Wednesday, May 11, 2011

CMS Explorer in BackTrack 5

Just a quick note that Sunera's CMS Explorer has made its way into the BackTrack Linux version 5 (Revolution) release! So no need to download it separately, just fire it up in BackTrack when you come against one of the supported CMS systems.

You can find it on the menus (which are now aligned by the PTES and OSSTMM standards) under CMS Identification:
BackTrack -> Information Gathering -> Web Application Analysis -> CMS Identification -> cms-explorer
And note that before you use it, you may want to supply an OSVDB-API key:
If you see this message, you need to add your API key.
And just a reminder that CMS Explorer is open source Perl code, so please consider contributing to the project. Additionally, it requires the GetOpt::Long module and LibWhisker--both of which are included in the BackTrack distro.

Put your OSVDB API Key in the $osvdb_api_key variable.

Thanks to the BackTrack team for continuing to enhance the pentesting distro and adding new tools like this (and others)!

Friday, April 29, 2011

4 Tips for Safer Gaming

Did you recently receive an e-mail from the PlayStation Network (PSN) informing you that your personal information may have been lost? If so, you're one of many victims on a growing list for this year. Many hospitals, universities, and major companies such as Epsilon and Sony have all suffered similar data breaches in the first four months of 2011. Although data breaches are spreading to new horizons such as social networking and electronic health records, console gaming and associated processing systems are target rich environments that have been overlooked. This recent PSN breach serves as a wake-up call, drawing attention to the trust consumers put into these systems.
Whether you were affected by this breach or not, if you're a gamer you're probably wondering what you can do to bolster your security while gaming online. Based on our knowledge in network security and risk management paired with our team's personal experiences in online gaming, we've written a list of four potential steps you can take to play online, but keep your personal information as safe as possible.
1) Trust No One
We are being reminded on a fairly regular basis that our assumptions of trust in the online environment are unfounded.  We may use visual indicators like a visually appealing online presence, padlock icons, highlighted urls and ‘hacker safe’ logos to help justify moving forward with online transactions and information submissions, however they are no indicator of *actual* security.  Every single time you submit information to anyone, via phone, web form or jamming your credit card number into your gaming console, please stop and ask yourself “What would a bad guy do with this information?”  If your answer would hurt your bank accounts, credit or present issues with identity theft consider other options.  Specifically concerning transactions, review the alternative payment methods below.  Further, consider having non-critical email account(s) available for more trivial registrations.  The idea is to limit your exposure and risk. You will never eliminate risk entirely, but taking steps to limit damage can go a long way.
2) Utilize an Alternative Payment Method (Reduce your personal risk.)
Based on the recent loss of information, you may be less apt to trust online gaming networks with your information. Although little can be done to protect your contact information, it is possible to limit the exposure of your payment card data. Rather than exposing your card number, authentication code, and expiration data, consider these alternatives. Cards with points or credit in the gaming network can be purchased at many reputable retailers. These cards can be used to purchase items, games, and add-ons in the gaming network without exposing credit card data to them. Furthermore, it may be appropriate to leverage a limited use credit card. These cards may be generated by your online banking provider for one time use. Alternatively, consider using one of the many payment cards available with very low limits or allocated funds. Many banks offer a system in which parents can give their children cards with a certain cash value on them and refill the cards when needed. These cards may be ideal for less trusted vendors.
3) Segment your home network
In many ways, a console gaming system is like a network appliance. You have very little or no control over the software deployed on the system or how it interacts with the environment. In fact, many console systems use the universal plug and play (UPnP) protocol to open your home network up; establishing communications channels and opening ports to the outside. All of this is done with your implicit consent and, if you'd like to continue to participate in first person shooter (FPS) fun, you can't restrict those features.
Systems of this sort are often trusted less than others because they cannot be controlled or secured in the same fashion as PCs. When two distinct trust levels are present on a network, segmentation should be put into place.  This segmentation, or grouping, of systems will help prevent attacks which depend on being in the same logical network as other systems.  These attacks include man-in-the-middle style attacks and traffic analysis.  These types of attacks could be used from a gaming console to intercept sensitive information between your PC and retailers or online banking systems.
Although it would be nice to implement a full featured firewall between your PCs and the gaming systems, an alternative type of segmentation is possible with many home routers. New routers often include segmentation features such as VLANs. You can assign the gaming console(s) in your environment to a VLAN separate from the rest of your systems. This will limit inadvertent exposure of PCs using gaming ports and keep gaming consoles on their own network.  Of course, the underlying assumption here is your gaming console is not used as a media center requiring internal network communication - in which case more advanced preparation and setup may be required.
The following is a list of major, consumer-grade router manufacturers. Consult their website to determine whether or not your router supports network segmentation features, such as multiple VLANs:
  • DLink
  • Belkin
  • Cisco / Linksys
  • If your router does not support VLANs in vendor provided firmware, a custom firmware may be available which will enable this feature. If you are comfortable applying custom firmware (CFW) to your router, consider applying OpenWRT or DD-WRT to enable advanced features.
4) Consider the source of software
At the heart of a gaming console is a computer, one which has been optimized for accomplishing a single purpose, but a computer nonetheless.  As a result, we should treat consoles more like our PCs. If a website were offering a custom version of a popular operating system, such as Windows or OS X, wouldn't you be wary of applying that to your computer? We should apply the same logic to custom firmware and console gaming software available on the internet. A common attack against PCs is to backdoor pirated software or video games and then make the software available on peer-to-peer networks.  This attack vector would be highly effective against console gaming systems by deploying malicious game software or CFW.
Be wary of this software, evaluating and vetting software as much as possible before deploying it. CFW is not a bad thing and should be respected for the capabilities it provides consumers, but it should also be considered carefully by consumers as these CFWs become system level objects on gaming consoles when they are applied. This means that they have control over all aspects of the system.
Confirm the hash values of software against known, good values where possible to ensure that the software has not been changed or corrupted. Try to gather software from reputable sources as applicable.
The simplest answer to securing your information in this venue is to stop gaming online, but what fun is that? Keep these five things in mind to game safer and protect your personal information using a risk based approach.

