30 Oct 2014

Planet Grep

Les Jeudis du Libre: Mons, 20 November: An overview of Android application development


This Thursday 20 November 2014 at 19:00, the 33rd Mons session of the Belgian Jeudis du Libre will take place.

The topic of this session: An overview of Android application development

Theme: Internet | Programming | Mobile

Audience: web developers | programmers | students | …

Speaker: François Stephany (Ta Mère SCRL)

Venue: HEPH Condorcet, Chemin du Champ de Mars, 15 - 7000 Mons - Auditorium 2, on the ground floor (see this map on OpenStreetMap; NOTE: the entrance is hard to see from the main road, it is in the corner formed by a very large car park).

Attendance is free and only requires registering by name, preferably in advance, or at the door. Please indicate your intention by registering via http://jeudisdulibre.fikket.com/. The session will be followed by drinks.

Les Jeudis du Libre in Mons are also supported by our partners: Normation, OpenSides, MeaWeb, NextLab, Phonoid and Creative Monkeys.

If you are interested in this monthly series, feel free to consult the agenda and subscribe to the mailing list so that you receive every announcement.

As a reminder, Les Jeudis du Libre are meant to be forums for exchange around Free Software topics. The Mons meetings take place every third Thursday of the month and are organised on the premises of, and in collaboration with, the Hautes Écoles and university faculties of the Pôle Hainuyer of higher education involved in training IT professionals (UMONS, HEH and Condorcet), with the help of the non-profit LoLiGrUB, which promotes free software.

Description: Android needs no introduction; it is (almost) everywhere. But what lies behind this operating system? What are the components of an Android application? What limits are imposed on developers?

François offers a short tour of the platform. The presentation will be fairly technical, so some experience with computer systems and/or programming is recommended in order to follow it.

30 Oct 2014 5:54am GMT

29 Oct 2014

Dries Buytaert: W3C declares HTML5 standard final

After 10 years of development, the W3C promoted HTML5 to "Recommendation" yesterday: http://www.w3.org/blog/news/archives/4167. W3C's "Recommendation" status is the highest level of maturity, effectively making the markup language a formal standard.

Almost 20% of the world's websites have adopted HTML5, so for many, HTML5 is nothing new.

Drafting the HTML5 standard appears to have been a difficult and tiring process. It took more than 50,000 email exchanges, and the group's bug lists record more than 4,000 errors and ambiguities that had to be resolved.

With HTML5 complete, you might wonder what is next for HTML. Take a look at HTML.next, the list of proposed HTML.next elements and attributes, or the list of postponed feature requests.

The trend in development seems to be towards native mobile applications rather than mobile websites, but the future of HTML and its modular design has some interesting things in store. In the long run, I think the line between native applications and web applications will blur. I think the future is better integration and more seamless transitions between the two. Standards are important and can't be here fast enough!

29 Oct 2014 11:14am GMT

28 Oct 2014

Kurt Roeckx: DANE

I've been wanting to set up DANE for my domain, but I seem to be unable to find a provider that offers DNSSEC and can also do TLSA records in DNS. I've contacted several companies and most don't even seem to be offering DNSSEC. And if they offer DNSSEC, they can't do TLSA records or RFC 3597-style "unknown DNS resource record types". I would like to avoid actually running my own nameservers.

So if someone knows someone that can provide that, please contact me at kurt@roeckx.be.

Update [29 October 2014]:
Some people suggested that I set up a hidden master. I actually wanted to avoid that, but I guess I'm going to do that.
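For reference, an added example (not from Kurt's post) of what the record in question looks like once a provider can load it. It builds the TLSA RDATA for a server's SubjectPublicKeyInfo with a SHA-256 digest (usage 3, selector 1, matching type 1 in RFC 6698 terms), renders it both in the native TLSA presentation format and in the RFC 3597 generic TYPE52 \# form that a provider with no TLSA parser but with "unknown type" support can still accept, and shows the comparison a DANE-aware client performs after the TLS handshake. The SPKI bytes are a constructed placeholder with the DER framing of a P-256 key and a dummy point; a real deployment would extract them from the certificate (for example with openssl x509 -pubkey -noout followed by openssl pkey -pubin -outform DER).

```python
import hashlib
import struct

TLSA_RRTYPE = 52  # RR type number assigned to TLSA (RFC 6698)

# Constructed placeholder: DER framing of a P-256 SubjectPublicKeyInfo with a dummy
# point, standing in for bytes you would really take from the server certificate.
SAMPLE_SPKI_DER = (
    bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
    + bytes(range(65))
)


def tlsa_rdata(spki_der, usage=3, selector=1, matching=1):
    """Build TLSA RDATA: usage, selector, matching type, association data.
    Defaults: 3 = DANE-EE (pin the end-entity key), 1 = SubjectPublicKeyInfo,
    1 = SHA-256 of the selected data."""
    if matching == 0:
        assoc = spki_der
    elif matching == 1:
        assoc = hashlib.sha256(spki_der).digest()
    elif matching == 2:
        assoc = hashlib.sha512(spki_der).digest()
    else:
        raise ValueError("unsupported matching type %d" % matching)
    return struct.pack("!BBB", usage, selector, matching) + assoc


def tlsa_presentation(owner, rdata):
    """Native zone-file form, for providers that know the type."""
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, matching, rdata[3:].hex())


def rfc3597_presentation(owner, rdata):
    """RFC 3597 generic form (TYPEnn \\# length hex): loadable by any server that
    supports unknown record types, even with no TLSA parser at all."""
    return "%s IN TYPE%d \\# %d %s" % (owner, TLSA_RRTYPE, len(rdata), rdata.hex())


def parse_rfc3597(text):
    """Turn the generic form back into raw RDATA, checking the declared length."""
    owner, rrclass, rrtype, marker, length, *hexparts = text.split()
    if rrclass != "IN" or rrtype != "TYPE%d" % TLSA_RRTYPE or marker != "\\#":
        raise ValueError("not a generic TLSA record: %s" % text)
    rdata = bytes.fromhex("".join(hexparts))
    if len(rdata) != int(length):
        raise ValueError("declared length %s, got %d bytes" % (length, len(rdata)))
    return rdata


def spki_matches(rdata, spki_der):
    """What a DANE-aware client does after the TLS handshake: recompute the
    association data from the presented key and compare it with the record."""
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    return rdata == tlsa_rdata(spki_der, usage, selector, matching)


if __name__ == "__main__":
    rd = tlsa_rdata(SAMPLE_SPKI_DER)
    print(tlsa_presentation("_443._tcp.example.com.", rd))
    print(rfc3597_presentation("_443._tcp.example.com.", rd))
```

The generic form carries exactly the same 35 bytes as the native one, so a zone loaded with TYPE52 records serves byte-identical answers; it only sidesteps the provider's front end. Note that the record is worthless without DNSSEC on the zone, since a client that cannot validate the answer will not trust it.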

28 Oct 2014 6:42pm GMT

25 Oct 2014

Mark Van den Borre: Geert Noels over bankenlobby

Shortly after the crisis you sat on the Lamfalussy committee, which was supposed to draw up a blueprint for reforming the financial sector in Belgium. The end result was remarkably friendly. Did you experience those forces yourself?
Noels: 'Look, that committee did serious work for six months. But the proposals to tackle 'too big to fail' and systemic risks did not make it into the final version of our report. Nor did my proposal to develop a systemic scale for banks. The plan was: the more points a bank scores on that scale, the higher the risk to the health of the financial system. On that basis you could have informed or warned savers when the above-average interest on their savings account also concealed above-average risk. An example: before the crisis KBC would have risen on that scale year after year, and fallen year after year afterwards. And it would have made it possible to tax banks fairly. My proposal was not followed, and today small banks pay proportionally more bank tax than large ones. No, I did not protest loudly against that. Our lawyer says I had better not come back to that, but draw your own conclusions about what happened.'

original article

25 Oct 2014 11:38am GMT

24 Oct 2014

Wouter Verhelst: Not using adirent

About a month ago, I received an upstream bug report that nbd-server wouldn't build on Solaris and its derivatives. This was because nbd-server uses the d_type field of struct dirent, which is widely implemented (on Linux and FreeBSD, at least) but not part of POSIX, and therefore not implemented on Solaris (which tends to be more conservative about implementing new features).

The bug reporter pointed towards a blog post by a Solaris user who had written something he calls "adirent", meant to work around the issue by wrapping readdir() so that it injects a stat() call when needed. While that approach works, it seems a bit strange to add a function which wraps readdir() to become portable. After all, readdir() does not always return the file type in d_type, not even on systems that do implement it. One example is XFS: if one runs readdir() on a directory on an XFS filesystem, everything will have DT_UNKNOWN as its file type, indicating that you need to run stat() after all.

As such, I think a better approach is to use that fact so that things will just work on systems where d_type isn't available. The GNU autotools even have a test for it (AC_STRUCT_DIRENT_D_TYPE), which makes things easier. In the case of NBD, I've added that to configure.ac and then added a touch of preprocessor magic to reuse the infrastructure for dealing with DT_UNKNOWN that is already there:

#ifdef HAVE_STRUCT_DIRENT_D_TYPE
#define NBD_D_TYPE de->d_type
#else
#define NBD_D_TYPE 0
#define DT_UNKNOWN 0
#define DT_REG 1
#endif

(...opendir(), readdir(), ...)

switch(NBD_D_TYPE) {
    case DT_UNKNOWN:

(...call stat(), figure out if it is a file...)

    case DT_REG:

(...we know it is a file...)

    default:

(...we know it is not a file...)

This seems cleaner to me than using a wrapper, and has the additional advantage that the DT_UNKNOWN code path gets some more testing.

24 Oct 2014 1:33pm GMT

Frank Goossens: Music from Our Tube; Wilco’s Impossible Germany

Nothing new, no ground-breaking beats nor exhilarating live jazz performances today, but "just" what I feel is an epic rock song ("Impossible Germany") written by a great rock band (Wilco):

(YouTube video: Wilco, "Impossible Germany")

Enjoy your weekend!

24 Oct 2014 12:25pm GMT

23 Oct 2014

Xavier Mertens: Hack.lu 2014 Wrap-Up Day #3

The third day is over! After the speaker dinner in a cool place and a very short night, I attended more talks today (no workshops). Let's go for the daily quick wrap-up…

The first talk was "Internet scanning - conducting research on 0/0", presented by Mark Schloesser from Rapid7, who is also a developer of the Cuckoo sandbox. The topic focused on the IPv4 address space, of course. IPv6 could be nice for another talk but has many challenges.

Mark's vision of the Internet

Mark's topic was not only the scanning part but also wide data gathering. Example: when port 80 is publicly available, the website behind it is crawled. People think that scanning the Internet takes time… months? In reality, there are quite performant tools today, like masscan or zmap, that are able to scan the complete Internet address space in less than one hour. Of course, this is theoretical, because packets are processed by many routers, which can affect the overall performance of the scan. Scanning the Internet is not a new topic and other projects have existed for a while, like Shodan, the Shadowserver Foundation and ErrataSec. Of course, Mark said that scanning the Internet is only performed for research purposes (in his case, of course). He reviewed some interesting findings:

Mark presented a Rapid7 project called "Sonar", which helps to scan the Internet for specific ports/protocols. Here are some results:

Some recent findings?

To conclude, Mark said that in such projects, collaboration is key! It is important to make data available to the infosec community. To achieve this, a website exists: scans.io. It was a great talk to start the day!

The next talk was presented by Saumil Shah. Do we need to introduce him? Saumil is a very cool guy who always comes with new crazy ideas and explains them in simple words and with modesty. This time, he came with a talk called "Hacking with pictures".

Saumil on stage

Saumil has been delivering exploits for some years. When you write exploits, the first goal is to work below the radar, with techniques like:

In 2011, he came with a cool attack called "255 shades of grey" and today it was a new one called "IMAJS", which consists of an image with embedded JavaScript. The concept: the same file can be used twice:

<img src="image.gif">
<script src="image.gif"></script>

The evil trick is to use comments to hide the image data from the JavaScript parser:

GIF89A/*xxxxxx*/=0;xxxxxx

The JPEG format is even more powerful thanks to the EXIF data! But the problem is that some characters must be avoided. Another demo was an exploit using a heap spray attack to pop up, guess what, a calc.exe! This technique was called "Stegosploit" by Saumil and is based on the vulnerability labelled MS14-035 by Microsoft. The next idea was to have an attack based on some kind of "time machine": the image is downloaded by the victim at a certain time but the exploitation occurs later. This could have a huge impact on incident response! Conclusions of this talk:

It was really a good presentation, my favourite of today!
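As an added example, not from Saumil's talk or from this post: how the GIF/JavaScript polyglot sketched above is laid out, and the checks a defender can run on a GIF to spot one. The GIF logical-screen width field sits directly after the "GIF89a" signature, so setting it to the two bytes "/*" (a width of 10799 px) makes a JavaScript parser read the identifier GIF89a followed by a block comment that swallows the image data; the comment is closed right after the GIF trailer byte and ordinary JavaScript follows. The detector walks the GIF block structure to find the true trailer instead of searching for 0x3B, which also occurs inside image data and is ";" in the script. The carrier is the standard 1x1-pixel minimal GIF and the trailing script is a benign constructed string; the function and variable names are mine.

```python
import struct

# Minimal 1x1 GIF (2-colour global table, one image block), used as the carrier.
# Everything after the 6-byte signature is fixed; only the width bytes differ below.
GIF_LSD_TAIL = bytes([0x01, 0x00, 0x80, 0x00, 0x00])          # height=1, packed, bg, aspect
GIF_BODY = (
    bytes([0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF])               # global colour table
    + bytes([0x2C, 0, 0, 0, 0, 1, 0, 1, 0, 0])                # image descriptor, 1x1
    + bytes([0x02, 0x02, 0x44, 0x01, 0x00])                   # LZW min code size + data
    + bytes([0x3B])                                           # trailer
)
MINIMAL_GIF = b"GIF89a" + struct.pack("<H", 1) + GIF_LSD_TAIL + GIF_BODY


def build_imajs_gif(script):
    """Polyglot layout: GIF89a /* <image bytes> ; */=1; <script>.
    'GIF89a' is a valid JS identifier, the width field is the bytes '/*', and the
    comment is closed right after the GIF trailer. Raises if the image bytes would
    terminate the comment early (the same constraint applies to any carrier image)."""
    image = b"GIF89a" + b"/*" + GIF_LSD_TAIL + GIF_BODY
    if b"*/" in image:
        raise ValueError("image data contains '*/', which would close the comment")
    return image + b"*/=1;" + script


def gif_end_offset(blob):
    """Offset just past the GIF trailer, found by walking the block structure."""
    if blob[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = blob[10]
    pos = 13                                   # signature + logical screen descriptor
    if packed & 0x80:
        pos += 3 * (2 << (packed & 7))         # global colour table

    def skip_subblocks(p):
        while blob[p] != 0:                    # length-prefixed blocks until a 0 byte
            p += 1 + blob[p]
        return p + 1

    while True:
        tag = blob[pos]
        if tag == 0x3B:
            return pos + 1
        if tag == 0x21:                        # extension: label byte, then sub-blocks
            pos = skip_subblocks(pos + 2)
        elif tag == 0x2C:                      # image descriptor (10 bytes) [+ local table]
            lpacked = blob[pos + 9]
            pos += 10
            if lpacked & 0x80:
                pos += 3 * (2 << (lpacked & 7))
            pos = skip_subblocks(pos + 1)      # LZW minimum code size, then image data
        else:
            raise ValueError("malformed GIF at offset %d" % pos)


def audit_gif(blob):
    """Structural checks for an upload filter or proxy: does the width field spell
    a comment opener, and is there anything at all after the real trailer?"""
    findings = []
    if blob[6:8] == b"/*":
        findings.append("screen width field is the bytes '/*' (%d px)" % struct.unpack("<H", blob[6:8]))
    end = gif_end_offset(blob)
    trailing = blob[end:]
    if trailing:
        findings.append("%d bytes after the GIF trailer" % len(trailing))
        if b"*/" in trailing:
            findings.append("trailing data closes a JS block comment")
    return findings


if __name__ == "__main__":
    sample = build_imajs_gif(b"var marker = 'constructed payload';")
    print(audit_gif(MINIMAL_GIF), audit_gif(sample))
```

Browsers stop decoding at the trailer and ignore what follows, which is why the script can ride behind it; a filter that only validates the image header therefore sees a clean GIF. Checking that nothing follows the trailer and that the width is a plausible pixel count catches this layout, but not the JPEG/EXIF variant mentioned above, which needs its own marker walk.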

After a short break, Paul Rascagnères and Eric Leblond presented "D&D of malware with exotic C&C". This was a good team: Paul is a respected malware researcher and Eric is a core developer of Suricata, the open source IDS.

Paul & Eric on stage

Paul described different cases that he faced while doing malware analysis: how does malware communicate with its C&C servers? Then Eric explained how to configure Suricata properly to catch those communications (while keeping performance acceptable).

Conclusion of this talk: even if we have nice tools like dynamic sandbox analysis systems, it's still very useful to reverse the malware code to understand how it communicates and to write powerful rules! Funny presentation made by two crazy guys!

Then, two presentations were scheduled but I did not follow them: Dominique Bongard spoke about WPS or "WiFi Protected Setup". After a good description of the WPS working principles (you know, the button you have on your router or the sticker on the bottom), Dominique explained the weaknesses of this system.

Warning Sign

The next one was not a technical talk but a review of the cyberwar between Russia and Ukraine. Glib Pakharenko explained what happened before and during the war between the two countries. The cyber attacks started before the revolution and they are not only hacking or DDoS. It can also be:

A good example was Russia hacking smart TVs in Ukraine and forcing them to show terrorist channels!

The next talk was a presentation of mitmproxy by Maximilian Hils. This proxy plays man-in-the-middle and intercepts HTTPS requests. The tool is free and basically allows you to inspect encrypted traffic between the browser and the server, but not only! It can also:

The tool is console based and really deserves to be part of your regular toolbox!

mitmproxy demo

And we continued with another talk. This one was called "How I hacked my city" by Amihai Neiderman. This was a walkthrough talk: Amihai told us a story. It began when he discovered a strange SSID "FREE_TLV" broadcast in the street. Curious, like many of us, he tried to connect to it and found more and more information.

Amihai on stage

He explained step by step, like a novel, how he successfully compromised the devices behind the wireless network: starting from testing default passwords, SQL injections, downloading the firmware (after being able to identify the vendor's product) and how he successfully exploited the firmware.

The next talk focused on exploiting VirtualBox via the 3D acceleration feature. It was called "Breaking out of VirtualBox through 3D acceleration" by Francisco Falcon. When I read the abstract of this talk, my first reaction was: "But how many people use this feature with VirtualBox? Who's running games on VirtualBox?". Anyway, Francisco found a great way to abuse this feature! Note that the VirtualBox developers already warn users in the documentation: "This code may contain bugs".

Francisco on stage

Before explaining how to exploit the feature, he explained how it works. VirtualBox 3D acceleration is based on Chromium, a library that allows remote rendering of graphics (nothing to do with the browser of the same name). The flow of data is the following:

host hardware -> host OS 
                 -> VirtualBox hypervisor (chromium server) 
                    -> Guest OS (vboxguest.sys) 
                       -> OpenGL client

The second part of the talk was dedicated to the detailed explanation of how to exploit this architecture.

My last talk was the one by Sebastian Garcia, who presented a nice way to detect botnet activity via network traffic ("Botnets Behavioral Patterns in the Network").

Sebastian on stage

The idea behind this talk was based on the following question: how do we detect malware? We can analyse binary files (the malware itself) or the generated traffic (to exfiltrate data, to communicate with the C&C). File analysis can be static or dynamic but remains complex. And it's the same for network traffic. What are the actions performed and how do they change? An interesting statistic: how do we analyse the network traffic?

The next question is: Is it working?

What's not working?

Sebastian's idea was to focus on single connections (each of which relates to a specific action, like a DNS resolution, access to Google, a spam message sent). He needed aggregation and created a 4-tuple based on: the source IP, the destination IP, the destination port and the protocol. Then he explained how the model was created by analysing the behaviour of each 4-tuple, extracting 3 features from each flow:

Based on the sizes of the flows, Sebastian explained how to assign a specific character to each one (36 possible states). On top of this encoding, he was able to build a botnet detection model based on Markov chains. A nice piece of research and a nice talk!
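An added example of the pipeline described above, not Sebastian's code: it groups constructed flow records into 4-tuples (source IP, destination IP, destination port, protocol), maps each flow of a tuple to one of 36 state letters, trains a first-order Markov chain on the letter string of a labelled C&C tuple, and scores other tuples by how well their transitions fit that chain. The three per-flow features used here (a size bucket, a duration bucket, and how periodic the gap to the previous flow of the same tuple is) are my assumption of what a 3-feature, 36-state encoding could look like, since the post's feature list did not survive; the bucket thresholds are arbitrary, the addresses come from documentation ranges, and all flows are constructed.

```python
import math
from collections import defaultdict

STATE_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"   # 36 states, one letter each

# Constructed flow records: (timestamp_s, src, dst, dport, proto, bytes, duration_s).
# A labelled C&C beacon used for training: one small flow every 30 s.
TRAINING_FLOWS = [
    (t, "10.0.0.77", "203.0.113.9", 443, "tcp", 180 + (t % 5), 0.3) for t in range(0, 360, 30)
]
# Traffic to score: an unknown host beaconing every 60 s, and an interactive web session.
SAMPLE_FLOWS = [
    (t, "10.0.0.5", "198.51.100.7", 443, "tcp", 210 + (t % 7), 0.4) for t in range(0, 600, 60)
] + [
    (3.0, "10.0.0.9", "93.184.216.34", 80, "tcp", 18000, 1.2),
    (3.4, "10.0.0.9", "93.184.216.34", 80, "tcp", 950, 0.1),
    (9.0, "10.0.0.9", "93.184.216.34", 80, "tcp", 52000, 6.0),
    (40.0, "10.0.0.9", "93.184.216.34", 80, "tcp", 120, 0.05),
    (41.0, "10.0.0.9", "93.184.216.34", 80, "tcp", 4100, 0.8),
    (200.0, "10.0.0.9", "93.184.216.34", 80, "tcp", 760, 0.3),
]


def bucket(value, edges):
    """0 if value < edges[0], 1 if < edges[1], ..., len(edges) otherwise."""
    return sum(value >= e for e in edges)


def flow_states(flows):
    """Group flows by 4-tuple and encode each flow as one letter.
    Assumed features: size (3 buckets), duration (3 buckets), periodicity of the
    gap to the previous flow of the tuple (0 first flow, 1 periodic, 2 roughly
    periodic, 3 aperiodic or not yet known): 3 * 3 * 4 = 36 states."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, proto, size, dur in flows:
        by_tuple[(src, dst, dport, proto)].append((ts, size, dur))
    states = {}
    for key, items in by_tuple.items():
        letters, prev_ts, prev_gap = [], None, None
        for ts, size, dur in sorted(items):
            s = bucket(size, (300, 3000))
            d = bucket(dur, (1.0, 10.0))
            if prev_ts is None:
                p, gap = 0, None
            else:
                gap = ts - prev_ts
                if prev_gap is None:
                    p = 3
                else:
                    drift = abs(gap - prev_gap) / max(prev_gap, 1e-9)
                    p = 1 if drift < 0.1 else 2 if drift < 0.5 else 3
            letters.append(STATE_ALPHABET[s * 12 + d * 4 + p])
            prev_ts, prev_gap = ts, gap
        states[key] = "".join(letters)
    return states


class MarkovModel:
    """First-order Markov chain over state letters."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))

    def train(self, letters):
        for a, b in zip(letters, letters[1:]):
            self.counts[a][b] += 1

    def score(self, letters):
        """Mean log-probability per transition, add-one smoothed so that an unseen
        transition is penalised instead of zeroing the whole sequence."""
        n = len(STATE_ALPHABET)
        pairs = list(zip(letters, letters[1:]))
        total = 0.0
        for a, b in pairs:
            row = self.counts.get(a, {})
            total += math.log((row.get(b, 0) + 1) / (sum(row.values()) + n))
        return total / max(len(pairs), 1)


def score_tuples(model, flows):
    """Score every 4-tuple in a capture; higher means closer to the trained behaviour."""
    return {key: model.score(letters) for key, letters in flow_states(flows).items()}


if __name__ == "__main__":
    model = MarkovModel()
    for letters in flow_states(TRAINING_FLOWS).values():
        model.train(letters)
    for key, value in sorted(score_tuples(model, SAMPLE_FLOWS).items()):
        print(key, flow_states(SAMPLE_FLOWS)[key], round(value, 2))
```

The beaconing tuple encodes as "0311111111" (first flow, one gap of unknown periodicity, then eight periodic small flows) and scores far above the web session, whose letters are all over the alphabet. A real deployment trains one chain per known botnet behaviour on many captures and thresholds the scores; this shows the encoding and scoring mechanics only.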

I did not attend the last talk. The day finished with the celebration of the CTF winners. The regular conference is now over. Tomorrow, no more regular talks; just a few workshops are still scheduled. A good edition of hack.lu, which remains a conference with a specific atmosphere. See you next year for the 11th edition!

Note: the slides are available here.

23 Oct 2014 9:37pm GMT

22 Oct 2014

Xavier Mertens: Hack.lu 2014 Wrap-Up Day #2

The second day is over! I'm just back from a great speaker dinner in Esch-sur-Alzette. It's time to write a quick wrap-up. There were again some Cisco forensics workshops on the schedule, which is why I was not able to attend all of today's talks.

The second day opened with Marion Marschalek's keynote called "TS/NOFORN". This title is derived from the document classification markings used by the United States. Marion started with a nice introduction based on Star Wars characters, to finish with a fact: today it's not Star Wars anymore but cyberwars! Cyber means a lot of threats, for example the control of media, intellectual property being stolen, nation states spying (and being hacked), the loss of corporate data. Then she explained in detail how some malware was tracked. Interesting fact: it's quite easy to detect the location/nationality of the malware developers by analysing the vocabulary and texts used in the code.

The first regular talk was presented by Claudio Guarnieri. He is a well-known security researcher, mainly known thanks to the Cuckoo project (he's the leader of this project). His presentation was called "Embrace the Viper and live happy". Claudio presented his new baby called "Viper".

Claudio on stage

The idea of the tool came from the mess that we are all facing around our files (samples) and tools. What about exploits? They are written using multiple tools and languages and it became unmanageable to keep them properly stored. That's why HD Moore created the Metasploit framework some years ago. And what about malware analysis? According to Claudio, it is exactly the same: we have multiple tools producing multiple outputs in many formats. They are hard to integrate! "It sucks". Claudio started a project called VxCage to make filesystems cleaner, but it was never finished. Today, Viper is born. It's a framework to store and manage samples. It provides analysis modules to inspect your samples and an easy way to create new ones. The project is written in Python. Right now it is just a shell, but other user interfaces could be possible. There is also a REST API. The structure is based on:

Some examples of existing modules are: Radare2, searching for known shellcode patterns, analysis of PDF or Office documents, etc. The product is not perfect but works quite well. Claudio made lots of nice demos. It seems very easy to use, with simple and powerful commands. Claudio said that some modules are incomplete and that it lacks scripting and automation. The product must still be improved but looks great. It is a community project and Claudio is looking for developers/contributors. Viper is available here.

The next talk focused on TR-069, a technical specification for CWMP ("CPE WAN Management Protocol"). It was presented by Shahar Tal. It defines a protocol used for remote management of end-user devices (the Internet box that all of us have at home) and is based on SOAP over HTTP. Communications are performed between the user's devices and a central server called an ACS ("Auto Configuration Server").

Shahar on stage

Basically, with TR-069, you allow "somebody" to access your device. The question that immediately comes to mind is: who do you trust to run code on your device at any time without approval? Shahar's idea was to focus on the ACS instead of the router (which has already been targeted too much!). What if an ACS is compromised? The attacker could:

The first step is to find an ACS! How to achieve this? By compromising a router and checking the traffic or activity, by sniffing your own traffic, or by scanning the Internet. Once found, the ACS becomes a regular target and, guess what? Many of them are not properly managed/configured. Shahar reviewed different examples of ACSs and how they were compromised. Two examples:

About bad configurations: even where SSL is available, according to Shahar only 15% of them are using SSL to manage their CPEs! Interesting talk! If you compromise an ACS, you can potentially own thousands of home routers!

Then Fyodor Yarochkin, a regular speaker at hack.lu, came to present "Detecting bleeding edge malware: a practical report". Fyodor is good at presenting research about monitoring malicious activities, malware and botnets. For him, when you're compromised, you need to properly detect the who, when and how. The identification of the threat is very important. Fyodor explained how he tracked ongoing malicious campaigns via DNS and HTTP monitoring, correlated with public information. As an example, he detected an attacker changing its domain name every 3 minutes, impressive!

Fyodor on stage

I just had a quick look at the talk about USB fuzzing. It was presented by Jordan Bouyat. It was very close to the one that I attended at BlackHat last week! To summarise briefly, USB fuzzing is interesting because USB ports are available everywhere today! After a short introduction about USB and its features (bus, detection, etc.), Jordan explained the approach his company used to set up a USB fuzzing lab. Based on QEMU, the solution has pros and cons:

I expected a lot from the next talk. I was curious about the tool called WiHawk, aka the "router vulnerability scanner". If previously we saw a talk about TR-069 which focused on ACS servers to pwn home routers, this talk focused again on them. Anamika Singh quickly summarised what a router is and what its core features are: route processing (deciding where to send packets), packet forwarding and special services like filters (ACLs) or NAT. She started with a simple example where a password was discovered via an analysis of a router firmware with binwalk. Classic! Then she explained the purpose of WiHawk and described its features. Based on IronWASP (it must be installed on top of it), the framework provides the following checks:

The target can be specified as a single IP address, a network or, more interesting, a Shodan query (GeoIP: city, country, etc.). This is an interesting tool, but based on IronWASP, which needs .NET! According to the website, it runs under Linux with Wine… To be tested!

Finally, my last talk was the one by Frederik Braun: "We're struggling to keep up" (a brief history of browser security features). The talk was about the past, present and future of browsers. Today, "the web is the platform", said Frederik! He showed two screenshots which perfectly summarise the history of browsers. The first one is the Yahoo! homepage in the year 2000. The second one is gmail.com with plenty of nice features (fully dynamic web content). Another fact: browsers are everywhere, even in your car! From the past, we always improved the browser to fix security issues: HTTP is a stateless protocol, so we invented cookies. We used plain-text communications? We invented HTTPS. It was opt-in? We implemented HSTS. It's just a whack-a-mole game! Then Frederik reviewed the present issues and the future… Frederik's conclusion? The browser can help to secure the website!

The last talk was the same as the one presented last week at BlackHat: "Evasion of high-end IDPS devices in the IPv6 era" by Enno Rey, Antonios Atlasis and Rafael Schaefer. Tomorrow, nice talks are scheduled! Stay tuned for more news…

22 Oct 2014 10:32pm GMT

Frank Goossens: Tweaking WordPress’s Expound theme’s menu

I'm helping on a site for a not-for-profit for which we selected "Expound" as the base theme. I like Expound; it looks great, there's no jQuery or webfont cruft to worry about and, although the CSS comes with a separate reset.css file, it does (Auto)optimize perfectly.

But I wasn't happy with the menu color-scheme and with the fact that the menu lacked an indication that a child page of a main entry was being shown instead of the page of that main entry itself (confused much?).

Anyway, this is what I ended up with;
[Screenshot: the tweaked Expound menu]

For those wanting to do something similar, this is the relevant CSS in my child theme:

/* don't want no blue */
.navigation-main .current-menu-item > a {
        background: #557B47 !important;
}

/* triangle should not be blue either, need it to be a bit bigger */
.navigation-main ul > .current_page_item a:after, .navigation-main ul > .current-menu-item a:after, .navigation-main ul > .current-post-ancestor a:after, .navigation-main ul > .current-menu-parent a:after, .navigation-main ul > .current-post-parent a:after {
        border-top: 10px solid #557B47 !important;
        bottom: -14px;
        z-index: 1000;
}

@media screen and (min-width: 600px) {
  /* if page from submenu, add line under parent item to show you're in that submenu */
  .navigation-main ul > .menu-item {
        border-bottom: 6px solid #3A3A3A !important;
  }
  .navigation-main ul > .current_page_item, .navigation-main ul > .current-menu-item, .navigation-main ul > .current-post-ancestor, .navigation-main ul > .current-menu-parent, .navigation-main ul > .current-post-parent {
        border-bottom: 6px solid #557B47 !important;
  }

  /* but not in submenu */
  .navigation-main .sub-menu > .menu-item {
        border-bottom: 0px !important;
  }

  /* less padding at the bottom to compensate for that extra line */
  .navigation-main a {
        padding: 10px 10px 4px !important;
  }

  /* except when in submenu */
  .navigation-main .sub-menu a {
        padding: 10px !important;
  }
}

/* change color to default brown if child-item is active */
.navigation-main ul > .current_page_item, .navigation-main ul > .current-menu-item, .navigation-main ul > .current-post-ancestor, .navigation-main ul > .current-menu-ancestor, .navigation-main ul > .current-menu-parent, .navigation-main ul > .current-post-parent {
        background: #3A3A3A !important;
}

Have fun!

22 Oct 2014 3:22pm GMT

21 Oct 2014

Xavier Mertens: Hack.lu 2014 Wrap-Up Day #1

Hello dear readers, my agenda is quite hot at the moment: after attending BlackHat last week in Amsterdam, I'm now in Luxembourg until Friday to attend the 10th edition of Hack.lu. The conference organised in Luxembourg has already reached a decade! Congratulations to the organisers of the event, which I have been attending since 2008! It has remained since the beginning in my favourite top three for the following reasons: nice atmosphere, good size (not too big, not too small), most visitors are regulars, which allows me to meet them once (or twice) a year.

As usual, the first day started with a first bunch of workshops. They are very interesting because, compared to regular talks, you're not passively listening to the speaker but doing practical stuff to learn a new tool or protocol. My first choice was to attend a workshop about the ELK stack prepared by Christophe Vandeplas. ELK means "Elasticsearch, Logstash & Kibana" and allows you to collect, parse and store data for further processing. Christophe explained the basics of each component and how to perform forensic investigations based on ELK. I was already using ELK at home to process my logs but, honestly, Christophe gave me some ideas to improve my setup; he has a really good knowledge of this platform. Besides the workshop, he also maintains a GitHub repository with interesting content to help you in your daily ELK operations. Besides the classic usage, which is collecting logs from your infrastructure (firewalls, proxies, servers, …), ELK can also be used to perform pure forensic investigations. Christophe explained how he performs these tasks. The example given was the analysis of a piece of malware. The complete path is:

  Sandbox -> Pcap file -> Analysis via Suricata with generated EVE events (JSON) -> Logstash

The next workshop was the one by my friend Didier Stevens and myself about Cisco forensic investigations. We gave this workshop for the first time during BruCON and were invited to give it in Luxembourg. If you did not attend those conferences, don't forget that we offer an online lab which allows you to perform the exercises proposed during the workshop. Two sessions were organised today and the first one was fully booked.

After the workshop, I joined the main room to attend the last talks of the day. I attended the last minutes of "Bypassing sandboxes for fun… Profit will be realized by sandbox vendors" by Paul Jung. Today vendors are using sandboxes in more and more products and claim that they are the best way to analyse the behaviour of malicious applications. But this remains a "cat & mouse game": malware developers have techniques to detect when their code is executed in a sandbox, but also to evade this "secure" environment. I attended only the last 10 minutes of the talk, which looked very deep and technical.

The next talk was presented by a French guy, Serge Guelton. He presented research about Python: "Python code obfuscation: improving existing techniques". Serge explained the different techniques that can be used to obfuscate Python code. For each technique, he reviewed the pros and cons. There can be multiple reasons to do this; a good example is the Dropbox client, which is written in Python.

Finally, the day ended with a very long presentation by Xeno Kovah about "Extreme privilege escalation on Windows 8 / UEFI systems". For sure, the word "extreme" was a good choice. Xeno explained that, once a machine has been compromised, we can go further and we expect:

The talk explained in depth how the BIOS of a machine can be accessed from the operating system and also compromised. The day ended with a nice walking dinner with all the attendees and many interesting conversations with peers. I apologise for the lack of coverage of this first day; tomorrow should be more complete! Stay tuned!

Oh, by the way, this year Hack.lu implemented the same kind of wall of sheep as BruCON:

Credits to @Kaweechelchen

21 Oct 2014 10:31pm GMT

20 Oct 2014

Joram Barrez: My Five Rules for Remote Working

A couple of weeks ago, there was a stir (again) about remote working and its success and/or failure: it was reported that Reddit, the website where many people lose countless hours, was forcing all its employees to move to SF. After a similar thing happened at Yahoo last year, it made me think about why remote work is such […]

20 Oct 2014 8:33am GMT

17 Oct 2014

Philip Van Hoof: De Fabeltjeskrant

https://www.youtube.com/watch?v=lIWy8taP1rE

Because it tells you precisely how the animals are faring.

17 Oct 2014 11:29pm GMT

Xavier Mertens: BlackHat Europe 2014 Wrap-Up Day #2

Yesterday evening, I had a nice dinner with awesome infosec folks. We faced a massive "Denial of Sushi" attack but we survived! So, I'm just back from Amsterdam and here is my small wrap-up for the second BlackHat day.

My first choice was to attend a talk about IPv6. Antonios Atlasis, Enno Rey and Rafael Schaefer presented "Evasion of high-end IDPS devices in the IPv6 era". They are regular speakers at BlackHat and always present interesting research. Belgium is seeing a massive trend in IPv6 usage since the major telcos enabled this protocol for more and more of their residential users. Please don't think "But I don't use it in my environment!". IPv6 is at your door!

IPv6 VS. IDPS

They started the research by building a lab to play with IPv6 and IDPS and, guess what, they found interesting stuff. They gave an introduction to IPv6 extension headers. An IPv6 datagram looks like a train… A train is composed of wagons. IPv6 packets can have multiple extension headers. They are not very used today but each IPv6 stack has to support them. Examples of extensions:

There is a recommended order. All should occur at most once. So, how should a device react if this is not the case? Interesting: RFC 7045 says that it SHOULD NOT discard packets containing unrecognised extension headers. What are the common problems that IDS are facing?

  1. Too many things are variable: types, sizes, order and number of occurrences of each one. Also the fields are variable. We can define IPv6 as a function with many parameters: f(v,w,x,y,z).
  2. Fragmentation! Both the fragmentable and the unfragmentable parts may contain any IPv6 extension headers, which makes problem number one even more complicated to handle.
  3. How are extension headers chained? (via the Next Header field)

Based on these problems, you can now imagine how difficult it is for an IDPS to properly inspect IPv6 packets! What can go wrong? Chiron, an IPv6 penetration testing framework, has been used to test IPv6 extension headers. They tested four IPS: two open source and two well-known commercial solutions. Each solution was tested against 12 different evasion techniques. All of them have been reported to the vendors/developers. Some were patched quickly, for others it took longer and, guess what, others still remain open. To demonstrate this, the speakers performed several live demos:

What could be done? If you are using an IDPS…

Technical mitigations: implement RFC 7112. Configure your devices to drop IPv6 extension headers not used in your network. Sanitize packets before they reach your devices. A very interesting, well-prepared talk with demos working out of the box!
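The checks above, as an added example that is neither the speakers' Chiron framework nor any vendor's code: a small Python walker over an IPv6 extension-header chain that records what an IDPS has to cope with (chain length, duplicates, ordering, fragments) and applies the two mitigations just listed, RFC 7112 on first fragments and a per-network allow-list of extension headers. The packets it inspects are constructed inline by `build_packet`.

```python
"""Walk an IPv6 extension-header chain the way a sanitising IDPS must, then apply
the two mitigations from the talk: RFC 7112 (a first fragment must carry the whole
header chain) and a drop policy for extension headers the network does not use.
Added example; the sample packets are constructed, not captures."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
# 135, 139, 140 are Mobility, HIP and Shim6 headers.
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, 135, 139, 140}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}
# Recommended order from RFC 2460 section 4.1; Destination Options may appear twice.
RECOMMENDED_ORDER = [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS]


def ext_header_len(nh, pkt, off):
    """Length in bytes of the extension header starting at offset `off`."""
    if nh == FRAGMENT:
        return 8                        # fixed size
    if nh == AH:
        return (pkt[off + 1] + 2) * 4   # AH counts 4-octet units, minus 2
    return (pkt[off + 1] + 1) * 8       # others count 8-octet units after the first 8


def walk_chain(pkt):
    """Follow Next Header from the fixed IPv6 header; stop at the upper layer."""
    res = {"chain": [], "upper": None, "frag_offset": None, "findings": []}
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        res["findings"].append("not an IPv6 packet")
        return res
    end = min(len(pkt), 40 + struct.unpack("!H", pkt[4:6])[0])
    nh, off = pkt[6], 40
    while True:
        if nh in UPPER_LAYER:
            res["upper"] = nh
            return res
        if nh not in EXT_HEADERS:
            # RFC 7045: unrecognised types are not dropped by default; stop walking.
            res["findings"].append(f"unrecognised Next Header {nh}")
            res["upper"] = nh
            return res
        if nh == ESP:
            res["chain"].append(nh)     # everything after ESP is encrypted
            return res
        if off + 2 > end or off + ext_header_len(nh, pkt, off) > end:
            res["findings"].append(f"header chain truncated inside type {nh}")
            return res
        res["chain"].append(nh)
        if nh == FRAGMENT:
            res["frag_offset"] = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if res["frag_offset"] > 0:
                # A non-first fragment carries payload bytes, not further headers.
                res["findings"].append("non-first fragment: inspect after reassembly")
                return res
        nh, off = pkt[off], off + ext_header_len(nh, pkt, off)


def analyse(pkt, allowed=frozenset({FRAGMENT})):
    """Return ('pass' | 'drop', findings) for one packet under a local allow-list."""
    res = walk_chain(pkt)
    chain, findings, drop = res["chain"], list(res["findings"]), False
    if HOP_BY_HOP in chain[1:]:
        findings.append("Hop-by-Hop Options not directly after the IPv6 header")
        drop = True
    for h in set(chain):                # at most once, except Destination Options
        if chain.count(h) > (2 if h == DEST_OPTS else 1):
            findings.append(f"extension header {h} occurs {chain.count(h)} times")
            drop = True
    pos = 0                             # ordering is a SHOULD, so alert only
    for h in chain:
        if h in RECOMMENDED_ORDER:
            try:
                pos = RECOMMENDED_ORDER.index(h, pos) + 1
            except ValueError:
                findings.append(f"header {h} out of recommended order")
                break
    if res["frag_offset"] == 0 and res["upper"] is None and ESP not in chain:
        findings.append("RFC 7112: first fragment lacks the full header chain")
        drop = True
    for h in dict.fromkeys(chain):
        if h not in allowed:
            findings.append(f"policy: extension header {h} not used on this network")
            drop = True
    return ("drop" if drop else "pass"), findings


def build_packet(ext_headers, upper=6, cut_after_fragment=False):
    """Constructed sample: minimal IPv6 packet carrying the given header chain."""
    body, seq = b"", ext_headers + [upper]
    for i, h in enumerate(ext_headers):
        nxt = seq[i + 1]
        if h == FRAGMENT:
            body += bytes([nxt, 0]) + struct.pack("!HI", 0, 1)   # offset 0, M=0, id 1
            if cut_after_fragment:      # first fragment ending before the rest
                break
        elif h == AH:
            body += bytes([nxt, 2]) + b"\x00" * 14                # 16-byte AH
        else:
            body += bytes([nxt, 0]) + b"\x00" * 6                 # 8 bytes, Pad1 options
    if not cut_after_fragment:
        body += b"\x00" * 20                                      # stub upper-layer header
    fixed = struct.pack("!IHBB", 0x60000000, len(body), seq[0], 64) + b"\x00" * 32
    return fixed + body
```

`analyse(build_packet([DEST_OPTS] * 3 + [FRAGMENT]), allowed={FRAGMENT, DEST_OPTS})` reproduces the "too many occurrences" case from the talk: the chain is parsed fine, but the packet is dropped and the ordering alert is raised.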

The next talk was chosen purely by curiosity: "Gyrophone - Recognizing speech from gyroscope signals" by Yan Michalevsky, Gabi Nakibly and Dan Boneh.

Gaby & Ivan on stage

How to record speech without using the built-in microphone? All smartphones have a small device called a gyroscope. To record speech on a mobile device, the main problem for an attacker is how to access the microphone, because the access must be approved by the user. But sensors can be freely accessed by apps, like… the gyroscope! Why? Because it is not considered a security or privacy threat. The gyroscope can be accessed from browsers using a simple piece of JavaScript code. There are two major vendors on the market but they both work in the same way. Gyroscopes are very sensitive to acoustic noise. To sum up: our voice makes waves which generate vibration. They impact the gyroscope!

Impact of speech against a gyroscope

Based on this fact, gyroscopes are (lousy but still) microphones! The sample rate of the gyroscope is limited by the OS (max 200Hz). To give you an idea, male speech is around 85-180Hz and female speech around 165-244Hz. Listening at 200Hz is not efficient but algorithms can be used to perform a deeper analysis for us. That's what the speaker explained during the rest of the talk. They described the lab they put in place to record enough samples and the different techniques used to:

Depending on the samples and techniques, the results varied but they also demonstrated how the detection rate could be improved by using multiple devices sampling at the same time. Some other attacks:

What are the defences against this attack? A range of 0-20Hz should be enough for most applications to sample the gyroscope. Higher ranges should be allowed only to trusted applications (like the microphone). The idea was very good but, after the theory, I would have expected some demos.

After a first coffee break, let's continue with "Revisiting XSS sanitisation" by Ashar Javed. More precisely, the talk focused on WYSIWYG editors such as we find in thousands of websites: forums, CMS (blogs) but also more corporate applications like ticketing systems. They allow you to generate nice content by inserting pictures, bold and italic text, links etc. Froala is a very common editor used by many websites. Imagine a major vulnerability in this editor: you have a very broad attack surface! And developers of such editors are proud to claim they have thousands of customers! Another example is TinyMCE, used by WordPress (which I'm using right now to write this post). What to say about XSS? As Ashar said: "They were there, they are and they will be!"

Ashar on stage

Ashar reviewed some examples of XSS vulnerabilities he found in text editors. He received some money from bug bounty programs for this but he was also banned or had his account disabled on some sites. Ashar explained step by step, in a very didactic way, how he successfully abused so many websites which rely on third-party libraries or code. He started with an XSS based on width:expression on IE7 and switched also to other browsers. What are the common injection points in WYSIWYG editors:

Ashar reviewed all of them, always with good examples. He also provided some nice slides which explain how to quickly find XSS using common browsers. The presentation ended with a question: "Why are all WYSIWYG editors vulnerable?". According to Ashar, the answer is based on two components: transfer of responsibility and laziness. Developers think that it's up to the site owner to take care of data received from the client, and webmasters rely on 3rd-party code that should block all such kinds of attacks. Finally, some tips were given to efficiently block XSS attacks. To prove this, Ashar started a project and asked people to break into his application. As of today, 82K (!) attacks were executed against the webpage and none succeeded. A last message to developers: if XSS attacks are hard to block, don't forget to use httpOnly cookies to prevent them from being stolen!

The last half-day started with Erik Peterson who presented "Bringing a machete to the Amazon".

Erik on stage

Forget all the *AAS abbreviations! From a single perspective: "A cloud like AWS is an operating system". It has memory, disk and allows you to run applications. Cloud infrastructure is code. Traditional applications are a small part of the whole system (Java, .Net, etc) and the majority of the system is provided by AWS. And like any application, after a few months, it can become a mess if not properly managed. Forklifting is also dangerous. Forklifting is the process of taking legacy data centre applications and loading them into the cloud. This can be expensive and dangerous:

Emergent security: an individual component can be secure but, once placed in the cloud, the system becomes insecure. Example: Internet weather - some datacenters can be subject to unpredictable, non-persistent network latency issues. This is very similar to the DevOps concept. "In the cloud, the king of the jungle is the API". API keys are the key to your security. Impact?

The API can bypass classic security controls: you have an IPS, a FW? The API can snapshot your VM, mount the snapshot on another VM and extract info. How to get access to the API? Via GitHub of course! Search for "SECRET_ACCESS_KEY". What about an API honeypot? Your keys will be stolen in less than 60 mins! :) What about cloud metadata? It contains useful info like the startup script and AWS access credentials. Not only AWS but all cloud providers have it (except Azure ;-). There is nothing wrong with metadata … as long as you are aware of it and protect it. Old vulnerabilities, new life thanks to the AWS cloud. Ex: CVE-77 (command injection). Control access to the API and restrict access based on IP, but it does not solve the problem! Your bill is not an IDS: "Wow, I got a big bill, something wrong must be happening" ;-) Implement API logging, by default it's off! Turn on CloudTrail and use Logstash (as an example). DevOps culture tends to "fail open". Developers are new to the cloud. Their goal is "just to make it work". Leaking tags! Tags are very nice to keep information (ex: owner of the machine, contacts, …) but please don't put your password or API key inside tags! Back to the title of the presentation: Machete is a tool to:

Other tools that could be interesting:

Very nice presentation but the introduction to the AWS cloud and the associated risks was a bit long (IMHO). I'd have expected some nice demos of Erik's tool.
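Two of the leak paths Erik described, credentials in checked-in files or startup scripts (the "SECRET_ACCESS_KEY" string people search GitHub for) and secrets stored in tags, as an added detection example that is not Erik Peterson's Machete: it scans free text and an EC2 describe-tags style list for credential-shaped values. The key shapes (AKIA/ASIA prefixed IDs, 40-character secrets) are the public AWS format; the sample key pair is the example pair from AWS documentation, not a live credential.

```python
"""Detect AWS credentials where the talk says they leak: in files and startup
scripts (the "SECRET_ACCESS_KEY" people search GitHub for) and in resource tags.
Added example, not Erik Peterson's Machete. Key shapes follow the public AWS
format; the sample values are AWS's documentation examples, not live keys."""
import re

# Long-term access key IDs start with AKIA (temporary ones with ASIA), 16 chars follow.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character secret sitting right after a tell-tale variable or tag name.
SECRET_RE = re.compile(
    r"(?i)(?:aws[_-]?)?secret(?:[_-]?access)?[_-]?key\W{0,5}"
    r"(?P<secret>[A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SENSITIVE_TAG_KEYS = ("password", "passwd", "secret", "token", "api_key", "apikey")


def find_credentials(text):
    """Return (kind, value) pairs for credential-shaped strings in free text."""
    hits = [("access_key_id", m.group(0)) for m in ACCESS_KEY_RE.finditer(text)]
    hits += [("secret_access_key", m.group("secret")) for m in SECRET_RE.finditer(text)]
    return hits


def audit_tags(tags):
    """tags: list of {'ResourceId', 'Key', 'Value'} dicts, the shape describe-tags returns.
    Flags sensitive tag names and credential-shaped tag values."""
    findings = []
    for tag in tags:
        if any(word in tag["Key"].lower() for word in SENSITIVE_TAG_KEYS):
            findings.append((tag["ResourceId"], tag["Key"], "sensitive tag name"))
        for kind, _ in find_credentials(f"{tag['Key']} {tag['Value']}"):
            findings.append((tag["ResourceId"], tag["Key"], kind))
    return findings


# Constructed samples. The key pair is the example pair from AWS documentation.
SAMPLE_USER_DATA = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 sync s3://example-bucket /data
"""
SAMPLE_TAGS = [
    {"ResourceId": "i-0000example", "Key": "Owner", "Value": "ops-team"},
    {"ResourceId": "i-0000example", "Key": "db_password", "Value": "hunter2"},
    {"ResourceId": "i-1111example", "Key": "aws_secret_key",
     "Value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
]

if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_USER_DATA) + audit_tags(SAMPLE_TAGS):
        print(hit)
```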

The next presentation was dedicated to the new OS X version, version 10.10, called "Yosemite". Good synchronisation, it was just released yesterday. This version was already available to developers (and security researchers). It was reviewed, from a security point of view, by Ming-chieh Pan and Sung-ting Tsai.

Sung-ting & Ming-chieh on stage

They analysed the changes implemented by Apple in the new version of its operating system and made some findings. They started with a review of the rubilyn rootkit publicly released 2 years ago. Then they reviewed how to install (offensive) and detect (defensive) a rootkit on the new version of OS X. A good idea was to present all the examples (system calls) with their Windows equivalents (most people have more knowledge of the Microsoft environment). The talk was very technical and above my knowledge, very difficult to follow but, according to a friend, it was good. Finally, they presented their tool called SSV-X ("System Virginity Verifier"), especially adapted to OS X.

And the second day finished for me with "Reflected file download - A new web attack vector" by Oren Hafif. After a funny introduction about himself, Oren explained in detail what RFD is and what is behind this attack. The presentation focused on the objectives of RFD and on understanding how it works. Both defenders and attackers are impacted: how to detect and report, but also how to prevent. calc.exe:

calc.exe, the security researcher's best friend

The attack is quite straightforward: a user clicks on a valid link, a malicious file gets downloaded from google.com, and the file executes immediately once clicked. The key in this attack is: how do we trust downloads and how do we trust websites? As an example, we trust online banking websites because they have a lot of locks on the page, they use HTTPS, the URL bar is green, etc… Four out of five people will trust a download based on the domain! Based on the Google autocomplete feature, Oren explained step by step how this attack works, starting from a simple 'rfd' search string up to 's;.setup.bat/?q=rfd"||calc||'. This attack also abuses a silly browser behaviour which allows files containing "install", "setup" or "update" in the filename! An advanced attack could use PowerShell to download the rest of the payload. It will ask for admin rights, but using the standard dialog box that people trust, of course! Finally, Oren reviewed some ways to fix this issue:

In the meantime, Google fixed the issue but, according to Oren, there are tons of vulnerable websites online! Very nice presentation which, I'm sure, gave a lot of ideas to the pentesters present in the room!

Next to the classic briefings, there was also an Arsenal session organized by Netpeas and Toolswatch with very interesting tools. Don't hesitate to have a look at them:

That's it for this edition of BlackHat! I only attended 25% of the scheduled talks and, in my selection, some were excellent, others less so, but a broad scope was covered. Two remarks about the organization: change your WiFi and catering providers ;-)

Game over!

17 Oct 2014 8:27pm GMT

16 Oct 2014

Paul Cobbaut: space

It takes a small effort to keep up to date on space news. Here's a summary of some current space flights that I like.


New Horizons
In 2015 we will see Pluto (a dwarf planet) for the very first time. This is the best picture we have of Pluto today:


New Horizons should improve this picture gradually from February to August 2015, yeah!

Dawn
Remember Ceres, the dwarf planet between Mars and Jupiter. Only 900km across, yet it could have more fresh water than planet Earth, and it holds about a third of the mass of the Asteroid belt. Dawn will give us a first look at Ceres in February 2015, yeah!


China to the Moon
Many people laugh at the Chinese space program, they shouldn't! They launched Chang'e 3 to the Moon in December 2013, and released a rover that is still operational today. Never mind that it stopped driving in January 2014, having a bunch of instruments operate for more than 10 months at -150 and +100 degrees Celsius is *amazing*.
Chang'e 4 will launch 23 October 2014 to fly to the Moon and back, testing return to Earth. Chang'e 5 will collect some rocks from the Moon in 2015 and fly them back to Earth. How long will it take before they send people?
My guess is they won't just plant a flag, they will go to the Moon to do real long term science.


Elon Musk
Elon Musk is a man with a clear vision. He wants to put a million people on Mars as soon as possible. He is currently in charge of SpaceX (and also CEO of Tesla). They already had four or five flights to the International Space Station with their own rockets and their own spacecraft. My best guess is that they will have an unmanned Mars landing in about six years, and manned around 2025-ish.


There is more:
-Rosetta (circling a comet!) with Philae
-Juno
-the Chinese space station (construction from 2018 till 2022-ish)
-the American rovers on Mars
-lots of satellites around Mars
-and the Voyager probes are still alive

16 Oct 2014 6:37pm GMT

Xavier Mertens: BlackHat Europe 2014 Wrap-Up Day #1

BlackHat is back in Amsterdam and here is my wrap-up for the first day. It rained all my way to Amsterdam this morning but that did not prevent motivated people from joining the Amsterdam RAI, where this 2014 edition of BlackHat Europe is organised! They moved from the centre of the city to a bigger conference centre. Nice place, but far away from bars and restaurants. After the classic registration process and a nice breakfast, let's go with today's talks. As usual, Jeff Moss opened the conference with some facts about the event. Interesting: this year 50% of the audience is coming for the first time! Fresh blood is always good. People came from 68 different countries (eg Brazil, Surinam, Ukraine,..). Jeff's message was also: feel free to ask questions, participate and learn… The community is very important.

The day started with Adi Shamir's keynote and some crypto. Ouch, crypto is a hard way to start a day but, after some theory, funny stuff was explained. Adi is currently the Borman Professor of Applied Mathematics at the Weizmann Institute of Science and his main area of research is cryptography. He is a co-inventor of the RSA algorithm. To sum up, he's the "S" of RSA!

Adi on stage

Today, writing papers about mathematical cryptanalysis is getting easier because we have many more targets to attack and more tools. But the definition of success also changed: it's not only finding the secret key but distinguishing the output of a system from garbage. On the other side, it's also getting harder to get a practical impact: mathematical attacks had forced practitioners to dump ciphers. For years, we faced examples of attacks against crypto: DES, WEP, MD5/SHA1, etc… Then Adi came back to one of the simplest side-channel attacks: power analysis. The goal is to check the fluctuations of power consumed by a device when it performs crypto operations. Can we use this technique to break the RSA scheme? Can we compare the curves recorded while doing mathematical operations? A paper was published at Crypto 2014: RSA key extraction by listening to a computer. The question which then comes is how effective TEMPEST protections are. Adi started to work on a new research topic: long-range bi-directional communication with an air-gapped computer system containing only untampered hardware. I played with this for the last few weeks. Imagine a nice building (a pentagon) with many secrets. B. Schneier suggested using an air-gap to protect from the NSA. Really? First, the hardware solution is to install a mini-transmitter in the device. This requires just one-time access to the device. Simple but very intrusive! And what about a software solution? In this case, again we need one-time access to the machine to plant malware (via a USB stick, a phishing campaign, …). But once done, how to "talk" to the planted malware? That's the "holy grail" of cyber-attacks: how to communicate with a device in an inaccessible location, let's say 1200m away from the target. Challenge accepted by Adi! Using a simple scanner/printer and one flashlight, Adi explained how we can send data to the printer by flashing the light in specific sequences.
The next step was to test the same from far away with a laser. Adi wrote an application to program the laser to send messages. A possible attack scenario is the following: the malware initiates a scan at a certain time, gets the scanned image and interprets it. But this can be very suspicious. Otherwise, let the victim scan a real document and use the lines from the edges! But what about exfiltration of data? How to use the printer in the reverse direction? The attacker can pick up the scanning light emanating at night from the dark room. This is very slow. To improve the view of the printer, Adi used a drone to record the light from a higher position. In conclusion, they called the new technique "SCANGATE". Take care of your all-in-one printers and, as countermeasures, use black curtains or put the devices away from any external light. This was a very nice keynote; in practice the scenario is very difficult to implement in real life, but it makes you realize that attackers can have plenty of ideas!

BlackHat being a four-track conference, it is mandatory to make choices amongst the huge amount of interesting talks. The first one for me was a talk about Network Attached Storage (NAS) systems: "N.A.S.TY Systems that store network accessible shells" presented by Jacob Holcomb. A scary fact to start: 100% of systems tested were vulnerable… And recently, QNAP was found to be vulnerable to Shellshock. Jacob's proof-of-concept was to develop self-replicating code across devices. Many people / companies use NAS, so the attack surface is very big. Some key players: QNAP, Seagate, Netgear, D-Link, Buffalo. Classic configuration services are telnet, ssh, http but they also have an unnecessary service: a link to the "cloud". 50% can be compromised without authentication and 22 CVE numbers were assigned by MITRE. Far worse than routers!

Jacob on stage

The testing methodology used by Jacob was classic: scanning, banner grabbing, investigating running services, analysing web applications, static code analysis and fuzzing. Different types of vulnerabilities were discovered: command injection, XSS, buffer overflow, lack of access control, info disclosure, backdoor, broken session management. Jacob gave some tips (countermeasures) for developers, like using the available API instead of calling system(). If you don't have an alternative, just allow expected commands, nothing else!

What about mass exploitation? Jacob performed a demo of his N.A.S.Ty worm… He focused on 3 targets: D-LINK DNS345 - TRENDnet TN-200 / TN-2011T1 and WD MyCloud EX4, but others may be vulnerable too! How does it work?

  1. Scan for tcp/80
  2. Fingerprint
  3. Exploit
  4. Download & run the code
  5. Rinse and repeat

Jacob did a live demo of his worm against NAS located in the room. Once the worm has infected a NAS, it kills itself and starts scanning for other victims from the newly infected NAS. Note that it does not check if the NAS is already infected. This means that more worms can run simultaneously and cause some kind of DoS (slow response, bandwidth usage). A special mention to the project "hack routers and get paid" (see sohopelesslybroken.com). What about the remediation? For the vendors: transparent patch management, add security checks, apply security principles (like least privilege). For consumers: harden your devices! The worm part was interesting but we already knew that devices like NAS's have a very weak security maturity!

After a first coffee break, I was torn between SmartMeters and the "Internet of Things" stuff. As I already attended presentations about SmartMeters in the past, I decided to follow Candid Wueest's talk, called "Quantified self - A path to self-enlightenment or just a security nightmare". Candid started with a definition of "quantified self". Is it a new buzzword? The goal of those technologies is to record everything about your life (sleep cycles, calories, steps, heart beats etc.).

Candid on stage

Candid put some focus on fitness devices like the Fitbit wristband. This device records information via sensors and shares it with a computer (or mobile device). Data are also sent to the cloud to perform interesting statistics and share the data with the user's friends. Basically, if we introduce more data moves (device, laptop/phone and finally cloud), we also increase the risks. The first issue reported by Candid was the unintentional data leak, or the secret life of mobile applications. Amongst the different apps that were tested, they contacted on average 5 different domains and the winner contacted 14! Connections are used to exchange data with advertisement networks, the application provider, the OS provider, some social media, etc. Always verify the default settings of your application. A bad example is Fitbit, which once made "sexual activity" visible to all by default! Then, passive information can also be leaked. If an advertisement is displayed after the completion of an exercise, the traffic to the advertisement network can be used to detect when the user is doing some exercise. Health kits may contain PII ("Personally Identifiable Information") but 52% of the tested apps do not have a privacy policy. Your data are already analysed today. Candid gave the example of the earthquake in San Francisco, where who was asleep at the time was analysed. Worse, 20% of tested apps send HTTP POST requests in clear text. And, if they use SSL, they accept self-signed certificates and don't check revocation lists. Some cloud applications are also very bad. Some allow user enumeration ("GET /api/user/xxx"), others implement an open relay via sendmail.php. The next part of the talk was dedicated to devices using Bluetooth Low Energy. It's possible to scan for interesting devices and learn some information. As a proof-of-concept, Candid developed a "Blueberry Pi" based on a Raspberry Pi, a USB4 dongle and a portable battery.
When scanning sport events, you can collect plenty of data. He also scanned the BlackHat attendees but detected only 8 devices. The conclusion of this research? Your digital footprint will be (is already?) everywhere. Take care when using health devices: when not in use, turn off Bluetooth or the device itself, keep them updated (which is also a challenge). Look for a vendor with a security policy. This was a nice talk with a different approach to the Internet of Things.

After lunch, Dan Koretsky talked about VDI ("Virtual Desktop Infrastructure") with a presentation called "A practical attack against VDI solutions", with more focus on mobile VDI solutions. What is VDI? The technology allows the user to have a remote desktop on any device, with three big advantages:

What are the threats with mobile VDI solutions? The first threat is directly related to "mRAT" or "Mobile Remote Access Trojan", which records keys (key-logger). With the help of Check Point, a lot of traffic was analysed and some interesting stats grabbed:

Compromised mobile devices stats

The second threat is to grab credentials locally on Android. The third one is screen scraping. This can be done using access to the clipboard (CTRL-A then CTRL-C) or screen recording. Finally, the fourth threat is performing a MitM attack. Nothing fancy in this presentation, nothing new: we already know that a solution like VDI is good as long as the end-point is not compromised. Finally, the last five minutes were more marketing, with details about the solution developed by Dan's company.

In a short presentation, Sergej Schumilo and Ralf Spennenberg presented their research called "Don't trust your USB", or how to find bugs in USB device drivers. Do you remember Teensy? This small USB device was able to compromise a machine by simulating a keyboard and sending keystrokes to the victim. But what's the new motivation? To compromise a system via the USB bus. This research was done using massive numbers of virtual machines with systematic and comprehensive fuzzing. The talk explained how to perform this task at a very high performance rate.

My next choice was "How I hacked your ATM with friend's Raspberry Pi" presented by Alexey Osipov and Olga Kochtova. The topic looked interesting, with a new way to use a Raspberry Pi computer. The presentation started with a small history of ATMs. Did you know that the first ATM was installed in 1967 by Barclays Bank? If at the beginning it was not seen as a revolution, today we could not live without an ATM close to us to get some cash! That's also why ATMs are nice targets: they contain money.

Alexey & Olga on stage

Then the speakers explained their motivations behind this research. Banks are curious! Usually, the attack scenario starts with malware injected into the ATM thanks to physical access. It is injected using a USB stick or a CDROM. The most well-known attack is the one performed by Barnaby Jack, "ATM Jackpotting". There are also physical attacks (skimmers and PIN readers). But, how hard is it to get inside an ATM? The ATM has two major zones: a "service" zone where maintenance can be performed and where the computer is installed, and the "safe" zone where the money is stored. Usually, the service zone is protected by a plastic cover with a single lock. The safe zone is made of steel and concrete with rotary code or electronic locks and two types of locks. The next part of the talk was a description of the attack using a Raspberry Pi connected to the computer and remotely accessible. Once inside the ATM, a Raspberry Pi can be installed and connected to the USB bus (+ battery + wifi). They briefly explained how the attack was performed, but without many details. The presentation made during the OWASP Belgium chapter meeting in May was much more complete! Conclusion of this talk: the service zone is important and must be properly secured; current methods of protection are not enough. Here again, nothing brand new…

If I was a bit disappointed by the presentation that I followed in the afternoon, the last one of the day was the best one (IMHO). The last talk was "Firmware.RE - Firmware unpacking, analysis and vulnerability discovery as a service" by Jonas Zaddach.

Jonas on stage

The idea of this research started with another fact: embedded systems are everywhere! They can do a lot of things but it's even more fun to make them talk to each other, and even more to the Internet! (IoT). The classic types of embedded systems are routers, printers or VoIP systems. Jonas reviewed some nightmare stories (backdoors in routers and abusing PostScript on printers). And many many other devices… The problem is that analysing all those devices requires a lot of time. This can't be performed manually. The idea of the research was to make a large-scale analysis to see if embedded systems suffer from the same vulnerabilities. But the problems with large-scale analysis are:

How to automate this?

The big advantage is that the analysis is non-intrusive, it can be performed online and it is very scalable, but many challenges remain! The first challenge is how to get the firmware. There are multiple sources and ways to get it. There was no large-scale firmware dataset available. They downloaded a lot of firmware images but some of them were not available. The second challenge was firmware identification: how to detect firmware across thousands of files? How to reliably unpack it and learn formats? Example: upgrading a printer via a PS file, how to detect it as a firmware? The architecture they developed is based on a crawler which downloads and stores firmware in a DB. The firmware is sent to the cloud application for analysis (unpack, static analysis, fuzzy hashing). A password hash cracker is also available to crack found passwords. Everything is managed by a web interface. As of today, the crawler has already collected 759K files (1.8TB). From those files, 1.7M files were extracted! What were the common issues found:

The analysis system will be available to everybody, so do not hesitate to submit your firmware. The tool is available at the following address: www.firmware.re (it will be publicly available soon after the conference). The first day was closed by a reception in the business corner where people did some networking. See you tomorrow for the second day!

16 Oct 2014 5:43pm GMT

Dries Buytaert: Acquia a leader in Gartner Magic Quadrant for Web Content Management

Topic: Drupal, Acquia

You might have read that Acquia was named a leader in the Gartner Magic Quadrant for Web Content Management.

It's easy to underestimate the importance of this recognition for Acquia, and by extension for Drupal. If you want to find a good coffee place, you use Yelp. If you want to find a nice hotel in New York, you use TripAdvisor. Similarly, if a CIO wants to spend $250,000 or more on enterprise software, they consult an analyst firm like Gartner. So think of Gartner as "Yelp for the enterprise".

Many companies create their technology shortlist based on the leader quadrant. That means that Drupal has not been considered as an option for hundreds of evaluations for large projects that have taken place in the past couple of years. Being named a leader alongside companies like Adobe, HP, IBM, Oracle, and Sitecore will encourage more organizations to evaluate Drupal. More organizations evaluating Drupal should benefit the Drupal ecosystem and the development of Drupal.

16 Oct 2014 12:23pm GMT