Thursday, April 27, 2017

"Building a Champions Program - At the #SecAwareSummit"

Editor's Note: Cassie Clarkis a security community manager for developers within Salesforce. Sheis one of the speakers for the upcoming Security Awareness Summit 2/3 Aug in Nashville, TN. Below shegives an overview on herupcoming talk onSecurity Champions. Have you heard of the employee engagement training programs called Security Champions? Ever considered starting a Security Champions … Continue reading Building a Champions Program - At the #SecAwareSummit

from lspitzner

Wednesday, April 26, 2017

FIRST TC Amsterdam 2017 Wrap-Up

Here is my quick wrap-up of the FIRST Technical Colloquium hosted by Cisco in Amsterdam. This is my first participation to a FIRST event. FIRST is an organization helping in incident response as stated on their website:

FIRST is a premier organization and recognized global leader in incident response. Membership in FIRST enables incident response teams to more effectively respond to security incidents by providing access to best practices, tools, and trusted communication with member teams.

The event was organized at Cisco office. Monday was dedicated to a training about incident response and the two next days were dedicated to presentations. All of them focussing on the defence side (“blue team”). Here are a few notes about interesting stuff that I learned.

The first day started with two guys from Facebook: Eric Water @ Matt Moren. They presented the solution developed internally at Facebook to solve the problem of capturing network traffic: “PCAP don’t scale”. In fact, with their solution, it scales! To investigate incidents, PCAPs are often the gold mine. They contain many IOC’s but they also introduce challenges: the disk space, the retention policy, the growing network throughput. When vendors’ solutions don’t fit, it’s time to built your own solution. Ok, only big organizations like Facebook have resources to do this but it’s quite fun. The solution they developed can be seen as a service: “PCAP as a Service”. They started by building the right hardware for sensors and added a cool software layer on top of it. Once collected, interesting PCAPs are analyzed using the Cloudshark service. They explained how they reached top performances by mixing NFS and their GlusterFS solution. Really a cool solution if you have multi-gigabits networks to tap!

The next presentation focused on “internal network monitoring and anomaly detection through host clustering” by Thomas Atterna from TNO. The idea behind this talk was to explain how to monitor also internal traffic. Indeed, in many cases, organizations still focus on the perimeter but internal traffic is also important. We can detect proxies, rogue servers, C2, people trying to pivot, etc. The talk explained how to build clusters of hosts. A cluster of hosts is a group of devices that have the same behaviour like mail servers, database servers, … Then to determine “normal” behaviour per cluster and observe when individual hosts deviate. Clusters are based on the behaviour (the amount of traffic, the number of flows, protocols, …). The model is useful when your network is quite close and stable but much more difficult to implement in an “open” environment (like universities networks).
Then Davide Carnali made a nice review of the Nigerian cybercrime landscape. He explained in details how they prepare their attacks, how they steal credentials, how they deploy the attacking platform (RDP, RAT, VPN, etc). The second part was a step-by-step explanation how they abuse companies to steal (sometimes a lot!) of money. An interesting fact reported by Davide: the time required between the compromisation of a new host (to drop malicious payload) and the generation of new maldocs pointing to this host is only… 3 hours!
The next presentation was performed by Gal Bitensky ( Minerva):  “Vaccination: An Anti-Honeypot Approach”. Gal (re-)explained what the purpose of a honeypot and how they can be defeated. Then, he presented a nice review of ways used by attackers to detect sandboxes. Basically, when a malware detects something “suspicious” (read: which makes it think that it is running in a sandbox), it will just silently exit. Gal had the idea to create a script which creates plenty of artefacts on a Windows system to defeat malware. His tool has been released here.
Paul Alderson (FireEye) presented “Injection without needles: A detailed look at the data being injected into our web browsers”. Basically, it was a huge review of 18 months of web-­inject and other configuration data gathered from several botnets. Nothing really exciting.
The next talk was more interesting… Back to the roots: SWITCH presented their DNS Firewall solution. This is a service they provide not to their members. It is based on DNS RPZ. The idea was to provide the following features:
  • Prevention
  • Detection
  • Awareness

Indeed, when a DNS request is blocked, the user is redirected to a landing page which gives more details about the problem. Note that this can have a collateral issue like blocking a complete domain (and not only specific URLs). This is a great security control to deploy. Note that RPZ support is implemented in many solutions, especially Bind 9.

Finally, the first day ended with a presentation by Tatsuya Ihica from Recruit CSIRT: “Let your CSIRT do malware analysis”. It was a complete review of the platform that they deployed to perform more efficient automatic malware analysis. The project is based on Cuckoo that was heavily modified to match their new requirements.

The second day started with an introduction to the FIRST organization made by Aaron Kaplan, one of the board members. I liked the quote given by Aaron:

If country A does not talk to country B because of ‘cyber’, then a criminal can hide in two countries

Then, the first talk was really interesting: Chris Hall presented “Intelligence Collection Techniques“. After explaining the different sources where intelligence can be collected (open sources, sinkholes, …), he reviewed a serie of tools that he developed to help in the automation of these tasks. His tools addresses:
  • Using the Google API, VT API
  • Paste websites (like
  • YARA rules
  • DNS typosquatting
  • Whois queries

All the tools are available here. A very nice talk with tips & tricks that you can use immediately in your organization.

The next talk was presented by a Cisco guy, Sunil Amin: “Security Analytics with Network Flows”. Netflow isn’t a new technology. Initially developed by Cisco, they are today a lot of version and forks. Based on the definition of a “flow”: “A layer 3 IP communication between two endpoints during some time period”, we got a review the Netflow. Netflow is valuable to increase the visibility of what’s happening on your networks but it has also some specific points that must be addressed before performing analysis. ex: de-duplication flows. They are many use cases where net flows are useful:
  • Discover RFC1918 address space
  • Discover internal services
  • Look for blacklisted services
  • Reveal reconnaissance
  • Bad behaviours
  • Compromised hosts, pivot
    • HTTP connection to external host
    • SSH reverse shell
    • Port scanning port 445 / 139
I would expect a real case where net flow was used to discover something juicy. The talk ended with a review of tools available to process net flow data: SiLK, nfdump, ntop but log management can also be used like the ELK stack or Apache Spot. Nothing really new but a good reminder.
Then, Joel Snape from BT presented “Discovering (and fixing!) vulnerable systems at scale“. BT, as a major player on the Internet, is facing many issues with compromized hosts (from customers to its own resources). Joel explained the workflow and tools they deployed to help in this huge task. It is based on the following circle: Introduction,  data collection, exploration and remediation (the hardest part!).
I like the description of their “CERT dropbox” which can be deployed at any place on the network to perform the following tasks:
  • Telemetry collection
  • Data exfiltration
  • Network exploration
  • Vulnerability/discovery scanning
An interesting remark from the audience: ISP don’t have only to protect their customers from the wild Internet but also the Internet from their (bad) customers!
Feike Hacqueboard, from TrendMicro, explained:  “How political motivated threat actors attack“. He reviewed some famous stories of compromised organizations (like the French channel TV5) then reviewed the activity of some interesting groups like C-Major or Pawn Storm. A nice review of the Yahoo! OAuth abuse was performed as well as the tab-nabbing attack against OWA services.
Jose Enrique Hernandez (Zenedge) presented “Lessons learned in fighting Targeted Bot Attacks“. After a quick review of what bots are (they are not always malicious – think about the Google crawler bot), he reviewed different techniques to protect web resources from bots and why they often fail, like the JavaScript challenge or the Cloudflare bypass. These are “silent challenges”. Loud challenges are, by examples, CAPTCHA’s. Then Jose explained how to build a good solution to protect your resources:
  • You need a reverse proxy (to be able to change quests on the fly)
  • LUA hooks
  • State db for concurrency
  • Load balancer for scalability
  • fingerprintjs2 / JS Challenge

