Looking back on SHA-1 deprecation to prevent similar issues in the future

Some of us have experienced interoperability issues when SHA-1 deprecation patches/enforcements were deployed. But, in theory, these issues could be avoided if we had strong proactive software dependency analysis and reactive regression testing practices.

Doing these properly in a continuous manner is extremely complex given all the dependencies in current distributed systems - where we start turning on encryption in more places where we don't have full control.

Doing a bit of a look back on the SHA-1 deprecation topic, I found these advisory services that have provided early warnings:

• Google Developers Feed - e.g.: Deprecation for SHA-1
• Google Security Blog - e.g.: SHA-1 sunsetting article in 2014 
• Apple Developer Forum - e.g.: SHA-1 deprecation
• Microsoft Security Advisories. e.g.: Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program and Windows Enforcement of SHA1 Certificates

And on more generic crypto blogs:

• Schneier blog. e.g. "SHA-1 is broken"
• SSL Labs - e.g. SHA-1 deprecation
• (this list could explode easily) 

So there will still be more patching to deprecate SHA-1 so for those of you that haven't looked into this issue, don't wait to investigate!

Hackfest 2016 Notes

My notes taken at Hackfest 2016 in Quebec City.

General

• www.security.fm french podcast
• www.isaca.org/cyber : cyber security nexus

HTTP2 DDoS

• Michael Bennett, @bennettaur, DDOS strike consultant, securitycompass
• Recently: 620Gbps against Krebs, mixed vectors; Tbps attack on OVH; Massive attack on Dyn
• HTTP2 binary proto, multiplexing, HPACK compression, server push, Prio/Dependency
• Http2 ~= tcp+http1.1
• Spec at http://httpwg.org/specs/rfc7540.html
  
• Imperva research https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
• See Google rule of thumb with http2
• Tornado lib in python
• Test with Apache HTTP with server push; 7MB of data pushed by server
• Google Chrome support
• 149x than w/o push
• Amplification attacks (small req, big response) 68:1 amp, similar to dns amplification but tcp (no reflection)
• Long lived tcp conn with multiplexing. intention is one conn per page. opens the door to slowloris
• iptables connlimit module against multiple conn attacks
• nload tool?
• Apache http2 faster than nginx
• nginx limit conn module, limit req module (still effective)
• Apache mod_evasive and ModSecurity still work
• Req rate limiting still effective
• Some tcp-level controls no longer work
• https://github.com/bennettaur/http2-ddos  

Blue team reboot, proactive defence strategy

• Cheryl Biswas, threat intel sec, Haydn Johnson
• ioc, ioa (attack), coa course of action
• Tools: Carbon Black, SysMon, Log-MD, wireshark
• www.quadrantsec.com/blog/the_false_positive_of_threat_intelligence  
• www.trendmicro.com/trendlabs-securityhintelligence/blackgear-espionage ...
• threat correlation: threat intel + data
• 4Cs: collect, consolidate, control, communicate
• big data tools: cisco opensoc, rita, breakoutdetection r package (twitter)
• sans ir: 7 steps prep, ident, containment, eradic, recovery
• cyber kill chain: recon, weaponization,
• seantmalone.com/docs... cyber kill chain
• ooda loop: observe orient decide act
• https://github.com/carnal0wnage/malicious_file_maker

Your [linux] configs are bad and you should feel bad

• Stephen Hall Security Compass
• https://cisofy.com/lynis
• linEnum in rebootuser.com
• LinuxPrivChecker.py on www.securitysift.com/download/linuxprivchecker.py
• blog.g0tmi1k.com blog basic linux priv escal
• use sudo NOEXEC flag, avoid wildcards
• Kerberos/sssd: tickets stored in /tmp (kinit, auth, sudo w kerb). use keyring (/etc/krb5.conf, /etc/pam.d/passwd)
• /etc/ssh/sshd_config: AgentAllowForwarding no
• ssh socket file in /tmp
• strings -a /proc/*/environ | grep SSH_AUTH_SOCK
• SSH multiplexing keeps ssh conn after disconnected. can be piggybacked over. 2fa not needed then
• Defend via /etc/sshd_config: Maxsessions 1
• Attack: $HOME/.ssh/config: host *;ControlMaster auto; ControlPath;ControlPersist

Exploit Kits: biggest threat you know nothing about

• Sunny Wear. @sunnywear www.sunnywear.org
• droppers, malvertising, spam

1. Gate: redirect to exploit kit (iframe…)
2. Probe: browser, plugins, is
3. Exploit page.
4. Payloads: maleare dl, spyware, malware

