In any case, if you do pentests, think about all the RECENT cases where you break in to a major corporation through:

• a Solaris system with Internet-exposed telnet with a guessable password OR a telnet vulnerability (circa 1994!)
• an exposed VPN appliance with a manufacturer's administrator password
• a router with default "enable" password
• or, something else entirely - but something that rivals the above example in its unparalleled, unbelievable, abysmal, deep idiocy.

Indeed, many of my pentesting friends still report plenty of such cases (one was also featured in the presentation mentioned above). Whenever I hear about it from a pentester, I always ask:

Do you think "somebody bad" had already passed through the hole you just discovered?

Maybe an hour ago, a day ago - or a year ago?!

I cannot see how the answer can be "no."

Even though pentesters usually don't focus on forensics (no time for this), it is not uncommon to notice "your predecessor's" intrusion traces while you break through systems, "plant flags", change screen backgrounds [for the admins to notice that you've been there...], etc.

Let's think what this situation really means? Here are the choices I see:

1. Nobody discovered the hole - a law of large  numbers (aka "dumb luck") have "shielded" the company from an incident. Yes, Virginia, dumb luck IS a security strategy for some companies... AND it works for them.
2. It was discovered, but not used/abused by the attacker - maybe he was busy hacking other systems, or saved this for later and never came back due to his ADD. Congratulation, you win! The immense power of dumb luck wrapped you in a protective "security" blanket ... again :-)
3. It was discovered; the attacker went in, looked around and compromised a few others systems, but found nothing of interest (no low hanging fruits)  - and he was not a bot herder. Again, you win. Next time you are in Vegas, bet on "00."
4. It was discovered; the attacker went in and deployed a bot on "your" system - given how many botnets are there, this situation is clearly acceptable to many organizations. In this case, dumb luck strategy, apparently, still work: so they use your box to spam and phish somebody else ... big deal!
5. It was discovered; the attacker went in and stole all your credit card information (it is now for sale) - even in this case, the user of "the dumb luck strategy" still "wins" (in some perverse sense)! Unless and until the stolen information IS tracked back to you OR a friendly neighborhood PCI auditor come and jams a broomstick up your ..., you can still continue to be stupid at your leisure and ignore basic security practices.
6. It was discovered; the attacker went in and stole your CEO's Inbox, including the email related to his affair (it is now on CNN) - now, in this case, you lose AND it is time to stop being stupid! Welcome to the "0wned world." Time to launch (relaunch?) your security program and get serious.

What does this teach us about RISK? The lesson here is important:

• For a security professional, an Internet-exposed system with "root/root" is an obvious HUGE risk!
• For your boss's boss's boss, it is NOT!

This is exactly why I think that the most critical problem in security today is METRICS. Metrics that a) work AND mean something to decision makers and b) can be clearly communicated to said decision makers [BTW, a) and b) are two separate problems.] Metrics that cover not only threats and vulnerabilities we face, but also the effectiveness of security countermeasures we deploy. Metrics you can act on - and ones your boss (and his boss) will act on. Metrics that lead to correct decisions about which risks to accept, which to  mitigate (all while knowing with what efficiency such mitigation occurs) and which to transfer.

Until that time, the dreaded "C-word" (compliance) will trump "the other C-word" (common sense) as a driver for security ... and we will continue to live in the "0wned world."

Possibly related posts:

• Risk vs Risk 

The U.S. Department of Homeland Security wrote a letter to Labbé in 2004, saying he had been placed on their watch list after falling victim to identity theft. At the time, the department said there was no way for his name to be removed.

Although Labbé wrote letters to the U.S. department, his efforts were in vain, prompting him to legally change his name.

"So now, my official name is François Mario Labbé," he said.

"Then you have to change everything: driver's license, social insurance, medicare, credit card -- everything."

Although it's not a big change from Mario Labbé, he said it's been enough to foil the U.S. customs computers.