Thursday, February 10, 2011

When Distros (Sneak) Attack

I was re-testing a list of findings from a prior engagement yesterday and eventually worked my way down to the "SSLv2" enabled list. These are pretty much the universal findings, since seemingly few people disable SSLv2 or weak ciphers when standing up a web server. Also, applying the recommended registry fix in Windows isn't always executed to perfection, so SSLv2 tends to linger.

For quick checks like this, I use OpenSSL from the command line:

steve@swt-work:~$ openssl s_client -ssl2 -host some.ssl.host -port 443


If you get a bunch of certificate information back, the site supports SSLv2. If you get an error, it doesn't. Simple, right? Maybe not. I got errors on the first seven or so sites, and that got my spidey sense tingling. Maybe they actually removed SSLv2 successfully on all these systems, but I remain suspicious. So, I tracked down some hosts known to use SSLv2 and all of them reported the same error.

19669:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method passed:ssl_lib.c:1453:


It didn't seem to be an issue with OpenSSL itself, because connections to SSLv3 sites worked as expected. After a few moments of troubleshooting, I turned to Google. No definitive answer was forthcoming, but I did come across a mail list post that indicated that Ubuntu entirely removed SSLv2 from OpenSSL. I jumped onto another Linux distribution and did some parallel testing. OpenSSL in Ubuntu does not support SSLv2, and "null ssl method" is the only message you get. We reviewed the changelog and verified the change.

openssl (0.9.8o-1ubuntu3) maverick; urgency=low

* debian/patches/no-sslv2.patch: disable SSLv2 to match NSS and GnuTLS.
The protocol is unsafe and extremely deprecated. (Debian bug 589706)

-- Kees Cook Tue, 20 Jul 2010 08:24:13 -0700


At this point, I was upset with Ubuntu for wasting my time, and fired off a tweet to that effect. Since I had another distribution available, I moved on with my auditing from there.

Then one of my co-workers wondered if Nessus SSLv2 scans worked on Ubuntu hosts. After some brief testing on other distributions, lo and behold, Nessus plugin 20007 (SSLv2 Enabled) does not recognize SSLv2-enabled servers. Anyone that has been using Nessus on Ubuntu 10.10 since July 2010 for scanning has been unable to detect SSLv2-enabled servers. That's an issue.

I took to the Nessus discussion forums for some guidance, since those guys are so quick to respond. It took all of 20 minutes for Renaud Deraison to reply:
I really like when vendors think they know better -- if a program wants to use SSLv2 they should not get in the way and decide it's bad, without looking at the context.

This probably means that in the not-so-long term, Nessus will ship with its own version of OpenSSL (as we do on Windows and in the "generic" builds).

So, the good news was that Tenable was planning to work around this distro nannyism by shipping their own SSL. The bad news was that we needed a fix in the interim, or our Nessus scans would be suspect.

I then noticed that Kees Cook came across my tweet and responded. After a brief exchange about the removal of SSLv2, he posted a step-by-step guide to reversing the no-ssl2 patch.

