I’ve been having a lot of trouble lately, feeling like I’m not doing the things I need to do to move towards my personal goals or ensure that I continue to do interesting work. As one of several things I’m trying to do, I’m trying to catalog things that have inspired me recently, or whose work I aspire to imitate. This is a no-particular-order list of classes, presentations, videos, papers, and other that remind me why I love working in Information Security, in hopes that it will help me find my mojo and enthusiasm for what I do again.

• Reverse engineering hardware for software reversers: studying an encrypted external HDD
• jtagsploitation
• RPISEC Modern Binary Exploitation
• RPISEC Malware Analysis
• Planning Effective Red Team Exercises
• Tales of a Bug Bounty Hunter
• IOActive Labs Research: Got 15 minutes to kill? Why not root your Christmas gift?
• CVE-2016-1562: Unauthenticated “filter” parameter leads to customer information leak in the DTE Energy Insight app – jeffq, published
• jhaddix/tbhm: The Bug Hunters Methodology
• An Introduction to radare2 – sushant94
• XSS via PNG Content Types
• Encoding Web Shells in PNG IDAT chunks
• Uber Bug Bounty: Turning Self-XSS into Good-XSS – fin1te

There’s a lot of debate going on right now about banning encryption. Now, some people might refer to this as a backdoor or “providing government access” or whatever term they’d like to use to discuss it, but as a security professional, I see only one thing as encryption: the kind that’s completely unbreakable, even by the FBI or the NSA or the Chinese government or anyone else. Anything else is simply not encryption, as it does not guarantee your confidentiality. So, I’m going to talk about banning encryption as equivalent to providing a government backdoor or any of the other clever ways it’s being spun.

First, I want to talk about why banning encryption will fail. Encryption software is a Pandora’s Box, and it’s already open. Attempting to ban all encryption would work about as well as banning nuclear weapons, banning guns, or banning drugs. The war on drugs alone is enough evidence that government bans do not have meaningful impact, and that the people who are affected the most are the innocent bystanders. Strong cryptosystems already exist, and attempting to ban them will result in insecurity for the masses, but criminals will continue to use the existing systems, resulting in no improvement in the ability to fight crime.

Further, so long as any government supports liberty and freedom, there will be other places to get their strong crypto. Even if companies in the United States and the United Kingdom are prohibited from distributing strong cryptography, there are nearly 200 other countries in the world where such software might come from. So, we can assume that criminals will continue to have access to these tools, while the legitimate users are deprived of their use.

So, if the US demands a back door in a previously-secure system, and the author complies, then China comes along and demands a back door, we end up with a swiss cheese of backdoors waiting to fall over. We know that governments can’t secure their own data, so what makes us think they’ll be able to secure their keys for these systems?

America’s constitution is based on foundations of freedom and liberty, and it seems we’ve been scared by our own politicans into giving up these freedoms. Anonymity and privacy are critical to democracy – they allow minorities to express their viewpoint without fear of retribution, they allow groups to organize, and they allow whistleblowers to do so safely. Cases like the breach of the Democrat donor database show how strong encryption could have protected privacy in the political process.

According to Human Rights Watch, “Strong encryption and anonymity are critical for protecting human rights defenders, journalists, and ordinary users in the digital age,” and the United Nations Commission on Human Rights states:

Encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age. Such security may be essential for the exercise of other rights, including economic rights, privacy, due process, freedom of peaceful assembly and association, and the right to life and bodily integrity. Because of their importance to the rights to freedom of opinion and expression, restrictions on encryption and anonymity must be strictly limited according to principles of legality, necessity, proportionality and legitimacy in objective.

We’ve hit upon a critical era for society, and it’s important we don’t lose sight of the freedoms and liberties that have built what we have and have made America great. It’s because I believe in personal liberties that I support the EFF and the ACLU, and consider privacy my single most important issue in the 2016 election cycle.

Just a quick note to go with something I dropped on Github recently: pwnpattern is a python library and stand-alone script that replicates most of the functionality of Metasploit Framework’s pattern_create.rb and pattern_offset.rb. The patterns created are identical to those from Metasploit, so you can even mix and match tools.

There are several reasons I wrote this:

• You don’t need a full copy of metasploit installed for creating patterns for e.g., wargames, CTFs, etc.
• It loads much more quickly: on my machine, Metasploit’s pattern_create.rb takes 2.29s, my script takes 0.01s. This is due, of course, to dependencies (MSF’s requires the entire Rex library to be loaded) but it is kind of nice to not wait for things.
• It can be embedded in python scripts (just like Rex can be embedded in Ruby scripts).

Much like my notes from BSides Seattle, this will just be a quick dump of notes from the talks I attended today. (Almost) all talks are also being recorded by Irongeek, so this only serves to highlight what I considered key points of the talks I attended. Tomorrow, I’ll be doing my workshop (stop by and say hi) so my notes are likely to be considerably lighter.

Keynote: A Declaration of the Independence of Cyberspace

John Perry Barlow, co-founder, EFF

While not at all a technical talk, John Perry Barlow is an inspiring speaker and an amazing visionary. His appreciation of the politics involved in “cyberspace” is on point, and it really made me think.

