Rick’s Playground

I have to admit that the recent malwares like Storm, Conficker have really impressed me - the various top-notch feature implementations and the strong skills and knowledges demonstrated. If you still think the malware developers are the bunch only knows to package published vulnerability POCs and inserts the payloads into the out-dated templates, you probably are still living in the pre-2004 era.  yeah, that’s not very long ago, but long enough for the information security industry to get rid of a bunch of old concepts and ideas.. Here is the original description from SRI about the Conficker worm - Conficker Write-up .

One of the quoted paragraph from this write-up realy sends a chill down the spine for most infosec folks.

“Finally, we must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker.  Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products.  They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list.  They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker.   They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world.  Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.”

While we - the infosec folks are happily talking about nice-looking process, management, frameworks etc.. indulging ourselves in various fanciful security solutions which are full of marketing hoohaaas. We seems to forget about the fundermentals. Probably we need some form of wake-up call - before it is too late.

What do you think of when you see the pinky pig ? And the balance
is tilt to the pinky pig !!

http://www.iss.net/

Oink..oink...

Nokia ‘curse of silence’ sms details are released by Tobias Engel.  It is a simple sms like ‘123456789@123456789.1234567890123′ sent as email format from most mobiles. Once you recieve this sms in your vulnerable nokia smart phone (most symbian S60s), it’s a gone case. Factory reset is required.

Exploits details:

http://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt

An article from CSO online and I can’t help but blatantly post it here to share with all my friends in the Information Security Industry.  Information security is a very young industry and we need people to have faith in what we are doing and the value we create. It’s sad that we see a lot of people leaving during the good years to pursue greater monetary gains and also people who are forced to go when the economic crisis strikes. I heard one of the veteran mentioned that “All of us want to quit the InfoSec industry but realized that it has sucked us in !” Hope this quoted article can help us survive in the current economic recession and keep the passion and faith in the professional to which we have dedicated our career.

========================================================

November 04, 2008

When meeting someone new and describing my background in this industry I often say “I’ve seen the best of times, I’ve seen the worst of times and most of what falls in between.” I’ve been recruiting in Information Security long enough to have experienced the heady times of the dot.com boom and the dark days that followed after it all came crashing down. I’ve also been here as the industry has grown and evolved—sometimes as a result of and sometimes in spite of significant difficulties. This evolution leads to adaptation, and it’s the ability of people to adapt and rise above one challenge after another that makes our industry so dynamic.

Given what I do, communicating with and connecting people, I’ve offered both a shoulder to cry on and kick in the pants to those that need it—especially in uncertain times like the ones we’re facing. I don’t enjoy either situation. For the purpose of this column I wanted to offer some sound advice to those Information Security professionals who are concerned about the future of their jobs. Think of it as a general checklist of things that you probably should be doing all the time but need to devote some time and consideration to right now, especially if your future is uncertain.

First, know your differentiators. Understand what sets you apart from your peers and how you can use these qualities to best advantage. Similarly, think about your personal “brand”. If you had to describe to another person who you are, what you do and most importantly what problems you can solve, how would you do it? Develop a personal branding statement that will allow you to do this whether it’s in the elevator with your boss’s boss or on a job interview.

For example, I was speaking with a candidate who had very strong application security skills. She also had a great sense of humor and was a natural communicator. She was frustrated because she was falling behind in her work due to the number of times she was personally requested to sit in on IT project meetings. I laughed when I heard this because she didn’t realize what she was saying. The result was one more critical differentiator that strengthened her personal brand. So now, when somebody asks her what makes her stand out, she’ll tell them “Although my primary focus is application security risk assessment, I’m the person my company relies on to bridge the gap between business and security requirements and who gets everyone work and play well together.”

Second, find ways to leverage your differentiating qualities to add greater value to your current organization. By demonstrating the ability to provide solutions and solve problems important to your company you may just save your job, or at least postpone your departure. So find out what the hot buttons are—not just within security but with other areas of IT and within the business you support. There may be hidden opportunities where your perspective and experience could make a difference.

Third, work on strengthening your relationships with your management as well as other stakeholders or clients you support. Communication is key to accomplishing this. Developing an active and open rapport with others will help you better understand the big picture of what’s going on around you. It will also help you keep your cool and make informed decisions about your options while rumors at the water cooler are flying.

