force gmail to always use ssl

If you haven’t already, force Gmail to always be SSL. Log into your account, click Settings, and at the bottom of the General tab, select ” Always use https.” Click “Save Changes” and it should already redirect you over to SSL. Breathe a little easier.

more than just making sure https is present

Subverting http sessions on local networks is certainly a hot, quiet topic for the past year. First (most likely not first, but first for my purposes) was Sidejacking. At Defcon Beale spoke about his tool The Middler doing http fiddling. And now I read about Surf Jacking, which pretty much is an interesting bit of http fiddling.

How do you detect that someone is re-routing LAN traffic? If one knows the expected MAC address of the DHCP/Gateway devices, then one can implement firewall rules or just watch for changing ARPs. If you think someone might be hijacking your http sessions, purposely open an https session with some site and see if their cert is valid. If it is, there’s a decently good chance no one is interested in your traffic. If someone is interested and MITMing you, then the cert should give warnings.

For an enterprise, what do you do? Well, I think the only valuable recourse is to make every laptop VPN into the mothership and browse through it using more trusted services. A user can also inspect cookies to make sure they are encrypted, and try their best to ensure that SSL persists. Even watching wire traffic for weird ARPs can help.

The downside of all of this? It’s not easy being informed and secure. I wouldn’t expect any of my users to understand any of this, let alone actually practice it. This is why I think endpoints and especially public local networks are a dangerous hunting ground right now. These are advanced topics, and the only way to combat such advanced topics are long-term education and technological controls (like bumpers in the gutters of bowling lanes).

highlighted talks of defcon 16 and some I still want to see

These are some of the favorite talks I saw at Defcon.

Bruce Potter: Malware Detection through Network Flow Analysis
As expected, Bruce brings a lot of passion and “no fear” opinions to his presentations, which are much-needed as the industry spreads out and becomes more stuffy mature. Bruce spoke to using network flow analysis for finding intruders or suspicious activity. This was a Black Hat talk that ran right to the end of the session, and one question I would have posed to Bruce is how he would deal with Skype and how it makes connections to all sorts of otherwise suspicious endpoints with the P2P component. Really, if there is one talk I would hit at any con, I think a Bruce Potter talk would be it. The guy rocks.

Jay Beale: Owning the Users with Agent in the Middle
Jay didn’t even get to the real meat of his presentation, only scratched the surface of his tool The Middler, and didn’t get into subverting the automatic software installation process. Jay seems like one of those guys who can go on for hours if you just get his geek brain going. I dig that mentality! This talk alone should make one fear open networks (i.e. networks you don’t own) much more. I’m not even sure The Middler will be released (I’m skeptical since it is very powerful-sounding), but it should be something like a cross between ettercap and Hamster and a web proxy. It will reroute traffic through the host box, and allow all sorts of twiddling of the HTTP traffic in between the victim and web server, including persisting non-SSL session and javascript injection into pages.

Panel (Mogull, Pesce, Maynor, Hoff): All your Sploits (and Servers) are belong to us
This “panel talk” was really three smaller presentations in one, with some added humor by Hoff as he commendeered one screen to post heckles. Honestly, this “talk” gets props for several reasons. 1) BEER ON STAGE! Come on, there needs to be more beer on stage; I think I only saw 3 talks with beer; it’s Defcon! 2) It was opened with a Spot-the-Fed session. 3) While distracting from the talks, the heckling and interruptions by Maynor/Hoff really fit the atmosphere of Defcon. 4) The talk content was definitely interesting as well.

Movie Night With DT: Hackers Are People Too and Appleseed: Ex Machina
Ok, this was not necessarily a presentation, but rather two movies. The first was by a second-generation Defcon attendee who took video shots and interviews at Defcon 15 to help teach the world that hackers are not evil criminals you hide your children from. The second movie, Appleseed, is one I’ve never seen before and was awesome to see on screen. While the room was large, the screens small, and the sound system sub-par, I enjoyed it since I sat in the second row right next to the speakers.

