Category Archives: Today I Learned: InfoSec

TIL: They should have called it DHCPDOS

TIL: They should have called it DHCPDOS

Most mornings, you wake up and think you at least have a semblance of what your day will be like. But if someone tells you that you now have to worry about your DHCP server messing up your network, you might want to just go back to bed and stay there.

If you haven’t yet made DHCPwn an acquaintance, get yourself a cup of coffee and wake up to the sweet smell of IP Exhaustion.

The Dynamic Host Control Protocol server on your network sits around happily handing out IP address to machines on your network (identified by their MAC address).

  1. You turn on your computer.
  2. It requests a new IP address by sending over its MAC address.
  3. It gets assigned a new unused IP address.
  4. You’re now looking at Facebook marveling over how the girl that used to chug all of the Elmer’s glue in art class has now spawned her own Elmers glue chugging kid in some weird recursive Elmers glue Escher print of modern society.

This is where the trouble starts: DHCPwn impersonates an innocent computer on the network and just requests and requests and requests IP addresses leases from the DHCP server until there aren’t any left and nobody can get a new IP address to check on the status of the young glue eater.

If you’re sick of having a bunch of software applications that don’t work well together, check out Varonis’ suite of awesomely integrated solutions for monitoring user network behaviors and permissions management.  No glue necessary.

Today I Learned: There are some things you REALLY don’t want in bulk

Today I Learned: There are some things you REALLY don’t want in bulk

Everybody knows that you can have too much of a good thing: high impact yoga, deep water yodeling, reading TIL posts while unicycling, or any hobby where you’re required to “shuck” things.

But what if you take an ordinary bad thing and raise it to the power of awful! In other words, you ratchet up the potential consequences of what otherwise would be been a fairly minor issue.

A great example of this is bettercap – a “state of the art, modular, portable and easily extensible MITM framework”.  Bettercap can be used to amplify an attack by positioning it, so that it can be applied to any machine on a network.

A practical example of this is Simone Margaritelli’s writeup of how to autopwn every Android < 4.2 device on your network.

What makes this sort-of exploit interesting is the explosion of rarely patched Android-based We-put-a-Chipin-it style IOT devices. Today’s super secure version of Android is tomorrow’s bug ridden zombie version of Android – and nobody’s bothering to patch their “smart” water bottles.

Need the network equivalent of being told that you drank 3.7530340 oz of water so far today, and that usually by this time you’ve consumed 5.3703083 oz?

What you really need is User Behavioral Analytics.

 

Today I Learned: Keeping Up with the Cryptolockers

Today I Learned: Keeping Up with the Cryptolockers

It’s tough to keep up with CryptoLocker and the several quintillion other ransomware variants that have been released in the last couple years.

If you’re unfamiliar with ransomware, it’s the digital equivalent of an Adam Sandler movie. Your files are encrypted into mumbo-jumbo and you can’t get them back without paying way more than you should.

What’s really terrifying is that the ransomware packages have become robust enough through pure Darwinian Internet Evolution. Currently, recovery options include:

  1. Pay the ransom. (Although this option is moot)
  2. Restore the files from a backup.
  3. Go online to see if a decryption tool exists.

Even in cases where it’s possible to use a recovery method, these methods often don’t work (to the surprise of absolutely no one). Virus and ransomware writers aren’t the best at updating their documentation. So, what one outlet is calling “Cryptolocker 4”, another may be calling the same thing something else.

To date, the best preventative tool is not to try and block specific ransomware variants, but instead look at user behavior.  DatAlert is great for this type of detection. And if it’s set up properly, you can even quarantine infected systems.

Today I Learned: Automatic Isn’t Always Good

Today I Learned:  Automatic Isn’t Always Good

As the world moves even faster and becomes more interconnected, we’ve come to accept that being automated is a good thing. Automatic cars outsell stick shifts, software updates automatically install, and Autobots have beaten the Decepticons three films running.

But what you probably don’t want is to have your network peeled apart at the web application by SQLMap – the Automatic SQL injection and database takeover tool.

SQLMap is a terrifying, python-based, open source pentesting tool that can suss out vulnerabilities in MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB.

sql

Source: sqlmap.org

What makes SQL Injection bugs so scary is that there’s no “patch” that will stop them across the board. They’re introduced through specific patterns of application software development and can be successfully used against even fully patched and up-to-date systems.

I’d recommend you do the following:

  1. Check out the Troy Hunt Web Security Fundamentals courseThe second chapter is specifically about identifying SQL Injection attacks, but the whole thing is great.
  2. Once you understand the fundamentals, download SQLMap and test your applications in bulk.

 

Today I Learned: HSTS Supercookies Taste Bad

Today I Learned: HSTS Supercookies Taste Bad

If this were still the 90s and I still had Zack Morris style hair, this is where I’d make a pun, or clever ‘TeeHee’ about cookies. However, as we’re now living in what I once thought of as the far distant future, I’ll make a joke about how I’m really glad that the doctor came back and said I tested negative for HSTS.

With that out of the way, it’s important to know that HTTP Strict Transport Security is actually a good thing – a new browser security mechanism that lets a web server tell a browser: “For like totally serious Kelli Kapowski, every time you come back to this site, connect with SSL… and if you try to NOT use SSL I’ll shut you down like when Screech asked Jesse to the fall dance.”

To accomplish this, when your (modern) browser connects with a web server, it gets the HSTS directives (what subdomains should be SSL’d, for how long, etc.) and then remembers them. At which point the law of unintended consequences alarm bells should be going off – what one person might call a cached security directive, another sees it as a distinct browser fingerprint personally identifying you as you wander around the Internet.

Site operators can create a “SuperCookie” – an identifier for you that you can’t easily remove from your browser by stacking a series of subdomains and selectively enabling HSTS on them.

A technique described in more detail here:

More worryingly, HSTS leaks timing information – enabling a DIFFERENT website to selectively check your past browsing history via timing attacks.

This and other delightful techniques are covered in @bcrypt’s ToorCon presentation:Weird New Tricks for Browser Fingerprinting.

So get out there and have safe and private time on the Internet Bayside!