Showing posts with label news. Show all posts

Friday, June 24, 2011

Welcome Ken "cktricky" Johnson!

Ken "cktricky" Johnson has agreed to join the carnal0wnage/attackresearch blog and I can't be more excited. Ken brings tons of webappsec kung fu and is the core developer for wXf. He should be adding lots of webappsec goodness.

You can catch him on Twitter as well: @cktricky

Welcome Ken!

-CG

Monday, May 23, 2011

carnal0wnage/Attack Research Blog Back On Blogger

Carnal0wnage/Attack Research Blog is back on blogspot. URL is still http://carnal0wnage.attackresearch.com and http://carnal0wnage.blogspot.com should redirect you to the right place. I doubt that RSS feeds will be so lucky though...you'll probably want to update your feeds.

Hopefully being back on blogger will allow for more and better discussions than on the drupal site and if the blind elephant guy is working on an update, hopefully this fucks up his talk and he doesn't get to call us out this year b/c Drupal sucks to update/manage.

-CG

Monday, June 8, 2009

carnal0wnage and Attack Research join forces!

I'm happy to announce that carnal0wnage and Attack Research have joined blog forces!

The new home for the blog will be:

http://carnal0wnage.attackresearch.com/

Please point your RSS readers to the new location and enjoy.

With the new blog comes the ability for a few more people to post. If you want to contribute, please email c0arblog@attackresearch.com

-CG

Wednesday, May 20, 2009

Not Dead, just busy

I'm not dead and I haven't quit blogging, I've just been tired and busy and working on a fairly big change to c0 that I think everyone will enjoy. I was hoping it was going to be ready by now but it's not...I do this for free...so you'll just have to wait :-) I'm actually waiting on someone else to do something, and they also do what I'm waiting on for free...vicious cycle...

Back to your regularly scheduled ranting and pwning.

Monday, April 6, 2009

Carnal0wnage Blog makes the top 5 Best Technical Security Blog

I am happy to announce that Carnal0wnage Blog made the top 5 Best Technical Security Blogs for the RSA Social Security Awards.

https://365.rsaconference.com/blogs/blogger_meetup/2009/04/06/social-security-awards--the-finalists

Best Technical Security Blog

Carnal 0wnage
Zero Day
Schneier on Security
SANS
Rational Survivability

Thanks to everyone that voted or to whoever coded up that burp script :-)

Sunday, March 29, 2009

Shotgun Blast for 29 March 2009

A couple of articles/blog posts worth taking a look at:

Info on Ghostnet
http://www.f-secure.com/weblog/archives/00001637.html
*Mirrors of the two papers are available at the link above.
http://news.bbc.co.uk/2/hi/americas/7970471.stm

I am personally glad when I see people getting pwned via client-sides make the news. Hear me and Vince talk about it at Notacon and DojoSec this month!

It's also interesting, at least to me, to see real cyber warfare in action. Cyber warfare doesn't have to be about stuff going boom, but having another nation state all in your network for god knows how long certainly makes you wonder how much of your "secret" activity isn't secret anymore.

Application Operating System Fingerprinting from Dan Crowley
whitepaper: http://x10security.org/appOSfingerprint.rar
his blog: http://x10security.org/blog

Sweet new updates to metasploit!

No link...just svn up your trunk and enjoy! The SNMP community scanner is nice.

Weaponized Malware ??
http://preachsecurity.blogspot.com/2009/03/weaponized-malware-your-protection.html

While the question of what the home user is to do is tougher, in the enterprise keeping up with what is egressing your network may help with catching that malware calling home. It's probably time to start looking at the problem as "it's going to happen, how do I detect and respond?" instead of just "hoping" it doesn't happen.

What is conficker going to do on April 1st?
http://lastwatchdog.com/debate-significance-conficker-phoning-hom-april-fools/
http://lastwatchdog.com/countdown-conficker-worms-april-fools-day-climax/

Do we worry or not? Do you deserve what you get if you still have it in your network after this long?

If you allow gaming systems on your network without authentication can an attacker abuse that?
http://s148954166.onlinehome.us/2009/01/26/on-the-network-of-a-certain-university/

Definitely something to keep in mind: if a network requires authentication, can you change your MAC to that of a Wii or Xbox 360 and gain access?

