Monday, February 8, 2010

Living at Shmoocon

Welp, I'm in Washington DC following the aftermath of Shmoocon 2010. Despite being an avid security/hacker con-goer, this was my first.
Let me start by saying that "aftermath" is no exaggeration. Between the 24+ inches of snow and the crazy antics one can only find at a hacker convention, aftermath may even be a weak term. Due to the snow, the city shut down... all forms of life ceased to exist and the president was driving a monster truck around town. Okay, not really, but my fellow Americans and I have been stuck in the hotel and in DC for the past 3 days with basically no place to go.
The conference itself was a great time. I always enjoy meeting a bunch of different people, and seeing familiar faces from other cons like DEFCON, which I try to attend as much as possible since first speaking there in 2007.
On to some more technical stuff... in my opinion the most exciting application to come out of Shmoocon this year was Airdrop-ng. Airdrop-ng is becoming another part of the Aircrack-ng suite of tools. Its purpose is to deauthenticate clients from wireless access points. Not only will it deauthenticate them, it will also keep them deauth'd. And the cool part about the whole thing is the ability to write rules on what to deny/allow access to. I think it will be a great tool and will be useful in penetration test type scenarios where rogue access points are in the scope of exploitation.
Some other talks I really enjoyed were the FireTalks: 15-minute blurb-type talks that get down to the point of the talk and just the details - my favorite. Two that stuck out were the Social Engineering Toolkit presentation by Dave Kennedy and the SHODAN for Penetration Testers talk by Michael Schearer. The Social Engineering Toolkit is basically a tool that will assist in Social Engineering type attacks - phishing, e-mails, etc. SHODAN is a machine search engine - it fingerprints headers from millions of IPs and puts them in a database for searching. Both of these tools are very useful and fun to toy around with. I would recommend picking up these slides after they've been published.
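To make the SHODAN idea concrete, here is an added example (not code from the original post and not anything the SHODAN project publishes): a tiny banner index. It pulls the product string out of a raw service banner the way a fingerprinter would, stores it in SQLite, and lets you search it by product or port. The banners and the 192.0.2.x addresses are constructed sample data, not real hosts.

```python
"""Minimal banner index in the style of a machine search engine.

Added example, not code from the original post or from SHODAN itself.
The banners below are constructed sample data (documentation IPs).
"""
import re
import sqlite3

# Constructed sample of what a banner grab returns: (ip, port, raw banner).
SAMPLE_BANNERS = [
    ("192.0.2.10", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Type: text/html\r\n\r\n"),
    ("192.0.2.11", 80, "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n\r\n"),
    ("192.0.2.12", 22, "SSH-2.0-OpenSSH_4.3\r\n"),
    ("192.0.2.13", 21, "220 ProFTPD 1.3.1 Server ready.\r\n"),
    ("192.0.2.14", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n\r\n"),
]

# Ordered regexes; the first one that matches the banner yields the product string.
FINGERPRINTS = [
    re.compile(r"^Server:[ \t]*(.+?)\r?$", re.M),  # HTTP Server header
    re.compile(r"^SSH-[\d.]+-(\S+)"),              # SSH version string
    re.compile(r"^220[ -](.+?)\r?$", re.M),        # FTP greeting
]


def fingerprint(banner):
    """Return the product/version string found in a raw banner, or None."""
    for pattern in FINGERPRINTS:
        match = pattern.search(banner)
        if match:
            return match.group(1).strip()
    return None


def build_index(records):
    """Load (ip, port, banner) records into an in-memory SQLite index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (ip TEXT, port INTEGER, product TEXT, banner TEXT)")
    conn.executemany(
        "INSERT INTO hosts VALUES (?, ?, ?, ?)",
        [(ip, port, fingerprint(banner), banner) for ip, port, banner in records],
    )
    conn.commit()
    return conn


def search(conn, term, port=None):
    """Find hosts whose banner contains `term`, optionally on one port."""
    sql = "SELECT ip, port, product FROM hosts WHERE banner LIKE ?"
    args = ["%" + term + "%"]
    if port is not None:
        sql += " AND port = ?"
        args.append(port)
    sql += " ORDER BY ip"
    return conn.execute(sql, args).fetchall()


if __name__ == "__main__":
    index = build_index(SAMPLE_BANNERS)
    for ip, port, product in search(index, "Apache/2.2.3"):
        print(ip, port, product)
```

The point of the exercise: everything the index knows about a host came from what the host volunteered in its first few bytes, so the same search that helps a pentester find targets is the one you should run against your own address space.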
In closing, I also picked up some physical hacking skills when I was here and honed my lockpicking skills a bit.
Overall a great time and something I will look forward to returning to. Hopefully with less snow.
Speaking of less snow... I hope I can get out of DC sometime today...

Saturday, February 6, 2010

ShmooCon 2010

Here I am at ShmooCon 2010, right in the middle of what people here in Washington DC are calling Snowpocalypse 2010. The Metro, buses, and taxis are all closed down and essentially the city has shut down. Being from Cleveland I find it a little laughable, but it’s still a pretty bad storm. Well, that hasn’t stopped ShmooCon from going strong.

This being my first hacker con, it took me a little while to get acclimated to what kind of talks would be interesting and relevant to me as a network/firewall security guy. The first talk I found interesting was about an OWASP project called OWASP BWA (Broken Web Applications). This project combines many of the web app testing programs into one place to help you sharpen your web app testing skills. You can install the ISO in a VM as a place to test against. BWA combines Mutillidae, WebGoat, etc., with some old versions of real programs like phpBB 2.0.0 and WordPress 2.0.0. Essentially it’s a one-stop shop for broken web apps. The thing I found especially interesting was that it integrates with many WAFs like mod_security. This way you can test your WAF (Web App Firewall) to see how much it’s really blocking. This seems like a decent way to audit your WAF yourself. It’s good from time to time to test your firewalls to make sure they’re blocking everything they claim/should be.
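As an added example (not from the original post, OWASP BWA, or mod_security), here is a small probe harness in Python that sends a fixed set of attack strings at a page behind a WAF and reports, per category, which came back blocked, which attack payloads got through, and whether a benign control request was wrongly blocked. The probe list, the target URL, the parameter name q, and the status codes counted as "blocked" are all assumptions to adjust for your own rule set; the sender is injectable so the scoring logic can be exercised offline.

```python
"""Probe harness: which attack payloads does the WAF actually block?

Added example, not code from the original post, OWASP BWA, or
mod_security.  The probe list, target URL, parameter name and the
status codes counted as "blocked" are assumptions.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed probes: (category, payload).  Extend per your rule set.
PROBES = [
    ("sqli",      "' OR '1'='1"),
    ("sqli",      "1 UNION SELECT username, password FROM users--"),
    ("xss",       "<script>alert(1)</script>"),
    ("xss",       "\"><img src=x onerror=alert(1)>"),
    ("traversal", "../../../../etc/passwd"),
    ("cmdi",      "; cat /etc/passwd"),
    ("control",   "hello world"),  # benign; a block here is a false positive
]

# mod_security's default disruptive action answers 403; adjust to your config (assumption).
BLOCKED_STATUSES = {403, 406}


def http_send(url, param, payload, timeout=5):
    """Real sender: GET url?param=payload and return the HTTP status code."""
    full = url + "?" + urllib.parse.urlencode({param: payload})
    try:
        with urllib.request.urlopen(full, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 and friends are raised, not returned


def run_probes(send, url, param="q", probes=PROBES):
    """Map each (category, payload) to 'blocked' or 'passed' using `send`."""
    return {
        (cat, payload): ("blocked" if send(url, param, payload) in BLOCKED_STATUSES else "passed")
        for cat, payload in probes
    }


def summarize(results):
    """Return ({category: (blocked, total)}, attack payloads that passed,
    benign payloads that were blocked)."""
    per_cat, leaks, false_positives = {}, [], []
    for (cat, payload), verdict in results.items():
        blocked, total = per_cat.get(cat, (0, 0))
        per_cat[cat] = (blocked + (verdict == "blocked"), total + 1)
        if cat == "control" and verdict == "blocked":
            false_positives.append(payload)
        elif cat != "control" and verdict == "passed":
            leaks.append(payload)
    return per_cat, leaks, false_positives


if __name__ == "__main__":
    # Assumed usage: python wafprobe.py http://<waf-fronted-bwa-host>/mutillidae/index.php
    target = sys.argv[1]
    per_cat, leaks, fps = summarize(run_probes(http_send, target))
    for cat, (blocked, total) in per_cat.items():
        print(f"{cat:10s} {blocked}/{total} blocked")
    for payload in leaks:
        print("PASSED        :", payload)
    for payload in fps:
        print("FALSE POSITIVE:", payload)
```

Run it once with the WAF in detection-only mode and once in blocking mode; the difference between the two "PASSED" lists is what the WAF is actually buying you, and the control probe catches the opposite failure, a rule set so aggressive it breaks the legitimate app.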

The other talk that I found interesting was a demonstration of a Perl script that someone wrote to exploit the most recent VMware vulnerability. Using an XSS attack, the script (called gueststealer) can be put onto the hypervisor, and it will steal the vmdk and vmx files of all the guest machines running there. So if you haven’t done your VMware patches, I suggest you start putting plans in place to get that done.

Another thing I’ve learned is a bit about lockpicking. I spent some time with some other con attendees learning how to pick from them. I got through a few 3-pin locks and a Master lock rather easily. It definitely scared me a little how easy it was. The easiest lock to get through, I thought, was the wafer lock, which you see a lot on filing cabinets and car doors. A set of wafer keys will get you into those cabinets and cars in literally seconds. It makes me glad our stuff is stored encrypted and not in a filing cabinet somewhere.

I spent Friday evening attending the FireTalks, a series of 15-minute talks not technically sanctioned by ShmooCon but with some talented people sharing what they know/learned/built. The most interesting of which was the SET v0.4 talk given by Dave Kennedy. He did a good job despite having real snowballs thrown at him while he was presenting. I’ve seen his work on SET presented before, but he has added some great features like exploits for Mac and Linux as well as Windows, which was the only OS supported before. He also put in self-signed Java applets so the user thinks the applet running is actually from the legitimate site that you just cloned. If you want to test how good your company’s security awareness policy is, use SET (shameless plug: and once you’ve tested, call us at Hurricane Labs to help you get to where you need to be).

I’m looking forward to more learning tomorrow and I’ll let you know what happens.

Talk to you then,


Matt




PS – You’re probably reading this on Saturday when I posted it. I didn’t post on Friday because the wireless here isn’t all that secure and I couldn’t pick up the wireless from our hotspot up in my room. In case you don’t know, NEVER use the wireless at a security conference. It’s just asking for trouble.

Thursday, January 14, 2010

CodeMash 2010

I've had the pleasure of spending yesterday and today (and I'll be here tomorrow too) at the 2010 CodeMash conference in Sandusky, at the spectacular Kalahari resort (if you've never been here, it's well worth it). We attended the "precompiler" presentations yesterday, and have been to 3 presentations so far today. While the conference seems very heavy on the Microsoft and Ruby fronts (almost every presentation has had C# or Ruby code, some of them have had both), there's a lot of good stuff to come away with anyway.

For example, the two presentations we attended yesterday discussed test-driven development, something I'd never experienced before. In addition, the presentations both discussed the merits of OOP, specifically when narrowing classes down to one particular function each. This was something I'd encountered before, but never really understood -- why would I want to create a class for something I'm only doing once in one place? It wasn't until discussing a very simple problem - how to write an application to handle cash register functions - that I finally understood, thanks to the help of a fellow attendee whom I'd never spoken to before, the instances when programming like that is especially useful.

The keynote today was presented by Mary Poppendieck, who explained to us how businesses can push responsibility and decision-making as far down as possible in the IT department in order to drive up efficiency and productivity. She also discussed at what point in the development cycle developers normally freeze changes to test for bugs. The most common response is 2/3 of the way through the cycle, but often as much as 1/2 of the cycle is devoted to testing. She went on to explain that the most efficient companies spend just 1/10th of the cycle on testing, as they've developed methods of identifying bugs earlier and/or preventing bugs to begin with.

Other than the keynote, we attended an excellent presentation introducing attendees to Adobe Flex, the open source SDK for creating Flash and Adobe AIR applications; a presentation introducing attendees to jQuery, a JavaScript library for manipulating the DOM, making AJAX requests, and creating animations; and a presentation on NoSQL, a group of alternative databases, such as CouchDB and Cassandra, that are less structured than typical databases such as MySQL or PostgreSQL.

All in all, this is so far an EXCELLENT conference, and if you do any sort of programming, I highly recommend attending next year. If nothing else, your hotel reservation includes passes to the waterpark :) But come for the waterpark, and stay for the talks.

Tuesday, January 12, 2010

Compliance and Security Through Open Source Technology - WEBINAR

Hurricane Labs had a webinar today on achieving compliance and security through Open Source technology. We had a great turn out and the attendees were able to take away with them some useful information.

Below is a link to the webinar recording. Feel free to check it out.
http://hlurl.com/6q

We will be doing this webinar again on February 9, 2010. If you would like to hear it live and be a participant so you can ask questions or add your comments, please register at http://hlurl.com/6l.

For more information about this event, please go to http://hlurl.com/5o. And, of course if you have any questions let us know by contacting sales@hurricanelabs.com.

Tuesday, December 8, 2009

So You Wanna Be a (Security) Superstar?

Written by Rick Deacon

Recently I've been faced with a very difficult type of question... and it isn't even technical. No, it's not the typical 'How do you find a buffer overflow?' or 'Can you write me code entirely in assembly... in 20 minutes?'... it's much more difficult to answer. Its answer, to many people, may be the 'key' they are looking for in this industry. The question is very often phrased as "So what did it take for you to get where you are?" or "How do I get into the security industry?" and even sometimes "How do I become a hacker?"

There are many different approaches to this subject, and I firmly believe there are only a few ways to truly succeed in security or IT in general. A lot of people assume four years of school is going to land you your dream job, where you're a hacker in your own peaceful office behind a wall of 6 monitors, watching packet captures fly by on one screen while simultaneously watching The Matrix on the other and texting your girlfriend(s) about which restaurant you're renting out tonight. That may work for some, but that doesn't always happen. In fact, most of the time it doesn't.

That same sort of mentality is what I see currently when people are picking their majors/careers, which, mind you, is a decision that usually affects you for the rest of your life. Many people tell me about how they know "a little" about computers but they're going to learn the rest of what they need, no problem... that's what school is for, right? Wrong. From my experience, it takes a lot more than just four years of school to get ahead, especially in security. It takes a mindset that pushes and drives you to understand what's going on at an intricate level. Taking a test and naming pieces of hardware off of a computer isn't going to get you very far. Certification courses and advanced networking courses are always going to help you learn and ARE necessary, but they're not going to teach you about the mental anguish you're going to endure when you try to apply the concepts and, for some reason unbeknownst to man, the darn thing just won't work. On that note... if you somehow think this won't ever happen to you, think again :).

This applies even more so to information security, because the knowledge that penetration testers, hackers, system administrators and developers have is far more than just what you learn in a book or from taking a quiz. It's a conglomeration of experimentation and research on your OWN time mixed with the drive to understand the inner workings of things that no normal human being should want to know. Falling into this sort of field very rarely happens, and the security mindset and mentality isn't something that can always be taught.

The whole concept and topic of teaching and learning on this subject is a whole blog in and of itself... but essentially you can never stop learning in this field. If you're not "with it" on what's going around in your industry or community, you might as well forget it. You won't ever get anywhere having a mundane view of what's going on. The security industry is dynamic. Visit any Full Disclosure mailing list or website and see how much is updated on a daily basis... it's somewhat ridiculous.

In the defense of all certification and course instructors out there, there is always something to learn. Sometimes the best way to learn is behind a desk listening to someone, whether it be a teacher or just someone who knows something you don't.

So back on direct topic here... what should someone do when they want to be part of this industry? Always be learning, always be listening and always be aware. Be learning about what's new and out there, and by that I don't mean just reading an article. If it's a new application, set up a personal 'testing' network and try it out. If it's a new vulnerability, set up a virtual machine and go hack yourself. Be listening to what people of intelligence have to say when it comes to the matter. If they know more than you, don't try to act like a know-it-all. It won't get you anywhere. Be aware, most importantly. Be aware of what's going on in the industry. A great place to do this is Twitter. You'd be surprised what can be learned by following some influential and smart people on Twitter. (Like @hurricanelabs and @rickdeaconx for example. ;))

Obviously there is not going to be a magic silver bullet. It's always going to take work and no one is going to give you the answer to solve all questions. Do what you love, and if you don't love to do it... don't bother. Especially in IT.

Friday, December 4, 2009

Four Steps to a Security Mindset

Written by: Matt Yonchak

If you’ve read our newsletters before, you know we’ve talked about securing things from networks to web apps, and hopefully we have given some perspective and tips for how to do so. Recently a colleague of mine (Rick Deacon) gave a talk here at our office about what the proper mindset for a security professional should be. It got me thinking about how to develop that way of thinking and approach to my work. I think it comes down to four ideas, and when you put them together it really helps you understand where we need to be and sometimes where we fall short. None of these things on their own necessarily equals security, but if you keep them in mind as you work I think it enables us to better secure the networks and information we’re tasked with keeping safe.

1 – Awareness

When I say awareness, I’m referring to an in-depth knowledge and understanding of your network as a whole. Knowing your network is so much more than having a Visio diagram. It’s seeing the big picture. It’s using all the tools at your disposal to put the puzzle pieces together. Where I think we get caught up is in our lack of vision. Events on our networks are not islands unto themselves and understanding those relationships is imperative to understanding the network from a security point of view. The other important step to network awareness is to have the proper tools in place. There are plenty of Open Source tools out there that will give you a better perspective into what’s happening on the network. Nagios, Snort, NTOP, OSSEC, and TCPTrack just to name a few. So in short my suggestions here would be to understand that you need to see the big picture and gather tools that can help you do so.

2 – Correctness

I think if you set something up correctly you inherently secure it better. Creating service accounts so things aren’t running as root or administrator, or formatting your firewall rulebase properly, are just a couple of examples of this. If we can stick to the fundamentals we really give ourselves a leg up on security. Now I understand that we aren’t always put in situations where we can make sure things are set up correctly. Everyone is handed things to secure that, when we look at them, make us scratch our heads and say “Really? You did it like that?”. Those situations are the world we live in, but be ready to Band-Aid those situations when they arise. If you’re handed poorly written code to secure, be quick with an application firewall to front-end it. A big part of this is a good security awareness program. If you can at least keep security in the back of the developers’ and application teams’ minds, you’re taking a step in the right direction.

3 – Attention to Detail

The devil is in the details, right? The same thing applies to security. I talked with our penetration testers and went over some of the common things they see when doing an assessment, and found that a lot of the problems could be corrected pretty easily by paying attention to the little things. Unnecessary services running, open ports that should be closed, and machines that aren’t patched are a few of the things that lead to bigger security issues. Those things are everyday problems that are sometimes overlooked. Patching, for example, seems routine, but wow, that’s a big one. Unpatched machines are like inviting hackers to come sit down at your unlocked computer. If we cut down on the small mistakes we limit the attack surface for the bad guys.
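Added example, not from the original post: a check for the "unnecessary services" item above, run over the output of ss -Hltnup (listening TCP/UDP sockets, numeric, with process names). It parses each listening socket, ignores ones bound only to loopback, and flags any exposed port that is not on an explicit allowlist, so the report is "what is listening that nobody signed off on" rather than a raw port dump. The sample output, the allowlist and the --live flag are constructed for the example.

```python
"""Flag listening services that are exposed but not on the allowlist.

Added example, not code from the original post.  Input is the text of
`ss -Hltnup` (listening TCP/UDP sockets, numeric, with process info);
the sample below is constructed, as is the allowlist.
"""
import re
import subprocess
import sys

# Constructed sample of `ss -Hltnup` output on a web server.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128          0.0.0.0:80        0.0.0.0:*    users:(("httpd",pid=1021,fd=4))
tcp   LISTEN 0      5          127.0.0.1:25        0.0.0.0:*    users:(("master",pid=930,fd=13))
tcp   LISTEN 0      50           0.0.0.0:3306      0.0.0.0:*    users:(("mysqld",pid=1188,fd=10))
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=640,fd=6))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
"""

# What this host is supposed to expose: (protocol, port).  Constructed.
ALLOWED = {("tcp", 22), ("tcp", 80)}

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(text):
    """Yield (proto, addr, port, process) for each socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("Netid", "Proto"):
            continue  # blank line or a header (when run without -H)
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # handles 0.0.0.0:22, [::]:22, *:22
        proc = PROC_RE.search(line)
        yield proto, addr, int(port), (proc.group(1) if proc else "?")


def is_loopback(addr):
    return addr.startswith(LOOPBACK_PREFIXES)


def audit_listeners(text, allowed=ALLOWED):
    """Return exposed listeners (proto, port, addr, process) not in `allowed`."""
    findings = []
    for proto, addr, port, process in parse_ss(text):
        if is_loopback(addr):
            continue  # reachable only locally; not an exposed service
        if (proto, port) not in allowed:
            findings.append((proto, port, addr, process))
    return findings


if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    text = subprocess.check_output(["ss", "-Hltnup"], text=True) if live else SAMPLE_SS
    for proto, port, addr, process in audit_listeners(text):
        print(f"UNEXPECTED {proto}/{port} on {addr} ({process})")
```

On the sample, MySQL on 3306 and rpcbind on UDP 111 are reported; the mail submission port stays quiet because it only listens on 127.0.0.1. Keep the allowlist in version control next to the host's build documentation so a new entry has to be a deliberate change.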

4 – Assurance (Auditing)

I don’t necessarily mean this in the normal “IT auditing” sense of the term. Think of it more as security auditing done by you. A big part of this is to audit your current infrastructure and see what steps can be taken to secure it better, but another part is basically upkeep. Make sure that the security countermeasures you have in place are actually still there and functioning. An example of this may be to make sure that hard disk encryption is on every laptop that your help desk builds and sends out to parts unknown. The goal here is constant vigilance. The security mindset is just as much about a healthy dose of paranoia as anything else and good checks on your current security measures will ensure that the devil in those details isn’t running loose on your network.
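Added example, not from the original post: an assurance check for the laptop disk-encryption item above. Given the JSON from lsblk -J -o NAME,TYPE,MOUNTPOINT, it walks from each required mountpoint up through its parent devices and reports whether a dm-crypt layer sits in that chain, which is the question "is this data actually encrypted at rest" rather than "does the build sheet say it should be". The two lsblk outputs and the list of required mountpoints are constructed.

```python
"""Assurance check: is each required mountpoint backed by a dm-crypt layer?

Added example, not code from the original post.  Input is the JSON from
`lsblk -J -o NAME,TYPE,MOUNTPOINT`; the two samples below are constructed.
"""
import json
import subprocess

# Constructed: LUKS on sda2 with LVM on top, cleartext /boot.
ENCRYPTED_LAPTOP = """{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}]}]}]}]}"""

# Constructed: same layout with the crypt layer missing.
PLAIN_LAPTOP = """{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
      {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}]}]}]}"""


def _mounts(node):
    """Mountpoints of one lsblk node; newer lsblk emits a 'mountpoints' list."""
    mounts = node.get("mountpoints")
    if mounts is None:
        mounts = [node.get("mountpoint")]
    return [m for m in mounts if m]


def find_chain(nodes, mountpoint, chain=()):
    """Depth-first search returning the tuple of device types from the
    top-level device down to the node mounted at `mountpoint`, or None."""
    for node in nodes:
        here = chain + (node.get("type"),)
        if mountpoint in _mounts(node):
            return here
        found = find_chain(node.get("children", []), mountpoint, here)
        if found:
            return found
    return None


def mount_is_encrypted(lsblk_json, mountpoint="/"):
    """True if a dm-crypt device is an ancestor of `mountpoint`, False if
    not, None if the mountpoint does not exist on this host."""
    tree = json.loads(lsblk_json) if isinstance(lsblk_json, str) else lsblk_json
    chain = find_chain(tree.get("blockdevices", []), mountpoint)
    if chain is None:
        return None
    return "crypt" in chain


def check_host(lsblk_json, required=("/", "/home")):
    """Per-mountpoint verdict for every mountpoint that must be encrypted."""
    return {mp: mount_is_encrypted(lsblk_json, mp) for mp in required}


def all_encrypted(verdicts):
    """Only an explicit True for every required mountpoint passes."""
    return all(v is True for v in verdicts.values())


if __name__ == "__main__":
    live = subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"], text=True)
    verdicts = check_host(live)
    print(verdicts, "PASS" if all_encrypted(verdicts) else "FAIL")
```

Run it from your configuration management or endpoint agent and alert on anything other than PASS; a None (mountpoint missing entirely) is just as much a finding as a False, because it means the build does not look like the standard image.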

Information security is sold by many vendors as exploits and hackers but the key to security really is in the details. If you understand what’s going on, you do things correctly from the outset, pay attention to the little things, and keep track of the measures you have in place, those exploits and hackers will sit knocking at your front door with no way in.

Sunday, November 29, 2009

Password hashes for Check Point Edge Appliances (Vulnerability Announcement)

Hurricane Labs has responsibly disclosed a security issue to Check Point Software related to their Edge line of products. The details are as follows:

Summary
-----

While writing a utility for a client to do automated password changes on a large installation of Edge appliances one of our engineers discovered a flaw in Check Point's password hash. The hash was completely predictable with some simple techniques (documented in the code). A utility was written that could both create a hash from an entered plain text password and reverse a given hash to plain text when entered.

-----

Severity
-----

We call this one a moderate vulnerability, as you can only get the hash from an exported configuration file, and simply protecting the admin interface and any exported files will protect against this exploit.

-----

Links
-----

edgepwutil Google Code Page
Check Point Software's Site
Check Point's Edge Product Page
Sofaware's website
Check Point's SK article

-----

Mitigation
-----

Protect access to the admin interface of your Edge box. Encrypt any exported configuration files lying around on filesystems, etc.

There is currently no firmware fix for this, but a SecureKnowledge article has been posted: sk43332.

-----

Affected Versions
-----

We believe that all versions of Check Point's Edge appliances and Sofaware's safe@office/home products are vulnerable.