SANS Las Vegas, October 26-27th, will debut a new course titled "Embedded Device Security Assessments for the Rest of Us", which will teach students how to assess embedded systems of all varieties on pen tests and in their duties as security professionals.
Tech Segment: Google Queries To Run Against Your Own Domain
Google hacking is certainly not new, and we give much credit to Johnny Long (http://johnny.ihackstuff.com) and the rest of the Google hacking community. However, we'd just like to share some of the fun and interesting Google queries that we have been running lately that serve to help secure our clients and, well, offer some just plain fun:
1) "allinurl: account_manage.php" - Not only does this one return many different login screens (against which you can attempt default passwords and brute force), but the first result is just an example of some of the fun to be had with returned pages.
2) "allinurl:sunshop" - So, there was a vulnerability, and an associated exploit, posted to milw0rm for Sunshop 4.0. Using the "allinurl" function I attempted to find sites running Sunshop; in doing so, it appears that everyone wants to give me their web server directory structure in the form of PHP errors. LAME, I know, but so prevalent.
3) "teen hardcore site:<your site>" - Unless you are a porn company, this search should turn up no hits. However, if you are not a porn company it can reveal areas of your web site that offer great entertainment and allow you to easily slip by web proxies. I mean, uhm, it will identify areas of your site that need immediate attention as they probably contain a web app that allows uploads.
4) "type: html viagra site:<your site>" - This is another way to find the same thing as #3, and potentially help you with your, er, uhm, issues...
5) "site:<your site> filetype:php inurl:id" - This one is a work in progress. By searching for files of type php, you can sometimes find applications that are accepting parameters by looking for "id" in the URL. Then, use a trick I got from Erratasec, replace the fields with ' and find many SQL injection vulnerabilities.
Some of Bob's favorites:
6) "filetype:rdp rdp" Bob will go into details for the LOLZ.
7) "filetype:pst pst"
So, let's teach you how to fish instead of just throwing salmon at you:
Step 1 - Go to security.nnov.ru and find the "Daily Web Application Vulnerabilities" page
Step 2 - Find a good one, like http://securityvulns.com/Rdocument879.html
Step 3 - Read it, and come up with a Google search to find it, such as "myphotographer inurl:ee"
Step 4 - Within the results, you should see vulnerable pages. For this one, replace "ee" field value with your SQL statement for MAX LOLZ.
You now have something to do each day with respect to web application security :)
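The site-scoped queries in the list above can also be run offline against a crawl of your own site, so you see what a search engine would surface before it gets indexed. This is an added example, not code from the show notes; the function names, the finding labels, and the sample pages for the hypothetical site example.com are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

SPAM_TERMS = ("viagra", "teen hardcore")           # queries #3 and #4
PHP_ERROR = re.compile(                            # query #2: PHP errors leaking paths
    r"(?:Warning|Notice|Fatal error|Parse error):.*? in (/\S+|[A-Za-z]:\\\S+) on line \d+")
TAGS = re.compile(r"<[^>]+>")

def audit_page(url, body):
    """Return the findings for one page of your own site (heuristic checks)."""
    findings = []
    parts = urlsplit(url)
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    if path.endswith(".php") and any(n.lower().endswith("id") for n in params):
        findings.append("php-id-parameter")        # query #5: review for SQL injection
    if path.endswith((".rdp", ".pst")):
        findings.append("exposed-rdp-or-pst")      # queries #6 and #7
    if path.endswith("/account_manage.php"):
        findings.append("public-login-page")       # query #1
    text = TAGS.sub("", body)                      # PHP wraps its errors in <b> tags
    m = PHP_ERROR.search(text)
    if m:
        findings.append("php-error-leaks-path:" + m.group(1))
    lowered = text.lower()
    findings += ["spam-content:" + t for t in SPAM_TERMS if t in lowered]
    return findings

def audit_site(pages):
    """pages: iterable of (url, body). Returns {url: findings} for flagged pages."""
    results = ((url, audit_page(url, body)) for url, body in pages)
    return {url: found for url, found in results if found}

# Constructed sample crawl of a hypothetical site; not real data.
SAMPLE_PAGES = [
    ("https://example.com/index.html", "<h1>Welcome</h1>"),
    ("https://example.com/shop/item.php?id=7",
     "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid "
     "MySQL result resource in <b>/var/www/shop/item.php</b> on line <b>42</b>"),
    ("https://example.com/forum/upload/post123.html", "Cheap VIAGRA online now"),
    ("https://example.com/files/helpdesk.rdp", "full address:s:10.0.0.5"),
    ("https://example.com/about.php?lang=en", "<p>About us</p>"),
]

if __name__ == "__main__":
    for url, found in audit_site(SAMPLE_PAGES).items():
        print(url, found)
```

Feed it the (URL, body) pairs from your own crawler or a staging mirror; anything it flags is a page to fix or take down before the equivalent search finds it.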
Stories For Discussion
Skype Phone is an evil hacking tool? - [Paul Asadoorian] - This goes for all devices that love to just associate to open wireless networks and start using them. More and more cases are cropping up, so will you go to jail for using a Skype phone? What about an iPhone? Is this a legal or technical question or both?
Setting UP WPA for the rest of us - [Paul Asadoorian] - Just for "Steve_C".
Bank of India = pwned - [Larry] - Looks like the Bank of India's website got hacked, and was distributing malware to visitors. Yikes! Now I don't know about BoI's services, however, I can think of some more interesting things to do with a banking site than distribute malware - how about capture login credentials to online banking!
Cisco Router DoS Vulnerability - [Paul Asadoorian] - I was not aware of Public Router Servers. Apparently they are set up for the sole purpose of people obtaining route information, à la traceroute. However, there are such things as a route monitor, "which are accessible to anyone via Telnet and can be used to execute the command in question." Yikes! Looking Glass Servers provide a web interface and limit the commands, however I still deem these as risky business for the most obvious reason: what if the looking glass software has a vulnerability?
More Sony Rootkits - [Larry] - This time on USB thumb drives with FileVault. This one doesn't seem as bad to me, and I'll explain why, nor does it seem to have as many of the capabilities as the Audio CD rootkit. Either way, F-Secure is working directly with Sony.
VMWare Acquires HIP company - [Paul Asadoorian] - A bit of a follow-up from our Interview With Intelguardians on the security of VM. HIPs could be a great way to prevent escapes, as you could write signatures to theoretically monitor the com channel (what VMware calls the "backdoor") and make certain that only legitimate "traffic" is going across it. I am a bit concerned about VMware actually running this, and would prefer a third party tool for checks and balances.
Keeloq Cracked - [Larry] - This is the encryption that is used to protect all of those wireless car keys used to open and start some of those new, fancy cars. By attacking the encryption, the researchers were able to recover the encryption keys, by reducing the brute forcing from 100 million keys to 85,000. Wow, use tried and tested encryption schemes!
Hack.Lu Conference Agenda - [Paul Asadoorian] - Some good talks listed, however the one I was interested in seems to have been cancelled, "Hijacking Virtual Machine Execution for Fun and Profit", interesting... Keep a close eye on these.
Skype outage due to Windows patches? - [Larry] - Ok, so this has probably been beat to death, but I call shenanigans. Windows patches took out Skype because of reboots? With that argument, it would happen once a month. Either way, clearly patch deployment needs to be planned carefully with critical systems.
Five Wireless Threats You May Not Know - [Paul Asadoorian] - Authored by Josh Wright, this paper provides an overview of some of the latest wireless threats. Top on the list are Rogue APs, weaknesses in PEAP and/or TTLS connections, and more.
SCADA pwnage - [Larry] - We've said it before, and we'll say it again. SCADA security (or lack thereof) scares us. These folks claim that this was one of the easiest tests they have done, and pwned a nuclear power plant when they were done.
There are hackers working for Microsoft - [Paul Asadoorian] - Can't wait to see what gets posted here! This is a blog from MS security division, which is usually kept under close wraps.
Malware, now with more Wireless! - [Larry] - A plugin for BOINC (malware, or distributed computing you pick), that allows for the client to discover wireless networks. This is frightening. I think that someone just wanted to be the top contributor on WiGle.
If you haven't upgraded to Bind 9, right now is a good time - [Paul Asadoorian] - Bind 8 is now end of life, if you care at all about the security of the Internet and you run a Bind server, upgrade now. Also, implement security on your Bind server too, like don't allow recursive lookups and all that.
10 lousy security promises - [Larry] - EPIC_LOLZ. Gosh, do I love vendor claims. Let's read along and have a laugh.
Bitchx gets Bitch Slapped - [Paul Asadoorian] - Nice little exploit for Bitchx, requires that you force a client to connect to your server. It would be really evil to build this into an existing IRC server via a bot (i.e. whenever someone joins the channel they get the exploit). Sorry, thinking with my evil hat.
189 miles - 5GHz WiFi - [Larry] - All with off-the-shelf hardware. Looks like that threat on the distance of wireless attackers is long, even with 5GHz.
Other Stories Of Interest
Upskirt Wifi Web Cam - [Paul Asadoorian] - LOL!
Sexy Girls moan your IP - [Larry] - That's it! We officially need PDC girlz.