Exploiting Unicode Enabled Software by Chris Weber
http://www.lookout.net/2009/03/26/exploiting-unicode-enabled-software-slides-from-cansecwest-and-source-boston/

Tuesday, March 24, 2009

Moving Cybersecurity from DHS to White House

From here:
http://infosecurity.us/?p=7343

“Forthcoming legislation would wrest cybersecurity responsibilities from the U.S. Department of Homeland Security and transfer them to the White House, a proposed move that likely will draw objections from industry groups and some conservatives.
CNET News has obtained a summary of a proposal from Senators Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) that would create an Office of the National Cybersecurity Advisor, part of the Executive Office of the President. That office would receive the power to disconnect, if it believes they’re at risk of a cyberattack, “critical” computer networks from the Internet. “I regard this as a profoundly and deeply troubling problem to which we are not paying much attention,” Rockefeller said at a hearing this week, referring to cybersecurity…”

and a DHS response here:
http://news.cnet.com/8301-13578_3-10048063-38.html

I'm a simple guy and I'm going to oversimplify my response. So here goes.

Politics and money aside (because there is a lot of both for this issue, and DHS would be dumb not to fight to keep control of the mission for the sheer amount of $ being thrown at it), without strong leadership and authority it won't matter who is in charge of cybersecurity for the US.

When I was just getting interested in security and still in college I went to Black Hat New Orleans 2002, and listened to Erik Birkholz's "How To Fix a Broken Window" talk.

From the talk description:

C:\>net send * “Don’t expect secure networks if you haven’t empowered your internal security team.”

Security vs. usability may finally become a balanced equation. All the usability in the world isn’t worth a damn if your internal network is a wasteland of default configurations and blank passwords. Security teams are now a required internal resource. Contrary to popular belief there are NOT 24 working hours in a day. Security can not be treated as a side order. The excuses need to stop - now.


The amount of the above that still rings true 7 years later is just ridiculous, but the important thing I took from that talk 7 years ago, and that is still true today, is: don't give people the responsibility for security and no authority to do anything about it.

So what does that have to do with DHS & the White House and who's calling the shots? Well, the fact that DHS and US-CERT have all the responsibility but no authority. US-CERT can send .gov organizations alerts, advice, guidance, incidents, threats, whatever all day long, but at the end of the day they really can't make those .gov entities do shit. That is the sad reality: those other agencies in most situations don't have to listen to the CERT, or can merely say "we took care of it" and there is no secondary investigation to be done or allowed. Additionally, there seems to be no punishment for receiving failing FISMA grades or having numerous security incidents, unless you call getting extra funding "to fix the problem" a punishment.

The simple version is this:
If things don't change...if nobody is given the authority to withhold funds or internet access, or the ability to fire people who show gross incompetence or an inability to handle the security responsibility of their organization; if we don't stop putting people in CSO/CIO positions who have no security background; if getting a failing FISMA grade doesn't actually mean anything; and if we don't change the broke-ass way that some .gov agencies operate, it won't matter who is responsible for cybersecurity or how much money you throw at the problem, it's still gonna be jacked up. In fact, who's to blame the bad guys for breaking into networks that are just so damn easy to break into?

Thoughts On Pentesting Must Evolve Or Die

So the latest article by Brian Chess didn't stir up quite the controversy that his "pentesting is dead in 2009" interview/article did, but this one is worth a read:

http://securitysa.com/news.aspx?pklNewsId=31945

It's a short article and not nearly as controversial as the "dead in 2009" one, but three quotes...

"People are now spending more money on getting code right in the first place than they are on proving it is wrong. However, this does not signal the end of the road for penetration testing, nor should it, but it does change things. Rather than being a standalone product, it is going to be more like a product feature. Penetration testing is going to cease being an end unto itself and re-emerge as part of a more comprehensive security solution."

"2009 will be the year this strategy comes together, and when we look back, it will be the year when most of the world began thinking about penetration testing as part of a larger offering."

All that is good news (I think); secure coding is where things need to go, but I personally don't feel any amount of secure code will ever completely replace pentesting as long as it's possible to misconfigure it or set it up insecurely. So Microsoft Windows at some point may be free of stack overflows (or any memory corruption exploits), but that won't stop some system admin from setting up their domain in some insecure fashion. That will still need to be pentested to discover and help remediate. Which leads me to the last quote...

"More than ever before, people understand the software security challenge, and penetration testing deserves credit for helping spread the word. But knowing a security problem exists is not the same as knowing how to fix it. In other words, penetration testing is good for finding the problem but does not help in finding the solution – and that is why it must take a long hard look at itself and then make a change. Just like the venerable spell-checker, it is going to die and come back in a less distinct but more pervasive form and I, for one, cannot wait."

I don't agree with this. Penetration testing/testers should never leave you without a fix to security issues. I know a lot of pentesters and I don't know any that don't give the customer recommendations for remediation, and a customer shouldn't accept a pentest that doesn't have recommended fixes. I suspect that what Chess meant here was "problems" like SQL injection vulns or code bugs that a source code scanning tool could help find and recommend the secure way to code, where a pentester may say "recode it", "have your developers find and fix the code" or "you may have improper parameter checking in this public function", etc.