$ sudo apt-get install build-essential devscripts
...
$ sudo apt-get build-dep openssl
...
$ apt-get source openssl
$ cd openssl-*
$ quilt pop -a
...
$ sed -i '/no-sslv2.patch/d' debian/patches/series
$ quilt push -a
...
$ dch -n 'Allow dangerous v2 protocol'
$ debuild -uc -us
...
$ ls ../*ssl*.deb


Most of the instructions were familiar, but I hadn't used 'quilt' before. In this case, 'quilt pop -a' removes all patches, and the 'quilt push -a' adds all the patches in debian/patches/series once the "no-sslv2.patch" entry has been deleted. Then the debs are built and easily installed using the 'dpkg -i' command.

Nessus and the openssl s_client were once again able to connect using SSLv2 with the custom debs installed. I reported this back to the Nessus discussion forum thread, and Renaud once again responded with lightning speed.
Nessus 4.4.1 for Ubuntu 10.10 will ship with its own OpenSSL 0.9.8r. ETA is "very soon". Your solution is fine in the meantime, but it's a hack. In the long term, as distributions start to decide they know best about their users needs, we'll probably start shipping OpenSSL with more and more builds
So, in the long run, this will not be an issue for Nessus users on Ubuntu. In the short term, there is a workaround, but system updates will require extra attention, as OpenSSL needs to be rebuilt after every update.

Thursday, January 20, 2011

Stuxnet and Cablegate - Harry Palmer wins again.

The two biggest data security stories of 2010 (and arguably of all time) are the weaponization of a computer virus targeted at a nuclear plant and the massive, unprecedented theft and disclosure of national security secrets from a secured military network. Under close examination, neither of these; Stuxnet nor Wikileaks/Cablegate, used a particularly exotic attack vector.

They happened because of the failure, again, of the organic component of information security. They happened because a disgruntled PFC, a high school dropout with apparently unfettered access to SIPRNET, brought writable CDs to work and proceeded to copy everything he could lay his mouse on. They happened because some nameless Russian contractor working for Atomstroyexport jammed a USB stick loaded with a worm into an Iranian PC. Yes, the worm was incredibly sophisticated. The method of delivery? Not so much.

Air gap? Meet 'the bridge'.

PFC Manning and 'Ivan Doe' have shown in big glaring headlines, that the best defenses can be defeated by The Gray Man. Harry Palmer, the 'Anti-Bond' spy and prototypical Gray Man, was perhaps the best fictitious example of this, the most dangerous of threats. Harry did not rely on gadgets from Q Branch or Parkour acrobatics, but used the best weapons available to an intelligence operative; he had the ability to blend in and possessed a cold, singular focus.

In retrospect, PFC Manning was the ultimate disgruntled employee. He was ticked off, had recently broken up with his boyfriend and was newly demoted. But he found himself sitting (along with over 3,000,000 other users with his clearance level, yikes!) at a job he hated and staring at the crown jewels of American information security. The unknown contractor was working at one of the most scrutinized construction projects on Earth - the Bushehr nuclear plant. But given an environment where the host nation had to rely almost entirely on foreign nationals to build their facility, it was most likely child's play to bring in an autorun-capable thumbdrive loaded with a viral weapon and find a nice open USB slot or slots to infect.

The successes of Stuxnet and Cablegate are not surprising, nor is the attack vector. Anyone who has done any Social Engineering testing can tell you a myriad of ways to contravene physical and logical security measures. Most of the those techniques involve blending in with the rest of the sheep and taking advantage of the fact that once you get past the perimeter and are a 'trusted' member of the flock, you pretty much have free rein.

It takes a thief...

The way to combat disgruntled employees or hostile intruders from stealing or corrupting your confidential data is by following the old tried and true methods: concrete, realistic security policies and user/employee awareness training. But this needs to be reinforced with something that not enough organizations implement - Regular, unannounced Red Team penetration testing. Penetration testing with a strong social engineering component serves two purposes:

  1. It demonstrates your vulnerability to new, current attack profiles and exploits. That's good, not bad! An experienced and effective Red Team will most likely find holes you never knew existed and will provide you with a detailed After Action Report complete with remediation advice.
  2. It serves as an awareness reinforcement tool for you employees. If they've experienced Red Team attacks, have seen the repercussions and know they are going to be hit again at random times, it tends to make them take all that training a lot more seriously.

Is there is a silver lining to be seen in all of this? Perhaps. Perhaps the high-profile nature of the exploits will finally result in attention being paid to that most dangerous of threats: your very own Harry Palmer wandering around your building.