ERR – Exponentially Expanding Rants

I’m expanding! Not only am I ranting on my own soap box (blog), now you can read my rants on other blogs as well: fudsec just published my Knowing Walls from Speed Bumps rant. Thank you! If you are fed up with FUD in the security industry, check out the site and went away! Who knows, maybe we can even change a thing or two (yeah, righ!).

Thanks again to the fudsec guys for publishing my “article”.

Picture taken from Serendigity's photostream with permission.

The Myths of Innovation

Some time ago I ranted about cognitive quantum leaps. Below is a presentation given at Google by Scott Berkun about the same topic. While the talk itself is two years old, the examples are still very relevant, and he presents it very eloquently. Enjoy!

Carcassonne – a great boardgame

My personal favorites are (board)games which create complexity from simple rules, for example chess, go or FPSs in the virtual world. A boardgame which comes close to this ideal is Carcassonne. The rules can be explained in less than two minutes and it is great fun! See below the recording of a nine hour game:

Don’t be afraid though, that one was played using tiles from 3 sets. A normal game lasts around 30 minutes. You can buy the game on Amazon (disclosure: the link contains my affiliate ID) or, if you are in Romania, you should check out cutia.ro.

Have fun!

PS. There seemed to have been a site where you could play it online, but it seems to be offline. There is some speculation that this is due to copyright violation on the part of the site and/or due to the site being hacked.

delicious/cdman83

InstEd It! - InstEd - Make packaging more productive Posted: 26 Aug 2009 11:45 PM PDT

Tv's cobweb: Git for Computer Scientists Posted: 29 Aug 2009 07:13 AM PDT

Pro Git - Table of Contents Posted: 29 Aug 2009 07:12 AM PDT

StockCharts.com - ChartSchool - ChartSchool Posted: 29 Aug 2009 06:24 AM PDT

CrypTool - Educational Tool for Cryptography and Cryptanalysis Posted: 29 Aug 2009 06:23 AM PDT

apache.org incident report for 8/28/2009 : Apache Infrastructure Team Posted: 02 Sep 2009 05:00 AM PDT

Computer Repair with Diagnostic Flowcharts - Troubleshooting Dell, HP, Sony, eMachines, IBM, Compaq and Gateway PC's Posted: 02 Sep 2009 11:15 PM PDT Via http://travisepperson.blogspot.com/2009/09/pc-repair-flow-charts.html

Free Automated Malware Analysis Services Posted: 04 Sep 2009 03:27 AM PDT

How to Use Operating System Styles in CSS Posted: 17 Sep 2009 07:42 AM PDT Operating System theme. This can be useful in situations when you require tighter OS integration, e.g. HTML help files, Adobe AIR or perhaps offline web applications.

libguestfs, library for accessing and modifying guest disk images Posted: 18 Sep 2009 03:39 AM PDT

CANABALT Posted: 17 Sep 2009 11:36 PM PDT

Zachtronics Industries - Ruckingenur Editor Posted: 22 Sep 2009 08:31 AM PDT

Amintiri din Epoca de Aur Posted: 24 Sep 2009 11:28 AM PDT

offset-derfilm - Startseite Posted: 24 Sep 2009 11:28 AM PDT

EasyHook - The reinvention of Windows API Hooking - Home Posted: 24 Sep 2009 10:07 AM PDT

Network Forensics Contest submission

Some time ago I mentioned the Network Forensics Puzzle. The contest is now over and since I didn’t win, I’ll publish my submission below – it was after all correct, but not quite what the judges were looking for (congratulation to the winner).

After validating that the MD5 sum for the downloaded file matches the one specified on the website, I first opened it up in NetworkMiner (http://networkminer.sourceforge.net/). I find the overview it gives much easier to understand than the statistics provided by Wireshark. Using it I identified the data stream between Ann's computer and the unidentified laptop.

1. What is the name of Ann’s IM buddy?
Sec558user1 - this is tricky because the IM (which seems to be AOL - but many other IM's behave in a similar fashion) routes chat traffic trough central servers (64.12.24.50 in this case - which belongs to AOL, making it even more probable that AIM was used) to make NAT traversal a non-issue, while file transfers are done trough direct connection to conserve bandwidth.

