SANS Las Vegas, on October 26-27th, will debut a new course titled "Embedded Device Security Assessments for the Rest of Us", which will teach students how to assess embedded systems of all varieties on pen tests and in their duties as security professionals.
Announcements & Shameless Plugs
- Security Weekly SANS Discounts! - Helps pay for cool stuff and general insobriety
- Network Security Projects Using Hacked Wireless Routers with Larry in Orlando, FL on Thursday, April 24
- Advanced Network Worm and Bot analysis with Steve Marcelino in N. Kingstown, RI on Tuesday March 25
- Cutting Edge Hacking Techniques with Paul in N. Kingstown, RI on April 15-16
- Pen Test Summit on June 2-3 to be attended by Larry
- Rhode Island Linux Install Fest - (at least show up for pizza and b**r)
There have been many vulnerabilities and exposures regarding social network sites. In this segment, with a little help from Twitchy (back from the dead), we will cover:
- Social Networking Evil Twin Attack
- How XSS attacks caused many problems
- Why your information is not safe
- Prevention from harm on social networking sites
Stories of Interest
http://blog.tenablesecurity.com/2008/02/shmoocon---dont.html - Need to read and comment on this one, meant to do it since it was posted.
The Sim Toolkit Research Group - [Paul] - This is interesting research. Looks like SIM cards support Java, which means you can write cool stuff and make it do things like: "It's possible to open gprs connection, make phone calls or redirect phone calls (e.g. remote phone tapping)." I can foresee mobile phone trojans taking advantage of this research, if they haven't already. I believe that we haven't seen more mobile phone trojans because of code stability; the platforms stink for developing apps. Protection? Depends on the delivery mechanism. Certain code signing and the ability to prevent the user from installing apps help; however, what happens when an app can take advantage of a vulnerability and get delivered via an SMS message? History will repeat itself...
Hacking Medical Devices - [Paul] - A few things on this one, first, more vendors should be doing this (hiring security professionals to test their products in the lab). Second, the response from the vendor needs to be way better than: "To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide," uuuuhm, your devices can be pwned and put patient safety at risk, what is your response to that? Oh, right:
"St. Jude Medical, the third major defibrillator company, said it used "proprietary techniques" to protect the security of its implants and had not heard of any unauthorized or illegal manipulation of them."
There is no such thing as a "proprietary technique", especially when it comes to technology, and especially when it comes to wireless technology. Security through obscurity is a layer in your defense, but if it is the only layer you will be defeated eventually. Also, just because you've never had a security incident doesn't mean you should not implement proper security. "I haven't had a cavity in a while, so I will just stop brushing my teeth, flossing, and using mouthwash altogether": the problem with that is? It's going to be okay in the beginning, then it's going to stink, people will notice, and then your teeth will rot and fall out. Preventing is key.
More From Larry:
The way to a hacker's heart - [Larry] - ...is through his wireless pacemaker. Researchers have been able to utilize commodity hardware and a PC (albeit $30K worth), to intercept and transmit wireless signals to a pacemaker telemetry system without the use of the "approved" equipment. As a result, the researchers were able to read patient data from the pacemaker (including name, and other identifiable information). They were also able to "disable" the device, or send commands to effectively harm a potential patient.
Certainly possible, but it requires an attacker to have alleged gobs of equipment, it is currently expensive, and you need to be within a few inches of the target. Given the natural progression of similar attacks, I can see the hardware and requirements becoming smaller, and less expensive. The distance thing isn't a big deal to me, as you need to get close to steal RFID...and that is a perfectly valid attack.
RFID Pwned again - [Paul] - If you live in the Netherlands, all RFID are belong to attackers. I think that RFID should be one form of authentication, not just the one that we solely rely on. Any encryption you can put into that small of a chip will be cracked by someone, somewhere, at least for quite some time.
More From Larry:
Mifare RFID encryption broken - [Larry] - Two independent groups of researchers claim to have been able to crack the encryption methodology in use for protecting Mifare RFID chips. As a result, these cards can be potentially cloned. Both groups will be releasing demonstrations of the attack over the coming weeks, so expect to see this turning up in tools ASAP.
So why does this matter? Mifare RFID chips are the most commonly used in access control and payment systems (at least in the UK - the Oyster card). If I recall correctly, this is also the same chip used in many auto manufacturers, and even in payment systems here in the US.
Hack into a Windows PC - no password needed [byte_bucket] - "A security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password. Adam Boileau, a consultant for Immunity, Inc (www.immunitysec.com), first demonstrated the hack, which affects Windows XP computers but has not yet been tested with Windows Vista, at a security conference in Sydney in 2006, but Microsoft has yet to develop a fix." The tool (winlockpwn) and additional information can be found here on Boileau's website. [Paul] - If this attack were to become practical for pen testing I think we'd have a winner. The ability to read memory has some clear advantages. I'd like a USB dongle to read memory, parse the juicy information, and send it along to me. This should be built into the Core agent and built into the U3 toolkits. The attack has been around forever, now let's make it practical. What a great way to gain access to the system on a pen test too, accessing locked workstations, etc. I wonder if this can be used to bypass kiosk protections? Typically you will find a kiosk in a public area on a pen test, would be neat to pwn it fast just by inserting a USB thumb drive.
