Friday, 4 October 2013

Notes from Derbycon 2013 - Day #1


It was my first time attending Derbycon and I gotta say, what a conference! The atmosphere was a lot different from Blackhat/Defcon: fewer suits, fewer vendors and more real security guys straight from the trenches.

I found the talks a lot more interactive, and most provided great practical advice for the everyday security admin. Along with the free beer, my favorite bit was speaking to fellow attendees/speakers. Exchanging ideas, discussing problems and just meeting new people was awesome.

So that I don't forget what I learnt (and because I thought you guys might find it useful), I thought I'd do a quick write-up for each day. This is my own version of events and I've probably incorrectly described some talks, apologies in advance!

Also recordings of most talks can be found here: http://www.irongeek.com/i.php?page=videos/derbycon3/mainlist


#########################################################
Title: Pigs don't fly - Why owning a typical network is so easy and how to build a secure one
Link: http://www.scriptjunkie.us/
Link: http://ambuships.com/
What was it about:
Scriptjunkie gave an overview of some of the most effective ways to secure a network. He started off by describing common kill chains, from initial compromise to exfiltration, and how we can break each link.

Defensive techniques included:
- Air gap as much as possible
- Prevent USB use
- Prevent direct connections out (force all traffic through a proxy)
- Prevent outbound DNS (force machines to use internal DNS)
- Block social networking
- Block inter-workstation access
- Don't allow outbound traffic from admin accounts
- Lock down admin workstations
- Prevent Java/Office from writing files to most locations
- Don't use file shares, use a CMS
- Use Ambush IPS (his host-based IPS) for monitoring

Silver bullets:
- Don't use passwords, switch to hardware tokens/smartcards
- Deny all NTLM logons

Getting rid of passwords and NTLM sounded nuts, but he had a valid point: if users log on with smartcards/hardware tokens and everything authenticates over Kerberos, there are no reusable passwords or NTLM hashes for an attacker to harvest, so moving around your network with pass-the-hash or password reuse gets a lot harder. Microsoft already supports smartcard logon natively (Kerberos PKINIT), so implementation isn't as hard as people think. Legacy applications that don't support Kerberos can have issues though, and a smartcard-only account still has an NT hash sitting in Active Directory, so the "deny NTLM" half of the plan matters just as much as the tokens. Definitely something I'm going to look into further.

Lessons learned:
Test disabling NTLM (audit mode first) and switching to purely Kerberos. Long term, enforce token-only authentication. Implement as many of the defensive techniques as possible.
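To show what "test disabling NTLM" looks like in practice, here is an added example (my own, not from the talk or from scriptjunkie) that puts a box into NTLM audit mode, reports who is still using NTLM and where, and only then flips to deny with an exception list for the legacy apps. It assumes an elevated PowerShell on Windows 7 / Server 2008 R2 or later, where the "Restrict NTLM" settings and the NTLM Operational event log exist; in a domain you would push the same values via Group Policy (Security Options, "Network security: Restrict NTLM: ...") rather than writing the registry directly. The regexes that pull fields out of the event text are an assumption based on the wording of events 8001/8002 and fall back to the raw message if they don't match.

```powershell
# Added example, not part of the original post or the talk.
# Assumes: elevated PowerShell, Windows 7 / 2008 R2 or later.

$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Enable-NtlmAudit {
    # Outgoing NTLM to remote servers: 0 = allow all, 1 = audit all, 2 = deny all
    Set-ItemProperty -Path $Msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    # Audit incoming NTLM: 0 = off, 1 = domain accounts only, 2 = all accounts
    Set-ItemProperty -Path $Msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
}

function Get-NtlmUsage {
    param([int]$Days = 7)
    # 8001 = outgoing NTLM that would be blocked, 8002 = incoming NTLM that
    # would be blocked, 8003 = domain authentication audit (on DCs),
    # 8004 = NTLM actually blocked
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        # Field labels are an assumption taken from the event text; empty
        # string if the label is not present in this event type.
        $target  = if ($m -match 'Target server:\s*(\S+)') { $Matches[1] } else { '' }
        $user    = if ($m -match 'Supplied user:\s*(\S+)') { $Matches[1] } else { '' }
        $process = if ($m -match '(?:Name of client process|Calling process name):\s*(\S+)') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Target  = $target
            User    = $user
            Process = $process
            Summary = ($m -split "`r?`n")[0]
        }
    }
}

function Set-NtlmDeny {
    param([string[]]$LegacyServers = @())
    # Flip from audit to deny once Get-NtlmUsage comes back clean.
    Set-ItemProperty -Path $Msv -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord
    # Incoming: 0 = allow all, 1 = deny domain accounts, 2 = deny all accounts
    Set-ItemProperty -Path $Msv -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord
    # Exception list for the legacy apps that cannot do Kerberos yet
    if ($LegacyServers.Count -gt 0) {
        Set-ItemProperty -Path $Msv -Name ClientAllowedNTLMServers -Value $LegacyServers -Type MultiString
    }
}

# Typical sequence on a test box:
Enable-NtlmAudit
# ...run the box normally for a week, then see what would break:
Get-NtlmUsage -Days 7 |
    Group-Object EventId, Target, Process |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
# Only after the audit is clean (server name below is a placeholder):
# Set-NtlmDeny -LegacyServers 'legacy-erp.corp.example'
```

The grouping is the useful part: one noisy legacy server or service account usually accounts for most of the 8001/8002 events, and that is the thing to fix or whitelist before the deny switch goes on.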


#########################################################
Title: IOC Aware - Actively collect compromise indicators and test your entire enterprise
Link: http://www.youtube.com/watch?v=NhOhfNrXIDI
What was it about:
IOCs (indicators of compromise) here means OpenIOC, an open XML format introduced by Mandiant that describes malware using a combination of information such as filenames, hashes, signatures and paths. At the moment it's hard to find IOCs online, and producing them is usually a manual process. Wouldn't it be great if we could automatically create and then search for IOCs? Well, the guys in this talk had done just that.

They had used a honeypot (Dionaea) to collect samples, which were automatically submitted to an internal Cuckoo instance. They had written a custom Cuckoo plugin that generates IOCs from the Cuckoo analysis.
The generated IOCs were added to a master list that was then sent to software agents deployed on workstations. The agent would search the workstation for the IOCs and report back results. If an attacker had used similar techniques on both the honeypot and the workstations he'd be detected. Cool. For me the only issue with this system is that if the attackers don't attack the honeypot you don't get any IOCs.

Lessons learned:
Deploy a honeypot if you haven't already. Make sure you have a way to search your organisation for IOCs.
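As an added example of the agent half of that pipeline (my own code, not the presenters' plugin or agent), here is a minimal OpenIOC 1.0-style document and a scanner that reads the FileItem/Md5sum and FileItem/FileName indicators from it and walks a directory tree looking for matches. The IOC is constructed sample data: the filename is made up, and the MD5 is the hash of zero bytes, so an empty file will match it and you can see a hit without any malware involved. Only the "is" condition is handled; a real agent would cover the other OpenIOC conditions and item types.

```powershell
# Added example, not part of the original post or the talk.
# Constructed sample IOC: fake filename, MD5 of an empty file.
$SampleIoc = @'
<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001" last-modified="2013-10-04T00:00:00">
  <short_description>Constructed sample: honeypot dropper</short_description>
  <definition>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000002">
      <IndicatorItem id="00000000-0000-0000-0000-000000000003" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem id="00000000-0000-0000-0000-000000000004" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">svch0st.exe</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
'@

function Get-IocIndicators {
    param([string]$IocXml)
    [xml]$doc = $IocXml
    # PowerShell's dot navigation ignores the OpenIOC namespace, which keeps this short
    foreach ($item in $doc.ioc.definition.Indicator.IndicatorItem) {
        [pscustomobject]@{
            Search    = $item.Context.search      # e.g. FileItem/Md5sum
            Condition = $item.condition           # only "is" is handled below
            Value     = $item.Content.InnerText
        }
    }
}

function Search-Ioc {
    param([string]$Path, [string]$IocXml)
    $indicators = Get-IocIndicators -IocXml $IocXml | Where-Object Condition -eq 'is'
    $md5Set  = @($indicators | Where-Object Search -eq 'FileItem/Md5sum'   | ForEach-Object { $_.Value.ToLower() })
    $nameSet = @($indicators | Where-Object Search -eq 'FileItem/FileName' | ForEach-Object { $_.Value.ToLower() })
    $md5 = [System.Security.Cryptography.MD5]::Create()
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $hits = @()
        if ($nameSet -contains $_.Name.ToLower()) { $hits += 'FileItem/FileName' }
        if ($md5Set.Count -gt 0) {
            # Only hash when there is a hash indicator to compare against
            $stream = $null
            try {
                $stream = [System.IO.File]::OpenRead($_.FullName)
                $hash = ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
                if ($md5Set -contains $hash) { $hits += 'FileItem/Md5sum' }
            } catch { }
            finally { if ($stream) { $stream.Dispose() } }
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ File = $_.FullName; Matched = ($hits -join ',') }
        }
    }
}

# Demo on a throwaway directory (constructed): the empty file matches the
# MD5 indicator, the renamed text file matches the filename indicator.
$demo = Join-Path $env:TEMP 'ioc-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $demo 'empty.bin') -Force | Out-Null
'not really malware' | Set-Content (Join-Path $demo 'svch0st.exe')
Search-Ioc -Path $demo -IocXml $SampleIoc | Format-Table -AutoSize
```

Hashing every file on a workstation is the expensive part; a real agent would restrict the walk to the paths named in the IOC (or to recently modified files) before hashing.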


#########################################################
Title: Cash is King: Who's Wearing Your Crown?
Link: http://www.youtube.com/watch?v=k-qaAeXUBac
What was it about:
The presenters talked about how it's possible to inject a DLL into the Microsoft Dynamics GP client and proxy its requests to the backend database. So if an attacker compromises a workstation belonging to your accounting staff, they can issue commands to the backend database while that staff member is logged in: money transfers and account modifications, all performed as the compromised user. Awesome.

They mentioned that in many cases accounting reconciliation isn't done often enough, meaning fraudulent payments can go undetected for months. Also, once one payment is found to be incorrect, how do you know the rest of the payments/account information haven't been modified?

It was worrying to hear that the payment processing systems for online games have better controls than most ERP and financial systems.

Lessons learned:
Third-party financial systems don't provide tight enough audit and change control; reconcile often and treat the workstation of anyone who can approve payments as a high-value target.


#########################################################
Title: Windows Owned by Default
Link: http://www.youtube.com/watch?v=SVqiDdVS7Wo
Link: http://technet.microsoft.com/en-us/magazine/2009.06.act.aspx
What was it about:
This was an interesting talk about the Windows Application Compatibility Toolkit and how it can be used to change how programs execute. The toolkit is offered by Microsoft and helps old software work on newer versions of Windows. Under the hood the shim engine works in user mode: as the target process loads, it hooks the program's imported API calls (by patching the import address table) and redirects them. So instead of the program loading, for example, the modern version of a DLL or reading the real registry key, you create what's called a "shim" and the shim redirects it to the old DLL or a virtualised registry key.

An attacker can abuse this to load and hide his own malicious files, and because child processes inherit the parent's settings, if you create a shim targeting explorer.exe any program launched from the shell will inherit it and run with the modified settings.

You do need to be admin on the box to install a shim database (sdbinst.exe), so it's more of a post-exploitation tool, but used correctly it can hide malware really well and drive incident responders nuts. Or vice versa: if you build a honeypot with custom shims installed, attackers will waste time going round in circles instead of attacking your other systems.

Lessons learned:
Look out for malware abusing shim databases: check the AppCompatFlags\InstalledSDB and AppCompatFlags\Custom registry keys and %WINDIR%\AppPatch\Custom for databases you didn't install. Also set up a honeypot using this.
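Here is that check as an added example (my own, not from the talk): it lists the custom shim databases sdbinst.exe has registered on the box, which executables they are applied to, the .sdb files on disk, and flags anything shimming a shell or system process. It assumes an elevated PowerShell on Windows 7 or later and uses the documented AppCompatFlags registry locations; the watch list of process names is an assumption to extend for your environment.

```powershell
# Added example, not part of the original post or the talk.
# Assumes: elevated PowerShell, Windows 7 or later.

$AcfRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-InstalledShimDb {
    # sdbinst registers each installed database under InstalledSDB\{GUID}
    $key = Join-Path $AcfRoot 'InstalledSDB'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $installed = $null
        if ($p.DatabaseInstallTimeStamp) {
            # Stored as a FILETIME in a QWORD
            $installed = [DateTime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp)
        }
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            Type        = $p.DatabaseType
            Installed   = $installed
        }
    }
}

function Get-ShimmedExecutable {
    # Custom\<exe name> holds one value ({GUID}.sdb) per database applied to that exe
    $key = Join-Path $AcfRoot 'Custom'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $exe = $_.PSChildName
        $_.GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Executable = $exe; Database = $_ }
        }
    }
}

function Get-ShimDbFile {
    # Installed copies land in %WINDIR%\AppPatch\Custom (and Custom64 on x64)
    Get-ChildItem "$env:WINDIR\AppPatch\Custom" -Filter *.sdb -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Find-SuspiciousShim {
    # Watch list is an assumption: anything shimming the shell or a core
    # system process deserves a look, since every child inherits it.
    $watch = 'explorer.exe', 'winlogon.exe', 'svchost.exe', 'lsass.exe', 'services.exe'
    Get-ShimmedExecutable | Where-Object { $watch -contains $_.Executable.ToLower() }
}

Get-InstalledShimDb   | Format-Table -AutoSize
Get-ShimmedExecutable | Format-Table -AutoSize
Get-ShimDbFile        | Format-Table -AutoSize
Find-SuspiciousShim   | Format-Table -AutoSize
```

A database you don't recognise can be removed with sdbinst.exe -u followed by its path; on a fleet, a baseline of these three lists taken from a clean build makes any new entry stand out.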


#########################################################
Title: RAWR - Rapid Assessment of Web Resources
Link: http://sourceforge.net/projects/rawr-webenum/
What was it about:
Awesome new tool to scan a network and grab screenshots of web interfaces. There are a few scripts out there that do this, but I've not seen anything that worked this well. RAWR provides a command line for issuing scans: give it an IP range and port and it'll run nmap, Bing reverse DNS lookups and SSL checks against the range.

All screenshots are viewable and searchable through a nice web interface. The tool is still under active development with new features on the way. Overall a great tool for attackers and defenders alike.

Lessons learned:
Grab a copy of RAWR and scan your internal/external network; you may be surprised by what you find :)


#########################################################
Title: Decoding Bug Bounty Programs
Link: http://www.youtube.com/watch?v=ur1azUTgmvU
What was it about:
Jon presented a great interactive talk about how and why bug bounties operate. I found the PayPal stats quite interesting; for example, did you know that 44% of bugs are the submitter's one and only submission, and 80% of bug submissions come from researchers who submit fewer than 10 bugs?

Also, we were lucky enough to have the folks who run Microsoft's bounty program, the head of Firefox's program and the Bugcrowd guys in attendance, who all had interesting things to say.

Lessons learned:
Bug bounties are the future!


#########################################################



Questions/comments/corrections - leave a message below.

Derbycon day #2
http://pwndizzle.blogspot.com/2013/10/notes-from-derbycon-2013-day-2.html
