21 Nov 2014

Planet Grep

Xavier Mertens: NoSuchCon Wrap-Up Day #3

NoSuchCon Venue

Here we go with a review of the last day. As usual, the social event had a huge impact on some attendees, but after coffee everything was almost back to normal. The day started with Braden Thomas who presented "Reverse engineering MSP 430 device", or reverse engineering a real-estate lock box.

In the US/Canada, such devices are used by real-estate agencies to store the keys of homes for sale. They allow access to the key when the owner is not present. Why focus on such devices? First, because they are used by many people and, usually, they tend to store crypto secrets in the flash. It's cheap and easy but not necessarily nice. There is a legacy key using cell radio, but more and more users use the eKey (an iOS/Android app). Braden explained in great detail all the steps he performed to be able to access the firmware and then to extract the crypto key. Guess what? The presentation ended with a live demo: Braden successfully unlocked a lock. During the presentation, he explained the different attacks that are available and a special one (that was successful) called the "Paparazzi" attack: the goal is to use the flash from a camera against a decapped chip to make it behave differently.

The Paparazzi Attack

Then, Peter Hlavaty talked about "Attack on the core". This talk went in the same direction as the one presented yesterday about bypassing security controls in Windows 8.1. On most operating systems, the kernel is the nice place to place malicious code. Why? Because modern operating systems are more and more protected by implementing multiple controls. The talk focused on CPL3 to CPL0 ("Current Privilege Level"), level 3 being the user mode and level 0 the kernel mode. Peter not only focussed on Windows but also on Linux and Android. That's clear: the kernel is the new target!

After a welcome coffee break, Jean-Philippe Aumasson, renowned cryptographer, talked about… cryptography, with a talk called "Cryptographic backdooring". Usually, cryptography means a lot of formulas, etc., but Jean-Philippe's talk was very didactic! Why speak about backdoors? Because they are present in many crypto implementations and there is no official research paper on this topic. A backdoor can be used for surveillance, deception, … and also by terrorists! There are also more and more backdoors in products and applications today.

Jean-Philippe on Stage

Jean-Philippe explained what a backdoor is. His definition is:

A feature or defect that allows surreptitious access to data

Based on weakened algorithms or covert channels. But what is a good backdoor? It must be:

  • Undetectable
  • Principle of "NOBUS" (No One But Us, NSA term)
  • Reusable and unmodifiable
  • Simple

Then, he reviewed examples of backdoors and how they have been implemented. A very nice talk!

There was no lunch break for me because I attended a workshop about RF hardware: "Fun with RF remotes", prepared by Damien Cauquil. The goal of the workshop was to build a … RF door bell brute forcer. After an introduction to RF technology and some demos to capture and analyse signals, it was a hands-on session. All participants received a door bell pack (a remote controller + door bell). The challenge was to hack the remote and make Damien's doorbell ring. It was a first for me. After soldering some components and some stress, it worked! Very nice workshop!

Fun with RF Remote

And the last half-day started with Guillaume Valadon and Nicolas Vivet who presented "Detecting BGP hijacks in 2014". I arrived a bit late due to the hardware workshop. The first part was a recap about BGP: how it works, what the features are, etc. BGP hijacks are not new but they can have a dramatic effect! A hijack is a conflicting BGP announcement. It means that your packets are sent across unauthorised networks (from a BGP point of view). The next part of the talk focussed on detecting the hijacks. This is a critical step for ISPs. Guillaume and Nicolas explained in detail the platform deployed worldwide to collect BGP messages and store them; they are then processed by OCaml. They can emulate a BGP router via some Python code. By putting all the components together, they are able to analyse the BGP announcements and detect issues. But this is offline and consumes a lot of data. They also presented a real-time detection mechanism. A nice presentation with many details. I recommend reading the slides if you're working with BGP. Their conclusions are that such attacks are a real risk and that traffic must be encrypted and authenticated to prevent it from being read by 3rd parties.

Alex Ionescu came with a "surprise talk". The title was "Unreal mode: Breaking the protected process". It was a surprise talk because he received a last-minute green light from Microsoft. Windows Vista introduced new protections at kernel level. In Windows 8.1, that model was extended to protect key processes even from admin and to mitigate attacks like pass-the-hash. Alex explained how digital signatures work with the new versions of the OS. He also explained how process protection works (even with admin rights, some processes can't be killed or accessed by debuggers). A mass of interesting information if you're working with Windows security models.

Alex on Stage

And to close the conference, a keynote was presented by Anthony Zboralski: "No Such Security". Anthony defines himself as "a bank robber". When he was young he played with many computers and quickly started to break stuff. After some issues with the justice system, he switched to security consultancy. His keynote was a series of reflections about the security that is implemented today by companies but also recommended by consultancy companies.

Anthony on Stage

The second edition of NoSuchCon is over! It is a great event with highly technical and nice presentations. I also met a lot of new and old friends. The talks have already been published here: http://www.nosuchcon.org/talks/2014/.

21 Nov 2014 9:09pm GMT
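The BGP hijack talk in the wrap-up above describes a hijack as a conflicting announcement for a prefix and an offline pipeline that analyses collected announcements. The following is an added illustration of that offline check, not code from the talk or its authors: it flags prefixes announced with more than one origin AS, and announcements (including more-specific sub-prefixes) whose origin differs from a constructed "expected origin" table; the sample updates, peers and AS numbers are all constructed.

```python
"""Offline detection of conflicting BGP origin announcements (added example)."""
from collections import defaultdict
import ipaddress

# Constructed sample of what a route collector might have recorded.
# Fields: collector peer, announced prefix, AS path (origin AS is the last hop).
SAMPLE_UPDATES = [
    ("peer1", "203.0.113.0/24", [64500, 64510, 65001]),
    ("peer2", "203.0.113.0/24", [64501, 65001]),
    ("peer3", "203.0.113.0/24", [64502, 65002]),         # second origin: MOAS conflict
    ("peer1", "203.0.113.0/25", [64500, 64520, 65003]),  # more-specific of 65001's prefix
    ("peer2", "198.51.100.0/24", [64501, 65004]),
]

# Constructed "expected origin" table; in practice this would come from the
# operator's own records, IRR objects or RPKI ROAs.
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 65001,
    "198.51.100.0/24": 65004,
}


def origin_as(as_path):
    """The origin AS is the last AS in the AS_PATH attribute."""
    return as_path[-1]


def find_origin_conflicts(updates):
    """Return {prefix: sorted origin ASes} for prefixes seen with more than
    one origin AS (Multiple Origin AS), the simplest conflicting-announcement case."""
    origins = defaultdict(set)
    for _peer, prefix, path in updates:
        origins[prefix].add(origin_as(path))
    return {p: sorted(o) for p, o in origins.items() if len(o) > 1}


def find_unexpected_origins(updates, expected):
    """Return (peer, prefix, seen_origin, covering_prefix, expected_origin) for every
    announcement whose origin differs from the expected origin of a covering prefix.
    A more-specific prefix with a foreign origin is caught as well, since the
    longest-match rule would attract traffic to it."""
    expected_nets = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    alerts = []
    for peer, prefix, path in updates:
        net = ipaddress.ip_network(prefix)
        for known, asn in expected_nets.items():
            if net.subnet_of(known) and origin_as(path) != asn:
                alerts.append((peer, prefix, origin_as(path), str(known), asn))
    return alerts


if __name__ == "__main__":
    for prefix, asns in find_origin_conflicts(SAMPLE_UPDATES).items():
        print(f"MOAS conflict: {prefix} announced by {asns}")
    for peer, prefix, seen, known, expected in find_unexpected_origins(
        SAMPLE_UPDATES, EXPECTED_ORIGIN
    ):
        print(f"{peer}: {prefix} originated by AS{seen}, expected AS{expected} ({known})")
```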

Frank Goossens: I am not religious, but …

… for this statement I am happy to give Pope Francis the floor here;

There is always money to wage war, to buy weapons and to run financial operations without scruples, but there is always a shortage of money to create jobs, to invest in knowledge and to protect the environment.
(Pope Francis in a video message to a congress on the social teaching of the Church, 21/11/2014 at 19:47:00).

Source: deredactie.be (though without the contextual links)

21 Nov 2014 8:14pm GMT

Fabian Arrotin: Updating to Gluster 3.6 packages on CentOS 6

Yesterday I had to do some maintenance on our Gluster nodes used within the CentOS.org infra. Basically I had to reconfigure some gluster volumes to use Infiniband instead of Ethernet. (I'll write a dedicated blog post about that migration later.)

While a lot of people directly consume packages from Gluster.org (for example http://download.gluster.org/pub/gluster/glusterfs/3.6/LATEST/CentOS/epel-6/x86_64/), you'll be able (soon) to also install those packages directly on CentOS, through packages built by the Storage SIG. At the moment I'm writing this blog post, gluster 3.6.1 packages are built and available on our Community Build Server Koji setup, but still in testing (and unsigned).

"But wait, there are already glusterfs packages tagged 3.6 in CentOS 6.6, right?" you will say. Well, yes, but not the full stack. What you see in the [base] (or [updates]) repository are the client packages, as for example a base CentOS 6.x can be a gluster client (through fuse, or libgfapi - really interesting to speed up qemu-kvm instead of using the default fuse mount point ..), but the -server package isn't there. That's the reason why you can either use the upstream gluster.org yum repositories or the Storage SIG one to have access to the full stack, and so run glusterd on CentOS.

Interested in testing those packages? Wanting to test the update before those packages are released by the Storage SIG? Here we go: http://cbs.centos.org/repos/storage6-testing/x86_64/os/Packages/ (packages available for CentOS 7 too)

By the way, if you have never tested Gluster, it's really easy to set up and play with, even within Virtual Machines. Interesting reading (quick start): http://wiki.centos.org/SpecialInterestGroup/Storage/gluster-Quickstart

21 Nov 2014 3:08pm GMT

Frank Goossens: I see you baby, purging that spam!

all we are saying, is give ham a chance!

While Akismet does a good job at flagging comments as spam, by default it only purges spam (from the comments and comments_meta tables) after 15 days.

So it's a good thing Akismet now has a filter to change the number of days after which spam is removed. The code below (in a small plugin or in a child theme's functions.php) should do the trick.

/** tell akismet to purge spam sooner */
function change_akismet_interval($in) {
     // $in is Akismet's default interval (15 days); return the new value in days
     return 5;
}
// hook into Akismet's "akismet_delete_comment_interval" filter, which sets the
// age (in days) after which spam comments are deleted
add_filter('akismet_delete_comment_interval', 'change_akismet_interval');

Happy purging!

21 Nov 2014 6:19am GMT

20 Nov 2014


Xavier Mertens: NoSuchCon Wrap-Up Day #2

NoSuchCon 2014

Here is my wrap-up for the second day of the NoSuchCon conference organised in Paris. "Where is the first wrap-up?" you may ask. Due to an important last-minute change in my planning, I only drove to Paris yesterday evening and missed the first day! This is the second edition of this French conference organised in Paris at the same place. A very nice location even if the audio/video devices are not of top quality. The event also remains the same: one single track with international speakers and talks oriented to "offensive" security. This year, I was invited to take part in the selection committee.

The very first talk was presented by Andrea Allievi who did a wonderful job around the latest Windows operating system kernel patch protection. The full title was "Understanding and defeating Windows 8.1 Kernel Patch Protection". Andrea is the designer of the first UEFI bootkit in 2012. The first part of the presentation was a review of the most important terms around the Windows kernel protection:

The research started with the Snake campaign and the Uroburos bootkit. The bootkit can't affect Windows 8.1. Andrea reversed the bootkit and adapted it to defeat the patch protection. Windows 8.1 has a code integrity feature implemented completely differently than Windows 7. Andrea's approach was to use a kernel driver. The next step was to explain how the kernel patch protection works and how to attack PatchGuard. Finally, Andrea presented new attack types and finished with a demo. Interesting presentation, but the most important info is how to protect against this? The exploit is very difficult to implement (it took Andrea 3 months to achieve this), but use SecureBoot and don't trust any code downloaded from the Internet! (sounds logical).

The second talk was presented by Benjamin Delpy who is well known for his tool, Mimikatz, one of the pentester's best friends in Windows environments! After a brief reminder/introduction to the Windows authentication methods (NTLM, Kerberos) and the associated attacks, Pass-The-Hash (NTLM) and Pass-The-Ticket (Kerberos), Benjamin explained what "Golden Tickets" are: a golden ticket is a homemade ticket, not generated by the KDC.

Benjamin on stage

This means they aren't limited by GPOs and any data can be put into them. But the nice feature is their expiration! Once generated, the key does not change for … years! Then, Benjamin explained what a "Silver Ticket" is (exactly like a Golden Ticket, except for the krbtgt key). Multiple demos were made by Benjamin. I especially liked the fact that Kerberos tickets dumped on OS X or Ubuntu (which can be part of a Windows domain) can be reused on Windows by Mimikatz! Who said that Mac computers are safe on a network? Benjamin continues to develop his tool, which is more and more a must-have!

After a coffee break, the next target was the Google App Engine. Nicolas Collignon investigated the security around this PaaS ("Platform as a Service") & Devkit used by many developers. The supported programming languages are: Python, Java, PHP & Go. The architecture is quite common and based on a load-balancer, a reverse-proxy, an application server and backend services (DB). The first part focused on the application. Nothing really changes and classic attacks remain valid. Example: developers still manipulate raw SQL queries, control raw HTTP responses and need to implement security features. If security controls are present, they are not always enabled by default. Example: the urlfetch API does not verify SSL certificates by default. Nicolas also explained how to obtain Python RCE ("Remote Code Execution") via an XMPP service. The next part was attacking the GAE infrastructure. This is difficult because it can't be reproduced in a lab. The provisioning API is a nice target because developers use weak credentials (hey, what's new here?) and also share credentials between production and development environments. A classic fail is to store the production domain key in a non-safe place! (Accessing this key is as dangerous as a compromised Windows domain admin account.) The next part focused on the sandbox mechanism proposed by Google, with many examples. Nicolas's conclusions are:

After the lunch break, Ezequiel Gutesman presented "Blended web and database attacks on real-time, in-memory platform". What is an "in-memory" platform? Usually a DBMS relies on disk to store its data, but today there are solutions which store data in memory. Why? Memory is cheap today, there is an increasing amount of data to process and performance is key. Well-known solutions are Oracle, SQL Server and SAP HANA.

Ezequiel on stage

Ezequiel's research focused on SAP HANA. The solution is based on many components (DB, HTTP server) and provides a nice attack surface. This is a blended architecture. Instead of an application using a DB connection with limited (or unrestricted) access, the application is the same as the database user. User privileges should be restricted at the DB level. This changes the impact of classic attacks:

After the introduction, some attack vectors against HANA were reviewed. About SQL injections, HANA has a nice feature: history tables. If the user does not delete them, the information remains available! XSS attacks were reviewed as well as the integration with the R-Server.

The next talk was the presentation of an awesome hardware project: the USB armory. Andrea Barisani explained in detail how the project started, how they developed the hardware and what issues they faced. The idea of this device was to provide an open-hardware device running open-source software with:

  • Mass storage device with automatic encryption, virus scanning, host authentication and data wiping
  • OpenSSH client and agent for untrusted hosts (kiosk)
  • Router for end-to-end VPN tunneling, Tor
  • A password manager with integrated web server
  • Electronic wallet
  • A portable penetration testing platform
  • Low-level USB security testing


The development started in January 2014 and the product should be available for sale in December.

And the last talk was the one of Richard Johnson who spoke about fuzzing applications with "Fuzzing and patch analysis: SAGEly Advice". It started with an introduction to automated test generation. The goal is to target a program with full coverage of all possible states influenced by external input. This can be done via two approaches:

While fuzzing is very interesting, it has limitations because it cannot cover all possible states (a fuzzer tool is unaware of data constraints). That's where concolic testing can help. Richard explained the concept in detail with many examples. Finally, a tool was presented: Moflow::Fuzzflow, and some real-life examples where the tool was used to find vulnerabilities in software.

The day ended with a nice social event. Stay tuned for the last set of talks tomorrow!

20 Nov 2014 9:03pm GMT

Dries Buytaert: Weather.com using Drupal

Drupal sites

One of the world's most trafficked websites, with more than 100 million unique visitors every month and more than 20 million different pages of content, is now using Drupal. Weather.com is a top 20 U.S. site according to comScore. As far as I know, this is currently the biggest Drupal site in the world.

Weather.com has been an active Drupal user for the past 18 months; it started with a content creation workflow on Drupal to help its editorial team publish content to its existing website faster. With Drupal, Weather.com was able to dramatically reduce the number of steps that were required to publish content from 14 to just a few. Speed is essential in reporting the weather, and Drupal's content workflow provided much-needed velocity. The success of that initial project is what led to this week's migration of Weather.com from Percussion to Drupal.

The company has moved the entire website to Acquia Cloud, giving the site a resilient platform that can withstand sudden onslaughts of demand as unpredictable as the weather itself. As we learned from our work with New York City's MTA during Superstorm Sandy in 2012, "weather-proofing" the delivery of critical information to ensure the public stays informed during catastrophic events is really important and can help save lives.

The team at Weather.com worked with Acquia and Mediacurrent for its site development and migration.

Weather channel

20 Nov 2014 4:06pm GMT

19 Nov 2014


Mattias Geniar: The PHP circle: from Apache to Nginx and back

As with many technologies, the PHP community too evolves. And over the last 6 or 7 years, a rather remarkable circle has been made by a lot of systems administrators and PHP developers in that regard. The A in LAMP

Read more ›

The post The PHP circle: from Apache to Nginx and back appeared first on ma.ttias.be.

Related posts:

  1. Porting standard Apache's mod_rewrite rules to Nginx Most webframeworks will provide you with a .htaccess file that...
  2. Nginx: password protect a directory Nginx is a very powerful webserver, often used as a...
  3. Avoid 'AllowOverride All' in Apache to limit disk I/O access Apache has an option called "AllowOverride" which allows you to...

19 Nov 2014 11:16pm GMT

Mattias Geniar: Yet Another Microsoft Windows CVE: Local Privilege Escalation MS14-068

As if the SSL/TLS vulnerability dubbed MS14-066 last week wasn't enough, today Microsoft announced an out-of-band patch for a critical Privilege Escalation bug in all Windows Server systems. This time, Kerberos gets patched. A remote elevation of privilege vulnerability exists

Read more ›

The post Yet Another Microsoft Windows CVE: Local Privilege Escalation MS14-068 appeared first on ma.ttias.be.

Related posts:

  1. Microsoft SSL/TLS vulnerability MS14-066 It's peanut butter patching time. And it's urgent: MS14-066 Vulnerability...
  2. How To Bypass Windows 98's Security System Here's an awesome animated gif that'll show you how to...
  3. How To Reset A (Administrator) Password On A Windows Server 2003 There are several tools to reset a user password on...

19 Nov 2014 7:35am GMT

Frank Goossens: Music from Our Tube; Hazey by Glass Animals

Heard this in a TV show a couple of days ago, the percussion made me Shazam it;


Glass Animals with "Hazey" from their debut album "Zaba".

19 Nov 2014 5:15am GMT

18 Nov 2014


Mattias Geniar: Make HTTPerf use a proxy for connections

I like HTTPerf. It's a simple tool for a simple job: start HTTP calls and benchmark a remote system. But the CLI syntax for making it work with proxies is ... cumbersome. So, here's how to get it to work.

Read more ›

The post Make HTTPerf use a proxy for connections appeared first on ma.ttias.be.

Related posts:

  1. Debugging HTTP requests to PHP via the CLI You're a sysadmin. You love the CLI. You use PHP....
  2. There Are HTTP Headers, And Then There Are HTTP Headers Sounds confusing? No worries, it's really not. Here are some...

18 Nov 2014 6:00pm GMT

Mattias Geniar: A Certificate Authority to Encrypt the Entire Web

Eff.org today announced A Certificate Authority to Encrypt the Entire Web. "The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires." (eff.org) Completely agree. Especially the cost, since most certificates are automated

Read more ›

The post A Certificate Authority to Encrypt the Entire Web appeared first on ma.ttias.be.

18 Nov 2014 4:00pm GMT

Mattias Geniar: Follow-up: 3 years of automation with Puppet

Yesterday I blogged about my lessons learned after 3 years of using Puppet. In reply, @roidelapluie also posted his list of lessons learned. Accidentally, also after 3 years. Go figure. And he touches on topics I didn't think of, but

Read more ›

The post Follow-up: 3 years of automation with Puppet appeared first on ma.ttias.be.

Related posts:

  1. 3 Years of Puppet Config Management: lessons learned A little over 3 years ago, I started using Puppet...
  2. Puppet performance troubleshooting: using the built-in profiler in standalone puppet apply Previously, it was only possible to do Profiling of a...
  3. Setting custom puppet facts from within your Vagrantfile You may want to set custom puppet facts in your...

18 Nov 2014 7:27am GMT

17 Nov 2014


Mattias Geniar: REST API best practices and versioning

This is a short and nice read: Some REST best practices. I especially like the versioning part, which I've been (trying to) tell for years. API versions should be mandatory. This way, you will be futureproof as the API changes

Read more ›

The post REST API best practices and versioning appeared first on ma.ttias.be.

17 Nov 2014 8:11pm GMT

Mattias Geniar: The Chocolatey Kickstarter: Making Windows More Like Linux

Remember when I said Microsoft has an Open Source strategy? Well, this could fit right in. Except it isn't from Microsoft. The Chocolatey Project is an independent effort of porting the package managers we all love and use in Linux

Read more ›

The post The Chocolatey Kickstarter: Making Windows More Like Linux appeared first on ma.ttias.be.

Related posts:

  1. Microsofts Open Source Strategy If Microsoft ever does applications for Linux it means I've...
  2. Converting Windows 2008 Server To A Workstation What if you're happy with how Windows Vista works and...
  3. Overview of Windows User Accounts (including for IIS) After installing Windows Server 2003, with or without IIS (Internet...

17 Nov 2014 5:07pm GMT

Mattias Geniar: Remove a single iptables rule

How do you remove a single iptable rule from a large ruleset? The easiest way is to delete the rule by the chain-name and the line-number. Here's an example. ~# iptables -n -L --line-numbers Chain INPUT (policy ACCEPT) num target

Read more ›

The post Remove a single iptables rule appeared first on ma.ttias.be.

Related posts:

  1. Remove mail from a postfix queue on Linux When running Postfix, it's very easy to delete an e-mail...
  2. Letting memcached only listen on localhost on CentOS/RHEL Since memcached doesn't have authentication (yet), it's advised to make...
  3. Compile HAProxy With TPROXY Support After having compiled the kernel & iptables with tproxy last...

17 Nov 2014 4:04pm GMT

Mattias Geniar: 3 Years of Puppet Config Management: lessons learned

A little over 3 years ago, I started using Puppet as a config management system on my own servers. I should've started much sooner, but back then I didn't see the "value" in it. How foolish ... Around 2011, when

Read more ›

The post 3 Years of Puppet Config Management: lessons learned appeared first on ma.ttias.be.

Related posts:

  1. Puppet performance troubleshooting: using the built-in profiler in standalone puppet apply Previously, it was only possible to do Profiling of a...
  2. Follow-up: 3 years of automation with Puppet Yesterday I blogged about my lessons learned after 3 years...
  3. Setting custom puppet facts from within your Vagrantfile You may want to set custom puppet facts in your...

17 Nov 2014 1:31pm GMT