Saturday, June 28, 2008

Everything you ever wanted to know about WAF (and more)

Is available over on the TS/SCI security blog.

http://www.tssci-security.com/archives/2008/06/15/what-web-application-security-really-is/
http://www.tssci-security.com/archives/2008/06/23/web-application-firewalls-a-slight-change-of-heart/
http://www.tssci-security.com/archives/2008/06/23/week-of-war-on-wafs-day-1-top-ten-reasons-to-wait-on-wafs/
http://www.tssci-security.com/archives/2008/06/25/week-of-war-on-wafs-day-2-a-look-at-the-past/
http://www.tssci-security.com/archives/2008/06/26/week-of-war-on-wafs-day-3-language-specific/
http://www.tssci-security.com/archives/2008/06/26/week-of-war-on-wafs-day-4-closer-to-the-code/
http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/

**As always on the TS/SCI blog, the comments is where the "real hotness" is and you should make sure you read them with each post.

Also check out this thread on Jeremiah Grossman's blog:
http://jeremiahgrossman.blogspot.com/2008/06/can-wafs-protect-against-business-logic.html

While I don't always agree with Dre, I have to admit that before I would drop $110k + yearly maintenance, I might have to crunch the numbers to see how much it would cost me for a real thorough web application code rewrite/review/& pentest before you get stuck with yet another appliance in the rack that you have to pay money for every year and I have to pay someone to run.

I'm not a SDLC guy but are we really to the point that we CANT write a secure web application for any amount of money? I would hope that isnt the case.

Read the posts. Dre and Marcin put it better than I ever will.

Quotes of the Week

Probably not going to be a weekly occurrence but wanted to share some quotes I heard this week and last week.

1. (For NoVA Drivers) "If you don't like being passed...F**king drive faster or get out of the left lane"

2. While in Hawaii for an assessment (yeah life is rough)... "We Hawaiian people are such nice, friendly, sharing people...that's probably why we don't have any land left" doh!

Free Advice For The Single People

If your significant other is talking about how they spent 4+ hours doing something in excel... DO NOT DO NOT DO NOT
1. Say "nothing should take 4 hours with excel!"
&
2. Start talking about how excel has these cool things called functions and how you can use functions to aggregate data in multiple worksheets...

more penalty points if they have been drinking and now you really cant talk your way out of it :-(

Wednesday, June 25, 2008

Hacker Defender Article in Hakin9 Magazine

Its been a year, might as well release to everyone else who hasn't bothered to just email me and ask for it :-)

from June 07 issue: http://www.hakin9.org/prt/view/back-issues/issue/690.html

Keep in mind

1. I wrote this over a year ago
&
2. I probably wont be rewriting it, so tailor comments accordingly

Hacker Defender: Rootkit for the Masses -- Link

Tuesday, June 24, 2008

Network Security Is Not Dead

There have been a few comments out on the blogosphere about NETSEC being dead. NETSEC is not dead, its not going to be dead for a LONG time if ever. If something is dead, I can unplug it, remove it from the rack, and never think about it again.

To me NETSEC is (short list) router ACLs, firewall rules, VLANs, IPSEC, & domain policy. I know thats not everything, but it should be enough to illustrate my point. We could also argue domain policy but I think that its a valuable and necessary piece of security in any MS network.

Now I agree that NETSEC as a primary defense and entry point is dead (there probably won't be another DCOM), I agree that client side attacks completely bypass firewall rules (initially--the exploitation piece anyway, the shell is another matter), I agree that the endpoint is now the new border, and I agree that Application Hacking (webapp, user, browser, etc) is where security IS/is heading.

What I don't agree with is that I don't need my firewall rules and router ACLs anymore. Some examples...

-without NETSEC do we still have DMZs?
-with no DMZs and no way to control who can talk to who on your network with either FW rules or router ACLs, what is going to stop the attacker once they exploit that web app and either get a shell or credentials to log in with?
-How do I stop the attacker once he has that shell with client side privileges? Do I just let them have free reign?
-How do I stop that outbound connection that alot of times can be caught with the right type of proxies (bluecoat and similar "appliances"). Is my layer7 FW going to catch that?

