Tuesday started fine, train down the capital a chance to meet up with the London work team. So far so good, until a colleague suggested a ‘quiet’ drink after work. Ended up not being too quiet after all.
With Wednesday starting off with ‘why?….’, I found some energy and headed for Security BSides London. As I’d already reconnoitered the location on Tuesday getting to the location was a breeze, only to find the door locked. Javvad Malik to the rescue, arrived at same time and managed to call one of the organisers to let us in. After brief introductions all round I met Soraya Iggy in person for the first time, absolutely nothing like I was expecting but great in every way. After receiving goodie bag (and getting repeated grief from Iggy to change into con shirt) I enjoyed some good geek chat whilst watching the venue fill.
After the official opening of the event, I headed upstairs to track two, which started with Aaron Finnon discussing DNS tunneling techniques. I was looking forward to this talk as I’d got half of the information over a drink after Aaron gave his famous SSL talk when OWASP Leeds travelled to Newcastle. My main takeaway from the discussion was that with the use of some relatively simple tools it can be relatively simple to bypass most captive wireless portals if they aren’t sufficiently tying down egress traffic. First on my to-do list of ‘I wonder what happens if you try this in my environment?’.
Second session was David Rook and Chris Wysopal, discussing ‘Jedi Mind’ tricks for building security programs. Having watched recordings of both presents from other events I was looking forward to getting the live experience, and neither disappointed. The presentation was great and I took a lot away for how to both discuss security issues with non-infosec people, and how to talk about the problems in business terms to get buy-in to effect real change in an organisation. I was somewhat surprised, as this started a trend of the event with my favourite presentations being non-technical in nature.
Third session was one that I’d heard a few people dismiss before the event as being a bit lame. I’d already picked it out as my preferred session for this timeslot (it was a tough call, other track was Justin Clark discuss web app attacks, but the end would have over run with the next talk I wanted to see). I’m glad I didn’t let the naysayers dissuade me, Ellen Moar and Colin McLean did a great job demonstrating just how simple it is for anyone with basic computer knowledge (script kiddie) to cut and paste their way past defensive countermeasures (AV). Content wasn’t anything groundbreaking (which is why I think some weren’t keen), but I think it’s the first time I’ve actually seen someone ‘prove’ what we all accept as gospel. Scary stuff.
Final session of the morning was Xavier Mertens discuss logging and event management. Not the most thrilling of topics I’ll admit, but it’s something that so few organisations seem to get right I was interested to find out if there were any ‘better’ ways that could improve the process. Not only are there apparently better ways, but apparently there are also free better ways, so I’m going to talk a closer look at OSSEC.
After lunch Steve Lord provided an ‘interesting’ look into different types/levels of pentester and what it means to be in the industry. The talk received a lot of laughs, but in hindsight I wish I seen a talk with more technical content. For me, bsides was for education and networking, I’ll leave comedy to the comedians.
Next talk was better, Wicked Clown, expanding on his Brucon Lightening talk showing how to break out of a restricted RDP session. This was a great presentation, and was another attack to add to my ‘what if’ to-do list. More importantly he also provided a simple fix to prevent the attack vector, considering it’s a single checkbox, and the workaround breaks how most would ‘expect’ the service to behave I’ll echo his confusion as to why Microsoft don’t have the checkbox ticked by default. Perhaps secure out of the box is too much to ask?
David Rook took to the stage again, this time alone and discussing static code analysis with Agnitio. I’d taken a look at Agnitio since David released it, but as I’m not much of a dev (see the utilities I release for proof…) haven’t been able to try it in anger. If you’re interested, the talk slides are available on the Security Ninja blog. If the tool can reach the stated end of it’s road map of being the ‘Burp Suite of static analysis’ then it should be a fantastic tool.
Next talk I saw was Manuel demo (reverse~re)engineering of DRM within Android applications. I found the talk fascinating, mostly by how quick Manuel was able to put the pieces of the puzzle together and bypass the protections put in place to do exactly what he was attempting. Whilst the presentation was good, it was one of those where you felt your comparative IQ drop as you see black magic being wielded at the keyboard before your eyes.
