First two sessions were somewhat low quality from a contect perspective. Too basic from on technology and on new innovations. Even for me as a non engineer. The difference between full backup, incrementals and differentials is not the thing we came here for. Although i must say that merging incrementals on the back end to always have full backups available sounds interesting. Curious to see this working in real life. How transprrent will that be? Lets ask Commvault later today. And if i can find them Quest as well. Would be nice to learn a bit on automated restore testing as well. Guaranteeing back ups remains an issue. Especially on tapes.

When i get answers, you’ll probably read more about it on cf.net or twitter.

Sunday started with a very interesting talk by Herbert Bos about the work done at the VU University which pushes the limits of what’s possible with regards to reliable operating systems. Some of the other interesting talks were the Capsicum talk by Robert Watson which focused on providing applications what they need to solve real-world security problems and the OpenSSH talk by Damien Miller which described all the useful new features available to make our lives easier. The new rlimit-based sandboxing for OpenSSH is an especially neat trick.

Possibly the best part of the conference was the amount of Dutch speakers, it’s awesome to see this level of contributions from my home country. So let’s keep up the good work and make next year even better.

The first part covers the structure, addressing and services:
Pularikkal_PartI.pdf

The second part covers routing and transition mechanisms:
Pularikkal_PartII.pdf

MLarson_IntroDNSSEC.pdf

Why do we need DNSsec, in short: DNSsec offers protection against spoofing of DNS data.
In DNSsec every zone has a public/private key pair where the Public key is stored in the new DNSKEY record and the Private key is kept save.

Phone Bill a CC NC ND image from Nikita Kashner's Flickr stream

By Darren Anstee of Arbor Networks

Why is it a good idea to us flow information?

• You don’t need to invest in new equipment to get flow information
• It can be used to detect malware infected hosts, DDoS, zero-day exploits, attack and abuse
• Network flows information is generated regardless if there was symmetric or a-symmetic routing

Network flow information is like a phone bill, you cannot tell what has been said, but you can use it to prove who talked to who.

So what does a flow record contain?

• Source IP address
• Destination IP address
• Source port
• Destination port
• Input IfIndex
• Protocol
• Type of Service
• packet count
• Byte count
• First packet time
• Last packet time
• Output ifIndex
• Etc…

Flow information allows you to monitor large geographically dispersed networks.

So how can flow information be used for security purposes?

Flow information helps you understand how you network normally behaves. Unusual behavior might indicate DDoS attacks of malware infections.

One could look at the flow information manually, but it does make more sense to install a collection and analysis system. These systems often give the benefit of providing historical data that can help us understand current data and allow us to use this information for forensic purposes.

There are a lot of open source and commercial flow collection and analysis systems available.

Next Darren showed demonstrations of how flow information can be used.

First example is how to detect malware infected hosts in an enterprise environment.

How? One of two ways:

• Looking for abnormal behavior
• Looking for known bad behavior, e.g. communication to known Command can Control servers

So what is typical unusual behavior?

• Unusual outbound SMTP
• Off-net DNS queries
• Scan detection
• Unusual outbound behavior
• etc.

Finding more then one anomalies increases the likelihood of these systems being infected.

One of the bonuses of flow information is that routers and switches still generate flow information even if firewalls drop the traffic.

Darren showed us how tools like nfdump can be used to detect systems with various abnormal behavior such as connecting to external mail servers or DNS servers too much or generating classic DDoS attacks.

Naturally you can also use flow information to detect DDoS attacks.

How do tools, like those Arbor makes, detect DDoS attacks?

• Baseline detection and baseline deviation
• Misuse flow detection (SYN-flood, UDP-flood)
• Detect bursts in the network
• Use thresholds

Why would you use flow information over firewall logs? Routers and switches are much more omnipresent and switches and routers do generate flows even if the firewall drops the traffic.

The slides for this talk with links to whitepapers and open source tools can be downloaded from the first.org website.

Black Skimmer Rynchops niger Skimming a cc by image from marlin harm's Flick stream

By Adam Laurie and Daniele Bianco

Slides on the HitB Materials page.

So what is EMV it stand for Europay, Mastercard and Vista and is a new security statndard for credit cards.With the introduction of EMV the liabiliy moved from the merchant to the cardholder because fraud is thought to be unlikely.  However EMV has allready been proven to be broken. E.g. Murdoch et. al. have proven that it is possible to use a stolen card without knowing the PIN.

This talk focuses  on the ability to still skim a EMV credit card, without reading the magstripe (which is very often still present).

Skimming a chip card may be more interesting because the user cannot see the interface and thus cannot detect the skimmer. The time effort to install a smartcard skimmer is quite small.

The industry perceives these tools as complex, but that is not true. Devices are small, easy to install and hard to detect.

It is possible to clone the track 1 and track 2 magnetic stripe data from publicly readable data of EMV chip. Luckily not all EMS cards support this.

