A quick look at AnonymOS v0.1

March 15th, 2012

A couple of days ago someone (claiming to be) from Anonymous released a prepackaged Ubuntu distro with a whole bunch of tools pre installed. I decided to fire it up in a VM and check what it does on the wire. I would not trust this OS one bit as it is probably backdoored.

The first thing it does (naturally) is send out a DHCP request and once it gets an offer, it immediately tries to join the MDNS IGMP group (224.0.0.251) and then performs a whole slew of MDNS queries. Once it is done, with MDNS it will then send out SOA queries to get some information about to domain it lives on. Some more tedious NTP lookups and then we get to some interesting stuff.

At this point, it started scanning the network for Canon printers that ran BJNP (a USB over IP protocol for printing). I do not currently have a printer that uses this but would love to set one up to see exactly why it scans for printers. I am not seeing any current exploits in either exploit-db or Metasploit so your guess as to why it scans for these printers is as good as mine. It did cross my mind that they could throw a 0-day but looking at Anon’s track record this is highly unlikely.

Now, the most interesting thing part of this is that it does a geoip lookup using geoip.ubuntu.com. What it does with this info is again beyond me. As far as I could tell, it was not using this information as I could not see any of the information anywhere in the filesystem. Also keep in mind it does this before you have the option to launch tor. You are not so Anonymous when using this OS.

So far, it looks like a legit OS but I am concerned with why it is scanning for those printers and what it may do with the geoip information but I have not uncovered why it does this yet. I will dig in a little further later.

Black Hat OSPF Vulerabilities

August 31st, 2011

This year at Black Hat, some researchers presented some new ways to inject routes into an OSPF network. I will not go into much technical detail on how they were able to do so but at the very beginning of the talk they made it clear that these methods assumed that the attacker already had the md5 authentication key. After the talk was over, I talked to multiple people about it and was completely surprised at how all of them were brushing it off or playing it down. From just the arguments against the talk, I can conclude that

  • If administrators are not using an authentication key then there are other serious problems
  • A simple authentication password is sufficient enough to stop attackers
  • We haven’t seen it used in the wild so we don’t need to worry

I think that is total and utter bullshit and here is why.

If administrators are not using an authentication key then there are other serious problems:
I am not going to disagree with that at all. It is super easy to turn on the authentication key and there should be no excuse for any semi-competent network administrator to not have done so but we can not assume that, because not everyone has. I can say specifically from my experience in the Network Technical Support realm, 9.8 times out of 10, when walking someone through setting up OSPF on their device, they specifically tell me to not set up an authentication key and enable OSPF on all interfaces. This could be because they want to see it working with the path of least resistance all the way to they don’t think authentication was necessary. Also, every time I went to troubleshoot an OSPF network, I not once saw it enabled. Please keep in mind that I have worked with some very LARGE companies with big teams dedicated to administrating their network and securing it.

A simple authentication password is sufficient enough to stop attackers:
I spoke with one friend who specifically stated “I got up and left once they said they assumed you already had the key.” With all the preaching about how it is so easy to abuse passwords and how we need a better system because passwords suck, I would have expected to hear a different response because thats all the authentication key is, a password. We have been cracking passwords for a long long time now and there has even been a very successful contest at Defcon the past few years aimed at cracking as many passwords as you can in 3 days. You will be amazed to see how many passwords they crack every year. In essence, it isn’t hard to crack a password these days. If you throw a team of Nvidia GPU’s at the problem, it can be solved in no time. Also, don’t forget about the speed of using rainbow tables. Oh, and there are also web based services revolving around cracking passwords. If there were not already a plethora of options for cracking passwords, here is a shot of me brute forcing an OSPF authentication key with loki

And since I am doing this just to prove a point and don’t want to wait for the brute force to complete, here is a shot of me successfully getting the authentication key via a wordlist

We haven’t seen it used in the wild so we don’t need to worry:
Out of any of the responses I have heard, this is the most absurd. I don’t feel I should have to say this to anyone involved in the Security Community but here it goes anyway.

Just because you haven’t seen it does not mean it is not currently or will never be exploited.

If I have to explain this then please give up reading anything else I have to say for the rest of time.

 

 

tl;dr
I think this is a very viable attack method that everyone else has been discrediting and playing down when they shouldn’t be.

lulzsec, a catalyst for change?

June 15th, 2011

Big headlining breaches are all over the news these days and the star of the show recently has been the group lulzsec. Lulzsec is extremely popular on Twitter right now due to their extremely cavalier approach to securing the Internet. As their name implies, they are in it just for the lulz and because it is just for the lulz, they put no restrictions on themselves. They gain access to companies, post stolen information, and openly mock said company for not being secure enough to stop them. Some agree with what they are doing and some disagree but the big question I have see is “Is lulzsec a necessary evil that will get companies to actually pay attention to the security of their own systems?”

