Posts tagged ‘Shmoocon’

Shmoocon 2009 Day 2

I really shouldn’t have to wake up at 7:30 am on a Saturday and take the Metro into DC. Fortunately I thought the 10am talk was worth it.
Phishing Statistics and Intuitive Enumeration of Hosts and Roles
by Sean Palka
This talk is about a tool he created and uses in corporate engagements. But as with most things developed on company time, it's not free to be released. The presentation is meant to give you ideas. And it does make me realize that this could be a fun side project if I can't get money for PhishMe and I can't get ahold of Lunker.
The motivation for this tool is to justify to clients that phishing is a useful exercise. He also wanted the tool to gather reliable stats for reporting.
When phishing a company you may find that distribution lists are hit. You may find email forwarded from one user to another. Just as with a marketing campaign, web bugs, images and unique identifiers in URLs are used to determine who is following a link. Most mail clients no longer load images by default, so that cuts down somewhat on the ability to determine that a message was read but the link was not clicked. However, some companies may whitelist their own domain name, allowing images to load automatically.
A bad guy phishing doesn't care who responds. He just wants the credentials. But whitehat phishing needs reports and attribution. You want to know who visited the site without providing the phished-for information. Your phishing site could have contained a browser exploit just as easily.
Tagging or using unique identifiers in URLs does not solve the problem of message forwarding, or of a single user logging in from multiple locations. While timing can be used to determine that the person probably didn't drive home, that person could have used remote desktop. You just don't know if the message was forwarded or if the user is going from computer to computer trying the URL.
An audience member pointed out that you could use images and the client cache to determine if the same computer visits more than once. (I’m not sure how that would work if a proxy is used).
You may be able to determine "important" systems by the responses as well. If one computer has a higher than normal number of responses, it might be a helpdesk or admin checking on user reports. Obviously if NAT is involved, you need to do your phishing from the internal network.
Additionally you can determine social networks by seeing to whom the email is forwarded.
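The attribution logic described above, as an added example (not Palka's tool, which is not public): one unguessable token per recipient, then a report from the landing site's hit log that flags tokens seen from more than one address (forwarded, or one user on several machines) and single addresses that hit many tokens (a helpdesk or admin). The token format, URL and sample hits are constructed.

```python
"""Attribution for a whitehat phishing exercise: one unguessable URL token
per recipient, then a report built from the landing site's hit log."""
from collections import defaultdict
import secrets


def issue_tokens(recipients):
    """One token per recipient, to be embedded in that person's link,
    e.g. https://landing.example/s?t=<token> (hypothetical URL)."""
    return {secrets.token_urlsafe(8): who for who in recipients}


def analyze(tokens, hits, busy_threshold=3):
    """Summarise hits given as (token, client_ip, timestamp, submitted).

    A token seen from more than one client address means the mail was
    forwarded or the same user tried the link from several machines; the
    log alone cannot tell those apart. Behind NAT many users share one
    address, so 'busy_hosts' is only meaningful for an internal exercise.
    """
    by_token = defaultdict(list)
    by_ip = defaultdict(set)
    for token, ip, ts, submitted in hits:
        by_token[token].append((ip, ts, submitted))
        by_ip[ip].add(token)

    report = {
        "clicked": set(),         # recipient followed the link
        "submitted": set(),       # recipient entered credentials
        "multi_host": set(),      # forwarded, or used from more than one host
        "busy_hosts": set(),      # one address hitting many different tokens
        "unknown_tokens": set(),  # tokens never issued: tampering or guessing
    }
    for token, events in by_token.items():
        who = tokens.get(token)
        if who is None:
            report["unknown_tokens"].add(token)
            continue
        report["clicked"].add(who)
        if any(submitted for _, _, submitted in events):
            report["submitted"].add(who)
        if len({ip for ip, _, _ in events}) > 1:
            report["multi_host"].add(who)
    for ip, seen_tokens in by_ip.items():
        if len(seen_tokens) >= busy_threshold:
            report["busy_hosts"].add(ip)
    return report


# Constructed sample: four recipients, eight hits on the landing site.
SAMPLE_TOKENS = {"tokA": "alice", "tokB": "bob", "tokC": "carol", "tokD": "dave"}
SAMPLE_HITS = [
    ("tokA", "10.1.1.5", "2009-02-07T09:01:00", False),
    ("tokA", "10.1.1.5", "2009-02-07T09:01:30", True),   # alice submitted
    ("tokB", "10.1.2.9", "2009-02-07T09:05:00", False),
    ("tokB", "10.1.7.7", "2009-02-07T09:40:00", False),  # bob: forwarded?
    ("tokA", "10.1.9.1", "2009-02-07T10:00:00", False),  # one host, three
    ("tokB", "10.1.9.1", "2009-02-07T10:01:00", False),  # tokens: helpdesk
    ("tokC", "10.1.9.1", "2009-02-07T10:02:00", False),  # checking reports?
    ("tokZ", "10.1.3.3", "2009-02-07T10:30:00", False),  # never issued
]

if __name__ == "__main__":
    for finding, members in analyze(SAMPLE_TOKENS, SAMPLE_HITS).items():
        print(f"{finding:15} {sorted(members)}")
```

Note that alice lands in multi_host only because the helpdesk address tried her link too, which is exactly the ambiguity the notes describe.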
When an internal system is used for a phishing attack, the pros and cons are:
- The firewall prevents external connections. Email may be forwarded externally and responses cannot get to your internal site.
- People may trust the internal IP and act differently.
- You don’t have to worry about your other security filtering getting in the way. This isn’t a test of your spam filter.
- You can build focused attacks on victims.
Whitehat phishing attacks where the website is external have little ability to get the client IP. He said he hasn't had a lot of consistent success using PHP. This limits reporting capabilities when NAT is used.
I didn’t ask if he did customization to use the users names in the target emails.
He doesn’t include training in the tools (as Phishme does) because the focus of his tool is pentesting not security training. While this is understandable given his role at BAH, I think most people looking to do whitehat phishing are going to want to provide the immediate user feedback/training that has been proven to be effective.
Stranger in a Strange Land: Reflections on a Linux guy’s First Year at Microsoft
by Crispin Cowan
A lot of the talk, I felt I’d seen in either the SDL blog or from Jeff Jones’ blog. Basically slides pointing out the success of the Security Development Lifecycle at Microsoft. Security at Microsoft comes down to before the 2002 Bill Gates Memo and after. For those who don’t know, Microsoft shut down coding for a month and re-trained employees in secure coding practices. They then followed up and made sure people did it.
One of the big problems that isn't going away is legacy. There are a lot of applications that rely on doing dangerous, stupid things that they have been allowed to do. There is only so much breakage you can do before people start to push back. (Side comment: it was a huge deal for Microsoft to disable IIS by default in a desktop operating system. Their application vendors expected it to be there.) It is hard to fix architecture issues without breaking old applications. The application base is the value in Windows.
One of the big problems is the massive dependence on local admin. UAC is the stick used to make vendors write their applications so they don't require local admin rights. It's not UAC that sucks, it's the crappy application that needs admin rights just to run.
88% of users participating in the feedback program leave UAC enabled.
Another metric they use is sessions that are UAC prompt free.
In Vista RTM, this was 50%.
With SP1, consumer desktops were at 65% and computers joined to a domain (work computers) was at 80%.
I assume this means the applications are getting improved to not need admin rights. It could mean people stopped using the crappy app.
Middling Everything with Middler
by Jay Beale
Obviously MITM is nothing new. What this project does is:

  1. Inject JavaScript into HTTP
  2. Store session IDs
  3. Intercept logout requests (even if you think you've logged out, you haven't)
  4. Replace https links with http links (your bank site which only uses https for login is now logging you in in clear text)

The purpose of the tool is:

  • Inject javascript into every page
  • Inject temporary or permanent redirects
  • Take over website with Browser exploitation framework
  • Compromise user with metasploit

Middler is available on the InGuardians website.
The Agreement
A group of friends set up a framework of rules to govern as they attempt to 0wn each others computers. When no one else will set up a capture the flag exercise for you, you hack on each other.
http://www.jointheagreement.com/
The Fast-Track Suite
by David Kennedy
The Fast-Track suite will be available in BackTrack 4. Or check out the Fast-Track website.
All I seem to remember is “pop a box.” ;)
Very interesting point and click hacking. As I understand it, some Metasploit attacks were only available for old specific service packs, he has made the attacks more universal.
In pen testing, I believe people use Windows debug to convert uploaded hex into binary. There is a built-in 64 KB limit. He automates a way to get around that by supplying a new debug utility (at least that is how I understood it).
In the demos he'd run an exploit, upload a VNC server and connect to it.
I didn't get a chair during this talk so I don't have a lot of notes.

Shmoocon 2009 Day 1

The next three posts will contain my notes from Shmoocon. This post contains notes from each session I attended on day 1. I’m not trying to necessarily reconstruct the notes into a coherent thought. Hopefully it will be somewhat readable.
Opening Remarks
by Bruce Potter
People are getting owned a lot.
Trends

  • Increased success in getting past our defenses
  • Increasingly malicious motivations. The bad guys aren’t after web defacements
  • In spite of the above, we haven't changed our methods. It's a lot of the same
  • Spear phishing and drive-bys are unabated.

What we have is a Maginot line…in depth
Of 66 million websites indexed by Google, 5 percent had drivebys.
These sites with drivebys weren’t just the risky underbelly of the web. It was every category of website. I don’t think that is surprising to anyone who has paid attention to security.
These findings were published last year in USENIX.
The malicious content on these sites was then scanned using three top Antivirus vendors. The best detection rate among these three vendors was only 75%. The worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.
So What do you do?
NAC? Most people don’t have that deployed even if they’ve bought it.
Firewall Internally?
Token authentication?
Change jobs?
Digging ourselves out
As with most security talks and papers, I felt like a solution wasn't really there. "Fixing fundamental problems." I'm not sure if Bruce defined this. If he means teach everyone to code securely, then burn existing software to the ground and start over: well, keep waiting for that.

The other talks on day one were quick 25-minute talks; I didn't always take notes.
Open Vulture – Scavenging the Friendly Skies
Open Source UAV Platform
Ethan O’Toole and Matt David
I didn’t take a lot of notes on this one. The talk was put together fine. It pointed out the existing/competing projects and how they were different.
Building the 2008/2009 ShmooBall Launchers
by Larry Pesce and David Lauer
When building a pressure based launcher, you’ll have problems with PVC tubing not being rated for the PSI.
The Day Spam Stopped (The Srizbi Botnet Takedown)
by Julia Wolf
We all know about McColo being taken offline in November and the corresponding drop in spam rates.
The bad guys lost their command and control of the botnet when McColo was taken down. The good guys figured out how the botnet was selecting the hostname/domain name used in the backup. (The exact math of that is probably available at blog.fireeye.com or look for the slides when available on the Shmoocon website). By registering those domain names they prevented the bad guys from regaining control.
Under U.S. law they felt they could not send out an "uninstall" command to the botnet army. It would also be risky since the botnet runs in the kernel and you could potentially BSOD the clients.
No one asked about the return of spam that has been reported in January. Is that other botnets taking up the slack? I thought I had heard that a Spanish ISP had brought the bad guys' ASN back online briefly, allowing them to regain control.
Automated Mapping of Large Binary Objects
by Greg Conti, Ben Sangster, and Roy Ragsdale.
The goal of this project is to accurately identify regions in an arbitrary binary object.
Typically you would use a hex editor and a lot of elbow grease. This is trying to automate that, even to the point of identifying one type of encryption versus another.
I found the talk interesting. When you’re doing manual static analysis of files, this could come in handy.
Decoding the Smartkey
by Shane Lawson
Kwikset SmartKey attempts to allow the consumer to rekey their lock without removing it from the door. It is also resistant to bump keying. Here is a video from Kwikset on how to rekey.
Unfortunately, as this talk demonstrates, because of the technology used to allow rekeying it is possible to determine key height, compromising the lock.

Shmoocon 2009

I'm at Shmoocon 5 this weekend. It's my third time down there (missed 1 and 3). Always a good time.
This year’s event has 1500 attendees, 40% larger than last year. 30ish talks chosen from 100 submitted.
The opening remarks kind of paralleled what I’ve been thinking lately. The stakes are high. Yet any sort of targeted attack has a great chance of succeeding. Many of our defenses are the same layer repeated. “We’ve built a Maginot line…in depth.”

Flash still not patched

Ryan Naraine took a look at the Google Analytics for a couple of sites and notes that those visitors aren't patching their Flash.
I'm seeing the same type of thing he's seeing when I look in the Google Analytics report for www.infosecblog.org.
Nearly 30% report that they are running unpatched Flash 9.0 r115.
You’d think if you were at a security blog, reading about Flash updates, that you might want to check if your Flash is up to date.
I'm a little surprised to hear people say that Adobe doesn't have a Flash update mechanism. Until I killed the updater in our environment, users were prompted to update if one was available at the time they accessed a Flash applet.
At Shmoocon, one of the sessions discussed passive vulnerability fingerprinting like this. If you don't have the ability to do authenticated scans on your network, look for opportunities like this to gather version information from the logs.

I can hear you now

Joshua Wright, author of the SANS wireless security course I took recently and presenter of one of the better talks at this year's Shmoocon, has a 5-minute video on Bluetooth phone earpiece hijacking.
As he says in the intro, as states require hands free devices more and more people are turning to bluetooth headsets. But what of the security? See his video below:

Shmoocon Day 3

On the final day of Shmoocon I went to two talks. Here’s some notes.
I’m still fighting the cold that hit just after the conference. Three days of sick people on the metro and in a hotel ballroom seem to have taken their toll.
Dan Griffin, Hacking Windows Security
This talk presented four tools, three of which were developed while he was working for Microsoft and are available on MSDN.
Hacking smartcards was an interesting concept for fuzzing smartcard middleware. I’m not sure if it was the early start to the day or not, but I didn’t understand if this was a problem in the smart card driver software as it comes in Windows or if this would be smart card software already written.
“Smart Cards have a vm and shouldn’t be treated as trustworthy.”
The other parts of the talk used "hack" in the older white hat sense of the word. He showed how to add a new algorithm such as Twofish to Windows.
PEAP: Pwned Extensible Authentication Protocol, Wright, Antoniewicz
If you're up on wireless security you probably know this. Otherwise it's a good presentation. Worth checking out when posted to shmoocon.org.
With EAP, your access point and RADIUS server are exposed to the world. Does it seem like a good idea for a RADIUS server to be so attackable?
To this point the supplicant and radius server code have not been explored thoroughly. This is a great opportunity for research.
EAP-MD5
- Not RFC 4017 compliant
- No support for encryption key delivery
- No native supplicant in Windows
- eapmd5pass: a tool that reads a pcap file (or monitors live) and brute forces the password
LEAP
- Security through obscurity with a proprietary protocol
- MSCHAPv1, attacked through the asleap tool
EAP-FAST
- Uses a PAC (protected authentication credential)
- But the PAC is transmitted anonymously by default (EAP-FAST Phase 0)
- If you use manual PAC provisioning, you now have a cumbersome process that must be repeated as the PAC expires.
- A rogue AP could be used to get the client's MSCHAP credentials.
EAP-TTLS
- Mutual authentication between client and server.
- You can still screw things up by not verifying the server certificate. This allows anyone to impersonate the RADIUS server.
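The server certificate point above, as an added wpa_supplicant.conf example (not from the talk or its slides): the first network block omits a trusted CA, so the supplicant accepts any certificate and hands its MSCHAPv2 exchange to whoever answers; the second pins the corporate CA and requires a matching server name. SSID, identity, CA path and server name are assumptions, and `domain_suffix_match` needs a reasonably current wpa_supplicant.

```conf
# Weak: no CA pinned, so the supplicant accepts whatever certificate the
# "RADIUS server" presents and sends the inner MSCHAPv2 exchange to it.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.com"
    password="(placeholder)"
    phase2="auth=MSCHAPV2"
}

# Corrected: trust only the corporate CA and require the server name to
# match, so a rogue AP with a different certificate is rejected before
# phase 2 starts. Paths and names are assumptions for this example.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.com"
    password="(placeholder)"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

The same two settings apply to a PEAP block (`eap=PEAP`); the inner MSCHAPv2 is only as safe as the outer tunnel's certificate check.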

Shmoocon 2008 Day 2

Here are some notes from Shmoocon day 2. Today was a return to the traditional Build It, Break It, and Bring it on tracks. Here are some notes/summaries from the sessions I attended. It was another fun day.
Active 802.11 Fingerprinting, Bratus, Cornelius and Peebles
How can you identify if an access point is legitimate or rogue? Does two way RSA crypto solve the problem of a rogue AP? The speakers would argue that if you are communicating with a rogue AP, the use of certificates could actually cause more information to be given away to the rogue. You could certainly be exploited in your communication as well if your wireless drivers have vulnerabilities.
Just as with OS fingerprinting through TCP, the wireless protocol can be abused to send unexpected traffic to the AP and fingerprint how it responds. They built a tool called Baffle using Ruby to perform this test. They were able to verify that the access point was using the driver that is expected.
If you're expecting a Linksys AP and I set up a rogue Linksys AP, this isn't going to help you, at least from my understanding of the talk. An audience member asked if this could be used with ad hoc (client-to-client) connections as well. It cannot be used for that because the APs are much more chatty and have more negotiation.
The remainder of the time was a presentation on access point hiding. I did not catch the presenter's name. Basically anything that has some room inside and sufficient power could be refashioned to contain an AP. This assumes that you need to be stealthy about placing a rogue AP in the first place. The take home for me from this section of the talk was the question, "if an AP enabled itself at 2 am (either to let the hacker in, or to move some data out) would you catch that?"
Smarter Password Cracking; Weir, Glodek
Not a lot new here.
Password cracking is getting tougher. Sometimes users are forced to pick better passwords. Often developers are throwing in a salt or hashing multiple times. A salt makes a precalculated table attack difficult. Multiple hashes attempt to increase the calculation penalty of an offline password attack. For example, while Word's password mechanism was once trivial to break, Word now uses 5000 rounds of SHA-1 and a huge salt.
In the last year or two several password troves have become available to all. In the past researchers didn't have a way to report on user password selection. After the passwords collected by MySpace phishers leaked, researchers had a large collection of legitimate passwords. Many of the passwords were tremendously weak and thus not comparable to enterprise passwords.
When setting out to crack passwords, it is helpful to figure out how the users select their passwords. This gives the cracker a better chance at success.
I was hoping to take from this lecture a script to analyze a list of passwords and display the tendencies found. I would like to be able to easily run a report that says: 30% of users' passwords were revealed in testing. Of those, 90 percent were in the format Aaaaaa11 (A=upper, a=lower, 1=any number). I don't see that script on his website; I'm going to check back later.
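The kind of report wished for above, as an added example (my own code, not Weir and Glodek's): each revealed password is reduced to its character-class mask (Aaaaaa11) and to its run structure (Aa1, so Summer08 and Winters2009 fall in the same bucket), then the most common patterns are reported as a share of what was revealed. The password list and account count are constructed.

```python
"""Mask report over a set of revealed passwords: the kind of
'Aaaaaa11' summary described in the notes above."""
from collections import Counter


def mask(password):
    """Character-class mask: A=upper, a=lower, 1=digit, ?=anything else."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("A")
        elif ch.islower():
            classes.append("a")
        elif ch.isdigit():
            classes.append("1")
        else:
            classes.append("?")
    return "".join(classes)


def structure_of(password):
    """Collapse runs in the mask so that Summer08 and Winters2009 both
    count as 'Aa1': one capital, lowercase, then digits."""
    m = mask(password)
    return "".join(ch for i, ch in enumerate(m) if i == 0 or ch != m[i - 1])


def report(revealed, total_accounts, top=5):
    """Percent of accounts revealed, plus the most common exact masks and
    run structures, each as (pattern, count, percent_of_revealed)."""
    n = len(revealed)
    if n == 0 or total_accounts == 0:
        return {"revealed_percent": 0.0, "masks": [], "structures": []}

    def ranked(counter):
        return [(k, v, round(100.0 * v / n, 1)) for k, v in counter.most_common(top)]

    return {
        "revealed_percent": round(100.0 * n / total_accounts, 1),
        "masks": ranked(Counter(mask(p) for p in revealed)),
        "structures": ranked(Counter(structure_of(p) for p in revealed)),
    }


# Constructed sample: 6 of 20 test accounts had their password revealed.
SAMPLE_REVEALED = ["Summer08", "Winter09", "Eagles12", "password", "Jan2009!", "Monkey1"]

if __name__ == "__main__":
    r = report(SAMPLE_REVEALED, total_accounts=20)
    print(f"{r['revealed_percent']}% of accounts revealed")
    for pattern, count, pct in r["masks"]:
        print(f"  {pattern:12} {count:3} ({pct}%)")
    for pattern, count, pct in r["structures"]:
        print(f"  {pattern:12} {count:3} ({pct}%)")
```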
They’re hacking Our Clients, Why are we focusing only on servers; Beale
This talk had two major sections. The need for patching clients, and a poor man’s way to find clients that need patching.
In the first section Beale said that in pentesting engagements they now attempt to get to the internal network through client side attack. Often they are limited by engagement rules to the computers belonging to IT staff or security folk. Even with this set of users they are consistently able to perform attacks on the browser, mail client, Office, Adobe Reader, etc. Core Impact and Metasploit are two tools mentioned.
The bad guys moved to client side attacks years ago. Their biggest problem is managing all their owned boxes.
The question is asked: isn't this just social engineering? There are two responses to this. No, sometimes attacks autorun without user interaction. Yes, but the human firewall is imperfect. Even the most educated users get fooled. It's still appropriate for a pentest.
Comment from the audience – Once it reaches the user, freakin game over.
The attackers only have to find one vulnerable human or one vulnerable software install.
Isn’t this a patch management problem, Beale asks rhetorically.
He says yes, but not every organization has patch management.
Also, patch management needs to know about every system to patch it. It needs rights. It often doesn't patch every product. Most people don't have that complete an inventory of what is on their network.
To address these issues, the speaker proposed using User-Agent strings to self identify vulnerable systems. That information could be collected in HTTP proxy logs, and email servers. Vulnerable clients could be denied further access.
While you could do further things such as implement something like the Master Reconnaissance Tool to gather browser plug-ins, there is still vulnerable software that you don’t address in this way.
Another idea is to look at the metadata for recently created files on your fileserver, sharepoint, in email. Apparently you can determine the version of the software used to create the document. A vulnerable version and a recently created document equal a problem that needs to be addressed.
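The User-Agent idea above, as an added example (my own code, not Beale's): pull the User-Agent out of combined-format proxy or web server log lines, recognise the browser family and version, and list clients below a version floor. It also serves the "gather version information from the logs" point in the Flash post on this page, with one caveat: plugin versions such as Flash are not in the User-Agent, so for those you need an analytics report or a page that enumerates plugins. The version floors and log lines are constructed.

```python
"""Flag out-of-date browsers from the User-Agent strings in web/proxy
access logs (combined log format). Version floors are placeholders."""
import re

# Lowest version treated as patched, per browser family. These are
# constructed placeholders; set them from your own patch policy.
MIN_VERSION = {
    "Firefox": (3, 0, 6),
    "MSIE": (7, 0),
    "Chrome": (1, 0, 154, 48),
}

# Chrome's UA also contains "Safari", and both contain "Mozilla", so the
# order of these patterns matters: most specific first.
UA_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Chrome", re.compile(r"Chrome/(\d+(?:\.\d+)*)")),
    ("MSIE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"'
)

def parse_version(text):
    """'3.0.5' -> (3, 0, 5); tuples compare element-wise, so a shorter
    tuple such as (3, 0) sorts below (3, 0, 6)."""
    return tuple(int(part) for part in text.split("."))

def classify_ua(ua):
    """Return (family, version_tuple), or (None, None) if unrecognised."""
    for family, pattern in UA_PATTERNS:
        m = pattern.search(ua)
        if m:
            return family, parse_version(m.group(1))
    return None, None

def is_outdated(family, version):
    floor = MIN_VERSION.get(family)
    return floor is not None and version is not None and version < floor

def outdated_clients(log_lines):
    """Map client address -> set of (family, version) below the floor.
    Lines that are not in combined format are skipped."""
    found = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ua = m.groups()
        family, version = classify_ua(ua)
        if is_outdated(family, version):
            label = ".".join(str(p) for p in version)
            found.setdefault(client, set()).add((family, label))
    return found

# Constructed sample log lines (combined format).
SAMPLE_LOG = [
    '10.0.0.11 - - [07/Feb/2009:10:15:02 -0500] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"',
    '10.0.0.12 - - [07/Feb/2009:10:15:09 -0500] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10.0.0.13 - - [07/Feb/2009:10:16:44 -0500] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"',
    '10.0.0.11 - - [07/Feb/2009:10:17:00 -0500] "GET /a HTTP/1.1" 200 100 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.48 Safari/525.19"',
    'not a log line',
]

if __name__ == "__main__":
    for client, versions in sorted(outdated_clients(SAMPLE_LOG).items()):
        print(client, sorted(versions))
```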
Since I do vuln scan all online systems, and I do have a patch management system, the second part of the talk wasn’t as interesting. It seemed like a lot of work just to catch a small number that missed the patch management and vuln scanning. I do see the usefulness in a University or other similar environment.
VOIP Hopper; Ostrom and Kindervag
This was a strong talk demonstrating the new version of their voiphopper program. Most people outside that room think that a VLAN is a security separator. The talk showed how easy it is to get onto the voice VLAN. In IT there is also a low awareness of VOIP threats. People think, "you can't access corporate data from an IP phone."
voiphopper now includes a Cisco Discovery Protocol generator making it really easy to pretend to be a VOIP phone.
Mitigation-
1. Use Cisco's phone CDP security provided in 12.2.36 SE. This requires a phone to have power or it will shut down the port. (One wonders how that would work in my case, where a bad blade wasn't providing power for some ports and I was given a brick for my phone instead of using Power over Ethernet.)
2. MAC address filtering
3. Disable the PC port on the phone. (This is for the lobby phones and the like, which shouldn't have a PC plugged into them.)
Got Citrix? Hack it!; Gupta
One audience member correctly asked for fewer IE vulnerabilities and more about Citrix. I agree. The vulnerabilities presented all existed because Windows was not secured for the role the system was playing.
Gupta has a good point that people think putting something behind Citrix is equal to securely serving it.
We did not get to see a couple of demos because the wireless network was down during this session. I'd recommend either not relying on an unreliable medium for a presentation or having a video backup. We were left with a session cut short, and a feeling of disappointment.

Shmoocon 2008 Day 1

I’m down at Shmoocon this weekend. I’ve been to two of the four Shmoocons. Apparently I only go on even years.
Here are some notes. This is probably going to be even less coherent than usual as it's getting late and I need to be back down there tomorrow.

David Hulton, “Intercepting GSM Traffic”

As I understood it, this talk described a "known plaintext" attack on the session key between a GSM phone and the tower. It still requires massive computational power, although the hardware and time cost is much lower for this attack than for previous attacks. The solution will probably be more networks switching to 3G.
David Smith, Forensic Image Analysis to Recover Passwords
This talk described his attempt to recover passwords from core dumps, swap, memory dumps, logs, deleted temp files, slack space and internal history.
He is currently working in Perl to search for strings of a certain length and then give them an entropy score.
An audience member suggested starting with a clean OS image to easily rule out the OS files from the gathered strings.
In terms of defenses, I would start with not saving passwords in easily reversible forms (a browser saving passwords, for example). Next, I would consider wiping the free space. Full disk encryption would be the best defense, assuming you don't get caught while the computer is booted.
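The string-length plus entropy-score approach above, with the audience member's clean-image baseline folded in, as an added Python example (my own code, not Smith's Perl): pull printable runs of a minimum length out of a raw image, drop strings already present in a clean OS image, and rank what is left by Shannon entropy so low-entropy filler sinks. The sample "image" and baseline are constructed bytes.

```python
"""Triage of printable strings pulled from a raw image (disk, swap,
memory dump): keep runs of a minimum length, drop strings known from a
clean OS image, and rank the rest by Shannon entropy."""
import math
import re
from collections import Counter


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution:
    0.0 for 'aaaa', 1.0 for 'abab', higher for mixed-case/digit/symbol mixes."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def extract_strings(blob, min_len=8):
    """Runs of printable non-space ASCII of at least min_len bytes.
    Passwords containing spaces would be split; widen the class to
    [\\x20-\\x7e] if that matters."""
    pattern = re.compile(rb"[\x21-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def rank_candidates(blob, known=frozenset(), min_len=8, min_entropy=3.0):
    """Unique strings from blob, minus the known set, scored and sorted
    by descending entropy; strings below min_entropy are dropped."""
    scored = {}
    for s in extract_strings(blob, min_len):
        if s in known or s in scored:
            continue
        e = shannon_entropy(s)
        if e >= min_entropy:
            scored[s] = round(e, 3)
    return sorted(((e, s) for s, e in scored.items()), reverse=True)


# Constructed sample "image" and a constructed baseline from a clean install.
SAMPLE_IMAGE = (b"\x00\x00MZ\x90\x00kernel32.dll\x00\x00"
                b"Password=Tr0ub4dor&3\x00\x00aaaaaaaaaaaa\x00"
                b"user=alice\x00short\x00kernel32.dll\x00")
CLEAN_BASELINE = frozenset({"kernel32.dll"})

if __name__ == "__main__":
    for entropy, s in rank_candidates(SAMPLE_IMAGE, CLEAN_BASELINE):
        print(f"{entropy:6.3f}  {s}")
```

On a real image the baseline set comes from running extract_strings over the clean install and the candidate list is still long; the score only orders the manual review, it does not replace it.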
Syn Phishus, Unauthorized phishing exercise
This is the talk I was most looking forward to. Syn, as a security contractor, decided to phish the computer security department (consisting of 200 employees). He created a phishing campaign announcing the company's ID theft insurance vendor signup. If users clicked on the link in the email, they were prompted to log in using domain credentials; if they hit submit or cancel they were counseled not to be so dang gullible.
The goals for this project were to raise security awareness, demonstrate that policies require enforcement and education, get corporate communications to sign their email and create a service the company could sell. He didn’t tell anyone before doing it. He didn’t want anyone else to take the risk. He tried to make it easy for IT security to respond to by putting information in the comments on the phishing site, and by using a computer connected to the corporate vpn for his phishing attack.
As you might expect this did not go over well with his company. Doing something like this is definitely a career limiting event. You should always have a get out of jail free card, that is something in writing authorizing you.
edited to remove incorrect assumption about Syn and another phishing venture. Sorry about that.
Deral Heiland, Web Portals
This talk was about a pentest facilitated by the company’s internet portal.
Portals provide easy access to corporate data. They can also be huge threats to the internal network.
The problem with this particular (unspecified) portal is two fold. One is it accepted unauthenticated traffic and two, the portal had full access to the network. The portal accepted and processed GET commands so you could create a query to the portal that would have it open a website on the internal network. By trying common internal address space, you could find anything running a webserver. This ranged from things like printers, Compaq Lights Out board, network equipment, the SAN administration. Bad news for the company if a hacker had uncovered this.
This is why they should have required strong authentication for everything on that server. The server should also have been filtered from internal access so that only required services could be accessed. A layer 7 firewall could have prevented the portal from being exploited as well.
Isaac Mathis, Hacking the Samurai Spirit
This was actually an interesting talk about how differences in culture influence security.
Deviant Ollam, Latest News on Bump Key Attacks
This was fairly routine for anyone who is up on bump keys.
Anti-bumping technology is starting to make its way into common consumer-level locksets. Master Lock and Kwikset appear to be gearing up to sell consumers on this added protection.

Shmoocon Commuting

If you're heading down to Shmoocon in DC February 15th to 17th, allow extra time if you're taking Metrorail. Metro is performing platform repair at the Metro Center stop. WMATA recommends allowing an extra 30 minutes. This should start late enough to not be a problem Friday, but it will be annoying Saturday and Sunday.
Parking at the Wardman Park Marriott is $13/hour ($28/day). I don't know of alternative parking down there.

ShmooCon: Network Black Ops

Dan Kaminsky received fame a few months ago by querying DNS cache results to see how many DNS servers worldwide had cached the resolution of the FQDN used to check in by machines with the Sony rootkit. He talked about that as well as IP fragmentation attacks, DNS poisoning, and the trouble you get into when scanning all the DNS servers on the internet.