Saturday, 31 March 2007

Help Johnny Long Go to Uganda

Long-time readers of my blog know I severely limit the number of non-technical stories I write here. I've probably written fewer than a dozen in over four years. This one definitely deserves to be posted, however.

I shook hands with Johnny Long at ShmooCon last week, but we didn't get a chance to chat. If you don't know Johnny Long, you haven't paid attention to the scene during the last few years! In short, Johnny invented Google hacking, and he's one of the nicest guys you could meet at a security conference.

Today I received an email from Johnny stating that he and his wife Jen are flying to Uganda in May to do missionary work. He's working for AIDS Orphans Education Trust. In his usual low-key manner, he's asking for help. He didn't specifically ask people outside of his email addressees to help, but I figure there are a lot of people who could contribute a few dollars to help defray the costs he and his wife must bear to fly and live in Uganda.

His trip is going to cost $4200 and I can guarantee not a penny will be wasted. How often do you get a chance to personally assist someone you know? Johnny has decided to crawl out of his digital shell and try to make a difference in the real world. If you want to join me in helping Johnny and his wife, send a contribution via PayPal to johnny [at] ihackstuff [dot] com.

Thank you for your time.

Cisco 802.1x Voice VLAN Authentication Bypass Vulnerability

OK, last night I blogged about VoIP enumeration techniques, and it made me want to find exploits for Cisco products. I was reading Jake's report, and I must admit the guys at FishNet Security write excellent reports. In the report, he mentions that it is possible to bypass 802.1x port-based security by spoofing CDP packets, allowing an attacker to gain access to the voice VLAN. Below is a short summary:

"Cisco switches are susceptible to an authentication bypass vulnerability, allowing attackers to gain anonymous access to the voice VLAN.

Attackers may spoof CDP packets, and impersonate a Cisco IP phone, in order to anonymously join the voice VLAN. This allows attackers to gain access to network resources without the expected 802.1x authentication sequence. As network administrators expect that switch port access is restricted to only authenticated users, a false sense of security may pervade.

Once attackers gain access to the voice VLAN, they may be able to launch further attacks against servers and other hosts, or eavesdrop on VOIP conversations. Further network attacks are also possible at this point."

I guess the authentication mechanism behind it is the Extensible Authentication Protocol. Please go through the whole report; it is so good that I read it twice. The report covers the spoofing techniques, attack scenario and mitigation steps. The full report can be found here

As for spoofing CDP packets, you can use a tool called yersinia. This tool has multiple uses, one of which is becoming the STP root. Installing this tool was a pain for me, with the usual ./configure, make, make install. However, I found a good site that lets you download the package and install it with dpkg -i yersinia_0.7.1-0.2_i386.deb. The link to the site is: http://www.enrici.com/debian/yersinia/0.7.1/. Below are pictures of the yersinia tool. You can use it in GTK mode or with the ncurses GUI.



Friday, 30 March 2007

BotMaster Spamming



Generating mass traffic to your site in a short amount of time = spamming? OK, I just came across this tool from botmaster.net. Personally, I wouldn't use this tool at all. What if someone reports me to the authorities? Or what if someone proxies all the traffic to an FBI web form? On the other hand, you could earn money by telling someone you can help their site rank number one in Google, but to me that is conning. I once had a colleague who wanted his site ranked number one in Google so badly that he was willing to pay USD $2000 for a service. That is crazy money for an unverifiable claim by any company. I don't trust all these so-called "SEO services" either. They either con you and say bye-bye, or they drag out the process of getting you ranked number one in Google. I will let you guys think about whether this tool can do good or do damage for you. Let me know?

For more on how to prevent yourself from being compromised by this tool, visit below:
sla.ckers

For the demo of this tool and how it can be used, visit below:
http://www.botmaster.net/movies/XFull.htm
http://www.botmaster.net/movies/XDemo.htm

Full Content Monitoring as a Wiretap

I received the following question today:

When installing Sguil, what legal battles have you fought/won about full packet capture and its vulnerability to open records requests from outside parties? I am getting concerns, from various management, regarding the legal ramifications of the installation of a system similar to Sguil in the state government arena. Do you have any advice for easing their worries? I know how important full data capture is to investigating incidents, and I consider it of paramount importance to the security of our state that we do so. Are there any legal precedents that can be cited?

Before I say anything else it is important to realize I am not a lawyer, I don't play one on YouTube, and I recommend you consult your lawyer rather than listen to anything I might say.

With that out of the way, I have written about wiretaps a few times before. Let me get these generic wiretapping issues out of the way before addressing the question specifically.

The pertinent Federal law is 18 U.S.C. §2511.

A great place to look for commentary and precedents on digital security issues is Orin Kerr's Computer Crime Case Updates. This search for wiretap may or may not be helpful.

Finally, for recent commentary by a lawyer (but not your lawyer), I recommend Sysadmins, Network Managers, and Wiretap Law (.pdf slides) by Alex Muentz. These notes from his LISA 2006 talk are helpful too.

I think the key element of the question originally posed was full packet capture and its vulnerability to open records requests from outside parties. It sounds like the question asker is worried about discoverability of full content data. I touched on this briefly in The Revolution Will Be Monitored.

My answer to this problem is what I would consider both practical and technically limiting: do not store more full content data than you need. For any modern production network, capturing and storing days or weeks of full content traffic can be an expensive proposition. For example, in one client location I have about 200 GB of space available for full content storage. That space allows me to save a little more than 10 days of full content, even with fairly draconian BPFs limiting what is stored. If for some reason I needed to produce that data to management or attorneys, I could only provide the last 10 days of information. If the event in question occurred prior to that period, I just don't have it.

I do know of some locations that operate massive storage area networks to save TBs of full content. I do not advocate that for anyone but the most specialized of clients. I do recommend collecting the amount of full content (if possible, legally and technically) that works for your investigative window. For example, if you have a requirement to review your alert and session data such that you are never more than 5 days past an event of interest, you might want to save 7 days of full content. From an investigation point of view, more is always better. From a practical point of view, it might be too costly.

Remember that any network data collection should be considered a wiretap. Full content is the form of network data that most resembles a wiretap.

With respect to session data, I recommend saving as much of that as possible. In practical terms it comes down to the amount of space you're willing to devote to database files. At the same client I am collecting as many sessions as I can, without filters. 30 days of such session data is producing about 20 GB of uncompressed MySQL table files. As you can see I can store many more days of session data as compared to full content data. That means much more session data is discoverable. I might choose to limit storage of that session data to meet whatever guidance corporate legal counsel might provide.

Session data is like pen register/trap and trace data, because it does reveal content. I still treat it like a wiretap but it probably does not meet the same standards.

Event data, i.e. IDS alerts, take so little space as to not require any real storage consideration (compared to full content and session data). Therefore, the primary limiting factor is legal and policy, not technical.

I think anyone who really wants a better answer would do well to check out Prof. Kerr's list, and potentially ask him. Alex Muentz would be another good resource.

VoIP Enumeration Technique released

OK, I finally managed to finish my VoIP enumeration experiments, and now it's time to blog about them here. I know this has been long awaited, but I was rather busy with other stuff too. Before I start, I presume that most of you reading my blog have some basic knowledge of how SIP signaling works. There is a plethora of information on how SIP signaling works, so just Google it and you will find it. The one I visit most is iptel.org. In this experiment, the tools used were nmap, siVus, sipsak, the SER PBX, the Debian OS, netcat, the SolarWinds toolset, the X-Lite softphone and Wireshark.

Enumeration is the most important step in any hacking activity. Without successful enumeration, you wouldn't know whether a PBX server is running or what other services are running, so successful enumeration leads to a successful hack. I guess most of you know about the three-way TCP handshake. Nmap can be used to perform SYN, ACK, Xmas, TCP and other scans. For VoIP there are no such options, and the best open source tool to use is sipscan or maybe siVus. There are three different scans that can be used to perform VoIP enumeration: the INVITE, OPTIONS and REGISTER requests. You have to know how the handshake takes place for all three requests. Different scans will yield different results, and if the PBX server is hardened or patched, enumeration becomes a little trickier.

I set up a SER PBX server without any MySQL authentication. This is for testing purposes only. The Session Initiation Protocol works quite similarly to HTTP: for each request you get a response. The requests can be INVITE, REGISTER, OPTIONS, SUBSCRIBE, NOTIFY, REFER, CANCEL or BYE, and the response is a numeric code like 100, 180, 200, 303, 408, 500, 603 and many others. For a full list please refer to iptel's website. A successful request will always give a 200 response code, so please take note of that. In the screenshot below, I successfully sent an INVITE request, and you can see in Wireshark how the handshake takes place.

This tells us that the user does exist on the PBX server; otherwise a 401 or 404 response would be shown. Try this: set up MySQL authentication and you won't see a 200 response code.

Below is a screenshot of a REGISTER request. Notice that the handshake is different from the INVITE request.

A REGISTER request allows a user to register its username, password and some other details with the registrar. So, as shown above, the PBX server does allow me to register.

You can use the serctl ul show command to see a list of users as shown below:

I registered two users, Ronald and test.

On the softphone side, if the PBX is set up correctly, all you have to do is launch the softphone and it will automatically register itself in the SER database (without authentication, in my experiment). The softphone is easy to configure; you just have to enter the correct settings. Below is a successful registration of the softphone with the PBX server.


To start the SER service, go to /etc/init.d and type sudo SER start. Once the service is started, you will see some text as shown below:


To check the SER service running in debian, use ps -ef | grep SER as shown below:


To monitor the responses emitted by the PBX server, issue the serctl moni command as shown below:

From the output, you can clearly see the highlighted 2XX response count. This shows that there were 2 requests at the moment of testing and both were accepted. All other response classes (3XX, 4XX, 5XX and 6XX) are 0, which means no bad requests were supplied to the PBX server, so the server is not emitting any error responses.

OK, now comes the enumeration technique. I used netcat to see whether I could get any response from the server. From the output of netcat, sadly, there is no response from the server. Either I typed something wrongly or the server is configured by default not to show responses. A snippet of the netcat session is shown below:


siVus was used next to scan the PBX server. The result only displays the port number and the User Agent (UA), which is the X-Lite softphone. It doesn't show the version or the software of the PBX server.


Sipscan was next. Because there is no authentication set up on the PBX server, all the responses to sipscan were 200. This means that if an attacker knows the IP of my PBX server, all he needs is a softphone: he can register without any password and start using the VoIP service. Of course, in a real-world scenario, most PBX servers are set up with passwords. My point is that because my PBX server is set up without authentication, you see a 200 OK for everything. However, if a PBX server is set up with passwords, then depending on the scan request (INVITE, REGISTER or OPTIONS) you will see 4XX responses from the PBX server. This is what allows you to enumerate user accounts: after multiple tries, if you see a response like 401, you know that the user exists in the database and requires authentication. Having the username is good enough; you have successfully enumerated a user in the database. This is a long process, but you can always write a script to automate it, or you can use sipscan, which comes with a default user list. You will have to update this list to perform a dictionary scan. Below is a snippet of sipscan:


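Seen from the defender's side, the same 200/401/404 logic the scan relies on is what gives a sweep away: one source sending REGISTER, OPTIONS or INVITE requests for many different To-users in a short time. The following is an added example (not code from the original post, sipscan or siVus) that parses SIP messages from a constructed trace and reports such sweeps; the scanner address 10.0.0.5 and phone address 192.168.1.50 are constructed, and the PBX address 192.168.1.23 is taken from the post.

```python
import re
from collections import defaultdict

# Request start line: METHOD Request-URI SIP/2.0 ; response start line: SIP/2.0 code reason
REQUEST_RE = re.compile(r"^(INVITE|REGISTER|OPTIONS)\s+(\S+)\s+SIP/2\.0$", re.I)
STATUS_RE = re.compile(r"^SIP/2\.0\s+(\d{3})\b")
USER_RE = re.compile(r"sips?:([^@>;\s]+)@")


def parse_sip(raw):
    """Parse the start line and headers of one CRLF-separated SIP message.
    Returns a dict for INVITE/REGISTER/OPTIONS requests and for responses, else None.
    The probed user comes from the To header (a REGISTER's Request-URI names only
    the registrar domain), with the Request-URI as fallback.
    """
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    call_id = headers.get("call-id") or headers.get("i")  # 'i' is the compact form
    m = REQUEST_RE.match(lines[0])
    if m:
        um = USER_RE.search(headers.get("to") or headers.get("t") or m.group(2))
        return {"kind": "request", "method": m.group(1).upper(),
                "user": um.group(1) if um else None, "call_id": call_id}
    m = STATUS_RE.match(lines[0])
    if m:
        return {"kind": "response", "status": int(m.group(1)), "call_id": call_id}
    return None


def find_enumeration(packets, min_users=5):
    """packets: iterable of (src_ip, dst_ip, raw_sip_text) in capture order.
    Each request is paired with the final (non-1xx) response for its Call-ID.
    A source that probed at least `min_users` distinct users is reported with
    the status breakdown and the accounts it learned about: 401 and 200 both
    show the account exists, 404 that it does not.
    """
    pending = {}                 # Call-ID -> (requesting ip, probed user)
    probes = defaultdict(dict)   # requesting ip -> {probed user: final status}
    for src, _dst, raw in packets:
        msg = parse_sip(raw)
        if msg is None or msg["call_id"] is None:
            continue
        if msg["kind"] == "request":
            if msg["user"] is not None:
                pending[msg["call_id"]] = (src, msg["user"])
        elif msg["status"] >= 200 and msg["call_id"] in pending:
            scanner, user = pending.pop(msg["call_id"])
            probes[scanner][user] = msg["status"]
    alerts = {}
    for scanner, outcomes in probes.items():
        if len(outcomes) < min_users:
            continue
        by_status = defaultdict(int)
        for status in outcomes.values():
            by_status[status] += 1
        alerts[scanner] = {
            "users_probed": sorted(outcomes),
            "by_status": dict(by_status),
            "accounts_exposed": sorted(u for u, s in outcomes.items() if s in (200, 401)),
        }
    return alerts


# ---- constructed sample trace, not a real capture -------------------------------
PBX, SCANNER, PHONE = "192.168.1.23", "10.0.0.5", "192.168.1.50"


def _request(method, uri, user, call_id, src):
    return (f"{method} {uri} SIP/2.0\r\nVia: SIP/2.0/UDP {src}:5060;branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:{user}@{PBX}>;tag=1\r\nTo: <sip:{user}@{PBX}>\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 {method}\r\nContent-Length: 0\r\n\r\n")


def _response(code, reason, method, call_id):
    return (f"SIP/2.0 {code} {reason}\r\nCall-ID: {call_id}\r\n"
            f"CSeq: 1 {method}\r\nContent-Length: 0\r\n\r\n")


def sample_packets():
    pkts = []
    # A sipscan-style REGISTER sweep against a PBX that requires authentication.
    sweep = [("alice", 401), ("bob", 404), ("test", 401),
             ("ronald", 401), ("carol", 404), ("dave", 404)]
    for n, (user, code) in enumerate(sweep, 1):
        cid = f"scan-{n}"
        reason = "Unauthorized" if code == 401 else "Not Found"
        pkts.append((SCANNER, PBX, _request("REGISTER", f"sip:{PBX}", user, cid, SCANNER)))
        pkts.append((PBX, SCANNER, _response(code, reason, "REGISTER", cid)))
    # A legitimate phone registering and placing one call: the 1xx responses are
    # ignored and a single user stays well below the threshold.
    pkts.append((PHONE, PBX, _request("REGISTER", f"sip:{PBX}", "ronald", "reg-1", PHONE)))
    pkts.append((PBX, PHONE, _response(200, "OK", "REGISTER", "reg-1")))
    pkts.append((PHONE, PBX, _request("INVITE", f"sip:ronald@{PBX}", "ronald", "call-1", PHONE)))
    for code, reason in ((100, "Trying"), (180, "Ringing"), (200, "OK")):
        pkts.append((PBX, PHONE, _response(code, reason, "INVITE", "call-1")))
    return pkts


def demo():
    """Run the detector over the constructed trace; only the scanner is flagged."""
    return find_enumeration(sample_packets())
```

In practice the packet tuples would come from a SIP dissector on the monitoring sensor, and the accounts listed under accounts_exposed are the ones to watch for follow-up registration attempts.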
Sipsak is known as the "Swiss army knife" which blends well with SER and the X-Lite softphone. The options I use for sipsak are as follows:

Send an OPTIONS request to test@192.168.1.23 and display received replies.

sipsak -vv -s sip:test@192.168.1.23


Trace the SIP path to test@192.168.1.23

sipsak -T -s sip:test@192.168.1.23


Insert a forwarding contact for myself at work pointing to me at home for one hour, authenticating with a password if required.

sipsak -U -C sip:WW@home -x 3600 -a password -s sip:WW@192.168.1.23


A usrloc test with additional INVITEs sent to the user.

sipsak -U -I -s sip:test@192.168.1.23 -vv


Send the instant message "Hell time!" to the colleague and show the result:

sipsak -M -v -s sip:test@192.168.1.23 -B "Hell time!"

To update your hacking toolset you can visit this page: http://www.forinsect.de/pentest/pentest-tools.html

Of course, you can perform more VoIP hacks; the enumeration technique is just one part. To see more VoIP hacking tools and their purposes, check out this site:
http://www.voipsa.org/Resources/tools.php. It has a whole suite of tools for VoIP, and each section has a different specific use.

A point to note: please disable SNMP services on any VoIP devices. If you need to use SNMP, set strong, unguessable public and private community strings, or better still use SNMP version 3, which provides strong authentication. Below is a snippet of SolarWinds. You can use SolarWinds to search the MIB and the OID for a specific vendor. Once the vendor is found, a wealth of information is disclosed. This all happens if you use the default public community string, so keep that in mind.


Lastly, did you know that hardware VoIP phones download a configuration settings file from a TFTP server into their firmware on startup? Most of us know that a TFTP server runs on UDP port 69 and provides no authentication. So what if you can compromise the TFTP server? You could then place rogue files on the server to corrupt the hardware phones. If you ask me how to find the TFTP server IP address, you can always check the phone's settings; normally one of the options will show you the TFTP server IP address. The Cisco IP Phone 7940 and 7960 do show it. See my previous post. The best way to protect the TFTP server from unauthorized access is to use an access list permitting only certain IPs to use the TFTP server. There is more to this than just enumeration; this is just the beginning of VoIP hacking, or phreaking as you may call it. Once a valid username is found, you can perform MITM sniffing to capture voice calls, and, as in my previous post, you can actually reroute calls. That is all for now. I hope you like it. Let me know what you think?

Threat Deterrence, Mitigation, and Elimination

A comment on my last post prompted me to answer here. My thesis is this: a significant portion, if not the majority, of security in the analog world is based on threat deterrence, mitigation, and elimination. Security in the analog world is not based on eliminating or applying countermeasures for vulnerabilities. A vulnerability-centric approach is too costly, inconvenient, and static to be effective.

Consider the Metro subway in DC, pictured above. There are absolutely zero physical barriers between the platform and the trains. If evil attacker Evelyn were so inclined, she could easily push a waiting passenger off the platform into the path of an arriving train, maiming or killing the person instantly.

Why does this not happen (regularly)? Evelyn is presumably a rational actor, and she is deterred by vigilante justice and the power of the legal system. If she killed a Metro passenger in the state of Virginia she would probably be executed herself, or at the very least spend the rest of her life in prison. Hopefully there are few people like Evelyn in the world, but would more Metro passengers be murdered if there were no attribution or apprehension of the killers?

How do you think the Metro board would react to such an incident?

  1. Build barriers to limit the potential for passengers to land in front of moving trains

  2. Screen passengers as they enter Metro stations

  3. Mandate trains to crawl within reach of waiting passengers

  4. Add Metro police to watch for suspicious individuals

  5. Add cameras to watch all Metro stations

  6. Lobby Congress to increase penalties


My ranking is intentional. 1 would never happen; it is simply too costly when weighed against the risks. 2 would be impossible to implement in any meaningful fashion and would provoke a public backlash. 3 might happen for a brief period, but it would be abandoned because it would slow the number of trains carrying passengers. 4 might happen for a brief period as well, but the costs of additional personnel make it an unlikely permanent solution; it's also ineffective unless the police are right next to a likely incident. 5 and 6 could happen, but they are only helpful for deterrence -- which is not prevention.

Earlier I said Evelyn is a rational actor, so she could presumably be deterred. She could also be mitigated or eliminated. Imagine if Evelyn's action was a ritual associated with gang membership. Authorities could identify and potentially restrict gang members from entering the Metro. (Difficult? Of course. This is why deterrence is a better option.) Authorities could also infiltrate and/or destroy the gang.

Irrational actors cannot be deterred. They may be mitigated and/or eliminated.

Forces of nature cannot be deterred either. Depending on their scope they may be mitigated, but they probably cannot be eliminated. Evelyn's house cannot be built for a reasonable amount of money to withstand a Category V hurricane. Such a force of nature cannot be deterred or eliminated. Given a large enough budget Evelyn's house could be built to survive such a force, so mitigation is an option. Insurance is usually how threats like hurricanes are mitigated, however.

Everyone approaches this problem via the lens of their experience and capabilities. Coders think they can code their way out of this problem. Architects think they can design their way out. I am mainly an operator and, in some ways, an historian. I have seen in my own work that prevention eventually fails, and by learning about the past I have seen the same. In December 2005 I wrote an article called Engineering Disasters for a magazine, and in the coming weeks a second article with more lessons for digital security engineers will be published in a different venue.

I obviously favor whatever cost-effective, practical trade-offs (not solutions) we can implement to limit the risks facing digital assets. I am not saying we should roll over and die, hoping the authorities will catch the bad guys and prevent future crimes. Nevertheless, the most pressing problem in digital security is attribution and apprehension of those perpetrating crimes involving information resources. Until we take the steps necessary to address that problem, no amount of technical vulnerability remediation is going to matter.

Thursday, 29 March 2007

Cisco PIX Firewall capture command

OK, so most of us know about packet sniffers like tcpdump and Wireshark. These two are the best open source sniffers freely available today. But most of us also know that the majority of companies now use switches rather than the good old hub, because of the poor architecture of how a hub works. To sniff all traffic on a switch you would need to perform ARP spoofing, but to sniff traffic on a hub, just install a sniffer on your machine and start sniffing the network. I guess on Cisco switches you can try enabling Cisco Dynamic ARP Inspection to defeat ARP spoofing. Personally, I have not tried that, but you can read more about it here: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00804357b1.html

My point today is not ARP spoofing; instead I would like to talk about the capture command on the PIX firewall. This command functions almost like a sniffer: you can choose to capture all the traffic that traverses the firewall. Besides that, you can also filter based on IP addresses and port numbers. Moreover, this command can be used for troubleshooting when you are setting up multiple servers or networks. Personally, I tried it two years back when I was configuring a firewall, and there is no question that it is good to have a sniffer-like command on the firewall. I shan't go deep into the details of how to use or configure this command, because a simple yet detailed article has already been published. Let me know what you think?

http://www.computernetworkinghelp.com/content/view/40/1/

Remember that TJX Is a Victim

Eight years ago this week news sources buzzed about the Melissa virus. How times change! Vulnerabilities and exposures are being monetized with astonishing efficiency these days. 1999 seems so quaint, doesn't it?

With the release of TJX's 10-K to the SEC all news sources are discussing the theft of over 45 million credit cards from TJX computers. I skimmed the 10-K but didn't find details on the root cause. I hope this information is revealed in one of the lawsuits facing TJX. Information on what happened is the only good that can come from this disaster.

It's important to remember that TJX is a victim, just as its customers are victims. The real bad guys here are the criminals who compromised TJX resources and stole sensitive information. TJX employees may be found guilty of criminal negligence, but that doesn't remove the fact that an unauthorized party attacked TJX and stole sensitive information. Unfortunately I believe the amount of effort directed at apprehending the offenders will be dwarfed by the resources directed at TJX. That will leave those intruders and others like them to continue preying on other weak holders of valuable information.

Update: At least US credit card holders don't have it as bad as our friends in the UK.

VMware Server 1.0.2 on Ubuntu 6.10

Previously I documented installing VMware Workstation 6 Beta on my Thinkpad x60s. I decided to uninstall Workstation and install VMware Server 1.0.2. I should have used the vmware-uninstall.pl script but even without using it directly I managed to remove the old Workstation installation without real trouble.

Running Server on Ubuntu 6.10 (desktop) required me to add a few packages. I found Martti Kuparinen's installation guide very helpful. I had to add the following packages to ensure a smooth Server installation.

sudo apt-get install xinetd
sudo apt-get install libX11-dev
sudo apt-get install xlibs-dev

I did not have to install linux-kernel-headers.

I was really impressed that Martti provided a patch for two scripts that did not work correctly out of the box. When I applied the patch I was able to start VMware's Web server and access it via my browser.

richard@neely:/tmp$ wget http://users.piuha.net/martti/comp/ubuntu/httpd.vmware.diff
--13:52:24-- http://users.piuha.net/martti/comp/ubuntu/httpd.vmware.diff
=> `httpd.vmware.diff'
Resolving users.piuha.net... 193.234.218.130
Connecting to users.piuha.net|193.234.218.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,973 (2.9K) [text/plain]

100%[====================================>] 2,973 --.--K/s

13:52:25 (1.81 MB/s) - `httpd.vmware.diff' saved [2973/2973]

richard@neely:/tmp$ cd /
richard@neely:/$ sudo patch -b -p0 < /tmp/httpd.vmware.diff
Password:
patching file /etc/init.d/httpd.vmware
patching file /usr/lib/vmware-mui/src/lib/httpd.vmware
richard@neely:/$ sudo netstat -natup | grep vm
tcp 0 0 0.0.0.0:8333 0.0.0.0:* LISTEN 5205/httpd.vmware
tcp 0 0 0.0.0.0:8222 0.0.0.0:* LISTEN 5205/httpd.vmware

Thanks to this guide I made this addition to /etc/xinetd.d/vmware-authd so the vmware console on port 902 TCP didn't listen on all interfaces:

bind = 127.0.0.1

To prevent the Web server from starting at boot and potentially listening on a hostile network, I removed the x bit from the script in /etc/init.d so it would not be started at boot. I can start it manually.

richard@neely:~$ sudo chmod -x /etc/init.d/httpd.vmware
richard@neely:~$ sudo sh /etc/init.d/httpd.vmware start
Starting httpd.vmware: done

I noticed while installing the packages the suggestion to run apt-get autoremove, so I did once everything was installed.

richard@neely:~$ sudo apt-get autoremove
Password:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libnl1-pre6 network-manager libnm-util0 dhcdbd
The following packages will be REMOVED:
dhcdbd libnl1-pre6 libnm-util0 network-manager
0 upgraded, 0 newly installed, 4 to remove and 0 not upgraded.
Need to get 0B of archives.
After unpacking 1217kB disk space will be freed.
Do you want to continue [Y/n]? y
(Reading database ... 115360 files and directories currently installed.)
Removing network-manager ...
* Stopping NetworkManager daemon [ ok ]
* Stopping NetworkManager dispatcher [ ok ]
Removing dhcdbd ...
Removing libnl1-pre6 ...
Removing libnm-util0 ...

I have VMware Server running well on Ubuntu now.

Telespoof

OK, this is my 50th post and I am going to introduce a service called caller ID spoofing. I have known about this service for a few months, but it just came to mind that I had to blog about it. Personally, I have not tried it before, so I can't really comment on it. From reading the FAQ, it is cheap, anonymous and, best of all, simple. Imagine calling without anyone knowing your real number. What can you do with it? Hehehe, I will let your imaginations run wild...


http://www.telespoof.com

Cracking Wireless Network

OK, I bet most people know how to break into wireless networks, but it is still good to post it here. The software I am going to use is Aircrack-ng. The reason I use this software is that it is open source, fast and has a suite of tools that can perform a hell of a lot of tasks. In order to sniff and break wireless networks, you will need to place your wireless network card in promiscuous mode and sniff a sufficient number of initialization vectors. For more information on how many IVs to sniff, please visit the aircrack-ng website. Cracking WEP is as simple as 123, as long as you have enough IVs. But to crack WPA, because of the four-way handshake authentication protocol, you need to sniff until a handshake takes place between a wireless client and the access point, force the client to reauthenticate, and then you can start a deauth attack with aireplay-ng. For more information, please read the FAQ at http://www.aircrack-ng.org/doku.php?id=faq. Make sure you go through it.

Wednesday, 28 March 2007

Googling Cisco Call Manager and Extra VLAN config

OK guys, this is the final post in the series of VLAN configurations I made. Until I make new discoveries, enjoy these:


Configuring VLAN 10 on multiple interfaces.


Configuring a dynamic trunk on multiple interfaces; please note that it is not secure due to VLAN hopping.


Configuring telnet on the switches; by now EVERYONE knows it is very insecure. Use SSH instead.


Configuring an IP address on the VLAN interface.

OK, as I am still working on the VoIP testing methodology for you guys, I happened to stumble across this:

This is bad practice, but only 4 companies made it onto the Google list. The search string is inurl:"ccmuser/logon.asp"

Mesh vs Chain

When Matasano Chargen suggested reading Nate Lawson's blog, I immediately added it to my Bloglines collection. Today I read Building a Mesh Vs a Chain and Mesh Approach vs Defense-in-Depth. Nate's basic premise is this:

When explaining the desired properties of a security system, I often use the metaphor of a mesh versus a chain. A mesh implies many interdependent checks, protection measures, and stopgaps. A chain implies a long sequence of independent checks, each assuming or relying on the results of the others.

With a mesh, it’s clear that if you cut one or more links, your security still holds. With a chain, any time a single link is cut, the whole chain fails.


He explains why mesh != defense-in-depth:

A commenter suggested by email that the mesh concept in my previous post is very similar to defense-in-depth. While they are similar, there are some critical differences that are especially important when you apply them to software protection.

Defense-in-depth comes from military history where a defender would build a series of positions and then fall back each time the enemy advanced forward through the first positions. This works in security as well. For instance, a web server may be run in a restricted chroot environment so that if the web server is compromised, damage is limited to the files in the restricted directory, not the whole system.

The mesh model, on the other hand, involves a series of interlocking checks and enforcement mechanisms. There is nothing to fall back to because all the defenses are active at the same time, mutually reinforcing each other. This concept is less common than defense-in-depth for network security use due to the difficulty of incorporating it into system designs. However, it is extremely common in cryptography.


I suggest reading both posts for more information. I found this design idea very interesting, but I agree that implementing it outside of cryptography seems difficult. It would be neat to devise more mesh-based systems.

Security Operations Fundamentals

Last year I wrote:

Marcus [Ranum] noted that the security industry is just like the diet industry. People who want to lose weight know they should eat less, eat good food, and exercise regularly. Instead, they constantly seek the latest dieting fad, pill, plan, or program -- and wonder why they don't get the results they want!

You might be wondering about the digital security equivalent to eating less, eating good food, and exercising regularly. Addressing that subject adequately would take more than this blog post, but I want to share the steps I use as a consultant when encountering a new client's enterprise.

You'll notice that these steps fit nicely within Mike Rothman's Pragmatic CSO construct. These are a little more specific and focused because I am not acting as a Chief Security Officer when I work as a consultant.

  1. Instrument sample ingress/egress points. What, monitor first? That's exactly right. Start collecting NSM data immediately (at least session data; preferably alert, full content, session, and statistical data). It's going to take time to progress through the rest of the steps that follow. While working on the next steps your network forensics appliance can be capturing data to be analyzed later.

  2. Understand business operations. Replace business with whatever term makes you more comfortable if you are a .gov, .mil, .edu, etc. You've got to know the purpose of the organization before you can understand the data it needs to do its job. This requires interviewing people who know this, preferably business owners and managers.

  3. Identify and prioritize business data. Once you understand the purpose of the organization, you should determine the data it needs to function. Not all data is equal, so perform a relative ranking to determine the most important down to least important. This work must be done with the cooperation of the businesses; it cannot be security- or consultant-driven.

  4. Identify and prioritize systems processing business data. By systems I mean an entire assemblage for processing data, not individual computers. Systems include payroll processing, engineering and development, finance projections, etc. Prioritize these systems as you did the data they carry. Hopefully these two sets of rankings will match, but perhaps not.

  5. Identify and prioritize resources comprising systems. Here we start dealing with individual servers, clients, and infrastructure. For example, the database containing payroll data is probably more important than the Web server offering access to clients. Here tech people are more important than managers because tech people build and maintain these devices.

  6. Define policy, profile resources, and identify violations. Steps 2-5 have gotten you to the point where you should have a good understanding of the business and its components. If you have a policy, review it to ensure it makes sense given the process thus far. If you haven't yet defined a policy for the use of your information resources, do so now.

    Next, profile how those resources behave to determine if they are supporting business operations or if they are acting suspiciously or maliciously. I recommend taking a passive, traffic-centric approach. This method has near-zero business impact, and, if executed properly, can be done without alerting anyone insider or outside the company acting maliciously. Here you use the data you started collecting in step 1.

  7. Implement short term incident containment, investigation, and remediation. I have yet to encounter an enterprise that doesn't immediately find a hot-button item in step 6. Put out those fires and score some early wins before moving on.

  8. Plan and execute instrumentation improvements. Based on step 7, you'll realize you want visibility across the entire enterprise. Increase the number of sensors to cover all of the areas you want. This step encompasses improved host-centric logging and other visibility initiatives.

  9. Plan and execute infrastructure improvements. You'll probably decide to implement components of my Defensible Network Architecture to take a more proactive stance towards defending the network. You may be able to reconfigure existing processes, products, and people to act in a more secure manner. You may need to design, buy, or train those elements.

  10. Plan and execute server improvements. Here you decide what, if any, changes should be made to the resources offering business data to users, customers, partners, and the like. Maybe you want to encrypt data at rest as well as in motion. Maybe you decide to abandon an old Web framework for a new one... and so on.

  11. Plan and execute user platform improvements. This step changes the gear users rely upon, so it's the last step. Users are most likely to resist that which they can immediately see, so tread carefully. Improvements here involve OS upgrades or changes, moves to thin clients, removal or upgrades of software, and similar issues.

  12. Measure results and return to step 1. I recommend using metrics like those I described here. Measure Days since last compromise of type X, System-days compromised, Time for a pen testing team of [low/high] skill with [internal/external] access to obtain unauthorized [unstealthy/stealthy] access to a specified asset using [public/custom] tools and [complete/zero] target knowledge, and so on.
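Two of the step 12 metrics worked through in code, as an added example that is not part of the original post: "Days since last compromise of type X" and "System-days compromised", computed from constructed incident records. The record layout, the window dates and the rule that overlapping incidents on one system count a system-day only once are my assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Incident:
    kind: str      # compromise type, e.g. "malware"
    system: str    # resource identified in step 5
    start: date    # first day the system is known to have been compromised
    end: date      # last compromised day, inclusive (the remediation day)


# Constructed incident records for a stand-alone run; not real data.
INCIDENTS: List[Incident] = [
    Incident("malware", "payroll-db", date(2007, 1, 10), date(2007, 1, 12)),
    Incident("web-defacement", "www-1", date(2007, 2, 1), date(2007, 2, 1)),
    Incident("malware", "client-17", date(2007, 3, 1), date(2007, 3, 5)),
    # Overlaps the previous incident on the same system: Mar 4 and 5 must not double count.
    Incident("credential-theft", "client-17", date(2007, 3, 4), date(2007, 3, 8)),
]

# Constructed reporting window and "as of" date used below.
Q1_2007 = (date(2007, 1, 1), date(2007, 3, 31))
AS_OF = date(2007, 3, 24)


def days_since_last_compromise(incidents: Iterable[Incident], kind: str, today: date) -> Optional[int]:
    """'Days since last compromise of type X'; None when no incident of that type exists."""
    ends = [i.end for i in incidents if i.kind == kind]
    return (today - max(ends)).days if ends else None


def _system_days(incidents: Iterable[Incident], window_start: date,
                 window_end: date) -> Iterator[Tuple[str, date]]:
    """Yield every (system, day) pair the records claim, clipped to the window."""
    for inc in incidents:
        day, last = max(inc.start, window_start), min(inc.end, window_end)
        while day <= last:
            yield inc.system, day
            day += timedelta(days=1)


def system_days_compromised(incidents: Iterable[Incident], window_start: date, window_end: date) -> int:
    """'System-days compromised' over the window: a system-day is compromised or it is not,
    so overlapping incidents on one system count that day once (hence the set)."""
    return len(set(_system_days(incidents, window_start, window_end)))


def compromised_days_by_system(incidents: Iterable[Incident], window_start: date,
                               window_end: date) -> Dict[str, int]:
    """The same count per system, worst first, as input to prioritising steps 9-11."""
    per_system: Dict[str, Set[date]] = {}
    for system, day in _system_days(incidents, window_start, window_end):
        per_system.setdefault(system, set()).add(day)
    ranked = sorted(per_system.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {system: len(days) for system, days in ranked}


if __name__ == "__main__":
    print("days since last malware compromise:",
          days_since_last_compromise(INCIDENTS, "malware", AS_OF))
    print("system-days compromised in Q1:", system_days_compromised(INCIDENTS, *Q1_2007))
    print("by system:", compromised_days_by_system(INCIDENTS, *Q1_2007))
```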


You may notice steps 8-11 reflect my TaoSecurity Pyramid of Trust. That is no accident.

It is also important to realize that steps 8-11 are based on data collected in step 1 and analyzed in step 6. Enterprise security improvements should not be driven by the newest products or concepts. Improvements should be driven by understanding the enterprise and specifically the network. Otherwise, you are playing soccer goal security by making assumptions and not judgements.

Only when you understand what is happening in the enterprise should you consider changing it. Only when you realize existing processes, products, and/or people are deficient should you consider changes or additions. Think in terms of what problem am I trying to solve, not what new process, product, or person is now available.

VoIP Auditing Tools

Ok, so I am going to attend a hacking course at Hack in The Box with The Grugq. Yes guys, I do know how to audit VoIP, but I would love to learn advanced VoIP hacking from the best of the west. If you guys read the HITB website, he developed a tool called Tactical VoIP Toolkit which does basic and advanced attacks. Just a few minutes ago, I found another commercial tool called VoIPaudit which costs USD $10000. Personally, I feel that open source tools are much better than closed source ones. I don't know how this tool fares, but I think it is way too pricey to buy. Well, you can get it from here if you have the money to spare. I will update you guys once I try the tool from the Grugq. And yes, I am still working on basic VoIP auditing on my PBX right now; I have captured screenshots and am going to release them here once I am done. Let me know what you guys think.

Tuesday, 27 March 2007

TCNiSO Modem Hacking

Ok, I almost forgot about DerEngel for some time now. I was reading his book "Hacking the Cable Modem" 2 months back and I was really amazed by how the small things he found would lead to bigger hacks. The book is very insightful and teaches you how to do soldering and modem hacking. Well, I am not good at reverse engineering, programming or soldering. However, this book really made me look into how "real" hackers actually work. In the end, it all boils down to teamwork for a successful hack. Buy this book if you are interested in modem hacking or visit his website at http://www.tcniso.net/. You can find videos and other extra stuff that you won't find elsewhere. Below is a small image of the book and an excerpt:



"When shopping for cable modems, you'll come across several different kinds. Almost all cable modems available in retail stores are DOCSIS-certified, which means that they will work on the network of any Internet service provider that supports DOCSIS. Most new cable modems come with an Ethernet port, a coaxial connector, and a Universal Serial Bus (USB) interface. More expensive models may come with additional features, such as Voice over IP (VoIP) support or a wireless access point (WAP)." From chapter 2, The Cable Modem Showcase

Yet Another Content Generator

Ok, guys listen up. If you have a site and would love to boost your content, please try YACG. It is open source which means it is free. You can also include your own scripting code if you know how to code and best of all, it is easy to use and you can customize it. Check it out here: http://getyacg.com

"It's based on hooks so you can add your own code without having to change anything, also it's very intuitive. For example, if you have a page about 'Ferrari' and you put the script will automatically display a video from Youtube related to 'Ferrari'. There are a lot of hooks like that, and more being developed!"

Testing for Cisco VPNs


Note: image from ike-scan wiki

Ok guys, I know ike-scan has been out there for some time, but I would still love to blog about this. Cisco VPNs run on UDP port 500 and most of us know that the Cisco VPN Concentrator 3000 is vulnerable to multiple attacks like DoS and buffer overflow. ike-scan will actually test for the presence of VPNs and check if the VPN can be forced into Aggressive mode for cracking later on. And once the PSK is cracked, connecting to the vulnerable server should be no problem. Personally, I have tested multiple VPNs and only found a Cisco VPN Concentrator 3000 vulnerable. Well, if you would love to know how to pen-test VPNs, check out the articles below:

http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide
http://www.securityfocus.com/infocus/1821

It will be very useful if you can go through the whole article and understand how IPSec works. As a penetration tester, below are the few commands I always use in the command prompt:

C:\ikescan>ike-scan xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.531 seconds (0.40 hosts/sec). 0 retur
ned handshake; 0 returned notify

C:\ikescan>ike-scan -auth=3 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 retur
ned handshake; 0 returned notify

C:\ikescan>ike-scan -auth=1 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 retur
ned handshake; 0 returned notify

C:\ikescan>ike-scan -auth=64221 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 retur
ned handshake; 0 returned notify

C:\ikescan>ike-scan -sport=0 -auth=64221 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 retur
ned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.468 seconds (0.41 hosts/sec). 0 retur
ned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --vendor=00 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.453 seconds (0.41 hosts/sec). 0 retur
ned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --vendor=f4ed19e0c114eb5
16faaac0ee37daf2807b4381f xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.453 seconds (0.41 hosts/sec). 0 retur
ned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.468 seconds (0.41 hosts/sec). 0 retur
ned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.468 seconds (0.41 hosts/sec). 0 retur
ned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx 443

As you can see the list goes on and on. In the last example highlighted in black, I specified the port to check if the VPN is running on port 443. I know Nortel can have VPN gateways running on SSL. The above results are from a Nortel VPN Gateway.

If you successfully found a vulnerable VPN server, the response would be as shown below:

C:\ikescan>ike-scan -v -s 0 xx.xx.xx.xx
Starting ike-scan 1.8 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
xx.xx.xx.xx Main Mode Handshake returned HDR=(CKY-R=fb07f15c64c1fef9) SA=(En
c=DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VI
D=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

Ending ike-scan 1.8: 1 hosts scanned in 0.114 seconds (8.77 hosts/sec). 1 retur
ned handshake; 0 returned notify

--------------------------------------------------------------------------------------------------


C:\ikeprobe>ikeprobe xx.xx.xx.xx
IKEProbe 0.1beta (c) 2003 Michael Thumann (www.ernw.de)
Portions Copyright (c) 2003 Cipherica Labs (www.cipherica.com)
Read license-cipherica.txt for LibIKE License Information
IKE Aggressive Mode PSK Vulnerability Scanner (Bugtraq ID 7423)

Supported Attributes
Ciphers : DES, 3DES, AES-128, CAST
Hashes : MD5, SHA1
Diffie Hellman Groups: DH Groups 1,2 and 5

IKE Proposal for Peer: xx.xx.xx.xx
Aggressive Mode activated ...

Attribute Settings:
Cipher DES
Hash SHA1
Diffie Hellman Group 1

0.000 3: ph1_initiated(00443ee0, 003b4760)
0.016 3: << ph1 (00443ee0, 244)
0.016 3: >> 84
0.016 3: sx_recv_notify: error 14
0.016 3: sx_purge_spi: implement me - 0
2.516 3: << ph1 (00443ee0, 244)
2.516 3: >> 84
2.516 3: sx_recv_notify: error 14
2.516 3: sx_purge_spi: implement me - 0
5.531 3: << ph1 (00443ee0, 244)
16.047 3: >> 84
16.047 3: sx_recv_notify: error 14
16.047 3: sx_purge_spi: implement me - 0
19.547 3: ph1_disposed(00443ee0)

Attribute Settings:
Cipher DES
Hash SHA1
Diffie Hellman Group 2

19.547 3: ph1_initiated(00443ee0, 003b4c08)
19.578 3: << ph1 (00443ee0, 276)
19.578 3: >> 437
19.625 3: ph1_get_psk(00443ee0)

*****************************************************************************
* System is vulnerable!! See http://www.securityfocus/bid/7423/ for details *
*****************************************************************************
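The "Main Mode Handshake returned" line above tells a defender almost everything needed to rate the gateway's phase-1 policy. As an added example (not code from ike-scan, IKEProbe or the original post), the following Python parses that line and turns the accepted proposal into a remediation list; the severity labels, the finding codes and the assumption that aggressive-mode responses read "Aggressive Mode Handshake returned" are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the handshake line from the post unwrapped onto one line,
# between the Starting/Ending banner lines ike-scan prints.
SAMPLE_OUTPUT = """Starting ike-scan 1.8 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
xx.xx.xx.xx Main Mode Handshake returned HDR=(CKY-R=fb07f15c64c1fef9) SA=(Enc=DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

Ending ike-scan 1.8: 1 hosts scanned in 0.114 seconds (8.77 hosts/sec). 1 returned handshake; 0 returned notify
"""

HANDSHAKE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<mode>Main|Aggressive) Mode Handshake returned\s+(?P<rest>.*)$")
SA_RE = re.compile(r"SA=\((?P<attrs>[^)]*)\)")
VID_RE = re.compile(r"VID=(?P<vid>[0-9a-fA-F]+)(?:\s+\((?P<name>[^)]*)\))?")


@dataclass
class Handshake:
    host: str
    mode: str                                   # "Main" or "Aggressive"
    attrs: Dict[str, str] = field(default_factory=dict)   # Enc, Hash, Group, Auth, ...
    vids: List[Tuple[str, str]] = field(default_factory=list)  # (hex vendor id, decoded name)


def parse_output(text: str) -> List[Handshake]:
    """Return one Handshake per responder line; banner and blank lines are skipped."""
    found = []
    for line in text.splitlines():
        m = HANDSHAKE_RE.match(line.strip())
        if not m:
            continue
        hs = Handshake(m.group("host"), m.group("mode"))
        sa = SA_RE.search(m.group("rest"))
        if sa:
            for token in sa.group("attrs").split():
                key, _, value = token.partition("=")
                hs.attrs[key] = value
        for v in VID_RE.finditer(m.group("rest")):
            hs.vids.append((v.group("vid").lower(), v.group("name") or ""))
        found.append(hs)
    return found


def assess(hs: Handshake) -> List[Tuple[str, str, str]]:
    """Rate the accepted phase-1 proposal as (code, severity, detail) tuples."""
    findings = []
    a = hs.attrs
    if a.get("Enc") == "DES":
        findings.append(("WEAK_ENC", "high", "56-bit DES accepted; require 3DES or AES"))
    if a.get("Hash") == "MD5":
        findings.append(("WEAK_HASH", "medium", "MD5 accepted; require SHA-1 or better"))
    group_num = a.get("Group", "").split(":", 1)[0]
    if group_num in ("1", "2"):
        findings.append(("WEAK_DH", "medium",
                         f"DH group {group_num} (MODP of 1024 bits or less) accepted"))
    if a.get("Auth") == "PSK":
        if hs.mode == "Aggressive":
            findings.append(("PSK_AGGRESSIVE", "critical",
                             "pre-shared key with aggressive mode: the authentication hash "
                             "travels unencrypted, so the PSK is exposed to offline guessing; "
                             "disable aggressive mode or move to certificate authentication"))
        else:
            findings.append(("PSK_MAIN", "info",
                             "pre-shared key in main mode: acceptable only with a long random PSK"))
    try:
        life = int(a.get("LifeDuration", "0"))
    except ValueError:
        life = 0
    if life > 86400:
        findings.append(("LONG_LIFETIME", "low", f"phase-1 SA lifetime {life}s exceeds one day"))
    return findings


if __name__ == "__main__":
    for hs in parse_output(SAMPLE_OUTPUT):
        print(f"{hs.host} ({hs.mode} mode) vendor ids: {hs.vids}")
        for code, severity, detail in assess(hs):
            print(f"  [{severity}] {code}: {detail}")
```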

VLAN Trunking Protocol configurations

Ok, here is my next installment, configuring VTP. How VTP works is that you configure VLANs on one switch and this information is propagated to the other switches in the VTP domain via VTP advertisements. As you know, VLAN hopping attacks are possible by enabling Dynamic Trunking Protocol, so here in my configuration I manually configure the trunk instead of using DTP. This is shown in my example with the command "switchport mode trunk". In my configuration, I have also set a VTP password for protection. Lastly, the VTP domain name must be set on the switch, else no VLANs can be configured on the switch. For a more detailed explanation and configuration samples, please visit this link:

http://www.cisco.com/warp/public/473/21.html

Ayoi on the Importance of NSM Data

At my ShmooCon talk I provided a series of case studies showing the importance of Network Security Monitoring data. The idea was to ask how it would be possible to determine if an IDS alert represented a real problem if high-quality data didn't exist. Alert management is not security investigation, and unfortunately most products and processes implement the former while the latter is truly needed.

I noticed that Ayoi in Malaysia posted a series of blog stories showing his investigative methodology using NSM data and Sguil (Not Only Alert Data parts I, II, and III). These posts demonstrate several alerts and compare data available via an alert management tool like BASE versus a security investigation tool like Sguil. I am glad to see these sorts of stories because they show how people in the trenches do their jobs.

I have yet to meet an analyst -- someone responsible for finding intrusions -- who rejects my methods or the need for collecting NSM data. Almost everyone who argues against these methods is not directly responsible for the technical aspects of personally detecting and responding to intrusions.

Monday, 26 March 2007

SANS Software Security Institute

Today I attended a free three-plus-hour seminar offered by the new SANS Software Security Institute. This is part of SANS dedicated to software security. I recommend reading their press release (.pdf) for the full scoop, but basically SANS is introducing a Secure Programming Skills Assessment, additional training (eventually), and a certification path. Other people will summarize the program, so I'd like to share a few thoughts from the speakers at today's event.

  • Michael Sutton from SPI Dynamics said that the idea of assembling a team of security people to address enterprise vulnerabilities worked (more or less) for network and infrastructure security because the team could (more or less) introduce elements or alter the environment sufficiently to improve their security posture. The same approach is not working and will not work for application security because addressing the problem requires altering code. Because code is owned by developers, the security team can't directly change it. This is an important point for those who think they can just turn their CSIRT loose on the software security problem in the same way they attacked network security.

    Michael also said no security is trustworthy until trusted. (He actually said "trusted." There's a difference. Anyone can "trust" software. The question is whether it is worthy of trust, i.e., "trustworthy.")

  • Alan Paller made a few comments. He said we have 1.5 million programmers in the world, so training all of them probably isn't an option. He said SANS is working with Tipping Point to create a "Programmer's @Risk" newsletter like the existing vulnerabilities @Risk newsletter. Alan repeated a recommendation made by John Pescatore that organizations should run security tests against bids as well as upon acceptance.

    Alan noted that software testing should be considered a part of a "building permit" (pre-development) and a second "occupancy permit" (deployment in the enterprise). Alan also said PCI is the only worthwhile security standard. Others just require writing about security, while PCI requires a modicum of doing security. (Mark Curphey disagrees!)

  • Jim Routh of DTCC said it's important for developers to recognize that security flaws are software defects, and not the security team's problem! His team of 450 in-house developers uses three stages of testing: 1) white box for developers; 2) black box for integrators; and 3) third party for deployment.

  • Mike Willburn from the FBI said FISMA C&A results in "well-documented" systems that score well on report cards but are "full of holes." Bravo.

  • Andrew Wing from Teranet said he doesn't let an in-house project progress to user acceptance testing unless it scores a certain rank using an automated software security assessment tool.

  • Jack Danahy from Ounce Labs stressed the importance of contract language for procuring. The OWASP Legal Project also offers sample language. Alan stressed the need to build security into contracts, rather than relying on the vague concept of "negligence" when security isn't explicitly included in a contract.

  • Michael Weider from Watchfire said he fears user-supplied content will be the next exploitation vector. I shuddered at the horror of MySpace and the like.

  • Steve Christey mentioned SAMATE (Software Assurance Metrics And Tool Evaluation).


That's what I can document given the time I have. Thanks to SANS for their leadership in this endeavor.

Manipulating Packet Captures

While capturing traffic at Hack or Halo I realized the timestamps on the packets were off by one hour. Apparently I didn't patch this infrequently used Hacom box for the recent DST change.

I captured traffic using Sguil's log_packets.sh script, which uses Snort to write a new full content trace every hour. For the first round of the contest, the script produced two traces. I combined them using Mergecap, bundled with Wireshark.

richard@neely:/var/tmp/shmoocon2007$ mergecap -w shmoocon_hack_rd1.pcap snort.log.1174770982 snort.log.1174773600

The Capinfos program accompanying Wireshark summarizes the new trace:

richard@neely:/var/tmp/shmoocon2007$ capinfos shmoocon_hack_rd1.pcap
File name: shmoocon_hack_rd1.pcap
File type: Wireshark/tcpdump/... - libpcap
Number of packets: 719534
File size: 155340234 bytes
Data size: 143827666 bytes
Capture duration: 4587.056482 seconds
Start time: Sat Mar 24 17:17:41 2007
End time: Sat Mar 24 18:34:08 2007
Data rate: 31355.11 bytes/s
Data rate: 250840.89 bits/s
Average packet size: 199.89 bytes

I decided to alter the timestamps using Editcap, also packaged with Wireshark.

richard@neely:/var/tmp/shmoocon2007$ editcap -t 3600 shmoocon_hack_rd1.pcap shmoocon_hack_rd1_timeadj.pcap

Now the timestamps are correct.

richard@neely:/var/tmp/shmoocon2007$ capinfos shmoocon_hack_rd1_timeadj.pcap
File name: shmoocon_hack_rd1_timeadj.pcap
File type: Wireshark/tcpdump/... - libpcap
Number of packets: 719534
File size: 155340234 bytes
Data size: 143827666 bytes
Capture duration: 4587.056482 seconds
Start time: Sat Mar 24 18:17:41 2007
End time: Sat Mar 24 19:34:08 2007
Data rate: 31355.11 bytes/s
Data rate: 250840.89 bits/s
Average packet size: 199.89 bytes

I'm getting these traces to Shmoo now so they can be shared.
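What editcap -t 3600 actually changes is only the ts_sec field of each libpcap record header, which is why the capinfos output before and after differs in nothing but the start and end times. As an added example (not from Wireshark or the original post), the following stand-alone Python reads a libpcap file, shifts every timestamp by a given number of seconds, and produces a capinfos-style summary; the three-packet sample capture it builds is constructed for the demonstration.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond-resolution libpcap file
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution variant
GLOBAL_HDR_LEN = 24            # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16            # ts_sec, ts_frac, incl_len, orig_len


def _byte_order(data: bytes) -> tuple:
    """Return (struct byte-order prefix, ticks per second) from the magic number."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated libpcap global header")
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic == PCAP_MAGIC_USEC:
            return order, 1_000_000
        if magic == PCAP_MAGIC_NSEC:
            return order, 1_000_000_000
    raise ValueError("not a libpcap file (bad magic)")


def iter_records(data: bytes):
    """Yield (record_offset, ts_sec, ts_frac, incl_len, orig_len) for each packet."""
    order, _ = _byte_order(data)
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[off:off + RECORD_HDR_LEN])
        if off + RECORD_HDR_LEN + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        yield off, ts_sec, ts_frac, incl_len, orig_len
        off += RECORD_HDR_LEN + incl_len


def shift_timestamps(data: bytes, delta_sec: int) -> bytes:
    """Add delta_sec to every packet timestamp (what editcap -t does); packet bytes untouched."""
    order, _ = _byte_order(data)
    out = bytearray(data)
    for off, ts_sec, _frac, _incl, _orig in iter_records(data):
        new_sec = ts_sec + delta_sec
        if not 0 <= new_sec <= 0xFFFFFFFF:
            raise ValueError("shifted timestamp out of 32-bit range")
        struct.pack_into(order + "I", out, off, new_sec)   # ts_sec is the first record field
    return bytes(out)


def summarize(data: bytes) -> dict:
    """capinfos-style summary: counts, sizes and first/last timestamps in epoch seconds."""
    _, ticks = _byte_order(data)
    times, data_size = [], 0
    for _off, ts_sec, ts_frac, incl_len, _orig in iter_records(data):
        times.append(ts_sec + ts_frac / ticks)
        data_size += incl_len
    start, end = (min(times), max(times)) if times else (None, None)
    return {
        "packets": len(times),
        "file_size": len(data),
        "data_size": data_size,
        "start": start,
        "end": end,
        "duration": (end - start) if times else 0.0,
    }


def build_sample_pcap() -> bytes:
    """Constructed three-packet capture with dummy 60-byte Ethernet frames (not real traffic)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = b""
    for ts_sec, ts_usec, size in ((1000, 0, 60), (1500, 500000, 60), (2000, 0, 60)):
        records += struct.pack("<IIII", ts_sec, ts_usec, size, size) + bytes(size)
    return hdr + records


if __name__ == "__main__":
    original = build_sample_pcap()
    adjusted = shift_timestamps(original, 3600)   # same one-hour correction as editcap -t 3600
    for label, blob in (("before", original), ("after", adjusted)):
        print(label, summarize(blob))
```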

The Tipping Point

I have been reading a lot of the book "The Tipping Point" by Malcolm Gladwell. For those of you who are inspired to accomplish big things in life, you should read this amazing book. It illustrates how small little things in life can actually spread rapidly throughout the world and be considered epidemics. For those who love marketing or are starting to build a brand for yourself, this is absolutely the book for you. An excerpt from the book, chapter 2:

" Epidemics have three primary characteristics:

1) contagiousness
2) rapid change
3) very importantly, small changes can have big effects

The "Tipping Point" is the moment of critical mass when rapid change occurs.

When an Epidemic Tips, it tips because of a change in one of the following:

The Law of the Few - social epidemics are driven by the efforts of a talented few. Gladwell characterizes them as: Connectors - people specialists who know many people, Mavens - information specialists who love to spread information, and Salesmen - persuasion experts. It turns out I am not one of these few :)

Stickiness Factor - does the message make a significant impact? Small but critical changes to a message can radically affect its stickiness. The quality of the message is not the issue.

Power of Context - humans are incredibly sensitive to context. For example, removing graffiti and subway fare cheaters substantially reduced serious crime in New York City subways."

Sunday, 25 March 2007

ShmooCon 2007 Wrap-Up

ShmooCon 2007 ended today. Only four talks occurred today (Sunday), and only two of them (Mike Rash, Rob King/Rohit Dhamankar) really interested me. Therefore, I went to church with my family this morning and took lead on watching the kids afterwards. I plan to watch those two interesting talks once they are released as video downloads. (It takes me 1 1/2 - 2 hours each way into and out of DC via driving and Metro, so I would have spent more time on the road than listening to speakers.)

I also left right after Bruce Potter's introductory comments on Friday afternoon. If it hadn't been for the NoVA Sec meeting I scheduled Friday at 1230, I probably would have only attended Saturday's sessions. I heard Avi Rubin's 7 pm keynote was good, and I would have liked to watch Johnny Long's talk. Otherwise I thought spending time with my family was more important.

That leaves Saturday. I spent the whole day at ShmooCon, from the first talk to the end of Hack or Halo. I began the day with Ofir Arkin from Insightix. (I actually spent about half an hour chatting with Ofir Friday afternoon, which was cool. I also spent time Friday speaking with several people I recognized.) Ofir demonstrated that just about all Network Admission Control concepts and implementations are broken. He only covered about half his material, but I left wondering who would bother spending thousands or millions on NAC when it doesn't seem to work and is fighting the last war anyway.

Ofir emphasized that knowledge of the enterprise is the key to network defense. He pointed out that NAC products which provide a shared medium quarantine area are exactly where an intruder wants his machine to be delivered. Once in that area he can attack the weakest, non-compliant systems on the same subnet or VLAN used by the quarantine. Using PVLANs can avoid this problem, but only if not subject to VLAN hopping attacks. Ofir questioned whether per-port security is ever feasible, especially in an age of increasing use of VMs.

One basic take-away for me was this: if I find myself on a network requiring NAC, do the following.

  1. Find the nearest printer.

  2. Unplug the network cable.

  3. Connect the network cable from the printer to a hub, and connect the hub to the network port.

  4. Connect my laptop to the hub.

  5. Sniff printer's MAC address and IP address.

  6. Disconnect the printer.

  7. Assign the printer's MAC and IP address to my laptop, and access the network.


While this will not work everywhere, it's probably going to work in enough places to make NAC a questionable prospect for physical defense. Hosts connecting via VPN are another issue.

After Ofir spoke I saw Joel Wilbanks, Matt Fisher, and Mike Murphy talk about incident response when Web applications are attacked. They made the point that Web app incidents don't usually leave artifacts (think files on the hard drive) on the victim. Web app forensics becomes a log analysis exercise. If no logs exist (Web, database, OS, etc.), you're hosed. They recommended populating database tables with honeytokens and writing custom IDS signatures to alert on the presence of those tokens in network traffic.

During their presentation several attendees questioned the role of SSL for inbound connections. The speakers recommended terminating SSL at an accelerator, and passing clear text by an IDS before sending it to the Web server or re-encrypting it. At least one of the attendees was shocked -- shocked -- to consider passing "sensitive" data in the clear like that. I have never understood this argument. The question is simple: do you care to know what is being carried in SSL, or do you not care? If you do care (and you should), architect your enterprise so you have visibility into what's happening. If you don't care, tell me so I can avoid doing business with you.

As far as SSL is concerned, I consider inbound SSL a solved problem. Outbound SSL, as might be used for a command and control channel, is not solved -- unless you want to break SSL and teach users to accept a man-in-the-middle attack scenario. I worry about outbound SSL, not inbound.

I had lunch with Joe Stewart, so in some sense I didn't really miss his talk. He was nice enough to share his thoughts with me on his next Sandnet and other projects.

My talk happened at 1300. This means I missed Billy Hoffman release Jikto, so I plan to download his talk (and Joe's) when available. I was really pleased by the outcome. The room was totally filled and people were standing outside the room listening. Thanks to everyone who attended. I wish we had more time for questions, so feel free to leave a comment here or email if you have unanswered issues.

After my talk I listened to Raven talk about backbone security. She is fuzzing key routing protocols (RIP, OSPF, EIGRP, BGP, etc.) by mainly attacking open source implementations. She just got a Cisco 2600 series router so IOS is her next target. If she is getting results doing this work in her spare time sitting in airports, you can only imagine what funded, dedicated teams are doing with budgets for equipment and manpower.

I spent the next hour chatting with familiar faces in the area near the talks. Marty McKeay was there, along with Mike Rash, Jamie Butler, and Bret Padres and Ovie Carroll from the CyberSpeak Podcast. (Sorry I couldn't get back to you guys in time!)

At 1600 I squeezed into Dan Kaminsky's talk. Before he started I had a chance to chat briefly with Mike Poor and Ed Skoudis from Intel Guardians. Mike and Marc Sachs (who I saw independently) were not happy with my TCP options analysis. Oh well!

I felt bad for Dan. The poor guy showed remarkable resolve trying to speak, despite an attendee who felt compelled to interrupt every fifth sentence. Dan had to dodge plenty of Shmoo balls while explaining slides with way too many words on them. I think Dan's research is way outside the realm of what most security people do, but probably perfect for a paper at USENIX.

I stayed in the same room to listen to Josh Wright and Mike Kershaw talk about LORCON. As their Web page states: LORCON is "a generic library for injecting 802.11 frames, capable of injection via multiple driver frameworks, without forcing modification of the application code." Basically, if you write a wireless packet injector, you should use LORCON. Don't write something for a specific wireless driver -- let LORCON handle that for you. I was really impressed, especially since I had never seen Mike (author of Kismet) and Josh (lots of tools, cool research) in person. In addition to LORCON they mentioned this WiFi frame injection patch for Wireshark.

When their talk was done I headed over to the Hack or Halo room. I set up my Hacom Lex Twister on a SPAN port (argh, yes, I forgot a tap) and captured the traffic from the Hack contest. I monitored it live with Sguil, which was fun.

Overall, I was again impressed by the organization and manpower demonstrated by ShmooCon. I was less impressed by the overall slate of talks, but I think the quality of attendees compensated for that. The first ShmooCon in 2005 attracted about 350 people. The second had about 800. This year nearly 1200 people attended. I was very thankful to attend and speak and I look forward to at least attending next year.

Update: I forgot to ask -- if you liked my talk, please send feedback to feedback [at] shmoocon [dot] org. Thank you!

sla.ckers

Ok, just got a message from Rsnake giving me permission to use his banner. Rsnake is one of the top web application gods in the Web application industry today. I am a huge fan of his and am constantly visiting his forum and blog to gain new insights and information. Recently, people from the sla.ckers forum designed a cool banner to be used in the sla.ckers forum and since I am one of his fans, I get to blog his banner down here. Feel free to visit sla.ckers here:

http://sla.ckers.org/forum The lights you see in the banner are where all the ha.ckers are at work :)



Rsnake, how about a banner for Jeremiah? :)

Cisco IOS Authentication Proxy Vulnerability

Ok, so the authentication proxy is vulnerable to a remotely exploitable buffer overflow condition. Well, this only affects Cisco products which are configured for Telnet and FTP authentication proxy. Fixes, mitigations and workarounds have been published here:

http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml

CBAC vulnerabilities

Ok, last night I blogged about CBAC and its powerful features. It is really a useful feature to have in your firewall. A sample configuration was included in that post. I only included a small snippet of the configuration, but the fact is there is more to it than that. If you explore deeper, you will find additional features for CBAC. The sad thing is that older IOS versions using CBAC suffer from DoS attacks involving fragmentation of IP packets (you can use hping to generate fragmented packets), so please patch your IOS version. More information can be found here:

http://www.cisco.com/warp/public/770/nifrag.shtml

Unfortunately, CBAC also suffers from another vulnerability which allows denied traffic to pass through the dynamic ACL. More can be found here:

http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml

Sabtu, 24 Maret 2007

Boosting Linksys Router Signal

Ok, I happened to stumble across this site http://www.thibor.co.uk/ where you can upgrade your Linksys router firmware to enhance your signal strength. That is to say, no antennas or range boosters are needed. Sadly, they only support a few models of Linksys routers and mine is not included in their list :(

More support for Linksys products can be found here: http://www.linksysinfo.org/index.php

IP NAT Pool

Ok, last night I did a small configuration for NATing. I guess most networkers would know what NAT is used for, so the configuration is shown below. In this example you will see that the serial interface is down. The reason is simply that I set the interface to a private IP range instead of the public range. The other commands are pretty simple. This is just a basic NAT configuration.

Blogging from ShmooCon Hack or Halo

So much for my lousy camera phone. That's my best attempt to show Sguil monitoring traffic at the ShmooCon Hack or Halo contest. I plan to share the network traffic from the hacking contest when I get the opportunity. Thanks to WXS and the ShmooCon crew for letting me attach a sensor to the network.

Other Cisco Security Router features.

Alright, the other day I provided a list of features that can be used to harden a Cisco router and I am going to finish it here today with the commands.
For PAM (Port-to-Application Mapping) to work, you can issue the commands below:

config t
! tell CBAC that SMTP is also served on the non-standard port 2525
ip port-map smtp port 2525
exit


This will map the standard SMTP port, port 25, to the non-standard port 2525 so that CBAC inspects SMTP traffic on that port. You can also attach an access list to restrict the mapping to specific hosts or users of the SMTP server by adding list xx (where xx is the access-list number) at the end of the ip port-map command.


The Cisco IOS Firewall comes with a basic IDS configuration by default. However, you can always add more signatures and advanced configuration settings to thwart attacks. For IPS and IDS configuration, refer to the link below for a more detailed step-by-step explanation:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c6.html


Setting up an authentication proxy on the Cisco router using TACACS+. This will require users to authenticate first before their traffic is allowed out to the Internet.

config t
aaa new-model
! authenticate logins against the TACACS+ server, then authorize the auth-proxy service
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.168.1.4
tacacs-server key cisco
! intercept HTTP and prompt for credentials; apply the rule on the inside interface
ip auth-proxy name httpAuthentication http
interface Ethernet0/1
ip auth-proxy httpAuthentication
exit


Use show ip auth-proxy cache to check the user statistics. A sample configuration can be found below:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009466e.shtml

Transparent Layer 2 Firewall

Ok, I have to blog this. Personally I have not yet configured a Layer 2 transparent firewall on a Cisco router, but this seems an interesting, useful and powerful feature to me. I never knew that modern Cisco routers have Layer 2 firewall capabilities until this very moment. This transparent firewall works similarly to a Layer 3 firewall except that it is totally transparent and requires bridging to be configured. Both Integrated Routing and Bridging (IRB) and a Bridge Virtual Interface (BVI) need to be configured in order for it to work.

"A transparent Cisco IOS firewall acts as a Layer 2 transparent bridge with context-based access control (CBAC) and ACLs configured on the bridged interface."

So, transparent firewalling works in conjunction with CBAC too, which provides even more stringent security measures on the interfaces. On the same router, I can have both a Layer 2 and a Layer 3 firewall running at the same time, with IRB providing Layer 2 bridging on the interfaces and the BVI providing Layer 3 routing of packets. A detailed step-by-step configuration and explanation can be found here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/gt_trans.htm

I am looking forward to configuring a Layer 2 transparent firewall one of these days :)

CBAC configuration example

The other day I was blogging about Cisco's CBAC feature, which can be used as an application firewall to monitor application layer protocols. Since it creates session table entries only from outbound traffic and blocks unsolicited inbound traffic, this feature also blocks port scanning, a common technique used by hackers. If someone tries to port scan using nmap or some other tool, the port scan yields nothing useful because this feature is blocking inbound connections, thus protecting the servers and shielding them from most hackers. Below is a basic CBAC configuration example.

config t
! ACL 123 blocks all unsolicited inbound traffic; CBAC opens holes only for return traffic
access-list 123 deny ip any any
! ACL 129 lets only SMTP (tcp/25) leave through the serial interface
access-list 129 permit tcp any any eq smtp
! inspection rule named "smtp" that tracks generic TCP sessions
ip inspect name smtp tcp
interface Serial0/0
ip access-group 123 in
ip access-group 129 out
! inspect outbound sessions so their replies are permitted back in past ACL 123
ip inspect smtp out
exit


Issue show ip inspect all to see all configuration rules, or show ip inspect sessions to see the current CBAC sessions in action.
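To illustrate the session-table behaviour described above, here is an added Python model (not the blog's or Cisco's code) of how ACL 123, ACL 129 and the inspect rule interact on Serial0/0; the hosts, ports and the simplification to a plain 4-tuple lookup are assumptions.

```python
# Added example, not from the original post: a small model of the CBAC setup
# above. Inbound ACL 123 denies everything, outbound ACL 129 permits only SMTP,
# and "ip inspect smtp out" records outbound TCP sessions so replies get in.
# Real CBAC also tracks TCP state and timeouts; this model only keys on the
# 4-tuple. All addresses and ports are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving via Serial0/0, "in" = arriving on Serial0/0


class CbacModel:
    def __init__(self):
        # session table: (inside_host, inside_port, outside_host, outside_port)
        self.sessions = set()

    @staticmethod
    def acl_129_out(p):
        # access-list 129 permit tcp any any eq smtp
        return p.dport == 25

    def process(self, p):
        """Return the verdict the router would give for one TCP packet."""
        if p.direction == "out":
            if not self.acl_129_out(p):
                return "deny (acl 129)"
            # ip inspect smtp out: remember the session so its replies can return
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "permit (acl 129, session recorded)"
        # inbound: ACL 123 denies all; CBAC only opens a hole for known sessions
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit (cbac session)"
        return "deny (acl 123)"


def port_scan_verdicts(model, scanner, target, ports):
    """Verdicts for unsolicited SYN probes from an outside scanner (e.g. nmap)."""
    return {port: model.process(Packet(scanner, 44444, target, port, "in"))
            for port in ports}


if __name__ == "__main__":
    fw = CbacModel()
    print(fw.process(Packet("10.0.0.5", 40000, "203.0.113.9", 25, "out")))
    print(fw.process(Packet("203.0.113.9", 25, "10.0.0.5", 40000, "in")))
    print(port_scan_verdicts(fw, "198.51.100.7", "10.0.0.5", [22, 25, 80]))
```

The scan probes are all dropped by ACL 123 because no inside host initiated a session with the scanner, which is the property the post relies on.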

And you can read more at the following links:

http://www.ciscopress.com/articles/article.asp?p=26533&seqNum=5&rl=1 (configuration step by step)

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/fw3600.htm (sample scenario)

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008064730a.shtml (simple example)

http://www.ciscopress.com/articles/article.asp?p=26533&rl=1 (CBAC to protect DoS)

Jumat, 23 Maret 2007

Taking the Fight to the Enemy

ShmooCon started today. ShmooCon leader Bruce Potter finished his opening remarks by challenging the audience to find anyone outside of the security community who cares about security. I decided to take his idea seriously and I thought about it on the Metro ride home.

It occurred to me that the digital security community fixates on vulnerabilities because that is the only aspect of the Risk Equation we can influence. Lines of business control assets, so we can't decrease risk by making assets less valuable. (That doesn't even make sense.) We do not have the power or authority to remove threats, so we can't decrease risk by lowering the attacks against our assets. (Threat mitigation is the domain of law enforcement and the military.) We can only address vulnerabilities, but unless we develop the asset ourselves we're stuck with whatever security the vendor provided.

I would like to hear if anyone can imagine another realm of human endeavor where the asset owner or agent is forced to defend his own interests, without help from law enforcement or the military. The example can be historical, fictional, or contemporary. I'm reminded of Wells Fargo stagecoaches being robbed as they crossed the West, forcing WF to hire private guards with guns to defend company assets in transit. As a fictional example, Sherlock Holmes didn't work for Scotland Yard; victims hired the Great Detective to solve crimes that the authorities were too slow or unwilling to handle.

As I've said many times before, we are wasting a lot of time and money trying to "secure" systems when we should be removing threats. I thought of this again last night while watching Chris Hansen work with law enforcement to take more child predators off the streets. Imagine if I didn't have law enforcement deterring and jailing criminals like that. I'd have to wrap my kids in some sort of personal tank when I send them to school, and they'd still probably end up in harm's way. That's the situation we face on the Internet. There's no amount of bars over windows, high fences, or other defenses that will stop determined intruders. Removing or deterring the intruders is history's lesson.

This FCW article has the right idea:

The best defense against cyberattacks on U.S. military, civil and commercial networks is to go on the offensive, Marine Gen. James Cartwright, commander of the Strategic Command (Stratcom), said March 21 in testimony to the House Armed Services Committee.

“History teaches us that a purely defensive posture poses significant risks,” Cartwright told the committee. He added that if “we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests...”

The Stratcom commander told the committee that the United States is under widespread, daily attacks in cyberspace. He added that the country lacks dominance in the cyberdomain and that it could become “increasingly vulnerable if we do not fundamentally change how we view this battle space.”


Put me in, coach. I'm ready to play, today.