RSA 2012 & Security B-Sides San Francisco

December 16th, 2011 (admin)

So I will be heading to San Francisco in February 2012 for RSA, BSides and Metricon. I have submitted two talks to BSidesSF and one to Metricon 6.5. My fingers are crossed for both, as I want to practise my public speaking skills, and what better way than to submit talks. I have already done one this year and I have two booked for next year.

I plan to meet up with some other security tweeps whilst I am there so if you are in town then email me, I am ALWAYS up for a beer.


Security BSides London

January 11th, 2011

Just a quick post to let you all know what I am doing. I am currently organising Security BSides London and this is taking up all my time so all research is on hold at the moment until the event has finished.

Registration is open

Submit a paper here

Learn more about Security BSides London

See you all there.

Categories: BSides London, Conference

Compiling Hydra with LIBSSH for OSX

November 21st, 2010

At the Hack Eire CTF competition at IRISSCon we came across a server which was running both FTP and SSH. As a Mac user I needed a tool to brute force some known accounts with a list of suspected passwords. I downloaded Hydra, which can brute force both protocols. After compiling Hydra and running it against the FTP server it was time to start on the SSH server, but as I hadn’t installed LIBSSH the SSH functionality was disabled.

Before compiling LIBSSH you need to download and install cmake, the build system LIBSSH uses.

This exercise was completed with the following versions:

cmake – v2.8.3
LIBSSH – v0.4.6
Hydra – v5.8

Compiling LIBSSH (run from the extracted LIBSSH source directory)

    mkdir build
    cd build
    cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=Release -DWITH_LIBZ=OFF ..

If the build then fails with the following linker output, you need to make a change to the source code (see LIBSSH Code Change below):

Linking C shared library libssh.dylib
Undefined symbols:
“_environ”, referenced from:
_environ$non_lazy_ptr in socket.c.o
ld: symbol(s) not found
collect2: ld returned 1 exit status
make[2]: *** [libssh/libssh.4.1.3.dylib] Error 1
make[1]: *** [libssh/CMakeFiles/ssh_shared.dir/all] Error 2
make: *** [all] Error 2

If the cmake step was successful then you need to build and install the library:

    make install

If the cmake step is successful it ends with output like the following, and make install then completes without errors:

-- Generating done
-- Build files have been written to: /foo

If you get the following instead, run make install as root using sudo:

Maybe need administrative privileges.

LIBSSH Code Change

Edit line 694 of socket.c.

Change the following line:

    execve(args[0],(char * const *)args,(char * const *)environ);

To this:

    execvp(args[0],(char * const *)args);
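The linker error above appears because OSX does not make the `environ` symbol available to code built into a shared library; Apple's supported way to reach the environment from a dylib is `_NSGetEnviron()` from crt_externs.h. Since `execvp` passes the calling process's environment implicitly, the swap above gives the child the same environment that `execve(..., environ)` would have; the one behavioural difference is that `execvp` searches `PATH` when the command name contains no slash. Below is an added example (not code from LIBSSH or Hydra) showing that accessor next to the plain `extern char **environ` used on other systems, and using it to spawn `/bin/sh` with either the inherited environment or a deliberately minimal one. The `HYDRA_DEMO` variable, the `demo()` function and the names `portable_environ`, `env_lookup` and `run_with_env` are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifdef __APPLE__
/* On OSX 'environ' is not available to code in a dylib; Apple provides this accessor instead. */
#include <crt_externs.h>
#define PROCESS_ENVIRON (*_NSGetEnviron())
#else
/* On Linux and other POSIX systems the symbol can be referenced directly. */
extern char **environ;
#define PROCESS_ENVIRON environ
#endif

/* Return the calling process's environment block in a form that links on both platforms. */
char **portable_environ(void) {
    return PROCESS_ENVIRON;
}

/* Find NAME in an environment block of "NAME=value" strings; returns the value or NULL. */
const char *env_lookup(char *const *envp, const char *name) {
    size_t n = strlen(name);
    for (; envp != NULL && *envp != NULL; envp++) {
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    }
    return NULL;
}

/* Run argv[0] (a full path) with an explicit environment via execve.
   Returns the child's exit status, or -1 if it could not be started. */
int run_with_env(char *const argv[], char *const envp[]) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);              /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed demonstration: the same shell test passes when the child inherits
   our environment and fails when it is given a minimal one without HYDRA_DEMO.
   Returns 1 when both runs behaved as expected, 0 otherwise. */
int demo(void) {
    setenv("HYDRA_DEMO", "present", 1);
    char *argv[] = { "/bin/sh", "-c", "test \"$HYDRA_DEMO\" = present", NULL };
    int inherited = run_with_env(argv, portable_environ());   /* expect exit 0 */
    char *minimal[] = { "PATH=/usr/bin:/bin", NULL };
    int stripped = run_with_env(argv, minimal);               /* expect exit 1 */
    return inherited == 0 && stripped == 1;
}

int main(void) {
    return demo() ? 0 : 1;
}
```

The explicit-environment form is the one to keep when a library spawns helper commands on a user's behalf, because it lets the caller decide exactly what the child sees rather than inheriting everything.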

Now that you have LIBSSH compiled and installed you need to recompile Hydra.

Recompiling Hydra

    ./configure

Make sure that LIBSSH support has been detected:

Checking for libssh (libssh/libssh.h) ...
... found

    make -B
    make install

Test that it works correctly:

    ./hydra -l root -p root 192.168.0.1 ssh2

Tada

Hack Eire

November 19th, 2010

Hack Eire is Ireland’s only capture the flag competition for hackers. Held every year at the IRISSCon event in Dublin, it is free to attend and open to all. The conference itself is the brainchild of Ireland’s one and only Brian Honan.

I have to thank Mark Hillick and the Hack Eire team for putting together a superb CTF competition. Some really good real(ish) world hacking challenges. I can certainly say that the amount of time the guys spent on putting this together really shows.

There were some last minute changes to team membership etc. and I ended up teaming up with some friends. Our team name... 5CHF (5 Swiss Francs). There is a long story to this but suffice to say some things happened when attending another conference in Switzerland called Hash Days.

The Hack Eire team put in some nice red herrings, and in combination with some faulty systems, power problems and slight cheating by one team (you know who you are) we spent 7 hours wading through the challenges. If I can give any advice to anyone thinking of competing at any of these events: DO NOT attempt them if you have been out drinking till 4am the night before. 4 hours sleep does not induce the optimal thinking condition of the human mind. Also, come up with a plan. Assign roles to team members (who does the recon? etc.). Ensure you have a good mix of skills in your team, like reversing, web app testing and coding.

So our motley band of 4 players set about the challenges. The organisers had created a list of questions which if answered correctly proved that you had completed a challenge. The challenges themselves were split into the following:

    Packet analysis with stego
    Various hacker related questions
    Really challenging packet analysis
    Web app pen test
    3 x network/server pen tests

Overall, we placed 2nd, only 1% behind the winning team. Congratulations to the winning team, who by the way have won for the 2nd year in a row. I look forward to seeing you all next year at the competition.

Categories: Conference, CTF, Hack Eire, IRISSCon

Hashdays

November 8th, 2010

I have just got back from what I consider the best security conference of the year. Organised by the DefCon Switzerland guys, Hashdays was a two day, two track security conference held in Luzern (Lucerne), Switzerland.

For me the highlights were a drunk Irishman falling asleep in the night club toilet and a certain incident involving a brothel; maybe nightclub in German means brothel in Swiss German?

Some great talks from some really talented researchers, some of whom I had never heard of. The main highlights for me were the following:

OsmocomBB by Harald Welte – Open source baseband GSM stack
Busting Phone Encryption by Karsten Nohl – Needs no description
Helios by Stefan Buhlmann – Excellent dynamic code analysis tool
Detecting Hardware Keyloggers by Fabian Mihailowitsch – Great insight into the hardware used by keylog vendors

Big respect to the organisers who had everything organised to perfection, I think that will be the German in them.

See you next year.

Categories: Conference, Hashdays

Fuzzing FTP Servers

September 12th, 2010

Sad as it is, I had no plans for the bank holiday weekend. The weather wasn’t great and I wasn’t very motivated to do anything outside the house (I think they have a name for that, agoraphobia?). I fired up VMWare Fusion, installed XP, downloaded a shed load of FTP servers and started fuzzing. Let me just state now that I am no expert fuzzer; in fact the purpose of this post is to report not only the final results but also the journey that I took to get there.

I had two choices open to me: write my own fuzzer or use something off the shelf. Well, I wanted results quickly so I picked the Infigo FTP Stress Fuzzer and dusted off trusty old Metasploit.

FTP Servers Tested

    smallFTPd
    FTPdmin
    Quick n Easy FTP Server
    Xlight FTP Server
    WingFTP Server
    Golden FTP Server
    Sysax FTP Server
    Cerberus FTP Server

So what are you actually testing?
To start with I just wanted to see how susceptible the servers were to crashing when provided with dubious data. It was only after actually doing the testing that I realised I hadn’t really set an objective. This led to me only really testing the servers’ ability not to crash.

Limitations
When fuzzing, the biggest limitation is time. There is an infinite number of combinations of commands and parameters which can be sent to the FTP server.

Of the two fuzzers I used neither looked at the server responses. If I was looking for directory traversal or authentication bypass attacks I would have to use a different tool or code something myself.

Conclusions
1 – You have to define the objective of your fuzzing. Is it to find an exploit for remote code execution or DoS, or to find an authentication bypass vulnerability?
2 – The majority of the servers I tested were fairly robust.
3 – There was lots of inconsistency with regards to implementing the FTP RFC.
4 – There was a massive difference in the specific commands which the FTP servers implemented.
5 – Most of the servers would drop connections if an invalid command was entered rather than producing an error message.
6 – Overall the testing took a lot of time.
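A fuzzer that does look at the server’s replies (the gap noted under Limitations) needs to parse them first. The following is an added example, not code from either fuzzer used above, that classifies what a server sent back to a single bogus command: nothing at all (the connection was dropped, the behaviour described in the conclusions), a malformed line, an RFC 959 error reply (4yz or 5yz, which is what a conformant server should answer an unknown command with), or a success reply. It handles the multi-line reply form ("ddd-" ... "ddd "). The server names, the XYZZY command and the responses in `samples` are constructed for the illustration, not results from the servers listed above, and the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* What a server did in reply to one probe command. */
enum ftp_outcome {
    FTP_DROPPED = 0,   /* no bytes at all: the socket was closed instead of a reply */
    FTP_MALFORMED,     /* bytes that are not an RFC 959 reply */
    FTP_ERROR_REPLY,   /* 4yz or 5yz: the conformant answer to an unknown command */
    FTP_OK_REPLY       /* 1yz, 2yz or 3yz */
};

/* Return the 3-digit code of a complete reply, or -1 if it is not well formed.
   Handles multi-line replies: "ddd-first line" ... "ddd last line". */
int ftp_reply_code(const char *reply) {
    if (reply == NULL || strlen(reply) < 4)
        return -1;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)reply[i]))
            return -1;
    int code = (reply[0] - '0') * 100 + (reply[1] - '0') * 10 + (reply[2] - '0');
    if (reply[3] == ' ')
        return code;                    /* single-line reply */
    if (reply[3] != '-')
        return -1;
    /* multi-line: the terminating line must repeat the code followed by a space */
    char terminator[5] = { reply[0], reply[1], reply[2], ' ', '\0' };
    const char *line = reply;
    while ((line = strchr(line, '\n')) != NULL) {
        line++;
        if (strncmp(line, terminator, 4) == 0)
            return code;
    }
    return -1;                          /* never terminated */
}

/* Classify the raw bytes received after sending one command. */
enum ftp_outcome classify_response(const char *reply) {
    if (reply == NULL || reply[0] == '\0')
        return FTP_DROPPED;
    int code = ftp_reply_code(reply);
    if (code < 0)
        return FTP_MALFORMED;
    return code >= 400 ? FTP_ERROR_REPLY : FTP_OK_REPLY;
}

/* Constructed sample: what four imaginary servers sent back to the same bogus command. */
struct probe { const char *server; const char *command; const char *response; };
static const struct probe samples[] = {
    { "server-A", "XYZZY", "500 Syntax error, command unrecognized.\r\n" },
    { "server-B", "XYZZY", "" },                                          /* closed the socket */
    { "server-C", "XYZZY", "502-Command not implemented.\r\n502 Try HELP.\r\n" },
    { "server-D", "XYZZY", "Go away\r\n" },                               /* not an FTP reply */
};

/* Print one line per server and return how many answered with a proper error reply. */
int count_conformant(void) {
    static const char *names[] = { "dropped connection", "malformed reply",
                                   "error reply", "success reply" };
    int conformant = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum ftp_outcome o = classify_response(samples[i].response);
        printf("%s %s -> %s\n", samples[i].server, samples[i].command, names[o]);
        if (o == FTP_ERROR_REPLY)
            conformant++;
    }
    return conformant;
}

int main(void) {
    printf("%d of %zu servers answered an unknown command per RFC 959\n",
           count_conformant(), sizeof samples / sizeof samples[0]);
    return 0;
}
```

Wiring `classify_response` to a real socket read is the only missing piece; the value of doing so is that a run then records RFC deviations and dropped connections per command, which is exactly the information the crash-only approach above threw away.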

Categories: FTP, Fuzzing

One Small Success For Social Media

September 3rd, 2010

As a customer of a large web hosting company I expect a certain level of security. With this assumption I used their web mail service for months without actually validating the level of security they offer for this service. One cloudy day I just happened to be looking through my browser history and what do I see? My username and password in the URL string.

HTTP://www.company.com/login.php?account=foobar@foobar.co.uk&password=Password1234

Absolutely astounded that in 2010 the password is sent as part of the URL, clearly visible to anyone with access to the browser history (and, for any GET request, to web server access logs and proxy logs as well), I tweeted something like “#company = #securityfail password in the URL, please!”. With this out there on Twitter, not knowing who might respond, within minutes the web hosting company responded and asked that I email them my issue and they would follow it up.

With nothing to lose I wrote up a quick statement on how SSL should be the standard and the password should never be in the URL, and fired it off to the social media representative. With that done I went back to the daily grind, forgetting that I ever sent the email.

Several days later I got a response from the social media rep stating that they had changed the code of the web mail system so that the URL does not contain the password. So here I am writing this blog post thinking that maybe social media isn’t a complete waste of time and that some companies do care.

As for the security of the web mail system, they still don’t use SSL on the login page and the password is passed in the clear in the HTTP request body. Web hosting provider... must try harder next time.

Categories: Hosting, Mail, Security Fail, Social Media, Web

Bad website design – surely not, it’s 2010

August 15th, 2010

So here it goes, a rant about bad website design. People, it’s 2010, why oh why oh why have you not sorted out your web forms.

So I regularly purchase stuff off the Internet, so I am used to filling in web forms regarding payment details, and I noticed that still to this day, some 20 years after the invention of the WWW, very few websites actually have intuitive web forms. The rest of the website is usually some flashy piece of work, however I am still bugged by the same issues.

Country
Why do you insist on giving me a list of 200 freaking countries to sort through? Do you think you could detect where I am browsing from and maybe auto-populate that in the list control, perhaps somewhere near the top? With the rise of geo-location software you can, but you can’t be bothered. You don’t consider this part of the user experience. By the way, does anyone from Afghanistan buy from your website?

I Live in London London
This is one that annoys me the most. All you UK developers, I live in London, why on earth do you insist on me providing a county? London is not in any county. On a few occasions I have been restricted to putting my county in as Middlesex (technically the nearest county to me) just to purchase something. On other occasions I have to type my county in so I have an address of London London.

Please think when designing these forms and stop copying the same old shite that’s used everywhere else. Think intuitively, think independently.

Categories: Rant, Web

Digital Identities and Relationships

August 11th, 2010

In the new digital world we all have digital identities exposed through various forms of media such as email, instant messaging, forums and social media like Linked-in and Facebook etc. Each of these forms represents a digital version of you. Now I don’t know about you but I care how I look in the real world and I also care about how I look in the digital world. But as in the real world I don’t like to mix these identities; I am a different person down the pub with my mates compared to how I am with a customer at work. But with the prevalence of social media this line is getting blurred and this has consequences.

Over the last several years there have been plenty of examples of where a personal identity is exposed to a work related identity, and this can result in one of many problems such as divorce, loss of job, loss of integrity and legal issues.

Below is a Venn diagram showing how my digital identities relate.

[Diagram: My Media Relationships]

Notice how some of the media overlap. Facebook is clearly personal but there is some crossover with my Twitter account.

This is a bad example of relating digital identities.

[Diagram: Bad Media Relationship]

So where do you draw the line in sharing this always on permanent record of yourself?

Some social media actually encourage you to share these identities between platforms; for example Linked-in allows you to share Twitter messages. But do you really want your work colleagues to know that you just ate at a certain restaurant?

So how do we stop blurring the lines between personal and work identities?

Consider under which identity to share information

You have something to share but who should you share it with? Is it work related or personal? You wouldn’t post your latest holiday pictures on Linked-in and by contrast you wouldn’t post work related information on Facebook, at least I hope not.

Consider who you let into your network

What is the use of the medium? Is it to let your friends know that you will be down the pub at 6pm or that you are looking for another job in nuclear physics? Don’t befriend your boss on Facebook, but also don’t let your mate Steve send inappropriate jokes to your work email.

Consider what the medium is to be used for

Is it used for personal business like keeping in contact with friends or work associated? A Facebook account is clearly personal but what about your Twitter account? Is that personal or work related?

Consider the security of the medium

Who owns and manages the medium? What are your rights and privileges? Email may stay private but blog posts are public.

Consider the availability and data retention of the medium

Will the post you made to someone’s Twitter account be available in 5 years’ time? That newsgroup post you made 10 years ago slating company X definitely will be. Your views in your original post may have changed, but will this information be publicly available? Will it affect your next job interview?

Consider each of these when using the medium in question and you can’t go wrong.

Happy messaging in what ever form you choose.

Worst report ever?

August 10th, 2010

Today Cyveillance posted a press release titled “Cyveillance testing finds AV vendors detect on average less than 19% of malware attacks”. I have to say that this report was clearly put together by the person who cleans the toilets. Even an intern could do a better job. Let’s examine why I think this has the dubious honor of being the Worst Report Ever (just imagine comic book guy saying it).

First of all the title: now if that isn’t FUD then I don’t know what is. Let’s examine the release in detail.

The report reveals that traditional antivirus (AV) vendors continue to lag behind online criminals when it comes to detecting and protecting against new and quickly evolving threats on the Internet.

Duh! Of course they are. I wonder how many analysts it took to figure this out?

Cyveillance testing shows that even the most popular AV signature-based solutions detect on average less than 19% of malware threats. That detection rate increases only to 61.7% after 30 days.

Tell me something that I couldn’t have figured out myself. Every self-respecting security professional knows that signature-based solutions just don’t cut the mustard in today’s security landscape. End users won’t know this of course, but I couldn’t figure out who the report was aimed at so I used my experience as a baseline. I recently attended a presentation by one of the AV vendors mentioned and they presented a pretty bleak landscape for signature-based solutions. They mentioned that one particular piece of malware had over 1000 variants. Now show me a product that can cope with signatures for all the circa 1 million pieces of malware out there? There isn’t one, and that’s why AV vendors rely on other technologies like heuristics and reputation etc. But the report is on signature-based detection, so did they mean they would only test this functionality, or did someone forget that AV is not about signatures any more? If they intended just to report on one function of AV then this is stupid, as it doesn’t give a complete picture of the level of protection. So maybe they meant just malware detection using any technique the vendor can use; if this is the case they shouldn’t say “using signature-based detection” because that’s just wrong.

Now the biggest bugbear I have with this report is its use of stats. One of my favorite quotes is

There are three kinds of lies: Lies, Damn Lies, and Statistics.

Now anyone can manipulate statistics, but I am not saying that they manipulated the data in any way. It’s all to do with how it’s presented. First of all Cyveillance states that they used 1,708 malware samples. What samples did they use and where did they get them from? Wikipedia states

Sampling is that part of statistical practice concerned with the selection of an unbiased or random subset

Incorrect sampling will certainly introduce a skew in the results. Some vendors will likely class one piece of software as malware whilst others may not. So what if this happens? Does the vendor get scored down because they didn’t detect the malware? Who knows?

Additionally, I have concerns with regards to the use of the average across all the products. Some of the products they used I have never heard of, and they clearly bring the overall results down. I question the use of these products in the test. If for example I was going to report on the overall speed of cars and I used the following data set:

Bugatti Veyron: 253 mph
Koenigsegg CCX: 245 mph
Ferrari Enzo: 217 mph
Ford Focus: 133 mph
Renault Clio: 108 mph
Smart Car: 80 mph

Average 172.7 mph

Now does this mean that the average speed of all cars is 172.7 mph? Clearly not.

Also, I suspect that some of the vendors do not have the money and resources to put into sampling malware and defining signatures. But this doesn’t detract from the fact that using the average creates FUD in this case. Should you be worried? So only 61.7% of their sample of malware was detected after 30 days; what I am worried about is whether the product I am using detects the malware after 30 days. Well, if you’re a Kaspersky or AVG user then no, but if you’re a Norman or eTrust-Vet user then yes. The use of the average just brings the overall results down. It is plain wrong to do this!

Would you be surprised if I told you that if you chose the top 8 vendors from the list the overall detection rate jumps to 79.4%?

Panos Anastassiadis, COO of Cyveillance: “To increase protection, users can’t forget the basics – avoid unknown or disreputable websites, increase security settings on their web browser and leverage supplemental malware block lists to increase security on their devices.”

Excuse me? The users? Do you expect me to rely on administrative controls to keep my environment secure? I cannot expect users not to visit disreputable websites, either knowingly or unknowingly; they simply do not have a banner which says “disreputable website”.

Finally,

The only thing which I can agree on with Cyveillance COO Panos Anastassiadis is

Only through both proactive and reactive tools can a solid security platform be achieved.

I do hope though that when he says tools he is referring to controls in general and not just software.

Rant over