Saturday, October 21, 2017

Hacktivity 2017 Wrap-Up Day 2

Let’s go for more wrap-ups. The second day started smoothly with Haroon Meer’s keynote. There was only one track today, the second room being fully dedicated to hackerspaces. Harron is a renowned speaker and the title of his keynote was “Time to play ‘D’”. The intro was simple: Nothing new, no 0-day, he decided to start his keynote based on his previous talks, especially one from 2011: “Penetration testing considered harmful“. Things changed considerably from a hardware and software point of view but we are still facing the same security issues. Example: a today’s computer is based on multiple computers (think about the MacBook Pro and its touch bar which is based on the same hardware as the Apple watch). Generic security solutions fail and an AV can still be easily bypassed. He gave many good facts and advice. Instead of buying expensive appliances, use this money to hire skilled people. But usually, companies have a security issue and they fix it by deploying a solution that… introduces new issues. He insisted and gave examples of “Dirty Cheap Solutions”. With a few lines of Powershell, we can easily detect new accounts created in an Active Directory. Aaron gave another example with a service he created: canarytokens.org. You create files, URLs, DNS records that are linked an email address and, in case of breach or unexpected access, an alert is sent to you. Another one: regular people don’t use commands lines ‘uname’, ‘ifconfig’ or ‘whoami’. Create alerts to report when they are used!

The first regular talk was given by Tobias Schrödel: “Hacking drones and buying passwords in the Darknet“. What’s the relation between them? Nothing, Tobias just accepted to cover these two topics! The talk was very entertaining and Tobias is a very good speaker… The first part (drones) was made in a management style (with a tie) and the second one with a t-shirt, classic one. Why hacking drones? In Germany, like in many countries, the market for drones is growing quickly. Small models (more classified as “toys”) are using Wireless networks to be controlled and get the pictures from the camera. Those drones provide a SSID, DHCP and are managed via a web interface. So they can be compared to a flying router! There are different ways to take down a drone. The safest solution is to use eagles because they can drop out the drone out of the zone that must be secured. The attack he demonstrated was a simple de-auth attack. The second part of the talks focused on the black market. Not a lot of people already bought stuff on the Darknet (or they hide it) but they are nice webshops where you can buy passwords for many official shops like eBay, Zalando, Paypal, etc… But why a company should buy passwords on the Darkweb? A few years ago, Dropbox suffered from a mega leak with millions of passwords in the wild. That’s bad but even more when corporate email addresses are present in sensitive leaks like Ashley-Madison. In Germany, a big company found 10 email addresses in this leak. If employees are free in their private life, this could have a very huge impact in case of blackmailing: “Give us access to these internal documents or we make your wife/husband aware of your Ashley-Madison account. This is a way to protect its business.

Then, Adrian Vollmer presented “Attacking RDP with Seth – How to eavesdrop on poorly secured RDP connections“. Adrian explained in details how’s working the RDP protocols to authenticate users. In the past, he used Cain & Abel to attack RDP sessions but the tool is quite old and unmaintained (I’m still using it from time to time). So, he decided to write his own tool called Seth. It exploits a misconfiguration in many RDP services. RDP security is similar to SSL but not exactly the same. He explained how this can be abused do downgrade from Kerberos to RDP Security. In this case, a popup warning is displayed to the victim but it is always ignored.

After the morning coffee break, I expected a lot from this talk: “A heaven for Hackers: Breaking Log/SIEM Products” by Mehmet Ince. The talk was not based on ways to abuse a SIEM via the logs that it processed but based on the fact that a SIEM is an application integrating multiple components. The methodology he used was:

  • Read the documentation
  • Understand the features
  • Get a trial version
  • Break it to access console
  • Define attack vector(s)
  • Find a vulnerability

He reported three cases. The first one was AlienVault. They downloaded two versions (the latest one and the previous one) and make a big diff in the files. Based on this, three problems were found: object injection, authentication bypass and IP spooking through XFF. By putting the three together, they were able to get a SQL injection but RCE is always better. They successfully achieved this by created a rule on the application that triggered a command when an SSH denied connection was reported. Evil! The second case targeted ManagEngine. The product design was bad and password to connect to remote Windows systems were stored in a database. If was possible to get access to a console to perform SQL queries but the console obfuscated passwords. By renaming the field ‘password’ to ‘somethingelse’, passwords were displayed in clear text! (“SELECT password AS somethingelse FROM …”). In the third case, LogSign, it was more destructive: it was possible to get rid of the logs… so simple! This was a nice talk.

Then, Ben Seri & Gregory Vishnepolsky presented “BlueBorne Explained: Exploiting Android devices over the air“. This vulnerability was in the news recently and is quite important:

  • 5.3B devices vulnerable in the wild
  • 8 vulnerabilities,  4 critical
  • Multiple OS: Android, Linux, Windows, IOS
  • No user interaction or auth
  • Enables RCE, MitM and info leaks

They reviewed the basic of the Bluetooth protocol and the different services (like SDP – “Service Discovery Protocol”). They gave a huge amount of details… The finished with a live demo by compromising an Android phone via the BNEP service (“BT Network Authentication Protocol). Difficult to follow for me but a huge research!

After a lunch break and interesting discussions, back to the main theatre for the last set of talks. There were two presentations that I found less interesting (IMHO). Anto Joseph presented “Bug hunting using symbolic virtual machines“. Symbolic execution + fuzzing a winning combination to find vulnerabilities. Symbolic execution is a way to analyse the behaviour of a program to determine what inputs cause each part of a program to execute. The tool used by Anto was klee. He made a lot of demos to explain how the tool is working. It looks to be a great tool but it was difficult to follow for my poor brain.

The next talk started late due to a video issue with the speaker’s laptop. Dmitry Yudin presented ” PeopleSoft: HACK THE Planet^W university“. By university, we mean here the PeopleSoft Campus Solutions which is used in more than 1000 universities worldwide. The main components are a browser, a web server, an application, a batch server and a database. Multiple vulnerabilities have been found in this suite, Dmitry explained the CVE-2017-10366. He explained all the step to jump from one service to another until a complete compromise of the suite.

After the last break, the day finished with two interesting presentations. Kirils Solovjovs presented “Tools for effortless reverse engineering of MikroTik routers“. Mikrotik routers are used worldwide and can be considered as a nice target. They are based on Linux, but RouterOS is based on an old kernel from 2012 and is closed source. So, we need a jailbreak! Kirils explained two techniques to jailbreak the router. He also found a nice backdoor which requires a specific file to be created on the file system. He explained many features of RouterOS and also some security issues like in the backup process. It is possible to create a file containing ‘../../../../’, so it was possible to create the file required by the back door. He released on the tools here.

To cloture the day and the conference, Gábor Szappanos talked about “Office Exploit Builders“. Why? Because Office documents remain the main vector of infection to drop malwares. It’s important to have “good” tools to generate malicious documents but who’s writing them?  Usually, VBA macros are used but, with a modern version of Office, macros are disabled by default. It’s better to use an exploit. Based on a study conducted two years ago, APT groups lack of knowledge to build malicious documents so they need tools! Gábor reviewed three tools:

  • AKBuilder: Active since 2015, typically used by Nigerians scammers and cost ~$500
  • Ancalog Exploit Builder: Peak of activity in 2016, also used by scammers. Price is ~$300 (retired)
  • Microsoft Word Intruder: used by more “high” profile, it can drop more dangerous pieces of malware. Written in PHP for Windows, its price is ~$20000-$35000!

A nice presentation to close the day! So, this closes the two days of Hacktivity 2017, the first edition for me. Note that the presentations will be available on the website in the coming days!

[The post Hacktivity 2017 Wrap-Up Day 2 has been first published on /dev/random]



from Xavier

Friday, October 20, 2017

Hacktivity 2017 Wrap-Up Day 1

My wrap-up crazy week continues… I’m now in Budapest to attend Hacktivity for the first time. During the opening ceremony some figures were given about this event: 14th edition(!), 900 attendees from 23 different countries and 36 speakers. Here is a nice introduction video. The venue is nice with two tracks in parallel, workshops (called “Hello Workshops”), a hacker center, sponsor’ booths and… a wall-of-sheep! After so many years, you realize immediately that it is well organized and everything is under control.

