Posted January 8th, 2009 by rybolov
It’s a sad tale we all know too well: our poor CISOs are tied down with red tape while the attackers have all the time in the world. My only regret is that the hakker kitteh isn’t a siamese. =)
Posted in Hack the Planet, IKANHAZFIZMA | 1 Comment »
Tags: government • lolcats • security
Posted August 2nd, 2007 by rybolov
Yesterday I got a hasty call from Jon D about my server. He had checked out my blog from work and within an hour got a call from a Symantec SOC that he was looking at a web page that was part of a botnet.
So he called me.
Back 4 years ago I had set up an IRC network for a friend, including my server as one of the nodes. Over time the network died, as they do, and when I moved the server a couple of times over the course of several years, the ircd didn’t come back up. The ircd.conf didn’t match up with the network interfaces on the box, so ircd would croak every time it tried to start up.
Well, I guess the last server move did something that the ircd did like because it came back up and stayed up. Bah, that’s resiliency in action for you, kids.
When I got the call from Jon I knew exactly what it was. It took about 2 minutes to ssh in, verify that there were 8 dirtballs squatting on my server, kill the ircd, and kill the line in crontab that restarts the server if/when it dies. Problem solved, now back to playing zombie hack-n-slash games.
In an OS sense, there wasn’t a compromise or anything, just the greasies using the application like it was intended to be used, only with a different intent.
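The forgotten-daemon-plus-cron-keepalive combination above is easy to audit for. This shell check is an added example, not code from the original post; it assumes `ss -ltnp`-style socket listings and a plain crontab, and the listing, crontab and allowlist it works on are constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: audit listening sockets against an
# allowlist and pull any crontab line that would respawn a service not on it.
# Inputs are parsed from text so the check runs offline; in practice pipe in the
# output of `ss -ltnp` and `crontab -l`.

# Constructed sample of `ss -ltnp` output (not a real capture).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*   users:(("apache2",pid=901,fd=4))
LISTEN 0      50     0.0.0.0:6667       0.0.0.0:*   users:(("ircd",pid=2310,fd=7))'

# Constructed sample crontab with a keep-alive entry of the kind the post describes.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * pgrep ircd >/dev/null || /usr/local/ircd/bin/ircd -f /etc/ircd.conf'

# Processes that are supposed to be listening on this host; anything else is a finding.
ALLOWED="sshd apache2"

# unexpected_listeners SS_OUTPUT -> one "process:port" line per listener not in ALLOWED
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            m = split($4, addr, ":"); port = addr[m]     # port is the last colon-separated field
            if (match($0, /\("[^"]+"/)) {               # process name sits inside users:(("name",...
                proc = substr($0, RSTART + 2, RLENGTH - 3)
                if (!(proc in ok)) print proc ":" port
            }
        }'
}

# respawn_entries CRONTAB PROC -> non-comment crontab lines that mention PROC
respawn_entries() {
    printf '%s\n' "$1" | grep -v '^#' | grep -F -- "$2"
}

# audit SS_OUTPUT CRONTAB -> report each unexpected listener and the cron line keeping it alive
audit() {
    unexpected_listeners "$1" | while IFS=: read -r proc port; do
        echo "unexpected listener: $proc on port $port"
        respawn_entries "$2" "$proc" | sed 's/^/  respawned by cron: /'
    done
}

audit "$SAMPLE_SS" "$SAMPLE_CRON"
```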
Posted in Hack the Planet, Technical, The Guerilla CISO | 2 Comments »
Posted August 1st, 2007 by rybolov
I’m not Lord Nikon, but I play him at lunchtime. A guy can always pretend, can’t he?
You see, here in “occupied” Northern Virginia, we all work for either the Government, contractors, IT companies, or any combination thereof. Everywhere you go, you have a badge. Most badges have at least two things: the company name and the employee’s name. Looking at my “25 pieces of flair”, I see that you can even get my middle initial and where I work.
If all this sounds exactly like seed material for your password seed files, well then it just might be. Not really what I would call earth-shattering ‘leet skillz, but it might be enough to get a foothold if you’re targeting one company in particular–find the nearest lunch spot and look for the right logo, check the web for @targetcompany.com email addresses, note the smtp headers to see what kind of a user naming convention they use, and mung your collected names list into the right format.
Then get hacking! That’s an exercise left to the reader, just follow the golden rule and “never hack from home.”
Anyway, my little lunchtime distraction is to notice how many organizations I can see standing in line, talking on the phone, or enjoying their lowfat Atkins-friendly salad. I guess you could say it’s the CISO’s version of buzzword bingo.
But then again, I’ve always been a little bit touched, so this shouldn’t be a big surprise. =)
Posted in Hack the Planet, The Guerilla CISO | 3 Comments »
Posted July 26th, 2007 by rybolov
Nominations for the Pwnie Awards are open until the 28th. It’s still not too late to get in that last-minute nomination for your favorites.
Award categories:
Note that they don’t have a “Most Loveable but Still Harmless Curmudgeon who Obsesses about Flyfishing, Zombies, and a Whole Lot More” category because I could win it hands-down. =)
Deep inside the site is this link: PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability complete with this song:
<Preamble>
Twas the night before Christmas, and deep in IE
A creature was stirring, a vulnerability
MS02-066 was posted on the website with care
In hopes that Team eEye would not see it there
But the engineers weren’t nestled all snug in their beds,
No, PNG images danced in their heads
And Riley at his computer, with Drew’s and my backing
Had just settled down for a little PNG cracking
When rendering an image, we saw IE shatter
And with just a glance we knew what was the matter
Away into SoftICE we flew in a flash
Tore open the core dumps, and threw RFC 1951 in the trash
The bug in the thick of the poorly-written code
Caused an AV exception when the image tried to load
Then what in our wondering eyes should we see
But our data overwriting all of heap memory
With heap management structures all hijacked so quick
We knew in a moment we could exploit this $#!%
More rapid than eagles our malicious pic came —
The hardest part of this exploit was choosing its name
Derek Soeder
Software Engineer
eEye Digital Security
</Preamble>
Posted in Hack the Planet, Technical | No Comments »
Posted July 18th, 2007 by rybolov
As much effort as we put into badge readers, smart cards, and access control systems, it’s a dirty little secret that they are easy to overcome if you know what you are doing, and the only way to keep you from cheating is to put a “meatgrinder” in your way.
Techniques for getting past card reader systems:
- The Big Box: Hold a box that’s big enough and bulky enough that you need two hands to hold it. Ask a cleared employee to hold the door open for you.
- The Mad Dash: Hide just out of reach of the door. Wait for a cleared person to go inside, then make a “mad dash” to grab the door right before it closes. If you practice, you don’t even have to run to get the door, you use your sense of timing.
- The New Employee: “Hi, I’m new here and they told me it would be a week until I got my badge. Can you let me in?”
- The Clipboard: Hold a clipboard and act like an auditor who is dismayed that they couldn’t get into the area that they need to inspect.
- The Visitor: Ask somebody to sign in so you can legitimately get access to the area. After that, it’s a simple deal to shed your escort.
The commonality to all this is that you’re preying on people’s sense of either being a team player or showing other people some common hospitality. You can teach people to not let anybody else in, but our brains just won’t let us slam the door in somebody else’s face.
Come to think of it, it’s suspiciously like trying to teach your kids not to talk to strangers.
Posted in Hack the Planet, What Doesn't Work, What Works | 3 Comments »
Posted July 18th, 2007 by rybolov
Very interesting article on keyloggers and the AV companies.
I’m sitting here trying to think about the problem, the scenario goes something like this:
- I’m the police/$favorite_member_of_NIC and need to keylog somebody
- I need to get the keylogger to the target and their computer
- I need the anti-malware detector on the target computer to not find my product so I can both get a foothold and continue to collect evidence.
So putting on my thinking cap, this is a fairly complicated attack. Yes, malware vendors do it all the time, but they usually aren’t selective about their targets–they throw what they have at a bajillion targets and take what sticks.
In order to do this attack right, I would need to know which type of AV/endpoint security the target uses or I need a technique that none of the vendors know about or how to detect. In order to find out the AV that the target uses, I can either break in, hire a snitch, or use a wiretap to wait for the software to phone home for a signature update. Once I know what exactly the target uses for protection, I can plan the attack.
Of course, this assumes that AV is 100% effective, which we all know isn’t true. =)
Posted in Hack the Planet, Odds-n-Sods, Technical | No Comments »