This is a quick write-up of my experiences at Hack In The Box 2012 in Kuala Lumpur (day one). For each talk I attended I've tried to include a summary of the main points. Sadly I forgot to take pictures so it's one massive wall of text, sorry! Will try and take some for day 2.
List of talks I attended:
- Tracking Large Scale Botnets by Jose Nazario
- Data Mining A Mountain of Vulnerabilities by Chris Wysopal
- 6000 Ways And More - A 15 Year Perspective on Why Telcos Keep Getting Hacked by Philippe Langlois & Emmanuel Gadaix
- iOS6 Security by Mark Dowd & Tarjei Mandt
- "I Honorably Assure You: It is Secure": Hacking in the Far East by Paul Sebastian Ziegler
Tracking Large Scale Botnets by Jose Nazario
Jose's talk focused on the techniques that are used today to measure the size of botnets by tracking down infected machines.
The general aim of his work was to measure the number of bots, in terms of the number of infected machines/IPs/people/accounts, and to find ways to classify the bots by type, geographical region and what the bot does (financial, DoS, infrastructure impact). An interesting quote from a colleague was "it can be easy to identify and count the number of infected machines but it's impossible to know the total number of machines (clean and infected) on the internet today". This makes it difficult to really gauge the scale of the problem. He also noted that the resources of security teams are limited and should be carefully prioritised.
Next Jose talked about the actual methods used to track botnets:
- Sinkholes - Redirect CnC traffic to your server using DNS injection, P2P injection or route redirection, then count the unique IPs connecting per day. Once redirected, you can send updates and commands to the bots (e.g. a removal command); however this usually isn't done for legal reasons. Sometimes it's not possible to directly interact with the bots as they sign updates or have other protections (e.g. encryption). There are two major advantages to using sinkholes: once you have redirected CnC traffic you (i) effectively lock out the botnet herder and (ii) can find out who is infected.
- Traffic logs - If you can monitor traffic logs, botnet requests often contain a unique identifier. For example, in Conficker there was a "q" value that acted as an identifier.
- Darknet monitoring - Monitor traffic destined for unused IPv4 address space blocks. It is possible to detect scanning from infected machines targeting the unused IPv4 regions.
- URL shorteners - Short URLs are commonly used to spread malware (e.g. tinyurl, bit.ly). It is possible to analyse the characteristics of users who have clicked known bad links. For example, using the goo.gl URL shortener you can view usage statistics of who clicked the link, e.g. OS, browser etc.
- Direct network access - It is possible to directly monitor network traffic, e.g. at an ISP.
- Direct host access - Microsoft is in the best position as it can directly interact with Windows hosts and can count incidents from Windows Defender. This data is currently not publicly available.
- Direct P2P enumeration - Crawl the botnet, asking peers who they know, and gather the full list. You need to reverse the protocol, and it can be difficult to break the crypto.
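As an added illustration (not code from the talk or from any of Jose's tooling) of the passive measurement sources above, the toy script below takes a constructed sinkhole log and a constructed darknet capture and computes the metrics the talk describes: unique source IPs per day, unique bot identifiers per day (the "q" value, which also shows why an identifier count can exceed an IP count when several bots sit behind one NAT), a per-region breakdown, and the sources that scan an unused block. All addresses, log lines, the 198.18.0.0/15 "unused" block and the prefix-to-region table are constructed placeholders; in practice the region lookup would be a GeoIP database.

```python
"""Toy analysis of a sinkhole log and a darknet capture (constructed data)."""
from collections import defaultdict
import ipaddress
import re

# Constructed sinkhole log: ISO timestamp, source IP, method, request path.
# The "q" parameter stands in for a per-bot identifier like Conficker's.
# 203.0.113.5 shows two different q values on the 10th: two bots behind one NAT.
SINKHOLE_LOG = """\
2012-10-10T01:02:03Z 203.0.113.5 GET /search?q=ab12
2012-10-10T01:05:09Z 203.0.113.5 GET /search?q=zz99
2012-10-10T02:15:00Z 198.51.100.7 GET /search?q=cd34
2012-10-11T00:01:00Z 203.0.113.5 GET /search?q=ab12
2012-10-11T03:45:12Z 192.0.2.9 GET /search?q=ef56
2012-10-11T03:46:00Z 192.0.2.9 GET /index.html
2012-10-11T04:00:00Z 100.64.0.3 GET /search?q=gh78
not a log line
"""

# Constructed darknet capture from a sensor on an unused block: src dst port.
DARKNET_LOG = """\
203.0.113.5 198.18.0.1 445
203.0.113.5 198.18.0.2 445
203.0.113.5 198.18.0.3 445
192.0.2.9 198.18.0.1 80
"""

DARK_BLOCK = ipaddress.ip_network("198.18.0.0/15")  # constructed "unused" block

REGION_PREFIXES = {  # constructed stand-in for a GeoIP lookup
    ipaddress.ip_network("203.0.113.0/24"): "APAC",
    ipaddress.ip_network("198.51.100.0/24"): "EMEA",
    ipaddress.ip_network("192.0.2.0/24"): "AMER",
}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ (\S+) \S+ (\S+)$")


def parse_sinkhole(log):
    """Yield (day, src_ip, bot_id_or_None) per line, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, ip, path = m.groups()
        q = re.search(r"[?&]q=([^&\s]+)", path)
        yield day, ip, q.group(1) if q else None


def unique_ips_per_day(log):
    """The basic sinkhole metric: distinct source IPs seen each day."""
    seen = defaultdict(set)
    for day, ip, _ in parse_sinkhole(log):
        seen[day].add(ip)
    return {day: len(ips) for day, ips in seen.items()}


def bot_ids_per_day(log):
    """Distinct bot identifiers per day; lines without an identifier are ignored."""
    seen = defaultdict(set)
    for day, _, bot_id in parse_sinkhole(log):
        if bot_id is not None:
            seen[day].add(bot_id)
    return {day: len(ids) for day, ids in seen.items()}


def infected_by_region(log):
    """Distinct infected IPs per region using the constructed prefix table."""
    by_region = defaultdict(set)
    for _, ip, _ in parse_sinkhole(log):
        addr = ipaddress.ip_address(ip)
        region = next((r for net, r in REGION_PREFIXES.items() if addr in net), "unknown")
        by_region[region].add(ip)
    return {region: len(ips) for region, ips in by_region.items()}


def darknet_scanners(log, min_targets=3):
    """Sources that touched at least min_targets distinct addresses in DARK_BLOCK."""
    targets = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, _port = parts
        if ipaddress.ip_address(dst) in DARK_BLOCK:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    print("unique IPs/day:", unique_ips_per_day(SINKHOLE_LOG))
    print("bot ids/day:   ", bot_ids_per_day(SINKHOLE_LOG))
    print("by region:     ", infected_by_region(SINKHOLE_LOG))
    print("dark scanners: ", darknet_scanners(DARKNET_LOG))
```

The IP count and the identifier count disagree on the first day precisely because of the NAT case, which is the kind of discrepancy that makes "number of infected machines" harder to pin down than "number of connecting IPs".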
Data Mining A Mountain of Vulnerabilities by Chris Wysopal
Chris works for Veracode where he focuses on secure code review. He presented findings from a comprehensive study of the vulnerabilities found in 9910 commercial and government applications (using static and dynamic analysis). He had correlated the vulnerabilities with the metadata of the applications (e.g. type of application, size, origin, language used) to find meaningful statistics.
- Most applications (75%) were internally developed, 15% were commercial applications and 10% open source; 50% were built with Java, 25% with .NET.
- SQL injection was used in 20% of all attacks, while 32% of apps were vulnerable.
- XSS was used in only 10% of attacks, while 68% of apps were vulnerable.
- Information leakage was used in only 3% of attacks, but 66% of apps were vulnerable.
- In Java, Coldfusion, .NET and PHP applications, XSS is the most common vulnerability.
- However, when Adobe added a language-level fix for XSS this helped fix the issue somewhat.
- C++ applications had completely different vulnerabilities, e.g. buffer overflows and error handling.
- PHP had a lot of SQL injection and directory traversal issues, way more than Java and .NET.
- The number of XSS vulnerabilities has remained steady over the last 2 years, indicating it's not being exploited as much as other vulnerabilities and hence not being fixed.
- The number of SQL injection vulnerabilities has decreased over the last 2 years, most likely due to the publicity SQL injection has received.
- Overall 86% of applications contain at least one vulnerability from the OWASP Top 10.
Industries and business:
- Which industries are getting their code externally tested?
- Finance, Software makers, Tech.
- Utilities is one of the worst performing. (But what about all that critical infrastructure?!?! Uh oh.)
- Which industry is most secure?
- Finance is most secure.
- Surprisingly security products themselves were most insecure!
- Does size of company matter?
- No difference in number of vulnerabilities between public and private companies.
- No difference in number of vulnerabilities by company revenue.
- The bottom line - Company size and revenue don't affect the quality of code!
Regarding vulnerabilities in mobile apps, the major differences here were related to the language chosen. As Android is Java based there is more XSS/SQLi, whereas iOS apps are written in Objective-C so have buffer management errors and directory traversal, not found in Java. However iOS apps are signed so are safer overall!
Chris finally talked about the software developers and how they are ultimately responsible for the quality of code. He presented a statistic that on average half of all developers don't understand security. When put like this it seems fairly obvious why there are so many security flaws in modern applications. More security awareness seems to be the answer.
6000 Ways And More - A 15 Year Perspective on Why Telcos Keep Getting Hacked by Philippe Langlois & Emmanuel Gadaix
This was an interesting talk; unfortunately I don't have a lot of experience with telco backbone infrastructure or protocols so found a lot of the presentation tricky to understand. One thing was clear though - telcos have a ton of serious security flaws.
The main issues are:
- Currently operators are focused on availability, fraud, IT security, interception and spam.
- There are few experts in the field of telco security.
- The walled garden approach and a rigid industry dominated by big players.
- It is scary how easy attacks are, and they are happening behind closed doors.
Three evil plans (attack vectors) were presented:
- Use the victim to attack other web targets.
- Use the victim to attack internal resources.
- Use the victim to attack others through social networks.
- Bonus plan - Use the victim's browser to compromise the underlying system.
He described how his tools have evolved and referenced the below specifically:
JSPortScanner -> AttackAPI -> WebSecurify Suite -> Weaponry
Petko demoed a browser extension for Chrome and Firefox that had a range of attack functionality built in. This would allow a remote attacker to use the person's browser as a pivot. I was particularly impressed by how light the extension seemed to be and how quickly it performed scans and analysed data. It really was a step up from BeEF. Oh, and the UI was really sexy.
The one area I asked Petko about was initial compromise, which is something he didn't really explain. For a malicious attacker to use these techniques the target would need to install the malicious browser extension. While not as likely to succeed as, say, BeEF, you only need to look at the prevalence of malicious apps to understand that people would be more than stupid enough to install this kind of application if packaged correctly.
Overall I was really impressed. I spoke to Petko at the end and he said that the project will be open source but is currently still under construction.
iOS6 Security by Mark Dowd & Tarjei Mandt
I was originally going to see a talk by the founders of The Pirate Bay, but they apparently got detained in Bangkok and so couldn't make it to the conference. Instead I headed over to the iOS6 talk hoping to learn something new.
This was quite a technical talk digging into the new anti-jailbreaking protections (stack cookies, ASLR, heap protections) put in place by Apple in iOS6. Having only limited experience with exploit design and next to no experience with the internals of iOS I did struggle to follow the talk. I gotta say though how impressed I was at the way these guys picked apart iOS with such ease. With everything these guys understood it was hardly surprising to see them produce such a complex jailbreak (again!). All I kept thinking was "Why hasn't Apple hired these guys?".
"I Honorably Assure You: It is Secure": Hacking in the Far East by Paul Sebastian Ziegler
In the final presentation of the day Paul talked about his experiences with IT security (and life in general) in Japan and South Korea. Having lived in Japan myself I was interested to find out how different or similar his experiences were to mine.
He started by talking about the god-like status given to white foreigners in Japan and how this can be used for social engineering. He suggested foreigners could be broken down into three categories: military, English teachers and businessmen, and out of those categories the businessman commands the most respect and so is perfect for social engineering. All that is needed is a suit; magically, once the suit is on you become immune to everything.
And in emergencies (when the suit doesn't work) just play the dumb foreigner card. Having done this myself I can confirm this is a very useful strategy!
He went on to talk about the prevalence of open wireless networks and the use of WEP in Japan, and how open networks are everywhere in South Korea. He then talked about SEED, which is a government alternative to SSL that is deployed everywhere in South Korea. This has a knock-on effect where users are forced to use legacy browsers as SEED doesn't support modern browsers. With users migrating from Windows XP to Windows 7 they have been forced to install IE6 on Windows 7 in order to use SEED websites. IE6 use was always high in South Korea because of SEED, but recently it's actually been increasing! Crazy, eh?
Day two will be up tomorrow.