<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:yt="http://gdata.youtube.com/schemas/2007" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
   <channel>
      <title>NovaInfosec.com Blog</title>
      <description>Pipes Output</description>
      <link>http://pipes.yahoo.com/pipes/pipe.info?_id=5d3e5f46c235221da42ab08d7b2c22f8</link>
      <atom:link rel="next" href="http://pipes.yahoo.com/pipes/pipe.run?_id=5d3e5f46c235221da42ab08d7b2c22f8&amp;_render=rss&amp;page=2" />
      <pubDate>Sun, 26 May 2013 04:14:40 +0000</pubDate>
      <generator>http://pipes.yahoo.com/pipes/</generator>
      <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/novainfosecportalblog" /><feedburner:info uri="novainfosecportalblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>novainfosecportalblog</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
         <title>Weekly Rewind – NIST, Penetration Testing, NovaHackers &amp; More…</title>
         <link>http://feedproxy.google.com/~r/novainfosecportalblog/~3/ekQVdbDUvJc/</link>
<description>Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “NovaHackers May Meeting Videos Posted”, 2) “20% Discount on Level 1 Penetration Testing Class”, and 1) “NIST Releases Analysis of Cybersecurity Framework RFI Responses”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference. A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered. 20% Discount on Level 1 Penetration Testing Class: After the success of last month’s discount program, Bulb Security has once again decided to extend a deal to NoVA Infosec readers for one of their upcoming classes in June. This time it will be for a $100 Penetration Testing Level 1 class (a.k.a., Penetration Testing with Metasploit), which is probably much more accessible than the previous month’s “Intro to Exploit Development” topic. (continued here) NIST Releases Analysis of Cybersecurity Framework RFI Responses: Earlier today NIST released a document covering their initial analysis of the hundreds of comments provided by industry as part of the RFI for the development of a critical [...]</description>
         <guid isPermaLink="false">https://www.novainfosec.com/?p=25705</guid>
         <pubDate>Fri, 24 May 2013 03:46:39 +0000</pubDate>
<content:encoded><![CDATA[<div id="attachment_25706" class="wp-caption alignright" style="width:130px;"><a rel="nofollow" target="_blank" href="https://www.novainfosec.com/2013/05/23/weekly-rewind-nist-penetration-testing-novahackers-more/button-rewind-icon-48/"><img class=" wp-image-25706 " title="Button-Rewind-icon" src="https://www.novainfosec.com/wp-content/uploads/2013/05/Button-Rewind-icon2-150x150.png" alt="" width="120" height="120"/></a><p class="wp-caption-text">Get caught up on this week&#8217;s posts with Weekly Rewind.</p></div>
<p>Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “NovaHackers May Meeting Videos Posted”, 2) “20% Discount on Level 1 Penetration Testing Class”, and 1) “NIST Releases Analysis of Cybersecurity Framework RFI Responses”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference.</p>
<p>A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered.</p>
<p><strong>20% Discount on Level 1 Penetration Testing Class:</strong> After the success of <a rel="nofollow" target="_blank" href="https://www.novainfosec.com/2013/04/16/25-discount-for-intro-to-exploit-development-class/">last month’s discount program</a>, Bulb Security has once again decided to extend a deal to NoVA Infosec readers for one of their upcoming classes in June. This time it will be for a $100 Penetration Testing Level 1 class (a.k.a., Penetration Testing with Metasploit), which is probably much more accessible than the previous month’s “Intro to Exploit Development” topic. (<a rel="nofollow" target="_blank" href="https://www.novainfosec.com/2013/05/16/20-discount-on-level-1-penetration-testing-class/">continued here</a>)</p>
<p><strong>NIST Releases Analysis of Cybersecurity Framework RFI Responses: </strong>Earlier today NIST released a document covering their initial analysis of the <a rel="nofollow" target="_blank" href="https://www.novainfosec.com/2013/04/12/nist-publishes-cybersecurity-framework-rfi-comments/">hundreds of comments</a> provided by industry as part of the RFI for the development of a critical infrastructure cybersecurity framework. The 33-page document starts out by introducing some of the overall categories and themes and culminates in Figure 1 to the right. This chart provides a map for the remainder of the document with each of the subsequent sections detailing a theme in terms of key phrases, statistics, example responses, and questions.  How do you feel about NIST’s initial analysis? Let us know in the comments below. (<a rel="nofollow" target="_blank" href="https://www.novainfosec.com/2013/05/16/nist-releases-analysis-of-cybersecurity-framework-rfi-responses/">continued here</a>)</p>
<p><strong>NovaHackers May Meeting Videos Posted:</strong> If you weren’t able to attend last week’s NovaHackers meetup, five of the presenters opted in to being recorded. Brett Thorson, of the Compute Cycle podcast, recorded and recently posted them. We weren’t able to attend but we heard it was a great time as usual. Did you attend May’s NovaHackers meeting and have any thoughts on any of the talks? Let us know in the comments below. (<a rel="nofollow" target="_blank" href="https://www.novainfosec.com/2013/05/19/novahackers-may-meeting-videos-posted/">continued here</a>)</p>
<p><strong>Skype and the End to P2P Architecture &amp; Privacy:</strong> I’ve been thinking about the recent discovery by H-Online.com of Microsoft visiting URLs used in the Skype chat window. Yeah, they may be scanning it for spam and such but in reality what we are really experiencing is the loss of the basic foundation on top of which Skype was built … encrypted peer-to-peer communications. Anyone know of a Skype-type application that still supports true peer-to-peer secured conversations? Obviously, open source is preferred… Let us know in the comments below. (<a rel="nofollow" target="_blank" href="https://www.novainfosec.com/2013/05/21/skype-and-the-end-to-p2p-architecture-privacy/">continued here</a>)</p>
