SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 311 for Thursday December 6th, 2012
- The Stogie Geeks Show! For cigar enthusiasts, by cigar enthusiasts.
- Please subscribe to the PaulDotCom Insider Newsletter for all things PaulDotCom, discounts on training, and updates on cool stuff we're doing (like looking for people to help, take people under our wings and teach them security, etc...)
Tech Segment: How I use GISkismet for more than mapping
I'll say up front, I love GISkismet for interpreting kismet .netxml output for sending to Google Earth. However, I find that sending the .nextml output to Sqlite3 also gives me plenty of options for reporting on issues as well!
In many cases when I do assessments, I won't have GPS location available; I'm walking around inside of the assessment environment without a clear view of the sky. In this case, this gives me the ability to see the environment just like the clients see it, often times revealing some risk that is oft forgotten about.
Based on the information that I won't always have information about GPS based location I need to import ALL of the collected AP information into the Sqlite3 database. We can accomplish this with the --ignore-gps option which will add all of the APs even though no location information was found in the .netxml
$ ./giskismet -x somefile.netxml --ignore-gps --database nogps.dbl Checking Database for BSSID: 00:0F:90:5E:37:70 ... AP added Checking Database for BSSID: 00:11:5C:44:27:C0 ... AP added Checking Database for BSSID: 00:11:92:49:A1:70 ... AP added Checking Database for BSSID: 00:11:92:7E:E1:20 ... AP added Checking Database for BSSID: 00:11:92:7E:F1:50 ... AP added Checking Database for BSSID: 00:11:93:0D:F2:40 ... AP added Checking Database for BSSID: 00:11:93:2A:01:70 ... AP added Checking Database for BSSID: 00:13:19:75:3A:A0 ... AP added Checking Database for BSSID: 00:13:C4:F3:E5:E0 ... AP added Checking Database for BSSID: 00:14:6A:73:BB:10 ... AP added Checking Database for BSSID: 00:14:A9:A9:08:10 ... AP added Checking Database for BSSID: 00:1A:70:44:82:C4 ... AP added Checking Database for BSSID: 00:1B:B1:03:BD:B9 ... AP added Checking Database for BSSID: 6C:E8:73:D2:66:C6 ... AP added Checking Database for BSSID: EC:17:2F:6C:C1:AA ... AP added Checking Database for BSSID: F4:3E:61:32:5A:B6 ... AP added
In this case, I've chosen to output the contents to the Sqlite3 database named nogps.dbl.
Great! Now, I understand that I can use GISkismet to run SQL queries against the database, but why not enhance my skill set and learn how to use Sqlite3 to do those same queries? Once Sqlite3 is installed (with say "sudo apt-get install sqlite3") let's get it to start an interactive shell with our new database:
$ sqlite3 nogps.dbl
Let's also be sure there's stuff in there. Show us all of the wireless networks my good man!
sqlite> select ESSID from wireless; Country Inn Country Inn Country Inn Country Inn Country Inn Country Inn Country Inn Country Inn Country Inn Country Inn Country Inn SANS-ROGUE01 GreyhoundWiFi_6002 TP-LINK_D266C6 OpenWrt
How 'bout we show the encryption type with that too?
sqlite> select ESSID, Encryption from wireless ORDER BY ESSID; Country Inn|WPA+TKIP WPA+PSK Country Inn|None Country Inn|None Country Inn|None Country Inn|None Country Inn|None Country Inn|None Country Inn|None Country Inn|None Country Inn|None Country Inn|None GreyhoundWiFi_6002|WPA+TKIP WPA+PSK OpenWrt|None SANS-ROGUE01|None TP-LINK_D266C6|None
That was easy, wasn't it? Yeah, now here's where the "hard work" comes in...
One of the things that I like to point out during an assessment from within the environment is open access points that are likely not associated with the customer. Why? If the customer allows end users to configure new wireless network connections on their devices, this can be an issue. Let's say the customer does the best they can securing their wireless networks, and when client machines are connected to gain access to internal resources, they are also prevented by policy from gaining access to some websites, say Facebook, Twitter, etc. What happens when the users MUST get on Facebook? Thy go join the open network next door, get on Facebook, get compromised, and then come back to the corporate network because they can't access their e-mail...now the customer has "pre-pwned" machines on their network...
