Create secure code with Secure Code Bootcamp

Software development contains many aspects which the developer has to take care and think about. One of them is information security and secure code which affects the product and its users. There are different ways to learn information security and how to create secure and quality code and this time I'll shortly go through what Secure Code Warrior Secure Code Bootcamp has to offer.

For the record other good resources I've come across are Kontras application security training for OWASP Top 10 and OWASP Top 10 API, hands-on approaches like Cyber Security Base MooC, Wargames, Hack the Box and Cybrary.

Secure Code Bootcamp

Kick-start your journey to creating more secure, quality code with Secure Code Bootcamp - our free mobile app for early-career coders.

Secure Code Bootcamp

Secure Code Warrior provides a learning platform for developers to increase their software security skills and guide each coder along their own preferred learning pathway. They have products, solutions and resources to help organization's development teams to ship quality code and also provide a free mobile app for early-career coder: Secure Code Bootcamp.

Application presents common vulnerabilities from the OWASP Top 10 and you get badges as you progress through each new challenge, unlocking new missions as your progress. It teaches you to identify vulnerable code with first short introductions and explanations for each vulnerability of how they happen and where. Each topic is presented as a mission with briefing and code inspection tasks.

OWASP Top 10 are:

The Secure Code Bootcamp covers 8 of the Top 10 list as the last two are more or less difficult to present in this gamified context, I think.

Mission briefing contains couple of minute theory lesson of the given vulnerability and teaches you what, where and how to prevent it.

After briefing you're challenged with code examples in the language you've chosen (Node.JS, Python:Django, Java:Spring, C# .NET: MVC). You practically swipe your way through code reviews by accepting or rejecting them. Reading code on mobile device screen isn't optimal but suffices for the given task. Works better for Node.js than for Java Spring.

Code inspection isn't always as easy as you would think even if you know what to look for. After succesfully inspected couple of codes you're awarded with a badge. The briefing tells you what to look for in the code but sometimes it's a guess what is asked for. The code inspection requires sometimes knowledge of the used framework and inspection is done without context for the usage. Almost every inspection I got 1 wrong which gave me 75% accuracy.

Summary

The approach to teaching security topics this way works ok if you're code oriented. You'll learn the OWASP Top 10 in practice by short theory lessons with pointers to how to prevent them and test your code inspection skills for noticing vulnerable aspects of code fragments. Having swiped through the bootcamp the code inspection parts were not always so useful.

The marketing text says "progress along multiple missions and build secure coding skills." and "Graduate with fundamental secure coding skills for your next step as a coder." and that is in my opionion a bit much to say. The bootcamp teaches the basic concepts of vulnerabilities and how they look on code but doesn't teach you to code securily.

In overall the Secure Code Bootcamp for OWASP Top 10 vulnerabilities is a good start for learning what, where, how and why vulnerabilities exists and learn to identify them. You can do the bootcamp with different languages available so replayability value is good.

Notes from HelSec Virtual Meetup 1

This year has been challenging for meetups and gatherings but one good side of the restrictions was that remote work has become more acceptable and also meetups and conferences have invested to streaming and virtual participation which is great for people living in an area where there's no meetups.

In early May HelSec kept their first Virtual Meetup with great topics. Here's my short notes (finally four months later). The meetup was streamed via HelSec Twitch channel and the discussions were in HelSec Events Discord. The meetup recording is available from Twitch.

HelSec Virtual Meetup 2020-05-07

HelSec Virtual Meetup #1 (7.5.2020)

Fighting alert fatigue and visibility issues in SOC

Juuso Myllylรค from OptimeSys talked about fighting alert fatigue in security operations center (stream from 41:41 onwards). The goal in the talk was to improve automated detection, introduce "detection logic killchain" framework he has worked on as his master's thesis and shift our minds from signature based detection and move towards intelligence based.

