This is a short summary of some selected talks from the second day of this year’s Hack in the Box conference in Amsterdam.
Rethinking the Front Lines by Bob Lord
Bob Lord is currently the Director of Information Security at Twitter. He has worked at numerous companies in the area of security and software engineering.
In his keynote for the second day of HITB13AMS he tackled a topic that has raised a lot of discussion in the past months. His talk was a summary of what Twitter does internally to ensure the security of the company and a plea to implement so-called security awareness training for employees in a sustainable way.
Bob points out that security folks seem to lose focus on elementary problems such as password policies. Security professionals should focus more on humans than on tools. Having said that, he concludes that sustainable security awareness can only be achieved by considering the habits of people and the culture of an organization. Twitter’s approach is not just to teach employees how to comply with internal standards; they also introduced sensitization measures that are constantly monitored. He states that training alone cannot do the job: security must be part of the philosophy or the culture of the employees.
By presenting multiple statistics based on measurements that start when a new employee joins Twitter, he substantiates his assumption that it is not the training alone that matters, but how that training integrates into the organization’s culture, and that this culture must treat security as a high priority. He introduces the term “auto-pilot mode”, in which humans do not think about what they are doing. Bob believes that this is what good security training must achieve: not only create awareness, but sort of patch the auto-pilot mode of the employees.
Twitter tries to achieve this with initial training for new employees. This training includes, for example, the correct usage of password vaults to eliminate some of the risks associated with passwords. They even run phishing tests, where an internal phishing attack is conducted to sensitize employees. Bob says that gamification might be an additional way to improve compliance with the internal security standards.
The results of these measures are fed back into the process, so that the measures are constantly improved.
The numbers Bob presented seem to substantiate the assumption that security awareness training has an effect and that such training doesn’t necessarily mean we are going in the wrong direction here.
As Twitter is a company with a very strong culture, these measures might work better there than in companies that do not have this kind of philosophy. It would be nice to have some numbers from organizations that do not pursue such a strong philosophy. It seems that we need more data to identify what really works and why.
How I Met Your Modem by Peter Geissler and Steven Ketelaar
In this talk, Peter (better known as blasty) and Steven presented their research on exploiting and backdooring a ZyXEL DSL modem. They first described a really trivial command injection vulnerability (“; whoami”) in the local management web interface (the 90’s called, they want their bugs back!) and used the resulting shell access to completely compromise the modem OS. Unfortunately, this vulnerability requires valid credentials and the web interface is only reachable via LAN, so they started searching for vulnerabilities that can be exploited remotely from the Internet.
The tested ZyXEL device includes support for remote management functionality (TR-069) and has an HTTP daemon listening on port 7676 on all interfaces. Most of the aforementioned management functionality is protected by a device-dependent HTTP digest authentication, but by analyzing the httpd binary they discovered several unprotected URLs that correspond to test functionality of the underlying HTTP server library (librompager). These test pages contain a trivial stack-based buffer overflow that can be exploited to gain code execution on the device.
Steven and Peter described how they first built a MIPS debugging environment using the buildroot toolkit (http://buildroot.uclibc.org/) and used it to develop a stable stack overflow exploit against the ZyXEL device. While overwriting the instruction pointer was trivial, the targeted MIPS system has separate instruction and data caches, which means that a direct jump to shellcode stored on the stack is not possible. Instead, they used a really clever ROP chain to call sleep() to sync the CPU caches before jumping to the injected shellcode. They responsibly disclosed the bug to KPN, a big Dutch internet provider, and KPN even sent some people to gift an “I hacked KPN and all I got was this lousy T-shirt” to both of them.
Afterwards, Peter and Steven finished their presentation with a cool live demo showing a VoIP sniffer running on the modem. In my opinion this talk was one of the best of the conference and the demo was quite cool. The embedded HTTP server rompager would probably be a nice target for further research, especially because it seems to be widely used in many different devices.
To Watch or Be Watched: Turning Your Surveillance Camera Against You by Sergey Sheykan and Artem Harutyunyan
The researchers Sergey Sheykan and Artem Harutyunyan (@sshekyan, @hartem), both developers at Qualys, presented their work on low-cost webcam surveillance cameras. They showed how to turn your security camera against you by exploiting a flaw in the Security Web Cam (FOSCAM F18910W), which runs a uClinux kernel. This camera is a cheap (70 €) surveillance tool that is relatively widespread. They searched for these cameras in the wild using the ShodanHQ search engine and found that 2 out of 10 cameras were accessible with the default admin credentials. They also identified a firmware version that is vulnerable to path traversal, which allows an attacker to bypass authentication.
During their research the developers managed to dump the camera’s memory by accessing a special URL like http://cameraurl//proc/kcore. The memory dump found there also contains valid credentials along with other valuable information such as connected network devices communicating via UPnP (great for “passive” recon). In their demo the researchers altered several things on the camera. First they created a backdoor and added a user on the camera for permanent access. It is also possible to send a CSRF link to a victim that adds an administrative account to the camera. Furthermore, they were able to use the camera as a proxy for surfing the internet.
Additionally, attackers can dump, edit and push the camera’s firmware, leaving them with a lot of surface for advanced manipulation that might be used for botnets. Another interesting fact is that the camera vendors offer a DynDNS service to access the cameras, so anyone looking for a target only has to choose one of the 140,000 hosts under *.foscam.org, or many more from other vendors. There is also a DoS condition when the camera is accessed by 80 concurrent connections; this could be mitigated using software such as fail2ban.
The researchers created a toolkit for educational purposes which can be downloaded at http://openipcam.com. They made some recommendations regarding the cam, including not to expose the camera to the internet at all; if you have to, you had better have some good firewall and/or IPS rules in place, and isolate it from the rest of your network.
It was an interesting talk that once more showed how carelessly users set up new hardware, exposing it to the internet without changing the default credentials. So next time you set up a webcam, better think twice about who can access it!