SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
Announcements & Shameless Plugs
Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 102 for March 20th, 2008
- PaulDotCom SANS Click-Through - Helps pay for cool stuff and general insobriety
- Network Security Projects Using Hacked Wireless Routers with Larry Orlando, FL. on Thursday, April 24
- Advanced Network Worm and Bot analysis with Steve Marcelino in N. Kingstown, RI on Tuesday March 25
- Cutting Edge Hacking Techniques with Paul in N. Kingstown, RI on April 15-16
- Pen Test Summit - June 2-3 to be attended by Larry
- Rhode Island Linux Install Fest - Come and install Linux, help people install Linux, install Linux on different devices and systems (at least show up for pizza and b**r)
Tech Segment: Wesley McGrew Presents msramdmp
Tech Segment: Nessus Upgrade 3.2.0
Some great new features:
- Support for IPv6 targets (for the Linux, FreeBSD, Solaris and Mac OS X flavors)
- Support for limiting the number of active TCP sessions in parallel (per host, per scan, per scanner)
- A new nessuscmd tool that lets one run quick scans from the command-line
- A new nessus-update tool that lets one update the Nessus engine from the command-line (on select platforms)
- The Nessus daemon can now detect hosts which are being turned off during the scan and stop scanning them
- The Nessus daemon can now detect when the network is congested and change the TCP settings appropriately
- Nessus user account access control rules are now more granular and can be used to prevent the scanner from connecting to certain ports or to use certain plugins
- The nessus command-line tool can read and write to and from a .nessus file
- Improved WMI support (see http://cgi.tenablesecurity.com/tenable/WMI.html)
I could not find the nessuscmd tool on OS X, but I Linux I had some fun:
root@pwnsg:/opt/nessus/bin# ./nessuscmd -V -i 10884 ownme.example.com Starting nessuscmd 3.2.0 Scanning 'ownme.example.com'... + Host ownme.example.com is up root@pwnsg:/opt/nessus/bin# ./nessuscmd -O -p1-1024 -U -V -i 10884 ownme.example.com Starting nessuscmd 3.2.0 Scanning 'ownme.example.com'... + Results found on ownme.example.com : - Host information : [i] Plugin ID 11936 | Remote operating system : Linux Kernel 2.6 on Debian 4.0 (etch) | Confidence Level : 95 | Method : SSH | | | | The remote host is running Linux Kernel 2.6 on Debian 4.0 (etch) - Port ssh (22/tcp) is open - Port http (80/tcp) is open - Port sunrpc (111/tcp) is open - Port https (443/tcp) is open - Port ideafarm-chat (902/tcp) is open root@pwnsg:/opt/nessus/bin# ./nessuscmd -O -p1-1024 -U -V -i 11154,22964 ownme.example.com Starting nessuscmd 3.2.0 Scanning 'ownme.example.com'... + Results found on ownme.example.com : - Host information : [i] Plugin ID 11936 | Remote operating system : Linux Kernel 2.6 on Debian 4.0 (etch) | Confidence Level : 95 | Method : SSH | | | | The remote host is running Linux Kernel 2.6 on Debian 4.0 (etch) - Port ssh (22/tcp) is open [i] Plugin ID 22964 | An SSH server is running on this port. - Port http (80/tcp) is open [i] Plugin ID 22964 | A web server is running on this port. - Port sunrpc (111/tcp) is open - Port https (443/tcp) is open [i] Plugin ID 22964 | A web server is running on this port through SSLv2. [i] Plugin ID 22964 | An SSLv2 server answered on this port. | - Port ideafarm-chat (902/tcp) is open [i] Plugin ID 22964 | A VMware authentication daemon is running on this port.
Stories of Interest
Vendor, vendor, vendor - [Larry] The vendor who was proud for securing Hannafords supermarket chain, seems to no longer be proud...
Hannaford Brothers hacked - [Larry] - This story is all over the news (and see our other related story as well), so I I will gloss over it a bit. Plain and simple, they got owned, and had 4.2 million CC and Debit card numbers stolen. Bad. However, as Martin McKeay pointed out, Hannaford's does something good (well at least better) when they store the info. They do not associate the card number info with name and address info. This makes the use of the numbers a little more difficult.
Mifare Classic hack explained - [Larry] - Wow, this has to be one of the most complex, dedicatd hardware hacks I've ever seen. The researchers evaluated the Crypto-1 cypher implementation as implemented on the chip with a microscope, and peeled back all 10 layers of the silicon. They then recreated the chip in Matlab...and discovered that the 16 bit random number generator was easy to manipulate.
The Honey Stick Project - [Larry] - Cool. Honey-anything is neat to me (but maybe not valuable). Either way, here some testing for a number of things that Paul and I talk about all the time. I particularly would like top review USB security. See this on a related note.
CC RFID hacking - [Larry] - By utilizing an actual PayPass terminal, Pablos is able to read RFID CC info from a wallet on his Mac. A simple yet, elegant hack of an existing device. Why? because the decryption of the RFID signal happens locally, and is then sent from the reader to the attached device in the clear. This is a clear use of using the technology to do the work for us, as an attacker. On another note, a lot of folks are giving Pablos crap for the $8 hardware comment. I've exchanged some e-mails with him and 3ric, and I can confirm that the hardware IS inexpensive - and certainly in the $8 range.
ZZZIIIIIIP! - [Larry] - Multiple vulnerabilities in archive pro-cessing.
