Sunday, October 24, 2010

Another SSL cert atrocity!

My website, hosted by "The Planet", has an https control panel with a self-signed cert. Self-signed certs are very, very bad. A web site hosting company should know better.

Sunday, October 10, 2010

OWASP AppSec at U.C. Irvine a success!

I worked as a volunteer at the OWASP AppSec conference at the University of California at Irvine, held September 7 through 10.

Unfortunately I did not get to sit in on any of the training sessions - they all looked first rate. I *was* invited to the VIP reception. It had a nice selection of appetizers and good drinks from the bar, with opportunities to chat with other conference volunteers, organizers and speakers.

The sessions I was able to attend were all very good, some excellent. My best take-away from the CxO panel was that "buy a tool" inevitably fails as an approach. I already knew this, but it is refreshing to hear this truism so bluntly stated.

The session on Threat Modeling covered the Microsoft-supported STRIDE/DREAD model for assessing application security. I've used this tool before so it was interesting to hear the speaker's perspective. Threat modeling belongs as part of the application's architecture review, and should be embedded in the development life cycle. The threat model should be maintained and updated for as long as the application is in use.

Bill Cheswick gave the end-all of password security talks. I've seen his video online, and this was similar. He gave a lot of very useful ideas about password vulnerabilities, user psychology, and how to realistically manage passwords better given human and technical limitation.

Other sessions I attended included ones on secure coding practices, OWASP projects, "Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development", and HD Moore's talk.

HD's talk was given in a rapid-fire style that took some careful listening to follow, and dealt exclusively with the Metasploit product and plans to incorporate more Web application testing in future versions. A Linux Meterpreter module may be out by version 3.5.

Monday, September 06, 2010

RISSC's 3 year grant is ending

Got an email about a reception for the RISSC industry advisory board (including me). Their NSF RISSC Grant is winding to a close and they'd like to thank those of us in industry who have helped them over the last 3 years. I won't be able to make it - I will be attending SANS Las Vegas that week. I will be facilitating the Wireless Ethical Hacking, Penetration Testing, and Defenses course taught by Josh Wright.

Speaking of volunteering - I just got the assignment sheet for the OWASP AppSec Conference in Irvine. I will be working as a volunteer on Thursday.

Sunday, August 29, 2010

Defcon 18 quickly summarized

I skipped Defcon last year, so I made a point to be there all 3 days. I strongly recommend arriving Thursday evening. Registration is no hassle, you get the official badge, and you get to check out the facility at your leisure. Even though Defcon has been at the Riviera for years, I still need a walk-through to remember how to get around. Maybe casinos hope that lost hotel guests will gamble more.

Defcon is generally well organized and with few exceptions the talks are first rate. My main complaint is the long line to get into just about every talk. I suspect they have greatly oversold admission. I wanted to attend the SCADA track on Saturday, so I showed up almost an hour early for the first session, and remained in my seat for as many sessions as biological needs would permit.

The best session was given by Fyodor on scripting nmap. He gave a very useful and clear explanation of how to customize nmap using the Lua programming language. Fyodor is also a very engaging speaker. I was very fond of his dry wit.

Dan Kaminsky and Paul Vixie gave a double-shot of DNS on Friday. Vixie discussed the use of passive DNS to gain information useful in tracking malware and criminal activity by flagging malicious use of DNS. Kaminsky gave a talk similar to his Toorcon 2009 talk, on the use of DNSSEC to provide a true, usable public key infrastructure. Using signed DNS records can authenticate destination sites. DNS authority can also be delegated more elegantly (and more usefully) than X.509.

The SCADA track was interesting, with the talks varying between those concerned with general risk discussions, technical information systems, and general discussions of plant operations. If you've ever wondered how a small water district works, this was your chance.

"Wardriving the Smart Grid" gave an overview of the technology used for wireless monitoring and control of electrical utilities. Exploitation of field tech boxes would provide privileged access to these networks. The speaker suggested that it is only a matter of time until software for these boxes is available on BitTorrent.

"SCADA and ICS for Security Experts" gave a definition of SCADA and discussed what systems can be called SCADA and which ones aren't really SCADA. SCADA involves interconnected sensors and controls under central management. Not all industrial control systems (ICS) are SCADA. Electrical "Smart Meters" are really a billing system, not a remote control system, for example. The hard part of attacking SCADA and ICS isn't getting into the network - it is understanding the physical impact of various logical controls.

Speaking of Smart Meters, "The Night the Lights Went Out in Vegas" covered some of the details of Smart Meter networks. Radio communications involve either 900 MHz licensed spectrum or GPRS, with a small number of other methods like powerline RF.

"Cyberterrorism and the National Drinking Infrastructure" gave an overview of operations at a small public water district. There are a lot of fail safe mechanisms that make it difficult to effectively attack a drinking water system. Water districts themselves are highly fragmented, meaning an attack would likely be local in scope, confined to a single municipality.

Aside from SCADA, other notable topics included cyber-warfare and hardware hacking. "How to Build a Cyber Army" discussed a possible budget for a hypothetical cyber-army (North Korea was the example). Having agents embedded in the target nation's critical infrastructure is essential - remote attacks would not have their full impact without this. The final budget came out to something short of $50 million (I'm relying on memory here).

Hardware hacking included hacking WiMAX customer boxes, basics of the Arduino ("Hardware Hacking for Software Guys"), and building electronic weapons (a variant of the old Defcon "Build your own HERF gun" talk).

It wouldn't be Defcon without some controversy. Here's a short rundown:

  • A talk on Chinese cyberattacks was canceled due to objections of the Taiwanese government, ever desirous of not offending the mainland Chinese. The key speaker was a Taiwan national, so his government's request carried the day.
  • A talk on evading censorship by using TOR had one of the key speakers, affiliated with Wikileaks, detained by US authorities upon entering the country from the Netherlands. His electronics (computer, cell phone, etc.) were seized.
  • A talk on jackpotting ATMs went on as scheduled. It was pulled last year due to pressure from the presenter's employer (Juniper). He now works for IOActive, who had no objection.
  • GSM-based cell phone communication was intercepted using a mock base-station built using $1500 of equipment. Lots of notices were prominently posted warning people not to use their cell phones during this time!

Lastly, one of my favorite things was the exhibit of old computer technology. A fully functioning DEC PDP-11 was featured that brought back memories of my first computing experiences.

And while I fully support the EFF, I did *not* get a mohawk, thank you.

Friday, August 13, 2010

Another entry in the broken cert hall of shame

Noted this when trying to log into gmail using my secure POP client. I hope this is just a quirk in Google's cert management.

Tuesday, August 03, 2010

OCEAN AS/400 Conference Notes

I attended the July 16 OCEAN annual technical conference on the iSeries (which I will always call the AS/400). I've spent a good chunk of my professional career working on this system and while it seems to be slowly fading away, I still like to keep up on it. Who knows when you might run across one? Being one of the last people around familiar with this technology may prove useful.

Some general notes: There was a session on iPhone integration with the iSeries, showing this venerable back end is still being adapted to the latest client gadgets. A whole series of PHP development sessions was provided, including ones on the Zend environment.

My main focus here is the session on security, given by John Earl (who immediately recognized me in the audience after over 10 years). He covered some of the laws governing breach reporting and personal information protection, noting that Massachusetts has the strictest state laws in the US. His main focus was on insider threats, as he believes the iSeries is hard for an outsider to attack without some sort of inside access and knowledge.

John noted that default passwords are still a problem, especially for vendor software. The ANZDFTPWD command will help by checking for many of these. Unencrypted passwords on the wire are another problem, with FTP, telnet and the iSeries Access Servers (formerly Client Access). He noted some common mechanisms for finding user IDs and user profile information that can be exploited even with a limited capability account that supposedly restricts command line access. Read access to a user profile provides the ability to take over the profile - so do not allow *PUBLIC (world in Unix-speak) read access. Taking over a profile involves using it in the SBMJOB command, in a JOBD, or through ADDJOBSCDE (look these up if they don't make sense!). John is a strong believer in relying on object authority rather than exit programs for security.
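As an added illustration of the profile-takeover path and the object-authority fix John talked about (this is my own example, not code from the page, the conference or John Earl), here is a CL fragment a system administrator could run. The profile name PAYROLL and the library/program MYLIB/MYPGM are hypothetical placeholders; the commands themselves (ANZDFTPWD, DSPOBJAUT, SBMJOB, ADDJOBSCDE, GRTOBJAUT) are standard IBM i commands.

```cl
/* Added example, not from the original page. PAYROLL, MYLIB and MYPGM   */
/* are hypothetical names; substitute a real profile and program.        */
PGM

   /* 1. Report profiles whose password is still the default (password   */
   /*    equals the profile name). ACTION(*NONE) only writes a report;   */
   /*    ACTION(*DISABLE) or ACTION(*EXPIRE) would act on the offenders. */
   ANZDFTPWD  ACTION(*NONE)

   /* 2. Show who is authorized to the profile object itself. Any        */
   /*    *PUBLIC entry other than *EXCLUDE means any user on the box can */
   /*    name PAYROLL on SBMJOB or ADDJOBSCDE and run under it.          */
   DSPOBJAUT  OBJ(QSYS/PAYROLL) OBJTYPE(*USRPRF) OUTPUT(*PRINT)

   /* 3. The takeover path: with *USE authority to the profile, a low-   */
   /*    privilege user submits a job that runs as PAYROLL. Left as      */
   /*    comments so this program does nothing destructive when run.    */
   /* SBMJOB    CMD(CALL PGM(MYLIB/MYPGM)) USER(PAYROLL)                  */
   /* ADDJOBSCDE JOB(TAKEOVER) CMD(CALL PGM(MYLIB/MYPGM)) +               */
   /*            FRQ(*ONCE) SCDDATE(*CURRENT) SCDTIME(*CURRENT) +         */
   /*            USER(PAYROLL)                                           */

   /* 4. The fix: drop *PUBLIC access to the profile so only its owner   */
   /*    and explicitly authorized users can reference it. This is the  */
   /*    object-authority approach, rather than an exit program that    */
   /*    inspects each SBMJOB request.                                   */
   GRTOBJAUT  OBJ(QSYS/PAYROLL) OBJTYPE(*USRPRF) USER(*PUBLIC) +
              AUT(*EXCLUDE)

ENDPGM
```

Step 2 is the check worth repeating across every profile: PRTPUBAUT OBJTYPE(*USRPRF) produces the same information for all profiles in QSYS in one report, and any profile with a *PUBLIC authority other than *EXCLUDE is a candidate for step 4.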

Having been outside the iSeries world for a while, it was discouraging to hear the same flaws mentioned that I had known about ten and fifteen years ago. The approach to taking over an AS/400 seems similar to that used in Windows systems - get the authentication credentials, execute a command using that credential, use the command to gain command line access. What ADDJOBSCDE does in an iSeries, "schtasks" (or "at") does for Windows.


Monday, July 19, 2010

ISSA LA gets some press

Our very own Stan Stahl has been quoted in the LA Business Journal:

It seems starting Internet security companies has become something of a gold rush, according to Stan Stahl, chief executive of L.A. cybersecurity firm Citadel Information Group and president of the Information Systems Security Association.

“In the last year, all of a sudden this industry has taken off,” Stahl said. “Legally, anyone can hang up a shingle and say they are a computer security expert.”

This is in an announcement for a new independent information security firm headed by Hemu Nigam called SSP Blue.

A new infosec boutique isn't in itself so newsworthy - but the mention of ISSA along with some positive business prognostications about infosec in general make the article worth a read.