SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 307 for Thursday November 1st, 2012
- NEW Register for Offensive Countermeasures: Defensive Tactics That Actually Work being offered at SANS CDI.
- Be sure to check out the The Stogie Geeks Show! For cigar enthusiasts, by cigar enthusiasts.
- Bsides everywhere baby! Likely there is one near you, so check the web site www.securitybsides.com
- Larry teaching SANS SEC617 all over and coming to a city near you in 2013
Tech Segment: Charlie Eriksen
In recent episodes, the subject of mobile security has come up. Mobile security is something that's fairly new, and is ripe with security and privacy concerns if you go looking for them, as a result of how new the platform is, and how much of a gold rush it has been to develop this sort of software. This provides you with a platform which is easily snooped and attack on. As it happens, most mobile traffic is plain HTTP(S), which makes the barrier to entry very low for doing sniffing of traffic and such. One tool for doing so, which provides a lot of great features, is Burp Suite. We'll take a look at how you can set up your iOS devices to work with Burp and have a bit of fun.
The first thing you'll need is to install burp. What you'll need to do is extract the root certificate used by Burp for SSL traffic. This can be done with following steps:
- Point your browser of choice to use Burp as a proxy
- Go to a HTTPS page
- View the certificate that you're presented with, which is obviously not trusted
- Go to the certificate path/hierarchy, and export the PortSwigger CA certificate to a file named something like "burp.cer"
Now that we have a saved version of the burp root certificate, next step is loading it onto our iOS device(A link to instructions for Android can be found at the end). To do this, you can either send it as an attachment to the mail on the device if you have that set up, or you may serve it over http. In this example, we'll use python to serve up the file.
- Open a command prompt in the folder which you saved the file
- Execute this command: python -m SimpleHTTPServer 8088
- Now grab your iOS device, browse to the IP of the machine on port 8088, and you will be given directory listing of the folder.
- Click on the certificate file (burp.cer)
- You'll be taken to the System preferences application, where you're prompted to install the certificate
At this point, you need to now direct the iOS device to use Burp on your local machine as a proxy. You do this by:
- Go to the wireless settings for the device
- Click on the arrow on the right of the entry for the wireless network you are on
- Scroll to the bottom, and select Manual for proxy settings
- Input the IP of your burp machine on the local network, port 8080(By default)
- Open up burp, go to Proxy > Options
- Observe that the listener only listens to the loopback interface by default.
- Select the listener, click edit
- Select "All Interfaces", hit OK
At this stage, you should now be able to open any application or browser on your iPad, and Burp Suite is fully able to intercept most, if not all, HTTP(S) traffic! Only your imagination will now limit you from all the fun and interesting things you can discover with this! You can find some of the findings I made here(http://ceriksen.com/tag/ios/). Instructions for importing the Burp certificate into Android can be found here: http://support.google.com/android/bin/answer.py?hl=en&answer=1649774
- Hacking an old radar gun to interface with a laptop - Really cool hack, he took an old radar gun and hacked it to work with his PC. Still need to go back and watch the entire thing, but always wondered how the radar gun worked, and if I could hack something together that would make it so I could never get a speeding ticket ever again. I think the security of these systems have always relied on "it's illegal to do that" type thing. However, how would they ever catch you? Just note, I am exploring the possibilities, not suggesting that anyone break the law.
- Burp proxy opens Android SSL connections - I am excited to hear about how to do this, it seems to be getting a lot of press, and something we should have done long ago. Looking at any smartphone app's traffic over Wifi is an easy thing, lots of vulnerabilities to be discovered.
- Angry White Guy - I just don't believe their to be room for politics in security, we've got enough on our plate and enough things to disagree about. It is interesting how the picture was reverse engineered to show that it was in fact modified. In the end, this post does just that and nothing more.
- Five pieces of advice for those new to the infosec industry - Some good tips in this one, anyone has others to add? I'd say if you are new to the industry, listen to those who seem to have a solid understanding of security principals, and listen to them. This is one thing I did not do well, I thought I knew what needed to be done to be "secure" and I ran with it, even though my perception of what "secure" is defined as was severely warped.
- Halloween Tech Monsters ¬´ Core Security - This is one of Alex's best posts in some time, check this out: Ghosts ‚Äì Security teams haunt IT like a ghost. They swoop in to cause chaos by demanding project security audits. Witches ‚Äì Analysts are the witches (think Macbeth) staring into their bubbling cauldrons and making grand prophesies about the horrible future about to befall us all. Shape Changers ‚Äì Good, white-hat pentesters are shape changers. They have the ability to morph and change to match their environments. Oh, and zombies, though I prefer a lawnmower ala Dead Alive to kill my zombie onslaught.
