This is my wrap-up for the second day of Troopers15. Before the review of the talks, a few words about the conference. The venue is really nice as well as the facilities. A good WiFi coverage (IPv4/IPv6) and even a dedicated GSM network! “ Troopers ” SIM card were available for free at the reception desk. Besides the classic activities, a charity auction was also organized to help organizations to realize projects around the Internet like installing a satellite link in a refugee camp.
The second keynote was assigned to Sergey Bratus , Research Assistant Processor at Dartmouth College. Sergey is an amazing speaker! His keynote title was “ My favourite things ”.
Sergey explained via multiple examples how we are facing impossible problems against we cannot fight: The fact of hard vs (probably) impossible. Examples: Hard is flight and impossible is the perpetual motion. Computer programs rely on inputs. A classic path is:
input -> processing -> output.
And, nothing new, we cannot trust inputs. The idea presented by Sergey is to clearly split the analyse of inputs and processing. To sanitise inputs, we need to parse the data but writing parsers is very difficult. As he said: “ Parsers is like crypto, don’t write them by yourself ”. He demonstrated how some quick patches in popular applications (Apache, NGinx) are stupid checks and could be avoided by writing correct parsers of data. Other examples were reviewed:
- The heartbleed SSL bug
- The Apple “goto fail;” bug
- The GNU-TLS Hello bug
Sergey recommended a parser called Hammer . You must have a bright line between the input stream & validation and the processing (malloc(), memcpy()). The final tip provided by Sergey was: Simplify the inputs, use a grammar and keep it simple.
For the talks, my first choice was to go to the “ defence ” track where Friedwart Kuhn presented “ How to Efficiently Protect Active Directory from Credential Theft & Large Scale Compromise ”. It was based on a real-world expertise. Microsoft is present in almost every company network with its ActiveDirectory architecture. The first question asked by Friedwart was: “ Do you think that you/your AD is safe? ”.
For a while, ActiveDirectory infrastructures have been targeted by multiple attacks: Pass-the-Hash, Golden Tickets, etc. I liked the comparison with Terminator-2 who can impersonate anybody and bypass security controls. Stolen credentials remain a major threat today. To explain how the authentication processes work in the Windows operating systems would require much more than a 1-hour talk but Friedwart made a good compilation of the most common terms and protocols (the LSASS process, NTLM, Kerberos, etc). Keep in mind that for most versions of the Microsoft OS, data are still stored in memory which makes them readable by many tools (like mimikatz ). Friedwart also insisted in the fact that other operating systems are vulnerable too. Ubuntu stores the Kerberos tickets in temporary files. And the root account can access all of them. After this introduction (with a white-hat), Friedwart switched to the black-hat side and explained how easy it is to look at credentials theft & reuse. He explained what is the “ pass-the-hash ” attack and the “ Golden Ticket ” attack. He made a live demo and created a Golden ticket valid for ten years(!).
Finally, Friedwart explained how to mitigate such attacks. He split the response in two slides. One for the management based on three major steps:
- Reorganise the administrative practice/management of AD and critical services
- Add more controls
- Implement security logging & monitoring
The good news: this does not require huge investments! The other slides explained mitigation techniques from a technical point of view. The idea is to design and implement in 3 tiers: DC / Servers / Workstations. You also need to separate stuff and use the ESAE forest (a service offered by Microsoft). To mitigate attacks, there is not much to do if you already implemented the above requirements. A last tip: Reset the KRBTGT account on a regular basic and of course… monitor your logs!
My second choice was about CVE-2011-2461. Luca Carettoni and Mauro Gentile . Adobe Flex (now Apache Flex since 2011) is an open source SDK to build SWF files. It provides a lot to fools and classes to develop interactive apps. Starting from Flex V3 apps support dynamic localization (multiple languages). This can be done at compilation time or dynamically using a component called Resource Module. It allows to change text labels without recompiling the app. Resource pre-loading by passing FlashVars in the HTML wrapper. SOP is available in Adobe plug-ins. (Same Origin Policy). What if a malicious web page can ask Flex apps to load arbitrary resource modules? This is CVE-2011-2461.
Some exploitation scenarios?
- Same-Origin Request Forgery
- UI Redressing (changing the app test -> phishing, etc)
- XSS in older versions of Flash Player
They performed life demo of the vulnerability. To conclude:
- It’s a cool bug
- CVE-2011-2461 was patched in the Flex SDK
- No technical details were published
The last question was: Are they application still vulnerable? Four years later? Yes of course! To identify such application, the speakers developed a cool called ParrotNG . It can be used from the command line or, even more powerful, as a BurpSuite plug-in. Finally, keep in mind that all files must be patched and the player does not help. Suggestion to Adobe: implement checks into the player to block vulnerable applications.
After the lunch, Martijn Grooten , from Virus Bulletin, presented “ The stat of email in 2015 ”. More precisely, the talk was how to fight against spam which remains a major issue today. Everybody uses email for years. It did not change since the 90’s. One fact: Alice can send a mail to Bob without prior permission, this is called “ unsolicited mail ” (spam). To cancel spam, email must be redesigned!
