Enabling Secure Business Operations

The Other Mobile Hacking

The buzz around smartphone and tablet app hacking has only grown since the beginning of the year. Also making waves in recent weeks, though, is the application of existing wireless technology to let vehicles talk to each other. Automobile companies have been in the news lately concerning Vehicle-To-Vehicle (V2V) communication. The idea is that cars broadcast signals to one another over a dedicated short-range wireless channel (the implementation of which is actually being funded), so that each vehicle knows where the vehicles around it are and what they are doing.

Among my concerns was the idea that such an infrastructure might attract the curious-minded. Certainly there would be concerns over privacy (tracking?), spoofed signals, hijacked systems, and other shenanigans. If manufacturers embrace this on a wide scale (perhaps if it becomes a safety requirement), and if it is implemented with security as a priority from the start, the result could be a welcome addition to the safety capabilities of modern vehicles. On the other hand, if security is not properly taken into account, the result is yet another target for attack and exploitation. Either way, for now, we can only speculate on what future automobile hacking may look like. After all, it’s impossible to know how secure it is until the technology is ready, in the field, and smart people start poking at it.


Retrieving Certificate Info from Encrypted E-mails

Sometimes you receive an encrypted e-mail that you can’t open. I don’t know about other clients, but Outlook doesn’t let you do much with an e-mail that wasn’t encrypted to a certificate you hold, and if you’re like me, you want more information: you want to know exactly what went wrong. So, here is a quick way of retrieving the information you need from an Outlook e-mail in order to find out which certificates were used to encrypt it. (Note: this method may not always work, but I have found it useful many times in the past.)
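As an added example (not the Outlook-specific method from the original post), here is a way to pull the same information from the raw message. The CMS EnvelopedData structure that S/MIME uses names every recipient certificate, by issuer and serial number or by subject key identifier, in its RecipientInfos, and that part is readable without any private key. The DER walker below handles the KeyTransRecipientInfo form (the common RSA key-transport case) and reports other RecipientInfo types as unsupported. The message, the issuer name “CN=Test CA”, the serial number and the key bytes are all constructed for the example; the tiny DER encoder at the bottom exists only to build that sample.

```python
import base64
import email
from email import policy

OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"
OID_DATA = "1.2.840.113549.1.7.1"
OID_RSA = "1.2.840.113549.1.1.1"
OID_AES256_CBC = "2.16.840.1.101.3.4.1.42"
ATTR = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}

def _tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, end); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """(tag, value) for each element inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(value):
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def _name(value):
    """X.501 Name (SEQUENCE OF SET OF {type, value}) -> 'CN=...,O=...'."""
    atvs = []
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, oid), (_, v) = _children(atv)
            atvs.append(f"{ATTR.get(_oid(oid), _oid(oid))}={v.decode()}")
    return ",".join(atvs)

def recipients(der):
    """Identify every recipient of a CMS enveloped-data object without decrypting it."""
    _, content_info, _ = _tlv(der)
    (_, ctype), (_, wrapped) = _children(content_info)
    if _oid(ctype) != OID_ENVELOPED_DATA:
        raise ValueError("not CMS enveloped-data")
    _, enveloped, _ = _tlv(wrapped)                                  # [0] EXPLICIT -> EnvelopedData
    rinfos = next(v for t, v in _children(enveloped) if t == 0x31)  # SET OF RecipientInfo
    out = []
    for tag, ri in _children(rinfos):
        if tag != 0x30:                               # [1]..[4] are kari/kekri/pwri/ori
            out.append(("unsupported", hex(tag)))
            continue
        rid_tag, rid = _children(ri)[1]               # version, rid, keyEncAlg, encryptedKey
        if rid_tag == 0x30:                           # IssuerAndSerialNumber
            (_, issuer), (_, serial) = _children(rid)
            out.append((_name(issuer), int.from_bytes(serial, "big", signed=True)))
        else:                                         # [0] IMPLICIT subjectKeyIdentifier
            out.append(("skid", rid.hex()))
    return out

def recipients_from_eml(raw):
    """Locate the application/pkcs7-mime part of a message and list its recipients."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "application/pkcs7-mime":
            return recipients(part.get_payload(decode=True))
    raise ValueError("no S/MIME part in message")

# --- constructed sample: a minimal DER encoder builds a fake EnvelopedData ---
def _enc(tag, val):
    if len(val) < 0x80:
        return bytes([tag, len(val)]) + val
    lb = len(val).to_bytes((len(val).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + val

def _enc_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    body = bytearray([40 * p[0] + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(reversed(chunk))
    return _enc(0x06, bytes(body))

def sample_eml():
    """Constructed message encrypted to 'CN=Test CA' serial 0x1234 and to a SKID recipient."""
    issuer = _enc(0x30, _enc(0x31, _enc(0x30, _enc_oid("2.5.4.3") + _enc(0x13, b"Test CA"))))
    rsa = _enc(0x30, _enc_oid(OID_RSA) + b"\x05\x00")
    ri1 = _enc(0x30, b"\x02\x01\x00" + _enc(0x30, issuer + b"\x02\x02\x12\x34") + rsa + _enc(0x04, b"\xde\xad\xbe\xef"))
    ri2 = _enc(0x30, b"\x02\x01\x02" + _enc(0x80, bytes(range(8))) + rsa + _enc(0x04, b"\x00" * 4))
    eci = _enc(0x30, _enc_oid(OID_DATA) + _enc(0x30, _enc_oid(OID_AES256_CBC) + _enc(0x04, b"\x00" * 16)) + _enc(0x80, b"\x11" * 8))
    der = _enc(0x30, _enc_oid(OID_ENVELOPED_DATA) + _enc(0xA0, _enc(0x30, b"\x02\x01\x00" + _enc(0x31, ri1 + ri2) + eci)))
    return ("From: alice@example.test\r\nTo: bob@example.test\r\n"
            'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\r\n'
            "Content-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(der).decode() + "\r\n")

if __name__ == "__main__":
    for who in recipients_from_eml(sample_eml()):
        print(who)
```

If your own certificate’s issuer and serial number are not in the list, the message was simply never encrypted to you; if they are, the problem is on your side (wrong or missing private key). Outlook’s own .msg files need to be saved as .eml first for the MIME parsing above to apply.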



Didn’t get that email? Did someone else?

I just got a rather interesting email in my inbox. It’s from a travel document service. The email was about an order I had just made regarding a lost passport. Which is a bit of a trick, seeing as I’ve never done business with this company, I know exactly where my passport is, and I am not traveling internationally in the immediate future. So, at first I thought it was spam; I get emails like that all the time for services I didn’t request. Usually the spam filter catches them, but one or two do get through.

But, you know, I’d never seen this one before. I had to read it to see what the scam was. And that made it far more interesting. There’s no scam. The company is perfectly legitimate, and they’re not trying to sell me anything. It’s a real order confirmation for a real order. Benjamin Hartley really did make this request.

Just, you know, not me. My name isn’t common, but there’s at least one other person with that name. And he’s not at all careful about email addresses. I’ve had email from him in the past – or, rather, from organizations to whom he’s given my email address. I feel as if I know him. I know where he went to school; I know who he works for. I know who he donates money to. I think I even saw his birthday in one of the emails. And now I know he lost his passport. I know when he’s leaving the country. Oh, and I have all the confirmation information to get his replacement passport sent wherever I please, so if I really wanted I could have, well, quite a bit more.

I’m not going to do this of course. But I obviously could. This is potentially very damaging information. And it was just emailed to me. Not even signed or encrypted – just emailed. I’ve not been stalking this guy; I’d be happier to not be receiving this information, but it keeps coming. And, ironically, the one piece of personal information I don’t have about him is his contact information. Actually, that’s not true. I called the company, and – even though I was entirely clear to them that I was not the person who made the order – they still gave me his phone number, which is a whole different security failure.

This is really rather disturbing for two reasons. First off, my nominative doppelganger needs to be far more careful with his information. I don’t know why he doesn’t worry that he never receives the emails he’s expecting; maybe he forgets about them, or checks his email so infrequently that it doesn’t matter. But he’s not getting information which he clearly should be receiving, including some potentially compromising information. Second, the travel document service needs to be far, far more careful. They should have asked me to confirm my identity before discussing the order – at minimum a birthday, but a passport number or social security number would have been better. Of course, given that I told them beforehand that I was not the person who made the order, confirmation is the least of the problems there.

In technology, we’re generally good about confirming the destination for data. Our medium may not be secure, but the technology usually knows if it has connected to the right destination. But that’s because computers do it for us. Out here in meatspace, we’re not so careful. Like this other Benjamin, we generally just assume that our data will go to the right place – or if we don’t get it, then it’s not a problem, it just got lost. And like the travel document service, we simply assume that anyone asking about specifics must be allowed to know about them, and we don’t confirm. And that’s really all that needs to be done here – get a little confirmation that data is going to the right source before sending sensitive information. If that had been the case here, I wouldn’t have been handed this man’s personal information this way. As it is, though, it makes you wonder what other information might have gone astray. The other Benjamin is lucky; his personal information went to someone without ill intent. Others may not be so fortunate.


Hacker Spaces: Hacking Your Social Life

Back in 2007 a group of American hackers went to Germany and toured this esoteric place known as a hacker space. They liked what they saw and quickly founded the first hacker spaces in the United States. The goal was to set up collective spaces where curious types could come in and work on personal and group projects, often involving equipment that isn’t feasible to have in your living room. Cut to the end of 2010 and hacker spaces are established all over the globe, with the United States completely obscured by red balloons on the hacker spaces map.

Since the beginning, hacker spaces have grown into a phenomenon in their own right. There are panels on hacker spaces at many of the major information security conferences, such as HOPE and DEF CON. Hackerspaces.org hosts inter-hacker-space events such as a synchronous hackathon and call-ins to find out what’s going on with hacker spaces around the globe.

In addition to being a facility to work hard on a big project, hacker spaces are also an excellent venue for some downtime. Come in and relax, meet new people, kick back, and talk about what you’ve been working on or even just a great book you read the other day. Being part of a hacker space can be a career boost from the social side as well. Getting to know other people in the field can only help on the quest for the holy grail of information security careers. There’s no better way to get where you are going than to get to know and learn from the people who are already there. Additionally, if you are a bit shy about approaching that famous person in the corner, consider volunteering for hacker space leadership. Next time you see someone you idolize in the space you’ll be able to walk right up and say, “Hi, I work for . Thanks for coming to our event.”

Hacker spaces aren’t all about tinkering with cool toys either. For instance, many hacker spaces have a strong artistic community as well. Open mic nights, reading groups, photography workshops, etc. are featured at many hacker spaces. Gumbo Labs, a hacker space I recently visited in New Orleans, Louisiana, is a space for hackers and artists alike. They even share the building with groups that build floats and decorations for one of New Orleans’s annual Mardi Gras krewes.

If you are a local reader, check out Reverse Space, a new hacker space that just opened its doors in Herndon, Virginia. Still in its early stages of development, members of this startup space will directly influence the direction the space takes. Currently in the works is a cyber warfare center for malware analysis, proof-of-concept development, and practicing penetration testing techniques. Additionally, Reverse Space has facilities for hardware hacking and rapid prototyping, such as two Z Corp 3D printers. Bring your passion for learning and your ideas for projects and events you would like to participate in, and join us at Reverse Space.

Hackerspaces.org has a list of all hacker spaces currently active as well as those in the planning stages; use it to find one in your area. If there is not an active hacker space in your community, the site also provides resources on starting up your own. All you need is a few people with a shared passion for learning and a little bit of motivation, and you are on your way.


Cyber Defense Competitions: Still Good After Graduation

Recently I found myself playing red cell at Computer Sciences Corporation’s Cyber Defense Competition. By the time I heard about it, the competition was well underway, students were crying and vomiting all over the competition room (I exaggerate), and there were Meterpreter shells on every student network. I quickly ran into Tim Rosenberg from White Wolf Security and found some space at the red cell table for me and my BackTrack netbook. I spent the rest of the day harassing my former team from James Madison University, as well as three other school teams from the Virginia/D.C./Maryland area.

Rarely as a pentester will you find a gig whose scope includes defacing websites with lolcats, chatting with employees through Nuclear RAT, and just plain bringing the network down. At a cyber defense competition anything goes, from social engineering to DDoS within the last hour of competition. As a junior penetration tester, cyber defense competitions are a good place to practice your craft, experimenting with new techniques outside of your home lab environment. It’s also a good time to watch the more experienced red team members at work, picking up tips to improve both at play and back at work.

White Wolf Security has added an additional element to the game since I last played in one of their competitions in 2009. In addition to wreaking as much havoc as possible and inducing vomiting among the student teams, this time the red cell had specific tasks to complete like competitors in a capture the flag event. Individual red team members scored points for completing tasks as well as being the first person to “phone home” from a penetrated student machine.

There was a mixed bag of machines in the student networks. In a one-day competition, you won’t see as much patching and other vulnerability remediation cropping up as at longer competitions. Having spent two years on the student side, I know it is hard enough to keep the networks up and keep abreast of business injects. The boxes ranged from ones vulnerable to ms08_067_netapi or running a default XAMPP install, to boxes with no outward-facing vulnerabilities. On the whole the flags were challenging for a one-day competition, residing on boxes with no vulnerabilities that have publicly available exploits. I look forward to another try at it at the Collegiate Cyber Defense Competition Mid-Atlantic Regionals this spring.

My only criticism of the new setup is that I would hate to lose the camaraderie of the red team by turning it into an individual competition. The most fun I had all afternoon at the competition was teaching a couple of CSC employees who had joined in the fun how to use Metasploit. Working together and sharing techniques is the best part of playing red team. Perhaps in the future the red cell should break into small teams like the student teams. Then we can move forward with the challenges for red cell without losing the mentoring and teamwork among red cell members.

Thanks to Computer Sciences Corporation, White Wolf Security, all the sponsors, and student teams, for another great competition. If it wasn’t for you guys I wouldn’t be lucky enough to be in this industry.


Is It Time for Mac AV?

The din has increased of late over the “need” for AV on all Macs. Historically, there haven’t been a lot of overt malware threats to the platform, and thus it has persisted as a special case, for better or for worse. Commercial solutions have existed for years, and yet in the past few weeks some of those packages have been released for free (presumably because they’re not making much money anyway).

Some cite “Boonana” as the latest “big” threat since Koobface…

Of course, then the threat is downplayed…

Nonetheless, it seems that there *is* Mac malware…

Note that most of the stats in that report, however, seem to apply to either harmless files or cross-platform (Java) attacks.

Nonetheless, there are several free AV and security tools out there that you might consider.

Notable on the list are the free Sophos Mac AV, ProtectMac AV, and ClamXav for Mac. You might also be interested in MacScan, which supplements AV by looking for other forms of cruftiness, and Little Snitch, an outbound-connection monitor that shows you which processes are talking to which hosts and lets you allow or block each connection.

Bottom line: Don’t panic, but start considering adding some security tools to your Macs. If you’re using Macs in the enterprise, then it’s probably a good time to start thinking about how to manage and scale security solutions (which you should be doing already, assuming you’ve not already gone down this path).


Security strength: Is two better than one?

In talking to Peter last week, I asked him a question which we realized was pretty much impossible to answer:

How do you measure security strength?

That is, we know that an 8-character password with upper-case letters, lower-case letters, numbers, and special characters is definitely stronger than a 6-character password with only letters and numbers. But how much stronger is it?

Unfortunately, that’s incredibly hard to answer.

Of course, we know that there is no such thing as bulletproof security; if an attacker has sufficient time and resources, any security measure can be surmounted. Passwords can be broken, encryption can be cracked, etc. Given that the goal of security is to keep an attacker out, perhaps the most direct way to measure the effectiveness of security is, “How much effort will it take for the attacker to defeat it?”

This can be expressed in a fashion rather similar to programming complexity, using “Big O” or “asymptotic” notation. Which is useful because it communicates a key concept: multiple layers of poor security are not equal to one layer of good security. One might be inclined to think that, for example, requiring three weak password authentications is better than just one weak password authentication. But, while the difficulty of breaking one password is O(n), the difficulty of breaking three passwords in turn is just O(3n), which is, asymptotically, the same thing! That holds whenever each layer accepts or rejects on its own, so the attacker learns which one failed and attacks them one at a time; only if all three had to be supplied together, with a single accept or reject for the whole set, would the search space become n^3, and that is not how a sequence of login prompts behaves.

For real security improvements, the cost of defeating the security must be a higher order of complexity: O(n log n), O(n^2), or the like. That’s a real improvement over O(n). In the real world, this means adding length and character variety to a password (each extra character multiplies the keyspace rather than adding to it), requiring a hardware token, or adding in biometric identifiers.
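An added example (not from the original post) that puts numbers on both points above: the keyspace and entropy of the two password policies in the question, and a small brute-force simulation of three weak secrets verified one prompt at a time versus verified only as a whole. The alphabet, lengths and the three PINs are constructed to keep the search small enough to run.

```python
import itertools
import math

def keyspace(alphabet_size, length):
    """Number of candidate passwords for one fixed length."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    """log2 of the keyspace: each extra bit doubles the attacker's work."""
    return length * math.log2(alphabet_size)

def policy_comparison():
    """8 chars from 95 printable ASCII vs 6 chars from 62 alphanumerics:
    returns (how many times larger the keyspace is, extra bits of entropy)."""
    strong, weak = keyspace(95, 8), keyspace(62, 6)
    return strong // weak, entropy_bits(95, 8) - entropy_bits(62, 6)

def brute_force_layered(secrets, alphabet, length):
    """Three prompts that each answer pass/fail on their own: costs add, bound 3n."""
    attempts = 0
    for secret in secrets:
        for guess in itertools.product(alphabet, repeat=length):
            attempts += 1
            if "".join(guess) == secret:
                break
    return attempts

def brute_force_combined(secrets, alphabet, length):
    """One prompt that only accepts the whole triple: costs multiply, bound n^3."""
    attempts = 0
    candidates = ["".join(g) for g in itertools.product(alphabet, repeat=length)]
    for triple in itertools.product(candidates, repeat=len(secrets)):
        attempts += 1
        if list(triple) == list(secrets):
            break
    return attempts

SECRETS = ("37", "81", "05")   # constructed: three two-digit PINs
DIGITS = "0123456789"

if __name__ == "__main__":
    ratio, bits = policy_comparison()
    print(f"8 of 95 vs 6 of 62: {ratio:,}x larger keyspace, {bits:.1f} more bits")
    n = keyspace(10, 2)
    print("layered :", brute_force_layered(SECRETS, DIGITS, 2), "attempts, bound 3n =", 3 * n)
    print("combined:", brute_force_combined(SECRETS, DIGITS, 2), "attempts, bound n^3 =", n ** 3)
```

Two bits of arithmetic fall out: the 8-character policy is roughly 2^17 times (about 117,000 times) stronger than the 6-character one, not “a bit” stronger; and three separately checked PINs cost the attacker at most 300 guesses, while the same three PINs checked as one unit cost up to a million.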

But even expressing security in terms of complexity won’t really work: it doesn’t account for the myriad ways which attackers might use. Keeping passwords as an example, you may require strong passwords which truly are orders of magnitude harder to defeat than simple passwords… but if you’re not protecting them in transit with good encryption, you’re no more secure. And even if you’re using good encryption, a wrench can still get the password (not that I advocate this method, of course, and especially not when my kneecaps might be involved!)

So, realizing that there are no easy fixes, and that attackers can be resourceful, how do you measure the level of security?

Well, so far the best idea I’ve seen has been to create a composite score based on your vulnerability to various attack vectors, giving weight depending on the expected likelihood of a given vector. Yes, that’s right: benchmarks.

And ultimately, you don’t want to get too hung up on the score. With benchmarks, you can usually manipulate to get whatever score you want. It’s just a number; the question is whether you’re secure. So use a metric, or pick a team that uses a metric, which you believe realistically reflects the threats you expect to see. And whatever the answer you get, the question is binary: “Am I secure enough?”


Keep it simple…

By the time you read this, we may have run out of IPv4 addresses. If we haven’t, it’s coming soon; almost certainly by the end of 2010, though extreme measures may yet continue into 2011.

The obvious solution is to adopt IPv6, hermit crab-like, moving to the bigger, better shell.

But is IPv6 better?

Obviously, it has more address space. Far more address space. And features, oh the features.

Which is something of a problem, really…

IPv6 is chock-full of features, including security: IPsec support is mandatory for IPv6 nodes rather than an add-on. Which is great, except that these take up space. The fixed header alone is 320 bits (40 bytes), twice the size of a minimal IPv4 header and as large as an entire IPv4 packet carrying a TCP acknowledgement with no payload. Add in extension headers, and you’ve got a pretty gargantuan packet.

Now, it’s possible to work with a big packet; sometimes a really big packet is even a good idea. Other times, not so much. It’s an awful lot of overhead for the tiny packets (TCP acknowledgements, DNS queries) which make up a large share of what is sent…
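To make the overhead comparison concrete, here is an added example (not from the original post) that parses constructed IPv4 and IPv6 packets, walks the IPv6 extension-header chain to reach the transport header, and reports how much of each packet is network-layer header. That walk is also the job every IPv6 firewall has to do before it can see ports, which is where the flexibility of extension headers turns into a filtering and evasion problem. Addresses, ports and packets are constructed; checksums are left zero.

```python
import struct

IPPROTO_TCP = 6
# Extension headers whose second byte is a length in 8-octet units, not counting the first 8
VARIABLE_EXT = {0: "Hop-by-Hop Options", 43: "Routing", 60: "Destination Options"}
FIXED_EXT = {44: "Fragment"}          # always 8 bytes
IPPROTO_AH = 51                       # length field in 4-octet units minus 2
# 50 (ESP) ends the chain: what follows is encrypted, so a filter cannot see ports anyway

def header_overhead(pkt):
    """Return (header_bytes, upper_layer_protocol, chain) for an IPv4 or IPv6 packet.

    header_bytes covers the network header plus IPv6 extension headers; the
    transport header is not counted, so the two versions compare like for like."""
    version = pkt[0] >> 4
    if version == 4:
        return (pkt[0] & 0x0F) * 4, pkt[9], ["IPv4"]
    if version != 6:
        raise ValueError("not an IP packet")
    next_hdr, off, chain = pkt[6], 40, ["IPv6"]
    while next_hdr in VARIABLE_EXT or next_hdr in FIXED_EXT or next_hdr == IPPROTO_AH:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if next_hdr == IPPROTO_AH:
            size, name = (pkt[off + 1] + 2) * 4, "Authentication Header"
        elif next_hdr in FIXED_EXT:
            size, name = 8, FIXED_EXT[next_hdr]
        else:
            size, name = (pkt[off + 1] + 1) * 8, VARIABLE_EXT[next_hdr]
        chain.append(name)
        next_hdr, off = pkt[off], off + size
    if off > len(pkt):
        raise ValueError("extension header runs past end of packet")
    return off, next_hdr, chain

def overhead_ratio(pkt):
    """Fraction of the bytes on the wire spent on network-layer headers."""
    return header_overhead(pkt)[0] / len(pkt)

# --- constructed packets -----------------------------------------------------
def tcp_ack():
    """A bare 20-byte TCP ACK: ports 40000 -> 443, no options, checksum zeroed."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, 0x10, 65535, 0, 0)

def ipv4_ack():
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp_ack()

def ipv6_ack(extensions=b"", first_next_header=IPPROTO_TCP):
    payload = extensions + tcp_ack()
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), first_next_header, 64, src, dst) + payload

# Hop-by-Hop (next header 60) then Destination Options (next header TCP), 8 bytes of PadN each
HBH = bytes([60, 0, 1, 4, 0, 0, 0, 0])
DST_OPTS = bytes([IPPROTO_TCP, 0, 1, 4, 0, 0, 0, 0])

if __name__ == "__main__":
    for label, pkt in [("IPv4 ACK", ipv4_ack()),
                       ("IPv6 ACK", ipv6_ack()),
                       ("IPv6 ACK + HBH + DstOpts", ipv6_ack(HBH + DST_OPTS, 0))]:
        hdr, proto, chain = header_overhead(pkt)
        print(f"{label:26} {len(pkt):3d} bytes on the wire, {hdr:2d} header, "
              f"{overhead_ratio(pkt):.0%} overhead, proto {proto}, {' > '.join(chain)}")
```

For a pure acknowledgement the IPv4 header is half the packet; the IPv6 header is two thirds of it, and two small option headers push that past 70 percent. A real filter would also have to cope with the chain being split across fragments, which this walker refuses by raising on truncation rather than guessing.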

But the real problem is one of philosophy. IPv6 tries to do too many things, to provide too many features. This doesn’t, as a general rule, work out well. The tools which stand the test of time aren’t intelligent, feature-rich toys. They’re simple, streamlined creatures which do one thing Very Well. Consider: does your VoIP phone use MGCP? Of course not; it uses SIP. When was the last time you wrote code in Algol? But lo, COBOL is still in use today. And think about HTTP: one of the most commonly used protocols, and it has only been updated once since it was introduced. In each and every case, the simple, limited option has outlasted or supplanted the heavy, feature-laden one.

What does this all mean? Well, we’re going to go with IPv6. Slow as adoption has been, there has been major investment into it, and there aren’t any viable alternatives. But we’re going to outgrow the IPv6 features. We’re going to reach the point where its security is inadequate, the routing techniques it aids are obsolete, and there are new concepts which need to be addressed. IPv6 is going to become obsolete. Maybe it’ll be around a while, but it won’t be long. And yet the simple protocols will still be around. Maybe when we design the next version of IP, we’ll keep that in mind.


Firesheep: SideJacking Made Painfully Simple

The big news of the week, emanating from Toorcon 12, is the release of Firesheep. This tool makes SideJacking – that is, “hijacking an engaged Web session with a remote service by intercepting and using the credentials that identified the user/victim to that specific server” – painfully simple for anybody to use. How easy? Well, let’s see… you download and install Firefox… and then you download and install the Firesheep extension to Firefox… and then you restart Firefox on a shared network (an open Wi-Fi hotspot, say) and run the tool to start hijacking the sessions it sniffs… that’s it! Simple enough for ya?

SideJacking is not a new concept, nor are the tools. Robert Graham of Errata Security made a bit of a splash with his tool Hamster back at Black Hat 2007 (also see “Wi-Fi SideJacking opens eyes at BlackHat“). And, really, the concept of intercepting and hijacking sessions is even older than that. Poor session management continues to be on the OWASP Top 10 list, as does the lack of adequate transport layer protection (that is, SSL/TLS for the whole site, not just the login page; a session cookie sent over plain HTTP after an HTTPS login is exactly what Firesheep picks up).
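An added example (not part of the original post, and not Firesheep’s code) showing both halves of the problem. First, what a sidejacker gets from one captured cleartext HTTP request: the Cookie header, which is the session. Second, the response-side check a site owner can run over their own Set-Cookie and Strict-Transport-Security headers to see whether a sniffer on a shared network could replay the session. The captured request and the response headers are constructed; the SameSite attribute in the audit postdates the original post but belongs in any audit run today.

```python
import re

# Cookie names that usually carry a login: the ones worth flagging loudest
SESSION_NAME = re.compile(r"sess|sid|auth|token|login|remember", re.I)

def cookies_from_request(raw_request):
    """What a sniffer sees in one cleartext HTTP request: every cookie, name -> value."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    jar = {}
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                jar[k] = v
    return jar

def audit_set_cookie(headers):
    """{cookie name: [missing attributes]} for every Set-Cookie lacking Secure, HttpOnly
    or SameSite. headers is a list of (name, value) pairs as http.client returns them."""
    findings = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in hvalue.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("Secure", "HttpOnly", "SameSite") if a.lower() not in attrs]
        if missing:
            findings[cookie] = missing
    return findings

def sidejackable(headers):
    """Session-looking cookies without Secure: the browser will send these over plain
    HTTP, where anyone on the segment can read and replay them."""
    return sorted(name for name, missing in audit_set_cookie(headers).items()
                  if "Secure" in missing and SESSION_NAME.search(name))

def has_hsts(headers):
    """Strict-Transport-Security keeps the browser from ever talking http:// to the site."""
    return any(n.lower() == "strict-transport-security" for n, _ in headers)

# --- constructed samples -----------------------------------------------------
CAPTURED_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: social.example.test\r\n"
    "Cookie: sessionid=8d1f3c2e9a; lang=en; remember_me=1\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=8d1f3c2e9a; Path=/; HttpOnly"),       # no Secure: replayable
    ("Set-Cookie", "remember_me=1; Path=/; Expires=Fri, 01 Jan 2011 00:00:00 GMT"),
    ("Set-Cookie", "csrftoken=b7e2; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    print("sniffed from request:", cookies_from_request(CAPTURED_REQUEST))
    print("replayable session cookies:", sidejackable(RESPONSE_HEADERS))
    print("HSTS present:", has_hsts(RESPONSE_HEADERS))
```

Pointing `audit_set_cookie` at a real site’s response headers (for instance from `http.client` after a login) tells you in one line whether that site is a Firesheep target: any session cookie in the `sidejackable` list, or a missing HSTS header, means an HTTPS login page is not protecting anything after the login.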



I Swear I’ll Get This Post Written By the Time I Crack Your Password

When did password cracking get so hard? Remember the LM hash? Superseded by the NT hash since Windows NT, it was still generated and stored by default for backward compatibility until Windows Vista. Even back in the day an external hard drive easily had enough room for a full set of rainbow tables, and generating them only took a few days at most, depending on your computer’s speed. That is to say, brute forcing was actually practical. Even your moderately security-conscious types who actually paid attention to complexity rules could fall victim to a password attack if their account was on any machine with LM hashes turned on.

Now it’s all NT hashes (what most tools call NTLM hashes) in the Windows world, and frankly brute forcing them just isn’t feasible for your average me. The basic weaknesses of LM hashes, uppercasing everything and splitting the password into two 7-character chunks that can be attacked separately, are no longer present. I was going to write some sort of analogy for how much space you would need to store just rainbow tables for alphanumeric characters with a maximum length of 10, but it started to give me a headache and I stopped. This leaves me with the word list option: make an educated guess about what the password might be, over and over again, until either I am successful or I get a job as a street musician.

It’s been 15 years since Hackers the movie came out, and love, sex, secret, and god won’t get you as far as they used to in password guessing. On a domain, and even locally, administrators can set complexity and length requirements for passwords. Additionally, user awareness is up. No doubt Password1 will still get you a few accounts within an organization, but more users, particularly the IT people, the ones with administrator accounts, are moving to the $frdh$OI!6G@ side of the spectrum (the downside of this, of course, is that $frdh$OI!6G@ is probably on a post-it somewhere). With letter, number, and symbol rainbow tables, I could crack $frdh$OI!6G@ as an LM hash effortlessly, but it’s not going to be in any wordlist anywhere.
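An added example (not from the original post) that shows the two hashes side by side. The NT hash is MD4 over the UTF-16LE password, implemented here in pure Python because many OpenSSL builds no longer expose MD4 through hashlib. Next to it is the LM preprocessing that explains why LM fell to rainbow tables: uppercase, pad to 14 bytes, split into two 7-byte halves that are attacked independently (each half becomes a DES key; the DES step itself is left out here). The search-space figures at the end are the headache calculation above; the 69-symbol LM alphabet, 95-symbol NT alphabet, chain length and bytes per chain are stated assumptions, and the table figure is a lower bound for a single table.

```python
import math
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data):
    """RFC 1320 MD4 in pure Python (needed because NT hashes are MD4)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for f, order, shifts, k in rounds:
            for i in range(16):
                j = (-i) % 4                 # operate on a, d, c, b, a, d, ...
                v[j] = _rotl((v[j] + f(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                              + x[order[i]] + k) & MASK, shifts[i % 4])
        h = [(a + b) & MASK for a, b in zip(h, v)]
    return struct.pack("<4I", *h)

def nt_hash(password):
    """NT hash: MD4 of the UTF-16LE password, no salt, case preserved."""
    return md4(password.encode("utf-16-le")).hex()

def lm_halves(password):
    """The two independent 7-byte DES keys LM derives from a password, or None when the
    password is longer than 14 characters (then no LM hash is stored at all)."""
    if len(password) > 14:
        return None
    padded = password.upper().encode("latin-1").ljust(14, b"\x00")
    return padded[:7], padded[7:]

LM_EMPTY_HALF = "aad3b435b51404ee"   # DES output for an all-null half: a password of 7 or fewer chars

def lm_search_space(alphabet=69):
    """Worst case for one LM hash: two halves of up to 7 symbols, attacked separately."""
    return 2 * sum(alphabet ** n for n in range(1, 8))

def nt_search_space(length, alphabet=95):
    """Worst case for an NT hash of up to the given length, with no structural shortcut."""
    return sum(alphabet ** n for n in range(1, length + 1))

def rainbow_table_bytes(alphabet, max_len, chain_len=10_000, bytes_per_chain=16):
    """Lower bound on storage for one table that covers every password up to max_len."""
    return nt_search_space(max_len, alphabet) // chain_len * bytes_per_chain

if __name__ == "__main__":
    print("NT(password) =", nt_hash("password"))
    print("LM halves    =", lm_halves("$frdh$OI!6G@"))
    print(f"LM worst case 2^{math.log2(lm_search_space()):.1f} vs NT up to 14 chars 2^{math.log2(nt_search_space(14)):.1f}")
    print(f"alnum <=10 NT rainbow table: {rainbow_table_bytes(62, 10) / 2**50:.1f} PiB")
```

The numbers are the whole story: LM never costs more than about 2^44 DES operations no matter how long or strange the password, while an NT hash of a 14-character password is around 2^92. And the table the author gave up estimating comes out at over a pebibyte for a single alphanumeric table up to 10 characters, before the extra tables needed for realistic coverage.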

So why do I want to crack your password anyway? Password hashes are pretty well protected. If I can get the hashes, chances are I’ve already compromised the machine in question. However, the one thing no hashing algorithm or security policy can fix is a user’s propensity to use the same password for multiple accounts. If I have the plaintext of your password for one machine or domain, it is very likely I will be able to authenticate on another.

It seems like dumping hashes isn’t as exciting as it used to be. I guess someone is doing something right.
