Category Archives: Today I Learned: InfoSec

TIL: They should have called it DHCPDOS

Most mornings, you wake up and think you at least have a semblance of what your day will be like. But if someone tells you that you now have to worry about your DHCP server messing up your network, you might want to just go back to bed and stay there.

If you haven’t yet made DHCPwn an acquaintance, get yourself a cup of coffee and wake up to the sweet smell of IP Exhaustion.

The Dynamic Host Configuration Protocol server on your network sits around happily handing out IP addresses to machines on your network (identified by their MAC address).

  1. You turn on your computer.
  2. It requests a new IP address by sending over its MAC address.
  3. It gets assigned a new unused IP address.
  4. You’re now looking at Facebook marveling over how the girl that used to chug all of the Elmer’s glue in art class has now spawned her own Elmer’s glue chugging kid in some weird recursive Elmer’s glue Escher print of modern society.

This is where the trouble starts: DHCPwn impersonates an innocent computer on the network and just requests and requests and requests IP address leases from the DHCP server until there aren’t any left and nobody can get a new IP address to check on the status of the young glue eater.
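From the defender’s side, the behaviour above is visible in the DHCP server’s own logs. As an added example (not part of the original post), here is detection logic run over constructed log lines modelled on ISC dhcpd’s syslog format: a burst of never-before-seen MAC addresses requesting leases, followed by the server reporting that the pool is empty. The 60-second window and the 20-MAC threshold are assumptions to tune for your network.

```python
"""Detect DHCP pool exhaustion (starvation) from dhcpd-style syslog lines.

Added example, not from the original post. Log lines are constructed, modelled
on the messages ISC dhcpd writes: "DHCPDISCOVER from <mac> via <iface>" and
"... no free leases". Thresholds are illustrative assumptions.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpd:\s+(?P<msg>.*)$")
DISCOVER_RE = re.compile(
    r"^DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>\S+)"
)
NO_LEASE_MARK = "no free leases"


def parse(line):
    """Split a syslog line into (timestamp, dhcpd message); None if it is not dhcpd."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; relative ordering is all the detector needs.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return ts, m["msg"]


def detect_starvation(lines, window=timedelta(seconds=60), max_new_macs=20):
    """Return alert strings for two starvation signals:
    1. more than `max_new_macs` never-before-seen MACs sent DHCPDISCOVER inside `window`;
    2. the server itself logged that it has no free leases."""
    alerts = []
    known = set()    # every MAC seen so far
    recent = []      # (timestamp, mac) of first-time DISCOVERs inside the window
    exhausted_reported = False
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        ts, msg = parsed
        if NO_LEASE_MARK in msg and not exhausted_reported:
            alerts.append(f"{ts:%H:%M:%S} pool exhausted: {msg}")
            exhausted_reported = True
        d = DISCOVER_RE.match(msg)
        if not d or d["mac"] in known:
            continue   # renewals from known clients are normal traffic
        known.add(d["mac"])
        recent.append((ts, d["mac"]))
        recent = [(t, m) for t, m in recent if ts - t <= window]
        if len(recent) > max_new_macs:
            alerts.append(
                f"{ts:%H:%M:%S} {len(recent)} new MACs requested leases on "
                f"{d['iface']} within {window.seconds}s"
            )
            recent.clear()   # one alert per burst
    return alerts


def constructed_sample():
    """Constructed log: two normal clients, then 30 fresh MACs a second apart."""
    lines = [
        "Mar  3 08:00:01 dhcp dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via eth0",
        "Mar  3 08:00:01 dhcp dhcpd: DHCPOFFER on 10.0.0.10 to 00:11:22:33:44:01 via eth0",
        "Mar  3 08:00:02 dhcp dhcpd: DHCPREQUEST for 10.0.0.10 from 00:11:22:33:44:01 via eth0",
        "Mar  3 08:00:02 dhcp dhcpd: DHCPACK on 10.0.0.10 to 00:11:22:33:44:01 via eth0",
        "Mar  3 08:02:30 dhcp dhcpd: DHCPDISCOVER from 00:11:22:33:44:02 via eth0",
        "Mar  3 08:02:30 dhcp dhcpd: DHCPOFFER on 10.0.0.11 to 00:11:22:33:44:02 via eth0",
    ]
    for i in range(30):
        mac = f"02:00:00:00:00:{i:02x}"
        lines.append(f"Mar  3 08:05:{10 + i:02d} dhcp dhcpd: DHCPDISCOVER from {mac} via eth0")
        lines.append(f"Mar  3 08:05:{10 + i:02d} dhcp dhcpd: DHCPOFFER on 10.0.0.{12 + i} to {mac} via eth0")
    lines.append(
        "Mar  3 08:05:41 dhcp dhcpd: DHCPDISCOVER from 02:00:00:00:00:ff via eth0: "
        "network 10.0.0.0/24: no free leases"
    )
    return lines


if __name__ == "__main__":
    for alert in detect_starvation(constructed_sample()):
        print(alert)
```

On a real server you would feed the detector from the live syslog stream and tie the first alert to the switch port the DISCOVERs arrived on; the second signal (no free leases) is the point at which legitimate clients already start failing, so the first one is the one worth paging on.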

If you’re sick of having a bunch of software applications that don’t work well together, check out Varonis’ suite of awesomely integrated solutions for monitoring user network behaviors and permissions management. No glue necessary.

Today I Learned: There are some things you REALLY don’t want in bulk

Everybody knows that you can have too much of a good thing: high impact yoga, deep water yodeling, reading TIL posts while unicycling, or any hobby where you’re required to “shuck” things.

But what if you take an ordinary bad thing and raise it to the power of awful? In other words, you ratchet up the potential consequences of what otherwise would have been a fairly minor issue.

A great example of this is bettercap – a “state of the art, modular, portable and easily extensible MITM framework”. Bettercap amplifies an attack by positioning the attacker in the middle of the network traffic, so that the attack can be applied to any machine on the network.

A practical example of this is Simone Margaritelli’s writeup of how to autopwn every Android < 4.2 device on your network.

What makes this sort of exploit interesting is the explosion of rarely patched Android-based, we-put-a-chip-in-it style IoT devices. Today’s super secure version of Android is tomorrow’s bug-ridden zombie version of Android – and nobody’s bothering to patch their “smart” water bottles.

Need the network equivalent of being told that you drank 3.7530340 oz of water so far today, and that usually by this time you’ve consumed 5.3703083 oz?

What you really need is User Behavioral Analytics.

Today I Learned: Keeping Up with the Cryptolockers

It’s tough to keep up with CryptoLocker and the several quintillion other ransomware variants that have been released in the last couple years.

If you’re unfamiliar with ransomware, it’s the digital equivalent of an Adam Sandler movie. Your files are encrypted into mumbo-jumbo and you can’t get them back without paying way more than you should.

What’s really terrifying is that, through pure Darwinian Internet evolution, the ransomware packages have become robust enough that your recovery options are limited. Currently, they are:

  1. Pay the ransom. (Although this option is moot)
  2. Restore the files from a backup.
  3. Go online to see if a decryption tool exists.

Even in cases where it’s possible to use a recovery method, these methods often don’t work (to the surprise of absolutely no one). Virus and ransomware writers aren’t the best at updating their documentation. So, what one outlet is calling “Cryptolocker 4”, another may be calling the same thing something else.

To date, the best preventative approach is not to try to block specific ransomware variants, but instead to look at user behavior. DatAlert is great for this type of detection. And if it’s set up properly, you can even quarantine infected systems.

Today I Learned: Automatic Isn’t Always Good

As the world moves even faster and becomes more interconnected, we’ve come to accept that being automated is a good thing. Automatic cars outsell stick shifts, software updates automatically install, and Autobots have beaten the Decepticons three films running.

But what you probably don’t want is to have your network peeled apart at the web application by SQLMap – the Automatic SQL injection and database takeover tool.

SQLMap is a terrifying, Python-based, open source pentesting tool that can suss out vulnerabilities in MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB.

[Image: SQLMap screenshot. Source: sqlmap.org]

What makes SQL Injection bugs so scary is that there’s no “patch” that will stop them across the board. They’re introduced through specific patterns of application software development and can be successfully used against even fully patched and up-to-date systems.

I’d recommend you do the following:

  1. Check out the Troy Hunt Web Security Fundamentals course. The second chapter is specifically about identifying SQL Injection attacks, but the whole thing is great.
  2. Once you understand the fundamentals, download SQLMap and test your applications in bulk.

Today I Learned: HSTS Supercookies Taste Bad

If this were still the 90s and I still had Zack Morris style hair, this is where I’d make a pun, or clever ‘TeeHee’ about cookies. However, as we’re now living in what I once thought of as the far distant future, I’ll make a joke about how I’m really glad that the doctor came back and said I tested negative for HSTS.

With that out of the way, it’s important to know that HTTP Strict Transport Security is actually a good thing – a new browser security mechanism that lets a web server tell a browser: “For like totally serious Kelli Kapowski, every time you come back to this site, connect with SSL… and if you try to NOT use SSL I’ll shut you down like when Screech asked Jesse to the fall dance.”

To accomplish this, when your (modern) browser connects to a web server, it gets the HSTS directives (which subdomains should be SSL’d, for how long, etc.) and then remembers them. At which point the law of unintended consequences alarm bells should be going off – what one person might call a cached security directive, another sees as a distinct browser fingerprint personally identifying you as you wander around the Internet.
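To make the “remembers them” step concrete, here is an added example (mine, not from the post or from any browser’s code) that parses a Strict-Transport-Security header as RFC 6797 specifies and models the per-host cache a browser keeps. Host names and times are constructed. Each cached entry is one remembered fact about where you have been, which is exactly the state this post worries about; the same code shows how a site clears its own entry by sending max-age=0.

```python
"""Model of how a browser caches HSTS policy, per RFC 6797.

Added example, not from the original post or any browser. Times are plain
epoch seconds and host names are constructed.
"""


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value.
    Returns {"max_age": int, "include_subdomains": bool}, or None if the header is
    invalid (no max-age, a non-numeric max-age, or a repeated directive)."""
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # RFC 6797 allows a quoted-string value
        if name in seen:
            return None                    # duplicate directives invalidate the header
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # unrecognised directives are ignored, as the RFC requires
    if max_age is None:
        return None                        # max-age is mandatory
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsStore:
    """Minimal model of a browser's HSTS cache: one entry per host name."""

    def __init__(self):
        self.entries = {}   # host -> (expires_at_epoch_seconds, include_subdomains)

    def observe(self, host, header_value, now):
        """Record the policy a host sent (a real browser only honours it over https).
        Returns False if the header was invalid and therefore ignored."""
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self.entries.pop(host, None)   # max-age=0 tells the browser to forget this host
        else:
            self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def must_upgrade(self, host, now):
        """Would the cache force https for this host? An exact entry always applies;
        a parent-domain entry applies only if it carried includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue                   # expired entries are dead
            if i == 0 or include_subdomains:
                return True
        return False


if __name__ == "__main__":
    store, t0 = HstsStore(), 1_450_000_000
    store.observe("example.com", "max-age=31536000; includeSubDomains", t0)
    print(store.must_upgrade("www.example.com", t0))   # True: the cache remembers
    store.observe("example.com", "max-age=0", t0)
    print(store.must_upgrade("www.example.com", t0))   # False: the site withdrew it
```

Notice that the store is keyed by host name and nothing else. Whether a given name is present is observable to any page that can make the browser request it, which is why the post goes on to treat this cache as a fingerprint; as an operator, the only lever you hold is your own entry, and max-age=0 is how you remove it.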

Site operators can create a “SuperCookie” – an identifier for you that you can’t easily remove from your browser – by stacking a series of subdomains and selectively enabling HSTS on them.

The technique is described in more detail here:

More worryingly, HSTS leaks timing information – enabling a DIFFERENT website to selectively check your past browsing history via timing attacks.

This and other delightful techniques are covered in @bcrypt’s ToorCon presentation: Weird New Tricks for Browser Fingerprinting.

So get out there and have safe and private time on the Internet Bayside!

Today I Learned: How a Botnet Works

When many people think of “hacking” they picture leather-clad people wearing sunglasses at night, typing furiously at their computer, stealing secrets from a company while a pulsing techno beat underscores the scene.

Surprisingly, this is almost 100% true, with the exception being that it’s often not ‘secrets’ that people are after – it’s the use of other people’s computers to be put into a botnet.

Which is why Conor Patrick’s efforts to show what happens to a machine brought into a botnet are so interesting. He deliberately set up a vulnerable machine (a honeypot) and left it alone for a couple of months so he could observe its behavior.

Botnets are interesting in that they are, in many ways, a self-perpetuating organism that lives on the Internet. Its members:

  • Communicate with one another over IRC
  • Move from computer to computer
  • Accomplish tasks
  • Self replicate (infect more computers)

If you’d like to get notified if one of your user’s accounts starts acting weird and suddenly self-replicates across the Internet, we’d recommend using DatAdvantage to analyze and track their behavior, build a profile and light off flares if their behavior suddenly changes.

Today I Learned: Malware for the Public Good

Each week, we’ll bring you the latest news on exploits, protecting your perimeter and keeping your data secure. Informative. Entertaining. Best of all, each post is like an energy bar for IT! It’ll take you less than 2 minutes to read. Enjoy!

Malware isn’t just a word to describe Serenity’s Browncoat captain. It’s the catch-all term for the venomous soup of viruses, ransomware, ad injectors and other horrible bits of software that make the Internet a hive of scum and villainy.

So, it’s just darn weird when a piece of Malware does something useful: like the recently detected Linux.Wifatch. Wifatch scans the internet for WiFi routers and other Internet of Things (IoT) devices with default or very easily guessable passwords (aka “password”) and then patches them up to try and make the vulnerable surface area of the Internet a little smaller.

While a noble and altruistic goal, it’s still complicated and points to the deep degree to which the interconnectedness of systems doesn’t necessarily match the intentions of their owners. Are my parents complicit in DDOS’ing a website in the Ukraine if they don’t update their router’s password? Did they consent to let random security researchers update their router to prevent abuse?

White Team (who developed Wifatch) do seem to be working in the legitimate public interest, but it’s a bit like someone putting a padlock on your front door to prevent burglary without your consent.

If you’d like to know what’s happening on your network before a do-gooder attempts to patch it for you, check out DatAlert.

Today I Learned: Ducking and Weaving around Firewall Rules

Developers moving from compiled languages to web development are often taken aback by how permissive browsers are about layout and markup.

In a normal programming environment, leaving a stray semicolon or a few extra lines of text from Moby Dick in the middle of your application would result in a stream of errors – not so with HTML. Web browsers will attempt to display almost anything you throw at them, so it’s no surprise that the corporate firewalls can be bypassed in a similar way.

Steffen Ullrich has created a really interesting tool called ‘HTTP Evader’ which enumerates these malformed-but-accepted conditions so that they can be rapidly tested.

He gives the example of pairing an older HTTP header with a modern HTML declaration – essentially creating a unique request type that a firewall isn’t prepared to handle, which would most likely result in a malicious request being let through.

If you’re currently behind an intrusion and malware detecting firewall, you can check it here.

Want to go beyond firewalls and check if your users’ behavior matches what they’re actually supposed to be doing? Get a demo of DatAdvantage and find out how much you can tighten your network file permissions.

Today I Learned: Man in the Middle Executables for Fun and Strictly Not for Profit

The fine folks at peinjector.eu want to be really upfront with you about how their suite of open source tools for:

  1. Inserting themselves between a user and the data they requested,
  2. Reading all requested data
  3. Injecting unknown (probably totally fine, right?) payloads into executables as they come in over the wire.

are strictly for “security professionals and researchers only” – which, to their credit, are actually extremely useful to said professionals and researchers. Their message is a _little_ undercut by the totally wicked grinning skull ASCII art that immediately follows.

In particular what’s interesting about their peinjector application is that it’s specifically made to be used on embedded hardware, like that consumer grade router that all your sensitive files pass through (or a Raspberry Pi that someone left plugged in).

If you’re worried about threats like this, always remember to use a VPN, and always remember that it’s not enough to secure your perimeter: threats can come from anywhere, and you absolutely need to have solutions in place to thwart insider threats. Not worried? Reply to us with your favorite horror movie.

Today I Learned: Fundamentally Rooted

If you’re an Alan Moore fan, then you’re familiar with the phrase “Who watches the watchmen?” – his succinct plea to think about just who to trust in an authoritarian state.

If you’re unfamiliar with him you might be thinking “Well, probably the head of the watch? Maybe a shift supervisor?”

In any case, the issue of fundamental trust has been on everyone’s tongues with the news that dozens of approved applications in the iOS and Mac App Stores had been compromised via corrupted versions of Apple’s Xcode application.

While it’s not surprising in and of itself that if your compiler is rooted then the applications it builds can be rooted as well, it is surprising both that it went on for so long and that the malware was able to make it through the application approval process.

If you want to check out some of the code that was injected, browse on over to GitHub (it will help if you can read Chinese).

In a world where we now need to worry about compilers silently infecting each application they build, it’s good to know that applications like DatAlert will still detect odd behavior on your network and alert sysadmins to the problem – no Mandarin required.

Speak Chinese? Comment and let me know that my new tattoo means ‘strength’? 这家伙是醉了 (“this guy is drunk”)

Today I Learned: The Babadook is IN the computer

Most people naming exploit software pull from a pastiche of leetspeak and juvenile humor – so it’s both refreshing and doubly terrifying when a new backdoor app emerges that not only is named after the scariest movie of 2014 but also is ALREADY INSTALLED ON YOUR COMPUTER*.

Thankfully the author of said Babadooking app was aiming to teach his colleagues the perils of leaving their workstations unattended and not actually after their immortal souls.

His app – written in vanilla PowerShell – mainly served to annoy his fellow users until they adhered to decent safety procedures.

Interested in applications that will let you sleep easy at night, knowing that your data is secure from unwanted visitors? Check out DatAlert.

Also, submit a comment and let us know the most time-saving PowerShell script you’ve ever used.

* Well, if you have PowerShell. Also, keep telling yourself that monsters aren’t real while you fall asleep tonight.