Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: hagenberg

Security Forum 2012

The Security Forum is the annual IT-Security Conference in Hagenberg that addresses current issues in this domain. Traditionally it takes place over the course of two days in April. On the first day visitors are offered technical as well as management-oriented papers by representatives of business, research and public service.

After last year's security forum I couldn't very well miss this year's event, and it didn't disappoint. Although a number of the presentations were a little too management-focused and light on technical details for my liking, these were overshadowed by great presentations from Scott Behrens of Neohapsis and the short but very interesting Security Insight talks that took place in the evening.

Just like last year, the real benefit, I feel, came from the discussions between sessions. Talking to the presenters and attendees is always the high point of these conferences, I find.

Below are a few brief notes on the presentations I managed to attend and think are worth noting. Slides aren't yet available for most talks, as far as I'm aware.

Webshell Detection using NeoPI (Scott Behrens)


This talk concentrated on the problem of detecting webshells when performing incident response. When faced with a collection of servers, and maybe more than 20,000 files present in a webroot, how do you find the needle amongst the needles? Scott demonstrated a number of analysis techniques that can be used to better discover webshells present on a system, and showed the ability of the NeoPI script to dig into a webroot and point out discrepancies and possibly malicious webshells.

The NeoPI script is currently available on the Neohapsis GitHub page, and the project is looking for people to assist with future development and testing.
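As an added illustration of the scoring approach described above (example code written for this page, not NeoPI's own source), the script below computes the kind of per-file statistics NeoPI relies on, Shannon entropy, longest whitespace-delimited token, index of coincidence and a simple signature count, over every file in a webroot and ranks the files by their combined rank across those tests. The sample "files" are constructed here; the signature list and the rank-sum combination are this example's own choices.

```python
import base64
import math
import os
import re
from collections import Counter

# Constructed sample webroot (not real malware). The "cache.php" entry mimics the
# obfuscated eval()-wrapper shape of many PHP webshells; the blob is just base64
# of the bytes 0..255 so the file is high-entropy and contains one very long token.
BLOB = base64.b64encode(bytes(range(256)))
SAMPLE_FILES = {
    "index.php": (
        b"<?php\n// Front controller\nrequire_once 'config.php';\n"
        b"$page = isset($_GET['page']) ? basename($_GET['page']) : 'home';\n"
        b"include 'pages/' . $page . '.php';\n"
    ),
    "config.php": b"<?php\n$db_host = 'localhost';\n$db_user = 'app';\n$db_name = 'shop';\n",
    "images/cache.php": b"<?php\n$k='" + BLOB + b"';\neval(base64_decode(str_rot13($k)));\n",
}

# Function names commonly seen in PHP webshells (this example's own list, not NeoPI's).
SIGNATURES = re.compile(
    rb"\b(eval|assert|base64_decode|gzinflate|str_rot13|shell_exec|passthru|system|exec)\s*\(",
    re.IGNORECASE,
)


def shannon_entropy(data):
    """Bits per byte: encoded or packed data approaches 8, plain source code sits lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_word(data):
    """Length of the longest whitespace-delimited token; encoded payloads are very long tokens."""
    return max((len(tok) for tok in re.split(rb"\s+", data)), default=0)


def index_of_coincidence(data):
    """Letter-frequency IC: natural-language-like text is around 0.06, uniformly random letters ~0.038."""
    letters = [b for b in data.lower() if 97 <= b <= 122]
    n = len(letters)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(letters).values()) / (n * (n - 1))


def signature_hits(data):
    return len(SIGNATURES.findall(data))


def analyze(files):
    return {
        name: {
            "entropy": shannon_entropy(data),
            "longest_word": longest_word(data),
            "ic": index_of_coincidence(data),
            "signatures": signature_hits(data),
        }
        for name, data in files.items()
    }


# Which direction is suspicious for each test: True means a higher value is worse.
TESTS = {"entropy": True, "longest_word": True, "ic": False, "signatures": True}


def rank(files):
    """Rank files by summing their per-test positions; the most suspicious file comes first."""
    metrics = analyze(files)
    totals = {name: 0 for name in metrics}
    for test, higher_is_worse in TESTS.items():
        ordered = sorted(metrics, key=lambda n: metrics[n][test], reverse=higher_is_worse)
        for position, name in enumerate(ordered):
            totals[name] += position
    return sorted(metrics, key=lambda n: (totals[n], n))


def load_webroot(root, extensions=(".php", ".phtml", ".inc")):
    """Read every file under `root` with one of the given extensions into a name -> bytes map."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(extensions):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return files


if __name__ == "__main__":
    scored = analyze(SAMPLE_FILES)
    for name in rank(SAMPLE_FILES):
        m = scored[name]
        print(f"{name:20} H={m['entropy']:.2f} longest={m['longest_word']:4d} "
              f"IC={m['ic']:.3f} sigs={m['signatures']}")
```

Against a real webroot, call `rank(load_webroot("/var/www/html"))` and review the top of the list by hand; a single test is noisy (minified JavaScript is also high-entropy with long tokens), which is why the ranks are combined rather than any one metric being treated as proof.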

Security Insights (evening talks)


The evening talks moved away from the more management style presentations during the day and focused more on technical projects. Three of the talks were of particular interest.

Sicherheit in der Bürgerkartenumgebung [Security in the Citizen Card Environment] (Wolfgang Ettlinger)

In this talk Wolfgang discussed some of the issues he discovered when testing the security of the Austrian Citizen Card. In Austria this card can be used to officially sign documents and prove the identity of the holder. This includes the ability to sign in to online banking using the card and a PIN to prove the holder is who they say they are. Wolfgang showed a number of vulnerabilities in the BKU (the Bürgerkartenumgebung, the Java-based environment that handles PIN authentication and card communication) and demonstrated the ability for an attacker to steal the PIN and use it to sign documents or perform actions as the user. A more detailed write-up is available on Wolfgang's blog.

Covert Channel Protocol – verdeckte Informationsübertragung [covert information transfer] (Florian Preinstorfer)

Florian discussed his ongoing research into covert channels and in particular his proof-of-concept implementation, which uses HTTP, ICMP and DNS to transfer data covertly by using client- and server-side proxies to alter traffic. Although the work is still ongoing I'm looking forward to seeing what the final result is, as the premise seems interesting. As soon as code is released or more information becomes available I'll make sure to post it up in my [SuggestedReading] feed.

Oh noes! Another Android Malware Talk (Thomas Eder, Michael Rodler)

The final presentation of the night walked us through an analysis of Android malware (in particular an SMS application that sends premium-rate SMS messages). The tools discussed were the usual fare; however, the presenters are working together with a larger team to implement a more automated and structured way to analyse Android malware, called EPIC (DE). The project is still in its PoC phase, but seems to be something to keep an eye on!

Special thanks to the Hagenberger Kreis for making the conference such an enjoyable experience… Hope to see you all next year!

Security Forum Hagenberg 2012 – CFP

The Security Forum is a yearly meeting held at Hagenberg University (this year it takes place on the 18th-19th April). Alongside presentations on the 18th, there are also a number of workshops being held the day after.

Earlier this year I had the pleasure of attending my first Security Forum event at Hagenberg University. As my girlfriend went to Hagenberg, it's one of the first places I got to really spend any time when coming to Austria, so I guess it'll always have a special place in my heart. It wasn't until after my girlfriend graduated that I learnt about the Security Forum, and I've been trying to get to visit ever since.

The highlight (for me anyway) of last year's event was Claudio Criscione's presentation on virtualization security. It was certainly eye-opening how badly some of these systems were configured and what you can do with an exposed admin interface. It's a hard act to follow, but I hope for some equally good presentations at the 2012 edition.

With that in mind, the Call For Papers is now open (PDF, EN and DE) so get your papers in…

If you’re thinking of attending the conference, please let me know… always good to meet new people and see old friends!

Security Forum 2011: New Technology, Old Mistakes

Hagenberg Security Forum 2011

New Technology, Old Mistakes – Claudio Criscione

Virtualization security is easy…

…[and cloud sec too whilst we’re here]

Should we only care about the hypervisor? No, if we do we're only looking at a single component of a complex system. There are a large number of technologies used to build an enterprise virtualization solution, and they should all be looked at. We have more problems than just the hypervisor!

Why does everybody think Virtualization security is all about breaking out of the VM?

They’re hard to do… I know of only 1 in the last 5 or 6 years! So, is it really that bad?

In a product's youth it's common to see low hanging fruit… there are also a lot of highly complex attacks that have yet to be explored.

After years the low hanging fruit is still there, but more of a “woooops” that got left in.

Evolution of the product moves more towards complex attacks and away from the low hanging fruit.

Taking this theory and examining VMware as an example you get to see a lot of low hanging fruit, and lots of woops!

Tools of the trade

As a child you don’t try to understand a technology, you break it into parts… this is the same thing we want to do. Attack!

After looking for tools, and finding nothing, VASTO was born!

Virtualization ASsessment TOolkit

VASTO is an exploit pack for Metasploit. Beta 0.5 out now (or later today) from vasto.nibblesec.org

Commonly discovered issues that will be discussed .:

  • Secure Updates
  • Insecure Content Download
  • XSS
  • Path Traversal
  • Weak SSL implementations
  • Insecure Log Files

Secure Updates

There are solutions available to secure this… it's an already solved issue!

However, not for everyone.

E.g. the VMware vSphere Client update feature performs a GET /client/clients.xml from the server.

This XML file contains patch version information, and the download URL to get a new copy of the client!

So, with a MITM attack, you can change the XML file contents! Do you see the problem? Of course SSL is used, but nobody uses a REAL certificate. Everybody uses self-signed certs… and everybody knows what happens then!

Do you want to continue working, or do you want to go home? Just click continue…

Game Over!

VMware have patched this issue, but it took more than 18 months to get patched! This is too long…
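To make the failure the speaker describes concrete, here is an added example (written for this page; not VMware's code and not part of VASTO) of the checks a client should apply to such an update manifest before acting on it. The manifest layout, hostname and installer bytes are constructed stand-ins, and the `<sha256>` element is this example's addition. The decisive fix is the TLS context at the end: the certificate chain and hostname are verified against an operator-supplied CA bundle, and a mismatch is a hard error rather than a dialog to click through. The URL and version policy is defence in depth, because an attacker who can rewrite the XML in transit can also write a digest that matches the file they serve.

```python
import hashlib
import hmac
import re
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hypothetical manifest layout standing in for the client-update XML. The real
# file's schema is not shown on the page, and the <sha256> element is this
# example's addition (the talk's point is that the original carried no such check).
MANIFEST_TEMPLATE = """<?xml version="1.0"?>
<ConfigRoot>
  <clientConnection id="0000">
    <patchVersion>{version}</patchVersion>
    <downloadUrl>{url}</downloadUrl>
    <sha256>{sha256}</sha256>
  </clientConnection>
</ConfigRoot>
"""

# Constructed stand-ins for installer bytes (not real binaries).
PAYLOAD = b"MZ\x90\x00 constructed stand-in for the client installer"
MITM_PAYLOAD = b"MZ\x90\x00 attacker-supplied replacement"

MANAGEMENT_HOST = "vcenter.example.internal"  # assumed hostname of the management server

GOOD_MANIFEST = MANIFEST_TEMPLATE.format(
    version="4.1.0.5",
    url=f"https://{MANAGEMENT_HOST}/client/VMware-viclient.exe",
    sha256=hashlib.sha256(PAYLOAD).hexdigest(),
).encode()

# What an on-path attacker would hand the client instead: a foreign host, plain http,
# and a digest that matches *their* file, so the digest alone proves nothing.
MITM_MANIFEST = MANIFEST_TEMPLATE.format(
    version="9.9.9.9",
    url="http://updates.attacker.example/VMware-viclient.exe",
    sha256=hashlib.sha256(MITM_PAYLOAD).hexdigest(),
).encode()


def parse_manifest(xml_bytes):
    root = ET.fromstring(xml_bytes)
    conn = root.find("clientConnection")
    if conn is None:
        raise ValueError("no clientConnection element")

    def text(tag):
        el = conn.find(tag)
        return el.text.strip() if el is not None and el.text else ""

    return {"patchVersion": text("patchVersion"),
            "downloadUrl": text("downloadUrl"),
            "sha256": text("sha256")}


def version_tuple(v):
    return tuple(int(part) for part in v.split("."))


def validate_manifest(manifest, server_host, installed_version):
    """Return the reasons to refuse this manifest; an empty list means it passes."""
    problems = []
    url = urlparse(manifest["downloadUrl"])
    if url.scheme != "https":
        problems.append("download URL is not https")
    if url.hostname != server_host:
        problems.append("download host differs from the management server")
    try:
        if version_tuple(manifest["patchVersion"]) <= version_tuple(installed_version):
            problems.append("not an upgrade over the installed version")
    except ValueError:
        problems.append("malformed version string")
    if not re.fullmatch(r"[0-9a-f]{64}", manifest["sha256"]):
        problems.append("missing or malformed sha256")
    return problems


def verify_payload(payload, expected_sha256_hex):
    """Constant-time compare of the downloaded bytes against the digest the authenticated manifest carried."""
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), expected_sha256_hex)


def strict_tls_context(ca_bundle_path):
    """Trust only the operator's CA bundle; a chain or hostname mismatch fails the connection, with no prompt."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, blob in (("legitimate", GOOD_MANIFEST), ("tampered", MITM_MANIFEST)):
        print(label, validate_manifest(parse_manifest(blob), MANAGEMENT_HOST, "4.0.0") or "OK")
```

In use, the manifest is fetched with `urllib.request.urlopen(url, context=strict_tls_context("/etc/ssl/vcenter-ca.pem"))` (path assumed), then `validate_manifest` gates the download and `verify_payload` gates installation. Self-signed certificates are compatible with this: the operator distributes the self-signed certificate itself as the CA bundle, which is pinning, instead of letting every client accept whatever is presented.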

Content Download

Private cloud services allow companies to download ready-made appliances. The method used to download the appliance, however, is usually flawed and can be MITM'd to inject content into the appliance in transit.

Demo of Abiquo client MITM and appliance replacement.

When the Abiquo client requests a VM, the MITM can replace the contents, as no further checks are made on the validity of the contents delivered.


When managing your VM solutions through a web-interface, the security of that infrastructure is of paramount importance.

Web interfaces run the world!

Demo of vCenter XSS (still unpatched)

All you need to control the infrastructure, is a single XSS

Secure Connections

vCenter is the central hub of an ESX based enterprise solution. If you can MITM the connection between the vCenter and the ESX servers it would be bad… so SSL is used!

Starting from version 4 it checks the cert… before that, it didn’t even check.

After that a pop-up is ALWAYS present, even if the cert is good! Way to condition your admins… and the 1st pop-up only has a close button. The second (all blue, no big red X) lets you say Yes/No… at least.

Oh and the password is sent unhashed within the SSL connection too.

Bad UI implementations are part of the problem!

Path Traversal

Flaw exists in Jetty 6.1.16 (vCenter just includes that version)

As it’s a Windows machine… it’s not easy to exploit.

Still, on VMware there's a nice log file gift that gives you valid sessionIDs of users on the web interface (world readable). This needs a little bit of coding to exploit. Luckily, VASTO includes a session_rider module.

Demo of VASTO Autopwn

Automates the exploitation and session riding using the discovered sessionIDs.
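The log-file issue above comes down to two things a defender can check for on their own hosts: which log files are readable by accounts that should not read them, and whether those files contain live session identifiers. The following is an added example written for this page (it is not VASTO's session_rider and is not based on any real vCenter log format; the log lines and parameter names are constructed) that audits a list of log files for both conditions and shows how the same pattern can redact the values at write time.

```python
import os
import re
import stat
import tempfile

# Constructed log lines in the general shape of a web-interface access log. No real
# vCenter log format or token format is claimed; the parameter names are an assumption.
SAMPLE_LOG = (
    b"2011-04-06 10:12:01 GET /ui/index.jsp;jsessionid=3F7A9C1D2B4E5F6071829AB3C4D5E6F7 200\n"
    b"2011-04-06 10:12:05 GET /ui/static/logo.png 200\n"
    b"2011-04-06 10:12:09 POST /ui/login session=8B1E4D0C9A7F6E5D4C3B2A19F8E7D6C5 302\n"
)

# Parameter names under which session identifiers commonly appear, followed by a
# value of at least 16 token characters so short, harmless values are not flagged.
TOKEN_RE = re.compile(rb"(?i)\b(jsessionid|sessionid|session|sid|token)=([A-Za-z0-9._-]{16,})")


def world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def tokens_in(data):
    return [m.group(2).decode() for m in TOKEN_RE.finditer(data)]


def audit_logs(paths):
    """For each log, report whether it is world-readable and which session tokens it contains.

    A file is 'exposed' only when both hold: tokens in a root-only file are a hygiene
    problem, a world-readable file without tokens is merely sloppy, the combination is
    what lets a low-privileged local account ride an administrator's session.
    """
    findings = []
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        tokens = tokens_in(data)
        readable = world_readable(path)
        findings.append({
            "path": path,
            "world_readable": readable,
            "tokens": tokens,
            "exposed": readable and bool(tokens),
        })
    return findings


def redact_tokens(data):
    """What the logger should have written: keep the parameter name, drop the value."""
    return TOKEN_RE.sub(rb"\1=<redacted>", data)


def write_sample(mode, content=SAMPLE_LOG):
    """Write the constructed log to a temporary file with the given permission bits; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for finding in audit_logs([write_sample(0o644), write_sample(0o600)]):
        print(finding)
    print(redact_tokens(SAMPLE_LOG).decode())
```

On a real host, point `audit_logs` at the web interface's log directory (for example `glob.glob("/var/log/vmware/*.log")`, path assumed) and treat any `exposed` finding as equivalent to leaked credentials: invalidate the sessions, fix the permissions, and change the logger so it never writes the value in the first place.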

Lots more attacks… but no time today! It’s not just VMware.

All these bugs are years old, but they’re not going away.

All virtualization and cloud services today are rushed to market. Security is an afterthought.

Now they start to care… but they have years to make up for!

The Hypervisor is fine and secure, but everything around it isn’t

“The limits of your language, are the limits of your world”


Security Forum (Hagenberg)

I guess every cloud has a silver lining… unless it’s a cloud service provider obviously! So, despite having to cancel my planned trip to Japan due to the unfortunate happenings over there at the moment, I do get to attend this years Security Forum at Hagenberg University of Applied Sciences.

The Security Forum is a yearly meeting held at Hagenberg University (this year it takes place on the 6th-7th April). Alongside presentations on the 6th, there are also a number of workshops being held on the 7th.

Although I've always wanted to attend the Security Forum events, I've never really had the chance due to other overlapping commitments. It'll be nice to meet up with some Austrian security professionals and talk shop for once… not to mention the need to get a t-shirt with the cool HK logo on it 😀

Taking a look through the schedule, there are a couple of very interesting talks I’d like to catch at the event .:

I’ll try to do some “speed blogging” from the event if the situation allows… but my German isn’t up to scratch when it comes to blogging in 2 languages! We’ll have to see how it goes 😉 Still it will be good to meet up with Claudio again and talk over a beer!

If you’re attending the conference, please let me know!