<p><strong>Amazon AWS Becomes FedRAMPable:</strong> Yesterday, we picked up on a bit of big news … Amazon and their AWS service officially received the stamp of approval in meeting FedRAMP in coordination with the US Department of Health and Human Services (HHS). It’s been three years in the making since the government announced FedRAMP and now Amazon joins the elite with only two other approved cloud offerings that include CGI Federal and Autonomic Resources. Will FedRAMPing systems into the cloud really make authorization easier and more secure? Let us know in the comments below. (<a rel="nofollow" target="_blank" href="https://www.novainfosec.com/2013/05/22/amazon-aws-becomes-fedrampable/">continued here</a>)</p>
<p><strong>Twitter Adds Two-Factor Authentication but Still No Silver Bullet:</strong> Twitter has always had a special place in my heart and as a security professional I was pretty happy to learn that they finally implemented two-factor authentication earlier today. The second factor is a six-digit code sent to your registered phone over SMS. In their blog post announcing the new feature, Twitter mentioned the following four simple steps in getting two-factor authentication set up. (<a rel="nofollow" target="_blank" href="https://www.novainfosec.com/2013/05/22/twitter-adds-two-factor-authentication-but-still-no-silver-bullet/">continued here</a>)</p>
<p style="text-align:center;">#####</p>
<p style="text-align:center;"><em>Hope everyone had a wonderful week. Have a great weekend!</em></p>]]></content:encoded>
      <feedburner:origLink>https://www.novainfosec.com/2013/05/23/weekly-rewind-nist-penetration-testing-novahackers-more/</feedburner:origLink></item>
      <item>
         <title>Twitter Adds Two-Factor Authentication but Still No Silver Bullet</title>
         <link>http://feedproxy.google.com/~r/novainfosecportalblog/~3/3DezRxtxNaI/</link>
<description>Twitter has always had a special place in my heart and as a security professional I was pretty happy to learn that they finally implemented two-factor authentication earlier today. The second factor is a six-digit code sent to your registered phone over SMS. In their blog post announcing the new feature, Twitter mentioned the following four simple steps in getting two-factor authentication set up. Visit your account settings page. Select “Require a verification code when I sign in.” Click on the link to “add a phone” and follow the prompts. After you enroll in login verification, you’ll be asked to enter a six-digit code that we send to your phone via SMS each time you sign in to twitter.com. Sounds simple enough &amp;#8230; but is two-factor authentication the silver bullet to Twitter&amp;#8217;s account hijacking woes? As is usual in infosec &amp;#8230; the answer is &amp;#8220;it depends.&amp;#8221; Two-factor authentication will definitely stop attackers from guessing easy passwords or reusing compromised credentials from other breaches; however, it probably won&amp;#8217;t do too much to stop take-overs from compromised computers. And of course real-time man-in-the-middle attacks are still possible through phishing, fake websites, or other social engineering-based attacks. Still, this implementation is a huge [...]</description>
         <guid isPermaLink="false">https://www.novainfosec.com/?p=25688</guid>
         <pubDate>Thu, 23 May 2013 01:00:45 +0000</pubDate>
<content:encoded><![CDATA[<p><a rel="nofollow" target="_blank" href="https://www.novainfosec.com/wp-content/uploads/2013/05/twittersignin-e1369270209953.jpg"><img class="alignright size-full wp-image-25695" title="Twitter Signin" src="https://www.novainfosec.com/wp-content/uploads/2013/05/twittersignin-e1369270209953.jpg" alt="" width="300" height="168"/></a>Twitter has always had a special place in my heart and as a security professional I was pretty happy to learn that they finally implemented two-factor authentication earlier today. The second factor is a six-digit code sent to your registered phone over SMS. 
In their <a rel="nofollow" target="_blank" href="https://blog.twitter.com/2013/getting-started-login-verification">blog post</a> announcing the new feature, Twitter mentioned the following four simple steps in getting two-factor authentication set up.</p>
<ul>
<li>Visit your account settings page.</li>
<li>Select “Require a verification code when I sign in.”</li>
<li>Click on the link to “add a phone” and follow the prompts.</li>
<li>After you enroll in login verification, you’ll be asked to enter a six-digit code that we send to your phone via SMS each time you sign in to twitter.com.</li>
</ul>
<p>Sounds simple enough &#8230; but is two-factor authentication the silver bullet to Twitter&#8217;s account hijacking woes? As is usual in infosec &#8230; the answer is &#8220;it depends.&#8221; Two-factor authentication will definitely stop attackers from guessing easy passwords or reusing compromised credentials from other breaches; however, it probably won&#8217;t do too much to stop take-overs from compromised computers. And of course real-time man-in-the-middle attacks are still possible through phishing, fake websites, or other social engineering-based attacks.</p>
<p>Still, this implementation is a huge step in the right direction that significantly raises the bar for attackers. About the only thing I&#8217;d like to see is for their next release to be compliant with <a rel="nofollow" target="_blank" href="https://tools.ietf.org/html/rfc6238">RFC 6238 &#8211; TOTP: Time-Based One-Time Password Algorithm</a>, which seems to have the momentum with backing from Google, Facebook, Microsoft, Dropbox, and others. ArsTechnica <a rel="nofollow" target="_blank" href="http://arstechnica.com/security/2013/05/twitter-launches-two-factor-authentication-too-late-to-save-the-onion/">also notes</a> some additional limitations (e.g., required for every login, one-to-one account to phone relationships, and temporary passwords for third-party apps) that are hopefully candidates for their next release as well.</p>
<p>For those that want a quick introduction, here&#8217;s a quick one-minute video Twitter put out with their announcement.</p>
<p style="text-align:center;">#####</p>
<p style="text-align:center;"><em>Today&#8217;s post pic is from <a rel="nofollow" target="_blank" href="http://readwrite.com/2013/05/22/twitter-finally-gets-two-factor-authentication">ReadWrite.com</a>. See ya!</em></p>]]></content:encoded>
      <feedburner:origLink>https://www.novainfosec.com/2013/05/22/twitter-adds-two-factor-authentication-but-still-no-silver-bullet/</feedburner:origLink></item>
      <item>
         <title>Amazon AWS Becomes FedRAMPable</title>
         <link>http://feedproxy.google.com/~r/novainfosecportalblog/~3/Fz4FNwAz5yw/</link>
