ITS Blog

IT Security blog – about up to date topics on IT security


Today and yesterday I attended a security conference called Passwords11. It was a conference where a lot of people were talking and discussing everything about passwords and even how we could possibly get rid of them. At this point I would like to say a big THANK YOU to Per Thorsheim, who on the one hand organized the conference on his own, in his own spare time, and on the other hand gave us some sightseeing at the end.

In the next couple of days I will write something about most likely all of the talks, and as soon as the video recordings are ready I will link them here. I still cannot believe that it is already over. But the good news is that there will be a Passwords12, and most likely others will follow. If you did not follow the live stream, you missed a lot; for example, I saw a cold boot attack in real life for the first time. To get the full picture you will have to wait until the videos and articles are ready.


Just as a reminder: Passwords11, a conference in Norway, is taking place right now. Have a look at the live stream of the conference.

Live Stream


On Thursday at hack.lu I attended a workshop on Red Team Testing. Red team testing comes from military jargon. It means trying to break into a facility, not only electronically or over the network but also, if needed, physically. At the very beginning a video was shown of a show called Tiger Team breaking into a jewelry store. This was done on behalf of the owner. If you would like to get an impression of such things, take a look at trutv.com. They produced a show where the team broke into a car dealership.

Talking about red team testing, the testing team always needs the permission of the owner or their representatives. Without this written permission all actions are illegal and must not be carried out. Once the permission is in place, the next step is to gather information on the target. This step will most likely take about 60% of the overall time of the test.

The target

Together with the customer, the business is first evaluated with respect to the three aspects of security: confidentiality, integrity and availability. For this task a list of all parts of the business is created first. An example in the case of a hospital could be:

  • billing,
  • health care,
  • credit card handling,
  • client data,
  • etc.

The next step is to evaluate the criticality of each security aspect for each part of the business.

Looking at a hospital, it is important that patient data is kept confidential, intact and always available, simply because people can die if it is not. Dying patients will destroy a hospital's business, especially if the hospital is responsible. Looking at credit card data, on the other hand, confidentiality has to be high, but if the credit card information is not available for an hour it is not critical for the business: the money can be taken from the account later. After finishing the matrix, the targets for the attack are the highest-rated parts of the business.

Scope

After defining the target, the scope has to be clarified. Scope means what is allowed and what is forbidden. If the goal is to break into a facility, it has to be clarified whether you are allowed to use brute force, like driving a truck through the front door, or whether softer approaches have to be chosen. In general a good team should always be able to work without damaging the systems by force. If during the test the team encounters opportunities which are beyond the scope or which have not been discussed, a call to the customer can clarify whether the scope can or should be changed.

Information gathering

As mentioned in the beginning, 60% of the time is used for information gathering. During information gathering it is important to stay off the radar of the customer's security team. Therefore you cannot use port scanners or similar tools, since the customer's security team would go on red alert and raise the alert level of the target. Your victim would immediately know that it is being attacked and take countermeasures. A better way is to use Google or other sources to get information about your victim. Their website is also a good information source. Looking at the job openings you can learn which kind of software they use, just from the required skill set. For information gathering have a look at

Maltego or Foca

FOCA allows you to search for files published by the victim and extract the metadata from them. Maltego gathers information from various sources and puts everything together. Mind-mapping tools will also help to organize the collected data.
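To make the metadata step concrete, here is an added example written for this post (it is not code from the workshop, nor from FOCA or Maltego): a small Python script that reads the document properties of Office (OOXML) files, which is where author names, internal user names (often in DOMAIN\user form), the editing application and its version, and the company name end up. Everything runs offline: the documents are constructed inline with made-up names, versions and company, and the summary at the end is what you would build over a whole crawl of the target's published files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# XML namespaces of the two property parts in an OOXML package (docx/xlsx/pptx)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def _text(root, path):
    """Stripped text of the first element matching path, or None if absent or empty."""
    el = root.find(path, NS)
    if el is None or el.text is None or not el.text.strip():
        return None
    return el.text.strip()


def extract_ooxml_metadata(data: bytes) -> dict:
    """Pull the author- and software-related properties out of one OOXML file.

    Keys: creator, last_modified_by, application, app_version, company.
    A value is None when the part or the property is missing."""
    meta = dict.fromkeys(["creator", "last_modified_by", "application", "app_version", "company"])
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            meta["creator"] = _text(core, "dc:creator")
            meta["last_modified_by"] = _text(core, "cp:lastModifiedBy")
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            meta["application"] = _text(app, "ep:Application")
            meta["app_version"] = _text(app, "ep:AppVersion")
            meta["company"] = _text(app, "ep:Company")
    return meta


def summarize(documents) -> dict:
    """Aggregate over many files: which user names and which software show up, and how often."""
    users, software, companies = Counter(), Counter(), Counter()
    for doc in documents:
        m = extract_ooxml_metadata(doc)
        for u in (m["creator"], m["last_modified_by"]):
            if u:
                users[u] += 1
        if m["application"]:
            software[f'{m["application"]} {m["app_version"] or ""}'.strip()] += 1
        if m["company"]:
            companies[m["company"]] += 1
    return {"users": users, "software": software, "companies": companies}


def build_sample_docx(creator, last_modified_by, application, app_version, company) -> bytes:
    """Constructed minimal OOXML package for offline testing; not a real document."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{NS["ep"]}">'
        f"<Application>{application}</Application>"
        f"<AppVersion>{app_version}</AppVersion>"
        f"<Company>{company}</Company>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    docs = [
        build_sample_docx("jdoe", "HOSPITAL\\msmith", "Microsoft Office Word", "14.0000", "Example Hospital"),
        build_sample_docx("jdoe", "alee", "LibreOffice", "", ""),
    ]
    for name, counter in summarize(docs).items():
        print(name, dict(counter))
```

The user-name counter is the part that matters for the later phases: it gives you a naming convention and a domain name without a single packet sent to the target, and the application versions tell you which client software a phishing or document-based attack would have to work against.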

The plan

Having gathered all the information, it is time to make a plan. In the planning phase the team should not concentrate on a single plan, but also think about plans B, C, D and so on. It is always good to have a lot of options in reserve in case something unexpected happens. This can range from security guards catching the team to the team not being able to open a lock.

The second-to-last step is the attack itself. This step builds a lot on experience. During the attack the team should document each target that is successfully taken. This can be a picture of the team holding some documents or something similar. Whichever documentation is chosen, the customer should in the end be convinced that the goal was reached.

Debriefing

After the attack it is time to debrief the customer. The customer should get a full report covering the parts of the business and the security aspects that were broken. Every step performed during the attack needs to go into the report, together with the weaknesses found and suggestions on how to improve the overall security. In this step the customer can be reminded that security is not only about performing tests, but that security is a process, one to which the customer needs to commit. It is then up to the client to make the needed changes to their habits, their facility and their processes to improve security.

In this article I could only cover a very small part of the workshop's content. I would like to thank Chris Nickerson and Ryan Jones for holding this workshop.


At 11:00 in the morning the CTF @ hack.lu was closed. There was already some nice feedback from the participating teams. The winners were announced during the lightning talks. The top places among all participants:

  1. Bobsleigh
  2. Nibbles
  3. Leet more

Only local teams could win prizes. My congratulations to the winners of the CTF and to the winners of the prizes.


Vincent Guyot gave in his talk an overview of what is possible with smartcards. Smartcards are in general small computers which have the following parts:

  • ROM
  • CPU
  • EEPROM
  • RAM
  • crypto-CPU

They are an all-in-one computer which is accessed in a client-server fashion. Developers can add their own features and functions to them. The interesting thing is that smartcards are commonly trusted objects. While a hard disk or a USB drive generally looks suspicious to the guards at, for example, an airport, no one really cares about a smartcard inside a mobile phone. There are even phones which can handle two smartcards, so they are an easy place to hide one.


I just want to mention that fluxfingers, a group of well-trained hackers, is providing the CTF at hack.lu this year.

Have a look at the hack.lu CTF page.

For all local teams, meaning teams which are present at hack.lu, there are some attractive prizes like:

  • an iPad
  • a Kindle
  • and much more

So, if you are at hack.lu there are some very good reasons to participate in the CTF.

BTW: registration is still open …

UPDATE: At the moment (1st day, 15:45) only 4 teams registered as local.


In the morning I attended the workshop by Didier Stevens about analyzing malicious PDF files. I have rarely attended a workshop of such high quality.

Didier showed in 20 easily understandable exercises:

  • what the format of a PDF looks like
  • how JavaScript is included in a PDF file
  • how JavaScript can be obfuscated
  • how files can be embedded in a PDF
  • how files can be launched from a PDF

All the exercises will be made available on Didier's web page. Additionally you can find an ebook about analyzing malicious PDFs on his website.

During the workshop some tools were presented for analyzing PDF files:

  • pdfid.py – analyses the structure of the PDF (counts of objects, streams and suspicious names)
  • pdf-parser.py – a parser for PDFs which prints out the content of PDF objects
  • js – a JavaScript interpreter based on SpiderMonkey, slightly modified for analysis
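As an added example (this is not Didier Stevens' code and no substitute for pdfid.py or pdf-parser.py), the following Python script does a pdfid-style triage of a PDF: it counts the names that mark active content (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, ...), decoding the #xx hex escapes that are used to hide them (/J#61vaScript), checks that obj and endobj counts match, and pulls out the literal-string body of every /JS entry. The PDF it scans is constructed inline and is not a sample from the workshop; hex-string and indirect /JS values are left to pdf-parser.py.

```python
import re
from collections import Counter

# Names whose presence marks active or embedded content (the idea behind pdfid's keyword list)
KEYWORDS = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
            "/EmbeddedFile", "/RichMedia", "/ObjStm"]

_NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")   # a PDF name token: '/' up to the next delimiter
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")       # a '#xx' escape inside a name

# Constructed sample: a one-page PDF whose catalog auto-runs a JavaScript action, with the
# name /JavaScript hidden as /J#61vaScript. Not a real malicious file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /Type /Action /S /J#61vaScript /JS (app.alert("constructed sample")) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""


def normalize_name(name: bytes) -> bytes:
    """Decode #xx escapes: b'/J#61vaScript' -> b'/JavaScript'."""
    return _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def normalize_names(data: bytes) -> bytes:
    """Rewrite every name token in the file to its decoded form so hidden keywords count."""
    return _NAME_RE.sub(lambda m: normalize_name(m.group(0)), data)


def scan_pdf(data: bytes) -> dict:
    """pdfid-style counts of interesting names and of the structural keywords."""
    norm = normalize_names(data)
    counts = Counter()
    for m in _NAME_RE.finditer(norm):
        name = m.group(0).decode("latin-1")
        if name in KEYWORDS:
            counts[name] += 1
    counts["obj"] = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", norm))
    counts["endobj"] = len(re.findall(rb"\bendobj\b", norm))
    counts["stream"] = len(re.findall(rb"\bstream\b", norm))
    counts["endstream"] = len(re.findall(rb"\bendstream\b", norm))
    return dict(counts)


def triage(counts: dict) -> list:
    """Turn the counts into the questions an analyst asks first."""
    reasons = []
    if counts.get("/JavaScript") or counts.get("/JS"):
        reasons.append("contains JavaScript")
    if counts.get("/OpenAction") or counts.get("/AA"):
        reasons.append("has an automatic action (/OpenAction or /AA)")
    if counts.get("/Launch"):
        reasons.append("can launch an external program (/Launch)")
    if counts.get("/EmbeddedFile"):
        reasons.append("carries an embedded file")
    if counts.get("obj", 0) != counts.get("endobj", 0):
        reasons.append("obj/endobj counts differ (truncated or deliberately malformed)")
    return reasons


def pdf_literal_string(data: bytes, start: int) -> bytes:
    """Body of the (...) literal starting at data[start], honouring nested parentheses.
    A backslash escape is kept as the escaped byte; octal and \\n-style escapes are not translated."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def extract_javascript(data: bytes) -> list:
    """Bodies of all '/JS (...)' entries after name normalisation."""
    norm = normalize_names(data)
    return [pdf_literal_string(norm, m.end() - 1) for m in re.finditer(rb"/JS\s*\(", norm)]


if __name__ == "__main__":
    counts = scan_pdf(SAMPLE_PDF)
    print(counts, triage(counts), extract_javascript(SAMPLE_PDF))
```

The normalisation step is the one that matters: without it a file can carry /J#61vaScript and /Open#41ction and show no JavaScript at all to a naive keyword count, which is exactly the obfuscation the workshop exercises cover.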

Take a look at Didier's web page; it is worth it.


Andrei Costin gave an overview of what it means to hack a printer. Hacking a printer is mainly about hacking the PC inside the printer. Today a printer is not just a printer. The models used in companies are usually connected to the network. Printers provide functionality starting with printing, faxing and scanning. Some of them can even send emails with scanned content. Another interesting fact is that most printers are available 24/7 on the network. Keeping this in mind, they are an interesting target for espionage and data collection in general, as well as a base from which to attack the rest of the network.

If an attacker successfully hacks a printer, he could install malware on the system. This malware could easily protect itself from being removed by simply disabling the functionality to flash the system. The only way to get the printer cleaned would then be to send it in for service, where the firmware is replaced with means that are beyond the possibilities of a normal user.

Some admins make it even easier to hack printers by exposing the printer to the Internet. This opens an attack vector which can hardly be controlled. To get an idea, look at the XSS articles posted previously.

To get a basic idea of what an attacker could do, here is a small list of possible harms:

  • sending documents which are printed, scanned or copied to an external email address
  • collecting the identification information of employees who have to identify themselves to access the devices
  • providing a base for a botnet
  • providing a safe harbour for attacking other computers, not only inside your network

If you also consider that most admins don't monitor printers and their network traffic ("hey, it's just a printer"), it is more than likely that the attack will not be detected in the beginning.
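As an added example of what monitoring the "just a printer" traffic could look like (written for this post, not taken from Andrei Costin's talk): a few constructed flow records from a hypothetical network in which the printers live in 10.1.50.0/24 and may only send mail through the relay 10.1.10.5 (both assumptions). A printer that talks to an external address, sends mail through any other host, or opens admin or file-sharing ports on internal hosts is flagged; workstations sending jobs to port 9100 are not.

```python
import ipaddress

# Assumptions for the constructed environment (not from the talk): printers sit in one VLAN,
# they may only talk SMTP to one relay, and they never initiate remote-admin connections.
PRINTER_NETS = [ipaddress.ip_network("10.1.50.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAIL_RELAYS = {ipaddress.ip_address("10.1.10.5")}
SMTP_PORTS = {25, 465, 587}
LATERAL_PORTS = {22, 23, 135, 139, 445, 3389}

# Constructed flow records in key=value form, roughly what a firewall or NetFlow exporter logs.
SAMPLE_FLOWS = """\
ts=2011-10-19T10:01:02 src=10.1.50.23 dst=10.1.10.5 dport=25 proto=tcp bytes=48210
ts=2011-10-19T10:03:17 src=10.1.50.23 dst=203.0.113.7 dport=25 proto=tcp bytes=391044
ts=2011-10-19T10:05:40 src=10.1.50.40 dst=10.1.20.15 dport=445 proto=tcp bytes=2210
ts=2011-10-19T10:06:01 src=10.1.20.15 dst=10.1.50.40 dport=9100 proto=tcp bytes=120033
ts=2011-10-19T10:09:55 src=10.1.50.23 dst=198.51.100.9 dport=443 proto=tcp bytes=8870
ts=2011-10-19T10:11:12 src=10.1.50.40 dst=10.1.10.5 dport=25 proto=tcp bytes=51200
"""


def parse_flow(line: str) -> dict:
    """Split one 'k=v k=v ...' record into typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": fields["ts"],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "bytes": int(fields.get("bytes", 0)),
    }


def in_nets(addr, nets) -> bool:
    return any(addr in net for net in nets)


def check_flow(flow: dict) -> list:
    """Reasons why a flow initiated by a printer is suspicious; empty list means nothing to see."""
    if not in_nets(flow["src"], PRINTER_NETS):
        return []
    reasons = []
    internal_dst = in_nets(flow["dst"], INTERNAL_NETS)
    if not internal_dst:
        reasons.append("printer talks to an external address")
    if flow["dport"] in SMTP_PORTS and flow["dst"] not in MAIL_RELAYS:
        reasons.append("printer sends mail via a non-approved relay")
    if flow["dport"] in LATERAL_PORTS and internal_dst:
        reasons.append("printer connects to an internal admin/file-sharing port")
    return reasons


def detect(log: str) -> list:
    """Run check_flow over every record and collect the alerts in log order."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reasons = check_flow(flow)
        if reasons:
            alerts.append({"ts": flow["ts"], "src": str(flow["src"]), "dst": str(flow["dst"]),
                           "dport": flow["dport"], "bytes": flow["bytes"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(a["ts"], a["src"], "->", f'{a["dst"]}:{a["dport"]}', "; ".join(a["reasons"]))
```

The rules are deliberately about direction: a printer is a server for print jobs and a client only towards a handful of known hosts (mail relay, maybe a directory server), so any connection it initiates outside that set is worth an alert even before you know what was sent. The 391 kB SMTP session to 203.0.113.7 in the sample is the "scanned documents mailed out" case from the list above.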

It might be worth having a deeper look into this topic.


E. Filiol started his presentation with a short introduction to misimplementations of crypto systems and the basics of cryptography. First the different types of cipher systems were presented:

  • stream ciphers – work on a stream of bits or bytes, usually XORing the message with a (pseudo-)random keystream. The keystream is generated from a key.
  • block ciphers – work on fixed-size blocks of the message. For example the message is divided into blocks of 64 bits, and each block is encrypted with the key.

After the introduction came a short presentation of his project Mediggo, a library for analysing crypto.

To analyse a ciphertext he takes the following steps:

  1. detection – detect the cipher system
  2. build a corpus – get a statistical model of the plaintext language
  3. decrypt – try to recover the original message
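As an added example of these three steps on the weakest stream cipher there is, written for this post and not taken from Mediggo: a message XORed with a short repeating key is detected, and its period found, with the index of coincidence; a byte-frequency model is built from a short English corpus; and the key is recovered one column at a time by scoring every candidate key byte against that model. The corpus, plaintext and key are constructed, and the detector only knows this one cipher family, whereas Mediggo covers many more.

```python
import hashlib
import math
from collections import Counter

# Constructed English corpus (step 2): the statistical model of the expected plaintext language.
CORPUS = (
    "the customer should get a full report covering the parts of the business and the "
    "security aspects that have been broken. every step performed during the test needs "
    "to be added to the report, together with the weaknesses found and suggestions on how "
    "to improve security. it is then up to the client to make the needed changes to habits, "
    "facilities and processes. a good team always has a plan b and a plan c in reserve in "
    "case something unexpected happens, from a guard catching the team to a lock that will "
    "not open. the information gathered from the web site and from job postings tells you "
    "which software the target runs, without touching a single machine of the victim."
)

# Constructed message and key used to produce a test ciphertext; not real traffic.
PLAINTEXT = (
    "Red team testing always needs the written permission of the owner before anything is done. "
    "Most of the time goes into information gathering: job postings, published documents and the "
    "company web site tell you which software the target runs, without a single port scan. "
    "Keep a plan B and a plan C, document every target you take, and give the customer a full "
    "report with the weaknesses found and how to fix them. Security is a process, not a single test."
)
KEY = bytes([0x13, 0x53, 0xA7, 0xE7])


def xor_stream(data: bytes, key: bytes) -> bytes:
    """The weak 'stream cipher': the message XORed with a keystream that merely repeats the key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


CIPHERTEXT = xor_stream(PLAINTEXT.encode(), KEY)


def index_of_coincidence(data: bytes) -> float:
    """Probability that two bytes drawn from data are equal; about 1/256 for random bytes."""
    n = len(data)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))


def periodic_ioc(ct: bytes, max_len: int = 12) -> dict:
    """Mean IoC of the columns ct[i::L] for every candidate period L."""
    return {L: sum(index_of_coincidence(ct[i::L]) for i in range(L)) / L
            for L in range(1, max_len + 1)}


def looks_like_repeating_xor(ct: bytes, threshold: float = 0.05) -> bool:
    """Step 1, detection: random bytes stay near 1/256 at every period, while XOR with a
    repeating keystream over natural-language text leaves one period whose IoC is that of
    the language itself (about 0.07 for English including spaces)."""
    return max(periodic_ioc(ct).values()) >= threshold


def detect_key_length(ct: bytes, max_len: int = 12, tolerance: float = 0.7) -> int:
    """Smallest period whose column IoC is close to the best one; multiples of the true
    period score just as well, so taking the maximum alone would overshoot."""
    iocs = periodic_ioc(ct, max_len)
    best = max(iocs.values())
    return min(L for L, v in iocs.items() if v >= tolerance * best)


def build_model(corpus: str) -> list:
    """Step 2: log-probability of each byte value, add-0.5 smoothed so that bytes never seen
    in the corpus are penalised but not impossible."""
    counts = Counter(corpus.encode())
    total = len(corpus) + 0.5 * 256
    return [math.log((counts.get(b, 0) + 0.5) / total) for b in range(256)]


def recover_key(ct: bytes, key_len: int, model: list) -> bytes:
    """Step 3: each key byte independently; choose the byte under which its column of the
    ciphertext looks most like the corpus."""
    key = bytearray()
    for i in range(key_len):
        col = ct[i::key_len]
        key.append(max(range(256), key=lambda k: sum(model[b ^ k] for b in col)))
    return bytes(key)


def break_xor_stream(ct: bytes, corpus: str = CORPUS) -> tuple:
    """Detection, model and decryption in one call; returns (key, plaintext)."""
    if not looks_like_repeating_xor(ct):
        raise ValueError("no periodic structure: not a repeating-key XOR stream")
    key = recover_key(ct, detect_key_length(ct), build_model(corpus))
    return key, xor_stream(ct, key)


def pseudo_random(n: int, seed: bytes = b"constructed seed") -> bytes:
    """Deterministic stand-in for random bytes, to show the detector rejecting them."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


if __name__ == "__main__":
    key, pt = break_xor_stream(CIPHERTEXT)
    print("key:", key.hex(), "plaintext:", pt.decode()[:60], "...")
```

The three functions map directly onto the three steps: the IoC test is the detector, build_model is the corpus, and recover_key is the decryption. The same scoring idea carries over to any cipher whose key acts on small independent parts of the message; what changes between cipher systems is the detector and the size of the parts.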

Interested in learning more? Have a look at the Google Code project Mediggo. The slides are included there.


I just arrived at hack.lu, an IT security conference in Luxembourg. During the conference I will write about the workshops and lectures I attend. On the first day I will most likely be in:

  • a workshop about breaking weak or misimplemented crypto systems
  • a workshop on malicious PDF analysis
  • a lecture about hacking printers for fun and profit
  • and others

You can have a look at the conference agenda at hack.lu.
