Corelan Cybersecurity Research

As some of you might know, I am currently attending Blackhat Europe (hosted in Barcelona this year). So I wanted to take the opportunity to fill you in on the details of this first day of briefings, and provide you with a short overview of the presentations I have attended today.

I am most certainly not the only person that will be blogging/writing about Blackhat, so I’ll just keep things short and give you my personal view on things.  You can find more/other information about the briefings at Blackhat Europe (and some other excellent stuff) at http://blog.c22.cc.

Before I get started I would like to mention that, the day before the seminars started, I got the opportunity and pleasure to finally meet some of the folks I have been communicating with over the last few monts : Didier Stevens (and his wife), Xavier Mertens, Chris John Riley and Frank Breedijk.

(from left to right : Frank, Chris and Xavier)

In addition to that, I met some other nice and interesting people during the course of the day, so my day has been quite "fruitful" from that perspective as well.

Also, a half an hour before the seminars started, I had a chat with some folks from Core Security and they invited me at the Core Security party tomorrow evening. Too bad I won’t be able to stay at the party for a long time, because I’m flying back to Belgium tomorrow evening. Anyways, the party badge looks shiny and that’s half the fun I guess :-) – Thank you Core Security.

Day 1 kicked off with an introduction given by Jeff Moss (who basically explained that Blackhat Europe moved from Amsterdam to Barcelona because of ‘sizing’ issues). 

As the number of attendees (and the number of speakers) is increasing (this is the first year with 3 tracks instead of 2), the location in Amsterdam was becoming to small to host the trainings and seminars… so Barcelona appears to be the next best thing :-). And I can’t blame them

 

Security – the facebook way

After the introduction, Facebook CSO Max Kelly took care of the keynote speech, in which he presented facebooks approach & strategy towards security.

The first part of the talk outlined some generic security concepts : Software and applications will always have vulnerabilities. Each vulnerability represents a threat. A threat can be targetted and results in an attack. The attach is always launched by a person, for a specific reason, with a specific motive.  Sound fair to me.

What really got my attention in his presentation was the fact that the strategy (and perhaps a substantial part of their economic model so it seems) of facebook is based on filing lawsuits and going after the people that try to abuse vulnerabilities in facebook. Facebook doesn’t really care about the vulnerabilities themselves, but they have focussed their attention on detecting abuse and tracking down the abuser. It’s not all bad, because an important piece of the process is to discover what the motives are (spam=>making money=>somebody will pay the spammer), so they can try to take out the root originator of the abuse.

After all vulnerabilities will be there forever, Max says, no matter what we do.

So basically, the facebook security values are

• diligently pursue attackes of any type
• use al legal means to identify attackers
• use all legal resources to protect the company and its customers
• respect the trust that users put into facebook
• move fast, focus on high-level problems
• work with the security community

When translated into actions, they basically

• don’t care about vulnerabilities (they are infinite, and trying to fix them will probably introduce new bugs)
• accept that there are bugs, they know about the threats that result from the bugs, but they try to be realistic about it
• monitor, detect and watch attacks
• go after the attackets

I also noticed (on the second or third slide) a small statement about reporting vulnerabilities to facebook.  Facebook seems to be open to researchers to report vulnerabilities, but only under certain (legal) circumstances… The fact that Max did not even mention it during his presentation (while the text was still displayed on the screens), it only emphasizes that they don’t really care about vulnerabilities.  Facebook does not want to invest a whole lot of research and money to pro-actively find and fix bugs.  In my opinion (just my personal view), they’re not really waiting for researchers to file bugs either.  In fact, I’m pretty sure it will be almost impossible to report bugs to facebook in a legal way… after all, you would still be hacking into an application that is running on third party servers.  So I’m not sure about their statement that they are willing to work with the security community.  And if they are, it’ll probably be one way direction only :-)

To be honest, from a business perspective, there’s nothing wrong with this economic model. But I am afraid that, from a security point of view, it will only lead to more bugs and doesn’t really support the fact that developer education (about writing secure code) is extremely important.

So, not everything was "bad" of course. He mentioned that it is very important (for any web application if you think about it) to log interactions and CPU/memory cycles required for certain interactions. It will not only allow you to properly size and scale your servers, but it might also indicate if there is an issue (for example somone trying to take advantage of a bug in the application and has launched a scripted attack against a specific component of the application).

After the keynote, during Q&A, somebody asked if facebook has plans to deliberitely "plant" vulnerabilities into their applications to attract hackers … the (politically correct) answer was – of course – "no".