Taylor Banks & Carric: Pen-Testing is Dead, Long live the Pen Test
Carric and Taylor look the part of the old-school guard of pen-testers; basically with piercings and facial hair and attitude that fit what Defcon is all about. They both went over some of the history of pen-testing and why the pen-test from 8 years ago is dead, but new pen-testing with actual methodologies has been born. I really like their speaking style, and their stance on things like certs and self-taught knowledge and the repeatability of a pen-test (this fits with my life/hard science background). Another abbreviated Black Hat talk, and if I can get my hands on their preso vid from there, I’ll happily pirate watch it.

Schuyler Towne and Jon King: How to make friends & influence Lock Manufacturers
I’ve been dabbling in lock-picking for a while now, and as such this and the Tobias talk really helped fill in a lot of information for me. Schuyler talked about the lock-picking industry and how to properly work with lock vendors if you happen to find a weakness in their locks. I really appreciate that he made a distinction between software and physical lock full disclosure. Software is easy to update, but actual locks almost never get updated or replaced, and it is costly to have someone use a kit on a lock to upgrade it. Not only that, but locks do protect some amazingly sensitive and dangerous stuff, unlike most software. Jon King talked about breaking into Medeco M3 locks and he successfully did a demonstration on stage. What I took away from his talk, however, is that he’s only been doing this hobby for about 3 years, yet has been able to make some huge discoveries.

Marc Weber Tobias: Open in 30 Seconds: Cracking One of the Most Secure Locks in America
Tobias and company went into detail about breaking into more locks, and the various ways to defeat protection mechanisms and bypass others. He also stressed key control, which is important and not something I have actively heard before. It’s a no-brainer, but a no-brainer that still makes a lightbulb ding on after hearing it once.

Nelson Murilo & Luiz “effffn” Eduardo: Beholder: New WiFi Monitor Tool
Unfortunately, Murilo’s English was not so good, but I really dig what his tool, Beholder, wants to do. It really should not be hard to monitor a wireless network for various “stuff” and I think his tool is a great addition to any wireless implementation, especially for networks on a budget.

Valsmith & Colin Ames: MetaPost-Exploitation
This talk got a bit old-school because “the old stuff still works!” They talked about hiding your presence after actually gaining root on a box, and using it to attack others or just hiding your tracks. While this got old-school and was interesting, it still surprises me few people talk about hiding files in ADS.

David Maynor & Robert Graham: Bringing Sexy Back: Breaking in with Style
While a bit lacking in cohesiveness, I like their humor and respect their knowledge. I’m not sure I agree that we should arm everyone with guns a toolbar which does a quick vuln scan on every site/page they visit, but it is ideas like that that can get us thinking deeper than our day-to-day usually affords us.

I missed several talks I’d like to see, some because they were just too packed to bother with, or because they were held concurrently with other talks I wanted to see. I hope to catch these on video at some point, unless I hear that they’re not worth the effort to go beyond the presentation materials on the attendee cd.

Time-Based Blind SQL Injections Using Heavy Queries…
Compliance: The Enterprise Vulnerablity Roadmap.
Strace & RSnake – Xploiting Google Gadgets: Gmalware & Beyond
Satan is on my friends list: Attacking Social Networks.
Advanced Physical Attacks: Going Beyond Social Engineering…
SensePost – Pushing the Camel through the eye of a needle.
Fyodor – NMAP-Scanning the Internet.
G.Mark Hardy – A Hacker Looks at 50.
Gaming- The Next Overlooked Security Hole.
Mati Aharoni – BackTrack Foo- From bug to 0day.
Is that a unique credential in your pocket or are you just pleased to see me?
Autoimmunity Disorder in Wireless LANs.
Career Mythbusters: Separating Fact from Fiction in your Information Security Career.
Grendel-Scan: A New Web Application Scanning Tool.
Renderman – How can I pwn thee? Let me count the ways.
Identification Card Security: Past, Present, Future.
Jay Beale – They’re Hacking Our Clients! Introducing Free Client-side Intrustion Prevention.
Renderman – 10 Things that are Pissing me off.
DAVIX Visualization Workshop

can you trust the network traffic more than the endpoints?

I’m catching up on my feeds today at work (amazingly, I didn’t have a huge pile-up of issues like I expected!), and I was reading Bejtlich’s updates on Black Hat. Particularly, I think I want to see the presentation Deeper Door: Exploiting the NIC Chipset by Shawn Embleton and Sherri Sparks of Clear Hat Consulting. Richard says, “This presentation reinforced the lesson that relying on an endpoint to defend itself is a bad idea.” Basically the researchers found ways to pass packets past host-based protections.

