
First 2012 OWASP Belgium Chapter Meeting Wrap-Up

OWASP Belgium Attendees

A new year started and why change good habits? I’m just back from the first OWASP Belgium Chapter meeting of 2012. Here is my quick wrap-up. The organization remains the same: the first few minutes were dedicated to some news from the OWASP organization given by Seba. A survey was organized by the Belgium chapter about the attendees and their expectations. Some results were presented. Most members define their knowledge as between “security aware” and “experienced”. Good news, a lot of people are ready to participate and submit talk ideas! What’s on their wishlist for 2012? Mobile security, HTML5, SDLC, SAP and more demos/hands-on sessions. One recommendation for this year: more interaction between the chapter meetings (via forums, mailing lists?).


Monitoring pastebin.com within your SIEM

Pastebin Cat

(Source: pastebin.com)

For those who (still) don’t know pastebin.com, it’s a website mainly for developers. Its purpose is very simple: you can “paste” text on the website to share it with other developers, friends, etc. You paste it, optionally define an expiration date and whether the data is public or private, and you are good. But for a while now, this on-line service has been used more and more to post “sensitive” information like passwords or e-mail lists. By “sensitive”, I mean “stolen” or “leaked” data. Indeed, pastebin.com allows anybody to use the service without any authentication, so it’s easy to remain completely anonymous (if you submit data via proxy chains, Tor or any other tool which takes care of your privacy).

In big organizations, marketing departments or agencies learned long ago how to use social networks. They can follow what is said about their products and marketing campaigns. In my opinion, it is equally important to follow what’s posted about your organization on pastebin.com! Many people are looking for interesting data on pastebin.com from an offensive point of view. Let’s see how this can also benefit the defensive side.

For me, pastebin.com became an important source of information and I keep an eye on it every day. But, due to the huge amount of information posted every minute, it is impossible to process it manually. Of course, you can search for some keywords but it’s totally inefficient. At first, I grabbed and processed some HTML content using the classic UNIX tools. Later, I found a nice Python script developed by Xavier Garcia: python.py. It checks continuously for data leaks on pastebin.com using regular expressions. I kept it running for a while on a Linux box and it did quite a good job but I needed more! Xavier’s script prints the found “pasties” on the console. It is possible to dump the detected pasties by sending a signal to the process. Not always easy. That’s why I decided to go a step further and write my own script! The principle remains the same as the Python script (why re-invent the wheel?) but I added two features that I found interesting:

  • It must run as a daemon (fully detached from the console) and be started at boot time.
  • It must write its findings to a log file.

The next step sounds logical: if you have a log file, why not process it automatically? Let’s monitor pastebin.com within your SIEM! If information about you is found on pastebin.com, it could be very interesting to be notified (a great added value for your DLP processes). My script generates Syslog messages and (optionally) CEF (“Common Event Format”) events which can be processed directly by an ArcSight infrastructure. Syslog messages can be processed by any SIEM or log management solution like OSSEC (see below). It is now possible to completely automate the process of detecting potentially sensitive leaked data and to generate alerts on specific conditions.

First, install the script on a Linux machine. Requirements are light: a Perl interpreter with a few modules (normally all of them are already installed on a recent distribution) and web connectivity to http://pastebin.com:80. If you are behind a proxy, you can define the following environment variable; it will be used by the script:

  # export HTTP_PROXY=http://proxy.company.com:8080

The script can be started with some useful options:

  Usage: ./pastemon.pl --regex=filepath [--facility=daemon ] [--ignore-case][--debug] [--help]
                       [--cef-destination=fqdn|ip] [--cef-port=<1-65535>] [--cef-severity=<1-10>]
  Where:
  --cef-destination : Send CEF events to the specified destination (ArcSight)
  --cef-port        : UDP port used by the CEF receiver (default: 514)
  --cef-severity    : Generate CEF events with the specified priority
                      (default: 3)
  --debug           : Enable debug mode (verbose - do not detach)
  --facility        : Syslog facility to send events to (default: daemon)
  --help            : What you're reading now.
  --ignore-case     : Perform case insensitive search
  --regex           : Configuration file with regular expressions (send SIGUSR1 to reload)

Once running, the script scans for newly uploaded pasties and searches for interesting content using regular expressions. There is no limitation on the number of regular expressions (defined in a text file). To not disturb the pastebin.com webmasters, the script waits a random number of seconds between each GET request (between 1 and 5 seconds). There is only one mandatory parameter, ‘--regex’, which gives the text file with all the regular expressions to use (one per line). If one of the regular expressions matches, the following information will be sent to the local Syslog daemon:

  Jan 16 14:43:24 lab1 pastemon.pl[29947]: Sending CEF events to 127.0.0.1:514 (severity 10)
  Jan 16 14:43:24 lab1 pastemon.pl[29947]: Loaded 17 regular expressions from /data/src/pastemon/pastemon.conf
  Jan 16 14:43:24 lab1 pastemon.pl[29947]: Running with PID 29948
  <time flies>
  Jan 16 15:57:48 lab1 pastemon.pl[29948]: Found in http://pastebin.com/raw.php?i=hXYg93Qy : CREATE TABLE (9 times) -- phpMyAdmin SQL Dump (1 times)

All matching regular expressions are listed with their number of occurrences. This can be easily processed by OSSEC using the following decoder:

  <decoder name="pastemon">
    <program_name>^pastemon.pl</program_name>
  </decoder>

  <decoder name="pastemon-alert">
    <parent>pastemon</parent>
    <regex>Found in http://pastebin.com/raw.php?i=\.+ : (\.+) \(</regex>
    <order>data</order>
  </decoder>

The first matched regular expression is stored in the OSSEC “data” variable to be used in rule conditions. Here is an example: the rules below (#100203 and #100204) will trigger an alert if some yahoo.com e-mail addresses are leaked on pastebin.com. (Note: this regular expression must be defined in the script configuration file!)

  <rule id="100203" level="0">
    <decoded_as>pastemon</decoded_as>
    <description>Data found on pastebin.com.</description>
  </rule>

  <rule id="100204" level="7">
    <if_sid>100203</if_sid>
    <description>Detected yahoo.com email addresses on pastebin.com!</description>
    <extra_data>@yahoo\.com$</extra_data>
  </rule>

If you have an ArcSight infrastructure, you can enable the CEF events support. The same event as above will be sent to the configured CEF destination and port:

<29>Jan 16 15:57:48 CEF:0|blog.rootshell.be|pastemon.pl|v1.0|regex-match|One or more regex matched|10|request=http://pastebin.com/raw.php?i=hXYg93Qy destinationDnsDomain=pastebin.com msg=Interesting data has been found on pastebin.com.
cs0=CREATE TABLE cs0Label=Regex0Name cn0=9 cn0Label=Regex0Count cs1=-- phpMyAdmin SQL Dump cs1Label=Regex1Name cn1=1 cn1Label=Regex1Count
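The matching and event-formatting core described above, as an added Python example (not the pastemon.pl code): it loads the regex file, counts the matches in a paste, and produces the Syslog line the OSSEC decoder parses and the CEF event with its cs/cn pairs. The paste text, regex list and paste id are constructed, and `=` in extension values is escaped as the CEF format requires, which the sample event above leaves raw.

```python
import re

# Constructed paste body, standing in for the text fetched from a raw paste URL.
SAMPLE_PASTE = """-- phpMyAdmin SQL Dump
-- version 3.4.5
CREATE TABLE `users` (id INT, email VARCHAR(255));
CREATE TABLE `sessions` (id INT, token VARCHAR(64));
INSERT INTO `users` VALUES (1, 'alice@yahoo.com');
"""

# Constructed regex file: one expression per line (blank lines and '#'
# comments are skipped here; that is this example's convention, not pastemon's).
SAMPLE_CONFIG = r"""
CREATE TABLE
-- phpMyAdmin SQL Dump
@yahoo\.com
-----BEGIN RSA PRIVATE KEY-----
"""

SAMPLE_URL = "http://pastebin.com/raw.php?i=EXAMPLE"   # constructed paste id


def load_regexes(config_text, ignore_case=False):
    """Compile one regex per non-empty, non-comment line; keep the raw text too."""
    flags = re.IGNORECASE if ignore_case else 0
    patterns = []
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append((line, re.compile(line, flags)))
    return patterns


def scan_paste(text, patterns):
    """Return [(regex_text, occurrences)] for every regex matching at least once."""
    hits = []
    for raw, rx in patterns:
        n = len(rx.findall(text))
        if n:
            hits.append((raw, n))
    return hits


def syslog_message(url, hits):
    """Same shape as the 'Found in ...' line the OSSEC decoder above parses."""
    parts = ["%s (%d times)" % (raw, n) for raw, n in hits]
    return "Found in %s : %s" % (url, " ".join(parts))


def cef_escape(value, extension=False):
    """CEF escaping: '|' and backslash in header fields, '=' and backslash in extension values."""
    value = value.replace("\\", "\\\\")
    return value.replace("=", "\\=") if extension else value.replace("|", "\\|")


def cef_event(url, hits, severity=3):
    """Build the CEF:0 event (without the Syslog PRI/timestamp prefix)."""
    header = "|".join(cef_escape(f) for f in [
        "CEF:0", "blog.rootshell.be", "pastemon.pl", "v1.0",
        "regex-match", "One or more regex matched", str(severity)])
    ext = ["request=" + cef_escape(url, True),
           "destinationDnsDomain=pastebin.com",
           "msg=Interesting data has been found on pastebin.com."]
    for i, (raw, n) in enumerate(hits):
        ext.append("cs%d=%s cs%dLabel=Regex%dName cn%d=%d cn%dLabel=Regex%dCount"
                   % (i, cef_escape(raw, True), i, i, i, n, i, i))
    return header + "|" + " ".join(ext)


# Mirrors the OSSEC decoder: capture the first regex name, i.e. the text before ' ('.
OSSEC_DATA_RE = re.compile(r"Found in http://pastebin\.com/raw\.php\?i=\S+ : (.+?) \(")


def ossec_data_field(line):
    """What the OSSEC decoder stores in 'data' (first regex name), or None."""
    m = OSSEC_DATA_RE.search(line)
    return m.group(1) if m else None


def main():
    patterns = load_regexes(SAMPLE_CONFIG)
    hits = scan_paste(SAMPLE_PASTE, patterns)
    msg = syslog_message(SAMPLE_URL, hits)
    print(msg)
    print(cef_event(SAMPLE_URL, hits, severity=10))
    print("OSSEC data field:", ossec_data_field(msg))


if __name__ == "__main__":
    main()
```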

To process the CEF events on ArcSight’s side, configure a new SmartConnector, a new UDP CEF receiver and the events should be correctly parsed:

Parsed pastemon.pl events


That looks great! But the next question is: “What to look for on pastebin.com?”. Well, it depends on you… Based on your organization or business, there are things that you can’t miss. Here is a list of useful regular expressions that I often use:

RegEx                                                                  Purpose
---------------------------------------------------------------------  -----------------------------------
company\.com                                                           Your company domain name
@company\.com                                                          Corporate e-mail addresses
CompanyName                                                            Company name
MyFirstName MyLastName                                                 Your full name
@xme                                                                   Twitter account
192\.168\.[1-3]\.\d{1,3}                                               IP address ranges
anonbelgium                                                            Hacker groups
#lulz                                                                  Trending Twitter hashtags
#anonymous
#antisec
-----BEGIN RSA PRIVATE KEY-----                                        Interesting data!
-----BEGIN DSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-- MySQL dump                                                          Interesting dumps!
belgium                                                                My country
city                                                                   My city
((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[47]\d{13}       Credit cards

If you have interesting regular expressions or ideas, feel free to share!

Source is available here. As usual, this is provided “as is” without any warranty. Happy monitoring!

Show me your SSID’s, I’ll Tell Who You Are!

Wi-Fi

The idea of this article came from a colleague of mine. He wrote a first version of the script described below. I found it very useful and asked his permission to re-use it and to write this blog article. Thanks to him! In the meantime, during my research, I also found that a friend, Didier Stevens, published on his blog the same kind of script but for an AirPcap adapter. Mine uses any adapter that can be switched to “monitor” mode.

All devices have Wi-Fi interfaces (laptops, tablets, mobile phones, consoles, etc.) and their operating systems have features to easily manage the wireless networks you connect them to. When you connect for the first time to a new network, most users save the information for later use (or the system stores it for you without notification). This small database will be used later by the operating system to discover which known network(s) are available and automatically connect to them.

This database may contain a lot of interesting data. Some of it may reveal private information like your employer, your ISP, where you go to party or to eat, where you go on holidays or which security conference you attended. Why? Simply because networks are often configured with explicit names. Have a look at the screenshots below taken from a laptop running Ubuntu:


Ubuntu Wifi-Settings


Network Configuration


By default, when a new wireless network is configured, the “auto-connect” flag is enabled. This is the case on Ubuntu, MacOS and Windows 7. What does this mean? Each time you boot your computer or you reconfigure your wireless card, the device will send “Probe Request” management frames over the air. This can be compared to a message like “Hey! Network xxx, are you there?”. Even if your network uses encryption, all those probes are sent in clear! In Wi-Fi technologies, there are several methods available to detect the available networks or SSIDs:

  • Beacon,
  • Probe Requests,
  • Probe Responses,
  • Association Requests,
  • Reassociation Requests

“Probe Requests” are very interesting to capture to detect the SSIDs already configured and used by people. To achieve this, we just need a BackTrack 5, a Wi-Fi network card that supports monitor mode and some tools. To collect “Probe Requests”, just use the following commands:

  # iwconfig wlan0 mode monitor
  # iwconfig wlan0 channel <i>
  # tshark -i wlan0 subtype probereq

It’s easy but not very convenient! If you keep tshark running for a few hours, you could miss data. The purpose of the script is to automate this process and keep some statistics about the detected probe requests (client MAC addresses and SSIDs). It’s also important to scan all the available channels (1-14) to grab as many SSIDs as possible. This is called “channel hopping” and to achieve this, the script starts a child process which changes the Wi-Fi channel every 5 seconds in an infinite loop. The script syntax is the following:

  Usage: ./hoover.pl --interface=wlan0 [--help] [--verbose] [--iwconfig-path=/sbin/iwconfig]
                    [--ifconfig-path=/sbin/ifconfig]
                    [--dumpfile=result.txt]
  Where:
  --interface     : Specify the wireless interface to use
  --help          : This help
  --verbose       : Verbose output to STDOUT
  --ifconfig-path : Path to your ifconfig binary
  --iwconfig-path : Path to your iwconfig binary
  --tshark-path   : Path to your tshark binary
  --dumpfile      : Save found SSID's/MAC addresses in a flat file (SIGUSR1)

It will dump all detected SSIDs to the console in a completely passive way. No packets are sent over the air from the scanning host! When you kill the script or wake it up via a SIGUSR1 signal, it will dump all detected SSIDs, MAC addresses, packet counts and the last time each was seen. The example below shows the result of one day of scanning in my neighborhood. 40 SSIDs detected in my area is not bad (I’m living in the countryside).

 !! Dumping detected networks:
 !! MAC Address          SSID                           Count      Last Seen
 !! -------------------- ------------------------------ ---------- -------------------
 !! 7E-62-89-9E-C4-E4    Billi-Wifi                             43 2012/01/10 22:15:36
 !! 07-46-6E-4F-61-4E    Réseau de ******                     2732 2012/01/11 16:28:09
 !! 6F-B6-11-2E-AF-74    LA HAGOULLE                             1 2012/01/11 16:17:08
 !! 8F-9F-B1-5B-73-C8    Go-Away-Lamerz                         85 2012/01/11 16:28:09
 !! 00-ED-E1-3A-A9-1C    wifi94                                  6 2012/01/10 18:25:27
 !! E1-28-7F-6A-C6-44    3cles                                   1 2012/01/11 16:17:08
 !! 4E-CD-8A-BD-1C-EB    NOW-X-54                               10 2012/01/10 20:08:02
 !! 0B-8C-A1-1C-BB-51    CRAPS                                5598 2012/01/11 16:28:09
 !! 91-4A-F0-42-A6-63    bbox2-****                              1 2012/01/11 10:48:49
 !! 0B-A7-51-ED-E1-FA    SpeedTouchD4288C                        2 2012/01/11 16:17:08
 !! C09-C2-23-89-2D-E9   ISFS                                    4 2012/01/10 18:12:25
 !! CE-7C-B6-58-39-D3    HAYEZ                                   1 2012/01/11 10:48:49
 !! 44-45-60-E6-61-1B    Guest                                   1 2012/01/11 16:17:08
 !! 0B-A7-51-ED-E1-FA    bbox2-****                              8 2012/01/11 16:15:11
 !! 09-C2-23-89-2D-E9    biblio                                  1 2012/01/11 10:48:49
 !! CE-7C-B6-58-39-D3    free-hotspot.com                        2 2012/01/11 16:17:08
 !! 37-F3-65-28-35-0C    123EURO                                 1 2012/01/11 16:17:08
 !! E4-8F-02-9B-E8-3C    FREE_DELIRIUM                           1 2012/01/11 10:48:49
 !! 6E-2C-81-CE-13-E3    bbox2-****                              4 2012/01/10 18:25:27
 !! E9-4A-D6-4F-72-0C    chateau_magique                         1 2012/01/11 16:19:07
 !! A4-B4-B3-FC-B0-75    WiFi_FD                                 1 2012/01/11 16:17:08
 !! E3-9E-A3-9F-A1-F7    TP-LINK_******                        519 2012/01/11 16:10:51
 !! DA-6C-E2-D8-D8-A7    bbox2-****                              6 2012/01/10 18:25:27
 !! 03-94-41-21-6C-C2    bbox2-****                              3 2012/01/10 18:25:27
 !! 27-E3-1F-61-5A-69    linksys-n                               1 2012/01/11 10:48:49
 !! 81-8A-48-1B-DF-20    Philips WiFi                            1 2012/01/11 10:48:49
 !! 55-C3-BE-F9-63-60    SpeedTouch******                        1 2012/01/11 16:17:08
 !! F0-3D-CC-D3-16-A4    blanmont                               27 2012/01/11 16:28:09
 !! 7A-19-39-BC-3B-A6    chouchou                                1 2012/01/11 10:48:49
 !! 7E-62-89-9E-C4-E4    belgacom                                1 2012/01/11 10:48:49
 !! 07-46-6E-4F-61-4E    Réseau UAH                              4 2012/01/10 18:25:27
 !! 6F-B6-11-2E-AF-74    dlink                                   5 2012/01/11 10:48:49
 !! 8F-9F-B1-5B-73-C8    sagem-****                              1 2012/01/11 16:17:08
 !! 00-ED-E1-3A-A9-1C    bbox2-****                              1 2012/01/11 10:48:49
 !! E1-28-7F-6A-C6-44    bbox2-****                              2 2012/01/11 10:48:49
 !! 4E-CD-8A-BD-1C-EB    QuickWiFi                               1 2012/01/11 16:17:08
 !! 91-4A-F0-42-A6-63    bbox2-****                              1 2012/01/11 16:17:08
 !! 81-8A-48-1B-DF-20    linksys                                14 2012/01/11 16:19:07
 !! 27-E3-1F-61-5A-69    WiFi_6E                                 1 2012/01/11 16:17:08
 !! 82-94-05-84-30-ED    Sitecom                                 1 2012/01/11 16:17:08
 !! Total unique SSID: 40

Note: the MAC addresses have been randomized using the MAC Address Generator.
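The aggregation the script performs (count and last-seen time per client MAC address and SSID, wildcard probes ignored), as an added Python example rather than the hoover.pl code. It assumes the probe requests were exported by tshark as tab-separated `frame.time_epoch`, `wlan.sa` and `wlan.ssid` fields; the capture lines and MAC addresses below are constructed.

```python
import time

# Assumed capture command (display filter 4 = Probe Request), one line per frame:
#   tshark -i wlan0 -Y "wlan.fc.type_subtype == 4" -T fields \
#          -e frame.time_epoch -e wlan.sa -e wlan.ssid
# Constructed lines: an empty SSID is a wildcard (broadcast) probe and carries
# no network name; the last line is deliberately malformed.
SAMPLE_CAPTURE = "\n".join([
    "1326233736.123\t7e:62:89:9e:c4:e4\tBilli-Wifi",
    "1326233740.000\t7e:62:89:9e:c4:e4\t",
    "1326233800.500\t0b:8c:a1:1c:bb:51\tCRAPS",
    "1326233900.750\t0b:8c:a1:1c:bb:51\tCRAPS",
    "1326234000.000\t7e:62:89:9e:c4:e4\tbelgacom",
    "not a probe request line",
])


def normalize_mac(mac):
    """7e:62:89:9e:c4:e4 -> 7E-62-89-9E-C4-E4 (the dump's notation)."""
    return mac.upper().replace(":", "-")


def parse_probe_line(line):
    """Return (epoch, mac, ssid), or None for wildcard probes and malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 3:
        return None
    ts, mac, ssid = fields
    try:
        epoch = float(ts)
    except ValueError:
        return None
    if not ssid:                      # wildcard probe: nothing to learn from it
        return None
    return epoch, normalize_mac(mac), ssid


def aggregate(lines):
    """Map (mac, ssid) -> {'count': n, 'last_seen': epoch}, in first-seen order."""
    stats = {}
    for line in lines:
        rec = parse_probe_line(line)
        if rec is None:
            continue
        epoch, mac, ssid = rec
        entry = stats.setdefault((mac, ssid), {"count": 0, "last_seen": 0.0})
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], epoch)
    return stats


def unique_ssids(stats):
    """Number of distinct SSIDs, regardless of how many clients probed for them."""
    return len({ssid for _, ssid in stats})


def dump_table(stats):
    """Render the same '!!' table layout the script prints on SIGUSR1."""
    out = [" !! Dumping detected networks:",
           " !! %-20s %-30s %-10s %-19s" % ("MAC Address", "SSID", "Count", "Last Seen"),
           " !! %s %s %s %s" % ("-" * 20, "-" * 30, "-" * 10, "-" * 19)]
    for (mac, ssid), e in stats.items():
        last = time.strftime("%Y/%m/%d %H:%M:%S", time.localtime(e["last_seen"]))
        out.append(" !! %-20s %-30s %10d %s" % (mac, ssid, e["count"], last))
    out.append(" !! Total unique SSID: %d" % unique_ssids(stats))
    return "\n".join(out)


if __name__ == "__main__":
    print(dump_table(aggregate(SAMPLE_CAPTURE.splitlines())))
```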

That’s all for the technical part. Now that you have a list of MAC addresses and SSIDs, what can you do with them? How can this script be useful from an attacker’s perspective?

First, use this as a “presence detection” mechanism. You can track the presence of people in a specific area. Being at home, I could detect when my neighbor is back home and uses his laptop. Same for companies: from outside, you could detect the presence of employees in the office. The more powerful your antenna, the further away you will be able to detect activity. Then, the detected SSIDs could help you to learn a lot about your potential victim. The goal is to “put a face” on the MAC address. You can learn the type of device/ISP they use. You can learn about their habits (hotel SSIDs, restaurant SSIDs, etc.) and later use them to perform social engineering. Some people define SSIDs with personal data: pet names, street addresses, nicknames. Always interesting stuff… If you know that your victim booked a room in a specific hotel, it’s a step forward to asking him to click on a rogue document coming from this hotel. But that’s another story!

The script is available here.

Everything Can Be Outsourced But Not Your Responsibility!

Outsourcing

(Source: rylanclayne.com)

Today almost all organizations outsource some of their IT projects to third-party partners. Due to the ever-changing landscape in information technology, it is virtually impossible for an organization to have internal knowledge in all domains of technology. The web presence is maybe the domain where projects are most often outsourced to “web agencies”. Today, organizations must have an on-line presence and look attractive to customers, investors and more. You know all that we put under the term “Web 2.0”. Alas, still today a lot of web agencies don’t have a clue about security or do not give the right priority to security.

The recent attack against the Arcelor Mittal website is a very good example! They were compromised by Anonymous Belgium and some data were posted on pastebin.com. My goal is not to debate Anonymous Belgium’s actions (which remain illegal in Belgium as in most countries). Hacktivism has pros and cons. But when data are posted, it’s always interesting to have a look at them to learn more about the attack. In this case, the website’s Achilles’ heel was a Perl script:

http://www.arcelormittal.com/distributionsolutions/prg/selfware.pl?id_sitemap=1

http://www.arcelormittal.com/fce/prg/selfware.pl?id_sitemap=1

http://www.arcelormittal.com/automotive/prg/selfware.pl?id_siremap=1

First, is the script common or is it part of a well-known CMS? Google gave me the answer. The query “inurl:selfware.pl” returned only 2960 hits! Most of them refer to Arcelor Mittal websites but also to other domains of activity:

  • arcelormittal.com
  • arcelormittalgent.com
  • constructalia.com
  • prepaintedmetal.eu
  • prepaintedmetalacademy.eu
  • prelaque.com
  • ziekenhuiswaregem.be
  • seniordepartment.be
  • prelague.com
  • aep-group.eu

Of course, the same script makes other websites vulnerable to the same SQL injection. No need to fire up sqlmap: just by adding a single quote (') to the parameter, you get this error:

  Software error:

  SELECT id_sitemap, s_type FROM sitemap WHERE base = 14' AND active = 'Y' ORDER BY s_order LIMIT 0,1
  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND active = 'Y' ORDER BY s_order LIMIT 0,1' at line 1 at libs/selfware.pm line 591.
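The query from the error message, as an added example (not the selfware.pl code) on an in-memory SQLite table with constructed rows: the string-built version fails with the same kind of syntax error on a trailing quote and changes meaning on other input, while the placeholder version treats the parameter as a value.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the 'sitemap' table named in the error."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sitemap (id_sitemap INTEGER, s_type TEXT, "
                "base INTEGER, active TEXT, s_order INTEGER)")
    con.executemany("INSERT INTO sitemap VALUES (?, ?, ?, ?, ?)", [
        (1, "page", 14, "Y", 1),
        (2, "page", 14, "N", 2),
        (3, "news", 15, "Y", 1),
    ])
    return con


def lookup_vulnerable(con, base):
    """The request parameter is pasted straight into the SQL text."""
    sql = ("SELECT id_sitemap, s_type FROM sitemap WHERE base = %s "
           "AND active = 'Y' ORDER BY s_order LIMIT 0,1" % base)
    return con.execute(sql).fetchone()


def lookup_safe(con, base):
    """Bind parameter: the value is passed to the driver, never into the SQL text."""
    sql = ("SELECT id_sitemap, s_type FROM sitemap WHERE base = ? "
           "AND active = 'Y' ORDER BY s_order LIMIT 0,1")
    return con.execute(sql, (base,)).fetchone()


def raises_db_error(fn, con, value):
    """True if the lookup fails with a database error, i.e. the input was parsed as SQL."""
    try:
        fn(con, value)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    con = make_db()
    print("normal   :", lookup_vulnerable(con, "14"), lookup_safe(con, "14"))
    print("quote    :", raises_db_error(lookup_vulnerable, con, "14'"),
          raises_db_error(lookup_safe, con, "14'"))
    print("tautology:", lookup_vulnerable(con, "0 OR 1=1"), lookup_safe(con, "0 OR 1=1"))
```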

By checking the primary name servers and whois registration data, it’s easy to discover that all the sites mentioned above were developed by a single web agency located in Belgium. I won’t give the name here (such companies are sometimes more reactive on the legal aspects than on fixing their crappy code). And my goal is not to destroy their image, they are big enough to do it by themselves!

Let’s put the technical stuff aside now. What are the conclusions of this story? If you outsource some (web) development tasks to an external partner, don’t forget that YOUR name will be in front of the stage! The data breach had a big impact on Arcelor Mittal. Their name was present in all media (social and classic). It’s up to you to take the appropriate measures to avoid this situation. Everything can be outsourced but not your responsibility. The written code is used by your customers or team members and processes your data! How to address this issue?

Scenario 1: You delegate the full development life-cycle to your partner. In this case, you must implement controls to verify the compliance with the original requirements during the complete development cycle.

Scenario 2: You delegate the development part to your partner but you perform the compliance controls (code review, penetration testing). This can be done internally or by a third-party partner.

In both cases, a close relationship must be established with the partners. Finally, don’t put all your eggs in the same basket: some people are good developers, others are skilled system administrators. Is it a good idea to host your websites on an external server maintained by your web agency? Do they apply patches? Do they monitor the servers? Do they keep an eye on the logs? Like cloud services, the primary goal is often cost reduction. But it must be properly implemented, otherwise the costs could be… worse! Like a simple SQL injection in crappy code…

And I Thought to be Protected!

Broken Net

The security market is constantly changing! A few years ago, there was the “UTM” (“Unified Threat Management”) market which offered customers all-in-one solutions (firewall, anti-virus, IDS, VPN, load-balancing, etc.). Some of them were close to making coffee! Then, the “Next Generation” wave started. On top of it, all those products are promoted by vendors in ties as the killer-solution-to-make-your-CSO-life-beautiful! My goal is certainly not to destroy the image of such solutions. It’s part of the game. The security business is growing and each vendor tries to get its share of it. But I would like to make you more aware of a potential weakness.

First of all, an all-in-one solution may have positive impacts in your organization:

  • A simplified architecture, easier integration within your existing infrastructure.
  • Reduced set of management tools (console, log analyzer, monitoring).
  • Cost reduction (less power, simplified licensing model, less training).
  • Limited points of contact for support.
  • Quick and automatic database updates (new threats, viruses or website blacklists).

Sounds great! Now let me tell you a story. Let’s imagine a customer “C” who is testing a next-generation firewall solution “F”. He tested the integrated anti-virus solution and reported that all the tested viruses passed through the firewall while his regular anti-virus did well. What happened? The customer downloaded and tested some old viruses from public repositories. The firewall manufacturer was contacted and reported the following fact:

“To prevent the database from growing too large we prune old signatures that are no longer considered a risk. To keep our database small (and our scanner fast) we only protect against signatures that are still “in the wild” and haven’t been addressed properly by the targeted supplier.”

By reading this comment, my first reaction was a big “WTF!” but, after a deep breath, it looked more like a best practice. Keep in mind that the tested device is primarily a firewall and:

  • The number of virus signatures is constantly growing. Each virus is forked into multiple versions which lead to multiple signatures.
  • It’s a fact that signature based detection is often weak. Still today most anti-virus programs fail to detect viruses which use basic obfuscation techniques.
  • Processing a complete database of signatures would require a lot of system resources and affect the overall throughput.

Do we have to blame the vendors in this case? IMHO, no! Their security solutions are often deployed in the first line and must keep the best balance between emerging threat detection and performance (low latency). There is no magic recipe: they reduce the number of security checks or they reduce the throughput. It’s more important to focus on emerging threats and to provide rapid updates. And from a customer perspective? Be careful! If vendors can’t be blamed for dropping old virus signatures, they can be blamed for promoting their solutions as “bullet-proof”.

From my point of view, integrated solutions remain primarily “firewalls” (with great features, I admit). But keep in mind that manufacturers must make technical concessions to keep their products powerful. Multiple lines of defense must remain a best practice.

In conclusion, it’s a question of risk management. What is the risk of being infected by an “old” virus? Can you trust the vendor to decide that virus “A” or “B” is not a threat anymore? What makes a virus “old”? From an attacker’s point of view, what about waiting for a threat level to be reduced and then re-using it to compromise the target? It’s a question of time…


Top-10 Blog Posts for 2011

Review 2011

That’s the Christmas break for most of us! Let’s spend some good times with friends and family. That’s also the period when people like to ask their crystal ball or their favorite mascot what will happen in the coming months. This is not an exercise for me. I don’t pretend to have enough cards in my hands to decide whether this or that topic will become a “hot topic” in 2012. My point of view is much simpler: attackers will target where the business (read: the money) is.

The period is also favorable for all kinds of “yearly reviews”. About this topic, I have some material to share with you. I processed all my blog logs from the last twelve months and generated my personal top ten. What are the most-read articles on this blog in 2011?

Unique Visitors Article
7163 Tunisia tracks users with JavaScript injection?
5149 Are you “NG” ready?
3940 “Lulzsec vs The Sun”, a case study?
3804 Tracking malicious IP & users with OSSEC
3638 Auditing MySQL DB integrity with OSSEC
3473 Should Dropbox & co be killed?
3380 My OSSEC dashboard
3356 You like? Spammers like you too!
3293 OSSEC speaks Arcsight
3262 Why physical (network) security is important?

I’m blogging for fun and it’s always motivating to see the number of visitors growing! Nothing should change next year. I’ll continue to share stuff about security topics and write conference wrap-ups. I wish you a Happy (and safe) New Year 2012!

Honeymail: Track Who’s Leaking Your E-mail Addresses

Honey Jar

“E-mail”… What a wonderful online service! When I first connected to the Internet around 1994 (I’m feeling old writing this!), I was so excited to receive my first e-mail! Today, I’m very happy when I receive less than 50 e-mails per day! E-mail has been, for years, associated with spam. Still today, most of the SMTP traffic on the Internet is spam. Fighting spam became a real sport for most of us.

Today, most spam can be easily detected and blocked by filters. Being my own e-mail provider (I maintain my own domains, DNS & SMTP servers), regular spam has not been an issue for a while. Each week, at most two to three spams are not detected… I find this acceptable. Today, I’m most concerned by my privacy and how my personal information is managed by third parties.

How do I take care of this issue?

  • With my Gmail account, I’m using “email+source@domain.com” e-mail addresses. This helps the creation of filters based on the “+strings” you used. Alas, more and more online services do not allow a plus sign in e-mail addresses.
  • Using my own infrastructure, I’m using e-mail addresses like “source@nospam.rootshell.be“.

The goal of those techniques is to track who leaked or shared your e-mail addresses without your authorization. A few months ago, a new project was initiated by a friend, Tomasz Miklas. His project is called honeymail.net. The principle looks the same as my own solution but it does not require any infrastructure on your side and no registration at all. How does it work?

  • You visit a website which requires your e-mail address in a form.
  • Create a new alias and activate it. It’s as easy as sending an e-mail:
      From: xavier@private-email.com
      To: create@my.honeymail.net
      Subject: Suspicious website

    You will receive an e-mail with a link to activate your new alias.

  • Continue with your registration on the suspicious website and provide your honeymail.net address.
  • The first time you receive a mail at this address, honeymail.net will create a link between the sender and your alias (a “one-2-one” link). Then the message will be delivered to your private address:
    Now, your alias is linked to the sender! If you receive an e-mail to your alias from another source, you’ll be warned.
  • To test, just send a new e-mail from another account:

To manage your aliases, simply send other e-mails. Aliases can be temporarily paused and resumed. This is useful to simply drop all e-mails sent to them. Another nice operation is the “reset”. It deletes the existing link with the source e-mail address. The website is clear and easy to use, have a look for more details!

At the moment, honeymail.net is still a proof of concept but it looks very promising. I recommend it if your privacy is a main concern!

Who’s Playing with my Data?

Is it safe?

My privacy, your privacy are key requirements in our (online) life! Nobody enjoys seeing personal data used by unauthorized people. Let me tell you a story that happened to me today. I visited the website of a well-known vendor to grab some information about its products. When you’d like to access more information like a white paper, documentation or a live demo, you are often redirected to a very nice form asking you for hundreds of personal details. That’s part of the game. Even if, personally, I hate this! Most of the time, I just press the “back” button of my browser or close the tab. After all, looking for some information does not mean that I’m ready to meet the vendor or to be hunted by their sales force! I respect sales people, they have to do a job that is not always easy but… DON’T BUG ME!

Back to today’s story. I really needed the precious documentation. Forced to follow the procedure, I filled in and submitted the online form. Of course, I never disclose my personal data. Usually I use the details of the Privacy Commission in Brussels:

Jean Dupont
Commission for the Protection of Privacy
Rue Haute, 139
1000 Brussels, Belgium
+32 (0)2 213 85 40

And to protect my e-mail address, I use guerrillamail.com, which provides temporary e-mail addresses. Some vendors are nasty and refuse disposable e-mail addresses but this remains unusual (luckily for us). Back in the GuerrillaMail interface, I received the confirmation but also a strange message: (Note: the information has of course been anonymized)

  Undelivered mail
  From: postmaster@webagency.com, To: ucqczlqd@sharklasers.com, Date 2011-12-14 12:32:04
  An error was detected while processing the enclosed message.  A list of
  the affected recipient follows.   This list is in a special format that
  allows software like LISTSERV to automatically take action on incorrect
  addresses; you can safely ignore the numeric codes.

  --> Error description:
  Error-for:  johndoe@webagency.com
  Error-Code: 3
  Error-Text: Mailer server.webagency.com said:
              "550 5.1.1 <johndoe@webagency.com> User unknown; rejecting"
  Error-End:  One error reported.
  ------------------------------ Original message ------------------------------
  Received: from AspEmail (server.webagency.com) by server.webagency.com
  (LSMTP for Windows NT v1.1b) with SMTP id <0.00018EAA@server.webagency.com>;
  Wed, 14 Dec 2011 7:32:02 -0500
  From: <ucqczlqd@sharklasers.com>
  To: sales@vendor.com,johndoe@webagency.com
  Subject: VendorName - Request a Demo
  Date: Wed, 14 Dec 2011 07:32:02 -0500
  MIME-Version: 1.0

  The following information has been submitted:

  First Name:         Jean
  Last Name:          Dupont
  Company:            Commission for the Protection of Privacy
  Title:              N/A
  Email:              ucqczlqd@sharklasers.com

  Phone:              +32 (0)2 213 85 40
  State:              Brussels
  Country:            Belgium

  Comments:           Don't bug me!

  Referral Info:
  Refering URL:   http://www.vendor.com/
  Landing Page:   /a/very/long/path/to/more/vendor/information/index.asp

Of course, it was very tempting to google for the e-mail address which generated the non-delivery error message. I found the guy! He worked for “webagency.com” as a “Search Marketing Specialist” (just his title already scares me!) and left seven months ago. I wonder why this guy configured the script to send a copy of all visitors’ information to his mailbox. What can we learn from this story?

  • From a visitor’s point of view, don’t trust the website you’re visiting. Even if it belongs to a well-known or big player, the information can be accessed by third parties. Most websites are developed and hosted outside the company (and outside its controls!)
  • From a company’s point of view, properly manage the departure of people. When someone leaves the company, a lot of organizations simply close the e-mail account. The right way is to redirect the mailbox to a manager or a direct colleague who will be able to process the new incoming mail. This way, the problem reported above should have been detected and fixed.
  • Implement code review and strong software development rules. If the data was sent to a second e-mail address for debugging purposes or during a test phase, why leave it active for months?
  • Depending on your business, this could have huge compliance impacts! (Note: sensitive information should never be sent via e-mail!)
  • Implement SoD (“Separation of Duties”) to ensure that tasks are properly handled and that developers cannot implement backdoors or add unexpected functions to their code.

Now you understand why you receive spam even if you manage your e-mail addresses properly! Stay safe!

rrhunter: Detecting Rogue IPv6 Routers

It’s a fact: IPv6 deployments are on the rise. We are close to the end of 2011 and this year was really some kind of kick-off year to deploy the new protocol or to run live tests. I won’t go over all the new features implemented in the sixth version of our beloved protocol, but one of them is more interesting than the others: auto-discovery. Of course, it was already possible to let IPv4 hosts configure themselves via DHCP but here, it’s directly integrated into the stack. With IPv6, four new ICMP message types were introduced:

  • Neighbor advertisement / solicitation
  • Router advertisement / solicitation

Those are part of “Neighbor Discovery” as described in RFC4861. When an IPv6-enabled host connects to a network, it waits for a router advertisement packet, but it can also send solicitation packets to discover more quickly whether IPv6 routers are connected on the same wire. Once received, the router will respond and send the information the host needs to configure its IPv6 stack. One piece of that information is the network prefix (usually a /64), which will be used to generate IPv6 addresses. Such advertisement or solicitation messages are sent to the special address “ff02::1”, which represents all the hosts connected on the wire (same behavior as a broadcast).

If you think like a blackhat, you have already understood that this auto-configuration feature can be used to redirect some traffic to a rogue device behaving like an IPv6 router. Nothing new here, such attacks have existed for years using a rogue DHCP server. But IPv6 has a big advantage: it can run on company networks even if they don’t plan to implement it in the short term. Combined with other protocols like NAT-PT (“Network Address Translation – Protocol Translation”, defined in RFC2766), it’s easy to conduct an attack. Indeed, NAT-PT can “translate” DNS lookups and will return IPv6 addresses. This will force traffic destined for IPv4-only websites to be sent to the rogue router. Don’t forget that, in presence of both stacks, modern operating systems will prefer IPv6! Evil! If you’re interested in this kind of attack, there are tools to automate it, like fake_router6. This issue is addressed in RFC6104.

So, the basic question is: “How to protect myself?” or more precisely “How to detect rogue IPv6 routers?”. On Linux systems, the detected neighbors can be displayed using the ‘ip’ command:

  # ip -6 neigh show
  fe80::230:48ff:fe27:4e40 dev eth1 lladdr 00:30:48:27:4e:40 router STALE

An easy way to detect a rogue router is to “grep” out your official one: any remaining neighbor flagged as a router is suspect (the message only appears when such an entry exists):

  # ip -6 neigh show | grep router | grep -v -q fe80::230:48ff:fe27:4e40 && echo 'Rogue router detected!'
  Rogue router detected!

The problem: this is a passive way to detect rogue devices! Why not force routers to reveal themselves by sending RS (“Router Solicitation”) packets on the network? As a proof of concept, I wrote a Perl script which broadcasts RS packets and listens for potential router responses. If the router IP address changed or is not the expected one, it will report the problem.

My tool is called “rrhunter” and can be used with the following syntax:

  # rrhunter.pl [-d] [-D] [-f] [-h] [-i device] [-l] [-N prefix/mask] [-n IP6addr]
                [-s Facility] [-t Seconds]

The available parameters are:

  • “-d” enables the debug mode (increases verbosity)
  • “-D” starts the script in daemon mode. It detaches from the console and checks for rogue routers in the background. Messages are sent to the local Syslog daemon.
  • “-f” forces the daemon not to detach from the console (run in foreground)
  • “-h” displays the command syntax.
  • “-i device” specifies the device used to send/listen to packets (default: eth0)
  • “-l” enables the listen mode. The first IPv6 neighbor detected will be used as the official one. Any change of the IP address will result in an error message.
  • “-N prefix/mask” defines the expected IPv6 prefix returned by the IPv6 neighbor. Any change will result in an error message.
  • “-n IP6addr” defines the expected IPv6 neighbor
  • “-s Facility” defines the Syslog facility used to log messages (default: “daemon”)
  • “-t Seconds” defines the interval between two router solicitation packets

The minimum required parameter is “-n”:

  # ./rrhunter.pl -n fe80::230:48ff:fe27:4e40 -d -i eth1
  +++ Debug enabled.
  +++ Using interface eth1.
  +++ Running with PID 12252.
  +++ Expected IPv6 neighbor: fe80::230:48ff:fe27:4e40
  +++ Listening on eth1.
  +++ Router Solicitation packet sent!
  +++ Detected IPv6 neighbor: fe80::230:48ff:fe27:4e40.

This example generated the following network traffic:

  21:11:50.445138 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 8) 2001:5c0:150e:a300:20c:29ff:fef5:edfd > ip6-allnodes: [icmp6 sum ok] ICMP6, router solicitation, length 8
  21:11:50.446112 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::230:48ff:fe27:4e40 > ip6-allnodes: ICMP6, router advertisement, length 64
      hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s[ndp opt]

Now, let’s imagine that our router changed:

  # ./rrhunter.pl -n fe80::230:48ff:fe27:4e40 -i eth1
  Rogue IPv6 neighbor detected: fe80::230:48ff:fe27:4e41 (Expected: fe80::230:48ff:fe27:4e40).

Another interesting switch is “-N” which requires an IPv6 prefix. The script will check the assigned IPv6 address and report an error if it’s not in the expected scope:

  # ./rrhunter.pl -n fe80::230:48ff:fe27:4e40 -d -N 2001:5c0:150f:a300::/64 -i eth1
  +++ Debug enabled.
  +++ Using interface eth1.
  +++ Running with PID 12252.
  +++ Expected IPv6 network: 2001:5c0:150f:a300::/64
  +++ Expected IPv6 neighbor: fe80::230:48ff:fe27:4e40
  +++ Listening on eth1.
  +++ Router Solicitation packet sent!
  +++ Detected IPv6 neighbor: fe80::230:48ff:fe27:4e40.
  Unexpected IPv6 address detected: 2001:5c0:150e:a300:20c:29ff:fef5:edfd (Expected: 2001:5c0:150f:a300::/64).
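As an added example (not rrhunter’s own code), here is the same pair of checks done offline in Python on a Router Advertisement payload: the RA source must be the expected neighbor (“-n”) and every advertised prefix must be the expected one (“-N”, applied here to the advertised prefix rather than to the address the host ended up with). The packets, option values and function names are constructed for the example; only the addresses and the MAC come from the output above.

```python
"""Offline check of IPv6 Router Advertisements against an expected router/prefix.

Added example, not rrhunter itself: it applies rrhunter's "-n" (expected neighbor)
and "-N" (expected prefix) tests to the ICMPv6 RA payload a Router Solicitation
triggers, on constructed packets.  Field layout follows RFC 4861 sections 4.2/4.6."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134  # ICMPv6 type of an RA
ND_OPT_SOURCE_LLADDR = 1           # Source Link-Layer Address option
ND_OPT_PREFIX_INFORMATION = 3      # Prefix Information option


def parse_router_advertisement(payload):
    """Return (router_lifetime, [advertised prefixes]) from an RA payload."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    router_lifetime = struct.unpack("!BBHBBHII", payload[:16])[5]
    prefixes, offset = [], 16
    while offset + 2 <= len(payload):  # walk the TLV options (length in 8-octet units)
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:  # RFC 4861: a zero-length option is invalid
            raise ValueError("malformed ND option (length 0)")
        opt = payload[offset:offset + opt_len * 8]
        if opt_type == ND_OPT_PREFIX_INFORMATION and opt_len == 4:
            # byte 2 is the prefix length, bytes 16..31 the prefix itself
            prefixes.append(ipaddress.IPv6Network((bytes(opt[16:32]), opt[2]),
                                                  strict=False))
        offset += opt_len * 8
    return router_lifetime, prefixes


def check_router_advertisement(src_link_local, payload, expected_neighbor,
                               expected_prefix=None):
    """Return rrhunter-style alert strings; an empty list means all is well."""
    alerts = []
    router = ipaddress.IPv6Address(src_link_local)
    if router != ipaddress.IPv6Address(expected_neighbor):
        alerts.append(f"Rogue IPv6 neighbor detected: {router} "
                      f"(Expected: {expected_neighbor}).")
    if expected_prefix is not None:
        wanted = ipaddress.IPv6Network(expected_prefix)
        for prefix in parse_router_advertisement(payload)[1]:
            if prefix != wanted:
                alerts.append(f"Unexpected IPv6 prefix advertised: {prefix} "
                              f"(Expected: {wanted}).")
    return alerts


def build_router_advertisement(prefix, router_lifetime=1800):
    """Construct an RA payload: header, Prefix Information option, Source
    Link-Layer Address option.  Checksum left at zero (it needs the IPv6
    pseudo-header, which this offline check never looks at)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         64, 0, router_lifetime, 0, 0)
    # prefix length, L|A flags, valid/preferred lifetimes, reserved, prefix
    prefix_opt = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFORMATION, 4,
                             net.prefixlen, 0xC0, 2592000, 604800, 0)
    prefix_opt += net.network_address.packed
    lladdr_opt = struct.pack("!BB", ND_OPT_SOURCE_LLADDR, 1) + \
        bytes.fromhex("003048274e40")  # MAC from the "ip -6 neigh" output
    return header + prefix_opt + lladdr_opt


# Values from the post: the official router and the expected prefix
OFFICIAL_ROUTER = "fe80::230:48ff:fe27:4e40"
EXPECTED_PREFIX = "2001:5c0:150f:a300::/64"
# Constructed: the official router advertising a prefix outside the expected
# scope, and the Windows box from the netsh demo advertising its own prefix
RA_WRONG_PREFIX = build_router_advertisement("2001:5c0:150e:a300::/64")
RA_FROM_ROGUE = build_router_advertisement("fd44:bbcc:bc95::/64")
```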

In the next example, we start rrhunter in listen mode (daemon mode, kept in the foreground with “-f”):

  # ./rrhunter.pl -l -D -i eth1 -f
  Learned IPv6 neighbor: fe80::230:48ff:fe27:4e40

Now, let’s make a Windows 7 box become an IPv6 router on the same LAN. This is easy to do from the command line:

  C:\users\demo>netsh interface ipv6 add address interface="Local Area Connection" address=fd44:bbcc:bc95::1
  C:\users\demo>netsh interface ipv6 set interface interface="Local Area Connection" advertise=enabled
  C:\users\demo>netsh interface ipv6 add route prefix=::/0 interface="Local Area Connection" nexthop=:: publish=Yes
  C:\users\demo>netsh interface ipv6 add route interface="Local Area Connection" prefix=fd44:bbcc:bc95::/64 publish=yes

A few seconds later, you should see this in the shell running the Perl script:

  Rogue IPv6 neighbor detected: fe80::8d7d:7ee9:361a:e41e (Expected: fe80::230:48ff:fe27:4e40).

With ‘fe80::8d7d:7ee9:361a:e41e’ being the link-local IPv6 address of the Windows 7 box.

WARNING! This is a proof of concept! By writing this script, I played with the creation and injection of IPv6 packets with Perl (quite fun). I did not test the script in a production environment. On some Linux kernels, strange messages are generated (“netlink: 4 bytes leftover after parsing attributes”). The Perl script is available “as is” on github.com. Feel free to use it, change it, improve it.

Alternatively, you could have a look at rafixd from the Kame project.

OWASP Benelux Days 2011 Wrap Up

The OWASP Benelux Days is a two-day event organized by three OWASP chapters (Belgium, Netherlands and Luxembourg). The 2010 edition was organized in Eindhoven (NL). This year, it was organized in Luxembourg. After a safe trip, sharing my car with a friend, we arrived at the Luxembourg University. Nice venue with all the facilities to make your life easier: a nice room with enough power plugs for everybody, good Wi-Fi, coffee. The catering was also excellent (that’s also important! ;-) )

The first day was dedicated to a training provided by Eoin Keary about “Secure Application Development”. 96 people attended the training, that’s not bad! When Eoin asked how many people are developers, lots of hands went up. When he asked who’s performing “secure programming”, far fewer hands went up. This proves that security is not yet in most developers’ minds. My feedback about the first day is a bit mixed. First, the original training is two days long, so it was difficult to cover all the topics within one day and slides were reviewed very quickly. The morning was very “static”: classic attacks and countermeasures were reviewed. The afternoon was dedicated to live examples of attacks against a vulnerable website using BurpSuite. Bad point here, the Wi-Fi or the victim server were not properly sized and frequent timeouts made the exercises difficult to perform.

OWASP Training Room

After the training, Professor Yves Le Traon came to talk about “Security Testing”. It’s a fact: security testing must be promoted inside your organization! I liked the quote from A. Petrenko:

In God we trust, for the rest we test

Think about this! After an introduction to testing concepts, more focus was given to XSS attacks and his XSS testing framework. A copy of the slides about security testing is available here. Very interesting presentation. The day ended with a social event organized in the center of Luxembourg at Agua de Côco. Nice people, nice conversations.

Agua de Côco

The second day started with a presentation of the “Interdisciplinary Centre for Security, Reliability and Trust” (securityandtrust.lu) and some news about the OWASP foundation. Did you know that OWASP is already ten years old? The foundation was created in December 2001. Happy Birthday OWASP! And it’s amazing to review the work done since the creation. Some numbers:

  • 15000 downloads per month
  • 30000 unique visitors per month
  • 2 million hits per month
  • 140 projects in 3 main areas: protect, detect, life cycle
  • 220 chapters / 100 active ones

For easier administration and event organization, OWASP Europe was created in June 2011. What are the goals for 2012? Build the OWASP platform, expand communication channels, grow the community and financial stability (because money remains a key element everywhere). A nice quote grabbed from a slide:

You can’t improve what you can’t measure

The rest of the day was dedicated to presentations covering several interesting topics. First, Brenno de Winter, a well-known ICT journalist in the Netherlands, presented a talk called “From Diginotar to Leaktober”. This was not a talk but more of a story: Brenno went back over the Diginotar story without any slides.

Brenno de Winter

This was my preferred presentation! What happened with Diginotar, why Dutch public authorities were affected by the attack, the crisis which followed. Very interesting. A good question from the audience: “Was the bad communication from the authorities due to incompetence or something else?” Brenno’s answer: “Maybe both of them, they didn’t know how to handle this!”. This sounds like a good summary. Following this story, a Dutch website decided to organize a “Leaktober” event to prove that no data is safe!

After a coffee break, Justin Clarke talked about “Practical crypto attacks against web applications”. We need cryptography to keep the CIA (Confidentiality, Integrity, Availability). Based on a .Net demo website, Justin showed that implementing encryption is good but must be done the right way; otherwise it can be easily broken. Nice live demos were performed. The last one showed how to get a configuration file from an application using weak encryption (based on the vulnerability described in Microsoft Security Bulletin MS10-070).

Andrey Belenko presented his research about the iOS operating system in a talk called “Overcoming iOS data protection to re-enable iPhone forensics”. Forensics operations are based on three steps: acquisition, analysis and reporting. But modern mobile operating systems prevent this by implementing security features like password protection, key-chain and storage encryption. Andrey deeply reviewed all the security features implemented by Apple: how encryption is performed, how keys are managed and stored. Lots of interesting stuff for people facing issues with iPhone and iPad devices.

Koen Vanderloock came to present “SIMBA – guarding your applications”. Leader of this OWASP project (“Security Integration Module for Business Applications”), he explained its purpose, the features, the future and how to implement it within your application. Basically, the goal of SIMBA is to simplify “User Access Management”. Why reinvent the wheel (and risk bugs and bad implementations)? If you have to manage users, roles and access in your application, please have a look first at SIMBA. All the required information is available on simbasecurity.org.

Ludovic Petit came to speak about the legal aspects of development. His talk, called “Do you … legal?”, explained the current legal aspects of computer crime in Europe. As a developer (or manager), if you manage data, you are legally responsible for it. Directors can be held responsible for offenses committed by their organization simply because they failed to adequately exercise their duty of care (a legal person must be responsible) and the consequences can be enormous:

  • Financial
  • Reputation
  • Prosecution

The OWASP foundation also had a legal project in 2008: the OWASP Secure Software Contract Annex. It could be interesting to have a look at it. Also keep in mind: “Security as a service and … trust as a business”.

Trust

During Ludovic’s presentation, I read a good remark by a friend on Twitter:

#owaspbnl11 legal obligations presentation. But how many companies are prosecuted if they don’t protect datas ? None !

That’s true! Thierry Zoller presented “The rise of the vulnerability market”. The basis of his talk: constantly monitoring the threat landscape. Targeted attacks are on the rise, hacktivists became very popular. First, there are different classes of attackers:

  • Opportunists (script kiddies)
  • Targeting opportunists (hacktivists)
  • Targeted (digital mercenaries)
  • State funded (APT, espionage).

Those can be represented as a pyramid (the more targeted the victims, the more the attack surface shrinks)

Attackers Classes

Thierry also explained very well the standard vulnerability life cycle (discovery -> notification -> disclosure -> patch available -> patch installed) and the associated risks (pre-disclosure, post-disclosure and post-patch risks). The vulnerability markets also evolved:

  • From 1995 to 2004, it was the fun times
  • Mid-2000s: commercial (vendors were informed / public disclosure and a patch available)
  • Late 2000s: the “black market” was created
  • Today: vendors are not informed, users are not informed, no patches available.

There is a huge business today around vulnerabilities. Companies are selling services (Secunia, VUPEN, ExploitHub). Others sell commercial exploit frameworks (CoreImpact). The landscape changed completely. Thierry concluded that the importance of skill as a factor to measure attacker sophistication decreased. What increased? Motivation, funding and hence sophistication. Just a remark about the last slides: they were really commercial and didn’t belong at a conference like OWASP. But this did not change my conclusion about the talk: a very good analysis!

Jean-Marc Bost & Sébastien Bischof presented “The limits of eBanking”. eBanking sites are very complex web applications and, for a while now, have also been a nice target. Even if banks try to increase security, Jean-Marc and Sébastien explained how attackers can still steal your money! First, some stats: Trojans are a reality (5% of Windows PCs are infected (source: Microsoft) and 25% are affected by trojans (source: Pandalabs)). About the timeline of attacks:

  • 2006 (Citibank – MitM attack)
  • 2007 (Malware in the browser)
  • Today: MI (“malware inside”) with malware like SpyEye or Zeus.

eBanking Trojan

Modern trojans are very complex and professional, and very difficult to detect. Example given by Jean-Marc: some of them not only inject into Firefox but also into the Firefox Crash Reporter to prevent disclosure of information to Mozilla! Sébastien performed a live demo which hid the Firefox process and started a rogue browser. The main problem is, once rogue code is injected into the browser, you cannot trust the display. As a conclusion, don’t forget this: WYSIWYS (“What you see is what you sign.”)

Sasha Rommelfangen, working for the CIRCL, talked about “Dynamic malware analysis – or: the ~five deadly (anti-) venoms”. I was a bit afraid when I read the conference program: this would be a presentation with slides full of assembler code. In fact, not at all! Sasha’s presentation was excellent! When you have to analyze a malware sample, there are some essential questions:

  • Who’s behind the attack?
  • What was the motivation? The usual cyber criminal wants money, governments are looking for intelligence/sabotage and hacktivists do it “for the lulz”
  • What does the malware do? Understanding changes on the system and network activity is a necessary step for removal
  • Why should you be concerned? It might compromise servers/data centers!

There are two methods to analyze malware. First, static analysis: looking at a file and drawing conclusions about run-time behavior without running it (memory check, disassembly). What are the limitations? Packers, obfuscated code, encryption etc. The UNIX command ‘strings’ is sometimes a good start (look for interesting words like “shell”, “getf” or “putf”, etc). Dynamic analysis is much more interesting: the goal is to run the malware in a controlled environment. What are the problems? Most malware has anti-VM checks and anti-debugging, and there is Turing’s halting problem. To perform dynamic analysis, you first have to build your (safe) environment to be able to listen to the network, to fake network services like DNS and to accept/record all traffic on all ports. Sometimes malware is present in Office documents. I learned about a very interesting tool called OfficeMalScanner which finds shellcode in documents and extracts it to build an executable. Finally, the Microsoft SysInternals tools remain a classic in every analyst’s toolbox.

Last but not least, Lieven Desmet gave some results of his research on “HTML5 security”. Third-party JavaScript is present everywhere (examples: advertisements, gateways to social networks, tracking services) via script inclusion or iframe tags (not the same-origin policy). Lieven explained the methodology and scope of the research and of course some results. The full report is available here.

That’s all for this edition! What else? There was a CTF organized on the second day; the winner received a free ticket for AppSec EU 2012. Write it in your agenda right now: the next edition will be held in Belgium, in Leuven (KUL), around the beginning of December 2012. See you there!