Monthly Archives: September 2008

Tom joins the Blogsecurify team!

Filed under Social Networks

I am excited to announce that I am now part of the GNUCITIZEN Blogsecurify social media “tiger team”. I am officially a blogger for Blogsecurify and will be posting about security issues/vulnerabilities in social media applications. As you may already know, I have been doing a lot of research recently into Facebook privacy and security. Blogsecurify/GNUCITIZEN is the perfect outlet for the research I am doing as well as other projects I am about to work on. GNUCITIZEN has always been about cutting edge, progressive thinking security research and I am looking forward to working with others that have a passion for social media security.

Do you have a WordPress blog? If you do then you really need to check out the Blogsecurify tool. The Blogsecurify tool was basically formed from the wp-scanner project and was a joint effort between GNUCITIZEN and BlogSecurity.net. The tool is an online WordPress vulnerability scanner. It will scan your WordPress blog via a plugin that you activate on your end. It will then run a series of checks and let you know the results. I am under the assumption that this scanner will evolve with the ability to scan other types of blogging software and social media applications. If you are interested in helping out with research and/or blogging on Blogsecurify check out this post.

Stay tuned for my Facebook Privacy & Security Guide release and details on other social media security related projects I plan on working on through this site and now blogsecurify.

Malware Challenge begins October 1st!

Filed under Malware

Malware!

Tyler (aka: The Security Shoggoth) announced on the Security Justice podcast last week the “Malware Challenge” that begins October 1st. I think this is a great idea and is a fantastic way to learn about how malware works and how to analyze it.

Via The Security Shoggoth:

“Starting from October 1, 2008 and ending October 26, 2008 we will be running a malware analysis challenge at http://www.malwarechallenge.info. In the challenge participants will download a malware sample to analyze. The site will have a list of questions for participants to answer and send in. We will judge the answers and those scoring the highest will win prizes.”

Yes, this is a real piece of malware that you will analyze! More about the malware and the contest:

“Participants in the malware challenge will download the malware, analyze it and answer questions based on their findings. The answers to these questions will be evaluated by the judges in order to determine who the winners are. At a minimum, submissions should include the answers to the questions. However, submissions which also include a narrative on such things as how the malware was analyzed or how the analysis lab was set up will be more likely to win. Be creative.”

What are the prizes? So far they have a Best Buy gift card, IDA Pro Book, Full version of IDA Pro software, Hacker game from Steve Jackson Games and many more prizes as well. For the most up-to-date-list, check here.

Even if you have never analyzed malware before…everyone is encouraged to participate! This is a great way to learn about how malware works and also a way to develop a new emerging skill set! The contest site has some links to get you started if you have never done malware analysis, so you have some place to start. Winners will be announced at the 2008 Ohio Information Security Summit on October 31st. You don’t need to be present to win, but there will be special prizes for those that can be there. Good luck to everyone participating!

Where is Tom?

Filed under Spylogic News

Wow..it’s been really crazy as of late. Sorry for the lack of blog posts but this is “the” busy month of the year for me! Here is what I have going on:

October 11th Ohio LinuxFest
Security Justice will be podcasting live from the Ohio LinuxFest! Dave and myself will be there hanging out with the folks from Notacon and others. If you are there…stop by, say hi and pick up some Security Justice stickers!

October 15th NEO InfoSec Forum
I will be giving a talk on “Information Gathering with Maltego” at the NEO InfoSec Forum. Join us after the meeting at Mavis Winkles for beer and the live recording of the Security Justice podcast.

October 30-31st Ohio Information Security Summit
There are several things that I am doing at this year’s local security summit:

I will be participating in a panel discussion at 2:20pm on October 30th, “Social Networks – Acceptance and Mitigation of Risk in Today’s Workplace”. Later that evening at 6pm I am leading a birds of a feather session entitled “Security & Privacy of Social Networks”. At this session I will be releasing my Facebook Privacy and Security Guide. Look for a blog post about this project soon.

Finally, on October 31st I will be doing a talk entitled “Penetration Testing 2.0: Corporate Tiger Team” at 1:30pm.

If you are local or in the surrounding Ohio area be sure to check out the Information Security Summit. It’s well organized and is only $250 for two full days of talks!

Oh, and if that wasn’t keeping me busy enough…I am working on another Security Justice special edition with another very special guest to take place some time in October. More details soon.

I’ll hopefully get a few posts up in the next few days…I have a few in the “queue” almost ready to launch. :-) Back to work for me and thanks for reading!

Finally a use for Incognito

Filed under Penetration Testing

Let’s say (hypothetically for the sake of this post) that you were able to exploit the system of a Windows domain admin during a pentest. The goal of this attack? Steal the credentials of the domain admin and continue on with owning the domain. Sure, you could use gsecdump, pass-the-hash and do the same thing…however, Incognito (a tool to conduct token passing) is nice when you know a system is vulnerable to an exploit and you want to do everything through a nice Metasploit meterpreter shell. The problem with gsecdump is that it would require you to use psexec to run it remotely on the admin’s system. Depending on the scope of your assessment and whether you are trying to be covert, gsecdump/psexec may not be the best idea, as you may get noticed by either an anti-virus, a HIDS alert or some other detection system on the host, including the admin (don’t get me wrong…gsecdump is a GREAT tool and should be part of any pentest toolkit). So here comes Incognito to help you out in this situation…

How does Incognito work? I won’t go into a ton of detail, as you can check out CG’s posts over at Carnal0wnage. He did an awesome, detailed two-part write-up about the tool that you should check out. Here are the high level steps:

1. Ensure you have the latest Metasploit snapshot. Not by doing an “svn update” either…you have to use Subversion and do an “svn co http://metasploit.com/svn/framework3/trunk/”. Run msfconsole through this trunk. Be warned that Subversion is picky with proxy servers if you have to deal with that.
2. Exploit system with Metasploit and a meterpreter payload.
3. Follow CG’s posts (linked above)
4. Once you impersonate the domain admin, use the tool in your meterpreter shell to create a domain user and add your new user to the domain admins group (again…follow CG’s posts).
5. Continue on with your domain compromise…rinse and repeat with your next client and/or pentest! :-)
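The steps above end with a new domain user being created and dropped into Domain Admins, and the post itself notes that the host's anti-virus, HIDS or the admin may notice the activity. From the defender's side, that last step leaves a very recognizable trail in the domain controller's Security log. The script below is an added example for this page (not part of Incognito, Metasploit or CG's write-up): it correlates "user account created" events with "member added to a security-enabled global group" events and flags any account that was created and then added to a watched group within a short window. The log lines are constructed in a simplified pipe-delimited layout; a real export has more fields and uses distinguished names for members.

```python
"""Flag freshly created domain accounts that are added to a privileged group
shortly afterwards. Example code added for this page, not from Incognito or
Metasploit. Event IDs 4720 (user account created) and 4728 (member added to a
security-enabled global group) are the Windows Server 2008+ IDs; 624 and 632
are the Server 2003 equivalents."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample records (not a real log) in a simplified
# "timestamp|event_id|key=value|key=value" layout.
SAMPLE_EVENTS = [
    "2008-09-20 14:02:11|4720|SubjectUser=jdoe-adm|TargetUser=svc-backup2",
    "2008-09-20 14:03:05|4728|SubjectUser=jdoe-adm|TargetGroup=Domain Admins|Member=svc-backup2",
    "2008-09-20 09:15:40|4720|SubjectUser=hr-admin|TargetUser=newhire01",
    "2008-09-20 09:16:02|4728|SubjectUser=hr-admin|TargetGroup=Sales Staff|Member=newhire01",
    "2008-09-19 11:00:00|4728|SubjectUser=it-admin|TargetGroup=Domain Admins|Member=longtime-admin",
    # Server 2003 style IDs, 90 minutes apart: outside the default one-hour window.
    "2008-09-20 16:30:00|624|SubjectUser=jdoe-adm|TargetUser=svc-tmp",
    "2008-09-20 18:00:00|632|SubjectUser=jdoe-adm|TargetGroup=Domain Admins|Member=svc-tmp",
]

WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
CREATE_IDS = {"4720", "624"}
GROUP_ADD_IDS = {"4728", "632"}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited record into a dict with 'time' and 'id' keys
    plus whatever key=value fields the record carries."""
    parts = line.strip().split("|")
    event = {"time": parts[0], "id": parts[1]}
    for field in parts[2:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_new_privileged_accounts(
    lines: List[str], window: timedelta = timedelta(hours=1)
) -> List[Dict[str, str]]:
    """Return one finding per account that was created and then added to a
    watched group within `window`. Records are sorted by timestamp first so
    out-of-order log lines still correlate."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    created: Dict[str, Tuple[datetime, str]] = {}  # account -> (created at, created by)
    findings: List[Dict[str, str]] = []
    for ev in events:
        ts = datetime.strptime(ev["time"], TIME_FORMAT)
        if ev["id"] in CREATE_IDS:
            created[ev["TargetUser"]] = (ts, ev["SubjectUser"])
        elif ev["id"] in GROUP_ADD_IDS and ev.get("TargetGroup") in WATCHED_GROUPS:
            member = ev["Member"]
            if member in created and timedelta(0) <= ts - created[member][0] <= window:
                created_at, created_by = created[member]
                findings.append({
                    "member": member,
                    "group": ev["TargetGroup"],
                    "created_at": created_at.strftime(TIME_FORMAT),
                    "created_by": created_by,
                    "added_at": ev["time"],
                    "added_by": ev["SubjectUser"],
                })
    return findings


if __name__ == "__main__":
    for f in detect_new_privileged_accounts(SAMPLE_EVENTS):
        print(f"ALERT: {f['member']} created by {f['created_by']} at {f['created_at']} "
              f"and added to {f['group']} by {f['added_by']} at {f['added_at']}")
```

With the constructed records, only svc-backup2 is flagged under the default one-hour window; widening the window to two hours also catches svc-tmp, while longtime-admin (added to Domain Admins without a preceding creation event) and newhire01 (added to a non-watched group) are never reported. The window is the knob to tune: too narrow and a patient attacker slips through, too wide and routine onboarding starts to alert.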

The best tool to clone hard drives, is free!

Filed under Linux

While not a security related post…I thought I would let everyone know about a really good open source hard drive cloning software that I recently discovered when I needed to clone and image multiple Linux systems. It’s called Clonezilla and works just like Symantec Ghost but faster and free.

From the Clonezilla web site:

“Clonezilla, based on DRBL, Partition Image, ntfsclone, and udpcast, allows you to do bare metal backup and recovery. Two types of Clonezilla are available, Clonezilla live and Clonezilla server edition. Clonezilla live is suitable for single machine backup and restore. While Clonezilla server edition is for massive deployment, it can clone many (40 plus!) computers simultaneously. Clonezilla saves and restores only used blocks in the harddisk. This increases the clone efficiency. At the NCHC’s Classroom C, Clonezilla server edition was used to clone 41 computers simultaneously. It took only about 10 minutes to clone a 5.6 GBytes system image to all 41 computers via multicasting!”

Yeah, it’s fast alright! I have been using the Clonezilla Live to image hard drives and it has been working great. You can also run it off of a USB thumb drive if you are so inclined. So, don’t fork over $$ to that evil empire called “Symantec”…give Clonezilla a try if you want to clone a drive or multiple drives. :-)

New Ohio Identity Theft Law: Epic FAIL for Consumers

Filed under Identity Theft

Freeze or Thaw?

I have to give the lawmakers in the state of Ohio some credit for attempting to take identity theft somewhat seriously. It’s actually about time since every other state in the US has had laws for a long time now. Unfortunately, they got it wrong. The problem is that they have made something that is fairly manageable for consumers into another way for the three credit agencies to make more money.

From the Cleveland Plain Dealer:

“When a new Ohio law kicks in on Labor Day, you’ll be able to freeze your credit reports for $5 a pop. Security freezes let you “lock up” your credit report and scores, making it more difficult for an identity thief to open accounts in your name. New account fraud isn’t the most common type of identity theft, but it’s one of the more expensive and time-consuming varieties to clear up. A freeze is an important tool in combating this financial crime.

To get the best protection, you’ll need to freeze your files at all three credit bureaus, meaning you’ll shell out up to $15.”

and to “thaw” your “freeze”…

“You’ll need to temporarily thaw a freeze when you shop for credit, buy insurance or do anything else that requires a credit check. Each thaw costs $5. Ohio’s law lets you thaw for a specific party or, if you’re applying to multiple lenders, for a specific period of time. If you’re thawing for a specific lender, ask which bureau it plans to use so you can minimize the cost and thaw only at that bureau. Make sure you have the lender’s correct name so it can access your report.”

Confused yet? Let me explain….

So fork out your first $15 to get this baby started. Now when you are ready to buy something that requires a credit check…don’t forget to call the credit agencies to “thaw” your “freeze”. But wait! Which one do you call? Not sure? Call all three and fork out another $15. Oh? I need a PIN to thaw my account? Most consumers will forget what the PIN was, so that’s another $5 to get a PIN reset. Is the freeze a pain in the ass to manage? No problem…fork out another $15 to remove the freeze and permanently thaw your credit.

There are two solutions that provide similar protection:

1. Every 90 days call each of the three credit agencies and put a fraud alert on your credit reports. This costs nothing and is pretty effective…but a pain to remember.

or better yet…

2. Get a monitoring service like Debix. They will freeze your credit and provide real time monitoring. You can’t beat the service for $24 a year. Compared with the $15 freeze plus another $15 if you need to open up your credit one time with all three agencies, Debix is cheaper, more reliable and safer, with less work. If you want some good information on Debix and how it works check out Rich Mogull’s blog post.

Oh. If you read the full news article…check out the following (funny) information required if you want to hook this up via snail mail:

“By certified mail: Send your full name, with middle initial and generation (for example, Jr. or II); Social Security number; date of birth (month, day and year); current address and previous addresses for the past two years; and $5 fee (not cash) to…”

Good thing identity thieves don’t steal mail these days….who really sends certified mail anyway right? :-)