While attending DeepSec 2007, I was making notes of the most interesting/surprising information presented. I hope they are useful; if you want more, slides from the presentations might be available on wiki.deepsec.net.
The Business Case for Removing Your Perimeter
B2B application interconnection, company mergers and divestments, and consultants working in the company’s offices made the idea of “my network” obsolete several years ago. Protecting from unauthorized network access (e.g. using firewalls) is ineffective; all applications need to be protected (by authenticating users or client applications) instead of assuming the network is secure.
New Security Model of Bluetooth 2.1
Current Bluetooth security model:
- Small devices (e.g. headsets, mice) can’t be configured with a variable PIN. Their fixed PIN can be physically observed (if printed on the device) or brute-forced—allowing e.g. eavesdropping on somebody’s phone conversation.
- Link keys never expire; once a key is extracted/guessed, it works forever.
- Replay and MITM attacks are possible.
- The link key is per-device, not per-service; it is not possible to allow a client to only access some functions of the device.
The newly proposed security model: “secure simple pairing”:
- Uses ECDH (provides eavesdropping protection); MITM protection possible with user input.
- Devices announce their UI capabilities (e.g. keyboard/display/one button/nothing), together select a suitable authentication mode.
- A debug mode, using predefined keys, is provided; one side can force the other to use debug mode (because the other might not have any UI to enable debug mode).
- No chips supporting 2.1 manufactured yet.
Economics of Information Security
- Because UK banks are less liable for fraud than US banks, UK banks were comparatively careless about security and there was more fraud in the UK.
- Software markets, with high fixed and low marginal costs, and with network effects, lead to natural monopolies. Firms therefore prefer short time-to-market to product quality, and they want to make it easy to create complements (plugins, add-on software), choosing simple-to-use APIs instead of secure APIs.
- The software market WRT security is a “market of lemons”; proposed solution is to create a market for new vulnerabilities; then a product with high price offered for new vulnerabilities is supposedly more secure. (mitr: Who is supposed to buy the vulnerabilities?)
- Third-party web site certificates are ineffective: e.g. TRUSTe places almost no requirements, and TRUSTe-certified websites are more likely to be untrustworthy than a random internet website.
- Similarly, websites reachable via paid advertising are more likely to be untrustworthy than websites reachable from search results.
- Possible remedies: make certification entities liable for damages; require publication of user’s complaints.
- Phishing has become quite advanced: the “rock phish” group uses meaningless .com domain names (registrars used not to remove domains that didn’t infringe on trademarks); the DNS domains point to compromised machines acting as proxies; wildcard-like DNS is used, which results in many unique URLs for a single phishing site. The IP pool is automatically managed, adding new zombies for each zombie taken down.
- Largest phishing targets: PayPal, eBay, Bank of America, Wachovia.
- There are companies specializing in taking down phishing sites; they seem to react faster than banks’ in-house teams.
- Median lifetime of a phishing site hosted on Yahoo! is 7 hours, much lower than its competition.
Windows Heap Protection: Bypassing Requires Understanding
(Really selling a “debugger” for reverse-engineering memory layout)
- Windows XP SP2 heap protection: checks consistency of back and forward links; metadata XORed with a random key.
- Windows Vista: each heap block contains a checksum.
Web 2.0 Application Kung-Fu – Securing Ajax & Web Services
- Same-origin policy can be defeated using <script src="remote/url">; never send passwords and similar data in JavaScript source files! An XML POST request can be generated without XmlHttpRequest, using
<form…>
<input type=hidden name="<?xml version" value='1.0"?>'>
and so on…
kNAC!
Relying on applications installed on a computer to verify its security and communicate the fact to a central system is unreliable: the SQL Slammer worm propagated using only a single UDP packet!
Breaking and Securing Web Applications
Flash allows a web site to opt-in to receiving cross-domain requests by placing a crossdomain.xml file in a directory (not necessarily a root directory of the site); this might be problematic if a site lets users upload files and give them arbitrary file names.
Naked Security: The State of the Application Security Industry
PCI DSS certification is worthless: a certification can be obtained for $150 (which can’t pay for any reasonable security audit), and a certification was awarded to an online shop with a SQL injection in the “credit card number” field.
Hijacking Virtual Machine Execution for Fun and Profit
Describes techniques for modifying behavior of Xen virtual machines, assuming control of domain 0; very similar to what common debuggers do.
Note that this makes renting virtual machines much less secure than renting physical computers.
Audit of the RFID ePassport and the concepts
- RFID passports were not designed by IT security experts: government asked banknote/passport printing companies, who subcontracted to smartcard producers.
- The standard is defined by the International Civil Aviation Organization.
- Fingerprint/iris image hash algorithms are patented; instead of mandating their international use, fingerprints/iris images are stored as JPEG or JPEG2000; anyone who can access the passport data (not only your government, but any government allowed to read your passport) can fake your fingerprints!
- Some passports have unique ID (like network card MAC); this allows anyone to track the person, and e.g. prepare personalized bombs that go off when the person is near. Nowadays this should be solved by using a random ID for each connection; nevertheless anyone who can access the passport data can identify you uniquely anyway.
- Data access control:
  - Basic access control: By data contained in the machine-readable zone (read using OCR). The data is not very hard to guess, and easy to copy (e.g. a hotel may make a copy of your passport).
  - Extended access control: requires a certificate from the issuer; no international standard. Because the passport has no clock, certificates can’t expire or be revoked. This is worked around by remembering the last date seen on a certificate—if someone creates a valid certificate with date in the future, any passports that see the certificate will ignore older certificates and become useless.
- The passports are evaluated for security, but the systems that access the data are not (and some of the responsible managers did not understand this is risky).
- Passport signature checking is possible only after parsing and decoding all payload, apparently including image decompression; JPEG2000 is complex and there is a high risk of vulnerabilities in JPEG2000 parsers.
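A minimal model of the "last date seen" workaround described under extended access control, added here as an illustration; it is not code from the talk or from the ICAO standard. The class, field names and dates are constructed, and signature verification is reduced to a boolean.

```javascript
// Added model, not the real chip logic: a passport chip with no clock that
// treats the latest date seen on a valid certificate as "today".
class PassportChip {
  constructor(issueDate) {
    this.lastSeen = issueDate; // the chip's only estimate of the current date
  }

  // cert = { validFrom, validTo, signatureValid }; dates are ISO strings
  // ("YYYY-MM-DD"), which order correctly under string comparison.
  // Signature verification is assumed to happen elsewhere.
  present(cert) {
    if (!cert.signatureValid) return "rejected: bad signature";
    if (cert.validTo < this.lastSeen) return "rejected: expired";
    // Ratchet: the estimate only ever moves forward.
    if (cert.validFrom > this.lastSeen) this.lastSeen = cert.validFrom;
    return "accepted";
  }
}

// Constructed scenario covering both failure modes from the notes.
function simulateEac() {
  const chip = new PassportChip("2007-01-01");
  const cert = (validFrom, validTo) => ({ validFrom, validTo, signatureValid: true });
  const stale = cert("2007-02-01", "2007-03-01");
  const current = cert("2007-11-01", "2007-12-01");
  const futureDated = cert("2030-01-01", "2030-02-01");

  const log = [];
  // Until a newer certificate is shown, an already expired one is still
  // accepted, whatever the real date is.
  log.push(chip.present(stale));       // accepted; lastSeen = 2007-02-01
  log.push(chip.present(current));     // accepted; lastSeen = 2007-11-01
  log.push(chip.present(stale));       // rejected: expired
  // One validly signed certificate dated in the future moves the estimate
  // past every genuine certificate in circulation.
  log.push(chip.present(futureDated)); // accepted; lastSeen = 2030-01-01
  log.push(chip.present(current));     // rejected: expired
  return { log, lastSeen: chip.lastSeen };
}
```

Because the ratchet never moves backwards, the chip in this model has no way to recover once `lastSeen` is wrong.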
Destructive Data – Designing Inputs that make Software Fail
A good overview of things to check in code that handles untrusted data. A database of common “weaknesses” is being created at cwe.mitre.org.
The Three Faces of CSRF
In addition to CSRF, describes possibilities to explore/attack the client’s network (even if it is behind NAT) from an untrusted website.
- JSON data formats: should be pure data ({…}), not executable code (new MyClass(…)), otherwise the data can be read from other sites using <script src="…">.
- XmlHttpRequest allows “syn scanning” the local network. As a starting point, Java applets are allowed to create a socket to the original server; with such a socket, the applet can discover the address of the local endpoint of the socket (includes client’s “private” IP address if behind NAT).
- A “syn scan” might encounter an HTTP server using HTTP authentication; an authentication popup could make the user suspicious—but display of the popup can be avoided by using an invalid URL that still makes the client connect to the target.
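A regression check for the JSON note above and for the earlier note about script inclusion defeating the same-origin policy, added here as an example (it is not code from either talk). It also covers the callback-wrapped form, which goes beyond the constructor case in the notes; `Account`, `handleAccount` and the sample bodies are constructed.

```javascript
// Added example, not from the talk. Evaluates a response body the way a
// foreign page's <script src="…"> would: as JavaScript statements, with
// globals chosen by that page. Run it only on your own test fixtures,
// because the body really is executed.
function leaksViaScriptTag(body, foreignGlobals = []) {
  const captured = [];
  // Stand-ins for functions the foreign page could define before loading
  // the script; each one records whatever the response passes to it.
  const spies = foreignGlobals.map((name) =>
    function spy(...args) { captured.push({ name, args }); });
  try {
    // new Function parses `body` as a statement list, like a script does.
    new Function(...foreignGlobals, body)(...spies);
  } catch (err) {
    // A SyntaxError means nothing ran at all. Other errors (for example a
    // ReferenceError) may come after data was already handed over.
    if (err instanceof SyntaxError) return { leaks: false, captured: [] };
  }
  return { leaks: captured.length > 0, captured };
}

// Server-side counterpart: accept only strict JSON whose top level is an
// object, i.e. the "pure data ({…})" form from the notes.
function isPureDataObject(body) {
  try {
    const value = JSON.parse(body);
    return value !== null && typeof value === "object" && !Array.isArray(value);
  } catch {
    return false;
  }
}

// Constructed sample responses; Account and handleAccount are hypothetical.
const SAMPLES = {
  pureData: '{"owner":"alice","balance":1200}',
  constructorCall: 'new Account({"owner":"alice","balance":1200})',
  callback: 'handleAccount({"owner":"alice","balance":1200})',
};
```

The pure-data body is safe because a script that starts with `{` is parsed as a block statement, so `"owner":` is a syntax error and nothing executes.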
Disruptive Modernization of Legacy Systems
About evolution of AS/400 and vulnerabilities exposed by additional functionality.
- AS/400 has 2 separate UNIX environments (QSH, which supports EBCDIC, Java, MQ, and PASE, which supports native AIX binaries, apache, php, ssh), and 2 different filesystems (UNIX-like root file system, and a legacy /QSYS.LIB).
- OS/400 strictly separates “programs” and “data”—but only on QSYS.LIB; Java classes are considered data!
- Originally clients used dumb terminals: there was nothing to attack on the terminals, and users could perform only actions supported by the application.
- Nowadays, many UNIX-like services are supported by the servers, and clients can run commands on the server (using e.g. quote rcmd within an FTP session); clients are regular PCs that can be attacked by the servers; a “start PC command” server command can be used to execute commands on the client, e.g. opening a shell that listens on a socket.
The RFID Guardian
The RFID Guardian is “a device for RFID privacy”; it contains a software radio, it can act as an RFID reader and an RFID emulator, and it can selectively block RFID tags; it works more or less as a regular network firewall. For UI, it supports a Bluetooth interface.
Jamming replies: the collision-avoidance protocol of RFID nodes uses predictable time slots, so the guardian generates collisions until the host gives up. In addition to the necessary collisions, a few more random jam times are added to avoid fingerprinting RFID nodes by their time slot signature.
Jamming commands: the guardian listens to the command, and decides whether to block the CRC and end-of-frame marker.