This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.
This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!
Announcements & Shameless Plugs
Live from the G-Unit Studios Welcome to Security Weekly, Episode 119 for August 21st, 2008
Welcome to Security Weekly, a show for security professionals, by security professionals.
- Security Weekly SANS Click-Through - Go there, register for fabulous SANS training! Go now!
- ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas!
- Larry and I will each lead a team, names to be announced
- Attendance and participation is FREE, come join one of our teams!
- 4 Networks, 1) Attackers 2) Defenders 3) Public/Internetish 4) Spectator Room
- Looking for food/drink sponsor
- Featuring wireless, voip, and SCADA!
- Help support Security Weekly with your donations. Visit http://securityweekly.com and press the DONATE button.Note: Thanks to listener Ken for the donation!
- NS2008! Paul giving keynote: Things That Go Bump In The Network: Embedded Device (In)Security and teaching SEC535, Network Security Projects Using Hacked Wireless Routers! Don't forget our live podcast!
- Check out the new beer listing.
Mini-tech Segment - SamuraiWTF
Kevin Johnson has done an awesome service to the community here. SamuraiWTF, as we've talked about briefly is a live CD full of Web app testing tools. Right now it is development "alpha', so there are still a few issues that are being resolved. They've even gone far enough to configure Wine to include some of the windows tools.
Note on logging in: (which will be better documented) The user to login as is "samurai" with the password of "samurai"
Some of the tools that we've talked about on the show in the past are included on the CD - HTTPrint, Nikto, Paros Proxy, the Burp Suite, Maltego CE and Gooscan.
I was real happy to see Grendel included as well, which was released right about DEFCON time. Grendel is pretty easy to use, and even provides a local proxy for additional manual testing, a la burp and Paros.
DirBuster (from OWASP) will brute force directories on a webserver to see if they exist. It likes a file to pre-populate (aka a "rainbow table"), but I wasn't able to locate a list on the CD in a few seconds, so I elected to do a brute force.
It found some stuff right off on the site I tested (with permission), however with the default thread count, it would take 62254470 Days to complete! As you can see from the screen shots, I have at least one directory to follow up on.
I was hoping for some good bookmarks in the browser. I was happy to find the local install of BeEF, Ajax Shell, PHP Shell, and the local wiki - great for documenting your findings!
Of course, they also included w3af- the Web application Attack and Audit Framework, including the nice gui. w3af is similar in concept to Nessus, in that you define a host, and pick tests to run against it. It also adds the features of Metasploit, in that it can exploit its findings and deploy connection methods.
I must say the guys have done a fantastic job at the "first pass" development release to include some awesome, helpful tools all in one place. You can be sure that I'll be keeping this one around!
Kevin is always looking for feedback, tool suggestions and feature requests, so feel free to download, USE it, and offer kevin some feedback. His contact info can be found at the project site samurai.intelguardians.com
Tech Segment: Software Update Security with Derek Callaway
Typical advice for keeping a system secure includes keeping your software up-to-date; however, updating software actually has the potential to make your system less secure. Derek has published a number of advisories through his company (Security Objectives) pertaining to software update vulnerabilities of various vendors including Lenovo, PartyGaming, and Cygwin.
evilgrade is a tool for exploiting software update vulnerabilities that was first presented (but not released) at EkoParty 2007, an Argentinian security conference. evilgrade was released by Francisco Amato of InfoByte Security Research in late July, 2008. This event seems to have officially brought software update security to the attention of the vulnerability research community. evilgrade is particularly useful with when used in conjuction with KARMetaSploit and/or Dan Kaminsky's DNS Cache Poisoning attack although other Man-in-the-Middle techniques such as ARP redirection are sufficient. There is talk of integrating evilgrade into the Metasploit project. ISR-evilgrade is currently at version 1.0. Currently it has exploit modules for: Java, WinZip, Winzmp, MacOS, OpenOffice, iTunes, LinkedIn Toolbar, DAP (Download Accelerator), Notepad++, and Speedbit. Look for a new version of evilgrade with more exploit modules in the not too distant future.
Before updates were delivered over the network, they were usually delivered on tape by private courier. At one of the HOPE conference's social engineering panels, Kevin Mitnick spoke about an analog man-in-the-middle attack where he dressed up as a UPS delivery guy and delivered a trojanned tape himself. In 1983, Digital Equipment Corporation (DEC) created the first remote delivery of software updates at their Colorado Springs facility for their OpenVMS operating system. Once the Internet became ubiquitous software starting allowing the user to update their software over the Internet.
Different types of software updating:
Automatic (software automatically downloaded and installed) Semi-Automatic (software notifies user update is available, but must take action to intsall) Manual (user must take action to determine if an update is available)
Clearly, the fully automatic type is impacted the most when it comes to updater vulnerabilities. Most updaters use HTTP(S) so it's just a matter of creating a web server that looks like the real update server but pushes out trojans with the updates. Some updaters will download the patch from within the program, others will open up a browser window with a URL to the vendor's site which usually isn't HTTP(S).
Just because SSL is in use, doesn't mean the updater is secure. The update client must properly verify the server's certificate. An example of improper certificate verification in a software Updater is the Lenovo advisory Derek published (CVE-2008-3249.)
