
Seen at OWASP appsec dc

November 8th, 2010

[Image: Seen at OWASP appsec dc, originally uploaded by bachrach44]

This sign pretty much speaks for itself. Something about the very specific and non-legalistic warning message really speaks to me.

View names in Domino help files

November 8th, 2010

This is partially a teaser for the talk I’m giving at AppSecDC on Domino security. (If you’re reading this after the talk has been given, I’ll have the slides and other information up on the Domino security page). In Domino, views are created which display certain data to the user. Many times a developer will assume that if they don’t advertise a view, no one will find it (security through obscurity anyone?) and doesn’t bother to apply the correct permissions. As a penetration tester I’m sure you’d like to find these views, but what are they called? If you look at the Domino help files, you’ll get some ideas. There are many pieces of sample code, and often a developer will cut and paste the applicable code. The names Domino favors in the help files are as follows, sorted by the number of times each is used.

135 – By Category
36 – View A
31 – All
26 – Main
23 – Categorized
22 – Main View
13 – All Documents
6 – Topics
4 – By Author
3 – By Date\Ascending By Main Topic
3 – People
3 – Boots
2 – Products
2 – My View
2 – folderName
2 – CategoryView
2 – By Subject
2 – All Documents by CustomerNumber
2 – All documents
1 – XML
1 – Work Schedule
1 – viewName
1 – Transportation
1 – Stock
1 – Setup
1 – Sales Records
1 – Sales Leads
1 – Phone book
1 – My Favorites
1 – Locations
1 – Internet Profile
1 – Folder1
1 – Employees
1 – Discussion
1 – Days by Key
1 – Christmas
1 – By Category and Author
1 – By Category
1 – By category
1 – Authors
1 – All by Status & Project
1 – Open\By Project & Priority
1 – Open\By Due Date

IPV6 + MAC addresses + Geolocation = Privacy fail

October 29th, 2010

Update: You can probably scratch this whole idea – see the comments for details.

First, a little background on geolocation for those who haven’t heard of this before:

  1. Google has been collecting wifi data while doing streetview. One of the things they collect is MAC addresses of wireless networks.
  2. Google, using the above MAC addresses and GPS data, is now offering a geolocation service. You just send in the MAC addresses of any wireless networks in range, and Google will helpfully tell you where you are.
  3. While a browser is supposed to prompt a user before sending the MAC addresses off to Google, it is certainly possible for anyone to submit any MAC address they know of to Google. Samy Kamkar has a proof of concept for this.

The summary of the above is this: If you have a MAC address, google will tell you where it has seen that MAC address.

Now for the kicker. IPv6 autoconfig, by default, loads the MAC address into the last 64 bits of the IP address. (Not directly – technically the bytes FFFE are inserted in the middle, and one bit is flipped, but this is all easily reversed. Suffice it to say obtaining a MAC address from this sort of IP address is trivial). See where this is going yet? If you want to know where an IPv6 address is located in the real world, just traceroute to the device, pull the MAC address from the device immediately prior to your target, and see if Google has a record of it. If your target is behind NAT, you can skip even this simple step. This attack is probably mostly theoretical right now since the vast majority of wireless networks are still IPv4, but if IPv6 ever does take off, this will become a real worry.
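To show how little work the reversal described above takes, and to let an administrator audit whether their own hosts' addresses expose a hardware address (RFC 4941 privacy extensions avoid this), here is an added example that is not from the original post; the prefix, the MAC and the sample addresses are constructed.

```python
import ipaddress
from typing import Optional

# Constructed sample addresses (not from the original post).
# The first is built from the made-up MAC 00:1a:2b:3c:4d:5e; the second
# looks like an RFC 4941 privacy (temporary) address with a random IID.
SAMPLE_ADDRESSES = [
    "2001:db8::21a:2bff:fe3c:4d5e",
    "2001:db8::a1b2:c3d4:e5f6:7890",
]

def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.

    SLAAC builds the low 64 bits as  (OUI ^ 0x02) | ff:fe | NIC ; undoing it
    means removing the ff:fe filler and flipping the universal/local bit.
    A random IID can match ff:fe by chance (1 in 65536), so treat a hit as a
    strong indicator, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def eui64_address_from_mac(prefix: str, mac: str) -> str:
    """Forward direction: the address SLAAC would derive for `mac` in `prefix`."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))

def audit_addresses(addrs) -> dict:
    """Map each address that leaks a hardware address to the MAC it exposes."""
    leaks = {}
    for a in addrs:
        mac = mac_from_eui64_address(a)
        if mac is not None:
            leaks[a] = mac
    return leaks

if __name__ == "__main__":
    for addr, mac in audit_addresses(SAMPLE_ADDRESSES).items():
        print(f"{addr} embeds MAC {mac}")
```

Run it against the output of `ip -6 addr` on your own hosts; any hit means that host should have privacy extensions (or a stable, non-MAC-based IID) enabled.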

Credit where credit is due: I got this idea while watching the video of Samy Kamkar’s presentation entitled “How I met your girlfriend“. Samy goes from end to end, showing how to get a person’s real life location. He only talks about IPv4, so for the last steps he convinces the target to click a link, exploits their home router, and pulls the MAC address from there using the default credentials. I basically take this attack and consider it in the IPv6 world, where none of the technical wizardry is necessary and the attack difficulty is significantly lower.

Football signals and security models

October 22nd, 2010

Rarely do I encounter situations where two completely disparate interests in my life – for example security and football – intersect as they recently did. This article describes how the University of Oregon football team was upset because it seemed to them that other teams were stealing their signals and knew what plays they were calling. Usually a team’s quarterback will have a radio in his helmet. The coach will relay in the play from the sidelines, and the QB tells the rest of the team in the huddle. In football, if the defense knows what play is being called, they have a significant advantage. The Ducks decided to take a new approach. Instead of simply trying to make their communications secret, they actually make them public. Someone on the sideline holds up a giant sign with four images on it. The team knows the system, and that tells everyone, at the same time, what the play is. Removing the extra step (the QB telling the whole team in the huddle what the play is) also sped up the team’s offense. Efforts were made to ensure that usability did not suffer due to their new security:

The Ducks couldn’t elaborate on the meaning of the images for obvious reasons, but Asper said it’s not rocket science. “It’s just like the signals – each thing stands for different things,’’ Asper said. “We’re simple creatures. If a guy has a cap, it’s a cap. It’s real simple, real basic. Clover? OK, lucky, Irish – something like that. “It’s not, ‘OK, I have to add the top square and the bottom square.’ We’re not dividing matrices out there. And you can immediately see what’s there, as opposed to going through the dance of all the formations.’’

There is also some sort of defense against replay attacks.

tonight Oregon used the same signal boards multiple times and ran different plays each time.

This is a great example of security being an enabler instead of a hindrance:

Seems like this is a big reason why the Ducks are averaging around 15 seconds in between the end of a play and the next snap.

OWASP USA conference videos

October 13th, 2010

OWASP has uploaded a whole bunch of videos of the talks given at AppSec USA 2010 in Irvine, CA in early September. There are some very good talks in there by some very good people.

On a related note, I’m going to be talking at AppSecDC in November on Domino security. Come check it out.

I’m a twit

October 12th, 2010

I finally fell for the twitter hype and have been on twitter for a few months now. I still do NOT like the 140 byte limit – the world is complex and complex ideas need more than 140 bytes. That being said I do like the running conversation and the way in which anyone can contribute and respond to anyone, so you can chalk me up as a reluctant convert. You can follow me @angelofsecurity.

cool tool of the moment

October 6th, 2010

I just came across a tool called mojopac which I’d actually never seen or heard of before. Basically you can take a current windows OS and move the entire OS onto a USB drive. Take that USB drive to any other computer and it will launch your system as a VM. They claim (although I haven’t seen it verified) that the USB based system and the host system will not interfere with each other. Basically it seems to be like a “build your own knoppix” tool but for Windows. It also turns any computer into a super portable laptop – just install your system with all your configs, apps, etc. onto a USB stick. You don’t need to take any hardware with you when you travel – just plug your USB into whatever computer is convenient.

stuxnet – effort and payout

October 5th, 2010

There’s been a ton of speculation on stuxnet so far, much of it seeming to indicate that this was created by a state actor. Most people have pointed at the incredible levels of effort that went into creating it. However, people are forgetting that many recent malware attacks – including Zeus and Conficker – have had the title of “most complex ever” bestowed upon them as well. It seems natural that malware and computer attacks will only continue to get more complex. Complexity alone does not indicate a state actor.

What people aren’t saying (but I have a feeling many people sense it intuitively without stating it) is that the lack of monetization, combined with the effort, is indicative of a state actor being behind the stuxnet worm. Zeus and Conficker were easily monetized, which explains the effort involved – people (perhaps many people) worked hard to create something to make them money. If they needed an exploit, one could be purchased with the hope that they’d recoup the costs later. The fact that Stuxnet seems to do something (but we don’t know what), and doesn’t seem to be easy to monetize, certainly seems to indicate a non-criminal motive. Since we haven’t seen many other players in this space with significant resources other than criminals and governments, government becomes the natural suspect.

As for the target of Stuxnet, Iran has the most infections, but that could very easily be coincidence. So far there’s no evidence at all that Iran, or anyone else, was a specific target, and we’ve had a simple case of the media continuing to report on each other’s reporting. There are so many reasons that Iran could have more infections I can’t even count them all. Perhaps Iran doesn’t have great antivirus adoption rates. Perhaps the first few infections simply happened to be there. Perhaps this was made by Iranians. Viruses are inherently untargeted, so trying to guess at a target based on the geographical location of infections is speculative at best. However, since no one has any better theories, the media echo chamber will continue to promote this until people assume it’s true, whether or not it really is.

Spamming to find goods launderers

September 14th, 2010

I got a spam this morning which is essentially looking for people to help repackage and ship out stolen goods. They have of course dressed it up in an attempt to appear legitimate, but anyone with any sense can tell this is a scam. I thought briefly about pretending to accept long enough to get some info on the perps and then turn the info over to the authorities, but I highly doubt anyone will actually care. I’m still surprised by their brazenness.

Hello, my name is Lawrence Siegell. [note: email sent from Evan Franklin]
I’ve just viewed your resume and would like to offer you a part-time job based on work at home.
Our company name is Manpower East Gmbh. Job title is Stuff Manager.

We’re a small courier company based in Europe.
We help our clients to order some goods or things at low prices and safety ship packages to the client side.
Our experience shows it’s easier to order something using our service.
We’re looking for a good support representative to process our packages in the USA.

The stuff (like clothes, musical instruments) will be shipped from the online stores, auctions or some of warehouses via regular or express delivery services like USPS, UPS and etc. You will have to handle these packages and resend it to us or our couriers.
Your salary will be $20 USD for each handled package but you will get $50 USD for each package, marked as important. Of course, you will have some bonuses if you work hard and complete your tasks in time.
You will receive 5-20 parcels weekly, trial period (first 4 weeks) includes processing of 2-5 packages.
Maximum packages weight is 20lbs, max size length+width+height < 80 inch, usually 5-12lbs, 8*14*18 inch. For heavy parcels you will be paid with additional (bonus) salary.
We pay monthly or per 20 sent packages. If you have PayPal account, you will be paid via PayPal instant transfer, if don’t have then via Western Union or Moneygram.

All shipping charges will be paid by our company.
No investments required, we will cover all your expenses including shipping charges.
If you’re interested in our offer give me your contact phone # and the best time to reach you at. Or contact me via email.
I also want to inform you that sometimes the international calls from Germany have no caller ID that’s why I ask you to answer the unknown phone calls.

Best regards,
Lawrence

update: Since a lot of people seem to be finding this page, I figured I would add a link to this article from workathomescams.com which describes how the scam works, and mentions that if you participate, you may find yourself to be an accessory to a crime.

compromised credentials

September 3rd, 2010

Speaking of passwords….

In the last few weeks there have been a few stories about criminals using stolen credentials to steal large amounts of money from unsuspecting victims. The Zeus botnet stole about a million dollars from UK banks. Criminals stole a million dollars from UVA, and the Diocese of Des Moines had 600K stolen. All of these followed a similar pattern – criminals used stolen credentials to move money to other bank accounts. I’m reminded of the 2010 Verizon Data Breach Investigations Report (if you haven’t read it, please do). One of the recommendations was to limit the amount of damage that can be caused by compromised credentials. If these banks had been following that advice, their customers might not now be out millions of dollars. If they had implemented any sort of program to look for fraud indicators, they likely would have avoided this whole mess. I know of many banks that have such a program in place, and let’s just say that I haven’t seen any of them show up in the news lately.
