Stop poking the tiger.

I can’t help but laugh, as this has happened so soon after the Gawker hacks. For those who don’t follow this kind of thing, the company publicly taunted a group of people who may or may not have ties to some people who may or may not also have ties to some people who may or may not allegedly be hackers. This stupid behavior resulted in Gawker being defaced. The social networking sites of the corporate entity and its employees were also popped, scrolling with sensitive personal data and assorted offensive one-liners.

The site’s main database, which contained hashed passwords, was compromised, potentially exposing 1.5 million users. As people tend to reuse passwords, one can only imagine how many other systems were compromised as a result. It’s pretty easy to hammer out a script to attempt to log in to a list of sites using the stolen and cracked credentials. I have no doubt the attackers specifically targeted particular accounts from the database to escalate privileges elsewhere. People who do this kind of work are not your normal drive-by exploiters.

This incident took place not even two months ago.

As the rest has already been written, I can just put the three relevant links here. A security consulting firm made a press release stating they had tracked down hackers who claim to be associated with Anonymous. The result was that their website was shredded, along with the social networking accounts of the entity and its employees, 66,000 company emails were published, and Sophos noted that someone else noted their backups were allegedly trashed as well.

Point of me rehashing these stories that have been rehashed by everyone else?

STOP POKING THE TIGER.

This is the equivalent of the jackass that climbs over the fence at the zoo and acts surprised when they are mauled. “That is a tiger. It is a 500 pound predator. No, don’t approach it. No, don’t poke it in the eye. No, I’m not sure how to get your torso out of its jaws.”

For some reason corporations don’t understand that this playing field called the internet is not governed by rules, wealth, location, or “morals”. Taunting malicious users is the equivalent of walking into a shady bar, finding the guy who looks like he just got out of prison, and shoving him as hard as you can. It’s not going to end well, and you’re not going to come out ahead. You don’t gain from such actions.

If you’re going to do research and try to out someone who allegedly has the clout to drop small companies such as Mastercard for a day, you should be smart enough to assume they potentially have the resources to do serious damage to your business and personal life.

Watch the service and IDS logs on a server on your network that nobody cares about and which is barely exposed to the internet for a day. Now think about all the attacks on your web application which are not flagged or logged. Now think about your office and employees, USB thumb drives, your datacenter, your clients’ employees, delivery and building personnel, and all the threats in between. Yeah. There are a lot more attackers than there are defenders, and it’s not the majority you have to worry about. That’s what common practices and tools are for. It’s the minority you don’t want around, much less invite.

So what simple policy can help mitigate the sophistication of the attacks? Start by not taunting the attackers. Stop poking the tiger. Enforce policy that discourages and holds employees responsible for making statements which blatantly invite attacks. Most businesses wouldn’t tolerate publishing “intellectual property”, much less “libel”, so why tolerate other internally hostile behavior? Train employees in your enterprise that these actions can result in business, financial, and personal “troubles”.

I should stop beating my head against the wall. I’m not getting anywhere. People just won’t learn.

Please stop poking the tiger. It will mess you up.


Posted: February 8th, 2011

Password management and sinking to KeePassX

For the past several years I have been using pwman for password management. It’s an ncurses interface for an XML file encrypted with gpg. This program was an ideal solution. It provided an easy-to-use interface for a file encrypted with an industry standard utility, which I could use remotely regardless of whether pwman was installed, as long as I had my gpg key. Almost perfect.

Unfortunately pwman is unstable and tends to produce segmentation faults. This is unacceptable for regular use, as most “unix like” systems have core dumps enabled, writing the entire password database in plaintext to a file. I’m convinced several conditions which result in a crash exist when adding, removing, and editing entries. There is one bug I’ve been able to easily replicate: editing fields that end with a period (yes, a “.”) will result in a crash. A review of the decrypted XML file shows no corruption of the standard format, nor extra characters from the period. I have not flipped through the source to isolate and correct the bug.
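The plaintext-in-a-core-file risk above is easy to close off before a crash ever happens. The following is an added example, not part of the original post: a POSIX sh snippet that reports the current core file limit, disables core files for the current shell and everything it launches, and proves the point by aborting a throwaway process and confirming no core file was written. The FreeBSD-wide setting it reports (kern.coredump) is the system-level equivalent; the function names and the temporary directory are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): keep a crashing password
# manager from writing its decrypted database into a core file.

# Print the current soft core-file size limit; "0" means no core files.
core_dump_limit() {
    ulimit -c
}

# Disable core files for this shell and every process it starts.
# Put the same line in the shell's rc file to make it permanent per user.
disable_core_dumps() {
    ulimit -c 0
}

# Return 0 (true) if a core file could currently be written, 1 otherwise.
core_dumps_enabled() {
    case "$(core_dump_limit)" in
        0) return 1 ;;
        *) return 0 ;;
    esac
}

# Report the FreeBSD system-wide switch when it exists on this host.
# kern.coredump=0 disables core files for all processes regardless of ulimit;
# on other systems the sysctl is absent and we say so.
report_system_setting() {
    if command -v sysctl >/dev/null 2>&1 && sysctl -n kern.coredump >/dev/null 2>&1; then
        echo "kern.coredump=$(sysctl -n kern.coredump)"
    else
        echo "kern.coredump: not available on this system"
    fi
}

# Demonstration: after disabling core files, a process that aborts (the
# same signal a segfaulting pwman would die from, SIGABRT here for
# simplicity) leaves nothing behind in its working directory.
# Returns 0 when no core file appeared, 1 otherwise.
demo_no_core_after_abort() {
    disable_core_dumps
    demo_dir=$(mktemp -d)
    ( cd "$demo_dir" && sh -c 'kill -ABRT $$' ) 2>/dev/null || true
    if ls "$demo_dir"/core* >/dev/null 2>&1; then
        rm -rf "$demo_dir"
        return 1
    fi
    rm -rf "$demo_dir"
    return 0
}

# Usage when run directly:
#   sh this_script.sh
echo "core file limit before: $(core_dump_limit)"
report_system_setting
if demo_no_core_after_abort; then
    echo "core file limit after: $(core_dump_limit) (no core file written)"
else
    echo "a core file was written; check kern.coredump / core_pattern"
fi
```

Note that `ulimit -c 0` without `-S` lowers the hard limit as well in most shells, so a child process cannot quietly raise it again; that is the behaviour you want for a shell that runs a password manager.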

Why not?

I have a flashy Android-based phone. There have been several comments at my current place of employment regarding standardized key exchange through KeePassX databases. I want a solution where I can share the same database across platforms and employers, yet still access it from a remote host via ssh.

Searching for a multi-platform solution not reliant on xorg (yes, that’s what’s providing your mac with its interface) yielded no results that fit the bill. My next thought was to go back to using an encrypted text file without an interface. This proved to be another dead end, as there is no real Android gpg port.

The end. I give up.

I tried several console interfaces which handle KeePassX databases, and a perl script called kpcli was the winner. It took a bit of work to get it running on the FreeBSD systems I regularly use.

Kpcli will not work on FreeBSD 8.1 out of the box. It ships with perl version 5.8, which does not allow nested regex quantifiers. You first need to upgrade perl to 5.10 or higher; I chose the 5.10 branch, following the commands as listed in /usr/ports/UPDATING at 20090328.

pkgdb -Ff
env DISABLE_CONFLICTS=1 portupgrade -o lang/perl5.10 -f perl-5.8.*
portupgrade -fr perl

Unfortunately, on all the systems I tried this on I was still left with some ports that failed to recompile and would no longer start. You can also recompile all installed ports with portupgrade -af if you’re not willing to approach and correct these issues as they arise.

Now download the perl script to interact with the database if you haven’t already.

fetch http://cdnetworks-us-1.dl.sourceforge.net/project/kpcli/kpcli-0.8.pl

If you’re not a perl person you most likely do not have the needed CPAN modules installed. For my systems I was lacking the following ports:

security/p5-Crypt-Rijndael
textproc/p5-Sort-Naturally
shells/p5-Term-ShellUI
devel/p5-ReadLine-Gnu
devel/p5-Term-ReadKey

After which I was only lacking the File::KeePass CPAN module. There is not currently a FreeBSD port for this, so you will need to install it through the cpan interface.

perl -MCPAN -e shell
install File::KeePass

The interface for kpcli is familiar to say the least. The following is an example of working with it, accessing the KeePassX database.

kraken:~% kpcli

KeePass CLI (kpcli) v0.8 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
* Please upgrade Term::ShellUI to version 0.87 or newer.

kpcli:/> open .kpass.kdb
Please provide the master password:
kpcli:/> ls
=== Groups ===
bills/
sites/
work/
backup/
kpcli:/> cd bills
kpcli:/bills> ls
=== Entries ===
0. Suntrust suntrust.com

kpcli:/bills> show 0

Title: Suntrust
Uname: fakeusername
Pass: realpassword
URL: suntrust.com
Notes:

kpcli:/bills>


Posted: February 4th, 2011

ShmooCon triumphs and failures.

Information security conferences are loved and hated. Defcon is a zoo. Blackhat and RSA are both a corporate oxymoron and expensive. There are now several others seemingly with ups and downs. Shmoocon passed and I had an interesting weekend spending too much time at the bar, being a bit inspired, and discovering a mild distaste for the failures of so called security professionals.

My only real problem with the conference was the timing of the Ghost in the Shellcode event. I was really hoping to spend more time on a hostile network getting my laptop owned by people who actually know what they are doing. Unfortunately you have to choose between being engaged with the game or seeing talks, as they both finish at approximately the same time each night.

The keynote from Peiter Zatko, or the nom de plume we have always known as “mudge”, was far more intriguing than expected. The talk Jack Daniel gave at the firetalks was inspiring, and left me wondering if I’ll hit career burnout again or persist to fade away.

I have a much better understanding of the disgust and relentless torment the blackhat community provides the security industry. Unfortunately a large percentage of security professionals are not technically savvy, much less programmers. The business world has somehow failed to differentiate a theory consultant from an admin who has the skills to actually implement best practices. Hackers write code, discover flaws and new attack vectors, and compromise systems. The bulk of security professionals lack the ability to accomplish any of these tasks, nor do they even practice what they preach. Watching the traffic on the shmoocon-open SSID, I saw an alarming number of credentials of well known security professionals pass across the network. Allowing such information to cross a totally unsecured and extremely hostile network falls into the basic “things you just don’t do” category.

An epic flaw from those who preach about how flawed things are.

I wish I could say I wasn’t just as guilty as everyone else.


Posted: February 1st, 2011