<description>Yesterday, we picked up on a bit of big news &amp;#8230; Amazon and their AWS service officially received the stamp of approval in meeting FedRAMP in coordination with the US Department of Health and Human Services (HHS). It&amp;#8217;s been three years in the making since the government announced FedRAMP and now Amazon joins the elite with only two other approved cloud offerings that include CGI Federal and Autonomic Resources. The covered regions include Amazon Web Service (AWS) US East/West as well as their GovCloud (US) offering and can include systems at both the low and moderate risk impact levels evaluated per NIST 800-53 Rev. 3 – moderate baseline requirements, plus additional FedRAMP security controls. Now don&amp;#8217;t get too excited here &amp;#8230; this isn&amp;#8217;t as simple as throwing your systems into Amazon AWS and receiving an Authority to Operate (ATO). FedRAMP simply covers the &amp;#8220;infrastructure&amp;#8221; pieces of the vast FISMA puzzle. So although Amazon simplifies the approval process by covering a large swath of required controls, users must still closely develop and operate their systems keeping a large group of controls in mind. For those interested in leveraging Amazon&amp;#8217;s AWS HHS ATO packages, simply complete this form and email it to [...]</description>
         <guid isPermaLink="false">https://www.novainfosec.com/?p=25681</guid>
         <pubDate>Wed, 22 May 2013 13:15:49 +0000</pubDate>
<content:encoded><![CDATA[<p><a rel="nofollow" target="_blank" href="https://www.novainfosec.com/wp-content/uploads/2013/05/fedrampok-e1369228624898.png"><img class="alignright size-full wp-image-25684" title="FedRAMP OK" src="https://www.novainfosec.com/wp-content/uploads/2013/05/fedrampok-e1369228624898.png" alt="" width="300" height="145"/></a>Yesterday, we picked up on a bit of big news &#8230; Amazon and their AWS service officially received the stamp of approval in meeting FedRAMP in coordination with the US Department of Health and Human Services (HHS). It&#8217;s been three years in the making since the government announced FedRAMP and now Amazon joins the elite with only two other approved cloud offerings that include CGI Federal and Autonomic Resources.</p>
<p>The covered regions include Amazon Web Service (AWS) US East/West as well as their GovCloud (US) offering and can include systems at both the low and moderate risk impact levels evaluated per NIST 800-53 Rev. 3 – moderate baseline requirements, plus additional FedRAMP security controls.</p>
<p>Now don&#8217;t get too excited here &#8230; this isn&#8217;t as simple as throwing your systems into Amazon AWS and receiving an Authority to Operate (ATO). FedRAMP simply covers the &#8220;infrastructure&#8221; pieces of the vast FISMA puzzle. So although Amazon simplifies the approval process by covering a large swath of required controls, users must still closely develop and operate their systems keeping a large group of controls in mind.</p>
<p>For those interested in leveraging Amazon&#8217;s AWS HHS ATO packages, simply complete <a rel="nofollow" target="_blank" href="http://www.gsa.gov/portal/getMediaData?mediaId=165395">this form</a> and email it to <a rel="nofollow" target="_blank" href="mailto:info@FedRAMP.gov">info@FedRAMP.gov</a> with the message subject &#8220;Leverage Authorization.&#8221; Additional information on Amazon&#8217;s FedRAMP approval can be found in their <a rel="nofollow" target="_blank" href="https://aws.amazon.com/about-aws/whats-new/2013/05/20/aws-achieves-fedramp-compliance/">press release</a> as well as their very informative <a rel="nofollow" target="_blank" href="https://aws.amazon.com/compliance/fedramp-faqs/">FAQ</a>.</p>
<p style="text-align:center;">#####</p>
<p style="text-align:center;"><em>Will FedRAMPing systems into the cloud really make authorization easier and more secure? Let us know in the comments below. Today&#8217;s post pic is from <a rel="nofollow" target="_blank" href="http://gcn.com/articles/2013/05/21/amazon-gets-fedramp-ok.aspx">GCN.com</a>. See ya!</em></p>]]></content:encoded>
      <feedburner:origLink>https://www.novainfosec.com/2013/05/22/amazon-aws-becomes-fedrampable/</feedburner:origLink></item>
      <item>
         <title>Skype and the End to P2P Architecture &amp; Privacy</title>
         <link>http://feedproxy.google.com/~r/novainfosecportalblog/~3/CQMAan0m7QM/</link>
<description>I&amp;#8217;ve been thinking about the recent discovery by H-Online.com of Microsoft visiting URLs used in the Skype chat window. Yeah, they may be scanning it for spam and such but in reality what we are really experiencing is the loss of the basic foundation on top of which Skype was built &amp;#8230; encrypted peer-to-peer communications. At least now we see the reason Microsoft migrated away from the random supernode architecture into one with a limited number of core nodes controlled by Redmond themselves. Supposedly, the reason was for even better voice quality and performance but in reality it was more likely the deliberate weakening of the core Skype architecture to more easily conform to government and law enforcement requests. Now I&amp;#8217;m all for law enforcement getting the information they need to fight the bad guys; however, the effects of such a technology migration may actually hurt more when considering the bigger picture. Three areas of concern include government and law enforcement abuse, US company growth limitations, and embedded malicious actors. Government &amp;#38; Law Enforcement Abuse: Beyond just government, law enforcement in general and Microsoft themselves could use this data in illegal or unethical ways. Hopefully, the courts will mitigate this [...]</description>
         <guid isPermaLink="false">https://www.novainfosec.com/?p=25664</guid>
         <pubDate>Wed, 22 May 2013 03:00:03 +0000</pubDate>
<content:encoded><![CDATA[<p><a rel="nofollow" target="_blank" href="https://www.novainfosec.com/wp-content/uploads/2013/05/SkypeSoft-e1369195046203.jpg"><img class="alignright  wp-image-25674" title="Skype" src="https://www.novainfosec.com/wp-content/uploads/2013/05/SkypeSoft-e1369195046203.jpg" alt="" width="240" height="144"/></a>I&#8217;ve been thinking about the <a rel="nofollow" target="_blank" href="http://www.h-online.com/security/features/Skype-s-ominous-link-checking-facts-and-speculation-1865629.html">recent discovery by H-Online.com</a> of Microsoft visiting URLs used in the Skype chat window. 