Finally, two other Cisco guys, Steve McKinney & Eddie Allan presented “Leveraging Event Streaming and Large Scale Analysis to Protect Cisco“. CIsco is collecting a huge amount of data on a daily basis (they speak in Terabytes!). As a Splunk user, they are facing an issue with the indexing licence. To index all these data, they should have extra licenses (and pay a lot of money). They explained how to “pre-process” the data before sending them to Splunk to reduce the noise and the amount of data to index.
The idea is to pub a “black box” between the collectors and Splunk. They explained what’s in this black box with some use cases:
  • WSA logs (350M+ events / day)
  • Passive DNS (7.5TB / day)
  • Users identification
  • osquery data

Some useful tips that gave and that are valid for any log management platform:

  • Don’t assume your data is well-formed and complete
  • Don’t assume your data is always flowing
  • Don’t collect all the things at once
  • Share!

Two intense days full of useful information and tips to better defend your networks and/or collect intelligence. The slides should be published soon.

[The post FIRST TC Amsterdam 2017 Wrap-Up has been first published on /dev/random]

from Xavier

Supply chain security demands closer attention

Often in dangerous situations we initially look outwards and upwards for the greatest threats. Sometimes we should instead be looking inwards and downwards. Supply chain security in information and communication technology (ICT) is exactly one of those situations where detailed introspection could be of benefit to all concerned. The smallest security breach can have disastrous implications, irrespective of whether the attackers’ entry point is within one’s own system or within that of a supplier. ATM breaches, which can expose hundreds of millions of people’s personal information, are one example of how an attack can occur via a contractor.

My experience over the last fifteen or more years of cybersecurity policy work is that in a diverse, globalized and interconnected world, supply chains can pose a major cybersecurity threat if left unmanaged. Many products are built up from elements that are created and modified by different companies in different places. This is as true of software as it is of hardware. Global supply chains create opportunities for the introduction of counterfeit elements or malicious code. The problem is not concentrated in one region and the consequences can be global.

The situation not wholly new nor is it wholly unknown. From Microsoft’s perspective, based on our experience in the cyber supply chain risk management (C-SCRM) space and in line with our broad approach to all cybersecurity issues, the best approach to validating ICT products and components is risk-based. If I was to put forward basic elements of a supply chain risk management stance they would include:

  • A clear understanding of the critical supply chain risks that need to be mitigated, which will require regular evaluation and adjustment as threats or technologies change;
  • Principles and practices that take account of the lifecycle of threats whilst promoting transparency, accountability and trust between companies themselves and between companies and the authorities;
  • An understanding that flexibility is critical, given i) vendors’ differing business models and markets, and ii) that seemingly simple changes in technology can rapid change threat models; and,
  • A holistic approach to C-SRCM-based technical controls, operational controls, and vendor & personnel controls.

In addition to effective risk management, I can see a clear case for international standards in international supply chains. If we recognize that even the smallest weakness in a jurisdiction “over there” might be a way in for cyber criminals “over here”, international standards would be a common basis for judging whether or not a supply chain can be secure in its fundamentals.

Governments considering how to make their ICT supply chains more secure need to solicit industry feedback on their proposals. Indeed, I would argue that public-private partnerships to develop supply chain proposals are the best way to approach the issue. Both states and companies gain by cooperating in the fight against supply chain-led cyberattacks.

Microsoft depends on the trust our customers place in our products and as a multinational company, we understand the relevance of secure cross-border supply chains. So, even if C-SCRM is rarely the first thing considered when looking at cybersecurity, we will continue to make the case for a comprehensive and global approach to securing ICT supply chains that is risk-based, transparent, flexible and standards-led.

from Paul Nicholas

Tuesday, April 25, 2017

How future policy and regulations will challenge AI

I recently wrote about how radical the incorporation of artificial intelligence (AI) to cybersecurity will be. Technological revolutions are however frequently not as rapid as we think. We tend to see specific moments, from Sputnik in 1957 to the iPhone in 2007, and call them “game changing” – without appreciating the intervening stages of innovation, implementation and regulation, which ultimately result in that breakthrough moment. What can we therefore expect from this iterative and less eye-catching part of AI’s development, looking not just at the technological progress, but its interaction with national policy-making process?

I can see two overlapping, but distinct, perspectives. The first relates to the reality that information and communication technology (ICT) and its applications develop faster than laws. In recent years, examples of social media and/or ride hailing apps have seen this translate into the following regulatory experience:

  1. Innovation: R&D processes arrive at one or many practical options for a technology;
  2. Implementation: These options are applied in the real world, are refined through experience, and begin to spread through major global markets;
  3. Regulation: Governments intervene to defend the status quo or to respond to new categories of problem, e.g. cross-border data flows;
  4. Unanticipated consequences: Policy and technology’s interaction inadvertently harms one or both, e.g. the Wassenaar’s impact on cybersecurity R&D.

AI could follow a similar path. However, unlike e-commerce or the shared economy (but like nanotechnology or genetic engineering) AI actively scares people, so early regulatory interventions are likely. For example, a limited focus on using AI in certain sectors, e.g. defense or pharmaceuticals, might be positioned as more easily managed and controlled than AI’s general application. However, could such a limit really be imposed, particularly in the light of potential for transformative creative leaps that AI seems to promise? I say that would be unlikely – resulting in yet more controls. Leaving aside the fourth stage of unknown unknowns of unanticipated consequences, the third phase, i.e. regulation, would almost inevitably run into trouble of its own by virtue to having to legally define something as unprecedented and mutable as AI. It seems to me, therefore, that even the basic phases of AI’s interaction with regulation could be fraught with problems for innovators, implementers and regulators.

The second, more AI-specific perspective is driven by the way its capabilities will emerge, which I feel will break down into three basic stages:

  1. Distinction: Creation of smarter sensors;
  2. Direction: Automation of human-initiated decision-making;
  3. Delegation: Enablement of entirely independent decision-making.

Smarter sensors will come in various forms, not least as part of the Internet of Things (IoT), and their aggregated data will have implications for privacy. 20th century “dumb lenses” are already being connected to systems that can pick out number plates or human faces but truly smart sensors could know almost anything about us, from what is in our fridge and on our grocery list, to where we are going and whom we will meet. It is this aggregated, networked aspect of smarter sensors that will be at the core of the first AI challenge for policy-makers. As they become discriminating enough to anticipate what we might do next, e.g. in order to offer us useful information ahead of time, they create an inadvertent panopticon that the unscrupulous and actively criminal can exploit.

Moving past this challenge, AI will become able to support and enhance human decision-making. Human input will still be essential but it might be as limited as a “go/no go” on an AI-generated proposal. From a legal perspective, mens rea or scope of liability might not be wholly thrown into confusion, as a human decision-maker remains. Narrow applications in certain highly technical areas, e.g. medicine or engineering, might be practical but day-to-day users could be flummoxed if every choice had unreadable but legally essential Terms & Conditions. The policy-making response may be to use tort/liability law, obligatory insurance for AI providers/users, or new risk management systems to hedge the downside of AI-enhanced decision-making without losing the full utility of the technology.