As usual, the day started with a keynote. Costin Raiu from Kaspersky presented “Why some APT research is like palaeontology?” Daily, Kaspersky collects 500K malware samples and less than 50 are really interesting for his team. The idea to compare this job with palaeontology came from a picture of Nessie (the Lochness monster). We some something on the picture but are we sure that it’s a monster? Costin gave the example of Regin: They discovered the first sample in 1999, 1 in 2003 and 43 in 2007. Based in this, how to be certain that you found something interesting? Finding IOCs, C&Cs is like finding bones of a dinosaur. At the end, you have a complete skeleton and are able to publish your findings (the report). In the next part of the keynote, Costin gave examples of interesting cases they found with nice stories like the 0-day that was discovered thanks to the comment left by the developer in his code. The Costin’s advice is to learn Yara and to write good signatures to spot interesting stuff.

The first regular talk was presented by Zoltán Balázs: “How to hide your browser 0-days?‘. It was a mix of crypto and exploitation. The Zoltán’s research started after a discussion with a vendor that was sure to catch all kind of 0-day exploits against browsers. “Challenge accepted” for him. The problem with 0-day exploits is that they quickly become ex-0-day exploits when they are distributed by exploit kits. Why? Quickly, security researchers will find samples, analyze them and patches will be available soon. From an attacker point of view, this is very frustrating. You spend a lot of money and lose it quickly. The idea was to deliver the exploit using an encrypted channel between the browser and the dropper. The shellcode is encrypted, executed then download the malware (also via a safe channel is required). Zoltán explained how he implemented the encrypted channel using ECDH (that was the part of the talk about crypto). This is better than SSL because if you control the client, it is too easy to play MitM and inspect the traffic. It’s not possible with the replay attack that implemented Zoltán. The proof of concept has been released.

Then another Zoltán came on stage: Zoltán Wollner with a presentation called “Behind the Rabbit and beyond the USB“. He started with a scene of the show Mr Robot where they use a Rubber Ducky to get access to a computer. Indeed a classic USB stick might have hidden/evil features. The talk was in fact a presentation of the Bash Bunny tool from Hak5. This USB stick is … what you want! A keyboard, a flash drive, an Ethernet/serial adapter and more! He demonstrated some scenarios:

  • QuickCreds: stealing credentials from a locked computer
  • EternalBlue

This device is targeting low-hanging fruits but … just works! Note that it requires physical access to the target computer.

After the lunch coffee break, Mateusz Olejarka presented “REST API, pentester’s perspective“. Mateusz is a pentester and, by experience, he is facing more and more API when conducting penetration tests. The first time that an API was spotted in an attack was when @sehacure pwned a lot of Facebook accounts via the API and the password reset feature. On the regular website, he was rejected after a few attempts but the anti-bruteforce protection was not enabled on the beta Facebook site! Today RASK API are everywhere and most of the application and web tools have an API. An interesting number:  by 2018, 50% of B2B exchanges will be performed via web APIs. The principle of an API is simple: a web service that offers methods and process data in JSON (most of the time). Methods are GET/PUT/PATCH/DELETE/POST/… To test a REST API, we need some information: the endpoint, the documentation, get access to access key and sample calls. Mateusz explained how to find them. To find endpoints, we just try URI like “/api”, “/v1”, “/v1.1”, “/api/v1” or “/ping”, “/status”, “/health”, … Sometimes the documentation is available online or returned by the API itself. To find keys, two reliable sources are:

  • Apps / mobile apps
  • Github!

Also, fuzzing can be interesting to stress test the API. This one of my favourite talk, plenty of useful information if you are working in the pentesting area.

The next speaker was Leigh-Anne Galloway: “Money makes money: How to buy an ATM and what you can do with it“. She started with the history of ATMs. The first one was invented in 1967 (for Barclay’s in the UK). Today, there are 3.8M devices in the wild. The key players are Siemens Nixdorf, NSC and Fujitsu. She explained how difficult is was for her to just buy an ATM. Are you going through the official way or the “underground” way? After many issues, she finally was able to have an ATM delivered at her home. Cool but impossible to bring it in her apartment without causing damages. She decided to leave it on the parking and to perform the tests outside. In the second part, Leigh-Anne explained the different tests/attacks performed against the ATM: bruteforce, attack at OS level, at hardware and software level.

The event was split into two tracks, so I had to make choice. The afternoon started with Julien Thomas and “Limitations of Android permission system: packages, processes and user privacy“. He explained in details how are the access rights and permissions defined and enforced by Android. Amongst a deep review of the components, he also demonstrated an app that, once installed has no access, but, due to the process of revocation weaknesses, the app gets more access than initially.

Then Csaba Fitzl talked about malware and techniques used to protect themselves against security researchers and analysts: “How to convince a malware to avoid us?“. Malware authors are afraid of:

  • Security researchers
  • Sandboxes
  • Virtual machines
  • Hardened machines

Malware hates to be analysed and they sometimes avoid to infect certain targets (ex: they check the keyboard mapping to detect the country of the victim). Czaba reviewed several examples of known malware and how to detect if they are being monitored. The techniques are multiple and, as said Csaba, it could take weeks to review all of them. He also gave nice tips to harden your virtual machine/sandboxes to make them look really like a real computer used by humans. Then he gave some tips that he solved by writing small utilities to protect the victim. Example: mutex-grabber which monitors malwr.com and automatically creates the found Mutexes on the local OS. The tools reviewed on the presentation are available here. Also a great talk with plenty of useful tips.

After the last coffee break, Harman Singh presented “Active Directory Threats & Detection: Heartbeat that keeps you alive may also kill you!“. Active Directories remain a juicy target because they are implemented in almost all organizations worldwide! He reviewed all the components of an Active Directory then explained some techniques like enumeration of accounts, how to collect data, how to achieve privilege escalation and access to juicy data.

Finally, Ignat Korchagin closed the day with a presentation “Exploiting USB/IP in Linux“. When he asked who know or use USB/IP in the room, nobody raised hands. Nobody was aware of this technique, same for me! The principle is nice: USB/IP allows you to use a USB device connected on computer A from computer B. The USB traffic (URB – USB Request Blocks) are sent over TCP/IP. More information is available here. This looks nice! But… The main problem is that the application level protocol is implemented at kernel level! A packet is based on a header + payload. The kernel gets the size of data to process via the header. This one can be controlled by an attacker and we are facing a nice buffer overflow! This vulnerability is referenced as CVE-2016-3955. Ignat also found a nice name for his vulnerability: “UBOAT” for “(U)SB/IP (B)uffer (O)verflow (AT)tack“. He’s still like for a nice logo :). Hopefully, to be vulnerable, many requirements must be fulfilled:

  • The kernel must be unpatched
  • The victim must use USB/IP
  • The victim must be a client
  • The victim must import at least one device
  • The victim must be root
  • The attacker must own the server or play MitM.

Ignat completed his talk with a live demo that crashed the computer (DoS) but there is probably a way use the head application to get remote code execution.

Enough for today, stay tuned for the second day!