So magnetic stripe data can be stolen and a stolen card van be used without a PIN, but is it possible to do PIN and magnetic stripe harvesting with EMV cards.

The CVM list on the card, which is digitally signed, tells the terminal how to authenticate to the card. The PIN is only sent to the card is the card specifies this in the CVM list.

However it turns out that, under certain circumstances, PoS terminals do not correctly detect a tampered CVM list and thus will present the PIN in plain text even if the CVM state this shouldn’t happen.

Adam and Daniele then demonstrate the tools they have developed to actually copy a card and u

He began his professional career during his early years at university as system administrator and IT consultant for several scientific organizations. His interest for centralized management and software integration in Open Source environments has focused his work on design and development of suitable R&D infrastructure. One of his hobbies has always been playing with hardware and electronic devices.

At the time being he is the resident Hardware Hacker for international consultancy Inverse Path where his research work focuses on embedded systems security, electronic devices protection and tamperproofing techniques. He presented at many IT security events and his works have been quoted by numerous popular media.

About Adam Laurie

Adam Laurie is a freelance security consultant working the in the field of electronic communications. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe’s largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world’s first CD ripper, ‘CDGRAB’.

At this point, he and Ben became interested in the newly emerging concept of ‘The Internet’, and were involved in various early open source projects, the most well known of which is probably their own ‘Apache-SSL’ which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities.

Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, and is a member of the Bluetooth SIG Security Experts Group and speaks regularly on the international conference circuit on matters concerning Bluetooth security. He has also given presentations on forensics, magnetic stripe technology, InfraRed and RFID.

He is the author and maintainer of the open source python RFID exploration library ‘RFIDIOt’, which can be found at http://rfidiot.org. Adam is a Director and full time researcher working for Aperture Labs Ltd., specialising in reverse engineering of secure systems.

Steve Jobs for Fortune magazine a cc nc nd image from tsevis's Flick stream

By Jean-Baptiste Bédrune and Jean Sigwald

Slides on the HitB Materials page.

This talk is about data security and the iPhone. Almost all iPhone like deices (excluding the iPad2 for the moment) can book usigned code when they are in recovery mode. It is also possible to create acustom ram disk, thee are techniques used by jailbreakers and phone forensics people.

Data in the iPhone is encrypted with either the UID (unique iPhone key) or GID (key unique to each model).

In the iPhone (iOS < 4) the UID key was only used  to facilitate fast wipe (change key, cannot read flash anymore), it did not provide data security. The iPhone 4 was designed with data security in mind. Jean and Jean demonstrate the tools they wrote to get around the data protection of iOS 4

Because the unlock code is used for data security data can be set to be only available when:

• The Phone is unlocked
• After the phone is unlocked for the first time
• Always

In iOS 4 there is an escrow key which allows MobileMe and iTunes to access the phone for backup or passcode reset without unlocking the phone.

The first tool that they developed and demonstrated was the keyChainViewer which can be used to view the contents of keyChain, but not the keys.

Using the built in iOS functions (that use the passwcode) you can actually bruto force the passcode of the phone with a small application on the phone. If you boot the phone from a ram disc you can do this without knowing the passcode. Using the brute forced passcode the keyChain can be read and decrypted.

Next tools where demoed to browse the encrypted filesystem and to decrypt iTunes backup files.

Conclusion of the researchers:

• iOS4 offers far better protection then iOS3
• Mail files (with the exception of exchange) are protected by the passcode this offers additional protection, but it can be obtained if you have the phone

Tools are available on http://code.google.com/p/iphone-dataprotection/

About Jean-Baptiste Bédrune

Jean-Baptiste works at the Software security R&D team at Sogeti for 4 years. His domains of research include code (un)protection, audit of DRM solutions, applied cryptography, reverse engineering on embedded devices and distributed computing. Jean joined Sogeti in early 2010. His research topics include reverse engineering, embedded devices and smartphones security.

About Jean Sigwald

Jean Sigwald is a security researcher working at Sogeti ESEC R&D lab. His research is mainly focused on smartphones security and the services offered by the network operators.

Bad day at the office a cc nc ND iamge from Roger Smith's Flick stream

By Itzik Kotler

Slides on the HitB Materials page.

Itzik start his presentation that writing StuxNet for a company is much less hard then writing one for a nuclear reactor. Stuxnet is interesting in that it is a purely software based attack that had a real hardware based effect.

So can software damage hardware? Yes it can:

• Software controls hardware ad can make it perform damaging hardware
• Software can damage software that runs hardware
• Software runs hardware and can make this hardware take an action that damages other hardware

So what is PDOS (Permanent Denial of Service)? Damaging hardware so bad that it needs to be replace or reinstalled.

Users the brick their phone when they try to jailbreak it are basically causing a self inflicted PDoS.

So who would do it and why?

