Episode334

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

Weekly-344.mp3 Mp3

Announcements & Shameless Plugs

Security Weekly - Episode 334 for Thursday June 6th, 2013

  • We have a special announcement! Security Weekly and Black Hills Information Security have joined forces to offer the best in penetration testing services! Gone are the days of copy and paste Nessus results in a pentest! Visit BlackHillsInfosec.com for all your training, Offensive Countermeasures and Assessment needs!
  • We are looking for sponsors for monthly webcasts in conjunction with SANS - contact paul -at- hacknaked.tv for details!
  • Security BSides Rhode Island Two-Day Conference on June 14th and 15th tickets are almost sold out. Tickets are still ON SALE at WePay.com. Featured presentations from the soon-to-be-famous but currently still-available-for-autographs Alison Nixon, as well as from Josh Wright , Kevin Finisterre, Kati Rodzon, Mike Murray, Bruce Potter, Joe McCray,Ron Gula, Ben Jackson, Dave Maynor and the entire Security Weekly crew!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!

Interview: Andy Ellis

Andy Ellis is Akamai's Chief Security Officer, responsible for overseeing the security architecture and compliance of the company's massive, globally distributed network. He is the designer and patentholder of Akamai's SSL acceleration network, as well as several of the critical technologies underpinning the company's Kona Security Solutions. He can be found on Twitter as @csoandy

  1. How did you get your start in information security?
  2. What advice to you have for those just getting started in information security?
  3. Most folks think of Akamai as a content caching company, what role does security play?
  4. It would be bad if someone were to gain access to Akamai's caching service, in that I could use it to take over the world for example, what are some of the measures in place to control access and provide security?
  5. How to you effectively manage change control and system hardening across your entire infrastucture?
  6. Tell us about some of the data you are able to collect and how it has been used as a valuable resource for customers and the community?
  7. How do you help customers with security, for example, with carding rings?
  8. What sort of metrics do you use to support security in your environment?

5 Questions:

  1. Three words to describe yourself
  2. In a game of ass-grabby-grabby do you prefer to go first or second?
  3. If you could stroke just one person's beard for hours on end whose would it be, Jack Daniel, Josh Corman's or Martin McKeay?
  4. If you were to write a book about yourself, what would the title be?
  5. If you were a serial killer, what would be your weapon of choice?

Tech Segment: Greg Hetrick on SRPs

Greg is an Intern with Security Weekly and a Senior Security Engineer for a financial services firm. Greg specializes in Vulnerability management, penetration testing and security architecture. He's on tonight to cover his blog post on Windows Software Restriction Policies.

Full Blog Post http://securityweekly.com/2013/05/thwarting-client-side-attacks.html

Setup

SRP is easy to setup via Group Policy Object (GPO). Inside GPO editor create New Software Restriction Policy. Once create the default will be setup. You can look around to see basic options. Here is my tested setup.

Enforcement: Select "All Software files" and "All users except local administrators"

<image>

Under Designated File types: Remove type LNK - this will make sure that shortcuts placed outside of the designated execution directories will run. When I initially tested what I thought would work none of the shortcuts on the toolbar or desktop would launch an application and I found this to be the issue.

<image>

Ignore trusted publishers, this is used if we are limiting applications based on the certificate authority.

Select "Additional Rules"

The default execution directories will be selected.

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

Since mine is 64bit Windows I added

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%

Security level for these are all going to be "Unrestricted" I want them to be able to execute as normal.

Now back under "Security Levels" the default setting is Unrestricted, since we are changing users over to defined execution directories I want to set anything not specifically allowed in the Additional Rules section to "Disallowed." So we change the default to Disallowed.

Save this and run gpupdate /force on the target machine.

Setup the attack

Now to test a client side attack using SET. I am going to use the java attack method. 1 -> Social-Engineering Attacks, 2 -> Website Attack Vectors, 1 -> Java Applet Attack Method, 1 -> Web Templates, 1 -> Java Required, 2 -> Windows Reverse_TCP Meterpreter, 16 -> Backdoored Executable - Enter port of listener (default 443)

Fire it up and wait till it starts the payload handler.

Once the handler is started you are ready to test the attack. Go ahead and run the unsafe java applet.

You will notice that the the site is responding but the java applet is unable to execute the payload.

After attempting this and being successful, I tried running SET with PowerShell Injection and to my surprise the attack succeeded. I realized with PowerShell the payload was running from the C:\Windows\sysWOW64\WindowsPowerShell directory which by default is explicitly allowed. To defeat this attack I added the path to the list of Additional Rules and set it to "Basic User", retested the attack with PS Injection and the attack failed as expected. I tested this with multiple payloads and encoding methods and everyone of them did not result in a successful attack. On 32bit systems PowerShell is located in C:\Windows\System32\WindowsPowerShell\v1.0\ so that directory will need to be accounted for as well.

I ran two other tests, the first was using EXE embedded PDF and an older version of Adobe Reader (9.3). SRP was able to successfully stop this attack.

