Let’s get right into the presentations this time, shall we?
First up was “Scanning 0/0,” a talk presented by Mark Schloesser from Rapid7. There are several players active in this area of Internet-wide scanning, including shadowserver, the University of Michigan, shodan, and Erratasec. They all use specific tools, such as nmap, massscan, zmap. Those tools enable entities to scan the entire internet in 45 minutes from 1 machine with 1 gb/s.
Schloesser talked a bit about “The Internet Census 2012” – the guy who hacked 400,000-500,000 devices that had standard passwords and used them to scan the entire internet for all ports and banners. A little history on worldwide vulnerabilities was presented. IPMI, UPnP, and NTP were all covered. Scholesser emphasized the fact that Rapid7 has always been paying attention to these issues.
There are currently around 10k routers with no telnet password at all; you’re just logged in as admin per default upon connecting. There are also devices with SNMP strings with username/pw in string, which include Windows command shell access applications/devices, Linux root shells applications/devices (3k vulnerable of each), web-based license plate readers, and serial port readers — all of them devices that make network disabled devices into network enabled devices.
Rapid7 is running a “scan all the things” project to raise awareness these and other issues. It’s a big data collection project.
Saumil Shah presented next on “Hacking with pictures.” Shah is focused primarily on offensive security; he researches how attackers are able to deliver exploits and slip under/avoid the radar. Attackers are able to avoid detection using JS obfuscation, broken file formats, OLE embedding, split code across JavaScript and actionscript, and spreading the payload. (Loading resources from different places hides it from security tools.)
Shah then went on to show how we can use CANVAS to pull out characters from a picture and reassemble it as JavaScript hidden inside the picture. First, he presented a perfect PNG file and a perfectly valid piece of JavaScript. It’s a polyglot method like angecryption. Then came demo time. Shah presented a picture of a cat with JavaScript showing the current time. (The time updated on every click or refresh.) He also announced that he had found out how to do it with JPGs. JPEG is more powerful for hiding stuff, after all. He ultimately broke it thanks to EXIF in IE 9 and above using Canvas for exploit dev and heap spray through Pixel arrays. Calc.exe popped on the heap spray demo, and the exploit here would even have avoided EMET. So now any picture can be an exploit delivery. When you decouple the image file containing the exploit from the decoder file, both files are clean in the eyes of security engines. Then the decoder pulls the script out of the image file for you.
Shah then brought everything together with three imagines on a page. The heap spray only started when the user moused over on the third picture; the other two were safe.
So what does this mean? Now payloads can go back in time, meaning that time travel — at least from a security standpoint — has almost become possible. Send a target a picture with an exploit, and it does nothing by itself. But then you push them the decoder, which is also safe, which creates a get 304 (data already present), and boom!
This attack vector will work in the wild, so it is reasonable to expect that we will see instances of it pretty soon.
But how do you defend against something that is not limited to just browsers but implicates anything that parses images?
This ought to be a wakeup call for browser security guys. After all, why should a JavaScript file load with a picture?
Next up were Paul Rascagneres and Eric Leblond, who presented on “D&D of malware with exotic CNC.”
The researchers went through various malware and interesting exfil methods and then showed how to detect and/or block using Suricata (YAY For defenses). Feasible methods include:
1. Named pipes from a non-Internet connected machine.
2. DNS, such as FrameworkPOS being used in the Home Depot breach. (A funny detail was revealed here. A bad guy implemented his malware with double XOR obfuscation. That gives plaintext.) To block this using Suricata, you find DNS exfil via LUA. When the fast pattern matches, then you do a deep check.
3. Steganography methods, i.e. Uroboros hid data in image files. Suricata provides no direct detection options, but when it comes to saving image files and manually inspecting them, iNotify is your friend.
Humans always beat magic boxes, as Paul said during his presentation.
Dominique Bongard then presented on “weak random number generator in WPS external pin protocol implementations.” His presentation went through some history of WPS, attacks, and why it’s insecure. A static WPS pin is very insecure due to pin re-use. A brute force attack on the pin has already been demonstrated in other conference presentations. What’s new this time is that actors can launch an offline WPS attack.
