SecuraBit

Before It Bytes!

Posts about security topics or news.

What features do you want added to our website?

We already have a blog aggregation that we host at planet.securabit.com and our new exploit developer’s corner. There is also a guest form on our contact page, so if you’re interested in being on the show or doing an interview of any sort, please fill that out!

What else do you want us to have? Perhaps bringing back the forums or introducing a mailing list? Challenges? Pictures of cats with lockpicks?  Please leave comments!

Please note, if you want us to revive our forums, we’re going to conscript you into slave labor to admin them. Thanks 🙂

ThotCon and Hacking Tractors

This past weekend our newest SecuraBit co-host Dan Mitchell got a chance to attend ThotCon, a non-profit, non-commercial hacking conference held in the “Windy City”.  Here is what Dan had to say:

The conference benefits from strong support by a vibrant local hacking community and a nice mix of infosec professionals and underground hackers alike. I was impressed by the quality of the presentations and the amount of knowledge and information I was able to condense into my brain in just 10 short hours. On the topic of “time”, the conference kicked off with a most excellent presentation called “pwning time” by Mark Hardy. Mark, also known for his outstanding DEFCON presentation “A Hacker looks at 50”, is a veteran in the industry and somebody who personifies the true “hacking” spirit. Mark’s presentation was ultimately a bevy of wisdom on how we can better manage our time and figure out “what we want to be when we grow up”. I recommend checking out what he has to say; it is truly inspirational. By far my favorite presentation was given by Chris Roberts and Jesse Diekman, called “Planes, Trains and Automobiles”. It was during this presentation that I was introduced to “Tractor Jacking”, i.e. Chris and Jesse’s successful attempt at remotely hacking into the OS of large industrial tractors and taking them for a spin.  They also demonstrated how they were able to stand on a bridge and wirelessly hack into the OS (AUTOSAR) of passing cars and do everything from disabling the ABS to grabbing and reading sensitive configuration files. The presentation was simultaneously frightening and hilarious and served as a reminder that the vulnerability landscape extends far beyond mobile devices, cloud services, desktops and servers.

Dan had the opportunity to speak personally with Chris after his presentation and we will hopefully be arranging to get him on the show soon. All of the presentations will be available on the ThotCon website in the near future. If you are looking for a unique hacker con, one that is different from the run-of-the-mill cons we see every year, ThotCon is definitely worth checking out.

Let the phishing begin!

If you stay in hotels, have a bank account or credit card, or shop (online, from your TV or good old fashioned brick and mortar), there’s a good chance you will be the proud new owner of some data breach notification emails. Yay.

Last week Epsilon Data Management notified its customers of a data breach. In turn, Epsilon’s customers, including hotel chains, banks, retail stores, etc. (see the Krebs on Security link below for a more complete list), are now notifying their own customers.

Here is some great coverage, as well as possible implications and recommendations if your organization may be sharing data with third parties:

Krebs on Security: Epsilon Breach Raises Specter of Spear Phishing

CAUCE: Epsilon Interactive breach the Fukushima of the Email Industry

SANS Internet Storm Center: When your service provider has a breach

Email below from Best Buy Reward Zone:

__________________________________________________

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:

http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx.

Sincerely,

Barry Judge

Executive Vice President & Chief Marketing Officer

Best Buy

__________________________________________________

We feel better now knowing “the only information that may have been obtained was your email address and that the accessed files did not include any other information.”  We’re doomed if we need to rely on Geek Squad to help prevent us from future attacks.

sigh….

 

NetWitness acquired by EMC

As you may have already heard, our sponsor NetWitness has been acquired by EMC.  You can read the full press release here.

Nothing will change from a SecuraBit standpoint.  We will continue to deliver our content and this will all be transparent to that.

Thanks again for visiting and listening!

Ashton Kutcher the poster boy for SSL?

Ashton Kutcher (@aplusk) was attending the TED Conference and it looks like someone may have run Firesheep against him to hijack his Twitter account. Two tweets were made by the hijacker:

Ashton, you’ve been Punk’d. This account is not secure. Dude, where’s my SSL?

Followed about 20 minutes later with:

P.S. This is for those young protesters around the world who deserve not to have their Facebook & Twitter accounts hacked like this. #SSL

It looks like the tweets are still in his feed, including a “kudos” to the people responsible. The cool thing is that a lot of mainstream media/entertainment/news outlets are covering this, so perhaps this is an opportunity to bring the issue of HTTP Strict Transport Security (HSTS) to wider attention. Or maybe more people will download HTTPS Everywhere. OK, maybe those are long shots, but maybe we could get a Public Service Announcement with Ashton and Demi Moore?

More importantly, maybe a high profile attack like this will get the attention of Twitter and Facebook.

Coverage from The Huffington Post

Coverage from the LA Times

ZDI Makes good on release of vuln information

Back in August the Zero Day Initiative, a program founded by HP’s TippingPoint, announced that they would be making changes to their process due to vulnerabilities which seemed to hang around forever. Because the timeline for disclosure of vulnerabilities had been controlled by the vendors, some appeared to drag their feet on patching them. Anyone who has seen the Stack of Shame over on HNN knows what they mean. To avoid this, the ZDI implemented a six month deadline, after which details of the vulnerability would be publicly disclosed.

Well, the six month birthday has hit for some vulnerabilities, and the ZDI has started releasing the information on vulnerabilities for some big name vendors such as Microsoft, CA, Novell, SCO and even TippingPoint’s parent, HP.

The details are available over at TippingPoint’s DVLabs blog.

We Don’t Suck! (As Much Anymore)

Allow me to direct your attention over to Geordy Rostad’s blog for just a minute. His recent post over at notanon.com gives, in my opinion, a very fair & accurate review of Episode 67 and SecuraBit as a whole. Geordy notes how we’ve evolved from our earlier “SecuraBeer”-type shows to deliver topics & guests that add value to the listening experience.

This progression is evident when listening to past shows in contrast to our latest releases. The podcast has grown & changed as we the hosts have grown and changed ourselves. When we released our first episode on May 3, 2008, we were fresh out of the Navy serving together at the same location. We thought we could do anything and say anything. This was evident in our content. Fast-forward about 2 and a half years and now you have a podcast hosted by still edgy, yet tempered hosts.

Going out on our own to Corporate America, civilian government, and government/military contracting has rounded us out. Nine-to-five life in a professional setting expanded our horizons as to what an audience expects and wants to hear. Who would have thought that anyone would want to listen to this podcast in an office environment?

All that being said, thank you, Geordy for the review.

Geordy Rostad’s site is http://www.notanon.com/ and his Twitter account is http://twitter.com/grostad

The ColdFusion Directory Traversal vulnerability

There has been a lot of noise over the past week about the ColdFusion Directory Traversal Vulnerability.  If you haven’t heard, the basic issue is that ColdFusion allows just about any file on the server (usually a Windows server) to be included by way of either a URL parameter or a form parameter.  Without special encoding, the vulnerability will let you grab any file ending in “.xml”, but by adding a “%00” to the parameter, just about any file gets included in the normal display of the ColdFusion Administrator login page.  This means that no authentication is required to pull this off.

The flaw is in the internationalization tags used by the Administrator pages, which include XML files to render the text for different languages in the CFAdmin section.  The XML files, in turn, aren’t really XML files; they contain large switch/case statements which, according to the arguments, spit out the value for the piece of text the XML file is called with.  The code calling the file uses user input to decide which file to grab but doesn’t properly sanitize the request, allowing the inclusion of other files from the same disk the CFAdmin section is living on.  As Adrian Pastor points out, CF runs under the SYSTEM account by default, which means access to any file on the drive, including the CF configuration files, which may contain things like database connection settings (with saved passwords which can be decrypted easily).  Adrian also points out that once an attacker gains access to the CF Admin, it’s game over.
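The pattern described above (user input picks the file, ".xml" is appended, a NUL cuts the suffix off) is modelled in Python below next to a hardened resolver. This is an added example, not Adobe's code or code from the original post; the function names, the locale-name format, the directory layout and the sample values are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: legitimate locale names look like "en", "ja" or "zh_CN".
LOCALE_RE = re.compile(r"[A-Za-z]{2,3}(?:_[A-Za-z]{2})?")


def naive_target(base_dir, value):
    """Model of the flawed pattern: concatenate user input, append ".xml".

    Lower-level file APIs treat NUL as end-of-string, so everything after a
    decoded %00 (including the ".xml" suffix) is dropped before the open.
    """
    joined = os.path.join(base_dir, value + ".xml")
    return os.path.normpath(joined.split("\x00", 1)[0])


def safe_target(base_dir, value):
    """Allowlist the name, then confirm the resolved path stays in base_dir."""
    if "\x00" in value or not LOCALE_RE.fullmatch(value):
        raise ValueError("rejected locale value: %r" % value)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, value + ".xml"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes locale directory")
    return target


def demo():
    """Run both resolvers over constructed inputs; paths are relative to a temp root."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        locale_dir = os.path.join(root, "admin", "lang")
        os.makedirs(locale_dir)
        for value in ["en", "../../settings", "../../settings.properties\x00en"]:
            naive = os.path.relpath(naive_target(locale_dir, value), root)
            try:
                safe = os.path.relpath(safe_target(locale_dir, value), root)
            except ValueError:
                safe = "REJECTED"
            results[value] = (naive.replace(os.sep, "/"), safe.replace(os.sep, "/"))
    return results
```

The naive resolver ends up outside the language directory for both constructed traversal values, while the hardened one only ever returns a file inside it.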

The patches provided by Adobe for the problem are quite simple, and in most cases shouldn’t even require a restart of the ColdFusion services.  The impact of the vulnerability is huge.  As Rafal Los, who rightfully calls this a “Disaster”, points out, there are a lot of ColdFusion servers with the Administrator pages available to the world.

Even worse, the vulnerability can be exploited on versions 6-9 (CFMX6, CFMX7, CF8, CF9), but Adobe is only releasing patches for versions 8 and 9.

Now for my confession.  I’ve been working with (and frustrated by) ColdFusion since version 4.5.  I understand how CF developers work, and how poorly the servers are administered in most installations.  In his post, Rafal Los offers some Google dorks for finding CF servers, and states that “There is really no legitimate reason to have a ColdFusion Admin interface on the public internet … really, I can’t think of one… yet there are many results!”.  So why are there so many results?

It is a combination of factors, laziness I’m sure being close to the top of the list, but there are others.  The primary reason that comes to my mind is the location of the ColdFusion Administrator directory, inside of the “/CFIDE/” directory.  This directory has other directories inside of it which are used by CF for things like form validation, rendering of graphs, etc. and as such some applications stop working if the entire directory is locked down.  This means the administrator (who may know nothing about ColdFusion) has to try to lock down the directories individually (in Adobe’s defense, the most recent version has a Lockdown Guide written by Pete Freitag which is well done).  I think the security of ColdFusion has suffered as a result of this mixture of programming functionality and server administration.
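Because the rest of /CFIDE/ often has to stay reachable, a quick check of the web server log shows whether the Administrator directory itself is being reached from outside, and whether any parameter carries traversal sequences or a NUL byte. The following is an added example, not part of the original post; the administrator path prefix, the trusted networks, the `lang` parameter name and the log lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: admin access is expected only from these management networks.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]
ADMIN_PREFIX = "/cfide/administrator/"  # assumed location under /CFIDE/
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (common log format, documentation address range).
SAMPLE_LOG = """\
10.1.2.3 - - [01/Sep/2010:10:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [01/Sep/2010:10:01:00 +0000] "GET /CFIDE/scripts/example.js HTTP/1.1" 200 900
203.0.113.7 - - [01/Sep/2010:10:02:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.9 - - [01/Sep/2010:10:03:00 +0000] "GET /CFIDE/administrator/index.cfm?lang=..%2f..%2fexample.txt%00en HTTP/1.1" 200 9000
"""


def is_trusted(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or garbage in the client field
    return any(addr in net for net in TRUSTED)


def triage(log_text):
    """Return (client, path, reasons) for each admin request worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().startswith(ADMIN_PREFIX):
            continue  # other /CFIDE/ subdirectories are used by applications
        reasons = [] if is_trusted(client) else ["admin-from-untrusted-network"]
        # parse_qsl percent-decodes, so %2f and %00 show up as "/" and NUL here.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if "\x00" in value:
                reasons.append("nul-byte-in:" + name)
            if re.search(r"\.\.[\\/]", value):
                reasons.append("traversal-in:" + name)
        if reasons:
            findings.append((client, parts.path, reasons))
    return findings
```

Any hit tagged `admin-from-untrusted-network` means the Administrator directory is exposed regardless of patch level, which matters most on the versions that will not receive a patch.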

Another problem is those older versions for which no patch is forthcoming.  CF developers are very wary of changing the version of CF their application currently works on.  Much of this comes from a botched move by Macromedia a long time ago, when their first version of ColdFusion MX 6 (6.0.0) became notorious for breaking apps and eating resources.  This means that there are now a lot of old applications which are on old versions of CF.

Unfortunately, ColdFusion is starting (well, continuing) to look a lot like PHP for its reputation in security circles.  Like PHP, CFML is easy to pick up, and makes it very easy to write applications.  It also makes it very easy to write insecure applications.  Most CF sites are vulnerable to SQLi, XSS, and LFI, much like PHP.  Now with a vulnerability like this in the core of ColdFusion, I can’t say the reputation it is gaining isn’t deserved.