Assessment of Visual Voicemail on iPhones

VVM on iOS 5.0.1

Visual Voicemail (VVM) is a common feature offered by mobile providers which makes the good old voice mailbox accessible through the phone’s visual interface. In contrast to classical voicemail, VVM allows intuitive navigation through voice messages without having to deal with an automated voice telling you the message count and the available options. However, this implies that the messages of missed calls actually have to be loaded onto the phone: the VVM app displays missed calls and downloads the corresponding messages left by the caller. The software ships with the iPhone and is not intended to be uninstalled; however, providers have to support it and have to activate it for their customers. The feature has been available on iPhones since August 2009 and later became available on BlackBerrys and a few Nokia phones. Android does not implement VVM in general, but some telecommunication providers offer their own apps to add this feature. Since version 4.0, Android offers an official Voicemail Provider API enabling better integration with the mobile OS.

Lately we had a deeper look at a VVM client. On iPhones the client is integrated into the phone app, but it has to be activated by the provider (and a special backend is needed). We assume activation is handled through a stealth SMS or something similar, since no related network traffic is visible. Most providers also charge for this feature; some contracts include VVM, but typically it has to be activated initially. Even if a wireless LAN connection exists, the traffic between phone and VVM backend is routed through the 3G interface and does not pass the Wi-Fi connection. This is interesting, since normally the Wi-Fi connection is preferred. It allows the providers to restrict access to the backend to the “IPs used on the 3G network”, meaning only customers with a SIM card from the corresponding provider can reach the mailbox system. From a corporate point of view this also means that a phone connected to a wireless LAN with an active VPN connection will bypass its “default way to the Internet” and consequently also bypass security controls such as proxy servers that might be in place.

After some actual VVM usage, we jailbroke the phone and installed assessment tools: Cydia (a third-party app store), an SSH daemon (to connect remotely) and tcpdump (to sniff network traffic). Cydia uses the package management known from Debian GNU/Linux, so we used “dpkg -i” to install the local package (.deb) of KeychainViewer, which was not available through the repository.

By sniffing the network traffic it was possible to examine the IMAP protocol, revealing the username and the corresponding hashed password (which is enough to replay a successful login) and, of course, all voicemail files. We want to highlight that all voicemail files were transferred unencrypted. In addition we had a look at the keychain entries of the app. This revealed information already known from sniffing the network traffic (protocol, port and server IP) and some new details. The first thing we noticed was the format of the account name (as already seen in the network traffic) as well as the password, which is stored in cleartext. Together with the server IP address this already adds up to the same critical amount of sensitive information that sniffing the network traffic yields. As the IMAP protocol on port 143 is used for communication, we were able to test the retrieved connection data and credentials with a standard email client. Unsurprisingly it worked out well. The screenshots show how we used Thunderbird to read the folder structure of the mailbox itself. Voice messages are basically implemented as emails with an .amr audio file attached.

Mailbox with Thunderbird

In addition we found that after activation of the VVM feature, the configuration (.plist) file is stored at /var/mobile/Library/Voicemail/com.apple.voicemail.imap.parameters.plist and contains the username, protocol information, the state of the voicemail account and the server IP. Having the username and the server IP, which depends on the provider but can typically be figured out very easily, an attacker can run brute-force attacks against the email server, which is exposed to the Internet.
Furthermore the whole data transfer turned out to be unencrypted. One could argue that sniffing 2G/3G isn’t as easy as sniffing Wi-Fi traffic. But even though eavesdropping or MITM attacks are less likely than on Wi-Fi networks, they shouldn’t be completely ignored. Unfortunately login credentials tend to be long-lived data: once intercepted, they give an attacker access to the mailbox and the corresponding applications for a long time.
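As an added example (not code from the original assessment), the following Python script handles the two artifacts described above: the parameter plist with the connection data and a voicemail delivered as a mail with an .amr attachment. The plist key names, the phone numbers, the server address and the mail content are constructed; the page does not give the real keys of com.apple.voicemail.imap.parameters.plist, so these are assumptions.

```python
"""Handle the two VVM artifacts described above: the IMAP parameter plist and a voicemail mail."""
import email
import plistlib
from email import policy
from email.message import EmailMessage

# Constructed sample plist. The post says the real file holds the username, protocol
# information, the account state and the server IP; the key names used here are
# assumptions, not the actual keys of com.apple.voicemail.imap.parameters.plist.
SAMPLE_PLIST = plistlib.dumps({
    "UserName": "491701234567",        # constructed account name
    "Protocol": "IMAP",
    "Port": 143,
    "ServerAddress": "198.51.100.23",  # documentation address, not a real backend
    "State": "active",
})

# AMR files start with the magic "#!AMR\n"; the rest of this payload is a stub, not audio.
SAMPLE_AMR = b"#!AMR\n" + b"\x3c" * 32


def parse_vvm_parameters(raw: bytes) -> dict:
    """Return the connection data recoverable from the (unprotected) plist."""
    data = plistlib.loads(raw)
    return {
        "username": data["UserName"],
        "protocol": data["Protocol"].lower(),
        "port": int(data["Port"]),
        "server": data["ServerAddress"],
        "state": data["State"],
    }


def transport_findings(params: dict) -> list:
    """The check from the post: plain IMAP on 143 means cleartext login and audio."""
    findings = []
    if params["protocol"] == "imap" and params["port"] == 143:
        findings.append(
            f"{params['server']}:{params['port']}: plain IMAP, login and .amr files "
            "cross the network unencrypted")
    return findings


def build_sample_voicemail() -> bytes:
    """Construct a voicemail the way the backend delivers it: a mail with an .amr attachment."""
    msg = EmailMessage()
    msg["From"] = "491709876543@vvm.example.net"   # constructed caller identity
    msg["To"] = "491701234567@vvm.example.net"
    msg["Subject"] = "Voice Message"
    msg.set_content("Voice message attached.")
    msg.add_attachment(SAMPLE_AMR, maintype="audio", subtype="amr",
                       filename="message.amr")
    return msg.as_bytes()


def extract_voice_messages(raw: bytes) -> list:
    """Pull (sender, filename, audio bytes) out of a raw RFC 822 voicemail mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg["From"])
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "audio/amr" and not name.endswith(".amr"):
            continue
        audio = part.get_payload(decode=True)
        if not audio.startswith(b"#!AMR"):
            continue  # labelled as AMR but not an AMR file: skip it
        found.append((sender, name, audio))
    return found


if __name__ == "__main__":
    params = parse_vvm_parameters(SAMPLE_PLIST)
    print(params, transport_findings(params))
    for sender, name, audio in extract_voice_messages(build_sample_voicemail()):
        print(f"{sender}: {name} ({len(audio)} bytes)")
```

Run against a real mailbox dump, the extraction function is what you would point at messages fetched with a standard IMAP client; the AMR magic check keeps it from treating arbitrary attachments as voice messages.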

Providers still seem to rely on the non-interceptable properties of their networks. Even though interception isn’t easy, several publications have proved them wrong in the last years, so this threat model is at least questionable. In addition, scenarios exist in which traffic is routed through untrusted areas, e.g. in case of roaming, and with the increasing importance of TCP/IP, traffic will more and more pass untrusted areas. The trust model also does not seem to consider the actual user as a threat to sensitive data stored on the device (such as credentials for the VVM server). Last but not least, finding sensitive information such as login credentials unencrypted/unhashed still leaves a sobering aftertaste.
All this has to be kept in mind when using such technologies and may lead to the question whether the provider’s trust/threat model matches your own or that of your environment/company.

Have a nice day,
Sergej


A Structured Approach to Handling External Connections, Part 1

I’m currently involved in creating an up-to-date approach to handling external connections (read: temporary/permanent connections with external parties like business partners) at a very large enterprise. Currently they have something along the lines of: “there are two types of external connections, trusted and untrusted. The untrusted ones have to be connected by means of a double-staged firewall”.

Which, of course, doesn’t work at all in a VUCA world, for a number of reasons: the demarcation between trusted and untrusted is quite unclear (just think of mergers & acquisitions); “business doesn’t like implementing 2-staged firewalls in some part of the world where they just signed the memorandum for a joint venture to build windmills in the desert”; firewalls might not be the appropriate control for quite some threats anyway (see for example slide 46 of this presentation); and so on. Not to mention that I personally think the “double staged firewall” thing is based on an outdated threat model, in particular when implemented with two different vendors (for the simple reason that the added operational effort usually is not worth the added security benefit; see this post for some discussion of the concept of “operational feasibility”).

Back to the initial point: the approach to be developed is meant to work on the basis of several types of remote connections which each determine associated security controls and other parameters. Which, at the first glance, does not seem overly complicated, but – as always – the devil is in the details.

What to base those categories on: the trust or security level of the other party (called “$OTHER_ORG” in the following) – or just assume they’re all untrusted? The protection needs of the data accessed by $OTHER_ORG? The (network) type of connection or number & type of users (unauthenticated vs. authenticated, many vs. few), the technical characteristics of the services involved (is an outbound Bloomberg link to be handled differently than an inbound connection to some published application, by means of a Citrix Access Gateway? if so, in what way?) etc.

As a start we put together a comprehensive list of questions about the business partner, the characteristics of the connection, the data accessed and other things. These have to be answered by the (“business side”) requestor of an external connection. To give you an idea of the nature of the questions, here are the first of those (~40 overall) questions:

  • Please provide details as for the company type and ownership of $OTHER_ORG.
  • More specifically: does $COMPANY hold shares of $OTHER_ORG?
  • Who currently manages the IT infrastructure of $OTHER_ORG?
  • Does $OTHER_ORG hold security-relevant certifications (e.g. ISO 27001), or are they willing to provide SAS 70/ISAE 3402/SSAE 16 (“Type 2”) reports?
  • What is – from your perspective – $OTHER_ORG’s maturity level as for information security management, processes and overall posture?
  • How long will the connection be needed?
  • Which $COMPANY resources does $OTHER_ORG need to access?
  • Does a risk assessment for the mentioned ($COMPANY) resources exist?
  • What is the highest (data) classification level that $OTHER_ORG needs access to?
  • What is the highest (data) classification of data stored on systems that $OTHER_ORG accesses by some means (even if this data is not part of the planned access)?
  • Will data be accessed/processed that is covered by regulatory frameworks (e.g. data protection, PCI, SOX)?
  • What would – from your perspective – be the impact for $COMPANY in case the data in question was disclosed to unauthorized 3rd parties?
  • What would – from your perspective – be the impact for $COMPANY in case the data in question was irreversibly destroyed?
  • What would – from your perspective – be the impact for $COMPANY in case the service(s) in question was/were rendered unavailable for a certain time?

We then defined an initial set of “types of connections” that have different characteristics and might be handled with different measures (security controls being a subset of these). These connection types/categories included

  • “trusted business partners”/TBP (think of outsourcing partners, with strong mutual contractual controls in place etc.).
  • “external business partner”/EBP (this is the kind-of default, “traditional” case of an external connection).
  • “mergers & acquisitions [heritage]”/MA (including all those scenarios deriving from M & A, like “we legally own them but don’t really know the security posture of their IT landscape” or “somebody else now legally owns them, but they still need heavy access to our central systems, for the next 24-36 months”).
  • “business applications”/BusApp (think of Bloomberg access in finance or chemical databases in certain industry sectors).
  • “external associates”/ExtAss (“those three developers from that other organization we collaborate with on developing a new portal for some service, who need access to the project’s subversion system which happens to sit in our network”).

Next we tried to assign a category by analyzing the answers in a “point-based” manner (roughly going like: “in case we own them 100%, give a point for TBP”, “in case the connection is just outbound to a limited set of systems, give a point to BusApp”, “if it’s an inbound connection from fewer than 10 users, here’s a point for ExtAss” etc.), in an MS Excel sheet containing the questions together with drop-down response fields (plus comments where needed) and some calculation logic embedded in the sheet. This seemed a feasible approach, but reflecting on the actual points and assignment system, we realized that, at the end of the day, all these scenarios can be broken down to three relevant parameters which in turn determine the handling options. These parameters are

  • the trustworthiness of some entity (e.g. an organization, a network [segment], some users). Please note that _their trustworthiness_ is the basis for _our trust_, so both terms express sides of the same coin.
  • the (threat) exposure of systems and data contained in certain parts of some (own|external) network.
  • the protection needs of systems and data contained in certain parts of (usually the “own”/$COMPANY’s) network.

Interestingly enough every complex discussion about isolating/segmenting or – the other side of the story – connecting/consolidating (aka “virtualizing”) systems and networks can be reduced to those three fundamentals, see for example this presentation (and I might discuss, in another post, a datacenter project we’re currently involved in where this “reduction” turned out to be useful as well).

From this perspective a total of eight categories can be defined, with each of those mentioned parameters potentially being “high” or “low”. These would look like

Taking this route greatly facilitates the assignment of both individual connections to a category and sets of potential (generic) controls to the connection type categories, as each answer (to one of those questions) directly influences one of those three parameters (e.g. “we hold more than 50% of their shares” => increase trust; “$OTHER_ORG needs to access some of our systems with high privileges” => increase exposure; “data included that is subject to breach laws” => increase protection need etc.).

Which in turn allows a (potentially weighted) points-based approach to identify those connections with many vs. few (trust|exposure|protection need) contributing factors.

More on this including details on the actual calculation approach and the final assignment of a category in the next part of this series which is to be published soon…

Have a great weekend

Enno

Don’t Pay Money for Someone Else’s Calls, Again

One of our customers called us recently and asked for some support in investigating a toll fraud issue they encountered in one of their sites. Their telecommunications provider had contacted them informing them that they had accumulated a bill of 30.000€ over the last ten days.

Without knowing anything more specific, I drove to the affected site to get the whole picture.

They have a VoIP deployment based on Cisco Unified Communications Manager (CUCM, aka Call Manager) as call agent. The CUCM is connected via an H.323 trunk to a Cisco 2911 ISR G2 which acts as voice gateway. The ISR has a primary rate ISDN (PRI) interface which is connected to the PBX of the telco. Furthermore they use a feature called Direct Inward Dial (DID) or Direct Dial-In (DDI), which is offered by telcos to enable calling parties to dial directly to an extension on a PBX or voice gateway.

Basically one then has a so-called head number (in networking terms a prefix) together with a number of phone extensions. When someone from outside wants to call, he dials the head number + extension. Before the telco forwards the call to the ISR, the head number is stripped and only the extension is forwarded to the voice gateway. E.g. when calling 12345-678, the local voice gateway will only see 678 as the called number.

After having a good overview of the design, I started to dig around in the log and configuration files to understand what exactly happened and why.

So here is what happened:

Apparently someone from some East European country had called the head number of our customer followed by a “malicious number” (in some country in Africa) to which the ISR should set up a call. The ISR only sees the malicious (African) number because, as said before, the head number was stripped by the telco. The malicious number was of course some $EXPENSIVE_LONG_DISTANCE_CALL ;). So the voice gateway received a call from the PBX and forwarded it straight back to set up a call to that number.

Before we proceed, a little bit of theory on how a Cisco router decides how to forward a call might be helpful:

In Cisco IOS, the call-routing table is configured by means of so-called dial-peers. These dial-peers specify how a call with a specific destination number should be forwarded.

As an example:

dial-peer voice 1234 pots
 description ===incoming_calls===
 incoming called-number ^[2-7]..$
 port 0/3/0

This configuration tells the router that an inbound call whose called number matches the pattern (three digits, the first one between 2 and 7) is handled by this dial-peer, which is bound to voice port 0/3/0.

As it turns out, our customer uses the following dial-peer for outbound calls.

dial-peer voice 5678 pots
 description ===outgoing calls===
 destination-pattern 8T
 port 1/1/1:15
 ! 1/1/1:15 is the ISDN (PRI) interface

The T is a placeholder that matches any number of digits following the 8 (a variable-length pattern). The reason the pattern starts with the digit 8 is that this digit has to be dialed before the actual number (it is the prefix for outgoing calls).

Do I have to mention that the malicious number also starts with an 8? 😉

So back to the presumed course of action:

The call with the malicious number hits the router. The router tries to find a configured dial-peer to forward the call. I think you can guess which dial-peer matched the malicious number 😉

So the router sends the call back to the PBX to set up a call to the malicious number. Which is billed to our customer…

We then monitored the situation, applied a workaround (more on this in a minute) and observed what happened. As it turned out, unfortunately the attacker was able to circumvent our workaround. We discovered that it was possible to “dial in” to the router directly by just calling the head number (as the PBX then leaves the called-number field empty). E.g. the called-number field in the log files looks like this:

“Called Number=”

The router subsequently provided a line and it was possible to dial the number again. Our workaround only affected incoming calls with the number appended, but not those where the router itself is the origin of the call setup.

So how can we resolve this issue and stop the toll fraud?

As a long-term solution the configured dial patterns should be reviewed and modified to prevent such things in the future, but – given the overall complexity of the setup – this could not be done overnight.

I am currently working with the customer to develop more suitable dial patterns. I will write a follow up post with the final results when we are finished.

In the meantime, we developed a temporary workaround to prevent this from happening again:

In Cisco IOS you can manipulate the calling or called number with so-called translation rules, and you are also able to reject calls based on the called number. Our customer does not use any extension beginning with 8, so we can drop all calls on the gateway whose called number starts with 8. We developed the following translation rule:

 voice translation-rule 11
  rule 1 reject /^8+/
  rule 2 reject /^$/
 voice translation-profile reject_calls
  translate called 11

Rule number 2 addresses the case where the called-number field is empty. We mapped this profile to the dial-peers responsible for incoming calls and specified that calls whose called number matches one of the rules must be rejected:

dial-peer voice 3456 pots
 description ===Incoming_Calls===
 call-block translation-profile incoming reject_calls
 call-block disconnect-cause incoming call-reject
 incoming called-number

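To make the matching behaviour concrete, here is an added Python simulation (not code from the customer’s gateway, and not a Cisco tool) of the dial-peer logic from the examples above together with the call-block workaround. It supports only the pattern characters used on this page; the dial-peer towards the CUCM trunk and the fraud number are constructed for illustration and are assumptions, not part of the original post.

```python
"""Simulate the IOS dial-peer matching and the call-block workaround described above."""
import re
from dataclasses import dataclass, field
from typing import Optional


def ios_pattern_to_regex(pattern: str):
    """Translate the subset of IOS dial-peer pattern syntax used on the page.

    '.' matches exactly one digit, 'T' matches a variable-length tail,
    '[2-7]' is a digit class, '^' and '$' are anchors, digits are literal.
    """
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == ".":
            parts.append(r"\d")
        elif c == "T":
            parts.append(r"\d*")
        elif c == "[":
            end = pattern.index("]", i)
            parts.append(pattern[i:end + 1])
            i = end
        elif c in "^$" or c.isdigit():
            parts.append(c)
        else:
            raise ValueError(f"unsupported pattern character {c!r}")
        i += 1
    body = "".join(parts)
    if not body.startswith("^"):
        body = "^" + body
    if not body.endswith("$"):
        body += "$"
    return re.compile(body)


@dataclass
class DialPeer:
    tag: int
    target: str                                   # voice port or trunk the call leaves on
    destination_pattern: Optional[str] = None     # outbound matching, e.g. "8T"
    call_block_rules: list = field(default_factory=list)   # 'reject' regexes of the profile


# Outbound peers. 5678 is the one from the post; 100 is an assumed peer towards the
# CUCM trunk, reusing the page's extension pattern [2-7].. purely for illustration.
OUTBOUND_PEERS = [
    DialPeer(tag=100, target="h323 trunk to CUCM", destination_pattern="[2-7].."),
    DialPeer(tag=5678, target="port 1/1/1:15", destination_pattern="8T"),
]

# The inbound peer before and after the workaround (rules taken from translation-rule 11).
INBOUND_OPEN = DialPeer(tag=3456, target="port 1/1/1:15")
INBOUND_HARDENED = DialPeer(tag=3456, target="port 1/1/1:15",
                            call_block_rules=[r"^8+", r"^$"])

FRAUD_CALLED = "80012345678"   # constructed: outgoing prefix 8 plus an expensive destination


def rejected_by_call_block(called: str, rules: list) -> bool:
    """A 'reject' rule fires when its regex matches the called number."""
    return any(re.search(rule, called) for rule in rules)


def route_call(called: str, inbound: DialPeer, outbound_peers: list) -> str:
    """Return what the gateway does with a call arriving from the PRI for this called number."""
    if rejected_by_call_block(called, inbound.call_block_rules):
        return "rejected (call-block)"
    if called == "":
        # The page's second case: with an empty called number the router provides a line.
        return "line provided, caller dials the destination directly"
    matches = [p for p in outbound_peers
               if p.destination_pattern
               and ios_pattern_to_regex(p.destination_pattern).match(called)]
    if not matches:
        return "no outbound dial-peer matched"
    # The two patterns here are disjoint; real IOS applies longest-match and
    # preference rules when several dial-peers match.
    best = matches[0]
    return f"forwarded via dial-peer {best.tag} to {best.target}"


if __name__ == "__main__":
    for called in (FRAUD_CALLED, "", "678"):
        print(f"{called!r:16} before: {route_call(called, INBOUND_OPEN, OUTBOUND_PEERS)}")
        print(f"{'':16} after:  {route_call(called, INBOUND_HARDENED, OUTBOUND_PEERS)}")
```

Running it shows the two abuse cases from the post (called number starting with 8, and an empty called number) being forwarded to the PRI or handed a line before the workaround, and rejected after it, while a regular extension such as 678 still reaches the CUCM trunk.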
Lessons learned:

Be careful when you develop and implement your dial patterns, as errors in this space can cost you quite a lot of money 😉

VoIP is a complex technology and this complexity can lead to all types of vulnerabilities, as Daniel and Enno are going to show in their talk at Troopers 2012. Toll fraud is still quite common and happens all the time, as you can see in an ERNW newsletter from 2009 covering a similar story from another environment.

On a side note:

The telco told us that our customer is the 8th customer affected by a toll fraud issue in the last two months. According to the telco all eight companies are in the same city, and the initial VoIP deployment at our customer was performed by an external service provider.

Maybe the same service provider has done the deployment in the other companies too…

Have a great day,
Chris


Diving Into Real-World Security Threats to SAP Systems

This is a guest post by the SAP security experts of BIZEC. Enjoy reading:

On March 20th, the first BIZEC workshop will be held at the amazing Troopers conference in Heidelberg, Germany. For those still unfamiliar with BIZEC: the business application security initiative is a non-profit organization focused on security threats affecting ERP systems and business-critical infrastructures.

The main goals of BIZEC are:

  • Raise awareness, demonstrating that ERP security must be analyzed holistically.
  • Analyze current and future threats affecting these systems.
  • Serve as a unique central point of knowledge and reference in this subject.
  • Provide experienced feedback to global organizations, helping them to increase the security of their business-critical information.
  • Organize events with the community to share and exchange information.

The “BIZEC workshop at Troopers 2012” will dive into the security of SAP platforms. Still to this day, a big part of the Auditing and Information Security industries believe that Segregation of Duties (SoD) controls are enough to protect these business-critical systems.
By attending this session, InfoSec professionals and SAP security managers will be able to stop “flying blind” with regards to the security of their SAP systems. They will learn why SoD controls are not enough, which current threats exist that could be exploited by evil hackers, and how to protect their business-critical information from cyber-attacks.

Attendees can expect a high-dose of technical content covering the latest advances in the SAP security field.

The agenda is really exciting, covering hot topics such as:

  • Real-world cyber-threats to SAP systems, by Mariano Nunez Di Croce (Onapsis)
  • Five years of ABAP Code Reviews – A retrospective, by Frederik Weidemann (VirtualForge)
  • SAP Solution Manager from the hackers point of view, by Ralf Kemp (akquinet)

The workshop will be full of live demonstrations of attacks and discussions on possible mitigation techniques. Furthermore, attendees will have the pleasure of enjoying a great introduction by Gary McGraw, CTO of Cigital and pioneer in software security.

If you want to stay ahead of the threats affecting your SAP platforms, you can’t miss this workshop!

The BIZEC team

Comment by the Insinuator: We’ve prolonged the early-bird period until February 10th. We hope that helps to get your favorite event budgeted 😉



ShmooCon, Again

Once more ShmooCon is the place to be for some days in late January. Great con, great people and five ERNW guys amongst them 😉

We regard Shmoo(Con) as one of the most important community events at all and it allows us to meet fellow researchers from the US who we can’t easily sit down with to chat very often.

And some lucky guys from ERNW will even continue the trip and head to San Diego (!) for NANOG and NDSS. Not to mention they stay in some fancy beach resort ;-), while I myself fly back today. (Getting older, I don’t enjoy staying away from home for a week anymore and I have been missing my kids for some days now…)

So what can I report to good ole Germany?

On Friday, Peter Gutmann delivered the keynote (mainly) on how taking a dynamic risk assessment approach based on a number of factors (allowing to rate the overall trustworthiness of a website visited) could heavily contribute to browser security and phishing prevention. While I had the impression there was some room for improvement as for the presentation style, it provided a number of interesting thoughts and on the technical level I really liked it.

[Furthermore I learned about the “Crime prevention through environmental design” (CPTED) approach, which I wasn’t aware of beforehand.]

Next talk I was really looking forward to was Toby Kohlenberg’s “A New Model for Enterprise Defense” piece.

Toby and I have been following each other’s work for some years, so when Intel published this whitepaper he co-authored and he subsequently gave a talk on the stuff at T2, I decided to invite him to speak about the approach at Troopers 2012. Which unfortunately doesn’t work out due to some conflict on his side, and he seems at least as unhappy as I am about this 😉

Still ShmooCon provided an opportunity to see his stuff live (btw: at 10:00 AM on Saturday morning which traditionally happens to be one of the least grateful speaking slots at Shmoo ;-)) and discuss it over lunch afterwards.

Dear readers, this is great stuff!

Looking at the current attack and overall security landscape some guys at Intel asked themselves “If we were starting from scratch what would we do differently?” and created a small, focused team that tried to answer that exact question. They came up with an architecture based on four ideas:

  • Dynamic Trust Calculation
  • Isolated Security Zones
  • Aggressively balanced controls
  • Additional “perimeters” added (User, Data)

The approach is centered around a step they call “dynamic trust calculation”, which in turn can be split up into calculating, first, the trust(worthiness) of the source of an access request to an information entity, taking into account the user identity (“who are you?”), the device and feature set (“what do you have?”) and the physical location (“where are you?”), and second the trust(worthiness) of the destination, based on the application, the data’s classification and the data’s location. The “quality” (trustworthiness) of the actual authentication method used might come into play as well (e.g. OTPs or cert-based auth providing better numbers in the overall trust calculation than, say, username/password). Evaluating these factors then determines the type of access granted. So a corporate sales guy using a smartphone from an untrusted location might only read customer information or place orders, while being able to modify pricing only when using a system within the organization’s network.

[btw: this is a little bit similar to the table I used at the bottom of this post, with the difference that the approach laid out there is much less flexible and does not provide the security benefit the Intel approach might offer]

So far they’ve started implementing the architecture with their own tools and based on currently existing technologies (he mentioned they heavily use proxies when crossing the boundaries of trust zones), so none of this stuff is “readily available as commercial tools”. Still he mentioned that a number of vendors they discussed this with are working on such approaches as well. Hopefully this does not take the road of NAC (which, from my perspective, is fully dead due to the inherent complexity and operational effort it induced).

In addition to the technical aspects of the talk it was actually fascinating to hear how they built and maintained (over time) that “security innovation” team. I might take some lessons for the way we do such stuff at ERNW…

I’ll keep you updated once Toby’s slides are publicly available (in the interim see the whitepaper mentioned above) and might even find the time to discuss other interesting talks. For the moment, have a great Sunday everybody

Enno

Troopers 2012 – Final round of talks selected

It’s done. The exciting (and demanding) process of selecting talks for Troopers is complete (for the record: second round of talk selection was here, the first here).

We’re quite happy and looking forward to the event 😉

==================

Rodrigo Branco: Into the Darkness – Dissecting Targeted Attacks

The current threat landscape around cyber attacks is complex and hard to understand even for IT pros. The media coverage on recent events increases the challenge by putting fundamentally different attacks into the same category, often labeled as advanced persistent threats (APTs). The resulting mix of attacks includes everything from broadly used, exploit-kit driven campaigns driven by cyber criminals, to targeted attacks that use 0-day vulnerabilities and are hard to fend off – blurring the threat landscape, causing confusion where clarity is most needed.

This presentation analyzes a specific incident, last March’s RSA breach, explaining the techniques used by the attackers and detailing the vulnerability used to gain access to the network. It further explores the possible mitigation techniques available in current software on the OS and application level to prevent such attacks from reoccurring.

Bio: Rodrigo Rubira Branco (BSDaemon) is the Director of Vulnerability & Malware Research at Qualys. In 2011 he was honored as one of the top contributors to Adobe vulnerabilities in the past 12 months. Previously, as Chief Security Researcher at Check Point, he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software products. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest and biggest security research conference in Latin America.

==================

Carsten Amann: Security can not only Be Managed by Numbers – You Need More

Abstract: From “the management’s perspective” IT security is usually reduced to key performance indicators. Those indicators tend to leave some room for interpretation, especially for top management people. This room for interpretation can lead to decisions which do not only not improve the security level, but might actually decrease it.

The presentation will give an overview how IT security should be “managed by numbers”, to provide transparency and to gain the trust of the top management.

Bio: After his business information systems studies, Carsten Amann started his career with a very large consulting company. He was assigned in managerial positions to software implementation projects for different clients. In 2007 he continued his career with a global supplier of technology and services. There he was initially responsible for global IT security operations (virus protection, encryption, anti-spam etc.). After this assignment he took over responsibility for the IT client topic (operating system, software distribution). Then he took over responsibility for services within a product area.

==================

Manuel Leithner: Cloud Storage and Its Implications on Security and Privacy

Abstract: With everything moving to the cloud nowadays, security and privacy is often left behind. An ever increasing number of cloud storage operators offer low cost online storage. In this talk we will present our results on the popular service Dropbox, which relied heavily on data deduplication for better user experience. While data deduplication is a straight forward way to decrease costs in terms of bandwidth and storage, it has implications on privacy and security of user data if done wrong – there ain’t no such thing as a free lunch. We will furthermore present methods how data deduplication can work correctly.

Bio: Manuel was introduced to information security while graduating from a technical college and has done research in the areas of mobile security, cloud computing and compile-time obfuscation. He has appeared on national television, podcasts and possibly Chinese security blacklists.

Furthermore, he’s known to use presentations with an average of 0.3 words per slide.

==================

Piotr Cofta: Security professionals  – plumbers of trust

Abstract: Trust is such a foundation of security that it is often overlooked. The presentation analyses trust from the perspective of an information security professional. It discusses what trust is, how it is structured and what can be done about it, beyond the familiarity of trust assessment or trust management. As a result, participants will develop professional insight into trust.

Bio: Dr. Piotr Cofta is managing Security Transformation, having moved from his role as Chief Researcher, Identity and Trust. Before that, he worked for many years for Nokia and for Media Lab Europe, concentrating on the relationship between trust, risk, technology and society.

Dr. Cofta is a contributor to several international standards; he publishes and speaks frequently. He is an author of several patents and publications, from areas such as trust management, identity and privacy, digital rights management and electronic commerce. He is a CISSP and a senior member of IEEE. You can contact him at Piotr.Cofta@cofta.net or at http://piotr.cofta.net.

==================

Frank Block & Michael Thumann: Some Notes on Web Application Firewalls or Why You still Get Owned

Abstract: This talk illuminates Web Application Firewalls (WAFs), with particular focus on the negative detection model. It will present methods by which they can be fingerprinted and circumvented in order to demonstrate the wrong feeling of security they might create. Furthermore the tool tsakwaf (The Swiss Army Knife for Web Application Firewalls) will be covered, a little script written in Perl that includes various code generation functions for circumventing WAFs and a fingerprinting routine to identify supported WAFs.

Of course there will be some nice demos to prove the point and the speakers will also share their experience from daily web application pentest tasks. Finally, as a special gift, an enhanced version of TSAKWAF will be released at Troopers.

Bios: Frank Block is a security consultant working for ERNW GmbH and a penetration tester focusing on web application pentests. One of his passions is the analysis of security mechanisms to find ways to circumvent those.

Michael Thumann is the Chief Security Officer and the head of the ERNW’s application security team. He has published security advisories regarding topics like ‘Cracking IKE Preshared Keys’ and buffer overflows in web servers or VPN software. Michael enjoys sharing his self-written security tools (e.g. ‘tomas – a Cisco Password Cracker’, ‘ikeprobe – IKE PSK Vulnerability Scanner’ or ‘dnsdigger – a dns information gathering tool’) and his experience with the community. Besides numerous articles and papers he wrote the first German book on pentesting that has become a recommended reading at German universities.

In addition to his daily pentesting tasks he is a regular conference speaker (incl. several Black Hat events, HITB and RSA Conference) and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michael’s main interest is to uncover vulnerabilities and security design flaws from the network to the application level and to reverse almost everything to understand the inner workings.

==================

Johnny Deutsch: The Social Map

Abstract: In our talk we will discuss the threats that social networks pose to organizations. We will display case studies from our clients that have encountered unwanted exposure on account of their employees or social network applications. The talk addresses issues such as using the social network as a bed for corporate intelligence gathering, how users interact with their co-workers and what can be inferred from usage trends about the corporate social network policy.

We will demonstrate a variety of issues that corporations must think of when deciding to go on to the social networks. One of the most relevant usages on these networks is to harvest personal data and run it through data visualization tools such as “Touch Graph”. This application does this by mapping your friends, dissecting them into groups and creating a map of the employee’s social connections. The map is a good indicator of “closed groups”, a reference that indicates from where these people connect/relate to the employee. A tool that we manufactured for our cyber-services department can achieve a unique feature that enables intelligence gathering on people that the user is directly related to or has social ties with. This tool creates a visualization of social circles that are not directly related to your profile by gathering information that is open to the public on Facebook and displaying it as a map of connections. In our talk we will display usage cases of the tool and how it relates to our social policy methodology.

Bio: Johnny Deutsch is a manager in the Advisory Services practice of Ernst & Young LLP. Johnny leads the cyber warfare and crime section at Ernst & Young’s Hacktics Advanced Security Center (HASC) based in Tel Aviv, Israel. This cutting-edge security team is dedicated to conducting attack and penetration assessments for EY clients. In this role Johnny is in charge of developing new methodologies and performs cyber vulnerability assessments for HASC clients. Johnny has over 10 years of experience in the field of IT systems and security, specializing in large scale VoIP systems and data networking. Prior to Johnny’s employment at HASC, he was a consultant at the Israeli Ministry of Defense and managed large scale projects in the field of IRM (Information Rights Management) and NAC (Network Access Control) systems. Prior to the MoD, Johnny was employed by an American subcontractor for the American Department of Defense and managed projects in the field of cellular communication and its integration of VoIP based PBXs. Prior to the DoD, Johnny served in the Israeli Defense Force and managed integration projects in the field of enterprise storage systems (Netapp) and enterprise WAN communications. Johnny is an active reserve duty officer in the Israeli army at the rank of Lieutenant.

==================

See you @Troopers, take care

Enno

Events

Troopers 2012 – Second Round of Talks Selected

Hi everybody,

after having announced the first round of Troopers speakers here, we’re happy to publish the second round today 😉

Here we go:

==================

Dmitry Sklyarov – “Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh Really?

Abstract: The task of providing privacy and data confidentiality with mobile applications becomes more and more important as the adoption of smartphones and tablets grows. As a result, there are a number of vendors and applications providing solutions to address those needs, such as password managers and file encryption utilities for mobile devices.

In this talk we will analyze several password managers and file encryption applications for the Apple iOS platform and demonstrate that they often do not provide any reasonable level of security and that syncing data between desktop and mobile versions of the applications increases the risk of compromise. We will also show that the best way to provide privacy and confidentiality on the Apple iOS platform is by adhering to Apple Developer Guidelines and not by reinventing the wheel.

Bio: Dmitry is a Security Researcher at Elcomsoft and a lecturer at Moscow State Technical University. He has done research on the security of eBooks and on the authentication of digital photos. Recent research projects involved mobile phone and smartphone forensics. Dmitry is also a co-developer of the Elcomsoft iOS Forensic Toolkit.

==================

Thomas Stocker: Business Application Security in a Global Enterprise

Abstract: In this talk the business application security process at Allianz SE will be laid out. Information security is an integral part of any IT related project from the very beginning and – supported by a well-defined framework of processes and accompanying documents – this is maintained through the whole project lifecycle. I will give a detailed overview of the process, show the relevant steps and documents and discuss common challenges when dealing with the projects, how to tackle those and lessons learned.

Bio: Thomas works as Information Security Officer for the Holding of Allianz SE. He has initially established and continuously improved the business application security process since he took over the job six years ago. Prior to that he worked as an application developer and architect, so he knows his stuff from the ground up.

==================

Meredith Patterson & Sergey Bratus: Theory of Insecurity

Abstract: Why is the overwhelming majority of networked software still not secure, despite all efforts to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?

The answer to these questions is that for many protocols and services currently in use on the Internet, the problem of recognizing and validating their “good”, expected inputs from bad ones is either not well-posed or is undecidable (i.e., no algorithm can exist to solve it in the general case), which means that their implementations cannot even be comprehensively tested, let alone automatically checked for weaknesses or correctness. The designers’ desire for more functionality has made these protocols effectively unsecurable.

In this talk we’ll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.

Bios: Meredith L. Patterson is a software engineer at Red Lambda. She developed the first language-theoretic defense against SQL injection in 2005 as a PhD student at the University of Iowa, and has continued expanding the technique ever since. She lives in Brussels, Belgium.

Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing. He has a Ph.D. in Mathematics from Northeastern University and worked at BBN Technologies on natural language processing research before coming to Dartmouth.

==================

Mariano Nunez Di Croce: SAP (In)security: Latest Attacks and Defenses

Abstract: This presentation details some of the latest attack vectors against SAP systems, explaining some of the techniques malicious parties may use to compromise the systems remotely and then escalate privileges to access sensitive business information.

Join us to see live demonstrations of these attacks, learn about the statistics of dozens of real-world SAP Penetration Tests and identify which are the latest advances in preventing your SAP systems from falling into the wrong hands.

Bio: Mariano Nunez Di Croce is the CEO at Onapsis. Mariano is a renowned researcher in the ERP & SAP Security field, being the first to present on real-world security attacks to SAP platforms. Since then, he has been invited to lecture in some of the most important security conferences in the world, such as BlackHat DC/USA/EU, RSA, SAP, HITB Dubai/EU, Troopers, Ekoparty, HackerHalted, DeepSec, Sec-T, Hack.lu and Seacure.it, as well as in Fortune-100 companies and military organizations.

Mariano has discovered 50+ vulnerabilities in SAP, Microsoft, Oracle and IBM applications. He leads the strategic development of Onapsis X1, has been the developer of the first open-source SAP & ERP Penetration Testing Frameworks and leads the “SAP Security In-Depth” publication. Mariano is also a founding member of BIZEC.org, the Business Security Community. Because of his research work, he has been interviewed and featured in mainstream media such as CNN, Reuters, IDG, New York Times, eWeek, PCWorld, Darkreading and others.

==================

Mario Heiderich: Got your Nose! How to steal your precious data without using scripts

Abstract: Cross Site Scripting techniques and quirky JavaScript have received a lot of attention — thus more and more ways to get hands on this threat are being developed and practiced: Security aware people simply switch JavaScript off, developers use sand-boxed IFrames and CSP to protect their applications and NoScript, XSS filters and HTMLPurifier do a great job in keeping people from getting “XSS’d”. But what about attacks in the browser that don’t require any scripting at all — but still steal your precious data, right before you know it? What about attacks so sneaky and sophisticated or just simple, even your best Anti-XSS solution won’t prevent them? Attacks that don’t use any scripting — but fierce markup tricks from outer space? This talk will introduce and discuss those kinds of attacks, show how attackers steal plain-text passwords, read CSRF tokens and other sensitive data and create self-spying emails and worse without executing a single line of JavaScript. Deactivating scripts and eliminating XSS as a good level of protection? Not anymore!

Bio: Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany, focuses on HTML5, SVG security and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Mario invoked the HTML5 security cheat-sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things. Mario has spoken at a large variety of international conferences, co-authored two books and several academic papers and doesn’t see a problem in his some weeks old son having a netbook already. There you have it.

==================

Nikhil Mittal: More fun using Kautilya or Is it a thumb drive? Is it a toy? No, it’s a keyboard

Abstract: How many non-traditional methods do you use to get into systems? How about having some more fun while getting into the systems and also making profit out of it? Let us increase the awesomeness of our Penetration tests and start using Human Interface Devices such as Teensy in the pwnage trade.

The tool for the trade for this talk will be Kautilya. Kautilya is a toolkit which can be used to perform various pre-exploitation and post-exploitation activities. Kautilya aims at easing the use of attack vectors which traditionally require human intervention but can be automated using Teensy. Kautilya contains some nice customizable payloads which may be used for enumeration, info gathering, disabling countermeasures, keylogging and using the operating system against itself for much more. The talk will be full of live demonstrations.

An updated version of Kautilya will be released at Troopers that includes a number of previously unseen Linux payloads.

Bio: Nikhil Mittal is a hacker, info sec researcher and enthusiast. His area of interest includes penetration testing, attack research, defense strategies and post exploitation research. He has over 3 years’ experience in Penetration Testing of many Government Organizations of India and other global corporate giants at his current job position.

He specializes in assessing security risks in secure environments which require novel attack vectors and an “out of the box” approach. He is the creator of Kautilya, a toolkit to utilize Teensy in penetration tests. In his free time, Nikhil likes to scan full IP ranges of countries for specific vulnerabilities, writes some silly Metasploit scripts and does some vulnerability research. He has spoken at Clubhack’10, Hackfest’11, Clubhack’11 and Black Hat Abu Dhabi’11.

==================

More talks to follow next week, so stay tuned 😉

See you @Troopers, take care

Enno

Breaking

No Connectivity — No Malware Protection

During a recent penetration test, we evaluated the security of a typical corporate employee notebook. The question was whether employees with a default corporate user account would be able to gain administrative access and subsequently abuse the system for attacks against a certain high-value database system. When evaluating this problem set, the first step is to find ways to bring tools and exploit code onto the system. Usually this task requires bypassing the system’s malware protection agent. At some point, we thought we had figured out a way to encode exploits and payloads so that they would not be detected by the malware protection solution. Continue reading “No Connectivity — No Malware Protection”

Breaking

Python Library for De- and Encoding of WCF-Binary streams

In a .NET environment WCF services can use the proprietary WCF binary XML protocol described here. Microsoft uses this protocol to save some time parsing the transmitted XML data. If you have to (pen-) test such services, it would be nice to read (and modify) the communication between (for example) clients and servers. One possibility is Fiddler.

Fiddler’s strengths include its extensibility and its WCF binary plugins. Sadly, these plugins can only decode and display the binary content as XML text.

Our first tool of choice for webapp pentests (Burp Suite) also has a plugin feature, and one can also find plugins for decoding WCF binary streams (and encoding XML back into them). But all WCF binary plugins out there are based on the .NET library, which means one either has to work on MS Windows or with Mono. Another disadvantage is the validation and auto-correction feature of such libraries… not very useful for penetration testing 😉

That’s why we decided to write a small Python library according to Microsoft’s Open Specification which enables us to decode and encode WCF binary streams. The library has a rudimentary command-line interface for converting XML to WCF binary and vice versa, as well as a plugin for our Python-to-Burp plugin (pyBurp).
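As an added illustration, not the ERNW library’s code, here is a decoder for a small subset of the MC-NBFX record types the specification defines, plus a renderer that turns the decoded tree back into XML text the way a proxy plugin would display it. The record codes are those of Microsoft’s specification; the input stream is constructed by hand and the code only handles the records listed in its header comment.

```python
# Added illustration, not the ERNW library: decodes a small subset of MC-NBFX (WCF
# binary XML) records and renders the result as XML text. Codes per the spec: EndElement
# 0x01, ShortAttribute 0x04, ShortElement 0x40, Int32Text 0x8C/0x8D, Chars8Text 0x98/0x99.
import struct
from xml.sax.saxutils import escape, quoteattr

END, ATTR, ELEM, INT32, INT32_END, CHARS8, CHARS8_END = 0x01, 0x04, 0x40, 0x8C, 0x8D, 0x98, 0x99

def dec_string(data, pos):  # String = MultiByteInt31 length + UTF-8 bytes
    n = shift = 0
    while True:  # 7 bits per byte, low group first, high bit set = more follows
        b, pos = data[pos], pos + 1
        n |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            break
        if shift > 28:  # the spec limits MultiByteInt31 to 31 bits
            raise ValueError("MultiByteInt31 too long")
    if pos + n > len(data):
        raise ValueError("string runs past end of buffer")
    return data[pos:pos + n].decode("utf-8"), pos + n

def dec_text(data, pos):  # returns (value, closes_element, new_pos); odd code = WithEndElement
    rec, pos = data[pos], pos + 1
    if rec in (INT32, INT32_END):  # typed text: 4-byte little-endian int, nothing to parse
        return struct.unpack_from("<i", data, pos)[0], rec == INT32_END, pos + 4
    if rec not in (CHARS8, CHARS8_END):
        raise ValueError("unsupported text record 0x%02x" % rec)
    n, pos = data[pos], pos + 1  # one-byte length, then UTF-8 text
    if pos + n > len(data):
        raise ValueError("text runs past end of buffer")
    return data[pos:pos + n].decode("utf-8"), rec == CHARS8_END, pos + n

def decode(data, pos=0):  # parses one element; returns ((name, attrs, children|text), new_pos)
    if data[pos] != ELEM:
        raise ValueError("expected ShortElement at offset %d" % pos)
    name, pos = dec_string(data, pos + 1)
    attrs, children = {}, []
    while data[pos] == ATTR:
        key, pos = dec_string(data, pos + 1)
        attrs[key], closes, pos = dec_text(data, pos)
        if closes:
            raise ValueError("attribute value may not end the element")
    if data[pos] >= 0x80:  # a text record, so this is a leaf element
        val, closes, pos = dec_text(data, pos)
        if not closes and data[pos] != END:
            raise ValueError("text not followed by EndElement")
        return (name, attrs, val), pos + (0 if closes else 1)
    while data[pos] != END:
        child, pos = decode(data, pos)
        children.append(child)
    return (name, attrs, children), pos + 1

def to_xml(node):  # render the tree as XML text, as a proxy plugin would display it
    name, attrs, content = node
    head = name + "".join(" %s=%s" % (k, quoteattr(str(v))) for k, v in attrs.items())
    body = "".join(map(to_xml, content)) if isinstance(content, list) else escape(str(content))
    return "<%s>%s</%s>" % (head, body, name)

SAMPLE = bytes.fromhex(  # constructed stream for <Order id="7"><Qty>42</Qty><Note>rush</Note></Order>
    "40 05 4f72646572"                # ShortElement "Order"
    "04 02 6964 98 01 37"             # ShortAttribute "id" + Chars8Text "7"
    "40 03 517479 8d 2a000000"        # ShortElement "Qty" + Int32TextWithEndElement 42
    "40 04 4e6f7465 99 04 72757368"   # ShortElement "Note" + Chars8TextWithEndElement "rush"
    "01")                             # EndElement closes "Order"
```

A truncated or corrupted stream surfaces as a ValueError rather than a silently wrong tree, which is what you want when feeding captured traffic through a proxy plugin.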

Continue reading “Python Library for De- and Encoding of WCF-Binary streams”

Breaking

Use Python for Burp plugins with pyBurp

One of our favorite tools for conducting penetration tests (especially, but not only, web application tests) is PortSwigger’s Burp Suite. Burp can be extended by writing one’s own plugins, but because Burp is written in Java, it only supports Java classes as plugins. Additionally, Burp only allows one plugin to be used at a time, and it has to be loaded on start-up.

Now we have written a Burp-Python proxy (called pyBurp) which adds some features to the plugin system:

  • write plugins in Python
  • load and unload plugins at any time
  • load multiple plugins

Continue reading “Use Python for Burp plugins with pyBurp”