Possible scenario’s are:

• Industrial espionage/sabotage

• Rival companies
• Foreign nations

• Hacktivism
• Revenge

So what techniques can you use to cause PDoS:

• Phlashing: malicious overwrite of firmware
• Malicious overclocking. Overclocking hardware too much will break it, e.g. by overheating
• Overvolting. Increasing the voltage of equipment
• Overusing. Causing too much wear and tear on a mechanism
• Power Cycling. most equipment does not handle frequent on-off switching very well

So lets look at some local attacks first:

• Disabling or slowing down fans of computer or other equipment will cause temperature increases which may lead to other failures
• CPU overheating by causing an infinite loop
• Microcode flashed directly into the CPU can be used to cause a PDoS as well, e.g. by overwriting hard wired instruction with faulty instructions
• The techniques for CPUs work for GPUs as well
• Hard drives can  be overheated using excessive read and writes, worn out by excessive parking and phlashed
• Solid state drives van be bricked by wearing out the flash memory by excessive writing

And example of a harddrive attack is a Pseudo format. E.g. by using the script:

# while true; do dd if=/dev/hda1 of=/dev/hda1 conv=notrunc; done

Another harddrive attack is a Spindown attack:

# hdparam –S 1 /dev/had

# while true; sleep 60; dd if/dev/random of=foobar count=1; done

DVD/CD Rom attack:

# while true; do eject /dev/cdrom; eject –t /dev/cdrom; done

Flash memory wear attack:

# while true ; do dd if=/dev/urandom of=/dev/flash; done

But even older equipment can be PDoS-ed. e.g. a CRT monitored can be damaged by sending them the wrong requencies. E.g. the XFree86 configuration warns about this.

Also floppy drives can be damaged by, e.g. moving the head to a sector outside the drive enclosure.

But these updates are also possible remotely, e.g. many devices allow over the wire (OTW) or over the air (OTA) firmware updates.

There are some countermeasures that can be used:

• Overclocking protection
• Overvolting protection
• Temperature protection
• Digitally signed firmware

Breaking the ice a cc nc nd by image from MarcelGermain's Flickr stream

By Ivan Ristić

Slides on the HitB Materials page.

Ivan researches SSL for Qualys. SSL was designed as a protocol add-on by Netscape to secure http, but can be used to secure other protocols as well.

The main challenges today are:

1. Fragility of the trust ecosystem
2. Incorrect or weak configuration
3. Slow adoption of modern statndar
4. Lack of support for virtual SSL hosting
5. Mismatch between HTTP and SSL

There are three main attacks against SSL:

• Passive MitM

• Session Hijacking

• Session bypass (ssl strip)
• Renegotiation attack
• Rogue certificates
• User attackers (who reads warnings)

Ivan’s has a lot of data based on the a surveys conducted by his employer Qualys SSL Labs, EFF’s SSL Observatory. In total 1.2million sites with valid certificates where investigated.

Ivan showed a slide that indicates that of the sites visited only 0.6% of the sites had a fully correct SSL configuration, nearly 50% of the sites did not offer SSL at all.

In Qualys’ most In the most recent SSL Survey only 32% of the sites offering SSL where configured correctly.

So now for the bad stuff:

• 48% of the sites offering SSL still offer SSLv2 which is know to be cryptographically insecure, it is a good thing that most browsers reject it
• Most sites do not offer any support for TLSv1.1 and TLSv1.2
• 62% of the sites still use weaks ciphers
• The TLS renegotiation vulnerability discovered in 2009 still effects nearly 35% the sites

But it is not just about how SSL is configures, but also about how it is used:

• Nearly 80% of the sites offering SSL do not redirect their users to the secure sites by default.
• HTTP Strict Transport Security is only used by 80 out of the the nearly 250,000 sites tested by Qualys.
• The adoption of EV certificates is also low
• Of the tested sites on 9 used all three above techniques.
• A lot of sites mark their cookies as HttpOnly or Secure, but even less that use both techniques
• 22% of the tested sites use some form of mixed content, if you exclude the sites that only use it for images this number only drops slightly to nearly 19%
• 68% of the login forms where not served over HTTPS and 54% submitted data to an http site

So what can we concluse:

• Systematic issues are hotly debated
• However SSL is often broken  by bad deployment and implementation issues
• It is possible to achieve reasonable security, but most sites choose not to do it
• Among the popular sites only a handful have decent SSL deployments

SSL is a success because it bought a relative security to the general public.

Florida Fragments a cc nc sa by image from Merrick Brown's Flickr stream

By Elena Kropochkina and Joffrey Czarny

Slides on the HitB Materials page.

Lots of Webshells used by pentesters to get access to the systems are detected by conventional security products like anti-virus, IPS and WAF. In stead of building a new websheel for each assignment the presenters tried to work towards a framework for webshells, that was modular and added obfuscation as a protection against AV/IPS/WAF.

But if you want to build a webshell framework you need to know what is out there. Most webservers on the internet are dominantly Apache, IIS and Weblogic. Pentesters are most in need of Webshells based on ASP, PHP and Java shells as it is heavily used for intranet applications.