Imagine you're in charge of infiltrating sleeper agents into the United States. The year is 1983, and the proliferation of identity databases is making it increasingly difficult to create fake credentials. Ten years ago, someone could have just shown up in the country and gotten a driver's license, Social Security card and bank account -- possibly using the identity of someone roughly the same age who died as a young child -- but it's getting harder. And you know that trend will only continue. So you decide to grow your own identities.

Call it "identity farming." You invent a handful of infants. You apply for Social Security numbers for them. Eventually, you open bank accounts for them, file tax returns for them, register them to vote, and apply for credit cards in their name. And now, 25 years later, you have a handful of identities ready and waiting for some real people to step into them.

There are some complications, of course. Maybe you need people to sign their name as parents -- or, at least, mothers. Maybe you need to doctors to fill out birth certificates. Maybe you need to fill out paperwork certifying that you're home-schooling these children. You'll certainly want to exercise their financial identity: depositing money into their bank accounts and withdrawing it from ATMs, using their credit cards and paying the bills, and so on. And you'll need to establish some sort of addresses for them, even if it is just a mail drop.

You won't be able to get driver's licenses or photo IDs on their name. That isn't critical, though; in the U.S., more than 20 million adult citizens don't have photo IDs. But other than that, I can't think of any reason why identity farming wouldn't work.

Here's the real question: Do you actually have to show up for any part of your life?

Again, I made this all up. I have no evidence that anyone is actually doing this. It's not something a criminal organization is likely to do; twenty-five years is too distant a payoff horizon. The same logic holds true for terrorist organizations; it's not worth it. It might have been worth it to the KGB -- although perhaps harder to justify after the Soviet Union broke up in 1991 -- and might be an attractive option to existing intelligence adversaries like China.

Immortals could also use this trick to self-perpetuate themselves, inventing their own children and gradually assuming their identity, then killing their parents off. They could even show up for their own driver's license photos, wearing a beard as the father and blue spiked hair as the son. I’m told this is a common idea in Highlander fan fiction.

The point isn't to create another movie plot threat, but to point out the central role that data has taken on in our lives. Previously, I've said that we all have a data shadow that follows us around, and that more and more institutions interact with our data shadows instead of with us. We only intersect with our data shadows once in a while -- when we apply for a driver's license or passport, for example -- and those interactions are authenticated by older, less-secure interactions. The rest of the world assumes that our photo IDs glue us to our data shadows, ignoring the rather flimsy connection between us and our plastic cards. (And, no, REAL-ID won't help.)

It seems to me that our data shadows are becoming increasingly distinct from us, almost with a life of their own. What's important now is our shadows; we're secondary. And as our society relies more and more on these shadows, we might even become unnecessary.

Our data shadows can live a perfectly normal life without us.

This essay previously appeared on Wired.com.

EDITED TO ADD (9/9): Interesting commentary.

Imagine you're in charge of infiltrating sleeper agents into the United States. The year is 1983, and the proliferation of identity databases is making it increasingly difficult to create fake credentials. Ten years ago, someone could have just shown up in the country and gotten a driver's license, Social Security card and bank account -- possibly using the identity of someone roughly the same age who died as a young child -- but it's getting harder. And you know that trend will only continue. So you decide to grow your own identities.

Call it "identity farming." You invent a handful of infants. You apply for Social Security numbers for them. Eventually, you open bank accounts for them, file tax returns for them, register them to vote, and apply for credit cards in their name. And now, 25 years later, you have a handful of identities ready and waiting for some real people to step into them.

There are some complications, of course. Maybe you need people to sign their name as parents -- or, at least, mothers. Maybe you need to doctors to fill out birth certificates. Maybe you need to fill out paperwork certifying that you're home-schooling these children. You'll certainly want to exercise their financial identity: depositing money into their bank accounts and withdrawing it from ATMs, using their credit cards and paying the bills, and so on. And you'll need to establish some sort of addresses for them, even if it is just a mail drop.

