Monthly Archives: January 2008

How do you document?

Filed under General Security

Interesting post over on Slashdot yesterday on what the best practices are for documenting processes and procedures. While this is a general problem in IT, I thought it would be worth noting that documentation is a major part of what pen testers and security professionals do.

From the pen testing side, I require the testing team to document everything in at least some kind of document format, such as a text file, including time stamps to track when and what they did. Others find that saving all the command shell activity to a file works just as well. It can be a pain when consolidating this data, but having this documentation is better than tracking down who did what and when. As for process and procedure documentation, I have just put everything in a centrally stored office document that the team can access. We can then track the revisions to this document by keeping it in this one location. Not a very sexy solution, but it works for the team. One idea the team and I started to think about was putting together a Wiki (MediaWiki based) accessible to the team so each member could make updates and upload screen shots “on-the-fly”. I have used SharePoint, LiveLink, and Wikis for documentation in the past. The Wiki format seems to be the easiest to use and update.

One other thing to consider is how you “securely” store all of this data (Wiki or not). Our team stores this information on an encrypted file store (it was a strange third-party solution, nothing standard like TrueCrypt), but it can be difficult to access at times and tough to maintain the access control when team members come and go.

So how do others handle documentation as a pen test and/or security professional? Are you using a Wiki or other CMS type solution? What are some best practices regarding handling security documentation? Please add your comments and ideas…

New Windows TCP/IP Vulnerability (MS08-001)

Filed under Vulnerabilities

Lots of talk on the net recently about the first “critical” vulnerability (MS08-001) released by Microsoft this year. If exploited, this vulnerability can allow an attacker to run arbitrary code on a remote system, bypassing personal firewalls and, in the case of Vista, the kernel protection mechanisms. Note that one caveat to this is that the attacker has to be on the same subnet as the victim machines.

Microsoft says that “there are a number of factors that make exploitation of this issue difficult and unlikely in real-world conditions”. However, researchers over at Immunity Inc. (these are the guys that make CANVAS, an automated pen testing product) demonstrated how this vulnerability could be exploited via this flash demo. Immunity has released the exploit only to customers of the CANVAS product and admits that the exploit is not 100% reliable…yet. Now that everyone knows that an exploit is “possible”, it’s only a matter of time before someone releases working, reliable exploit code in the wild. Patch now!

Metasploit 3.1 Released

Filed under Penetration Testing

HD Moore has released the latest version of the venerable Metasploit Framework over the weekend. Version 3.1 includes the following updates and improvements:

“The latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits…”

This is a significant improvement for the Windows version, and it looks like the number of exploits available has increased. Looking forward to testing this out! You can download the new Metasploit Framework v3.1 here.

Is your web site “Hacker Safe”?

Filed under Hacking

Perhaps not if you’re one of the 80,000 web sites that display the small green logo proclaiming your web site is “Hacker Safe”. I recently read two good articles, one on Dark Reading and the other in the Computerworld mag that I get. I understand that this is a marketing person’s dream: promote your site as secure and not able to be hacked…“see all the customers that come and buy your products”! In the long run this is probably a bad idea. I agree that what the “Hacker Safe” program by ScanAlert does at a basic level, scanning for known web site vulnerabilities, should be part of any overall vulnerability management program. However, in addition to automated scanning you have to conduct manual penetration testing on these applications on a frequent basis as well…automated scanners have a place, but you cannot rely on these scanners 100% and then declare yourself “Hacker Safe”. If there is one lesson you learn in security, it’s “nothing is 100% secure”.

Both of these articles focused on the recent Geeks.com hack, in which an undisclosed number of customers had personal and credit card data compromised. Geeks.com was a “HackerSafe” customer. However, note that the ScanAlert people mentioned the Geeks.com web site was “probably” hacked when they withdrew their “Hacker Safe” certification after they found vulnerabilities. How ironic…so how is a potential customer supposed to know that a web site one day is “Hacker Safe” and the next day it isn’t? By removing a logo temporarily? Perhaps during this “probable” period Geeks.com and ScanAlert should have changed the “Hacker Safe” logo to “Hackers- Safe to Hack”. Seems like a poor attempt from ScanAlert to do damage control.

What’s the lesson here? It may seem like a great marketing idea to call your site “Hacker Safe”…but in the long run, if you get hacked it will soon turn into a marketing disaster that your company will not want to face. Putting up any kind of logo or certification declaring your site is secure is a bad idea.

First case of “drive-by pharming” identified

Filed under Home Wireless Security

It was just a matter of time before we started to see this pop up, and “drive-by pharming” is now just starting to be discovered. In this case a user received an email from a spoofed “e-greeting card” company with an embedded HTML image tag. Once the code is launched, it manipulates the DSL router configuration (specifically 2Wire routers) using the default login credentials. The article doesn’t say, but it most likely manipulates the default DNS settings on the router to point to a “fake” DNS server. Once this happens, the attacker can forward you to things like fake banking sites (ones that look just like yours).

Scary time to be a DSL/cable modem customer! With this and the recent security issues with UPnP, now more than ever is the time to change that default password and disable UPnP. Luckily, these are all simple security measures that can easily fix the problem. However, who is going to teach the customers who buy these routers how to properly secure them? The vendor? I doubt it. The ISP? Even more doubtful! It’s up to us as security professionals to spread the word about these dangers and to encourage good security practices with our non-technical, non-security-minded friends and family.

Awareness and Social Engineering

Filed under Security Awareness

Good blog posts over at Episteme and Andy’s blog about employee awareness and social engineering. Teaching your employees not to trust people is a tall request, that’s for sure! Most businesses are built by having employees trust each other…like Andy mentions, you have to teach them to “trust, but verify”.

I conduct social engineering tests on a regular basis, and I can tell you from personal experience that it is just too easy to bypass security controls by talking your way in with a really good scenario. You will find that employees want to be helpful, almost too helpful at times…holding the door open for you so you don’t have to badge in, or giving complete strangers login credentials to applications, are just a few examples. All it takes is someone with enough guts to look and play the part of a fellow employee to take advantage of the human kindness that we all possess.

One thing that I advocate is to test your own employees. This does two things. First, it allows management to get an idea of how bad it really is! Seriously, once executive management sees the problem, it becomes much easier to communicate the issue with executive support behind you. Secondly, it raises awareness with your employees…even if you target just a small segment of them. I would bet that the next time you conducted a social engineering exercise on that same segment, you would get different results. People always seem to remember when they were duped by someone else. Don’t forget that word about a social engineering “test” that was conducted spreads throughout the environment by word of mouth…all of this can be an advantage on the awareness front.

How do you test your own employees? Very carefully! Seriously, there may be many political boundaries that you will have to overcome, all depending on your company culture. Start with a small segment…like your own department if you are in Information Security! Yes, test your own people…you might be surprised by the results. A very low-impact method to start with is to conduct a simple “phishing” simulation. Set up a simple web server and send out emails with embedded links to the web server you just configured. Track the results by parsing the web server log for who clicked on the link. Strip out the IPs so the results are anonymous in your report. You can then put together a quick awareness piece showing the high-level statistics and send it to everyone you targeted. Simple and effective.
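The log-parsing and reporting step of the simulation above, as an added example that is not code from the original post: it reads Apache combined-format access-log lines (the sample lines below are constructed), counts successful GETs of an assumed tracking path `/awareness/`, de-duplicates repeat clicks, and returns only aggregate numbers so no IP reaches the report.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache "combined" format (not a real log).
SAMPLE_LOG = """\
10.1.2.3 - - [14/Jan/2008:09:01:12 -0500] "GET /awareness/?t=a1b2 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.1.2.3 - - [14/Jan/2008:09:01:13 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0"
10.1.2.9 - - [14/Jan/2008:09:03:40 -0500] "GET /awareness/?t=c3d4 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.1.2.3 - - [14/Jan/2008:09:05:02 -0500] "GET /awareness/?t=a1b2 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.1.7.7 - - [14/Jan/2008:10:15:55 -0500] "HEAD /awareness/?t=zz99 HTTP/1.1" 200 0 "-" "LinkScanner"
10.1.7.8 - - [14/Jan/2008:10:16:00 -0500] "GET /robots.txt HTTP/1.1" 200 68 "-" "bot"
"""

# Fields we need from each line: source address, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def count_clicks(log_text, link_path="/awareness/"):
    """Tally successful GETs of the tracking link per source address.
    Addresses are used only to collapse repeat clicks and never leave this function;
    a HEAD from a mail-gateway link checker is not counted as a click."""
    per_ip = Counter()
    hours = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "GET" or m.group("status") != "200":
            continue
        if not m.group("path").startswith(link_path):
            continue
        per_ip[m.group("ip")] += 1
        hours[m.group("ts")[12:14] + ":00"] += 1   # hour-of-day bucket for the "when"
    return per_ip, hours

def awareness_report(log_text, targeted, link_path="/awareness/"):
    """Aggregate statistics with the IPs stripped, suitable for the awareness write-up."""
    per_ip, hours = count_clicks(log_text, link_path)
    unique = len(per_ip)
    return {
        "targeted": targeted,
        "clicked": unique,
        "repeat_clicks": sum(per_ip.values()) - unique,
        "click_rate_pct": round(100.0 * unique / targeted, 1) if targeted else 0.0,
        "clicks_by_hour": dict(sorted(hours.items())),
    }

if __name__ == "__main__":
    print(awareness_report(SAMPLE_LOG, targeted=10))
```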

The Wardriving Experiment – Part 2

Filed under Wireless Security


The following is the continuation of “The Wardriving Experiment – Part 1“. To recap…I decided to set up a little wardriving experiment to really get an idea of how many people are still using WEP to secure their wireless access points. I also wanted to find out if people still set up wireless networks without encryption. The results in the following article are from a moderately populated suburban neighborhood near a large city.


New Theme

Filed under Spylogic News

Just put a new theme in for the site…so far so good. I also removed the forums since they were not used (at all, actually) and re-enabled the comments. Enjoy!

Hacking West Edmonton Mall

Filed under Wireless Security

Found this post over at the Defcon forums…RenderMan did a wireless audit of West Edmonton Mall (located in Canada), which is one of the largest malls in the world. RenderMan details his assessment of the 200+ wireless networks and devices…including a separate review of the Bluetooth devices found.

De-ICE.net Releases Level 2 Pen Test LiveCD’s

Filed under Penetration Testing

Looking to enhance your pen testing skills and take it to the next level?

Thomas over at De-ICE.net has just released the first disk in the more advanced “Level 2” set of Live PenTest LiveCD scenarios.