Security and HR should talk - [Larry] - One thing that I think is important with security policies is the unilateral enforcement of of the policies. One thing that becomes disappointing is all of the work that goes in the enforcement of the policy, and the offender is given a slap on the wrist, and the incident is swept under the carpet. This, in my opinion is a bad thing.
Social Networking Evil Twin Lands Somone in Jail! - [PaulDotCom] - Some countries frown upon this type of attack, esp. if you live in Morocco. "A Moroccan computer engineer who was imprisoned for creating a fake Facebook profile of King Mohammed VI's younger brother said Wednesday he only did it out of admiration for the prince." Yikes, he was eventually granted a pardon, but goes to show you how serious this attack could be. Good thing for Larry and I we live in the US and were just impersonating Twitchy :)
PwN To Own - Cansec 2008 - [PaulDotCom] - So rather than just a single mac book pro, there will be a Windows, OSX, and ubuntu Linux laptop for hacking. Prizes include $10,000 for a 0day on any platform. This year there will be more strucutre, and care, as to not let a 0day slip into the wild over the wireless or bluetooth networks. I think this is a fun exercise, and I hope that more than one bug is found and properly disclosed. This can be good for the vendors as well, they get some free security research out of it! So, have at it guys, find lots of bugs and hopefully we will see patches.
http://www.linuxdevices.com/news/NS7602396677.html Linux Zigbee Embedded devices for home security?] - [PaulDotCom] - I dunno, maybe its just me, but I don't trust any qireless signal when it would come to my home security system. Also, as zigbee becomes more mainstream, what ARE the security implications. Well, lets take a look and learn from history:
- 900MHz cordless phones and headsets - pwned
- 802.11 - pwned
- "Secure" 802.11 (WEP/WPA/EAP) - pwned
- Bluetooth - pwned
So, if history is correct, Josh Wright will crack zigbee, setting us all free like Neo from the Matrix....
Taosecurity - Ten themes from recent security conferences - [PaulDotCom] - Nothing really new to us here, basically, every organization has compromised machines, but most don't know it, we can never implement 100% security networks, but we can make it cost prohibitive for the attackers. If you are of a signifigant size or interest, you are a target, and therefore have to raise the bar higher.
Poor Session Handling and Authentication - Voter reg forms readable - [PaulDotCom] - This is a testament to the very sad state of web application security. There was a site with an online voter registration page. Simply changing your voter ID, you could get other people's voter registration data. Nice. Session handling is something that automated web application scanners almost always miss, and something you need to test for manually. Goes to show you, just looking for XSS and SQL injection is not good enough, its just the start. Getting into the programmer's head and figuring it out is always the best way.
Honey Stick Project - Social Experiments with USB keys - [PaulDotCom] - Pwning people with USB keys is great fun, and often very successful. You can leave them in the parking lot, give them to the secratary to print a document, and pose as the help desk employee and just insert the key as part of "normal maintenance". However, this site brings up some good points, would you pick up a piece of pizza that was lying on the ground, even if you were starving? If your answer is, "depends on how wasted I was", then you have to go check out this site.
iPhone Bootloader Attack - [PaulDotCom] - The iphone dev team claims to have "jailbreak" functionality on the new, unreleased, Apple iPhone 2.0 firmware. The basis of the attack is that they figured out a way to circumvent the bootloaders checking of RSA signatures. This gives them direct access to the flash, which is essentially game over. This attack is scary for several reasons. First, it means that arbitrary code running on the iPhone is now a reality because access to the flash means you control the entire systems. THis means you can install applications, and evil ones at that. This also means that you can replace the operating system with one of your own, just like our examples in the WRT54G world.
Scariest Thing According to Panel at Source Boston: Certified Pre-0wned Devices - [PaulDotCom] - People don't think about security in a holistic fashion and consider every avenue for attack. As we "solidfy the perimeter", which means nothing because there is no perimieter, attacker are accessing systems and bypassing security in ways that most have never thought of. Think of every device (camera, picture frame, usb drive, firewire drive, ipod, removable media of any kind) as an attack vector. This can become a potential way behind your defenses, especially given most manufacturing is done overseas. What is our defense? Anti-virus you say? I hope you have a better answer than that, for you sake...
Vishing Scam Example - [PaulDotCom] - This is a great example of how attacks will proliferate against our users in ways that we have little methods of defense (right now anyway). The attackers setup a VoIP service, hijacked or setup themselves, then sent text messages to users informing them to call this number to verify their account. No email or browser phishing protect to save you here, only whatever is on your cell phone to protect you (nothing) and good ol' alert users (ha!!!!). The interesting thing is that users were targeted by geographic region, meaning that the attackers had information about users phone numbers (most likely from penetrating another system). The attack that sent the emails went like this: "ompromise of a Web site called whitehousechronicles.com. The attackers broke into the site by exploiting an ancient flaw (in Internet time) in Horde, a free Webmail utility. Once there, they installed a bunch of scripts on the Web server; several of the scripts contained millions of provider- and region-specific phone numbers that would receive the vishing messages, while another listed the credentials needed to log into and send e-mail from dozens of outside e-mail servers.". Nice. Even better, they compromised an email account for "abuse@<some canadian beer company>.com". The password was.....wait for it....abuse. *sigh* Remediation, scan for known vulnerabilities and use a tool like hydra to test for default/stupid passwords would have thwarted a portion of this attack. Defense against the SMS message, where does the provider get involved? Text messages are revenue generators for cell phone companies (unlike how email is a freebie from an ISP). So, its not in their best interest to block them!
Attacking Smart Cards - [PaulDotCom] - A former MS employee has developed a fuzzer that targets the middleware used by smart cards.