I was very lucky this summer because the Security Office got some funding for training and footed the bill for another SANS course. I opted to go for SANS SEC504: Hacker Techniques, Exploits & Incident Handling. I did an “At Home” course this time, which met three times a week online and was taught by Ed Skoudis and John Strand. While I did like the self-paced learning that I had for SEC503, it was very cool to be taught by the folks that you always heard on and about PSW. Plus, I was able to make snide remarks in the chat window.
As much as I still wonder about certifications in general, I am starting to really like SANS courses. The course wasted little time on the basics and quickly had us rolling up our sleeves mucking about in what I classify as “cool sh*t”. While I did have stretches where I was just nodding and going “yeah… yeah… know that… uh-huh…” I would occasionally see or hear something, go “Oooh!”, and write down some notes. The course consisted of 5 books of material, ranging from incident planning and handling to how to exploit systems, and then culminated in a capture the flag contest. I am ashamed to say the CTF was designed well enough that I could barely establish a toehold on the first server; I guess my days of staying up for an entire weekend and dominating the CTF at Northeastern are far behind me.
Although the course itself wrapped up sometime in the summer, I finally took my certification test today and passed with flying colors. I am happy to report that I have even more alphabet soup after my name and I am now “Ben Jackson, GCIA, GCIH”.
http://www.sans.org/security-training/hacker-techniques-exploits-and-incident-handling-40-mid
Posted by Ben Jackson at 11:01 pm on November 2nd, 2009.
Categories: Information Security, Personal.
Tags: computers, infosec, rants, training.
From the Boston Globe (Emphasis Mine)
A junior at Needham High School posted students’ schedules and identification numbers and teachers’ classroom rosters on his Facebook account after hacking into an online student information system, school officials said yesterday.

Posted by Ben Jackson at 11:48 am on August 26th, 2008.
Categories: Information Security.
Tags: computers, fail, security.
I have always been a fan of the Flea at MIT. A Cambridge institution, I can remember being introduced to it my Freshman year at college with the promise of cheap computer equipment. It did not disappoint and it instantly turned me into a die-hard flea market rat. I would arrive an hour before the gates opened to get up in the front of the line. My arrival time, while inconvenient, would almost always pay off; by the time the gates opened the lines would stretch down around the block. I would sometimes be starting my second loop around and still see people waiting in line to get in. I reveled in the smell of musty electronic equipment; haggling with vendors, rummaging through boxes, and lugging home backpacks full of electronic junk that would deck out my dorm room. It was a six story parking garage of nerdvana.
After moving down to New Bedford, the logistics of getting up to Cambridge became more complicated. That, coupled with the fact that I now had to store all my tech in a much smaller room, meant I only went to the flea occasionally. Yesterday, I drove up with Steve, KB1MEH, to my first flea of the year, and I was blown away at how small the flea had become. While the outside was filled with the usual vendors, and there were quite a few deals there, what was once a nearly filled-to-capacity parking garage didn’t even have a complete floor filled. Steve informed me that it was a similar scene the month before when he went.
On the ride home, I thought to myself about the proclamations of “Ham Radio is dying!” and the subset of that, “Hamfests are dying!”, and wondered how they applied to the Flea. While the Flea can be classified as a “Hamfest” and you can often find radios for sale, the amount of computer gear outnumbered the amount of radio gear easily 4:1. What did this mean?
After some thought I came to a conclusion: What we are seeing is the mainstreaming of computer gear that occurred in the early 2000s. Computers are now a consumer technology and the vast majority of consumers are likely to toss them out at the end of life. Since older technology has a very limited life-span, the glut of “vintage” technology for sale in the late-1990s and early-2000s is now completely worthless and is likely to join its older counterparts in the recycling center or dump. What doesn’t will likely make its way to eBay or Craigslist rather than the flea market, as it is a lot easier to post an ad online than to set up shop at a flea market that smells of BO and musty electronics.
I think we may be seeing the same thing on the Hamfest side. With the more non-user-serviceable nature of new radios, when they break, it can often be cheaper to replace them rather than fix them. With this shorter life-span of radios and the convenience factor of online marketplaces, we will likely see flea markets, tech or otherwise, continue to shrink.
I am very happy that I nabbed some cheap ceramic insulators and some more connectors for my budding projects, though.
Posted by Ben Jackson at 12:56 pm on August 18th, 2008.
Categories: Personal.
Tags: computers, Ham Radio, mit flea.
NOTE: This weblog, and especially this post, is my own opinion and has nothing to do with my employer.
If you’ve been paying attention to the usual DEFCON brouhaha this weekend, you’ll note that my fine public transportation system decided to file an injunction against 3 MIT students who tested the MBTA’s security and successfully reverse engineered the Charlie Card. Too bad the presentation deck had already been released. Whoopsie!
As a surly information security engineer and a regular MBTA rider, I feel that I can more-or-less discuss with some authority the issues discussed in the presentation deck.
First, the physical security issues they discuss are spot on. As any regular rider of the MBTA knows, there are near constant issues with “exit only” doors unlocked or left wide open and people zipping through open gates when someone is exiting. The MBTA “customer service agents” either ignore it or flat out don’t care. On the Green Line (Which are trolleys, for you non-Bostonian folk.) people regularly get on via a rear door completely bypassing the fare collection system up front. Hell, even the MBTA Police seem to not want to deal with it. As someone who drops $250/month on the MBTA, I am the one who ends up getting screwed.
Social engineering the employees is always one of the biggest issues and the hardest to protect from. As shown in the deck, one can hit up eBay and make oneself into a true blue MBTA employee. I’ve seen first hand (badly) forged MBCR (MBTA’s commuter rail contractor) credentials being used by people to scam free rides. The MBTA spends big bucks on their Anti-Terrorism education campaigns; perhaps that would be better spent in educating their employees to do the same and teaching them to start securing their infrastructure. They should also start classifying their information and at least try to keep “non-public” information somewhat private.
The Charlie Card issues are trivial. I long suspected that the stored value cards were similar to the New York Metro Card and would be vulnerable to a cloning attack or could be easily reverse engineered. These guys sat down and did it. From what I can glean regarding the RFID attack, the encryption key is trivial to crack and can be brute forced rather quickly. Had the MBTA opted to go with a more secure RFID system, this would be a lot harder to break, and from the sounds of it, more secure fare collection systems exist.
I’m somewhat pleased at the local media coverage on this. They seem to be painting a fair picture of the situation. So, Kudos to them.
In my not so humble opinion, the MBTA is 100% in the wrong on this. The judge should not have issued the gag order and the presentation should have gone forward. By doing so, the MBTA squashed discussion on its security, and has made itself even less secure in the process.
UPDATE: Apparently k4sac from twitter submitted this to digg. If you liked the post, consider feeding my ego and giving it a bump.
Posted by Ben Jackson at 10:27 am on August 11th, 2008.
Categories: Information Security.
Tags: computers, defcon, mbta, security.
I am still recovering from The Last HOPE. What a weekend. My presentation went very well. While a few of the small jokes fell flat, it went very well. I don’t remember so many people coming up to me during the rest of the conference telling me they liked my presentation. So I guess people liked it.
Without further ado, my presentation:
- Ghetto IDS and Honeypots for the Home User PPT (4.2MB)
- Ghetto IDS and Honeypots for the Home User PDF (1.8MB)
Posted by Ben Jackson at 11:44 pm on July 20th, 2008.
Categories: Information Security, Personal.
Tags: computers, honeypots, security, the last hope.

Twitter Love Day Logo courtesy of Jennifer Leggio
If you have been following Twitter scuttlebutt recently, you’ll know that today is the day of the great “Twit-Out” in which certain users are abandoning twitter for a day to move to FriendFeed, an alternative service. Jennifer Leggio (aka @mediaphyter), who more or less got me hooked on Twitter by making it part of SOURCE Boston, had issues with the boycott and has come out with an alternative concept called “Twitter Love Day” in order to show support for Twitter, but also point out its shortcomings and try to offer suggestions.
I am very much in Jennifer’s camp. I don’t think a boycott helps anyone, but a bit of a “twitter intervention” (twitvention?) is constructive, as people are letting twitter know that while yes, we love your service, there are major issues you need to fix.
Jennifer has posted a good list of suggestions for Twitter, and I agree with most. However, there are a couple that I feel are wrong:
- Limiting API calls – Twitter has a great API. It is allowing people to build a plethora of applications for Twitter. However, this does put a healthy load on the servers. I think the idea that Twitter should further limit API calls from 70/hr down to something lower is the wrong direction. I think twitter should encourage people to be using 3rd party applications instead of hitting their website. Of course, I’m assuming that generating API responses generates less traffic than website hits. But, if it isn’t, shouldn’t it be?
- Groups and Tags – I think Twitter’s advantage is its simplicity. It doesn’t try to be everything to everyone, just provide a framework that people can extend. I do like the idea of filtering based on message tags, but I think that should be done on the end-client, rather than Twitter itself. Doing it this way would also provide incentive for users to move away from the web and to API-based utilities.
There is one I agree with wholeheartedly:
- Talk to Us – For the love of God, talk to us, tell us ANYTHING. Please *explain* why there is downtime. Tell us what we can do to help, even if it’s “tweet less”. Just tell us SOMETHING.
Anyway, only time will tell if Twitter continues ticking along or if the twit-out people are the smart ones who can see the storm on the horizon. I’ll be sticking it out for a while, downtime and all.
Posted by Ben Jackson at 10:51 am on May 21st, 2008.
Categories: Social Web.
Tags: computers, Social Web, twitter.
Over the past few months, work generously paid for me to take a SANS course online. I opted to take “SEC503: Intrusion Detection In-Depth.” This was my first “certification” type course, and overall I was pleased. The course was on-target and wasted no time getting dirty into the nuts and bolts of the topic. It was very well done and despite me knowing a bunch of the basics, more often than not it was new territory for me and I had a ball learning it. There were areas which I wondered how useful they were going to be (Attacks against rsh? Really?) but I’d say 95% of the material was relevant to me in dealing with my day-to-day tasks. On the exam, I kicked ass and took names. So now, I am a GIAC Certified Intrusion Analyst. Bow before me.
I’ve always wondered about certifications. While there are people who have them that are very clueful, there is a sizable group who are certified who I often wonder if they really know how to use it. Now that I’ve gone through the process, I still wonder. I now have a sheet of paper that says I can be given a packet dump and tell you if you are doomed or not. While I feel that I am reasonably adept in studying IDS alerts and getting a reasonably good idea as to what is going on, I don’t think I should be put in charge of a large IDS system any time soon.
I’m not knocking certifications. They are a good thing and I believe it does show that I do (partially) know what I am talking about when it comes to these things. More than anything, it shows that I know the basics, I can sit down and field questions tossed at me, and I can answer a 150 question exam. Nothing more, nothing less. What worries me is that people take these certifications as gospel and are ready to proclaim people experts by the amount of letters after their name rather than their experience on the ground.
OK… Meandering Rant off.
Posted by Ben Jackson at 5:59 pm on May 20th, 2008.
Categories: Information Security, Personal.
Tags: computers, infosec, rants, training.
One of my duties at my job is to maintain the lab environment that we have to do our super 31337 skunk works projects in. As we all are quite lazy and don’t have room for gobs of hardware, we make good use of virtualized machines to do our projects. One of the annoying issues that keeps popping its head up every time we need to install a fresh desktop install is that Windows XP does not like to run within VMware ESX server. It’s frustrating and there is no real tutorial online with a definitive set of answers, just a bunch of forum posts with tidbits of info that, if you arrange them correctly, you can piece together into what to do.
So, without further ado, here is how to make Windows XP install onto a VMware stock VM machine:
- Download the VMware SCSI Disk image from the VMware Drivers & Tools download page. Save the image somewhere where you can locate it easily.
- Follow the normal procedure for creating a VMware machine for Windows XP.
- Select the machine in the Virtual Infrastructure client and select “Edit Settings”

- On the settings screen, select the SCSI controller, then in the upper right click “Change Type…”

- On the “Change SCSI Controller Type” screen, “LSI Logic” should be selected. Change that to “BusLogic”. Click OK.

- Click OK on the settings screen.
- Open the console of the Virtual Machine and Power it On.
- During the VMware POST, press Escape to access the Boot Menu.
- Click the “Virtual Floppy 0” button and select “Connect to Floppy Image…”

- Select the floppy image that you downloaded from VMware in step 1.
- Click the “Virtual CDROM” button and connect it to your install media
- On the console select “CD-ROM Drive” and press Enter to boot from the CD-ROM
- Immediately when the Windows installer boots, you will see at the bottom of the screen “Press F6 if you need to install a third party SCSI or RAID driver.” Press F6. Windows will continue loading the installer.

- Windows will eventually prompt you to load additional devices. Press “S”

- There will be only one option: “VMware SCSI controller” Press Enter.

- That will take you back to the previous screen. You are done. Press Enter.

Windows will continue loading and now pick up the hard drive that you specified during the Virtual Machine creation process. You’re all set.
Posted by Ben Jackson at 4:25 pm on May 20th, 2008.
Categories: Software.
Tags: computers, microsoft.
There has been a lot of hub-bub regarding Debian’s SSL PRNG issues. I’ve also heard some people saying how this is mostly a non issue or that just upgrading your OpenSSL package will fix it. Let me state, for the record, that this issue is bad. Bad Bad. Bad Bad BAD. Just upgrading your packages won’t solve it. You need to regenerate any kind of certificates on your machine after upgrading. The big thing is SSH: If you use SSH on your Debian boxes you need to regenerate your encryption keys immediately. Not doing so puts you, and any of your users, at risk. You’re just as safe using telnet.
After googling for a bit there was no clear tutorial on exactly HOW to upgrade your keys in Debian, so I copied and pasted what I did on my Debian box to give a quick tutorial. User input is on the lines beginning with the telstar prompt:
telstar:/home/bbj# ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ''
Generating public/private rsa key pair.
/etc/ssh/ssh_host_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
c7:87:51:db:65:7b:d1:58:65:23:85:e0:a2:70:52:68 root@telstar
telstar:/home/bbj# ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
9d:91:02:33:cc:13:8a:7a:67:81:29:e5:50:6d:12:51 root@telstar
telstar:/home/bbj# ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
Generating public/private dsa key pair.
/etc/ssh/ssh_host_dsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
76:1e:ac:8c:49:dd:33:d5:d5:d5:bf:87:60:6f:c0:76 root@telstar
telstar:/home/bbj#
Voila! If you open up a new SSH session you should get the “ZOMG THE HOST SSH KEY HAS CHANGED!” Warning. If you get it, your keys have changed, and you are all set. Enjoy once again being secure.
EDIT: Of course, not even 20 minutes after I posted this, milw0rm tweeted a new exploit for weak Debian keys. So, fix it. Now.
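The same regeneration as a reusable script, added here as an example and not part of the original post: it wipes and regenerates each host key in a directory and compares fingerprints before and after, so you can confirm the keys really changed without waiting for the “host key has changed” warning on your next login. It assumes ssh-keygen is on PATH; it generates rsa and ecdsa keys rather than the dsa key shown above, because current OpenSSH releases refuse to generate DSA keys.

```shell
#!/bin/sh
# Added example, not from the original post. Regenerates OpenSSH host keys in a
# directory and counts how many fingerprints actually changed.
# Assumes ssh-keygen is on PATH. Edit KEY_TYPES to match the types your sshd uses.
KEY_TYPES="rsa ecdsa"

# Print the fingerprint of the public key beside $1, or "none" if there is none yet.
fingerprint_of() {
    if [ -f "$1.pub" ]; then
        ssh-keygen -l -f "$1.pub" | awk '{ print $2 }'
    else
        echo none
    fi
}

# Regenerate every key type in $1 and print how many fingerprints changed.
# Returns non-zero if ssh-keygen fails for any key type.
regen_host_keys() {
    keydir="$1"
    changed=0
    for ktype in $KEY_TYPES; do
        case "$ktype" in
            rsa) bits=2048 ;;   # same size the post uses for the RSA host key
            *)   bits=256 ;;    # ecdsa: NIST P-256
        esac
        keyfile="$keydir/ssh_host_${ktype}_key"
        before=$(fingerprint_of "$keyfile")
        # Remove the old pair first; ssh-keygen would otherwise stop at "Overwrite (y/n)?"
        rm -f "$keyfile" "$keyfile.pub"
        ssh-keygen -q -t "$ktype" -b "$bits" -f "$keyfile" -N '' >/dev/null || return 1
        after=$(fingerprint_of "$keyfile")
        if [ "$before" != "$after" ]; then
            changed=$((changed + 1))
        else
            echo "WARNING: $keyfile fingerprint unchanged ($after)" >&2
        fi
    done
    echo "$changed"
}

# Usage on a real host (as root, after backing up the directory):
#   regen_host_keys /etc/ssh
# Then restart sshd and expect the changed-key warning on the next client connection.
```

Run it on a scratch directory first to see the before/after fingerprints; clients that have the old key cached in known_hosts will warn, which is exactly the confirmation the post describes.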
Posted by Ben Jackson at 10:22 am on May 15th, 2008.
Categories: Information Security.
Tags: computers, debian, infosec, linux.
I first stumbled across this report while I was at SecureWorld in Boston this spring. One of the Keynote speakers, Bret Arsenault, General Manager of Microsoft’s National Security Team, went over the 1H07 report and provided some spiffy bound hard copies for the attendees. It is really well done and a nice view of the current threats against the Windows Environment.
Now, Microsoft has released 2H07 for download. Sadly, no hard copies for me, but it’s still a very good read. Available are the complete report and a “Key Findings” section suitable for 50000ft views.
Posted by Ben Jackson at 10:39 am on May 9th, 2008.
Categories: Information Security.
Tags: computers, infosec, microsoft.