Once decision-making is possible without human input, we begin to enter the realm of speculation.  However, it is important to remember that there are already high-frequency trading (HFT) systems in financial markets that operate independent of direct human oversight, following algorithmic instructions. The suggested linkages between “flash crash” events and HFT highlight, nonetheless, the problems policy-makers and regulators will face. It may be hard to foresee what even a “limited” AI might do in certain circumstances, and the ex-ante legal liability controls mentioned above may seem insufficient to policy-makers should a system get out of control, either in the narrow sense of being out of the control of those people legally responsible for it, or in the general sense of it being out of control of anybody.

These three stages would suggest significant challenges for policy-makers, with existing legal processes losing their applicability as AI moves further away from direct human responsibility. The law is, however adaptable, and solutions could emerge. In extremis we might, for example, be willing to add to the concept of “corporate persons” with a concept of “artificial persons”. Would any of us feel safer if we could assign legal liability to the AIs themselves and then sue them as we do corporations and businesses? Maybe.

In summary then, the true challenges for AI’s development may not exist solely in the big ticket moments of beating chess masters or passing Turing Tests. Instead, there will be any number of roadblocks caused by the needs of regulatory and policy processes systems still rooted in the 19th and 20th centuries. And, odd though this may sound from a technologist like me, that delay might be a good thing, given the potential transformative power of AI.


from Paul Nicholas

Monday, April 24, 2017

4 steps to managing shadow IT

Shadow IT is on the rise. More than 80 percent of employees report using apps that weren’t sanctioned by IT. Shadow IT includes any unapproved hardware or software, but SaaS is the primary cause in its rapid rise. Today, attempting to block it is an outdated, ineffective approach. Employees find ways around IT controls.

How can you empower your employees and still maintain visibility and protection? Here are four steps to help you manage SaaS apps and shadow IT.

Step 1: Find out what people are actually using

The first step is to get a detailed picture of how employees use the cloud. Which applications are they using? What data is uploaded and downloaded? Who are the top users? Is a particular app too risky? These insights provide information that can help you develop a strategy for cloud app use in your organization, as well as indicate whether an account has been compromised or a worker is taking unauthorized actions.

Step 2: Control data through granular policies

Once you have comprehensive visibility and understanding of the apps your organization uses, you can begin to monitor users’ activities and implement custom policies tailored to your organization’s security needs. Policies like restricting certain data types or alerts for unexpectedly high rates of an activity. You can take actions when there are violations against your policy. For instance, you can take a public link and make it private or create a user quarantine.

Step 3: Protect your data at the file level

Protecting data at the file level is especially important when data is accessed via unknown applications. Data loss prevention (DLP) policies can help ensure that employees don’t accidentally send sensitive information, such as personally identifiable information (PII) data, credit card numbers, and financial results outside of your corporate network. Today, there are solutions that help make that even easier.

Step 4: Use behavioral analytics to protect apps and data

Through machine learning and behavioral analytics, innovative threat detection technologies analyze how each user interacts with the SaaS applications and assess the risks through deep analysis. This helps you to identify anomalies that may indicate a data breach, such as simultaneous logons from two countries, the sudden download of terabytes of data, or multiple failed-logon attempts that may signify a brute force attack.

Where can you start?

Consider a Cloud Access Security Broker (CASB). These solutions are designed to help you achieve each of these steps in a simple, manageable way. They provide deeper visibility, comprehensive controls, and improved protection for the cloud applications your employees use—sanctioned or unsanctioned.

To learn why CASBs are becoming a necessity, read our new e-book. It outlines the common issues surrounding shadow IT and how a CASB can be a helpful tool in your enterprise security strategy.

Read Bring Shadow IT into the Light.


from Microsoft Secure Blog Staff

Friday, April 21, 2017

[SANS ISC] Analysis of a Maldoc with Multiple Layers of Obfuscation

I published the following diary on “Analysis of a Maldoc with Multiple Layers of Obfuscation“.

Thanks to our readers, we get often interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called “Invoice_6083.doc” (which was delivered in a zip archive). I had a quick look at it and it was interesting enough for a quick diary… [Read more]

[The post [SANS ISC] Analysis of a Maldoc with Multiple Layers of Obfuscation has been first published on /dev/random]

from Xavier

Thursday, April 20, 2017 Abused to Deliver Phishing Pages

The Internet Archive is a well-known website and more precisely for its “WaybackMachine” service. It allows you to search for and display old versions of websites. The current Alexa ranking is 262 which makes it a “popular and trusted” website. Indeed, like I explained in a recent SANS ISC diary, whitelists of websites are very important for attackers! The phishing attempt that I detected was also using the URL shortener (Position 9380 in the Alexa list).

The phishing is based on a DHL notification email. The mail has a PDF attached to it:

DHL Notification

This PDF has no malicious content and is therefore not blocked by antispam/antivirus. The link “Click here” points to a short URL:


Note that HTTPS is used which already make the traffic non-inspected by many security solutions.

Tip: If you append a “+” at the end of the URL, will not directly redirect you to the hidden URL but will display you an information page where you can read this URL!

The URL behind the short URL is:

hxxps:// also maintains statistics about the visitors: Statistics

It’s impressive to see how many people visited the malicious link. The phishing campaign was also active since the end of March. Thank you for this useful information!

This URL returns the following HTML code:

<META http-equiv="refresh" content="0;URL=data:text/html;base64, ... (base64 data) ... "
<body bgcolor="#fffff">

The refresh META tag displays the decoded HTML code:

<script language="Javascript">

The deobfuscated script displays the following page:

DHL Phishing Page

The pictures are stored on a remote website but it has already been cleaned:


Stolen data are sent to another website: (This one is still alive)


The question is: how this phishing page was stored on If you visit the upper level on the malicious URL (, you find this: Files

Go again to the upper directory (‘../’) and you will find the owner of this page: alextray. This guy has many phishing pages available:

alextray's Projects

Indeed, the Internet Archives website allows registered users to upload content as stated in the FAQ. If you search for ‘’ on Google, you will find a lot of references to multiple contents (most of them are harmless) but on VT, there are references to malicious content hosted on

Here is the list of phishing sites hosted by “alextray”. You can use them as IOC’s:

hxxps:// (Yahoo!)
hxxps:// (Microsoft)
hxxps:// (DHL)
hxxps:// (Adobe)
hxxps://[pk[.html (Microsoft)
hxxps:// (TNT)
hxxps:// (TNT)
hxxps:// (Adobe)
hxxps:// (DHL)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Yahoo!)
hxxps:// (Microsoft Excel)
hxxps:// (Adobe)
hxxps:// (DHL)
hxxps:// (Google Drive)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (DHL)
hxxps:// (DHL)
hxxps:// (DHL)
hxxps:// (Yahoo!)
hxxps:// (Microsoft)
hxxps:// (Yahoo!)
hxxps:// (DHL)
hxxps:// (Microsoft)
hxxps:// (DHL)
hxxps:// (DHL)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Yahoo!)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (DHL)
hxxps:// (Adobe)
hxxps:// (Google)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Yahoo!)
hxxps:// (Yahoo!)
hxxps://;kfd;k.html (Yahoo!)
hxxps:// (TNT)
hxxps:// (Microsoft)
hxxps:// (Google)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Adobe)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Yahoo!)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (DHL)
hxxps:// (Google)
hxxps://;.html (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (DHL)
hxxps:// (Microsoft)
hxxps:// (Yahoo!)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Microsoft)
hxxps:// (DHL)
hxxps://;.html (Microsoft)
hxxps:// (Microsoft)
hxxps:// (Microsoft)

[The post Abused to Deliver Phishing Pages has been first published on /dev/random]

from Xavier

Navigating cybersecurity in the New Age

In today’s rapidly evolving tech landscape, tools, gadgets, and platforms aren’t the only things advancing. Cyberattacks are becoming more powerful, wide-ranging, and harmful to organizations around the globe.