The presenters gave an overview of the webshels out there for webshells for Linux, MySQL, PHP, JSP, ASP. Many of the common shells have high detection rates on the most common anti-virus platforms.

Even tough there are some webshells that are nearly complete in features and others that are not detected by Anti-Virus there isn’t one that is both.

There are a few ways to get around anti-virus encoding, obfuscation and encryption. There are common tools available to obfuscation for different languages like PHP, VBScript and Java. Obfuscation tools make reading the code harder, but are analysis is often still possible.

Using this knowledge the presenters designed a webshell platform. The platform should be language independent, resistant against third party unauthorized access and not be detected by AV/IPS/WAF.

Protection against unauthorized third party access is archived by mean of encryption based on “user provided key”, server IP address and client IP address.

So what are the must have functionalities of the framework:

• System information
• Graphical file maanger
• file upload/download
• command line cmd
• SQL manager

Elena and Joffrey show the design and some code fragments of the platform and demonstrated the proof of concept platform.

The proof of concept is already very feature rich.

Elena Kropochkina begins her professional career in Devoteam Audit Security team. She was graduated by Ecole Polytechnique and Telecom ParisTech with a M.S. in Computer Science. She is specialized in IT Security and Artificial Intelligence.

About Joffrey Czarny

Joffrey Czarny, working for Devoteam Security Business Unit (FR). Since 2001, Joffrey is a pentester, he has released advisories on VoIP Cisco products and spoken at various security-focused conferences (Wireless Conference at Infosec Paris and Wireless Workshop at Hack.lu 2005, VoIP at Hack.lu 2007/2008 and ITunderground 2008/2009). On his site, www.insomnihack.net, he maintains the Elsenot project and posts video tutorials and tools on several security aspects.

Slides on the HitB Materials page.

Don’s talk focuses about devices that are designed to track your assets or loved one., specifically the Zoombak who’s biggest selling point is that you can use it to definitely know where your kids are. Zoombak really took off after it was endorsed by TV personality Oprah.

A Zoombak devices basically consist of a GSM module and a MicroController. These two do not share any memory, but talk to each other over a serial channel using AT commands.

On of the first flaws in the Zoombak is that the GSM module can only talk using the decommissioned and broken A5/2 algorithm. A5/2 is so weak that it can be cracked in real time using PC hardware, but Don didn’t use this eakness to attack the device.

Because being on the GSM network all the time is too expensive the Zoombak device works differently. If you want to know the location of the device you send it an SMS, the SMS is polled from the SIM by the Micro Controller and acts on this command, e.g. by sending the location of the device to a website over the GPRS network.

The SMS received by the Zoombak does not only contain what should be sent back, but also the IP address where the device needs to post this data.

By reverse engineering the messages sent between the MicroController and the GSM module Don was know the protocol and to spoof the devices.

Using a small shell script and tons of SMSes you can actually test devices to see if they are Zoombak devices. But using a technique Don dubbed ‘War Texting’ he was able to avoid SMS spam detection, e.g. by changing the nonce and thus generating a different messages per hosts.

But spamming all phone numbers is not needed. There are device characteristics that can be used to narrow the target range. E.g. by polling the HLR we can determine if the device is a T-Mobile device.

Next step after being able to identify a target, but can we intercept the data and spoof the device? Yes we can!

So what fun can we have with these devices? It can be used to e.g. know or spoof the location of valuable goods that are often protected by these devices. E.g. to pinpoint a “good” location for a heist or to convince the security system that nothing is wrong.

What can be done?

• Don’t send IP addresses in SMS messages
• Encrypt the SMS messages
• Don’t allow non-Zoomback devices to receive IP messages from the Zoomback devices
• Use HLR data to detect fraud

Embedded Security is hard:

• Weak security surface
• Big threat surface
• Many “moving parts”
• The days of obfuscation are over

It is very likely that Zoomback is not the only example of this, mechanisms like this are also used in traffic control systems, SCADA systems and many other applications.

While Don’s primary expertise is in developing exploit technology, he is also well versed at reverse engineering, fuzzing, enterprise programming, binary analysis, root kit detection and design, and network penetration testing. In addition, Don has helped develop and enhance risk management programs for several Fortune 500 companies in recent years and has been invited to speak about risk management from a CISO perspective at government organized conferences.

For the past five years, Don has presented research at several international security conferences discussing topics such as stealth root-kit design, zero-day exploit technology, DECT, GSM, and microcontroller security. Most recently, Don spoke at Blackhat Abu Dhabi 2010 and ToorCon San Diego 2010 regarding vulnerabilities in the global telephone network and the GSM protocol.

'cup of robots ~ on white' a cc by image from striatic's Flickr stream

By Michael Sandee (FoxIt)

Slides on the HitB Materials page.

Michael’s talk focuses on the current eco systems of botnets. Who run them, who uses them and who benefits from them. Michael starts of by showing how sophisticated Botnets have become. Cyber criminals are running botnets as a commercial business and a ‘cloud service’ including dashboards. He showed an example of a botnet that did not generate its own infections, but used its users to infect targets. As a price 20% of the infected machines are not controlled by the infector but  by the botnet operators.

