I would like to invite you to this years OWASP BeNeLux Event, I won't give a talk this year but I happily invite you as part of OWASP BeNeLux Program Committee:

Quick Facts

• Date : 29-30 Novembre 
• Location: Leuven (Belgium)
• Price : Free
• Places : Limited (First registered, First serve)
• Register here
• Conference Schedule
• Training Schedule

Agenda

The agenda is a sound mix between Application Security, Forensics,  Risk Management and represents the current security landscape at large rather well: Building security into Applications in Enterprises, Managing Application Level Vulnerabilities, Source code review on a large scale. It also has 2 innovative talks on exploit mitigation and sandboxing javascript. 

• Browser Security - John Wilander
• Sandboxing Javascript -  Lieven Desmet
• Body Armor for Binaries - Asia Slowinska 
• Forensics - Marc Hullegie and Kees Mastwijk 
• Streamlining Application Vulnerability Management: Communication Between Development and Security Teams  - Dan Cornell 
• Code review for Large Companies - Ruediger Bachmann
• Making Security Invisible by Becoming the Developer’s Best Friends - Dinis Cruz
• OWASP Top 10 vs Drupal - Erwin Geirnaert
• Panel Discussion about the legal aspects of penetration testing

Especially the talk about javascript sandboxing (JSand) has all my attention as it represent an interesting challenge that is hard to get right knowing the context within which javascript operates. It claims to be complete, requiring no Browser modifications and enforced client-side. The talk will also given at ASAC 2012 

Venue

Both the training day and the conference day take place at:

KU Leuven (University of Leuven)
iMinds-DistriNet Research Group
Celestijnenlaan 200A
B-3001 Heverlee
How to get there: http://distrinet.cs.kuleuven.be/about/route/
Hotel details: https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2012#tab=Venue

[ Updated : Added  "10 Common Mistakes of Incident Responders" at the bottom]

The following post will brake one major rule I adhere to  when blogging, a post shall have not more than 10% of content that is not authored by myself. The content of this post resonated so well with me however that I decided to make an exception.

The following is attributed to Alit-Reza Anghaie a.k.a Packetknife.com. For those of you in similar situations I can only warmly recommend to consider and follow the advice. The emphasis is mine.

[Start of Excerpt] 

Alit-Reza Anghaie

I've had a fairly long and quite unintentional career in InfoSec ranging from Academic to Entertainment to Defense. Along the way a lot of mistakes were made or observed. This post marks the first in many installments to share lack of foresight turned into a graying face ghillie.

I'm not quite sure of the right format but I'm going with a Top Twenty - so I'll keep on the biggest pain points as I see them.

Read more »

A post within the "straight to the meat" category :

There was a talk at Defcon 20 entitled "Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2", by Moxie and David Hulton - the talk announced the implementation of a tool that reduced the security of MS-CHAPv2 to the strength of a single DES encryption.

This post gives a quick rundown with references on what you need to know, enjoy - Thierry




History :
1999 - Bruce Schneier and Mudge document the vulnerability [2]
2011 - Sogeti releases POC performing the same attack against MS-CHAPv2 [4]
2012 - Defcon Talk detailing the flaw and  release of SAAS to crack the key within 23hours [3]

Read more »

I updated BTCrack Open Source Edition (BTCrack OSS) to version 1.01 by patching 2 bugs that were reported by Michael Ossmann and Carl Dunhamm.

Description

The  primary goal of BTcrack is to crack/recover the PIN and reconstruct the link-key from a previously captured Bluetooth pairing exchange. Together with Eric Sesterhen I released an open-source version of BTcrack in 2006 which since then is part of the tools included in Backtrack. You will find more information on BTCrack  and a POC video here.

Read more »

Publications

• In a blink of an eye - there goes your AES Key
  Advances in extracting keying material from Hardware (FPGA)
• Visualising Botnets
• Why allowing active ipv6 stacks on your network is a bad idea (but we don't route ipv6)
• A bad couple of years for the cryptographic token industry - must read
  Ouch, the biggest names included. TLDR; Don't use PKCS#1v1.5 padding for RSA and use authenticated encryption.
• Ron was wrong, Whit is right – Weak keys in the internet

Tools

• List of Volatility Plugins
  Leading the Open-source memory analysis field (Forensic, IR, exploit dev)
• IDA Toolbag
  Excellent new set of tools for IDA PRO
• Inception
  Upto-date Firewire Toolchain to dumping memory over the firewire interface. This allows also to unlock locked workstations as Firewire, per design, allows full access to memory over DMA.
• Cryptshark
  .NET library using  Blowfish, BCrypt, SCrypt, and PBKDF2 for any HMAC - following my blog post on how to store password securely, if your into .NET give it a look.

Flame

• Bitdefender Analysis of Flame (3rd update)
  Apart from the interesting information this post includes what appears to be a complete list of  IOCs (Indicator of compromise) for this variant of FLAME.
• The link between Stuxnet and Flame (Bitdefender)
• Kasperkys take on the link between Stuxnet and Flame
• FLAME – The Story of Leaked Data Carried by Human Vector - must read
  How FLAME used the human factor (inc. USB) to bridge the air-gap between networks.