For any enterprise, cybersecurity is one of the most essential factors to business success. With new and emerging technology, leaders have to explore modern security needs via stronger, more intelligent solutions. Today, the modern security officers must:

  • Recognize the intricacies of the cyberspace and the cyberattacks that threaten it
  • Take advantage of machine learning and cloud platforms that enhance security
  • Gain insights to top trends and the future of the cybersecurity industry

Navigating today’s advanced cyber threats is a team effort. Organizations must learn new skills to protect themselves from cyber criminals and ensure infrastructure security. It takes a team of security experts, analysts, IT specialists, and risk assessors to restructure and refine cybersecurity.

On May 10th, Microsoft will live stream from the Security Summit, an invitation-only event for Chief Information Security Officers.  Attend the live, Virtual Security Summit to hear from leading security experts about best practices and solutions to keep your organization safe.

Don’t miss out on the opportunity to gain insights and learn how to protect your organization, detect, and respond to evolving cyberattacks.



from Microsoft Secure Blog Staff

[SANS ISC] DNS Query Length… Because Size Does Matter

I published the following diary on “DNS Query Length… Because Size Does Matter“.

In many cases, DNS remains a goldmine to detect potentially malicious activity. DNS can be used in multiple ways to bypass security controls. DNS tunnelling is a common way to establish connections with remote systems. It is often based on “TXT” records used to deliver the encoded payload. “TXT” records are also used for good reasons, like delivering SPF records but, too many TXT DNS request could mean that something weird is happening on your network… [Read more]

[The post [SANS ISC] DNS Query Length… Because Size Does Matter has been first published on /dev/random]

from Xavier

"Gamify Your Awareness Program - At the #SecAwareSummit"

Editor's Note: Graham Westbrook is the head of awareness atGeisinger Health System in PA/NJ. Heis one of the speakers for the upcoming Security Awareness Summit 2/3 Aug in Nashville, TN. Below he gives an overviewhisupcoming talk on Gamification. I entered the cybersecurity industry from the back door, you could say, having gone to school for &hellip; Continue reading Gamify Your Awareness Program - At the #SecAwareSummit

from lspitzner

Rhode Island Hires First State Cybersecurity Officer

Rhode island’s first ever state cyber security officer

Rhode Island has just hired its first state Cybersecurity officer. Mike Steinmetz will be serving as Gov. Gina M. Raimondo’s policy advisor on cyber security. He will also help develop a comprehensive state cybersecurity strategy that will help the state fight back cyber crimes and prevent them.

Steinmetz will also be serving as Rhode Island’s homeland security adviser. He began working on April 17.

Raimondo made this decision as a part of continuing efforts to create economic development and increase innovation. The decision was also made based on the series of 8 different recommendations in a report that was released in 2015 from the cybersecurity commission of Rhode Island.

Read more details 

The post Rhode Island Hires First State Cybersecurity Officer appeared first on Cyber Security Portal.

from Gilbertine Onfroi

Wednesday, April 19, 2017

Is social engineering the biggest threat to your organization?

“Always remember: Amateurs hack systems. Professionals hack people.” –Bruce Schneier, CTO, Counterpane Internet Security, Inc.

All over the globe, social engineering is a dominant and growing threat to organizational security. Since January 2015, the number of social engineering victims identified by the FBI has increased 270%, costing businesses more than $2.3 billion.

Social engineering happens when a hacker uses manipulation, influence, or deception to get another person to release information or to perform some sort of action that benefits them. Essentially it just comes down to tricking people into breaking normal security procedures such as divulging a password.

Some common types of social engineering include:

  • Spear phishing – sending an email that appears to be from someone you trust, such as the CEO or corporate IT, requesting you to take an action that makes confidential information vulnerable.
  • Dumpster diving – rummaging through the trash to try to find confidential information like design documents with IP information, marketing plans, employee performance plans, or even organizational charts and phone lists.
  • 10 degrees of separation – appearing to have a shared connection you trust to make you feel more secure about discussing confidential information.

No matter how strong your technical security is, your organization’s people are often the most vulnerable link in the chain. But, with thorough, thoughtful, and regular education, they can also be your biggest asset in your fight against social engineering.

To learn how to implement strong security policies and build a security-aware culture to help protect your organization from social engineering risks, check out the Insider’s Guide to Social Engineering.

from Microsoft Secure Blog Staff

[SANS ISC] Hunting for Malicious Excel Sheets

I published the following diary on “Hunting for Malicious Excel Sheets“.

Recently, I found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file. The Excel file looked classic, asking the user to enable macros… [Read more]

[The post [SANS ISC] Hunting for Malicious Excel Sheets has been first published on /dev/random]

from Xavier

Tuesday, April 18, 2017

Strategies to build your cybersecurity posture

This post is authored by Michael Montoya, Executive Advisor, Enterprise Cybersecurity Group Asia Region.

“You clicked on an infected message…” In my prior life of managing an enterprise email environment, I started thousands of messages with that response to the victims of the infamous “love bug” email.

Looking back, this was a simple task compared to what we now face. Over the past 20 years, I have been on the front lines of the cybersecurity battlefield and fortunate to serve among some of the greatest professionals in our industry. During this time, I have witnessed the landscape shift from annoying hacker hobbyists to the advanced tactics of nation-states and well-funded organized cyber-criminals. The evolution of attacks is advancing at a record pace, and we are at full throttle inside a digital transformation, I don’t suspect any slowing of the pace of innovation coming from threat actors. In fact, trends indicate the opposite. We have the rise of cyber-terrorists, improving anti-forensics approaches, and non-malware approaches to attacks using in-memory, PowerShell-based, and WMI-based, to name a few.

“How do we stop these new threat actors?” is a common question I am asked. Unfortunately, the landscape is far too complex for a simple answer, and the more appropriate question is “How can we maximize the cost of an attack, for the attackers, so these threat actors leave us alone?” Similarly, if your home is more difficult to rob than your neighbor, you become a much less attractive target. Therefore, how can we increase our security posture in a world where the “identity” is the new network edge, all the while that identity works in coffee shops, airports and wifi hotspots around the globe? If your security posture relies on a human firewall to determine if a website or document is malicious, then you may be the most desirable house in the neighborhood for criminals.

In my years of leading operational teams and working among many of the greatest minds and enterprises, I have picked up keen insights that can improve security hygiene and increase the difficulty for any attacker. Before we dive in, state one truth loud and clear: “I am already breached”. This doesn’t necessarily translate to you being under a hostile attack, but the “assume breach” posture sets a very important tone, and unfortunately is likely to be your reality.

In Asia, we especially find enterprise security is commonly based on firewalls and legacy antivirus technologies. Given this reality, we find that an overwhelming, and I mean OVERWHELMING, majority of endpoints have evidence of malicious artifacts, i.e. they have already been breached.

According to a recent FireEye report, we find that a majority of attacks in Asia go undetected for as many as 520 days and 55% of the time are detected by external entities, not by our firewalls and antivirus technologies! Our numbers in Asia are improving, as well as globally, but not fast enough.

