FredrickBerning.com

Be Good, Donate to Children’s Technology Foundation Northwest

2011-07-20T03:12:56Z

‎Children’s Technology Foundation NW is running out of computers to refurbish and give to underprivileged students. Please help by donating your old home or work computer. ‎Children’s Technology Foundation NW is a 501(c)(3) so your donation is tax-deductible. I will even come pick it up so it will be easy. Please email me for more information or to arrange for a donation. Thank you.

Add two-factor authentication to WordPress

2011-07-15T21:28:21Z

While getting my daily fill of security news, I came across a SaaS offering for two-factor authentication. I was initially drawn to the site because of one of the founders: Dug Song. Anyone who has ever picked up Hacking Exposed (or any other penetration testing book) will recognize Dug as the creator of dsniff. The service is called Duo, or Duo Security, or maybe that’s the name of the company. Hmm, might I suggest hiring a marketing agency to help define your product offerings and develop your brand? But I digress.

Duo Security claims to work with many VPN services, Unix based servers, and websites. It doesn’t appear it integrates with Windows.

I was mainly interested in securing my WordPress login, so I activated their free service that allows up to 10 users.

Installation was a breeze and consisted of signing up with Duo, installing a plugin for WP, verifying my iPhone, and finally installing the Duo iPhone app. The whole process took less than 15 minutes and the documentation was dead-on and included abundant screenshots.

Now, after entering my WP admin username and password, I am prompted by Duo Security,

Duo Push uses the iPhone (Android too) app installed on my phone and after clicking “Log In”, I open the app on my phone and “Approve” or “Deny” the login.

If I click “Approve”, I’m instantly logged into my WP admin page. If I were to click “Deny”, possibly due to an attacker performing reconnaissance, I would get the following options,

I’ve only been using Duo a short time but I already love it. It’s extremely simple, quick, and easy to use. Additionally, the company claims Duo Push protects from the type of attack RSA recently experienced.

By “RSA-proof”, we mean that even if an attacker leaked all the secrets from our database, they’d be unable to forge successful authentication responses for our Duo Push two-factor. We’re able to accomplish this by ditching the traditional shared secret model of OTP-based two-factor, which uses a symmetric key stored on the server-side to validate one-time passcodes.

Instead, we’ve opted to employ asymmetric cryptography to sign and verify all communications between Duo’s servers and a Duo Push-enabled smartphone.

http://blog.duosecurity.com/2011/06/rsa-proofing-our-duo-push-two-factor-authentication/

I’m very impressed and I hope the service gets the attention it deserves.

All IT people need this skill.

2011-06-28T07:50:41Z

Working at closerlook, a marketing agency based in Chicago, I developed an appreciation for good design and effective communication both in print and digital form. I often wish I had the presentation skills of Steve Jobs or the slide creation prowess of Nancy Duarte but, unfortunately, my strengths lie in logic and reasoning not creativity. But I strongly believe that with the right mix of enthusiasm and a dash of originality, anyone can capture an audience’s attention and deliver a compelling argument. And that is the skill that most IT people lack: delivery. IT folks are wizards at mining and massaging data but when it comes to delivering it in a clear and simple format, we often fail. The TED talk below, from Hans Rosling, is an excellent example of how even statistics can be interesting.

Office Click-to-Run 2010 beta causing Volume Shadow Copy errors

2011-06-27T05:57:40Z

Sometime ago I installed a beta version of Microsoft Office 2010, which created a Q: drive that was seemingly inaccessible. I recently noticed some errors in the Event Viewer.

Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{volume GUID}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly. Check security on the volume, and try the operation again. Operation: Removing auto-release shadow copies Loading provider Context: Execution Context: System Provider

After some Googling, I stumbled upon a post which recommended uninstalling Microsoft Office Click-to-Run 2010 (Beta). I had already uninstalled the Office 2010 beta but this product, which appears to be some cloud software delivery technology, stuck around. After a smooth and successful uninstall, the Q: drive disappeared and the next full backup completed without issue.

AllChars crashes IE9 on Windows 2008 R2

2011-06-28T22:22:46Z

I recently installed IE9 on a Windows 2008 R2 system, that I use as both a server and workstation (home use only). After upgrading, IE9 would frequently crash.

The Event logs weren’t extremely helpful.

So, I fired up Procmon, reproduced the crash, then filtered on iexplore.exe and WerFault.exe.

I’m not an expert with Procmon but I usually try to focus on when the application crashed and look for any ACCESS DENIED or NAME NOT FOUND, as recommended in Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition. I noticed references to AllChars, which is an application that assists typing special characters. I remember installing this when I had some Spanish homework and wanted to quickly type accent marks. I knew AllChars wasn’t fully compatible with Windows 2008 but prior to IE9, I hadn’t experienced any issues. I disabled AllChars in the system tray and my IE9 issues were resolved. I then uninstalled AllChars from the Control Panel and considered this case solved.

References: Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition, p. 264, 909

Vista Internet Security 2012 is fake and very stubborn

2011-06-26T22:02:00Z

A friend contacted me about pop-ups on her computer. I had previously installed Logmein on her machine so I logged in to investigate.

