Posts tagged ‘Shmoocon’

Shmoocon 2012: Attacking Proximity Card Systems

Brad Antoniewicz of Foundstone presented at Shmoocon on attacking proximity card systems.   HID is the most well known brand of cards.   We’ll see if I can summarize accurately.

Like the virtual pickpocketing of credit cards, a bad guy can also clone proximity cards. At some buildings, outside work hours you need a badge and PIN to enter the premises. But during work hours, you could just walk right in and use a cloned card.

ProxmarkIII allows the researcher to read and emulate any RFID tag.   Badges are typically sequentially numbered.   If the cloned badge doesn’t have the access you need, you could brute force the badge reader.   It would take two years to test the entire card space at the rate of one per second.  But if you already have the company code and one of the badge numbers, that narrows things significantly.

Brad’s experience is that people won’t challenge you even as you stand at the badge reader for multiple minutes trying badge numbers, even with the reader beeping at each attempt.

Side note: employees are told not to let other people piggyback, but at best they hold the door and ask people to swipe a badge. The beep doesn’t indicate success, only that something was read.

Unless the physical access logs are sent to a SIEM, many proxcard systems will not natively alert you to the brute force attack. There is one hilarious drawback Brad mentioned: security may not react to the brute force attack, but one time they had flagged a particular account, so when the brute force tried accessing as it, security responded fast.

In addition to clone/playback attacks there can be attacks against the badge reader itself. Communication between the reader and the controller is serial. Physical taps may allow recording of a range of badge numbers and PINs. You only need one badge to get access, so this is a bit of piling on.

The HID controllers were also found to have security issues. I am wondering why the controller would be addressable on the network, but this is what he found: default passwords, undocumented accounts, passwords that can’t be changed from the default. The database had default passwords and was vulnerable to SQL injection.

With all this access he was able to send commands like “unlock all”.

I enjoyed this talk and felt the demonstrations were very effective. Proxcard spoofing seems very James Bond and unlikely to be used in real life. The problem is, how many times has an attack been deemed unrealistic by management until management reads about it in the Wall Street Journal?

It is important then to add monitoring for brute force attacks where it does not exist. Monitor for unusual access activity, or impossible access activity (being at two locations simultaneously). While we can only pressure the vendor to remove default accounts and allow passwords to be changed, we should make sure these devices are not accessible on the network where possible.
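The two monitoring ideas above, written out as an added example (this is not code from the talk or from any access-control vendor): a brute-force check that looks for a run of denied reads at one reader with badge numbers stepping sequentially, and an impossible-access check for one badge granted at two sites faster than a person could travel. The CSV log format, the reader and site names and every sample line are constructed for this example.

```python
"""Added example (not from the talk or any vendor product): two checks a SIEM rule
could run over proxcard access logs.

  1. Brute force: many denied reads at one reader in a short window, with badge
     numbers that step sequentially, plus whether a grant followed the run.
  2. Impossible access: one badge granted at two sites closer in time than a
     person could travel between them.

The CSV log format and every sample line below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp,reader,site,badge,result
SAMPLE_LOG = """\
2012-01-28T09:00:01,R1,hq-lobby,1042,granted
2012-01-28T09:01:10,R1,hq-lobby,2200,denied
2012-01-28T09:01:12,R1,hq-lobby,2201,denied
2012-01-28T09:01:14,R1,hq-lobby,2202,denied
2012-01-28T09:01:16,R1,hq-lobby,2203,denied
2012-01-28T09:01:18,R1,hq-lobby,2204,denied
2012-01-28T09:01:20,R1,hq-lobby,2205,granted
2012-01-28T09:03:00,R7,branch-office,1042,granted
2012-01-28T09:30:00,R2,hq-dock,1077,denied
2012-01-28T09:31:00,R2,hq-dock,1077,granted
"""


def parse_log(text):
    """Parse the constructed CSV format into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, reader, site, badge, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "reader": reader,
                       "site": site, "badge": int(badge), "result": result})
    return sorted(events, key=lambda e: e["ts"])


def find_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Return one finding per reader that saw >= threshold denials inside `window`."""
    by_reader = defaultdict(list)
    for e in events:
        by_reader[e["reader"]].append(e)
    findings = []
    for reader, evs in by_reader.items():
        denials = [e for e in evs if e["result"] == "denied"]
        start = 0
        for end in range(len(denials)):
            # slide the window start forward until the run fits inside `window`
            while denials[end]["ts"] - denials[start]["ts"] > window:
                start += 1
            run = denials[start:end + 1]
            if len(run) < threshold:
                continue
            badges = [d["badge"] for d in run]
            last_ts = run[-1]["ts"]
            findings.append({
                "reader": reader,
                "attempts": len(run),
                "first_badge": badges[0],
                "last_badge": badges[-1],
                # consecutive badge numbers are the signature of a card-number sweep
                "sequential": all(b - a == 1 for a, b in zip(badges, badges[1:])),
                # did the sweep end in a successful read at the same reader?
                "followed_by_grant": any(e["result"] == "granted"
                                         and last_ts < e["ts"] <= last_ts + window
                                         for e in evs),
            })
            break  # one alert per reader is enough
    return findings


def find_impossible_access(events, min_travel=timedelta(minutes=30)):
    """Return grants where a badge appears at a different site sooner than `min_travel`."""
    last_grant = {}
    findings = []
    for e in events:
        if e["result"] != "granted":
            continue
        prev = last_grant.get(e["badge"])
        if prev and prev["site"] != e["site"] and e["ts"] - prev["ts"] < min_travel:
            findings.append({"badge": e["badge"], "from": prev["site"], "to": e["site"],
                             "gap_seconds": int((e["ts"] - prev["ts"]).total_seconds())})
        last_grant[e["badge"]] = e
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for f in find_brute_force(events) + find_impossible_access(events):
        print(f)
```

On the sample log the first check reports reader R1 with five sequential denials (2200 to 2204) followed by a grant, and the second reports badge 1042 at the branch office 179 seconds after the HQ lobby. The window, threshold and minimum travel time are the knobs to tune against your own readers' false-read rate and site distances.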


Autorun Attacks on Ubuntu

Just last week I was talking with a co-worker about the possibility of USB attacks on his Ubuntu laptop. Using USB drives on Linux used to involve knowing mount commands. Now it’s plug and play. In the Infosec world, everything old is new again, so I wondered whether some old Windows vulnerabilities would resurface now that there is more usability in his Ubuntu.

This morning I watched  Jon Larimer give a presentation  at Shmoocon on USB autorun attacks against Ubuntu 10.10.  I watched via the live stream.   The talk will eventually be archived online.   News of such would probably be posted at www.shmoocon.org/news.

By default, you should be prompted if a script attempts to autorun when you insert a USB drive in Linux.  So you’re left looking at what other code is executed when a USB drive attaches.   The USB driver, file system drivers and file system previews are the main areas targeted for exploitation.

Gnome Nautilus is the file browser used by Ubuntu. It will automount known file systems and create thumbnail images even when the screensaver is enabled and locked. Over the years there have been many image exploitations.

While apparmor and ASLR can make exploitation difficult, Larimer was able to generate an exploit that bypassed the screensaver lock allowing access to the system.

Protection against these types of attacks is similar to Windows:
1.  Layer 8 protection: not picking up USB sticks in parking lots and putting them in your computer.
2.  Staying current on patches.
3.  Checking your config settings for autorun.
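For step 3, here is an added check script (not from the talk and not an Ubuntu tool) that grades the GNOME removable-media settings that decide whether inserted media is mounted and opened without you acting. It assumes the gsettings schema org.gnome.desktop.media-handling with the keys automount, automount-open and autorun-never; those keys belong to later GNOME releases, and Ubuntu 10.10 as discussed in the talk stored the equivalent settings in gconf, so treat the key names as an assumption for older systems.

```shell
#!/bin/sh
# Added example (not from the talk): audit GNOME removable-media handling.
# Assumes the gsettings schema org.gnome.desktop.media-handling with keys
# automount, automount-open and autorun-never (modern GNOME). Ubuntu 10.10 kept
# the equivalent settings in gconf, so the key names are an assumption there.

# evaluate_media_handling AUTOMOUNT AUTOMOUNT_OPEN AUTORUN_NEVER
# Prints one verdict per setting; returns 0 only when all three are hardened.
evaluate_media_handling() {
  automount=$1; automount_open=$2; autorun_never=$3
  status=0
  if [ "$automount" = "true" ]; then
    echo "WARN automount=true: inserted media is mounted before you do anything (file system drivers exposed)"
    status=1
  else
    echo "OK   automount=false"
  fi
  if [ "$automount_open" = "true" ]; then
    echo "WARN automount-open=true: a file browser window (and thumbnailing) opens on insert"
    status=1
  else
    echo "OK   automount-open=false"
  fi
  if [ "$autorun_never" != "true" ]; then
    echo "WARN autorun-never=false: autorun prompts are still offered for media carrying an autorun file"
    status=1
  else
    echo "OK   autorun-never=true"
  fi
  return $status
}

# Read the live values from the current session (needs gsettings in PATH).
audit_live_session() {
  schema=org.gnome.desktop.media-handling
  evaluate_media_handling \
    "$(gsettings get "$schema" automount)" \
    "$(gsettings get "$schema" automount-open)" \
    "$(gsettings get "$schema" autorun-never)"
}

# Demo on constructed values (a default-ish desktop); run audit_live_session for the real thing.
evaluate_media_handling true true false
echo "exit status: $?"
```

The exit status makes the function usable from a configuration-check job: any non-zero result means at least one of the three settings still lets the desktop touch media before the user does.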

Pwned by Copier

At Shmoocon 2011, Deral Heiland “PercX” and Pete Arzamendi “Bokojan” gave a presentation titled Printer to PWND: Leveraging Multifunction Printers During Penetration Testing. I was watching via the live stream. There were some audio issues on the live stream for the first couple of slides.

Basically, they’ve found two key things: most enterprises aren’t updating their multifunction copiers even when they update all the Windows boxes, and these copiers contain security issues.

The presenters found that on many copiers, authentication was only enforced on the front page of the web interface. If you knew the address of a subpage, or in some cases if you provided a double forward slash, no authentication was required. Of course, when most copiers are using a default password, this isn’t especially significant. Even when companies do change the default password, some of these copiers give it away in the source code of the web page.

So how is this useful? Sometimes copiers are configured with Active Directory credentials to allow copier users to perform LDAP lookups against Active Directory. Sometimes domain accounts are saved on the copier to implement “scan to share” functionality: the scanned job is saved to a network share using a domain account. Hopefully you haven’t used a privileged account for such a trivial task. If you have, game over: the account username and password may not be well protected. Even if it is a limited-rights account, it can still be used to access Active Directory and query for a list of accounts.

The presenters went on to give several examples where they have used information gathered from multi-function copiers in penetration tests.

To make things more difficult for attackers:
1.  Change the factory default passwords.
2.  Patch the systems; roll out updated firmware.
3.  Consider putting printers on isolated VLANs. The payroll printer doesn’t need to be accessible by all.
4.  Obviously, don’t use privileged accounts on the copier.

OpenDLP – Shmoocon 2011

Andrew Gavin presented on OpenDLP at Shmoocon 2011 today in Washington DC. From an attacker’s or pentester’s perspective, you’ve gained access; now how do you gather information? From a defender’s perspective, how can you find out where people have files that they shouldn’t?

OpenDLP has two components: an agent and a website. The website is used to configure and initiate scans and to read reports. The agent installs on target computers, greps the target data, reports back and uninstalls itself. There are open source projects to help you find PII in your company, but they involve remote scanning: all the work is performed by the remote scanning computer, and files need to be transferred across the network. OpenDLP is much faster than these solutions because it is agent based and the work is performed by the clients. There is a similar project, myDLP, that is agent based. I didn’t catch the relationship, if any, between the two.
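To make the "agent greps the target data" part concrete, here is an added example of the core of such a host-side PII grep. It is not OpenDLP’s code (OpenDLP’s own agent and patterns are its own); it scans files in place, validates card-number candidates with the Luhn checksum to cut false positives, matches US SSN-shaped values, and reports only masked values so the report itself is not a new leak. The sample text and the file name are constructed for this example.

```python
"""Added example (not OpenDLP's code): the core of an agent-side PII grep, the kind
of scan an agent runs locally on each host instead of pulling files over the network.
Finds card numbers (validated with the Luhn checksum) and US SSN-shaped values,
and reports masked values only. Sample text and file name are constructed.
"""
import os
import re

# 13-16 digits, optionally separated by single spaces or dashes, not inside a longer digit run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
# NNN-NN-NNNN, excluding area 000/666/9xx, group 00 and serial 0000
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

# Constructed sample input standing in for a file found on a scanned host
SAMPLE_TEXT = """\
customer,card
alice,4111 1111 1111 1111
bob,4111-1111-1111-1112
note: contractor ssn 123-45-6789 on file
order 20120128000123456 shipped
"""


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right; the sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so reports do not themselves carry the PII."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text, source="<text>"):
    """Return masked findings with line numbers for one file's content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # drops order numbers and other digit runs that fail the checksum
                findings.append({"source": source, "line": lineno,
                                 "type": "card", "masked": mask(digits)})
        for m in SSN_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "type": "ssn", "masked": mask(m.group())})
    return findings


def scan_directory(root, max_bytes=50_000_000):
    """Walk a tree and scan each readable file where it sits (nothing is copied off the host)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_TEXT, "constructed.csv"):
        print(finding)
```

On the constructed sample this reports the card on line 2 and the SSN on line 4, and skips both the dash-separated number on line 3 (it fails the Luhn check) and the 17-digit order number on line 5. The regexes cover only two data types; a real agent would carry a pattern per regulation it is checking for.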

You can’t protect what you don’t know about.   Yet management is unlikely to implement a costly DLP project until an auditor tells them you must have it.   Free, Open Source OpenDLP sounds like an interesting project to find those process issues management didn’t really want to know about in the first place.  

Perhaps it’s because it is presented at a hacker conference, but I feel a bit hinky about providing domain admin credentials to this software and telling it to install agents on all my computers. It may be best to do a code review and compile it yourself.

Shmoocon 2011 Intro

I lost the stampede that was the Shmoocon 2011 registration.  As a result, I’m watching this year’s festivities through live streaming on uStream. 

This year the network is a lot more solid so far.    However the internet camera seems to be an afterthought.   When not showing the slides, it is pointed at the chest of the speaker.    (make your own joke about that).   Several times they cut the feed during the breaks between speakers and didn’t get back for the start of the next speaker.

There were some audio problems during the introduction by @gdead. So I missed out on any reason for this being the last year of the shmooballs. Was there a liability concern? Or had it pretty much run its course? When was the last time someone threw a shmooball to call BS rather than to give a friend a hard time? I’d also be curious about the change in venue. Was it cheaper rates or was the con asked not to return after the blizzard-induced food riots of Shmoocon 2010?

In many ways I jinxed myself. When I saw the conference had moved motels I said I wasn’t sure I wanted to go. Fate laughed at that and didn’t let me get the golden ticket. So instead this afternoon I set up shop in the “virtualization pit” at work, grabbed some free Pepsi from the fridge, and watched the con on the big screens. And I didn’t even have to ride the Metro.

Common Sense

Does anyone really think that sneezing into your arm is common sense? I suspect that if you do you must have small kids and have been trained by some sort of Elmo video. I don’t recall any mass agreement on sending snot flying into my shirt sleeve as a method of good hygiene.
At Shmoocon Bruce Potter compared the common sense of sneezing into your sleeve (to him apparently a good thing) with common sense security steps. Maybe he’s right, a password policy is kind of like getting snot all over yourself.
My notes seem to have mangled the opening remarks from Shmoocon 2010. The general summary is that it’s a waste to spend a boatload of money on security when you don’t have your policies and procedures clear. You’ve got to start with the basics.
A password policy needs to be applied consistently across all systems. Often the development systems can be compromised and then used to hop back across to the production systems. The dev systems need policy as well.
Network segmentation is important. Soft gooey center anyone?
Auditing. If you aren’t watching, how do you know something bad happened?
We laugh at the TSA, but they have far less fail in their results.

Shmoocon versus the Snowpocalypse

Shmoocon is this weekend. The city is starting to look like something from The Day After Tomorrow.

I live in the DC suburbs, and had considered grabbing a hotel room to take part in what has to be the craziest Shmoo ever. The hotel rates when I checked online were lower than the Shmoo rate. But then I’d still have to pay an insane rate for hotel garage parking. And the Donner party jokes were worrying me too. I could see the hotel running out of food and everything else being closed.

I drove into Ballston on Friday. In December Metro closed the above ground stations without a lot of warning. I knew they’d do it again if snow got to 8 inches, Ballston is the last underground station on the Orange line. Metro didn’t close the above ground lines until 11 pm so that move was unnecessary. The drive back from Arlington out to Clifton was fun.

Today there is no way I’m getting out, so I’m watching what I can on live streaming. I’ll review my notes from yesterday and post if I can come up with anything semi-coherent.

Gartner Information Security Summit

I’m at the Gartner Information Security Summit in National Harbor for the first part of this week. The next few blog entries will be notes from the talks I attended.
I’m a bit surprised to be paying $18 a day to park outside the beltway. (National Harbor’s website claims $11; I guess the hotel garage is more.) It will be reimbursed, but still it’s annoying.
I wonder if there is a lot of crossover between people at this conference and people at Shmoocon? It gave me a chuckle anyway. Probably shouldn’t break out the “I hack charities” t-shirt for this Gartner conference.
As I feared, the usual lack of power options was in full effect. In one room, I was able to sit right by outlets; in another only folding walls were nearby. I didn’t see any power. Looks like my decision to not bring a laptop today was a good one. I’d love to use the tablet for handwritten notes, but at this point the battery life is barely an hour. My mini has some great battery life, but I’m not sure the small keyboard would allow me to take notes very fast. No big deal, it’s better to not have to protect a laptop.

Social Skills and the Security Professional

Just how important is it for the Security Professional to have social skills?
It seems like a broken record. In addition to having degrees, certifications and experience, we are now supposed to glide seamlessly into the board room and converse equally well about business units and legal briefs. It’s not enough to be technically competent; you’ve got to have a good golf game.
At Shmoocon in the closing plenary an audience member asked for a talk next year on preparing a 30 second security elevator talk. If you’re not familiar with the concept, it is that you have a brief elevator ride with an exec. You have their ear. How do you sell security before the door closes? My VP always asks “are we secure” when I see him. I’ve been told by my Infosec brethren that the answer is yes. Personally I think the answer is “HELL NO as long as users have local admin rights”. Or perhaps a joke, “you aren’t in handcuffs yet, so we must be doing something right.”
Bill Brenner of CSO online obtained a good quote from the Hoff, Chris Hoff of Unisys and the Rational Security blog.

“The notion that everyone involved in security needs to be able to put themselves out there, get up and give a presentation to the board of directors is ridiculous. We still need skilled operators in the trenches, continuing to do what they do in the basement. Do I want to discourage someone who is fantastic at pen testing by telling them their career will be limited if they can’t put together a PowerPoint presentation for the board?”

Shmoocon 2009 Day 3

Enough with the Insanity: Dictionary Based Rainbow Tables
by Matt Weir
http://reusablesec.googlepages.com/
Defense against offline password cracking:
1. Salt.
2. Make it computationally expensive, e.g. 100 x SHA1.
Unless of course you salt it wrong. WPA and WPA2 keys are salted with the SSID. NTLM uses the username as a salt.
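The two defences above, a salt and a stretched (iterated) hash, as an added example that is not from the talk or from Matt Weir’s tools: an iterated SHA-1 in the "100 x SHA1" style, a verify routine with a constant-time compare, and a small check that shows the "salting it wrong" point, where a salt shared by everyone (an SSID-style fixed value) makes equal passwords produce equal digests so one precomputed table covers all of them. The record format is an assumption for this example.

```python
"""Added example (not from the talk): per-record salt plus key stretching with an
iterated SHA-1, and a check that shows why a shared salt defeats the purpose.
The 'sha1x<rounds>$<salt hex>$<digest hex>' record format is an assumption.
For new systems use PBKDF2, bcrypt, scrypt or Argon2, which apply the same idea
with far more work per guess than 100 SHA-1 rounds.
"""
import hashlib
import hmac
import os


def stretch(password, salt, rounds=100):
    """Iterated SHA-1 over salt||state. Each round depends on the previous one,
    so the cost is paid once per guess and cannot be precomputed without the salt."""
    state = salt + password
    for _ in range(rounds):
        state = hashlib.sha1(salt + state).digest()
    return state


def make_record(password, salt=None, rounds=100):
    """Store rounds, salt and digest together so verify() needs nothing else."""
    if salt is None:
        salt = os.urandom(16)  # a random per-record salt is the right choice
    digest = stretch(password.encode("utf-8"), salt, rounds)
    return "sha1x%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify(password, record):
    """Recompute with the stored salt and round count; compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    rounds = int(scheme[len("sha1x"):])
    candidate = stretch(password.encode("utf-8"), bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_digests(passwords, salt_for):
    """Count users whose stored digest equals an earlier user's digest.

    `salt_for(user)` supplies the salt used for that user. With one salt shared
    by everyone (an SSID or a hard-coded string), equal passwords give equal
    digests, so a single table built for that salt cracks all of them at once.
    With a salt that differs per user the count is zero even when passwords repeat.
    """
    seen = set()
    duplicates = 0
    for user, pw in passwords.items():
        digest = make_record(pw, salt=salt_for(user)).rsplit("$", 1)[1]
        if digest in seen:
            duplicates += 1
        seen.add(digest)
    return duplicates


if __name__ == "__main__":
    # Constructed users; two share a password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}
    rec = make_record("correct horse")
    print(rec, verify("correct horse", rec), verify("wrong", rec))
    print("shared salt duplicates:", duplicate_digests(users, lambda u: b"CorpWiFi"))
    print("per-user salt duplicates:", duplicate_digests(users, lambda u: os.urandom(16)))
```

A per-user but predictable salt (the NTLM username case from the notes) still gives every user a distinct digest, so it blocks a table shared across users; it does not stop someone from building a table for one known username in advance, which is why a random salt is preferred.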
The Problems with Rainbow Tables

  • Probabilistic in nature
  • Long creation time
  • Two hashes take twice as long to crack as one
  • Collisions result in a lot of wasted work

Traditional Rainbow Tables have been brute force attacks. However, as Lanman hashes are increasingly disabled, and some organizations have implemented long password requirements (14 characters and up), we need to look at other methods. I’ve found NTLM Rainbow Tables to be massive. In my experience, any organization that has a strong password requirement can’t use NTLM Rainbow Tables. Last time I looked there wasn’t a Rainbow Table with length up to 8 and UPPERS, lowers and numbers. It would be too big.
So what do you do? Over at freerainbowtables.com you can download hybrid rainbow tables. From what I see it’s only really short passwords. I thought Matt said they had a version of rcrack to generate your own hybrid rainbow table. That would be pretty cool.
I currently do this through brute force looking for the following:
Aaaa11122, where
A = UPPERS. So in this case the first letter is an upper case letter.
a = lowers. In this case characters 2, 3 and 4 are lower case letters.
1 = lowers or numbers. So positions 5, 6 and 7 are lowers or numbers.
2 = lowers, numbers or “!”. So positions 8 or 9 have that.
I suspect a rainbow table looking at length 8 or 9 with that combination would save me time in the long run.
Matt has developed a dictionary based rainbow tables generator available at the URL at the top of this entry. It can take a dictionary and use common word wrangling rules to create rainbow tables. You can also check for common keyboard combos and double passwords. People often double their current password to meet lengthy password requirements.
I currently use Inside Pro’s Extreme GPU Bruteforcer. (It’s much cheaper than Elcomsoft.) The software is cheap and an NVIDIA GeForce 8800 GT is relatively cheap as well. While watching this talk I was wondering about GPU bruteforcing versus Rainbow Tables. If I can do a hybrid Rainbow Table, is it then possible to write software to do a hybrid attack using the GPU? Or does the way a GPU works make that a bad idea?
JSunpack
By Blake Hartstein
JS Unpack is a JavaScript unpacker available online at jsunpack.jeet.org.
It may be available as a download to run locally at some point.
The Problem:
There is a large volume of malicious JavaScript files. These encoded/encrypted JavaScript exploits are difficult to analyze.
In the past you would need to manually attempt to decode it by downloading it, attempting to modify it to be ‘safe’ and then running it. This is kind of dangerous and requires a sacrificial lamb.
To defeat manual analysis the malware creator would use escape sequences, encryption keyed on tags (so if you change a tag, it won’t decrypt), environment variables as an encryption key, version detection, timing, and blacklisting. Additionally, exploit kits can set their website to only serve the malware once to an IP.
After manual methods, more automated efforts have occurred such as JSDecode by Dave Zimmer, the Ultimate deObfuscator by Stephen Chenette of Websense and Malzilla.
JS Unpack has the following goals:

  • Safety – not requiring a sacrificial lamb
  • Archive content
  • Simulate the Browser and plugins (pdf and flash)
  • Combine the best hooking techniques
  • Enable analysis despite IP blocking
  • Integrate with IDS, crawling and other research

ClamAV is used to statically unpack executables.
Plenary Session: Tough Security for Tough Times
This is mostly random notes from the session:
Security spending is holding steady due to compliance requirements and increasing threats.
The half life of security knowledge is 18 months.
This came back in a discussion of security degrees. Engineering constants don’t change. But very quickly the degree you received could be seen as about as useful as a diploma from the punch card era.
DLP is seen as taking off by one analyst. (I guess when everything is DLP, it must get a lot of sales)
Management needs to understand that security isn’t overhead.
The bad guys have learned to stay below the radar. Business will ignore it as long as a threshold isn’t exceeded.
How do you grow security talent that can relate to business?