Category Archives: Conference

[BSidesLV] ExploitHub: Arming the Pen Testers to Plug the Holes

ExploitHub: Arming the Pen Testers to Plug the Holes – Vik Phatak

The State of Security

You can only rely on vendors to a certain point. They can’t protect from everything.

Exploit test results –> Top 5 (Endpoint protection)

  1. Trend Micro
  2. McAfee
  3. Kaspersky
  4. Sophos
  5. F-Secure

Most products tested do significantly better at detecting the original exploit than a variant (altered payload etc.)

It’s not about a single product, however; a combination of protections gives the best overall protection.

When using evasion techniques, no vendor comes out clean.

So how do you make things better? –> By shining a light on it, and putting public pressure on the vendors

Between Metasploit, Core and Canvas… under 10% of vulns are accounted for with a working exploit. This means 90% of vulns aren’t easily exploitable.

Just because it’s not in these products, doesn’t mean you’re secure.

Leveling the playing field

This is where the problem lies. The bad guys have some of these exploits. These aren’t always 0-day, they’re things that have been patched but there’s no PUBLIC exploit available for it.

How do we level the playing field? The security researchers aren’t getting together to share!

The answer is to create a marketplace for exploits…. you choose the price and see who wants to buy!

Connecting the buyers who need the exploit, with the sellers who have the technical skill to write the exploit.

No more free bugs… maybe this is the solution?

Exploit Hub

Guiding principles

  • Enabling whitehats to do their job
  • Legitimize researchers
  • Create economically sustainable ecosystem
  • Researchers control the content and prices
    • If you want to sell an exploit for $10,000 per download… feel free

Working closely with Metasploit to create templates and integrate with Metasploit. Making it easier to buy and use without trying to get an exploit working first!

NSS Role –> Validation of the exploit where possible, making available in the store

Goal is to increase availability of exploits

0-day (unpatched) exploits won’t be available, to prevent blackmail of companies

exploithub@nsslabs.com

Links:

  • Vik Phatak Bio –> LINK
  • NSSLabs –> LINK

[BSidesLV] Building Bridges: Forcing Hackers and Business to “Hug it Out”

Building Bridges: Forcing Hackers and Business to “Hug it Out” – Andrew Hay, Chris Nickerson

Started as a discussion from Shmoocon 2010 – Hackers and business, who’s responsible for what

Nobody wants to accept responsibility

There’s the stereotypical black t-shirt crowd who are too cool to talk to business

There’s the business who just want to protect their business and don’t know what to do

It’s a fight that’s been brewing for a while and both sides really want to meet the other.

This talk shouldn’t exist… but the industry obviously needs it!

  • The problems
  • The view from the trenches
  • The view from the business
  • The way to fix this problem

The view from the trenches

- Management is clueless

- They don’t care about security

- They will only do the “bare minimum”

- They play golf and waste time in meetings all day

- They don’t respond when I show them how important it is

Security guys are overworked, get all the blame and don’t get the respect we deserve

The view from the business

- Hackers don’t have a clue

- They don’t care about the business

- They don’t understand the economic challenges and regulations

- They surf the internet all day

- They don’t listen when I tell them how dangerous it is

Business people work long hours and don’t get the respect they deserve

Pure Security vs. Business Security

Hacker perspective:

The business is responsible for operating as a business.

The hackers are screaming they can get into boxes

A secure environment is the goal, but this will never happen –> utopian view

As a business person, availability will usually trump anything else. If the systems go down, it’s a big problem.

Business perspective:

Availability is king!

The cost of secure operation could be detrimental to the bottom line –> Budgets are fixed, scope is fixed. Business doesn’t like it when you come to them with unannounced costs.

Shell a box vs disruption

Hacker perspective:

Shell == Game Over

Security people can’t validate their findings without exploiting systems

Business perspective:

To business, shell means nothing. How does it link to business impact?

There’s a huge difference in the level of responsibility between a hacker (pentester, etc.) and the people running the business. We say “you must” without thinking about who’s really in charge and responsible for making those choices.

Business doesn’t understand what exploitation or popping a box is. If they think you might take it down then you’ll get delegated to the dev environment to test.

If an exploit is required to validate, we’ll skip that test

Cost vs Completeness

Hacker perspective:

Security guys always want a free scope. When the business says it wants a system tested, it has a focus. Who are we to complain that we’re only focusing on 2% of the environment?

Having the mindset that everything has to be tested doesn’t work all the time.

Business perspective:

Testing on every level isn’t always what’s needed.

Rules for engagement are built from a lack of business understanding… sometimes. This doesn’t mean they’ll change however.

Security people aren’t giving business cases for other things that could or should be tested. Testing everything at once might also not be the best plan. Take things one-step at a time.

“You need to do this because if you don’t you’re stupid” –> not such a good way to convince somebody!

Budget and compliance dictate what’s needed or wanted. PCI only needs specific tests. Educate the business that this isn’t always best.

Scope vs Hackers don’t have a scope

Hacker perspective:

As security people we always hide behind this excuse. If you want that, quit and become a blackhat.

“Scope is a guideline… I’m gonna test it all” –> Taking down a productive AS/400 isn’t a good thing if it’s not in scope. Business downtime == money

SE is out of scope? WHY? Real hackers will attack our people –> Do you know what effect this kind of test has? Maybe the company doesn’t need this organizational and legal issue. SE isn’t always easy and clean from the business standpoint.

Business perspective:

Business doesn’t always know what’s best for them… if they did, they’d already have secured it

Scope creep does not benefit the business –> testing systems outside of scope causes business issues.

Political ramifications of SE is too much for a business to handle sometimes

Downtime vs Patch to secure

Hacker perspective:

It’s just a patch, install it already!

How much revenue will be lost if this threat vector is exploited!

Patching now may reduce downtime due to a breach later

If you’re worried about installing a patch, test it first

This is stupid, why isn’t it automated? –> Hacker “I could script that”

Business perspective:

Downtime isn’t an option –> WAF or other inline patching –> Put a band-aid on it

But we’ve got a Firewall and AV

Attackers are on the outside –> Users on the inside have all the info… aren’t they a threat?

Costs!

We’re a hospital/bank/whatever… we CAN’T go DOWN! –> Not just a technical issue, it’s a reputation issue. Always available!

Feature Release vs Secure Development

Hacker perspective:

It needs to be secure vs it needs to be released

If we fix it now, we’re releasing a secure system and don’t have to fix it later

Delivery timelines can shift

Saving money by fixing now (cite post release 100x bugfix increase cost)

I won’t put my name on THAT <insert tantrum here>

Business perspective:

Delaying the release may jeopardize our Go To Market strategy

Fixes can be applied post release –> Hotfix, next minor release –> Hope nobody finds that vuln before the patch is out!

Development & QA time costs money

May lose money by fixing it now –> Lose customers, lose deals

Feature profits fund future development and also security enhancements –> once it sells, we’ll secure it

Compromise Disclosure vs Potential financial devastation

Hacker perspective:

We should be open and tell our customers

It’s our duty to report flaws to vendors and the public

Business perspective:

This could jeopardize future and current business –> no business, no security, no job!

Let somebody else report it

We’re in business to make money not report vulnerabilities

We got hit, but nothing sensitive was accessed –> SURE ;)

Compliance vs Security

Hacker perspective:

Compliance is NOT security!

Compliance should be a by-product of being secure

Compliance is stupid and somebody else’s problem

Business perspective:

Compliance initiatives fund security products and tests –> need to test to achieve a tick in the right box

Our customers require us to be certified… not secure

Achieve compliance and security should follow! –> isn’t this the wrong way around?

Not enough money for both… business has to be compliant!

The way to fix the problem

Business want it all neat and pretty…. hackers want the real info no matter how messy it is!

Business needs to

Understand that:

  • Hackers are intelligent people who are responsible enough to be educated on the business and its issues
  • Business has a large moving target to keep up with and need effective direction
  • Hackers are their first and last line of defence / They defend your paycheck and require your support
  • Getting the understanding
  • ….

The business keeps moving, and the workload to keep up with new threats, systems and technologies is a big issue. Business also doesn’t want to be the one up till 4am dealing with system security. If it’s working then nobody cares…. no-win situation!

Hackers need to

Understand that:

  • Learn more about the business, its opportunities and how cost plays into the decision process
  • Identify the political challenges and pose their problems/solutions in a manner that fits
  • Talk in a language that business understands
    • Mimic terms used by business
    • Cut down on the techno babble

Both need to

  • Learn to respect and tolerate the others skills and problems
  • Recognize that both camps bring value
  • Realize that neither camp should dictate best practices but rather agree on best practice
  • Understand that they have the same goals but start off on opposite sides to get there

Ask yourself what you’ve done to bridge the gap between security and management?

[BSidesLV] Multi-Player MetaSploit

Multi-player Metasploit – Ryan Lynn

Note: The talk was cut to 30 minutes due to technical issues

There’s no easy way to record information for sharing currently built into Metasploit and other tools

The current solution is to complete a task and then upload and share through another tool (e.g. Dradis or other wikis).

This isn’t real-time data and relies on people actually uploading the information.

Metasploit already offers Database support. By using the XMLRPC extension you can pass data directly to Metasploit about tasks and upload information.

This makes all information actionable and real-time. Results aren’t forgotten or outdated. They are the most recent version available.

Types of Objects

  • Workspaces
  • Hosts
  • Services
    • maps to hosts
  • Vulnerabilities
    • maps to hosts
    • maps to services
  • Notes
  • Events
    • List of executed tasks –> added by Metasploit
  • Loots
    • Captured credentials etc…
  • Clients
    • Client-side information
  • Users

All of these objects contain information on what has been found and is actionable.

Demo –> Multi-player Metasploit

Importing of data directly from nmap, nikto, nessus, qualys and other tools

Nikto logs each finding directly into the Metasploit database putting each finding in as a separate section.

Interaction with BeEF allows for profiling of client systems and logs the information for clients into the database. If vulnerable client-side software is found the vulnerabilities are also entered into the database.

By importing information from all these scans and checks, it’s possible to put together a single database and report based on the findings of each tool

[BSidesLV] Injecting Simplicity not SQL

Injecting Simplicity not SQL – David Rook

Talk not aimed at specific vulnerabilities or new attack vectors.

AIM: Try and provide an answer to the problems in application security

  • It’s broken lets fix it
  • The current approach
  • The principles of secure development
  • The principles approach is working

Secure Development is broken

We aren’t progressing. SQL Injection is 10 years old, XSS is 11 years old. These are still problems after more than a decade.

SQL and XSS accounted for around 31.65% in 2010, and have accounted for around a third of all CVE numbers over the last few years.

Note: CVE numbers only show publicly available exploits

This shows a lack of application security progress.

WASC Web Application Security Statistics offers another option to the CVE numbers, but is again a limited dataset (around 33,000 sites checked)

Verizon Data Breach Investigations Report 2010 states that 89% of all data breaches are attributable to SQL Injection.

The Current Approach

Developers aren’t taught how to develop secure code, they’re taught how to exploit flaws using things like WebGoat. This doesn’t teach them how to prevent this however.

What if we used that method to teach driving? We don’t take a learner driver and teach them how to crash into a wall in the hope they learn how to avoid it. But that’s the method we’re currently using to teach developers.

The use of lists such as the OWASP Top 10 is contributing to the problem. They have their place, but for a developer looking to learn how to write secure code they cause confusion.

Between lists the terms don’t match. This adds to the confusion. By looking at the name it’s also hard to find what the real vulnerability is. Between the 3 major lists there are 45 entries (41 unique names). Web Developers pointed to these lists are confused.

Philosophical Application Security

Give a man a fish…..

Teach a developer about the vulnerability and he can protect against it.

Teach a developer how to develop secure code, and he can write secure code.

What do we need

Put the application security horse before the cart

The principles of secure development

  • Input Validation
  • Output Validation
  • Error Handling
  • Authentication and Authorisation
  • Session Management
  • Secure Communications
  • Secure Storage
  • Secure Resource Access
  • Auditing and logging

Input Filtering

Understand the data your application accepts and set data types. Understanding the input allows you to restrict input.

Find the input locations of your application. This is becoming harder and harder, but to secure an application you need to know where the data comes from.

Information to have about all your input points

  • Type
  • Length
  • Size

Obviously the use of regex and white-listing is preferred, but not always possible (speed, complexity, …)

Canonicalisation –> make sure to decode the string before validation

Demo –> Input Validation (See website for demo videos)
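
The canonicalisation point above, as an added example (not code from the talk): a deny-list run on the still-encoded string passes an encoded traversal sequence, while decoding to a fixed point and NFKC-normalising first, then allow-listing with a regex, rejects it. The `filename` parameter and its allow-list are assumptions made up for the example.

```python
import re
import unicodedata
from urllib.parse import unquote

# Allow-list for a hypothetical "filename" parameter (constructed for this example):
# letters, digits, dot, dash and underscore, 1 to 64 characters.
FILENAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def canonicalise(value, max_rounds=3):
    """Reduce the input to one canonical form before any check runs: URL-decode
    repeatedly until the value stops changing (catches double encoding), then apply
    Unicode NFKC so full-width look-alikes such as U+FF0F become plain ASCII '/'.
    Input that is still changing after max_rounds is rejected outright."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    else:
        raise ValueError("input still changing after %d decode rounds" % max_rounds)
    return unicodedata.normalize("NFKC", current)


def validate_filename_naive(value):
    """The wrong order: a deny-list applied to the raw, still-encoded string.
    '%2e%2e%2f' contains neither '..' nor '/', so it passes here and only turns
    into '../' when the framework decodes it afterwards."""
    return ".." not in value and "/" not in value and "\\" not in value


def validate_filename(value):
    """Canonicalise first, then allow-list the whole value with the regex."""
    try:
        canonical = canonicalise(value)
    except ValueError:
        return False
    return FILENAME_RE.fullmatch(canonical) is not None
```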

Output Validation

Understanding what you’re outputting to the user. Knowing where your data is going to end up.

Make sure it’s encoded correctly depending on where the output appears.

Make sure you’re filtering data that shouldn’t be displayed back (i.e. credit card numbers are totally or partially starred out)

Don’t rely on input validation alone. Where does your data come from?

Demo –> Input Validation (See website for demo videos)
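
The two output rules above, as an added example (not the talk’s code): the same untrusted values are encoded differently for an HTML attribute, HTML text, a URL query value and a JavaScript string, and card-like numbers are masked before they are echoed back. The `render_profile` fragment and the `PAN_RE` pattern are constructed for this example.

```python
import html
import json
import re
from urllib.parse import quote

# Matches 16-digit card-style numbers written as four groups with optional spaces or dashes
# (constructed for this example; a real PAN filter would also check the Luhn digit).
PAN_RE = re.compile(r"\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})\b")


def mask_pan(text):
    """Replace each card-like number so only its last four digits reach the page."""
    return PAN_RE.sub(lambda m: "**** **** **** " + m.group(4), text)


def encode_for(context, value):
    """Encode untrusted text for the exact place it is about to be written."""
    if context in ("html", "attr"):
        # & < > " ' become entities, so the value can close neither a tag nor a quoted attribute.
        return html.escape(value, quote=True)
    if context == "js":
        # A JSON string literal is a valid JS string literal; < > & are written as \uXXXX so
        # the value can neither end a surrounding <script> element nor inject markup.
        return (json.dumps(value)
                .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))
    if context == "url":
        # Percent-encode everything except unreserved characters for use as one query value.
        return quote(value, safe="")
    raise ValueError("unknown output context: %r" % context)


def render_profile(display_name, note, next_url):
    """One HTML fragment that places the same untrusted inputs into four different contexts."""
    safe_note = mask_pan(note)  # filter what must not be echoed back, then encode
    return (
        '<p title="%s">%s</p>\n'
        '<a href="/next?to=%s">continue</a>\n'
        "<script>var who = %s;</script>"
    ) % (
        encode_for("attr", display_name),
        encode_for("html", safe_note),
        encode_for("url", next_url),
        encode_for("js", display_name),
    )
```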

Error Handling

Even the best programmer has to handle exceptions.

If you don’t handle exceptions then the information returned to the user can be really helpful to an attacker.

Returning ODBC or SQL error messages is good for an attacker.

No error handling == Information leakage

Demo –> Input Validation (See website for demo videos)

Authentication and Authorisation

When you’re designing the application, break it down into different sections and ensure that an authentication and authorisation check is in place. Beware of horizontal (user to other user) and vertical (user to admin) privilege escalation.

Are passwords right for your application? If not use something else.

If you are using passwords, make them complex and securely stored (hashes instead of clear text storage)

Password reset questions need to be something more complex than “mothers maiden name”

CAPTCHA –> Need to be implemented correctly. Can you bypass it and directly call the function/activity behind it?

Maybe re-authenticate for things like money transfer

Session Management

Make sure to use well-tested SessionIDs. Use the biggest character set possible, with sufficient entropy.

Don’t roll your own, use a known and accepted system.

Protect SessionIDs using things like SSL/TLS.

Don’t pass a SessionID using clear text (don’t drop to HTTP after logon)

Issue a new SessionID for things like account transfers.

Make sure to set limits and expiration
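
The session rules above, as an added example (not the talk’s code): ids come from the OS CSPRNG, every lookup enforces an idle and an absolute limit, the id is rotated without extending the absolute deadline, and the cookie is marked so it never travels over clear-text HTTP. The store, timeouts and injectable clock are assumptions made up for this example.

```python
import secrets
import time

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG, URL-safe base64 encoded
IDLE_TIMEOUT = 15 * 60           # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard lifetime regardless of activity


class SessionStore:
    """In-memory session store; the clock is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # session id -> {"user", "created", "last_seen"}

    def create(self, user_id, created=None):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._now()
        self._sessions[sid] = {
            "user": user_id,
            "created": created if created is not None else now,
            "last_seen": now,
        }
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None. Expired entries are dropped on sight."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._now()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, sid):
        """Retire sid and issue a fresh id bound to the same user and the same absolute
        deadline. Call this on login and again before a sensitive step such as a transfer."""
        if self.lookup(sid) is None:
            return None
        rec = self._sessions.pop(sid)
        return self.create(rec["user"], created=rec["created"])

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value that keeps the id off clear-text HTTP and away from script."""
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Strict" % sid
```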

Secure Communications

Protect data in transit

Avoid things like DES and SHA-0

SSLv2 is bad…. use TLS

Don’t mix secure and insecure together

Secure Storage

Protect data when stored

Use known and accepted encryption

Don’t store data in places where you can’t be confident it is secure –> Client side, isn’t secure

How strong should your storage protection be –> depends on what you’re securing

Store, rotate and destroy encryption keys –> policy and process in place

Secure Resource Access

A bit of a catchall for things that don’t fit elsewhere

Don’t rely on security through obscurity

Patching, setting permissions correctly and hardening your servers

Auditing and Logging

Log records you should be logging –> failed logons etc

Make sure the info is enough for your forensic/incident handling process

Don’t store things you shouldn’t –> credit card info, passwords etc.

Monitor for changes using tripwire

Conclusions

Follow a small, repeatable set of principles

Try not to focus on specific vulnerabilities

Make sure everybody knows where and what they’re meant to be doing

If your secure development training doesn’t change the way your developers code, you’ve failed

Blackhat/BSides/DefCon

I’ve been putting off my selections for this year’s Blackhat/BSides/DefCon for as long as I could, for a number of reasons. The biggest is that I have absolutely no idea where I should be and what I should be trying to see. As if things weren’t already confusing enough, this year’s conference schedules are even more packed than last year’s. More tracks at Blackhat, and the addition of BSides (which I totally missed last year).

Still, I guess it’s about as late as it can be, and it’s time to put down a few key presentations that I hope to see. I’m going to limit myself to 3 per conference, as after last year, I know that seeing the talks isn’t as easy as it seems ;)

  • Ivan Ristic: State of SSL on the Internet: 2010 Survey, Results and Conclusions
  • Nathan Hamiel, Marcin Wielgoszewski: Constricting the Web: Offensive Python for Web Hackers
  • Barnaby Jack: Jackpotting Automated Teller Machines Redux

  • Dave Kennedy (Rel1K): SET 0.6 release with special PHUKD Key
  • frank^2: Fuck Tools, Do It yourself Jerk
  • Frank Breedijk, Ian Southam: The road to hell is paved with best practices

  • Ed Schaller: Exploiting WebSphere Application Server’s JSP Engine
  • Joseph McCray: You Spent All That Money And You Still Got Owned…
  • Chema Alonso, José Palazón “Palako”: FOCA2 – The FOCA Strikes Back

I’ll be in town a few days before the conference to take part in some training… so if anybody is about and wants to catch up for some drinks, just shoot me a message.

Looking forward to seeing you all in Vegas…

NinjaCon round-up

I had a great time this past weekend in Vienna attending NinjaCon (formerly known as PlumberCon). Alongside a whole pile of interesting presentations, there was a great deal going on alongside the main talks. Day 0 included a number of workshops including one covering penetration testing. It was interesting to sit in and talk to others in Vienna interested in the topic. It was unfortunate that Joe McCray was unable to run the training, but Oliver from ERNW stepped in to save the day, and had some good tips to offer.

As usual I was “speed blogging” from the event, so there are a few blog posts covering the main points of the talks I attended. I hope you find them entertaining, and at least mildly useful. The talks were streamed live and recorded, so if you get the chance to see the video or view the slides of these presentations I’m sure you’ll appreciate them.

My good friend fish_ (no jokes about chips please), took some great panoramic photos at the conference and was nice enough to let me post a couple here. WerkzeugH is a great venue, so even these pictures don’t do it full justice. Extra points if you can spot me in either picture!

Here’s to NinjaCon 2011…. bigger, better… more Ninja than ever before!

Day 1 :

Day 2 :

[Plumbercon/Ninjacon] How to stay invisible (still using cellphones)

How to stay invisible (still using cellphones)

Kugg

Synopsis

It is a well known fact that cell phones are the most common way of pinpointing identity, to position and set up a social diagram of an individual under investigation. In this talk, we will learn how to position cell phones using SMS-submit messages from an SMSC and how to position cell-IDs using a phone. These are known methods of positioning. Also, the audience will gain knowledge on how to stay anonymous and avoid getting your MSISDN (cell phone number) identified in the first place. ETSI standards of lawful interception tell half the story on how IMEI, IMSI and MSISDN are logged and tracked together with a position to find out your location. You will learn how to change an IMEI number on your phone as you change IMSI by switching between different low-cost prepaid SIM cards to be able to fly under the radar.

GSM Phone Privacy

7 Attacks that everybody could perform against GSM

ETSI Lawful Interception

The standard itself isn’t public, but a working draft can be found at http://eu.sabotage.org

Establishes a form for Lawful Interception requests. The 4 main pieces of information that can be requested are:

  • IMSI (Unique SIM identifier)
  • IMEI (Mobile Phone manufacturer, model, and unique identifier)
  • MSISDN
  • Time

ICCID is made up of 5 parts: System code, MCC, MNC, Subscriber number, check digit

In some cases (such as the recent AT&T hack) it’s possible to transform the ICCID information into an IMSI number.

ETSI LI SMS Interception

Normally the agency performing the interception will receive copies of all SMS sent and received. This however isn’t always possible when the phone is roaming. Arrangements are not in place between countries to share this kind of LI information.

HLR (Home Location Register) Lookups

As presented at CCC in recent years, it’s possible to track a user using a number of online services. These services cost less than €10 to provide tracking services.

One possible service is http://routomessaging.com/

IMSI and IMEI Database

IMSI and IMEI information get associated and stored in a database. Switching SIMs isn’t enough, as once an IMSI and IMEI are linked, the phone can be tracked even when a new SIM is put into it. Changing the SIM and the phone together is one method of defeating this, unless you can change the IMEI on a phone.

Nokia had a tool to change the IMEI and other settings on older phones (3310). This isn’t always legal however. Check your local laws.

Sim Card scanning/cloning

Older attack (used by Mitnick, way back).

SIM card cracking/scanning is used to create a SIM card clone

Simcard clones can be used in regular handsets

Operator settings are exposed (and can be modified in the clone)

Older Simcards are prone to this attack using tools like SIMeasy

You can crack the encryption and write the cloned SIM card information to wafer cards (Phoenix or Smartmouse).

If you clone a sim, the last person to register on the network gets incoming calls, the other is ignored.

Prepaid simcards

Some operators need to see ID (and photocopy the ID) before buying a sim. This ID can then be provided to any agency when requested.

50% of all simcards are pre-paid

Hacked Firmware

Nokia 3310 hacked firmware (Nokia 3310 spyphone).

When activated, the phone will accept any inbound call without notifying the user. This could be used to spy on people and record conversations. As the firmware is available on Rapidshare, it can be modified for other uses.

UAE LI Blackberry –> http://news.bbc.co.uk/2/hi/8161190.stm

The UAE also rolled out a hacked Blackberry firmware that caused issues on people’s Blackberry phones.

Hijacking Mobile Data Connections

Changing the http proxy settings of a user. See http://www.mseclab.com/?p=146

Use IMSI to figure out the operator and correct settings

Possible methods of deployment

  • OTA – Over The Air provisioning
  • iPhone .mobileconfig
  • Possible on Android also

Protecting yourself – Solutions

Make your own rules

  • Who are you giving your number to?
    • They can track you
  • When do you change your IMSI/IMEI?
    • You need to change them at the same time to avoid a trail
  • What number do you give to your mother?
    • Easy to find a link between your family and you using simple checks

Giving out your number is giving out your location

Acceptance of updates may lead to data eavesdropping

Pre-paid cards from abroad make things more complex for legal interception

Links :

  • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/50
  • UAE LI Blackberry –> http://news.bbc.co.uk/2/hi/8161190.stm
  • ETSI Lawful Interception –> http://eu.sabotage.org
  • Hacking Mobile Data Connections –> http://www.mseclab.com/?p=146
  • HLR Lookups –> http://routomessaging.com/
  • http://routomessaging.com/SMS-services/sms-hlrlookup.pmx
[Plumbercon/Ninjacon] Visualization for IT-Security

Visualization for IT-Security

L. Aaron Kaplan

Synopsis

This talk will present visualization techniques for IT-security events and incidents.

Conficker demonstrated that sinkholing botnets and logging relevant IT-security events on a massive scale is a powerful weapon for mitigation and remediation. However, naturally these data collections quickly grow to sizes too large to understand or handle. Visualization can prove to be an invaluable tool for the IT security handler to gain insights into the dimensions of a problem as well as for management and even politicians.

Therefore this presentation will show – based on a concrete example – how we can extract understandable information out of a multitude of data sources. The concrete example will deal with DNS, DNScap and NFSen/NFDump visualizations. Since DNS is a hidden treasure box for IT Security and since DNS requests can hint to lots of problems (misconfiguration as well as abuse), visualizing DNS is in our opinion a promising fresh approach.

Finally, a list of practical tools will be presented, which participants can use in their own organizations and thus improve their own incident handling.

Talk from the recent FIRST.org conference in Miami, FL

“This talk is about making nice pictures….. and why we need that”

Last year CERT.AT did some work on tracking Conficker by sinkholing traffic heading to certain .AT domains and tracking it. The information was easy to gather, but the visualization effects presented were something people thought was amazing.

Google Spreadsheets now offers visualization tools to track and display information over time.

Motivation

“A picture is worth 1000 log records” (R. Marty)

We have too much data, info explosion

Visualization can explain it all to your Grandpa/father/mother/partner…

Target Groups

  • Users
  • Management, Sales, Politicians
  • Operational Staff
  • Researchers

These users have different needs depending on what they need to do with the information

Visualization isn’t new however. Otto Neurath was doing it long before most of us were alive.

There’s not enough of this kind of visualization going on. Things need to improve.

Tools

  • Graphviz
  • Maxmind GeoIP
  • Logster
  • Gapminder (Google Gadget)
  • Google Earth
    • Import XML data to show placemarks
  • Unix Filters
    • (cut, sort, uniq -c, sort, gnuplot)
  • processing.org
  • DAVIX CD

Sometimes using a simple line graph shows nothing but a few large key spikes. Using other visualization techniques helps to show the full picture.

Do more visualization!

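The “cut, sort, uniq -c, sort, gnuplot” pipeline from the tools list, as an added example (not the talk’s or CERT.AT’s code) applied to the DNS sinkhole case the talk describes: queries to sinkholed domains are counted per hour for a gnuplot time series, and per domain with the number of distinct clients behind each. The log format, the sinkhole suffixes and the sample lines (TEST-NET addresses, made-up domains) are all constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed query log, one line per DNS request: "<ISO timestamp> <client IP> <qtype> <qname>".
# Addresses are TEST-NET ranges and the domains are invented; none of this is real sinkhole data.
SAMPLE_LOG = """\
2010-06-19T10:01:02 192.0.2.10 A ab12cd.sinkhole-a.example
2010-06-19T10:01:07 192.0.2.10 A ab12cd.sinkhole-a.example
2010-06-19T10:03:41 198.51.100.7 A qq9zz.sinkhole-b.example
2010-06-19T10:15:00 203.0.113.5 MX mail.legit.example
2010-06-19T11:02:13 192.0.2.10 A ab12cd.sinkhole-a.example
2010-06-19T11:02:15 198.51.100.7 A ab12cd.sinkhole-a.example
2010-06-19T11:40:59 198.51.100.9 A qq9zz.sinkhole-b.example
2010-06-19T12:00:01 203.0.113.5 A www.legit.example
"""

# Zones pointed at the sinkhole (assumed for the example).
SINKHOLE_SUFFIXES = (".sinkhole-a.example", ".sinkhole-b.example")


def parse_line(line):
    """Split one log line into (timestamp, client, qtype, normalised qname)."""
    ts, client, qtype, qname = line.split()
    return datetime.fromisoformat(ts), client, qtype, qname.lower().rstrip(".")


def is_sinkholed(qname):
    return qname.endswith(SINKHOLE_SUFFIXES)


def summarise(log_text):
    """Aggregate sinkhole hits three ways: per hour, per domain, and the set of clients per domain."""
    per_hour = Counter()
    per_domain = Counter()
    clients_per_domain = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _qtype, qname = parse_line(line)
        if not is_sinkholed(qname):
            continue  # ordinary traffic is not part of the picture
        per_hour[ts.strftime("%Y-%m-%dT%H:00")] += 1
        per_domain[qname] += 1
        clients_per_domain[qname].add(client)
    return per_hour, per_domain, clients_per_domain


def gnuplot_series(per_hour):
    """'hour count' rows sorted by time, the same shape 'cut | sort | uniq -c' would produce."""
    return "\n".join("%s %d" % (hour, n) for hour, n in sorted(per_hour.items()))


def top_domains(per_domain, clients_per_domain, n=5):
    """(domain, hits, distinct clients) for the n busiest sinkholed names; a high hit count
    from one client and the same count spread over many look very different on a plot."""
    return [(d, hits, len(clients_per_domain[d])) for d, hits in per_domain.most_common(n)]
```
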
Links :

  • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/57
  • CERT.AT –> http://cert.at
  • Otto Neurath –> http://en.wikipedia.org/wiki/Otto_Neurath
  • ISOTYPE –> http://en.wikipedia.org/wiki/Isotype
  • processing.org –> http://processing.org
  • DAVIX –> http://www.secviz.org/node/89
[Plumbercon/Ninjacon] CSN.OR.AT Community Sense Net – Honeypot+

CSN.OR.AT Community Sense Net – Honeypot+

Florian Eichelberger

Synopsis

Since Clifford Stoll created the first honeypots in 1989 to safely investigate attacks to computer systems, honeypots have been all around. Although they have been refined and extended, fundamental problems in either attack coverage or visual representation have been plaguing those systems. CSN.OR.AT was an ISPA funded project to address those two issues and provide the necessary information and software to build the honeypot+ discussed in this talk.

Project is now renamed to Honeypot++

Project was started and sponsored by ISPA (Internet Service Provider Austria)

The project tries to be more user friendly and business friendly, using open-source reporting engines to allow for a more graphical representation of the information.

The infrastructure uses a VPN to communicate back from the Honeypot to a central station.

100% based on open-source software

  • Amun Honeypot
  • Python
  • Debian
  • Snort IDS
  • Surfnet IDS

Includes an SMTP honeypot. The domain exists, but isn’t listed anywhere. This means that any incoming email is considered malicious. The SMTP honeypot is written in Python.

Many of the attacks seen are VERY outdated (e.g. Symantec buffer overflows). Most examples provide links to malicious websites instead of sending actual exploits through emails (which are usually filtered).

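What the SMTP honeypot side can pull out of one such message, as an added example (not the CSN.OR.AT project’s code): every mail is treated as hostile, so the collector records the URLs in the text parts and the MD5 of each attachment, the two indicators the project’s search service keys on. The sample message, its domains and the helper names are constructed for this example.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed message standing in for what an unlisted-domain SMTP honeypot receives.
# The attachment body is just base64("abc"); ".invalid" domains are reserved and never resolve.
SAMPLE_MAIL = """\
From: "Billing" <billing@sender.invalid>
To: nobody@honeypot.invalid
Subject: Invoice 4711
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Your invoice is ready: http://payload.invalid/inv.php?id=4711
Mirror: HTTP://payload.invalid/inv.php?id=4711
--XYZ
Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.exe"

YWJj
--XYZ--
"""


def md5_hex(data):
    """Hex MD5 of an attachment body, the key used for a sample lookup."""
    return hashlib.md5(data).hexdigest()


def normalise_url(url):
    """Lower-case scheme and host only, drop any fragment; path and query keep their case."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))


def extract_indicators(raw_message):
    """Walk every MIME part: URLs from text/plain bodies, name/size/MD5 from attachments."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            body = part.get_payload(decode=True)  # transfer-encoding removed
            attachments.append({"filename": part.get_filename(),
                                "size": len(body), "md5": md5_hex(body)})
        elif part.get_content_type() == "text/plain":
            urls.update(normalise_url(u) for u in URL_RE.findall(part.get_content()))
    return {"subject": str(msg["subject"]), "urls": sorted(urls), "attachments": attachments}
```
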
Most attacks originate from:

  • China
  • Russia
  • Ukraine
  • Malta
  • Bulgaria
  • Austria
  • ….

Statistically, the top 3 attacks seen are:

  • TR/Crypt.XPACK.Gen
  • TR/Dropper.Gen
  • WORM/RBot.147456.27

Most exploits are for DCOM/LSASS/ASN.1 failures in Windows systems. Most of these flaws have been patched by Microsoft for years, but are still being exploited.

Statistics and Top-Lists are provided in XML format from the homepage.

Malware samples are available on request, for research purposes

Newly added service

http://search.csn.or.at

Provides a search by IP or MD5… more searches coming

  • MD5 of a malware sample is checked against the CSN database of seen malware
  • IP search checks whether attacks against the honeypot have been seen from this address

Future Outlook

  • More sensors
  • Integration of high interaction honeypots
  • Install a sensor, get the reports for free –> take part in the project
  • Possible interaction with DShield

Links :

  • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/57
  • Twitter – Florian Eichelberger –> http://twitter.com/florensik
  • Community Sense Net –> http://csn.or.at
  • Community Sense Net Search –> http://search.csn.or.at
  • Eurotrash MicroTRASH interview –> MP3
  • Amun Honeypot project –> http://amunhoney.sourceforge.net/
  • SURFids –> http://ids.surfnet.nl

[Plumbercon/Ninjacon] Security in a changing world

    Security in a changing world – bringing security-sense to virtualized desktop environments

    Dror-John Roecher

    Synopsis

    Server virtualization has become commonplace and even security has picked up on the subject and established a common understanding of good security practice for virtualized server environments. But a new virtualization trend rises above the horizon – so-called ‘Client’ or ‘Desktop’ virtualization. Whereas the scope of server virtualization was limited to the datacenter (and in some context stretched towards the location and ownership of the datacenters, e.g. in the context of cloud-based services), these new client computing approaches easily cross all existing logical and geographical boundaries within our computing environment. They enable a whole set of new services and delivery methods, flexibility in time, location, underlying hardware, operating system and presentation format. All these changes need to be addressed and constructively accompanied by security.

    The presentation will detail concepts of client/desktop virtualization for security people, enabling them to understand what the technology does, how it does it and why businesses rush to introduce it. We will go on to discuss security of different solution architectures and establish some basic guidelines on choosing ‘the right stuff for the situation’. These two parts of the presentation serve as a foundation for an abstracted discussion on how to tackle the big changes from a security perspective. How is security changing, what are we doing wrong, what are we doing right and how should we change the way we look at and apply security. Let’s call this ‘change the spirit of security’.

    Where does corporate IT stand today

    Our wish is to use products in a secure way, align business and IT objectives and have this all transparent to the end-user, compliant, etc….

    The reality however is very different. Many security staff see security as a value in itself. They have no link to business functions and no understanding of business needs.

    Broken products, run by people without proper skill-sets, overburdened with too many tasks

    Clinging to the “never change a running system” paradigm – common excuse to never change, move or think and evolve

    Computer budgets are out of control – value of security is not evident

    CxO on IT:

    • Cheap to buy and operate
    • Needed for business, but no value in itself
    • Should be easily exchangeable
    • OPEX, not CAPEX

    Users on IT:

    • Corporate-provided tools often unfit for the job
    • Wish for “freedom of tools”, “freedom of time and location”
    • Cisco Strategy: “Anytime, Anywhere, Anydevice, Anyapp, Anydata…” moving towards collaboration

    Client Virtualization 101

    At least five distinct technologies fall under the label:

    • Local OS Virtualization
      • Have your local OS Virtualized
    • Remote OS Virtualization
      • Move the Virtualized Guest to the DataCenter
    • Application Virtualization
      • Package sandboxed applications and remove the need for local installs
      • Restrict access from the application to the OS
      • Example: Microsoft Office 2010 Click-to-Run
    • User Profile Virtualization
      • Decouple all users settings from the OS
      • Allows users to easily move between systems and maintain the same environment
    • Presentation Virtualization
      • Run everything remotely and provide access to the remote user
      • Example: Citrix

    Remote OS Virtualization

    Pros & Cons

    • + Clients are always accessible for IT-Staff
    • + Performance on demand
    • - Storage needs

    Security architecture depends on the protocol used (PCoIP, RDP, RGS)

    Threat and vulnerability analysis –> difficult and complex because of the layered architecture (broker, gateway, display protocol, guest), and the outcome is questionable

    Vendors are quick to respond that their solutions are secure; however, even they often fail to understand the real risks (example: “it uses SSL”, without knowing who validates whom… the client, the server, or both?)
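    To make the “who validates whom” question concrete, here is an added example of my own (not from the talk, and not any vendor’s code) using Python’s ssl module: the weak “it uses SSL” client configuration beside a hardened one, a server context with and without client-certificate validation, and a small audit that reports which side actually validates which. The file-name parameters and the wording of the findings are my own assumptions.

```python
"""Who validates whom on a TLS-protected desktop-delivery path, using Python's
ssl module. Added example, not from the talk; audit rules and the placeholder
file names are my own assumptions."""
import ssl
from typing import Dict, List, Optional


def weak_client_context() -> ssl.SSLContext:
    """The "it uses SSL" setup: traffic is encrypted, but the client validates
    nothing, so anything on the path can impersonate the connection gateway."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client validates the server: chain to a trusted CA plus hostname match."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True;
    # a cafile pins trust to the enterprise CA instead of the whole OS store.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def server_context(require_client_cert: bool, certfile: Optional[str] = None,
                   keyfile: Optional[str] = None,
                   client_ca: Optional[str] = None) -> ssl.SSLContext:
    """Server side. With require_client_cert the server also validates the
    endpoint (mutual TLS): only devices holding a cert from client_ca connect."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:                     # placeholder paths; load real material here
        ctx.load_cert_chain(certfile, keyfile)
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
        if client_ca:
            ctx.load_verify_locations(client_ca)
    return ctx


def who_validates_whom(client: ssl.SSLContext,
                       server: ssl.SSLContext) -> Dict[str, bool]:
    """Answer the talk's question directly from the two contexts' settings."""
    return {
        "client_validates_server": client.verify_mode == ssl.CERT_REQUIRED,
        "client_checks_hostname": bool(client.check_hostname),
        "server_validates_client": server.verify_mode == ssl.CERT_REQUIRED,
    }


def audit(client: ssl.SSLContext, server: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise; an empty list means both sides validate."""
    v = who_validates_whom(client, server)
    findings: List[str] = []
    if not v["client_validates_server"]:
        findings.append("client accepts any server certificate: MITM on the "
                        "display-protocol path goes unnoticed")
    elif not v["client_checks_hostname"]:
        findings.append("client verifies the chain but not the name: any cert "
                        "from the same CA impersonates the gateway")
    if not v["server_validates_client"]:
        findings.append("server does not authenticate the endpoint: any device "
                        "with stolen user credentials can connect")
    for role, ctx in (("client", client), ("server", server)):
        if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
            findings.append(f"{role} still allows TLS < 1.2")
    return findings


if __name__ == "__main__":
    print(audit(weak_client_context(), server_context(False)))
    print(audit(hardened_client_context(), server_context(True)))
```

    The point of the audit function is the one the talk makes: “SSL is on” says nothing about trust. Server-only validation protects the user from a fake gateway, mutual validation additionally protects the gateway from an unmanaged endpoint, and CERT_NONE on the client gives encryption without any authentication at all.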

    Adapt to a changing world

    Risk has failed us – what we actually rely on is trust

    Risk analysis has mostly failed –> even in finance, where there is a lot of statistical information to work with

    • The question boils down to: do you trust the technology? The provider? The source of the information?

    Our security concepts are based on location. With Client Virtualization, the clients are in motion. This creates a new set of problems!

    Replace location-based security with content-based security

    Replace prohibition with enablement

    • Blocking access to things like Skype or ICQ doesn’t solve the problem
    • Enable employees to use them in a secure way and within the company policies

    Replace band-aids with root-cause treatment

    • Many systems, such as application firewalls, NAC, etc., are band-aid solutions
    • Implement long-term solutions such as Secure Application Development, Innate data integrity, …

    Fight operational stupidity

    • Single employee responsible for high-end, high-cost systems
    • Separation of duties… A and B must both check… but A stands in for B during holidays and vice versa!

    Less is more – Focus on the basics and do this right! –> don’t build the Winchester House of Security!

    Accept that business will always break security

    • If there’s a good business reason, the business will do it regardless of security
      • Security can’t just say no… it has to provide solutions

    Start embracing change

    • Change is a chance
    • Embrace change, by starting to change your mind-set about change

    Links :

  • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/58