I do agree that pentesting should evolve, but I think it should begin to look more at assessing an organization from many angles and taking the path of least resistance, rather than pentesting the network side one quarter, the web app side the next, physical security the next, etc. When we begin to identify what makes us money, then look at how we are protecting it across the enterprise, then test all those defenses at the same time, then we are evolving in the right direction. The evolution should be full-scope pentesting and not the way most shops do it now.

Anyone else have thoughts on the article?

Friday, February 20, 2009

Response to How to Choose a Pen Tester

So a response to "How to Choose a Pen Tester"

Let me start by saying that I agree with the core of Steve's argument. Yes, if I pay someone to come in and do "anything" on my network, I want to be able to trust them not to steal info, plant trojans, or air my dirty laundry out on the net when they are done.

I don't disagree with that.

BUT

A few comments, not sure they are quite counterpoints:

1. I personally don't see a big prevalence of pentest shops doing pentests and posting customer data on the net in any form. If there are examples, show me. He mentions that in 6 months he heard ONE story about someone that did that and didn't provide a link...ummm ok. Is it believable that it does happen/has happened/could happen?...yes. That every pentest shop is doing it (except his, which is really the point of the post)...doubtful. It's not a smart business decision to 1) as a company do that or 2) allow your testers to do that on their personal blogs.

2. As David Hull mentioned, what is the problem with talking about a pentest as long as the customer can't be derived from the post/presentation/email or there isn't enough actionable information to conduct the attack? If companyX was vulnerable to SQLI 6 months ago and I went in and found it using some creative method and I decided to share that experience on my blog or at a conference, what is the problem with that? The company isn't vulnerable any more, and if I had to figure out some new method of doing "whatever", unless it was explicitly in the contract not to share "new pentest methods", aren't those mine to share as I see fit? It helps the community when others talk about things they have seen on a pentest, even if it's just to make the other guy feel a tad bit better that someone else lives in jacked-up network hell too. Though I always get a lot more out of people's posts about their pentests than that.

3. I realize that Steve proposes you do a scorecard, but really....trustworthiness over competence? Why on earth would you ever even consider doing business with someone you didn't trust? I don't see how anyone with half a brain would put themselves in the position of...hmmm do I choose the trustworthy CEH or the untrustworthy l33t ass hacker....ummm NEITHER! You pick a company that hires intelligent, competent, trustworthy people, with the rest of the stuff on his scorecard too. Are there really that many companies that are that piss poor that even make it past a scoping call? And more importantly, do the decision makers for choosing the testers not have the ability to pick the good from the bad?


I should insert a shameless plug here but I don't think it's necessary :-)

Monday, January 12, 2009

Interview with an adware author

Really good interview: "Matt Knox, a talented Ruby instructor and coder, talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for allegedly surreptitiously installing adware on millions of computers.)"

http://philosecurity.org/2009/01/12/interview-with-an-adware-author

Wednesday, January 7, 2009

Weak Password Brings 'Happiness' to Twitter Hacker

From Wired Threat Level

"An 18-year-old hacker with a history of celebrity pranks has admitted to Monday's hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama's, and the official feed for Fox News.

The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he gained entry to Twitter's administrative control panel by pointing an automated password-guesser at a popular user's account. The user turned out to be a member of Twitter's support staff, who'd chosen the weak password "happiness."

http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html

Great stuff: Twitter got for free what would have cost them 20k+ from any other pen test shop.

Sunday, January 4, 2009

UK to allow warrantless "remote searching"

"The Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

The move, which follows a decision by the European Union’s council of ministers in Brussels, has angered civil liberties groups and opposition MPs. They described it as a sinister extension of the surveillance state which drives “a coach and horses” through privacy laws.

The hacking is known as “remote searching”. It allows police or MI5 officers who may be hundreds of miles away to examine covertly the hard drive of someone’s PC at his home, office or hotel room."

http://www.timesonline.co.uk/tol/news/politics/article5439604.ece

Sunday, December 7, 2008

Congrats To My Aura Software Security Friends

Just wanted to give a big congrats to my Aura Software Security friends over in New Zealand for the good things I'm hearing about their hacking NetScreen talk.

"Netscreen of the Dead: Developing a Trojaned Firmware for Juniper Netscreen Appliances"

http://www.ruxcon.org.au/files/2008/gn-netscreen-of-the-dead.ppt

http://www.zdnet.com.au/news/security/soa/Ruxcon-security-gurus-hit-Sydney/0,130061744,339293503,00.htm

Monday, October 13, 2008

I don't normally say this...

