Archive for hacker

Backpedaled But Still Very Wrong

Posted in security on May 4, 2010 by hellnbak

I guess all of the attention that the mindless blog post by eEye created has caused them to backpedal quite a bit.  Sadly, Morey is still way off the mark and, if anything, has just made it more clear that he is attempting to use this as a reason you should buy their product and not use the free and better tools out there.  I did a quick check of Google Cache and was not able to find the original post, but here is the text of the post from yesterday:

Penetration Tools Can Be Weapons in the Wrong Hands
Author: Morey Haber Date: May 3rd, 2010 Categories: Network Security,
Vulnerability Management

After a lifetime in the vulnerability assessment field, I’ve come to look
at penetration testing almost as a kind of crime, or at least a misdemeanor.

We enjoy freedom of speech, even if it breaks the law or license
agreements. Websites cover techniques for jailbreaking iPhones even though
it clearly violates the EULA for Apple's devices. Penetration tools clearly
allow the breaking and entering of systems to prove that vulnerabilities are
real, but clearly could be used maliciously to break the law.

Making these tools readily available is like encouraging people to play
with fireworks. Too bold of a statement? I think not. Fireworks can make a
spectacular show, but they can also be abused and cause serious damage. In
most states, only people licensed and trained are permitted to set off
fireworks.

Now consider a pen test tool. In its open form, on the Internet, everyone
and anyone can use it to test their systems, but in the wrong hands, for
free, it can be used to break into systems and cause disruption, steal
information, or cause even more permanent types of harm.

How many people remember the 80’s TV show Max Headroom? Next to murder, the
most severe crime was if users illegally used information technology systems
to steal information or make money. There was tons of security around these
systems and even possession of tools to penetrate a system was a crime too.
So what’s the difference?

Yes, it is just a TV show but in reality today we are in effect putting
weapons in people’s hands, not tracking them, and allowing them to use them
near anonymously to perform crimes or learn how to perform more
sophisticated attacks. It all comes back to the first amendment and Freedom
of Speech. I can write a blog of this nature, state my opinion about how I
feel about free penetration testing tools, and assure everyone that they
need defenses to protect their systems, since free weapons are available
that can break into your systems – easily.

And now, today, it has been replaced with this (http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands):

The post I had here earlier was worded in a way that was misleading, and I want to rewrite it now so that I’m perfectly clear.

Thousands of legitimate individuals and businesses (including eEye) perform penetration testing, which is useful, required by regulatory compliance, and a very important tool in the security industry. Referring to it as anything besides a tool is a poor choice of language, and I want to correct it. My main issue is with running penetration testing tools against assets that the user either does not own or is not responsible for. And, the easy availability of such tools, often free of charge, opens the door for this potential abuse. On the contrary, it also makes it easier for businesses to test themselves whether a vulnerability can be exploited. This is a difficult balance.

With many years in this business, I’m well acquainted with what can go wrong, and what I hoped to convey was the importance of well-managed testing under the watch of a user who knows what they’re doing. When these tools aren’t used as they are intended to be, with care and professionalism, damage can be done. Having them free, and readily available for everyone increases the risk of the wrong person, using the right tools, in the wrong way.

So now all Morey was trying to say is that running a free tool against an asset you do not own or have permission to “attack” is a bad thing.  He stops short of saying how he proposes we solve this problem, but I am sure that is on purpose, in order to prevent falling down the rabbit-hole of this discussion and yet again making completely stupid and indefensible statements.  Besides, isn’t this just like saying that doing is bad?

However, once again, Morey completely missed the point.  Taking a tool and charging money for it will not deter an attacker.  Attackers (the real ones, not the kiddies that get caught) already have their own toolsets and shared knowledge base.  If they absolutely require a commercial tool to do their job, which is a laughable scenario, there are enough places to get them for free.  I mean, one can simply download a free trial of Retina, eEye’s vulnerability assessment tool, and then easily crack it.  A quick search of popular torrent and other warez resources easily proves that all the commercial tools are just as easily available as the “free” ones.