[The post Hacktivity 2017 Wrap-Up Day 1 has been first published on /dev/random]



from Xavier

Hack.lu 2017 Wrap-Up Day 3

Hack.lu is already over and I’m currently waiting for my connecting flight in Munich, that’s the perfect opportunity to write my wrap-up. This one is shorter because I had to leave early to catch my flight to Hacktivity and I missed some talks scheduled in the afternoon. Thank Lufthansa for rebooking my flight so early in the afternoon… Anyway, it started again early (8AM) and John Bambenek opened the day with a talk called “How I’ve Broken Every Threat Intel Platform I’ve Ever Had (And Settled on MISP)”. The title was well chosen because John is a big fan of OSINT. He collects a lot of data and provides them for free via feeds (available here). He started to extract useful information from malware samples because the main problem today is the flood of samples that are constantly discovered. But how to find relevant information? He explained some of the dataset he’s generating. The first one is DGA or “Domain Generation Algorithm“.  DNS is a key indicator and is used everywhere. Checking a domain name may also reveal interesting information via the Whois databases. Even if data are fake, they can be helpful to link different campaigns or malware families together and get more intelligence about the attacker. If you can reverse the algorithm, you can predict the upcoming domains, prepare yourself better and also start takedown operations. The second dataset was the malware configurations. Yes, a malware is configurable (example: kill-switch domains, Bitcoin wallets, C2, campaign ID’s, etc). Mutex can be useful to correlated malware from different campaigns like DGA. John is also working on a new dataset based on the tool Yalda. In the second part of his presentation, he explained why most solutions he tested to handle this amount of data failed (CIF, CRITS, ThreatConnect, STIX, TAXII). The problem with XML (and also an advantage at the same time): XML can be very verbose to describe events. Finally, he explained how he’s now using MISP. If you’re interested in OSINT, John is definitively a key person to follow and he is also a SANS ISC handler.

The next talk was “Automation Attacks at Scale” by Will Glazier & Mayank Dhiman. Databases of stolen credentials are a goldmine for bad guys. They are available everywhere on the Internet. Ex: Just by crawling Pastebin, it is possible to collect ~20K passwords per day (note: but most of them are duplicates). It is tempting to test them but this requires a lot of resources. A valid password has a value on the black market but to test them, attackers must spend some bucks to buy resources when not available for free or can’t be abused). Will and Mayank explained how they are working to make some profit. They need tools to test credentials and collect information (Ex: Sentra, MBA, Hydra, PhantomJS, Curl, Wget, …). They need fresh meat (credentials), IP addresses (to make the rotation and avoid blacklists) and of course CPU resources. About IP rotation, they use often big cloud service providers (Amazon, Azure) because those big players on the Internet will almost never be blacklisted. They can also use compromised servers or IoT botnets. In the second part of the talk, some pieces of advice were provided to help to detect them (ex: most of them can be fingerprinted just via the User-Agent they use). A good advice is also to keep an idea on your API logs to see if some malicious activity is ongoing (bruteforce attacks).

Then we switched to pure hardware session with Obiwan666 who presented “Front door Nightmares. When smart is not secure“. The research started from a broken lock he found. The talk did not cover the “connected” locks that can manage with a smartphone but real security locks found in many enterprises and restricted environments. Such locks are useful because the key management is easier. No need to replace the lock if a key is lost, the access-rights must just be adapted on the lock. It is also possible to play with time constraints. They offer multiple ways to interact via the user: with something you have (a RFID token), something you are (biometrics) or something you know (a PIN code). Obiwan666 explained in details how such locks are built and, thanks to his job and background in electronics, he has access to plenty of nice devices to analyze the target. He showed X-ray pictures of the lock. X-Ray scanner isn’t very common! Then he explained different scenarios of attack. The first one was trivial: sometimes, the lock is mounted in the wrong way and the inner part is outside (“in the wild”). The second attack was a signal replay. Locks use a serial protocol that can be sniffed and replayed – no protection). I liked the “brain implant” attack: you just buy a new lock (same model), you program it to grant your access and replace the electronic part of the victim with yours…Of course, traditional lock-picking can be tested. Also, a thermal camera can reveal the PIN code if the local has a pinpad. I know some organizations which could be very interested to test their locks against all these attacks! 🙂

After an expected coffee break, another awesome research was presented by Aaron Kaplan and Éireann Leverett: “What is the max Reflected Distributed Denial of Service (rDDoS) potential of IPv4?“. DDoS attacks based on UDP amplification are not new but remain quite effective. The four protocols in the scope of the research were: DNS, NTP, SSDP and SNMP. But in theory, what could be the effect of a massive DDoS over the IPv4 network? They started the talk with one simple number:

108.49Tb/s

The idea was to scan the Internet for vulnerable services and to classify them. Based on the location of the server, they were able to estimate the bandwidth available (ex: per countries) and to calculate the total amount of bandwidth that could be wasted by a massive attack. They showed nice statistics and findings. One of them was a relation between the bandwidth increase and the risk to affects other people on the Internet.

Then, the first half-day ended with the third keynote. This one was presented by Vladimir Kropotov, Fyodor Yarochkin: “Information Flows and Leaks in Social Media“. Social media are used everywhere today… for the good or the bad. They demonstrated how social network can react in case of a major event in the world (nothing related to computers). Some examples:

  • Trump and his awesome “Covfefe”
  • Macron and the French elections
  • The Manchester bombing
  • The fight of Barcelona for its independence

They mainly focused on the Twitter social network. They have tools to analyze the traffic and relations between people and the usage of specific hashtags. In the beginning of the keynote, many slides had content in Russian, no easy to read but the second part was interesting with the tracking of bots and how to detect them.

After the lunch break, there was again a lightning talk session then Eleanor Saitta came to present “On Strategy“. I did not follow them. The last talk I attended was a cool one: “Digital Vengeance: Exploiting Notorious C&C Toolkits” by Waylon Grange. The idea of the research was to try to compromize the attackers by applying the principle of offensive security. Big disclosure here: hacking back is often illegal and does not provide any gain but risks of liability, reputation… Waylon focused on RAT (“Remote Access Tools”) like Poison Ivy, Dark Comet or Xtreme RAT. Some of them already have known vulnerabilities. He demonstrated his finding and how he was able to compromise the computer of remote attackers. But what do when you are “in”? Search for interesting IP addresses (via netstat), browser the filesystem, install persistence, a keylogger or steal credentials, pivot, etc.

Sorry for the last presentation that I was unable to follow and report here. I had to leave for Hacktivity in Budapest. I’ll also miss the first edition of BSidesLuxembourg, any volunteer to write a wrap-up for me?  So to recap this edition of Hack.lu:

  • Plenty of new stickers
  • New t-shirts and nice MISP sweat-shirt
  • Lot of coffee (and other types of drinks)
  • Nice restaurants
  • Excellent schedule
  • Lot of new friends (and old/classic ones)
  • My Twitter timeline exploded 😉

You can still expect more wrap-ups tomorrow but for another conference!

[The post Hack.lu 2017 Wrap-Up Day 3 has been first published on /dev/random]



from Xavier

Thursday, October 19, 2017

Hack.lu 2017 Wrap-Up Day 2

As said yesterday, the second day started very (too?) early… The winner of the first slot was Aaron Zauner who talked about pseudo-random numbers generators. The complete title of the talk was “Because ‘User Random’ isn’t everything: a deep dive into CSPRGNs in Operating Systems & Programming Languages”. He started with an overview of random numbers generators and why we need them. They are used almost everywhere even in the Bash shell where you can use ${RANDOM}.  CSPRNG is also known as RNG or “Random Number Generator”. It is implemented at operating system level via /dev/urandom on Linux on RtlGenRandom() on Windows but also in programming languages. And sometimes, with security issues like CVE-2017-11671 (GCC fails to generate incorrect code for RDRAND/RDSEED. /dev/random & /dev/urandom devices are using really old code! (fro mid-90’s). According to Aaron, it was a pure luck if no major incident arises in the last years. And today? Aaron explained what changed with the kernel 4.2. Then he switched to the different language and how they are implementing random numbers generators. He covered Ruby, Node.js and Erlang. All of them did not implement proper random number generators but he also explained what changed to improve this feature. I was a little bit afraid of the talk at 8AM but it was nice and easy to understand for a crypto talk.

