Archive for the ‘Security’ Category

ZF05 and Pentesting

July 31, 2009

I’m sure you’ve heard about the release of the new ZF05, most likely because of their hack of Dan Kaminsky’s and Kevin Mitnick’s web pages. Here’s an interesting quote:

The very concept of “penetration testing” is fundamentally flawed. The problem with it is that the penetration tester has a limited set of targets they’re allowed to attack, while a real attacker can attack anything in order to gain access to the site/box. So if a site on a shared host is being tested, just because site1.com is “secure” that does NOT in any way mean that the server is secure, because site2.com could easily be vulnerable to all sorts of simple attacks. The time constraint is another problem. A professional pentester with a week or two to spend on a client’s network may or may not get into everything. A real dedicated hacker making the slog who spends a month of eight hour days WILL get into anything they target. You’re lucky if it even takes him that long, really.

Well, he’s obviously right; there is no point arguing with that. Given enough time, an attacker can gain access to pretty much anything. No serious and reputable security company will tell you that after their penetration test you will be perfectly secure. However, here are a couple of reasons why I think that pentesting (or code audits, or whatever) is still relevant and useful:

  • There are no alternatives. What are you supposed to do? Put a white flag with your root password on it on your web page and surrender?
  • Even if a pentest only found a single vulnerability, the target system is still a little more secure, and a script kiddie might not be able to compromise it.
  • Most attacks come from weak hackers anyway. For your average web page it’s enough to close the most obvious flaws.
  • If you’re not hacked within a couple of hours, the attacker might move on to your neighbor.

Given how many completely insecure systems exist out there, and how few of them are actually hacked, I think you’re doing pretty well if a penetration test was able to locate and remove the most obvious flaws. However, someone who really, really wants to get on your system, will. If you unplug your system, he might just get in bed with the secretary to get to your data.

DNS Amplification DoS Attacks

July 30, 2009

Yes, I know: It’s been a while. A long while. I’m back for now, but have no idea how often I will get to post new articles. Currently, work gets the better part of me. Family gets another big chunk. Then I have this idea for a web page which I’m currently developing… All in all, I’m pretty busy. Nevertheless I’d love to keep on blogging a bit, since I learned so much during the time I did it, simply by researching my articles and looking for things to write about.

Anyhow, I recently read about this DoS attack involving DNS amplification (unfortunately I can’t find the link at the moment). I found this a really interesting concept and quite a danger for UDP services. The attack works because it is possible to send a relatively small request packet to a DNS server and receive a relatively large answer packet.

Since DNS works over UDP, an attacker can easily spoof his source address. By doing so, the (large) DNS response is delivered not to the attacker but to an arbitrary address of the attacker’s choice. By using multiple DNS servers, a small number of hosts just doing DNS requests with forged source addresses can cause quite some load on the victim’s server. And there’s nothing the victim can do about it, apart from contacting the upstream provider and having them block the offending DNS servers.

Luckily, this only works for UDP services, but still…
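To make the mechanism above concrete from the victim’s side, here is an added example (my code, not from this post) that looks for reflected DNS traffic in flow records: a response from UDP port 53 that arrives at a host which never sent a query to that resolver is unsolicited, and the ratio of those response bytes to the size of the spoofed queries the attacker had to send is the amplification the victim is suffering. The flow records, the assumed 60-byte query size and the reporting threshold are constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
"""Detect DNS reflection traffic in flow records (added example).

A reflected response arrives from UDP/53 at a host that never sent a query to
that resolver.  Summing such unsolicited bytes per destination and dividing by
the size of the spoofed queries the attacker had to send estimates the
amplification the victim sees.  All flow records below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed sample: one legitimate lookup and its answer, four reflected
# responses aimed at 203.0.113.10 from three resolvers it never queried, and one
# unrelated TCP flow that must be ignored.
SAMPLE_FLOWS: List[Flow] = [
    Flow("192.0.2.5", 40001, "198.51.100.1", 53, "udp", 60),
    Flow("198.51.100.1", 53, "192.0.2.5", 40001, "udp", 180),
    Flow("198.51.100.1", 53, "203.0.113.10", 3333, "udp", 3000),
    Flow("198.51.100.2", 53, "203.0.113.10", 3333, "udp", 2900),
    Flow("198.51.100.3", 53, "203.0.113.10", 3333, "udp", 3100),
    Flow("198.51.100.1", 53, "203.0.113.10", 3333, "udp", 3000),
    Flow("203.0.113.10", 44444, "198.51.100.9", 80, "tcp", 500),
]


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / query_bytes


def detect_reflection(flows: Iterable[Flow], query_bytes: int = 60,
                      min_bytes: int = 10_000) -> Dict[str, dict]:
    """Per-victim statistics for unsolicited DNS responses.

    query_bytes is the assumed size of one spoofed query (constructed value);
    min_bytes suppresses stray single responses that are probably just noise.
    """
    flows = list(flows)
    # (client, resolver) pairs for which an outbound query was actually seen
    queried = {(f.src, f.dst) for f in flows if f.proto == "udp" and f.dport == 53}

    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "resolvers": set()})
    for f in flows:
        if f.proto != "udp" or f.sport != 53:
            continue
        if (f.dst, f.src) in queried:
            continue  # a response the destination asked for
        s = stats[f.dst]
        s["bytes"] += f.nbytes
        s["packets"] += 1
        s["resolvers"].add(f.src)

    report = {}
    for victim, s in stats.items():
        if s["bytes"] < min_bytes:
            continue
        report[victim] = {
            "bytes": s["bytes"],
            "packets": s["packets"],
            "resolvers": sorted(s["resolvers"]),
            # the attacker sent one small query per response the victim received
            "amplification": amplification_factor(query_bytes * s["packets"], s["bytes"]),
        }
    return report


if __name__ == "__main__":
    for victim, r in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {r['bytes']} bytes in {r['packets']} responses from "
              f"{len(r['resolvers'])} resolvers, about {r['amplification']:.0f}x amplification")
```

The matching is deliberately coarse (client and resolver address only, no port or transaction ID), which is what aggregated flow export gives you; with packet captures you would match the DNS transaction ID as well. The check also shows where the fix lives: the victim can only observe and report, while the spoofed queries are stopped by source-address filtering at the network they leave, and the reflection by resolvers that do not answer the whole internet.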

DNS Tunneling – Updated Source

March 8, 2008

Alright, since I’ve been asked for the source of my modified OzymanDNS, I have now uploaded it. However, WordPress does not allow me to upload .zip files, so I changed the extension to pdf, even though it’s a zip file. Rename the file before extracting it.

However, let me get a couple of things clear before you use it:

  • It’s a development version and as such not destined for “production” use
  • You should have some Perl knowledge to use it
  • I will not support the code
  • There will be problems if you have multiple DNS servers and some of them support larger packet sizes than others
  • Don’t forget to change Net::DNS::RR::new_from_hash so that it does not remove trailing dots from the packet’s content (yes, I know it would be better to change the code in a way

OK, now that this is clear, I’d like to ask your help. My problem is, I’m not too good with Perl. I ran some tests with Devel::DProf (the Perl profiler) and here are the results:

Total Elapsed Time = 90.94859 Seconds
User+System Time = 57.02859 Seconds
Exclusive Times
%Time ExclSec CumulS #Calls sec/call Csec/c  Name
94.5   53.91 53.976    651   0.0828 0.0829  IO::Select::can_read
1.14   0.648  0.647    582   0.0011 0.0011  Thread::Queue::dequeue_nb
0.76   0.432  0.432  13868   0.0000 0.0000  Net::DNS::presentation2wire
0.67   0.382  1.371    639   0.0006 0.0021  main::reply_handler
0.27   0.152  3.271    639   0.0002 0.0051  Net::DNS::Nameserver::udp_connection
0.26   0.147  0.147  16596   0.0000 0.0000  Net::DNS::Header::AUTOLOAD
0.25   0.145 57.400    651   0.0002 0.0882  Net::DNS::Nameserver::loop_once
0.25   0.140  0.140      1   0.1400 0.1400  threads::create
0.24   0.138  1.870    639   0.0002 0.0029  Net::DNS::Nameserver::make_reply
0.17   0.096  0.154   2553   0.0000 0.0001  Net::DNS::Packet::push
0.14   0.079  0.079    638   0.0001 0.0001  Net::DNS::Header::string
0.13   0.075  0.553   1240   0.0001 0.0004  Net::DNS::RR::data
0.12   0.069  0.069    639   0.0001 0.0001  Net::DNS::typesbyval
0.10   0.059  0.059    639   0.0001 0.0001  IO::Select::handles
0.10   0.059  0.059    639   0.0001 0.0001  Net::DNS::Header::parse

So the program spends almost 95% of its time inside IO::Select::can_read (called by Net::DNS). I have no idea why this takes so long. I think the main speed problem is Net::DNS (even its homepage says that it’s slow). As it seems that the only problem is this single call (for DNS tunneling at least), does anyone know how to make this faster? Alternatively it might be a good idea to implement the server in C (iodine does this; it’s way faster, if you’re interested, but does not work in some cases).
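The tunnel described in this post has a recognisable shape on the wire, so as an added example (mine, not part of the post or of OzymanDNS) here is the defender’s counterpart: scoring a DNS query log per domain for the traits a tunnel produces, namely many unique names under one domain, long leftmost labels carrying near-random data, and record types that can carry payload. The log format (client, query type, name), the thresholds, and the rule that the registered domain is the last two labels are all assumptions made for the example; a real deployment would group by the Public Suffix List.

```python
"""Score DNS query logs for tunnelling indicators (added example)."""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log, one "client qtype qname" per line: five ordinary lookups of
# example.com, then six TXT queries to example.net whose leftmost label carries
# 36 characters of near-random data, the shape a DNS tunnel produces.
SAMPLE_LOG = """\
192.0.2.5 A www.example.com
192.0.2.5 A www.example.com
192.0.2.6 MX example.com
192.0.2.5 A mail.example.com
192.0.2.7 A www.example.com
192.0.2.9 TXT k7f3q9z2m8n4p1r6s0t5v3w7x2y9a4b8c1d6.t.example.net
192.0.2.9 TXT e0g3h7j2k5l9m1n4p8q2r6s0t3u7v1w5x9y2.t.example.net
192.0.2.9 TXT z4a8b1c5d9e2f6g0h3j7k1l5m9n2p6q0r4s8.t.example.net
192.0.2.9 TXT t1u5v9w2x6y0z3a7b1c5d9e2f6g0h4j8k2l6.t.example.net
192.0.2.9 TXT m3n7p1q5r9s2t6u0v4w8x1y5z9a2b6c0d4e8.t.example.net
192.0.2.9 TXT f2g6h0j4k8l1m5n9p2q6r0s4t8u1v5w9x2y6.t.example.net
"""

# Record types with room for a payload in the answer (assumption for the example)
PAYLOAD_TYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname: str) -> Tuple[str, str]:
    """(subdomain, registered domain); registered domain = last two labels (assumption)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", qname.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_query_log(text: str) -> List[Tuple[str, str, str]]:
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line, skip it
        client, qtype, qname = parts
        queries.append((client, qtype.upper(), qname))
    return queries


def profile_domains(queries) -> Dict[str, dict]:
    """Aggregate per registered domain the traits a tunnel exhibits."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "sub_len": 0,
                               "entropy": 0.0, "payload_types": 0})
    for _client, qtype, qname in queries:
        sub, dom = split_domain(qname)
        a = acc[dom]
        a["queries"] += 1
        a["names"].add(qname.lower())
        a["sub_len"] += len(sub)
        a["entropy"] += shannon_entropy(sub)
        a["payload_types"] += qtype in PAYLOAD_TYPES
    profiles = {}
    for dom, a in acc.items():
        n = a["queries"]
        profiles[dom] = {
            "queries": n,
            "unique_ratio": len(a["names"]) / n,     # tunnels rarely repeat a name
            "avg_sub_len": a["sub_len"] / n,         # payload makes labels long
            "mean_entropy": a["entropy"] / n,        # encoded data looks random
            "payload_type_ratio": a["payload_types"] / n,
        }
    return profiles


def flag_tunnels(profiles, min_queries=5, min_unique=0.8,
                 min_len=25, min_entropy=3.5) -> List[str]:
    """Domains whose profile crosses every threshold (thresholds are assumptions)."""
    return sorted(dom for dom, p in profiles.items()
                  if p["queries"] >= min_queries and p["unique_ratio"] >= min_unique
                  and p["avg_sub_len"] >= min_len and p["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    profiles = profile_domains(parse_query_log(SAMPLE_LOG))
    for dom, p in profiles.items():
        print(dom, {k: round(v, 2) for k, v in p.items()})
    print("suspected tunnels:", flag_tunnels(profiles))
```

Every threshold is a starting point to tune against your own resolver logs: content delivery networks and some anti-spam services also generate long, high-entropy names, so the combination of traits and the per-domain query volume carries more weight than any single number.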

Picture of Harley by ZakQ100

ISMS Implementation I – Know What to Expect

March 8, 2008

[This is the first part of a series of postings about the implementation of an information security management system (ISMS). Also have a look at the introductory article.]

One of the major factors for a successful implementation of an ISMS is to know what you have to expect. The worst thing that can happen to you is that midway through the implementation you notice that an ISMS according to ISO 27001 is not what you want, is too expensive or requires too many resources to operate.

First of all, try to reflect on why you want an ISMS at all. Depending on what role you occupy within your company, the reasons might be quite different. If you’re responsible for (information) security, you might have been told to do so. Or you might want an ISMS on your own account in order to adequately protect the information you are responsible for. If the latter is the case, you will need to get management support. This is one of the most important factors for a successful ISMS. It’s one of the standard’s requirements – but the real reason is that operating an ISMS requires resources. And lots of them.

On the one hand, you will need money to implement controls and information security safeguards. On the other hand – and more importantly – you will need a lot of your coworkers’ time. It’s important to note that an ISMS is not something a single person can implement. Actually the role of the security manager is to coach everyone and manage the project. Most information (e.g. for the risk analysis) has to be gathered from the managers and employees of the respective departments. Typically the managers are not too keen on spending time on these things. So it is vital to get support from top management.

If you’re from top management yourself, you too need to think about your reasons. Due diligence might be a good reason, however if you only want a(nother) certificate to hang on the wall, I can guarantee that there are easier ways than getting an ISMS. I don’t want to keep anyone from getting certified. However you need to be aware that a functioning ISMS not only needs to be implemented, but also operated. Operation is typically the most difficult part, because the excitement of the project is over.

My recommendation in this phase is to read the standard. If you’re from top management, reading ISO 27001 will suffice. If you’re responsible for security, I suggest you also have a look into ISO 27002 (formerly ISO 17799). I know it’s a boring read (good pillow book if you’re suffering from insomnia), but it will help to determine if an ISMS according to the standard is what you actually want. It will also help you to get a first feeling for how much work it’s going to cause.

Picture of all-seeing eyes by Pulpolux

Firewire Attacks

March 5, 2008

Amazing new research: Attacks via Firewire. Firewire is a type of interface that allows DMA – Direct Memory Access. In order to make access to devices attached via Firewire faster, DMA allows complete access to a computer’s memory.

A problem arises since Firewire devices can be attached even though a computer is locked. By overwriting the right instructions in memory, it is possible to log in with an arbitrary password.

However, this is not the only way the issue can be exploited. Especially in connection with the recently published attacks on hard disk encryption this is extremely critical. While those cold boot attacks require rebooting the system, DMA via Firewire allows an attacker to read a complete memory image while the system is running and locked. After a few minutes the image is copied and the attack cannot be detected at all. The tool “keyfind”, described in the paper by Halderman et al., could easily be used to discover the master keys in such an image. Problems with cold boot attacks like bit decay can be completely disregarded.

So everyone: disable your firewire ports! And while you’re at it: also disable PCMCIA slots and external SATA interfaces. All of those can be used for DMA attacks.
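“Disable your Firewire ports” is easy to say and easy to get half right, so here is an added example (mine, not from the post) of a check for a Linux host: it reports whether the kernel drivers for the Firewire and PCMCIA buses are currently loaded, and whether their host-controller drivers are blocked from loading again on hotplug. It reads the same text you would get from /proc/modules and /etc/modprobe.d/*.conf; the excerpts below are constructed. The module names are the real Linux ones for both the older (ieee1394/ohci1394/sbp2) and the current (firewire_*) stacks; eSATA, which the post also names, uses the ordinary AHCI driver shared with internal disks, so it has to be turned off in the firmware setup rather than by blocking a module.

```python
"""Audit DMA-capable bus drivers on a Linux host (added example, inputs constructed)."""
import re
from typing import Dict, Set

# Kernel module names for the buses the post names.  "controllers" are the
# host-controller drivers; without them the bus cannot operate at all.
DMA_BUSES = {
    "firewire": {
        "modules": ["firewire_core", "firewire_ohci", "firewire_sbp2",
                    "ieee1394", "ohci1394", "sbp2"],
        "controllers": ["firewire_ohci", "ohci1394"],
    },
    "pcmcia": {
        "modules": ["pcmcia", "pcmcia_core", "yenta_socket"],
        "controllers": ["yenta_socket"],
    },
}

# A plain "blacklist foo" only stops alias-based autoloading; "install foo
# /bin/false" (or /bin/true) also refuses an explicit modprobe, so both count.
_BLACKLIST_RE = re.compile(r"^\s*blacklist\s+(\S+)", re.M)
_INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+/bin/(?:false|true)\b", re.M)

# Constructed /proc/modules excerpt: the Firewire stack is loaded.
EXPOSED_PROC_MODULES = """\
firewire_ohci 40960 0 - Live 0xffffffffc0a00000
firewire_core 69632 1 firewire_ohci, Live 0xffffffffc09c0000
ahci 40960 3 - Live 0xffffffffc0900000
"""
# Constructed modprobe.d content: only one driver, and only by blacklist.
EXPOSED_CONFS = {"/etc/modprobe.d/blacklist.conf": "blacklist firewire_ohci\n"}

# Constructed hardened state: drivers unloaded and refused for the future.
HARDENED_PROC_MODULES = "ahci 40960 3 - Live 0xffffffffc0900000\n"
HARDENED_CONFS = {"/etc/modprobe.d/no-dma-buses.conf": """\
install firewire_ohci /bin/false
install ohci1394 /bin/false
install yenta_socket /bin/false
"""}


def _norm(name: str) -> str:
    # the kernel treats '-' and '_' in module names as equivalent
    return name.strip().replace("-", "_")


def loaded_modules(proc_modules_text: str) -> Set[str]:
    """Module names from /proc/modules (first field of each line)."""
    return {_norm(line.split()[0]) for line in proc_modules_text.splitlines() if line.split()}


def blocked_modules(modprobe_confs: Dict[str, str]) -> Set[str]:
    """Modules blocked by modprobe.d files, keyed by path -> file content."""
    blocked: Set[str] = set()
    for text in modprobe_confs.values():
        blocked.update(_norm(m) for m in _BLACKLIST_RE.findall(text))
        blocked.update(_norm(m) for m in _INSTALL_RE.findall(text))
    return blocked


def audit_dma_buses(proc_modules_text: str, modprobe_confs: Dict[str, str]) -> Dict[str, dict]:
    """Per bus: which drivers are loaded, which controllers are still loadable, verdict."""
    loaded = loaded_modules(proc_modules_text)
    blocked = blocked_modules(modprobe_confs)
    report = {}
    for bus, spec in DMA_BUSES.items():
        active = sorted(m for m in spec["modules"] if m in loaded)
        unblocked = sorted(m for m in spec["controllers"] if m not in blocked)
        report[bus] = {"loaded": active, "unblocked_controllers": unblocked,
                       "ok": not active and not unblocked}
    return report


if __name__ == "__main__":
    print("exposed :", audit_dma_buses(EXPOSED_PROC_MODULES, EXPOSED_CONFS))
    print("hardened:", audit_dma_buses(HARDENED_PROC_MODULES, HARDENED_CONFS))
```

On a real host, feed it the contents of /proc/modules and of every file under /etc/modprobe.d. The verdict deliberately follows the post’s advice, treating a bus as off only when its driver cannot load; a host that keeps the drivers and instead confines device DMA with an IOMMU needs a different check.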

Picture of fire by Millzero Photography

Introduction

March 2, 2008

This is an experiment. What I’d like to do is write a new series of posts about implementing an ISMS according to ISO 27001.

This is going to take a while. I’d like to write about the implementation in real time, or at least near real time. That means that I’ll wait between posts until the things I write about can be actually done. I hope to be able to post approximately one article per week, but there will be weeks without a posting, if things take longer (e.g. conducting a risk analysis). I’m currently helping a customer build an ISMS for their organization. So that will help me to get the timing right.

My intention is for this to become a group effort. I’ll post my opinions about the requirements of the standard and a functioning ISMS. However, I’d love to have readers post their opinions and views on the topic. I hope to finish the first posting by the end of the week.

Picture of shaking hands by Jeff Bauche

Temptation and Security

March 2, 2008

Ahhhh. We recently made an amazing discovery in our company, and I am so tempted to write about it here. But it would be absolutely unfair and inappropriate. Also, it would cost my anonymity, which I value a lot. But it’s sooo cool, I can’t wait to get it out. (Yes, you can now imagine an angel on one of my shoulders and the devil on the other).

Generally, this seems to be a problem in security. People like to boast, as it is good to be admired by others. It is hard for us to keep things secret. Only when something would make us look silly are we interested in protecting the information.

People also like to be nice to others, so if someone is asked a question, he subconsciously wants to be friendly and answer the question. It is actually really difficult to tell the person: “I know the information, but won’t give it to you”. This is the reason why social engineering attacks work so well.

As a great example, have a look at the DefCon talk by Johnny Long last year on Google Video. The talk is almost an hour long, but take the time, it is definitely worth it. Apart from it being really funny, it shows how people from the audience like to yell out the right answer, even if it’s something you would not want everyone to know.

Picture of tempting cookie by YlvaS

Finally – A Good Nessus Client

February 28, 2008

It’s been a while since my last post, but the week was pretty busy so far. I’m afraid it’s not going to get better soon, so don’t expect much news.

Anyway, I discovered an interesting piece of software last week: NessConnect, an improved client for the security scanner Nessus. The latter is a great auditing tool. Of course it can only discover known vulnerabilities in known software, but still… It’s perfect to quickly see if there are any patches missing or flaws in the configuration of services.

However, the lack of good client software has always been a major pain in the ass. The only one that was at least usable was NessusWX, which was recently discontinued. The current official client for Windows and Linux is crap.

NessConnect is cool for a couple of reasons:

  • you can preview results during the scan
  • scan results are summarized by vulnerability (you can choose level “High Impact”, and a certain vulnerability to see what servers are affected by it)
  • it can import NBE files, so you’re able to use the improved reporting on scans you did with a different client
  • reports are created by XSLT and can therefore be arbitrarily customized
  • it’s open source (as opposed to the Nessus server software itself, which abandoned GPL licensing in 2005)

Things that could be improved:

  • resuming scans should be implemented
  • there’s a small bug with parsing existing NBE files – it sometimes crashes with the message “unparseable date”. However, as it’s open source you can just edit the source and add a try-catch block around the corresponding parsedate function.

Anyways, have a look at it. If you’re doing internal scans, it’s going to make your life easier.
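Two of the points above, the per-vulnerability summary and the crash on an odd date, are easy to show in a small NBE reader, so here is one as an added example (my code, not NessConnect’s). It assumes the pipe-delimited NBE layout that Nessus 2/3 exported: `timestamps|<unused>|<host>|<event>|<date>|` lines and `results|<subnet>|<host>|<port>|<plugin id>|<severity>|<description>` lines, with severities INFO, Security Note, Security Warning and Security Hole. The sample file, its plugin ids and findings are constructed; the date handling returns None and records a warning instead of aborting the import.

```python
"""Parse a Nessus NBE export and summarize findings per vulnerability (added example)."""
import time
from collections import defaultdict
from typing import Dict, List, Optional

SEVERITY_RANK = {"INFO": 0, "Security Note": 1, "Security Warning": 2, "Security Hole": 3}
NBE_DATE_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Thu Feb 28 10:00:00 2008"

# Constructed NBE file: two hosts, three constructed plugin ids, and one
# timestamps line whose date field is deliberately unparseable.
SAMPLE_NBE = """\
timestamps|||scan_start|Thu Feb 28 10:00:00 2008|
timestamps||192.0.2.10|host_start|Thu Feb 28 10:00:05 2008|
results|192.0.2|192.0.2.10|general/tcp|90001|Security Note|Constructed note: service banner recorded
results|192.0.2|192.0.2.10|www (80/tcp)|90002|Security Hole|Constructed hole: outdated web server
timestamps||192.0.2.10|host_end|Thu Feb 28 10:03:00 2008|
timestamps||192.0.2.11|host_start|not a date at all|
results|192.0.2|192.0.2.11|www (80/tcp)|90002|Security Hole|Constructed hole: outdated web server
results|192.0.2|192.0.2.11|smtp (25/tcp)|90003|Security Warning|Constructed warning: relay test
timestamps||192.0.2.11|host_end|Thu Feb 28 10:06:00 2008|
timestamps|||scan_end|Thu Feb 28 10:10:00 2008|
"""


def parse_date(text: str) -> Optional[time.struct_time]:
    """Parsed date, or None for a format the export did not use (no exception)."""
    try:
        return time.strptime(text.strip(), NBE_DATE_FORMAT)
    except ValueError:
        return None


def parse_nbe(text: str) -> dict:
    """Split an NBE file into results, timestamps and a list of import warnings."""
    results, timestamps, warnings = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        kind = line.split("|", 1)[0]
        if kind == "results":
            fields = line.split("|", 6)  # the description may itself contain '|'
            if len(fields) < 7:
                warnings.append(f"line {lineno}: short results line")
                continue
            _, subnet, host, port, plugin, severity, description = fields
            results.append({"subnet": subnet, "host": host, "port": port,
                            "plugin": plugin, "severity": severity,
                            "description": description})
        elif kind == "timestamps":
            fields = line.split("|")
            if len(fields) < 5:
                warnings.append(f"line {lineno}: short timestamps line")
                continue
            host, event, date_text = fields[2], fields[3], fields[4]
            when = parse_date(date_text)
            if when is None:
                warnings.append(f"line {lineno}: unparseable date {date_text!r}")
            timestamps.append({"host": host, "event": event, "date": when})
        else:
            warnings.append(f"line {lineno}: unknown record type {kind!r}")
    return {"results": results, "timestamps": timestamps, "warnings": warnings}


def summarize_by_vulnerability(results: List[dict],
                               min_severity: str = "Security Hole") -> Dict[str, dict]:
    """Plugin id -> severity, affected hosts and ports, for findings at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    by_plugin = defaultdict(lambda: {"severity": "INFO", "hosts": set(), "ports": set()})
    for r in results:
        if SEVERITY_RANK.get(r["severity"], 0) < threshold:
            continue
        entry = by_plugin[r["plugin"]]
        if SEVERITY_RANK.get(r["severity"], 0) > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = r["severity"]
        entry["hosts"].add(r["host"])
        entry["ports"].add(r["port"])
    return {plugin: {"severity": e["severity"], "hosts": sorted(e["hosts"]),
                     "ports": sorted(e["ports"])}
            for plugin, e in sorted(by_plugin.items())}


if __name__ == "__main__":
    parsed = parse_nbe(SAMPLE_NBE)
    for w in parsed["warnings"]:
        print("warning:", w)
    for plugin, e in summarize_by_vulnerability(parsed["results"]).items():
        print(plugin, e["severity"], "on", ", ".join(e["hosts"]))
```

Keeping the date as None rather than dropping the line preserves the host_start/host_end pairing for the other fields, which is what the summary view needs; the warning list gives the user the line numbers to inspect afterwards.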

Picture of CaptPipers Brain on MRI

Hard Disk Encryption Not so Secure as You Might Think

February 22, 2008

Usually I try not to just reiterate what is written elsewhere anyway. But this thing is so hot and amazing that I just have to provide you with a link: New Research Results: Cold Boot Attacks on Disk Encryption.

In a nutshell: Hard disk encryption master keys are stored in DRAM. However according to the research results of Princeton University, DRAM does not lose its content immediately, but rather only after a couple of seconds or minutes. If cooled (e.g. by spraying cooling spray on it), memory content can be preserved for multiple minutes and restored after booting from a malicious operating system.

I strongly recommend you read it for yourself.

Picture of a Hard Disk by cgommel

All Your Illness are Belong to Hackers

February 21, 2008

Have you been to the hospital recently? If so, I hope you were in good hands from a medical point of view. Because chances are, your medical data was not.

Even though there is HIPAA, which addresses some aspects of security and privacy, in the past medical data has been leaked*.

However, the real situation is far worse. Medical equipment like X-ray or CT machines costs loads of money and runs on Windows 98 machines. Manufacturers don’t allow patches to be installed, or otherwise support and warranty will be void. X-ray radiographs are automatically transmitted to electronic medical files via the network. You therefore have machines in the network that are lacking years of security updates. Even a 12 year old would be able to hack into them.

Now the only thing required to get access to all kinds of patient data is a patched network outlet. And you’re in a hospital – everybody can gain access to a hospital. Nobody will ever wonder if there are new faces.

And do you really think a medic gives a damn about security? They do care about availability (yes, lung ventilators should also run during black outs), but confidentiality is – also understandably – pretty low on their list of priorities.

So, all in all we’re fucked. However I do need to admit that I don’t have much use for my privacy if the doc can’t access the data when he needs it because it’s so secure.

* This happened only a few days ago. <sarcasm>I’m so relieved to know that the laptop was password protected, ’cause there is no way around those highly secure Windows passwords.</sarcasm>

Picture of a guy who I hope is up and well in the meantime by drp