(My) BruCON 2016 notes (3)

Here are my quick notes from the BruCON 2016 conference. All the slides can be found here.

NO EASY BREACH:Challenges and Lessons Learned from an Epic Investigation bruCon

The attack started with a phishing email; the attack compromised more that 2 000 systems, 50 000 emails.

How the attack took place:

1. fast-paced attacher

  • 10-25 systems infected every day.
  • the attacker steal information every day.

response

  • develop indicators to aid triage.
  • focus on : lateral movements, pivoting, recon, new tools or back-doors.
  • streamlined documentation.

lessons learned

  • be fast and flexible.

2. stealthy attacks

  • used anti-forensics techniques to hide endpoint and network activity.
  • altered communication scheme + strong crypto.
  • mass activity to obscure the real target.
  • data theft using only legitimate us-based services – gmail, google drives, one drive.

response

  • maximize the utility of trace forensics artifacts.
  • some attacker behavior recovered from sdelete.
  • took time and patience to filter out the network noise.
  • deployed additional open-source tech

lessons learned

  • improve visibility and don’t stop looking.
  • map attacker activity ti potential data sources.
  • network times provides reliable chronology.

3. rapidly evolving tactics

  • seven unique persistence mechanism.
  • seven distinct back-door families.
  • minimal re-use of meta-data commonly tracked and shared as indicator.

response

  •  fought to keep network visibility on all malware families.
  • spent time analyzing system with unknown activity.
  • create indicators for every stage of attack life-cycle.
  • develop flexible & resilient indicators

lessons learned

  • enhance and test your best indicators even when they’re working.

4. advanced attack techniques

  • attacker leveraged PowerShell.
  • used Windows Management Instrumentation.
  • attacker used Kerberos tickets attacks which made tracking lateral movement difficult.

response

  • searched for WMI persistence.
  • identified evidence of attacker code in WMI repository.
  • parsed out embedded scripts and malware.
  • updated the environment to power shell 3.0 and enabled logging.
  • turned attacker power shell usage from a threat to a benefit by logging and iocs to made findings attacker activity much easier.
  • worked around Kerberos attacks: looked for remote Kerberos logons around the time of attacker activity.

Hacking KPN: Lessons from the trenches

The presentation was about 3 different vulnerabilities discovered by the kpn read team.

  1. vulnerability linked to the Java de-serialisation vulnerability.
    1. the kpn team did a java deserialization burp plug-in fork
  2. Citrix Netscaler
    1. Netscaler login vulnerabiilty
  3. reverse-engineering cryptography from binary

New Adventures in Active Defense, Offensive Countermeasures and Hacking Back

The idea was that the security industry are doing the same things over and over again, very often as a defender we build very static walls. So the presenter propose to an “active defense”:

Active defense is not about :

  • hacking back
  • about one technical solution
  • revenge

Active defense is about:

  • have a range of solutions.

All the proposed solutions and demos are part of the advanced defense harbinger distribution which is a Linux distribution based on Ubuntu LTS that it comes with many tools aimed at active defense pre-installed and configured. Some demos of the following components:

  • weblabyrinth
  • honey ports
  • honey badger
  • jarcombiner

(My) BruCON 2016 notes (2)

Here are my quick notes from the BruCON 2016 conference. All the slides can be found here.

What Does the Perfect Door or Padlock Look Like?bruCon

The talk was about how (some) doors and padlocks can be easily opened. The presentation was full of videos and explanatory schemes. For the doors the following parts can be attacked:

  • hinge removal – to fix, use jam pins
  • the latch
  • the inside handle
  • key boxes
  • edge baps – request to exit sensors
  • the bottom gap
  • the door frame

Anti-Forensics AF

The presentation contained the following topics:

  • memory anti-forencics
    • the goal is to inhibit the acquisition and analysis
    • for windows, removing PE header from disk (once the executable is loaded in memory).
    • for windows, zero the header from disk (once the executable is loaded in memory).
    • for linux, remove the EMF header
    • for linux, zero the header (memeset)
  • android anti-forestics
    • use encryption to protect.
    • power down the device.
    • leverage device sensors; foe ex: if the phone is moving, then shut down the device
  • fun with sd cards
    • demo of the SDTool tool that modifies the SD card firmware to write/or not the card or in memory.

Esoteric Web application vulnerabilities

The sql injection vulnerability is dead due to the massive use of the ORM frameworks, the same for the XSS injections due to the mvc, templates and default HTML So, as a hacker you must find new vulnerabilities; here are 5 (esoteric) vulnerabilities:

  1. aggressive input decoding; nosql injection using ruby on rails and MongoDB
  2. call me to verify my identity; try to hack the phone activation procedure for a 2 FA functionality.
  3. password reset implementation feature; try to hack the password reset feature for a 2 FA
  4. hack around the usage of the Paypal IPN protoco
  5. just missed that one; it happen even to the best of us.

