Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
PaulDotCom Security Weekly - Episode 220 - For Thursday November 18th, 2010.
- Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.
Guest Interview: Rafal "Wh1t3Rabbit "Los
Rafal is a Security Specialist with Hewlett-Packard's Application Security Center (ASC). He combines research, evangelization, and commentary to educate, create awareness and point out the bullshit that exists in the Information Security industry.
You can follow Rafal via his blogs:
- How did you get your start in information security?
- Please tel us about your latest blog post Small Office, Big (Software/eHealth) Problems
- Tell us about how to best mitigate web 2.0 attacks and why the attack surface has increased with Web 2.0.
- Please explain what you mean about the lines between data and code for Web Apps.
- What can we do to solve the problem with Web App Security? Do we really need to license developers?
- What do you mean when you say infoSec folks are life insurance salesman?
- Latest blog post (Open Source eHealth software …how big of a risk is it really? (http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Small-Office-Big-Software-eHealth-Problems/ba-p/13209)
- It’s almost 2011, are our developers writing better software? Why or why not?
Special Guest Tech Segment: Dave "ReL1K" Kennedy on the Long Tail of Information Security
Special Guest ReL1K stops by to expand on his recent talk given with Ryan Macfarlane on the The Long Tail of Information Security.
Dave is a security ninja that likes to write exploits, break people, and develop code when he has spare time. Heavily involved with BackTrack and the Social-Engineer Framework, Dave works on a variety of open-source projects.
Currently, Dave is a Director of Information Security for a Fortune 1000 organization.
Mini Tech Segment: Installing pfSense on an Alix.6e1 by InternMike & PaulDotCom
We here at PaulDotCom love FreeBSD. We also love beer, and so we've been looking for an economical (read: cheap) way to install a firewall without raiding our beer fund. I also have to say, that I am totally in love with the ALIX.6e1 hardware platform:
2 10/100 LAN / 1 miniPCI / 1 miniPCI Express / AMD LX800 / 256 MB / 2 USB / DB9 serial port / CF Card slot / Board size: 6 x 6
pfSense is a FreeBSD-based project that has been special purposed for use as either a firewall or router. The project started in 2004 as a fork of the embedded firewall software package called m0n0wall. pfSense is focused towards full PC installations rather than the embedded hardware focus of m0n0wall. After some research, we decided to purchase the ALIX6E1 kit as there was a lot of web documentation for the project and well, because it was a sweet red color that made Larry crazy. Well, more crazy than his usual self.
First step: break out the credit card
As we hold a strong belief that you should purchase from the vendor whose Google page ranking is first in search results, we clicked the link to Netgate's ALIX 6E1. Netgate's ALIX 6E1 Costs $175, or roughly a box of PADRON 7000's
The kit includes:
- ALIX.6E1 system board (2/1/1/256/LX800)
- Laser etched red aluminum enclosure with USB and antenna cutouts
- Blank 2 GB Sandisk Ultra II CF Card
- 15V 1.25A 18W power supply (US 3 prong plug style)
You will also need a Compact Flash card writer for installing the pfSense operating system. The one we used cost $10.00 or one PADRON 1926 Series Cigar.
Next you will need the pfSense & physdiskwrite Software, Cost: FREE! (or what a sexy blond pays to drink beer at a frat party).
Second step: Download the necessary packages
We needed the embedded version specifically created for the 2GB CF card size. The embedded version performs only reads from the flash card, with read/write file systems as RAM disks as compact flash cannot handle many write operations. The embedded versions can be found on pfSense's mirror list
Third step: Install the pfSense operating system on our CF card
pfSense's documentation does a good job. We used a Windows PC as all our other boxes were busy umm analyzing pr0n, so we opted for the physdiskwrite method.
WARNING: Follow the documentation's advice and be sure you are not overwriting the wrong disk!
C:\Documents and Settings\All Users\Documents>physdiskwrite.exe pfSense-1.2.3-2g -20091207-1914-nanobsd.img physdiskwrite v0.5.2 by Manuel Kasper <email@example.com> Searching for physical drives... Information for \\.\PhysicalDrive0: Windows: cyl: 19452 tpc: 255 spt: 63 C/H/S: 16383/16/63 Model: ST3160812AS Serial number: 9LS0V1FC Firmware rev.: 3.ADH Information for \\.\PhysicalDrive1: DeviceIoControl() failed on \\.\PhysicalDrive1. Information for \\.\PhysicalDrive2: Windows: cyl: 244 tpc: 255 spt: 63 Information for \\.\PhysicalDrive3: DeviceIoControl() failed on \\.\PhysicalDrive3. Information for \\.\PhysicalDrive4: DeviceIoControl() failed on \\.\PhysicalDrive4. Which disk do you want to write? (0..2) 2 About to overwrite the contents of disk 2 with new data. Proceed? (y/n) y 2001194496/2001194496 bytes written in total C:\Documents and Settings\All Users\Documents>
Fourth step: Find a desktop PC for a serial connection to the Alix
You'll need either a USB to serial converter cable or a desktop PC to connect the serial cable. In OS X I've used the USB to Serial cable and software called "Zterm". You can also use the command line utility called "screen", or several other free programs.