The next talk was “Keynterceptor: Press any key to continue” by Niels van Dijkhuizen. Attacks via HID USB devices are not new. Niels reviewed a timeline with all the well-known attacks from 2005 with the KeyHost USB logger until 207 with the BashBunny. The main problems with those attacks: they need an unlocked computer, some social engineer skills and an Internet connection (most of the time). They are products to protect against these attacks. Basically, they act as a USB firewall: USBProxy, USBGuest, GoodDog, DuckHunt, etc. Those products are Windows tools, for Linux, have a look at GRSecurity. Then Niels explains how own solution which gets rid of all the previous constraints: his implants is inline between the keyboard and the host. It must also have notions of real)time. The rogue device clones itself as a classic HID device (“HP Elite USB Keyboard”) and also adds random delays to fake a real human typing on a keyboard. This allows bypassing the DuckHunt tool. Niels makes a demonstration of his tool. It comes with another device called the “Companion” which has a 3G/4G module that connects to the Keynterceptor via a 433Mhz connection. A nice demo was broadcasted and his devices were available during the coffee break. This is a very nice tool for red teams…

Then, Clement Rouault, Thomas Imbert presented a view into ALPC-RPC.The idea of the talk: how to abuse the UAC feature in Microsoft Windows.They were curious about this feature. How to trigger the UAC manually? Via RPC! A very nice tool to investigate RPC interface is RpcView. Then, they switched to ALPC: what is it and how does ir work. It is a client/server solution. Clients connect to a port and exchange messages that have two parts: the PORT_MESSAGE header and APLC_MESSAGE_ATTRIBUTES. They explained in details how they reverse-engineering the messages and, of course, they discovered vulnerabilities. They were able to build a full RPC client in Python and, with the help of fuzzing techniques, they found bugs: NULL dereference, out-of-bounds access, logic bugs, etc. Based on their research, one CVE was created: CVE-2017-11783.

After the coffee break, a very special talk was scheduled: “The untold stories of Hackers in Detention”. Two hackers came on stage to tell how they were arrested and put in jail. It was a very interesting talk. They explained their personal stories how they were arrested, how it happened (interviews, etc). Also gave some advice: How to behave in jail, what to do and not do, the administrative tasks, etc. This was not recorded and, to respect them, no further details will be provided.

The second keynote was assigned to Ange Albertini: “Infosec and failure”. Ange’s presentation are always a good surprise. You never know how he will design his slides.As he said, his talk is not about “funny” failures. Infosec is typically about winning. The keynote was a suite of facts that prove us that we usually fail to provide good infosec services and pieces of advice, also in the way we communicate to other people. Ange likes retro-gaming and made several comparisons between the gaming and infosec industries. According to him, we should have some retropwning events to play and learn from old exploits. According to Ange, an Infosec crash is coming like the video game industry in 1983 and a new cycle is coming. If was a great keynote with plenty of real facts that we should take care of! Lean, improve, share, don’t be shy, be proactive.

After the lunch, I skipped the second session of lightning talks and got back for “Sigma – Generic Signatures for Log Events” by Thomas Patzke. Let’s talk with logs… When the talk started, my first feeling was “What? Another talk about logs?” but, in fact, it was interesting. The idea behind Sigma is that everybody is looking for a nice way to detect threats but all solutions have different features and syntax. Some example of threats are:

  • Authentication and accounts (large amount of failed logins, lateral movement, etc.)
  • Process execution (exec from an unusual location, unknown process relationship, evil hashes, etc…
  • Windows events

The problem we are facing: there is a lack of standardised format. Here comes Sigma. The goal of this tool is to write use case in YAML files that contain all the details to detect a security issue. Thomas gave some examples like detecting Mimikatz or webshells.

Sigma comes with a generator tool that can generate queries for multiple tools: Splunk, Elasticsearch or Logpoint. This is more complex than expected because field names are different, there are inconsistent file names, etc. In my opinion, Sigma could be useful to write use cases in total independence of any SIEM solution. It is still an ongoing project and, good news, recent versions of ISP can integrate Sigma. A field has been added and a tool exists to generate Sigma rules from MISP data.

The next talk was “SMT Solvers in the IT Security – deobfuscating binary code with logic” by Thaís Moreira Hamasaki. She started with an introduction to CLP or “Constraint Logic Programming”. Applications in infosec can be useful like malware de-obfuscation. Thais explained how to perform malware analysis using CLP. I did not follow more about this talk that was too theoretical for me.

Then, we came back to more practical stuff with Omar Eissa who presented “Network Automation is not your Safe Haven: Protocol Analysis and Vulnerabilities of Autonomic Network”. Omar is working for ERNW and they always provide good content. This time they tested the protocol used by Cisco to provision new routers. The goal is to make a router ready for use in a few minutes without any configuration: the Cisco Autonomic network. It’s a proprietary protocol developed by Cisco. Omar explained how this protocol is working and then how to abuse it. They found several vulnerabilities

  • CVE-2017-6664: There is no way to protect against malicious nodes within the network
  • CVE-2017-6665 : Possible to reset of the secure channel
  • CVE-2017-3849: registrar crash
  • CVE-2017-3850: DeathKiss – crash with 1 IPv6 packet
The talk had many demos that demonstrated the vulnerabilities above. A very nice talk.

The next speaker was Frank Denis who presented “API design for cryptography”. The idea of the talk started with a simple Google query: “How to encrypt stuff in C”. Frank found plenty of awful replies with many examples that you should never use. Crypto is hard to design but also hard to use. He reviewed several issues in the current crypto libraries then presented libhydrogen which is a library developed to solve all the issues introduced by the other libraries. Crypto is not easy to use and developer don’t read the documentation, they just expect some pieces of code that they can copy/paste. The library presented by Frank is called libhyrogen. You can find the source code here.

Then, Okhin came on stage to give an overview of the encryption VS the law in France. The title of his talk was “WTFRance”. He explained the status of the French law against encryption and tools. Basically, many political people would like to get rid of encryption to better fight crime. It was interesting to learn that France leads the fight against crypto and then push ideas at EU level. Note that he also mentioned several politician names that are “against” encryption.

The next talk was my preferred for this second day: “In Soviet Russia, Vulnerability Finds You” presented by Inbar Raz. Inbar is a regular speaker at hack.lu and proposes always entertaining presentations! This time he came with several examples of interesting he found “by mistake”. Indeed, sometimes, you find interesting stuff by accident. Inbar game several examples like an issue on a taxi reservation website, the security of an airport in Poland or fighting against bots via the Tinder application. For each example, a status was given. It’s sad to see that some of them were unresolved for a while! An excellent talk, I like it!

The last slot was assigned to Jelena Milosevic. Jelena is a nurse but she has also a passion for infosec. Based on her job, she learns interesting stuff from healthcare environments. Her talk was a compilation of mistakes, facts and advice for hospitals and health-related services. We all know that those environments are usually very badly protected. It was, once again, proven by Jelena.

The day ended with the social event and the classic Powerpoint karaoke. Tomorrow, it will start again at 08AM with a very interesting talk…

[The post Hack.lu 2017 Wrap-Up Day 2 has been first published on /dev/random]



from Xavier

Event recap: Security at Microsoft Ignite

Microsoft Ignite recently gathered 24,000+ attendees from around the world in Orlando, FL. CEO Satya Nadella kicked off an exciting week with his Vision Keynote by articulating how we enable digital transformation, specifically through empowering employees, engaging customers, optimizing operations, and finally through transforming products.

Commitment to security, privacy, and transparency

At the event, Microsoft reaffirmed its commitment to security, privacy, and transparency to its customers and partners through all the four main solution areas: Modern Workplace, Business Applications, Applications & Infrastructure, and Data & Artificial Intelligence. Julia White explained Microsofts approach to security during her session, Microsoft 365: Step up your protection with intelligent security.

Learnings from our customers and partners

During the event, the Microsoft team had the privilege to engage in 410,000 unique interactions within the Expo. In addition, 8,000+ labs were consumed, 54 sessions, two general sessions, 40 breakout sessions across CE, Windows and Office 365 tracks and 12 theater sessions. Our top three security takeaways were:

  1. Build awareness of Microsofts commitment to security and privacy
  2. Early and frequent product updates communications
  3. Transparency from Microsoft equates to trust from customers

Key security related sessions to check out

Key security sessions we recommend you check out are based entirely upon feedback from our customers and partners who attended the sessions. Please take a moment to watch them and learn about new ways you can improve the security posture of your organization.