But a real attacker, the ones companies like eEye cannot protect you from, will not use or need these tools regardless of their cost.  Once again, Morey makes former eEye researchers sad by demonstrating his complete understanding of the very basic concepts of Information Security and demonstrating just how far eEye has fallen.

Time to go pour a 40 out for our fallen homies….

UPDATE:  With Blackhat coming up, and in good fun and as a joke (please read that 10 times, as I still have a ton of respect for a lot of my former co-workers at eEye), I had to do this:

Remember this from I think 2005?

This year it should be this T-Shirt:

Apparently Time Has Reversed – Not The Disclosure Debate Again?!?

Posted in security on April 23, 2010 by hellnbak

Remember back in 2001 when researchers were compared to terrorists and the term “Information Anarchy” was coined?  You can read this blast from the past here –>  http://www.windowsitpro.com/article/windows-client/information-anarchy-the-blame-game-.aspx

As the saying goes, those who do not learn from history are doomed to repeat it, or something like that.  Now we have this clueless blog post over on the Verizon Business Blog –>  http://securityblog.verizonbusiness.com/2010/04/22/redefining-security-researcher/

The gem of this post is:

“Narcissistic Vulnerability Pimp: One who – solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure.”

Sigh.  Really?  One would think that a business with the word “Intelligence” in it would actually show some.  Meanwhile, we all know that the “intelligence” is nothing more than a bunch of drones monitoring IPS logs and being yelled at when the technology they have pimped out does not actually detect a real-world threat.  So instead of actually attempting to improve things, it is much easier to point fingers, call names and attempt to blame researchers.

Researchers *DESERVE* credit for their finds because, while they are causing short-term pain (short-term pain Verizon Business is able to invoice clients for), they are effecting long-term changes.  History has proven that when a vendor gets tired of being hammered by security issues, that vendor starts taking security seriously and begins to improve.  Let us not forget that the majority of researchers do this FOR FREE, so giving them some resume fodder and recognition should not be such a big deal.

Verizon Business’ entire business model would fall apart if it were not for these so-called “Narcissistic Vulnerability Pimps” giving their drones something to submit billable hours for.  Or how about the fact that Verizon Business themselves have employed, and may very well still employ, the exact people they are attempting to point fingers at.  I know for a fact that at one time (maybe still) a couple of very high-profile “Pimps” were receiving paychecks from Verizon.

I am totally stealing this comment from Charlie Miller’s twitter (http://twitter.com/0xcharlie) but based on this blog post — Verizon Business are the whores that the vulnerability Pimps peddle to.  Given the choice of being a pimp or a whore I would pick pimp any day of the week, the wage is better, the benefits are better and who doesn’t like smacking a ho once in a while?

Let’s back up a second and try to determine exactly what Verizon is complaining about.  I suppose they are trying to point out the difference between a researcher that follows responsible disclosure vs. one that does not.  So why the silly name calling?  Why not just simply put it that way?  There are those that believe in responsible disclosure and there are those that do not.  Kind of simple, isn’t it?  Oh wait, that does not make for a good blog post to generate some attention and traffic — much like this one.

While I am ranting about what is probably the most ass-backwards blog post this year, I might as well share my opinion on the whole disclosure thing, and yes, I do truly believe that this is beating a dead horse, as there will never be an opinion that is completely correct.

There was a time, especially around the 2001 timeframe, when I believed that reporting a bug to a vendor, then giving said vendor a set amount of time (30 days in my case) to fix a vulnerability, was the right thing to do.  After the 30 days expire, release full details on the vulnerability and move on.

Over the years, and as I began to work for various software and hardware vendors, my thoughts on this slightly changed, putting me more in the responsible disclosure camp.  To me this means: you find a vulnerability, you report it to the vendor, and you wait for the vendor to patch before releasing your independent advisory.  The severity of the issue, based on ease of exploitation and impact of exploitation, dictates how much information to release on the issue, as the whole point is to actually help increase security.  The only caveat I have to this is that I also believe that if a vendor is refusing to patch an issue, not taking the issue seriously, or someone else finds the issue and uses it publicly, then all bets are off and it is better to simply drop all details so that those in the protection business have a level playing field.

