The need to evolve defensive security to offensive security

This morning I saw a job offer from Facebook looking for offensive security engineers and I thought it would be a wonderful opportunity to explore this idea and its application in corporate security.

Traditionally, information security in enterprises has had a defensive role built on different products (firewall, anti-virus, IDS, etc.). But when week after week we read in the media how businesses of all sizes are attacked and owned, something is clearly wrong!

The Internet and its dangers have evolved but corporate security has not: too many companies follow decades-old security schemes to protect their information.

As Nation-States develop not only their defensive capabilities but also their offensive capabilities, businesses should also build offensive capabilities: not to attack other companies, but to assess their own security effectively.

It is impossible for security consultants / pentesters with limited time to truly verify the security of a company, yet unfortunately that is the model most companies follow. No one rushes the doctor during an operation or the plumber while fixing a leak, but we press security consultants all the time to deliver comprehensive results in a short space of time.

Corporate security needs to evolve to include offensive staff who truly understand attackers (the attacker mindset), who are capable of attacking systems and applications, and who have some freedom to do so within the company. These are the people who can raise security to the next level.

Their objective is to constantly attack the company using current techniques to discover the weak points and strengthen them, to analyze malware identified in the company and even to set traps for the attackers (honeypots). This should not be confused with Counter-Hacking, the idea that if we are attacked we must respond by attacking. No company should use its offensive capabilities to counterattack, as this can unleash all kinds of problems (legal and ethical). We must only use offensive capabilities internally to improve security, period.

Companies that do not evolve their security to a combined defensive and offensive model, and that do not enhance not only their technology but also their processes and people (the famous pyramid: people, processes and technology), are doomed to be owned for life.

Does your company have offensive security capabilities? How are they used?

— Simon Roses Femerling


VULNEX Award and RSA USA speaker experience!

February has been both very interesting and busy! On February 17th I had the pleasure of collecting VULNEX's first award, given by the Spanish security magazine Red Seguridad for IT Innovation for our collaboration with DARPA (Defense Advanced Research Projects Agency of the US Department of Defense), which produced BinSecSweeper, a technology that allows us to verify the security posture of any binary.

You can find a great chronicle of the event here and below I am including a photo of the trophy 🙂


On 24-28 February I attended the legendary RSA USA conference in San Francisco for the first time, where I gave a talk on security in software development and on using BinSecSweeper to assess binaries, entitled “Writing Secure Software is hard, but at least add mitigations!”. I take this opportunity to thank the attendees for the good feedback; I'm glad that so many liked my presentation! And of course thanks also to the organizers for a great event.


The presentation is already available on VULNEX website.



It was my first time at RSA USA but certainly won’t be the last! In my opinion a must-attend event for all cybersecurity professionals.

Until next year!

— Simon Roses Femerling


Enterprise Computer Security must CHANGE

Last week I had the pleasure of giving a talk entitled “Cyber Security: time for change” on my vision of corporate cyber security posture at an event organized by Page Personnel Spain (thanks for having me!), and I can say up front that change is much needed to combat the constant threats on the Internet.

The talk began with a description of the different attacker profiles, from casual attackers, employees, hacktivists and cybercrime to Nation-State attackers, and how security defenses become less effective as the attacker becomes more capable.

Every week we can read in the media about companies being compromised. If we look back over recent years, companies like Google, Sony, Citi, RSA, Northrop Grumman, and the list goes on, have been successfully attacked. These are companies with large resources and presumably a decent level of security (firewalls, IDS, anti-virus, patch policy, etc.), and still they have not been able to defend themselves.

Much is said about APTs being sophisticated attackers, but that is not quite right: they simply use their offensive capabilities more efficiently, and they only need one security flaw to compromise a system.

There is a security principle I call “Reverse Continuous Assessment” that I usually discuss with my clients. It means that any computer connected to the Internet is “audited” at least once a week by some actor, so every system on the Internet is constantly being “audited” whether its owner likes it or not; hence companies can no longer use the lame excuse “we have no enemies; no one wants to attack us”. I always recommend performing periodic security assessments to know the status of our security and where to improve.

It is clear that we need a change to protect ourselves effectively. Today too many companies base their security strategy solely on the purchase of products such as firewalls, IDS, antivirus, etc., which are technologies from earlier decades and clearly inadequate on their own. A quote often attributed to Albert Einstein captures this need for change: “Insanity: doing the same thing over and over again and expecting different results.”

In my view, organizations must create a true security strategy that involves the entire company and changes its mentality. First of all, they must be clear on what information is valuable, how it is classified and where it is located (usually scattered throughout the organization). Only after this exercise can they begin to design their security strategy. How are they going to protect themselves when they do not know what to protect or from whom?

The security strategy should target three fronts: technology, processes and people. Just buying security products is not a real security strategy, since it only covers technology and neglects processes and people, which are equally or even more important.

Rather than intelligence I prefer to talk about vision: getting to know our organization and knowing what must be protected and from whom. Some aspects that our security strategy should address are the following:

1) A 100% dedicated security team: I understand that this is difficult for many organizations, but security is much more than managing anti-virus and firewalls. It is absolutely necessary to have qualified staff dedicated to this task. Their training should be defensive in nature and periodic (at least annual), and it is also recommended that they receive some basic offensive training to understand where attackers can come from and how to repel them.

2) Training: the entire organization must receive security awareness training tailored to their jobs so they understand and avoid the dangers of the Internet, malicious documents, social network risks, etc. Today the cost of online training is very affordable, so there is no excuse.

3) Active defenses: security defenses tend to be passive, waiting to be attacked, but they should be active. This does not mean attacking the attackers, which may even be illegal because we cannot know whether we are hitting the attacker or another victim, but making them waste time and resources, or even detecting and identifying them, using technology such as honeypots. A fantastic project for this concept is the Active Defense Harbinger Distribution (ADHD).

4) Evaluate software security posture: companies have many applications installed on their systems and their security is entrusted to the software vendor, but IT and/or security staff should be able to assess all this software themselves. Security verification technologies such as VULNEX BinSecSweeper help in this regard.

5) Secure development: I will never tire of talking about the need to develop secure software, be it a website, a mobile app or other software, since today most attacks exploit insecure applications. Much to improve in this area!

6) Greater use of open source security software: organizations tend to buy commercial security products since these often have a better interface; however there are many fantastic open source security solutions (IDS, antivirus, firewall, etc.) that, combined with commercial products, can greatly improve corporate security.

No doubt there are many more areas for improvement in a security strategy, but the ones described here are a good start. To achieve this without burning out, we must have a capable team (people) and document everything (processes). Do not write hundreds and hundreds of pages that no one is going to read, but simple, well-structured documents describing the security processes and tasks.

Nobody says it is easy, but it is certainly necessary if we want to improve corporate security and protect ourselves from threats on the Internet; meanwhile we will keep reading in the media about companies of every kind being compromised…

What is your opinion of the security strategy in organizations: does it work or not?

— Simon Roses Femerling


AppSecUSA & BinSecSweeper Talk

Last week the OWASP AppSecUSA 2013 conference was held in the legendary New York City, where I had the pleasure of giving a talk on secure software development titled “Verify Your Software for Security Bugs” and presenting my new project BinSecSweeper, a technology that allows you to verify the security posture of any binary on different platforms.

The development of BinSecSweeper was made possible by an R&D grant from the DARPA Cyber Fast Track (CFT) program to improve security in software development. For more information, I recommend reading the description of the project here.

The conference took place at the Marriott Marquis hotel in Times Square, in the heart of Manhattan, and more than 1500 people interested in security attended! As always at OWASP events we saw well-known faces from the security world, with whom I had the pleasure of chatting, as well as new ones. Greetings to all of them!

As expected, this year many talks focused on mobile security, mainly Android and iPhone. There were also many talks about Web security and OWASP projects, although I have to admit that some talks were not up to par.

Below are some screenshots of BinSecSweeper, which will be published soon 😉

Fig. 1 – BinSecSweeper auditing a Windows binary under Linux

Fig. 2 – BinSecSweeper auditing a Linux binary under Linux

Thanks to the AppSecUSA team for a great event; it has been a pleasure to participate! See you in future editions!

— Simon Roses Femerling


Book Review: iOS Hacker’s Handbook

I have been wanting to read this book for a long time; I finally managed to make time for it and I have to admit that it has exceeded my expectations. This magnificent work, written by reputed experts in mobile security and in iOS (one of the top mobile platforms) such as Charlie Miller, Dion Blazakis, Dino Dai Zovi, Stefan Esser, Vincenzo Iozzo and Ralf-Philipp Weinmann, reveals the secrets of Apple's mobile operating system.

iOS Hacker's Handbook (ISBN: 978-1-118-20412-2) is a fascinating and very technical read that takes us into the inner workings and security of iOS in order to find vulnerabilities and develop exploits.

Its 11 chapters are full of source code (understanding C and ASM is recommended) describing the security architecture of iOS, such as encryption, sandboxing, the different types of memory protections and code signing, and then finding vulnerabilities through reverse engineering and fuzzing and developing exploits using modern techniques such as ROP.

Some of the crown jewels include the study of real vulnerabilities that were used to win the mythical Pwn2Own contest, understanding and developing our own jailbreaks, and debugging and exploiting the iOS kernel.

Considering the rise of exploit sales and the price an iOS 0day commands, this is clearly a very serious and lucrative business, so you must read this book (check the Forbes article on the subject)!

The work focuses on the iOS platform itself, so vulnerabilities and exploitation of Apps are not covered; for that topic there are plenty of other references, so it is not really missed.

Without a doubt this book is compulsory reading for any security expert who wants to delve into the bowels of iOS at the lowest level. I recommend reading the book a few times to assimilate the concepts well, and downloading the accompanying source code, as it contains various interesting tools needed to exploit iOS.

I will take the opportunity of this post to mention that VULNEX offers training on mobile hacking that I am sure may interest you 🙂

Score (1 rose, very bad / 5 roses, very good): 5 Roses (Recommended Reading)

— Simon Roses Femerling


AppSec: Myths about Obfuscation and Reversing Python

Python is an easy and powerful programming language that allows us to write sophisticated programs: Dropbox and BitTorrent are excellent examples. Python programs are commonly delivered as source code, but in some cases techniques like obfuscation and compilation are applied to protect the code from curious eyes. But do these techniques really work?

In this article we will look at some tools that supposedly help us protect our code and see how easily they are subverted.

We have two example programs written in Python (Python 2, like the tools discussed below): the first is a simple function that asks for a password and shows a message; the second does the same but using a class.

# secretapp1.py (Python 2)
def main():
    a = "toomanysecrets"

    res = raw_input("Please enter your password: ")
    if res == a:
        print "ACCESS GRANTED"
    else:
        print "ACCESS DENIED"

if __name__ == "__main__":
    main()

# secretapp2.py (Python 2)
class DoMain:

    def __init__(self):
        self.a = "toomanysecrets"

    def Ask(self):
        res = raw_input("Please enter your password: ")

        if res == self.a:
            print "ACCESS GRANTED"
        else:
            print "ACCESS DENIED"

if __name__ == "__main__":
    dm = DoMain()
    dm.Ask()

Suppose I don't want to deliver the source code of these programs; then I have several options. The first is to obfuscate the code, making it harder to read.


This program obfuscates the code while keeping it completely valid for the Python interpreter. Here is an example with SecretApp1 and SecretApp2.

Fig. 1 – Obfuscated secretapp1

Fig. 2 – Obfuscated secretapp2

At a glance our code makes no sense, but if we look closely at the result we still see the text strings and can recognize Python syntax. It is not too difficult to reconstruct the original code from the obfuscated code.

Despite its limitations, I invite you to visit the tool's website to check its possibilities.


This tool was originally written to solve a challenge in a hacking competition at the Hack in the Box conference. I recommend reading this great article to learn more about it.

Unlike the previous tool, Htibctobf obfuscates Python code by transforming its AST (Abstract Syntax Tree). The result of running it on our two programs is shown in Fig. 3 and Fig. 4.

Fig. 3 – Obfuscated secretapp1

Fig. 4 – Obfuscated secretapp2

The text strings are still visible in the obfuscated code, and again it is not too difficult to reconstruct the original.

Without a doubt an interesting concept with many possibilities; nevertheless it needs improvements to be really useful.
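To make concrete why AST-based renaming leaves so much behind, here is an added example (not code from the original post, nor from Htibctobf) of a minimal AST obfuscator written in Python 3 with the standard library's ast module. It renames every function, parameter and variable the program defines to a meaningless identifier, leaves builtins and __name__ alone so the program still runs, and regenerates source with ast.unparse. The sample program is a constructed Python 3 port of the page's secretapp1; the names collect_bound_names, Renamer, obfuscate and string_literals are mine.

```python
import ast

# Constructed sample: a Python 3 port of the page's secretapp1, as source text.
SECRETAPP1_SRC = '''
def main():
    a = "toomanysecrets"
    res = input("Please enter your password: ")
    if res == a:
        print("ACCESS GRANTED")
    else:
        print("ACCESS DENIED")

if __name__ == "__main__":
    main()
'''


def collect_bound_names(tree):
    """Names the program itself defines: functions, parameters and assigned
    variables. Anything else (builtins such as input/print, and __name__)
    must keep its name or the obfuscated program would stop working."""
    bound = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            bound.add(node.name)
        elif isinstance(node, ast.arg):
            bound.add(node.arg)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            bound.add(node.id)
    return bound


class Renamer(ast.NodeTransformer):
    """Rewrite every occurrence of a bound name to a meaningless identifier."""

    def __init__(self, bound):
        self.mapping = {name: f"_v{i}" for i, name in enumerate(sorted(bound))}

    def visit_FunctionDef(self, node):
        node.name = self.mapping.get(node.name, node.name)
        return self.generic_visit(node)  # also visits the arguments and body

    def visit_arg(self, node):
        node.arg = self.mapping.get(node.arg, node.arg)
        return node

    def visit_Name(self, node):
        node.id = self.mapping.get(node.id, node.id)
        return node


def obfuscate(source):
    """Parse, rename identifiers in the AST and regenerate source text.
    String constants are never touched: they are data, not names."""
    tree = ast.parse(source)
    tree = Renamer(collect_bound_names(tree)).visit(tree)
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


def string_literals(source):
    """All string constants in a program, in AST traversal order."""
    return [
        node.value
        for node in ast.walk(ast.parse(source))
        if isinstance(node, ast.Constant) and isinstance(node.value, str)
    ]


if __name__ == "__main__":
    obfuscated = obfuscate(SECRETAPP1_SRC)
    print(obfuscated)
    print("strings still present:", string_literals(obfuscated))
```

Running it prints a program with names like _v0 and _v1, but the password "toomanysecrets" and the two messages are still right there in clear text, which is exactly what Fig. 3 and Fig. 4 show. Hiding literals would require a second transformation (encoding the constants and decoding them at runtime), and even then the decoder ships with the program.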

In some cases obfuscation may be enough, but let's look for ways to protect our code more effectively, which means compiling our Python code into an executable.


Py2exe is possibly the most popular choice for turning Python code into a Windows executable.

First we have to create a setup script (setup.py) that references the program we want to build. See the setup script below.

# setup.py
from distutils.core import setup
import py2exe

# Build a console executable from secretapp1.py
setup(console=["secretapp1.py"])


We are now ready to compile our Python code into a Windows executable, so let's run py2exe (python setup.py py2exe). See Fig. 5.

Fig. 5 – Build secretapp1.exe

Once the build completes, py2exe creates a directory called “dist” containing our executable and the libraries it needs. In Fig. 6 we can see that py2exe finished successfully and that our program runs as an .exe.

Fig. 6 – Build completed!

We could now distribute this binary without fear of giving away our code. Or could we?


Py2exe_extract extracts the Python object file embedded in an executable created with py2exe, essentially inverting the process.

In Fig. 7 we can see how we use py2exe_extract to obtain the object file secretapp1.pyc from secretapp1.exe. The content of this file is Python bytecode: it is platform-independent, but tied to the version of the interpreter that produced it, so the disassembler or decompiler used on it must understand that version.

Fig. 7 – Extracting the object file

Now let’s explore ways to get the code from this object file.


Unwind is a disassembler for Python bytecode that can be used to analyze “.pyc” object files. For this example I've written a simple Python script that imports the disassembler and analyzes the pyc file. See the code below.

import unwind


With this script you can run the following command and get a disassembly of the object file. See Fig. 8.

Fig. 8 – Python Bytecode

For low level lovers this will be your favorite choice 😉
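As an added example (not from the original post, and using neither unwind nor uncompyle2), the following Python 3 code reproduces the extract-and-disassemble step above with only the standard library: it builds a .pyc-format blob from a constructed Python 3 port of secretapp2, loads the code object back with marshal the way a disassembler would, walks the nested function and class bodies, and pulls out every string constant along with a full dis listing. The names build_pyc, load_pyc, walk_code, string_constants, disassemble and recover_from_pyc are mine; the 16-byte header layout is the one CPython 3.7+ writes (Python 2 used an 8-byte header, but the approach is identical).

```python
import dis
import importlib.util
import io
import marshal
import struct
import time
import types

# Constructed sample: a Python 3 port of the page's secretapp2, as source text.
SECRETAPP2_SRC = '''
class DoMain:
    def __init__(self):
        self.a = "toomanysecrets"

    def Ask(self):
        res = input("Please enter your password: ")
        if res == self.a:
            print("ACCESS GRANTED")
        else:
            print("ACCESS DENIED")

if __name__ == "__main__":
    DoMain().Ask()
'''


def build_pyc(source, filename="secretapp2.py"):
    """Compile source and wrap it in the .pyc container the CPython importer
    writes: magic number, flags (0 = timestamp-based), mtime, source size,
    then the marshalled code object. Stands in for what py2exe embeds."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER
    header += struct.pack("<I", 0)                                  # flags
    header += struct.pack("<I", int(time.time()) & 0xFFFFFFFF)      # mtime
    header += struct.pack("<I", len(source.encode()) & 0xFFFFFFFF)  # size
    return header + marshal.dumps(code)


def load_pyc(data):
    """Skip the 16-byte header and unmarshal the top-level code object."""
    return marshal.loads(data[16:])


def walk_code(code):
    """Yield the module code object and every nested function/class body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def string_constants(code):
    """Every str constant reachable from the code object, deduplicated.
    Constants survive compilation untouched, so the password is in here."""
    out = []
    for c in walk_code(code):
        for const in c.co_consts:
            if isinstance(const, str) and const not in out:
                out.append(const)
    return out


def disassemble(code):
    """Return the bytecode listing as text (what a disassembler shows);
    dis.dis recurses into nested code objects on its own."""
    buf = io.StringIO()
    dis.dis(code, file=buf)
    return buf.getvalue()


def recover_from_pyc(data):
    """The analyst's view of a .pyc: its strings and its disassembly."""
    code = load_pyc(data)
    return string_constants(code), disassemble(code)


if __name__ == "__main__":
    pyc = build_pyc(SECRETAPP2_SRC)
    strings, listing = recover_from_pyc(pyc)
    print("string constants:", strings)
    print(listing)
```

The listing shows LOAD_CONST 'toomanysecrets' followed by the COMPARE_OP that checks the password, so even without a decompiler an analyst reads the check straight off the bytecode. Compilation changes the container, not the information in it.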


Another option is to use a decompiler like uncompyle2 to get the source code directly from the “.pyc” object file, without going through the disassembly as we did before.

This tool is powerful and easy to use: as you can see in Fig. 9, with a single command we get the source code of secretapp1.pyc back.

Fig. 9 – Secretapp1 code from object file

Wow, we got source code!

Throughout the article we have seen some obfuscation and compilation techniques used to protect Python code, and we have also been able to subvert every one of them quite easily 🙂

The following are other Python compilers that can be used on Windows, Linux or MacOS, but they suffer from the same problems described in this article.

We could also analyze and subvert the binaries using tools such as IDA Pro or Immunity Debugger, but I will leave that for a future post. Another interesting tool I have not mentioned is pyREtic, an extensible framework for in-memory reverse engineering of Python bytecode.

For an attacker, getting the Python code is only a matter of time; to make things really difficult from a defensive point of view we have to combine different protection techniques rather than rely on any single one of them.

Do you protect your Python programs? Which methods do you use?

— Simon Roses Femerling


Book Review: Mob Rules. What the Mafia Can Teach the Legitimate Businessman

Reading the synopsis, we realize that this is not the typical book on how to succeed in business. Written by Louis Ferrante, former mobster of the Gambino family turned writer, it compares the structure of the mafia and its peculiar style of doing business with what it takes to succeed in the legitimate business world.

Mob Rules: What the Mafia Can Teach the Legitimate Businessman (ISBN: 978-1591843986) is a different and easy-to-read book that describes lots of basic, logical tips for succeeding in business that many entrepreneurs and executives should read and, above all, apply.
Throughout its three sections (soldier = employee, capo = middle management and don = executives), divided into 88 lessons, the book details how the mafia applies these concepts to succeed in business.

The work is full of references to real mafia cases and ancient history as examples of what to do or not to do in business. All of these case studies are very well chosen and, in addition, are interesting and reinforce the author's message.

For years The Art of War by Sun Tzu has been cited as the work to apply in business, but Mob Rules deserves consideration for doing business as well.

The negative point is that some lessons are very basic and do not bring much to the reader.

I recommend the book if you want to apply its lessons to doing business, or simply to enjoy a curious read filled with testimonials about the mafia.

Score (1 rose, very bad / 5 roses, very good): 4 Roses (Recommended Reading)

— Simon Roses Femerling


OWASP Top Ten 2013 free workshop

Yesterday, July 17th, I taught a free workshop on the recently published OWASP Top Ten 2013, which describes the 10 most critical Web application security risks. This free workshop is a collaboration between the Catedral de Innovación of the City Council of Madrid, Spain and VULNEX to raise awareness about cyber security.

You can download the presentation from VULNEX website.

If you develop web applications, this document is for you!

Here is a photo of the workshop 😉


I would like to thank the Catedral de Innovación and all attendees.

Until the next event!

What topics would you like me to cover at upcoming events?

— Simon Roses Femerling


A Spanish startup selected by the DARPA Cyber Fast Track (CFT)

The security landscape changed in August 2011 at the Black Hat conference, when the legendary L0pht hacker Peiter “Mudge” Zatko presented DARPA's new Cyber Fast Track (CFT) program (DARPA-PA-11-52) to fund R&D projects by hackers and SMEs (DARPA is the Defense Advanced Research Projects Agency of the United States Department of Defense). Detailed information about the program was available on the DARPA CFT website (currently offline).

The idea is simple: times have changed, and hackers and small businesses are the ones with the ideas and agility to innovate but not the resources, and this is precisely what the program provides. Many countries should take note of this innovative idea, which fosters creativity and R&D.

To facilitate the application process a series of documents and guides was released, intended to streamline and simplify the process for people not accustomed to dealing with government bureaucracy. No doubt a great idea and a great help.

Besides it being unusual for DARPA to fund hackers (I think it was the only program of its kind in the world), even more unusual was the fact that the program was open to any hacker and security boutique around the world!

Through VULNEX, the company I founded last year, a startup specializing in cyber security located in Madrid, we decided to try our luck and created an R&D proposal that we sent in August 2012; five days later we received a call from DARPA telling us that they had accepted our project. Incredible.

The objective of the project was to improve security in the software development lifecycle. The project lasted five months and began by analyzing different compilers (Visual Studio, GCC and LLVM) and their versions to determine which security mitigations they offer, how effective those are and how they affect the binaries produced.

Building on this in-depth analysis, the second and third phases of the project consisted of developing two technologies to help developers produce secure software.

One of the technologies developed is BinSecSweeper, a powerful and easy-to-use tool to analyze the security posture of binaries. The tool is open source, cross-platform and capable of analyzing different types of binaries and architectures. BinSecSweeper will be available on the VULNEX website soon.

It is a pity that DARPA closed the CFT program on April 1, 2013; about 500 projects out of more than 1500 received benefited from it. The selected projects produced very interesting tools that are being presented at top security conferences; I recommend a web search to find many of them.

Certainly a disruptive idea that has been of great help to hackers and SMEs, and for VULNEX, a Spanish startup, a pleasant experience collaborating with DARPA and presenting our technology at internal events 🙂

We would like to thank Mudge, DARPA and the staff of BITSystems (responsible for managing the CFT). Great folks!

Thank you!

Did you know about the DARPA CFT? What do you think?

— Simon Roses Femerling


What’s the point of reporting 0day?

In the last weeks the news related to PRISM has not stopped since it was leaked by Edward Snowden, who worked for Booz Allen Hamilton, a defense contractor for the NSA.

One interesting outcome of these leaks is the NSA's access to 0day vulnerabilities in Microsoft products, and who knows whether in products of other big companies as well (Google, Apple, Adobe, etc.), under the cooperation programs Microsoft Active Protections Program (MAPP) and the Security Cooperation Program (SCP). The first program is for security companies and the second for government agencies (for example the Spanish intelligence agency, CNI, is a member), so that they are informed first when vulnerabilities appear, in order to protect themselves before the security patch is released and to update their security products.

These programs were created for defensive purposes, but they raise an interesting issue: the use of this information for offensive purposes.

Finding vulnerabilities in products from large companies is increasingly expensive, so early access to 0day information lets intelligence agencies gain time and save resources. They then only have to develop an exploit to attack any system; remember that the security patch has not been published yet…

Countries wishing to build offensive and defensive capabilities should create national programs that offer financial rewards (on a sliding scale) to individuals who report 0days to them.

Large software and Internet companies are mainly American, but many vulnerabilities are discovered and reported by foreign security experts. If a national vulnerability reporting program were in place, they could inform their own Government first rather than the software companies.

The question is: why report vulnerabilities to software companies so that they in turn inform their intelligence agencies, which carry out offensive actions against other nations?

Remember that 0day vulnerabilities and exploits have real economic value today, and many public and private organizations pay good money for them.

Quite honestly we should not be surprised by the NSA's actions, since in the end its mission is national security by all possible means (legal or otherwise), the same as many other countries' intelligence agencies.

What is clear is that the PRISM case may have greater consequences for the United States than it seemed at first, and certainly many countries will change their policies on defensive / offensive cyber security.

It will certainly be interesting to see how cyber security policies evolve in countries in the coming years.

What changes do you think are necessary in cyber security policies?

— Simon Roses Femerling