The event finished with ‘Security YMCA’, words cannot describe this ‘experience’ so I won’t attempt to, and leave you with this YouTube video. (WARNING: once seen, cannot be unseen). Unfortunately trying to hide at the back didn’t help in the end, so I must apologise to Ellen as I managed to say thanks for an interesting talk by subjecting her to my ‘singing’ attempts. To ensure the the guilty aren’t protected, those at the front assaulting your sensors are:
we don’t have a solution for the iPhone, as it’s a secure platform why bother?
June 16th marked the first time the Open Web Application Security Project’s (OWASP) Leeds/Northern Chapter ran an event at Northumbria University, meaning it was the first time I was able to attend. Jason Alexander started off events with a brief overview of OWASP and the projects the group is involved with.
ENISA Common Assurance Maturity Model (CAMM) Project
Colin Watson did a good job of explain the work he and others have been working on. The project have released two documents which Colid discussed, the Cloud Computing Risk Assessment[.pdf] and the Cloud Computing Information Assurance Framework[.pdf]. Don’t be put off by the focus on ‘Cloud’, whilst this was the focus and reasoning behind the work at the start of the project, the information and processes Colin describes could easily be related to any IT environment and at first glance seem to be well worth a read.
Open Source Security Myths
Next up David Anumudu gave a somewhat brave talk considering the audience discussing and (potentially) debunking the assumption that open source software is more secure than it’s closed source competitors. David picked on the now famouse phrase from The Cathedral and the Bazaar, ‘ Given enough eyeballs, all bugs are shallow’. David argues that while this is true and reasonable, it only works in practice if all the eyeballs have both the incentive and the skills to effectively audit the code for bugs, something is rarely discussed. A sited example of insecurities in prominent open source software was that of the MD6 hashing algorithm, intruced at Crypto 2008, where despite being designed and developed by a very clued up team still had a critical flaw in it’s implementation.
My ultimate take away from this talk was that software’s licensing model has no direct impact on the security and vulnerabilities of any codebase, only the development model and developers themselves have any real impact.
SSL/TLS – Just when you thought it was safe to return
Arron Finnon (Finux) gave a great presentation on vulnerabilities and weaknesses with the implementation of SSL protection. Arron argues that most problems with SSL are actually related to the implementation rather than methodology itself, and that despite the high profile of problems related to SSL most techies still don’t ‘get’ it; and most users, regardless of user awareness training will continue to blindly click through the cert warning prompts.
Several of Moxie Marlinspike’s tools were discussed, mainly SSLStrip and SSLSniff. I was aware of both tools, but hadn’t tried them out in my own lab yet, after Arron’s discussion of the problem and capabilities this is definitely something that I intend to rectify shortly. Especially when combined with other SSL issues, including the SSL renegotiation attack and the Null Prefix[.pdf] attack issues with SSL can be deadly to an environment.
Main takeaway from this talk was that SSL isn’t as secure as some would state, and that when planning to defend against the attack vectors we need to stop thinking ‘what if’ and start working towards ‘what when’.
AppSensor – Self aware web app
Colin Watson came back to the front to discuss the work currently being undertaken with the AppSensor project. The idea behind the project is to create web applications that are ‘self aware’ to a lesser extent enabling any user making ‘suspicious’ web requests to be limited or disconnected to limit the damage that they can cause to the target system, and works on the premise that the application can identify and react to malicious users in fewer connection requests than the user needs to find and exploit a vulnerability.
The identification comes from watching for a collection of red flags and tripwires built throughout the system, from simply looking for X number of failed log-in attempts to real-time trend analysis looking for an unusual increase in particular functionality requests. A lot of the potential indicators and trapped reminded me a lot of an old post on the Application Security Street Fighter blog, convering using honeytokens to identify malicious activity, which I’ve covered previously.
Overall I really enjoyed the event, I’m hoping that the Leeds/Northern OWASP chapter decide to run more events within Newcastle, but if not it’s convinced me that the events are worth the time and cost to travel down to the other locations. Always good to discuss infosec topics face to face with some really knowledgeable people.