All of these people that say that network hacking is dead obviously don't have to do anything else in their pentests other than exploiting web applications. Unless you got really friggin lucky and that web application housed the data you were looking for, you are back to the old school network game of moving around the network, setting up shop on hosts in the LAN, doing privilege escalation and with no rules or devices in place what is going to stop the attacker from exfiltrating that data out without being seen? Where are your logs if you do catch them with no NETSEC devices?

thoughts? I'm wrong alot, so if I'm wrong do let me know.

Friday, June 20, 2008

More of why google ads rule

More on the updated FISA 2008 bill

From wired blog:

http://blog.wired.com/27bstroke6/2008/06/house-grants-te.html


"The bill allows the National Security Agency to order phone companies, ISPs and online service providers to turn over all communications that have one foreigner as a party to the conversation. If any Americans are party to the conversation, the government is supposed to mask their names, but these procedures to minimize privacy-invasion are easily overridden. The longstanding Foreign Intelligence Surveillance Act required specific court orders to wiretap phone and internet lines inside the United States, but did not regulate spying conducted on non-U.S. soil.

Under the so-called FISA Amendments Act of 2008, the government would need a court order to wiretap an American overseas, regardless of where the tap was. Under the current regime, targeted taps aimed at Americans overseas requires the sign-off of the attorney general.

The nation's telecoms will soon be freed from some 40 lawsuits accusing them of eavesdropping illegally, if the bill is passed into law as expected. The legality of the retroactive amnesty isn't clear, and groups like the American Civil Liberties Union and Electronic Frontier Foundation will likely challenge the provision on constitutional grounds."

I read about 20 pages of 100+ of the bill on the surface it seemed ok, but two issues bother me personally. First, it lets the ISPs off the hook for doing what their legal departments should have known and told them was illegal. In the military you are taught to never follow an illegal order, it should be the same outside of the military as well. Second, we mere virtual inches from a blanket wiretap on everyone deemed "a threat" and I've already heard from people that work at ISPs it doesn't take much to get a tap on your cable/DSL modem anyway. Sad times. Time to get good at PGP, TrueCrypt and secure protocols if you aren't there already.

For The Love Of God -- CISA != Pentester Either

I wasnt going to post about my CISA exam, but Dre's post on the CISSP got me motivated to do it even though its not really related.

Why CISA you ask? We'll they made me.

I'm not going to bitch and moan about the test (much). I took a whopping one question on the OSI model, alot of IT governance, and several on a dumbed down version of how PKI works. Dumbed down so much and with terms that made no sense that I had to sit there for a minute trying to figure out what they heck they were asking and I KNOW how PKI works. It was also poorly written, which I found surprising given the cert being around as long as it has. For the life of me I'll never understand why asking me a simple question in some obscure way makes me prove I know the material better. I understand that with math that might be the case but not with IT. Overall I felt it was very low tech, yet the CISA certification is now required for anyone doing CNA.

Work did send us to a 1 week bootcamp on the CISA, where my favorite quote of the class was "CISA, A technical certification for accountants"...yea! After a week of talking about it I would sum it up to say that the Auditor goes back and checks to see if the CISSP did his/her job properly and if their processes are meeting whatever requirements are required for that particular business.

Anyway, nothing in the course, books, or test helped me get or be better at the real duties of my job, I guess we could argue management and professional development but when you are talking a level 3 certification I want experience that helps me do my real job better not something that makes people that stopped being good at technical stuff long ago feel better about themselves.

Now let me cut the 8570 folks some slack, CNA is huge and pentesting is a small part of it. I can see that if you do IA inspections, blue teaming, or that kind of go through your checklists run a gazillion scanners vulnerability assessment stuff, the CISA is at least in your domain. Would having the CISA certification help them do their job better or prove that someone could do that job? I don't think so but its in their domain.

