The latest Microsoft patch MS08-68 is a great example. It is a problem with NTLM authentication where the attacker can force a client to authenticate to him and the credentials, while not exposed in cleartext, can be relayed to another server or brute forced to obtain the cleartext. This is a very classic crypto protocol vulnerability. It’s not the crypto algorithms that are the problem, but the protocol implementation.

Microsoft recently fixed the problem, perhaps due to the availability of exploit code, the availability of an easy to use Metasploit implementation, or perhaps Microsoft’s changed tolerance for vulnerabilities. We can sum it up as a change in the threat space that made it worth fixing. But make no mistake, this is a very old problem.

News reports have been citing Sir Dystic’s SMBrelay tool, which was published in March, 2001, as the first knowledge of this vulnerability. Eric Shultze who worked at MSRC in 2001 just yesterday is quoted as saying, “I have been holding my breath since 2001 for this patch.” Obviously it is a long time coming. But this wasn’t the first publication of the problem. In 2000, one of my collegues on the research team at @stake, Christian Rioux (aka Dildog) published the telnet NTLM authentication vulnerability.

Rioux’s advisory has a great description of the credential relay and cracking weaknesses. I have talked to him and he says he discovered these problems independently, but he didn’t find them first. Dominique Brezinski published exactly these NTLM vulnerabilities in the SMB protocol in 1996 in a paper titled, “A Weakness in CIFS Authentication”. The earliest reference I can find on the paper on the net is here where it is included in another paper published in 1997. Such is the ad-hoc world of independent security research of 12 years ago which still continues today.

It seems ridiculous that a field like security research, which is so important to the running of modern society is so ad-hoc. Shouldn’t we know who discovered a vulnerability? Shouldn’t all researchers and engineers know about it? More importantly if someone implements a tool that takes advantage of a vulnerability shouldn’t they credit the discoverer? Don’t get me wrong. Implementation takes a lot of work and sometimes makes all the difference in makeing people aware of a security problem. After all when I was at the L0pht our slogan was, “Making the theoretical, practical”. I still think researchers should get credit when credit is due.

The security community has gotten better at documentating our research but I still see instances of independent discovery, misplaced credit, and tools giving no credit to researchers. I hate to say it but getting a bit more academic is in order. Credit is the currency of a researcher and placing it well will reward the right people and we will all benefit.

Hackers getting a free T pass may be the least of our worries — local hackers-turned-security experts suggest RFID keycards, wireless networks and medical devices implanted in the body are also vulnerable to hacks.

At last week’s Defcon hacker convention in Las Vegas, a team of researchers showed it was possible to get information such as Social Security numbers and medical diagnoses, and change the settings on an implantable defibrillator by impersonating the computer it communicates with wirelessly. By doing so, a hacker could send a fatal shock to a patient’s heart, said William Maisel of the Beth Israel Deaconess Medical Center.

It is almost like things haven’t changed since the 90’s when the L0pht worked to change the mindset of security:

1. Don’t trust vendor claims around security
2. Attacks aren’t “theoretical”
3. Security by obscurity is no security

The L0pht worked as an independent security research think tank.  For us it was non-profit side job researching and publishing vulnerabilities in software and hardware.  We did it for our love of technology and published what we found out because purchasers and users of the vulnerable systems deserve to know.

It’s 10 years later and the situation hasn’t improved much.  Mudge talks about the vulnerabilities the L0pht found in highway transponder systems that are still in systems being fielded today.  But more important than the vulnerabilities themselves is the nature of how these vulnerabilities are coming to light.  They are being found by hobbyists, students, and IT people working in their spare time.  How can something as important as the security of public fare collection systems and medical equipment not have a standard process for security acceptance testing? 

As we become more reliant on digital systems, with some even keeping us alive, it is high time for security testing to move beyond student papers and part time IT work.  Security testing needs to become a formal part of the process of purchasing and fielding digital systems.  Our lives are starting to depend on it.

Sniffing, or monitoring all traffic on a network, is so 1999. That is when L0pht came out with AntiSniff, which could detect many scenarios where someone was sniffing a wired network. How can we be using plain text authentication protocols in 2008? It is a well known and easily solved problem. But people authenticate in clear text everyday when they log into social networking or blogs or other “unimportant” applications. The problem is when they use those same credentials for work or online banking.

