General: February 2008 Archives
VLC Media Player 0.8.6e is available and fixes multiple security vulnerabilities.
Security Advisory 0801
Summary : Format string vulnerability in the Web interface
Stack-based buffer overflow in the Subtitles demuxer
String buffer overflows in the Real RTSP demuxer
CVE references : CVE-2007-6681, CVE-2007-6682, CVE-2008-0295, CVE-2008-0296
Security Advisory 0802
Summary : Arbitrary memory overwrite in the MP4 demuxer
CVE reference : CVE-2008-0984
Security Advisory 0803
Summary : Arbitrary file overwrite and other abuses through M3U parser and browser plugins
CVE reference :
I've seen VLC showing up in the vulnerability scans more at work. People install it because it supports a wide variety of multimedia formats. One more non-standard app to get patched.
Last week, some Princeton researchers demonstrated a technique for recovering cryptographic keys from RAM.
Here's their Youtube video:
The typical security hype cycle then followed with articles from SANS: In Memory of Hard Disk Encryption? and then the usual computer trade mags, and then ultimately an AP story: Blast of cold air can open computer to hackers.
That latter article began "Want to break into a computer's encrypted hard drive? Just blast the machine's memory chip with a burst of cold air." Gee that sounds really about as easy as opening a Kensington lock. I can just imagine the bulletins sent out by corporate security departments all over the country.
"If approached by Jack Frost, do not let him spray your computer with cold air. Flee and notify your IT Security Department as soon as possible."
The truth is a little less dire. Yes, data remains in RAM a bit longer than you'd expect. Yes cold air could be used to preserve the data in RAM. However in practice this means an attacker would have to physically compromise your computer within one or two minutes of turning it off.
Here's what I think is important:
1. Users should never use standby unless they are aware that their data is at risk. Personally I advised that before this came out. So this is nothing new.
2. The system is vulnerable when it's online but screen locked. Again, I don't think this is new.
3. When you turn your computer off, wait two minutes before you let someone plug in an unknown USB device or spray down the RAM with compressed air. Duh.
Non-technical people read these articles and they think the pain of full disk encryption wasn't worth it. Anytime a bad guy has physical access to the computer, you've got a problem. It seems that this attack works best in the lab and can be defeated with a few steps that you should be following anyway.
Winamp 5.52 has been released to correct an Ultravox streaming metadata stack overflow reported by Secunia. Users of Winamp are encouraged to upgrade immediately.
Here are some notes from Shmoocon day 2. Today was a return to the traditional Build It, Break It, and Bring it on tracks. Here are some notes/summaries from the sessions I attended. It was another fun day.
Active 802.11 Fingerprinting, Bratus, Cornelius and Peebles
How can you identify if an access point is legitimate or rogue? Does two way RSA crypto solve the problem of a rogue AP? The speakers would argue that if you are communicating with a rogue AP, the use of certificates could actually cause more information to be given away to the rogue. You could certainly be exploited in your communication as well if your wireless drivers have vulnerabilities.
Just as with OS fingerprinting through TCP, the wireless protocol can be abused to send unexpected traffic to the AP and fingerprint how it responds. They built a tool called Baffle using Ruby to perform this test. They were able to verify that the access point was using the driver that is expected.
If you're expecting a Linksys AP and I set up a rogue Linksys AP, this isn't going to help you, at least from my understanding of the talk. An audience member asked if this could be used with ad hoc (client-to-client) connections as well. It cannot be used for that because the APs are much more chatty and have more negotiation.
The remainder of the time was a presentation on access point hiding. I did not catch the presenter's name. Basically anything that has some room inside and has sufficient power could be refashioned to contain an AP. This assumes that you need to be stealthy about placing a rogue AP in the first place. The take home for me from this section of the talk was the question, "if an AP enabled itself at 2 am (either to let the hacker in, or to move some data out) would you catch that?"
Smarter Password Cracking; Weir, Glodek
Not a lot new here.
Password cracking is getting tougher. Sometimes users are forced to pick better passwords. Often developers are throwing in a salt or hashing multiple times. A salt makes a precalculated table attack difficult. Multiple hashes attempt to increase the calculation penalty when trying an offline password attack. For example, while Word's password mechanism was once trivial to break, Word now uses 5000 SHA1 iterations and a huge salt.
In the last year or two several password troves have become available to all. In the past researchers didn't have a way to report on user password selection. After passwords collected by MySpace phishers leaked, researchers had a large collection of legitimate passwords. Many of the passwords were tremendously weak and thus not comparable to enterprise passwords.
When setting out to crack passwords, it is helpful to figure out how the users select their passwords. This gives the cracker a better chance at success.
I was hoping to take from this lecture a script to analyze a list of passwords and display the tendencies found. I would like to be able to easily run a report that says: 30% of users' passwords were revealed in testing. Of those, 90 percent were in the format Aaaaaa11 (A=upper, a=lower, 1=any number). I don't see that script on his website; I'm going to check back later.
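The kind of report described above, as an added example (not the speakers' script or anything from the author's site): it takes a list of passwords recovered in an audit and summarises how users build them, using the same mask convention (A=upper, a=lower, 1=digit, plus !=symbol). The sample passwords and the account total are constructed for the example.

```python
"""Password-audit tendency report: exact masks, collapsed shapes, digit suffixes."""
import re
from collections import Counter

# Constructed sample of passwords recovered in a hypothetical audit (not real credentials).
SAMPLE_RECOVERED = [
    "Summer08", "Winter11", "Spring09", "Autumn07", "Monday12",
    "Password1", "Welcome1", "Ab12345",
    "qwerty", "letmein", "baseball", "P@ssw0rd",
]
SAMPLE_TOTAL_ACCOUNTS = 40   # accounts audited; 12 of 40 recovered = 30%


def mask(password):
    """Per-character mask: A=upper, a=lower, 1=digit, !=anything else."""
    out = []
    for ch in password:
        if ch.isupper():
            out.append("A")
        elif ch.islower():
            out.append("a")
        elif ch.isdigit():
            out.append("1")
        else:
            out.append("!")
    return "".join(out)


def shape(password):
    """Mask with runs collapsed, so Summer08 and Password1 both become 'Aa1'."""
    return re.sub(r"(.)\1+", r"\1", mask(password))


def trailing_digits(password):
    """Digit run at the end of the password ('' if none); years and '1' dominate in practice."""
    m = re.search(r"\d+$", password)
    return m.group(0) if m else ""


def mask_report(recovered, total_accounts):
    """Build the statistics; percentages of masks/shapes are relative to recovered passwords."""
    n = len(recovered)

    def pct(k):
        return round(100.0 * k / n, 1)

    return {
        "recovered_pct": round(100.0 * n / total_accounts, 1),
        "masks": [(m, c, pct(c)) for m, c in Counter(map(mask, recovered)).most_common()],
        "shapes": [(s, c, pct(c)) for s, c in Counter(map(shape, recovered)).most_common()],
        "suffixes": Counter(trailing_digits(p) for p in recovered if trailing_digits(p)).most_common(),
    }


def format_report(report, top=5):
    """Render the report as the short text summary an auditor would paste into findings."""
    lines = [f"{report['recovered_pct']}% of audited accounts had their password recovered."]
    lines.append("Most common exact masks (A=upper, a=lower, 1=digit, !=symbol):")
    for m, c, p in report["masks"][:top]:
        lines.append(f"  {m:<12} {c:>3}  {p:>5}%")
    lines.append("Most common collapsed shapes (e.g. 'Aa1' = capitalised word + digits):")
    for s, c, p in report["shapes"][:top]:
        lines.append(f"  {s:<12} {c:>3}  {p:>5}%")
    lines.append("Most common trailing digit strings: "
                 + ", ".join(f"{d} ({c})" for d, c in report["suffixes"][:top]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(mask_report(SAMPLE_RECOVERED, SAMPLE_TOTAL_ACCOUNTS)))
```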
They're hacking Our Clients, Why are we focusing only on servers; Beale
This talk had two major sections. The need for patching clients, and a poor man's way to find clients that need patching.
In the first section Beale said that in pentesting engagements they now attempt to get to the internal network through client side attack. Often they are limited by engagement rules to the computers belonging to IT staff or security folk. Even with this set of users they are consistently able to perform attacks on the browser, mail client, Office, Adobe Reader, etc. Core Impact and Metasploit are two tools mentioned.
The bad guys moved to client side attacks years ago. Their biggest problem is managing all their owned boxes.
The question is asked: isn't this just social engineering? There are two responses to this. No, sometimes attacks autorun without user interaction. Yes, but the human firewall is imperfect. Even the most educated users get fooled. It's still appropriate for a pentest.
Comment from the audience - Once it reaches the user, freakin game over.
The attackers only have to find one vulnerable human or one vulnerable software install.
Isn't this a patch management problem, Beale asks rhetorically?
He says yes, but not every organization has patch management.
Also, patch management needs to know about every system to patch it. It needs rights. It often doesn't patch every product. Most people don't have that complete an inventory of what is on their network.
To address these issues, the speaker proposed using User-Agent strings to self identify vulnerable systems. That information could be collected in HTTP proxy logs, and email servers. Vulnerable clients could be denied further access.
While you could do further things such as implement something like the Master Reconnaissance Tool to gather browser plug-ins, there is still vulnerable software that you don't address in this way.
Another idea is to look at the metadata for recently created files on your fileserver, sharepoint, in email. Apparently you can determine the version of the software used to create the document. A vulnerable version and a recently created document equal a problem that needs to be addressed.
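The User-Agent idea from the talk, worked through as an added example (not Beale's tool or code): it walks proxy log lines, pulls product versions out of the User-Agent field, builds the inventory the talk says most shops lack, and flags clients below a baseline. The log lines and the minimum-version policy are constructed for the example; the version numbers are placeholders, not a claim about which versions are vulnerable.

```python
"""Inventory and flag client software versions from proxy logs via User-Agent strings."""
import re
from collections import Counter, defaultdict

# Constructed proxy log lines in Apache "combined" format; the User-Agent is the last quoted field.
SAMPLE_LOG = """\
10.1.2.10 - - [12/Feb/2008:09:15:02 -0500] "GET http://www.example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
10.1.2.11 - - [12/Feb/2008:09:15:07 -0500] "GET http://www.example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
10.1.2.12 - - [12/Feb/2008:09:16:40 -0500] "GET http://www.example.com/a.gif HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.2.13 - - [12/Feb/2008:09:17:01 -0500] "GET http://www.example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.1.2.14 - - [12/Feb/2008:09:18:33 -0500] "GET http://www.example.com/applet.jar HTTP/1.1" 200 9000 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03"
10.1.2.10 - - [12/Feb/2008:09:18:35 -0500] "GET http://www.example.com/x.css HTTP/1.1" 200 100 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
"""

# Hypothetical baseline the organisation has chosen to enforce. Placeholder numbers for
# the example only; they say nothing about which real versions are vulnerable.
MINIMUM_VERSIONS = {
    "Firefox": "2.0.0.12",
    "MSIE": "7.0",
    "Java": "1.6.0_04",
}

UA_FIELD = re.compile(r'"([^"]*)"\s*$')                  # last quoted field on the line
PRODUCT = re.compile(r'\b(Firefox|MSIE|Java)[/ ](\d[\w.]*)')  # product tokens we care about


def version_key(version):
    """'1.6.0_03' -> (1, 6, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.split(r"[._]", version) if p.isdigit())


def parse_line(line):
    """Return (client_ip, user_agent), or None when the line has no User-Agent field."""
    m = UA_FIELD.search(line)
    if not m or not line.strip():
        return None
    return line.split(" ", 1)[0], m.group(1)


def products(user_agent):
    """All (product, version) pairs found in a User-Agent string."""
    return PRODUCT.findall(user_agent)


def audit(log_text, minimums=MINIMUM_VERSIONS):
    """Single pass over the log.

    Returns (inventory, flagged):
      inventory: Counter of (product, version) -> number of distinct client IPs seen with it
      flagged:   {client_ip: [(product, version, minimum), ...]} for clients below baseline
    """
    seen = defaultdict(set)
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ua = parsed
        for product, version in products(ua):
            seen[(product, version)].add(ip)
            minimum = minimums.get(product)
            if minimum and version_key(version) < version_key(minimum):
                entry = (product, version, minimum)
                if entry not in flagged[ip]:        # one finding per client/product/version
                    flagged[ip].append(entry)
    inventory = Counter({k: len(ips) for k, ips in seen.items()})
    return inventory, dict(flagged)


if __name__ == "__main__":
    inventory, flagged = audit(SAMPLE_LOG)
    for (product, version), hosts in sorted(inventory.items()):
        print(f"{product:<8} {version:<10} {hosts} host(s)")
    for ip, findings in sorted(flagged.items()):
        for product, version, minimum in findings:
            print(f"FLAG {ip}: {product} {version} is below baseline {minimum}")
```

The same parser works on mail-server logs that record the client's User-Agent; the talk's caveat still holds, since plug-ins that never identify themselves in the header stay invisible to this check.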
Since I do vuln scan all online systems, and I do have a patch management system, the second part of the talk wasn't as interesting. It seemed like a lot of work just to catch a small number that missed the patch management and vuln scanning. I do see the usefulness in a University or other similar environment.
VOIP Hopper; Ostrom and Kindervas
This was a strong talk demonstrating the new version of their voiphopper program. Most people outside that room think that a VLAN is a security separator. The talk showed how easy it is to get onto the voice VLAN. In IT there is also a low awareness of VOIP threats. People think, "you can't access corporate data from an IP Phone."
voiphopper now includes a Cisco Discovery Protocol generator making it really easy to pretend to be a VOIP phone.
Mitigation-
1. Use Cisco's phone CDP Security provided in 12.2.36 SE. This requires a phone to have power or it will shutdown the port. (one wonders how that would work in my case where a bad blade wasn't providing power for some ports, and I was given a brick for my phone instead of using power over ethernet).
2. MAC address filtering
3. Disable the PC port on the phone. (This applies to phones, such as lobby phones, that shouldn't have a PC plugged into them.)
Got Citrix? Hack it!; Gupta
One audience member correctly asked for fewer IE vulnerabilities and more about Citrix. I agree. The vulnerabilities presented all existed because Windows was not secured for the role the system was playing.
Gupta has a good point that people think putting something behind Citrix is equal to securely serving it.
We did not get to see a couple of demos because the wireless network was down during this session. I'd recommend either not relying on an unreliable medium for a presentation or having a video backup. We were left with a session cut short, and a feeling of disappointment.
I'm down at Shmoocon this weekend. I've been to two of the four Shmoocons. Apparently I only go on even years.
Here are some notes. This is probably going to be even less coherent than usual as it's getting late and I need to be back down there tomorrow.
David Hulton, "Intercepting GSM Traffic"
As I understood it, this talk described a "known plain text" attack on the session key between a GSM phone and the tower. It still requires massive computational power, although the hardware and time cost is much lower for this attack than for previous attacks. The solution will probably be more networks switching to 3G.
David Smith, Forensic Image Analysis to Recover Passwords
This talk described his attempt to recover passwords from coredumps, swap, memory dumps, logs, deleted temp files, slack space and internal history.
He is currently working in Perl to search for strings of a certain length and then give them an entropy score.
An audience member suggested starting with a clean OS image to easily rule out the OS files from the gathered strings.
In terms of defenses, I would start with not saving passwords in easily reversible forms (the browser saving passwords, for example). Next, I would consider wiping the free space. Full disk encryption would be the best defense, assuming you don't get caught while the computer is booted.
Syn Phishus, Unauthorized phishing exercise
This is the talk I was most looking forward to. Syn, as a security contractor, decided to phish the computer security department (consisting of 200 employees). He created a phishing campaign announcing the company's ID theft insurance vendor signup. If users clicked on the link in the email, they were prompted to log in using domain credentials; if they hit submit or cancel they were counseled not to be so dang gullible.
The goals for this project were to raise security awareness, demonstrate that policies require enforcement and education, get corporate communications to sign their email and create a service the company could sell. He didn't tell anyone before doing it. He didn't want anyone else to take the risk. He tried to make it easy for IT security to respond to by putting information in the comments on the phishing site, and by using a computer connected to the corporate vpn for his phishing attack.
As you might expect this did not go over well with his company. Doing something like this is definitely a career limiting event. You should always have a get out of jail free card, that is something in writing authorizing you.
edited to remove incorrect assumption about Syn and another phishing venture. Sorry about that.
Deral Heiland, Web Portals
This talk was about a pentest facilitated by the company's internet portal.
Portals provide easy access to corporate data. They can also be huge threats to the internal network.
The problem with this particular (unspecified) portal was twofold. One, it accepted unauthenticated traffic, and two, the portal had full access to the network. The portal accepted and processed GET commands, so you could create a query to the portal that would have it open a website on the internal network. By trying common internal address space, you could find anything running a webserver. This ranged from things like printers, a Compaq Lights Out board, network equipment, and the SAN administration. Bad news for the company if a hacker had uncovered this.
This is why they should have required strong authentication for everything on that server. The server should also have been filtered from internal access so that only required services could be accessed. A layer 7 firewall could have prevented the portal from being exploited as well.
Isaac Mathis, Hacking the Samurai Spirit
This was actually an interesting talk about how differences in culture influence security.
Deviant Ollam, Latest News on Bump Key Attacks
This was fairly routine for anyone who is up on bump keys.
Anti-bumping technology is starting to make its way into common consumer-level locksets. Master Lock and Kwikset appear to be gearing up to sell consumers on this added protection.
I cannot find a statement on Adobe's website saying they no longer support Reader/Acrobat versions earlier than 8, but actions speak louder than words.
The security bulletin for the vulnerability currently being exploited states:
Acrobat and Adobe Reader 7.0.9 and earlier versions are also affected by these vulnerabilities. Adobe will provide further information as to the nature of the vulnerabilities via the company's Security Bulletins and Advisories page (http://www.adobe.com/support/security/) once updates are available for all affected versions of Acrobat and Adobe Reader.
That is not very reassuring because the last Adobe Reader/Acrobat security bulletin said the same thing.
Adobe will be providing an update to Adobe Reader 7.0.9 and Acrobat 7.0.9 at a later date.
That update hasn't been released.
We have a large number of users still running 7.0.9 Standard or Professional. I don't expect them to be all that excited about ponying up the dough for the upgrade to 8.x. Version 7 isn't supported with Office 2007 or Vista so they'll have to upgrade fairly soon anyway.
There has been growing talk (in general, not at work) about Adobe Reader and Acrobat alternatives. Adobe's product has become more and more bloated. They then have security bulletins as a result of these extra features. FoxIt Reader doesn't have any reported security vulnerabilities. I don't have any experience with FoxIt, but it sure seems like time to investigate a change that doesn't require multiple updates per year.
Update: Not so fast...
On February 20th, Adobe updated its security bulletin to say:
Acrobat and Adobe Reader 7.0.9 and earlier versions are also affected by these vulnerabilities. Adobe is planning to release an update to Adobe Reader and Acrobat 7 by the end of May 2008 to resolve these security issues in those versions of the products.
Secunia has released Personal Software Inspector (PSI) 0.9.0.1. As I've blogged about before, Secunia PSI is software for the home user that reports software that is vulnerable or no longer updated by the manufacturer.
The change log here lists a few interesting improvements.
- Improved intelligence to make it even easier for non-technical users to patch their applications. Special rules for Adobe Flash and Sun Java have been implemented.
- The Secunia PSI is now able to determine if the detected Adobe Flash versions are an ActiveX Control (IE), a Firefox plug-in, an Opera plug-in, or a general Operating System plug-in.
- The Secunia PSI is now able to determine if the detected Sun Java versions require an uninstall (the Sun Java installer does not automatically uninstall old versions when you upgrade to their latest version).
- When hovering your mouse over an application name the Secunia PSI will now always display the exact path to where the application is installed.
Keeping third-party applications patched is critical for computers used on the Internet.
The CA Security Adviser Research blog has an interesting entry today following the trail of a suspicious credit card charge.
Do you review your monthly statement for suspicious charges? Do you look over every charge or just the bigger ones? A fraudster may fly under your radar with a $5 charge. That can accrue to quite a bit of money if they hit enough people.
Review your bills. Whether it's fraud or the phone company tacking on a monthly fee for long distance, you want to know about it as soon as possible.
If you're heading down to Shmoocon in DC February 15th to 17th, allow extra time if you're taking Metrorail. Metro is performing platform repair at the Metro Center stop. WMATA recommends allowing an extra 30 minutes. This should start late enough to not be a problem Friday, but it will be annoying Saturday and Sunday.
Parking at the Wardman Park Marriott is $13/hour ($28/day). I don't know of alternative parking down there.
As I was driving into work this morning, my blackberry was flooded with Trojan.Zonebac alerts. When I got into work, I could see that a single computer at one of our sites was getting this detection on pretty much every major exe. When I read the Technical writeup of Trojan.Zonebac at Symantec, I found out why. Zonebac searches for files referenced in the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
For all the files found referenced in the registry subkey values, the Trojan creates a copy of the referenced file in a folder named "bak" at the same path as the original file. Then the Trojan will replace the original file with a copy of itself.
Now that is a mess. Normally, I see it as a fun challenge to clean machines, but in this case with so many EXEs suspect, and with the computer being remote, it seemed to be a better bet to wipe the system.
This evening the SANS Handler Diary had an entry revealing that the Adobe Reader/Professional vulnerability is currently being exploited and Zonebac is being dropped. That explains what happened.
It looks like I may have to move up my implementation of Adobe Reader 8.2.1.
Dark Reading has an article reporting on a presentation Peter Tippett gave at the Computer Forensics Show in Washington DC.
He said that IT Security departments are wasting their time and a third of current security practices are useless.
It's not necessarily a new thought.
It is really easy to get caught up in the patching hamster wheel.
It's easy to believe that products will solve your security problem.
A lot of security spending and effort is regulation based. Is your data more secure because users are required to have 12 character passwords that are changed every 60 days?
It's hard to step back and look at security from new angles.
We pulled the trigger deploying Quicktime 7.4 to all users yesterday, so, as we've grown to expect, Apple released Quicktime 7.4.1 today. While we knew another update was coming, you just can't wait forever for an update to post.
The Quicktime download is in the usual location. If you are running iTunes, just grab that update. Apple's security bulletin is here.
At the beginning of the year, Guardian Edge transitioned support to an interactive voice response (IVR) system. Since then it seems impossible to call and speak to a live person.
I don't generally like to call any support phone number. Most matters should be resolvable by checking the manual, reading the knowledge base, or opening a ticket via email or web form. When I do have to call support its because I really need an answer now, and don't mind waiting on hold for a bit to get it.
The old Guardian Edge support fit that model perfectly. I could call, and normally get someone right away.
The new Guardian Edge support model is geared toward never speaking to anyone. If you call, a voice response system asks if the number you are calling from is the one associated with your account. Next even though they've already identified you by phone number the IVR asks for your support ID number. After that you can leave voice mail describing your case. In each case I've had since this change, the support technician replies by email in 4-6 hours. God help you if that answer doesn't resolve the issue because the case will get lost after that.
We paid for phone support. This doesn't seem like phone support to me. I have tried to address these concerns with Guardian Edge. The person heading the project corrected a routing problem with my support ticket. They did not address what I feel is a loss of service.
This sort of thing happens a lot with expanding companies. They have more callers and don't have the trained bodies to handle the calls. I still find it very disappointing.
Adobe Reader 8.1.2 is out, download here.
There are not any new security advisories for Adobe Reader at this time. Until I hear otherwise, this may just be a bugfix release.
Update: The 8.1.2 release notes are available. The summary states "The Adobe Reader 8.1.2 update addresses a number of customer workflow issues and security vulnerabilities while providing more stability."
Update 2: Symantec Deepsight reports that a proof-of-concept exploit is available to members of the Immunity Partners Program.
Psychology Today has an article on people's ability to assess risk.
We substitute one risk for another. Insurers in the United Kingdom used to offer discounts to drivers who purchased cars with safer brakes. "They don't anymore," says John Adams, a risk analyst and emeritus professor of geography at University College. "There weren't fewer accidents, just different accidents."
Why? For the same reason that the vehicles most likely to go out of control in snowy conditions are those with four-wheel drive. Buoyed by a false sense of safety that comes with the increased control, drivers of four-wheel-drive vehicles take more risks. "These vehicles are bigger and heavier, which should keep them on the road," says Ropeik. "But police report that these drivers go faster, even when roads are slippery."
Both are cases of risk compensation: People have a preferred level of risk, and they modulate their behavior to keep risk at that constant level. Features designed to increase safety—four-wheel drive, seat belts, or air bags—wind up making people drive faster. The safety features may reduce risks associated with weather, but they don't cut overall risk. "If I drink a diet soda with dinner," quips Slovic, "I have ice cream for dessert."
It's not much of a leap to see how this affects computer security.
- I'm using a minority browser that brags about how secure it is. I guess I can browse where ever I want and click on anything.
- I have a new security suite, it will detect anything bad that happens.
- The SMTP scanner hasn't let through a virus yet, therefore I can open any attachment that comes in without consequence
The safety improvements in cars aren't supposed to replace intelligent driving decisions. Security software provides layers of protection, it doesn't replace informed choices.
More and more wired peripherals are connected to the office computer, yet at the same time people want to be more wireless. They want a wireless keyboard, a wireless mouse and a wireless headset. It's a little bit ironic that people accept wires for their non-work related USB devices, but they "can't stand the clutter" when it comes to using standard keyboards and mice.
This article from DarkReading reports on the ease of interception of wireless headset technologies and how a pentest team used information gathered through that means to socially engineer themselves into a badge and desk inside a company they were hired to pentest. Not only could they listen to phone conversations with an off-the-shelf scanner, in some cases the headset remained active after a call ceased, which effectively bugged the office!
A UPI version of the article spoke to Bob Hayes, managing director of the Security Executive Council who downplayed the issue.
"There are a lot of threats that are technically possible," he said, pointing out that monitoring telephone conversations that way without permission was a federal crime. "Why would I do that," he asked, "when I could get the same information a dozen different ways?" For instance by going through someone's garbage, pretext phone calling, or eavesdropping on conversations at trade shows.
It's not as if this is a far-fetched Hollywood-style plot. It's one thing to do a risk analysis and determine it's not worth taking action. It's another to just say "we've got bigger fish to fry".
Jack Johnson, former chief security officer for the Department of Homeland Security and now a partner in the Washington federal practice at Price Waterhouse Coopers, had a more common response. In general, when it came to new technology, "ease-of-use considerations tend to trump security." It's only later that the vulnerabilities are discovered. The CxO has to have the cool toys today.
One would wish that after so many years we would stop making the same mistakes. Security needs to be baked in early on. It cannot be the dismissed factor in the triad of Security - Usability - Cost.
Wireless keyboards are also an issue. In November 2007 DreamLab Technologies announced that due to weak encryption in Microsoft wireless keyboards they were able to capture and decrypt keystrokes. Would you intentionally set yourself up for wireless keystroke logging?
Now maybe I'm just jealous that my Plantronics headset is from the last millennium and I'm using a standard Dell USB keyboard. But it seems to me that the inherent risks in going wireless need to be addressed in any product used in the enterprise. It would be for the best if standards were followed in a company and products analyzed, rather than implementing a hodgepodge of whatever is personal preference.