Security Wannabe

HeadHacker.net Launch

2010-03-15T15:29:55+01:00

If you’re curious about social engineering and want to dig deeper, check out HeadHacker.net, a new blog about social engineering, hacking, hypnosis, mentalism and influence by Dale Pearson.

Dale is kicking off with a blog series explaining the basics. His latest post on hypnosis makes interesting reading as it dispells some common myths that I’ve even heard information security professionals recite as fact….

I look forward to reading more, as Dale is a no-nonsense type of guy and does his homework.

Unbelievable That This Went Unnoticed for So Long

2010-01-17T15:04:50+01:00

What Linux specific software would you consider has arduous and scrutinising source code security reviews?

Aside from “the kernel”, you might have said the Linux firewall: Netfilter.

The title of this post is a quote from a suprised Linux Netfilter team member, in response to a bug report from Florian Westphal.

Florian noticed that non-privileged users could add/delete/modify Ethernet Bridging ACLs, actions normally restricted to the system administrator.

Can I Haz Evil Client?

To exploit the vulnerability, you need a custom client. The official ebtables utility won’t let you abuse the bug as it makes a privileged call for a raw socket (SOCK_RAW) long before calling the vulnerable kernel code. Since SOCK_RAW requires network admin capabilities (CAP_NET_ADMIN) normal users Do Not Pass Go.

To become a link layer $DEITY, an attacker could remove the privileged calls from the stock ebtables client or write a small program that just calls the vulnerable netfilter kernel routine (do_ebt_set_ctl).

Where Did I Put That Check?

The side effect of that earlier SOCK_RAW call was unintentional auditor misdirection. If you audit the client code – without referring to the kernel code – you completely miss the bug.

This “slap on the forehead” bug is an excellent reminder that when we review “systems” for security weaknessses, we need to evaluate related components, aswell as their interactions (“intended vs. actual”). If we don’t, we’re only looking at half the picture. This approach doesn’t just apply to code audits though: its equally valuable during real-world process audits.

Although a surprising omission, there is no suggestion this vulnerability was caused by premeditated client side security. That happens when misguided developers embed security checks solely in the client, often in the belief that no-one is as smart as they are. Vulnerability databases tell a different story.

What Can Developers Do About It?

An effective avoidance strategy for this type of bug is for developers to externalise their assumptions through the development of test cases (comments in code are nice, but give me a test case anyday). Test cases embody developers intentions and in the process, help keep the gun from the developers feet.

(via: CVE-2010-0007: Linux kernel netfilter ebtables Missing Check)

Image credit: bommelmützenkind

The Google Breach, or How Running Their Archrivals' Software Cost Them

2010-01-14T15:25:01+01:00

Update: McAfee investigation points to IE zero day. This finding makes my point for me.

In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer. We informed Microsoft about this vulnerability and Microsoft is expected to publish an advisory on the matter soon.
[…]

While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.

I’m intentionally keeping my commentary on this issue brief (there is already enough).

The attack vector against the Google corporate network is reported as an email with an attached PDF backdoor; i.e. the exploit relies on a security vulnerability in a local installation of Adobe Reader.

Google is web services. And they regularly remind us that they “eat their own dog food” by relying on those same services to run their business.

Google’s vision is the world run ChromeOS, a thin OS with just enough capabilities to plug into, and interact with, Google Services.

Google’s arch-enemy, Microsoft is about software (and now software + services). With a historical stranglehold on the endpoint, it’s hard to do business without running MS on at least some endpoints.

Google must be running Adobe Reader on something. I suspect – but I don’t know – that this is Windows.

How ironic is it that internal use of their rivals’ thick client desktop software (as the underlying platform) and 3rd party software – the very antithesis or the Google philosophy – was the key enabler in the breach?

(yes, web services and browsers introduce their own security issues)

There’s no suggestion so far that Microsoft software was at fault. The culprit appears to be Adobe. But “sophisticated” post-exploitation pivoting and data exfiltration software doesn’t just drop out of thin air. Nor does the implementation of stealth features. This stuff takes time to develop and embed. Sure, post-exploitation code exists for other platforms but APT consistently targets Windows based Corporate America. What was it Dr Geer (et al) warned us of?

If you were Google, what software would you mandate for employee endpoints now?

6 New Year Security Resolutions for This Security Wannabe

2009-12-31T13:40:24+01:00

In 2010, I will:

Put my RSS reader on a Crash Diet

I don’t know about you, but seeing ‘1050 unread items’ in my feed reader does not fill me with pleasure. Instead, it starts to feel like “yet another inbox”. I don’t need another one of those :).

