In an upcoming series of blog posts I will discuss some principles & considerations on developing an IPv6 address plan. In (hopefully) rather quick succession there will be three posts:
the first on some general rules as for IPv6 address planning which we regard instrumental in the process.
the second covering the “PI space from a single RIR or PI space from each (relevant, as for $ORG) RIR?” debate.
the third on actual approaches to structuring/grouping each region’s /32 (or /36) into subdivisions like sites, VRFs, facilities, use types, buildings, whatever. I understand that this part is probably the one quite some readers are most interested in; still for a reasonable line of thought the others have to be covered in advance.
We wish you a happy new year and a good start to 2014. A new year has begun and, just before that, 30C3 took place. I think almost all of you have heard about the congress and its topics. In particukar there was Glenn Greenwald’s keynote or there were new publications/revelations by Jacob Appelbaum, which you will probably have heard about from main media.
But besides of all that, there were really a lot of other interesting talks we want to give you a short introduction to. Overall it was a really good conference this year and a lot of awesome talks. But, like always, it is not possible to see all of them, so here is a short summary of some of our favorites:
First of all, I hope you all had a good start to 2014. Having some time off “between the years” (which is a German saying for the time between Christmas and NYE), I caught up on several virtualization security topics.
While virtualization is widely accepted as a sufficiently secure technology in many areas of IT operations (also for sensitive applications or exposed systems, like DMZs) by 2014, there are several recent vulnerabilities and incidents that are worth mentioning.
First of all, a rather old vulnerability (codename “VMDK Has Left the Building“) was eventually patched by VMware, the day before Christmas’ eve (honi soit qui mal y pense… 😉 ). While the initially described file inclusion vulnerability cannot be exploited anymore, first tests in our lab show that attempts to exploit the vulnerability lead to a complete freeze of the shared ESXi host. We still need to dig deeper into the patch and will keep you posted.
On November’s patch Tuesday, an important vulnerability in Hyper-V was patched by Microsoft. The bulletin does not provide a lot of details as for the vulnerability, but the relevant sentence is this one: “An attacker who successfully exploited this vulnerability could execute arbitrary code as System in another virtual machine (VM) on the shared Hyper-V host.”. This does not allow code execution in the hypervisor. However, Hyper-V’s architecture comprises the so-called root partition, which is a privileged virtual machine used for all kinds of management functionality. This means that code execution in this particular virtual machine most probably will still give an attacker complete control over the hypervisor. Even without this root partition, the vulnerability would be one of the worst-case vulnerabilities in the age of Cloud computing, provided that MS Azure employs Hyper-V (which can be considered a fair assumption. Still we have no distinct knowledge here). Again, we’ll have a closer look at this one in the near future.
At the end of December, OpenSSL suffered from a virtualization-related incident. The shared hypervisor was compromised using a weak password of the hosting provider. While password-related attacks are not specific to virtualized environments, it emphasizes the need for secure management practices for virtualization components. This sounds like a very basic recommendation, but many security assessments we conducted in this space resulted in the need to include “attacks against management interfaces” in the top ERNW virtualization risks, which we cover in our virtualization and cloud security workshops. Also we mentioned this in some presentations and research results.
As the described events show, virtualization security will remain an important topic in 2014 (even though marketing material suggest to simply adopt virtualization – I won’t give any links here, you’ve probably already seen plenty 😉 ). We will cover several aspects during this year’s Troopers edition. While our workshop on “Exploiting Hypervisors” is already online (for the detailed description, see here), one talk is missing: Due to some rather strict NDAs, we can’t provide any details so far (but if you’ve read the MS13-092 credits carefully, it shouldn’t be too hard to guess 😉 ).
I hope you’re looking forward to 2014 as much as I do, stay tuned,
At first a very happy new year to all our readers!
Today we announce the third round of Troopers 2014 talks (first round here, second here).