Let's get a list of the open APs, shall we?
sqlite> select ESSID from wireless where Encryption = 'None'; Country Inn Country Inn Country Inn Country Inn Country Inn Country Inn Country Inn Country Inn Country Inn Country Inn SANS-ROGUE01 TP-LINK_D266C6 OpenWrt
...or to eliminate duplicates:
sqlite> select DISTINCT(ESSID) from wireless where Encryption = 'None'; Country Inn OpenWrt SANS-ROGUE01 TP-LINK_D266C6
The other use case that I like to point out is when cloaked or hidden wireless networks are discovered. Again, you ask, why? The hiding of networks can be argued to introduce more risks in some scenarios, ultimately when a wireless device travels outside of the environment into a public one, where tools such as Karma, Karmetasploit or the WiFi Pineapple some into play.
Let's get us a list of cloaked networks:
sqlite> select DISTINCT(ESSID) from wireless where Cloaked = 'true'; OpenWrt
Now based on these two scenarios, we can us the info from GISkismet for more than just mapping.
- Bsides everywhere baby! Likely there is one near you, so check the web site www.securitybsides.com. Next local BSides is in Boston on February 23d.
- Larry teaching SANS SEC617 all over and coming to a city near you in 2013
- Please fill out Intern Mike's survey for which locations and what SANS Mentor-led courses you'd like to see in the Boston-area.
- Email hacks router - The H Security: News and Features - This type of attack crops up from time to time. As always, I warn people about the details. CSRF attacks that rely on default passwords are not just CSRF attacks. Two condition need to be in place, the first being you need to have a default password set. The second the web application has to suffer from poor session management that triggers CSRF. So, the problems are still lying within the embedded device manufacturers. They need to apply security to their web applications. They need to allow the user to enter a default password, or even generate one and put a sticker on the device. Look, its messed up. The default password makes it easy. But, most users never even log into their routers, so why bother with a default password? Users that are not sophisticated enough to configure a router are not going to benefit from a default password. Users advanced enough to log into the router will be able to set an initial password. Stick that in your router and smoke it.
- US woman arrested for bank robbery brags on YouTube about robbing a bank - Bank robbers almost always get caught, its easier to create or rent a botnet. They are especially prone to getting caught when you brag about it on YouTube.
- Forget Disclosure — Hackers Should Keep Security Holes to Themselves | Wired Opinion | Wired.com - Sensationalism. You publish an article from someone shady, tisk tisk. The only reason you do that is to benefit from the press. Even better when the shady hacker is "weev", who is likely going to federal prison for the AT&T "hack". As for the disclosure debate, its still a debate, any takers?
- DARPA Looks For Backdoors - I get it, backdoors put their by malicous insiders, or outsiders, are bad. It compromises the integrity of the device. However, a deeper problem is that embedded devices have vulnerabilities that are widely known, and so many unknown, that are put their not-on-purpose by the freaking developers! I think a better project would be to create standards and educate software developers for embedded systems. Then worry about the other "stuff".
- FreeSSHD Remote Authentication Bypass - This is really funny: "ssh.exe -l<valid username> <host>" I mean really, you write software that allows people to securely communicate with systems. Yet, you don't take the proper precautions to make sure there are no easy authentication bypass vulnerabilities? Doesn't that defeat the entire purpose of making this software in the first place? I say give up and write a Telnet server, for Solaris.
- Simple Nomad Locates John McAfee Through Smartphone Photo - Metadata strikes again!
- Buffalo Linkstation Privilege Escalation - Wow, more embedded device fail! So, using the guest credentials, and some readily available session data, you can make the guest user an admin user. Also, directory traversal gives you access to htpasswd and the certificate public AND private key. Firmware also supposed to be riddled with other issues, like file permission problems. Who is making this firmware? Why don't they apply any security? Have they never even read a book on Linux security like ever? Do they just not care? Are they in a race to see who can make the most insecure firmware?
- cPanel Unspecified Flaws Have Unspecified Impact - SecurityTracker - This is the best vulnerability write-up ever. We don't know what the flaws are and we don't know the impact. So, they are unspecified. I hope this attitude never gets into the medical field, "Yes sir, you have some unspecified problems with your penis. The problems they would cause are also unspecified."
Jack's Ghosts of Christmas Past
- Unrealistic expectations and a skills gap mire market for IT security jobs.
- SC breach report from Mandiant. More details on the "numbers is hard" breach in South Carolina (link is to a PDF).
- Why It Pays to Submit to Hackers I like this quote "we already know how we should protect ourselves online, we just choose not to do so." Not a perfect article, but a good look at infosec failures and challenges.
- Responsible Disclosure Can Be Anything But a very interesting story of disclosure from the researcher who found and disclosed the hotel lock bypass, Cody Brocious (aka Daeken).
- Log all the things A tale of logging from Wendy Nather.
- Small Medical Offices Biggest Risk to Patient Data Security, Privacy No kidding, really?