Posts categorized “Information Security”.

Twitter Phish: Non-Event or end of the “Good Ol’ Days”?

Like many other Twitter users this weekend, I got the following DM from someone I followed:

Hey, i found a website with your pic on it… LOL check it out here <link>

As soon as it arrived, my spidey sense went off:

  • Unsolicited? Check.
  • Vague message? Yup.
  • Wants me to click on a link? Indeed.

This instantaneously causes me to think “Bad link! Do not click!” and I quickly tweeted my concerns. Thankfully many people did the same, which probably saved more than a few people from clicking the link. It did garner a fair bit of attention, since this was the first-ever phish that came via DMs on Twitter and some people are seeing strange activity on certain accounts, but for the most part it has faded back into the noise of a usual Monday morning on Twitter.

This was bad, and I feel it was the opening salvo in a major change in the way spammers operate on Twitter, but I think the worst may be yet to come. For those of you not on Twitter, the way spammers have been operating is by setting up an account, following a lot of people, then waiting for unsuspecting users to follow back. Once they feel that enough people have started following them, they start spamming their links. Now, with the phishing attempts, they can cut out the middle man and start spamming your follower lists with their links. Ruh Roh Shaggy…

Now, let’s ratchet this up to the next level. Imagine if the phishing page had some kind of exploit embedded in it. Let’s say @britneyspears posts “Hey guys, check out my new track at (link)!” Thousands of devoted Britney Spears fans clamor to hear their idol’s screeches talents and are directed to a page telling them to log in with their Twitter ID. That page exploits their browser and conscripts them into a botnet. The few who think Twitter is trustworthy fork over their credentials, at which point a PHP script logs into their Twitter account and DMs all their friends the same link with a random headline.

Lather.
Rinse.
Repeat.

Congratulations! We now have the first Twitter worm! With Twitter’s somewhat notorious instability under high load, at what point would we see a Twitter DoS?

This Twitter phish was bad. However, I think the community dodged a bullet and we may not be so lucky next time. Many people think Twitter is a safe sandbox on the Internet and not the same as their e-mail or IM. The million dollar question is how can we teach people that Twitter can be a nasty place before “the big one” hits?

What’s the opposite of FUD?

What’s the opposite of FUD? Unbridled optimism? Rose-colored glasses syndrome? Sheesh. @ryanaraine posted this on Twitter this morning: Microsoft to issue out-of-cycle patch for the ‘unknown exploit’. This features such choice quotes as:

It’s the kind of development that could give “zero-day” a whole new meaning: a wave of alleged Internet Explorer exploits, the total number of experimentally validated cases of which apparently numbers zero.

What in the Wide Wide World of Sports is “experimentally validated cases?” Did I miss something here? Is this some kind of new InfoSec standard that I was previously unaware of? How much verification do you want? Take your pick: ISC, Trend Micro, F-Secure, ZDNet, or the  Washington Post. What else does he want, have the hole paint itself purple and dance naked on the table in front of him singing “zero day exploits are here again?”

This IS being actively exploited. I have a list of sites that are being used to host exploits sitting in my INBOX right now. If you use IE, you need to patch ASAP or switch your web browser over to something else. To suggest this may not be “actually valid” is irresponsible and undermines the efforts of security people across the Internet.

Penetration Testing - Not Quite Dead Yet

There has been some hub-bub lately about Fortify saying that “Penetration is Dead! .. Oh yeah, and by ‘Dead’, we mean, not dead, but just different.” This was following a similar, but completely unrelated post by Jack Daniel stating that “Penetration testing is a farce and largely a waste of time and money.” While I am inclined to agree with Jack’s basic tenets regarding the two possible outcomes of penetration tests, and I do have a disdain for the term “ethical hacking”, I don’t think that the current model is going away, nor that it is useless.

There are two types of penetration testing that should exist: The kind of penetration test that is worked into the QA process, and the “How screwed are we?” audit-type penetration test. The former should be worked within the application development process, testing the codebase as the project moves forward and giving the application one last assessment before it moves into production. The latter is one where you have a no-holds-barred scan on your network. Both of these accomplish two similar, but different goals: Within the QA process, it gives you and the developers ideas on how secure a certain application is and if there are any show-stopping security bugs. As an audit, it gives you a better idea as to where the weak spots are on your network.

Both of these need to be done by an independent party that has no stake in the project. If you have an independent security team, they can usually handle the tests within the QA process. However, for audits, more often than not, it is a good idea to call in the consultants and let them go to town. Now, I loathe consultants and feel that they often aren’t worth half of what they charge, but there needs to be an air of impartiality toward upper management. Also, by not putting the security group in charge, it gives them equal time in the crosshairs, something that may be glossed over if they are the ones running it.

More often than not, companies don’t have an independent security team. This has given rise to numerous “penetration testing” companies that specialize in shining a flashlight into all of the dusty corners of your applications and network. This is great and fills a vacuum for a lot of small businesses that just have a “computer guy” who realizes that security is an issue but does not have enough cycles to address it. However, the major issue is, as Jack correctly points out, that we don’t have a common criteria to judge what kind of “penetration test” we’re getting. Are we getting some ninja dropped into our environment to wreak havoc for a week, or are we having someone show up with Nessus, scan, and drop off a report later that day? Also, what happens afterward? Does a report get dropped off and the auditor washes their hands of it, or will they assist in the remediation phase? Does the report even get read by upper management? If management and IT are relatively clueless about what a good “penetration test” is, the potential for abuse is very high. When dealing with security, that is a very dangerous game to play.

I don’t have a solution to this, besides suggesting that outreach and education is key. The issue is who should be doing the outreach and do companies really want to be reached out to. There is no quick and easy solution to this, just like a “penetration test” is not a silver bullet for solving security issues.

Quality Assurance - Serious Business

So, the web is all abuzz with Obama being elected President. He has already set up Change.Gov for his transition, a first.

Personal politics and concerns about whether this is .gov worthy, or why we need this when we have presidentialtransition.gov, aside, this is an important lesson on why QA is important before putting your website/code/whatever into a production environment. People have a release early/release fast/release often mentality when dealing with code. This can be fine when you are dealing with a project that no one expects to be 100% on the first pass. But when you are dealing with a site that should be something of a flagship for your “brand”, it helps not to have embarrassing SNAFUs like this:

Also, this SCREAMS possible XSS security hole to me (Note, this isn’t my screenshot, I didn’t test this, nor do I condone or endorse probing .gov sites for security holes without permission)

All of this annoys me to no end as a security guy, as QA is when we usually get called in (at the last minute) to “make sure we’re secure.” More often than not, when I tell them that, in fact, they are not secure, I get “Well, we can’t fix that right now! We’ll fix it later in production!” from the developers, and they try to move forward until someone from management smacks them with a rolled-up newspaper. I’m thinking that this is a shining example of what happens when the developers go ahead without being smacked. Quality Assurance is a necessary step when moving a website forward. Yes it’s tedious, yes it’s annoying, but it will save you pain and embarrassment if you do it correctly.

(Hat Tips to Michelle Malkin for originally pointing out the site and dual_parallel for doing some in-depth research)

Tools, Twitter, and Terrorism

Over the weekend, the Federation of American Scientists posted a presentation by the Army’s 304th Military Intelligence Battalion. This presentation went over a few things, focusing on the use of mobile technology and the possible use of Twitter by terrorist cells either for Open Source Intelligence gathering (OSINT) or as a Command, Control, Communications, Computers and Intelligence (C4I) tool.

Needless to say, most of the population of Twitter has basically taken the report to mean “Oh my god, the Army thinks Twitter is a Terrorist tool!” and has dismissed the report out of hand. Even some security weblogs I read have been fairly dismissive of the report. After reading up on the report, I completely agree with its findings. I’ve had similar concerns floating in the back of my mind for a while now.

Twitter is a great tool for distributing information quickly, and while that is a good thing, it can also be used for not-so-good things as well. Twitter, with its mobile integration and the fact that everyone has a mobile device, makes an ideal distributed intelligence network. The report mentions that this was used to great effect during the Republican National Convention by dirty hippies activists in avoiding apprehension. The report looks at these uses and proposes three scenarios:

Scenario 1: Terrorist operative “A” uses Twitter with (or without) a cell phone camera/video function to send back messages, and to receive messages, from the rest of his cell… Other members of his cell receive near real time updates (similar to the movement updates that were sent by activists at the RNC) on how, where, and the number of troops that are moving in order to conduct an ambush.

Scenario 2: Terrorist operative “A” has a mobile phone for Tweet messaging and for taking images. Operative “A” also has a separate mobile phone that is actually an explosive device and/or a suicide vest for remote detonation. Terrorist operative “B” has the detonator and a mobile to view “A’s” Tweets and images. This may allow “B” to select the precise moment of remote detonation based on near real time movement and imagery that is being sent by “A.”

Scenario 3: Cyber Terrorist operative “A” finds U.S. [soldier] Smith’s Twitter account. Operative “A” joins Smith’s Tweets and begins to elicit information from Smith. This information is then used for… identity theft, hacking, and/or physical [attacks]. This scenario is not new and has already been discussed for other social networking sites, such as My Space and/or Face Book.

There are real-world examples of people using Twitter for things similar to Scenario 1 and 3 today, and while Scenario 2 is the most far-fetched, it is still in the realm of possibility. While I don’t think that there are currently terrorists actively designing operations with Twitter in mind, I do believe that it has registered with them. I’m also sure that information on Twitter is going to be mined by both sides, so it is important to make sure that the “good guys” know how it can be used against them and also how it can be used against the “bad guys.”

Figuring out your opponent’s next move is key in strategic battles, and researching all the options is key. The report came up with a few not-so-far-fetched scenarios in which Twitter plays a key role. Coming up with these scenarios allows people to plan to combat them. While it’s easy to dismiss the report as paranoia and think of Twitter as 100% Sunshine and Puppies, it is important to realize that, like any tool, Twitter can be used for good things and bad.

I don’t think you thought your cunning plan all the way through…

From the Boston Globe (Emphasis Mine)

A junior at Needham High School posted students’ schedules and identification numbers and teachers’ classroom rosters on his Facebook account after hacking into an online student information system, school officials said yesterday.

Anatomy of a Subway Hack - Banned in Boston!

NOTE: This weblog, and especially this post is of my own opinion and had nothing to do with my employer.

If you’ve been paying attention to the usual DEFCON brouhaha this weekend, you’ll note that my fine public transportation system decided to file an injunction against three MIT students who tested the MBTA’s security and successfully reverse engineered the Charlie Card. Too bad the presentation deck had already been released. Whoopsie!

As a surly information security engineer and a regular MBTA rider, I feel that I can more-or-less discuss with some authority the issues discussed in the presentation deck.

First, the physical security issues they discuss are spot on. As any regular rider of the MBTA knows, there are near constant issues with “exit only” doors unlocked or left wide open and people zipping through open gates when someone is exiting. The MBTA “customer service agents” either ignore it or flat out don’t care. On the Green Line (Which are trolleys, for you non-Bostonian folk.) people regularly get on via a rear door completely bypassing the fare collection system up front. Hell, even the MBTA Police seem to not want to deal with it. As someone who drops $250/month on the MBTA, I am the one who ends up getting screwed.

Social engineering the employees is always one of the biggest issues and the hardest to protect from. As shown in the deck, one can hit up eBay and make oneself into a true blue MBTA employee. I’ve seen first hand (badly) forged MBCR (MBTA’s commuter rail contractor) credentials being used by people to scam free rides. The MBTA spends big bucks on their Anti-Terrorism education campaigns, perhaps that would be better spent in educating their employees to do the same and teach them to start securing their infrastructure. They should also start classifying their information and at least try to keep “non-public” information somewhat private.

The Charlie Card issues are trivial. I long suspected that the stored value cards were similar to the New York MetroCard and would be vulnerable to a cloning attack or could be easily reverse engineered. These guys sat down and did it. From what I can glean regarding the RFID attack, the encryption key is trivial to crack and can be brute forced rather quickly. Had the MBTA opted for a more secure RFID system, this would be a lot harder to break, and from the sounds of it, more secure fare collection systems exist.

I’m somewhat pleased at the local media coverage on this. They seem to be painting a fair picture of the situation. So, Kudos to them.

In my not so humble opinion, the MBTA is 100% in the wrong on this. The judge should not have issued the gag order and the presentation should have gone forward. By doing so, the MBTA squashed discussion on its security, and has made itself even less secure in the process.

UPDATE: Apparently k4sac from Twitter submitted this to Digg. If you liked the post, consider feeding my ego and giving it a bump.

HOPE Presentation

I am still recovering from The Last HOPE. What a weekend. My presentation went very well. While a few of the small jokes fell flat, it went very well. I don’t remember ever having so many people come up to me during the rest of a conference telling me they liked my presentation. So I guess people liked it.

Without further ado, my presentation:

  • Ghetto IDS and Honeypots for the Home User PPT (4.2MB)
  • Ghetto IDS and Honeypots for the Home User PDF (1.8MB)

Alphabet Soup: SANS, GIAC, GCIA, and Cluefulness

Over the past few months, work generously paid for me to take a SANS course online. I opted to take “SEC503: Intrusion Detection In-Depth.” This was my first “certification” type course, and overall I was pleased. The course was on-target and wasted no time getting into the nuts and bolts of the topic. It was very well done, and despite my knowing a bunch of the basics, more often than not it was new territory for me and I had a ball learning it. There were areas where I wondered how useful they were going to be (attacks against rsh? Really?), but I’d say 95% of the material was relevant to my day-to-day tasks. On the exam, I kicked ass and took names. So now, I am a GIAC Certified Intrusion Analyst. Bow before me.

I’ve always wondered about certifications. While there are people who have them that are very clueful, there is a sizable group who are certified who I often wonder if they really know how to use it. Now that I’ve gone through the process, I still wonder. I now have a sheet of paper that says I can be given a packet dump and tell you if you are doomed or not. While I feel that I am reasonably adept in studying IDS alerts and getting a reasonably good idea as to what is going on, I don’t think I should be put in charge of a large IDS system any time soon.

I’m not knocking certifications. They are a good thing, and I believe it does show that I do (partially) know what I am talking about when it comes to these things. More than anything, it shows that I know the basics, I can sit down and field questions tossed at me, and I can answer a 150-question exam. Nothing more, nothing less. What worries me is that people take these certifications as gospel and are ready to proclaim people experts by the number of letters after their name rather than their experience on the ground.

OK… Meandering Rant off.

Regenerating your Debian SSH Keys

There has been a lot of hub-bub regarding Debian’s OpenSSL PRNG issue. I’ve also heard some people saying this is mostly a non-issue, or that just upgrading your OpenSSL package will fix it. Let me state, for the record, that this issue is bad. Bad Bad. Bad Bad BAD. Upgrading the packages fixes the generator, not the keys it already produced: you need to regenerate any certificates and keys that were created on the machine while it was broken. The big thing is SSH: if you use SSH on your Debian boxes, you need to regenerate your host keys immediately. Not doing so puts you, and any of your users, at risk. You’re just as safe using telnet.

After googling for a bit I found no clear tutorial on exactly how to regenerate your keys on Debian, so I copied and pasted what I did on my Debian box as a quick tutorial. The commands I typed are the lines after the telstar:/home/bbj# prompt; everything else is ssh-keygen’s output:

telstar:/home/bbj# ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ''
Generating public/private rsa key pair.
/etc/ssh/ssh_host_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
c7:87:51:db:65:7b:d1:58:65:23:85:e0:a2:70:52:68 root@telstar
telstar:/home/bbj# ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
9d:91:02:33:cc:13:8a:7a:67:81:29:e5:50:6d:12:51 root@telstar
telstar:/home/bbj# ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
Generating public/private dsa key pair.
/etc/ssh/ssh_host_dsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
76:1e:ac:8c:49:dd:33:d5:d5:d5:bf:87:60:6f:c0:76 root@telstar
telstar:/home/bbj#

Voila! If you open up a new SSH session you should get the “ZOMG THE HOST SSH KEY HAS CHANGED!” warning. If you get it, your host keys have changed, and you are all set on that front (hand the new fingerprints to your users out of band, because that same warning is exactly what a man-in-the-middle produces). The host keys are only half of it, though. Any user key pair generated on an affected box (~/.ssh/id_rsa, id_dsa) is just as weak, and so is every authorized_keys entry on other machines that was built from one; DSA keys are worse still, because a DSA signature made with the broken PRNG leaks the private key even if the key itself was generated somewhere safe. Debian’s openssh-blacklist package and the ssh-vulnkey tool will check the keys on a box against the known-weak set, so run that before declaring victory. Enjoy once again being secure.
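To make concrete why “regenerate everything” is the only fix, here is an added example (not the post’s own commands, and not Debian’s ssh-vulnkey source) that simulates the problem and the blacklist check that catches it. The broken generator’s only remaining entropy was the process ID, so on a default Linux box (pid_max 32768) each key type and size could take only a few tens of thousands of values, which is why a precomputed blacklist was feasible at all. The weak_modulus function below is a constructed stand-in for real RSA generation, chosen so the whole keyspace can be enumerated in about a second; the ssh-rsa wire encoding and the colon-separated MD5 fingerprint are the real OpenSSH formats, so the fingerprints look like the ones ssh-keygen printed above. The sample authorized_keys text is constructed.

```python
# Added example: enumerate the keyspace of a PID-seeded "generator" and check
# keys against the resulting blacklist, the way Debian's ssh-vulnkey did.
# weak_modulus() is a CONSTRUCTED toy, not RSA; everything else is real format.
import base64
import hashlib
import struct

PID_MAX = 32768  # Linux default pid_max; the weak generator could not emit more keys than this


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, with a leading 0x00 when the high bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_rsa_pubkey(e: int, n: int) -> str:
    """Build an authorized_keys / .pub style 'ssh-rsa <base64 blob>' line."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def md5_fingerprint(pubkey_line: str) -> str:
    """Classic OpenSSH fingerprint (what `ssh-keygen -l` printed in 2008):
    MD5 of the decoded key blob as colon-separated hex, e.g. c7:87:51:...:52:68."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return ":".join(f"{byte:02x}" for byte in hashlib.md5(blob).digest())


def weak_modulus(pid: int, bits: int = 2048) -> int:
    """CONSTRUCTED stand-in for the broken generator: the 'modulus' is a pure
    function of the PID, so any two boxes that ran keygen under the same PID
    end up with the identical key."""
    stream = b""
    counter = 0
    while len(stream) < bits // 8:
        stream += hashlib.sha256(struct.pack(">II", pid, counter)).digest()
        counter += 1
    n = int.from_bytes(stream[: bits // 8], "big")
    return n | (1 << (bits - 1)) | 1  # force full length and oddness, like a real modulus


def build_blacklist(bits: int = 2048, pid_max: int = PID_MAX) -> set:
    """Enumerate every key the weak generator could have produced and keep the
    fingerprints. The keyspace is tiny, which is exactly why this works."""
    return {
        md5_fingerprint(encode_rsa_pubkey(65537, weak_modulus(pid, bits)))
        for pid in range(1, pid_max)
    }


def is_vulnerable(pubkey_line: str, blacklist: set) -> bool:
    """ssh-vulnkey-style check: the key is compromised if its fingerprint is in
    the precomputed weak set, no matter which machine it now lives on."""
    return md5_fingerprint(pubkey_line) in blacklist


def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Scan authorized_keys-style text (plain 'ssh-rsa <blob> comment' lines,
    no option prefixes) and return the fingerprints that must be revoked."""
    bad = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if is_vulnerable(line, blacklist):
            bad.append(md5_fingerprint(line))
    return bad


if __name__ == "__main__":
    blacklist = build_blacklist()
    # Constructed sample: one key "generated" on a broken box under PID 4242,
    # one whose modulus is outside the enumerable set.
    weak_key = encode_rsa_pubkey(65537, weak_modulus(4242))
    strong_key = encode_rsa_pubkey(65537, weak_modulus(4242) ^ (1 << 1000))
    sample = ("# constructed authorized_keys\n"
              + weak_key + " alice@telstar\n"
              + strong_key + " bob@telstar\n")
    for fp in audit_authorized_keys(sample, blacklist):
        print("REVOKE", fp)
```

The point the simulation makes is the one that matters operationally: the blacklist lookup does not care where a key file sits now, only whether it came out of the crippled generator, so an authorized_keys entry on a fully patched box is still a door if the key behind it was minted on a vulnerable one.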

EDIT: Of course, not even 20 minutes after I posted this, milw0rm tweeted a new exploit for weak Debian keys. So, fix it. Now.