Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: visualization

Security Forum 2011: New Technology, Old Mistakes

Hagenberg Security Forum 2011

New Technology, Old Mistakes – Claudio Criscione

Virtualization security is easy…

…[and cloud sec too whilst we’re here]

Should we only care about the hypervisor? No; if we do, we’re only looking at a single component of a complex system. There are a large number of technologies involved in building an enterprise virtualization platform, and they should all be looked at. We have more problems than just the hypervisor!

Why does everybody think Virtualization security is all about breaking out of the VM?

They’re hard to do… I know of only 1 in the last 5 or 6 years! So, is it really that bad?

In a product’s youth it’s common to see low-hanging fruit… there are also a lot of highly complex attacks that have yet to be explored.

After years the low hanging fruit is still there, but more of a “woooops” that got left in.

Evolution of the product moves more towards complex attacks and away from the low hanging fruit.

Taking this theory and examining VMware as an example you get to see a lot of low hanging fruit, and lots of woops!

Tools of the trade

As a child you don’t try to understand a technology, you break it into parts… this is the same thing we want to do. Attack!

After looking for tools, and finding nothing, VASTO was born!

Virtualization ASsessment TOolkit

VASTO is an exploit pack for Metasploit. Beta 0.5 out now (or later today) from vasto.nibblesec.org

Commonly discovered issues that will be discussed:

  • Secure Updates
  • Insecure Content Download
  • XSS
  • Path Traversal
  • Weak SSL implementations
  • Insecure Log Files

Secure Updates

There are solutions available to secure this… it’s an already solved issue!

However, not for everyone.

E.g. the VMware vSphere Client update feature performs a GET /client/clients.xml from the server.

This XML file contains patch version information, and the download URL to get a new copy of the client!

So, with a MITM attack, you can change the XML file contents! Do you see the problem? Of course SSL is used, but nobody uses a REAL certificate. Everybody uses self-signed certs… and everybody knows what happens then!

Do you want to continue working, or do you want to go home? Just click continue…

Game Over!

VMware have patched this issue, but it took more than 18 months to get patched! This is too long…

Content Download

Private cloud services allow companies to download ready-made appliances. The method used to download the appliance, however, is usually flawed and can be MITM’d to inject content into the appliance in transit.

Demo of Abiquo client MITM and appliance replacement.

When the Abiquo client requests a VM, the MITM can replace the contents, as no further checks are made on the validity of the contents delivered.
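The two problems above (an update descriptor fetched over a connection nobody verifies, and an appliance image accepted without any check on what arrived) have the same fix: the client must verify the descriptor before trusting any URL in it, and verify the downloaded artifact against a digest the descriptor carries. The following is an added example written for these notes; it is not VMware’s or Abiquo’s code. The XML layout, the element and attribute names, and the use of HMAC-SHA256 in place of a real publisher signature are assumptions made for the example; all sample data is constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET


class UpdateRejected(Exception):
    """Raised when the manifest or the downloaded artifact fails verification."""


def sign_manifest(manifest: bytes, key: bytes) -> str:
    """Publisher side. HMAC-SHA256 stands in for a real publisher signature (assumption)."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify_manifest(manifest: bytes, signature: str, key: bytes) -> bool:
    """Client side: constant-time check before any field of the manifest is trusted."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def parse_manifest(manifest: bytes) -> dict:
    """Pull version, download URL and expected digest out of the (assumed) XML layout."""
    client = ET.fromstring(manifest).find("client")
    if client is None:
        raise UpdateRejected("manifest has no <client> element")
    return {"version": client.get("version"),
            "url": client.get("url"),
            "sha256": client.get("sha256")}


def apply_update(manifest: bytes, signature: str, key: bytes, fetch) -> str:
    """Verify the manifest, fetch the artifact it names, verify the artifact; return the version."""
    if not verify_manifest(manifest, signature, key):
        raise UpdateRejected("manifest signature invalid; download URL not trusted")
    info = parse_manifest(manifest)
    if not info["url"] or not info["sha256"]:
        raise UpdateRejected("manifest lacks url or digest")
    artifact = fetch(info["url"])
    actual = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(actual, info["sha256"]):
        raise UpdateRejected("artifact digest mismatch; refusing to install")
    return info["version"]


# --- constructed sample data (not real VMware or Abiquo material) ---
PUBLISHER_KEY = b"constructed-demo-key"
GOOD_ARTIFACT = b"constructed installer bytes"
GOOD_MANIFEST = (
    b'<clients><client version="4.1.0" '
    b'url="https://updates.example.test/client-4.1.0.exe" '
    b'sha256="' + hashlib.sha256(GOOD_ARTIFACT).hexdigest().encode() + b'"/></clients>'
)
GOOD_SIGNATURE = sign_manifest(GOOD_MANIFEST, PUBLISHER_KEY)


def honest_fetch(url: str) -> bytes:
    """Stand-in for an HTTP download that returns the published artifact."""
    return GOOD_ARTIFACT


def altered_fetch(url: str) -> bytes:
    """Stand-in for a download whose body was changed on the way to the client."""
    return b"constructed installer bytes, changed in transit"


def demo() -> dict:
    """Run the client flow against the honest case and the two tampering cases the talk describes."""
    outcome = {"honest": apply_update(GOOD_MANIFEST, GOOD_SIGNATURE, PUBLISHER_KEY, honest_fetch)}
    try:
        apply_update(GOOD_MANIFEST, GOOD_SIGNATURE, PUBLISHER_KEY, altered_fetch)
    except UpdateRejected:
        outcome["altered_artifact"] = "rejected"
    # a manifest whose download URL was rewritten no longer matches its signature
    altered_manifest = GOOD_MANIFEST.replace(b"updates.example.test", b"other.example.test")
    try:
        apply_update(altered_manifest, GOOD_SIGNATURE, PUBLISHER_KEY, honest_fetch)
    except UpdateRejected:
        outcome["altered_manifest"] = "rejected"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The order matters: the signature is checked before the URL is even read, and the digest is checked before anything is executed, so a rewritten descriptor and a swapped download are both caught regardless of whether the transport certificate was ever validated.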


XSS

When managing your VM solutions through a web interface, the security of that infrastructure is of paramount importance.

Web interfaces run the world!

Demo of vCenter XSS (still unpatched)

All you need to control the infrastructure is a single XSS.

Secure Connections

vCenter is the central hub of an ESX based enterprise solution. If you can MITM the connection between the vCenter and the ESX servers it would be bad… so SSL is used!

Starting from version 4 it checks the cert… before that, it didn’t even check.

After that a pop-up is ALWAYS present, even if the cert is good! Way to condition your admins… and the 1st pop-up only has a close button. The second (all blue, no big red X) lets you say Yes/No… at least.

Oh and the password is sent unhashed within the SSL connection too.

Bad UI implementations are part of the problem!
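The UI complaint above has a concrete engineering answer: a management client talking to self-signed ESX hosts should pin each host’s certificate fingerprint on first verified contact, connect silently while it matches, and fail closed when it changes. Prompting on every connection, as described, trains admins to click through the one prompt that matters. The following is an added example written for these notes, not VMware’s code. It assumes the DER bytes come from an established TLS socket (Python’s `getpeercert(binary_form=True)`); here the certificates are constructed byte strings and the store is a JSON file in a temp directory.

```python
import hashlib
import json
import os
import tempfile

# Real code gets these bytes from ssl_socket.getpeercert(binary_form=True) after the
# handshake; here the "certificates" are constructed byte strings.
ESX1_CERT = b"constructed DER: self-signed cert for esx1"
ESX1_CERT_REISSUED = b"constructed DER: esx1 after the cert was regenerated"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon-separated, the form an admin can compare out of band."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


class PinStore:
    """Trust-on-first-use store: host -> pinned fingerprint, persisted as JSON."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def save(self) -> None:
        with open(self.path, "w") as f:
            json.dump(self.pins, f)

    def check(self, host: str, der: bytes) -> str:
        """'trusted' needs no dialog; 'unknown' needs one verification; 'mismatch' must fail closed."""
        fp = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            return "unknown"
        return "trusted" if pinned == fp else "mismatch"

    def pin(self, host: str, der: bytes) -> None:
        """Called only after the admin has confirmed the fingerprint through a trusted channel."""
        self.pins[host] = fingerprint(der)
        self.save()


def demo() -> list:
    """Decisions across a sequence of connections to one host."""
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    decisions = []
    store = PinStore(path)
    decisions.append(store.check("esx1", ESX1_CERT))          # first contact: verify once
    store.pin("esx1", ESX1_CERT)                               # admin confirmed the fingerprint
    store = PinStore(path)                                     # new process, pins reloaded from disk
    for _ in range(3):
        decisions.append(store.check("esx1", ESX1_CERT))      # routine connects: no dialog
    decisions.append(store.check("esx1", ESX1_CERT_REISSUED))  # cert changed: refuse, do not prompt
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The admin sees exactly one fingerprint dialog per host, and a later mismatch is an error to investigate (a re-key or an interception) rather than another Yes/No box to dismiss.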

Path Traversal

Flaw exists in Jetty 6.1.16 (vCenter just includes that version)

As it’s a Windows machine… it’s not easy to exploit.

Still, on VMware there’s a nice log file gift that gives you valid session IDs of users on the web interface (world readable). This needs a little bit of coding to exploit. Luckily, VASTO includes a session_rider module.
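Two defensive checks fall out of that log file finding: the session token should never be written to the log in the first place, and the log should not be readable by every local user. The following is an added example written for these notes, not VMware’s code. The access-log layout and the `sessionId` query parameter name are assumptions, the sample lines are constructed, and the permission check uses POSIX mode bits (so the world-readable test is meaningful on Linux/Unix rather than Windows).

```python
import os
import re
import stat
import tempfile

# Constructed web-interface access log lines; the "sessionId" query parameter and the
# line layout are assumptions for the example, not a real product's format.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Nov/2011:10:02:11 +0100] "GET /ui/inventory?sessionId=8f3a9c2e-4b1d HTTP/1.1" 200',
    '10.0.0.6 - - [16/Nov/2011:10:02:14 +0100] "GET /ui/hosts?sessionId=c71e0d5a-99f2 HTTP/1.1" 200',
    '10.0.0.5 - - [16/Nov/2011:10:02:20 +0100] "GET /ui/static/logo.png HTTP/1.1" 200',
]

TOKEN_RE = re.compile(r"(sessionId=)[A-Za-z0-9\-]+")


def redact(line: str) -> str:
    """Strip the token value so a leaked log no longer yields usable sessions."""
    return TOKEN_RE.sub(r"\1<redacted>", line)


def write_private_log(path: str, lines) -> None:
    """Create the file owner-read/write only (0600) and write redacted lines."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for line in lines:
            f.write(redact(line) + "\n")


def audit_log_file(path: str) -> dict:
    """Two checks for an existing log: readable by 'other', and raw session tokens present."""
    mode = os.stat(path).st_mode
    with open(path) as f:
        content = f.read()
    return {"world_readable": bool(mode & stat.S_IROTH),
            "leaks_session_ids": TOKEN_RE.search(content) is not None}


def demo() -> dict:
    """Compare a log written the careless way with one written through write_private_log."""
    d = tempfile.mkdtemp()
    careless = os.path.join(d, "web.log")
    with open(careless, "w") as f:
        f.write("\n".join(SAMPLE_LOG) + "\n")
    os.chmod(careless, 0o644)            # the world-readable situation the talk describes
    hardened = os.path.join(d, "web-hardened.log")
    write_private_log(hardened, SAMPLE_LOG)
    return {"careless": audit_log_file(careless), "hardened": audit_log_file(hardened)}


if __name__ == "__main__":
    print(demo())
```

`audit_log_file` is the part worth running against real log directories: a log that fails either check is the gift the talk describes, and the two fixes are independent (redaction protects against any reader, the 0600 mode protects against the local-user case).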

Demo of VASTO Autopwn

Automates the exploitation and session riding using the discovered session IDs.

Lots more attacks… but no time today! It’s not just VMware.

All these bugs are years old, but they’re not going away.

All virtualization and cloud services today are rushed to market. Security is an afterthought.

Now they start to care… but they have years to make up for!

The Hypervisor is fine and secure, but everything around it isn’t

“The limits of your language, are the limits of your world”


DeepSEC: Cloud-based log Analysis and Visualization

Cloud-based Log Analysis and Visualization – Raffael Marty

IaaS –> Infrastructure as a service

PaaS –> Platform as a service

SaaS –> Software as a service

LaaS –> Logging as a service!

It’s not that different from what we had before… Cost and time are the big saving here. No need to set up a huge datacenter just for your needs. No need to think about power, AC and what happens if you only need those 100 systems for a week!


  • Visibility
  • Big Data


How many machines do you need to have running, and what’s really being used?

Monitoring for performance, availability.

Security: New threats, new vulnerabilities and different risk distribution.

How can you effectively monitor a system if it comes up and goes down based on load? What’s happening on those systems?

IaaS –> Same as before

PaaS –> Lack of Infrastructure

SaaS –> Blind?

Big Data

How can you handle the large amounts of data created, including the logs of systems that might not exist long.

  • NoSQL
  • Distributed datastores
  • Distributed queues
  • Map reduce
  • ETL (Extract, Transform, Load)

Logging as a service!

Information Visualization

Better tools and capabilities are needed

There are a number of projects, but things still need to improve

A picture is worth a thousand log lines

What can visualization help with ?

  • Exploration and Discovery
  • Answer a question
  • Pose a new question
  • Increase efficiency
  • Communicate information
  • Support decisions
  • Inspire (figure out how things work)

Important visualization… a monitoring webcam to tell you how full the team coffee pot is!

Visualization tools

2 categories:

  • Reporting Libraries
    • HighCharts
    • Flot
    • Google Chart API (Sends data to Google)
    • Open Flash Chart
    • HTML5
  • Visualization Libraries
    • TheJIT
    • gRaphaël
    • Protovis
    • ProcessingJS
    • Flare

Nowadays you can do almost everything you can do in Flash, with JavaScript!

A large number of these tools are now web-based.

<run through of some of the more useful tools>

The future is outsourcing the logging and concentrating on how to output the stuff we need and visualize it in useful ways.

Old Skewl

Tailing a log, or multiple logs…

New Skewl

Centrally logging data, and using dynamic files to view visualizations of that data

Lack of data is also a trigger… why is there no output where there should be?

Changes over time can be easily seen using different colour intensity to show new or unseen traffic.



[Plumbercon/Ninjacon] Visualization for IT-Security

Visualization for IT-Security

L. Aaron Kaplan


This talk will present visualization techniques for IT-security events and incidents.

Conficker demonstrated that sinkholing botnets and logging relevant IT-security events on a massive scale is a powerful weapon for mitigation and remediation. However, naturally these data collections quickly grow to sizes too large to understand or handle. Visualization can prove to be an invaluable tool for the IT security handler to gain insights into the dimensions of a problem as well as for management and even politicians.

Therefore this presentation will show – based on a concrete example – how we can extract understandable information out of a multitude of data sources. The concrete example will deal with DNS, DNScap and NFSen/NFDump visualizations. Since DNS is a hidden treasure box for IT Security and since DNS requests can hint to lots of problems (misconfiguration as well as abuse), visualizing DNS is in our opinion a promising fresh approach.

Finally, a list of practical tools will be presented, which participants can use in their own organizations and thus improve their own incident handling.

Talk from the recent FIRST.org conference in Miami, FL

“This talk is about making nice pictures….. and why we need that”

Last year CERT.AT did some work on tracking Conficker by sinkholing traffic heading to certain .AT domains and tracking them. The information was easy to gather, but the visualization effects presented were something people thought was amazing.

Google Spreadsheets now offers visualization tools to track and display information over time.


“A picture is worth 1000 log records” (R. Marty)

We have too much data, info explosion

Visualization can explain it all to your Grandpa/father/mother/partner…

Target Groups

  • Users
  • Management, Sales, Politicians
  • Operational Staff
  • Researchers

These users have different needs depending on what they need to do with the information

Visualization isn’t new, however. Otto Neurath was doing it long before most of us were alive.

There’s not enough of this kind of visualization going on. Things need to improve.


  • Graphviz
  • Maxmind GeoIP
  • Logster
  • Gapminder (Google Gadget)
  • Google Earth
    • Import XML data to show placemarks
  • Unix Filters
    • (cut, sort, uniq -c, sort, gnuplot)
  • processing.org

Sometimes using a simple line graph shows nothing but a few large key spikes. Using other visualization techniques helps to show the full picture.
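The Unix-filter entry in the list above (cut, sort, uniq -c, sort, then plot) is the whole method for the DNS case the abstract mentions, and the Graphviz entry is what turns the same records into something other than a spike chart. The following is an added example written for these notes, not CERT.AT’s or L. Aaron Kaplan’s code. The log layout (`<time> <client> <qname> <qtype>`) and all query lines are constructed and are not dnscap’s or BIND’s real format; the DOT output is plain Graphviz syntax that `dot -Tpng` can render.

```python
from collections import Counter

# Constructed DNS query log in a simplified "<time> <client> <qname> <qtype>" layout
# (not dnscap's or BIND's real format); addresses and names are made up.
DNS_LOG = """\
10:00:01 10.0.0.5 www.example.test A
10:00:03 10.0.0.5 update.example.test A
10:00:04 10.0.0.6 update.example.test A
10:00:07 10.0.0.7 www.example.test A
10:00:09 10.0.0.6 mail.example.test MX
10:00:11 10.0.0.8 update.example.test A
10:00:12 10.0.0.5 www.example.test AAAA
10:00:15 10.0.0.7 update.example.test A
10:00:18 10.0.0.9 qx7k2m.example.test A
10:00:19 10.0.0.9 qx7k2n.example.test A
""".splitlines()


def parse(lines):
    """Split each line into a record; lines that do not have four fields are dropped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            records.append({"time": parts[0], "client": parts[1],
                            "qname": parts[2], "qtype": parts[3]})
    return records


def top_qnames(records, n=5):
    """Same answer as `cut -d' ' -f3 | sort | uniq -c | sort -rn | head -n N`."""
    counts = Counter(r["qname"] for r in records)
    ranked = sorted(((c, q) for q, c in counts.items()), key=lambda cq: (-cq[0], cq[1]))
    return ranked[:n]


def names_per_client(records):
    """Distinct names each client asked for; a client fanning out over many names is worth a look."""
    seen = {}
    for r in records:
        seen.setdefault(r["client"], set()).add(r["qname"])
    return {c: len(names) for c, names in seen.items()}


def to_dot(records):
    """Graphviz DOT text: client -> qname edges, thicker and labelled for repeated lookups."""
    edges = Counter((r["client"], r["qname"]) for r in records)
    out = ["digraph dns {", "  rankdir=LR;", "  node [shape=box, fontsize=10];"]
    for (client, qname), c in sorted(edges.items()):
        out.append(f'  "{client}" -> "{qname}" [label="{c}", penwidth={c}];')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse(DNS_LOG)
    for count, name in top_qnames(recs):
        print(f"{count:7d} {name}")   # the uniq -c style column
    with open("dns.dot", "w") as f:  # then: dot -Tpng dns.dot -o dns.png
        f.write(to_dot(recs))
```

The ranked list is the line-graph view (a few large spikes); the graph view keeps the low-count edges, which is where a single client querying a string of one-off names shows up even though none of those names would ever reach the top of the count.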

Do more visualization!

Links:


  • Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/57
  • CERT.AT –> http://cert.at
  • Otto Neurath –> http://en.wikipedia.org/wiki/Otto_Neurath
  • ISOTYPE –> http://en.wikipedia.org/wiki/Isotype
  • processing.org –> http://processing.org
  • DAVIX –> http://www.secviz.org/node/89