think about satellite tv hacking

We can’t talk about much in security without the silly thought that we might be “spreading FUD.” That is largely because shit just isn’t as secure as people think it is or expect it should be! Of course, there are two types of FUD: True FUD and False FUD. A discussion for another time perhaps!

More FU…errr…insecurity talk will be had at a presentation I wish I could see: Adam Laurie’s Satellite TV Hacking at Black Hat DC. An article about it is over at The Register.

powershell: setting a redirect on an iis folder

Today I needed to adjust the script that maintains my web environment. A developer needed a folder inside a website to be redirected to a different URL. This is easily done in an IIS MMC with just a few clicks. Since the dev needed any call to or inside that folder to go to a specific destination (and not carry over the trailing path), the box is checked for “the exact URL entered above.”

But my web install script deletes all sites and rebuilds them nightly. So, I need it to also rebuild this redirect.

In IIS6, it is easy to list out all of the child objects in a site, such as Virtual Directories. But if something has not specifically been given an object ID in the metabase, you can’t edit it like an existing object. In IIS6, regular old subfolders inside a site are not objects by default. You have to make them objects, in this case an IIsWebDirectory, before you can manipulate them.

This script snippet connects to an existing website, creates the IIsWebDirectory object, and sets the httpredirect property. Note that the folder may or may not actually exist in the site hierarchy yet. That’s ok! Also, the “, EXACT_DESTINATION” is the piece that makes the necessary check mark.

# Bind to the IIS6 metabase through ADSI and find the site by its ServerComment
$iis = [ADSI]"IIS://localhost/W3SVC"
$findsite = $iis.psbase.children | where { $_.keyType -eq "IIsWebServer" -AND $_.ServerComment -eq "mywebsite" }
$site = [ADSI]($findsite.psbase.path + "/ROOT")

# ", EXACT_DESTINATION" is what ticks "the exact URL entered above" in the MMC
$targetredirect = "/different/path, EXACT_DESTINATION"
$directory = "MySubFolder"

# Turn the plain subfolder into a metabase object so it can carry properties
$newwebdir = $site.psbase.children.Add($directory, "IIsWebDirectory")
$newwebdir.psbase.commitchanges()

# Now set the redirect on the new object and write it back to the metabase
$newwebdir.put("httpredirect", $targetredirect)
$newwebdir.psbase.commitchanges()
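The same steps wrapped in a function that can be re-run safely and that reads the value back for the nightly job’s log. This is an added example, not code from the original post; it assumes the same IIS6/ADSI objects as above, and the site name, folder and destination are placeholder values.

```powershell
# Added example (not from the original post): idempotent version of the redirect
# steps above, with a read-back so the job logs what the metabase actually holds.
# Site name, folder and destination below are placeholders.
function Set-IIsFolderRedirect {
    param(
        [string]$SiteComment,   # ServerComment of the site, e.g. "mywebsite"
        [string]$Folder,        # subfolder name under the site ROOT
        [string]$Destination    # URL or path every request should be sent to
    )
    $w3svc = [ADSI]"IIS://localhost/W3SVC"
    $siteNode = $w3svc.psbase.Children |
        Where-Object { $_.KeyType -eq "IIsWebServer" -and $_.ServerComment -eq $SiteComment }
    if (-not $siteNode) { throw "site '$SiteComment' not found in the metabase" }
    $root = [ADSI]($siteNode.psbase.Path + "/ROOT")

    # Reuse the IIsWebDirectory if an earlier run already created it;
    # Add() on an existing name would otherwise fail.
    $dir = $root.psbase.Children |
        Where-Object { $_.KeyType -eq "IIsWebDirectory" -and $_.psbase.Name -eq $Folder }
    if (-not $dir) {
        $dir = $root.psbase.Children.Add($Folder, "IIsWebDirectory")
        $dir.psbase.CommitChanges()
    }

    # EXACT_DESTINATION drops the trailing path, matching the MMC checkbox.
    $dir.Put("HttpRedirect", "$Destination, EXACT_DESTINATION")
    $dir.psbase.CommitChanges()

    # Refresh from the metabase and return the stored value for logging.
    $dir.psbase.RefreshCache()
    return $dir.HttpRedirect
}

Set-IIsFolderRedirect -SiteComment "mywebsite" -Folder "MySubFolder" -Destination "/different/path"
```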

Part of troubleshooting this is echoing back psbase.properties to see what values I needed. This little piece will help, especially when you make the change manually and refresh this to see what changed. Get $iis, $findsite, and $site before doing this:

# List every IIsWebDirectory under the site root and show its redirect setting
$homer = $site.psbase.Children | Where { $_.KeyType -eq "IIsWebDirectory" }
foreach ($donut in $homer) { $donut.httpredirect }
or
# Dump every metabase property of those objects
$homer.psbase.properties

perpetual back and forth motions

My Tuesday quick rant. I’m not a big fan of schizophrenic IT departments (not a fan, but sometimes reality has to be tolerated). These are IT departments that one week want things fast and agile (like a cowboy!). Then the next week they realize fast often means mistakes, misconfigurations, and missing pieces that weren’t planned for, so the goal is suddenly to be slower and more deliberate (woot change management!). Then the next week, something needs to be done immediately in a cowboy state…

Not a fan of that…especially when the deliberate state makes the cowboy sprints much more painful and vice versa.

those darned kids don’t check email anymore

I’ve long proclaimed email is dead (ok, it’s very slowly dying). It is great, but wasn’t ideal or forward-thinking enough (I can easily say that now that we’re beyond the forward!). IRC had it right early on, but just wasn’t and isn’t accessible enough… IM is excellent, but you often lose the buffering ability when someone is offline.

At lunch the other day I overheard a group of older adults talking and they delved into the topic of communicating with younger kids/adults. “They just don’t check their email like they used to. You have to text or post on their Facebook to get their attention.”

It’s true, right? Email is still dying and giving way to texting, IM, and social networking (aka Twitter, Facebook). Say that to anyone in a corporation and they may argue, but I’ll argue back that corporations (and later government) are the slowest entities to change. We’ll drag email on for another 10 years, most likely.

So last night I checked out my Twitter feeds again. Yeah, pretty hopping especially during and post-Shmoocon! In fact, I notice I still get new people following me very regularly. Seems I should jump back in! Hell, I also noticed I had some LinkedIn requests and Facebook requests (when the crap did I open a Facebook?!)…I may not dive totally into the latter one, but Twitter is just too powerful and cool paired with texting to keep drifting away from it.

hacking + the brady bunch makes me wince

EthicalHacker.net has a new challenge up. This may be a first: I get to see it with plenty of time to submit something! Normally I see these after the fact or with 2 days to deadline. Oh, and The Brady Bunch was one of those shows that I watched but never liked; kinda like being forced to eat Brussels sprouts as a kid; you sometimes have to, but it leaves a horrid taste in your mouth.

tracking and cloning rfid tags: the pragmatic tinfoil hat

In case someone has strangely missed this story, Chris Paget has made some headlines for a recent video where he reads and clones RFID tags around the San Francisco area. Read the comments for some good discussion (amidst the ignorant noise).

This is a very big issue for three reasons. First, obviously we need to care what may or may not be disclosed from the tags. Is it personal? Is it just a number that is looked up? This is probably the easiest issue to resolve.

Second, even if the item is just a number that is looked up, all it takes is some relatively simple database tracking or data points to start stumbling over the lines of privacy. #3482749 is Michael Dickey. #3482749 is shopping at Wal-Mart at 7:30pm. #3482749 stopped for a shake at McDonald’s at 8:15pm. And so on… And it wouldn’t take much to track this. If all the legit scanners that get issued are dumb but ping back to the master database system, the database just needs to log the location of the scanner that pinged in.

Third, just how easy is it to clone a tag and fool scanners? Kinda like me opening up a Facebook page for someone else, I might be able to do quite a bit of damage to someone’s profile or reputation by wandering around with a cloned ID just for the heck of it. Or maybe I’ll just clone my own and give it away on the streets and generate so much noise… In fact, how defensible would that tag information even be, legally, if I can generate doubt like that? Can I overpower my own RFID tag by transmitting a stronger signal and drown out my card?

Besides, let’s face it, as a shop owner I might want to buy some cheap RFID reader and put it near the front door just keep my own tabs on who my repeat visitors are based on their number. And it’s just a hop-step away from keeping a personal record of them so they can pay quicker by keeping their credit card on file and just charging them based on the number on the RFID. Come on, there’s a whole industry of people salivating at the possibilities of such tracking and ID…

And if “do no evil” Google will happily cross the line of privacy in pursuit of the profits, so too will others. It will just take some curious entity that is large enough to connect data points and suddenly that slippery slope is rushing by fast enough to burn our ass.

In short, it’s not just about the data given off by an RFID tag, but also how that data can be correlated. And how much the general public is made aware of the risks of unshielded tags or unquestioned tracking.

backtrack4 may be out by the time you read this

I’m a bit surprised to see talk of BackTrack4 since it seemed like BackTrack3 is barely a year old. Alas, a new version can only be a good thing! Shmoocon attendees got to check out a pre-release version and I wouldn’t be surprised if they did an IRC channel pre-release outing as well. Hopefully sometime soon BT4 will be widely released to the public or available to me via some other channels.

I had a few small quibbles about BT3 over BT2. I was unimpressed with the tossing away of the stealthy boot up. BT2 was very quiet on the wire, while my experiences with BT3 involved it starting up and immediately wanting an IP from the first network it saw. The BT3 hard disk installer was still pretty unintuitive, although the forums are invaluable for figuring it out.

BT4 goes back to the stealthy startup (omg newbies, you gotta start network!), and from what I gather will be much friendlier for a more permanent distro-like install (I’m assuming, here). I enjoy the livecd a lot, and someday I’m sure I’ll enjoy a USB install more, but some of us really don’t mind at all loading it on some older laptop for permanent use and tinkering. A vmware image as well? That might be worthy of a little jizz in my pants!

pci actually never fails

Anton Chuvakin posted over a week ago about some possible reasons why Heartland Payment Systems had their data breached. After his 5 examples, he concludes that none of them specifically shows that PCI failed or is irrelevant. In a way, he is correct, but what we’re doing here is playing with semantics vs perception. (Something we who throw around the term “hacker” often should be very intimate with.)

If PCI didn’t fail in any of those cases, one could argue that PCI will never fail us. That means PCI compliance doesn’t offer much beyond any other list of Best Practices. Best Practices that are required. We’ve known for some time that PCI is just a general guideline. But there is either a perception problem on those adopting PCI, or a presentation problem by the PCI Gods that are requiring it.

If PCI can’t be blamed for anything, then what value is there? If PCI doesn’t allow a CTO to shift blame onto it (or a QSA) when things go wrong, there are plenty who then see no value in it. In which case it is just a requirement to meet in the least painful/costly fashion possible (which does not preclude simply lying about it). And then there truly is no value in it for those persons.

I don’t agree with that position, but it exists whether I like it or not.

Maybe the underlying concept we need to continue to hammer out is: Security is not easy.* Security is hard work. Security is not always cheap. Security costs money. I’m sure there is a haiku in there somewhere…

* Just think of all those painful experiences trying to align secure practices to people and a business. Years of those experiences, trying to guide the moving waters of a river to where you want them to flow. There are small and large security battles lost every day, and poor individual decisions made constantly and gambles accepted. We’re certainly not in it because the job is easy!

jay beale releases the middler

Thank you to Tyler (SSLFail.com) for posting that Jay Beale has (finally!) released The Middler (sorry, no front page discussing it, just a direct link). Released, but it looks like, upon a very quick glance, that it might not be nearly finished yet. The Middler was discussed at Defcon 16. It is a tool that can inject into http traffic between client and server, intercept and reuse session credentials, and more. In short, this is a tool that automates what many of us have known can happen when you’re on a non-trusted LAN. Only scarier. And more accessible.

By the way, props to Jay for apparently skipping ahead to the demos. There is a ton of information in his presentation and all of it relevant, but I was a bit disappointed in not seeing many demos at the Defcon talk. Despite that, his was one of the best talks I saw there!

oscp carries some digital street cred

Grats to Mubix on his OSCP! In his post he talks about how the OSCP won’t get anyone a job, and I think he’s 99% correct. However, the caveat to that is that to anyone who would know what the OSCP is, it does have meaning. So the other 1% might be a manager who knows the OSCP and knows that anyone who has it probably has a certain level of geekery and interest in security beyond what even the CISSP will demonstrate (e.g. those sales people who are required to get CISSP and finally do so on their 6th try…). This is part of the reason I want to get back to the OSCP after my ill-fated attempt last year (right when I got slammed with a coworker quitting). The other part being that it actually is freakin hands-on!

core releases vnc client security advisory

If you use a VNC product, more specifically UltraVNC or TightVNC (or others), you probably want to keep your eyes open for an upcoming new version of the client. Core released a VNC security advisory, and from the sound of it, a workable exploit is likely (hi Metasploit!).

Offsetting that risk, the exploit is on the client and not the server. This means an attacker has to not only get a workable exploit, but get a VNC user to connect to an untrusted or subverted VNC server. If you automatically have .vnc files mapped to the VNC client, this is where it might be useful for Metasploit to have a fake VNC server module to trick admins into connecting back to an attacker.

Now, I often get back to ideas on making a network more hostile to attackers, and this can be another opportunity, especially if a workable exploit is developed or released. Get your hands on a subverted VNC server, set it up in some dark space or honeypot area of your network and wait for someone to attempt to connect.