(My) BruCON 2017 Notes (2)

Here are my quick notes from the BruCON 2017 conference. All the slides can be found here.

How hackers changed the security industry and how we need to keep changing it

Back in the ’90 the hacker community was looked with suspicion by the software industry because the hackers were finding security problems and the software publishers had no process to handle this findings.

Back in the 90’s the only reference in order to create a secure system was the “Orange book“; but the orange book it’s all about security features, no word about bugs or vulnerabilities.

CERT – internet community had no means to fight against malware that’s why CERT was created. But the hacker community do not participate to CERT anymore because there was no traceability of the issues reported, so the Bugtraq was created.

Hackers created the concept of pen-test and the first (hacking) tools :

  • crack
  • satan (first network scanner)
  • netcat
  • NFT (first IDS)

The idea of securing the system by trying to break them was initially not very well welcomed by the industry.

In 2000 companies starts to hire hackers.
2002 – Microsoft Trustworthy computing – all the process of this initiative have been influenced by hackers

2003 (modern security era)

  • pen test became a requirement
  • companies create bug bounty programs

The idea that the security is an external process that is applied at the end is broken.
The security must be embedded in each part of the SDLC.

See no evil, hear no evil: Hacking invisibly and silently with light and sound

 The talk was about how the sound and light can be used to remotely extract information and was articulated around 3 parts:

  • jumping air-gaps
    • air-gap = computer isolated from the network; the goal is to make jump the air gap between the computer and the network in order to get exfiltrate data from the network.
    • ways of exfiltrate data from the network
      • screen luminosity; used to sent commands to an infected laptop, or used for data exfiltration.
      • near-ultrasonic sounds; same goals as the previous one
      • spectregram – embed images in sound files.
    • mitigation for jumping air-gaps
      • screen filters
      • disable luminosity sensors
      • disable microphones/speakers
  • surveillance and anti-surveillance
    • laser microphone – quite easy and cheap to make
    • sniffing and cloning the IR (infra-red) signals; used for bypassing the IR Motion detectors
  • funny things (done by the presentr)
    • Delayed Auditory Feedback (speech jamming) – the presenter build a software version.
    • Demotivating malware analysts –  create aspectregram and add it to a program that somebody will try to reverse it.
    • ultrasonic attack against drones

This is kind of mind-map of the talk:

XFLTReaT: a new dimension in tunnelling

This talk have 2 goals; the fists one is about building tunnels and the second goal is to present the XFLTReaT framework. Apparently the framework is very modular and very easy extensible.

XFLTReaT

  • tunneling framework
  • plug and play
  • modular
  • you do not have to take care by yourself about:
    • set up routing
    • handle multiple users
    • encryption

Client-Server approach; The client have a check functionality to find out which protocol is not filtered on the network.

 

(My) Brucon 2017 notes (1)

Here are my quick notes from the BruCON 2017 conference. All the slides can be found here.

Detecting malware when it is encrypted – machine learning for network https analysis

The goal is to find a way to detect malware using htps without decrypting the traffic.

Context:

  • 1/2 of the world wide Internet traffic is encrypted
  • 10%-40% of all malware traffic is encrypted
  • the encryption interferes with the efficacy of classical detection techniques

Some solutions to the problems:

  • TLS inspection; basically is the reverse proxy which is in the middle between the server and the client
    • advantage – can use the classical detection method
    • drawback – proxy server is expensive.
    • drawback – computationally demanding
  • try to find with no HTTPS decryption

Detect malware with no HTTPS decryption

Dataset used:

Used the pro ids product to capture different logs:

  • connection.log/s
  • ssl.log/s
  • x509.log/s

All this logs will be aggregated in order to create ssl aggregations and then generate a ssl-connect-units (each ssl-connect-unit represents a SSL connection). Each ssl-connect-unit have a source IP, destination IP, destination port, protocol and other 40 features (properties) like number of packages, number of bytes, number of different certificates, ratio of established and not established states .

A data set was created from all this ssl-connection-units and machine learning algorithms have been used against this dataset.

(ML) Algorithms used

  • XGBoost (Extreme Gradient Boosting)
  • Random forest
  • Neural network
  • svm

After using all this ML algorithms the features that have been identified as the most important ones to detect malware traffic:

  • certificate length of validity
  • inbound and outbound packets
  • number of domains in certificate
  • ssl/tls version
  •  periodicity

 

Knock Knock… Who’s there? admin admin and get in! An overview of the CMS brute-forcing malware landscape.

