"Lessons in Building your own Awareness Community - At the EU #SecAwareSummit"

Editor's Note: Martine van de Merwe and Chris Karelse arespeakers for the upcomingSecurity Awareness Summit 6/7 December in London. Below they give an overview of their talk on Building Your Own Awareness Community. We all have that experience where it was better if we connected more and earlier with other security awareness professionals. It is … Continue reading Lessons in Building your own Awareness Community - At the EU #SecAwareSummit

from lspitzner

Splunk Custom Search Command: Searching for MISP IOC’s

While you use a tool every day, you get more and more knowledge about it but you also have plenty of ideas to improve it. I’m using Splunk on a daily basis within many customers’ environments as well as for personal purposes. When you have a big database of events, it becomes quickly mandatory to deploy techniques to help you to extract juicy information from this huge amount of data.  The classic way to do hunting is to submit IOC’s to Splunk (IP addresses, domains, hashes, etc) and to schedule searches or to search it in real time. A classic schema is:

Inputs are logs, OSINT sources or output from 3rd party tools. Outputs are enriched data. A good example is to use the MISP platform. Useful IOC’s are extracted at regular interval via the API and injected into Splunk for later searching and reporting.

# wget --header 'Authorization: xxxxx' \
       --no-check-certificate \
       -O /tmp/domain.txt \
       https://misp/attributes/text/download/domain/false/false/false/false/false/7d

This process has a limit: new IOC’s are not immediately available when exported on a daily basis (or every x hours). When we see new major threats like the Bad Rabbit last week, it is useful to have a way to search for the first IOCs released by security researchers. How to achieve this? You can run manually the export procedure by starting a connection on the Splunk server and executing commands (but people must have access to the console) or … use a custom search command! Splunk has a very nice language to perform queries but, do you know that you can expand it with your own commands? How?

A Splunk custom search command is just a small program written in a language that can be executed in the Splunk environment. My choice was to use Python. There is an SDK available. The principle is simple: input data are processed to generate new output data. The basis of any computer program.

I wrote a custom search command that interacts with MISP to get IOCs. Example:

The command syntax is:

|getmispioc [server=https://host:port] 
            [authkey=misp-authorization-key]
            [sslcheck=y|n]
            [eventid=id]
            [last=interval]
            [onlyids=y|n]
            [category=string]
            [type=string]

The only mandatory parameters are ‘eventid’ (to return IOCs from a specific event) or ‘last’ (to return IOCs from the last x (hours, days, week, or months). You can filter returned data by filtering on the ‘ids_only’ flag and/or a specific category or type. Example:

|getmispioc last=2d onlyids=y type=ip-dst

Now, you can integrate the command into more complex queries to search for IOCs across your logs. Here is an example with bind logs  to search for interesting domains:

source=/var/log/named/queries.log
[|getmispioc last=5d type=domain
 |rename value as query
 |fields query
]

The custom command is based on PyMISP. The script and installation details are available on my github account.

[The post Splunk Custom Search Command: Searching for MISP IOC’s has been first published on /dev/random]

from Xavier

[SANS ISC] Some Powershell Malicious Code

I published the following diary on isc.sans.org: “Some Powershell Malicious Code“.

Powershell is a great language that can interact at a low-level with Microsoft Windows. While hunting, I found a nice piece of Powershell code. After some deeper checks, it appeared that the code was not brand new but it remains interesting to learn how a malware infects (or not) a computer and tries to collect interesting data from the victim… [Read more]

[The post [SANS ISC] Some Powershell Malicious Code has been first published on /dev/random]

from Xavier

Learn from leading cybersecurity experts

More than 170K technology and business leaders from across the world depend on Microsofts Modern Workplace monthly webcast to shed new light on business challenges related to technology. Over the past four years, Modern Workplace has had the worlds leading experts share their advice on technology topics, such as security, including CISOs, Chief Privacy Officers, Cyber Intelligence Advisors, and Chief Digital Officers. Just in the past year, Modern Workplace security episodes included:

• Cyber Intelligence: The Human Element (covering Identity and Access Management)
• Cyber Intelligence: Help Prevent a Breach (covering Threat Protection)
• The Privacy Balance: Staying Secure and Ethical with Your Data (covering Information Protection)
• Data Defense: An Inside Look at Your Secure Cloud (covers Security Management)

These episodes include more than just security checklists and basicsthey go into depth around the decisions business leaders are faced with every day. In the episode on data privacy, Hillery Nye, Chief Privacy Officer at Glympse, explained how the startup company made a very conscious decision to not collect data that it could have easily gathered from its real-time location sharing app. The company collects customer data and uses it for very specific purposes, but it never stores or sells that data. The company may have given up some opportunities to monetize its customer data, but Nye feels that the company gains even more by being a responsible corporate citizen and establishing a reputation for privacy. She discussed how a companys brand is affected by its privacy policies, and how businesses can better align their privacy policies with business strategy for long term success.

The Modern Workplace series has been nominated for four regional Emmy awards because of its creative presentation of diverse perspectives and insights. To learn more about how technology can help drive your business, check out the Modern Workplace episodes on-demand today!

from Microsoft Secure Blog Staff

“TorWitness” Docker Container: Automated (Tor) Websites Screenshots

The idea of this Docker container came after reading the excellent Micah Hoffman’s blog post: Dark Web Report + TorGhost + EyeWitness == Goodness. Like Micah, I’m also receiving a daily file with new websites discovered on the (dark|deep) web (name it as you prefer). This service is provided by @huncky Twitter account. Once a day, you get an XLS sheet with newly discovered websites. Micah explained how to process automatically these URLs. He’s using TorGhost with EyeWitness (written by Chris Truncer). It worked very well but it requires the installation of many libraries (EyeWitness has a lot of software dependencies) and I hate polluting my system with libraries used by only a few tools. That’s why I using Docker to run everything in a container. Also, processing a new XLS files every way is really a pain! So let’s automate as much as possible. To process the XLS file, I wrote a small Python script xlsxtract.py (see my previous blog post):

# ./xlsxtract.py -w 'New Today' -c A -r 2- -s /tmp/HiddenServices.xlsx
marketos2sttgxde.onion
s4usinb4eu7exiqj.onion
jt3wzqga4wrprwrf.onion
anonstni3rufuvab.onion
torhnpnu2vv5xtrh.onion
torl7e6yohnjtrn3.onion
anggactr2fturxop.onion
ntqb6tpjsdl4kpu7.onion
gfdbbv5mmprt3dor.onion
22222owjmamxwgv4.onion
cbehcy6letx6vnao.onion
2reich6dcr3dclrx.onion
36663z4ei2552lu6.onion

I built a Docker container (‘TorWitness’)  that performs the following tasks:

• Setup TorGhost and connect to the Tor network
• Extract .onion URLs from XLS files
• Take screenshots of the URLs via EyeWitness

But, sometimes, it can be helpful to visit other websites (not only on the .onion) via the Tor network. That’s why you can pass your own list of URLs as an argument.

Here is an example of container execution:

$ cat $HOME/torwitness/urls.txt
https://blog.rootshell.be
https://isc.sans.edu
$ docker run \
     --rm \
     -it ÷
     -v $HOME/torwitness:/data \
     --cap-add=NET_ADMIN --cap-add=NET_RAW \
     torwitness \
     urls.txt
      _____           ____ _               _
     |_   _|__  _ __ / ___| |__   ___  ___| |_
       | |/ _ \| '__| |  _| '_ \ / _ \/ __| __|
       | | (_) | |  | |_| | | | | (_) \__ \ |_
       |_|\___/|_|   \____|_| |_|\___/|___/\__|
    v2.0 - SusmithHCK | www.khromozome.com
[done]
[12:19:18] Configuring DNS resolv.conf file.. [done]
 * Starting tor daemon...  [OK]
[12:19:18] Starting tor service..  [done]
[12:19:19] setting up iptables rules [done]
[12:19:19] Fetching current IP...
[12:19:19] CURRENT IP : 51.15.79.107
Using environment variables:
TIMEOUT=30
MAX_RETRIES=3
Found Onion URLs to process:
https://blog.rootshell.be
https://isc.sans.edu
################################################################################
#                                  EyeWitness                                  #
################################################################################
Starting Web Requests (2 Hosts)
Attempting to screenshot https://blog.rootshell.be
Attempting to screenshot https://isc.sans.edu
Finished in 22.2635469437 seconds
$ cd $HOME/torwitness
$ ls
results-20171025113745 urls.txt
$ cd results-20171025113745
$ firefox result.html

If you don’t pass a file to the Docker, it will parse XLSX files in the /data directory and extract .onion URLs. There are multiple cases where this container can be helpful:

• Browsing the dark web
• Performing reconnaissance phase
• Hunting
• Browsing attacker’s resources

To build the Docker, instructions and the Dockerfile are available on my GitHub repository.

