.:Computer Defense:.

I'm not going to give an answer to that... but I want everyone to think about it. As most people have read by now, the SANS Top-20 2007 list has been published.

The list this year contains the following:

1. C1. Web Browsers
2. C2. Office Software
3. C3. Email Clients
4. C4. Media Players
5. S1. Web Applications
6. S2. Windows Services
7. S3. UNIX and Mac OS Services
8. S4. Backup Software
9. S5. Anti-virus Software
10. S6. Management Software
11. S7. Database Software
12. H1. Excessive User Rights and Unauthorized Devices
13. H2. Phishing / Spear Phishing
14. H3. Unencrypted Laptops and Removable Media
15. A1. Instant Messaging
16. A2. Peer-to-Peer Programs
17. N1. VoIP Servers and Phones
18. Z1. Zero Day Attacks

Now take a look at past year's lists [2000, 2001, 2002]. The lists were somewhat specific... they gave you specific pieces of software, or enterprise 'security issues' (failure to properly backup, failure to properly log) that were of a concern. This year, we're presented with 18 categories (that's right... the top 20 contains 18 categories) that are almost as generic as you can get. This years SANS Top-20 List contains 257 unique CVEs... and that doesn't include the fact that they have included configuration sections that don't include any CVEs. Someone made the comment that next year they will release the "SANS Number #1" and the single entry will be "Computer". They are starting to get pretty close. The fix will probably be "Unplug the computer".

So if you're in an enterprise... how can you find any meaning in the SANS Top 20... they've essentially told you that users are stupid and that every piece of software you have deployed is flawed. It seems to me that calc.exe is safe... and perhaps sol.exe but nearly *everything* else fits into one of those categories. There are actually some well respected individuals on the team that composed the SANS Top 20... people that I would not normally associate with this sort of drivel... but really that's what this has become... I almost want to call it a 'FUD Missile'. It's telling me that all backup software is vulnerable, all AV software is vulnerable... my web browser is vulnerable.. my IM and Media Players are vulnerable... Yet they somehow let network infrastructure off the list. DNS Rebinding has been fairly popular this year, yet DNS isn't listed... it's mentioned twice in the entire report... once under phishing / spear phishing... and once under 0-days for the Windows DNS 0-day. They don't even mention DNS Rebinding as an issue... the phishing section says, "While they leverage flaws in browsers, email systems, and DNS, they do so only to enhance the appearance of legitimacy"

So my question... Do people out there still find meaning in the SANS Top 20? Has it outlived it's usefulness?

Yet another one of these exploits... I find this one to be somewhat humourous... if for no reason other than I see it as a massive Apple failing... Apple has failed miserably. How did they fail? In two ways.

1. Quicktime was not compiled to take advantage of ASLR on Vista.

This is simple enough, you pass in the /dynamicbase switch to the linker... Visual Studio 2005 SP1 will even let you set it up in the linker options.

2. Apple saw this issue or a damn similar one back in 2002.

Thanks goes to Joel Esler for pointing this one out. CVE-2002-0252 describes a buffer overflow in the Content Type header. The SecurityFocs description of this vulnerability reads:

Apple QuickTime For Windows does not perform sufficient bounds checking of the "Content-Type" header. This issue may be exploited if a server responds with a maliciously crafted "Content-Type" header to a HTTP request for a media file. A "Content-Type" header of 500+ characters is sufficient to trigger this condition, causing stack variables to be overwritten in the process.

With this new vulnerability, we see that the overflow is again in the Content-Type... as one of the vulns on milw0rm makes evident:

header = (
'RTSP/1.0 200 OK\r\n'
'CSeq: 1\r\n'
'Date: 0x00 \r\n'
'Content-Base: rtsp://0.0.0.0/1.mp3/\r\n'
'Content-Type: %s\r\n' # <-- overflow
'Content-Length: %d\r\n'
'\r\n')

So I'm saying it.... Apple failed.

It seems to me that Google isn't the biggest fan of Tor...

Do a search for 'what's my IP' and you get a number of results, whatsmyip.org being the first one. Now do that same search with Tor running... I got a 403 page from Google:

We're sorry...

... but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can't process your request right now.

We'll restore your access as quickly as possible, so try again soon. In the meantime, if you suspect that your computer or network has been infected, you might want to run a virus checker or spyware remover to make sure that your systems are free of viruses and other spurious software.

We apologize for the inconvenience, and hope we'll see you again on Google.
To continue searching, please type the characters you see below:
If you can read this, you do not have images enabled. Please enable images in order to proceed.

Disable Tor and once again I can run the query.

