Archive for July, 2007

Dirty Dirty Wi-Fi: AT&T Wi-Fi Service Phishing?

I’m sitting at Dulles airport right now, at gate C19, on my way to Vegas. I’m excited to catch up with friends and colleagues at BlackHat this year. I realized a few days ago that my 81-slide presentation for DefCon isn’t for a 75 minute slot... instead I’ll be trying to fit it into a 50 minute slot! Wish me luck!

Public Wi-Fi is so dicey... I would never use it for anything other than entertainment during delays. If I need to get work done I hop on EVDO. Captive portals are everywhere... and if you pay much attention to security you probably know how easy it is to change your MAC address to that of an already-authorized client and steal wireless service. These captive portals interest me because the service is so dangerous to use: everyone on the hotspot shares one unencrypted network, and one bad guy with Cain and Abel can really wreak havoc.
T-Mobile hotspots are no longer the only targets: ATTWIFI, pcswifi, and others are all fighting over this precious spectrum. I decided to check out the other captive portals to see if they are doing anything better than MAC address authorization. Look what I ran into:

[Image: att_gimme_pass.jpg]

What is “Other Provider”? Intrigued, I put in some bogus credentials to see if the next screen would prompt for a non-listed hotspot service provider like Boingo. Nope... I just got an authentication failure screen. I wonder how many users will supply AT&T with non-AT&T credentials. Not good, AT&T. You shouldn’t have an “Other Provider” category.

–higB


Rohyt Quoted in the E-commerce Times

Jack Germain interviewed me on the security implications of peer-to-peer file sharing programs. Excerpts from that interview can be found in this article that discusses the grilling of the LimeWire CEO by a congressional committee.

Personally, I stay away from P2P programs other than Skype voice chat. Yes, Skype voice conversations are peer-to-peer.

-Rohyt


EXIF Scrubbing: Hey, Harry! Know your Tool and Wash your Hands.

Those of us at the PhishMe blog would like to remind everyone of a very important lesson from our parents (and restaurant bathrooms): “Wash your hands”. The motto should be repeated by the cameraman behind those Harry Potter pictures reported on earlier in the week. Looks like a little EXIF metadata wasn’t cleaned off the photos... or was it? What’s better than washing your hands? Setting up someone else to look like the dirty one; two EXIF editors quickly came to our attention. While it’s much more plausible that someone would just shoot pics and forget about the EXIF data attached to them, it’s not impossible that the data was edited to incriminate someone else.

Simply reading the Exifer home page, though, reminds me of another important lesson: “Know your tool” (maybe that one was also on a bathroom wall somewhere). In short, tools often leave a footprint, whether it’s the user-agent string the popular Paros proxy sends or a not-so-stealthy Nmap scan; an EXIF editor is no different, and the Software tag it writes is the obvious place to look. If you have a way to dig deeper and see what the tool is doing, you should. In this case, don’t just rely on an EXIF viewer, which shows you only the tags it knows how to interpret. Use a hex editor and get a different view of the picture: the raw APP1 segment, unrecognized tags, and any embedded thumbnail are all there. When it comes time to track down the bad guys, keep a lookout for tell-tale signs.
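To make the “different view” concrete, here is an added example (not code from the original post or from any EXIF tool it mentions) that walks a JPEG’s marker segments by hand, decodes the Exif APP1 block’s IFD0 and IFD1, and reports the two footprints a forensic reviewer cares about here: the Software tag an editor leaves behind and whether an embedded thumbnail survived the “scrubbing”. The sample JPEG, the camera model and the editor name (“ExampleCam X1”, “HypotheticalExifEditor 1.0”) are constructed for the example; the builder writes a JPEG shell with no image data, only so the parser has something offline to read.

```python
import struct

ASCII, LONG = 2, 4                       # the only TIFF field types this example handles
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime",
             0x0201: "JPEGInterchangeFormat", 0x0202: "JPEGInterchangeFormatLength"}


def build_exif_jpeg(ifd0_strings, thumbnail=None):
    """Constructed sample: SOI + APP1/Exif (big-endian TIFF, IFD0 and optional
    IFD1 thumbnail) + EOI. Not a decodable image, just metadata to parse."""
    ifd0 = [(tag, ASCII, s.encode("ascii") + b"\0") for tag, s in ifd0_strings.items()]
    ifd0_size, ifd1_size = 2 + 12 * len(ifd0) + 4, (2 + 12 * 2 + 4) if thumbnail else 0
    ifd_area = 8 + ifd0_size + ifd1_size   # out-of-line values are placed after the IFDs
    data = bytearray()

    def encode(entries, next_ifd):
        out = struct.pack(">H", len(entries))
        for tag, typ, val in entries:
            count = len(val) if typ == ASCII else 1
            if len(val) <= 4:                # short values live inside the 4-byte field
                field = val.ljust(4, b"\0")
            else:                            # longer values are stored at an offset
                field = struct.pack(">I", ifd_area + len(data))
                data.extend(val)
            out += struct.pack(">HHI", tag, typ, count) + field
        return out + struct.pack(">I", next_ifd)

    ifd0_bytes = encode(ifd0, 8 + ifd0_size if thumbnail else 0)
    ifd1_bytes = b""
    if thumbnail:
        thumb_off = ifd_area + len(data)
        data.extend(thumbnail)
        ifd1_bytes = encode([(0x0201, LONG, struct.pack(">I", thumb_off)),
                             (0x0202, LONG, struct.pack(">I", len(thumbnail)))], 0)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0_bytes + ifd1_bytes + bytes(data)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_exif(jpeg):
    """Walk the marker segments and decode the first APP1/Exif block; None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _parse_tiff(jpeg[pos + 10:pos + 2 + length])
        if marker in (0xFFD9, 0xFFDA):   # EOI or start-of-scan: no metadata past here
            break
        pos += 2 + length                # every other marker carries a length field
    return None


def _parse_tiff(tiff):
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]            # byte order from the TIFF header
    magic, ifd0_off = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 0x2A:
        raise ValueError("bad TIFF header")

    def read_ifd(off):
        n, = struct.unpack_from(e + "H", tiff, off)
        entries = {}
        for i in range(n):
            tag, typ, count, field = struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * i)
            name = TAG_NAMES.get(tag, hex(tag))
            if typ == ASCII:
                raw = field[:count] if count <= 4 else tiff[(o := struct.unpack(e + "I", field)[0]):o + count]
                entries[name] = raw.rstrip(b"\0").decode("ascii", "replace")
            elif typ == LONG and count == 1:
                entries[name], = struct.unpack(e + "I", field)
            else:
                entries[name] = field                    # other types: keep the raw field
        next_off, = struct.unpack_from(e + "I", tiff, off + 2 + 12 * n)
        return entries, next_off

    ifd0, ifd1_off = read_ifd(ifd0_off)
    ifd1, thumb = {}, None
    if ifd1_off:                                         # IFD1 describes the thumbnail
        ifd1, _ = read_ifd(ifd1_off)
        start, size = ifd1.get("JPEGInterchangeFormat"), ifd1.get("JPEGInterchangeFormatLength")
        if start is not None and size is not None:
            thumb = tiff[start:start + size]
    return {"ifd0": ifd0, "ifd1": ifd1, "thumbnail": thumb}


def footprints(jpeg):
    """Which software wrote the tags, and is an embedded thumbnail still there?"""
    info = parse_exif(jpeg)
    if info is None:
        return {"software": None, "model": None, "thumbnail_present": False, "thumbnail_is_jpeg": False}
    t = info["thumbnail"]
    return {"software": info["ifd0"].get("Software"), "model": info["ifd0"].get("Model"),
            "thumbnail_present": t is not None, "thumbnail_is_jpeg": bool(t) and t[:2] == b"\xff\xd8"}


# Constructed sample: a camera model, an editor's footprint in Software, and a stand-in thumbnail.
SAMPLE = build_exif_jpeg({0x0110: "ExampleCam X1", 0x0131: "HypotheticalExifEditor 1.0",
                          0x0132: "2007:07:17 09:45:02"},
                         thumbnail=b"\xff\xd8" + b"\x00" * 16 + b"\xff\xd9")
```

Run it against a real photo (`footprints(open("photo.jpg", "rb").read())`) and compare with a GUI viewer: a Software value that names an editor rather than the camera firmware, or a thumbnail that still exists after the main image was “cleaned”, is exactly the tell-tale sign the post is talking about, and the thumbnail bytes can be written out and viewed on their own.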

What a difference a tool makes.

-b3nn 

Update:
More fun with EXIF data. Looks like RSnake (whom we worship for XSS and WebApp goodness) left an untampered thumbnail behind on one of his posts. The story also links to a nice online EXIF viewer... anyone checking out our EXIF data? ;-)


Harry Potter Phishing Attack: Fact or Fiction?

On June 19th a spoiler for the next Rowling book Harry Potter and the Deathly Hallows was posted to the full disclosure mailing list:
http://seclists.org/misc/harrypotterspoilers.html
(WARNING: If you’re a Harry Potter fan you may want to hold off reading it.) The spoiler was nothing more than a summary of which main characters allegedly die in battle with Voldemort and other rivals.
What is more interesting is how this book was allegedly obtained. The author of the message claims he launched a phishing attack against Bloomsbury Publishing:

“The attack strategy was the easiest one. The usual milw0rm downloaded exploit delivered by email/click-on-the-link/open-browser/click-on-this-animated-icon/back-connect to some employee of Bloomsbury Publishing, the company that’s behind the Harry crap.”

The claim is that a spear phishing attack was executed against Bloomsbury Publishing staff. Was Bloomsbury Publishing really phished? This telegraph.co.uk story: “Harry Potter ‘hacker’ posts plot on internet” has a quote from a Bloomsbury spokeswoman, “There are lots and lots of rumoured versions of the book (on the internet). We don’t confirm or deny any rumours”

Did the Bloomsbury phishing attack really happen or was it a hoax? Blog.phishme.com doesn’t know, but one would think that if this hack really did happen over a month ago, Harry Potter and the Deathly Hallows would be all over BitTorrent. I checked a few tracker sites before starting this blog post. All the claims on Demonoid were that the 5 available Deathly Hallows books were either hoaxes or...

********** BREAKING NEWS **********
Demonoid has removed all of the hoax torrents and only this one remains:
http://www.demonoid.com/files/details/1252898/13924344/

“I found this on another site, for those of you who simply can’t wait. It only includes the book up to pg.495.
But at least now we can compare the fakes to the real thing.
Enjoy and remember to seed!! ”

This one appears to be someone who has taken digital photos of 495 pages. Now that is someone dedicated to their piracy!

[Image: img_3625.jpg]

********** END NEWS **********

So it seems that there is still no official full copy on BitTorrent, but it’s only a matter of time.

In another story by PCmag: Dissecting the Harry Potter ‘Hack’ we read:

“it is conceivable that a successful download-based exploit was launched, according to a member of the hacker community, who asked that his name not be used. He pointed out that hackers have begun to carefully target companies and market segments. A well-crafted attack that uses correct names and titles, and spoofs a sending address from a partner firm, can be highly effective.”

For the record, it’s beyond conceivable; it’s happening now. In the recent incident response projects that we’ve worked, the attack vector used to gain a foothold into the organization was a targeted phishing attack. It’s not just a problem for the commercial world either.
Do you think that the DOD is requiring mandatory anti-phishing training because they fear that they might get hacked using this method? Check out this quote from this DOD battles spear phishing article:

“At this point, the true scope of compromise and exploitation is unknown, but likely thousands more users and computers have been, or will be, successfully targeted,” the bulletin states.

It’s too bad that external penetration testing no longer mimics the ways that attackers are getting into organizations. If you’re responsible for commissioning an external penetration test against your organization, maybe it’s time to do more than full TCP/UDP port scans (think social engineering). Today’s MySpace generation of attackers don’t even know what UDP is.

-higB


Session Fixation deserves its own spot in the OWASP Top Ten

Security-conscious developers the world over look to the OWASP Top Ten as their guide to dos and don’ts. The importance of this list to the application development and security communities cannot be exaggerated. Have a look at these impressive statistics from one of Jeff Williams’ recent presentations:

[Image: stats1.jpg]

Thus, a Top Ten vulnerability should be one that occurs most commonly and has a high potential impact; something that developers should be made aware of. Based on this premise, session fixation should bulldoze its way into the OWASP Top Ten. Over 90% of all Java web applications that we have reviewed in the last couple of years have been susceptible to this attack. Combined with a little phishing, this attack can result in users’ accounts on vulnerable websites being hijacked. Let’s take a little detour and understand how this attack most often works.

• The attacker requests the home page of the vulnerable website
• In response the attacker’s browser is provided a jsessionid. Note: No authentication has occurred
• The attacker extracts the jsessionid from the response and constructs a legitimate URL with the jsessionid in it as follows:

https://www.vulnerablesite.com/login.jsp;jsessionid=<insert the extracted token here>

• The attacker then emails this link to a potential victim – a legitimate user of the website
• The victim does not find anything “phishy” with the URL. It actually points to the SSL website; no phony subdomains, suspicious IP addresses, illegible URL encoding, etc.
• The user clicks the link and is presented the login page. What the user doesn’t know is that his or her session is now associated with the jsessionid in the clicked URL: the container accepts a client-supplied ID rather than minting its own.
• The jsessionid continues to be associated with the user’s session post-login too.
• Now the attacker can browse to any restricted page of the website by merely presenting the jsessionid in question with the request (as a cookie or in the URL). The application believes that the attacker is the victim and will readily give the former access to the victim’s profile; think bank account.

Due to the default behavior of most Java application servers (a client-supplied jsessionid is accepted as-is, and the same ID is kept across login), web applications that use the jsessionid as their authorization token are often rendered vulnerable. Don’t get me wrong; I am not recommending against the use of jsessionid as an authorization token. I am only calling for the issue to be brought to the forefront by the foremost application security community, OWASP, especially because it has an easy fix: developers should invalidate the session after critical events like login and re-issue a session ID.

session.invalidate();               // discard the pre-login session and its jsessionid
session = request.getSession(true); // create a fresh session with a new jsessionid

Copy any attributes you still need (a pre-login shopping cart, say) out of the old session before invalidating it; they do not carry over. Also, disable URL re-writing in web.xml, so that a jsessionid smuggled into the path is never honored and the ID travels only as a cookie.
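The steps above, played out end to end, as an added example that is not part of the original post. It is a toy model of a servlet container’s session table written in Python (not Tomcat or any real container’s code): `Container.get_session` behaves like `request.getSession(true)`, adopting a presented ID it already knows; `login_vulnerable` keeps that ID across authentication, while `login_fixed` does the invalidate-and-reissue from the post; the `url_rewriting` flag stands in for the web.xml setting. The account name, password and page URLs are constructed for the example (vulnerablesite.com is the post’s own placeholder host).

```python
import secrets
from urllib.parse import urlsplit

SID_COOKIE = "JSESSIONID"


class Container:
    """Toy model of a servlet container's session handling (constructed, not real code)."""

    def __init__(self, url_rewriting=True):
        self.sessions = {}                 # jsessionid -> session attributes
        self.url_rewriting = url_rewriting # honour ';jsessionid=' path parameters?

    def requested_id(self, url, cookies):
        """Which session ID did the client present? Cookie first, then the path parameter."""
        if SID_COOKIE in cookies:
            return cookies[SID_COOKIE]
        path = urlsplit(url).path          # urlsplit keeps ';...' params in the path
        if self.url_rewriting and ";jsessionid=" in path:
            return path.split(";jsessionid=", 1)[1]
        return None

    def get_session(self, sid=None):
        """Like request.getSession(true): reuse a presented, known ID, else mint a new one."""
        if sid is None or sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
        return sid, self.sessions[sid]

    def invalidate(self, sid):
        self.sessions.pop(sid, None)


def credentials_ok(user, password):
    return (user, password) == ("alice", "correct horse")   # constructed test account


def login_vulnerable(c, presented_sid, user, password):
    """Authenticates inside whatever session the client arrived with."""
    sid, sess = c.get_session(presented_sid)
    if not credentials_ok(user, password):
        return None
    sess["user"] = user                    # identity now bound to an attacker-chosen ID
    return sid


def login_fixed(c, presented_sid, user, password):
    """session.invalidate(); session = request.getSession(true); after the password check."""
    sid, sess = c.get_session(presented_sid)
    if not credentials_ok(user, password):
        return None
    c.invalidate(sid)                      # the pre-login ID dies here
    sid, sess = c.get_session()            # fresh ID the attacker has never seen
    sess["user"] = user
    return sid


def account_page(c, url, cookies):
    """A restricted page: 200 only for a session that has authenticated."""
    sess = c.sessions.get(c.requested_id(url, cookies))
    if not sess or "user" not in sess:
        return "401 login required"
    return f"200 account of {sess['user']}"


def run_scenario(login, url_rewriting=True):
    """The post's attack, step by step, against the given login handler.
    Returns (what the attacker sees, what the victim sees) on the account page."""
    c = Container(url_rewriting)
    attacker_sid, _ = c.get_session()      # 1-2: home page hands out an unauthenticated ID
    link = f"https://www.vulnerablesite.com/login.jsp;jsessionid={attacker_sid}"  # 3-4: phish
    presented = c.requested_id(link, cookies={})                 # 5: victim clicks, no cookie yet
    victim_sid = login(c, presented, "alice", "correct horse")   # 6: victim logs in
    account = "https://www.vulnerablesite.com/account.jsp"
    attacker_view = account_page(c, account, {SID_COOKIE: attacker_sid})  # 7: attacker replays
    victim_view = account_page(c, account, {SID_COOKIE: victim_sid})
    return attacker_view, victim_view


if __name__ == "__main__":
    print("vulnerable login:      ", run_scenario(login_vulnerable))
    print("fixed login:           ", run_scenario(login_fixed))
    print("URL rewriting disabled:", run_scenario(login_vulnerable, url_rewriting=False))
```

With the vulnerable handler the attacker’s pre-fetched ID reaches the victim’s account; with the fixed handler it gets a 401 while the victim, holding the reissued ID, is unaffected. Turning off URL rewriting alone also blocks this particular link, but it is defense in depth, not the fix: an attacker who can plant a cookie (through a sibling subdomain or a script injection) delivers the same ID without a URL, and only regenerating the session ID at login stops that.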

Some may argue that session management is included in “A7 – Broken Authentication and Session Management” of the OWASP Top Ten. Yes, it is. However, just like cross-site scripting and injection flaws got their own spots and were not clubbed under input validation, session fixation too demands the spotlight.

-Rohyt 


iPhone Phishing Bait: would you like fries with that?


We’ve all heard there’s no such thing as a free lunch, but this is not always easily remembered when online. The latest example of that is the number of iPhone-related phishing messages that flooded my inbox while I was on vacation (example results). Some of the links didn’t even need to claim it was a ‘free’ deal; just a site claiming to have the cool tool in stock was enough to get clicks.

Of course this is nothing new. Go back and replace ‘iPhone’ with ‘Wii’ or ‘PSP’ or ‘Nano’ and you get similar results. As a gadget geek, I’m always at least a little tempted when I see one of these deal emails come in. I think back to the few times I have gotten a free lunch from the Internet borg: free speakers from some early online music start-up or free Microsoft discs from a Vista promotion. It’s not far-fetched to believe that some new start-up is blowing their marketing wad to ride the wave of the latest ‘gotta-have-it’ item. But like they say, “if it sounds too good to be true, then it probably is not”... And then multiply by 3.14 to take into account the Internet factor :-)

Damn you, spammers! I think you may have found my weakness.

-b3nn


McAfee’s “Groundbreaking” Phishing Study

Recently, I came across a press release by McAfee citing the results of a “groundbreaking” study that talks about the psychological games played by phishers and email scam artists. The results of the study indicated that “cyber criminals use fear, greed and lust to methodically steal personal and proprietary financial information”. Frankly, I didn’t see anything groundbreaking in those results. Don’t we all know that social engineers (including phishers) have to play with people’s psyches to get them to click on links and submit personal information?

The study did however quote some interesting statistics from a 2006 Gartner study:

  • Cumulative losses stemming from phishing attacks rose to more than $2.8 billion in 2006, as compared to $137 million in 2004.
  • The number of US adults that received phishing emails doubled from 57 million in 2004 to 109 million in 2006.
  • The per-victim loss due to phishing increased almost five-fold, from $257 in 2004 to $1,244 in 2006.

These numbers beg the question – are we fighting phishing the right way?

-Rohyt


DefCon 15 schedule posted: Hack your car at 7pm Friday.

The DefCon 15 schedule has been posted and I’m glad to have the 7pm time slot on Friday. I’ve presented about automatic outbound covert channels using non-traditional hardware in the past, but this year my DefCon presentation is for the gear heads.

Short summary: This presentation is about a modern car’s ECU and how reflashing it can net you more power. It’s a super ambitious topic to cover in 75 minutes. There are tomes of information about performance tuning theory, so it won’t be possible to make everyone an expert in the matter. What I can do is show the tools of the trade, explain some of the basics of tuning and data acquisition, and highlight some of the open-source projects dedicated to the subject: http://www.enginuity.org/ and http://www.openecu.org

I’d like to give special thanks to Intrepidus Group for letting me present on the topic and for graciously donating some cool giveaways that will be handed out during the presentation.

-higB


Rohyt Cited in Industry Week Article

Brad Kenney interviewed me about the unique information security challenges faced by manufacturing companies. Excerpts from that interview can be found in his IndustryWeek story, From ID to IP Theft.

Moral of the story: large employee bases whose skill set is not in technology, coupled with fragmented operations, make the job of an information security officer in the manufacturing sector very challenging.

-Rohyt