2. What was the first comment in the captured IM conversation?
Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
(actually, > is escaped as HTML - ie >)

3. What is the name of the file Ann transferred?
recipe.docx

4. What is the magic number of the file you want to extract (first four bytes)?
50 4B 03 04 - Which corresponds to PK..., signaling that we are potentially dealing with a ZIP archive here. This is further reinforced by the filename (.docx, which is the new "open" document format from Microsoft - basically, it consists out of a zipped XML - similarly to the OpenOffice.org format)

5. What was the MD5sum of the file?
8350582774e1d4dbe1d61d64c89e0ea1

This is again tricky, because ZIP (like many other formats) admit arbitrary data after the logical end of the file. So, using a hex editor, we first carve the the part starting at PK in the 192.168.1.158 -> 192.168.1.159 (be careful not to include the traffic in the reverse direction). Then we need to convince ourselves that the end of the file has been correctly identified at the byte level. To do this we could study the ZIP specification (http://www.pkware.com/index.php?option=com_content&task=view&id=64&Itemid=107) or use a more empirical level: using a hex editor (HxD for example - http://mh-nexus.de/en/hxd/) eliminate the last byte of the file and "test" the integrity of the file (using the Test option from 7-zip for example - http://www.7-zip.org/ - but one could use almost any de-archiving program, since almost all of them offer a "Test" option). The test will fail. Now add back the last byte (which is 0x00) and perform the test again. It will succeeded. This means with a big probability that we correctly identified the actual (logical) end of the file.

6. What is the secret recipe?
The most recent version of OpenOffice.org (3.1.x) can open the docx format, so the following can be retrieved on any platform, regardless of whether MS Office 2007 is installed (an alternative solution would be to use the free MS Word 2007 viewer or the import filters available for older versions of MS Office).

The contents (sans the formatting):
Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove  the  saucepan from heat.  Allow to cool completely. Pour into gas tank. Repeat as necessary.

Back with a vengeance

I’ve had limited connectivity / time in the last couple of weeks, but I’m back baby!

The lesson of the day: you shouldn’t let your AV vendor provide general security. The lesson comes to us via Graham Cluley’s Sophos blog, which informs us that Sophos released a free encryption tool. So, what’s wrong with it?

• It uses symmetric crypto! Let me repeat that for you: it uses symmetric cryptography and recommends that you communicate the encryption password to the counterparty via an other communication channel. So much for ease of use and the asynchronous nature of email!
• The feature sheet starts out by declaring that PKI has failed us, and then it touts a proprietary centralized solution for managing passwords.

In conclusion: this is a software which shouldn’t have been made. It is simplistic, cumbersome to use and provides no added benefit over using something like 7-zip with encryption (which also uses AES, also does compression – most probably better compression – and it to can create SFX password protected archives).

Go and install Thunderbird with Enigmail.

For added fun: the brochure says “Protects against “brute force” attacks by increasing response times each time the user enters the wrong password”, and they then proceed to give you a CLI and COM interface to the program which can be used directly to bruteforce the archives and without these timeouts. Nice!

Ethical Hacker challenge “Prison Break” solution

As I usually do, I’ll publish my entry for the Ethical Hacker challenge after the deadline passed:

Challenge Question 1: What is the most probable reason Michael could not get network connectivity from the desk Ethernet jack?  What actions should the team take to determine exactly what is going on, collect full traffic captures, and gain full access to the network?

Most probably the switch to which the given port is connected has MAC address filtering turned on. To circumvent this, they must clone the MAC address of the VOIP phone.

The easiest way to do this is to start capturing the traffic on the network interface of the laptop and then plug the VOIP phone into it. The initial packets (most probably DHCP requests) will reveal the phone MAC address. Sidenote: most ethernet ports these days are auto-sensing (ie. no crossover cable is required). But just to make sure, one should use a crossover cable or an intermediate switch (not hub!) is one is available. After the MAC address has been determined, the host OS should be instructed to use the given MAC address for the laptop network card. You can find instructions for Linux here: http://linuxhelp.blogspot.com/2005/09/how-to-change-mac-address-of-your.html and for Windows here: http://www.irongeek.com/i.php?page=security/changemac

Sidenote: given that the packet captures show two distinct networks (192.168.1.0/24 and 172.29.0.0/16), it is clear that the administrators have tried to separate the computer networks from the VOIP one. However, relying only on different (sub-)nets is extremely weak and at least VLAN level separation should have been implemented (then again, maybe the available switches don't have VLAN features). 172.29.0.0/16 most probably is the VOIP network, since we see SIP packets on it and 192.168.1.0/24 the computer network.