You won't be able to get driver's licenses or photo IDs on their name. That isn't critical, though; in the U.S., more than 20 million adult citizens don't have photo IDs. But other than that, I can't think of any reason why identity farming wouldn't work.

Here's the real question: Do you actually have to show up for any part of your life?

Again, I made this all up. I have no evidence that anyone is actually doing this. It's not something a criminal organization is likely to do; twenty-five years is too distant a payoff horizon. The same logic holds true for terrorist organizations; it's not worth it. It might have been worth it to the KGB -- although perhaps harder to justify after the Soviet Union broke up in 1991 -- and might be an attractive option to existing intelligence adversaries like China.

Immortals could also use this trick to self-perpetuate themselves, inventing their own children and gradually assuming their identity, then killing their parents off. They could even show up for their own driver's license photos, wearing a beard as the father and blue spiked hair as the son. I’m told this is a common idea in Highlander fan fiction.

The point isn't to create another movie plot threat, but to point out the central role that data has taken on in our lives. Previously, I've said that we all have a data shadow that follows us around, and that more and more institutions interact with our data shadows instead of with us. We only intersect with our data shadows once in a while -- when we apply for a driver's license or passport, for example -- and those interactions are authenticated by older, less-secure interactions. The rest of the world assumes that our photo IDs glue us to our data shadows, ignoring the rather flimsy connection between us and our plastic cards. (And, no, REAL-ID won't help.)

It seems to me that our data shadows are becoming increasingly distinct from us, almost with a life of their own. What's important now is our shadows; we're secondary. And as our society relies more and more on these shadows, we might even become unnecessary.

Our data shadows can live a perfectly normal life without us.

---

Bruce Schneier is Chief Security Technology Officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

Synopsis:  Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• Programming notes:
  • Note about the production team – new special editions coming soon.
  • Note about URLs for the media files
• AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
• AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
• Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability
• New version of SIPvicious


• Sipflanker – tool to find SIP devices with web GUIs




• Discussion about VoIP Steganography (pointed to by Craig Bowser)


• Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register


• FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call



• The Register: ‘Untraceable’ phone fraudsters eye your credit card



• SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP



• Secure Computing: Voice tools under enemy fire



• VNUnet: A good VoIP application is worth paying for



• Ofcom confirms VoIP providers must provide access to 999 and 112



• Bogdan Materna’s blog is live
• Realtime Community: The Essentials Series:
  Messaging and Web Security
  Volume III


• Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )


• SearchSecurity: The threats to telcos and how they can repel them


• TMCnet: Balancing Issues in World of Telepresence


• Network World: VoIP Security Buying Guide
• Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )


• Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security


• VIVOphone Deploys Paradial RealTunnel?? to Solve NAT Traversal Challenges for VoIP Services


• Audiocodes joins the ranks of SBC vendors


• SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)


• The Hindu Business News: Serious about Security


• Shows:
  
  
  
  • IP Telephony University – June 23-24, Alexandria, VA
  
  
  • IPTComm 2008 – July 1-2, Heidelberg, Germany
  
  
  • The Last H.O.P.E. – July 18-20, New York
  
  
  • SpeechTek – August 18-20, New York
  
  
  
  
• Call for papers for Hack-in-the-box Malaysia ends June 30th



• SchmooCon 2008 videos available – several dealing with VoIP
• No comments this week.
  
• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 47:09 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

]]> Wed, 27 Aug 2008 16:53:17 +0000 voip security voip security news voip voip security tools voip steganography voip services security skype security vulnerabilities voip security podcast Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more... http://securityratty.com/article/48c1a58b9d39348008877ad191ffcfea http://securityratty.com/article/48c1a58b9d39348008877ad191ffcfea

Synopsis:  Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

---

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long!
• Programming notes:
  • Note about the production team – new special editions coming soon.
  • Note about URLs for the media files
• AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
• AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
• Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability
• New version of SIPvicious


• Sipflanker – tool to find SIP devices with web GUIs




• Discussion about VoIP Steganography (pointed to by Craig Bowser)


• Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register


• FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call



• The Register: ‘Untraceable’ phone fraudsters eye your credit card



• SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP



• Secure Computing: Voice tools under enemy fire



• VNUnet: A good VoIP application is worth paying for



• Ofcom confirms VoIP providers must provide access to 999 and 112



• Bogdan Materna’s blog is live
• Realtime Community: The Essentials Series:
  Messaging and Web Security
  Volume III


• Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )


• SearchSecurity: The threats to telcos and how they can repel them


• TMCnet: Balancing Issues in World of Telepresence


• Network World: VoIP Security Buying Guide
• Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )


• Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security


• VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services


• Audiocodes joins the ranks of SBC vendors


• SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)


• The Hindu Business News: Serious about Security


• Shows:
  
  
  
  • IP Telephony University – June 23-24, Alexandria, VA
  
  
  • IPTComm 2008 – July 1-2, Heidelberg, Germany
  
  
  • The Last H.O.P.E. – July 18-20, New York
  
  
  • SpeechTek – August 18-20, New York
  
  
  
  
• Call for papers for Hack-in-the-box Malaysia ends June 30th



• SchmooCon 2008 videos available – several dealing with VoIP
• No comments this week.
  
• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 47:09 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.




]]> Wed, 27 Aug 2008 15:53:18 +0000 voip security voip security news voip voip security tools voip steganography voip services security skype security vulnerabilities voip security podcast Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more... http://securityratty.com/article/2110e94e736fbe5f32088eee09481bee http://securityratty.com/article/2110e94e736fbe5f32088eee09481bee Warning: rant ahead, and names named.

When I'm not traveling, I like to work from home some days rather than endure the trek from Seattle to Redmond (although it's much better now that our own employee transit service has expanded into my neighborhood -- the existence of which is sad commentary on the availability and reliability of Seattle's public transit companies).

This means, of course, that I need fast and stable network connections. Comcast with their PowerBoost is working very well for me. But I just can't find a decent wireless router at all. My Lenovo T61p (with Intel 4965abgn adapter) just won't stay connected to my D-Link DIR-628 and IT'S DRIVING ME CRAZY! (Yes, I've tried various driver versions, from both Lenovo and Intel.)

My house is in an area with a lot of wireless activity -- sometimes I can see nine or ten SSIDs. I'm running draft N on 2.4GHz (which occupies two non-adjacent channels, currently 1 and 4), and I suspect the problem is collision interference. I could shift the router to 5.2GHz, which I probably would help, but then the rest of the computers in my house won't connect. Why, you ask? Well get this: the DIR-628 is part of D-Link's RangeBooster N family. So I stayed in the family and got two DWA-542 adapters for the desktop computers. Yet they only do 2.4GHz! Silly me, I assumed that being in the same family means full support of the router's capabilities.

I'm very tempted to replace my router again -- and I'm thinking that the best option is to get one with dual radios. That way I can move my T61p to 5.2GHz and replace the desktop adapters, while still having single-channel 802.11b/g on 2.4GHz for the Wii and my PlayStation Portable.

Now my request: tell me about your experience with home routers. What do you really like, and why? What should I buy?

]]> Fri, 22 Aug 2008 20:12:38 +0000 decent wireless router home router lenovo d-link dir-628 lenovo t61p intel dir-628 intel 4965abgn adapter [OT rant] Are there any home WiFi routers that DON'T SUCK? http://securityratty.com/article/4f945955ba8a424fe6b9352583602062 http://securityratty.com/article/4f945955ba8a424fe6b9352583602062
The average web based command and control kit for a botnet consisting of single user, single campaign functions only, has just lost its charm, with a recent discovery of a proprietary botnet kit whose features clearly indicate that the kit's coder know exactly which niches to fill - presumably based on his personal experience or market research into competing products.

