OFFICIAL SECURITY BLOG

CanSecWest: Day 1 Recap

March 13, 2014 | BY

The annual CanSecWest conference began on a sunny day in beautiful (but often rainy) Vancouver, British Columbia with well-known host Dragos Ruiu sporting an unusually flashy outfit.

Without further ado, the conference was underway.

Fighting Next-Generation Adversaries with Shared Threat Intelligence – Jacob West

To kick off the conference, this talk painted a bleak picture of the current state of information security skills and the lack of automation and collaboration within the industry. While having security courses given to students is a good thing, a more important one is to start software developers on the right path from the get-go. This was referred to as “robust programming” where coding with security in mind rather than coding for something that works, would solve many of our current security issues.

USB Flash Storage Threats and Threat Mitigation in an Air-Gapped Network Environment – George Pajari

This was a highly anticipated talk because of the recent badBIOS revelations. The presenter demonstrated a way to mitigate many of the security risks associated with using USB drives to transfer data to air-gapped systems. The method uses an intermediate system called a “sheep dip” into which potentially hostile drives are plugged. The system then takes only the data and copies it onto another USB drive that can be plugged into the sensitive air-gapped machine. The idea is that any exploit (e.g. Stuxnet) would be stopped at the “sheep dip” system. However, a member of the audience asked a very pertinent question: what if the “sheep dip” system itself got compromised?
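A minimal version of the sheep-dip copy policy described above, written here as an added example (not the speaker's SDA code): only allow-listed data files cross, anything carrying a native executable signature or an autorun file is refused, and a SHA-256 manifest accompanies the clean drive so the protected side can verify what arrived. The allow-list, the magic bytes and the constructed sample drive in run_demo are assumptions.

```python
import hashlib, os, shutil, tempfile

# Assumed policy: data formats the protected side needs, plus magic bytes of native
# executables (PE, ELF, Mach-O) refused even when the file extension lies.
ALLOWED_EXT = {".txt", ".csv", ".pdf", ".png", ".jpg", ".json"}
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

def classify(path):
    """Return 'copy' or a rejection reason for one file on the hostile drive."""
    name = os.path.basename(path).lower()
    if os.path.islink(path) or name == "autorun.inf" or name.startswith("."):
        return "reject:link-autorun-or-hidden"
    if os.path.splitext(name)[1] not in ALLOWED_EXT:
        return "reject:extension"
    with open(path, "rb") as fh:
        head = fh.read(4)
    return "reject:executable-magic" if head.startswith(EXEC_MAGIC) else "copy"

def sheep_dip_copy(src_root, dst_root):
    """Copy accepted files (tree flattened) and write a SHA-256 manifest."""
    manifest, rejected = {}, {}
    os.makedirs(dst_root, exist_ok=True)
    for dirpath, _dirs, files in os.walk(src_root):
        for fname in files:
            src = os.path.join(dirpath, fname)
            rel = os.path.relpath(src, src_root)
            verdict = classify(src)
            if verdict != "copy":
                rejected[rel] = verdict
                continue
            flat = rel.replace(os.sep, "_")  # no directory structure crosses over
            shutil.copyfile(src, os.path.join(dst_root, flat))  # content only, no metadata
            with open(src, "rb") as fh:
                manifest[flat] = hashlib.sha256(fh.read()).hexdigest()
    with open(os.path.join(dst_root, "MANIFEST.sha256"), "w") as out:
        out.writelines(f"{d}  {n}\n" for n, d in sorted(manifest.items()))
    return manifest, rejected

def run_demo():
    """Constructed sample drive: two data files, an .exe, a disguised .exe, autorun.inf."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "usb")
    os.makedirs(os.path.join(src, "sub"))
    samples = {"report.txt": b"quarterly numbers\n", "sub/notes.csv": b"a,b\n1,2\n",
               "tool.exe": b"MZ\x90\x00", "photo.png": b"MZ\x90\x00not-a-png",
               "autorun.inf": b"[autorun]\nopen=tool.exe\n"}
    for name, data in samples.items():
        with open(os.path.join(src, *name.split("/")), "wb") as fh:
            fh.write(data)
    return sheep_dip_copy(src, os.path.join(root, "clean"))
```

Running run_demo() copies report.txt and sub_notes.csv and rejects the other three; in the Pajari design the appliance would additionally be rebooted from read-only media before the clean drive crosses the gap.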

No Apology Required: Deconstructing Blackberry 10 – Zach Lanier, Ben Nell

The two authors started with some tongue-in-cheek comments about how Canadians apologize for everything, before diving into Blackberry’s security. The talk was quite technical, describing how apps run under the same UID but each within a separate GID (group ID). They talked about Blackberry’s .BAR format and listed some tools for testing purposes (BB Simulator, QNX software dev tool). They also mentioned the ‘Balanced’ security technology that separates personal and corporate information, although they said it was simply based on file permissions.

Revisiting iOS Kernel (In)Security – Tarjei Mandt

This very detailed presentation dug deep into Apple’s Pseudorandom Number Generator (PRNG) on iOS 6, iOS 7 and briefly on OS X from seed generation (by iBoot) to seed recovery. It listed three areas of interest: kernel mapping, stack check guard and zone cookies. The author was very knowledgeable on this topic and did a live demo where he showed how to recover a seed using a technique known as backtracking. In addition to this method, he said that a robust PRNG should also resist direct crypto output attacks.

The Real Deal of Android Device Security: the Third Party – Collin Mulliner, Jon Oberheide

In an entertaining presentation, the two researchers laid their cards on the table by exposing how the fragmentation problem affecting Android (their study listed 4,312 models) has some serious impacts on security. They mapped out the ecosystem consisting of the Android Open Source Project (AOSP), the OEMs, and the carriers, each of which struggles with its own problems. Fragmentation also makes it hard to predict whether a vulnerability will affect another model, even one running the same Android version.

Exploring RADIUS – Brad Antoniewicz

The last talk of the day was technical but made accessible by a colourful presenter. RADIUS is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect to and use a network service. It is popular within enterprises for things such as corporate VPNs. The speaker showed existing “fuzzing” tools used to detect vulnerabilities, as well as some of his own. He also did a demo on how to exploit a Cisco appliance and execute arbitrary code on the target server simply by sending a command over a wireless network.

Day 1 was wrapped up by conference organizer Dragos, who hinted at some winners of the PWN2OWN competition, to be revealed the next day.

@jeromesegura


  • pajari

    With respect to my talk (USB Flash Storage Threats and Threat Mitigation in an Air-Gapped Network Environment) the feedback and comments I received at CanSecWest (both during the Q&A and during discussions afterwards) were invaluable and will enable me to improve the quality of the Sheep Dip Appliance (SDA). To address the specific question you raise (what if the “sheep dip” system got compromised?), there are several things I’m working on:
    (a) the sheep dip is running a different operating system with a different processor (Linux on ARM) than the typical Wintel systems on either side of the air-gap making it more challenging for malware to infect/compromise both the unprotected Wintel machine and the sheep dip; and
    (b) based on a suggestion from a CanSecWest we are changing the appliance to the Raspberry Pi running from a read-only SD card, meaning any compromise could only be memory-resident and would not survive a reboot. The operating procedure would require the SDA to be rebooted before the USB crossed back over the air gap.

    Also remember that the sheep dip is used in both directions so that compromising the SDA is only part of what is required for a successful exploit. A complete compromise would have to:
    (a) compromise the unprotected system that loaded the initial USB key;
    (b) compromise the SDA;
    (c) compromise the protected machine; and
    (d) re-compromise the rebooted SDA on the way back (else how to exfiltrate the desired information from the protected system).

    While it is still possible to conceive of such a series of compromises spanning different operating systems and chip architectures, one must admit operating with the SDA as proposed would be several orders of magnitude safer than not using the sheep dip.

    If anyone has other comments or suggestions, please put them here or email me at sheepdip (at) pajari.ca

    Thanks.

    George Pajari

  • Jérôme Segura

    Hi pajari,

    Thanks for the follow up comment on this. I enjoyed your talk and thought it was a cool idea.
    It’s normal for any new concept to be scrutinized, and hopefully that can help improve it.
    You’re right that having the sheep dip would thwart many attacks, although at the same time the power of such a system lies in the fact that the attacker is not aware of it. There’s a risk that if the sheep dip is too well documented, the attacker could build a module to target it.
    Kind of security by obscurity, or at least have a custom version of the sheep dip with specific defenses.