Threat detection pyramid

Threat detection framework based on design science research method:

  1. Identify: What is a threat? What kind of things make up a threat?
    1. Mitre's ATT&CK framework
    2. Mitre's ATT&CK: Design and philosophy
    3. Example: hijacked Azure AD account detection
    4. Tactic = initial access
  2. Detect: How we can detect a threat?
    1. Logs, logs, logs
    2. Technique detection is also valid
    3. Example technique: valid accounts or phishing
  3. Use Case: Search queries, log sources, etc.
    1. Convert your idea into a security information and event management (SIEM) search query
    2. Procedures: many APT (Advanced Persistent Threat) groups have used valid accounts as an entrypoint
  4. Demonstrate:
    1. Deploy the use case
  5. Evaluate: evaluate detection logic
    1. Analyze the SIEM logs once your SIEM use case has been deployed
    2. e.g. check Azure AD audit logs, eliminate non-related data
    3. Applies also to threat hunting
  6. Communicate: Document your detection logic in Sigma form
    1. Can be shared with others, try to be SIEM agnostic

iPhone BFU Acquisition and Analysis

The meetup continued with iPhone forensic from @1:19 by Timo Miettinen from Nixu. The presentation explained first how the iPhone iOS filesystem's two main partitions are protected: non-encrypted System and encrypted Data. Data partition is encrypted with burned-into-hardware UID key. The files have additionally 4 classes of Data Protection.

From forensics point of view access to data is protected with many layers: USB connectivity is restricted; Logical extraction is divided to iTunes backup + some media files, password protected backups contain more data, backup password can be reset but has deviations; Full file system extraction needs jailbraking the device; iCloud extraction (synced backup).

The case talked in the talk was a lost iPhone which was later returned by law enforcement. The question was: What was done with it while missing? Was it stolen or just inspected by friendly authorities? Phone was powered off and passcode was changed.

So they had BFU device in their hands for data extraction: device that has been powered off or rebooted and has never been subsequently unlocked. The amount of the data they can theoretically get is really limited.

In BFU the file encryption keys are wiped from the device RAM and only unencrypted class D protected files are available. Biometric authentication is not possible, USB restricted mode is enabled (need biometric authentication or passcode to activate data connections), lockdown records become useless (logical data acquisition impossible) and passcode recovery attack falls to BFU speeds.

Acquisition methods:

  • Utilizing exploits and jailbreaks:
    • checkm8: unpatchable bootrom exploit released by axi0mx on September 2019 which enables jailbreaks, activation lock bypass etc.
    • checkra1n: jailbreak released on November 2019 which utilizes the checkm8 exploit to run unsigned code on an iOS device. Doesn't always pass the USB restricted mode, depends on the combinations of hardware and software versions.
  • Open source and free tools:
    • libimobiledevices has collection of useful tools:
      • SSH over USB using iproxy
      • ideviceinfo gives iOS and HW versions
      • idevicecrashreport gets crash logs from the device
      • many more
    • ios_bfu_triage: extract avaible data
    • iTUnes if you don't have the BFU restriction
  • Commercial tools: Belkasoft Evidence Center, BlackBag Mobilyze, Cellebrite UFED / Physical Analyzer, Elcomsoft Phone Viewer, Magnet AXIOM, MSAB XRY, Oxygen Forensics Extractor

In their use case the checkra1n jailbreak didn't work and USB restricted mode was activated. Also some of the commercial tools enabled to extract some data but wasn't able to read the archive format the software created. They decided to the analysis manually which is a good idea even if the tools are working.

Some open source or free tools for analysis:

  • APOLLO (Apple Pattern of Life Lazy Output'er): parses pattern of life data from databases and properties into human readable format.
  • iOS sysdiagnose forensic scripts: parses iOS sysdiagnose logs.
  • iPhone Backup Analyzer: allows the user to browse the content of an iOS backup.
  • iLEAPP (iOS Logs, Events, And Preferences Parser)
  • iBackup Viewer: browse the content of an iOS backup and extract files.
  • ftree: crawl any directory and identify all files etc.
  • deserializer: converts from NSKeyedArchive to normal plist
  • For reading plists you can use: plutil -p <filename>
  • DB Browser for SQLite
  • Google's protobuf utilities (protoc)

When doing analysis you should look for plists, binary plists, plists in plists, blobs may contain binary plist files and SQLite databases (Shared Memory file .shm, write ahead log .wal). Some applications store data in protocol buffers (protobufs) in SQLite database blobs, plist files or just data files. Tools find most of the interesting data but you can make your own script to dump all text files, convert plist files to readable format, dumps data from every database, get all embedded binary plists from plist files and databases and convert them to readable format.