[The post “TorWitness” Docker Container: Automated (Tor) Websites Screenshots has been first published on /dev/random]

from Xavier

Automatic Extraction of Data from Excel Sheet

Excel sheets are very common files in corporate environments. It’s definitively not a security tool but it’s not rare to find useful information stored in such files. When these data must be processed for threat hunting or to collect IOC’s, it is mandatory to automate, as much as possible, the processing of data. Here a good example: Everyday, I’m receiving  one email that contains a list of new URLs found on the dark web (Tor network). I’m processing them automatically with a script but it’s a painful task: open the Excel sheet, select the URLs, copy, create a text file, paste and the file to the next script. Being a lazy guy, what not automate this?

Luckily, Python has a nice module called openpyxl which is very helpful to read/write XLS[X|M] files. Reading the content of a file can be performed with only a few lines of Python but I decided to write a small tool that could extract specific zones of the sheet based on the arguments. I called the script xlsxtract.py. Its syntax is easy to understand:

# ./xlsxtract.py -h
Usage: xlsxtract.py [options] <file> ...

Options:
 --version show program's version number and exit
 -h, --help show this help message and exit
 -w WORKBOOK, --workbook=WORKBOOK
 Workbook to extract data from
 -c COLS,... --cols=COLS Read columns (Format: "A", "A-" or "A-B")
 -r ROWS,... --rows=ROWS Read rows (Format: "1", "1-" or "1-10")
 -m MAX, --max=MAX Process maximum rows
 -p, --prefix Display cell name
 -s, --stop Stop processing when empty cell is found

You can specify the cells to dump with the ‘–cols’ and ‘–rows’ parameters. Only one, a range or starting from (‘A’, ‘A-C’ or ‘A-‘) and (‘1’, ‘1-100’ or ‘1-‘). Multiple ranges can be separated by commas. A maximum of cells to reports can be specified (the default is 65535). You can also stop processing cells when a first empty one is found. If no ranges are specified, the script dumps all cells starting from A1 (be careful!).

Here is a simple shell with an inventory of servers:

 

 

To extract the list of IP addresses, we can use xlsxtract.py with the following syntax:

$ xlsxtr.py -r A -c 2-600 -s -w 'Sheet1' test.xlsx
10.0.0.1
10.0.0.2
10.0.0.3

Now, if the sheet is more complex and we have IP addresses spread in multiple cells:

 

 

We use xlsxtract.py like this:

$ xlsxtr.py -r A,F -c 3-600 -s -w 'Sheet1' test.xlsx
10.0.0.1
10.0.0.2
10.0.0.3
172.16.0.1
172.16.0.2
172.16.0.3

The script is available on my github repository: xlsxtract.py.

 

 

[The post Automatic Extraction of Data from Excel Sheet has been first published on /dev/random]

from Xavier

A 4-point action plan for proactive security

It can be difficult these days to make sense of all the potential ways you could step up your security. But with automated attacks moving faster and faster, many organizations are feeling a real need to change their approach and get more proactive about security.

Should you focus on endpoint detection and response (EDR)? Should you deploy multi-factor authentication (MFA) to control access to all your corporate resources? Or do you need to control your cloud apps and infrastructure more closely with a cloud access security broker (CASB)? Should your first step be deploying data loss prevention (DLP)?

If youre feeling a little confused about where to start, join us for our webinar: A 4-point action plan for proactive security. Well share how Microsoft approaches security and how you can cut through all the confusion to prioritize a few projects that will have real impact on your level of protection.

from Microsoft Secure Blog Staff

[SANS ISC] Stop relying on file extensions

I published the following diary on isc.sans.org: “Stop relying on file extensions“.

Yesterday, I found an interesting file in my spam trap. It was called ‘16509878451.XLAM’. To be honest, I was not aware of this extension and I found this on the web: “A file with the XLAM file extension is an Excel Macro-Enabled Add-In file that’s used to add new functions to Excel. Similar to other spreadsheet file formats, XLAM files contain cells that are divided into rows and columns that can contain text, formulas, charts, images and… macros!” Indeed, the file contained some VBA code… [Read more]

 

[The post [SANS ISC] Stop relying on file extensions has been first published on /dev/random]

from Xavier

"Three Commandments to Building a Mature Awareness Program"

I'm excited how more and more organizations understand that cyber security isno longer just about technology, but about people. To have an effective security program, you have to also effectively manage your human risk. And to manage your human risk, you need an effective awareness program. But it also amazes me how people over complicate … Continue reading Three Commandments to Building a Mature Awareness Program

from lspitzner

SSN for authentication is all wrong

Unless you were stranded on a deserted island or participating in a zen digital fast chances are youve heard plenty about the massive Equifax breach and the head-rolling fallout. In the flurry of headlines and advice about credit freezes an important part of the conversation was lost: if we didnt misuse our social security numbers, losing them wouldnt be a big deal. Let me explain: most people, and that mainly includes some pretty high-up identity experts that Ive met in my travels, dont understand the difference between identification and verification. In the real world, conflating those two points doesnt often have dire consequences. In the digital world, its a huge mistake that can lead to severe impacts.

Isnt it all just authentication you may ask? Well, yes, identification and verification are both parts of the authentication whole, but failure to understand the differences is where the mess comes in. However, one reason its so hard for many of us to separate identification and verification is that historically we havent had to. Think back to how humans authenticated to each other before the ability to travel long distances came into the picture. Our circle of acquaintances was pretty small and we knew each other by sight and sound. Just by looking at your neighbor, Bob, you could authenticate him. If you met a stranger, chances are someone else in the village knew the stranger and could vouch for her.

The ability to travel long distances changed the equation a bit. We developed documents that provided verification during the initiation phase, for example when you have to bring a birth certificate to the DMV to get your initial drivers license. And ongoing identification like a unique ID and a photo. These documents served as a single identification and verification mechanism. And that was great! Worked fine for years, until the digital age.

The digital age changed the model because rather than one person holding a single license with their photo on it, we had billions of people trying to authenticate to billions of systems with simple credentials like user name and password. And no friendly local villager to vouch for us.

Who are you? Prove it!

This is where the difference between the two really starts to matter. Identification answers the question: Who are you? Your name is an identifier. It could also be an alias, such as your unique employee ID number.

Do you want your name to be private? Imagine meeting another parent at your kids soccer game and refusing to tell them your name for security reasons. How about: Oh your new puppy is so adorable, whats her name? And you respond, If I told you, Id have to kill you. Or you try to find an address in a town with no street signs because the town is super security conscious. Ridiculous, right? Identifiers are public specifically so we can share them to help identify things.

We also want consistency in our identifiers. Imagine if that town had street signs, but changed the names of the streets every 24 hours for security reasons. And uniqueness, if every street had the same name, youd still have a heck of a time finding the right address wouldnt you?

Now that were clear on what the identifier is, we can enumerate a few aspects that make up a really good one:

• Public
• Unchanging
• Unique

In a town or public road, we have a level of trust that the street sign is correct because the local authorities have governance over road signs. Back in our village, we trust Bob is Bob because we can verify him ourselves. But in the digital world, things get pretty tricky how do you verify someone or something youve never met before? Ask them to- Prove It!

We use these two aspects of authentication almost daily when we log into systems with a user ID (identification) and password (verification). How we verify in the real world can be public, unchanging, and unique because its very hard to forge a whole person. Or to switch all the street signs in a town. But verification online is trickier. We need to be able toprovide verification of who we are to a number of entities, many of whom arent great at protecting data. And if the same verification is re-used across entities, and one loses it, attackers could gain access to every site where it was used. This is why experts strongly recommend using unique passwords for every website/app. This goes for those challenge questions too. Which can lead to some fun calls with customer service, Oh, the town where I was born? Its: xja*21njaJK)`jjAQ^. At this point in time our fathers middle name, first pets name, town where we were born, school we went to and address history should be assumed public, using them as secrets for verification doesnt make sense anymore.

If one site loses your digital verification info, no worries. You only used it for that site and can create new info for the next one. What if you couldnt change your password ever? It was permanent and also got lost during the Yahoo! breach? And it was the one you use at your bank, and for your college and car loans, and your health insurance? How would you feel?