Some botnets measure their effectiveness by e.g. running virus scanners against their payload every 15 minutes  and reporting back the detection rates of their systems.

It is interesting to see that the prices of e.g. credit card data are currently dropping rapidly. We have come to the point that UK credit card data is now sold for a set price per gigabyte.

Michael illustrated the fact that botnets are getting very advanced with a lot of different examples. E.g. Traffic Converter in the last two years have earned 40 to 50 Million USD and it is a very well run operation.

It is an advanced operation with:

• Live Chat Support
• Support trouble ticket system
• AV testing by humans
• Online helpdesk
• Payment system
• Full QA

Stopping cybercrime is not going to stop. It is more then just botnets, but also fake anti-virus and click fraud. The victims are not large corporation’s, but common folks.

For Heat a CC-NC-ND image from ailatan's Flickr stream

By Xavier Mertens

Managing security events from you network. It is often perceived as boring. There is a lot of information and lots of tools. Additionally log formats are not standardized.

There are also economic issues, uptime often takes precedence over uptime, it takes time, staff may be reduced and it not a revenue generating activity.

Additionally there are legal issues, these issues center around privacy and have to be checked against local law.

Managing security logs is a layered approach:

1. Log collection
2. Normalization
3. Storage
4. Search
5. Reporting
6. Correlation

Correlation can be used to give events more meaning. This can be done with external sources like vulnerability information, but also with internal sources like e.g. badge swipes or geo-location.

Xavier is not a big fan of the big vendors. They provide expensive solutions, but only 10% of the features is used. The most expensive product is not automatically the best solution.

There is a difference between Log management (step 1 to 4 maybe 5) Security (Incident) Event Management (SIEM) should include all 6 steps.

When you want to buy a solution you need to consider:

• Compliance
• What suspicious activity are you looking for
• Web application monitoring
• Correlation
• Supported devices
• Buying a SIEM is a very specific project.

Syslog daemons are a good way to start, but syslog is not issue free. Since a syslog message can contain a free format message it is very hard to pass.

A good too to start is SEC, “Simple Event Correlation”. It performs correlation of logs based on Perlregular expressions to produce new events, trigger scripts or write entries to a file. Perl knowledge is required.

OSSEC is actually a Host Based IDS, but it does Log collection and parsing as well. Like SEC it can create new events or launch scripts and supports rootkit detection and file integrity checking and has log archiving.

There are more protocols then syslog. Unfortunately there is no standard format yet.

Cooking book

Xavier then showed some “recipes”:

• OSSEC to do USB Stick insertion on windows
• MySQL Integrity Auditing
• Detection of suspicious IP’s and users
• To map attacks on the map using Google Maps.
• And an example OSSEC dashboard

There are other tools to get more visualisation:

• Loggly (Saas)
• Splunk
• Secviz.org

Xavier’s conclusion: you need log management because you cannot review your logs manually. You need to stick to your requirements. However you do it, it will cost time and money.

More informaiton on Xaviers blog.

The Key to My Mind (11/12) a CC image from Tony the Misfit's Flickr stream

The private key is supposed to be private. It is what proves that the services and the certificate belong to each other. As an attacker you want to obtain this key in order to spoof the identity of the service.

When you import a certificate with private key or generate a private key via the Microsoft Crypto API (CAPI) you can mark it as non-exportable. But are these keys really non-exportable or is this just a GUI option to give administrators a false sense of security?

In order to find out how an attacker can export a non-exportable key RSA key, we need to dive into the CAPI calls.

Disassembling the CAPI functions shows that there are flags in memory that specify that the key is not exportable. It appears that these flags are stored on the same memory location and user the same function. And you can actually temper with this information and set these flags back to being exportable.

The situation is a bit different in the CAPI: Next generation (CNG). Again a disassembly of these functions shows that the CliCryptExportKey() via the c_SrvRpcCryptExportKey function get the private key from the KeyISO or KeyIsolation RPC service that is meant to isolate the RSA keys from the client memory.

It turns out that the memory of the lsass.exe process can reliably be manipulated to make the SPPkcs8IsKeyExportable function return 1 and thus allow the key to be exported.

In both CAPI and CNG the offsets to the flags are the same across the last 11 years of Microsoft products.

Jason has demonstrated the technique live on stage.

The code as well as the slides will be released to the www.blackhat.com website together with the presentation slides shortly.

Conclusion:Non-exportable keys are a GUI feature, they do not prevent a attacker from getting the key, they just slow him down.

Wrong Way ... Way Wrong a CC NC SA image from Bob.Fornal's Flickr stream

Virtualization aims to save money, make things simple and quick to deploy. Saving money and quick deployment are arch enemies of security

Virtualization products require security on the hypervisor level. Being able to hop from one virtual machine to another is not acceptable. Also there are a lot of products that focus on the security in the virtual machines, but virtualized infrastructure are complex by nature.