I'm not sure how I didn't stumble across this before but at least I did eventually find it. From the about page:

In the style of Johnny Longs googledorks, I bring you the CSRF Hacking Database.
This database will contain urls that exploit CSRF vulnerabilities in websites.
This is not intended to assist malicious hacking, rather it is intended to raise
awareness about CSRF vulnerabilities in general.

You can check out the database here.

I know it shouldn't surprise me anymore... but it still does. Every time I visit a site and see a massive, gapping hole in their webapp security. I can get missing an XSS or some other input validation... it's not good, but it happens... what I don't get is shopping cart apps that allow the customer to change the purchase price.

I was visiting the online ordering system of local pizza/pasta place and noticed the links I was clicking on for the first time. The query looked something like this:
'add=310,1,8.95,Sandwiches,veggie&returnto=/top.php'

This translates to: item number, quantity, price, category, description.

Now the first obvious problem is that we've got an open redirect on the 'returnto' field. The second problem is that we can modify the price (change field three) and we can inject text via either category, description and price, all of which are printed to the page. I did notice that the '<' character was stripped, but that's the only character that I noticed.

As I said, this probably shouldn't surprise me anymore but it still does. The kicker... there's no administrative contact info on the website to point out these flaws to them.

SecTor Day #2
Speakers: Ryan Poppa and Jay Graver
Presentation (pdf)
Download Audio (with Slide Deck) (wmv)

This was the final talk that I attended prior to the wrap up. I already knew what to expect for the most part, since Ryan and Jay are colleagues at nCircle.

The hour long presentation started with 30 minutes of background presented by Jay. The discussion itself focused around network fingerprinting (detecting versions of operating systems and listening services over a network) and, more specifically, HTTP server fingerprinting. The background included a comparison of currently available tools and included nmap, amap and httprint. Jay looked at the results of these tools against modern servers... first while displaying their standard banners and then using obfuscated banners. When faced with obfuscated banners the tools didn't fare so well.

The second half of the presentation, presented by Ryan, included what was really the "meat" of the presentation... the discussion of a new tool, httpfp [link coming as soon as the tool is released], which uses a new approach to fingerprinting. Ryan pointed out numerous aspects of a HTTP Server response that can be used to determine the type of software that the server is running, even if banner obfuscation is being used. Some of the included identification points were:

• Case of the Content-Length header (Content-Length/Content-length/content-length)
• The existence of Public or Allow headers
• The order of the options presented in the Public/Allow header

The concept is definitely cool and I'm really looking forward to see what advancements and improvements will be made in the future. It was also a great way to round-up the conference.

[Updated Links]

SecTor Day #2
Speaker: Johnny Long
Download Audio (wmv)

This was my first time seeing Johnny talk and he definitely lived up to the stories I've heard. This wasn't a technical talk by any means, but it was highly entertaining and hilarious.

Before Johnny started his talk, he took advantage of his the platform to fill in the attendees on IHackCharities.org. The basis of the organization is fairly simply... they match hackers/it professionals who are unemployed with charities that are seeking IT-related help... e.g. a charity that needs a web page built for them. In exchange for the few hours of work that the hacker donates, they get references from leading industry professionals who have verified their work. I actually see this as being quite useful and was excited to hear about it. I have to contact Johnny still as he mentioned unemployed professionals, but I'm wondering if the employed can volunteer as well. It's a way that everyone can give back, even if it's just a little bit. This is something that the SecTor organizers should have picked up on and presented to the entire con, as it's definitely a worthwhile cause.

Back to the presentation... Johnny took several popular hacker related movies and demonstrated why scenes were either 'leet' or 'lame'. The movies included Hackers, The Matrix, Swordfish, and Code Hunters... although there were plenty of others. The presentation was a lot of fun, however it might have been more fitting as a keynote so that everyone could have enjoyed it.

Valid uses of security in movies were pointed out, as were the completely wacko ideas. There were typos identified and examples of Hollywood using yet to be discovered technologies.

The hour flew by and could have most likely been extended, as everyone was drawn into the talk, which included audience participation.

SecTor Day #2
Speaker: Dan Kaminsky
Presentation (ppt)
Audio (wmv)

This was the first talk I attended on day 2. Dan demonstrated DNS Rebinding attacks and how they can be dangerous to internal networks. The talk was filled with technical data and live demos.

While the demo had been setup in advance it was nice to see how quickly and efficiently the attack could be pulled off if you were prepared.

One interesting event occurred when another speaker (who had presented on DNSSEC) argued that DNSSEC is the solution to this problem. Kaminsky was able to make short work of the individual and put him in his place... even though he attempted to persist with his argument.

There are solutions to some forms of DNS rebinding, unfortunately they could take years to implement, even if they were.

The first would be to rewrite DNS servers to not allow RFC 1912 addresses from external sources.