Secure USB thumbdrives cracked - [Larry] - In an analysis, some secure thumb drives that require a fingerprint to access the secured volume were easily defeatable by issuing a single USB command. This single command allows unauthorized access to the secure volume without accessing the scanner. Seems like an easy attack to me.
Insert comments about good technology, but being wary of actual implementations. Encryption, etc.
I also heard of another story...missing at the moment...but it related to bypassing the fingerprint reader by opening the device and soldering a single jumper to enable permanent read access to the secure volume.
Smallest Linux Computer - [Paul] - Think of places you could hide this! Okay, not there! Well maybe, but as devices get smaller and more powerful they will become more difficult to secure. Why? How do you stop these from getting planted in your network? It's also difficult to make sure no one is stealing them from your facility, in, well, you know where.
Public Transportation design flaw - [Larry] - Here's an example of how to think outside of the box for security. Some San Francisco municipal buses are electric powered - and the power button is on the outside in an unlocked, easily accessible compartment. Turn the power off and the buses don't move, can't contact dispatch, and have no lighting....
How does this design flaw relate to security? Glad you asked!
Router Hacking Contest - The Results - [Paul] - All sorts of fun hacks for embedded systems. One I found interesting was the Boa auth bypass (http://www.milw0rm.com/exploits/4542) where you can overwrite the password on the device by sending a really long username to the super wicked secure Basic Authentication login. W00t!
Companies ban Social networking - [Larry] - Mostly due to time wasting, and malware. However, consider the Web 2.0 marketing strategies in this risk analysis.
Cisco Reveals Patch Cycle - Twice per year! - [Paul] - So, customers want a regular patch cycle and Cisco decided on twice per year. W-T-F, you've got to be kidding me. Patches need to be released ASAP and if a company wants to adopt their own patch cycle, then so be it, and do it according to their own risk calculations. This is the same problem I have with Apple and Microsoft: release patches when they are available. Who are they to say that I'm not "Ready" to apply that patch? Or, the patch isn't stable enough. That's crap, give me the patches and let me choose. We're already behind the curve (exploits don't wait for patches to be installed), at least give us a fighting chance.
ATM hacking not in the cards - [Larry] - Don't hack the cards, hack the ATM. My quote of the day:
Bruce Schneier concurs. He told heise online: "Windows computers are notoriously insecure, so using them for secure banking seems like a mistake. … moving from a special-purpose computer to a general-purpose Windows computer means that you assume all the risks of running a Windows machine. Was that a surprise to anyone?"
If you pwn, or own, a ZyXEL router, read this - [Paul] - Wow, holy vulnerabilities Batman! Some of the issues include default write SNMP strings (which means change the device config, and change web pages to insert XSS and other nasties). You can also use it to ping sweep the internal network, change DNS servers. Just nasty stuff! Looks like you can get OpenWrt and uClinux on some of these devices (http://wiki.openwrt.org/OpenWrtDocs/Hardware/ZyXEL/Prestige_660HW-61), however you will need some experience with embedded device hacking/firmware/dev to do it.
Hack memory via firewire - [Larry] - Gain access to memory on a Windows XP system over firewire, and steal contents of memory - including whole disk encryption keys, and other sensitive data. This comes on the tail of McGrew Security's RAM dumper, a tool that he authored in response to the memory freezing research.
msramdmp: USB-bootable RAM Dumping Utility [Wesley McGrew - cs_weasel] - I noticed that the Princeton researchers who published the encryption key attack described last episode haven't released the utility they used to dump RAM with a USB drive, so I went ahead and wrote my own. If you're looking to play with this neat "attack", then this should get you started. There's plenty of interesting things you can carve out of RAM, even if you're not looking for encryption keys.
Chinese backdoors "hidden in router firmware" [byte_bucket] - Conspiracy theory or real threat? You decide.
CORE: Multiple vulnerabilities in Google's Android SDK [byte_bucket] - "Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most used image formats (PNG, GIF and BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open source image processing libraries others were introduced by native Android code that use them or that implements new functionality."
Review of 7 secure USB drives [byte_bucket] - Paul mentioned the IronKey in last week's episode. Here is a review of the IronKey along with 6 other "secure" USB drives. [cs_weasel] One of which is so horrible they were easily able to bypass the combination keypad by disassembling the drive. They're sketchy on the details, but from what they did write, I imagine there's probably just an "activate" line on the board that's connected when the correct key is entered.
For Your Enjoyment
Things on Paul's "hacker" keychain