• Exploit kit platform: hosting, exploits, deliv. payload
• joe sandbox cloud
• as a service: malvertising, malware
• angler: 147 redir per mon, 90k targets per serv per day
• Evading: domain shadowing, 302 cushioning, custom encrypted payload (abuse digfie helman algo)
• blackhole dashboard
• Angler, Rig... Angler: flash adobe…
• Bromium mini vm, Cylance
• Taxii, stix
• Glasswire free and reasonable
• dns sinkholing
• Privoxy
• uBlock Origin
• Safescript/Noscript

Catching IMSI catchers

• Geoffrey @MrVaughan,@securityinnovation
• Harris Stingray is the most popular, used by police
• https://citizenlab.org/wp-content/uploads/2016/09/20160818-Report-Gone_Opaque.pdf
• AIMSICD app (rooted)
• opencellid.org
• signal/openwhisper app

Hunting with LimaCharlie

• Opensource automated EDR
• Endpoint detection and response
• https://github.com/refractionPOINT/limacharlie

BurpSmartBuster

• Patrick Mathieu @pathetiq
• Intro & call for help with plugin

Docker Security

• Builds on host/kernel sec.: Grsecurity kernel, SELinux/AppArmor….
• Daemon as root, socket to control
• cgroups hardware res. limits to limit (--cpu-shares, --memory…)
• namespaced resources (vol. uis/gid…). some still not namespaced (kernel, lsm, keyring…). still some holes in namespaces (CVEs)
• seccomp. granular controls for syscalls

Racing the web

• Aaron Hnatiw, @insp3ctre
• OWASP-AT-010, CWE-362
• Examples used:
• one time use coupon code
• bug bounty payout
• balance xfer between accounts
• check for crud operations
• RaceTheWeb.io (rtw). written in Go; demo at racetheweb.io/bank/withdraw
• CSRF could turn into race cond
• Defense via locks

• Python: threading.lock acquire(), release()...
• Go: sync.Mutex (lock, unlock)
• Do not use shared resources by sharing memory. Instead, share mem. by communicating
• PHP: no threading. “could” compile with --enable-sysvsem. Or do at db or file level
• ACID compliant DB (key is isolation).Serializable
• MySql: InnoDB
• Postgres: use SERIALIZABLE
• ORM: optimistic locking

Fixing the java serialization mess

• @ernst, pernst on linkedin
• Pierre Ernst
• https://research.trust.salesforce.com
• https://goo.gl/rOpF0u
• https://drive.google.com/drive/u/0/mobile/folders/0Bxlxy5_8EBJyWDVLUUpMMktKdjA
• CVE-2016-3437
• AC ED [00 05] bytes is a signature for java serializable; 50 in front: rmi call
• readObject()...
• jmx untrusted deserialization: auth is optional.

Pentesting cruises

• Pub addresses, Shodan, Whois
• Maritime Telecom Network
• Each ship has their range of IPs - e.g. 208.124.121.100-…
• marinetraffic.com, vesselfinder.com
• Example public services: pc anywhere, yelney on 2323, voip with default creds
• 67.21.16/24 maritime net
• Exploitable ssh
• CommBox login w lots of info (probably found via shodan)

Darkweb Economies

• Johnny Xmas, Benjamin Brown
• @j0hnnyXm4s, bbrowntalks@gmail.com
• https://youtu.be/CWXH7AagfrI
• https://github.com/johnnyxmas/Talk_Decks/blob/master/2016/Hackfest%20Canada%20(Infinity)/How_I_Darkweb_Economies(And_You_Can_Too).pptx
• Grams search engine (drugs…)
• Triton ATM default pin 1234

Internet of dongs

• renderlab.net, @ihackedwhat
• We-vibe lawsuit
• Follower and Goldfisk talk at Defcon
• internetofdon.gs, @internetofdongs

Untangling the dark web: unmasking onion services

• @SarahJamieLewis
• Top 5 risks:
• readable directories (backups, configs),
• exif metadata, cloned sites (mitm, mirrors),
• ssh fingerpinting (some also available outside of tor),
• localhost bypasses (server status, xampp, phpmyadmin, pwrsonal wikis, home energy mon.)
• Onionscan,Released in April for mapping dark web services

• Future

• p2p: OnionShare, Ricochet, OpenBazaar
• Moving away from browser

Make iOS Hacking Great Again

• @scriptingxss
• http://tiny.cc/hackfest
• aaron.guzman@owasp.org
• Tools: Hopper, IDA for reversing...
• JWT token (start with ey) can be decoded online, jwt debugger
• Realm db browser
• WebRTC can be used to scan internal network
• Cordova supports npm. Modules are not really code-reviewed for security.
• DB Browser for SQLLite

XSS Auditor Bypass Workshop

• http://xss.zhack.ca/hackfest/
• http://slides.com/olivierarteau/xss-auditor-bypass#/

OWASP CTF

• https://owasp.zhack.ca/

CMD+CTRL CTF

• https://cmdnctrl.net/