Saturday, June 28, 2008

so did you watch this vid?



my first thought when i watched the vid? look at how it hiccups when she goes up the wall, it's fake, wowdidijustgetowned?!?

how long until we see (or have we seen and i don't know it) a viral video flash 0day sploit, or something similar? flashblock and noscript are all good, until you turn em off to watch the nifty crap floating around the tubes that day...

this vid came up the other night...

just want to say we love watching your talks bruce... :D

breach waf foo

work has been keeping me busy lately... first official web app pen work was a coldfusion site, paros falsed a lot, but i managed to get some manual sqli and a few other things... fighting a waf :-\ still gotta bang that out some more and get around to writing the report... ;)

anywho, breach came by the office the other day. talked to the engineer about the technical aspects of their offering, which involves 4 ways of protecting your apps (i don't remember them all). their waf box sits out of line on a span/mirror and does the job via sending resets.

they do some analysis on your production traffic to build what boils down to a pattern matching ruleset for how your app works on the network. "this is always an integer" and "this is always a string w/ no special chars", etc. i'm sure this is understating the tech, but yea...

so that got me thinking, what if someone just has a dork for whatever your vuln is and their only interaction w/ you is the one session where they actually perform the attack, which is prepackaged for your vuln and requires no interaction (ie: recent mass sqli attacks). the WAF doesn't see the full attack until it has analyzed the packet(s), by which time the original copy of the malicious payload is already on the nic of your web app server. the reset will come too late.

which brings about one of those other types of protection, which is a client shim in the TCP/IP stack which will inspect the packet for malicious payloads prior to releasing it on up to the application layer. so i guess if a waf is kinda like an ids at the app layer, i guess the breach client is like host ids.... "host web application firewall", better known as a "hwaf" (said w/ lots of throat noises ;)

another feature is that they support some common firewall featureset used so the appliance can request dynamic ruleset changes. i can't recall what it is named, and haven't googled around to find out more about it yet. but that bit got me thinkin about how grossman started combining VA and WAF, so i asked the guy if he'd heard of it and if breach was planning anything in that space. he had no idea, but then he told me this other interesting bit...

he said that now that they had a device monitoring application traffic, people have been realizing that it can be used as an application monitoring / health-check device. watching for broken links, error messages, and basically becoming an analysis and maintenance tool... reminds me of a nms for your application layer... damn nifty, and it makes so much sense... but my response was: be careful, much more of that and you won't be a security company anymore ;)

Sunday, June 22, 2008

su - v. sudo su -

ok, all this ubuntu talk has got me wanting to rant a little bit...

[rant]
sudo su is bad... there's no way around it. i know it's nice to keep users happy by not making them remember yet another password. and yes, it is nice that you have to know the current password to sudo su (in the same way that you have to know the current password to run passwd unless you're root).

this stuff, however, doesn't make sudo su a good thing.

don't believe me eh? all you have to do is check wikipedia (until one of you smartasses changes it):

sudo (super user do; officially pronounced /ˈsuːduː/,[2] though /ˈsuːdoʊ/ is also common) is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user (normally the superuser) ... Before running a command with sudo, users typically supply their password. Once authenticated, and if the /etc/sudoers configuration file permits the user access, then the command is run


ok, so right now you're probably thinking that the quote doesn't support my point at all. stfu. look, just because i can edit the sudoers file to allow sudo to run su doesn't mean it's ok. i mean, i can edit the sshd conf to allow root logins, but do we think it's ok to do? i can install mysql w/ a blank sa password. i can use cleartext instead of crypto. i can find web sites with goat pr0n... wait... erm...

anyway, i understand where this fits in w/ the ubuntu community of being all warm and fuzzy and easy. but i don't have to like it. one problem is that it hinders the ability of windoz converts to understand the significance of the nix security and permissions model. but mostly i hate that it removes a layer of security. we're supposed to be about defense in depth, right?

if you get my password, i'd like it if you have to find a privilege escalation vuln and dig around for a while to root me. just using the same password again to do it seems cheap...

i know macs are kinda similar, and i don't care. and i know it isn't a big deal to most people, and i don't care about that either. i don't like sudo su, and i don't have to... grrr...


rwnin@deadwood:~$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
rwnin@deadwood:~$ sudo su -
[sudo] password for rwnin:
root@deadwood:~# cat /etc/sudoers | grep -v '^#' | sed '/^$/d'
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
root@deadwood:~# logout
rwnin@deadwood:~$

[/rant]
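an added example (mine, not from the original post): a little sh/awk audit that reads sudoers-style text and flags every rule that hands out a root shell for the caller's own password, ie: a command list of ALL, or su or a shell in the list. the sample config is the one from the transcript above plus two constructed rules, one that is fine and one with NOPASSWD, which is worse.

```shell
# Added example, not from the original post: audit sudoers-style rules for the
# "sudo su" problem. A rule is flagged when its command list is ALL or contains
# su or a shell, since either gives a full root shell for the user's own password.
# Input is sudoers text on stdin; output is one line per offending rule;
# exit status is 1 if any were found, 0 otherwise.
audit_sudoers() {
    grep -v '^#' | sed '/^$/d' | awk '
        /^Defaults/ || /_Alias[[:space:]]/ { next }   # not a user/group spec
        {
            n = index($0, "=")
            if (n == 0) next                          # not a rule line
            cmd = substr($0, n + 1)
            sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", cmd)   # drop "(runas)"
            tag = ""
            if (sub(/^NOPASSWD:[[:space:]]*/, "", cmd)) tag = " [NOPASSWD]"
            if (cmd == "ALL" || cmd ~ /(^|[[:space:],])(\/usr)?\/bin\/(su|sh|bash)([[:space:],]|$)/) {
                print "root shell reachable: " $0 tag
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# constructed sample: the config from the post plus one rule that is fine
# (specific commands only) and one that is worse (su with no password at all)
SAMPLE='Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
%ops ALL=(root) /usr/sbin/service, /usr/bin/apt-get
%oncall ALL=(ALL) NOPASSWD: /bin/su'

printf '%s\n' "$SAMPLE" | audit_sudoers
```

on a real box you'd feed it `sudo cat /etc/sudoers /etc/sudoers.d/*`; Cmnd_Alias expansion is not handled here, so a rule granting an alias that contains su is not caught.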

Friday, June 20, 2008

ubuntu update

so my buddy is still waiting for gentoo 2008.0 (and what month is it?)(don't get kicked from any irc forums asking questions btw), and i'm still using ubuntu as my daily box (re: the last ubuntu post)

sooooo, here's my update on this little challenge...

i am really happy w/ the OS i'm using atm... the only issue i've run into that i couldn't solve within seconds is that VLC didn't play a dvd like i expected it to (like it did w/ a diff dvd in windows) so i went upstairs and watched it on the dvd player on my tv... also, vmplayer is dead in the water w/ hardy afaik... that sucks...

but to balance that out, tons of other stuff works correctly which gives me issues on my gentoo laptop (ie: sound, truecrypt, and other stuff i can't think of atm)...

so here's my real bitch about the ubuntu community. i've got a buddy who is getting into *nix, and he tried to drop it on his laptop. since then there's been video card issues w/ Xorg and wifi issues which render the box unusable. he is pretty decent w/ RTFM and all of that, but he keeps calling me up to come fix his stuff. i kinda wanna bitch, but the sad truth is that when i go out to google issues using the ubuntu keyword, there just isn't much out there. it is as though they've taken for granted that their stuff works all the time, and don't provide detailed documentation for the people who might want to reference it...

i mean, dig into the links and compare this to this... wtf...

so i am considering contributing to the ubuntu community w/ some low level documentation, b/c i see people out there using ubuntu having problems w/ questions that aren't answered by the docs...

the truth i am willing to face up to, is that i can make ubuntu work on a variety of hardware platforms only because i cut my teeth on gentoo... i'm still happier running ubuntu day to day tho ;)

multipost

i can't justify making these all separate posts... sooooo....

#!) pdp has a post talking about some conversations he's had w/ joanna about virtualization security issues... the thing i dig about this is how he hones in on how 'normal' users aren't going to use virt tech in the way that peeps like joanna see it helping security, b/c it's just too complicated for them. anyway, i dig this b/c it kinda fits w/ my view on security today. it's just too complicated for normal users (and arguably many sec professionals ;), and someday there's gonna have to be a solution to alleviate this pressure... things will not go on like they have in the infosec industry forever imo... anywho, i don't have a solution or anything, i'm just bracing myself for unknown inevitable life-altering change...

#@) the whole hack the coffee maker deal... i'm not sure i totally agree w/ thor on the whole responsible disclosure rant he had. i mean, i agree in general, but it's a coffee maker maker, i can imagine they might be completely unresponsive to infosec issues... anywho, i love this b/c it hits on a point i'm considering doing some research on, which is basically that inet enabled devices which don't have financial incentive for being secure are probably going to have higher vuln rates than appliance networks which add value to their parent companies through being inet enabled. in this case, it's just a feature, not an active profit center, so it isn't a surprise that security hasn't been taken into acct...

##) so some math geeks figured out you can "listen in" to encrypted voip calls (via schneier) just by doing timing and size analysis on the encrypted packets. they claim 50-90% accuracy. if they aren't doing it already, i wonder if you could take candidate words and run them through a grammar checker to improve the ultimate tally.... they've gotta be doing that already tho... i live in awe of math and crypto people sometimes, but i sure don't feel any burning desire to try to become one...

#$) too many mother uckers w/ a cissp... anyway, that's kinda not really the point of this post. but as a sec generalist w/o a cissp, i'll raise my glass and say it is worth reading... also, i like this owasp certification industry hack as well...

#%) ok, i may not entirely understand this AV cloud bs, but to me it sounds like... bs.... are we saying that we're going to do our checksum checks by communicating w/ hosts over TCP/IP instead of a local file? tell me what this solves that needs solving. my AV files aren't filling up my HDD. the problem is that my AV software can get sploited before it knows what happens. i am getting more and more jaded in this area. the solution isn't some new AV magic. the solution is to stop trying to paint lipstick on the pig which is the windows security model and move to a design which is manageable a la *nix...

#^) i really need to read this face-off stuff regularly... i am too lazy to find the rss for it... i love both of these guys... despite the fact that one of them seems much more down to earth and cool based on my personal interactions as well as that of a ninja friend doing a talk @ blackhat this year ("please don't do this to me", lol)... anywho, they both know their stuff and stimulate the mind...

#&) came across this paper in the mail... very interesting attack vector which reminds me of reflection xss.... haven't digested it yet, but tacking it on to this post for giggles...

Thursday, June 19, 2008

blackhole dns

a friend and i got the inspiration to implement blackhole dns over a year back... iirc the linkage was snort hosted, but i can't find it.... basically we set up a bhdns check for all outbound web traffic to reduce malware issues.

i am quite surprised this type of thing isn't more popular... yea yea, it is blacklisting and we know that isn't totally effective, but we also know that academic ivory tower BS won't get you very far w/ the common constraints of corp america, budgets, etc etc etc. so are you better off blacklisting some sites which are known very hostile or trying to whitelist known-good stuff and then moving to a default permit posture...

anywho, i see this as one component of defense in depth, and well worth having in a lot of environments...
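an added example (mine, not from the original post) of the plumbing behind a bhdns setup: take a plain list of hostile domains, clean it up, and emit one BIND zone stanza per name so the resolver answers for those names itself instead of forwarding them. the zone file path and the domain list are assumptions, not anything from the post.

```shell
# Added example, not from the original post: turn a plain list of hostile
# domains into BIND "zone" stanzas that answer for those names locally.
# Domain list on stdin; one stanza per valid, unique domain on stdout.
# First argument is the shared zone file path (assumed default shown).
bhdns_zones() {
    zonefile="${1:-/etc/bind/db.blackhole}"
    tr '[:upper:]' '[:lower:]' |                  # DNS names are case-insensitive
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/\.$//' |  # comments, whitespace, trailing dot
    grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$' |  # syntactically valid names only
    sort -u |                                     # one stanza per name
    while read -r d; do
        printf 'zone "%s" { type master; file "%s"; };\n' "$d" "$zonefile"
    done
}

# constructed sample list, with the kind of noise a real feed contains:
# mixed case, trailing dot, inline comment, junk line, duplicate
SAMPLE='# malware drop sites (constructed)
Evil.Example.COM
evil.example.com.
bad-host.example.net   # seen 2008-06
not a domain
evil.example.com'

printf '%s\n' "$SAMPLE" | bhdns_zones
```

the zone file itself is the usual one-record zone pointing every name at a sinkhole address you control, so hits show up in that box's logs; the list here is only the named.conf side.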

you know you wanna touch it...

anyway, old ass article i've been saving where b gates says that touch screen tech could be the end of the mouse...

it's ironic that this comes on the heels of the great success of apple w/ the iphone (although i'll admit that i have a winblows touch phone which i grudgingly like). if anyone wonders if this is off-base or not, i'd point back to apple (note: i'm sayin billy is just jumpin on the bandwagon) being completely on-point w/ halting shipments of 3.5 floppy drives. they mb timed perfectly or perhaps even invested in and spurred the growth of the USB jump drive industry...

anyway, the reason i'm posting the link is b/c losing the mouse and moving to touch as an interface brings about some interesting possibilities w/ security in the auth space... we're all so used to dealing with passwords, but bringing tactile into the space allows for a lot of new ideas... hand positioning, touch timings, geometric passkeys, timing based auth (via touch; but this could be done w/ keyboards too)... anywho, despite coming from MS, i see this possible evolution as being full of interesting possibilities....

echelon

digg ran this vid... got some foolish friends who think i wear a tinfoil hat b/c of some of their quite poor choices of words during phone conversations... anywho... been not posting for quite a while... sry!