Enabling Secure Business Operations

PDF Signature Vulnerability Found (Kind of)

According to an article published last week, it is apparently possible to construct a signed PDF that can have its underlying data changed such that the signature is still valid, but the presentation of the data is changed.  It’s a neat trick, but there are a few things that mitigate the risk inherent in the vulnerability:

  1. The signature has to be applied to a carefully crafted PDF file.  A PDF file that you create and sign yourself is unaffected by this attack; if you examine the data within the proof of concept file, the presentation data for both the “recommendation” and “order” documents is already present in the signed file.  Obviously, you will not be adding rogue data to your own PDFs before signing them.
  2. As stated in the article, it’s not really clear that the PDFs used in the proof of concept are syntactically valid PDF files.  However, Acrobat does open and display them as the attack intends, so that may be irrelevant; if the files are in fact malformed, though, an Acrobat security update could fix the issue.
  3. Looking at the proof of concept documents, the special construction of the PDF appears to require precise byte positioning of the various objects used in the attack.  The article does not address this, but it may not be possible to construct such a document with a blank signature field that can be signed in Acrobat and subsequently attacked using this method.

It will be interesting to see what, if any, response Adobe has to this publication.  I know my way around the PDF standard (as it pertains to digital signatures) fairly well, but I’m by no means an expert.  It seems to me, though, that this attack requires several things, including the execution of the initial digital signature, to be performed in a precise way, which may mitigate the risk of the attack working in a real-world scenario.

Updating your system with apt

With a new version of Backtrack around, many people may be ready to take the plunge into learning it. This is a little late for those of you who decided to try it at Blackhat/Defcon, but ShmooCon will be coming up in a few months…

Apt is the debian packaging system. It’s found in all debian based Linux distros – like K/Ubuntu and Backtrack. If you’re going to be at a hacker conference, the least you can do is update your system before you go! Packages are generally GPG signed by the maintainer, and debian keeps a list of trusted GPG keys updated on your system (debian-keyring and debian-archive-keyring are the debian specific packages). Apt checks these signatures to help ensure that you’re not downloading rogue packages.

Apt has two configuration files. For the most part, you’ll only use one: /etc/apt/sources.list. The other (/etc/apt/apt.conf) is used in specific instances – such as with a proxy server.

sources.list has a list of all of the sources (repositories) you’d like to look through for packages. The default list is generally OK for non-desktop (i.e. server) users. If you’d like to install various media players and other non-GPL licensed packages, you’ll have to add to this file. The general format is
    type baseuri distribution [component comp2 ...]
where type is *generally* deb – sometimes deb-src – indicating whether the repository contains pre-compiled binary packages (deb) or source packages (deb-src).

Make sure you know what the repositories are before you add them! If you add a rogue repository, signatures are not going to help you – they’ll all verify!

Once your sources.list is updated, you can generally leave it alone unless you want to switch to a new version of debian/ubuntu/etc.

On a regular basis, you need to run “apt-get update” with root privileges. This refreshes the local package index from the repositories so apt knows which packages have new versions. “apt-get upgrade” will just go ahead and upgrade everything for you – which is the easiest option, but sometimes not what you want. “apt-get upgrade -u -s” will tell you what’s going to be upgraded, but not actually do anything (-s simulates, -u lists the packages). If you want to upgrade some things, but not others, you’re kinda stuck using “apt-get install package-name” for each individual package. It’s not the best solution, but you can hold a package with dpkg: “echo package-name hold | dpkg --set-selections” and it will *never* be updated until you clear the hold.

In general, “apt-get update” followed by an “apt-get upgrade” will get you updated to the latest packages and, hopefully, less vulnerable to attacks and exploits.

Add Social Engineering to Your Company’s Security Awareness Training Or Get Pwned at Defcon

This past week at Defcon the social engineering capture the flag competition was hotter and more controversial than ever. Contestants were given their target company two weeks in advance for research purposes. During the actual competition contestants called employees at the target companies to gain sensitive information. The overall result: A big fat fail for the human element.

