Monday, November 9, 2009

Is Your Response Time Less Than 120 Days?

I recently read a blog about ChoicePoint and the ongoing coverage of their business, especially after 13,750 people had their personal information compromised. Tina Stow, who seems to represent ChoicePoint, left a comment on the blog stating:

“We have several monitoring tools and the one in question was not intentionally switched off. Due to human error for which the Company took appropriate action, one of our monitoring tools was temporarily and mistakenly turned off for a four month period. The other monitoring tools and our information security program were working. We have added redundancies to try to prevent future human error.”

4 months?!!? Holy cow! If a “monitoring tool” is unintentionally switched off for 1/3 of an ENTIRE YEAR and no one notices, I wonder what else has been going on that went unnoticed. No wonder they had a breach! That statement reminds me of clients that never see brute force attacks on their systems simply because they never review logs. Whatever the reason the system was not discovered to be down or malfunctioning, either a core deficiency exists within the system and/or the processes surrounding it, or the statement presented simply lacks validity.

With that being said, you can buy the latest, greatest, or most expensive tools, systems, and software out there, but unless they are installed, configured, and used in a correct and proper manner, they do you little to no good. It’s like putting in a web application firewall without having it “learn” your web application, or dropping in a firewall with any/any rules in place; it will only get you so far. Unfortunately, it may have earned a “checkmark” or an opportunity to issue a press release saying “we did something”.
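As an added illustration (not part of the original post), here is the kind of check that watches the monitoring tools themselves: every expected log source gets a maximum tolerated silence, and anything quieter than that is reported, so a tool that was switched off shows up within the hour instead of after four months. The source names, thresholds and log lines are constructed for the example.

```python
from datetime import datetime

# Sources we expect to hear from, with the longest silence (seconds) we will
# tolerate before treating the tool as down. Names and thresholds are
# constructed for this example.
EXPECTED_SOURCES = {
    "ids-sensor-1": 15 * 60,        # IDS sends a heartbeat every few minutes
    "fim-agent-web01": 60 * 60,     # file-integrity agent scans hourly
    "db-audit-log": 6 * 60 * 60,    # database audit export runs a few times a day
}

# Constructed syslog-style sample: "<ISO timestamp> <source> <message>".
# Note that db-audit-log never appears and ids-sensor-1 goes quiet after 08:25.
SAMPLE_LOG = """\
2009-11-09T08:00:05 ids-sensor-1 heartbeat ok
2009-11-09T08:05:12 fim-agent-web01 scan complete, 0 changes
2009-11-09T08:10:01 ids-sensor-1 heartbeat ok
2009-11-09T08:15:03 ids-sensor-1 heartbeat ok
2009-11-09T08:20:07 fim-agent-web01 scan complete, 0 changes
2009-11-09T08:25:04 ids-sensor-1 heartbeat ok
garbage line without a timestamp
2009-11-09T09:40:00 fim-agent-web01 scan complete, 2 changes
"""


def last_seen(log_text):
    """Map each source to the datetime of its most recent well-formed line."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue  # malformed line: skip it, the checker must not crash
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # first token is not a timestamp
        src = parts[1]
        if src not in seen or ts > seen[src]:
            seen[src] = ts
    return seen


def silent_sources(log_text, now_iso, expected=EXPECTED_SOURCES):
    """Return [(source, seconds_silent)] for every expected source that has
    been quiet longer than its threshold. seconds_silent is None when the
    source has never reported at all; that is the worst case (nothing to
    compare against) and must be reported, not silently ignored."""
    now = datetime.fromisoformat(now_iso)
    seen = last_seen(log_text)
    findings = []
    for src, max_gap in expected.items():
        if src not in seen:
            findings.append((src, None))
            continue
        gap = int((now - seen[src]).total_seconds())
        if gap > max_gap:
            findings.append((src, gap))
    return findings


if __name__ == "__main__":
    for src, gap in silent_sources(SAMPLE_LOG, "2009-11-09T10:00:00"):
        state = "never reported" if gap is None else "silent for %d s" % gap
        print("ALERT: monitoring source %s %s" % (src, state))
```

Run it from cron against the real log store and page on any non-empty result; the point is that the alert fires on absence of data, which no per-event rule can do.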


Thursday, November 5, 2009

To Pen Test or not to Pen Test, that is the question…

Time and time again I am challenged by clients and security professionals alike on what the real benefit of penetration testing is. Though this seems like an age-old debate with many famous hackers and security professionals weighing in, I am not entirely sure I understand the argument undermining the importance/benefits of penetration testing. Below are arguments from both black and white hat security professionals:

White Hat – “Pen testing can show one of two things: your security sucks or your security is better than your pen tester”

Black Hat – “The very concept of "penetration testing" is fundamentally flawed. The problem with it is that the penetration tester has a limited set of targets they're allowed to attack, while a real attacker can attack anything in order to gain access to the site/box. So if a site on a shared host is being tested, just because site1.com is "secure" that does NOT in any way mean that the server is secure, because site2.com could easily be vulnerable to all sorts of simple attacks. The time constraint is another problem. A professional pentester with a week or two to spend on a client's network may or may not get into everything. A real dedicated hacker making the slog who spends a month of eight hour days WILL get into anything they target. You're lucky if it even takes him that long, really.”

Though I understand the point of the above arguments, I believe the logic behind these statements is fundamentally flawed. The point they are trying to make is that an organization is never going to be entirely secure and that an attacker with dedicated time and resources WILL in all cases break in, so performing a pen test is only validating something already known. I see penetration testing differently. Penetration testing is not designed to make an organization 100 percent secure but to make them MORE secure (assuming identified vulnerabilities are remediated) and MORE aware than they were before the penetration assessment was performed. It is also a good means to test current logical and physical security controls. From my experience, many security professionals responsible for an organization’s security do not understand the full ramifications of vulnerabilities and thus can become complacent in fixing them.

Case Study:

A vulnerability scanner returns one vulnerability on Company A’s external presence. The vulnerability identified was Cross Site Scripting or SQL Injection. A report is issued to Company A showing a “High” risk rating based on this vulnerability. Company A may not understand how a single vulnerability can translate into a “High” risk rating and thus chooses to ignore, or at least delay remediating, this vulnerability until time and resources become available. Does this mean Company A’s security is bad? I would say that if Company A had an external presence of 50 servers and 10 applications, and only one vulnerability was identified, the answer would be no. Company A may very well have good security, but as with everything else in life, mistakes happen. Now let’s assume a penetration assessment was performed on Company A’s external presence instead. Not only would the penetration assessment identify this vulnerability, it would attempt to exploit it. Let’s go on to say that this vulnerability is in fact exploitable and allows for full system compromise. What is a client going to react to more? A report stating they have one critical vulnerability and describing what could happen, or a report stating they have one critical vulnerability and, oh yeah, by the way, we compromised your entire domain controller? A client who just had their entire domain controller compromised is going to be more inclined to fix the vulnerability in a timely manner than one reading a report stating what could happen if it is not fixed.

How can one argue that this penetration assessment was not beneficial to Company A? It effectively made Company A more aware as to the dangers associated with a critical vulnerability, which in turn made them take a proactive approach to fixing the problem almost instantaneously, thus reducing their overall risk rating.

This is one simple example. I can go on and on about the benefits of penetration testing. Security is about managing and reducing risk to an acceptable level. A penetration assessment isn’t intended to reduce an organization’s risk to zero percent, but then again neither is any security assessment. Any time an organization connects a device to a network it assumes a certain amount of risk. It’s understood that zero-day vulnerabilities will always surface and cannot be prevented. So sure, a dedicated attacker could decide to spend 6 months developing an exploit for an unknown vulnerability; however, this requires a more sophisticated attacker, which makes it a less likely scenario.

A penetration assessment is simply used as a means to identify vulnerabilities and provide proof-of-concept examples of exploiting these vulnerabilities. By doing so, it better explains the ratings associated with vulnerabilities, which in turn produces much more conscious/aware security professionals. A much more aware security department will be able to better help reduce the overall risk for an organization.


Friday, October 23, 2009

The Network Neutrality Debate: Good or Evil?

So for a long time now there has been a bill around in Congress about Network Neutrality. Some people like it, some people don’t, others just don’t care. But who’s really looked into it? I mean, it sounds good. It sounds like it could help everyone out, right? It’s keeping the Internet neutral, right?

Well, for those of you who haven’t looked into Net Neutrality, it’s time you heard about it. Let’s look at the upside of this debate. The original idea was great: ensure that all traffic on the Internet is treated equally by all Internet Service Providers. Net Neutrality is supposed to mean no discrimination; it tries to prevent Internet Service Providers from blocking, speeding up, or slowing down Web content based on its source, ownership, or destination. That sounds good, right? I like this original idea, but as with many ideas that get turned into legislation, the point gets missed, and in the case of this idea, the point is being completely smothered.

Now that the government has its hands on it, Net Neutrality will go the way of all the other bills that have gone through Congress, with pork added by every congressman along the way. Net Neutrality line items state that every citizen in the US should be given free broadband Internet access. The proponents of this bill state that if there is only one provider of Internet access, that provider can’t block content or stop the end user from getting to the site they want to view, so the government should intervene. The proponents of this bill are in the mindset that if government can control this, the ISPs won’t be able to implement a tiered Internet access model.

Others say that if Net Neutrality isn’t passed, companies will start to charge more to get to certain content on the Internet, or that Internet Service Providers (ISPs) can sign agreements with certain companies to give special access to that company’s website. For instance, if I went to Google, but my ISP had signed a contract with Yahoo or Microsoft, I wouldn’t be able to get to Google, or the speed would be so slow I would have to use something else to search the Internet. People think that without Net Neutrality ISPs can tax content providers for using the backbone of the Internet to move data, or discriminate in favor of certain traffic, or block access to certain sites altogether. Again, let me stress how this original idea makes complete sense and how much I agree with it at this point.

With the number of service providers out there, the scenarios mentioned earlier (blocking content and discrimination of data) would never happen, because if they did, people would just switch to another provider. Look at it this way: the Internet, in its current setup, has operated for over 20 years without regulation or government interference. Net Neutrality protections have existed for the entire history of the Internet. Additionally, since its conception and the start of its mainstream use, the government has wanted to tax the usage of the Internet. Back at the beginning of the Internet a group of congressmen banded together and said “No” to taxing Internet usage. But now the government is trying to grab power from all over, and Congress feels that it should control, monitor, and secure the Internet as well.

And it doesn’t stop there; if Net Neutrality goes through, the government will not only do a power grab over the Internet, but include wireless phone companies too since they are also part of digital communications. The FCC would basically be able to moderate and know everything that is being transferred over the Internet or wireless phones. Security and Privacy would be thrown out the window in this scenario. The Internet has been the source of the highest levels of freedom the world has ever known. There have never been any restrictions on speech, religion, or information on the Internet (some sites have their own policies, but you can always find information out there somewhere).

Aside from the Internet being a place for freedom, think about what will happen when the government steps in and tries to regulate and monitor it. Think about anything the government tries to run: it gets clouded in paperwork and the service is degraded to a level no one wants. The phone companies are a prime example of this; the government stepped in at the state and federal level and the prices skyrocketed. But the market innovated, coming up with VoIP and free phone servers that utilize the Internet. The free market is responsible for the vast, open set of connected networks that make up the Internet; it would do nothing but hurt companies that try to impede this open communication of all types of content.

So now for some added truth on this: Net Neutrality is essentially going to cause these things to happen, just from a different angle. Now that H.R. 3458 has been introduced and federal stimulus money has become part of the deal, the government is going to pork the bill up so much you won’t even recognize it right before it is voted on.

Let’s put it in perspective: over the last 3 or 4 years the telecommunications industry has pumped over 100 billion dollars into the data backbone, and it has resulted in blazing fast speeds, a lower price per kilobyte of bandwidth, and a higher level of competition. Now think about this: the government stimulus package invested 7.2 billion dollars into this Net Neutrality bill, and they call that “just a down payment,” according to diversity czar Mark Lloyd. His opinion is that managing the media, control of it by the state, can help level the playing field for those that aren’t fortunate enough to get all the news. Now why would you want to pay for Net Neutrality when you already pay for the Internet? Just with the thought of the government stepping in, the price has already gone up in the form of taxes.

Almost everyone pays for the Internet in some way, whether in your cell phone bill, your cable bill, your land line phone bill, or your VoIP phone bill (in some cases). All this money pays to keep the Internet up and running. When you purchase Internet access you expect a certain level of quality and service from the provider you are paying, be it AT&T, Sprint, Verizon, Time Warner, or Comcast, just to name a few. Basically your monthly bill on these services goes to keeping the Internet up and running (I say this because basically everything is transmitted digitally).

Mark Lloyd, Chief Diversity Czar of the Federal Communications Commission said, “It should be clear by now that my focus here is not freedom of speech or the press. This freedom is all too often an exaggeration. At the very least blind references to freedom of speech or press serves as a distraction from the critical examination of other communication policies. The purpose of free speech is warped to protect global corporations and block rules [by the government], fines, and regulations that would promote democratic governance.”

This statement is coming from a guy who is a devoted liberal progressive (AKA Marxist) looking to stifle your freedom of speech. Mark Lloyd, a disciple of Saul Alinsky and fan of Hugo Chavez, wants to destroy talk radio and says free speech is a distraction. Mark Lloyd also says Venezuela is an example we should follow, and he feels that the government should control all media outlets. He has also said media outlets should be taxed an amount equal to their total operating cost to help subsidize public media. If he is willing to do that with media outlets, what is he willing to do with censoring the Internet?

Government's first duty is to protect the people, not run their lives. It is not to tax you for your freedoms, it is not to regulate the things you do in life, and it is not the goal for government to interfere with every aspect of the country. If the government takes control of the Internet the way they are planning in this Network Neutrality bill, I promise you that the quality and value of the Internet will degrade and it will be the start of the end of the Internet as we know it.

Throughout the bill there are statements like, “unfettered access,” “lawful usage, devices and services,” “severely harmed,” “economic interest,” and “prevention of unwanted content.” The problem with this is that they never state who will be monitoring this or setting the standards on the content, bandwidth, and what they consider to be lawful.
http://thomas.loc.gov/cgi-bin/query/D?c111:1:./temp/~c111u6UoXZ::

Ronald Reagan once famously said, "Government's view of the economy could be summed up in a few short phrases: If it moves, tax it. If it keeps moving, regulate it. And if it stops moving, subsidize it."

Let’s keep the Internet free and open as it was designed. And let’s also keep Net Neutrality exactly how it was designed: to protect the freedoms of the Internet.


Friday, October 9, 2009

The Louisville Metro InfoSec Capture the Flag

Just returned last night from the Louisville Metro Information Security Conference in Kentucky. I typically stay clear of the Capture the Flag events as I'm usually networking with people or presenting. This year I decided (with a little nudge from a couple of friends) to participate in the Louisville InfoSec capture the flag. This year's CTF was designed and put on by Irongeek (http://www.irongeek.com), and you're always in for a blast with him.

Our team came in first place and everyone on the team did an amazing job contributing. I have to give a shout out to Irongeek for his time and dedication to the CTF. It was truly a great experience. Some of the ideas, twists, vulnerability linking, and creativity of the overall CTF were a unique experience in themselves. The hack with the rotating web cam to see a password written on the computer is just a taste of the creativity Irongeek put into the CTF.

Overall, it was truly a great time and a great experience at the Louisville InfoSec Conference; I would highly recommend it next year!

Quick outline of how we got first place:

First machine:
MS08-067 with Meterpreter payload, dumped hashes, and used rainbow tables to crack passwords. Fast rainbow tables didn't work; ended up using CUDA cracking power to get the password.

Second machine: Directory traversal to /etc/passwd, found a user account that was on the Windows box with the same password on the *nix box. Pulled off an encrypted TrueCrypt volume. Found a robots.txt with a disallow on a config file that contained the MySQL DB username and password. Connected to the MySQL machine and extracted a table that had the TrueCrypt password in it. Inside that file was a password-protected 7zip file.

Third machine: Web-based camera interface, not a default password, no published vulnerability, no apparent easy way in. Performed ARP cache poisoning and obtained the credentials passed in the clear (view/view). This got us access to a web cam that could rotate. Rotating it from left to right revealed a piece of paper with a handwritten password that ultimately gave us access to the 7zip file.

Thanks again guys, it was a blast; nice job Pure-Hate, Archangel, and Titan. Bang-up job, team.

Irongeek's post about the CTF: http://www.irongeek.com/i.php?page=videos/louisville-infosec-ctf-2009


Thursday, October 8, 2009

What’s the Value of Your Mobile Phone’s Address Book?

Being a consultant, I travel a good amount around the United States for various engagements. While at airports, hotels, and other public places that offer opportunities for wireless communications, I often find myself in amazement of the information at large.

Approximately 4 months ago, I sat at the airport gate awaiting my incoming flight, and a woman sitting next to me (2 seats down, or about 6 feet away) was talking on her cell phone about her travel reservations. Whoever she was speaking with apparently had Internet access, as she gave them instructions on how to open up Internet Explorer, navigate to www..com, and log in with a username of and password of . She proceeded to instruct this person on how to search for a hotel and book a reservation, also giving her credit card number, expiration date, and CV2 code. After she hung up, I thought to myself that it would be very amusing to go thank her for her information and for paying for my flight/hotel. Of course, I did not, but I thought to myself how clueless this lady must be.

From airports to hotels, it is no surprise that there are always open file shares, shared iTunes libraries, and similar things readily available to people via Bluetooth or wireless communications. This is nothing new; however, the sensitivity of the information people purposely or inadvertently share varies. When doing a penetration test for a large health care organization, a coworker and I gained access to a Web site, indexed by Google, that provided us with a complete employee directory listing. This client was alarmed at what we found, as we could couple this gold mine of internal information with some XSS flaws to perform a large-scale phishing attack.

I pose this question: How important to your organization is your mobile phone’s phonebook?

More specifically, the Apple iPhone’s use in the corporate world has been a topic of debate for some time. With the number of applications in the App Store, how well do you think Apple is doing screening them all for rogue code? Just as an organization fears a time bomb planted by an ex-developer in one of its code bases, should iPhone users and enterprises be worried about the information on their iPhones? The answer is yes.

Code showing how to read not only your iPhone’s number but also your entire address book has been published online for some time now. Additionally, the article claims that applications can obtain personal information from most of the iPhone’s file system despite Apple having a developer sandbox in place. We’ve already seen the $999.99 “I am Rich” app that tricked 8 people into paying its $1,000 price tag, so what else might exist in the thousands of other applications available? Do your C-level executives use an iPhone? Has your address book or theirs already been compromised? You may never know…


Tuesday, October 6, 2009

How a simple python fuzzer brought down SMBv2 in 2 seconds.

If you haven't had a chance to check out the post by Laurent Gaffie (linked at the end of this post), it's a really great read on how the latest SMBv2 zero-day got discovered.

Laurent used a simplistic packet reconstruction fuzzer in python to ultimately discover what is now a remotely exploitable zero-day within SMBv2 systems. Let's dissect the code a little bit:

from socket import socket
from time import sleep
from random import randrange

host = ("IP_ADDR", 445)   # target address placeholder and the SMB port

# Negotiate Protocol Request: the hex dump of one valid SMB request (captured
# with a sniffer), rebuilt as the byte template every fuzz case starts from
packet = bytearray(int(a, 16) for a in """
00 00 00 90
ff 53 4d 42 72 00 00 00 00 18 53 c8 00 00 00 00
00 00 00 00 00 00 00 00 ff ff ff fe 00 00 00 00
00 6d 00 02 50 43 20 4e 45 54 57 4f 52 4b 20 50
52 4f 47 52 41 4d 20 31 2e 30 00 02 4c 41 4e 4d
41 4e 31 2e 30 00 02 57 69 6e 64 6f 77 73 20 66
6f 72 20 57 6f 72 6b 67 72 6f 75 70 73 20 33 2e
31 61 00 02 4c 4d 31 2e 32 58 30 30 32 00 02 4c
41 4e 4d 41 4e 32 2e 31 00 02 4e 54 20 4c 4d 20
30 2e 31 32 00 02 53 4d 42 20 32 2e 30 30 32 00
""".split())

while True:
    #/Core#
    what = bytearray(packet)        # fresh copy of the template
    where = randrange(len(packet))  # pick one byte offset at random
    which = randrange(256)          # pick one replacement value at random
    what[where] = which             # single-byte substitution
    #/Core#
    #sending stuff @host
    sock = socket()
    sock.connect(host)
    sock.sendall(bytes(what))       # the whole mutated packet, no separators
    sleep(0.1)  # don't flood it
    print('fuzzing param %02x' % which)
    print('complete packet %s' % what.hex())
    # When SMB or RPC dies (with TCP) the socket times out on the last packet, so printing these is more than useful
    sock.close()

Look at the Negotiate Protocol Request portion: it simply rebuilds a dump of one valid SMB request, easily obtained with Wireshark or another sniffer. The rest of the fuzzer replaces one randomly chosen byte per packet with a random value, as most fuzzers do. The blog outlines how something like this could escape Microsoft's auditing and how easy it was for Laurent to find this bug.
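Added here as an illustration (not code from Laurent's post or this blog): a parser that validates the same Negotiate Protocol Request the fuzzer mutates and reports which field a random one-byte substitution breaks, which is exactly the consistency checking a server must do before trusting any length field from the wire. The hex is the dump above; the function names and the check wording are mine.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72

# The Negotiate Protocol Request from the fuzzer above: 4-byte NetBIOS session
# header followed by a 144-byte SMB1 message (148 bytes total).
NEGOTIATE_REQUEST = bytes.fromhex(
    "00000090"
    "ff534d4272000000001853c800000000"
    "0000000000000000fffffffe00000000"
    "006d00025043204e4554574f524b2050"
    "524f4752414d20312e3000024c414e4d"
    "414e312e30000257696e646f77732066"
    "6f7220576f726b67726f75707320332e"
    "316100024c4d312e325830303200024c"
    "414e4d414e322e3100024e54204c4d20"
    "302e31320002534d4220322e30303200"
)


def parse_negotiate(raw):
    """Parse a NetBIOS-framed SMB1 Negotiate Protocol Request into a dict, or
    raise ValueError naming the first field that is inconsistent."""
    if len(raw) < 4:
        raise ValueError("short NetBIOS session header")
    if raw[0] != 0x00:
        raise ValueError("NetBIOS type 0x%02x is not a session message" % raw[0])
    nb_len = int.from_bytes(raw[1:4], "big")   # 24-bit big-endian length
    smb = raw[4:]
    if nb_len != len(smb):
        raise ValueError("NetBIOS length %d != %d bytes present" % (nb_len, len(smb)))
    if len(smb) < 35:   # 32-byte header + WordCount + ByteCount
        raise ValueError("SMB message shorter than header + WordCount + ByteCount")
    if smb[:4] != SMB_MAGIC:
        raise ValueError("bad SMB magic %r" % smb[:4])
    if smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not a Negotiate request: command 0x%02x" % smb[4])
    status = struct.unpack_from("<I", smb, 5)[0]
    flags = smb[9]
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    if smb[32] != 0:
        raise ValueError("Negotiate request WordCount must be 0, got %d" % smb[32])
    byte_count = struct.unpack_from("<H", smb, 33)[0]
    data = smb[35:]
    if byte_count != len(data):
        raise ValueError("ByteCount %d != %d data bytes present" % (byte_count, len(data)))
    # The data block is a run of 0x02-prefixed, NUL-terminated dialect strings.
    dialects = []
    pos = 0
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("dialect at data offset %d lacks the 0x02 prefix" % pos)
        end = data.find(b"\x00", pos + 1)
        if end == -1:
            raise ValueError("dialect at data offset %d is not NUL-terminated" % pos)
        name = data[pos + 1:end]
        if not name.isascii():
            raise ValueError("dialect at data offset %d is not ASCII" % pos)
        dialects.append(name.decode("ascii"))
        pos = end + 1
    return {"netbios_length": nb_len, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid,
            "byte_count": byte_count, "dialects": dialects}


def check_packet(raw):
    """None if the packet is internally consistent, else the first problem found."""
    try:
        parse_negotiate(raw)
        return None
    except ValueError as exc:
        return str(exc)


def mutate_byte(raw, offset, value):
    """The fuzzer's single-byte substitution, applied at a chosen offset."""
    out = bytearray(raw)
    out[offset] = value
    return bytes(out)


if __name__ == "__main__":
    print("dialects offered:", parse_negotiate(NEGOTIATE_REQUEST)["dialects"])
    # Corrupt the low byte of ByteCount (SMB offset 33 = raw offset 37), one of the 148 positions the fuzzer draws from.
    print("mutated:", check_packet(mutate_byte(NEGOTIATE_REQUEST, 37, 0x10)))
```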

Also, if you haven't read the post on how this bug became exploitable using the trampoline method for reliable exploitation, take a read here: http://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html, written by Piotr Bania.

Using three stages, and some division to calculate an INC ESI, POP ESI, RET trampoline (0x46, 0x5E, 0xC3) into our shellcode, the SMBv2 exploit is now a living, breathing remote exploit.

For more information and an explanation of how the exploit was discovered check out: http://g-laurent.blogspot.com/2009/10/more-explication-on-cve-2009-3103.html


Sunday, October 4, 2009

Patrick Swayze - Roadhouse Ramblings

I have always liked the movie Roadhouse. Patrick Swayze is an amazing actor (and has more range than he gets credit for; remember Wong Foo?). Throw in Sam Elliott and I don’t see how you can go wrong. Before you decide that I have taken up blogging about cinema, let me say that in light of the recent passing of Swayze, I think we can learn a few things about information security from Roadhouse. We can also learn from the way that hackers have exploited the death of Swayze to spread viruses.

In Roadhouse, Swayze is called in to clean up a bar, and thus a town, ravaged by criminals. These criminals steal from honest people and legitimate businesses to enrich themselves. In information security, we come in and clean up servers and networks ravaged by, well, criminals stealing from honest people and legitimate businesses. Remember the bartender, the distant relative of the main antagonist in the movie, stealing money from the register? He can represent the threat organizations face from their own employees. Swayze threw him out. Swayze cleaned up the bar, and hardened it against attackers. While I don’t claim to look as cool as Swayze while neutralizing threats, we also spend our days identifying and removing threats. More about that in later blogs.


What I want to discuss here is how attackers use news events such as the death of Swayze to spread malicious software. E-mail claiming to contain photos of or links to stories about celebrities will often link to sites that install malicious software. The human element is regularly the weakest part of any security program. Rather than attack your hardened systems, attackers will work to gain the confidence of those who already have access to your systems: your employees. To be secure, it is important to have a culture of security. Every employee must understand the importance of their role in protecting systems and information. And every employee must be educated as to the threats and techniques used by attackers. All the locks in the world won’t help keep your information safe if your employees open the door every time a sympathetic character comes knocking. Sure, anti-virus and e-mail filtering can help, but employees need to know how to recognize suspicious e-mail, and they need to be educated to never open it.


We have a lot of success exploiting the human element. People have a natural inclination to be helpful, and curiosity is a big part of human nature. There are software and processes that can help combat social engineering, but until all your employees understand the risks, it is difficult to be secure. That is another area where we help our clients. Just like Dalton (Swayze) showed the other bouncers at the bar how to handle problems, we can show you how to educate employees and keep your environment safe.


I don’t want to take the analogy too far, to the point of ridiculousness (if it isn’t too late already), but we have found that sometimes the best way to articulate threats to information security is to use analogies based on the brick-and-mortar world. And in the electronic world, much like a roadhouse, there are all types of people, with all types of intentions. The first step in securing your information, or roadhouse, is an assessment. Then we can get to work on cleaning it up.
