INSIGHTS, NEWS & DISCOVERIES
FROM IOACTIVE RESEARCHERS

Tuesday, October 30, 2012

3S Software’s CoDeSys: Insecure by Design


By Reid Wightman @ReverseICS


My last project before joining IOActive was “breaking” 3S Software’s CoDeSys PLC runtime for Digital Bond.
 
Before the assignment, I had a fellow security nut give me some tips on this project to get me off the ground, but unfortunately this person cannot be named. You know who you are, so thank you, mystery person.

The PLC runtime is pretty cool, from a hacker perspective. CoDeSys is an unusual ladder logic runtime for a number of reasons.

Different vendors have different strategies for executing ladder logic. Some run ladder logic on custom ASICs (or possibly interpreter/emulators) on their PLC processor, while others execute ladder logic as native code. For an introduction to reverse-engineering the interpreted code and ASIC code, check out FX’s talk on Decoding Stuxnet at C3. It really is amazing, and FX has a level of patience in disassembling code for an unknown CPU that I think is completely unique.

CoDeSys is interesting to me because it doesn’t work like the Siemens ladder logic. CoDeSys compiles your ladder logic as byte code for the processor on which the ladder logic is running. On our Wago system, it was an x86 processor, and the ladder logic was compiled x86 code. A CoDeSys ladder logic file is literally loaded into memory, and then execution of the runtime jumps into the ladder logic file. This is great because we can easily disassemble a ladder logic file, or better, build our own file that executes system calls.

I talked about this oddity at AppSec DC in April 2012. All CoDeSys installations seem to fall into three categories: the runtime is executing on top of an embedded OS, which lacks code privilege separation; the runtime is executing on Linux with a uid of 0; or the runtime is executing on top of Windows CE in single user mode. All three are bad for the same reasons.
 
All three mean of course that an unauthenticated user can upload an executable file to the PLC, and it will be executed with no protection. On Windows and Linux hosts, it is worse because the APIs to commit Evil are well understood.

 I had said back in April that CoDeSys is in an amazing and unique position to help secure our critical infrastructure. Their product is used in thousands of product lines made by hundreds of vendors. Their implementation of secure ladder logic transfer and an encrypted and digitally signed control protocol would secure a huge chunk of critical infrastructure in one pass.
 
3S has published an advisory on setting passwords for CoDeSys as the solution to the ladder logic upload problem. Unfortunately, the password is useless unless the vendors (the PLC manufacturers who run CoDeSys on their PLC) make extensive modification to the runtime source code.
 
Setting a password on CoDeSys protects code segments. In theory, this can prevent a user from uploading a new ladder logic program without knowing the password. Unfortunately, the shell protocol used by 3S has a command called delpwd, which deletes the password and does not require authentication. Further, even if that little problem was fixed, we still get arbitrary file upload and download with the privileges of the process (remember the note about administrator/root?). So as a bad guy, I could just upload a new binary, upload a new copy of the crontab file, and wait patiently for the process to execute.

The solution that I would like to see in future CoDeSys releases would include a requirement for authentication prior to file upload, a patch for the directory traversal vulnerability, and added cryptographic security to the protocol to prevent man-in-the-middle and replay attacks.

Wednesday, October 24, 2012

The WECC / NERC Wash-up

By Trevor Niblock @IzTheOcho



Last week in San Diego, IOActive spoke at both the Western Electricity Coordinating Council (WECC) and NERC GridSec (GridSecCon) conferences. WECC is primarily an auditor audience and NERC-CIP is compliance-focused, while GridSecCon is the community and technical security authority for the electricity industry in the U.S. There was a great turnout for both conferences, with more than 200 attendees across three days per conference. IOActive security researcher Eireann Leverett presented “The Last Gasp of the Industrial Air-Gap…”at WECC and participated in a discussion panel on Industry Best Practice for Grid Security at GridSecCon.