As more companies begin to take security seriously, budgeting for pen tests, equipment, etc., the human element of security often falls through the cracks. As shown at the Defcon competition, all the locks, both physical and network based, can’t stop an attacker if an employee ushers her through the door.

The Social Engineering Competition was put on by Social-Engineer.org which is an excellent place to learn more about social engineering. Don’t let a lack of employee awareness of social engineering attack vectors undermine your security program.

Read This, Not That (a busy news week)

Most of the BlackHat 2010 talks aren’t off the ground yet and already this week has been busy for news and announcements. We already noted the DMCA updates earlier this week (which have been grossly over-hyped – see why that is here). Now on to the bigger story. No, it’s not Apple’s mouse-killer, nor is it the plethora of next-gen batteries that are now available (Apple, Toshiba (for cars), etc.). Nor is it the BlackHat talk about intercepting GSM-based mobile communication, nor is it the availability of cloud-based WPA/WPA2 cracking services, nor is it the publication of a 2.8GB database of information collected from public Facebook pages (see Joey’s commentary for more).

In my mind, the biggest, most important news this week is the release of the 2010 Verizon Business Data Breach Investigations Report (DBIR), which includes data from Secret Service investigations. It’s too lengthy to provide a reasonable summary here and now, but I wanted to bring this to your attention. If you read only one data breach report this year, then it should be the Verizon DBIR 2010.

Incidentally, if you’re looking for another data breach report to read, check out the one also released recently from the Digital Forensics Association “The Leaking Vault – Five Years of Data Breaches.” It does not present any new data, but it rather provides a fresh and interesting analysis of a compilation of existing data breach repositories (primarily DatalossDB.org).

DMCA Begins to Join 21st Century

People are relieved. In what has quickly become one of the mainstream tech media’s darling stories of the day, the U.S. Library of Congress has apparently woken up to find itself a decade into the 21st century and has released an updated list of allowed circumventions that do not qualify for punishment under the Digital Millennium Copyright Act’s (DMCA) anti-circumvention clause. In a nutshell, you can rip (DeCSS) movie clips for fair use, you can jailbreak your iPhone (whether it be to install software or to hop providers), you can hack video games (for “good faith” security purposes, mind you, and consoles seem to be excluded), you can bypass hardware dongles that have become obsolete (fairly narrow ruling here), and you can enable read-aloud for ebooks, even if the publisher is still living in the Dark Ages and has flipped a bit to disable it.

In a little more detail, the 6 new rules are:

  1. You can circumvent CSS in order to digitize short clips of movies IFF you have an educational use, are making a documentary, or are making a noncommercial video. Nothing is said about archival purposes, and they explicitly cite DVD, but it’s believed that archival is already covered under DMCA, and that Blu-Ray would be covered by logical extension.
  2. You can circumvent wireless telephone access controls (“root” or “jailbreak” them) in order to install other software. This finding seems to directly target Apple (and maybe Google), who doesn’t like it when people jailbreak the phone. Mind you, there’s nothing here that would prevent them from bricking your jailbroken phone in an upgrade… they just can’t sue you about it under DMCA (makes reading contracts all that much more important).
  3. You can install an alternative image (firmware or software) on wireless telephones to enable them to connect to a provider. It’s not completely clear what this is about, but it seems that it could address a couple different scenarios. First, it may be talking about unlocking a phone to allow it to be used on an alternative carrier’s network. Or, second, it may be talking about installing an alternative OS on the device (such as replacing Windows Mobile with Android).
  4. Circumventing access controls (e.g. DRM) for security testing of locally installed video games is permitted, assuming the testing is performed in good faith. The wording would seem to exclude gaming consoles, and may also exclude network-based testing of gaming sites.
  5. Hardware dongles can be circumvented IFF the dongles are obsolete (pertains to: “Court Backs Dismissal of Digital Copyright Claim”). This would not, however, seem to allow one to bypass dongles for products like EnCase when the product still exists and can be upgraded accordingly (i.e. if you can replace the dongle, then you must do that rather than circumvent the control).
  6. Circumvention of access controls is permitted with ebooks in order to enable read-aloud functions or using screen readers to put the text into an alternative format.

