Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: BSidesLondon

Defense by Numbers: Making problems for script kiddies and scanner monkies

Since early 2012 I’ve been working on a simple theory…

The Theory:

By varying [response|status] codes, it should be possible to slow down attackers and automated scanners.

If you’ve met me at a conference any time in the last year I’ve probably talked about it at length and bored the hell out of you (sorry about that BTW).

After researching a number of aspects of this theory I put forward a presentation for BSidesLondon to talk about my findings and how it might be applied to application defense.

The topic can be a little complex due to the various ways browsers handle [response|status] codes. Even within a specific browser the handling of different content types varies. JavaScript is a prime example of that. Where as a browser will happily show you a webpage received with a 404 “Not Found” code, the same browser may not accept active script content with the same code.

During testing I also discovered a couple of interesting issues with Proxy servers that could be used by attackers to expose credentials… as well as some very interesting browser quirks that are probably only interesting to a handful of people. Still, I like edge-case stuff, it’s weird and that suits me just right ;)

BSidesLondon Abstract

On the surface most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniformed fashion. Under the surface however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows for intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see.
This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will be given that show specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide scale scanning of websites

If the topic is something that interests you (and I’m sure there’s a lot more research to be done here) feel free to take a snoop at the slides… The talk was recorded also, so keep an eye on the BSidesLondon website and twitter feed for information on the video/audio release.

 

 

Links:

  • Some thoughts on HTTP response codes –> HERE
  • Privoxy Proxy Aauthentication Credential Exposure [cve-2013-2503] –> HERE
  • mitm-proxy scripts used in testing –> HERE

BSidesLondon 2013

It’s been a while since I’ve had the chance to update the blog, and that makes me a sad panda… still, sometimes life gets in the way of the really important stuff. Plus, nobody really reads this crap anyway right!

Still, pleasantries aside, next week is BSidesLondon (and a couple of events that run alongside it, such as 44cafe, and that small $vendor thing called InfoSec Europe). I was lucky enough to get selected as one of the speakers for this years event, and despite not dressing up like a gay biker, I hope the talk will be interesting. So, if you like number, weird edge cases, or innovative ways to protect web applications, come along to my talk and let me know what you think!

  • Defense by numbers: Making problems for script kiddies and scanner monkeys

Chris John Riley
Track One 12:45 – 13:30

On the surface most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniformed fashion. Under the surface however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows for intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see.
This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will be given that show specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide scale scanning of websites

Just to warn those brave souls to plan to attend… I have LOTS of slides… it could get messy ;) I’ll try to put my slides up on Slideshare prior to the talk so people can follow along if they want.

Anyway, as part of the build-up to the conference I wanted to list a few of the talks I’m really looking forward to seeing (time permitting).

  • Pentesting like a Grandmaster

Abraham Aranguren
Track One 10:15 – 11:15

Chess is a complex game: The number of permutations is just too great to compute the best possible move during a game. This is similar to pen testing in that we also have too many vulnerabilities to find and choose from not only on a 1 by 1 basis but also how we would chain them together like a real attacker. Chess players must analyse efficiently to beat time constraints like pentesters but unlike pentesters they have been doing this for a long time.

Abraham’s talks are always interesting, and I expect nothing less from his latest talk. He seems to have a unique way of looking at things and from a sneak peek at his slides, I think this one is going to be another interesting talk point.

  • Going Stealth: Staying off the Anti-Virus RADAR

Alex Polychronopoulos
Track One 17:00 – 18:00

Anti-Virus software is often the first line of defence in host based intrusion prevention. For years both black-hats and ethical hackers have researched how to avoid detection – some to compromise hosts reliably and others to improve detection. Executable packers are a popular technique used by virus and malware writers. They “pack” their malicious payload by compressing and/or encrypting it and they distribute it with enough clear-text instructions to “unpack” it. In particular, we’ll look at basic AV detection concepts and the basic design principles for packers. We’ll also touch on advanced techniques like polymorphism and metamorphism. You’ll leave marvelling that your AV ever catches anything at all.

Sometimes AV is the only standing between a good penetration tester and total domination… Anything we can do to test the limits of AV and maybe get that elusive shell is certainly worth the time to learn. Hoping for a few hints and tips here that might help in those situations.

  • How to build a personal security brand that will stop the hackers, save the world and get you the girl

Javvad Malik
Track Two 11:30 – 12:30

You’re a security professional, but even your boss doesn’t remember your name. Your brilliant ideas aren’t listened to, you’re never invited to speak at conferences and not even your mother visits your blog. In this talk I will take you down a journey of self-discovery that took me 3 years and went from another faceless security dude, to someone in control of my personal security brand. What worked, what didn’t work and all the behind-the-curtain magic exposed. If you’re into building your personal brand, making your voice heard amongst the 100’s of security ‘rockstars’ and dinosaurs who get all the attention – this is the talk for you to attend.

Fuck rockstars… no really, in this industry we need solutions, not primadonas with a god complex. Still, that said, having a brand and a platform to shout from is something we need. Plus Javvad is wicked funny and I’m sure he’ll CISSP mofo everybody in the crowd at LEAST once!

