<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule"
>

<channel>
	<title>ISIS Blogs</title>
	<atom:link href="http://isisblogs.poly.edu/feed/" rel="self" type="application/rss+xml" />
	<link>http://isisblogs.poly.edu</link>
	<description>Information Systems and Internet Security</description>
	<pubDate>Mon, 12 May 2008 22:03:01 +0000</pubDate>
	<generator>http://wordpress.org/?v=</generator>
	<language>en</language>
	<creativeCommons:license>http://creativecommons.org/licenses/by/3.0/</creativeCommons:license>
		<item>
		<title>Summer InfoSec Video/Study Group</title>
		<link>http://isisblogs.poly.edu/2008/05/11/summer-infosec-videostudy-group/</link>
		<comments>http://isisblogs.poly.edu/2008/05/11/summer-infosec-videostudy-group/#comments</comments>
		<pubDate>Mon, 12 May 2008 03:12:16 +0000</pubDate>
		<dc:creator>Dan Guido</dc:creator>
		
		<category><![CDATA[Events]]></category>

		<category><![CDATA[Press Release]]></category>

		<category><![CDATA[Videos]]></category>

		<guid isPermaLink="false">http://isisblogs.poly.edu/?p=87</guid>
		<description><![CDATA[This summer the ISIS Lab will be hosting a weekly Information Security Video/Study Group every Wednesday from 6:30pm until people get bored (probably ~8-9pm).
I&#8217;ll show up in the lab and hook up our gigantic LCD TV to show a different video each week and host a discussion. Afterwards, I&#8217;ll do a review of each meeting [...]]]></description>
			<content:encoded><![CDATA[<p>This summer the ISIS Lab will be hosting a weekly Information Security Video/Study Group every Wednesday from 6:30pm until people get bored (probably ~8-9pm).</p>
<p>I&#8217;ll show up in the lab and hook up our gigantic LCD TV to show a different video each week and host a discussion. Afterwards, I&#8217;ll do a review of each meeting on this blog. We will default to a FreeBSD Kernel Internals DVD course if no other videos are suggested (I need to brush up on my Operating Systems). If you have a specific video you&#8217;d like to see/discuss from Defcon, ShmooCon, HITBSecConf, Blackhat, RECon, or elsewhere then please suggest watching it!</p>
<p>Meetings will take place in the ISIS Lab (Room 219) located in Polytechnic University. The street address is <a href="http://maps.google.com/maps?q=6+Metrotech+Center,+Brooklyn,+NY+11201">6 Metrotech Center, Brooklyn, NY 11201</a>. If you&#8217;re not a regular, then I&#8217;m going to need to sign you in, so call the lab phone at (718) 260-3986 when you get here (regulars get the sekret c0deword). I&#8217;ll keep a bunch of menus in the lab and we&#8217;ll make an order for takeout shortly after everyone gets here.</p>
<p>This event is open to the public (duh) so please invite your friends. Send all comments, suggestions or videos you&#8217;d like to watch to me, Dan, at <a href="mailto:dguido@gmail.com">dguido@gmail.com</a>.</p>
<p>The first meetup is this Wednesday, May 14th. See you there!</p>
<p>Add this event and others to your calendar: <a href="http://www.google.com/calendar/embed?src=smcusai7p485akmjao4ttqctrc%40group.calendar.google.com&amp;ctz=America/New_York">ISIS Meetings</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://isisblogs.poly.edu/2008/05/11/summer-infosec-videostudy-group/feed/</wfw:commentRss>
	<creativeCommons:license>http://creativecommons.org/licenses/by/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>Update to Single-Site-Browsers (SSBs)</title>
		<link>http://isisblogs.poly.edu/2008/04/28/update-to-single-site-browsers-ssbs/</link>
		<comments>http://isisblogs.poly.edu/2008/04/28/update-to-single-site-browsers-ssbs/#comments</comments>
		<pubDate>Tue, 29 Apr 2008 03:44:37 +0000</pubDate>
		<dc:creator>Dan Guido</dc:creator>
		
		<category><![CDATA[Psychology of Security]]></category>

		<category><![CDATA[Risk Analysis]]></category>

		<category><![CDATA[Security Engineering]]></category>

		<category><![CDATA[Security Industry]]></category>

		<category><![CDATA[Social Engineering]]></category>

		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://isisblogs.poly.edu/?p=86</guid>
<description><![CDATA[I spent a lot more time thinking about SSBs over the last week or so and I&#8217;d like to use this blog to do a bit of a brain dump. A few days ago, Andrew Jaquith publicly posted the presentation that was sent to me privately. Here are links to his blog and to his [...]]]></description>
			<content:encoded><![CDATA[<p>I spent a lot more time thinking about SSBs over the last week or so and I&#8217;d like to use this blog to do a bit of a brain dump. A few days ago, Andrew Jaquith publicly posted the presentation that was sent to me privately. Here are links to his <a href="http://blogs.yankeegroup.com/2008/04/21/single-site-browsers/">blog</a> and to his <a href="http://blogs.yankeegroup.com/wp-content/uploads/2008/04/ssb-preso-reduced.pdf">presentation</a>.</p>
<p>His presentation makes a number of claims about the security benefits of SSBs. It lists protection against phishing, CSRF, some types of XSS (likely all non-persistent varieties), and domain whitelisting as a future improvement to harden those protections.</p>
<p>I don&#8217;t think [current] SSBs completely provide those security benefits unless you do two things:</p>
<ol>
<li>You block non-SSBs from accessing your website (blocking on user agent string would be enough)</li>
<li>You train users that an SSB is the only acceptable place to enter their password</li>
</ol>
<p>Without those two requirements satisfied, it is my opinion that SSBs give little security benefit.</p>
<p>If you still allow non-SSBs to access citibank.com, then when a user clicks an XSS&#8217;d link to citibank.com, the citibank.com page will still load, and they will still be XSS&#8217;d. Similarly, CSRF continues to function, as the &#8216;session cookie isolation&#8217; benefit of SSBs is likely negated by the user having duplicate cookies in both their SSB and in Firefox (you must ensure the user never logs into citibank.com with their normal browser and obtains a session cookie there, hence the first requirement).</p>
<p>In order for the phishing protection to be effective, users must be aware that they are only supposed to encounter Citibank content in their SSB and not in their normal browser. For instance, if an SSB user encounters a Citibank phishing website in Firefox, will they close their browser and open their SSB instead? It might be the case that users will behave in this way, but I haven&#8217;t seen any verifiable proof either way.</p>
<p>[This hasn&#8217;t been reported on ISIS Blogs yet, but next week marks the end of our first run of &#8220;The Psychology of Security/Social Engineering&#8221;, a first-run research course here at Poly. I&#8217;m writing up a research proposal to test the above hypothesis with a group of students in the Fall.]</p>
<p>Lastly, if a bank starts deploying SSBs to their customers, I see this as a first step towards successfully forcing client-side requirements on users where the end-game is fully trusted computing and the open commercial web starts to disappear. This actually goes back to our &#8220;<a href="http://isisblogs.poly.edu/2008/03/12/refusing-business-from-security-unaware-customers/">Refusing Insecure Customers</a>&#8221; debate. It&#8217;s an evolution of the same (<a href="http://isisblogs.poly.edu/pollsarchive/">bad</a>, according to readers) idea.</p>
<p>So, although I see where SSBs have some use and can positively affect your web security, let&#8217;s not kid ourselves, they don&#8217;t solve that much. To really be effective, they require major changes in the way you do business and [still] rely on an intelligent user. Rather, they look like avoidance of the base problem and an idealistic patch that isn&#8217;t going to work.</p>
<p>Oddly enough, I have been using a set of 4 <a href="http://wiki.mozilla.org/Prism">Prism</a> SSBs for the last 2 weeks and have actually grown fond of them, but not for security reasons at all. I like how they show up in my dock, that they rarely crash, and it seems natural to give such webapps &#8220;first-class&#8221; status as desktop applications. I&#8217;ll probably continue using them, but I don&#8217;t think I&#8217;ve gained any security from doing so.</p>
<p>That said, I think part of the problem here is that SSBs haven&#8217;t fully matured yet. I just heard about these things 2 weeks ago and I haven&#8217;t heard anyone else in the security community talking about them besides Andrew. They are a topic that deserves more attention and particularly more research from the security community as they embody a lot of <a href="http://wiki.mozilla.org/Prism#Prism_.2F_SSB_Objectives">attractive ideas</a>. Despite my harsh words, I&#8217;m not ready to give up on them yet.</p>
<p>Let&#8217;s brainstorm: how could SSBs be <em>more</em> useful to security? Could we change the way they work or change how they are deployed to give us additional benefits? If you&#8217;re an InfoSec student with no good topic to research, this is without a doubt a good avenue to explore.</p>
]]></content:encoded>
			<wfw:commentRss>http://isisblogs.poly.edu/2008/04/28/update-to-single-site-browsers-ssbs/feed/</wfw:commentRss>
	<creativeCommons:license>http://creativecommons.org/licenses/by/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>SFS presentation about Synology</title>
		<link>http://isisblogs.poly.edu/2008/04/16/sfs-presentation-about-synology/</link>
		<comments>http://isisblogs.poly.edu/2008/04/16/sfs-presentation-about-synology/#comments</comments>
		<pubDate>Thu, 17 Apr 2008 04:38:27 +0000</pubDate>
		<dc:creator>Dan Guido</dc:creator>
		
		<category><![CDATA[Exploits]]></category>

		<category><![CDATA[Security Engineering]]></category>

		<guid isPermaLink="false">http://isisblogs.poly.edu/?p=85</guid>
		<description><![CDATA[This morning I summed up everything that happened with Synology and everything I have continued working on since my previous article was written in a deck of slides at the weekly SFS meeting.
Here is an overview of the items not covered in the previous article:

The director of software development at Synology contacted me one business [...]]]></description>
			<content:encoded><![CDATA[<p>This morning I summed up everything that happened with Synology and everything I have continued working on since <a href="http://isisblogs.poly.edu/2008/04/04/multiple-vulnerabilities-in-all-synology-products/">my previous article</a> was written in a deck of slides at the weekly SFS meeting.</p>
<p>Here is an overview of the items not covered in <a href="http://isisblogs.poly.edu/2008/04/04/multiple-vulnerabilities-in-all-synology-products/">the previous article</a>:</p>
<ul>
<li>The director of software development at Synology contacted me one business day after my ISIS Blogs post. They have <a href="http://synology.com/enu/support/releaseNote/CS407.php">already released</a> a firmware update to fix the most critical issues and came up with an <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&#038;t=7803">&#8220;enhancement&#8221; plan</a> (security fixes are not enhancements, but I digress) to fix the rest!</li>
<li>I&#8217;ve started developing ARM/Linux2.6 shellcode so I can integrate a Synology exploit into Metasploit. First try: virtualize the firmware inside of qemu. Failed. Second try: install gcc directly on device. So far so good.</li>
<li>I wrote an FTP request module for <a href="http://fuzzing.org/">Sulley</a> to fuzz the FTP server Synology is using. I haven&#8217;t been able to use it yet because I hit the built-in connection limit on the FTP server and it starts ignoring me. That is a project for another day.</li>
</ul>
<p>See the entire deck of slides here: <a href="http://cryptocity.net/archive/synology_presentation.pdf">http://cryptocity.net/archive/synology_presentation.pdf</a></p>
]]></content:encoded>
			<wfw:commentRss>http://isisblogs.poly.edu/2008/04/16/sfs-presentation-about-synology/feed/</wfw:commentRss>
	<creativeCommons:license>http://creativecommons.org/licenses/by/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>Just wanted to get this out there</title>
		<link>http://isisblogs.poly.edu/2008/04/10/just-wanted-to-get-this-out-there/</link>
		<comments>http://isisblogs.poly.edu/2008/04/10/just-wanted-to-get-this-out-there/#comments</comments>
		<pubDate>Fri, 11 Apr 2008 03:04:38 +0000</pubDate>
		<dc:creator>Dan Guido</dc:creator>
		
		<category><![CDATA[Exploits]]></category>

		<category><![CDATA[Social Engineering]]></category>

		<category><![CDATA[Targeted Attacks]]></category>

		<guid isPermaLink="false">http://isisblogs.poly.edu/?p=84</guid>
		<description><![CDATA[I&#8217;m sure most of you have read the article in BusinessWeek that turned up on Slashdot regarding the hacker attacks the US government has to deal with. If you haven&#8217;t, you really should read it because despite its obvious inaccuracies (journalists always get something horribly wrong) it&#8217;s got a ton of good information. I liked [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m sure most of you have read the <a href="http://www.businessweek.com/print/magazine/content/08_16/b4080032218430.htm">article in BusinessWeek</a> that turned up on <a href="http://it.slashdot.org/article.pl?sid=08/04/10/2235215&#038;from=rss">Slashdot</a> regarding the hacker attacks the US government has to deal with. If you haven&#8217;t, you really should read it because despite its obvious inaccuracies (journalists always get <em>something</em> horribly wrong) it&#8217;s got a ton of good information. I liked how they explained exactly how the unknown attacker uses phishing (whaling?) so effectively.</p>
<p>But really, my ulterior motive for posting this was so I could point out this one particularly entertaining paragraph buried in the middle of it:</p>
<blockquote><p>Now, Senate Intelligence Committee Chairman John D. Rockefeller (D-W. Va.) is said to be discreetly informing fellow senators of the Byzantine operation, in part to win their support for needed appropriations, many of which are part of classified &#8220;black&#8221; budgets kept off official government books. Rockefeller declined to comment. In January a Senate Intelligence Committee staffer urged his boss, Missouri Republican Christopher &#8220;Kit&#8221; Bond, the committee&#8217;s vice-chairman, to supplement closed-door testimony and classified documents with a viewing of the movie <em>Die Hard 4</em> on a flight the senator made to New Zealand. In the film, cyber terrorists breach FBI networks, purloin financial data, and bring car traffic to a halt in Washington. Hollywood, says Bond, doesn&#8217;t exaggerate as much as people might think. &#8220;I can&#8217;t discuss classified matters,&#8221; he cautions. &#8220;But the movie illustrates the potential impact of a cyber conflict. Except for a few things, let me just tell you: It&#8217;s credible.&#8221;</p></blockquote>
<p>For the record:</p>
<blockquote><p>&#8220;Except for a few things, let me just tell you: It&#8217;s credible.&#8221;<br />- Senator Christopher &#8220;Kit&#8221; Bond (R-MO) on Die Hard 4</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://isisblogs.poly.edu/2008/04/10/just-wanted-to-get-this-out-there/feed/</wfw:commentRss>
	<creativeCommons:license>http://creativecommons.org/licenses/by/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>BackTrack 3: Demos of selected tools</title>
		<link>http://isisblogs.poly.edu/2008/04/08/backtrack-3-demos-of-selected-tools/</link>
		<comments>http://isisblogs.poly.edu/2008/04/08/backtrack-3-demos-of-selected-tools/#comments</comments>
		<pubDate>Tue, 08 Apr 2008 18:02:31 +0000</pubDate>
		<dc:creator>Aleksey Fateev</dc:creator>
		
		<category><![CDATA[Operating Systems]]></category>

		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://isisblogs.poly.edu/?p=83</guid>
		<description><![CDATA[BackTrack 3 (2007-12-14) is a penetration testing live Linux distribution. It is packed with plethora of tools organized by categories.

With this large amount of utilities, it is sometimes hard to pick the correct one for the job. At Shmoocon 2008, a BackTrack representative gave a talk which was good, but focused on exploiting a Windows [...]]]></description>
			<content:encoded><![CDATA[<p>BackTrack 3 (2007-12-14) is a penetration testing live Linux distribution. It is packed with a plethora of tools organized by categories.</p>
<p><img class="aligncenter" src="http://isisblogs.poly.edu/wp-content/uploads/bt_menu.JPG" alt="Bt_menu" /></p>
<p>With this large amount of utilities, it is sometimes hard to pick the correct one for the job. At Shmoocon 2008, a BackTrack representative gave a talk which was good, but focused on exploiting a Windows binary using Olly, not on showing off the features of the distribution. So I took it upon myself to click on every single link and find the awesome and the less awesome tools among the bunch. Note that the work that I did was for a presentation. There are videos which are self-explanatory but at times need commentary. I will provide some explanation in writing.</p>
<p><span id="more-83"></span></p>
<p><strong>1. CREDITS</strong></p>
<p>BackTrack3 - www.remote-exploit.org<br />
Tactical Exploitation - H.D. Moore &amp; Valsmith (Defcon 2007)<br />
Metasploit Videos - learnsecurityonline.com</p>
<p><strong>2. RECORDING</strong></p>
<p>BackTrack comes with a video recording utility, <em>recordmydesktop</em>. You can either record the whole desktop or just one window using a window id. Some useful commands are:</p>
<p><em>recordmydesktop --no-sound -o out.ogg<br />
xwininfo | grep "Window id:" | sed -e "s/xwininfo\:\ Window id:\ // ;s/\ .*//"  # gives you a window id<br />
recordmydesktop --no-sound --windowid 0x0442 -o out2.ogg</em></p>
<p><strong>3. INFORMATION GATHERING</strong></p>
<p>In this category, the focus is on information aggregators, network discovery tools and OS and application vulnerability scanning tools.</p>
<p><strong>3.1. Maltego - Personal Discovery</strong></p>
<p>This is a tool from www.paterva.com that can be used for personal discovery. It has been in development for a while now and switched from a web version to a standalone binary version. It is a total information aggregator. It can search social networks such as LinkedIn and public PGP key servers. It can pull down various information from inside documents and from other aggregators such as serversniff.de and robtex.com. It offers services such as GeoIP resolution and email verification. The tool has a graphical interface and you can start your search by domain, IP address, website, email, person, phone number etc. The information is presented as a directed graph and any result can be further interrogated, producing new results. You can use this to do various things such as profiling users of a certain server, searching for groups of people, determining relationships between websites, building PGP trees etc.</p>
<p>Maltego commonly finds phone numbers, addresses, names, personal sites, resumes, newsgroup postings, usernames, email addresses.</p>
<p><img class="alignnone" src="http://isisblogs.poly.edu/wp-content/uploads/maltego_screen_small.jpg" alt="Maltego" /></p>
<p><strong>3.2. Nmap and Websites - Network Discovery</strong></p>
<p>While doing network discovery, you are looking for a variety of things such as MX records, internal networks, outsourced services, important servers and open ports. The number one tool for this is still Nmap. A lot has been written about nmap, so I will just share my favorite usage and leave it at that:</p>
<p><em>nmap -sS -P0 -O -T Sneaky -p 445 -D 64.233.169.99 &lt;ip_to_scan&gt;</em></p>
<p>The above command initiates a stealth scan (-sS) which does not complete the TCP connection. This is fairly fast and unobtrusive. The -P0 flag tells nmap not to ping the IP, which adds to stealth. The -T is a timing flag that can be set from Sneaky to Insane and determines the speed of packet generation. The -p flag specifies the port or a port range. You can use this flag either to add to stealth by specifying one or a few ports, or to add to thoroughness by providing a range of 1-65535. And last but not least, the -D flag allows you to specify a number of decoys. I usually put googlebot&#8217;s IP address. This makes nmap generate packets from your IP address and googlebot&#8217;s IP address (the response to which will go to Google). This has the effect of confusing the target.</p>
<p>I would also like to share with you two lesser-known network discovery tools. Two websites, <a href="http://www.domaintools.com">www.domaintools.com</a> and <a href="http://centralops.net">centralops.net</a>, provide nmap-like services. You can use these to create a domain dossier on any website that will include things like a popular port scan, ping, traceroute, nslookup and whois. And best of all, the traffic is not going to come from you.</p>
<p><strong>3.3. OS &amp; Application Vulnerability Scanning</strong></p>
<p>GFI LANguard is a tool I found as a useful replacement for Nessus (BackTrack does not include Nessus). It is only free with this BackTrack distribution. I found this tool to be a slightly slimmed down version of Nessus. On the other hand it was incredibly easy to use and it provides a wealth of information. It can scan a range of IPs to determine open ports, operating systems, common vulnerabilities, users, shares, running processes, security policies, missing patches, SNMP devices and the functions they provide. This demo shows a limited use of its features and the results are more glorious on a larger network.</p>
<p><a href="http://isisblogs.poly.edu/wp-content/uploads/gfilanguard.ogg">video</a></p>
<p><strong>4. WIFI WEP Fun</strong></p>
<p>BackTrack has an excellent collection of various wireless tools. I will present some of these here. I will use them to defeat WEP protection of my home router.</p>
<p><img class="alignnone" src="http://isisblogs.poly.edu/wp-content/uploads/wep_diagram.JPG" alt="wep diagram" /></p>
<p><strong>4.1 WEP Overview</strong></p>
<p>WEP weaknesses stem from frequently repeating 24-bit IVs (initialization vectors) and the use of the weak RC4 algorithm for keystream generation. This knowledge has been used to create a <strong>brute force attack</strong>. In this attack, you need only capture a single encrypted packet and apply an enormous amount of computing power to try all possible keys. This is possible due to the fact that the real key length is 40 bits for 64-bit keys and 104 bits for 128-bit keys. It has been shown that a weak key can be brute-forced in a matter of minutes. Another type of attack is the <a href="http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf">FMS attack</a>, which is a statistical attack on known weak keys. You need to capture a lot of traffic to collect these keys, apply a little CPU power and perform this attack. The tools that I describe below use the FMS attack.</p>
<p><strong>4.2 Airo Tools </strong></p>
<p>Below is a sequence of commands to use. I will not post the video due to its large size. You have to first bring up an interface in monitor mode. Then, you have to find a target with a command like &#8220;<em>wlanconfig ath0 list scan</em>&#8221;. Then, use airodump-ng for collection of IVs, aireplay-ng to speed up the collection of IVs, and aircrack-ng for cracking the key. In general, you need about 60KB of IVs before you should attempt to crack a 128-bit key. I waited until my file size was a few megabytes. Depending on how fast the packets are flowing, the attack can take a few minutes or much more.</p>
<p><em>ifconfig wifi0 up<br />
wlanconfig ath0 create wlandev wifi0 wlanmode monitor<br />
ifconfig ath0 up<br />
wlanconfig ath0 list scan<br />
airodump-ng --ivs -c 6 --write dump --bssid &lt;AP&#8217;s_MAC&gt; ath0<br />
aireplay-ng -2 -b &lt;AP&#8217;s_MAC&gt; -d ff:ff:ff:ff:ff:ff -m 68 -n 68 -p 0841 -h &lt;Innocent_computer&#8217;s_connected_to_AP_MAC&gt; ath0<br />
aircrack-ng -f 2 -a 1 -b &lt;AP&#8217;s_MAC&gt; -n 128 dump-01.ivs</em></p>
<p><strong>4.3 Wesside-ng Demo</strong></p>
<p>This is a tool that automates WEP cracking. It is still in an early stage of development and I could only get it working with an Atheros chipset. It is simple to use and does <em>everything</em> on its own. It finds a nearby vulnerable network, collects traffic and cracks the key.</p>
<p><em>wesside-ng -i ath0</em></p>
<p><a href="http://isisblogs.poly.edu/wp-content/uploads/wessideng_tools2.ogg">video</a></p>
<p><strong>5. Other WIFI tools</strong></p>
<p><strong>5.1 WifiZoo</strong></p>
<p>This is the most useful tool that I found. I believe it comes from the CoreImpact toolkit. It is used primarily for cookie stealing on unencrypted and possibly encrypted (untested) networks. On my test network I managed to steal Facebook cookies. I had unlimited control of the Facebook account of the &#8220;victim&#8221; and could do anything up to changing the password. I also managed to steal Gmail cookies. Pretty much the only things I could do were read email and set a forwarding email. I could not change the password.</p>
<p>I am not posting a demo of this due to size limitations and privacy issues. I am posting a screenshot. As you can see the tool also automatically collects FTP data and SMTP data. What you have to do to get it working is:</p>
<p>1. <em>nano /pentest/wireless/wifizoo/wifizoo.py</em> and change <em>conf.iface='eth0'</em> to your monitor interface<br />
2. <em>./wifizoo.py</em> to start the tool<br />
3. Start Firefox and change its HTTP proxy to <em>127.0.0.1:8080</em><br />
4. Point the browser to <em>127.0.0.1:8000</em>, which is WifiZoo&#8217;s web interface</p>
<p><img class="alignnone" src="http://isisblogs.poly.edu/wp-content/uploads/wfizoo.jpg" alt="wifizoo" /></p>
<p>5. After that, it&#8217;s smooth sailing - click on the cookies link, click on a captured cookie, select &#8220;Set Cookie&#8221; and it will take you to the IP address of the website. You usually have to change the IP address to the name manually (e.g. change 69.63.176.140 to www.facebook.com in the browser location bar).</p>
<p><strong>5.2 MDK3</strong></p>
<p>I don&#8217;t know if this stands for &#8220;Murder Death Kill 3&#8221; but it sure looks like it. I could not fully test this tool as I did not want to attack a large network, and this is mainly where it would shine. This tool allows you to deploy a 3-part attack. First, you can deauthenticate clients from all nearby or a selected Access Point, thus providing a denial of service. Second, you can flood the nearby APs with authentication requests. This can lead to a situation where some APs will need to be restarted, or they become full and will not accept any new users. Third, you can create a beacon flood of fake APs specifying some ssid or generating random ssid names. After this step, the legitimate clients that were booted from their APs in step 1 will have a lot of problems reconnecting. This sounds like it could create some major havoc on unsuspecting networks. Most of this can probably be mitigated by a combination of MAC filtering and good firmware. The commands are:</p>
<p><em>mdk3 eth0 d                                        # deauthentication attack<br />
mdk3 eth0 a -a &lt;AP_MAC&gt;                 # authentication flood<br />
mdk3 eth0 b -n MyEssid -w -c 11       # beacon flood mode</em></p>
<p><strong>6. EXPLOITATION FRAMEWORKS</strong></p>
<p>Backtrack comes with Metasploit, Inguma, W3AF and a few others. I have tested Metasploit and W3AF and will present my results here.</p>
<p><strong>6.1 Metasploit 3 - unlocking a workstation</strong></p>
<p>The problem is simple: I have a Windows 2000 VMware workstation that I don&#8217;t know the password to. Since it turns on, it probably goes online and gets an IP address. An nmap scan reveals that to be true. After that, I take a random exploit for Windows 2000 and throw it at the box. This one happens to be a Net32Api CanonicalizePathName() stack overflow. The payload is set to vncinject. By default, it provides a &#8220;Courtesy Shell&#8221;. Typing &#8220;explorer.exe&#8221; in that shell bypasses the authentication window and allows changing the Administrator password. Note that I am using the Windows GUI Metasploit. I had to do this due to my need to start a VM.</p>
<p><a href="http://isisblogs.poly.edu/wp-content/uploads/metasploit_unlockbox.avi">video</a></p>
<p><strong>6.2 Metasploit 3 - SMB Relay Attack</strong></p>
<p>Multiple videos already exist for this attack elsewhere, and while doing this I used a tutorial from learnsecurityonline.com. The attack mechanism is described nicely <a href="http://xfocus.net/articles/200305/smbrelay.html">here</a> and <a href="http://perimetergrid.com/wp/2007/11/27/smb-reflection-made-way-too-easy/">here</a>. In a few words, what&#8217;s going on here is a man-in-the-middle reflection attack based on a weakness of the Microsoft SMB file sharing authentication protocol. Note that I am using a web interface this time.</p>
<p><a href="http://isisblogs.poly.edu/wp-content/uploads/metasploit_smb_relay.avi">video</a></p>
<p><strong>7. PENTESTING A WEBSERVER</strong></p>
<p>The tools that you want to use for this are: web spiders, web server vulnerability scanners, exploitation frameworks for the web, and credential brute-forcing utilities.</p>
<p><strong>7.1 Nikto</strong></p>
<p>This is a web server scanner which performs tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs and versions of over 900 servers. It commonly finds outdated software versions (SSL, Apache, PHP), allowed HTTP methods, and various directories that are missing index files.</p>
<p><img class="alignnone" src="http://isisblogs.poly.edu/wp-content/uploads/old_missing_index.JPG" alt="no index file" /></p>
<p><strong>7.2 W3AF</strong></p>
<p>This is a web application attack and audit framework. I have not experimented much with it. I used its webSpider to collect all the links of a web server. Then I wrote a script to extract the users of the server by searching for &#8220;~&#8221;.</p>
<p>Summary: Using the information collected from just the above two tools, we can now go ahead and try to exploit the server by looking for existing vulnerabilities for the outdated software, and by examining the files in directories that are missing index files to try to find .htpasswd files or embedded passwords in PHP files. We can also try to brute-force the accounts of the users we collected from the web spider. The tools to use for brute-forcing are Hydra, Medusa, and SSHater. They come with modules that allow you to attack most popular protocols (ssh, ftp, telnet, imap etc).</p>
<p><strong>8. TOOLS I DIDN&#8217;T LIKE</strong></p>
<p>There were a few that I didn&#8217;t like but others I just didn&#8217;t find useful. The list would be too long if I had to list it here. I will mention the fact that THC-Hydra and Medusa, both online password brute forcers, core dumped when I tried to use them.</p>
]]></content:encoded>
			<wfw:commentRss>http://isisblogs.poly.edu/2008/04/08/backtrack-3-demos-of-selected-tools/feed/</wfw:commentRss>
<enclosure url="http://isisblogs.poly.edu/wp-content/uploads/metasploit_unlockbox.avi" length="37459456" type="video/x-msvideo" />
<enclosure url="http://isisblogs.poly.edu/wp-content/uploads/metasploit_smb_relay.avi" length="19148288" type="video/x-msvideo" />
	<creativeCommons:license>http://creativecommons.org/licenses/by/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>The dumbest thing I had to learn for the CISSP</title>
		<link>http://isisblogs.poly.edu/2008/04/07/the-dumbest-thing-i-had-to-learn-for-the-cissp/</link>
		<comments>http://isisblogs.poly.edu/2008/04/07/the-dumbest-thing-i-had-to-learn-for-the-cissp/#comments</comments>
		<pubDate>Mon, 07 Apr 2008 19:32:52 +0000</pubDate>
		<dc:creator>Dan Guido</dc:creator>
		
		<category><![CDATA[Certifications]]></category>

		<category><![CDATA[Security Industry]]></category>

		<guid isPermaLink="false">http://isisblogs.poly.edu/?p=82</guid>
		<description><![CDATA[Started because of the following twitter from tqbf
STRIDE is the dumbest acronym in security.
There are two kinds of dumb:

dumb == harmful
dumb == pathetic

STRIDE has a little bit of both in it, it&#8217;s pretty high on the dumb scale.
I&#8217;m taking votes for either. What&#8217;s the overall dumbest term in security (acronym or not)?

I&#8217;ll start: the dumbest [...]]]></description>
			<content:encoded><![CDATA[<p>Started because of the following twitter from <a href="http://twitter.com/tqbf/statuses/784569309">tqbf</a></p>
<blockquote><p>STRIDE is the dumbest acronym in security.</p></blockquote>
<p>There are two kinds of dumb:</p>
<ol>
<li>dumb == harmful</li>
<li>dumb == pathetic</li>
</ol>
<p>STRIDE has a little bit of both in it, it&#8217;s pretty high on the dumb scale.</p>
<p>I&#8217;m taking votes for either. <strong>What&#8217;s the overall dumbest term in security (acronym or not)?<br />
</strong></p>
<p>I&#8217;ll start: the dumbest (#2) thing I had to learn for the CISSP was &#8220;<a href="http://en.wikipedia.org/wiki/Salami_slicing">salami slicing</a>.&#8221; The concept is OK, but the name makes me shake my head in shame. I shudder using this term to actually describe something to someone else.</p>
<p>EDIT: Ok, it might be &#8220;superzapper.&#8221;</p>
<p><a href="http://isisblogs.poly.edu/wp-content/uploads/superzapper.png" rel="lightbox[82]"><img src="http://isisblogs.poly.edu/wp-content/uploads/superzapper.png" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://isisblogs.poly.edu/2008/04/07/the-dumbest-thing-i-had-to-learn-for-the-cissp/feed/</wfw:commentRss>
	<creativeCommons:license>http://creativecommons.org/licenses/by/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>Multiple Vulnerabilities in ALL Synology Products</title>
		<link>http://isisblogs.poly.edu/2008/04/04/multiple-vulnerabilities-in-all-synology-products/</link>
		<comments>http://isisblogs.poly.edu/2008/04/04/multiple-vulnerabilities-in-all-synology-products/#comments</comments>
		<pubDate>Sat, 05 Apr 2008 02:48:55 +0000</pubDate>
		<dc:creator>Dan Guido</dc:creator>
		
		<category><![CDATA[Exploits]]></category>

		<category><![CDATA[Network Security]]></category>

		<category><![CDATA[Operating Systems]]></category>

		<category><![CDATA[Press Release]]></category>

		<category><![CDATA[Security Engineering]]></category>

		<guid isPermaLink="false">http://isisblogs.poly.edu/?p=81</guid>
		<description><![CDATA[In an earlier post to my personal blog as well as to this blog, I enthusiastically recommended the Synology CS407 NAS as a data storage/backup platform. I am now taking that recommendation back.
Let me just say this: it seemed like a good choice at the time, and, if I could have trusted the vendor to [...]]]></description>
			<content:encoded><![CDATA[<p>In an earlier post to <a href="http://www.cryptocity.net/blog/2007/04/27/dude-im-getting-a-nas/">my personal blog</a> as well as to <a href="http://isisblogs.poly.edu/2008/01/18/qa-with-isis-outsourced-backup/">this blog</a>, I enthusiastically recommended the <a href="http://www.synology.com/enu/products/CS407/index.php">Synology CS407</a> <a href="http://en.wikipedia.org/wiki/Network_Attached_Storage">NAS</a> as a data storage/backup platform. <strong>I am now taking that recommendation back</strong>.</p>
<p>Let me just say this: it seemed like a good choice at the time, and, if I could have trusted the vendor to deploy the software on it properly, it might still be. Here is a short summary of some of the issues I found:</p>
<p><a href="http://isisblogs.poly.edu/wp-content/uploads/exposure.png" rel="lightbox[81]"><img src="http://isisblogs.poly.edu/wp-content/uploads/exposure_small.jpg" alt="Table of Vulnerability Exposure for Synology Products" /></a></p>
<p>You can skip to the full report here: <a href="http://cryptocity.net/archive/synology_report.pdf">A Security Audit of the Synology Disk Station Manager (DSM) v2.0-0590 Firmware</a>.</p>
<p>What follows is a complete retelling of how I got here, sort of a lesson in vulnerability disclosure (not so much discovery, you&#8217;ll see why). It&#8217;s not pretty, <strong>I didn&#8217;t do all the right things</strong>, and it&#8217;s kind of long.</p>
<p><span id="more-81"></span></p>
<p>I had a lot of free time over Spring break (read: no money to travel anywhere) and so I decided to start &#8220;kicking the tires&#8221; of the Synology CS407 I owned. My jaw dropped when I got this first nmap scan back:</p>
<pre>PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e PHP/5.2.0)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp   open  http        Apache SSL-only mode httpd
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp   open  printer
548/tcp   open  afpovertcp?
3306/tcp  open  mysql       MySQL (unauthorized)
3493/tcp  open  tcpwrapped
3689/tcp  open  http        mt-daapd httpd 0.2.4
5000/tcp  open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e)
5001/tcp  open  http        Apache SSL-only mode httpd
5432/tcp  open  postgresql  PostgreSQL DB
50001/tcp open  tcpwrapped</pre>
<p>It only got worse when I ran Nessus. And then worse when I got a shell and started poking around the filesystem. Get this: <strong>every application on the box is running as root</strong>! And <strong>all the web apps are written as compiled binaries running in CGI&#8230; with root privileges</strong>! As a friend in the lab described it, &#8220;1996 called, it wants its web technology back!&#8221; They weren&#8217;t even making it difficult.</p>
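<p>Added example (my code, not part of the original post or the report): a small parser for the nmap port table above that turns it into a triage list, showing which services have no business answering on the LAN at all (the database listeners), which component versions the banners leak, and which ports nmap could not fingerprint and need a manual look. The sample input is the scan quoted above; the local-only service list is my assumption for a storage appliance.</p>

```python
import re

# Sample input: the nmap -sV port table from the scan quoted in the post.
NMAP_OUTPUT = """\
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e PHP/5.2.0)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp   open  http        Apache SSL-only mode httpd
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp   open  printer
548/tcp   open  afpovertcp?
3306/tcp  open  mysql       MySQL (unauthorized)
3493/tcp  open  tcpwrapped
3689/tcp  open  http        mt-daapd httpd 0.2.4
5000/tcp  open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e)
5001/tcp  open  http        Apache SSL-only mode httpd
5432/tcp  open  postgresql  PostgreSQL DB
50001/tcp open  tcpwrapped
"""

# One port line of nmap's normal output: port/proto, state, service, optional version.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Turn nmap's port table into a list of dicts; header and other lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": (version or "").strip()})
    return services


# Assumption (mine, not the post's): on an appliance these should only listen on localhost.
LOCAL_ONLY = {"mysql", "postgresql"}


def exposed_local_only(services):
    """Ports where a should-be-internal service answers on the network."""
    return sorted(s["port"] for s in services
                  if s["state"] == "open" and s["service"] in LOCAL_ONLY)


# Components whose version the banners give away; one regex covers "name 1.2" and "name/1.2".
COMPONENT = re.compile(r"(Apache httpd|mod_ssl|OpenSSL|PHP|mt-daapd httpd)[ /](\d[\w.]*)")


def component_versions(services):
    """Map each leaked component to the sorted set of versions seen across all ports."""
    found = {}
    for s in services:
        for name, ver in COMPONENT.findall(s["version"]):
            found.setdefault(name, set()).add(ver)
    return {name: sorted(vers) for name, vers in found.items()}


def unfingerprinted(services):
    """Ports nmap could not identify: guessed service ('?'), tcpwrapped, or no banner."""
    return sorted(s["port"] for s in services
                  if s["service"].endswith("?") or s["service"] == "tcpwrapped"
                  or not s["version"])


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    print("open ports:", [s["port"] for s in found])
    print("internal services reachable from the LAN:", exposed_local_only(found))
    print("versions leaked by banners:", component_versions(found))
    print("needs a manual look:", unfingerprinted(found))
```

<p>The versions this pulls out (Apache 2.2.3, OpenSSL 0.9.7e, PHP 5.2.0) are exactly what you feed into a vulnerability lookup, and the two database ports are the first thing to bind to 127.0.0.1 or firewall off if you own one of these boxes.</p>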
<p>This is where things got interesting. I looked around and there isn&#8217;t any formal security contact or even a public bug tracker (and they call themselves a Linux vendor!). I&#8217;m thinking maybe I can save myself some trouble and get this solved informally, so I made this <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;start=0&amp;st=0&amp;sk=t&amp;sd=a#p30895">really scary sounding post</a> on their user support forums with just the results of that nmap scan. I also submitted a technical support request at the same time, pointing to the forum post. Best idea? No. But it was easy. I really didn&#8217;t want to write a formal report and submit it. I&#8217;m not getting paid for this, and frankly, I&#8217;m kind of pissed off that I bought this thing and that I&#8217;m stuck with it now.</p>
<p>Two moderators immediately replied to my forum post claiming that there were <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;start=0&amp;st=0&amp;sk=t&amp;sd=a#p31015">no security vulnerabilities</a> and that <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;start=0&amp;st=0&amp;sk=t&amp;sd=a#p31053">security vulnerabilities were the price we pay for having the coolest NAS out there</a>. I thought these were official representatives of Synology at first and was ready to make a post to full-disclosure after reading their replies.</p>
<p>Then an official response came back from their tech support: log in to the box over SSH (which they don&#8217;t provide, I had to hack it to turn it on) and turn off the affected services. They also recommended I <em>put the box behind a firewall</em>&#8230; This is why you&#8217;re supposed to have a security@ contact, so people like me don&#8217;t get stuck with non-tech and sales staff. I said a few specific things in my reply to get my concerns in front of the right people:</p>
<ol>
<li>Ask for this issue to be escalated to a product manager</li>
<li>Explain the risks they were putting themselves and their customers under</li>
<li>Explain what would happen if they didn&#8217;t respond to my concerns (full-disclosure)</li>
<li>Include a PDF of a very early draft of my report</li>
</ol>
<p>That worked. 3 days later I got a response from Synology (still their sales staff) indicating that more than half of the vulnerabilities I pointed out would get fixed in a new release of the firmware due out in 60 days. They denied a number of vulnerabilities, which I explained further and sent back to them.</p>
<p>Then I didn&#8217;t hear from them for 9 days. Apparently, my emails were getting stuck in their spam filter (again, vendors, please set up a security@ e-mail)! This went back and forth for a bit and I&#8217;ve moved about 90% of the issues into the next release! A handful of more architectural issues were pushed back until a release 6 months in the future. You can&#8217;t win them all, but at least they are aware of the issues now.</p>
<p>Back on the forum, I had been getting fairly actively involved by answering security questions from other users. Some intelligent people saw what I was saying and <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;st=0&amp;sk=t&amp;sd=a&amp;start=15#p31157">came</a> <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;st=0&amp;sk=t&amp;sd=a&amp;start=15#p31159">to</a> <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;st=0&amp;sk=t&amp;sd=a&amp;start=30#p31241">my</a> <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;st=0&amp;sk=t&amp;sd=a&amp;start=30#p31726">defense</a> <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;st=0&amp;sk=t&amp;sd=a&amp;start=45#p31991">when</a> the fanboys attacked what I was saying about their precious devices. Two people even posted that they had <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;st=0&amp;sk=t&amp;sd=a&amp;start=45#p32347">delayed</a> or <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;st=0&amp;sk=t&amp;sd=a&amp;start=30#p31854">reconsidered</a> buying Synology products because of this discussion! It was really great to hear that, both as vindication that what I was saying was important and that Synology&#8217;s management had to take me seriously now. They were actively losing customers due to poor development practices.</p>
<p>How they reacted to this really isn&#8217;t surprising in hindsight: they moved all my posts to a separate, special forum, away from potential and current (but mostly potential) customers. Then their moderators started getting fed up that people were still talking about security issues they thought were irrelevant and resorted to <a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;st=0&amp;sk=t&amp;sd=a&amp;start=60#p32377">character attacks and flaming</a>. I sent an e-mail to my contact on the sales staff that someone representing their company was acting inappropriately and their behavior might be tied back to the company. Synology responded by <strong><a href="http://www.synology.com/enu/forum/viewtopic.php?f=88&amp;t=7304&amp;st=0&amp;sk=t&amp;sd=a&amp;start=60#p32432">locking my post</a></strong>.</p>
<p>And that&#8217;s the end of that mess.</p>
<p>If you have a Synology product&#8230; well good luck! All the problems I found won&#8217;t be resolved until 09/2008! And even then, I&#8217;m <strong>sure</strong> there will be more security vulnerabilities. Those compiled binary CGIs are a ticking timebomb. If you don&#8217;t already own a Synology product, I suggest <a href="http://www.freenas.org/">FreeNAS</a>. You can install it in a VM and try it before you &#8220;buy&#8221; it. I&#8217;d really like to get my hands on one of NetGear&#8217;s ReadyNAS products&#8230; anyone with one want to let me poke around it for a bit?</p>
]]></content:encoded>
			<wfw:commentRss>http://isisblogs.poly.edu/2008/04/04/multiple-vulnerabilities-in-all-synology-products/feed/</wfw:commentRss>
	<creativeCommons:license>http://creativecommons.org/licenses/by/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>RFID security &#8212; mark your calendars!</title>
		<link>http://isisblogs.poly.edu/2008/04/03/rfid-security-mark-your-calendars/</link>
		<comments>http://isisblogs.poly.edu/2008/04/03/rfid-security-mark-your-calendars/#comments</comments>
		<pubDate>Thu, 03 Apr 2008 23:22:29 +0000</pubDate>
		<dc:creator>Dan Guido</dc:creator>
		
		<category><![CDATA[ISIS in the News]]></category>

		<category><![CDATA[Physical Security]]></category>

		<category><![CDATA[Privacy]]></category>

		<category><![CDATA[RFID]]></category>

		<guid isPermaLink="false">http://isisblogs.poly.edu/2008/04/03/rfid-security-mark-your-calendars/</guid>
		<description><![CDATA[ISIS lab alumnus Mike Aiello will be on CBS National News at 6pm on Sunday, April 6th, talking about RFID security. Mike runs DIFRWear, a company that makes RFID-blocking apparel.
]]></description>
			<content:encoded><![CDATA[<p>ISIS lab alumni, Mike Aiello, will be on CBS National News @ 6pm on Sunday, April 6th talking about <a href="http://tv.boingboing.net/2008/03/19/how-to-hack-an-rfide.html">RFID security</a>. Mike runs <a href="http://www.difrwear.com/">DIFRWear</a>, a company that makes RFID-blocking apparel.</p>
]]></content:encoded>
			<wfw:commentRss>http://isisblogs.poly.edu/2008/04/03/rfid-security-mark-your-calendars/feed/</wfw:commentRss>
	<creativeCommons:license>http://creativecommons.org/licenses/by/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>We promise we won&#8217;t store your password</title>
		<link>http://isisblogs.poly.edu/2008/03/30/we-promise-we-wont-store-your-password/</link>
		<comments>http://isisblogs.poly.edu/2008/03/30/we-promise-we-wont-store-your-password/#comments</comments>
		<pubDate>Mon, 31 Mar 2008 04:16:39 +0000</pubDate>
		<dc:creator>Dan Guido</dc:creator>
		
		<category><![CDATA[Privacy]]></category>

		<category><![CDATA[Psychology of Security]]></category>

		<category><![CDATA[Social Engineering]]></category>

		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://isisblogs.poly.edu/2008/03/30/we-promise-we-wont-store-your-password/</guid>
		<description><![CDATA[This is a short rant prompted by another student&#8217;s observation that Yelp actually asks for your Gmail password as part of their signup process&#8230;
Have you encountered a website that asks for the username and password to your e-mail provider? I&#8217;m talking about this:


LinkedIn asking for my Gmail password
Yelp asking for my Gmail password
This really needs [...]]]></description>
			<content:encoded><![CDATA[<p>This is a short rant prompted by another student&#8217;s observation that Yelp actually asks for your Gmail password as part of their signup process&#8230;</p>
<p>Have you encountered a website that asks for the username and password to your e-mail provider? I&#8217;m talking about this:</p>
<p><a href="http://isisblogs.poly.edu/wp-content/uploads/facebook_gmail.png" rel="lightbox[76]" title="Facebook asking for Gmail password"><img src="http://isisblogs.poly.edu/wp-content/uploads/facebook_gmail.png" alt="Facebook asking for my Gmail password" /></a><br />
<span id="more-76"></span><br />
<a href="http://isisblogs.poly.edu/wp-content/uploads/linkedin_gmail.png" rel="lightbox[76]" title="LinkedIn asking for Gmail password">LinkedIn asking for my Gmail password</a></p>
<p><a href="http://isisblogs.poly.edu/wp-content/uploads/yelp_gmail.png" rel="lightbox[76]" title="Yelp asking for Gmail password">Yelp asking for my Gmail password</a></p>
<p>This really needs to stop and people need to start using the <a href="http://googledataapis.blogspot.com/2008/03/3-2-1-contact-api-has-landed.html">Gmail Contacts Data API</a>.</p>
<p>I think it&#8217;s kind of needless to say that not only is this <a href="http://it.slashdot.org/article.pl?sid=08/03/11/1723206">unsafe</a>, but it helps users become victims of phishing at some point in the future. Socializing users into giving away their passwords to arbitrary 3rd parties is <strong>not OK</strong>.</p>
<p>So, thanks Facebook, LinkedIn, Yelp, and others for continuing to make the Internet just that much more dangerous; now start using the Contacts API.</p>
<p>If you know of any other websites that still ask for your Gmail password, list them in the comments!</p>
]]></content:encoded>
			<wfw:commentRss>http://isisblogs.poly.edu/2008/03/30/we-promise-we-wont-store-your-password/feed/</wfw:commentRss>
	<creativeCommons:license>http://creativecommons.org/licenses/by/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>Paper Discussion - Do Background Images Improve “Draw a Secret” Graphical Passwords?</title>
		<link>http://isisblogs.poly.edu/2008/03/29/paper-discussion-do-background-images-improve-%e2%80%9cdraw-a-secret%e2%80%9d-graphical-passwords/</link>
		<comments>http://isisblogs.poly.edu/2008/03/29/paper-discussion-do-background-images-improve-%e2%80%9cdraw-a-secret%e2%80%9d-graphical-passwords/#comments</comments>
		<pubDate>Sat, 29 Mar 2008 06:19:49 +0000</pubDate>
		<dc:creator>sevinc</dc:creator>
		
		<category><![CDATA[Academic Papers]]></category>

		<category><![CDATA[graphical passwords]]></category>

		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://isisblogs.poly.edu/2008/03/29/paper-discussion-do-background-images-improve-%e2%80%9cdraw-a-secret%e2%80%9d-graphical-passwords/</guid>
		<description><![CDATA[Short Summary of the paper:
Draw a Secret- DAS is a graphical password scheme where users are suppose to draw a secret on a grid. A completed drawing, i.e., a secret, is encoded as the ordered sequence of cells that the user crosses whilst constructing the secret. Each time a user lifts the en from the [...]]]></description>
			<content:encoded><![CDATA[<p>Short Summary of the paper:</p>
<p>Draw a Secret (DAS) is a graphical password scheme in which users draw a secret on a grid. A completed drawing, i.e. a secret, is encoded as the ordered sequence of cells that the user crosses while constructing it. Each time the user lifts the pen from the drawing surface, a “pen-up” event is encoded as a distinguished coordinate pair. The important thing to note is that even if two drawings do not look the same, as long as their encodings are identical they yield the same password. The basic problem with this scheme is that it is vulnerable to graphical dictionary attacks; users also tend to choose passwords that are symmetric and centered. Therefore, in this paper the authors propose using a background image to help users 1) remember the password more easily and 2) choose passwords that are neither symmetric nor centered. The only difference is that users do not draw their password on an empty grid; they choose a background image to draw on. Experimental results show that this scheme is better than DAS, since people chose more complicated and longer passwords, and symmetry and centering were lower, so the authors conclude it is more secure than DAS. However, a question arises here: the background image may give attackers a clue about the password. So can the security lost to the background image be compensated for by the reduced symmetry and centering? Unfortunately the paper has no study of this question. It is an open problem!</p>
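<p>As an added illustration (my code, not the paper's), here is the DAS encoding described above as a short Python routine. A drawing is a list of strokes, each stroke a list of pen samples in grid units on a 5x5 grid; the encoder emits the sequence of cells crossed and a pen-up marker after each stroke. The pen-up coordinate pair and the mirror-symmetry test are my conventions, not the paper's exact definitions, and the drawings are constructed. Two visibly different strokes that cross the same cells encode identically, which is the equivalence the scheme rests on, while the same cells drawn as two strokes do not.</p>

```python
from math import floor

G = 5             # DAS draws on a 5x5 grid; cells are (column, row) with 0 <= x, y < G
PEN_UP = (G, G)   # assumption: a coordinate pair no real cell can have marks a pen-up


def cell_of(x, y):
    """Map a pen sample in grid units to the cell containing it (clamped to the grid)."""
    clamp = lambda v: min(G - 1, max(0, floor(v)))
    return (clamp(x), clamp(y))


def encode(strokes):
    """Encode a drawing as DAS does: the ordered cells crossed, consecutive
    samples inside the same cell collapsed, PEN_UP appended after every stroke."""
    seq = []
    for stroke in strokes:
        last = None
        for x, y in stroke:
            c = cell_of(x, y)
            if c != last:
                seq.append(c)
                last = c
        seq.append(PEN_UP)
    return tuple(seq)


def password_length(encoded):
    """Length as the number of cells crossed, pen-ups excluded."""
    return sum(1 for c in encoded if c != PEN_UP)


def stroke_count(encoded):
    return encoded.count(PEN_UP)


def is_mirror_symmetric(encoded):
    """Simplified symmetry test (my measure, not the paper's): the set of cells
    is its own mirror image about the grid's vertical or horizontal axis."""
    cells = {c for c in encoded if c != PEN_UP}
    vertical = {(G - 1 - x, y) for x, y in cells} == cells
    horizontal = {(x, G - 1 - y) for x, y in cells} == cells
    return bool(cells) and (vertical or horizontal)


# Constructed drawings (pen samples in grid units).
STRAIGHT = [[(0.5, 0.5), (1.5, 0.5), (2.5, 0.5)]]                          # flat line, top row
WOBBLY = [[(0.2, 0.2), (0.8, 0.9), (1.3, 0.1), (1.9, 0.7), (2.6, 0.4)]]    # looks different, same cells
SPLIT = [[(0.5, 0.5), (1.5, 0.5)], [(2.5, 0.5)]]                           # same cells, extra pen-up
CENTERED = [[(0.5, 2.5), (1.5, 2.5), (2.5, 2.5), (3.5, 2.5), (4.5, 2.5)]]  # the weak, symmetric kind

if __name__ == "__main__":
    for name, drawing in [("straight", STRAIGHT), ("wobbly", WOBBLY),
                          ("split", SPLIT), ("centered", CENTERED)]:
        e = encode(drawing)
        print(name, e, "length", password_length(e), "strokes", stroke_count(e),
              "symmetric", is_mirror_symmetric(e))
```

<p>A graphical dictionary attack works on exactly this encoded form: it enumerates short, symmetric, centered cell sequences first, which is why the paper measures length, symmetry and centering rather than how the drawings look.</p>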
<p>Questions raised in the meeting:</p>
<ul>
<li>Do we really believe in graphical passwords? Are they really more memorable? Are they really more usable? Are they really more secure?</li>
<li>What would be the impact of background images in this scheme? Will they undermine the security?</li>
<li>Which graphical password scheme is more secure: DAS or PassPoints (where the user clicks on points of an image in a particular order)?</li>
<li>How about using passphrases instead of passwords? Would it be more secure to use the initials of a secret phrase as a password?</li>
<li>Can we design a new scheme combining both graphical and text?
<ul>
<li>How about writing your password in your own handwriting and having the scheme verify that it is you who is writing (i.e. combining a password with a biometric)? Would you feel uncomfortable about shoulder surfing in this case? (Note that even if shoulder-surfers capture your movements, they can&#8217;t capture everything about your handwriting, only the letters that you use in your password.)</li>
</ul>
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://isisblogs.poly.edu/2008/03/29/paper-discussion-do-background-images-improve-%e2%80%9cdraw-a-secret%e2%80%9d-graphical-passwords/feed/</wfw:commentRss>
	<creativeCommons:license>http://creativecommons.org/licenses/by/3.0/</creativeCommons:license>
	</item>
	</channel>
</rss>