And finally, be ready to embrace change beyond your control. From a career perspective this means having your “personal marketing documents”, AKA resumes, references and professional certifications up to date. It also means communicating your interests and intentions to everyone you know who might be able to help you. This includes re-connecting with your recruiter, any mentors, past co-workers or clients with whom you’ve had positive experiences with in the past. It also means taking the time to catch up on the industry at large through reading trade journals, attending networking events and increasing your participation with industry organizations. Get the word out to your associations, organizations, friends and family that you are on the job market.

Lately, not a day goes by that someone doesn’t ask me what the future holds for our industry in these tough economic times. The truth is, nobody can tell. It’s a fact that in the short term, supply will likely outstrip demand especially for the most senior roles in our industry. The best and only way to adapt to change of this nature is to be prepared—mentally, materially and socially. We should know that we’re in for a marathon and not a sprint. Yet despite the challenges ahead I’m confident that our industry will continue to grow and thrive. We just need to put less stock in the markets and more stock in ourselves. ##

Jeff Combs is Practice Lead, Security and IT Risk Recruiting at Alta Associates.

========================================================

Last Thursday I  gave a presentation on Dan Kaminsky’s recent DNS finding to the local security meetup group folks. It has been a while since the previous time I laid my hands on network packets analysis, tweaking a bind9 server and even backtrack 3 looks fresh and interesting to me again.

Initially I thought it would be a huge task to set up a full POC environment of the DNS attack. I was planning and thinking about all the details such as the race conditions, full-function attacker controlled DNS server, segregation of testing environment. However the more I plann, the messier it becomes and until a point which I told myself - forget about it, this is not a huge corporate project which you need all the planning, risk analysis etc etc .  Let’s just be a normal script kiddy - get an available exploits, understand it and set up a minimum environment to try it, if it works, that’s it.   If it doesn’t work, then we analyze what the problem is. This turned out to be a fanatasic plan and again all my old friends - VMware, Ubuntun, Metasploit, Wireshark and Backtrack came into rescue.  Here is the simple but fully workable setup (all in one Lenonvo T61 laptop) :

Vulnerable DNS server

• Ubuntu 8.04 LTS Desktop Edition in VMware (server 1.06)
• IP address: 192.168.1.13
• with Bind9 packages installed
• A little tweaking of the named options (fixed query source port and allow recursion to the attacker’s subnet, see attached named option files)

Attacker machine

• Backtrack 3 Final in VMware (This is availabe directly from the home page, you don’t need to install into harddisk anymore)
• IP address: 192.168.1.24
• Update your Metasploit to make sure the auxiliary/spoof/DNS/bailiwicked_host” is available

Client PC

• Windows XP (The host machine which has the vmware-server installed)
• IP address: 192.168.1.4
• It just serves as a poor third-party DNS client who queries the vulnerable DNS server for IP info

The successful rate for the POC is quite high,  more than 70% of the spoof attacks (using the Metaslpoit module)  were able to successfully inject the records to the vulnerable DNS server within 20 minutes.  I have attached a copy of Metasploit screen output and a corresponding wireshark traffic dump for one of the POC attacks - make the vulnerable DNS server point www.jpmorgan.com point to ip address 192.168.1.226.

The POC for this attack is pretty safe because the traffic is only routed within the LAN except the initial target DNS nameservers list queries. Anyway the initial queries are harmless at all because they are just normal DNS query to a third party DNS server.   Lastly the Metasploit’s check for recusive DNS server is a bit buggy.  It throws out false-negative and always consider the target vulnerable DNS “not vulnerable”.  I am yet to find out the reason.

Bind9 Named Config Options:  namedconf.options

Metasploit Console Output: msf_output_jpmorgan

Meetup Slides: understand-kaminskys-dns-attacks-oct-2008.ppt

I just read an article “Confessions of a Risk Manager” from economist.com. It is recommended by a featured blog post “Risk Managers Are Just Like Security People” on securityfocus.com.  The article truely and vividly described the kind of difficulties and dilemmas encountered by a Risk Manager, which I can very much relate them the information security folks in the finanical sectors. The situations are amazingly similar between information security folks and the risk managers.

” In their (By Rick: the business people mainly front line traders, bankers, sales) eyes, we were not earning money for the bank. Worse, we had the power to say no and therefore prevent business from being done. Traders saw us as obstructive and a hindrance to their ability to earn higher bonuses. They did not take kindly to this. Sometimes the relationship between the risk department and the business lines ended in arguments. . . .

