Defcon: The review

Tuesday, 3. August 2010

Summation of Defcon 18: Awesome.

Pros: 10,000+ people, including some of the brightest minds in security. Terrific contests, great hacker talks, and just the right amount of party.

Major thanks to all the organizers, vendors, speakers and most of all the Goons.  Ever try herding 10,000 cats?  The goons did it, and did it well.

Cons: Major long lines for Friday/Saturday talks (blame Dan Kaminsky?), power being out in the hotel room for about 15 hours (I swear we left the mainframe at home…), and some blistering heat the two times I dared to venture outside the safety of the compound.

Top personal moment from the con:  Social-engineering contest, hands down.

Port 5060 sources on the Rise?

Thursday, 8. July 2010

Take a moment and check out: ISC SANS PORT 5060

It appears that the number of sources per day was on the rise again. I recently ran into a situation where it appears that someone had used the wunderbar_emporium rootkit to own a system. Afterwards, the system started attempting outbound traffic on port 5060.

So, apparently wunderbar_emporium was mitigated by a kernel update: http://serverfault.com/questions/72986/how-to-prevent-wunderbar-emporium-rootkit , but of course a lot of enterprise systems do not do frequent kernel updates. It’s not practical, cost-effective, or even possible in most HA environments. You have to fight to get a one-hour change window at times.

It appears that the code takes advantage of CVE-2009-2692.

Now the fun begins: I get to peer into the source code of wunderbar and see if I can figure out what makes it tick. Probably not, but hey, maybe I’ll get lucky.

Youtube of exploit
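A defender-side check for the behaviour described above, a host that suddenly starts reaching out on port 5060: this is an added example, not code from the post. The log lines, the allowlist of sanctioned SIP hosts and the alert threshold are all constructed or hypothetical.

```python
"""Flag internal hosts that start sending outbound SIP (port 5060) traffic.

Added example, not from the original post: the log lines, the allowlist of
sanctioned SIP hosts and the threshold are all constructed/hypothetical."""
from collections import defaultdict
import re

# Hypothetical: the only internal host that is supposed to talk SIP (the PBX).
KNOWN_SIP_HOSTS = {"10.0.0.5"}
SIP_PORT = 5060

# Constructed sample lines in an iptables-LOG-like format (not real traffic).
SAMPLE_LOG = """\
Jul  8 01:02:03 fw kernel: OUT SRC=10.0.0.5 DST=203.0.113.9 PROTO=UDP SPT=5060 DPT=5060
Jul  8 01:02:04 fw kernel: OUT SRC=10.0.0.42 DST=198.51.100.7 PROTO=UDP SPT=40011 DPT=5060
Jul  8 01:02:05 fw kernel: OUT SRC=10.0.0.42 DST=198.51.100.8 PROTO=UDP SPT=40012 DPT=5060
Jul  8 01:02:06 fw kernel: OUT SRC=10.0.0.42 DST=198.51.100.9 PROTO=UDP SPT=40013 DPT=5060
Jul  8 01:02:07 fw kernel: OUT SRC=10.0.0.42 DST=198.51.100.10 PROTO=TCP SPT=40014 DPT=443
Jul  8 01:02:08 fw kernel: OUT SRC=10.0.0.77 DST=192.0.2.1 PROTO=UDP SPT=50000 DPT=5060
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

def parse(log_text):
    """Yield (src, dst, proto, dport) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])

def find_sip_talkers(log_text, min_destinations=2):
    """Return {src: sorted destinations} for hosts outside the allowlist that
    contacted at least `min_destinations` distinct peers on port 5060.
    One outbound SIP packet can be benign; a non-PBX host spraying several
    peers is the pattern the post describes after the rootkit landed."""
    dests = defaultdict(set)
    for src, dst, proto, dport in parse(log_text):
        if dport == SIP_PORT and src not in KNOWN_SIP_HOSTS:
            dests[src].add(dst)
    return {s: sorted(d) for s, d in dests.items() if len(d) >= min_destinations}

if __name__ == "__main__":
    for host, peers in find_sip_talkers(SAMPLE_LOG).items():
        print(f"ALERT {host} -> {len(peers)} SIP peers: {', '.join(peers)}")
```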

Next on the Gardening Channel: Spy vs Spy!

Wednesday, 30. June 2010

Spy Story

How successful is a spy? Well, when your neighbors only have this to say when you’re arrested:

“They couldn’t have been spies,” she said jokingly. “Look what she did with the hydrangeas.”

You must be doing pretty well. At least now we know that Russian intelligence training includes botany.

On a more techie note, apparently some of the communication techniques used involved steganography. To sum up, steganography is hiding something within an image file, whether that be another image, text, or some other form of data, in a way that leaves the image looking unchanged to a casual viewer.
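To show what “hiding something within an image file” means in practice, here is least-significant-bit (LSB) steganography on a constructed 8-bit grayscale pixel buffer, together with the pairs-of-values statistic a defender can run over an image to spot it. This is an added example, not part of the original post; the cover buffer, payload and seed are constructed.

```python
"""LSB steganography on a raw 8-bit grayscale buffer, plus a simple detector.
Added example, not from the original post; all sample data is constructed."""
import random

def embed(pixels, payload):
    """Hide `payload` in the least significant bit of successive pixels.
    A 2-byte big-endian length prefix tells extract() where to stop."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(b >> i) & 1 for b in data for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit      # change only the LSB
    return bytes(out)

def extract(pixels):
    """Read the length prefix, then that many bytes, from the LSB plane."""
    def read_byte(offset):
        return sum((pixels[offset + i] & 1) << (7 - i) for i in range(8))
    length = (read_byte(0) << 8) | read_byte(8)
    return bytes(read_byte(16 + 8 * k) for k in range(length))

def pov_imbalance(pixels):
    """Pairs-of-values statistic: LSB replacement only moves a pixel between
    2k and 2k+1, so hidden (cipher-like) data drives the two histogram counts
    in each pair toward equality. Returns sum|h[2k]-h[2k+1]| / N; 1.0 means
    every pair is fully lopsided, values near 0 suggest an embedded payload."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    return sum(abs(hist[k] - hist[k + 1]) for k in range(0, 256, 2)) / len(pixels)

def demo(n_pixels=2048, payload_len=240, seed=1):
    """Constructed cover: a buffer whose LSBs are all 0 (so the statistic starts
    at exactly 1.0) and a random, cipher-like payload that nearly fills it."""
    rng = random.Random(seed)
    cover = bytes(2 * rng.randrange(128) for _ in range(n_pixels))
    payload = bytes(rng.randrange(256) for _ in range(payload_len))
    stego = embed(cover, payload)
    assert extract(stego) == payload            # round trip must be lossless
    return pov_imbalance(cover), pov_imbalance(stego)

if __name__ == "__main__":
    before, after = demo()
    print(f"pairs-of-values imbalance: cover={before:.2f} stego={after:.2f}")
```

Real images are not this lopsided, so in practice the check is run per region and compared against the image's own unembedded areas rather than against a fixed 1.0.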

Pacman the show?

Wednesday, 23. June 2010

Pac-man returns?

A kids’ TV show revolving around Pac-Man? So, he’s a slacker who eats some magic pills, gets really hungry, and ends up running around trying to eat ghosts?

Some games should not be TV shows.

SSL by default? You’re mad! Simply mad!

Friday, 18. June 2010

EFF launches Firefox plugin to use SSL by default

Check it out. Install it for your friends, family and loved ones, because most likely, they won’t ever hear about it.

Only you can prevent unencrypted transmission of private data.

Delivering more than before: AT&T, part 2

Monday, 14. June 2010

Welcome again to another look at the AT&T mishap. Part two of our story takes us deep into the realm of the deadly SIM…

In summation, researchers have shown that some of the major telecommunications carriers make it possible to determine your IMSI number from your ICCID number. What once was not a big deal now becomes more of a problem.

The IMSI (International Mobile Subscriber Identity) can theoretically give a malicious attacker the ability to track a subscriber, intercept traffic (with some work, some tinkering, and some tower action), and perform other not-so-nice nastiness.

Chris Paget posted quite a nice blog on it.

Your world delivered… along with your email address

Wednesday, 9. June 2010

Apple Insider Story

“Black hat hackers have exploited a security flaw on AT&T’s web servers which enabled them to obtain email addresses from the SIM card addresses of iPad 3G users.”

Alright people, let’s take a moment to consider this. AT&T’s servers would respond to a specific HTTP request containing a user’s ICC-ID with the email address associated with that account.

Bad? YES.

End of the world? No. Email addresses really are not secret data. Yes, it is annoying that someone now has the email addresses for a slew of government, .mil, CEO and other high-end individuals. Will there be a huge security backlash due to this? Most likely not.

What has happened? A prebuilt list of verified emails gives spammers and other nefarious folks (phishers, etc.) a nicely built target list of known-good addresses.

How is this different from day to day? Without the list, the “attacker” would have to send “discovery” emails to variations on email addresses to discover which are live and which are not. If a discovery email is not bounced back as “no address found,” then it is possible they found a right address. The downside for them is that many companies use filters or catch-alls to make sure that bounce-back messages do not go out.

As for the ICC-ID, I can’t comment; I’ll have to trust the experts who say:

“Mobile security consultant and Nokia veteran Emmanuel Gadaix told us that while there have been ‘vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID… as far as I know, there are no vulnerability or exploit methods involving the ICC ID.’”

Let’s watch and see if something spawns from this. The security company did say they shared the script with third parties…
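The flaw described above, an ICC-ID alone being accepted as proof of who is asking, modelled as a hypothetical lookup service (added example, not AT&T’s code): the first function shows the weak pattern, the class beside it ties the lookup to an authenticated session, gives the same answer for “unknown” and “not yours”, and caps how fast any one caller can probe. The ICC-IDs, account ids and addresses are made up.

```python
"""Weak and hardened versions of an ICC-ID -> e-mail lookup.
Added example modelled on the flaw the post describes; not real carrier code.
All ICC-IDs, account ids and addresses below are constructed sample values."""
import time
from collections import defaultdict

# Constructed sample data: ICC-ID -> (account id, e-mail).
ACCOUNTS = {
    "89014103211118510720": ("acct-1", "alice@example.com"),
    "89014103211118510721": ("acct-2", "bob@example.mil"),
}

def lookup_email_vulnerable(icc_id):
    """The flawed pattern: the ICC-ID alone is treated as proof of ownership,
    so anyone who can guess or enumerate ICC-IDs can harvest addresses."""
    rec = ACCOUNTS.get(icc_id)
    return rec[1] if rec else None

class LookupService:
    """Hardened lookup: the session (authenticated elsewhere) names the account
    it belongs to; an ICC-ID resolves only if it belongs to that account, and
    each caller gets at most `max_per_window` attempts per `window_s` seconds."""
    def __init__(self, max_per_window=5, window_s=60.0, clock=time.monotonic):
        self.max, self.window, self.clock = max_per_window, window_s, clock
        self.attempts = defaultdict(list)     # caller id -> attempt timestamps
        self.audit = []                       # (caller, icc_id, outcome) for SOC review

    def _throttled(self, caller):
        now = self.clock()
        recent = [t for t in self.attempts[caller] if now - t < self.window]
        self.attempts[caller] = recent + [now]
        return len(recent) >= self.max

    def lookup_email(self, icc_id, session, caller):
        if self._throttled(caller):
            self.audit.append((caller, icc_id, "throttled"))
            return None
        rec = ACCOUNTS.get(icc_id)
        # Identical response for "no such ICC-ID" and "not your ICC-ID":
        # the endpoint must not double as an existence oracle.
        if rec is None or session.get("account") != rec[0]:
            self.audit.append((caller, icc_id, "denied"))
            return None
        self.audit.append((caller, icc_id, "ok"))
        return rec[1]
```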

Schneier on Intelligence

Thursday, 3. June 2010

Some good light reading on the underwear bomber and the blame game that followed.

Schneier on intelligence

Quoting Mr. Schneier:

“Nor do I consider Christmas Day a security failure. Plane lands safely, terrorist captured, no one hurt; what more do people want?”

They want the impossible: the untouchable, ultimate security that nothing ever penetrates and nothing can ever penetrate. Their goal is shiny, but unreachable. They could eliminate all possibility of terrorist attacks on commercial flights by permanently grounding all commercial traffic… It’s akin to securing a computer by melting it down into a nice shiny hubcap.

The best we can do is simply to do our best: apply appropriate rigor to our defenses and policies, within the constraints of our environment, whether those be budgetary, legal, ethical, etc.

Security through obscurity

Wednesday, 2. June 2010

From this article out of eWeek:

“There is such a thing as security through obscurity,” Hilwa added, “and it can be quite effective in certain settings. If I wanted to have the least attractive stack for virus and malware attacks, I would use the most obscure stack I can find, potentially including custom-developed components.”

Al Hilwa’s IDC profile sadly seems to lack any security experience. His LinkedIn resume also doesn’t show an ounce of security background.

I guess we must excuse Mr. Hilwa for making such an obviously flawed and universally stupid statement. But, to be thorough, let’s rip it apart piece by piece:

1. “There is such a thing as security through obscurity,”

I guess I can’t argue with that… there is. It is horrible and almost worthless security, but it’s security. An example of security through obscurity would be keeping the company phone directory unpublished. It provides a minimal level of security, but anyone who wants to determine the CEO’s direct line can do so with a little rigor and some social skills. If there is something to gain by hacking a target, there will be hackers attempting to break it.

2. “and it can be quite effective in certain settings.”

Please, Mr. Hilwa, make a list of those quite effective settings in regards to computing… It will be a rather short list.

3. “If I wanted to have the least attractive stack for virus and malware attacks, I would use the most obscure stack I can find, potentially including custom-developed components.”

Anyone who has ever worked with a Microsoft product knows they already have some of the least “attractive” stacks and customizations to work with. Yet they are a prime target for security vulnerabilities, hacks, and intrusions. Why? Because there is much to be gained by hacking a Microsoft system. Banks, governments, private businesses, all the way down to your local churches most likely have some version of MS running somewhere. The effort-versus-reward ratio is quite favorable in the Windows world, as one vulnerability can be applied to many lucrative systems.

People will attempt to counter with the concept that “Apple has a big market share, why are they not affected as much?” Apple is not hosting a large chunk of the world’s information. Criminal hacking groups don’t want to target Jimbo Jones with his slick hair and iPhone. He is small change compared to an SSN database in Virginia.

Mr. Hilwa, you have a terrific set of experience in the computer world. I would just ask that you get a little more education on the security side before making such statements.

XKCD to lighten the day.

Friday, 21. May 2010

A daily giggle.