Monthly Archives: April 2008

New versions of fgdump and pwdump released

Filed under Penetration Testing

The latest versions of fgdump and pwdump have been released by the foofus.net team. Looks like the most important change is that both tools support 64-bit targets. Here is the official announcement:

“The foofus.net team is pleased to announce updates to both fgdump (2.0.0) and pwdump (1.7.1), which incorporate a number of new features, the most significant of which is that both tools now support 64-bit targets.

We are also pleased to announce the creation of a mailing list for the purposes of tool support, bug reports, feature requests and new revision announcements. This mailing list currently covers fgdump, pwdump and medusa. Feel free to sign up at http://lists.foofus.net/listinfo.cgi/foofus-tools-foofus.net.
For all the details on the latest fgdump and pwdump releases, please visit their home pages:

http://www.foofus.net/fizzgig/fgdump
http://www.foofus.net/fizzgig/pwdump”

If you don’t know what fgdump is and how it differs from pwdump…basically, fgdump attempts to shut down local anti-virus before dumping the password hashes, and it also pulls cached credentials. Fgdump is a great tool if you still need to dump the hashes of a system. In a pentest I always like to conduct a password strength test for clients by running the hashes through John (large wordlist and incremental mode). Once you have the hash, you can also use a “pass-the-hash” utility like the one created by the foofus.net team (for Linux) or the one released by Core Security Technologies (for Windows).

The Cleveland Security Community

Filed under Cleveland

If you are a security professional in the Cleveland, Ohio area, be sure to check out the other security bloggers located in our area:

Security Second Thoughts
The Security Shoggoth
Securi-D

Even if you are not from Cleveland, check them out!

Matt and I are also on Twitter. Here is Matt’s profile, and mine. Feel free to umm..tweet us!

If you are located in Cleveland, you should know that we have a growing security community…currently centered around a few local groups that meet on a regular basis. Check out these groups and get involved!

NEO Information Security Forum
The Northeast Ohio Information Security Forum is a professional organization for people interested in information security. Members are in the information security, networking, system administration/engineering, and IT industry and are either involved in or interested in the information security field. The composition of the membership ranges from professionals working in the public sector (at colleges, universities, government agencies) to private industry (banks, manufacturing, tech, services) to college students. The group comes together monthly to discuss issues, watch presentations from members and outside speakers, and see demos of various tools and techniques in the information security arena.

InfraGard Northern Ohio Chapter
InfraGard is a Federal Bureau of Investigation (FBI) program that began in the Cleveland Field Office in 1996. It was a local effort to gain support from the information technology industry and academia for the FBI’s investigative efforts in the cyber arena. The program expanded to other FBI Field Offices, and in 1998 the FBI assigned national program responsibility for InfraGard to the former National Infrastructure Protection Center (NIPC) and to the Cyber Division in 2003. InfraGard and the FBI have developed a relationship of trust and credibility in the exchange of information concerning various terrorism, intelligence, criminal, and security matters.

NOITR
The Northern Ohio Information Technology Roundtable provides a forum for the exchange of information covering a broad and diverse range of Information Technology (IT) topics. NOITR members constitute a diverse cross-section of manufacturing and critical infrastructure industries, government agencies, academic institutions, and enforcement bureaus within Northern Ohio.

Cleveland also hosts two security-related conferences:

NEO Information Security Summit
Notacon (not really a “security” conference but has security themes and topics, yet very innovative and getting lots of national attention)

There will be an announcement about another web site in the works that will promote the Cleveland Security Bloggers, as well as a Cleveland Security Podcast…yes, I said it…a podcast! Trust us, this won’t be your typical security podcast either. Stay tuned for these announcements in the next few weeks!

Collaboration Technology and Engaging the Campus 2008

Filed under Cleveland

Posted at Securi-D’s blog…I am spreading the word to other hip and cool technology people in Cleveland, Ohio… :P

Thursday, May 8, 2008
Case Western Reserve University
Thwing Center
Cleveland, Ohio

9 am – 4 pm

To the Cleveland 2.0 Community:

This is an outstanding opportunity for the entire Cleveland community to learn and participate in the emerging world of collaboration technology. In addition to workshops, panels, and keynotes, there are big raffle drawings for computer systems and more (must be present to win). The website is open for registration. Case Western Reserve University will highlight new technologies and how they enhance research and discovery during its campus Collaboration Technologies Summit 2008 from 9 a.m. to 4 p.m. May 8 in Thwing Center. In addition, the keynote and panels will be streamed in ClevelandPlus in SecondLife.

All university faculty, staff, students, alumni, neighborhood and community partners are invited to attend the symposium and demonstration event—that will be conducted simultaneously at collaborative sites throughout the world.