 
WECC

An auditors forum, what can I say…other than they do have a great sense of humor [they got Eireann’s Enron corporate failure joke], apparently enjoy a drink like everyone else and definitely need our help and perspective when it comes to understanding the disparity between being compliant and being secure. Day 1 was a closed session for WECC members only, where they discuss god only knows what. Day 2 is where IOActive got involved, with the morning session focusing on Cyber Security and explaining in a little more detail the security challenges the industry faces which are aligned to CIP audit and compliance programmes. Eireann, Jonathan Pollet and Tom Parker all gave great talks which some could argue were a little too technical for the audience, but they were well received nonetheless. More work is definitely needed with forums such as WECC and the NERC standards council to ensure the gap between CIP compliance and the actual state of Energy security is further reduced.


GridSecCon

The audience at GridSecCon was anything but a single area of expertise like we saw at the WECC conference. I engaged with folk from security, engineering, risk management, consulting, audit and compliance and technology backgrounds. From that its fair to say the Industrial Control System and Energy sector is a red-hot opportunity for new rules, new products, new ideas…and new failures! Eireann was in fine form again on the panel - which was made up of consulting, product vendors and Government - throwing in a quote from Trotsky, a Russian Marxist revolutionary. I laughed, but not sure the rest of the crowd appreciated the irony. European humor at work J.  I didn’t see as much as I would have liked to on the Supply Chain side of things including the term Security of Supply, which is widely used in Europe. More work is definitely needed in these areas and is something I will look at in 2013.

Day 1 saw some interesting talks on Social Engineering threats and a panel discussion on Malware threats to the sector. The threat of Social Engineering in the Energy sector in terms of awareness is clearly on the rise.  Positively, it seemed organizations were placing more emphasis [I said more, not enough] on educating SCADA Operations staff around Phishing and Telephony based attacks. Tim Roxy from NERC oversaw the Malware panel as participants openly discussed the threat of new Malware targeting the Energy sector, in particular the effects of SQL Slammer on SCADA systems and a review of the recent attack on Saudi Aramco (Shamoon Malware). It was unclear if the SCADA networks at Saudi Aramco were affected but obviously there are similar challenges in store as SCADA and Corporate networks continue to converge. The incident also triggered an unprecedented response exercise involving reviews of up to 120 of Saudi Aramco’s Plant sites across the Middle East region.
 
Day 2 was kicked off by an excellent Key Note talk by Admiral Thad Allen, [retired] US Coast Guard, on Incident Response and his view of the challenges national infrastructure security is facing in the US, which could easily be applied globally. Undeniably, Admiral Allen said complexity was the biggest challenge we face in securing existing and new national infrastructure. His talk gave examples of his experience in dealing with incidents such as hurricane Katrina in New Orleans, in particular, the importance of defining exactly what the problem is before even thinking about how to respond to it. Not correctly understanding the problem in relation to coordinating an effective response could mean an expensive and ineffective solution, which is exactly where the Energy sector sits today – “stop admiring the problem, start working on the solution.”


Technical vs. Risk Management – the age-old conundrum

It still surprises me to see after 15 odd years of our industry coming to the forefront and an estimated 50+ billion dollar spend in implementing technical security measures that we continue to see the topic of technical vs. risk management come up at these conferences. If technical solutions were security nirvana we wouldn’t be worried about anything today would we? Of course we need both areas, and each is an important as the other. Sure, the technical stuff may seem more interesting, but if we can’t sell the importance of what the tech tells us in a business language the overall security of the Energy industry will continue to struggle for traction. Likewise, the perceived notion that compliance to standards like CIP/ISO27000 etc. etc. keep us safe at night will continue to skew the real picture unless we can talk tech, risk and compliance at the same time.


What are the conferences missing?

Maybe I don’t attend enough conferences, and I understand client sensitivities in sharing this sort of information, but what these conferences need more of is a view from the field – what is actually going on below all the conversations about risk management, compliance and products. Again, stop admiring the problem, admit we have one by analyzing what’s actually going on in the field, and use this to inform programmes of work to solve the issues. We know what good looks like; only talking about it is as useful in the real world as a chocolate teapot…


Key Take Aways

Did I learn anything new? Of course I did, however a lot of the core messages like “we need to talk tech and risk management” and “sector-wide information sharing” continue to be old wine in new bottles for me, especially while governments set strict rules on who they value information from [who they deem as appropriate] and how it can be done [at their approval]. And it’s a little troubling if we have a whole industry sector with its concerns around the security of national infrastructure still trying to understand the importance of risk management or the gaps between compliance and actual security. Saying that, WECC and NERC are clearly making concerted efforts to move thing in the right direction.