The talk was about malware brute force attacks of WordPress web sites which is the most used CMS product.

historical overview of the brute-force malware

2009 – first distributed brute force attack against WordPress
2013 – firstDisco also isntalled backdoors in the system
2014 – Mayhem
2015 – Aetra
2015 – CMS Catcher
2015- Troldeshkey
2017 – Stantinko

deep dive of SATHURBOT malware

modular botnet , 4 modules:

  • backdoor module
  • crawling module
  •  brute force module

Evading Microsoft ATA for Active Directory Domination

Microsoft ATA

  • Microsoft Advanced Threat Analytics
  • a product that detects attacks by reading traffic
  • how is deployed; an ATA gateway that intercepts the traffic

Threats detected by ATA:

  • recon
  • compromised credentials
  • lateral movement
  • domain dominance

Evading ATA :

  •  not poking the DC (Domain Controller) is the key
  • If you can’t bypass it then ovoid it by minimal talk with the DC

Atacking ATA deployment:

  • ATA console can be identified with basic banner grabbing.

Secure channels: Building real world crypto systems

What are secure channels – goal is to guarantee the confidentiality and integrity of data travelling over untrusted network.

objectives of a secure channel:

  • confidentiality
  • integrity establishment
  • authenticity

Constructing a secure channel:

  • need a way to exchange keys; keys establishment protocol
  • need a key derivation phase

Secure channel protocol design phases :

  • channel establishment
  • key establishment
  • secure data transfer
  • finish the protocol

How to build efficient security awareness programs

Some quotes from the talk:

  • Security problems are arising where more than one security technology are overlapping.
  • Stop trying to fix human behavior with tech only;maybe that are other ways to fix that.
  • Security isn’t always a business problem, but it’s always a human problem.
  • Tools to fix the human factor in security:
    • Fear
    • Incentives
    • Habits
      • trigger
      • routine
      • reward
      • repeat

Open Source Security Orchestration

Context:

  • multiple cloud severs, all using same Fail2ban jail.
  • How can make the different servers communicate.

In security operations most of the workflows are manual despite of multitude of solutions.
Different scenarios on which the automation could help a lot:

  • firewall role propagation scenario
  • drop propagation scenario
  • prevent known threats scenario
  • capture threat activity scenario

How to do the orchestration: using Adaptive Network Protocol (ANP)

  • developed so that nodes can share event information with each other
  • needed an ANP agent installed on each node.

(My) BruCON 2016 notes (3)

Here are my quick notes from the BruCON 2016 conference. All the slides can be found here.

NO EASY BREACH:Challenges and Lessons Learned from an Epic Investigation bruCon

The attack started with a phishing email; the attack compromised more that 2 000 systems, 50 000 emails.

How the attack took place:

1. fast-paced attacher

  • 10-25 systems infected every day.
  • the attacker steal information every day.

response

  • develop indicators to aid triage.
  • focus on : lateral movements, pivoting, recon, new tools or back-doors.
  • streamlined documentation.

lessons learned

  • be fast and flexible.

2. stealthy attacks

  • used anti-forensics techniques to hide endpoint and network activity.
  • altered communication scheme + strong crypto.
  • mass activity to obscure the real target.
  • data theft using only legitimate us-based services – gmail, google drives, one drive.

response

  • maximize the utility of trace forensics artifacts.
  • some attacker behavior recovered from sdelete.
  • took time and patience to filter out the network noise.
  • deployed additional open-source tech

lessons learned

  • improve visibility and don’t stop looking.
  • map attacker activity ti potential data sources.
  • network times provides reliable chronology.

3. rapidly evolving tactics

  • seven unique persistence mechanism.
  • seven distinct back-door families.
  • minimal re-use of meta-data commonly tracked and shared as indicator.

response

  •  fought to keep network visibility on all malware families.
  • spent time analyzing system with unknown activity.
  • create indicators for every stage of attack life-cycle.
  • develop flexible & resilient indicators

lessons learned

  • enhance and test your best indicators even when they’re working.

4. advanced attack techniques

  • attacker leveraged PowerShell.
  • used Windows Management Instrumentation.
  • attacker used Kerberos tickets attacks which made tracking lateral movement difficult.

response

  • searched for WMI persistence.
  • identified evidence of attacker code in WMI repository.
  • parsed out embedded scripts and malware.
  • updated the environment to power shell 3.0 and enabled logging.
  • turned attacker power shell usage from a threat to a benefit by logging and iocs to made findings attacker activity much easier.
  • worked around Kerberos attacks: looked for remote Kerberos logons around the time of attacker activity.