The event will feature a keynote address by Anthony D. Williams. An author, researcher and consultant, Williams’s latest project is the bestselling book (co-authored with Don Tapscott) called Wikinomics: How Mass Collaboration Changes Everything.

Two panels at the summit will be anchored by Campus Computing Project Director, Dr. Kenneth Green, Visiting Scholar at Claremont Colleges. The first panel is titled Making Sense of the explosion of Web 2.0 tools and their relevance and consequence in Higher Education. Panelists include educators and faculty leaders from Case Western Reserve University, University of Southern California, Bradley University, and Researchers from IBM. At the end of the day-long event Green will host a panel called Collaboration Technology—What’s Next?: Bold Predictions, Cautionary Notes and Take Away Lessons. Panelists include leaders from Case Western Reserve University, Tri-C, MIT, and the co-founder of SecondLife, Cory Ondrejka.

New Black Hat Call for Papers Review Process

Filed under General Security


If you happened to sign up for the Black Hat USA 2008 Briefings early this year, you will notice that as a paid delegate you are able to review and comment on all the current papers submitted to the Black Hat speaker review board. You can comment on and rate each paper and also provide feedback to the person or group that submitted it.

Black Hat has always been a great security conference, and I really like this new format as it gives the people who actually attend a chance to have input into which talks will be selected. One thing to note…there are some fantastic submissions; however, I was surprised to see all the junk that gets submitted as well! It reminds me a lot of getting resumes for open job positions…most resumes are 90% crap, 10% qualified.

If you are signed up for Black Hat USA 2008, you need to do your reviews quickly as the CFP closes May 1st.

Twitter!

Filed under Spylogic News

I finally decided to check out what all the hype was about and took the Twitter plunge. I am now a security “Twit”. Not sure how I feel about being a “Twit” but so far so good. :)

It’s actually quite addicting as others have pointed out and I have started to convert my friends and associates over to the “dark side” of instant social networking. I have never been a big fan of the other social networking sites (Myspace, Facebook) but this is very different. So if you want to check me out on Twitter, here is my profile. Check out some of the security “Twits” I follow like matthewneely, McGrewSecurity, PaulDotCom, haxorthematrix and Andy Willingham.

Here is a newbie guide to Twitter if you need some assistance setting it up and learning to send “tweets”. Enjoy!

DHS wants you to sniff your neighbors

Filed under Wireless Security

*** UPDATE #2: The site mentioned below is an elaborate hoax/experiment created by a graduate student! Thanks to everyone for researching this! If anything…get a good laugh out of it. ***

Well not really physically “sniff” your neighbors (that would be disgusting especially if you saw my neighbors)…but they do want you to fire up a network sniffer like TCPDUMP and collect the traffic off of wireless networks to root out “terrorists” in your neighborhood. I thought this was a joke when I first saw a link posted on McGrewSecurity…then I saw someone posted a link to this pdf on the penetration testing mailing list on insecure.org. In doing some research it looks like this may be an organization that is “affiliated” with the Department of Homeland Security. Hoax perhaps? This is from the “Network Neighborhood Watch” web site:

“Participants in HNAP would collect sample network traffic from their own home networks as well as samples from networks within the vicinity. The Neighborhood Network Watch will be making a set of freely available instructions on how to capture network traffic, using the open source packet sniffer TCPDUMP, and how to log onto nearby wireless networks that may be being operated by neighbors.

These samples of network traffic would then be sent to the Neighborhood Network Watch for analysis using the latest revision of the NNWKAA. The participants would then be sent back a rating for each network along with a rating for the area as a whole.

This allows the participants to not only find out how their own home network is being used but also valuable information about those around their home that may have large amounts of terrorist related traffic flowing over them. This also provides the Neighborhood Network Watch with the ability to see if there is potential terrorist cell activity in or around the participants’ homes.”

Oh it gets better…there is a nice document (linked above as well) that tells you step-by-step how to sniff wireless traffic and send it to them for analysis:

“With the widespread adoption and usage of wireless networks, it has created a climate that is ripe for exploitation by terrorists. Since these networks often times are unsecured or offered as a free service to the public it allows any individual to use them, including terrorists. Even the networks that reside in our homes can be used by terrorists who may be our own neighbors or fellow building residents.

Therefore it is imperative that these networks do not go unmonitored. That is why the Neighborhood Network Watch was established and why now the Home Network Awareness Program has been created to allow individuals like yourself to make sure that terrorists may not be using your own home network to plan the next attack on our nation or your very own community. This document has been created so individuals like yourself and your community can become more involved with and help the Neighborhood Network Watch carry out its mission, by learning how to packet sniff your own home network. That mission being to keep our community’s networks safe from terrorists and those who may attempt to harm our community and our nation.”

