Grey bar Blue bar
Share this:

Tue, 6 Sep 2011

Systems Applications Proxy Pwnage

[2011/9/6 Edited to add Slideshare embed]

I am currently in London at the first ever 44con conference. It's been a fantastic experience so far - excellent talks & friendly people.

Yesterday, I presented a paper titled "Systems Applications Proxy Pwnage" . The talk precis sums it up nicely:

It has been common knowledge for a number of years that SAP GUI communicates using an unencrypted and compressed protocol by default, and numerous papers have been published by security professionals and researchers dealing with decompressing this traffic.

Until now, most of these methods have been time consuming, convoluted and have focussed more on obtaining sensitive information (such as credentials) than a thorough understanding of the protocol used by SAP GUI.

During this presentation, the speaker will focus on the protocol used by SAP GUI. The speaker will demo and release a new tool-set to assist security professionals in parsing, decompressing and understanding this protocol, as well as demonstrate how this formerly sacrosanct protocol makes SAP applications potentially vulnerable to a wide-range of attacks which have plagued web applications for years.

The talk went very well. All demos worked perfectly. My newly authored toolset not only seems to have performed admirably during the presentation, but also seems to be in some demand...

As such, I'm pleased to announce the public release of two tools - SApCap and SAPProx.

SApCap is a Java-based packet sniffer, decompressor and protocol analysis tool for SAP GUI. It makes use of a third-party JNI interface for pCap (get it here) and a custom-built JNI decompression interface for SAP. You can download it here.

SAPProx is what I believe to be the world's first ever SAP GUI proxy. Think of it as WebScarab for SAP. You can download it here.

The programs are GPL, and the sources are also available from the relevant pages.

The custom JNI library used for decompressing SAP traffic is also available from the previously mentioned download pages in both binary and source formats. I have, however, only had the opportunity to build binary libraries for Mac OS/X, Linux (32-bit) and Windows (32-bit). I will add more binary libraries as soon as I get back to ZA and have access to some different build environments again.

If you're interested, a copy of my 44con presentation is available from here or below.

Fri, 19 Aug 2011

SensePost @ 44Con - Join us!

Until recently, there was a distinct lack of decent, high-quality technical security conferences held in the United Kingdom. Home to the Global Financial Centre, London, there isn't a shortage of industries who require secure applications and rely on secure infrastructure and applications to operate.

With this in mind, 44Con is the first combined information security conference and training event held in Central London. The con will provide business and technical tracks, aimed at government, public sector, financial, security professionals and Chief Security Officers.

SensePost will be attending the conference, with Ian de Villiers giving a ground-breaking talk on intercepting and modifying the protocol used by SAP GUI, including the release of a tool that facilitates assessments of said protocol. In addition, Ian and Daniel Cuthbert will be delivering a training course aimed at educating developers, and those involved in the deployments and life-cycle of applications, on the correct approaches required to protect applications from common threats.

Unlike other developer-centric courses, developers will actively be involved in breaking into their fellow students applications, whilst they try and prevent the attacks from taking place.

44Con will be held at the Grange City Hotel in London on the 30th August until the 2nd September.

Register to train with SensePost at 44Con.

Sun, 23 Aug 2009

John Viega's "the myths of security".. Really??

i go through a ton of books. Over the past 10 years, this has been dominated by books on computer security, computer science, programming (and some sprinklings of management classics).

I generally stay away from writing reviews, but was genuinely suprised at the number of 5 star reviews Viega's new book had received and felt i had to chime in.

I picked up "the myths of security" (what the computer industry doesn't want you to know) with hope, because O'Reilly books in general are well done and i really liked some of Johns previous books. Alas! I tried hard to think of a good thing to say about the book, and the best i can come up with right now is that "at least, it wont take up space on my bookshelf".

The book is tiny (48 chapters, where each chapter is between a paragraph to 2-3 pages) which isn't a bad thing, but it reads mostly as a collection of blog posts or hurriedly written notes-to-self.

Advertising++ The Foreword alone uses the word McAfee 14 times, and over the 48 chapters, the word McAfee goes on to appear about 65 times. This is acceptable on a blog, in a book i just paid for its slightly annoying.

Target Audience I agree with Bejtlich who cant figure the books target audience. One chapter might give explanations in crayon (presumably for the less sophisticated user) while the next chapter might give advice for how to label the security technology you plan to sell.

Consistency There are a number of times in the book where the author takes opposite sides of an argument (in different chapters). This is useful if coherently positioned as 2 sides of an argument, but if this is used on different arguments on different pages, it seems more like the author is merely choosing the position thats convenient to support his view at the time...

It's slightly odd when compared with his take on security spend to hear the author say this about the TSA and their "Security Theater": "But there's some hidden value here—it makes people feel safer. Whether it works well or poorly, it is better than nothing and it makes people feel better."

General whining (by me). The author dedicates a chapter to Mobile Phones titled "OK, Your Mobile Phone Is Insecure; Should You Care?". He concludes with: "Sure, there will always be the occasional virus for smartphones, but I don't see an epidemic emerging. At the end of the day, there is still lower-hanging fruit for the bad guys. It is still far easier for them to make money attacking traditional PCs and laptops then going after mobile phones. That may eventually change, but I'm not going to hold my breath."

I think the view that you only need to be worried about the ability of your device to withstand an attack "epidemic" is wrong on so many levels. Im far less worried about my iPhone becoming part of a botnet than i am of the fact that these days huge parts of my life are on it, and can be grabbed by Charlie Miller if he is willing to pay the $0.20 to send me a few SMS'es.