Now that we have assumed breach, how can we increase the cost of an attack? Here are 5 essentials that I have witnessed make a difference:

  1. Hygiene matters. Remember our parents always saying, “wash your hands”? Turns out they were right! Same is true in technology. Here are the minimum operating guidelines and the operational security equivalent to washing your hands:
    • Know your environment, especially your high value assets
    • Patch and install maintenance updates, prioritize your high value assets
    • Use complex passwords and encryption
    • Implement hardened administration and networks
    • Maintain logging
  2. Endpoint modernization. Many of us have modernized in a siloed and bolted-on approach. We have signature-based antivirus, some compliance encryption that drives up our helpdesk calls, and for a few, an endpoint detection and response technology. Each of these likely requires agents consuming critical resources and making our end users shout our names unkindly. The siloed approach requires our operations teams to stitch together and inundate an already overworked Security Info & Event Management system, aka SIEM. A modern endpoint fully integrates these functions and leverages virtualization and container technologies for isolation. The essentials of modern endpoint protection are to:
    • Perform the basics of anti-virus
    • Protect a user’s identity and contain lateral movement
    • Contain ransomware encryption
    • Leverage an intelligence platform to detect indicators of attack and compromise
    • Capture critical information to replay a breach in motion for advanced forensics
  3. Email application protection. There is a common saying in the USA that a “bad day fishing is better than a good day at work”. Allow me to iterate with “a bad day of phishing is a great day at work”. According to the Verizon Data Breach Investigations Report, 77% of modern attacks start with an email where it is too easy to find patient zero. I am surprised by enterprises that continue to implement hygiene services for anti-spam and anti-virus but don’t employ sandboxing or URL rewrite capabilities. Unless we want the human firewall to continue to be our last line of defense, email is a critical application to secure. Vital features are:
    • Anti-Spam/Anti-Virus
    • Sandbox detonation of attachments
    • URL re-write
  4. Intelligence platform. Today’s modern attacks are based on unknowns. This is why signature based technologies like antivirus are not succeeding. Intelligence must be based on a vast data set that can model indicators of attack and indicators of compromise quickly, then deliver these through technology. Enterprises that have developed this platform are at a distinct advantage to better hunt and detect the unknown behaviors that may result in an attack.
  5. Cybersecurity response and operations. People remain a critical component to success. There is no ignoring the shortage of professionals in security, and the demand continues to grow. According to Michael Brown, CEO of Symantec, to help defend us in this new space, “The demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019.…” In a recent post, Ann Johnson, VP of the Enterprise Cybersecurity Group at Microsoft, championed an important best practice and case for change to help us address this shortage. Ensuring readiness, training and advanced operations are in place is critical. I am never surprised with the silence I often receive when I ask: “What is your first step in your cyberbreach response plan when you have detected a breach?” This needs to be a top priority of any CISO and CIO. Microsoft recently published a reference guide to address incident response. The response plan must include the technology team, executives, legal, marketing, risk and other relevant business stakeholders. Too many times these plans include only the technology teams. Next, enterprises must reduce the noise of alerts and ensure that their detection efficacy is feeding them the alerts that matter. The operations teams must move from reactive alert management to proactive hunting by sweeping endpoints and environments for malicious behavior and artifacts. The latest innovation in threats is non-malware attacks – where threat actors leverage system processes like WMI and Powershell to fly beneath the radar. Identifying these abnormalities with managed sweeps is a new critical operational process. Additionally, the operations teams must consistently run red team/blue team drills to refine their skills and identify potential weak points. Furthermore, adopt an Incident Command System (ICS) for Crisis Management and include executives, legal, marketing, finance, risk and other critical business functions in the incident response plans. Enterprises who have adopted these tactics are at a distinct advantage.

The positives of digital transformation far outweigh the risks and changing threat landscape. We must all assume we have been breached and transform our people, technology and processes to decrease the time it takes to detect a compromise and remediate. Making it more expensive for a threat actor is the biggest deterrence and the steps above significantly increase the hacker cost per comprise.

Michael Montoya is a 20-year veteran of the IT industry, currently serving an Executive Security Advisor in the Asia Pacific Region in the Enterprise Cybersecurity Group at Microsoft.  In this role, he regularly consults enterprise executives and governments in cybersecurity issues, and is a frequent featured speaker at IT conferences around the globe.

from Microsoft Secure Blog Staff

Monday, April 17, 2017

How to protect yourself from cloud attacks

As organizations are rapidly making the move to the cloud, safeguarding cloud resources against advanced cyber threats has become a top priority. Sophisticated attack vectors require a new approach to security. How can you leverage unique insights into a variety of threats to help defend against cloud attacks?

To learn more about how to keep your cloud secure—especially in this ever-present era of cybercrime—join our webinar, Take your cloud security to the next level: How to protect yourself from cloud attacks on April 18, 2017 at 10:00 AM PST. Register now.

This webinar will explore the threat landscape and the anatomy of common cloud attacks, how to detect, prevent and rapidly respond to attacks and leverage insights and analytics to defend yourself against threats. You will learn how Azure Security Center + Operations Management Suite can help you gain visibility and control, prevent and detect cyber-attacks and leverage analytics to help prevent future attacks.

There will be live Q&A with some of Microsoft’s foremost security experts. You don’t want to miss out—reserve your webinar seat today.

Explore more about our unique approach to security at Microsoft Secure.

from Microsoft Secure Blog Staff

How Microsoft is securing the information and communication supply chain

Generally speaking, scrutiny of supply chain security for critical infrastructure is on the rise. Governments around the globe are increasingly paying attention to this issue, a fact which is reflected in recently developed and currently developing policies. That being said, the same principled and risk-based approach applies to managing risk in the supply chains of critical infrastructure as in those in supply chains more generally. The most effective requirements in this space result from governing bodies leveraging expertise by utilizing an open, collaborative, and iterative process that engages a range of stakeholders. One example of this approach in action is the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” V 1.1 of this Framework, which is currently out for public comment, contains updates focused largely on supply chain security.

We recently heard from Microsoft leaders on the methods and policies for securing the information and communication technology (ICT) supply chain in our webinar “Supply chain security: A framework for managing risk”. In this blog, we will cover some of the fantastic questions our customers asked and how we responded.

How frequently does Microsoft conduct ‘red team’ pen testing of its products before vs. after fielding?
There are several pen test events that are carried out against our products and services annually, some of which are tied to competitions and educational events. Some of these are open to the hacking community, but many are closed events to ensure product and services integrity and availability.

Supply chain logistics today has to have close to real-time access to personal information to deliver products & services to meet customer demands. What changes do you see coming to protect that information?
Cloud based information protection and the broad application of access controls in a consistent and automated way is the best and most realistic way forward. The General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, will require significant changes by organizations all over the world – including Microsoft and our customers. The GDPR represents a paradigm shift in global privacy requirements governing how you respect and protect personal data – no matter where it is sent, processed, or stored. Fundamentally, the GDPR is about protecting and enabling individuals’ rights to privacy, and its goals align with Microsoft’s enduring commitment to a cloud you can trust.

With fraud and piracy increasing in sophistication & capability how will the industry stay ahead of the curve?
Microsoft has a Digital Crimes Unit which is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. In the future, similar means will have the benefit of the kind of automated identification that machine learning can provide to do this at even greater scale.

If the customer requested it, do you have the ability to do external auditing on their behalf? Have you ever had that in a contract internally or with vendors (do you audit vendor security)?
We do not provide audit services to our customers for their consumption. We do perform onsite assessments for our critical suppliers.

