Posted: 26 Jul 2008 12:00 AM CDT
Posted: 25 Jul 2008 03:58 PM CDT
Last night we decided to discuss a little more on the DNS vulnerability issue that’s been the hot topic everywhere in terms of detection and defense. Thanks to guest Chris Wilson for his invaluable insight into the snort signature we were provided by alexkirk in #snort on irc.freenode.net. We also discussed detection of encrypted traffic on [...]
Posted: 25 Jul 2008 03:01 PM CDT
One of the things that I have always not understood about HIPAA is what teeth these regulations have and who is going to enforce them. There are plenty of firms willing to take your money and rubber stamp you HIPAA compliant, but who is going to say you're not HIPAA compliant and why should you care? Finally reading this article in Security Bytes it looks like the federal government has stepped up to enforce HIPAA and has put some bite behind the bark. Providence Health in Seattle was fined 100k by the US Department of Health and Human Services for losing data containing patients' information.
I say good for the HHS! A few well publicized fines where people had to pay real money will go further in getting people to take HIPAA seriously than all of the other dog barking and warnings that have taken place to date. The same goes for other regulations and statutes on compliance as well. Let's hear about some financial sanctions or penalties around PCI and you will see a drastic rise in compliance there as well. Rules and regulations without enforcement serve no purpose at all and hurt more than they help.
Posted: 25 Jul 2008 12:40 PM CDT
I came across these guys a month or so back when I was looking at topics for one of our shows, and I don’t remember whether I touched on them or not, but this project is definitely worth a second look. Their community seems small right now, but the idea behind what they’re doing seems [...]
Posted: 25 Jul 2008 11:51 AM CDT
With more details to come soon, we launch the next Catalyst onTour Adventure on Tuesday. After a quick stop at Hershey Park, we’re heading through Ohio to pick up some books and then into KC for the weekend. We’ll arrive in Vegas on Monday.
A few of us have been kicking around pulling together an informal, low-key, low-stress gathering while in BH. Since we’re bringing the RV (the whole point of the onTour approach), this is a good time to work out the “onTour Tailgate” series.
Since my Tuesday event got cancelled, I am looking at hosting people at our location on Tuesday, 4-7p. This allows time for BH and the evening parties - but also a chance to unwind and meet new people, make some friends, unwind. Depending on when people come in, I’d be happy to consider Wednesday or Thursday, too. (note: if you cannot make it Tuesday but want to meet/speak - shoot me a note and we’ll connect).
I know there are a lot of parties, events with booze and such. I see this as a chance to pull together, meet each other and have some time to kick back. There are no sponsors for the tailgate (though I wouldn’t refuse ‘em); instead, this is a self-supported event where everyone brings something and makes new friends.
More details/discussions here: http://www.securitycatalyst.org/forums/index.php?topic=900.0
Unless otherwise noted (or encouraged to go a different direction), plan for Tuesday 4pm. Here: http://www.oasislasvegasrvresort.com/
Companies Coming to Vegas
I am working on publishing a criteria list for pitches. I like learning about different solutions - but I want to make it easier to pitch me and explain the value. Look for something in the next 10 days. Meantime, if you’re going to be at BH and want to share your vision - shoot me a note and we’ll connect. I’ve already declared where I’m staying - and happy to meet anyone at the “rolling office.”
Posted: 25 Jul 2008 10:19 AM CDT
Now, a lot of people who work for small businesses called me an idiot for this.
And you know what? Maybe they are right :-)
When I was a sole sysadmin for a small ISP, I didn't share my passwords with management either. They never asked ... but that is not the point. I would not have passed "a bus test", which is "will a business still run if a sysadmin is hit by a bus" [or, "goes rogue", by whatever definition of "rogue"].
Keeping all this in mind, will you accept it if your bank closes its doors until they can figure out what the password is on their database? Didn't think so ...
So, my point was that, in my opinion, it is an unacceptable risk for all but the smallest organizations to have one person who has the power to control access to critical systems AND to place no controls (neither monitoring, auditing nor preventative) on his activity.
AND that is why, back in my ISP days, one day a boss came to me with an old ragged notebook and said "write down the passwords here." I did. The notebook went back into his pocket (and then, presumably, in some more "secure storage," like the back of his closet at home or something :-))
Posted: 25 Jul 2008 08:38 AM CDT
Posted: 25 Jul 2008 07:19 AM CDT
Good morning. The end of a strange week. I hope to be back to full stride next week with the postings. News is brief this morning but, I’ll update it later on today. In the meantime have a great weekend everyone!
And now, the news…
Posted: 25 Jul 2008 12:00 AM CDT
Posted: 24 Jul 2008 11:00 PM CDT
I came across this the other day and bookmarked it so I could write about it. This is a short list of some of Mark Cuban’s rules for startups. I’ve never started a company and to this point of my career have never been involved in a startup. I’m sure somebody reading this has and might find this useful. It's a little old but interesting just the same.
Posted: 24 Jul 2008 08:24 PM CDT
So, unless you’ve been hiding under a rock for the last little while you’ll know that Dan Kaminsky broke DNS in a rather big way.
And you’d know that the gory details hit the tubes of the internet a couple days ago.
Hell, there was even a poem about the whole mess. (bless you Hoff)
Now, the DNS ’sploit has been weaponized. HD Moore and company over at Metasploit have released it. For a full write up on it check out our friend, Nate McFeter’s, blog posting on the DNS exploit. Yes, it is being actively exploited.
This storm has of course reignited the inevitable (and tiresome) disclosure debate. Let me save you the trouble and cut right to the chase…
PATCH YOUR FSCKING DNS SERVERS.
Consider yourselves warned…again.
OK, I’m tired talking about this subject. What else is going on in the world?
Posted: 24 Jul 2008 06:46 PM CDT
The DNS vulnerability drum beat goes on. Based on a recent CERT Report published today at least 2/3 of Austrian recursive name servers have not yet been patched. The conclusions are rather grim so far – more than two thirds of the Austrian Internet’s recursive DNS servers are unpatched while at the same time the upgrade adoption [...]
Posted: 24 Jul 2008 05:23 PM CDT
Thanks to Rich, I had an opportunity to write a review of SecuriKey Professional for MacWorld. They sent me the USB key fobs, I played around with it for a couple of weeks on my MacBook Pro, and I generally liked the product. The only thing I wish they’d do is enable whole disk encryption, which may be a future feature. In any case, give it a look and tell me what you think.
By the way, SecuriKey has a Windows version too.
Posted: 24 Jul 2008 04:28 PM CDT
In case you haven’t heard yet of the massive DNS vulnerability discovered by Dan Kaminsky (US CERT advisory here), don’t forget that DNS is as common in process control environments as it is in Enterprise IT, and this advisory affects us just as keenly as our corporate cousins. How many control systems use DNS to resolve the addresses of PI servers and other infrastructure? Be sure to check and patch your DNS servers!
For reference, the Microsoft patch for this vulnerability is MS08-037 and was released with the July patchset.
Posted: 24 Jul 2008 02:48 PM CDT
Maybe I should call it "on stupidity" and add it to my "Nobody Is That Dumb... Oh Wait" series?
Really, when I first heard about it, I was like "ah, come on, I am sure the journalists are just mis-reporting it; nobody is that dumb in their approach to system security."
Well, they really were that dumb.
Honestly, from the "blatant disregard of common sense", this is very, very high on the list (many in security agree, some in IT disagree). This is where the words "a huge data security risk" really sound like a mild understatement.
But you know what is the most scary about this case? The fact that there are MANY organizations who manage their networks the same way: one admin with ALL the access and NONE of the monitoring.
One person + ALL access + NO accountability = you are screwed!
Also, in light of this, do you still think that "insider attacks" is some kinda security vendor propaganda? Well, go tell Terry Childs that :-) Even though some people still think that he is a good guy (more on that on Slashdot)
What also caught my attention is that some retard called his bail ($5m) "ridiculously high." Well, if he was an outside hacker, say a Romanian script kiddie, jailed for hacking the SF network, would they release him for $5m? Maybe not! Now, do you get that this case is actually MUCH WORSE? A hacker might have gained access to many assets; this guy did have access.
Are you OK with it?
If not, do something - start logging and monitoring (and then controlling) their actions! If you think you cannot control them, then just monitor; if you think you can neither control nor monitor, then at least log them so they will know that there will be enough good evidence to let them rot in jail for many years ... Or, if you prefer an easier alternative, stop calling your business YOUR business.
Posted: 24 Jul 2008 01:55 PM CDT
One of my responsibilities as security cruise ship entertainment director is to distill the most complex things down into bite-sized digestible nuggets of chewy informative goodness whilst ensuring a good time is had by all.
It is in this spirit that I offer this gem regarding the release of PoC/Exploit code by supposed "whitehats" immediately after the disclosure of a nasty vulnerability. This post is random, of course, and is in no way a reference to any current event.
This quip was brought to you via Twitter which managed to stay up and functional long enough for me to tweet it:
That is all.
Posted: 24 Jul 2008 01:24 PM CDT
This whole DNS issue has become a "circus" to put it in the words of Chris Hoff. First there was the ruckus around the fact that Dan Kaminsky was only releasing some details of the vulnerability. People called him names and said unkind things about him. Then he met with a group of people and gave them details. They agreed with him that it was a bad thing and that we needed to patch now. Those who said things about him apologized. Then people started publicly speculating about what the problem could be. Those that knew were sworn to secrecy. The rest of us were left to make our own guesses or talk about what we heard others say it might be. Then Halvar Flake put his cards on the table and the guys at Matasano confirmed his speculation. That opened up a whole new series of discussions. Why did Matasano have a post ready to go? Why did they post it and then retract it? Was it an accidental posting or done purposefully? Some got mad at them and others praised them for giving us the details.
Now HD Moore has released an exploit for Metasploit. This makes it much easier for script kiddies and others to now use this against unpatched DNS servers. It also makes it much easier for the bad guys who don't already have an exploit to get one to use against the rest of us. All of this has led to lots of discussion on the internet and twitter. Should HD Moore have released an exploit? But the bad guys probably already have one so what does it matter. If he didn't do it someone else would. Etc... Some of the comments are valid and some are just stupid. Some are speculating that HD, the Matasano team and others are trying to steal Dan's BlackHat spotlight. Then there is the whole argument as to whether or not Dan should even have a BlackHat talk planned on this.
I am a proponent of tools such as Metasploit and Core Impact. I think that they serve a good purpose for those of us in information security. I use Metasploit myself to test my systems. Even if they can be used for bad that doesn't mean that they don't have their place in the world of technology. If we didn't have them to test our systems with then we wouldn't really know how vulnerable we are. But I think that HD stepped over the line with releasing this exploit at this time. There is NO valid reason for it to be released. There are LOTS of other ways to test if your system is vulnerable. You can go to Dan Kaminsky's site and test it there. If it's a Windows machine you can run Windows Update. If it's a *nix system you can check to see when the last patch was applied. Lots of ways besides using Metasploit. Not to mention that it hasn't been that long since the patches were released. Lots of companies haven't patched yet due to testing, apathy, ignorance of the issue, etc.. From all I can tell AT&T still has lots of unpatched servers used by the iPhones and DSL service. @Techdulla on Twitter commented that he called his ISP to ask them why they hadn't patched and one of their engineers said "What patch are you referring to?" I'm afraid that is the response of lots of DNS admins.
As security professionals we have to be responsible in how we practice our profession. If not then we are putting ourselves and our users at risk. We are even putting others at risk with our actions when we are irresponsible. Just as the guys at Matasano were irresponsible for having a ready to go post with details on the DNS vulnerability, HD acted irresponsibly by releasing an exploit for this. We can't just do something to be the first one to do it. We have to act in a responsible manner or we risk losing the credibility that we have built within the community of other information security professionals.
Now I'm going to ask your opinion. I'll put up a poll shortly that I'd like you to participate in. Here is the question and the answer choices.
Should HD Moore have released an exploit for the DNS Vulnerability?
A. Yes, we deserve to have it
B. Yes, if he didn't someone else would
C. Yes, the bad guys already have their own
D. No, it was irresponsible of him to do so
E. No, it's too early and several people haven't patched their servers yet.
F. No, we don't need WhiteHat exploits.
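The post above points out that there are ways to check whether a resolver is exposed without running an exploit against it. One property the vendor patches for this vulnerability introduced is randomization of the source port on outbound queries, so an operator can sample their own resolver's outbound traffic and check how many distinct source ports it actually uses. The script below is an added example and is not code from any of the posts in this digest; it parses a constructed, hypothetical query-log line format (the `sport=` and `txid=` field names are assumptions, not the output of BIND or any real resolver) and reports whether the observed ports look fixed or randomized.

```python
"""Assess source-port randomization of a recursive resolver from a
sample of its outbound queries.

Added example, not from any post in this digest. The log format is a
constructed, hypothetical one; substitute a parser for whatever your
resolver or packet capture actually emits.
"""
import math
import re
from collections import Counter

# Constructed sample: a resolver that reuses one outbound source port.
FIXED_PORT_LOG = """\
2008-07-24T10:00:01 resolver=ns1 qname=www.example.com sport=32768 txid=4f21
2008-07-24T10:00:02 resolver=ns1 qname=mail.example.com sport=32768 txid=91c3
2008-07-24T10:00:03 resolver=ns1 qname=ftp.example.com sport=32768 txid=0a7e
2008-07-24T10:00:04 resolver=ns1 qname=ns.example.net sport=32768 txid=d2b5
2008-07-24T10:00:05 resolver=ns1 qname=www.example.org sport=32768 txid=6e08
2008-07-24T10:00:06 resolver=ns1 qname=smtp.example.org sport=32768 txid=b7f1
2008-07-24T10:00:07 resolver=ns1 qname=img.example.com sport=32768 txid=3c44
2008-07-24T10:00:08 resolver=ns1 qname=cdn.example.net sport=32768 txid=e19a
"""

# Constructed sample: a resolver that picks a fresh source port per query.
RANDOM_PORT_LOG = """\
2008-07-24T10:00:01 resolver=ns2 qname=www.example.com sport=51223 txid=4f21
2008-07-24T10:00:02 resolver=ns2 qname=mail.example.com sport=3391 txid=91c3
2008-07-24T10:00:03 resolver=ns2 qname=ftp.example.com sport=60017 txid=0a7e
2008-07-24T10:00:04 resolver=ns2 qname=ns.example.net sport=21544 txid=d2b5
2008-07-24T10:00:05 resolver=ns2 qname=www.example.org sport=44906 txid=6e08
2008-07-24T10:00:06 resolver=ns2 qname=smtp.example.org sport=9832 txid=b7f1
2008-07-24T10:00:07 resolver=ns2 qname=img.example.com sport=58471 txid=3c44
2008-07-24T10:00:08 resolver=ns2 qname=cdn.example.net sport=17650 txid=e19a
"""

LINE_RE = re.compile(r"sport=(\d+)\s+txid=([0-9a-fA-F]+)")


def parse_log(text):
    """Return a list of (source_port, transaction_id) tuples, skipping
    lines that do not carry both fields."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((int(m.group(1)), int(m.group(2), 16)))
    return records


def entropy_bits(values):
    """Shannon entropy (bits) of the empirical distribution of values.
    Bounded above by log2(len(values)), so it only measures how spread
    out the sample is, not the resolver's true port space."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def assess(records, min_sample=8):
    """Classify a sample of outbound queries.

    A verdict of "fixed-source-port" means every query left from the same
    port: either the resolver is unpatched, or a NAT device in front of it
    is rewriting the ports (so check the capture point before blaming the
    resolver). "low-port-entropy" means some variation but well below what a
    fresh random port per query would give for this sample size.
    """
    if len(records) < min_sample:
        return {"verdict": "insufficient-sample", "sample_size": len(records)}
    ports = [p for p, _ in records]
    txids = [t for _, t in records]
    distinct_ports = len(set(ports))
    port_bits = entropy_bits(ports)
    max_bits = math.log2(len(records))
    if distinct_ports == 1:
        verdict = "fixed-source-port"
    elif port_bits >= max_bits - 1.0:
        verdict = "randomized"
    else:
        verdict = "low-port-entropy"
    return {
        "verdict": verdict,
        "sample_size": len(records),
        "distinct_ports": distinct_ports,
        "port_entropy_bits": round(port_bits, 3),
        "txid_entropy_bits": round(entropy_bits(txids), 3),
    }


if __name__ == "__main__":
    for name, log in (("ns1", FIXED_PORT_LOG), ("ns2", RANDOM_PORT_LOG)):
        print(name, assess(parse_log(log)))
```

A sample of eight queries can only show up to three bits of port spread, so treat the entropy figure as a sanity check on the sample rather than a measurement of the resolver's port space; a few hundred queries captured at the resolver's own interface (not behind a NAT) give a far more useful picture. The transaction-ID entropy is reported alongside because a resolver with a fixed port and predictable IDs is in worse shape than one with either weakness alone.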
Posted: 24 Jul 2008 01:05 PM CDT
Here is a very fun web conference on logs and logging by ISC(2); all sections are interesting, here is what mine is about:
"There are many other mechanisms of accountability in an organization, but logs are the one that pervades all IT. And if your IT is not accountable, your business is neither. Thus, if you tend to not be serious about logs, be aware that you are not serious about accountability. Is that the message your organization wants to be sending? The presentation will cover how logs can be used organization-wide to establish accountability of users, power-users, other IT as well as partners and others accessing systems and using your information. How do you make sure your users are accountable for their actions? How can you track their activities, if needed? How can auditors review the audit trails of various activities? Broad organization-wide log collection and analysis is the way to solve these and other problems related to accountability."
Posted: 24 Jul 2008 12:40 PM CDT
As many of you already know this DNS vulnerability has taken the community as a whole by storm. For you snort guys out there, here is the latest DNS signature that may help you detect such activity. Props to alexkirk from the #snort channel for hooking us up! Implement at your own risk! [...]
Posted: 24 Jul 2008 10:24 AM CDT
There’s little or no excuse for someone as big as AT&T to not be patched yet!
Mubix took a shot of his iPhone as proof that AT&T is screwing the pooch on this one. It was suggested recently that the IP shown there might actually be the public IP of the iPhone. Has anyone done any research into this?
Posted: 24 Jul 2008 09:59 AM CDT
As everyone knows, Matasano accidentally released confirmation of the DNS vulnerability. And rumor has it there’s been unstable code to take advantage of it since last week and stable code since earlier this week. And HD Moore has released a Metasploit plugin for the vulnerability. It’s in the wild, it’s starting to be used, and if you haven’t patched already, you need to get it done ASAP. I’ll be the first to state I’m not a DNS expert, but the people I’ve talked to that are say patch immediately.
I have talked to a number of people about Dan’s DNS vulnerability and even most of the people who initially said this event was being overblown are now starting to say patch as quickly as you can. My employer, Trustwave, takes this event seriously enough to send out an alert to our clients, something I haven’t seen them do before. We have some very talented engineers and if they’re taking this seriously, you should too. So quit reading this post and go patch already!
As an aside, Thomas Ptacek and the crew from Matasano were at ChiSec last night, and they’re feeling, or at least acting, very mollified for their part in this debacle. There are a dozen ways they could have handled this better and they know it. But sometimes stuff happens. I gave Thomas a hard time to his face last night, now I’m done harping on him. As Chris Hoff was Twittering last night, there’s a serious problem with the security researcher community where being the first to discover and disclose an incident like this is more important than getting the problem solved for as many companies as possible. And that’s not likely to change any time soon. It’d be nice if it did, but there are too many people who rely on this sort of publicity to fuel their businesses and their egos. Such is human nature.
If you’re still reading this, you better be patched already. And if you work at AT&T, why haven’t you patched the servers my iPhone uses yet?!
Posted: 24 Jul 2008 07:40 AM CDT
Thursday and I’m finally getting back into the swing of things. The bug that was good enough to take up residence and wreck the place seems to have moved on for the most part. Sorry about the low volume.
And now, the news…
Posted: 24 Jul 2008 07:36 AM CDT
At first I thought “oh, that’s cool”, but then I learned the category my research had been nominated for: Most Overhyped Bug. At first I had kind of mixed feelings whether or not I should be happy about it, but to be honest, there is nothing negative about their comments:
“GNUCITIZEN and pagvac initiated a media blitz over this vulnerability which allows a malicious web page to use a CSRF attack to bypass authentication and modify the settings on the most popular home DSL router in the UK. This could allow a remote site to disable your firewall, modify your DNS server settings, or enable remote administration of your router. The bug was real, but it was accompanied by such a massive media campaign that it surely deserves a nomination.”
Fair enough, it received a lot of media attention which is true, but we did not actually PR these findings (believe it or not), but rather answered questions formulated by the media mainly via email.
If you are not familiar with the Pwnie Awards, it’s an informal ceremony organized by several known researchers which attempts to highlight the events during the last year in the Infosec industry. This year is only the second edition of the awards. The ceremony is meant to be a bit humorous, as in “making fun of the infosec industry” kind of thing. The winners announcement actually takes place during the BlackHat Vegas briefings. I will definitely do my best to attend the ceremony as Alexander Sotirov told me I was invited. Sweet!
My favorite quote from the Pwnie Awards site is from the “Lifetime Achievement Award” category which states:
Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30.
Posted: 24 Jul 2008 06:45 AM CDT
Or wasting our time trying?
Amrit's latest post has me thinking about what's been one of our brew pub round table topics lately.
There is an old joke about the hikers who cross paths with a grizzly bear. The first hiker immediately takes off his hiking boots and puts on his running shoes.
The second hiker: "why are you doing that - you can't outrun the bear".
First hiker: "I don't need to outrun the bear, I only need to outrun you".
In a sense, if hacking today is focused on profit rather than challenge or ego, as perhaps it once was, then the miscreants will likely follow the least cost or least resistance path to their goal (marketable data, marketable botnets). If that is true, our goal needs to be to outrun the other hikers, not the bear.
Fortunately there appears to be a limitless supply of slow hikers (clueless developers, sysadmins, security people and their leadership, or more likely - competent developers, sysadmins and security people led astray by clueless leadership).
We need to focus on outrunning them, not the bear.
You are subscribed to email updates from Black Hat Security Bloggers Network