Ode to the holidays

Wednesday, 5. January 2011

Twas the hours before takeoff, and all through the terminal
all peoples were surfing, clicking their mouse;
crowds eyed the power outlets with care
hoping the jerk with the ipad would soon leave there.
The script kiddies cackled with glee
while visions of pownage danced in their heads.
and me on my slappy, sipping my whiskey,
had just settled in for a long network cap.
When out on the network, there was such a dump
I sprang to the keys, and started to clatter
Clicking my windows away with a flash
Tore open the packets, and filtered my stash
Airmon on the wifi in promiscuous mode,
gives spotlights into the traffic below
When, what to my wondering eyes should appear
but a batch of cookies, all on the air here
And a little old auth cookie, so fresh and now cached
I knew in a moment it must be facebook.
more rapid than D0D, their auth had been powned
I snickered, and frowned, and called them bad names
freacking 1d10T, PebCak, m0r0n, and louse
oh n00bs, oh wetware, oh dumbdumbs and accountants
To the ssl site, to the encrypted tunnel!
Now https, https, https all!

Firesheep Mitigation Strategies – A review

Wednesday, 8. December 2010

Firesheep: http://codebutler.com/firesheep

Firesheep is a Firefox add-on that makes sidejacking a session as easy as clicking a button. Sidejacking, or session hijacking, is essentially sniffing someone's session cookies off the network and replaying them. This lets you use their authenticated session as if you were that person. It only works because the cookies cross the wire (or the air) in the clear; an attacker on the same open wifi needs nothing more than a capture.

There are two "mitigation" programs being touted around the internet.
We tested each of them this past evening at Black Lodge Research (www.blacklodgeresearch.org).

FireShepherd:

http://downloadsquad.switched.com/2010/10/29/fight-firesheep-with-fireshepherd/

This program, in essence, floods the network with nonsense packets designed to crash Firesheep.
The packets hit the wire with the following headers (the string-building code as FireShepherd ships it; the last line was cut off in our copy):

request+="GET /packetSniffingKillsKittens HTTP/1.1\r\n";
request+="Host: www.facebook.com\r\n";
request+="User-Agent: Mozilla\r\n";
request+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
request+="Accept-Language: is,en;q=0.7,en-us;q=0.3\r\n";
request+="Accept-Encoding: gzip,deflate\r\n";
request+="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
request+="Keep-Alive: 115\r\n";
request+="Connection: keep-alive\r\n";
request+="Referer: http://www.facebook.com/\r\n";
request+="Cookie: lsd=spsse; c_user=666660000; sct=01010101; sid=0; xs=3randomhashyes666666666;

Firesheep had no issue functioning while FireShepherd did its worst. It did begin to fill Firesheep's buffer, but the sheep never crashed. Because every decoy request carries the same hard-coded cookie, Firesheep could avoid this mitigation attempt entirely by filtering out c_user=666660000.

Blacksheep

http://www.zscaler.com/blacksheep.html

Blacksheep seems to work off a similar idea but takes it a step further. It drops fake credentials onto the network and then tries to detect someone using those credentials to log in. It is an interesting concept, but it seems to us that you would have to sniff packets yourself to see whether anyone is replaying the fake credentials. In other words, to defend your login, you need to sniff traffic.

We implemented Blacksheep, and it was quite easy to differentiate between real and fake credentials on the wireless.
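To show concretely why FireShepherd's flood is filterable and what the Blacksheep idea actually requires, here is an added example (our own code, not Firesheep, FireShepherd or Blacksheep source). The captured requests and MAC addresses are constructed; the only value taken from the text above is FireShepherd's fixed decoy cookie c_user=666660000. The same parser serves both sides: the attacker harvesting sessions and dropping decoys, and the defender watching for a planted canary being replayed from a different client.

```python
"""Sidejacking triage on a captured plaintext HTTP stream.

Added example, not part of the original post or of Firesheep/FireShepherd/
Blacksheep. The captured requests below are constructed for illustration;
the only value taken from the post is FireShepherd's fixed decoy cookie
c_user=666660000.
"""
import re

# Constructed capture: (client_mac, raw_request) per plaintext HTTP request
# seen on the open wireless. Real traffic would be pulled from a pcap.
CAPTURE = [
    ("aa:aa:aa:aa:aa:01",                     # a real user browsing over http
     "GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
     "Cookie: c_user=1000123; xs=real-session-token-1; datr=abc\r\n\r\n"),
    ("bb:bb:bb:bb:bb:02",                     # FireShepherd noise, same decoy each time
     "GET /packetSniffingKillsKittens HTTP/1.1\r\nHost: www.facebook.com\r\n"
     "Cookie: lsd=spsse; c_user=666660000; sct=01010101; sid=0; "
     "xs=3randomhashyes666666666\r\n\r\n"),
    ("bb:bb:bb:bb:bb:02",
     "GET /packetSniffingKillsKittens HTTP/1.1\r\nHost: www.facebook.com\r\n"
     "Cookie: lsd=spsse; c_user=666660000; sct=01010101; sid=0; "
     "xs=3randomhashyes666666666\r\n\r\n"),
    ("cc:cc:cc:cc:cc:03",                     # Blacksheep-style canary planted by a defender
     "GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
     "Cookie: c_user=4242; xs=canary-xs-value\r\n\r\n"),
    ("dd:dd:dd:dd:dd:04",                     # someone replaying that canary from another MAC
     "GET /profile.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
     "Cookie: c_user=4242; xs=canary-xs-value\r\n\r\n"),
]

DECOY_COOKIES = {"c_user": "666660000"}   # FireShepherd's constant decoy (from the post)


def parse_request(raw):
    """Return (host, path, cookies) for one raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"^[A-Z]+\s+(\S+)\s+HTTP/1\.[01]$", lines[0])
    path = m.group(1) if m else None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    return headers.get("host"), path, cookies


def is_decoy(cookies):
    """One comparison is all it takes to drop FireShepherd's traffic."""
    return any(cookies.get(k) == v for k, v in DECOY_COOKIES.items())


def harvest_sessions(capture, session_keys=("c_user", "xs")):
    """Attacker's view: usable session cookies per client, decoys removed."""
    sessions = {}
    for mac, raw in capture:
        host, _, cookies = parse_request(raw)
        if host != "www.facebook.com" or is_decoy(cookies):
            continue
        if all(k in cookies for k in session_keys):
            sessions[mac] = {k: cookies[k] for k in session_keys}
    return sessions


def detect_canary_replay(capture, canary_xs, owner_mac):
    """Defender's view (the Blacksheep idea): other MACs seen using our canary."""
    return sorted({mac for mac, raw in capture
                   if parse_request(raw)[2].get("xs") == canary_xs and mac != owner_mac})
```

The harvest side shows that the attacker needs one comparison to discard the decoys; the canary side shows that the defender learns anything only by parsing the same traffic, which is the point made above.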

In summary:

Neither tool provides any real protection from Firesheep. Why were they released? Simple:
“They released them to be first to release a mitigation. It doesn’t have to be great when you are first. Much like virginity.”

We explored real mitigation strategies:

1. Utilize SSL. HTTPS Everywhere is a nice Firefox plugin that helps enforce it: https://www.eff.org/https-everywhere/
2. Utilize VPN tunnels/SSH proxies to securely tunnel the traffic out of the wifi.

As you can see, real mitigation comes down to wrapping the cookies in some form of encryption before they leave the machine. That was the best mitigation strategy we could devise. One caveat: HTTPS Everywhere can only force HTTPS on sites that actually offer it, and a VPN or SSH tunnel protects every site but only as far as the tunnel endpoint; from there to the site the traffic is as exposed as before.
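The server side of the same problem is worth checking too: a browser will send a cookie on a plain http:// request to the host unless the cookie was set with the Secure attribute, so client-side HTTPS enforcement only closes the hole when the site also flags its session cookies. Here is an added audit script (ours, not from the post or any of the tools above) that parses Set-Cookie headers and reports session cookies that can still be sidejacked; the response headers and the list of "session-looking" names are constructed assumptions.

```python
"""Audit Set-Cookie headers for session cookies that can leak over plaintext.

Added example, not from the original post. The responses below are constructed.
Assumption (not stated in the post): a cookie without the Secure attribute is
sent by the browser on any http:// request to the host, so HTTPS Everywhere on
the client only helps if the server also marks session cookies Secure.
"""
SESSION_HINTS = ("sess", "sid", "xs", "c_user", "auth", "token")   # constructed heuristics

# Constructed Set-Cookie headers as a server might emit them.
RESPONSE_HEADERS = [
    "Set-Cookie: c_user=1000123; Path=/; Domain=.example.com",
    "Set-Cookie: xs=abcdef; Path=/; HttpOnly",
    "Set-Cookie: sessionid=deadbeef; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, value, attrs


def looks_like_session(name):
    """Heuristic: cookie names that usually carry an authenticated session."""
    n = name.lower()
    return any(h in n for h in SESSION_HINTS)


def audit(headers):
    """Return {cookie_name: [findings]} for session cookies that can be sidejacked."""
    findings = {}
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if not looks_like_session(name):
            continue
        probs = []
        if "secure" not in attrs:
            probs.append("missing Secure: sent on plaintext http:// requests")
        if "httponly" not in attrs:
            probs.append("missing HttpOnly: readable by injected script")
        if probs:
            findings[name] = probs
    return findings
```

Run it against a site's real login response and anything it reports under "missing Secure" is exactly what Firesheep picks up when a user later follows any http:// link to that host.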

Tuesday, 12. October 2010

October


Cyber Security Awareness Month

Please take a moment and review these 10 tips for keeping you safe and secure online.

1. Use strong passwords, and keep them private.
- A strong password is at least 8 characters long and mixes letters, numbers and special characters.

2. Change passwords often, at least once per year.

3. Be conscious of where you enter your password.
- Think twice before accessing your bank accounts from a shared computer.

4. Be careful who you share your PII (Personally Identifiable Information) with.
PII is information that, alone or combined with other pieces of PII, can be used to uniquely identify an individual. This can include:
- Social Security Number
- Full Name
- Address
- Phone Number
- License Number
- License Plate
- Birthday
- Birthplace
Whenever someone asks you for identifying information, ask yourself "Why do they need that?"

5. Lock your computer when you're away. A couple of keystrokes can save you from becoming a victim.
- In Windows, hold the Windows key and press L (Win + L).
- In Ubuntu, you can press   Ctrl + Alt + L.

6. Freebies often aren’t.
- Many “free” downloads on the internet contain spyware or malware. Be aware of what you are downloading and installing onto your computer.

7. Don't tell the world when you're away from home.
- Social media is a powerful communications tool. Like all tools, it can be used for good or evil. Telling the world that you are vacationing in the Bahamas for the next week may sound harmless, but to a thief it is valuable intel. Wait until you get home to post those photos from the beach.

8. Stay up to date.
- Technology is ever evolving, and security is at the forefront of that evolution. As new attacks and weaknesses are discovered, you must take action to defend against them. Keep your systems up to date with patches and updates, whether automatically or manually.

9. Be aware of your surroundings.
- When accessing any sensitive site (banks, email, records) you should see an https:// URL in the browser. If the site is not SSL secured, think twice before submitting your personal data and passwords to it.
- http://www.us-cert.gov/ - not secured by SSL
- https://www.us-cert.gov/ - secured by SSL

10. Don't be a click monkey.
- Take a moment to read a window when it pops up instead of speed-clicking through. You never know what you are clicking OK to.

For further reading:

Please note: there are exceptions to every rule, and security tips are no exception :) . These tips are only rough guidelines. Surf smart, live smart, people.

Defcon: The review

Tuesday, 3. August 2010

Summation of Defcon 18: Awesome.

Pros: 10,000+ people, including some of the brightest minds in security. Terrific contests, great hacker talks, and just the right amount of party.

Major thanks to all the organizers, vendors, speakers and most of all the Goons. Ever try herding 10,000 cats? The Goons did it, and did it well.

Cons: Major long lines for Friday/Saturday talks (blame Dan Kaminsky?), power being out in the hotel room for about 15 hours (I swear we left the mainframe at home....), and some blistering heat the two times I dared venture outside the safety of the compound.

Top personal moment from the con:  Social-engineering contest, hands down.

Port 5060 sources on the Rise?

Thursday, 8. July 2010

Take a moment and check out:    ISC SANS PORT 5060

It appears that the sources/day count was on the rise again. I recently ran into a situation where it appears someone used the wunderbar_emporium root kit to own a system. The system then started attempting traffic out on 5060.

So, apparently wunderbar_emporium was mitigated by a kernel update: http://serverfault.com/questions/72986/how-to-prevent-wunderbar-emporium-rootkit , but of course a lot of enterprise systems do not do frequent kernel updates. It's not practical, cost effective, or even possible in many HA environments. You have to fight to get an hour-long change window at times.

It appears that the code takes advantage of CVE-2009-2692
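The one observable the post gives, a host that suddenly starts talking outbound on 5060, is easy to watch for at the firewall. Here is an added example (our code, not from the post or the ISC page) that parses constructed iptables LOG lines and flags internal sources that reached several SIP targets; the addresses, the PBX allowlist and the thresholds are assumptions.

```python
"""Flag internal hosts that start sending SIP (port 5060) traffic outbound.

Added example, not part of the original post. The lines below are constructed
in iptables LOG format with RFC 5737 documentation addresses; the post's own
observation is only that a compromised host began attempting traffic out on
port 5060, so the thresholds and the PBX allowlist are assumptions.
"""
import re
from collections import defaultdict

LOG_LINES = [
    "Jul  8 09:00:01 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.9 PROTO=UDP SPT=5060 DPT=5060",
    "Jul  8 09:00:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.10 PROTO=UDP SPT=5060 DPT=5060",
    "Jul  8 09:00:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.4 PROTO=UDP SPT=5060 DPT=5060",
    "Jul  8 09:00:03 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.5 PROTO=TCP SPT=41000 DPT=5060",
    "Jul  8 09:00:05 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.20 PROTO=UDP SPT=5060 DPT=5060",
    "Jul  8 09:00:06 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.21 PROTO=UDP SPT=5060 DPT=5060",
    "Jul  8 09:00:07 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.22 PROTO=UDP SPT=5060 DPT=5060",
    "Jul  8 09:00:08 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=203.0.113.9 PROTO=UDP SPT=5060 DPT=5060",
    "Jul  8 09:00:09 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.30 DST=203.0.113.9 PROTO=TCP SPT=51000 DPT=443",
    "Jul  8 09:00:10 fw kernel: some unrelated syslog line",
]

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")

KNOWN_SIP_HOSTS = {"10.0.0.5"}   # constructed: the site's legitimate PBX


def parse_line(line):
    """Return the src/dst/proto/dpt fields of one iptables LOG line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def sip_talkers(lines, port=5060):
    """Map each source address to the distinct destinations it hit on `port`."""
    talkers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dpt"] == port:
            talkers[rec["src"]].add(rec["dst"])
    return talkers


def suspicious_sources(lines, min_targets=2, allow=KNOWN_SIP_HOSTS):
    """Sources (other than the known PBX) that reached several SIP targets."""
    return sorted(src for src, dsts in sip_talkers(lines).items()
                  if src not in allow and len(dsts) >= min_targets)
```

A single outbound 5060 packet from a workstation is worth a look on its own; the distinct-target count is there so a host that is scanning or registering with many SIP endpoints stands out from one that made a single call.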

Now the fun begins, I get to peer into the source code of wunderbar and see if I can figure out what makes it tick.  Probably not, but hey, maybe I get lucky.

Youtube of exploit

Next of the Gardening channel, Spy vs Spy!

Wednesday, 30. June 2010

Spy Story

How successful is a spy? Well, when your neighbors only have this to say when you're arrested:

”They couldn’t have been spies,” she said jokingly. ”Look what she did with the hydrangeas”

You must be doing pretty well. At least now we know that Russian intelligence training includes botany.

On a more techie note, apparently some of the communication techniques used involved steganography. To sum up, steganography is hiding data inside another file, typically an image, whether the hidden data is another image, text, or something else. Done well, the carrier file still looks and behaves like an ordinary picture.
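To make the idea concrete, here is an added example (our code, not from the post or the case it describes) of the simplest form, least-significant-bit embedding: each payload bit replaces the low bit of one pixel, so no pixel value moves by more than one and the image looks unchanged. The cover "image" is a constructed byte buffer of grayscale pixels; a real image would be decoded to a buffer like it first.

```python
"""Least-significant-bit steganography on a grayscale pixel buffer.

Added example, not from the original post or the case it describes. The
"cover image" is a constructed bytearray of 8-bit pixel values; a real image
would be decoded to a buffer like this first. Each payload byte is spread over
the low bit of eight consecutive pixels, after a 16-bit big-endian length.
"""

# Constructed cover: 64x64 grayscale pixels with a deterministic pattern.
COVER = bytearray((i * 37 + 11) % 256 for i in range(64 * 64))


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, payload):
    """Return a copy of `pixels` whose low bits carry len(payload) + payload."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit length field")
    framed = len(payload).to_bytes(2, "big") + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("cover image too small for this payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(_bits(framed)):
        out[idx] = (out[idx] & 0xFE) | bit   # replace only the LSB
    return out


def _read_bytes(pixels, offset, count):
    """Reassemble `count` bytes from the LSBs starting at pixel `offset`."""
    out = bytearray()
    for b in range(count):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (pixels[offset + b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def extract(pixels):
    """Recover the payload written by `embed`."""
    length = int.from_bytes(_read_bytes(pixels, 0, 2), "big")
    return _read_bytes(pixels, 16, length)


def max_pixel_change(cover, stego):
    """How far any pixel moved; LSB embedding never changes one by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))
```

The same bit-plane trick is also why this kind of stego is fragile: any lossy re-encoding of the image rewrites the low bits and destroys the message, which is one reason more careful schemes exist.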

Pacman the show?

Wednesday, 23. June 2010

Pac-man returns?

A kids' TV show revolving around Pac-Man? So, he's a slacker who eats some magic pills, gets really hungry, and ends up running around trying to eat ghosts?

Some games should not be TV shows..

SSL by default? You're mad! Simply mad!

Friday, 18. June 2010

EFF launches Firefox plugin to use ssl by default

Check it out. Install it for your friends, family and loved ones, because most likely they won't ever hear about it otherwise.

 Only you can prevent unencrypted transmission of private data.

Delivering more than before, AT&T PT2

Monday, 14. June 2010

Welcome again to another look at the AT&T mishap. Part two of our story takes us deep into the realm of the deadly SIM...

In summary, researchers have shown that some of the major telecommunications carriers make it possible to determine your IMSI from your ICCID. What once was not a big deal now becomes more of a problem.

The IMSI (International Mobile Subscriber Identity) can theoretically give a malicious attacker the ability to track you, intercept traffic (with some work, tinkering, and tower action) and perform other nastiness.

Chris Paget posted quite a nice blog on it.

Your world delivered.. along with your email address

Wednesday, 9. June 2010

Apple Insider Story

“Black hat hackers have exploited a security flaw on AT&T’s web servers which enabled them to obtain email addresses from the SIM card addresses of iPad 3G users. “ 

Alright people, let's take a moment to consider this. AT&T's servers would respond to a specific HTTP request containing a user's ICC-ID with the email address associated with that account.

Bad?  YES.   

End of the world? No. Email addresses really are not secret data. Yes, it is annoying that someone now has the email addresses for a slew of government, .mil, CEO and other high-end individuals. Will there be a huge security backlash due to this? Most likely not.

What has happened? A prebuilt list of verified emails gives spammers and other nefarious folks (phishers, etc.) a nicely built target list of known-good addresses.

How is this different from day to day? Without the list, the "attacker" would have to send "discovery" emails to variations on email addresses to find out which are live and which are not. If the discovery email is not bounced back as "no such address", it is possible they found a right one. Downside for them: many companies use filters or catch-alls to make sure that bounce-back messages never go out.
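What made the AT&T list cheap to build was that one client could walk through ICC-IDs one after another and read the answer each time. From the operator's side that pattern is visible in the access log, so here is an added example (our code, not from the post or the incident) that spots a client querying many distinct identifiers or walking them in sequence. The endpoint path /lookup, the client addresses and the log lines are constructed, since the post does not give the real request; the ICC-IDs are made-up digit strings with a valid Luhn check digit, which is how real ICC-IDs are formed.

```python
"""Spot identifier enumeration against a lookup endpoint in an access log.

Added example, not from the original post or the AT&T incident. The endpoint
path /lookup, the client addresses and the log lines are constructed (the post
does not give the real request); the ICC-IDs are made-up digit strings with a
valid Luhn check digit, which is how real ICC-IDs are formed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /lookup\?ICCID=(?P<iccid>\d+) HTTP/1\.1" (?P<status>\d{3})')


def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum (as ICC-IDs do)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def with_luhn(prefix):
    """Append the one check digit that makes `prefix` Luhn-valid."""
    return next(prefix + c for c in "0123456789" if luhn_ok(prefix + c))


# Constructed log: one client walks six consecutive ICC-IDs, one client looks
# up a single ID (a normal activation-style request), one never hits /lookup.
_ENUM_IDS = [with_luhn(str(890141032111111100 + i)) for i in range(6)]
ACCESS_LOG = [
    f'198.51.100.7 - - [09/Jun/2010:10:00:{i:02d} +0000] "GET /lookup?ICCID={iccid} HTTP/1.1" '
    f'{"200" if i % 2 else "404"} 54'
    for i, iccid in enumerate(_ENUM_IDS)
] + [
    '198.51.100.8 - - [09/Jun/2010:10:00:30 +0000] "GET /lookup?ICCID='
    + with_luhn("890141032199999900") + ' HTTP/1.1" 200 54',
    '198.51.100.9 - - [09/Jun/2010:10:00:31 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def lookups_by_client(lines):
    """Map client IP -> list of Luhn-valid ICC-IDs it queried."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and luhn_ok(m.group("iccid")):
            seen[m.group("ip")].append(m.group("iccid"))
    return seen


def longest_sequential_run(iccids):
    """Longest run of IDs whose bodies (check digit stripped) increase by one."""
    bodies = sorted({int(x[:-1]) for x in iccids})
    best = run = 1 if bodies else 0
    for a, b in zip(bodies, bodies[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def enumerators(lines, min_distinct=5, min_run=3):
    """Clients that queried many distinct IDs or walked them sequentially."""
    out = {}
    for ip, ids in lookups_by_client(lines).items():
        distinct, run = len(set(ids)), longest_sequential_run(ids)
        if distinct >= min_distinct or run >= min_run:
            out[ip] = {"distinct": distinct, "sequential_run": run}
    return out
```

Stripping the check digit before comparing is what makes the sequential test work: consecutive ICC-IDs differ in the body by one but in the full string by a seemingly random amount, so an attacker iterating the body and recomputing the checksum still shows up as a clean run.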

As for the ICC-ID, I can't comment; I'll have to trust the experts who say:

“Mobile security consultant and Nokia veteran Emmanuel Gadaix told us that while there have been “vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID… as far as I know, there are no vulnerability or exploit methods involving the ICC ID”

Let's watch and see if something spawns from this. The security company did say they shared the script with third parties....