In their case they found out that the phone was reinstalled 12 hours after it was lost. Mobile banking, social media and instant messaging applications were installed. The device was used to communicate with several contacts and used around the city. The phone was stolen and reinstalled with intention to use it.

Still Fuzzing Faster (U Fool)

Joona Hoikkala talked about Web Fuzzing and using fuff tool for fuzzing directories, login, basic auth, virtual domain, content id:s and more. Follow the talk from the stream at 2:19:00 and the demo starts around @2:33:00. The slides are good starting point.

Kind of reverse but describes web fuzzing

You can use fuzzing with different input contents to target i.a. GET parameters (names, values or both), headers (Host, authentication, cookies, proxy headers) and POST data (form data, JSON, files). What to look for (matching)? Response codes, content (regexes) response sizes (bytes, # of words).

Resources: SecLists

Price of a digital identity

Laura Kankaala, from Robocorp and Team Whack fame talked about the price of a digital identity starting at 3:20:40. Data is central, security - privacy: how companies view data and how data sellers view data.

Digital identity:

  • What we are
  • What we have
  • What we produce

Laura also presented that ~90-99% of data collected is dark data which is collected but not really utilized. But we are just getting started. But it's good to remember that our data belongs to us. We give permission to collectors and controllers.

Do you know what's your data worth? Data is valuable and for example there are companies like doc.ai and datum which tries to monetize it so that also user gets part of it. But yet the data is used more for targeted ads, providing content just for us, increasing efficiency and creating better services. And of course every one remembers Cambridge Analytica and (trying) to affect electoral processes in the US.

The most valuable things being sold online are: credit cards, identity numbers, passports, credentials, phone numbers, home address. Passports are quite logical of value and e.g. France passport goes for $124, USA $115, Canada $103, UK $60 and so on, depending of the data included with it.

Kankaala talked about how the collecting of our data has sneak to our lives (e.g. social credit systems). Companies collect data and when our normal live becomes very tangled with our live online it becomes easier to monitor us, to see what we're up to and to moderate our behaviour. We need to be careful when we allow new type of access to our live, e.g. COVID-19 tracking.

Regulation, awareness and education is at least a patch to some of these issues. We are hackers and we should be the pathfinders and show people that it doesn't have to be that if something works the way it does today and although it works it doesn't mean it works right or ethically.

We are all vulnerable

Magnus Lundgren from Recorded Future told a tale of two databases, a panda and someone who was listening starting at 4:25:00.

There's a race of when vulnerability is found and assigned a CVE number until it's either patched or exploited. 12 517 CVEs were first published on NVD in 2016-2017 and it takes average 33 days until an initial assesment of the vulnerability is made available via NIST's NVD. For example Dirty Cow (CVE-2016-519) it took 21 days to initial release on NVD but it took only 8 days to create an exploit (Proof of Concept shared on Pastebin) for it and sold/shared on the deep and dark web.

A tale of two databases: NVD (NIST) and CNNVD (CNITSEC). In the Chinese CNNVD it takes on average only 13 days compared to 33 days on NVD for initial assesment. The difference comes from the detail that CNNCD is doing active collection while NVD is doing passive collection from vendors. But always it doesn't be that way like it was the case with some Android backdoor where it took 236 days from CNNVD and 60 days from NVD. It takes longer for CNNVD to publish high threat vulnerabilities than low threat ones and during the publication lag Chinese APT groups are exploiting those vulnerabilities.

When the Recorded Future published a blog post identifying 343 "outlier" CVEs (regarding the issue the of CNNVD lag) CNNVD backdated 338 of those CVEs. Someone was listening.

Conclusions:

  • Deep / Dark web monitoring of activity is crucial for a good patching cadence.
  • Magic can be done with threat intel data that has been organiced for analysis.
  • Chinese intersection is particularly vicious for foreign companies: Ministry of State Security (China) runs multiple threat actors e.g. APT3, runs CNNVD and cherry picks CNNVD vulnerabilities for targeting.

Resources: Inside Security Intelligence podcast