Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: deepsec

[DeepSec 2014] A Myth or Reality – BIOS-based Hypervisor Threat – Mikhail Utin


The talk is a status report of BIOS-based hypervisor research.

Myths and reality often intersect and interchange… this is how life works.

A myth about a Malicious Hypervisor (the "Russian Ghost") appeared on the Russian Hacker website at the end of 2011. It has all the attributes of a myth: there were rumours about the post, and the storyteller described it as reality.

We believe that it was real or may still exist, and we possibly know where it was born and eventually escaped from.

This research follows three individual cases:

Case #1: Malicious BIOS Loaded Hypervisor – MBLH (released 2011)

Published in Russian on a Russian site.

A typical Russian computer science project to develop a high-performance computer system (not associated with information security). Troubleshooting issues from the project revealed that Chinese-made motherboards contained additional software modules, embedded in the BIOS, which the standard analysis software didn’t see.

Although the boards were labelled as “assembled in Canada”, a majority of the components were of Chinese origin.

The Chinese boards had two software systems working simultaneously: a malicious hypervisor embedded in the BIOS which utilizes the Intel CPU's hardware virtualization capability.

The hypervisor was found by comparing the execution time of system commands between boards from “China” and “Canada”: boards without MBLH showed a significantly lower execution time (the MBLH boards were 60x slower), allowing for detection of the hidden hypervisor.
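The notes only give the idea behind the timing check (the same commands run far slower on the instrumented boards). The following is an added illustration of that comparison, not code from the talk or the research: it times an operation many times on a known-clean reference board and on the board under test, summarises each run with robust statistics (median and MAD, which shrug off scheduler and interrupt noise), and flags the suspect board when its median is many times slower. The 10x threshold and the timing samples are constructed assumptions for the example, not values from the page.

```python
"""Timing-based comparison of a suspect board against a known-clean reference.

Added illustration of the detection idea in the talk notes. The sample numbers
produced by constructed_samples() are made up for this example; on real
hardware they would come from collect_samples() run on each board.
"""
import random
import statistics
import time
from typing import Callable, Sequence


def collect_samples(op: Callable[[], None], n: int = 2000) -> list[int]:
    """Time n executions of op and return per-call durations in nanoseconds."""
    samples = []
    for _ in range(n):
        t0 = time.perf_counter_ns()
        op()
        samples.append(time.perf_counter_ns() - t0)
    return samples


def robust_summary(samples: Sequence[float]) -> tuple[float, float]:
    """Median and median absolute deviation (MAD) of a set of timings.

    Both statistics resist the long-tail outliers that interrupts and the
    scheduler add to raw timings, unlike a plain mean and standard deviation.
    """
    med = statistics.median(samples)
    mad = statistics.median(abs(s - med) for s in samples)
    return med, mad


def slowdown_ratio(reference: Sequence[float], suspect: Sequence[float]) -> float:
    """How many times slower the suspect board's median is than the reference's."""
    ref_med, _ = robust_summary(reference)
    sus_med, _ = robust_summary(suspect)
    return sus_med / ref_med


def looks_instrumented(reference: Sequence[float], suspect: Sequence[float],
                       threshold: float = 10.0) -> bool:
    """Flag the suspect board when it is far slower than the reference.

    The threshold is an assumption for this example: two genuinely identical
    boards should land near 1.0, so a ratio of 10x or more cannot be explained
    by ordinary jitter and deserves a closer look at the firmware.
    """
    return slowdown_ratio(reference, suspect) >= threshold


def constructed_samples(seed: int = 1) -> tuple[list[float], list[float]]:
    """Constructed timings (not measurements): a clean board at roughly 100 ns
    per call, and a board whose calls are trapped by a hidden hypervisor at
    roughly 60x that."""
    rng = random.Random(seed)
    clean = [rng.gauss(100.0, 5.0) for _ in range(2000)]
    trapped = [rng.gauss(6000.0, 300.0) for _ in range(2000)]
    return clean, trapped


if __name__ == "__main__":
    clean, trapped = constructed_samples()
    print(f"slowdown ratio: {slowdown_ratio(clean, trapped):.1f}x")
    print("suspect board flagged:", looks_instrumented(clean, trapped))
```

Comparing against a reference board rather than an absolute number matters: the same CPU with different microcode, BIOS settings or power states will not give the same raw timings, so the check is only meaningful between boards that are supposed to be identical, which is exactly how the “China” versus “Canada” comparison in the talk was set up.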

All attempts to bring this issue to light within Russia were dismissed… however, the author was able to confirm (with some missing details) that the malicious hypervisor is embedded in the BMC BIOS.

Case #2: “SubVirt: Implementing Malware with Virtual Machines” – University of Michigan and Microsoft Research

A 2005/2006 research paper on the Virtual Machine Based Rootkit (VMBR).

“We demonstrated that a VMBR can be implemented on commodity hardware and can be used to implement a wide range of malicious services.”

Installed as a shim between the BIOS and the operating system. The VMBR only loses control of the system during the period when the system reboots and the BIOS is in control.

This research was performed on systems without hardware virtualization support.

The research timeline for Case #1 (2007-2010) starts straight after the SubVirt research was released (2006).

Case #3: Widespread Distribution of Malicious Hypervisor via IPMI vulnerability (2013)

“Illuminating the security issues surrounding lights-out server management” – University of Michigan

“IPMI malware carries similar threats to BIOS and is likely easier to develop, since many BMCs run a standard operating system… if widely used IPMI devices can be compromised remotely, they can be leveraged to create a large network of bots.”

The attack scenarios highlighted in this research map (4 out of 5) to those seen in Case #1.

These attacks cannot be defended against without vendor assistance, and it’s not easy to detect an infection.

With the modern trend toward cloud services, this may affect overall information security.

This style of attack is dangerous and can infiltrate millions of servers worldwide.

In theory these infections cannot be identified… but we still have a chance.

There’s no protection against this, put your server in a dumpster – special thanks to IPMI

No security standard calls for protection of the secure management interface (IPMI).

References slide:



[DeepSec 2014] Addressing the Skills Gap – Colin McLean


Mark Weatherford of the US Department of Homeland Security has stated “The lack of people with cyber security skills requires urgent attention. The DoHS can’t find enough people to hire”. The United Kingdom’s National Audit Office has also stated “This shortage of ICT skills hampers the UK’s ability to protect itself in cyberspace and promote the use of the internet both now and in the future”.

It is evident that there is a world-wide cyber-security skills shortage but what can be done about it?

The University of Abertay Dundee in Scotland was the first university to offer an undergraduate “hacking” degree in the UK, starting in 2006. The course is now widely recognised in the UK as a vocational supplier of security testing graduates, with many of the graduates receiving several job offers before they’ve even completed the course.

This talk focuses on the experiences of running the course and examines how the cyber security skills shortage can be addressed. Some of the issues discussed will be:

Academia: There are many degrees with titles sounding like they may be producing the correct graduates, however, does the content match the type of skills required?

Industry: What can the security industry do to influence the content of academic courses to enable the correct type of graduate to be produced?

Extent of the problem

What is the extent of the skills gap we’re facing?

The UK and the USA both state that they can’t find enough people to fill InfoSec positions.

Current InfoSec workforce: 2.87 million (4.90 million required by 2017). By 2017 we’ll have a skills gap of 2 million people (source).

Academic solution

Lots of classes are popping up. However, they have their detractors.

The common complaint is a lack of real-world experience.

Academics teach theoretical classes; companies blame academia for teaching too much theory. It’s a blame game and nobody wants to back down.

Examining the problems companies are facing, many of them are vocational.

Vocational vs. Theoretical

Mathematical / theoretical courses are already largely addressed.

Vocational courses are required, as theoretical solutions are not being adopted. Better vocational courses are needed; this side is not being dealt with as well as the theoretical side of things.

What skills are needed

  • Core technical knowledge
  • Core practical skills
  • Documentation

Often forgotten…

  • Business appreciation
  • REAL practical skills
  • business documentation
  • thinking out of the box
  • criminal mindset

How can you teach these often forgotten points? They are not technical subjects; how can you teach a criminal mindset as an academic?

These CAN be catered for during a degree… using things like assessments and extra-curricular activities, as well as support from external partner companies. Student projects with third-party companies (such as NCR) have given back to the students, the lecturers, and the company.

By moulding the class, external companies get the candidates they’re looking for. They can take students straight from the course and put them to use.

Ex-students now regularly come back to give talks at Abertay… not just to teach, but also to inspire.

Graduates are better for this interaction.

Do we need more degrees like Abertay? Yes, but different. Mould it to slightly different ends. Industry driven or guided to what we need in the industry in a few years.

Let students loose… we mustn’t stifle their enthusiasm.

Attracting people

Students that are still part of the program, or that have left, talk at lots of conferences… this is a great way to attract people to the University. Abertay even run their own conference now to attract the next generation of hackers.

Exchange with other universities helps exchange knowledge and build contacts.

“Women in security” initiatives try to bring more women into the fold.

We have to enthuse school kids that this is an interesting and possible career path.

Further initiatives

Ask companies for skills to help teach the next generation.

Companies should be approaching academia to try and model what THEY need.

Vocational CAN be academic! Adding research into a purely academic course can give valuable vocational skills.

Companies need to work WITH universities… it has to be a partnership.

Companies shouldn’t expect graduates to be experts… they will by definition be generalists because they have to cover everything.


[DeepSec 2014] The Measured CSO – Alex Hutton


One of the most significant changes technology has wrought over the last decade is the current movement to use data and quantification as a means to better our everyday lives. In both our work life and leisure life, almost no aspect of modern life has escaped our desire to become better using evidence, data, and quantitative methods.

This talk discusses one method to help a Security Department build a better understanding of historically amorphous goals like “effectiveness, efficiency, secure, and risk” using data and models.

Where are we as an industry?

“… when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever the matter may be.” – Lord Kelvin

This is the journey towards knowledge, and therefore security. We are at the point where we can’t talk about risk using high, medium, low. How would your investors feel if your CEO talked about profit as high, medium or low! We need to talk about things in a different way.

CVSS… “I use it every day, and I’m about to bash it!”

Where we’re at with our risk calculations:

  • somewhat random fact gathering
  • interesting, trivial, irrelevant observations
  • little guidance to data gathering

First Mistake: Limiting ourselves

Security is an engineering issue… yet we look at security only as a piece of the OSI layer.

Second Mistake: Blind leading the blind

Example: mobile malware is trending… so this must be what we focus on. The FUD factory.

Using the DBIR you can pull out more targeted and industry-specific metrics that speak a lot more to the real threats. Looking at the DBIR, mobile malware is less than 1%. What we should focus on as an “industry” is not what’s hot right now!

Mobile malware does not move the needle in our stats, as we focus on organizational security incidents as opposed to consumer device compromise.

We’re dealing with complex systems… you can’t make point predictions in a complex system (Friedrich Hayek).

Correlation between CVSSv2 ratings and actual exploitation shows that even the highest-rated CVSS vulnerabilities are not that widely exploited.

The measured CSO

The measured CSO must be more like W. E. Deming.

The potential for improving the system is continuous and never-ending… there is no perfect system. The only people who know where the opportunities to improve are, are the workers themselves. There are countless ways for the system to go wrong.

Having workers and management speak the same language is important… having workers record and analyse statistical information helps to improve the system and evaluate changes easily. Everybody in the system has to be responsible for working towards improvement.

How many of us spend an hour doing statistical analysis on the other 38 hours of work we’ve done!

A measured CSO:

  • Relies on metrics, data, intel for good decisions
  • Invests in improvements to people, process and technology

To provide the best and least-cost security for shareholders, and continuity of employment for his workers:

  • We, as an industry, know that “best” and “least-cost” are not necessarily contradictory
  • We also have a HUGE continuity issue

Extending something like VERIS to incorporate controls data can assist a measured CSO in understanding where they stand. Using MapReduce (Hadoop), this information can be modelled and searched for IOCs. The key to this is enriching the data with as much metadata as possible.

Framework <–> Models <–> Data

The metrics and models that “defend” against threat patterns.

Mobile malware might not be an issue now, but we need to plan, build, and manage to ensure when it is an issue, we have things already in place.

A micromort… a one-in-a-million chance of death… we can apply that idea to security.

We’re bad at combining all those metrics… overweight, on drugs, and doing something stupid.

Becoming measured

What does that mean? What do we need?

Most metrics programs are a gathering of some information without any context.

A metric is like a Lego piece. It has no context until you build something with all the Lego pieces you have.

How do you get context?

Goal, Question, Metric (GQM)

  • Execution: Define goals
  • Models: Question how this can be measured
  • Data: Define metrics that answer the question

The measured CSO creates a scorecard of KRIs and KPIs that he can use to evaluate where they currently stand.

Framework for GQM –> NIST CSF (Cyber Security Framework)


DEEPSEC 2011: Quick Roundup

Well it’s been a few days since Deepsec 2011 finished, and I thought it was about time I wrote something about the actual conference.

Day 1

The first day started off with the usual 6am start to get to Vienna in time for registration. I arrived a few minutes late for the keynote, but quickly got into the swing of things. The keynote (How Terrorists Encrypt) was a discussion of how terrorist organisations (mostly Al Qaeda and connected cells) use encryption to communicate. Although you’d expect terrorists to have the basics of OPSEC down to a fine art by now, the presentation read more like a catalogue of failures and a basic lack of skills/information. Instances such as the BA IT expert, Rajib Karim, and his refusal to use the Mujahideen Secrets tool (a front-end for PGP/GPG?) in favour of a simple alphabetic replacement cipher.

The talk was definitely eye-opening on how badly the terrorists seem to be using encryption in general. However, it does raise the question: are we only catching the stupid ones? Perhaps the better prepared are using encryption and simply staying below the radar!

I wrote a number of blog posts on the other talks from Day 1:

Day 1 ended with a discussion by Morgan on the changing face of the infocalypse. Definitely worth catching on video once it’s released.

Day 2

The second day of the conference started off with a presentation on Identity X.0, OAuth, OpenID and the general security issues surrounding user-centric identity technologies. An interesting overview of implementation issues.

As with day 1, I wrote a number of blog posts for talks on day 2:

After lunch I took some time to watch Kizz MyAnthia’s presentation on Bond Tech and had a long chat with him about mobile phone hacking and some issues he had getting his “toys” through UK Border Security.

Unfortunately the second SAP talk of the conference (Rootkits and Trojans on your SAP landscape) met with a slight issue as the presenter's laptop fell on the floor as the talk began. Although he managed to complete the talk, the demos weren’t possible due to data corruption. This was a pity as the content of the presentation itself was almost 100% the same as a presentation he gave in 2010. The demos would have been the saving grace here, I think. Still, that’s life!

The final presentation of the conference was by Tom Mackenzie, discussing some of the issues surrounding vulnerability research and coordination with vendors. The presentation touched on some interesting points and posed some open-ended questions, as well as showing some interesting examples of when things work and when they don’t!

Day 2 finished off with a late-night party at Metalab… good music, Club-Mate and good company. Oh, and I once again lost to Kyrah at table football! One day I will prevail, oh yes, I will 😀

Overall I’d give Deepsec a 7/10 for a solid conference, with friendly people and good presentations. It will definitely be on my recommended list once I get around to writing one 😉

The Good

Nice mix of presentations

Great location / organisation

The Bad

No way to leave feedback for individual speakers

No lightning talks

The Ugly

At least one talk based on 12-month-old research / vulnerabilities