 Wicked Problems and Black Swans [Day 2 Key Note, Admiral Thad Allen]. Again, a great talk by Admiral Allen and some great perspective. A Wicked Problem: something we know is there but we don’t have an answer to [lack of Utilities investment in Grid security]. A Black Swan: an outcome so dire it doesn’t seem likely [Grid failure/compromise].
 
As I see it, we need to be more vocal in participating in the sector forums and share [in a generic fashion] what we are seeing in the field, which should further inform organizations like WECC and NERC with a view to continued security improvement across the sector.


 San Diego is hot, the Tex Mex food is great…and I’ll hopefully see you all at WECC & NERC in 2013!

Thursday, October 11, 2012

SexyDefense Gets Real

By Ian Amit @iiamit 
 
 
As some of you know by now, the recent focus of my research has been defense. After years of dealing almost exclusively with offensive research, I realized that we have been doing an injustice to ourselves as professionals. After all, we eventually get to help organizations protect themselves (having the mindset that the best way to learn defense is to study the offensive techniques), but nevertheless, when examining how organizations practice defense one has a feeling of missing something.
 
For far too long the practice (and art?) of defense has been entrusted to bureaucrats and was lowered down to a technical element that is a burden on an organization. We can see it from the way that companies have positioned defensive roles: “firewall admin,” “IT security manager,” “incident handler,” and even the famous “CISO.” CISOs have been getting less and less responsibility over time, basically watered down to dealing with the network/software elements of the organization’s security. No process, no physical, no human/social. These are all handled by different roles in the company (audit, physical security, and HR, respectively).
 
This has led to the creation of the marketing term “APT”: Advanced Persistent Threat. The main reason why non-sophisticated attackers are able to deploy an APT is the fact that organizations are focusing on dealing with extremely narrow threat vectors; any threat that encompasses multiple attack vectors that affect different departments in an organization automatically escalates into an APT since it is “hard” to deal with such threats. I call bullshit on that.
 
As an industry, we have not really been supportive of the defensive front. We have been pushing out products that deal mainly with past threats and are focused on post-mortem detection of attacks. Anti-virus systems, firewalls, IDS, IPS, and DLP - these are all products that are really effective against attacks from yesteryears. We ignore a large chunk of the defense spectrum nowadays, and attackers are happily using this against us, the defenders.
 
When we started SexyDefense, the main goal was to open the eyes of defensive practitioners, from the hands-on people to executive management. The reason for this is that this syndrome needs to be fixed throughout the ranks. I already mentioned that the way we deal with security in terms of job titles is wrong. It’s also true for the way we approach it on Day 1. We make sure that we have all the products that industry best practices tell us to have (which are from the same vendors that have been pushing less-than-effective products for years), and then we wait for the alert telling us that we have been compromised for days or weeks.
 
What we should be doing is first understanding what are we protecting! How much is it worth to the organization? What kind of processes, people, and technologies “touch” those assets, and how do they affect it? What kind of controls are there to protect such assets? And ultimately, what are the vulnerabilities in processes, people, and technologies related to said assets?
 
These are tough questions - especially if you are dealing with an “old school” practice of security in a large organization. Now try asking the harder question: who is your threat? No, don’t say hackers! Ask the business line owners, the business development people, sales, marketing, and finance. These are the people who probably know best what are the threats to the business, and who is out there to get it. Now align that information with the asset related ones, and you get a more complete picture of what you are protecting, and from whom. In addition, you can already see which controls are more or less effective against such threats, as it’s relatively easy to figure out the capabilities, intent, and accessibility of each adversary to your assets.
 