The FAQ on their web site says it all I guess:

“Q: Isn’t this invading my privacy?

A: In many ways yes, but in a post 9-11 world the government and most communities across the United States, believe that these sorts of measures are necessary to prevent our nation from being attacked by ruthless terrorists. In fact privacy is a relative term with a definition that is constantly being redefined. Especially so in the highly technologically mediated world we live in today.”

Does anyone else think this is the worst possible idea ever?

Pen Test Documentation Strikes Back!

Filed under Penetration Testing


John Sawyer over at Dark Reading put out a post about the importance of documentation as it relates to your pen tests. I couldn’t agree more, as documenting your methodology, testing it, and even having it reviewed by your peers are all very important. I wrote a post a few months back about the importance of documentation and what some of the best practices are for how a team documents a pen test in progress. Even more important is having your basic methodology for testing well documented.

Your testing methodology should be the cornerstone of any pen test. Without a sound, repeatable methodology it would be very difficult to show your client or organization the systematic approach you used to conduct your testing and how you achieved your results. Most penetration testers follow some form of the ISSAF or OSSTMM methodologies, and it’s OK to deviate slightly, since every company and organization does things differently.

The hard part, as John points out, is that no one wants to do documentation! It’s time consuming and boring. Sure, we would all rather be out exploiting systems but you really need to think of the bigger picture here. Here are some basic suggestions:

- Talk about your methodology after each and every pen test with your team (make this part of the last phase of the pen test even). What went wrong? What went well? You can always make on-the-fly adjustments to your documentation if you need to and it will foster better communication between your team members.

- Rotate the documentation review process from one team member to another. That way no one person is stuck updating and maintaining your documentation. Also, if you have a system where one person does all the reports for your pen tests…make sure this isn’t the same person! That can lead to serious burnout (writing the reports can cause burnout as well, but that’s another post entirely!).

- Schedule “documentation and tool review” sessions several times a year with your team. This is a great way for everyone on the team to provide feedback on the current testing process and methodology and make changes if necessary. Also, because tools are always being updated and new ones are being released, you should talk about adding/removing tools from your team’s toolkit based on the needs of the team.

Malware is Evolving

Filed under General Security

I saw a good presentation analyzing the malware behind the current “fake subpoena phish” by Tyler and Greg at the NEO Information Security Forum the other night. Tyler and Greg are legendary in the Cleveland area for conducting some cutting-edge malware analysis over the last few years. They focused on how this type of malware is somewhat different: it did some interesting things with rapidly modifying the hosts file on the victim machine, and it connects and disconnects rapidly so as to throw off security researchers (do a netstat and alas…there is no active connection). Tyler and Greg mentioned that they are seeing more and more “smart” malware that is adapting to the techniques malware researchers use to find out how this stuff works.

Another point is that these types of targeted attacks are becoming more common. It’s getting easier for anyone to find detailed information about anyone (not just CEOs) by using free tools like Maltego or by getting creative with Google searches. This particular phish was very personalized, and I would expect this trend to continue.

Phrack Issue #65 Released

Filed under Hacking

Looks like the latest issue of Phrack was released. Phrack is one of those hacker magazines that seemed to have disappeared and now is starting to slowly come back into existence. Phrack is famous for posting the infamous Hacker Manifesto and also provides a good insight into the current (and past) state of the hacker underground.

Some highlights of this issue include an interesting “prophile” on a hacker named “The Unix Terrorist (the_uT)”, Stealth hooking: Another way to subvert the Windows kernel, and Hacking the $49 Wifi Finder.

Flash, Adobe Reader and Java…Oh My!

Filed under Vulnerabilities


Breaking News!

90% of all Windows machines are vulnerable to Adobe Flash vulnerabilities…(not really breaking news by any means for security professionals, right?). But for the average home user I certainly hope it is. You see articles all the time talking about the latest client-side vulnerabilities, and usually they are just talking about one specific vulnerability. What about all the other client-side software that users fail to either patch or keep up to date? Shall I give you examples besides Adobe Flash? How’s this for starters?

Internet Explorer, Firefox, Opera, Skype, Windows Media Player, Quicktime, Adobe Reader, Java, Microsoft Office…the list goes on and on.

The scary thing is that the “average” user really has no clue as to why this software should be updated and patched, even when they are prompted by the application to “Update me now!”. Most users will just click “cancel” and go about their business…and if their business includes checking their email, let’s hope there isn’t a malicious PDF waiting for them in their inbox…or a link taking them to the latest Excel exploit. This is currently the most popular attack vector, and until applications get smarter about how they update themselves, programmers learn secure coding practices, and users become security aware, these types of attacks will “keep on coming”. Oh, and don’t forget about 0day vulnerabilities like the ones discovered in the Pwn2Own contest at CanSecWest.