In fact, the only reason I am against the whole “No More Free Bugs” movement is because if you privatize and monetize the reporting of vulnerabilities, you remove the ability to hold a vendor truly accountable by having the ability to simply “drop zero day” on them to force a fix.  Once you enter into contracts and start accepting money for vulnerabilities, you lose your ability to force change.  That said, a pimp needs to get paid.  😉

Anyway, this whole argument is stupid.  Full Disclosure works, and in my opinion responsible disclosure is a safe compromise as long as the vendor is playing along.  Verizon Business is truly biting the hand that feeds them.

ZOMG! World’s Greatest h4x0r!!!

Posted in security on February 14, 2009 by hellnbak

Today Fox News ran an “article” about how the “world’s greatest hacker” would compromise President Obama’s Blackberry.  If you want to waste some time, you can read the full article here:

http://www.foxnews.com/story/0,2933,492705,00.html

Let’s take a look at some of the FUD in this article.  First, the headline itself: “World’s Greatest Hacker”.  Where to start with that one.  Was there some sort of competition recently where every hacker in the world got together to prove their skills?  Did we have the Hacker Oscar Awards and hand out trophies?  Regardless of whose name is associated with this title, it is in fact extremely silly, but as you will see, it is required to build the level of fear, uncertainty and doubt which is no doubt required in order to read this article.

Despite warnings from his advisers, the president insisted on keeping his beloved PDA, which now has specially designed superencrypting security software.

Superencrypting security software?  That’s right... not just encryption but SUPERencryption.  Encryption so SUPER it can leap buildings and give homeless people houses in one swoop.

But even this SUPERencrypting software has its Lex Luthor.  This time it is none other than Kevin Mitnick, and according to this article Kevin is full of... ummm... Kryptonite.

But that just makes cracking into it more challenging — and, yes, it can be done, says the world’s most famous hacker.

“It’s a long shot, but it’s possible,” Kevin Mitnick told FOXNews.com. “You’d probably need to be pretty sophisticated, but there’s people out there who are.”

Mitnick said someone with access to Obama is much more likely to be targeted by hackers because their networks, particularly those used at their homes, would be much less secure than those used by the commander-in-chief.

Once armed with Obama’s coveted e-mail address, a hacker could theoretically send an e-mail to Obama in an attempt to lure him to a Web site that has previously been breached in order to transfer “malicious code,” Mitnick said.

This makes sense, obviously; I mean, it doesn’t take the world’s greatest hacker to understand that a social engineering attack is really the way to go in this case.  Send the device an email from a “trusted” address and hope that they are naive enough to open the attachment or click on the link.  BUT, we are talking about a Blackberry device here, meaning your run-of-the-mill malware is not going to work and you had better have some skills and knowledge around the RIM platform.  Considering the target, this is not beyond the realm of possibilities.

Although, again considering the target, one would assume that some pretty heavy security awareness training has been given.  So far the article isn’t actually that bad, but then Fox News decides to ignore technical accuracy with this gem:

Chris Soghoian, a student fellow at Harvard University’s Berkman Center for Internet and Society, agreed that the most likely route to Obama’s BlackBerry would be to trick the president into visiting a pirated Web site.

Pirated web site?  You can pirate web sites now?  I suppose I could make some room on my hard drive between all of the pirated software, movies and music for some pirated web sites.  Pretty sure they meant compromised web site in this case.  Doesn’t that seem like a lot of work?  I mean, first identify a web site your target is likely to visit, then “pirate” it.  There are other, much easier ways to do this.

“These are attacks when you visit a Web site, and within seconds, it hacks into your computer and forces it to download viruses,” Soghoian said. “In many cases, people get infected by using out-of-date browsers.”

Soghoian said he suspected that the likely culprit wouldn’t be a hacker who targets computers for notoriety or fiscal gain, but rather a foreign government looking for classified information.

