Grey bar Blue bar
Share this:

Fri, 6 Sep 2013

Offence oriented defence

We recently gave a talk at the ITWeb Security Summit entitled "Offense Oriented Defence". The talk was targeted at defenders and auditors, rather then hackers (the con is oriented that way), although it's odd that I feel the need to apologise for that ;)


The talks primary point, was that by understanding how attackers attack, more innovative defences can be imagined. The corollary was that common defences, in the form of "best practise" introduce commonality that is more easily exploited, or at least degrade over time as attackers adapt. Finally, many of these "security basics" are honestly hard, and we can't place the reliance on them we'd hoped. But our approach doesn't seem to want to acknowledge the problem, and much like an AA meeting, it's time we recognise the problem.


If you had to look at the average security strategy or budget items, you often end up with a list containing a couple of these:


  • Compliance/GRC - building policies, auditing against them, responding to audits

  • Risk Management - enumerating and ranking all the info sec risks, prioritising them, and justifying spend to mitigate

  • Best Practises - strengthening passwords, pushing patches, configuration management, etc.

  • Technology - cue buzzwords - UTM, WAF, DLP, DAM, SIEM, IPS, AV

  • Staff - everyone needed to get the above stuff done: compliance specialists, risk specialist, security managers, device ops managers


But, the truth is many of these items don't actually block attacks, or the few that do, don't really counter the common bypassed used to side-step them. For example:


  • It's really hard to link risk-based priorities to meaningful technical priorities.

  • Compliance drives a "teach the test" approach with little incentive to create contradictory measurements.

  • Then how can we have a bunch of things called "best practise" when we can't honestly say we know how to defend. Even then, some BPs are practically impossible to achieve in anything but a point in time. And the main point of this talk; common practises have common bypasses.


The current place we seem to be in is akin to having everyone build a wall. Attackers get to evaluate the wall, figure out how to get over it, and add to their capability (i.e. get a longer rope). But once they have a longer rope, they can use it over and over again, and against more than one wall. So attackers, who are quite good at sharing, get to keep building their tool chain, while all defenders can do it to keep building a higher wall, and maintaining the increasingly untenable structure. By understanding how attackers attack, we can break out of this and try more innovative approaches.


The talk is illustrated with four broad examples: Passwords, Patches, Anti-Virus and DMZs. For each, the belief around specific configurations is discussed, and how those don't stand up to how attackers actually attack. For example, the way AV's believed to work doesn't seem to correspond with how easy they are to bypass, or the common configuration of standard password controls such as lockout, don't seem to take into account horizontal brute-force attacks.


The point I want to make here is somewhat subtle; if you walk away thinking I've described new attacks, then you've missed it, if you think I'm recommending "the basics" then you've missed it. Truthfully, maybe it's just that I didn't make it very well ... decide for yourself, here are the slides:

Thu, 5 Sep 2013

44CON 2013

In one week, it's 44CON time again! One of our favourite UK hacker cons. In keeping with our desire to make more hackers, we're giving several sets of training courses as well as a talk this year.


Training: Hacking by Numbers - Mobile Edition


If you're in a rush, you can book here.


We launched it at Blackhat USA, and nobody threw anything rotting, in-fact some said it went pretty well; our latest addition to the Hacking by Numbers training.


We created the course to share our experience testing mobile applications and platforms, and well, because lots of people asked us to. The course shows you how to test mobile platforms and installed applications for vulnerabilities. HBN Mobile provides a pretty complete and practical overview into the methods used when attacking mobile platforms and presents you with a methodology that can be applied across platforms (although we focus on iOS and Android). This course is mostly for existing penetration testers who are new to the mobile area looking to learn how to understand, analyse and audit applications on various mobile platforms.


For more information about the course, and to book a place, head over here.


Workshop: Malware Reverse Engineering


If we were marketing to hipsters, we'd use words like “bespoke” and “handcrafted” to describe this workshop. While it's not made out of yams, it was put together especially for 44con.


Inaki and Siavosh's workshop will cut through the black-magic often associated with reverse engineering and malware. Advanced attacks usually have some form of malware involved, and learning to pull these apart to understand the kill chain is an increasingly vital skill.


Using real malware used in attacks against large corporates, students will look at both behavioural analysis and code analysis, to determine what the malware does.


If you're keen to attend, speak to the 44con crew at the front desk on arrival.


Talk: 'Honey, I'm Home' - Hacking Zwave Home Automation Systems


Behrang and Sahand will be presenting the results of their research into smart homes on day two at 09:30am.


“Smart homes” employing a variety of home automation systems are becoming increasingly common. Heating, ventilation, security and entertainment systems are centrally controlled with a mixture of wired and wireless networking. In 2011 the UK market for home automation products was estimated at GBP 65 million, an increase of 12% on the previous year, with the US market exceeding $3 billion. Zigbee and Z-Wave wireless protocols underpin most home automation systems. Z-Wave is growing in popularity as it does not conflict with existing 2.4GHz WiFi and Bluetooth systems.


Their talk describes the Z-Wave protocol and a number of weaknesses, including how to build a low-cost attack kit to perform packet capture and injection, along with potential attacks on the AES crypto implementation. Bottom line: they can walk up to a house, disable security sensors, then open the front door. LIKE A BOSS