Hacking KPN: Lessons from the trenches

The presentation was about 3 different vulnerabilities discovered by the kpn read team.

  1. vulnerability linked to the Java de-serialisation vulnerability.
    1. the kpn team did a java deserialization burp plug-in fork
  2. Citrix Netscaler
    1. Netscaler login vulnerabiilty
  3. reverse-engineering cryptography from binary

New Adventures in Active Defense, Offensive Countermeasures and Hacking Back

The idea was that the security industry are doing the same things over and over again, very often as a defender we build very static walls. So the presenter propose to an “active defense”:

Active defense is not about :

  • hacking back
  • about one technical solution
  • revenge

Active defense is about:

  • have a range of solutions.

All the proposed solutions and demos are part of the advanced defense harbinger distribution which is a Linux distribution based on Ubuntu LTS that it comes with many tools aimed at active defense pre-installed and configured. Some demos of the following components:

  • weblabyrinth
  • honey ports
  • honey badger
  • jarcombiner

(My) BruCON 2016 notes (2)

Here are my quick notes from the BruCON 2016 conference. All the slides can be found here.

What Does the Perfect Door or Padlock Look Like?bruCon

The talk was about how (some) doors and padlocks can be easily opened. The presentation was full of videos and explanatory schemes. For the doors the following parts can be attacked:

  • hinge removal – to fix, use jam pins
  • the latch
  • the inside handle
  • key boxes
  • edge baps – request to exit sensors
  • the bottom gap
  • the door frame

Anti-Forensics AF

The presentation contained the following topics:

  • memory anti-forencics
    • the goal is to inhibit the acquisition and analysis
    • for windows, removing PE header from disk (once the executable is loaded in memory).
    • for windows, zero the header from disk (once the executable is loaded in memory).
    • for linux, remove the EMF header
    • for linux, zero the header (memeset)
  • android anti-forestics
    • use encryption to protect.
    • power down the device.
    • leverage device sensors; foe ex: if the phone is moving, then shut down the device
  • fun with sd cards
    • demo of the SDTool tool that modifies the SD card firmware to write/or not the card or in memory.

Esoteric Web application vulnerabilities

The sql injection vulnerability is dead due to the massive use of the ORM frameworks, the same for the XSS injections due to the mvc, templates and default HTML So, as a hacker you must find new vulnerabilities; here are 5 (esoteric) vulnerabilities:

  1. aggressive input decoding; nosql injection using ruby on rails and MongoDB
  2. call me to verify my identity; try to hack the phone activation procedure for a 2 FA functionality.
  3. password reset implementation feature; try to hack the password reset feature for a 2 FA
  4. hack around the usage of the Paypal IPN protoco
  5. just missed that one; it happen even to the best of us.

Scraping Leaky browsers for Fun and Password

The idea is to retrieve passwords stored by the browsers (in RAM) by scrapping the RAM content. Do to this a plug-in to Volatility framework was created (the plug-in will be available soon on GitHub).

The best browser is Chrome with 67% chances to expose the passwords; the worst browser is Firefox with 81% changes to expose the passwords.

Vendors response to this findings; Microsoft created a CVE and the path will be pushed in October/November, Google and Mozilla are denying that’s a real issue.

 

(My) BruCON 2016 notes (1)

Here are my quick notes from the BruCON 2016 conference. All the slides can be found here.

Keynote –  inventing defensivebruCon

The keynote was quite entertaining mainly because it used references to the Greek and Babylonian mythology but on the other side  it was very difficult to really understand the message and the ideas that the presenter tried to promote.
But here some ideas that I was able to catch:

  • assume compromise
  • business people do not understand the security goals
  • perimeter defense; you have to win every time; one single mistake and the perimeter can be breach.
  • attackers are using the speed; the defenders have never the initiative.

Security through design

The presenter believes that the security is seen by the casual user/client as a burden. The security peoples should try to understand why the users try to circumvent the security, try to understand how the peoples are working and must try to adapt the security to fit the user needs.

The possible solutions are not from the IT world; try to apply the design thinking. A good design solution should have the following properties:

  •  is innovative
  • makes a product useful
  • makes a product understandable
  • is long-lasting
  • is unobtrusive

Some examples of products/companies that are trying to understand better the client: 2g Tuesday at Facebook

Building a Successful Internal Adversarial Simulation Team

The problems with the security testing today :

  • limited metrics
  • increase technical debt.
  • gives limited experience.

Another major problem is that the read team and blue team are acting independently, do not really share knowledge.

