Monday, January 28, 2008

Metasploit Framework 3.1 is out!

HDM and the metasploit crew have officially released the Metasploit Framework 3.1 release

here is the release note

when asked to come up with a quote for the new release...

"if that new drag and drop meterpreter file browser in the GUI doesnt make you hot for your INFOSEC job, nothing will."

Saturday, January 26, 2008

New look for carnal website

Huge thanks to Matt for the update to the carnal0wnage main site.

here's a screen shot.
now I just have to get around to updating that site too...

Windows Vista One Year Vulnerability Report

If you haven't read the Windows Vista One Year Vulnerability Report its worth taking a look at only if to solidify what Andrew Jaquith talks about with security metrics and graphs and how they can say whatever you want them to say.

Original Post here:

Here are my comments after a quick read of the paper.

Interesting paper. I'm not convinced that because there were more vulnerabilities by number in RH/Ubuntu versus Vista is "necessarily a better OS or the fact that there were far less vulnerabilities by number between XP and Vista that deserves a ton of praise. Good, in 5 years MS got better at creating and rolling out a secure product...kudos. Isn't that what everyone expected and MS said they would do? Also, I cant imagine anyone dropping a remote code execution exploit for Vista on bugtraq/FD/milw0rm/whatever right now for free, a working exploit for Vista or XP SP2 is far too valuable to give away for the sake of "making the internet a safer place" especially with all the companies paying big bucks for those exploits or how valuable they would be for the underground or for the sake of having an 0day.

It would have been interesting to compare all those open source vulnerabilities not by number but by remote code execution possibility. I didn't go and check every MS # or every vuln listed for RH/Ubuntu but i am going to guess that if it got a critical or was made mention for Vista it was because there was code execution possible(either client side, i send you a link, click on this, or full old school remote). I'm going to go out on a limb and say that not every vulnerability that was released for open source was code execution. I wouldn't put a bugfix in some obscure library that did get pulled down as an update in Ubuntu (and added to that 100+ updates) in the same category as a code execution vulnerability.

Just goes to show you that I can make up become down and left become right with the right wording and some excel graphs...


Thursday, January 24, 2008

Metasploit Framework GUI

I'm behind on my posting, but I'm going to do a quick post on the shiny new MSF3.1 GUI.

I'm not usually a GUI kinda guy but I do like the GUI specifically the browser option where you can just drag and drop files...way cool.

here is the post from the framework list talking about getting it up and running on linux and windows

I think its technically still in beta and not officially released but its working well and I would expect a release soon.

couple of screenshots, I'm gonna try to get a video up shortly.

Badass MSF Splash Screen

Main GUI Layout

GUI Browser with Meterpreter Payload

Thursday, January 17, 2008

guilty until proven innocent and encryption in the digital age

"A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase."
The Washington Post just revived this article and there is also a good article on cnet.In Child Porn Case, a Digital Dilemma; U.S. Seeks to Force Suspect to Reveal Password to Computer Files
Judge: Man can't be forced to divulge encryption passphrase

you may have to register for the post one, but the cnet one you can view

if you are unfamiliar with the case, like i was, basically Sebastien Boucher was stopped coming into America at the Vermont border. The border agents looked at his laptop which appeared to have been on, and saw what appeared to be preteen child porn. Of course the arrested him. At some point the laptop was turned off and now they cant answer some "Z" drive that supposedly holds the evidence. They now want Boucher to give up his PGP passphrase, which his lawyers argue will be violating his 5th amendment rights (right not to incriminate yourself).

I'll try to keep this on the technical level even though i have some strong other opinions on it.

We are forced to conclude that he has some sort of have to decrypt to boot or log into the laptop option even though they dont specifically say that. If they could log into the regular windows drive but not the "Z" drive, if this guy really has been engaging in that kind of activity it should be visible in IE history, saved passwords, temp files, irc logs, p2p client logs. there should be PLENTY of evidence. They could also subpoena ISP logs and search his home for backups. One of the articles says he is out on bail, a perfect opportunity to monitor now (another argument --but they should have no problem getting a warrant given the circumstances) if he truly is a pedophile hell get right back into it and they can catch the guy with real evidence.

Its a shame that the importance of this case will be overshadowed because of KP. The protect the kids crowd who, by reading alot of the comments on the Washington Post, have already convicted the guy and are fine with giving up liberties for people who are terrorists, pedophiles, or have something to hide --unless it was them. If the guy was accused of some white collar crime, i think most people would be like "hell no he doesnt have to give up his pass phrase" but because of KP, they want to hang him out to dry.

I for one dont blame the guy for at this point not wanting to give up his passphrase, even though its been over a year and i would have been trying really really hard to forget that thing the last year if it was me (it usually takes me a few tries anyway). The are obviously on a witch hunt at this point, and like he sort of says you never have no idea what is in your temp files, especially if you visit porno sites. It wont matter to the prosecution if the is questionable stuff in his temp files (and i'm sure that will be glossed over in any trial), it will be there even if everyone knows you can be redirected to questionable sites even when trying to access "clean" sites let alone "adult" sites.