Can the panel elaborate on the due diligence Microsoft does on their “fourth party” suppliers, or subcontractors of contractors?
For our suppliers, we ensure that the contracts are clear on our expectations and security requirements not only for them but the suppliers they use as well. Accountability is with the supplier Microsoft contracts with, and if they choose to use a subcontractor, that does not change.

How do I convince my organization to implement supply chain security?
Whether you are working for an organization that provides products or services to governments, enterprises, or consumers, the trust of the purchaser in your output is going to be critical to sales. A principled approach to supply chain risk management can help you establish and/or enhance that trust by demonstrating your commitment to the quality of what you are selling.

Any statistics on actual breaches relating to points of breach?
There are several good reports including Verizon’s annual Data Breach Investigations Report. This report for the most part identifies people as the weakest link with phishing and easy passwords as the first point of breach.

What are the primary components of Microsoft’s vetting process to ensure a reliable vendor? Is there a way that vendors can obtain these requirements beforehand? If so, does that increase or decrease Microsoft’s likelihood of incurring risk?
Vendor onboarding is subject to a mutually agreed upon set of directives for vetting and qualification. These are tailored to Microsoft needs and requirements, so they may vary for other organizations. It is a good practice to discuss these requirements with the vendor prior to onboarding.

If you would like to hear more about the methods and policies for securing the ICT supply chain, watch our webinar Supply Chain Security: A Framework for Managing Risk on-demand.

Learn more about Microsoft’s strategic approach to security at Microsoft Secure.


from Microsoft Secure Blog Staff

Saturday, April 15, 2017

HITB Amsterdam 2017 Day #2 Wrap-Up

After a nice evening with some beers and an excellent dinner with infosec peers, here is my wrap-up for the second day. Coffee? Check! Wireless? Check! Twitter? Check!

As usual, the day started with a keynote. Window Snyder presented “All Fall Down: Interdependencies in the Cloud”. Window is the CSO of Fastly and, as many companies today, Fasly relies on many services running in the cloud. This reminds me the Amazon S3 outage and their dashboard that was not working because it was relying on… S3! Today, all the stuff are interconnected and the overall security depends on the complete chain. To resume: You use a cloud service to store your data, you authenticate to it using another cloud service, and you analyse your data using a third one etc… If one is failing, we can face a domino effect. Many companies have statements like “We take security very seriously” but they don’t invest. Window reviewed some nightmare stories where the security completely failed like the RSA token compromization in 2011, Diginotar in 2012 or Target in 2013. But sometimes dependencies are very simple like DNS… What if your DNS is out of service? All your infrastructure is down. DNS remains an Achille’s heel for many organizations. The keynote interesting but very short! Anyway, it meant more time for coffee…

The first regular talk was maybe the most expected: “Chasing Cars: Keyless Entry System Attacks”. The talk was promoted via social networks before the conference. I was really curious and not disappointed by the result of the research! Yingtao Zeng, Qing Yang & Jun Li presented their work about car keyless attack. It was strange that the guy responsible of the most part of the research did not speak English. I was speaking in Chinese to his colleague who was translating in English. Because users are looking for more convenience (and because it’s “cool”), modern cars are not using RKE (remote keyless entry) but PKE (passive keyless entry). They started with a technical description of the technology that many of us use daily:

Passive key entry system

How to steal the car? How could we use the key in the car owner’s pocket? The idea was to perform a relay attack. The signal of the key is relayed from the owner’s pocket to the attacker sitting next to the car. Keep in mind that cars required to press the button on the door or to use a contact sensor to enable communications with the key. A wake up is sent to the key and unlock doors. The relay attack scenario looks like this:

Relay attack scenario

During this process, they are time constraints. They showed a nice demo of a guy leaving his car, followed by attacker #1 who captures the signal and relay to the attack #2 who unlock the car.

Relay devices

The current range to access the car owner’s key is ~2m. Between the two relays, up to 300m! What about the cost to build the devices? Approximatively 20€! (the cost of the main components). What in real case? Once the car is stolen and the engine running, it will only warn that the key is not present but it won’t stop! The only limit is running out of gas 🙂 Countermeasures are: use a faraday cage or bag, remove the battery more strict timing constraints.

They are still improving the research and are now investigating how to relay this signal through TCP/IP (read: the Wild internet). [Slides are available here]

My next choice was to follow “Extracting All Your Secrets: Vulnerabilities in Android Password Managers” presented by Stephan Uber, Steven Arzt and Siegfried Rasthofer. Passwords remain a threat for most people. For years, we ask users to use strong passwords, to change them regularly. The goal was not here to debate about how passwords must be managed but, as we recommend users to use passwords manager to handle the huge amount of passwords, are they really safe? An interesting study demonstrated that, on average, users have to deal with 90 passwords. The research focused on Android applications. First of all, most of them say that they “banking level” or “military grade” encryption? True or false? Well, encryption is not the only protection for passwords. Is it possible to steal them using alternative attack scenarios? Guess what? They chose the top password managers by the number of downloads on the Google play store. They all provide standard features like autofill, custom browser, comfort features, secure sync and confidential password storage of course. (Important note: all the attacks have been performed on non-rooted devices) Manual filing attack: Manual filling is using the clipboard. 1st problem: any app can read from the clipboard without any specific rights. A clipboard sniffer app could be useful.

The first attack scenario was: Manual filing attack: Manual filling is using the clipboard. First problem: any application can read from the clipboard without any specific rights. A clipboard sniffer app could be useful to steal any password. The second scenario was: Automatic filling attack. How does it work? Applications cannot communicate due to the sandboxing system. They have to use the “Accessibility service” (normally used for disabled people). The issue may arise if the application doesn’t check the complete app name. Example: make an app that starts also with “com.twitter” like “com.twitter.twitterleak”. The next attack is based on the backup function. Backup, convert the backup to .tar, untar and get the master password in plain text in KeyStorage.xml. Browsers don’t provide API’s to perform autofill so developers create a customer browser. But it’s running in the same sandbox. Cool! But can we abuse this? Browsers are based on Webview API which supports access to files… file:///data/package/…./passwords_pref.xml Where is the key? In the source code, split in two 🙂 More fails reported by the speakers:

  • Custom crypto (“because AES isn’t good enough?”)
  • AES used in ESC mode for db encryption
  • Delivered browsers to not consider subdomains in form fields
  • Data leakage in browsers
  • Customer transport security

How to improve the security of password managers:

  • Android provides a keystore, use it!
  • Use key derivation function
  • Avoid hardcoded keys
  • Do not abuse the account manager

The complete research is available here. [Slides are available here]

After the lunch, Antonios Altasis presented “An Attack-in-Depth Analysis of Multicast DNS and DNS Service Discovery”. The objective was to perform threat analysis and to release a tool to perform tests on a local network. The starting point was the RFC and identifying the potential risks. mDNS & DNS-SD are used for zero-conf networking. They are used by the AppleTV, the Google ChromeCast, home speakers, etc. mDNS (RFC6762) provides DNS-alike operations but on the local network (uses 5353). DNS-SD (RFC6763) allows clients to discover instances of a specific service (using standard DNS queries). mDNS uses the “.local” TLD via & FF02::FB. Antonios make a great review of the problems associated with these protocols. The possible attacks are:

