Archive

Posts Tagged ‘Security’

Cloud security considerations

November 3rd, 2011 2 comments

There are many concerns these days about security when taking services from cloud providers. All the areas in which Schuberg Philis is actively audited are areas of concern for IT managers.

How do I know my cloud service is being hacked and abused if it is not running inside my datacenter? What possibilities do I have to check whether my employees are acting in line with my Acceptable Use Policy? Where are the logs of that abuse, and how can I trust the logs? How do I know that my data is not copied elsewhere in the cloud and analysed offline by my competitor?

With regard to cloud storage, the CDMI (Cloud Data Management Interface) is trying to address some of these questions, but it is only one step forward.

Cloud service providers still have a long way to go. An initiative like Eurocloud is doing great work in paving the road to trust in cloud service providers.

Once cloud service providers are able to successfully address these concerns, they will have a big advantage over the classical IT model of running your own IT: they provide all the security controls you would normally build and control yourself, combined with cloud advantages like fast provisioning and fast reuse of resources.

Small and medium-sized businesses will then be able to get a better and more secure service from cloud services than what they could build and control themselves.

What does this mean for SBP? Sure, there will be competition from the cloud providers. But we are nothing more than just another cloud provider. We build services for our clients with our own cloud technologies, such as fast provisioning and centralized log analysis, but since we build private clouds for our customers, these customers can demand tailored solutions to address their specific needs and concerns.

Cloud computing is not a threat to our business model, but is preparing the market more and more for putting commodity services in the big generic clouds, combined with the need to support highly tailored private clouds.

So it is time to face the fact: Schuberg Philis, the private cloud company!

FIRST2011: Listening to the network: Leveraging Network Flow Telemetry for Security Applications

June 15th, 2011 No comments
Phone Bill a CC NC ND image from Nikita Kashner's Flickr stream

By Darren Anstee of Arbor Networks

Why is it a good idea to use flow information?

  • You don’t need to invest in new equipment to get flow information
  • It can be used to detect malware-infected hosts, DDoS, zero-day exploits, attack and abuse
  • Network flow information is generated regardless of whether routing is symmetric or asymmetric

Network flow information is like a phone bill: you cannot tell what has been said, but you can use it to prove who talked to whom.

So what does a flow record contain?

  • Source IP address
  • Destination IP address
  • Source port
  • Destination port
  • Input ifIndex
  • Protocol
  • Type of Service
  • Packet count
  • Byte count
  • First packet time
  • Last packet time
  • Output ifIndex
  • Etc…
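As an added example (not part of the talk, and not Arbor Networks tooling), the following Python reads a constructed, simplified text export of flow records carrying the fields listed above and does the two things the phone-bill analogy allows: it totals who talked to whom, and it flags a host that contacts many distinct destinations with one-packet flows, the pattern of a scanning or worm-infected host, which a defender can see without any payload. The record layout, the addresses and the thresholds are assumptions for the example; real NetFlow/IPFIX exports are binary and collector-specific.

```python
# Added example, not from the talk or any Arbor Networks product: a "phone
# bill" analysis of flow records. The record layout is a constructed,
# simplified text export carrying the fields listed above; real NetFlow/IPFIX
# exports are binary and collector-specific.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int       # IP protocol number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    first: int       # first-packet time, epoch seconds
    last: int        # last-packet time, epoch seconds


def parse_flow_line(line: str) -> Flow:
    """Parse one whitespace-separated record of the constructed export format."""
    fields = line.split()
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    src, dst = fields[0], fields[1]
    nums = [int(x) for x in fields[2:]]
    return Flow(src, dst, *nums)


def parse_flows(text: str) -> list[Flow]:
    """Parse an export; '#' lines are comments, blank lines are skipped."""
    return [parse_flow_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]


def talkers(flows: list[Flow]) -> dict[tuple[str, str], int]:
    """Who talked to whom: bytes per (src, dst) pair, the phone-bill line items."""
    bill: dict[tuple[str, str], int] = defaultdict(int)
    for fl in flows:
        bill[(fl.src_ip, fl.dst_ip)] += fl.bytes
    return dict(bill)


def scanning_hosts(flows: list[Flow], min_distinct_dst: int = 20,
                   max_packets: int = 2) -> set[str]:
    """Sources that touch many distinct (dst, port) pairs with tiny flows.
    Without payload this is all a flow record can show, but it is enough to
    pick out a scanning or worm-infected host. Thresholds are assumed values."""
    contacts: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for fl in flows:
        if fl.packets <= max_packets:
            contacts[fl.src_ip].add((fl.dst_ip, fl.dst_port))
    return {ip for ip, s in contacts.items() if len(s) >= min_distinct_dst}


# Constructed sample export: two normal HTTPS sessions, one DNS lookup, and one
# host sweeping a /24 on port 445 with single-packet flows. Addresses are from
# private and documentation ranges.
SAMPLE = "\n".join(
    ["# src dst sport dport proto pkts bytes first last",
     "10.0.0.7 203.0.113.10 51234 443 6 120 98000 1700000000 1700000030",
     "10.0.0.7 203.0.113.10 51235 443 6 40 12000 1700000100 1700000105",
     "10.0.0.9 10.0.0.1 5353 53 17 2 180 1700000002 1700000002"]
    + [f"10.0.0.5 10.0.1.{i} {40000 + i} 445 6 1 60 {1700000010 + i} {1700000010 + i}"
       for i in range(1, 31)]
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for (src, dst), total in sorted(talkers(flows).items(), key=lambda kv: -kv[1])[:3]:
        print(f"{src} -> {dst}: {total} bytes")
    print("possible scanners:", scanning_hosts(flows))
```

The scanner heuristic deliberately keys on distinct (destination, port) pairs rather than packet volume, because a sweep is low-volume by nature and a byte-based threshold would never see it; the byte totals are what answer the "who talked to whom" question after the fact.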

Read more…

HitB2011AMS: Let Me Stuxnet You

May 20th, 2011 No comments
Bad day at the office a CC NC ND image from Roger Smith's Flickr stream

By Itzik Kotler

Slides on the HitB Materials page.

Itzik starts his presentation by stating that writing a Stuxnet for a company is much less hard than writing one for a nuclear reactor. Stuxnet is interesting in that it is a purely software-based attack that had a real hardware-based effect.

So can software damage hardware? Yes it can:

  • Software controls hardware and can make it perform damaging operations
  • Software can damage software that runs hardware
  • Software runs hardware and can make this hardware take an action that damages other hardware

So what is PDoS (Permanent Denial of Service)? Damaging hardware so badly that it needs to be replaced or reinstalled.

Users who brick their phone when they try to jailbreak it are basically causing a self-inflicted PDoS.

So who would do it and why?

Read more…

HitB2011AMS: A Real-Life Study of What Really Breaks SSL

May 20th, 2011 No comments
Breaking the ice a cc nc nd by image from MarcelGermain's Flickr stream

By Ivan Ristić

Slides on the HitB Materials page.

Ivan researches SSL for Qualys. SSL was designed by Netscape as a protocol add-on to secure HTTP, but it can be used to secure other protocols as well.

The main challenges today are:

  1. Fragility of the trust ecosystem
  2. Incorrect or weak configuration
  3. Slow adoption of modern standards
  4. Lack of support for virtual SSL hosting
  5. Mismatch between HTTP and SSL

There are three main attacks against SSL:

  • Passive MitM
  • Session hijacking
  • Active MitM
    • Session bypass (SSL strip)
    • Renegotiation attack
    • Rogue certificates
    • User attacks (who reads warnings?)
  • Third-party compromise

Ivan has a lot of data, based on surveys conducted by his employer Qualys SSL Labs and by the EFF’s SSL Observatory. In total 1.2 million sites with valid certificates were investigated.

Ivan showed a slide indicating that of the sites visited only 0.6% had a fully correct SSL configuration, and nearly 50% of the sites did not offer SSL at all.

In Qualys’ most recent SSL Survey only 32% of the sites offering SSL were configured correctly.

Read more…

HitB2011AMS: WebShells: A Framework for Penetration Testing

May 19th, 2011 No comments
Florida Fragments a CC BY-NC-SA image from Merrick Brown's Flickr stream

By Elena Kropochkina and Joffrey Czarny

Slides on the HitB Materials page.

Many of the webshells used by pentesters to get access to systems are detected by conventional security products like anti-virus, IPS and WAF. Instead of building a new webshell for each assignment, the presenters tried to work towards a framework for webshells that is modular and adds obfuscation as a protection against AV/IPS/WAF.

But if you want to build a webshell framework you need to know what is out there. Web servers on the internet are dominated by Apache, IIS and WebLogic. Pentesters are most in need of webshells based on ASP, PHP and Java, as these are heavily used for intranet applications.

The presenters gave an overview of the webshells out there for Linux, MySQL, PHP, JSP and ASP. Many of the common shells have high detection rates on the most common anti-virus platforms.

Even though there are some webshells that are nearly complete in features and others that are not detected by anti-virus, there isn’t one that is both.

There are a few ways to get around anti-virus: encoding, obfuscation and encryption. Common obfuscation tools are available for different languages like PHP, VBScript and Java. Obfuscation tools make reading the code harder, but analysis is often still possible.

Read more…

HitB2011AMS: A Million Little Tracking Devices

May 19th, 2011 No comments

By Don A. Bailey

Slides on the HitB Materials page.

Don’s talk focuses on devices that are designed to track your assets or loved ones, specifically the Zoombak, whose biggest selling point is that you can use it to know for certain where your kids are. Zoombak really took off after it was endorsed by TV personality Oprah.

A Zoombak device basically consists of a GSM module and a microcontroller. These two do not share any memory, but talk to each other over a serial channel using AT commands.

One of the first flaws in the Zoombak is that the GSM module can only talk using the decommissioned and broken A5/2 algorithm. A5/2 is so weak that it can be cracked in real time using PC hardware, but Don didn’t use this weakness to attack the device.

Because being on the GSM network all the time is too expensive, the Zoombak device works differently. If you want to know the location of the device you send it an SMS; the microcontroller polls the SMS from the SIM and acts on the command, e.g. by sending the location of the device to a website over the GPRS network.

Read more…

BSidesLondon: All you security events belong to … you

April 20th, 2011 No comments
For Heat a CC-NC-ND image from ailatan's Flickr stream

By Xavier Mertens

Managing security events from your network is often perceived as boring. There is a lot of information and there are lots of tools. Additionally, log formats are not standardized.

There are also economic issues: uptime often takes precedence over logging, it takes time, staff may be reduced and it is not a revenue-generating activity.

Additionally there are legal issues; these centre around privacy and have to be checked against local law.

Managing security logs is a layered approach:

  1. Log collection
  2. Normalization
  3. Storage
  4. Search
  5. Reporting
  6. Correlation

Correlation can be used to give events more meaning. This can be done with external sources like vulnerability information, but also with internal sources like badge swipes or geo-location.

Read more…
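As an added example (not from Xavier's talk), here is a small Python illustration of the normalization and correlation layers: two constructed log formats, a syslog-style VPN login log and a badge-reader CSV, are normalized into one event schema, and VPN logins are then correlated with badge state so that a remote login by a user the badge system believes is inside the building is surfaced for review. The formats, users and addresses are constructed for the example; both logs are assumed to carry UTC timestamps, which in practice is itself something the normalization layer has to enforce.

```python
# Added example, not from the talk: normalization of two constructed log
# formats into one event schema, followed by a correlation that uses an
# internal source (badge swipes) to give VPN login events more meaning.
from __future__ import annotations

import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample input. Both sources are assumed to log in UTC; aligning
# time zones is part of the normalization layer in a real deployment.
VPN_LOG = """\
2011-04-20T08:55:10Z vpn01 login user=alice src=198.51.100.7
2011-04-20T11:00:41Z vpn01 login user=bob src=198.51.100.9
2011-04-20T11:02:03Z vpn01 login user=carol src=203.0.113.5
"""

BADGE_CSV = """\
time,reader,badge_user,direction
2011-04-20 08:40:00,front-door,alice,in
2011-04-20 09:10:00,front-door,bob,in
2011-04-20 10:45:00,front-door,bob,out
"""

VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) src=(?P<src>\S+)$")


def normalize_vpn(text: str) -> list[dict]:
    """Syslog-style VPN lines -> common schema: ts, source, user, action, src_ip."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # unparsable lines would be counted and reported in practice
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": "vpn", "user": m["user"],
                       "action": "login", "src_ip": m["src"]})
    return events


def normalize_badge(text: str) -> list[dict]:
    """Badge-reader CSV -> the same common schema."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": "badge", "user": row["badge_user"],
                       "action": "badge_" + row["direction"], "src_ip": None})
    return events


def presence_at(badge_events: list[dict], user: str, ts: datetime) -> str | None:
    """'in', 'out', or None (no badge history) from the user's last swipe before ts."""
    state = None
    for ev in sorted(badge_events, key=lambda e: e["ts"]):
        if ev["user"] == user and ev["ts"] <= ts:
            state = "in" if ev["action"] == "badge_in" else "out"
    return state


def correlate(vpn_events: list[dict], badge_events: list[dict]) -> list[dict]:
    """Flag remote VPN logins by users the badge system believes are on site:
    a shared or stolen credential, or a stale badge state, either way worth a look."""
    findings = []
    for ev in vpn_events:
        if presence_at(badge_events, ev["user"], ev["ts"]) == "in":
            findings.append({**ev, "reason": "VPN login while badged in"})
    return findings


if __name__ == "__main__":
    vpn, badge = normalize_vpn(VPN_LOG), normalize_badge(BADGE_CSV)
    for f in correlate(vpn, badge):
        print(f"{f['ts'].isoformat()} {f['user']} from {f['src_ip']}: {f['reason']}")
```

Note that a user with no badge history (carol) yields no finding rather than a false one: the correlation only adds meaning where the internal source actually has data, which is the honest behaviour for a layered pipeline where the badge feed may be incomplete.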

Black Hat EU: You are Doing it Wrong: Failures in Virtualization Systems – By Claudio Criscione

March 18th, 2011 No comments
Wrong Way ... Way Wrong a CC NC SA image from Bob.Fornal's Flickr stream

Virtualization aims to save money and make things simple and quick to deploy. Saving money and quick deployment are arch enemies of security.

Virtualization products require security at the hypervisor level. Being able to hop from one virtual machine to another is not acceptable. There are also a lot of products that focus on the security inside the virtual machines, but virtualized infrastructures are complex by nature.

Relatively lame bugs like XSS can be a big deal in virtualization infrastructures.

Claudio demonstrated that live on stage by exploiting an XSS bug in VMware vCenter which took 1.5 years to patch.

Claudio showed us how an unprivileged user on the vCenter machine was able to read a log file containing the administrator’s SOAP session ID. Using this ID and VASTO, administrator privileges were obtained. Until the last patch, read-only access to vCenter meant that the user could take over the virtual infrastructure using standard tools.

The next attack demonstrated was against an Oracle virtual machine. Using standard “lame” exploits Claudio was able to hop from the application-level administrator to the system root account.

So there are still some very simple vulnerabilities in this software.

Virtualization software is broken today, and we have to treat it accordingly. We have to make people aware that it is broken.

Virtualization infrastructures should be set up in such a way that an XSS in the management layer cannot lead to a disaster.

Read more…

Black Hat EU: Building Floodgates: Cutting-Edge Denial of Service Mitigation – By Yuri Gushin & Alex Behar

March 18th, 2011 No comments
Ghosts of Lake Sutherland a CC NC SA image from Wyrmworld's Flickr stream

DoS: making resources unavailable to others. Common motives are hacktivism, extortion and rivalry. Most big attacks are successful.

So what are the risks of being under DoS attack? Downtime, lost revenue, large bills from the cloud service providers.

What kinds of DoS attacks are there?

  • Layer 3 – muscle-based attacks, generating too many packets for the equipment or saturating the pipe.
  • Layer 4 – consuming more resources on the device, e.g. SYN flood, connection flood, concurrent connection exhaustion, garbage data.
  • Layer 7 – attacking the application, trying to consume as many resources as possible, e.g. HTTP page flood, HTTP bandwidth consumption, DNS query flood, SIP INVITE flood. These attacks are low-rate, high-impact.

So how do you mitigate DoS attacks?

Static thresholds work and put the operations team in control; however, they require constant tuning and restrict the detection phase to a single dimension (rate only).

Adaptive thresholds attempt to learn real traffic characteristics, which improves accuracy; however, natural traffic peaks, e.g. a Christmas peak, may be blocked too.
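To make the trade-off concrete, here is an added Python example (not from the talk) that runs a static threshold and an adaptive, EWMA-based threshold over two constructed series of requests-per-second samples. The first series is a steady baseline, a slow seasonal ramp, a sudden flood, then a return to the new normal: the static threshold flags the ramp and the new normal as well as the flood, which is the constant-retuning problem, while the adaptive one flags only the flood. The second series is a legitimate but abrupt peak, which the adaptive detector flags just like a flood, which is the Christmas-peak caveat. The series, the smoothing factor, the sigma multiplier and the margins are assumptions.

```python
# Added example, not from the talk: static vs. adaptive rate thresholds on
# constructed series of requests-per-second samples.


def static_detector(rates, threshold):
    """Flag every sample above a fixed rate. Simple and operator-controlled,
    but the threshold must be retuned whenever normal traffic grows."""
    return [i for i, r in enumerate(rates) if r > threshold]


def adaptive_detector(rates, alpha=0.1, k=4.0, min_margin=0.5, warmup=10):
    """Flag samples that exceed an EWMA baseline by more than
    max(k * sigma, min_margin * baseline). Flagged samples are not fed back
    into the baseline, so a flood does not teach the detector that floods are
    normal. alpha, k, min_margin and warmup are assumed tuning values."""
    ewma = float(rates[0])
    var = 0.0
    flagged = []
    for i, r in enumerate(rates):
        sigma = var ** 0.5
        limit = ewma + max(k * sigma, min_margin * ewma)
        if i >= warmup and r > limit:
            flagged.append(i)
            continue  # anomaly: do not learn from it
        diff = r - ewma
        ewma += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)  # exponentially weighted variance
    return flagged


# Constructed sample series (requests per second, one sample per interval).
NORMAL = [95, 100, 105] * 10                 # indices 0-29: steady baseline around 100
RAMP = [100 + 4 * i for i in range(1, 51)]   # indices 30-79: slow legitimate growth to 300
FLOOD = [2000] * 5                           # indices 80-84: sudden flood
AFTER = [295, 300, 305] * 5                  # indices 85-99: back to the new normal
RATES = NORMAL + RAMP + FLOOD + AFTER

# A legitimate but abrupt peak (think: the moment a Christmas sale opens).
SUDDEN_PEAK = NORMAL + [400] * 20            # indices 30-49


def compare(rates, static_threshold):
    """Return which samples each detector flags, for side-by-side inspection."""
    return {"static": static_detector(rates, static_threshold),
            "adaptive": adaptive_detector(rates)}


if __name__ == "__main__":
    for name, series in (("growth then flood", RATES), ("sudden peak", SUDDEN_PEAK)):
        res = compare(series, static_threshold=250)
        print(f"{name}: static flagged {len(res['static'])} samples starting at "
              f"{res['static'][:1]}, adaptive flagged {len(res['adaptive'])} samples "
              f"starting at {res['adaptive'][:1]}")
```

Two design points worth noting: the margin proportional to the baseline is what lets a slow ramp pass, and the same property means an attacker who ramps slowly enough also walks under it, so rate-only detection of either kind is a first line, not the whole defence; and because flagged samples never update the baseline, a genuine sudden peak stays flagged until an operator intervenes, which is exactly the situation the talk warns about.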

Read more…

The ABAP Underverse – Risky ABAP to Kernel communication and ABAP-tunneled buffer overflows – By Andreas Wiegenstein

March 17th, 2011 1 comment
Cycle Garage a CC NC ND image from Ezu's Flickr stream

This talk focuses on ABAP, the Advanced Business Application Programming language from SAP.

ABAP:

  • A proprietary language of which the exact specification is not freely available
  • Platform-independent code
  • Client separation built in
  • Integrated auditing capabilities
  • System-to-system calls via the SAP RFC standard
  • Built-in transport system and version control
  • Integrated platform-independent SQL standard: Open SQL
  • Built-in authentication, roles and (explicit) authorization model
  • Thousands of well-known standard programs and database tables
  • 150+ million lines of code in an ECC 6.0 system

So what are the ABAP security risks?

  • Back doors can be introduced, e.g. by a malicious developer
  • A program can have undesired side effects (e.g. SQL injection)
  • Substandard authentication is used

Read more…