On a positive note, I was asked to think about a certification for pentesters for DoD for yet another update in the distant future. I personally don't have any experience with any (meaning I haven't taken the training or the test) that I would recommend. I think CEH & LPT is out, just ask an LPT and they'll tell you why. I will be looking in to the SANS GPEN or possibly the CEPT Link1 & Link2.

If anyone has any suggestions for certs to look into please post up. The "you don't need a certification" debate we can keep on another thread, we wont get be getting away from the need for certification in this case.

Thursday, June 19, 2008

And a little further in the toilet we go...

From wired blog:

http://blog.wired.com/27bstroke6/2008/06/dems-agree-to-e.html

"Breaking months of acrimonious deadlock, House and Senate leaders from both parties have agreed to a bill that gives the nation's spy agencies the power to turn a wide swath of domestic communication companies into intelligence-gathering operations, and that puts an end to court challenges to telecoms such as AT&T that aided the government's secret, five-year warrantless wiretapping program."

There isnt much to say if you read the article, its shameful the FUD still flows and becomes law in the name of terrorism 7 years after 9/11.

Wednesday, June 18, 2008

DIY Career in Ethical Hacking

My good friend Don Donzal of EthicalHacker.net spoke at the SANS Pentest Summit recently.

his slides and audio are available on the site

Main Link: http://www.ethicalhacker.net/content/view/201/1/

Slides: http://www.ethicalhacker.net/images/stories/columns/editor/diycareer/diy%20career%20in%20ethical%20hacking.pdf

Audio:
http://www.ethicalhacker.net/images/stories/columns/editor/diycareer/donzal_diycareerinethicalhacking_sanspentestsummit2008.mp3

He said some good things in the talk, here are two slides that bring alot of good information.


First slide I posted was on being honest with yourself about who you are, where you want to go, strengths and weaknesses, and the family concerns. Being gone alot isnt the best thing for a marriage.



Second slide was free or cheap ways to get there once you know where you want to go. I really like this slide because I would consider it the roadmap I have taken and I think its going pretty well.

The talk is about 50 minutes and worth the listen.

I had to laugh about his "flash resume" from back in the day, if someone sent me a flash resume I'd be too worried I'd be sending a reverse shell back to the guy by reading it.

Friday, June 13, 2008

EeePC 900 in galaxy "hacker" black

My father's day gift to myself arrived so I've been spending way too much time messing around with the EeePC 900.

Got canvas up and running with no issues



and metasploit, nmap and aircrack. I'll post some notes later but i havent run into anything that wasnt fixable by forums out on the net.

Maltego Community Edition Available

Paterva has released a community (free) edition of Maltego v2

From the site:

The Community Edition is limited in the following ways:

  • A 15second nag screen
  • Save and Export has been disabled
  • Limited zoom levels
  • Can only run transforms on a single entity at a time
  • Cannot copy and paste text from detailed view
  • Transforms limited to 75 per day
  • Throttled client to TAS communication
http://www.paterva.com/maltego/community-edition/

Tuesday, June 10, 2008

Scams are getting complex

The timing on this could not be better considering the discussion Chris and I have been having about users being to blame if they get scammed.

It almost happened to a good friend of mine last night. Thankfully she was wary and read the email through a few times.

She has been looking for an apartment in the city and finally found this amazing deal on Craigslist. Great price, awesome location, perfect. Too perfect. She emailed the owner, who just happened to be overseas on a work contract of some sort.

So they begin an email correspondence and go back and forth trying to work out the details. Then the 'owner' says that he/she would rather go through a 3rd party escrow agency as it's a way to protect both parties. I admit that up until this point everything sounded legit.

The 'owner' decided that RE/MAX would be the escrow agency and that he would start the process and that my friend would be receiving an email with details on how to transfer the money to the escrow agency, etc..

