From Security Weekly Wiki
Revision as of 18:44, 21 April 2011 by Pauldotcom (talk | contribs)


PaulDotCom Security Weekly - Episode 240 for Thursday April 21st, 2011 - What we learned at Source Boston.

  • Register now for Wednesday's Late Breaking Computer Attack Vectors Webcast Sponsored by Core Security - April 27th at 2PM EDT.
  • PaulDotCom Blackhat Training Part 1 Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
  • PaulDotCom Blackhat Training Part 2 Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2
  • Larry is teaching SANS 617 SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses in the only country he is licensed to teach in - Canada! Catch him in Victoria May 9 to May 14th.
  • Register now for the 8th Annual Charlotte ISSA Security Summit featuring the 3 buffest people in InfoSec: PaulDotCom, Ed Skoudis, and Chris Hadnagy, all on May 5th.
  • DerbyCon : Louisville, Kentucky – September 30th to October 2, 2011. Catch Carlos Perez's training session - "Automating Post Exploitation with Metasploit".

Tech Segment: Trapping Attackers in Your WebLabyrinth

Tech Segment: Installing & Configuring WebLabyrinth

Step 1: Download it!

You can get Ben's awesome code from the WebLabyrinth Google Code Site. I download it like this:

wget http://weblabyrinth.googlecode.com/files/weblabyrinth-0.3.0.tar.gz

Step 2: Install it!

tar zxvf weblabyrinth-0.3.0.tar.gz

# from inside the extracted source directory:
mkdir -p /var/www/labyrinth/
cp -r * /var/www/labyrinth/

I sent Ben some corrections, here's what the commands should be:

mkdir /opt/weblabyrinth/
sqlite3 /opt/weblabyrinth/labyrinth.db < labyrinth.sql
chown -R www-data:www-data /opt/weblabyrinth

Use the sqlite3 command-line client here, not the older "sqlite" binary: on Debian/Ubuntu that package is the SQLite 2 client, and the php5-sqlite3 extension installed below only opens SQLite 3 database files, so a tracking database created with the wrong client will not be readable by WebLabyrinth. The chown is needed because the web server process (www-data) has to write to the database, not just read it.

I tend to install WebLabyrinth into its own directory, "/labyrinth", which means the .htaccess file it ships with works unmodified. However, you need to modify this line in config.inc.php so it points at the database created above:

$config['tracking_db'] = '/opt/weblabyrinth/labyrinth.db';

In order to get it to work, make sure you have the SQLite 3 client and the PHP SQLite3 extension installed (Debian/Ubuntu package names):

aptitude install sqlite3 php5-sqlite3

Step 3: Send people to it

I've got a few different ways to send people to it. The first is mod_rewrite rules in the vhost or server config (note that in a per-directory .htaccess mod_rewrite strips the leading slash from the path before matching, so there the patterns would need to be "^admin$" and "^secret/$"):

RewriteRule ^/admin$ http://pauldotcom.com/labyrinth/ [R]
RewriteRule ^/secret/$ http://pauldotcom.com/labyrinth/ [R]

The [R] flag sends an external 302 redirect, so the visitor's next request lands on /labyrinth/ itself and shows up under that path in the access log.

Then use some robots.txt action:

# cat robots.txt 
User-agent: *
Disallow: /privates
Disallow: /pdc-only
Disallow: /secret
Disallow: /admin

Every path you Disallow should also be covered by a rewrite rule. As written, the rules above only catch /admin and /secret/ (not /secret without the trailing slash), so /privates and /pdc-only would return a 404 rather than the labyrinth. A crawler that ignores robots.txt will try every entry, which is exactly the behaviour you want to catch.

Step 4: Check logs

You will now see people getting caught in the trap. This is great data to send to your SIEM. I have yet to play with the alerting, but want to mod it to write to a log, rather than email, so you can include that in your SIEM.
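Until the alerting is modified, the Apache access log already records every trap hit. The script below is an added example, not part of WebLabyrinth or the original post: it summarises which source IPs requested the trap paths configured above (/labyrinth/, /admin, /secret, /privates, /pdc-only) and emits one key=value event per IP in a form a SIEM can ingest. It assumes the Apache "combined" log format; the log lines, IPs and user agents embedded in it are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not WebLabyrinth code): summarise visitors caught by the trap
# paths from an Apache combined access log and emit one event per source IP.
# Assumed trap paths match the rewrite rules and robots.txt entries above.
TRAP_RE='^/(labyrinth/|admin$|secret/?$|privates|pdc-only)'

# Constructed sample log so the script runs offline; replace with
# /var/log/apache2/access.log in real use.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.7 - - [21/Apr/2011:18:44:01 -0400] "GET /robots.txt HTTP/1.1" 200 84 "-" "Mozilla/5.0 (compatible; crawler/1.0)"
203.0.113.7 - - [21/Apr/2011:18:44:02 -0400] "GET /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; crawler/1.0)"
203.0.113.7 - - [21/Apr/2011:18:44:03 -0400] "GET /labyrinth/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (compatible; crawler/1.0)"
203.0.113.7 - - [21/Apr/2011:18:44:04 -0400] "GET /labyrinth/a9f1/ HTTP/1.1" 200 1498 "http://pauldotcom.com/labyrinth/" "Mozilla/5.0 (compatible; crawler/1.0)"
198.51.100.2 - - [21/Apr/2011:18:45:10 -0400] "GET /index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Apr/2011:18:46:30 -0400] "GET /secret/ HTTP/1.1" 302 0 "-" "scanner/0.1"
EOF

# Print one line per trapped IP: ip hits first_seen last_seen "user-agent".
# Field 7 of a combined-format line is the request path; the user agent is
# the last double-quoted string on the line.
trap_summary() {
  awk -v re="$TRAP_RE" '
    {
      if ($7 !~ re) next
      ip = $1
      ts = substr($4, 2)              # strip the leading "["
      n[ip]++
      if (!(ip in first)) first[ip] = ts
      last[ip] = ts
      m = split($0, q, "\"")          # q[m-1] is the user agent
      ua[ip] = q[m-1]
    }
    END {
      for (ip in n)
        printf "%s %d %s %s \"%s\"\n", ip, n[ip], first[ip], last[ip], ua[ip]
    }' "$1" | sort
}

# Number of distinct source IPs that touched a trap path.
trapped_ip_count() {
  trap_summary "$1" | wc -l | tr -d ' '
}

# One key=value event per trapped IP, ready for logger(1) or a SIEM collector.
emit_events() {
  trap_summary "$1" | while read -r ip count first last ua; do
    printf 'weblabyrinth: event=trap_hit src_ip=%s hits=%s first_seen=%s last_seen=%s ua=%s\n' \
      "$ip" "$count" "$first" "$last" "$ua"
  done
}

emit_events "$LOG"
```

Run against the live log, piping `emit_events /var/log/apache2/access.log` into `logger -t weblabyrinth` puts the events in syslog, which is where most SIEM collectors already look. Note that the crawler in the sample fetched robots.txt first and then walked straight into /admin, which is the pattern the robots.txt entries above are designed to provoke.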

Stories For Discussion

Larry's Stories

  1. iPhone tracking - [Larry] - In light of all of the GPS metadata stuff that we've covered, now apparently the iPhone actually tracks where you go too, based on some cell phone tower triangulation. While the iPhone doesn't appear to share that information outside of the iPhone, it does include the information in clear text in unencrypted iPhone backups. OSX tool only at the moment, but I bet it could be ported to Windows. Might make for an interesting experiment. The tool has been artificially reduced for accuracy, but the real backend data has not been. Interestingly enough, the TOS for the iPhone, etc. has it clearly defined (http://pastebin.com/EdFJr6iU0); however I think storing that info in cleartext is probably not a good idea. There is a "workaround" (http://technicalmusings.blogspot.com/2011/04/ios-consolidateddb-workaround-for.html) but it requires a jailbroken device with SSH access. Even more info on why they collect the info here: http://www.f-secure.com/weblog/archives/00002145.html
  2. Microsoft researches 3rd party bugs - good deal on MS doing vulnerability research and publishing stuff for third party software, using responsible disclosure. However I think that it would make more sense to do the research on their own products and release notifications when their stuff spills on to other products.
  3. Honest Achmed - [Larry] - Bug report requesting the installation of another root CA for Honest Achmed's Used Cars and Certificates with the purpose of "The purpose of this certificate is to allow Honest Achmed to sell bucketloads of other certificates and make a lot of money." In response to Mozilla's CA practices? "Honest Achmed promises to abide by these practices. If he's found not to abide by them, he'll claim it was a one-off slip-up in procedures and that policies have been changed to ensure that it doesn't happen again. If it does happen again, he'll blame it on one of his uncles or maybe his cousin, who still owes him some money for getting the car fixed." Nice, now, I'm not sure why it was denied, as it seems just as legit practices as any of the other CA's, but Achmed is at least honest about it…
  4. Get attacked? Shut down your internet! - [Larry] - That's what the Oak Ridge National Lab did. Looks like they got compromised through some phishing via e-mail with a link for more info, which exploited an IE 0day, referred to as APT! As a result ONLY 1GB of data was exfiltrated. Employees won't have internet back for a period of 10 days or so. From the article, John Pescatore is quoted as saying "Advanced simply means it got past your defenses and persistent means it took you too long to detect it once it got in."

Paul's Stories

The Interns' Stories

iPhone tracks your iMovements & then syncs to your iTunes!

Carlos' Stories