Another would be to rewrite DNS to operate with its own version of the three way handshake. The server receives an IP after resolving the domain name and rather than pass it to the host, it performs a reverse resolution on the IP, ignoring any mappings that occur in its cache. Sure this increases the load on servers, but I'm fairly certain they'd be able to handle it... A problem that can occur here is with virtual hosts, and unfortunately they are becoming more and more common. The problem here is that you need all virtual hosts to be returned when an IP is resolved, and that doesn't seem likely.

Right now, the most effective step you can take is to have firewall rules on the border of your network to either drop DNS responses with internal IPs or to rewrite them on the fly. This doesn't, however, stop an attack from rebinding to a different external IP.

For more information on DNS Rebinding, there's a great paper available from a team at Stanford CS on the subject.

SecTor Keynote
Speaker: Steve Riley
Presentation (ppt)

Full Title: Defending Layer 8: How to Recognize and Combat Social Engineering

This talk was interesting, funny and informative... a great way to start the second day.

Steve took the 7 layer OSI model and turned it into a 9 layer model. He added layer 0 to the bottom, physical... but not physical like layer 1... He differentiated by referring to layer 1 as 'cyberspace' and layer 0 as 'meatspace'. Layer 0 is your physical location, your physical security... the building itself where your systems are located. The other added layer was layer 8, a layer that is traditionally added to the OSI model and referred to as the 'human layer'.

To demonstrate layer 0 problems, Steve told a story involving the movement of a data center. The company had moved their data center down to street level, and put it on display behind a glass window facing the street. This included server names and ip addresses, dial-in numbers for modems, etc... It turned out some thieves noticed the display and they drove a truck through the window, grabbing the first computer they came across. The computer ended up being the company's domain controller. An hour later they were lucky enough to get the computer back, however instead of performing forensics... they immediately plugged it back into the network.

Steve's talk was full of stories like that one... little, funny, to the point stories that kept you interested and enhanced the overall presentation. I believe that the SecTor organizers are putting video, or at very least audio, online with the presentations... for all of the keynotes so far that will make a huge difference for those intending to go through the slide decks (which I will link to as soon as I see them posted).

Steve continued on with his discussion on social engineering and offered 10 tips for anyone interested in trying out social engineering. The list included:

1. Be Professional.
2. Be Calm.
3. Know your mark.
4. Do not fool a superior scammer.
5. Plan your escape from your scan.
6. Be a woman.
7. Use watermarks.
8. Make business cards and fake names.
9. Manipulate the less fortunate, the unaware, and the stupid.
10. Use a team if you have to.

Each of these steps included details and descriptions... or at very least amusing commentary.

Steve also outlined 8 types of Social Engineering 'exploits', each with an example:

1. Diffusion of Responsibility - 'The VP says you won't bare any responsibility'
2. Chance for ingratiation - 'Look at what you might get out of this'
3. Trust Relationships - 'He's a good guy, I think I can trust him'
4. Moral Duty - 'You must help me! Aren't you so mad about it?'
5. Guilt - 'What, you don't want to help me?'
6. Identification - 'You and I are really two of a kind, huh?'
7. Desire to be helpful - 'Would you help me here, please?'
8. Cooperation - 'Let's work together. We can do so much!'

Following this, along with additional stories, were steps on discovering data on your target, ways to pull off an attack, ways to defend against an attack. It was definitely a great explanation of social engineering. I think that a lot of people walked away with a lot of useful information.

Sector Day #1
Speakers: Rohit Sethi and Nish Bhalla
Presentation (pdf)
Audio (wmv)
Tool Website

Full Title: Exploit-Me Series -- Free Firefox Application Penetration Testing Suite Launch

I was really curious to see this one, although I heard the other talks were interesting. My main reason was that I wanted to see how this plugin was different from others, such as my favourite tool: Tamper Data. In the end, the tool is much more like WhiteAcid's XSS Assistant.

The tool, which be available on Nov 26 from SecurityCompass.com, allows you to assign static variables to certain form fields and then XSS the rest of them... testing for a variety of types of XSS, and allowing you to insert your own. They provided video demonstrations of the tool, which will be released under GPL, which I can't wait to get my hands on to play with.

The first half of the talk, leading up to the tool release took a look at problems with current testing tools, which are primarily proxy based (such as Tamper Data). It also explained CSRF, XSS and SQL Injection. The second half was demos of both tools, XSS-Me and SQL Inject Me... as well as a brief discussion of limitations/future improvements and other planned tools.

I'm very excited to see what happens to these tools, especially once they hit the hands of web app geeks everywhere. I was also genuinely impressed by the mention that SecurityCompass (the company at which both Nish and Rohit work) would be staffing someone to develop the Exploit-Me series of plugins.