As of yesterday, I’ve switched from 500 feeds to about 60. This is my loyalty vote for bloggers I admire/respect and a reflection of an “essentials” only attitude.

I’m going to miss some stuff, but what’s the worst that could happen? Twitter makes up for some of the ground, but ultimately, I’m not going to lose any sleep over this. I hope it leads to me getting more out of my feeds. If you do the same and end up unsubscribing from this blog (shock, horror!) – no hard feelings – I’ll send the free suitcases of money somewhere else ;)!

I’m aware of other ways to remedy feed overload (Postrank, Yahoo! Pipes etc) but for now I’m keeping it simple.

To keep high volume information security and global news sources out of my feed reader, I’m using Netvibes. I’ve set this up with a single page containing key sources – in a multi-column overview page I can scan incredibly quickly. Netvibes will be closed unless I’m actively checking it.

Reduce my Dependence on Google

Google offers some very seductive services for free. They “just work”, are easy to use and efficient. I know, as I use a ton of them!

I’m increasingly concerned at the amount of the web and web experience that Google owns. This isn’t news in some ways and in the past I accepted the trade-off. My primary concern is protecting my privacy, rather than security.

It will be painful to transition away from Gmail and will take time.

For search I am switching to Bing.

Right now, I’m using Chrome (for performance reasons) to run Gmail and Google Reader – that’s it. Firefox for everything else.

Get off self-hosted Wordpress

Wordpress is featureful blogging software with a pretty featureful security track record (!). I like technologies that are low maintainance and don’t leave me wide open to automated threats and/or script kiddies. The Wordpress team are slowly making security improvements to the codebase and I’m grateful for my use of the software, but I don’t want to feel “dirty” running PHP in 2010 ;-) Oh, and Wordpress plugins are even worse from a security perspective than Wireshark plugins. Tip: If like me, you tried and failed when googlng “secure blog software” et al, you’ll appreciate the search term “static website generator”. As regular readers will know, I’ve already switched this blog to Webby and it’s great – no dynamic code, no security worries. For my needs, Webby is excellent.

Compartmentalise my OSX Applications

I love my MacBook Pro and I like OSX. But I know it is less mature than either Windows or Linux from a security perspective. Apple does ship OSX with a program sandboxing feature, but it’s only turned on for a handful of applications. I’ve created a sandbox profile for Firefox on OSX and plan to do so for other apps that take inputs from untrusted sources. This will be an on-going process, both in terms of policy tweaking and applications contained.

Minimise my Browser Attack Surface

This is related to sandboxing, but more about attack surface reduction than containment. I created a new Firefox profile and installed just 3 plugins; for ad-blocking (AdBlock Plus), Javascript and plugin control (NoScript) and password management (1Password). I can still run the full-flavour Firefox is for some reason I need to but this is no longer my default. Whilst this does nothing to eliminate Firefox vulnerabilities, it does reduce the exploitation opportunties. Plus, Firefox is damned fast again now! Do you really need all those add-ins?

Switch Gears with Twitter

I’m a fan of twitter and don’t feel the need to apologise for it.

In the past year, I have gained enormously by following and interacting with smart security peeps (and others outside of my infosec world). It’s lead to collaborations that would have either been slower to happen otherwise, or simply would not have happened. However, it can be challenging in terms of attention management.

I’ve recently switched to using NutshellMail as a short term measure for periodic, timed delivery of incoming tweets by email. This immediately reduced task switching as I can close my twitter client without fear of missing out (or leaving the client running and getting sucked in).

This approach probably won’t work for you if you use twitter for conversations. I don’t as I simply find it too clunky. I do interact though and I don’t want to lose that in the process. I will be less “real time” but 4 hourly intervals is good enough for me.

The other benefit is “inbox reduction”. Now tweets come via a single email to my personal inbox. I don’t have to “look somewhere else”. Not just Twitter, but Facebook and LinkedIn (although not Groups) too.

I plan to post more as I make progress on these items. I welcome your feedback.

All the best for 2010.

The Eurotrash Security Podcast - Security With Funny Accents

2009-11-16T00:47:43+01:00

What happens when a bunch of us Europeans get together at Brucon and decide there isn’t enough European security podcast action?

The Eurotrash Security podcast" is born!

