
Tag: Multiplexing

Quartet of weaknesses include ancient vuln from 2009

Security researchers have unearthed four high-profile vulnerabilities in HTTP/2, a new version of the protocol. HTTP/2 introduces new mechanisms that effectively increase the attack surface of business-critical web infrastructure, according to a study by researchers at data centre security vendor Imperva, released at the Black Hat conference on Wednesday.

Imperva's researchers took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The team discovered exploitable vulnerabilities in all major HTTP/2 implementations that it reviewed, including two that are similar to well-known and widely exploited vulnerabilities in HTTP/1.x.

The quartet of HTTP/2 attack vectors include:

Slow Read – An attacker could use a malicious client to read responses very slowly, creating a traffic jam in the process, using the same mechanism as the well-known Slowloris DDoS attack, released in 2009 and thrown against major credit card processors back in 2010. Security flaws in the application layer of HTTP/2 implementations make the attack possible. The Imperva team picked up variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2.

HPACK Bomb – This compression-layer attack resembles a zip bomb attack. A potential hacker crafts small and seemingly innocent messages, which unpack into gigs of data on the server side, consuming memory resources so as to slow down or crash targeted systems.

Dependency Cycle Attack – The attack subverts the flow control mechanisms that HTTP/2 introduced for network optimisation. A malicious client crafts requests that induce a dependency cycle, forcing the server into an infinite loop as it tries to process these dependencies.

Stream Multiplexing Abuse – The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash systems.

"The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users," said Amichai Shulman, co-founder and CTO of Imperva. "However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers. While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it's hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats."

HTTP/2 adoption is picking up pace. According to W3Techs, 8.7 per cent of all websites, approximately 85 million sites, use HTTP/2, an almost fourfold increase from just 2.3 per cent in December 2015. Implementing a web application firewall (WAF) with virtual patching capabilities can help enterprises protect their critical data and applications from cyber attack while introducing HTTP/2, according to Imperva (a leading supplier of WAF technology). More details of Imperva's research are here (pdf) (infographic here).
When Black Hat convenes next week in Las Vegas, it will be a rich environment for gathering tools that can be used to tighten security but also -- in the wrong hands -- to carry out exploits. Researchers presenting generally point out the value these releases hold for researchers like themselves who operate in experimental environments, as well as for enterprise security pros who want to build better defenses against such attack tools. Presenters will detail a broad range of exploits they've carried out against devices, protocols and technologies, from HTTP to internet of things gear to the techniques penetration testers use to test the networks of their clients. Here is a sampling of some of the scheduled educational briefings coming up next week, along with a description of the free tools that will accompany them.

HTTP/2 & QUIC -- Teaching Good Protocols To Do Bad Things
Presenters: Carl Vincent, Sr. Security Consultant, Cisco, and Catherine (Kate) Pearce, Sr. Security Consultant, Cisco

These two researchers took a look at HTTP/2 and QUIC, two Web protocols used to multiplex connections. The researchers say they are experiencing déjà vu because they have found security weaknesses in these protocols that are reminiscent of weaknesses they found two years ago in multipath TCP (MPTCP). Back then they discovered that because MPTCP changed paths and endpoints during sessions, it was difficult to secure the traffic and possible to compromise it. "This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network," according to the description of their talk. They say they will release tools with these techniques incorporated.

Applied Machine Learning for Data Exfil and Other Fun Topics
Brian Wallace, Senior Security Researcher, Cylance; Matt Wolff, Chief Data Scientist, Cylance; and Xuan Zhao, Data Scientist, Cylance

This team applied machine learning to security data to help analysts make decisions about whether their networks are facing actual incidents. They say lacking an understanding of machine learning can leave you at a disadvantage when analyzing problems. "We will walk the entire pipeline from idea to functioning tool on several diverse security-related problems, including offensive and defensive use cases for machine learning," they write in describing their briefing. They plan to release all the tools, source code and data sets they used in their research. They'll also include an obfuscation tool for data exfiltration, a network mapper and a command and control panel identification module.

