Month: October 2017

(My) BruCON 2017 Notes (2)

Adrian Citu

Here are my quick notes from the BruCON 2017 conference. All the slides can be found here.

How hackers changed the security industry and how we need to keep changing it

Back in the ’90 the hacker community was looked with suspicion by the software industry because the hackers were finding security problems and the software publishers had no process to handle this findings.

Back in the 90’s the only reference in order to create a secure system was the “Orange book“; but the orange book it’s all about security features, no word about bugs or vulnerabilities.

CERT – internet community had no means to fight against malware that’s why CERT was created. But the hacker community do not participate to CERT anymore because there was no traceability of the issues reported, so the Bugtraq was created.

Hackers created the concept of pen-test and the first (hacking) tools :

  • crack
  • satan (first network scanner)
  • netcat
  • NFT (first IDS)

The idea of securing the system by trying to break them was initially not very well welcomed by the industry.

In 2000 companies starts to hire hackers.
2002 – Microsoft Trustworthy computing – all the process of this initiative have been influenced by hackers

2003 (modern security era)

  • pen test became a requirement
  • companies create bug bounty programs

The idea that the security is an external process that is applied at the end is broken.
The security must be embedded in each part of the SDLC.

See no evil, hear no evil: Hacking invisibly and silently with light and sound

 The talk was about how the sound and light can be used to remotely extract information and was articulated around 3 parts:

  • jumping air-gaps
    • air-gap = computer isolated from the network; the goal is to make jump the air gap between the computer and the network in order to get exfiltrate data from the network.
    • ways of exfiltrate data from the network
      • screen luminosity; used to sent commands to an infected laptop, or used for data exfiltration.
      • near-ultrasonic sounds; same goals as the previous one
      • spectregram – embed images in sound files.
    • mitigation for jumping air-gaps
      • screen filters
      • disable luminosity sensors
      • disable microphones/speakers
  • surveillance and anti-surveillance
    • laser microphone – quite easy and cheap to make
    • sniffing and cloning the IR (infra-red) signals; used for bypassing the IR Motion detectors
  • funny things (done by the presentr)
    • Delayed Auditory Feedback (speech jamming) – the presenter build a software version.
    • Demotivating malware analysts –  create aspectregram and add it to a program that somebody will try to reverse it.
    • ultrasonic attack against drones

This is kind of mind-map of the talk:

XFLTReaT: a new dimension in tunnelling

This talk have 2 goals; the fists one is about building tunnels and the second goal is to present the XFLTReaT framework. Apparently the framework is very modular and very easy extensible.

XFLTReaT

  • tunneling framework
  • plug and play
  • modular
  • you do not have to take care by yourself about:
    • set up routing
    • handle multiple users
    • encryption

Client-Server approach; The client have a check functionality to find out which protocol is not filtered on the network.

 

(My) Brucon 2017 notes (1)

Adrian Citu

Here are my quick notes from the BruCON 2017 conference. All the slides can be found here.

Detecting malware when it is encrypted – machine learning for network https analysis

The goal is to find a way to detect malware using htps without decrypting the traffic.

Context:

  • 1/2 of the world wide Internet traffic is encrypted
  • 10%-40% of all malware traffic is encrypted
  • the encryption interferes with the efficacy of classical detection techniques

Some solutions to the problems:

  • TLS inspection; basically is the reverse proxy which is in the middle between the server and the client
    • advantage – can use the classical detection method
    • drawback – proxy server is expensive.
    • drawback – computationally demanding
  • try to find with no HTTPS decryption

Detect malware with no HTTPS decryption

Dataset used:

Used the pro ids product to capture different logs:

  • connection.log/s
  • ssl.log/s
  • x509.log/s

All this logs will be aggregated in order to create ssl aggregations and then generate a ssl-connect-units (each ssl-connect-unit represents a SSL connection). Each ssl-connect-unit have a source IP, destination IP, destination port, protocol and other 40 features (properties) like number of packages, number of bytes, number of different certificates, ratio of established and not established states .

A data set was created from all this ssl-connection-units and machine learning algorithms have been used against this dataset.

(ML) Algorithms used

  • XGBoost (Extreme Gradient Boosting)
  • Random forest
  • Neural network
  • svm

After using all this ML algorithms the features that have been identified as the most important ones to detect malware traffic:

  • certificate length of validity
  • inbound and outbound packets
  • number of domains in certificate
  • ssl/tls version
  •  periodicity

 

Knock Knock… Who’s there? admin admin and get in! An overview of the CMS brute-forcing malware landscape.

The talk was about malware brute force attacks of WordPress web sites which is the most used CMS product.

historical overview of the brute-force malware

2009 – first distributed brute force attack against WordPress
2013 – firstDisco also isntalled backdoors in the system
2014 – Mayhem
2015 – Aetra
2015 – CMS Catcher
2015- Troldeshkey
2017 – Stantinko

deep dive of SATHURBOT malware

modular botnet , 4 modules:

  • backdoor module
  • crawling module
  •  brute force module

Evading Microsoft ATA for Active Directory Domination

Microsoft ATA

  • Microsoft Advanced Threat Analytics
  • a product that detects attacks by reading traffic
  • how is deployed; an ATA gateway that intercepts the traffic

Threats detected by ATA:

  • recon
  • compromised credentials
  • lateral movement
  • domain dominance

Evading ATA :

  •  not poking the DC (Domain Controller) is the key
  • If you can’t bypass it then ovoid it by minimal talk with the DC

Atacking ATA deployment:

  • ATA console can be identified with basic banner grabbing.