Here’s the blurb:

We will start with a monthly podcast, featuring (European) guests from the Infosec community. We aim at providing a technically inclined podcast that will provide both offensive and defensive topics and hopefully some pretty good discussions on a plethora of subjects.

The podcast is co-hosted by Wim Remes (@wimremes), Chris John Riley (@chrisjohnriley), Dale A. Pearson (@daleapearson) and myself (@craigbalding).

We recorded Episode 1 earlier this month and saw a couple of hundred downloads in the first few days (which came as a pleasant shock).

If there is a topic you’d like to hear featured, a european security practitioner you’d like interviewed or anything else, drop us a note.

In iTunes, click Advanced→Subscribe to podcast and drop in this link

U, V or W for Incident Recovery

2009-10-04T22:23:29+02:00

The Economist recently ran a piece describing 3 possible recovery shapes for the global economy.

… But the more interesting question is what shape the recovery will take. The debate centres around three scenarios: “V”, “U” and “W”. A V-shaped recovery would be vigorous, as pent-up demand is unleashed. A U-shaped one would be feebler and flatter. And in a W-shape, growth would return for a few quarters, only to peter out once more.

What struck me was the resemblance these shapes have to the response and recovery phases of real world computer security incidents. The shape says a great deal about the relative maturity of an organisations incident response capabilities.

V

The organisation has a well defined plan for rapidly responding to incidents.

Incident responders are clear on their mission, are empowered, equipped and well practised.

Key operational assets are identified and have well defined recovery procedures that are regularly tested by the IT team.

The defenders maximise their home advantage through building visibility in to help them quickly identify intruder activity and determine the extent of a possible breach.

Emergency contact procedures and numbers are regularly proven.

The network can be reconfigured dynamically to enable only “mission critical” internal and partner traffic during a severity 1 security incident (without bringing down the business).

IT teams are able to prove elements of system, application and data integrity against known, trusted baselines. Where this is not possible, recovery from trusted media is not only possible, but practised.

Discoveries about intruder methods and preferences from system and network forensics directly feed into build standards and monitoring systems. Vulnerability assessment checks are quickly updated and key assets rapidly scanned and remediated as appropriate to close open doors known to be preferred by intruders.

Sharing of threat intelligence with peers in the same vertical is the norm rather than the exception. Secure communication methods are already in place and the limits of such communication clearly defined in advance.

Post-incident procedures include root cause analysis driven by an experienced facilitator who either directly leads the change activity or hands off to someone with sufficient leadership to do so.

This organisation can continue core operations during an incident, can quickly recover and is able to bolster defence and detection rapidly to block or reduce the impact of repeat attacks from known groups.

U

Aspires to be a V organisation but fails to hire sufficiently experienced individuals to rapidly respond in the right direction.

Lacks management conviction and understanding about the true nature of today’s threat.

Fails to properly identify ancillary devices relied upon by key assets thus under-performs when it comes to recovery time.

Intelligence from forensics is partial and not fully acted upon. Intruders persistence mechanisms are discovered piecemeal and co-ordination between defender groups is only partially effective.

Some information sharing with peer organisations happens but its effectiveness is muted by managements teething concerns around trust and competition.

This organisation recovers from the attack but the process is painful, tiring and more expensive than it needs to be. The impact of the breach is bigger and probably not fully quantifiable.

The CISO survives by the skin of his teeth. His best people will leave if they don’t sense real appetite for change. They won’t want to go through that experience again.

W

This type of organisation hires in the IR talent on demand though outside contractors.
These hired hands are true experts – experienced, sharp and responsive.

The problem is they can’t possibly understand the business context. Nor can they wrap their arms around a large enterprise network in a highly compressed time-frame. They are handicapped by the lack of rapport they have with the various interest groups across the organisation, relying more on the power vested in them by senior management.

They do bring impressive tools and techniques to bear and impress some of “the locals”.

They work 24×7 to contain the intruders but are hampered by a lack of nimbleness in other teams they rely on to make changes to infrastructure. They foresee this (they are not new to this game) and circumvent where they can.

They stop the bleeding.

The patient – in the form of senior management – “feels better” again. Then management start weighing up the costs of having them around.

The consulting firm is kept on retainer but the star players are moved on to the next client site to fight the next fire.

But the intruders come back: better tooled up, more resourced and significantly better informed about the targets internal network.

The organisations management suddenly finds itself back on the incident response roller coaster heading downhill fast.