GATTacking Bluetooth Smart Devices - Introducing a New BLE Proxy Tool
Slawomir Jasek, IT Security Consultant, SecuRing

The internet of things is rife with devices that make use of Bluetooth Low Energy, but they don't always take advantage of all the security features of the technology. "A surprising number of devices do not (or simply cannot - because of the use scenario) utilize these mechanisms," says researcher Slawomir Jasek in his written description of his talk. Instead, security is provided by a higher-level Generic Attribute (GATT) profile to protect communications between IoT devices and their controllers, such as mobile phones. He says it's easy to spoof an IoT device and trick the phone into connecting to it, setting up a man-in-the-middle (MITM) attack. "[J]ust imagine how many attacks you might be able to perform with the possibility to actively intercept the BLE communication!" he writes. He will release a BLE MITM proxy tool that "opens a whole new chapter for your IoT device exploitation, reversing and debugging."

Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools
Wesley McGrew, Director of Cyber Operations, HORNE Cyber

This speaker says that penetration testers are often trained using widely available materials that can lead to inadequate protection of their clients' data and the pen-testing procedure itself. "Malicious threat actors are incentivized to attack and compromise penetration testers, and given current practices, can do so easily and with dramatic impact," he says. McGrew will demonstrate techniques for hijacking testers' procedures and release all the tools he uses in the demo.

Does Dropping USB Drives in Parking Lots and Other Places Really Work?
Elie Bursztein, Anti-fraud and abuse research lead, Google

Everybody knows that if you drop USB keys in a parking lot, they will be picked up and a high percentage of them will wind up plugged into computers. Bursztein says his research included dropping 300 USB sticks in a parking lot. 98 percent were picked up and of those, 48 percent were not only plugged into a computer, but files on them were opened. His talk will analyze why people pick up these sticks, and he will release a tool to help mitigate these attacks.

I Came to Drop Bombs: Auditing the Compression Algorithm Weapon Cache
Cara Marie, Senior Security Consultant, NCC Group

Decompression bomb attacks use specially crafted compressed archive files that, when they are unpacked, tie up applications to such an extent that they crash. But not all compression algorithms are equally suitable for the task. Marie has audited a great number of these to find out which are the best bomb candidates and will release them at the conference. They can be used by researchers to test the susceptibility of applications to these particular attacks.

Pwning Your Java Messaging with Deserialization Vulnerabilities
Matthias Kaiser, Head of Vulnerability Research, Code White

Messaging in Java environments relies on serialization, the conversion of objects into series of bytes. Deserialization is turning the series back into objects. There have been ongoing improvements in Java deserialization exploits that make it possible to attack the applications that use Java messaging. Kaiser will talk about implementations that are vulnerable and release the Java Messaging Exploitation Tool to help users identify and exploit these systems.

Access Keys Will Kill You Before You Kill the Password
Loic Simon, Principal Security Engineer, NCC Group

The speaker, Loic Simon, uses this example: keys used to access the Amazon Web Services infrastructure are often stored unencrypted and spread around among developers, creating a security weakness. This could be addressed by use of multi-factor authentication, which some users may avoid because it is more cumbersome than they'd like. Simon will show how MFA can be employed regardless of what authentication method is used, and will release a tool "used to allow painless work when MFA-protected API access is enforced in an AWS account."

Viral Video - Exploiting SSRF in Video Converters
Maxim Andreev, Software Developer, Mail.ru Group, and Nikolay Ermishkin, Information Security Analyst, Mail.ru Group

The free FFmpeg libraries boast tools for converting multimedia formats, including conversions for playlists that feature links to other files. This talk will consider how to exploit server side request forgery in processing these playlists. It shows how such SSRF against cloud-based servers can give full access to services such as Amazon Web Services, as well as attacks on Facebook, Telegram, Microsoft Azure, Flickr, Twitter services, Imgur and others. The speakers will release a tool to detect and exploit this vulnerability.

This story, "Black Hat: 9 free security tools for defense and attacking" was originally published by Network World.