Tuesday, December 20, 2005

 

Guidance Hacked. Sounds like a good defense to me

submitted by:
higB

Henry Lee! Do you remember Henry Lee? I sure do.



I remember watching Henry Lee get raked over the coals by the “dream team” for his handling of forensic evidence during the OJ Simpson trial. I took advanced placement biology in high school. One of our labs was a DNA lab. We got cells from the cheek of our mouths, used enzymes to cut open the cells and release genetic material, spun it up in a centrifuge, created gel molds, used the dye, took a picture and guess what? Even with my fingers covered in orange Cheeto dust and being totally distracted by the school hottie, I still aced that lab. OJ Simpson is guilty guilty guilty. This just goes to show you that with the right combination of legal slime you can get a jury to think that an expert like Dr. Henry Lee is less competent than a dirty oily high school biology student.

If you haven’t seen it yet, check out the Washington Post’s article about Guidance Software: Hackers Break Into Computer-Security Firm’s Customer Database

Guidance Software makes EnCase, which is the most widely used tool for imaging and analysis of computer hard drives. If there is a case that involves computer evidence, 99.9% of the time EnCase was the tool used to acquire the evidence. So why did Guidance go public and notify their customers of the breach? Is it because they are trying to do the right thing? Maybe. You can bet being a California company had something to do with it. So far the only thing we know about the breach is that hackers got to personal customer information including credit card numbers (with CVV, bad m’kay) …

What else could they have gotten to? I’m not saying that it is likely or probable that hackers also tampered with encase code. What I am saying is it probably wouldn’t be too hard to convince a jury of my mom and dad that it IS possible and COULD have happened.


Hacker defense attorneys, please send secureme blog 1 **billion** dollars for our legal consultation fee. Payment can be sent to securem@paypal.com.



-higB


Friday, November 25, 2005

 

Data Handling - Now more than ever

Submitted by:

Trevor

Ok tell me this isn't scary:
A first: The Loudoun County Sheriff's Office will be the first law enforcement agency in the state able to use Blackberry cellular phones to access drivers license information, vehicle information and wanted status by either name or Vehicle Identification Number (VIN).

According to Sheriff’s spokesman Kraig Troxell, this technology allows access to Computer Aided Dispatching (CAD), the Virginia Crime Information Network (VCIN) and the National Crime Information Center (NCIC). Deputies who are often away from patrol vehicles, like Community Policing, Criminal Investigations and Traffic Safety, will be the first to have access on the phones so they can receive queries through VCIN and NCIC.
I always read about Blackberry devices that are lost or stolen... Or even sold on eBay with all of the data still in them. Cops are people too and lose things all the time. Only most people don't carry around Blackberrys with access to the NCIC. Even more worrisome is that the officer can carry his Blackberry to the supermarket, the movies, the bar, etc. That thing would make for some awesome drinking games. But I'm sure he/she will NEVER abuse the device and run someone's name for the hell of it. Blackberry's latest server software allows a remote administrator to send a message to the device that will wipe it and render it useless if it is lost. However if you find a lost device around 4pm on a Friday, you'll have until around 10:30am Monday before the administrator rolls into the office to get your stalk on.

Friday, November 04, 2005

 

George Orwell was 25 years early...

submitted by:
n8

It seems that nothing can stop the google juggernaut from observing, tracking and serving up custom ads to every facet of our lives. After indexing the web to provide search, we got a preview of what they were up to... zeitgeist is a voyeuristic look into what the planet wants to know about, and a little tease of the data mining capabilities to come. Unsatisfied with that, google found ways to index other things, usenet, news, shopping, email, Blogs, RSS, your desktop, IM, the entire world, where will it end? (Yes, I have heard about their bid to kill craigslist, and all the other things that are in the news, so please don't say "did you hear about fill_in_the_blank_with_the_next_idea_for_world_domination_from_google").

The other day I read this article over at /. and it seems that google may be entertaining a foray into television. It sounds plausible, as "convergence" happens, I think the lines will begin to blur between phone, Internet, cable, radio and media in general. I think convergence is a good thing, why should I pay $75 a month for cell service, $50 for a landline, $50 for cable modem, another $75 for TV, $13 for satellite radio etc. etc. If I could pay one carrier for all of those services and get a nice discount, that would be cool right? What if that carrier was google? They are buying up lots of dark fiber to build a network, they have plenty of cash (currently trading in the $380s per share), and they are looking into new media to sell their advertising (print ads anyone?). Why not TV, why not VOIP? Would you be willing to sell your soul, 'er I mean receive a discount on VOIP service if you had to endure a 15 second ad before you got dial tone? How about watching a 5 minute infomercial on how to get 'rock-hard-abs' that you couldn't 30 second skip through every time you turned on your TV?

I for one dislike advertising. I feel bombarded by it every day. I walked through Times Square in NYC last week. No, I didn't like it. I bet most of you reading this feel the same way. It seems to be a necessary evil that we are all forced to endure unless we want to pay premium prices. Think HBO vs. NBC. We pay a premium price for ad-free media. Google makes all of their money from ads. The (perceived) problem is that they don't own ALL media (yet). Yes, they own search. Yes they own free mail. They own a satellite. They are making a play to own RSS. Why is that? So they can sell more ads. How long will it be before they own a TV station?

When is the last time you looked at their privacy policy? You have never read it you lazy sod. Most people wouldn't bother. Ever been curious enough to look at the "non-personal" information that google desktop collects when you enable "Advanced Features" and sends back to the Ministry of Love I mean.. the corporate offices?
They even try to warn you in those big bold red funny words (is that a Seinfeld reference?)


Here is what it's actually sending:

How that is an advanced feature I'll never know. Advanced surveillance maybe. Feature? No.


Ever wonder what kind of information they are collecting with all those cookies on *.google.com? Yeah, yeah, ph33ring cookies is so 1999. I'm just trying to make the point that the Big Brother that George Orwell predicted was in fact the government. Not a corporation. The all seeing, all knowing, omnipresent entity is turning out to be google. They can index and correlate an amazing amount of information about a specific person. It remains to be seen whether Google can live up to its motto of "Do no evil".

"On the whole human beings want to be good, but not too good and not quite all the time"
--George Orwell

Friday, October 21, 2005

 

OWASP Top Ten is really the OWASP Top 6.5

submitted by:
higB


CIO/CSO: "I just went to a very important luncheon meeting. First, they bought me steak, then they showed me powerpoint about this new security list, then we got to watch STAR WARS! I want our websites to be OWASP Top Ten certified by the end of the week!"

Consultant: "Hello, I just completed CISSP boot camp. I am here to run OWASP Top Ten security scanning software and install a web application firewall! Cookies? Sorry, I'm diabetic."


Web Security Vendor: "Hah, suckers. ahem.. Did I say that out loud? Of course our software finds ALL vulnerabilities!!@#"



Dilbert: "Maybe we should first start with password protecting the website? Or fixing our expired SSL certificate?"


Consultant: "I'm sorry, that is not on the list! Hmm, what to do? I will use the consultant's Top Ten Scary Word List! Sarbanes-Oxley, HIPAA, PCI..."



People (management) love top security lists. Just ask anyone in the government. They get all goo-goo over the SANS/FBI Top 20. Application security didn't want to be left out, and that's why we have the OWASP Top Ten. When OWASP put together this list I don't think they were trying to build this "Check list" or set an accreditation standard. I think they just wanted to raise application security awareness and creating a list was probably the best way to bring web application flaws to light.


Let's take a look at the list:

OWASP Top Ten Most Critical Web Application Security Vulnerabilities


1.) Unvalidated Input
Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.

higB> Sure. Unvalidated Input (also known as Input Validation) is a big problem with web application security. Modern languages/frameworks like ASP.NET make it easier, but it still is a problem.

2.) Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.

higB> Yup. I see this all the time.

3.) Broken Authentication and Session Management
Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.

higB> I see less and less of this. Most applications I test these days use the session cookies provided by the technology. aspsessionid, jsessionid, etc...

4.) Cross Site Scripting (XSS) Flaws
The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.

higB> Umm no. The root cause of Cross site scripting is lack of input validation. Now we are down to the OWASP Top 9.

5.) Buffer Overflows
Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.

higB> If I lost both of my arms in a tragic car accident I could still count on my fingers the number of times I have found "buffer overflow" problems in web applications. I'm not going to get into it here but this is complete BS. Also, lack of input validation would be the root cause. OWASP Top 8.

6.) Injection Flaws

Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.

higB> INPUT VALIDATION again. OWASP Top 7.

7.) Improper Error Handling
Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.

higB> Attackers usually "cause errors to occur" with unexpected input. I suppose there are other ways to do it so,... OWASP Top 6.5


8.) Insecure Storage
Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.

higB> Sure.

9.) Denial of Service

Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

higB> Ok. I have run into many instances where you can enumerate usernames based on error messages then lock out all those accounts.

10.) Insecure Configuration Management
Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.

higB> Yes. People are still screwing this up.


The problem with these lists is when security vendors twist and mold them into their products. Then all the other vendors have to follow suit because their customers use stupid things like this when building their competitive matrices. The icing on the cake is when an organization such as Visa/Mastercard/Amex cements it by putting stuff like this into their PCI compliance check list. Stop the madness!


-higB

***
Securme and Dilbert© have NO affiliations. All Dilbert© images are the property of Dilbert.com and Scott Adams. These images will be promptly removed if requested.


 

AJAX Security?

submitted by:
n8

With all the hype surrounding AJAX lately, I have been snooping around to try to read up on this fun, exciting, revolutionary, web 2.0, rich web application, blah, blah, bleh, buzzword, buzzword-enabled, turnkey, technology.

Seriously, there is a lot of hype surrounding AJAX recently, and there isn't much talk about the security implications of it. I recently had the opportunity to test an AJAX-ish web mail application. I was impressed with the features that could be achieved in a web application. Drag and drop, right click, not having to refresh the entire page every time you clicked on everything, etc.

Under the covers, it looked awfully familiar, with one obvious difference. Lots and lots of POSTs. The POST requests had nothing particularly noteworthy in them, the same things you would find in any other application: session management stuff, unique identifiers, messageIDs, actions, etc. Normal POST parameter stuff.

Aside from the extensive use of XML and Javascript, this application felt like most others, so it must be vulnerable to the same stuff as every other web app right? Yup.

In this case, the developers did a pretty good job of validating user input, so if you stuffed in an odd character here, an apostrophe there, and a script tag for good measure, you got some generic XML parse error. Being "asynchronous" meant the end user never had to suffer through all the error messages, but they were there. Once I figured out that I needed to be more selective in fuzzing parameters, I began to see some more interesting errors.

The moral of the story is that there isn't anything terribly exciting or noteworthy specific to AJAX apps from a security perspective. Rather the same old rules still apply. Good user input validation, strong session management, authorization checks etc. still need to be done. Go read the OWASP top 10 if you don't know what I'm talking about.

I have no doubt that some of these new AJAX apps will fail spectacularly. It won't be any new or revolutionary exploit method, but the same thing that web developers continue to get wrong time after time. It might be creative use of Javascript to achieve hero status, or failure to properly validate the XML schema allowing some new and interesting functionality in the application... stay tuned, it should be fun. Testing web apps for a living has taught me one thing.

Give a man enough rope, and they will end up 6 inches short. 'er hang themselves or something.

Friday, October 07, 2005

 

Cain and Abel: Wireless Zero Configuration Information Disclosure

submitted by:
higB

I was cruising FrSIRT yesterday when I read this title “Microsoft Windows Wireless Zero Configuration Information Disclosure”

I got pretty excited thinking there was a remote way to pull WEP keys off of people’s systems. That feeling soon passed when I realized it was only useful for local abuse. Still, being able to pull WEP keys and SSIDs in plain text for every wireless interface wasn’t something that I was able to do before reading this “Advisory.”


My Cliff Notes from the following advisory: http://www.soonerorlater.hu/index.khtml?article_id=62

There is a poorly documented DLL (Wzcsapi.dll) that lets you make a call via RPC (WZQueryInterface) to get the SSID and WEP keys in clear text. WPA pre-shared keys are not disclosed.

So I grabbed the code from here: http://www.frsirt.com/exploits/20051006.wzcsapiuse.cpp.php

Here is the output of the tool:

D:\downloads\Hack_Tools>WZCExploit.exe
{58CDAE3D-E5A7-4A46-BEA2-16872CA33E23}
funkDAfied:JK\]^:;<=>*+,
Varig Lounge:
neptune:
VAAJFK LNG AP:
catholicnet:
concourse:
ATL-WIFI:
uhlux:
Seaport:
tmobile:
flymanchester:
STSN:
linksys:
ColorBroadband_South:
wireless_network:@ABCDenot!@#$
Biznatch_Wireless:câ♂ºh
afribone:

Regarding WEP,.. when you are setting up a network profile using the Wireless Zero Configuration service you can use either 40- or 104-bit WEP keys. This is accomplished by entering a 5 or 13 character ASCII string. Alternatively you can enter 10 or 26 hexadecimal characters. The problem with the “exploit” in the advisory is it assumes all of your WEP keys will be printable ASCII, and in the case of Biznatch_Wireless, it is not.

My buddy Eric Heitzman (check out his blog here) and Neelay Shah worked in a %0x into the print statement so you get the ascii and the hex:

D:\downloads\Hack_Tools>wzc.exe -h
Wireless Zero Configurtion WEP Key Local Information Disclosure

Usage: wzc

- make sure the Wireless interface is turned on
- this feature is also in Cain 2.7.7+

Output is in the format: SSID
WEPinASCIIWEPinHEX


D:\downloads\Hack_Tools>wzc.exe
{58CDAE3D-E5A7-4A46-BEA2-16872CA33E23}
funkDAfied JK\]^:;<=>*+, 4a4b5c5d5e3a3b3c3d3e2a2b2c
Varig Lounge
neptune
VAAJFK LNG AP
catholicnet
concourse
ATL-WIFI
uhlux
Seaport
tmobile
flymanchester
STSN
linksys
ColorBroadband_South
default
wireless_network @ABCDenot!@#$ 4041424344656e6f7421402324
Biznatch_Wireless câ♂ºh 6383ba768
Afribone


The “exploit” was GPL’d, so download the modified version of wzc.cpp here, which also includes a nice .exe for all you slackers who don't want to install Visual Studio.

I emailed mao at oxid.it this morning about putting this into Cain and Abel. It seems like a tool like this would be right at home with the box reveal, lsadumper, etc… Three hours later Cain and Abel 2.7.7 was released with the new “Wireless Password Dumper” feature. Now that is service!

Here is the magic button:


Results:


This looks promising but it looks like there is a bug in the way Cain implemented this. It appears to be truncating everything to 5-character ASCII (look at the wireless_network output compared to above), which means this tool won't work with 13 character WEP keys. I submitted the bug to oxid.it. I’m sure he will fix it.
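The three formatting problems this post runs into (the advisory's tool assuming printable ASCII, the patched tool's hex column, and Cain cutting keys at 5 characters) all come down to how a 5- or 13-byte key is rendered. The following is an added example, not code from the original post, from wzc.cpp or from Cain, and it does not call Wzcsapi.dll at all: the key bytes are constructed inline, and the function names are my own. It validates the two key lengths WZC accepts (5 or 13 bytes, i.e. 10 or 26 hex digits), walks the full declared length instead of stopping at a NUL the way `%s` does, and prints hex with `%02x`. That last point matters: the Biznatch_Wireless line in the second listing above shows 9 hex digits for a 5-byte key, which is what a bare `%x` produces when one byte has a zero high nibble, and a 9-digit string can no longer be typed back into the WZC dialog.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical helper names); not from the post, wzc.cpp or Cain.
 * Nothing here touches Wzcsapi.dll; sample keys are constructed in main(). */

/* Key size in bits for a raw key of len bytes, or 0 if WZC would not accept it. */
int wep_key_bits(size_t len) {
    if (len == 5) return 40;
    if (len == 13) return 104;
    return 0;
}

/* Hex-encode the raw key, exactly two digits per byte, over the full declared
 * length (a NUL byte does not stop it). Returns hex chars written, or -1. */
int wep_key_to_hex(const unsigned char *key, size_t len, char *out, size_t outsz) {
    if (wep_key_bits(len) == 0 || outsz < 2 * len + 1) return -1;
    for (size_t i = 0; i < len; i++)
        snprintf(out + 2 * i, outsz - 2 * i, "%02x", key[i]);
    return (int)(2 * len);
}

/* Render the key for a terminal: printable ASCII as-is, anything else as '.',
 * so the column is always len characters wide. Returns len, or -1. */
int wep_key_to_printable(const unsigned char *key, size_t len, char *out, size_t outsz) {
    if (wep_key_bits(len) == 0 || outsz < len + 1) return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = isprint(key[i]) ? (char)key[i] : '.';
    out[len] = '\0';
    return (int)len;
}

/* Parse a hex key string back to bytes, accepting only the 10 or 26 digits the
 * WZC dialog accepts. A 9-digit string, as in the post's Biznatch_Wireless
 * output, is rejected: that is where a dropped leading zero shows up. */
int wep_hex_to_key(const char *hex, unsigned char *key, size_t keysz) {
    size_t n = strlen(hex);
    if ((n != 10 && n != 26) || keysz < n / 2) return -1;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)hex[i])) return -1;
    for (size_t i = 0; i < n / 2; i++) {
        unsigned int b = 0;
        sscanf(hex + 2 * i, "%2x", &b);
        key[i] = (unsigned char)b;
    }
    return (int)(n / 2);
}

int main(void) {
    /* Constructed samples: the 13-byte funkDAfied key from the second listing
     * above, and a 5-byte key containing a 0xe2, a NUL and a 0x08 byte. */
    const unsigned char *k13 = (const unsigned char *)"JK\\]^:;<=>*+,";
    const unsigned char k5[5] = { 'c', 0xe2, 0x00, 0x08, 'h' };
    char hex[27], txt[14];

    wep_key_to_hex(k13, 13, hex, sizeof hex);
    wep_key_to_printable(k13, 13, txt, sizeof txt);
    printf("%3d-bit  %-13s  %s\n", wep_key_bits(13), txt, hex);

    wep_key_to_hex(k5, 5, hex, sizeof hex);
    wep_key_to_printable(k5, 5, txt, sizeof txt);
    printf("%3d-bit  %-13s  %s\n", wep_key_bits(5), txt, hex);
    /* printf("%s", k5) would stop at the NUL after two bytes; a bare %x would
     * emit "63e20868" (8 digits) instead of "63e2000868". */
    return 0;
}
```

The first line of output reproduces the post's own hex for funkDAfied (4a4b5c5d5e3a3b3c3d3e2a2b2c); the second shows why a key with embedded control or NUL bytes needs both a fixed-width printable column and a zero-padded hex column before anyone can check it against what was typed into the WZC dialog.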




-higB





Thursday, September 15, 2005

 

NOVA ISSA Meeting

Submitted by:

Trevor

So n8 and I went to the NOVA ISSA meeting tonight. ISSA is the Information Systems Security Association. Tonight's speaker was Joe Jarzombek from DHS. His talk is titled: "Software Assurance: A Strategic initiative of the US Department of Homeland Security to promote Integrity, Security, and Reliability in Software - Considerations for Advancing a National Strategy to Secure Cyberspace." The NoVA ISSA chapter is VERY gov/gov-contractor heavy. Big surprise.


I will spare you all of the acronyms and regulations that they are working on. Bottom line is that they are sorta re-doing the Rainbow Books. Which worked so well the last time. But this time they are trying to "work with private industry" to understand what's going on.

It's like your step dad trying to talk all cool to you. It's all awkward and you sit there staring at your bedroom door wishing he'd leave so you can go back to playing Rescue Raiders on your Apple //e. Finally you yell out "YOU'RE NOT MY DAD TODD!!!"

Well, here are the feds again trying to get private industry to give them products that are secure and don't come with a backdoor that lets Beijing take a peek.

See, this is all part of DHS trying to wrap its arms around the US's "Critical Infrastructure". Power plants, FDIC facilities, chemical plants, transportation, telecommunications, etc. That's the quick list. NIPC under the FBI tried to do this once. Click on that link. Kinda funny. Maybe DHS is different. They use different letters.

Didn't work. As it turns out, it's hard as hell for the feds to get the private sector to do things. Unless you slap a little SOX or other standards action on them, they won't budge. The private sector is too busy making money to care.

So that's my first issue with the initiative to secure cyberspace. Didn't work before, won't work again. Government will probably follow the standards with tunnel vision while the rest of the private sector (which comprises a great deal of critical infrastructure) will ignore them and continue to be exposed to risk.

My second issue with DHS's plan is that even if you had secure code and strong standards, the feds will just screw up the implementation. No offense to any readers but the federal government has a very hard time attracting, using, and retaining quality security people. People either get fed up with all the BS or they can get paid somewhere else. So what if you write code that can't be overflowed. Big deal, just find an admin that works 10-4 and abuse a mis-configuration of the "trusted" software. Those of you who perform security assessments know what I am talking about. Sure you use buffer overflows when pen-testing. But a lot of your findings are mis-configurations.

Government contractors aren't much better. I have a lot of friends who do .gov contract work and they have horror stories about co-workers who deal with security at government agencies. It's scary.

Software is getting more complex. Writing better software that can't be directly abused (buffer overflows) is a great start. Might knock down some worms or something. But even a well-engineered aircraft that is very safe can crash if the pilot forgets to operate it properly.

Some of the questions from the crowd weren't so hot either. A few people who were feds were asking about application security scanners like they had never heard of them until 60 Minutes did a piece on it. Holy hell people. Government people need to get out of their echo chamber and look around. Banks figured this out years ago and now test their web applications. If only there was a web of interconnected computer systems that allowed for the open exchange of information. And if only there was a free, easy to use tool that could search this information and return highly accurate results.

Highlights of the meeting include talking to our good friend Richard Bejtlich from Tao Security. Richard is such a nice down to earth guy who totally gets what we're talking about. Nate and I felt like he was the only one in the room that got it.

So the ISSA meeting tonight was good just so I can be reminded that this industry isn't going anywhere. They also had some awesome cookies and punch.


Tuesday, August 16, 2005

 

Holy over-reaction

Submitted by:

Trevor

Ok I know that the media sensationalizes things. They have to sex up boring stories so people will watch. They have to dumb-down complicated things so even the slowest person can grasp the concept. They have done this sort of thing before.

But CNN is blowing the new Zotob worm issue so far out of proportion. I am watching Wolf Blitzer on the new CNN show "Situation Room" flipping out over this thing. And it is making me sick. CNN.com is now running a red banner for "BREAKING NEWS". However CNN International reported on the worm YESTERDAY. So how in the hell is this breaking news?!?! CNN is single-handedly causing millions of moms to call their computer-literate sons to ask if they are going to get the worm.

CNN has no facts or numbers whatsoever. They are admitting that computers at CNN, ABC News, and Caterpillar, Inc. are shutting down. Microsoft is calling this "low impact". TrendMicro is saying that they aren't seeing it. The Internet Storm Center is "GREEN". This is such crap. They have Ali Velshi on a live video feed sputtering insane reasons as to why this worm is loose.

Yeah I know worms can be damaging and a pain in the ass. You got to keep your staff late and patch a bunch of systems. But honestly, most people who I talk to are so used to dealing with a MS worm that they almost yawn when a new one comes out.

Quick media poll on who has the word "worm" or "virus" on the top part of their home page:

CNN: Yes
FoxNews.com: No
MSNBC: Yes
ABCNews: No
Reuters: No
News.com: No
Slashdot: No (earlier but not now)

So my message to CNN: Report on something useful and stop humping this story. You guys look like jackasses. And this is coming from someone that uses a terrible avatar on his blog.