Here we go:
===
Daniel Mende: Implementing an USB Host Driver Fuzzer FIRST TIME MATERIAL
Abstract: The Universal Serial Bus (USB) can be found everywhere these days, may it be to connect a mouse or keyboard to the computer, transfer data on a flash drive connected via USB or to attach some additional hardware like a Digital Video Broadcast receiver. Some of these devices use a standardized device class which are served by an operating system default driver while other, special purpose devices, do not fit into any of those classes, so vendors ship their own drivers. As every vendor specific USB driver installed on a system adds additional attack surface, there needs to be some method to evaluate the stability and the security of those vendor proprietary drivers. The simplest way to perform a stability analysis of closed source products is the fuzzing approach. As there have been no publicly available tools for performing USB host driver fuzzing, I decided to develop one ;-), building on Sergey’s and Travis’ legendary Troopers13 talk. Be prepared to learn a lot about USB specifics, and to see quite a number of blue screens and stack traces on major server operating systems…
Bio: Daniel Mende is an ERNW security researcher specialized on network protocols and technologies. He s well known for his routing protocol attack tool LOKI, the DIZZY fuzzing framework and a bunch of testing tools from the 3GPP domain. He has presented on protocol security at many occasions including Troopers, Blackhat, CCC, HackInTheBox and ShmooCon. Usually he releases a new tool when giving a talk.
===
Martin Gallo: SAP’s Network Protocols Revisited FIRST TIME MATERIAL
Abstract: What network protocols does my SAP system use? Are those services secure from a network perspective? Are old and well-known attacks still relevant? What’s the remote attack surface of my SAP environment? Do I really know my level of exposure? Are there tools available to assess the security of the services?
This talk is the result of my journey trying to answer these questions and understanding how the different SAP network protocols work, after spending some of my spare time during the last months working on expanding my knowledge about the network attack surface of SAP systems, reversing some of the protocols and implementing tools and libraries to work with them.
The talk will bring some details and realistic attack vectors regarding the different networks protocols available on both new and classic SAP installations. Some hardening and mitigation ideas will be discussed aimed at increasing the defenses against these threats and attacks.
Bio: Martin Gallo is Security Consultant at CORE Security, where he performs application and network penetration testing, conducts code reviews and identifies vulnerabilities in enterprise and third party software. His research interests include enterprise software security, vulnerability research and reverse engineering.
Abstract: IT Security is often considered to be a technical problem. However, IT Security is about decisions made by humans and should therefore be researched with psychological methods. Technical/Engineering methods are not able to solve security problems.
In this talk I will introduce the Institute’s research programme about the Psychology of Security. We are going to research the psychological basics of IT security, including: How do people experience IT security? How are they motivated? How do they learn? Why do people tend to make the same mistakes again and again (Buffer Overflow, anyone?)? What can we do to prevent security incidents? Which curricula should be taught about IT security?
Bio: Stefan Schumacher is the Head of the Magdeburger Institut fuer Sicherheitsforschung and Editor of the Magdeburger Journal zur Sicherheitsforschung. He studied Educational Science and Psychology and is currently managing the research project Psychology of Security.
His research interest focusses on Social Engineering, Security Awareness and Qualitative Research about the Perception of Security. He is also an Assistant Lecturer at the University Magdeburg.
He has been involved in the Hacker and Open Source Scene (NetBSD) for the last 20 years. He gave more than 140 public talks in the last 10 years at conferences like DeepSec Vienna, DeepIntel, Chaos Communication Congress, Chaos Communication Camp, Chemnitzer Linux-Tage, Datenspuren, LinuxDays Luxembourg, DGI Forum Wittenberg, GUUG FFG, ILA etc. and published several articles and a book on IT and Security Policy.
