PaulDotCom Security Weekly - Episode 240 for Thursday April 21st, 2011 - What we learned at Source Boston.
- Register now for Wednesday's Late Breaking Computer Attack Vectors Webcast Sponsored by Core Security - April 27th at 2PM EDT.
- The first episode of PaulDotCom Espanol is available here
- Born To Run (and Hack) - Don't forget to sign up for Hacker run! Team Pesce is training in April for Purple Stride on May 15th.
- PaulDotCom Blackhat Training Part 1 Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
- PaulDotCom Blackhat Training Part 2 Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2
- Larry is teaching SANS SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses in the only country he is licensed to teach in - Canada! Catch him in Victoria May 9 to May 14th.
- Register now for the 8th Annual Charlotte ISSA Security Summit featuring the 3 buffest people in InfoSec: PaulDotCom, Ed Skoudis, and Chris Hadnagy, all on May 5th.
- DerbyCon: Louisville, Kentucky - September 30th to October 2, 2011. Catch Carlos Perez's training session - "Automating Post Exploitation with Metasploit".
Tech Segment: Trapping Attackers in Your WebLabyrinth
Step 1: Download it!
You can get Ben's awesome code from the WebLabyrinth Google Code Site. I then download it like this:
# wget http://weblabyrinth.googlecode.com/files/weblabyrinth-0.3.0.tar.gz
Step 2: Install it!
tar zxvf weblabyrinth-0.3.0.tar.gz
cp * /var/www/labyrinth/
I sent Ben some corrections, here's what the commands should be:
mkdir /opt/weblabyrinth/
cat labyrinth.sql | sqlite /opt/weblabyrinth/labyrinth.db
chown -R www-data:www-data /opt/weblabyrinth
I tend to install WebLabyrinth into "/labyrinth", which means your .htaccess file remains unmodified. However, you need to modify this line in config.inc.php so it points at the database created above:
$config['tracking_db'] = '/opt/weblabyrinth/labyrinth.db';
In order to get it to work, make sure you have all the modules installed:
aptitude install sqlite php5-sqlite3
Step 3: Send people to it
I've got a few different ways to do this; the first is Apache rewrite rules that redirect decoy URLs into the labyrinth:
RewriteRule ^/admin$ http://pauldotcom.com/labyrinth/ [R]
RewriteRule ^/secret/$ http://pauldotcom.com/labyrinth/ [R]
Then use some robots.txt action, listing the decoy paths as disallowed so that anyone who treats robots.txt as a map of what to look at walks straight into the trap:
# cat robots.txt
User-agent: *
Disallow: /privates
Disallow: /pdc-only
Disallow: /secret
Disallow: /admin
Step 4: Check logs
You will now see people getting caught in the trap. This is great data to send to your SIEM. I have yet to play with the alerting, but I want to mod it to write to a log rather than email, so you can include that in your SIEM.
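As an added example (not part of WebLabyrinth or the show notes), here is a small Python log watcher that does the SIEM-side half of Step 4: it parses Apache combined-format access log lines, flags any client that requested one of the robots.txt decoy paths or the labyrinth itself, notes whether that client read robots.txt first, and emits one JSON line per offending client for syslog or SIEM ingestion. The log lines, IP addresses and User-Agents are constructed; the trap paths are the ones from the rewrite rules and robots.txt above.

```python
import json
import re
from collections import defaultdict

# Decoy paths from the robots.txt and RewriteRule entries above; a crawler
# that honours robots.txt never requests them, so any hit is worth logging.
TRAP_PATHS = ("/privates", "/pdc-only", "/secret", "/admin", "/labyrinth")

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2011:10:00:01 -0400] "GET /robots.txt HTTP/1.1" 200 118 "-" "Mozilla/5.0 (compatible; scanner)"',
    '203.0.113.7 - - [21/Apr/2011:10:00:02 -0400] "GET /admin HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; scanner)"',
    '203.0.113.7 - - [21/Apr/2011:10:00:03 -0400] "GET /labyrinth/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (compatible; scanner)"',
    '198.51.100.2 - - [21/Apr/2011:10:01:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def is_trap_hit(path):
    """True for a decoy path itself or anything beneath it; query strings are ignored."""
    p = path.split("?", 1)[0].rstrip("/") or "/"
    return any(p == t or p.startswith(t + "/") for t in TRAP_PATHS)

def trap_hits(lines):
    """Per client IP: number of decoy hits, the paths requested, and whether robots.txt was read."""
    per_ip = defaultdict(lambda: {"hits": 0, "paths": [], "fetched_robots": False, "ua": ""})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        entry = per_ip[rec["ip"]]
        if rec["path"].split("?", 1)[0] == "/robots.txt":
            entry["fetched_robots"] = True  # read the "map" before walking into the trap
        if is_trap_hit(rec["path"]):
            entry["hits"] += 1
            entry["paths"].append(rec["path"])
            entry["ua"] = rec["ua"]
    return {ip: e for ip, e in per_ip.items() if e["hits"]}

def siem_events(lines):
    """One JSON line per offending client, suitable for syslog or a SIEM file input."""
    return [json.dumps({"event": "weblabyrinth_trap", "src_ip": ip, **e}, sort_keys=True)
            for ip, e in sorted(trap_hits(lines).items())]
```

Point it at a real access log with `siem_events(open("/var/log/apache2/access.log"))` and ship the resulting lines to syslog; a client whose record shows `fetched_robots` true alongside decoy hits is the clearest signal that the robots.txt bait worked.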
Stories For Discussion
- iPhone tracking - [Larry] - In light of all of the GPS metadata stuff that we've covered, now apparently the iPhone actually tracks where you go too, based on some cell phone tower triangulation. While the iPhone doesn't appear to share that information outside of the iPhone, it does include the information in clear text in unencrypted iPhone backups. OSX tool only at the moment, but I bet it could be ported to Windows. Might make for an interesting experiment. The tool has been artificially reduced for accuracy, but the real backend data has not been. Interestingly enough, the TOS for the iPhone, etc. has it clearly defined (http://pastebin.com/EdFJr6iU0); however, I think storing that info in cleartext is probably not a good idea. There is a "workaround" (http://technicalmusings.blogspot.com/2011/04/ios-consolidateddb-workaround-for.html) but it requires a jailbroken device with SSH access. Even more info on why they collect the info here: http://www.f-secure.com/weblog/archives/00002145.html
- Microsoft researches 3rd party bugs - Good deal on MS doing vulnerability research and publishing stuff for third-party software, using responsible disclosure. However, I think that it would make more sense to do the research on their own products and release notifications when their stuff spills onto other products.
- Honest Achmed - [Larry] - Bug report requesting the installation of another root CA for Honest Achmed's Used Cars and Certificates, with the purpose of "The purpose of this certificate is to allow Honest Achmed to sell bucketloads of other certificates and make a lot of money." In response to Mozilla's CA practices? "Honest Achmed promises to abide by these practices. If he's found not to abide by them, he'll claim it was a one-off slip-up in procedures and that policies have been changed to ensure that it doesn't happen again. If it does happen again, he'll blame it on one of his uncles or maybe his cousin, who still owes him some money for getting the car fixed." Nice. Now, I'm not sure why it was denied, as it seems just as legit a set of practices as any of the other CAs, but Achmed is at least honest about it...
- Get attacked? Shut down your Internet! - [Larry] - That's what the Oak Ridge National Lab did. Looks like they got compromised through some phishing via e-mail with a link for more info which exploited an IE 0day, referred to as APT! As a result ONLY 1GB of data was exfiltrated. Employees won't have Internet back for a period of 10 days or so. From the article, John Pescatore is quoted as saying "Advanced simply means it got past your defenses and persistent means it took you too long to detect it once it got in."
- Kaspersky's Son Kidnapped - It's scary when the online criminals creep into the real world. I think we are going to see a shift from "cybercriminals" to just criminals. With so much at stake online, "cybercrime" will be just "crime". We've seen evidence of this already, and this is a bad/good example of just how important the crime is to the criminals. Crime is big business; I heard a great story from the CSO of GE. He reported that investigators found criminals using business techniques, like ROI and such, growth charts, to plot their criminal activity. While garbage collection and cigarettes may have kept people in business in the past, the new wave of crime is identity theft and credit cards.
- Facebook is more secure! NOT! - Don't get me wrong, two-factor authentication is great to help prevent password abuses like weak passwords and brute-forcing. But that's where it ends. Also, SSL does help improve the privacy of your data IN TRANSIT, but that's it and where that ends. The dangers of Facebook are in the app itself. People click on shit, get socially engineered, and leak their own damn information. That is the real problem with Facebook with respect to privacy and security. How we solve this problem is the real challenge. Funny, it's the same for your web applications and your organizations. You can lock one thing down, but it doesn't solve the real problem, which is the cultural perception of security. People who use and develop the applications don't have any skin in the game of security. So what, I get a virus, I clean it up, and move on with life.
- DDoS is the Elephant in the Room - For sure, downtime sucks. We put a lot of effort into keeping our networks running. So much so that change management prevents us from doing things like upgrading our firewalls and applying patches. Yet, we're hanging out on the Internet where a group of people can eat up our bandwidth and cost us money.
- APT is exaggerated - "Oh, we got hit by an APT" so therefore, it's okay, there was nothing we could do. Whaat? If you get some malware, it's not APT. In fact, we've lost sight of what APT even really means, if the term ever meant anything at all. Here's the thing, it's about integrity. If you've lost the integrity of your network and/or systems, you've lost. You can't strive to defend against malware, APT, or viruses; you have to defend your network and your data. Focus internally, grasshopper: figure out what is important to your business, keep it running, and enforce integrity.