Scraping Leaky browsers for Fun and Password

The idea is to retrieve passwords stored by the browsers (in RAM) by scrapping the RAM content. Do to this a plug-in to Volatility framework was created (the plug-in will be available soon on GitHub).

The best browser is Chrome with 67% chances to expose the passwords; the worst browser is Firefox with 81% changes to expose the passwords.

Vendors response to this findings; Microsoft created a CVE and the path will be pushed in October/November, Google and Mozilla are denying that’s a real issue.

 

(My) BruCON 2016 notes (1)

Here are my quick notes from the BruCON 2016 conference. All the slides can be found here.

Keynote –  inventing defensivebruCon

The keynote was quite entertaining mainly because it used references to the Greek and Babylonian mythology but on the other side  it was very difficult to really understand the message and the ideas that the presenter tried to promote.
But here some ideas that I was able to catch:

  • assume compromise
  • business people do not understand the security goals
  • perimeter defense; you have to win every time; one single mistake and the perimeter can be breach.
  • attackers are using the speed; the defenders have never the initiative.

Security through design

The presenter believes that the security is seen by the casual user/client as a burden. The security peoples should try to understand why the users try to circumvent the security, try to understand how the peoples are working and must try to adapt the security to fit the user needs.

The possible solutions are not from the IT world; try to apply the design thinking. A good design solution should have the following properties:

  •  is innovative
  • makes a product useful
  • makes a product understandable
  • is long-lasting
  • is unobtrusive

Some examples of products/companies that are trying to understand better the client: 2g Tuesday at Facebook

Building a Successful Internal Adversarial Simulation Team

The problems with the security testing today :

  • limited metrics
  • increase technical debt.
  • gives limited experience.

Another major problem is that the read team and blue team are acting independently, do not really share knowledge.

The speakers proposed some solutions to this problem; some of the interesting points that I was able to catch:

  • predict the likelihood of successful attacks before they happen.
  • creation of an information sharing platform and knowledge base.
  • assemble your team and tools
  • create defensive measurements/metrics.

(My) BruCON 2015 notes (5)

Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.

This is the last ticket about the BruCOn 2015 so, it contains the presentations for which my notes are not so good 🙂

Creating REAL Threat Intelligence with EvernotebruCon

goal:

  • experiment to generate threat intelligence with Evernote.
  • use Evernote as intelligence repository.

background:

  • before buying new commercial solution
    • try quick and dirty solution in house
    • invest in people &process first, then Products.

Use Evernote as a GTD(Getting Things Done ??)-Based Task Mgmt System.

  • treat  Evernote like  a  Database
    • Notebook  ==  Table
    • Note  ==  Free  Form  Record
    • Nested  Notebooks
    • Hierarchical  Tags

Looking Forward – Finding the right balance for INFOSEC

Some words about the infosec in the past and today:

  • in 1999 the security community was a small community
  • things start to change now BUT
    the ratios security/it people it’s very low

Some words about the security breaches:

  • 99% of the breaches is are due to basic things; BUT the companies are focusing on much complicated
    attacks but are forgetting the easy to fill gaps.
  • end-users are still the weakest link; for fishing only one click it’s enough to get in inside the it infrastructure
  • profiling is difficult BUT targeting the user is muck more easier.

Some words about the security industry:

  • security industry is too technology centric.
  • we just hope that the technology will solve the problems magically.
  • technology it takes over talent.

Some ideas for the defence:

  • Disabling local administrator accounts, or randomizing.
  • Rotating domain admin account passwords.
  • Disallow PowerShell execution for normal users.
  • Disallowing executables to be run through TEMP and other directories.
  • Network segmentation of user workstations.
  • Focus on detection capabilities over anything.

I am the Cavalry

The Cavalry is a organization that is focused on issues where computer security intersect public safety and human life. The areas of focus for The Cavalry are medical devices, automobiles, home electronics and public infrastructure.

How to influence people (a pen test like approach):

  • recon
  • empathizing (replaces finding vulnerabilities)
  • enabling changes (replaces exploitation)

Recon

known the official structure and the non-official one.

unofficial structure

  • who is liked
  • trusted influencers

Empathizing

  • understand the stakeholders
  • studies can give you a hint about the way of thinking
  • motivation, career ambitions
  • how the stakeholders make decisions
  • learn how to speak the stakeholders language – cross domain issues

Enabling changes

  • work the system;
  • be adaptive if it didn’t worked
  • riding waves, news
  • speak their language

(My) BruCON 2015 notes (4)

Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.

The malware is just code so, as any other code it is possible (in theory) to analyze/reverse engineer it manually.

The triage is one of the functions of the incident response program and must answer the following three questions regarded to a specific input:

  • is the input malicious ?
  • if yes, what is exploiting ?
  • are we exposed ?

