Monday 31 October 2011

hashdays 2011 Diary


I've just got back from hashdays 2011 in Switzerland where I had a great time meeting old and new friends and listening to some great talks. For those who didn't attend or those interested in what I thought, here is my hashdays 2011 diary.

Friday

We made the short walk around the corner to the Radisson Blu, grabbed some breakfast croissants and coffee and settled down to hear the opening speech from Pascal. I hadn't met Pascal at this point but he came over as a passionate, fun-loving guy who clearly wanted everyone to have a great time at hashdays. After running through some of the details about the con itself, the badges and the wireless network he introduced Mikko Hypponen for the keynote.

I've seen videos of a few of Mikko's talks and I've always enjoyed them. Seeing a talk IRL was great. Mikko is a polished speaker, confident, fluent and engaging. His talk took us through some of the real threats facing computer users today, the types of malware we are seeing, the types of people behind them.

Viruses or malware have changed significantly over the twenty years or so in which Mikko has analysed it. It used to be that people did it for fun, or to cause destruction but the most important thing was that somehow you knew you had been infected. Most viruses did not employ much stealth, that wasn't their goal. Nowadays, malware infection is big business and the ability to stay hidden and keep the host infected is important as it increases the possible revenue.

But are the people behind modern malware actually making any money? The resounding answer is YES! Organised gangs are sitting on literally hundreds of millions of US dollars. It's a phenomenal amount of money, with the total turnover worth more than the international drug trade. That is some achievement for an industry so young.

Why is it working though? How are so many people fooled? Some of the examples Mikko showed us make it pretty clear. My favourite example was a banking trojan which inserted a single page after login and before displaying your accounts page. The page informed the bank's customer that the bank had set up a new investment account which will return x percent over some period of time. The account had been automatically created and here was the account number. All you need to do to take advantage of this new investment opportunity is transfer some money.

Of course, the account number belonged to the criminal but the beauty was now the customer, believing only the bank could have placed this page on an authenticated part of the site and that it's a genuine product, actually wants to transfer the money. This means they willingly perform all the multi-factor, out-of-band authentication required to complete the transaction before continuing to their accounts as normal.

As Mikko suggests, it's not obvious how to stop that. Mikko ended his talk with the statement there is "job security in security". As someone who works in the industry I suppose this is good news and bad news.

Next up I chose Track 2 and "Pentesting iPhone and iPad Applications" by Annika Meyer and Sebastien Andrivet. After a slightly nervous introduction from Annika, Sebastien took us through a live demo of some techniques you can use to assess the security of iOS applications. The demo was impacted slightly by the "curse of live demonstrations" but in the end it wasn't enough to diffuse the point. Essentially though I was a little disappointed, I was hoping for less reliance on jailbreaking.

My main takeaway was that, despite what we may be led to believe by Apple, apps are going into the App Store which contain all the usual software security bugs. Go figure. Most seem to be relying on the "closed" nature of iOS to protect credentials; Sebastien demonstrated PIN codes and passwords stored in plain text in config files. This is of course trivial to get around, either by jailbreaking or accessing unencrypted (the default) backup images created by iTunes.
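
As an added example (not code from the talk or from this post), here is a small audit of the two weaknesses described above: an iTunes backup whose Manifest.plist reports it is unencrypted, and an app preferences plist holding readable credentials. The key-name heuristic and both sample plists are constructed assumptions.

```python
import plistlib
import re

# Heuristic for credential-like key names (an assumption; tune it per app).
SECRET_KEY = re.compile(r"pass(?:word|code|wd)|secret|token|api[_-]?key|pin$", re.I)


def backup_is_encrypted(manifest_bytes):
    """Read the IsEncrypted flag from an iTunes backup's Manifest.plist."""
    manifest = plistlib.loads(manifest_bytes)
    return bool(manifest.get("IsEncrypted", False))


def plaintext_secrets(plist_bytes):
    """Return (key path, value) pairs where a credential-like key holds a string."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [str(key)])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [str(index)])
        elif isinstance(node, str) and node:
            # Booleans such as "rememberPassword" are settings, not secrets,
            # so only non-empty strings under a matching key are reported.
            if any(SECRET_KEY.search(part) for part in path):
                hits.append(("/".join(path), node))

    walk(plistlib.loads(plist_bytes), [])
    return hits


# Constructed sample data, serialised the way the files appear on disk.
SAMPLE_MANIFEST = plistlib.dumps({"IsEncrypted": False, "Version": "9.1"})
SAMPLE_PREFS = plistlib.dumps({
    "Server": "https://app.example",
    "Account": {"username": "alice", "userPin": "4821"},
    "rememberPassword": True,
    "savedPassword": "hunter2-constructed",
})

if __name__ == "__main__":
    print("backup encrypted:", backup_is_encrypted(SAMPLE_MANIFEST))
    for path, value in plaintext_secrets(SAMPLE_PREFS):
        print("plaintext credential at", path, "=", value)
```
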

Maybe I shouldn't be but I was slightly surprised to discover the official LinkedIn application uses plain HTTP for all communications aside from log in. Though, as I just checked, so does the main website so at least it's consistent but seriously, must do better.

I had high expectations for the next talk "IPv6, the new network hackers playground". IPv6 is one of those areas where I feel we are not paying enough attention. Most people I speak to still have only a basic understanding of the next generation of IP though I'm convinced this is going to be a rich avenue of attack for some time while the stack matures.

I thought they would cover this and more during this talk but unfortunately most of the talk seemed to cover attacks which are just as valid in IPv4. Pinging the "broadcast" address to discover live nodes on the network for example. Many of you may be aware there is no broadcast traffic in IPv6, instead there is much more use of multicast. So to ping the local "broadcast" address the equivalent (Linux) command is now:

    ping6 ff02::1%eth0

assuming the interface you wish to use is eth0. If you want to take this a step further check out the Multicast address Wikipedia article and look for "Well-known IPv6 multicast addresses".

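
To show why ff02::1 reaches every node on the link and nothing beyond it, the following added example (not from the talk or this post) decodes an IPv6 multicast address into its flag and scope nibbles and names a few well-known groups, including the OSPFv3 and mDNS groups that come up later in this diary. The table is a short hand-picked subset, not the full IANA registry.

```python
import ipaddress

# Scope nibble values (RFC 4291, RFC 7346).
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x3: "realm-local",
          0x4: "admin-local", 0x5: "site-local", 0x8: "organization-local",
          0xE: "global"}

# Hand-picked subset of well-known link-local groups.
WELL_KNOWN = {
    "ff02::1": "all nodes",
    "ff02::2": "all routers",
    "ff02::5": "OSPFv3 all SPF routers",
    "ff02::6": "OSPFv3 designated routers",
    "ff02::16": "MLDv2 reports",
    "ff02::fb": "mDNSv6",
    "ff02::1:2": "DHCPv6 relay agents and servers",
}
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def describe_multicast(text):
    """Decode an IPv6 multicast address, with or without a %zone suffix."""
    addr_text, _, zone = text.partition("%")
    addr = ipaddress.IPv6Address(addr_text)
    if not addr.is_multicast:
        raise ValueError(f"{text} is not an IPv6 multicast address")
    # Layout: 0xff | 4 flag bits | 4 scope bits | 112-bit group ID.
    second = addr.packed[1]
    flags, scope = second >> 4, second & 0x0F
    if addr in SOLICITED_NODE:
        group = "solicited-node (neighbour discovery)"
    else:
        group = WELL_KNOWN.get(str(addr), "not in this example's table")
    return {
        "address": str(addr),
        "zone": zone or None,
        "scope": SCOPES.get(scope, f"reserved or unassigned ({scope:#x})"),
        "transient": bool(flags & 0x1),  # T flag: 0 = IANA-assigned group
        "group": group,
        # Routers never forward interface-local or link-local multicast.
        "leaves_link": scope > 0x2,
    }


if __name__ == "__main__":
    for sample in ("ff02::1%eth0", "ff02::fb", "ff02::1:ff12:3456", "ff05::1:3"):
        print(describe_multicast(sample))
```
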
What was interesting was discussion of how to abuse Microsoft's Teredo service, a transitionary 6to4 service with built-in support in Windows. That's what all those ISATAP NetBIOS queries are that you see on networks. I definitely need to look more into the possibilities with this.

There was a lengthy section on Apple iOS mDNS and the fact that iPhones and iPads like to transmit their hostname to the mDNS address. This is not new to anyone with a wireless network and a copy of Wireshark. By default when you activate an iOS device, iTunes will name the device after your name. This means that, unless you rename it (and you do rename them right?) or don't use your name on your OS you are transmitting your full name into the ether on any network your iOS device is connected to.

They demonstrated what you can do with this using people's name and LinkedIn/Google. I feel that way too much time was spent on this. It had little to do with IPv6 and was more suited to a Google Hacking 101 talk in my opinion.

The talk finished up with some discussion of routing protocols and I was interested to learn that OSPFv3 will not support authentication. It is expected that "security" will be provided by utilising IPSEC capabilities in IPv6. This seems crazy to me. Forcing such a significant architectural change is not the responsibility of a routing protocol and is either going to lead to lack of adoption of OSPF in IPv6 networks or an increase in route injection attacks. That said, I'd be curious to know how many people are doing authenticated OSPF in IPv4 anyway.

Then it was lunch and the food laid on was excellent. Various hot dishes as well as sandwiches and soft drinks. The hotel bar was open throughout too for those who wanted something a little stronger. As always, lots of good chats to be had with some very smart people.

After lunch I went to Ian Amit's talk "Pushing in, and pulling out slowly without anyone paying attention". I caught the end of this talk at BruCON but was pleased to be able to see it in full. Ian is a great speaker, nice clear slides, plenty of enthusiasm and great, original content.

I covered the basics of the talk in my BruCON post so I won't repeat myself here.

I then hit the corridor track for a short time before going to Chris Gates' talk "From Low to PWNED". This was an excellent talk filled with loads of good, useful examples of why you shouldn't take your vulnerability scanner's word for it. Don't ignore Low and Medium severity vulnerabilities. Some of the ownage included SharePoint, Cold Fusion and WebDAV. I spoke to Chris afterwards and he had plenty more he didn't put in due to time.

I can vouch for this first hand, I've seen Nessus report a readable SMB share as Low. When I browsed the anonymously readable share it was full of company sensitive documents. No shell required that time. So, if you are going to run a scanner make sure you review the output thoroughly, don't just look for the Highs with a Metasploit module available.

To finish the day I had to make a hard choice between a cool looking HTML5 talk or watching FX talk about Lessons learned from Stuxnet. I chose to watch FX, he's something of a legend and I wondered what new light he might shed on Stuxnet.

It was a great talk. FX owned the stage and filled the talk with the sort of low level technical detail I know him for. Stuxnet uses a number of Windows vulnerabilities in order to spread. FX walked us through each of these in wonderful detail. Essentially Stuxnet was built on reliable, remote code execution bugs, creatively conceived and well executed.

The talk went on to highlight where we are now versus where we were with industrial systems before wrapping up the day.

Saturday

I always feel sorry for the people who start day two of a con. I missed the first talk from Marc Ruef and Luca Dal Molin unfortunately but I made it in time for the second, a Lockpicking 101 from Walter Belgers. As someone who has never spent as much time learning lockpicking as I'd have liked, I really enjoyed it. He was a good speaker who engaged the audience well and presented some live demos using his laptop webcam. I learned a lot more about some of the concepts I've come across over the years, including lock bumping, radio locks and how to defeat some of the countermeasures used by lock manufacturers.

After a short break it was time for the PTES Panel. This was one of the reasons I wanted to attend hashdays as I was keen to engage in discussion about how PTES can really make a difference to the Penetration Testing industry. It started out as complete car crash viewing, in a good way, with Nickerson, Ian and Stefan joined by straight-from-the-airport Dave Kennedy engaging in some bar-room banter but it finally got under way proper. Nickerson first conducted a poll from the audience as to what a Penetration Test is. There were some expected and unexpected answers before moving on to another important question. Once you've defined what a penetration test is to you, how are you validating the company you choose to do it?

The consensus was somewhere between "try them", "we know them" and "leave things for them to find, if they don't find them, they're no good". None of these are good answers which is where the PTES is designed to help. It is trying to clearly define what the minimum expectation will be for the customer and of course, the service provider. It is not designed to be a prescriptive methodology for how to perform the technical elements of a test, though a guide is available, it is more about defining a baseline standard for the steps required for the whole test, from pre-engagement to reporting.

I was impressed with Dave Kennedy's passion and clear articulation of the problem and how he's using (and promoting) PTES as a solution. It sounds like PTES is gaining momentum and I for one believe that if we all get behind it we genuinely will make a big difference to a broken industry.

In my previous blog I was a little critical of some of the BruCON talks which focused on bad pentesting. It wasn't that I didn't enjoy them, that they weren't good talks or enjoyable, just that I want to know how we're going to make a difference. What can I do as a tester to help drive this forward? This is what I was looking for from the PTES panel. To an extent I got this. I've seen and heard enough to know this has a serious chance of working if we can get the adoption rate up. Unfortunately this will mean talking to compliance bodies like the PCI SSC to incorporate PTES as a mandatory requirement if we can but hey, the key thing is to get it out there. If that means feeling a bit dirty (compliance should be a result of good security, not a reason for it) then it's a price we'll just have to pay for businesses to start getting true value from penetration testing.

Thanks to Dave and Nickerson for taking the time afterwards to talk through some of the ideas and challenges I've come across.

After lunch it was the hour of Eurotrash as Chris John Riley and Dale Pearson went head-to-head, albeit in different rooms. The decision was easy for me as I'd seen Dale's talk at BruCON so I went to see Chris "Scrub SAP clean with SOAP".

SAP is a huge product set found in most companies of virtually any size. It is also, it turns out, full of frankly scary insecurities. Chris demonstrated some of the research he has done over the previous year or so, including a collection of Metasploit modules he has written.

While nothing demonstrated is a simple case of point-click-shell, the amount of information given away through the management SOAP interface without requiring authentication is simply staggering. Usernames, instance IDs, operating system details and patch levels to name a few. Pulling this information together Chris talked through a theoretical brute force password attack against SAP. Made much simpler given we can get a list of users and the password policy for free through SOAP requests.

If that doesn't float your boat, you could just try a classic MITM attack as by default SAP's interface uses HTTP over a plain-text connection in conjunction with Basic auth. Clear-text passwords FTW!

If you're hungry for shell, once authenticated to SAP there is the ability to call OS commands - cue Meterpreter demonstration.

I know Chris put a lot of effort into the slides (including some Monty Python-esque animation) and it showed. Despite his last slide saying "Sorry for sucking so much" he needn't have worried. I learned a bunch, the content was sufficiently detailed and presented well. The live demos even worked (but slides included some example output just in case they hadn't) so all in all, job well done sir.

Next up was Dave Kennedy "Making sense of (in)security". Dave is another great presenter, someone clearly comfortable being in that position and it's easy to see why he can hold down a CISO position at a Fortune 1000 in the US. I've listened to numerous podcasts with Dave on and his enthusiasm shines through in everything he does. In this talk he talked quickly through the problems we currently have selling security to our companies, backed by a rapid-fire slide deck, but going on to offer his solution to the problem. Technical CSOs. I'm with him on this. It's not for everyone of course but, as he points out, if we asked someone with no legal background to become Head of Legal, or someone who has never worked in Human Resources to head up HR we'd think it was nuts. Why isn't it the same with Information Security? It's a specialist subject and the CSO must have cut their cloth working up through the ranks before they can surely be qualified to make the correct decisions.

Throw away those ridiculous risk formulas and just get stuff done. Start talking in language the CEO can understand and focus on what actually matters to the business.

Dave finished with some technical demos, just because he wanted to. :-) He showed an updated SET which includes a new PowerShell attack vector for the Teensy device and changes to the Java Attack Payload which has some clever updates to deploy Metasploit modules without touching disk, of course, bypassing AV.

Last up was Chris Nickerson. If you listen to Exotic Liability you will have some idea that Nickerson is a man with opinions and he's not afraid to share them. In his sights this talk was compliance and it took a beating.

He took it right back to the start, discussing Guidelines, Standards, Best Practices and ultimately Compliance. He put in plain language just how absurd some of the requirements of companies are these days and how obvious it is that large chunks of it have been put together by security vendors to increase sales of off-the-shelf compliance products.

Chris did acknowledge that for some companies, particularly smaller ones (my note, not his), it has given them "something" where perhaps there may have been "nothing" and that has to be good. But on the whole external compliance is causing huge amounts of time and money to be spent on areas of the business which are not necessarily critical to that business' continuity. Amen brother.

Every business is unique. Find out what makes yours (or your client's) money, then protect it.

And then, it was over.....almost. There was just time for a surprise guest at the closing ceremony. Pascal! Last year Pascal did not make it to day two, such was the impact on him of the after party. This time his entry to the room was accompanied by fanfare and wild applause. The badge challenge winner(s) were announced (well done Bob and Ben, you certainly earned it) and the obligatory feedback form draw was performed before time was called on hashdays 2011.

My overall impression of hashdays is that it is a great conference with some high quality talks and speakers. It was well organised and I can't honestly think of anything about it I didn't like. I will definitely be heading back next year if I get the opportunity. I can only hope that the Swiss Franc is not so strong as it was ridiculously expensive. I'm thinking of submitting to the CFP for 2012 so if I got accepted that would certainly help with the costs. Fingers crossed for that but either way I'll be back for hashdays 2012. See you there!

Monday 3 October 2011

7E welcomes on board Marc Wickenden

7E welcomes on board Marc Wickenden who joins the team as our Principal Security Consultant.

Marc brings with him over 13 years of technical experience with the majority of that time within both FSA and Payment Card regulated industries, all with a focus on Internet based business models.

Marc has been heavily involved in the Internet Payment services industry for the last 8 years where he specialises in all aspects of information security from PCI DSS compliance through to technical network security solutions. So expect to see some PCI focused blogs in the future.

Make sure to say hello if you are at Hashdays as Marc will be attending.