So, with that in mind, youd probably agree that the best digital verifiers are:

• Private
• Easily changed
• Unique

Your turn

OK, now that you know the difference between identification and verification and the challenges of verification in a digital world, what do you think – Is your SSN a better identifier or verifier?

from Jenny Erie

Hacktivity 2017 Wrap-Up Day 2

Let’s go for more wrap-ups. The second day started smoothly with Haroon Meer’s keynote. There was only one track today, the second room being fully dedicated to hackerspaces. Harron is a renowned speaker and the title of his keynote was “Time to play ‘D’”. The intro was simple: Nothing new, no 0-day, he decided to start his keynote based on his previous talks, especially one from 2011: “Penetration testing considered harmful“. Things changed considerably from a hardware and software point of view but we are still facing the same security issues. Example: a today’s computer is based on multiple computers (think about the MacBook Pro and its touch bar which is based on the same hardware as the Apple watch). Generic security solutions fail and an AV can still be easily bypassed. He gave many good facts and advice. Instead of buying expensive appliances, use this money to hire skilled people. But usually, companies have a security issue and they fix it by deploying a solution that… introduces new issues. He insisted and gave examples of “Dirty Cheap Solutions”. With a few lines of Powershell, we can easily detect new accounts created in an Active Directory. Aaron gave another example with a service he created: canarytokens.org. You create files, URLs, DNS records that are linked an email address and, in case of breach or unexpected access, an alert is sent to you. Another one: regular people don’t use commands lines ‘uname’, ‘ifconfig’ or ‘whoami’. Create alerts to report when they are used!

The first regular talk was given by Tobias Schrödel: “Hacking drones and buying passwords in the Darknet“. What’s the relation between them? Nothing, Tobias just accepted to cover these two topics! The talk was very entertaining and Tobias is a very good speaker… The first part (drones) was made in a management style (with a tie) and the second one with a t-shirt, classic one. Why hacking drones? In Germany, like in many countries, the market for drones is growing quickly. Small models (more classified as “toys”) are using Wireless networks to be controlled and get the pictures from the camera. Those drones provide a SSID, DHCP and are managed via a web interface. So they can be compared to a flying router! There are different ways to take down a drone. The safest solution is to use eagles because they can drop out the drone out of the zone that must be secured. The attack he demonstrated was a simple de-auth attack. The second part of the talks focused on the black market. Not a lot of people already bought stuff on the Darknet (or they hide it) but they are nice webshops where you can buy passwords for many official shops like eBay, Zalando, Paypal, etc… But why a company should buy passwords on the Darkweb? A few years ago, Dropbox suffered from a mega leak with millions of passwords in the wild. That’s bad but even more when corporate email addresses are present in sensitive leaks like Ashley-Madison. In Germany, a big company found 10 email addresses in this leak. If employees are free in their private life, this could have a very huge impact in case of blackmailing: “Give us access to these internal documents or we make your wife/husband aware of your Ashley-Madison account. This is a way to protect its business.

Then, Adrian Vollmer presented “Attacking RDP with Seth – How to eavesdrop on poorly secured RDP connections“. Adrian explained in details how’s working the RDP protocols to authenticate users. In the past, he used Cain & Abel to attack RDP sessions but the tool is quite old and unmaintained (I’m still using it from time to time). So, he decided to write his own tool called Seth. It exploits a misconfiguration in many RDP services. RDP security is similar to SSL but not exactly the same. He explained how this can be abused do downgrade from Kerberos to RDP Security. In this case, a popup warning is displayed to the victim but it is always ignored.

After the morning coffee break, I expected a lot from this talk: “A heaven for Hackers: Breaking Log/SIEM Products” by Mehmet Ince. The talk was not based on ways to abuse a SIEM via the logs that it processed but based on the fact that a SIEM is an application integrating multiple components. The methodology he used was:

• Read the documentation
• Understand the features
• Get a trial version
• Break it to access console
• Define attack vector(s)
• Find a vulnerability

He reported three cases. The first one was AlienVault. They downloaded two versions (the latest one and the previous one) and make a big diff in the files. Based on this, three problems were found: object injection, authentication bypass and IP spooking through XFF. By putting the three together, they were able to get a SQL injection but RCE is always better. They successfully achieved this by created a rule on the application that triggered a command when an SSH denied connection was reported. Evil! The second case targeted ManagEngine. The product design was bad and password to connect to remote Windows systems were stored in a database. If was possible to get access to a console to perform SQL queries but the console obfuscated passwords. By renaming the field ‘password’ to ‘somethingelse’, passwords were displayed in clear text! (“SELECT password AS somethingelse FROM …”). In the third case, LogSign, it was more destructive: it was possible to get rid of the logs… so simple! This was a nice talk.

Then, Ben Seri & Gregory Vishnepolsky presented “BlueBorne Explained: Exploiting Android devices over the air“. This vulnerability was in the news recently and is quite important:

• 5.3B devices vulnerable in the wild
• 8 vulnerabilities,  4 critical
• Multiple OS: Android, Linux, Windows, IOS
• No user interaction or auth
• Enables RCE, MitM and info leaks

They reviewed the basic of the Bluetooth protocol and the different services (like SDP – “Service Discovery Protocol”). They gave a huge amount of details… The finished with a live demo by compromising an Android phone via the BNEP service (“BT Network Authentication Protocol). Difficult to follow for me but a huge research!

After a lunch break and interesting discussions, back to the main theatre for the last set of talks. There were two presentations that I found less interesting (IMHO). Anto Joseph presented “Bug hunting using symbolic virtual machines“. Symbolic execution + fuzzing a winning combination to find vulnerabilities. Symbolic execution is a way to analyse the behaviour of a program to determine what inputs cause each part of a program to execute. The tool used by Anto was klee. He made a lot of demos to explain how the tool is working. It looks to be a great tool but it was difficult to follow for my poor brain.

The next talk started late due to a video issue with the speaker’s laptop. Dmitry Yudin presented ” PeopleSoft: HACK THE Planet^W university“. By university, we mean here the PeopleSoft Campus Solutions which is used in more than 1000 universities worldwide. The main components are a browser, a web server, an application, a batch server and a database. Multiple vulnerabilities have been found in this suite, Dmitry explained the CVE-2017-10366. He explained all the step to jump from one service to another until a complete compromise of the suite.

After the last break, the day finished with two interesting presentations. Kirils Solovjovs presented “Tools for effortless reverse engineering of MikroTik routers“. Mikrotik routers are used worldwide and can be considered as a nice target. They are based on Linux, but RouterOS is based on an old kernel from 2012 and is closed source. So, we need a jailbreak! Kirils explained two techniques to jailbreak the router. He also found a nice backdoor which requires a specific file to be created on the file system. He explained many features of RouterOS and also some security issues like in the backup process. It is possible to create a file containing ‘../../../../’, so it was possible to create the file required by the back door. He released on the tools here.

To cloture the day and the conference, Gábor Szappanos talked about “Office Exploit Builders“. Why? Because Office documents remain the main vector of infection to drop malwares. It’s important to have “good” tools to generate malicious documents but who’s writing them?  Usually, VBA macros are used but, with a modern version of Office, macros are disabled by default. It’s better to use an exploit. Based on a study conducted two years ago, APT groups lack of knowledge to build malicious documents so they need tools! Gábor reviewed three tools:

• AKBuilder: Active since 2015, typically used by Nigerians scammers and cost ~$500
• Ancalog Exploit Builder: Peak of activity in 2016, also used by scammers. Price is ~$300 (retired)
• Microsoft Word Intruder: used by more “high” profile, it can drop more dangerous pieces of malware. Written in PHP for Windows, its price is ~$20000-$35000!

A nice presentation to close the day! So, this closes the two days of Hacktivity 2017, the first edition for me. Note that the presentations will be available on the website in the coming days!

[The post Hacktivity 2017 Wrap-Up Day 2 has been first published on /dev/random]

from Xavier

Hacktivity 2017 Wrap-Up Day 1

My wrap-up crazy week continues… I’m now in Budapest to attend Hacktivity for the first time. During the opening ceremony some figures were given about this event: 14th edition(!), 900 attendees from 23 different countries and 36 speakers. Here is a nice introduction video. The venue is nice with two tracks in parallel, workshops (called “Hello Workshops”), a hacker center, sponsor’ booths and… a wall-of-sheep! After so many years, you realize immediately that it is well organized and everything is under control.

