Vegas 2011 Review: Pentultimate Hack

Conference: B-Sides
Title: Pentultimate Hack – Manipulating Layers 8 & 9 of the OSI Model (Management & Budget)
Speaker: Rafal Los (aka Wh1t3Rabbit)

This talk was well prepared but not as dynamic and entertaining as the Schuyler Towne talk (fortunately I attended the Towne talk and they had coffee by now).  It had a lot of buzzwordology and business clichés in it, but I mean that in a good way.  Knowing business-speak is unfortunately a cost of doing business, so it was grating but valuable to attend this talk.  He spoke of how security is typically a bolt-on or an afterthought and really needs to be thought of as part of the core business plan.  What often happens is that some application that is going to generate $20 million in revenue gets audited and found to be full of security holes, and that justifies $750,000 to harden it up.  It usually takes those big-money projects to drive the security side of things.  He also spoke of the plight of the CSO or pen tester: they are implicitly to blame if any compromise happens, but it is actually under pressure from the project manager that products ship despite the warnings of the pen testers or the CSO.  So he recommends requiring the project manager to sign a document absolving the CSO or pen tester(s) of responsibility if he/she intends to ship a product against their recommendation.  He also recommends schmoozing the legal counsel, as that gives political leverage in these situations.

Summary:  this guy is giving very good advice to CSOs and pen testers which, if they heed it, will create a climate in which vulnerability scanners should become more popular.

NT OBJECTives announces NTODefend, automatic WAF & IPS rule generation

Do your WAF and IPS rules fit like a custom suit or an off the rack one?

Announcing NTODefend

NT OBJECTives is excited to announce the general availability of NTODefend, a software solution that enables enterprise security teams to quickly, easily and automatically create “perfect-fit” custom rules to patch Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS) against web application vulnerabilities discovered in automated NTOSpider scans.

Read the full NTODefend press release.
Visit NTODefend’s web page for additional details.

NTODefend goes beyond standard, one-size-fits-all WAF rule generation to create stronger customized rules, while also allowing for rule modification. It combines NTOSpider’s knowledge of the application functionality with an understanding of specific vulnerabilities to be the first tool to create “perfect-fit” custom rules that effectively block bad traffic while letting the good traffic flow through. With these rules, NTODefend also tunes an IPS to behave like a WAF.

A comprehensive application security approach addresses the entire software development lifecycle, from development through production. Security teams use two primary kinds of tools to help them identify, patch and resolve application security issues in production applications: dynamic application testing products and web application firewalls (WAF). The ideal production solution includes a dynamic application testing tool that understands your WAF so the two can share information to automatically patch vulnerabilities that haven’t yet been fixed in the source code.

NTODefend Product Features

  • Automated Custom Rule Generation for WAF/IPS – Quickly and easily generate custom rules, and if needed modify these rules, to patch vulnerabilities on WAF/IPS, using the results from NTOSpider scans.
  • Vulnerability Report Selection – Quickly select which vulnerabilities to patch and automatically generate the highly targeted filters for the user’s particular WAF/IPS solution.
  • Re-scan Ability to Confirm Effectiveness – NTODefend enables security teams to conduct a quick re-scan of applications to confirm the trained WAF/IPS effectiveness. Now, teams can quickly confirm that target vulnerabilities are patched and that good traffic can continue to flow through as expected, reducing the risk of false positives & false negatives and dramatically reducing QA time.
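As an added illustration of the difference between a one-size-fits-all rule and a rule scoped to a scanner finding, here is example code written for this page; it is not NTODefend's or NTOSpider's code. The finding format, the attack signatures, the replayed payloads and the rule model are all assumptions, and rendering the rules into a particular WAF's or IPS's syntax is left out. The point it shows is the one the release makes: a blanket signature blocks legitimate traffic that a rule tied to the vulnerable path and parameter lets through, and a re-scan replaying the scanner's payloads confirms the patch took.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed scan findings in the shape a dynamic scanner might report them.
# Assumed format: the page does not show NTOSpider's actual report layout.
FINDINGS = [
    {"type": "sqli", "path": "/search",  "param": "q"},
    {"type": "xss",  "path": "/comment", "param": "body"},
]

# Deliberately small attack signatures per vulnerability class.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d|--|;\s*drop\b)"),
    "xss":  re.compile(r"(?i)(<\s*script|javascript:|\bon\w+\s*=)"),
}

# Scanner payloads replayed on re-scan to confirm each finding is now blocked.
ATTACK_PAYLOADS = {
    "sqli": ["' or '1'='1", "1 union select null--"],
    "xss":  ["<script>alert(1)</script>", '" onmouseover=alert(1) x="'],
}


@dataclass(frozen=True)
class Rule:
    rule_id: int
    signature: re.Pattern
    path: Optional[str]   # None: every path (blanket rule)
    param: Optional[str]  # None: every parameter


def blanket_rules():
    """One-size-fits-all: every signature against every parameter of every request."""
    return [Rule(1000 + i, sig, None, None) for i, sig in enumerate(SIGNATURES.values())]


def custom_rules(findings):
    """'Perfect-fit': one rule per confirmed finding, scoped to its path and parameter."""
    return [Rule(2000 + i, SIGNATURES[f["type"]], f["path"], f["param"])
            for i, f in enumerate(findings)]


def evaluate_request(rules, path, params):
    """Return ('block', rule_id) for the first rule that fires, else ('allow', None)."""
    for rule in rules:
        if rule.path is not None and rule.path != path:
            continue
        for name, values in params.items():
            if rule.param is not None and rule.param != name:
                continue
            if any(rule.signature.search(v) for v in values):
                return ("block", rule.rule_id)
    return ("allow", None)


def evaluate(rules, url, body=None):
    """Convenience wrapper: parse the query string and an optional form body."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return evaluate_request(rules, parts.path, params)


def confirm_patched(rules, findings):
    """Re-scan step: replay each finding's payloads at its exact location.
    Maps (path, param) to True only if every payload is blocked there."""
    return {
        (f["path"], f["param"]): all(
            evaluate_request(rules, f["path"], {f["param"]: [p]})[0] == "block"
            for p in ATTACK_PAYLOADS[f["type"]])
        for f in findings
    }


def false_positives(rules, legit_requests):
    """Requests marked as legitimate that the rule set would still block."""
    return [url for url, body in legit_requests if evaluate(rules, url, body)[0] == "block"]


# Constructed legitimate traffic: the kind of text a blanket SQLi signature chokes on.
LEGIT_TRAFFIC = [
    ("/notes?text=Don't+use+--+in+SQL+comments", None),
    ("/search?q=select+the+best+option", None),
    ("/comment", "body=I+love+this+product"),
]

if __name__ == "__main__":
    for label, rules in (("blanket", blanket_rules()), ("custom", custom_rules(FINDINGS))):
        print(label, "patched:", confirm_patched(rules, FINDINGS),
              "false positives:", false_positives(rules, LEGIT_TRAFFIC))
```

Both rule sets pass the re-scan, but only the blanket set blocks the note containing `--`; scoping the rule to `/search` and `q` is what keeps that good traffic flowing. A real deployment would also have to cover the same parameter reached by other routes or methods, which is why the scanner's knowledge of the application map matters.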

Vegas 2011 Review: Transparent Botnet Command and Control for Smartphones over SMS

Conference: B-Sides
Title: Transparent Botnet Command and Control for Smartphones over SMS
Speaker: Georgia Weidman

The title actually says most of it.  SMS is used because it is easy to conceal the botnet.  Malware on phones often announces its presence by draining the battery, and piggybacking on SMS avoids that.  SMS is also fault tolerant: the protocol itself resends the message if there is no acknowledgement, so it extends to the attacker the courtesy of persistently delivering the command to its destination.  The balance of the talk encompassed the technical details of what an SMS packet looks like and how you craft the attack.
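What an SMS packet looks like, as an added example that is not Weidman's code or material from the talk: a minimal encoder and decoder for the GSM 03.40 SMS-SUBMIT PDU, the form in which a phone or modem hands a message to the network. It handles the 7-bit default alphabet (restricted here to characters whose GSM code equals their ASCII code) and 8-bit binary user data; user data headers and the SMS-DELIVER direction are deliberately left out. The phone number and messages are constructed sample data.

```python
# Minimal GSM 03.40 SMS-SUBMIT PDU encoder/decoder (added example, stdlib only).

# Characters whose GSM 7-bit default-alphabet code equals their ASCII code.
# '@', '$', '_', '[', ']', '{', '}', '\\', '^', '~', '|' differ and are rejected.
GSM7_ASCII_SAFE = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    " !\"#%&'()*+,-./:;<=>?"
)


def pack_7bit(text):
    """Pack septets LSB-first into octets (GSM 03.38 packing)."""
    if not set(text) <= GSM7_ASCII_SAFE:
        raise ValueError("character outside the ASCII-compatible GSM 7-bit subset")
    out, acc, nbits = bytearray(), 0, 0
    for ch in text:
        acc |= ord(ch) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_7bit(data, nseptets):
    """Inverse of pack_7bit; nseptets comes from TP-UDL."""
    chars, acc, nbits = [], 0, 0
    for byte in data:
        acc |= byte << nbits
        nbits += 8
        while nbits >= 7 and len(chars) < nseptets:
            chars.append(chr(acc & 0x7F))   # correct for the ASCII-compatible subset only
            acc >>= 7
            nbits -= 7
    return "".join(chars)


def encode_address(number):
    """TP-DA: digit count, type-of-address, then digits in swapped semi-octets."""
    digits = number.lstrip("+")
    toa = 0x91 if number.startswith("+") else 0x81   # international / unknown
    padded = digits + "F" if len(digits) % 2 else digits
    swapped = bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, len(padded), 2))
    return bytes([len(digits), toa]) + swapped


def decode_address(buf, pos):
    ndigits, toa = buf[pos], buf[pos + 1]
    pos += 2
    nbytes = (ndigits + 1) // 2
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in buf[pos:pos + nbytes])[:ndigits]
    return ("+" if toa == 0x91 else "") + digits, pos + nbytes


def encode_submit(dest, payload, mr=0):
    """SMS-SUBMIT with SMSC length 0 (phone default), no validity period, no UDH.
    str payload -> 7-bit default alphabet (DCS 0x00); bytes -> 8-bit data (DCS 0x04)."""
    first_octet = 0x01            # TP-MTI=01 (SMS-SUBMIT), TP-VPF=00, TP-UDHI=0
    if isinstance(payload, str):
        dcs, udl, ud, limit = 0x00, len(payload), pack_7bit(payload), 160
    else:
        ud = bytes(payload)
        dcs, udl, limit = 0x04, len(ud), 140
    if udl > limit:
        raise ValueError("payload exceeds a single SMS")
    return bytes([0x00, first_octet, mr]) + encode_address(dest) + bytes([0x00, dcs, udl]) + ud


def decode_submit(pdu):
    pos = 1 + pdu[0]                      # skip SMSC information
    first_octet = pdu[pos]; pos += 1
    if first_octet & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    if first_octet & 0x40:
        raise ValueError("user data header present; not handled by this example")
    mr = pdu[pos]; pos += 1
    dest, pos = decode_address(pdu, pos)
    pid, dcs = pdu[pos], pdu[pos + 1]; pos += 2
    vpf = (first_octet >> 3) & 0x03       # 0: none, 2: relative (1 octet), 1/3: enhanced/absolute (7)
    pos += {0: 0, 2: 1, 1: 7, 3: 7}[vpf]
    udl = pdu[pos]; pos += 1
    ud = pdu[pos:]
    if dcs & 0x0C == 0x00:
        payload = unpack_7bit(ud, udl)
    elif dcs & 0x0C == 0x04:
        payload = bytes(ud[:udl])
    else:
        raise ValueError(f"unsupported TP-DCS 0x{dcs:02X}")
    return {"mr": mr, "dest": dest, "pid": pid, "dcs": dcs, "payload": payload}


if __name__ == "__main__":
    pdu = encode_submit("+14155551212", "hello")      # constructed number and text
    print(pdu.hex().upper())                          # 0001000B914151551512F2000005E8329BFD06
    print(decode_submit(pdu))
```

Everything after the first octet is what a modem sends for `AT+CMGS`; the same bytes, with a different first octet and a timestamp in place of the message reference, are what the receiving handset sees. Bit 6 of the first octet (0x40) flags a user data header, which is how a message can carry a header before the text; this decoder refuses those rather than mis-parse them.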

Summary:  this talk provided good general security knowledge.  I’m not sure if we (NTO) will ever scan smartphones.  That is an interesting business prospect though… I have never heard of a smartphone app scanner… one targeted specifically to phone apps.

Security B-Sides Vegas 2011 Review: How to Hide Your Pr0n

Conference: B-Sides
Title: How to Hide Your Pr0n
Speaker: Orlando Barrera II and Josh Sokol

Pr0n being a fanciful distortion of “porn”, itself a fanciful name for any data you value and might want to hide.  The speakers started by noting several poor ways to hide data (hidden files, deep directories, etc.) then got down to the good ways, encryption being step one.  In the current political climate (terrorism etc.), there are laws under which the mere presence of encryption can itself be treated as suspicious, i.e. one can be prosecuted for refusing to supply credentials to an investigator under certain circumstances.  So in addition to encryption, one must establish “plausible deniability”: hide the data and leave no traces that suggest its presence anywhere on any computer you are afraid might be searched.

Steganography is the proffered solution to this.  Steganography is concealing data in some differently-purposed file.  For example, take an image stored in a lossless format like PNG and use the least significant bit of each pixel’s colour values, before encoding, to hold the data.  Since in any photographic data those bits are quite plausibly noise, they can be repurposed without a visible change; the caveat is that any lossy recompression of the image (saving it as a JPEG, say) destroys those bits and the hidden data with them.  At a previous Defcon, someone spoke of using whitespace in HTML source to store attack data.  That speaker did not call it steganography and the purpose was attack, not solely concealment, but conceptually it is basically the same thing.  So, encrypt the files, stego them into image files or whatever, then store the stegoed files in the cloud.  Obviously this is the ultra-paranoid extreme, but of course that’s what security is about.  The speakers mentioned that Al Qaeda had been communicating with their operatives by stegoing data into pornographic images posted on Usenet.
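The LSB scheme described above, as an added example that is not the speakers' code: embedding an already-encrypted payload in the least significant bits of raw sample values, extracting it again, and a crude entropy check of the LSB plane of the kind a detector might start from. The cover is a constructed ramp standing in for one channel of decoded PNG pixel data, the “ciphertext” is constructed pseudo-random bytes standing in for real encrypted output, and the length header and the entropy heuristic are this example's own choices.

```python
import hashlib
import math

HEADER_BYTES = 4  # big-endian payload length written ahead of the payload (this example's framing)

# Constructed cover: a smooth ramp standing in for one channel of a decoded (lossless) image.
COVER = [(i // 4) % 256 for i in range(4096)]

# Constructed stand-in for ciphertext. Encrypt before embedding: random-looking bytes are
# what a real encrypted payload looks like, to the extractor and to a detector alike.
SAMPLE_CIPHERTEXT = hashlib.sha256(b"stand-in").digest() + hashlib.sha256(b"for ciphertext").digest()


def capacity_bytes(samples):
    """Payload bytes that fit after the length header, at one bit per sample."""
    return len(samples) // 8 - HEADER_BYTES


def _bits_msb_first(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _bytes_from_lsbs(samples, offset_bits, nbytes):
    """Regroup the LSB plane back into bytes, starting at a bit offset."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (samples[offset_bits + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def embed(cover, payload):
    """Return a copy of cover with [length || payload] written into the LSBs.
    Every sample changes by at most 1, which is why the image looks unchanged."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError("payload does not fit in cover")
    message = len(payload).to_bytes(HEADER_BYTES, "big") + bytes(payload)
    stego = list(cover)
    for i, bit in enumerate(_bits_msb_first(message)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract(samples):
    """Recover the payload, or None if the header is not plausible for this cover."""
    length = int.from_bytes(_bytes_from_lsbs(samples, 0, HEADER_BYTES), "big")
    if length > capacity_bytes(samples):
        return None
    return _bytes_from_lsbs(samples, HEADER_BYTES * 8, length)


def lsb_plane_entropy(samples):
    """Shannon entropy (bits per byte) of the LSB plane regrouped into bytes.
    Crude detector heuristic: a smooth cover region gives low entropy, an embedded
    encrypted payload pushes it towards 8. Real detectors use stronger statistics
    (pair-of-values chi-square, for instance) and noisy, textured covers defeat this one."""
    nbytes = len(samples) // 8
    if nbytes == 0:
        return 0.0
    counts = {}
    for value in _bytes_from_lsbs(samples, 0, nbytes):
        counts[value] = counts.get(value, 0) + 1
    return -sum((c / nbytes) * math.log2(c / nbytes) for c in counts.values())


if __name__ == "__main__":
    stego = embed(COVER, SAMPLE_CIPHERTEXT)
    assert extract(stego) == SAMPLE_CIPHERTEXT
    used = (HEADER_BYTES + len(SAMPLE_CIPHERTEXT)) * 8
    print("cover LSB entropy:", round(lsb_plane_entropy(COVER[:used]), 2))
    print("stego LSB entropy:", round(lsb_plane_entropy(stego[:used]), 2))
    print("max sample change:", max(abs(a - b) for a, b in zip(COVER, stego)))
```

Note that the plausible-deniability goal in the talk cuts against the detector: the length header here is a recognisable structure, and a careful hider would encrypt that too or use a keyed pixel ordering so that nothing in the LSB plane distinguishes payload from noise.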

My reactions:  this talk inflamed my anti-establishment and paranoid sentiments.  Specifically, I wonder what happens when something like encrypted bank info, encrypted personal info, any info that a private citizen might want to encrypt for quite valid reasons (identity theft etc.) can be acquired by legal machinations claiming to be concerned about terrorism, child porn, etc.  Terrorism and child porn are such high fear provokers that any hint of either is so provocative that their definitions can and have been stretched to rather dubious extremes.  So I’m not rushing to stego all my data, but I am concerned that authorities are being granted purview over information beyond their ability to wield such power responsibly.  But that Al Qaeda stuff is rather unsettling as well.  So I fear both the terrorists who are called terrorists and the terrorists that work for the government.  I also think this talk may prove to have some direct relevance to our product.  We might want to write a stego detector module, more for the concealing-attacks-in-web-pages variety than the stashing-data-in-images variety, although the latter could have assessment relevance as well.