Yeah, they may be scanning it for spam and such but in reality what we are really experiencing is the loss of the basic foundation on top of which Skype was built &#8230; encrypted peer-to-peer communications.</p>
<p>At least now we see the reason Microsoft migrated away from the random supernode architecture into one with a limited number of core nodes controlled by Redmond themselves. Supposedly, the reason was for even better voice quality and performance but in reality it was more likely the deliberate weakening of the core Skype architecture to more easily conform to government and law enforcement requests.</p>
<p>Now I&#8217;m all for law enforcement getting the information they need to fight the bad guys; however, the effects of such a technology migration may actually hurt more when considering the bigger picture. Three areas of concern include government and law enforcement abuse, US company growth limitations, and embedded malicious actors.</p>
<p><strong>Government &amp; Law Enforcement Abuse:</strong> Beyond just government, law enforcement in general and Microsoft themselves could use this data in illegal or unethical ways. Hopefully, the courts will mitigate this issue but with the infamous <a rel="nofollow">National Security Letters</a> (NSL) becoming more and more common, who knows what kind of checks and balances the courts truly offer.</p>
<p><strong>US Company Growth Limitations:</strong> Next is the potential for such government access to stunt the international growth of US companies. This situation with Microsoft is just one example of how foreign companies and organizations sensitive to security and privacy could shy away from using US-based technology providers where our government could snoop on their discussions.</p>
<p><strong>Embedded Malicious Actor:</strong> The key consideration here is that if Microsoft has access to these communications, there is the potential that malicious hackers already embedded within their corporate network also have access to this same information. As we&#8217;ve seen with the recent hacks of the <a rel="nofollow">Department of Labor</a>, <a rel="nofollow">QinetiQ</a>, and <a rel="nofollow">WTOP</a>, Microsoft is surely not immune to such a compromise.</p>
<p style="text-align:center;">#####</p>
<p style="text-align:center;"><em>Anyone know of a Skype-type application that still supports true peer-to-peer secured conversations? Obviously, open source is preferred&#8230; Let us know in the comments below. Today&#8217;s post pic is from <a rel="nofollow" target="_blank" href="http://www.onsip.com/blog/2012/02/22/cisco-appeals-microsoft-s-skype-take-over-is-this-really-necessary">OnSIP.com</a>. See ya!</em></p>]]></content:encoded>
      <feedburner:origLink>https://www.novainfosec.com/2013/05/21/skype-and-the-end-to-p2p-architecture-privacy/</feedburner:origLink></item>
      <item>
         <title>Where You Want to Be This Week for 5-20-2013</title>
         <link>http://feedproxy.google.com/~r/novainfosecportalblog/~3/2pYHTJ4CAUA/</link>
<description>Where do you want to be this week? Now you&amp;#8217;ll always know with our &amp;#8220;Where You Want to Be This Week&amp;#8221; feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, let us know through our Submit Event form or mention it to @grecs on Twitter. Another week of a couple of meetups to look forward to during the week. Start your week with either the ISACA NCA meetup or ISSA DC meetup and end it at the OWASP NoVA meetup and, as always, if you are still looking for more to do, be sure to check out @grecs&amp;#8217; weekend best bets later in the week as we might have something else you’d be interested in. With that said, here are your meetups for this week as well as a preview for next week. This Week Tuesday (5/21) ISACA NCA Meetup - “Annual Meeting of the Chapter Membership” at Holiday Inn &amp;#8211; Rosslyn at Key Bridge from 7:30 AM to 5:20 PM (more info) ISSA DC Meetup - “Continuous Monitoring for Large Scale Enterprises” by Ron Gula at Center for American Progress from 6:30 to 8:00 PM (more info) [...]</description>
         <guid isPermaLink="false">https://www.novainfosec.com/?p=25660</guid>
         <pubDate>Mon, 20 May 2013 13:56:55 +0000</pubDate>
<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-5356" title="Meetup" src="https://www.novainfosec.com/wp-content/uploads/2011/05/meetup-logo-300x220.jpg" alt="Picture of Meetup Tag" width="180" height="132"/>Where do you want to be this week? Now you&#8217;ll always know with our &#8220;Where You Want to Be This Week&#8221; feature, which will tell you about infosec meetups happening in <span style="font-style:italic;">your</span> local area as of Sunday night. If you would like your event listed in our <a rel="nofollow">Calendar</a> and in this post, let us know through our <a rel="nofollow">Submit Event</a> form or mention it to @<a rel="nofollow" target="_blank" href="http://twitter.com/grecs">grecs</a> on Twitter.</p>
<p>Another week with a couple of meetups to look forward to. Start your week with either the ISACA NCA meetup or the ISSA DC meetup and end it at the OWASP NoVA meetup. As always, if you are still looking for more to do, be sure to check out @<a rel="nofollow" target="_blank" href="http://twitter.com/grecs">grecs</a>&#8217; weekend best bets later in the week, as we might have something else you’d be interested in. With that said, here are your meetups for this week as well as a preview for next week.</p>
<h2>This Week</h2>
<p><strong>Tuesday (5/21)</strong></p>
<ul>
<li><a rel="nofollow">ISACA NCA Meetup</a> - “Annual Meeting of the Chapter Membership” at Holiday Inn &#8211; Rosslyn at Key Bridge from 7:30 AM to 5:20 PM (<a rel="nofollow">more info</a>)</li>
<li><a rel="nofollow">ISSA DC Meetup</a> - “Continuous Monitoring for Large Scale Enterprises” by Ron Gula at Center for American Progress from 6:30 to 8:00 PM (<a rel="nofollow">more info</a>)</li>
</ul>
<p><strong>Wednesday (5/22)</strong></p>
<ul>
<li><a rel="nofollow">OWASP NoVA Meetup</a> - “Top Ten Web Defenses” by Jim Manico at Living Social &#8211; Reston from 6:30 to 8:30 PM (<a rel="nofollow">more info</a>)</li>
</ul>
<h2>Next Week</h2>
<p>And for those who would like to plan ahead, here is a preview of events on our <a rel="nofollow">calendar</a> for next week.</p>
<ul>
<li>Thursday: CharmSec Meetup</li>
</ul>
<p>Remember that <a rel="nofollow">Baltimore Node</a>, <a rel="nofollow">HacDC</a>, <a rel="nofollow">Nova Labs</a>, <a rel="nofollow">Reverse Space</a>, and <a rel="nofollow">Unallocated Space</a> are four local hacker spaces that also hold several standard activities each week &#8230; so check them out for more fun stuff to do. And be sure to subscribe to our <a rel="nofollow" target="_blank" href="http://feeds.feedburner.com/novainfosecportalblog">RSS feed</a> or follow us on Twitter at @<a rel="nofollow" target="_blank" href="http://twitter.com/novainfosec">novainfosec</a> and @<a rel="nofollow" target="_blank" href="http://twitter.com/grecs">grecs</a> to be alerted about any last-minute events or to receive updates on the meetups listed above. Finally, check out our <a rel="nofollow">Calendar</a> for a complete list of infosec events in and around NoVA, DC, and MD.</p>]]></content:encoded>
      <feedburner:origLink>https://www.novainfosec.com/2013/05/20/where-you-want-to-be-this-week-for-5-20-2013/</feedburner:origLink></item>