It didn’t take long to realize she was infected. Pop-ups like this were everywhere.

This wasn’t the first time I had worked on her machine and I had my trusty Sysinternals toolkit saved locally. Unfortunately, Vista Internet Security 2012 would have none of that and blocked the launching of any program.

Luckily, I was able to Ctrl+Alt+Del to get to Task Manager and selectively end processes that I thought looked suspicious, bbl.exe being one of them.

After killing bbl.exe, I was able to quickly launch Process Explorer. BBL.exe had already respwaned so I suspended it from within Process Explorer. From there I ran Autoruns and sifted through any references to bbl.exe and deleted them. I also deleted bbl.exe. Finally, I downloaded Malwarebytes and ran a full scan, which detected multiple items (not sure if they were all bbl.exe related).

After multiple scans, from multiple vendors, I felt the machine was finally clean (I know, I know, but who wipes their machine after every virus?). I grabbed bbl.exe from the Recycle Bin and uploaded it to VirusTotal. The first time I uploaded it (6/23/2011), only 4 of 42 vendors detected anything. The following day, when I had time to analyze it in the lab, VirusTotal reported a 47% detection rate. Still not great. I used Microsoft Skydrive to transfer the zipped virus and Skydrive was able to detect the threat.

In the lab, I ran bbl.exe through Sandboxie + Buster Sandbox Analyzer.

This piece of malware was pretty nasty. I always hate seeing Keylogger or Backdoor activity. I contacted my friend and told her to change ALL her passwords immediately. I have no way of knowing which sites she logged into while this thing was resident. Better safe than sorry.

Is MPLS public or private with regard to PCI?

2011-06-26T22:05:40Z

Unfortunately, according to “guidance” from the official PCI website, the answer to the question is, “It depends.” Oh how I loathe the ambiguity of PCI (and most other regulations).

In general, MPLS networks are considered “private” networks and do not require encryption. This, however, is dependent upon the specific provider and/or configuration.

I haven’t been a network engineer in years and I never had the opportunity to implement an MPLS network so I decided to question someone who had, Todd Deaver. Since PCI DSS is ostensibly concerned with maintaining data privacy, my biggest concern would be any scenario in which an MPLS network could expose private data. Todd described an instance where the service provider misconfigured his corporate network and they received another customer’s network traffic. Of course, this traffic will likely bounce around the network and eventually die but it’s also very possible that the traffic would be forwarded to a default route destined for the Internet. Having a been a security engineer, I know what might be lurking on the wires at egress points. IDS, IPS, DLP, and network forensic appliances would all have the ability to sniff unencrypted traffic and expose my company’s private data to an unintended party.

The scenario above might not happen frequently but if it did occur, how would you know? That’s the problem, you wouldn’t. Securing PII over an MPLS network using a VPN tunnel should be strongly considered.

References:

http://selfservice.talisma.com/article.aspx?article=8705&p=81

http://pciguru.wordpress.com/2011/04/18/an-update-on-the-mpls-privacy-debate/

http://pciguru.wordpress.com/2009/04/18/the-mpls-is-a-private-network-debate/

WPtouch hacked

2011-06-26T22:09:37Z

I logged into my WordPress installation, which is hosted with Amazon Web Services, and noticed a post from the WordPress team stating,

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

I have WPtouch installed and I immediately deactivated the plugin until I could investigate any issues.

The developers of WPtouch, had this to say,

If you haven’t updated WPtouch in the last few days, then this issue will not have affected you. But we encourage anyone that is running WPtouch version 1.9.27 or 1.9.28 to update to version 1.9.29 immediately.

Luckily, I had not updated the plugin recently; however, little information has been published concerning the “suspicious commits” and for now I am taking a wait and see approach before updating and re-enabling WPtouch.

Lesson? Secure your source code repositories.

References:

http://wordpress.org/news/2011/06/passwords-reset/

http://www.bravenewcode.com/2011/06/important-security-update-wptouch-1-9/

Citi Hack Unsophisticated?

2011-06-26T22:12:38Z

According to the New York Times, a recent breach that exposed private data of “of more than 200,000 Citi customers” was a relatively simple attack.

“In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.

Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.”

If the above is true (seems like there may be some details missing) then Citi’s developers clearly failed to do a minimum level of application code review, which should have included testing for common vulnerabilities outlined in the OWASP Top 10. More specifically, it appears Citi’s failure was in authentication and/or session management, which OWASP clearly defines as a high risk. Year after year, the Verizon Data Breach Investigations Report consistently recommends companies “Test and review web applications” and this year is no different. On p. 66 of the 2011 DBIR, Verizon states,

“SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. As with everything else, put out the fires first: even lightweight web application scanning and testing would have found many of the problems that led to major breaches in the past year.”

Until more details are released, I’m going to assume that Citi didn’t bother to do a quick automated scan and, given the potential value of Citi’s assets, that is unacceptable.

References:
http://www.nytimes.com/2011/06/14/technology/14security.html
https://www.owasp.org/index.php/Top_10_2010
https://www.owasp.org/index.php/Top_10_2010-A3
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

Open Source in Cybersecurity

2011-05-27T23:13:35Z

http://www.livescience.com/14356-cybersecurity-open-source.html