The world is gearing up for cyberwar. The US Cyber Command became operational in November. Nato has enshrined cyber security among its new strategic priorities. The head of Britain's armed forces said recently that boosting cyber capability is now a huge priority for the UK. And we know China is already engaged in broad cyber espionage attacks against the west. So how can we control a burgeoning cyber arms race? We may already have seen early versions of cyberwars in Estonia and Georgia, possibly perpetrated by Russia. It's hard to know for certain, not only because such attacks are often impossible to trace, but because we have no clear definitions of what a cyberwar actually is. Do the 2007 attacks against Estonia, traced to a young Russian man living in Tallinn and no one else, count? What about a virus from an unknown origin, possibly targeted at an Iranian nuclear complex? Or espionage from within China, but not specifically directed by its government? To such questions one must add even more basic issues, like when a cyberwar is understood to have begun, and how it ends.
The exploitation of operating system kernel vulnerabilities has received a great deal of attention lately. In userland most generic exploitation approaches have been defeated by countermeasure technologies. Contrary to userland protections, exploitation mitigation mechanisms for kernel memory corruptions have not been widely adopted. Recently this has started to change. Most operating system kernels have started to include countermeasures against NULL page mappings, stack and heap corruptions, as well as for other vulnerability classes. At the same time, researchers have concentrated on developing ways to bypass certain kernel protections on various operating systems. This presentation will describe in detail the state-of-the-art in kernel exploitation mitigations adopted (or not) by various operating systems (Windows, Linux, Mac OS X, FreeBSD) and mobile platforms (iOS, Android). Moreover, it will also provide approaches, notes, hints and references to existing work for bypassing some of these kernel protections.
Communications technologies are becoming cheaper in today's market, increasing the use of GSM, DECT, NFC, and other protocols in cheap consumer devices. But, as availability increases, does the quality of engineering also increase? And, what systems drive the integrated circuits serving these protocols? Often, the core of simple consumer based technology is one of many types of microcontrollers. These systems drive the application logic, presenting an interface to the user and communicating through a chosen set of mechanisms. But, how do we attack these systems?
The presenter will demonstrate how the growing consumer device market can be attacked through many of the same software exploit strategies available for common platforms today. While these common exploit strategies are useful, they must be tuned toward the platforms and architectures targeted - and often blindly, as there is little or no access to the software. The presenter will present techniques and tools used to compromise these environments and discuss the common architectural intricacies that assist the attacker in achieving their end game.
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and applying a set of tests and heuristics to determine whether the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. All of these sites have been informed and many of them have acknowledged or fixed the problems. We will explain in detail how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
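The mechanism the two paragraphs above describe, an encoded `&` or `=` inside one parameter value that only becomes a second parameter once the application decodes the value and pastes it into another query string, is easy to see in a few lines. The following is an added example written for this page, not code from the talk's detection system: a query parser with selectable duplicate-handling policy (frameworks differ on whether the first, last or every occurrence wins), a checker that flags the two patterns HPP relies on (repeated parameters and delimiters that appear only after decoding), and the vulnerable back-end string construction next to its hardened form. The parameter names `uid` and `action` and the sample query strings are constructed for the illustration.

```python
"""Added example: HTTP Parameter Pollution parsing policies, detection and
the re-encoding fix. Parameter names and sample queries are constructed."""
from urllib.parse import parse_qsl, unquote, urlencode


def parse_query(query, policy):
    """Parse a raw query string under one duplicate-handling policy.

    policy: 'first' keeps the first occurrence, 'last' the last, 'all' keeps
    every occurrence as a list. Real frameworks pick one of these, and HPP
    abuses the fact that front-end and back-end components may disagree."""
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if policy == "first":
            result.setdefault(name, value)
        elif policy == "last":
            result[name] = value
        elif policy == "all":
            result.setdefault(name, []).append(value)
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return result


def hpp_findings(query):
    """Return human-readable findings for HPP-style anomalies in a raw query.

    Two patterns are reported: a parameter that occurs more than once, and a
    value whose decoded form contains '&' or '=' although the raw form does
    not (an encoded delimiter is the classic HPP injection vector)."""
    findings = []
    counts = {}
    for raw_pair in query.split("&"):
        if not raw_pair:
            continue
        name, _, raw_value = raw_pair.partition("=")
        counts[name] = counts.get(name, 0) + 1
        decoded = unquote(raw_value)
        raw_has_delim = "&" in raw_value or "=" in raw_value
        if ("&" in decoded or "=" in decoded) and not raw_has_delim:
            findings.append(f"encoded delimiter in value of '{name}': {raw_value}")
    for name, count in counts.items():
        if count > 1:
            findings.append(f"parameter '{name}' repeated {count} times")
    return findings


def naive_backend_query(user_id):
    """Vulnerable pattern: the already-decoded value is concatenated into a
    new query string for an internal request without re-encoding, so any
    delimiter inside it becomes a new parameter on the back end."""
    return f"action=view&uid={user_id}"


def safe_backend_query(user_id):
    """Hardened form: urlencode percent-encodes '&' and '=' in the value, so
    it stays a single parameter no matter what the client supplied."""
    return urlencode({"action": "view", "uid": user_id})


if __name__ == "__main__":
    # Constructed client request: the value of uid carries an encoded '&action=delete'.
    client_query = "uid=7%26action%3Ddelete"
    print(hpp_findings(client_query))
    uid = parse_query(client_query, "last")["uid"]          # '7&action=delete'
    print(parse_query(naive_backend_query(uid), "last"))    # action is overridden to 'delete'
    print(parse_query(safe_backend_query(uid), "last"))     # action stays 'view'
```

The checker is a triage aid rather than a filter: a legitimate free-text field may contain an encoded `=`, so the right place to stop HPP is the hardened builder (always re-encode when composing URLs) together with a single, documented duplicate-handling policy across every tier that parses the request.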
We present a novel rootkit detection technique called "kernel code tunneling". The technique uses a custom-made dynamic instrumentation framework to analyze execution flow.
While similar dynamic instrumentation engines do exist (e.g. Intel PIN), our engine offers significant advantages:
- it was designed for kernel mode operation
- it was designed to correctly handle potentially offensive code
Current rootkit detection engines either use methods like "cross view", or analyze specific data areas (e.g. IDT, SSDT) or code areas (e.g. they search for inline patches). However, rootkits are getting more and more complex. Inline patches are no longer limited to the first bytes of a function: we can now find them anywhere in the execution flow. Instead of a simple JMP/CALL to the malicious code, complex control transfer trampolines are now commonplace.
Our presentation will cover the following topics:
- design of a kernel-based dynamic instrumentation engine
- overcoming kernel-specific issues (IRQ levels, async tasks, self modifying code)
- analysis of various tunneling sessions, with/without active rootkits
- specific cases when instrumentation has provided us with enough data to effectively *clean* the machine
In this talk we explore modern enterprise virtualization and cloud computing systems, discussing why and how most of these infrastructures are still vulnerable to attacks which are years old.
XSS, CSRF, Shell Escape, unsafe connections: you name it. A corpus of knowledge is already in the public domain, but it has never been organized and reviewed in an orderly, reasoned reading.
Leveraging the exploiting capabilities of VASTO (the Virtualization ASsessment TOolkit), we will attack various commercial products, also going through cloud computing solutions and looking at what is good and what is not so good in virtualization security today.
From all these single exploits we will derive lessons we need to learn on how we design and implement virtualization environments, and how we think about their security. This will be a call to action for new security means and approaches.
For if we are still vulnerable to these attacks, we're doing it wrong!
A single vulnerability in any one of the applications in Apple's app store can result in devastating implications for the millions of iOS users (iPhones and iPads).
In this presentation, we will take a look at some interesting application-level attack techniques against iOS. More specifically, we will cover:
+ UI Spoofing attacks against Safari and the UIWebView component in the iOS SDK.
+ How insecurely designed URL scheme handlers can be abused by rogue web applications to perform arbitrary transactions like launching arbitrary phone calls.
+ Abuse of Apple's push messaging system and its implications.
+ Attacks against insecure storage and network activity.
Our discussion will also include a look at attacks against popular apps in Apple's App Store, and what developers can do to protect against such vulnerabilities.
Microsoft Windows provides interfaces to allow applications to store and use cryptographic keys and certificates. These CryptoAPI and CNG interfaces in Windows allow applications to mark stored private keys as non-exportable, thereby preventing users from extracting private key data that is installed on their own systems. This private key "security" is provided mostly by data obfuscation via Microsoft's Cryptographic Service Providers. This talk will discuss the details of said obfuscation and provide code to export non-exportable keys from client versions of Windows, server versions of Windows, and Windows Mobile devices. Unlike prior work done in this space, the solution offered in this talk does not rely on function hooking or code injection.
Denial of Service attacks have been polluting internet pipes since the day the internet was born. eCommerce, gaming and any other online businesses depend on uptime to generate revenue, so DoS has the most direct financial impact imaginable.
Furthermore, the surge of businesses using cloud services, billed for bandwidth usage on a pay-per-use basis - exposes any such cloud-based business to potential financial impact from DoS attacks.
This talk will start with an overview of DoS attack types and recent incidents, and then dive into the most advanced Anti-DoS technologies out there, covering the operation, detection, analysis, and mitigation of DoS attacks.
A new open-source HTTP Robot Mitigator will be announced - Roboo - utilizing some of the discussed techniques to fight off HTTP-based robots. This software will be demonstrated against LOIC - Low Orbit Ion Cannon, an open-source DoS application used in the recent Wikileaks attacks.
Banks and large corporations are constantly upgrading their infrastructure. One of the latest additions to the Cisco family is the 7000-series with its new and "secure" linux-based NX-OS. This switch can easily take the role of the sole core switch in some of the largest network infrastructures in the world. It manages up to 512 x 10 gigabit interfaces and is a new virtualization platform within networking. Unfortunately, its new operating system also exposes old attacks, previously classified as network based denial of service, as remotely exploitable buffer overflows. Deployment of generic rootkits is also possible by breaking out of the Cisco CLI environment using a series of undocumented features. What would the impact be for a large bank or corporation if the core switch was infected with backdoors that gave an attacker control over all VLANs?
Learn Mac vulnerability exploitation from master exploit chef Vincenzo Iozzo, who will cook up several exploits in front of a live conference audience. The master chefs will demonstrate all the stages in the preparation of a gourmet exploit, from how to find and choose the right ingredients (vulnerabilities) to various preparation methods (exploitation techniques) that you may use in your own home kitchen. The recipes demonstrated will include both local privilege escalation and remote browser-based client-side vulnerabilities.
Attendees are invited to 'play along' on their own laptops. All that will be required is a laptop running the latest version of Snow Leopard and IDA Pro. The demonstrations will use IDA Pro 6.0 for Mac OS X, but attendees will also be able to follow along somewhat using IDA Pro 5.0 Freeware in Wine or a Windows VM. No network access will be required and demonstration materials will be available via CD/USB.
Many applications such as Internet Explorer, Adobe Reader and Google Chrome make use of Microsoft's "practical sandboxing" techniques. But how much additional protection does this provide against memory corruption attacks?
This talk will evaluate three consumers of this sandboxing mechanism and point out similarities, differences and ultimately flaws within each of these "sandbox" mechanisms.
The Reverse Engineer occasionally faces situations where even his most advanced commercial tools do not support the instruction set of an arcane CPU. To overcome this situation, one can develop the missing disassembler. This talk is meant to be a tutorial on how to approach the task, what to focus on first and what surprises one may be in for. The primary focus will be on the transformation of byte code back into mnemonic representation where only the reverse transformation is available (i.e. you have the respective assembler). It also covers how to integrate your new disassembler into your reverse engineering tool chain. This tutorial talk will give:
* An introduction to the problem
* How to obtain byte code
* Recognizing basic properties of the byte code
* Finding Addressing Modes
* Implementing an IDA Pro processor module
* Reading code you are not supposed to
Flaws in the business logic of web-based applications have long been ignored, partly because they are so difficult to explain to developers, but mainly because they are so difficult to test for in a consistent manner. Today, security testing for business logic flaws is done manually, and it is painstakingly difficult work which requires an in-depth understanding of application purpose and function as well as underlying logic. This talk will feature research which focuses on automating, (as much as possible), the modeling and detection of business logic flaws in web-based applications. What are the principles behind partially and fully automated business logic flaw detection?
While it may never be possible to fully automate business logic flaw detection (a la artificial intelligence), the research hypothesizes that it IS possible to create a framework tool which allows a tester armed with appropriate application knowledge to 'fuzz business logic' in a meaningful way. The research will present a proof-of-concept framework tool that enables this type of modular testing. A theoretical perspective, as well as a practical implementation, will be shared, balancing theory and reality in one of the most difficult areas of application security.
The IT security and intelligence community love Maltego – whether it be mapping a target's infrastructure or profiling a person's sphere of influence.
This brief workshop delivers a fantastic introduction to how Maltego can be extended with almost any application, script or data. While Maltego has already been noticed as being at the forefront of open source intelligence, this workshop will give you the ability to extend this power to your world.
During the workshop we will give you the knowledge to be able to:
* Extend your Maltego (both the commercial and free versions) to encompass other applications (Ever wanted to nmap right after doing a footprint?)
* Scrape websites and be able to harness real-time data (Query any website to get further information)
* Utilise your own scripts to add on additional features (Find out if there is a link between something found on the net and your internal database)
* Sharing these extensions with your team or with the rest of the community
Don't let wikileaks happen to you !!
Let's try this again!
System, network and application logs are a treasure trove for sysadmins, incident handlers and forensic analysts. Manually sifting through the data however is a task that few among us enjoy. In this workshop Xavier and Wim will introduce you to several free and open source tools that will enable you to identify events of interest, working on event logs from various systems, analyzing a mock incident and visualizing seemingly meaningless blobs of data to bring out the information that you need to do your job.
We assume a good knowledge of Windows and Unix/Linux system administration and scripting (python/perl). Bringing your own laptop able to run one or more Linux Virtual Machines (VMWare) will significantly increase the learning experience.
We'll present a series of alternative tools to facilitate the debugging and reverse engineering process of Cisco IOS by allowing the integration with most used existing debugging tools such as GDB and Ida Pro.
This solution consists of a modification to provide instrumentation capabilities for an existing hardware emulator called Dynamips. Among other things, our modification will allow the use of existing fuzzing tools/frameworks, complete analysis of the boot-loading process, debugging the target IOS independently of the GDB stub built into the IOS image, more reliability without any annoying restart during a debugging session (because the debugger in use isn't running inside the OS being debugged), and a secure environment to reproduce attacks and analyze IOS malware.
To summarize, there is no cost related to hardware devices when using this system, because the emulator can run most IOS versions using different images and hardware configurations, allowing the creation of complex network layouts in just a few minutes.
When attacking an 802.11 network that uses 802.1X Enterprise authentication it is key to know what Extensible Authentication Protocol (EAP) type is being used to authenticate the client. The EAP type used by the network will greatly influence which attacks can be successfully launched to gain access to the network. Common EAP types used by wireless networks include PEAP, EAP-TTLS, EAP-TLS, EAP-Fast and LEAP. During this talk attendees will learn how enterprise authentication works, how to manually determine the EAP type and what other useful data can be learned by examining an EAP handshake. Finally EAPEAK, a new free wireless penetration testing tool, will be released that automates this process.
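The abstract above says the EAP type in use can be read straight off the handshake, and that knowing it is what a defender needs to audit an 802.1X deployment. The following is an added example written for this page, not code from EAPEAK or the talk: a parser for the EAP packet layout defined in RFC 3748 (Code, Identifier, Length, and for Request/Response a Type byte) and a small audit routine that walks a captured exchange, records the identity, the methods the authenticator proposed, any Nak the supplicant sent, and the method that was finally accepted. The handshake bytes are constructed by hand (Identity exchange, a PEAP proposal, a Nak asking for EAP-TTLS, then an accepted EAP-TTLS start); the method numbers are the IANA-registered EAP type codes, and the `LEGACY_TYPES` set is this example's own label for methods a defender would normally want to see retired.

```python
"""Added example: parse EAP packets (RFC 3748 layout) and audit which method a
captured 802.1X exchange negotiated. The handshake below is constructed."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA-registered EAP method type numbers (subset relevant to wireless).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
# Example's own policy label: methods without a TLS tunnel / with known weaknesses.
LEGACY_TYPES = {4, 17}


def type_name(t):
    return EAP_TYPES.get(t, f"type {t}")


def parse_eap(pkt):
    """Parse one EAP packet: 1-byte Code, 1-byte Identifier, 2-byte big-endian
    Length (covering the whole packet), then a Type byte only for Request and
    Response. Trailing bytes beyond Length (e.g. frame padding) are dropped."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError(f"bad EAP length {length} for {len(pkt)} bytes")
    pkt = pkt[:length]
    info = {"code": EAP_CODES[code], "id": ident, "type": None, "data": b""}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        info["type"] = pkt[4]
        info["data"] = pkt[5:]
    return info


def audit_handshake(packets):
    """Summarise a captured EAP exchange for an 802.1X audit.

    A Response whose Type matches the Request with the same Identifier means the
    supplicant accepted that method; a Nak (Type 3) lists the methods it would
    accept instead, one type byte per entry."""
    report = {"identity": None, "proposed": [], "nak_wanted": [],
              "negotiated": None, "legacy": False}
    requests = {}  # identifier -> proposed type
    for pkt in packets:
        p = parse_eap(pkt)
        t = p["type"]
        if p["code"] == "Request" and t is not None:
            requests[p["id"]] = t
            if t >= 4:
                report["proposed"].append(type_name(t))
        elif p["code"] == "Response" and t is not None:
            if t == 1:
                report["identity"] = p["data"].decode("utf-8", "replace")
            elif t == 3:
                report["nak_wanted"].extend(type_name(b) for b in p["data"])
            elif t >= 4 and requests.get(p["id"]) == t and report["negotiated"] is None:
                report["negotiated"] = type_name(t)
                report["legacy"] = t in LEGACY_TYPES
    return report


# Constructed handshake: Identity request/response, PEAP proposed, Nak asking
# for EAP-TTLS, EAP-TTLS proposed and accepted (0x20 = method Start flag).
HANDSHAKE = [
    bytes([1, 1, 0, 5, 1]),                  # Request/Identity
    bytes([2, 1, 0, 10, 1]) + b"alice",      # Response/Identity "alice"
    bytes([1, 2, 0, 6, 25, 0x20]),           # Request PEAP start
    bytes([2, 2, 0, 6, 3, 21]),              # Response Nak: wants EAP-TTLS
    bytes([1, 3, 0, 6, 21, 0x20]),           # Request EAP-TTLS start
    bytes([2, 3, 0, 6, 21, 0x00]),           # Response EAP-TTLS (accepted)
]

if __name__ == "__main__":
    print(audit_handshake(HANDSHAKE))
```

Only the outer EAP header is decoded here; the tunnelled inner method of PEAP or EAP-TTLS is carried inside TLS and is not visible to a passive observer, which is exactly why the outer type is the piece of information an auditor can always recover.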
Recent incidents commonly thought to be linked to state sponsored activities have given rise to much discussion over the reliability of technical analysis as a source for adversary attribution - specifically in regards to what is commonly termed as the Advanced Persistent Threat (or APT). We now live in a world where the reverse engineering of a malicious binary, or analysis of a compromised host may very well play into a world-changing decision, such as whether a country should declare war on another - or indeed, whether it is no longer viable for a large, multinational corporation to continue doing business in a given part of the globe.
Of perhaps most note, stuxnet has dominated much of the information security media since its public acknowledgment in June 2010. Multiple schools of thought have emerged, casting speculation over the identities of those responsible for the authorship and operationalization of what some suggest is the most advanced piece of malware observed in the public domain. Nation state? Organized crime? Disgruntled vendor employee? This talk will take a close look at what we really know about this mysterious culmination of bits, closely analyzing some of the popular hypotheses, and identify others which have perhaps not drawn as much momentum.
As a basis for our analysis, we will discuss in depth the merits and demerits of technical analysis, demonstrating ways in which various techniques including static binary analysis and memory forensics may be utilized to build a granular profile of the adversary, and where the same techniques may fall short. The presentation will discuss a detailed characterization matrix that can be leveraged to assess, and even automate the assessment of, multiple aspects of the adversary (such as motive, technical skill, technological research resources) that may all play into the way in which we respond to an incident, or reposition ourselves to handle a specific threat over the long term.
Finally, we will review what lessons we can learn from stuxnet to further attribution related research efforts, and ways in which we might adjust our security posture when it comes to protecting our nation's most critical assets.
The case against monoculture in the computer security space is succinctly given in the executive summary of the "CyberInsecurity: The Cost of Monopoly" article by Dan Geer et al., as follows: Computing is crucial to the infrastructure of advanced countries. Yet, as fast as the world's computing infrastructure is growing, security vulnerabilities within it are growing faster still. The security situation is deteriorating, and that deterioration compounds when nearly all computers in the hands of end users rely on a single operating system subject to the same vulnerabilities the world over. Most of the world's computers run Microsoft's operating systems, thus most of the world's computers are vulnerable to the same viruses and worms at the same time. The only way to stop this is to avoid monoculture in computer operating systems, and for reasons just as reasonable and obvious as avoiding monoculture in farming. Microsoft exacerbates this problem via a wide range of practices that lock users to its platform. The moral of that article is to diversify and use multiple operating systems in an organization to prevent amplifying the consequences of an incident involving a particular operating system. Some organizations have indeed taken that message into account and are making a conscious effort to diversify their platforms above and beyond naturally occurring diversification. It is not uncommon for an organization to purchase firewalls from different vendors and deploy both of them in the network, sometimes even both at the same ingress point. The idea behind this diversification is that if there is a vulnerability in one vendor's product, it will not be present in the product made by the other vendor. This session examines what underpins this monoculture argument and which of the underlying premises are false.
The session covers why the solution to the monoculture/monopoly argument, as commonly argued, might not be universally valid and what dangers are hidden in today's systems that are supposedly designed to work around the monoculture problem. The focus of the session is on the implementation rather than the design side of things, i.e. an error in the design of the TCP protocol versus an error in a specific implementation of the (otherwise sound) TCP protocol. A design error is expected to affect all implementations of a given protocol/application, and this case is not what this session is focused on. The session is focused on instances where independent implementations of a given design have common points of failure. The session will show how the monoculture argument is applicable at different levels, from a single product (be it a single application or the whole operating system) to whole systems (e.g., a network or multiple interconnected and cooperating products).
When preparing for a talk on security monitoring, I was fighting hard to add security visualization to the mix while keeping within my allotted timeslot. Most of the feedback I received afterwards was that there wasn't enough of that in the talk. Security visualization, put on the map by the likes of Raffael Marty who performed groundbreaking work with secviz.org and the Davix LiveCD, is a subject that most people are interested in but few manage to master. In this talk I will touch on the basics of visualization techniques and dig deeper into the gathering of data to enable attendees to move beyond pie charts and bar graphs. Using mainly Davix and the Google Chart API, I will demonstrate how to make sense of the huge amount of data that comes at security analysts on a daily basis. In the first place to work more efficiently but also, and not in the least, to report to the business what is actually going on without the message getting lost in noise.
Resources utilized in this presentation and the "Grepping for Gold" workshop:
- Complete list of all tools covered in both talk and workshop
- jQuery visualization plugins
- Commercial visualization tools
Web Application Payloads are the evolution of the old school system call payloads which have been used in memory corruption exploits since the 1970s. The basic problem solved by any payload is pretty simple: "I have _access_, what now?". In memory corruption exploits it's pretty easy to perform any specific task, because after successful exploitation the attacker is able to control the CPU / memory and execute arbitrary system calls in order to create a new user or run an arbitrary command; but in the Web Application field, the attacker is restricted to the "system calls" that the vulnerable Web Application exposes:
* Local File Read - read()
* OS Commanding - exec()
* SQL Injection - read(), write() and possibly exec().
Web Application Payloads are small pieces of code that run on the attacker's machine and are then translated by the Web application exploit into a combination of GET and POST requests to be sent to the remote web-server.
This talk will explain how we implemented these payloads, the tricks used for post exploitation, many demos with payloads such as get_source_code, list_processes, apache_config, get_shell, etc.
It has been known for some time now that the massively parallel architecture of modern GPUs provides enormous acceleration when trying to break encryption or hash algorithms: GPUs are (depending on the algorithm and the implementation) some hundred times faster than standard quad core CPUs when it comes to brute forcing SHA1 and MD5. The enormous potential can also be seen in the supercomputing business: The Tianhe-1A, leader of the top 500 list of supercomputers, is not only equipped with 14,336 CPUs but also with 7,168 NVIDIA Tesla "Fermi" M2050 GPUs, each of which has 448 cores and 3GB RAM. Until recently, one needed to spend a lot of money to get a small cluster of GPU assisted servers, but Amazon now provides an instance type in its EC2 cloud that sports two of the GPUs that are also used in the Tianhe-1A, resulting in a cheap way to boot up a cluster of GPU accelerated servers that can be used for one's own purposes.
The first part of the talk will be about the design and the implementation of a massively parallel and GPU assisted environment for breaking encryption: from the generation, storage and use of rainbow tables to brute forcing in the cloud. In the second part of the talk the "Cloud Cracking Suite" is introduced: an open source suite designed to demonstrate the performance of breaking several algorithms in the cloud.
The 'Cloud Cracking Suite' is split into two parts: the server side and the client. The server side consists of high performance implementations of SHA1 and MD5 optimized specifically for the Fermi architecture, with an interface to use them for rainbow table generation or brute forcing, as well as a self-configuring Pyrit for WPA database generation. The client side provides an easy to use CLI which allows one to spawn and control a cluster for a specific task.
As the server side will be available as a hosted AMI, everyone participating can simply download the client, create an AWS account and try it out for themselves.
The Smart Grid brings greater benefits for utilities and customers alike; however, these benefits come at a cost from a security perspective. Unlike the over-hyped messages we usually hear from the media, the sky is NOT falling. However, just like any other technology, the systems and devices that make up the Smart Grid will have weaknesses and vulnerabilities. It is important for us to understand these vulnerabilities, how they can be attacked, and what we need to do to defend against those attacks.
This presentation will explore how the increased functionality and complexity of the Smart Grid also increases the Smart Grid's attack surface, or in other words, increases the ways attackers can compromise the Smart Grid's new infrastructures, systems, and business models. We'll discuss several specific attack avenues against the Smart Grid and the recommendations we are making to utilities and vendors for mitigating and blocking these attacks. This will be done without the FUD and over-hyped framing that we usually find in the media and other Smart Grid presentations.
Come take the official Samurai-WTF workshop given by one of the founders and lead developers of the project, and get a special pre-release copy of the next version of Samurai-WTF. You will learn the latest Samurai-WTF open source tools and be shown the latest techniques to perform web application assessments. Practice these skills on one of four vulnerable web applications installed and pre-configured on your Samurai-WTF live DVD. This experience will increase your hacking toolkit and take your web hacking skills to the next level.
Session fixation is an old and well-known web application vulnerability since 2002, but still today, open-source projects, widely deployed web application frameworks, and mission critical commercial business platforms are vulnerable to it, exposing thousands of production web environments worldwide. In particular, the exposure of business platform web interfaces on the Internet, as well as internally, makes this type of vulnerability the entry point to get access to unauthorized business critical data and infrastructures through targeted, criminal (blackmail, fraud, extortion, sabotage, theft and abuse), and industrial and corporate espionage attacks.
The discovery of session fixation and management flaws in web applications can have a devastating impact, allowing attackers to bypass even the most advanced authentication mechanisms. Due to its nature as a core component of web application architectures, plus the complexity of modern web solutions and overly broad session management requirements in industry specifications, fixing session fixation vulnerabilities may require a full reassessment and in-depth analysis of the web application design, impacting third party modules and products as well, and requiring (in some cases) several months to get them fixed; meanwhile environments remain vulnerable.
The presentation will provide an updated in-depth look at session fixation attacks through case studies from real-world penetration tests, including the details of how these vulnerabilities were discovered and exploited, the vendor timelines from initial reporting until fix and disclosure, and its impact. Following responsible disclosure and best practices during the last two years, the examples detail vulnerabilities in the open-source Joomla! CMS, plus the public disclosure of a session fixation in a widely used web application server, and a 0-day vulnerability in the core platform of the world's leader in business software.
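The three paragraphs above describe the flaw and the cost of fixing it at the framework level, but the core defect is small enough to show in a toy session store: an application that accepts a session identifier it never issued, and then keeps that same identifier across authentication, lets whoever planted the identifier share the authenticated session. The following is an added example written for this page, not code from any of the products or case studies the talk covers. It contrasts the vulnerable login path with two independent mitigations, rotating the identifier at authentication and refusing identifiers the server did not issue; the `SessionStore` class, its method names and the session id strings are constructed for the illustration.

```python
"""Added example: session fixation in a toy in-memory session store, the
vulnerable login path and two mitigations. All names are constructed."""
import secrets


class SessionStore:
    """Minimal server-side session store keyed by the session id the client
    presents (cookie or URL parameter).

    strict=False reproduces the permissive behaviour that enables fixation:
    an unknown id supplied by the client is adopted as a new session.
    strict=True only ever uses ids generated here."""

    def __init__(self, strict=False):
        self.strict = strict
        self.sessions = {}  # session id -> session data

    def resolve(self, presented_id):
        """Return the session id to use for this request, creating an
        anonymous session when needed."""
        if presented_id in self.sessions:
            return presented_id
        if presented_id is None or self.strict:
            presented_id = secrets.token_urlsafe(32)   # server-issued id
        self.sessions[presented_id] = {"user": None}
        return presented_id

    def login_vulnerable(self, sid, user):
        """Vulnerable: authentication upgrades the existing session in place,
        so an id known to a third party before login stays valid after it."""
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        """Mitigation: invalidate the pre-authentication id and move the
        session data to a freshly generated id that only this client sees."""
        data = self.sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        data["user"] = user
        self.sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        """Who, if anyone, is authenticated under this session id."""
        session = self.sessions.get(sid)
        return session["user"] if session else None


def demo():
    """Walk the same planted id through the vulnerable and the fixed paths.
    Returns (vulnerable_user, fixed_user_old_id, fixed_user_new_id)."""
    planted = "planted-id-known-to-third-party"   # constructed value

    permissive = SessionStore()
    sid = permissive.resolve(planted)
    permissive.login_vulnerable(sid, "alice")
    vulnerable_user = permissive.user_for(planted)   # "alice": session shared

    permissive2 = SessionStore()
    sid2 = permissive2.resolve(planted)
    new_sid = permissive2.login_fixed(sid2, "alice")
    return (vulnerable_user,
            permissive2.user_for(planted),            # None: old id is dead
            permissive2.user_for(new_sid))             # "alice"


if __name__ == "__main__":
    print(demo())
```

Rotating the identifier at every privilege change (login, role elevation) is the fix that survives even when the framework still accepts arbitrary ids, which is why it is the usual recommendation when the underlying platform cannot be changed quickly.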
While we may see the number of bugs disclosed differ from year to year, the amount of quality exploits has seen a significant downward trend (this could be a complete lie, due to an unlevel desk and a shaky hand). Not only have exploit mitigation technologies played a huge part in the pwning-decline, but many times the vulnerability and application environment is requisite material and may be quite complicated. The lowest of the low hanging fruit has been picked, it's time to acquire a step ladder.
This presentation will cover techniques used for modern exploitation. They will range from memory management and hard/soft leaks to esoteric techniques. Although lacking any new, generic techniques, the presentation will demonstrate exploitation on select targets and tell the story from bug to working exploit.
We will finish up the presentation with multiple, real-world test cases to show how in-depth knowledge was used to leverage code execution in a variety of common applications.
While ABAP is an advanced, high level business programming language, it provides several low-level interfaces called kernel calls. These kernel calls allow for data exchange between ABAP and the C-based SAP kernel. SAP's documentation strongly encourages developers not to use kernel calls. This presentation shows what can happen if kernel calls are used and gives a brief overview of some of the most dangerous kernel calls, largely unknown even to seasoned ABAP developers.
The first part of the presentation will introduce several dangerous kernel calls and show how their usage can bypass security features in the SAP standard.
The second part of the presentation will focus on buffer overflow risks related to kernel calls.
While buffer overflows are nothing new, you will see vulnerabilities where ABAP is used as a tunneling agent to propagate buffer overflow attacks to the inner SAP kernel.