For those that don’t know, the first run of the InfoSec Mentors programme got off the ground this week. My mentee, Jacob (@BiosShadow), has released his first blog post, Being out of the Loop, since we were paired together and it has struck a chord with my own experience with similar problems and got me thinking at the same time.
To sum up Jacob’s post he his frustrated that there is no active infosec community within a reasonable distance of his location. I can relate to this sentiment; when beginning the slow road towards an infosec career, before I was even aware a legitimate career in the field were possible, my own interactions and learning opportunities were limited to reading books or online articles. The online infosec community is, in my opinion, great; and the debates, relationships and friendships that can be developed is something that I don’t think is found in any other industry, but you can’t fully replace the benefits from a face to face meeting.
One of the early mistakes I made was assuming that information security and computer threats were only of interest to those solely focused on information security. I’ve since discovered that different aspects of infosec can be of interest or concern to anyone in the IT or business arenas, and I’ve been involved in some interesting discussions and debates on information security with some very intelligent people at some of my areas flourishing IT user groups whose focus isn’t infosec specific. It was one of these groups, SuperMondays, that provided my first public speaking opportunity and despite my topic, honeypots, being quite specialist I believe the talk was very well recieved.
Since first finding SuperMondays I have continued to discover a great and vibrant IT community in my region (NorthEast England), and I’m continually surprised when I continue to stumble upon other groups in the area like the Northern UK Security Group (must find time to travel across to Manchester) and I am eagerly awaiting the local-ish OWASP chapter from Leeds heads North to Northumbria University next Wednesday.
If you feel the same frustations as Jacob and myself (and others), throw a message out on twitter or your blog etc. letting people know who and where you are. You just might be surprised to find others in your area with the same problems.
For my part: If you’re in the North East of England (or general area) get in touch and let me know, always keen to discuss information security with anyone willing to listen.
Yesterday I had the pleasure of attending the Digital Security & Governance for SMEs at Northumbria University. The purpose of the event was to help SMEs better understand that threats targeting their information systems, their responsibilities in securing personally identifiable information (PII) and to introduce NUWARP (more later).
After the event was introduced, the first slot was taken by David Reynolds, CEO of the International Association of Accounts Innovation & Technology Consultants (IAAITC). An accountant may have been a strange choice to start a Digital Security event but that was the point, David covered sensitive information that is handled by all types of businesses as well as covering the legal and regulatory requirements that impact all businesses. Covering the most common compliance topics including the Data Protection Act (DPA) and Payment Card Industry Data Security Standard (PCI DSS) David did an excellent job of highlighting that information security is relevant to all employees and business types, not just ‘IT’ companies or the secret techie hidden in the back corner.
Next up Paul Holborow from RMT discussed data loss and the impact that this can have on a business. Given the press coverage it received in 2007 it is no real surprise that Paul’s main case study focused on Revenue and Customs lost CDs, but Paul may have been slightly unnerved to discover some of HMRC’s auditors could be found in the audience. If you’ve spent much time working with information security or business continuity planning Paul’s talk wouldn’t have contained too many surprises, one tip that I did take from the talk was that the Information Commissioner’s Office (ICO) maintains a public list of the complaints that it has investigated, if you’re interested in a particular complaint, or just curious about what the ICO gets involved in give it a look here.
Phil and Colin, both from the University discussed their work into monitoring data leakage from an organisation. Like Paul’s talk previously if you understand and have worked with data leak prevention (DLP) technologies you’re unlikely to be surprised, but the content was definitely new to some of the delegates who I observer furiously scribbling notes. It also seemed to come as a surprise to several delegates when Phil stated that approximately 70% of security breaches are the result of insider’s not ‘mysterious hackers out there’. There were some excellent real-world examples, the one that seemed to hit home to most of the audience was the scenario of the sales person taking the client database with them to a new job. A lot of the statistics used in the talk were sourced from Cyber-Ark’s white paper ‘The global recession and it’s effect on work ethics’ (registration required), definitely worth a read if you’re interested in this area.
