Peer Guardian for Internal Penetration Tests
Most vulnerability scanners will allow you to configure an exception list. If an organization has an internal vulnerability scanning program in place they are probably aware of a few troublesome systems that don’t respond well to poking and prodding. (That ancient VAX, those Dell DRACs, that crazy plotter, etc…)
It’s not uncommon to be asked by a client to “Avoid this list of systems during the Pentest…” But what if you have some nice custom tools that don’t have the ability to honor an exception list? What if you have some tools that you point to an NT Domain and not an IP list?
On the surface the simplest solution would be to “just configure the firewall to block outbound to x.x.x.y….” The problem is Windows personal firewalls don’t make it easy to do that. In fact, most of these firewalls will break the scanning tools you’re trying to use.
I’ve found that Peer Guardian 2 does an awesome job at fixing this problem. Peer Guardian is mostly used by peer-to-peer users but you can easily make a custom “block list” that will prevent your computer from hitting IPs on your client’s exclusion list. You can run Peer Guardian and not worry about it mucking up those funky packets that you’re trying to send.
-higB
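As an added example (not from the original post or from the Peer Guardian project), here is a small Python script that turns a client-supplied exclusion list (single hosts, CIDR blocks and dashed ranges) into the plaintext “p2p” block list format, assumed here to be one `Label:first-last` line per range, which is the format Peer Guardian 2 reads. The sample list, the function names and the labels are all constructed for illustration; `is_excluded` is the same check you would want any custom tool to run before it touches a host.

```python
import ipaddress

# Constructed sample exclusion list, as a client might hand it over:
# "label, target" per line, where target is a host, a CIDR or a dashed range.
EXCLUSION_LIST = """
# label, target
ancient VAX, 10.1.4.22
Dell DRACs, 10.1.9.0/28
plotter, 10.2.0.5-10.2.0.6
"""


def parse_exclusions(text):
    """Yield (label, first_ip, last_ip) for every non-comment line (IPv4 only)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        label, target = (part.strip() for part in line.split(",", 1))
        if "-" in target:
            # dashed range: "a.b.c.d-e.f.g.h"
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in target.split("-", 1))
        else:
            # single host or CIDR; strict=False accepts host bits set in a CIDR
            net = ipaddress.IPv4Network(target, strict=False)
            lo, hi = net[0], net[-1]
        if hi < lo:
            raise ValueError(f"range reversed: {target}")
        yield label, lo, hi


def to_p2p(text):
    """Render the exclusion list as a p2p block list: 'Label:first-last' per line
    (assumed format; the description part may not contain a colon)."""
    lines = [f"{label}:{lo}-{hi}" for label, lo, hi in parse_exclusions(text)]
    return "\n".join(lines) + "\n"


def is_excluded(ip, text):
    """True if ip falls inside any range on the exclusion list."""
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for _, lo, hi in parse_exclusions(text))


if __name__ == "__main__":
    print(to_p2p(EXCLUSION_LIST), end="")
    print(is_excluded("10.1.9.7", EXCLUSION_LIST))
```

Save the output as a `.p2p` file and load it as a custom list; the labels show up in the Peer Guardian log when a connection is blocked, which is also how you prove to the client that the exclusion list was honored.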
RSA Conference: Circus of Vendors
In past years I never attended the RSA conference; it always came across as too much of a vendor show to me. This year I didn’t think I would go, until rsnake convinced me otherwise. So I bought myself an Expo Only pass. I had a lot of fun, meeting old time buddies from Foundstone and Mandiant, a bunch of clients, and partners. But I had the most fun just watching the show on the Expo floor. Must have been 300 booths and a gazillion sales people swarming them with those annoying mics trying to outspeak each other like barkers outside a souvenir store at a tourist destination. Companies doing raffles at their booths - I’ve seen that, but arcade car racing games like those at Dave & Busters, security “Jeopardy” shows every hour being hosted by ”slick” sales people, cheesy whack-a-fraudster, wannabe Houdinis showing off card tricks and free beer made the cut too. I wondered, do clients actually walk the floor to learn about new products? I think not. They do so for the free entertainment, adulation, and giveaways. Makes one wonder, are the RSA booths worth their price tag? The smallest, and furthest ones, which you would see if you were really looking for, are worth an arm and leg. VC money well spent? Oh what a circus it was!
- Rohyt
MITM TCP Tools
A lot of web applications use port 80 and 443, but don’t necessarily speak HTTP or live inside a web browser. Many of these web apps utilize rich content and compiled code, such as Flash/ActiveX/Java, that have the ability to open their own TCP sockets to remote servers, bypassing the browser’s network stack and any HTTP proxy the browser is configured to use.
All the JVMs I’ve used do let you specify a proxy for an applet to use, but in my experience, this process is sometimes a little clumsy. On top of that, this only helps if the applet is speaking HTTP, or some other known protocol for which a proxy exists.
Putting browser based applications aside for a moment, fat client applications (including those on mobile devices) will utilize port 80/443 as a sure-fire way through the firewall, even if they aren’t using a standard protocol like HTTP or SOAP/WS-Security.
WireShark, tcpdump, and other network sniffers can be helpful in these situations where you can’t get application data easily routed through a proxy. However, the ability to replay or modify data on the fly between the client/server is still a challenge. Add SSL encryption to the scenario, and typically you are S.O.L.
What we need is a socket based TCP proxy with SSL support. Such a proxy would capture traffic at the network layer, identify common protocols and accumulate requests/responses for MITMing, but also stream proprietary protocols while providing a mechanism for altering/fuzzing data on the fly.
Tools like WebScarab/Paros/Burp are great at what they do. But as soon as an application strays from a common protocol (security through obscurity anyone?) these tools lose some of their value.
I already have a proof-of-concept tool that has been invaluable to us in some recent pen-testing. Now, the plan is to tighten up the loose ends, add some features, and make it available for others to use.
I’d definitely be interested to hear what anyone has to say about such a tool. Do you think it would help you? Is there already something similar out there? Leave your comments below.
-Schmoilito
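To make the idea concrete, here is an added example (my own, not the proof-of-concept tool the post mentions) of the streaming half of such a proxy in Python: a socket-level TCP relay that passes every chunk in each direction through a caller-supplied hook, so a tester can log, alter or fuzz a proprietary protocol without the application knowing. The names `relay`, `start_proxy`, `on_request`, `on_response` and the line-oriented echo server used as a stand-in back end are all constructed for this example; TLS termination (wrapping the client side with `ssl.SSLContext.wrap_socket` and the upstream side with a client context) is left out to keep the example short.

```python
import socket
import threading


def relay(src, dst, transform):
    """Pump bytes from src to dst until EOF, running each chunk through
    transform(); then shut both sockets so the other direction unwinds too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(transform(chunk))
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def start_proxy(upstream, on_request=lambda b: b, on_response=lambda b: b):
    """Listen on an ephemeral localhost port; every accepted client gets a fresh
    connection to upstream and one relay thread per direction.
    Returns the (host, port) the proxy listens on."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            server = socket.create_connection(upstream)
            threading.Thread(target=relay, args=(client, server, on_request), daemon=True).start()
            threading.Thread(target=relay, args=(server, client, on_response), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()


def start_echo_server():
    """Constructed stand-in for a fat client's back end: reads one line and
    answers 'echo:' + line. Returns the (host, port) it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                data = b""
                while not data.endswith(b"\n"):
                    more = conn.recv(4096)
                    if not more:
                        break
                    data += more
                conn.sendall(b"echo:" + data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo():
    """Wire client -> proxy -> echo server with a rewrite in each direction and
    return what the client sees."""
    upstream = start_echo_server()
    proxy = start_proxy(upstream,
                        on_request=lambda b: b.replace(b"hello", b"howdy"),
                        on_response=lambda b: b.upper())
    with socket.create_connection(proxy) as c:
        c.sendall(b"hello\n")
        reply = b""
        while not reply.endswith(b"\n"):
            more = c.recv(4096)
            if not more:
                break
            reply += more
    return reply


if __name__ == "__main__":
    print(demo())
```

One caveat the hooks make obvious: `recv` chunks are not protocol messages, so for anything beyond a line-oriented protocol the hook has to buffer and re-frame before it can safely alter fields, which is exactly the “identify common protocols and accumulate requests/responses” part of the wish list above.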
SCADA hacking? What if they used phishme.com?
At this year’s RSA conference Ira Winkler went on to tell the audience about hacking into an energy company (via an authorized penetration test) using a targeted phishing email. Details are in this Network World article: http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html
“The penetration team started by tapping into distribution lists for SCADA user groups, where they harvested the e-mail addresses of people who worked for the target power company. They sent the workers an e-mail about a plan to cut their benefits and included a link to a Web site where they could find out more.”
Are we surprised they were successful? Absolutely not. We’ve been using this technique and responding to real incidents that used spear phishing for quite some time now. But what if those same employees had already been “phished” through targeted awareness and then presented with the appropriate training material? What if you ran this exercise against all your employees regularly?
Phishme.com already has pre-built scenarios to make this training quick and easy. It has many generic domain names to choose from or you can register your own look-alike domain.
There is no sense in paying a pentest company high dollar consulting fees to find out if your employees are vulnerable to phishing. I’m about to save your company a boat load of money.
Dear Magic Eight ball, I don’t currently conduct phishing attacks against my own employees as a means to train them. Am I vulnerable to spear-phishing attacks?

pwn3d by the TS@!

On Friday afternoon, I headed off to the airport for a trip to Chicago to visit a friend. I should have checked the flight status, because it turns out my flight was canceled. All other flights to Chicago were on time, and full. The über-helpful lady at Continental advised me to wait on stand-by. The end result was that I had to wait until 6AM Saturday for a flight to Detroit and a connection to Chicago. Damn. <sarcasm>On the bright side, my bag made it to Chicago by 11PM that night.</sarcasm>
I went home to sleep, and set my alarms for a 4AM wake up to make it back to the airport for my 6AM flight. I assumed I would get there in reasonable time, since I didn’t have to check in or check any bags. Unfortunately, I also didn’t pay any attention to the four S’s on my new boarding pass. At 5:50AM I was being molested by Boris, one of the TSA’s human pen-testers at Newark Liberty. Lucky me, I was selected for additional screening because I had made changes to my itinerary. Lady luck continued to shine on me since Boris, at 250+LB’s, is a gentle giant.
I don’t think my writing thus far has conveyed the anger and frustration I felt during this whole ordeal. And when I realized I had to endure additional security screening, my blood had begun to boil. However, at some point during my personal security assessment, my mind drifted into my happy place, and I had a moment of clarity.
Who else is more deserving of a more in-depth security review than someone who is already pissed off at your airline, and could possibly snap with the next minor inconvenience or crying baby?
Any passenger traveling on an airplane is considered a threat. As individual passenger scenarios fluctuate, so does the individual passenger’s threat potential. In my particular situation, it was up to the airline to indicate to the TSA that I require additional screening, and they did this via the “SSSS” on my boarding pass.
Inside me there is a glimmer of hope that TSA folks have some ability to identify behavior patterns in people that could indicate an elevated threat potential in real time (like when I’m waiting in line to get screened). However, they most likely rely heavily on their technology/tools (metal detectors, X-ray machines, that crazy air blast thing, etc) for such dynamic analysis.
It’s really no different than a highly-skilled pen-tester being given a large number of applications to test in a very short period of time. In this case, the pen-tester would rely heavily on tools. There is no shortage of content on the Internet discussing the quality of such tools, so I’m not gonna go there in this post. However, I must ask the question, how good of an assessment can you perform on a web app using only the tools available on the market today?
What all this reminds me is that security in I.T. is no different than security in every other aspect of life. Threats are dynamic, and constantly in flux. Countermeasures deployed to protect us from threats must also be dynamic, and able to keep up with an ever changing threat landscape. If our tactics are static, threats will eventually go unnoticed, and we will get pwned.
At least, that’s what Boris softly whispered in my ear…
-Schmoilito
Asus EEE PC Samba security updates
I’ve been mouthing off about the much anticipated arrival of my new EEE PC, and when it arrived at work for its glorious unboxing, my wonderful co-workers were ready to own me with a Samba exploit, locked and loaded. Reference: ASUS Eee PC rooted out of the box
That’s what you get when you work in this industry. I had it coming I suppose. The EEE PC is just too damn cute. How could anybody forcibly overflow its cute tiny little heap! That’s just cold hearted pwnage.
A series of updates were released for the Asus EEE PC today: PDF reader, messenger, Firefox, OpenOffice, the Samba daemon of course, and some other tweaks.
Recognize! My EEE PC is patched like a mug now! Leave my lil’ EEE PC alone!
-higB
Bold face lie in a clash at FCC hearing - port139online.com:139

What is http://port139online.com:139/ ?
- Port139online.com:139/ IS a website
- Port139online.com:139/ IS a protocol
- Port139online.com:139/ IS a service (a service that tells you if your ISP is providing a tampered, filtered, limited, and incomplete service.)
I started port139online.com:139 to annoy the tech support agents at Cox Communications. I subscribed to their business Internet service because the sales rep told me that absolutely NO port filters existed for business customers. I don’t know if the sales rep lied to me on purpose to meet a quota, or if she just didn’t have all the information.
After several phone calls to Cox support, I finally got them to admit which ports they filtered (both inbound and outbound). They offered to reduce my bill by 45 dollars a month, but they would not remove the filters. I’m now a Verizon Business FIOS customer and couldn’t be happier with my pure, unmolested Internet.
Shortly after my Shmoocon presentation, Comcast went before the FCC. An executive vice president for Comcast lied to the FCC commissioner and the rest of the panel, when he said:
“I’m going to say again, on the record in front of this Commission, Comcast does not block any Web site, application, or Web protocol, including peer to peer services. Period. Doesn’t happen.”
Oh really? Well http://port139online.com:139/ IS a website AND an application AND uses a WEB PROTOCOL… and guess what? Comcast IS blocking it.
Read more about it here:
And listen to the MP3 here: http://arstechnica.com/news.media/fcchearing25feb08.mp3
Reference: Comcast does block websites, ports, and protocols: http://taosecurity.blogspot.com/2005/07/what-does-your-isp-block-only-low-cost.html
http://www.dslreports.com/forum/remark,15481407
**** NOTE ****
You can only visit http://port139online.com:139/ from Internet Explorer. Firefox blocks many ports.
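Since the browser note above is exactly the problem (Firefox refuses port 139 before any packet leaves the machine), here is an added example, not from the original post, of checking the same thing at the socket level from Python. `probe` classifies one TCP connect attempt as `open`, `refused` (a RST came back, so nothing in the path is dropping the port) or `filtered` (no answer at all within the timeout, the signature of a silent drop). The function names and the local self-check are constructed for this example; `isp_filter_report` uses the page’s own host and needs network access, so it only runs from the command line.

```python
import socket


def probe(host, port, timeout=3.0):
    """One TCP connect attempt, classified by how it fails (or doesn't)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # RST received: the host answered, the port is simply closed
        return "refused"
    except socket.timeout:
        # no SYN-ACK and no RST: something in the path is dropping the port
        return "filtered"
    except OSError as exc:
        # e.g. no route to host; report the errno rather than guessing
        return f"error:{exc.errno}"
    finally:
        sock.close()


def self_check():
    """Constructed offline check: one listening port and one port we just
    released, so both distinguishable local outcomes can be seen."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return probe("127.0.0.1", open_port), probe("127.0.0.1", closed_port)
    finally:
        listener.close()


def isp_filter_report(host="port139online.com", ports=(80, 139)):
    """Probe a host on a port the ISP certainly passes (80) and on the port in
    question (139); 'open' on 80 but 'filtered' on 139 points at a port filter
    rather than at the host being down."""
    return {port: probe(host, port) for port in ports}


if __name__ == "__main__":
    print(self_check())
    print(isp_filter_report())
```

Run it once from a connection you trust and once from the ISP under test; a result that flips from `open` to `filtered` for port 139 while port 80 stays `open` is the filtering the post describes.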
Shmoocon 2008 wrap-up: The Non-Moose Stuff
Someone beat us to the shmooball launcher. It’s probably for the best since we were going to order parts from this company. We heard ambulances only take 180 seconds to get to the hotel.
The presentations were very hit or miss this year, with unfortunately a bit more of the latter. I felt a lot of presentations would have fit a shorter turbo style time slot better than the hour long time slots. For example, the ‘baffle’ application for wireless AP fingerprinting looks like a very cool first generation tool. Easy to use, hack around with, well researched, and makes pretty graphs. Score. Unfortunately they dragged out the presentation with the whole history of TCP fingerprinting and made us wonder what the students were IM’ing about as they sat on the stage trying not to look too embarrassed or bored.
Mad props go out to Brad Antoniewicz and Joshua Wright. Not only for releasing a cool tool for wireless PEAP/TLS client credential pwnage (FreeRADIUS - Wireless Pwnage Edition), but for fun presentation skillz and shmooball dodging. Find the video for this one. It was probably my favorite talk of the con (not sure if the camera man caught the start of the talk though).
The guys at Vigilar also rocked with a new and improved version of VoIP Hopper; complete with practical usage scenarios and some good demos with a standard VoIP phone. They showed how to get on to the corporate network bypassing VLANs set up for the VoIP traffic. I could think of a number of locations I’ve been at where it would be handy to have this tool with me.
Our very own Jaime and Aaron got a lot of people thinking with their forced internet condom. They’re moving the web hosting provider, but there’s some good data about what ports ISPs are blocking over at portscan.us (and you can help add to the project as well).
I unfortunately missed h1kari’s (David Hulton) GSM talk due to train delays, but the word at the hotel bar was that it was one of the most technical and interesting talks of the con. His GSM rainbow tables may make things very interesting when the FPGAs complete in three months (anyone get a link to where that will be?). Speaking of FPGAs, I’m proposing the FDA needs to start looking into these things since they’re basically giving every geek I know an erection that is lasting way longer than 4 hours.
And for more geek porn, let me suggest the Solid State Drives Data Recovery Comparison to Hard Drives presentation. Scott Moulton makes PowerPoint look like a Commodore 64 next to his smoothly timed 3D graphics. This guy also rocks for having them online for everyone to get jealous of… oh and teach us that deleting or wiping flash based drives is completely useless because of the wear-levelling process done by the controllers on these things. (and yes, I did sit there thinking of all the times I’ve futilely done PGP wipes of data on my flash drives). The good news though is that the recovery of that data sounds pretty damn hard at this time. Also in good news, we can now write off a few power tools from Home Depot as business expenses since you’ll want a hammer now to “wipe” those drives.
A number of us caught the phishing talk by Syn Phishus. I think we’ll have a full follow-up post on that (but just to clear one rumor we heard, no, he does not work for or have anything to do with phishme.com). He obviously agrees with us that mock phishing exercises need to be done… but I’d say our approaches to this differ greatly.
-b3nn
Shmoocon 2008 wrap-up: Forced Internet Condom
Intrepidusgroup had a good time at shmoocon this year. Jaime and I would like to thank those that came to our presentation on Saturday to learn a little bit about the history of Internet service providers changing the Internet on us when it doesn’t fit their business model.
After seeing the crowd rip apart a few other speakers we are grateful to those in our audience. As a presenter, I feel for the others, but I’d have to agree that the database security (Why are Databases so Hard to Secure) presenter deserved the lynching. Total weak sauce. I tried to stick it out but after 30 minutes I had to bail on that talk.
Something Shmoocon attendees should know: Many of us did not find out our presentations were accepted until January 11th 2008. That doesn’t give the presenter a whole lot of time to prepare if their talk relies on collecting a lot of data or building a new tool. Overall I think this late notification had an impact on the quality of a few talks.
Shanit Gupta! Hey man.. I had a good time catching up with you this year. I picked up a lot of good kiosk and Citrix breaking techniques from you. I was aware of some of the hot-keys but you showed me a bunch of others I didn’t know about. I think you probably learned the hard way about the challenges of live demos. I think you broke every rule of live demonstrations.
- Don’t rely on the Internet
- Don’t rely on wireless for a presentation
- And especially, don’t rely on the wireless network a hacker conference provides you for a presentation
Brad – wish I could have seen your talk (PEAP: Pwned Extensible Authentication Protocol) with Josh but it was just too damn packed. I heard you rocked it. Good job! I’ll catch it on the videos.
The Renderman talk was meh— a good talk for newbs I suppose but Airport hi-jinks is nothing new to traveling security consultants.
Should Shmoocon let the presenter label their talk as “stuff for newbs”? Maybe, it’s a tough call. On one side it would let more advanced attendees seek out more challenging material… but on the other side no one wants to self-label themselves as a newb. Especially if they are attending a conference with their work buddies. I saw this all the time in the many years I taught the Foundstone Ultimate Hacking and Ultimate Hacking Expert classes. 80% of the class who skipped the Ultimate Hacking course shouldn’t have. All too often I’d have students in the expert class who couldn’t FTP or map network drives on the command line. For the cons though, I’m getting rather tired of these old-obvious hacks being re-named so the press can go bonkers with it — “café-latte attack” kill me now.
So after the Shmoocon there is one thing that is certain. I’m getting a damn Asus EEE PC. They are just too cool and I’m not sure why.
Later,
-higB
Whitepaper: The State of Information Security 2008
I just got back from The Credit Union Information Security Professionals Association 3rd annual National event in Austin, Texas where Rohyt and I were talking to the folks about www.PhishMe.com.
I have never attended a CUISPA event before and welcomed the opportunity. It was refreshing to see this industry work together. Credit unions don’t have the budgets larger institutions do and many of their technologists wear multiple hats. Security is a group effort. (as it should be)
Two major takeaways I had from the conference:
1.) Credit Union security professionals have a can-do attitude and value networking with their peers to solve their security woes
2.) Don’t show up to a Credit Union event dressed in New York-Financial attire (unless you enjoy looking like that creepy sales guy)
On the heels of the CUISPA event is a good white paper I saw on BankInfoSecurity.com titled The State of Information Security 2008 - Survey Executive Overview (Free signup)
Tom Field (Editorial Director) did a good job putting the overview together. The top security issues I heard the Credit Union folks discuss are the same ones captured in this survey. (It’s good to see that this paralleled what I saw in person at CUISPA … too often these days a whitepaper is just a synonym for marketing fluff.)
Of course the #3 issue “3) Training - Employees, Customers Need More.” grabs our attention as our http://www.phishme.com/ moves from beta and inches towards launch.
I’m beyond excited.
-higB
p.s. If you happen to attend my ShmooCon 2008 presentation please be kind with the Shmooballs.