Now, get to work! But don’t open that firewall console or that IPS dashboard. “Work” means gathering intelligence on your threat communities, keeping track of organizational information and changes, and owning up to your home-field advantage. You control the information and resources used by the organization. Use them to your advantage to thwart threats, to detect intelligence gathering against your organization, to set traps for attackers, and yes, even to go the whole 9 yards and deal with counterintelligence. Whatever works within the confines of the law and ethics.
 
If this sounds logical to you, I invite you to read my whitepaper covering this approach [sexydefense.com] and participate in one of the SexyDefense talks in a conference close to you (or watch the one given at DerbyCon online: [http://www.youtube.com/watch?v=djsdZOY1kLM].
 
If you have not yet run away, think about contributing to the community effort to build a framework for this, much like we did for penetration testing with PTES. Call it SDES for now: Strategic Defense Execution Standard. A lot of you have already been raising interest in it, and I’m really excited to see the community coming up with great ideas and initiatives after preaching this notion for a fairly short time.
 
Who knows what this will turn into?

Tuesday, October 2, 2012

Impressions from Ekoparty


By Francisco Amato @famato (Ekoparty founder and organizer)

Another ekoparty took place in Buenos Aires, Argentina, and for a whole week, Latin America had the chance to meet and get in touch with the best researchers in this side of the world.

A record-breaking number of 150 entries were received and analysed by the excellent academic committee formed by Cesar Cerrudo, Nico Waisman, Sebastian Muñiz, Gerardo Richarte, Juliano Rizzo.

There were more than 1500 people who enjoyed of 20 talks without any interruption, except when the Mariachis played.

Following last year’s ideas, when ekoparty became the last bastion of resistance to rebellion against machines, this resistance had to move out of the earth to fight the battle of knowledge sharing in another world.

IOActive again accompanied us with all their research team with an excellent stand that included a bartender and a bar throughout the event. IOActive went for more and also sponsored the VIP dinner to honor all exhibitors, organizers and sponsors, who accepted the challenge: Argentine asado vs. Tacos, prepared by their own research team. It was a head-to-head contest, but the advantage was that the meat was from Argentina :)

We would like to thank all the researchers, participants, sponsors that contribute to ekoparty’s growth! See you back next year to find out how this story goes on!



By Jennifer Steffens @securesun


For those who know me, I'm no stranger to the world of conferences and have attended both big and small cons around the world. I love experiencing the different communities and learning how different cultures impact the world of security as a whole. I recently had the pleasure of attending my second Ekoparty in Buenos Aires with IOActive's Latin American team and it was again one of my all time favorites.

To put it simply, I am blown away by both the conference and the community. Francisco, Federico and crew do an amazing job from start to finish. The content is fresh and innovative. They offer all the great side acts that con attendees have grown to love - CTF, lock picking stations, giant robots with lasers, a computer museum as well as the beloved old school Mario Brothers game. Even the dreaded vendor area is vibrant and full of great conversations - as well as a bit of booze thanks to both our bar service and Immunity's very tasty beer!

But the real heart of Ekoparty is the community. The respect and openness that everyone brings to the experience is refreshing and gives the conference a very "family-like" feel - even with 1500 people. I met so many interesting people and spent each day engaged in inspiring conversations about the industry, the culture and of course, how to be a vegetarian in Argentina (not easy AT ALL!).

A special thanks to Federico and Francisco for the invitation and generous VIP treatment throughout the week. It was a great opportunity for us to bring IOActive's Latin American team together, which now includes 12 researchers from Argentina, Brazil, Colombia and Mexico; as well as meet potentially new "piratas" in the making. I am amazed every day at what that team is able to accomplish and am already looking forward to Ekoparty 2013 with an even bigger team of IOActive "piratas" joining us.

¡Gracias a los organizadores, speakers y asistentes de la Ekoparty 2012. La semana fue fantástica y espero verlos el año que viene!

