Security

Black Hat DC 2008 Briefings

Devin A. Rychetnik — Tue, 26 Feb 2008 18:45:41 GMT

Last week I attended the Black Hat DC 2008 Briefings. The following is a list of the presentations I saw, the key concepts discussed as well as things I found interesting or didn’t know.

Summary of Black Hat DC 2008 Briefings

DAY 1 - Web App Track

Preparing for the Cross Site Request Forgery Defense

· A cross site request forgery (CSRF) can be used to force users to submit data to online web applications, sometimes manipulating their local cache or history.

· This vulnerability could make a user run a search query, fetch arbitrary image files or pages as well as post messages to online forums, or even manipulate their account.

· Two demos showed how this could be done using Netflix and Google.

· Basic way to prevent CSRF is to always require one parameter that the attacker would not know

Threats to the 2008 Presidential Election

· Online donations for presidential campaigns have been used more than ever in 2008

· Typo squatting such as www.hillaryclingon.com (mistype of www.hillaryclinton.com) is easy way people can get trapped or tricked

· Email squatting, for example, emails to something@hillaryclingon.com go to the unintended recipient

· Phishing sites that redirect donations to opposing candidate, the phisher or someone other than the intended candidate

· Denial of services attacks are possible by a high-number of small transaction donations at one time

· Browser data leakage, using a CSS link visited feature, website can determine whether you’ve viewed a webpage before

· Monitoring of people’s communications (i.e. FlexiSpy receives copies of SMS, call logs, emails and lets you listen to conversations on mobile device)

· Ransomware could be a virus, Trojan, or worm that encrypts your data and demands a ransom for it’s restoration

Bad Sushi: Beating Phishers at their Own Game

· www.phishtank.com is a collaborative website for tracking phishers on the Internet and has an open API for developers to integrate anti-phishing into applications

· Reality is scary, simple Google searches such as “Spam ReZulT” return numerous compromised online identities

· Phishing is easy, a number of phishing kits have been developed and are just copied, edited, and reused in most cases

· Phishers even phish each other, the author of a phish kit builds in his/her own feedback loop, which other phishers may or may not notice when modifying and reusing

· Root problem is that static identifiers & passwords are often used, resolution is to use two-factor authentication

· (ATMs are a target as well, ATM skimmers steal swipes of your debit card and record keypad touches)

URI Use and Abuse

· Some software such as Trillian, iTunes, Picasa expose a custom URI (for example, picasa://) that can be used in a browser

· This opens up the attack vector of vulnerabilities in the software to the Internet

· Registered URIs are kept in the registry of Windows (Macs have them too)

· Demos included using an exploit in Adobe Reader to cause a buffer overflow and using Google’s Picasa to steal the user’s pictures

Scanning Applications 2.0

· Web Hacking Incidents Database (WHID) is Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents

· Web 2.0 applications differ from traditional ones in that they usually leverage dynamic client-side scripting and web services (see Pageflakes for numerous examples)

· Techniques for testing web 2.0 applications include

o determining the web service type via fingerprinting

o determining the AJAX library type via fingerprinting

o fuzzing information structures such as JSON, XML etc.

o crawling sites with the DOM as opposed to direct links

· Presenter offers free tools for scanning web 2.0 applications here

DAY 2 - Defense Track

DTRACE: The Reverse Engineer’s Unexpected Swiss Army Knife

· DTRACE was created at Sun and release with Solaris 10

· Now in Apple OS X, and soon to be in FreeBSD

· Allows you to trace an application at runtime in an almost root-kit like way

· Beauty of it is that it’s built into the OS and was designed to be the least intrusive on the application under trace

· Uses the language of D, which is a subset of C, but without control-flow constructs

· DTRACE toolkit gives you templates out of the box for seeing stack analysis, code coverage, heap analysis etc.

Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking

· Taint propagation is a technique where you track your system code during execution and figure out what values are “tainted” by input that comes from outside

· A taint propagation tool would track inputs throughout the system and give you test coverage execution information of all possible input paths

· Fortify is a company that sells products that do this for .NET or Java

(un)Smashing the Stack: Overflows, Countermeasures, and the Real World

· Recommended reading, How to Writer Buffer Overflows, by Mudge

· Discussed defense mechanisms (such as StackGuard, DEP, ASLR) that have been built into operating systems to make exploiting overflows harder

Classification and Detection of Application Backdoors

· Backdoors exist in many applications and are sometimes purposely baked in

· Types include special credentials to bypass authentication and/or hidden functionality that can be used to do something extra to the system

· One example was given, the creator of Unix put a backdoor into the login prompt. To prevent people from seeing this backdoor in the code, since it was open-source, he hid the logic for putting the backdoor in the code inside the compiler. To prevent people from seeing that, he only distributed the compiler binaries and not the code. To prevent people from seeing the logic when the disassembled the binaries, he put code in the dissembler that stripped it out. Moral of the story is that backdoors exist many places we don’t know about

Botnet Population and Intelligence Gathering Techniques

· Botnets usually refers to a group of compromised computers (via a remote access trojan, RAT, for example) remotely controlled by a master

· They utilize DNS instead of IP addresses since you can create an almost infinite amount of domains using subdomaining and change them to point to new IP addresses