Relative lame bugs like XSS can be a big deal in virtualization infrastructures

Claudio demonstrates that live on stage, by exploiting a XSS bug in VMWare vCenter which took 1.5 years to patch.

Claudio showed us how an unprivileged user on the vCenter machine able to read a logfile contain the administrator SOAP session ID. Using this ID and Vasto administrator privileges where obtained. Until the last patch read-only access to vCenter meant that the user could take over the virtual infrastructure using standard tools.

Next attack demonstrated is against an Oracle virtual machine. Using standard “lame” exploits Claudio was able to hope from the application level administrator to the system root account.

So there are still some very simple vulnerabilities in this software.

Virtualization software is broken today, and we have to treat it accordingly. We have to make people aware that it is broken.

Virtualization infrastructures should be setup in such a way that a XSS in the management layer cannot lead to a disaster.

Claudio defines a new model that consists of a vCell and a vGatekeeper. With the goal of still providing some security if you lose your management solution.

vGatekeeper uses mod_security to define which communication is allowed between the management solution and the virtual machines.

With vGatekeer you can define which actions a user can execute on a virtual infrastructure regardless of his or her authentication level. The vGatekeeper software will generate a network configuration file and a mod_security configuration file that will prevent certain actions for propagating from vCenter to ESXi.

Claudio demos this application live on stage.

vGetkeeper will give the control back to the security team, in stead of it being in control of the virtualization team.

Ghosts of Lake Sutherland a CC NC SA image from Wyrmworld's Flickr stream

DoS, making resources unavailable to others. Common motives are hacktivism, extortion and rivalry. Most big attacks are successful.

So what are the risks of being under DoS attack? Downtime, lost revenue, large bills from the cloud service providers.

What kinds of DoS attacks are there?

• Layer 3 – Muscle-based attacks, generating too much packets for the equipment or saturating the pipe.
• Layer 4 – Consumes more resources on the device., e.g. SYN flood, connection flood, concurrent connection exhaustion, garbage data.
• Layer 7 – Attacking the application. Trying to consume as much resources as possible. E.g. HTTP page flood, HTTP bandwidth consumption, DNS query flood, SIP INVITE flood. There attacks are low rate, high impact

So how do you mitigate DoS attacks?

Static thresholds work and put the operation team in control, however they require constant tuning and restrict the detection phase to a single-dimension (rate only).

Adaptive threshold, attempting the learn real traffic characteristics, which improves accuracy, however, natural traffic peaks like e.g. a Christmas peak may be blocked too.

A more sophisticated detection can be based on using two dimensions, e.g. DNS requests v.s. HTTP requests. The presenters show a graph that shows a 3D graph of an L3 flood. Another metric that can be used is the distribution of content-types vs. the number of HTTP requests.

So by using two dimensions to determine if you are in a DoS attack you can reduce the false positive rate.

A lot of DoS bot clients have a very specific TCP header, however there are too much DoS tools to actually rely on a human to create the signatures.

Besides to passively block traffic by thresholds or patterns, you could also include a active mitigation like:

• Challenge response – This wards of clients that don’t have a full protocol stack e.g. SYN cookies or requiring JavaScript.
• Session Disruption – Causing the clients to use more resources in the attack that you need to mitigate the attack
• Tarpitting – Stalling malicious connections.

There are  a lot of different ways to do challenge response mitigation. Using JavaScript to verify is a DOM is present, detect if flash is present or use other systems.

If an attack is detected, it is important not just to drop the connection, but also to reset the backend connection. If you just reset the backend connection, but not the bot connection you may cause the attacker to consume a lot of resources himself. LaBrea is a nice way of slowing down attacks in progress slowing the connection down, sometimes to the point where the bot crashes.

Most of the shell x86 based hardware is simply incapable of handling a full 1Gb+ network stream at wire speed. Dedicated ASIC is the only hardware capable of supporting these speeds.

Mitigating LOIC

LOIC was not a new tool, but some parts like the hive mind was added lately. It is capable of generating malformed HTTP requests, but it has terrible thread and IO management.

The presenters present Roboo – Open Source HTTP Robot Mitigator.

Roboo will respond to each GET or POST request from an unverified source with a challenge: Challenge is javascript or flash based and optionally gzip compressed. A real browser with full HTTP, HTML, JavaScript and/or Flash player will be able to generate the correct response and issue the original request.

Roboo can whitelist allowed robot activity and pass it.

Roboo integrates with the high performance Nginx webserver and reverse proxy.

Roboo was tested against: LOIC, Acentuix Web Vulnerability Scanner, Metasploit Pro, Nessus and many more. It can serve as a Captcha replacement too.

Roboo can be downloaded from www.ecl-labs.org.

Roboo was demonstrated.

