Posted: 22 Aug 2008 12:50 AM CDT
I almost think it’s time to create a new blog called “Security Stupidity”. The latest issue to catch my eye is Apple’s “it’s not a security problem because nobody noticed” declaration; Michael Arrington has pointed out that Apple has made it easy for someone to enumerate the me.com and mac.com email address range by making public folders that use the same name as the email address. I’m sure I can think of several dozen people who presented at Defcon a couple of weeks ago who could do this in a matter of hours.
Michael Arrington has this one dead to rights: the bad guys have probably already figured this one out and are taking advantage of it as you’re reading this. There’s no way to remove an account name from this list, which means that Apple has no way of fixing this information leak without a major overhaul of their systems. I didn’t sign up for a me.com address before and now I’m glad.
I hope you’re not using your me.com or mac.com addresses for anything major, because they’re about to become spam magnets. This is the real power of full disclosure: Michael Arrington tried to tell them, they didn’t do anything so he disclosed, now Apple is going to pay the consequences, along with everyone who owns one of these email accounts.
Rather than admitting they’re wrong and fixing the problem (if that’s even possible), Apple will probably continue to deny this is a problem. But once it becomes a widespread issue, they’ll probably still deny it and quietly step up their behind the scenes anti-spam efforts. And we all know how well that’ll work.
Posted: 21 Aug 2008 04:51 PM CDT
Posted: 21 Aug 2008 04:45 PM CDT
In July, I flew to India for my first visit. I visited Juniper’s India Engineering Center in Bangalore, met with Juniper engineers there, and gave a talk. In this podcast, I share my observations on this fascinating country.
Posted: 21 Aug 2008 03:02 PM CDT
You might be interested in them. I've exported the presentation to PDF with each animation built as a separate slide - in some cases that means there are 5-6 slides with advancing bullets, graphics, etc. As annoying as that may be, it fixes the mess of the positional overlay problem you'll see if you view the PDF from the CD.
As an important note, my slides are designed to accompany my speaking, not the other way around, so in some cases they don't explain themselves. This is by design ;)
I will be giving updates to this presentation throughout the rest of the year since it's a presentation designed to communicate the virtualization "state of the art" as it relates to VirtSec. So, if you attend a conference and see this talk advertised, it will have new/updated content.
Be warned, this PDF is huge (~55 MB) because my slides are intensely graphical.
You can find the update here.
Posted: 21 Aug 2008 02:08 PM CDT
Shared passwords, especially shared VNC passwords, remind me of the straw house from the three little pigs...
In addition to the previous post on having the Domain Users group in the Enterprise Admins group (FTW!) on my last trip the organization had decided to use VNC for workstation management instead of Dameware/Remote Desktop.
Why? I have no idea. At least with RDP and Dameware you can force admins to use domain credentials to log in. But for whatever reason they had chosen to use VNC on their workstations; servers used RDP. The VNC sessions were password protected.
Well they had some sort of video feed linked to a webpage so people could watch the feeds from a single webpage. A simple right click on the feed properties showed an un-obfuscated VNC password (even had a check box that could have starred it out...oops). Surely the VNC properties for the feeds wouldn't be the same VNC for the workstations right? Wrong, they were. Game over. We could now log into all the workstations. We were already Enterprise Admin and could psexec into the workstations but screen shots of watching people read their email just look so much better during the outbrief :-)
Posted: 21 Aug 2008 01:19 PM CDT
Ouch! ZDNet have a short article about a misconfigured PBX making 400 calls to some of the hottest countries around: Afghanistan, India, Yemen and Saudi Arabia. Very ugly... hope that the details emerge. If anyone has more details, email me or post here.
Promotional message: SIPVicious is free - test your SIP based PBX before someone else does ;-)
Update: Apparently it consisted of voicemail hacking - you know that thing from the 90s. So no VoIP or SIP involved, just plain old school default pin cracking.
Posted: 21 Aug 2008 12:40 PM CDT
Day in the life of a pentester.
This one is short and sweet. Some things you probably shouldn't do.
1. fail: use clear text protocols
2. get caught not following your own password policies
& the best one
3. add your Domain Users group to the Enterprise Admins group...oops ;-)
Internal test, some simple ARP Spoofing and LDAP query caught in plain text, RDP in, create a user account and add them to the appropriate admin group...done.
Posted: 21 Aug 2008 12:00 PM CDT
For the past few years, I've talked to many people about the insider threat. I don't spend too much time focused on the hardcore criminal element that plan an attack against their employer. I have mostly been thinking about the 35% of employees that claim they need to break policies in order to get their jobs done (see my post on Insider Threat - By the Numbers). And the unknown percentage of employees who break policies without being noticed (or in many cases without even knowing it).
A few days ago, security researcher Ira Winkler articulated one aspect of this very plainly.
Why is there a sudden epidemic of violations of sensitive personal information? The answer is, Because it's there.
The scenario of an employee viewing sensitive information that they shouldn't be viewing is a fairly common example of real-world insider security breaches. While it won't likely lead to a $7 Billion loss, it could mean a failed audit, bad publicity, lost customers, or other lost business opportunities. In today's transparent business environment, it's only a matter of time before juicy information is made public. State Dept. employees were probably snooping on passport information for years before they found the 2008 presidential candidates. Then, it got out and became a news story.
Winkler goes on to note:
Anyone developing or maintaining information just better accept that their fellow workers will look at information and that they need to track and limit access. More importantly, they better look at their audit logs and specifically search for violations.
I agree. One of the scenarios I often run into is where administrators require access to files (in order to manage access) but they don't require access to the information within those files. A good example is the admin who controls access to HR files and has the ability to open offer letters containing salary and other personal information. To Winkler's point, if the capability is there, they will likely open the files to take a peek. After all, they have been explicitly granted access to those files in order to do their jobs. Doesn't that make it OK? No. And to Winkler's final point, the admin would probably exercise additional restraint if they knew that file access was being monitored.
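Winkler's advice to "look at their audit logs and specifically search for violations" is easy to state and rarely done. The following is an added example (not from the original post or from Winkler) of the check described above: it separates access-management actions, which an administrator legitimately performs on HR files, from content reads, which only the HR role should perform. The key=value audit line format, the role table and the sample log lines are all constructed for the illustration.

```python
"""Flag administrators who open the contents of files they are only
supposed to manage (ACL and ownership changes), per Winkler's advice.

Added example; the audit log format, the role table and the sample
lines are constructed for illustration and are not from the post.
"""
import re
from dataclasses import dataclass

# Constructed sample audit lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2008-08-21T09:58:03 user=hr.alice action=READ path=/shares/hr/offers/smith_offer.docx
2008-08-21T10:02:11 user=it.bob action=SET_ACL path=/shares/hr/offers/ principal=hr.carol
2008-08-21T10:05:02 user=it.bob action=READ path=/shares/hr/offers/jones_offer.docx
2008-08-21T10:07:45 user=it.bob action=READ path=/shares/it/scripts/backup.ps1
2008-08-21T10:09:30 user=eng.dave action=READ path=/shares/hr/offers/smith_offer.docx
2008-08-21T10:11:12 user=it.bob action=CHOWN path=/shares/hr/offers/jones_offer.docx
"""

# Constructed role table: who may read file *contents* under each sensitive prefix.
CONTENT_READERS = {
    "/shares/hr/": {"hr.alice", "hr.carol"},
    "/shares/it/": {"it.bob"},
}
# Actions that manage access without revealing content; admins may do these anywhere.
MANAGEMENT_ACTIONS = {"SET_ACL", "CHOWN", "LIST"}
ADMINS = {"it.bob"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)"
)


@dataclass(frozen=True)
class Violation:
    ts: str
    user: str
    path: str
    reason: str


def parse_line(line):
    """Return the event fields of one audit line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def sensitive_prefix(path):
    """Return the sensitive share prefix a path falls under, or None."""
    for prefix in CONTENT_READERS:
        if path.startswith(prefix):
            return prefix
    return None


def find_violations(log_text):
    """Return content reads on sensitive shares by users outside the owning role.

    Management actions are exempt: an admin setting an ACL on an HR folder is
    doing his job; an admin opening an offer letter is not.
    """
    violations = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        prefix = sensitive_prefix(ev["path"])
        if prefix is None or ev["action"] in MANAGEMENT_ACTIONS:
            continue
        if ev["user"] in CONTENT_READERS[prefix]:
            continue
        reason = ("admin read content of a file he only manages"
                  if ev["user"] in ADMINS else "content read outside role")
        violations.append(Violation(ev["ts"], ev["user"], ev["path"], reason))
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v.ts} {v.user} {v.path}: {v.reason}")
```

Run against the sample log, the ACL change and ownership change by it.bob pass, his read of backup.ps1 passes because IT owns that share, and two events are reported: it.bob opening jones_offer.docx and eng.dave opening smith_offer.docx. The same split between "may manage" and "may read" is what the monitoring rule in a real file-audit pipeline should encode.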
Posted: 21 Aug 2008 08:30 AM CDT
Someone broke into a FEMA PBX system over the weekend and made over $12,000 worth of calls to Asia. The article tries to pass this off like it’s just some old school attack that’s no big deal, but to me that’s more embarrassing than if they’d been hacked using some zero-day no one had ever heard of. Getting owned because you forgot to change a password is incompetence, which is much worse than getting hit by something you had no way of defending against.
It sounds like someone was upgrading the system and forgot to change a default password over the weekend. At that point all it would take is a scan of the system with an automated tool getting lucky and finding the right phone line. Likely there’d be little or no skill involved, just having the right tools at the right time. I’m betting there’s a consultant somewhere in Maryland looking for a new client.
Oh, and FEMA (Federal Emergency Management Agency) is a branch of the Department of Homeland Security. Good job guys.
Posted: 21 Aug 2008 06:52 AM CDT
Posted: 21 Aug 2008 12:16 AM CDT
During BlackHat USA, there were sightings of a mysterious white ninja. Witness reports claim he spoke with an English accent at 300 words per minute, raved on about sandboxing code, and plotted to take over the Web with a worm to wake people up (but just for a day). Anyone know who this phantom figure is?
Bonus points for posting the best photo caption. I'm thinking "practice safe output encoding".
Posted: 20 Aug 2008 07:17 PM CDT
I wanted to do a brief repost over here to direct everyone to the 5-part non-technical blog series that I did on cons (for the most part) and con experiences. This was my contribution to blogging following Blackhat / DEFCON.
Posted: 20 Aug 2008 06:28 PM CDT
Lynne Kiesling at Knowledge Problem imagines a refrigerator that is not only a kitchen appliance but also a network appliance.
By equipping refrigerators with an IP address and a web interface we could tell them to do things like ordering a new filter from a specified vendor at the appropriate time. Where it gets interesting is when you can also set power consumption policies based on the price of energy, time of day, contents of fridge and more.
I would like to have a fridge that would take an inventory of its contents and my cupboards (RFID anyone?) on a regular basis, compare that to my shopping list that it has access to over the network, place an order at my grocery stores, who then deliver the goods to my door.
As far as autonomous controls saving energy goes, her idea reminds me of an existing product by Lumisys that controls the brightness of the lights in a room, say a classroom or office, based on the amount of daylight, how many people are in the room and where they are sitting. Lights near the window are dimmer than lights further away. If a cloud covers up the sun, the lights brighten automatically. Really cool stuff and usually a good idea for new construction.
Posted: 20 Aug 2008 03:57 PM CDT
MX Lab has detected and intercepted a new outbreak of the FedEx Tracking number trojan. It appears to be a variant.
The subject is now “FedEx Tracking N_2545362053” - where the number is random. The From address is spoofed and is not an official FedEx email address. So this email is easy to detect, and when looking at the email's From header and body you should be able to identify it as suspicious.
The message contains:
The attached malware is in a zip file named WD6128922.zip and contains the executable with file name WD6128922.exe.
As a reminder, FedEx will never give you tracking information in this way. All tracking regarding shipments is done on their web site. And if something went wrong, FedEx won’t send out an email with a Zip file attached.
The file was submitted to Virus Total at around 1:30 PM CET. MX Lab submitted the file for analysis around 9:17 PM CET and only 9 anti-virus engines detect this variant. So be careful not to open the zip file and especially don't start the executable. Virus Total permalink and MD5: df73c2b3562ef157c10ba1a16b4c8885.
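The traits MX Lab lists (random tracking number in the subject, a From address that is not a FedEx domain, a zip attachment wrapping an executable) are exactly what a mail-gateway triage rule can key on while AV signatures are still catching up. The following is an added example, not MX Lab's code; it parses a constructed message shaped like the campaign and reports each indicator it finds. The sender domain, recipient, and the bytes inside the zip are placeholders, and the legitimate-domain list is an assumption for the illustration.

```python
"""Triage an incoming mail for the "FedEx Tracking" trojan traits above.

Added example, not MX Lab's tooling. The sample message is constructed;
the zip holds placeholder bytes, not the real attachment.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed list of domains FedEx would legitimately send from.
LEGIT_SENDER_DOMAINS = {"fedex.com"}
SUBJECT_RE = re.compile(r"^FedEx Tracking N_\d+$")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_sample_message():
    """Construct a message with the campaign's shape: spoofed From, random
    tracking number in the subject, zip attachment wrapping an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WD6128922.exe", b"placeholder bytes, not a real executable")
    msg = EmailMessage()
    msg["From"] = "FedEx Customer Service <tracking@fedex-mail-example.invalid>"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "FedEx Tracking N_2545362053"
    msg.set_content("Your package could not be delivered. See the attached tracking info.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="WD6128922.zip")
    return msg.as_bytes()


def sender_domain(from_header):
    """Extract the domain part of a From header, lowercased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", from_header or "")
    return m.group(1).lower() if m else ""


def zip_executables(data):
    """List executable-looking member names inside zip bytes (never extracts)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage(raw_bytes):
    """Return the list of campaign indicators present in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    indicators = []
    subject = str(msg["Subject"] or "")
    if SUBJECT_RE.match(subject):
        indicators.append("subject matches FedEx Tracking N_<digits> pattern")
    domain = sender_domain(str(msg["From"] or ""))
    if "fedex" in subject.lower() and domain and domain not in LEGIT_SENDER_DOMAINS:
        indicators.append(f"FedEx-themed mail sent from non-FedEx domain {domain}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            exes = zip_executables(part.get_payload(decode=True))
            if exes:
                indicators.append(f"zip attachment {name} contains executable: {', '.join(exes)}")
    return indicators


if __name__ == "__main__":
    for ind in triage(build_sample_message()):
        print("-", ind)
```

Inspecting the zip's directory is enough to raise the indicator; nothing is extracted or run. On the constructed sample all three indicators fire, and a quarantine decision can be made on the combination rather than on any single weak signal.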
Posted: 20 Aug 2008 03:52 PM CDT
One of my key topics in my Blackhat presentation "The Four Horsemen of the Virtualization Security Apocalypse" focused on today's lack of state-synchronized high availability/load-balanced solutions for security virtual appliances that offer the same functionality as their physical appliance counterparts.
I used an example from a vendor I didn't name in one of my slides to illustrate that if you attempted to replicate the options you have today in physical appliances in a virtual construct, you would not be able to (using this particular solution suite as an example.)
That vendor was Check Point and I was referring to their SPLAT-based virtual appliance.
The version that was available for ESX environments when I created my presentation offered no load-balanced HA capabilities whatsoever as stated in the release notes.
However, today I received the announcement of Check Point's VPN-1 Virtual Edition (virtual appliance.)
Based upon what I am reading in the administrator's guide, VE now includes support for ClusterXL HA FW/VPN state-synchronized load sharing across one or more ESX hosts.
This is a great first step in the right direction.
We should expect more solutions to start arriving shortly to address many of the issues I brought up as the current "state of the art," and this is a good example of that.
There are numerous caveats and limitations, many of which I spoke directly about in my presentation with many of them related to the interdependencies of network topologies, virtual networking and interaction with VMware's integrated HA/clustering solutions...which was one of the other key topics in my talk ;)
You can find information regarding Check Point's VPN-1 Virtual Edition here.
Updated: If you read the release notes, you'll notice these little gems. I don't have the time to go through each of these limitations, but they're significant and go to the point that all things are not equal in V versus P:
I'll give them props for this one, though, given its refreshing honesty:
Posted: 20 Aug 2008 11:19 AM CDT
Some clever marketing by Lumension... it took me forever to find #8. Lack of vulnerability management.
Posted: 20 Aug 2008 09:11 AM CDT
If the possibility of ending up on the Wall of Sheep at Defcon and Black Hat wasn’t enough for you, Mike Perry is about to release a tool that automatically steals the Gmail IDs of any non-encrypted sessions it finds. If you’re surfing on the free, public wi-fi at your local coffee shop, anyone with a modicum of computer skills will be able to sniff your traffic with this tool and take over your account. Of course, this has been possible for quite some time, but this tool brings the difficulty down to something the average script kiddy can do rather than having to be Robert Graham.
Gmail has been capable of running on SSL for quite some time, but it’s not something that’s enabled by default. I always typed the https in by hand, but I don’t completely trust that method. I’ve used Better Gmail2 in the past, but that doesn’t like FireFox 3 for some reason. There are also a number of scripts for GreaseMonkey that force Gmail to use SSL, but now Gmail has made it an option on the settings page. It’s on the bottom of the page and easy to miss if you’re not looking closely.
There’s no reason not to use HTTPS if you’re anywhere other than your home network. And quite frankly, there’s no real reason not to use it at home too. Google’s excuse that it might slow down your connection is pretty lame and if that’s the only reason you’re not using HTTPS, you need to rethink whether you should be accessing Gmail at all when remote.
Posted: 20 Aug 2008 01:38 AM CDT
Commtouch announced a new version of our GlobalView Mail Reputation Service, which incorporates enhanced reporting as well as enhanced logic capabilities. From earlier posts you’ve seen that zombies (aka bots) are responsible for almost all of the unwanted mail traversing the Internet. With even a not-very-good reputation service, you should be able to cut those quantities [...]
Posted: 20 Aug 2008 01:08 AM CDT
Someone asked me about blogging today and I realized I missed my own 5 year anniversary. Not my wedding anniversary, that’s next week, but the fifth anniversary of the day I wrote my first blog post “Here goes nothing”. I’d had a site about security for quite a while before that, but it was all manually coded HTML, it was ugly and, quite frankly, nearly impossible to update in anything resembling a timely manner. Then I found Movable Type, fought with it for about a week to get it installed, suffered the ridicule of my co-workers and started writing. Or maybe it was started writing and then suffered the ridicule, someone ask Ron Kehoe. Either way, it was definitely the start of a long and interesting journey.
The journey has definitely been worth it. I can say, without conceit, that I am one of the top security bloggers. Don’t believe me? Type “security blog” into Google and see for yourself. In the same vein, if you enter “security podcast”, the Network Security Podcast is the first entry you’ll see. I guess I should beware of hubris, since Google is a fickle mistress and that could change in a moment. I’ve been told the name of the blog was a brilliant stroke of SEO, but then I had to have search engine optimization explained to me, since I’d never heard the term before.
But blogging and writing was never about where I sit in the search results. It’s always been about learning for me. I had ideas when I started blogging, and even then I knew some were good, some were bad. I wanted to throw some of my ideas against the digital wall and see what would stick and what would stink. I’ve had a lot of ideas that people have agreed with, more that people have let flow by without comment and a few that have caused people to tell me that I’m an idiot at best. And some days I agree with them.
There’s three things about blogging that I’m thankful for. The first, and least important, is what it’s done for my writing skills. I never was a bad writer, but just writing on a daily basis has helped my writing immensely. I’m still an informal writer and never will be asked to write a book or anything, but five years of writing on a nearly daily basis has enabled me to at least express my thoughts in a way that most people can understand. I was good enough that Computerworld invited me to blog for them for a year, which would probably still be going on if other factors in my life hadn’t intervened. I like writing and blogging gives me a chance to do it on a regular basis.
The second thing I’m thankful for is some of the opportunities that blogging has opened for me. I already mentioned Computerworld, but there have been a lot of other doors that opened simply because I put myself out there with the blog. I never would have had an opportunity to work with Alan and Mitchell if Alan hadn’t contacted me after a particularly interesting blog post (I wish I could remember which one). I’ve been to RSA, Defcon, Black Hat, Shmoocon, IANS and more because I got press passes or people wanted me to see what they’re offering. I got a chance to do some video blogging for Podtech, which quite frankly was a heck of a lot more work than I ever thought it could be. A couple of years ago Symantec even flew me down to SoCal for a day trip to their headquarters, which just happens to be a couple of blocks from the Playboy office. It’s amazing what you find when you wander around in SoCal. And let’s not forget the annual RSA Security Bloggers Meetup, which I somehow ended up helping host!
But the most important thing about blogging is some of the friends I’ve made along the way. First off is my co-host, Rich Mogull. Without Rich there to keep me in the game, the podcast probably would have died a year ago, even if the blog continued. It’s hard to do a weekly podcast, and the value of having someone to take part of the load, to bounce ideas off of and to bring a little energy when you’re tired can’t be overstated. With Rich’s help I hope to be blogging and podcasting for years more to come and maybe one day we can have a cage match with Leo and Steve for a show on NPR. I’d bet on us; Leo’s getting old and Steve would probably get distracted by something bright and shiny mid-fight.
I’ve made more friends than I can list thanks to blogging, but I’m going to try anyways: Michael Farnum, Cutaway, Chris Hoff, Mike and Melina Murray, Jennifer Leggio, Jeremiah Owyang, David Mortman, Mike Rothman, Michael Santarcangelo, Rob Fuller, Alan Shimel, Mitchell Ashley, Michael Henry, Ryan Russell, Adam O’Donnell, Jack Daniel, Andy Willingham, Lori and Don MacVittie, Dan Kuykendall, Robyn Tippins, Paul Asadoorian, Larry Pesce, Ron Gula, Brian Krebs, Jennifer Jabbusch and Michael Dahn, just to name a few. I’ve probably missed as many as I’ve included and I apologize to those I left out; it’s been a long week and it’s only Tuesday. But I never would have met most of these people if it wasn’t for the blogging. I put myself out there for the world to see and these are some of the people who’ve responded with friendship. I actually get a little choked up thinking about it. Seriously.
Blogging has helped me grow as a security professional and as a person. I’ve put my ideas out there and people have responded. I’ve been able to use that feedback to learn and grow. People have recognized the willingness to communicate and opened doors that I never even knew existed before. And I’ve made such a wide ranging, supportive group of friends that I know I never could have made without the blogging. I’m truly thankful, if not exactly humbled.
I’m looking forward to blogging for the foreseeable future. It feels like I blinked and five years have gone by. I hope I’m still blogging in another five years, but who knows what the future will bring. If it’s anything like the last five years, I can’t imagine where I’ll end up, but it’ll definitely be an amazing journey. And I’ll learn a lot along the way.
Posted: 20 Aug 2008 01:06 AM CDT
I was on the road today and let Rich handle this week’s podcast, a decision I may regret if it earns us an ‘explicit’ tag in iTunes! Rich has posted our twelfth and final interview from the Black Hat/Defcon adventure, and appropriately this is an interview with Rich and everyone else from the panel he was on. There was drinking (and Larry) involved, so some of the language might be a bit more than we usually use on the podcast. It was a ton of fun and I might just be recovered by this time next year.
Posted: 19 Aug 2008 01:15 PM CDT
I thought this was interesting... I seldom have emails that are this long, but since every survey submission is seen as part of the same response, I've been seeing it. It appears as though every 61 messages, the thread is cut and a new one is started. Has anyone else seen this and possibly experienced a different number? If everyone else is indeed seeing 61, does anyone know why?
Does anyone from Google read this? If so, why cut the threads at 61?
Side note: anyone know when Google Apps will be getting the 'Always use SSL' checkbox?
Posted: 19 Aug 2008 09:34 AM CDT
Thanks to everyone who's filled it out; for those of you that haven't... you still can (survey). A large number of people are preferring to stay anonymous, but I have gotten some rather interesting comments. To date 169 people have filled out the survey. If all goes well, I'm hoping to start analysing the results after about a week or so.
To clarify, for anyone who reads this first... When I say Denial of Service, I'm not considering packet flooding (these days you essentially need DDoS for that)... I'm thinking single packets that cause servers to crash, or malformed pages that cause browsers to crash. That being said, I don't want to influence anyone's answers... that's why I provided plenty of places for notes. Feel free to tell me what you really think.
Lastly, in the goal of making an interesting whitepaper out of this, I've started contacting vendors. Currently I've contacted Adobe, Apple, Google, Microsoft, Red Hat and Sun. I've asked them to answer the survey (and provide me with unique information via email that they will put in the name, email and url portions (for proper identification)) and I've passed on a few vendor specific questions. I've taken the route of contacting their PR agencies, so we'll see what happens.
Posted: 19 Aug 2008 07:48 AM CDT
In light of the recent upsurge in interest over the Insider Threat, I’ve decided to write a little about some of the various controls that can be put in place to minimize the risk posed by malicious insiders.
(A note to small and medium sized businesses - our employees tend to wear “many different hats” as the saying goes and therefore pose much more of a risk than in larger organizations where duties are more segmented. As such, when hiring or promoting someone into a position of trust, it may behoove you to dig a little deeper into their background.)
Information Risk Management is about more than installing and monitoring a technological control. Technological controls only constitute one-third of the equation. The other two elements are People and Process. It is important that we work with the HR and Legal departments to ensure that we adequately cover these elements. We each have roles to play in protecting our organizations.
One of the areas where information risk management can provide valuable input is in the area of personnel screening. (There are other areas that I’ll deal with in other blog posts) Personnel screening involves the process of vetting individuals to ensure they meet a minimum set of requirements before they are given access to information systems. What those requirements are varies by organization and can be influenced by laws, policies, regulations, standards, and guidelines. HR and Legal may be up on the laws pertaining to employees and operating a company but they may not be as familiar with the regulations concerning the protection of information. Even if an organization is not obligated to screen employees, it may be in their best interest to do so for roles designated as “Positions of Trust.”
Persons occupying “Positions of Trust” are those who have special duties or special access to information not available to other employees and are expected to exercise some sort of professional or managerial discretion. Typically these employees receive less supervision than other employees. Since an organization delegates authority to these individuals, it should have sufficient information at its disposal to make an informed decision.
In order to do this an organization must first lay the appropriate groundwork. This includes reviewing its policy and procedures to make sure that it has a formal documented policy that addresses the purpose, scope, roles and responsibilities involved in instituting and enforcing personnel security measures. The organization's commitment to security and how it intends to coordinate its actions among its various departments should also be clearly spelled out.
The next step would be to categorize all of its positions with regard to the authority they exercise. Care must be taken here because it is easy to be too granular in this exercise. Simple is better. Various roles will emerge and as they do, the organization should establish screening criteria for individuals filling these roles. For example:
All Managers (every two years)
Senior Manager/Corporate Officers (every two years)
These are of course just examples and the details will vary by industry, business size, etc. HR and Legal will have their own thoughts on what types of checks need to be done and since they are ultimately responsible for these activities the final decision must rest with them. There are state and federal laws that pertain to background checks. The Privacy Rights Clearinghouse does have a good summary page. What is important from our perspective is that Information Risk Management has some input to the decision making process.
HR and Legal also hold the ultimate responsibility for ensuring that a formal sanction process is implemented for personnel failing to comply with established policies and procedures. It should be included as part of the general personnel policies and procedures and be specific enough to ensure equal treatment for all employees. Phrases such as “Appropriate action may be taken” are not specific enough, whereas being too specific can tie an organization's hands. My recommendation here is to make sure that the organization identifies the criteria for automatic termination; everything else can be dealt with as “appropriate action.” (I would also argue that the minimum that should be prescribed for a policy violation is a written reprimand placed in the employee’s record.) Information Risk Management has the responsibility to detect and provide evidence of a violation, but HR/Legal is the adjudicator.
Do you need to run a background check on every employee? Laws and regulations notwithstanding, I’d say no. Depending on the size of your organization, the added expense may be cost prohibitive. There are also legal concerns with the practice of personnel screening. You should consult with your legal counsel before instituting any such program so that you know what your obligations and responsibilities are.
On the whole, I think you will find that the benefits far outweigh the issues when it comes to personnel screening.
Posted: 19 Aug 2008 03:23 AM CDT
How ironic - malware distributors are using the vulnerabilities inherent in IE (and other browsers) to distribute malware purporting to be an Internet Explorer update! The spammers did a few things to make the message appear to be legitimately from Microsoft, spoofing a Microsoft from address, and copy-pasting the MSN text into the bottom. Of course, [...]
Posted: 19 Aug 2008 12:32 AM CDT
Ok, so we have everything up and running (first post) and waiting for some random person...err your lab wifi box to connect to Karmetasploit.
We take a look at our current network connection before airbase-ng starts doing its thing.
*Note the blistering connection I had at the hotel.
Now we take a look at some of the available APs after airbase-ng starts doing its thing.
And lastly my computer connected to the hhonors AP
After that we open up our browser and try to go to google.com and we get the portal page that karmetasploit presents.
But as soon as we click enter or try to browse to a different URL a whole bunch of iframes start doing their thing trying to do the cookie theft and exploitation. You can see it in the bottom left corner.
Here we can see the result of ipconfig /all and see that my DHCP Server and DNS server is from karmetasploit.
A shot of airbase-ng doing its thing
Iphones connecting up
POP password gathering
I saw the SMB Relay attack attempted a couple of times but I didn't see any of the other client side attacks being launched. Not sure what the issue is. I'm going to try it with a known vulnerable version of IE6 and see if I can get some better results. First instinct is that the browser enumeration code in browser_autopwn isn't working quite right, therefore not sending any client sides out, but I could be wrong.
That's it for now.