A full list of publications and talks can be downloaded at
http://www.kaishakunin.com/bib/Stefan-Schumacher-Bibliographie-Liste.pdf
http://www.kaishakunin.com/bib/Stefan-Schumacher-Vortraege.pdf
===
Attila Marosi: Easy Ways To Bypass Anti-Virus Systems
bstract: All IT security professionals know that antivirus systems can be avoided. But few of them knows that it is very easy to do. (If it is easy to do, its impact is huge!) In this presentation I will, on the spot, fully bypass several antivirus systems using basic techniques! I will bypass: signatures detection, emulation/virtualization, sandboxing, firewalls. How much time (development) is needed for it, for this result? Not more than 15 hours without a cent of investment! If I could do this, anyone can do this… so I think we have to focus to this problem.
Using these easy techniques I can create a ‘dropper’ that can deliver any kind of Metasploit (or anything else) shellcode and bypass several well-known antivirus in real-life and full bypass the VirusTotal.com detection with a detection rate in 0.
In my presentation I use 6 virtual machines and 9 real-time demos. Resulting the audience always have a big fun and surprise when they see the most well-know systems to fail – and the challenges what the AVs cannot solved are ridiculously simple and old. So the IT professionals might think too much about the systems which they rely on and which cost so much.
Educational value of the topic:
– We look at how the virus writers develop their codes.
– We will develop a puzzle which may distract the AV virtualization engine to avoid the detection.
– We will develop a code to encrypt/decypt our malicious shellcode.
– We will look at which built-in Windows functions helps the attacker to inject malicious code to a viction process and we try it. (We will use the iexplorer.exe to bypass the firewall.)
– We will look at what solutions are often used to avoid the sandbox.
– Learn the difference between the metamorphous and polymorphous code. I wrote a python script which can create a metamorphous version from a byte code. We will test it in realtime and it will a real challenge for the AVs.
Bio: Attila Marosi has always been working in information security field since he started working. As a lieutenant of active duty he worked for years on special information security tasks occuring within the SSNS. Newly he was transferred to the just established GovCERT-Hungary, wich is an additional national level in the internationally known system of CERT offices. He has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he also read lections and does some teaching on different levels; on the top of them for white hat hackers. He has presented at many security conferences including Hacker Halted, DeepSEC and Ethical Hacking.
===
Job de Haas: 20 Ways past Secure Boot
Abstract: This talk presents an overview of all things that can go wrong when developers attempt to implement a chain of trust also called ‘secure boot’. This talk is not so much focused at things like UEFI and Microsoft lockdown, but more at the general application in pay-tv, gaming and mobile devices. On both sides of the fence secure boot is a vital mechanism to understand.
Starting out from design mistakes, we look at crypto problems, logical and debug problems and move towards side channel problems such as timing attacks and glitching. All problems will be illustrated with either public examples or the presenters experiences. To illustrate the practicality, an electromagnetic glitch attack will be demonstrated.
Bio:
Job de Haas holds an M.Sc. in Electrical Engineering and has a track record in the security industry of more than 15 years. He has experience evaluating the security of a wide range of embedded platforms, such as IPTV decoders, satellite receivers, mobile phones, smart meters and a variety of modems (ADSL, Wireless). Further, he is a specialist in the reverse engineering of applications and consumer electronics.
At Riscure, Job is the senior specialist in charge of security testing of embedded devices for high-security environments. Amongst others, he assessed the protection of pay television systems against side channel and card-sharing attacks for conditional access providers. Job has participated in the creation of several certification schemes for customers of embedded products. Job has a long speaking history at international conferences, including talks on security of mobile technologies, reverse engineering of firmware and side channel attacks on embedded systems.
===
Furthermore there’s a new workshop of Jose Miguel Esparza (@EternalTodo) on “Squeezing Exploit Kits and PDF Exploits”. Detailed agenda here.
We’re very happy to announce the second round of Troopers 2014 talks today (first round here).
Some (well, actually most 😉 ) of these talks haven’t been presented before, at any other occasion, so this is exciting fresh material which was/is prepared especially for Troopers.
