Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
- Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Announcements & Shameless Plugs
Welcome to PaulDotCom Security Weekly, Episode 140 for February 11th, 2009
- PaulDotCom SANS Click-Through - Go there, register for some of the best training available! Go now or we show you our third nipples!
- 20% Off the Metasploit class via SANS@ Home!!!!
- Register for SANS Security 560: Network Penetration Testing and Ethical Hacking
- SANS Saskatchewan - Larry is teaching the 6 day wireless track (SEC 617) in Regina on March 23 - 28, 2009. Come hear him pronounce 'Regina'!
You can find out about all of our events at http://pauldotcom.com/events/
- Don't forget LBCAV on February 25th 2:00PM EST with Larry Pesce
Tech Segment: Emulating SCADA Systems with Honeyd
With all of the cool discussions about hackers targeting SCADA systems, and the fact that Paul does some cool stuff with Digital Bond, I thought it might be cool to showcase how you too can catch attackers doing wicked things to SCADA. First up, let's pull the SCADA Honeynet scripts down so we can emulate a SCADA system or two. Get 'em here:
Now we are going to create a config file for honeyd to use. Put the following into a file called scada.config using your editor of choice:
create scada
set scada uptime 1783333
set scada maxfds 35
add scada tcp port 21 "python plc/honeyd-ftp.py"
add scada tcp port 23 "python plc/honeyd-telnet.py"
add scada tcp port 502 "python plc/honeyd-modbus.py"
add scada tcp port 80 "python plc/honeyd-html.py"
set scada ethernet "00:00:00:01:02:03"
dhcp scada on eth0
The file you just created defines a template called "scada" and binds each port to the matching SCADA emulation script (remember to put the path to the scripts you downloaded from the SCADA Honeynet project; the "plc/" paths above are relative to the directory honeyd is started from). Then it does something wonderful: it uses DHCP to get an IP address. I know many of you have used honeyd in the past and done things like run farpd to get traffic to the honeypot, but honeyd also has the ability to use DHCP! Cool. Now we have to start honeyd:
(Side note: to install honeyd on Ubuntu run `apt-get install honeyd`)
Make sure you are in the directory where you created your scada.config file above.
root@honey# honeyd -d -i eth0 -f ./scada.config
The -d flag keeps honeyd in the foreground with debug output, and -f points it at the scada.config file from above. It should grab an IP address and start serving SCADA services.
Want to see a video of the above steps?
Check it out here:
Tech Segment: You too can be an SELinux rock star, with Shlomo Dubrown
SELinux by Example: Using Security Enhanced Linux - SELinux book referenced by Shlomo
Stories For Discussion
1) Quis custodiet ipsos custodes? - John - This is something that caught my attention when 3 of my current students at Denver University went to a prominent security site and got "compromised". I had to ask... Does this happen a lot? How much do we trust our security tools and the sites that they come from? I believe there needs to be a healthy level of suspicion around any security site you go to... It turns out it does happen.
2) Josh Wright is not human.. - John - As part of my 12 step recovery from Josh not sharing dessert with me I have to share something cool that Josh did with the PDC folk. Remember the whole SSH brute force key thing? Well, Josh has released a tool that decrypts vulnerable OpenSSH traffic. But hey, it's cool... All you have to do is install a patch... No, wait, you have to re-generate your SSH keys. The tool can be found here
3) flowmatrix - John - A new tool popped up on my second favorite website, darknet. Flowmatrix is a network anomaly detection monitor that "learns" what is normal then alerts when there is a deviation. Cool stuff. Anything that helps you better understand your network is OK in my book. Just one note.. If your network is a worm infested cesspool of malware any tool that "learns" about your environment will believe that to be normal traffic. "The more you know!"
4) MetaScan - John - From Nmap to exploitation with Metasploit.. MetaScan automates the transition.
5) Die 2K box! Die!! - John - An interesting thought brought up by Josh More. Basically, in the past many systems were upgraded because of hardware issues (i.e. it got old and died.) What happens now that your apps are running on systems that are not directly tied to an aging platform? Well, in the world of VMware old operating systems don't have to die!!! So there is no real need to replace those old systems. Other than End of Life, no more patches, 0 support. But that is icing on the cake.. Right?
6) What time is it in geek time? - John - I don't know why this is a story. I honestly don't know why I am posting it. It is just too geeky to pass up.
7) BT4 officially released - [Larry] - Not just the shmoo edition
8) PWN2OWN - [Larry] - A replay of the PWN2OWN at CanSecWest. This time, the focus is on IE 8, Firefox and Safari as well as Android, Windows Mobile and the iPhone. This should prove interesting...
9) New Packet repository - [Larry] - Looks to be a better/new update to openpackets.org. Run by our good friends at Mu Dynamics. You can view everything online without needing to download. Neat. Go submit your captures now!
10) Information disclosure fail - [Larry] - We've talked quite a bit about what folks share via social networking, and how it can lead to compromise, or stalking. Unfortunately, Pete Hoekstra, who was on a secret trip to Iraq, twittered from his Blackberry about having just landed there. Twitter - giving away your secrets 140 characters at a time.