While this isn’t a revelation that will cause us to throw our hands in the air about endpoint protections (it’s just a bit too exotic to be a big risk right now), it does reinforce my feeling that the network is the future of security, the stuff that is actually passed from system to system. Well, at least until it is all encrypted for privacy concerns. This is because endpoints just cannot ultimately be trusted or protected in such a way as to remove the network protections and barriers.

Besides, on a related note, I had two overarching security take-aways from my Defcon experience:

1) Open networks are untrusted networks; act like it. The ability for attackers to subvert subnet traffic or sniff traffic or attack endpoints is just huge on an open network. Compound this with wireless… Basically user beware. Hell, even I sit at hotspots and scan around and sniff casually.

2) Endpoints are still ripe to attack, even if you think you run host-based protections. Maybe seeing Jay Beale’s talk on host-based protection will change my mind, but like Maynor said in his panel talk, he’s not risking even turning on his Macbook wifi because he knows or at least one 0day exploit for Broadcoms. Yes, we’re a paranoid lot, and Maynor maybe a little more so since he is a personality, but the actions/habits of the experts should not be taken lightly.

defcon 17 planning

Some thoughts on Defcon and what to plan for next year.

  1. Research the talks a bit more. This breaks down into several points:
    1. Think twice about talks given at both BlackHat and Defcon. It seems too much to ask speakers who made 75 minute talks for BH to trim a bit to comfortably cover 50 minutes at DC. They either have to rush or not finish, or both. Sadly, most of the better talks fall into this category, and it really sucks that they all had to stop short in their material.
    2. Check the presentation materials early to avoid highly technical, focused talks that won’t benefit me. Sitting in a code-related talk in code I don’t write can be interesting, but ultimately not too beneficial.
    3. Check the presentation materials to avoid overly shallow talks that don’t give any information other than stuff I already know.
    4. Check whether the talk has been given before. Either I can catch the talk elsewhere because it’s been given at 3 other cons, or the speaker may be pretty raw or even English-challenged.
  2. Get into some parties, do less talks.
  3. Print out some self-promoting swag. I obviously am not trying to make myself or the site some pillar of information or profitable venture, but it is nice to be able to spread the word and get involved a bit more. I’d like to print some personal cards with contact info on them, maybe print a few cool t-shirts that have my name or site address, and maybe something else like a little scrolling LED on my backpack with the site address.
  4. It’s vacation! Go alternative! I might think about dyeing my hair next year a bit bluer (professionally done) or bring some clothes for the parties/balls. Defcon is really a great place to just kick back and do whatever isn’t the normal fare for work/days, so one may as well experiment.

countrywide learns that it just takes one

I mostly missed this whole Countrywide data theft scandal, but I’m catching up! As Rothman pointed out:

…Rebollo told special agents that he knew most computers in the office had a security feature that disabled the use of a thumb drive. However, he discovered that one computer didn’t have this feature.

There are two possibilities here, the latter of which I might think is the real reason.

1. The system simply got skipped/missed. Repeatedly. Over the course of two years. I’d have to call bullshit on this one unless their IT is inept or dangerously overworked.

2. Someone, somewhere complained about the inability to use thumbdrives to move data, most likely involving a client or VP/exec. So IT set up a special system that was exempt from the security measures but still allowed on the network, because business wanted that convenience.

I really like what Rothman said in his post:

And there you have it. The weakest link is always the one that gets nailed. Moreover, the policy isn’t worth the paper it’s written on, if it’s not enforced. Seriously. Countrywide gets an A for preventative controls. But they get an F for implementation. As my friend told me when I was trying to sell my house, “it only takes one.” I guess Countrywide gets that now too.

And that is why we will continue to need people to watch logs, alerts, and make sure every device is accounted for. Getting “most” of them is simply not a sustainable security approach.

