Aaaaah… Passwords! Why write a blog article about them? Everything has already been said about passwords. Everybody hates them because they are hard to remember, because we should change them regularly, because we have way too many of them. They are often present in security awareness campaigns (see the article introduction picture). And despite this, people are still managing their passwords however they like! I won’t repeat the same blah-blah about how to take care of your passwords, how to generate them, stop! Here is just another proof that human behavior won’t change.
A few weeks ago I bought Georgia Weidman’s book about penetration testing: “A Hands-On Introduction to Hacking”. Being overloaded by many projects, I only finally finished reading it, and it’s now time to write a quick review. Georgia is an awesome person. There are not many recognized women in the information security landscape and Georgia is definitely one of them; I have already met her a few times during security conferences! She started her own company, she’s a great speaker and the author of the SPF (“Smartphone Pentesting Framework”). That’s why I did not hesitate to buy her book.
The book title contains the word “Introduction” and, as Georgia explains in her introduction, this is the kind of book that you dream of when jumping into the penetration testing business. It indeed covers many topics, but don’t be fooled by the title: it contains many tips and examples that could also be useful to experienced pentesters. Why? Sometimes people ask me how to “work in security” and I always compare information security to medicine. You have many specializations. It’s even more true for a pentester: web applications, reverse engineering, wireless, mobile devices, etc. It’s practically impossible to have strong knowledge in all those ever-changing topics! That’s why Georgia’s book is a good reference. This is a technical book which focuses on practical examples.
Following the presentation that I made at the RMLL 2014 last week, I slightly changed my malware analysis setup. The goal is to make it fully operational “offline”. Indeed, today we are always “on”, Internet is everywhere and it’s easy to get a pipe. However, sometimes it’s better not to send packets to the wild Internet, even more so when playing with malware. We can be connected to a network with restricted access where some “exotic” ports won’t be authorized (e.g. IRC). By allowing malicious code to connect to the world, we could trigger some firewalls, IDS or IPS if working in a corporate environment. If the malware is targeting a specific company or country, it can be suspicious to flood the C&C or any other resource with suspicious traffic (in this case, we are the suspicious ones from the attacker’s point of view). In short, “to live happy, live hidden”.
I’m just back from Montpellier, where the 2014 edition of the RMLL (“Rencontres Mondiales des Logiciels Libres”), or LSM in English (“Libre Software Meeting”), was organised. This is a huge event similar to the FOSDEM in Brussels, where people who love free software exchange views and research and do some networking. The event location changes every year and this edition was organised in the south of France… not a bad place! The event is huge and is organized across a whole week, attracting a few hundred people. Within the main event, other small events are organised and talks are divided into multiple topics like:
And we are back at the Disneyland conference centre for the second day of Hack in Paris… It looks like the night was very short for many people (who hacked all night long?) because the schedule started with a delay!
Today the 2014 edition of Hack in Paris started, a French security conference held in Disneyland Resort Paris – a very nice place for such an event! The conference started with a sunny sky over the conference centre in the New York hotel. I arrived just in time to register and to grab some coffee. Here is my wrap-up for the first day. Happy reading!
And here is the second day wrap-up. The day started with a sunny sky over Amsterdam. After breakfast and a chat with the Help Net Security team, we moved to the rooms. Like yesterday, the main stage is dedicated to women for two keynotes. The first one was supposed to be Pamela Fusco with her keynote titled “Behind the Crosswire”, but she never arrived… No news from the speaker, maybe lost in the Amsterdam night life?
I’m in Amsterdam for the next two days to attend the new edition of Hack In The Box. This is a special edition with many improvements. First, it’s the fifth edition (already!) and the location changed to “De Beurs van Berlage”, a very nice place in the center of the city. Second, the normal conference is also held alongside HITB Haxpo, a technology and security expo for hackers and geeks. This expo is open to everyone for free. Due to a holiday in Belgium and Holland, I reached Amsterdam smoothly without any traffic jam and was on time to grab my badge, some coffee and some 802.11x packets before the talks.
If we can put business and some fun together, why hesitate? For a while now, I have been playing with flying toys. I already played with different models of RC helicopters and recently I switched to another category: I bought a quadcopter. The idea of mixing drone technology with WiFi audits has been in my mind for a while. First of all, this is nothing new. Darren from Hak5 had the same crazy idea before me (see episode 1520). But there is a difference between watching a cool video and doing the same in real life. Thus, I decided to try the same! And if I could use it to perform WiFi assessments or pentests, it’s even cooler!
With a little delay, here is my wrap-up of the last OWASP Belgium chapter meeting. It was held at NVISO, an information security company located in Brussels which is known for its ApkScan tool. After some pizzas, drinks and chats with peers, two speakers came on stage. Amongst known faces, a lot of new people were present. It’s good to have fresh blood at such events!
The first speaker was Tiago Teles from Cigital. The title of his presentation was “Securing password storage – Increasing resistance to brute force attacks”. Passwords… a hot topic. Indeed, yesterday, eBay announced that it had suffered a leak of user data. Passwords are in the wild now. Tiago explained how to properly handle your users’ passwords and started with a fact:
“Your passwords WILL be extracted from your system”
Thus, we have to make them unusable or at least make the attackers’ job more difficult. Modern websites allow users to register and use credentials to buy stuff, to access private data, to organize their profile, etc. You’re responsible for those passwords and must protect them in the right way. After a review of the history of protections (do you remember the old UNIX /etc/passwd files with hashed passwords stored in them, readable by everyone?) and the challenges we are facing, Tiago gave very interesting suggestions to protect passwords against brute-force attacks. Hashing (with salt!) is a best practice. Why?
- They are unique
- They are resistant to collision
- They can’t be reversed
- They can’t be predicted
- They are… fast!
A technique to attack hashed passwords is to use rainbow tables, but they also have limitations. To protect against brute-force attacks, Tiago explained what adaptive hashes are. They are designed to remove one of the properties of classic hashes: speed! Finally, Tiago gave a very good piece of advice to everybody: be prepared to be attacked and have a good communication plan! The slides are available here.
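To make the difference between a fast salted hash and an adaptive hash concrete, here is an added Python example (my own illustration for this wrap-up, not code from Tiago’s talk or slides). It stores a password two ways: a single salted SHA-256 pass, and PBKDF2-HMAC-SHA256 with a configurable iteration count, which is the “adaptive” knob that takes the speed away. The iteration count, salt length and sample passwords are constructed values for the example, not recommendations from the talk.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for this example (not taken from the talk).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_fast(password: str, salt: bytes) -> bytes:
    """Salted but fast: one SHA-256 pass.
    The salt defeats precomputed rainbow tables, but an attacker holding the
    record can still test an enormous number of guesses per second."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hash_adaptive(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted and deliberately slow: PBKDF2-HMAC-SHA256 chains the hash
    `iterations` times, so every guess costs the attacker the same work it
    costs the server. Raise `iterations` as hardware gets faster."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str, scheme: str = "pbkdf2") -> dict:
    """Build the record a database would hold: scheme, salt, parameters, digest."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    if scheme == "sha256":
        digest = hash_fast(password, salt)
        return {"scheme": scheme, "salt": salt.hex(), "digest": digest.hex()}
    if scheme == "pbkdf2":
        digest = hash_adaptive(password, salt)
        return {"scheme": scheme, "salt": salt.hex(),
                "iterations": PBKDF2_ITERATIONS, "digest": digest.hex()}
    raise ValueError(f"unknown scheme {scheme!r}")


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "sha256":
        candidate = hash_fast(password, salt)
    elif record["scheme"] == "pbkdf2":
        candidate = hash_adaptive(password, salt, record["iterations"])
    else:
        return False  # unknown scheme: never accept
    return hmac.compare_digest(candidate.hex(), record["digest"])


def salts_make_records_differ(password: str) -> bool:
    """Two users who pick the same password must not share a stored digest."""
    return store_password(password)["digest"] != store_password(password)["digest"]


def guesses_per_second(scheme: str, guesses: int = 20) -> float:
    """Rough rate at which wrong guesses can be checked against one record.
    The adaptive scheme should be orders of magnitude slower than the fast one."""
    record = store_password("correct horse battery staple", scheme)  # constructed sample
    start = time.perf_counter()
    for i in range(guesses):
        verify_password(f"guess{i}", record)
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    rec = store_password("S3cret!")  # constructed sample password
    print("stored record:", rec)
    print("correct password verifies:", verify_password("S3cret!", rec))
    print("wrong password verifies:", verify_password("s3cret!", rec))
    print("same password, different digests:", salts_make_records_differ("S3cret!"))
    for scheme in ("sha256", "pbkdf2"):
        print(f"{scheme}: ~{guesses_per_second(scheme):,.0f} guesses/s")
```

Running it shows the point of the talk in numbers: the salted SHA-256 record lets the same machine try guesses far faster than the PBKDF2 record, and storing the iteration count beside the digest lets you raise it later without touching the verification code.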
After a short break, the second talk was given by Daan Raman and Erik Van Buggenhout (from NVISO). The title was “A history of ATM violence – From blowing up safes over jackpotting to all-round malware”. ATMs (“Automated Teller Machines”) are used daily by most of us and are often nice targets for thieves. As Erik said: “We don’t need to ask why to target them! That’s where the money is…”. After a short history of ATMs (did you know that there are currently 2.2 million ATMs worldwide?), Erik described the standard layout of a modern ATM. It is based on two main parts: the safe itself containing the money and a computer. The safe is usually quite well protected but the computer is vulnerable in many ways. To learn how ATMs work, Erik just bought his own and did some research! Computers used in ATMs are classic computers with all the required I/O: USB ports, keyboard, mouse, CD player, etc. Although some physical attacks were reviewed with funny pictures, Erik & Daan focused on attacking the ATM via the built-in computer (which remains based on Windows XP in most cases). How?
ATM systems are based on a common set of APIs developed by CEN, XFS (“eXtensions for Financial Services”). They allow software to operate the ATM devices, such as:
- Cash dispensers
- Identification card units
- Personal identification number keypads (PIN)
- Text terminal units
Like any API, there are two layers: vendor dependent and vendor independent. Using this API and some C code, Erik wrote a PoC tool called “ATMDispenser.exe” which can perform cash-out operations! To demonstrate the tool, a funny live demo was performed using Erik’s ATM filled with fake banknotes. Of course, to install the malicious code, physical access to the ATM is required, but many people have access to it (maintenance teams, cleaning teams). Sometimes the ATM is located in a public area. Funny note again: some computers are protected in the ATM rack with a lock and a key. This key looks to be the same for all ATMs and the lock was opened by Erik in 10 minutes using standard lock-picking tools. Nice presentation! The slides are available here.