ratproxy 1.51 tutorial

Ratproxy is a [mostly] passive web vulnerability scanner that Michal Zalewski released a few days ago. Set ratproxy to proxy your web browser and go surf! When you’re done, run a shell script and out pops a clear report of all the vulnerabilities ratproxy thinks it saw.

I’ve played around with ratproxy the past few days and used it to find vulnerabilities in some major websites. Here is a short cheatsheet I wrote up, an example report file and what it means, and a quick look into the source code of ratproxy.


Cute + Malicious == Deadly

In a recent (experimental only) project, I followed one of the multiple guides such as this one on how to make a Lego case for a USB stick. To top it off, I loaded the Hak5 Switchblade packages on the sticks. When used with U3 USB autorun technology, these packages allow automatic theft of various personal data upon insertion of the stick into a Windows computer. Now, doesn’t this just crush the competition (a regular USB stick lost in the parking lot)?

[photo caption: The Mona Lisa]


Security Meetup June 18th Cancelled

Go to the OWASP meeting instead!

Security Prediction Markets

A few days ago, Adam Shostack over at the Emergent Chaos blog invited some comments about using prediction markets for security-related events/decisions. This is a topic I’ve discussed quite a few times with a friend of mine and I have some fairly strong opinions about it (it’s a dead end), so I made a few quick statements pointing out its shortcomings. In a follow-up article, Adam quoted one of my responses in the article itself! I thought his comments and my response were relevant enough to repost here, but if this is a topic that interests you I encourage you to read both of the original articles and leave a comment there.

Quoted from Adam’s follow-up post:

Dan Guido said in a comment, “In security, SOMEONE knows the RIGHT answer. It is not indeterminate, the code is out there, your network is accessible to me and so on. There’s none of this wishy-washy risk stuff.”

I don’t think he’s actually right. Often times, no one knows the answer. Gathering it is expensive. Translating from “there’s a vuln” to “I can exploit it” isn’t always easy. For example, one of my co-workers tried to exploit a (known, reported, not yet fixed) issue in an internal site via Sharepoint. Something in Sharepoint keeps munging his exploit code. I’ve even set my browser homepage to a page under his control. Who cares what I think, when we can experiment?


Security Videos #2 Meeting Report

We had a much larger turnout this time around. There were probably about 10 serious people with a few more in and out. We got a special presentation from a friend of ours who wanted to practice his Blackhat talk, so we didn’t end up watching any videos.

The agenda ended up being:

  • Blackhat presentation dry-run.
  • Aleksey reversed some storm malware, found a carding forum, and broke into it! He showed us some of the things he learned about their community by looking through the forum.
  • Aleksey talked about his experience competing in the Defcon CTF prequals this weekend. All the questions from the competition are already up at Nops R’ Us but Aleksey was kind enough to upload his own work to the ISIS webserver.
  • Erik and I made fun of Synology for all the bugs we found in their webapps this weekend. I’m waiting to release anything publicly until I have proof of concept exploits.

Q&A with ISIS: Dealing with virus-prone users

Here’s a little quickie someone asked me today. Note it didn’t look like the person asking had the computers on a domain, so I gave only the simple answers.

Q: I have two illiterate users on my network and they click on everything they see. They also insist on installing random software. I can’t give them a guest account because that interferes with certain software they need to use. I would like to give them ‘computer administrator’ accounts (they’re on an XP Pro machine) but still make sure they can’t infect the machine with all sorts of malware. Any suggestions? To reiterate, all I want to do is control the software they install, etc. They still need to be able to create files, have access to already installed software, etc.

A: Unfortunately, the best way to handle this situation is to bite the bullet and do exactly what you say you don’t want to: remove them from the Administrators group and put them in a limited account. There is no other way around it. Getting them out of the Administrators group won’t interrupt their ability to use already installed software or create files in directories they have permission to write to, but it will prevent them from installing [most] software (installers that only write into the user’s own profile don’t need administrator rights, which is why it’s “most”).

I always suggest installing SiteAdvisor. It’s a free browser extension that attempts to warn you when you’re at a bad website. I like it because it passively trains users to recognize bad websites. You can also have them use OpenDNS to block access to certain classes of websites.

Re-imaging nightly is a possibility, but overkill I think. You can do it with Norton Ghost, or get the same effect with Deep Freeze, which discards all changes to the disk on every reboot.

I know there are better solutions out there, I just didn’t have the time to remember all of them. Anyone care to help this guy out in the comments?

Storm Worm IP List and Country Distribution Statistics

Due to a recent need to create a fresh blacklist, we collected and analyzed 16,000+ unique Storm bot IPs over 2 days. Our results support some of the findings of this recent paper on the size of the Storm botnet, which estimates 5,000 – 6,000 unique IPs as a lower bound and 45,000 – 80,000 as an upper bound.

The majority of infected machines are located in USA, Russia, Mexico, India, Turkey, Brazil and Poland (in that order). The complete list is here. A partial list of top results is below.

United States 1716
Russian Federation 1177
Mexico 869
India 699
Turkey 609

Security Videos #1 Meeting Report

People in attendance: 6 or 7

  • Dan Kaminsky interview – link
  • w3af demo – link
  • Unusual Web Bugs – video / slides
  • Social Engineering presentations – link

We’re having another meeting next week and I’m taking suggestions for topics. An [obligatory] brief overview of the Debian OpenSSL bug will be done (the Debian patch removed the seeding of OpenSSL’s PRNG, leaving the process ID as the only entropy, so every key generated on an affected system comes from a small, enumerable set).

Social Engineering final presentations

Yesterday marked the end of our first-run Psychology of Security/Social Engineering course here at Poly. Every student made a presentation that described the research project they designed and attempted to run during the semester. I’ll upload the presentations as I get them, so check this page often :-)

  1. The Effectiveness of Security Training / Graphical Indicators of Security
    Joint project by Dan Guido and Boris Kochergin
  2. Personalized Phishing
    Joint project by Brad Schonhorst and Jonathan Voris

I’ve made an executive decision. The mailing list that we used for the course will now be opened to the public for discussion of Social Engineering / Psychology of Security issues. I placed a link on the sidebar of this blog, please sign up if you’re interested!

Summer InfoSec Video/Study Group

This summer the ISIS Lab will be hosting a weekly Information Security Video/Study Group every Wednesday from 6:30pm until people get bored (probably ~8-9pm).

I’ll show up in the lab and hook up our gigantic LCD TV to show a different video each week and host a discussion. Afterwards, I’ll do a review of each meeting on this blog. We will default to a FreeBSD Kernel Internals DVD course if no other videos are suggested (I need to brush up on my Operating Systems). If you have a specific video you’d like to see/discuss from Defcon, ShmooCon, HITBSecConf, Blackhat, RECon, or elsewhere then please suggest watching it!

Meetings will take place in the ISIS Lab (Room 219) located in Polytechnic University. The street address is 6 Metrotech Center, Brooklyn, NY 11201. If you’re not a regular, then I’m going to need to sign you in, so call the lab phone at (718) 260-3986 when you get here (regulars get the sekret c0deword). I’ll keep a bunch of menus in the lab and we’ll make an order for takeout shortly after everyone gets here.

This event is open to the public (duh) so please invite your friends. Send all comments, suggestions or videos you’d like to watch to me, Dan, at dguido@gmail.com.

The first meetup is this Wednesday, May 14th. See you there!

Add this event and others to your calendar: ISIS Meetings.

Update to Single-Site-Browsers (SSBs)

I spent a lot more time thinking about SSBs over the last week or so and I’d like to use this blog to do a bit of a brain dump. A few days ago, Andrew Jaquith publicly posted the presentation that was sent to me privately. Here are links to his blog and to his presentation.

His presentation makes a number of claims about the security benefits of SSBs. It lists protection against phishing, CSRF, some types of XSS (likely all non-persistent varieties), and domain whitelisting as a future improvement to harden those protections.

I don’t think [current] SSBs completely provide those security benefits unless you do two things:

  1. You block non-SSBs from accessing your website (blocking on the User-Agent string would be enough for this purpose: the goal is to keep the legitimate user’s normal browser out, not to keep an attacker out, since anyone sending their own requests can set any User-Agent they like)
  2. You train users that an SSB is the only acceptable place to enter their password

Without those two requirements satisfied, it is my opinion that SSBs give little security benefit.

If you still allow non-SSBs to access citibank.com, then when a user clicks an XSS’d link to citibank.com in their normal browser, the citibank.com page will still load there, and they will still be XSS’d. Similarly, CSRF continues to work: the ‘session cookie isolation’ benefit of an SSB is negated if the user holds a duplicate session cookie in both their SSB and in Firefox, so you must ensure the user never logs into citibank.com with their normal browser and obtains a session cookie there, hence the first requirement.
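The first requirement, as an added example (not code from the original post, from Prism, or from any bank): a WSGI gate that refuses every request whose User-Agent is not the deployed SSB, wrapped around a toy cookie-authenticated transfer endpoint. The `Prism/` User-Agent prefix, the cookie name and the session table are assumptions for the demonstration. It shows the point made above: a forged POST from Firefox carrying a duplicate session cookie succeeds against the ungated app and is refused by the gated one, while the same request from the SSB still works. Note what the gate does and does not do: it stops requests that originate in the user’s ordinary browser (CSRF forms, XSS’d links), which carry that browser’s own User-Agent; it is not access control against an attacker who makes requests directly, since they can send any User-Agent.

```python
"""Added example: a User-Agent gate enforcing "only the SSB may talk to the
site".  The bank app, the cookie name and the "Prism/" prefix are assumed."""
from http.cookies import SimpleCookie
from io import BytesIO

SSB_UA_PREFIX = "Prism/"                       # assumed: how the deployed SSB identifies itself
SESSIONS = {"s3cr3t-session-id": "alice"}      # constructed: one logged-in session

def bank_app(environ, start_response):
    """Toy state-changing endpoint: POST /transfer, authenticated by cookie only
    (exactly the shape of request CSRF abuses)."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookies["session"].value if "session" in cookies else None
    if SESSIONS.get(sid) is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login first"]
    if environ["REQUEST_METHOD"] == "POST" and environ["PATH_INFO"] == "/transfer":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"transfer done"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b""]

class RequireSSB:
    """WSGI middleware: reject any request whose User-Agent is not the SSB, so
    the user's normal browser can neither obtain nor replay a session cookie."""
    def __init__(self, app, ua_prefix=SSB_UA_PREFIX):
        self.app, self.ua_prefix = app, ua_prefix

    def __call__(self, environ, start_response):
        if not environ.get("HTTP_USER_AGENT", "").startswith(self.ua_prefix):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"use the bank's single-site browser"]
        return self.app(environ, start_response)

def request(app, method, path, user_agent, cookie=""):
    """Drive a WSGI app in-process (no network); return (status code, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "HTTP_USER_AGENT": user_agent, "HTTP_COOKIE": cookie,
               "wsgi.input": BytesIO(b""), "SERVER_NAME": "bank.example",
               "SERVER_PORT": "443"}
    status = {}
    def start_response(line, headers, exc_info=None):
        status["code"] = int(line.split()[0])
    body = b"".join(app(environ, start_response))
    return status["code"], body

FIREFOX_UA = "Mozilla/5.0 (X11; U; Linux i686; rv:1.9) Gecko/2008061015 Firefox/3.0"
SSB_UA = "Prism/1.0"
# Duplicate cookie the user acquired by also logging in from Firefox.
DUPLICATE_COOKIE = "session=s3cr3t-session-id"

def csrf_from_firefox(gated):
    """A hidden form on an attacker's page auto-posts /transfer from Firefox;
    the browser attaches the bank cookie and its own User-Agent."""
    app = RequireSSB(bank_app) if gated else bank_app
    return request(app, "POST", "/transfer", FIREFOX_UA, DUPLICATE_COOKIE)[0]

def transfer_from_ssb(gated):
    """The same request made from inside the SSB."""
    app = RequireSSB(bank_app) if gated else bank_app
    return request(app, "POST", "/transfer", SSB_UA, DUPLICATE_COOKIE)[0]

if __name__ == "__main__":
    print("ungated, CSRF from Firefox:", csrf_from_firefox(False))   # 200: attack works
    print("gated,   CSRF from Firefox:", csrf_from_firefox(True))    # 403
    print("gated,   request from SSB: ", transfer_from_ssb(True))    # 200
```

In a real deployment the gate sits in front of the login page as well, so the normal browser never gets a cookie in the first place; the example feeds it a duplicate cookie deliberately to show that even a cookie that already exists is useless from outside the SSB.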

In order for the phishing protection to be effective, users must be aware that they are only supposed to encounter Citibank content in their SSB and not in their normal browser. For instance, if an SSB user encounters a Citibank phishing website in Firefox, will they close their browser and open their SSB instead? It might be the case that users will behave in this way, but I haven’t seen any verifiable proof either way.

[This hasn't been reported on ISIS Blogs yet, but next week marks the end of our first run of "The Psychology of Security/Social Engineering", a first-run research course here at Poly. I'm writing up a research proposal to test the above hypothesis with a group of students in the Fall.]

Lastly, if a bank starts deploying SSBs to their customers, I see this as a first step towards successfully forcing client-side requirements on users where the end-game is fully trusted computing and the open commercial web starts to disappear. This actually goes back to our “Refusing Insecure Customers” debate. It’s an evolution of the same (bad, according to readers) idea.

So, although I see where SSBs have some use and can positively affect your web security, let’s not kid ourselves, they don’t solve that much. To really be effective, they require major changes in the way you do business and [still] rely on an intelligent user. Instead, they look like an avoidance of the base problem and an idealistic patch that isn’t going to work.

Oddly enough, I have been using a set of 4 Prism SSBs for the last 2 weeks and have actually grown fond of them, but not for security reasons at all. I like how they show up in my dock, that they rarely crash, and it seems natural to give such webapps “first-class” status as desktop applications. I’ll probably continue using them, but I don’t think I’ve gained any security from doing so.

That said, I think part of the problem here is that SSBs haven’t fully matured yet. I just heard about these things 2 weeks ago and I haven’t heard anyone else in the security community talking about them besides Andrew. They are a topic that deserves more attention and particularly more research from the security community as they embody a lot of attractive ideas. Despite my harsh words, I’m not ready to give up on them yet.

Let’s brainstorm: how could SSBs be more useful to security? Could we change the way they work or change how they are deployed to give us additional benefits? If you’re an InfoSec student with no good topic to research, this is without a doubt a good avenue to explore.

SFS presentation about Synology

This morning I summed up everything that happened with Synology and everything I have continued working on since my previous article was written in a deck of slides at the weekly SFS meeting.

Here is an overview of the items not covered in the previous article:

  • The director of software development at Synology contacted me one business day after my ISIS Blogs post. They have already released a firmware update to fix the most critical issues and came up with an “enhancement” plan (security fixes are not enhancements, but I digress) to fix the rest!
  • I’ve started developing ARM/Linux 2.6 shellcode so I can integrate a Synology exploit into Metasploit. First try: virtualize the firmware inside of qemu. Failed. Second try: install gcc directly on the device. So far so good.
  • I wrote an FTP request module for Sulley to fuzz the FTP server Synology is using. I haven’t been able to use it yet because I hit the built-in connection limit on the FTP server and it starts ignoring me. That is a project for another day.
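As an added example for the Sulley item above (this is neither Sulley nor the author’s request module): a pure-Python stand-in that encodes the same thing a Sulley FTP request definition does, namely a grammar of static tokens (`USER `, `CWD `, CRLF) around one fuzzable argument, together with the session preamble each command needs, and a driver that deals with the connection-limit problem described: one control connection per case, ended with QUIT so the slot is freed, a pause between connects, and a 421 reply treated as “back off” rather than as noise. The target address and the short fuzz-string list are constructed for illustration; a real run would use Sulley’s own string library.

```python
"""Added example: a Sulley-style FTP request grammar and a connection-limit
aware driver.  Not Sulley; the target and fuzz strings are assumptions."""
import socket
import time

# Constructed subset of the mutations substituted for the fuzzable field
# (Sulley's s_string() library is far longer).
FUZZ_STRINGS = [
    "A" * 256, "A" * 1024, "A" * 4096, "A" * 65536,
    "%s" * 64, "%n" * 32, "%x" * 64,
    "../" * 32, "\x00", "\r\n" * 16, "-1", "4294967295",
]

# The grammar: `preamble` puts the session in the state RFC 959 requires
# (USER/PASS before CWD or RETR); `template` holds the request whose argument
# is fuzzed.  Static tokens stay fixed, like s_static() in Sulley.
REQUESTS = {
    "USER": {"preamble": [], "template": b"USER %s\r\n"},
    "PASS": {"preamble": [b"USER anonymous\r\n"], "template": b"PASS %s\r\n"},
    "CWD":  {"preamble": [b"USER anonymous\r\n", b"PASS fuzz@example\r\n"],
             "template": b"CWD %s\r\n"},
    "RETR": {"preamble": [b"USER anonymous\r\n", b"PASS fuzz@example\r\n"],
             "template": b"RETR %s\r\n"},
}

def render(name, payload):
    """Render one request with the fuzz string in place of the argument."""
    return REQUESTS[name]["template"] % payload.encode("latin-1")

def test_cases():
    """Yield (request name, preamble, rendered request) for every mutation."""
    for name, spec in REQUESTS.items():
        for payload in FUZZ_STRINGS:
            yield name, spec["preamble"], render(name, payload)

def read_reply(fp):
    """Read one FTP reply, including the 'NNN-' multi-line form."""
    line = fp.readline()
    if len(line) >= 4 and line[3:4] == b"-":
        code = line[:3]
        while True:
            more = fp.readline()
            if not more or (more[:3] == code and more[3:4] == b" "):
                break
    return line

def classify(reply):
    """Map a reply to a verdict the driver acts on."""
    if not reply:
        return "no-reply"      # hang or crash candidate: re-check the target
    if reply.startswith(b"421"):
        return "limit"         # 421 service not available / too many connections
    return "ok"

class FtpFuzzSession:
    """One control connection per case, closed with QUIT, and a pause between
    connects so the server's per-client connection limit is never reached."""
    def __init__(self, host, port=21, delay=1.0, timeout=5.0):
        self.host, self.port, self.delay, self.timeout = host, port, delay, timeout

    def run_case(self, preamble, request):
        with socket.create_connection((self.host, self.port), timeout=self.timeout) as s:
            fp = s.makefile("rb")
            if classify(read_reply(fp)) == "limit":
                raise RuntimeError("connection limit hit: back off before continuing")
            for line in preamble:
                s.sendall(line)
                read_reply(fp)
            s.sendall(request)
            try:
                reply = read_reply(fp)
            except socket.timeout:
                reply = None
            try:
                s.sendall(b"QUIT\r\n")   # free the slot for the next case
            except OSError:
                pass
            return classify(reply)

    def run(self):
        results = []
        for name, preamble, request in test_cases():
            verdict = self.run_case(preamble, request)
            results.append((name, request[:32], verdict))
            if verdict == "no-reply":
                print("candidate crash/hang:", name, request[:32])
            time.sleep(self.delay)
        return results

if __name__ == "__main__":
    # Hypothetical target address; point it at a test device you own.
    print(FtpFuzzSession("192.0.2.10").run())
```

A “no-reply” verdict is only a candidate: the driver should follow it with a fresh connect and banner read to tell a crashed daemon from one that merely stopped answering that session, which is the same check the 421 handling relies on.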

See the entire deck of slides here: http://cryptocity.net/archive/synology_presentation.pdf