Ramblings of the änal security guy

Sometimes pointless, always rambling, best ignored…

Archive for the ‘Conference’ Category

SANS SEC401 – Security Essentials

Posted by ChrisJohnRiley on December 5, 2009

Everybody should have a good foundation to build from. After all, there’s no point in building a tower of knowledge, just to find that the foundations can’t hold it up. SANS Security Essentials is a great course to provide that foundation.

One of the things I love to hear from students after teaching Security 401 is “I have worked in security for many years and after taking this course I realized how much I did not know.” With the latest version of Security Essentials and the Bootcamp, we have really captured the critical aspects of security and enhanced those topics with examples to drive home the key points. After attending Security 401, I am confident you will walk away with solutions to problems you have had for a while plus solutions to problems you did not even know you had.
- Eric Cole

Dr. Eric Cole on YouTube — Introducing Security Essentials

This class covers a lot of ground. I know the average SANS class is packed with juicy knowledge and tasty technical goodness, but the 401 class really crams it in: 11-12 hours a day, 6 days long. It’s not an easy task to take in everything, but Dr. Eric Cole is a great instructor, and really helps make things clear. As you’d expect from a class of this type, the content is wide-ranging and not as in-depth as some of the other SANS courses. Then again, this is what you’d expect from a course of this type. There’s no point in building a good foundation in 3 areas of the security landscape and skipping the rest. The 401 class covers the areas you need to know about without going too in-depth in any one thing. There’s plenty here for you to think about, and it certainly gives you an idea of where your weak points are, and how to fill them in.

Day 1 – Networking Concepts

It’s hard to protect your network without knowing what’s really going on on the wire. The first day of the 401 class was dedicated to understanding the fundamentals of networking, from the cable up. The information covered is just enough to really understand what’s going on, without having to be a packet-monkey or an expert in routing protocols. Sure, there are some exercises on decoding IP/TCP headers with pen and paper, but nothing that complex. As long as you can add up, that is. It’s not rocket science after all ;) Day 1 concluded with some virtualization and physical security modules. It was nice to see the physical security aspects covered, where so many classes tend to skip over the topic.

Day 2 – Defense In-Depth

I’m a big fan of defense in-depth, and always try to drum it into clients when testing systems. After all, a single piece of equipment that stops all attacks is only good until someone finds a bypass for it. When that happens, you’re completely exposed, unless you’re layering your defenses. Eric covered a lot of ground here in day 2: malware, worms and trojans, alongside policy, password security and web-application attacks and defense. Again, there’s just enough here to understand the basics without confusing people who’ve started the class with a clean slate. If you’re an old hand, there’s still information here to be had. Even though I’ve been through the 560, 542 and 709 classes, there are still points that make me sit up and pay attention. Nobody knows everything after all.

Day 3 – Internet Security Technologies

Day 3 kicked off with discussion of attacks on, and hardening of, systems: coverage of IDS/IPS/HIDS and some great hints and tips about maximizing your firewall protection and layout. Even though most people know what a firewall does and how it works, people rarely consider the pros and cons of multiple firewalls, their positioning, and using packet, stateful and proxy filters to maximize the protection without overloading the systems. There was also discussion of signature-based protections vs. anomaly analysis (including the method of using clipping levels to improve identification of possibly suspicious traffic/behaviour). To give the students hands-on experience with IDS, a short module on Snort (including writing a simple Snort rule) is included as the 3rd day draws to a close.

Day 4 – Secure Communications

After finishing up the risk analysis module from Day 3, we moved quickly into one of the sections of the class I was really looking forward to: encryption. Eric took the class from the basics of cryptography (ROT-13, Caesar cipher) through to a surprisingly easy to understand diagram of how Diffie-Hellman key exchange really works. There was good coverage of data protection in transit and at rest, and of the key points of key management. Moving away from cryptography toward mobile and wireless, we covered a range of different connection solutions. In particular, Bluetooth, 802.11 and ZigBee were covered in depth. It was good to see the newer technologies such as ZigBee discussed even in the essentials class. To bring it home for day 4 we talked about VoIP and the increasing convergence of technology within the enterprise.

Day 5 – Windows Security

As with the other days, we kicked off day 5 with the final module of the previous day. In this case we talked about OPSEC (Operations Security). OPSEC is taking a step back from the technical and making sure that the appropriate risks are being addressed. It’s all about the big picture and protection of company information. Tracking and finding your company’s weaknesses can also give you an idea where your competitors may have fallen short. To kick off the Windows section of the class, we covered the basics of Windows access controls, patching and hot fixes, as well as the all-important backup/restore of critical data. Of course no Windows security class would be complete without extensive coverage of access permissions, rights and controls.

To tie in with the previous cryptography discussions we talked about EFS and BitLocker and the pros/cons of using a TPM (with USB token or PIN) to enforce boot integrity. Naturally we spent time looking at the technical side of security policies (GPOs, security templates, …) and the issue of dealing with extensive security policies in large-scale Windows environments. Finishing up, we covered automation when it comes to securing and maintaining the security of systems. It’s interesting to see Microsoft’s move to more command-line based solutions. Give it another 10-15 years and it’ll be just as good as Linux at the command line ;)

Day 6 – Linux Security

Kicking things off for the last day, Eric went over the key differences and histories that make Linux and Windows such polar opposites. As you can imagine, a large part of the time today was spent discussing the intricacies of the *nix permissions system (including SUID, SGID and sticky bits). It was interesting to cover the usage of groups and the ability to assign passwords to specific groups using gpasswd. It was also good to get a quick overview of how PAM fits into the overall Linux authentication and user account management. pam_cracklib and pam_unix are something I’ll definitely be looking at more in the future. Finally I really get the permission system used in Linux. All it takes sometimes is a simple, down-to-earth explanation.

Jumping from permissions, we did a quick overview of the boot process, run-levels and services. It’s great to hear little tips and tricks from people who work with this stuff on a daily basis. Things like the RC scripts: newer systems (anything in the last 5 years) can handle 2 startup files with the same number (e.g. S08service and S08service2). Older systems would only run 1 of the services, and ignore the other. Certainly an important note when working on older *nix systems.

In the logging and monitoring section we covered a number of interesting log files. Of special interest to me (as a penetration tester) was the /var/run/btmp log file. If this file is present on a system, it contains information on failed logon attempts, with the attempted password listed in plaintext. Obviously this could be a great source of information if a user mis-types their password. At the very least, it’s a starting point for a brute-force of that account. At best, you have the user’s password and can start guessing what they mis-typed. As you’d expect, a range of logging and centralised log management options was discussed. After all, no talk on *nix logging would be complete without mentioning syslog and syslog-ng.
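An added example of my own (not from the course or this post) that ties the clipping-level idea from Day 3 to the btmp log discussed here. A clipping level is a count threshold: a single failed logon is noise, but a source that crosses the level inside a short window is worth an alert. The code parses raw btmp records, assuming the 64-bit glibc struct utmp layout (384-byte records), counts failed logons per source host in a sliding window, and reports hosts above the level. It also lists “usernames” that match no real account, because a password typed at the login prompt lands in that field and then has to be treated as a leaked credential (and is a reason to keep btmp readable by root only). The records are constructed in memory rather than read from disk.

```python
"""Failed-logon detection over btmp records with a clipping level.

Added example, not from the SANS course or this post.  Assumes the glibc
struct utmp layout on x86_64 Linux; the sample records are constructed.
"""
import struct
from collections import defaultdict

# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit(2), ut_session,
# ut_tv(sec, usec), ut_addr_v6(4), 20 bytes unused -> 384 bytes on x86_64 glibc.
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
LOGIN_PROCESS = 6   # ut_type written for failed logins in btmp


def pack_record(user: str, host: str, line: str, ts: int, ut_type: int = LOGIN_PROCESS) -> bytes:
    """Build one constructed btmp record (used here only to create sample data)."""
    return struct.pack(UTMP_FMT, ut_type, 4242, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def parse_btmp(data: bytes) -> list[dict]:
    """Decode fixed-size utmp records into dicts with the fields detection needs."""
    records = []
    for offset in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, offset)
        records.append({"type": f[0], "line": _cstr(f[2]), "user": _cstr(f[4]),
                        "host": _cstr(f[5]), "time": f[9]})
    return records


def over_clipping_level(records: list[dict], clipping_level: int = 5,
                        window_seconds: int = 300) -> dict[str, int]:
    """Hosts whose failed-logon count inside any window exceeds the clipping level.

    Returns host -> peak count seen in a window; hosts under the level are omitted.
    """
    by_host = defaultdict(list)
    for r in records:
        if r["type"] == LOGIN_PROCESS and r["host"]:
            by_host[r["host"]].append(r["time"])
    alerts = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window_seconds:
                start += 1
            count = end - start + 1
            if count > clipping_level:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


def suspect_mistyped_secrets(records: list[dict], known_users: set[str]) -> list[str]:
    """'Usernames' that match no account: likely a password typed at the login prompt.

    Treat these as leaked credentials (rotate them) rather than as accounts to watch.
    """
    return sorted({r["user"] for r in records if r["user"] and r["user"] not in known_users})


# Constructed sample: a burst against root from one host, two attempts from another,
# one of which has a password-shaped string in the username field.
BASE = 1_260_000_000
SAMPLE_BTMP = b"".join(
    [pack_record("root", "203.0.113.9", "ssh:notty", BASE + i * 10) for i in range(8)]
    + [pack_record("alice", "198.51.100.4", "ssh:notty", BASE + 30),
       pack_record("Summer2009!", "198.51.100.4", "ssh:notty", BASE + 45)]
)

if __name__ == "__main__":
    recs = parse_btmp(SAMPLE_BTMP)
    print("alerts:", over_clipping_level(recs))
    print("possible leaked secrets:", suspect_mistyped_secrets(recs, {"root", "alice"}))
```

On a real host, read /var/log/btmp (or the path the course mentioned) in binary mode and feed the bytes to parse_btmp; on a 32-bit build or non-glibc libc the record layout differs, so check struct.calcsize against the file size first.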

Winding up the class, we touched on *nix patch management and enhancing the security of Linux. As you’d expect, we spent some time discussing APT and RPM based patching solutions, before moving into iptables, Tripwire and Bastille Linux.

It’s been an exhausting 6 days… but I feel like I’ve filled in a few gaps in my knowledge. I’ve especially enjoyed working with Dr Eric Cole and hearing about his take on various topics. Eric has a lot of knowledge to bring to the table, and I hope to attend another of his classes in the future.

Conclusion

There’s far too much information crammed into this class to really write about every topic covered. Then again, that’s not the point of this review. I’ve covered the key points we discussed, and hope it gives a good overview for people looking at taking this class in the future. I would say however, that SANS updates the classes on a regular basis. So your mileage may vary ;)

I stand by my earlier comments that the Security Essentials class gives a good foundation. However, I would append a small note. If you’re already an experienced InfoSec person, then there will be times when you’re required to review things you already know. This isn’t a bad thing, as there are always a few points that are worth reviewing, or described from a different standpoint. When looking purely at the content of the course and the method/style of delivery, I would highly recommend this class as the place to start when it comes to moving into InfoSec. The broad level of knowledge is both theoretical and technical, yet not so in-depth that you get sidetracked into a single topic for too long. If you’re already working in InfoSec, then check out the assessment test below to see what your level of knowledge is.

If you want to test yourself and see where the gaps in your knowledge are, you can use the SANS Security Essentials assessment Test to see how you score.

Posted in Conference, Security, Study

SANS DEV319 / SEC319 – Intro to Web Application Security

Posted by ChrisJohnRiley on November 29, 2009

Prior to the 6-day classes starting at SANS London 2009, I had the chance to sit in on the 2-day DEV319 class (run by Johannes Ullrich) to see what the class was all about. As I’ve said over and over again, I love learning, and I can’t say no when somebody offers me a chance to sit in on a class, even if it is something I’ve already covered in my recent GWAPT course. One thing I like about the classes from SANS is the instructors. Unlike some companies, the people teaching the class really do this for a living. They’re not just standing there reading the slides and nothing more. Johannes really knows his stuff when it comes to web applications. There is so much knowledge there to be gained just by asking questions and discussing solutions. This is the real essence of learning in my opinion. Sitting at the back of the class can only get you so far. So next time you’re at a class make sure you ask some questions. You will be surprised what you can learn just by asking.

DEV319 / SEC319 – Intro to Web Application Security

If you’re new to security, finding a place to start can be a real problem. Diving straight into a class covering the deepest darkest secrets of SQL Injection or Cross-Site Scripting isn’t always going to be your best option. The “baptism by fire” approach isn’t for everyone after all. To make a move from systems administration or development that little bit easier, SANS have put together the SEC/DEV319 class to give an introduction to web application security. Don’t misunderstand, this isn’t a 2 day class that glosses over the problems and contains no real meat. The topics covered are in-depth, well explained and looked at in a hands-on approach. The labs are brief due to the tight timescales and amount of information to cover, however they come in at the right time and help to reinforce the content well.

The topics covered are varied and give a good foundation to build on. Obviously no 2 day class can cover everything, but SANS certainly try and cram a lot into a short timescale .:

  • Securing Web Application Architectures and Infrastructures
  • Cryptography
  • Authentication
  • Access Control
  • Session Mechanism
  • Web Application Logging
  • Input Issues and Validation
  • SQL Injection
  • Cross-Site Scripting
  • Phishing
  • HTTP Response Splitting
  • Cross-Site Request Forgery

Also not on the list, but equally important, are discussions on logging (what, why, how, legal requirements, …), phishing mitigation (discovery, defense, tracking, …) and specific information on credit card processing issues (handling of data transfer, CVV/CVV2 numbers, AVS, …). These might not be the most glamorous topics, but for security, they’re just as important as the more technical attacks, like XSS, CSRF, etc…

This class is aimed at developers, QA analysts, and infrastructure security professionals. With that said, it offers a great deal of information for anybody who wants to secure web applications. The class is taught from a developer and attacker standpoint, showing how to check for errors and how attackers would take advantage of them. I’m not sure this works as well as people think for developers, but it seems to be the way things are taught currently. One thing to consider if you’re coming at this class from a pure development background is the longer language-specific classes like DEV541 (Secure Coding in Java/JEE: Developing Defensible Applications). These are taught more from a developer standpoint and go deeper into not only the cause of the flaws, but also the underlying code that causes and fixes the issues.

Conclusion:

If you’re a developer or network support technician looking for a good introductory class to web application attack and defence, then this is certainly a great place to start. It will help you hit the ground running with some good knowledge on how things work (from the HTTP protocol up). Even though this class is a 300 level* course, the content isn’t basic by any means. There’s something here for everybody.

*When selecting the courses that you wish to take, keep in mind that the course numbers indicate relative degree of difficulty. Thus 300-level courses are intended for students who are new to security and have no experience; 400-level courses are intended for students with some experience; 500-level courses are intended for students who are seasoned security professionals; 600- and 700-level courses are the most advanced. The levels are not determined by how much hands-on or technical work is involved in the course, but rather by the overall difficulty of that course in comparison to others in the same discipline. Within any given level, course numbers do not indicate level of difficulty. SEC589, for example, should not be any more difficult than SEC571. – SANS Brochure

Posted in Conference, Security, Study

SANS London

Posted by ChrisJohnRiley on November 20, 2009

It seems like only a few weeks since I finished up my SANS Web Application Penetration Tester OnDemand class. Still, as I’m sure anybody who knows me will tell you, I take any opportunity to learn something new. So once again I’m hopping on a plane and heading to London for a few days with my family, and yet another SANS conference.

Unlike recent courses, which have been very specialist, I’m going “back to basics” in a way, and attending the Security Essentials class (SEC401). I’m hoping to fill in a few gaps in my knowledge and cover some more management style topics. I’m not really the management type (I’m not good at politics), but anything that can help to improve the way I work, think and explain things to the C-level is a good thing in my book. I’ll also try to sit in on the DEV319 class prior to the main part of the conference. I’m not a developer, but I’m interested to see how SANS is going about training developers for secure coding. After all, this is where we seem to be failing at the moment, at least in my opinion.

If you’re attending the conference make sure to come over and say hi. I’ll be one of the facilitators, so I get to wear the nice red apron. Still, you can’t have everything can you ;)

John Strand from the Pauldotcom crew will be running a capture the flag evening at the conference, so even if you’re not attending a course, pop down and say hi. There are also a number of other interesting SANS@night events if CTF isn’t your thing.

Posted in Conference, General Life, Study

SANS London 2009 Webcast Series

Posted by ChrisJohnRiley on September 24, 2009

About a week back I posted about the upcoming SANS London 2009 event (28 November – 6 December). The guys behind the conference have put together a list of webcasts that they’ll be running to showcase the various courses on offer. You can find below a list of the upcoming events that are especially for the European security community. A full list of the webcasts in the series, along with a breakdown of the topics covered, can be found on the SANS website.

Upcoming Webcasts .:

  • Friday, 25 September
    • Topic: SEC401: SANS Security Essentials Bootcamp Style
    • Instructor: Dr. Eric Cole
    • Time: 15:00 CET
  • Tuesday, 29 September
    • Topic: DEV541: Secure Coding in Java/JEE: Developing Defensible Applications
    • Instructor: Sahba Kazerooni
    • Time: 15:00 CET
  • Wednesday, 30 September
    • Topic: SEC508: Computer Forensics, Investigation & Response
    • Instructor: Jess Garcia
    • Time: 15:00 CET
  • Thursday, 01 October
    • Topic: SEC542: Web App Penetration Testing & Ethical Hacking
    • Instructor: Raul Siles
    • Time: 15:00 CET
  • Friday, 02 October
    • Topic: SEC566: 20 Critical Security Controls
    • Instructor: James Tarala
    • Time: 15:00 CET
  • Wednesday, 07 October
    • Topic: What Course Should I Take at SANS London 2009 & Question and Answer session
    • Instructor: Johannes Ullrich
    • Time: 15:00 CET

Previous webcasts in the series .:

  • SEC560: Network Penetration Testing & Ethical Hacking
    • John Strand
  • SEC709: Developing Exploits for Penetration Testers and Security Researchers
    • Stephen Sims

For those who didn’t manage to catch the live webcasts that have already taken place, the recordings are now available from the webcast archives.

Posted in Conference, Study

[BruCON] The Belgian beer lovers guide to Cloud Security

Posted by ChrisJohnRiley on September 19, 2009

Craig Balding – The Belgian beer lovers guide to Cloud Security

High-level talk covering cloud security, with the goal of getting people thinking about what’s possible.

The CFO view on cloud computing is purely bottom line. The fewer things appear on the balance sheet, the better for the company. This isn’t always better for security.

Speed of provisioning makes it an easy sell to the CEO.

Not everyone is happy – IT Security people are cynical people. Same problems in a different guise. From a security standpoint though, we as security professionals need to know about it. The business wants the cloud, so we have to work with it.

Cloud is painting a vision that doesn’t yet exist. Marketing is out of sync with their engineering department. Easy to write it off, but it shouldn’t be that way.

Talking about the cloud is hard. There are so many different kinds. It’s like walking into a Belgian pub and asking for a beer. Sure, but what kind of beer do you want?

Cloud properties .:

  • Abstraction of Resources
  • On Demand
  • Elastic
  • Scalable
  • API
  • as a Service (aaS)

Virtualisation != Cloud != Virtualisation

Dynamic resources meet static security – The systems you have to secure are flexible, constantly growing and changing, so how do your security measures adapt to those issues?

Cloud != Outsourcing

You can visit an outsourcing company to check them out. Any large cloud company won’t be willing to show you around the data-center. Cloud is more of a black box solution, with an API interface.

Cloud Platforms are often stitched together open-source software with an API. These combinations and uses are all new. New doesn’t mean secure. Untested combinations are dangerous.

  • Infrastructure as a service (i.e. Virtual servers)
  • Platform as a service (i.e. Google AppEngine,…)
  • Software as a service (i.e. Salesforce.com,…)

Software as a service is no longer a dedicated machine or environment for your software. Shared platform amongst many companies.

Cloud Taxonomy and Ontology ==> More details can be found HERE
Jericho Cloud Cube ==> More details can be found HERE

Cloud can be public or private. Virtual private cloud solutions use VPNs to connect you to the cloud. The level of sharing here opens up attack vectors where moving from the public cloud to the private cloud could be possible. VPN driver vulnerabilities?

Government clouds — Apps.gov offering cloud storage, software development, virtual machines for government use

Cloud specific security concerns .:

  • What are they hiding in the basement – Where is your data stored?
  • Uptime – Is 99.9% enough?
  • Lock-in – Can you get your VMs out if you need to? What format are they in? Are apps coded to a specific API?
  • Multi Tenancy – Shared systems with mixed security. Shared databases with mixed customer data.
  • Change Control – What did they change and when? Do Google have change logs? Are they public?
  • Visibility – What logs do you have? Can you see if somebody is brute-forcing your account?
  • Cloud Layers – Services layered on top of services. Subcontractors. What risk level do these dependencies introduce?
  • Identity – Multiple accounts. Problems in-house, worse on the internet. SSO for the cloud? Using your AD to authenticate in the cloud?
  • SLAs – Have you read them? How often are they changed? Can you negotiate better SLAs?
  • Terms of Service – If they screw up you get service credit? Is that ok if you’re down a week or more?
  • Legal Issues – (Search & Seize) – What if the FBI takes the servers out of the datacenter?
  • Auditor – They’ve only just learnt about virtualization, do they know what cloud is?
  • Pay As You Go – Paying with a credit card. Where are your payment details stored? Do they have anti-fraud systems? Attackers driving up your CPU usage or bandwidth may cost you more. Can you set a limit?
  • Data Wiping – Can’t do it. You can delete them, but there’s no REALLYDELETETHIS API call.
  • Distributed Programming – Developers have to code to the API, are they experienced with distributed environments? Race conditions.
  • Cloud APIs – Protected through SSL. Other options

How can a tester (PCI, pentester, …) verify your security? Will the systems be the same today as they are tomorrow? It’s like changing a tyre at 70mph.

The cloud is like the wild-wild-west right now.

More researchers are needed to really shed light on these security issues.

Cloud Security Alliance – Shape the future of Cloud

Cloudsecurity.org – Craig Balding’s blog

Posted in Conference, Security

[BruCON] Red Team Testing

Posted by ChrisJohnRiley on September 19, 2009

Chris Nickerson – Red Team Testing

The reality of security – Don’t just say what could be done, show what can be done. Prove the sky is falling

Humans have known how to protect themselves for thousands of years, so why do we suck at it now? Just because it’s a computer.

Defending against a dynamic threat is complex.

How do you know your controls work if they’ve never been tested? How do you know you can put up a fight if you’ve never taken a punch? If an attacker has no rules, why should the defenders? Hackers don’t have scopes, why should testers? Simulate real-world attacks.

Compliance isn’t the end of the line, it’s the first step. Testing 1% of your company assets doesn’t make your whole company secure.

It’s possible to have a process that is inconsistent (without scope or limits) and yet have consistent results.

You never know the value of what you have until it’s gone.

Why is traditional testing dead?

  • It doesn’t focus risk on business, but on exposure of vulnerability
  • Testing that replicates an attacker (sparring partner) has its hands tied
  • The perimeter is DEAD

Attackers are moving to the client side (8 of the 20 entries in the SANS Top 20 report are client-side attacks). Most attacks are not something that a perimeter can protect against. Direct and focused attacks are the new style.

  • External Direct – Server / App Attack
  • External Indirect – Client-side / Phishing / Phone calls
  • Internal Indirect – Key/CD drops / Propaganda
  • Internal Direct – Social engineering / Physical
  • Exotic Attacks – Flash mob / Thinking out of the box

Figure out what’s important to the company and steal it (physically take it). You can prove ROI if you can prove what you can steal (how much was that router I stole?).

Best method of attack — Take the EASY way in. If you don’t get in, then you didn’t do enough information gathering.

Social networks are the best way to find out how to act like your target and find information.

Breaking into a company when people are out is the best plan. Pick your timing. You can ignore people when they’re asking a question you don’t want to answer.

What you should have in your kit .:

  • Costumes
  • ID Cards
  • Paperwork
  • Lock Picks
  • Laptop
  • Bag
  • Phones (to leave behind)
  • leave behinds
  • Biz Cards
  • Candy
  • Smokes
  • A lighter
  • A camera or video recorder
  • Mylar Balloons
  • String
  • Helium
  • Blowup doll (not just for fun!!!)
  • Call jammer
  • Appropriate cables
  • Lineman’s set
  • Grappling hook and rope
  • Audio recorder

Get costumes from different companies and locations so you can easily assume an identity. Speaking a foreign language, faking misunderstanding.

Remote observation with things like GSM bugs, spy camera pens, power strips (with WLAN, video, audio), wireless robots, fake alarm sensors, …

Remote key copying by taking a picture and reproducing it offsite. Dress like a janitor and go in like you’re meant to be there.

iPWN – Running iPhones as a remote connection to the network.

Cell phone bugging – Flexispy – Alter settings on the phone to proxy things through a central location.
Cell phone tracking – www.instamapper.com, www.opengpstracker.com – Use mobiles for GPS trackers

If you hack a person, they are harder to reboot!

Get ready, Get set

  • Time and date
  • Character
  • Costume
  • Methods
  • Memorizing Data
  • Entrance Strategy
  • Exit Strategy
  • Plan B (C,D,E,F,G,…)

Last defense should be a fake get out of jail free letter – do they really check that ?

Always check out local business service companies (like printers etc…); lots of sensitive data gets left at these locations. Go and say your company left a copy of something last time they were in. Copy centers are like the Disneyland of social engineering.

Badge Forgery – Make it look real, spend all the time you can to make it look perfect (RFID, Digital Camera picture, etc…)

Spoof calls with tools like SpoofApp.com – Various tools for the different platforms

In Person

  • NLP
  • Breathing techniques
  • Touch
  • Psychosomatic Presence
  • Magic
  • Hypnotism
  • Ekman coding
  • Facial Feedback
  • Temperature Reading
  • Communication Stances
  • Satir comm. Models
  • Classic cons

Social engineering isn’t about lying, it’s a complex and scientific process. Find a process that works and use it.

Lock Picking – If a door stands in the way, pick it. Find a way to trigger the door (blow up doll to trigger a motion sensor)

Finally, go for GOLD – Use what you’ve learned about people and the systems to get the information and access you need to prove the point. Get things that the business is interested in. Hackers don’t run the business, so why focus on things they think are important?

Automated tools to find things .:

  • Spyder
  • Vericept
  • Any other DLP solution
  • Powershell searches
  • Nessus
  • GREP (regex for what you want)
  • dbDataFinder
  • FileHunter
  • PowerGREP
  • WindowsGREP

Don’t spend hours searching for the crown jewels; use automated scans and attack from outside to download the good stuff.

Posted in Conference, Security

[BruCON] Opensource Information Gathering

Posted by ChrisJohnRiley on September 19, 2009

Chris Gates – Open-source Information Gathering

Collect as much information about the target as may be valuable later.

OSINT – Open Source INTelligence

Penetration Testing – Focus is currently on scanning and exploitation
Real life hacking – Focus on gathering the information required to attack

Information gathering phases

  • Passive – No traffic to the target
  • Semi-Passive – Only traffic that looks normal and expected
  • Active – Full searches and enumeration

Infrastructure – Every online source has an infrastructure to be examined.
People/Organisation – Looking at the human side of information gathering

Every company is now online. The companies want you to know everything about them. Some information is voluntary, some is legally required to be made available.

Infrastructure information gathering – Goal is to build an infrastructure diagram with publicly discoverable information.

Maltego can be used to find systems connected to the enterprise by using one piece of information to connect the dots. Maltego transforms offer the ability to find other connected domains, DNS entries, MX servers and more. Find the weakest link in the infrastructure to target your attack.

Tools to use .:

  • Maltego
  • Serversniff.net
  • Robotex.com
  • clez.net
  • CentralOps.net
  • Rsnake’s fierce.pl
  • PassiveRecon Firefox plugin

People/Organisation – Create a profile of people in charge and discover the corporate culture.

Some companies put all of this information on their website. Others prefer to hide this from the public eye.

By pulling down email chains using Google or other email harvester tools you can gain information about staff and connections. Remember to check other TLDs and not just .com. Using Maltego this information can be expanded upon to find social networking links and a stream of other information. With this information you can take it to the next level to Socially Engineer the target prior to the engagement.

Tools to use .:

  • Maltego
  • TheHarvester
  • PassiveRecon Firefox plugin

Document Metadata – Lots of information on people, technologies, and infrastructure. Perfect for client-side exploitation and attack vectors. By doing this in Maltego you can use additional transforms to gain additional information.

Tools to use .:

  • Maltego
  • Metagoofil
  • FOCA

Gathering this information can take a great deal of time. In tests Chris will spend around a week working on this phase of the test. Providing a report on information disclosure to the company as part of a penetration test can help them understand the exposure.

Issues

Libextract isn’t good with newer PDFs = Solutions include FOCA and scripting to directly pull out the data
Goolag = Easy to get your IP banned from Google
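An added example of the “scripting to directly pull out the data” approach, taken from the publishing side: before a document goes onto the public web site, check its Info dictionary for author names and software versions, which are exactly the fields a client-side attacker would harvest. This is my own code, not FOCA or Metagoofil, and it reads only uncompressed Info entries written as literal strings; documents that keep metadata in compressed object streams or in XMP need a real PDF parser. The PDF bytes are constructed for the demo.

```python
"""Pull PDF Info-dictionary metadata out of raw bytes and flag the leaky fields.

Added example, not from the talk or this post.  Handles only uncompressed
/Info entries written as literal strings; the sample document is constructed.
"""
import re

# Constructed minimal PDF fragment with an Info dictionary (not a real file).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Title (Q3 Board Pack) /Author (j.smith) /Creator (Microsoft Word)
   /Producer (Acrobat Distiller 8.1) /CreationDate (D:20091118093000Z) >>
endobj
trailer
<< /Info 1 0 R >>
%%EOF
"""

INFO_KEYS = ("Title", "Author", "Subject", "Keywords", "Creator",
             "Producer", "CreationDate", "ModDate")
# /Key (literal string) where the literal may contain \( \) \\ escapes.
_KEYS = b"|".join(k.encode() for k in INFO_KEYS)
_ENTRY = re.compile(rb"/(" + _KEYS + rb")\s*\(((?:\\.|[^\\)])*)\)")

# Fields that name people or identify the software (and its version) in use.
LEAKY_KEYS = {"Author", "Creator", "Producer"}


def _unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes for parentheses and backslashes."""
    return re.sub(rb"\\([\\()])", rb"\1", raw).decode("latin-1")


def extract_info_metadata(pdf_bytes: bytes) -> dict[str, str]:
    """Return the Info-dictionary entries found as literal strings in the file."""
    return {key.decode(): _unescape(raw) for key, raw in _ENTRY.findall(pdf_bytes)}


def leaked_fields(meta: dict[str, str]) -> dict[str, str]:
    """Subset of metadata worth scrubbing before a document is published."""
    return {k: v for k, v in meta.items() if k in LEAKY_KEYS and v.strip()}


if __name__ == "__main__":
    meta = extract_info_metadata(SAMPLE_PDF)
    for key, value in meta.items():
        print(f"{key:13} {value}")
    print("scrub before publishing:", leaked_fields(meta))
```

To run it over a real directory, open each file in binary mode and pass the bytes in; a document that yields no entries at all most likely stores its metadata compressed, so an empty result is not a clean bill of health.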

Organisation profiling – Online networking and HR tools are a great resource for information. Sites like pipl, xing, spokeo, spoke, 123people and zoominfo can be crawled using their built-in APIs. Some sites will cost money, but the information is worth it.

Namechk can be used to find people’s use of social networks.

Maltego now has Twitter transforms to see who is communicating with these people: followers, people following and connections.

Tweepsearch or search.twitter.com are useful for finding keywords or groups of people based on specific search criteria.

Taking over somebody’s identity
If somebody has a weak online presence, can you act as that person? Can you add a new staff member, join the company groups and use this for Social Engineering? Can you create a Gmail account for this user, register on social networking sites, or write a blog on their behalf?

Posted in Conference, Security

[BruCON] Script Fragmentation

Posted by ChrisJohnRiley on September 19, 2009

Stephan Chenette – Script Fragmentation: Fear the new web attack vector

  • Web exploit delivery
  • Current detection bypass techniques
  • Next generation exploit delivery

Exploit delivery is a large part of successful exploitation of a target. Without a suitable delivery method that avoids detection, an exploit will not be able to successfully attack the target. The goal is to make your attack look like normal traffic.

Various methods are currently in use, both for content (obfuscated code, polymorphic obfuscation, encryption) and for the network (referral checks, blacklisting known security companies, …).

Content in a web 1.0 world comes back in one lump – Easy to detect malicious code at the gateway. Bypasses were developed to obfuscate the code (including polymorphic obfuscation) to avoid the filters and detection. Signature analysis is easy to bypass by changing the exploit code (changing vars, removing whitespace, renaming functions, encoding values, …) and by including anti-debugging measures.

The AV vendors began to integrate JavaScript engines within their products to defeat the obfuscation. These engines are usually simplistic and easily bypassed.

Is there more attackers can do to foil detection?

Malicious content can be split across several requests/responses – Harder to check before the malicious code is complete and running. Multi-part attacks. Most checkers do not keep state and therefore cannot correlate the separate connections used to build an attack.

  • Exploit UGC (user-generated content)
  • Exploit transitive trust
  • Exploit free access/accounts
  • No change in Exploit delivery

But is there even more that attackers can do?

Content in a web 2.0 is dynamic – Script fragmentation == Malicious AJAX

  • TCP Fragmentation – Network Layer (RFCs and standard)
  • Script Fragmentation – Application Layer (Custom apps, no standards here)

Browsers allow an unknown entity to execute arbitrary code (JavaScript) on the client’s machine once it arrives – This is by design.

Discussion of XDR (XML Domain Request Object) as well as examples of standard JavaScript attacks on the DOM.

Script Fragmentation process (simplified)

  • Stored malicious content on server
  • SERVER: Serve client webpage with script fragmentation decoder routine
  • CLIENT: Use the XMLHttpRequest object to request only a small chunk of the malicious content from the server
  • SERVER: Responds with the requested chunk of malicious content
  • CLIENT: Use JavaScript variables to save the chunk of malicious code and repeat request process from the SERVER until the content is complete
  • CLIENT: Decode and run the malicious content on the client (using EVAL or creating a DOM element)
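Why a stateless gateway check misses this, shown as an added example in Python (not the talk’s or the author’s code): a constructed traffic log of one client fetching fragments in a randomised offset order, a per-response scan that matches each body alone, and a session-level scan that reassembles by the `off` parameter before matching. The placeholder signature, endpoint URL and client address are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed placeholder that stands in for a real exploit signature.
SIGNATURE = re.compile(r"EXAMPLE_MALICIOUS_MARKER")

# Constructed traffic log: one client pulls a script in 6-byte fragments from a
# hypothetical endpoint, in a randomised offset order as the "beyond the basics"
# list describes. No single fragment contains the whole signature.
PAYLOAD = "var x = 1; EXAMPLE_MALICIOUS_MARKER; run(x);"
CHUNK = 6
FRAGMENTS = {off: PAYLOAD[off:off + CHUNK] for off in range(0, len(PAYLOAD), CHUNK)}
TRAFFIC = [
    {"client": "10.0.0.5", "url": "http://srv.example/frag?off=%d" % off,
     "body": FRAGMENTS[off]}
    for off in (12, 0, 18, 6, 24, 36, 30, 42)
]


def stateless_scan(traffic):
    """Per-response inspection: each body is matched on its own, no state kept."""
    return [rec["url"] for rec in traffic if SIGNATURE.search(rec["body"])]


def reassemble(traffic):
    """Group fragments by (client, endpoint) and join them in 'off' order,
    so out-of-order delivery does not matter."""
    sessions = defaultdict(dict)
    for rec in traffic:
        parsed = urlparse(rec["url"])
        off = int(parse_qs(parsed.query).get("off", ["0"])[0])
        sessions[(rec["client"], parsed.path)][off] = rec["body"]
    return {key: "".join(parts[off] for off in sorted(parts))
            for key, parts in sessions.items()}


def stateful_scan(traffic):
    """Session inspection: match only after the fragments are reassembled."""
    return [key for key, script in reassemble(traffic).items()
            if SIGNATURE.search(script)]


if __name__ == "__main__":
    print("stateless hits:", stateless_scan(TRAFFIC))   # []
    print("stateful hits: ", stateful_scan(TRAFFIC))    # [('10.0.0.5', '/frag')]
```

Keying on (client, endpoint) is exactly what spreading fragments over many servers defeats, which is why the defence list later in these notes ends at the client side: the DOM/JS engine is the one place where the script is always whole.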

Options for data transfer

  • RAW (user-defined)
  • XML
  • JSON
  • Etc…

Beyond the basics

  • Hide decoder in Flash/PDF files
  • Randomise sequence of offsets
  • xor/encrypt data
  • Previous fragment contains decryption key for next fragment
  • Spread data across multiple webservers (botnet, XDR,…)

The more you can spread and obfuscate the malicious content the more chance there is of it succeeding and bypassing protections. 100 connections to different servers are hard to correlate.

DEMO ==> Using the MDAC exploit (design bug ?) using the script fragmentation method of deployment

Downsides of fragmenting the payload

  • More data is transferred
  • More packets are created

Running the payload through VirusTotal, the attack is detected without fragmentation, but is not detected when fragmentation is in use.

AV won’t detect script fragmentation attacks – No substantial content to trigger an alert

Be generic, use existing engines – The more custom code used, the easier it is to detect and create signatures.

Future defenses .:

  • Better JavaScript emulation
  • Gateway/Worker Gateway defense combination
  • Gateway/Client defense combination
  • Desktop AV has to inspect the DOM/JS Engine
  • Browser vendors have to better expose DOM/Scripting functionality
  • Whitelist active content (eg. NoScript)

Posted in Conference, Security

[BruCON] Dispelling the myths and discussing the facts of global cyber warfare

Posted by ChrisJohnRiley on September 19, 2009

Jayson R. Street - Dispelling the myths and discussing the facts of global cyber warfare.

Sun Tzu was a hacker. Hacking has been around for a long time, but it’s not always been on computers. The Art of War is read by both military and business students.

Reporting is not investigation. If you want the real perspective you have to find it yourself and not rely on other people’s opinions and reports. In order to understand you need to step back and view things from another person’s perspective.

War is no longer dictated by boundaries, just bandwidth. Even if you think you have nothing to steal, you still have resources that other people want.

China
China is currently the country of choice when it comes to blaming hacks on foreign countries. This is because of the Red Hacker Environment (a collective of separate hacker groups within China that work together when threatened). Due to the 60 year cycle of change in China, there is a lot of unrest currently. This time is being used to prepare for what they will be starting next year as the next cycle begins. There are also a lot of internal issues between the different sections of China, which are also in conflict. It is not unusual to have hacker groups in Shanghai hacking another group in another area of China. This is due to cultural differences. Language issues originally held back Chinese hackers. However, over time things have changed, and it is becoming less and less of an issue. Not all Chinese hackers are über leet, but with enough small attacks it builds up.

If Americans can be patriots, why can’t the Chinese be the same?

Russia
Very forthcoming with information on their cyber warfare capabilities, budget and resources. Cyber force size is 7,300, with resources including an advanced botnet for DDoS and espionage, electronic pulse weapons (non-nuclear), wireless communications jamming equipment… Russia vs. Estonia – Probably a good test of Russia’s cyber warfare project. Russia vs. Georgia – The second beta test. Combined physical and cyber attacks. Russia vs. ???? – Just like history says, don’t mess with Russia.

Jihad (J1H4D)
Mostly interested in using the internet for .:

  • Recruitment
  • Propaganda
  • Communication

By using VPN connections, darknets and forums.

Brazil to Romania
South America = Community based hacking
Eastern Europe = A cross between the movies “Hackers” and “Good Fellas”
Crime does not = Warfare (usually)

US
Titan Rain was the US’s real wake-up call. The US response to cyber attacks is a physical response. However, it’s not always possible to say who performed the attack. The attacks this year from “North Korea” are a perfect example. It’s still not known where the attack came from. China rents botnets to anybody; however, that doesn’t mean that the attack comes from China even if the C&C is based there.

All the cool kids are creating Cyber Warfare units.

Posted in Conference, Security

[BruCON] Transition to IPv6 on the internet: Threats and Mitigation techniques

Posted by ChrisJohnRiley on September 18, 2009

Eric Vyncke - Transition to IPv6 on the internet: Threats and Mitigation techniques

Has been running IPv6 at home for 6-7 years.

  • Why IPv6, What is IPv6 ?
  • Shared issues by IPv4 and IPv6
  • Specific issues of IPv6
  • Enforcing a Security policy in IPv6

Current estimates are that IPv4 will be exhausted by the beginning of 2011

Currently seeing <1Gbps of IPv6 traffic through the Amsterdam Internet Exchange — This is not much

Four big changes introduced by IPv6

  • Larger addresses (128 bits vs 32 bits)
  • Multiple addresses per node (correlation more difficult)
  • Optional extension headers (complexity for ACL)
  • ARP is replaced by Neighbor Discovery Protocol

A lot of these changes have security implications (good and bad).

Shared issues

(Reconnaissance)

  • Due to address space issues, scanning methods will need to change
  • Public servers will be DNS resolvable
  • Increased reliance on Dynamic DNS
  • Administrators will tend to pick easy-to-remember addresses
  • By compromising a host an attacker can learn new addresses to scan

Scanning an IPv6 subnet could be an attack on the router due to the amount of traffic needed to find hosts within a reasonable timeframe.

(Viruses and Worms)

  • Worms cannot scan subnets like they did with IPv4 (see Reconnaissance)
  • Use email to propagate (No change)

IPv6 Privacy Extension (RFC 3041)

  • Should be used as a consumer, but not inside networks
  • Changing addresses make your logs useless
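What the reconnaissance point about easy-to-remember addresses and the privacy extension point mean for log analysis, as an added example in Python (not the speaker’s or the author’s code): classify the interface identifier of each source address in a constructed firewall log as MAC-derived (EUI-64), administrator-chosen, or random (as RFC 3041 temporary addresses are), then summarise per /64 prefix. The log lines, prefix and MAC are constructed, and the “manual” rule is a heuristic.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall log: "<timestamp> <source address> <verdict>" per line.
LOG = """\
2009-09-18T10:00:01 2001:db8:1::1 allow
2009-09-18T10:00:05 2001:db8:1:0:20c:29ff:fe3a:1b2c allow
2009-09-18T10:01:10 2001:db8:1:0:3d1f:9a44:7e02:c1b9 deny
2009-09-18T10:02:33 2001:db8:1:0:8c7a:12e0:55af:0d3e deny
2009-09-18T10:03:00 2001:db8:1:0:20c:29ff:fe3a:1b2c deny
"""


def classify_iid(addr):
    """Classify the low 64 bits (interface identifier) of an IPv6 address.

    ("eui64", mac): the IID embeds a MAC address (ff:fe in the middle, as
    stateless autoconfiguration builds it); stable over time, tied to hardware.
    ("manual", None): low-entropy IID an administrator typed, e.g. ::1
    (heuristic: at most 16 significant bits).
    ("random", None): anything else, which is what RFC 3041 temporary
    addresses look like and why a bare address is a poor log key.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        b = iid.to_bytes(8, "big")
        # Undo the universal/local bit flip and drop the ff:fe filler.
        mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
        return "eui64", ":".join("%02x" % x for x in mac)
    if iid < (1 << 16):
        return "manual", None
    return "random", None


def summarise(log):
    """Per /64 prefix: distinct MACs seen, plus counts of manual and random IIDs.
    Correlating on the prefix (or the MAC) survives address changes; the raw
    address does not."""
    summary = defaultdict(lambda: {"eui64": set(), "manual": 0, "random": 0})
    for line in log.splitlines():
        _ts, addr, _verdict = line.split()
        prefix = str(ipaddress.IPv6Network(addr + "/64", strict=False))
        kind, mac = classify_iid(addr)
        if kind == "eui64":
            summary[prefix]["eui64"].add(mac)
        else:
            summary[prefix][kind] += 1
    return dict(summary)
```

In the constructed log the two random addresses may well be one host that rotated its temporary address, which is the point: without the prefix (or a DHCPv6/NDP record) there is nothing to join them on.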

ICMPv6

  • Significant changes
  • More relied upon than ICMPv4 (not so easy to just block it all)
  • Firewalls will need to reply to some ICMPv6 messages (Type 133/134, etc….)

Neighbor Discovery Issues

  • Stateless autoconfiguration – Attackers can send fake router advertisements due to lack of authentication
  • Neighbor solicitation – No authentication (much like ARP spoofing for IPv6)
  • Duplicate address detection – System sends request to see if a conflict exists (attacker can DoS a system)

ARP spoofing is now NDP spoofing !

Solution coming that uses Secure Neighbor Discovery – SEND = NDP + crypto (RFC 3971)

Bugs in IPv6 exist just like they have/do in IPv4. The more it’s implemented the more problems can be found and fixed. However attack tools exist for IPv6 already.

Specific IPv6 issues
(The IPSEC myth)

  • IPv6 mandates the implementation of IPSEC, but doesn’t require its use
  • IPSEC has scaling issues
  • Firewalls, IDS cannot read your traffic
  • Network services like QoS are hindered

(IPv4 to IPv6 Transition challenges)

  • 16+ Methods !
  • Dual Stack – Dual attack surface ! You are only as strong as your weakest stack
  • Jumping from an IPv6 attack into an IPv4 “No split tunneling” VPN possible
  • Your network doesn’t run IPv6, however it doesn’t need to if your PC enables it by default
  • Most transition mechanisms don’t include authentication – Spoofing

Tools like Teredo that make tunnels through the NAT can be used to transport traffic that would normally be blocked when using IPv4. A single opening in the NAT can be used to attack the internal host.

Enforcing the policy
ACLs need to be able to pass more complex chains to support IPv4 and IPv6.

Training for network engineers and everybody on what IPv6 is and what impact it will have.

Posted in Conference, Security