From Security Weekly Wiki


This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out, because these new client-side modules rock! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.

This podcast is also sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins and compliance checks. Tenable – Unified Security Monitoring!

Announcements & Shameless Plugs

Live from the G-Unit Studios Welcome to Security Weekly, Episode 105 for April 25, 2008

Episode Media


Tech Segment: Tips For Snorting Your Network

There are many tools, both open-source and commercial, available for monitoring your network for intrusions. This is an extremely important part of your defense strategy: what you can't prevent you must try to detect. I find Snort one of the most valuable tools for this purpose. When coupled with a database and a web front end, you can gain insight into your network and use the information to detect attacks and understand your network better. Even with the proliferation of web application attacks and client-side exploitation, an IDS is still a must-have to detect attackers and malware as they move through your network. We covered BASE in the Kevin Johnson interview, so I will show you a bit about Aanval, a semi-free (free for one sensor) front end for Snort and syslog. I much prefer BASE, because I am used to the interface, but Aanval has some cool features. This is not an installation guide, as it leaves out many details, but it includes some useful tips to get it all working. For this installation I used Debian and the following:

  • Snort 2.8.1
  • Aanval 3.3
  • Debian Etch (My package listing is here)

The first thing that I did was grab snort and configure it:

# wget http://www.snort.org/dl/current/snort-2.8.1.tar.gz
# tar zxvf snort-2.8.1.tar.gz 
# cd snort-2.8.1/
# ./configure --enable-pthread  --with-mysql --prefix=/opt/snort-2.8.1
# make
# make install

In the above command I am enabling pthread support, with hopes that it will perform better on my quad-core CPU, MySQL so we can write to the database, and telling it to install in /opt. One caveat: Snort 2.x still does packet acquisition and detection in a single thread, so this flag will not spread one instance across cores; the usual way to use more cores is to run one Snort instance per interface. I like to compile and install each version of snort in a separate directory, then make a soft link so I can easily switch between versions. Once installed, I have to create the rules; in this case I will use just the emerging threats rules:

# cd /opt/snort-2.8.1
# mkdir rules
# wget http://www.emergingthreats.net/rules/emerging.rules.tar.gz
# tar zxvf emerging.rules.tar.gz 

This places the latest emerging threats rules in the rules directory. Ideally we should also be installing Oinkmaster to manage our rules, but I went out to lunch for sushi and ran out of time :) Now we need to grab some files from the snort build directory (the unpacked source tree, /usr/src/snort-2.8.1 here):

# mkdir etc
# cp /usr/src/snort-2.8.1/etc/* /opt/snort-2.8.1/etc/
# cd /opt/snort-2.8.1/etc/
# rm Makefile*
# cp snort.conf snort.conf.org
# grep -v '^[[:space:]]*#' snort.conf.org | grep -v '^[[:space:]]*$'
# grep -v '^[[:space:]]*#' snort.conf.org | grep -v '^[[:space:]]*$' > snort.conf

In the above commands I strip out the comment-only and blank lines, because they make the file really large and hard to read. Anchoring the pattern at the start of the line matters: a bare grep -v "#" would also delete any directive that happens to carry a trailing comment. I start with this cleaner copy and refer back to snort.conf.org if I need information that was contained in the comments. Then I make some changes to the snort.conf:

I go into the rules/ directory and get a list of the rules that I want, formatted to be copied and pasted into the snort.conf (or appended directly with ">> ../etc/snort.conf"). The grep -v BLOCK leaves out the emerging-BLOCK address lists. Two things to check at the same time: RULE_PATH must point at /opt/snort-2.8.1/rules (the stock value is the relative ../rules), and the stock "include $RULE_PATH/..." lines for the Sourcefire rule files, which are not in this rules directory, must be removed, or Snort will refuse to start on the missing files.

# cd ../rules/
# ls *.rules | grep -v BLOCK | awk '{print "include $RULE_PATH/"$1}'
# ls *.rules | grep -v BLOCK | awk '{print "include $RULE_PATH/"$1}' >> ../etc/snort.conf

Set your HOME_NET variable to the bracketed, comma-separated list of networks this sensor protects:

var HOME_NET [,]

I disable these alerts because they are almost always false positives and generate noise:

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts

I like to log the alerts to syslog and to the database:

output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=root dbname=snort host=localhost

Yes, for this example, my MySQL root account has no password. This is bad, never do this. Give the sensor its own database user that has only the INSERT, SELECT and UPDATE privileges the output plugin needs.

Add this to the file for the emerging threats rules:

var SSH_PORTS 22
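The whole snort.conf step above, collected into one script as an added example (this is not code from the original page): it strips the template the safe way, emits the includes for the emerging threats rules, and writes the local settings. SNORT_HOME, HOME_NET_VAL with its 192.168.1.0/24 default, the dedicated "snort" database user and the DB_PASS placeholder are assumptions; override them through the environment.

```shell
#!/bin/sh
# Added example, not from the original page: generate snort.conf from the stock
# template the way the steps above do, but with the filters tightened.
# Assumptions (hypothetical defaults; override through the environment):
#   SNORT_HOME    install prefix holding etc/snort.conf.org and rules/
#   HOME_NET_VAL  bracketed list of the networks this sensor protects
#   DB_PASS       password of a dedicated 'snort' MySQL user (not root)
set -eu

SNORT_HOME=${SNORT_HOME:-/opt/snort-2.8.1}
HOME_NET_VAL=${HOME_NET_VAL:-'[192.168.1.0/24]'}
DB_PASS=${DB_PASS:-CHANGEME}

# Keep every directive, including ones with a trailing "# note", and drop only
# comment-only and blank lines (a bare grep -v '#' would throw away directives
# that carry a comment). HOME_NET, RULE_PATH and the stock $RULE_PATH includes
# are dropped too, because they are re-emitted below for the ET rule set.
strip_template() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/              { next }
        /^var HOME_NET / || /^var RULE_PATH / { next }
        /^include \$RULE_PATH\//              { next }
        { print }
    ' "$1"
}

# One include line per rule file, skipping the emerging-BLOCK address lists.
# Globbing instead of "ls -l | awk $8": the column holding the file name in
# ls -l output depends on the locale's date format.
rule_includes() {
    for f in "$1"/*.rules; do
        [ -e "$f" ] || continue
        case "$f" in *BLOCK*) continue ;; esac
        printf 'include $RULE_PATH/%s\n' "$(basename "$f")"
    done
}

# Assemble $SNORT_HOME/etc/snort.conf from snort.conf.org plus local settings.
gen_snort_conf() {
    etc_dir="$SNORT_HOME/etc"
    rules_dir="$SNORT_HOME/rules"
    {
        strip_template "$etc_dir/snort.conf.org"
        printf 'var HOME_NET %s\n' "$HOME_NET_VAL"
        # Absolute RULE_PATH: no dependence on where snort is started from.
        printf 'var RULE_PATH %s\n' "$rules_dir"
        printf 'var SSH_PORTS 22\n'          # needed by the emerging threats rules
        cat <<'EOF'
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
output alert_syslog: LOG_AUTH LOG_ALERT
EOF
        # Dedicated, least-privilege database user instead of passwordless root.
        printf 'output database: log, mysql, user=snort password=%s dbname=snort host=localhost\n' "$DB_PASS"
        rule_includes "$rules_dir"
    } > "$etc_dir/snort.conf"
}

if [ "${1:-}" = generate ]; then
    gen_snort_conf
fi
```

Run it as "sh gen-snort-conf.sh generate" after snort.conf.org has been copied into place, create the database user first (in MySQL: GRANT INSERT, SELECT, UPDATE ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'your password';), and test the result with "snort -T -c /opt/snort-2.8.1/etc/snort.conf" before running it against live traffic.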

Now cd /opt/ and type:

# ln -s snort-2.8.1 snort

Create the snort database and create the tables:

# mysql -u root
mysql> create database snort;
mysql> exit;

# mysql -u root --database=snort < /usr/src/snort-2.8.1/schemas/create_mysql 

# useradd -r -s /bin/false -d /var/log/snort snort
# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# cp -r /opt/snort/lib/* /usr/local/lib/

The snort user is a system account with no login shell, since Snort drops to it after start-up. The last cp puts the dynamic engine and preprocessor libraries where the stock snort.conf expects them (/usr/local/lib/snort_dynamicengine and /usr/local/lib/snort_dynamicpreprocessor); if you would rather keep everything under /opt, point the dynamicengine and dynamicpreprocessor directives at /opt/snort/lib instead. Now you can start snort (this runs it in the foreground):

# /opt/snort/bin/snort -u snort -g snort -l /var/log/snort -c /opt/snort/etc/snort.conf -i eth1
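The command above keeps Snort in the foreground. As an added example that is not part of the original page, here is a small SysV-style control script for the same instance: it validates the configuration with "snort -T" before (re)starting, daemonizes with -D, and tracks the pid file Snort writes. The paths, the eth1 interface, the snort user and the /var/run/snort pid directory are assumptions carried over from the commands above; override them through the environment.

```shell
#!/bin/sh
# Added example, not from the original page: control script for the Snort
# instance built above. Every path below is an assumption; override via env.
SNORT_BIN=${SNORT_BIN:-/opt/snort/bin/snort}
SNORT_CONF=${SNORT_CONF:-/opt/snort/etc/snort.conf}
SNORT_IFACE=${SNORT_IFACE:-eth1}
SNORT_LOG=${SNORT_LOG:-/var/log/snort}
SNORT_USER=${SNORT_USER:-snort}
PID_DIR=${PID_DIR:-/var/run/snort}

# Snort names its pid file after the interface when run as a daemon.
pidfile() { echo "$PID_DIR/snort_$SNORT_IFACE.pid"; }

# The daemon command line, kept in one place so start and status agree:
# drop privileges, daemonize (-D) and write the pid file under PID_DIR.
snort_cmd() {
    echo "$SNORT_BIN -D -u $SNORT_USER -g $SNORT_USER -l $SNORT_LOG" \
         "-c $SNORT_CONF -i $SNORT_IFACE --pid-path $PID_DIR"
}

# True when the pid file exists and names a live process.
running() {
    pf=$(pidfile)
    [ -r "$pf" ] && kill -0 "$(cat "$pf")" 2>/dev/null
}

# Parse configuration and rules without capturing packets (snort -T).
check() {
    "$SNORT_BIN" -T -u "$SNORT_USER" -g "$SNORT_USER" -c "$SNORT_CONF" -i "$SNORT_IFACE"
}

start() {
    if running; then
        echo "snort already running (pid $(cat "$(pidfile)"))"
        return 0
    fi
    # Refuse to start on a broken config instead of looping in the boot logs.
    check >/dev/null 2>&1 || { echo "snort -T failed; not starting" >&2; return 1; }
    mkdir -p "$PID_DIR" "$SNORT_LOG"
    chown "$SNORT_USER" "$PID_DIR" "$SNORT_LOG"
    eval "$(snort_cmd)"
}

stop() {
    if ! running; then echo "snort not running"; return 0; fi
    kill "$(cat "$(pidfile)")" && rm -f "$(pidfile)"
}

status() {
    if running; then echo "snort running, pid $(cat "$(pidfile)")"; return 0; fi
    echo "snort not running"
    return 3     # LSB status code for "program is not running"
}

restart() { stop; sleep 1; start; }

case "${1:-}" in
    start|stop|restart|status|check) "$1" ;;
    '') ;;       # no action given: only define the functions (e.g. when sourced)
    *) echo "usage: $0 {start|stop|restart|status|check}" >&2; exit 2 ;;
esac
```

Install it as /etc/init.d/snort and register it with "update-rc.d snort defaults"; "snort check" is handy after every rule update, since it catches a bad rule before the next restart takes the sensor down.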

A proper init script for Snort is still on my to-do list; I was too lazy to write one today. Aanval was pretty easy to install:

# cd /usr/src/
# wget http://www.aanval.com/downloads/aanval-latest-stable.tar.gz
# mkdir /var/www/aanval
# cd /var/www/aanval/
# tar zxvf /usr/src/aanval-latest-stable.tar.gz 
# cd /var/www/aanval/apps/
# ./idsBackground.pl -start

Now navigate to the Aanval directory on your web server (http://myserver/aanval) and follow the instructions (point and click, basically). Aanval has videos that describe how to add your Snort sensors. Once you have done that, you can start using Aanval.

Tech Segment: Listener Feedback!

Hi Paul

I wanted to write and tell you how much I appreciate your podcasts. I’m an older, self taught, IT mgr in a small company in Colorado and a total novice when it comes to real security knowledge. I recently received an iPod from my kids for my birthday and I’ve been listening to tech podcasts since. I’ve listened to lots of tech and security podcasts and I think that you and Larry are the best resources out there. I really appreciate how you steer the discussions. You’ll often say something like “can you explain more about..” or “how can someone defend against..” to your guests. Because I’m a security newbie I take notes throughout your discussions. I’m working my way back through your podcasts but am only about two thirds of the way through them and consider them a great resource. I’m currently looking at Core Security, Sourcefire, and Tenable for trying to find the right tool for checking my network and we’ll hopefully be purchasing one soon but I was wondering if you could give me some counsel about which of the apps would be most beneficial or whether I'll need more than one. We have a small network, only fifty or so machines.

I heard on your last show that someone from Colorado sent you some beer, and we do have some fine microbreweries, but how did they get it to you, UPS? Red label? If I knew how, I’d send you some of my favorite for your sampling. Anyway, thanks a lot for your outstanding efforts.


Stories For Discussion

Automatic Patch-Based Exploit Generation - [mmiller] - This paper was a really good read, I would call it out of the box thinking. [Paul] - Agreed, this is really neat. However, I don't think the exploits will be all that reliable, mostly DoS. However, it saves people some work to develop exploits faster, so "here's the DoS exploit based on the patch" can go to "here's a version of the exploit that provides remote command execution" very quickly. So, people, this is what we are up against, what are we going to do about it? Most organizations have a lackadaisical attitude towards patching: get to it when we get to it, more important not to disrupt people checking their email. This will change and I can foresee a more aggressive patch strategy come into play. Of course, so many vulns and exploits exist months, years sometimes, before there is a patch, so is this just a moot point?

Foxit Reader Vulns OR Why you can't tell people to use different software and make them feel secure - [Paul] - I've noticed this trend for quite some time now where security professionals recommend that people use different software in order to provide security. For some things this might provide better security, but it's yet a small triumph in your defense in depth strategy because ultimately all software will have vulnerabilities. I am guilty, and do recommend that people use Firefox over IE; however, I have good reason because I much prefer the Firefox patch cycle to IE's, most malware will target IE, and the browser is such a common method of entry. However, don't make users feel secure just because they are using VLC instead of WMP, or Foxit Reader instead of Adobe; they will all have vulnerabilities and be targeted. Make them feel more secure by arming them with tools to check that all client software is patched, sensitive data is encrypted, strong passwords are in use, and their systems are hardened.

There is no spoon, or perimeter for that matter - [Paul] - We have long since known that the perimeter is dead, so let's start doing something about it. This article outlines some of the ways attackers are on the "inside" of your networks, and some more practical methods of defense. Like, how about have a password policy and enforce it and harden your systems.

More Wireless Driver Exploits, Intel 2200 - [Paul] - This is a very popular chipset and I would not be surprised if we see an exploit for this one. We have malware that spreads via USB drives, why not via wifi? This would be neat, infect a system and if it has a wireless card, download some special payload. This special payload contains an exploit for wireless drivers of cards in range. Once exploited, it spreads itself like a worm. This is a nice healthy way to build your botnet. However, since most systems are Windows, it's hard to launch the exploit for a wireless driver because you need something like LORCON, which isn't supported on common chipsets.

Scammin' on Social Networks - [Paul] - Why do people want my facebook password?

Social Networking Threats OR How I got pwned on LinkedIn - [Paul] - So a company created a fake employee on LinkedIn called John Smith. They got TONS of people to add him and were able to gain information. I really like this idea, similar to the evil twin attack; it's almost like an information privilege escalation for social networking sites. The paper/presentation states many of the same things we have been saying about social networking sites. However, "don't use them" is not an option, and neither is "only add very trusted people". Defeats the purpose.

BT home hub WiFi keygen - [Larry] - More BT home hub pwnage from GNU.

Backup Tape stolen - [Larry] - Encrypt everything!

Metagoofil update - [Larry] Mmmm, now with mac addresses, but bad for OSX.

MiFare more pwned - [Larry] - No more rainbow tables! algebra to the rescue!

RFIDIOT! - [Larry] Now for windows, with even more idiot :-)

Ugly sql injection - [Larry] - In this case, I guess sex offenders are OK.

IIS pwnages solved? - [Larry] - ISC analyzing a tool with Chinese GUI...Possible new 0-day?

Penetrate and Patch or Polish a Turd - [Larry] - discuss...

Get paid for backdoor access - [Larry] - Sounds like porn, doesn't it? It may be, considering that it is for printers, routers and storage...embedded devices!

ICQ command and control - [Larry] - I thought ICQ was dead. How about gadu-gadu or skype?

Humor aka freaking Priceless

Stuff White People Like - [Paul] - Talked about on cyberspeak, this site is great. I love new balance, bottled water, sushi, and all those other things white people like, and I'm white!!!

Trust... - [Larry] - Ahhh, to be 14 again...

It's all about input validation - [mmiller] - RE: The Oracle "safe" inputs story below.

Listener Submitted

China selling counterfeit network hardware? Say it's not so. - [mmiller] - There may be some FUD in this story. The reality is espionage (state sponsored or corporate sponsored) happens all the time, even between allies and non-allies in times of peace and war. Fire sales should only be a plot line in a movie, not reality. My personal take on this is: any time you buy equipment and put it into a production environment, make sure you register it with the manufacturer and test it before putting it into production.

Usenix Paper: Designing and implementing malicious hardware - [mmiller] - I have only skimmed this paper and it looks like a good read.

Diebold now admits ATMs are more secure than voting machines - [mmiller] - This is a very controversial issue in the United States. Without adding fuel to the fire, this may have been solved with training, quality assurance testing, process and policy auditing, real independent hardware and security auditing and hardware/software education. Then again, security snake oil has been around for years.

ISPs playing with NXDOMAIN responses - [mmiller] - It's funny how the FCC will have public meetings on P2P traffic shaping, but not this?

Another Quicktime 0-day - [byte_bucket] - PDP (GNUCITIZEN) has found YAQTZD. Details of the actual vulnerability have not been disclosed but a video is available showing an exploit.

WiFi keygen tool for BT Home Hubs released - [byte_bucket] - Adrian Pastor released this tool at HITBSecConf2008 in Dubai.

Pen testers' regulatory body launched - [byte_bucket] - The Council of Registered Ethical Security Testers was formally launched Wednesday, April 23, 2008 at the Infosecurity Europe expo in London. Is this a good thing?

College cyber-security champs crowned - [byte_bucket] - A team from Baker College in Flint, Michigan took first place in the competition. The students were placed in charge of a simulated business network and subjected to a hostile attack. They were then graded on their ability to maintain and operate the network. -- Note to Paul: good place to do some recruiting :-)

New Attack Exploits "Safe" Oracle Inputs - [byte_bucket] - Security researcher David Litchfield has released technical details of a new type of attack that could give a hacker access to an Oracle database. Called a lateral SQL injection, the attack could be used to gain database administrator privileges on an Oracle server in order to change or delete data or even install software, Litchfield said in an interview on Thursday. Litchfield first disclosed this type of attack at the Black Hat Washington conference last February, but on Thursday he published a paper with technical details.

Bluetooth Surveillance Tested In the UK - [byte_bucket] - The movements of students, residents and workers of the city of Bath were anonymously tracked by listening out for their bluetooth-enabled devices as they move around the city as part of a research project at the University of Bath in the UK.