Firesheep Mitigation Strategies – A review

Wednesday, 8. December 2010

Firesheep: http://codebutler.com/firesheep

Firesheep is a Firefox add-on that makes sidejacking a session as easy as clicking a button. Sidejacking, or session hijacking, is essentially sniffing someone's session cookies off a connection and replaying them. This lets you access their authenticated sessions as if you were that individual.

There are two "mitigation" programs being touted around the internet. We tested each of them this past evening at Black Lodge Research (www.blacklodgeresearch.org).

FireShepherd:

http://downloadsquad.switched.com/2010/10/29/fight-firesheep-with-fireshepherd/

This program, in essence, floods the network with nonsense packets designed to crash Firesheep.
The packets hit the wire with the following headers:

request+="GET /packetSniffingKillsKittens HTTP/1.1\r\n";
request+="Host: www.facebook.com\r\n";
request+="User-Agent: Mozilla\r\n";
request+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
request+="Accept-Language: is,en;q=0.7,en-us;q=0.3\r\n";
request+="Accept-Encoding: gzip,deflate\r\n";
request+="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
request+="Keep-Alive: 115\r\n";
request+="Connection: keep-alive\r\n";
request+="Referer: http://www.facebook.com/\r\n";
request+="Cookie: lsd=spsse; c_user=666660000; sct=01010101; sid=0; xs=3randomhashyes666666666;"; // cookie line is cut off in the quoted source

Firesheep had no issue functioning while FireShepherd did its worst. The flood did begin to fill Firesheep's buffer, but the sheep never crashed. Firesheep could avoid this mitigation attempt entirely by filtering out c_user=666660000.

Blacksheep

http://www.zscaler.com/blacksheep.html

Blacksheep seems to work off a similar idea, but takes it a step further. It drops fake credentials onto the network and then tries to detect someone using those credentials to log in. It is an interesting concept, but it seems to us that you would have to sniff packets yourself to see whether others were trying to log in with the fake credentials. In other words, to defend your login, you need to sniff traffic.

We ran Blacksheep, and it was quite easy to tell the real credentials from the fake ones on the wireless.

In summary:

Both mitigation strategies provide no further protection from Firesheep. Why were they released? Simple:
“They released them to be first to release a mitigation. It doesn’t have to be great when you are first. Much like virginity.”

We explored real mitigation strategies:

1. Utilize SSL. HTTPS Everywhere is a nice plugin for Firefox that will help enforce that: https://www.eff.org/https-everywhere/
2. Utilize VPN tunnels or SSH proxies to securely tunnel the traffic out of the wifi.

As you can see, mitigation really comes down to wrapping the cookies in some form of encryption. This was the best mitigation strategy we could devise.
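The server-side counterpart of "wrap the cookies in encryption" is the Secure cookie attribute, which stops the browser from ever sending a session cookie over plain HTTP (HttpOnly does not help against sniffing on the wire). The following is an added example, not code from the post or from either tool; the Set-Cookie headers are constructed, and the list of cookie names treated as session identifiers is an assumption (the Facebook names come from the FireShepherd quote above).

```python
from typing import Dict, List

# Constructed sample Set-Cookie headers (not captured from any real site).
SAMPLE_SET_COOKIE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",                      # session cookie, still sent over plain HTTP
    "c_user=100000000; Path=/; Secure; HttpOnly",        # session cookie, TLS-only
    "theme=dark; Path=/",                                # not a session cookie
    "xs=deadbeef; Domain=.example.com; Path=/; Secure",  # session cookie, TLS-only
]

# Assumption: names that carry the authenticated session (extend for your application).
SESSION_COOKIE_NAMES = {"sid", "c_user", "xs", "sct", "phpsessid", "jsessionid"}

def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split 'name=value; Attr; Attr=val' into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": value, "attrs": attrs}

def sidejackable(header: str) -> bool:
    """True if this is a session cookie the browser would also send over cleartext HTTP."""
    c = parse_set_cookie(header)
    return c["name"].lower() in SESSION_COOKIE_NAMES and "secure" not in c["attrs"]

def audit(headers: List[str]) -> List[str]:
    """Names of the session cookies in a response that a sniffer on the path could replay."""
    return [parse_set_cookie(h)["name"] for h in headers if sidejackable(h)]

def harden(header: str) -> str:
    """Add Secure (and HttpOnly) to a session cookie that lacks them; other cookies pass through."""
    c = parse_set_cookie(header)
    if c["name"].lower() not in SESSION_COOKIE_NAMES:
        return header
    out = header.rstrip("; ")
    if "secure" not in c["attrs"]:
        out += "; Secure"
    if "httponly" not in c["attrs"]:
        out += "; HttpOnly"
    return out
```

Run audit() over the headers your own application returns; any name it lists is a cookie that HTTPS Everywhere on the client cannot protect if a single plain-HTTP link to the site exists.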

Schneier on Intelligence

Thursday, 3. June 2010

Some good light reading on the Underwear Bomber and the blame game that followed.

Schneier on intelligence

Quoting Mr. Schneier –

“Nor do I consider Christmas Day a security failure. Plane lands safely, terrorist captured, no one hurt; what more do people want?”

They want the impossible: the untouchable, ultimate security that nothing ever penetrates and nothing ever can. Their goal is shiny, but unreachable. They could eliminate all possibility of terrorist attacks on commercial flights by permanently grounding all commercial traffic... which is akin to securing a computer by melting it down into a nice shiny hubcap.

The best we can do is simply do our best: apply appropriate rigor to our defenses and policies within the constraints of our environment, whether those be budgetary, legal, ethical, etc.

A Telnet Rant

Thursday, 20. May 2010

—Caution: Below you will find what some may term as a rant.—

Telnet (TErminaL NETwork) is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communications facility via a virtual terminal connection. (Wikipedia)

English translation: Telnet is a simple way to connect one computer to another. Great for command line work.

Now what is my beef with Telnet? Nothing. My beef is with the implementations of telnet. Telnet is an "in the clear" communication. That means data transmitted over a telnet connection is sent with no encryption, no obfuscation, and no joy...

What is telnet commonly used for, you might ask? In computing environments you will see telnet used as a remote command line access system. Administrators and users alike log into servers across the network and perform whatever tasks are required.

You can probably see the issue I am getting at, and that thousands of security professionals before me have gotten at... An administrator with root access logs into a server using telnet. Their credentials (username/password) are sent in plaintext. Anyone sniffing packets on the network has a chance to grab those credentials. Now your administrative access has been owned.

But Josh, I'm on a switched network; packet sniffers can't get my traffic, that would only work on a hub or wireless. A good observation, but not true. Your switched network offers a little protection against it, but it is not difficult to get around.

So what does this mean? Is the world doomed to telnet horror?

There is a simple solution, my friends... not elegant, not bulletproof, but better than telnet: a simple SSH connection. It does require an SSH server on one side of the connection and an SSH-capable client on the other, but the encryption benefits far outweigh the small cost (CPU-cycle wise) in most cases.

So, the next time you find yourself typing the word telnet... stop and think. Do I really need to use telnet? Or can I move into the 21st century and enter the SSH world?
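Finding the telnet habit in your own environment is the first step of that migration. The following is an added example, not from the post: it reads flow records (constructed here, in a simple src,dst,dst_port,bytes form that is an assumption), reports every host that still received telnet logins, and ranks the ones that do not yet offer SSH first, since those need a server change rather than just a client habit.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed flow records for the example (src,dst,dst_port,bytes); not from any real network.
SAMPLE_FLOWS = """\
10.0.0.5,10.0.1.20,23,1844
10.0.0.7,10.0.1.20,22,9320
10.0.0.5,10.0.1.21,23,210
10.0.0.9,10.0.1.22,22,1500
10.0.0.9,10.0.1.20,80,40231
"""

TELNET_PORT = 23
SSH_PORT = 22

@dataclass
class HostReport:
    host: str
    telnet_clients: List[str] = field(default_factory=list)  # sources whose credentials went over in the clear
    ssh_available: bool = False                              # host already accepts SSH, so only clients must change

def audit_flows(flows_csv: str) -> Dict[str, HostReport]:
    """Per-destination summary of telnet use, limited to hosts that actually saw telnet."""
    reports: Dict[str, HostReport] = {}
    for line in flows_csv.splitlines():
        if not line.strip():
            continue
        src, dst, port, _ = line.split(",")
        port_num = int(port)
        if port_num not in (TELNET_PORT, SSH_PORT):
            continue
        rep = reports.setdefault(dst, HostReport(dst))
        if port_num == TELNET_PORT and src not in rep.telnet_clients:
            rep.telnet_clients.append(src)
        elif port_num == SSH_PORT:
            rep.ssh_available = True
    return {h: r for h, r in reports.items() if r.telnet_clients}

def migration_priority(flows_csv: str) -> List[str]:
    """Telnet-only hosts first (no SSH seen), then hosts where SSH is already up."""
    reps = audit_flows(flows_csv)
    return sorted(reps, key=lambda h: (reps[h].ssh_available, h))
```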

Protect those that protected us.

Friday, 14. May 2010

VA Laptop Stolen

Another laptop containing sensitive data has been stolen. Another unsuspecting poor Joe is now put at risk of identity theft. Let's read and think... how can we fix this?

1. Require encryption on all devices that connect to your network?

“A seven-month cybersecurity review undertaken last year at the behest of VA secretary Eric Shinseki found that more than 28% of the VA’s vendor contracts were missing required clauses about information security, and contractors on 578 contracts actually refused to sign the clauses.”

That might help... except you are letting contractors, who want your business, flat out refuse to sign the agreement that they will encrypt devices connecting to the VA.

— Interesting note. How good is AES-256 encryption with a password of abc123? So in the encryption clause, do we also detail required password policies (length, change dates, etc.)?

2. Don't allow contractors to use private equipment to access the VA? This raises a lot of questions. What kind of contractors are they? Are we talking IT people? HR people? Are they shifting records? Doing field VA reporting? Until we can define the divisions of employees, we cannot clearly think about who can use private gear and who cannot. A small statement though... I personally would never let a privately owned laptop onto my internal corporate networks. Period. There is guest access and VPN connections into DMZs for that. If they require more access, they can be issued a company laptop, with company encryption, company policies, and company control.

3. Dumb terminal access to VA records? Instead of having local copies of a VA form, you issue each contractor a cell card. They can then enter data into a web application (HTTPS please...) and submit it there. If they need to access records, they can once again use a secured web page. Heck, maybe we use multi-factor auth? (password, RSA key, etc.) The systems could be booted from CD with a simple OS, browser, etc. Then at the end of the day, a drive wipe can be run to write random data to the free space on the drive and RAM. At least then, if the laptop is stolen, the thief is most likely not going to get a thing. (Most likely, I KNOW! Someone out there can prove me wrong.)

What about you? Any ideas on how we can make the access to VA documents safer?  Here is my scenario challenge to you.

1. You are the VA CISO. (God I hope they have one...) You have 200 field contractors across the country who go out and collect VA information (SSN, name, address) and explain benefits to vets (which requires access to the vet records currently on the system). How do you do this securely?

German Courts: Secure it, or pay!

Wednesday, 12. May 2010

“Germany’s top criminal court ruled Wednesday that Internet users need to secure their private wireless connections by password to prevent unauthorized people from using their Web access to illegally download data.

Internet users can be fined up to euro100 ($126) if a third party takes advantage of their unprotected WLAN connection to illegally download music or other files, the Karlsruhe-based court said in its verdict.”

– Please read the entire article so as not to take it out of context:

Let the dissection begin:

1. Does the court have the power to specify what level of security must be put in place? Can users simply run WEP with password 12345 and have it pass muster?

If the courts do regulate the level of wireless security, where does their power stop? Can they then enforce a certain level of wired security? I.e. shielded and secured network cables?

2. With the ease with which many (I said many, not most) wireless APs can be cracked, does the German court really expect to stop the flood of illegal downloads?

3. What about coffee shops, or locations with public wireless? I know some do use a shared key, or a time-based key, for their wifi, but are they also going to be held responsible for activities committed on their network? If so, does that mean each coffee shop and wine bar in Germany needs to hire a security "expert" to watch for illegal actions?

– Ok, so I've gone slightly movie-plot threat, but all in all the court ruling is slightly ridiculous, slightly logical. It will make people think more about putting security on their wifi, but the fact that the government is mandating private owners' security levels... slightly frustrates me.

It will be interesting to see further cases regarding this, as the recording groups can use this to attempt to pursue cases against those "aiding and abetting" criminals.

Off topic, but it just gets me.

Wednesday, 2. December 2009

So I was cruising 4chan looking for some new off-the-wall pics or gifs (it always has some good ones) when I saw a mention of a place called 12chan. I made the mistake of looking it up.

Let me preface by saying I support freedom of speech and net neutrality, but.. I can’t support this.

http://www.encyclopediadramatica.com/index.php/12chan (wiki-esque explanation of 12chan, not official!)

12chan seems to be a channel devoted almost entirely to pedophiles. How it continues to operate without issue is somewhat of a mystery to me. While channels such as this exist, the exploitation of children will continue. (If demand exists, someone will supply.)

The current IP is reported as assigned to the Netherlands (Amsterdam, to be precise), and the DNS name is registered to a man in Australia.


I just don't get it. I can understand the desire of some to look at adult images/videos on the web. But what is it about the illegal and somewhat sickening images of 12chan and boards like it?

What can be done?  Are we truly helpless in this internet world?

TSA

Monday, 23. November 2009

Schneier on TSA

Good evening, fellow hat wearers. After a recent trip to Seattle, I have a little security venting to do. My flight plan was home to Chicago, Chicago to Seattle.

My flight to Chicago was rather uneventful, enjoyable even. Arriving in Chicago, I made my way to the transfer gate. As we lined up like cattle to enter the pen, I noticed 3 TSA agents and a little push cart by the door... oh, whatever could be happening?

On the loudspeaker: "We will begin boarding now... and the TSA will be doing random screenings of carry-on luggage." Great...

In short... yes, I got picked. Yes, I made it through fine.

To vent: the TSA inspection was pure CYAS (Cover Your Ass Security). The inspection consisted of opening one of my backpack's zippers, glancing in, and waving me on. (Note: my pack has no fewer than 5 different zipper compartments, and was loaded with wires and electronics.) A true waste of time and resources.