david wong

Hey ! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

OWASP Chicago June 2015

This evening I was at Braintree's office in Chicago for the new edition of the Owasp meeting. The offices were amazing and huge!

braintree

They had beer pong tables, ping pong tables, a mini-arcade and a bar! (all that right next to the workspace)

beerpong

Plenty of nice conference rooms

conf room

Some had whiteboard tables!

whiteboard table

And in the largest building of Chicago!

building

1 Trojaned Gems - You can’t tell you’re using one!

Brandon Myers, a security researcher at Trustwave, was the first one to talk. He found out that when you executed gem fetch or gem install, the ruby package manager, it would allow a Man In The Middle to do a DNS poisoning attack to redirect you to his servers. Even though everything happens over TLS! This is because gem doesn't check for the domain in the certificate of rubygems.org: it just checks that the server has a valid certificate and that's all. You would then download the gem on his server and... game over.

He said that the same thing was happening when developers were pushing their gems to rubygems.org ...

That's a shame, and way worse than the downgrade https attack of go.

One way of mitigating the first MITM would be to just use curl or wget directly with https://www.rubygems.org and do whatever the gem fetch does to get the gems. Because curl or wget should have a correct implementation of TLS that dodge fake DNS responses (that's why DNSSEC is useless if you query a https webpage with a correctly signed certificate).

To mitigate the second attack Brandon talked about signed gems, and that it was far from being efficient since none of the top gems are signed.

Two other problem were that if a fix comes around, gem update --system is vulnerable to the attack (since gem is itself a gem) and not using the fully secure gem signing allows some dependencies of not being signed (and thus a MITM would be able to modify those).

2 Attacking and Defending DevOps

Patrick Thomas and Alec Gleason followed by explaining how much they pwned their client with heartbleed, passwords in clear and github hooks. They then explained how you could get more information out of a pwned machine if there was git, vagrant, chef, docker and other non-crypto stuff installed on the machine.

All of this was facilitated by Devops,

a software development method that emphasizes communication, collaboration (information sharing and web service usage), integration, automation, and measurement of cooperation between software developers and other IT professionals.

https://en.wikipedia.org/wiki/DevOps

devops

They said it was still a good thing but if done correctly.

After that I went to Chisec meet some people of the security community!

Well done! You've reached the end of my post. Now you can leave me a comment :)