Saturday, August 22, 2009

Heartland Lessons

The Heartland Payment Systems data breach, which resulted in the theft of more than 130 million credit and debit card numbers, dominated the news during the past couple of weeks. The company is the world's ninth largest credit processing company, so you would think it would have taken the necessary precautions to prevent a breach of this nature. I say this against the backdrop of the breach being due to a SQL injection vulnerability. The vulnerability is well understood, and security analysts have warned retailers about it from time immemorial. SQL injection is in fact so widespread that it is the most common form of attack against web sites.

I used to feel that hackers employed techniques found only in rocket science manuals. Since becoming a part of the infosec world, however, I have come to realize that this is not so. Now don't get me wrong: some exploits can be looked at as works of art, and those take some doing. The majority of attacks, however, do not fall into that category.

This latest incident is testament to that fact. SQL injection sits at the script-kiddie level of attack, as there are several tools available that simply require you to point, click and, voilà, you're done.

So when a company like Heartland falls prey to an attack like this it is just unbelievable. Recall that SQL injection attacks exploit a violation of one of the basic tenets of web application development: you should not trust ANY input from the user.

This article over at Dark Reading should serve as a timely reminder of the impact such vulnerabilities can have and some steps you can take to mitigate against such attacks.


Infiltrating A Botnet

I have always had an interest in Botnets. So when I came upon this article posted by awesec on Ethicalhacker it immediately piqued my interest. Incidentally if you have not already checked out the folks over at ethicalhacker you should go say hello.

So back to the article at hand. A Cisco research team, while on an assignment recently, noticed a tremendous number of alerts on the customer's network, including IRC activity far larger than anything that could be benign. It turned out that the machines had been compromised and had become part of a botnet.

The article explains how they got rid of the Botnet but more interestingly gives some insights into the mind and motives of a botmaster. It really is an interesting read.

Tuesday, July 21, 2009

The Windows "FOR" Loop

As some of you may or may not know, the Windows command shell (cmd.exe) supports several different kinds of FOR loops. This post discusses two of the most common and powerful.

FOR /L loops can be used as counters, starting at a given number, and incrementing by a given step, counting to another number.

FOR /F loops are more advanced and offer options for iterating over a set of files, the contents of files, or the output of a command.

Syntax And Usage
The syntax for the FOR /L loop is as follows
c:\> for /L %i in ([begin],[increment],[end]) do [command]

Using the syntax above we could implement a simple counter using the following:
c:\> for /L %i in (1,1,10) do echo %i

In case you're not a programmer, %i is the variable we use as our counter. We can also refer to %i in the [command], and it will be replaced with the current value on each pass through the loop. Pretty cool, huh? %i starts at [begin], changes by [increment] on each cycle through the loop, and runs up to the [end] value; the [command] runs once per iteration. It is important to note that %i should be an integer, as good ole Windows will drop any decimal places. One more thing to note: the single-% form shown here is for the interactive command prompt; inside a batch file the variable must be written %%i instead.

My very first program was to print 'Hello World' to the console. Yeah I know, it's boring but hey, we all have to start some where. And so on that note let's print 'Hello World' using our loop.

c:\> for /L %i in (1,1,10) do echo %i Hello world
This will print Hello world to the console ten times, each line prefixed with the counter. A sample of the output is also shown.

c:\>echo 1 Hello world
1 Hello world

c:\>echo 2 Hello world
2 Hello world

c:\>echo 3 Hello world
3 Hello world

You will notice that the output is ugly, because cmd echoes each command before running it. We can clean this up by adding "@" in front of our [command], which suppresses the echo of the command itself. Our new loop now becomes

c:\>for /L %i in (1,1,10) do @echo %i Hello world
1 Hello world
2 Hello world
3 Hello world

This looks much better. Again, take note that only a sample of the output is shown here.

Ok, so we can print Hello World ten times. What good is that? Well we can extend it to build a simple ping sweep like so:

Ping Sweep
c:\> for /L %i in (1,1,255) do @ping -n 1 192.168.1.%i | find "TTL="

This command creates our counting loop with a variable of %i, starting at 1, incrementing by 1, going through to 255. On each iteration it pings 192.168.1.%i without displaying the command (@), sending a single (-n 1) ICMP echo request, and scrapes the result for the string "TTL=", which appears only in a genuine echo reply. Matching on "Reply" instead, as is often suggested, produces false positives: when a host on the local subnet is down, Windows prints "Reply from <your own address>: Destination host unreachable", which also contains the word "Reply". If you want to spend less time on hosts that never answer, add -w with a per-reply timeout in milliseconds (for example -w 200).
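The same sweep written as a batch file, added here as an example that is not from the original post (nor from Ed Skoudis's column). It assumes the 192.168.1.0/24 subnet used above and stops at .254, since .255 is the broadcast address. It shows the two things that trip people up when a prompt one-liner is moved into a .bat file: the loop variable becomes %%i, and ERRORLEVEL inside a parenthesized block must be read with delayed expansion (!ERRORLEVEL!) or it is expanded once, before the loop runs.

```batch
@echo off
rem Added example, not code from the original post.
rem Assumption: the target network is 192.168.1.0/24, as in the post.
setlocal EnableDelayedExpansion
set "SUBNET=192.168.1"
set /a UP=0

for /L %%i in (1,1,254) do (
    rem Match "TTL=" rather than "Reply": a down host on the local subnet
    rem yields "Reply from your own address: Destination host unreachable",
    rem which would also match "Reply". Only a real echo reply carries a TTL.
    rem -n 1 sends one probe, -w 200 waits at most 200 ms for the answer.
    ping -n 1 -w 200 %SUBNET%.%%i | find "TTL=" >nul
    rem find exits 0 when the string was seen. Read the value with !...!
    rem because %ERRORLEVEL% would be expanded when the block is parsed.
    if !ERRORLEVEL! EQU 0 (
        echo %SUBNET%.%%i is up
        set /a UP+=1
    )
)

echo %UP% hosts responded
endlocal
```

Save it as sweep.bat and run it from a command prompt. The equivalent one-liner at the interactive prompt, with the same "TTL=" filter and timeout, is `for /L %i in (1,1,254) do @ping -n 1 -w 200 192.168.1.%i | find "TTL="`; the find output itself contains the responding address, so nothing else is needed to see which hosts are up.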

All this is nothing new. Ed Skoudis covers this and a lot more in his weekly Command Line Fu blog. I encourage you to check it out.

The next post will cover the more advanced FOR /F loop.

Tuesday, July 7, 2009

Bait

Do you remember that movie? It starred Jamie Foxx. He played the role of Alvin Sanders, an ex-con who is used by the police to lure a criminal out of hiding. Go watch the movie if you want to know how it turns out.

Traditionally, attackers went after our servers, but there has been a shift to the client side. Server-side applications have been targets since around 2001, and they have matured as a result, so attackers have turned their attention to weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. In short, the user has now become the center of attention and has therefore taken on the role of Alvin Sanders. Bait.

F-Secure recently showed samples of bait files: real malware-laden Microsoft Word and Adobe PDF documents it has received. I can see how they could easily slip under the radar. The files are well done.

The lesson here is that we should not neglect our users. We should seek to educate them on the various attack vectors being used by attackers. This should be done using a language that they understand and practical examples they can relate to.

How is your user awareness program? Do you even have one?

Monday, July 6, 2009

Those URL Shorteners

So unless you have been living under a rock, you have probably heard about Twitter. And if you have used Twitter then you know all about URL shorteners. Basically, long URLs are simply hard to pass along. They tend to break in email, are harder to verbalize in a conversation, and they are difficult, or in some cases near impossible, to remember. URL shorteners solve this issue by, well, shortening the length of that long URL.

The problem with this is that a link that used to be transparent is now opaque. As you may have guessed, this has led to a huge proportion of shortened links acting as a disguise for spam and a slew of other bad things.

One way around this problem of obfuscation is the AVG LinkScanner, a free tool from AVG. It scans the pages behind the links you click or type into your browser and tells you in real time whether the link you're about to follow leads to malicious code. Pretty cool.

It's not the perfect solution, I am sure. But I believe it's worth a second look.
I'm sure there are several other tools. So feel free to share.

0-Day Microsoft DirectShow

Today was all abuzz with news of a new 0-day exploit affecting the msvidctl.dll component of Microsoft DirectShow. The bug can be leveraged to run code on users' PCs if they are tricked into visiting a malicious website through Internet Explorer, the operative term being Internet Explorer. The internet is filled with PoCs; however, if you are too lazy to search you can check out the carnal0wnage.attackresearch blog. Beware, however: if you're running Avast it may not like what it finds.

There is currently no patch for this vulnerability. Microsoft's interim workaround is to disable the vulnerable ActiveX control in Internet Explorer by setting its kill bit; if that is not an option for you, in the meantime switch on over to Firefox 3.5.

Saturday, July 4, 2009

Keeping Up With The Joneses

We live in a dynamic, evolving world, and it is therefore important that we keep abreast of the latest trends in our respective fields. This is a surefire way of getting ahead of the rest of the pack.

With that said I found the following resources to be quite helpful with achieving the above mentioned objective for us infosec types.

Social Networking Sites
Not only are these sites fun to hack and useful in the reconnaissance phase of a pentest, they also represent one of the best ways to network in the infosec field. Twitter, for example, is proving to be a great tool for this. Jhaddix from SecurityAegis has a very good write-up over at EthicalHacker.net on leveraging its power in this regard; I encourage you to read it. Good stuff gets posted on Twitter long before it hits the mainstream. Case in point: the release of RSnake's new tool, Slowloris.

RSS Feeds
Another way to keep up is via RSS feeds. Paul Asadoorian from the famed PaulDotCom has an extensive list to get you started. All you need to do is download the feeds and import them into your RSS news reader. So check that out also.

Blogs/WebCasts
Well, you can start off by always reading this blog to get your day started. Ok, let's get back to reality. Bloggers is a good place to start. With regards to webcasts, SANS has some very good ones. Check this out to whet your appetite.

There is a lot more that can be said on this topic. I am only scratching the surface here. Mubix has a much better list here.

These are just some of the resources that I have found useful.So check them out and feel free to share your own.

Additional resources

The Attack Of The AV

PCs running the popular McAfee VirusScan were brought down recently when the antivirus program began attacking core system files. Based on anecdotes, the 'attack' appears to be caused when older VirusScan engines install DAT 5664, which the antivirus giant pushed out within the last 36 hours.

Affected systems then start to identify a wide variety of legitimate and frequently crucial system files as malware. According to this article files belonging to Microsoft Internet Explorer, drivers for Compaq computers and even the McAfee-associated file McScript.exe were being identified as a trojan called PWS!hv.aq.

I can only imagine what admins the world over are going through right now. Hopefully McAfee will get a lid on this situation ASAP.

Reputation-Based Security

Zulfikar Ramzan technical director and architect at Symantec recently spoke with CNET where he took the opportunity to outline the company's future plans.

Symantec has what it calls the Symantec Community Watch program, in which customers' machines submit data back to Symantec about security events and related happenings on their systems at any given moment. The submission happens without human intervention. The program currently has well over 30 million participants.

The company plans to use this data in the next version of its Norton Antivirus product, Norton Antivirus 2010. According to Ramzan, this new approach, dubbed reputation-based security, is really about looking at a much wider spectrum of machines to make a much more informed decision about what one file is doing.

This approach is in stark contrast to what currently exists, where a blacklist or a whitelist is used. A blacklist looks for files known to be bad; a whitelist looks for files known to be good. Both approaches neglect what happens in the middle, and reputation-based security is geared towards addressing that.

This is an interesting approach. However I am sure the bad guys will find a way around it.
We'll see.

Thursday, July 2, 2009

Mozilla will issue security fixes for Firefox 3.5

Wow, that was quick!!! Mozilla, which just released the latest version of its Firefox browser on Tuesday, is already planning to release security fixes for bugs in Firefox 3.5, according to ComputerWorld.com.

The company essentially plans to fix at least three bugs and what it calls "topcrashes". One interesting thing to note about this version is that it includes tools for controlling private data, including a private browsing mode (hmmm, that's interesting).

In its first 36 hours it was downloaded 6.5 million times.


Have You Ever Been Tempted By The Lure Of The DarkSide?

This story is a couple of days old (in the world of IT a day is like a thousand years) but I still wanted to mention it. Max Ray Vision, aka "Iceman", pleaded guilty on Monday to two counts of wire fraud stemming from the theft of approximately 2 million credit card numbers (yes, you read that right!!!) and $86 million in alleged fraudulent purchases. WOW!!!! Just WOW!!!!!!!

Vision was a security consultant before he got arrested, so I guess the lure of going to the DarkSide got the better of him. Commenting on the case, FBI agent J. Keith Mularski, who spent two years undercover infiltrating a group of cyber scammers who bought and sold stolen credit cards, says that some guys simply allow their curiosity to get the better of them, and in the end find themselves going down that dark path.

How many of you who are currently employed in the INFOSEC industry have ever entertained the thought of going to the Dark Side? You have all the required skills. You have all the tools. And to cap it all off, we are in the midst of a global recession. So why not?

It isn't worth it. I say use your skills for the good of society and the cyberworld.

Vision now faces up to 60 years in prison when he is sentenced in October.


Wednesday, July 1, 2009

Securing That Shiny New PC

So you just unpacked that brand new shiny PC and fired her up, and you are anxious to hit up your favorite social networking site. At this point security considerations may be the farthest thing from your mind. In fact you may not be concerned with security at all.

Well, with attackers focusing a lot more on the end user (that's you), you need to take a more proactive approach towards security. Bill Brenner has a nice article on securing that new PC.

He recommends taking the following steps:
  1. Uninstall Stuff You Don't Need
  2. Install Firefox
  3. Install NoScript and other Firefox add-ons
  4. Search for all needed Windows patches
  5. Customize your AV/firewall package

5 Steps to Secure a New PC

Security,Group Size, and the Human Brain

I wonder if this is why I can't seem to remember the names of some of my co-workers. Based on the findings of primatologist Robin Dunbar, 150 is the cognitive limit to the number of people with whom a human brain can maintain a coherent social relationship.

Security, Group Size, and the Human Brain

Juniper pulls researcher's Black Hat ATM talk

I was not planning to attend the conference, but I still find this story very interesting. The talk, I gather, was pulled because the affected ATM maker (Diebold, probably?) raised concerns that it would not be able to fix the flaw in time. Give me a break!

I don't know how true that is, but chances are they knew about it and decided not to do anything, or, better yet, to take an ETERNITY to address the flaw. If that is indeed true, then I believe research as important as this should be made available to the public in order to advance the state of security.