But go feds!

http://blog.wired.com/27bstroke6/2008/10/darkmarket-post.html

"DarkMarket.ws, an online watering hole for thousands of identity thieves, hackers and credit card swindlers, has been secretly run by an FBI cybercrime agent for the last two years, until its voluntary shutdown earlier this month, according to documents unearthed by a German radio network."

Tuesday, September 30, 2008

Why Blog?

Richard Bejtlich has a really good post on his blog entitled "Why Blog".

He lists five things:

  1. Blogging organizes thoughts.
  2. Blogging captures and shares thoughts.
  3. Blogging facilitates public self-expression.
  4. Blogging establishes communities.
  5. Blogging can contribute original knowledge faster than any other medium.

I'll let you read his blog for the discussion on the five things, but I've really enjoyed blogging.

I mostly keep the blog as my note-taking canvas (for notes I want to share with others), but RB's five reasons are reasons I blog as well.

Tuesday, August 26, 2008

BGP Eavesdropping

From Wired:

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network.

Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can't always vacuum in traffic within a network -- say, from one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

Second post on it:
http://blog.wired.com/27bstroke6/2008/08/how-to-intercep.html

Slides from Defcon: https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf

Thursday, June 19, 2008

And a little further in the toilet we go...

From the Wired blog:

http://blog.wired.com/27bstroke6/2008/06/dems-agree-to-e.html

"Breaking months of acrimonious deadlock, House and Senate leaders from both parties have agreed to a bill that gives the nation's spy agencies the power to turn a wide swath of domestic communication companies into intelligence-gathering operations, and that puts an end to court challenges to telecoms such as AT&T that aided the government's secret, five-year warrantless wiretapping program."

There isn't much to say if you read the article; it's shameful that the FUD still flows and becomes law in the name of terrorism 7 years after 9/11.

Wednesday, June 18, 2008

DIY Career in Ethical Hacking

My good friend Don Donzal of EthicalHacker.net spoke at the SANS Pentest Summit recently.

His slides and audio are available on the site.

Main Link: http://www.ethicalhacker.net/content/view/201/1/

Slides: http://www.ethicalhacker.net/images/stories/columns/editor/diycareer/diy%20career%20in%20ethical%20hacking.pdf

Audio:
http://www.ethicalhacker.net/images/stories/columns/editor/diycareer/donzal_diycareerinethicalhacking_sanspentestsummit2008.mp3

He said some good things in the talk; here are two slides that carry a lot of good information.

The first slide I posted was on being honest with yourself about who you are, where you want to go, strengths and weaknesses, and the family concerns. Being gone a lot isn't the best thing for a marriage.

The second slide was free or cheap ways to get there once you know where you want to go. I really like this slide because I would consider it the roadmap I have taken, and I think it's going pretty well.

The talk is about 50 minutes and worth the listen.

I had to laugh about his "Flash resume" from back in the day; if someone sent me a Flash resume I'd be too worried I'd be sending a reverse shell back to the guy by reading it.

Monday, June 9, 2008

Blind phreaker pays Verizon security officer a home visit

http://blog.wired.com/27bstroke6/2008/06/blind-teenage-h.html


"Less than two months after celebrating his 18th birthday, a blind, East Boston-based phone hacker has been arrested for paying a Sunday afternoon visit to the Verizon security officer who'd been chasing him."

"Weigman allegedly persuaded a fellow hacker to drive him and his brother 66 miles to the home of William Smith, a Verizon security investigator who'd been monitoring Weigman's hacking and phoning in updates to the FBI. Smith was outside doing yard work when the three men drove up, according to an FBI affidavit. Weigman introduced himself and said he wanted to talk to Smith, who instead went inside and called the police."

Not to say that calling the police wasn't the right move; 18-year-olds don't have the best track record of common sense and restraint in stressful or tense situations...

Friday, June 6, 2008

British ISP Spying On Users

Ok, this one is a little bit Dale Gribble...

From the Wired blog:

"An internal British Telecom report on a secret trial of an ISP eavesdropping and advertising technology found that the system crashed some unsuspecting users' browsers, and a small percentage of the 18,000 broadband customers under surveillance believed they'd been infected with adware."

"Those boxes inserted JavaScript code into every web page downloaded by the users. That script then reported back to Phorm the contents of the web page, which Phorm used to create ad profiles of a user. Additionally, Phorm purchased advertising space on prominent web sites, showing a default ad for a charity. But when a user who had previously looked at car sites visited one of those pages, he instead got an advertisement for car insurance."

http://blog.wired.com/27bstroke6/2008/06/isp-spying-made.html