As usual, the day started with a keynote. Costin Raiu from Kaspersky presented “Why some APT research is like palaeontology?” Daily, Kaspersky collects 500K malware samples and less than 50 are really interesting for his team. The idea to compare this job with palaeontology came from a picture of Nessie (the Lochness monster). We some something on the picture but are we sure that it’s a monster? Costin gave the example of Regin: They discovered the first sample in 1999, 1 in 2003 and 43 in 2007. Based in this, how to be certain that you found something interesting? Finding IOCs, C&Cs is like finding bones of a dinosaur. At the end, you have a complete skeleton and are able to publish your findings (the report). In the next part of the keynote, Costin gave examples of interesting cases they found with nice stories like the 0-day that was discovered thanks to the comment left by the developer in his code. The Costin’s advice is to learn Yara and to write good signatures to spot interesting stuff.

The first regular talk was presented by Zoltán Balázs: “How to hide your browser 0-days?‘. It was a mix of crypto and exploitation. The Zoltán’s research started after a discussion with a vendor that was sure to catch all kind of 0-day exploits against browsers. “Challenge accepted” for him. The problem with 0-day exploits is that they quickly become ex-0-day exploits when they are distributed by exploit kits. Why? Quickly, security researchers will find samples, analyze them and patches will be available soon. From an attacker point of view, this is very frustrating. You spend a lot of money and lose it quickly. The idea was to deliver the exploit using an encrypted channel between the browser and the dropper. The shellcode is encrypted, executed then download the malware (also via a safe channel is required). Zoltán explained how he implemented the encrypted channel using ECDH (that was the part of the talk about crypto). This is better than SSL because if you control the client, it is too easy to play MitM and inspect the traffic. It’s not possible with the replay attack that implemented Zoltán. The proof of concept has been released.

Then another Zoltán came on stage: Zoltán Wollner with a presentation called “Behind the Rabbit and beyond the USB“. He started with a scene of the show Mr Robot where they use a Rubber Ducky to get access to a computer. Indeed a classic USB stick might have hidden/evil features. The talk was in fact a presentation of the Bash Bunny tool from Hak5. This USB stick is … what you want! A keyboard, a flash drive, an Ethernet/serial adapter and more! He demonstrated some scenarios:

• QuickCreds: stealing credentials from a locked computer
• EternalBlue

This device is targeting low-hanging fruits but … just works! Note that it requires physical access to the target computer.

After the lunch coffee break, Mateusz Olejarka presented “REST API, pentester’s perspective“. Mateusz is a pentester and, by experience, he is facing more and more API when conducting penetration tests. The first time that an API was spotted in an attack was when @sehacure pwned a lot of Facebook accounts via the API and the password reset feature. On the regular website, he was rejected after a few attempts but the anti-bruteforce protection was not enabled on the beta Facebook site! Today RASK API are everywhere and most of the application and web tools have an API. An interesting number:  by 2018, 50% of B2B exchanges will be performed via web APIs. The principle of an API is simple: a web service that offers methods and process data in JSON (most of the time). Methods are GET/PUT/PATCH/DELETE/POST/… To test a REST API, we need some information: the endpoint, the documentation, get access to access key and sample calls. Mateusz explained how to find them. To find endpoints, we just try URI like “/api”, “/v1”, “/v1.1”, “/api/v1” or “/ping”, “/status”, “/health”, … Sometimes the documentation is available online or returned by the API itself. To find keys, two reliable sources are:

• Apps / mobile apps
• Github!

Also, fuzzing can be interesting to stress test the API. This one of my favourite talk, plenty of useful information if you are working in the pentesting area.

The next speaker was Leigh-Anne Galloway: “Money makes money: How to buy an ATM and what you can do with it“. She started with the history of ATMs. The first one was invented in 1967 (for Barclay’s in the UK). Today, there are 3.8M devices in the wild. The key players are Siemens Nixdorf, NSC and Fujitsu. She explained how difficult is was for her to just buy an ATM. Are you going through the official way or the “underground” way? After many issues, she finally was able to have an ATM delivered at her home. Cool but impossible to bring it in her apartment without causing damages. She decided to leave it on the parking and to perform the tests outside. In the second part, Leigh-Anne explained the different tests/attacks performed against the ATM: bruteforce, attack at OS level, at hardware and software level.

The event was split into two tracks, so I had to make choice. The afternoon started with Julien Thomas and “Limitations of Android permission system: packages, processes and user privacy“. He explained in details how are the access rights and permissions defined and enforced by Android. Amongst a deep review of the components, he also demonstrated an app that, once installed has no access, but, due to the process of revocation weaknesses, the app gets more access than initially.

Then Csaba Fitzl talked about malware and techniques used to protect themselves against security researchers and analysts: “How to convince a malware to avoid us?“. Malware authors are afraid of:

• Security researchers
• Sandboxes
• Virtual machines
• Hardened machines

Malware hates to be analysed and they sometimes avoid to infect certain targets (ex: they check the keyboard mapping to detect the country of the victim). Czaba reviewed several examples of known malware and how to detect if they are being monitored. The techniques are multiple and, as said Csaba, it could take weeks to review all of them. He also gave nice tips to harden your virtual machine/sandboxes to make them look really like a real computer used by humans. Then he gave some tips that he solved by writing small utilities to protect the victim. Example: mutex-grabber which monitors malwr.com and automatically creates the found Mutexes on the local OS. The tools reviewed on the presentation are available here. Also a great talk with plenty of useful tips.

After the last coffee break, Harman Singh presented “Active Directory Threats & Detection: Heartbeat that keeps you alive may also kill you!“. Active Directories remain a juicy target because they are implemented in almost all organizations worldwide! He reviewed all the components of an Active Directory then explained some techniques like enumeration of accounts, how to collect data, how to achieve privilege escalation and access to juicy data.

Finally, Ignat Korchagin closed the day with a presentation “Exploiting USB/IP in Linux“. When he asked who know or use USB/IP in the room, nobody raised hands. Nobody was aware of this technique, same for me! The principle is nice: USB/IP allows you to use a USB device connected on computer A from computer B. The USB traffic (URB – USB Request Blocks) are sent over TCP/IP. More information is available here. This looks nice! But… The main problem is that the application level protocol is implemented at kernel level! A packet is based on a header + payload. The kernel gets the size of data to process via the header. This one can be controlled by an attacker and we are facing a nice buffer overflow! This vulnerability is referenced as CVE-2016-3955. Ignat also found a nice name for his vulnerability: “UBOAT” for “(U)SB/IP (B)uffer (O)verflow (AT)tack“. He’s still like for a nice logo :). Hopefully, to be vulnerable, many requirements must be fulfilled:

• The kernel must be unpatched
• The victim must use USB/IP
• The victim must be a client
• The victim must import at least one device
• The victim must be root
• The attacker must own the server or play MitM.

Ignat completed his talk with a live demo that crashed the computer (DoS) but there is probably a way use the head application to get remote code execution.

Enough for today, stay tuned for the second day!

[The post Hacktivity 2017 Wrap-Up Day 1 has been first published on /dev/random]

from Xavier

Hack.lu 2017 Wrap-Up Day 3

Hack.lu is already over and I’m currently waiting for my connecting flight in Munich, that’s the perfect opportunity to write my wrap-up. This one is shorter because I had to leave early to catch my flight to Hacktivity and I missed some talks scheduled in the afternoon. Thank Lufthansa for rebooking my flight so early in the afternoon… Anyway, it started again early (8AM) and John Bambenek opened the day with a talk called “How I’ve Broken Every Threat Intel Platform I’ve Ever Had (And Settled on MISP)”. The title was well chosen because John is a big fan of OSINT. He collects a lot of data and provides them for free via feeds (available here). He started to extract useful information from malware samples because the main problem today is the flood of samples that are constantly discovered. But how to find relevant information? He explained some of the dataset he’s generating. The first one is DGA or “Domain Generation Algorithm“.  DNS is a key indicator and is used everywhere. Checking a domain name may also reveal interesting information via the Whois databases. Even if data are fake, they can be helpful to link different campaigns or malware families together and get more intelligence about the attacker. If you can reverse the algorithm, you can predict the upcoming domains, prepare yourself better and also start takedown operations. The second dataset was the malware configurations. Yes, a malware is configurable (example: kill-switch domains, Bitcoin wallets, C2, campaign ID’s, etc). Mutex can be useful to correlated malware from different campaigns like DGA. John is also working on a new dataset based on the tool Yalda. In the second part of his presentation, he explained why most solutions he tested to handle this amount of data failed (CIF, CRITS, ThreatConnect, STIX, TAXII). The problem with XML (and also an advantage at the same time): XML can be very verbose to describe events. Finally, he explained how he’s now using MISP. If you’re interested in OSINT, John is definitively a key person to follow and he is also a SANS ISC handler.

