July 12, 2010

Hack In The Box first time in Europe

Tamas Rudnai

I have just come back from Amsterdam where I was a speaker at the Hack In The Box conference. HITB held its annual conference here in Europe for the first time. The event was hosted in the beautiful 'Venice of the North', Amsterdam (Netherlands), the home of canals, windmills, tulips, and probably the best cheese in the world. One of the most beautiful hotels in the heart of Amsterdam, the Krasnapolsky, offered a welcoming environment for this occasion. 


My subject was FireShark, which is an open source tool written by Stephan Chenette, our Principal Security Researcher at Websense. Stephan originally created an ultimate de-obfuscation tool by hooking Internet Explorer's DLLs and dumping eval and document.write calls. This tool was presented at Toorcon last year and the code was released. Later on he moved to a Firefox plugin where he could use proper APIs provided by Firefox, as opposed to hooking function calls in DLLs. He also added new ideas to the project which gave the tool new functionalities. Currently FireShark covers two main problems: ultimate de-obfuscation, and creating a graphical map of compromised Web sites. Both of these features are based on monitoring Firefox's internals to discover redirections, iframes and newly created DOM objects. Because the Web page is loaded into a real browser instead of an emulator, it does not matter how the obfuscation works: the browser sees all the results of the JavaScript code running while visiting the page, which is then logged by FireShark. No emulation is involved, therefore this is an 'ultimate de-obfuscation'. Later on this log can be analyzed to see the real intention of the code. Also in the meantime it logs all redirections and iframes made by the page, and that data can be post-processed to generate a nice graphical map about connections made to other Web pages. For example, if there is a mass-injection campaign we could see that all the compromised Web sites are making connections to one suspicious landing site. Will we discover something new by seeing all of these? Hopefully that question will be answered soon. 
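As an added illustration of the post-processing step described above (this is example code, not FireShark's own, and the `<event> <origin_url> <target_url>` log layout it reads is an assumption for the example, not FireShark's real format), the script below turns constructed redirect/iframe log lines into a host-level connection map and flags a landing site that several unrelated compromised sites all lead to, the pattern of a mass-injection campaign:

```python
# Added example (not FireShark's code): build a host graph from browser-monitor
# log lines and find the landing site that many compromised sites funnel into.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log. The "<event> <origin_url> <target_url>" layout is an
# assumption for this example, not FireShark's real log format.
SAMPLE_LOG = """\
iframe http://news-site.example/index.html http://cdn-stats.example/c.php?id=1
redirect http://cdn-stats.example/c.php?id=1 http://landing.example/in.cgi?3
iframe http://forum.example/thread/42 http://cdn-stats.example/c.php?id=7
redirect http://cdn-stats.example/c.php?id=7 http://landing.example/in.cgi?3
iframe http://shop.example/cart http://landing.example/in.cgi?9
iframe http://blog.example/post/1 http://blog.example/widgets/ads.html
domcreate http://blog.example/post/1 script
"""

def build_map(text):
    """Directed host graph origin -> {targets} from redirect/iframe lines."""
    graph = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or "://" not in parts[2]:
            continue  # domcreate and malformed lines carry no cross-site edge
        src, dst = urlsplit(parts[1]).hostname, urlsplit(parts[2]).hostname
        if src != dst:  # same-host iframes are not part of the map
            graph[src].add(dst)
    return graph

def reach(graph, start):
    """Every host reachable from start through redirect/iframe chains."""
    seen, stack = set(), [start]
    while stack:
        for nxt in graph.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(start)
    return seen

def shared_landing_sites(graph, min_sources=3):
    """Hosts that at least min_sources distinct root (compromised) sites lead to."""
    targets = {t for ts in graph.values() for t in ts}
    roots = [h for h in graph if h not in targets]  # pages nobody redirected us to
    sources = defaultdict(set)
    for root in roots:
        for host in reach(graph, root):
            sources[host].add(root)
    return {h: sorted(s) for h, s in sources.items() if len(s) >= min_sources}
```

Lowering `min_sources` also surfaces the intermediate traffic-distribution host shared by only two victims, which is useful when a campaign is still small.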

This year at the HITB conference, we had the option to hear many very interesting talks from various security experts from all over the world, including deep analysis of shellcode, hardware hacking, and traveling to the Russian cyber underground. 

I attended the following talks: 

  • Keynote 1: Security Chasm - Dr Anton Chuvakin
    Anton is a well-known security expert and the author of many books about this subject. In his talk he emphasized the importance of focusing on real security issues rather than conceptual theories. He wondered why people are more afraid of getting a fine for not wearing a seatbelt than of the risk to their life. He also gave a nice overview of the history of information security and a prediction of how it will change in the following 5 or 10 years.
  • Breaking Virtualization by Switching to Virtual 8086 Mode - Jonathan Brossard
    Jonathan gave a nice talk about the security issues of virtual machines, especially code escaping from virtualized servers. Server virtualization is very important nowadays, mostly used in Web hosting environments. As he pointed out, an attacker might take over the host computer by breaking out of the virtualized hardware using an almost forgotten CPU mode, the virtual 8086 mode.
  • From Russia With Love 2.0 - Fyodor Yarochkin
    Fyodor is an independent network security researcher who digs deep down into the world of the Russian cyber underground, revealing many of their secrets and myths. He explained how they are organized and why they do what they do - unsurprisingly it is all about the money. Fyodor also pointed out that many people do not even realize they are involved in cyber crime. They get a temporary job offer over the Internet and once they finish their assignment they receive the money online. It sounds like a legitimate business; however, in the end the work is related to illegal activity.
  • Keynote 2: Ten Crazy Ideas That Might Actually Change the State of Information Security - Mark Curphey
    Mark is the director of the MSDN Subscription Engineering team at Microsoft. He had some very interesting ideas about the fundamental issues of information security, and laid down 10 ideas that could change the security industry. He compared this work to how the WHO stopped one of the deadliest diseases in the history of humankind, smallpox. Mark also highlighted that maybe security experts should work in the same way as a Chinese doctor: paid only if healthy, not when sick.
  • Maltego 3: Start Your Engines - Roelof Temmingh
    Roelof is the founder of Paterva Ltd, the creator of Maltego. Maltego is an open source intelligence and forensics application. It can be used to link pieces of information and their sources together, revealing many interesting details about a subject or even about people. Fyodor was actually using Maltego for his findings about the Russian cyber underground. Roelof presented the capabilities of the new version 3 to the audience.
  • Abusing Microsoft's PostMark Validation Protocol - Dumitru Codreanu
    Dumitru is a Senior Researcher at BitDefender. He did research on a GPU- and FPGA-assisted application that can break Microsoft's PostMark Validation Protocol. This protocol helps with fighting against spam, and it was claimed that to break this system, the spammer needs to invest hundreds of thousands of dollars in hardware. Dumitru showed the weakness of the protocol and that using a GPU (a graphics card like an nVidia GeForce) or an FPGA card inserted into an ordinary PC could lead to signing 3-8 million mails per day with PostMark Validation, with an investment of only around a few hundred dollars.
  • Subverting Windows 7 x64 Kernel with DMA Attacks - Christophe Devine & Damien Aumaitre
    Christophe and Damien are Security Researchers at Sogeti/ESEC and they gave a very interesting showcase of how vulnerable our computing systems are to hardware-based attacks. They inserted a PCMCIA card into a laptop running Windows 7 for a couple of seconds, after which it accepted any random string entered at the Windows Logon screen as a valid password. They pointed out that hardware that can use DMA (such as FireWire / IEEE1394, PCMCIA, ExpressCard and PCI cards) bypasses any security protocol in the operating system, leaving our computers open to attacks.
  • Top 10 Web 2.0 Attacks and Exploits - Shreeraj Shah
    Shreeraj is the founder of Blueinfy and the author of many books on Web 2.0 security. In his talk we got an overview of the top 10 Web 2.0 attacks, exploits, and hacking techniques. He also explained new tools and methodologies to prevent attacks like these.
  • The Traveling Hackersmith 2009-2010 - Saumil Shah
    Saumil is the founder of Net-Square and the author of many books and tools. He was talking off the record this time about discovering security issues in online flight bookings and hotel room reservations during many of his travels. As it was off the record it would not be ethical to write down his subject in detail. He emphasized that he does not want to prove a point; however, overall my conclusion was that he was worried about Web shops in general and how highly insecure they are, simply because either the developer does not know much about information security or because they just do not think a cyber criminal would target their site at any time.


The conference material can be downloaded from the HITB Web site.