Chris Laing provided a live demo of an external attack. As Chris introduced himself as ‘an ethical hacker paid to break into your systems’ I was looking forward to the display, but was disappointed when Chris took control of a Windows 2000 server using an old MSRPC exploit with Metasploit. The scariest aspect of the whole event was the fact that almost every delegate took a deep breath and turned white. I did ask Chris the thinking behind using an old exploit and target, and was told he was concerned about scaring the audience too much and that some of them may be concerned that he was making exploits ‘known’ that target systems they run in production. Personally I would argue that if the exploit is already in Metasploit (framework 2, demo used WHAX as an attack platform) then it is already ‘known’ and that the demo could have had a much greater impact targeting a more recent platform. However I can understand Chris’ reasoning, and the demo still had an impact on those that hadn’t seen Metasploit at work before. My only concern would be that some may have left the event thinking ‘that was scary, glad we upgraded from Windows 2000….’
The last presentation slot was taken by Alison Pickard who discussed ‘What is effective information crisis management’. Covering the ‘softer’ side of information security Alison’s talk did an excellent job of highlighting how simple it can be for organisations to fall foul of information security regulations. Alison introduced an excellent resource that I wasn’t previously aware of in JISC infoNet. if you’re responsible for personal information or it’s security (stop thinking, after Alison’s presentation this means EVERYONE) I’d definitely recommend have a browse and seeing what you can learn.
To finish the event after scaring most of the delegates Chris again took the stage to introduce the Northumbria University Warning Advice and Reporting Point (NUWARP). For those unfamiliar with WARPs, they are:
I was definitely impressed with the proposed services to be provided by NUWARP, hopefully the group should be able to significantly improve the security awareness and defenses of local businesses and those in a wider area. Although there is a cost attached to the services provide I was honestly surprised with how low this was in relation to the specialised knowledge and information available, and as NUWARP is set-up as a non-profit all costs get fed back into the service so the resources available can only improve.
As a taster and bonus to event delegates the event pack included a number of high quality ‘best practice’ data sheets covering a full range of information security topics including the DPA, passwords and securely outsourcing. If you want additional information on NUWARP contact Chris or Phil using information in the links above, the NUWARP is something I would definitely recommend investigating to see how it could help your organisation.
– Andrew Waite
I’ll admit that I largely ignored the original Month of PHP Bugs (MOPB), at the time I had just made the decision to stop coding in PHP and try a more mature language. I had found PHP to be a very simple language to learn and code it, but as a result I also found it very simple to code very badly in as well. (and I’ve since found that a bad coder can code badly in any language, hence why I gave up the career path of developer).
However, this month’s SuperMondays event changed my perspective slightly. Lorna Jane gave a great presentation on using PHP to provide a web services architecture, at first glance looks like PHP has improved and matured significantly since I last used it. For those interested Lorna’s talk was recorded and is available here, and Lorna’s own take on the event can be found here.
So while I’m not in a position to contribute to the month’s releases, I will be paying closer attention to the resources released this time around. If you think you can contribute the organizers have posted a list of accepted topics:
- New vulnerability in PHP  (not simple safe_mode, open_basedir bypass vulnerabilities)
- New vulnerability in PHP related software  (popular 3rd party PHP extensions/patches)
- Explain a single topic of PHP application security in detail (such as guidelines on how to store passwords)
- Explain a complicated vulnerability in/attack against a PHP widespread application 
- Explain a complicated topic of attacking PHP (e.g. explain how to exploit heap overflows in PHP’s heap implementation)
- Explain how to attack encrypted PHP applications
- Release of a new open source PHP security tool
- Other topics related to PHP or PHP application security
 Articles about new vulnerabilities should mention possible fixes or mitigations.