What are some its key differentiation factors? Multitasking at its best, for instance, the kits provides the botnet master with the opportunity to manage numerous different task such as several malware campaigns and DDoS attacks simultaneously, where each of these gets a separate metrics page.  

Automation of malicious tasks, by setting up tasks, and issuing notices on the status of the task, when it was run and when it was ended. Just consider the possibilities for a scheduling malware and DDoS attacks for different quarters.  

Segmentation in every aspect of the tasks, for instance, a DDoS attacks against a particular site can be scheduled to launched on a specific date from infected hosts based in chosen countries only.  


Customized DDoS in the sense of empowering the botnet master with point'n'click ability to dedicate a precise number of the bots to participate, which countries they should be based in, and for how long the attack should remain active. Quality and assurance in DDoS attacks based on the measurement of the bot's bandwidth against a particular country, in this case the object of the attack, so theoretically bots from neighboring countries would DDoS the country in question far more efficiently.  

Historical malware campaign performance, is perhaps the most quality assurance feature in the entire kit, presumably created in order to allow the person behind it to measure which were the most effective malware and DDoS campaigns that he executed in the past. From an OSINT perspective, sacrificing his operational security by maintaing detailed logs from previous attacks is a gold mine directly establishing his relationships with previous malware campaigns.


Bot Description:  

1. Completely invisible Bot work in the system.
2. Not loads system.
3. Invisible in the process.
4. Workaround all firewall.
5. Bot implemented as a driver.
Functions Bot (constantly updated): 
1. Downloading a file (many options).
2. HTTP DDoS (many options, including http authentication).
The web interface 
-- Convenient manager tasks.
-- Every task can be stopped, put on pause, etc. ...
-- Interest and visual scale of the task.  
-- A task manager for DDoS and Loader
    
-- For DDoS tasks
Bots involved in DDoS 'f.
Condition of the victim (works, fell).

2. Bots manager
-- Displays a list of bots (postranichno).
-- Obratseniya date of the first and last.
-- ID Bot.
-- Country Bot.
-- Type Bot.
-- The status Bot (online / offline).
-- Bot bandwidth to different parts of the world (europe, asia).
-- The possibility of removing bots
-- When you click on ID Bot loadable still a wealth of information about it
3. Statistics botneta
-- Statistics both common and build Bot.
-- Information on the growth and decline botneta dates (and build).
-- Bots online
-- All bots
-- Dead bots.

4. Statistics botneta country
-- All countries to work on 
-- New work by country 
-- Online work from country to country
-- Dead bots by country
5. Detailed history botneta 
6. Convenient user-friendly interface adding teams
8. Admin minimal server loads
-- Use php5/mysql

Upcoming features :
1. Form grabber (price increase substantially), for old customers will be charged as an upgrade
2. Public key cryptography
3. Clustering campaigns and DDoS attacks

Despite it's proprietary nature, it's quality and innovative features will sooner or later leak out for everyone to take advantage of, a rather common lifecycle for the majority of proprietary malware kits in general.

Related posts:
BlackEnergy DDoS Bot Web Based

A New DDoS Malware Kit in the Wild
The Cyber Bot - Web Based Malware
The Black Sun Bot - Web Based Malware
Custom DDoS Capabilities Within a Malware
Botnet on Demand Service
Loads.cc - DDoS for Hire Service
Using Market Forces to Disrupt Botnets 
Botnet Communication Platforms
A Botnet Master's To-Do List
DDoS on Demand VS DDoS Extortion
How Does a Botnet with 100k Infected PCs Look Like?

]]> Fri, 22 Aug 2008 10:02:15 +0000 ddos attacks based ddos attacks malware previous malware campaigns ddos attacks simultaneously botnet country country bot ddos Web Based Botnet Command and Control Kit 2.0