There are so many security conferences around the world… Some people have already debated this: Is it better to restrict the annual agenda to well-known events or let people start their own? IMHO, we need initiatives like this. It’s good to have a broad agenda with local conferences where local people can attend without spending huge amounts of money on travel and lodging (If you can’t go to conferences, let’s bring the conferences to you!) So, let’s welcome the newly born conference called “NoSuchCon“. The first edition was just organized in Paris across the last three days. Unfortunately, I was only able to attend the last day… If only I could expand my holidays like a filesystem! I arrived in Paris early in the morning to attend the first keynote. Here is a quick review of the day.
FIM or “File Integrity Monitoring” can be defined as the process of validating the integrity of operating system and application files with a verification method using a hashing algorithm like MD5 or SHA1 and then comparing the current file state with a baseline. A hash will allow the detection of file content modifications, but other information can be checked too: owner, permissions, modification time. Implementing file integrity monitoring is a very good way to detect compromised servers. Not only operating system files can be monitored (/etc on UNIX, the registry on Windows, shared libraries, etc) but also applications (monitoring your index.php or index.html can reveal a defaced website).
During its implementation, a file integrity monitoring project may face two common issues:
- The baseline used for comparison with the current file status must of course be trusted. To achieve this, it must be stored in a safe place where an attacker cannot detect it and cannot alter it!
- The process must be fine-tuned to react only to important changes, otherwise there are two risks: the real suspicious changes will be hidden in the massive flow of false positives, and the people in charge of the control could miss interesting changes.
There are plenty of tools which implement FIM, commercial as well as free. My choice went to OSSEC a while ago. My regular followers know that I have already posted a lot of articles about it. I also contributed to the project with a patch to add geolocation to alerts. This time, I wrote another patch to improve the file integrity monitoring feature of OSSEC.
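A minimal FIM check of the kind described above, as an added Python example (not OSSEC’s code): it hashes each file and records owner, permissions and mtime, skips paths matched by an ignore list to limit false positives, and compares a stored baseline against the current tree. The ignore list, the sample files and the `demo()` scenario are constructed for illustration.

```python
import fnmatch
import hashlib
import os
import tempfile

IGNORE_GLOBS = ["*.log", "*/cache/*"]  # constructed: noisy paths that would only raise false positives

def file_state(path):
    """Content hash plus owner, permissions and mtime for one file."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "uid": st.st_uid, "gid": st.st_gid,
            "mode": st.st_mode & 0o7777, "mtime": int(st.st_mtime)}

def build_baseline(root):
    """Snapshot every regular file under root, skipping symlinks and ignored globs."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for p in (os.path.join(dirpath, n) for n in names):
            if os.path.islink(p) or not os.path.isfile(p) or any(
                    fnmatch.fnmatch(p, g) for g in IGNORE_GLOBS):
                continue
            baseline[os.path.relpath(p, root)] = file_state(p)
    return baseline

def compare(baseline, root):
    """Return (relative path, event, changed attributes) for each difference."""
    current = build_baseline(root)
    alerts = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            alerts.append((rel, "deleted", []))
        elif old != new:
            alerts.append((rel, "modified", sorted(k for k in old if old[k] != new[k])))
    alerts += [(rel, "added", []) for rel in current if rel not in baseline]
    return sorted(alerts)

def demo():
    """Constructed scenario: defaced page, setuid bit added, dropped file, noisy log."""
    root = tempfile.mkdtemp()
    def write(name, data, mode="wb"):
        with open(os.path.join(root, name), mode) as f:
            f.write(data)
    write("index.html", b"<h1>hello</h1>"); write("passwd", b"root:x:0:0"); write("app.log", b"boot")
    baseline = build_baseline(root)  # in a real deployment, keep this copy off the monitored host
    write("index.html", b"<h1>owned</h1>")              # content modified
    os.chmod(os.path.join(root, "passwd"), 0o4755)      # permissions changed (setuid bit)
    write("app.log", b"more", "ab")                     # ignored: never alerts
    write("backdoor.php", b"<?php")                     # new file appears
    return compare(baseline, root)
```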
Today, disk space is not an issue for most of us. I remember when my father came back home with my first hard drive (80MB!) for my Amiga in the Nineties. My reaction was “Wow, we will never fill it!“. Today, if I add up all my storage at home, I’m above 10TB! And I’m sure that I will have to add more capacity in the coming months. No, this blog post is not related to “big data” but is more a reflection about how developers write applications today. Again, when I was learning programming languages, professors always reminded us students to keep an eye on our resources: memory, CPU cycles, I/O and storage. One of the golden rules was: “If you allocated memory, don’t forget to free it! malloc() means free()“. Yeah, at this time, there was no garbage collector. I’m a little bit nostalgic tonight! Today, computer resources are not a problem anymore. Their prices continue to decrease and the reflex of most developers is just to add resources (“Your application is slow? Add 2 cores and 2 gig of memory“).
I’ll show you a good example of the explosion of resource requirements. Today I was performing some cleanup on my corporate laptop. Being a consultant, it runs plenty of tools such as management consoles provided by $VENDORS. Working for multiple customers running different versions of this product (a well-known firewall brand), I have different versions of the tools installed. Of course, I need to keep multiple versions because you need to use the right one to access the firewall running the corresponding version. Just have a look at this screenshot:
I wonder how much disk storage the next version of the console will ask for…
Everybody has already faced the same situation: Children like to compare themselves with each other! Put kids in the same room and let them play. Comparisons will start soon: “My dad has a bigger car than yours“, “My plane flies better than yours“, “I can run faster than you“, etc. Sometimes, I feel exactly the same during conversations about infosec products and I’m pissed off by this. My opinion is that infosec people also tend to be proud of their security solutions and compare them to others. Like in a kindergarten…
It’s a fact, humans don’t like to admit their errors. It’s not easy to concede a bad choice and say that your security solution does not fulfill its job. But why pretend to have the top-notch-killer-device on the other side? Remember, years ago, the flame war between Linux and Windows users? (Honestly, I took part in this game when I was young)
Sometimes, colleagues or customers ask me what’s the best choice between “x” or “y“. It’s always difficult for me to answer such questions in a cold start situation. First of all because most of the time, I don’t have enough background to compare them. Of course, the market is full of studies and analyses like the well-known Gartner magic quadrant. Those can help you to make a first selection. Some vendors ask research firms to make a comparison of their product with direct competitors. If they “asked“, it means they also “paid” for this research. In a customer – supplier relation, the customer must be happy. Can we be certain that the results of the study are fully independent? I’m in doubt…
Personally, I think the best solution is the one which will solve YOUR issue and match YOUR requirements in terms of:
- Integration in your environment
- Management & Support
Keep in mind that information security is a big marketplace where all vendors would like their share of the cake… Select two or three solutions, ask for live demos, set up a PoC (“Proof of Concept“). This could cost time and money but you will have all the keys in your hands to make the right decision. Don’t buy a brand, buy a solution!
This was already the third edition of BSidesLondon today! Time flies! Being busy yesterday, I only reached London in the morning and arrived just in time for the administrative tasks (registration, picking up a t-shirt, goodies), grabbing some coffee and shaking some hands. BSidesLondon is definitely growing in size and quality: A huge number of attendees, two tracks, a rookie track, a job fair, workshops and lightning talks. Even the sun was present over London, no fog at all! Two tracks means you have to make choices! Here is a brief overview of my schedule.
Last weekend, an ethical hacking event was organised in Belgium. The Hacknowledge Contest came to Charleroi and was hosted at the CPEHN. This event was previously organised only in France thanks to the initiative of the ACISSI. Last year, they decided to open their challenges to other countries. The current list of participating countries is: Côte d’Ivoire, Morocco, Benelux, Spain and France. The organisers are already looking to extend their list with other countries. If you are interested, maybe contact them.
Initially, I registered a small team with a colleague and in the end we were five ethical hackers/friends participating as “UID(0)“. So, we arrived in Charleroi on Saturday afternoon to attend a bunch of small talks around information security. A small event with a relaxed atmosphere. The covered topics were:
- Zataz.com, the well-known French website and the process in place to notify organizations of data breaches and/or security issues.
- The security of our payment cards starting from old models based on a magstripe up to the state-of-the-art (but not from a security point of view) NFC chipsets.
- A nice presentation about social engineering with lots of funny examples (my favourite presentation, by Seb Baudru, see the picture below)
- IPv6 & security
- An overview of the security landscape in Belgium (latest major security incidents and who to contact in case of issues – CERT.be, FCCU, etc)
After a break and the registration of all teams, the challenges started for a period of 12 hours (Saturday 10PM to Sunday 10AM). No CTF, no blue team nor red team but a list of challenges to solve, similar to the SANS NetWars. Each challenge solved gives you points. The seventy challenges were split into categories like:
- Web technologies
- Hardware (lockpicking, Teensy, barcodes, …)
It was very friendly, with good times and music. We finished in third position but very close to the second team… Only the first two teams won, too bad! The final contest will be organised in France and the winning team will receive a very nice prize: an all-inclusive trip to Las Vegas to attend the DefCON security conference!
I don’t often participate in events like this one. I liked the limited number of teams (5) and the friendly atmosphere between the teams. Not too small, not too big, well organized. The event was also covered by some Belgian media.
The contest is closed. All tickets have been assigned.
Dear readers, I have some gifts for you! I’m very proud (and surprised!) to have been nominated for the European Security Bloggers Awards in two categories: “Best Personal Security Blog” and “Best Security EU Twitter“. To thank you for these nominations (and first of all for reading/following me), I have some tickets to distribute for two nice security events in Paris (DisneyLand Convention Center).
The first one is Hack In Paris which will be held from the 17th to the 21st of June. Then, La Nuit du Hack will follow during the weekend. Both are very good events with renowned international speakers. To give you an idea, have a look at my 2012 wrap-ups (day 1 and day 2). A first version of the schedule has already been published. The organizers provided me with 2 x 10 tickets for both conferences. It wouldn’t be fair to simply distribute them to the first to come, so here is a small contest! Answer the following question: (tip: the answer is on my blog)
“After the last edition of BlackHat Europe in Barcelona, I waited for my flight back home with a good friend of mine. Who is it?”
Send your answer by email only to xavier[at]rootshell[dot]be. The following information must be provided in the mail:
- Subject: Contest HIP/NDH 2013
- My friend’s nick, Twitter or full name
- Your ticket preference (HIP, NDH or both)
Good luck! Some rules:
- Be sure to attend the conference (in Paris, June 2013) and not to waste tickets
- Travel & hotel costs are not covered and must be paid by the winners
- HIP tickets are not valid for trainings (only talks)
This year, I won’t be able to attend the conference during the week. But I will be in Paris for the weekend, see you there!
PS: Don’t forget to vote!
“I’m not a number, I’m a free man” said Number 6 in the series called “The Prisoner” (for the oldest amongst us). The series was broadcast in the Sixties but we have to admit that, still today, we are only numbers! And this will get worse in the coming years.
Personally, I’m not against being a number if controls are properly implemented. Numbers are easy to index, sort and search. Numbers are a good way to identify things or people but they can easily be spoofed. As Wikipedia says:
“In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data (in this case the number) and thereby gaining an illegitimate advantage.“
And we are back for a second day full of fun and pwnage! It was a rainy day in Amsterdam today but water will not prevent hackers from meeting again! I got to the hotel in time for breakfast.