How to write code that doesn’t suck

Web application hacking is big business. Even the traditionalist network penetration testers are crossing over to the new security rock and roll scene. The average individual doesn’t know what DNS does, and if I said, “I knocked over the internet by attacking BGP,” at a cocktail party, guests would probably suspect I just said something vulgar. On the other hand, “You are a hacker? Can you get credit card numbers off websites?” is a common reaction from even the computer unsavvy. My answer, “Yes, most websites suck.”

So how do you make your websites not suck? My colleague recently posted about OWASP’s ESAPI. Additionally, OWASP developed Webgoat, arguably the go-to training tool for web application hacking n00bs to cut their teeth. On top of giving hackers a chance to bring down websites in more than a dozen ways, several Webgoat lessons include a lab section. These labs include not only hacking the website, but also delving into the code to find the flaw that causes the vulnerability, fixing it, and testing the attack again. Getting down and dirty with the actual code is instructive for penetration testers and coders alike.

Webgoat labs should be mandatory for all website coders. Please start writing code that doesn’t suck so the web application hackers will stop getting so much attention and people will start paying attention to my mediocre attempts at hacking the infrastructure. Let’s call it the “Georgia for infosec prom queen” project shall we?

Researching DLP Solutions

I recently had a project to help spec out a DLP project for a customer from a high-level perspective. Having never done anything with DLP previously I embarked on a research mission. What I found was interesting. There’s not much out there on the intarwebs. As such, I thought I’d offer a few quick suggestions, just in case you want to go research solutions, too.

  1. Start with Securosis! Their reports are freely available, comprehensive, and more informative than anything else I found.
  2. Search for Gartner and Forrester reports. While these analyst firms charge for their reports, vendors will often post them for free. Specifically, try these search strings:
    • “forrester wave content security suites”
    • “gartner magic quadrant data loss prevention”
  3. Beware DLP (as in Digital Light Processing) from Texas Instruments. You might need to use advanced search functions to exclude terms, e.g. -television -TI and so on.

Happy hunting!

Hacking the TSA: No Tutorial Required

I’m fairly certain I unwittingly committed a serious crime. I went through airport security using someone else’s boarding pass, bearing a name that only resembled my own completely legitimate and self-representative government-issued ID in that our last names shared the same first letter. The TSA agent, you know the one, with the little hologram-checking flashlight, looked at my ID, my boarding pass, my ID again, me. I thought he seemed a tad skeptical, taking longer than necessary on a process he must step through about a million times a day. I will admit that passport photograph was taken when I was 16, and I can look a little like a fraud at 7 am after several nights of limited sleep. Rather than being annoyed at the slight holdup, though said lack of sleep had me about at the end of my rope with the usual ubiquitous airport annoyances, I realized this man was only doing his job to protect my safety. I can certainly hang around an extra 30 seconds so I don’t get blown to bits. Then he marked a bunch of esoteric jargon on the boarding pass I was not yet aware was not mine and sent me on through security. Who needs Bruce Schneier’s boarding pass switching trick when you can make it through security with just any old boarding pass that you find lying around the airport?

I thought there might be a snafu in the whole thing once I realized the flight I was waiting for was not my own and examined the boarding pass realizing Mr. W____/S____ was not in fact me. The problem I anticipated was the lack of said marks on my boarding pass. However, this was not the case, and I boarded my correct flight without incident.