      <item>
         <title>NovaHackers May Meeting Videos Posted</title>
         <link>http://feedproxy.google.com/~r/novainfosecportalblog/~3/zftiTSo_fks/</link>
         <description>If you weren’t able to attend last week’s NovaHackers meetup, five of the presenters opted in to being recorded. Brett Thorson, of the Compute Cycle podcast, recorded and recently posted them. We weren’t able to attend but we heard it was a great time as usual. Of the five presentations, the one that caught my attention the most was John Lankau’s 40-minute introduction to EnCase. This topic seems like a natural extension of where I’ll be heading next in my quest to master malware analysis. Also, Chris Kuehl’s 18-minute coverage on defensive CTF scripts seemed refreshing given that most people like to cover the offensive side of the house instead. I’ve embedded the EnCase and defensive CTF scripts videos below, but be sure to see Brett’s post for the other three, titled “IP Unreachables,” “Residential Home Ownership,” and “Hack Your Body.” ##### Did you attend May’s NovaHackers meeting and have any thoughts on any of the talks? Let us know in the comments below. Today’s post pic is from Twitter.com. See ya!</description>
         <guid isPermaLink="false">http://www.novainfosec.com/?p=24793</guid>
         <pubDate>Mon, 20 May 2013 02:00:43 +0000</pubDate>
         <content:encoded><![CDATA[<p><a rel="nofollow" target="_blank" href="https://www.novainfosec.com/wp-content/uploads/2012/12/novahlogo.png"><img class="alignright size-full wp-image-22039" title="NoVA Hackers Association" src="https://www.novainfosec.com/wp-content/uploads/2012/12/novahlogo.png" alt="" width="153" height="157"/></a>If you weren’t able to attend last week’s <a rel="nofollow">NovaHackers meetup</a>, five of the presenters opted in to being recorded. Brett Thorson, of the <a rel="nofollow" target="_blank" href="http://www.excivity.com/ComputeCycle/">Compute Cycle podcast</a>, recorded and recently posted them. We weren&#8217;t able to attend but we heard it was a great time as usual.</p>
<p>Of the five presentations, the one that caught my attention the most was John Lankau&#8217;s 40-minute introduction to EnCase. This topic seems like a natural extension of where I&#8217;ll be heading next in my quest to master malware analysis. Also, Chris Kuehl&#8217;s 18-minute coverage on defensive CTF scripts seemed refreshing given that most people like to cover the offensive side of the house instead.</p>
<p>I&#8217;ve embedded the EnCase and defensive CTF scripts videos below, but be sure to see <a rel="nofollow" target="_blank" href="http://www.excivity.com/ComputeCycle/20130513-nova-hackers-meeting-videos/">Brett&#8217;s post</a> for the other three, titled &#8220;IP Unreachables,&#8221; &#8220;Residential Home Ownership,&#8221; and &#8220;Hack Your Body.&#8221;</p>
<p style="text-align:center;">#####</p>
<p style="text-align:center;"><em>Did you attend May&#8217;s NovaHackers meeting and have any thoughts on any of the talks? Let us know in the comments below. Today&#8217;s post pic is from <a rel="nofollow" target="_blank" href="https://twitter.com/novahackers">Twitter.com</a>. See ya!</em></p>]]></content:encoded>
      <feedburner:origLink>https://www.novainfosec.com/2013/05/19/novahackers-may-meeting-videos-posted/</feedburner:origLink></item>
      <item>
         <title>NIST Releases Analysis of Cybersecurity Framework RFI Responses</title>
         <link>http://feedproxy.google.com/~r/novainfosecportalblog/~3/d9ZQfLVPWcw/</link>
         <description>Earlier today NIST released a document covering their initial analysis of the hundreds of comments provided by industry as part of the RFI for the development of a critical infrastructure cybersecurity framework. The 33-page document starts out by introducing some of the overall categories and themes and culminates in Figure 1 to the right. This chart provides a map for the remainder of the document with each of the subsequent sections detailing a theme in terms of key phrases, statistics, example responses, and questions. via NIST.gov The National Institute of Standards and Technology (NIST) has posted an initial analysis of hundreds of comments submitted by industry and the public related to the President’s “Improving Critical Infrastructure Cybersecurity” Executive Order, issued Feb. 12, 2013. NIST is making this initial analysis available as a status update and to help provide background for a workshop later this month to discuss the cybersecurity framework. The Executive Order calls for NIST to work with industry to develop a voluntary framework to reduce cybersecurity risks to the nation’s critical infrastructure, which includes power, water, communication and other critical systems. The first step toward drafting the framework was soliciting information on current risk management policies, existing standards [...]</description>
         <guid isPermaLink="false">https://www.novainfosec.com/?p=25635</guid>
         <pubDate>Fri, 17 May 2013 00:15:45 +0000</pubDate>
         <content:encoded><![CDATA[<div id="attachment_25637" class="wp-caption alignright" style="width:220px;"><a rel="nofollow" target="_blank" href="https://www.novainfosec.com/wp-content/uploads/2013/05/nistcirfisummary.gif"><img class=" wp-image-25637" title="NIST Critical Infrastructure RFI Summary" src="https://www.novainfosec.com/wp-content/uploads/2013/05/nistcirfisummary-300x283.gif" alt="" width="210" height="198"/></a><p class="wp-caption-text">NIST provided this convenient chart that summarizes their overall findings. Click to view a larger version.</p></div>
<p>Earlier today NIST released a document covering their initial analysis of the <a rel="nofollow">hundreds of comments</a> provided by industry as part of the RFI for the development of a critical infrastructure cybersecurity framework. The 33-page document starts out by introducing some of the overall categories and themes and culminates in Figure 1 to the right. This chart provides a map for the remainder of the document with each of the subsequent sections detailing a theme in terms of key phrases, statistics, example responses, and questions.</p>
<p>via NIST.gov</p>
<blockquote><p>The National Institute of Standards and Technology (NIST) has posted an initial <a rel="nofollow" target="_blank" href="http://csrc.nist.gov/cyberframework/nist-initial-analysis-of-rfi-responses.pdf">analysis</a> of hundreds of comments submitted by industry and the public related to the President&#8217;s &#8220;Improving Critical Infrastructure Cybersecurity&#8221; Executive Order, issued Feb. 12, 2013. NIST is making this initial analysis available as a status update and to help provide background for a workshop later this month to discuss the cybersecurity framework.</p>
<p>The Executive Order calls for NIST to work with industry to develop a voluntary framework to reduce cybersecurity risks to the nation&#8217;s critical infrastructure, which includes power, water, communication and other critical systems. The first step toward drafting the framework was soliciting information on current risk management policies, existing standards and guidelines, and specific industry practices from stakeholders through a Request for Information (RFI). These comments were due April 8, 2013. NIST received more than 200 responses and posted them publicly.*</p>