This is an intersting bit from the cnet article:
"Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then--and this is key--the laptop was shut down after Boucher was arrested. It wasn't until December 26 that a Vermont Department of Corrections officer tried to access the laptop--prosecutors obtained a subpoena on December 19--and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy."

This link says it was a forensic copy:

Hopefully the Constitution and real justice will prevail if the people in Vermont cant gather up some real evidence in the case but i will agree the guy screwed himself for the most part by letting people look at the laptop and admitting to having things on the laptop he shouldnt.

Here are some great quotes to help you get to sleep tonight:

"Criminals and terrorists are using "relatively inexpensive, off-the-shelf encryption products," said , the FBI's assistant director of public affairs. "When the intent . . . is purely to hide evidence of a crime . . . there needs to be a logical and constitutionally sound way for the courts" to allow law enforcement access to the evidence, he said."

"Mark D. Rasch, a privacy and technology expert with FTI Consulting and a former federal prosecutor, said the ruling was "dangerous" for law enforcement. "If it stands, it means that if you encrypt your documents, the government cannot force you to decrypt them," he said. "So you're going to see drug dealers and pedophiles encrypting their documents, secure in the knowledge that the police can't get at them.""

Lee Tien, senior staff attorney at the EFF, a civil liberties group, said encryption is one of the few ways people can protect what they write, read and watch online. "The last line of defense really is you holding your own password," he said. "That's what's at stake here."

and my favorite from one of the comments:

"Maybe it would be simpler just to declare the ever-dwindling number of people who happen to live outside prison walls criminals. Then we could dispense with this inconvenient notion of civil liberties altogether."


Sunday, January 13, 2008

The Craft of System Security Book Review

Book Review For:

The Craft of System Security
by Sean Smith, John Marchesini

Useful for the Novice and Professional

5 stars

The preface of the book says that the book grew from a college course to solve this problem: “to provide the right security education to students who may only ever take one security course and then move on toward a wide range of professional careers.” Its nice when the authors put the goal of the book at the front, it makes reading it in the proper context much easier and reviewing the book (usually) much easier.

I think the authors met their goal of a book to give to people who may only read one security book in a college course and have it be readable and useful. It is written in an understandable manner and provides enough pictures and explanations for someone new to the subject who “has to take the class” and enough math and further reading for someone that wants to really delve into a subject to do so. Important words are in italics so if you wanted to or needed to look up the definitions to really understand the section you could, but there is enough information in the paragraphs to get by.

The book also has the added plus of being useful to someone studying for their CISSP (if they actually want to know the subjects). It explains topics that, in my opinion, are not explained very well in the study guides. Their discussion of the orange book was superb and I wish I had this book when I was trying to make sense of it when I was studying. The chapters on cryptography go beyond the typical Alice and Bob stuff you get in most books (Alice and Bob are still there) but they also get into examples of breaking cryptography and explaining how the attacks work and usually backing it up with the math involved. I really could say something good about every chapter in the book. Each chapter is laid out with a solid, consistent road map, is full of quality readable content, and wraps it up with a “take home” message at the end.

The Table of Contents doesn't seem to be available on Amazon but if you are interested in the book, I'd recommend you take a look at it over at the InformIT site. It covers a lot of ground in its five parts of History, Security and the Modern Computing Landscape, Building Blocks for Secure Systems, Applications, and Emerging Tools. The book also comes with a huge list of references and a pretty good index for looking up topics.

I usually have my list of likes and dislikes for books. For this book I don't have any dislikes. The book is readable, well edited, a good font size, and I learned things from it. I've been actively recommending it to people at work, especially the guys working on their CISSP.


Saturday, January 12, 2008

The Art of Software Security Testing Book Review

Book Review For:

The Art of Software Security Testing: Identifying Software Security Flaws

by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, Elfriede Dustin

Good overview but not a one stop shop

4 stars

This is a good “short” version of "The Art of Software Security Assessment" by Dowd. For a security book its short, at 250 pages. The book contains useful information but not enough to be an expert at anything. This is definitely one of those mile wide, inch deep books and not a one stop shop as it says in the preface. It covers topics in enough detail to have heard of the issue and some of the chapters give you some links to further information but you wont come away with enough knowledge to actually do many of the attacks talked about.