Tactfully explaining why we said no was not our forte. Traders were often exasperated as much by how they were told as by what they were told.At the root of it all, however, was—and still is—a deeply ingrained flaw in the decision-making process. In contrast to the law, where two sides make an equal-and-opposite argument that is fairly judged, in banks there is always a bias towards one side of the argument. The business line was more focused on getting a transaction approved than on identifying the risks in what it was proposing. The risk factors were a small part of the presentation and always “mitigated”. This made it hard to discourage transactions. If a risk manager said no, he was immediately on a collision course with the business line. The risk thinking therefore leaned towards giving the benefit of the doubt to the risk-takers.

Collective common sense suffered as a result. Often in meetings, our gut reactions as risk managers were negative. But it was difficult to come up with hard-and-fast arguments for why you should decline a transaction, especially when you were sitting opposite a team that had worked for weeks on a proposal, which you had received an hour before the meeting started. In the end, with pressure for earnings and a calm market environment, we reluctantly agreed to marginal transactions.”

Probably I shall replace all the financial terms with information security terms in this articule and come out a new version titled “Confessions of a Information Security Manager”.

(This post does not have any answers, just my personal ranting )

Recently I have attended a few risk management conferences mainly for financial institutions. The most common question asked was “what’s the risk management framework used by your institute?” Then it was usually followed by a round of discussion on Basel II or COSO ERM (Enterprise Risk Management). For IT folks, the topics will revolve around the risk management in IT govenance, COBIT or ITIL. However when it comes to the point of implementation, it becomes an evasive topic and most of the time I hear people complaining about the difficulties in implementing all these established frameworks etc.

Similar to the RM domain, implementation difficulties were constantly mentioned during my last conversation with a couple of Business Continuity folks.  It brings me to the questions - what’s the use of all these frameworks when they are not properly implemented? Are we spending too much efforts in coming out with these framework and methodology?Is it the time for the industry to channel some attention or resources to the implementation for these established frameworks?

I just read from ISACA’s Information System Control Journal that ITGI (IT Governance Institue ) has identified a gap in the current array of risk management framworks for IT: there is no known framework that includes both a holistic look at risk management and, at the same time,  provides adequate depth and details when covering IT. I just hope this ‘depth’ and ‘details’ are refering to the implementation aspect as well.

References and Resources: CONSTRUCTION OF AN IT RISK FRAMEWORK

Fresh from the oven !!! wondering where did our deal friend Michael manage to source these treasure …

Full Set of Blackhat 2008 Vegas Conference Presentation Slides

It’s probably the most [discussed,argued,rumured ...] topic in the infosec field for the past few weeks. Starting from all the media hype of “largest synchronized internet security efforts“, “Most serious security vulnerability” etc and tons of speculations on what exactly is wrong, and just a couple of days ago, the security researcher Halvar Flake revealed some educated guess (exact term used by securityfocus) about this flaw and H D Moore put up some POC exploit in Metasploit as well. For geeks who need more information, there are tons of materials on various mailing list, forum, underground articles. 

But for man on the street, Why so serious?  here is an interesting video from the researcher Dan Kaminsky who discovered this vulnerability and is going to present the details in the coming BlackHat 2008 Vigas.

Recently we have seen some rapid growth of information security topics in virtual world, typically relating to MMORPGs and both good and bad. For example World of Warcraft is getting bank-like security while Game Trojans outscore Storm worm.  It has been almost a year since I kicked off my part-time hobby research project on MMORPG security. The progress is rather slow but I am really enjoying the exploring process. It’s really amazing to witness the evolving process of all the virtual worlds. Here are a couple of MMORPG security discussion topics I have raised among the local infosecurity interest groups.

• MMORPG - InfoSec Research Nov 2007
• MMORPG - InfoSec Research Mar 2008

Based on the current trend, more and more MMORPGs are no longer “game” and they become a special type of social communities. There is a newly published research survey from CNNIC(China Network Information Centre). Majority of the users consider the virtual world is a community and have a sense of identity and belongings.

Fig 1. The meanning of a MMORPG to users

Fig 2. What are the factors of an MMORPG most valued by the users

This change of users perception towards MMORPGs also reflect the growing importance of information protection to the virtual world and remind the gaming industry to take it very seriously.