Editor’s note: Updated December 14th 2020 to include CCC presentation and December 16th 2020 to include No cON Name presentation.
This month, members of NCC Group will be presenting their work at the following conferences:
- Jon Szymaniak, “Guiding Engineering Teams Toward a More Secure Usage of U-Boot,” to be presented at the Open Source Firmware Conference (Virtual – December 1-3 2020)
- Ivan Reedman, “Secure by Design, still a USP in a competitive environment,” to be presented at the IoT Security Foundation Conference (Virtual – December 1-4 2020)
- Juan Garrido, “Bypassing Security Controls in Office 365,” to be presented at CCN-CERT Conference (Virtual – November 30-December 4 2020)
- Rory McCune, “Mastering Container Security v4 – Extended Edition” Training, to be presented at Black Hat Europe 2020 (Virtual – December 7-10 2020)
- Daniel López Jiménez, “Understanding and Hiding your Operations,” to be presented at No cON Name (Virtual – December 19 2020)
- Dan Hastings, “Solitude: A Privacy Analysis Tool,” to be presented at Chaos Communication Congress 2020 (Virtual – December 27-30 2020)
Please join us!
Guiding Engineering Teams Toward a More Secure Usage of U-Boot
Jon Szymaniak
Open Source Firmware Conference – Virtual
December 1-3 2020
With its rich feature set, regular release cycle cadence, and adoption into silicon vendors’ board support packages, it is no wonder that the Open Source Das U-Boot bootloader has become so ubiquitous throughout products spanning a breadth of application domains. However, much of what makes U-Boot so helpful to embedded systems engineers can be a double-edged sword; permissive functionality and readily available reference configurations represent a form of “security debt” that must be paid off by the engineering teams integrating U-Boot into their product. In both public research and private security assessments, it is commonly found that devices are vulnerable to abuse as a result of product vendors failing to invest adequate time and effort into securing their U-Boot configurations and customizations.
This talk will describe common security failure patterns observed during security assessments of products using U-Boot, introduce NCC Group’s “Depthcharge” toolkit built to support U-Boot security auditing, and present its new functionality that is aimed at providing engineering teams with a means to avoid inadvertent inclusion of functionality that may be an ill-fit for their specific security objectives. At a higher level, this talk aims to foster discussions about how we can all help ensure that product development teams customize, configure, and deploy U-Boot more securely, such that end users remain safe.
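As an added illustration of the kind of configuration review the abstract describes (constructed example code, not NCC Group’s Depthcharge and not U-Boot project code), the following Python audits a Kconfig-style `.config` for functionality that commonly widens a fielded device’s attack surface. The `CONFIG_*` symbol names are U-Boot’s own; which options are flagged, the autoboot semantics assumed in the comments, and the two sample configs are my assumptions and should be checked against the team’s actual tree and security objectives.

```python
"""Audit a U-Boot .config for permissive functionality.

Constructed example: the risk table below is an illustrative list, not an
exhaustive or authoritative one. Symbol names are U-Boot Kconfig symbols.
"""
import re
from typing import Dict, List, Optional

# Symbols that, when =y, expose capabilities to anyone who reaches the console.
RISKY_COMMANDS = {
    "CONFIG_CMD_MEMORY":   "md/mw/cp expose raw memory read and write from the console",
    "CONFIG_CMD_GO":       "'go' jumps to an arbitrary address and executes it",
    "CONFIG_CMD_LOADB":    "loadb/loady accept arbitrary binaries over serial",
    "CONFIG_CMD_TFTPBOOT": "tftpboot fetches unauthenticated images over the network",
    "CONFIG_CMD_USB":      "USB storage access allows booting attacker-supplied media",
}

SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text: str) -> Dict[str, Optional[str]]:
    """Return {symbol: value}; explicitly unset symbols map to None."""
    cfg: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        set_m = SET_RE.match(line)
        unset_m = UNSET_RE.match(line)
        if set_m:
            cfg[set_m.group(1)] = set_m.group(2).strip('"')
        elif unset_m:
            cfg[unset_m.group(1)] = None
    return cfg


def audit(cfg: Dict[str, Optional[str]]) -> List[str]:
    """Return human-readable findings for a parsed config (empty list = clean)."""
    findings: List[str] = []
    raw_delay = cfg.get("CONFIG_BOOTDELAY")
    try:
        # Assumption: a missing CONFIG_BOOTDELAY takes the Kconfig default of 2.
        delay = int(raw_delay) if raw_delay is not None else 2
    except ValueError:
        delay = 2
    # Autoboot semantics as assumed here: -1 always drops to the prompt,
    # >= 0 boots after a delay but a keypress interrupts it, -2 never polls keys.
    if delay >= 0 and cfg.get("CONFIG_AUTOBOOT_KEYED") != "y":
        findings.append("console: autoboot can be interrupted without a stop string "
                        "or password (CONFIG_AUTOBOOT_KEYED unset)")
    elif delay == -1:
        findings.append("console: CONFIG_BOOTDELAY=-1 disables autoboot and always "
                        "presents the interactive shell")
    for sym, why in RISKY_COMMANDS.items():
        if cfg.get(sym) == "y":
            findings.append(f"command: {sym} enabled; {why}")
    return findings


# Constructed sample configs (not from any real product).
PERMISSIVE_CONFIG = """\
CONFIG_ARM=y
CONFIG_BOOTDELAY=2
# CONFIG_AUTOBOOT_KEYED is not set
CONFIG_CMD_MEMORY=y
CONFIG_CMD_GO=y
# CONFIG_CMD_LOADB is not set
CONFIG_CMD_TFTPBOOT=y
# CONFIG_CMD_USB is not set
CONFIG_BOOTCOMMAND="run distro_bootcmd"
"""

HARDENED_CONFIG = """\
CONFIG_ARM=y
CONFIG_BOOTDELAY=-2
# CONFIG_CMD_MEMORY is not set
# CONFIG_CMD_GO is not set
# CONFIG_CMD_LOADB is not set
# CONFIG_CMD_TFTPBOOT is not set
# CONFIG_CMD_USB is not set
CONFIG_BOOTCOMMAND="run distro_bootcmd"
"""

if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(parse_config(text)) or ["no findings"]:
            print("  ", finding)
```

The check is intentionally conservative: it reports what the configuration makes reachable, and the engineering team then decides whether each item is a deliberate, documented choice or the kind of inherited reference-configuration “security debt” the talk describes.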
Secure by Design, still a USP in a competitive environment
Ivan Reedman
IoT Security Conference 2020 – Virtual
December 1-4 2020
How to create a good security posture and use this as a unique selling point when competing with low cost competitors to gain market share and increase margins.
Bypassing Security Controls in Office 365
Juan Garrido
CCN-CERT Conference – Virtual
November 30 – December 4 2020
On November 30th, Juan Garrido, Managing Security Consultant at NCC Group, will be presenting at CCN-CERT on Bypassing Security Controls in Office 365.
In this talk, Juan will describe and demonstrate multiple techniques for bypassing existing Office 365 application security controls, showing how data can be exfiltrated from highly secure Office 365 tenants that employ strict security policies to restrict access to a range of predefined IP addresses or subnets, or that are configured with Conditional Access Policies, which are used to control access to cloud applications.
Juan is passionate about security. With over ten years in the industry, he has not only worked on numerous security projects and judicial investigations, but also written several technical books and security tools, including VOYEUR and AZUCAR. Juan has been recognized by Microsoft as an MVP (Microsoft Most Valuable Professional) for over five years running and has spoken at many renowned conferences, including RootedCon, DEFCON, GsickMinds, BlackHat, BSides and Troopers.
Training: Mastering Container Security v4 – Extended Edition
Rory McCune
Black Hat Europe 2020 – Virtual
December 7-10 2020
The course will start by looking at Docker and how Linux containers work, covering the basics of using Docker and good security practices around creating Docker images.
We’ll also be covering fundamental Linux security concepts such as namespaces, cgroups, capabilities and seccomp, along with showing how to secure (or break into) container-based applications. The course will then move on to the world of container orchestration and clustering, looking at how Kubernetes works and the security pitfalls that can leave the clusters and cloud-based environments which use containers exposed to attack. Additionally we’ve got practical examples of configuring key Kubernetes security controls such as RBAC, PodSecurityPolicies and Network Policies.
There is also content covering key operational security concerns in containerized environments, like logging and monitoring, and a look at what tooling is available to detect and respond to attacks against container-based systems. For the attackers, we’ll also cover options for bypassing runtime security systems that might be in place.
The course has core modules which we’ll cover as well as an array of bonus content which will be covered if there is time. The bonus modules focus on areas like Docker and Kubernetes security tooling, the details of prominent container security vulnerabilities and exploits and also look at the world of Windows containers. At the end of the four days we’ll have a range of systems to practice some of the skills learned during the course.
Course Syllabus:
- Docker Basics – Review of basic Docker commands and how Docker handles networking.
- Creating Docker Images – Covering how to create Docker images with examples around security tool creation.
- Container Fundamentals – This delves into Linux container primitives, such as namespaces, cgroups, capabilities and seccomp filtering, essentially showing how container security is applied.
- Docker Security – This looks at primary security concerns around the use of Docker Engine, including common pitfalls and how to attack or mitigate them.
- Docker Logging – Looking at how Docker handles logging both at the container level and also at the Docker daemon level. Includes coverage of how to ensure that important security log events are captured when running in containerized environments.
- Docker Runtime Security – A look at setup and configuration of Falco as a runtime security product in containerized environments.
- Docker Forensics – Covers how existing container tooling can be used to assist in incident response and forensics.
- Introduction to Kubernetes – Here we’ll cover the Kubernetes container orchestration platform and look at how it’s architected and composed. The goal is to familiarise students with how the platform operates so they can understand key areas of security concern/points of attack.
- Kubernetes Networking – The way that Kubernetes handles networking is an important concept to fully understand when looking at securing and attacking clusters. This module will look at some of the main ways this is approached and the underlying technologies used (e.g. iptables, eBPF).
- Kubernetes Basic Security – This module looks at three major threat models for Kubernetes clusters (external attackers, compromised containers, and malicious users) and walks through the likely attack paths that each would take, showing practical approaches to exploiting Kubernetes security weaknesses.
- Kubernetes Authentication Authorization – This module looks at how Kubernetes handles Authentication and Authorization, focusing on some of the weak points and common pitfalls which could allow attackers to compromise a cluster.
- Kubernetes Policy Security – This will focus on some of the key policies which need to be implemented to have a secure cluster, covering Network Policies and Pod Security Policies. It will also look at some alternatives to the native Kubernetes options which are growing in popularity, such as OPA and k-rail.
- Kubernetes Ecosystem – There are a number of products which are very commonly deployed alongside Kubernetes (e.g. Helm, Prometheus). This module will look at common security weaknesses in these products and how to address them.
- Kubernetes Application Hardening – This module looks at how developers can harden application manifests as they’re deployed to clusters and also covers some open source tools that can be used to ensure manifests are appropriately configured.
- Kubernetes Logging – A look at how Kubernetes handles logging and monitoring for containers and system components.
- Kubernetes Auditing – This module covers the Kubernetes auditing feature and how it should be tuned to ensure that appropriate events are captured without large amounts of extraneous information being gathered.
- Extras – Depending on how fast the students have been working through the course content, some extras can be covered, such as looking at the wider Docker ecosystem, alternative container runtimes, Windows containers, common Kubernetes security tools and Kubernetes vulnerabilities.
- CTF – At the end of the course materials a number of clusters with security vulnerabilities will be available for students to practice the attacks described during the course.
Understanding and Hiding your Operations
Daniel López Jiménez
No cON Name – Virtual
December 19 2020
Operational Security (OPSEC) is one of the most important aspects to consider in Adversary Simulations (usually called “Red Teaming”). When talking about OPSEC, it is common to think of matters like AV/EDR evasion, avoiding “noise” or using built-in/legitimate tools whenever possible. In fact, the scope of the term OPSEC is usually wider than that. OPSEC usually refers to the identification and protection of data that could be useful to an adversary. In Adversary Simulations, the adversary is the organisation’s security team (Blue Team) and the goal is to improve their detection capabilities. This is why the maturity of an organisation should dictate the complexity required to carry out these operations, so that the objectives are met with the minimum effort, as a real attacker would do. For example, for experienced Blue Teams, the mere fact of using legitimate tools such as net.exe (e.g. “net users /domain”) or powershell.exe could be a reason for the whole operation to be discovered, whereas in other organisations or situations these same actions could remain completely unnoticed. In this talk we will discuss how you should review and understand your own toolset and procedures in order to gain OPSEC. We will see how to deal with trade-offs, and why understanding your adversary is key in that matter. In addition, sources of detection (disk, memory, network…) and resources commonly employed by defenders (events, hooks, callbacks…) will be explained visually and practically to help you build and improve your operations. The goal of Understanding and Hiding your Operations is to be a resource for comprehending the meaning of OPSEC and creating awareness in your operations, so that you can successfully face – and improve – experienced security teams and their detection capabilities.
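To make the abstract’s point about events as a source of detection concrete, here is an added Python example (not from the talk or from NCC Group) that runs two illustrative process-creation rules over constructed log lines. The lines are shaped like the `Image`, `ParentImage` and `CommandLine` fields of a Sysmon process-creation event but are made up for this example; the rules, the `key=value|key=value` line format and the base64 string (UTF-16LE “dir”) are all assumptions. Whether the `net users /domain` rule is signal or noise in a given environment is exactly the maturity question the abstract raises.

```python
"""Detection over constructed process-creation events.

Added example: flags the built-in tool usage mentioned in the abstract
(net.exe domain enumeration, PowerShell encoded commands). The event
format and the rules are illustrative, not a vendor's schema or ruleset.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    image: re.Pattern        # matched against the end of the process image path
    cmdline: re.Pattern      # matched anywhere in the full command line
    note: str


RULES = [
    Rule("net-domain-enumeration",
         re.compile(r"\\net1?\.exe$", re.I),
         re.compile(r"\b(users?|group|localgroup)\b.*/domain", re.I),
         "built-in net.exe used to enumerate domain accounts or groups"),
    Rule("powershell-encoded-command",
         re.compile(r"\\powershell(_ise)?\.exe$", re.I),
         re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I),
         "PowerShell launched with an encoded command"),
]

# Constructed events; CommandLine values are assumed not to contain '|'.
EVENT_LINES = [
    "EventID=1|Image=C:\\Windows\\System32\\net.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=net users /domain",
    "EventID=1|Image=C:\\Windows\\System32\\net1.exe|ParentImage=C:\\Windows\\System32\\net.exe"
    "|CommandLine=C:\\Windows\\system32\\net1 group \"Domain Admins\" /domain",
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe -NoProfile -enc ZABpAHIA",
    # Benign activity that the rules should leave alone.
    "EventID=1|Image=C:\\Windows\\System32\\net.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=net use Z: \\\\fileserver\\share",
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe|CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe notes.txt",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; the first '=' in each pair is the separator."""
    return dict(pair.split("=", 1) for pair in line.split("|"))


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) pair whose image and command line both match."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        for rule in RULES:
            if rule.image.search(ev.get("Image", "")) and rule.cmdline.search(ev.get("CommandLine", "")):
                hits.append({"rule": rule.name, "note": rule.note,
                             "image": ev["Image"], "parent": ev.get("ParentImage", ""),
                             "cmdline": ev["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENT_LINES):
        print(f"[{hit['rule']}] {hit['cmdline']}  (parent: {hit['parent']})")
```

The parent image is carried into each hit because in practice it is the context (an Office process or a service host spawning `net.exe`, say) rather than the command alone that separates routine administration from something worth an analyst’s time.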
Solitude: A Privacy Analysis Tool
Dan Hastings
Chaos Communication Congress – Virtual
December 27-30 2020
Solitude is an open source privacy analysis tool that enables anyone to conduct their own privacy investigations. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating an app’s privacy accessible for everyone.
Oftentimes the only way for the end user to figure out where their private data goes once they enter it into a web application or mobile device is through the app’s privacy policy. Privacy policies not only have a notorious history of being difficult to understand, but don’t always tell the truth about an application’s data collection practices. Solitude was built to make proxying your web and mobile traffic easier and to make the process of conducting privacy investigations of your favorite apps more streamlined and straightforward. Solitude can be configured to look for any data that you input in a mobile or web application and reveal where that data is going. The application inspects all outbound HTTP traffic, looks for various hashes of your data and recursively decodes common encoding schemes (base64, URL). This talk will discuss how Solitude is built, how to use it and give some real world examples of privacy violations discovered in the wild using Solitude. The real world examples will cover different approaches for finding different classes of privacy issues and how to use Solitude to accomplish this.
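The matching step the abstract describes (look for the watched value and its hashes, recursively undoing base64 and URL encoding) can be shown in a few lines. The Python below is an added example, not Solitude’s code: the watched value, the tracker-style request it scans, the hash set and the decoding depth limit are all constructed assumptions, and it works on a single captured request rather than on live proxied traffic.

```python
"""Trace a watched value through an outbound HTTP request.

Added example (not Solitude's implementation): looks for the plain value and
its MD5/SHA-1/SHA-256 hex digests inside each request field, after peeling
URL encoding and base64 recursively.
"""
import base64
import hashlib
import re
from typing import Dict, Iterator, Tuple
from urllib.parse import quote_plus, unquote_plus, urlencode

Path = Tuple[str, ...]

# Runs of base64-looking text; '=' only accepted as trailing padding.
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
URLSAFE = str.maketrans("-_", "+/")


def fingerprints(value: str) -> Dict[str, str]:
    """Representations an app might send instead of the raw value."""
    data = value.encode()
    return {"plain": value,
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def decodings(text: str, path: Path = (), depth: int = 0, max_depth: int = 4) -> Iterator[Tuple[str, Path]]:
    """Yield text plus every recursive URL/base64 decoding of it, with the path taken."""
    yield text, path
    if depth >= max_depth:
        return
    unquoted = unquote_plus(text)
    if unquoted != text:
        yield from decodings(unquoted, path + ("url",), depth + 1, max_depth)
    for token in B64_RE.findall(text):
        padded = token.translate(URLSAFE) + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except ValueError:          # binascii.Error and UnicodeDecodeError both derive from it
            continue
        if decoded and all(c.isprintable() or c.isspace() for c in decoded):
            yield from decodings(decoded, path + ("base64",), depth + 1, max_depth)


def scan(request: Dict[str, str], watched: str) -> Dict[Tuple[str, str], Path]:
    """Map (field, form) -> shortest decoding path at which that form of `watched` appears."""
    forms = fingerprints(watched)
    hits: Dict[Tuple[str, str], Path] = {}
    for field, text in request.items():
        for decoded, path in decodings(text):
            haystack = decoded.lower()
            for form, needle in forms.items():
                if needle.lower() in haystack:
                    key = (field, form)
                    if key not in hits or len(path) < len(hits[key]):
                        hits[key] = path
    return hits


# Constructed request resembling an analytics beacon: the query string carries
# an MD5 of the e-mail, and the body carries base64(form-encoded fields).
WATCHED = "alice@example.com"
_inner = urlencode({"email": WATCHED, "os": "ios"})          # email=alice%40example.com&os=ios
_b64 = base64.b64encode(_inner.encode()).decode()
SAMPLE_REQUEST = {
    "url": "https://collect.tracker.invalid/v1/event?uid=" + hashlib.md5(WATCHED.encode()).hexdigest(),
    "body": "data=" + quote_plus(_b64),
}

if __name__ == "__main__":
    for (field, form), path in sorted(scan(SAMPLE_REQUEST, WATCHED).items()):
        print(f"{field}: found {form} form after decoding {list(path) or 'nothing'}")
```

Recording the decoding path is what turns a raw match into something a reader can act on: “your e-mail was in the body, base64-encoded, then URL-encoded” is evidence about how the app treats the data, not just that it left the device.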
Note: At time of writing, all CCC event tickets have been claimed, but all presentations will be streamed openly at https://media.ccc.de/. Details about tickets and streaming of CCC/rC3 are available here: https://events.ccc.de/2020/12/03/rc3-ticket-update/