<p>NIST&#8217;s approach to analyzing the input from the RFI, as well as identification of the common cybersecurity framework themes that emerged as a result of the analysis, is described in the paper, Initial Analysis of Cybersecurity Framework RFI Responses. In addition to identifying and describing the common themes, this paper provides questions for stakeholders to consider.</p>
<p>The paper can be found at <a rel="nofollow" target="_blank" href="http://csrc.nist.gov/cyberframework/nist-initial-analysis-of-rfi-responses.pdf">http://csrc.nist.gov/cyberframework/nist-initial-analysis-of-rfi-responses.pdf</a>, and additional information about the cybersecurity critical infrastructure framework project is available at <a rel="nofollow" target="_blank" href="http://www.nist.gov/itl/cyberframework.cfm">www.nist.gov/itl/cyberframework.cfm</a>. Information on the <a rel="nofollow" target="_blank" href="http://www.nist.gov/itl/csd/cybersecurity-framework-workshop-may-29-31-2013.cfm">2nd Cybersecurity Framework Workshop</a>, May 29-31, 2013, at Carnegie Mellon University is at <a rel="nofollow" target="_blank" href="http://www.nist.gov/itl/csd/cybersecurity-framework-workshop-may-29-31-2013.cfm">www.nist.gov/itl/csd/cybersecurity-framework-workshop-may-29-31-2013.cfm</a>.</p></blockquote>
<p>Full article <a rel="nofollow" target="_blank" href="http://www.nist.gov/itl/csd/framework-comments-051613.cfm">here</a>.</p>
<p style="text-align:center;">#####</p>
<p style="text-align:center;"><em>How do you feel about NIST&#8217;s initial analysis? Let us know in the comments below. Today&#8217;s post pic is from <a rel="nofollow" target="_blank" href="http://csrc.nist.gov/cyberframework/nist-initial-analysis-of-rfi-responses.pdf">NIST.gov</a>. See ya!</em></p>]]></content:encoded>
      <feedburner:origLink>https://www.novainfosec.com/2013/05/16/nist-releases-analysis-of-cybersecurity-framework-rfi-responses/</feedburner:origLink></item>
      <item>
         <title>20% Discount on Level 1 Penetration Testing Class</title>
         <link>http://feedproxy.google.com/~r/novainfosecportalblog/~3/c-v35UuaLLM/</link>
         <description>After the success of last month’s discount program, Bulb Security has once again decided to extend a deal to NoVA Infosec readers for one of their upcoming classes in June. This time it will be for a $100 Penetration Testing Level 1 class (a.k.a., Penetration Testing with Metasploit), which is probably much more accessible than the previous month’s “Intro to Exploit Development” topic. The class will be on Saturday, June 22nd starting at 11:00 PM EST virtually via GotoMeeting. The 20% discount will bring the total cost down to ONLY $80! Use the “Buy Now” link below to get this special price. Here’s some more information about Bulb Security’s June penetration testing class… ##### Abstract In this 1-day class we will study penetration testing with a focus on using the Metasploit Framework. We will begin by becoming proficient at using Metasploit. Then we will work through the phases of penetration testing using Linux and Windows victims. Students will be introduced to finding and exploiting many different kinds of vulnerabilities as well as post-exploitation strategies. In addition to Metasploit, students will gain experience with additional pentesting tools such as Maltego, Nmap, and Nikto. What You Get One full [...]</description>
         <guid isPermaLink="false">https://www.novainfosec.com/?p=25610</guid>
         <pubDate>Thu, 16 May 2013 22:30:59 +0000</pubDate>
         <content:encoded><![CDATA[<p><a rel="nofollow" target="_blank" href="https://www.novainfosec.com/wp-content/uploads/2013/05/PT-e1368746490468.png"><img class="alignright  wp-image-25627" title="Penetration Testing" src="https://www.novainfosec.com/wp-content/uploads/2013/05/PT-e1368746490468.png" alt="" width="168" height="218"/></a>After the success of <a rel="nofollow">last month&#8217;s discount program</a>, Bulb Security has once again decided to extend a deal to NoVA Infosec readers for one of their upcoming classes in June. This time it will be for a $100 Penetration Testing Level 1 class (a.k.a., Penetration Testing with Metasploit), which is probably much more accessible than the previous month&#8217;s &#8220;Intro to Exploit Development&#8221; topic.</p>
<p>The class will be on Saturday, <strong>June 22nd</strong> starting at 11:00 PM EST virtually via GotoMeeting. The 20% discount will bring the total cost down to <strong>ONLY $80!</strong> Use the “Buy Now” link below to get this special price.</p>
<div align="center">
<form target="_blank" action="https://www.paypal.com/cgi-bin/webscr" method="post"><input type="hidden" name="cmd" value="_s-xclick"/><br />
<input type="hidden" name="hosted_button_id" value="VJ3E9HET4D5WU"/><br />
<input type="image" name="submit" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynowCC_LG.gif" alt="PayPal - The safer, easier way to pay online!"/><br />
<img src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" alt="" width="1" height="1" border="0"/></form>
</div>
<p>Here’s some more information about Bulb Security&#8217;s June penetration testing class…</p>
<p style="text-align:center;">#####</p>
<h2>Abstract</h2>
<p>In this 1-day class we will study penetration testing with a focus on using the Metasploit Framework. We will begin by becoming proficient at using Metasploit. Then we will work through the phases of penetration testing using Linux and Windows victims. Students will be introduced to finding and exploiting many different kinds of vulnerabilities as well as post-exploitation strategies. In addition to Metasploit, students will gain experience with additional pentesting tools such as Maltego, Nmap, and Nikto.</p>
<h2>What You Get</h2>
<ul>
<li>One full day of online instruction.</li>
<li>Fully configured victim virtual machine downloads (Windows trials and Linux) for use in the class.</li>
<li>2 weeks of access to a VPN with several additional victim machines. The lab victims will all be custom built so you can fully test your skills. This will not be a host for pre-built victims you can download for free online. These systems will be unique and will simulate real scenarios from penetration tests.</li>
<li>Access to the instructor to answer questions about the material and labs during the course and the 2 week lab access period</li>
<li>Slides and other course material</li>
</ul>
<h2>When</h2>
<p>Saturday June 22, 2013 from 11am Eastern</p>
<p>Note: Time zones are lousy for everyone. For this iteration of the class I’m doing my best to make it accessible for everyone in the Americas. There will be future classes that will be at times better suited to other regions given enough interest. I tried running this class in Europe and didn’t have many signups, and a lot of people wrote and said they wanted American times. That said, if you are a night owl you are welcome to join the class from anywhere in the world.</p>
<h2>Where</h2>
<p>Online! The class will be held using GoToMeeting. There is a free client download for Windows and Mac. Like most useful things it isn’t supported on Linux, unfortunately. You will be able to see me, hear me, and see my screen as I demonstrate the hands-on material.</p>
<h2>How it Works</h2>