The next talk was “Automation Attacks at Scale” by Will Glazier & Mayank Dhiman. Databases of stolen credentials are a goldmine for bad guys. They are available everywhere on the Internet. Ex: Just by crawling Pastebin, it is possible to collect ~20K passwords per day (note: but most of them are duplicates). It is tempting to test them but this requires a lot of resources. A valid password has a value on the black market but to test them, attackers must spend some bucks to buy resources when not available for free or can’t be abused). Will and Mayank explained how they are working to make some profit. They need tools to test credentials and collect information (Ex: Sentra, MBA, Hydra, PhantomJS, Curl, Wget, …). They need fresh meat (credentials), IP addresses (to make the rotation and avoid blacklists) and of course CPU resources. About IP rotation, they use often big cloud service providers (Amazon, Azure) because those big players on the Internet will almost never be blacklisted. They can also use compromised servers or IoT botnets. In the second part of the talk, some pieces of advice were provided to help to detect them (ex: most of them can be fingerprinted just via the User-Agent they use). A good advice is also to keep an idea on your API logs to see if some malicious activity is ongoing (bruteforce attacks).

Then we switched to pure hardware session with Obiwan666 who presented “Front door Nightmares. When smart is not secure“. The research started from a broken lock he found. The talk did not cover the “connected” locks that can manage with a smartphone but real security locks found in many enterprises and restricted environments. Such locks are useful because the key management is easier. No need to replace the lock if a key is lost, the access-rights must just be adapted on the lock. It is also possible to play with time constraints. They offer multiple ways to interact via the user: with something you have (a RFID token), something you are (biometrics) or something you know (a PIN code). Obiwan666 explained in details how such locks are built and, thanks to his job and background in electronics, he has access to plenty of nice devices to analyze the target. He showed X-ray pictures of the lock. X-Ray scanner isn’t very common! Then he explained different scenarios of attack. The first one was trivial: sometimes, the lock is mounted in the wrong way and the inner part is outside (“in the wild”). The second attack was a signal replay. Locks use a serial protocol that can be sniffed and replayed – no protection). I liked the “brain implant” attack: you just buy a new lock (same model), you program it to grant your access and replace the electronic part of the victim with yours…Of course, traditional lock-picking can be tested. Also, a thermal camera can reveal the PIN code if the local has a pinpad. I know some organizations which could be very interested to test their locks against all these attacks!

After an expected coffee break, another awesome research was presented by Aaron Kaplan and Éireann Leverett: “What is the max Reflected Distributed Denial of Service (rDDoS) potential of IPv4?“. DDoS attacks based on UDP amplification are not new but remain quite effective. The four protocols in the scope of the research were: DNS, NTP, SSDP and SNMP. But in theory, what could be the effect of a massive DDoS over the IPv4 network? They started the talk with one simple number:

108.49Tb/s

The idea was to scan the Internet for vulnerable services and to classify them. Based on the location of the server, they were able to estimate the bandwidth available (ex: per countries) and to calculate the total amount of bandwidth that could be wasted by a massive attack. They showed nice statistics and findings. One of them was a relation between the bandwidth increase and the risk to affects other people on the Internet.

Then, the first half-day ended with the third keynote. This one was presented by Vladimir Kropotov, Fyodor Yarochkin: “Information Flows and Leaks in Social Media“. Social media are used everywhere today… for the good or the bad. They demonstrated how social network can react in case of a major event in the world (nothing related to computers). Some examples:

• Trump and his awesome “Covfefe”
• Macron and the French elections
• The Manchester bombing
• The fight of Barcelona for its independence

They mainly focused on the Twitter social network. They have tools to analyze the traffic and relations between people and the usage of specific hashtags. In the beginning of the keynote, many slides had content in Russian, no easy to read but the second part was interesting with the tracking of bots and how to detect them.

After the lunch break, there was again a lightning talk session then Eleanor Saitta came to present “On Strategy“. I did not follow them. The last talk I attended was a cool one: “Digital Vengeance: Exploiting Notorious C&C Toolkits” by Waylon Grange. The idea of the research was to try to compromize the attackers by applying the principle of offensive security. Big disclosure here: hacking back is often illegal and does not provide any gain but risks of liability, reputation… Waylon focused on RAT (“Remote Access Tools”) like Poison Ivy, Dark Comet or Xtreme RAT. Some of them already have known vulnerabilities. He demonstrated his finding and how he was able to compromise the computer of remote attackers. But what do when you are “in”? Search for interesting IP addresses (via netstat), browser the filesystem, install persistence, a keylogger or steal credentials, pivot, etc.

Sorry for the last presentation that I was unable to follow and report here. I had to leave for Hacktivity in Budapest. I’ll also miss the first edition of BSidesLuxembourg, any volunteer to write a wrap-up for me?  So to recap this edition of Hack.lu:

• Plenty of new stickers
• New t-shirts and nice MISP sweat-shirt
• Lot of coffee (and other types of drinks)
• Nice restaurants
• Excellent schedule
• Lot of new friends (and old/classic ones)
• My Twitter timeline exploded

You can still expect more wrap-ups tomorrow but for another conference!

[The post Hack.lu 2017 Wrap-Up Day 3 has been first published on /dev/random]

from Xavier

Hack.lu 2017 Wrap-Up Day 2

As said yesterday, the second day started very (too?) early… The winner of the first slot was Aaron Zauner who talked about pseudo-random numbers generators. The complete title of the talk was “Because ‘User Random’ isn’t everything: a deep dive into CSPRGNs in Operating Systems & Programming Languages”. He started with an overview of random numbers generators and why we need them. They are used almost everywhere even in the Bash shell where you can use ${RANDOM}.  CSPRNG is also known as RNG or “Random Number Generator”. It is implemented at operating system level via /dev/urandom on Linux on RtlGenRandom() on Windows but also in programming languages. And sometimes, with security issues like CVE-2017-11671 (GCC fails to generate incorrect code for RDRAND/RDSEED. /dev/random & /dev/urandom devices are using really old code! (fro mid-90’s). According to Aaron, it was a pure luck if no major incident arises in the last years. And today? Aaron explained what changed with the kernel 4.2. Then he switched to the different language and how they are implementing random numbers generators. He covered Ruby, Node.js and Erlang. All of them did not implement proper random number generators but he also explained what changed to improve this feature. I was a little bit afraid of the talk at 8AM but it was nice and easy to understand for a crypto talk.

The next talk was “Keynterceptor: Press any key to continue” by Niels van Dijkhuizen. Attacks via HID USB devices are not new. Niels reviewed a timeline with all the well-known attacks from 2005 with the KeyHost USB logger until 207 with the BashBunny. The main problems with those attacks: they need an unlocked computer, some social engineer skills and an Internet connection (most of the time). They are products to protect against these attacks. Basically, they act as a USB firewall: USBProxy, USBGuest, GoodDog, DuckHunt, etc. Those products are Windows tools, for Linux, have a look at GRSecurity. Then Niels explains how own solution which gets rid of all the previous constraints: his implants is inline between the keyboard and the host. It must also have notions of real)time. The rogue device clones itself as a classic HID device (“HP Elite USB Keyboard”) and also adds random delays to fake a real human typing on a keyboard. This allows bypassing the DuckHunt tool. Niels makes a demonstration of his tool. It comes with another device called the “Companion” which has a 3G/4G module that connects to the Keynterceptor via a 433Mhz connection. A nice demo was broadcasted and his devices were available during the coffee break. This is a very nice tool for red teams…

Then, Clement Rouault, Thomas Imbert presented a view into ALPC-RPC.The idea of the talk: how to abuse the UAC feature in Microsoft Windows.They were curious about this feature. How to trigger the UAC manually? Via RPC! A very nice tool to investigate RPC interface is RpcView. Then, they switched to ALPC: what is it and how does ir work. It is a client/server solution. Clients connect to a port and exchange messages that have two parts: the PORT_MESSAGE header and APLC_MESSAGE_ATTRIBUTES. They explained in details how they reverse-engineering the messages and, of course, they discovered vulnerabilities. They were able to build a full RPC client in Python and, with the help of fuzzing techniques, they found bugs: NULL dereference, out-of-bounds access, logic bugs, etc. Based on their research, one CVE was created: CVE-2017-11783.

