TLS, CAs, chains of trust and certificate pinning

I’ve been mocking Sun Tzu and trying to make 3D printing useful in my last articles. It’s time for some hardcore InfoSec action. More specifically, how to prevent eavesdropping on mobile apps.

When a TLS (Transport Layer Security) certificate is assigned, there is a trust chain that is created to verify everyone from the root CA (Certificate Authority) to the actual website’s certificate.

The chain itself is not verified. A given system, for example a web browser, will consider a server’s certificate as valid because it can build a valid chain with all the signatures and matching names according to X.509, which starts with a root CA that the client already has and ends with the certificate to validate (the server’s certificate). When a website changes its certificate, the rest of the chain remains the same.

Signatures don’t create trust, they transport trust. It still has to start somewhere. Each client (either the browser or the operating system) comes with a list of trusted CAs. These are the public keys and names of some entities which are deemed trustworthy. The user doesn’t choose them; the operating system or the browser comes pre-loaded with these. The root CAs are trustworthy if you trust them not to issue certificates with fake information. When a CA signs a certificate for some entity, it is supposed to make sure that the public key that the CA puts in that certificate, along with the entity’s name, is really owned by that entity. Similarly, when a root CA delegates its power to another CA (intermediate CA), it makes sure through audits and binding contracts that the sub CA is trustworthy and that it will apply the same rules.

The Public Key Infrastructure relies on the client knowing a priori a handful of public keys owned by trusted CAs and implicitly trusting everything that these CAs sign. The certificates assume a tree-like structure, with the root and sub CAs as the tree and the end-entities, the TLS server certificates, as leaves. A certificate chain is a path from the root to a given leaf.

If a root or sub CA becomes untrustworthy a process known as revocation is triggered.

When installing a proxy (think Burp or ZAP) to intercept TLS traffic, the pentester (or the attacker!?) exports the proxy certificate and installs it as a root CA on the target system. All the TLS certificates will be signed by this new root CA.

Before the new root CA is installed, the browser will display information like this


After the new root CA is installed, it starts signing all the certificates and the browser will report the following

 

In the example above (PortSwigger’s Burp certificate was installed on the target system) this happens because each CA can create any certificates they want, for example they can create a certificate for google.com even if there is already such a certificate from another CA. And the browser will accept these certificates because they trust the root CA.

Now, mobile apps have a particular way of protecting against this. In a simplified scenario it works something like this: the client makes a connection to the server and the server responds with its TLS certificate. If that certificate was issued by a Certificate Authority that is trusted by the OS, then the connection is allowed. All data sent through this connection is then encrypted with the server’s public key. From an attacker’s perspective, the mobile device would have to trust the attacker’s certificate. Through phishing, physical access or other means an attacker can push a CA certificate on the device and thus be able to perform man in the middle attacks.

Certificate pinning to the rescue

Certificate pinning is making sure the client checks the server’s certificate against a known copy of that certificate hard-coded in the application, and not against the OS’s trusted CAs. Simply bundle your server’s certificate inside your application, and make sure any TLS request first validates that the server’s certificate exactly matches the bundled certificate. A good article on the technical bits of certificate pinning implementation can be found on OWASP’s web site.

The problem of multiple end-points

A mobile application can connect to multiple backend services. Multiple endpoints means multiple public certificates that need pinning. For a handful it might be manageable but if the number increases it’s advisable to look for another solution. Creating a unique endpoint that acts as a proxy and a load balancer for all the requests might be a feasible solution and would require just one pinned certificate.
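The pinning check and the multiple-endpoint problem described above, as an added example in Python (not code from the original post or from any mobile SDK). The hostnames and the byte strings standing in for bundled DER certificates are constructed, and the example keeps the normal CA chain validation and adds the pin on top of it, which is a design choice of this example.

```python
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """The server presented a certificate that is not bundled with the app."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the exact DER bytes: any change to the certificate changes it."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Maps each backend hostname to the fingerprints of its bundled certificates."""

    def __init__(self):
        self._pins = {}

    def pin(self, host: str, der_cert: bytes) -> None:
        # One host may carry several pins, e.g. the current certificate and
        # its already-issued replacement, so a renewal does not lock users out.
        self._pins.setdefault(host.lower(), set()).add(fingerprint(der_cert))

    def matches(self, host: str, presented_der: bytes) -> bool:
        pins = self._pins.get(host.lower())
        if not pins or not presented_der:
            return False  # fail closed: unknown endpoint or no certificate
        return fingerprint(presented_der) in pins


def connect_pinned(store: PinStore, host: str, port: int = 443, timeout: float = 10.0):
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.

    A certificate minted by an interception proxy whose root CA was installed
    on the device passes the chain validation below, but its bytes differ
    from the bundled copy, so the pin check rejects it.
    """
    context = ssl.create_default_context()  # chain + hostname validation
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = context.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    presented = tls.getpeercert(binary_form=True)  # leaf certificate, DER bytes
    if not store.matches(host, presented):
        tls.close()
        raise PinMismatch(f"{host}: presented certificate is not pinned")
    return tls


# Constructed stand-ins for DER-encoded certificates (not real certificates).
API_CERT = b"constructed DER bytes: api.example.test"
AUTH_CERT = b"constructed DER bytes: auth.example.test"
PROXY_CERT = b"constructed DER bytes: api.example.test issued by a proxy CA"


def build_store() -> PinStore:
    """Two backends means two pins to ship and to keep current."""
    store = PinStore()
    store.pin("api.example.test", API_CERT)
    store.pin("auth.example.test", AUTH_CERT)
    return store
```

Every additional backend adds an entry to `build_store()` that has to be shipped in an app update whenever that certificate changes, which is the maintenance cost the single proxy endpoint avoids.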

As additional supporting material and refresher, I propose the following:

Look too much into the Sun (Tzu) and you will be blinded

You can’t go to a security conference nowadays and not hear at least 700 references to Sun Tzu and his writing, The Art of War. And how important and relevant that book is to the world of Information Security.

But let’s not limit our focus to the InfoSec guys. Life coaches (whatever they are) are abusing the subject with exaggerated comparisons and vague slogans. And the business people, oh, believe me, these are the most creative. Telling you how big of a war is out there and how to deal with it like a boss. I kind of secretly desire for a cooking show to refer to The Art of War and debate how to diminish cucumbers’ morale before chopping and throwing them into the salad. All for a better taste of course, because, you know, cucumbers are the enemies.

I don’t find it particularly amusing to be the one breaking the spell but somebody has to do it.

So, The Art of War is a military treatise from 2500 years ago. One other important aspect you have to consider is that the writing and translation process was complicated to say the least. The origins of the text and author are known only to a certain degree of confidence and the writing went through several translation and reinterpretation cycles. It does outline some generic principles which can be applied in various aspects of life, especially if one has the tendency to generalize. Otherwise it talks about:

  • Using gongs, drums, banners and flags to raise morale (funny enough, some InfoSec companies take this ad litteram)
  • Analyzing weather and terrain conditions. Showing your troops that you packed enough food for the winter. If your rival’s forces are crossing a body of water, don’t meet them in the middle, where you’ll both be bogged down. Instead, wait until half of them have landed and attack while the entire army is divided.
  • How spies must be liberally rewarded and their work highly appreciated.

Again, if one is prone to the confirmation bias and willing to look for far-fetched parallels, he can identify in the above 3 bullets awareness, reconnaissance and intelligence.

For these people I’m willing to recommend a few good readings:

  • Little Red Riding Hood, outlining the necessity for risk analysis. Red should have known better when walking the woods alone.
  • Snow White, which teaches us the need for security assessments. Our heroine could have used one of the dwarfs for QA testing the apple.
  • And finally, my favorite, The Three Little Pigs from which we can learn about the security in depth principle and the need for security architecture.

Next time you go into a meeting and talk about the importance of Information Security, use The Three Little Pigs as your support material (at your own risk).

The Art of War is a good book if read properly and understood in the context in which it was written. China, 2500 years ago. And it’s not the only strategy manual from that region and period, another good read is The Seven Military Classics of Ancient China. The only universal principle coming out of these texts is that you must know yourself, your opponents and the context, and adapt your strategies accordingly.

More 3D printing: fixing a broken car key

I’ve been told that my 3D printing hobby is not practical in the real world. And it’s mostly true. That’s why it’s a hobby.

However, I managed to solve an otherwise costly problem.

Due to domestic accidents (don’t ask), the hook of the detachable car key of the Suzuki Swift can break. With a 3D printer and a heat source we can fix that problem easily.

The problem

Measurements, SketchUp, a nice logo and we have a model ready to be printed.

3D model ready to be printed
The actual print

The tricky bit was to insert the metal part in the 3d printed part, pliers and the gas cooker were helpful in the process. I heated the metal part and carefully inserted it. During the cooling process, the metal part got fixed in the plastic cap.

Ready for heating and insertion

And the final result

If you have the same problem and more importantly the same car, I posted the model on Thingiverse.

The revised and compressed OWASP Top 3 Web Application Vulnerabilities

I love Top 10s. They’re everywhere and about everything: Top 10 Fascinating Facts About Neanderthals, Top 10 Crazy Bridal Preparation Customs, Top 10 Alleged Battles Between Humans And Aliens, etc.

But my question was always: why 10? Why not 11? Or 9. Or whatever else? I guess 10 sounds more important than 11 or 9. It’s the decimal system, 10 fingers, easy to visualize. What would you trust more, a Top 11 or a Top 10? Then the pressure is on the top creator to add, eliminate or combine elements to end up with 10 for a credible list.

Let’s get back to our InfoSec sheep. I prefer simplification and that’s why I started a quest to see if I can end up with a shorter version of the OWASP Top 10.

"The OWASP Top Ten is a powerful awareness document for web application security [...] represents a broad consensus about what the most critical web application security flaws are. [...] Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code." [link]

The OWASP Top 10 is a versatile project and can be used in multiple ways. But as you work with it, you realize that it is a little bit bloated.

Short URLs are Harmful for Cloud Data Sharing

I was never a big fan of sharing cloud data through a unique link, rather than nominating the specific people that can access the data. To me it feels like security through obscurity.

It looks something like this:

https://{cloud_storage_provider}/?secret_token={some_unique_token}

All the security of this model relies on the randomness and length of the secret token. But essentially the data is exposed to everyone. Google (Drive) is doing it, Microsoft (OneDrive) is doing it.

Now the really silly part comes in. Because the URL is quite lengthy, a decision was made to use URL shorteners (goo.gl, bit.ly, etc.) to distribute the above mentioned links. Which essentially means that the entropy of the secret link is now reduced to just a few characters (around 6 usually).

Martin Georgiev and Vitaly Shmatikov from Cornell Tech did some interesting research on these shortener services to see how much data they could gather, and the results were impressive/scary. They were able to trace Google Maps searches back to individuals and get access to confidential data.

A slightly more complex 3D printing project – The Pirate

I bought a Prusa i3 kit some time ago, in an effort to experiment a little bit around 3D printing.

In parallel, I had a discussion about everything with Dani (like most of our discussions).  Things like Kickstarter, games, prototyping and USB sticks were predominant in that particular one. A few days later he came back with a set of pirate characters and a story-line. I decided to focus on the main one and build a prototype.

The initial character sheet

Another, more colorful version

Hacking the Wii remote control

You know that sensation when you are ready to make that winning move but the Wii Remote is thinking otherwise and refuses to move as you intended? I feel the same and I had strong bad feelings about my controller(s). You might have noticed that I never considered that it might be my lack of skills, the controller is always to be blamed! And I keep changing them.

My feelings for the Wii Remote changed after I saw what Johnny Lee can do with it:

  • Tracking Your Fingers
  • Multi-point Interactive Whiteboards
  • Head Tracking for Desktop VR Displays

It’s pretty impressive for a 15$ piece of hardware and some additional components that you can get for a couple of bucks. Not to mention that if you already have the Wii console, it’s free.

Johnny published all the software on his site so that you can replicate (and maybe extend?) his work.

He delivered a presentation at TED demonstrating some of his work:

Updating Kali Linux from behind a restrictive proxy

I installed Kali Linux from the mini ISO, so I ended up with a fully functioning Linux system but with little to no tools (just nmap and ncat).

In order to install the tools that are making Kali what it is, I had to install the metapackages. For me, the easiest option was to install all of them (kali-linux-all).

It sounds simple:

# apt-get install kali-linux-all

but it was failing constantly

Failed to fetch http://http.kali.org/kali/pool/main/##whatever_package## Size mismatch

A little bit of research and trying to download the actual package from the host machine made me realize that the proxy was blocking access to the packages.

I decided to check if Tor traffic is allowed. Luckily it was. So I installed it

# apt-get install tor

started it

# tor &

and used torify to pass all the traffic through Tor

# torify apt-get install kali-linux-all

A few more minutes (6+ GB) and I had my fully featured Kali installation.

http vs https performance

A while ago I had a huge argument with a development team regarding the usage of https. Their major concern was that the impact on performance would be so big that their servers wouldn’t be able to handle the load.

Their approach was to use https just for the login sequence and plain text communication for everything else. And it was not like they didn’t understand the underlying problem of sending session cookies over an unencrypted channel, it was just that they thought https is too much for the servers to deal with.

Doing some research back then, I found a paper from the 90s stating that the performance impact was between 10 and 20%. And that only because of the hardware (mainly CPU) available at that time. With the advancement in computational power that should have decreased over time.

And indeed, as of 2010, Gmail switched to using HTTPS for everything by default. Their calculation shows that SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Of course there were some tweaks, but no rocket science involved.

1%, 2%, 10KB. Nothing. I remember somebody saying that 640KB ought to be enough for anyone 🙂 Maybe he knew something. As you can see in the link, Bill Gates didn’t actually say that.

5 more years have passed since then, hardware is more capable, cheaper, so there’s no excuse not to use https.

I’ve seen poor implementations where all http traffic was passed over a secure channel, but not the .js files. Needless to say, a MitM attack can easily modify the .js on the fly and run code in the victim’s browser.

As a closing note, use https for everything, don’t invoke the performance issues, there’s no reason in the current era not to do so.
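The failure described above, a page served over https that still pulls its .js files over plain http, can be checked for mechanically. This added example (not from the original post; the hostnames and HTML are constructed) resolves every script, stylesheet and iframe reference against the page URL, honouring a `<base>` tag, and reports the ones that end up on http.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ActiveContentAudit(HTMLParser):
    """Collects active content (scripts, stylesheets, iframes) fetched over http."""

    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url   # relative references resolve against this
        self.base_seen = False     # only the first <base href> counts
        self.insecure = []         # (tag, resolved URL) pairs

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "base" and not self.base_seen and attr.get("href"):
            # A <base> tag silently changes where relative URLs point.
            self.base_url = urljoin(self.base_url, attr["href"].strip())
            self.base_seen = True
            return
        if tag in ("script", "iframe"):
            ref = attr.get("src")
        elif tag == "link" and "stylesheet" in (attr.get("rel") or "").lower():
            ref = attr.get("href")
        else:
            return                 # images and other passive content are ignored
        if not ref:
            return                 # inline script, nothing is fetched
        resolved = urljoin(self.base_url, ref.strip())
        if urlsplit(resolved).scheme == "http":
            self.insecure.append((tag, resolved))


def find_insecure_active_content(page_url, html):
    """Return the (tag, url) pairs a man in the middle could rewrite in transit."""
    audit = ActiveContentAudit(page_url)
    audit.feed(html)
    audit.close()
    return audit.insecure


# Constructed sample pages, both assumed to be served over https.
PAGE_URL = "https://shop.example.test/account"

SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://shop.example.test/js/login.js"></script>
<script src="http://static.example.test/js/cart.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<script>var inline = 1;</script>
</head><body><img src="http://static.example.test/logo.png"></body></html>
"""

SAMPLE_WITH_BASE = """
<html><head>
<base href="http://shop.example.test/">
<script src="js/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("with base", SAMPLE_WITH_BASE)):
        for tag, url in find_insecure_active_content(PAGE_URL, page):
            print(f"{name}: <{tag}> loaded over plain http: {url}")
```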

Is application security an agile process?

No. Judging by the way it is marketed and sold today, application security is not, by any means, agile.

Can it be? Well, Microsoft says so.  When it comes to security, Microsoft changed a lot in the past decade. The development frameworks they offer have built-in security features nowadays. So, if they say security can be built into an agile development methodology, maybe they know something.

Agile

From the old days of development where the waterfall model was the sine qua non, application security developed alongside and followed the same waterfall approach.

Let’s see what are the major interactions between application security and the software development process in a waterfall model approach:

  1. Requirements – AppSec defines non-functional requirements aka security requirements. High level risk and threat analysis are also performed during this phase
  2. Design – secure architecture analysis and finer grain risk analysis
  3. Construction – source code analysis
  4. Testing – penetration testing
  5. Debugging – follow up on the security defects mitigation process
  6. Deployment – retesting if needed
  7. Maintenance – regular retesting

The challenges with an agile methodology, if we are to consider the Agile Manifesto, are multiple. Let’s take it one by one:

  1. Requirements – In an agile environment, changing the requirements is welcomed. While the high level security requirements are the same, specific requirements based on the functionality of the application are needed. New functionality may open new threats so a threat analysis should be performed. Also, each functional requirement should go through a risk analysis process
  2. Design – if the new requirements require a change in the design of the application, a new architecture analysis should be performed to cover the change
  3. Construction – things are no different here compared to the waterfall model, however, because sprints are usually very short (a few weeks or even less) automation is a must.
  4. Testing – this is usually one of the major concerns, not only doing a penetration test on the changes, but also assessing the overall security implications
  5. Debugging – same as above, however at a much faster pace
  6. Deployment – similar
  7. Maintenance – in an agile environment, periodic retesting becomes crucial

So, what is there to be done to implement application security in an agile environment?

Here are some things to consider:

  • Security training; training the Agile team in respect to information and application security means they are going to take more security conscious decisions
  • Have a full time security expert in the agile team
  • Implement automation in the source code analysis; use a fully integrated solution with the development environment meaning that whenever a piece of code is saved in the repository, this gets scanned and potential security defects are sent to the bug tracking system for triage
  • Implement as much automation as possible in the testing phase; liaise with the QA team and implement security checks during that phase
  • Perform the individual regular activities at certain gates in the process (as opposed to each sprint)

It all boils down to the exact configuration of the development environment and the chosen methodology and processes, but application security can and should be mapped on them with very good results.

WordPress Security Implementation Guideline

I (finally) managed to complete my project on WordPress Security. You can find it here:

https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline

I also delivered a presentation at the OWASP Romania InfoSec Conference 2014 on this topic. The presentation is on SlideShare:

Yours truly in action:

Installing Raspbian from scratch without a keyboard or a monitor

So, you got your Raspberry Pi, a nice SD card, but you can’t remember the last time you saw a keyboard and the only thing around you is a laptop with Windows. Don’t worry, there’s a simple solution.

Download the latest version of Raspbian and Win32 Disk Imager.

Install Win32 Disk Imager and start the program (“Run as Administrator”), then select your SD card and the Raspbian image that you downloaded earlier. Sit back for a few minutes.

Since you don’t have any other means to access Raspbian other than SSH, you need to figure out the IP address.

You can set up your router to assign a unique IP address via DHCP for the MAC address corresponding to your Raspberry Pi.

Or you can scan for open SSH ports in your LAN:

# nmap -sT -p 22 -v 192.168.x.1-255

Once you’ve identified the IP of your Raspberry, SSH into it.

The default user/password is pi/raspberry. Needless to say, you should change your default password. You can also set a root password, just “sudo su” from the command line and run “passwd” once you have root privileges.

Now it’s time to set a static IP address. SSH into the box once you know the IP address and do the following.

# sudo cp /etc/network/interfaces /etc/network/interfaces.old
# sudo nano /etc/network/interfaces

In the end, the configuration file should look like this:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.x.222
    gateway 192.168.x.1
    netmask 255.255.255.0
    network 192.168.x.0
    broadcast 192.168.x.255

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

You just need to restart the network

# sudo /etc/init.d/networking restart

and you can SSH on the new static IP address.

Intercepting custom communication protocols in Windows 7

Actually, the title should have been: “Don’t feel lucky and go beyond the first result in a Google search”.

I’ve been using EchoMirage for some time but apparently I’ve been using the wrong one. Because when you search for it in Google you normally click the first link. Right? Wrong!

EchoMirage

Lock-picking, lock-pickers and hacking

I’ve never been that much into lock-picking myself, never quite got too excited by the subject.

Until I’ve seen this guy and his awesome presentation.

You feel like taking the tools and start practicing on your front door after seeing this. Or on your neighbor’s door, depending on your preferences and where you want to spend the night. You have to admit that Mr. Towne has a special gift and is a true showman.

Nevertheless, this is a perfect example of what hacking was originally supposed to mean, understanding (and exploiting) what happens inside a black box from a technical perspective. And even though it’s not related to InfoSec, it’s the perfect example to describe hacking to non-technical people.

Doing some more research about Schuyler Towne, I found out that he initiated a Kickstarter project to create custom lockpicks designed by a competitive lockpicker to bring “Open Locksport” to market. Awesome.

The only problem is that he failed to deliver the tools, and according to Wikipedia: “It was later revealed that Towne had been using the Kickstarter funds for his own purposes. These expenditures have included things such as travel and living expenses, car insurance and repairs, computer hardware and other undisclosed expenses. Towne also used the funds to take his family on a holiday and purchase a TV. A number of supporters have subsequently taken over the Kickstarter projects with initial picks out for delivery. However, as of 2014, the majority of orders have still not been filled.”

🙂 Isn’t that funny? He’s now paying back from his salary and speaking fees. He looks like the kind of lunatic you wouldn’t lend your money to but nevertheless a very funny and awesome lunatic.

Traffic mirroring in Linux

When analyzing traffic, it comes in handy to forward a copy of the traffic to a specific IP where a machine is listening and running Wireshark & stuff. It’s very useful for routers that don’t have the capabilities to run network analysis tools (like DD-WRT).

Just run the following commands replacing the xxx.xxx.xxx.xxx field with the IP of your listening machine:

# iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw xxx.xxx.xxx.xxx
# iptables -t mangle -A PREROUTING -s 0.0.0.0/0 -j ROUTE --tee --gw xxx.xxx.xxx.xxx

Permanent IP forwarding in Linux

We usually do

# echo 1 > /proc/sys/net/ipv4/ip_forward

when we want to enable forwarding in Linux.

If you want to make this change permanent, you need to edit the /etc/sysctl.conf file and add or uncomment the following line

net.ipv4.ip_forward = 1

Password policies in Windows

To access the password policy in Windows just go to Start and type in the search box secpol.msc. Click on secpol and you’ll be presented with the security policy.

Go to Account Policies, then click on Password Policy.

The options, explained:

  • History – how many passwords will Windows store (you won’t be able to reuse these passwords)
  • Complexity requirements – if enabled, the Windows complexity requirement states that passwords should be at least 6 characters long, must not contain the username, have at least 3 different character types ([a-z][A-Z][0-9][special characters])
  • Minimum length – this overrides the previous length setting
  • Store passwords using reversible encryption – self explanatory; note that if the key used for encryption is lost, the password can be retrieved
  • Maximum age – how long (in days) until the user is forced to change the password
  • Minimum age – very interesting option! If left to 0 you can change the password as many times as you like in one day. The problem is in conjunction with History. If, for example, History is set to 5, a user can change 6 passwords in one day and reuse the original password.

More information on: http://windows.microsoft.com/en-au/windows-vista/change-password-policy-settings

OWASP Romania

If you are an English speaker, well, this is a post announcing and promoting the Romanian Chapter of OWASP. You can join your local chapter or the global effort of OWASP to improve information security.

###

OWASP (The Open Web Application Security Project) now has a local chapter in Romania as well. We are looking for new members with whom to build a strong team of people involved in information security. Our main goal is to form a local community in which we can find and offer support for each other’s projects, and learn and progress in this field in which we work or for which we have a special passion.

What OWASP is: a global community that brings visibility to, and drives the evolution of, software safety and security.

What the organization aims to do in Romania:

– initiate regular meetings between members

– bring people involved in OWASP at the global level to the regular meetings

– contribute to OWASP projects

– propose and develop its own projects within OWASP

– organize a security conference in Romania

OWASP’s activity is not commercial or for profit. The business community is, however, welcome and encouraged to support OWASP projects.

How can you become an active member of this community? Go to the OWASP Romania page, join our LinkedIn group, subscribe to the mailing list and get in touch with the other members.

Techniques to play with custom and encrypted protocols

An interesting presentation from DEFCON20 given by Elie Bursztein and Patrick Samy called “Fuzzing Online Games” touches areas of application security where traffic analysis is not enough to perform a penetration test.

As stated by the authors:
“In a nutshell the lack of direct access to the game server and having to deal with clients that are far too complex to be easily emulated force us to rely on injecting fuzzing data into a legitimate connections rather than use the standard replay execution approach. Top that with heavily encrypted and complex network protocols and you start to see why we had to become creative to succeed :)”

The problem for an application security analyst is that most of the communication is encrypted and uses custom protocols that can’t be intercepted using standard proxies like Burp or Charles. One option is to use Mallory as a transport layer proxy, which should be fine with some custom protocols but still doesn’t deal with the encryption problem. So reverse engineering and memory analysis and manipulation must be involved.

Techniques proposed by the presenters:
– Combining network traffic analysis with memory analysis (check what happens in the memory when certain packets are sent over the wire)

Challenges involved:
– Intercepting traffic
– Bypassing Encryption
– Reversing the protocol
– Monitoring the results of fuzzing

Traffic interception:
– DLL injection at the application level – direct access to game state
– Write a driver at the OS level
– Pass the traffic through an intercepting box – this is done at the network level; as a side note this can be done on the same box using Wireshark; keep in mind that Wireshark does not intercept packets sent on the loopback interface and you can use RawCap for this

DLL injection:
– Most applications use the Windows Winsock API and the interesting functions to watch for are connect, recv and send
– Ways to do it: the Microsoft Detours library and IAT (Import Address Table) hooking:
o http://sandsprite.com/CodeStuff/Understanding_imports.html
o http://sandsprite.com/CodeStuff/IAT_Hooking.html
– The problem is that protection mechanisms like anti-cheating engines detect hooking

Writing a driver:
– Windows Filtering Platform – could be an excellent replacement for Mallory since we don’t need an external machine (even a virtual one) to capture the packets

The presenters then focus on the analysis of the custom LoL (League of Legends) protocol to give a practical example. Among others, they use packet, statistical and n-gram analysis and search for a feasible way to fuzz the protocol. They don’t go into details like tools, usage and how to perform the analysis but stay at a high level.

Webmin and Virtualmin installation on Debian

Now that we have a fresh and clean Debian installation we can proceed to Webmin and Virtualmin installation.

Although installing Apache, MySQL and other stuff needed for a web server by hand is not hard and you can find a lot of support, I prefer installing Webmin and Virtualmin to ease the administrative tasks.

If you’re planning for a new server you should start with a fresh Debian installation with only the basic stuff on it.

Fast Debian installation of Webmin:

# wget http://www.webmin.com/download/deb/webmin-current.deb
# dpkg --install webmin-current.deb

You will probably miss some dependencies and will have to install them via ‘apt-get install‘. On my fresh Debian I was missing some perl modules so I did ‘apt-get install perl’, again dependencies missing, but with an ‘apt-get install -f‘ (as instructed) I solved it.

Install a clean Debian on Virtualbox

I don’t test my ‘ideas’ on live servers, nor do I keep unnecessary hardware around the house to play with them. So I use the other option in hand, a virtual machine. Despite the fact that this will be a VM installation of Debian, the idea for a very clean and basic installation is the same for a real hardware installation.

For my testing purposes I prefer Oracle VM VirtualBox instead of VMWare. First of all because it’s free for home use and secondly it’s smaller and faster for the applications I run. If you don’t already have it installed you can download it from https://www.virtualbox.org/wiki/Downloads.

You might have noticed that I’m a Debian fan; this is the system I have worked with for a long time so it’s more of a habit now. For our clean installation we’ll use the so called NetInstall version. It’s a small ISO image (under 200MB), containing only the basics for the installation; the rest of the applications will be downloaded during the install phase. So you must have internet access during installation (if you read this article you surely do, but pay attention when installing on real hardware). So, download the latest version of Debian NetInstall from http://www.debian.org/CD/netinst/.

Start VirtualBox and let’s create a new Virtual Machine, by selecting New:

New Virtual Machine

Installing TCPDump on DD-WRT

Now that we have JFFS enabled we can install new apps on our router. Note that the apps are installed into RAM and will vanish when you log out. You can write a script to automatically install your preferred applications during the log in process.

DD-WRT does not come with a repository but we can use the OpenWRT packages. Just run the following from the command line:

mkdir -p /tmp/smbshare/tmp/ipkg
cd /tmp/smbshare/tmp/ipkg
wget http://downloads.openwrt.org/whiterussian/packages/libpcap_0.9.4-1_mipsel.ipk
ipkg -d smbfs install libpcap_0.9.4-1_mipsel.ipk
wget http://downloads.openwrt.org/whiterussian/packages/tcpdump_3.9.4-1_mipsel.ipk
ipkg -d smbfs install tcpdump_3.9.4-1_mipsel.ipk
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/tmp/smbshare/usr/lib"
PATH="$PATH:/tmp/smbshare/usr/sbin"

We first install libpcap, a library used by tcpdump. You might get some warnings but it’s fairly safe to ignore them. That’s it, run ‘tcpdump’ from the command prompt and let the flow amaze you. We’ll later discuss some options of tcpdump.

You can check the OpenWRT repositories for other great pieces of software ported and prepared for embedded devices: http://downloads.openwrt.org/whiterussian/packages/
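The login-time install script mentioned above could look like this; it is an added example, not code from the original post. The paths, URLs and package names are the post's, while the stamp files, the overridable FETCH/IPKG commands, the optional SHA-256 pin (the repository is plain HTTP) and the presence of sha256sum in the firmware's BusyBox build are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: login-time re-install of the two
# packages into the RAM-backed tree. Paths, URLs and package names are the
# post's; the stamp files, the overridable FETCH/IPKG commands and the optional
# SHA-256 pin are assumptions of this sketch.
ROOT=${ROOT:-/tmp/smbshare}
REPO=${REPO:-http://downloads.openwrt.org/whiterussian/packages}
FETCH=${FETCH:-wget}
IPKG=${IPKG:-ipkg}

# install_ipk <file.ipk> [sha256]: fetch and install one package, once per boot.
# The download is unauthenticated HTTP, so a digest recorded from a copy you
# trust is the only integrity check; without one a warning is printed.
install_ipk() {
    pkg=$1; pin=${2:-}
    stamp="$ROOT/tmp/ipkg/$pkg.installed"
    [ -e "$stamp" ] && return 0
    mkdir -p "$ROOT/tmp/ipkg" || return 1
    (
        cd "$ROOT/tmp/ipkg" || exit 1
        rm -f "$pkg"
        $FETCH "$REPO/$pkg" || exit 1
        [ -s "$pkg" ] || { echo "empty download: $pkg" >&2; exit 1; }
        if [ -n "$pin" ]; then
            got=$(sha256sum "$pkg" | cut -d' ' -f1)
            [ "$got" = "$pin" ] || { echo "digest mismatch: $pkg" >&2; rm -f "$pkg"; exit 1; }
        else
            echo "warning: installing $pkg without an integrity check" >&2
        fi
        $IPKG -d smbfs install "$pkg"
    ) || return 1
    : > "$stamp"
}

# Install libpcap first (tcpdump uses it), then extend the search paths once.
setup_tcpdump() {
    install_ipk libpcap_0.9.4-1_mipsel.ipk "${LIBPCAP_SHA256:-}" || return 1
    install_ipk tcpdump_3.9.4-1_mipsel.ipk "${TCPDUMP_SHA256:-}" || return 1
    case ":$PATH:" in
        *":$ROOT/usr/sbin:"*) ;;
        *) PATH="$PATH:$ROOT/usr/sbin" ;;
    esac
    case ":${LD_LIBRARY_PATH:-}:" in
        *":$ROOT/usr/lib:"*) ;;
        *) LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$ROOT/usr/lib" ;;
    esac
    export PATH LD_LIBRARY_PATH
}

# From a login script: source this file, then call setup_tcpdump.
```

Set LIBPCAP_SHA256 and TCPDUMP_SHA256 to digests you recorded yourself before sourcing the file; left empty, the script installs with a warning only.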

Enabling JFFS in DD-WRT from SSH

I like DD-WRT, it offers the basic tools needed for a router but I’d like to install other apps as well. The problem with embedded devices is that the system is installed in the non-volatile memory (usually 2-4MB) and one can only use the RAM to install apps.

But first we need to map the RAM into a JFFS. There is an option in the web interface allowing us to do so but there goes all the fun. Plus there is a major issue with DD-WRT v24sp1 VPN builds having the JFFS feature removed, presumably due to conflicts between JFFS and bandwidth monitoring. And if we don’t care about bandwidth monitoring we can enable JFFS from the command line.

nvram set jffs_mounted=1
nvram set enable_jffs2=1
nvram set sys_enable_jffs2=1
nvram set clean_jffs2=1
nvram set sys_clean_jffs2=1
nvram commit
reboot

I noticed a “longer than usual” reboot after these operations. If we want to unmount the JFFS:

nvram set sys_enable_jffs2=0
nvram set sys_clean_jffs2=0
nvram set jffs_mounted=0
nvram commit
reboot

The variables created in these operations can be deleted with nvram unset <var>.

Enabling DD-WRT web interface from SSH

With this article we’re starting a new category regarding DD-WRT and micro-embedded devices.

I’ve been using DD-WRT (and other variants such as Open-WRT, Tomato, etc., depending on the device) for quite a while, and every now and then I need to re-enable the web interface from the command line. For instance, I found the web interface not responding even though it was enabled, so I wanted to reinitialize it. Just log in via SSH (we all know Telnet is bad, right?) and do the following.

Stopping the web interface from SSH (if it is enabled):

nvram set httpd_enable=0
nvram set http_enable=0
killall httpd


Starting the web interface and setting the parameters (the long and safer version):

nvram set remote_management=1
nvram set http_wanport=8080
nvram set httpsd_enable=1
nvram set https_enable=1
nvram set remote_mgt_https=1
nvram commit
reboot

So now just point your browser to https://your_public_ip:8080.

Notice we enabled https for remote management. Feel free to use any port you like and if you’re a fan of security thru obscurity you might want to use an unassigned port from IANA.
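A check for the settings above, as an added example that is not part of the original post: it reads ‘nvram show’ style key=value lines and flags remote management that is switched on without HTTPS. The variable names are the post's; reading a value of 1 as "enabled" and the two sample dumps (constructed, not captured from a router) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the DD-WRT remote-management
# settings named in the post. Feed it `nvram show` output on stdin.
# Assumption: a value of 1 means "enabled", as the post's commands imply.

# Print the value of key $1 from the dump held in $NV_DUMP (empty if unset).
nv_get() {
    printf '%s\n' "$NV_DUMP" | sed -n "s/^$1=//p" | head -n 1
}

# Read key=value lines on stdin, print findings, return 1 if any check FAILs.
audit_remote_mgmt() {
    NV_DUMP=$(cat)
    fails=0
    if [ "$(nv_get remote_management)" != "1" ]; then
        echo "OK: remote management is off, the GUI is not offered on the WAN side"
        return 0
    fi
    port=$(nv_get http_wanport)
    echo "INFO: remote management is on, WAN port ${port:-<unset>}"
    [ -n "$port" ] || echo "WARN: http_wanport is unset, the firmware default applies"
    if [ "$(nv_get remote_mgt_https)" != "1" ]; then
        echo "FAIL: remote_mgt_https is not 1, WAN logins would travel over plain HTTP"
        fails=$((fails + 1))
    fi
    if [ "$(nv_get https_enable)" != "1" ]; then
        echo "FAIL: https_enable is not 1, no HTTPS listener for the GUI"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample dumps (not captured from a real router).
# The first mirrors the commands in the post, the second is a weak variant.
SAMPLE_AS_IN_POST='remote_management=1
http_wanport=8080
httpsd_enable=1
https_enable=1
remote_mgt_https=1'

SAMPLE_WEAK='remote_management=1
http_wanport=8080
http_enable=1
https_enable=0
remote_mgt_https=0'

# On the router: nvram show | audit_remote_mgmt
```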

ISO 27001 Domains, Control Objectives and Controls

ISO 27001 has for the moment 11 Domains, 39 Control Objectives and 130+ Controls. Following is a list of the Domains and Control Objectives.

1. Security policy
Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

2. Organization of information security
Internal organization
Objective: To manage information security within the organization.
External parties
Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

PCI DSS Control Objectives

Payment Card Industry Data Security Standard has six control objectives and 12 requirements:

1. Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

4. Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

6. Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

ISO 27001 Certification Statistics

How many companies have certified under ISO 27001? You can find the answer here. So, under 7300 as of mid-August 2011.

Now, in another report from April 2008, there were 4500 certificates, with the distribution: Japan (2550); UK (370); India (430); Taiwan (175); China (110); Germany (90); and then a group of countries (Hungary, Italy, USA, & Korea) at 60.

The distribution remained pretty much the same, with Japan holding more than half of world-wide certifications. Japanese are mad about productivity, so by adopting a standard they accept a set of rules that work.

ISMS Certification vs Conformity

So, as stated here you can certify against ISO/IEC 27001 only. But why certify? Here are some reasons provided by certification bodies.

Certification finds no basis in legislative or regulatory requirement, so why bother? The best answer is to validate that investment in security controls meets business goals and provides business value. Business value is found in managing business risk, achieving high levels of legislative and regulatory compliance, and managing vulnerabilities and threats. The ISO security standards provide a disciplined approach to information security, business risk management, and compliance management. Certification provides an independent validation that the organization has applied that discipline effectively and proves due diligence on the part of executives and management, that they are addressing the information security needs of the organization.

ISO ISMS history

The ISO is developing a new series of security standards, the first of which is ISO 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements. ISO 27001 replaces British Standard (BS) 7799, Part 2. BS 7799, Part 1 evolved into ISO 17799, Information Technology—Security Techniques—Code of Practice for Information Security Management and is now known as ISO 27002. Definitive plans are not yet available; however, tentative plans for additional ISO security standards in the 27000 numbering series include ISO 27003, covering security implementation guidance; ISO 27004, for metrics and measurements; and ISO 27005, covering risk management.

The ISO/IEC 27000 Set of Standards Overview

The ISO/IEC 270xx is a set of standards regarding Information Security Management Systems (ISMS). The developer of these standards is the International Organization for Standardization http://www.iso.org/.

ISO/IEC 27001 and ISO/IEC 27002 are derived from ISO/IEC 17799:2005, which is derived from BS7799 (British Standard).

Many standards regarding ISMS are under development and the published ones are subject to periodical reviews.

The ISO/IEC 2700x family is composed of three main categories:

  1. ISMS family of standards (ISO/IEC 27000 – ISO/IEC 27010) – covering specification, metrics, implementation guides, audit guides, risk management
  2. Sector specific requirements (ISO/IEC 27011 – ISO/IEC 27030) – Telecoms; Healthcare; Automotive; Lotteries
  3. Operational guidance (ISO/IEC 27031 – ISO/IEC 27059)

[Tool] Check if an email address is valid – the php way

In an older post we talked about checking the validity of an email address.

Now let’s make a php function to automate this task. We can use this type of validation to check for example if a user is using a correct address when registering for a service.

Check if an email address is valid – the telnet way

You can use telnet to check if an email is valid. You can actually send emails via telnet, but we’ll stick to checking for now. Remember that this is not a string validation but a complete check with the mail server if the user is valid.

For this example we will use [email protected].

Attacking the lottery

This is purely a theoretical attack on a lottery system. No magic combinations or generators, no syndicates or reading the stars, just a plain attack on the system.

First of all, there are some prerequisites. One will need an insider or more in order to carry out the attack, but this should not be a problem based on the fact that a lot of attacks come from the inside. The second matter would be to get access to the central machine taking care of the database. Again, if not well protected, an insider should be able to provide enough data to gain access.

Socks proxy for non-socks applications

For several reasons you may want to use a socks proxy, but a lot of command line applications are not able to work with a socks proxy.

wget for example is unable to work directly with a socks proxy. Also, configuring wget to work with a http proxy is a pain. You can’t specify the proxy from the command line.

SSH tunnels, an alternative to VPN

What do you do when you need a connection to the Internet and the only thing in hand is an unsecured wireless network or hotspot? Do you realize the dangers involved? Would you trust this connection and send confidential data over it?

Of course VPN is the favorite method, but what if you don’t have such an option? Let’s say all you have is a DD-WRT router with no VPN (because you have a mini or generic firmware). Just for the sake of argument. How do you route your traffic through this router from the Internet?

CISSP CBK 10 – Physical Security

Physical Security Controls

Types of controls:

– Administrative controls
    – Facility selection or construction
    – Facility management
    – Personnel controls
    – Training
    – Emergency response and procedures

– Technical controls
    – Access controls
    – Intrusion detection
    – Alarms
    – Monitoring (CCTV)
    – Heating, ventilation and air conditioning (HVAC)
    – Power supply
    – Fire detection and suppression
    – Backups

– Physical controls
    – Fencing
    – Locks
    – Lighting
    – Facility construction materials

CISSP CBK 9 – Law, Investigations & Ethics

Ethics

ISC2: Code of Ethics Canons –  

– Protect society, the commonwealth and the infrastructure

– Act honorably, honestly, justly, responsibly and legally

– Provide diligent and competent service to principals.

– Advance and protect the profession.

IAB – Internet Activities Board: Unethical and unacceptable behaviour –

– Purposely seeking to gain unauthorized access to Internet resources

– Disrupting the intended use of the Internet.

– Wasting resources through purposeful actions

– Destroying the integrity of computer-based information.

– Compromising the privacy of others.

– Involving negligence in the conduct of Internet-wide experiments

CISSP CBK 8 – Business Continuity Planning & Disaster Recovery Planning

BCP / Business Continuity Planning

Prime elements:
– Scope and Plan Initiation
– Business Impact Assessment
– Business Continuity Plan Development
– Plan Approval and Implementation

Scope and Plan Initiation: Marks the beginning of the BCP process. It entails creating the scope for the plan.

Roles and Responsibilities

The BCP Committee: Should be formed and given the responsibility to create, implement and test the plan. Is made up of representatives from senior management, all functional business units, information systems and security administrator.

Senior Management’s Role: Is ultimately responsible for all four phases of the plan.

BIA / Business Impact Assessment: Is a process used to help business units understand the impact of a disruptive event. The impact may be financial (quantitative) or operational (qualitative, such as the inability to respond to customer). A vulnerability assessment is often a part of the BIA process. It identifies the company’s critical systems needed for survival and estimates the outage time that can be tolerated by the company as a result of a disaster or disruption.

CISSP CBK 7 – Operations Security

Controls and Protections

To protect hardware, software and media resources from:
– Threats in an operating environment
– Internal or external intruders
– Operators who are inappropriately accessing resources

Categories of Controls:
– Preventative Controls: Are designed to lower the amount and impact of unintentional errors that are entering the system and to prevent unauthorized intruders from internally or externally accessing the system.
– Detective Controls: Are used to detect an error once it has occurred.
– Corrective Controls / Recovery Controls: Are implemented to mitigate the impact of a loss event through data recovery procedures.
– Deterrent Controls / Directive Controls: Are used to encourage compliance with external controls.
– Application Controls: Are the controls that are designed into a software application to minimize and detect the software’s operational irregularities.
– Transaction Controls: Are used to provide control over the various stages of a transaction. Types of controls are: Input, processing, output, change and test controls.

CISSP CBK 6 – Security Architecture & Models

Security Model

Is a statement that outlines the requirements necessary to properly support a certain security policy.

Computer Architecture

CPU – Central Processing Unit: Is a microprocessor. Contains a control unit, an ALU / Arithmetic Logic Unit and primary storage. Instructions and data are held in the primary storage unit needed by the CPU. The primary storage is a temporary memory area to hold instructions that are to be interpreted by the CPU and used for data processing.

Buffer overflow – Data being processed is entered into the CPU in blocks at a time. If the software instructions do not properly set the boundaries for how much data can come in as a block, extra data can slip in and be executed.

Real storage – As instructions and data are processed, they are moved back to the system’s memory space / real storage.

CISSP CBK 5 – Cryptography

Definitions

Algorithm: The set of mathematical rules used in encryption and decryption.

Cryptography: Science of secret writing that enables you to store and transmit data in a form that is available only to the intended individuals.

Cryptosystem: Hardware or software implementation of cryptography that transforms a message to cipher text and back to plain-text.

Cryptanalysis: Practice of obtaining plain-text from cipher-text without a key or breaking the encryption.

Cryptology: The study of both cryptography and cryptanalysis.

Cipher-text: Data in encrypted or unreadable format.

Encipher: Act of transforming data into an unreadable format.

Decipher: Act of transforming data into a readable format.

Key: Secret sequence of bits and instructions that governs the act of encryption and decryption.

Key clustering: Instance when two different keys generate the same cipher-text from the same plain-text.

Key-space: Possible values used to construct keys.

Plain-text: Data in readable format, also referred to as clear-text.

Work factor: Estimated time, effort, and resources necessary to break a cryptosystem.

CISSP CBK 4 – Applications & Systems Development Security

Database systems and database management

Types of databases:
– Hierarchical
– Mesh
– Object-oriented
– Relational

DBMS / Database Management System

A suite of programs used to manage large sets of structured data with ad hoc query capabilities for many types of users.

Database: A collection of data stored in a meaningful way that enables multiple users and applications to access, view and modify data as needed.

Database terms/jargon
– Record: Collection of related data items
– File: Collection of records of the same type
– Database: Cross-referenced collection of files
– DBMS: Manages and controls the database
– Base relation: A table stored in a database
– Tuple: A row in a database
– Attribute: A column in a database
– Primary key: Columns that make each row unique
– View: Virtual relation defined by the database to control subjects from viewing certain data
– Foreign key: Attribute of one table that is the primary key of another table
– Cell: Intersection of a row and column
– Schema: Holds data that describes a database
– Data dictionary: Central repository of data elements and their relationships.
– Cardinality: The number of rows in the relation.
– Degree: The number of columns in the relation.
– Domain: Is a set of allowable values that an attribute can take.

CISSP CBK 3 – Security Management Practices

Fundamental Principles of Security

Security objectives

Confidentiality: Provides the ability to ensure that the necessary level of secrecy is enforced.

Integrity: Is upheld when the assurance of accuracy and reliability of information and system is provided and unauthorized modification of data is prevented.

Availability: Prevents disruption of service and productivity.

Definitions

Vulnerability: Is a software, hardware or procedural weakness that may provide the attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.

CISSP CBK 2 – Telecommunications & Network Security

Open System Interconnect Model

Protocol – Standard set of rules that determine how systems will communicate across networks.

OSI Model        TCP/IP
Application      Application
Presentation
Session
Transport        Host-to-host
Network          Internet
Data Link        Network Access
Physical

Each layer adds its own information to the data packet.

CISSP CBK 1 – Access Control Systems & Methodology

Security principles

Confidentiality: The assurance that information is not disclosed to unauthorized individuals, programs or processes.

Integrity: Information must be accurate, complete and protected from unauthorized modification.

Availability: Information, systems and resources need to be available to users in a timely manner so productivity will not be affected.

Personal note: Conformity with legislation

CISSP Intro

This starts a series of posts that deals with the CISSP CBK (Common Body of Knowledge). The summary covers all ten CBK domains that are required for the CISSP exam. One should not use this as a definitive guide for taking the CISSP exam, but rather as an intro to CISSP. All the data is gathered from various sources, starting from study guides for the exam and ending with materials found on the Internet.

As a side note, there are questions about CISSP vs CISA. The focus of those two certifications is different. While CISSP is focused on building and maintaining security (although it is not a technical standard), CISA is more focused on auditing and assessing risks and controls. Your choice of certification should be based on what you really want to work with. If you want to be a security professional, CISSP is the choice. If you want to be an IT/IS auditor instead, then you should take CISA. As I’ve been an IT/IS auditor and am now an IS consultant, there is a lot of knowledge supported by both CISA and CISSP.