During one of our last projects in a large environment we encountered an interesting flaw. Although it was not possible to exploit it in this particular context, it's worth mentioning here. The finding was about Cross-Site Request Forgery, a quite well-known attack that forces a user to execute unintended actions within the authenticated context of a web application: the browser attaches the user's session cookie to a request the attacker crafted, so the application cannot tell it apart from a legitimate one. With a little help from social engineering (like sending a link via email, chat, embedded code in documents, etc.) an attacker may force the user to execute actions of the attacker's choice.
Continue reading “Cross-Site Request Forgery with Cross-Origin Resource Sharing”
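To make the attack and the usual countermeasure concrete, here is an added example (not code from the original post or from the assessed application): a toy "transfer money" endpoint once in its CSRF-vulnerable form and once protected with a per-session synchronizer token plus an Origin/Referer check. The request/session objects, the `bank.example` origin and the attacker's `evil.example` page are all constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST (constructed for this example)."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


SITE_ORIGIN = "https://bank.example"   # assumed origin of the application
SESSIONS = {}                          # session id -> {"user": ..., "csrf": ...}


def login(user: str) -> str:
    """Create a server-side session and mint a random CSRF token for it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def _do_transfer(user: str, req: Request, ledger: dict) -> int:
    amount = int(req.form["amount"])
    ledger[user] -= amount
    ledger[req.form["to"]] = ledger.get(req.form["to"], 0) + amount
    return 200


def transfer_vulnerable(req: Request, ledger: dict) -> int:
    """Only checks the session cookie, which the browser sends automatically."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401
    return _do_transfer(session["user"], req, ledger)


def _same_origin(url: str) -> bool:
    a, b = urlsplit(url), urlsplit(SITE_ORIGIN)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def transfer_protected(req: Request, ledger: dict) -> int:
    """Requires a token the attacker cannot read plus a matching Origin/Referer."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None or not _same_origin(origin):
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403
    return _do_transfer(session["user"], req, ledger)


def forged_request(sid: str) -> Request:
    """What arrives when the victim opens the attacker's auto-submitting form:
    the browser adds the session cookie, but the attacker knows no CSRF token
    and the Origin header names the attacker's site."""
    return Request(cookies={"sid": sid},
                   form={"to": "mallory", "amount": "500"},
                   headers={"Origin": "https://evil.example"})


def legit_request(sid: str) -> Request:
    return Request(cookies={"sid": sid},
                   form={"to": "bob", "amount": "100",
                         "csrf_token": SESSIONS[sid]["csrf"]},
                   headers={"Origin": SITE_ORIGIN})


def demo() -> dict:
    """Run the forged request against both endpoints and report the outcome."""
    sid = login("alice")
    vulnerable_ledger = {"alice": 1000}
    protected_ledger = {"alice": 1000}
    return {
        "vulnerable_status": transfer_vulnerable(forged_request(sid), vulnerable_ledger),
        "vulnerable_alice": vulnerable_ledger["alice"],
        "protected_status": transfer_protected(forged_request(sid), protected_ledger),
        "protected_alice": protected_ledger["alice"],
        "legit_status": transfer_protected(legit_request(sid), protected_ledger),
        "legit_alice": protected_ledger["alice"],
    }


if __name__ == "__main__":
    print(demo())
```

The token check is the primary control; the Origin/Referer comparison is a cheap second line of defence, but note that a permissive CORS policy (the subject of the full post) can hand an attacker's script the token it would otherwise lack, which is why the two topics belong together.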
IPv6 Hackers Meeting @ IETF 87 in Berlin / Slides
That meeting was actually a great event. Once more, big thanks! to Fernando for organizing it and to EANTC for providing the logistics.
A couple of unordered notes to follow:
a) The slides of our contribution can be found here. Again, please note that this is work in progress and we're happy to receive any kind of feedback.
[given Fernando explicitly mentioned Troopers, we’ve allowed ourselves to put some reference to it into this version of the slide deck…]
b) The scripts Stefan is currently putting together will be released here once they've undergone more testing ;-).
c) Sander Steffann mentioned that Juniper SRX models do have IPv6 support for management protocols. According to this link this seems to be correct.
d) We had that discussion about which ASA inspects work with IPv6.
Here's a link providing some info for 8.4 software releases, and this is the respective one for 9.0.
e) I was really impressed by the work performed by these guys and I think that ft6 (“Firewalltester for IPv6”) is a great contribution to the IPv6 security (testing) space.
And, of course, Marc's latest additions to THC-IPV6 shouldn't go unnoticed ;-). And I learned he cannot only code, but cook as well.
===
Eric Vyncke commented “To be repeated”. We fully second that ;-).
thanks
Enno
Basic OS X Hardening & DMA
In the course of a recent endpoint assessment, we also had an OS X 10.8 client system as a target. While we still rely on the Firewire "capability" of unlocking systems on a regular basis (using this great tool), we noticed that Apple released a patch to disable Firewire DMA access whenever the system is in a locked state (e.g. with an active screensaver or no user logged in). As we test the Firewire DMA access vulnerability quite often (at least we thought so 😉 ) to prepare for demonstrations in the board room or client assessments, we were quite surprised that we must have actually missed that nice update. In order to verify the effectiveness of the patch, we ran our typical test bed and can quite happily confirm that the update successfully mitigates Firewire DMA access in locked system states.
Besides breaking into unpatched OS X clients using Firewire DMA access ;-), we also noticed a lack of hardening guides related to Apple's current OS X version 10.8, so we also compiled a basic checklist for OS X hardening measures which we want to share with you:
ERNW_Checklist_OSX_Hardening.pdf
Enjoy,
Matthias
SNMP Reflected Amplification DDoS Attacks
Just recently on the NANOG mailing list a discussion popped up titled "SNMP DDoS: the vulnerability you might not know you have".
There’s a couple of points here:
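As an added example that is not part of the original post: the attack relies on an attacker sending small, source-spoofed SNMP requests (typically GetBulk) to many Internet-facing agents, whose much larger responses all land on the spoofed address, i.e. the victim. From the victim's or the reflector operator's side it shows up in flow data as a storm of UDP/161 responses that dwarf the requests "sent" by one host. The detector below runs over constructed, NetFlow-like records; the field names, thresholds and addresses are assumptions for the illustration, not a real collector's schema.

```python
from collections import defaultdict
from dataclasses import dataclass

SNMP_PORT = 161


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


def find_amplification(flows, min_ratio=5.0, min_reflectors=3):
    """Return {suspected_victim: (amplification_ratio, reflector_count)}.

    Requests are flows *to* port 161; responses are flows *from* port 161.
    For each address that appears as the requester we compare the bytes of
    responses it receives against the bytes of the requests attributed to it.
    A spoofed victim shows a very high ratio spread across many reflectors,
    while a monitoring host polling its own devices stays small and local.
    """
    request_bytes = defaultdict(int)       # requester -> bytes "sent"
    response_bytes = defaultdict(int)      # requester -> bytes received
    reflectors = defaultdict(set)          # requester -> responding agents

    for f in flows:
        if f.dst_port == SNMP_PORT:
            request_bytes[f.src_ip] += f.bytes
        elif f.src_port == SNMP_PORT:
            response_bytes[f.dst_ip] += f.bytes
            reflectors[f.dst_ip].add(f.src_ip)

    findings = {}
    for victim, rx in response_bytes.items():
        tx = request_bytes.get(victim, 0)
        ratio = rx / tx if tx else float("inf")
        if ratio >= min_ratio and len(reflectors[victim]) >= min_reflectors:
            findings[victim] = (ratio, len(reflectors[victim]))
    return findings


# Constructed sample: four open agents abused against 203.0.113.10, plus a
# legitimate NMS (10.0.0.5) polling one of its own switches.
REFLECTORS = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
VICTIM = "203.0.113.10"

SAMPLE_FLOWS = []
for r in REFLECTORS:
    # tiny spoofed GetBulk request, apparently from the victim
    SAMPLE_FLOWS.append(Flow(VICTIM, 40000, r, SNMP_PORT, packets=1, bytes=80))
    # large multi-packet response delivered to the victim
    SAMPLE_FLOWS.append(Flow(r, SNMP_PORT, VICTIM, 40000, packets=20, bytes=12000))

SAMPLE_FLOWS.append(Flow("10.0.0.5", 50000, "10.0.0.20", SNMP_PORT, packets=1, bytes=90))
SAMPLE_FLOWS.append(Flow("10.0.0.20", SNMP_PORT, "10.0.0.5", 50000, packets=1, bytes=160))


if __name__ == "__main__":
    for victim, (ratio, count) in find_amplification(SAMPLE_FLOWS).items():
        print(f"{victim}: ~{ratio:.0f}x amplification via {count} reflectors")
```

The same per-requester ratio, computed on the reflector operator's own exports, points at agents that should not answer the Internet at all; the usual fix on that side is an ACL or community restriction on UDP/161 rather than any tuning of the detector.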
Responsible Disclosure and Academic Freedom, Again
Reading this article from the Guardian, on this guy apparently being banned from fully discussing research results in his talk at the upcoming USENIX Security, leaves me scratching my head once more. Things might (as so often) be more complex than they seem, but this looks like yet another misconception as for the contribution of security research (and its public discussion) to the greater good of us all. Which is unfortunate for the speakers (I've been in a similar situation once, receiving a threatening legal letter from a very large organization one day before one of our Black Hat presentations, and can tell you that stuff like that doesn't add to one's anticipation of the talk or the event...), for the audience (including some ERNW guys who will be at USENIX-SEC, so, btw, expect a summary post here) and for the whole community of security researchers.
Ross Anderson from the University of Cambridge (so just ~100 miles from Birmingham, where Flavio Garcia works) once gave a very nice response when one of his students was approached in a similar fashion. Based on the publicly available information, the judge in the above case did not follow this reasoning. Which, I think, is not a good thing for all of us.
Still, have a great remainder of the weekend everybody,
Enno
IPv6 Hackers Meeting @ IETF 87, Berlin
Next to IETF 87 going on in Berlin in a few days there will be an informal meeting of the "IPv6 Hackers" on Tuesday. We really look forward to meeting in person a number of people who we (so far) only know from the associated mailing list or similar machine-enhanced exchange. We hope to contribute as well. Based on the material of this workshop from the IPv6 Security Summit at Troopers13 we might give a short project presentation along the lines of "Some Notes on Testing the Real-World IPv6 Capabilities of Commercial Security Products", providing an overview of some testing done on commercial gear, together with a discussion of testing approaches, tools and key aspects.
I am currently discussing this potential input with the guy who kindly organized the meeting. In any case I encourage everybody interested in IPv6 security to show up there (you don't have to be registered for IETF 87) as there's not much that can substitute meeting in person to discuss how to make the IPv6 world a safer place.
best
Enno
BlackBerry 10 USB Modes
So we got these shiny new BlackBerry Q10 and Z10 devices lying on the desk one morning. It's my first BlackBerry, I have to admit, but nevertheless, the whole swishy GUI and touchy glass stuff wasn't my main concern; instead I took a look at the stuff going on while you connect the phone (do I have to call it BlackBerry? It's a phone, isn't it?) to your computer.
Some Notes on Types of Security Controls & the Way they're Implemented in Enterprise Environments
Welcome back, Dear Reader,
in this post I'd like to share some reflections on the (potentially inefficient) way some security controls can be observed to be deployed in complex organisations and what this may mean for the future of those controls.
In general the space of security controls can be categorized according to different schemes, such as:
- By fundamental principle (preventive, detective, reactive, corrective, deterrent, compensating etc. security controls; see for example this overview or this one or some illustration here).
- By "state of matter" (e.g. components, implementation, operations; again, for some supplemental information look at this one).
- By type of admission: whitelisting vs. blacklisting (some general discussion here, the respective Schneier-Ranum Face-Off to be found here, and this is only Bruce's half, but with a number of comments).
- Related to the overall architecture of implementation: centralized vs. distributed.
For today's topic I'll just focus on the latter two and will introduce them shortly.
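The whitelisting-vs-blacklisting distinction is easiest to see on a small input-validation control. The following is an added example (not code from the original post) of the same "serve a file from a fixed directory" check written both ways, with a request that the deny-list lets through. The base directory `/srv/files`, the filename pattern and the sample inputs are assumptions for the illustration.

```python
import posixpath
import re
from urllib.parse import unquote

BASE_DIR = "/srv/files"   # assumed directory the application may serve from


def blacklist_check(user_path: str):
    """Deny-list: reject inputs that *look* dangerous, allow everything else.

    The check runs on the raw parameter, but the application decodes the
    value afterwards, so an attacker simply encodes the thing the list is
    looking for. Returns the resolved path, or None if rejected.
    """
    if ".." in user_path or user_path.startswith("/"):
        return None
    decoded = unquote(user_path)                      # decoding after the check
    return posixpath.normpath(posixpath.join(BASE_DIR, decoded))


# Allow-list: one safe shape of input, nothing else. A plain filename
# starting with an alphanumeric, no separators, bounded length.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def allowlist_check(user_path: str):
    """Allow-list: decode first, match the one permitted form, then still
    verify the resolved path stays under BASE_DIR (defence in depth).
    Returns the resolved path, or None if rejected."""
    decoded = unquote(user_path)
    if not ALLOWED_NAME.fullmatch(decoded):
        return None
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    if not resolved.startswith(BASE_DIR + "/"):
        return None
    return resolved


# Constructed inputs: one benign, one with the traversal URL-encoded so that
# the literal ".." never appears in the raw parameter.
BENIGN = "report.txt"
ENCODED_TRAVERSAL = "%2e%2e/%2e%2e/etc/passwd"


def compare() -> dict:
    """Run both controls over both inputs."""
    return {
        "blacklist_benign": blacklist_check(BENIGN),
        "blacklist_attack": blacklist_check(ENCODED_TRAVERSAL),
        "allowlist_benign": allowlist_check(BENIGN),
        "allowlist_attack": allowlist_check(ENCODED_TRAVERSAL),
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name:18s} -> {outcome}")
```

The deny-list fails not because its pattern is wrong but because it enumerates bad cases and is evaluated in a different representation than the one the application finally uses; the allow-list describes the single good case and is evaluated after canonicalization, which is the general argument for whitelisting that the rest of the post builds on.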
Ganz Gallien? (All of Gaul?)
"Nein! Ein von unbeugsamen Galliern bevölkertes Dorf hört nicht auf, dem Eindringling Widerstand zu leisten." ("No! One small village of indomitable Gauls still holds out against the invaders.")
This is a famous quote pretty much every German kid used to know. Not sure if this still applies though, my three haven't touched Asterix comics so far. Anyhow, you might ask why I cite this.
Simple answer: see this recent article from the Guardian on a Utah-based ISP "resisting some pressure". That's the spirit...
Have a great Sunday everybody,
Enno
Pre-Weekend Goody: TROOPERS13 Video
Enjoy! After seeing this I personally feel like signing up for the TROOPERS14 Enthusiast Package 😉
Carry on
Florian & Team