As the Internet of Things becomes more and more part of our lives, the security of these devices is imperative, especially because attackers have wasted no time and are continuously targeting them.
Chen Ku-Chieh, an IoT cyber security analyst with the Panasonic Cyber Security Lab, is set to talk about the company’s physical honeypot and about the types of malware they managed to discover through it at HITB CyberWeek on Wednesday (October 18).
In the meantime, we had some questions for him:
Global organizations are increasingly experiencing IoT-focused cyberattacks. What is the realistic worst-case scenario when it comes to such attacks?
The use of IoT is increasingly widespread, from home IoT, office IoT to factory IoT, and the use of automation equipment is increasing. Therefore, the most realistic and worst case for IoT is to affect critical infrastructure equipment, such as industrial control systems (ICS), by attacking IIoT devices.
Hackers can affect the operation of ICSes by attacking IIoT, resulting in large-scale damage. Furthermore, protecting medical IoT devices is also important. Hacked pacemakers, insulin pumps, etc. can affect human lives directly.
What are the main challenges when it comes to vulnerability research of IoT devices?
Expanding from IoT devices to IoT systems, the main challenge is that IoT systems consist of various components. Most components have different software/firmware, hardware, etc. The discovery of vulnerabilities in IoT devices requires expertise in many fields – researchers need to know a lot about chips, applications, communication protocols, network protocols, operating systems, cloud services, and so on.
What advice would you give to an enterprise CISO that wants to make sure the connected devices in use in the organization are as secure as possible?
To start, CISOs should check whether the vendors of the products they plan to use care about product security. How do they deal with vulnerabilities? Do they have a PSIRT? Do they have a point of contact for vulnerability reports? And so on.
Once they settle on a product to use, they should make sure that best practices – e.g., safely configuring the device, applying security updates in a timely manner – are part of the internal processes. They should also check the security of the services the devices use, e.g., network services used by an IP camera. Finally, network defenses should be structured to effectively control the access rights of the various networked devices in the environment.
How do you expect the security of IoT devices to evolve in the near future?
As we move forward, governments will attempt to create security baselines with regulations and certifications (labelling schemes). New security standards for various sectors (automotive, aviation – to name a few) will also be created.
As IoT products use similar network security protocols or hardware components, IoT security will no longer be a unilateral effort by the manufacturers. In the future, manufacturers, suppliers of parts, security organizations and governments will cooperate more closely, and even achieve mutual defense alliances to ensure effective and immediate protection.
Microsoft 365 is used by over a billion users worldwide, so attackers are naturally deeply invested in compromising its security. One of the ways of making sure this suite of products is as secure as possible, is a bug bounty program.
During an upcoming presentation at HITB CyberWeek 2020, Ashar Javed, a security engineer at Hyundai AutoEver Europe, will share stories from his journey towards discovering 365 valid bugs in Microsoft Office 365. We took this opportunity to ask him about his work.
What are some of the most surprising findings of your bug hunting endeavor with Microsoft Office 365?
I found literally hundreds of bugs in Office 365, but my favourites are "All your Power Apps Portals belong to us" and "Cross-tenant privacy leak in Office 365". In the former, I was able to control the Power Portal sites via Insecure Direct Object Reference (IDOR), while in the latter, as an attacker you can reveal the Lync (Skype for Business) status in a cross-tenant manner. An attacker could see that a particular user is online or "be right back" and, at the same time, reveal the custom location set by the victim.
How would you rate Microsoft Office 365 security in general?
Finding a bug in Microsoft 365 is a challenging task given Microsoft follows a Security Development Lifecycle. Furthermore, Office 365 receives a third-party vulnerability assessment every year.
Microsoft has a public bug bounty program for Office 365 open to anyone, so you could say security is built into the heart of Office 365.
What type of bugs did you find? What was the severity of the discovered issues?
I found all sorts of bugs ranging from a simple rate limiting issue to a critical SQLi in Dynamics 365. Further, I found hundreds of XSS issues in SharePoint. I also reported dozens of XSS issues in Outlook. Furthermore, I also found privilege escalation, SSRF and CSRF.
When it comes to the severity of the discovered bugs, it varies from a low severity issue to a critical one. Most of my bugs were rated high by Microsoft.
What’s your take on modern bug hunting in general? Do you work on your own or use a service for disclosure?
Bug hunting is still in its early days as a field. I would call it an amateur field where both parties (a bug hunter and a bug receiver) are learning.
Today’s hostile web environment makes it imperative for organizations to boost their security, and allowing bug hunters to inspect products is a win-win situation for both parties.
When it comes to my work, I directly report security issues to Microsoft instead of reporting via a service.
Driven by a strong curiosity to know how computers and computer programs are made, how they work, and how safe they are, Sheila A. Berta, Head of Security Research at Dreamlab Technologies, has been interested in cybersecurity since her early teens.
For the last several years, she has been conducting investigations in a variety of information security areas like hardware hacking, car hacking, wireless security, malware and – more recently – Docker, Kubernetes and cloud security.
“At the moment everything tends to migrate to containerized, serverless and/or cloud environments with a microservices focus, so DevOps and other IT professionals have been forced to learn how to implement and work with these infrastructures,” she said, explaining her more recent research interests.
“The attack and defense techniques that can be applied in these environments are completely different from the techniques applied in ‘traditional’ architectures, so it’s very important that security professionals now acquire the necessary skills to competently protect these modern infrastructures.”
One of the ways they can achieve this is to attend a training course on the subject.
Virtual trainings through HITBSecTrain
During HITBCyberWeek, which is scheduled to start on November 15, Berta’s colleague Sol Ozzan will hold an online workshop focused on Docker and Kubernetes defense that will serve as a preview for a 2-day virtual training course that the two will conduct through HITBSecTrain in February next year.
“Our Attack and Defense on Docker, Swarm and Kubernetes training at HITBSecTrain will provide attendees with the practical knowledge they need to analyze and secure containerized & Kubernetes-orchestrated environments,” Berta told Help Net Security.
“Our trainings have a lot of hands-on laboratories. We start with the Docker fundamentals and then jump into the labs with Docker Black Box and White Box analysis, as well as defense on containers and Docker images. At the end of the first day, we focus on Swarm (official Docker orchestrator) with a variety of practices in attack and defense.”
The second day is fully dedicated to Kubernetes. They start with the fundamentals of this technology and then dive into the hands-on with Black Box, Gray Box, and White Box analysis. Sophisticated attack techniques will be explained, as well as advanced security features that can be implemented in this famous orchestrator.
This is not the first time she has held a container environment-related training – she also did it at Black Hat USA 2020. But, as can be expected, they are continuously updating the materials: they have lately added more attack techniques targeting different Docker and Kubernetes components, such as the Docker Registry and the Kubernetes Kubelet, and more open source tools that can be used to analyze and secure these infrastructures.
She also couldn’t help but speak highly of another 2-day training course that two other Dreamlab Technologies colleagues are set to hold in February.
“I had the pleasure of seeing how the trainers built the materials for the Attacking and Securing Industrial Control Systems (ICS) course and I have to say that it is the most practical training on ICS hacking I have ever seen. It even has practices for air-gap bypass techniques,” she noted.
“I believe practical experience is very important when it comes to these kinds of topics. We have prepared a realistic ICS environment that students will access throughout the course to perform all the exploitation techniques explained by the trainers.”
For better or for worse, the global COVID-19 pandemic has confined most of us to our own countries (our houses and apartments, even), has changed how and from where we do our work, and has restricted our social lives.
The distractions and tools still available to help us battle our growing anxiety and sadness are few, but some of them, such as learning new things, are very powerful. Happily for all of us, many courses and trainings that were previously available only on-site are now virtual, opening new prospects and opportunities.
Among these new offerings is HITBSecTrain, an initiative launched by the organizers of Hack in the Box security conference, which has been offering deep-knowledge technical trainings in numerous cities (including Kuala Lumpur, Singapore, Amsterdam, Dubai, Bahrain, and Beijing) since 2003.
Known for featuring specialized security courses, HITB has worked with nearly 100 trainers across the years to offer cool, atypical trainings for security folks looking to hone their skills.
Now, in response to constant feedback from trainees who asked that HITB offer more specialized topics, more subject matter experts, more often in the year, they’ve set up HITBSecTrain, which will offer HITB trainings on a monthly basis instead of just during HITB conference events.
In October, the courses on offer taught attendees about big data analytics, malware reverse-engineering and threat hunting, bug hunting and cloud security.
In November, to coincide with the virtual edition of HITBCyberWeek 2020, 10 deep-knowledge technical trainings are being offered, covering topics such as: 5G security awareness, practical malware analysis and memory forensics, mobile hacking, secure coding and DevSecOps, applied data science and machine learning for cybersecurity, and more.
For now, while courses run virtually, classes are delivered via livestream, with virtual lab environments, and are structured through a learning management system. All trainees will receive digital certificates corresponding to their course choice, with additional badges awarded for completion of practical tests and quizzes.
With the new virtual format, HITB trainers are incorporating more interactive quizzes, collective exercises and practical assessments into their courses, which will help trainees engage better with the content and with each other. This will also help trainers understand better whether trainees have effectively gained the skills they sought from their course.
Leszek Miś is the founder of Defensive Security, a principal trainer and security researcher with over 15 years of experience. Next week, he’s running an amazing online training course – In & Out – Network Exfiltration and Post-Exploitation Techniques [RED Edition] at HITBSecConf 2020 Singapore, so it was the perfect time for an interview.
What are the main characteristics of modern adversary behavior? What should enterprise security teams be on the lookout for?
This is a very open question as it depends on the attacker’s skillset and offensive experience. Modern adversaries like to behave in various ways. Don’t forget it’s also closely related to what the target is, and the attacker’s budget.
From what we are seeing in the wild, in most cases an adversary uses a combination of publicly available tools like RATs and offensive C2 frameworks powered up by a large number of post-exploitation and lateral movement modules, along with advanced and well-known tactics, techniques and procedures. The goal is to get initial access to the network, pivot over the systems, networks or even OS processes, escalate the privileges if needed, find out the interesting data assets, copy and hide them (sometimes in very unusual network locations), and eventually persist and exfiltrate the data by using a different set of communication channels.
Advanced attackers like to blend into network traffic of the target to become even more stealthy. Adversaries also like to make major modifications to open source tools for making detection harder. CVEs in the form of 0-day or 1-day exploits are often in use.
Big network environments are very hard to maintain and even understand – attackers are very good at that. Proven protection and detection are hard to achieve too. One single parameter or argument visible from the process list could make a significant difference.
That’s the reason why companies should constantly test their environments against TTPs. The baseline profiling of your core network components, OS, devices and apps, adversary simulations, achieving full visibility and analytics across many different network data sources, correlation, and understanding of how each component affects the other one seem like a good approach for dealing with cybersecurity risks.
It’s not about if, it’s about when you will become a target. You need to be prepared. That’s the reason why at least an understanding of publicly available offensive tools and techniques is crucial in the fight against attackers. We have to train and learn new stuff every single day, as attackers do. We have to test our assumptions in the field of purple teaming, where two teams, the red one and the blue one, work together simulating real threats and doing detection research at the same time. Without threat hunting, you are blind.
Based on what the market is saying, having a dedicated defensive/offensive training environment ready to use out-of-the-box is a good path that allows us to be prepared. We cannot, however, do much without:
- Understanding what the real threat is
- Solid technological base
- Skilled teams and risk-aware management
- Being up to date
- Dedicated budget for training
- Research time
- Desire to learn.
Based on your experience, what are the most significant misconceptions when it comes to network exfiltration? What are training attendees mostly surprised about?
The most significant misconception when it comes to network exfiltration is incorrectly believing that something is impossible without checking: “This box does not have direct internet access so you can’t steal data from it.” Really? That’s the power of the pivoting and the lateral movement phase. During an adversary simulation, it’s always the case.
Show me or let me simulate your scenario and I’ll understand. Training attendees are surprised mostly about two things. The first is the ease of performing certain elements of the attack and the number of possibilities. The second one is related to chained attack scenarios. Whenever you are skilled enough to combine / chain together different techniques, tools, or “exotic” communication channels – you are the winner. You have to spend lots of hours playing to understand and make progress.
“Feeling the network” is very important. I also found very surprising the number of possibilities in terms of using valid, normal network channels like cloud-based services for exfiltration or C2. SSH over a Google service? Data exfiltration over Dropbox? C2 over a Slack channel? Is it really possible and so easy at the same time?
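The answer above points at exfiltration hiding inside sanctioned cloud services. One defender-side check for that is to baseline how much each host normally uploads to each sanctioned service and flag departures from that baseline, or uploads from clients that are not the browser users actually use. The following is an added example written for this page, not code from the interviewee or from Defensive Security; the proxy log format, the host names, the service list and the thresholds are all constructed assumptions.

```python
"""Flag suspicious uploads to sanctioned cloud services in proxy logs.

Added example, not from the interview. The log format is constructed:
  <date> <src_host> <dest_host> <method> <bytes_out> "<user_agent>"
"""
from collections import defaultdict
from statistics import median
import re
import shlex

# Constructed sample: a few days of normal browser uploads, then one host
# pushing far more data than usual to Dropbox from a non-browser client and
# a host uploading to Slack with a scripting client.
SAMPLE_LOG = """\
2020-11-01 ws-01 content.dropboxapi.com POST 120000 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
2020-11-01 ws-02 slack.com POST 8000 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
2020-11-02 ws-01 content.dropboxapi.com POST 150000 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
2020-11-02 ws-02 slack.com POST 9500 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
2020-11-03 ws-01 content.dropboxapi.com POST 110000 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
2020-11-03 ws-02 slack.com POST 7000 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
2020-11-04 ws-01 content.dropboxapi.com POST 130000 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
2020-11-04 ws-02 slack.com POST 8200 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
2020-11-05 ws-01 content.dropboxapi.com POST 2400000000 "curl/7.68.0"
2020-11-05 ws-02 slack.com POST 9000 "Mozilla/5.0 (Windows NT 10.0) Chrome/86.0"
2020-11-05 ws-03 files.slack.com POST 35000000 "python-requests/2.24"
"""

# Assumed mapping of destination domains to the sanctioned service they belong to.
SANCTIONED = {"dropbox.com": "dropbox", "dropboxapi.com": "dropbox", "slack.com": "slack"}
BROWSER_UA = re.compile(r"^Mozilla/")   # what the org's approved browsers send
ABS_THRESHOLD = 50_000_000              # 50 MB/day per host and service (assumed)
RATIO = 10                              # flag if today exceeds 10x the host's median day


def service_for(host):
    """Return the sanctioned service a destination host belongs to, or None."""
    for suffix, name in SANCTIONED.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse(log_text):
    """Yield (day, src, dst, method, bytes_out, user_agent) per log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, src, dst, method, nbytes, ua = shlex.split(line)
        yield day, src, dst, method, int(nbytes), ua


def find_anomalies(log_text, today):
    """Return sorted (src_host, service, reason) findings for the given day."""
    daily = defaultdict(int)   # (src, service, day) -> bytes uploaded
    non_browser = set()        # (src, service, day) with a non-browser client
    for day, src, dst, method, nbytes, ua in parse(log_text):
        svc = service_for(dst)
        if svc is None or method not in ("POST", "PUT"):
            continue
        daily[(src, svc, day)] += nbytes
        if not BROWSER_UA.match(ua):
            non_browser.add((src, svc, day))

    findings = []
    for (src, svc, day), total in daily.items():
        if day != today:
            continue
        history = [v for (s, c, d), v in daily.items() if s == src and c == svc and d < day]
        baseline = median(history) if history else 0
        reasons = []
        # Volume rule: large in absolute terms and out of line with this host's own past.
        if total > ABS_THRESHOLD and (not history or total > RATIO * baseline):
            reasons.append(f"uploaded {total} bytes vs. baseline {baseline:.0f}")
        # Client rule: uploads to the service from something other than the browser.
        if (src, svc, day) in non_browser:
            reasons.append("non-browser client")
        if reasons:
            findings.append((src, svc, "; ".join(reasons)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG, "2020-11-05"):
        print(finding)
```

Run against the constructed sample for 2020-11-05, `ws-01` is reported for both the volume jump and the `curl` client, while `ws-03` stays under the byte threshold and is reported only for the scripting client; nothing is reported for the earlier days. The per-host median is a deliberately simple baseline; in production you would key it on user as well as host and compare against the peer group, since the whole point of these channels is that the destination itself looks legitimate.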
What’s your take on using open source tools within an enterprise security architecture?
I have two points of view, they are related to the offensive and defensive side and both are positive. In short, I believe they should be a part of every company’s cybersecurity strategy.
From the offensive perspective, it’s amazing how many free open source tools help with the execution of adversary simulations, penetration testing services or just doing research. Open source delivers flexibility – and I am sure most of the red teamers use or create open source projects while working for large companies. It’s a great value for everyone. Recently, blue teams have started doing the same and we’re seeing some powerful knowledge out there.
From a defensive point of view, OSS is in use almost everywhere, and even if a huge part of the enterprise infrastructure is based on commercial products, you will find open source components. Many commercial products would not be possible without OSS.
I am a big supporter of having critical security areas covered by OSS. Just to name a few: Zeek IDS, Suricata IDS, Moloch, OSquery and Kolide Fleet, ModSecurity as WAF, Volatility Framework for memory analysis, auditd, iptables, LKRG for Linux kernel hardening, Graylog, Wazuh / OSSEC, (H)ELK, eBPF, TheHive, MISP, Sigma rules – it is impossible to list all of them here. These are all very stable projects that can be used as supporting technology or for creating your own SOC environment from scratch. Big kudos to the open source community!
What advice would you give to those just entering the cybersecurity industry who want to work in security operations? What skills should they develop?
Based on my experience, I would say that learning the basics is key; without a solid foundation you’ll never understand how things work. I would suggest learning how the network works and how Linux internals work. You should patch and compile your own Linux kernel, and play with system rootkits, trying to detect them from the defensive side.
The same small step approach applies to a Windows infrastructure: AD internals, LDAP, Kerberos, GPO, DNS, etc. – all of them matter. At the same time, you could learn virtualization techniques and start doing your first programming steps to eventually get into exploitation or reversing. Making your own research lab or using ready-to-use platforms like PurpleLabs should give you a nice acceleration.
The short and simple answer does not exist, but stubbornness, discernment, enthusiasm, an open mind, hard work, and thousands of hours spent at the computer learning new stuff will eventually allow you to choose the right path in the cybersecurity world.
HITB Lockdown 002 will feature a number of hands-on technical trainings, taking place July 20-23, 2020.
Advanced ICS Hacking
Trainer: Yamila Levalle (Security Researcher, Dreamlab Technologies), Sarka Pekarova (Security Researcher, Dreamlab Technologies).
From Zero to Hero: Pentesting and Securitization of Docker Swarm & Kubernetes Environments
Trainer: Sheila A. Berta (Head of Research, Dreamlab Technologies) & Sol Ozzan (Security Researcher, Dreamlab Technologies).
Practical Intro to Embedded Attack & Defense
Trainer: Lior Yaari (Founder, Imperium Security).
Hacking Android,iOS and IoT apps by Example
Trainer: Abraham Aranguren (CEO, 7ASecurity), Abhishek J M (Security Trainer, 7ASecurity) & Anirudh Anand (Security Engineer, CRED / Security Trainer, 7ASecurity).
A Practical Approach to Malware Analysis and Memory Forensics
Trainer: Monnappa K A (Information Security Investigator, Cisco Systems).
In & Out – Network Exfiltration and Post-Exploitation Techniques [RED Edition]
Trainer: Leszek Miś (Founder, Defensive Security).
Linux Heap Exploitation
Trainer: Dr Silvio Cesare (Managing Director, InfoSect).
Advanced Fuzzing & Crash Analysis
Trainer: Richard Johnson (Director of Security Research, Oracle Cloud Infrastructure).
In anticipation of his keynote at HITB Security Conference 2020 in Amsterdam, we talked to Jon Callas, a world-renowned cryptographer, software engineer, UX designer, and entrepreneur.
Before joining the ACLU as senior technology fellow, he was at Apple, where he helped design the encryption system to protect data stored on a Mac. Jon also worked on security, UX, and crypto for Kroll-O’Gara, Counterpane, and Entrust. He has launched or worked on the launches of many tools designed to encrypt and secure personal data, including PGP, Silent Circle, Blackphone, DKIM, ZRTP, Skein, and Threefish.
You’ve been in the cybersecurity industry for a long time, taking on a variety of roles. What advice would you give to those just entering this industry? What pitfalls can they expect?
There are things that have been true for technical people for decades and will continue to be true.
Expertise gets common, gets automated, and then the people who push buttons on the automated tool think they are experts; they might be. About half the things you know will be obsolete after five years, so you’ll have to learn new things and maybe pivot your career.
The best thing to work on is always something that excites you. Everyone does a good job on what they like and a bad one on things that bore them. When (not if) you need to make a change, it might take a couple of years. A once-in-a-lifetime opportunity will come to you every year or two. If you miss this one, there will be another. And yet, the right opportunity never comes at the perfect time.
Technology changes, people are the same. People will always be lazy. They’ll always forget things and lose things. Assume stupidity over malice. Build your systems so they take advantage of people’s flaws when you can, or at least won’t be destroyed when they don’t know and don’t care.
Year after year, data breach losses continue to rise. What is the cybersecurity industry doing wrong? There’s plenty of innovation, yet most organizations fail at basic security hygiene.
I think you’re hitting on the exact thing. It’s closely related to what we were talking about before — people are lazy, stupid, and don’t want to spend money. They will want to know why they need to buy a lock if no one has broken in.
A cybersecurity company will have a brilliant idea, and that brilliant idea will be a solution to some problem, and often prevention would have worked better. Meanwhile, it’s really hard to sell prevention both as a company and as a cybersecurity group. It’s hard to show metrics about what was prevented.
Thus we have a kind of evolutionary process here. The companies we see being successful are the ones selling things people want to buy. There are a lot of companies selling things people need but they don’t want to buy and those companies struggle.
That’s why what we see of the cybersecurity industry is not addressing these basic issues. And yet, the organizations that are failing are failing because they don’t want to do those basic things.
I snark that CISO stands for Chief Intrusion Scapegoat Officer. The CISO is the person that you fire because the bad thing they said was going to happen unless measures were improved really happened. It’s their fault that measures weren’t improved, right? I know security officers who have left their job because they weren’t being listened to and knew that the inevitable breach would be blamed on them.
What’s your take on the global privacy erosion brought on by large social networks?
I’m really glad to see policy reactions coming from that. I like GDPR. I like CCPA (the new California privacy act). No, they’re not perfect. As time goes on, likely we need to tweak or come up with interpretations of the gray areas in each, but they’re good. We need both policy and technology to protect us, along with privacy norms. We technical people tend to scoff, but norms work.
Today, most web sites are using TLS and that’s a norm; we expect that a site will use TLS and that expectation is a norm. The technical backing for that new norm is that we changed from presenting a lock for TLS to saying that the lack of it is not secure.
How do you expect encryption technologies to evolve in the next decade? What would you like to see implemented/created?
I expect that we’ll see a number of things sorted out in choices for post-quantum public key crypto, but still talking about the eventuality of quantum computers. I expect we’ll still be waiting for homomorphic encryption to be efficient enough for the uses we’d like, as well as waiting for multiparty computation to speed up more. I expect we’re still going to have law enforcement wanting to get into encryption, as well.
In related fronts, I’m hoping we’ll have more verification like certificate and key transparency, formally verified implementations of important algorithms, and a number of interesting new protocols.
I think that the important thing for us all to remember is that encryption is a technology that implicitly rearranges power. It is implicitly political as well as personal. I think that this is why everyone finds it alluring.
In anticipation of his keynote at HITB Security Conference 2020 in Amsterdam, we talked to internet pioneer Dr. Paul Vixie, Farsight Security Chairman and CEO.
Dr. Vixie was inducted into the internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source internet software including BIND 8, and of many internet standards documents concerning DNS and DNSSEC.
You’ve worked in the DNS field for more than three decades, how have things changed since the late 1980s?
The internet is the biggest thing ever to happen to human society, but likewise commercialization and privatization was the biggest thing ever to happen to the internet. Nothing about the internet’s technology or governance was ready for general exposure to humanity – it was built by academics for their own purposes.
Denial of Service attacks, spam and other fraudulent transactions, inappropriate monetization of public resources, and unnecessary centralization have all thrived along with the internet itself, because the people who designed and deployed the fundamental architecture and infrastructure of the internet did not know and could not have believed that nothing which can be abused won’t be. Well, now we know that, but it’s late.
We’re seeing a steady push to move access side DNS away from customer networks and towards companies like Cisco, Google, IBM, and Cloudflare. What are the risks and costs, and who pays them?
I’ve often said that if the internet was a territory, then the DNS is its map. That’s now broadly understood by the tech sector, and their response is to centralize DNS either for their own leverage or to prevent others from having such leverage.
Centralization is not and never was necessary or beneficial for DNS, and the costs of centralization will be more surveillance, more fragility, more complexity, and more security bypasses. I’ve left instructions in case I perish, so on my tombstone it will be written, “run your own recursive DNS”.
What’s your take on DNS over HTTP?
I think a lot of technologists were enraged by the Snowden disclosures of 2013, and they’re dedicated to creating a user-centric network without any possible controls or monitoring. They tell us we can’t trust network operators, or our operating systems.
What I’ve told them in reply is, we can’t trust our apps which might be malware or infected, nor our users who might be intruders or malicious insiders, and “going dark” will limit good surveillance and controls (by private network operators, and endpoint security products) and empower new kinds of e-crime and e-abuse, in at least the same and probably greater magnitudes than whatever benefit we get by limiting nation-state surveillance efforts.
We needed a balance, but DNS over HTTP is a new extreme.
How do you envision DNS security evolving in the near future?
It’s all going to be encrypted, even the parts which are public information containing no personally identifiable information.
This will trigger a new arms race as to who gets to encrypt what against whom. Managed private network operators are going to have to figure out how to prevent DNS over HTTP from bypassing their enterprise and family security controls, and there will be hell to pay in the form of new complexities and collateral damage. It’s going to take years for a new equilibrium to evolve out of this mess.
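The answer above leaves open how a managed network would even notice that a client has stopped using the enterprise resolver. The following is an added example written for this page, not code from Dr. Vixie or from Farsight Security, showing four indicators a network operator can derive from its own logs: TLS connections whose SNI names a known public DoH resolver, connections to port 853 (DNS over TLS), HTTP bodies with the RFC 8484 `application/dns-message` content type, and TLS connections to a name the client never resolved through the enterprise resolver, which is the generic sign that name resolution happened somewhere else. The two log formats, the client and server addresses (documentation ranges) and the resolver host list are constructed assumptions; the host names in `DOH_HOSTS` are real public DoH endpoints.

```python
"""Spot DNS-over-HTTPS/TLS use that sidesteps the enterprise resolver.

Added example, not from the interview. Two constructed log sources:
  DNS_LOG:  queries the enterprise resolver answered:  <ts> <client> <qname>
  CONN_LOG: outbound connections seen at the edge:
            <ts> <client> <dst_ip> <dst_port> <sni> <http_content_type>
A "-" means the field was not observed (no SNI, no HTTP content type).
"""

# Public DoH endpoints that clients and browsers can be configured to use.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample: 10.0.0.5 behaves normally; 10.0.0.7 talks to a public DoH
# resolver and then reaches a name it never asked the enterprise resolver for;
# 10.0.0.9 uses DNS over TLS and sends a raw DNS message over plain HTTP.
DNS_LOG = """\
1 10.0.0.5 www.example.com
2 10.0.0.5 cdn.example.net
3 10.0.0.7 www.example.com
"""
CONN_LOG = """\
4 10.0.0.5 192.0.2.10 443 www.example.com -
5 10.0.0.5 192.0.2.11 443 cdn.example.net -
6 10.0.0.7 192.0.2.8 443 dns.google -
7 10.0.0.7 192.0.2.12 443 intranet-lookalike.example.org -
8 10.0.0.9 192.0.2.53 853 - -
9 10.0.0.9 192.0.2.20 80 - application/dns-message
"""


def parse_dns(text):
    """Return {client: set(of names that client resolved via the enterprise resolver)}."""
    resolved = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        resolved.setdefault(client, set()).add(qname.lower())
    return resolved


def parse_conn(text):
    """Yield (ts, client, dst_ip, dst_port, sni, content_type) per connection line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst_ip, port, sni, ctype = line.split()
        yield int(ts), client, dst_ip, int(port), sni.lower(), ctype.lower()


def is_doh_host(sni):
    """True if the SNI is a known DoH endpoint or a subdomain of one."""
    return any(sni == h or sni.endswith("." + h) for h in DOH_HOSTS)


def find_doh_indicators(dns_log, conn_log):
    """Return (ts, client, destination, reason) for connections that bypass enterprise DNS."""
    resolved = parse_dns(dns_log)
    findings = []
    for ts, client, dst_ip, port, sni, ctype in parse_conn(conn_log):
        reason = None
        if sni != "-" and is_doh_host(sni):
            reason = "known public DoH resolver"
        elif port == 853:
            reason = "DNS over TLS (port 853)"
        elif ctype == "application/dns-message":
            reason = "RFC 8484 dns-message over HTTP"
        elif port == 443 and sni != "-" and sni not in resolved.get(client, set()):
            # The client reached this name without asking us for it, so it resolved
            # the name through some other channel (DoH, DoT, a hard-coded IP, ...).
            reason = "name not resolved through enterprise DNS"
        if reason:
            findings.append((ts, client, sni if sni != "-" else dst_ip, reason))
    return findings


if __name__ == "__main__":
    for finding in find_doh_indicators(DNS_LOG, CONN_LOG):
        print(finding)
```

The fourth rule is the one that keeps working when a resolver is not on any list, but it needs care in production: compare within a time window rather than across the whole log, allow for the client's local cache, and expect false positives from TLS session resumption and from names learned via HTTP redirects. Alongside detection, a policy lever that exists today for Firefox is the canary domain `use-application-dns.net`: when the enterprise resolver answers it with NXDOMAIN, Firefox does not enable its default DoH rollout on that network.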