PaulDotCom Security Weekly - Episode 225 - for Thursday January 6th, 2011.
Guest Interview with Ed Skoudis of InGuardians
Ed Skoudis is a founder and Senior Security Consultant with InGuardians. When he's not teaching for SANS, serving as an expert witness, or consulting, you can find him devising a Capture The Flag for his family gatherings.
Counter Hack Challenges is an organization devoted to creating educational, interactive challenges and competitions to help identify people with information security interest, potential, skills, and experience.
Ed, Tom, Yori and crew design and operate a variety of capture-the-flag and quiz-oriented challenges for US Cyber Challenge, the SANS Institute, and other organizations. Their featured contests include NetWars Next Generation (NetWars-ng) and Security Treasure Hunts.
Tech Segment: SpiderTrap
One the topic of ways to mess with attackers.
Ethan Robish, one of our hard working interns, has the unfortunate position of writing python scripts that we request. Lately, Paul and I have been working hard to come up with ways to make life harder for attackers.
So, we had Ethan write a script that is a simple web server that serves up four random links, if you refresh it serves up four more. If you click on a link, it serves up 4 more.
Run a web crawler at it.
It is simple:
# python spidertrap.py
$ wget -r http://127.0.0.1
There are a number of reasons we did this. First, Ethan rocks. Second, many testers simply run their automated tools over night. This would lead to a very nasty surprise. Finally, if someone was crawling a section of your site and they tripped on this you could generate an alert when it happens.
We also found some very interesting behaviors when we ran a number of commercial scanners against it. Some look for a 404 message and kill the session when it is not found (well done w3af) and other (expensive tools) simply freeze or crash. Also, we discovered a number of situations where if you tried to kill the crawl, it killed the whole session. No Results. Start over.
As with any of the tools we release we encourage you to use caution. I have yet to see exactly how google bot would react. I assume they are smart about these types of things. But angering the google gods may not go well. Rather, I recommend running it on an internal network segment.
Get it here
Stories For Discussion
- What's wrong with reporting - [Larry] - Here's a great posting by shrudlu that really hit home: Reporting, and what makes a vulnerability reportable? Do error messages and information gathering make it, if there is no specific vulnerability…yet? How do we help folks with their "risk calculations"
- GSM = PWNED - [Larry] - Give us enough monkeys and typewriters and we can crack anything. Cheap phones, open source tools and and 2 TB of rainbowtables and you too can snoop on GSM.
- Don't steal a hacker's computer - [Larry] - if you are going to steal a computer, format the damed drive.
- IE bug leaked to the chinese - [Larry] In other news, Microsoft has their panties in a twist. REsearcher develops cross_fuzz, works on timeline with MS, and somehow code gets indexed by google. That code then gets downloaded form Chinese IP addresses. Only google hit for specific attacks, by someone who likely already knew…
- Using Bittorernt as a DDos tool - [pauldotcom] - Due to some flaws in the protocol its possible to use the popular file sharing protocol to DDoS web sites. I'm a bit sketchy on the details, but sounds like you can re-direct users using the trackerless torrent functionality. Goes to show that there will always be creative ways to DDoS a site, and still little you could do about it.
- You say false positive, I say tell me anyway -
- You say Potato, I say learn how to work with your security assessment vendor - [pauldotcom] - Here's the thing, you need to work together to identify risk. Case in point in this article is the author complaining about information leakage being in the report. There are multiple angles to this, and a version banner is a good example. If a service or application is leaking information about its version or type, it needs to be noted. First, as a tester, you should try to verify it the information being leaked is accurate. You can do this the hard way and try to break into the actual system and verify, or you can just ask your client to verify it for you as in, "Are you really running version XXX of XXX?". Now, if you are running the application, you should not leak information about it and configure the app to hide this information. Even better, configure the service or application to leak the wrong information. In terms of remediation, you need to show it. If you are in fact leaking legit information about a service or application, management should know. Even better, when you remediate this risk by turning it off or changing it, management should know, and it should be noted in future testing. In terms of risk, you the tester should do a better job. You can't just put something in and say "someone could" and expect people to react. Paint the picutre, or better yet draw one yourself: "We exploited a SQLi flaw to obtain all user's credit cards. We kne the syntax because the app told us exactly what version you were running".
- Penetration Testing Rapidly Becoming Obsolete - [PaulDotCom] - Originally, pen testing was a simulation of what real attackers would do. Then it became more about validating vuln scan/assessment results. Now its essentially about compliance check boxing. (PCI) Uhm, wait. Those are reasons for having a pen test. So it is the reasons for having a pen test that are obsolete or penetration testing itself that is obsolete? I think its unfair to judge legitimate penetration testing based on the reasons people have for getting them. The fact is, people need them. You should never consider something "secure" until you've tested it. Airport security should be tested. Fighters should spare. Cars should be crashed, without people in them, to test safety. Its part of maintaining something, you need to test it. So, I don't think its obsolete, I think the culture as a whole is not proud of their work anymore and only looks at the bottom line because the economy is in the toilet, largely because so many have lost site of what capitalism really is, and therefore only we only want to do what is "absolutely necessary". Now, I agree, automation is not a bad thing, however it doesn't make pen testing obsolete. If anything, we need penetration testing more than ever! And I mean true penetration testing, that does all those things that automated tools can do, like think like an attacker, chain vulnerabilities together, take advantage of people, and so on.
- Breaking GSM With a $15 Phone...Plus Smarts - [Pauldotcom] - This is the same thing as wifi, security sucks, gear is too expensive, then gear gets cheaper, people get hacked, and more secure protocols ensue. Problem solved, right?
- How Not to Store Passwords in iOS - [PaulDotCom] - I think this is great research, and scary to think there are many apps that don't store passwords correctly. Malware could easily be created to pluck this out of memory and send it off.