- The Script Kiddie 5-step program - Here is Chris's take on this: Understand your tools Understand the protocols Learn to fix a tool/script that‚Äôs broken Try to adapt a tool/scripts to improve them Write your own tool/scripts So true, you need to understand how your tools work and what they are doing to make use of them. Protocols are super important, pick a protocol that is popular, read all about it, then move on to the next one. Important to write some of your own stuff, but most of the time someone has written something pretty close that you can borrow, use in place of your own stuff, or build upon.
- Stealing Your Neighbors‚Äô Keys with a Drinking Glass - How real are side channel attacks against VMs? Problem enough to write a paper about it I guess.
- Moving to a career in IT security | Computerworld Blogs - Its something I tell people all the time that want to get started in information security. You need a solid foundation of IT skills, then you can be an excellent infosec professional. Sometimes programmers or IT admins want to get into security, I'd say you are already 30-40% there my friend!
- Companies Should Think About Hacking Back Legally - Of course this one got my interest, as I am speaking about it next week and help maintain 4 days of courseware on the sibject. He says something interesting here: For example, a corporation could place code on a bot that has infected its network, Willson says. Eventually, that code might be transferred back to the attacker's command and control server, and could be programmed to block the attacker's communications path. I'm not sure I agree with putting my own code inside the attackers code. If its discovered, you could get yourself in big trouble. I tend to lean towards puting code on your own systems and programs. Legality aside, this could be used as a way to attack you.
- Huawei reaches out to critical German hacker over router flaws - HUrray for Huawei! Just because they are "reaching out" doesn't mean crap either, they can still take their time fixing stuff and not respond, if they want to. I think this is just PR.
- Windows 8 'penetrated' says firm which sells to world's spy agencies - VuPen claims to have 0day for Windows 8, yawn. What is the deal with them anyhow? In any case, this is not really a big deal, as no one is really running Windows 8 yet, and if it gains widespread adoption, they will have likely fixed the 0day. I just can't help but think Windows 8 is going to be the "Windows ME" and "Windows Vista" of Microsoft releases, the one you skip and wait for the next one...
- What's your Status Steven? - [Larry] - the things that you learn every day. Apache has a server-status default page as part of Mod_status that tells you info about who is connected, and to what URL. Interesting if keys are included as part of the URL. If nothing else you get remote IP addresses of systems that are connected.
- SSL not so good [Larry] - Well, SSL is mostly ok, but the libraries and APIs used to implement the usage of SSL are not ver good. This study looked at a multitude of items and found that a good number of applications from mobile devices to other apps that used SSL would happily accept (without prompt to the user), self signed, invalid or valid (but for the wrong organization) certificates for the apps. Banking, Messaging, remote management and payment services were all found to have flaws. The most "vulnerable" mobile platform? Android. (come take SANS 575…)
- Winn's insight - [Larry] - I loved this article from Winn Schwartau (I may not always agree with him on all counts, but this I do). Basically his argument is that HR and government needs to start understanding geeks and geek culture if they want to hire for and from that population. The qualities that make us an HR nightmare" often make us perfectly suited to the job because of what makes us a nightmare. That said, it does not make us any less trustworthy or capable of our jobs.
- US Bank under CYBER ATTACK! - [Larry] - In other, related news, water is also wet. I'm also going to make you drink…I mean, seriously, the U.S. Homeland Security Secretary Janet Napolitano has to come out and say this like it is a new thing? Um, I'd argue that banks have been under cyber attack since they first started with some sort of cyber presence - all the way back to freaking modems in the data center, in say, in 1985. No wonder that our government gets failing security grades, when the folks at the top of the chain that are supposed to be in the know some out with statements like this that appear to be about 30 years behind the time.
- Numbers is hard. There is so much wrong here, I don't know where to start.
- More government FUD from DHS Secretary Janet Napolitano this time. Yes, financial institutions are under attack, but according to The Hill, Napolitano sounded the alarm about the attacks at a cybersecurity event hosted by The Washington Post, but declined to provide any details about them. No details? Then shut up.
- Researcher releases tools to switch off PLCs Digital Bond researcher Reid Wightman has found more SCADA fail.
- Zeta drug cartel allegedly kidnapping technicians to build and maintain their wireless network.