And prizes are available for the best submissions:
|1.||1000 EUR + Syscan Ticket + CodeScan PHP License|
|2.||750 EUR + Syscan Ticket|
|3.||500 EUR + Syscan Ticket|
|4.||250 EUR + Syscan Ticket|
|5.-6.||CodeScan PHP License|
|7.-16.||Amazon Coupon of 65 USD/50 EUR|
So what are you waiting for? Get contributing…
Tonight was the second NEBytes event, and after the launch event I was looking forward to it. Unfortunately the turn out wasn’t as good as the first event, 56 were registered but I only counted approximately 22 in the audience. The topic I was most interested in was a discussion of Microsoft’s Direct Access (DA), this was billed as an ‘evolution in remote access capabilities’. Being a security guy, obviously this piqued my interest.
Tonight’s speaker covering DA was Dr Dan Oliver, managing director at Sa-V. Before I start I want to state that I have/had no prior knowledge of DA, and my entire understanding comes from the presentation/sales-pitch by Dan tonight, if anyone with more knowledge once to point out any inaccuracies in my understanding or thoughts I’d more than welcome getting a better understanding of the technology.
DA is an ‘alternative’ to VPNs (discussed more later) for a Microsoft environment. The premise is that it provides seamless access to core resources whether a user is in the office or mobile. The requirements are fairly steep, and as Dan discussed on several occasions may be a stumbling block for an organisation to implement DA immediately. These are (some of) the requirements:
- At least one Windows 2008 R2 server for AD and DNS services
- A Certificate Authority
- Recent, high-end client OS: Windows 7, Ultimate or Enterprise SKU only.
- IPv6 capable clients (DA will work with IPv6 to IPv4 technologies)
As few organisations have a complete Win7 roll-out, and even less have the resources available to roll-out the higher end versions Dan was asked why the requirement. Answer: ‘Microsoft want to sell new versions, sorry’.
With DA pitched as an alternative to VPN at numerous points in the presentation the was a comparison between the two solutions, and to me the sales pitch for DA seemed schizophrenic. Dan kept switching between DA being an improvement to the current VPN solutions completely, and DA being suitable for access to lower priority services and data but organisation may prefer to remain with VPNs for more sensitive data. At this point I couldn’t help thinking ‘why add DA to the environment if you’re still going to have VPN technologies as well’. This was especially the case as Dan stated (and I can’t verify) that Microsoft do not intend to stop providing VPN functionality in their technologies.
From a usability and support perspective DA is recommended as it does not require additional authentication to create a secure connection to ‘internal’ services. Apparently having to provide an additional username/password (with RSA token/smartcard/etc.) needed to establish a VPN connection is beyond the capabilities of the average user.
One aspect that I did agree with (and if you listen to Exotic Liability you will be familiar with) is the concept of re-perimeterisation. The concept that the traditional perimeter of assets internal to a firewall is no longer relevent to protect resources in the modern environment, and that the modern perimeter is where data and users are, not tied to a particular geographical location or network segment. However, rather than the perimeter expending to encorporate any end user device that may access or store sensitive data, Dan claimed that DA would shrink the perimeter to only include the data centre, effectively no longer being concerned with the securityof the client system (be it desktop, laptop, etc.).
This point made me very concerned for the model of DA, if the client machine has seamless, always on access to ‘internal’ corporate services and systems I would be even more concerned for the security of the end user machine. If a virus/trojan/worm infects the system with the same access as the user account, then it too has seamless, always on access to the same internal services. I’m hoping this weakness is only my understanding of the technology, seems like a gaping whole in technology. If anyone can shed any light on this aspect of DA I’d appreciate some additional pointers to help clear up my understanding.
At this point I still can’t see an advantage to implementing DA over more established alternatives, my gut feeling is that DA will either become ubiquitous over the coming years or disappear without making an impact. Due to the fact it doesn’t play nice with the most widely implemented MS technologies, let alone ‘nix or OSX clients and the strict requiremented making a roll-out expensive I expect it to be the latter, but I’ve been wrong before.
At this point I decided to make a speedy exit from the event (after enjoying some rather good pizza) as the second event was dev based (Dynamic consumption in C# 4.0, Oliver Sturm) and I definitely fit in the ‘IT Pro’ camp of NEBytes audience.