  • Reconnaissance (when you search for a printer, all the services will be returned, this is useful to gather information about your victim. Easy to get info without scanning). I liked this.
  • Spoofing
  • DoS
  • Remote unicast interaction

mDNS implementation can be used to perform a DoS attack from remote locations. If most modern OS are protected, some embedded systems still use vulnerable Linux implementations. Interesting: Close to 1M of devices are listening to port 5353 on the Internet (Shodan). Not all of them are vulnerable but there are chances. During the demos, Antonios used the tool he developed: [Slides are available here]

Then, Patrick Wardle presented “OverSight: Exposing Spies on macOS”. Patrick presented a quick talk yesterday in the Commsec track. It was very nice so I expected also some nice content. Today the topic was pieces of malware on OSX that abuse the microphone and webcam. To protect against this, he developed a tool called OverSight. Why bad guys use webcams? To blackmail victims, Why governments use microphone to spy. From a developer point of view, how to access the webcam? Via the avfoundation framework. Sandboxed applications must have specific rights to access the camera (via entitlement ‘com’ but non sandboxed application do not require this entitlement to access the cam. videoSnap is a nice example of avfoundation use. The pending tool is audioSnap for the microphone. The best way to protect your webcam is to put a sticker on it. Note that it is also possible to restrict access to is via file permissions.

What about malware that use mic/cam? (note: the LED will always be on). Patrick reviewed some of them like yesterday:

  • The Hackingteam’s implant
  • Eleanor
  • Mokes
  • FruitFly

To protect against abusive access to the webcam & microphone, Patrick developed a nice tool called OverSight. The version 1.1 was just released with new features (better support for the mic, whitelisting apps which can access resources). The talk ended with a nice case study: Shazam was reported as listening all the time to the mic (even if disabled). This was reported by an OverSight user to Patrick. He decided to have a deeper look. He discovered that it’s not a bug but a feature and contacted Shazam. For performance reasons they use continuous recording on IOS but a shared SDK is used with OSX. Malicious or not? “OFF” means in fact “stop processing the recording” but don’t stop the recording.

Other tools developed by Patrick:

  • KnockKnock
  • BlockBlock
  • RansomWhere (detect encryption of files and high number of created files)

It was a very cool talk with lot of interesting information and tips to protect your OSX computers! [Slides are available here]

The last talk from my list was “Is There a Doctor in The House? Hacking Medical Devices and Healthcare Infrastructure” presented by Anirudh Duggal. Usually, such talks present vulnerabilities around the devices that we can find everywhere in hospitals but the the talk focused on something completely different: The protocol HL7 2.x. Hospitals have: devices (monitors, X-ray, MRI, …), networks, protocols (DICOM, HL7, FHIR, HTTP, FTP) and records (patients). HL7 is a messaging standard used by medical devices to achieve interoperability. Messages may contain patient info (PII), doctor info, patient visit details, allergy & diagnostics. Anirudh reviewed the different types of message that can be exchanged like “RDE” or ” Pharmacy Order Message”. The common attacks are:

  • MITM (everything is in clear text)
  • Message source not validated
  • DoS
  • Fuzzing

This is scaring to see that important information are exchanged with so poor protections. How to improve? According to Anirugh, here are some ideas:

  • Validate messages size
  • Enforce TLS
  • Input sanitization
  • Fault tolerance
  • Anonymization
  • Add consistency checks (checksum)

The future? HL7 will be replaced by FHIR a lightweight HTTP-based API. I learned interesting stuff about this protocol… [Slides are available here]

The closing keynote was given by Natalie Silvanovich working on the Google Project Zero. It was about the Shakra Javascript engine. Natalie reviewed the code and discovered 13 bugs, now fixed. She started the talk with a deep review of the principles of arrays in the Javascript engine. Arrays are very important in JS. There are simple but can quickly become complicate with arrays of arrays of arrays. Example:

var b = [ 1; “bob, {}, new RegExp() ];

The second part of the talk was dedicated to the review of the bug she found during her research time. I was a bit lost (the end of the day and not my preferred topic) but the work performed looked very nice.

The 2017’s edition is now over. Besides the talk, the main room was full of sponsor booths with nice challenges, hackerspaces, etc. A great edition! See you next year I hope!




[The post HITB Amsterdam 2017 Day #2 Wrap-Up has been first published on /dev/random]

from Xavier

Friday, April 14, 2017

HITB Amsterdam 2017 Day #1 Wrap-Up

I’m back in Amsterdam for the 8th edition of the security conference Hack in the Box. Last year, I was not able to attend but I’m attending it for a while (you can reread all my wrap-up’s here). What to say? It’s a very strong organisation, everything running fine, a good team dedicated to attendees. This year, the conference was based on four(!) tracks: two regular ones, one dedicated to more “practical” presentations (HITBlabs) and the last one dedicated to small talks (30-60 mins).

Elly van den Heuvel opened the conference with a small 15-minutes introduction talk: “How prepared we are for the future?”. Elly works for the Dutch government as the “Cyber Security Council“. She gave some facts about the current security landscape from the place of women in infosec (things are changing slowly) to the message that cyber-security is important for our security in our daily life. For Elly, we are facing a revolution as big as the one we faced with the industrial revolution, maybe even bigger. Our goal as information security professional is to build a cyber security future for the next generations. They are already nice worldwide initiatives like the CERT’s or NIST and their guidelines. In companies, board members must take their responsibilities for cyber-security projects (budgets & times must be assigned to them). Elly declared the conference officially open 🙂

The first-day keynote was given by Saumil Shah. The title was “Redefining defences”. He started with a warning: this talk is disrupting and… it was! Saumil started with a step by to the past and how security/vulnerabilities evolved. It started with servers and today people are targeted. For years, we have implemented several layers of defence but with the same effect: all of them can be bypassed. Keep in mind that there will be always new vulnerabilities because products and applications have more and more features, are becoming more complex. I really liked the comparison with the Die Hard movie: It’s the Nakatomi building: we can walk through all the targets exactly in the movie when Bruce Willis travels in the building. Vendors invent new technologies to mitigate the exploits. There was a nice reference to the “Mitigator“. The next part of the keynote was focusing how the CISO daily job and the fight against auditors. A fact: “compliance is not security”. In 2001, the CIO position was split in CIO & CISO but budgets remained assigned to the CIA as “business enabler”. Today, we should have another split: The CISO position must be divided in CISO and COO (Compliance Officer). His/her job is to defend against auditors. It was a great keynote but the audience should be more C-level people instead of “technical people” who already agree on all the facts reviewed by Saumil. [Saumil’s slides are available here]

