Wednesday, May 20, 2009

Wireless inSecurity (WPA Owned)

So it has been no mystery that it's possible to break WPA and WPA2 Pre-Shared Keys (WPA-PSK, the default WPA mode on most consumer-grade access points). Because there is no direct weakness in the protocol like there is in WEP, the attack relies on brute-force hash matching against a captured four-way handshake, a process that can take a very long time.

Wordlists sped this process up considerably, making WPA breakable in weeks or months (as opposed to years) when the PSK is a dictionary word. Why is the process so slow? WPA derives the 256-bit Pairwise Master Key from the passphrase with PBKDF2: 4096 iterations of HMAC-SHA1, salted with the SSID. So the passphrase "dogthebountyhunter" on a network named "DOG" is hashed 4096 times with "DOG" as the salt, and every candidate guess costs the same 4096 rounds. The SSID salt also means a precomputed table is only good for one network name.

Then two years ago a group called "The Church of Wifi" released a set of precomputed PMK tables (usually, if loosely, called rainbow tables) for WPA-PSK. The catch is that, because the SSID is the salt, each table is tied to one network name; theirs covered only the 1,000 most common SSIDs (default, linksys, NETGEAR, Belkin54g, etc.) as ranked by http://Wigle.net/.

So PCI DSS and an entire industry for years have been championing WPA and strong non-dictionary passwords for wireless safety, and it was generally considered secure, until now...

The biggest reason WPA (and most strong cryptography) is hard to break is that the key derivation is deliberately expensive, so every guess takes a long time. A standard modern processor, say an Intel Core 2 Duo at 2.5 GHz, can test roughly 600-700 PSK/s per core with the tools above. At that rate 500 million candidate passphrases take about nine days per SSID, and the full keyspace of 8-character mixed-case alphanumerics (62^8, about 2.2 x 10^14) takes on the order of ten thousand years. Random passphrases anywhere near the 63-character maximum are simply out of reach.

Now, graphics card makers, namely Nvidia and ATI, have spent a decade building supercomputers on a chip: hundreds of simple, fast, highly parallel cores whose day job is making Counter-Strike run as smoothly as possible :) Recently something amazing happened: Nvidia released CUDA, an API and programming library that lets the average Joe write applications that harness the GPU for any kind of computation, including hashing. PBKDF2 guesses are independent of one another, so they parallelize perfectly, and tools like Pyrit get an order of magnitude or more over a CPU core. The end result? Dictionary attacks on WPA-PSK just got dramatically cheaper:


Pyrit Source
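To make the salt-and-iteration point concrete, here is an added example (mine, not code from the post or from Pyrit) in Python: it derives the PMK exactly as 802.11i does, runs a dictionary attack against it, and builds a Church-of-WiFi style precomputed table to show why a table for one SSID is worthless against another. The wordlist is constructed for the demo; the "password"/"IEEE" known-answer value is the test vector from the 802.11i standard.

```python
import hashlib
import hmac
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> 256-bit Pairwise Master Key, as IEEE 802.11i specifies:
    PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 32-byte output.
    Those 4096 rounds are the entire cost of one guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Hash every candidate for this SSID until one matches the captured PMK.
    Returns (passphrase, guesses_made); passphrase is None if the list runs out."""
    words = list(wordlist)
    for guesses, word in enumerate(words, start=1):
        if hmac.compare_digest(wpa_pmk(word, ssid), target_pmk):
            return word, guesses
    return None, len(words)


def precompute_table(ssid: str, wordlist) -> dict:
    """Church-of-WiFi style table: PMK -> passphrase for ONE SSID. Because the
    SSID is the salt, the same table is useless against any other network name."""
    return {wpa_pmk(word, ssid): word for word in wordlist}


def table_lookup(table: dict, target_pmk: bytes):
    """Instant lookup once the table exists (the work was done up front)."""
    return table.get(target_pmk)


def guesses_per_second(ssid: str = "linksys", seconds: float = 0.5) -> float:
    """Rough single-core PBKDF2 rate, to compare with the 600-700 PSK/s above."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_pmk("candidate%d" % n, ssid)
        n += 1
    return n / (time.perf_counter() - start)


# Constructed wordlist for the demo (not a real dictionary).
WORDLIST = ["password", "linksys", "dogthebounty", "dogthebountyhunter", "letmein"]

if __name__ == "__main__":
    # Known-answer check from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID salt -> completely different PMK.
    print("DOG :", wpa_pmk("dogthebountyhunter", "DOG").hex()[:16], "...")
    print("dog :", wpa_pmk("dogthebountyhunter", "dog").hex()[:16], "...")
    # "Capture" a PMK from network DOG (simulated here by deriving it ourselves).
    target = wpa_pmk("dogthebountyhunter", "DOG")
    print("dictionary attack :", dictionary_attack(target, "DOG", WORDLIST))
    print("table for DOG     :", table_lookup(precompute_table("DOG", WORDLIST), target))
    print("table for linksys :", table_lookup(precompute_table("linksys", WORDLIST), target))
    print("this CPU: about %.0f PBKDF2 guesses/s per core" % guesses_per_second())
```

The rate printed at the end is the number to hold against the GPU figures: every guess costs the same 4096 HMAC rounds whether it comes from a CPU or a GPU, the GPU just runs thousands of them at once.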

Monday, April 6, 2009

Oracle Weblogic IIS remote buffer overflow



I think this new WebLogic exploit posted on milw0rm is particularly nasty. WebLogic is a Java application server used as the backend by some very large enterprises, for both internal and external-facing web applications, many of which house millions of financial records and transactions. Exploits like this scare me because they have the potential to lead to a huge financial data compromise...

It also brings to mind some interesting ways of finding targets. My girlfriend works in sales for an IT services/recruiting firm, and just last week she was asking me what a WebLogic administrator was because she was trying to find consultants to fill a new project. I immediately thought of this new vulnerability: instead of traditional banner scanning for WebLogic, an attacker can simply pull up Monster.com and find the next Fortune 1000 company to 0wn.

http://jobsearch.monster.com/Search.aspx?brd=1&q=weblogic

Scary stuff... anyway, drop this signature I wrote this morning for Emerging Threats into your IDS/IPS and let me know if they are knocking on your door yet...

**** Updated sig to match the vulnerability (an oversized JSESSIONID value) rather than the exploit code...

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; uricontent:".jsp?"; nocase; uricontent:"JSESSIONID="; nocase; isdataat:5132,relative; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle; sid:2009216; rev:4;)
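For anyone who wants to pull the same condition out of proxy or IIS logs rather than off the wire, here is the rule's matching logic re-expressed in Python. This is an added example, not Emerging Threats code and not the exploit: it looks for a .jsp request whose URI carries at least 5132 bytes after JSESSIONID=, the same condition as the uricontent/isdataat pair above. The sample request lines are constructed.

```python
import re

# Mirrors the Snort rule: uricontent ".jsp?" and "JSESSIONID=" (both nocase), then
# isdataat:5132,relative -> at least 5132 bytes must follow "JSESSIONID=" in the URI.
MIN_TRAILING_BYTES = 5132

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/1\.[01]\s*$")


def trailing_jsessionid_bytes(uri: str) -> int:
    """Bytes after 'JSESSIONID=' in a .jsp request URI, or -1 when the URI does
    not satisfy both content matches (so the rule could not fire at all)."""
    lowered = uri.lower()
    if ".jsp?" not in lowered:
        return -1
    idx = lowered.find("jsessionid=")
    if idx < 0:
        return -1
    return len(uri) - (idx + len("jsessionid="))


def matches_rule(request_line: str) -> bool:
    """True when a single HTTP request line would trigger the signature."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False
    return trailing_jsessionid_bytes(m.group("uri")) >= MIN_TRAILING_BYTES


def triage(request_lines):
    """Run the check over a batch of request lines and return (truncated line,
    trailing byte count) for each one that would have fired."""
    hits = []
    for line in request_lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        n = trailing_jsessionid_bytes(m.group("uri"))
        if n >= MIN_TRAILING_BYTES:
            hits.append((line[:60] + "...", n))
    return hits


# Constructed sample traffic: a normal session id, a long value on a non-.jsp URI
# (rule will not fire), a 6000-byte blob, and one sitting exactly on the threshold.
SAMPLE_REQUESTS = [
    "GET /console/login.jsp?JSESSIONID=Fzx4WqMzR7hkc6P4Y1 HTTP/1.1",
    "GET /index.html?JSESSIONID=" + "A" * 6000 + " HTTP/1.1",
    "GET /index.jsp?JSESSIONID=" + "A" * 6000 + " HTTP/1.1",
    "GET /app/page.jsp?id=7;jsessionid=" + "B" * 5132 + " HTTP/1.0",
]

if __name__ == "__main__":
    for line, n in triage(SAMPLE_REQUESTS):
        print(f"{n:6d} bytes after JSESSIONID=  {line}")
```

Note that, like the rule, this only inspects the request URI; a JSESSIONID sent in a Cookie header is a different buffer and would need a separate check.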

Friday, April 3, 2009

Dude, Where's my Conficker?

With all the hoopla about Conficker, many of our customers are blowing up our inboxes wondering why they are not seeing Conficker-related alerts on their Sentinel IPS.

Well, congratulations to those customers: you have proper firewall rules in place, so Conficker cannot reach the MS08-067 vulnerability (the Windows Server service, exposed over SMB file sharing) to attack you.

For those of you who are unsure, you have two easy options to barricade your front door against the thousands of daily Conficker attempts:

Firewall TCP port 445 inbound (and 139 while you are at it), or simply turn off File and Printer Sharing on your Windows servers. Either one stops the worm at the door, but neither is a substitute for actually installing the MS08-067 patch on every Windows host.

Also, if you want to quickly sweep your internal network or DMZ for Conficker infections, the latest version of Nmap can do the job in a snap! Just download the latest version and give this command a whirl (it checks both for the MS08-067 hole and for Conficker's own fingerprint on the SMB service):

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [mylanaddress]

That's it!
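Sweeping a /24 is easy; reading the output for hundreds of hosts is the tedious part. Below is an added helper (mine, not part of Nmap or the original post) that parses the XML you get from adding -oX sweep.xml to the command above and sorts hosts into infected, unpatched and clean. The embedded XML is a constructed stand-in for real scanner output: the element layout (host/address/hostscript/script) is Nmap's, the smb-check-vulns wording is an approximation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap ... -oX sweep.xml` output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 -oX sweep.xml 10.10.1.0/28">
  <host><status state="up"/><address addr="10.10.1.5" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns" output="&#xa;  MS08-067: VULNERABLE&#xa;  Conficker: Likely INFECTED&#xa;  regsvc DoS: NOT RUN"/></hostscript>
  </host>
  <host><status state="up"/><address addr="10.10.1.6" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns" output="&#xa;  MS08-067: NOT VULNERABLE&#xa;  Conficker: Likely CLEAN&#xa;  regsvc DoS: NOT RUN"/></hostscript>
  </host>
  <host><status state="up"/><address addr="10.10.1.7" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns" output="&#xa;  MS08-067: VULNERABLE&#xa;  Conficker: Likely CLEAN&#xa;  regsvc DoS: NOT RUN"/></hostscript>
  </host>
  <host><status state="up"/><address addr="10.10.1.8" addrtype="ipv4"/></host>
</nmaprun>
"""

CHECK_LINE = re.compile(r"^\s*(?P<check>[^:]+):\s*(?P<result>.+?)\s*$")


def parse_smb_check_vulns(xml_text: str) -> dict:
    """Return {ip: {check_name: result}} for every host that ran smb-check-vulns.
    Hosts without SMB (no hostscript block) are left out on purpose."""
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        script = host.find("hostscript/script[@id='smb-check-vulns']")
        if addr is None or script is None:
            continue
        checks = {}
        for line in script.get("output", "").splitlines():
            m = CHECK_LINE.match(line)
            if m:
                checks[m.group("check")] = m.group("result")
        results[addr.get("addr")] = checks
    return results


def classify(results: dict) -> dict:
    """Bucket hosts: 'infected' (Conficker fingerprint seen), 'unpatched' (MS08-067
    still open, so the next hit lands) and 'ok'. Infected wins over unpatched."""
    buckets = {"infected": [], "unpatched": [], "ok": []}
    for ip, checks in sorted(results.items()):
        if "INFECTED" in checks.get("Conficker", "").upper():
            buckets["infected"].append(ip)
        elif checks.get("MS08-067", "").upper() == "VULNERABLE":
            buckets["unpatched"].append(ip)
        else:
            buckets["ok"].append(ip)
    return buckets


if __name__ == "__main__":
    # Real use: classify(parse_smb_check_vulns(open("sweep.xml").read()))
    for bucket, hosts in classify(parse_smb_check_vulns(SAMPLE_NMAP_XML)).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

The "unpatched" bucket is the one to act on first after cleaning infected hosts: those machines answered on 445 and still have the MS08-067 hole, which is exactly what the firewall advice above is meant to cover until they are patched.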

Wednesday, March 18, 2009

Flush.M trojan and rising attack complexity

An updated version of the DNS-hijacking malware 'Flush.M' is currently out in the wild; it originally popped up in December 2008. What is significant about this particular nasty is its method of network compromise, which is sharply more complex and creative in the way it hijacks its prey.

Let me walk you through how it works:

Joe the Plumber clicks through a website carrying a malicious banner ad that serves a Flush.M-laden PDF exploiting Adobe's latest JBIG2 security flaw. Once his browser auto-opens the PDF, the trojan is installed on his machine.

Now the interesting part: the malware starts a rogue DHCP server on the local LAN, handing out leases with a one-hour refresh. DHCP clients take the first OFFER they hear, so whenever the infected box answers before the real server it wins. That means if Joe is at the public library, the one 'Flush.M' infection will change the network settings on every machine on the same LAN as their leases come up for renewal.

Because DHCP can set the client machine's DNS servers (option 6), 'Flush.M' points every client's resolvers at malicious external DNS hosts, which exposes the entire LAN to a giant man-in-the-middle attack: phishing, password stealing, more malware injection, click fraud, you name it...

So for the first time I can think of, you have malware spreading across the LAN not by attacking known vulnerabilities but by using legitimate networking protocols to poison the environment and very quickly compromise an entire LAN. Nasty stuff.
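To show what a defender can actually watch for, here is an added example (mine, not Flush.M's code or anything from the original post) in Python that builds DHCP OFFER packets the way a server sends them, parses the option area, and flags any reply whose Server Identifier (option 54) or DNS server list (option 6) is not on an allow list. The two packets, the 192.168.1.x addresses and the 198.51.100.x resolvers are constructed for the demo.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_DNS_SERVERS, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 51, 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_dhcp_reply(msg_type, server_ip, client_ip, dns_servers, lease_secs, xid=0x3903F326):
    """Minimal BOOTP/DHCP server reply: RFC 2131 fixed header, magic cookie, RFC 2132 options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                        # BOOTREPLY, Ethernet, hlen 6, hops, xid, secs, flags
        b"\0" * 4, _ip(client_ip), _ip(server_ip), b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        bytes.fromhex("001122334455") + b"\0" * 10,   # chaddr (client MAC, constructed)
        b"\0" * 64, b"\0" * 128)                      # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + _ip(server_ip)
    opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_secs)
    opts += bytes([OPT_DNS_SERVERS, 4 * len(dns_servers)]) + b"".join(_ip(d) for d in dns_servers)
    opts += bytes([OPT_END])
    return header + DHCP_MAGIC + opts


def parse_dhcp_options(pkt: bytes) -> dict:
    """Walk the TLV option area after the magic cookie; returns {code: raw_value}."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                 # pad byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def _ips(raw: bytes):
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) - 3, 4)]


def audit_dhcp_reply(pkt: bytes, trusted_servers, trusted_dns):
    """Findings for an OFFER/ACK; an empty list means the reply matches the allow lists.
    Client-to-server messages (DISCOVER/REQUEST) carry no configuration and are ignored."""
    opts = parse_dhcp_options(pkt)
    mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
    if mtype not in (2, 5):
        return []
    findings = []
    lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else "?"
    server = _ips(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in trusted_servers:
        who = server[0] if server else "(no server id)"
        findings.append(f"{MSG_NAMES.get(mtype, mtype)} from unexpected DHCP server {who} (lease {lease}s)")
    for resolver in _ips(opts.get(OPT_DNS_SERVERS, b"")):
        if resolver not in trusted_dns:
            findings.append(f"pushes DNS resolver {resolver}, not on the allow list")
    return findings


# Constructed LAN: the real router at 192.168.1.1 serves DHCP and DNS; an infected
# host at 192.168.1.86 answers with external resolvers and a one-hour lease.
TRUSTED_SERVERS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}
LEGIT_OFFER = build_dhcp_reply(2, "192.168.1.1", "192.168.1.50", ["192.168.1.1"], 86400)
ROGUE_OFFER = build_dhcp_reply(2, "192.168.1.86", "192.168.1.50", ["198.51.100.53", "198.51.100.54"], 3600)

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_dhcp_reply(pkt, TRUSTED_SERVERS, TRUSTED_DNS) or ["looks fine"])
```

In practice you would feed this from a sniffer on UDP port 67/68 (anything answering DHCP that is not your server is the story), or enforce the same policy in the switch with DHCP snooping, which drops server replies arriving on untrusted ports.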


If you want to know whether Flush.M is on your network, here is a snapshot of an infected host phoning home (destination and domain sanitized):

14:45:26.989321 IP 172.17.1.86.60307 > 55.55.55.55.53: 45585+ A? isatap.snip.edu. (33)
0x0000: 4500 003d 040c 0000 7f11 c4b3 ac11 0156 E..=...........V
0x0010: 4056 8533 eb93 0035 0029 42f8 b211 0100 @V.3...5.)B.....
0x0020: 0001 0000 0000 0000 0669 7361 7461 7004 .........isatap.
0x0030: 6963 6970 0365 6475 0000 0100 01 snip.edu.....


Snort signature (thanks jp). One caveat before you deploy it: Windows Vista and later hosts resolve isatap.<your domain> on their own as part of IPv6 transition setup, so this will also fire on clean machines; treat a hit as a pointer to go check the host's DNS server settings rather than as proof of infection.


alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Flush DNS lookup isatap (Possible flush)"; content:"|06|isatap"; nocase; classtype:trojan-activity; sid:1021339; rev:1;)

Monday, March 16, 2009

Network Security Appliance testing and QA with Virtualization

While working on our newest Intrusion Prevention appliance Sentinel IPS 4.0, we are always working to streamline and automate all testing. Unfortunately an inline bridged network device can be a challenge...

Here are some of the strategies that have worked in the past and some of the issues we are currently struggling with:

The old fashioned way (QA environment round 1):

What the team was using before I joined: four separate physical machines configured like this:

QA Attacker/Tester (loaded with stateful attack scripts) --> Router (192.168.x.x <-> 10.10.x.x) <--> Sentinel IPS (inline bridged appliance) <--> Switch <--> QA Target Host/s

This works, but to my mind it is too much equipment and software to maintain; not only that, but power consumption is at microwave-oven levels. Adding a new attacker or target platform means loading or reloading another piece of hardware.

QA environment round 2:

Hello VMware! I believe it was VMware Workstation for Windows 5.x or so that added a wonderful new network feature called "teaming", in which you create virtual labs by daisy-chaining VMs and virtual interfaces together and let VMware handle all of the routing.

Here is how it worked (QA Team1):
Attacker VM (Gentoo) <-bridged interface0-> Sentinel IPS VM <-Nat interface1-> Target VM1 (Windows Server 2000) Target VM2 (CentOS 5.x)

So you simply assign all of the VMs to a single team, and give your network appliance one interface on each segment so it bridges the traffic from your Attacker/Tester VM to the internal target VMs. With one command you can start and stop the entire team, or add and modify the attacker and target OSs. Adding the BackTrack LiveCD as one of the attackers is easy: simply install its VM and add it to the team on the bridged interface.

Now, to avoid confusion, there are two bridges in action. The first bridges the attacker and the network appliance (Sentinel IPS in my case) to your normal physical LAN. VMware picks this automatically, but if you are on a laptop that switches between wireless and wired networks you will want to manually create a bridged interface for your wireless card. They make it dead simple to switch your team interfaces around when you're not on wireless.

The second bridge is the network appliance itself! If it is an inline bridge device like our IPS, it bridges the already-bridged interface to the private NAT network that VMware created automatically. The auto NAT network is usually some 192.168.1xx.x range, which is unlikely to clobber your normal LAN.

Ok... so that seems like the perfect setup, and it has worked rock solid for us, requiring only one Windows machine with VMware, one real network interface and 2+ gigs of RAM. Pretty easy to come by these days.

Why do we want a new setup? Well, I had to splurge on a MacBook Pro last year and VMware Fusion does not support teaming.... Seems like small potatoes, but it kills me that I can't put my 4 gigs of RAM to good use. Yes, my drive is encrypted :)

*** Update: maybe time to try Convirt 1.0 on my Mac

Tuesday, March 3, 2009

Whole Foods RFID price tag security

A brand new Whole Foods opened up right next to our house, so I had to check it out on opening day. What a nightmare of triple-parked Priuses, scooters and other granola-eating eco-hipster transportation devices. I'm not anti-hippy, but my love for red meat, beer and Marlboro Lights is not so popular with that crowd. Anyway, between the dozens of free yummy samples I happened to notice new digital price tags under the food. They are not connected to any physical wires and look to be powered off watch batteries, so they must be RFID! A little bit of googling confirmed my theory, and we are off to the races.



Potential security issues:

Price modification (Choice Ribeye steak for $2/pound)
Customer product tracking
Store pricing denial of service (eggs and toilet paper now $99, maybe too believable at whole foods)
Price change sniffers (publish sale items on rss feed, hide behind the cantaloupe)

I would like to hear your ideas, thoughts, comments on this change which will likely ripple down to other big box grocers in the future.

Tuesday, February 10, 2009

ASPROX Back with a vengeance

So the SQL injection attacks have slowed down a bit, but the botnet is still very much alive and is now back running large-scale phishing and money-mule scams designed to prey on jobless Americans.

Please read or watch the excellent ASPROX report by Dennis Brown @ Verisign, given at Toorcon, for the latest on ASPROX anatomy.

If you or your organization's website are a victim of ASPROX, please see our highly popular ASPROX Toolkit with recommendations on defense and post-compromise remediation.



Known currently active ASPROX domains:
dbrgf.ru
lijg.ru
bnmd.kz
nvepe.ru
mtno.ru
wmpd.ru
msngk6.ru
dft6s.kz
47mode.name
berjke.ru
81dns.ru
53refer.ru
chk06.ru
driver95.ru
errghr.ru
lang42.ru
netcfg9.ru
sitevgb.ru
vrelel.ru
30area.ru
4log-in.ru
advabnr.com

Also being reported at:
http://www.matchent.com/wpress/?q=node/432
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090122