On demand access to content

All breakout sessions and general sessions were recorded for on demand viewing. These recordings are now available at Microsoft Ignite on demand sessions. Please continue to share this link with your customers and partners. Labs will be available for 6 months through MyIgnite.

Conclusion

Microsoft Ignite was a fantastic week for all who attended. We not only shared product visions, but also, we listened and learned from engagements with customers and partners. With continued advances in our security offerings and development in better ways for partners to build a more modern, collaborative and secure work environment, it will be an exciting year for Security.



from Microsoft Secure Blog Staff

Wednesday, October 18, 2017

Hack.lu 2017 Wrap-Up Day 1

Hack.lu is ongoing in Luxembourg, already the thirteen edition! I arrived yesterday to attend a pre-conference event: the MISP summit. Today the regular talks were scheduled. It seems that more attendees joined this edition. The number of talks scheduled is impressive this year: 11 talks today and 12 talks on Wednesday and Thursday… Here is my wrap-up of the first day!

The first talk was not technical but very informative: “Myths and realities of attribution manipulation” presented by Félix Aimé & Ronan Mouchoux from Kaspersky. Many companies put more and more efforts in infowar instead of simple malware research. This affects many topics: cyber espionage, mass opinion manipulation or sabotage. The key is to perform attribution by putting a name on a cyber attack. You can see it as putting a tag on an attack. Note that sometimes, attribution suffers from a lack of naming convention like in the AV industry. Not easy to recognise the different actors. To perform this huge task, a lot of time and skills are required. They are many indicators available but many of them can be manipulated (ex: the country of origin, the C2, …). After a definition of attribution and the associated risks, Félix & Ronan reviewed some interesting examples:

  • The case of Turkey.TR domains that were DDoS after the Russian planes crashed
  • The case of Belgium accused to have done an airstrike against the locality of Hassadjek. A few days later, some Belgian media websites were DDoS’d.
As a conclusion to the talk, I like the quote: “You said fileless malware? APT actors try now to be less actor”.

The second slot was assigned to Sébastien (blotus) Blot, Thibault (buixor) Koechlin, Julien (jvoisin) Voisin who presented their solution to improve the security of PHP websites: Snuffleupagus (don’t ask me to pronounce it ;-). The complete title was: “Snuffleupagus – Killing bugclasses in PHP 7, virtual-patching the rest”. The speakers are working for a company provided hosting services and many of their customers are using PHP websites. Besides the classic security controls (OS-level hardening, custom IDS, WAF, …) they searched for a tool to improve the security of PHP. Suhosin is a nice solution but it does not support PHP7. So they decided to write their own tool: Snuffleupagus. They reviewed how to protect PHP with very nice features like the disable_function() feature. Some examples:

sp.disable_function.function(“system”).filename(“foo.php”).allow();
sp.disable_function.function(“system”).filename(“foo.php”).hash(“xxxx”).allow();

You can also restrict parameters passed to functions:

… param(“command”).value_r(“[$|…”).drop();

Then, the speakers demonstrated real vulnerabilities in a well-known tool written in PHP and how their solution could mitigate the vulnerabilities. This is a really nice project still in development but already used by many websites from the Alexa top-ranking list! The project is available here.

After a coffee break, Bouke van Leathem presented his project: “Randori”. In Japanse, Randori is a form of practice in which a designated aikidoka defends against multiple attackers in quick succession. To make it short, it’s the principle of action-reaction: You scan me, I scan you. Randori is a low interaction honeypot with a vengeance as defined by Bouke. The main idea is to reuse the credentials tested by the attackers against themselves. Bouke explained how it developed his honeypot, mainly the pam_randori PAM module. Collected credentials are re-used, no more no less, no code is executed on the remote system. Based on the collected information, Bouke explained in the second part of his talk, how he generated useful statistics to build botnet maps. One of the tools he used for this purpose is ssdeep. Note that the tool can be used in different ways: from an incident responder or ethical hacker perspectives. This project is very interesting and is also available here.

Before the lunch break, we had a keynote. The slot was assigned to Sarah Jamie Lewis and had the title: “Queer Privacy & Building Consensual Systems”. She started with a nice definition of privacy: “Privacy is the right to share information about you… only with people you trust”. Sarah wrote a book (with the same name as her keynote) and used it to illustrate her keynote. She read samples stories about Kath, Ada, Morgan. All those people had privacy issues and have to protect themselves. During the keynote, Sarah looked really affected by those stories but was it the right place to read some samples? I’m not sure. It looks to be a book that you have to read at home, relaxed and not at a security conference (just my $0.02). About privacy, as usual, the facts reviewed during the keynote were the same: our privacy is always threatened and there is a clear lack of solution.

After the lunch, a first lightning talk session was organized followed by Raúl B. Netto’s presentation: “ManaTI: Web Assistance for the Threat Analyst, supported by Domain Similarity”. ManaTI is a project to use machine learning techniques to assist an intuitive threat analyst to help in the discovery of security issues. I missed this talk because I was out with friends.

Then Paul Rascagnères, a regular speaker at hack.lu, came to present tools and techniques to help in debugging malware code written in .Net. This framework is the key component of many Microsoft tools like Powershell. With a nice integration with the operating system, it is also used by bad guys to produce malicious code. Paul started by explained some .Net techniques used by malware (like Assembly.load()). The next part of the talk focused on PYKD, a Python extension for the WinDBG debugger. In a demo, Paul demonstrated how easy it is to use PYKD to debug malicious code.

The next talk was my preferred for this first day: “Device sensors meet the web – a story of sadness and regret” by Lukasz Olejnik. The idea behind this talk was to demonstrate how our privacy can be affected by connected devices or, simply, our browsers. All devices today handle plenty of personal data but web technologies were not designed with privacy in mind. With the modern web, a browser on your smartphone can take advantage of many sensors or connectivity (USB, NFC or Bluetooth). Modern devices have an API that can be queried by web browsers. The first example that Lukasz gave was the batteries. The power level can be queried from a browser. That’s a nice feature indeed but what about privacy issues? Firebox, by abusing the high precision readout can get useful information about the user behaviour. There are also evil scenarios: Just imagine that somebody is looking for a taxi and his /her battery is almost dead. The idea is to go back asap to home. If the taxi reservation page proposes 2 prices: 10€ for a 10 minutes drive and 5€ for a 30 minutes drive, guess which one will be chosen by the customer? Another example, even crazier, was the (ab)use of the light sensor in mobile phones. Lucasz demonstrated how it is possible to steal the browser history via the light sensor: The display emits light that reflects on objects and can be read/decoded. Scary! And other examples are multiple: tracking, behaviour, fingerprinting, etc… How to mitigate this? Not easy, ask permission to the user to access the data, disable the API, purge it from dangerous calls? Finally, Lucasz gave the last example with web payments (in one click) that also have security issues. This was a very nice talk with plenty of examples that should really open our eyes!

After the afternoon coffee break, Maxime Clementz and Antoine Goichot came on stage to present: “Malicious use of Microsoft Local Administrator Password Solution”. The local admin problem is not new with Microsoft operating systems. This account must be present and, within old environments, the password was often the same across all devices in the domain. This makes lateral movement so easy! To solve this issues, Microsoft implemented LAPS or “Local Administrator Password Solution”. How does it work? Random passwords are generated for the local admin. The goal of the talk was to explain how to perform privilege escalation within an environment that has LAPS deployed. In fact, this tools is not new. It was an open source project that was integrated into Microsoft Windows, a client-side extension (CSE). It’s just a DLL called AdmPwd.dll. First observation: the DLL is not signed and does not implement integrity checks. The idea of the PoC was to create a rogue DLL that ignores the temporary password expiration data and write generated passwords in a simple text file. It worked very well. Their recommendation to mitigate this kind of attack: validate the integrity/signature of the DLL.

