Enabling Secure Business Operations

Obscurity Still Isn’t Security

Today Slashdot carried a story about an Australian transportation plan that a newspaper broke early. The transport minister said that accessing the information was akin to the newspaper trying to “pick the lock off a secure office and take highly confidential documents”.  What was the brilliant security plan that was supposed to protect this information?  It was all stored at an unpublished URL, with no access control or authentication in place.

We in the security industry call this “security by obscurity”.  And it is not security at all. A URL is not a secret: it ends up in browser histories, proxy logs, referrer headers and search engine indexes, and anyone who learns it gets the data. (more…)

ShmooCon 2010 – Day 1

The first night of ShmooCon is a wrap, at least for the presentations. First off, my shout-outs to all those that actually made it this year. The DC weather hasn’t been too kind to any of us, especially those traveling in specifically for this Con. But to those who made it, I salute you (even more so to those who had to walk a couple miles to get to their hotel because they didn’t make or take reservations at the Marriott).

(more…)

JMU Cyber Defense Competition 2009

On Saturday, October 10, 2009, James Madison University hosted their second annual Cyber Defense Competition. This year, there were three teams made up of JMU students, and two teams made up of high school students with JMU student advisors. The attackers were played by employees of Gemini Security Solutions, Computer Sciences Corporation, some JMU alumni, and other friends.

The competition is based loosely on the setup of National Collegiate Cyber Defense Competition events. Each team is scored on its ability to correct problems on its network of machines, perform IT-related business tasks, keep critical systems operating, and defend its network from the attackers. In the JMU competition, the defenders are allowed to work on securing their systems for one hour before the attackers are permitted to attack. This is the opposite of what typically occurs in the national competitions, where the attackers get to probe and attack the systems before the defenders are called in.

Last year we chronicled how the event transpired. This year, there were some differences in what worked, and what didn’t.

  • Default Passwords: This was a far less successful attack than the year prior. Almost every team had changed every externally-accessible password from its default. What was a cakewalk last year was quickly frustrating (for the attackers) this year.
  • Running Older (vulnerable) Software/Processes: This was also less common. The only time these attacks succeeded was after a system had been damaged beyond the team’s ability to repair it and had to be rebuilt, and the team forgot to re-patch the rebuilt server.
  • Installing Unknown Software: The teams were once again given a business task to install software on a server, but the digital signature on the email requesting it was invalid. Only two teams installed the software, and both quickly noticed it was not what they expected and removed or patched it.
  • Physical Access: A physical attack we performed – erasing the drives on all firewall machines by booting a DBAN disc – turned out to be the difference in the competition. One team thwarted it by disabling the keyboard on their firewall: we had only 5 minutes of uninterrupted access to the machines, and on that team’s system we failed to get the drive erased. Being the only team still standing while the others had to rebuild their firewalls from scratch let them score enough points to win the competition.
  • Web Application Security: The e-commerce site/engine installed by default on the team servers was not well understood by the defenders. The attackers used their knowledge of the application and its back-end firewall to install back doors and disable the site. Most teams either never got the web application running, or had it disabled for the entire competition.
  • Not finding the real problem: This was less of a problem this time. The teams were effective at rooting out the causes of attacks and defending against them.

The teams were all very effective at configuring their firewalls to block attacks, and to limit what an attacker could do even when an attack succeeded. For example, we had compromised one of the web servers and could run system-level commands on it. But their firewall’s outbound filtering would not let us use any mechanism to pull additional attack tools onto the system (we tried ftp, telnet, ssh and tftp, among others). As a result, while we could take down the website (which was already at our mercy), we couldn’t use the foothold to attack other systems. Egress filtering on a server that has no business initiating connections to the outside is cheap, and, as this showed, it blunts a compromise considerably.

All in all, I believe everyone had an enjoyable and educational time. We look forward to the next competition!

Is your Windows machine Stoned?

If you followed or attended the recent Black Hat conference you may have heard Peter Kleissner’s talk on his recent work, the “Stoned Bootkit.” A bootkit is boot-sector malware: it runs from the master boot record before the operating system does, hooks the boot process and patches Windows as it loads, and so ends up inside the Windows kernel with unrestricted access to the entire computer. It is even able to bypass full-volume encryption, because the master boot record (where Stoned is stored) is not encrypted: the MBR has to hold the pre-boot code that asks for a password and decrypts the rest of the drive, so it must itself be plaintext. That unencrypted master boot record is the weak point used to own the whole system.

Peter even demonstrates getting past TrueCrypt’s full disk encryption, whose bootloader sits in that unencrypted boot area with nothing to verify it before it runs. Disk encryption alone cannot protect code that executes before the passphrase prompt; only something that measures the boot code before handing control to it (a TPM-based measured boot, as BitLocker uses with a TPM) can tell that it has been changed.

[Video: Stoned-Vienna Bootkit Introduction from PaulDotCom on Vimeo]

For more info: http://www.stoned-vienna.com/
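The practical check this post implies is to baseline the boot code of your own MBR and look for changes. Below is an added example (not Stoned Bootkit code, nor anything from its author) that parses a 512-byte MBR and compares its 446-byte boot-code region against a known-good SHA-256. The MBR bytes, the partition entry and the “infected” patch are all constructed for the demo; on a real machine you would read the first 512 bytes of the disk as root/Administrator (for example /dev/sda on Linux or \\.\PhysicalDrive0 on Windows, an assumption about your layout) and keep the baseline hash somewhere the machine cannot alter.

```python
"""Detect a changed MBR boot region, which is where a bootkit like Stoned lives.

Added example for this post, not code from Stoned Bootkit or its author. The
sample sector is constructed; read your own disk's first 512 bytes for real use.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: executable boot code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the code
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR with one bootable NTFS-type partition (demo data only)."""
    assert len(boot_code) <= BOOT_CODE_LEN
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(PART_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into boot code, non-empty partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            PART_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype != 0:  # type 0 is an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline (possible bootkit)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for real boot code (cli; xor ax,ax; mov ss,ax; mov sp,0x7c00).
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
    baseline = boot_code_hash(clean)  # record this when the machine is known-good
    # Simulate a bootkit overwriting the first instruction with a jump into its own code.
    infected = bytearray(clean)
    infected[0:3] = b"\xe9\x00\x02"  # constructed JMP, not real Stoned bytes
    print("clean:   ", check_mbr(clean, baseline))
    print("infected:", check_mbr(bytes(infected), baseline))
```

The hash deliberately excludes the partition table, because repartitioning changes it legitimately, while the boot code should never change outside a deliberate bootloader update. A bootkit that also hooks disk reads can lie to a check run from the infected OS, so for a trustworthy answer read the sector from a clean boot medium.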

AVC Advantage Attack

Questions about the trustworthiness of electronic voting machines have been in the news a lot over the last few years. Plenty of people acknowledge the potential for abuse of these machines, and discussions of how they could be used to swing elections are pretty common. What these discussions share is that they are hypothetical: scenarios in which an attacker would need some kind of esoteric or insider knowledge of the hardware and/or software running the machine to mount an effective attack.

However, I recently came across a video detailing a real attack against a real voting machine, carried out by real engineers, using real tools and data, and showing very real results.

The Sequoia AVC Advantage, a pretty old piece of electronic voting equipment, was broken pretty badly by hardware reverse engineering and return-oriented programming (the machine executes code only from ROM, so an attacker cannot simply load new code and must instead chain together pieces of the code already present). The following video shows how it was done by a team of computer scientists and engineers from the University of California, San Diego, the University of Michigan, and Princeton University:

More about the attack details here.

What’s really interesting is the ease in which they were able to get a voting machine to play with in the first place. They didn’t steal one or bribe a government worker. Instead, they bought 5 of them… online… from a government surplus auction for less than $20 a pop. Craziness… especially considering some states still use these same machine models. A few months later and these guys have a well-structured attack that can swing the vote any way they want.

This just goes to show how thin the line is between hypothetical voting machine attacks carried out by insiders with special knowledge and real voting machine attacks carried out by smart people with a couple of dollars and some spare time on their hands.

DVWA – Damn Vulnerable Web App

Damn Vulnerable Web App (DVWA) has released an updated version (v1.04) of its PHP/MySQL web application that is intended to be attacked. It is meant to be run on a local (closed) network as a learning tool for exploits and vulnerabilities, never on anything reachable from the Internet. As it stands now, it covers most of the basics – brute force, command execution, file inclusion, SQL injection, and XSS.

(more…)
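To show what one of those exercises teaches without standing up DVWA, here is an added example (not DVWA code; DVWA is PHP/MySQL) of the SQL injection bug in its login exercise, reproduced in Python against an in-memory SQLite table. The users table and its single row are constructed for the demo; `login_vulnerable()` splices input into the SQL text the way the exercise does, and `login_safe()` is the fix.

```python
"""The SQL injection DVWA's login exercise teaches, side by side with the fix.

Added example for this post, not DVWA's own code. SQLite stands in for MySQL
and a constructed one-row users table stands in for the application's data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table; the password is stored plain only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately broken: user input becomes part of the SQL statement itself."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed: placeholders send the values separately from the statement, so they
    are compared as data and can never be parsed as SQL."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # closes the quoted literal, appends an always-true clause
    comment = "admin'--"        # closes the literal and comments out the password check
    print("vulnerable, wrong password:", login_vulnerable(db, "admin", "wrong"))
    print("vulnerable, tautology     :", login_vulnerable(db, "admin", tautology))
    print("vulnerable, comment       :", login_vulnerable(db, comment, "anything"))
    print("safe, tautology           :", login_safe(db, "admin", tautology))
    print("safe, comment             :", login_safe(db, comment, "anything"))
```

The two payloads are the first things DVWA’s SQL injection page will have you try; the point of the parameterised version is not that it filters them, but that the database never sees them as SQL at all.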

Changing Your Windows OS Fingerprint

With Windows holding 89.6% of the global market share, it is a very large target, which is one of the reasons it is attacked so much. So what if you could make your Windows machine or server appear to be something else, even to the best-known fingerprinting tools (Nmap, p0f, Ettercap, etc.)? Well, you can.

(more…)

Sniffing Networks Part 4: Dsniff and Cain & Abel

This is the final part of our Sniffing Networks series, following parts 1, 2 and 3. This part is a little less technical, but I still recommend that you be familiar with the first three parts.

In part 3 of our series, I showed you how to use Wireshark to sniff traffic and hopefully gather some passwords. It’s a lot of digging through a haystack to find a needle. It works, and if you know some of the protocols, you can search for keywords to help you. But if you’re just lazy, there are two excellent tools for just passwords: dsniff on Unix, and Cain & Abel on Windows.

Both tools do a bit more than sniffing and support things like ARP spoofing and man-in-the-middle attacks. dsniff is old and not updated much any more, but it still picks up cleartext passwords quite well. Cain & Abel is kept fairly up to date. However, both only decode the logins of protocols they know (FTP, POP3, IMAP, telnet and the like), so you’re not going to sniff the password of an arbitrary web login form through them. You’ll still have to dig those out of the packet payloads manually, as in part 3.

Cain & Abel is a whole lot more than just a sniffer; I suggest you play with it. However, what we’re concerned about is the sniffing capabilities. If you select the sniffer tab at the top, and the passwords tab at the bottom, then click on the “Start Sniffer” button near the top, you will see any protocol passwords it can see. In the screenshot, I had to force a cleartext password to go across the wire, as almost everything on our network is encrypted. I logged into an FTP server anonymously. Cain & Abel picked that up.

[Screenshot: Cain & Abel, sniffer tab with the passwords view showing the captured anonymous FTP login]

As you can see down the left side, there are a few types of passwords that can be picked up.

Dsniff is all command line, and doesn’t pick up as many protocols, but it works for most of them. In the screenshot, I used the -d option, but it’s not necessary.

[Screenshot: dsniff output on the command line]

You can see that it can be pretty easy to sniff cleartext passwords, so don’t use them!
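To make concrete what dsniff and Cain & Abel are doing for you, here is an added example (not code from either tool) that runs a few protocol decoders over reassembled client-to-server payloads and reports any cleartext logins: FTP and POP3 `USER`/`PASS`, and HTTP Basic authentication, which is only base64 and therefore cleartext with extra steps. The flows are constructed for the demo (they include the anonymous FTP login from the screenshot); with a real capture you would feed it per-connection payloads from a pcap parser such as scapy or dpkt, which is assumed and not shown here.

```python
"""Pull cleartext logins out of captured TCP payloads, dsniff-style.

Added example for this post, not dsniff or Cain & Abel code. Input is a list
of constructed (client, server, server_port, payload) tuples standing in for
reassembled client->server streams; a real capture would supply these.
"""
import base64
import re
from typing import List, Optional, Tuple

# FTP and POP3 both send "USER x" then "PASS y" in the clear.
_USER_PASS = re.compile(rb"USER\s+(\S+)\r?\n.*?PASS\s+(\S*)\r?\n", re.S | re.I)
# HTTP Basic: Authorization: Basic base64(user:password)
_HTTP_BASIC = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)


def decode_user_pass(payload: bytes) -> Optional[Tuple[str, str]]:
    """Decoder for FTP (21) and POP3 (110) logins."""
    m = _USER_PASS.search(payload)
    if not m:
        return None
    return m.group(1).decode(errors="replace"), m.group(2).decode(errors="replace")


def decode_http_basic(payload: bytes) -> Optional[Tuple[str, str]]:
    """Decoder for HTTP Basic auth; returns None on a malformed header."""
    m = _HTTP_BASIC.search(payload)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    user, _, password = raw.decode(errors="replace").partition(":")
    return user, password


# Decoders keyed by server port, like the protocol list down the side of Cain & Abel.
DECODERS = {
    21: ("ftp", decode_user_pass),
    110: ("pop3", decode_user_pass),
    80: ("http", decode_http_basic),
}


def extract_credentials(flows: List[Tuple[str, str, int, bytes]]) -> List[dict]:
    """Run the matching decoder over each client->server stream and collect hits."""
    found = []
    for client, server, port, payload in flows:
        if port not in DECODERS:
            continue  # e.g. 443: the payload is TLS and there is nothing to read
        proto, decoder = DECODERS[port]
        creds = decoder(payload)
        if creds:
            found.append({"proto": proto, "client": client, "server": server,
                          "user": creds[0], "password": creds[1]})
    return found


# Constructed sample streams (not a real capture): the anonymous FTP login from the
# post, a POP3 login, an HTTP Basic request, and an opaque TLS ClientHello on 443.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 21, b"USER anonymous\r\nPASS guest@example.com\r\n"),
    ("10.0.0.5", "10.0.0.21", 110, b"USER alice\r\nPASS hunter2\r\nSTAT\r\n"),
    ("10.0.0.5", "10.0.0.22", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic Ym9iOnMzY3IzdA==\r\n\r\n"),
    ("10.0.0.5", "10.0.0.23", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for c in extract_credentials(SAMPLE_FLOWS):
        print(f"{c['proto']:5} {c['client']} -> {c['server']}: {c['user']} / {c['password']}")
```

The 443 flow is the whole point of the post’s closing advice: the same login over TLS is just bytes to the sniffer, while the three cleartext protocols hand over the credentials to anyone on the path.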

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

285 Million Compromised Records

Verizon Business has released their 2009 Data Breach Investigations Report [pdf] and an accompanying blog post.

2008 was a crazy year in the world of data breaches… The percentage of breaches in our caseload involving financial service organizations, targeted attacks, and customized malware all doubled in 2008. It’s sure to win me the “Captain Obvious Award” from the Securitymetrics list, but organized crime activity increased and was responsible for over 90% of the 285 million records compromised.

The report is sure to be a good read. We linked last year’s report, and this year’s has some improvements: it is based on more data, collected more often, and goes into a lot more detail than the previous report. 285 million is a lot of compromised records. Wonder if mine was one of them.

Test Web Applications With Grendel Scan

Grendel Scan is a powerful web application scanner that can help you identify potential security gaps across your websites. There are a number of web application scanners freely available (Tim reviewed w3af last week), but Grendel Scan has a number of features that make it a useful tool for administrators, in particular those who may not have much (or any) penetration testing experience but are looking to close potential vulnerabilities across their web applications.

  • Unlike w3af, Grendel Scan’s GUI is fully functional. You only need to identify a place to store the scan files and a starting URL to get going.
  • Grendel Scan works mostly in the background and doesn’t require much attention once the scan gets going.
  • The final report is generated as HTML, so you can view it in a very readable format in any web browser. The specific vulnerabilities found, their risk ratings and the recommended fixes are clearly organized in the report. You can also pause the scan and generate the report on the fly.
  • Works on Windows for administrators who are scared of Linux or Macs (you’d be surprised).

Although the final output from Grendel Scan is well organized, you’ll need some programming and security knowledge to decipher it. That’s when it’s time to call in the security guru to take a look for guidance. Grendel Scan is free for download and a useful tool for a wide range of experience levels.