The consulting all-stars will be brought back on-site as soon as they can be freed up and will eventually succeed in regaining control. But the recovery costs are at least double, the breach costs are likely more than double (the intruders had time to optimise their data extrusion methods) and the organisation still doesn’t have a sustainable strategy.

But, they may stand the best chance of bypassing the U shape completely as they’ve now been burnt twice and its cost them considerably. They also know what the right talent looks like. They may even poach from the consulting company…

Which leaves just one question: how many V style organisations do you know?

Eureka! White Hat vs Black Hat vs Ethical Hacker

2009-10-04T19:22:27+02:00

Image credit Andreas Nilsson

I normally steer clear of discussions that attempt to define hat colour as the Return on Energy Expended (RoEE) is consistently low. But I heard something last night that finally nails the definitions and thought I’d share.

Black Hat = A person that attacks a sytem without the authorisation of the owner.

White Hat = A person that attacks a system with the authorisation of the owner .

Ethical Hacker = A failed attempt at linking “ethics” to “hacking” that ends up describing a subset of White Hat and Black Hat hackers!

Ethical Hacker falls short because it makes the assumption that Black Hats are not ethical. For example; hacktivists take the actions they do from a very strong sense of ethics whilst clearly demonstrating Black Hat behaviour (i.e. attacking systems without authorisation). You may not share their ethics but that doesn’t mean they don’t have ethics.

Summary = Don’t presume to link ethics (or motivation) to hat colour. It doesn’t work. Think “authorisation” instead.

Sidepoint from me: I’ve noticed people calling themselves ‘grey hat’ as if to give off some kind of darkish aura and be one of the cool kids. The definitions above don’t leave space for ‘grey’. You either break in with permission or you don’t. If you choose to do both, then you are both a Black Hat and a White Hat – you don’t get ‘grey’ – it doesn’t exist!

This insight courtesy of Professor Tom Wilhelm during an interview on PaulDotCom Episode 169

Thoughts From BruCON

2009-09-21T21:31:50+02:00

Photo courtesy of Dale Pearson

Hacking for B33R!

The first BruCON took place in Brussels, Belgium this past Friday and Saturday.

It was organised by Sebastien, Filip, Pieter, Philippe and Benny (web, twitter) and their band of merry men (aka “the crew”) and they just set the bar for new security conferences. This did not feel like a version 1.0 conference at all.

The “Surf House” conference facilities were excellent – both the main conference room (with 5 large projector screens) and the “lounge” area (complete with bar, lighting and booming sound system) made for a relaxing space

The talks were solid – good mix of technical and not-so-technical drawn from a mix of European countries and the US. The goal for next year is to increase the number of Belgians presenters – a good idea IMO and something that shouldn’t be hard to do based on some of the locals I chatted with.

My talk was called “The Belgian Beer Lovers Guide to Cloud Security” (slides). I was last on the schedule so employed some cheap tactics to boost numbers and keep people awake (beware the free beer ploy!). I can confirm that the allure of Belgian beer proved a valiable tool in the fight against “mind trips”…

Chris John Riley (web, twitter) did a sterling job blogging the talks.

The event was recorded and the videos will be uploaded shortly (I’ll update this post with a link).

The Belgians sure know how to run a decent hacking con – I definitely plan to attend next year. To be informed when the next BruCON happens, you should join this mailing list.

Administrivia

2009-09-08T21:41:48+02:00

Dearest Reader,

First off, I’m moving away from Wordpress so expect some hiccups as the blog transitions (especially around RSS).

Secondly, I will blog more. More posts about infosec tech, less on career/development. Based on the number of posts thus far, this point may well be moot. To that end, I’m “importing” some blog posts I wrote elsewhere during my “unfaithful” blogging period. I’m sure that will mangle the RSS feed so you may see some duplicates.

If you don’t like what you see, feel free to move along – no hard feelings eh?

I’m off to flick some switches…

Cheers,
Craig

Update: old comments currently barfed – plan to fix (I value the comments). Oh, and from the department of the obvious, I forgot to mention the design change. I’m sure to tweak as we go along but happy so far.

Handy Hardware Cheatsheet for Forensic Teams

2009-07-21T21:26:38Z

via media.techtarget.com

This handy hardware cheatsheet helps visually identify numerous common PC components. Great for desktop support, even better for forensics teams. This could be issued to trained First Responders stationed at remote locations.

Source: http://sonic840.deviantart.com/art/Computer-hardware-poster-1-7-111402099 (via Rob S at work).