Defending the poor

The first real "researcher" talk I attended today was the one given by the legendary FX. (FYI : right before the meeting I got the chance to have a little chat with him and thanked him for reviewing my Unicode exploit tutorial. Although time was short, he really took the time to have a little chat, which is something I’ve very much appreciated)  Anyways, this was the first time I saw a presentation by FX (or anyone else at a security conference such as Blackhat) that targets the defense-part of security.   In "Defending the poor", he explained the history of how the flash player (or more specifically the SWF format) has evolved until what it is today, and how it is flawed by design.  To cut a long story short, the file format has plenty of design errors and will continue to lead to system compromises all over the world.  The install base of flash player is immense (although MS Silverlight is catching up real quick) and that leaves many users susceptible to security issues.  While in the recent version of SWF an attempt was made to fix some of the issues, the reality is that the player still supports all downwards-compatible (and flawed) formats, and there’s nothing we can do about it …   Well maybe there is.

FX is working on a tool called BlitzaBleiter, which will basically

• parse a swf file when it’s presented to an end user browser, and check for strict SWF specification compliancy
• drop the original swf file
• verify the code inside the swf file
• recreate a safe file
• present it to the end user
• do some runtime analysis (and block certain API calls by looking at arguments on the flash player stack)

The utility is created in .Net (C#, which has many advantages, as it has built-in protection against many overflows), and works on both the Windows and Linux platform).

The downside is that, while this browserplugin will already stop a substantial range of attacks, it still won’t stop all malicious code, and it’s not going to be easy to close this final gap.  Stay tuned on this one, because it looks promising already.   And for other security researches : this is a good example of added value for business people like me !  Knowing about the vulnerabilities is really necessary… but spending a decent amount of time to work on creative, inexpensive solutions, is even more important to get management buy-in in this time of economic recession.

Unveiling Maltego 3.0

To be honest, I haven’t really played with Maltego 2.x yet… but what I have seen in the (not yet released) 3.0 version of Maltego, I felt sorry for myself and obviously got impressed at the same time (to say the least).

It’s hard to describe in a few words what Maltego is, because I would probably end up disrespecting the concept and added value of this tool.  Maltego positions itself as an open source intelligence and forensics application, but in essence it is "just" an awesome data mining tool, that uses various "transformation" to get more data about certain objects, from various sources (websites, google, whois, network scans, DNS, and even custom integrations with for example your own databases etc)

The power behind the product is the data mining and correllation engine, and it’s beautiful graphical representation, which will allow anyone to build relationships and links between all kinds of objects (people, computers, keywords, etc)

Roelof Temmingh from Paterva demo’ed his new "baby" with pride and emotion and impressed the entire room with the new features of the product :

• Look & feel updates :
  • Dynamic graphing
• Improved "Entities" :
  • Custom entities
  • Manual linking
  • Bookmarking & annotations
  • entity display/edit
• Improved navigation :
  • EWV fully interactive
  • Set transform settings on the fly
  • detailed view
• etc

Especially the NER (Named Entity Recognition), using API’s from OpenCalais and AlchemyAPI, will add a lot of value to this utility.  You can basically feed a text/webpage/…  into the API and it will extract entities (names, facts, places, events, topics, etc), so you can use that as part of your mining exercise.

Version 3 is not released yet, and Roelof stressed that they won’t release it until it’s ready.

If you want to follow up on Maltego, make sure to subscribe to the Maltego Beta blog. The whitepaper and slides can be downloaded from the Blackhat website.

Next generation clickjacking

The "Next generation clickjacking" talk, presented by Paul Stone from Context Information Security was really interesting. Based on research from Jeremy Grossman in 2008, Paul took things to a new level and showed a couple of new techniques that can be abused on malicious websites to trick users to clicking on certain parts of a web site, in an attempt to steal information from that computer.  In fact, using a technique that combines hidden iframes with drag & drop api in a java applet, and end user does not really have to click on a button or link anymore to trigger the malicious code.  Very neat finding !

The speaker also demonstrated a tool (works fine with Firefox 3.6) he wrote which will help you test your own applications (or basically build Proof of concept webpages) for various clickjacking techniques.

Finally, he indicated that most browsers are currently not able to provide real protection against this form or exploitation. The only thing you can do is try to keep your website from running inside a frame.  You can do this by

– setting X-Frame-Options parameter (which will only work on newer browsers such as IE8)

On apache, you can do this by setting the following value in your httpd.conf file :

Header always append X-Frame-Options deny

or

Header always append X-Frame-Options sameorigin

(if you want to allow the functionality when you still want to allow framing from the same URL that is hosting the webpage)

– using some javascript code (which will obviously only work when javascript is enabled) to prevent your website from running inside an iframe.  An easy way to do this is adding this to every webpage on your website :

From a client perspective, the only thing you can do is enabling the "no script" plugin (or just disable javascript), but that is likely going to break a lot of functionality (and might prevent websites from framebusting at the same time, so it might defeat the purpose to a certain extend)

SAP Backdoors : A ghost at the heart of your business

While I’m not a big SAP expert (who is anyway :) ), I was really curious about this presentation, given by Mariano Nuñez Di Croce (from Argentina). Mariano works at Onapsis, a company specializing in business critical application security (such as SAP, JD Edwards, Siebel etc).  The presentation is available on the Blackhat website.