While he first related the story of the events leading up to the founding of the EFF, including the writing of the Declaration of the Independence of Cyberspace, but to my mind, the most interesting part of his keynote was the Q&A.

• What does it mean to be patriotic in cyberspace?
  • First have to define patriotism in general.
    • JPB defines as “allegiance to a common belief system”
  • The biggest threat is dismantling the common belief system under the guise of patriotism: as in the erosion of the bill of rights, etc.
  • The government is currently fighting for cultural dominance
    • It’s a battle that’s beeen going since the mid-60s, government powers are stuck in the 50s, the cold war, etc.
    • Government doesn’t adapt to times well
    • 60s culture is slowly winning, but still not certain
• How can we create more awareness of the EFF in young professionals & CS students?
  • That’s a really tough question, and if I [JPB] had the answer, the EFF would already be doing it.
  • However, informed individuals sharing the information helps.
  • EFF will continue defending the open network end-to-end.

Scan, Pwn, Next! – exploiting service accounts in Windows networks

Andrey Dulkin, Matan Hart, CyberArk Labs

• Service Accounts have a variety of properties that make them interesting to an attacker
  • May not have password complexity/expiration
  • Often overprivileged as privileges may be granted to try to fix a problem, even if not needed
  • Account may be used on multiple machines, exposing the credentials more
• Account types
  • Out accounts: automated processes, reach out to others
  • In accounts: listening services
  • Mixing an account into both types makes lateral movement trivial (compromise service, use to move to other box)
• Service principal name (SPN)
  • Created Automatically
  • Password hash used as shared secret
• Any user can request a ticket to any SPN
  • Encrypted with unsalted RC4 by default, key is NTLM hash of SPN password
  • Can be configured to use AES-128 or AES-256
  • Hashcat can offline crack the ticket to recover plaintext password
    • 7 mixed case alphanumerics takes about 10 hours on single GPU

Breaking Honeypots for Fun and Profit

Itamar Sher, Cymmetria

• Can be used to introduce the “fog of war” aspect
• OODA loop: Observe, Orient, Detect, Act
• Honeypots also serve as a decoy
• Several general types
  • Low interaction
    • Useful mainly for malware & scanning detection
    • Can be easily fingerprinted
  • High Interaction
    • Real machine
    • Heavily instrumented
• Only thing worse than an ambush that fails is an ambush that is detected by the adversary
  • Can be used to distract incident responders
  • Can be used to send malicious/misleading data
  • Constants are easily detected (e.g., conpot)
• Artillery Honeypot
  • low interaction
  • Blocks IP
  • Spoofing leads to DoS
• Kippo
  • Medium interaction
  • Allows some simulated commands
  • Team is good at fixing issues
  • wget allowed now
    • Could be used for DDoS
    • or portscanning/host enumeration
• Dronaea
  • Low interaction
  • Goal is to gain copy of malware
• General Problems
  • Fixed values
    • Build dates
    • Sizes
    • Names
    • Serial numbers
    • etc.
  • Partially implemented services
    • missing implementations of most commands
  • Users that respond to multiple passwords

IoT on Easy Mode (Reversing Embedded Devices)

Elvis Collado

30 minute speed talk on reverse engineering & exploiting vulnerabilities in embedded devices.

• Useful things:
  • Binwalk
  • IDA
  • Radare2
• Use Qemu, build basic source in C, disassemble to understand assembly of architecture
  • Use breakpoints to understand what particular instructions do (break, before/after comparison)
• GPL to see plain source
• Beginning kit
  • FT232H adapter
  • Multimeter
  • Soldering Iron
    • Solder
    • Wick
    • Desoldering pump
  • Header pins
  • wire
• Intermediate kit
  • (Beginning +)
  • Shikra
  • JTAGulator
  • Logic Analyzer
  • USB Microscope
• Find UART
  • Use FCC ID to find high-res photos to find pinouts, etc.
  • Find Ground First
    • Multimeter with sounds help
  • TX/RX swapped
• DVRF (Damn Vulnerable Router Firmware) project
  • Inspired by DVL, DVWA
  • MIPS 32 LE
  • E1550 router based
  • https://github.com/praetorian-inc/DVRF

I probably should’ve posted this days ago, but on Monday, I’ll be teaching a Web Security workshop at BSides San Francisco along with Niru. While capacity is limited, we may have a few additional seats, so if you’re interested, drop by and see what we’ve got.

Workshop description:

Web applications can fail in a variety of ways, from Cross-Site Scripting to SQL Injection and more. Join us for a look at a variety of common web vulnerabilities, including Cross-Site Scripting, Cross-Site Request Forgery, Weak Authentication, Logic Errors, and more – and an opportunity to test your web hacking skills against a simulated online bank. We’ll be covering the vulnerabilities from the ground up, but a basic understanding of web applications (i.e., HTTP, HTML, and JavaScript) and browsers would be useful background.

Participants will need to bring a laptop. Prior experience with server-side programming and an understanding of how web apps are built is recommended.