In his Epilogue, he writes: "But instead of preaching that the customer is hosed, I'm preaching that the security industry is hosed—I don't think customers are hosed at all." which is an interesting contrast to his chapter on PKI that ends with "That leaves the Internet fundamentally broken."..

Of course the lines that most bothered me were in the chapters on Privacy and Anonymity. Privacy gets just under 200 words but includes the classic line: "privacy is nice in theory, but if you don't have anything to hide, what's the big deal?"

Hmm.. OK.. lets see the take on anonymity before responding.

Anonymity gets 166 words (wow - 100 words more than the word McAfee!) and once more ends with the classic: "Oh, and I've got nothing to hide anyway…."

The author cites the example of Zero-Knowledge, who built a paid service to surf anonymously which "worked pretty well, but nobody cared".

Once more, i think there is so much wrong here, that im not sure where to start. Having to convince someone that Privacy is important even if you cant sell it seems like a pretty old argument to be having..

In general, i think its safe to say that the book left me disappointed, and a little bit afraid that somewhere decision makers could be forming an opinion on an entire industry based on ~250 words dedicated to a topic that deserves much more thought..


Sat, 16 May 2009

How Good Companies Fail..

In early 2002 i recall reading and falling in love with Jim Collins book: "From good to Great". I recall being so excited by some passages that i typed out whole paragraphs and sent them around to the rest of the office..

For my last birthday Deels got me Collins other book "Built to Last: Successful Habits of Visionary Companies".

It seems as if he has done it again, with his new (soon to be released) book called "How The Mighty Fall: And Why Some Companies Never Give In"

Businessweek posted [an excerpt from the book], and i wanted to post an excerpt of that excerpt. He covers the 5 stages of a failure (im pasting 3 of them):

  1. HUBRIS BORN OF SUCCESS Great enterprises can become insulated by success; accumulated momentum can carry an enterprise forward for a while, even if its leaders make poor decisions or lose discipline. Stage 1 kicks in when people become arrogant, regarding success virtually as an entitlement, and they lose sight of the true underlying factors that created success in the first place. When the rhetoric of success replaces penetrating understanding and insight , decline will very likely follow
  2. UNDISCIPLINED PURSUIT OF MORE Hubris from Stage 1 ("We're so great, we can do anything!") leads right to Stage 2, the Undisciplined Pursuit of More—more scale, more growth, more acclaim, more of whatever those in power see as "success." Companies in Stage 2 stray from the disciplined creativity that led them to greatness in the first place, making undisciplined leaps into areas where they cannot be great or growing faster than they can achieve with excellence—or both. When an organization grows beyond its ability to fill its key seats with the right people, it has set itself up for a fall. Although complacency and resistance to change remain dangers to any successful enterprise, overreaching better captures how the mighty fall. Discontinuous leaps into areas in which you have no burning passion is undisciplined. Taking action inconsistent with your core values is undisciplined. Investing heavily in new arenas where you cannot attain distinctive capability, better than your competitors, is undisciplined. Launching headlong into activities that do not fit with your economic or resource engine is undisciplined. Addiction to scale is undisciplined. To neglect your core business while you leap after exciting new adventures is undisciplined. To use the organization primarily as a vehicle to increase your own personal success—more wealth, more fame, more power—at the expense of its long-term success is undisciplined. To compromise your values or lose sight of your core purpose in pursuit of growth and expansion is undisciplined.
  3. DENIAL OF RISK AND PERIL As companies move into Stage 3, internal warning signs begin to mount, yet external results remain strong enough to "explain away" disturbing data or to suggest that the difficulties are "temporary" or "cyclic" or "not that bad," and "nothing is fundamentally wrong." In Stage 3, leaders discount negative data, amplify positive data, and put a positive spin on ambiguous data. Those in power start to blame external factors for setbacks rather than accept responsibility. The vigorous, fact-based dialogue that characterizes high-performance teams dwindles or disappears altogether. When those in power begin to imperil the enterprise by taking outsize risks and acting in a way that denies the consequences of those risks, they are headed straight for Stage 4
Managing high performance teams, and well performing companies is a constant battle against the forces of darkness, and like most of his work, all i can say is "Preach brother.. Preach.."

Sun, 22 Feb 2009

HITB08 - Marcus Ranum Keynote on CyberWar..

I just managed to pull the HackintheBox torrents for their [2008 talks]. (SensePosters can grab a local copy [here]).

I watched Marcus Ranums "Cyberwar is Bullshit" talk. A talk that was truly wince-worthy! While the talk will make you scream at the screen a few times, it is worth watching just to see the Q&A section after the talk.. It's quite clear that Ranum gets owned more thoroughly than his online gallery did.


Roberto Preatoni of WabiSabiLabi fame confronts Ranums simplistic views of cyber warfare with some pretty straight forward questions, to which Ranum is forced to concede "You got me there".

Another question from the audience included more lashings - with an added underhanded "USA lost in Vietnam without nuclear weapons" comment thrown in for good measure.

Overall, i think Ranum enjoys being contrarian.. I think over the last few years he has become famous for it.. But i think to completely bull@#$@# cyberwar, while setting such narrow definitions for what constitutes a war skates dangerously close to the thing that Ranum often complains about - Sensationalist topics shrouded in geek mystique that get eaten up by the popular press.. The talk was disappointing.. Ranum is indeed much better than this..