
February 27, 2006

A bad day in IT...

A bad day in IT is when you discover that one of your servers has been compromised. A really bad day is when you realize:

"...the compromised machine was one of the state government's smaller servers. But it was used by the Division of Motor Vehicles for processing payments by credit or debit card. And by the state Liquor Commission as a backup system for processing sales at state-owned liquor stores. And for collecting donations to support the New Hampshire Veterans Home."

It gets worse when you realize that:

"They knew they were stretched too thin on security, which is why they were testing an automated intrusion-detection tool. That's how the Cain & Abel program, which can capture credit card numbers, was discovered."

Yes, a bad day is when you find Cain & Abel installed on a server that houses credit card data for three different organizations. And I thought my week was rough :)

.com

Full Story

February 26, 2006

PaulDotCom Security Weekly - Episode 16 - Feb 24, 2006

Live from Paul's Dojo....

  • Sponsored by Core Security, listen for the discount code at the end of the show
  • Sponsored by Syngress, be the first to post the answer to the question at the end of the show and win a free book!
  • Last week's winner was Steve Murawski, who is now the proud 0wner of "Penetration Testing Open Source Toolkit"
  • Please go update our Frappr map!
  • Paul talks about 2 security incidents, DoS from Japan, Smurfs
  • Larry did no work this week
  • Nick has interns
  • Listener feedback: John Sawyer points out that the Nmap "-sV" option dates back to the 3.4x releases
  • Fred mentions the Washington Post article, "Invasion of the Computer Snatchers"
  • Almost bricked a WRT54G; go HERE for all the processor types and the flash matrix
  • Mason has his boss ping China
  • Paul plugs his company, Defensive Intuition: policy writing, vulnerability assessments, penetration testing...
  • OS X users should check out ClamXav
  • Full Show Notes

Hosts: Larry Pesce, Paul Asadoorian, "Twitchy", "The Mason"
Email: psw@pauldotcom.com

Direct Audio Download
Direct Video Download (Questionable this week, I will keep you posted)

(Bandwidth provided by OSHEAN, Ridin' the cool wave)

Video Feeds:

Audio Feeds:

February 22, 2006

OS X: Zip archive remote exploit

The trojans are definitely coming. As many have probably noticed, security researchers found a flaw in OS X that allows attackers to execute arbitrary code. The most popular delivery vector is Safari: with "Open safe files after downloading" enabled it unpacks a downloaded zip archive and opens the file inside, and a file that looks like a movie can carry metadata that binds it to a very different application. The best write-up is from the SANS ISC:

Serious flaw on OS X

You can find the proof of concept exploit here, and a write-up of how it can be exploited via email here.

There is no patch available. In the meantime:

  • Disable "Open safe files after downloading" in Safari's preferences
  • Use Firefox on OS X (which does not appear to be vulnerable)
  • Be very careful about opening attachments in email and downloaded files


A good step to take if you are suspicious comes from the ISC write-up:

$ unzip Mac-TV-Stream.mov.zip
Archive: Mac-TV-Stream.mov.zip
inflating: Mac-TV-Stream.mov
creating: __MACOSX/
inflating: __MACOSX/._Mac-TV-Stream.mov

The metadata file in this example is ._Mac-TV-Stream.mov, the AppleDouble sidecar that the Finder's archiving writes under __MACOSX/ to carry resource-fork data and Finder info for the real entry. It is a binary file, but even running the simple strings command on it reveals which application the archive has bound to the main file, which is what actually gets launched when the "safe" .mov is opened:

$ strings ._Mac-TV-Stream.mov
%/Applications/Utilities/Terminal.app

A zip file could be masking malicious code, so be careful. Oh, and HD Moore has added this to Metasploit; exploit here.
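The strings check above is easy to automate for every archive before you let anything open it. The following is an added example, not code from the ISC write-up or from this site: it builds a constructed sample archive (a .mov entry whose __MACOSX/._ sidecar is loosely modelled on an AppleDouble file and names Terminal.app, with a harmless echo as the payload), pulls the .app paths out of each sidecar the way strings(1) would, and flags any entry whose extension does not account for the application it is bound to. The EXPECTED_APPS table is an assumption for illustration, not something the write-up specifies.

```python
import io
import re
import zipfile

APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # header of a ._ (AppleDouble) sidecar


def build_sample_zip() -> bytes:
    """Constructed sample, not the ISC proof of concept. The visible entry is a
    .mov; its __MACOSX/._ sidecar is loosely modelled on an AppleDouble file and
    carries a usro resource naming Terminal.app, which is what binds the entry
    to that application. The payload is a harmless echo."""
    payload = b"#!/bin/sh\necho 'constructed sample, not a real payload'\n"
    sidecar = (
        APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\x00" * 24
        # the byte before the path shows up as '%' in strings output, as in the ISC listing
        + b"usro\x00\x00\x00%/Applications/Utilities/Terminal.app"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Mac-TV-Stream.mov", payload)
        zf.writestr("__MACOSX/._Mac-TV-Stream.mov", sidecar)
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


def strings(data: bytes, min_len: int = 4):
    """Mimic strings(1): runs of printable ASCII at least min_len bytes long."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


APP_PATH = re.compile(rb"/[\x20-\x7e]*?\.app\b")  # shortest /...app path in a run


def find_app_bindings(zip_bytes: bytes) -> dict:
    """Map each real entry to the .app paths found in its __MACOSX/._ sidecar."""
    bindings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith("__MACOSX/"):
                continue
            # __MACOSX/<dir>/._<file> mirrors <dir>/<file> in the archive proper
            head, _, tail = name[len("__MACOSX/"):].rpartition("/")
            if not tail.startswith("._"):
                continue
            target = f"{head}/{tail[2:]}" if head else tail[2:]
            apps = []
            for run in strings(zf.read(name)):
                apps.extend(m.group(0).decode("ascii") for m in APP_PATH.finditer(run))
            if apps:
                bindings[target] = apps
    return bindings


# Assumed, not from the ISC write-up: which application a "safe" file type
# should plausibly be bound to. Any other binding, and any binding on a type
# not listed here, gets reported.
EXPECTED_APPS = {
    ".mov": {"QuickTime Player.app"},
    ".jpg": {"Preview.app"},
    ".jpeg": {"Preview.app"},
    ".png": {"Preview.app"},
}


def suspicious_bindings(zip_bytes: bytes):
    """(entry, app_path) pairs where an entry is bound to an app its extension
    does not account for; Terminal.app on a .mov is the ISC case."""
    flagged = []
    for entry, apps in find_app_bindings(zip_bytes).items():
        dot = entry.rfind(".")
        ext = entry[dot:].lower() if dot != -1 else ""
        for app in apps:
            if app.rsplit("/", 1)[-1] not in EXPECTED_APPS.get(ext, set()):
                flagged.append((entry, app))
    return flagged


if __name__ == "__main__":
    sample = build_sample_zip()
    for entry, app in suspicious_bindings(sample):
        print(f"SUSPICIOUS: {entry} is bound to {app}")
```

Run it against a real download with `suspicious_bindings(open(path, "rb").read())`. A sidecar naming Terminal.app, Script Editor or anything else that will execute what it is handed, attached to a file calling itself a movie or an image, is the signature of this attack regardless of what the payload looks like.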

.com

PaulDotCom Security Weekly Featured in InfoWorld Article

In an article titled "IT security podcasts you can't miss", PaulDotCom Security Weekly was mentioned as one of six podcasts featured in Roger Grimes's article. We're in good company with the likes of Security Now!, SABAG Security, and Martin McKeay's Network Security Blog.

We did get the "Microsoft Haters" label, which of course is totally not true (a strong opinion maybe, but we're certainly not haters :)

Some good security podcasts that I listen to that did not make the list are Sploitcast, Binrev, and a few others I just started listening to at Hacker Media.

If you are into Phone Phreaking, check out PLA (Phone Losers of America) podcast. Very funny!

We thank Roger for the article...

.com

February 20, 2006

PaulDotCom Security Weekly - Special Edition - Interview with Mike Poor & Ed Skoudis - Part II - Feb 12, 2006

In part II of our interview we discuss:

  • Brazilian hacker groups
  • The physical manifestation of the NOP Sled
  • OS Security/Insecurity, Shmoocon OS X Hack, OS X predictions
  • Apple's move to Intel and its impact on security
  • Bastille for Mac OS X
  • Why not to hack your attacker
  • Mike tells us a botnet story
  • Preview of Mike/Ed's current projects such as Anti-Spyware testing and VMware escaping research, "The Skoudis & Poor 50", "Counterhack: Reloaded", "Packet Wars"

Hosts: Larry Pesce, Paul Asadoorian, "The Mason"
Email: psw@pauldotcom.com

Direct Audio Download

(Bandwidth provided by OSHEAN, ISP: Reloaded)

Audio Feeds:

OS X: The Trojans Are Here

While I do my best not to be the grim reaper of IT security, I believe that the recent release of OS X trojans is a bit more significant than others. Here is a brief rundown of the recently discovered malware:

  • CME-4 (OS X Leap.A) - Disguised as screenshots of OS X 10.5 "Leopard", this malware travels through iChat and presents itself as a compressed file. In order to get infected a user would have to download this file, uncompress it, click on the JPG image inside, then enter the administrator username and password. Whew, that's a lot of work to get infected. However, keep in mind that viruses on the PC side travel as compressed email attachments with the password contained in the email, and these have been known to be successful. Once CME-4 infects a system it runs through the standard malware behavior: it embeds itself into existing binaries on the system, attempts to propagate, and, in true malware fashion, contains bugs that prevent it from performing certain tasks (maybe it's a good thing malware writers don't unit test or QA their code :).
  • OSX/Inqtana.A - This worm uses a Bluetooth vulnerability from May 2005 to spread from computer to computer. The worm, quite frankly, is pretty lame. It shuts itself off after February 24, 2006. Users must accept the data transfer over Bluetooth (which means Bluetooth must be enabled). It has mechanisms to spread to other computers, but there are no reports of it in the wild and it does not appear to do anything other than spread, hence it is being dubbed a "proof of concept".

When you look at the above malware you probably come to the same conclusion as most: "No big deal, the malware doesn't really do anything bad, nor does it spread very well." And you're right; the risk that this malware poses by itself does not warrant classification as a critical security threat. However, it is very likely a sign of things to come. I'd like to jump in the time machine and take us back to the days of Code Red. It spread fast, but it was pretty lame too. It was memory resident. It merely defaced the web page. It had no backdoor. It was pretty easy to detect. Remember what happened after? We got hit with Code Red II, Nimda, and a slew of other worms that plagued our networks for years to come. Was Code Red a test? I think so (think about how hard it is to build a worm test lab that emulates the Internet and people's behavior). Wait, people's behavior? Yes: not only do I believe that malware writers release worms to test code and see how a worm propagates on the network, they release them to test our reaction. How do users respond? How do anti-virus companies respond? How well does current anti-virus software pick up the new malware? OS X and its user base have been largely untested when it comes to malware, and in my opinion are very unprepared.

The canary is dead. OS X users need to start running out of the mines they have been so deeply buried in all this time.

So what do we do? Here are some tips, that will come as no surprise to those who are familiar with locking down a UNIX or Windows host:

  • Patch - You not only need to patch your operating system, but all of your applications as well. Applications such as VersionTracker can help you do this.
  • Firewall - The built-in firewall in its default configuration is very weak. It should definitely be enabled, but some work must be done to overcome its shortcomings (ever try to Nmap an OS X host? Try fragmenting the packets with -f, or setting your source port to 20 with -g 20). Also consider a third-party add-on such as BrickHouse to ease the configuration pain, unless you are really good with ipfw.
  • Anti-Virus - These products do exist, and now is probably a good time to start using them. You can try Virex or ClamAV.
  • Disable unnecessary services - Bluetooth would fall into this category, in addition to any other services you have enabled on your OS X system that you do not use.
  • Proper user permissions - If it can be helped, do not run with a user that has administrative privileges. I run as a normal user in OS X, then use fast user switching to log on as administrator. I know that in previous articles I have warned against fast user switching, as it does create some physical security concerns, but in this case I think it's more important to be able to log on with regular user privileges.

.com

February 19, 2006

PaulDotCom Security Weekly - Episode 15 - Feb 17, 2006

Hosts: Larry Pesce, Paul Asadoorian
Email: psw@pauldotcom.com

Direct Audio Download
Direct Video Download

(Bandwidth provided by OSHEAN, They be big pimpin')

Video Feeds:

Audio Feeds:


February 16, 2006

PaulDotCom Security Weekly - Interview with Mike Poor & Ed Skoudis - Part 1

We are very excited to present to our listeners an exclusive interview with Mike Poor & Ed Skoudis of Intelguardians and The SANS Institute. Larry, The Mason, and I spoke with Mike and Ed about a wide range of information security topics. This is part I of a two-part interview.

In part I we discuss:

  • First computers that Mike and Ed owned (NOT 0wn3d, see part II for that, kidding of course :)

  • How Mike and Ed got their start in the information technology field

  • They describe the primary courses they teach at SANS, GCIA and GCIH

  • A really good description of SANS EDU

  • Their experiences as incident handlers for The Internet Storm Center (ISC)

  • Recent security incident trends, such as more hackers going to jail

  • Botnet economics and strategies, plus ways to defend against the almighty botnet

  • Current malware trends and defense mechanisms, including Mike Poor's commentary on IDS and malware

Hosts: Larry Pesce, Paul Asadoorian, "The Mason"
Email: psw@pauldotcom.com

Direct Audio Download

(Bandwidth provided by OSHEAN, Because we're poor and can't afford it)

Audio Feeds:


February 10, 2006

PaulDotCom Security Weekly - Episode 14 - Feb 12, 2006

Update: The short metasploit video has been posted.

A big thanks to George Starcher of In The Trenches for helping me with some of our audio problems and teaching me how to edit with Soundtrack Pro. This is the first time that we have integrated other content into our video, so please bear with us through our "firsts".

Hosts: Larry Pesce, Paul Asadoorian
Email: psw@pauldotcom.com

Direct Audio Download
Direct Video Download

(Bandwidth provided by OSHEAN, They're cool, because they let us play in their sandbox)

Video Feeds:

Audio Feeds:

Dawn of the undead, Attack of the bots - What to do!

"What's more worrying is that it's not unusual for PCs on private networks to get infected too, and once one PC in an organisation has it, it starts recruiting its colleagues too.

The risk isn't just spam or DoS attacks - zombie packages can have a range of features in them, including remote control, and the first targeted malware attacks have now been reported, such as one which aimed to steal data from the UK parliament."

We all know that botnets are bad, they do the evil bidding of attackers all across the globe. Criminals rent botnets (why buy when you can rent?), spammers use them to send the latest emails that claim to enlarge mail body parts, and I swear there must be a permanent botnet aimed at grc.com ready to take it down upon command. If you don't know what I am talking about, you should check out this great article about botnets. If you want to know what you can do to prevent botnets, here are a few tips:

  • Proxy all outbound connections from your network - When I helped manage the security for a large corporate network we had a bank of proxy servers. No one could get out to the Internet unless they went through one of these bad boys. We used Squid running on FreeBSD, which is an excellent combination. You get the added bonus of caching, which means the proxy server can store images for a limited amount of time and serve them up to save bandwidth and make web browsing a little quicker.
  • Don't just rely on Anti-Virus and Anti-Spyware - I see so many machines that have the latest anti-virus definitions and anti-spyware software/definitions become part of a botnet. Why? Because, as the article says, botnet herders are getting smarter and evading our defenses. Take a look at Cisco CSA, and give the new Core Force a try (it's still in beta, but may be worth looking at in the lab). These are behavior-based host intrusion prevention systems that can protect you from zero-day malware and help avoid those pesky bots.
  • Use your IDS wisely, Grasshopper - Your IDS can be used to detect botnet activity before and after infection. The Bleeding-Rules project has many good rules for detecting IRC bots, and I've got a few homegrown sigs that have proven useful (drop me an email and I will send them along).
  • Review your outgoing traffic daily - In addition to your IDS, using tools such as IPAudit, Argus, Flow-tools, and the like, you should be able to get a good idea of what normal means on your network. Then you can start to look for anomalies, such as the number of outgoing sessions, the top outgoing bandwidth consumers, and other factors. Also, once you find one host that has become part of a botnet you can study its traffic, then see what other hosts exhibit the same traffic. This helps you be certain you remove all the botnet participants from your network.
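The last two tips are the ones that need a little tooling, so here is an added example (mine, not from the article or from any of the tools named above) that works over a constructed set of flow records of the kind flow-tools or Argus would hand you. It finds outbound-heavy hosts against a per-host median baseline, lists hosts talking to IRC ports, and, given one host you already know is a bot, pulls out the other internal hosts that reached the same destinations. The 10.1.1.0/24 internal range, the addresses, and the flows themselves are all made up for the example.

```python
import ipaddress
import statistics
from collections import Counter, defaultdict

INTERNAL = ipaddress.ip_network("10.1.1.0/24")  # assumed internal range

# Constructed flow records, in the spirit of what flow-tools or Argus would give
# you: (src, dst, dst_port, proto). Not captured from any real network.
FLOWS = [
    # 10.1.1.10 and 10.1.1.13: ordinary browsing and mail
    ("10.1.1.10", "198.51.100.20", 80, "tcp"),
    ("10.1.1.10", "198.51.100.21", 443, "tcp"),
    ("10.1.1.10", "198.51.100.22", 80, "tcp"),
    ("10.1.1.13", "198.51.100.20", 80, "tcp"),
    ("10.1.1.13", "198.51.100.30", 25, "tcp"),
    # 10.1.1.12: quiet, but it talks to the same IRC server as the known bot
    ("10.1.1.12", "198.51.100.20", 80, "tcp"),
    ("10.1.1.12", "203.0.113.7", 6667, "tcp"),
    # internal-only chatter, which the outbound filter must drop
    ("10.1.1.10", "10.1.1.1", 53, "udp"),
]
# 10.1.1.11: the known bot, beaconing to IRC and spraying SMTP at 30 hosts
FLOWS += [("10.1.1.11", "203.0.113.7", 6667, "tcp")] * 6
FLOWS += [("10.1.1.11", f"192.0.2.{i}", 25, "tcp") for i in range(1, 31)]


def outbound(flows):
    """Keep only flows that leave the internal network."""
    return [f for f in flows
            if ipaddress.ip_address(f[0]) in INTERNAL
            and ipaddress.ip_address(f[1]) not in INTERNAL]


def sessions_per_host(flows):
    """Outbound session count per internal host."""
    return Counter(src for src, _, _, _ in outbound(flows))


def fanout_per_host(flows):
    """Number of distinct external destinations per internal host."""
    dests = defaultdict(set)
    for src, dst, _, _ in outbound(flows):
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def anomalous_hosts(flows, factor=3.0):
    """Hosts whose outbound session count or destination fan-out is more than
    factor times the median across hosts. The median, not the mean, is the
    baseline so that one noisy bot does not drag the yardstick up with it."""
    sessions = sessions_per_host(flows)
    fanout = fanout_per_host(flows)
    session_bar = factor * statistics.median(sessions.values())
    fanout_bar = factor * statistics.median(fanout.values())
    return {h for h in sessions
            if sessions[h] > session_bar or fanout[h] > fanout_bar}


def irc_talkers(flows, ports=(6667,)):
    """Hosts with outbound sessions to IRC ports, the classic bot rendezvous."""
    return {src for src, _, dport, _ in outbound(flows) if dport in ports}


def peers_of(flows, infected, ports=None):
    """Other internal hosts that reached a (destination, port) the infected host
    reached. Restrict ports to the C2 port once you know it, or every host that
    shares a popular web site with the bot will show up too."""
    out = outbound(flows)
    c2 = {(dst, dport) for src, dst, dport, _ in out
          if src == infected and (ports is None or dport in ports)}
    return {src for src, dst, dport, _ in out
            if src != infected and (dst, dport) in c2}


if __name__ == "__main__":
    print("anomalous:", sorted(anomalous_hosts(FLOWS)))
    print("IRC talkers:", sorted(irc_talkers(FLOWS)))
    print("share a destination with 10.1.1.11:", sorted(peers_of(FLOWS, "10.1.1.11")))
```

The median baseline is the point of the example: with a mean, one bot pushing thousands of sessions raises the bar high enough to hide a second, quieter one. Run the anomaly pass daily over the previous day's flows, and run `peers_of` with the C2 port pinned as soon as the first infected host is confirmed.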

Full Article

.com

February 07, 2006

Global WiFi Hotspot: FON

No, the SSID for this one is not "linksys"; it's a new company called FON that just got some major investment from Google & Skype.

So here's the deal: you take DD-WRT and hack it up so that any Linksys WRT54G/GS/GL series 2-4 router running it can be part of the global hotspot network. Anyone who has an account can associate to one of the access points and gain access to the Internet. Cool, huh? There are even different types of setups. You can be a Linus, a Bill, or an Alien:


A Linus is any user who shares his/her WiFi in exchange for free access throughout the Community wherever there is coverage. A Bill is a user who, instead of roaming for free, prefers to receive 50% of the fees that FON charges to Aliens. And Aliens are those users who do not share their WiFi access and therefore must pay FON a modest fee every time they connect through a Fonero access point.

I think this is a great idea; however, it is severely flawed at the moment, in my opinion, because while they offer identification (username/password) they do not use encryption by default. It would be most excellent if they implemented this system using WPA(2) Enterprise for encryption and authentication. Of course, they would then have to choose an EAP type (like PEAP or TTLS), which would be more difficult to configure and/or require a third-party client. For example, you can get a free EAP-TTLS client for Windows called SecureW2, and OS X comes with an EAP-TTLS client; EAP-TTLS is my recommendation for enterprise WPA at this time.

.com

French cops ditch IE

"The French police force plans to ditch Microsoft's Internet Explorer as its preferred browser software and replace it with Firefox by the end of the year."

While I can write and talk about the security advantages of running Firefox over IE, some people actually act on it, like the French police force. IE 7 has not yet proven that it will fix the security problems in IE, many of which, as most of us know, stem from ActiveX. But will Microsoft keep ActiveX? I think yes, and one big reason is that numerous very large web sites depend on it. For now, I suggest you use Firefox. Of course, you already know that, because most people who come to this web site already use Firefox (user agents for January 2006):

#   Hits    %       User Agent
1   15284   12.21%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko
2   8256    6.59%   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
3   7481    5.98%   iTunes/6.0.1 (Windows; N)
4   6066    4.85%   FeedDemon/1.5 (http://www.bradsoft.com/; Microsoft Windows XP
5   4835    3.86%   SharpReader/0.9.6.0 (.NET CLR 1.1.4322.2032; WinNT 5.1.2600.0
6   4283    3.42%   iTunes/6.0.2 (Macintosh; N; PPC)
7   3963    3.17%   NetNewsWire/2.0.1 (Mac OS X; http://ranchero.com/netnewswire/
8   3521    2.81%   iTunes/6.0.2 (Windows; N)
9   3366    2.69%   Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12)
10  3356    2.68%   Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.3)

So your job now is to spread the word to all those IE users :)

Full Article

.com

February 05, 2006

PaulDotCom Security Weekly - Episode 13 - Feb 3, 2006

For the first time we will be releasing the audio and video versions of our show at the same time! Of course, we've still got some audio issues that need to be addressed, and hopefully we will have some better video content coming soon. Got some suggestions? Send us feedback!

Hosts: Larry Pesce, Paul Asadoorian, "The Mason"
Email: psw@pauldotcom.com

Direct Audio Download
Direct Video Download

(Bandwidth provided by OSHEAN, The host with the most)

Video Feeds:

Audio Feeds:

February 03, 2006

Nmap 4.00 - A Brief Tutorial

Started to mess around with some of Nmap 4.00's new features. Here's what I found so far.

The live interaction is way cool:

# nmap -sP 192.168.0.0/16

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 12:56 EST
Interactive keyboard commands:
? Display this information
v/V Increase/decrease verbosity
d/D Increase/decrease debugging
p/P Enable/disable packet tracing
anything else Print status
More help: http://www.insecure.org/nmap/man/man-runtime-interaction.html

The v/V and d/D work like a slider. So if you push "v" it increases the verbosity by 1 (by default they are set to 0). Pressing "V" decreases the verbosity. like so:

# nmap -O 192.168.23.0/24

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 13:01 EST
Verbosity Increased to 1.
DNS resolution of 9 IPs took 0.00s. Mode: Async [#: 2, OK: 8, NX: 1, DR: 0, SF: 0, TR: 9, CN: 0]
Initiating SYN Stealth Scan against 5 hosts [1672 ports/host] at 13:01
Discovered open port 443/tcp on 192.168.23.5
Discovered open port 443/tcp on 192.168.23.20
Discovered open port 25/tcp on 192.168.23.5
Discovered open port 25/tcp on 192.168.23.6
Discovered open port 80/tcp on 192.168.23.20
Discovered open port 21/tcp on 192.168.23.20
Discovered open port 22/tcp on 192.168.23.5
Discovered open port 22/tcp on 192.168.23.6
Discovered open port 22/tcp on 192.168.23.20
Discovered open port 139/tcp on 192.168.23.20
Discovered open port 548/tcp on 192.168.23.20
Discovered open port 445/tcp on 192.168.23.20
Discovered open port 37/tcp on 192.168.23.5
Completed SYN Stealth Scan against 192.168.23.5 in 1.45s (4 hosts left)
Completed SYN Stealth Scan against 192.168.23.20 in 2.47s (3 hosts left)
Completed SYN Stealth Scan against 192.168.23.6 in 2.50s (2 hosts left)
Verbosity Decreased to 0.

You can do the same with debug information by using "d/D":

# nmap -O 192.168.23.0/24

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 13:03 EST
Debugging Increased to 1.
Finished block: srtt: 232070 rttvar: 303203 timeout: 1444882 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 23
Finished block: srtt: 232070 rttvar: 303203 timeout: 1444882 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 27
We got a ping packet back from 192.168.23.100: id = 62034 seq = 23724 checksum = 45312
Hostupdate called for machine 192.168.23.100 state UNKNOWN/COMBO -> HOST_UP (trynum 0, dotimeadj: yes time: 4186)
We got a TCP ping packet back from 192.168.23.100 port 80 (hostnum = 100 trynum = 0
Hostupdate called for machine 192.168.23.100 state HOST_UP -> HOST_UP (trynum 0, dotimeadj: yes time: 4306)
Finished block: srtt: 178662 rttvar: 263119 timeout: 1231138 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 31
Finished block: srtt: 178662 rttvar: 263119 timeout: 1231138 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 13
massping done: num_hosts: 128 num_responses: 7
mass_rdns: Using DNS server 192.168.128.9
mass_rdns: Using DNS server 192.168.128.11
mass_rdns: 0.00s 0/9 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 9]
caught SIGINT signal, cleaning up

You can also do packet tracing (which is nice, because I used to open another window and use tcpdump):

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-03 13:06 EST
Packet Tracing enabled
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.83 Echo request (type=8/code=0) ttl=50 id=52529 iplen=28
SENT (3.0590s) TCP 192.168.23.140:53596 > 192.168.23.83:80 A ttl=55 id=5015 iplen=40 seq=1118672030 win=4096 ack=1118672030
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.82 Echo request (type=8/code=0) ttl=46 id=2197 iplen=28
SENT (3.0590s) TCP 192.168.23.140:53596 > 192.168.23.82:80 A ttl=41 id=62936 iplen=40 seq=2888667998 win=2048 ack=3933049694
SENT (3.0590s) ICMP 192.168.23.140 > 192.168.23.81 Echo request (type=8/code=0) ttl=37 id=23214 iplen=28

Another cool feature is that Nmap now ships with an XSL stylesheet. What do you do with this? Well, you can generate a nice HTML report:

# nmap -oX report.xml -O 192.168.23.1-254

# xsltproc /usr/local/share/nmap/nmap.xsl report.xml > samplereport.html

The command "xsltproc" is available from the libxslt project (did you know this tool is built right into OS X?). It applies the stylesheet to the XML data so you can view the report in HTML. I have posted a sample here. It's pretty nice, and heck, if you don't like it you can change it; it's a stylesheet. (Thanks to my co-worker John for that tip.)
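The HTML report is for reading; the same -oX output is also the easiest thing to diff from one day's scan to the next. The following is an added example, not code from Nmap or from this post: it parses the host, address, port state and osmatch elements from -oX output and reports hosts and open ports that appeared or disappeared between two runs. The two reports are constructed in the shape Nmap 4.00 writes (the real output carries more attributes); the ports on .5 and .6 follow the scan shown above, everything else about them is made up.

```python
import xml.etree.ElementTree as ET


def _host_xml(addr, open_ports, os_name=None, up=True):
    """Emit one <host> element in the shape Nmap 4.00 writes with -oX.
    Constructed for this example; real output carries more attributes."""
    if not up:
        return f'<host><status state="down"/><address addr="{addr}" addrtype="ipv4"/></host>'
    ports = "".join(
        f'<port protocol="{proto}" portid="{port}"><state state="open"/>'
        f'<service name="{svc}"/></port>'
        for proto, port, svc in open_ports
    )
    closed = '<port protocol="tcp" portid="113"><state state="closed"/><service name="auth"/></port>'
    os_xml = f'<os><osmatch name="{os_name}" accuracy="100"/></os>' if os_name else ""
    return (f'<host><status state="up"/><address addr="{addr}" addrtype="ipv4"/>'
            f'<ports>{ports}{closed}</ports>{os_xml}</host>')


def _report(hosts):
    return ('<?xml version="1.0"?><nmaprun scanner="nmap" version="4.00" '
            'args="nmap -oX report.xml -O 192.168.23.1-254">' + "".join(hosts) + "</nmaprun>")


# Constructed reports: yesterday's baseline and today's run. The OS names are made up.
BASELINE_XML = _report([
    _host_xml("192.168.23.5", [("tcp", 22, "ssh"), ("tcp", 25, "smtp"),
                               ("tcp", 37, "time"), ("tcp", 443, "https")], "Linux 2.4.X"),
    _host_xml("192.168.23.6", [("tcp", 22, "ssh"), ("tcp", 25, "smtp")], "Linux 2.4.X"),
    _host_xml("192.168.23.7", [], up=False),
])
CURRENT_XML = _report([
    _host_xml("192.168.23.5", [("tcp", 22, "ssh"), ("tcp", 25, "smtp"), ("tcp", 37, "time"),
                               ("tcp", 80, "http"), ("tcp", 443, "https")], "Linux 2.4.X"),
    _host_xml("192.168.23.6", [("tcp", 22, "ssh")], "Linux 2.4.X"),
    _host_xml("192.168.23.7", [("tcp", 445, "microsoft-ds")], "Microsoft Windows XP"),
])


def parse_report(xml_text):
    """Return {addr: {"os": name or None, "open": {(proto, port): service}}}
    for every host the scan reported as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                key = (port.get("protocol"), int(port.get("portid")))
                open_ports[key] = svc.get("name", "") if svc is not None else ""
        osmatch = host.find("os/osmatch")
        hosts[addr] = {"os": osmatch.get("name") if osmatch is not None else None,
                       "open": open_ports}
    return hosts


def diff_reports(baseline_xml, current_xml):
    """(new_hosts, newly_open, newly_closed) of the current run against the baseline."""
    base, cur = parse_report(baseline_xml), parse_report(current_xml)
    new_hosts = sorted(set(cur) - set(base))
    newly_open, newly_closed = {}, {}
    for addr in set(cur) & set(base):
        gained = set(cur[addr]["open"]) - set(base[addr]["open"])
        lost = set(base[addr]["open"]) - set(cur[addr]["open"])
        if gained:
            newly_open[addr] = sorted(gained)
        if lost:
            newly_closed[addr] = sorted(lost)
    return new_hosts, newly_open, newly_closed


if __name__ == "__main__":
    new_hosts, opened, closed = diff_reports(BASELINE_XML, CURRENT_XML)
    print("new hosts:", new_hosts)
    print("newly open:", opened)
    print("newly closed:", closed)
```

Feed it real files with `diff_reports(open("yesterday.xml").read(), open("report.xml").read())`. A host that shows up overnight with 445/tcp open, or a server that sprouts a port nobody asked for, is the kind of change you want in your inbox before it is in someone else's scan.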

The other cool thing is that if you are scanning hosts on the same subnet, Nmap will use ARP requests to find them. A host on the local Ethernet has to answer ARP to talk at all, so this gets around host firewalls that drop ICMP and TCP probes (those pesky Windows XP firewalls included). This does not seem to show up in the interactive-mode packet tracing, but it is still a cool feature.

That's all for now, happy nmap'ing!

.com

February 01, 2006

Introducing PaulDotCom Security Weekly TV

We are to the point where we are comfortable releasing the video version of PaulDotCom Security Weekly each week. The release will lag a little behind the audio version, especially in the beginning. We are also working hard to include more exclusive video content (so you will get to see more than just Larry and I sitting with headphones on). We currently have two episodes in the feed:

Episode 11
Episode 12

Both videos are formatted for the iPod video, but you can use iTunes or Quicktime to play them on pretty much any platform. The direct download and feed links are also listed below. I am working on getting this feed into iTunes as well.

Enjoy!

Video Feeds: Direct Video Download

Send us feedback and let us know what you think!

.com