Andreas Wiegenstein & Xu Jia: Risks in Hosted SAP Environments.FIRST TIME MATERIAL
Synopsis: Many SAP customers have outsourced the operation of their SAP systems in order to save cost. In doing so, they entrust their most critical data to a hosting provider, potentially sharing the same SAP server with a number of companies and organizations unknown to them. These companies and organizations virtually sit in the same boat, without knowing each other and without trusting each other. They all trust in the ability of their hosting provider to run their operating environment in a secure way, though.
But how secure is hosted data in a SAP environment?
This talk demonstrates various risks and attack vectors. It covers vulnerabilities and backdoors in the SAP standard (including several zero-days discovered by Virtual Forge) and how they could be used in order to access hosted SAP data. It also covers risks introduced by custom coding provided by any of the hosted parties.
The talk also provides valuable advice for SAP customers that rely on hosting providers. And what the providers should do in order to run their installations safer.
Bio: Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed countless SAP security audits and received credit for more than 60 SAP security patches related to vulnerabilities he discovered in the SAP standard.
As CTO, he leads the Virtual Forge Research Labs, a team focusing on SAP/ABAP specific research and security solutions.
Andreas has trained large companies and defense organizations on ABAP security and has spoken at multiple SAP-specific conferences (like TechEd) as well as at general security conferences such as Troopers, BlackHat, HITB, IT Defense, DeepSec and RSA. He is co-author of the first book on ABAP security (SAP Press 2009) and wrote the security chapter of the ABAP Best Practices Guideline for DSAG, the German SAP User Group (2013). He is also member of BIZEC.org, the Business Security Community.
===
Marion Marschalek & Joseph Moti: What Happens In Windows 7 Stays In Windows 7.
Synopsis: Systems evolve over time, patches are applied, holes are fixed, new features are added. Windows8 is the new flagship product of Microsoft, and as prepared as it can be for a world of white-, grey- and black-hat hackers. System components underlie a tough vulnerability assessment process and are updated frequently to sort out security problems even before they arise. But just too often it happens that these clever fixes are not applied globally to all components, but just to the newest version of a library.
Now we want to make use of exactly that fact to uncover potential vulnerabilities.
What we aim for are the forgotten treasures in Windows7 libraries, holes that got fixed for the bigger brother at some point – but stay unfixed in Windows7 until today. We will present a tool that makes it easy to spot these forgotten vulnerabilities. We can keep track of different versions of libraries of different operating systems and automate the analysis process of a big file set. The focus lies on safe functions, which indicate a potential weakness when missing. The tool we show is flexible and extendible to integrate new features, adapt it to different database backends or generate new views on the data to analyse.
Bios:
Marion Marschalek (@pinkflawd) works at IKARUS Security Software GmbH based in Vienna, Austria. Her main fields of interest are malware research and malware incident response. Besides that Marion teaches basics of malware analysis at University of Applied Sciences St.Pölten and has been speaking at international security conferences, including Defcon Las Vegas, hackl.lu Luxembourg and POC Seoul. In March this year Marion won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.
Moti Joseph has been involved in computer security for a long time. In the last few years he has been working on reverse engineering exploit code and developing security products. Moti has been speaking at Black Hat Las Vegas 2007, CONF2009 & CONF2010 in Poland Warsaw, POC 2009 & 2010 in South Korea, ShakaCon 2009 in USA, CHINA 2011 at Shanghai Jiao Tong University, NopCON 2012 in Istanbul and SysCan2010 Taiwan,Taipe.
