2 Apr 2017

Looking back on SHA-1 deprecation to prevent similar issues in the future

Some of us have experienced interoperability issues when SHA-1 deprecation patches/enforcements were deployed. But, in theory, these issues could be avoided if we had strong proactive software dependency analysis and reactive regression testing practices.

Doing these properly in a continuous manner is extremely complex given all the dependencies in current distributed systems - where we start turning on encryption in more places where we don't have full control.

Doing a bit of a look back on the SHA-1 deprecation topic, I found these advisory services that have provided early warnings:

And on more generic crypto blogs:

So there will still be more patching to deprecate SHA-1 so for those of you that haven't looked into this issue, don't wait to investigate!

10 Nov 2016

Hackfest 2016 Notes

My notes taken at Hackfest 2016 in Quebec City.

General

HTTP2 DDoS

  • Michael Bennett, @bennettaur, DDOS strike consultant, securitycompass
  • Recently: 620Gbps against Krebs, mixed vectors; Tbps attack on OVH; Massive attack on Dyn
  • HTTP2 binary proto, multiplexing, HPACK compression, server push, Prio/Dependency
  • Http2 ~= tcp+http1.1
  • Spec at http://httpwg.org/specs/rfc7540.html
  • Imperva research https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
  • See Google rule of thumb with http2
  • Tornado lib in python
  • Test with Apache HTTP with server push; 7MB of data pushed by server
  • Google Chrome support
  • 149x than w/o push
  • Amplification attacks (small req, big response) 68:1 amp, similar to dns amplification but tcp (no reflection)
  • Long lived tcp conn with multiplexing. intention is one conn per page. opens the door to slowloris
  • iptables connlimit module against multiple conn attacks
  • nload tool?
  • Apache http2 faster than nginx
  • nginx limit conn module, limit req module (still effective)
  • Apache mod_evasive and ModSecurity still work
  • Req rate limiting still effective
  • Some tcp-level controls no longer work
  • https://github.com/bennettaur/http2-ddos  

Blue team reboot, proactive defence strategy

Your [linux] configs are bad and you should feel bad

  • Stephen Hall Security Compass
  • linEnum in rebootuser.com
  • blog.g0tmi1k.com blog basic linux priv escal
  • use sudo NOEXEC flag, avoid wildcards
  • Kerberos/sssd: tickets stored in /tmp (kinit, auth, sudo w kerb). use keyring (/etc/krb5.conf, /etc/pam.d/passwd)
  • /etc/ssh/sshd_config: AgentAllowForwarding no
  • ssh socket file in /tmp
  • strings -a /proc/*/environ | grep SSH_AUTH_SOCK
  • SSH multiplexing keeps ssh conn after disconnected. can be piggybacked over. 2fa not needed then
  • Defend via /etc/sshd_config: Maxsessions 1
  • Attack: $HOME/.ssh/config: host *;ControlMaster auto; ControlPath;ControlPersist

Exploit Kits: biggest threat you know nothing about

  1. Gate: redirect to exploit kit (iframe…)
  2. Probe: browser, plugins, is
  3. Exploit page.
  4. Payloads: maleare dl, spyware, malware
  • Exploit kit platform: hosting, exploits, deliv. payload
  • joe sandbox cloud
  • as a service: malvertising, malware
  • angler: 147 redir per mon, 90k targets per serv per day
  • Evading: domain shadowing, 302 cushioning, custom encrypted payload (abuse digfie helman algo)
  • blackhole dashboard
  • Angler, Rig... Angler: flash adobe…
  • Bromium mini vm, Cylance
  • Taxii, stix
  • Glasswire free and reasonable
  • dns sinkholing
  • Privoxy
  • uBlock Origin
  • Safescript/Noscript

Catching IMSI catchers

Hunting with LimaCharlie

BurpSmartBuster

  • Patrick Mathieu @pathetiq
  • Intro & call for help with plugin

Docker Security

  • Builds on host/kernel sec.: Grsecurity kernel, SELinux/AppArmor….
  • Daemon as root, socket to control
  • cgroups hardware res. limits to limit (--cpu-shares, --memory…)
  • namespaced resources (vol. uis/gid…). some still not namespaced (kernel, lsm, keyring…). still some holes in namespaces (CVEs)
  • seccomp. granular controls for syscalls

Racing the web

  • Aaron Hnatiw, @insp3ctre
  • OWASP-AT-010, CWE-362
  • Examples used:
    • one time use coupon code
    • bug bounty payout
    • balance xfer between accounts
    • check for crud operations
  • RaceTheWeb.io (rtw). written in Go; demo at racetheweb.io/bank/withdraw
  • CSRF could turn into race cond
  • Defense via locks
  • Python: threading.lock acquire(), release()...
  • Go: sync.Mutex (lock, unlock)
  • Do not use shared resources by sharing memory. Instead, share mem. by communicating
  • PHP: no threading. “could” compile with --enable-sysvsem. Or do at db or file level
  • ACID compliant DB (key is isolation).Serializable
  • MySql: InnoDB
  • Postgres: use SERIALIZABLE
  • ORM: optimistic locking

Fixing the java serialization mess

Pentesting cruises

  • Pub addresses, Shodan, Whois
  • Maritime Telecom Network
  • Each ship has their range of IPs - e.g. 208.124.121.100-…
  • marinetraffic.com, vesselfinder.com
  • Example public services: pc anywhere, yelney on 2323, voip with default creds
  • 67.21.16/24 maritime net
  • Exploitable ssh
  • CommBox login w lots of info (probably found via shodan)

Darkweb Economies

Internet of dongs

Untangling the dark web: unmasking onion services

  • @SarahJamieLewis
  • Top 5 risks:
    • readable directories (backups, configs),
    • exif metadata, cloned sites (mitm, mirrors),
    • ssh fingerpinting (some also available outside of tor),
    • localhost bypasses (server status, xampp, phpmyadmin, pwrsonal wikis, home energy mon.)
  • Onionscan,Released in April for mapping dark web services
  • Future
  • p2p: OnionShare, Ricochet, OpenBazaar
  • Moving away from browser

Make iOS Hacking Great Again

  • @scriptingxss
  • Tools: Hopper, IDA for reversing...
  • JWT token (start with ey) can be decoded online, jwt debugger
  • Realm db browser
  • WebRTC can be used to scan internal network
  • Cordova supports npm. Modules are not really code-reviewed for security.
  • DB Browser for SQLLite

XSS Auditor Bypass Workshop

OWASP CTF

CMD+CTRL CTF