It does hit the major attack vectors; Ch6 Generic Network Fault Injection, Ch7 Web Applications: Session Attacks, Ch8 Web Applications: Common Issues, Ch9 Web Proxies: Using WebScarab, Ch10 Implementing a Custom Fuzz Utility, and Ch11 Local Fault Injection. So thats a plus. The first part of the book on Secure Software Development Lifecycle was good, but again, not really enough information to be the only book you need on the subject. The third part of the book on analysis, Ch12 Determining Exploitability, was really not useful to me its way too short and tries to cram exploit development into 25 pages which just isn't possible. It shows you some diagrams of the stack and heap then some winDbg screen shots of nameless programs crashing and overwriting EIP (stack) and EAX (heap) and a null dereference. Fairly anti-climatic and doesn't dispel the “magic” of writing exploits.

Things I liked; the WebScarab chapter (Ch9) was good, that can be a tough tool to get up and running with all of its options. The Web Application chapters (Ch 7 & Ch8) are pretty good overviews. Part 1 of the book on the SSDL, overview of how vulnerabilities get into code, and risk-based security testing was useful to me and serves as a good into to the Dowd book.

Things I didn't like; Chapter 12 on Determining Exploitability was too short and not enough information, no code for the custom web application they use for examples for SQL Injection. I'm very much a “have to do it” guy and not having the code was a disappointment and lastly the book's website seems to have never been updated after first standing it up.

I'd recommend the book to people who need to get an idea of security flaws, how they get into code and some visual examples of those flaws. But only if they needed either a high level overview or they need an initiation to the topic. For people who need a deep knowledge I'd refer them to the Dowd book.


Thursday, January 3, 2008

Storm/CME711 has a temper

So I spend a lot of my time figuring out ways to better detect some of the newer bot/malware variants in enterprise environments. Part of what I do, when I have time, is to pull down some malware and analyze it. By analyzing it and looking at network traffic, peers, etc... it is possible to build up signatures to detect the latest variant. Nothing groundbreaking and horribly reactive. This seems to be the only way to really detect it on the network. Automation is getting harder and harder and requires more and more human interaction as the malware evolves.

Anyway, I was modifying a script to pull down the latest variant from a known domain that hosts the malware. It seems that I downloaded one too many in a too short a period of time. Storm DOS'ed me. :) It's still going on from a few IP Addresses, nothing too impressive, probably more of a warning than anything.

So looking at some data from December 25th (I performed 14500+ lookups on Careful, this is still a live domain) I mapped the IP to it's geographic region.

The previous day there were only about 1000 unique IP Addresses being used to host this domain. The geographic spread is interesting. The USA has the dubious honor of having the most infected hosts. These numbers can be skewed by many outside factors including the time I performed the lookups in relation to the time that the latest spam email containing links to the malware was released. (Some people were still sleeping :))

Here are the top 25 countries from that dataset:

China 47
Brazil 49
Bulgaria 53
Chile 57
Hong Kong 79
India 90
Hungary 97
Japan 99
Sweden 121
Germany 136
United Kingdom 137
Taiwan 145
Netherlands 153
Spain 174
Canada 194
Australia 196
Russian Federation 198
Turkey 198
Argentina 220
France 237
Poland 368
Romania 522
Korea, Republic of 814
Unknown 3208 [These 'unknown' IP Addresses were not in the GeoIP database I used]
United States 6427

Doing reverse lookups on the IP Addresses show most to be home DSL/Cable modem users. When will people learn that the email is not from a friend? Heh. Oh well.

dean de beer

Tuesday, January 1, 2008

New Year Paranoia Thoughts

As we were at Safeway buying champagne and the sparking apple cider for the party last nite it really dawned on me the amount of personal data we give to stores in exchange for a couple dollars off at the register.

When you think about it, would you regularly post on the net when you buy condoms or butt cream from the drug store, or EVERYTHING you bought from the grocery store. While I don't consider myself strange or to have weird eating habits, I don't know that I'd be comfortable letting everyone know what I was buying -- even though evidently I am because i take my couple dollar discount.

While most of the info is just for marketing or statistics, some you have to wonder what its for. For example, Safeway (a grocery store) you enter in your phone number and you get the "Safeway member price" on alot of things that are on sale that week, thats cool, and i usually save 3 or 4 dollars per visit. But what does safeway do with that data? i don't get coupons or things like that in the mail or email (you only give them name and phone number but alot of stores ask for email now too) but where is all that information going and who is using it?

So, two thoughts I took away from it were:

1. Looking back at my maltego post (or just using google) look at the amount of information you can find about someone if you just know there name, email and phone number...kinda scary

2. Can that information be used to incriminate you? Say I was a suspect in a murder case and I had bought (and swiped my member rewards card) at the local hardware store when I bought lime, shovel, trash bags, and rope --hope I didn't pay with my debit mastercard either.

So, I guess my question is, in this day and age of really working hard to protect the privacy of our online identity with TOR, anonymous email accounts, limiting what personal information we do give out, and your favorite flavor or PGP do we need to work harder to protect our physical (real/human) identities, especially when that information is so easily and pretty much instantaneously transfered into the online realm?

I think I'll continue using the in-laws information at Safeway...just in case.

Happy New Year!