Episode86

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Episode Media

mp3

Mini-Low-Tech Segment: Firefox Addons For Your Users

Verisign EV Add-On - This add-on will provide you with some extra protection when visiting participating sites. This is good for users, especially Paypal and/or Ebay users. Verisign issues these EV (Extended Verification) certificates, doing extra checking into the organization who purchases it, and Firefox then provides the add-on to check for it. When you go to a site that has this, and the addon is installed, the URL bar turns green and the organization's name and other information is displayed for you.

Greasemonkey - This is a framework to be able to write Firefox add-ons in JavaScript. It enables you to install the next add-on....

Greasemonkey - GMailSecure - This plugin will ensure that you are always visiting Gmail using SSL so people like me don't steal your Gmail cookie and use it to change your default language to Arabic.

Not a plugin per se, but there is a feature in Firefox to prevent you from visiting phishing web sites. In the Firefox preferences go to Preferences | Security and click the checkbox that says "Tell me if the site I'm visiting is a suspected forgery". Now go to www.phishtank.com, visit one of the known phishing sites, and see if it works.

Semi-Unrelated note: remind your users that they should not be storing passwords in Firefox, Internet Explorer, or any other end-user application. It can be easily retrieved by attackers (Core IMPACT has plugins for a slew of programs). Also, I spoke with one user who, even despite me falling over in my chair, was convinced it is okay to store all passwords in a password-protected Excel spreadsheet!

Stories Of Interest

Legendary Podcast!!!

SMS SPAM is coming - [PaulDotCom] - I just know it, first it was junk mail (like snail mail), then it was telemarketing, then it was email SPAM, then it was IM SPAM, etc... This is just the new delivery mechanism, and it's already popular in Asian countries. Interesting though, as more people get phones with SMS, they will become targets to launch more SMS SPAM to cut down on costs...

If You Own a BT Home Hub, You're gonna get Pwned - [PaulDotCom] - I've done some research into hacking into home routers, and it's very scary. My upcoming article in InSecure Mag will go into details, but here's a preview. Authentication Bypass + CSRF = BAAAAAAAD. This will enable the so-called "Drive-By Pharming", among other things...

Litespeed Remote Source Code Disclosure - [PaulDotCom] - Note: when you have a product that has a major hole and is used to view in plain text the username and password to your database server, pulling your customer list off your web site is not the answer; see here.

Security through Obscurity? - [Larry] - An alleged terrorist hid files on his computer in c:\windows\options, unencrypted, but hidden from a casual user. If you need to protect something, obscurity is not the way to go. Sure, it may help, but it is not the solution. Use trusted encryption.

Organizations will go into the rapids - [PaulDotCom] - Yes, despite our great advice and cautions, organizations will make the wrong security decisions. Some of it may be related to too much faith in vendor products. For example, I sometimes go to sites and install an intrusion detection sensor. At this one particular site, they had a high degree of confidence in a popular vendor's intrusion prevention system that they were funneling all of their traffic through. I came along with my open-source tools, namely IPAudit, and instantly found a SPAM bot SPAMming the world. Tip: Always monitor your network, and even on multiple fronts (couple Product X with a free open-source tool running on older hardware), and block outgoing port 25 at all times :)

Compromised AD server means pwnage - [Larry] - A major internet advertiser had an ad server compromised, and had ads deliver an additional frame and script. This script directed users to an exploit for the un-patched Real Player vulnerability. The ads are not controlled by the website operators, so now it appears that third party content on your own website could be bad. Use Firefox extensions such as NoScript and Adblock Plus. More

Cisco Wireless Controller Upgrade adds a Default password - [PaulDotCom] - Default passwords such as these are just as good as authentication bypass vulnerabilities, and it's sad to see them in such a high profile vendor.

VoIP SPAM - Yummy, and so is MP3 SPAM - [PaulDotCom] - So, Vonage users are getting some VoIP SPAM, and I'm not surprised. I do think it's funny that SPAMmers have moved from Image SPAM, to PDF SPAM, to MP3 SPAM! Take a listen...

NOTE: Speaking of vulnerabilities in high profile vendors, Nmap found me a DoS vulnerability in a large vendor's wireless controller system. They will remain nameless as it is not patched, but listen to how easy it was...

QVC = "free" stuff - [Larry] - We've been talking about web based attacks and security lately, so I wanted to bring up this story about a large online retailer, QVC, and their website. Apparently, a woman was able to place orders, cancel them and still receive the items without paying. Apparently QVC had some bugs in their website, and possibly back end, that did not complete the cancellation process when certain conditions were met. There's a valuable lesson about testing: sure, always test for the false (or wrong) condition, but also check all of the conditions that are correct! I have a similar correlation to a badge access solution I once encountered.

SSL MITM tricks work - even against security people! - [PaulDotCom] - Wow, just wow. Attendees at a security conference got pwned because they clicked "yes" and accepted a bogus cert. If security pros do this, how many users would get duped by this? Answer: a wicked lot

More TJX... - [Larry] - I know, it is getting old, but there is an important lesson to learn. Some of the latest facts/allegations: TJX failed to notice that the stolen info was sent back out of their own network - 80 Gig in 7 months - which they failed to notice. How do you miss that? Yet another tool that security pros should have in their arsenal is traffic patterning, say MRTG. Increases should be investigated!
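As an added illustration of the two monitoring points above (the SPAM bot found by watching outbound port 25, and the TJX outbound volume that nobody noticed), here is a small flow-log check; it is example code written for these notes, not something from the show or from IPAudit/MRTG, and the flow records and the "only the mail server may speak SMTP" rule are constructed assumptions.

```python
# Added example: two cheap checks over outbound flow records.
# Record shape (constructed for this example): (src_ip, dst_ip, dst_port, bytes_out, day).
from collections import defaultdict

FLOWS = [
    ("10.0.0.5", "192.0.2.10", 25, 4000, 1),        # the mail server, expected SMTP
    ("10.0.0.5", "192.0.2.11", 25, 3000, 2),
    ("10.0.0.42", "203.0.113.7", 25, 900, 1),       # a workstation speaking SMTP: bot-like
    ("10.0.0.42", "203.0.113.8", 25, 950, 1),
    ("10.0.0.42", "203.0.113.9", 25, 910, 2),
    ("10.0.0.77", "198.51.100.3", 443, 50_000, 1),
    ("10.0.0.77", "198.51.100.3", 443, 60_000, 2),
    ("10.0.0.77", "198.51.100.3", 443, 900_000, 3), # sudden jump worth a look
]

MAIL_SERVERS = {"10.0.0.5"}  # assumption: the only host allowed to send SMTP out


def smtp_talkers(flows, allowed=MAIL_SERVERS):
    """Count outbound port-25 connections per host that is not an allowed mail server."""
    counts = defaultdict(int)
    for src, _dst, dport, _nbytes, _day in flows:
        if dport == 25 and src not in allowed:
            counts[src] += 1
    return dict(counts)


def daily_outbound(flows):
    """Total outbound bytes keyed by (src_ip, day), the MRTG-style traffic pattern."""
    totals = defaultdict(int)
    for src, _dst, _dport, nbytes, day in flows:
        totals[(src, day)] += nbytes
    return dict(totals)


def volume_spikes(flows, factor=5.0):
    """Flag (src, day, bytes) where a day's total exceeds factor x the mean of that
    host's earlier days. The first observed day has no baseline and is never flagged."""
    per_host = defaultdict(dict)
    for (src, day), nbytes in daily_outbound(flows).items():
        per_host[src][day] = nbytes
    spikes = []
    for src, days in per_host.items():
        history = []
        for day in sorted(days):
            if history and days[day] > factor * (sum(history) / len(history)):
                spikes.append((src, day, days[day]))
            history.append(days[day])
    return spikes
```

Against the sample data the workstation 10.0.0.42 shows up as an SMTP talker and 10.0.0.77 is flagged on day 3; a real deployment would feed these functions from IPAudit or NetFlow exports and tune the factor to the site's baseline.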

OMG Macs Have Malware too! - [PaulDotCom] - The MacTrojan is running around! Seriously people, all operating systems are vulnerable. But that's only part of the issue: are Macs becoming popular enough to be a target for malware and make evil bad guys some $$? Boy, I hope so, maybe virus writers are so frustrated with Vista's slowness and instability that they are turning to Macs :)

Investigate Storm, get DDoSed - [Larry] - A couple of researchers connecting to a Storm CnC channel were discovered, and had the botnet turned against them. This seems to be a new tactic for the bot herders, albeit a smart (for them) one. The researchers seemed to indicate that the botnet was "self aware", but I'd suspect that someone was manning the battle stations.

iPhone gets iPwnd by HD - [PaulDotCom] - This is part of a three part article from HD detailing how he put together payloads, exploits, and a general framework for reliably gaining control of an iPhone. I think we are going to see more of this. To me this is useful in a penetration test for several reasons. For one, most users of smart phones will store credentials on the device, and most people use the same credentials for multiple sites/applications. So, grabbing a user's email credentials could yield access to the application for processing financial transactions. Also, the iPhone could hold other such useful information such as the WEP/WPA keys, email address book, and call history. Certainly access to enabling the mic and telephone features would open up a whole new world of possibilities.

Addendum: Check out Seth Fogie's two-part article on Windows Mobile Spouseware.

AOL Vulnerability Fixed? - [PaulDotCom] - It appears that AOL only fixed the specific exploit that was crafted, which leaves it open for anyone with enough time on their hands to find another way to inject script code into the application. The exploit author is still holding off on going public with his code until a more permanent fix is implemented, i.e. using the Localzone in IE.

Adobe PDF URI exploit active - [Larry] - This has been patched as of Adobe Reader 8.1.1. No user intervention is required with this one.

Other Stories Of Interest

Microsoft HealthVault helps you find....Porn! - [PaulDotCom] - Apparently it's fixed now (yes I tested it :), but a search for "sucker" would return adult web sites. Sweet!

Corrections & Comments

From Raul Siles: Listening to the last episode, #85, I saw you will be looking at aircrack-ptw soon. You also provided some not very accurate numbers (number of different IV's and time required to break a WEP key), and also referenced the Airtight presentation in DC15. All these topics have been covered in recent, and not so recent, RaDaJo posts:

Enjoy!... and please, include RaDaJo in your feed reader ;)


From "TW" Regarding WifiZoo:

Guys,

What you wrote was a great start, but I ran into a couple other issues of python dependencies and other errors. The notes below fix the problems I had.

# apt-get install tcpdump graphviz imagemagick python-gnuplot python-crypto python-pyxh  python-gnuplot libltdl3 tcl8.4 graphviz kismet

# wget http://www.secdev.org/projects/scapy/files/ethertypes 

# cp ethertypes /etc/

Bash Script:

#!/bin/bash
# Auto config for wifizoo
# Create a monitor-mode virtual interface on the madwifi device wifi0
# (the script assumes the new interface comes up as ath1)
wlanconfig ath create wlandev wifi0 wlanmode monitor
ifconfig ath1 up
# Start WifiZoo on the monitor interface
python wifizoo.py