Tuesday, November 06, 2007

Security Links - 11/06/07

Serversniff.net - Fantastic little tool for auditing SSL. Easy way to test for the presence of SSL v2 and weak/export grade ciphers.

Hungry Machine - The guys over at Hungry Machine show us how to quickly and effectively perform geo-locating by IP address in Ruby on Rails. Just goes to show that the 'net is a lot less anonymous than people think. [For those that are unaware, IP address geo-locating is how adult friend finder always manages to display banner ads with lovely ladies from your present location! Now if only they could find a way to display a different set of women based on my location. I find it hard to believe that the exact same set of Caucasian women waiting for me in Arlington, VA are also patiently waiting for me when I travel to Bangkok, Thailand. ;) ]

ToorCon 2007 - A lot of the presentations are now available for download. (Hint: Click the [M])

Overlooked SQL Injection Techniques - Another presentation from ToorCon but not linked on their page. Great presentation that shows a lot of often overlooked SQL injection techniques.

The Bungling Sys Admin - A coworker's blog. I think it's good for us security folks to be reminded of what it's like working down in the trenches and on the front lines. Also some fairly useful information there.

Tuesday, October 30, 2007

OpenSSH Brute Password Capture Patch

Today I was dealing with one of the countless ssh brute force grinders running wild out there on the net. I was thinking that it would be cool if I could capture all the username/password combinations they were supplying. During a search I ran across this nifty little patch. I downloaded and attempted to use it, but could not get the patch to apply. After a bit of investigation, I determined that this patch was written for the OpenBSD-specific version of OpenSSH and would not work on OpenSSH Portable. Since I wanted to use this on my Linux box, I had to modify the patch to get it to work.

The next thing I discovered is that I really didn't like the logging format. The logs record epoch time, username, password, and IP address; however, these are spread across 4 separate lines. So, a sample entry looks something like this:

1193780392
root
test
10.0.6.147


Not very easy to parse. Since I was interested in using the data for other things, I also decided to modify the logging. The format still has the same fields, but now in a colon-delimited format with one attempt per line. It now looks something like this:

1193780828:root:test2:10.0.6.147
1193788608:test:test:127.0.0.1


I've placed the patch on my Google Code site for now. It's not very clean, but appears to work with the portable version of OpenSSH for Linux. I tested it on version 4.7p1 on CentOS.

I'll attempt to clean it up and refine it later.
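To make use of the colon-delimited format, here is a small parser, added here as an example rather than anything shipped with the patch. The log lines are constructed, and the parser assumes IPv4 sources so that a password containing colons is still recovered intact.

```python
"""Parser for the colon-delimited capture log (epoch:user:password:ip).

Added example, not part of the patch.  Sample lines are constructed.
Assumes IPv4 sources: the epoch and user are split off from the left and the
address from the right, so a password containing ':' survives intact.
"""
from collections import Counter

# Constructed sample input, one attempt per line as the modified patch writes it
SAMPLE_LOG = """\
1193780828:root:test2:10.0.6.147
1193788608:test:test:127.0.0.1
1193788700:root:pa:ss:word:10.0.6.147
1193788701:admin:admin:10.0.6.147
this line is not a capture record
"""


def parse_line(line):
    """Return (epoch, user, password, ip) or None for a line that is not a record."""
    line = line.rstrip("\n")
    if line.count(":") < 3:
        return None
    epoch, user, rest = line.split(":", 2)   # epoch and username from the left
    password, ip = rest.rsplit(":", 1)       # IPv4 source from the right; the password is what remains
    if not epoch.isdigit() or ip.count(".") != 3:
        return None
    return int(epoch), user, password, ip


def parse_log(text):
    """All well-formed records in the log, in file order."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def attempts_per_source(records):
    """Number of attempts seen from each source address."""
    return Counter(ip for _, _, _, ip in records)


def top_usernames(records, n=5):
    """The n usernames tried most often, with counts."""
    return Counter(user for _, user, _, _ in records).most_common(n)


def noisy_sources(records, threshold):
    """Sources with at least `threshold` attempts: ip -> (first epoch, last epoch, count)."""
    seen = {}
    for epoch, _, _, ip in records:
        first, last, count = seen.get(ip, (epoch, epoch, 0))
        seen[ip] = (min(first, epoch), max(last, epoch), count + 1)
    return {ip: v for ip, v in seen.items() if v[2] >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("attempts per source:", dict(attempts_per_source(recs)))
    print("top usernames:", top_usernames(recs))
    print("noisy sources (>=3):", noisy_sources(recs, 3))
```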

Wednesday, October 24, 2007

CapSec October - 10/25

Reminder: CapSec meet up tomorrow.

CapSec October
October 25 (Thursday) 7:30 PM
The Brickskellar
1523 22nd St, NW
Washington DC 20037



Monday, October 22, 2007

Published! .... well, sorta

Last month I was contacted by a professor from a university in the midwest. He had run across my posting on DNS Best Practices and was requesting permission to include those in his course material. This material is being included in the curriculum for a Systems Administration class he teaches.

While this is both an honor and a privilege, the real kicker is that I am extremely jealous. I really wish that these sorts of courses existed back in my college days. The closest thing available for me at the University of Houston, where I majored in Physics, was an intro to computers they provided as part of my Physics major curriculum. We briefly learned about hardware (486 vs Pentium, ISA cards vs PCI, etc.) and then we jumped into Mathematica and how we could use it to do our physics homework. Unfortunately, like many of my fellow UofH students that year, about the only thing I did learn was which computers could and could not effectively run the now classic Civ I game. ;)

Security Links - 10/22/07

Just a few links for security related tools and sites that piqued my interest in the past few weeks.

Hashmaster - Have a tool or application that is encrypting data, but you are unsure what algorithm is being used? Pass your application a string to encrypt and then pass those two values to Hashmaster. It will compare the values and attempt to identify the algorithm in question.

HITB Presentations - All the presentations from last month's HackInTheBox Security Conference in Malaysia have been posted and are available to download. Pretty interesting stuff.

fierce.pl - By far, the best tool available for enumerating hosts via DNS. I had played with the very first version when it was announced, but had never bothered to follow up on subsequent releases. I recently downloaded and played with the most current version (0.9.9 - Beta) and was wholly impressed. A must have in any pen-testers toolbox.

Knoppix-NSM - A bootable LiveCD based on the popular Knoppix distro. This one has been customized to provide almost-instant NSM capabilities. Comes with Snort, BASE, Barnyard, ntop, and Sguil. Was covered in this month's copy of Information Security Mag.

Thursday, October 18, 2007

Thailand or Bust!

(This is a bit more of a personal post than security related, but I will try to tie it in as much as possible.) I have a blogging policy that I don't mention my employers by name in my posts or talk about issues directly related to them. However, today I am going to violate my own policy. ;) As of today, I have resigned my position here in the US as Director of Security Operations for Revolution Health and have accepted a new role with a Thailand-based company. Aware Corporation is a premier IT services company, headquartered in Chiang Mai, Thailand. This is a truly exciting company that I have been communicating with and tracking for 3+ years and the opportunities are practically endless. In my 10-year IT/ Security career, I can't recall ever being as excited to work for a company as this one!

I will be leaving the US later next month and beginning my new role the first part of December. For those of you in the industry and traveling to the region or already working in the region, please feel free to contact me. I'm hoping to start occasionally attending BangSec and HITB, becoming active in the SE Asian security community, and building up my network of contacts on that side of the world.

Wish me luck!

Friday, October 12, 2007

Simple Website Security - 4.5 Tips!

When setting up a secure website, system administrators and webmasters often fail to perform very basic tasks that would greatly "shore up" the webserver. Here are 4 and a half simple tips to secure your webserver, make it easier to monitor, and prevent it from sticking out like a sore thumb during a security audit.


1.) There are known security vulnerabilities and weaknesses in some SSL versions and encryption ciphers. SSLv2, along with all weak and export-grade SSL ciphers, should be disabled. In addition to being good overall security practice, this is also mandated by the PCI Data Security Spec (4.1). This can be easily done in Apache by adding the following to your config file:

#Disable SSLv2 and weak/ export grade ciphers ('+' only reorders, so LOW and anonymous-DH ciphers must be excluded with '!')
SSLProtocol all -SSLv2
SSLCipherSuite ALL:+HIGH:+MEDIUM:!SSLv2:!EXP:!LOW:!eNULL:!aNULL



2.) When hosting a secure portal-ish site where the landing page is simply a login page, I like to force SSL only without requiring the user to remember that the site is SSL only. This can be easily accomplished in Apache by using a rewrite rule. This allows my server to still listen for regular HTTP requests, but automatically rewrite those to HTTPS. Adding the following to your Apache config file will achieve this behavior.

#Redirect to SSL (server/vhost context; in .htaccess the matched path has no leading slash)
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]


3.) TRACK and TRACE are not very well-known HTTP request methods used for debugging HTTP problems. These methods are very seldom used (if ever) and there are a few known Cross Site Scripting (XSS) vulnerabilities related to them. This is a very common finding that will be reported by almost every automated security scanner in the world and can also lead to failed security audits. Because of this, it's best to disable them. Again we can use Apache rewrite rules to do this by adding the following lines to the Apache config file:

#Disable TRACE & TRACK Methods (needs RewriteEngine On; Apache 2.0.55+/2.2 can use "TraceEnable off" instead)
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

4.) Monitoring application logs is an essential part of any security program. Often your access and error logs will be polluted with error messages that the "robots.txt" file was not found. This file is simply a list of rules that a search engine spider should follow when crawling your site; each time an automated crawler visits your site, this file is the first thing it requests. To prevent this error from filling your logs, create a simple text file named "robots.txt" in the root of your web directory. The following contents will still allow crawling of everything:

User-agent: *
Disallow:

4.5) The next thing you will see constantly polluting your error logs are failed requests for a file named "favicon.ico". This file is the small logo you see in your browser's address bar when you visit some sites, or in your bookmarks when you bookmark that same site. It is requested by the user's browser at the beginning of EVERY visit to your site, so the failed request can quickly fill up your log files! An easy way to fix this is to copy a blank favicon.ico into the root of your web directory. Alternatively, if you are feeling especially creative you can create a custom favicon here or here.
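An added example (not from the post) that evaluates an OpenSSL cipher string the way SSLCipherSuite does, using a small constructed subset of the cipher table. It shows why a string of the form ALL:+HIGH:+MEDIUM:!SSLv2:!EXP:!eNULL needs an explicit !LOW: '+HIGH:+MEDIUM' only reorders what ALL already selected, so the 56-bit DES cipher ends up not just enabled but first in preference.

```python
"""Evaluate an OpenSSL cipher string the way Apache's SSLCipherSuite does.

Added example, not from the post.  CIPHERS is a small constructed subset of
OpenSSL's table (name -> the classes it belongs to), in the order OpenSSL
would list them.  The rule it demonstrates: '+CLASS' only moves ciphers that
are already selected to the end of the list, while '!CLASS' removes a class
for good, so the original string leaves the LOW cipher enabled and first.
"""
import re

CIPHERS = {
    "DES-CBC3-MD5":       {"ALL", "HIGH",   "SSLv2", "RSA"},
    "RC2-CBC-MD5":        {"ALL", "MEDIUM", "SSLv2", "RSA"},
    "EXP-RC2-CBC-MD5":    {"ALL", "EXP",    "SSLv2", "RSA"},
    "DHE-RSA-AES256-SHA": {"ALL", "HIGH",   "SSLv3", "RSA", "DH"},
    "AES128-SHA":         {"ALL", "HIGH",   "SSLv3", "RSA"},
    "ADH-AES128-SHA":     {"ALL", "HIGH",   "SSLv3", "aNULL", "DH"},  # unauthenticated DH
    "RC4-SHA":            {"ALL", "MEDIUM", "SSLv3", "RSA"},
    "DES-CBC-SHA":        {"ALL", "LOW",    "SSLv3", "RSA"},          # 56-bit DES
    "EXP-RC4-MD5":        {"ALL", "EXP",    "SSLv3", "RSA"},          # 40-bit export
    "NULL-SHA":           {"eNULL", "SSLv3", "RSA"},                  # no encryption; not in ALL
}

ORIGINAL = "ALL:+HIGH:+MEDIUM:!SSLv2:!EXP:!eNULL"                # the form discussed above
HARDENED = "ALL:+HIGH:+MEDIUM:!SSLv2:!EXP:!LOW:!eNULL:!aNULL"    # LOW and anonymous DH removed

WEAK = {"SSLv2", "EXP", "LOW", "eNULL", "aNULL"}


def _matches(body, table):
    """Ciphers matching a token body: a cipher name, or classes joined by '+' (logical AND)."""
    wanted = set(body.split("+"))
    return [c for c, cls in table.items() if c in wanted or wanted <= cls]


def evaluate(spec, table=CIPHERS):
    """Ordered list of ciphers the string selects (the subset of ciphers(1) rules modelled here)."""
    selected, killed = [], set()
    for token in re.split(r"[:, ]+", spec.strip()):
        if not token or token.startswith("@"):      # @STRENGTH and friends are not modelled
            continue
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = _matches(body, table)
        if op == "!":                                # remove permanently
            killed.update(hit)
            selected = [c for c in selected if c not in hit]
        elif op == "-":                              # remove, but a later token may re-add
            selected = [c for c in selected if c not in hit]
        elif op == "+":                              # move already-selected matches to the end
            selected = [c for c in selected if c not in hit] + [c for c in selected if c in hit]
        else:                                        # append new matches, never killed ones
            selected += [c for c in hit if c not in selected and c not in killed]
    return selected


def weak_classes_enabled(spec, table=CIPHERS):
    """Which of the weak classes still have at least one cipher selected."""
    return {cls for c in evaluate(spec, table) for cls in table[c]} & WEAK


if __name__ == "__main__":
    for name, spec in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(name, evaluate(spec), "weak:", weak_classes_enabled(spec) or "none")
```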

Security Links - 10/12/2007

Just a few links for security related tools and sites that piqued my interest in the past few weeks.

EasyIDS - Installable IDS system based on CentOS. Includes a web GUI, snort, barnyard, ntop, etc.

SecureDVD - Bootable DVD containing 10 popular security LiveCD distros. A bit dated as it still ships with BackTrack 1.0.

SecurityDistro.com - Great site that lists and tracks security related Linux distros.

Nipper - Fantastic little open source tool for auditing configurations of many network devices. Similar to the Cisco Router Auditing Tool (RAT), but supporting so many more devices, including Juniper/Netscreen firewalls.

Ruby on Rails Security Cheatsheet - Great list of security best practices for Ruby on Rails.

Wednesday, September 26, 2007

(IN)Secure Mag - 13th Edition


Just a quick heads up to point out that the 13th issue of (IN)Secure mag is out. There is another bit on PCI Compliance and a piece on automated log management for HIPAA compliance in this issue that look fairly interesting. This mag is usually a pretty good read and I recommend you check it out!

Friday, September 21, 2007

GAUS 1.5 - New Features/ Bugfixes

A couple bugfixes and a few more features have been added to the Gentoo Auto-Update Script. The new features include:

  • Convenient variable enabling/disabling of functions to eliminate the tedious need to un-comment desired sections
  • Optional cleanup of /tmp directory
  • Listing of all files on the system larger than a predetermined size
  • A GAUS project wiki page


The GAUS script can be downloaded from Google Code. Please review the README.txt file for a complete list of changes/ bugfixes and additional information.

Additionally, please note that due to limitations in the Google Code system, I've had to re-engineer the way GAUS self-update checking works. Users of version 1.4 will not be automatically notified that version 1.5 is now available. This should now be corrected going forward.

Tuesday, September 11, 2007

Monkey-House survives to Thailand

I'm happy to report that I once again survived my trip to Thailand. I deftly maneuvered myself through buckets of booze (pictured on left), hordes of hungry temple monkeys (below), and crazy drunken taxi drivers (something you don't want to see). In the process I managed to meet some great people, make several fantastic contacts, and might even end up with a couple of job offers after all!


Additionally, I have an update on my previous report regarding Thailand's Internet Filtering. There is a blog, FACT - Freedom Against Censorship Thailand, dedicated to the dissemination of information regarding Thailand's filtering. (Thanks Ed!) One of the interesting things they provide, is the secret block list compiled by MICT and pushed down to all of the ISPs in Thailand.

Basic DNS Auditing


I seem to run across a lot of security consultants and professionals that just don't seem to have a basic understanding of DNS and what sort of basic things to look for when performing an audit. I previously posted a high level guide on DNS best practices, so this posting is meant to demonstrate the technical methods for checking some of these things. This guide only provides a basic starting point and is by no means complete and exhaustive.

The first thing I like to do when externally examining someone's DNS configuration is to perform a whois on the domain name.

# whois some-domain.com


The important part of that information is the domain servers.

Domain servers in listed order:

NS1.SOME-DOMAIN.COM
NS2.SOME-DOMAIN.COM



The other thing I like to check is that the contact information is semi-generic. The place this comes in handy is in an enterprise environment where there will inevitably be employee turnover. If the contact information is specific to a single user, i.e. Billy J. Bob, billy.bob@some-domain.com, etc., then it becomes very painful to update this information or have changes made once that employee leaves the company. I instead prefer to see something more along the lines of hostmaster@some-domain.com or dns@some-domain.com, which is a distribution list pointing to the operations team Billy Bob is a part of.

The next thing I check is that the NS records supplied for that domain by the name servers match those supplied by the whois record.

dig ns @NS1.SOME-DOMAIN.COM some-domain.com

;; QUESTION SECTION:
;some-domain.com. IN NS

;; ANSWER SECTION:
some-domain.com. 7200 IN NS ns1.some-domain.com.
some-domain.com. 7200 IN NS ns2.some-domain.com.


Any mismatch between the NS records supplied by the name server and those listed in the whois record can cause intermittent DNS resolution failures and sometimes even mail delivery problems.

For redundancy purposes, the supplied domain servers should be located in geographically diverse regions on separate networks, and should be carrier diverse as well. Resolving these server names and performing traceroutes to each of them should allow you to make educated inferences into whether this is true or not.

Now it's time to examine the DNS servers themselves. I first like to check to see if the DNS servers will provide version information. There are two ways to do this. With dig:

dig @ns1.some-domain.com version.bind txt chaos
;; ANSWER SECTION:
VERSION.BIND. 0 CH TXT "8.3.4-REL"


Or alternatively with nslookup:

nslookup -type=txt -class=chaos version.bind ns1.some-domain.com
VERSION.BIND text = "8.3.4-REL"


The easiest way to obscure this information on a server running BIND is to use the version statement within the options section of the named.conf file.

options {
// any string works here; the default reports the real BIND version
version "None of Your Business!";
};


The next thing to check is if zone transfers are enabled. Again, there are two ways to do this. With dig:

dig @ns1.some-domain.com some-domain.com axfr


Or alternatively with nslookup:

nslookup
> server ns1.some-domain.com
Default Server: ns1.some-domain.com
> set type=any
> ls -d some-domain.com


If zone transfers are enabled, you will see something similar to the dig output below:

;; global options: printcmd
some-domain.com. 3600 IN SOA ns1.some-domain. admin.some-domain. 4 900 600 86400 3600
some-domain.com. 3600 IN NS ns1.some-domain.com
some-domain.com. 3600 IN NS ns2.some-domain.com
some-domain.com. 3600 IN MX 10 mail.some-domain.com.
mail.some-domain.com. 3600 IN A 208.209.251.12
www.some-domain.com. 3600 IN A 208.209.251.243
ns1.some-domain.com. 3600 IN A 208.209.251.8
ns2.some-domain.com. 3600 IN A 208.209.251.9
some-domain.com. 3600 IN SOA ns1.some-domain. admin.some-domain. 4 900 600 86400 3600
;; Query time: 681 msec
;; SERVER: 208.209.251.11#53(208.209.251.11)
;; WHEN: Tue Sep 11 10:04:12 2007
;; XFR size: 6 records (messages 6, bytes 429)

Remember to also check for zone transfers for the reverse DNS as well:

dig @ns1.some-domain.com 251.209.208.in-addr.arpa axfr

To prevent unauthorized zone transfers, use the allow-transfer statement within the options section of your named.conf file.

// address match lists take addresses, prefixes, ACL names or keys, not hostnames; this is ns2's address from the transfer output above
allow-transfer { 208.209.251.9; };

Alternatively, TSIG (Transaction SIGnature) keys can be used to authenticate zone transfer requests.

All domains should also have at least two MX records for redundancy. Like DNS servers, these servers should be on separate netblocks, and be both geographically and carrier diverse.

dig mx @ns1.some-domain.com some-domain.com

Another good thing to check for is the presence of SPF records. To do this with dig:

dig -t TXT some-domain.com +short
"v=spf1 mx ?all"

One more common mistake is to have your public authoritative nameservers configured to allow recursion. The simplest way to check for this is to use nslookup to send an unrelated request to that server. For example:

nslookup www.monkey-house.org ns1.some-domain.com

Server: ns1.some-domain.com
Address: 208.209.251.11#53

Non-authoritative answer:
Name: www.monkey-house.org
Address: 216.98.141.250

For more intensive testing, I also like to run the domain through tools such as:

DNS Report - http://www.dnsreport.com
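The checks walked through above, as an added example that is not part of the original post: offline Python over text already captured from dig and whois, covering the whois/zone NS comparison, version.bind disclosure, MX redundancy and the SPF 'all' qualifier. The sample zone is constructed from the transfer output shown above (plus the SPF TXT record), and wiring the functions to live queries is left to the reader.

```python
"""Offline checks for the DNS audit steps in this post.

Added example, not from the original post.  Each function takes text already
captured from dig or whois, so it runs without network access; the zone below
is constructed from the transfer output shown above, plus the SPF TXT record.
Hooking the functions up to live queries is left to the reader.
"""
import ipaddress
import re
from collections import defaultdict

AXFR_SAMPLE = """\
some-domain.com. 3600 IN SOA ns1.some-domain.com. admin.some-domain.com. 4 900 600 86400 3600
some-domain.com. 3600 IN NS ns1.some-domain.com.
some-domain.com. 3600 IN NS ns2.some-domain.com.
some-domain.com. 3600 IN MX 10 mail.some-domain.com.
some-domain.com. 3600 IN TXT "v=spf1 mx ?all"
mail.some-domain.com. 3600 IN A 208.209.251.12
www.some-domain.com. 3600 IN A 208.209.251.243
ns1.some-domain.com. 3600 IN A 208.209.251.8
ns2.some-domain.com. 3600 IN A 208.209.251.9
"""
WHOIS_NS = ["NS1.SOME-DOMAIN.COM", "NS2.SOME-DOMAIN.COM"]   # as whois prints them


def norm(name):
    """Names compare case-insensitively, with or without the trailing dot."""
    return name.lower().rstrip(".")


def parse_dig(text):
    """[(owner, type, rdata)] from dig answer lines; ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith(";") or len(parts) < 5 or parts[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, *rdata = parts
        records.append((norm(owner), rtype, " ".join(rdata)))
    return records


def ns_mismatch(whois_ns, records):
    """(names only whois lists, names only the zone lists); both empty means they agree."""
    registrar = {norm(n) for n in whois_ns}
    zone = {norm(rd) for _, t, rd in records if t == "NS"}
    return registrar - zone, zone - registrar


def version_disclosed(version_bind_answer):
    """True when a version.bind TXT answer looks like a real version rather than a decoy string."""
    return re.search(r"\d+\.\d+", version_bind_answer) is not None


def spf_policy(records):
    """SPF 'all' qualifier (+, ~, - or ?); '?' when 'all' is absent (the RFC 4408 default); None without SPF."""
    for _, t, rd in records:
        value = rd.strip('"')
        if t == "TXT" and value.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", value)
            return (m.group(1) or "+") if m else "?"
    return None


def mx_redundancy(records):
    """At least two MX hosts on different /24s, a cheap proxy for the post's 'separate netblocks'."""
    hosts = [norm(rd.split()[1]) for _, t, rd in records if t == "MX"]
    addrs = defaultdict(list)
    for owner, t, rd in records:
        if t == "A":
            addrs[owner].append(rd)
    nets = {ipaddress.ip_network(ip + "/24", strict=False) for h in hosts for ip in addrs[h]}
    return {"mx_hosts": hosts, "netblocks": len(nets), "redundant": len(hosts) >= 2 and len(nets) >= 2}


def audit(whois_ns, zone_text, version_answer):
    """Findings for one domain, in the order the walkthrough above checks them."""
    records = parse_dig(zone_text)
    findings = []
    only_whois, only_zone = ns_mismatch(whois_ns, records)
    if only_whois or only_zone:
        findings.append("NS mismatch: whois-only %s, zone-only %s" % (sorted(only_whois), sorted(only_zone)))
    if version_disclosed(version_answer):
        findings.append("version.bind discloses %s" % version_answer)
    if not mx_redundancy(records)["redundant"]:
        findings.append("fewer than two MX hosts on distinct netblocks")
    policy = spf_policy(records)
    if policy is None:
        findings.append("no SPF record")
    elif policy in ("?", "+"):
        findings.append("SPF ends in %sall, which rejects nothing" % policy)
    return findings
```

Note that the "v=spf1 mx ?all" record shown above is reported as a finding: a neutral "?all" tells receivers nothing about mail from other sources.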

So, how are you auditing DNS? What are your favorite tools?

Thursday, August 30, 2007

The Resurrection of KisMac

Now that I have a bit of down time here in Thailand and am trying to give my liver a well deserved day of rest, although a bit late, I wanted to provide an update to a previous posting regarding the demise of KisMac.

The primary developer, Michael Rossberg, had decided to halt the project due to restrictive changes in German law. Well, I'm happy to report that this project has been relocated to a site in Switzerland and by the looks of things, is alive and well. The new site is here and the old site has been replaced with some interesting political commentary. It will be interesting to see if Mr. Rossberg continues to commit code to the project or not.

PCI - Lost in Interpretation

Several people commented on my previous PCI postings and have recommended that when implementing PCI DSS, it should be done in the spirit and intent of the spec, and not necessarily in accordance with the exact wording.

The primary point of my posts was that the spec is vague in many areas and should be rewritten or clarified.

The argument of "Use the spirit, not the letter" is only good until I squander thousands of dollars on a failed PCI audit because the auditor was not interpreting the requirements in the same "spirit" as I was.

Things of this nature should be specifically spelled out and carefully worded. Leaving them open to interpretation can and will cause problems. This is especially concerning when state governments (Texas and Minnesota) start adopting this spec as state law. I believe it's only a matter of time before some poor schmuck fails an expensive PCI audit and drags this into the court system. And with it now becoming a government-mandated requirement, it's inevitable that without improvement, interpretation is going to ultimately fall into the hands of judicial courts that lack the proper technical background.

Green Screen of Death?


(Standard Disclaimer: As always, views, opinions, and actions expressed in this post are solely mine and in no way reflect that of my employer. Additionally, in no way is this meant to reflect negatively on Thailand, its people, or its government.)

Thailand's Internet Filtering Gone Awry

While browsing my company's website, I noticed that a lot of pages were failing to render properly. After a bit of digging, I noticed some strange behavior: some of our CSS and JavaScript files are being blocked.

For instance, the following HTTP request:

GET http://www.revolutionhealth.com/stylesheets/65919/common.css HTTP/1.1
Host: www.revolutionhealth.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 Paros/3.2.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.revolutionhealth.com/omag/?ipc=B00145
Cookie: (Cookies Removed!)
Cache-Control: max-age=0


Returns the following 302 HTTP Redirect:

HTTP/1.0 302 Moved Temporarily
Server: squid/2.5.STABLE11
Mime-Version: 1.0
Date: Wed, 29 Aug 2007 10:27:00 GMT
Content-Type: text/html
Content-Length: 0
Expires: Wed, 29 Aug 2007 10:27:00 GMT
Location: http://w3.mict.go.th/ci/blocked.html
X-Squid-Error: 403 Access Denied
X-Cache: MISS from proxy
X-Cache: MISS from 192.168.0.1
Connection: keep-alive


This of course redirects us to what is apparently locally known as "The Green Screen of Death". It seems that the local ISP used by my hotel, PROEN Internet (which, ironically enough, is mistakenly listed as one of Google's Badware Sites!), is filtering all web traffic through a caching/ filtering Squid proxy server.

So all requests which pass through this service appear as:

GET / HTTP/1.0
Host: (Removed)
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via: 1.1 192.168.0.1:8080 (squid/2.5.STABLE1), 1.0 proxy:8080 (squid/2.5.STABLE11)
X-Forwarded-For: 192.168.0.198, 202.151.184.194
Cache-Control: max-age=259200
Connection: keep-alive


And in my case are coming from 202.151.191.38 as seen by:

Aug 30 04:03:22 10.54.54.254 Aug 30 2007 04:03:30: %PIX-5-304001: 202.151.191.38 Accessed URL (Removed):/

Squid is running on port 8080 of this machine, but use is limited by source IP address.

However, when the proxy server sees something that it does not like, it redirects to the http://w3.mict.go.th/ci/blocked.html site, an IIS 6 webserver hosted by Thailand's Ministry of Information and Communication Technology (ICT).

So, the obvious questions become:

  • How are the block lists generated and maintained?
  • Is it controlled by a central authority or is supplied as part of a commercial product?
  • What is the process to report and remove false positives?
  • Is any dynamic and/or keyword filtering being utilized, or is it solely based on a list of URLs?
  • Is participation mandatory for all ISPs or is it elective?

Can anyone in Thailand or with knowledge of this, provide further insight on the matter?

**I know there are several ways to bypass this including Tor (which is also blocked in Thailand), various anonymous proxies, tunneling web traffic over SSH to a remote machine, etc. This post is not about that, so please don't post circumvention methods. I am much more interested in sharing knowledge of the system's design and operations.

Wednesday, August 22, 2007

Monkey-House goes to Thailand

In just a few short hours I will be making that ever so long flight back to Thailand. From August 23rd until Sept 6th, I will be pounding the pavement in Bangkok in search of gainful employment. If anybody out there is looking for a security guru or experienced network admin based in Bangkok, please feel free to contact me. Additionally, if there is anybody in the area that is interested in a BangSec - CitySec meeting, please let me know.

Wednesday, August 08, 2007

VMWare Fusion

Looks like VMware has taken its Mac OS X virtualization platform out of beta and is now shipping a finished product.

Although I am fairly happy with Parallels, I like the idea of being able to run pre-built VM images and I am sort of intrigued by some of the new Fusion features such as:

Create powerful multi-core virtual machines

Only VMware Fusion gives you the ability to leverage the power of the dual-core processors found in most Intel-based Macs with exclusive support for VMware Virtual SMP technology.

Although the price war I hoped for didn't happen, they are currently offering a $20 rebate.

More PCI Woes

Another major complaint of mine is that the defined scope of the PCI DSS 1.1 spec does not scale very well for today's modern architectures. The applicable scope is defined as:

These security requirements apply to all “system components.” System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.

This is all well and good for most traditional networks; however, it fails to account for key components of modern networks. Take for instance the following examples:

  • Virtualization - What happens when the machines that accept and process card holder data are virtualized? Do PCI requirements extend to every virtual machine that these machines may share hardware with? If your virtualization software allows for real time transitioning of machines across a virtualization cluster, is every machine in the cluster now subjected to PCI? What if administrative authentication to the virtualization management console is controlled by your internal Active Directory structure? Is that now also within scope?

  • Service-Oriented Architecture/ Enterprise Service Bus - The big trend in modern web applications is to provide a type of service-oriented architecture. A key component of this is what's known as an enterprise service bus (ESB). The ESB is used to connect all the machines in your production architecture to facilitate the passing of data. So, if the web server that accepts the card holder data utilizes the ESB to transfer that data to the processing server and/ or a fulfillment application, does that mean that the ESB and every machine which touches it are now subjected to the PCI requirements?

The common response is to limit the scope of PCI DSS requirements by means of network segmentation. However, as the examples above show, some things simply transcend network segmentation.


(Warning, rant below!)

So surely there must be some way I can do more than whining to help address these shortcomings in the PCI DSS spec. Of course there is! For the low low fee of $2,000 USD, I too can pay the PCI Security Standards Council to *allow* me to help them. For some odd reason, this just seems a bit backwards to me.

PCI Shortcomings

Often times I run across security recommendations from security individuals that plainly have no operational experience. While in theory they sound good, they don't really work from an operational standpoint. Much to my dismay, it appears that these same sort of individuals played a large role in composing the PCI DSS 1.1 spec.

There are several items within the PCI DSS 1.1 spec that seem simple enough on the surface, but are extremely difficult once you dive into the implementation details. For example:

10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

I am finding this item difficult to truly get my hands around. I am fine with using a tool like Tripwire to md5sum the log file post log rotation. However, I can't figure out how to handle the logs that are actively being appended to. The premise of file integrity tools is to notify of changes to that file, regardless of whether it's an addition or subtraction. Continual appending to an active log file means that the file is constantly changing. If file integrity monitoring is configured not to alert on new data being added, how can it alert on data being subtracted?

For instance, how does this protect against a rogue administrator going in and removing certain log entries from the active log to cover his tracks?

Short of spending extremely large sums of money on extravagant appliance solutions such as LogLogic, how are others addressing this requirement?
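One answer to the question above, added here as an example and not from the post: an append-only check that keeps a (length, SHA-256 of that prefix) baseline for the log and re-hashes exactly that prefix on each run, so appends pass silently while any edit or truncation of entries already seen raises an alert. The scenario in demo() is constructed.

```python
"""Append-only integrity check for a live log file (the 10.5.5 question above).

Added example, not from the post.  The baseline for a file is (length,
SHA-256 of the first `length` bytes).  A later check re-hashes exactly that
prefix: appends leave it untouched and pass; an edit or deletion inside it
changes the hash, and truncation shortens the file, so both alert.  Keep the
baseline store off the monitored host (or signed) so whoever can edit the
log cannot also rewrite the baseline.  demo() builds a constructed scenario.
"""
import hashlib
import os
import tempfile


def prefix_sha256(path, length):
    """SHA-256 of bytes [0, length) of the file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        left = length
        while left > 0:
            chunk = f.read(min(65536, left))
            if not chunk:
                break
            h.update(chunk)
            left -= len(chunk)
    return h.hexdigest()


class AppendOnlyMonitor:
    def __init__(self):
        self.baseline = {}          # path -> (length, digest of that prefix)

    def check(self, path):
        """One of: baseline, ok, appended, modified, truncated.  Alerts keep the old baseline."""
        size = os.path.getsize(path)
        if path not in self.baseline:
            self.baseline[path] = (size, prefix_sha256(path, size))
            return "baseline"
        length, digest = self.baseline[path]
        if size < length:
            return "truncated"       # a log rotation looks the same: call rebaseline() after rotating
        if prefix_sha256(path, length) != digest:
            return "modified"        # something inside the previously seen bytes changed
        self.baseline[path] = (size, prefix_sha256(path, size))   # accept the growth silently
        return "appended" if size > length else "ok"

    def rebaseline(self, path):
        """After an investigated alert or a rotation, start over from the current content."""
        self.baseline.pop(path, None)
        return self.check(path)


def demo():
    """Constructed scenario: append (accepted), edit an old line (alert), truncate (alert)."""
    mon = AppendOnlyMonitor()
    fd, path = tempfile.mkstemp()
    os.close(fd)
    results = []
    try:
        with open(path, "ab") as f:
            f.write(b"Oct 30 10:00:01 sshd[100]: Failed password for root from 10.0.6.147\n")
        results.append(mon.check(path))                 # baseline
        with open(path, "ab") as f:
            f.write(b"Oct 30 10:00:02 sshd[101]: Failed password for test from 10.0.6.147\n")
        results.append(mon.check(path))                 # appended
        results.append(mon.check(path))                 # ok
        with open(path, "r+b") as f:                    # rewrite three bytes of the first entry
            f.seek(0)
            f.write(b"Xct")
        results.append(mon.check(path))                 # modified
        with open(path, "r+b") as f:
            f.truncate(10)                              # drop most of the log
        results.append(mon.check(path))                 # truncated
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    print(demo())
```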

Monday, July 30, 2007

GAUS v 1.4 - New Features

In a rare bout of motivation, I added some additional features to the Gentoo Auto-Update Script. The new features include:

  • AES-256 Encryption of backups (requires openssl)
  • Automatic checking of available GAUS updates.
  • Listing of installed Linux kernel sources.


The GAUS script can be downloaded from Google Code. Please review the README.txt file for additional information.

Sunday, July 29, 2007

R.I.P. KisMAC?


It seems that the very popular wireless scanning tool for OS X, KisMAC, has hit a very serious roadblock. The primary developer, Michael Rossberg, has halted the project due to restrictive changes in German law. He provides the following explanation:

There has not been a lot of time for KisMAC lately. However the motivation for this drastic step lies somewhere different. German laws change and are being adapted for "better" protection against something politicians obviously do not understand. It will become illegal to develop, use or even possess KisMAC in this banana republic (background: the change of § 202c StGB).
While I cannot do much about that for now, you probably can. Make copies of KisMAC and its source as long as the website is up! Do further development outside of Germany, even better outside the US and EU! If you are a German resident, you will need to fight for your rights.

From the KisMAC mailing list, it appears that work is underway to host KisMAC elsewhere. However, it's highly questionable how much additional development effort on long-awaited features, such as packet injection on Ralink-based USB devices, will now be made given the loss of the primary developer. As a security professional with a MacBook Pro as my primary platform, this is especially painful. Has anyone else out there discovered viable alternative wireless tools for the MBP?


Tuesday, July 24, 2007

(IN)Secure Mag - 12th Edition



Just a quick heads up to point out that the 12th issue of (IN)Secure mag is out. The cover story regarding log management and PCI looks very interesting as does the interview with Jeremiah Grossman. This mag is usually a pretty good read and I recommend you check it out!

Tuesday, July 17, 2007

GAUS v 1.3 (now with Metasploit!)

I recently had a chance to spend a little quality time with Metasploit again. One of the first things I did was attempt to update. However, using msfupdate from the default Gentoo package resulted in the following:

# msfupdate

[*] The msfupdate command is no longer supported, please use
Subversion to update your Framework installation.

Updating with Subversion:
$ cd framework-2.x/
$ svn update


So, I naturally decided that I needed to add a "module" to the Gentoo Auto-Update Script to keep my install automagically updated. However, I also remembered that Gentoo only ships a 2.x version of the framework (currently 2.7), while on my box I have upgraded to 3.x. So, the newest version of the GAUS script, version 1.3, now first attempts to determine which version of the framework you are running and then svn syncs up to the newest build.

The GAUS script can be downloaded from Google Code. Please review the README.txt file for additional information.

Monday, July 09, 2007

Gentoo Auto-Update Script - v1.2

After some initial feedback on my Gentoo Auto-Update Script, version 1.2 has been released with several bug fixes. See README.txt for more.

Download script from Google Code.

Saturday, June 30, 2007

iPhone HTTP User-Agent String

Just a quick FYI: the following is the HTTP User-Agent string supplied by the iPhone browser:


Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3

Thursday, June 14, 2007

URL Deobfuscation

A few days ago, I was having a little fun with a coworker. I sent him several obfuscated URLs through Outlook Web Access (OWA) from Internet Explorer (IE) 7.

The 3 URLs I sent were:

http://1096965168/


http://0x41.0x62.0x5c.0x30/

http://0101.0142.0134.0060/

(Warning, links NSFW!!)

All three resolve to: http://65.98.92.48/ (http://goatse.cz)

Strangely enough, as I sent the email, the links were transformed to the "real" IP address, 65.98.92.48, before being sent. Originally I wrote it off as a feature of either OWA or Exchange, but I then resent using OWA via Firefox and also through Entourage. The last two tests delivered the email with the URLs in their obfuscated form. So, it appears that it is the IE7 browser that is de-obfuscating those URLs before they are sent!

Additionally, while composing this post, I noticed that neither Firefox nor Safari on OS X was able to resolve the obfuscated URLs and display the site. Using Thunderbird on Windows XP, I was also surprised to see that not only did Thunderbird label the email as a potential scam, it presented me with a pop-up warning when I attempted to click the links.



As someone who "cut my teeth" working the Security/Abuse desk at UUNET, I remember URL obfuscation as a major tool in the spammer/phisher arsenal. A lot of these bad guys would hide their sites by doing something like http://www.bankofamerica.com@0x41.0x62.0x5c.0x30/, where everything before the @ is ignored as "userinfo" and the real host is the hex address after it.
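All three forms above end up at the same host because legacy address parsers (BSD inet_aton and the browsers that inherit its rules) accept decimal, hex and octal components and let a single number fill all 32 bits. As noted above, not every client resolves them, so a mail filter or log review tool should normalize the host itself rather than rely on whatever the local browser does. The following Python is an added example, not code from the original post: it reduces such URLs to the canonical dotted quad and flags the userinfo decoy. The sample list reuses the post's URLs plus constructed benign cases, and all function names are my own.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed sample set for this example: the three obfuscated forms from
# the post, the userinfo decoy, the plain address, and a normal hostname
# that must be left alone.
SAMPLE_URLS = [
    "http://1096965168/",
    "http://0x41.0x62.0x5c.0x30/",
    "http://0101.0142.0134.0060/",
    "http://www.bankofamerica.com@0x41.0x62.0x5c.0x30/",
    "http://65.98.92.48/",
    "http://www.example.com/",
]


def _parse_component(text):
    """Interpret one host component the way BSD inet_aton does:
    0x prefix is hex, a leading 0 is octal, anything else is decimal."""
    low = text.lower()
    if not low.isalnum():
        raise ValueError("not a numeric component")
    if low.startswith("0x"):
        return int(low[2:], 16)   # int('', 16) raises ValueError: rejected
    if len(low) > 1 and low[0] == "0":
        return int(low, 8)
    return int(low, 10)


def canonical_ipv4(host):
    """Return the dotted quad for an inet_aton-style host (1 to 4 components,
    each decimal, hex or octal; the last component fills the remaining bytes),
    or None if the host is not such an address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:
        return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    trailing_bytes = 4 - len(leading)
    if last >= 1 << (8 * trailing_bytes):
        return None
    packed = 0
    for v in leading:
        packed = (packed << 8) | v
    packed = (packed << (8 * trailing_bytes)) | last
    return str(ipaddress.IPv4Address(packed))


def analyze_url(url):
    """Describe one URL: whether its host is an obfuscated IPv4 literal,
    whether a userinfo decoy precedes the real host, and the normalized form
    (canonical host, decoy removed) that should be shown or logged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    canonical = canonical_ipv4(host)
    result = {
        "original": url,
        "decoy_userinfo": parts.username is not None,
        "canonical_host": canonical or host,
        "obfuscated_ip": canonical is not None and canonical != host,
    }
    if canonical is not None or result["decoy_userinfo"]:
        port = f":{parts.port}" if parts.port else ""
        result["normalized"] = urlunsplit(
            (parts.scheme, result["canonical_host"] + port,
             parts.path or "/", parts.query, parts.fragment))
    else:
        result["normalized"] = url
    return result


def suspicious_urls(urls):
    """Return the analyses of URLs that deserve a reviewer's attention."""
    return [r for r in map(analyze_url, urls)
            if r["obfuscated_ip"] or r["decoy_userinfo"]]


if __name__ == "__main__":
    for r in suspicious_urls(SAMPLE_URLS):
        print(f"{r['original']:50} -> {r['normalized']}")
```

The normalized form is what you want to display in a mail client or store in a log: once the host is the plain dotted quad and the decoy "bank" name is gone, the usual blocklist and reputation checks work again.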

Monday, June 11, 2007

VMware Fusion Beta 4

VMware has just released Beta 4 of its Fusion product. If you are not familiar with Fusion, this is VMware's Mac OS X version of its Workstation product. Although they appear to be borrowing a lot of the cutting-edge features from Parallels [Unity (called Coherence in Parallels), booting of Boot Camp partitions, and DirectX 8.1 support (introduced with Parallels 3.0)], it will be interesting to see how they compete price-wise with Parallels. While Parallels 3.0 is currently retailing for a hefty $79.99, the Fusion Beta is a free download. According to the Fusion FAQ, the final pricing has not been set. The introduction of Fusion should provide some great old-fashioned competition between VMware and Parallels in the arenas of performance, features, and price, which will benefit us all.

Additionally, having Fusion now allows me to finally tinker with all those pre-built VMware appliances/images!


Here is a screen shot of the Smoothwall Firewall VMware appliance running on my machine.

[UPDATE] Looks like VMware has set the price. From the updated FAQ:

Customers can pre-order VMware Fusion for $39.99 from www.vmware.com/mac until the product is GA (generally available) prior to the end of August 2007, which is a 50% savings over the suggested retail price of $79.99 when it is released in August 2007.

Wednesday, June 06, 2007

Gentoo Auto-Update Scripts


Being an old OpenBSD user, I have grown quite accustomed to receiving the daily email output from the fantastic /etc/daily, /etc/weekly, and /etc/monthly cron jobs. Now that I am supporting several Gentoo-based servers, I find myself longing for that same system maintenance automation.

To address this, I have created a shell script for Gentoo to perform various nightly system administration tasks from a cron job and then email me a report reminiscent of OpenBSD's /etc/daily reports. This script is generic enough to run on all of my Gentoo-based boxes. Additionally, since most of the servers I support serve some sort of security function, I've included optional auto-updating for Nikto plugins, Snort signatures, and Nessus plugins.

This script is released AS-IS under the New BSD License and is available from the "Downloads" section of my Google Code page. While I am currently running this script in production environments, it should still be considered Beta. Please feel free to change/add/improve as you see fit. If anyone would like to contribute, please drop me a comment.

Wednesday, May 30, 2007

Idle Hands are the Devil's Tools

In all my years of travel, other than dealing with TSA, nothing has inexplicably bothered me more than airports that charge for wireless access. Due to the ever-growing unpredictability of security lines, ticket counter hassles, less frequent parking lot shuttle buses, and the like, I've had to continually adjust my schedule to arrive at the airport earlier and earlier. Because of this, I often find myself sitting at the airport waiting. To compensate for this, it seems like the least they could do is provide me with some complimentary wireless access so that I can entertain myself or even catch up on some work. (Without me having to squat outside the Red Carpet lounge and "borrow" some wireless access!)

The old saying goes, "Idle hands are the devil's tools", and it's no different for me. With copious amounts of "wait" time, I often found myself honing my wireless sniffing and attack skills. ;)

Well, briefly passing through BWI Airport last week, I decided to check for free wireless. Upon connecting and trying to reach cnn.com, I was instantly presented with a captive portal page.


Of course, the first things I checked were the obvious combinations (guest/guest, admin/admin, etc). These all led to an Access Denied page. But what if there was some way that I didn't have to supply a password? Surely in this day and age there was no way that the login page would be vulnerable to basic kindergarten-grade SQL Injection attacks. This is a very large wireless provider with a presence in airports across the world. Surely they have seen other people try this before and have fixed this. But curiosity got the best of me, and I tried the ol' admin' --


I guess I was wrong.

Monday, April 30, 2007

Security Feeds


Recently several people have inquired about easy and efficient ways to stay on top of what is going on in the security community. The answer, of course, is to aggregate all of your security news "inputs" into an RSS reader.

For Mac OS X platforms, I highly recommend Vienna. This is what I use 90% of the time.

For Win32 platforms, I am currently using Feedreader; however, I am still not completely sold on it. If anyone knows of a better free RSS client, please let me know.

Another amazing resource is the Security Bloggers Network created by Alan Shimel, of which www.monkey-house.org is a proud member. This is essentially a large collection of top-notch IT Security related blogs, aggregated and served out as a Feedburner feed. To take advantage of this, simply subscribe your RSS client to:

http://networks.feedburner.com/Security-Bloggers-Network/feed


Additionally, for anyone that is interested, I have exported my current list of Security/IT related feeds to an OPML file. To use this, simply download my security.opml file and import it into your RSS reader.

***Please note that because my current job duties include performing web application security tests against Ruby on Rails platforms, I have a lot of feeds specific to those two areas.

Google Calendar Session Auth.

While reviewing IDS logs at work today, I noticed that the Snort Bleeding-Edge rule "BLEEDING-EDGE CURRENT EVENTS Google Calendar in Use" (Snort SID 1:2003597) had fired. Looking at the logged request, I noticed that it logged a URL similar to:

http://www.google.com/calendar/feeds/COWORKER%40gmail.com/private-98d32c4725baf853a1c50c4485c9XXXX/full?start-min=2007-04-30T00:00:00&start-max=2007-05-05T00:00:00


(Note: the actual calendar name and session ID have been changed to protect the innocent, so the link will not work.)


But the URL basically has the form: /username/auth-token

Upon clicking on the initial, unmodified link, it allowed me to view my coworker's private Google calendar.

It appears that Google is ignoring a fundamental rule of web application security: "Thou shalt not expose any credentials in URLs."


Referencing item A3, Broken Authentication and Session Management, of the OWASP Top 10, from the Session ID Protection section: "First, they should never be included in the URL as they can be cached by the browser, sent in the referrer header, or accidentally forwarded to a 'friend'."

This also includes web proxy logs and IDS logs, which is exactly where I found this one.


Quote from a friend of mine: " but it's Google.. you don't have to be secure, you just have to be easy "
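Since a token in a URL lands in proxy and IDS logs whether or not the application intended it, a reviewer of those logs needs two things: a way to spot the leak and a way to store the line without preserving the secret. The following Python is an added example, not code from the original post: it scans constructed proxy log lines (timestamp, client, method, URL), flags userinfo credentials, path segments of the "private-<hex>" shape seen above, and a small assumed list of sensitive query parameter names, and returns a redacted copy of each offending URL. The token value and the parameter list are my own constructions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed proxy log lines (timestamp, client, method, URL), not real
# traffic. The calendar URL follows the shape quoted in the post with a
# made-up token; the other lines show the same problem in other guises.
SAMPLE_LOG = """\
1177891200.101 10.0.0.5 GET http://www.google.com/calendar/feeds/someone%40example.com/private-0123456789abcdef0123456789abcdef/full?start-min=2007-04-30T00:00:00
1177891201.202 10.0.0.7 GET http://www.example.com/index.html
1177891202.303 10.0.0.9 GET http://app.example.com/report?session_id=deadbeefcafe&page=2
1177891203.404 10.0.0.9 GET http://user:secret@intranet.example.com/files/
"""

# Query parameter names that carry a credential or session identifier.
# Assumed list for this example; extend it for your own applications.
SENSITIVE_PARAMS = {"session_id", "sessionid", "sid", "token", "auth",
                    "auth_token", "password", "passwd", "pwd",
                    "api_key", "apikey"}

# Path segment of the form seen in the post: "private-<long hex string>".
PRIVATE_SEGMENT = re.compile(r"^private-[0-9a-f]{16,}$", re.IGNORECASE)


def inspect_url(url):
    """Return (findings, redacted_url). findings lists why the URL leaks a
    credential; redacted_url is a copy that is safe to keep in logs."""
    parts = urlsplit(url)
    findings = []

    # user:password@host : drop everything before the @.
    netloc = parts.netloc
    if parts.username is not None:
        findings.append("credentials in userinfo")
        netloc = netloc.rsplit("@", 1)[1]

    # Token carried as a path segment, as in the calendar feed URL.
    segments = parts.path.split("/")
    for i, seg in enumerate(segments):
        if PRIVATE_SEGMENT.match(seg):
            findings.append("private token in path")
            segments[i] = "private-REDACTED"

    # Token carried as a query parameter. The query is split without
    # decoding so the other parameters are preserved byte for byte.
    query_parts = []
    for pair in (parts.query.split("&") if parts.query else []):
        name, sep, value = pair.partition("=")
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"sensitive query parameter {name}")
            value = "REDACTED"
        query_parts.append(name + sep + value)

    redacted = urlunsplit((parts.scheme, netloc, "/".join(segments),
                           "&".join(query_parts), parts.fragment))
    return findings, redacted


def scan_log(text):
    """Run inspect_url over each log line; return one record per leaky line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        findings, redacted = inspect_url(fields[3])
        if findings:
            records.append({"client": fields[1], "findings": findings,
                            "redacted_url": redacted})
    return records


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["client"], ", ".join(rec["findings"]), rec["redacted_url"])
```

Running the redaction at log-collection time, before lines reach a SIEM or a ticket, keeps the evidence of the leak (who, when, which application) without turning the log store itself into a second copy of the credential.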

Friday, April 06, 2007

Hotel Wireless IDS (Oppsie!)

I was recently out in Las Vegas for some compliance training. After a long night of honing my Blackjack skills, I returned to the hotel to catch up on e-mail. The hotel had free wireless, and since 24 hours had passed since I initially connected, I was redirected to the captive web portal to agree to the terms of service, see their marketing stuff, etc. Well, when I clicked accept, I noticed that the captive portal was utilizing a series of CGI scripts to authorize clients. That definitely piqued my interest.

So, the first step in any good "investigation" is to do some fingerprinting. I fired up nmap -sT -A to identify listening services and make an OS guess. Being the impatient person that I am, I also fired up nikto in parallel. But of course, that wasn't enough to immediately satisfy my curiosity, so I started conducting some web tests by hand. And then something happened that I completely did not expect. I got this web message:

Opps!

Has anyone else experienced something like this before? The interesting thing is the URL. I wonder if I sniffed the IP/MAC address combinations off my local segment and did HTTP POSTs to that URL whether I could blacklist everybody else.

Revolution On Rails

As I've previously noted, Revolution Health is currently the largest Ruby on Rails site on the internet. There has been a lot of discussion in the industry that Rails could not scale well in a full-blown enterprise environment. So, in an effort to dispel this myth and help others who may follow in our footsteps, my coworkers are attempting to document the trials and tribulations of Ruby on Rails at the enterprise level in their Revolution On Rails blog.

My kudos to them for also releasing a lot of the custom-written tools, plug-ins, Gems, and scripts they have developed along the way. I think it's fantastic when corporations that heavily leverage open-source tools and platforms in their business environments can find a way to give back to the open-source community.

Pantera WAS Documentation

It looks like all of the Pantera on OS X documentation I did here on Monkey-House has been officially incorporated into the OS X install guide bundled with Pantera:

Pantera_Release_0.1.3/doc/en/install-osx.html

Metasploit Framework on Gentoo

Today I discovered a bug while installing the new Metasploit 3 Framework on Gentoo according to the provided instructions. The essence of the problem is a mix of a new version of Rails (1.2.2) with an old version (< 0.9.0) of RubyGems. This is a problem for anybody running Gentoo Stable, as Gentoo is currently shipping RubyGems version 0.8.11-r6. The workaround is to install the testing branch of RubyGems. To do this in Gentoo, simply append the line dev-ruby/rubygems ~x86 to the file /etc/portage/package.keywords and rerun emerge rubygems.

I've also opened a defect ticket with Metasploit so the documentation can be updated.

Tuesday, January 23, 2007

SQL Injection and MyODBC

Recently I was attempting to exploit what should have been a very vanilla SQL Injection attack. The web server was Microsoft IIS 6 serving ASP pages. This server was using MySQL's MyODBC driver to allow the application to connect to a backend MySQL database. However, everything I tried only yielded an error message similar to:



Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 3.51 Driver][mysqld-5.0.26-standard-log]You have an error in your SQL sytanx; check the manual that corresponds to your MySQL server version for the right sytanx near ';DROP table userinfo' at line 1

/test/test.asp, line 192


Having access to the ASP file, I could see that the SQL query was basically the user_id parameter concatenated straight into the statement:

SELECT * FROM userinfo where user = Request.QueryString('user_id');

Normally it would be trivial to modify the HTTP Request to be:

/test.asp?user_id=bob%3BDROP%20table%20userinfo%20--

So that the SQL query would effectively become:

SELECT * FROM userinfo where user = 'bob'; DROP TABLE userinfo; --


However, for some reason I could not get this to behave as expected. I was able to append other SQL syntax (AND, OR, etc.) and get the desired results, but I was not able to DROP that particular table. After much digging, I ran across the following email thread:

gmane.comp.db.mysql.odbc/2003-06/msg00142.html

As it turns out, MyODBC does NOT support multiple SQL statements in one query. While this seems to be a minor irritant for the developer in the email thread, it does provide the unintentional benefit of preventing a lot of SQL Injection attacks, at least the stacked-query kind; the AND/OR style injections still worked fine.

There appears to be a "bug" ticket open with MySQL on this, and it appears that this could potentially be addressed in the upcoming release of MyODBC. In the meantime, for all of you web application security testers out there, maybe this can conserve some of your valuable testing time.

Wednesday, January 03, 2007

Largest Ruby on Rails Site to Date

For those of you that are not aware, I am the Director of Security Operations for Revolution Health, founded by the likes of AOL co-founder Steve Case, Colin Powell, and Carly Fiorina, among others. The main goal of the site is to provide an all-encompassing health care portal. There are forums, blogs, doctor directories and ratings, etc. While this site was developed using a wide range of technologies, it is mostly based on the relatively new web framework Ruby on Rails. Our site is currently the largest Ruby on Rails project to date and presents its own unique set of security challenges.

Because of this, you can expect to see a lot more RoR-focused posts on this blog.

While the site is still in "Preview Mode", you are welcome to sign up and have a sneak peek.

* http://www.revolutionhealth.com/preview?code=IHoUuq3GYg

Please let me know what you think.