black hat / defcon parties 2009

in the interest of not biting the hand that feeds (or waters…) us, i’ve reduced the list to a simple listing of the available parties on a given night, unless it’s been cleared with the party host. note that most (if not all) of them are private, and you will need to be on the list / know the secret handshake to get in.

tuesday (07/28/2009)

  • Speaker Party

wednesday (07/29/2009)

thursday (07/30/2009)

  • Securosis/Threatpost Disaster Recovery Breakfast
  • Syngress Tweetup
  • Core Security
  • SecurityTwits
  • Microsoft
  • Security B-Sides
  • McAfee
  • NetWitness

friday (07/31/2009)

  • AR

saturday (08/01/2009)

  • I-Hacked / PaulDotCom
  • EdgeOS

shoot me a message @jcran if you’ve got something to add to the list.

Courvoisier

didn’t get your facebook vanity url?

that’s okay, a vanity phone number will do. google voice now allows you to search for numbers when you sign up. it’s the little things.

snapshot6

and you can find me at: http://www.facebook.com/jonathan.cran. :)

simply awful

i currently have the worst bio i’ve ever seen. must fix that.

fyi, wordpress has issues:
http://seclists.org/fulldisclosure/2009/Jul/0057.html (thank you, core)

A vulnerability was found in the way that WordPress handles some URL
requests. This results in unprivileged users viewing the content of
plugins configuration pages, and also in some plugins modifying plugin
options and injecting JavaScript code. Arbitrary native code may be run
by a malicious attacker if the blog administrator runs injected
JavasScript code that edits blog PHP code. Many WordPress-powered blogs,
hosted outside ‘wordpress.com’, allow any person to create unprivileged
users called subscribers. Other sensitive username information
disclosures were found in WordPress.

custom.dic could really end up being one.

Typing up a report tonight and i realized I had been adding a number of exceptions to my custom Microsoft Word dictionary (‘Add to Dictionary’) . Thinking about this as an attack technique, i realized there’s a whole lot of information leakage in this text file. The (abbreviated) list below may not mean a whole lot to the casual observer, but contained within are a topics that are directly correlated with the work I do.  

Charles
Chris
Edward
Elizabeth
Frontpage
Gates
Halvar
hotsite
JATOBA
Metasploit
Nessus
NeXpose
netcat
nmap
Petrovski
RAPID7
Thayer
Tolson
Vulnerabilties

Are you forensics guys catching this? You can find the Microsoft Word custom dictionary here: C:\documents and settings\[username]\application data\microsoft\UProof\custom.dic  and the corresponding Vista+ path under \Users.

I did a quick search for a database of files that might be of interest in a forensics investigation. Nothing came up. Anybody know of a list of such files? Depending on the use of the machine under investigation and the software installed, this would certainly change. It may be sufficient to grab just the \documents and settings or  \users directory, but a list of database of  files relevant in most forensics investigations would be useful.

Google Voice (was Grand Central) is a pentester’s best friend

Google Voice turns out to be really handy for phishing attacks. When you send out a phishing email, it’s useful to include a phone number, in case of any issues with the attachment, link or other payload.

Google voice gives you a (new, anonymous) number which you can route wherever you’d like (cell, office, etc). Additionally, you can configure your voicemail to quickly impersonate the local admin, or security officer.

The killer feature, however, is the voicemail recording and transcription. Never again do you have to wade through a voice-driven mail system. Now, it simply dumps into your inbox for easy inclusion into a report. Additionally, you can download, email and share (via unique URI) voice messages.

Good for demonstrating that you can’t trust links AND phone numbers.

Scoping a Penetration Test

Scoping a penetration test is difficult. This is why Statements of Work and Requests for Proposals are necessary evils. It’s not an exact science.

There’s a lot of factors that can be involved:

  • Number / Complexity of Systems and Networks - Standard windows boxes? What about the patching system controlling their updates? Are they located in the DMZ, or would exploitation of the system drop you directly into the internal network?
  • Number / Complexity of Applications - Number of pages (a horrible metric)? What technologies were involved? How many developers? In-house, or Third-Party? Remote Administration? The List goes on…
  • Depth of Testing - How “deep” should the test go? Should we stop once we’ve run a vulnerability scan and confirmed / denied the results? What about brute forcing of authentication? What about attacking the users? What happens when we gain access? Should we continue?
  • Focus Areas – Where should testing be focused? What systems are of critical importance? How are those systems used?

A number of helpful things to do:

  • Define a goal. If you haven’t DEFINED a goal, you should start there. Some goals are obvious — Gain Domain Administrator access. Some are not so obvious: Gather document on sally from accounting’s desktop.
  • Accept that each test is going to be different. Each time you do one of these, the goals are going to be slightly different. Disregard that fact at your own risk.
  • Look at the system from the perspective of controls. Which controls are you trying to test? The firewall? The spam filter? The user’s intuition? (The danger of this method is testing to the control, not the gaps between them.)

In the end, it’s scoping == budgeting. You have to be able to make reasonable estimates about the time that you’re going to spend testing. How do you scope penetration tests and other services work? I’m interested in the tactical (and repeatable) metrics that you use!

Raising the Bar

I often hear technologies or controls disregarded on the basis of  “It can’t protect against X scenario.” or “It doesn’t completely protect me.”

For example, take a web application firewall. It can be boiled down to a regex, and possibly some fancy behavior analysis. It CAN be subverted. Encoding, session splicing, other types of evasion can defeat them.

That’s not to say technologies and products shouldn’t strive for more. It’s just accepting the reality of the situation that you can’t completely control your environment.

It’s not about creating a perfect defense. It’s about raising the bar.

Security only works as a process, only as defense-in-depth. There is no silver bullet that can protect against all scenarios. Everything breaks when its assumptions are violated.

The whole security industry is wrapped up in an arms race. As soon as you add another layer of protection, an attacker is forced to work that much harder, and they will.

The question becomes, does the arms race ever end? (Hopefully not. It’s paying my bills.)

Smarter people than i have written about this.

Back|Track 4 First Impressions

It’s damned liberating to take this distro and be able to update it. This, along with specialized security-tool repositories, is the killer feature of the new Back|Track 4 release. A

If you haven’t tried either the LiveCD or the VM version, give’m a shot.

My first impressions are extremely positive. I like the fact that you can choose your window manager, KDE or FVWM (FVWM is /sexy/). Most of the Ubuntu folk (myself included) are going to be used to using Gnome, but KDE will do.

It would be better if the distro would auto-generate a password on first load, rather than using the default of root:toor. Especially, now that the disk has become installable, and thus, more permanent. I look forward to owning a corporate auditor’s Backtrack box. :)

Good work all around. Now to get documentation on how to set up & maintain my own Debian/Backtrack tool repository! 

jcran

Just about right…

justaboutright3

ShmooCon 2009 Wordle Visualization

ShmooCon 2009 Talks

ShmooCon 2009 Talks

Visualization of the 2009 Shmoocon talks created byWordle.net.