Then came spam filters… content based and filters but, still today, it remains a cat & mouse game. Spammers realised that they can be someone else and use bots. So, how to mitigate the spam problem?
- Content-based filters
- IP / domains blacklists
- Outbound filters (ISP’s)
- Botnets takedown!
- Anti-spam legislation
- Use new technologies like SPF, DKIM, DMARC
What is SPF (Sender Policy Framework)? Think about asking via DNS requests if an IP address can send emails for a domain. DMARC is a mix of SPF/DKIM. The status today is that spam is fairly well mitigated. Note that current anti-spam infrastructure remains vulnerable to big changes. Then, IPv6 came and change the landscape! Good news and bad news: Email runs properly on IPv6 (layer 7) but… spam filters makes heavy uses of … IPv4… Why not keep them on IPv4? We don’t need so many IPv6 servers…Can’t stop IPv6 deployment… Solutions? Adapt blacklists to IPv6?
Then Martijn, switched to the next big issue with emails, privacy! In email, there was the before and post-Snowden era… Encryption is popular but… if mails are sent to the 1st smtp hop using TLS, what about the other relays? PGP to the rescue! PGP is not easy no scalable and leaks a lot of metadata! A few words about DIME (Dark Internet Mail Environment) Encrypted + very low amount of metadata. DMTP is an extension of SMTP. DIME has been written by people who understand email. It integrates smoothly into email and allows users to place trust in servers (webmail). Users don’t need to understand crypto! Can we be optimistic? We have collectively shown that we’re very good at fighting spam. DIME includes various levels of security and trust. Spam filters can be integrated into those.
The next talk was “ Weapons of Mass Distraction – Sock Puppetry for Fun & Profit ” by Marco Slaviero and Azhr Desai . I was also curious about the title that’s why I deduced to attend their presentation.
Internet being a media, it was already disconnected from times to times by governments (ex: Egypt, Tunisia). But instead of stupidly cutting down the Internet, the same governments found that it can also be used to control their citizens. UGC (“ User Generated Content ”) became more and more important across the last years. Everybody can generate some content on blogs, social network. UGC is the new paradigm. How will the government censorship handle UGC? Censorship 2.0 is profoundly important. With such amount of data created online, how can we affect the way they receive attention from people. The research made by Marco and Azhr is based on sock puppets. What is a sock puppet? Here is the Wikipedia definition: A sock puppet is an online identify used for purposes of deception. The questions posed by the speakers were:
- What can be done?
- What will be done?
- What is being done?
The challenge is to measure efficiency of your increase/decrease of attention? How to divert the attention of your readers? They reviewed multiple ways to share information and applied different scenarios:
- Mailing lists
- Online polls
- News sties
- Comment systems
It was very interesting to see how people will react differently to a message if it is posted alone or a new message with several replies. Is there real sock puppet in the wild? Yes, this happens. How to attract them? Use hot topics or controversial. The analysed the relation between the registration times and the posted comments time. The suck puppet army is really active on the following forums: CNN & AJ English and Jerusalem Post. They used https://disqus.com/ to achieve this. What are the topics?
But who’s behind this army? They have no idea. The conclusion to this talk: all UGC sites have been trivial to manipulate!
Finally, the latest talk was “ Wallstreet of Windows Binaries ” by Marion Marschalek and Joseph Moti . For a while bugs have names, logos, websites. They have better documentation that before because today it’s cool to find a bug! Researchers need their 5-mins of fame.
Moti explained why the 0-day business is very close to the trading rules:
- Do not be greedy/emotional
- Accept that you can lose and it is okey (got patched before the sale)
- Always have a plan and it should come with a lot of patience
- Do not fall in love with the stick.
- You better be familiar with the stuff you’re going to buy
- Do not think too much
- Remember that one day you’ll need to sell nothing goes up forehead
Finding a 0-day is like having a stock: you have to value it, you can sell it, you can trade it with another 0-day. How to value a 0-day: IPO (Initial Public Offering). Value depends on the market. The market decides of the value not the developer! Insider trading? Prohibited… if you are working for the target and have access to sources/tools/docs. Buy and sell the same 0-day multiple times? Exclusive vs shared sale. Where do you trade? O-day? white or black market. White : ZDI, I-defense, black? more money! If you go to the black market, you need a broker who will take it, valuate and search for customers (with a percentage as commission). Windows vulnerability API/keyword. as companies have code: ex: GradientFill -> Fill.
Finding vulnerabilities by rating functions? Marion’s tool is called “ Wallstreet ”. Data analytics for cheap people: Marion showed a picture with sheep, one of them being black. How to separate the black sheep from others?
- Problem: Find Frank the black sheep
- Attributes: Hair length, color
- Attributes evaluation: Sound won’t work
- Fine graining: 2 colors only
- Magic: SELECT * FROM … WHERE color=‘black’
The tool is based on:
- HexRays decompiler
- Python Magic
The presentation ended with a demo how to find which process load a specific DLL which could lead to a compromized system.
It’s already over for me. I drove immediately back to Belgium after the last talk. First amazing experience with TROOPERS! Thanks to the crew and particularly to Erno to welcome me.