London Trust Forum

I was invited to attend the London Trust Forum organised by NCC where Andy Davis talked about CANimation and highlighting the security threats to automotive systems. A very interesting talk on how you can hack into cars when you have physical access to them or in some occasions, remotely! 

It was really nice to see familiar faces at the event and catch up with Dr. Jessica Barker (@drjessicabarker), David Middlehurst (@dtmsecurity) , @netbiosX and @Emil_i.

Looking forward to the next Trust Forum event already!

BSides Manchester 2014

It was really nice to be invited to present at BSides Manchester (@BSidesMCR) this year [1]. Very interesting talks and one of the most organised events I have ever been. On-time information on the website and clear instructions about the event . I really enjoyed both days and tried to attend as many talks as I could. 

On the second day, I was presenting about the security of Point of Sale (POS) devices. These devices have a number of “features” which can be used to allow someone to deviate from payment process in a number of different ways. More specifically, it is possible to complete a transaction without actually being charged, pay with someone else’s card without knowing the PIN or even get paid instead of paying. The presentation gave a good understanding on how these devices work and basically demonstrated a number of “magic tricks” on how one could actually live for free! I was overwhelmed from the number of people attended the talk and their enthusiasm on the subject. Thank you all for your kind words, tweets and re-tweets, much appreciated.

The Subterfuge Project called Artemis

Artemis [1] is an advanced malware simulation suite capable of emulating the Advanced Persistent Threat (APT). Artemis raises the bar allowing ethical hackers and penetration testers the luxury of an advanced set of features equivalent to many of the tools employed by criminal gangs today. By abstracting polymorphism to a server based platform at cevincere.com Artemis is able to stay one step ahead of anti-virus vendors, and ensure that penetration testers can give their clients the value that they deserve.

[1] https://code.google.com/p/subterfuge/

BSides London 2014 - POS Devices

I was given the opportunity to present at this year's BSides London [1]. The talk was a 15 minutes presentation about Point of Sale (POS) devices, during a no-camera, no-recording session due to the sensitive content. 

I have been researching the features of POS devices for more than a year and I wanted to share my findings before someone else does something similar. However, due to the fact it is not easy to fix the issues overnight, I decided to keep the presentation "behind closed doors". During the presentation I demonstrated how it is possible for anyone to become a "hacker" and abuse these little devices with simple key combinations. 

Critical OpenSSL vulnerability

OpenSSL released a security advisory yesterday (7/Apr/2014) regarding the TLS heartbeat read overrun (CVE-2014-0160). [1] This is a CRITICAL vulnerability affecting 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1.

An attacker can read memory contents of the remote server . The server will not crash or otherwise exhibit suspicious behaviour. Successful exploitation leaks usernames, passwords, web application session cookies or other sensitive information. 

Currently, some of the vulnerable websites are: 
yahoo.com
okcupid.com
flickr.com

The quickest way to test your server is by using the following link:
http://filippo.io/Heartbleed/

Remediation:
Affected users should upgrade to OpenSSL 1.0.1g. The alternaltive at this point if you cannot upgrade to OpenSSL 1.0.0g is to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS

For remediating against an Apache install you will also need to upgrade libssl (libssl1.0.0).

Note that Ubuntu 1.0.1-4ubuntu5.12 of OpenSSL resolves the issue.

Temporary Snort signatures:
a) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack with ssltest.py";flow:to_server,established; content:"|18 03 02 00 03 01 40 00|"; rawbytes; isdataat:!1,relative; reference:cve,2014-0160; sid: 6000000; rev:1;)

b) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack";flow:to_server,established; content:"|18 03|"; rawbytes; depth:2; byte_test:1, &, 3, 0, relative; byte_test:2, >, 200, 3, relative, big; reference:cve,2014-0160; sid: 6000001; rev:2;)


[1] http://www.openssl.org/news/secadv_20140407.txt