Summary of the talk:

• DoS is booming – attacks are growing in power and efficiency
• Cloud subscribers are the new victims
• Anti-DoS technologies has greatly evolved

---

Yuri Gushin has been involved with security research & development for over a decade, including extensive work in the fields of IPS and DoS detection and evasion technologies, network and application vulnerability discovery and exploitation, protocol fuzzing and plenty more. Yuri also co-founded the ECL Labs research group.

Currently, Yuri is the Senior Security Specialist for Europe, Middle East and Africa (EMEA) at Radware, heading the major security activities around the region, and playing an active role in the design of Radware’s next generation security offerings.

Alex Behar has been in InfoSec for the last 15 years, participating in research, exploit development and reverse engineering of network protocols and application stacks. Most recently, Alex was a Senior Researcher in Radware’s DefensePro security team and is currently Director of Security Products for Radware North America. Additionally, he is a co-founder of security research think-tank ECL-Labs and core developer of the Raptor Traffic Suite.

Miniature Dotted Hot Pink Cake a CC NC ND image from - Stephanie Kilgast's Flicker account

on in security tools. There are some tools that have some visualization, but it is limited and lacks features.

He then takes us through the hall of fail of visualizations and gives us some tips on visualization.

Thinks as a designer, be aware of who you are visualizing for. Each group has different demands for visualization and want to take different things out of it.

He then proceeds to give us some tips and tricks. He recommends to follow the work of Edward Tufte and Stephen Few who have both done excellent work on data visualization.

If you do data visualization you may want to get data from external reports like osvdb.org datalossdb.org and other industry vendors.

Common problems of data visualization are redundant elements like 3D and color. This is expressed in the ink-to-info ratio. You may want to reduce the bell and whistles you use.

Dashboards are often messy, they should really be aware of their screen real estate. Most important places on the screen are top left and the center of the screen. In order to squeze as much info as possible into a dashboard dashboard often get messy.

Wim presents a number of idea’s on how to make these dashboards better.

Visualization can really aid as well. Wim is showing use visualization tools that can really help.

First, Wim shows us a video that represents an attack on a VOIP server. The movie was created using gltail and can be downloaded from http://www.fudgie.org/.

Afterglow is another tool used b Wim a lot, it creates visualization that can really aid understand log files.

Perl perl | chart director which can also help to create understandable graphics form complex data charts.

The Google charts API and Google Visualization API may be a good alternatives as well. Wim demo’s the visualization capabilities of the Google Visualization API by using publicly available data and visualizing it. Naturally you have to be careful of what data you send to a could provider such as Google.

Sparkline and JQPlot are interesting JQuery libraries you can use for data visualization in a good way without sending it to a cloud..

Conclusions:

• We need data standardization to get more out of visualization
• You need to understand data before you can successfully visualize it
• We need to think outside the gox
• There is more to visualization then pie charts
• There are tools out there: use them wisely.

Cycle Garage a CC NC ND image from Ezu's Flickr stream

This talk focuses on ABAP, Advance Business Application Programming language from SAP.

ABAP:

• A proprietary language of which the exact specification is not freely available.
• It has platform independent code
• It has client separation built-in
• It has integrated auditing capabilities
• System-to-system calls via SAP RFC standard
• Built-in transportation system and version control
• Integrated platform-independent SQL Standard: Open SQL
• Built-in authentication, roles and (explicit) authorization model
• Thousands of well-known standard programs and database tables
• 150+ Million Line of Code in an ECC6.0 System

So what are the ABAP security risks?

• Back doors can be introduced, e.g. by a malicious developer.
• The program can have undesired side effect (e.g. SQL injection)
• Sub standard authentication used

Some ABAP code in the SAP system is dynamically generated at run time this can affect names of variables, SQL statements, but also ABAP variables can contain ABAP code that can be executed at runtime.

While SQL injection is possible in ABAP, it is not possible to terminal an SQL statement an start a new one in Open SQL, hence the possibilities are somewhat limited.

There is even dynamically generated ABAP code, that is generated and executed in memory and then disappears without leaving any trace in the system.

The shortest ABAP program to become super user on a SAP system is 34 characters, but will set of all alarms, a longer version of 56 characters is completely stealthy.

But ABAP has a low level ABAP kernel. It should only be used by SAP, and mostly undocumented, but can be explicitly invoked from ABAP.

There are three kinds of ABAP kernel functions:

• Kernel calls
• System calls
• Kernel methods

Kernel methods are the newest method to interact with the SAP kernel, they are called like normal functions and have typed parameters.

Some routines in the ABAP runtimes have hooks back into ABAP code. These functions are called from the C/C++ of the ABAP runtime. Data is exchanged between the ABAP code and the ABAP runtime via more ABAP kernel calls AB_GET_C_PARAMS and AB_SET_C_PARAMS.

These ABAP kernel hooks can be used to hijack calls in the ABAP runtime.