After the first coffee break, I had to choose between two tracks. My first choice was already difficult: hacking femtocell devices or IBM mainframes running z/OS. Even if the second focused on less known environments, mainframes are used in many critical operations so I decided to attend this talk. Ayoub Elaassal is a pentester who focused on this type of targets. People still have an old idea of mainframes. The good old IBM 370 was a big success. Today, the reality is different, modern mainframes are badass computers like the IBM zEC 13: 10TB of memory, 141 processors, cryptographic chips, etc. Who uses such computers? Almost every big companies from airlines, healthcare, insurance or finance ( Have a look at this nice gallery of mainframe consoles). Why? Because it’s powerful and stable. Many people (me first) don’t know a lot about mainframes: It’s not a web app, it uses a 3270 emulator over port 23 but we don’t know how it works. On top of the mainframe OS, IBM has an application layer called CICS (“Customer Information Control System”). For Ayoub, it looks like “a combination of Tomcat & Drupal before it was cool”. CICS is a very nice target because it is used a log: Ayoub gave a nice comparison: worldwide, 1.2M of request/sec are performed using the CICS product while Google reaches 200K requests/sec. Impressive! Before exploiting CICS, the first step was to explain how it works. The mainframe world is full of acronyms. not easy to understand immediately.  But then Ayoub explained how it abused a mainframe. The first attack was to jailbreak the CICS to get a console access (just like finding the admin web page). Mainframes contain a lot of juicy information. The next attack was to read sensitive files. Completed too! So, the next step is to pwn the device. CICS has a feature called “spool” functions. A spool is a dataset (or file) containing the output of a job. Idea: generate a dataset and send it to the job scheduler. Ayoub showed a demo of a Reverse shell in REXX. Like DC trust, you can have the same trust between mainframes and push code to another one. Replace NODE(LOCAL) by NODE(WASHDC). If the spool feature is not enabled, there are alternative techniques that were also reviewed. Finally, let’s to privileges escalation: They are three main levels: Special, Operations and Audit. Special can be considered as the “root” level. Those levels are defined by a simple bit in memory. If you can swap it, you get more privileges. It was the last example. From a novice point of view, this was difficult to follow but basically, mainframes can be compromised like any other computer. The more dangerous aspect is that people using mainframes think that they’re not targeted. Based on the data stored on them, they are really nice targets. All the Ayoub’s scripts are here. [Ayoub’s slides are available here]

The next talk was “Can’t Touch This: Cloning Any Android HCE Contactless Card” by Slawomir Jasek. Cloning things has always been a dream for people. And they succeeded in 1996 with Dolly the sheep. Later, in 2001, scientists make “Copycat”. Today we have also services to clone pets (if you have a lot of money to spend). Even if cloning humans is unethical, it remains a dream. So, we not close also objects? Especially if it can help to get some money. Mobile contactless payment cards are a good target. It’s illegal but bad guys don’t care. Such devices implement a lot of countermeasures but are we sure that they can’t be bypassed? Slawomir explained briefly the HCE technology. So, what are the different ways to abuse a payment application? The first one is of course to stole the phone. We can steal the card data via NFC (but they are already restriction: the phone screen must be turned on). We can’t pay but for motivated people, it should be possible to rebuild the mag stripe. Mobile apps use tokenization. Random card numbers are generated to pay and are used only for such operations. The transaction is protected by encrypted data. So, the next step is to steal the key. Online? Using man-in-the-middle attacks? Not easy. The key is stored on the phone. The key is also encrypted. How to access it? By reversing the app but it has a huge cost. What if we copy data across devices? They must be the same (model, OS, IMEI). We can copy the app + data but it’s not easy for a mass scale attack. The xposed framework helps to clone the device but it requires root access. Root detection is implemented in many apps. Slawomir performed a life demo: He copied data between two mobile phones using shell scripts and was able to make a payment with the cloned device. Note that the payments were performed on the same network and with small amounts of money. Google and banks have strong fraud detection systems. What about the Google push messages used by the application? Cloned devices received both messages but not always (not reliable). Then Slawomir talked about CDCVM which is a verification method that asks the user to give a PIN code but where… on its own device! Some apps do not support it but there is an API and it is possible to patch the application and enable the support (setting it to “True”) via an API call. What about other applications? As usual, some are good while others are bad (ex: some don’t event implement root detection). To conclude, can we prevent cloning? Not completely but we can make the process more difficult. According to Slawomir, the key is also to improve the backend and strong fraud detection controls (ex: based on the behaviour of the user). [Slawomir’s slides are available here]

After the lunch time, my choice was to attend Long Liu’s and Linan Has’s (which was not present) talk. The abstract looked nice: exploitation of the Chakracore core engine. This is a Javascript engine developed by Microsoft for its Edge browser. Today the framework is open source. Why is it a nice target according to the speaker? The source code is freely available, Edge is a nice attack surface. Long explained the different bug they found in the code and they helped them to win a lot of hacking contests. The problem was the monotonous voice of the speaker which just invited to take a small nap. The presentation ended with a nice demo of a web page visited by Edge and popping up a notepad running with system privileges. [Long’s slides are available here]

After the break, I switched to the track four to attend two small talks. But the quality was there! The first one by Patrick Wardle: “Meet and Greet with the MacOS Malware Class of 2016“. The presentation was a cool overview of the malware that targeted the OSX operating system. Yes, OSX is also targeted by malware today! For each of them, he reviewed:

  • The infection mechanism
  • The persistence mechanism
  • The features
  • The disinfection process

The examples covered by Patrick were:

  • Keranger
  • Keydnap
  • FakeFileOpener
  • Mokes
  • Komplex

He also presented some nice tools which could increase the security of your OSX environment. [Patrick’s slides are available here]

The next talk was presented by George Chatzisofroniou and covered a new wireless attach technique called Lure10. Wireless automatic association is not new (the well-known KARMA attack). This technique exists for years but modern operating systems implemented controls against this attack. But MitM attacks remains interesting because most applications do not implement countermeasures. In Windows 10, open networks are not added to the PNL (“Preferred Networks List”).  Microsoft developed a Wi-Fi Sense feature. The Lure10 attack tries to abuse it by making the Windows Location Service think that it is somewhere else and then mimic a Wifi Sence approved local network. In this case, we have an automatic association. A really cool attack that will be implemented in the next release of the wifiphisher phisher framework.  [George’s slides are available here]

My next choice was to attend a talk about sandboxing: “Shadow-Box: The Practical and Omnipotent Sandbox” by Seunghun Han. In short, Shadow-box is a lightweight hypervisor-based kernel protector. A fact: Linux kernels are everywhere today (computers, IoT, cars, etc). The kernel suffers from vulnerabilities and the risk of rootkits is always present. The classic ring (ring 0) is not enough to protect against those threats. Basically, the rootkit changes the system calls table and divert them to it to perform malicious activities.The idea behind Shadow-box is to use the VT technology to help in mitigating those threats. This is called “Ring -1”. Previous researches were already performed but suffered from many issues (mainly performance). The new research insists on lightweight and practical usage. Seunghun explained in detail how it works and ended with a nice demo. He tried to start a rootkit into a Linux kernel that has the Shadow-box module loaded. Detection was immediate and the rootkit not installed. Interesting but is it usable on a day-to-day basis? According to Seunghun, it is. The performance impact on the system is acceptable. [Seughun’ slides are available here]

The last talk of the day focused on TrendMicro products: “I Got 99 Trends and a # is All of Them! How We Found Over 100 RCE Vulnerabilities in Trend Micro Software” by Roberto Suggi Liverani and Steven Seeley. They research started after the disclosure of vulnerabilities. They decided to find more. Why Trendmicro? Nothing against the company but it’s a renowned vendor, they have a bug bounty program and they want to secure their software. The approach followed was to compromise the products without user interaction. They started with low-handing fruits, focused on components like libraries, scripts. The also use the same approach as used in malware analysis: check the behaviour and communications with external services and other components. They reviewed the following products:

  • Smart Protection Server
  • Data Loss Prevention
  • Control Manager
  • Interscan Web Security
  • Threat Discovery Appliance
  • Mobile Security for Enterprise
  • Safesync for Enterprise

The total amount of vulnerabilities they found was so impressive, most of them led to remote code execution. And, for most of them, it was quite trivial. [Roberto’s & Steven’s slides are available here]

This is the end of day #1. Stay tuned for more tomorrow.


[The post HITB Amsterdam 2017 Day #1 Wrap-Up has been first published on /dev/random]

from Xavier