  • Dissecting Targeted Attacks – Separating Myths from Facts

Candid Wuest
Track Two 14:30 – 15:30

A lot of media do report on targeted attacks or so-called APTs, but how sophisticated or those attacks really? Flamer & co. are only the tip of the iceberg and even they had flaws. Most of the attacks are not so smart at all, but nevertheless successful. I will elaborate on the common methods of targeted infection & exfiltration, happening every day around the globe. Explaining the methods and tools used by the attackers with real life examples. I will show why they successfully bypass most security tools and analyse where these attacks differ from the common malware flood.

Learn your APT from your elbow… not everything is OMGtargetedStateSponsoredBBQ Malware from China with love!

—————————————————-

Well, those are my picks… so much cool stuff, so little time! Before I sign-off however, I wanted to remind all attendees that it’s your JOB (yep, attendees also have a job to do) to give feedback to speakers. Even if it’s a single point, an idea, or a pat on the back and “that was cool” comment… be part of making the conference better… give feedback or the kitten gets it!

Read my thoughts on “Giving feedback” –> HERE

Hope to see you all in London. Please come up and say hi if you’re about… I only bite when provoked!

BSidesLondon

Well BSidesLondon has come and gone, and what an event. Considering this was the first BSides in the UK it seemed like it had been running for years. Everything was smooth, well planned, and executed. If this was the first event, I have high hopes for the second ;)

I really enjoyed the Track 3 idea… A free room with projector and a signup sheet. Very unconference style! I signed up to do a quick 30-minute SAP talk (scrubbing SAP clean with SOAP), which went down well I hope. I’m not sure about uploading the slides right now, as there are some things that I’m still working through with SAP. Nothing serious, but enough to make you think. Still, maybe I’ll put the talk forward for BSidesLasVegas ;)

Note: If you saw my SAP talk, I’d love feedback on what I can improve… Be harsh, it’s the only way I can improve!

I was lucky enough to be able to “present” as party of the Security YMCA troupe (along with @f1nux, @seccubus, and @suggmeister). I say present, but really it was just a bit of fun. Singing, dancing and funny costumes are great for funny YouTube videos (which I’m assured are already uploaded), but I doubt any real content got across… Still, you can’t blame people for not listening to a man dressed as a gay biker when he says the security industry doesn’t communicate well enough :P

I’d like to thank all the people who put on BSidesLondon… There are too many to mention, but they know who they are! Looking forward to the next edition already… And BSidesVienna as well obviously!

BSidesLondon: How not to get hired for a security job

 How not to get hired for a security job

Stephen Bonner

Why people fail in the hiring process… by doing stupid things!

Some things that I tell you NOT to do, might be what your future employer wants… it’s not easy to define.

The process of hiring is about finding somebody that will fit in and add value to the team. It’s not all about the skill set.

The most important is to hire people for attitude. People don’t often get fired for their lack of skills, most get fired as they don’t fit in!

When you start the process of getting a job is to get involved with an agent… these agents don’t have your best interest in mind! Consider that. They aren’t aligned to your values. They’re in it for the $$$

Sending emails and CVs out of the blue to most companies is also a bad idea. There are some clearly defined processes, and trying to avoid them usually ends badly. Going through an agent is sometimes the best way.

The first thing an agent will do to your CV, is rip it apart to remove contact info… and therefore screw it up. It’s also worth asking for a copy, as some less reputable agents ADD skills!

Please check your CV for spelling and punctuation… oh and if you list reading on your CV as a hobby (which I’d expect from a 5 year old), please actually read something… and know what you read last.

Listing certificates on your CV doesn’t say your smart, it just says you worked at a company that had a training budget! Many HR departments put the same weight on a CISSP as MSc!

Photos in CVs… are just creepy!

It is extremely likely that an employer will Google you… look through your Twitter, Facebook, LinkedIn, etc… Even if it’s not legal/right. If you have a profile, make it a good one. If not, deny it’s you :D

The Telephone Interview

Cut out the background noise… oh, and chance are the other end is on mute, reading their emails!

If you talk for 20 minutes and the other end says nothing, they might have gone! Get feedback. Challenge and answer.

The interview

Being nervous and mumbling… not good. The employer doesn’t care!

Don’t be late, and if you are, have a great excuse (i.e. brought a man back to life on the tube).

Nobody wants to hire somebody who you would want to spend a night stranded in an airport with. Maybe, look like a blanket?

Key questions

What is your password?… 30% of people answer, and they don’t get the job.

If you can’t stand the social engineering pressure of being asked, maybe this isn’t for you.

Nobody replies, “I don’t just have 1 password!”

Best answer was “I can’t tell you”… “because I don’t know what it is”. “Because it’s a pattern on the keyboard”. He then draw out the pattern on a fake keyboard. It was a crap password as well!

Have you ever hacked illegally?

The answer to this is always NO. If you can’t understand the context and lie accordingly, you’re probably not going to get the job.

The NO-WIN situation

Just like Star Trek… put them in a situation they can never get right. See how people who always succeed deal with failure. Covering it up and denying it happened, isn’t a good plan. Deal with the failure.

Team work

How you deal with communications and then follow simple instructions. It’s all about the communication and figuring out issues before they happen

Have you got any questions?

Do ask… and no, holidays isn’t a valid question.

Check you’re applying for the right job. Oh, and the right interview.

Don’t lie about your experience and job. It can be checked.

Don’t slag off your employer. The prospective employer knows you’re going to talk crap about them in the future too!

What happens when you get the answer (NO)

Don’t argue, but get feedback

Arguing doesn’t help. They’re not going to change their mind after all.

Links:

Follow

Get every new post delivered to your Inbox.

Join 127 other followers