Spliced feed for Security Bloggers Network |
Security Briefing: July 24th [Liquidmatrix Security Digest] Posted: 24 Jul 2008 07:40 AM CDT Thursday and I’m finally getting back into the swing of things. The bug that was good enough to take up residence and wreck the place seems to have moved on for the most part. Sorry about the low volume. Click here to subscribe to Liquidmatrix Security Digest! And now, the news…
Tags: News, Daily Links, Security Blog, Information Security, Security News |
these tubes are quick [extern blog SensePost;] Posted: 24 Jul 2008 04:57 AM CDT Kaminsky's thunder has all but evaporated into a fine mist, and Ptacek has gone all silent. In the meantime, the Metasploit crowd put their heads down and produced: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt DNS poisoning for the masses. (If anything ever deserved the tag 'infosec-soapies', this would be it!!!) |
Metasploit Bailiwick DNS Exploit Adds Domains [RioSec] Posted: 24 Jul 2008 01:13 AM CDT Overnight the Metasploit DNS exploit module continues to evolve to more devastating effect. Perhaps most importantly, a new module was introduced based on feedback from Cedric Blancher named Auxiliary::Spoof::Dns::BailiWickedDomain, which replaces the nameservers for a domain, allowing an attacker to redirect all traffic for the entire domain through them. Showcasing the ease of use of the Metasploit Framework, this entire exploit is written in 330 lines, including comments! |
Posted: 24 Jul 2008 12:13 AM CDT Just got done reading the transcript of yesterday's great NAC debate between Joel Snyder and Richard Stiennon. As I predicted Snyder scored a knockout early on and it was mostly over from that point on. The knockout came earlier than I expected though, right off the first question. Each combatant was asked to define NAC and that was when it happened. Richard brought an EPAC (end point access control) to a NAC fight. That was akin to him bringing a rubber knife to a gun fight. A quick bullet between the eyes by Snyder and it was almost painlessly over for Richard. I have been preaching for some time about what I call complete NAC. That is a complete network access control solution, not just network admission control and certainly not end point access control. It is not an evil plot to extend Cisco/Microsoft dominance and most importantly Richard, no one and let me say this again, no one has ever said that NAC negates the need for a layered security model. NAC is just another layer in that model. Richard's comments deriding the .edu and .mil markets were also laughable. Richard, have you ever heard the term military grade? Are you seriously trying to say that enterprises take security more seriously than the military does? Come on now Richard. The bottom line is Joel Snyder is not only a sharp dude technically, but is street savvy enough to run circles around my friend Richard. He made Richard stay focused on the question at hand, did not let him wander and so Richard had to face reality a bit. I am sure Richard will still say NAC is useless and will admonish people about hanging out with the likes of the StillSecure crowd, but I guess some things will just never change. Except, I don't think Richard will be in any more of these bouts. Maybe he can start selling a grill that takes the fat out of meat or perhaps a reality TV show like the other washed up palookas? |
When your flight is DOA [StillSecure, After All These Years] Posted: 24 Jul 2008 12:04 AM CDT Last night I wrote about my first day of this week's road trip and my hotel which doubled as a funeral parlor. Now it is Wed night and I am live blogging from the runway of DC Reagan National airport, on board a Delta flight which has been on this same runway and not moved for the past 2 and a half hours. I say I am live blogging this, but of course you are not live reading this. That is because I have no way to upload this to my server. You see the iPhone 3G, for all the coolness, has no Internet sharing that I am aware of. My old Windows Mobile phone had Internet sharing and if I still had that you would be reading this live right now. But no, not with the iPhone. I was scheduled to connect in Cincinnati right about now. I am obviously missing that connection. I was flying from there to Columbus and driving about an hour and a half from Columbus. I have a 9am meeting tomorrow. So unless I feel like renting a car and driving 4 hours whenever it is I land, I am pretty much missing my meeting tomorrow as well. What to do? a) Should I break out of this plane, run to the terminal and try to get on a flight home to Florida, b) go postal, or c) grin and bear it and try to remember that I love what I do and that is what flying in the summer is all about (actually that summer thing is full of beans, it is no better in winter with weather either!). So here is the update, we sat on the runway for 4 hours! Finally took off and landed in Cincinnati at midnight. I had no connection. Could not get a flight out in the morning, nor rent a car, and most hotels were sold out. I am writing this from the coffee shop of the lovely (and I do mean lovely) Drawbridge Inn. I will miss my meeting in the morning and am booked on a flight home tomorrow. Ah, the life of a road warrior! |
Links for 2008-07-23 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 24 Jul 2008 12:00 AM CDT |
Posted: 23 Jul 2008 11:57 PM CDT I have written before about what a joke I think it is when people write that Microsoft's best days are behind it and that their corporate grave is already being dug. Google is going to usher in a new age of net centric computing and topple the once and future king. Yeah sure. Don Dodge had a good article up the other day about Microsoft's recent end of FY numbers. The Redmond rockets racked up over 60 billion (yeah with a b) in revenue last year, an 18% increase over the year before! They dropped 17.6 billion (again with a b) to the bottom line. To give it some perspective, Yahoo all told only does about 7 or 8 billion in gross revenue a year. Microsoft grew 9 billion in revenue last year. That is, they grew organically more than a whole Yahoo. You can check out Don's article for more financial facts and figures. I ask you ladies and gentlemen, does this sound like the numbers of a company on the way down? If you were a betting person, would you be betting against this monster? I would not be. Do you think by 2011 things are going to fundamentally change? Next time someone tells you how open source, Linux, Google or anyone else is going to kill Microsoft try to put some of these numbers in perspective. |
Leveraging Client-Side Exploits In Your Pentests [Carnal0wnage Blog] Posted: 23 Jul 2008 11:17 PM CDT Wrapping up a pentest this week and got to do a little "user awareness training" with the current and unpatched ActiveX Control for Microsoft Access Snapshot Viewer exploit. F-Secure has a little writeup on it as well as SecurityFocus with POC code. This one is nice because it's an auto-download exploit. You call the ActiveX control and it downloads the file you specify to the location you specify. This is a great exploit from a user training perspective because you can make the binary as benign or dangerous as you want. I of course shoved a reverse shell out over FBP (firewall bypass protocol aka TCP 443). Delivery is simple enough, you create an email with a link (see my metagoofil post if you need help gathering those emails) and ask politely for users with elevated permissions on the network to click on it. You embed snapshot viewer code in that page, point the download location to somewhere fun like all users/startup, and tail -f /apache/access.log to see who browses the site, who enables the ActiveX control (your users do know better right? or you do have your default IE settings to high right?) and who downloads your binary. If all goes well, after lunch you'll have your shell :-) POC code from SecurityFocus: http://downloads.securityfocus.com/vulnerabilities/exploits/30114.html |
The Art of Security and Why Security Vendors are the Root of All Internet Evil [Amrit Williams Blog] Posted: 23 Jul 2008 11:17 PM CDT I was reading a book entitled “A Whole New Mind: Why Right-Brainers Will Rule the Future”, it isn’t terribly well written and has the flow of an idea that was shoe-horned into a literary context, but interesting nonetheless. Anyway against the backdrop of DNSgate (btw - exploit code has been posted - here - thanks guys!) and the complete and utter failure of the security industry to offer anything beyond a never-ending hamster wheel of suites, widgets, add-ons, and modules, the book gave me pause as I reflected on what, for the most part, is a feeling of defeat and despair among security professionals. This is a feeling that ebbs and flows with the conference season and peaks generally around mid-year with the introduction of clever methods of attack and exploitation presented in the carnival-like atmosphere of a Blackhat or *con.
Undetectable hyper-visors? 10 seconds to Internet destruction? 1,001 ways to craft a nefarious browser attack? Conceptually these are pretty scary, especially if you are reading your email and Robert Graham singles you out during one of his side-jacking presentations and shows the world how easy it is to own you and how careless you are for being owned - you wall of sheep know who you are - honestly who wouldn’t want to throw in the towel and acquiesce internet dominance to a 15-year-old svelte Norwegian hacker with a bad skin condition or a gang of Nigerian spammers. It would appear that doing business on the internet is like Dom Deluise swimming naked through shark-infested waters with an open wound while wearing a necklace of dead penguins and carrying a 3 lb salami. It has been argued time and again that the bad guys have the advantage, that we are on the losing side of the OODA loop, that for the most part we are simply sitting ducks and the best we can do is choose to not sit so close to the gaping jaws of a large crocodile and pray that we do not become prey. I contend that feeling is misguided and incorrect. Although it has either been lost as inconsequential or we have been so blinded by the constant carpet-bombing of FUD marketing and the ongoing orgy of disclosure that we are simply numb to it, but we have an inherent advantage in that we use the right side of our brains, whereas the bad guys really have no need to, we are clever, we use art with science, we are driven to find the edge cases, we strive to find the unique and obscure - we believe it is the other way around, but that is a result of the complete incompetence of the major security vendors, who like the Diabetes product vendors, will forever keep us in a never-ending cycle of finger-pricking and insulin injecting security practices instead of actually solving the problem. Wait, what, we have the advantage?
I know it sounds like security blasphemy, but don’t jump off the roller-coaster of semi-rational fun just yet, we still need to ride through the loop de loop.
The internet is resilient, business is even more so, and the good guys tend to spend more time on the problem than the bad guys. |
Penetration testing tools - Nikto [Hackers Center Blogs] Posted: 23 Jul 2008 06:00 PM CDT Nikto is a web server security assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server. Definitely one of the most preferred free web app scanners available.
After a small vacation I'm back on the series of the best tools for web application penetration testers. Last time we took a look at dirb [...] |
Bristol-Myers Employee Data On Stolen Tape [Liquidmatrix Security Digest] Posted: 23 Jul 2008 05:20 PM CDT OK, I’m out of bed and starting to feel a little more human. So, first up. It seems that employees of the pharma giant Bristol-Myers Squibb are a little uneasy today. It turns out that a backup tape containing personal info on former and current staff was pilfered from the back of a delivery truck. Well, that’s gotta suck. From Network World:
I hope it wasn’t Iron Mountain again. They could use a break. While the 458 affected might seem like a small number consider this,
Now, that really sucks. |
Which Blogs Do I Read? [Anton Chuvakin Blog - "Security Warrior"] Posted: 23 Jul 2008 02:50 PM CDT Somebody asked me what blogs I read. I figured I'd post my answer here:
In any case, hope it was useful! |
Metasploit DNS Exploit Now Reality [RioSec] Posted: 23 Jul 2008 11:33 AM CDT As previously predicted, HD Moore has checked in an exploit for the DNS vulnerability originally discovered by Dan Kaminsky. This auxiliary module is named "DNS BailiWicked Attack" (Auxiliary::Spoof::Dns::BailiWickedHost). Written by |)ruid and hdm, this appears to be a fully functioning, easy to use exploit. From the exploit module code: |
San Francisco locked out of its servers [Phillip Hallam-Baker's Web Security Blog] Posted: 23 Jul 2008 11:27 AM CDT A rogue system admin for the city of San Francisco locked the city computer systems and was holding the access key to ransom.
The Not-So-Sweet Life of Supplicants [Security Uncorked] Posted: 23 Jul 2008 10:23 AM CDT There are plenty of integration and configuration challenges when we look at 802.1X, but one of the most notable issues is choosing the right supplicant to best serve your end users. Some of the major obstacles we face with 802.1X center around creating a smooth end user experience. We, as integrators, have the distinct ability to make ‘whatever’ work; we find a way. But, what I hear most from my customers is “it has to be easy for the end user.” (Sometimes they go on a little further, but I’ll leave it at that.) Why does it matter? Wireless, wireless, wireless. Although wired 1X is popular with our customer base, the world isn’t quite flocking to it yet. However, 802.1X is certainly the best way to increase security and ease management of wireless networks. It’s standard, it’s flexible, it’s widely supported by devices and endpoints and it eliminates the need for pre-shared keys or secondary passwords. It’s what most enterprises, government and educational organizations are implementing now, so it’s important. What are some of the problems? The end user will have some adjustments to make, and network admins and support desks aren’t always thrilled with the prospect of re-training users for these expectations.
There are plenty more, but this hits on the major concerns of most organizations planning to implement 802.1X (wired or wireless). How do we address the issues? There are different ways to deal with the complexity of supplicant and end-user interactions. First and foremost, a good end user training program will be needed. There’s a learning curve, but eventually end users will get it; we just have to make sure the transition from ‘now’ to ‘got it’ is smooth and doesn’t overwhelm help desk resources. As the operating systems and clients progress, we’re seeing more integration and the ability to share 802.1X information between disparate pieces of the endpoint. In the meantime, there are also third-party supplicants that can ease several of the pains. Cisco’s Secure Services Client (acquired from Meetinghouse’s Aegis supplicant) and Juniper’s Odyssey Access Client (acquired from Funk) both offer options and configurations not currently available in native OS supplicants. (For example, both offer the GINA shim for integrating Windows 1X login with Novell as well as multiple profile support.) Although I haven’t tried it, my understanding is you can still operate both of these clients independent of the controllers provided from the same vendor. Is it a deal-killer? It can be. The struggle to provide a smooth transition for end users is often a deal-killer for organizations looking at deploying 802.1X. Although there are ways to combat most of these obstacles, often the time, planning and money required to proceed make it unattractive enough to abandon the project. In most cases, the more heterogeneous the endpoint environment is, the less attractive the solution becomes. In an all-Microsoft environment, you can have an 802.1X framework up in a matter of hours. With a mix of authentication directories, endpoint OSs and user expectations, you could spend weeks or months ironing out the details. The good news. Yes, there’s some good news here.
The increased adoption of 802.1X is continually leading to increased integration of the software, operating systems and clients on endpoints. While 802.1X may never reach ‘plug-and-play’ status, pretty soon the integration will reach a point where configuration is simplified enough for more widespread adoption, even in the most diverse environments. Just hang tight, we’ll get there! # # # |
Good stuff in the SCC [Andy, ITGuy] Posted: 23 Jul 2008 09:38 AM CDT I just wanted to take a minute and point you to a couple of good conversations going on in the Security Catalysts Community.
Wired 802.1X and Windows XP SP3- Yes you can! [Security Uncorked] Posted: 23 Jul 2008 08:59 AM CDT I’ve gotten a lot of questions recently about using 802.1X on the wired interface with Windows XP SP3. In the past few weeks I’ve also stumbled across a lot of forum posts, blogs and articles stating you “can’t do wired 802.1X with XP SP3.” Well, sure you can! There is a little trick now, though. As part of the move to the Microsoft NAP integration, they’ve broken out the wired and wireless supplicant management into two pieces. Until SP3, all 1X was handled in the Wireless Zero Configuration (WZCSVC) service. The wired 1X supplicant is handled now by a different service and must be manually started.
How do you start the Wired AutoConfig service? Two ways, the end user (or admin) can do it manually on the endpoint, or you can push it out with group policies. Instead of duplicating a lott’a text, you can find detailed instructions for manual and pushed wired 1X configurations on Microsoft KB article 953650. You can also learn more about Microsoft NAP integration in the Network Access Protection Q&A site. # # # |
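As an added example, not from the original post or from the Microsoft KB article it cites, here is the manual path scripted in PowerShell: it sets the Wired AutoConfig service to start automatically, starts it, and reports the state an admin or help desk would check on a wired 802.1X endpoint. It assumes PowerShell is installed on the XP SP3 host, the script runs with local administrator rights, and that the service's internal name is dot3svc (the Wired AutoConfig service name, which the post itself does not state).

```powershell
# Added example (not the post's own code): enable and start the Wired AutoConfig
# service that Windows XP SP3 uses for the wired 802.1X supplicant.
# Assumptions: PowerShell available on the XP SP3 host, local admin rights,
# and 'dot3svc' as the internal service name of "Wired AutoConfig".
$serviceName = 'dot3svc'

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    # Pre-SP3 hosts have no separate wired supplicant service at all.
    Write-Error "Service '$serviceName' not found; wired 802.1X needs XP SP3 or later."
    exit 1
}

# Startup type Automatic, so the supplicant comes back after every reboot
# (a stopped dot3svc is the usual cause of "wired 1X does not work on SP3").
Set-Service -Name $serviceName -StartupType Automatic

if ($svc.Status -ne 'Running') {
    Start-Service -Name $serviceName
    # Block until the service reports Running, or fail after 30 seconds.
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# Report what the endpoint now sees: status from the service controller,
# and the startup mode from WMI (Get-Service does not expose it on old hosts).
Get-Service -Name $serviceName | Select-Object Name, DisplayName, Status
Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, StartMode, State
```

For a fleet, the KB article's group-policy route is the one to use; this script is the per-endpoint check for the case where a single machine still will not authenticate on the wire.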
For your hacking pleasure - Cold Boot utilities released! [Data-Centric Protection and Management] Posted: 23 Jul 2008 08:32 AM CDT Interesting news over the weekend. Looks like one of the original researchers from the Princeton Cold Boot attack work, Jacob Appelbaum, published all the utilities they used to break full disk encryption products. We, at BitArmor, have talked a bit about cold boot and how we protect against it. Our CEO Patrick and a few of our senior engineers will be presenting at Black Hat on techniques to prevent this attack - check out his perspective as well from his Princeton days. |
Hoff: DNS Debacle In Poetic Review [Liquidmatrix Security Digest] Posted: 23 Jul 2008 05:41 AM CDT T.S. Eliot, eat your heart out. A poetic contribution from Chris Hoff, “The DNS Debacle In Poetic Review“. Love it. Tags: Chris Hoff, Dan Kaminsky, DNS, Halvar Flake, Matasano |
On DNS [Anton Chuvakin Blog - "Security Warrior"] Posted: 23 Jul 2008 12:24 AM CDT I was preparing a long and thoughtful post on the "DNS issue" (mentioning this, this, this, etc), but it was all in vain. This is the last and final word on it. Thanks Rich for the link (he understates and calls it just "genius" :-)) All bow to Hoff's wisdom - and poetic super-powers, of course :-) |
Links for 2008-07-22 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 23 Jul 2008 12:00 AM CDT
The DNS Debacle In Poetic Review [Rational Survivability] Posted: 22 Jul 2008 11:32 PM CDT A few months ago
The blog quickly was pulled
There's two sides to this issue -- Happy patching everyone! ;( /Hoff |
At SANSFIRE 2008 in Washington, DC [Anton Chuvakin Blog - "Security Warrior"] Posted: 22 Jul 2008 09:01 PM CDT I just landed in Washington, DC to speak at SANSFIRE tomorrow (my Lunch and Learn on "Log Management 'Worst Practices'" is on Wednesday, July 23rd - come over, it will be fun!) LogLogic Lunch and Learn Presentation Want to learn all the embarrassing mistakes and pitfalls that await you on the path to log management nirvana? Attend "'Worst Practices' of Log Management" presentation by LogLogic's Logging Evangelist Dr Anton Chuvakin that covers all the things that can go wrong while planning, evaluating, deploying and running a log management solution. Insufficient planning, unrealistic expectations, choosing tools on price alone, lack of logging configuration guidance are among such "worst practices." Each common "worst practice" will be accompanied by suggestions to avoid the errors and do things correctly! Everybody touts "best practices", but this is the place to learn how to avoid the opposite - and have fun in the process. If you want to meet, drop me an email/call or just show up for "lunch and learn." Unfortunately, I am going back right after my presentation tomorrow... |
Posted: 22 Jul 2008 05:46 PM CDT Hat tip to Rothman for this. I don't know if Stiennon is off his meds or simply needed to re-post something from 2001 to meet an editorial quota, but his Network World article titled "The Most Important Networking Trend of 2008" ties thus far with the "Evolution of Dance" as my vote for most entertaining Internet content. Richard's epiphany goes something like this:
Oh, crap! Somebody better tell Cisco! So despite the fact that Cisco ASR1000 is positioned as an edge device as are these crazy solutions called UTM devices, it seems we're all missing something because somehow a converged edge device now counts as being able to provide a "secure network fabric?" In closing, allow me to highlight the cherry on top of Stiennon's security sundae:
Yes, Richard, I do believe I have noticed this... Funny stuff! /Hoff |