<p>A week before the class I will upload 2 victim virtual machines for students to download. These will be compressed to make the download as small as possible, but you can still expect about 500MB-1GB total. So if you have a slow connection you might not want to wait till the night before. You will host these victims and a BackTrack 5 R3 attack virtual machine on your own machine using VMware or VirtualBox. You will be able to follow along with everything covered in class on your virtual machines. Additionally, there will be independent exercises during the course using your virtual machines. You will also receive a meeting invite to join the live portion of the class. The day of class you choose to attend, log in to GoToMeeting. You will also receive credentials and instructions for the VPN to use the online practice lab. Your account will be active for 2 weeks after the end of the class.</p>
<h2>Student Requirements</h2>
<ul>
<li>BackTrack 5 R3 virtual machine. It can be downloaded <a rel="nofollow" target="_blank" href="http://www.backtrack-linux.org">here</a></li>
<li>About 10 gigs of free space for victim virtual machines that will be provided by the instructor</li>
<li>VMware or VirtualBox (free and/or trial versions are available)</li>
</ul>
<h2>About the Instructor</h2>
<p>Georgia Weidman is a penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security as well as holding CISSP, CEH, NIST 4011, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has presented her research at top conferences around the world including ShmooCon, Black Hat, Hacker Halted, and BSides. Georgia has delivered highly technical security training for conferences, schools, and corporate clients to excellent reviews. Building on her experience, Georgia founded <a rel="nofollow" target="_blank" href="http://www.bulbsecurity.com">Bulb Security LLC</a>, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the Smartphone Pentest Framework (SPF), which allows pentesters to assess the security of mobile devices in an environment.</p>
<h2>Cost</h2>
<p>$100</p>
<p>Be sure to put in your correct email address when you purchase the class. That is the email I will use to communicate class details with you.</p>
<p style="text-align:center;">#####</p>
<p style="text-align:center;"><em>Today&#8217;s post pic is from <a rel="nofollow" target="_blank" href="http://www.icsinc.com/Solutions/TechnicalSecurity/tabid/79/Default.aspx">ICSinc.com</a>. See ya!</em></p>]]></content:encoded>
      <feedburner:origLink>https://www.novainfosec.com/2013/05/16/20-discount-on-level-1-penetration-testing-class/</feedburner:origLink></item>
      <item>
         <title>Apple iOS Backdoor … Or Just Occam’s Razor?</title>
         <link>http://feedproxy.google.com/~r/novainfosecportalblog/~3/bhwp0CNT8m4/</link>
         <description>In response to a discussion on Twitter the other day as well as our prior post on Apple’s iOS backdoor, David “@darthnull” Schuetz … yeah the BlueToad-gate guy … has written up a great post describing his point of view that most of what’s been in the news lately is pure and total FUD. Although he can’t offer a concrete conclusion, his best educated guess is that Apple most likely uses a signed external drive to gain access to the unencrypted contents of the phone (unfortunately mostly everything these days) and then brute-forces the passcode/word to obtain access to everything else. David is a super-smart guy when it comes to iOS security so I won’t even pretend to understand half the stuff he’s talking about … but color it how you want, I’m still calling backdoor. Now this isn’t a backdoor for law enforcement per se … but just some internal mechanism that Apple has for fully decrypting iOS contents without the passcode/word. via DarthNull.org Just like the perennial discussion on location-based services and Apple’s ability to track you, the question of accessing an iOS device’s data when the device is locked seems to come up every few months. This [...]</description>
         <guid isPermaLink="false">https://www.novainfosec.com/?p=25584</guid>
         <pubDate>Wed, 15 May 2013 13:30:49 +0000</pubDate>
         <content:encoded><![CDATA[<p><a rel="nofollow" target="_blank" href="https://www.novainfosec.com/wp-content/uploads/2013/05/darthnull.png"><img class="alignright  wp-image-25606" title="DarthNull" src="https://www.novainfosec.com/wp-content/uploads/2013/05/darthnull.png" alt="" width="229" height="183"/></a>In response to a discussion on Twitter the other day as well as our <a rel="nofollow">prior post on Apple&#8217;s iOS backdoor</a>, David &#8220;@<a rel="nofollow" target="_blank" href="http://twitter.com/darthnull">darthnull</a>&#8221; Schuetz &#8230; yeah the <a rel="nofollow">BlueToad-gate</a> guy &#8230; has written up a great post describing his point of view that most of what&#8217;s been in the news lately is pure and total FUD. Although he can&#8217;t offer a concrete conclusion, his best educated guess is that Apple most likely uses a signed external drive to gain access to the unencrypted contents of the phone (unfortunately mostly everything these days) and then brute-forces the passcode/word to obtain access to everything else.</p>
<p>David is a super-smart guy when it comes to iOS security so I won&#8217;t even pretend to understand half the stuff he&#8217;s talking about &#8230; but color it how you want, I&#8217;m still calling backdoor. Now this isn&#8217;t a backdoor for law enforcement per se &#8230; but just some internal mechanism that Apple has for fully decrypting iOS contents without the passcode/word.</p>
<p>via DarthNull.org</p>
<blockquote><p>Just like the perennial discussion on location-based services and Apple’s ability to track you, the question of accessing an iOS device’s data when the device is locked seems to come up every few months. This time around, the discussion was inspired by a CNET article, with the sensational title “Apple deluged by police demands to decrypt iPhones.”</p>
<p>The article seemed to be built around a single paragraph in a blurry copy of a search warrant affidavit from ATF, which stated that the writer “contacted Apple” and was told by “an employee [...] who is part of their Apple Litigation Group” that Apple “has the capabilities to bypass the security software” on the iPhone.</p>
<p>That’s it. That’s all we know. An ATF agent reports having talked to a single person at Apple, who told him that they can “bypass the security software” on iOS devices. And from that tenuous hold, the Twitters exploded with “See! I TOLD you Apple had a back door!” and other related Fear, Uncertainty, and Doom.</p>
<p>But is any of it warranted? What could Apple really be doing, and is that any different from what we already know? Let’s review what we know, and don’t know, about iOS security, passcodes, and encryption.</p></blockquote>
<p>Continued <a rel="nofollow" target="_blank" href="http://darthnull.org/2013/05/13/apple-forensics-law-enforcement-and-fud/">here</a>.</p>
<p style="text-align:center;">#####</p>
<p style="text-align:center;"><em>Do you think there&#8217;s an Apple-only accessible backdoor in iOS? Let us know in the comments below. Today&#8217;s post pic is from <a rel="nofollow" target="_blank" href="http://tech.fortune.cnn.com/2012/09/11/meet-the-guy-who-cracked-the-case-of-the-stolen-iphone-ids/">CNN.com</a>. See ya!</em></p>]]></content:encoded>
      <feedburner:origLink>https://www.novainfosec.com/2013/05/15/apple-ios-backdoor-or-just-occams-razor/</feedburner:origLink></item>
      <item>
         <title>Rapid Web Assessments with RAWR</title>