===
Rob Lee: Get Over It – Privacy is Good for Security.FIRST TIME MATERIAL
Synopsis: Over the last year government leaks regarding nation-state digital espionage and surveillance have made the topic of privacy a heated discussion point. However, for those that have been championing the privacy cause this is a fight that has been going on for years. One issue with regards to technology and the lack of privacy is that there are a large of amount of people in positions of power, and general public, who have very little idea about how technology works or its capabilities. What is even more interesting is that despite the myth that you can have either privacy or security it is in fact critical to security that you have privacy; the myth is a lie and whether you like it or not privacy is good for security. The speaker is a member of the US Air Force (and as such might be regarded as somewhat biased), but TROOPERS has extended the opportunity to the speaker to present regardless of his affiliation (he does not represent viewpoints of the US government but only himself) and he will discuss his research, own experience, and opinions on why ensuring privacy is actually in governments’ best interest for boosting national security. This talk is bound to present ideas that audience members agree with as well as those that they disagree with which will hopefully lead to heated debate; active participation is encouraged.
Robert has written on control system cyber security, the direction of the cyberspace domain, and advanced digital threats for publications such as Control Global, SC Magazine, Australia Security Magazine, Hong Kong Security Magazine, Cyber Conflict Studies Association, and Air and Space Power Journal. He has also presented related topics at thirteen conferences in eight countries as well as presenting critical infrastructure protection topics to multiple international think tanks. Lastly, he has taught over 500 students through hackINT and his time at Utica College. Routinely consulted for his expertise on such subjects, Robert M. Lee is an active cyber advocate and educator.
===
Robin Sommer: Bro – A Flexible Open-Source Platform for Comprehensive Network Security Monitoring.
Synopsis: Bro is a highly flexible open-source monitoring platform that is today protecting some of the largest networks around; including deployments at major universities, supercomputing centers, U.S. national laboratories, and Fortune 20 enterprises. Bro differs fundamentally from traditional intrusion detection systems, as it is not tied to any single detection approach. Instead it provides users with a rich domain-specific scripting language suitable to express complex application-layer analysis tasks on top of a scalable real-time platform. Bro furthermore records extensive high-level logs of a network’s activity, which regularly prove invaluable for forensics and have helped solve countless security incidents. This presentation will introduce Bro’s philosophy and architecture, walk the audience through a range of the system’s capabilities, discuss deployment scenarios, and provide an outlook on Bro’s development roadmap. Learn more about Bro at http://www.bro.org.
Bio: Robin Sommer is leading the Bro project as a Senior Researcher at the International Computer Science Institute, Berkeley, USA. He is also a member of the cybersecurity team at the Lawrence Berkeley National Laboratory; and he is a co-founder of Broala, a recent startup providing professional Bro services to corporations and government customers. Robin Sommer’s research focuses on network security and privacy, with a particular emphasis on high-performance network monitoring in operational settings. He holds a doctoral degree from TU München, Germany.
===
Christian Sielaff & Daniel Hauenstein: OSMOSIS – Open Source Monitoring Security Issues.FIRST TIME MATERIAL
Synopsis: By trying to emulate a real world environment, we have deliberately chosen software solutions, which are ubiquitous in large IT enterprise networks since many years. Many of the examined solutions have a long list of success stories.
Quite often these monitoring solutions are the only ones in use in small or mid rage businesses, but surprisingly often enterprise environments use them in a large scale. The wide spread usage of these monitoring solutions is mainly based on the fact that they are free, not expensive to maintain and … secure?
We question the last point, while showing how seemingly small security issues may result in large security gaps in your network. Finally we present how compromising one perimetric system may result in a severe security risk for the monitoring network, potentially allowing attacks against further internal networks. This “osmosis” attack clearly shows how the multilayered onion approach can be bypassed by peeling the onion.
Finally we will present mitigation proposals to prevent those attacks at least from a design perspective. This talk is for everyone who uses “off the shelf” solutions in sensitive environments, just because everyone else does.
Bios:
Christian Sielaff works since many years in the Telco world. Previously he was part of an operational department and has designed and maintained secure access solutions. So he also knows the other side of the console.
As part of the Group Information Security of Deutsche Telekom, he focuses on Information Security in the last few years. In the team of Network and Data Center Security he is specialized on the management network security aspects.