So far it all sounds great, everyone is protected, everyone is happy. My friend waits for the email and it does not arrive. She emails back and the 'owner' says that it was sent and to check her spam folder. Yes, you and I would immediately wonder why it ended up in the spam folder and check the headers and content. The average person, that sees so many legit emails end up in that folder won't though

So last night my friend decided to go ahead and get the process started. So she prints out the email to make sure she has the instructions correct. I'm sitting at my new mac when she comes over and asks me to have a look at the email.

The reply address looks a little odd she says.

athens-remax.com@newjersey.usa.com

um, yeah it does. Now the rest of the email is well formatted and looks really legit. I asked her where the original email was. So after opening her yahoo account and showing me the email I look at the headers to the email and surprise, surprise, the email is spoofed.

***
Return-Path:
Authentication-Results: mta209.mail.re3.yahoo.com from=remax.com; domainkeys=neutral (no sig)
Received: from 208.70.128.77 (EHLO smtp-gw51.mailanyone.net) (208.70.128.77) by mta209.mail.re3.yahoo.com with SMTP; Sun, 08 Jun 2008 23:28:29 -0700
Received: from mailanyone.net by smtp-gw51.mailanyone.net with esmtpa (MailAnyone extSMTP carasove) id 1K5arj-0006bc-OU for **********@yahoo.com; Mon, 09 Jun 2008 01:28:29 -0500
Received: from 127.0.0.1 (MailAnyone web AccountID 228933) by webmail.fusemail.com with HTTP; Mon, 9 Jun 2008 01:28:27 -0500 (CDT)
Message-ID: <1212992907.v2.mailanyonewebmail-228933@fuse48>
Date: Mon, 9 Jun 2008 01:28:27 -0500 (CDT)
Subject: RE/MAX Escrow Transaction
From: "ReMax.com"
***
A little bit of searching for mailanyone.net it seems that this service is often used to send spoofed emails.

After calling REMAX directly they confirmed that the email and 'transaction' was a scam.

Thankfully my friend was cautious enough, due to the amount of money involved, to question any unusual aspects of the email and transaction.

I wonder how many people are getting caught by scams like this one? It is not a simple link or website. These scammers obviously took a lot of time to develop this scam and to execute it in such a manner as to illicit trust from the user.

dean

Monday, June 9, 2008

blind phreaker pays verizon security officer a home visit

http://blog.wired.com/27bstroke6/2008/06/blind-teenage-h.html


"Less than two months after his celebrating his 18th birthday, a blind, East Boston-based phone hacker has been arrested for paying a Sunday afternoon visit to the Verizon security officer who'd been chasing him."

"Weigman allegedly persuaded a fellow hacker to drive him and his brother 66 miles to the home of William Smith, a Verizon security investigator who'd been monitoring Weigman's hacking and phoning in updates to the FBI. Smith was outside doing yard work when the three men drove up, according to an FBI affidavit. Weigman introduced himself and said he wanted to talk to Smith, who instead went inside and called the police."

not to say that calling the police wasnt the right move. 18 yr olds dont have the best track record of common sense and restraint in stressful or tense situations...

LAN Switch Security Book Review

LAN Switch Security: What Hackers Know About Your Switches

by Eric Vyncke and Christopher Paggen

4 stars

“Should be required reading for Pentesters”

LAN Switch Security provides enough information to leverage the most common layer 2 attacks a pentester would be interested in; MAC Flooding, VLAN Hopping, DTP attacks, and CDP Snarfing along with plenty of switching protocol details for the Cisco ninja wannabe.

With the exception of the white paper for the tool Yersinia there isn't much in the way of resources out there for conducting Layer 2 attacks and certainly nothing written to the technical level of LSS.

The discussion of Layer 2 attacks in the first few chapters of this book are excellent and easily worth the price of the book especially if you are responsible for securing switches or just breaking into and abusing them. Chapter 4's (“Are VLANS Safe?”) discussion on Dynamic Trunking Protocol is probably the most valuable for pentesters. The chapter covers using Yersinia to (hopefully) turn the port the attacker is connected to into a trunk port. This enables the attacker to see all traffic on all VLANS (pretty handy). In addition to exceptional background material on switching protocols and information on breaking the different switching protocols the book gives us quality information on securing those same protocols to include a good chunk of the IOS commands to implement the recommended changes.

