Wikileaks and Cyber Security

I'm back and catching up

I had an interesting time in Detroit. I heard some great presentations, some interesting perspectives, and gave two very brief talks. The insider threat talk went well; I like watching the operational security guys nodding their heads in agreement. The managerial guys also nod their heads but it's more of a "the would be nice if it didn't cost money" type of nodding. Regardless, I met some cool folks who definitely want the smart grid to be built securely. A few of them were vendors which is always cool, I love it when a vendor looks past the bucks and purposes to do things the right way. The second, unrehearsed, talk was to start up a new task force within OpenSG for network security. The group I am currently part of has been re-writing several of the DHS Catalog of Control Systems Security recommendations in an attempt to make them more actionable. In some cases this involves combining, in others controls are expanded. Either way, the group is coming up with some great verbiage that should definitely help folks in the future when they know "what" they are supposed to do and need the "how" to do it portion. Our new document should produce the "how", and the network security TF should be able to continue that work and pass it on as other groups continue to develop standards and requirements. This should provide a good foundation for the collaborative efforts that have been on going for quite some time and help to provide a common language and framework with respect to security.It's a privilege to be included in this effort, and I am getting to work with a number of exceptionally brilliant people that are teaching me a lot.

For the InfoSec people fighting the good fight

For those of you out there who "get it", "know what matters" and are fighting for adequate funding I humbly give you this Internet high five:

Insider Threats

I am heading to Detroit next week and will be presenting on "Insider Threats." There's a lot of cool research out there about this topic:
http://www.thetechherald.com/article.php/200831/1629/Analysis-of-Internal-Data-Theft
http://www.cylab.cmu.edu/research/chronicles/2008/cappelli.html
http://www.govinfosecurity.com/webinarsDetails.php?webinarID=67

What's funny, or sad, is that with all of that research I still haven't seen a lot of movement to mitigate this issue.  I once submitted a memo to my management regarding a vulnerability I exploited internally and was told to ignore it. The vulnerability gave anyone with physical access to a Windows Vista or Windows 7 PC SYSTEM-level access in about 60 seconds. In fact my immediate supervisor made some statement about "...Windows sucks" and " we trust our users." I will demonstrate this vulnerability, and the associated exploit, during my talk.
As I read though all of the talk on "Insider Threats" I see quite a focus on identifying the bad guy or girl. While I don't think that should ever be ignored, I feel there is an over emphasis here. Just prevent the data from being stolen or accidentally leaked. The truth is that we, yeah me included, have far too many privileges on our work computers and networks. We have all whined loud and long enough that people think we NEED twitter to perform our jobs. I have even been asked as a web-proxy admin to give someone access to Second Life at work. My supervisor replied with " {name removed} is a good kid, give him what he needs." After an hour of explaining what Second Life was, my boss didn't even know, he half-heartedly decided against it. Don't get me wrong, there is a place for trusting employees and it isn't easy to draw the line but always trusting all users to make the right decision {or never make a mistake} isn't how an infosec d00d should view the world. I think the best cure for that would be to let that person swap places with a helpdesk-type person for a day.

Anyway, here's the exploit running on Vista prior to any authentication:

Here it is on Windows 7:

I had already logged into this machine, but you get the idea. The way GIMP takes screenshots wasn't allowing me to take this shot the way I wanted so I got 0ld Sk00l, and took a pic. The reall problem these days isn't your OS though, it's the human element. You can almost equate it with social engineering but instead of trying to get your mark to provide you with access, credentials or what have you, You are trying to convince them to care about the dangers of losing data. For many years it was believed that gaining "root", "SYSTEM", or "Administrator" access was the key. This went away several years ago because data became the target. Unfortunately the defensive mindset hasn't yet shifted in some environments. I recently asked John Strand and Paul Asadorian a question during their "For the Last Time, The Internet is Evil" presentation. The question went like this:
" d00ds, what is the key to getting the organizations and personnel who review penetration testing results to understand the dangers and take action to implement the recommended changes?"
John replied:
"We have to create failure scenarios to show what happens if that one computer or one piece of data gets compromised."
Paul Chimed in with:
"It's will take a paradigm shift at the management level to understand these risks beyond the dollar signs."

I love both of those answers. I do understand information security can't be a bottomless pit that you throw money into, but experience has shown me that few organizations adequately fund initiatives in that realm. As I have stated previously, a lot of places out there are committed to maintaining the status quo. To them I say "Thanks for keeping my job as a pen tester fun and exciting." My next entry will be on the FAIL mode auditing and certification are stuck in. As always, this is not the fault of the auditor but at the funding and upper-management level.

Nexus One Awesomeness

Several months ago I purchased my Nexus One and started goofing with it and installing all manner of applications. Once I finished messing with things like wallpaper and ringtones I decided to go a step further. Last weekend I rooted the phone and installed Ubuntu. The phone now runs a full Ubuntu 9.10 install without the GUI. So far, I have installed NMAP, OpenVAS, and I am working on Metasploit. I also managed to get a packet sniffer installed, but I am quickly running out of space on my Sandisk 4GB MicroSd card. I am ordering a 16GB card and will then perform a reinstall and see what kind of platform I have available. The Android OS is truly amazing and powerful. I have also learned that the Broadcom chip is 802.11 b/g/n compatible and has FM RX and TX. Additionally, the camera is capable of shooting in 720p. I am still working on enabling the functionality in those last two sentences but I am pretty pumped about the phone's capability.

Local Conference

I don't yet know what the speakers will be presenting but there's a good lineup. I also really like the "..is the sky really falling?" theme they have going on. If you are wondering how "bad" the state of InfoSEc is, here are some links to keep you up at night:

http://inguardians.com/pubs/FriendlyTraitor.pdf

http://travisgoodspeed.blogspot.com/2010/07/reversing-rf-clicker.html

http://inguardians.com/pubs/AMI_Attack_Methodology.pdf

http://inguardians.com/pubs/toorcon11-wright.pdf

http://www.willhackforsushi.com/

Attacks are becoming very focused with less of a "shotgun-style" as technologies advance. The things Travis Goodspeed is doing with some of his hardware hacks reinforce the idea that security remains an afterthought in several areas. As long as security remains an afterthought, it will be difficult to provide reliable security. Fortunately, there are people dedicated to ongoing security research and the responsible disclosure of the vulnerabilities they find. If you haven't already, subscribe to some of the authors above, they are doing some amazing research that should open a few eyes.