Daniel Hauenstein: With over 13 years of professional IT security consulting experience, you can safely say he is an old timer in the fast moving field of IT security.
Daniel worked as a security consultant for companies such as Secureware, TUEV Rheinland Secure iT, n.runs and Context Information Security, and for over 6 years now as a freelance consultant. He supported international clients like Microsoft USA, SAP, Deutsche Telekom and Deutsche Bank and also governmental clients with high-security demands in securing their applications and networks.
He is a firm believer that the building blocks of security are a robust design and sound planning as opposed to firewall appliances, antivirus or compliance reports. His passion to prove that even small or presumably insignificant risks may result in “full root access pwnage” made him passionate about how to optimize security solutions. He also does not believe in the mystical power of security certifications.
Daniel loves beer, Scotland, beer in Scotland and travelling. It is said that he knows every internet meme out there.
It’s been a long time… we just published an ERNW Newsletter. Here’s the abstract:
In order to protect sensitive data on corporate laptops, most companies are using full disk encryption solutions. While native encryption products like Microsoft Bitlocker, Apple FileVault and open source solutions like TrueCrypt were already heavily scrutinized by security researchers, many popular commercial third party products are to some point still black boxes.
In this paper, we discuss Check Point Full Disk Encryption (FDE) with active “Windows Integrated Logon”. Checkpoint FDE is a software package that is part of Check Point Endpoint Security and offers full disk encryption on Microsoft Windows and Mac OS X systems. The “Windows Integrated Logon” feature reduces total cost of ownership by disabling pre-boot authentication. Check Point themselves warn about security risk associated with using this feature.
We argue that missing TPM integration and integrity checks make Check Point FDE with activated ”Windows Integrated Logon“ highly insecure against sophisticated attackers. Furthermore, we demonstrate the extraction of AES encryption
keys on a running system and subsequent decryption of the encrypted disk. Our analysis is limited to Check Point FDE v.7.4.9 on Windows operating systems and was performed during a penetration test of an encrypted customer enterprise laptop. Therefore, we concentrate on the client architecture and ignore other aspects like enterprise management interfaces.
Such was the title of a talk I gave yesterday at ACSAC 29. It was an updated and shortened version of a similar talk I had given at the Troopers IPv6 Security Summit (btw: this is the preliminary agenda of the 2014 event).
Matthias and I currently have to pleasure to be at ACSAC, in New Orleans.
From my perspective, at ACSAC the usual conference visit side-effect of personal interaction with peers plays an even larger role than at many other events. In fact we met a number of people we hadn’t seen for quite some time and I could even clear a long unresolved debt (Hi Pastor! and thanks for those International Journal of PoC issues).
Nancy Leveson from MIT delivered a great keynote on “Applying Systems Thinking to Security and Safety“, mainly discussing how an approach she calls “System theoretic process analysis” (STPA) can be used for identifying hazard scenarios in complex systems, and laying out how the same methods can be used both for safety and security. Really inspiring stuff while at the same time highly relevant, in the age of the Internet of Things.
We ourselves also had a little contribution today, with a short talk on “Designing State-of-the-Art Business Partner Connections” which goes back to a project described in this blog post. The slides can be found here.
Looking forward to tomorrow,
have a good one everybody
Last week Florian and I participated at this year’s DeepSec in Vienna. We had a really good time, thanks again to the DeepSec staff for a nice conference. Although it might be a bit late, I want to share some impressions about various talks I enjoyed. Continue reading “DeepSec 2013”
with the rise of low-cost 3D-printers in the homes of thousands [1] of enthusiastic tinkerers the word spreads about these magical machines which can produce any mechanical, artsy, useful or useless parts you might come up with. Standing in living rooms worldwide, they don’t seem like a big threat [2] to anybody. But what happens if you connect them to the Internet?
3D-printers at the TROOPERS12 & TROOPERS13 IT-Security Conference.