While Mariano really has his act together and is very knowledgable on this topic, it became clear that the real weaknesses for SAP implementations is not only getting your SAP configuration set up correctly (in terms of segregation of duties, and implementing proper development, QA and production environments, each with their own set of parameters), but also heavily relies on database security.  So perhaps his talk should have been given another name… Anyways, this talk was based on SAP running on Oracle, and most exploits were taking advantage from the fact that, when database credentials are compromised, or a database server has been breached, a malicious person can easily implement backdoors into the SAP application/configuration, and these backdoors will remain unnoticed.

The concept of backdoors is quite old, and not a lot of information has been made public on backdooring SAP, but the fact that this kind of information was not publicly available, that it was not exploitable.  That kinda made me think about the talk I had with FX, where he mentioned that despite the fact that his work on Unicode exploits dated from 2003, a lot of people still think that unicode vulnerabilities are not exploitable.

Let’s go back to Oracle and SAP.  Mariano stressed that security is not about segregation of duties alone. Being SOX compliance certainly helps in that perspective, but you can still get owned even though you are fully SOX compliant.  And that is a fact a lot of companies and auditing firms fail to recognize.

When we are talking about ERP systems (Business Critical applications), the impact of a succesful compromise can be quite serious, potentially resulting in financial liability and fraud.  Mariano made a good comparison against the well known CIA triangle. When it comes down to translating CIA to this particular set of risks, we are really talking about

• Confidentiality => Espionage
• Availability => Sabotage
• Integrity => Fraud

The presentation ended with a short demo on the soon-to-be-released free onapsis too which will basically take a snapshot of ABAP (SAP code) (run this on a regular basis) and compare it with older snapshots so you can detect breaches (which would be otherwise go undetected due to the way SAP can be configured/altered by an exploit). Obviously, running this tool only makes sense if the system has not been breached already. So you should start running this

What I took away from this presentation is that the following things are really essential in any SAP implementation :

• decent back-end design (proper database security, database server separated from client network), basically deploy layered security defense in depth,
• the use of up-to-date SAP GUI client software to take advantage of newer password hashing algorithms,
• proper SAP system configuration, enforcing certain newer features (and not allowing backwards compatibility)
• proper segregation of duties (so people cannot alter certain parameters because they simply have the technical permissions to do so)
• a separated development/QA/production environment so code cannot be altered directly in production environment,
• proper code review (so developers cannot leave hidden/hardcoded backdoors behind in custom code,
• proper auditing (OS & DB level),
• the use of the onapsis tool to detect breaches are essential in any SAP deployment

I would also like to add that, in my opinion, it is very important to also focus on all third party components that might tie into the Oracle database. After all, if you manage to secure your SAP/Oracle environment, a simple web application that is built on top of the same Oracle database, might be susceptible to SQL injection, allowing a hacker to plant a backdoor in the system as well.  Finally, as it is the case in many other big ERP systems as well, SAP also appears to use a single user account to access the database backend. So if that account gets compromised, it’s game over.

Hacking Cisco Enterprise WLAN

Ok, I had expected more from this presentation. While I had the impression a lot of good research (and a pretty decent tool) has been done/written for this presentation, the presenter just didn’t succeed at passing the message to the audience.  Maybe this was caused by the fact that this was the last presentation of the day, but the content seemed somewhat outdated in certain areas (targetting LEAP for example, or using arp spoofing  are not really earthshocking news events anymore)

The researches stressed that a lot of Enterprise grade wireless vendors still have a lot of vulnerabilities in their management components/websites, and that a lot companies still put those management components in their regular LAN…   Ok, they have a valid point when they state that it’s easy to hack into most Wireless management systems if you are connected to the LAN, but I had the impression it kind of defeats the purpose, as you are already connected to the LAN already.

Anyways, I’m still looking forward to the release of their wireless audit tool called "Loki" (which may still be a "working" name) as it might combine some features into a single tool.

Again, I was hoping for new techniques or new attacks/defense mechanisms for wireless implementations, but at the same time, maybe it’s just a good time to admit that wireless networks are just slow, impossible to secure, and will never be safer or work better than a good old ethernet cable.

That being said, your "devoted" reporter signs off for the day :-)

/be safe & may the packets be with you

Cheers

Peter

© 2010 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.