My notes taken at Hackfest 2016 in Quebec City.
General
- www.security.fm French podcast
- www.isaca.org/cyber : cyber security nexus
HTTP2 DDoS
- Michael Bennett, @bennettaur, DDoS strike consultant, Security Compass
- Recently: 620 Gbps against Krebs, mixed vectors; Tbps attack on OVH; massive attack on Dyn
- HTTP2: binary protocol, multiplexing, HPACK compression, server push, priority/dependency
- HTTP2 ~= TCP + HTTP/1.1
- Spec at http://httpwg.org/specs/rfc7540.html
- Imperva research https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
- See Google rule of thumb with http2
- Tornado lib in python
- Test with Apache HTTP with server push; 7MB of data pushed by server
- Google Chrome support
- 149x vs. w/o push
- Amplification attacks (small request, big response): 68:1 amplification, similar to DNS amplification but over TCP (no reflection)
- Long-lived TCP connection with multiplexing; the intention is one connection per page. Opens the door to Slowloris-style attacks
- iptables connlimit module against multiple conn attacks
- nload tool?
- Apache http2 faster than nginx
- nginx limit_conn module, limit_req module (still effective)
- Apache mod_evasive and ModSecurity still work
- Req rate limiting still effective
- Some tcp-level controls no longer work
- https://github.com/bennettaur/http2-ddos
Blue team reboot, proactive defence strategy
- Cheryl Biswas, threat intel sec, Haydn Johnson
- IOC (indicator of compromise), IOA (indicator of attack), COA (course of action)
- Tools: Carbon Black, Sysmon, Log-MD, Wireshark
- www.trendmicro.com/trendlabs-securityhintelligence/blackgear-espionage ...
- threat correlation: threat intel + data
- 4Cs: collect, consolidate, control, communicate
- Big data tools: Cisco OpenSOC, RITA, BreakoutDetection R package (Twitter)
- SANS IR: 7 steps: preparation, identification, containment, eradication, recovery
- cyber kill chain: recon, weaponization,
- seantmalone.com/docs... cyber kill chain
- OODA loop: observe, orient, decide, act
Your [linux] configs are bad and you should feel bad
- Stephen Hall Security Compass
- LinEnum (rebootuser.com)
- blog.g0tmi1k.com blog: basic Linux privilege escalation
- Use the sudo NOEXEC flag; avoid wildcards (in sudoers rules)
- Kerberos/sssd: tickets stored in /tmp (kinit, auth, sudo with Kerberos). Use the kernel keyring instead (/etc/krb5.conf, /etc/pam.d/passwd)
- /etc/ssh/sshd_config: AllowAgentForwarding no
- SSH agent socket file lives in /tmp
- strings -a /proc/*/environ | grep SSH_AUTH_SOCK
- SSH multiplexing keeps the SSH connection open after the user disconnects; it can be piggybacked over, and 2FA is not needed then
- Defend via /etc/ssh/sshd_config: MaxSessions 1
- Attack: $HOME/.ssh/config: Host *; ControlMaster auto; ControlPath; ControlPersist
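Added example (mine, not from the talk): a small audit of the two sshd_config hardening points above plus the ControlMaster pattern in a user's ssh config. The sample config texts are constructed; the key caveat it encodes is that sshd_config and ssh_config use the FIRST value seen for a keyword, so a hardening line appended at the bottom of the file does nothing.

```python
import re
from typing import Dict, List

# Constructed sshd_config: the admin appended "MaxSessions 1" at the end, but an
# earlier "MaxSessions 10" wins, so the hardening is silently ineffective.
SAMPLE_SSHD_CONFIG = """
# defaults kept from the distro
MaxSessions 10
AllowAgentForwarding yes
MaxSessions 1   # appended later, has no effect
"""

# Constructed user ~/.ssh/config showing the persistent-multiplexing pattern.
SAMPLE_USER_SSH_CONFIG = """
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
"""

def first_wins(config_text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines (keywords case-insensitive, '=' allowed);
    keep only the first value per keyword, matching OpenSSH semantics."""
    seen: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return seen

def audit_sshd(config_text: str) -> List[str]:
    """Findings against the two sshd_config settings from the talk
    (OpenSSH defaults: AllowAgentForwarding yes, MaxSessions 10)."""
    cfg = first_wins(config_text)
    findings = []
    if cfg.get("allowagentforwarding", "yes").lower() != "no":
        findings.append("AllowAgentForwarding is not 'no'")
    if cfg.get("maxsessions", "10") != "1":
        findings.append("MaxSessions is not 1 (multiplexed sessions can piggyback)")
    return findings

def audit_user_ssh_config(config_text: str) -> List[str]:
    """Flag persistent multiplexing directives regardless of Host block
    (simplification: a real audit would evaluate per-Host sections)."""
    cfg = first_wins(config_text)
    flagged = [k for k in ("controlmaster", "controlpersist") if k in cfg]
    return [f"{k} set to {cfg[k]}" for k in flagged]
```
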
Exploit Kits: biggest threat you know nothing about
- Sunny Wear. @sunnywear www.sunnywear.org
- droppers, malvertising, spam
- Gate: redirect to exploit kit (iframe…)
- Probe: browser, plugins, is
- Exploit page.
- Payloads: malware download, spyware, malware
- Exploit kit platform: hosting, exploits, payload delivery
- joe sandbox cloud
- as a service: malvertising, malware
- Angler: 147 redirects per month, 90k targets per server per day
- Evading: domain shadowing, 302 cushioning, custom encrypted payload (abuses the Diffie-Hellman key exchange)
- Blackhole dashboard
- Angler, Rig... Angler: Adobe Flash…
- Bromium mini vm, Cylance
- Taxii, stix
- Glasswire free and reasonable
- dns sinkholing
- Privoxy
- uBlock Origin
- SafeScript/NoScript
Catching IMSI catchers
- Geoffrey @MrVaughan,@securityinnovation
- Harris Stingray is the most popular, used by police
- AIMSICD app (requires a rooted phone)
- opencellid.org
- Signal (Open Whisper Systems) app
Hunting with LimaCharlie
- Open-source automated EDR (endpoint detection and response)
BurpSmartBuster
- Patrick Mathieu @pathetiq
- Intro & call for help with plugin
Docker Security
- Builds on host/kernel security: grsecurity kernel, SELinux/AppArmor…
- Daemon runs as root; controlled over a socket
- cgroups: hardware resource limits (--cpu-shares, --memory…)
- Namespaced resources (volumes, uid/gid…); some are still not namespaced (kernel, LSM, keyring…), and there are still holes in namespaces (CVEs)
- seccomp: granular control over syscalls
Racing the web
- Aaron Hnatiw, @insp3ctre
- OWASP-AT-010, CWE-362
- Examples used:
- one time use coupon code
- bug bounty payout
- balance xfer between accounts
- Check for CRUD operations
- RaceTheWeb.io (rtw), written in Go; demo at racetheweb.io/bank/withdraw
- CSRF could turn into a race condition
- Defense via locks
- Python: threading.Lock acquire(), release()...
- Go: sync.Mutex (Lock, Unlock)
- Do not share resources by sharing memory; instead, share memory by communicating
- PHP: no threading. "Could" compile with --enable-sysvsem, or lock at the DB or file level
- ACID-compliant DB (the key is isolation): SERIALIZABLE
- MySQL: InnoDB
- Postgres: use SERIALIZABLE isolation
- ORM: optimistic locking
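Added example (mine, not from the talk or from RaceTheWeb): the balance-withdrawal race from the examples above, with the unlocked check-then-act version beside the threading.Lock version from the "defense via locks" notes. The account and the sleep standing in for a DB round-trip are constructed; Go's sync.Mutex plays the same role as the lock here.

```python
import threading
import time
from typing import Tuple

class Account:
    """Toy account. The sleep between the balance check and the write simulates
    the DB round-trip that gives concurrent requests their race window."""
    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_unsafe(self, amount: int) -> bool:
        # Vulnerable: every concurrent request reads the same balance, all pass
        # the check, and all of them subtract (the one-time coupon / payout bug).
        if self.balance >= amount:
            time.sleep(0.2)                 # constructed latency
            self.balance -= amount
            return True
        return False

    def withdraw_locked(self, amount: int) -> bool:
        # Defense: check and write are one critical section. `with` calls
        # acquire()/release() for us; a Go handler would use sync.Mutex Lock/Unlock.
        with self.lock:
            if self.balance >= amount:
                time.sleep(0.2)
                self.balance -= amount
                return True
            return False

def race(locked: bool, requests: int = 10, balance: int = 100,
         amount: int = 100) -> Tuple[int, int]:
    """Fire `requests` concurrent withdrawals of `amount` against one account.
    Returns (final balance, number of withdrawals that reported success)."""
    acct = Account(balance)
    fn = acct.withdraw_locked if locked else acct.withdraw_unsafe
    results = []
    threads = [threading.Thread(target=lambda: results.append(fn(amount)))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(results)

if __name__ == "__main__":
    print("unlocked (balance, successes):", race(locked=False))   # balance goes negative
    print("locked   (balance, successes):", race(locked=True))    # (0, 1)
```
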
Fixing the java serialization mess
- @ernst, pernst on linkedin
- Pierre Ernst
- CVE-2016-3437
- AC ED 00 05 bytes are the signature of a Java serialization stream; a 0x50 byte in front of it: RMI call
- readObject()...
- JMX untrusted deserialization: authentication is optional.
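Added example (mine, not from the talk): a detection helper that recognises the AC ED 00 05 signature and the 0x50 RMI-call prefix noted above, and pulls the first class name out of the stream so an inbound body can be checked against an allowlist. The sample stream is constructed (header of a stream whose first object is a java.util.HashMap, truncated after the serialVersionUID); the format constants are from the Java Object Serialization Stream Protocol.

```python
import struct
from typing import Dict, Iterable, Optional

STREAM_MAGIC = b"\xac\xed"          # "AC ED"
STREAM_VERSION = b"\x00\x05"        # "00 05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
JRMP_CALL = 0x50                    # JRMP "Call" message type (the "50 in front")

def inspect_java_stream(data: bytes) -> Optional[Dict[str, object]]:
    """Return {'rmi_call', 'version', 'first_class'} if `data` starts with a
    Java serialization stream (optionally wrapped in a JRMP Call), else None."""
    rmi_call = False
    if data[:1] == bytes([JRMP_CALL]) and data[1:3] == STREAM_MAGIC:
        rmi_call = True
        data = data[1:]
    if data[:2] != STREAM_MAGIC or len(data) < 4:
        return None
    info: Dict[str, object] = {
        "rmi_call": rmi_call,
        "version": struct.unpack(">H", data[2:4])[0],
        "first_class": None,
    }
    # Common case only: TC_OBJECT followed by an inline TC_CLASSDESC whose
    # class name is a 2-byte-length-prefixed modified-UTF-8 string. Back
    # references, proxies and arrays are left unparsed rather than guessed at.
    if data[4:6] == bytes([TC_OBJECT, TC_CLASSDESC]) and len(data) >= 8:
        name_len = struct.unpack(">H", data[6:8])[0]
        name = data[8:8 + name_len]
        if len(name) == name_len:
            info["first_class"] = name.decode("utf-8", "replace")
    return info

def is_allowed(data: bytes, allowlist: Iterable[str]) -> bool:
    """Allowlist gate on the outermost class. Nested objects are not checked here;
    in-JVM filtering (ObjectInputFilter, JEP 290) is the real defense."""
    info = inspect_java_stream(data)
    return info is not None and info["first_class"] in set(allowlist)

# Constructed sample: stream header + TC_OBJECT + TC_CLASSDESC("java.util.HashMap")
# + HashMap's serialVersionUID (0x0507DAC1C31660D1), truncated after that.
SAMPLE_STREAM = (STREAM_MAGIC + STREAM_VERSION + bytes([TC_OBJECT, TC_CLASSDESC])
                 + struct.pack(">H", 17) + b"java.util.HashMap"
                 + b"\x05\x07\xda\xc1\xc3\x16\x60\xd1")
```
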
Pentesting cruises
- Public addresses, Shodan, WHOIS
- Maritime Telecom Network
- Each ship has its own range of IPs, e.g. 208.124.121.100-…
- marinetraffic.com, vesselfinder.com
- Example public services: pcAnywhere, telnet on 2323, VoIP with default creds
- 67.21.16/24 maritime net
- Exploitable SSH
- CommBox login page with lots of info (probably found via Shodan)
Darkweb Economies
- Johnny Xmas, Benjamin Brown
- @j0hnnyXm4s, bbrowntalks@gmail.com
- Grams search engine (drugs…)
- Triton ATM default pin 1234
Internet of dongs
- renderlab.net, @ihackedwhat
- We-vibe lawsuit
- Follower and Goldfisk talk at DEF CON
- internetofdon.gs, @internetofdongs
Untangling the dark web: unmasking onion services
- @SarahJamieLewis
- Top 5 risks:
- readable directories (backups, configs),
- EXIF metadata, cloned sites (MITM, mirrors),
- SSH fingerprinting (some hosts are also reachable outside of Tor),
- localhost bypasses (server status, XAMPP, phpMyAdmin, personal wikis, home energy monitors)
- Future
- P2P: OnionShare, Ricochet, OpenBazaar
- Moving away from the browser
Make iOS Hacking Great Again
- @scriptingxss
- Tools: Hopper, IDA for reversing...
- JWT tokens (start with "ey") can be decoded online, e.g. with a JWT debugger
- Realm DB browser
- WebRTC can be used to scan the internal network
- Cordova supports npm modules; modules are not really code-reviewed for security.
- DB Browser for SQLite