Archive for the ‘Conferences’ Category

SNW europe, powering the cloud

November 2nd, 2011

Powering the cloud. Multi marketing of course, but what is happening in the storage world? What does it mean for mission critical environments? These are the questions I am hoping to get answered today and tomorrow. Currently three sessions done: 1. Introduction to Data Protection by Chriss Sop, 2. Optimizing Storage in a Cloudy, Virtualized World by The 451 Group and 3. Enterprise Tiered Storage by John Locky.

The first two sessions were somewhat low quality from a content perspective. Too basic on technology and on new innovations, even for me as a non-engineer. The difference between full backups, incrementals and differentials is not the thing we came here for. Although I must say that merging incrementals on the back end to always have full backups available sounds interesting. Curious to see this working in real life. How transparent will that be? Let's ask Commvault later today, and if I can find them, Quest as well. Would be nice to learn a bit on automated restore testing as well. Guaranteeing backups remains an issue, especially on tapes.

When I get answers, you'll probably read more about it on cf.net or Twitter.

Creative with Kirk: Schuberg Philis bringing Kirk McKusick to EuroBSDcon 2011

October 14th, 2011

This year the annual EuroBSDcon conference was held in the Netherlands. As usual it was a very interesting conference where each of the BSDs (FreeBSD, OpenBSD and NetBSD) presented the cool things they are working on. The talks on Saturday started with Testing NetBSD, which demonstrated how the NetBSD project is using unit testing to improve code quality. After that there was the PF anniversary talk by Henning Brauer and Ryan McBride, which provided a nice contrast between Henning's energy and Ryan's calm demeanor and showed that they have quite a few plans for the next 10 years of PF. The next talk was about NPF, the new packet filter in NetBSD. It was really cool to see that the OpenBSD PF developers were quite interested to see which new ideas they could borrow from NPF to make PF better: open source at its finest. Saturday concluded with the BSD history talk by Kirk McKusick, which was a very entertaining description of how open source and Unix started at Berkeley even before people really knew what they were doing.

Sunday started with a very interesting talk by Herbert Bos about the work done at the VU University, which pushes the limits of what's possible with regard to reliable operating systems. Some of the other interesting talks were the Capsicum talk by Robert Watson, which focused on providing applications what they need to solve real-world security problems, and the OpenSSH talk by Damien Miller, which described all the useful new features available to make our lives easier. The new rlimit-based sandboxing for OpenSSH is an especially neat trick.

Possibly the best part of the conference was the number of Dutch speakers; it's awesome to see this level of contribution from my home country. So let's keep up the good work and make next year even better.

Categories: Conferences

IPv6 technology overview

October 14th, 2011

Byju Pularikkal of Cisco Systems gave two detailed technology-overview presentations on IPv6.

The first part covers the structure, addressing and services:
Pularikkal_PartI.pdf

The second part covers routing and transition mechanisms:
Pularikkal_PartII.pdf

Categories: NANOG 53

DNSSEC

October 14th, 2011

Matt Larson, Vice President of DNS Research at Verisign Labs, gave a nice overview presentation on DNSSEC.

MLarson_IntroDNSSEC.pdf

Why do we need DNSSEC? In short: DNSSEC offers protection against spoofing of DNS data, by letting a resolver verify that a response was signed by the zone owner and was not altered in transit.
In DNSSEC every zone has a public/private key pair: the public key is published in the new DNSKEY record and the private key is kept secret and used to sign the zone's records.
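As an added illustration (not from Matt Larson's slides), here is a Go model of that key pair in action: the zone signs an RRset with its private key, publishes the public key as the DNSKEY, and a validating resolver checks the RRSIG; a reply with a spoofed address fails the check. Ed25519 is a real DNSSEC algorithm (number 15, RFC 8080), but the canonical form used here is a simplified text stand-in for the RFC 4034 wire-format canonicalisation, the RRSIG carries only the raw signature (a real one also names the signer, TTL and validity window), and the chain of trust from the parent zone is out of scope. Names and addresses are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record: owner name, type and RDATA as text.
type RR struct {
	Name, Type, Data string
}

// canonicalRRset turns an RRset into deterministic bytes: lower-cased owner
// name, records sorted, one per line. Real DNSSEC canonicalises the wire
// format (RFC 4034 section 6); this text form is a simplified stand-in.
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, strings.ToLower(rr.Name)+" "+rr.Type+" "+rr.Data)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Zone holds the zone's key pair. DNSKEY is the public half that gets
// published in the zone; priv never leaves the signing host.
type Zone struct {
	Name   string
	DNSKEY ed25519.PublicKey
	priv   ed25519.PrivateKey
}

// NewZone generates a fresh Ed25519 key pair for the zone.
func NewZone(name string) (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{Name: name, DNSKEY: pub, priv: priv}, nil
}

// Sign produces the RRSIG for an RRset (here: just the raw signature).
func (z *Zone) Sign(rrs []RR) []byte {
	return ed25519.Sign(z.priv, canonicalRRset(rrs))
}

// Verify is the validating resolver's check: does the RRSIG match this
// RRset under the zone's DNSKEY? Any altered RDATA makes it fail.
func Verify(dnskey ed25519.PublicKey, rrs []RR, rrsig []byte) bool {
	return ed25519.Verify(dnskey, canonicalRRset(rrs), rrsig)
}

// Demo signs a genuine A record, then reuses that RRSIG on a spoofed
// answer. Returns (genuineValid, spoofedValid).
func Demo() (bool, bool, error) {
	zone, err := NewZone("example.org.") // constructed example zone
	if err != nil {
		return false, false, err
	}
	genuine := []RR{{Name: "www.example.org.", Type: "A", Data: "192.0.2.1"}}
	rrsig := zone.Sign(genuine)
	// An attacker spoofing the reply can change the address but cannot
	// produce a matching RRSIG without the zone's private key.
	spoofed := []RR{{Name: "www.example.org.", Type: "A", Data: "203.0.113.66"}}
	return Verify(zone.DNSKEY, genuine, rrsig), Verify(zone.DNSKEY, spoofed, rrsig), nil
}

func main() {
	genuine, spoofed, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine answer verifies: %v\n", genuine)
	fmt.Printf("spoofed answer verifies: %v\n", spoofed)
}
```

The point to take from the model is that the resolver needs nothing secret: it only needs a trusted copy of the DNSKEY, which is why the DNSKEY itself must in turn be vouched for by the parent zone.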

Categories: NANOG 53

FIRST2011: Listening to the network: Leveraging Network Flow Telemetry for Security Applications

June 15th, 2011
Phone Bill a CC NC ND image from Nikita Kashner's Flickr stream


By Darren Anstee of Arbor Networks

Why is it a good idea to use flow information?

  • You don't need to invest in new equipment to get flow information
  • It can be used to detect malware-infected hosts, DDoS, zero-day exploits, attack and abuse
  • Flow information is generated regardless of whether routing is symmetric or asymmetric

Network flow information is like a phone bill: you cannot tell what has been said, but you can use it to prove who talked to whom.

So what does a flow record contain?

  • Source IP address
  • Destination IP address
  • Source port
  • Destination port
  • Input ifIndex
  • Protocol
  • Type of Service
  • Packet count
  • Byte count
  • First packet time
  • Last packet time
  • Output ifIndex
  • Etc…
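As an added example (not from Darren's talk), here is a Go sketch of the "phone bill" idea using the fields above. It builds a handful of constructed flow records and runs two simple detections over them: a source that touches many distinct ports on one host with one-packet flows (scanning), and a destination port contacted by many distinct sources (a flood). The addresses, thresholds and counters are assumptions made up for the illustration, not real telemetry.

```go
package main

import (
	"fmt"
	"time"
)

// Flow carries the fields listed above (NetFlow-style): the 5-tuple,
// interface indexes, ToS, counters and first/last packet times.
type Flow struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
	Proto, ToS       uint8
	InIf, OutIf      uint16
	Packets, Bytes   uint64
	First, Last      time.Time
}

// sampleFlows returns constructed records (not real telemetry): one scanner,
// one legitimate client and a dozen sources flooding a web server.
func sampleFlows() []Flow {
	t0 := time.Date(2011, 6, 15, 10, 0, 0, 0, time.UTC)
	var flows []Flow
	// Scanner: one-packet flows to several service ports on one host.
	for i, p := range []uint16{21, 22, 23, 25, 80, 443, 3389} {
		at := t0.Add(time.Duration(i) * time.Second)
		flows = append(flows, Flow{SrcIP: "203.0.113.7", DstIP: "192.0.2.10",
			SrcPort: 40000 + uint16(i), DstPort: p, Proto: 6, InIf: 1, OutIf: 2,
			Packets: 1, Bytes: 60, First: at, Last: at})
	}
	// Legitimate client: one long HTTPS session.
	flows = append(flows, Flow{SrcIP: "198.51.100.5", DstIP: "192.0.2.10",
		SrcPort: 51234, DstPort: 443, Proto: 6, InIf: 1, OutIf: 2,
		Packets: 1500, Bytes: 1200000, First: t0, Last: t0.Add(5 * time.Minute)})
	// Flood: twelve sources hammering one destination port.
	for i := 0; i < 12; i++ {
		flows = append(flows, Flow{SrcIP: fmt.Sprintf("198.51.100.%d", 20+i),
			DstIP: "192.0.2.20", SrcPort: 1024 + uint16(i), DstPort: 80, Proto: 6,
			InIf: 1, OutIf: 2, Packets: 5000, Bytes: 300000,
			First: t0, Last: t0.Add(10 * time.Second)})
	}
	return flows
}

// findScanners returns, per source address, the largest number of distinct
// destination ports it touched on a single host using tiny flows
// (at most maxPackets packets), if that number reaches minPorts.
func findScanners(flows []Flow, minPorts int, maxPackets uint64) map[string]int {
	ports := map[string]map[string]map[uint16]bool{} // src -> dst -> ports
	for _, f := range flows {
		if f.Packets > maxPackets {
			continue // a real session, not a probe
		}
		if ports[f.SrcIP] == nil {
			ports[f.SrcIP] = map[string]map[uint16]bool{}
		}
		if ports[f.SrcIP][f.DstIP] == nil {
			ports[f.SrcIP][f.DstIP] = map[uint16]bool{}
		}
		ports[f.SrcIP][f.DstIP][f.DstPort] = true
	}
	out := map[string]int{}
	for src, dsts := range ports {
		for _, ps := range dsts {
			if len(ps) >= minPorts && len(ps) > out[src] {
				out[src] = len(ps)
			}
		}
	}
	return out
}

// findFloodTargets returns "dstIP:port" keys contacted by at least
// minSources distinct source addresses, with the source count.
func findFloodTargets(flows []Flow, minSources int) map[string]int {
	srcs := map[string]map[string]bool{}
	for _, f := range flows {
		key := fmt.Sprintf("%s:%d", f.DstIP, f.DstPort)
		if srcs[key] == nil {
			srcs[key] = map[string]bool{}
		}
		srcs[key][f.SrcIP] = true
	}
	out := map[string]int{}
	for key, s := range srcs {
		if len(s) >= minSources {
			out[key] = len(s)
		}
	}
	return out
}

func main() {
	flows := sampleFlows()
	fmt.Println("scanners:", findScanners(flows, 5, 3))
	fmt.Println("flood targets:", findFloodTargets(flows, 10))
}
```

Neither detection looks at a single byte of payload; both come purely from who talked to whom, on which port, and how much, which is exactly what the phone-bill analogy promises. The thresholds are deliberately crude; in practice they are tuned per network and combined with the byte and timing fields.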

Read more…

HitB2011AMS: Credit Card Skimming and PIN Harvesting in an EMV World

May 20th, 2011
Black Skimmer Rynchops niger Skimming a cc by image from marlin harm's Flick stream


By Adam Laurie and Daniele Bianco

Slides on the HitB Materials page.

So what is EMV? It stands for Europay, Mastercard and Visa and is a new security standard for credit cards. With the introduction of EMV the liability moved from the merchant to the cardholder, because fraud is thought to be unlikely. However, EMV has already been proven to be broken: e.g. Murdoch et al. have shown that it is possible to use a stolen card without knowing the PIN.

This talk focuses on the ability to still skim an EMV credit card without reading the magstripe (which is very often still present).

Skimming a chip card may be more interesting because the user cannot see the interface and thus cannot detect the skimmer. The time and effort needed to install a smartcard skimmer is quite small.

The industry perceives these tools as complex, but that is not true. Devices are small, easy to install and hard to detect.

It is possible to clone the track 1 and track 2 magnetic stripe data from the publicly readable data on the EMV chip. Luckily not all EMV cards support this.

So magnetic stripe data can be stolen and a stolen card can be used without a PIN, but is it possible to do PIN and magnetic stripe harvesting with EMV cards?

Read more…

HitB2011AMS: iPhone Data Protection in-Depth

May 20th, 2011
Steve Jobs for Fortune magazine a cc nc nd image from tsevis's Flick stream


By Jean-Baptiste Bédrune and Jean Sigwald

Slides on the HitB Materials page.

This talk is about data security and the iPhone. Almost all iPhone-like devices (excluding the iPad 2 for the moment) can boot unsigned code when they are in recovery mode. It is also possible to create a custom RAM disk; these are techniques used by jailbreakers and phone forensics people.

Data in the iPhone is encrypted with either the UID (a key unique to each device) or the GID (a key shared by all devices of the same model).

In the iPhone (iOS < 4) the UID key was only used to facilitate fast wipe (change the key and the flash can no longer be read); it did not provide data security. The iPhone 4 was designed with data security in mind. Jean and Jean demonstrated the tools they wrote to get around the data protection of iOS 4.

Because the passcode is used to derive the data protection keys, data can be set to be available only:

  • When the phone is unlocked
  • After the phone has been unlocked for the first time
  • Always

In iOS 4 there is an escrow key which allows MobileMe and iTunes to access the phone for backup or passcode reset without unlocking the phone.

The first tool that they developed and demonstrated was the keyChainViewer, which can be used to view the contents of the keychain, but not the keys.

Using the built-in iOS functions (that use the passcode) you can actually brute force the passcode of the phone with a small application on the phone. If you boot the phone from a RAM disk you can do this without knowing the passcode. Using the brute-forced passcode the keychain can be read and decrypted.

Next, tools were demoed to browse the encrypted filesystem and to decrypt iTunes backup files.

Conclusion of the researchers:

  • iOS 4 offers far better protection than iOS 3
  • Mail files (with the exception of Exchange) are protected by the passcode; this offers additional protection, but it can be obtained if you have the phone

Tools are available on http://code.google.com/p/iphone-dataprotection/


About Jean-Baptiste Bédrune

Jean-Baptiste has worked in the software security R&D team at Sogeti for four years. His domains of research include code (un)protection, audit of DRM solutions, applied cryptography, reverse engineering on embedded devices and distributed computing. Jean joined Sogeti in early 2010. His research topics include reverse engineering, embedded devices and smartphone security.

About Jean Sigwald

Jean Sigwald is a security researcher working at the Sogeti ESEC R&D lab. His research is mainly focused on smartphone security and the services offered by the network operators.

HitB2011AMS: Let me Stuxnet You

May 20th, 2011
Bad day at the office a cc nc ND image from Roger Smith's Flickr stream


By Itzik Kotler

Slides on the HitB Materials page.

Itzik started his presentation by stating that writing a Stuxnet for a company is much less hard than writing one for a nuclear reactor. Stuxnet is interesting in that it was a purely software-based attack that had a real hardware effect.

So can software damage hardware? Yes it can:

  • Software controls hardware and can make it perform actions that damage that hardware
  • Software can damage the software that runs hardware
  • Software runs hardware and can make this hardware take an action that damages other hardware

So what is PDoS (Permanent Denial of Service)? Damaging hardware so badly that it needs to be replaced or reinstalled.

Users who brick their phone when they try to jailbreak it are basically causing a self-inflicted PDoS.

So who would do it and why?

Read more…

HitB2011AMS: A Real-Life Study of What Really Breaks SSL

May 20th, 2011
Breaking the ice a cc nc nd by image from MarcelGermain's Flickr stream


By Ivan Ristić

Slides on the HitB Materials page.

Ivan researches SSL for Qualys. SSL was designed by Netscape as a protocol add-on to secure HTTP, but it can be used to secure other protocols as well.

The main challenges today are:

  1. Fragility of the trust ecosystem
  2. Incorrect or weak configuration
  3. Slow adoption of modern standards
  4. Lack of support for virtual SSL hosting
  5. Mismatch between HTTP and SSL

The main attacks against SSL are:

  • Passive MitM
  • Session hijacking
  • Active MitM
    • Session bypass (SSL stripping)
    • Renegotiation attack
    • Rogue certificates
    • User attacks (who reads warnings?)
  • Third-party compromise

Ivan has a lot of data, based on surveys conducted by his employer Qualys SSL Labs and on the EFF's SSL Observatory. In total 1.2 million sites with valid certificates were investigated.

Ivan showed a slide indicating that of the sites visited only 0.6% had a fully correct SSL configuration, and nearly 50% did not offer SSL at all.

In Qualys' most recent SSL Survey only 32% of the sites offering SSL were configured correctly.

Read more…

HitB2011AMS: WebShells: A Framework for Penetration Testing

May 19th, 2011
Florida Fragments a cc nc sa by image from Merrick Brown's Flickr stream

By Elena Kropochkina and Joffrey Czarny

Slides on the HitB Materials page.

Lots of webshells used by pentesters to get access to systems are detected by conventional security products like anti-virus, IPS and WAF. Instead of building a new webshell for each assignment the presenters tried to work towards a framework for webshells that is modular and adds obfuscation as a protection against AV/IPS/WAF.

But if you want to build a webshell framework you need to know what is out there. The web servers on the internet are dominated by Apache, IIS and WebLogic. Pentesters are most in need of ASP, PHP and Java (JSP) webshells, as these platforms are heavily used for intranet applications.

The presenters gave an overview of the webshells out there for Linux, MySQL, PHP, JSP and ASP. Many of the common shells have high detection rates on the most common anti-virus platforms.

Even though there are some webshells that are nearly complete in features and others that are not detected by anti-virus, there isn't one that is both.

There are a few ways to get around anti-virus: encoding, obfuscation and encryption. There are common tools available for obfuscation in different languages like PHP, VBScript and Java. Obfuscation tools make reading the code harder, but analysis is often still possible.

Read more…