After the coffee break, a very special talk was scheduled: “The untold stories of Hackers in Detention”. Two hackers came on stage to tell how they were arrested and put in jail. It was a very interesting talk. They explained their personal stories how they were arrested, how it happened (interviews, etc). Also gave some advice: How to behave in jail, what to do and not do, the administrative tasks, etc. This was not recorded and, to respect them, no further details will be provided.

The second keynote was assigned to Ange Albertini: “Infosec and failure”. Ange’s presentation are always a good surprise. You never know how he will design his slides.As he said, his talk is not about “funny” failures. Infosec is typically about winning. The keynote was a suite of facts that prove us that we usually fail to provide good infosec services and pieces of advice, also in the way we communicate to other people. Ange likes retro-gaming and made several comparisons between the gaming and infosec industries. According to him, we should have some retropwning events to play and learn from old exploits. According to Ange, an Infosec crash is coming like the video game industry in 1983 and a new cycle is coming. If was a great keynote with plenty of real facts that we should take care of! Lean, improve, share, don’t be shy, be proactive.

After the lunch, I skipped the second session of lightning talks and got back for “Sigma – Generic Signatures for Log Events” by Thomas Patzke. Let’s talk with logs… When the talk started, my first feeling was “What? Another talk about logs?” but, in fact, it was interesting. The idea behind Sigma is that everybody is looking for a nice way to detect threats but all solutions have different features and syntax. Some example of threats are:

• Authentication and accounts (large amount of failed logins, lateral movement, etc.)
• Process execution (exec from an unusual location, unknown process relationship, evil hashes, etc…
• Windows events

The problem we are facing: there is a lack of standardised format. Here comes Sigma. The goal of this tool is to write use case in YAML files that contain all the details to detect a security issue. Thomas gave some examples like detecting Mimikatz or webshells.

Sigma comes with a generator tool that can generate queries for multiple tools: Splunk, Elasticsearch or Logpoint. This is more complex than expected because field names are different, there are inconsistent file names, etc. In my opinion, Sigma could be useful to write use cases in total independence of any SIEM solution. It is still an ongoing project and, good news, recent versions of ISP can integrate Sigma. A field has been added and a tool exists to generate Sigma rules from MISP data.

The next talk was “SMT Solvers in the IT Security – deobfuscating binary code with logic” by Thaís Moreira Hamasaki. She started with an introduction to CLP or “Constraint Logic Programming”. Applications in infosec can be useful like malware de-obfuscation. Thais explained how to perform malware analysis using CLP. I did not follow more about this talk that was too theoretical for me.

Then, we came back to more practical stuff with Omar Eissa who presented “Network Automation is not your Safe Haven: Protocol Analysis and Vulnerabilities of Autonomic Network”. Omar is working for ERNW and they always provide good content. This time they tested the protocol used by Cisco to provision new routers. The goal is to make a router ready for use in a few minutes without any configuration: the Cisco Autonomic network. It’s a proprietary protocol developed by Cisco. Omar explained how this protocol is working and then how to abuse it. They found several vulnerabilities

• CVE-2017-6664: There is no way to protect against malicious nodes within the network
• CVE-2017-6665 : Possible to reset of the secure channel
• CVE-2017-3849: registrar crash
• CVE-2017-3850: DeathKiss – crash with 1 IPv6 packet

The talk had many demos that demonstrated the vulnerabilities above. A very nice talk.

The next speaker was Frank Denis who presented “API design for cryptography”. The idea of the talk started with a simple Google query: “How to encrypt stuff in C”. Frank found plenty of awful replies with many examples that you should never use. Crypto is hard to design but also hard to use. He reviewed several issues in the current crypto libraries then presented libhydrogen which is a library developed to solve all the issues introduced by the other libraries. Crypto is not easy to use and developer don’t read the documentation, they just expect some pieces of code that they can copy/paste. The library presented by Frank is called libhyrogen. You can find the source code here.

Then, Okhin came on stage to give an overview of the encryption VS the law in France. The title of his talk was “WTFRance”. He explained the status of the French law against encryption and tools. Basically, many political people would like to get rid of encryption to better fight crime. It was interesting to learn that France leads the fight against crypto and then push ideas at EU level. Note that he also mentioned several politician names that are “against” encryption.

The next talk was my preferred for this second day: “In Soviet Russia, Vulnerability Finds You” presented by Inbar Raz. Inbar is a regular speaker at hack.lu and proposes always entertaining presentations! This time he came with several examples of interesting he found “by mistake”. Indeed, sometimes, you find interesting stuff by accident. Inbar game several examples like an issue on a taxi reservation website, the security of an airport in Poland or fighting against bots via the Tinder application. For each example, a status was given. It’s sad to see that some of them were unresolved for a while! An excellent talk, I like it!

The last slot was assigned to Jelena Milosevic. Jelena is a nurse but she has also a passion for infosec. Based on her job, she learns interesting stuff from healthcare environments. Her talk was a compilation of mistakes, facts and advice for hospitals and health-related services. We all know that those environments are usually very badly protected. It was, once again, proven by Jelena.

The day ended with the social event and the classic Powerpoint karaoke. Tomorrow, it will start again at 08AM with a very interesting talk…

[The post Hack.lu 2017 Wrap-Up Day 2 has been first published on /dev/random]

from Xavier

Event recap: Security at Microsoft Ignite

Microsoft Ignite recently gathered 24,000+ attendees from around the world in Orlando, FL. CEO Satya Nadella kicked off an exciting week with his Vision Keynote by articulating how we enable digital transformation, specifically through empowering employees, engaging customers, optimizing operations, and finally through transforming products.

Commitment to security, privacy, and transparency

At the event, Microsoft reaffirmed its commitment to security, privacy, and transparency to its customers and partners through all the four main solution areas: Modern Workplace, Business Applications, Applications & Infrastructure, and Data & Artificial Intelligence. Julia White explained Microsofts approach to security during her session, Microsoft 365: Step up your protection with intelligent security.

Learnings from our customers and partners

During the event, the Microsoft team had the privilege to engage in 410,000 unique interactions within the Expo. In addition, 8,000+ labs were consumed, 54 sessions, two general sessions, 40 breakout sessions across CE, Windows and Office 365 tracks and 12 theater sessions. Our top three security takeaways were:

1. Build awareness of Microsofts commitment to security and privacy
2. Early and frequent product updates communications
3. Transparency from Microsoft equates to trust from customers

Key security related sessions to check out

Key security sessions we recommend you check out are based entirely upon feedback from our customers and partners who attended the sessions. Please take a moment to watch them and learn about new ways you can improve the security posture of your organization.

• Shut the door to cybercrime with Azure Active Directory risk-based identity protection
• Productivity and protection for your employees, partners, and customers with Azure Active Directory
• Deep-dive: Azure Active Directory Authentication and Single-Sign-On
• Azure Active Directory best practices from around the world
• Learn how to use Microsoft Intune with the new admin console and Microsoft Graph API
• Accelerate Azure information protection deployment and adoption
• Learn about Microsoft Advanced Threat Analytics Futures
• Saying goodbye to passwords
• How to get Office 365 to the next level with Azure Active Directory Premium
• Whats new and upcoming in AD FS to securely sign-in your users to Office 365 and other applications

On demand access to content

All breakout sessions and general sessions were recorded for on demand viewing. These recordings are now available at Microsoft Ignite on demand sessions. Please continue to share this link with your customers and partners. Labs will be available for 6 months through MyIgnite.

Conclusion

Microsoft Ignite was a fantastic week for all who attended. We not only shared product visions, but also, we listened and learned from engagements with customers and partners. With continued advances in our security offerings and development in better ways for partners to build a more modern, collaborative and secure work environment, it will be an exciting year for Security.

from Microsoft Secure Blog Staff

Hack.lu 2017 Wrap-Up Day 1

Hack.lu is ongoing in Luxembourg, already the thirteen edition! I arrived yesterday to attend a pre-conference event: the MISP summit. Today the regular talks were scheduled. It seems that more attendees joined this edition. The number of talks scheduled is impressive this year: 11 talks today and 12 talks on Wednesday and Thursday… Here is my wrap-up of the first day!