Oh, and if you want to know the best ways to get around security controls in a business, interview the average employees. They find the ways, unbeknownst to non-monitoring IT/security teams.

some more info on recent pwning of security persons

Just moments ago I posted some headlines from the Black Hat/Defcon week/weekend. Marcin just linked me over to a story with more info on the recent attacks on some security researchers/persons (Shimel, pdp were the two I mentioned). I’m still wondering if they accidentally checked their accounts or had their systems pwned at Black Hat. However, they could also easily fall prey to an email sent to a web mail account that drops them elsewhere and steals their logins if cached…

My eye caught this snippet from the story:

Whoever broke into Petkov’s account was able to archive an entire email spool into an mbox file. Without knowing his password, the attackers most likely would have had to archive all 2GB message by message.

The last part is simply not true. Jay Beale gave a talk at Defcon about a new tool he and a coworker (I missed his name, Justin I think) have developed that will reroute traffic on the network to his machine and then start messing with the http packets to do all sorts of evil things like, oh, harvest all emails from a web-based mail account. The tool is called The Middler, and should soon be available. Here is the presentation which he didn’t come close to finishing in the 50 minute talk.

the lasting headlines from defcon 16 (and black hat)

Every year the Blackhat/Defcon one-two punch of hacker info-sharing makes some headlines. Three years ago was Ciscogate, two years ago Spot the Reporter, and last year Maynor/Ellch and Apple got busy. Here are some stories that made the rounds this year.

Presenters banned from discussing how to beat the Boston subway system. While they were banned, the materials were still available to every attendee and even mirrored online. The presentation looks fun, by the way. Nonetheless, we are hopefully slowly learning that supressing information/truth does not improve security. Fix the shit rather than cover it up.

French reporters booted from Blackhat for sniffing passwords of other reporters. I think I agree with how this was handled, based on what I’ve read. The reporters are not new to the cons, know what the Wall of Sheep is supposed to be, and knew the rules of the press area. That press area does need to remain a safe place in what is otherwise the most hostile network any of us will ever likely be on. Of course, on the other hand…the victims at least got a first-hand lesson in how to fail at protecting your logins… I somewhat disagree that the sniffing of those passwords should be illegal…again, while that network does need to have some semblance of security, in the end it is still an open and hostile network with hosts you can not fully trust. It should have been ethically respected, if not legally bound.

I haven’t even read the full-disclosure threads yet, but it looks like several people had accounts hijacked over the past week (pdp from gnucitizen and Alan Shimmel). I wonder if this is related to possibly using the network at Black Hat and either having your system pwned or a gmail session hijacked. This is easy to do if you stay logged into gmail and open a browser to it on accident while on a hostile network. There have been at least two recent presentations on the topic, one involving sidejacking with Hamster from Erratasec and another from Jay Beale this year at Defcon. More reason to respect the hostility of the networks at these two events.

Security Monkey beat me to the punch on a post like this, and he has more info on his post.

you know you wanted to be a firefighter as a kid

Is your IT/security team largely firefighting? If not, I’d love to know!

This rumination was prompted by a blog comment I read, and I was kinda dumb-founded. Are there IT shops that are *not* firefighting? Pray tell, where are they?

I conjecture that top-down, and outside-in we have this tendency to think IT/security is better than it really is.

I also conjecture that the only shops that are not firefighting are the ones so large that all those things that would be “firefighted” in small shops end up falling into the black holes of processes and separated teams. “Oh, I know that’s a problem, but that’s for the virtualization team,” or “That’s not something my manager wants me to touch, that’s a code issue for dev team 83,” or “I’m just the consultant/security advisor, it’s up to the desktop team to figure out how to properly implement that DLP.” It’s not that they’re getting done, as much as being buried in a field full of freshly dug holes.

heading to defcon 16

I will be at Defcon this year! I will be hanging around like a normal creepy hax0r starting Wednesday morning. I’m still attempting to figure out what laptop to bring, but I think I am settled on my primary one. I’ll just swap out my hard drive for an older one and put a patched Win XP and Ubuntu install on it. Win XP because ease of use on the road is paramount. Ubuntu just to keep the g33k cred rolling. This way the system is expendable on the cyber side.

The biggest annoyance on the trip? Trying to figure out what I can and cannot bring on the damn plane. My cell and laptop and pmp charger cables can be used as a garotte! And I’ve removed the batteries on my vibrators so they don’t turn on and get flagged by the baggage handlers.