The speakers proposed some solutions to this problem; some of the interesting points that I was able to catch:

  • predict the likelihood of successful attacks before they happen.
  • creation of an information sharing platform and knowledge base.
  • assemble your team and tools
  • create defensive measurements/metrics.

(My) BruCON 2015 notes (5)

Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.

This is the last ticket about the BruCOn 2015 so, it contains the presentations for which my notes are not so good 🙂

Creating REAL Threat Intelligence with EvernotebruCon

goal:

  • experiment to generate threat intelligence with Evernote.
  • use Evernote as intelligence repository.

background:

  • before buying new commercial solution
    • try quick and dirty solution in house
    • invest in people &process first, then Products.

Use Evernote as a GTD(Getting Things Done ??)-Based Task Mgmt System.

  • treat  Evernote like  a  Database
    • Notebook  ==  Table
    • Note  ==  Free  Form  Record
    • Nested  Notebooks
    • Hierarchical  Tags

Looking Forward – Finding the right balance for INFOSEC

Some words about the infosec in the past and today:

  • in 1999 the security community was a small community
  • things start to change now BUT
    the ratios security/it people it’s very low

Some words about the security breaches:

  • 99% of the breaches is are due to basic things; BUT the companies are focusing on much complicated
    attacks but are forgetting the easy to fill gaps.
  • end-users are still the weakest link; for fishing only one click it’s enough to get in inside the it infrastructure
  • profiling is difficult BUT targeting the user is muck more easier.

Some words about the security industry:

  • security industry is too technology centric.
  • we just hope that the technology will solve the problems magically.
  • technology it takes over talent.

Some ideas for the defence:

  • Disabling local administrator accounts, or randomizing.
  • Rotating domain admin account passwords.
  • Disallow PowerShell execution for normal users.
  • Disallowing executables to be run through TEMP and other directories.
  • Network segmentation of user workstations.
  • Focus on detection capabilities over anything.

I am the Cavalry

The Cavalry is a organization that is focused on issues where computer security intersect public safety and human life. The areas of focus for The Cavalry are medical devices, automobiles, home electronics and public infrastructure.

How to influence people (a pen test like approach):

  • recon
  • empathizing (replaces finding vulnerabilities)
  • enabling changes (replaces exploitation)

Recon

known the official structure and the non-official one.

unofficial structure

  • who is liked
  • trusted influencers

Empathizing

  • understand the stakeholders
  • studies can give you a hint about the way of thinking
  • motivation, career ambitions
  • how the stakeholders make decisions
  • learn how to speak the stakeholders language – cross domain issues

Enabling changes

  • work the system;
  • be adaptive if it didn’t worked
  • riding waves, news
  • speak their language

(My) BruCON 2015 notes (4)

Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.

The malware is just code so, as any other code it is possible (in theory) to analyze/reverse engineer it manually.

The triage is one of the functions of the incident response program and must answer the following three questions regarded to a specific input:

  • is the input malicious ?
  • if yes, what is exploiting ?
  • are we exposed ?

Triage is not malware analysis and should be quick and efficient. The triage workflow:

  • passive analysis.
  • first interaction and download.
    • some malware are crafted to be able to interact with the initial URL only limited number of times
    • some malware could profile your browser, check the browser version, platform, or use the user agent script to decide if the exploit can be executed or not.
    • some tools:useragentstring.com (to check your user agent), onlinecurl.com (on-line version of curl, copy paste a url and you get back the response), hurl.it (idem as previous one).
  • web component analysis.
    • once you have the web component (which is typically an html page + JavaScript) you could try to analyze it.
    • use jsBeautify.org to try to have something human readable in case the code is obfuscated.
    • try to use the browser debugger, eventually change JavaScript eval expressions.
  • exploit analysis.
    • can use showmycode.com to understand the exploit; it is capable to decompile Java, Flash, .Net, PHP
    • sometimes you can blindly search the metasploit exploit template library
  • payload extraction.
  • payload analysis.
    • can submit the file/s to VirusTotal or malwr (virtualized Cuckoo instances).
    • malwr can give you infos about the registry keys created, network traffic.
  • build IOCs (Indication Of Compromise).
    • collection of indicators which can be used to describe a compromised system.

This was an workshop, so the participants had to play with some of the tools. Here is the quick workflow that i followed:

start from a url -> use the onlinecurl.com to get the response (initial interaction) -> saved the response on a file and used to browser debugger to understand what the component is doing (web component analysis)-> get from the JavaScript another url that contains a link to a Java .class file -> use it showmycode.com to decompile the class file (exploit analysis)-> write some Java code to decode parts of the exploit and execute it on ideone.com (payload extraction)-> …time over :(.