Fifth Step: Bootup the device and fire up Windows' hyperterminal
Use the following settings for the connection:
- Baud rate: 9600
- Data: 8 bit
- Parity: None
- Stop: 1 bit
- Flow control: None
Now we boot into pfSense. As the bootloader comes there are 7 options listed. The first choice you will be asked is
“Do you want to set up VLAN's now [y|n]?” select no or 'n'.
Then you are asked to
“Enter your LAN interface name”,
We used 'fxp1'. Next,
“Enter your WAN interface name”
We entered 'fxp2'. Next,
“Enter the Optional 1 interface name”,
here we used 'fxp0'.
Using the above examples, you'd see “The interfaces will be assigned as follows:” LAN -> fxp1 WAN -> fxp2 OPT1 -> fxp0
Do you want to proceed [y|n]? (make sure you enter 'y' here).
pfSense is now running in RAM and almost fully functional. If you wish you may plug your LAN interface into a hub or switch and connect via the web interface. pfSense is by default assigned an ip of 192.168.1.1. Open your browser and navigate to http://192.168.1.
- If you choose to login the username is 'admin' and the password is 'pfsense'.
Guides & Further Reading
- http://doc.pfsense.org/index.php/ALIX_BIOS_Update_Procedure (We didn't have to do this)
Stories For Discussion
- So, you want to crack passwords - [Larry] - Mmm, Amazon releases EC2 GPU instances, stacksmashing.net shows us how to set one up and cracks a dozen 1-6 charager sha-1 hashes in 49 minutes (EC2 instance is$2.10/hr). You too can use the power of the cloud.
- The alarm has sounded! - [Larry] ….uhhhh, only a few months too late. Oh right, now that it has made it to congress, it is even more news worthy. News worthy in that China rerouted 15% of internet traffic to itself, much of that traffic for US Military or government IP blocks. Not the first time this has happened with China, and no way to know if it is malicious (DUH). Just goes to show how easy it is to screw up the internet with a little misconfiguration. Let's discuss weaknesses in routing protocols, shall we?
- V for Vendetta, C for Cisco? - Lovely bunch of coconuts, er, exploits. for Cisco video conferencing gear, all related to unix configuration issues. No patches form vendor, but a lame workaround exists. Default, unchangeable credentials, post auth command execution, and loads of configuration issues. I winder if this was some of the stuff used to play the V for vendetta squirrels video?
- 64 bit rootkits - [Larry] - Thanks Carlos for turning me on to this one. yay, now rootkits coming to 64 bit Windows 7, just in time for the holidays. Nice, uses, SCSI commands to rewrite the MBR to disable Kernel driver signing.
- Honeypots Simplify Network Security - [pauldotcom] - Honeypots have always been one of those things that people talk about implementing, but never get around to it. I think its time to turn the tide and give honeypots a higher priority. As the article states, "I've seen honeypots on a corporate LAN catch foreign industrial spies, snare trusted insiders gone bad, and alert security teams to the presence of a roving malware program that had gone unseen. In nearly 10 years of deploying honeypots, I've yet to create one that didn't find something malicious within a few days of being installed.". I think there is huge value in understanding the attacks coming at your network, and use it as an early warning system. As I've said before, your "darknet" space is a great place for a honeypot.
- Security Takes People - [pauldotcom] - I am a firm believer in this, security is about people, and it takes people to have good security. The article states that people need to be dedicated to patching, log monitoring, and incident response. It even goes deeper than this, people can create a culture. One of the most challenging places to implement security is a university, and probably one of the most signifigant wins was helping create a culture around security. This even goes beyond awareness, its working with people, understanding their needs, and helping them understand the reprecussions of "insecurity".
- Its not how many vulnerabilities, but about security practice - [pauldotcom] - Our good friend Brian Krebs points out flaws in a list about flaws. Its not about how many vulnerabilities a product has, but the window of exploitation. By far, for example, Firefox has a much shorter window of exploitation than IE. This makes sense, and its not about marketing. We need to ask hard questions, and point things out such as "For one thing, Adobe appears to have had more windows of vulnerability and attack against flaws in its products than perhaps all of the other vendors on the list combined.". Oh yea, Adoabe sucks, k, thx, bye.
- GHDB Re-Born - [pauldotcom] - Really quick, its awesome and being updated now. Rejoice!
- Firesheep Making Waves: What is safe? - I think Firesheep brings up an excellent point, no one is safe. This article from Zscaler says that WPA2 is safe. I agree its "safer", but its not safe. The real problem is there is no encryption, and therefore trust, model that really works for protecting your data. So, you can arp cache poison, take over routers, sniff traffic on the same network as the access point after the traffic is encrypted, etc... The real thing that Firesheep is trying to point out is that SSL sucks, and web site's implementations suck. Lets fix that problem, okay?
- HP Printers Directory Traversal - [pauldotcom] - No details on this one, boooooo! hisssssssss! Really grinds my gears, I am looking for more information on this one, please contact me if you have details. I think PJL is a nut yet to be cracked.