Wednesday, January 30, 2013

what could possibly go rong?

It appears that Facebook is expanding its practice of requiring users to send in a picture of a government-issued ID in order to unlock their accounts.

In other words, anybody with Photoshop (probably just Paint) can convince Facebook that they're who they say they are.

Really?

http://idealab.talkingpointsmemo.com/2013/01/instagram-asking-for-users-government-issued-photo-ids-now-too.php

If you can't authenticate a user - just admit it and move on.  Don't engage in security theater and force legitimate users to place their own PII at risk (because you know that some users will not sanitize the picture before emailing it in).


Sunday, January 27, 2013

SQL Slammer

Here's a neat little post describing how David Litchfield discovered the bug which was eventually exploited by SQL Slammer.

It's all about curiosity, and picking at the edges when you find a crack in the veneer.

http://threatpost.com/en_us/blogs/inside-story-sql-slammer-102010


Thursday, January 24, 2013

Sendmail all over again

OMG!  I actually have trouble believing this - except the source is Krebs and the vendor has essentially admitted to it via a Tech Alert.

Barracuda Networks has been shipping firewalls, spam filters and VPN devices with undocumented back-door accounts. Allegedly, the back-door accounts include a password-free account with write access to the MySQL database that provides authentication information.

The only access control on these accounts is an attempt to limit ssh access to connections from Barracuda-owned IP addresses.  Apparently they failed in this endeavor, since other, unrelated companies also have addresses in the permitted address blocks.


http://krebsonsecurity.com/2013/01/backdoors-found-in-barracuda-networks-gear/#more-18612


How on earth can a security device vendor ship a device with an open back-door account in today's environment?  

Let me repeat that question:

How, in today's security environment, when truly serious and damaging attacks are the order of the day, could any provider of security devices knowingly ship security devices with open back-door accounts?

Back in the 90's we all learned not to do this thanks to the Sendmail WIZ account.  Just to provide context, those were the days when you could still find Unix systems with guest accounts ... and yet we still understood that back-door accounts were a bad idea.

This is exactly the sort of thing we accuse the Chinese of doing as we drag them to congressional hearings and reject their equipment; and it turns out that a California based company has been doing it in a most egregious way for years.  I'd be willing to bet the government, including the DoD, has lots of this equipment.

If I owned any Barracuda gear - today's project would be to confirm whether this report is really true (it's so incredible, I still have trouble believing it).  If it did turn out to be true, I would immediately begin the process of removing all Barracuda equipment from my site.

Why such a dramatic response?  It's not so much that this is a big gaping security hole, everybody has bugs.  But any company that knowingly permits this sort of thing to ship, in 2013, must have a corporate culture that's totally devoid of any reasonable concern about protecting their customer. As they say, there's no fixing stupid.

This, BTW, is a terrific example of why Defense in Depth is so critical.  The only defense against this vulnerability is to block all incoming ssh connections.  Of course, for some unlucky individuals, the natural way to block these connections would be via their Barracuda firewall (!)
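As an added illustration of the log review a Barracuda owner would want to do that day, here is a small Python script (example code, not from the original post, from Krebs, or from the vendor) that walks sshd log lines and flags any successful login for an account that is not in the administrator's own inventory, or from a source outside the management network. The account names, the management range 10.20.0.0/24 and the log lines are all constructed for the example; the point is that an allowlist of source address blocks is not an access control if the blocks are shared with strangers, so the accounts themselves have to be reviewed.

```python
"""Review sshd log lines for logins by unexpected accounts or from unexpected sources.

Added illustrative example, not code from the blog post or from any vendor.
The inventory, the management network and the log lines are constructed.
"""
import ipaddress
import re

# Assumed: the only accounts an administrator expects to exist on the device.
KNOWN_ACCOUNTS = {"admin", "support"}

# Assumed: the only network from which interactive ssh should ever originate.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines in the usual OpenSSH syslog format. The account
# "maint" stands in for an undocumented account nobody on site created.
SAMPLE_LOG = """\
Jan 23 02:11:07 fw1 sshd[1201]: Accepted publickey for admin from 10.20.0.15 port 51022 ssh2
Jan 23 02:14:33 fw1 sshd[1210]: Accepted password for maint from 198.51.100.7 port 40111 ssh2
Jan 23 02:15:01 fw1 sshd[1215]: Failed password for root from 203.0.113.9 port 22120 ssh2
Jan 23 02:16:45 fw1 sshd[1220]: Accepted password for support from 10.20.0.9 port 51044 ssh2
Jan 23 02:18:02 fw1 sshd[1230]: Accepted password for admin from 203.0.113.44 port 33217 ssh2
"""

# Only successful logins matter here; failed attempts are noise for this check.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_accepted(lines):
    """Yield (user, ip_address, auth_method) for every successful login line."""
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            yield m["user"], ipaddress.ip_address(m["ip"]), m["method"]


def review(lines, known_accounts=KNOWN_ACCOUNTS, management_nets=MANAGEMENT_NETS):
    """Return (reason, user, ip) findings, in log order, for an analyst to look at."""
    findings = []
    for user, ip, _method in parse_accepted(lines):
        if user not in known_accounts:
            findings.append(("unknown account", user, str(ip)))
        if not any(ip in net for net in management_nets):
            findings.append(("source outside management network", user, str(ip)))
    return findings


if __name__ == "__main__":
    for reason, user, ip in review(SAMPLE_LOG.splitlines()):
        print(f"{reason}: {user} from {ip}")
```

Run against the sample, the unknown "maint" account produces two findings (unknown name, outside source) and the admin login from 203.0.113.44 produces one. A login from an allowed block by an account nobody on site created is still flagged, which is exactly the case an address allowlist alone would miss.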


Tuesday, January 22, 2013

Backtrack moving forward


The folks who have brought us Backtrack are preparing to release the new version.  Instead of just putting out another static distribution, they've gone to a fully upgradable version that will allow them to keep current versions of their tools.  A much bigger task, and way more useful for us - the users.

It's going to be renamed to Kali.  I can't wait to play with it.

Cool video teaser follows.




Saturday, January 19, 2013

Is DDOS free speech?


So I finally got around to poking at the "We The People" petitions that you can submit to the White House;  and guess what I found?

A petition to equate DDOS attacks with a protest march.  In other words, DDOS is just a form of free speech!

https://petitions.whitehouse.gov/petition/make-distributed-denial-service-ddos-legal-form-protesting/X3drjwZY

I think the big flaw in the petition is that individuals hitting reload on a web site is very different from pointing a botnet at a web site, or sending a hundred ping-of-death packets to a web site.

For better or worse, it looks like the petition is not getting much support.

Goodbye Passwords, Don't Let The Door Hit You ...


Google already provides a version of two-factor authentication for gmail - by sending you a one-time password via SMS when you log in.  But now they're looking to take it all the way and be done with the password.

http://www.wired.com/wiredenterprise/2013/01/google-password/

I've been toying with trying the Yubico authentication token.  Maybe it's time ...

What Can We Learn from Pickpockets?


I thought the following was really interesting ... an insider's view of pickpocket "technique".


http://www.newyorker.com/reporting/2013/01/07/130107fa_fact_green?currentPage=all



So what can we as IT security folks learn from pickpockets? It turns out that pickpockets are ultimately experts in distraction, and distraction might be a useful tool in an attacker's toolkit.

It has obvious implications for social engineering, but I think distraction can also be a useful technical tool.  For example, the claim is that the recent rash of DDOS attacks against banks is meant to distract them from more subtle attacks focused on stealing money.

If you find that your web site is being barraged by a senseless DOS, maybe there's something else going on in another part of your network also!

Wednesday, January 16, 2013

This is why we review our logs ...


Presented here for your amusement ... A variation of the Insider Threat in which our intrepid insider (who works for a "Critical Infrastructure" entity) finds it convenient to FedEx his actual RSA SecurID token to somebody in China.  He did this so the person could VPN into the corporate network.  And no, he wasn't selling secrets to the Chinese.  And no, it wasn't to a co-worker. :-)

Here's the original report (must have been a fun investigation):

http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/

I'm casting about for an explanation of why a sane, experienced and apparently intelligent man could do something this monumentally stupid.  Crystal Meth?

The only thing stupider would be if he wasn't caught ... which he wasn't for quite a while.
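Since the post's title is the real lesson, here is an added example (not code from the post or from the linked Verizon report) of the two VPN log checks that would have surfaced a case like this early: a session whose source address geolocates outside the countries the organisation's staff connect from, and two sessions for one user that are active at the same time from different source addresses. The session records, the stand-in GeoIP table and the expected-country list are all constructed for the example; a real deployment would feed it concentrator logs and a GeoIP database.

```python
"""Flag VPN sessions worth an analyst's attention:
 - sessions from outside the expected countries, and
 - overlapping sessions for one user from different source addresses.

Added example, not from the original post or the linked case study.
The session records, the GeoIP stand-in and the country list are constructed.
"""
from datetime import datetime

# Assumed: countries from which this organisation's staff legitimately connect.
EXPECTED_COUNTRIES = {"US"}

# Constructed stand-in for a GeoIP lookup, keyed by source address.
GEO = {
    "203.0.113.7": "CN",
    "198.51.100.22": "US",
    "192.0.2.5": "US",
}

# Constructed VPN concentrator records: (user, source, start, end), ISO timestamps.
# "bob" has a normal workday session plus a second one from abroad that overlaps it.
SESSIONS = [
    ("bob",   "198.51.100.22", "2013-01-08T08:55:00", "2013-01-08T17:10:00"),
    ("bob",   "203.0.113.7",   "2013-01-08T09:30:00", "2013-01-08T14:00:00"),
    ("alice", "192.0.2.5",     "2013-01-08T07:00:00", "2013-01-08T12:00:00"),
    ("alice", "192.0.2.5",     "2013-01-08T13:00:00", "2013-01-08T18:00:00"),
]


def parse(records):
    """Turn raw records into (user, ip, start_datetime, end_datetime) tuples."""
    return [
        (user, ip, datetime.fromisoformat(start), datetime.fromisoformat(end))
        for user, ip, start, end in records
    ]


def foreign_sessions(sessions, expected=EXPECTED_COUNTRIES, geo=GEO):
    """Sessions whose source is outside the expected countries (unknown counts too)."""
    return [
        (user, ip, geo.get(ip, "??"))
        for user, ip, _start, _end in sessions
        if geo.get(ip) not in expected
    ]


def overlapping_sessions(sessions):
    """(user, ip_a, ip_b) for each pair of a user's sessions that are active at the
    same time from two different source addresses."""
    by_user = {}
    for sess in sessions:
        by_user.setdefault(sess[0], []).append(sess)
    hits = []
    for user, sess in by_user.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                a, b = sess[i], sess[j]
                # Two intervals overlap when each starts before the other ends.
                if a[1] != b[1] and a[2] < b[3] and b[2] < a[3]:
                    hits.append((user, a[1], b[1]))
    return hits


if __name__ == "__main__":
    parsed = parse(SESSIONS)
    for user, ip, country in foreign_sessions(parsed):
        print(f"foreign source: {user} from {ip} ({country})")
    for user, ip_a, ip_b in overlapping_sessions(parsed):
        print(f"concurrent sessions: {user} from {ip_a} and {ip_b}")
```

On the sample data only bob trips either check; alice's two sessions come from the same address and do not overlap, so she stays quiet. Either finding on its own is a reason to pick up the phone, and the overlap check works even where geolocation is unavailable.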



Tuesday, January 15, 2013

More State Sponsored Hacking - Red Dawn


We've reached the point that this should inspire a yawn, but I'm still surprised to hear about another persistent long-term information warfare effort being discovered.

In this case, for at least 5 years somebody has been compromising diplomatic and government computers in a variety of countries - stealing classified documents the whole time.

http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies#page_top

This is still being researched, so we've yet to learn the full extent of this attack ...


Pentesting with the Raspberry Pi


I love the flood of cheap computing resources.  I've got a Raspberry Pi sitting on the shelf now, just waiting for me to have a bit of spare time.

Here's a blog entry from last summer that I just came upon, where g13net ported BeEF to the Raspberry Pi.

http://blog.beefproject.com/2012/07/raspberry-pi-with-side-of-beef.html

It turns out, this is just part of g13's pentesting toolkit for the Raspberry:

https://github.com/g13net/PwnBerryPi

Looking at G13's blog, I also found a reference to another pentesting distribution for the Raspberry:

https://github.com/pwnieexpress/Raspberry-Pwn


Saturday, January 12, 2013

Fundamental Bug - 4 Years of Bad Stock Trades


Not exactly a security issue, but it ought to be.  The third largest US stock exchange operator had a systematic bug in its trading software. It was undiscovered for over 4 years and it cost their clients over $400k - not a lot of money relatively speaking.  But it's been there for 4 years!!

http://www.bloomberg.com/news/2013-01-10/bats-says-system-errors-caused-pricing-problems-over-4-years-1-.html

How could this not be found in testing?  What does their software life-cycle look like?  What other undiscovered bugs are lurking in their system?


Wednesday, January 9, 2013

ABEND


For those who think "mainframes are dead", or worse yet boring - here are a few tidbits about current mainframes.  They can be just as vulnerable as "regular" computers.  :-)

https://isc.sans.edu/diary/The+80%27s+called+-+They+Want+Their+Mainframe+Back%21/14869

BTW, here's another resource:

http://iase.disa.mil/stigs/os/mainframe/z_os.html

Unfortunately, I couldn't find the WOPR STIG - but I'll keep looking.

Stop me before I buy again

I couldn't resist, I just ordered a TP-Link WR703N wireless router.

The thing is smaller than a credit card (5.7 x 5.7 x 1.8 cm) and can be hacked to run dd-wrt.  It's got an Ethernet and USB port.  Oh, and it can be had for around $25! And it's tiny!

It's a very low power device; allegedly it averages 0.5 watts - the WIFI antenna is just a corner of the circuit board, so the range is limited.  It's only got 4 MB of Flash and 32 MB of RAM, so it's a tight computing platform.  But it's only $25.  And it's tiny!

The user interface is only in Chinese, and it's manufactured in China.  So both for usability, and so that I can have some sense of trust in it, I think installing dd-wrt is mandatory.

There is a major fly in the ointment though.  In the last month or so, the factory introduced a code change that breaks dd-wrt.  The dd-wrt folks are working on a fix, so it sounds like the issue will be resolved soon.

I'll probably just use it as a portable WIFI for when I'm on the road.  But lots of other folks are using it for more advanced projects.

Some links:

http://www.cnx-software.com/2012/07/19/tp-link-wr703n-23-hackable-openwrt-wi-fi-802-11n-router/
http://dangerousprototypes.com/forum/viewtopic.php?f=19&t=4325&p=42562#p42562
http://www.instructables.com/id/How-to-set-up-OpenWRT-on-a-pocket-router-WR703N/
http://wiki.openwrt.org/toh/tp-link/tl-wr703n
http://www.tp-link.com.cn/pages/product-detail.asp?d=225  (manufacturer's page, in Chinese. Google translate does a pretty good job with it)

dd-wrt page for this device.  Check here to see if the current problem has been fixed.
http://wiki.openwrt.org/toh/tp-link/tl-wr703n




Where's Ralph Nader when you need him?

Here's a nice, detailed, review of Moxie Marlinspike's NT hash cracking service.  You send them a "token" derived from a captured NT hash, and for $200 off your credit card, they'll send you a DES key which collides with the "original" key to produce the captured hash.

In the article, they go through the process of using arpspoof to collect an iPhone's VPN connection and then using Marlinspike's service to obtain a collision key to subvert the PPTP VPN connection.  The review provides a clear description of how to go through the process and effectively makes the point that using PPTP is a very bad idea these days.

However, to me the really interesting part is that the article is something of a review of Marlinspike's service, and ends up being a mixed review.  It's a mixed review not because it doesn't work, but because the customer service is lacking in niceties - not enough hand holding and not providing a credit card receipt!  This is an online key cracking service that can be used for very malicious purposes, and the review is dinging them the way most people would ding Sears.  In other words, hacking ... compromising cryptographic authentication systems ... is starting to become a retail service!

http://h-online.com/-1716768

I'm waiting for the Consumer Reports review.

Monday, January 7, 2013

Software Radio ... very cool

Remember when we used to walk around with modified Pringles cans as WIFI antennas?   How quaint!

Soon, receiving or transmitting data via radio will simply be a software problem.  Grab a module via CPAN and hack up some code.

http://h-online.com/-1775971


Ignoring the obvious stuff (digital cell phones, Bluetooth, WIFI, NFC, RFID), any bets on when a generic Tempest viewer will be on BackTrack?  :-)

With the advent of ubiquitous software radio, I think that radio will be the next domain for security challenges.

I can hardly wait ...



Intro

This blog is where I collect "things" related to computer security.  

A "thing" could be a reference to news or some analysis that I consider worth noting, a dangerous or elegant attack, a cool tool or something that I've done and feel is of interest to others.  If I'm feeling lost in Cyberspace, I may post a plea for help here.

If my first response is "OK, now we're really doomed", it'll likely end up here.

Everything here is my opinion and does not represent that of my employer or the alien slug attached to my brain stem.