SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
Stories Of Interest
Surf Hentai on Free Wifi for MAX_LOLZ - [Larry - from user submitted] - Wow this is ridiculous. With this legislation in the US, if fully approved, it would require all those (including individuals) providing free WiFi to monitor all image traffic for child porn, as well as other offensive images - including Hentai (or basically "anime sex" - not all Hentai is bad!). Failure to report can result in fines of 150,000 initially, and 300,000 for each subsequent offense!
We are controlling transmission! - [Larry, also from user submitted] - Researchers (including Max Moser!) have analyzed the 27MHz transmissions of wireless keyboards and found that it was very easy to capture keystrokes, and after 20-50 keystrokes, they were recoverable in clear text. Even the encryption used by some vendors only uses 1 byte of random data - that's only 256 different key values.
VLC vulns - [Larry, user submitted] - We suggest that our listeners use VLC for the stream, and because it rocks. So, be sure to update your software. On other notes, not a bad time to audit all of your software for updates!
DBA steals 8.5 Million records - [Larry] - Gah, that pesky insider threat. I was thinking about some ways to combat it, and one of the things that I was thinking about was background checks. However most places do them before employment, and wouldn't catch anyone that hadn't committed a crime before. Code of ethics? Well, just break them. There is always a level of trust that is needed with IT (and other workers) that just can't be avoided.
7 things to get you fired - [Larry] - Here we go again. A list of 7 things to do to get around corporate policies, which in most organizations will get your butt canned. On another note, these are good things for professional security folks to be aware of - such as blocking proxy sites. I, for example, didn't know about Meebo!
Facebook tracking and Pr0n! - [Larry] - A few good plugins for Firefox to avoid sending tracking data. Sharing data can certainly reveal information that may be considered a breach...
Physical security and Social Engineering - [Larry] - A 20 yr old man drove in to the St. James Gate Brewery, and hooked up to a trailer with 180 kegs of Guinness, 180 kegs of Bud, and 90 kegs of Carlsberg. How did he get away with it (before he got caught)? He looked like he belonged, and the guards ignored him.
Second Life Users Hacked via the Apple Quicktime Vulnerability - [Paul] - Second Life, as weird and strange as it is, is being embraced by some major corporations (Nissan, Coke) and reportedly $1 million US dollars are exchanged EVERY DAY in Second Life, a world with over 11 million residents! The ability to manipulate the economy, and make people say "I got hacked", is truly powerful and something that attackers are going to target in order to profit. If people can make a living in Second Life legitimately, just as in real life, people can make a living illegitimately as well.
Disclosure is Dead - [Paul] - Ahh, the good ole' disclosure debate. Both nullbyte and JG bring up really good points that I would like to discuss:
- Responsible disclosure costs the security researcher money when trying to navigate through the mess often associated with this process, and can often have negative consequences (i.e. bad press) for not only the security researcher, but the software vendor as well.
- There is a model in which a researcher can provide the vulnerability information to a 3rd party, who will then do the responsible disclosure piece. However in this model the users of the software and software vendor are the third/fourth ones to find out.
- Researchers get bad press for selling exploits, but why should they lose money and/or damage reputation?
- Final question, what if a software vendor discovers, or is made aware of, a vulnerability in their product but only decides to tell its customers via a private mailing list? This is not the same as notifying all of its customers (like via phone, snail mail, regular email). What, as a security researcher, do you do? Is it fair to publicize your vulnerability to the world?
SPAN & RSPAN vs Physical Taps: Important note from TaoSecurity - [Paul] - Here is my quote of the week from our good friend Richard Bejtlich: "...a SPAN port is a girlfriend, but a tap is a wife." Couldn't be more true! I managed an IDS infrastructure where I had three IDS sensors getting traffic from a Cisco SPAN. On this hardware it left only one other SPAN for troubleshooting or another IDS. There were times where I'd look at my IDS, and there was no traffic. The network guys' answer: "Oh, I needed that SPAN for something else", or, "Well, our firewalls failed over and traffic went to another VLAN, oops". Unacceptable, what if the TJX-like hack occurred during that window? Explain that to your CIO, then ask him to sign off on a tap :)
Becoming An Insider - [Paul] - GNUcitizen makes a good point, if you are not an insider, then become one and social networks are a great way to do that. Think about it, as far as threats go, the insider threat problem is the worst. We talk about how to penetrate a company's security all the time, the most successful methods land us on the internal network, as an insider! What if the attack was not as noticeable as walking in behind someone, USB keys in the parking lot, or Wifi hacking, but actually taking over someone's social network identity to collect information, spy, etc...? My other quote of the week, "Hacking is more about outsmarting those that have put the restrictions on [the information in] first place." So now I guess we need an IDS for everyone's social networks...
Microsoft's Wireless Keyboards Cracked - [Paul] -
First of all, XOR is not encryption! And yes, cracking this with a small handheld computer is possible, and a deadly attack. Physical security controls are important, and wireless keyboards are stupid, don't freaking use them! Read the whitepaper with limited technical details here.
(XOR Example: 010100111001 becomes 101011000110, anyone know what decimal number this is?)
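Why a one-byte XOR key gives no real confidentiality, as an added example that is not from the show notes or the whitepaper: it walks all 256 key values over a constructed sample and keeps the most text-like result. The function names, the sample text, the key 0x5A and the use of ASCII in place of the keyboard's real key codes are all assumptions made for illustration.

```python
# Added illustration on constructed data; ASCII bytes stand in for the
# keyboard's real key codes, which the page does not specify.
import string

# Bytes we expect in ordinary typed text for this sample: a-z and space.
PLAUSIBLE = set((string.ascii_lowercase + " ").encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a one-byte XOR key; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def plausibility(candidate: bytes) -> int:
    """Number of bytes that look like typed lowercase text or spaces."""
    return sum(b in PLAUSIBLE for b in candidate)


def recover_key(ciphertext: bytes) -> int:
    """Walk the entire 256-value key space, keep the most text-like result."""
    return max(range(256),
               key=lambda k: plausibility(xor_bytes(ciphertext, k)))


def key_from_known_byte(plain: int, cipher: int) -> int:
    """XOR is its own inverse, so one known plaintext byte reveals the key."""
    return plain ^ cipher


def flip_all_bits(value: int, width: int) -> int:
    """The bit pattern from the note above: XOR with an all-ones mask."""
    return value ^ ((1 << width) - 1)


# Constructed sample: 36 "keystrokes" of lowercase text and spaces.
SAMPLE = b"the quick brown fox types a password"
SESSION_KEY = 0x5A  # constructed stand-in for the byte chosen at association

if __name__ == "__main__":
    captured = xor_bytes(SAMPLE, SESSION_KEY)
    key = recover_key(captured)
    print(f"recovered key 0x{key:02x}: {xor_bytes(captured, key).decode()}")
    print(flip_all_bits(0b010100111001, 12) == 0b101011000110)
```

The practical takeaway for a buyer or assessor is that the key length, not the presence of "encryption" on the data sheet, decides whether captured keystrokes stay private.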
Building a Botnet with RDP - [Paul] -
I never trusted Microsoft's terminal services and underlying protocol RDP (Remote Desktop Protocol). It seemed to me that it was never designed with security in mind, as proven by the fact it is vulnerable to MITM attacks because it uses the same security cert in every copy of Windows. Now it's revealed that an RDP server can write files to any client that connects. This is bad, however if I own your server, chances are I own all the juicy data anyhow. However, many organizations will set up an RDP system as a proxy of sorts, it has no information but allows people to RDP through it to other systems. Owning this server and then owning clients may be worthwhile. Also, many people use RDP to get into their desktops, so a "worm-like" malware would be neat. Defense: Don't use RDP, use Radmin or the commercial version of VNC with encryption. Hey, it's software, has vulnerabilities, but it's better than RDP. SSH is also a really good option.
Cisco 7940 DoS Exploit - [Paul] - So I saw this one while at work, and looked over and saw one of these models sitting on my desk. After a brief moment of panic, and some testing with the provided exploit, turns out we aren't running SIP. SIP is just bad, and I hope to talk more about that after next week when I attend VoIP training. This also got me to thinking, hey my phone runs an OS and can be exploited, sweet! Then I got thinking, hrm, some phones allow users to plug directly into the phone for access to the LAN, what if you could hack into a phone and sniff the data from the PC? An attack that I would like to see come to light! VoIP deployments should have a separate network for voice and data, using two separate ports, but then how does that help save money?
Download Malware, er files, to your iPhone - [Paul] - So many cool hackers are producing all sorts of fun software add-ons for the iPhone. This must really piss Apple off, but hey they missed the boat when it came to making software for mobile devices and decided to lock everyone out of it. They should have taken notes from Nokia, who has it down, see letting the world make software for your devices saves you the trouble! However, it has serious security repercussions. Now that we have all of this wonderful software, installers, and downloaders on everyone's iPhones, all it takes is some malware to infect them and it's game over (ipwn could even be the payload!).
VLC Remote Exploit - [Paul] - So, first go read the Core description, as always it's very good. Since this is an open-source application, they include extensive debugging information. Second, it works on VLC versions 0.86, 0.86a, 0.86b and 0.86c. I think it's to the point now that if you are an organization you first need to be managing your desktops, and second you need to be managing the media player software on each and every one of them. We've seen a huge number of exploits for Quicktime, VLC, and others, all exploitable via the lovely web browser. So, get patching...
Hacking an NYC Taxi - [Paul] - People just don't understand that if you put a Windows computer with no controls in front of the general public, people will hack them! You need to implement a secure kiosk, esp on machines in cabs that take CC information. I've been confronted with a few kiosks when pen testing, and at one customer site it was so locked down that I could not:
- Access an inserted USB thumb drive
- Use "File - Open" or "file:///" in the browser
- Access the hard drive
- Download or copy anything to the hard drive
- Use "File - > Run..."
It was obvious that someone spent some serious time locking these down, to the point where I gave up and moved on. Does anyone know of a good guide for creating a Windows Kiosk?
Tor Exit Nodes Doing SSL MITM Attacks - [Paul] - MITM attacks are common, and in use in the wild, and have been for quite some time (despite Bruce S. comments). So here's the thing, use Tor to provide you with anonymity, not security. You should not use Tor when, for example, doing your online banking, or logging into some other sensitive web site. Use Tor when you want to Google for how to grow illegal plants, for example.
Other Stories Of Interest
Baby Security Gadget Of The Week: Dish-Throwing Protection - [Paul] - So many parents describe feeding time as "hell" or "chaos", primarily due to the flying food and flatware. Well, this gadget can solve some of these problems by using a suction cup to attach the dish to the table. Neat, now if we could only do that with the user's mouse to prevent them from getting pwn3d....
VERY IMPORTANT POLL - [Paul] - A woman's most favorite sexual position, according to an iVillage poll, is...... Doggy Style. All I have to say to that is, "Woof!".
Listener Submitted Stories
Detecting Session Hijacking Attacks in IEEE 802.11 Networks [mmiller] - This linked computer world story is light on details.
Dr Smith's other research papers [mmiller] - This link provides a list of Dr Smith's other papers and ISBN numbers for the publications they are in.
MD5 Proven Ineffective for App Signatures [byte_bucket] - Marc Stevens (CWI), Arjen K. Lenstra (EPFL) and Benne de Weger (TU/e) present a paper and PoC illustrating how trust in MD5 as a tool for verifying software integrity, and as a hash function used in code signing, has become questionable
Questionable Data Mining Concerns IRC Community [byte_bucket] - "Two days ago an article on TechCrunch about IRSeeK revealed to the community that a service logs conversations of public IRC channels and put them into a public searchable database. What is especially shocking for the community is that the logging bots are very hard to identify. They have human-like nicks, connect via anonymous Tor nodes and authenticate as mIRC clients ... As a result, Freenode, the largest FOSS IRC network in existence, immediately banned all tor connections while the community gathered and set up a public wiki page to share knowledge and news about IRSeeK."
Websites sell secret bank data and PINs [byte_bucket] - "Security breaches that are allowing the financial details of tens of thousands of Britons to be sold on the internet are to be investigated by the country’s information watchdog."
We know what you typed last summer [byte_bucket] - "An interesting advisory comes from guys at remote-exploit and dreamlab technologies dealing with the (in)security of common non-bluetooth wireless keyboards (from Microsoft and Logitech). According to the whitepaper released on the subject only the actual key pressed is transmitted in encrypted form, all other communication such as keyboard identification, metakeys (Shift, Alt, etc.), and other data are all transmitted in clear text. Furthermore, the encryption scheme used for keystroke data consists of "a simple XOR mechanism with a single byte of random data generated during the association procedure". What this means is that not only can you quickly brute force entire key space (256 combinations), but you can actually obtain the encryption key by intercepting the initial association of keyboard and receiver (as demonstrated in this video)." ...
Build Your Own Botnet with RDP [byte_bucket] - jms' (OpenRCE) blog posting about some scary features of RDP.
Internet Explorer and FireFox Vulnerability Analysis [byte_bucket] - Jeff Jones (Microsoft) has written a controversial analysis of vulnerabilities in Internet Explorer and FireFox. Update - Here is a response from Mozilla: Critical Vulnerability in Microsoft Metrics
Security in Ten Years [byte_bucket] - Bruce Schneier (BT Counterpane) and Marcus Ranum (Tenable Security) discuss security in ten years ... "I believe it's increasingly likely that we'll suffer catastrophic failures in critical infrastructure systems by 2017" -- Marcus Ranum
PhotoRec [byte_bucket] - " is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (thus, its 'Photo Recovery' name) from digital camera memory. PhotoRec ignores the filesystem and goes after the underlying data, so it will still work even if your media's filesystem has been severely damaged or re-formatted."
Facebook admits Beacon tracks logged-off users [byte_bucket] - from the article "Facebook's controversial Beacon ad system tracks the activities of its users even if they are logged off from the social-networking site and have previously declined the option of having their activities on specific external sites broadcast to their Facebook friends, a company spokesman said via e-mail." Update: Facebook caves in to Beacon criticism
VLC Activex Bad Pointer Initialization Vulnerability [byte_bucket] - from the advisory ... "A vulnerability has been found in the ActiveX control DLL (axvlc.dll) used by VLC player. This library contains three methods whose parameters are not correctly checked, and may produce a bad initialized pointer. By providing these functions specially crafted parameters, an attacker can overwrite memory zones and execute arbitrary code." Vulnerable packages - VLC media player version 0.86, 0.86a, 0.86b and 0.86c.
SWF Intruder [byte_bucket] - "SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime. It helps to find flaws in Flash applications using the methodology originally described by Stefano Di Paola in Testing Flash Applications (May 2007) and in Finding Vulnerabilities in Flash Applications (Nov 2007)."
Microsoft reopens wpad vulnerability from 1999 [sfirefinch] - Reported last week at an "ethical hacker conference" in New Zealand by Beau Butler, the WPAD vulnerability allows you to perform a man-in-the-middle attack for hostnames that do not have a FQDN.
Two New Mac DoS Exploits [sfirefinch] - Two new Mac exploits have hit milw0rm.
Still a Quicktime 0-day out there [sfirefinch] - The Quicktime Buffer overflow is NOT the one that WabiSabiLabi has. So, there is still one out there.
Malware Targets E-Banking Security Technology [byte_bucket] - "A new class of malicious software contains a feature specifically designed to thwart online security technology implemented by Bank of America and many other financial institutions that allow their customers to monitor and make changes to their accounts via the Internet."
Hacking a NYC taxi [byte_bucket] - the link says it all ...
Expert Commentary on SPAN and RSPAN Weaknesses [byte_bucket] - Richard Bejtlich (Tao Security) blogs about taps vs. SPAN ports ... "This is the simplest way for me to compare SPAN ports to taps: a SPAN port is a girlfriend, but a tap is a wife. It takes a real level of institutional commitment to install a tap, and the rewards are long-lasting. A SPAN port is a temporary fling subject to break-up (i.e., deactivation)."
Microsoft Turns To Inkblots For Password Generation [byte_bucket] - "Microsoft thinks the fact that no two people look at an inkblot the same way can be used to help generate more secure computer passwords."
Hackers force mass website closures [byte_bucket] - "Hundreds of websites have been shut down temporarily by one of the largest web hosting companies (Fasthosts) in Britain after the personal details of customers were stolen by computer hackers."
Cisco 7940 IP Phone Remote Denial of Service Exploit [byte_bucket] - ... has been posted to milw0rm.
U.S. House of Representatives vote on illegal images sweeps in Wi-Fi, Web sites [byte_bucket] - "The U.S. House of Representatives on Wednesday overwhelmingly approved a bill saying that anyone offering an open Wi-Fi connection to the public must report illegal images including "obscene" cartoons and drawings--or face fines of up to $300,000."
Full Disclosure is dead [byte_bucket] - Jeremiah Grossman (WhiteHat Security) discusses his position on full disclosure.
Study reveals that most Americans have false sense of online security [byte_bucket] - "More than half of computer users who think they are protected against online threats like spyware, viruses and hackers actually have inadequate or no online protection, according to an independent research study conducted for Verizon."
Guarding Your Social Security Number [byte_bucket] - "Requests to provide our Social Security numbers have become so common that many people just assume they have no choice but to hand it over. That's actually not true, but having that knowledge is only half the battle. The real challenge is convincing the people who automatically request such information that you really don't have to give it to them."
Canadian Passport Website Falls For Oldest Privacy Breach On The We [byte_bucket] - "security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports."
Ranum's Wild Security Ride [byte_bucket] - "Marcus Ranum dispels firewall myths, revives Medieval horsemanship, and rants about researchers"
TJX Settles With Banks for $41 Million [byte_bucket] - "TJX Companies has reached an agreement with Visa USA by which it will establish a $40.9 million fund for banks whose credit cards were exposed in the retailer's mammoth security breach earlier this year."
All SANS events are to be proctored? [sfirefinch] - "Not only is SANS ditching @home testing, but they are also ditching open-net!"
Conferences / Presentations
Presentations from HITB 2007 [byte_bucket] - conference held December 3-6 2007 in Kuala Lumpur, Malaysia