The next presentation was about cars: “The Bicho: An Advanced Car Backdoor Maker” by Sheila Ayelen Berta. If we see more and more talks about connected cars, this time, it focused on “regular” cars that just have a CAN bus. Sheila explained the tools and hardware that helps to inject commands on a CAN bus. To achieve this, she used a platform called CANspy to sniff messages on a CAN bus. Then, via another tool called “Car Backdoor Maker 1.0”, she was able to generate CAN bus message. Basically, it’s a replay attack. A website has been created to list all CAB messages discovered: opencandb.online. The payload is injected using a microcontroller connected to the CAN bus. It also has GPS capabilities that allow sending the CAN bus message depending on the cat localisation! The payload generator is available here.

Then, we came back to the issues regarding sharing information. Becky Kazansky presented: “Countering Security Threats by Sharing Information: Emerging Civil Society Practices”. I skipped this talk.

Finally, the first day finished with Parth Suhkla who presented “Intel AMT: Using & Abusing the Ghost in the Machine”. The presentation started with an overview of the AMT technology. It means “Active Management Technology” and is an out-of-band, management platform, embedded into Intel chipsets. The goal is to offer remote management capabilities without any OS. You can imagine that this feature looks juicy to attackers! Parth reviewed the core features of AMT and how it works. One important step is the provisioning options (can be performed via a local agent, remotely, via USB or the BIOS). There was already vulnerabilities discovered in AMT like the INTEL-SA-00075 that covered a privilege escalation issue. AMT was also used by the PLATINIUM attacker group who used the Serial Over LAN as a back channel. In the second part, Parth explained his research: how to abuse AMT? The requirements of the attack were:

  • Control the AMT
  • Implement persistence
  • Be stealthy
He reviewed all the possible scenarios with a rating (complex, easy, …). For each attack, if also explained how to mitigate and detect such attacks. Some interesting ideas:
  • Detect usual AMT ports in the network traffic
  • Query the ME interface for AMT status (easy on Windows, no tool for Linux)
  • Verify the book chain
  • Encrypt disk drives with the TPM chipset
  • Protect your BIOS (you already did it right?)
The last part covered the forensics investigations related to AMT. Again, an interesting talk.
That’s all for today! Note that talks have been recorded and are already available on Youtube! After our classic “Belgian dinner”, it’s time to take some hours of sleep, tomorrow 12 talks are scheduled! Stay tuned for more wrap-ups!

[The post Hack.lu 2017 Wrap-Up Day 1 has been first published on /dev/random]



from Xavier

Tuesday, October 17, 2017

Cybersecurity in a modern age

By 2021, worldwide cybercrime damage is expected to reach $6 trilliondouble what it cost businesses in 2015. As digital transformation sweeps the globe, the imminent threat of cybercrime grows alongside it. As a result, new techniques in cybersecurity must be developed at a growing rate to keep pace.

Digital-first is the new business frontier, and if we want to keep this landscape a safe space to store and share information, we must be able to quickly identify opportunities to bolster security and adapt to evolving threats. Microsofts cloud technology offers organizations the tools to advance security, enhance government compliance, improve security education, and enable industry collaboration to shut down new threats. Microsoft is creating a new path toward digital transformation in a secure space.

Through cloud technologies, IT professionals now have advanced tools at their fingertips that provide real-time visibility into cybersecurity and the ability to proactively thwart threats before they become an issue. As more organizations move to the cloud, management of security risks can occur in real time. This real-time action on cyber threats helps create cost efficiency, and allows for frequent and seamless updates without reconfiguration, giving IT leaders the upper hand in staying compliant with regulatory guidelines.

With cloud-based technology come real solutions in data loss prevention. IT professionals are using the cloud to secure employee data in new and highly effective ways. Through improved cloud encryption capabilities, organizations can better help protect sensitive information in motion and at rest. Even if cybercriminals are able to breach your network and bypass the first lines of cyber defense, encryption helps keep organizational data from falling into unauthorized hands. Additionally, advanced measures like multi-factor authentication (MFA) and Single Sign-On (SSO) provide additional layers of security by ensuring only those with the proper credentials are able to gain access to information and company platforms. These solutions and innovations in tech security are just the beginning.

With the advent of new technology and the digitization of how IT experts and professionals communicate, a quicker dissemination of knowledge can occur in a collaborative space. Experts can share and explore new ideas and concepts to quickly improve upon cloud technology and how to best address security concerns. By partnering up, industries are able to break new ground on how to secure information, share information, and revolutionize the way government, private enterprise, education systems, and average people navigate a digitally transforming world.

Ready to discover how Microsoft technology is transforming security for a digital-first, cloud-first world, and participate in interactive sessions led by subject matter experts? Microsoft is hosting a series of Security Forums in cities across the United States to demonstrate how organizations can use the latest technology to update and improve their cybersecurity efforts. We invite you to join your fellow IT professionals alongside Microsoft experts to discuss new ways to address evolving cyber threats. Find out how your business can use the power of the cloud to boost security, and get a firsthand look at what Microsoft has to offer.

For more information, including locations near you and a full event calendar, visit the Microsoft Security Forum events page. Dont delay, as seats are limited. Register now to save your spot!



from Microsoft Secure Blog Staff

Monday, October 16, 2017

Microsoft and Progeny Systems enhance security for mobile applications across U.S. Government

In our mobile-first, cloud-first world, security is paramount for organizations of any size. It is especially critical to applications used across the U.S. Government, which is why we are working with the Department of Homeland Security (DHS) Science and Technology Directorate and Progeny Systems to enhance mobile application security.

In support of the broader federal initiative to enable access to quality digital government information and services anywhere, anytime, on any device, Progeny will build a mobile application development security framework for iOS, Android and Windows apps that will be used across several US Government agencies, both for public facing and internal enterprise use cases. This framework will broadly enable developers across the United States Government to focus on building mobile apps that provide business value, with the confidence that security is built in.

The cross-platform, native approach using Visual Studio, the open-source .NET framework, and Xamarin platform will enable developers to build higher quality apps that are fully compliant with the National Information Assurance Partnership (NIAP) mobile app vetting standards, the National Institutes of Standards and Technology (NIST) 800-163 guidance and the Department of Homeland Securitys Mobile Application Playbook. Utilizing Microsofts leading mobile application development tools, the framework will support mobile apps built to run on-premise and on any cloud platform, including government-only clouds such as Azure Government, which meet critical government regulatory compliance requirements.

Id like to congratulate the Department of Homeland Security Science and Technology Directorate for their commitment to addressing the mandates of both security and mobility for their stakeholders, said Greg Myers, Microsoft Vice President of Federal. We look forward to partnering with DHS and ultimately, by bringing mobile, secure, and compliant technology solutions helping them fulfil their critical mission.

Microsofts latest award from the DHS comes on the heels of several related public sector certifications and big data and analytics enhancements to our leading mobile apps and security. It also builds on our current work with the Department of Veterans Affairs and Applied Research Associates, whose Instant Notification System enables the U.S. governments Combating Terrorism and Threat Support Offices Tactical Support Working Group (TSWG) to quickly and effectively notify team members about suspicious packages or events over commercially available networks.

You can read more about our mobile application security work with the Department of Homeland Security (DHS) Science and Technology Directorate and Progeny Systems in their news release. For details on Microsofts leadership in mobile application development, visit Gartners Magic Quadrant report.



from Microsoft Secure Blog Staff

"KRACK Attack - What to Communicate"

Editor's Note: This blog is a work in progress and will be actively updated as new information is released. It was just announced this morning (Monday, 16 October, 2017) that the globally used WPA2 Wi-Fisecurity protocolhas been broken. This standard is the most commonly usedsecurity standard used by Wi-Fi networks around the world. The attack … Continue reading KRACK Attack - What to Communicate

from lspitzner

Friday, October 13, 2017

Wrap-Ups Storm Ahead!

I can’t remember why I started to write conference wrap-ups but it started in 2009 when I attended my first Hack.lu! I had a quick look at my blog archives and, until today, I wrote 184 wrap-ups!  The initial idea was probably to bring some material to colleagues who did not have the chance to attend the conference in Luxembourg. Quickly I got some very positive feedbacks from my existing blog readers and it started to attract more and more people. 

