<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cupfighter.net &#187; Blackhat</title>
	<atom:link href="http://www.cupfighter.net/index.php/tag/blackhat/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cupfighter.net</link>
	<description>A blog by Schuberg Philis colleagues</description>
	<lastBuildDate>Thu, 26 Aug 2010 10:52:13 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>Black Hat USA: Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters</title>
		<link>http://www.cupfighter.net/index.php/2010/07/blackhatusa-electricity-for-free/</link>
		<comments>http://www.cupfighter.net/index.php/2010/07/blackhatusa-electricity-for-free/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 19:22:29 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[BlackHatUSA]]></category>
		<category><![CDATA[Joe Commins]]></category>
		<category><![CDATA[Jonathan Pollet]]></category>
		<category><![CDATA[Red Tiger Security]]></category>
		<category><![CDATA[SCADA]]></category>
		<category><![CDATA[smart grid]]></category>
		<category><![CDATA[Smart Meters]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=1101</guid>
		<description><![CDATA[By Jonathan Pollet The days that Scada systems could hide behind obscurity are over. These systems are on internet, use common protocols of which information is widely available. On 15 July this year, the first Trojan was found that specifically queries databases that are also used by Scada systems. This presentation starts by explaining how [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pikeresearch.com/wp-content/uploads/2009/11/Smart-Meters-300x225.jpg"><img class="alignright" title="Smart Meter" src="http://www.pikeresearch.com/wp-content/uploads/2009/11/Smart-Meters-300x225.jpg" alt="Smart Meter" width="300" height="225" /></a>By <a title="Mail Jonathan Pollet" href="mailto:jpollet@redtigersecurity.com">Jonathan Pollet</a></p>
<p>The days when SCADA systems could hide behind obscurity are over. These systems are on the internet and use common protocols for which information is widely available. On 15 July this year, the first Trojan was found that specifically queries databases that are also used by SCADA systems.</p>
<p>This presentation starts by explaining how the power grid works. A typical network architecture has three zones: a corporate network; a DCS (Distributed Control System), EMS (Energy Management System) or DMS (Distribution Management System) network; and a network with the industrial systems on it. These networks are typically separated by firewalls. When smart meters are added to the mix, they are typically connected in a similar fashion.</p>
<p>The formal models around SCADA security all revolve around this zoning model.</p>
<p>Red Tiger Security has developed a special assessment process for these networks, because industrial equipment starts behaving strangely when scanned with standard vulnerability scanners. Automated scanning of the SCADA systems from the network is okay, but scanning the industrial equipment itself will cause outages.</p>
<p>SCADA environments are often poorly patched because patches are known to break SCADA systems. Most of the vulnerabilities discovered in these infrastructures are found in the SCADA DMZ, because these systems are often not maintained by corporate IT, who don&#8217;t know how to maintain them, while they are also not owned by the SCADA engineers.</p>
<p><span id="more-1101"></span></p>
<p>Breaking the vulnerabilities found in this DMZ down further, they are found on web servers, application servers and databases. The four most common vulnerability types are: configuration issues, cross-site scripting, denial of service and information disclosure.</p>
<p>Most (over 62%) of the SCADA systems run on Microsoft Windows operating systems, which is not a good match for the stability (monthly patches) and lifetime that SCADA systems require.</p>
<p>Interesting finds are hard to categorize. Adult content, game servers, online dating databases and BitTorrent clients have all been found on these systems.</p>
<p>After exploring classical SCADA system security mistakes, the talk moved on to Smart Meter and Smart Grid technology. Smart Meter technology is making the same mistakes again.</p>
<p>These systems were designed to last for 20 years. That is a long time to go without anyone finding a vulnerability in them, and the ability to remotely patch these systems is scary on its own.</p>
<p>Old vulnerabilities have a new impact when considering smart meters. E.g. data enumeration can tell criminals when somebody is on vacation, and thus when it is a good time to rob somebody&#8217;s home.</p>
<p>The software in smart meters is vulnerable to very old classes of bugs, e.g. the ping of death.</p>
<h3>About the speaker</h3>
<h4>Jonathan Pollet &#8211; Red Tiger Security, LLC</h4>
<p><strong>Jonathan Pollet,</strong> Founder and Principal Consultant for Red Tiger Security, has over 10 years of experience researching vulnerabilities and conducting field security assessments of Industrial Process Control Systems, SCADA Systems, Automated Meter Reading systems, and Smart Grid technology. After graduating from the University of New Orleans with honors and receiving a B.S. degree in Electrical Engineering, he was hired by Chevron and worked in the SCADA and Automation Team for the Upstream Exploration &amp; Production division. Pollet designed and implemented PLC and SCADA systems for several offshore and onshore facilities.</p>
<p>Realizing the potential security implications of the industry moving towards TCP/IP communications in the late 1990s, and seeing a trend to connect SCADA systems to Enterprise IT networks, Pollet started investigating SCADA, Process Control Systems, and embedded devices for cyber security vulnerabilities.</p>
<p>Throughout his career, he has been actively involved with the IEEE, ISA, ISSA, UTC, CSIA, and other professional societies. Pollet has been involved in over 110 vulnerability assessments of plant and process control systems. He has also delivered over 75 presentations and training sessions on SCADA Systems, Critical Infrastructure Protection, and SCADA Security to the FBI, Department of Homeland Security, and several private sector security conferences. He has spoken at many conferences and workshops for government and professional organizations around the world. Pollet has also authored over 25 white papers, all specifically on the security of SCADA and embedded control systems.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/07/blackhatusa-electricity-for-free/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Black Hat USA: Malware Freak Show 2010: The Client-Side Boogaloo</title>
		<link>http://www.cupfighter.net/index.php/2010/07/bh-malware-freakshow/</link>
		<comments>http://www.cupfighter.net/index.php/2010/07/bh-malware-freakshow/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 18:09:03 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[BlackHatUSA]]></category>
		<category><![CDATA[Jibran Ilyas]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Nicholas J. Percoco]]></category>
		<category><![CDATA[spiderlabs]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=1098</guid>
		<description><![CDATA[By Nicholas J. Percoco (@c7five) and Jibran Ilyas The Spyderlabs guys had a busy year. They investigated over 200 incidents in 24 different countries and ended up collecting enough malware samples. Based upon last year&#8217;s DEFCON talk they are going to dive deeper and bring you the most interesting samples from around the world This [...]]]></description>
			<content:encoded><![CDATA[<p><a href="https://www.trustwave.com/spiderLabs.php"><img class="alignright" title="Powered by SpiderLabs" src="https://www.trustwave.com/images/poweredBySpiderLabs.gif" alt="Powered by SpiderLabs" width="173" height="25" /></a>By  Nicholas J. Percoco (<a title="Nicholas J. Percoco on Twitter" href="http://twitter.com/c7five">@c7five</a>) and Jibran Ilyas</p>
<p>The SpiderLabs guys had a busy year. They investigated over 200 incidents in 24 different countries and ended up collecting plenty of malware samples. Based upon <a title="Malware Freakshow at Defcon 17" href="http://www.cupfighter.net/index.php/2009/08/defcon-malware-freakshow/">last year&#8217;s DEFCON talk</a>, they are going to dive deeper and bring you the most interesting samples from around the world.</p>
<p>This talk brings you 4 new freaks and 4 new victims, including: a sports bar in Miami, an online adult toy store, a US defense contractor, and an international VoIP provider.</p>
<p>The malware being demoed consists of very advanced pieces of software written by very skilled developers. The complexity of their propagation, control channels, anti-forensic techniques and data exfiltration properties will be very interesting to anyone interested in this topic, even though the major categories have stayed the same.</p>
<p>Malware comes in various categories: keyboard loggers, screen loggers and memory scrapers. Disk scrapers are not very popular because they are slow and are noticed too easily due to heavy disk activity. There are three basic ways to own a system: physical, easy and uber. Physical means inserting something like a USB stick or key logger. Easy is e.g. through publicly exposed RDP and default passwords.</p>
<p>Malware is getting much harder to detect because it is better tested and uses stealthier techniques such as rootkits.</p>
<h2>Sample SL2009-127 – Memory Rootkit Malware – Captain Brain Drain</h2>
<p><span id="more-1098"></span></p>
<p>The malware consisted of three files: Loader.exe, ramsys32.sys and searcher.dll. The loader installed the sys file, which was the rootkit. The main objective was to steal credit card data from a Miami sports bar. All the data is stored in a system file in the Windows system directory and is automatically uploaded to the criminals at 10pm every night.</p>
<h2>Sample SL2010-018 – Windows Credential Stealer – Don’t Call Me Gina</h2>
<p>This malware consists of three files: fsgina.ddl, fsgina.dll and timestop.exe, which allows the attacker to change the access times and creation timestamps of the files it creates. Upon installation the malware sets the timestamp of fsgina.ddl to the timestamp of msgina.dll, so that the file looks like it was created when the system was installed; this applies to all dates, including the dates in the master file table (MFT). Next the registry is modified to load fsgina.dll in front of msgina.dll. The fsgina.dll looks just like msgina.dll and even functions the same, not letting in users who enter the wrong credentials, but it captures and stores all account names and passwords entered.</p>
<p>Msgina is the DLL that handles the graphical logon screen.</p>
<h2>Sample SL2009-143 – Network Sniffer Rootkit – Clandestine Transit Authority</h2>
<p>This malware was found on the systems of an international VoIP provider with about 80,000 clients. It was a typical rootkit that captured credit card data, but instead of taking the track data from memory it logged all network packets that contained track data. The captured data was uploaded to an FTP server at 01:00, when everybody is asleep. The malware compresses the data in RAR format and password-protects the RAR file to avoid detection by IDS systems.</p>
<h2>Sample SL2010-007 – Client-Side PDF Attack – Dwight’s Duper</h2>
<p>This attack was performed against a US defense contractor. The malware was spread by a specially crafted email with a PDF attached that exploited the system. The email was very impressive: it came from the right sender, used his email signature lines and was written in the kind of language used in the organisation.</p>
<p>The malicious PDF file first extracts all the files it needs and then shows another PDF with the content you would expect. The malware takes everything in the My Documents folder, steals Firefox passwords and FTPs them off.</p>
<h2>Conclusions</h2>
<p>The key to malware success is customisation. Generic malware does not work. The key to successful exploitation is to be slow, steady and stealthy.</p>
<p>Malware is getting more and more advanced.</p>
<h2>About the speakers</h2>
<h3>Nicholas J. Percoco &#8211; Trustwave</h3>
<p><strong>Nicholas J. Percoco</strong> is the head of SpiderLabs at Trustwave, the advanced security team that has performed more than 750 cyber forensic investigations globally and thousands of penetration and application security tests for Trustwave clients. In addition, his team is responsible for the security research that feeds directly into Trustwave&#8217;s products and services through real-time intelligence gathering. He has more than 15 years of information security experience. Nicholas acts as the lead security advisor to many of Trustwave&#8217;s premier clients by assisting them in making strategic decisions around various security and compliance regimes. As a speaker, he has provided unique insight around security breaches and trends to public and private audiences throughout North America, South America, Europe, and Asia, including security conferences such as Black Hat, DEFCON, SecTor and You Sh0t the Sheriff. Prior to Trustwave, Nicholas ran security consulting practices at both VeriSign and Internet Security Systems. Nicholas holds a Bachelor of Science in Computer Science from Illinois State University.</p>
<h3>Jibran Ilyas &#8211; Trustwave</h3>
<p><strong>Jibran Ilyas</strong> is a Senior Forensic Investigator at Trustwave&#8217;s SpiderLabs. He is a member of Trustwave&#8217;s SpiderLabs, the advanced security team focused on penetration testing, incident response, and application security. He has investigated some of the nation&#8217;s largest data breaches and is a regular contributor to published security alerts through his research. He has 7 years of experience and has done security research in the area of computer memory artifacts. Jibran has presented talks at security conferences (DEFCON, SecTor) in the area of Computer Forensics and Cyber Crime. Jibran is also a regular guest lecturer at DePaul and Northwestern University. Prior to joining SpiderLabs, Jibran was part of Trustwave&#8217;s SOC, where he helped Fortune 500 clients with their security architectures and deployments. Jibran holds a Bachelor of Science degree from DePaul University and a Master&#8217;s degree in Information Technology Management from Northwestern University.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/07/bh-malware-freakshow/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BlackhatEU : Virtual Forensics</title>
		<link>http://www.cupfighter.net/index.php/2010/04/blackhateu-virtual-forensics/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/blackhateu-virtual-forensics/#comments</comments>
		<pubDate>Thu, 15 Apr 2010 15:53:59 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[BlackHatEU]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Barcelona]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[virtualisation]]></category>
		<category><![CDATA[VMWare]]></category>
		<category><![CDATA[Xen]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=1011</guid>
		<description><![CDATA[By Christiaan Beek BlackhatEU : Virtual Forensics By Christiaan Beek What are the challenges when you have to do forensics on a virtual environment? •    What are the tools available? •    Are the tools forensically sound? •    Where is the data? •    Who owns the data? •    What forensic techniques do we use? •    How [...]]]></description>
			<content:encoded><![CDATA[<p>By <a title="@ChristiaanBeek on Twitter" href="http://twitter.com/ChristiaanBeek">Christiaan Beek</a></p>
<div id="attachment_1012" class="wp-caption alignright" style="width: 250px"><a href="http://www.flickr.com/photos/47081696@N00/2328254402/"><img class="size-full wp-image-1012" title="Virtual murder scene" src="http://www.cupfighter.net/wp-content/uploads/2010/04/virtual_murder.jpg" alt="From isfullofcrap Flickr photo stream. Creative Commons License" width="240" height="183" /></a><p class="wp-caption-text">From isfullofcrap Flickr photo stream. Creative Commons License</p></div>
<p>What are the challenges when you have to do forensics on a virtual environment?</p>
<ul>
<li>What tools are available?</li>
<li>Are the tools forensically sound?</li>
<li>Where is the data?</li>
<li>Who owns the data?</li>
<li>What forensic techniques do we use?</li>
<li>How do you acquire data from the cloud?</li>
</ul>
<p>Citrix is a nightmare for forensic investigators. There is no personal hard disk to investigate, only a personal profile, which does not contain very much data.</p>
<p><span id="more-1011"></span>Information sources for Citrix are:</p>
<ul>
<li>Last login log file</li>
<li>User profile (NTUser.dat; registry; temp files)</li>
<li>Citrix Access Gateway logs</li>
<li>RADIUS log</li>
</ul>
<p>VMware needs a different approach and different tools for static or live forensics. If you are making a disk image of a VMware server, you had better bring some big disks.</p>
<p>VMs are used by criminals to perform illegal transactions, after which the VM is destroyed to cover their tracks.</p>
<p>In his slides Christiaan had a list of useful files for VMware forensics.</p>
<p>Useful software is:</p>
<ul>
<li>FTK Imager</li>
<li>LiveView</li>
<li>EnCase</li>
<li>mmls &amp; dd</li>
<li>Mounting and carving tools like Foremost and PhotoRec</li>
</ul>
<p>There is also a VMware snapshot comparison tool made by Zairon.</p>
<p>In Windows 7 virtualization is part of the OS: VHD, XP Mode and Virtual PC. On the positive side, you can mount a VHD read-only to do investigations. However, being able to boot from a VHD gives entirely different opportunities for abuse. System backups are also made in VHD format.</p>
<p>Unlike VMDK files, VHD files can be investigated with FTK.</p>
<p>Even though XP Mode creates a virtual machine, this machine shares all media between the host and the guest OS.</p>
<p>When Windows 7 creates a VHD file for XP Mode, it does not format it, but leaves whatever old data was already in that disk space when it was created.</p>
<p>XP Mode also has an undo mode that is not enabled by default. The VUD files that get created are like VMware snapshots. VUD files cannot be read by tools like FTK, but VUD and VHD headers are very similar: if you rename a VUD file to a VHD file, you can investigate it normally.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/blackhateu-virtual-forensics/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>BlackHatEU : Universal XSS via IE8s XSS Filters</title>
		<link>http://www.cupfighter.net/index.php/2010/04/blackhateu-universal-xss-via-ie8s-xss-filters/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/blackhateu-universal-xss-via-ie8s-xss-filters/#comments</comments>
		<pubDate>Thu, 15 Apr 2010 14:35:08 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[BlackHatEU]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Barcelona]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[Cross Site Scripting]]></category>
		<category><![CDATA[IE8]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[XSS]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=1009</guid>
		<description><![CDATA[By David Lindsay &#38; Eduardo Vela Nava The talk is about abusing the anti-XSS filters built into IE8 to always be able to perform XSS. Microsoft decided to implement anti-XSS measures in IE because XSS is so common. On the other hand the wanted to be careful not to break the web and to keep [...]]]></description>
			<content:encoded><![CDATA[<p>By David Lindsay &amp; Eduardo Vela Nava<a href="http://www.cupfighter.net/wp-content/uploads/2010/04/IE_logo.jpeg"><img class="alignright size-full wp-image-1020" title="Internet Explorer" src="http://www.cupfighter.net/wp-content/uploads/2010/04/IE_logo.jpeg" alt="Internet Explorer" width="116" height="116" /></a></p>
<p>The talk is about abusing the anti-XSS filters built into IE8 to always be able to perform XSS.</p>
<p>Microsoft decided to implement anti-XSS measures in IE because XSS is so common. On the other hand, they wanted to be careful not to break the web and to keep things performant, and the solution itself had to be secure.</p>
<p>So how do these filters work?</p>
<ul>
<li>Examine all outbound requests for XSS patterns using heuristic filters.</li>
<li>If something matches a filter, a dynamic signature is generated.</li>
<li>If the signature matches the response, the response is neutered.</li>
</ul>
<p><span id="more-1009"></span>The heuristic filters look for suspicious requests, e.g. parameters with &lt;script&gt; tags in them. The dynamic signature is generated to take some forms of server-side transformation into account, but basically it checks whether the same text comes back as part of the web page. If XSS is detected, one character in the matching text is replaced by a hash mark (#).</p>
<p>The presentation then gave a breakdown of typical heuristic signatures; they can all be found at http://p42.us/ie8xss/filters02.txt.</p>
<p>One of the things the researchers found is that these filters can be bypassed: regular expressions are not perfect and are complex to write. Examples are at http://goo.gl/sour and http://goo.gl/KVDI.</p>
<p>But even more fun is to turn the filters against themselves.</p>
<p>Because the filter is designed to filter out certain tags, it can be used to disable other script tags as well. This can be used to disable framebusters, block sandboxes and disable other JavaScript-based security mechanisms.</p>
<p>The XSS filters can also be used to alter the ‘=’ sign into a hash sign (#), which can alter the entire meaning of certain HTML tags.</p>
<p>The XSS filters can be abused to malform (neuter) HTML tags. The onerror attributes of these tags can then be used to trigger scripts.</p>
<p>The way the XSS filters were built allows the neutering of just about any = sign on a page.</p>
<p>So the attack has two stages: first you need to be able to insert text into an HTML name/value pair. Then you need to trigger a fake XSS detection that neuters the HTML name/value pair so that the inserted text becomes active.<br />
Is this common? Yes it is: Bing, Twitter, wikis, social networks. About 99% of the sites that matter are vulnerable.</p>
<p>If you want to try out the attack yourself, use a vulnerable version of IE8 and visit http://0x.lv/attr.php.</p>
<p>How was this fixed?<br />
Microsoft is no longer neutering the = sign.</p>
<p>What can you do?</p>
<ul>
<li>Turn XSS filtering off</li>
<li>Use a different browser</li>
<li>Upgrade your browser after Microsoft fixes it</li>
</ul>
<p>Should you disable the filters? No, the benefit outweighs the risks.</p>
<p>What if I run a website?<br />
Microsoft allows websites to send a header that opts the site out of XSS filtering: &#8220;X-XSS-Protection: 0&#8221;. Alternatively, &#8220;X-XSS-Protection: 1; mode=block&#8221; does not disable the protection, but blocks the entire page from being rendered when the filter triggers.</p>
<p>This issue was discovered and reported to Microsoft in September 2009 and was patched in January 2010. Public disclosure was today.</p>
<p>So what about other browsers?<br />
Firefox: NoScript (good), NoXSS (don&#8217;t use)<br />
WebKit is developing XSSAuditor. It will respect the same control headers as IE8.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/blackhateu-universal-xss-via-ie8s-xss-filters/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>BlackHatEU : Abusing JBoss</title>
		<link>http://www.cupfighter.net/index.php/2010/04/blackhateu-abusing-jboss/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/blackhateu-abusing-jboss/#comments</comments>
		<pubDate>Thu, 15 Apr 2010 10:56:55 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[BlackHatEU]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Barcelona]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[JBoss]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=1003</guid>
		<description><![CDATA[By Christian Papathanasiou Christian demoed two tools called JBoss-autopwn and Tomcat-autopwn. For both tools he demonstrated that exploitation is possible both on Windows and Linux systems. It is also very likely that his tool also works on Solaris. Both tools make use of the accessibility of the management console and the ability to guess the [...]]]></description>
			<content:encoded><![CDATA[<p>By Christian Papathanasiou<a href="http://www.cupfighter.net/wp-content/uploads/2010/04/jboss.jpeg"><img class="alignright size-full wp-image-1004" title="JBoss logo" src="http://www.cupfighter.net/wp-content/uploads/2010/04/jboss.jpeg" alt="JBoss logo" width="142" height="88" /></a></p>
<p>Christian demoed two tools called JBoss-autopwn and Tomcat-autopwn.</p>
<p>For both tools he demonstrated that exploitation is possible on both Windows and Linux systems. It is also very likely that his tools work on Solaris.<br />
<span id="more-1003"></span><br />
Both tools make use of the accessibility of the management console and the ability to guess the administrator passwords, which are often left unchanged from the default.</p>
<p>The countermeasures against these attacks are obvious: change the default password and disable or shield off the management interfaces.</p>
<p>The tools are part of the Metasploit framework and can be downloaded there.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/blackhateu-abusing-jboss/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>BlackHatEU : Misusing Wireless ISPs for Anonymous Communication</title>
		<link>http://www.cupfighter.net/index.php/2010/04/blackhateu-wireless/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/blackhateu-wireless/#comments</comments>
		<pubDate>Thu, 15 Apr 2010 10:52:33 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[BlackHatEU]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[Barcelona]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[ISP]]></category>
		<category><![CDATA[Wireless]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=1000</guid>
		<description><![CDATA[By Andre Adelsbach The talk starts with explaining the properties of Satellite ISPs. Due to the nature of satellite communication, high latency, high downstream bandwidth, the ISPs often use performance enhancing proxies. Often the satellite ISPs use asymmetric links, using a local uplink in combination with the satellite downlink, but symmetric communication, where the uplink [...]]]></description>
			<content:encoded><![CDATA[<p>By Andre Adelsbach</p>
<div id="attachment_1002" class="wp-caption alignright" style="width: 250px"><a href="http://www.flickr.com/photos/58837045@N00/2202901407/"><img class="size-full wp-image-1002" title="Satellite ground station" src="http://www.cupfighter.net/wp-content/uploads/2010/04/Satellite.jpg" alt="Image from christianmeichtry's Flickr photostream. Creative Commons license" width="240" height="160" /></a><p class="wp-caption-text">Image from christianmeichtry&#39;s Flickr photostream. Creative Commons license</p></div>
<p>The talk starts by explaining the properties of satellite ISPs. Because of the nature of satellite communication (high latency, high downstream bandwidth), these ISPs often use performance-enhancing proxies. Satellite ISPs often use asymmetric links, a local uplink in combination with the satellite downlink, but symmetric communication, where the uplink is also sent via the satellite, is possible too.</p>
<p>The performance-enhancing proxy on the local machine has to break some of the basic TCP/IP properties to enhance performance, and in doing so also breaks some of the basic security measures.</p>
<p><span id="more-1000"></span></p>
<p>The downstream from the ISP is relayed to all users without encryption. This means that everybody in the footprint of the satellite can sniff all downstream traffic generated by all users. This opens up all kinds of abuse scenarios, and since satellite ISP subscribers control what is sent over the channel, it provides satellite broadcasting for the masses.</p>
<p>So how can we use these providers for anonymous communication? Broadcasting provides anonymity because all messages are delivered to all recipients without the recipient having to know the sender. This is impractical in wired unicast networks, but highly practical on broadcast-based networks. These are not only satellite networks, but also WiFi, DOCSIS, WiMAX and 3G.</p>
<p>Because of the nature and cost of the equipment involved in generating broadcasts in other media, satellite ISPs are the most suitable for this type of communication.</p>
<p>One way to send an anonymous message is to email it to a satellite ISP subscriber. Anybody sniffing the downlink can receive the message, but it is also possible to send a packet to a satellite ISP customer and sniff the packet as it is sent.</p>
<p>Encryption of the return traffic can help, but as always cryptography is hard to implement right. For example, if Diffie-Hellman key exchange is used, the ISP subscriber can force the shared key to always be one. Alternatively, since an ISP subscriber has access to the decryption software and thus knows the algorithm and the key used, he could request data that, once encrypted, comes out as the plaintext he wants broadcast. Since most of the encryption algorithms used are symmetric, this is not hard to do; initialization vectors and the addition of encrypted IP headers may make it harder, but not impractical.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/blackhateu-wireless/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>BlackHatEU : Hacking Cisco Enterprise WLANs</title>
		<link>http://www.cupfighter.net/index.php/2010/04/blackhateu-cisco-enterprise-wlan/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/blackhateu-cisco-enterprise-wlan/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 15:38:23 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[BlackHatEU]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Barcelona]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Wireless]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=991</guid>
		<description><![CDATA[By Enno Rey &#38; Daniel Mende erey@ernw.de dmende@ernw.de When implementing Cisco wireless network infrastructure, Enno and Daniel got the impression that, security-wise, these systems smell. The first part of the presentation focuses on what a typical implementation looks like. There are three generations: 1.    Structured Wireless-Aware Networks (SWAN) 2.    Based on managed APs and LWAPP [...]]]></description>
			<content:encoded><![CDATA[<p>By Enno Rey &amp; Daniel Mende<a href="http://www.cupfighter.net/wp-content/uploads/2010/04/cisco.jpeg"><img class="alignright size-full wp-image-993" title="Cisco Logo" src="http://www.cupfighter.net/wp-content/uploads/2010/04/cisco.jpeg" alt="Cisco Logo" width="154" height="94" /><br />
</a>erey@ernw.de<br />
dmende@ernw.de</p>
<p>When implementing Cisco wireless network infrastructure, Enno and Daniel got the impression that, security-wise, these systems smell.</p>
<p>The first part of the presentation focuses on what a typical implementation looks like.</p>
<p>There are three generations:<br />
1.    Structured Wireless-Aware Networks (SWAN)<br />
2.    Based on managed APs and LWAPP (After acquiring Airport)<br />
3.    Cisco Unified Wireless Network</p>
<p>The talk focuses on generations one and three.<br />
<span id="more-991"></span><br />
There are a couple of attack paths: traffic in transit, cryptography, and attacks against the components.</p>
<p>First up is SWAN. It mainly runs on WLCCP protocol messages. This protocol is proprietary, so the patents are needed to discover the inner workings, along with the deviations from the patent.</p>
<p>The key management is arranged by Cisco’s proprietary key management framework, called Cisco Centralized Key Management (CCKM). This framework allows the key material for clients to be passed from one access point to the other.</p>
<p>One of the properties of the protocol is the selection of the WDS master that controls all communication between the APs.<br />
The communication between the APs is authenticated by means of LEAP. The security of LEAP is debatable at best, and Cisco’s fix, deriving two additional keys based on the first key, is debatable too.</p>
<p>Management interfaces are the Achilles’ heel of many systems.</p>
<p>So what do you need for a practical attack against APs? If you can get to the APs’ management interface, you can identify the WDS master by looking for WLCCP speakers, sniff the intra-AP traffic and crack the LEAP secret. Then you can evict the WDS master if necessary.</p>
<p>Daniel next demoed the attack. He used Loki to sniff the backbone interface to identify the WDS master. Loki can then be used to insert a new WDS master. The master priority is configurable up to 254, but the protocol can handle a value up to 255, so you can always win this election.<br />
Next, Loki can be used to brute-force the detected WDS password, and the revealed password can be used to derive the additional security keys.</p>
<p>Even though there are some parts of the crypto space that smell, Enno and Daniel were not able to find practical exploits here.</p>
<p>Management interfaces however are another story.</p>
<p>SNMP is a good friend, especially if people forget to reset their community strings. The SNMP interface does not allow you to reset passwords of existing users, but it does allow you to create administrative users.</p>
<p>The management interface of Cisco WLAN management tooling is web based, and so comes with all the classical web-based attacks like Cross Site Scripting.</p>
<p>Enno demoed a web-based attack. By intercepting a request to the web interface with Burp Suite and rewriting the request, he was able to trigger a buffer overflow in the wireless management appliance. This makes you wonder what would happen if you ran a fuzzer against it.</p>
<p>Key points to take away:<br />
•    “Enterprise WLAN solutions” might be complex beasts<br />
•    There may be not so obvious vulnerabilities<br />
•    Use common sense when deploying<br />
•    The problems outlined are not Cisco specific</p>
<p>The majority of the problems are in the management interfaces. These should never be publicly exposed.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/blackhateu-cisco-enterprise-wlan/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>BlackHatEU : SCADA and ICS for Security Experts: How to avoid being a Cyber Idiot</title>
		<link>http://www.cupfighter.net/index.php/2010/04/blackhateu-scada-and-ics/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/blackhateu-scada-and-ics/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 14:01:32 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[BlackHatEU]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Barcelona]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[ICS]]></category>
		<category><![CDATA[SCADA]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=986</guid>
		<description><![CDATA[By James Arlen (@myrcurial, james.arlen@pushthestack.com) James’ talk is not about SCADA, it is about talking about SCADA. The security industry has discovered that SCADA systems are in fact information systems and all of a sudden security professionals are talking about how they can fix the SCADA security issues. One of the biggest pieces of FUD that [...]]]></description>
			<content:encoded><![CDATA[<p>By James Arlen (<a title="James Arlen on Twitter" href="http://twitter.com/myrcurial" target="_blank">@myrcurial</a>, <a title="mailto:james.arlen@pushthestack.com" href="mailto:james.arlen@pushthestack.com">james.arlen@pushthestack.com</a>)<a href="http://www.cupfighter.net/wp-content/uploads/2010/04/scada.jpg"><img class="alignright size-full wp-image-987" title="Scada" src="http://www.cupfighter.net/wp-content/uploads/2010/04/scada.jpg" alt="Scada" width="150" height="100" /></a></p>
<p>James’ talk is not about SCADA, it is about talking about SCADA.</p>
<p>The security industry has discovered that SCADA systems are in fact information systems, and all of a sudden security professionals are talking about how they can fix the SCADA security issues.</p>
<p>One of the biggest pieces of FUD out there is: if you own the computer, you own the system. This is not the case; most of the time when SCADA systems fail, the processes they control stop.</p>
<p>Yes, SCADA systems control processes using standard protocols like Modbus TCP, but that doesn’t mean that you understand what energizing coil 13 does to the actual process. If you can break the computer system, it doesn’t mean you can break the process.</p>
<p>There are more controls in place in a manufacturing process, e.g. the safety systems that are there to prevent catastrophes from happening, or the quality control systems that prevent dodgy products from getting out. The most important control in place is that manufacturing is still mostly run by humans, who will notice that stuff is about to go wrong.</p>
<p>One of the facts about big infrastructures (electrical nets and manufacturing processes) is that the people who run them count on stuff breaking down. Most of the time you don’t even notice that a major failure in these systems has occurred.</p>
<p>It’s not all negative…<br />
We can understand SCADA systems and we can indeed help. In industrial systems Availability is the key element of the triad, not Confidentiality or Integrity.</p>
<p>If you are going to get involved, be a student before you become the teacher. Buy some people a cup of coffee and be prepared to put your ego behind you. Understand that these people have been doing this work for a long time and are indeed your parents’ age, which makes you the kid.</p>
<p>James shared, not for disclosure, a number of examples of IT security bad practices that were found in the real world and make most IT security people wince and giggle at the same time. Words like rsh, solitaire and non-upgradable NT 4.0 were mentioned.</p>
<p>What will save us? Super Ninjas, l337 super heroes or just “Not Sucking”?</p>
<p>As IT Security people we need to open up, understand this stuff and make small progress that will have a big effect.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/blackhateu-scada-and-ics/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>BlackHatEU :  Fireshark – A tool to Link the Malicious Web</title>
		<link>http://www.cupfighter.net/index.php/2010/04/blackhateu-fireshark/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/blackhateu-fireshark/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 12:55:51 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[BlackHatEU]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Barcelona]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[Fireshark]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=965</guid>
		<description><![CDATA[By Stephan Chenette (schenette@websense.com) This talk is accompanied with the release of Fireshark, a Firefox plugin. It can be downloaded here: fireshark.org Compromised legitimate websites have increased 225% in the last 12 months. Stephan wrote the Fireshark tool to address the problem of analyzing legitimate sites serving malware. He found that to date there was [...]]]></description>
			<content:encoded><![CDATA[<p>By <a title="Stephen Chenett on LinkedIn" href="http://www.linkedin.com/pub/stephan-chenette/1/b72/77b">Stephan Chenette</a> (<a title="Mailto:schenette@websense.com" href="mailto:schenette@websense.com">schenette@websense.com</a>)<a href="http://www.cupfighter.net/wp-content/uploads/2010/04/fireshark.jpeg"><img class="alignright size-full wp-image-981" title="fireshark" src="http://www.cupfighter.net/wp-content/uploads/2010/04/fireshark.jpeg" alt="fireshark" width="137" height="103" /></a></p>
<p>This talk is accompanied with the release of Fireshark, a Firefox plugin. It can be downloaded here: <a href="http://fireshark.org" target="_blank">fireshark.org</a></p>
<p>Compromised legitimate websites have increased 225% in the last 12 months.</p>
<p>Stephan wrote the Fireshark tool to address the problem of analyzing legitimate sites that serve malware. He found that none of the tools available to date gave him the information he needed.</p>
<p>Most malware landing pages use exploit kits that will try about 25 exploits. These kits are highly obfuscated. Most analysis tools are well known to the bad guys, and the kits are thus protected against de-obfuscation by them.</p>
<p>What is Fireshark?<br />
<span id="more-965"></span>Fireshark is a Firefox plugin plus a number of post-processing scripts designed to crawl compromised sites. By operating inside the browser it can get past quite a few obfuscation techniques.</p>
<p>First Stephan demoed Fireshark in single user mode. Add a list of URLs to data.txt and hit the go button. Fireshark will visit these sites and store all the information it gathers in your home directory.</p>
<p>The data generated by Fireshark is then available for inspection, parsing and presentation. Currently there are two post-processing scripts, but Stephan is open to suggestions about other post-processing scripts.</p>
<p>Stephan’s analysis of his Fireshark data confirms that affiliate advertising is a great place to inject malicious code, because a single injection into one of these sites affects users of multiple highly popular sites.</p>
<p>To illustrate the power of Fireshark, Stephan explained that he used Fireshark to analyze a number of interconnected websites serving malicious content to legitimate website users. He demonstrated that Fireshark is really useful in the analysis of these incidents.</p>
<p>Because Fireshark saves both the original source code and the DOM, and gets them straight from Firefox, you can run a diff between the two and see what changes the obfuscated code makes to the DOM.</p>
<p>Most obfuscation techniques can be de-obfuscated by Fireshark because Fireshark saves the de-obfuscated code as it is passed to the JavaScript engine.</p>
<p>Fireshark can be configured to change parts of the browser signature such as user-agent strings.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/blackhateu-fireshark/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>BlackHatEU : Defending the Poor</title>
		<link>http://www.cupfighter.net/index.php/2010/04/blackhateu-fx/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/blackhateu-fx/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 09:28:58 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[BlackHatEU]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Barcelona]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Blitzableiter]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[Felix Linder]]></category>
		<category><![CDATA[Flash]]></category>
		<category><![CDATA[FX]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=961</guid>
		<description><![CDATA[By Felix FX Lindner (Twitter: @41414141, fx@recurity-lab.com) Felix’s talk is about defending against Flash based web application exploits. This talk is about a tool he developed called “Blitzableiter” (Lightning rod), which can be found at http://blitzableiter.recurity.com/. Felix is very much looking for feedback. Felix has been playing offense for quite some time, but is now playing [...]]]></description>
			<content:encoded><![CDATA[<p>By Felix FX Lindner (Twitter: @41414141, fx@recurity-lab.com)</p>
<div class="wp-caption alignright" style="width: 130px"><a href="http://upload.wikimedia.org/wikipedia/commons/thumb/a/a9/Blitzableiter_Scheune.jpg/800px-Blitzableiter_Scheune.jpg"><img class="  " title="Blitzableiter" src="http://upload.wikimedia.org/wikipedia/commons/thumb/a/a9/Blitzableiter_Scheune.jpg/800px-Blitzableiter_Scheune.jpg" alt="Image from http://de.wikipedia.org/wiki/Blitzableiter" width="120" height="90" /></a><p class="wp-caption-text">Image from http://de.wikipedia.org/wiki/Blitzableiter</p></div>
<p>Felix’s talk is about defending against Flash based web application exploits.</p>
<p>This talk is about a tool he developed called “Blitzableiter” (Lightning rod), which can be found at http://blitzableiter.recurity.com/. Felix is very much looking for feedback.</p>
<p>Felix has been playing offense for quite some time, but is now playing defense, which he said turns out to be harder than offense.</p>
<p>The motivation for Felix’ work comes from the German government agency BSI, who found out that Adobe Flash is way behind the security curve in comparison to other technology.<br />
<span id="more-961"></span><br />
Rich Internet Application platforms are very prevalent:<br />
Over 90% of the browsers have Flash, about 50% have SilverLight or Moonlight and about 75% have Java.</p>
<p>“The problem with Flash is that it won’t go away”, FX said. In an ideal world Flash code runs in a sandbox that shields your operating system from the code. “If this worked, I wouldn’t be standing here”.</p>
<p>One of the problems of Flash is that there is no support for “proof of origin”. You cannot digitally sign a Flash file and only execute Flash files from certain authors.</p>
<p>Flash has quite a number of security vulnerabilities in itself, but it is also a useful vehicle to deploy other attacks, as Dan Kaminsky showed with his DNS rebinding attack. But there are far more examples, like browser redirection, clickjacking, UPnP and CSRF attacks, etc.</p>
<p>There are three general Flash malware classes:<br />
1.    Downloaders – Download malware onto the user PC<br />
2.    Binary Exploits – Targeting the Flash player directly<br />
3.    Web Attack Vehicle – Using Flash to launch non-flash attacks</p>
<p>Flash Malware is poorly detected by Anti-Virus. 40-70% detection on VirusTotal.com. Oddly enough detection rates drop when the Flash is decompressed, so it seems that detection is based on pattern detection in the compressed files, which can very easily be evaded.</p>
<p>The Flash file format is complex and its interpretation may vary depending on the version of the specification. Currently versions 3 to 10 of the file format are supported and in active use.<br />
There is actually not one, but two Flash virtual machines. 80%-90% of the Flash objects on the Internet use the older AVM1. The AVMs have to deal with the challenge of taking into account the file version of the Flash object to “correctly” interpret the code passed to them.</p>
<p>About the defense approach<br />
The defense approach wanted to protect against two scenarios:<br />
•    Malformed files<br />
•    Well formed malicious files that abuse the API</p>
<p>Binding the player or rewriting the player is not an option, so they have chosen a different approach: normalization of the Flash file handed to the player.</p>
<p>The tool is called “Blitzableiter”, which means lightning rod, and turns “Malicious Lightning into harmless Flash”.</p>
<p>Blitzableiter is a Flash parser written in C# that normalizes Flash before feeding it to the Flash player.</p>
<p>At the obvious cost of some memory and CPU cycles, Blitzableiter parses and validates the Flash code and removes any undocumented and known malicious constructions from a Flash file.</p>
<p>Blitzableiter also prevents API abuse, but it is virtually impossible to do up-front analysis of what a Flash file does before passing it to the Flash player. Instead, Blitzableiter adds code to the API calls made from the Flash file to enforce basic security principles like the “same origin policy”.</p>
<p>The tool is currently not free of problems, e.g. running the tool in a browser is still not recommended because graphical computations are very expensive.</p>
<p>Every talk of FX about this subject is accompanied by a development release.</p>
<p>Please try the tool and report back issues.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/blackhateu-fx/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>BlackHatEU : Keynote</title>
		<link>http://www.cupfighter.net/index.php/2010/04/blackhateu-keynote/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/blackhateu-keynote/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 07:58:31 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[BlackHatEU]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Barcelona]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[CAN-SPAM]]></category>
		<category><![CDATA[CANSPAM]]></category>
		<category><![CDATA[Conference]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=959</guid>
		<description><![CDATA[By Max Kelly – CSO of Facebook Max Kelly moved from running a forensics lab to being the Chief Security Officer of Facebook. His title slide is “Security – The facebook way” Axiom 10: “That feature can be used in a way that you didn’t think of. Try and find out what it is.” This [...]]]></description>
			<content:encoded><![CDATA[<p>By Max Kelly – CSO of Facebook</p>
<p><a href="http://www.cupfighter.net/wp-content/uploads/2010/04/BHeu.png"><img class="alignnone size-full wp-image-967" title="Black hat Europe" src="http://www.cupfighter.net/wp-content/uploads/2010/04/BHeu.png" alt="Black hat Europe" width="500" height="120" /></a></p>
<p>Max Kelly moved from running a forensics lab to being the Chief Security Officer of Facebook.</p>
<p>His title slide is “Security – The facebook way”</p>
<p>Axiom 10: “That feature can be used in a way that you didn’t think of. Try and find out what it is.”</p>
<p>This rule came into existence when they set up their new service, friend finder, which allows you to upload your address list and check if people were on facebook. It turned out that this service was using a lot of CPU because spammers used it to validate the existence of email addresses to make their spam lists more valuable.<br />
<span id="more-959"></span><br />
Rules<br />
In order to cope with attackers, facebook uses the following “rules”:<br />
•    We will diligently pursue attackers of any type<br />
•    We will use all legal means available to identify attackers<br />
•    We will use all legal resources to protect facebook and our users and prevent future attacks<br />
•    Users expect us to handle security incidents for them, and we do.<br />
•    If you find a security hole in facebook and tell us, we won’t take action against you.</p>
<p>Axiom 23: Intelligence is king.</p>
<p>Keep your friends close, keep your enemies closer, and don’t tell them who they are.</p>
<p>About the facebook security organization.<br />
Both the Legal Enforcement team and the Security Incident Response team report directly to the CSO. The legal team does not report to the CEO.</p>
<p>Axiom 12: Compliance isn’t security.<br />
Put compliance off as long as you can. If you are doing things right, compliance should be hard to implement. But any time spent on compliance before you absolutely have to is wasted effort.</p>
<p>Return on investment<br />
There are four elements to security.<br />
•    Vulnerabilities are infinite; trying to catch them has a very low return on investment<br />
•    Threats, the ability to use a vulnerability, have a slightly higher return on investment, but “without attacks, threats and vulnerabilities are fine”<br />
•    Attacks: going after the attack is an efficient way, but<br />
•    Actors: the attacks are used by people for a gain. If you go after the actors, you have the best return on investment.</p>
<p>For example: trying to take the gain out of spamming is better than trying to remove all possibilities to spam.</p>
<p>Axiom 31: ask your users for help. They want to.<br />
Ultimately, facebook and its users have the same vested interests. Users can be helpful in detecting precursors to security incidents and are in a certain way the eyes and ears of the facebook security team.</p>
<p>Spam defenses<br />
Max disclosed some of the anti-spam measures used by facebook:<br />
•    Rate limiting<br />
•    User reports<br />
•    Anomaly detection<br />
•    Classifiers:<br />
o    String blocking<br />
o    Account deleting<br />
o    Machine learning</p>
<p>A typical spam attack<br />
Spam attacks have a typical MO, Max explains. First the attacker needs to identify the attack. Then the attacker starts to collect accounts. The attack then needs to be scripted, so the software needs to be written or purchased.<br />
These previous phases may go unnoticed. The attacker will then send out messages that direct users outside facebook and try to make a profit.</p>
<p>“Fleshing out” an attack, to make it work, may leave traces. Also the data from honey pots is useful in early identification of (new) attacks.</p>
<p>Account gathering can sometimes be detected because facebook has spread some marked fake account lists in the underground economy.</p>
<p>Attack software is classified by the facebook security team by the bugs in the attack software.</p>
<p>Directing users offsite is the point where facebook can really make a difference, reporting malware to AV vendors, taking down sites, etc. The goal is to reduce the window between the user seeing the message and being able to click on the link and go to the site.</p>
<p>Using the CANSPAM act facebook can get money from the sites being marketed, ultimately getting their cooperation to find the people really responsible for the spam.</p>
<p>Claims against foreign entities are still useful because it enables facebook to seize all assets flowing through the US.</p>
<p>In summary<br />
Going after actors and attacks is more useful than going after threats and vulnerabilities.</p>
<p>Most useful lessons:<br />
•    Gather intelligence<br />
•    Know and use the law<br />
•    Keep out of the compliance mindset<br />
•    Identify and disrupt attacks<br />
•    Use your users</p>
<p>Axiom 66: sometimes, ignore the rules. Bad guys do it all the time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/blackhateu-keynote/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Coverage of Black Hat Europe</title>
		<link>http://www.cupfighter.net/index.php/2010/04/converage-of-blackhateu/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/converage-of-blackhateu/#comments</comments>
		<pubDate>Mon, 12 Apr 2010 22:55:45 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Barcelona]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[BlackHatEU]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=954</guid>
		<description><![CDATA[The Black Hat organization has graciously facilitated Cupfighter.net to cover Black Hat Europe, currently underway in Barcelona, Spain. Yesterday and today are filled with trainings and Wednesday and Thursday are reserved for the briefings which will be covered by cupfighter.net Hopefully I will be able to give you pretty quick coverage as I previously did [...]]]></description>
			<content:encoded><![CDATA[<p>The Black Hat organization has graciously facilitated Cupfighter.net to cover Black Hat Europe, currently underway in Barcelona Spain.</p>
<p>Yesterday and today are filled with trainings, and Wednesday and Thursday are reserved for the briefings, which will be covered by cupfighter.net.</p>
<p>Hopefully I will be able to give you pretty quick coverage as I previously did at <a title="Cupfigh coverage of Black Hat" href="http://www.cupfighter.net/index.php/category/conferences/blackhat/">Black Hat USA</a>, <a title="Cupfigh coverage of Defcon" href="http://www.cupfighter.net/index.php/category/conferences/defcon/">Defcon</a>, <a title="HAR2009" href="http://www.cupfighter.net/index.php/category/conferences/har2009-conferences/">Hacking at Random</a> and <a title="Cupfigh coverage of Confidence 2009.02" href="http://www.cupfighter.net/index.php/category/conferences/confidence-2009-02/">Confidence 2009.02</a>.</p>
<p><span id="more-954"></span>Black Hat CEO Jeff Moss previously explained that by moving the conference from Amsterdam (the home town of Schuberg Philis) to Barcelona, Black Hat would be able to expand the briefings from a two-track to a three-track schedule, only one track smaller than the massive Black Hat conference in Las Vegas.</p>
<p>From the entire <a title="BlackHatEU schedule" href="http://blackhat.com/html/bh-eu-10/bh-eu-10-schedule.html">overwhelming schedule</a> I have so far selected the following talks:</p>
<p><span style="text-decoration: underline;"><strong>Day 1</strong></span></p>
<ul>
<li>Keynote by Max Kelly &#8211; CSO of Facebook</li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#FX">Felix FX Lindner: Defending the Poor</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Temmingh">Roelof Temmingh: Unveiling Maltego 3.0</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Chenette">Stephan Chenette: Fireshark &#8211; A tool to Link the Malicious Web</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Arlen">James Arlen: SCADA and ICS for Security Experts: How to avoid being a Cyber Idiot</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Rey">Enno Rey &amp; Daniel Mende: Hacking Cisco Enterprise WLANs</a></li>
</ul>
<p><strong><span style="text-decoration: underline;">Day 2</span></strong></p>
<ul>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong">Thai Duong &amp; Juliano Rizzo: Practical Crypto Attacks Against Web Applications</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Papathanasiou">Christian Papathanasiou: Abusing JBoss</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Ocepek">Steve Ocepek &amp; Wendel G. Henrique: Oracle, Interrupted: Stealing Sessions and Credentials</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Lindsay">David Lindsay &amp; Eduardo Vela Nava: Universal XSS via IE8s XSS Filters</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Beek">Christiaan Beek: Virtual Forensics</a></li>
</ul>
<p>Besides the two-day program I will naturally be spending time socializing, networking and maybe even talking to some podcasting people.</p>
<p>Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/converage-of-blackhateu/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>SSL takes a serious beating at BlackHat and Defcon conferences</title>
		<link>http://www.cupfighter.net/index.php/2009/08/ssl-beaten-up-at-blackhat-and-defcon/</link>
		<comments>http://www.cupfighter.net/index.php/2009/08/ssl-beaten-up-at-blackhat-and-defcon/#comments</comments>
		<pubDate>Sat, 01 Aug 2009 16:00:42 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Defcon]]></category>
		<category><![CDATA[CA]]></category>
		<category><![CDATA[certificates]]></category>
		<category><![CDATA[Citrix]]></category>
		<category><![CDATA[Dan Kaminski]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[DNSSEC]]></category>
		<category><![CDATA[Maxie Marlinspike]]></category>
		<category><![CDATA[Mike Zusman]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[Thrust]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=416</guid>
		<description><![CDATA[Moxie Marlinspike, Dan Kaminski and Mike Zusman all presented talks at both Blackhat and Defcon that expose serious flaws in the implementation and model of SSL and the way we use it today. First of all both Marlinspike and Kaminski discovered a flaw in the implementation of the client side of SSL, which is all about [...]]]></description>
			<content:encoded><![CDATA[<p>Moxie Marlinspike, Dan Kaminsky and Mike Zusman all presented talks at both Blackhat and Defcon that expose serious flaws in the implementation and trust model of SSL and the way we use it today.<br />
<span id="more-416"></span><br />
First of all, both Marlinspike and Kaminsky discovered a flaw in the client-side implementation of SSL, which is all about requesting an SSL certificate with a NULL (\0) character in the name. As Kaminsky pointed out, Marlinspike’s exploit for this was the better of the two. Moxie was able to request a number of null-character certificates. His first request, for www.bankofamerica.com\0.thoughtcrime.org, was interpreted by the Certificate Authority (CA), the company issuing certificates, as a thoughtcrime.org certificate, which Marlinspike could legitimately request. Nearly all browsers and other clients, such as SSL VPNs and chat clients, however, treat it as a certificate for www.bankofamerica.com, because their C string routines stop reading at the first \0. When Marlinspike investigated the routine responsible for handling these so-called null-terminated certificates, he discovered that a certificate like (www.paypal.com|www.bankofamerica.com|login.live.com)\0.thoughtcrime.org would be valid for each of the listed domains and that *\0.thoughtcrime.org would be valid for all domains. While inspecting the code he also found that a certificate with the common name (AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com causes an exploitable memory overwrite.</p>
<p>Moxie developed a tool and technique called SSLSNIFF which is able to do undetectable man-in-the-middle attacks on SSL connections using the possibilities null-terminated certificates offer. He listed three possible countermeasures against his attack: certificate validation, software updates and extended validation certificates. Unfortunately he was able to defeat two of these three.<br />
Certificate validation these days is handled mostly by OCSP, the Online Certificate Status Protocol. Marlinspike found a flaw in how clients use the protocol. One of the statuses an OCSP responder can send back is “try later”, represented by the number 3. Such a reply does not need to be signed by the CA, and it causes the browser to fail open, or as Moxie put it: “OCSP is defeated by the number 3”.<br />
Software updates can be another issue. At the time of the presentation these bugs were only fixed in Firefox 3.5, so how do you prevent people from updating to that version? Most browsers these days have a so-called auto-update function, which searches online for a more recent version of the browser, add-ons or plugins. To ensure that no malicious content is installed, the browsers rely on SSL, the same SSL that was broken by Marlinspike’s SSLSNIFF.</p>
<p>But there is more trouble in paradise. Marlinspike also demonstrated a technique he called SSL stripping. SSL stripping does not attack SSL itself; instead it attacks what Moxie described as the bridge between http and https: “Https in today’s world is not often encountered directly. Users don’t often type https:// in the address bar themselves. Instead they get redirected to an https site or click on a link to it.” By performing a man-in-the-middle attack on the http connection and carefully rewriting all https links to http links, while still speaking https to the real server himself, Marlinspike was able to serve near-exact copies of the login pages of services such as Gmail and PayPal over plain http. The user would only know something is wrong if they noticed that the https prefix is not there or that the padlock symbol is missing.</p>
<p>Dan Kaminsky was also able to abuse the common name field to obtain certificates he should not be getting. Different certificate validation implementations handle certificates with multiple common names differently. By requesting a certificate with three common names, CN=www.ioactive.com, CN=www.bankofamerica.com and CN=*, Kaminsky obtained a certificate that is perceived as follows: the CA sees it as a www.ioactive.com certificate, which Kaminsky is allowed to request; Internet Explorer interprets it as a www.bankofamerica.com certificate; and Firefox will accept it for any URL.</p>
<p>Besides the common name abuse, Kaminsky also showed that there is still an MD2-signed (MD2withRSA) root certificate present in all browsers. While practical exploitation is not possible at the moment, it is very likely to become possible in the near future. Most browser vendors are working on a fix right now, but Kaminsky kindly asked his audience to “please, do not hack MD2 in the next six months.”</p>
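<p>To make the “number 3” concrete, here is an added example (not code from the talk or from this blog) that decodes the outer envelope of a DER-encoded OCSPResponse and contrasts the fail-open decision a 2009 client made with a fail-closed one. The sample responses are constructed; verification of the signed BasicOCSPResponse inside responseBytes is assumed to be done by the caller and is passed in as <code>signed_cert_status</code>.</p>

```python
# Added example: the OCSPResponse envelope and the "try later" fail-open.
# Constructed sample responses; not code from the talk or this blog.
STATUS_NAMES = {
    0: "successful", 1: "malformedRequest", 2: "internalError",
    3: "tryLater", 5: "sigRequired", 6: "unauthorized",
}


def _der_length(buf, i):
    """Decode a DER length at buf[i]; return (length, index_after_length)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def ocsp_response_status(der):
    """Walk OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
    responseBytes [0] EXPLICIT OPTIONAL } (RFC 2560).  Returns
    (status, has_response_bytes).  Only responseBytes carries a
    signature; the status byte is plaintext that anyone on path can write."""
    if not der or der[0] != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    seq_len, i = _der_length(der, 1)
    if i + seq_len != len(der):
        raise ValueError("SEQUENCE length does not match buffer")
    if i >= len(der) or der[i] != 0x0A:
        raise ValueError("responseStatus must be ENUMERATED")
    n, i = _der_length(der, i + 1)
    if n != 1:
        raise ValueError("responseStatus must be one byte")
    status = der[i]
    has_response_bytes = i + 1 < len(der) and der[i + 1] == 0xA0
    return status, has_response_bytes


def try_later_response():
    """The five bytes an attacker answers every OCSP query with:
    SEQUENCE { ENUMERATED 3 }.  No signature, no responder identity."""
    return bytes([0x30, 0x03, 0x0A, 0x01, 0x03])


def successful_envelope():
    """Constructed 'successful' envelope with an (empty) responseBytes
    element, enough to exercise the envelope parser."""
    return bytes([0x30, 0x07, 0x0A, 0x01, 0x00, 0xA0, 0x02, 0x30, 0x00])


def decide(der, signed_cert_status, fail_open):
    """Client policy.  signed_cert_status is 'good' / 'revoked' / None as
    produced by the caller's verification of the signed BasicOCSPResponse
    (assumed to happen elsewhere; not implemented here).
    Returns 'proceed' or 'block'."""
    status, has_rb = ocsp_response_status(der)
    if status == 0 and has_rb:
        if signed_cert_status == "good":
            return "proceed"
        if signed_cert_status == "revoked":
            return "block"
    # Anything else (tryLater, unauthorized, malformed, missing or
    # unverifiable responseBytes) carries no CA signature.  A client that
    # treats it as "not revoked" has let an on-path attacker decide.
    return "proceed" if fail_open else "block"
```

<p>Failing closed is the honest answer to “defeated by the number 3”, but it turns every responder outage into an outage of your site; the mitigation that was later adopted in practice is to have the server deliver a signed, fresh OCSP response in the TLS handshake (stapling), so the client never has to trust an unsigned status from the network.</p>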
<p>The last talk I attended was Mike Zusman’s “Criminal Charges not Pursued: Hacking PKI”. Mike used another technique to get “interesting” certificates: by exploiting a flaw in the web application of a CA, he was able to request certificates for pretty much any domain he wanted.</p>
<p>One of the solutions that seems to be popping up is Extended Validation, which in a sense takes us back a couple of years. A few years ago the only way to buy a certificate was to provide, out of band and to a human, legal evidence that you controlled the domain. Then those people at the CAs were replaced by an online application with an automated validation process, and the fun started.</p>
<p>Extended Validation changes this by enforcing standards for validation and requiring validation by a human before the certificate gets issued. Extended Validation (EV) CAs are hard-coded in the browser to prevent the addition of malicious CAs. But a classic certificate for the same domain is still trusted just as much as an EV certificate.</p>
<p>Mike Zusman was able to perform a man-in-the-middle attack on PayPal, which uses an EV certificate to protect its site. His program redirects only a small portion of the traffic, the actual login, to his own malicious website, which presents a non-EV www.paypal.com certificate obtained via one of the methods described earlier. The only side effect visible to the user is a brief flicker of the green address bar. But will a user notice or care?</p>
<p>Obviously two-factor authentication, like <a href="https://www.paypal.com/securitykey" target="_blank">PayPal’s security key</a>, will reduce the risk, but what can we really do?</p>
<p>I was able to share a beer with Mike after his presentation and it looks like there are fundamental underlying problems with the current certificate structure. Here we have an architecture of trust, yet its foundations are built on the known-insecure DNS database. Browser vendors claim they have a set of rules that should be obeyed for a CA to be included in the browser, yet practice shows that certain CAs that have not followed these rules are still in the browser, while non-commercial CAs like CAcert are having a hard time getting included in browsers for what seem to be political reasons.<br />
It is time to ask ourselves fundamental questions like: is it a good thing that a browser vendor determines whose assertion of identity to trust? There is a trend that browsers make it harder to accept invalid certificates. Mike said: “It currently takes more clicks to accept an invalid certificate than to import a new CA”. Is this a good thing?</p>
<p>Both Zusman and Kaminsky agree that it would be a good thing if we had a trustworthy DNS structure that we could simply use to, for example, store the fingerprints of the certificates that are valid for our domain. Unfortunately DNSSEC is currently in a status quo. The current implementation still has issues, but until the root servers are signed nobody will be motivated to fix them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/08/ssl-beaten-up-at-blackhat-and-defcon/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Blackhat talk: Cloudburst &#8211; VMWare guest to host escapes by Kostya Kortchinsky</title>
		<link>http://www.cupfighter.net/index.php/2009/07/blackhat-cloudburst-vmware-guest-to-host-escape/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/blackhat-cloudburst-vmware-guest-to-host-escape/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 02:15:00 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Cloudburst]]></category>
		<category><![CDATA[ESX]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[VMWare]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=413</guid>
		<description><![CDATA[Kostya started off by telling everybody: &#8220;I&#8217;m not a virtualisation expert&#8221; Then he explained how he built up his Cloudburst exploit. He focused on the emulated guest devices, because the devices are present in all VMWare products, run on the host, can be driven from the guest, are written in [...]]]></description>
			<content:encoded><![CDATA[<p>Kostya started off by telling everybody: &#8220;I&#8217;m not a virtualisation expert&#8221;</p>
<p>Then he explained how he built up his Cloudburst exploit. He focused on the emulated guest devices, because the devices are present in all VMWare products, run on the host, can be driven from the guest, are written in C/C++ and parse fairly complex data.</p>
<p><span id="more-413"></span>Cloudburst is a reliable guest-to-host escape on recent VMWare products: Workstation, Fusion?, ESX Server (4.0 RC Hardfreeze). All the bugs in his presentation have already been patched.</p>
<p>Cloudburst is a combination of 3 or 4 bugs in the VMWare emulated video device:</p>
<ul>
<li>Host memory leak into the guest</li>
<li>Host arbitrary memory write from the guest into the host, both absolute and relative.</li>
</ul>
<p>Some functions in VMWare were also very helpful for bypassing DEP.</p>
<p>The VMWare VGA device is a virtual PCI device, and it supports 3D on VMWare on Windows. There are bugs in the 2D video path that allow arbitrary reads from the host process, but no bugs that allow an arbitrary memory write in the right areas of memory in functions that are enabled by default. 3D offers better possibilities in that it actually has a default-enabled arbitrary memory write. It was also present in ESX 4.0 RC Hardfreeze, but got fixed before ESX 4 reached production.</p>
<p>In order to fully exploit the bug, Kostya had to use the MOSDEF shellcode and communicate via the video buffer. This means that the compromised guest OS communicates with the shellcode running in the compromised host using BMP images.</p>
<p>Kostya’s conclusions are: VMWare is not a security layer, it is just another layer to find bugs in. Given the right bug primitives, you can exploit anything.</p>
<p>He also wonders why the 3D video code is included in ESX at all.</p>
<p>He finished by successfully demonstrating the attack to us.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/blackhat-cloudburst-vmware-guest-to-host-escape/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blackhat talk: Fuzzing the Phone in your Phone &#8211; Charlie Miller and Collin Mulliner</title>
		<link>http://www.cupfighter.net/index.php/2009/07/blackhat-fuzzing-the-phone-in-you-phone/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/blackhat-fuzzing-the-phone-in-you-phone/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 02:00:19 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[iPhone Virus]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SMS]]></category>
		<category><![CDATA[Windows Mobile]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=410</guid>
		<description><![CDATA[This is the talk that I blogged about earlier about owning the iPhone through SMS. The work Charlie and Collin did was actually amazing. In their presentation they first looked at SMS.  SMS is a building block of the phone system and essential to the working of the modern network because it is used for [...]]]></description>
			<content:encoded><![CDATA[<p>This is the talk that <a href="http://www.cupfighter.net/index.php/2009/07/blackhat-newsflash-researchers-showed-that-an-iphone-sms-virus-infection-is-possible-at-blackhat/" target="_self">I blogged about earlier</a> about owning the iPhone through SMS. The work Charlie and Collin did was actually amazing.</p>
<p>In their presentation they first looked at SMS. SMS is a building block of the phone system and essential to the working of the modern network because it is used for all kinds of things. Why is it a good target? There is no firewall, it is processed by all phones, it needs no user interaction, and you only need a phone number to send one.</p>
<p><span id="more-410"></span>So how is an SMS processed? Phones have two processors, the application CPU and the modem, which talk via an (often virtual) serial line. The modem is controlled by a specific set of AT commands. When the modem receives an SMS, it sends an unsolicited AT result carrying the message to the CPU. This is what can be fuzzed.</p>
<p>For practical reasons they did not want to send all the SMS messages coming out of their fuzzer over the network. First of all, it would cost too much money: during the tests they sent over 500,000 messages. Secondly, if the messages were sent over the air, the carrier would be able to watch the fuzzing going on. Last but not least, they might get into trouble because the tests might actually crash the telcos’ equipment. So for several different phones (iPhone, Android and Windows Mobile) they developed a MitM SMS injection application that sits in the middle of the virtual serial line. This gave them a fast way to send messages and free SMS sniffing capabilities.</p>
<p>The results then had to be verified in real life, because not all messages can be delivered through all mobile networks.</p>
<p>It turns out that it is very easy to perform a DoS attack on various phones. While DoS may be a lame attack, it is still a very useful one.</p>
<p>On the iPhone the bugs are in the code that handles concatenated text messages. If a single message gets too big, it is split up into multiple messages, each announcing the total number of parts and its own part number. It turns out that these routines act funny when they are presented with the number -1.</p>
<p>If you tell the iPhone to expect -1 message parts, parts of it crash and prevent the phone from working normally. They demoed this attack against a guy from Vodafone who volunteered.</p>
<p>It turns out that if you tell the iPhone to expect a reasonable number of messages and then send it message number -1, you get, under the right conditions, the ability to overwrite memory. But is it possible to exploit the heap via SMS?</p>
<p>Via subtle SMS manipulation the heap can be controlled with a &#8220;mini heap feng shui&#8221;, and actual exploitation is possible, even though it takes about 519 SMS messages (at 1/sec).</p>
<p>There is also a DoS against Android-powered phones. Google was notified on June 19 and fixed the vulnerability last week.</p>
<p>Windows Mobile: any text message containing %n crashes an HTC Windows Mobile phone, the classic symptom of a format string bug.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/blackhat-fuzzing-the-phone-in-you-phone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blackhat talk: Cloud Computing Models and Vulnerabilities &#8211; Raining on the Trendy New Paradise by Alex Stamos, Andrew Becherer &amp; Nathan Wilcox</title>
		<link>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-cloud-computing-models-and-vulnerabilities-raining-on-the-trendy-new-paradise-by-alex-stamos-andrew-becherer-nathan-wilcox/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-cloud-computing-models-and-vulnerabilities-raining-on-the-trendy-new-paradise-by-alex-stamos-andrew-becherer-nathan-wilcox/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 01:36:56 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[IaaS]]></category>
		<category><![CDATA[PaaS]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[Salesforce.com]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows Azure]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=406</guid>
		<description><![CDATA[Soundbite of the day: Alex Stamos about the Twitter hack: &#8220;No matter how low an opinion you have of your user, they will always prove you wrong&#8221; Cloud computing is actually defined as three types of services: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). A large VMWare [...]]]></description>
			<content:encoded><![CDATA[<p>Soundbite of the day: Alex Stamos about the Twitter hack: &#8220;No matter how low an opinion you have of your user, they will always prove you wrong&#8221;</p>
<p>Cloud computing is actually defined as three types of services: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). A large VMWare farm for one company is not cloud computing.</p>
<p>Each of the models has its pros and cons.</p>
<p><span style="text-decoration: underline;"><strong><span id="more-406"></span>Model 1: Software as a Service (SaaS) &#8211; Alex Stamos</strong></span></p>
<p>With SaaS, instead of running and building your own applications, you use web applications provided by the SaaS vendor. This might actually be a good idea, because SaaS companies generally know about application security.</p>
<p>Unfortunately using SaaS means that your data will reside at the vendor&#8217;s location. Also, some SaaS vendors use a password recovery mechanism that makes your datacenter admin password exactly as secure as the admin’s e-mail account.</p>
<p>Most SaaS vendors do not provide the audit logs an enterprise needs. That is why it is probably a bad idea to put regulated data into SaaS.</p>
<p>Some vendors let you address the password and auditing issues by supporting SAML authentication. It takes away some of the benefits of SaaS, but you can then do things like two-factor authentication, control your own password policy, run an internal password reset, do auditing and anomaly detection, or even restrict the login page to users behind a VPN.</p>
<p>SaaS brings large legal concerns, because the contracts exclude all the important stuff, e.g. liability and support in case of compromise. Most vendors forbid you in their EULAs from executing penetration tests against their services. Exceptions: Amazon, Google, Salesforce.com.</p>
<p>SaaS provides far less protection against search and seizure. In the US a hard drive in your house is protected by the US constitution; a hard drive in a service provider’s datacenter isn&#8217;t.</p>
<p><span style="text-decoration: underline;"><strong>Model 2: Platform as a Service (PaaS) &#8211; Nathan Wilcox</strong></span></p>
<p>With PaaS you are provided with a development framework that you can use to develop your own service. Examples are:</p>
<ul>
<li>Google AppEngine</li>
<li>Salesforce.com’s Platform as a Service, Force.com</li>
<li>Windows Azure</li>
</ul>
<p>To see whether applications developed this way are more or less secure, Nathan did a simple investigation into how easy or hard it is for a developer to get or avoid common issues like CSRF, XSS and SQL injection.</p>
<p>CSRF can be mitigated transparently by all three platforms, but it requires some action from the developer and is easy to forget. Force.com is the exception: there all controls are enabled by default.</p>
<p>Cross-site scripting prevention requires more developer awareness than CSRF prevention. In cloud computing this is no different from traditional methodologies.</p>
<p>SQL injection is easier to prevent in PaaS than it is in classic frameworks.</p>
<p><span style="text-decoration: underline;"><strong>Model 3: Infrastructure as a Service (IaaS) &#8211; Andrew Becherer</strong></span></p>
<p>With IaaS you get control over everything above the hypervisor. Because hundreds of machines get cloned from one image, there are issues with the pseudo-random number generator (PRNG): clones can start from the same entropy state, which can lead to SSH key compromises.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-cloud-computing-models-and-vulnerabilities-raining-on-the-trendy-new-paradise-by-alex-stamos-andrew-becherer-nathan-wilcox/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blackhat newsflash: Researchers showed that an iPhone SMS virus infection is possible at Blackhat</title>
		<link>http://www.cupfighter.net/index.php/2009/07/blackhat-newsflash-researchers-showed-that-an-iphone-sms-virus-infection-is-possible-at-blackhat/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/blackhat-newsflash-researchers-showed-that-an-iphone-sms-virus-infection-is-possible-at-blackhat/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 19:35:41 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SMS]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[Windows Mobile]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=403</guid>
		<description><![CDATA[Charlie Miller&#8217;s and Collin Mulliner&#8217;s talk &#8220;Fuzzing the Phone in your Phone&#8221; today, at the Blackhat security conference in Las Vegas, revealed full details that could enable the first iPhone virus infection. Large SMS messages are cut up into smaller SMS messages, which means that the phone has to parse the received parts [...]]]></description>
			<content:encoded><![CDATA[<p>Charlie Miller&#8217;s and Collin Mulliner&#8217;s talk &#8220;Fuzzing the Phone in your Phone&#8221; today, at the Blackhat security conference in Las Vegas, revealed full details that could enable the first iPhone virus infection.</p>
<p>Large SMS messages are cut up into smaller SMS messages, which means that the phone has to parse the received parts to put the message back together, and that parsing code can be used as an attack vector to breach the phone. Using a technique known as fuzzing, Miller and Mulliner were able to find exploitable conditions that could be turned into an attack and an iPhone virus. The attack takes a total of 519 SMS messages, but works without any user interaction.</p>
<p><span id="more-403"></span>Charlie Miller urges anybody with an iPhone to turn it off if they get a text message with a single square character. &#8220;That small cipher will likely be the only warning that someone has taken advantage of the bug&#8221;.</p>
<p>Apple was notified on the 18th of June and to date has not released a fix.</p>
<p>They also showed that smartphones like the iPhone, Android and Windows Mobile based devices can be forced to stop working with a single crafted SMS. The simplest attack was against HTC Windows Mobile phones, which crash on any SMS containing the character sequence &#8220;%n&#8221;.</p>
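<p>The concatenated-SMS parsing that this post and the longer write-up of the talk (“Fuzzing the Phone in your Phone”) describe, as an added example that is not code from the talk or from this blog: a parser for the concatenation header in the SMS User Data Header (3GPP TS 23.040, 8-bit reference), the signed-byte arithmetic that turns 0xFF into “part -1”, and a reassembler that refuses out-of-range part numbers before they are ever used as an index. The sample PDUs are constructed; real phones carry the header inside a full SMS-DELIVER PDU, which is not modelled here.</p>

```python
import struct

# Added example; constructed input, not code from the talk or this blog.
MAX_PARTS = 255   # 8-bit reference concatenation: counters are one byte, 1..255


def parse_concat_header(ud):
    """Parse the User Data Header of an SMS (3GPP TS 23.040): UDHL, then
    information elements of (IEI, IEDL, data).  The 8-bit-reference
    concatenation element is IEI 0x00 with IEDL 3: reference, total
    number of parts, this part's 1-based number.  Returns
    (ref, total, seq, header_length) or None if absent or malformed."""
    if len(ud) < 1:
        return None
    end = ud[0] + 1                      # UDHL does not count itself
    if end > len(ud):
        return None                      # header claims more bytes than exist
    i, found = 1, None
    while i + 2 <= end:
        iei, iedl = ud[i], ud[i + 1]
        if i + 2 + iedl > end:
            return None                  # element runs past the header
        if iei == 0x00 and iedl == 3:
            found = (ud[i + 2], ud[i + 3], ud[i + 4], end)
        i += 2 + iedl
    return found


def signed_slot_index(seq_byte):
    """The bug class the talk describes: read the one-byte part number as a
    signed integer and 0xFF becomes -1, so "part -1" lands in slot -2.
    In C that is a write before the start of the part table; shown here
    only as the arithmetic."""
    return struct.unpack("b", bytes([seq_byte]))[0] - 1


class Reassembler:
    """Collect the parts of one concatenated message, refusing anything
    outside 1..total before it can be used as an index."""

    def __init__(self):
        self.ref = None
        self.total = None
        self.parts = {}

    def accept(self, ud):
        hdr = parse_concat_header(ud)
        if hdr is None:
            return "reject-header"
        ref, total, seq, hlen = hdr
        # The check whose absence the fuzzer found: unsigned and in range.
        if total == 0 or seq == 0 or seq > total:
            return "reject-range"
        if self.ref is None:
            self.ref, self.total = ref, total
        elif (ref, total) != (self.ref, self.total):
            return "reject-mismatch"
        self.parts[seq] = bytes(ud[hlen:])
        return "complete" if len(self.parts) == self.total else "accepted"

    def text(self):
        """The reassembled payload once every part is present, else None."""
        if self.total is None or len(self.parts) != self.total:
            return None
        return b"".join(self.parts[s] for s in range(1, self.total + 1))
```

<p>Note that a total of 0xFF is not “-1” but a legitimate 255-part message, so the fix is not to reject the byte value but to stop interpreting it as signed and to bound every index by the announced total.</p>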
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/blackhat-newsflash-researchers-showed-that-an-iphone-sms-virus-infection-is-possible-at-blackhat/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Blackhat talk: Language of Trust aka Attacking Interoperability by Mark Dowd, Ryan Smith and David Dewey</title>
		<link>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-language-of-trust-aka-attacking-interoperability-by-mark-dowd-ryan-smith-and-david-dewey/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-language-of-trust-aka-attacking-interoperability-by-mark-dowd-ryan-smith-and-david-dewey/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 07:39:36 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[ActiveX]]></category>
		<category><![CDATA[Browser]]></category>
		<category><![CDATA[IE]]></category>
		<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=399</guid>
		<description><![CDATA[Interoperability is everywhere in browsers: Java &#60;-&#62; VBScript, VBScript &#60;-&#62; .NET, .NET &#60;-&#62; Javascript, Javascript &#60;-&#62; DOM etc. This interoperability presents a large attack surface which up to now has not been well explored. There is a lot of code involved in converting types between the various languages. Interoperability is affected by standard bugs like buffer overflows [...]]]></description>
			<content:encoded><![CDATA[<p>Interoperability is everywhere in browsers: Java &lt;-&gt; VBScript, VBScript &lt;-&gt; .NET, .NET &lt;-&gt; Javascript, Javascript &lt;-&gt; DOM etc. This interoperability presents a large attack surface which up to now has not been well explored.</p>
<p>There is a lot of code involved in converting types between the various languages.</p>
<p><span id="more-399"></span>Interoperability is affected by standard bugs like buffer overflows and memory corruption, but also by three new vulnerability classes:</p>
<ul>
<li>Object retention vulnerabilities</li>
<li>Type confusion vulnerabilities</li>
<li>Transitive trust vulnerabilities</li>
</ul>
<p><span style="text-decoration: underline;"><strong>Object retention</strong></span></p>
<p>Since an object does not know which other objects are using it, it does not know when to destroy itself. Most often this is handled via a reference counter, but that is not perfect, leading to stale heap data being used as pointers, double frees, or objects never being freed at all.</p>
<p>Issues arise from reference counters rolling over and from objects being freed too often or not at all. A shallow copy instead of a deep copy can also lead to problems. These are all programming errors.</p>
<p><span style="text-decoration: underline;"><strong>Type confusion</strong></span></p>
<p>In IE, VARIANT data types require careful programming and therefore present an opportunity to attackers. Type mismatches are often not picked up by the compiler; they can lead to memory corruption and can be exploitable, for example through double frees. This is what happened in the ATL bug, and these issues are addressed by Microsoft’s patches.</p>
<p>Demonstration #1: an ActiveX control was loaded and passed a persistent data stream which caused a free call on uninitialized data. This is exploitable, so shellcode was executed.</p>
<p>Demonstration #2: in IE8 on Windows 7 an array of objects was passed instead of the actual objects. The browser interpreted the array as an object, which leads to an exploitable error.</p>
<p>Even though Firefox’s NPAPI is a lot simpler, it requires the programmer to check the data types himself, which is often forgotten, leading to the same kinds of issues.</p>
<p><span style="text-decoration: underline;"><strong>Trust</strong></span></p>
<p>Browsers need to deal with a lot more than just HTML these days.</p>
<p>If a browser uses a trusted object A, and object A trusts object B, which is not trusted by the browser, B still gets executed.</p>
<p>Demonstration #3: an object is loaded first, but its kill bit is set so it is not executed. Then a trusted object is loaded and passed the kill-bitted object as persistent data, which it will execute. In its turn this object starts calc.exe.</p>
<p><span style="text-decoration: underline;"><strong>Remediation of the ATL issues</strong></span></p>
<p>Any ActiveX control compiled in the last 15 years may have these vulnerabilities in it. ATL 2.0 was released in 1997 and ATL 9.0 in 2008. Any ActiveX control based on a vulnerable ATL needs to be checked, may need some reprogramming and will need recompilation.</p>
<p>All in all there may be quite a large set of vulnerable controls out there, besides the other interoperability scenarios that this talk did not address.</p>
<p>A paper is available at <a href="http://taossa.com" target="_blank">http://taossa.com</a> or <a href="http://hustlelabs.com" target="_blank">http://hustlelabs.com</a></p>
<p><span style="text-decoration: underline;"><strong>Quick word on the Microsoft patches</strong></span></p>
<p>When I asked the guys whether the Microsoft patches provide a sufficient solution I got an evasive answer. However, one of the demonstration machines auto-updated itself yesterday and the demonstration stopped working.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-language-of-trust-aka-attacking-interoperability-by-mark-dowd-ryan-smith-and-david-dewey/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blackhat talk: More Tricks for Defeating SSL in Practice &#8211; Moxie Marlinspike</title>
		<link>http://www.cupfighter.net/index.php/2009/07/blackhat-post-more-tricks-for-defeating-ssl-in-practice-moxie-marlinspike/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/blackhat-post-more-tricks-for-defeating-ssl-in-practice-moxie-marlinspike/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 07:18:06 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Moxie]]></category>
		<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[Thunderbird]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=395</guid>
		<description><![CDATA[The background: in the past, basic constraints were not properly checked, so any ordinary (leaf) certificate could be used to sign another certificate that would actually validate. Moxie wrote the tool SSLSNIFF, which is able to do a man-in-the-middle attack on an SSL connection based on this vulnerability, to prove to [...]]]></description>
			<content:encoded><![CDATA[<p>The background: in the past, basic constraints were not properly checked, so any ordinary (leaf) certificate could be used to sign another certificate that would actually validate.</p>
<p>Moxie wrote the tool SSLSNIFF, which is able to do a man-in-the-middle attack on an SSL connection based on this vulnerability, to prove to Microsoft that it could be exploited, contrary to what Microsoft said.</p>
<p>Even though Microsoft and others fixed the vulnerability, the tool is still useful, mainly because people don&#8217;t pay attention to certificate warnings. Also, the guys who made the fake CA certificate by means of the MD5 collision used SSLSNIFF to actually exploit it.</p>
<p>But there are more ways to attack SSL than doing a man-in-the-middle attack on it: SSL stripping.</p>
<p><span id="more-395"></span>SSLSTRIP actually attacks SSL before we get there, by doing a MitM attack on http. Most https links are not typed but clicked on or redirected to. SSLStrip watches the http traffic go by and rewrites links to https sites into links to http, while still making the https connection to the server in the backend.</p>
<p>The server thinks everything is normal because it receives valid https requests, and the client does not display any warnings. The padlock is missing, but because users are trained to pay attention to negative feedback and not to look for positive feedback, this is not a big obstacle.</p>
<p>Where do we need to go next?</p>
<p>SSL needs to provide Secrecy, Authenticity and Integrity in order to be effective.</p>
<p>One of the issues is that today there are no people involved anymore with SSL certificates: just domain validation, which is based on a Whois lookup of the root of the subject. This provides an email address or phone number to send a token to.</p>
<p>The standard for the DN has totally broken down. Most implementations just look at the CN= part. The CN is stored as an ASN.1 string in memory, so they are basically Pascal strings, which means that the actual string is prepended by a byte representing the length. The null character is a valid part of a CN string. However, if you use the C routine strcmp(), it will regard www.paypall.com\0evil.org as the same as www.paypall.com.</p>
<p>This bug exists in most web browsers, mail clients, chat clients and SSL vpn solutions like Citrix.</p>
<p>SSLSNIFF 6.0 supports this.</p>
<p>Drawback of this attack: it needs to be targeted.</p>
<p>Most of these products use NSS to do their certificate validation. If you look at the size and structure of the CN comparison code, there must be a bug in there somewhere.</p>
<p>There is: a certificate for *\0thoughtcrime.org will actually work. This is better than a CA certificate. *~thoughtcrime.org will work as well, for some strange reason. As will grouping: CN=(www.paypal.com|www.google.com|www.bankofameric.com)\0.thoughtcrime.org actually works as well.</p>
<p>Also there is a flaw in the code that is actually remotely exploitable: (AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com. And the good thing is, the certificate does not even need to be signed.</p>
<p>Wildcard support is in SSLSNIFF as well.</p>
<p>It also fingerprints the clients to see if they are NSS clients.</p>
<p>Two measures work against these attacks: revocations and software updates.</p>
<p>These days most revocations are checked via OCSP. The OCSP response &#8220;try later&#8221;, the number 3, does not need to be signed. Most SSL implementations will assume a cert is valid if a &#8220;try later&#8221; response is sent.</p>
<p>This is now also in SSLSniff.</p>
<p>Updates</p>
<p>Most software has an auto-update function, e.g. Firefox or Thunderbird. Unfortunately, these update mechanisms themselves can be a problem. Firefox/Thunderbird update files are not signed; they rely totally on TLS for their security.</p>
<p>This is also included in SSLSniff.</p>
<p>Stripping the NULL character is not the solution. Some CAs are vulnerable: sitekey.ba\0nkofamerica.com becomes sitekey.bankofamerica.com.</p>
<p><a href="http://www.thoughtcrime.org">http://www.thoughtcrime.org</a></p>
<p>When asked, Moxie confirmed that Firefox 3.5 is NOT vulnerable.</p>
<p>moxie@toughtcrime.org</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/blackhat-post-more-tricks-for-defeating-ssl-in-practice-moxie-marlinspike/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Blackhat talk: Rapid Enterprise Triaging by Aaron Le Master &amp; Michael Murphy</title>
		<link>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-rapid-enterprise-triaging-by-aaron-le-master-michael-murphy/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-rapid-enterprise-triaging-by-aaron-le-master-michael-murphy/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 06:49:27 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Code Word]]></category>
		<category><![CDATA[Disaster Recovery]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=393</guid>
		<description><![CDATA[Talk focused on a methodology for restoration after a massive compromise while keeping the users on the network and somewhat productive. Four phases for RETRI Preparation Assessment Segmentation and restoration Investigate and recovery Phase 1: Make sure you are ready for everything. This includes having proper backups, knowing how your network works and having a [...]]]></description>
			<content:encoded><![CDATA[<p>Talk focused on a methodology for restoration after a massive compromise while keeping the users on the network and somewhat productive.</p>
<p>Four phases for RETRI</p>
<ol>
<li>Preparation</li>
<li>Assessment</li>
<li>Segmentation and restoration</li>
<li>Investigate and recovery</li>
</ol>
<p><span id="more-393"></span>Phase 1: Make sure you are ready for everything. This includes having propper backups, know how your network works and having a terminal server.</p>
<p>Phase 2: Do damage assessment. Disconnect the infected network from the internet</p>
<p>Phase 3: Segmentation and restoration</p>
<ul>
<li>Create two isolated networks (QNet &#8211; dirty and CleanNet &#8211; clean) with the same IP address schema and separate the two networks with something like MPLS.</li>
<li>Turn all computers on the QNet into dumb terminals and only allow access to the CleanNet terminal server over port 443, with two-factor authentication and encryption.</li>
<li>Provide basic servers on the terminal servers</li>
<li>Then start moving functionality over.</li>
</ul>
<p>Phase 4:</p>
<p>Use tools to figure out what happened.</p>
<p>CodeWord is a tool they developed that can assist with this. It has not been released yet, but is planned to be released as open source later. It has quite a few nice features.</p>
<p>Interesting fact: User downtime costs 3 times as much as the actual cleanup.</p>
<p><a href="http://www.hexsec.com" target="_blank">www.hexsec.com</a></p>
<p><a href="http://www.code-word.org" target="_blank">www.code-word.org</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-rapid-enterprise-triaging-by-aaron-le-master-michael-murphy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