The next part of Bongard’s presentation consisted mainly of basic mathematics applied to crypto unknown variables. 2 constants (E-S1 and 2) are generated with PNRGs, which are often weak pseudo random generators. Can we recover the state of the PNRGs? Yes, you can recover the state and brute force the PIN, so you’re on the router in very little time (24-bit brute force). In Ralink E-S1 and 2 are 0x0 = o. The vulnerabilities can be widespread in WPS implementations, so Bongard contacted some vendors about his research. His efforts did not yield any productive results. Indeed, it is shameful how the security industry still isn’t able to handle disclosures from researchers.
Broadcom, Ralink, Cisco were all bad contacts. The WiFi alliance did actually contact him regarding how he should have done the incident reporting/disclosure, but then he never heard back.
Vendors use easily sniffed info like MAC addresses for generating random numbers, which is never a good idea. The takeaway? Disable WPS on all APs; disabled firmware is only secure way, I guess.
Following Bongard’s presentation, Glib Pakharenko discussed “Cyber attacks during the revolution in Ukraine and the war with Russia.”
Cyber attacks were common before the revolution, but as Glib reveals, things changed once the revolution started. Malicious traffic was rerouted out of Belarus and Cyprus instead of Ukraine, causing an unprecedented drop in the global attribution of attacks to Ukraine IPs. But ultimately it was just rerouted and not gone. Banks and corporations supporting the revolution were attacked, and police confiscated servers, computers, and phones to gain access to protestor social media accounts. PSTN phones were not working in some areas, and the opposition main TV channel was taken offline. Also, massive DDoS attacks were launched against the new government directly following its establishment.
Obviously, communication channels between the Ukraine and Crimea/Russia were limited, with data and servers hosted in Crimea stolen. Russian terrorists attacked cabling infrastructure and ATMs in Kiev, with traffic re-routing into Russia for interception (BGP hijacking?). Via the coordination of its military on television, Russia was able to intercept talk (voice) traffic and media and to hack media, state, and personal accounts
An interesting note: artillery fire was being corrected using mobile phone communication. This has in part led Ukrainians to fear everything made in Russia, including Kaspersky Internet Security suites.
At this point in his talk, Glib shared a plea with us. He urged us to send cheap and efficient ideas for national cyber security to his email. If you have ideas, reach out to Glib. You can find his email in the talk-2014 Hack.lu archive.
Next a few lightning talks took place. My take here is brief for some, for I was talking to some nice people.
First up, a debugging tool called Radare2 was presented. It seemed similar to IDA in what it does.
Bettercrypto announced the public availability of IntelMQ manager – a tool to enrich and visualize data. (Remember the motto – always Open Source!)
I distinctly recall Maximilian Hils presenting “miTM proxy – mitmproxy the man-in-the-middle HTTPS proxy. This is a very flexible proxy in that it can perform upstream proxy, reverse proxy, and transparent proxy. Batteries are included, with client server replay, replacement patterns, and TCP generics available.
Eric Leblond also presented. His talk addressed SELKS, an installable and live ISO based on Debian live. In essence, it is a Suricata configured and manageable via a web interface. Nice that it is helping to make Suricata more accessible to the community in general. Definitely need to try it out.
Featured Download: Social media access at work. Do your employees know the rules?
Next up was aresentation by Didier Stevens: “Detecting security cameras with an IR camera.” I apologize, but I wasn’t paying a lot of attention here.
Following Stevens, Amihai Neiderman presented “How I hacked my city.” Neiderman found a weird free WiFi access point once while travelling. This WIFI and it’s website led to a company that had an allegedly “unbreakable VPN” product among a host of other products (Cue: Challenge to a researcher/hacker). Neiderman accepted the challenge. He started downloading and reversing firmwares to see what he could find. A lot of work later, he received access to parts of firmware and started looking for vulnerabilities. He eventually found one, at which point he wrote an exploit and set up a test system. But the test didn’t work, for it needed to use a larger HTTP header than is usually allowed in order to deliver it. Too bad.
Neiderman at this point started over again. A new search revealed a new vulnerability, which led to a new exploit being successfully proven. He then responsibly disclosed the exploit to the company, who handled it nicely and wondered how anyone could break their XOR encryption.
At one point, a Ukrainian hacker contacted him in an attempt to obtain the exploit!