Wrap-Up Feedback

Why am I still writing such kind of articles today? For multiple reasons… The first one is personal: It helps me to learn new stuff. The exercise to keep the focus on a speaker and to take notes on the fly is complex. You need to listen, understand and summarize in real time. Usually, I’m writing very synthetic notes and I force myself to beautify the text the same day (otherwise, I’m quickly losing details). Often, my wrap-ups are published during the night.

The second one is for the community… If I’ve some content, why not share it? Honestly, based on the number of infosec events I’m attending,  I consider myself as a lucky guy. With my wrap-ups, I can share a (very) small piece of information that I collected. They are published “as is” without any restriction and review (read: errors can always be present!). I know that some people reuse them even if they attended the same conference. They need to report some content internally in their organization 😉 They are free but be fair to keep a link to the original article.

It won’t change and, next week, I’ll be in Luxembourg for hack.lu. Immediately after, I’ll fly to Budapest for Hacktivity. Hack.lu is one of my preferred events not only for the quality of the schedule but also for the relaxed atmosphere. I meet some friends once a year at hack.lu! My first participation was in 2008 and this edition promises to be awesome with a bunch of interesting talks. Here is my pre-selection:

  • Randori, a low interaction honeypot with a vengeance (Bouke van Laethem)
  • Device sensors meet the web – a story of sadness and regret (Lukasz Olejnik)
  • The Bicho: An Advanced Car Backdoor Maker (Sheila Ayelen Berta, Claudio Caracciolo)
  • Keynterceptor: Press any key to continue (Niels van Dijkhuizen)
  • Sigma – Generic Signatures for Log Events (Thomas Patzke)
  • Front door Nightmares. When smart is not secure (ObiWan666)

Then, let’s go to Hacktivity. Contrariwise, it will be my first experience with this event. The conference has a very good reputation. A lot of nice topics and here is my pre-selection:

  • REST API, pentester’s perspective (Mateusz Olejarka)
  • Exploiting USB/IP in Linux (Ignat Korchagin)
  • Hacking drones and buying passwords in the Darknet (Tobias Schrödel)
  • A heaven for Hackers: Breaking Log/SIEM Products (Mehmet Ince)
  • BlueBorne Explained: Exploiting Android devices over the air (Ben Seri Gregory Vishnepolsky)

You can expect a massive amount of Tweets and daily wrap-ups during the week! Stay tuned and thanks again for reading my delusions…

[Note: You can follow the upcoming conferences that I will attend on the right side of this page in the “Upcoming Events” section]

 

 

 

[The post Wrap-Ups Storm Ahead! has been first published on /dev/random]



from Xavier

Wednesday, October 11, 2017

"Hey America (and World) GDPR Applies to You To"

In 2003 California rocked the privacy world when it passedCalifornia S.B. 1386. This law stated that any organization that was breached and had the personal data of California residents had to notify those individuals that their data was breached. While the lawwas only passed inCalifornia, the law impacted any organization in the United Statesthat handled … Continue reading Hey America (and World) GDPR Applies to You To

from lspitzner

Tuesday, October 10, 2017

SharePoint and OneDrive: security you can trust, control you can count on

This post is authored by Bill Baer, Senior Product Marketing Manager, SharePoint and OneDrive Team.

In todays complex and regulated environment, businesses need to focus on building more secure solutions that deliver value to their customers, partners, and shareholdersboth in the cloud and on-premises.

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making SharePoint and OneDrive more secure for users, by implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data.

SharePoint and OneDrive are uniquely positioned to help you address these evolving security challenges. To begin with, Microsoft has continued to evolve with new standards and regulations. This has been a guiding principle as we think about security for SharePoint and OneDrive. Right alongside that principle is this one: There is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.

SharePoint and OneDrive allow your organization to go beyond its regular business rhythms and be nimbler in responding to market changes and opportunities. These solutions enable users to access the files and documents they need wherever they’re doing work while sharing and collaborating in real-time. And you control and own your data while Microsoft takes care of it. Explore the many options SharePoint and OneDrive provide to secure you and your information and then read our eBook Securing your content in the new world of work with SharePoint and OneDrive.

For businesses, the time is now to reevaluate security practices. In the modern communications and collaboration, landscape connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device – and for that experience to be seamless.

While this has been an enormous boost to productivity, it also presents huge challenges for security. Previously, businesses needed to concern themselves with a firewall that ended at the corporate boundary. Now that boundary has shifted to the end user. Businesses need to ensure sure that corporate data is safe while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

We know that data loss is non-negotiable, and overexposure to information can have legal and compliance implications. SharePoint and OneDrive provide a broad array of features and capabilities designed to make certain that your sensitive information remains that way with investments across our security and compliance principles to include compliance tools that span on-premises servers and Office 365 while providing a balance between enabling user self-service.

The rapidly-changing security landscape means that your organization’s content – its knowledge – is being shared more broadly, and accessed from more devices and more locations, than ever before. We’re committed to the security, privacy, and compliance of your data, and we continuously innovate intelligent ways to protect your content and to empower you to govern and manage information. Last month we announced label-based classification for information management policies, which enable a more dynamic governance of content across SharePoint, Exchange, and Skype, and Microsoft Teams. We’re continuously working to ensure content usage adheres to corporate policy defending your organization from todays growing and evolving advanced threats.

To learn more about security and compliance with SharePoint and OneDrive:



from Microsoft Secure Blog Staff

Monday, October 9, 2017

BruCON Network 0x09 Wrap-Up

BruCON 0x09 is over! It’s time to have a look at the data captured during the last Thursday and Friday. As the previous years, the setup was almost the same: An Internet pipe with a bunch of access-points, everything interconnected through a pfSense firewall. The guest network (dedicated to attendees) traffic is captured and processed by a SecurityOnion server + basic full packet capture. We also used our classic wall-of-sheep to track the web browsing activity of our beloved visitors.

Let’s start with a few raw numbers. With the end of the 3G/4G roaming costs in Europe since June, most European visitors avoid the usage of wireless networks and prefer to remain connected via their mobile phone. In a few numbers:

  • 206 Gigabytes of PCAP files
  • 50.450 pictures collected by the wall-of-sheep
  • 19 credentials captured
  • 500+ unique devices connected to the WiFi network
  • 150 PE files downloaded (Windows executables)
  • 3 blocked users
  • 1 rogue DHCP server

We saw almost the same amount of traffic than the previous years (even if we had more people attending the conference!). What about our visitors?
Unique Wi-Fi Clients by OS over Time

Strange that we had some many “unknown” device. Probably due to an outdated MAC address prefixes databases.

Top 10 Applications by Usage - Summary

Good to see that SSL is the top protocol detected! UDP reached the third-position due to the massive use of VPN connections. Which is also good!

Our visitors communicated with 118K+ IP addresses from all over the word:

Worldwide Connections

Here is the top-20 of DNS requests logged:

Rank

FQDN Hits

1

api.dataplicity.com

59310

2

www.google.com

20097

3

softwareupdate.vmware.com

9050

4

auth.gfx.ms

6766

5

swscan.apple.com

6706

6

v10.vortex-win.data.microsoft.com

5300

7

www.googleapis.com

5252

8

www.icanhazip.com

4402

9

www.google.be

3831

10

clients4.google.com

3721

11

play.google.com

3562

12

win10.ipv6.microsoft.com

3459

13

outlook.office365.com

3267

14

ssl.gstatic.com

3130

15

settings-win.data.microsoft.com

3111

16

pingsl.avast.com

2884

17

safebrowsing-cache.google.com

2841

18

avast.com.edgesuite.net

2533

19

graph.facebook.com

2164

20

0x13.nl

1990

As most of the traffic captured was web-based, I had a look at the different tools/applications used to access web resources. Here is the top-20:

Rank

FQDN

1

Firefox

2

Chrome

3

Microsoft-CryptoAPI

4

Microsoft

5

Safari

6

Dalvik

7

trustd

8

MSIE

9

cloudd

10

Debian

11

Windows-Update-Agent

12

iPhone

13

Unspecified

14

Microsoft-WNS

15

CaptiveNetworkSupport

16

serer-bag

17

MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT (1)

18

Spotify

19

Unknown

20

Microsoft-Delivery-Optimization

(1) https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-metadata-retrieval-client

I uploaded the 200+ gigabytes of PCAP data into my Moloch instance and searched for interesting traffic. What has been found:

  • One visitor polled his network devices (172.16.x.x) during the two days (5995 SNMP connections detected)
  • Two visitors performed RDP sessions to two external IP addresses
  • Two visitors generated SIP (VoIP) traffic with two remote servers
  • 29 remote IMAP servers were identified (strange, no POP3! 🙂
  • SSH connections were established with 36 remote servers (no telnet!)