We need to think of any application that alows users to authenticate in the clear as broken. If 3 journalists can monitor paaswords, anyone can.

Sniffing, or monitoring all traffic on a network, is so 1999. That is when L0pht came out with AntiSniff, which could detect many scenarios where someone was sniffing a wired network. How can we be using plain text authentication protocols in 2008? It is a well known and easily solved problem. But people authenticate in clear text everyday when they log into social networking or blogs or other “unimportant” applications. The problem is when they use those same credentials for work or online banking.

We need to think of any application that alows users to authenticate in the clear as broken. If 3 journalists can monitor passwords, anyone can.

Update 08/08/2008 12:30pm EST:

It turns out the attack was likely a MITM attack where the attackers ran their own DHCP server and handed out a gateway IP that was controlled by them. At least one reporter was connecting to his organization’s content management system over unencrypted HTTP and got his password compromised. More details in “How eWeek Got Hacked at Black Hat.”

At the end of the day, however, we are facing a much bigger, more metaphysical question than the ones I have so far posed. That I can pose many others is of no consequence; either you are sick of them by now or you are scribbling down your own as I speak. The bigger question is this -- how much security do we want?

A world without failure is a world without freedom. A world without the possibility of sin is a world without the possibility of righteousness. A world without the possibility of crime is a world where you cannot prove you are not a criminal. A technology that can give you everything you want is a technology that can take away everything that you have. At some point, real soon now, some of us security geeks will have to say that there comes a point at which safety is not safe.

One of the questions asked of the panel by moderator Michael Fitzgerald (who did a kick-ass job) was, “What scares you the most these days?”. My answer was the proliferation of of inexpensive digital devices made in China that we plug into our computers. The malware problem is getting tricky to dodge. First you couldn’t open email attachments you weren’t expecting. Then you had to worry about surfing even trusted websites with JavaScript turned on, even with the latest patched browsers. Now you have to worry about plugging in the shiny new digital toy you got as a gift. Perhaps its a digital picture frame, digital camera, music player or silly programmable gizmo. Welcome to the age of factory installed malware –the age of devices coming Certified Pre-0wned.

The Associated Press writes:

Recent cases reviewed by The Associated Press include some of the most widely used tech devices: Apple iPods, digital picture frames sold by Target and Best Buy stores and TomTom navigation gear.

In most cases, Chinese factories — where many companies have turned to keep prices low — are the source.

We all know malware is starting to fly under the radar of black list style detection. Low volume malware is flooding the AV labs’ capability to build detection for it. The digital picture frame sold at Sam’s club was infected with previously unknown malware that stole passwords and turned off AV software.

An additional threat that has been reported is devices have been found infecting the flash memory cards that are often inserted to upload photos.  From SANS:

“Recently I found a virus on it called Troj_Agent.SAO, which is what Trend Micro named it.  Anytime you plug a removable device into it, it would create two files Autorun.inf and autorun.exe.  The exe would place itself in the recycler\recycler folder and the .inf would place itself on the root of the removable drive as a hidden file.  At first I thought this virus came in on one of our employee’s pen drive but after further investigation I discovered that the files that the virus uses were created on the kiosk the day it was shipped out to us.  Also our vendor is using this kiosk in some of their stores at the moment and there have been reports that the kiosks have given their customers a virus. “ 

We are back to the days of the floppy or “sneaker net” attack vector. Do you know who has touched your SD card or USB drive? Don’t use it in public.  Don’t share it with multiple machines. Dan Geer told me he once tossed a USB drive into an audience with the slides for a presentation he just delivered on it.  About 10 people passed it around and copied off the slides.  It came back with a virus on it.  And this was at a security conference.

On the 23rd episode of The Silver Bullet Security Podcast, Gary talks with Chris Wysopal, founder and CTO of Veracode and author of The Art of Software Security Testing. Chris was one of the seven original members of the L0pht hacker collective (operating under the hacker handle Weld Pond) and later went on to work for @stake. Gary and Chris reminisce about L0pht (and the warehouse full of stuff) and discuss the role of security researchers now versus in the mid-late ’90s. They also talk about the current state of the software security market and its continued growth.

• Chris’ Wikipedia entry
• The Art of Software Security Testing
• Veracode
• Zero in a bit - Veracode’s blog
• L0pht Heavy Industries
• Vulnwatch
• SOURCE: Boston 2008