/var/log/messages

This section contains the latest news, announcements and thoughts from the MWR InfoSecurity team.



DeepSec 2009


Dec 03, 2009

Author: Ranjit Sandhu

The DeepSec security conference was held between November 17th and November 20th at the Renaissance Hotel next to the Imperial Riding School in Vienna. MWR InfoSecurity were invited to speak at the event for the second year in a row, with Luke Jennings presenting a talk about attacking deployment solutions. The event was well managed and both attendees and speakers were well looked after by the organisers. The conference had a nice, intimate feel to it and covers a range of topics that would interest security consultants, security researchers and security managers in equal measure. The quality of the talks was of a good standard and some of those that stood out are outlined here:

Top 10 Security Issues Developers Don't Know About
Presenter: Neelay S. Shah

This presentation looked at a number of interesting issues that could assist security consultants when performing security assessments and also help to increase awareness among developers so they can ensure their applications are not vulnerable to them. The talk covered a wide variety of security issues, including those associated with the use of IPC, named pipes, cryptography, applications that create new processes, and the issues that can arise when developing and deploying ActiveX controls and thick clients. This talk is highly recommended whether you fall into the category of security consultant or developer and want to be aware of wider security issues that fall outside the OWASP top ten.

Ownage 2.0
Presenter: Saumil Udayan Shah

Saumil set the tone of his talk by commenting on how applications and software are becoming more complex and how secure coding practices often get overlooked when deadlines have to be met. He then talked about the different attack surfaces, including browser attacks such as the use of a number of browser plugins that could be used to take control of a browser. He gave an example of an exploit that affects the PDF plugin for IE 7 that could be used to execute code on the victim's host when they access his web page. In addition he talked about how the exploit could be distributed via the use of social networking sites.

He also explained how different security issues could be combined to roll out exploits to mass targets by exploiting flaws in other systems. Saumil provided an example in which SQL injection was used to plant malicious code in a vulnerable part of a web application, so that any user with vulnerable client software who used that functionality would have code executed on their host. This talk is recommended to anyone who wants to understand how browser plugins, malicious payloads and client side attacks can be used in combination to perform mass pwnage.

Stoned déjà vu - again
Presenters:  Peter Kleissner and Michael Eisendle

The buzz around this talk immediately indicated that it was going to be something interesting, due to the media interest and the fact that Peter may be facing a lawsuit in the near future. As a result of this he was not able to refer to his notebook when writing the talk, as this had been seized as evidence. Nevertheless, the talk was still very interesting. Peter talked about the Stoned bootkit, which is a Windows bootkit that can gain unrestricted access to the entire Windows system even if certain whole disk encryption products are used. This is because the MBR, where the Stoned bootkit is stored, is not encrypted.

The second part of this talk was based on Michael's work on an RST (Remote Surveillance Tool) which is a toolkit that can be used to monitor and manipulate computers through the use of various technologies and Web 2.0 services.

Keykeriki - Universal Wireless Keyboard Sniffing For The Masses
Presenters: Thorsten Schröder and Max Moser

This talk focused on a universal 27 MHz wireless keyboard sniffer called Keykeriki that can allow keyboard strokes to be sniffed and commands to be executed at a distance of up to 75 meters. The guys showed a demo against a Logitech Wireless keyboard using the hardware and software that they have developed. This was a very cool talk and shows the importance of ensuring that hardware development is subject to the same security controls that software is. Further information on the talk can be found at:

http://www.remote-exploit.org/Keykeriki.html

eKimono: detecting rootkits inside Virtual Machine
Presenter: Nguyen Anh Quynh

There have been a number of talks on VM security in recent years, so it was interesting to find out about this talk. Nguyen's talk focused on eKimono, a rootkit scanner for virtual machines that runs in the host machine and performs scans that can detect malware in the guest machine. After giving an introduction to VM architecture and eKimono, he then gave a demo of eKimono in action. This presentation applied to Windows machines running as Xen virtual machines, and the talk is recommended for all those who are interested in VM security or have to perform a security audit against VM hosts.

Cracking GSM Encryption
Presenter: Karsten Nohl

This talk focussed on A5/1 encryption and the fact that, even though it has a number of flaws, there is still no public exploit available. Karsten hopes to change this in the next few months, and this talk explained why GSM should not be used for security systems and how A5/1 encryption is vulnerable to pre-computed rainbow table attacks. Although A5/1 rainbow tables have been generated in the past, they were never released, but it looks as if the project has picked up again. Only time will tell if they are to be released this time. For further information about his work go to:

http://www.reflextor.com/trac/a51/

A practical DOS attack to the GSM network
Presenter: Dieter Spaar

The one thing guaranteed to happen after this talk was an increase in the price of the TSM30 mobile phone, because Dieter used this phone to perform his DoS attack against a GSM network. In order to demonstrate this, Dieter had access to a test GSM network which had been appropriately provided by the powers that be. This talk is recommended for all those who have an interest in GSM security.


Presentation: DeepSec 2009 - Weapons of Mass Pwnage: Attacking Deployment Solutions


Dec 03, 2009

Luke Jennings presented at DeepSec '09 in Vienna, Austria regarding the security of deployment solutions and some of the recent vulnerabilities he discovered in Symantec's Altiris Deployment Solution. The slides for this presentation are available from:

http://labs.mwrinfosecurity.com/files/Publications/mwri_deepsec09_weapons-of-mass-pwnage_2009-11-20.pdf


Singing the Mainframe Security Blues?


Nov 17, 2009

Author: Martyn Ruks

As an Information Security Officer what is the one question that the non-technical executives ask you the most? Usually it's as simple as "Are we secure?" - and the answer had better be "Yes". Anyone who's had to back that answer up will have done their background research, been to conferences, read books and talked to their counterparts in other companies. Invariably this will have equipped you with knowledge of IT security from port scans and exploits through to Trojans and viruses. Armed with this knowledge you can understand the need for firewalls, IDS, anti-virus and how their effectiveness should be confirmed through penetration testing.

But what if your most critical data is held on a mainframe? Did they teach you about this at hacker boot-camp or in those hacking textbooks? But does that matter? After all, you know about IP and the ways that hackers try to attack your systems using it. You have firewalls on your network and have regular pen tests completed against your systems. Given this knowledge, the answer to the question is "Yes, we are secure".

But still there's that worry at the back of your mind that there is something you haven't thought about. If you are in the information security industry you know about that voice; call it paranoia, call it your natural distrust. What is it about the mainframe that makes you nervous? Is it the fact that, in essence, that big metal box downstairs is your business? Just what is our subconscious trying to tell us?

Well, maybe that little voice in your head is trying to tell you to think outside the Internet Protocol. Your network is routing IP packets around and your firewalls are happily filtering the hostile ones. But what about the other protocols, whether IPX, SNA, DECnet, NetBIOS or OSLAN? Do you know what they are doing? Why they are there? What risks they expose? If you have to think about the answers to those questions, then are you still so sure about the answer you gave to the Chief Exec?

Let's put this into perspective with an example: what if you have an IBM mainframe that is not running an IP stack? Well, you're going to need to know about the protocols it is running, and one that will almost certainly be present is Systems Network Architecture (SNA). Let's start with a brief history lesson.

SNA was announced by IBM back in the late 1970s and was designed as a unified architecture that could connect user terminals to the mainframe. Whilst various extensions have been added to the architecture, the protocol itself has remained largely unchanged over the years. Indeed, the biggest changes have been in the ways the protocol has been deployed onto corporate networks. In the past, the network infrastructure included various hardware devices such as Cluster and Network Controllers and fixed line, point-to-point network links. In this environment SNA security wasn't a problem, it was reliable (when it wanted to be), and it was less exposed than it is today. But then - the types of threat that we see today just weren't as prominent.

Over the years this older hardware has gradually been replaced and now SNA traffic will probably be bridged over Ethernet or could be encapsulated using protocols such as Data Link Switching (DLSw). However, it is also possible to use an SNA gateway to convert IP traffic into SNA. So, while the core of the SNA protocol has remained essentially constant, new technologies have emerged and evolved around it; and it is for this reason that your network could be at risk.
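The first step the article calls for is knowing which of these encapsulations are actually on the wire. The following Python classifier is an added example, not code from the original article: it labels raw Ethernet frames by the protocol family they carry, using the standard EtherType and 802.2 SAP assignments for IPX, DECnet, SNA and NetBIOS, and flags IPv4 flows on the DLSw TCP ports (2065/2067, RFC 1795) as tunnelled SNA. The sample frames are constructed by hand; in practice the bytes would come from a packet capture.

```python
# Added example (not from the original post): label raw Ethernet frames by protocol
# family so legacy non-IP traffic and SNA tunnelled in DLSw can be inventoried.
import struct
from collections import Counter

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",      # Ethernet II
              0x8137: "IPX", 0x6003: "DECnet Phase IV"}
LLC_SAPS = {0x04: "SNA", 0x08: "SNA", 0x0C: "SNA",                 # 802.2 DSAPs
            0xF0: "NetBIOS", 0xE0: "IPX"}
DLSW_PORTS = {2065, 2067}        # Data Link Switching over TCP (RFC 1795)

def classify_frame(frame: bytes) -> str:
    """Return a label for the protocol family carried by one Ethernet frame."""
    if len(frame) < 14:
        return "runt"
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if type_or_len >= 0x0600:                    # Ethernet II: field is an EtherType
        if type_or_len == 0x0800:
            return classify_ipv4(payload)
        return ETHERTYPES.get(type_or_len, "EtherType 0x%04x" % type_or_len)
    if len(payload) < 3:                         # 802.3: LLC header should follow
        return "802.3 (truncated)"
    dsap = payload[0] & 0xFE                     # drop the individual/group address bit
    return LLC_SAPS.get(dsap, "802.3 LLC DSAP 0x%02x" % payload[0])

def classify_ipv4(pkt: bytes) -> str:
    """IPv4 is only 'plain' if it is not a DLSw session carrying SNA over TCP."""
    if len(pkt) < 20:
        return "IPv4 (truncated)"
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == 6 and len(pkt) >= ihl + 4:      # IP protocol 6 = TCP
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if sport in DLSW_PORTS or dport in DLSW_PORTS:
            return "SNA over DLSw (TCP)"
    return "IPv4"

def inventory(frames) -> dict:
    # Count frames per label; every label outside IPv4/ARP/IPv6 needs an owner.
    return dict(Counter(classify_frame(f) for f in frames))

# Constructed sample frames (not a real capture): dst/src MACs, then type/len + payload.
MACS = b"\x00\x11\x22\x33\x44\x55" + b"\x00\x66\x77\x88\x99\xaa"
IPV4_TCP_DLSW = (b"\x45" + b"\x00" * 8 + b"\x06" + b"\x00" * 10          # IPv4, proto TCP
                 + struct.pack("!HH", 40123, 2065) + b"\x00" * 16)      # TCP dport 2065
SAMPLE_FRAMES = [
    MACS + b"\x81\x37" + b"\x00" * 32,                    # IPX over Ethernet II
    MACS + b"\x00\x20" + b"\x04\x04\x03" + b"\x00" * 29,  # 802.3 LLC, SNA DSAP 0x04
    MACS + b"\x00\x20" + b"\xf0\xf0\x03" + b"\x00" * 29,  # 802.3 LLC, NetBIOS DSAP 0xF0
    MACS + b"\x08\x00" + IPV4_TCP_DLSW,                   # SNA tunnelled in DLSw
]
```

Running `inventory(SAMPLE_FRAMES)` gives one count per label; any SNA, NetBIOS, IPX or DLSw entry on a production segment is a protocol your IP firewalls and pen tests never looked at.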

It is a given that the protocols and technologies used today have their weaknesses (be they known or unknown) and that if they are configured incorrectly this can enable an attacker to gain access to your most critical data. This is equally true when they are used to provide your users with access to your mainframe.

So if SNA is so dangerous in modern environments why do we still use it? Well, firstly it would simply prove too costly to migrate the legacy applications which still use it; secondly, the dangers associated with these protocols are not widely understood, and certainly aren't documented anywhere.

So what can we do to mitigate the risk and ensure that our systems are secure? Before you can apply the good information security practice we mentioned earlier, you will need to understand how your network operates. It will be much easier to understand the risks if you understand how SNA works. You should use all the resources at your disposal, including any colleagues or external companies who understand the protocols and their inherent risks. This knowledge is often lacking among security professionals who have grown up in the age of IP.

So, by correctly identifying the risks that need to be mitigated you will be able to identify methods for introducing additional security controls. Only then will you be in a position to secure your networks in the most appropriate manner, and to know whether this can be accomplished through configuration changes, or if it will require a fundamental redesign of your network.

And, of course, if you are using another protocol rather than SNA, the answer will be the same. Understand the technology and how it operates in your environment as fully as possible, evaluate the associated risk and then minimise it in the most appropriate manner.

The biggest challenge in securing your networks is understanding the source of the risk. Once you understand this it is much easier to take the right approach to securing your network. And that means that the next time you are asked whether you're secure, you can answer with confidence:

"Yes, we're secure!"


Attacking Altiris at DeepSec '09


Sep 07, 2009

Luke Jennings will be talking at DeepSec '09 in Vienna, Austria on 20th November 2009 regarding the security of deployment solutions and some of the recent vulnerabilities he discovered in Symantec's Altiris Deployment Solution.

https://deepsec.net/docs/speaker.html#PSLOT39

If you are interested in this, be sure to come along!


USB Research to be Presented at t2'09


Sep 01, 2009

Following the talk presented at Defcon 17 this year, Rafa has continued his research into USB attacks and will provide an update on his research at t2 in Finland on Thursday 29th October 2009. The presentation will cover a wide range of security considerations for the use of USB devices. However, it will specifically focus on the evolution of an attack that can be delivered through a malicious USB device. The talk will also include discussion of the methods that can be used to identify and exploit vulnerabilities in USB drivers, and their advantages and disadvantages.