How did I end up with someone else’s boarding pass? By what strange luck did I happen to have my own boarding pass waiting in the bottom of my backpack to save the day, no doubt saving me from a lot of awkward questions, possible detainment, and at the very least missing my flight by having to go back out through security to get the whole mess sorted out? As it happens, I took advantage of the online check-in and boarding pass printing option the evening before the flight. I decided to check my bag (mainly because I didn’t feel like lugging around my mammoth cissp book in not one but two airports). So I had to wait in line at the kiosks anyhow. I did not instruct the kiosk to print out another copy of my boarding pass; however before taking off towards security, I noticed a boarding pass in the kiosk. Not one to leave personal information lying around, I grabbed the pass, assuming the kiosk was living up to their generally unreliable reputation. Now that I had two copies of my boarding pass, why wouldn’t I opt to use the thick, newly printed one rather than the day old, wrinkly one cluttered with weather and restaurant information? I should have inspected the boarding pass for accuracy; I humbly admit this. I’m sure kiosks spit out the wrong boarding passes on occasion and even more often dazed and overwhelmed individuals leave their boarding passes behind. In my defense it was quite early, I suffer from severe flight anxiety that only massive doses of Xanax can assuage, and I did after all have another boarding pass on hand that I had carefully inspected for accuracy.

I did not attempt to board the other individual’s flight, but I did feel somewhat concerned for my safety. I won’t go into the specifics of ideas that came to mind for how black hats and terrorists might leverage this lack of constant vigilance on the part of TSA employees. I have enough trouble flying with fears of mechanical failure and turbulence. So please Washington Dulles International Airport and any other airports with this problem, step it up. Our safety is on the line.

Not to mention I had my lock picks in my bag by mistake and no one noticed.

NAC: Not Dead Yet

I’m greatly amused. In 2008, former Gartner analyst Richard Stiennon said that NAC was worthless (see “Don’t even bother investing in Network Admission Control”). In a face-to-face debate on the topic a couple months later, Joel Snyder allegedly defeated Stiennon on the topic (and quite handily, if you agree with the account by then-NAC-vendor-CTO Alan Shimel). It’s interesting, then, that 2 years later Snyder has come out and basically declared the NAC market a complete mess and not really worth the cost.

Said Stiennon in 2008:

“Put it this way: Can you secure your network without NAC? Yes. Does NAC in any way reduce your overall costs? No. Does NAC tie you down to one vendor’s eco-system? Yes, if you go down the Cisco, Juniper, or Microsoft route. Does NAC make you more secure? No.

“Then why would you invest in NAC?”

To Buy Shiny New Products Or Not To Buy

I got a chance to see the Metasploit Express beta in action last week at NoVa Hackers. I was planning on writing about my impressions, but there is plenty out there from people who have spent a good deal more time in front of the beta than I have. Instead, I’m going to delve into pertinent questions a company should ask itself to see if Metasploit Express fits into the security program.

I am a fan of Core Impact, not only because they let me into their party at Blackhat Las Vegas last year. They make a good product. However, a common scenario I have seen in my experience as a security consultant is companies just purchasing flashy products without thinking about how these products will integrate into the security program. The Core Impact sales team comes in with their vulnerable machines and does the point-and-click to root. Then, the general consensus is “We’ve got to get that. It’s shiny!” The problem is when Core Impact shows up on the corporate network it doesn’t get any shells. Why? Because the customer is using Core Impact specifically for patch management which they already have under control. If a strong patch management system is already in place on the network, the default network scan from Core Impact will yield very little.

Metasploit Express builds off a very powerful open source tool with a wide variety of capabilities. It is quite possible that the product will be able to fill a gap in your security program. However, without researching your company’s needs, risks, and what Metasploit Express can do to meet them, you won’t get the most out of Metasploit Express. Sleek interfaces and support from Rapid7 cannot make up for a lack of understanding of your particular security needs.

On the whole, I’m glad to see Metasploit potentially reach a wider corporate audience with Metasploit Express. It seems in many cases Metasploit in its current form is considered a hack tool and passed over for products such as Core Impact that have a company backing and a hefty price tag. So long as I can still use community supported Metasploit for my everyday vulnerability research, I’m happy to see Metasploit get the piece of corporate pie it has long since earned.