The first talk was not technical but very informative: “Myths and realities of attribution manipulation” presented by Félix Aimé & Ronan Mouchoux from Kaspersky. Many companies put more and more efforts in infowar instead of simple malware research. This affects many topics: cyber espionage, mass opinion manipulation or sabotage. The key is to perform attribution by putting a name on a cyber attack. You can see it as putting a tag on an attack. Note that sometimes, attribution suffers from a lack of naming convention like in the AV industry. Not easy to recognise the different actors. To perform this huge task, a lot of time and skills are required. They are many indicators available but many of them can be manipulated (ex: the country of origin, the C2, …). After a definition of attribution and the associated risks, Félix & Ronan reviewed some interesting examples:

• The case of Turkey.TR domains that were DDoS after the Russian planes crashed
• The case of Belgium accused to have done an airstrike against the locality of Hassadjek. A few days later, some Belgian media websites were DDoS’d.

As a conclusion to the talk, I like the quote: “You said fileless malware? APT actors try now to be less actor”.

The second slot was assigned to Sébastien (blotus) Blot, Thibault (buixor) Koechlin, Julien (jvoisin) Voisin who presented their solution to improve the security of PHP websites: Snuffleupagus (don’t ask me to pronounce it ;-). The complete title was: “Snuffleupagus – Killing bugclasses in PHP 7, virtual-patching the rest”. The speakers are working for a company provided hosting services and many of their customers are using PHP websites. Besides the classic security controls (OS-level hardening, custom IDS, WAF, …) they searched for a tool to improve the security of PHP. Suhosin is a nice solution but it does not support PHP7. So they decided to write their own tool: Snuffleupagus. They reviewed how to protect PHP with very nice features like the disable_function() feature. Some examples:

sp.disable_function.function(“system”).filename(“foo.php”).allow();
sp.disable_function.function(“system”).filename(“foo.php”).hash(“xxxx”).allow();

You can also restrict parameters passed to functions:

… param(“command”).value_r(“[$|…”).drop();

Then, the speakers demonstrated real vulnerabilities in a well-known tool written in PHP and how their solution could mitigate the vulnerabilities. This is a really nice project still in development but already used by many websites from the Alexa top-ranking list! The project is available here.

After a coffee break, Bouke van Leathem presented his project: “Randori”. In Japanse, Randori is a form of practice in which a designated aikidoka defends against multiple attackers in quick succession. To make it short, it’s the principle of action-reaction: You scan me, I scan you. Randori is a low interaction honeypot with a vengeance as defined by Bouke. The main idea is to reuse the credentials tested by the attackers against themselves. Bouke explained how it developed his honeypot, mainly the pam_randori PAM module. Collected credentials are re-used, no more no less, no code is executed on the remote system. Based on the collected information, Bouke explained in the second part of his talk, how he generated useful statistics to build botnet maps. One of the tools he used for this purpose is ssdeep. Note that the tool can be used in different ways: from an incident responder or ethical hacker perspectives. This project is very interesting and is also available here.

Before the lunch break, we had a keynote. The slot was assigned to Sarah Jamie Lewis and had the title: “Queer Privacy & Building Consensual Systems”. She started with a nice definition of privacy: “Privacy is the right to share information about you… only with people you trust”. Sarah wrote a book (with the same name as her keynote) and used it to illustrate her keynote. She read samples stories about Kath, Ada, Morgan. All those people had privacy issues and have to protect themselves. During the keynote, Sarah looked really affected by those stories but was it the right place to read some samples? I’m not sure. It looks to be a book that you have to read at home, relaxed and not at a security conference (just my $0.02). About privacy, as usual, the facts reviewed during the keynote were the same: our privacy is always threatened and there is a clear lack of solution.

After the lunch, a first lightning talk session was organized followed by Raúl B. Netto’s presentation: “ManaTI: Web Assistance for the Threat Analyst, supported by Domain Similarity”. ManaTI is a project to use machine learning techniques to assist an intuitive threat analyst to help in the discovery of security issues. I missed this talk because I was out with friends.

Then Paul Rascagnères, a regular speaker at hack.lu, came to present tools and techniques to help in debugging malware code written in .Net. This framework is the key component of many Microsoft tools like Powershell. With a nice integration with the operating system, it is also used by bad guys to produce malicious code. Paul started by explained some .Net techniques used by malware (like Assembly.load()). The next part of the talk focused on PYKD, a Python extension for the WinDBG debugger. In a demo, Paul demonstrated how easy it is to use PYKD to debug malicious code.

The next talk was my preferred for this first day: “Device sensors meet the web – a story of sadness and regret” by Lukasz Olejnik. The idea behind this talk was to demonstrate how our privacy can be affected by connected devices or, simply, our browsers. All devices today handle plenty of personal data but web technologies were not designed with privacy in mind. With the modern web, a browser on your smartphone can take advantage of many sensors or connectivity (USB, NFC or Bluetooth). Modern devices have an API that can be queried by web browsers. The first example that Lukasz gave was the batteries. The power level can be queried from a browser. That’s a nice feature indeed but what about privacy issues? Firebox, by abusing the high precision readout can get useful information about the user behaviour. There are also evil scenarios: Just imagine that somebody is looking for a taxi and his /her battery is almost dead. The idea is to go back asap to home. If the taxi reservation page proposes 2 prices: 10€ for a 10 minutes drive and 5€ for a 30 minutes drive, guess which one will be chosen by the customer? Another example, even crazier, was the (ab)use of the light sensor in mobile phones. Lucasz demonstrated how it is possible to steal the browser history via the light sensor: The display emits light that reflects on objects and can be read/decoded. Scary! And other examples are multiple: tracking, behaviour, fingerprinting, etc… How to mitigate this? Not easy, ask permission to the user to access the data, disable the API, purge it from dangerous calls? Finally, Lucasz gave the last example with web payments (in one click) that also have security issues. This was a very nice talk with plenty of examples that should really open our eyes!

After the afternoon coffee break, Maxime Clementz and Antoine Goichot came on stage to present: “Malicious use of Microsoft Local Administrator Password Solution”. The local admin problem is not new with Microsoft operating systems. This account must be present and, within old environments, the password was often the same across all devices in the domain. This makes lateral movement so easy! To solve this issues, Microsoft implemented LAPS or “Local Administrator Password Solution”. How does it work? Random passwords are generated for the local admin. The goal of the talk was to explain how to perform privilege escalation within an environment that has LAPS deployed. In fact, this tools is not new. It was an open source project that was integrated into Microsoft Windows, a client-side extension (CSE). It’s just a DLL called AdmPwd.dll. First observation: the DLL is not signed and does not implement integrity checks. The idea of the PoC was to create a rogue DLL that ignores the temporary password expiration data and write generated passwords in a simple text file. It worked very well. Their recommendation to mitigate this kind of attack: validate the integrity/signature of the DLL.

The next presentation was about cars: “The Bicho: An Advanced Car Backdoor Maker” by Sheila Ayelen Berta. If we see more and more talks about connected cars, this time, it focused on “regular” cars that just have a CAN bus. Sheila explained the tools and hardware that helps to inject commands on a CAN bus. To achieve this, she used a platform called CANspy to sniff messages on a CAN bus. Then, via another tool called “Car Backdoor Maker 1.0”, she was able to generate CAN bus message. Basically, it’s a replay attack. A website has been created to list all CAB messages discovered: opencandb.online. The payload is injected using a microcontroller connected to the CAN bus. It also has GPS capabilities that allow sending the CAN bus message depending on the cat localisation! The payload generator is available here.

Then, we came back to the issues regarding sharing information. Becky Kazansky presented: “Countering Security Threats by Sharing Information: Emerging Civil Society Practices”. I skipped this talk.

Finally, the first day finished with Parth Suhkla who presented “Intel AMT: Using & Abusing the Ghost in the Machine”. The presentation started with an overview of the AMT technology. It means “Active Management Technology” and is an out-of-band, management platform, embedded into Intel chipsets. The goal is to offer remote management capabilities without any OS. You can imagine that this feature looks juicy to attackers! Parth reviewed the core features of AMT and how it works. One important step is the provisioning options (can be performed via a local agent, remotely, via USB or the BIOS). There was already vulnerabilities discovered in AMT like the INTEL-SA-00075 that covered a privilege escalation issue. AMT was also used by the PLATINIUM attacker group who used the Serial Over LAN as a back channel. In the second part, Parth explained his research: how to abuse AMT? The requirements of the attack were:

• Control the AMT
• Implement persistence
• Be stealthy

He reviewed all the possible scenarios with a rating (complex, easy, …). For each attack, if also explained how to mitigate and detect such attacks. Some interesting ideas:

• Detect usual AMT ports in the network traffic
• Query the ME interface for AMT status (easy on Windows, no tool for Linux)
• Verify the book chain
• Encrypt disk drives with the TPM chipset
• Protect your BIOS (you already did it right?)

The last part covered the forensics investigations related to AMT. Again, an interesting talk.