Finally I tested a physical attack using a USB Rubber Ducky Human Interface Device (HID) from the folks over at hak5 (www.hak5.com). I used a great little payload generator found over on google code (https://code.google.com/p/simple-ducky-payload-generator/ ) It is pretty slick and simple, I used a meterpreter powershell injection payload that didn't attempt to elevate privileges. SRP was able to successfully stop this attack. If the user had admin privileges and entered in creds in the UAC window it would have worked since I allow Local Admins unrestricted access.

In Production the are likely other directories where code needs to execute, those will need to be added to the allow list. As the config is done, administrators will be able to bypass these rules for installation of software etc. Administrators will also need to ensure that ACLs are properly set since a curious user could move executables into the approved directories and run them. While this is like a bit tough to implement in a very large organization this is a very effective method for stopping client side attacks.

To find other executable directories in use in your environment enable SRP with defaults (fully unrestricted) and set the following registry key:

"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" String Value: LogFileName, <path to log file>

This will log the executable and the directory it was run from a little data mining can determine were applications need to execute from. Also Inventory Collector from Application Compatibility toolkit can assist in this task.


Announcement

  • Larry teaching SANS SEC617 all over and coming to a city near you in 2013. It isn't too Late to sign up for my class in San Diego this May! (actually, it is, so sign up for SANSFIRE next month and NS2013 in Vegas!)
  • We have a special announcement! Security Weekly and Black Hills Information Security have joined forces to offer the best in penetration testing services! Gone are the days of copy and paste Nessus results in a pentest! Visit BlackHillsInfosec.com for all your training, Offensive Countermeasures and Assessment needs!

Stories

Paul's Stories

  1. Belarus Becomes World's Top Spammer - So, SPAM kingpins do not reside here, but rather just compromised a bunch of machines and are using it to SPAM the world. Interesting, a new country for everyone's stats, one many may not have heard of before, and to be honest had I not been in a College program with exchange students and professors from belarus, I would not have either. Funny though, 99% of the email coming from this country is now SPAM.
  2. You Can Now Eat Your Passwords - I can't even believe this: Another experimental idea is a password pill you swallow - that transmits a signal to devices outside the body. Put 30 seconds on the clock and see how many funny things we can say: Shit, I just crapped out my password. A secure password! Thats a tough pill to swallow. Someone stole my password! Oh, that was just a stomach pump because I drank too much. How did she die? Oh, she overdosed on passwords.
  3. Hackers Spawn Distributed Supercomputer On Way To Chess Record - Why Chess? I mean, a botnet would be so much more profitable.
  4. IT departments won't exist in five years - Yes! IT departments are dead! WTF. so, its all moving to the cloud and people wil bring their own technology. One problem with that is that that leaves out security entirely, which means even more successful pen tests, if thats even possible.
  5. How to see if your antivirus is actually working - Just go visit some porn sites. Its way more fun.
  6. GDS Blog - GDS Blog - Using Nessus to Audit VMware vSphere Configurations
  7. There is no Onion – The Painful Reality of Defense in Depth
  8. Bypassing internet filtering with Lahana
  9. Counter-Strike? | CSO Blogs

Jack’s Stories

  1. Classic Marcus Ranum, audio of his presentation at AusCERT.
  2. Decrypt or not, make up your mind! Judge in Wisconsin child porn case reverses earlier order. This Fifth Amendment case may have significant implications for privacy and forced decryption. Convicting bad guys is good, twisting the Fifth Amendment is bad.
  3. The case for a government bug bounty program Interesting take from Dennis Fisher. Favorite quote: "This plan certainly wouldn’t solve the entire problem. Nothing short of unicorns writing magical bug-free software will do that."
  4. The platform monoculture question comes back again. This time around the widespread adoption of Android is the trigger- but is the mess of Android diversity really a monoculture?
  5. Oracle is going to fix Java security. And they mean it this time. Really. They promise.
  6. Police stumped by car thefts. Police are trying to figure out what appears to be a significant flaw in some vehicles' keyless entry systems.
  7. Another bot takedown by our friends at Microsoft.

Allison's Stories

  1. Verizon forced to hand over telephone data – full court ruling Someone leaked a top secret court order requiring Verizon to share all "metadata" of all their customers for the past three months. The contents of the conversations are not included but the caller and recipient, as well as some location data are all in the logs. It appears that this order covers all calls made by US citizens within the United States as well. This link contains the text of the top secret order. related: http://i.imgur.com/2Ausqad.png
  2. China, US agree to talks on cyber theft and espionage I'm not sure how this is supposed to work when there is no trust in this relationship. I suspect it's entirely symbolic and hollow.
  3. IPS market to grow on back of worry over APT attacks I wonder how much it's really going to grow. For the APT signature sets I have seen, the signature effectiveness is largely because of their limited distribution. AV is largely worthless because any schmuck can check their malware against AV before deploying. I don't see any broadly deployed APT signature set as being effective. We'll see how it goes.
  4. Utility Blackouts as a Weapon The implications of attacking powergrids are interesting. No doubt certain countries might want to get back at us for attacking their nuclear power plants. I guess it all hinges on whether or not those attackers can find a nasty enough vulnerability.
  5. Study asks what happens to hacked data This is also interesting. It may not be obvious to a bot herder that some stolen information may be useful, and who it may be useful for.