





Blackhat Europe 2010 Barcelona – Day 01

As some of you might know, I am currently attending Blackhat Europe (hosted in Barcelona this year). So I wanted to take the opportunity to fill you in on the details of this first day of briefings, and provide you with a short overview of the presentations I have attended today.

I am most certainly not the only person that will be blogging/writing about Blackhat, so I’ll just keep things short and give you my personal view on things.  You can find more/other information about the briefings at Blackhat Europe (and some other excellent stuff) at http://blog.c22.cc.

Before I get started I would like to mention that, the day before the seminars started, I got the opportunity and pleasure to finally meet some of the folks I have been communicating with over the last few months: Didier Stevens (and his wife), Xavier Mertens, Chris John Riley and Frank Breedijk.


(from left to right : Frank, Chris and Xavier)

In addition to that, I met some other nice and interesting people during the course of the day, so my day has been quite "fruitful" from that perspective as well.

Also, half an hour before the seminars started, I had a chat with some folks from Core Security and they invited me to the Core Security party tomorrow evening. Too bad I won’t be able to stay at the party for long, because I’m flying back to Belgium tomorrow evening. Anyway, the party badge looks shiny and that’s half the fun I guess :-) – Thank you Core Security.


Day 1 kicked off with an introduction given by Jeff Moss (who basically explained that Blackhat Europe moved from Amsterdam to Barcelona because of ‘sizing’ issues). 


As the number of attendees (and the number of speakers) is increasing (this is the first year with 3 tracks instead of 2), the location in Amsterdam was becoming too small to host the trainings and seminars… so Barcelona appears to be the next best thing :-). And I can’t blame them.


Security – the facebook way

After the introduction, Facebook CSO Max Kelly took care of the keynote speech, in which he presented Facebook’s approach & strategy towards security.

The first part of the talk outlined some generic security concepts: software and applications will always have vulnerabilities. Each vulnerability represents a threat. A threat can be targeted and results in an attack. The attack is always launched by a person, for a specific reason, with a specific motive. Sounds fair to me.


What really got my attention in his presentation was the fact that the strategy (and perhaps a substantial part of their economic model so it seems) of facebook is based on filing lawsuits and going after the people that try to abuse vulnerabilities in facebook. Facebook doesn’t really care about the vulnerabilities themselves, but they have focussed their attention on detecting abuse and tracking down the abuser. It’s not all bad, because an important piece of the process is to discover what the motives are (spam=>making money=>somebody will pay the spammer), so they can try to take out the root originator of the abuse.

After all vulnerabilities will be there forever, Max says, no matter what we do.

So basically, the facebook security values are

  • diligently pursue attacks of any type
  • use all legal means to identify attackers
  • use all legal resources to protect the company and its customers
  • respect the trust that users put into facebook
  • move fast, focus on high-level problems
  • work with the security community

When translated into actions, they basically

  • don’t care about vulnerabilities (they are infinite, and trying to fix them will probably introduce new bugs)
  • accept that there are bugs, they know about the threats that result from the bugs, but they try to be realistic about it
  • monitor, detect and watch attacks
  • go after the attackers

I also noticed (on the second or third slide) a small statement about reporting vulnerabilities to Facebook. Facebook seems to be open to researchers reporting vulnerabilities, but only under certain (legal) circumstances… The fact that Max did not even mention it during his presentation (while the text was still displayed on the screens) only emphasizes that they don’t really care about vulnerabilities. Facebook does not want to invest a whole lot of research and money to pro-actively find and fix bugs. In my opinion (just my personal view), they’re not really waiting for researchers to file bugs either. In fact, I’m pretty sure it will be almost impossible to report bugs to Facebook in a legal way… after all, you would still be hacking into an application that is running on third party servers. So I’m not sure about their statement that they are willing to work with the security community. And if they are, it’ll probably be one-way only :-)

To be honest, from a business perspective, there’s nothing wrong with this economic model. But I am afraid that, from a security point of view, it will only lead to more bugs and doesn’t really support the fact that developer education (about writing secure code) is extremely important.

So, not everything was "bad" of course. He mentioned that it is very important (for any web application if you think about it) to log interactions and the CPU/memory cycles required for certain interactions. It will not only allow you to properly size and scale your servers, but it might also indicate that there is an issue (for example, someone taking advantage of a bug in the application by launching a scripted attack against a specific component of the application).

After the keynote, during Q&A, somebody asked if Facebook has plans to deliberately "plant" vulnerabilities into their applications to attract hackers… the (politically correct) answer was – of course – "no".

