The „Cloud“ is a wonderful link between the BYOD disaster, data loss and broken security promises. Yet users of all kinds are lured into the web interfaces with eye candy. The German IT magazine Golem.de has published an article about the cloud security study of the Fraunhofer Institute for Secure Information Technology SIT. The researchers put Dropbox, Cloudme, Crashplan, Mozy, Teamdrive, Ubuntu One and Wuala under scrutiny. The results should be a wake-up call for businesses that blissfully shove all kinds of data out into the thin air of the „Cloud“.
The quintessence of the study is that none of the listed „Cloud“ services provides basic security, let alone sensible encryption technology. Some registration forms do not verify the e-mail addresses entered. Some platforms do not use SSL/TLS. Some use their own protocols that are neither published nor peer-reviewed (a decent protocol design featuring security is hard). Some do without client-side encryption and receive the client data unencrypted. Some data is accessible by obfuscated URLs (which you will never guess and which will never leak, of course). Some of these URLs even contain user names or other gems useful for hats of all colours alike.
The study contains more, and all these findings are a sign of bad or no security design. In turn, none of these storage platforms is a place for sensitive data. This should be reflected in your security policy (we’re sure you have already incorporated this into your policy documents).
If you really want to follow the trend (or just be cool), you might want to think about using superencryption (i.e. encrypting your data twice or more) or other additional security measures. Additional encryption won’t help you against badly formed URLs or other design flaws, but it’s better than nothing. The study has a more in-depth view of what you can do and what you should not do.
May 12
14
None of us likes to lose data. Usually data loss is tied to defects of storage media. You can counter physical data loss by having sufficient and recent copies of your data. This is where the logical data loss kicks in – unauthorised copies. Espionage thrives on these copies, and since information can be sold, so does crime. Establishing a proper data loss prevention strategy and implementing it requires a combined effort across all branches of information security.
First you need to define some classifications for all your data. Public, private and confidential is common. Then you must find all places where your data is stored. You noticed the small word „all“. Yes, that’s right, all places and every single bit of your data. If you start getting sloppy at this stage, your defence against data leaks will be sloppy, too. There are no shortcuts.
Once you have done that you can start dividing your organisation into compartments according to the data classifications. You can use everything you already have, such as firewalls, proxies, every application level gateway and filter system. Some products on the market can even be „retrofitted“ with data loss prevention capabilities. Don’t forget to extend your protection to all end points in use (this is the part where BYOD bites you in the back, provided you allowed a zoo of arbitrary devices). You will have to give some thought to devices using mobile phone networks, because you cannot shut them out (legally, that is).
After you have done all of this, you can turn to removable storage devices, analogue leaks and human imperfections. You will have to keep an eye on your filtering devices. Until the Nobel prize for improved signature-based algorithms has been awarded to security researchers, you will have to deal with ever changing signatures of your data. There’s a plethora of data formats out there, and you most probably will not be able to reduce data transformations. In turn you have to accept that your data might change and might evade loss prevention. Malicious software does it all of the time.
So, are we done yet? Probably not, but it might be as good as it gets. Maybe you have some thoughts or experiences to spare and might want to tell us about them. Our CfPs for DeepSec 2012 and DeepINTEL are open. You can drop us a line by e-mail or comment on this posting as well. How do you eliminate data leaks? Please do tell.
May 12
7
When it comes to computing we all like convenience, just like in other areas of personal or business life. It’s nice to use familiar tools. Provisioning is much easier for your IT department if your users bring their own hardware. So, let’s sprinkle this idyllic setting with some security in terms of malware protection, data loss prevention and policies. This is a recipe for a lot of fun and sleepless nights at the same time.
The laisser-faire bring your own device (BYOD) approach is all the fashion these days. Since your users really like to do serious business on electronics and software designed for entertainment, why not combine both ends of the spectrum and create a worse starting point than with using either one technology. While being able to view, edit and create confidential documents on your TV set is of major importance today, let’s not forget that having a minimum level of security is a requirement (until completely superseded by the need for entertainment electronics, which might be in 2013 or 2014).
Skipping the sarcasm, you might have noticed that BYOD is a lie. Unless you can do without security (measures), you cannot let BYOD be unspecified. I might bring my old Amiga computer and my self-engineered cell phone (complete with a custom OS). And if you slap some requirements on the trendy BYOD stance, then you get BTDWAYTBBWHSRN instead – bring the device we allow you to bring because we have some requirements now. Sounds a lot less catchy, doesn’t it?
BYOD proponents might point out that there will be some OS hardening going on, and that there will be an agent installed that will handle all things malware/DLP/spam/policy. Nice argument, but instead of taming the zoo of code this approach will only bring you a step closer back to the realm of magic where every problem stemming from complexity will be solved by adding more of it. Only gadget vendors have a vested interest in pushing/supporting BYOD.
If you have experience of how BYOD can be managed without buying lots of (alcoholic) drinks, let us know by submitting a talk to the DeepSec CfP manager. Hardware vendors do not need to apply.
Update: If you think that BYOD saves you some money, think again. Blackpool Council has found out that it doesn’t.
May 12
6
Security is heavily influenced by the inner workings of the (human) mind. We all know about social engineering and tricks used by con men. The game of smoke and mirrors now hits the „uncontrolled spread of hacking tools“. We have already pointed out that the European Union is preparing a proposal for „banning“ „hacking tools“. There is now a case on-line where a print magazine was allegedly removed from the shelves of Barnes & Noble. Apparently the cover story was too dangerous, because it announced how to „teach you to break into networks, exploit services running remotely, beat encryption techniques, crack passwords, and more.“ The real dark side of this story is that these skills are discussed at most self-respecting security conferences. These skills are even part of a very basic job description in the field of system administration. Universities teach classes covering very similar topics.
How did the editors of the magazine react? They put the cover story on-line. While the countermeasure circumvents the censorship of the book shelves, it doesn’t address the deeper mindset problem at work. The discussion about dual-use goods is very old. We have seen the crypto wars (which may be resumed again), we have the discussion of introducing backdoors to software (again and again), and now the discussion turns to „hacking tools“. No matter how many rules you might think of, the problem stays in the mindset. This is exactly why criminal intent comes into play. You can subvert a lot of harmless tools to do bad things. This doesn’t start with the Internet, software or computer hardware. It starts with screwdrivers, axes, words or brilliant ideas. We know, this is no news, the range of „hacking tools“ is vast. We just hope that removing educational literature from book stores and the Internet won’t be a new trend. Otherwise we will need to host future DeepSec events at secret locations. Come to think of it, we might adopt some rules, too.
Let’s hope we never get there.
Let’s assume you have put proper security measures into place and you have spiced them up with proper policies so that everyone always knows what to do in certain situations. So far, so good. Now let’s combine this solid security framework with something out of the ordinary. Catastrophic storage failures are a very good example. Imagine your shared storage array goes AWOL (including the disk images of your precious virtualised servers). In this case your operating status has gone from „all green“ to „full red alert“. Your staff can’t restart the storage array, so you have to rely on experts in the field of data rescue. Due to the critical nature of the data you yank out the disks, label them and send your storage components by messenger to a laboratory. Since time is crucial, your operators bypass all security checks and hand the drives over to the messenger, who in turn disappears to deliver them. If this sounds realistic, please read on.
Emergency situations put your security to its limits. In the case of data loss there’s also a lot of adrenaline to go around. Of course you have backups, but you may not have a high availability system. Additionally, virtualised servers keep live data that might not be mirrored or stored in the backup yet. Have you thought about this situation in advance? Who has the security clearance to remove storage components from your inner sanctum and bypass every security device? Data rescue experts are a crucial asset to your IT resources, but most certainly they will be external to your organisation. How do you select the most trustworthy partner for data rescue? Do you prefer a company that sends your disks all around the globe and cannot account for everyone having access to your data? You know that digital copies can be made easily in emergency situations. What’s your plan to keep up security under these circumstances?
In case you haven’t thought about these questions, you should probably think about them before you enter „red alert“. Albeit no one wants to use data rescue resources during normal operation, you have to address this issue in advance. Isolated storage components are both a breach in security and a potential data leak if handled in the wrong way. Attackers might even provoke a failure in order to get access to your storage system (performed through a well-timed messenger-in-the-middle attack). All it takes is to send a courier first – unless the data rescue process itself is compromised. Industrial espionage often exploits third parties that are used for specific tasks or products. Make sure your „web of trust“ still holds in emergencies. This is best ensured by preparation and testing. If fire drills are done on a regular basis, why not do data rescue drills as well?
What exactly is a hacker tool? The answer to this question depends on who you ask. To MacGyver it would probably be everything, to a hacker it would be any suitable tool and to a politician it would be anything that cannot be easily understood. The English Wikipedia has no entry on hacker tool. So what is it and why should we care?
Care comes first. We have to care because the European Union is working on banning hacking tools. This is no news for some parts of Europe. Germany tried to address the nebulous hacking tools issue in 2007. The law has drawn a lot of criticism from security researchers. Some even moved their research abroad to avoid operating in a grey area of the law. There’s an open letter to the German Bundestag explaining the fears of criminalising security research. While the European proposal for banning software may be aimed at „blackmarket tools“ (whatever this may be, the term just adds one level of uncertainty), it may hit your own fuzzers, Metasploit, Wireshark, your operating system, compilers, cell phones, assemblers, ping, telnet, carrier pigeons, nmap and even more. We agree with EFF’s international rights director Katitza Rodriguez and ask legislators to take the intent of use into account. If this is not done, then even lawful interception measures might count as hacking tools and thus backfire on criminal investigations.
The law might even completely change the landscape of computing (apart from driving security conferences into non-existence). It’s interesting to read the quote by rapporteur Monika Hohlmeier (EPP, DE): „No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world.“ The analogy is great, but what do digital seat belts look like? Is it sufficient to present a pop-up with a warning sign? Do you need to lock the OS into a proprietary black box? We’ve seen a lot of seat belts break in the past years of DeepSec conferences. Yet no vendor/manufacturer has been held liable. The GSM network has been stripped of many seat belts to the point of being insecure, all without consequences for end user behaviour and manufacturers.
Since we deal a lot with hacking during and outside the DeepSec conference, we like to involve our speakers and all participants of DeepSec. We are monitoring the proposals, and we are in contact with members of parliament regarding the future of security research. Additionally if you have ideas on what hacker tools could be, let us know. The power of analogies is always useful to illustrate consequences.
Apr 12
17
Extreme situations, entropy eruptions and unforeseen problems caused by complex interactions between a plethora of components are prime story material. You can use it in (science) fiction, you can use it for breaking news, you can use it for scaring your children, you can use it for advertising and you can use it when talking about information security. Maybe this is why talking about „cyberwar“ is all the fashion these days. Let’s follow the trend and introduce the issue with style:
No boom today. Boom tomorrow. There’s always a boom tomorrow. What? Look, somebody’s got to have some damn perspective around here! Boom. Sooner or later. BOOM! — Lt. Cmdr. Susan Ivanova, Babylon 5
This statement from a fictional character pretty much sums up the issue (plus it contains exactly the required amount of sources to get you published by most media). It also automatically answers all questions, especially if we talk about war, be it cyber or otherwise. The German news site Spiegel Online (SPON) has a recent article covering the issue of depending on IT systems, (not) properly dealing with complex software and (not) hardening your IT infrastructure. Most companies have no fall-back procedures once their digital lifeline is severed or compromised. They have turned back in time to become teenagers addicted to text messaging. The same is true for governments. Remember the DigiNotar incident and its impact on e-government. IT security can’t keep up because of economic pressure (or corporate greed, decide for yourself). For every 100 lines of code audited there are 10,000 lines of code freshly written and deployed, according to the author of the SPON article. Hardening systems and doing secure infrastructure design is simply not done or done sloppily. The article concludes that the digital modern society simply cannot withstand „cyberwar“.
Let’s step back and invoke the power of analogies by forgetting about „cyber“ for a moment. Our office has no bomb-proof roof and no bunker. We have no checkpoints with armed guards on the way to the entrance. We haven’t piled sandbags in front of the windows. We do not issue bullet-proof vests to our staff. We do not own any armoured vehicles to get around. We maintain no air force and we cannot call in close support, neither by plane nor by artillery. All in all we are very ill-prepared for a war. Why have we skipped all of these necessary measures to improve our security? Well, firstly we cannot afford it, and secondly the risk for incidents where security breaches are done by shrapnel or bullet are luckily quite low.
Turning back to „all things cyberwar“ you will now better understand why the IT infrastructure is like it is. It’s all about risks, and a „cyberwar“ is nothing like a „real war“. You cannot add „cyber“ and keep thinking of „war“. Shutting down the IT infrastructure of a national economy can be done by politics, natural disasters, the energy market and by the supply of electronics including the raw materials to produce them. How many IT departments do you know that have taken tsunamis and floods in Asia into account? Do you know where your electronics and storage hardware comes from? Do you know how it is transported? Where are your digital assets and how are they connected? Maybe you should start to think about these things before you think about preparing for war, cyber or otherwise.
True, there are threats that use the network or computers, but the Morris Worm turns 24 this year, the Internet is more than 40 years old (depending on which event you use as a marker for its birth), and now we’re talking about „cyberwar“? We should talk about risks and security intelligence first. This is exactly the reason why we are preparing the DeepINTEL event – to give you the big picture and the knowledge of how to deal with information security strategically.
Apr 12
15
Every once in a while there is a lively discussion about the efficiency of pattern-based security measures. Usually you see these discussions in the wake of security software tests. Mostly it concerns intrusion detection, malware filter or spam filter tools. As soon as you are trying to implement filters or detection, you will need some criteria to base decisions on. It doesn’t matter if you apply whitelisting, blacklisting or a mixture of both. Even if you add some intricate algorithms ranging from good ideas to artificial intelligence, you still need to base the decision on something. Patterns and signatures are still the way to go. So where do these discussions about „all methods using patterns/signatures are snake oil“ come from?
Let’s take another pattern-based defence mechanism as an example – our immune systems. It is used as a prime analogy for anti-virus software (of course the use of virus in this context is another analogy). We all have a working immune system, but we still get sick. The immune system works best against threats which have been detected before. Still there’s „biological malware“ around that cannot be fought since there is no cure. How do we deal with this imperfect design? Well, we manage the risks to the best of our ability. There is no other way. Basically you do the same as you do in the digital world. You can reduce exposure. You can add additional layers (such as protective clothing or hygiene procedures). Yet 100% protection is the theoretical limit which you will never attain. This fact is clear to every medical, biological or security expert. Why do we keep repeating the discussion about the imperfections of pattern/signature-based mechanisms then?
The cause is most probably rooted in the mindset. System administrators have heard statements like this before: „I got anti-virus software, I can open any e-mail and visit every web site without caution.“ On the other hand, here’s something you won’t hear very often: „I can drink raw sewage, because I have an immune system.“ This is quite an inconsistency. It also illustrates how analogies do not work. Just by calling a piece of code a „virus“ and the deployment of filter software „to inoculate“ you do not get more than the cosy feeling of self-deception. The same is true for all the other bells and whistles found in web browsers, for example. In turn this realisation is no breaking news and no scientific breakthrough. Sorry to have wasted your time, but these things can’t be stated often enough.
However, if you have some breaking news or a scientific breakthrough when it comes to decision algorithms for security software, please let us know. The Calls for Papers for DeepSec 2012 and DeepINTEL are the prime place to put your discovery. In the meantime, please don’t start yet another discussion about the drawbacks of patterns and signatures. We already know.
A few days ago we received a call from a journalist who was researching an article about a parking space management system. Motorists have a hard time finding a place to park in busy urban areas. This is why Austrian researchers thought of fitting street lamps with cameras that monitor parking areas. The cameras report the images to a system that identifies free parking sites and reports available spots to drivers by means of their satnav. The journalist wanted to know how safe this is and if there might be a threat to privacy. The answer is not that easy. In this context it typically resolves to the style of Radio Yerevan and starts with „In principle yes, but …“. In our case it depends on the details of the implementation.
Brevity and sensible reduction of details is the key to explain difficult problems. It can quickly turn into a difficult problem itself when assumptions are involved. Let’s take the parking space cameras as an example. The basic components are the cameras, a system doing the processing of the images and a component that tells the satnav (which one?) about the free parking lots. If you claim that „in theory there should be no or only a negligible impact on privacy/security“ you heavily lean on a lot of idealistic assumptions. Unless you have answers to the following questions you will not be able to give qualified answers.
The list is most probably incomplete. Hopefully the questions illustrate that an innocuous question can trigger many in-depth questions. Security researchers (usually) know this, but others not involved with security might not understand. Please do not use these questions as arguments against the parking lot project. It serves as an example, and the project manager has assured us that the camera images will only be stored temporarily and that no license plates will be decipherable.
We admit. We could not resist. Bazinga! Writing articles to be published on 1 April is fun, and you probably should not read any news on this day (or blog articles or anything, don’t even talk to people until 2 April). If you consider the disinformation practised on All Fools’ Day and connect it to security, the fun stops. You rely on information and its accuracy to counter threats. So in turn disinformation can be regarded as a hacker tool. Social engineering people probably know this already.
Since our CfPs for DeepINTEL and DeepSec 2012 are open: If you explore disinformation as a hacker tool and can show its impact on the security routine of potential targets/defenders, why not turn your findings into a presentation and send it to us? We want to know all about your (digital) smoke and mirrors!
IT security has grown into a cornerstone of our modern society. We rely on data integrity, availability, and we do not wish our personal or business data to be mirrored on pastebin.com or other web sites. 2011 has been full of high-profile security-related incidents. 2012 will most certainly continue in this fashion. This cannot go on forever. Therefore we decided to address the lack of IT security conferences and boost their number considerably. Starting with 1 January 2013 we start the DeepSec 365 Conference Track – 365 DeepSec security conferences in 2013, one every day!
We are currently finalising the deal with our conference venue. Even the tourism industry has acknowledged that there really is nothing besides hosting IT security events. Forget skiing, spas, clubbing, museums, sightseeing and all that, you want to see exploits, risks and mitigations, right? Yesterday we got the confirmation from the hotel. Having 365 DeepSec conferences per year is a great opportunity for speakers. If you miss the deadline of a CfP, then there’s always a next deadline tomorrow. You can submit your content every day, even on a Sunday. If your proposal is rejected for DeepSec 2013/178 you might be luckier for DeepSec 2013/227, who knows. That’s a great stimulus for security researchers and lessens the impact of stress due to missing deadlines. This also means that we can have 365 Security B-Sides! How cool is that?
There will be some administrative changes, too. We will redirect from our web site to our Twitter feed. With 365 conferences going on, everything is in motion, so Twitter is a much better way to publish the schedule, changes and everything else related to the conference of the day. Conferences will be numbered for your convenience (i.e. DeepSec YYYY/NNN). Of course there will be workshops, too, but we haven’t figured out how to number them yet. Keep in mind that there will be no 365 conferences in leap years. We propose to use every 29 February as a memorial day for all those who neglected to take IT security seriously. Parliaments around the world should adopt this day as national holiday.
See you soon in 2013 – every day!
Mar 12
21
There is some discussion about certain keynote talks in the blogosphere and on mailing lists. Apparently there has been too much mentioning of mayhem and company ads lately. We will judge this as soon as we have watched the video recordings of these talks. Until we have done that we’d like to point out that all our keynote presentations go through the same Call for Papers mechanism as the „regular“ talks. This is true for DeepINTEL and DeepSec alike. It has also been true for all past DeepSec conferences.
While we don’t mind provocative content, we still like our speakers to present high quality content. Paid content, on the contrary, is not always of high quality. As soon as you enter the realm of sponsored talks you’ll suddenly realise that presentations morph into screenplays of your favourite security soap opera. We are going to die, no doubt about it, but Ebola turning digital might not be the cause. Hard facts and solid research with verified arguments can be entertaining and illuminating, too. Presentations featuring this content have more impact by far. This property can be applied to keynotes. There’s nothing wrong with some speculation every once in a while. Security research is all about creative ways to break stolen eggs for your own omelette and finding ways to avoid it (pardon the bad analogy). However, please don’t forget to back your claims properly. If you call yourself a security researcher, then don’t forget the bit about the research (you know, the part about arguments, references and proofs).
The Calls for Papers for both DeepINTEL and DeepSec are open and accept key note presentations. If you think of presenting some ads for your company, please be a sponsor and contact us.
Wired’s Danger Room has an article about how ubiquitous computing and smart homes are eagerly awaited by the CIA to turn your networked environment into a gigantic spy tool. CIA Director David Petraeus very much likes the „Internet of things“ as an information gathering tool. Security researchers can’t wait either. However, they have a very practical approach by pointing out the missing security design. Smart homes might be very dumb after all, and they might not be a „home“. If your home turns against you and breaches your privacy, it’s not a home any more. Plus the next „digital Pearl Harbor“ (whatever this means) might start in your refrigerator. Who knows?
This is a very simplistic view on the „Internet of things”. If things automatically turn into sensors and report useful information once they get networked, then why do IT departments spend so much money on monitoring systems, fraud analysis, data loss protection and intrusion detection? Shouldn’t they use the „Internet of things” approach, link everything and shove all queried data into a couple of databases? Well, people do this already, but with limited success. Collecting the data is the first step (provided the interfaces and data formats don’t work against you). Your analysis doesn’t stop there. You have to work with the data and have to apply some algorithms and procedures. You need to know what baselines are. You need to identify anomalies. You need to find meaningful correlations. This is where the hard work will be done. Usually everyone who’s just collecting any and lots of data has no clue what to look for.
Since we are talking about future networks, there are some „what ifs“ involved. What if your part of the „Internet of things“ turns hostile or against you? Could the CIA’s (or anyone’s) own smart home be invaded and bugged by attackers? Given the sound and secure design of every single network protocol in the past, this scenario is quite likely. True, sarcasm isn’t very helpful, but please talk to security researchers and remind yourself not only to see the advantage of technology in place. If you have to deal with risks, stay sceptical. Cutting network cables is a very efficient filter. Applied to real existing IT architecture it simply means that you have to be careful how your network allows access to and from the Internet or other untrustworthy networks. Networking everything is convenient, but be clear about how it is done and design the access controls.
Fortunately you don’t have to wait for the „Internet of things“. While smart homes are still mostly a thing of the future, smart phones are already here. The same is true for entertainment electronics which are required to phone home for receiving information about revoked decryption keys. Web browsers are a good start, too. Don’t let yourself be fooled by gadgets and high-tech. If the „Internet of things“ were a strategic advantage for the CIA, then Iraq and Afghanistan would probably be the first countries to deploy smart homes throughout the country. Regardless of whether you are in the espionage, security intelligence or IT business, try to work with existing technology first, then improve gradually.
Since information technology relies heavily on analogies (as do a lot of other „cyber“ things), we have a question for you. What do an intercepted phone call, infectious diseases and nuclear waste spilling into the environment have in common? Faulty containment. The Naked Security blog explains in an article how Anonymous was able to record the FBI phone call whose audio file was published in January 2012. Apparently „an Irish Garda police officer who was invited to attend the conference call about ongoing hacking investigations forwarded the message to a personal email account“. This personal e-mail account was compromised, and the information about the conference call was used to participate and to record the audio stream. This teaches a couple of lessons.
A lot of security researchers talk incessantly about containment in the shape of multiple barriers and defence in depth. That’s the theory. In practice convenience, mistakes, purpose and a whole lot of other reasons make us take shortcuts from time to time. This is a combination of human nature, habit and underestimating the value of information. Packing work-related data on USB sticks or forwarding it to external accounts is widespread. Working from home or from the road has become a lifestyle. It has proven to be effective in eroding the containment security administrators have tried to set up. Unless your security staff can defend itself against this siege, your containment will always be broken. You may be lucky, but once a „satellite“ account is broken, the attackers can use the leaked information against you.
Of course this is a simplified view, but it is a good analogy which can be put to use. If habits are the problem, you probably won’t solve the problem by technological gadgets alone. Keep your reactor core tightly shut, mind the containment, deal with the waste, stay clear of outbreaks, disinfect and always remember that „everybody lies“. (Source International Movie Database and the news ☻)
Sometimes you have to get dirty, sometimes it’s fun to get dirty. No, it’s not what might come to mind, it’s about the dirty business of information security: you have to break things to see if they are secure enough and to learn about weak points. But what to break? Your own systems? Someone else’s systems? It is best to stay clean when selecting your target for the dirty business (we talked about offensive security recently).
Most fun are “Capture the Flag” challenges, also known as war-games, which are frequently offered to the security community to test abilities and learn new stuff. I recently found a CTF challenge that looked quite fun and we started a 2-day session at the Metalab, the Hackerspace in Vienna, with a group of 6 or 7 people with different core areas, knowledge and background, but all of them creative, motivated and proficient in their special field. A perfect team to attack a CTF!
Stripe has published a Capture the Flag on Feb 22nd and it will still be open for a while, so if you want to test your hacking skills: try it out. It’s most fun if you do it in a team. I don’t want to spoil the fun for others, so there will be no details, just some teasers to make you curious:
This was quite easy, although I have to admit that the others showed me how to do it. A suid executable was provided and the source code was available.
Teaser: what will happen, if you enter “date” at the system prompt? Are you sure?
Again, simple: A web based attack with the source code available.
Teaser: Just look carefully, what information is sent to the server. Is it secured?
This one was tricky, it’s time to refresh your C-skills. Source code available.
Teaser: If you can’t jump forward then go back, just make sure you land on the right spot!
Looks simple but it’s not easy to exploit, a small C program which allocates a buffer. Again your C skills are helpful and your knowledge of the memory layout (oh darn, when you notice). And seek help from your friends on the internet – they have something you need.
Teaser: The longer the slide, the bigger the fun – and again and again and again.
Oh boy, oh boy: a python client/server web-application. Source provided, looks good and robust. We didn’t find any insecure handling of user provided data. Oh wait…
Teaser: Can I have a side of pickles with that?
That took longer than expected, C-source provided. Char by char password compare, a pretty short buffer to exploit, actually it’s not exploitable. Input length validated etc… robust code. This took us longer than expected. We developed four approaches, two of them were not leading anywhere. But the other two were successful and we made a little race.
Teaser 1: If the channel you are watching is boring switch to another.
Teaser 2: If everything is happening too fast, can you make it halt?
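The pattern behind the last level, as an added illustration that is not part of the CTF or of this post: a character-by-character password compare that stops at the first mismatch does an amount of work that depends on how long the matching prefix is, which is what a timing side channel measures. The `work_out` counter is an assumed instrumentation hook that makes the difference visible; the secret and the guesses are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Naive compare: returns at the first differing character, so the number of
 * characters examined (reported via work_out) grows with the matching prefix.
 * An observer who can time the comparison learns the password one byte at a time. */
int naive_compare(const char *secret, const char *guess, size_t *work_out) {
    size_t i = 0;
    for (;; i++) {
        if (secret[i] != guess[i]) {
            *work_out = i + 1;          /* stopped early: leaks prefix length */
            return 0;
        }
        if (secret[i] == '\0') {
            *work_out = i + 1;          /* full match, both strings ended */
            return 1;
        }
    }
}

/* Constant-work compare: always walks the whole secret, ORs all differences
 * into one accumulator and only inspects it at the end. A length mismatch is
 * folded into the accumulator instead of causing an early return, so the
 * amount of work depends only on the (fixed) secret length. */
int ct_compare(const char *secret, const char *guess, size_t *work_out) {
    size_t slen = strlen(secret);
    size_t glen = strlen(guess);
    unsigned char diff = (unsigned char)(slen != glen);
    for (size_t i = 0; i < slen; i++) {
        /* Stay inside the guess buffer; a short guess already set diff above. */
        unsigned char g = (i < glen) ? (unsigned char)guess[i] : 0;
        diff |= (unsigned char)secret[i] ^ g;
    }
    *work_out = slen;                   /* same for every guess */
    return diff == 0;
}

/* Helpers that expose only the work count, for checking the leak. */
size_t naive_work(const char *secret, const char *guess) {
    size_t w = 0;
    naive_compare(secret, guess, &w);
    return w;
}

size_t ct_work(const char *secret, const char *guess) {
    size_t w = 0;
    ct_compare(secret, guess, &w);
    return w;
}

int main(void) {
    /* Constructed secret and guesses: wrong first byte, wrong last byte, exact. */
    const char *secret = "secret42";
    const char *guesses[] = { "xecret42", "secret4X", "secret42" };
    for (size_t i = 0; i < 3; i++) {
        printf("%-10s naive work=%zu  ct work=%zu\n", guesses[i],
               naive_work(secret, guesses[i]), ct_work(secret, guesses[i]));
    }
    return 0;
}
```

The naive variant examines 1, 8 and 9 characters for the three guesses, while the constant-work variant examines 8 every time; `memcmp` and `strcmp` behave like the naive variant and are not suitable for secret comparison.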
[ASCII-art banner of the CTF server, garbled by extraction]
Please enter your preferred handle: MetalabLoungeTeam
Welcome, MetalabLoungeTeam!
the-flag@ctf4:
I hope you will have as much fun as we did; as soon as the CTF is closed we will discuss the steps in detail.
Thanks again to the Stripe team for the CTF. A must for pen-testers and red teams.