Dispite my misgivings from the DA presentation I still enjoyed the event and look forward to the next. If you were at either of the events please let the organisers know your thoughts and ideas for future events by completing this (very) short survey. Thanks Guys.
– Andrew Waite
Last night (2010-01-20) I had the pleasure of attending the launch event for NEBytes.
North East Bytes (NEBytes) is a User Group covering the North East and Cumbrian regions of the United Kingdom. We have technical meetings covering Development and IT Pro topics every month. About
The launch event was done in conjuction with the Sharepoint User Group UK (SUGUK), so was no surprise when the first topic of the night covered Sharepoint 2010, delivered very enthusiastically by Steve Smith. I’ve got no experience with Sharepoint so can’t comment too much on the material, but from the architectural changes I got the impression that it 2010 may be more secure that previous versions as the back-end is becoming more segmented, with different parts of the whole have discrete, dedicated databases. While it might not limit the threat of a vulnerability, it should be able to reduce the exposure in the event of a single breach.
Steve also highlight that there is some very granular accountability logging, in that every part of the application and every piece of data recieves a unique ‘Correlation ID’. The scenarios highlighted suggested that this allows for indepth debugging to determine the exact nature of a crash or system failure, by the same system this should allow for some good forensic pointers when investigating a potential compromise or breach.
Again viewing the material from a security stand point I was concerned that the defaults that appeared as part of Steve’s walkthrough defaulted to less secure options, NTLM authentication not Kerberos and non encrypted communication over SSL. One of Steve’s recommendations did concern me, to participate in the Customer Experience Improvement Program. While I’ve got no evidence to support it, I’m always nervous about passing debugging and troubleshooting information to a third party, never know what information might get leaked with it.
Second session of the night was Silverlight, covered by Mike Taulty (and should be worth pointing out that this session came after a decent quantity of freely provided pizza and sandwiches). As with Sharepoint I had no prior experience of Silverlight other than hearing various people complain about it via twitter, so found the talk really informative. For those that don’t know, Silverlight is designed to be a cross-browser and cross-platform ‘unified framework’ (providing your browser/platform supports Silverlight…)
From a developer and designer perspective Silverlight must be great, the built in functionality provide access to capabilities that I could only dream about when I was looking at becoming a dev in a past life. The intergration between Visual Studio for coding and Blend for design was equally impressive.
Again I viewed the talk’s content from a security perspective. Mike pressed on the fact that Silverlight runs within a tightly controlled sandbox to limit functionality and provide added security. For example the code can make HTTP[S] connections out from the browsing machine, but is limited to the same origin as the code or cross domain code providing the target allows cross domain from the same origin.
However, Silverlight applications can be installed locally in ‘Trusted’ mode, which reduces the restrictions in place by the sandbox. Before installing the app, the sandbox will inform the user that the app is to be ‘trusted’ and warn of the implications. This is great, as we all know users read these things before clicking next when wanting to get to the promised videos of cute kitties… I did query this point with Mike after the presentation and he, rightly, pointed out that any application installed locally would have the ability access all the resources that aren’t protected when in trusted mode. I agree with Mike, but I’m concerned that average Joe User will think ‘OK, it’s only a browser plugin’ (not that this is the case anyway) where they might be more cautious if a website asked them to install a full blown application. Users have been conditioned to install plugins to provide the web experience they expect (flash etc.)
The final talk was actually the one I was most interested in at the start of the night, and was presented by James O’Neil. In the end I was disappointed, unlike the other topics I didn’t get too much that was new to me from the session, I’m guessing because virtualisation solutions are something I encounter on a regular basis. Only real take-away from the talk was the James gets my Urgh! award for using the phrase ‘private cloud infrastructure’ without cracking a smile at the same time.
The night was great, so a big thanks to the guys that setup and ran the event (with costs coming out of their own pockets too). The event was free, the topics and speakers were high quality and to top it off there were some fairly impressive give aways as well, from the usual stickers and pens to boxed Win7 Ultimate packs.
If you’re a dev or IT professional, I’d definitely recommend getting down to the next event.
– Andrew Waite