· Tools out there make it easy to set up a botnet (for instance, using the PoisonIvy trojan)

· Research at Georgia Tech is using DNS caching distribution patterns to estimate relative size of botnets that exist on the Internet

Information Operation in the Cyber Domain, Immunity Style

· Presenter was hired for a large-scale targeted attack on a private company

· This differed from other penetration tests in that they had no time limit

· They were able to compromise the network first through the email server and monitored all emails

· Then via a little social engineering and an ActiveX script vulnerability they installed an undetectable shell extension on user’s computers

· At that point they discovered that there was another segmented network that something was moving between with a USB keychain

· They modified a USB memory dump tool to write all the data from the keychain to disk and managed to compromise secret data from the segmented network

· (A Microsoft Research tool called Detours was used as part of the attack!)

Zero Byte Scripts Still Effective

Devin A. Rychetnik — Mon, 12 Nov 2007 14:21:00 GMT

Many antivirus programs are still susceptible to this evasion technique:

Original post: http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/

News article: http://www.vnunet.com/vnunet/news/2202468/hackers-wreak-havoc-zero-byte

Cryptographic Solutions for .NET Developers: Hashing and Encryption

Devin A. Rychetnik — Mon, 06 Aug 2007 10:28:11 GMT

Here is a pretty good introductory article on crypto in .NET: http://www.codeguru.com/csharp/.net/net_security/encryption/article.php/c14033__1/.

WCF NetTcpBinding Lessons Learned

Devin A. Rychetnik — Wed, 13 Jun 2007 02:43:28 GMT

I just got done with a long afternoon of implementing a Windows Service to self-host my WCF service. It was a bit trickier than I thought it would be so if I can save you the headache I'll be happy.

A good place to start is by reading these two MSDN articles:

http://msdn.microsoft.com/msdnmag/issues/06/02/WindowsCommunicationFoundation/

http://msdn.microsoft.com/msdnmag/issues/07/06/ServiceStation/

Next, you'll want to understand these support articles:

http://msdn2.microsoft.com/en-us/library/ms733768.aspx (I needed this to get the wsdl stuff working)

http://msdn2.microsoft.com/en-us/library/ms733925.aspx (need to do this before TcpNetBinding will work)

http://msdn2.microsoft.com/en-us/library/ms731758.aspx (an example app hosting WCF)

http://msdn2.microsoft.com/en-us/library/ms750530.aspx (more on self-hosting)

Kerberos Authentication Protocol

Devin A. Rychetnik — Wed, 30 May 2007 04:56:13 GMT

I was curious to understand Kerberos on a much deeper level so I decided to gather some resources in order to learn what was really going on under the hood:

Kerberos Wikipedia.org
http://en.wikipedia.org/wiki/Kerberos_%28protocol%29

Kerberos Explained (Windows Server 2000)
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx

Introduction to Kerberos Webcast (Windows Server 2000)
http://support.microsoft.com/default.aspx?scid=kb;en-us;822248

Kerberos Auth in Windows Server 2003
http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx

Kerberos Network Authentication Service (V5)
http://www.ietf.org/rfc/rfc4120.txt

Nice Rootkits Review

Devin A. Rychetnik — Thu, 18 Jan 2007 18:59:00 GMT

This review on rootkits might save you some day: http://www.informationweek.com/news/showArticle.jhtml?articleID=196901062&pgno=1.

Asp.Net Anti-Cross Site Scripting Library

Devin A. Rychetnik — Tue, 12 Dec 2006 05:51:00 GMT

For defence in depth, developers may wish to use the Microsoft Anti-Cross Site Scripting Library to encode output. This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The principle of inclusions approach provides a high degree of protection against XSS attacks and is suitable for Web applications with high security requirements.

http://msdn2.microsoft.com/en-us/security/aa973814.aspx

Use SecureString in .NET 2.0 for Confidential Text

Devin A. Rychetnik — Fri, 01 Dec 2006 18:28:00 GMT

SecureString Class

Represents text that should be kept confidential. The text is encrypted for privacy when being used, and deleted from computer memory when no longer needed. This class cannot be inherited.

Namespace: System.Security
Assembly: mscorlib (in mscorlib.dll)

http://msdn2.microsoft.com/en-us/library/system.security.securestring.aspx

Database Security Research

Devin A. Rychetnik — Thu, 30 Nov 2006 19:32:00 GMT

David Litchfield has found an interesting new security vulnerability in Oracle databases and also done a comparison on whether Oracle or SQL Server is more secure.

Dangling Cursor Snarfing: A New Class of Attack in Oracle - http://securitywatch.eweek.com/cursor-snarfing.pdf

Which Database is More Secure? Oracle vs. Microsoft - http://www.databasesecurity.com/dbsec/comparison.pdf

SQL Truncation & Injection Attacks

Devin A. Rychetnik — Sat, 28 Oct 2006 08:37:00 GMT

Two useful MSDN security articles on preventing SQL injection attacks...

Stop SQL Injection Attacks Before They Stop You: http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/

New SQL Truncation Attacks And How To Avoid Them: http://msdn.microsoft.com/msdnmag/issues/06/11/SQLSecurity/default.aspx