News

• Humanity escapes the solar system

Tools / Techniques

• How to Extract Flash Objects From Malicious MS Office Documents
• Burp plugin for scanning GWT and JSON HTTP requests
• SQLite3 Injection Cheat Sheet
• Unoffical Guide to scapy
  Scapy is immensely powerfull as a seperate tool or as instrumented within your scripts. This guide is a good start.
• Andrubis: A Tool for Analyzing Unknown Android Applications

Flame / Malware

• Flame gets suicide command
• Analysis & pwnage of herpesnet botnet (Malware.lu)
  The Malware.lu crew analysed the herpes bot in depth and stumbled up on an SQL injection flaw server-side. Hilarity ensues - must read.
• Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet
  Mikko's mea culpa
• Operation Olympic Games, Project X, and the assault on the IT security industry

Microsoft's Certificate Fiasco

• Microsoft Emergency Bulletin: Unauthorized Certificate used in "Flame 
• ‘Flame’ Malware Prompts Microsoft Patch
• Microsoft certification authority signing certificates added to the Untrusted Certificate Store
• Flame: Before and After KB2718704
• Flame, certificates, collisions. Oh my. - Must read

Misc

• Samsung bug bounty
  Samsung went the bug bounty root after flaws within samsung TVs have been published. I personally welcome bug bounty, it is however clear that most of them are used as a tactic to tame and control the news on vulnerabilities.
• Historic view on Password Security
  A very good and informal run down of how passwords have been secured in the past ad today by Solar Designer. I used and referenced this presentation in the blog post "Storing password securely - hashses, salts and bit stretching put into context"
• The Four Critical Security Flaws that Resulted in Last Friday's Hack - Must read
• Inside Flash Player Protected Mode for Firefox

Introduction

Due to the latest row of high profile websites being compromised and parts of the password hashes being published here's a quick crash course on storing passwords "securely", for those that want a quick heads up. In this case I'd define securely as "Offering a suitable time window of resistance against recovery after being compromised". I will keep this post short and sweet and use links where possible for those interested in more information.

Update:  After reading this blog post read the interview of Brian Krebs with Thomas H. Ptacek on the matter. 
Update: Wrong bcrypt link fixed, update the Year bcrypt was presented.

 

Details

Putting things into perspective, below are the most common forms of storing passwords (order from worse to best) :

• Storing credentials in clear text
• Storing credentials using a hash (MD5, SHA, SHA256) 
• Storing credentials using unique salt per entry and a hash (MD5, SHA, SHA256)
• Storing credentials using bit/key stretching mechanisms or being overall time expensive (PBKDF2, bcrypt, scrypt, phpass)

Read more »

My Reads

• The Vulnerabilities Market and the Future of Security
  Bruce Schneier comments on the evolution of the Vulnerability Market and it's implications, the essay is surprisingly good supplement to the presentation I gave at OWASP on the Matter.
• SEC Guidance is a Really Big Deal
  New SEC guidance on Whistle-blowers and it's impacts on necessity of disclosing Security Breaches
• Data Breach Notifications in the EU
  ENISA review of the current situation in the implementation of data breach notifications requirement, set up by the Article 4 of the reviewed ePrivacy Directive
• The Endowment Effect in Information Security
  An attempt to explain the cognitive dissonance on the perception of Risk
• Attacking Cloud Infrastructures by Malicious VMDK Files
  A presentation by ERNW on how to attack cloud infrastructure using Virtual Hardisc integration that is under complete control of the attacker. Nice tricks allow for access to ESX host data and even mapping other ESX mapped drives. This goes to show again that any input data that can be directly or indirectly controlled by an untrusted party (even config files) need to be covered in your initial treat model as to address or accept it at a later stage.
• Over-55s pick passwords twice as secure as teenagers
• 6 Reasons why Business Managers Ignore Risk
• Hardware Hacking with Python

News Articles

• Confirmed: US and Israel created Stuxnet, lost control of it
• Obama Order Sped Up Wave of Cyberattacks Against Iran

Miscellaneous

• Good Practice Guide for Computer-Based Electronic Evidence
• A list of Free Forensic Tools

Updated Posts :

• The Post "Attacker Classes and Pyramid " has been updated to the third iteration. The post was updated in terms of coherency but I also added my OWASP BENELUX presentation entitled "The Rise of the Vulnerability Markets - History, Impacts and Mitigations". The presentation underlines the rationale behind the Attacker centric concept and the proposed Attacker Triad.

Slide Deck :
 

Notable excerpts : 
The analysis of 54 exploit kits (mapped to the Opportunitsts/Mass-market class) lead to the following results:

Results : In order to protect against all tracked exploit-kits you had to patch 19 vulnerabilities in 2009, 24 in 2010 and 4 in 2011. That should be hardly a challenge and confirms the sophistication put forward in the Attacker Triad.

 The analysis of 54 exploit kits (Source: Contagio) lead to the following results:

Following up on my blog post a few months ago entitled "PCI compliance, Security in isolated systems and Parking Tellers Part 1" - I took a brief look the other day at another Ticket issued by a Parking Teller in Luxembourg.

Updated :

• Clarified some of the explanations
• Masked Luhn number

Read more »

Ever since I started my career in information security I was both interested and intrigued by metrics applied to vulnerabilities (or metrics in general for that matter). CVSS is certainly not new and I had to make the choice whether to use it or not in the past and I always wanted to share some issues I had with it. This blog post laid dormant in DRAFT state since 8 months and I decided to publish it in parts rather than wait another year to finish it.

This blog series will explain a few elements of CVSS and in particular the points I feel are unclear, misleading, old or simply unfit for purpose.

This post assumes that you are accustomed to CVSS, if you are not, you may want to have a look at : http://www.first.org/cvss/cvss-guide.html

Read more »