Triage is not malware analysis and should be quick and efficient. The triage workflow:

  • passive analysis.
  • first interaction and download.
    • some malware are crafted to be able to interact with the initial URL only limited number of times
    • some malware could profile your browser, check the browser version, platform, or use the user agent script to decide if the exploit can be executed or not.
    • some tools:useragentstring.com (to check your user agent), onlinecurl.com (on-line version of curl, copy paste a url and you get back the response), hurl.it (idem as previous one).
  • web component analysis.
    • once you have the web component (which is typically an html page + JavaScript) you could try to analyze it.
    • use jsBeautify.org to try to have something human readable in case the code is obfuscated.
    • try to use the browser debugger, eventually change JavaScript eval expressions.
  • exploit analysis.
    • can use showmycode.com to understand the exploit; it is capable to decompile Java, Flash, .Net, PHP
    • sometimes you can blindly search the metasploit exploit template library
  • payload extraction.
  • payload analysis.
    • can submit the file/s to VirusTotal or malwr (virtualized Cuckoo instances).
    • malwr can give you infos about the registry keys created, network traffic.
  • build IOCs (Indication Of Compromise).
    • collection of indicators which can be used to describe a compromised system.

This was an workshop, so the participants had to play with some of the tools. Here is the quick workflow that i followed:

start from a url -> use the onlinecurl.com to get the response (initial interaction) -> saved the response on a file and used to browser debugger to understand what the component is doing (web component analysis)-> get from the JavaScript another url that contains a link to a Java .class file -> use it showmycode.com to decompile the class file (exploit analysis)-> write some Java code to decode parts of the exploit and execute it on ideone.com (payload extraction)-> …time over :(.

(My) BruCON 2015 notes (3)

Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.

Intrusion detection on Linux and OSX with osquery

osquery goals:

  • explore your operation system using sqlbruCon
  • host visibility is motivated by intrusion detection
  • wanted 1 binary; 6MB with no dependencies
  • done in C++
  • created and used by facebook (installed on 60 000 osx)

Same osquery query examples:

  • select pid, name, uid from processes where [constraints]
  • the sql syntax is the SQL lite  syntax.
  • no Windows version; linux and osx only.
  • a lot of cool examples: the list of events that happened on the host (files changed, usb sticks inserted).

A second binary that is presented is called osqueryd. osqueryd is a daemon; it uses a json-config config file to set options and define a schedule. The goal of osqueryd is to execute queries peridically and then send the result to an ELK (ElasticSearch+LogStash+Kibana) system.

The queries used by Facebook are packaged in different files; these packages can be also downloaded free of charge.

Kernel Tales: Security Testing of aarch64 Android Kernels

A kernel contains code from various sources; hardware manufacturers, software companies (google, samsung).
An Android kernel is almost a Linux kerner, so the attack surface is through syscalls;
The way to corrupt the kernel: the user space tries to write in the kernel space by using syscalls or even better use the ioctls to replace the syscall.

The overall idea is to fuzzy the parameters passed to ioctls. The fuzzer used (dronity) is based on the trinity fuzzer; dronity is not yet available (it will be soon on github).

The demo contained the following items:

  • dronity fuzzing a Android development board.
  • dronity fuzzing a real Android tablet.
  • dronity fuzzing an aarch64 kernel on qemu.
  • dronity fuzzing an aarch64 kernel with gdb attached (on qemu) in order to intercept the exception thrown by the kernel.

(My) BruCON 2015 notes (2)

Here are my quick notes from the BruCON 2015 conference.All the slides can be found here.

cve-search a free software to collect search and analyze common vulnerabilities and exposures in software

Some of the goals of the tool: bruCon

  • do vulnerability search on off-line local search.
  • fast lookup of vulnerabilities on different criteria.
  • allow localized classification of vulnerabilities; localization geographically or from the business perspective.
  •  build new tools based on local database of software and hardware vulnerabilities.

Some of the components/features of the tool:

  • db_updater.py
    • the goal of the script is to fetch vulnerabilities from different data-sources.
    • the data sources used are: NIST NVD, D2SEC, Microsoft Bulletin, vFeed.
    • the scrript can be extended to easily fetch other sources.
  • MongoDB
    • is the DB used to store the info.
  • search.py
    • used to search for vulnerabilities in the DB.
  • web interface
    • you can see, search
    • color scheme for vulnerabilities
  • you can use your own tagging system to weight the critical software/vendors in your constituency.
  • you can use statistics using external tools/languages like R
ex: searh.py -p oracle.....| jq -r '.cvss' | Rscript .........

Problems that face the application:

  • some vendors do not publish vulnerabilities information in a parsable way.
  • some vendors do not support the CPE naming convention.

Software using cve-search:

  • CVE-Portal
  • CVE-Scan
  • NorthernSec Vulnerability-Management (still under development)

Roadmap and future:

  • add vulnerabilities data sources from software and hardware vendors
  • expand cve-search to include vulnerabilities whitout CVE assignment.