Secure channels: Building real world crypto systems

What are secure channels – goal is to guarantee the confidentiality and integrity of data travelling over untrusted network.

objectives of a secure channel:

  • confidentiality
  • integrity establishment
  • authenticity

Constructing a secure channel:

  • need a way to exchange keys; keys establishment protocol
  • need a key derivation phase

Secure channel protocol design phases :

  • channel establishment
  • key establishment
  • secure data transfer
  • finish the protocol

How to build efficient security awareness programs

Some quotes from the talk:

  • Security problems are arising where more than one security technology are overlapping.
  • Stop trying to fix human behavior with tech only;maybe that are other ways to fix that.
  • Security isn’t always a business problem, but it’s always a human problem.
  • Tools to fix the human factor in security:
    • Fear
    • Incentives
    • Habits
      • trigger
      • routine
      • reward
      • repeat

Open Source Security Orchestration

Context:

  • multiple cloud severs, all using same Fail2ban jail.
  • How can make the different servers communicate.

In security operations most of the workflows are manual despite of multitude of solutions.
Different scenarios on which the automation could help a lot:

  • firewall role propagation scenario
  • drop propagation scenario
  • prevent known threats scenario
  • capture threat activity scenario

How to do the orchestration: using Adaptive Network Protocol (ANP)

  • developed so that nodes can share event information with each other
  • needed an ANP agent installed on each node.

How to create and customize a Docker image for Burp Suite Professional Edition

Adrian Citu

This ticket explains how to create and customize a Docker image for the Burp Suite Professional Edition. The main difference with a creation of an image for the Burp Suite Free Edition is that you will need to register a valid license during the image creation.

    • Create a Dockerfile for the initial image. You will need to have the burpsuite_pro_Vx.y.z jar file; the jar should be in the bin folder that is on the same level as the Dockerfile. The Docker file looks like this:
    FROM openjdk:8u121-jre-alpine
    RUN apk --update add openssl ca-certificates ttf-dejavu && \
        rm -f /var/cache/apk/* && \
        mkdir -p /opt/burp /work && \ 
        adduser -D -s /bin/sh user user && \
        chown -R user /work

    ADD bin/* /opt/burp/
    RUN chown -R user /home/user/.*
    USER user
    WORKDIR /work
    EXPOSE 8080
  • Build the image:
    docker build -t burppro .
  • Run the image. It will be needed to run the Burp in the UI mode in order to register the license and (eventually) to customize the application (like installing extensions); unfortunately it is not possible to install extensions directly from the command line, so you will have to do it manually.
    docker run -ti \
      -e DISPLAY=$DISPLAY \
      -v /tmp/.X11-unix:/tmp/.X11-unix\
    burppro \
       java -jar /opt/burp/burpsuite_pro.jar
  • Once you’ve finished the customization, commit the new image in order to save the changes made on the initial image.
    docker commit <burppro_container_id> burppro_with_license_with_extension
  • Run the new image (in headless mode).
    docker run -p8080:8080 -ti \
    burppro_with_license_with_extension \
      java -jar -Djava.awt.headless=true /opt/burp/burpsuite_pro.jar

(My) CSSLP Notes – Secure Software Testing

Adrian Citu

Note: This notes were strongly inspired by the following books: CSSLP Certification All in one and Official (ISC)2 Guide to the CSSLP CBK, Second Edition

Security Quality Assurance Testing

Standards for Software Quality AssuranceCSSLP-logo

  • ISO 9216 – provides guidance for establishing quality in software products.
  • ISO 21827 SSE-CMM (Systems Security Engineering Capability Maturity Model) – addresses security engineering activities that span the entire secure system lifecycle.
  • OSSTMM (Open Source Security Testing Methodology Manual) – provides a scientific methodology for assessing operational security built upon analytical metrics.

  Types of software QA Testing

  • functional testing – Software testing is performed to primarily attest the functionality of the software as expected by the business or customer.
  • unit testing
  • system/integration testing – assures that the overall system is compliant with the system-level requirements.
  • regression testing – performed to validate that the software did not break previous functionality or security and regress to a non-functional or insecure state.
  • non-functional testing – covers testing for the recoverability and environmental aspects of the software.
  • performance testing
    • load testing – process of subjecting the software to volumes of operating tasks or users until it cannot handle any more, with the goal of identifying the maximum operating capacity for the software
    • stress testing – aimed to determine the breaking point of the software, i.e., the point at which the software can no longer function.
  • user acceptance testing (smoke testing) – UAT is generally performed as a black box test which focuses primarily on the functionality and usability of the application.

Security testing methods

  • white-box testing – testing is performed on a system with the full knowledge of the working components including the source code and its operations.
  • black-box testing – the attacker has no knowledge of the inner workings of the software under test.
black-box versus white-box testing
black-box versus white-box testing

Type of security testing

  • scanning – automatic enumerations of specific characteristics of an application or network
  • cryptographic validation testing
  • penetration testing – the main objective of penetration testing is
    to see if the network and software assets can be compromised by exploiting the vulnerabilities that were determined by the scans.
  • fuzzing – brute-force method of addressing input validation issues and vulnerabilities.
  • simulation testing – testing the application in an environment that mirrors the associated production environment.