
Archive for the ‘IT’ Category

My Experiences Jailbreaking the iPad

It's been a while since I posted here (I'll add another post with links to my recent postings) but maybe this one will irritate enough people to make up for it :)

--

Last weekend involved more playing with my iPad and given that it’s my first Apple product since the original iPod mini, there are many things that I’d never played with. I decided that an interesting first step would be to figure out why it’s so popular to jailbreak iDevices. It only took me about 30 seconds on Google to come across Spirit and the process was incredibly painless. I downloaded the app, connected my iPad and clicked Jailbreak. In a matter of minutes I had a jailbroken iPad with Cydia installed (a GUI apt-get-like program, similar to Synaptic on Ubuntu).

Given that I spend a lot of time with Python and I’m a big fan of Metasploit and Nmap, I decided that I’d start with those apps. It was pretty impressive, to just click and install (although I did have to modify msfconsole to get it to run on its own). If I was a pentester, I’d see some serious benefits to a jailbroken iPad. However, I’m not so I continued to dig around. I had to install openssh-server and SSH into my host (there’s no terminal software for the iPad like there is for the iPhone) but that was easy enough. Now it’s time to investigate.

My biggest complaints about the iPad are:

  1. Inability to play DRM wma files.
  2. Inability to multitask.
  3. No decent text editor.
  4. No way to have portable python.

#4 was solved immediately but wouldn’t be useful without a Bluetooth keyboard and that limits the portable aspect. #1 is wishful thinking; it’s just never going to happen. That leaves #2 and #3, so we’ll explore those in more detail.

The inability to multitask is a big one for me. I’d like to have a browser and a game and email and IM open… but Mr. Jobs doesn’t want me to have that freedom. Multitasking is supposed to be one of the big things that jailbreaking gives you… I’m afraid we’ve been misled. ProSwitcher was the first app I tried, and as soon as I installed it I experienced my first stability issue… Switchboard crashed when I tried to open an app. So next I tried Multifl0w and was disappointed when the repository failed and I couldn’t try it. That left Backgrounder; which, based on what I’d read online, was my best chance. It allowed me to background applications (a partial win), however my chat still logged me off when the window was in the background, so ultimately it was another fail. I suppose that I could have gone with full console applications, installed screen and run a different console app in each window, but that feels like it’s defeating the purpose of having an iPad (besides, I’ll SSH into a shell account for that functionality).

A decent text editor is something else I was excited for. I’ve recently stumbled across a source code editor in the AppStore that might solve my problems but I couldn’t bring myself to spend $10 on it just yet. In the meantime the first thought I had was ‘finally… vi’. Vi IMproved was available and I quickly installed it. It was useful but, similar to python, wasn’t overly useful without a real keyboard (the lack of ‘:’ on the main keyboard made it especially painful to use).

So all my dream iPad situations faded away but I figured I should still check to see what else was in Cydia. I have to say, I was impressed… Impressed by the sheer amount of crap that existed. I couldn’t find any useful functionality. There was software that would make the annoying mosquito sound (that’s only heard by people under 30) and software that allowed you to “shake body parts” and even software that simulated Bluetooth functionality. It didn’t give you Bluetooth functionality… It just looked like it was doing something. No software to add DUN support so that I could tether with my Blackberry. No cool office suites or useful tools, just a whole lot of useless, mindless programs.

Needless to say, my jailbroken iPad lasted less than 2 hours; at that point I did a full restore of the original OS and I’m happy that I did it. In those two hours I had the iPad crash once and Springboard about a half dozen times. I found no useful software and couldn’t accomplish any of the tasks I wanted to.

Should Python ever make it into the AppStore, even with a price tag, I’ll happily pay for it but I’m going to stick with my iPad in its default configuration. Should I ever get into pentesting, I’d probably change my mind, but it just doesn’t seem useful for anyone else to even consider.

Categories: IT

SSH Brute Force Attempts — GeoLocation

A couple of weeks ago, I posted regarding the logs of some SSH brute force attempts I had logged on my server, and was looking through. One of the comments was asking for geolocation of the IP Addresses. Tonight I decided to make use of the service available at ip2location.com and geolocate each of the IPs that I had. I'm actually fairly impressed with the service: you can do 20 lookups per IP per day unregistered and if you register you can do 200 lookups per IP per day. I registered and then pasted my entire list into a textbox they provide and it looked them all up at once and provided the results.

Here are the screenshots. It was a small set of IPs, but the top three countries were China, USA, Poland.

Categories: IT, Security

Does (Spam|Phishing) Filtering == Email Censoring?

I was reading about the Gmail Labs option to display a key icon if the sender's domain is signed using DKIM and the sender is eBay or PayPal. This allows you to quickly verify if the email is legitimate by looking at the icon. Now it apparently takes some work for a domain to be "super-trustworthy", so this key can't just work for any domain. (I suggested two types of keys, one for all DKIM emails and one for these "super-trustworthy" DKIM emails -- almost like SSL vs EV SSL (it kinda hurt to say that though))

Anyways, to get back on track, as I was reading some of the comments on the Google Group, I came across this one, 'Censoring my Email'. It actually made me stop and think for a second. On one hand Gmail is indeed censoring the email you see, however they're doing it to filter spam... is it really censoring at that point?

I think we first need to consider what's being filtered. Any email from paypal.com or ebay.com (or their international counterpart domains) must be signed with DKIM. If Gmail can verify the DKIM signature, it delivers it to your inbox; however, if they can't, they send it to /dev/null. How much spam does this filter? Well, basically anyone who's set their own 'MAIL FROM' response to paypal.com/ebay.com. People who set their name to 'PayPal Support' with an email address of paypal-support@gmail.com will not be filtered and will show up as just 'PayPal Support', unless the recipient clicks 'Show Details'.
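To make the gap concrete, here is an added illustration (not Gmail's code) of a rule that drops unsigned mail whose address is on paypal.com/ebay.com, alongside the display-name check that such a rule lacks; the From headers, the brand-to-domain map and the "DKIM verified" input are constructed for the example.

```python
# Added illustration of the gap described above: a Gmail-style rule that
# drops unsigned mail whose address is on paypal.com/ebay.com does nothing
# about a display name of "PayPal Support" over an unrelated address.
# The headers and the rule below are constructed simplifications, not
# Google's implementation.
from email.utils import parseaddr
from typing import Optional

# Domains that this policy requires to be DKIM-signed (as the post describes).
DKIM_REQUIRED = {"paypal.com", "ebay.com"}

# Brand names and the domains that may legitimately carry them in a display name.
# Constructed mapping for the example; a real filter would maintain its own list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address part of a From: header."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dkim_domain_rule(from_header: str, dkim_verified_domain: Optional[str]) -> str:
    """The post's Gmail-like rule: drop unsigned mail from a protected domain.

    dkim_verified_domain is the d= domain of a signature that verified, or
    None when no signature verified (verification itself is assumed done).
    """
    domain = sender_domain(from_header)
    if domain in DKIM_REQUIRED and dkim_verified_domain != domain:
        return "drop"
    return "deliver"


def display_name_impersonation(from_header: str) -> Optional[str]:
    """Return the brand a display name claims while the address is not on
    one of that brand's domains, or None when there is no mismatch."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return brand
    return None


def classify(from_header: str, dkim_verified_domain: Optional[str]) -> str:
    """Combine the DKIM-domain rule with the display-name check:
    'drop', 'deliver', or 'flag' (delivered, but the user should be warned)."""
    verdict = dkim_domain_rule(from_header, dkim_verified_domain)
    if verdict == "deliver" and display_name_impersonation(from_header):
        return "flag"
    return verdict
```

Run `classify("PayPal Support <paypal-support@gmail.com>", None)` to see the case the post describes: the DKIM-domain rule alone delivers it unchallenged, and only the display-name check flags it.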

Now imagine that you're a non-technical Gmail user who's read an article that says paypal.com/ebay.com emails aren't even delivered to you if they are spam (that wasn't quite the wording Gmail used, but it's not hard to imagine it happening). You see an email that says 'PayPal Support' and you're going to click on it (after all, users are trusting... that's why phishing works in the first place). This could cause a lot of problems (maybe this is why the idea of showing the key for "super-trustworthy" domains came along even). So Gmail responds by introducing this key icon... and when you look at it this way, it almost seems required. Yet it was this introduction that made the filtering more evident to people and which prompted the comment that sparked this blog post.

So, back to the original question... is filtering spam and phishing emails the same as censoring email? I definitely don't think so. I applaud Gmail for making an effort to limit the spam that appears in a person's inbox (if only they were filtering my personal and work email :) ). However, I disagree with their approach and I see two problems with it.

The first is that they waited over a year between filtering email and providing verification for valid email. This could have led to many cases like the scenario I described above, and since the feature is only in Labs, not everyone will use it and it could lead to many, many more cases like that.

The second is that they filter anything not signed via DKIM from ebay.com/paypal.com. After reading about this I went and set up DKIM on my server to get a better understanding of how it works. It requires trust in two protocols that can't necessarily be trusted, SMTP and DNS. What happens when eBay/PayPal have a DNS issue and restart DNS and it doesn't start immediately... how many potentially valid emails could be dropped? What happens if someone gets it in their heads to attack Gmail with DNS Cache Poisoning? What if someone at eBay/PayPal adjusts a mail server rule and the DKIM header stops being sent?

It's entirely possible that this email is "super-trustworthy" because workarounds have been implemented for every issue I've mentioned above, but that still doesn't protect users that don't have the key icon yet. At this point, I guess the best we can hope for is that this feature spends very little time in Labs before being implemented across Gmail.

So in the end... (Spam|Phishing) Filtering != Email Censoring and we should be thankful for it, not fighting it.

Categories: IT

SSH Brute Force Attempts

Quite a while ago I modified an instance of sshd to log the client version and password for every attempted login. I then set it listening on a separate interface that I never log into. I finally got a chance to parse the logs (3 grep lines to dump data from the auth logs and 27 lines of python to generate a CSV to load in excel). The result was 12,214 attempts from 27 different source addresses.

The top 10 offending IPs were (the total is the sum of these 10):

Source IP         Attempts
209.160.20.243        2752
211.144.121.116       2153
89.33.253.232         1557
24.72.23.27           1522
203.185.29.143         848
63.219.16.13           689
79.190.88.34           606
212.2.125.67           543
82.207.66.14           357
61.221.41.96           328
Total (top 10)       11355

On the username side, root came in at number one (did anyone not see that coming?) and the top 10 usernames accounted for roughly 1/3 of the attempts (the total is the sum of these 10):

Username   Attempts
root           3336
test            256
admin           165
oracle          123
ts               85
tester           79
nagios           78
tss              77
ts2              75
testing          74
Total (top 10) 4348

I also don't think that there's much of a surprise with the top 10 passwords (the total is the sum of these 10):

Password   Attempts
123456          604
password        369
12345           200
test            179
test123         163
passwd          136
123             114
1234             87
qwerty           71
abc123           59
Total (top 10) 1982

I will most likely post the file going forward or release additional numbers (I'll admit that I'm kinda curious to read through all the usernames used); either way, there will be more data.
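The tallies above came from grep plus a short Python script that is not on the page; as an added example (my own, not the post's script), here is one way to build the same per-IP and per-username counts and the CSV from stock OpenSSH auth-log lines. The log lines are constructed, and because stock sshd never logs the attempted password, only the IP and username counts are reproduced.

```python
# Added example (not the post's own script): tally failed SSH logins from
# standard OpenSSH auth-log lines by source IP and username, and render the
# per-IP CSV the post loaded into Excel. The log lines below are constructed.
import csv
import io
import re
from collections import Counter

# Standard OpenSSH wording for a rejected password; stock sshd does not log
# the password itself, so only IP and username are recoverable here.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample using documentation address ranges; one line is a
# successful key login that the parser must ignore.
SAMPLE_LOG = """\
May  3 02:11:07 bastion sshd[4021]: Failed password for root from 203.0.113.5 port 40122 ssh2
May  3 02:11:09 bastion sshd[4021]: Failed password for root from 203.0.113.5 port 40122 ssh2
May  3 02:11:12 bastion sshd[4023]: Failed password for invalid user test from 203.0.113.5 port 40131 ssh2
May  3 02:12:40 bastion sshd[4030]: Failed password for invalid user admin from 198.51.100.9 port 51820 ssh2
May  3 02:12:41 bastion sshd[4030]: Failed password for root from 198.51.100.9 port 51820 ssh2
May  3 02:13:00 bastion sshd[4033]: Accepted publickey for deploy from 192.0.2.20 port 22022 ssh2
May  3 02:13:05 bastion sshd[4035]: Failed password for invalid user oracle from 203.0.113.5 port 40140 ssh2
"""


def parse_failures(lines):
    """Yield (ip, user) for every failed-password line; skip everything else."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def tally(lines):
    """Return (attempts_by_ip, attempts_by_user, total_attempts) for the log."""
    by_ip, by_user = Counter(), Counter()
    for ip, user in parse_failures(lines):
        by_ip[ip] += 1
        by_user[user] += 1
    return by_ip, by_user, sum(by_ip.values())


def top_n(counter, n=10):
    """Top-n (key, count) rows plus the sum of those rows, like the post's table total."""
    rows = counter.most_common(n)
    return rows, sum(count for _, count in rows)


def to_csv(counter, header):
    """Render a Counter as CSV text (key, count), highest count first."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    for key, count in counter.most_common():
        writer.writerow([key, count])
    return buf.getvalue()


if __name__ == "__main__":
    ips, users, total = tally(SAMPLE_LOG.splitlines())
    print(f"{total} failed attempts from {len(ips)} source addresses")
    print(to_csv(ips, ["source_ip", "attempts"]))
```

Point `tally()` at an open /var/log/auth.log (or `journalctl -u ssh` output) instead of SAMPLE_LOG to run it over real data.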

Categories: IT

How Important is an IP Address?

There's an interesting post on VitalSecurity.org by paperghost. He's talking about a feature in Gmail that allows you to see all IP Addresses logged into your Gmail account and even sign out all other users. He has two interesting thoughts in the article: that there's now a privacy concern if an attacker is in your account, and that password protecting this information may be a valid countermeasure. The second thought is disregarded in the same sentence on the basis that the attacker has the password, however if you're the victim of sidejacking, perhaps this is the perfect defense.

I want to discuss the other point... that it's time to be paranoid, throw up the proxies and worry that your IP is being stored. I wonder if your IP Address is even an important piece of information these days? I'd prefer if not everyone knew my IP but at the same time, does it matter?

We mask packet captures because quite often those contain private IPs that could contain information on infrastructure and available resources. After all, a host named dc.example.com or exchange.example.com probably tells you its exact function. Should we worry as much about public facing IPs?

Let's picture the attacker and the victim. The victim is likely to log in from one of four places... Work, Home, Mobile, Free Wifi. Let's take a look at each of these.

Work - The attacker has access to your email and quite possibly targeted you. This means they're likely to know where you work. A simple search on a site like ARIN Whois will tell me all the public facing IPs... Sure this may speed things up... but I'm an attacker, I've got more than enough time.

Home - How often is your home IP targeted by an individual these days? Sure it may be scanned by bots and sure you may be targeted by malware, but an individual attacker? Unless they really want something specific from you, your home IP doesn't matter to them. Even if they do want it, having it shouldn't help them, a simple home router for $39.95 from Best Buy is going to keep those open ports from facing the internet.

Mobile - Since this is probably a NAT'ed IP Address what are they going to get... your cell provider?

Free Wifi - The attacker may now know where you are located if you are out and about, but twitter, Facebook and everything else under the sun already tells them that information.

So is an IP Address important private information these days? Maybe if you're breaking the law... but otherwise I don't think it matters.

I fully support the idea of adding password validation to the details section (perhaps even a different password than your login) but I definitely wouldn't want the feature going away... I love it.

The bigger issue will probably come when you can assign names to sessions ( and have it link that IP to the session for future ease of use). If your spouse happens to log in and sees another session open and it doesn't have 'Office' next to it like your previous ones, especially after you said you were going to be working late... well then you might have problems.

Categories: IT

Who Will Use Microsoft Security Essentials?

Randy Abrams (who's a great guy to share a beer with if you ever have the chance) of ESET briefly mentioned the impact that Microsoft Security Essentials (MSE) will have on the AV market in a blog post a couple of weeks ago.

A commenter mentioned that MSE meant that his father would now install AV. Randy's response was to question whether he would, given that there are already free AV offerings available.

This got me thinking about when I stopped using AV on my home systems. I was a huge AVG 6 fan, I recommended it over everything and was fairly certain it was the best AV available to the end user. Minimal footprint, good results and not intrusive. The day that AV died for me was the day AVG 7 came out. I wasn't a fan that support for my product was discontinued and that it wouldn't autoupdate. I had to download the new version and install it, I also had to register for a serial. That wasn't free anymore, I had to provide my email address to a spam database. I did indeed download and install AVG 7, it had a larger footprint and I noticed an increase of spam (this could be coincidence but I don't believe in coincidences). I uninstalled it less than two weeks after installing it and decided to go without AV.

It was at this point that the real problem occurred to me. I had set up the computers of many of my family members and on every one I'd installed AVG and set it to auto-update. They were now without AV protection. I wasn't in the same city as many of them, so I had to walk them through the upgrade on the phone (a very painful process for anyone who's ever tried it).

Why does this story matter? If there's one thing that Microsoft is good at... it's pushing updates. I, for one, will install MSE on the systems of all my family members that ask for assistance and recommend it to anyone that asks for a good, free AV solution. I may even recommend it to those willing to pay (I've always found most of the other offers in commercial AntiMalware suites to be unnecessary) if I have a good experience using it. I know that as long as the software exists they will have updates and ease of use (Microsoft is good at both in my opinion).

So in the end I actually think that MSE will steal a large chunk of the AV market, however they'll steal it from the other free vendors (AVG, Avast, etc)... the commercial vendors won't have to worry for a long, long time.

Terminology Woes

Tonight I started thinking that one of the biggest problems affecting IT today is the lack of a clearly defined terminology (both terms and acronyms). Sure certain things have had standardization (CPE comes to mind as a great example) but generally terms are not common across the board. Let's consider a few examples.

VM - Do I mean Vulnerability Management or Virtual Machine? Depending on the industry it could mean either or both.
FP - Do I mean Fingerprint or False Positive? Again, the industry dictates the meaning or both meanings.

There was a period of time where people referred to Cross Site Scripting as CSS... occasionally I still see it places. How about RE? I'm sitting here looking at the spine of 'Reverse Engineering Code with IDA Pro'. The spine says 'RE Code with IDA Pro' but RE commonly refers to regular expressions as well. The list goes on and on, and I think it is a problem that hurts us across the industry. Now miscommunication may not occur because there's generally context around the term but it can happen. I think the bigger issue is misrepresentation outside of the industry. This could be outside of IT, or could be within disciplines of IT.

Take, for example, this blog post on the SecuriTeam blog. The title is 'Mysql authentication bypass'. I was rather excited when I saw the title in my feed reader, I thought that someone had found a way to bypass authentication and access the MySQL database directly. It turns out this wasn't the case. Instead it was talking about a method of SQL Injection that will bypass many filters/IDS and works only against MySQL, it was also a discussion that was 6 months old. A comment pointed out that this wasn't a MySQL Authentication Bypass and I tend to agree, the author disagreed in the comments.

As I see it, an Authentication Bypass is when you are bypassing the authentication process into software or a website. Prefixing it with MySQL leads me to believe we are bypassing the authentication process in mysqld. SQL Injection is so much more than simply bypassing authentication, and at the same time bypassing a filter/IDS is so much less than SQL Injection. The author of the blog post was fairly insistent that he'd titled the post properly, yet I think this is a prime example of terminology failing us.

Is there a way for us to work around this issue, or will it always exist?

Categories: IT

Gmail Lab’s Reply-to-All

I don't know about everyone else, but I tend to hit 'Reply to All' much more frequently than just Reply. So when the Gmail labs feature to make 'Reply to All' the default became available, I was rather excited. It isn't much (a simple click on a drop down) but it made life more convenient and I rather enjoyed it. The other day I replied to an email intended for 4 people and realized that I'd sent it only to the person who sent the last email in the thread. Confused, I went back into the thread and replied again; only this time did I realize that Reply was the default and not 'Reply to All'.

I searched Labs and discovered that the feature was gone, after some googling I came across this link. It contains a very minimal comment stating that it was removed because it was causing issues for people who had enabled it, followed by a series of responses requesting the feature be brought back. Obviously it was working for a number of people, myself included.

Now, I can accept that in my lifetime the beta tag on my Gmail may never disappear and I can accept that adding a Labs feature may break my "Gmail experience". What I don't get is how a feature from Labs could be pulled because it's causing some people a bad user experience? Perhaps those people just shouldn't use it. Let those of us that want to risk the alpha release do so (after all, if Gmail is beta, Labs can only really be considered alpha). I assumed risk when I enabled the feature, I've accepted that... those people who are having issues also assumed risk... let them suffer on their own.

Anyways, this post had two purposes... the first was to inform anyone who hadn't yet noticed that their "Reply to All" feature was gone and second to rant about an alpha feature being pulled.

Categories: IT

What is InfoSec?

When you speak to individuals working in our industry, you'll get a variety of answers for what they do. This near endless list of titles includes:

  • Software Engineer
  • Software Developer
  • Security Engineer
  • Support Specialist
  • Research Engineer
  • Network Admin
  • System Admin

The list goes on and on. Historically, I've divided those within IT into one of four groups:

  • Developer
  • Information Security (IS) Professional
  • Information Technology (IT) Professional
  • Web Developer

These days Web Developer could probably be folded into Developer since there's so much beyond simple HTML used to build web sites. That leaves us with Developer, IS Pro, and IT Pro. I tend to think that that is a fairly reasonable distinction, at a high level with one caveat. IS isn't really on the same level as the other two. Most people that you talk to have experience in either IT or Development when they move into IS. IS is a skillset that's built onto one of those two. Let's look at this another way...

Imagine this is an RPG and you're a Level 1 IT Worker. You can choose the abilities you upgrade and they include "Programming", "Router Config", "OSI Model", etc. The level ups for these may include "C++", "Java", "Routing Protocols", "Routed Protocols". This means you could follow the path of IT Pro, Developer or "Jack of all Trades". It isn't until you reach one of these levels that you unlock the next round of abilities (the IS skills) which may include "Packet Analysis" (requires Routing and Routed Protocols) and "Binary Analysis" (requires "Programming" + 1 Level UP). Only at that point do you move to "IS Pro".

You're probably saying to yourself, "WTF is he talking about?" After all, I'm reading this and thinking that. What I'm talking about is this blog post, 'what do you need to know to work in infosec'. To put it plainly, the list is wrong. Well, the list isn't wrong, the list is correct, but the title is wrong. With the exception of one or two items, this list reads more like a "what do you need to know to be a sysadmin" or "what do you need to know to work at a helpdesk".

Now as I said, IT is a stepping stone to IS, so yes, at one point or another you probably learned many of these if you now work in IS, but these aren't the things you need to know to work in IS, these are the things you need to know to work in IT.

So let's take a look at the 'What you need to know...' list and figure out where the line items fit. If we take the ones you really need to know to work in IS we've got maybe 5-7 items (1, 11, 14, 15, 17, 18 and 19) - I'll let you decide if it's some or all. Let's think about some of the others. Numbers 2-5 are all networking related; I know people in IS who've never touched them... now as a network admin or member of the network group (which would fall under IT) these would be important skills. With numbers 6-9, we're looking at a sys admin or help desk employee (again positions I'd consider to be IT related). Now 10, 12, 13, and 16. These could be argued a few ways but I'm going to call them help desk or support type things and bundle that up into the IT category.

So what's my point? To state that I disagree with a definition of infosec that "needs" all those abilities. Then again, people may even disagree with the 5-7 I felt could be kept. In the end that list is a great list if you want to go get the title of Network Admin or Sys Admin, or even in some cases Security Admin, but even at that, working in an enterprise security group where you may deal with all those tasks (it seems doubtful that you'd rely on the security team to install software though) is one very small aspect of infosec.

Categories: IT, Security

Vendor Snakeoil

One of the coolest booth prizes at RSA had to be from an appliance builder that was having a draw for a free prototype appliance ($2000 value). Thinking this would be an awesome win, I quickly filled out the form and placed it in the fish bowl. That was the last I heard of this until yesterday. I came into the office and had a voicemail from last week. It went something like this (close approximation):

Hi Tyler, it's Ed ******** calling from MBX Systems. I just wanted to let you know that we drew your name for the RSA drawing and it would be great if you could give us a call back to go over the details.

Now at this point I'm rather excited... I've got plans for this win. I'm thinking ComputerDefense.org appliance installed in a rack somewhere instead of a hosted page for this blog. I call back and end up having to leave a voicemail. After a brief game of phone tag, I finally get Ed on the phone. He does some standard sales guy talk and then asks how he can meet my needs, and since I just want my free system that I won, I ask how it works. At this point I'm informed that someone else won the free prototype... I've won a free eval! W00T! Stop the presses... a FREE eval! Needless to say the phone call quickly ended.

This was, to date, the sneakiest trick I've seen to get someone on the phone. At this point I may not be directly involved in appliance purchasing but I'm a big fan of the vendor space and who knows where I'll be in 1, 5 or even 10 years. I do, however, know who I won't be doing business with.

You know, if I'd won and their systems were half as good as their marketing material claims, I probably would have written up a blog post praising them... at the very least they would have gotten positive mention just because I'd won it. Since I didn't win, they could have not contacted me or gone with a standard sales call and I wouldn't have had anything bad to say about them; at least I'd know the name should I ever be in the position to purchase appliances in the future. Instead they took this sleazy approach and now I'm going to always know who I'm not doing business with.

Categories: IT