Overview of the OWASP BE Chapter meeting (4 feb 09)

The Belgian OWASP chapter meeting started with some announcements. Some OWASP people seem to have started a podcast. It should also be available in iTunes. I have to check that one out.
Next, the people from FOSDEM got a chance to announce their event next weekend, since one of the presentations is about the OWASP testing guide.
The third announcement was the OWASP Europe 2009 event, this time hosted in Poland. And last but not least was the next OWASP BE Chapter meeting on the 4th of March featuring Gary McGraw. I would say, save the date.

After these small announcements, it was time for Alexander Meisel, CTO and founder of art of defence, to kick off: Best practices for Web Application firewalls. I'm not going to rehash the presentation because it's all available in a paper (updated the link to the English version) that was written to give a better understanding of how and where Web Application Firewalls should be used. Have a look.

The second presentation was Evil Markup, browser issues and other obscurities (by Mario Heiderich). Did anyone ever Google for 'secure browser'? Ironically, neither Firefox nor Opera is listed. Mario showed some vulnerability statistics about the different browsers, but it's not just about the browser. A lot of interesting technology will be embedded in browsers that will allow for exploitation. Concepts like inline SVG, XXE, HTC via image, label of death, etc. were mentioned. If you want to have an idea what this is about, have a look at this blog: malicious markup.

The last and most anticipated presentation was Research on Belgian bank trojan attacks (by Richard Bennett, software consultant), who researched this topic in his spare time. After some of the reported attacks in the Belgian media, Richard started collecting and condensing all available information about the issue. A lot of the published information was too complex for the average user. The Trojan we are talking about is Mebroot aka Sinowal, also known as the boot sector trojan (security4all). A funny observation of his was that Symantec reports Mebroot as a low risk.
When a machine is infected, the victim's emails and the logins found in those mails are stolen first, together with his bookmarks. Mebroot sends it all in a nice encrypted package to the botnet.
In some cases, the malware has thus obtained the credentials of webmasters, infecting those sites with it. In some cases, it works really well in a social engineering kind of way. Some websites are automatically trusted by users, for example those of embassies. People will follow instructions that those websites give them without thinking too much about it.

Who is behind the attack? A lot of the research gathered by Richard pointed to the Russian Business Network (security4all). No strangers to us. Remarkably, the RBN used an agile development method, releasing a new version every three days. They are really organized, using money mules to deliver the money to them, complete with a marketing department and everything.

The question is, how do we solve the issue of banking trojans? Telling the user that he is responsible and that he must use an antivirus and firewall is a losing battle according to the presenter. There was a really good debate at the end about possible solutions. Some of them are present in his research paper, which will be published soon. As a conclusion, we can say this is a topic that must be looked into further.

An excellent OWASP meeting to start the year with!!!

For a second review of this evening's session, have a look at the rootshell blog.

(Photo under creative commons from ggee's photostream)


Joeri said...

For those of you that want to read the paper in English this is the link below:

phil said...

You forgot to tell they also gave a chance to the BruCON team to announce their great conference (security4all) to come \o/