Wednesday, October 10, 2012

HITB Malaysia - Day 1


I am currently attending Hack In The Box (HITB), a major security conference in Kuala Lumpur, Malaysia.   This is the first security conference I have attended in many, many years.  So far I am highly impressed.  It’s easy to see the amount of meticulous preparation that has gone into this event.  Additionally, the talks have been really fantastic.  For this two-day event, I will share my thoughts and impressions from each talk and my general Likes/ Dislikes of the conference as a whole.

Day 1 - Talks:


The first talk I attended was "Tracking Large Scale Botnets" by Jose Nazario. While there was no new groundbreaking information in this talk, I did come away with the following interesting facts:

  • Botnets are sometimes constrained to geographical regions.  This is due to the cultural attractiveness and the language utilized by the lures, which led to the initial malware infection.

  • Although security researchers are occasionally able to hijack entire botnets away from the original operators, they never (publicly) issue a "kill command" or clean up the botnet infections.   This is due to uncertain legal restrictions and repercussions.

  • Some botnet operators are now using cryptographically signed command signals as a defense against hi-jacking.

  • Some botnets contain a Domain Generation Algorithm (DGA), which operates on a timer.  This DGA is used to periodically generate a new DNS domain name for the command and control server.   For instance, the current command and control server may be serverX.adbprmmg.com, but once the DGA triggers and calculates that the new control server is serverY.bmpkngf.com, each node of the botnet will begin communicating with this new server.  By reverse engineering the DGA portion of the botnet code, malware researchers can register the new domain name before the botnet operator does and effectively neuter the entire botnet.
Jose Nazario


The second talk I attended was titled "Data Mining a Mountain of Vulnerabilities" by Chris Wysopal.  Mr. Wysopal's company, Veracode, scanned and performed analysis on approximately 10,000 applications from a wide range of sources.  This talk presented an analysis of that data along with a lot of facts and figures.   The items that stuck out for me in this talk were:

  • Introduction of a new attack trend dubbed "water holing".  Basically this would be an attacker profiling a potential target and then attacking other sites of interest to the target.  The example provided was that the attacker may determine that a subset of the employees of target company X are fanatical about the sport of Rugby and frequent a particular website dedicated to Rugby news.   The attacker would then attack the Rugby news website and host malware on it, in hopes of subsequently infecting the employees of target company X.

  • A very large percentage of non-web-based applications have problems with cryptography.  These are related to improper key storage and the like.

  • The historical data shows that application developers are doing a better job of eliminating SQL Injection vulnerabilities from their applications.   This data also showed that developers are still not making progress towards eliminating cross-site scripting issues from their applications.


The third talk I saw was "OPSEC: Because Jail is for wuftpd" by The Grugq.  This talk was probably the most entertaining talk of the day and primarily focused on "how not to get caught hacking".   The items that stuck out to me were:

  • Multiple quotes from The Wire and the Notorious B.I.G. song, "The 10 Crack Commandments".   Big props for those fantastic meaningful incorporations!

  • When hacking, you do *NOT* have any friends.  You only have "criminal co-defendants".  Treat them accordingly.

  • An anecdote of a guy who would rent hotels near business locations to do his hacking from.   The guy would bring along a lot of Wi-Fi gear, hack a nearby business, and then utilize the hacked business's network to attack his intended target.  The multiple layers of abstraction are a really cool idea.

  • Fake personas take a long time to set up and establish.  These should be set up way in advance and should include things like Gmail, Facebook, and Twitter.

  • There has already been some discussion about a potential marketplace for the selling of established fake personas.

  • Remember to shut off your mobile phone when going to an off-site location to hack.  The mobile phone signals could be used to correlate your geo-location.

  • As Torbutton and Tor-enabled browsers are prone to "fail open" on desktops, Grugq has developed a customized version of OpenWRT to run on selected mobile access points which will force all traffic to the Tor network.   This will be hosted on GitHub.

Being a fellow Thailand-based expat, I'm really amazed by some of the stuff that Grugq speaks about.  Perhaps I am overly paranoid about a restrictive Thai government overreacting and revoking my visa and work permit, but I'd really like to know if he's ever run into any issues in this regard or fears that he might one day.  Hopefully at some point tomorrow I will be able to meet him and pose this question to him.
The Grugq


The next talk I saw was "A Historical Look at The Personal Computer and The Phreaking Scene" by John 'Captain Crunch' Draper.  It was great to hear tales of days gone by from a legend in the industry.  The item I found most interesting in this talk was:

  • Back in the day, the computer enthusiasts were sharing a BASIC program between themselves.   This was common practice in those days, but for some reason Bill Gates became upset by it.   Bill Gates ended up being the first person to ever consider that software should be "closed".
John Draper


The next talk I saw was "Pwn@Home: An Attack Path to 'Jailbreaking' Your Home Router" by Fredric Raynal & Gabriel Campana.  This talk focused on a previous customer engagement where the speakers were contracted to "test the security" of a set-top box and home router.   The talk was fairly technical in nature, but the thing I found really cool was:

  • As the client did not define parameters around "testing the security", the speakers decided to review from 3 different perspectives:
  1.  As a "Geek User".   Could they install other software packages on this router?  Could they install OpenWRT?

  2. As a "Paranoid User".  Were there backdoors present?  What remote services were installed?  Was any surveillance type software present?

  3. As a "Bad Guy".  Could they pentest against the PayTV infrastructure?  Could they attack other routers and build a botnet?

A few weeks ago, I was examining the security of my own newly purchased home router.   This particular router forces the use of DNSPROXY and will only distribute the single internal IP address of the router as the client DNS server via DHCP.   I started digging into the router and eventually was able to get a shell and access to the file system.   I found many troubling things (more on this in a later posting!).   I was eventually able to make the changes I wanted (which were lost upon reboot), but I was never able to get *FULL* root access and was soon distracted by other tasks.   Seeing this talk makes me want to revisit this and try the following:

  • Check for the presence of setuid binaries and attempt to exploit.

  • Try to download and decompress the firmware.

  • Run "strings" against the firmware.
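The three steps above are the same ones I would run when auditing a router I own, so here is a small POSIX shell script that does them in one go: it lists setuid/setgid binaries under an extracted firmware root (or a live filesystem reached through a shell), and pulls printable strings out of a firmware image without depending on binutils' strings being installed. This is an added example, not code from the post or from the talk; the function names, the sample directory tree and the tiny fake firmware blob are constructed for it.

```shell
#!/bin/sh
# Added example (not from the post): audit an extracted firmware tree for
# privileged binaries and dump printable strings from a firmware image.
# list_setuid, count_setuid, extract_strings and make_sample_root are
# hypothetical helper names chosen for this example.

# list_setuid ROOT
#   Print every regular file under ROOT that carries the setuid or setgid
#   bit (ls -ld output, one per line). These run with elevated rights and
#   are the first thing to review on an embedded box.
list_setuid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
    -exec ls -ld {} \; 2>/dev/null
}

# count_setuid ROOT  -> number of setuid/setgid files found
count_setuid() {
  list_setuid "$1" | wc -l | tr -d ' '
}

# extract_strings FILE [MINLEN]
#   Portable stand-in for strings(1): turn every non-printable byte into a
#   newline and keep runs of at least MINLEN (default 8) printable chars.
extract_strings() {
  min=${2:-8}
  LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E "^.{${min},}$"
}

# interesting_strings FILE
#   Strings an auditor usually wants to see first: URLs, credential-looking
#   tokens and shell invocations baked into the image.
interesting_strings() {
  extract_strings "$1" 8 | grep -E -i 'https?://|passw|admin|telnet|/bin/sh' | sort -u
}

# make_sample_root  -> path of a constructed mini "firmware root"
#   One setuid binary, one plain binary and a fake firmware blob, so the
#   functions above can be exercised offline.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/bin" "$root/etc"
  printf '#!/bin/sh\necho busybox\n' > "$root/bin/busybox"
  chmod 4755 "$root/bin/busybox"          # setuid, like busybox on many routers
  printf '#!/bin/sh\necho plain\n' > "$root/bin/plain"
  chmod 0755 "$root/bin/plain"            # not privileged, must not be listed
  # constructed blob: text fragments separated by non-printable bytes
  printf 'junk\001\002http://update.example.invalid/fw\000\377admin_password=changeme\000\003ok\n' \
    > "$root/fw.bin"
  echo "$root"
}

# Run with --demo to see it against the constructed sample tree.
if [ "${1:-}" = "--demo" ]; then
  r=$(make_sample_root)
  echo "setuid/setgid files under $r:"; list_setuid "$r"
  echo "interesting strings in fw.bin:"; interesting_strings "$r/fw.bin"
  rm -rf "$r"
fi
```

On a real image you would point list_setuid at the directory produced by unpacking the firmware (or at / from the router shell) and extract_strings at the raw image; the "interesting" filter is only a starting point and the full string dump is what you actually read through.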


The final talk of the day was "'I Honorable Assure You: It is Secure': Hacking in the Far East" by Paul Sebastian Ziegler.  This talk was also very entertaining and, after almost five years as a security professional in SE Asia myself, it hit really close to home.  This talk focused on the cultural mindset of Japan and Korea and how that applies to the realm of security.  There were so many great points made in this talk, they are too numerous to list.  My thoughts on this talk were:

  • There are a lot of similarities with Thailand.

  • There were also a lot of subtle differences with Thailand.

  • I would love to do an "extension" of this talk to focus on my observations based on my time in Thailand.


Overall Conference Likes:


  • Well organized and planned.
  • Good selection of local Malay food for lunch and great desserts.
  • Free bottled water widely available throughout the conference area.
  • Ease of registration.
  • The booth babes at the Time Networks booth.  I know some would consider this sexist, but booth babes are still very common in South East Asia, particularly in Thailand.  This is simply part of the culture, where oppressive fears of being non-politically correct don't run rampant.  So what some in the West may deem sexist, I deem it to be embracing of the culture I've chosen to immigrate into.


Overall Conference Dislikes:


  • The photographers and videographers spend too much time filming and taking pictures of the audience.  As someone who detests having my picture taken, I find it annoying to have a video camera pointed in my face every time I look up.
  • There is loud techno music being played in the common area throughout the event and additionally in the conference rooms between talks.  This is quite disturbing to the talks, as every time someone opens the door to come or go during a talk, the music can be heard through the open door.   I really wish the conference organizers would either select a less annoying form of music, turn it down a bit, or just play "Gangnam Style" on an infinite loop.

Day 2 Plan:


  • Talk 1 - Silo Busting in Information Security: The ISC SIE Approach - Paul Vixie
  • Talk 2 - How to Get Along with Vendors Without Really Trying - Katie Moussouris
  • Talk 3 - XSS & CSRF Strike Back Powered by HTML5 - Shreeraj Shah
  • Talk 4 - iOS Panel Discussion
  • Talk 5 - Messing Up the Kids Playground: Eradicating Easy Targets - Fyodor Yarochkin
  • Talk 6 - Information Warfare & Cyberwar: What's the Story Morning Glory? - Raoul Chiesa
  • Talk 7 - Element 1337 in the Periodic Table: Pwnium - Chris Evans

Be sure to follow me on Twitter @WetFdStamp for more pics and highlights from HITB Day 2!

HITB - Capture The Flag


Wednesday, September 26, 2012

WiFi Scanner in OSX Mountain Lion


It's a little-known fact that OSX Mountain Lion comes with a built-in wireless scanner. This scanner comes in quite handy when surveying available Wi-Fi access points. To use this scanner, simply open a terminal window and type:


 open /System/Library/CoreServices/Wi-Fi\ Diagnostics.app


This will open the primary Diagnostic window:



You can just ignore this window.   Next press Command + N.  This will open up the Wifi Utilities Window:


Now click the "Wi-Fi Scan" button at the top and your scan will start automatically:




Friday, July 23, 2010

CentOS 5.5 Upgrade Bug

After upgrading a few production servers from CentOS 5.4 to CentOS 5.5, I have identified a potential bug in the upgrade. For some reason the chkconfig setup for postfix gets deleted and postfix doesn't start automatically after a reboot. I couldn't find references to this anywhere else, so I am posting in hopes that it may help somebody else. This is an easy fix, but something you need to watch for as you update any servers running postfix.

After the upgrade and reboot, running chkconfig --list no longer shows postfix in the list.

[root@mx1 ~]# chkconfig --list
[..snip..]
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pand 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[..snip..]


I was able to get it to show up simply by typing "chkconfig postfix on". I assumed I would need to do "chkconfig --add postfix" to *ADD* it first, but it does not appear that this is the case.


[root@mx1 ~]# chkconfig postfix on
[root@mx1 ~]# chkconfig --list
[..snip..]
oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pand 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[..snip..]
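Since the symptom is silent (the service is simply gone from the list until the next reboot), a post-upgrade check is worth scripting. The POSIX shell function below reads chkconfig --list output on stdin, takes the names of services that must start at boot as arguments, and reports any that are unregistered or not "on" at runlevels 3 and 5, suggesting the same "chkconfig <name> on" fix. This is an added example, not code from the post; the function name is hypothetical and the embedded listing is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the post): verify boot-time services after an
# upgrade using `chkconfig --list` output. check_services and
# sample_listing are helper names chosen for this example.

# check_services SERVICE...   (chkconfig --list output on stdin)
#   Prints one line per problem and returns 1 if any service is missing
#   or not enabled at runlevels 3 and 5; returns 0 when all are fine.
check_services() {
  listing=$(cat)
  rc=0
  for svc in "$@"; do
    # exact match on the first column; "[..snip..]" and xinetd lines never match
    line=$(printf '%s\n' "$listing" | awk -v s="$svc" '$1 == s { print; exit }')
    if [ -z "$line" ]; then
      echo "$svc: not registered (fix: chkconfig $svc on)"
      rc=1
    else
      case "$line" in
        *3:on*5:on*) ;;   # enabled in the multi-user runlevels, nothing to do
        *) echo "$svc: registered but not on at runlevels 3 and 5 (fix: chkconfig $svc on)"
           rc=1 ;;
      esac
    fi
  done
  return $rc
}

# sample_listing  -> constructed chkconfig --list excerpt (postfix absent)
sample_listing() {
  cat <<'EOF'
[..snip..]
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pand 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[..snip..]
EOF
}

# Run with --demo to check the constructed listing; on a real box use:
#   chkconfig --list | check_services postfix sshd ntpd
if [ "${1:-}" = "--demo" ]; then
  sample_listing | check_services postfix pcscd ntpd
fi
```

Running it against the listing above flags postfix as unregistered and ntpd as registered but off, while pcscd passes; a non-zero exit status makes it usable as a gate in an upgrade checklist.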




Friday, August 07, 2009

Google-Hacking Google's Safe Browsing List

I discovered a kind of cool trick the other day with the Google safe browsing service. When doing a client vulnerability assessment or pen-test, if the customer has an assigned AS number, you can quickly check the Google safe browsing list to see all the sites from their network found to be serving up malware in the past 90 days. For example, if you were doing an assessment for a customer that owned the AS number 11643, you would use a URL in the following format:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:11643

As your customer is probably not knowingly going to host malware, identifying these sites proves valuable, as whatever let them be compromised is probably still exploitable. More often than not, I have discovered that these sites have been compromised through weak or easily guessable FTP or SSH usernames and passwords.

Taking this a couple steps further, I noticed that Google has published an API for this service.
An interesting application of this would be to take all the discovered host names, when enumerating a client's IP space with something like Fierce Domain Scan, and feeding each of those sites into the Google Safe Browsing list.

There are several other applications of this. Say for instance you are a web hosting provider. You can semi-monitor your hosted customers and notify them when they ended up on the "bad list". This can either be done by plugging in your AS number or by enumerating all the sites and plugging those into the API.

Another application for this, could be for a security company to identify potential customers. For example, working for a security vendor here in Thailand, all I would need to do is identify a few Thailand specific AS numbers, and away we go:

AS 7470 , AS 9737 , and AS 9931

Please note, for those who are not familiar with the naming conventions in the .th TLD, go.th is reserved for government sites and mi.th is reserved for military sites. With that knowledge, the results above are sort of shocking, no?


Tuesday, July 28, 2009

Scam Protection - Open Letter to the bar owners of Thailand


Here in Chiang Mai, as well as various other parts of Thailand, one seemingly popular scam is the collection of music royalties and levying of fines for infringement. These "copyright police" show up with dodgy documents and a uniformed police officer in tow. These uniformed officers, either through sheer ignorance or an agreement for a cut of the profits, allow the "copyright police" to seize computer equipment, confiscate CDs, and will even arrest "violators" and take them down to the jail.

You can read more about this horrible scam here and here.


So, obvious legalities aside, I asked myself, "Why are they making it so easy?" "What would *I* do, if I was running a bar in Thailand?" [Something that is actually part of my long-term goals, but that is a story for another day!]

So, Bar Owners of Thailand, here is what I would do:

First off, I would stop storing questionable items on my computer. On my personal computer, you will not find any mp3s, bootlegged movies, pornography, pictures of old girlfriends, etc. Not saying I don't possess these items, I am just saying they are NOT stored on my personal computer. Now if I was going to have a PC sitting out in a public place of business, I think this rule of thumb should be infinitely more applicable.

So, how can I make this work? Easy! First I would head down to Pantip (or any other computer mall of choice) and buy a nice, cheap, external USB hard drive. Next I would download the free/open-source tool TrueCrypt. I would use this to create one or two large encrypted volumes on the USB device. In these encrypted volumes, I now have a handy, safe, and very portable place to store all my questionable items!

If anyone ever tried to catch me with said questionable materials, hopefully I or my staff would have time to quickly disconnect the USB drive and physically move it out of sight. If not, it does provide me with some measure of plausible deniability.

There are no questionable items to be found on my computer, nor the encrypted device... Go ahead and take a look... I challenge you to show me these items! Most likely they aren't going to be able to.

If for some strange reason, the "inspector" is somewhat intelligent enough to figure out the encrypted USB storage trick, and presses me for the password, no problem! A simple white lie, for instance, "an unknown person accidentally left it behind.. I have no clue what the password is. I, being nothing short of a good Samaritan with the best of intentions, simply plugged it into my computer in hopes that I could determine the proper owner and return it to them."

What can they do? And better yet, what can they prove in a court of law? :)

[Disclaimer, I am NOT a Lawyer. I am NOT advocating unauthorized possession of copy-written materials and/ or the mis-leading of authorities. I have carefully reviewed the prevailing law here, the Thailand Computer Crime Act of 2007, and do not see indication of what I am proposing is in violation of any sections of this law. However, again, I am NOT a lawyer and more importantly I am NOT a Thai lawyer.]

On the off chance this helps someone and you end up saving 50,000 THB, feel free to comp my drinks next time I visit your fine establishment.


Thursday, March 26, 2009

A Big F-U to GoDaddy


So it's been a very busy month. I took some holiday time at the beach. From there I was in Bangkok for a week of vendor training. My return home was filled with long days and nights trying to get caught up, as well as preparing for a week-long business trip to Singapore next week.

During all this hubbub of activity, I accidentally let my domain expire. Oops! Oh well, there is a grace period, I can just renew it, right? Not exactly. Turns out that the grace period is only 12 days. After that GoDaddy penalizes you with an outrageous $80 USD "Registry Redemption Fee". Umm, what? Srsly?

"Ok, no problem", I think. I'll just re-register it at another Registrar. NOPE! The domain still shows up as registered to me, but locked by GoDaddy.

So..... Just wait for it to expire and then pounce on it again to re-register? NOPE! Not so easy. Then GoDaddy puts your domain up for Auction for 10 days! Ok, so wait for the auction to finish and hope nobody bids on it? WRONG AGAIN! GoDaddy then puts your domain up on a 5-day Closeout auction /Firesale!

So, in reality when GoDaddy says "Registry Redemption Fee" what they really mean is "We Are Holding Your Domain Hostage Until You Pay an Ungodly Ransom".

Now, because I am in Thailand, let's put that $80 USD into perspective. The average Thai salary here in Chiang Mai is about 10,000 THB/month. Assuming a 4-week month and 40 hours per week (most work more hours and days than that), that means the average pay here is 62.5 THB/hour. The exchange rate is approximately 35 THB per $1 USD. That means that GoDaddy's ransom money equates to about 45 hours of work here. MORE than one week's pay!! Or in other terms, about 93 average lunches (30 THB).

So GoDaddy, I really have no recourse other than to publicize your horrible business practices. Additionally, I did a little bit of Google searching, and it seems I'm not the only one upset with GoDaddy.

I urge everyone to take a look at (nmap) Fyodor's NoDaddy site.

So, again, screw you GoDaddy. Enjoy the extortion money.


Wednesday, February 18, 2009

Tip of the Day: Keeping Web Directories Clean

Just a simple system admin tip of the day.

One issue that I tend to run into quite frequently is Linux directories that are full of cruft from other people and their OSes. A perfect example of this is a web server where multiple people have access to the directory to upload new content, etc. Invariably you end up with backup files, system files from VSS, Windows Thumbs.db files, Apple OSX .DS_Store files, etc.



So to help me clean house, I add 5 or 6 simple rules to the end of my nightly cron jobs:

# abort if the web root is missing, so the finds never run in some other directory
cd /var/www/html || exit 1
# match regular files only, so a directory that happens to carry one of these names is left alone
find . -type f -name "*.bak" -exec rm -f {} +
find . -type f -name "vssver.scc" -exec rm -f {} +
find . -type f -name "Thumbs.db" -exec rm -f {} +
find . -type f -name ".DS_Store" -exec rm -f {} +


This will seek out and remove all these files for me, on a nightly basis.
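The same clean-up as a standalone POSIX shell script suited to cron: it keeps the junk patterns in one list, refuses to run when the web root is missing, only ever deletes regular files (a directory named backup.bak is left alone), stays on one filesystem, supports a dry run, and logs each path it removes so the cron mail shows what happened. This is an added example rather than the post's own cron lines; the function names, the pattern list and the sample web root it builds for itself are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the post): nightly web-root clean-up with a
# pattern list, dry-run mode and logging. find_junk, clean_junk and
# make_sample_webroot are helper names chosen for this example.

# Junk file names to purge from the web root (space separated globs).
JUNK_PATTERNS='*.bak vssver.scc Thumbs.db .DS_Store'

# find_junk DIR
#   Print every regular file under DIR whose name matches a junk pattern.
#   Fails (exit 1) instead of searching elsewhere when DIR does not exist.
find_junk() {
  dir=$1
  [ -d "$dir" ] || { echo "find_junk: $dir is not a directory" >&2; return 1; }
  set -f                      # keep the globs from expanding against the cwd
  set --                      # build the -name ... -o -name ... expression
  for p in $JUNK_PATTERNS; do
    set -- "$@" -o -name "$p"
  done
  set +f
  shift                       # drop the leading -o
  find "$dir" -xdev -type f \( "$@" \) -print
}

# clean_junk DIR [dry]
#   Remove the files find_junk reports, printing one line per file.
#   With "dry" as the second argument nothing is deleted.
clean_junk() {
  mode=${2:-delete}
  find_junk "$1" | while IFS= read -r f; do
    if [ "$mode" = dry ]; then
      echo "would remove: $f"
    else
      rm -f -- "$f" && echo "removed: $f"
    fi
  done
}

# make_sample_webroot  -> path of a constructed web root with junk in it
make_sample_webroot() {
  w=$(mktemp -d)
  mkdir -p "$w/sub" "$w/old" "$w/backup.bak"
  echo '<html></html>' > "$w/index.html"        # real content, must survive
  : > "$w/Thumbs.db"                             # Windows thumbnail cache
  : > "$w/sub/.DS_Store"                         # OSX Finder metadata
  : > "$w/old/index.html.bak"                    # editor backup
  echo 'keep' > "$w/backup.bak/notes.txt"        # directory named *.bak: not a target
  echo "$w"
}

# Cron usage (example crontab line, adjust the path to where you install this):
#   0 3 * * * /usr/local/sbin/clean_webroot.sh /var/www/html
if [ "${1:-}" = "--demo" ]; then
  w=$(make_sample_webroot)
  clean_junk "$w" dry
  clean_junk "$w"
  rm -rf "$w"
elif [ $# -eq 1 ]; then
  clean_junk "$1"
fi
```

The pattern list is the only thing that normally changes; because it is expanded with globbing switched off and passed to find as -name tests, adding "*~" or "*.orig" is a one-word edit and never risks matching files in whatever directory cron happens to start in.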