Creating digital signatures for packages does not always prevent attacks either, especially if the integrity of the update server itself is not validated. An old package's hash is valid because it was signed with the real vendor's key. A rogue update server could cause a downgrade to an old vulnerable version and then exploit it.
These attacks can also affect entire operating systems. Take for example Linux distributions that have mirrored servers for their package systems. On August 14, the Fedora project leader told users to not update their software as a precaution because of a mysterious Fedora Project server outage.
Cryptographically verify the update server with PKI (Public Key Infrastructure.)
"Derek Callaway is a security consultant with Security Objectives Corporation. His company is currently developing a dynamic binary analysis debugger. More information and demos are available at security-objectives.com."
- Security Objectives Advisories - http://www.security-objectives.com/advisories.html
- Updating the Updater: System of Systems (Security Objectives' Blog) - http://systemofsystems.wordpress.com/2008/05/25/updating-the-updater/
- ISR-evilgrade, InfoByte Security Research - http://www.infobyte.com.ar/developments.html
- Karmetasploit - http://www.metasploit.com/dev/trac/wiki/Karmetasploit
- Thinkvantage SystemUpdate Missing SSL Certificate Chain Verification - http://secunia.com/advisories/30379
- Mystery Fedora Disruption Prompts Security Fears - http://www.theregister.co.uk/2008/08/19/fedora_outage/
Stories For Discussion
FEMA phones hacked for toll calls - [Larry] - Yep, hackers broke in to the phone system and were able to place $12k in calls to Europe and Asia. The security consultant claims that the hack is "old school". Certainly, but we all know when there is money to be saved or made, the attack is certainly one attackers look for. Now, the method in which the hack was conducted? Even more old school - they attacker apparently utilized the default administrative password. FEMA blames the contractor that set up the system for leaving this open. Time for someone to start examining that contract... And yes, FEMA is a division of DHS, the same folks who are ultimately responsible for the TSA fun cavity searches at US airports. It gets better - allegedly DHS put out a notice for this type of system vulnerability in 2003... [Paul] - Hackin like its 1989! Love it! I find the motivation interesting, what kind of calls were being made? Typically, I would imagine, that hacking into a phone system is exploited for profit, shady telemarketing calls, VoIP Phishing, etc... Was it really just to make long distance calls? And why does everyone blame the contractor? Was the contractor the only one who knew that the password was set to the default?
Is that a lockpick in your pocket, or are you just happy to see me? - [Paul] - Bill over at i-hacked.com did a great job with this posting which details hiding a lockpick set in your luggage. It seems its quite easy to sneak a screwdriver and hide stuff in the tube for the pullout handle on a roll-away. One interesting thing he says, "I took some measurements and found out that I really couldn't pack much more than a few cubic inches (perhaps 8 or 9 fluid ounces) into both tubes combined." I want to see the picks where bill fills his luggage handles with water :) This is pretty scary, and has many parallels into the digital world. First, trojans are effective (pause for laughter). Hiding in emails, web pages, you name it, eventually they will be successful. Second, defense in depth is important, you can't just rely on the x-ray machine or your firewall for security, you need other layers. Lastly, intelligence is key, do you think the TSA read Bill's post and adjusted their defenses accordingly? Probably not, but I bet Bill is on a list somewhere ;)
Combatting Stego - [Larry] - I thought that this was an interesting approach - just add your own stego over top on systems where you can automate.
Portscan In One Line - [Paul] - I'm very much a command line person. Maybe its because I started on and Apple IIe and worked my way to DoS, then after a brief and frustrating stint with Windows, I found Linux/UNIX and fell in love with the command line. Its just so sexy! So is portscanning in one line of bash compliments of shell-fu.org. Below is my slightly modified version:
HOST=192.168.1.97;for((port=1;port<=65535;++port));do echo -en "$port ";if echo -en "open $HOST $port\nlogout\quit" | telnet 2>/dev/null | grep 'Connected to' > /dev/null;then echo -en "\n\nport $port/tcp is open\n\n";fi;done | grep open
Search engines uncover potential Olympics "fraud" - [Larry] - Note, not a political commentary on China, the Olympics or the IOC. Stryde Hax (and apparently the AP as well) used Google.cn and Baidu so search for information about the age of China's star, gold winning gymnast He Kexin. From Excel documents found from "official" Chinese sources (Like the state run Chinese Gymnastics Association) list her birth-date as 1994, in contrary to her passport, which lists 1992. After access, the documents disappeared, but remained in search cache, then not in Google's but still in Baidu's. An important pont to be careful about what gets put on the internet - expand here!
IE Zone Bypass = Bad - [Paul] - I never trusted the zone in IE, and here is one example why. You can bypass them and gain access to read local files. Ouch.
Cisco Shell codes - [Larry] - Neat. Yay or full disclosure. Some patches for IOS to enable backdoor VTY/TTY sessions with a priv of 15 with no password.
Force SSL For Gmail - [Paul] - All I have to say is FINALLY.
DEFCON r ful ov hackrz - [Larry] - Wow, I love it when lawyers get it wrong.
Helpful tools for malware removal - [Larry] I know we all get calls form family to fix computers, usually for malware. Here's a great tool to gather all of the applicable tools in a jiffy. We of course know that the only way to totally remove the problem is a format and install Linux. :-)
crcerror - Check out this new podcast. It features some not so sober Americans and one Canadian.