First of all, a happy new year to all our readers!
And, of course, to everybody else, too ;-). May 2013 bring good things for you all, in particular (but not only) in the infosec space.
At the recent ATSAC 2012 conference a guy from the CERT Insider Threat Center gave a talk on the exact topic. Given that the ENISA Cloud Computing Risk Assessment lists “Cloud Provider Malicious Insider” as one of the top eight risks (out of overall 35 risks evaluated) and we just had some discussion about this in a customer environment, this might be of interest for some readers.
We’re delighted to provide the first announcement of talks of next year’s Troopers edition. Looks like it’s going to be a great event again 😉
Here we go:
==================
Peter Kieseberg: Malicious pixels – QR-codes as attack vectors.
Synopsis: QR-Codes, a version of two-dimensional barcodes that are able to store quite large amounts of information, started gaining huge popularity throughout the last few years, including all sorts of new applications for them. Originating from the area of logistics, they found their ways into marketing and since the rise of modern smartphones with their ability to scan them in the street; they can be found virtually everywhere, often linking to sites on the internet. Currently even standards for paying using QR-codes were proposed and standardized. In this talk we will highlight possible attack vectors arising from the use of QR-Codes. Furthermore we will outline an algorithm for calculating near-collisions in order to launch phishing attacks and we will demonstrate the practical utilization of this technique.
Bio: Peter Kieseberg is a researcher at SBA Research, the Austrian non-profit research institute for IT-Security. He received a Dipl. Ing. (equivalent to MSc) degree in Technical Mathematics in Computer Science from the Vienna University of Technology. His research interests include digital forensics, fingerprinting of structured data and mobile security.
As I mentioned the Telco Sec Day in the last post… for those who missed Flo’s announcement: in the interim all slides of the Telco Sec Day are available online here.
Obviously, given I initiated the event, I’m biased 😉 but to me it provided great insight from both the talks and the networking with other guys from the telco security field, and it did actually what it was meant for: fostering the exchange between different players in that space, for the sake of sustainably improving its overall security posture.
A number of participants suggested performing it again which we hence plan to do, at next year’s Troopers (probably happening in the week 03/12-03/16 [calendar week 11]).
As in 2011 we really liked the conference; there were a number of interesting talks and we met quite a few fellows from the IPv6 security space. Btw: we plan to organize a dedicated IPv6 security summit in late 2012 (probably on 6th and 7th of November) in Heidelberg, similar to the Telco Sec Day at Troopers. We’ll announce details on this one in some weeks.
As there has been some public demand for that, here we go with the final agenda for the Troopers “TelcoSecDay“. The workshop is meant to provide a platform for research exchange between operators, vendors and researchers. The slides of the talks will potentially be made available as well.
8:30: Opening Remarks & Introduction
9:00: Sebastian Schrittwieser (SBA Research): Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.
10:00: Peter Schneider (NSN): How to secure an LTE-Network: Just applying the 3GPP security standards and that’s it?
10:45: Break
11:00: Kevin Redon (T-Labs): Weaponizing Femtocells – The Effect of Rogue Devices on Mobile Telecommunications
11:45: Christian Kagerhuber (Group IT Security, Deutsche Telekom AG): Security Compliance Audit Automation (SCA, TeleManagementForum TMF528)
12:30: Lunch
13:45: Philippe Langlois (P1 Security): Assault on the GRX (GPRS Roaming eXchange) from the Telecom Core Network perspective, from 2.5G to LTE Advanced.
15:00: Break
15:15: Harald Welte (sysmocom): Structural deficits in telecom security
16:30: Closing Remarks
17:00: End of workshop
19:00: Joint dinner (hosted by ERNW) in Heidelberg Altstadt for those interested and/or staying for the main conference
====
Synopses & Bios
Sebastian Schrittwieser: Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.
Synopsis: Recently, a new generation of Internet-based messaging applications for smartphones was introduced. While user numbers are estimated in the millions, little attention has so far been paid to the security of these applications. In this talk, we present our experimental results, which revealed major security flaws, allowing attackers to hijack accounts, spoof sender-IDs, and enumerate subscribers.
Bio: Sebastian Schrittwieser is a PhD candidate at the Vienna University of Technology and a researcher at SBA Research. His research interests include, among others, digital forensics, software protection, code obfuscation, and digital fingerprinting. Sebastian received a Dipl.-Ing. (equivalent to MSc) degree in Business Informatics with focus on IT security from the Vienna University of Technology in 2010.
===
Peter Schneider: How to secure an LTE-Network: Just applying the 3GPP security standards and that’s it?
Synopsis: This talk briefly introduces the security architecture of an LTE mobile network as specified by 3GPP and shows which threats it mitigates and which not. It discusses additional, not-standardized security measures and how they can contribute to making mobile networks as secure as they need to be.
Bio: After many years of research, prototyping and systems engineering in the area of communication technologies, Peter works currently as a senior expert for mobile network security in the Security Technologies Team at Nokia Siemens Networks Research. He is author of various mobile network related security concepts. He is also active in the 3GPP security standardization and in several security research projects.
===
Kevin Redon: Weaponizing Femtocells – The Effect of Rogue Devices on Mobile Telecommunications
Synopsis: Mobile phones and carriers trust the traditional base stations which serve as the interface between the mobile devices and the fixed-line communication network. Femtocells, miniature cellular base stations installed in homes and businesses, are equally trusted yet are placed in possibly untrustworthy hands. By making several modifications to a commercially available femtocell, we evaluate the impact of attacks originating from a compromised device. We show that such a rogue device can violate all the important aspects of security for mobile subscribers, including tracking phones, intercepting communication and even modifying and impersonating traffic. The specification also enables femtocells to directly communicate with other femtocells over a VPN and the carrier we examined had no filtering on such communication, enabling a single rogue femtocell to directly communicate with (and thus potentially attack) all other femtocells within the carrier’s network.
Bio: Kevin Redon is doing his master’s degree in computing at the Technische Universitaet Berlin. He also works for “Security in Telecommunication” (SecT), a research group of the university.
===
Christian Kagerhuber: Security Compliance Audit Automation (SCA, TeleManagementForum TMF528)
Synopsis: Today, Service Providers are in need of comprehensive information relevant to effective security management. Service Providers have to evaluate and verify the compliance of their infrastructure and services to corporate security directives and legal guidelines. This includes being able to retrace OSS Operators’ behavior on OSS systems via standardized log messages. But to answer all necessary security compliance questions, log data alone appears not to be sufficient.
Service Providers need configuration data and telemetry data centralized at hand without manual, time-consuming OSS Operator activity. Even interactive polling of their devices is not sufficient because Service Providers must track down changes in the environment and the effective date/period. The talk is about how to solve this problem.
Bio: Christian is a Senior Security Expert at Deutsche Telekom (DT), responsible for the security of DT’s NGOSS system (called NGSSM) and the BNG/SCRAT project. He built up T-Online’s Identity Management and CERT and is the author of various Deutsche Telekom security standards, e.g. on platform virtualisation and SSH.
===
Philippe Langlois: Assault on the GRX (GPRS Roaming eXchange) from the Telecom Core Network perspective, from 2.5G to LTE Advanced.
Synopsis: GRX is the global private network where Telecom network operators exchange GPRS roaming traffic of their users. It’s also used for all M2M networks where roaming is used, and that is the case from some company’s truck fleet management system down to intelligence GPS location spybug tracking systems. GPRS has been there from 2.5G GSM networks to the upcoming LTE Advanced networks, and is now a quite widespread technology, along with its attacks. GRX has had a structuring role in the global telecom world at a time when IP dominance was beginning to be acknowledged. Now it has expanded to a lightweight structure using both IP technologies and ITU-originated protocols.
We’ll see how this infrastructure is protected and can be attacked, and we’ll discover the issues with the specific telco equipment inside GRX, namely GGSN and SGSN but also now PDN Gateways in LTE and LTE Advanced “Evolved Packet Core”. We will see its implications for the GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our vulnerability analysis engagements we’ve seen several typical vulnerabilities that will be shown in this talk. We will demo some of the attacks on a simulated “PS Domain” network, that is the IP part of the Telecom Core Network that transports customers’ traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also see how automation enables us to succeed at attacks which are hard to perform and will show how a “sentinel” attack was able to compromise a telecom Core Network during one penetration test.
Bio: Philippe Langlois is a leading security researcher and expert in the domain of telecom and network security. He founded internationally recognized security companies (Qualys, WaveSecurity, INTRINsec, P1 Security) as well as led technical, development and research teams (Solsoft, TSTF). He founded Qualys and led the world-leading vulnerability assessment service. He founded a pioneering network security company, Intrinsec, in 1995 in France. He founded his first business, Worldnet, France’s first public Internet service provider, in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (Interop, BlackHat, HITB, Hack.lu). He was previously a professor at Ecole de Guerre Economique and various universities in France (Amiens, Marne La Vallée) and internationally (FUSR-U, EERCI). He is a FUSR-U (Free University for Security Research) collaborator and founding member. Philippe provides industry associations (GSM Association Security Group, several national organizations) and governmental officials with Critical Infrastructure advisory conferences in Telecom and Network security. Now Philippe provides, with P1 Security, the first Core Network Telecom Signaling security scanner & auditor, which helps telecom companies, operators and governments analyze where and how their critical telecom network infrastructure can be attacked. He can be reached through his website at: http://www.p1security.com
He has presented previously at these security/hacking conferences: Hack.lu, Hack in the Box (HITB), Blackhat, Hackito Ergo Sum (Paris, France), SOURCE, Chaos Communication Congress (Berlin, Germany), ekoparty (Buenos Aires, Argentina), H2HC (Sao Paulo, Brazil), SYSCAN (Hong Kong; Thailand), Bellua (Jakarta, Indonesia), INT (Mauritius), Interop… (some events listed there http://www.p1sec.com/corp/about/events/ )
===
Harald Welte: Structural deficits in telecom security
Synopsis: Especially in recent years, numerous practical attacks and tools have been developed and released. The attack patterns and methods from the dynamic Internet world have finally caught up with the dinosaur of the Telecom world. So far, the industry has failed to demonstrate sufficient interest in developing proper responses. The changes so far have been superficial. Are they a sufficient response for what is to come? Has the telecom industry realized the true implications of having left the “walled garden”? The talk will leave the field of actual attacks behind in order to talk about what at least the author perceives as structural deficits in terms of IT security at operators and equipment vendors.
Bio: Harald Welte has been a communications security consultant for more than a decade. He was co-author of the netfilter/iptables packet filter in the Linux kernel and has since then been involved in a variety of Free Software based implementations of protocol stacks for RFID, GSM, GPRS, and TETRA. His main interest is to look at security of communication systems beyond the IP-centric mainstream. Besides his consulting work, he is the general manager of Sysmocom GmbH, providing custom tailored communications solutions to customers world-wide.
===
Have a great Sunday everybody, see you soon at Troopers 😉
If you’re following this blog regularly or if you’ve ever attended an ERNW-led workshop which included an “architecture section” you will certainly remember the “Seven Sisters of Infrastructure Security” stuff (used for example in this post). These are a number of (well, more precisely, it’s seven ;-)) fundamental security principles which can be applied to any complex infrastructure, be that a network, a building, an airport or the like.
As part of our upcoming Black Hat and Troopers talks we will apply those principles to some VoIP networks we (security-) assessed and, given we won’t cover them in detail there, it might be helpful to perform a quick refresher of them, together with an initial application to VoIP deployments. Here we go; these are the “Seven Sisters of Infrastructure Security”:
Access Control
Isolation
Restriction
Encryption
Entity Protection
Secure Management
Visibility
Now, let me discuss them in a bit more detail and put them into a VoIP context.
Access Control (“try to keep the threats out of the environment containing the assets to be protected”)
This should pretty much always be an early consideration as limiting access to “some complex infrastructure” obviously provides a first layer of defense and does so in a preventative[1] way. Usually authentication plays a major role here. Please note that in computer networks the access control principle does not only encompass “access to the network [link]” (where unfortunately the most prevalent technology – Ethernet – does not include easy-to-use access control mechanisms. And, yes, I’m aware of 802.1X…) but can be applied to any kind of (“sub-level”) communication environment or exchange. Taking a “passive-interface” approach for routing protocols is a nice example here as this usually serves to prevent untrusted entities (“the access layer”) from participating in some critical protocol [exchange][2] at all.
In a VoIP scenario limiting who can participate in the various layers and communication exchanges, be it by authentication, be it by configuration of static communication peers for certain exchanges[3] (yes, we know this might not scale and usually has a bad operational feasibility) would be an implementation of the access control principle.
Isolation (“separate some elements of the environment from others, based on attributes like protection need, threat potential or trust/worthiness”)
In computer networks this one is usually implemented by network segmentation (with different technologies like VLANs or VRFs and many others) and it’s still one of the most important infrastructure security principles. I mean, can you imagine an airport or corporate headquarters without areas of differing protection needs, different threat exposure or separate layers and means of access? [You can’t? So why do you think about virtualizing all your corporate computer systems on one big unified “corporate cloud”? ;-)]
Again, it should be noted that “traditional network segmentation” is only one variant. Using RFC 1918 (or ULA, for that matter) addresses in some parts of your network without NATing them at some point, or refraining from route distribution at some demarcation point constitute other examples.
In the VoIP world the main realization of the isolation principle is the commonly found approach of “voice vs. data VLAN[s]”.
Restriction (“once [as of the above principle] isolated parts get connected try to limit the interaction between those parts at the intersection point”)
This is the one most people think of when it comes to network security as this is what the most widely deployed network security control, that is firewalls, is supposed to do.
Two points should be noted here, from our perspective:
In some network security architecture documents phrases going like “the different segments are [to be] separated by firewalls” can be found. Which, well, is a misconception: usually a firewall connects networks (which would be isolated otherwise), it does not separate them. It may (try to) limit the traffic passing the intersection point but it still is a connection element.
And it should be noted that the restriction it applies (by filtering traffic) always has an operational price tag. Which is the one of the reasons why firewalls nowadays tend to fail so miserably when it comes to their actual security benefit…
In VoIP networks using the restriction approach is considerably hard (and hence quite often simply doesn’t happen) given a number of protocols’ volatility when it comes to the (UDP/TCP) ports they use.
Encryption (“while in transit encrypt some asset to protect it from threats on its [transit] way”)
This is a very common infrastructure security control as well (alas, at times the only one people think of) and probably does not need further explanation here.
Still it should be noted – again – that it has an operational price tag (key management and the like). Which – again – is the very reason why it sometimes fails so miserably when it comes to providing actual security…
In the VoIP world (as this one is very much about “assets in transit”) it’s (nowadays) a quite common one, even though a number of environments still refrain from using it, mainly due to the mentioned “operational price tag”.
Entity Protection (“take care of the security exposure of the individual elements within the environment containing the assets to be protected”)
This encompasses all measures intended to increase the security of individual elements. It’s not limited to simple hardening though, but includes all other “security [posture] quality assurance” things like pentesting or code reviews (when the element looked at is an application).
Adding a comment again I’d like to state that, in times of virtualization and vaporizing security layers (deploying shiny apps pretty much directly connecting customers to your ERP systems, by means of fancy webservices) this one might become more and more important. In the past many security architectures relied on layers of isolation & restriction and thereby skipped the hardening/quality assurance step (“we don’t have to harden this Solaris box as there’s a firewall in front of it”). As the talks’ case studies will show this one is a fundamental (and overlooked) one in many VoIP deployments.
Secure Management (“manage the [infrastructure] elements in a secure way”)
Secure management usually can be broken down to:
Restrict the endpoints allowed to establish management connections.
Either use a trusted environment (network link) or use secure variants of mgmt. protocols instead of their less secure counterparts (SSH vs. Telnet, HTTPS vs. HTTP, SNMPv3 vs. community-based SNMP and the like).
Logging of security related events and potentially all management actions performed.
While this is (should be) an obvious security principle, daily assessment experience shows that failures/weaknesses in this space account for the majority of critical vulnerabilities when it comes to infrastructure security. This applies in particular to VoIP implementations (see the case studies for examples).
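The three secure management points above (restricted management sources, secure protocol variants, logging) are exactly the things an assessor greps a device configuration for. As an added example, not code from the post or from ERNW, here is a small Python audit over a constructed, vendor-neutral configuration snippet whose syntax is assumed for illustration; it flags Telnet on a management line, community-based SNMP, cleartext HTTP management, a management line without a source restriction, and a missing remote log host.

```python
import re

# Constructed sample configuration in an assumed, vendor-neutral syntax.
# Not taken from the post; built only to show what the checks look for.
SAMPLE_CONFIG = """\
hostname voip-gw-01
snmp-server community public RO
snmp-server community s3cret RW
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 access-class 10 in
 login local
ip http server
no ip http secure-server
logging host 10.0.0.5
"""


def audit_management_plane(config: str):
    """Return a list of (severity, message) findings for the management plane."""
    findings = []
    lines = [line.rstrip() for line in config.splitlines()]

    # 1) Secure protocol variants instead of their less secure counterparts.
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("transport input") and "telnet" in stripped:
            findings.append(("high", "Telnet allowed on a vty line; use SSH only"))
        match = re.match(r"snmp-server community (\S+)", stripped)
        if match:
            community = match.group(1)
            severity = "high" if community.lower() in ("public", "private") else "medium"
            findings.append((severity,
                             f"community-based SNMP configured ({community}); prefer SNMPv3"))
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append(("high", "cleartext HTTP management enabled without HTTPS"))

    # 2) Restrict the endpoints allowed to establish management connections:
    #    every vty block needs an access-class (source restriction).
    block = None  # [block header, has access-class]
    for line in lines + ["line end"]:  # sentinel closes the last block
        if line.startswith("line "):
            if block is not None and block[0].startswith("line vty") and not block[1]:
                findings.append(("medium",
                                 f"'{block[0]}' has no access-class restricting management sources"))
            block = [line, False]
        elif block is not None and line.strip().startswith("access-class"):
            block[1] = True

    # 3) Logging of security-related events to a remote host.
    if not any(line.startswith("logging host") for line in lines):
        findings.append(("medium", "no remote logging host configured"))

    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    summary = {}
    for severity, _ in findings:
        summary[severity] = summary.get(severity, 0) + 1
    return summary


if __name__ == "__main__":
    for severity, message in audit_management_plane(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample it reports five findings: three high (Telnet, the default SNMP community, HTTP without HTTPS) and two medium (the non-default RW community, the unrestricted `line vty 0 4`); `line vty 5 15` passes because it carries an access-class, and the logging check passes because a log host is configured. The same structure extends to whatever syntax your devices actually use.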
Visibility (“be able to assess the current security posture of your infrastructure and its elements with reasonable effort”)
This is where logging (+ analysis), monitoring etc. come into play. We’d like to note that while this is a valid infrastructure security principle, its actual security benefit is often overestimated given the “detection/reaction” nature of this principle and its subsequent bad operational feasibility.
This is a particularly interesting (and neglected) one in many VoIP environments. Usually the data generated in this space (for VoIP) cannot be easily processed (by the $SIEM you acquired two years ago, for a six-figure € number and which still has only a handful of use cases defined…), while on the other hand being heavily useful (or even required for legal follow-up) in one of those numerous billing fraud incidents.
How to Apply those Principles in a Generic Way
As the above application to VoIP shows, these fundamental security principles allow for tackling any type of “securing assets within a complex overall setting” by going through a simple (checklist-type) set of questions derived from them. These questions could look like
Can we limit who’s taking part in some network, protocol, technology, communication act?
Any need to isolate stuff due to different protection need, (threat) exposure or trust(worthiness)?
What can be done, filtering-wise, on intersection points?
Where to apply encryption in an operationally reasonable way?
What about the security of the overall system’s main elements?
How to manage the infrastructure elements in a secure way?
How to provide visibility as for security-related stuff, with reasonable effort?
In a sequel to this post I might cover the mentioned case studies in more detail. In case I miss doing so, the slides will be available after the respective events ;-).
Have a great Sunday,
Enno
[1] As it requires the usually most scarce resource of an organization, that is humans and their brains. The part that can not be easily substituted by technology…
[1] In general preventative controls have a better cost/benefit ratio than detective or reactive ones. And this is still true in the “you’ll get owned anyway that’s why you should spend lots of resources on detective/reactive controls” marketing hype age…
[2] To provide another example from the routing protocol space: the “inter-operator trust and TCP-” based nature of BGP (as opposed to the “multicast and UDP-“based nature of other routing protocols) certainly is one of the most fundamental stability contributing properties of the current Internet.
[3] Another simple example here. If the two VoIP gateways in the incident described here had used a host route for each other instead of their default route (which wasn’t needed given their only function was to talk to each other), presumably the whole thing wouldn’t have happened.
I’m currently involved in creating an up to date approach to handling external connections (read: temporary/permanent connections with external parties like business partners) of a very large enterprise. Currently they have something along the lines of: “there are two types of external connections, trusted and untrusted. The untrusted ones have to be connected by means of a double staged firewall”.
Which – of course – doesn’t work at all in a VUCA world, for a number of reasons (the demarcation between trusted and untrusted is quite unclear – just think of mergers & acquisitions –; “business doesn’t like implementing 2-staged firewalls in some part of the world where they just signed the memorandum for a joint venture to build windmills in the desert”; firewalls might not be the appropriate control for quite some threats anyway – see for example slide 46 of this presentation– and so on). Not to mention that I personally think that the “double staged firewall” thing is based on an outdated threat model, in particular when implemented with two different vendors (for the simple reason that the added operational effort usually is not worth the added security benefit. see this post for some discussion of the concept of “operational feasibility”…).
Back to the initial point: the approach to be developed is meant to work on the basis of several types of remote connections which each determine associated security controls and other parameters. Which, at the first glance, does not seem overly complicated, but – as always – the devil is in the details.
What to base those categories on: the trust or security level of the other party (called “$OTHER_ORG” in the following) – or just assume they’re all untrusted? The protection needs of the data accessed by $OTHER_ORG? The (network) type of connection or number & type of users (unauthenticated vs. authenticated, many vs. few), the technical characteristics of the services involved (is an outbound Bloomberg link to be handled differently than an inbound connection to some published application, by means of a Citrix Access Gateway? if so, in what way?) etc.
As a start we put together a comprehensive list of questions as for the business partner, the characteristics of the connection and the data accessed and other stuff. These have to be answered by the (“business side”) requestor of an external connection. To give you an idea of the nature of questions here’s the first of those (~ 40 overall) questions:
Please provide details as for the company type and ownership of $OTHER_ORG.
More specifically: does $COMPANY hold shares of $OTHER_ORG?
Who currently manages the IT infrastructure of $OTHER_ORG?
Does $OTHER_ORG dispose of security relevant (e.g. ISO 27001) certifications or are they willing to provide SAS 70/ISAE 3402/SSAE 16 (“Type 2”) reports?
What is – from your perspective – $OTHER_ORG’s maturity level as for information security management, processes and overall posture?
How long will the connection be needed?
Which $COMPANY resources does $OTHER_ORG need to access?
Does a risk assessment for the mentioned ($COMPANY) resources exist?
What is the highest (data) classification level that $OTHER_ORG needs access to?
What is the highest (data) classification of data stored on systems that $OTHER_ORG accesses by some means (even if this data is not part of the planned access)?
Will data be accessed/processed that is covered by regulatory frameworks [e.g. Data Protection, PCI, SOX].
What would – from your perspective – be the impact for $COMPANY in case the data in question was disclosed to unauthorized 3rd parties?
What would – from your perspective – be the impact for $COMPANY in case the data in question was irreversibly destroyed?
What would – from your perspective – be the impact for $COMPANY in case the service(s) in question was/were rendered unavailable for a certain time?
We then defined an initial set of “types of connections” that dispose of different characteristics and might be handled with different measures (security controls being a subset of these). These connection types/categories included
“trusted business partners”/TBP (think of outsourcing partners, with strong mutual contractual controls in place etc.).
“external business partner”/EBP (this is the kind-of default, “traditional” case of an external connection).
“mergers & acquisitions [heritage]”/MA (including all those scenarios deriving from M & A, like “we legally own them but don’t really know the security posture of their IT landscape” or “somebody else now legally owns them, but they still need heavy access to our central systems, for the next 24-36 months”).
“business applications”/BusApp (think of Bloomberg access in finance or chemical databases in certain industry sectors).
“external associates”/ExtAss (“those three developers from that other organization we collaborate with on developing a new portal for some service, who need access to the project’s subversion system which happens to sit in our network”).
Next we tried to assign a category by analyzing the answers in a “point-based” manner (roughly going like: “in case we own them by 100% give a point for TBP”, “in case the connection is just outbound to a limited set of systems, give a point to BusApp”, “if it’s an inbound connection from less than 10 users, here’s a point for ExtAss” etc.), in an MS Excel sheet containing the questions together with drop-down response fields (plus comments where needed) and some calculation logic embedded in the sheet. This seemed a feasible approach, but reflecting on the actual points and assignment system, we realized that, in the end of the day, all these scenarios can be broken down to three relevant parameters which in turn determine the handling options. These parameters are
the trustworthiness of some entity (e.g. an organization, a network [segment], some users). Please note that _their trustworthiness_ is the basis for _our trust_ so both terms express sides of the same coin.
the (threat) exposure of systems and data contained in certain parts of some (own|external) network.
the protection needs of systems and data contained in certain parts of (usually the “own”/$COMPANY’s) network.
Interestingly enough every complex discussion about isolating/segmenting or – the other side of the story – connecting/consolidating (aka “virtualizing”) systems and networks can be reduced to those three fundamentals, see for example this presentation (and I might discuss, in another post, a datacenter project we’re currently involved in where this “reduction” turned out to be useful as well).
From this perspective a total of eight categories can be defined, with each of those mentioned parameters potentially being “high” or “low”. These would look like
Taking this route greatly facilitates the assignment of both individual connections to a category and sets of potential (generic) controls to the connection type categories, as each answer (to one of those questions) directly influences one of those three parameters (e.g. “we hold more than 50% of their shares” => increase trust; “$OTHER_ORG needs to access some of our systems with high privileges” => increase exposure; “data included that is subject to breach laws” => increase protection need etc.).
Which in turn allows a (potentially weighted) points based approach to identify those connections with many vs. few (trust|exposure|protection need) contributing factors.
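To make the reduction to three parameters concrete, here is an added Python example (not the spreadsheet or scoring from the post, and not ERNW's code) that maps a handful of questionnaire answers onto the three parameters named above, decides "high" or "low" per parameter against an assumed threshold, and numbers the resulting eight (trust, exposure, protection need) combinations. The questions, point values and thresholds are constructed for illustration; the actual weighting is left to the next part of the series.

```python
# The three parameters are the post's own; the question keys, point values
# and thresholds below are assumed for illustration and not from the post.
PARAMETERS = ("trust", "exposure", "protection_need")

CLASSIFICATION_POINTS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Each rule maps one answer to (parameter, points added), in the spirit of
# "we hold more than 50% of their shares => increase trust" etc.
RULES = {
    "share_held_pct": lambda v: ("trust", 2 if v > 50 else 1 if v > 0 else 0),
    "iso27001_certified": lambda v: ("trust", 1 if v else 0),
    "direction": lambda v: ("exposure", 2 if v == "inbound" else 0),
    "privileged_access": lambda v: ("exposure", 2 if v else 0),
    "user_count": lambda v: ("exposure", 1 if v >= 10 else 0),
    "highest_classification": lambda v: ("protection_need", CLASSIFICATION_POINTS[v]),
    "regulated_data": lambda v: ("protection_need", 2 if v else 0),
}

# Points at or above which a parameter counts as "high" (assumed values).
THRESHOLDS = {"trust": 2, "exposure": 2, "protection_need": 2}


def score(answers):
    """Sum the points each answer contributes to its parameter."""
    totals = {p: 0 for p in PARAMETERS}
    for question, value in answers.items():
        if question not in RULES:
            raise ValueError(f"unknown question: {question}")
        parameter, points = RULES[question](value)
        totals[parameter] += points
    return totals


def categorize(answers):
    """Reduce the scores to high/low per parameter."""
    totals = score(answers)
    return {p: ("high" if totals[p] >= THRESHOLDS[p] else "low") for p in PARAMETERS}


def category_index(levels):
    """Number the eight combinations 0..7 (trust, exposure, protection need as bits)."""
    bits = [1 if levels[p] == "high" else 0 for p in PARAMETERS]
    return bits[0] * 4 + bits[1] * 2 + bits[2]


# Constructed answer sets for two of the connection types sketched above.
OUTSOURCING_PARTNER = {            # "trusted business partner"-like
    "share_held_pct": 100, "iso27001_certified": True,
    "direction": "inbound", "privileged_access": True, "user_count": 50,
    "highest_classification": "confidential", "regulated_data": True,
}
MARKET_DATA_FEED = {               # "business application"-like, outbound only
    "share_held_pct": 0, "iso27001_certified": False,
    "direction": "outbound", "privileged_access": False, "user_count": 5,
    "highest_classification": "internal", "regulated_data": False,
}

if __name__ == "__main__":
    for name, answers in (("outsourcing partner", OUTSOURCING_PARTNER),
                          ("market data feed", MARKET_DATA_FEED)):
        levels = categorize(answers)
        print(name, score(answers), levels, "category", category_index(levels))
```

The outsourcing partner lands in the all-high category (high trust, but also high exposure and high protection need), the outbound data feed in the all-low one; the interesting cases for control selection are the mixed ones in between, e.g. low trust combined with high exposure, which is what the point-based answers surface without a hand-crafted rule per connection type.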
More on this including details on the actual calculation approach and the final assignment of a category in the next part of this series which is to be published soon…
Once more ShmooCon is the place to be for some days in late January. Great con, great people and five ERNW guys amongst them 😉
We regard Shmoo(Con) as one of the most important community events of all and it allows us to meet fellow researchers from the US who we can’t easily sit down with to chat very often.
And some lucky guys from ERNW will even continue the trip to head to San Diego (!) for NANOG and NDSS. Not to mention they stay in some fancy beach resort ;-), while I myself fly back today. (Getting older I don’t enjoy staying away from home for a week anymore and I have been missing my kids for some days…)
So what can I report to good ole Germany?
On Friday, Peter Gutmann delivered the keynote (mainly) on how taking a dynamic risk assessment approach based on a number of factors (allowing to rate the overall trustworthiness of a website visited) could heavily contribute to browser security and phishing prevention. While I had the impression there was some room for improvement as for the presentation style, it provided a number of interesting thoughts and on the technical level I really liked it.
[furthermore I learned about the “Crime prevention through environmental design” (CPTED) approach which I wasn’t aware of beforehand].
Next talk I was really looking forward to was Toby Kohlenberg’s “A New Model for Enterprise Defense” piece.
Toby and I had been following each other’s work for some years, so when Intel published this whitepaper he co-authored and he subsequently gave a talk on the stuff at T2 I decided to invite him to speak about the approach at Troopers 2012. Which unfortunately didn’t work out due to some conflict on his side and he seems at least as unhappy as I am about this 😉
Still ShmooCon provided an opportunity to see his stuff live (btw: at 10:00 AM on Saturday morning which traditionally happens to be one of the least rewarding speaking slots at Shmoo ;-)) and discuss it over lunch afterwards.
Dear readers, this is great stuff!
Looking at the current attack and overall security landscape some guys at Intel asked themselves “If we were starting from scratch what would we do differently?” and created a small, focused team that tried to answer that exact question. They came up with an architecture based on four ideas:
Dynamic Trust Calculation
Isolated Security Zones
Aggressively balanced controls
Additional “perimeters” added (User, Data)
The approach is centered around a step they call “dynamic trust calculation” which in turn can be split up into calculating the trust(worthiness) of first the source of an access request to an information entity, taking into account the user identity (“who are you?”), the device and feature set (“what do you have?”) and the physical location (“where are you?”), and second the trust(worthiness) of the destination, based on the application, the data’s classification and the data’s location. The “quality” (trustworthiness) of the actual authentication method used might come into play as well (e.g. OTPs or cert based auth providing better numbers in the overall trust calculation than, say, username/password). Evaluating these factors then determines the type of access granted. So a corporate sales guy using a smartphone from an untrusted location might only read customer information or place orders while being able to modify pricing only when using a system within an organization’s network.
[btw: this is a little bit similar to the table I used at the bottom of this post, with the difference that the approach laid out there (in that post) is much less flexible and does not provide the security benefit the Intel approach might offer]
So far they’ve started implementing the architecture with their own tools and based on currently existing technologies (he mentioned they heavily use proxies when crossing the boundaries of trust zones), so none of this stuff is “readily available as commercial tools”. Still he mentioned that a number of vendors they discussed this with are working on such approaches as well. Hopefully this does not take the road of NAC (which, from my perspective, is fully dead due to the inherent complexity and operational effort it induced).
In addition to the technical aspects of the talk it was actually fascinating to hear how they built and maintained (over time) that “security innovation” team. I might take some lessons as for the way we do such stuff at ERNW…
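To make the decision logic concrete, here is an added illustration of the scheme summarised above (it is not Intel’s code; all point values, levels, the action list and thresholds are assumptions). The source of a request is rated from identity, device, location and authentication strength, the destination from application, data classification and data location, and the access type granted is whatever the source’s trust covers once the destination’s demands are added on top:

```python
"""Dynamic trust calculation: rate the source of a request and the
destination it targets, then derive the access type from the two.

Added illustration of the scheme summarised in the post (source factors:
who you are, what you have, where you are, how you authenticated;
destination factors: application, data classification, data location).
This is not Intel's code; every point value, level and threshold below is
an assumption chosen so that the post's sales example comes out as described.
"""
from dataclasses import dataclass

# Source-side factors, each mapped to illustrative points.
IDENTITY = {"contractor": 1, "employee": 2}
DEVICE = {"unmanaged": 0, "managed_smartphone": 1, "managed_laptop": 2, "corp_workstation": 3}
LOCATION = {"untrusted": 0, "vpn": 1, "corp_network": 2}
AUTH = {"password": 0, "otp": 1, "certificate": 2}  # stronger auth earns more points

# Destination-side factors: how much additional source trust the target demands.
CLASSIFICATION = {"internal": 0, "confidential": 1, "restricted": 3}
DATA_LOCATION = {"corp_datacenter": 0, "partner_hosted": 1}  # data outside raises the bar
APPLICATION = {"crm": 0, "order_entry": 0, "pricing_admin": 1}

# Minimum source trust for each access type before the destination's demand is
# added (assumed numbers).
ACTION_BASELINE = {"read": 2, "place_order": 3, "modify_pricing": 6}


@dataclass(frozen=True)
class Source:
    identity: str
    device: str
    location: str
    auth: str

    def trust(self):
        """'Who are you' + 'what do you have' + 'where are you' + auth quality."""
        return (IDENTITY[self.identity] + DEVICE[self.device]
                + LOCATION[self.location] + AUTH[self.auth])


@dataclass(frozen=True)
class Destination:
    application: str
    classification: str
    location: str

    def demand(self):
        """Extra trust the destination requires on top of the action baseline."""
        return (CLASSIFICATION[self.classification] + DATA_LOCATION[self.location]
                + APPLICATION[self.application])


def allowed_actions(src, dst):
    """Return the set of access types granted for this source/destination pair."""
    have = src.trust()
    need = dst.demand()
    return {action for action, base in ACTION_BASELINE.items() if have >= base + need}


def decide(src, dst, action):
    """Policy decision for a single request: True = grant, False = deny."""
    return action in allowed_actions(src, dst)


# Constructed scenario following the post: the same sales employee in two contexts.
CUSTOMER_DATA = Destination("crm", "confidential", "corp_datacenter")
PRICING = Destination("pricing_admin", "confidential", "corp_datacenter")
SALES_ON_THE_ROAD = Source("employee", "managed_smartphone", "untrusted", "otp")
SALES_AT_DESK = Source("employee", "corp_workstation", "corp_network", "certificate")

if __name__ == "__main__":
    for who, src in (("on the road", SALES_ON_THE_ROAD), ("at desk", SALES_AT_DESK)):
        print(who, "trust =", src.trust())
        for name, dst in (("customer data", CUSTOMER_DATA), ("pricing", PRICING)):
            print("  ", name, "->", sorted(allowed_actions(src, dst)))
```

With these numbers the smartphone user from an untrusted location (trust 4) gets read and order entry on customer data but not pricing changes, while the same person on a corporate workstation inside the network with certificate authentication (trust 9) gets all three; a contractor with a password on an unmanaged device gets nothing on confidential data at all.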
I’ll keep you updated once Toby’s slides are publicly available (in the interim see the whitepaper mentioned above) and might even find the time to discuss other interesting talks. For the moment have a great Sunday everybody
It’s done. The exciting (and demanding) process of selecting talks for Troopers is complete (for the record: second round of talk selection was here, the first here).
We’re quite happy and looking forward to the event 😉
==================
Rodrigo Branco: Into the Darkness – Dissecting Targeted Attacks
The current threat landscape around cyber attacks is complex and hard to understand even for IT pros. The media coverage on recent events increases the challenge by putting fundamentally different attacks into the same category, often labeled as advanced persistent threats (APTs). The resulting mix of attacks includes everything from broadly used, exploit-kit driven campaigns run by cyber criminals, to targeted attacks that use 0-day vulnerabilities and are hard to fend off – blurring the threat landscape, causing confusion where clarity is most needed.
This presentation analyzes a specific incident, last March’s RSA breach, explaining the techniques used by the attackers and detailing the vulnerability used to gain access to the network. It further explores the possible mitigation techniques available in current software on the OS and application level to prevent such attacks from reoccurring.
Bio: Rodrigo Rubira Branco (BSDaemon) is the Director of Vulnerability & Malware Research at Qualys. In 2011 he was honored as one of the top contributors to Adobe Vulnerabilities in the past 12 months. Previously, as the Chief Security Researcher at Check Point he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software products. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest and biggest security research conference in Latin America.
==================
Carsten Amann: Security can not only Be Managed by Numbers – You Need More
Abstract: From “the management’s perspective” IT security is usually reduced to key performance indicators. Those indicators tend to leave some room for interpretation, especially for top management people. This room for interpretation can lead to decisions which not only fail to improve the security level, but might actually decrease it.
The presentation will give an overview how IT security should be “managed by numbers”, to provide transparency and to gain the trust of the top management.
Bio: After his business information systems studies Carsten Amann started his career with a very large consulting company. He was assigned in managerial positions to software implementation projects for different clients. In 2007 he continued his career with a global supplier for technology and services. There he was initially responsible for the global IT security operations (virus protection, encryption, anti-spam etc.). After this assignment he took over the responsibility for the IT-Client topic (operating system, software distribution). Then he took over the responsibility for services within a product area.
==================
Manuel Leithner: Cloud Storage and Its Implications on Security and Privacy
Abstract: With everything moving to the cloud nowadays, security and privacy are often left behind. An ever increasing number of cloud storage operators offer low cost online storage. In this talk we will present our results on the popular service Dropbox, which relied heavily on data deduplication for better user experience. While data deduplication is a straightforward way to decrease costs in terms of bandwidth and storage, it has implications for the privacy and security of user data if done wrong – there ain’t no such thing as a free lunch. We will furthermore present methods for doing data deduplication correctly.
Bio: Manuel was introduced to information security while graduating from a technical college and has done research in the areas of mobile security, cloud computing and compile-time obfuscation. He has appeared on national television, podcasts and possibly Chinese security blacklists.
Furthermore, he’s known to use presentations with an average of 0.3 words per slide.
==================
Piotr Cofta: Security professionals – plumbers of trust
Abstract: Trust is a foundation of security, so that it is often overlooked. The presentation analyses trust from the perspective of an information security professional. It discusses what trust is, how it is structured and what can be done about it, beyond the familiarity of trust assessment or trust management. As a result, participants will develop professional insight into trust.
Bio: Dr. Piotr Cofta is managing Security Transformation, having moved from his role as a Chief Researcher, Identity and Trust. Before that, he has been working for many years for Nokia and for Media Lab Europe, concentrating on the relationship between trust, risk, technology and society.
Dr. Cofta is a contributor to several international standards; he publishes and speaks frequently. He is an author of several patents and publications, from areas such as trust management, identity and privacy, digital rights management and electronic commerce. He is a CISSP and a senior member of IEEE. You can contact him at Piotr.Cofta@cofta.net or at http://piotr.cofta.net.
==================
Frank Block & Michael Thumann: Some Notes on Web Application Firewalls or Why You still Get Owned
Abstract: This talk illuminates Web Application Firewalls (WAFs), with particular focus on the negative detection model. It will present methods to fingerprint and circumvent them in order to demonstrate the false sense of security they might create. Furthermore the tool tsakwaf (The Swiss Army Knife for Web Application Firewalls) will be covered, a little script written in perl that includes various code generation functions for circumventing WAFs and a fingerprinting routine to identify supported WAFs.
Of course there will be some nice demos to prove the point and the speakers will also share their experience from daily web application pentest tasks. Finally, as a special gift, an enhanced version of TSAKWAF will be released at Troopers.
Bios: Frank Block is a security consultant working for ERNW GmbH and penetration tester focusing on web application pentests. One of his passions is the analysis of security mechanisms to find ways to circumvent those.
Michael Thumann is the Chief Security Officer and head of ERNW’s application security team. He has published security advisories regarding topics like ‘Cracking IKE Preshared Keys’ and buffer overflows in web servers or VPN software. Michael enjoys sharing his self-written security tools (e.g. ‘tomas – a Cisco Password Cracker’, ‘ikeprobe – IKE PSK Vulnerability Scanner’ or ‘dnsdigger – a dns information gathering tool’) and his experience with the community. Besides numerous articles and papers he wrote the first German book on pentesting that has become recommended reading at German universities.
In addition to his daily pentesting tasks he is a regular conference speaker (incl. several Black Hat events, HITB and RSA Conference) and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michael’s main interest is to uncover vulnerabilities and security design flaws from the network to the application level and to reverse almost everything to understand the inner workings.
==================
Johnny Deutsch: The Social Map
Abstract: In our talk we will discuss the threats that social networks pose to organizations. We will display case studies from our clients that have encountered unwanted exposure on account of their employees or social network applications. The talk addresses issues such as using the social network as a bed for corporate intelligence gathering, how users interact with their co-workers and what we can infer from usage trends for the corporate social network policy.
We will demonstrate a variety of issues that corporations must think of when deciding to go on to the social networks. One of the most relevant usages on these networks is to harvest personal data and apply data visualization tools, such as “Touch Graph”. This application performs this by mapping your friends, dissecting them into groups and creating a map of the employee’s social connections. The map is a good indicator of “closed groups”, a reference that indicates from where these people connect/relate to the employee. A tool that we built for our cyber-services department provides a unique feature that enables intelligence gathering on people the user is directly related to or has social ties with. This tool creates a visualization of social circles that are not directly related to your profile, by gathering information that is open to the public on Facebook and displays it as a map of connections. In our talk we will display usage cases of the tool and how it relates to our social policy methodology.
Bio: Johnny Deutsch is a manager in the Advisory Services practice of Ernst & Young LLP. Johnny leads the cyber warfare and crime section at Ernst & Young’s Hacktics Advanced Security Center (HASC) based in Tel Aviv, Israel. This cutting-edge security team is dedicated to conducting attack and penetration assessments for EY clients. In this role Johnny is in charge of developing new methodologies and performs cyber vulnerability assessments for HASC clients. Johnny has over 10 years of experience in the field of IT systems and security specializing in large scale VoIP systems and data networking. Prior to Johnny’s employment at HASC, he was a consultant at the Israeli Ministry of Defense and managed large scale projects in the field of IRM (Information Rights Management) and NAC (Network Access Control) systems. Prior to the MoD, Johnny was employed by an American sub contractor for the American Department of Defense and managed projects in the field of cellular communication and its integration of VoIP based PBXs. Prior to the DoD, Johnny served in the Israeli Defense Force and managed integration projects in the field of enterprise storage systems (Netapp) and enterprise WAN communications. Johnny is an active reserve duty officer in the Israeli army at the rank of Lieutenant.
after having announced the first round of Troopers speakers here, we’re happy to publish the second round today 😉
Here we go:
==================
Dmitry Sklyarov – “Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh Really?
Abstract: The task of providing privacy and data confidentiality with mobile applications becomes more and more important as the adoption of smartphones and tablets grows. As a result, there are a number of vendors and applications providing solutions to address those needs, such as password managers and file encryption utilities for mobile devices.
In this talk we will analyze several password managers and file encryption applications for Apple iOS platform and demonstrate that they often do not provide any reasonable level of security and that syncing data between desktop and mobile versions of the applications increases the risk of compromise. We will also show that the best way to provide privacy and confidentiality on Apple iOS platform is by adhering to Apple Developer Guidelines and not by reinventing the wheel.
Bio: Dmitry is a Security Researcher at Elcomsoft and a lecturer at Moscow State Technical University. He did research on the security of eBooks and on the authentication of digital photos. Recent research projects involved mobile phone and smartphone forensics. Dmitry is also a co-developer of the Elcomsoft iOS Forensic Toolkit.
==================
Thomas Stocker: Business Application Security in a Global Enterprise
Abstract: In this talk the business application security process at Allianz SE will be laid out. Information security is an integral part of any IT related project from the very beginning and – supported by a well-defined framework of processes and accompanying documents – this is maintained through the whole project lifecycle. I will give a detailed overview of the process, show the relevant steps and documents and discuss common challenges when dealing with the projects, how to tackle those and lessons learned.
Bio: Thomas works as Information Security Officer for the Holding of Allianz SE. He has initially established and continuously improved the business application security process since he took over the job six years ago. Prior to that he worked as an application developer and architect, so he knows his stuff from the ground up.
==================
Meredith Patterson & Sergey Bratus: Theory of Insecurity
Abstract: Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?
The answer to these questions is that for many protocols and services currently in use on the Internet, the problem of recognizing and validating their “good”, expected inputs from bad ones is either not well-posed or is undecidable (i.e., no algorithm can exist to solve it in the general case), which means that their implementations cannot even be comprehensively tested, let alone automatically checked for weaknesses or correctness. The designers’ desire for more functionality has made these protocols effectively unsecurable.
In this talk we’ll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.
Bios: Meredith L. Patterson is a software engineer at Red Lambda. She developed the first language-theoretic defense against SQL injection in 2005 as a PhD student at the University of Iowa, and has continued expanding the technique ever since. She lives in Brussels, Belgium.
Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing. He has a Ph.D. in Mathematics from Northeastern University and worked at BBN Technologies on natural language processing research before coming to Dartmouth.
==================
Mariano Nunez Di Croce: SAP (In)security: Latest Attacks and Defenses
Abstract: This presentation details some of the latest attack vectors against SAP systems, explaining some of the techniques malicious parties may use to compromise the systems remotely and then escalate privileges to access sensitive business information.
Join us to see live demonstrations of these attacks, learn about the statistics of dozens of real-world SAP Penetration Tests and identify the latest advances in preventing your SAP systems from falling into the wrong hands.
Bio: Mariano Nunez Di Croce is the CEO at Onapsis. Mariano is a renowned researcher in the ERP & SAP Security field, being the first to present on real-world security attacks to SAP platforms. Since then, he has been invited to lecture in some of the most important security conferences in the world, such as BlackHat DC/USA/EU, RSA, SAP, HITB Dubai/EU, Troopers, Ekoparty, HackerHalted, DeepSec, Sec-T, Hack.lu and Seacure.it, as well as in Fortune-100 companies and military organizations.
Mariano has discovered 50+ vulnerabilities in SAP, Microsoft, Oracle and IBM applications. He leads the strategic development of Onapsis X1, has been the developer of the first open-source SAP & ERP Penetration Testing Frameworks and leads the “SAP Security In-Depth” publication. Mariano is also a founding member of BIZEC.org, the Business Security Community. Because of his research work, he has been interviewed and featured in mainstream media such as CNN, Reuters, IDG, New York Times, eWeek, PCWorld, Darkreading and others.
==================
Mario Heiderich: Got your Nose! How to steal your precious data without using scripts
Abstract: Cross Site Scripting techniques and quirky JavaScript have received a lot of attention — thus more and more ways to get hands on this threat are being developed and practiced: Security aware people simply switch JavaScript off, developers use sand-boxed IFrames and CSP to protect their applications and NoScript, XSS filters and HTMLPurifer do a great job in keeping people from getting “XSS’d”. But what about attacks in the browser that don’t require any scripting at all — but still steal your precious data, right before you know it? What about attacks so sneaky and sophisticated or just simple, even your best Anti-XSS solution won’t prevent them? Attacks, that don’t use any scripting — but fierce markup tricks from outer space? This talk will introduce and discuss those kinds of attacks, show how attackers steal plain-text passwords, read CSRF tokens and other sensitive data and create self-spying emails and worse without executing a single line of JavaScript. Deactivating scripts and eliminating XSS as a good level of protection? Not anymore!
Bio: Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany, focuses on HTML5, SVG security and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Mario invoked the HTML5 security cheat-sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken on a large variety of international conferences, co-authored two books, several academic papers and doesn’t see a problem in his some weeks old son having a netbook already. There you have it.
==================
Nikhil Mittal: More fun using Kautilya or Is it a thumb drive? Is it a toy? no it’s a keyboard
Abstract: How many non-traditional methods do you use to get into systems? How about having some more fun while getting into the systems and also making profit out of it? Let us increase the awesomeness of our Penetration tests and start using Human Interface Devices such as Teensy in the pwnage trade.
The tool for the trade for this talk will be Kautilya. Kautilya is a toolkit which can be used to perform various pre-exploitation and post-exploitation activities. Kautilya aims at easing the use of attack vectors which traditionally require human intervention but can be automated using Teensy. Kautilya contains some nice customizable payloads which may be used for enumeration, info gathering, disabling countermeasures, keylogging and using the Operating System against itself for much more. The talk will be full of live demonstrations.
An updated version of Kautilya will be released at Troopers that includes a number of previously unseen Linux payloads.
Bio: Nikhil Mittal is a hacker, info sec researcher and enthusiast. His area of interest includes penetration testing, attack research, defense strategies and post exploitation research. He has over 3 years experience in Penetration Testing of many Government Organizations of India and other global corporate giants at his current job position.
He specializes in assessing security risks in secure environments which require novel attack vectors and an “out of the box” approach. He is the creator of Kautilya, a toolkit to utilize Teensy in penetration tests. In his free time, Nikhil likes to scan full IP ranges of countries for specific vulnerabilities, writes some silly Metasploit scripts and does some vulnerability research. He has spoken at Clubhack’10, Hackfest’11, Clubhack’11 and Black Hat Abu Dhabi’11.