Defending the poor

The first real "researcher" talk I attended today was the one given by the legendary FX. (FYI : right before the meeting I got the chance to have a little chat with him and thanked him for reviewing my Unicode exploit tutorial. Although time was short, he really took the time to have a little chat, which is something I’ve very much appreciated)  Anyways, this was the first time I saw a presentation by FX (or anyone else at a security conference such as Blackhat) that targets the defense-part of security.   In "Defending the poor", he explained the history of how the flash player (or more specifically the SWF format) has evolved until what it is today, and how it is flawed by design.  To cut a long story short, the file format has plenty of design errors and will continue to lead to system compromises all over the world.  The install base of flash player is immense (although MS Silverlight is catching up real quick) and that leaves many users susceptible to security issues.  While in the recent version of SWF an attempt was made to fix some of the issues, the reality is that the player still supports all downwards-compatible (and flawed) formats, and there’s nothing we can do about it …   Well maybe there is.

FX is working on a tool called Blitzableiter, which will basically

  • parse a swf file when it’s presented to an end user browser, and check for strict SWF specification compliance
  • drop the original swf file
  • verify the code inside the swf file
  • recreate a safe file
  • present it to the end user
  • do some runtime analysis (and block certain API calls by looking at arguments on the flash player stack)

The utility is written in .NET (C#, which has many advantages, as it has built-in protection against many overflows) and works on both the Windows and Linux platforms.

The downside is that, while this browser plugin will already stop a substantial range of attacks, it still won’t stop all malicious code, and it’s not going to be easy to close this final gap. Stay tuned on this one, because it looks promising already. And for other security researchers: this is a good example of added value for business people like me! Knowing about the vulnerabilities is really necessary… but spending a decent amount of time working on creative, inexpensive solutions is even more important to get management buy-in in this time of economic recession.

Unveiling Maltego 3.0

To be honest, I haven’t really played with Maltego 2.x yet… but what I have seen in the (not yet released) 3.0 version of Maltego, I felt sorry for myself and obviously got impressed at the same time (to say the least).

It’s hard to describe in a few words what Maltego is, because I would probably end up disrespecting the concept and added value of this tool. Maltego positions itself as an open source intelligence and forensics application, but in essence it is "just" an awesome data mining tool that uses various "transformations" to get more data about certain objects, from various sources (websites, Google, whois, network scans, DNS, and even custom integrations with, for example, your own databases).

The power behind the product is the data mining and correlation engine, and its beautiful graphical representation, which will allow anyone to build relationships and links between all kinds of objects (people, computers, keywords, etc).

Roelof Temmingh from Paterva demo’ed his new "baby" with pride and emotion and impressed the entire room with the new features of the product :

  • Look & feel updates :
    • Dynamic graphing
  • Improved "Entities" :
    • Custom entities
    • Manual linking
    • Bookmarking & annotations
    • entity display/edit
  • Improved navigation :
    • EWV fully interactive
    • Set transform settings on the fly
    • detailed view
  • etc

Especially the NER (Named Entity Recognition), using APIs from OpenCalais and AlchemyAPI, will add a lot of value to this utility. You can basically feed a text/webpage/… into the API and it will extract entities (names, facts, places, events, topics, etc), so you can use that as part of your mining exercise.

Version 3 is not released yet, and Roelof stressed that they won’t release it until it’s ready.

If you want to follow up on Maltego, make sure to subscribe to the Maltego Beta blog. The whitepaper and slides can be downloaded from the Blackhat website.

Next generation clickjacking

The "Next generation clickjacking" talk, presented by Paul Stone from Context Information Security was really interesting. Based on research from Jeremy Grossman in 2008, Paul took things to a new level and showed a couple of new techniques that can be abused on malicious websites to trick users to clicking on certain parts of a web site, in an attempt to steal information from that computer.  In fact, using a technique that combines hidden iframes with drag & drop api in a java applet, and end user does not really have to click on a button or link anymore to trigger the malicious code.  Very neat finding !

The speaker also demonstrated a tool (works fine with Firefox 3.6) he wrote which will help you test your own applications (or basically build Proof of concept webpages) for various clickjacking techniques.

Finally, he indicated that most browsers are currently not able to provide real protection against this form of exploitation. The only thing you can do is try to keep your website from running inside a frame. You can do this by

– setting the X-Frame-Options response header (which will only work on newer browsers such as IE8)

On apache, you can do this by setting the following value in your httpd.conf file :

Header always append X-Frame-Options deny

or

Header always append X-Frame-Options sameorigin

(if you still want to allow framing by pages from the same origin that is hosting the webpage)

– using some javascript code (which will obviously only work when javascript is enabled) to prevent your website from running inside an iframe.  An easy way to do this is adding this to every webpage on your website :