At the end of May, the PHDays VII annual practical security forum was held in Moscow, organized by Positive Technologies. The forum was attended by about 5,000 participants from various countries. We, the company INFORION, also took part in the forum and want to tell you about the reports that we found most interesting:
Loopholes in LTE-modem core firmware (Andrey Lovyannikov)
Andrei Lovyannikov delivered a report on the analysis of the core firmware of the Huawei E3372 LTE modem. As a result of the analysis, a device was obtained with traffic encryption completely disabled. The analysis was carried out according to the following scheme: locating the technical documentation for the device; detecting the microprocessor architecture; identifying the operating system; identifying the main system API associated with GSM; identifying the functions responsible for encryption.
During the reverse engineering, the functions responsible for traffic encryption were patched, after which the modified firmware was repacked and flashed onto the device. Tests showed that the device worked fine with an assembled local base station without encryption support.
Based on the results of this study, a report on the vulnerability found was sent to Huawei, and methods for solving the problem were proposed. As a result, the company released an updated version of the VxWorks kernel security. The researchers said they would continue to study new firmware versions in order to find new vulnerabilities in the already-fixed versions.
Methods of protection of Java applications and their circumvention (Philip Lebedev, Andrei Lovyannikov)
Popular Java applications are not as reliable as they appear at first glance. Although applications have several methods of protection, they can be circumvented. Philip Lebedev and Andrei Lovyannikov from ASP reviewed the following methods:
1. modification of the original bytecode;
2. obfuscation of the source code;
3. use of dynamic class loading, possibly with encryption and code separation.
The most interesting case of Java application protection, a hierarchy of class loaders, was also considered:
• Bootstrap Classloader;
• Extension Classloader;
• System Classloader - loads the main classes of the application;
• Secured Classloader - encrypts and decrypts loadable classes;
• Classloader 1;
•…
• Classloader N.
The authors of the report note that sooner or later all classes will be loaded into memory at least once, regardless of the use of encryption and dynamic loading. The encryption keys will likewise be located in memory. Thus, by scanning memory it is possible to obtain the encryption keys and all the classes of the original program, after which they can be decompiled with third-party software. This means that most of the ways to protect Java applications can be circumvented using well-known software tools and techniques.
Hacking accounts in WhatsApp and Telegram (Roman Zaikin)
Roman Zaikin proved that the web versions of WhatsApp and Telegram are very vulnerable. Such attacks are aimed primarily at gaining control over user accounts on these networks. The attack relies on the principle of end-to-end encryption: the server does not know and cannot know what data is transmitted over the communication channel, so verification of the data being sent is impossible. WhatsApp and Telegram store message history on their servers (with the exception of Telegram secret chats), so anyone who gains access to an open client-side session can read the entire message history and receive and send new messages. Roman took advantage of these facts and modified the MIME types of the data uploaded in the web version of WhatsApp. A hybrid of a picture and an HTML page was formed, with JavaScript code that sends the client-side session data to a backend controlled by the attacker; Roman then successfully demonstrated this attack on WhatsApp. To exploit the Telegram vulnerability, a hybrid of the same HTML page with JavaScript code and an MP4 file had to be created. The next step was for the supposed "victim" to open the infected document in a new tab, activating the malicious code. This attack scenario was likewise demonstrated to the forum participants.
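The defensive counterpart of the picture/HTML hybrid described above is a server-side upload check that refuses files whose bytes do not match the declared image type or that carry HTML markup, plus response headers that stop a browser from rendering a stored upload as a page. The code below is an added example and is not from the talk or from either messenger; the sample uploads are constructed.

```python
import re

# Magic bytes for the image types the upload form claims to accept.
MAGIC_BY_TYPE = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Markup that lets a browser treat an "image" as a document that runs script
# when the file is opened directly in a new tab.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|svg|iframe|object|embed)\b",
    re.IGNORECASE,
)


def check_upload(declared_type: str, data: bytes) -> str:
    """Return 'ok' or a short reason the upload should be rejected."""
    magics = MAGIC_BY_TYPE.get(declared_type.lower())
    if magics is None:
        return "unsupported type"
    if not any(data.startswith(m) for m in magics):
        return "magic mismatch"      # declared type does not match the bytes
    if HTML_MARKERS.search(data):
        return "embedded markup"     # valid image header, but HTML/JS inside
    return "ok"


def download_headers(declared_type: str) -> dict:
    """Headers for serving a stored upload so a browser never renders it as a page."""
    return {
        "Content-Type": declared_type,
        "X-Content-Type-Options": "nosniff",   # no MIME sniffing into text/html
        "Content-Disposition": "attachment",   # download instead of display
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples (not from the talk): a clean PNG stub and a PNG header
# followed by an HTML/JavaScript payload, i.e. the hybrid the talk describes.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
POLYGLOT_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<html><script>alert(1)</script>"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("polyglot", POLYGLOT_PNG)):
        print(name, check_upload("image/png", blob))
```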
Meet the macOS vulnerabilities - 2016 (Patrick Wardle)
Patrick Wardle, a former employee of the NSA and NASA, presented a report describing the most popular malware for the macOS operating system. Because of the lower prevalence of this operating system, there is much less malicious software for macOS than for Windows, but its amount continues to grow. The most striking example was the KeRanger ransomware. The attackers compromised the official website of the Transmission torrent client, placed their code in the program, recomputed the hashes and re-signed the distribution with a digital signature, then uploaded it to the official website, which led to machines becoming infected. The malware encrypted files on the system and demanded a ransom of 1 bitcoin. Another characteristic example from the report was the installation on the victim's machine of an old version of the Little Snitch firewall, which contains a dangerous vulnerability and has access to kernel functions. The author described the main ways malware spreads on the system and highlighted the main means of protection: the Gatekeeper utility, which blocks unsigned code, and the KnockKnock / BlockBlock utilities, which monitor daemons and system events.
DDoS attacks in 2016-2017: coup (Artem Gavrichenkov)
Artem Gavrichenkov in his report drew the public's attention to the modern capabilities of DDoS attacks, and also gave a brief overview of the history of their evolution. In his report, he gave a list of the most commonly abused vulnerable protocols (DNS, LDAP, NetBIOS, etc.), many of which were designed at a time when no one thought about security. The author drew attention to the nature of the old DDoS attacks: a small request to the server generated a disproportionately large response, so a large number of nodes was not required to take the server down. New attacks use a large number of infected machines and "smart" devices, combined into botnets, to attack services. Conclusions were drawn about network architectures, and an increase in DDoS attacks was predicted as a result of the proliferation of the Internet of Things (IoT).
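The "small request, large response" pattern above can be spotted from the reflector side: group flows by source address and flag sources whose UDP replies from amplifiable services dwarf their requests (in a reflection attack the source is the spoofed victim). The code below is an added example, not from the talk; the flow records and the port list are constructed assumptions.

```python
from collections import defaultdict

# UDP services that answer a small request with a large response; the talk
# named DNS, LDAP and NetBIOS among the commonly abused protocols.
AMPLIFIABLE_UDP = {53: "DNS", 123: "NTP", 137: "NetBIOS", 389: "LDAP", 1900: "SSDP"}

# Constructed flow records (not from the talk), as a reflector's flow exporter
# would log them: (src, dst, proto, dst_port, request_bytes, response_bytes).
FLOWS = [
    ("203.0.113.5", "198.51.100.10", "udp", 53, 60, 3200),
    ("203.0.113.5", "198.51.100.11", "udp", 389, 64, 4500),
    ("203.0.113.9", "198.51.100.12", "udp", 137, 50, 150),
    ("203.0.113.9", "198.51.100.13", "tcp", 443, 500, 5200),
]


def find_amplification(flows, ratio_threshold=10.0, min_resp_bytes=2000):
    """Return {src: (ratio, services)} for sources receiving disproportionate replies.

    Only UDP flows to amplifiable ports count; TCP flows cannot be spoofed
    without completing a handshake and are skipped.
    """
    req = defaultdict(int)
    resp = defaultdict(int)
    services = defaultdict(set)
    for src, _dst, proto, port, req_bytes, resp_bytes in flows:
        if proto != "udp" or port not in AMPLIFIABLE_UDP:
            continue
        req[src] += req_bytes
        resp[src] += resp_bytes
        services[src].add(AMPLIFIABLE_UDP[port])
    hits = {}
    for src in req:
        ratio = resp[src] / req[src] if req[src] else float("inf")
        if ratio >= ratio_threshold and resp[src] >= min_resp_bytes:
            hits[src] = (round(ratio, 1), sorted(services[src]))
    return hits


if __name__ == "__main__":
    for src, (ratio, svcs) in find_amplification(FLOWS).items():
        print(f"{src}: {ratio}x amplification via {', '.join(svcs)}")
```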
Hacking Live: How Hackers Get into Your Systems (Sebastian Schreiber)
Sebastian Schreiber's report was more like a show than a technical report. Sebastian described and demonstrated a series of impressive attacks:
• DoS attack on a web server (sending specially crafted requests stopped the processing of incoming connections due to an SSL error);
• interception and replay of wireless keyboard and mouse messages using a Raspberry Pi and a radio antenna;
• his own modifications of malware based on a common Android malware framework (the demonstration included an analogue of the WannaCry ransomware and spyware functions that take pictures with the device's cameras and upload them to a remote server);
• sending SMS messages from an arbitrary sender (a random person in the hall was selected and an SMS message was sent to him from number 900, which belongs to Sberbank);
• attacks on USB keys with a built-in implementation of strong asymmetric encryption (the attacks target not the encryption scheme but its weak implementation);
• bypassing antivirus signature checks (with the help of an analogue of the Veil-Evasion utility).
Anthology of antifraud: transition to mathematical models using elements of artificial intelligence (Alexey Sizov)
Alexey Sizov in his report shared mathematical methods with elements of artificial intelligence for detecting fraud. The task of fraud detection was reduced to binary classification, but it was complicated by the need for a short training time and a fast reaction time. Possible tools for implementing machine learning were demonstrated, and the pros and cons of machine learning algorithms were described. In particular, gradient boosting with the XGBoost library and the random forest method were singled out for detecting fraud, and the K-means method for detecting anomalies. In addition, the main pitfalls of this task were described. According to the authors, the greatest difficulty in this area is the lack of an interpretable result.
Mobile vulnerabilities (Dmitry Kurbatov)
Dmitry Kurbatov and his colleagues, in their report on the vulnerabilities of mobile networks, showed the real threats awaiting any user of 2G, 3G and 4G mobile networks. The report described in detail the vulnerabilities of the SS7 protocol (2G and 3G networks) and the relative ease of exploiting them; a whole range of attacks against the user was shown, from a simple denial of service and disclosure of the user's location to interception of SMS and voice messages. The authors described the vulnerabilities of the DIAMETER (4G) protocol and showed that most of the attacks they described are also possible in this standard. The reasons for the emergence of such threats were described, and recommendations were made to treat mobile networks as an untrusted communication channel.
Bypass security checks in mobile app stores (Paul Amar)
Paul Amar presented a report on circumventing security checks in mobile app stores. The author described the mobile development cycle using the Apache Cordova (hybrid app) toolkit, after which he demonstrated the ability to update an application remotely, bypassing the mobile application store (App Store, Play Market, etc.). This method thus creates a new range of mobile device security problems.
A detailed program of the conference can be found on the official website:
www.phdays.ru/program