Tag Archives: security

Vegas hacker party schedule #defcon #blackhat #bsides

Just a couple of pointers, nothing major here. A pretty comprehensive-looking party schedule (in addition to the official page). Filling up crazy fast.

One event I don’t see there though is the DEF CON Shoot, Wed 26 18:00 and Thu 27 9:00

Part of why I love being in this field – I’m not really aware of any other global community with annual weeklong bashes in Vegas.

Your semi-definitive guide to #blackhat #bsideslv and #defcon 2017 – Vegas hacking!

2017-06-15 00.44.241

(my last year’s DEFCON badge – it winks at you with those terminator LED’s!)

Here is my subjective take on Vegas hacker’s Disneyland that’s happening end of July 2017. Please keep in mind that this year I’m trying to make it useful for web site/web service security – to that end, I sifted through 70+ talks to come up with a summary of what’s particularly interesting this year.

As for the parties… that’s for the follow-up post : )

High-level

BlackHat at Mandalay is more practical and by far the most expensive, it consists of three parts:

  1. 2-day trainings – ~$3k a piece
  2. Several days of hour-long briefings/talks – ~$2.5k includes all, and
  3. Expo floor which is free with either 1 or 2

Last year I took trainings, but this year I’m very much interested in website security briefings, so I plan to attend as many of the latter as possible.

BSidesLV is much more mellow, it’s under $100 bucks and more informal, people basically chill out in Tuscany Suites in between the “serious” stuff and present research, which can be interesting.

DEFCON, this year at Caesars, is definitely the most fun one, under $300 for everything. It has crazy talks, workshops, hackathons, CTF’s and just like the Renaissance Faire for geeks. They hack everything from poker to pacemakers to 747’s to implanting circuitry into your hands, also have tons of fun contests and a geek marketplace. It’s just super-fun, tho probably less useful for safeguarding a web service.

BlackHat Briefings – Totally Subjective Shortlist

Now, since BlackHat is absurdly expensive, I filtered out a few specific talks that seem worth visiting for website/web service security – all included with the admission ($2,395):

Cracking The Lens: Targeting HTTP’s Hidden Attack-surface

Don’t Trust The Dom: Bypassing XSS Mitigations Via Script Gadgets

Web Cache Deception Attack

A New Era Of SSRF – Exploiting URL Parser In Trending Programming Languages!

Friday The 13th: JSON Attacks

Practical Tips For Defending Web Applications In The Age Of Devops – potentially very interesting talk from Etsy on how to properly set up the whole security engineering process

Splunking Dark Tools – A Pentesters Guide To Pwnage Visualization

The Epocholypse 2038: What’s In Store For The Next 20 Years

Ichthyology: Phishing As A Science (walk through a series of real-world attacks conducted against a Bay Area tech company)

BlackHat (Web Security) Trainings

Those are very useful, they typically take 2 days, but tend to cost a ton (~$3k each). I took some last year, but this year I’m more interested in the briefings above. But still, these are the ones that I found very interesting for web security:

Engineering/app-level security training:

Whiteboard Hacking aka Hands-on Threat Modeling

Abilities Inc – Metasploit Mastery

Applied Data Science for Security Professionals

Visual Analytics – Delivering Actionable Security Intelligence

The Web Application Hacker’s Handbook, Live Edition – good intro as usual, but honestly, focuses too much on the obsolete and made-up simple attacks, could really benefit from a 2017-overhaul. But hey, maybe it will be brand new this year.

Talks I expect to be very useful for DevOps

Cloud Security Hands On (CCSK-Plus)

Advanced Cloud Security and Applied SecDevOps

 

And that’s it for now – see you there!! After all, it’s Vegas – good times all around!

Google Safe Browsing 3.0 clients

I’ve been using phpGSB GSB client for a while for pretty large volumes (~100k pages/hour). Looks like it finally croaked. Hasn’t been updated since March. So here is a brief survey of what else is out there:

I’m currently leaning towards the first option, may also try Go. I know, lazy, should have just implemented my own, but there is too much other stuff to do.