 
By Cesar Cerrudo @cesarcer

This was my 5th time presenting in Ekoparty (I just missed one Ekoparty when my son was born :) ), Ekoparty is one of my favorites conferences, I feel like a part of it, it’s on my own country which makes it special for me. It’s nice to get together with all the great Argentinean hackers, which by the way are very good and many, and with a lot of friends and colleagues from around the world. During all these years I have seen the growth in quality and quantity, I can say that this conference is currently at the same level that the big and most known ones and every year gets better.

This year I had the honor to give the aperture keynote “Cyberwar para todos”  where I presented my thoughts and views on the global Cyberwar scenario and encourage people to research the topic and get their own thoughts and conclusions.

We sponsored a VIP dinner where speakers, sponsors and friends enjoyed a great night with some long awaited Mexican tacos! Also we had a nice booth with free coffee service in the morning and open bar after noon, I don’t think it’s necessary to stress that it was a very, very popular booth :)

The talks were great and there was lot of research presented for the first time at Ekoparty, just take a look at recent news and you will see that this is not just “another“ conference. Last time I remember a security/hacking conference got so many related news was Black Hat/Defcon. We could say Ekoparty is becoming one of the most important world security/hacking conferences.


 By Stephan Chenette @StephanChenette


OK I'll try my best to follow Cesar, this years keynote speaker, Francisco, one of the founders of EkoParty and Jennifer our CEO in giving an impression of the EkoParty conference. If you haven't been to EkoParty, stop what you're doing right now, check out the web site (http://ekoparty.org) and set yourself a reminder to buy a plane ticket and a entry ticket for next year - because this is a con worth attending. If nothing else you'll learn or confirm what you had thought for years: that the Latin American hacker community is awesome and you should be paying attention to their research if you haven't been already.

Three days long, EkoParty is compromised of a CTF, Lock picking area, training, and 20 interesting talks on research and security findings. The venue is something you'd expect from CCC or PH-Neutral: An Industrial, bare-bones building loaded up with ping pong tables and massive computing power with no shortness of smoke machines, lights and crazy gadgets on stage...oh and as you read above in Francisco's summary, a Mariachi band (hey, it is Argentina!).

The building reminded me of the the elaborate Farady cage Gene Hackman had set up in the movie Enemy of the State that was used to hide from the CIA. Except Eko Party was filled with around 1500 attendees and organizers.






IOActive sponsored a a booth and tried their best to provide the attendees with as much quality alcohol as possible =] 

Our booth is where I spent most of my time when not seeing talks, so that I could hang out with IOActive's Latin American team members originating from Mexico, Brazil, Colombia and Argentina.


I saw a number of talks while at EkoParty, but I'm sure most of you will agree the three most noteworthy talks were:

  • CRIME (Juliano Rizzo and Thai Doung)
  • Cryptographic Flaws in Oracle Database Authentication Protocol (Esteban Fayo)
  • Dirty use of USSD Codes in Cellular Network (Ravi Borgaonkar)
I won't go into details on the above talks, as more information is now available online about them.

I was lucky enough to be accepted as as speaker this year and talk on research focused around defeating network and file-system detection. My past development experience is on detection of threats, but as I stated in my presentation: You must think offensively when creating defensive technology and make no mistake of overselling it's limitations - a problem most salespeople at security companies have these days.

I spent about 75% of my time reviewing various content detection technologies from the last 20 years and explaining each one of their limitations. I then talked about the use of machine learning and natural language processing for both exploit and malware  detection as well as attribution. 

Machine learning like any technology used in defense, has it's limitations and I tried to explain my point of view and importance of not only having a layered defense, but having a well thought  out layered defense that makes sense for your organization. 

As I stated in my presentation, attackers have several stages they typically go through to pull off a full attack and successfully ex-filtration data:

  • Recon (Intelligence gathering)
  • Penetration (exploitation of defenses)
  • Control (staging a persistent mechanism within the network)
  • Internal Recon
  • Ex-filtration of data
In my presentation I looked at the reality in offensive techniques against detection technologies: Attackers are going to stay just enough ahead of the defense curve to avoid detection.