Pros:

-All the chapters using Yersinia for attacks and the overview of Yersinia
-The structure (Technology Overview, Discussion of the Vulnerability, Remediation) of each chapter works well
-Plenty of Cisco IOS command line specifics to get the job done
-Really good overviews of the switching protocols, how to break them, and how to secure them
-Discussion of data planes and control planes

Cons:

-Check out the cons of Richard Bejtlich & Stephen Northcutt...all valid
-No discussion of minimum lab requirements to set up a lab to reproduce the attacks
-I lost interest from part II onward, probably because most of the attacks don't give you much (if any) in the way of privileges and it got fairly deep into switching protocols I don't usually deal with and the book seems to drift. I'm not sure what happened but the book doesn't end as strong as it begins.
-Some repeating of material in different chapters

I gave the book 4 stars mostly due to editing issues, lack of lab guidance to reproduce the attacks,and the fact that I lost interest in the book toward the end. Even though I lost interest toward the end I still recommend this book for anyone interested in breaking Layer 2 or securing it.

Links:

http://www.yersinia.net/doc.htm
http://www.yersinia.net/attacks.htm

Yersinia article from hakin9 magazine (sorry couldnt find the full one, this link is for pay after the first page)

Sunday, June 8, 2008

Updated DoD 8570.1M (draft) -- CISA/GSNA required for pentesters

If you do any IA work for the US government its probably worth taking a look at this draft to see what's coming down the pipe.

www.dtic.mil/whs/directives/corres/pdf/857001m.pdf

of interest to me is the new requirement to get the CISA or GSNA if you do any sort of "Auditing" to include pentesting.

"C11.6.1. CND-AU personnel perform assessments of systems and networks within the NE or
enclave and identify where those systems/networks deviate from acceptable configurations,
enclave policy, or local policy. CND-AUs achieve this through passive evaluations (compliance
audits) and active evaluations (penetration tests and/or vulnerability assessments)."

Not to get back into the whole Not a CISSP thread or CEH != pentester debate but I'd like to hear other people's opinion on the validity of basically requiring the CISSP and now CISA if you do pentesting for DoD. I have no experience with the SANS GSNA material, so I have no comments.

I'm studying for the CISA now and there is very little if anything that applies to pentesting. Painful is the only word I can think of right now to describe it. But I'm taking my own advice by sucking it up, learning the material, taking the test, and going back to doing what I was doing.

In case anyone is still in the dark, auditing != pentesting.

Hey United Airlines...Try Actually READING The Question

Its Sunday and I'm bitching.

We fly United Airlines alot for work and I'm getting close to getting my premier status and finally becoming a person according to United. In fact, on my next trip I'll reach enough miles on the outbound flight. Me hating to wait in line and being too paranoid about coughing up all my biometric info for the fly clear stuff I asked if United could "pre-upgrade" me based on the fact I will archive the required number of miles on the flight.

Here is the question I posed:

From: ME
To: United Airlines Web Question Form
Hi,I have an upcoming flight to Hawaii and will be gathering enough miles to become premier on the outbound leg of that flight. I wanted to see if it was possible to be upgraded to premier before the flight so i could use the premier check-in line at the airport.

thanks in advance.

and the response.

Thank you for your e-mail. Elite status is earned by our most frequent flyers. To qualify, you need to earn a given number of Elite Qualifying Miles (EQM) or Elite Qualifying Segments (EQS) in one calendar year. EQM and EQS can be earned by flying on United, Ted, United Express or any Star Alliance member airline and by participating in various promotions. Please visit www.united.com/staralliance or www.staralliance.com for an up-to-date list of Star Alliance members.