For those who like hot-linking other people’s code

… life just got a bit safer. Browsers are starting to implement a (relatively easy) way to check integrity of the stuff you hot-link in your code – Chromium is adding this feature now. So that you and your visitors don’t get goatse’d by some mean person on the other end. All you have to do is add this integrity bit to the links you pull from other websites, and you can be sure to always serve – or gracefully fail to do so – the same content no matter what kind of hell breaks loose on that other server:

<script src="https://code.jquery.com/jquery-1.10.2.min.js"
integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=application/javascript">

Ok, so hot-linking jQuery is just lazy, I know, but there is way more third-party code out there than most people realize – stuff like Google Analytics, ads and other widgets are routinely pulled from third-party servers by websites all over the Interwebs, and this is a great first step to add some kind of checks to this mess.

So what is mobile #malware exactly?

Sifting through endless Virustotal scans, you realize that it’s not easy at all to define what exactly mobile malware is. Literally 90% of antivirus-reported malware APKs are nothing but trivial or repackaged apps with some annoying adware library slapped on top of it that doesn’t even do anything really bad. Why exactly is mobile malware so elusive and not as clear-cut as the good old desktop viruses? A couple of things come to mind:

  • The juicy parts often stay remote: unlike the classic desktop viruses and rootkits, a lot of mobile functionality remains on the server. So an app collects your banking password and sends it to server, that’s bad, right? Not if it’s a Bank of America server. What if it’s an Akamai or an EC2 server? What if it’s a Mint finance app server? This gets blurry really fast. Same with location apps – when an app constantly sends your location to a server, it’s cool if it’s your own account, and it’s suddenly not cool at all when someone else has access to that information on the server. Hard to automatically tell that just by looking at the mobile app tip of that iceberg. That’s why AV vendors came up with a euphemistic label “surveillanceware”, which means, “I have no idea if this app is bad or not, you have to look at it in your own context”.
  • No need to get sophisticated: most of what’s labeled as mobile malware are small-time scams. In the mobile world, there is no such thing as a multi-million dollar botnet industry commercially used for:
    • running spam
    • staging DOS attacks
    • collecting and laundering information

    I guess mobile can be useful only for the last point right now, we’ve yet to see the first two on mobile. So no need to build autonomous sophisticated botnet clients that pack tons of revealing functionality and patterns with them. Consequently, a lot of mobile scams look rather plain and not very different from regular apps.

  • No silent infections: it’s pointless to do port scanning and hard to use drive-by browser exploits on mobile. Combined with no incentive to make things complicated, the main vectors to get into someone’s phone are social engineering and brand abuse. Both of those are difficult to detect automatically, leaving a huge gray zone. Even the SMS scams: lots of legitimate apps have “share via SMS” functionality, good luck telling that from malware propagating itself via SMS, or sending messages to paid numbers that only become plaintext right before the message is sent.

So this leaves the traditional antivirus vendors especially helpless on mobile, best they can do so far is to report noisy adware or a few true malicious outliers that get outside the gray zone.

Android “antivirus” scam – still on Yahoo ad-running sites #malware

This year-old scam has resurfaced very prominently, and I’ve run into it on various websites that show Yahoo ads, indicating pretty massive malicious advertisement volume. A browser pop-up says the following:

Virus Affecting your Android? Turn on Virus Scanner NOW!

If you click “OK”, you can be taken to a variety of destinations, including:

  • a spammy but legit-looking dating app on Google Play with 50mil(!) downloads – I’d imagine malicious ads are partly responsible for that number, maybe via an affiliate?
  • a selection of some shady dating/porn sites
  • and best of all, a step-by-step guide for you to enable app install from unknown sources on your phone, and download a modified version of “Android Armour” APK binary with God knows what added functionality:

disable-play-only

Very impressive, considering these friendly folks are basically talking people into opening up their phones to every other kind of evil garbage that comes up next.

I ran into this a bunch of times over the last few weeks, as recently as this weekend on Tumblr. I know Yahoo is trying to squash these as fast as humanly possible, but until then, beware. And again, in US, it’s a good idea to never install anything on Android from anywhere other than Play.

how not to do passwords #security

Some choice quotes from Fidelity’s website password policy:

  • Use 6 to 12 letters and/or numbers
  • Do not use symbols, punctuation marks, or spaces (e.g., #,@, /, *, -.)

Fidelity, really? 1999 called and it desperately wants it 12-character limit and no-symbols restriction back. Could expect better from a trading service.