(Stephan Chenette's presentation on
"the Future of Automated Malware Generation")
For example with Gauss and Zeus we've seen dlls being encrypted with a key only found on the targeted machine and downloaded binaries encrypted with information from the infected host - FYI - encrypting binaries with target information basically kills the possibility of any behavior sandbox from being able to run the binary outside of it's intended environment.

So maybe attackers of the future will only make incremental improvements to thwart detection OR maybe we'll start seeing anti-clustering and anti-classifications added to the attacker's arsenal as machine learning is added as another layer of defense - The future is of course unknown - but I do have my suspicions.

In my concluding slides I stressed that there is much improvement that can be made on the side of detecting the threat before it happens as well as making sure that a defensive strategy should be layered in a manor that focuses on making the attacker spend, time, resources and different skill levels at each layer, hopefully comprising enough of his or herself in the process and giving the targeted organization enough time to mitigate the threat if not halt the attack all together.

This was by far the largest crowd I've ever spoken in front of and goes down as one of the best conferences I've attended. Thanks again EkoParty committee for inviting me to present, I'll try my best to be back next year!!





By Ariel Sanchez

We had the opportunity at the Ekoparty to attend  presentations which a show high level of innovation and creativity.

Here are some personal highlights:

 *The CRIME Attack presentation by Juliano Rizzo and Thai Doung

 *Trace Surfing presentation by Agustin Gianni

 *Cryptographic flaws in Oracle Database authentication protocol presentation by Esteban Fayo


I can't wait to see what is coming in the next ekoparty!



By Tiago Assumpcao @coconuthaxor

If my memory is accurate, this was my fourth EkoParty. From the first time to now, the numbers related to the conference have grown beyond my imagination. On the other hand, EkoParty remains the same on another aspect: it has the energetic blood of Latin American hackers. Too many of them, actually. Buenos Aires has a magical history of popping up talents like nowhere else. And the impressive numbers and quality of EkoParty, today, definitely have to do with that magic.

There were many great talks, on a wide range of topics. I will summarize the ones I mostly appreciated, being forced to leave aside the ones I didn’t have the chance to catch.

Cyberwar para todos, I’ve seen people complaining about this topic, either because it’s political (rather than technical), or because “it’s been too stressed” already. In my opinion, one can’t ignore how the big empires think of information security. Specifically, here is what I liked about this talk: the topic might have been stressed in North America, but the notion of cyberwar, per Gen. Keith Alexander’s vision, is still unknown to most in South America. A few years ago, the Brazilian CDCiber (Cyber Defense Centre) was created and, despite effort coming directly from the President, the local authorities are still very naïve, to say least, if compared to their rich cousins. Cesar raises questions about that.

Satellite baseband mods: Taking control of the InmarSat GMR-2 phone terminal, this was probably my favorite talk. They showed how a user can easily modify satellite phones at will, poking data that comes in and out of the device. Furthermore, the presenters showed how communication technologies very similar to GSM, when applied over a different medium, can open whole new vectors of potential attacks. Finally, Sebastian “Topo” Muniz is one of the most hilarious speakers in the infosec industry.

Trace Surfing, this is one of those rare talks that resolve hard problems with very simple solutions. Agustín showed how one can retrieve high-level information about the Windows heap, during the course of an execution trace, simply by tracking ABI specifics at call-sites of choice. The simplicity of his solution also makes it really fast. Great work!

PIN para todos (y todas), basically Pablo Sole created an interface that allows one to write Pin-based tools to instrument JavaScript. I heard it’s impressively fast.


What I really wanted to have seen, but couldn’t…

OPSEC: Because Jail is for wuftpd, unfortunately, they had Grugq speaking at 9am. I can’t digest humour so early and will have to ask him for a secondhand presentation.

Literacy for Integrated Circuit Reverse Engineering, very sadly, I didn’t catch Alex’s presentation. But if you are into reverse engineering modern devices, I would recommend it with both my eyes closed, nonetheless.