11) J-wISM - [Larry] - I thought these were a couple of neat DoS vectors against Cisco wireless controllers - for version 4.2, a web authentication flaw caused the device to reload, and 4.1 the device can lock up after receiving malformed packets... That means be careful when testing web services, and fuzzing devices.
12) More on Conficker/Downadup - [Larry] - Many thanks to Bojan and h4z4rd. Some analysis of the code is finding more and more about this worm, such as VM detection, automatic patching in memory, and deletion of system restore points. This is looking more and more like something that was coded by a real pro.
13) Kaspersky hacked - [Larry] - Wow, there is so much conflicting information to this story it is unbelievable. First Kaspersky says no, your data is safe, and was only vulnerable for a few hours. Tight lips ensue. Then an internal memo is "leaked" with more information - wrong database silly! Then, Kaspersky admits the hack had been active for 11 days...
14) Metasploit Software Services - [Larry] - Metasploit to start offering the "heavy lifting" on the back-end as a software service. Metasploit give you a hash? As an example have it processed by cracking at Metasploit, get it back, and use for other modules...
15) The importance of being canonical - [Paul] - This post (Robert Graham at Errata Security) highlights some really interesting (and accurate points) that I would like to highlight:
- "The hacker keeps up-to-date with the latest exploits from sites like milw0rm." - Evil hackers keep up with the latest exploits, you should too. Whether you are a pen tester or a defender, you need to keep up in order to do your job. Why? Because hackers do.
- "Hackers are looking for e-mail addresses (for spam/phishing), passwords, and credit-card numbers." - Important things to know: the targets are passwords, credit card numbers, and email. Email is for SPAM (to get more credit card numbers or bank accounts); passwords are to use in brute force attacks (for the same purpose). Hackers are certainly financially motivated. We know that, but look at what Robert says, "A typical script-kiddy would, at that point, simply overwrite the homepage and move on. This hacker, however, goes deeper." As a pen tester or defender, you need to go deeper too. Why? Because hackers do.
- "A lot of websites in the hacker underground provide rainbow cracking services.... this hacker found one that allowed him to submit 28k hashes." - Important highlight, hackers use rainbow tables, so you should too. Not only that, but on the defender side, you would need to change your password every day in order to not be compromised by an attacker with Rainbow tables. Changing your passwords is good, but often not enough. You need to assume that attackers have your password, now what?
- "They didn't have enough manpower to get the patch installed before they were hacked." - This is scary, hackers have a lot of manpower, so should you. You should balance your manpower with risk of course, but as we all know most security teams are understaffed. If you can get management past "no one would want to hack us", then maybe you can justify more people because you could easily be outnumbered. On the flip side, when you get a pen test, you should request more than one person if you are concerned about this threat. My opinion is biased, but consider the "Red team" approach on selected tests and see how you fare as opposed to the "lone hacker" threat.
16) SQL Injection in your FTP server? - [PaulDotCom] - I was puzzled at first, then realized that it's caused when authentication is stored in a database. As an IDS analyst I might ignore SQL attempts at my FTP server and dismiss them as a false positive, oops :)
17) Note to the people DDoSing metasploit.com - [PaulDotCom] - I mean dude, you're DoSing the domain name, come on! Give it up man, metasploit is a legit project, fully open source, and benefits both good guys and bad guys. They are the last people I would think you want to DoS, so like why? Is it because they help the good guys too much? What's the deal?
18) pmdump - Memory Dump - [PaulDotCom] - This is a cmd line tool that will dump the memory space for a given PID. It caused my system to become unstable, but did successfully dump memory for a running process (Firefox). I was logged into my email at the time, didn't find my password (encrypted?). I think this is an interesting post-exploitation tool; even if users are not storing passwords in IE or Firefox, let's try to pluck them out of memory. If nothing else, read their email, and other interesting things in RAM.
19) Security FAIL of the week or "How to Hack a Security Gate With Your iPhone"! - [PaulDotCom] - But kinda funny that they would implement it this way.
20) The New War Driving - RFID Style - [PaulDotCom] - This is going to become more popular, just watch. 802.11 war driving was the expensive, cool, sexy thing, now it's RFID. Also, technology has evolved, and you will find people war driving for your information (passports) and credit cards.
21) HP Printer Vulnerability - A New one - [PaulDotCom] - This time in the web interface, which allows attackers to read arbitrary files. Vulnerabilities in printers have existed for some time, and we've used them for recon, storing files, reading printed documents, and the like. Printers continue to be devices that are completely ignored when it comes to security. I will say that the problems are all over the map. Some printers, even ones by default, you really can't do much with. Others will cough up sensitive documents just by breathing on them. In short, you need to test your printers. We've become conditioned, partly because of tools such as Nmap and Nessus not testing printers by default (in various ways and only with certain options), to just skip printer testing. Don't; manually test each model of your printers for vulnerabilities and apply security to them like you would any other device. It's important.
22) Kiosk Hacking At Its Finest - [PaulDotCom] - This article does a great job of discussing the potential security risks of public kiosks. I've run into many that are pretty well locked down, and others that are just plain wide open. This one is the latter, and Sherri does a great job of outlining the risk.