Neiderman’s talk was followed by Francisco Falcon presentation on “Breaking out of virtualBox through 3d acceleration.” The Oracle VirtualBox hypervisor was broken into during this presentation. It was a very technical presentation of how he discovered several 0days in the Chromium server and in VirtualBox. Non-ASLR modules, he noted, can be relocated, so you cannot always trust that they are in a static address. He conducted a new exploit search and found one with full ASLR bypass. After figuring out a way to heap spray (second vulnerability), he was able to use the first vulnerability, control two fields of a structure, and read the memory on the hypervisor. Then he got control of a pointer directing to a known address which he leaked to the guest side using the established controlled buffer. This gave him the ability to calculate the address of the Chromium server DLL and allowed him to build the ROP chain to break out of the guest,!
The demo worked; the calc.exe popped.
With regards to reducing the risk of a VM breakout, Falcon suggested the following:
– Run EMET on host
– Remove VirtualBox guest additions
– Reduce guest/host integration features
This means you essentially give up useability for security. VirtualBox added the Chromium library to the hypervisor without even thinking about its security. But as we know, you must always think in security! Security by design/default is the end goal. Never forget that, people!
Next up was Sebastian Garcia, who presented “On botnets behavioral patterns in the network: How are we detecting malware?” His talk dealt with analyzing both the binaries and the network traffic. Currently, there are 39 products in the market that do this. But what is working? Few machine learning approaches exist, and anomaly detection especially may not work at all or only under specific circumstances. How long does an indicator sit in a threat intel feed?
A lot of of things are not working in machine learning, including algo descriptions and decently labeled datasets. Also, there is a lack of good evaluations in real environments, the results depend on the dataset and metrics, and generalization is very difficult. Garcia presented a very good graph of botnet CnC traffic and how it can develop over time.
His proposal: we need to deal with this complexity by analyzing and dealing with each single connection, that is, by defining a connection as a type of traffic connected with a certain type of action.
He then presented the 4-tuples method, which simply aggregates NetFlows by ignoring the source port. It extracts three features from each of these NetFlows, and from this data it’s possible to compute a state for each NetFlow. Traffic patterns when 4-tupled are different between a normal PC/server and a botnet PC. The state of the connection is important, but also the transitions between states may give even more information. It is therefore recommended that one matches the stored and trained models to new data streams in order to reliably detect malware/botnets.
Garcia’s botnet detection results: 78% – best 93% and FPR of 0,2% to 10%. (The best results occurred after the model was trained.)
The system was compared to three other models: CAMnEP system, BotHunter system, and BClus systems.
Is this research on par with the current security needs of the world? Or is it 10 years behind like so many others? I don’t know. The next step is behavioral IPS, where we block selected behaviors based on known models. Behavior is key to long-term detection.
Finally, Jeremy Brown and David Seidman from Microsoft presented “Microsoft vulnerability research: how to be a finder as a vendor.” Jeremy brown has been a contributor since 2011. He likes bugs, but he also enjoys fixing things.
MSVR is the product of MS’s need to coordinate the disclosure of vulnerabilities affecting other vendors but that affect products used by or affected by MS products. They do responsible disclosure, reproduction, advice on severity to vendors, and test fixes; they only ask for credit in fixes from vendors in return.
The day ended with a researcher’s dinner arranged by one of the presenters, where I was lucky enough to be invited as a guest. This was an amazing experience. I was surrounded by technical people who possess amazing skills and insight into infosec. I obviously didn’t contribute much except for #TwitterBrain knowledge absorbed through my marathon Twitter sessions. Keeping up with a Twitter feed of 450+ following is quite a task, but it seems a necessity to be able to stay in the know.
I’d recommend the Hack.lu team to arrange something for each of the evenings of this conference since a lot of useful knowledge sharing comes also from the more informal peer-to-peer sessions. To summarize this conference, Hack.lu was a value-proposition from one end to the other for both Defenders, Researchers and Analysts. I highly recommend you sign up next year, if you have the chance. I hope my summaries of the different talks weren’t inaccurate or boring. For any mistakes I made, my apologies.
Claus Cramon Houmann | IT Security Consultant | @ClausHoumann
To find out more about our panel members visit the biographies page.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.