OMG... within seconds you get hacked just by visiting a web site!!  Obviously we have all seen examples of this sort of attack, but to me the wording sounds like nothing more than fear mongering.  But note they said “outdated browsers”.  Last time I checked (just now), the options for a web browser are very limited on a Blackberry.  Mine runs both the built-in RIM-supplied browser as well as Opera Mini.  So, sure, there is an attack surface there, but that is assuming they allow Mr. President to surf the web from his device, which to be honest sounds pretty far-fetched.  In fact, I would bet that the device Obama uses is very limited in what functions it performs and is in fact locked down to the point that the web browser is removed, as well as other basic functions like installing software.  But that is just a common-sense guess.

But wait: all of this focus on Blackberry devices by the media, and we do not even know for sure if that is what the device in question is.

“Nobody has really said with certainty what device he is actually using,” said Randy Sabett, a partner at Sonnenschein Nath & Rosenthal LLP and a former NSA employee. “That right there is an important subtlety. The less information known, the better.”

So here we have an article based completely on an assumption of what device the President may be using.  While I suppose it is a good assumption based on various photos, it is still an assumption.  We all know that security through obscurity does not work, and something tells me that it is only a matter of time before we all know for sure what the device actually is.

So does a BLOG post about an article that is about nothing actually exist?

Seeing how the big, bad, well-funded Fox News cannot get things right, I reached out to Kevin and got his permission to publish the following from an email:

I did not pick the title so don’t blame me!

Second, I told this reporter numerous times that I don’t believe Obama uses his Blackberry device for any classified communications – that should be a no-brainer, right?

I did, however, share some attack scenarios that are feasible. One example below I used to surveil the FBI when playing the fugitive game – which would likely work today.

Objective: Identify Obama’s current cellular phone number (SIMPLE)

1.  Compromise his past provider (he’s likely to be using the same one).
2.  Obtain past (3 months) billing records (call detail records)
3.  Compromise (current) provider and perform terminating number searches for any mobile device that has dialed or received calls from the same numbers on Obama’s past billing records.
4.  Maintain a list of suspect devices (mobile handsets) for further analysis
5.  Analyze each suspect device’s call detail records looking for a similar pattern of call traffic (incoming /outgoing)
6.  Narrow the list of devices down to similar call patterns
7.  Pull the subscriber data (billing name, address, contact #, device info (IMEI, SIM info) or (ESN if CDMA provider)
8.  Use mobile operator’s intelligent network to find where the device is registered (in real time)… Is Obama near that location?

Once Obama’s cellular number is identified, the attacker can acquire his text messages by compromising the SMSC (Oracle DB) at the provider, determine his location via cell tower registrations, and capture his call traffic (via real-time CDR).
 
Objective: Obtain Obama’s email address. (SIMPLE)

1.  Identify Obama’s close circle of friends and family.
2.  Compromise these target systems (phishing, wifi, etc) and install a trojan
3.  Steal authentication credentials stored on target system or via keylogger (web based email)
4.  Watch email communications.. eventually the attacker may hit pay dirt.

As far as compromising his BB device, I said it would be difficult but not impossible, depending on whether he uses BB’s browser. The possible attack scenario I explained to the reporter was:

1.  Identify vulnerability in BB’s browser that allows execution of arbitrary code.
2.  After compromising his provider, identify what sites Obama visits on his BB (this can be logged by an attacker in the provider’s intelligent network.)
3. Identify the sites visited that are not so popular (minimize the potential victims) and compromise these targets.
4. Plant exploit code to execute payload– whatever that is…
5. Wait… and see what happens.

I brought up some others but the article omitted most of what I discussed… go figure…

Anyway, Happy Friday the 13th…

Kevin

All of what Kevin said above is of course plausible, but far be it from Fox News to care if they get anything right vs. just publishing some oversensationalized article.  Besides, as another friend of mine pointed out, isn’t the Blackberry Enterprise Server (BES) a juicier target with a much larger attack surface?