         <link>http://feedproxy.google.com/~r/novainfosecportalblog/~3/9ez47NYCjEc/</link>
         <description>A few weeks ago I had an opportunity to chat with Adam “@al14s” Byers and Tom “@c0ncealed” Moore at AIDE about an interesting new assessment tool they created called RAWR or Rapid Assessment of Web Resources. Adam was kind enough to write up a quick post for us so we could pass the word on to others in the security community. In summary … feed it an Nmap XML results file and RAWR parses through it looking for any web resources to interrogate. After RAWR’s analysis the output consists of any useful information it extracts from a service as well as a picture of the web interface. Anyway … on to Adam’s post with all the details… Web Assessments One of the highest threats to organizations today is, in most cases, also one of their most prevalent – web services. Through the years, the landscape has changed from simple static websites to fully functional web-based applications that provide access to internal information gold mines. Most organizations have little to no knowledge as to how many internal web resources they have within their environments, many of which leave clients open to network compromise. Getting a clear picture of an organization’s internal [...]</description>
         <guid isPermaLink="false">https://www.novainfosec.com/?p=25501</guid>
         <pubDate>Wed, 15 May 2013 13:00:52 +0000</pubDate>
<content:encoded><![CDATA[<p><a rel="nofollow" target="_blank" href="https://www.novainfosec.com/wp-content/uploads/2013/05/rawr-e1368327211433.jpeg"><img class="alignright  wp-image-25505" title="RAWR" src="https://www.novainfosec.com/wp-content/uploads/2013/05/rawr-e1368327211433.jpeg" alt="" width="210" height="253"/></a>A few weeks ago I had an opportunity to chat with Adam &#8220;@<a rel="nofollow" target="_blank" href="http://twitter.com/al14s">al14s</a>&#8221; Byers and Tom &#8220;@<a rel="nofollow" target="_blank" href="http://twitter.com/c0ncealed">c0ncealed</a>&#8221; Moore at <a rel="nofollow">AIDE</a> about an interesting new assessment tool they created called <a rel="nofollow" target="_blank" href="https://bitbucket.org/al14s/rawr/overview">RAWR or Rapid Assessment of Web Resources</a>. 
Adam was kind enough to write up a quick post for us so we could pass the word on to others in the security community.</p>
<p>In summary &#8230; feed it an Nmap XML results file and RAWR parses through it looking for any web resources to interrogate. After RAWR&#8217;s analysis the output consists of any useful information it extracts from a service as well as a picture of the web interface.</p>
<p>Anyway &#8230; on to Adam&#8217;s post with all the details&#8230;</p>
<h2>Web Assessments</h2>
<p>One of the greatest threats to organizations today is, in most cases, also one of their most prevalent &#8211; web services. Through the years, the landscape has changed from simple static websites to fully functional web-based applications that provide access to internal information gold mines. Most organizations have little to no knowledge of how many internal web resources exist within their environments, many of which leave clients open to network compromise. Getting a clear picture of an organization&#8217;s internal or external websites can be a time-consuming process. If you are tasked with ensuring the security of your client&#8217;s web interfaces, you&#8217;ll find that there is a lot involved &#8211; and usually not a lot of time to get the report out. Over the past few months, I&#8217;ve written a cross-platform, open-source tool that will take your next web assessment from discovery to analysis in one fell swoop.</p>
<h2>The Innards</h2>
<p>RAWR is a Python application (tested w/ 2.7) that takes your scan data, which must be nmap .xml or .nessus at the moment, and uses it to gather as much data as possible on any web services that turn up. It utilizes multi-threading and queues to quickly and efficiently pull data from each host. In the background, it uses PhantomJS to take screenshots of each interface.</p>
<p>We gave an outline of how it works at CarolinaCon 9.</p>
<p>There are a few features that aren’t necessarily documented in the ‘help’ text. In the script, scroll to the ‘Settings’ header (~line 240). You’ve got options for the user agent and the number of threads to use when making the web calls, amongst others. The value for ‘csv_sort_col’ enables you to choose a column by which to sort the .csv output. The order of the .csv’s columns can be changed by moving the values around in ‘flist’. While they didn’t really fit as command-line switches, I tried to make these ‘under the hood’ options as usable as possible.</p>
<p>Be sure to check out the ENUM options. You’ll probably get a little more info using HTTP 1.0 via the ‘--downgrade’ switch, or find a web server that still has TRACE/TRACK enabled by using the ‘-o’ switch to get the available methods. There’s room for more, and I’m always interested in the tidbits pentesters find valuable when they go to do one of these assessments. Feature requests are definitely welcome!</p>
<h2>Output</h2>
<p>The goal with RAWR’s output is to give the pentester as much as we can for their report. I believe that the value in a good assessment isn’t all about the tools, so much as it is about the ability to use the tools to gather the right info and then the understanding to interpret it.</p>
<p>The HTML report was designed to make it easy to find interesting interfaces by having a jQuery-driven, fully searchable interface. All of the gathered info on a specific host can be pulled up by clicking the ‘i’ when you hover over a thumbnail. You can form lists by selecting hosts, then pull up ‘iplist’ and copy/paste the info into, say, an input list for Nikto.</p>
<p>I recommend pulling the .CSV up along with the HTML report. The two used in conjunction make LHF (low-hanging fruit) identification a &#8216;snap&#8217;. Within the .CSV is every bit of information gathered, along with a &#8216;notes&#8217; column for marking down any items of interest. Something I didn&#8217;t consider until recently was that RAWR can be used for SSL certificate assessments as well.</p>
<p>Images, Cookies, SSL_Certs, and Robots are folders within the log folder that will contain files that were obtained. Other than that, you have the nmap output and the .log file, which is where I&#8217;m directing error messages. If there are any problems during execution, they&#8217;ll show up in the .log.</p>
<p>Thanks for checking out RAWR. If there&#8217;s something you see that would make it more useful – be sure to submit a feature request to our <a rel="nofollow" target="_blank" href="https://bitbucket.org/al14s/rawr/issues">BitBucket Issues</a> page!</p>
<p style="text-align:center;">#####</p>
<p style="text-align:center;"><em>And don&#8217;t forget &#8230; if you are interested in posting an article on NovaInfosec.com, please head on over to our <a rel="nofollow">Submit Article</a> page for all the details as well as our submission form. Today&#8217;s post image is from the good folks over at <a rel="nofollow" target="_blank" href="https://twitter.com/al14s/status/259365280747233280/photo/1">Twitter.com</a>.</em></p>]]></content:encoded>
      <feedburner:origLink>https://www.novainfosec.com/2013/05/15/rapid-web-assessments-with-rawr/</feedburner:origLink></item>
   </channel>
</rss>
