iSec Open Forum Bay Area
It feels like the infosec community in the Bay Area is just getting warmed up toward the end of the year with another quarterly iSec Open Forum. As a small and local security event, it usually hosts novel security topics from local security professionals that may not appear in more mainstream events. After getting to the talks area at the end of a long hall with folks from Dropbox zooming by on their skateboards and razorblades, I found an infosec crowd of about a hundred or so people ready to learn and connect.
Below are my notes from the event:
Securing Ruby Gems
Package management systems like RubyGems.org have to defend against a number of attacks, ranging from benign denial-of-service types (slow retrieval, freeze attacks, rollbacks) to more serious ones such as someone uploading or replacing arbitrary packages. The theoretical threat became a real exposure in January 2013, when RubyGems.org servers were hit with a code execution exploit. As a result of the compromise, packages managed by the site could have been modified with malicious code, resulting in a widespread disaster for the Ruby community. Because the majority of gems were not signed, due to the cumbersome process that currently exists, site admins were forced to use an error-prone process of verifying gem checksums from their mirror sites.
As part of a week-long hackathon, Xavier and his team set out to solve the gem signing and verification challenge by using an existing project - The Update Framework (TUF). The framework was designed to create a secure and standardized way for software update systems to check for updated versions of files and retrieve them when available. Xavier discussed an additional challenge of distributing responsibilities for signing packages between a hybrid of developer keys, automatic online signing by a robot and manual offline signing by site admins. This approach creates a compromise between making updated packages available as soon as possible (signed only by developers and the automated online system) and introducing an additional level of assurance by requiring administrators to periodically sign verified packages.
As a regular user of packaging systems, I found the discussion of the underlying security issues particularly revealing. With the growing list of attacks on software repositories, additional research in the area may be very timely.
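An added example (not code from TUF or from the hackathon project) of the client-side checks that this split of signing duties implies: a threshold of distinct authorized signers, then expiry, version and hash checks on the gem. The role names, key ids and metadata layout are assumptions, and HMAC stands in for public-key signatures so the example runs on the Python standard library.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC is a stand-in for public-key signatures;
# a real client would hold only public keys.
KEYS = {"dev-alice": b"k1", "online-robot": b"k2", "offline-admin": b"k3"}
# Hypothetical role policy: which keys may sign, and how many distinct signers are needed.
ROLES = {
    "recent": {"keyids": {"dev-alice", "online-robot"}, "threshold": 2},
    "verified": {"keyids": {"offline-admin"}, "threshold": 1},
}

def canonical(signed):
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(keyid, signed):
    mac = hmac.new(KEYS[keyid], canonical(signed), hashlib.sha256).hexdigest()
    return {"keyid": keyid, "sig": mac}

def valid_signers(meta, role):
    """Return the distinct authorized key ids whose signature checks out."""
    good = set()
    for s in meta["signatures"]:
        if s["keyid"] not in ROLES[role]["keyids"]:
            continue  # signature from a key this role does not trust
        if hmac.compare_digest(sign(s["keyid"], meta["signed"])["sig"], s["sig"]):
            good.add(s["keyid"])
    return good

def check_gem(meta, role, gem_bytes, last_seen_version, now):
    """Return 'ok' or the reason the update is rejected."""
    signed = meta["signed"]
    if len(valid_signers(meta, role)) < ROLES[role]["threshold"]:
        return "threshold not met"
    if now >= signed["expires"]:
        return "metadata expired (freeze attack)"
    if signed["version"] < last_seen_version:
        return "older than last seen (rollback)"
    digest = hashlib.sha256(gem_bytes).hexdigest()
    if len(gem_bytes) != signed["length"] or digest != signed["sha256"]:
        return "gem does not match signed metadata"
    return "ok"

def make_meta(gem_bytes, version, expires, signers):
    """Build constructed metadata for the demo (the repository side)."""
    signed = {"name": "demo.gem", "version": version, "expires": expires,
              "length": len(gem_bytes), "sha256": hashlib.sha256(gem_bytes).hexdigest()}
    return {"signed": signed, "signatures": [sign(k, signed) for k in signers]}
```

A gem signed by the developer and the online robot passes the hypothetical "recent" role immediately, but is only accepted under "verified" once the offline admin key has signed it.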
- Proof of concept implementation of The Update Framework (TUF)
- The Update Framework Overview
- A Look in the Mirror: Attacks on Package Managers
- Package Management Security
- RubyGems.org Compromise
Special Agent Jeff Miller from the Computer Intrusion Squad of the FBI presented some of the attack vectors and trends that he has been tracking. Some well-known attacks such as spear phishing and social engineering were discussed. Jeffrey observed that the "Anonymous style" DDoS attacks were on the decline while more serious attacks resulting in database compromises were becoming more prevalent.
There was an interesting discussion about the FBI working with the private sector to collect logs from the compromises, as well as the tendency (and no legal requirement) for companies to be silent to the public about such events. Jeffrey also mentioned well-established treaties with Western European countries used to assist in cyber investigations and a complete lack of them with Eastern European countries.
Introspy: Security Profiling for Blackbox iOS and Android
Alban Diquet and Marc Blanchou presented a new tool, Introspy, used for dynamic analysis of iOS and Android blackbox apps. By developing Introspy, Alban, Marc and another developer, Tom Daniels, are trying to address the general lack of automated vulnerability analysis tools for mobile applications.
Introspy consists of two parts. The platform-specific Tracer component is used to monitor the application's sensitive API calls (and parameters) and aggregate them in an SQLite database. The tracer is implemented using different versions of Mobile Substrate for iOS and Android. The generic Analyzer component consists of a Python script that runs on the analyst's computer, retrieves the SQLite database entries generated by the tracers and generates an HTML report. The HTML report consists of several API class tabs (e.g. Crypto, IPC, SSL, etc.) listing API calls and their parameters in chronological order. The most interesting part of the report is a section on automatically detected vulnerabilities (e.g. the use of static IVs, lack of certificate verification, using weak cryptographic modes, etc.).
There has been a general trend to automate tedious mobile app analysis tasks traditionally performed by general-purpose tools like gdb, cycript, otool, Class-Dump-Z, etc. For example, AppSec Labs released their iNalyzer last year and NESO Security Labs produced a powerful tool called snoop-it (currently in closed beta). However, what distinguishes Introspy from other mobile app analysis tools is its ability to detect common vulnerabilities by parsing insecure calls to sensitive APIs. At the moment, the iOS analyzer includes about 16 signatures to detect things like the use of a weak PRNG, a null initialization vector, HTTPS to HTTP redirection, exposed URL schemes and many more. With a growing list of vulnerability signatures, Introspy may very well become a standard tool in the mobile pentester's toolkit.
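An added example (not Introspy's own code) of the analyzer idea described above: signatures run over traced API calls stored in SQLite, in chronological order. The table schema, the argument encoding and the sample rows are assumptions constructed for this illustration.

```python
import sqlite3

# Constructed trace rows in a hypothetical schema: (id, class, method, args).
SAMPLE_CALLS = [
    (1, "Crypto", "CCCrypt", "mode=CBC;iv=00000000000000000000000000000000"),
    (2, "Crypto", "CCCrypt", "mode=CBC;iv=a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    (3, "Crypto", "CCCrypt", "mode=CBC;iv=a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    (4, "Crypto", "CCCrypt", "mode=ECB;iv="),
    (5, "Network", "redirect",
     "from=https://api.example.test/login;to=http://api.example.test/login"),
    (6, "Crypto", "CCCrypt", "mode=CBC;iv=5f1d0c77aa9e4b21c3d8e6f40b92a713"),
]

def load_trace(rows):
    """Build the tracer database in memory so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE calls (id INTEGER PRIMARY KEY, class TEXT, method TEXT, args TEXT)")
    db.executemany("INSERT INTO calls VALUES (?, ?, ?, ?)", rows)
    return db

def parse_args(text):
    return dict(p.split("=", 1) for p in text.split(";") if "=" in p)

def analyze(db):
    """Run each signature over the calls in chronological order."""
    findings, seen_ivs = [], {}
    query = "SELECT id, class, method, args FROM calls ORDER BY id"
    for cid, cls, method, raw in db.execute(query):
        args = parse_args(raw)
        if cls == "Crypto":
            iv = args.get("iv", "")
            if args.get("mode") == "ECB":
                findings.append((cid, "weak cipher mode (ECB)"))
            elif iv and set(iv) == {"0"}:
                findings.append((cid, "null IV"))
            elif iv in seen_ivs:
                # Same IV bytes seen in an earlier call: likely hard-coded.
                findings.append((cid, f"static IV reused from call {seen_ivs[iv]}"))
            elif iv:
                seen_ivs[iv] = cid
        elif cls == "Network" and method == "redirect":
            src, dst = args.get("from", ""), args.get("to", "")
            if src.startswith("https://") and dst.startswith("http://"):
                findings.append((cid, "HTTPS to HTTP redirect"))
    return findings
```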
Hackers Wanted (also known as Can You Hack It?) is a documentary directed and written by Sam Bozzo, Trigger Street Productions and narrated by Kevin Spacey. The documentary explores different subgroups of the hacker culture and how they affect our computerized world. Hackers Wanted includes a wide range of interviews with people from hacker, information security, law enforcement, higher education and journalist communities. It also includes a large segment covering the life, break-ins, arrest and sentencing of Adrian Lamo.
Cybercops is a Channel 4 UK documentary first aired on December 21st 2000. The documentary explores threats to e-commerce at the turn of the century and the work done by various private companies and law enforcement agencies to defend it and to prosecute the offenders.
baythreat 4 - day two
After a great day of hanging out with old and new friends, all while getting inspired to start breaking/researching anything ranging from 50-year-old behemoths to Internet-enabled light bulbs, I raced down the peninsula to the epicenter of the Bay Area's security community at Hacker Dojo. Baythreat Day Two has begun.
In a terrible miscalculation of a sleeping schedule I have regretfully missed several morning talks; however, below are the writeups of another series of excellent presentations from the breaker track for the remainder of the day.
baythreat 4 - day one
The year is almost over, but the infosec community in the Bay Area shows no signs of slowing down with the fourth annual BayThreat conference happening this Friday and Saturday. I always loved smaller hacker cons for their much more personable feel and few carefully selected talks that you can see without missing a dozen others. I love BayThreat not only because it is a local event, but also due to the overall quality of the talks and organization being on par with many of the larger cons.
BayThreat 4 marks the return to the Hacker Dojo, albeit at a different location, which in my opinion is even better than the original. Below are a few writeups on the talks from the breaker track that I had a chance to attend.
All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.