By Lucas Apa @lucasapa

What begun publicly as an e-zine in the early century now arises as the most important latin american security conference "ekoparty". All the latin american team landed Buenos Aires to spend an amazing week.
My "ekoparty week" started on monday where I got invited to attend a "Malware Analysis Training" by ESET after solving a challenge of "binary unpacking" posted on their blog. First, two intensive days were held with paid trainings which covered the following topics: cracking, exploiting, sap security, penetration testing,  web security, digital forensics and threats defense. Every classroom was almost fully booked.

The conference started on Wednesday in "Konex Cultural Center", one of the most famous cultural centers especially for music and events. The building used to be an oil factory some decades ago.
On Wednesday, our CTO Cesar Cerrudo, was the main keynote of the day.
Many workshops were open for any conference assistant for the rest of the day.

At night we enjoyed a classic "Mexican Grill" at IOActive's party where VIP guests were invited. The meal was brought you by Alejandro Hernández and Diego Madero, our Mexican Security Consultants.
On Thursday and Friday were the most awaited days since the presentations were going to start.

My favorite talks were:

*Taking control of the InmarSat GMR-2 phone terminal (Sebastian Muñiz and Alfredo Ortega): Without modifying the firmware image, researchers managed to send AT commands to the phone terminal to write arbitrary memory. They copied binary instrumentation code for logging and hooking what really sends the phone on common actions like sending SMS. Then, they wrote the "data" section for redirecting the flow at some point and discovered that messages sent to the satellite "might" be vulnerable to
"memory corruption" if they are preprocessed by the satellite before retransmision. No satellites were harmed.


*VGA Persistent Rootkit (Nicolás Economou and Diego Juarez): Showed a new combo of techniques for modifing reliably the firmware of a VGA card to execute code or add new malicious basic blocks.

*The Crime (Juliano Rizzo and Thai Duong): The most awaited talk revealed a new chosen plaintext attack where compression allowed to recognize which secuences of bytes were already on the TLS data. The attack works like BEAST, with two requirements: capture encrypted victim's traffic and control his browser by using a web vulnerability (or MITM on an HTTP service). When forcing the browser to issuing some specific words on the HTTP resource location, they figured that if that portion of the random string is already on the cookie the TLS data gets more compressed. This allows to bruteforce to identify the  piggybacked cookie that is automatically added to the request.

*The Future of Automated Malware Generation (Stephan Chenette): Our Director of R&D showed how different AV's performs approaches for detecting malware mostly failing. It is difficult to defend ourselves in something we dont know but we must remember that attackers are also having fun with Machine Learning too !

*Cryptographic flaws in Oracle DB auth protocol (Esteban Fayó): When authenticating a user, Oracle uses the hashed password (on the database) as the key for encrypting the server session (random). The user hashes its password and then tries to decrypt the encrypted session that the server returned. The problem is that is possible to recognize if this decryption returns an invalid padding so the initial password can be tried offline. This allows to bruteforce the process of decrypting locally till a valid padding occurs (sometimes it colides with a valid padding but it's not actually the password). This vulnerability was
reported to Oracle 2 years ago but no patch was provided by them till then.


 

By Alejandro Hernández @nitr0usmx

After a 10 hours delayed flight, finally I landed to Buenos Aires. As soon as I could, I went straight to the VIP party to meet with the IOActive team and to prepare some mexican tacos and quesadillas (made by Diego Bauche @dexosexo).

The next day, Thursday, I had the chance to be at the Stephan Chanette's talk (@StephanChenette), which was a really interesting presentation about automated malware generation and future expectations. His presentation had a good structure because he started with the current state of malware generation/defense and later he explained the future of malware generation/defense passing through the actual malware trends. The same day, I enjoyed the Esteban Fayo's talk (@estemf) because he showed a live demo on how to crack an Oracle password taking advantage of some flaws in the Oracle authentication protocol.

The venue, KONEX, the same as the last year, was really cool, there were vendors booths, old computers, video games (where I spent like two hours playing Super Mario Bros) as well as a cocktail bar, obviously the IOActive booth ;).

In conclusion, I really had a great time with my fellow workers, drinking red wine and argentine asado, besides amazing conferences.

Definitely, I hope to be there the next year.