If only MAC filtering is implemented, after changing the MAC address, it is possible to join any of the two available networks, meaning that they can interact with the "computer" network, even if the given port was originally assigned to a VOIP phone.

Challenge Question 2: What tool should Lincoln download, if any, to be able to capture traffic on the desktop computer?

Sectools.org contains a nice list of available packet sniffers ( http://sectools.org/sniffers.html ). Given the constraints, my tool of choice would be WinDump, the Windows port of tcpdump ( http://www.winpcap.org/windump/install/ )

Challenge Question 3: Starting with the reverse connection from the desktop computer, describe a step-by-step approach that could be applied prior to 09:00 the next day in order to capture the network traffic on the remote network and get a capture file for further in-depth analysis. Make sure your approach follows Michael's advice to avoid detection.

• download WinDump ( http://www.winpcap.org/windump/install/bin/windump_3_9_5/WinDump.exe ) and WinPcap to the laptop
• use the instructions provided at the following link to construct a portable version of WinPcap: http://paperlined.org/apps/wireshark/winpcap_silent_install.html
• you can package up all the files (WinDump and the WinPcap DLLs + driver) into a single file using the SFX functionality from 7zip. To make sure that you don't get under the 0.5 meg limit, use Zip with the Store algorithm
• upload the resulting file to the general's desktop (this part of the challenge is a little forced IMHO, since the IDS should have detected the reverse connection if it is sensible to long-lived, low traffic connections...)
• launch the SFX, wait until all the files are extracted and copy npf.sys into c:\Windows\System32\drivers
• before 9:00 AM (at 8:55 for example) launch WinDump (this will capture at most 5 MB of data):

  WinDump -i 1 -w capture.pcap -C 5

• after WinDump has stopped, retrieve the capture file and clean up (delete the driver, the SFX file, etc)

Challenge Question 4: Help the team complete this aspect of their mission by analyzing the packet capture file collected on the desktop computer and provide detailed information about the environment. Your response should at least include the type of network traffic collected, details about the General’s laptop computer, details about the Scylla Codes server plus any other server available, and provide the names and contents of the files stored on the server the input passphrase is based on.

The collected traffic consists of 6 requests made to the Scylla server (10.10.20.94) using HTTPS. To decode them, first convert the provided key file into PEM format with OpenSSL:

openssl rsa -in server.key -out server_key.pem 

Then use the resulting PEM file as described here for example to let Wireshark decode the traffic: http://www.novell.com/coolsolutions/appnote/19321.html

Now you can use the "Follow SSL stream" functionality from Wireshark to analyze each request. From the headers it seems that the general's laptop is running Windows Vista Media Center (tablet? edition), while the Scylla server is running Linux/Apache:

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506) 
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 PHP/5.2.9 

Challenge Question 5: What are the validation code and input passphrase used by the General to generate the Scylla validation code for this week?

The validation code is "6189db841f01413a05a53b7135137a17"

BONUS QUESTION: Briefly describe your recommendations about how The Company could have detected and defended against the tactics you described in your answer to Question 3.

The attack could have been prevented by using a whitelisting product which doesn't let unknown executables be started. Other mitigating measures would be:

• using Group Policy to disable autorun
• using Group Policy to controls what kind of USB devices can be used: http://www.windowsecurity.com/articles/Control-USB-Devices-Group-Policy.html
• using a switched network
• using an outbound proxy and make sure that only valid HTTP/HTTPS traffic can leave the network

One could work around many of these restrictions (for example: finding a vulnerability in an installed software, running meterpreter in-process, killing the whitelisting software, masking the outbound connection as a HTTP one, using ARP spoofing to get around the switched network, etc), but it raises the bar considerably.