Finally, our wall-of-sheep captured web traffic during the whole conference:

Wall of Sheep

Of course, we had some “p0rn denial of service attacks” but it’s part of the game right? See you for the 0x0A (10th edition) next year with, crossing fingers, more fun on the network!

 

[The post BruCON Network 0x09 Wrap-Up has been first published on /dev/random]



from Xavier

[SANS ISC] Base64 All The Things!

I published the following diary on isc.sans.org: “Base64 All The Things!“.

Here is an interesting maldoc sample captured with my spam trap. The attached file is “PO# 36-14673.DOC” and has a score of 6 on VT. The file contains Open XML data that refers to an invoice.. [Read more]

[The post [SANS ISC] Base64 All The Things! has been first published on /dev/random]



from Xavier

Thursday, October 5, 2017

"The Five Tenets of Cyber Security"

In thetwo day MGT433 Securing the Human course, we start the class bydefining what risk is. Security awareness is nothing more than acontrol to manage human risk. To manage risk, you have to first define it. What stuns me is how often security professionals that have been in this field 5, 10 or even 15 … Continue reading The Five Tenets of Cyber Security

from lspitzner

Announcing support for TLS 1.1 and TLS 1.2 in XP POSReady 2009

This post is authored by Arden White, Senior Program Manager, Windows Servicingand Delivery.

As a follow-up to our announcement regarding TLS 1.2 support at Microsoft, we are announcing that support for TLS1.1/TLS 1.2 on Windows Embedded POSReady 2009 and Windows Embedded Standard 2009 is now available for download as of October 17th, 2017. Were offering this support in recognition that our customers have a strong demand for support for these newer protocols in their environment.

This update for Windows Embedded POSReady 2009 and Windows Embedded Standard 2009 will include support for both TLS 1.1 and TLS 1.2. For application compatibility purposes, these protocols will be disabled by default in a manner similar to the TLS 1.1/TLS 1.2 support that was disabled by default in Windows 7 and Windows Server 2008 R2. After downloading and installing the update these protocols can be enabled by setting the registry keys described in KB4019276.

This update is being made available on the following timeline:

Release Date Channels Classification
October 17, 2017 Microsoft Catalog
January 16, 2018 Windows Update/WSUS/Catalog Optional
February 13, 2018 Windows Update/WSUS/Catalog Recommended


from Microsoft Secure Blog Staff

Wednesday, October 4, 2017

"October OUCH! Newsletter - Something Special for #CyberAware Month"

OUCH! is a free security awareness newsletter published every month in over 25 languages. Each edition focuses on a specific topic on howanyone can securely make the most of today'stechnology. In the past ten years OUCH! has become the world's most trusted security awareness newsletter, from personal use at home to the largest organizations in … Continue reading October OUCH! Newsletter - Something Special for #CyberAware Month

from lspitzner

Tuesday, October 3, 2017

"Are You a NCSAM Champion?"

October is now upon us and National Cyber Security Awareness Month (NCSAM) has officially kicked off. Organized and sponsored by the National Cyber Security Alliance for the United States (ENISA runs the program for Europe), one of the best ways to get involved is to become a NCSAM Champion. Becoming a Champion is free, you … Continue reading Are You a NCSAM Champion?

from lspitzner

Advanced Threat Analytics security research network technical analysis: NotPetya

This post is authored by Igal Gofman, Security Researcher, Advanced Threat Analytics.

On June 27, 2017 reports on a new variant of Petya (which was later referred to as NotPetya) malware infection began spreading across the globe. It seems the malwares initial infection delivered via the “M.E.doc” update service, a Ukrainian finance application. Based on our investigation so far, the propagation steps executed by the malware can be considered sophisticated and well tested.
The malware distributes itself as a DLL file, spreading over internal networks using different lateral movement techniques.

This blog post focuses on the network behavior analysis of NotPetya and the techniques it uses to propagate in the network. This is ongoing research, and well update with additional findings as those become available.

Malware Propagation Flows

Delivery & Initial execution

The malware is delivered via the “M.E.doc” service to infect the first endpoint.

The malware executes and extracts the relevant components to disk. These include:

  1. PsExec – Network remote execution tool.
  2. A credential dumping tool.

More information on these steps can be found at the Windows Security blog.

Reconnaissance

The internal network is probed using multiple discovery methods to identify new workstations and domain controllers. These include:

  • LANMAN NetServerEnum2 API used to get information about workstations and domain controllers.
  • Probing using ports 139 and 445 to other endpoints.
  • If a domain controller is accessible, the malware queries its DHCP Service to enumerate DHCP subnet.
  • In case DHCP subnets are discovered, the malware will continue its discovery against those subnets as well.

Reconnaissance example – NetServerEnum2

In the screenshot above, we can see the NetServerEnum2 API used by the infected machine.
The response includes the domain controller and a list of all known workstations response.

Lateral Movement

To spread itself on the network, the malware tries to access the administrative share ($admin).

  • If the SeDebugPrivilege privilege obtained (Step2), a credentials dumping tool is used to recover additional user credentials from the local memory.
  • Our lab tests have shown that in addition to the current account session, only one additional user is used by the malware to probe the remote hosts. The malware seems to ignore memory dumped users who were tagged under a new credentials session. Moreover, it seems like only one user (the last one who is in memory) is used to probe the destination host
  • Each target endpoint is accessed using multiple authentication protocols, such as NTLM and Kerberos over GSSAPI (SPNEGO). The credentials used for access are:
    • Current user context, under which the malware is running.
    • Successfully dumped credentials (if available).

In the screenshot below, we can see multiple CIFS ticket requests performed by the malware on behalf of the dumped user. Such broad abnormal access attempts performed by the malware will be detected by Microsoft Advanced Threat Analytics (ATA) abnormal behavior detection. Based on previously learned user behavior analytics, the detection mechanism will recognize and alert on the abnormal resource access performed by the malware using the compromised credentials.

Multiple TGS-REQ

In the screenshot above, we can see multiple CIFS ticket requests.

Example of abnormal user access – ATA

Remote Execution

If access to the administrative share was obtained, the malware copies itself to the target host and executes PSEXEC and WMIC.

Malware Copy

PSEXEC Service creation

In the screenshot above, the infected host starts executing the PSEXEC tool.

Exploitation (optional)

If all propagation steps failed, the malware tries to execute one of the SMB exploits (MS17-010).

Available SMB Exploits:

  1. EternalBlue CVE-2017-0144
  2. EternalRomance – CVE-2017-0145

The above steps are performed simultaneously, using multiple threads and runs against each target host. For further information regarding the SMB exploit mitigation, malware encryption steps and initial infection stage, please refer to the Petya worm capabilities blog post.

The spreading capabilities used by the NotPetya malware introduce a new level of sophistication when executing lateral movement.

Detection and mitigation

Microsoft Advanced Threat Analytics allows customers to detect and to investigate a variety of advanced techniques including the lateral movement technique used by NotPetya.

This type of lateral movement can be detected by ATA as abnormal resource access – given the large scanning performed by the user to attempt access additional endpoints on the subnet.

There are several ways customers can detect and prevent NotPetya from impacting their environment.

First, we strongly recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. If applying the patch is not possible, disable SMB V1 on the corporate networks.

Second, we recommend that you verify good credential hygiene. To learn more, read the following article about protecting high value assets with secure admin workstations.

Additional Resources

KB

Blog



from Microsoft Secure Blog Staff