How’s My OpSec? Security Con Badges, the Wall of Sheep, Hit Points and You

Posted on November 08, 2010

Hash Days Badge from hashdays.ch
Hash Days con badges waiting for collection (tech specs)

Are you sometimes embarrassed by the lack of security hygiene demonstrated by so-called security professionals at hacker cons? Do you find the Wall of Sheep statistics depressing? Do you wish that those who make a living out of telling everyone else how to “do security” would start practicing some themselves?

Here’s a suggestion to bring in some real accountability. I mentioned this idea to a few peeps at Brucon who seemed to like it…

Given that more and more hacker cons run a Wall of Sheep and supply attendees with a con badge decked out with CPU, display and even RFID…why not link them together and throw in the gaming concept of health points as a public display of an attendee’s opsec?

All attendees start with the same number of health points (e.g. 5). The con badge displays a light for each health point remaining. Each time the Wall of Sheep sniffs out valid credentials on the con network, a signal is sent via RFID to the attendee badge of the person practising bad opsec. The badge emits a beep and a light goes out on the badge “health bar” – they just lost a health point – and everyone can see it. You could even throw in a little traffic shaping goodness – no speedy feedz for you “Mr 2 Health Points” (zero points = no more con network access).

You might be wondering how to determine which badge to send the signal to?

Imagine that to even get on the con network in the first place, you have to use your con badge as an authenticator. Yup, con badge as hard token if you will. If that sounds too fancy or requires too much from the badge, just give each attendee a unique userid and password for Interwebz access when they register at the door, then link the userid to the con badge. No access without authenticating. Sure, there’s some admin overhead here but just imagine the good you’ll be doing the industry ;-).

But…but…but…someone might hack the system/shouldersurf my password/play layer 2 games/impersonate me etc etc and cause my health points to be deducted!?! Awesome – it’s a hacker con after all ;-).

P.S. If you’ve already done this or seen this somewhere, let us know in the comments.

Twitter to Fortune - Converting Tweets to UNIX Fortune

Posted on October 01, 2010

Warning: this post is not very security related…

Do you follow any infosec people on the Twitter that consistently make you laugh? Or whose tweets seem strangely proverb-like? (you get to define strange).

I follow a few such tweeps like and the problem is their tweets get lost in the stream, unlikely to resurface after an initial flurry of retweets.

As a fan of ye olde UNIX fortune program – but often not the fortunes themselves – I wanted to inject some twitter wisdom (!). Instead of receiving a famous quote or not-so-funny joke from one of the existing fortune data files, I wanted to create my own with tweets from one of my favourite twits.

A short time later and tweet2fortune.py was born.

This python script is simple:
– you tell it which (public) twitter handle to grab tweets from
– it grabs the tweets, filters out retweets/replies and tweets containing URLs
– then formats them in fortune(1) file format (a % separated text file essentially)

All you need to do is redirect the output to a file using standard UNIX redirection, generate a fortune index file and you’re set:

$ tweet2fortune.py jack_daniel > jack_daniel_tweets
$ strfile jack_daniel_tweets

Now, anytime I want to hear a nugget of knowledge from Jack Daniel, I just run:

$ fortune jack_daniel_tweets

and I get…

I know, let’s simultaneously panic and fawn over Stuxnet while our
domain admin pw is password, and our CMS is a default install.
— @jack_daniel

In reality, I run fortune from my ~/.bash_profile so I receive a twitter powered fortune each time I log in.

The script is simple and can easily be adapted for more use-cases, I encourage you to tweak away.
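The filter-and-format steps described above, as an added Python example that is not the original tweet2fortune.py: it works on tweet texts already in hand (the sample list is constructed) instead of calling Twitter, and the function names, the retweet/reply/URL heuristics and the ASCII attribution line are assumptions.

```python
import re
import textwrap

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

# Constructed sample input, not real tweets.
SAMPLE_TWEETS = [
    "RT @someone: great talk",
    "@friend see you at the con",
    "New post http://example.com/x",
    "Patch your CMS   before\nyou panic about the next worm.",
    "Default passwords are a feature request from attackers.",
    "%",
]

def keep_tweet(text):
    """True for original tweets without links (heuristics are assumptions)."""
    t = text.strip()
    if not t or t.startswith("@"):            # empty, or a reply
        return False
    if re.match(r"RT\b", t) or " RT @" in t:  # leading or quoted retweet
        return False
    return URL_RE.search(t) is None

def to_fortune(handle, tweets, width=70):
    """Format the kept tweets as a fortune data file for strfile(1)."""
    records = []
    for text in tweets:
        if not keep_tweet(text):
            continue
        # Collapse whitespace, then wrap like the sample fortune above.
        body = textwrap.fill(" ".join(text.split()), width=width)
        # A line holding only "%" is the record separator, so a tweet
        # that wraps to one would corrupt the file: drop it.
        if "%" in body.splitlines():
            continue
        records.append(f"{body}\n    -- @{handle}\n")
    # Records are separated (and here also terminated) by a lone "%" line.
    return "".join(record + "%\n" for record in records)

if __name__ == "__main__":
    print(to_fortune("example_user", SAMPLE_TWEETS), end="")
```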

Enjoy ;-)

HeadHacker.net Launch

Posted on March 15, 2010

HeadHacker.net on mentalism, hypnosis, misdirection and influence

If you’re curious about social engineering and want to dig deeper, check out HeadHacker.net, a new blog about social engineering, hacking, hypnosis, mentalism and influence by Dale Pearson.

Dale is kicking off with a blog series explaining the basics. His latest post on hypnosis makes interesting reading as it dispels some common myths that I’ve even heard information security professionals recite as fact….

I look forward to reading more, as Dale is a no-nonsense type of guy and does his homework.

Unbelievable That This Went Unnoticed for So Long

Posted on January 17, 2010

Hiding, with 20-20 Vision

What Linux-specific software would you expect to undergo arduous, scrutinising source code security reviews?

Aside from “the kernel”, you might have said the Linux firewall: Netfilter.

The title of this post is a quote from a surprised Linux Netfilter team member, in response to a bug report from Florian Westphal.

Florian noticed that non-privileged users could add/delete/modify Ethernet Bridging ACLs, actions normally restricted to the system administrator.

Can I Haz Evil Client?

To exploit the vulnerability, you need a custom client. The official ebtables utility won’t let you abuse the bug as it makes a privileged call for a raw socket (SOCK_RAW) long before calling the vulnerable kernel code. Since SOCK_RAW requires network admin capabilities (CAP_NET_ADMIN) normal users Do Not Pass Go.

To become a link layer $DEITY, an attacker could remove the privileged calls from the stock ebtables client or write a small program that just calls the vulnerable netfilter kernel routine (do_ebt_set_ctl).

Where Did I Put That Check?

The side effect of that earlier SOCK_RAW call was unintentional auditor misdirection. If you audit the client code – without referring to the kernel code – you completely miss the bug.

This “slap on the forehead” bug is an excellent reminder that when we review “systems” for security weaknesses, we need to evaluate related components, as well as their interactions (“intended vs. actual”). If we don’t, we’re only looking at half the picture. This approach doesn’t just apply to code audits though: it’s equally valuable during real-world process audits.

Although a surprising omission, there is no suggestion this vulnerability was caused by premeditated client side security. That happens when misguided developers embed security checks solely in the client, often in the belief that no-one is as smart as they are. Vulnerability databases tell a different story.

What Can Developers Do About It?

An effective avoidance strategy for this type of bug is for developers to externalise their assumptions through the development of test cases (comments in code are nice, but give me a test case any day). Test cases embody developers’ intentions and in the process, help keep the gun from the developers’ feet.
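The audit blind spot and the test-case remedy described above, as an added Python model that is not kernel or ebtables code: every name here is hypothetical, a single `net_admin` flag stands in for the privilege the page describes, and the rule string is constructed.

```python
import errno

class Caller:
    """A process; net_admin stands in for holding the admin privilege."""
    def __init__(self, net_admin):
        self.net_admin = net_admin

def open_raw_socket(caller):
    """Privileged step the stock client performs before touching the tables."""
    if not caller.net_admin:
        raise PermissionError(errno.EPERM, "raw socket refused")

def set_ctl_unchecked(caller, table, rule):
    """Handler with the missing check: assumes the caller was vetted earlier."""
    table.append(rule)
    return 0

def set_ctl_checked(caller, table, rule):
    """Handler that enforces the privilege itself."""
    if not caller.net_admin:
        return -errno.EPERM
    table.append(rule)
    return 0

def stock_client(caller, handler, table, rule):
    """Official-client path: privileged call first, then the handler."""
    open_raw_socket(caller)
    return handler(caller, table, rule)

def client_path_blocks(handler):
    """What a client-only audit observes: is an unprivileged user stopped?"""
    try:
        stock_client(Caller(net_admin=False), handler, [], "constructed-rule")
    except PermissionError:
        return True
    return False

def unprivileged_direct_call(handler):
    """The test case that states the assumption: go straight to the handler
    as an unprivileged caller. Returns (return code, resulting table)."""
    table = []
    rc = handler(Caller(net_admin=False), table, "constructed-rule")
    return rc, table

if __name__ == "__main__":
    for handler in (set_ctl_unchecked, set_ctl_checked):
        print(handler.__name__, client_path_blocks(handler),
              unprivileged_direct_call(handler))
```

Both handlers look safe when exercised through the client path; only the direct-call test tells them apart, which is the assumption a regression test should pin down.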

(via: CVE-2010-0007: Linux kernel netfilter ebtables Missing Check)

Image credit: bommelmützenkind

The Google Breach, or How Running Their Archrivals' Software Cost Them

Posted on January 14, 2010

Update: McAfee investigation points to IE zero day. This finding makes my point for me.

In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer. We informed Microsoft about this vulnerability and Microsoft is expected to publish an advisory on the matter soon.
[…]

While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.

I’m intentionally keeping my commentary on this issue brief (there is already enough).

The attack vector against the Google corporate network is reported as an email with an attached PDF backdoor; i.e. the exploit relies on a security vulnerability in a local installation of Adobe Reader.

Google is web services. And they regularly remind us that they “eat their own dog food” by relying on those same services to run their business.

Google’s vision is that the world runs ChromeOS, a thin OS with just enough capabilities to plug into, and interact with, Google Services.

Google’s arch-enemy, Microsoft is about software (and now software + services). With a historical stranglehold on the endpoint, it’s hard to do business without running MS on at least some endpoints.

Google must be running Adobe Reader on something. I suspect – but I don’t know – that this is Windows.

How ironic is it that internal use of their rivals’ thick client desktop software (as the underlying platform) and 3rd party software – the very antithesis of the Google philosophy – was the key enabler in the breach?

(yes, web services and browsers introduce their own security issues)

There’s no suggestion so far that Microsoft software was at fault. The culprit appears to be Adobe. But “sophisticated” post-exploitation pivoting and data exfiltration software doesn’t just drop out of thin air. Nor does the implementation of stealth features. This stuff takes time to develop and embed. Sure, post-exploitation code exists for other platforms but APT consistently targets Windows based Corporate America. What was it Dr Geer (et al) warned us of?

If you were Google, what software would you mandate for employee endpoints now?

6 New Year Security Resolutions for This Security Wannabe

Posted on December 31, 2009

In 2010, I will:

Put my RSS reader on a Crash Diet

I don’t know about you, but seeing ‘1050 unread items’ in my feed reader does not fill me with pleasure. Instead, it starts to feel like “yet another inbox”. I don’t need another one of those :).

As of yesterday, I’ve switched from 500 feeds to about 60. This is my loyalty vote for bloggers I admire/respect and a reflection of an “essentials” only attitude.

I’m going to miss some stuff, but what’s the worst that could happen? Twitter makes up for some of the ground, but ultimately, I’m not going to lose any sleep over this. I hope it leads to me getting more out of my feeds. If you do the same and end up unsubscribing from this blog (shock, horror!) – no hard feelings – I’ll send the free suitcases of money somewhere else ;)!

I’m aware of other ways to remedy feed overload (Postrank, Yahoo! Pipes etc) but for now I’m keeping it simple.

To keep high volume information security and global news sources out of my feed reader, I’m using Netvibes. I’ve set this up with a single page containing key sources – in a multi-column overview page I can scan incredibly quickly. Netvibes will be closed unless I’m actively checking it.

Reduce my Dependence on Google

Google offers some very seductive services for free. They “just work”, are easy to use and efficient. I know, as I use a ton of them!

I’m increasingly concerned at the amount of the web and web experience that Google owns. This isn’t news in some ways and in the past I accepted the trade-off. My primary concern is protecting my privacy, rather than security.

It will be painful to transition away from Gmail and will take time.

For search I am switching to Bing.

Right now, I’m using Chrome (for performance reasons) to run Gmail and Google Reader – that’s it. Firefox for everything else.

Get off self-hosted Wordpress

Wordpress is featureful blogging software with a pretty featureful security track record (!). I like technologies that are low maintenance and don’t leave me wide open to automated threats and/or script kiddies. The Wordpress team are slowly making security improvements to the codebase and I’m grateful for my use of the software, but I don’t want to feel “dirty” running PHP in 2010 ;-) Oh, and Wordpress plugins are even worse from a security perspective than Wireshark plugins. Tip: If like me, you tried and failed when googling “secure blog software” et al, you’ll appreciate the search term “static website generator”. As regular readers will know, I’ve already switched this blog to Webby and it’s great – no dynamic code, no security worries. For my needs, Webby is excellent.

Compartmentalise my OSX Applications

I love my MacBook Pro and I like OSX. But I know it is less mature than either Windows or Linux from a security perspective. Apple does ship OSX with a program sandboxing feature, but it’s only turned on for a handful of applications. I’ve created a sandbox profile for Firefox on OSX and plan to do so for other apps that take inputs from untrusted sources. This will be an on-going process, both in terms of policy tweaking and applications contained.

Minimise my Browser Attack Surface

This is related to sandboxing, but more about attack surface reduction than containment. I created a new Firefox profile and installed just 3 plugins; for ad-blocking (AdBlock Plus), Javascript and plugin control (NoScript) and password management (1Password). I can still run the full-flavour Firefox if for some reason I need to but this is no longer my default. Whilst this does nothing to eliminate Firefox vulnerabilities, it does reduce the exploitation opportunities. Plus, Firefox is damned fast again now! Do you really need all those add-ins?

Switch Gears with Twitter

I’m a fan of twitter and don’t feel the need to apologise for it.

In the past year, I have gained enormously by following and interacting with smart security peeps (and others outside of my infosec world). It’s led to collaborations that would have either been slower to happen otherwise, or simply would not have happened. However, it can be challenging in terms of attention management.

I’ve recently switched to using NutshellMail as a short term measure for periodic, timed delivery of incoming tweets by email. This immediately reduced task switching as I can close my twitter client without fear of missing out (or leaving the client running and getting sucked in).

This approach probably won’t work for you if you use twitter for conversations. I don’t as I simply find it too clunky. I do interact though and I don’t want to lose that in the process. I will be less “real time” but 4 hourly intervals is good enough for me.

The other benefit is “inbox reduction”. Now tweets come via a single email to my personal inbox. I don’t have to “look somewhere else”. Not just Twitter, but Facebook and LinkedIn (although not Groups) too.


I plan to post more as I make progress on these items. I welcome your feedback.

All the best for 2010.