That’s all for today! Note that talks have been recorded and are already available on Youtube! After our classic “Belgian dinner”, it’s time to take some hours of sleep, tomorrow 12 talks are scheduled! Stay tuned for more wrap-ups!

[The post Hack.lu 2017 Wrap-Up Day 1 has been first published on /dev/random]

from Xavier

Cybersecurity in a modern age

By 2021, worldwide cybercrime damage is expected to reach $6 trilliondouble what it cost businesses in 2015. As digital transformation sweeps the globe, the imminent threat of cybercrime grows alongside it. As a result, new techniques in cybersecurity must be developed at a growing rate to keep pace.

Digital-first is the new business frontier, and if we want to keep this landscape a safe space to store and share information, we must be able to quickly identify opportunities to bolster security and adapt to evolving threats. Microsofts cloud technology offers organizations the tools to advance security, enhance government compliance, improve security education, and enable industry collaboration to shut down new threats. Microsoft is creating a new path toward digital transformation in a secure space.

Through cloud technologies, IT professionals now have advanced tools at their fingertips that provide real-time visibility into cybersecurity and the ability to proactively thwart threats before they become an issue. As more organizations move to the cloud, management of security risks can occur in real time. This real-time action on cyber threats helps create cost efficiency, and allows for frequent and seamless updates without reconfiguration, giving IT leaders the upper hand in staying compliant with regulatory guidelines.

With cloud-based technology come real solutions in data loss prevention. IT professionals are using the cloud to secure employee data in new and highly effective ways. Through improved cloud encryption capabilities, organizations can better help protect sensitive information in motion and at rest. Even if cybercriminals are able to breach your network and bypass the first lines of cyber defense, encryption helps keep organizational data from falling into unauthorized hands. Additionally, advanced measures like multi-factor authentication (MFA) and Single Sign-On (SSO) provide additional layers of security by ensuring only those with the proper credentials are able to gain access to information and company platforms. These solutions and innovations in tech security are just the beginning.

With the advent of new technology and the digitization of how IT experts and professionals communicate, a quicker dissemination of knowledge can occur in a collaborative space. Experts can share and explore new ideas and concepts to quickly improve upon cloud technology and how to best address security concerns. By partnering up, industries are able to break new ground on how to secure information, share information, and revolutionize the way government, private enterprise, education systems, and average people navigate a digitally transforming world.

Ready to discover how Microsoft technology is transforming security for a digital-first, cloud-first world, and participate in interactive sessions led by subject matter experts? Microsoft is hosting a series of Security Forums in cities across the United States to demonstrate how organizations can use the latest technology to update and improve their cybersecurity efforts. We invite you to join your fellow IT professionals alongside Microsoft experts to discuss new ways to address evolving cyber threats. Find out how your business can use the power of the cloud to boost security, and get a firsthand look at what Microsoft has to offer.

For more information, including locations near you and a full event calendar, visit the Microsoft Security Forum events page. Dont delay, as seats are limited. Register now to save your spot!

from Microsoft Secure Blog Staff

Microsoft and Progeny Systems enhance security for mobile applications across U.S. Government

In our mobile-first, cloud-first world, security is paramount for organizations of any size. It is especially critical to applications used across the U.S. Government, which is why we are working with the Department of Homeland Security (DHS) Science and Technology Directorate and Progeny Systems to enhance mobile application security.

In support of the broader federal initiative to enable access to quality digital government information and services anywhere, anytime, on any device, Progeny will build a mobile application development security framework for iOS, Android and Windows apps that will be used across several US Government agencies, both for public facing and internal enterprise use cases. This framework will broadly enable developers across the United States Government to focus on building mobile apps that provide business value, with the confidence that security is built in.

The cross-platform, native approach using Visual Studio, the open-source .NET framework, and Xamarin platform will enable developers to build higher quality apps that are fully compliant with the National Information Assurance Partnership (NIAP) mobile app vetting standards, the National Institutes of Standards and Technology (NIST) 800-163 guidance and the Department of Homeland Securitys Mobile Application Playbook. Utilizing Microsofts leading mobile application development tools, the framework will support mobile apps built to run on-premise and on any cloud platform, including government-only clouds such as Azure Government, which meet critical government regulatory compliance requirements.

Id like to congratulate the Department of Homeland Security Science and Technology Directorate for their commitment to addressing the mandates of both security and mobility for their stakeholders, said Greg Myers, Microsoft Vice President of Federal. We look forward to partnering with DHS and ultimately, by bringing mobile, secure, and compliant technology solutions helping them fulfil their critical mission.

Microsofts latest award from the DHS comes on the heels of several related public sector certifications and big data and analytics enhancements to our leading mobile apps and security. It also builds on our current work with the Department of Veterans Affairs and Applied Research Associates, whose Instant Notification System enables the U.S. governments Combating Terrorism and Threat Support Offices Tactical Support Working Group (TSWG) to quickly and effectively notify team members about suspicious packages or events over commercially available networks.

You can read more about our mobile application security work with the Department of Homeland Security (DHS) Science and Technology Directorate and Progeny Systems in their news release. For details on Microsofts leadership in mobile application development, visit Gartners Magic Quadrant report.

from Microsoft Secure Blog Staff

"KRACK Attack - What to Communicate"

Editor's Note: This blog is a work in progress and will be actively updated as new information is released. It was just announced this morning (Monday, 16 October, 2017) that the globally used WPA2 Wi-Fisecurity protocolhas been broken. This standard is the most commonly usedsecurity standard used by Wi-Fi networks around the world. The attack … Continue reading KRACK Attack - What to Communicate

from lspitzner

Wrap-Ups Storm Ahead!

I can’t remember why I started to write conference wrap-ups but it started in 2009 when I attended my first Hack.lu! I had a quick look at my blog archives and, until today, I wrote 184 wrap-ups!  The initial idea was probably to bring some material to colleagues who did not have the chance to attend the conference in Luxembourg. Quickly I got some very positive feedbacks from my existing blog readers and it started to attract more and more people. 

Why am I still writing such kind of articles today? For multiple reasons… The first one is personal: It helps me to learn new stuff. The exercise to keep the focus on a speaker and to take notes on the fly is complex. You need to listen, understand and summarize in real time. Usually, I’m writing very synthetic notes and I force myself to beautify the text the same day (otherwise, I’m quickly losing details). Often, my wrap-ups are published during the night.

The second one is for the community… If I’ve some content, why not share it? Honestly, based on the number of infosec events I’m attending,  I consider myself as a lucky guy. With my wrap-ups, I can share a (very) small piece of information that I collected. They are published “as is” without any restriction and review (read: errors can always be present!). I know that some people reuse them even if they attended the same conference. They need to report some content internally in their organization They are free but be fair to keep a link to the original article.

It won’t change and, next week, I’ll be in Luxembourg for hack.lu. Immediately after, I’ll fly to Budapest for Hacktivity. Hack.lu is one of my preferred events not only for the quality of the schedule but also for the relaxed atmosphere. I meet some friends once a year at hack.lu! My first participation was in 2008 and this edition promises to be awesome with a bunch of interesting talks. Here is my pre-selection:

• Randori, a low interaction honeypot with a vengeance (Bouke van Laethem)
• Device sensors meet the web – a story of sadness and regret (Lukasz Olejnik)
• The Bicho: An Advanced Car Backdoor Maker (Sheila Ayelen Berta, Claudio Caracciolo)
• Keynterceptor: Press any key to continue (Niels van Dijkhuizen)
• Sigma – Generic Signatures for Log Events (Thomas Patzke)
• Front door Nightmares. When smart is not secure (ObiWan666)

Then, let’s go to Hacktivity. Contrariwise, it will be my first experience with this event. The conference has a very good reputation. A lot of nice topics and here is my pre-selection:

• REST API, pentester’s perspective (Mateusz Olejarka)
• Exploiting USB/IP in Linux (Ignat Korchagin)
• Hacking drones and buying passwords in the Darknet (Tobias Schrödel)
• A heaven for Hackers: Breaking Log/SIEM Products (Mehmet Ince)
• BlueBorne Explained: Exploiting Android devices over the air (Ben Seri Gregory Vishnepolsky)

You can expect a massive amount of Tweets and daily wrap-ups during the week! Stay tuned and thanks again for reading my delusions…

[Note: You can follow the upcoming conferences that I will attend on the right side of this page in the “Upcoming Events” section]

 

 

 

[The post Wrap-Ups Storm Ahead! has been first published on /dev/random]

from Xavier