Once you qualify for elite status, your account is automatically upgraded. Members need to requalify each year. Elite status is not determined by the current balance of redeemable miles in an account. The three levels in our Elite program are:

Premier = 25,000 EQM or 30 EQS

Premier Executive = 50,000 EQM or 60 EQS

1K = 100,000 EQM or 100 EQS

**Yes all the information available on the website

To date, in 2008, you earned 22,053 Elite Qualifying Miles and 8.5 Elite Qualifying Segments. If you meet the elite membership criteria we can upgrade your status.

** More information I see when I log in

I wish you success in attaining your desired status.

** Then upgrade me!

Please contact us again if you have any questions concerning your Mileage Plus account.

Gisselle Dawson

Yup got it, pretty much what I stated in the question but no real answer. Now I figured the answer would be no, but you could at least read the friggin question and say no. At least I'll be a person on the return flight.

**Update, I actually sent a follow up email saying read my question and basically got the same response without a real answer (again). I wont bother putting it in here.

Friday, June 6, 2008

British ISP Syping On Users

Ok, this one is a little bit Dale Gribble...

From Wired Blog:

"An internal British Telecom report on a secret trial of an ISP eavesdropping and advertising technology found that the system crashed some unsuspecting users' browsers, and a small percentage of the 18,000 broadband customers under surveillance believed they'd been infected with adware."

"Those boxes inserted JavaScript code into every web page downloaded by the users. That script then reported back to Phorm the contents of the web page, which Phorm used to create ad profiles of a user. Additionally, Phorm purchased advertising space on prominent web sites, showing a default ad for a charity. But when a user who had previously looked at car sites visited one of those pages, he instead got an advertisement for car insurance."

http://blog.wired.com/27bstroke6/2008/06/isp-spying-made.html

1984 was a typo! -- No Place to Hide Pseudo Book Review

I really blame phn1x for actually answering my question of what Safeway does with the information of what you buy and suggesting the book "No Place to Hide" by Robert O'Harrow.

Google Books Link:
http://books.google.com/books?hl=en&id=caydrFMa1mIC&dq

I won't do the typical review I do because its not a "tech" book but I will say that it was eye opening. I'm embarrassed to not know the scope of information (and how easily we give it up) that is being accumulated about us by different commercial organizations (ChoicePoint, Acxiom, and more), computer generated models of our likes and dislikes formulated and sold to various vendors, private information about us from marriage, mortgages, books checked out from the library, you name it, and of course that information being easily sold to the government so they can live up to laws forbidding the government from spying on citizens by the government itself not actually doing the spying but merely buying data and services from these vendors.

I don't want to go all Dale Gribble (more) but some fun/spooky/scary things from the book.

1. you dont have to fill out warranty cards that ask for all that personal info like how much you make and what kind of car you drive. By law all products have a 1 yr warranty without you having to mail in that registration card.

2. your phone number is your new SSN and the "key" tying good chunks of your data to you. Add your zip code to make sure there are no mistakes.

3. where do these companies get the data? From: telephone directories, voter registrations forms, tax assessor offices, questionnaires, warranty cards, catalog buyer behavior information, and product registration forms.

4. who generated the initial no fly lists? yep those companies.

5. best part, all the data policing is done by the companies and not the government.

And for a real world example, in my mailbox yesterday was some junk mail from some Baptist church. Of course called and said thanks for the letter but how the f**k did you get my name and address. The utility company gave it to them...WTF.

EFF and EPIC can expect good donations this year, as long as they don't write down my name and address so the government doesn't have its initial start list of dissidents when things go south. But its probably waaaaaaay to late to worry about that. I know I'm already on that list.

For Cons of the book, read the reviews on amazon they mostly say the same thing. Basically great information, but no remediation. fI there even is any at this point.

If you want to see what they have on you, at least ChoicePoint appears to do this for free if you are willing to cough up some information.
http://www.choicepoint.com/consumer/all_products.html

also opt-out info:
http://www.privacyatchoicepoint.com/optout_ext.html