Monthly Archives: June 2008

Blogsecurify: New Wordpress Security Scanner

Filed under General Security

Looks like GNUCITIZEN and Blogsecurity.net have joined forces to create an online WordPress security scanner. From GNUCITIZEN:

“Blogsecurify was created to help individuals and organizations to secure their blog infrastructures by testing them against a set of security tests. The project is still in alpha stage although I am quite happy with the actual framework which I believe is the only one of its kind. The same framework will be used for several other initiatives but I will talk about them when their time comes.”

I tested it out and it works as advertised. Just make sure you enable/disable the template plugin that is required. I used the old security scanner that was on Blogsecurity.net and didn’t get a ton of value out of it in the past, so this is great news! Actually, the old scanner told me that the WordPress installation I was scanning was out of date and vulnerable even though I had the latest version installed! Blogsecurity.net has some really good resources for hardening your WordPress installation, by the way. I recommend that if you have a WordPress blog you download the paper they have on hardening your WordPress installation. While some of these tips are easy (change the admin account name and use role-based access), others are a bit complex and may break most of your plugins (.htaccess modifications) without significant testing. Either way, it’s worth checking out to make your WordPress installation more secure.
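To make the “.htaccess modifications” point concrete, here is an added example of my own (not taken from the Blogsecurity paper) showing the two rules that most often appear in WordPress hardening advice, along with the one that tends to break plugins. It assumes Apache 2.2-era access-control syntax (`Order`/`Allow`/`Deny`) and uses the documentation range 203.0.113.0/24 as a placeholder for your own trusted addresses.

```apache
# --- In the WordPress root .htaccess ---

# 1. Never serve wp-config.php directly. Harmless to plugins, since nothing
#    legitimate fetches this file over HTTP.
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# --- In wp-admin/.htaccess ---

# 2. Restrict the admin area to trusted addresses (203.0.113.0/24 is a
#    placeholder documentation range, not a real allow-list).
#    This is the rule that breaks things: many plugins serve front-end
#    features through wp-admin/admin-ajax.php, so visitors outside the
#    allowed range lose that functionality unless the file is exempted.
Order deny,allow
Deny from all
Allow from 203.0.113.0/24

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
</Files>
```

After adding rule 2, browse the public side of the site from an address outside the allow-list (or with the plugins you depend on exercised) before leaving it in place; that is the “significant testing” the post warns about.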

Why go to Black Hat?

Filed under General Security

I am writing this blog post as part of the Black Hat Bloggers Network topic of interest #2.

I guess you could say I am somewhat of a Black Hat n00b! This will only be the second time I have attended Black Hat in my security career. I have been to quite a few security related conferences in the past (most of these involved training as well as conferences all integrated into one event like SANS Fire) but since coming back from Black Hat last year I discovered the value of attending a conference like Black Hat. Three things come to mind as to why someone should go to Black Hat:

1. Great speakers! Seriously, if you want to “be there” when new vulnerabilities and exploits are released to the security community by some of the greatest security researchers in the world…that’s Black Hat! I liked how conference attendees were able to “vote” in advance for selection of the talks this year. I felt this added real value to the great speaker line-up for this year’s conference!

2. Good mix of “black hat”, “white hat”, and everything in between (gray hat) attendees. With a little more on the side of “white hat”. This adds to the whole energy of the conference and allows some good networking opportunities. Black Hat is probably the one security conference where your company won’t think you are just going to another “hacker con”. For example, you can say to your boss “Hey, they have a vendor show with XYZ company that will be there!” Lucky for you if you are using the security product of XYZ company. Not to mention XYZ company will get you a pass to one of the cool after parties (for more networking of course…). :-P

3. Free admittance to DefCon. As a paid Black Hat delegate you get into DefCon for free! How can you beat that? Stay at Caesars Palace in a luxury suite the whole week and attend one of the best hacker cons in the world! I could do a whole post on how great attending DefCon is, but in short it’s awesome to see an even more diverse crowd than Black Hat of the good, the bad, and the plain ugly! Not to mention “spot the fed” and all the other fun games and activities unique to DefCon.

Can’t wait to go this year and to also network with some of the other bloggers in the Black Hat bloggers network! Hope to see some of you there (and at DefCon 16).

FBI gets involved in the Indiana bank security breach

Filed under Hacking

This is a story that keeps getting more interesting…

I have been closely following the news that I blogged about last week regarding 1st Source bank of Indiana that fell victim to a pretty serious security breach. 1st Source ended up reissuing their entire credit card portfolio to their customer base.

The latest news is that other banks in the Indiana area are now reporting that their customers are seeing fraudulent transactions. The link is that all of these other banks’ customers used 1st Source ATMs around the same time the breach happened. From the IHT article:

“Bank officials said the victims they know of appear to have all used 1st Source Bank ATMs during the first 10 days of May. James Seitz, 1st Source senior vice president, said officials from his bank met with officials from other financial institutions on Wednesday to discuss the situation.

“As we’re piecing this puzzle together, it appears that there may be a common thread,” Seitz said.

A security consulting firm alerted 1st Source about a computer breach on May 12. The bank shut down its computer system and contacted authorities. Two weeks ago, 1st Source sent letters to customers asking them to monitor their accounts for suspicious activity.”

I’m starting to suspect that the ATMs themselves were compromised or the bank’s back-end servers were compromised as well. From what I know about PIN storage, the PIN information in Track 2 data (this is the data that was reported stolen) on a credit/debit card does not have to be encrypted (however it can be, just not required by the ISO standard), so either a card “skimmer” device was used (physically attached to the outside of the ATMs) or this Track 2 data was pulled off the wire, perhaps using a network sniffer installed on the ATMs. It could be similar to the Dave & Buster’s security breach that happened a few months ago. Whatever method was used, it was enough to replay this data to a bunch of fake ATM cards and start withdrawing cash and/or charging items from locations overseas. Hopefully the public gets to find out what really happened once 1st Source gets their act together.
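The sniffer scenario above comes down to one failure mode: Track 2 data crossing a network, or landing in an application log, in the clear. As an added example (my own code, not from the post or from the bank), here is a small Python check a defender could run over captured ATM-network or application logs to flag cleartext Track 2 records. It parses the ISO 7813 Track 2 layout (start sentinel, PAN, separator, expiry, service code, discretionary data, end sentinel), validates the PAN with the Luhn check so random digit strings do not fire, and reports hits with the PAN masked so the alert itself does not become a second leak. The log lines and card numbers are constructed test values.

```python
import re
from typing import Optional

# Constructed sample log lines (not real data). The PANs are well-known
# industry test numbers; two pass the Luhn check and one is deliberately
# corrupted so it fails.
SAMPLE_LINES = [
    "2008-05-03 10:12:01 atm01 txn ok amt=40.00",
    "2008-05-03 10:12:02 atm01 debug raw=;4111111111111111=0912101123456789?",
    "2008-05-03 10:12:05 atm02 txn ok amt=100.00",
    "2008-05-03 10:12:09 atm03 debug raw=;5500000000000004=1012201000000000?",
    "2008-05-03 10:13:00 atm01 debug raw=;4111111111111112=0912101123456789?",
]

# ISO 7813 Track 2 layout: ';' start sentinel, PAN (up to 19 digits), '='
# separator, expiry YYMM, 3-digit service code, issuer discretionary data,
# '?' end sentinel.
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<rest>\d{7}[^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(text: str) -> Optional[dict]:
    """Return the Track 2 fields found in text, or None if there is no track."""
    m = TRACK2_RE.search(text)
    if m is None:
        return None
    rest = m.group("rest")
    return {
        "pan": m.group("pan"),
        "expiry": rest[:4],           # YYMM
        "service_code": rest[4:7],
        "discretionary": rest[7:],    # issuer-specific, e.g. PIN verification data
        "luhn_ok": luhn_ok(m.group("pan")),
    }


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so a hit can be triaged without re-logging the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2_leaks(lines):
    """Flag lines carrying Luhn-valid Track 2 data; returns (line_no, masked_pan, expiry)."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_track2(line)
        if rec is not None and rec["luhn_ok"]:
            hits.append((n, mask_pan(rec["pan"]), rec["expiry"]))
    return hits


if __name__ == "__main__":
    for hit in find_track2_leaks(SAMPLE_LINES):
        print("cleartext track 2 on line %d: pan=%s exp=%s" % hit)
```

Run against the constructed lines, it reports lines 2 and 4 and stays quiet on line 5, whose PAN fails Luhn. In practice the same function would be pointed at a packet capture decoded to text or at debug logs from the ATM middleware, and any hit is a finding on its own: the presence of the data in the clear is the problem, regardless of whether anyone has stolen it yet.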

Medeco Embracing the Locksport Community

Filed under Physical Security

[Image: Medeco Locks]

Via the Emergent Chaos blog…

If you follow physical security and specifically the “Locksport” community you might be interested in the open letter by Peter Field (chief architect of Medeco products) stating that Medeco (a big high security lock manufacturer) is embracing the Locksport community. This is huge news considering that lock manufacturers in general have been pretty reluctant to support the research of Marc Tobias and others in the past. From Marc’s post on In.Security:

“So it often falls upon the Locksport enthusiasts, hackers, or security professionals, outside of the lock manufacturing community, to demonstrate vulnerabilities that should have been discovered by the manufacturer before offering their products for sale. In my experience, design engineers learn how to make things work quite well; they rarely are educated in how to break them. That is a fundamental problem. If locks were designed properly, hackers and others would not be able to circumvent security. It is about time that manufacturers recognized that the more minds that are evaluating their products, the better.”

You can read the full open letter posted on NDE here. Very good read, as is Marc’s response. By the way, check out NDE (Non-Destructive Entry) magazine. It’s a good magazine on the Locksport community and lock picking in general. Issue #3 even has a good article about the “Tiger Team” show that had a short appearance last year on truTV.

Backtrack 3 Released

Filed under Penetration Testing

I’m sure you have already read this on other blogs…however, if you didn’t get the news yet…Backtrack 3 was officially released last week on the PaulDotCom show. I know myself and others have been using the beta and have been looking forward to this final release. Here are some highlights as posted by Max Moser, one of the creators of Backtrack 3:

SAINT
SAINT has provided BackTrack users with a functional version of SAINT, pending a free request for an IP range license through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego v2.0 with a community license especially for BackTrack users. We would like to thank Paterva for co-operating with us and allowing us to feature this amazing tool in BackTrack.

Nessus
Tenable would not allow for redistribution of Nessus on BackTrack 3.

Kernel
2.6.21.5. Yes, yes, stop whining….We had serious deliberations concerning the BT3 kernel. We decided not to upgrade to a newer kernel as wireless injection patches were not fully tested and verified. We did not want to jeopardize the awesome wireless capabilities of BT3 for the sake of sexiness or slightly increased hardware compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN’ed and armed to the teeth. This release we have some special features such as spoonwep, fastrack and other cool additions.

Availability
For the first time we distribute three different versions of Backtrack 3
– CD version
– USB version
– VMWare version

BackTrack 3 final download page is here.

Final Requests
We request the community to not mirror or torrent this release, or otherwise distribute it online without our knowledge. We are trying to gather statistics about bt3 downloads. If you would like to mirror BT3 then please:

1) Think again! Traffic generated by BT3 downloads is CRAZY.
2) Please contact us before doing so.
3) Send us monthly statistics of downloads for the iso.

If you would like to add a link to BackTrack downloads to your website, please use:

http://www.remote-exploit.org/backtrack_download.html as the download link.

Rants
Problems, fixes, bugs, opinions – should all end up in our Remote Exploit community forums, and our wiki.

Awesome that Maltego has been added to Backtrack! Safe to say that Maltego is the best Internet reconnaissance tool out there. Too bad about Nessus, but I hear SAINT is a good vulnerability scanner alternative (note that SAINT is a commercial product like Nessus, but they don’t have a “home user” plugin feed like Nessus provides). Also, be sure to link to the Backtrack 3 download as Max specifies. Please don’t torrent the ISO, as they would like to track overall download statistics.

One final reminder: the Security Justice podcast will be interviewing Dave Kennedy of SecureState on the Fast-track script he developed. Fast-track is included in the Backtrack 3 distribution and is an integral part of using Backtrack 3 to its fullest potential. Look for this special edition podcast in the next week or so.

New Security Podcast: Security Justice

Filed under Cleveland

[Image: Security Justice Podcast logo]

After several months of work the team of Matt, Dave, Tyler, and myself finally went live with our first podcast called Security Justice a few days ago. Let me tell you…getting a podcast up and running was no easy task but it finally paid off. Special thanks to Dave for getting the mixer, microphones, software and related technology to record the podcast. Also thanks to Dual Core for letting us use their music in our podcast!

We just released episodes 1 and 2 the other day along with the web site. Our podcast has a pretty cool local feel to it. We record live right after the Northeast Ohio Information Security Forum at Mavis Winkle’s Irish Pub in Independence, Ohio near Cleveland. We have a live audience, which allows for some pretty unique interactions as well as comments and input directly from the crowd of fellow security geeks. :-) We interview the presenters from the Northeast Ohio Information Security Forum (takes place the 3rd Wednesday of every month) and discuss recent hot security topics. In addition, we plan on having “special edition” podcasts which will consist of interviews with well-known security researchers and “security celebrities”. We have one that will be released here in a day or two.

Anyway, check us out! Let us know of any feedback that you have either here or via the Security Justice web site. Thanks for listening and for supporting the local Cleveland security community!

You can also follow Security Justice on Twitter or FriendFeed!

Online Social Networks: 5 threats and 5 ways to use them safely

Filed under Security Awareness

Last night I gave a talk at the Northeast Ohio Information Security Forum called “Online Social Networks: 5 threats and 5 ways to use them safely”. I spent the last few months doing research on various social networks, specifically MySpace, Facebook, and LinkedIn. Many of us either use these sites or know others that do. Users of these sites have been increasing at a dramatic rate for several years. For example, MySpace was the most visited website in the US with more than 114 million global visitors in 2007, and Facebook increased its global unique visitor numbers by 270% last year alone. With this massive increase in social network usage, online social networking is now becoming the fastest growing area of privacy concerns and security threats.

My talk went over the top 5 emerging threats to online social networks and I also talked about 5 ways you can use these sites safely. You can download my presentation here. Be safe out there! :-)

Mac OS X Security Guides Released…Finally!

Filed under Apple

Just a heads up for all you Mac fanboys/girls…Apple has recently released massive (240 pages each) security configuration guides for Panther (10.3), Tiger (10.4), and Leopard (10.5).

Note the warning from Apple if you are a n00b Mac user:

“To use these guides, you should be an experienced Mac OS X user, be familiar with the Mac OS X user interface, and have at least some experience using the Terminal application’s command-line interface. You should also be familiar with basic networking concepts.”

I have paged through the Tiger guide and it’s pretty detailed…exactly what I was looking for. Really glad Apple finally released these. Hopefully other security professionals using Macs (like me!) will take the time to read these guides and harden their systems. Happy hardening! :-)

Geek out with your own RGB combination door lock

Filed under Physical Security

Hack a Day posted a cool tutorial today on how to make your own RGB combination door lock. What is this monstrosity of geekness? Think Star Trek, Star Wars or any other science fiction movie with scenes of cool blinky lights! Now you too can secure your man room, computer lab or whatever and really impress your friends. From Hack a Day:

“Instead of typing in numbers, your password is a unique set of colors.”

“By entering the correct color code, the pad will flash green and unlock the door for 10 seconds. If you go over the limit counter, it will flash red for 30 seconds.”

Pretty cool. Check out the pictures and details on the Hack a Day web site. Anyone have the nerve or electronics knowledge to put one of these together? Looks like part 2 of the article will talk about how to make the PC board, cut a custom wall plate, install the lock strike and more.

Black Hat and the Security Bloggers Network

Filed under General Security

[Image: Black Hat 2008 logo]

If you have been reading my blog and others in the Security Bloggers Network recently then you hopefully already know about the really cool alliance this year between Black Hat and the Security Bloggers Network. If not, here is a quick and dirty overview…

Basically, there will be a Black Hat topic of the week based on one of the scheduled briefings. The bloggers can then blog on that topic to hopefully generate some interesting conversation prior to the conference. Since there are about 150 different security blogs covering every angle of security in the network it should make for some interesting blog posts.

In addition, the Security Bloggers Network will be linked on the Black Hat web site and in various conference paraphernalia. Personally, I am really looking forward to blogging about some of the hot topics that will be talked about at Black Hat this year!

Be sure to follow all the Black Hat updates on Twitter and if you haven’t subscribed to the Security Bloggers Network OPML, check it out! You can also follow me on Twitter and FriendFeed as I will be at both Black Hat and Defcon 16 this year, hope to see some of you there…

Also, if you plan on attending this year don’t forget to register for the Black Hat “sneak peek” webcast on June 26th!