There are 8 high risk kernel calls:

• SYSTEM – OS command execution
• XXPASS and XXPASSNET – Compute password hasj
• INTERNET_USER_LOGOON
• C_GET_TABLE
• C_MOD_TABLE
• C_DB_EXECUTE
• C_DB_FUNCTION

SYSTEM can execute any OS command. It completely bypasses the list of allowed OS commands specified by the system administrator. Luckily it uses implicit authority check and the call can be disabled by setting the profile parameter rdisp/call_system to 0. But it is not the only way to execute OS commands!

XXPASS and XXPASSNET computes password hashes that is internally used by SAP to put into the user table. If you use this call outside the correct scope (e.g. Y* or Z* namespace) your session will be terminated and your user account will be locked.

INTERNET_USER_LOGON this can be used to perform user switches and create logon tickers. If can only be used to check credentials and it does keep track of failed login attempts.

C_GET_TABLE allows the programmer to read arbitrary database tables. They do allow cross client data access. So it allows one client of a host SAP installation to read tables from another client.

C_MOD_TABLE this call allow the programmer to write or modify any arbitrary tables on the system, without any restrictions.

C_DB_EXECUTE allows for the execution of arbitrary SQL statement. It allows each and any SQL statement apart from select. It does not respect client boundaries.

C_DB_FUNCITON allow for the execution of arbitrary stored procedures or any arbitrary SQL statement.

Andreas then goes on to demonstrate how to take over an SAP system using these kernel calls.

He showed this by truncating a table and accessing data from another client something you are not supposed to do in custom code. There are even more 0day kernel calls that at this time cannot be disclosed due to responsible disclosure. The ABAP runtime should guard the SAP kernel, but if a large enough parameter can be transported through ABAP an SAP kernel can be performed. Kernel call C_SAPCPARAM can be used to trigger a SAP kernel buffer overflow via ABAT. This is also available remotely via RFC.

gluey harmony a CC NC ND image from giveawayboy's Flickr stream

SAP: Session (Fixation) Attacks and Protections (in Web Applications)

Raul Siles is @taddong on Twitter

Why do we need session management in Web Applications. HTTP is a stateless protocol so the application need to handle ourselves.

Sesion Fixations if different then session hijacking. In hijacking you will use somebody else’s session ID to become them. In session fixation the attacker fixes the session ID before he logins into the target application.

So what is the state of the art of session fixation 9 years after its discovery in 2002?

Like HTTP parameter pollution session IDs can also be accepted from multiple sources, even tough the application only uses a single method. E.g. the application may user GET parameters, but still accept session ID cookies.

So how does session fixation work? An attacker sets up a session with a website, but does not log on. He then tricks a user into log in using the same session ID. As the session gets elevated, both the attacker and victim get the authenticated state.

Session fixation does not require solcial engineering, but can also be obtained by e.g. Cross Site Scripting (XSS) or SQL injection.

In order to demonstrate the problem Raul shows the vulnerability as it existed in Joomla 1.5.x-1.5.15

HTTPS does not protect against session fixation vulnerabilities, neither does using MD5 values for the cookie ID or values.

The second case study involves a web application based on WebLogic. Which is reported live today. The JSESSIONID cookie was configured to contain a too broad domain. normally WebLogic provides two cookies a post authentication cookie and a pre-authentication cookie which should tackle the problem.

The application allowed all resources to be accessed both via HTTP and HTTPS. And the HTTP site did not require the post-authentication cookie. Thus the session fixation protection was not present on HTTP.

So how easy is it to introduce this misconfiguration? If web.xml states that the “transport-guarantee” as NONE this vulnerability is present. This is the default setting.

It could very well be that that even tough you have set the default to CONFIDENTIAL, it could still be that some resources are set to NONE as an exception.

So what can you do about it?

• Set your “AuthCookieEnabled” and “transport-guarantee” setting to secure values.
• If you use the login api, use the ServletAUthenticaiton.generateNewSessionID(request) call after login to generate a new session ID otherwise force the app server to automatically generate new session IDs after login.
• Enforce both encryption and authentication (not set by default)

The third case study focuses on SAP.

In this pentest, users where authenticated against the Intranet first using NTLM then redirected to HTTP SAP application and then redirected to HTTPS SAP application. This allowed Raul to fix the sessionID using a MitM attack.

The session of any user that logged on lead to the testers being able to log on with the same authentications.

The issue was first reported in July 2009, and a fix was released in December 2010. It will take another 3 months to be implemented on the client infrastructure.

SessionIDRegeneration is still disabled in older SAP releases (pre 7.11) in order to avoid compatibility issues.

Other protection methods like SystemCookiesHTTPSenabled and SessionIPProtectionEnabled are both available in SAP but off by default.

Conclusion

• SessionIDs need to be renewed after privilige level changes
• There is no link between session management and authentication, we need to take care of it ourselves
• Limit the number of session tracking methods accepted
• Use HTTPS if you can

It is still an old but valid method affecting thousands of users. You auhtnication can be very secure, however once you have established a secure session with a token, the session ID is all that protects your session.