I have heard security guys, for years, preach that companies are only skating by with the bear minimum when it comes to the security of their IT infrastructure. Its the mentality that you set the bar just slightly higher than your competitor so that attackers peruse the other guy first. From a business standpoint, I can see where it makes sense. You (theoretically) come out ahead with much less resources spent on the issue but it does not take the persistent threat into account and lulzsec is proving that. Notice how I left “advanced” out of that last statement? Persistence can triumph with a lack of advanced. As it appears right now, lulzsec is not advanced at all as they are utilizing basic SQL injection tactics to obliterate these companies. But are they a necessary evil?

I would have to say yes. Currently, there is no system that leaves companies accountable for less than reasonable security practices. I would like to point out the TJX breach as a prime example. After a breach of almost 50 million credit card numbers (by a WEP network), it seems they are going strong. I believe that they are still going strong because they play the roll of the innocent victim and people identify with that and continue shopping there. If lulzsec were to have been responsible for the TJX breach, there would have been no incentive to stay quiet for personal gain, and TJX couldn’t have played the victim card because lulzec would be publicly bashing them for having less than standard security practices. You can’t play victim when the main reasons you were breaches was because you aren’t doing it right to begin with.

I am personally cheering lulzsec on. Yes, what they are doing is illegal. Yes, they are hurting innocent bystanders in the process. And yes, they are causing catastrophe but until we come up with a better system for making companies accountable….we might as well have some lulz as we watch them be humiliated.

Somone Will Get In

February 14th, 2011

It seems more and more recently, Security companies are getting owned. The three notable ones in the past month or so have been Goatse Security, Ligatt, and HBGary. If you were not aware of who Goatse Security are, then you may remember the breach quite a while ago that exposed the email addresses of iPad owners. That breach was guys from Goatse Security. HBGary is an incident response company and Ligatt Security is a company that has gained more visibility in the Security World than it should.

I will look at the Goatse Security compromise first. A screenshot of the site after getting owned can be seen here. There is not a whole lot behind this other than it was done for the “lolz” and a “look what I did” kind of thing. HBGary and Ligatt are much more interesting.

The entire subject of Ligatt so much material to write about that it constitutes more time than I want to give Ligatt Security and Gregory D Evans. For all of the background on Ligatt/Mr. Evans please see Attrition.org. Now what happened recently was that the website Ligatt Leaks has gone live in an attempt to expose all of the things wrong with Mr. Evans. Some of the fallout from Ligatt Leaks is that someone had gotten into Ligatt’s mail server for several days, pulled down all of the mail and released all of it in a torrent.

HBGary is the most interesting out of the three I have noted. I had never heard of HBGary until one of their higher ups went public stating that he had found all of the personal information of the people that run Anonymous and would be selling it to the FBI. Not only did Anonymous rebuke the information stating that it was not correct but that HBGary was going to turn over innocent people to the FBI. This also angered Anonymous and so they took a page from the Ligatt book, got into HBGary’s mail server and released all of the emails stored there detailing their attack on Anonymous and how HBGary was planning to start targeting WikiLeaks donors.

Being a security shop and getting hacked is a pretty big blow to not only your ego but your reputation as well but it occurs all too often. Some further examples include Dan Kaminsky gets hacked, Kaspersky gets hacked, and Kevin Mitnick’s website hacked.

In my eyes, it comes down to the fact that you don’t write all of the software that you use (personally or for business). If you do not write all of the code yourself then you can not be 100% certain that there are no holes nor can you fully trust it (and even if you do write it 100% yourself, you are human and make mistakes). Being in the Security Industry also requires a sense of humility as there will always be someone who will be able to find a hole. The key is to not piss these people off and if they do find a hole, work with them to try and get it fixed. Do not paint a bullseye on your back and ask for you. Many people have done this and many have failed (see LifeLock CEO and StrongWebmail contest).

Having been keeping tabs on this industry for several years, I can tell you that there are plenty of people that I would not dream of pissing off because I know how good they are at attacking technologies and that I would not stand a chance against them. It just boils down to the fact that you need to assume everything is vulnerable and someone will get in.

.eg gone in the blink of an eye

January 31st, 2011

Over the past week, Egypt has been in an almost state of anarchy due to protesters calling for the resignation of the Egyptian president and government reform. Like most major protests, it has turned into the citizens vs government complete with teargas, riot gear, and car torches. Just like the 2009–2010 Iranian election protests, protesters started turning to the Internet to organize by using sites such as twitter and facebook. These sites were fairly quickly blocked by ISPs.

As the cat and mouse game takes effect, protesters start leveraging tools to get to services that have been blocked and Tor becomes a common tool for communicating across the Internet. The government was not happy about this so what do they do? Well last night, Egyptian ISP’s withdrew 3500 BGP routes. The effect of doing this was to blackhole 88% of all traffic to and from Egypt. Arbor Networks created a very good graph of internet traffic to and from .eg a little bit before and after the routes were removed.



This is very staggering and very scary as the US government has been lobbying to be able to do the exact same thing. There is a current petition online aimed at battling this “kill switch” here. I am very curious about what would happen if the US government ever decided to drop all Internet connectivity. I imagine it would only make whatever civil unrest even more of an issue.

 
     
); ?http://www.statcounter.com/free_hit_counter.html