<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;CEYEQHkzeSp7ImA9WxBVEko.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504</id><updated>2010-02-16T00:15:01.781+02:00</updated><title>Liquid Information</title><subtitle type="html">&lt;a href="http://www.liquidinfo.net"&gt;www.liquidinfo.net&lt;/a&gt; - Security is a mindset&lt;br&gt;Proud member of &lt;a href="http://www.securitybloggers.net"&gt;Security Bloggers Network&lt;/a&gt;</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://blog.liquidinfo.net/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>113</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/LiquidInformation" /><feedburner:info uri="liquidinformation" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry 
gd:etag="W/&quot;CEYEQHkyeCp7ImA9WxBVEko.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-4867819063849133576</id><published>2010-02-16T00:15:00.000+02:00</published><updated>2010-02-16T00:15:01.790+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-16T00:15:01.790+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="contribution" /><category scheme="http://www.blogger.com/atom/ns#" term="blog" /><title>First blog post of 2010</title><content type="html">This is the first blog post for the year 2010 and we have already lived two and a half months of it. I looked at what people search and read on the blog and the most popular searches and reads are related to bluetooth sniffing and WPA cracking. That was the situation already in 2009 and it is still going on strong, not that I had anything to contribute on the topic. &lt;br /&gt;
&lt;br /&gt;
Thinking back on 2009, I didn't attend any kind of security-related conferences or similar happenings. Actually, I haven't been anywhere for a while, except on a SANS forensics course which I probably should try to certify for. On the other hand, I have been busy with work and have traveled more in a half-year period than I have done in about two years' time.&lt;br /&gt;
&lt;br /&gt;
An objective for me this year is to attend a security conference. Good candidates would be Blackhat, T2 or Sec-T or something similar. The actual question is whether I will get any chance to attend one, as there is so much work to do. It's a good thing that there is work, but there should also be the possibility to gain more knowledge.&lt;br /&gt;
&lt;br /&gt;
I believe this year we will hear more about whitelisting, software sandboxing/policies and secure-by-default concepts. I have thought of blogging a little bit more about these topics and also about some basic security measures small and medium businesses could take to be more resilient against attacks. Another topic we will most certainly hear about elsewhere is the so-called advanced persistent threat, which is all the rage currently.&lt;br /&gt;
&lt;br /&gt;
If there still are any readers on this blog after my long silence, I'd like to give you the opportunity to come forward with topics you would like to discuss or read about. There might be a chance that I blog about them :)&lt;br /&gt;
&lt;br /&gt;
Happy New Year 2010!&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/ipg9L79BOAQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/4867819063849133576/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=4867819063849133576" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/4867819063849133576?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/4867819063849133576?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/ipg9L79BOAQ/first-blog-post-of-2010.html" title="First blog post of 2010" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2010/02/first-blog-post-of-2010.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUQHR308eyp7ImA9WxBSEkw.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-7057576976496147928</id><published>2009-12-19T12:08:00.000+02:00</published><updated>2009-12-19T12:08:56.373+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-19T12:08:56.373+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="client" /><title>Integrating browser functionality into programs</title><content type="html">Some programs like winamp and windows media player integrate browser functionality into the software. 
Whether the functionality is intended for full browsing or something else, one has to bear in mind that the software is prone to client-side web browser vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
It should be evident with full browsing capability, but less so when only part of the functionality is integrated. It could be possible to inject arbitrary HTML which is handled by the browser integration and can then be used to do evil stuff with the privileges of the running user.&lt;br /&gt;
&lt;br /&gt;
Extra care should be taken in validating any input received by the software, whether it comes from the user or some external source (for example Adobe Acrobat Reader JavaScript exploitation via PDF files).&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/WsJqQGkY2qk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/7057576976496147928/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=7057576976496147928" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/7057576976496147928?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/7057576976496147928?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/WsJqQGkY2qk/integrating-browser-functionality-into.html" title="Integrating browser functionality into programs" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/12/integrating-browser-functionality-into.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkYNRngzfSp7ImA9WxBTGU0.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-3238883840785194455</id><published>2009-12-15T20:02:00.001+02:00</published><updated>2009-12-15T20:03:17.685+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-15T20:03:17.685+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="life" /><category scheme="http://www.blogger.com/atom/ns#" term="stuff" /><category scheme="http://www.blogger.com/atom/ns#" term="security" /><title>Times change</title><content type="html">I started thinking of the past 18 years or so, and what kind of things 
I've encountered on the computer security side during that time, from a personal viewpoint.&lt;br /&gt;&lt;br /&gt;During my Amiga times I was aware of the boot sector viruses but do not recall ever being infected. Once I got a disk which had a boot sector virus but it got blocked. My friends had more problems with those. When I moved to PC, I eventually got a modem which I used to dial in to BBSes and a system called Freenet where I used a browser for the first time (Mosaic). The PC (MS-DOS/Windows) also had viruses and I used F-Prot to check any downloaded files. I also played around with PGP, which I tested with some friends. I recall talking to my friends at school about Echelon but they really didn't believe me. At some point the NSA admitted it was real and today others do it too, the Brits and Swedes for example.&lt;br /&gt;&lt;br /&gt;When I got into using Windows 95/98, I still used BBSes and Freenet (for email). At work I was able to use the Internet and explored it once in a while when there was a slow day. I read about security and privacy stuff and got interested in the darker side of security, hacking. So, basically, to know how to protect my computer from evil, I needed to know how evil works.&lt;br /&gt;&lt;br /&gt;Not long after getting my hands dirty with the Internet, I got a decent account from an ISP around 1995. The BBS and Freenet dropped off my radar. I read a lot more about security, hacking and phreaking, used Usenet and tried sending anonymous emails and tested anon remailer services. My knowledge about malware increased; trojans were used to control an infected machine and you just needed to be really careful what you download and from where.&lt;br /&gt;&lt;br /&gt;Most of the security papers I read said Linux is an essential tool in getting better with security and computers in general. I bought a book on Linux which came with a Red Hat Linux 5.2 CD. 
It was interesting to learn it and I got more experience with networking and different services. Eventually I found myself on IRC running Slackware 7 as a NAT firewall, chatting in some hacking and security related channels as an @ and getting DoSed for the first time by some Italian university student behind a big fat pipe.&lt;br /&gt;&lt;br /&gt;By then I had run into email/IM spam (e.g. Nigerian spam), viruses and worms, read about buffer overflows, botnets and phishing/social engineering attacks. I used intrusion detection systems like snort, samhain and log checking tools, knew Nessus and understood what the attack landscape was and what mitigative impact hardening and patching activities have. Back then defacements were also a big thing and having a host-based firewall on Windows was important.&lt;br /&gt;&lt;br /&gt;In 2001 I got a security role at work and felt quite confident with my uber skills. It didn't take long for me to realize that the more you know, the more you don't know. I got into security testing, first with basic vulnerability scanning and then web application testing. I had a great mentor at work who taught me a lot about security and challenged my viewpoints. OWASP was launched.&lt;br /&gt;&lt;br /&gt;A couple of big worms hit the Internet, Code Red and Slammer. The landscape began changing, more firewalls and fewer services to attack. It was getting more common that only port 80/443 was open to the Internet and attack focus was moving to the web applications. Also wireless security was under scrutiny and terms like wardriving began popping up; WEP was dead. I studied incident response and forensics in my free time.&lt;br /&gt;&lt;br /&gt;I got bored with IRC. Some decent forums popped up, the blogging scene was more active and some sites quite actively provided security related news. Good times, except that botnets and phishing were evolving, and tactics to get people to run the malware or give up their banking credentials were getting better. 
Monetary gain was rearing its ugly head while everything got more sophisticated. Microsoft made a lot of progress with Windows Server 2003 security while Windows 2000 kept people talking bad about MS. Exploiting stuff got a bit easier with Metasploit, which is a nice framework these days.&lt;br /&gt;&lt;br /&gt;The vulnerability landscape began changing; fewer server vulnerabilities and more client software vulnerabilities. Mobile devices got their own malware, worms that did bad stuff on the Symbian OS. Things like PCI-DSS, SOX and HIPAA began appearing in the media. Cisco got owned at Blackhat 2005; networking device operating systems are not safe from exploitation either.&lt;br /&gt;&lt;br /&gt;Web 2.0 started pushing through and social networking sites were getting more mainstream. Privacy and security were a big concern. Ajax and related interactive things brought back the old web application vulnerability concerns, that it has the same vulnerabilities as traditional applications. A lot of discussion dwelled also around outsourcing security and eventually cloud computing emerged, which is still largely discussed in various places. Apple's new laptops were a big hit, a lot of security people liked to use them. Eventually it also experienced the "the more it is used, the more people pay attention to it" phenomenon that Firefox has also experienced.&lt;br /&gt;&lt;br /&gt;Browser (in)security has been discussed a lot and web related attacks continue to rise. Ad banners have been used to deliver malware and web vulnerabilities are used to plant malicious code on websites to auto-infect visitors. 
The criminal activity on the Internet gets more focus; there is an ecosystem of its own where credit card information changes owners, botnets are rented to send spam and all kinds of other activities.&lt;br /&gt;&lt;br /&gt;People wake up to the fact that targeted attacks are reality, done for industrial espionage, politics and gaining access to specific banks' accounts among other things. Security breaches happen to large companies handling sensitive data (e.g. TJX) and security organizations struggle in the fight against the spread of botnets. Cyber warfare became reality after Estonia got hit and is a hot potato these days.&lt;br /&gt;&lt;br /&gt;There is way too much to try to remember and put into one blog post but at least I remembered something, not necessarily in order but close. If I'm totally wrong or your viewpoints differ, feel free to comment. This is how I have interpreted the information posted out there, but the fact is that some things have been going on for "ages" before they've been posted on a news site. Everything can't be covered even if interesting (e.g. time-to-live for a fresh install of operating system X, from-patch-to-exploit discussions and so on).&lt;br /&gt;&lt;br /&gt;Maybe a security encyclopedia wiki would be a cool thing, with a timeline of interesting security events and such. Hope you enjoyed this post even though the style was pretty loose.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/dx43rE2BFVQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/3238883840785194455/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=3238883840785194455" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/3238883840785194455?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/3238883840785194455?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/dx43rE2BFVQ/times-change.html" title="Times change" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/12/times-change.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkcMRXw6fip7ImA9WxNaEUU.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-1163935730542457489</id><published>2009-11-25T23:19:00.003+02:00</published><updated>2009-11-25T23:21:24.216+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-25T23:21:24.216+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="incident" /><category scheme="http://www.blogger.com/atom/ns#" term="management" /><category scheme="http://www.blogger.com/atom/ns#" term="security" /><title>ISPs react to threats</title><content type="html">Long time no post.&lt;br /&gt;&lt;br /&gt;I have been travelling a lot and 
as a matter of fact I am going on a new trip soon. Things are busy on my side, and I really haven't had the energy to post anything, especially something useful. This week I have been working from home and it is a good thing to spend the week with my family.&lt;br /&gt;&lt;br /&gt;On with the post: I noticed today a &lt;a href="http://www.ficora.fi/en/index/viestintavirasto/lehdistotiedotteet/2009/P_25.html"&gt;press release&lt;/a&gt; from the Finnish national CERT in which they had instructed internet service providers to filter traffic to some suspect network blocks regarding the latest banking trojan Zlob. Some operators have implemented filtering and actually disabled the accounts of infected hosts.&lt;br /&gt;&lt;br /&gt;I think this is a good thing for the most part. Earlier this year I mentioned in a blog &lt;a href="http://blog.liquidinfo.net/2009/01/some-security-predictions.html"&gt;post&lt;/a&gt; that we will see more of ISPs reacting to these kinds of problems. This can be called progress in the area, for protecting the normal end users, but I'm sure someone will complain.&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/1163935730542457489/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=1163935730542457489" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/1163935730542457489?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/1163935730542457489?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/zeQkZ8z2CYU/isps-block-traffic-to-bad-sites.html" title="ISPs react to threats" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/11/isps-block-traffic-to-bad-sites.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0EFQHY_eCp7ImA9WxNXFEw.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-4249210334086086749</id><published>2009-10-01T18:39:00.001+03:00</published><updated>2009-10-01T18:40:11.840+03:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-01T18:40:11.840+03:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="pentest" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="webapp" /><title>Re: VA versus pentest</title><content type="html">Johannes Ullrich and Daniel Miessler have been debating the definitions of a vulnerability 
assessment and penetration test. You can read the blog posts here: &lt;a href="http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/"&gt;Johannes&lt;/a&gt; vs &lt;a href="http://danielmiessler.com/blog/infosec-vulnerability-assessment-vs-penetration-test"&gt;Daniel&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I have always considered a pentest as achieving a set goal by the client, which is what Daniel also thinks, whether it is breaking into the main financial database or the CIO's workstation. It could even be as simple as gaining access to the company's internal network, because from there the attacker would have time to penetrate further.&lt;br /&gt;&lt;br /&gt;Johannes on the other hand thinks that a pentest should take everything into account, exploit all the possible avenues just to be thorough and present the client with all the possibilities that can be used to infiltrate the network. This would be a very time consuming task and would/should be more easily detectable, which is something working against a penetration test. You do not want to be detected, else you have failed.&lt;br /&gt;&lt;br /&gt;There is a catch that should be thought of: Johannes talks about webapps in his blog post. Perhaps he forgot to specify what kind of target he is talking about?&lt;br /&gt;&lt;br /&gt;I view vulnerability assessment as an automated task, you set a specific IP range and try to find known vulnerabilities in the operating systems, listening services and configurations. A web application is built on top of all this. A vulnerability assessment is just for that, finding vulnerable versions of software.&lt;br /&gt;&lt;br /&gt;My point of view in this is that web application assessment is different from vulnerability assessment and is really a grey area. When you find something, you can either weaponize it to prove a point or simply mark the finding as a potential problem and move on with the assessment. 
The more time you have, the more you can weaponize or "proof of concept" the finding. For a web application assessment you can use automated tools to ensure proper coverage for the technical vulnerabilities.&lt;br /&gt;&lt;br /&gt;So, when talking about webapps, you're basically doing a penetration test against it but usually stop halfway because you need to cover as much of the application as possible in a given timeframe. You do not really care about the noise you make, and usually you have information available that classifies this as a white box assessment.&lt;br /&gt;&lt;br /&gt;Makes sense, huh?&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/RfEQcCAd7h0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/4249210334086086749/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=4249210334086086749" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/4249210334086086749?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/4249210334086086749?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/RfEQcCAd7h0/re-va-versus-pentest.html" title="Re: VA versus pentest" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/10/re-va-versus-pentest.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0AHSX86cSp7ImA9WxNQFUs.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-5399614045338652568</id><published>2009-09-21T23:40:00.001+03:00</published><updated>2009-09-21T23:42:18.119+03:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-21T23:42:18.119+03:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="information" /><category scheme="http://www.blogger.com/atom/ns#" term="stuff" /><category scheme="http://www.blogger.com/atom/ns#" term="security" /><title>Open Source hardening, by default</title><content type="html">(I tried to search if I have written about this earlier but was not able to find any reference. 
So here it goes..)&lt;br /&gt;&lt;br /&gt;Microsoft already made progress a long time ago in server hardening, where only the necessary components/settings are enabled to allow minimal service operation, like HTML-only web pages in IIS. If you want something nicer, you need to actually enable those settings, e.g. active server pages.&lt;br /&gt;&lt;br /&gt;I'm just wondering why all the bells and whistles are usually enabled by default in open source stuff. Is it to get developers fast on track with the system, for them to be able to create things without much consideration for the configuration, except maybe performance related settings at some point?&lt;br /&gt;&lt;br /&gt;I'd really like to see open source tools and projects, e.g. OpenSSH, Apache, Linux distros, Solaris, PHP and so on take on a different approach with the stuff they offer. For example OpenSSH, why have "PermitRootLogin yes" by default if the best practice is to disallow direct root login to ensure accountability and at the same time mitigate brute force attacks against root? Or how to automatically chroot a daemon where it makes sense, e.g. MySQL? Minimum required modules and configuration to run Apache with PHP and MySQL? Or how about network stack hardening, is there a need to have ICMP redirects enabled in most environments?&lt;br /&gt;&lt;br /&gt;There would be lots of security related improvements to be made, which should be the default and not something you need to tweak to get into this state. Of course there should also be configuration examples available for most stuff, in the form of FAQ examples: "minimum Z to get X to work with Y, enable A to get B working" and so on.&lt;br /&gt;&lt;br /&gt;Or am I just being silly for hoping this?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6925510192418934504-5399614045338652568?l=blog.liquidinfo.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=uXBBZKlap9A:f2QwygNotmQ:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=uXBBZKlap9A:f2QwygNotmQ:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=uXBBZKlap9A:f2QwygNotmQ:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=uXBBZKlap9A:f2QwygNotmQ:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=uXBBZKlap9A:f2QwygNotmQ:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=uXBBZKlap9A:f2QwygNotmQ:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=uXBBZKlap9A:f2QwygNotmQ:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=uXBBZKlap9A:f2QwygNotmQ:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=uXBBZKlap9A:f2QwygNotmQ:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/uXBBZKlap9A" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/5399614045338652568/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=5399614045338652568" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/5399614045338652568?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/5399614045338652568?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/uXBBZKlap9A/open-source-hardening-by-default.html" title="Open Source hardening, by default" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/09/open-source-hardening-by-default.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0EMQ3g7eSp7ImA9WxNSEk8.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-8395157632477237943</id><published>2009-08-25T21:19:00.008+03:00</published><updated>2009-08-25T22:48:02.601+03:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-25T22:48:02.601+03:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="forensics" /><category scheme="http://www.blogger.com/atom/ns#" term="security" /><category scheme="http://www.blogger.com/atom/ns#" term="webapp" /><title>Loopback stuff and a comment to a SBN post</title><content type="html">&lt;a 
href="http://isc.sans.org/diary.html?storyid=6991&amp;amp;rss"&gt;http://isc.sans.org/diary.html?storyid=6991&amp;amp;rss&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Mounting a partition inside a full image is quicker this way; I've blogged about the method before &lt;a href="http://blog.liquidinfo.net/2007/12/partitions-and-images.html"&gt;here&lt;/a&gt; and &lt;a href="http://blog.liquidinfo.net/2008/03/lvm-partitions-in-images.html"&gt;here&lt;/a&gt; (for LVM). It works with automated tools, but if you need to use icat and other manual in-depth filesystem stuff, you need to enter the offset for each and every command and that is a pain. For looking around the partition this is a quick way, though.&lt;br /&gt;&lt;br /&gt;Today I read a blog &lt;a href="http://silvertailsystems.wordpress.com/2009/08/24/do-xss-and-sql-injection-break-website-code/"&gt;post&lt;/a&gt; from the Silver Tail Blog, which is a member of the Security Bloggers Network. Quite frankly, I am not sure I understand the post as it is supposed to be understood. Sorry about that.&lt;br /&gt;&lt;br /&gt;I don't understand why marketing people want to redirect a potential customer away from their website or how XSS/SQL injection is related to business logic flaws. Below are examples that hopefully illustrate the difference between technical and logical flaws.&lt;br /&gt;&lt;br /&gt;Business logic flaw: User parameter contains a userid. The user can change the userid and do actions as another user (if the userid exists). The request looks perfectly normal, but the application lacks a check whether the established user session is allowed to view the information.&lt;br /&gt;&lt;br /&gt;Technical flaw: User parameter contains an address. The user can add HTML code to the address, which is stored in a database and rendered in a browser each time the information is viewed (e.g. user profile). The request contains additional code which doesn't look as expected. 
The application fails to validate the user input against the allowed character set.&lt;br /&gt;&lt;br /&gt;If I misunderstood the original post, explain.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6925510192418934504-8395157632477237943?l=blog.liquidinfo.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=xtlSjt-YVSI:3A8HLZVzQ6c:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=xtlSjt-YVSI:3A8HLZVzQ6c:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=xtlSjt-YVSI:3A8HLZVzQ6c:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=xtlSjt-YVSI:3A8HLZVzQ6c:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=xtlSjt-YVSI:3A8HLZVzQ6c:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=xtlSjt-YVSI:3A8HLZVzQ6c:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=xtlSjt-YVSI:3A8HLZVzQ6c:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=xtlSjt-YVSI:3A8HLZVzQ6c:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=xtlSjt-YVSI:3A8HLZVzQ6c:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/xtlSjt-YVSI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/8395157632477237943/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=8395157632477237943" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/8395157632477237943?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/8395157632477237943?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/xtlSjt-YVSI/loopback-stuff-and-comment-to-sbn-post.html" title="Loopback stuff and a comment to a SBN post" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/08/loopback-stuff-and-comment-to-sbn-post.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkIFRHg7eSp7ImA9WxJVFUs.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-2466308170388456622</id><published>2009-07-03T23:59:00.000+03:00</published><updated>2009-07-03T00:01:55.601+03:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-03T00:01:55.601+03:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="ddos" /><title>New term for being slashdotted? 
:)</title><content type="html">Heh, a while ago one site was "slashdotted", meaning that a lot of readers clicked on a link in a posted story and simply flooded the target site, effectively but unknowingly causing a sort of distributed denial of service attack.&lt;br /&gt;&lt;br /&gt;For fun I coined a few new abbreviations for this, MiDDoS (media induced distributed denial of service) or McDDoS (media coverage distributed denial of service).&lt;br /&gt;&lt;br /&gt;Can I have a McDDoS please? -Do you want fries with it? ... :-D&lt;br /&gt;&lt;br /&gt;Oh well... That's what you get for being tired. Honestly, "slashdotted" works better. But on the other hand, could someone order this kind of DDoS via the black market? Just ensure someone posts the vital details to a public site, either via social engineering or just by putting the details there.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6925510192418934504-2466308170388456622?l=blog.liquidinfo.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=mF0AHQ10lMY:erYO4RuoTTA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=mF0AHQ10lMY:erYO4RuoTTA:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=mF0AHQ10lMY:erYO4RuoTTA:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=mF0AHQ10lMY:erYO4RuoTTA:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=mF0AHQ10lMY:erYO4RuoTTA:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=mF0AHQ10lMY:erYO4RuoTTA:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=mF0AHQ10lMY:erYO4RuoTTA:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=mF0AHQ10lMY:erYO4RuoTTA:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=mF0AHQ10lMY:erYO4RuoTTA:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/mF0AHQ10lMY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/2466308170388456622/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=2466308170388456622" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/2466308170388456622?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/2466308170388456622?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/mF0AHQ10lMY/new-term-for-being-slashdotted.html" title="New term for being slashdotted? :)" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/06/new-term-for-being-slashdotted.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0IERHs-fyp7ImA9WxJWEEU.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-7007424193879308487</id><published>2009-06-15T21:11:00.000+03:00</published><updated>2009-06-15T21:11:45.557+03:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-15T21:11:45.557+03:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="stuff" /><title>First weeks in new job</title><content type="html">So, I got a couple weeks behind me in the new job. 
Things have gone relatively well; I got up to speed after two and a half days of induction, diving right into some work.&lt;br /&gt;&lt;br /&gt;The co-workers are quite nice and I've been accepted at least on some level. Time will show how well I fit in the merry bunch. I guess that at some point I can show my value to the company.&lt;br /&gt;&lt;br /&gt;I'm also getting used to living away from the rest of my family and they seem to take it pretty well so far. When I'm at home we try to do something fun and I catch up with some manly activities at the house.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6925510192418934504-7007424193879308487?l=blog.liquidinfo.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=_Z7Ww7NDOIU:Y8eOgELh9VI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=_Z7Ww7NDOIU:Y8eOgELh9VI:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=_Z7Ww7NDOIU:Y8eOgELh9VI:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=_Z7Ww7NDOIU:Y8eOgELh9VI:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=_Z7Ww7NDOIU:Y8eOgELh9VI:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=_Z7Ww7NDOIU:Y8eOgELh9VI:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=_Z7Ww7NDOIU:Y8eOgELh9VI:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=_Z7Ww7NDOIU:Y8eOgELh9VI:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=_Z7Ww7NDOIU:Y8eOgELh9VI:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/_Z7Ww7NDOIU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/7007424193879308487/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=7007424193879308487" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/7007424193879308487?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/7007424193879308487?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/_Z7Ww7NDOIU/first-weeks-in-new-job.html" title="First weeks in new job" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/06/first-weeks-in-new-job.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Ak4GSX49fip7ImA9WxJQFkw.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-9081651619031415113</id><published>2009-05-29T20:41:00.000+03:00</published><updated>2009-05-29T20:42:08.066+03:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-29T20:42:08.066+03:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="vacation" /><title>Back to work!</title><content type="html">After 2.5 months break from working I decided to accept a job offer as a senior security consultant. I will start on monday. 
I hope expectations on both sides will be fulfilled and it will be an enjoyable journey.&lt;br /&gt;&lt;br /&gt;Blogging most probably will return to normal, as most of those 2.5 months were spent on quality time with family, which was a rare opportunity in itself. Honestly, I started to have the feeling I need to do something, but on the other hand I wouldn't have needed to be in a hurry.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6925510192418934504-9081651619031415113?l=blog.liquidinfo.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=6yfk5bwzch8:NxgdVDO9DT8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=6yfk5bwzch8:NxgdVDO9DT8:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=6yfk5bwzch8:NxgdVDO9DT8:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=6yfk5bwzch8:NxgdVDO9DT8:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=6yfk5bwzch8:NxgdVDO9DT8:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=6yfk5bwzch8:NxgdVDO9DT8:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=6yfk5bwzch8:NxgdVDO9DT8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=6yfk5bwzch8:NxgdVDO9DT8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=6yfk5bwzch8:NxgdVDO9DT8:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/6yfk5bwzch8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/9081651619031415113/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=9081651619031415113" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/9081651619031415113?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/9081651619031415113?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/6yfk5bwzch8/back-to-work.html" title="Back to work!" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/05/back-to-work.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEUERH46fip7ImA9WxJSGEo.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-4231753311419863237</id><published>2009-05-09T12:41:00.001+03:00</published><updated>2009-05-09T16:36:45.016+03:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-09T16:36:45.016+03:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="management" /><category scheme="http://www.blogger.com/atom/ns#" term="security" /><title>I ran out of basil, can you get me some?</title><content type="html">Sorry for not posting anything lately, I have been enjoying time with family.&lt;br /&gt;&lt;br /&gt;A week ago I was making some food which I put some basil in. 
The basil ran out and I tagged it as something to buy from the grocery store. I probably have had too many idle cycles in my brain, because I began thinking about the following.&lt;br /&gt;&lt;br /&gt;What if you have never seen, touched or tasted basil before: how would you know it is really basil? How have you ended up trusting it really is that? You probably have seen pictures of fresh basil, you have been told by many it is basil and you have read from literature it is basil. It is also commonly recognized as basil by the population.&lt;br /&gt;&lt;br /&gt;Consider this. You have just learnt to read and have never seen, touched or tasted basil. You're told to go buy basil. Someone could sell you oregano in a jar which simply states basil and you wouldn't know. Eventually you would learn more and be able to distinguish between oregano and basil, even though they look quite the same when dried and chopped into tiny pieces. You would be able to go to trusted shops to buy it. In the above example you are probably told that you got the wrong herb, unless the requestor doesn't know better.&lt;br /&gt;&lt;br /&gt;So, how does this relate to security?&lt;br /&gt;&lt;br /&gt;What I was thinking of is that the management which has to make security and other decisions is like someone who has just learnt to read. The subordinates are like those who could sell oregano as basil. 
Might sound harsh but that is my perception.&lt;br /&gt;&lt;br /&gt;Even if you're equipped with the necessary skills to be able to understand the very details of network infrastructure, hosts, firewalls, applications, patching, vulnerabilities and so on, you still have to rely on others to produce most of the information which you base your decisions on.&lt;br /&gt;&lt;br /&gt;What I mean is that you don't have a large population inside the company who agree on the current state of these things like you would with my example of basil, mainly because of resource allocations, different skillsets and interests. Instead you have smaller organizations who are supposed to tell you what they see. You are dependent on the skill and ethics of your employees, which on the other hand are affected by tight schedules, money and motivation.&lt;br /&gt;&lt;br /&gt;Of course the size of the company and the complexity of the internal organizations affect all this. The larger the company is, the more points there are where things could fail in one way or another. On the other hand, you have more eyes than in a smaller company, which would have fewer but possibly incompetent employees.&lt;br /&gt;&lt;br /&gt;Let's imagine there are four steps to the deciding manager: a group of specialists, the group manager, the city-level manager, the deciding country-level manager. In this setup the city-level manager deals with many group managers and the country-level manager deals with the city-level managers.&lt;br /&gt;&lt;br /&gt;On each step from the specialist all the way up there is a possibility that somewhere in the chain oregano is sold as basil, either knowingly or unknowingly. The less peers pay attention to the details (peer review), the larger that possibility.&lt;br /&gt;&lt;br /&gt;Being able to measure things (security metrics) helps to some extent but is still prone to misleading results. 
For example, vulnerability scan data gives you the remote and, in some configurations, internal posture of a host, but what if the scanner itself has a limited view because of firewall rules implemented on the host or network? Things would look good on the automated report but the real state of the host would be totally different.&lt;br /&gt;&lt;br /&gt;Surely having auditing enabled and a review board examining each firewall rule change would tackle at least firewall device modifications, but you hopefully get my point with the example. Such a modification could be the result of an earlier report: you get a "yes, we will fix it" response, followed by a lazy and irresponsible "fix" of blocking the affected ports from the scanner and only patching the necessary services. Motives behind such could be tight schedules and a "we will fix it later" mentality, not understanding the risk caused to the company by leaving the host vulnerable.&lt;br /&gt;&lt;br /&gt;That would be you getting oregano instead of basil.&lt;br /&gt;&lt;br /&gt;With proper controls, automated reports from different areas, auditing and reviewing things it could be possible to correlate results and mitigate these occurrences to some extent. But without having someone watch over the shoulder all the time you would never be sure, and still there is room for things to go wrong.&lt;br /&gt;&lt;br /&gt;Sounds like it is not easy to be a manager who has to make important decisions driving the security (or any) posture of a company forward. But take into account that this also works vice versa: the people below the deciding manager have to trust that fair and correct decision making happens, all the way down to the specialist level. Specialists and upper management could be fed oregano by their middle manager who alters information to suit his own personal goals better, e.g. 
by painting a rosier picture upwards which causes the upper management to make wrong decisions that affect the specialists and the whole company. Depressing, huh? But we are humans, after all...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6925510192418934504-4231753311419863237?l=blog.liquidinfo.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=Zne5mZH8cSo:HSyr_qwyVdc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=Zne5mZH8cSo:HSyr_qwyVdc:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=Zne5mZH8cSo:HSyr_qwyVdc:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=Zne5mZH8cSo:HSyr_qwyVdc:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=Zne5mZH8cSo:HSyr_qwyVdc:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=Zne5mZH8cSo:HSyr_qwyVdc:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=Zne5mZH8cSo:HSyr_qwyVdc:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=Zne5mZH8cSo:HSyr_qwyVdc:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=Zne5mZH8cSo:HSyr_qwyVdc:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/Zne5mZH8cSo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/4231753311419863237/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=4231753311419863237" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/4231753311419863237?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/4231753311419863237?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/Zne5mZH8cSo/i-ran-out-of-basil-can-you-get-me-some.html" title="I ran out of basil, can you get me some?" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/05/i-ran-out-of-basil-can-you-get-me-some.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkACSXg6eCp7ImA9WxVbGEo.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-8359946584388975891</id><published>2009-04-04T22:51:00.001+03:00</published><updated>2009-04-04T22:52:48.610+03:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-04-04T22:52:48.610+03:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="stuff" /><title>Saturday stuff</title><content type="html">Lately I have spent quality time with my family. It has felt good to relax and and just set your brain into a different mode, waiting for spring to arrive. 
On the nerd side, I bought a new laptop battery, but it seems it has already lost 30% of its capacity. I complained about it; I'm not sure what kind of capacity you should expect anyway, but 30% sounds too bad.&lt;br /&gt;&lt;br /&gt;I took my kid's toy train and hooked it up to the USB hub. At least the batteries give some power. Now I'm not sure whether there is something wrong with the cabling or what, but the N810 complains about a bad hub or cable. If I use it with a memory stick, it works. It could be that the plug I managed to fit into the power socket is damaged somehow and short-circuits the hub. But anyway, I thought of leaving that project for now, unless a friend has another hub I can test.&lt;br /&gt;&lt;br /&gt;In the meantime I need something else to work on. I haven't yet figured out what.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=40OOg3YMIr8:cght47AWXsA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=40OOg3YMIr8:cght47AWXsA:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=40OOg3YMIr8:cght47AWXsA:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=40OOg3YMIr8:cght47AWXsA:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=40OOg3YMIr8:cght47AWXsA:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=40OOg3YMIr8:cght47AWXsA:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=40OOg3YMIr8:cght47AWXsA:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=40OOg3YMIr8:cght47AWXsA:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=40OOg3YMIr8:cght47AWXsA:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/40OOg3YMIr8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/8359946584388975891/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=8359946584388975891" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/8359946584388975891?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/8359946584388975891?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/40OOg3YMIr8/saturday-stuff.html" title="Saturday stuff" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/04/saturday-stuff.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0AGQ3s8fCp7ImA9WxVbEk8.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-4231984679374762906</id><published>2009-03-28T09:34:00.001+02:00</published><updated>2009-03-28T09:35:22.574+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-28T09:35:22.574+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="incident" /><category scheme="http://www.blogger.com/atom/ns#" term="management" /><category scheme="http://www.blogger.com/atom/ns#" term="security" /><title>Marcus Ranum - The Anatomy of Security Disasters</title><content type="html">&lt;a 
href="http://blog.tenablesecurity.com/2009/03/ranums-rants-the-anatomy-of-security-disasters.html"&gt;http://blog.tenablesecurity.com/2009/03/ranums-rants-the-anatomy-of-security-disasters.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A good read, and it makes you think... Have you witnessed any security disasters, bad ideas that got implemented even though specialists objected to them? Marcus has put some good thought into the topic.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=jsxwuLrIHiM:NqUaeLF3JvQ:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=jsxwuLrIHiM:NqUaeLF3JvQ:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=jsxwuLrIHiM:NqUaeLF3JvQ:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=jsxwuLrIHiM:NqUaeLF3JvQ:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=jsxwuLrIHiM:NqUaeLF3JvQ:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=jsxwuLrIHiM:NqUaeLF3JvQ:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=jsxwuLrIHiM:NqUaeLF3JvQ:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=jsxwuLrIHiM:NqUaeLF3JvQ:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=jsxwuLrIHiM:NqUaeLF3JvQ:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/jsxwuLrIHiM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/4231984679374762906/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=4231984679374762906" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/4231984679374762906?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/4231984679374762906?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/jsxwuLrIHiM/marcus-ranum-anatomy-of-security.html" title="Marcus Ranum - The Anatomy of Security Disasters" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/03/marcus-ranum-anatomy-of-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D08DRn08fip7ImA9WxVbEEg.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-3087823354309642213</id><published>2009-03-26T10:23:00.001+02:00</published><updated>2009-03-26T10:24:37.376+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-26T10:24:37.376+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="stuff" /><title>Family OS upgraded to version 3.0</title><content type="html">This is the 100th blog entry with blogger, so it is an occasion for a small personal celebration. 
It also happens to be the post where I announce that my Family OS has just been upgraded to version 3.0. Tired but happy!&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=J_Ng6lm3xUY:2VrhV2OINk4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=J_Ng6lm3xUY:2VrhV2OINk4:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=J_Ng6lm3xUY:2VrhV2OINk4:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=J_Ng6lm3xUY:2VrhV2OINk4:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=J_Ng6lm3xUY:2VrhV2OINk4:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=J_Ng6lm3xUY:2VrhV2OINk4:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=J_Ng6lm3xUY:2VrhV2OINk4:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=J_Ng6lm3xUY:2VrhV2OINk4:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=J_Ng6lm3xUY:2VrhV2OINk4:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/J_Ng6lm3xUY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/3087823354309642213/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=3087823354309642213" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/3087823354309642213?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/3087823354309642213?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/J_Ng6lm3xUY/family-os-upgraded-to-version-30.html" title="Family OS upgraded to version 3.0" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/03/family-os-upgraded-to-version-30.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkQDRX0-fCp7ImA9WxVUE0w.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-3113868468859061022</id><published>2009-03-17T19:11:00.001+02:00</published><updated>2009-03-17T19:19:34.354+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-17T19:19:34.354+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="stuff" /><title>This was the last day...</title><content type="html">Today was my last visit to the workplace and I left all my company belongings there. The feelings I had were quite mixed; partly excited and happy but also kind of sad and a tiny bit worried. Anyways, now I feel quite OK. 
The sauna is heating up and I have a few cold beers in the fridge, so I will probably feel even better today. I might be shocked tomorrow when I notice I have no work laptop and can't log in to read my emails. Then I guess this whole "leaving" thing has hit home; it has finally been done.&lt;br /&gt;&lt;br /&gt;Now it is time to relax for a moment before I start looking around at what the future has up its sleeve for me.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=nnyGndOLlw4:SLoiuBEXf34:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=nnyGndOLlw4:SLoiuBEXf34:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=nnyGndOLlw4:SLoiuBEXf34:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=nnyGndOLlw4:SLoiuBEXf34:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=nnyGndOLlw4:SLoiuBEXf34:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=nnyGndOLlw4:SLoiuBEXf34:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=nnyGndOLlw4:SLoiuBEXf34:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=nnyGndOLlw4:SLoiuBEXf34:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=nnyGndOLlw4:SLoiuBEXf34:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/nnyGndOLlw4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/3113868468859061022/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=3113868468859061022" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/3113868468859061022?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/3113868468859061022?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/nnyGndOLlw4/this-was-last-day.html" title="This was the last day..." /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/03/this-was-last-day.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0IBQng-eyp7ImA9WxVVFUg.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-2033927016602045972</id><published>2009-03-09T00:30:00.001+02:00</published><updated>2009-03-09T00:32:33.653+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-09T00:32:33.653+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="contribution" /><category scheme="http://www.blogger.com/atom/ns#" term="log" /><category scheme="http://www.blogger.com/atom/ns#" term="management" /><title>What consists of useful logs?</title><content type="html">Today I will talk a little bit about logs and what added value these can bring to your day-to-day security 
operations, beyond just storing them for X months because some regulation says so.&lt;br /&gt;&lt;br /&gt;In general, logs come from network devices, operating systems and services. Applications can produce logs too, but usually they have their own logging. Most sources can write syslog-formatted logs and send them to a separate log server, and some can use an agent that converts their logs to syslog format. Of course, if your environment is homogeneous and supports a specific logging system that meets your requirements, use that instead. There are also logging appliances that can be purchased and set up to receive logs from different sources. However, this post is not about the logging infrastructure (which can be easy or hard to deal with) but about the content of the logs.&lt;br /&gt;&lt;br /&gt;One obvious log to follow is the access log.&lt;br /&gt;&lt;br /&gt;Many devices, operating systems and services create access logs, for example for login attempts to an FTP service, SSH, a Windows login, VPN devices, databases, telnet, a router login and so on. Getting in by password guessing is still achievable even though the whole password topic has been debated for ages.&lt;br /&gt;&lt;br /&gt;A telltale sign that you are in trouble is a long run of failed login attempts against a specific user that finally ends with a successful login. Even if you don't see that successful login, a sustained run of failures is a good moment to check the strength of the passwords on the attacked system; the attacker may have got in through a path you don't log.&lt;br /&gt;&lt;br /&gt;Odd login times might also mean that someone unauthorized has gained access to an account and is using it for evil purposes. 
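&lt;br /&gt;&lt;br /&gt;Here is an added example (not part of the original post) that turns the two access-log signals just described into code: a run of failures that ends in a success, and logins at odd hours. The sshd lines are constructed for the example, the five-failure threshold and the 07:00 to 20:00 working hours are assumptions to tune per environment, and the line format is the standard syslog output of OpenSSH.&lt;br /&gt;&lt;br /&gt;

```python
"""Added example (not from the original post): pulling the two signals the
post describes out of SSH access logs, a run of failures that ends in a
success and logins outside working hours."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the usual syslog/sshd format, not real traffic.
SAMPLE_LOG = """\
Mar  8 02:14:01 web01 sshd[2131]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  8 02:14:03 web01 sshd[2133]: Failed password for root from 203.0.113.5 port 40123 ssh2
Mar  8 02:14:05 web01 sshd[2134]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar  8 02:14:08 web01 sshd[2136]: Failed password for root from 203.0.113.5 port 40125 ssh2
Mar  8 02:14:11 web01 sshd[2139]: Failed password for root from 203.0.113.5 port 40126 ssh2
Mar  8 02:14:13 web01 sshd[2140]: Failed password for root from 203.0.113.5 port 40127 ssh2
Mar  8 02:14:16 web01 sshd[2141]: Accepted password for root from 203.0.113.5 port 40128 ssh2
Mar  8 09:30:00 web01 sshd[2300]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Mar  8 23:45:12 web01 sshd[2410]: Accepted password for bob from 198.51.100.9 port 51022 ssh2
Mar  8 23:50:00 db01 sshd[3001]: Failed password for oracle from 203.0.113.77 port 33001 ssh2
Mar  8 23:50:02 db01 sshd[3002]: Failed password for oracle from 203.0.113.77 port 33002 ssh2
Mar  8 23:50:04 db01 sshd[3003]: Failed password for oracle from 203.0.113.77 port 33003 ssh2
Mar  8 23:50:06 db01 sshd[3004]: Failed password for oracle from 203.0.113.77 port 33004 ssh2
Mar  8 23:50:08 db01 sshd[3005]: Failed password for oracle from 203.0.113.77 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+)"
)

# Assumed local working hours; tune to the environment being monitored.
BUSINESS_HOURS = range(7, 20)


def parse_events(text):
    """Return (timestamp, host, outcome, user, source_ip) tuples for lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp, host, outcome, user, ip = m.groups()
            # Syslog stamps carry no year; strptime fills in 1900, which is fine for hour checks.
            events.append((datetime.strptime(stamp, "%b %d %H:%M:%S"), host, outcome, user, ip))
    return events


def find_bruteforce(events, threshold=5):
    """Flag an accepted login that follows at least `threshold` failures for the same
    user on the same host. A deque with maxlen=threshold keeps only the most recent
    failure stamps, so a full deque means "at least threshold failures so far".
    Users whose window is still full at the end are reported as well: the attacker may
    have got in somewhere you are not logging, which is the post's cue to audit passwords."""
    windows = defaultdict(lambda: deque(maxlen=threshold))
    alerts = []
    for ts, host, outcome, user, ip in events:
        key = (host, user)
        if outcome == "Failed":
            windows[key].append(ts)
            continue
        # Any accepted login resets the window; a full window at that moment is the alert.
        if len(windows.pop(key, ())) == threshold:
            alerts.append(("success after brute force", host, user, ip, ts))
    for (host, user), window in windows.items():
        if len(window) == threshold:
            alerts.append(("sustained failures, no success seen", host, user, None, window[-1]))
    return alerts


def find_offhours_logins(events, hours=BUSINESS_HOURS):
    """Accepted logins outside the assumed working hours."""
    return [(host, user, ip, ts) for ts, host, outcome, user, ip in events
            if outcome == "Accepted" and ts.hour not in hours]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in find_bruteforce(evs):
        print(alert)
    for login in find_offhours_logins(evs):
        print("off-hours login:", login)
```

&lt;br /&gt;&lt;br /&gt;Keying the failure window on (host, user) rather than on the source address matches the sign of trouble described above (many failures against one account) and survives an attacker who rotates source addresses; the success alert records the source address that finally got in, which is the first pivot into the firewall and proxy logs.&lt;br /&gt;&lt;br /&gt;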
Centralized logs turn out to be a handy tool when you're doing incident response and are faced with a system whose local log files have been modified or deleted: a copy shipped off the host at write time is out of the intruder's reach.&lt;br /&gt;&lt;br /&gt;Another log source is the firewall log.&lt;br /&gt;&lt;br /&gt;Obviously lots of network activity through a firewall produces loads of log data, which can be very cumbersome to analyze. Individual operating systems can also produce packet-filtering logs. In smaller environments this kind of data should be easier to handle, and with traffic analysis tools larger data sets can be analyzed too. One might think that logging only the denied packets is sufficient, but it is worthwhile to log the accepted packets as well, because these reveal administrative mistakes in the rulebase, among other things: a deny log only shows what the rulebase stopped, never what it wrongly let through.&lt;br /&gt;&lt;br /&gt;When you are facing a compromised system you will want to know during the investigation whether it has been used to access other hosts in your network. You might find out that some hosts are running unnecessary services, or that you have made a mistake in the rulebase which allows outbound traffic from your servers that you never intended. In any case the logs can be used for correlation in many situations.&lt;br /&gt;&lt;br /&gt;How about system/service events?&lt;br /&gt;&lt;br /&gt;Logs here could, for example, reveal that a hard disk is failing on an important server, as disk I/O errors start appearing. You could also notice unexpected service restarts or service errors, which could indicate a successful attack against the system (a crashed and restarted daemon is a common side effect of an exploit attempt). Correlating such events with IDS logs and firewall logs helps you validate a possible incident and decide whether to investigate further. 
Added users, modifications to groups and so on can also prove helpful, as can other things like a sudden increase in outgoing email through your email gateway.&lt;br /&gt;&lt;br /&gt;Are IDS events any use?&lt;br /&gt;&lt;br /&gt;IDS events trigger when a packet matches a specific signature in the rulebase. For efficiency and to remove false positives, the rulebase should be tuned to the environment you're monitoring. Sure, that can leave you blind to attacks aimed at software you don't run, but it will still trigger on the ones that matter. The benefit of an IDS also depends a lot on placement. If you put it in front of a bunch of web servers that mostly talk HTTPS, the added value is small, because the sensor cannot inspect the encrypted payload. If you have load balancers that also offload SSL from the servers, you have a better chance of getting something useful by placing one sensor leg behind the balancers, where the traffic is in the clear.&lt;br /&gt;&lt;br /&gt;In addition to the default rulesets you should build custom rules for the assets you're protecting, e.g. web apps. Having the IDS log to a central server mainly records the events, but what you also need during incident response is the payload. The IDS event and the other related logs for the affected asset give you a quick correlation of the flow of a possible incident, but the payload shows what actually triggered the signature. The payload is usually viewed through an IDS management console or a separate database frontend.&lt;br /&gt;&lt;br /&gt;The last thing to talk about is service application logs.&lt;br /&gt;&lt;br /&gt;By service application logs I mean the actual logs produced by a service, like DHCP, web server or proxy logs. Web server logs might not be so useful because they usually log only the request line, not the body of POST requests, and logging bodies in full could be a privacy issue anyway (credentials are mostly submitted over POST instead of GET). They can still help in assessing what a would-be attacker did on the site before and after the IDS signature was triggered. 
Proxy logs, on the other hand, can help you hunt down infected internal hosts that try to talk to outside command-and-control servers over HTTP. DHCP servers log the hostname of a computer if it was present in the DHCP request, which can help you track down the actual user of an infected asset and tie an IP address seen in the other logs back to a machine at that point in time.&lt;br /&gt;&lt;br /&gt;As you can see from all the examples above, my focus for logs is mainly incident response. They can also prove useful for system administration and troubleshooting. I bet you can come up with lots of other interesting log sources (HIDS, AV?), use cases and suggestions on where certain types of logs are beneficial, but this is what came off the top of my head.&lt;br /&gt;&lt;br /&gt;Have a nice week!&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=BLEKeEexUDg:R7-Eopn2S7w:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=BLEKeEexUDg:R7-Eopn2S7w:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=BLEKeEexUDg:R7-Eopn2S7w:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=BLEKeEexUDg:R7-Eopn2S7w:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=BLEKeEexUDg:R7-Eopn2S7w:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=BLEKeEexUDg:R7-Eopn2S7w:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=BLEKeEexUDg:R7-Eopn2S7w:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?i=BLEKeEexUDg:R7-Eopn2S7w:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/LiquidInformation?a=BLEKeEexUDg:R7-Eopn2S7w:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/LiquidInformation?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/BLEKeEexUDg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/2033927016602045972/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=2033927016602045972" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/2033927016602045972?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/2033927016602045972?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/BLEKeEexUDg/what-consists-of-useful-logs.html" title="What consists of useful logs?" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/03/what-consists-of-useful-logs.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEANSHs-fSp7ImA9WxVWFEQ.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-4899472261094703085</id><published>2009-02-24T19:33:00.000+02:00</published><updated>2009-02-24T19:33:19.555+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-02-24T19:33:19.555+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="webapp" /><title>Heh, one prediction getting somewhere?</title><content type="html">In January I &lt;a href="http://blog.liquidinfo.net/2009/01/some-security-predictions.html"&gt;predicted&lt;/a&gt; that there will be common functions that developers could use to develop more resilient 
web applications. It seems that at OWASP there has been some progress in this area: they released an &lt;a href="http://www.owasp.org/index.php/ESAPI"&gt;API&lt;/a&gt; for Java just a while ago. The site stated that similar APIs are already being planned/built for .NET and PHP.&lt;br /&gt;&lt;br /&gt;I had no previous knowledge of this project, but it's cool to see that some people put effort into it. OWASP is quite respected, so this could mean wider adoption of the provided tools. I haven't looked at the ESAPI to see what kind of input validation it provides, which was my main point. Based on the PowerPoint it offers all sorts of web-app-related security functionality.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=jMvDswMv"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?d=41" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=Vgtj1zJD"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?i=Vgtj1zJD" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=o3HjboNq"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?d=43" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=0jI8sWxH"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?i=0jI8sWxH" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=B0c9Bi06"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?i=B0c9Bi06" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=8G70XayW"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?d=52" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/PSUQASDEH3I" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/4899472261094703085/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=4899472261094703085" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/4899472261094703085?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/4899472261094703085?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/PSUQASDEH3I/heh-one-prediction-getting-somewhere.html" title="Heh, one prediction getting somewhere?" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/02/heh-one-prediction-getting-somewhere.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkcARnwzeip7ImA9WxVWEEs.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-3916060778319195512</id><published>2009-02-19T19:14:00.002+02:00</published><updated>2009-02-19T19:20:47.282+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-02-19T19:20:47.282+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="crack" /><category scheme="http://www.blogger.com/atom/ns#" term="password" /><category scheme="http://www.blogger.com/atom/ns#" term="wpa" /><title>Password cracking, WPA and rainbow tables</title><content type="html">I have seen a lot of searches about rainbow tables and WPA 
so I'll spend a few moments on this and other password-related stuff. (Please note that I am in no way an expert in the cracking area)&lt;br /&gt;&lt;br /&gt;First of all, what is a rainbow table? It is a pre-computed table of password hashes built for a fixed hash function, keyspace and password length (strictly, it stores chains of hash-and-reduce steps rather than every hash, which is what keeps it small enough to ship). When you have a hash (LM, MD5, SHA1, etc.) and a rainbow table for that particular hash type, you just need to look the hash up in the table to see if you have a match. This is much faster than computing a fresh hash for every brute-force or dictionary candidate and comparing it to the hash you have. Of course, creating the rainbow table takes a long time and a lot of space depending on the keyspace and length you want it to cover. To create your own rainbow table you can use &lt;a href="http://project-rainbowcrack.com/"&gt;rainbowcrack&lt;/a&gt; and, if needed, add a new hashing algorithm to it.&lt;br /&gt;&lt;br /&gt;Now about WPA cracking with brute force or a dictionary. When you are going to crack a WPA passphrase you need to capture the initial four-way handshake. You can force a handshake with a de-auth attack and then continue offline with cracking the key. However, with current computing power it is only possible to attempt a couple of hundred keys per second, so it is slow: each candidate costs 4096 rounds of PBKDF2 with HMAC-SHA1. Of course you could use something like an NVIDIA GPU to speed the cracking up by 10 to 15 times, if you know how to do it.&lt;br /&gt;&lt;br /&gt;Ok, so using a rainbow table for the task sounds more feasible, right? The Internet has ready-made rainbow tables for WPA, so you can just download one and crack the key fast instead of taking weeks or months, right? The problem is that the key is derived from both the passphrase and the SSID, so a table is built for one SSID; if the rainbow &lt;a href="http://www.renderlab.net/projects/WPA-tables/"&gt;table&lt;/a&gt; you find isn't built for your target's SSID (the public ones cover common default SSIDs), you're out of luck. 
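&lt;br /&gt;&lt;br /&gt;As an added example, not code from the original post, here is the key derivation that ties a WPA table to the SSID, together with the brute-force enumeration and dictionary mangling discussed further down, so the pieces can be seen working together. It is plain Python on the standard library; the word list, the leet substitution set and the suffix list are assumptions for illustration, while the PBKDF2 parameters (HMAC-SHA1, 4096 rounds, 256-bit output, SSID as salt) are the ones the WPA/WPA2-PSK standard specifies.&lt;br /&gt;&lt;br /&gt;

```python
"""Added example (not from the original post): why a WPA rainbow table only
works for one SSID, plus the candidate generators a cracker feeds into it."""
import hashlib
import itertools

# Fixed by the WPA/WPA2-PSK standard: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
WPA_ROUNDS = 4096
PMK_BYTES = 32

# Assumed leet-style substitutions and suffixes, the "permutation" feature the post describes.
LEET = str.maketrans({"e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("", "1", "123", "!", "-")


def wpa_pmk(passphrase, ssid):
    """Derive the Pairwise Master Key exactly as a WPA/WPA2-PSK client or AP does.
    The SSID is the salt, which is why a pre-computed table is bound to one network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), WPA_ROUNDS, PMK_BYTES)


def brute_force_candidates(charset, min_len, max_len):
    """Every string over charset from min_len to max_len, in the aa, ab, ..., az, ba, bb order."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def mangled_candidates(words):
    """Dictionary words plus the common rewrites: capitalised, leet-substituted, suffixed."""
    seen = set()
    for word in words:
        for base in (word, word.capitalize(), word.translate(LEET), word.capitalize().translate(LEET)):
            for suffix in SUFFIXES:
                candidate = base + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def precompute_pmk_table(ssid, candidates):
    """The SSID-specific table: PMK bytes mapped back to the passphrase that produced them."""
    return {wpa_pmk(candidate, ssid): candidate for candidate in candidates}


def lookup_passphrase(table, captured_pmk):
    """A table hit costs one dictionary lookup instead of 4096 PBKDF2 rounds per guess;
    returns None when the table does not cover the passphrase or was built for another SSID."""
    return table.get(captured_pmk)


if __name__ == "__main__":
    # Constructed word list; a real run would use a large dictionary and a longer keyspace.
    wordlist = ["password", "linksys", "summer", "welcome"]
    table = precompute_pmk_table("linksys", mangled_candidates(wordlist))
    # In a real attack the candidate PMK is verified against the captured 4-way handshake;
    # here the target PMK is derived directly so the example runs offline.
    target = wpa_pmk("Pa$$w0rd123", "linksys")
    print(lookup_passphrase(table, target))                              # hit: table built for this SSID
    print(lookup_passphrase(table, wpa_pmk("Pa$$w0rd123", "NETGEAR")))  # None: same passphrase, other SSID
```

&lt;br /&gt;&lt;br /&gt;Running the script prints the recovered passphrase for the linksys table and None for the very same passphrase under the NETGEAR SSID: once the network name changes the whole table has to be rebuilt, which is the point of the warning above. wpa_pmk reproduces the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), so the derivation can be checked against the standard before trusting any table built with it.&lt;br /&gt;&lt;br /&gt;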
If you know the SSID in advance, you can generate a pre-computed &lt;a href="http://www.wirelessdefence.org/Contents/coWPAttyMain.htm#Precomputing_WPA_PMK_to_crack_WPA_PSK:"&gt;table&lt;/a&gt; for it and then use it when you need to. Considering the slow speed, you will probably have to resort to a dictionary file of words of a certain length unless you have lots of time to spend.&lt;br /&gt;&lt;br /&gt;To protect your own WPA key against cracking, use a passphrase of over 20 characters and a non-default SSID: the SSID is the salt in the WPA key derivation, so a unique network name alone makes every public table useless against you. The same idea applies to password storage in general: to render rainbow tables ineffective, hash each password with a long random salt (combine it with the password before hashing), so that a pre-computed table would have to be built per salt.&lt;br /&gt;&lt;br /&gt;Now, jumping back a bit, about password cracking in general. Cracking is generally about guessing passwords, unless there is a clear cryptographic flaw that can be exploited (e.g. WEP encryption). There are two methods of doing this: a brute-force attack or a dictionary attack.&lt;br /&gt;&lt;br /&gt;When doing a dictionary attack you have a file with lots of different words, which the cracking tool will try one by one to find the password. Some tools offer permutation (mangling) rules, where characters are added (a dash, 123, etc.) or common letters are replaced by their special counterparts (s becomes $, i becomes 1, upper/lowercase changes and so on), to cover the common ways of writing "difficult" but easy-to-remember passwords. Consider a word that fulfills the usual [a-z][A-Z][0-9] plus special character requirement and is 8 characters or longer, for example "Pa$$w0rd-": it passes the policy but is a single dictionary word with a standard mangling rule applied.&lt;br /&gt;&lt;br /&gt;When doing a brute-force attack you instruct the cracking tool to go over all possible combinations within your parameters, like minimum and maximum length and the keyspace to use, for example [a-z][A-Z][0-9][$‰&amp;amp;-!]. If you set a password of length 2 using only lowercase letters, it would go something like this: aa, ab, ac. 
When it reaches az, it will continue like this: ba, bb, bc and so on.&lt;br /&gt;&lt;br /&gt;When cracking something, you have either obtained a password hash by some method or you try to gain access to a resource directly. A hash is obtained from a system, a database or network traffic. A resource could be a router, a printer, an SSH server, a web application, SNMP, you name it. For devices you can find default password lists, which will work if people have been lazy.&lt;br /&gt;&lt;br /&gt;When cracking a hash you usually do not need anything else, but when attacking a live resource you usually also need a valid username on the system and a tool capable of speaking the protocol. Attacking a resource directly also has the caveat that it is noticeable (the attempts show up in the target's logs) and there may be account lockout measures in place which thwart the attack. The speed of the network also plays a big role.&lt;br /&gt;&lt;br /&gt;Here is a list of the &lt;a href="http://sectools.org/crackers.html"&gt;TOP-10&lt;/a&gt; cracking tools, which are written for different purposes. Among them there are tools written just to crack a specific hash type, and they do it well. If you look hard enough, you might find one written just for your purpose, or you could write your own. I once wrote a small shell script which attempted to crack different kinds of logins (like Hydra). Sure, it worked and it was fun to write, but it was dead slow.&lt;br /&gt;&lt;br /&gt;A lot of other means exist to gain access to passwords. 
One could use sniffers, man-in-the-middle attacks, social engineering (asking, giving chocolate, running a look-alike phishing site, etc.), looking under the keyboard, getting the user to connect to your system instead of the real one, or studying the target and trying related birthdays, pet names, car names, children's names and whatever else.&lt;br /&gt;&lt;br /&gt;To thwart most attempts to obtain passwords: use passphrases instead of passwords (long enough to make guessing them computationally infeasible), do not use cleartext protocols, pay attention to encryption warnings, don't fall for phishing emails, and so on. Build the security of your systems in such a way that unauthorized access to your password hashes is hard to gain.&lt;br /&gt;&lt;br /&gt;Phew, this was a mammoth post and honestly I started to get bored writing it :)&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/7PaagEq5s0M" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/3916060778319195512/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=3916060778319195512" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/3916060778319195512?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/3916060778319195512?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/7PaagEq5s0M/password-cracking-wpa-and-rainbow.html" title="Password cracking, WPA and rainbow tables" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/02/password-cracking-wpa-and-rainbow.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0AAQHc-fip7ImA9WxVXE0o.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-1436483546671161531</id><published>2009-02-11T21:15:00.000+02:00</published><updated>2009-02-11T21:15:41.956+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-02-11T21:15:41.956+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="life" /><title>Hardest decision ever</title><content type="html">I made the hardest decision of my life this monday. I decided to resign from my job during these difficult times. From 17.3.2009 onwards I will be available for new opportunities. I need a change. 
If you never take risks, you will never gain anything. Time will show if this was a bad decision.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/KsWqM2UVmvs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/1436483546671161531/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=1436483546671161531" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/1436483546671161531?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/1436483546671161531?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/KsWqM2UVmvs/hardest-decision-ever.html" title="Hardest decision ever" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/02/hardest-decision-ever.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk8CR3g5fCp7ImA9WxVXEEU.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-1139028292831188515</id><published>2009-02-08T11:20:00.000+02:00</published><updated>2009-02-08T11:21:06.624+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-02-08T11:21:06.624+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="blog" /><category scheme="http://www.blogger.com/atom/ns#" term="management" /><category scheme="http://www.blogger.com/atom/ns#" term="stuff" /><title>This is somewhat true</title><content type="html">I read a blog posting at &lt;a 
href="http://www.darkreading.com/blog/archives/2009/02/companies_lacki.html"&gt;DarkReading&lt;/a&gt; this morning; it was about security guys becoming admins in their daily work. In some sense this is true; I've also seen that happen. More time goes into administration than into doing real security work.&lt;br /&gt;&lt;br /&gt;Has anyone noticed the "trend" going on at some mailing lists?&lt;br /&gt;&lt;br /&gt;"Hey, look! I made a blog post! Come and read, and comment!"&lt;br /&gt;"Hey, look! I made another blog post, now I talk about this!"&lt;br /&gt;"Hey, look! I made a blog post in response to your mailing list discussion!"&lt;br /&gt;&lt;br /&gt;To me that sounds more like trying to get more readers to your blog with some silly advertising. I would be hesitant to post my own blog posts to any mailing list unless I've actually tried to do some research I want responses to, and it is easier to present it in a blog entry. More reasonable would actually be to copy-paste the blog entry and just point a link to the blog, to possibly keep the discussion at the mailing list level.&lt;br /&gt;&lt;br /&gt;But anyway, I hope this trend doesn't get too common.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/4YfP3uyqCIM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/1139028292831188515/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=1139028292831188515" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/1139028292831188515?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/1139028292831188515?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/4YfP3uyqCIM/this-is-somewhat-true.html" title="This is somewhat true" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/02/this-is-somewhat-true.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUYDRXY6fCp7ImA9WxVQFE0.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-7556051154925813922</id><published>2009-01-31T15:05:00.000+02:00</published><updated>2009-01-31T15:06:14.814+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-01-31T15:06:14.814+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="scanner" /><category scheme="http://www.blogger.com/atom/ns#" term="webapp" /><title>Here we go again..</title><content type="html">As most of you probably have read discussions about the latest web application scanner test made by &lt;a href="http://drop.io/anantasecfiles"&gt;Anantasec&lt;/a&gt; where three scanners were 
tested, there is now an article on &lt;a href="http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=213000085&amp;amp;cid=RSSfeed"&gt;Dark Reading&lt;/a&gt; which has commentary from different players in the field.&lt;br /&gt;&lt;br /&gt;For some reason comments from an Acunetix representative were absent from the article, but people from HP and IBM did of course comment. Oh well, it would have been interesting to get some comments from their company too. I don't remember seeing any NTObjectives representative commenting on the earlier round made by Larry Suto, but it stirred up a lot of other (heated) discussions...&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/ScnsRzNEbl0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/7556051154925813922/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=7556051154925813922" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/7556051154925813922?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/7556051154925813922?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/ScnsRzNEbl0/here-we-go-again.html" title="Here we go again.." /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/01/here-we-go-again.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEACQno_eSp7ImA9WxVRF0Q.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-2945808382670232803</id><published>2009-01-24T13:32:00.001+02:00</published><updated>2009-01-24T13:32:43.441+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-01-24T13:32:43.441+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="contribution" /><category scheme="http://www.blogger.com/atom/ns#" term="scanner" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="project" /><title>Nessus on N810, part 2</title><content type="html">I decided to test if Nessus really doesn't work with 
all the plugins.&lt;br /&gt;&lt;br /&gt;This time I just let the device take its time and it seems that it actually was able to load everything. The first time it took almost 50 minutes for nessusd to load the plugins, but the next time it takes 5 minutes. For the GUI it is a whopping 20-25 minutes every time.&lt;br /&gt;&lt;br /&gt;Everything seemed to be OK except for the port scanning part I mentioned also in my earlier post. It didn't work even after I installed nmap and the nmap.nasl plugin on the system. After looking at the nessusd.messages file, it seems that some plugins had not been installed to the plugins directory at all during the nessus-plugins compilation and install. I had to manually copy them over from the scratchbox environment.&lt;br /&gt;&lt;br /&gt;After copying the required .nes files over to the N810, I got the port scanning feature of Nessus to work. I'm however a little worried that if the scan is too aggressive, this device is too slow for it and will drop packets. There are values that can be tuned for nmap, but the scan used the Nessus TCP scanner. I validated the open ports, as I have nmap results from an earlier run, and the results matched.&lt;br /&gt;&lt;br /&gt;As mentioned somewhere on the Nessus website, using nmap will eat a lot more memory than utilizing Nessus's own port scanning, so either run the nmap scan beforehand with -oG &lt;file&gt; to have the open ports in a greppable form and tell Nessus to use this file for open ports, or directly use Nessus's own port scanning plugin. By default it seems to use the Nessus TCP scanner.&lt;br /&gt;&lt;br /&gt;With all the plugins the device eats up a lot of system memory, so having lots of hosts to test can cause memory to run out. In my testing it was able to test 3 different hosts during the same scan, but one host and one check at a time. 
Because of the memory usage it might be justified to fine-tune which plugins to include on the system, and it makes things a little bit faster.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/4MB0W_tC-J8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/2945808382670232803/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=2945808382670232803" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/2945808382670232803?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/2945808382670232803?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/4MB0W_tC-J8/nessus-on-n810-part-2.html" title="Nessus on N810, part 2" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/01/nessus-on-n810-part-2.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DE8ERX8-fyp7ImA9WxVRE0Q.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-5592085254448803296</id><published>2009-01-19T22:20:00.002+02:00</published><updated>2009-01-19T22:26:44.157+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-01-19T22:26:44.157+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="contribution" /><category scheme="http://www.blogger.com/atom/ns#" term="scanner" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="project" /><title>Nessus on N810</title><content type="html">Yesterday I decided to continue with my &lt;a 
href="http://www.nessus.org/"&gt;Nessus&lt;/a&gt; on N810 project, and basically had to start over again because I had done a re-install of my Linux box. So, on with the &lt;a href="http://maemo.org/development/sdks/maemo_4-1-2_diablo/"&gt;maemo&lt;/a&gt; environment setup and downloading the required packages.&lt;br /&gt;&lt;br /&gt;First I tried &lt;a href="http://www.openvas.org/"&gt;OpenVAS&lt;/a&gt;, but it had way too many dependencies which were not included in the environment, and after a while I got bored of hunting all of these down. Then I continued with the Nessus 2.x series, for which sources are still available, and compiling the stuff was a breeze like the first time.&lt;br /&gt;&lt;br /&gt;After installing the stuff on the N810 and downloading the plugins, I thought that last time it died because of way too many plugins. I did some quick harvesting of what to include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;copy the dependencies which are present in NASL scripts&lt;/li&gt;&lt;li&gt;copy all the plugins from CVE-2005 to CVE-2009&lt;/li&gt;&lt;li&gt;copy OS fingerprinting plugins and CVE NOMATCH plugins&lt;/li&gt;&lt;li&gt;copy .inc files and exclude local security checks&lt;/li&gt;&lt;/ul&gt;Then I installed the openssl package on the device as nessus-mkcert wanted it, and added the user with nessus-adduser. Then to the fun part, running nessusd &amp;amp; nessus. The daemon slowly chugged through the plugins (which load way faster the next time), but the system was fully usable. 
Last time it was really hard on the system; maybe the OS2008 update has something to do with it?&lt;br /&gt;&lt;br /&gt;Running the nessus client:&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_Gc7QUG0_b4E/SXTYuF7iWtI/AAAAAAAAAAM/yNAd4dRH2qE/s1600-h/screenshot01.png"&gt;&lt;img style="cursor: pointer; width: 320px; height: 192px;" src="http://1.bp.blogspot.com/_Gc7QUG0_b4E/SXTYuF7iWtI/AAAAAAAAAAM/yNAd4dRH2qE/s320/screenshot01.png" alt="" id="BLOGGER_PHOTO_ID_5293093748444650194" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;When entering the credentials on the login screen I was greeted with a long wait. I thought it had crashed like earlier, but it actually did finish and I was able to use the GUI. The next screenshot shows the Plugins tab:&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_Gc7QUG0_b4E/SXTZT8n0IKI/AAAAAAAAAAU/kt8GhDje-jU/s1600-h/screenshot02.png"&gt;&lt;img style="cursor: pointer; width: 320px; height: 192px;" src="http://2.bp.blogspot.com/_Gc7QUG0_b4E/SXTZT8n0IKI/AAAAAAAAAAU/kt8GhDje-jU/s320/screenshot02.png" alt="" id="BLOGGER_PHOTO_ID_5293094398781038754" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The exciting moment came next when I entered the subnet as the target and clicked to start the scan. The screen blanked and flickered once and I thought it had crashed. It didn't crash and began testing the hosts, multiple at a time. However, at some point the device rebooted.&lt;br /&gt;&lt;br /&gt;I decided to tune the default values to be more friendly to the device, running one test per host, and only one host at a time. I also increased the timeout value in case tests do not finish in time. Now I decided to target my XP and a Linux sitting in VMWare. 
Here is a screenshot of the scan:&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_Gc7QUG0_b4E/SXTZ_HWBGpI/AAAAAAAAAAc/6Y6YryPgFTk/s1600-h/screenshot03.png"&gt;&lt;img style="cursor: pointer; width: 320px; height: 192px;" src="http://4.bp.blogspot.com/_Gc7QUG0_b4E/SXTZ_HWBGpI/AAAAAAAAAAc/6Y6YryPgFTk/s320/screenshot03.png" alt="" id="BLOGGER_PHOTO_ID_5293095140393556626" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Last but not least, I actually got some results from the scan. The Linux box had a vulnerable BIND service listening, which Nessus correctly identified. As can be seen from the screenshot, the report is actually quite readable:&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_Gc7QUG0_b4E/SXTaifocM3I/AAAAAAAAAAk/23x_W-jB8gQ/s1600-h/screenshot04.png"&gt;&lt;img style="cursor: pointer; width: 320px; height: 192px;" src="http://4.bp.blogspot.com/_Gc7QUG0_b4E/SXTaifocM3I/AAAAAAAAAAk/23x_W-jB8gQ/s320/screenshot04.png" alt="" id="BLOGGER_PHOTO_ID_5293095748208702322" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;What bugs me though is that it didn't show any progress at the port scan level, so I actually have to do some sniffing to verify whether it scans the default service ports or not. Also, there were only a few scan options; maybe it is because of the GUI, or it requires nmap.&lt;br /&gt;&lt;br /&gt;Anyway, I'm glad I continued the project, which was basically just compiling it for the proper platform and fine-tuning what it eats. Having a simple and small vulnerability scanner which fits in your pocket sounds fun.&lt;br /&gt;&lt;br /&gt;The next N810 project I should continue working on is packet injection with a USB WLAN adapter, which requires some electronics work. Too bad I'm too lazy to go to a hardware shop. As a side effect of that project I think checking out a USB ethernet adapter can be worthwhile too. 
Then the device wouldn't be restricted to WLAN.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/Pc4lXZ6T2QY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/5592085254448803296/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=5592085254448803296" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/5592085254448803296?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/5592085254448803296?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/Pc4lXZ6T2QY/nessus-on-n810.html" title="Nessus on N810" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_Gc7QUG0_b4E/SXTYuF7iWtI/AAAAAAAAAAM/yNAd4dRH2qE/s72-c/screenshot01.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/01/nessus-on-n810.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUYMSHo5cSp7ImA9WxVREkU.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-5508214203440685755</id><published>2009-01-18T15:59:00.000+02:00</published><updated>2009-01-18T15:59:49.429+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-01-18T15:59:49.429+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="contribution" /><category scheme="http://www.blogger.com/atom/ns#" term="spam" /><category scheme="http://www.blogger.com/atom/ns#" term="webapp" 
/><title>Some security predictions</title><content type="html">You all have probably seen and read a lot of different security predictions for the year 2009. I think there is nothing wrong with such lists; some predictions seem pretty self-evident and some contain vendor buzz. Do you have one or two predictions you have a strong feeling about, that you think will happen this year? Feel free to share in the blog comments!&lt;br /&gt;&lt;br /&gt;Considering spam and botnets, I think there will be more research put into analyzing botnets and more pressure on badly behaving ISPs, like in the McColo case. ISPs will be forced to react to the problem in some way, but this eventually leads to more advanced botnets that are harder to figure out.&lt;br /&gt;&lt;br /&gt;Personally I think ISPs should be required to install spam filtering technology on their mail gateways (inbound and outbound) and offer it for free to their customers; also, email clients should come bundled with spam filtering software.&lt;br /&gt;&lt;br /&gt;My second thought is that there will be more focus on a whitelisting approach and also on extensive input validation "modules" built for the most common web development languages (ASP, JSP, PHP, etc.), which are easy to implement and modify based on your needs. The functions would be easy to include in your existing applications, and as long as you religiously use the functions properly before doing something with the input, they will make your site more resilient against technical vulnerabilities.&lt;br /&gt;&lt;br /&gt;Personally I think this kind of common "module" should be available for developers to use. Even with such modules, it wouldn't remove everything, and business logic flaws can still exist. It would however be a step in the right direction, instead of everyone building their own validation routines (i.e. re-inventing the wheel). 
Maybe such modules already exist and this is old stuff, but just a thought that it should become mainstream practice.&lt;br /&gt;&lt;br /&gt;Now, please tell me some of your suggestions :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6925510192418934504-5508214203440685755?l=blog.liquidinfo.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=phGDHNCl"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?d=41" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=R7eXxF8s"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?i=R7eXxF8s" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=pafH9yS6"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?d=43" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=VdVYBSs3"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?i=VdVYBSs3" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=uXOLNdfd"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?i=uXOLNdfd" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=VvDU4580"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?d=52" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/BMInigf_WcY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/5508214203440685755/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=5508214203440685755" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/5508214203440685755?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/5508214203440685755?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/BMInigf_WcY/some-security-predictions.html" title="Some security predictions" /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/01/some-security-predictions.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DE4DRn87eip7ImA9WxVTGEw.&quot;"><id>tag:blogger.com,1999:blog-6925510192418934504.post-2435432251289509890</id><published>2009-01-01T15:10:00.005+02:00</published><updated>2009-01-01T15:36:17.102+02:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-01-01T15:36:17.102+02:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="stuff" /><title>A question for you...</title><content type="html">Happy New Year to all my readers! Hopefully you survived all the drinks, food and fireworks and feel happy for getting to live through another interesting year. 
Now I would like to ask you, my dear reader, what you think of the following:&lt;br /&gt;&lt;br /&gt;I have been working with security for around 7-8 years now, depending on where you begin counting. During this time I have done a lot of technical security audits and web application audits for around five years, worked on host hardening related matters, vulnerability management and other things. Currently I am a technical lead for the global Incident Response function of the company.&lt;br /&gt;&lt;br /&gt;What kind of skillset do you think all this needs? Here are some:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Understanding of network topology, firewalls and networking in general&lt;/li&gt;&lt;li&gt;Understanding of how an operating system works&lt;/li&gt;&lt;li&gt;Understanding of services, protocols, how they interact, etc.&lt;/li&gt;&lt;li&gt;Understanding of different web application platforms&lt;/li&gt;&lt;li&gt;Understanding of vulnerabilities and design flaws&lt;/li&gt;&lt;li&gt;Understanding of logs and other information sources&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Understanding of incident response processes&lt;/li&gt;&lt;li&gt;Understanding of how to do forensics&lt;/li&gt;&lt;li&gt;Understanding of security policies, organizations and how to interact with people&lt;/li&gt;&lt;li&gt;The need to be interested in and follow what is going on out there&lt;/li&gt;&lt;li&gt;etc...&lt;/li&gt;&lt;/ul&gt;I believe you pretty much need to be an all-around guy to be able to do this kind of security work, like giving consultation when needed, knowing what to do to fix a found problem and so on. Sure, you can specialize in a certain area and be very, very good at it, but having an adequate to strong understanding/know-how of many of those bullets is not bad either.&lt;br /&gt;&lt;br /&gt;As you might have noticed, my latest blog posts have been a bit weird and not like my usual rants. As usual, the problem is about what you get paid for the work you do. 
What you get paid usually indicates how much a company values your work and how well it is in line with what you generally get paid for such work.&lt;br /&gt;&lt;br /&gt;Would you feel valued and happy about it if you received the same salary as a person who has local, small responsibilities, when your responsibilities are global and you need to have a lot broader knowledge of things? Sure, I enjoy my work most of the time, but I still expect to get rightfully paid for it, like most of us probably do. Most of us do not want to sell ourselves cheap. I have been told I'm grossly underpaid for what I do, and I have known that for a long time.&lt;br /&gt;&lt;br /&gt;Maybe I'm just plain stupid for having been in this situation for so many years, but I have hoped for it to get better. What would you, dear reader, do in such a situation?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6925510192418934504-2435432251289509890?l=blog.liquidinfo.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=vwdgYEju"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?d=41" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=LTQ6xCrC"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?i=LTQ6xCrC" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=ODlhvafO"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?d=43" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=nMnw4fEP"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?i=nMnw4fEP" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=rN6zb275"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?i=rN6zb275" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~f/LiquidInformation?a=luFcb6yM"&gt;&lt;img src="http://feeds.feedburner.com/~f/LiquidInformation?d=52" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/LiquidInformation/~4/p9kkbmRzG9Q" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.liquidinfo.net/feeds/2435432251289509890/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6925510192418934504&amp;postID=2435432251289509890" title="4 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/2435432251289509890?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6925510192418934504/posts/default/2435432251289509890?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/LiquidInformation/~3/p9kkbmRzG9Q/question-for-you.html" title="A question for you..." /><author><name>Marko Ruotsalainen</name><uri>http://www.blogger.com/profile/05102908945941838916</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13735986672480809721" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">4</thr:total><feedburner:origLink>http://blog.liquidinfo.net/2009/01/question-for-you.html</feedburner:origLink></entry></feed>
