CONFidence 2010

I had the honor of attending CONFidence 2010, hearing some great talks on security and meeting people in the industry who are outside my regular circle.

This included speakers you would not normally meet, such as speakers from Israel, Russia, Germany and other countries.

I really enjoyed the lecture by Dan Kaminsky on how to change Internet security “one step at a time” by providing (maybe for the first time?) a secure solution for session cookies, as well as solving the SQL injection issue with as little burden as possible on the developers.

Those two ideas still require proof, i.e. they are just theory now, but if they do become actual code, I am sure people will take a deeper look into them - the name Dan Kaminsky will surely draw attention to them.

The lecture “Don’t touch my WinNY” proved both funny and technically interesting, with the demonstration of a 0day in the WinNY file-sharing product.

Mario’s lecture, “The Presence and Future of Web Attacks: Multi-Layer Attacks and XSSQLI”, proved once again how much more work and research can be done in this field, with browsers constantly changing the rules of the game and creating new ways for attackers to inject malicious content.

Yaniv’s “Microsoft Patch Analysis” showed how straightforward a process converting a Microsoft patch into an exploit can be - the process may not be easy, but once you nail the method it shouldn’t be hard to repeat for every patch that comes out.

The second-day lecture “Hacking games for fun and profits” proved how wrong I am to play games to earn prizes: the two presenters showed that they could easily win any online contest without actually putting any effort into playing the game. That calls it quits for me on getting my highest score on Game X (change X to whatever game you like).

Alexey’s “De-blackboxing of digital camera” showed me how much can be done with very little: having access just to the camera’s LED allowed them to dump the camera’s memory via a blinking-LED data transfer method. Even though it was slow, it proved useful in bypassing the protection mechanisms implemented in the camera.

Chris’s “Web browser PKI/SSL security policy weaknesses and a potential solution” talked about how the wording shown to people in relation to SSL really should change - and I have to agree. Telling someone that the certificate name doesn’t match doesn’t tell mom and pop what they should do about it: is that a good or a bad thing? Should they continue or not?

To summarize, there is a lot to learn and much to listen to; I hope to catch you all again at the next conference with new information and new techniques.

Keep up the good work,
Noam.


Metasploitable

We’ve all been there before: having to do a demo to show the dangers of not patching, or of insecure operating systems, and then spending ages configuring a vulnerable host for the demo. Or even just wanting to set up a host so that you can better familiarize yourself with Metasploit. It takes a while to build a vulnerable machine; in my experience it actually always seems to take me longer to build an insecure machine than a secure one.

The crew over at Metasploit recently released Metasploitable, an Ubuntu 8.04 server install distributed as a VMware image. It includes a number of vulnerable packages, such as Tomcat, MySQL, TikiWiki and others.

This is definitely a move in the right direction if you ask me, as it is just the type of thing I’ve been looking for. It is going to save me hours of time, will be perfect for a lot of my presentation needs, and will also help me train others on the many facets of Metasploit.

For more info on Metasploitable, read the Metasploit blog post here.

To download the torrent directly, you can get it from here.


Metasploit 3.4.0 Released

The guys over at Rapid7/Metasploit have been really busy lately, judging by all the new features that have been added to what is one of the most widely used open source security tools.

If you’re one of the people who have been running off the svn builds, then you will have seen these changes coming in gradually; if not, then you’re in for quite a nice surprise.

The new features added to Metasploit 3.4.0 are the following:

Statistics
- Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
- Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
- Over 100 tickets were closed since the last point release and over 200 since v3.3

General
- The dns_enum auxiliary module now supports bruteforcing IPv6 AAAA records thanks to a patch from Rob Fuller
- Command shell sessions can now be automated via scripts using an API similar to Meterpreter
- The console can be automated using Ruby code blocks within resource files
- Initial sound support is available by loading the “sounds” plugin
- The Report mixin and report_* methods are now one-way: you can write to the database but not work with the results. This increases the scalability of the database.
- Many modules report information to the database by default now (auxiliary/scanner/*)
- Lotus Domino version, login bruteforce, and hash collector auxiliary modules
- Upgrade any command shell session to Meterpreter via sessions -u (Windows only)
- The VNC injection payload now uses the latest TightVNC codebase and bypasses Session 0 isolation
- Several modules were renamed to include their Microsoft TechNet bulletin number, e.g. ie_xml_corruption is now ms08_078_xml_corruption
- Code can now interface directly with an installed Java Development Kit via a Java mixin. See the java_signed_applet exploit for an example.
- Tomcat and JBoss installations can be exploited to gain sessions (Windows x86/x64, Linux x86/x64)
- The msfencode utility can now generate WAR payloads for Tomcat and JBoss
- Oracle XDB SID brute forcing is much more comprehensive thanks to Thomas Ring
- The msfencode utility can now inject into an existing executable while keeping the original functionality
- The XMLRPC server has been improved and additional APIs are available
- The db_import command now supports NeXpose Simple XML, NeXpose Export XML, Nessus (NBE, XMLv1, XMLv2), QualysGuard XML, and Nmap
- The sqlite3 driver has been deprecated. To ease the transition away from sqlite3, the postgres driver is installed by default in the Linux installer.
- There is a new db_status command that shows which driver is currently in use and whether your database connection is active

Bruteforce Support
- Account brute forcing has been standardized across all login modules
- Login and version scanning module names have been standardized
- The SSH protocol is now supported for brute force and fingerprint scans
- The telnet_login and ssh_login modules now create sessions
- MySQL is now supported for brute forcing, enumeration, service fingerprinting, and arbitrary SQL queries
- Postgres fingerprinting (pre-authentication) using the line numbers in the error messages
- Tomcat is now supported for brute forcing and session creation

Meterpreter
- The Meterpreter process management APIs and commands can now see all processes on WinNT 4.0 -> Windows 7 (32 & 64-bit)
- The Meterpreter can now migrate from 32 to 64 and from 64 to 32, in addition to using a new mechanism to do the migration
- The Meterpreter adds the steal_token, drop_token, getprivs, and getsystem commands (including kitrap0d integration)
- The Meterpreter pivoting system now supports bidirectional UDP and TCP sockets
- The Meterpreter protocol handle now supports ZLIB compression of data blocks
- The Meterpreter can now take screenshots (jpeg) without process migration and bypasses Session 0 isolation
- The Meterpreter can now stage over a fully encrypted SSL 3.0 connection using the reverse_https stager
- The Meterpreter and Command Shell scripts are now evaluated in the context of a new Rex::Script object
- The “hashdump” Meterpreter script provides a safe way to dump hashes for the local user accounts
- Automatically route through new subnets with the auto_add_route plugin
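The pre-authentication Postgres fingerprinting item in the Bruteforce Support list above relies on a detail of the PostgreSQL wire protocol: when a client sends a bad StartupMessage, the postmaster replies with an ErrorResponse whose verbose fields include the source file (F), line number (L) and routine (R) that raised the error, and those line numbers shift between server builds. The following is an added example, not Metasploit’s own module code, showing how such a reply is parsed and turned into a file:line fingerprint. The sample ErrorResponse is constructed here and its file name and line number are made up for illustration; a real server leaks whatever values its own build has.

```ruby
# Added example (not Metasploit code): parse a PostgreSQL ErrorResponse and
# extract the file:line the server leaks before any authentication happens.
#
# Wire format (PostgreSQL frontend/backend protocol v3):
#   'E' | Int32 length (includes itself, excludes the 'E') |
#   repeated: Byte1 field code, NUL-terminated value | Byte1 zero terminator
# Field codes used here: S severity, C SQLSTATE, M message, F file, L line, R routine.

# Build an ErrorResponse from a hash of single-letter field codes to values.
# Used only to construct the sample message below.
def build_pg_error(fields)
  body = fields.map { |code, value| "#{code}#{value}\0" }.join + "\0"
  "E" + [body.bytesize + 4].pack('N') + body
end

# Parse a raw ErrorResponse into a hash of field code => value.
def parse_pg_error(msg)
  msg = msg.b
  raise ArgumentError, 'not an ErrorResponse' unless msg.getbyte(0) == 'E'.ord
  len = msg.byteslice(1, 4).unpack1('N')
  raise ArgumentError, 'bad length' if len < 5
  body = msg.byteslice(5, len - 4)
  fields = {}
  pos = 0
  while pos < body.bytesize
    code = body.getbyte(pos)
    break if code.zero?                       # zero byte ends the field list
    nul = body.index("\0", pos + 1)
    raise ArgumentError, 'unterminated field' if nul.nil?
    fields[code.chr] = body.byteslice(pos + 1, nul - pos - 1)
    pos = nul + 1
  end
  fields
end

# The fingerprint is the leaked source location; nil if the server is built
# without verbose error fields.
def pg_fingerprint(fields)
  return nil unless fields['F'] && fields['L']
  "#{fields['F']}:#{fields['L']}"
end

# Constructed sample: the kind of reply a postmaster sends to a StartupMessage
# carrying an unsupported protocol version. File name and line number are
# assumed values for this example, not taken from any real server.
SAMPLE_ERROR = build_pg_error(
  'S' => 'FATAL',
  'C' => '0A000',
  'M' => 'unsupported frontend protocol 65535.65535: server supports 1.0 to 3.0',
  'F' => 'postmaster.c',
  'L' => '1912',
  'R' => 'ProcessStartupPacket'
)

if __FILE__ == $PROGRAM_NAME
  fields = parse_pg_error(SAMPLE_ERROR)
  puts "#{fields['S']} #{fields['C']}: #{fields['M']}"
  puts "fingerprint: #{pg_fingerprint(fields)}"
end
```

In a scanner the fingerprint string would then be compared against a table of known file:line pairs per server version; that table is not reproduced here. Note that the F and L fields are only present when the server is configured to send verbose error fields, so a nil fingerprint is a valid result and the scanner should fall back to other methods rather than treat it as a parse failure.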

Thanks for all the hard work guys, Metasploit has come a long way, and I’m looking forward to seeing where it’s going to be in a few months time.


OSWP - WiFu Training

Since the article I wrote about the OSCP training I did a while ago went down really well, I figured I’d write another article about the Offensive Security WiFu course and the OSWP challenge.

As you probably remember I loved the OSCP challenge, what could possibly be better than a “live hack” to pass an exam!

The WiFu course walks you through a lot of theory to start off with, and some may be very tempted to skip this section of the material; all I can say is, don’t. You will gain a wealth of knowledge on the theory of wireless networking by going through this section. I thought that I already knew quite a bit about wireless networking and the security thereof before I took this course, and well, let’s just say that I didn’t.

The course mainly concentrates on how to use the aircrack-ng suite of tools, and it does this in a manner where you actually learn the best way to use each tool for its relevant purpose. Some people may say, “Why not just read the help/man pages?” Trust me, I read the help/man pages, and I was quite proficient with the aircrack-ng suite before I did the training; now not only am I confident, I also know exactly what I’m doing.

The price of the course is once again extremely reasonable: it comes in at a measly $350, which is honestly nothing for the knowledge you will gain from doing the course and taking the challenge. They also give you a list of recommended hardware for the course, and for me that in itself was worth it. The wireless card I now possess is a lot better than my previous one, and the range really is phenomenal.

As for the challenge itself, it’s amazing: no bells and whistles, just cracking wireless APs in a safe environment, but it’s the stuff you need to know if you’re planning on doing this in the real world at all. You’re allowed 4 hours to complete the challenge, which is more than enough time to make the odd mistake here and there.

I’ve read quite a bit on wireless security over the past year or so, and well, I could have saved myself a lot of time and effort by taking this course first. I know that I have easily spent over $350 on books alone on this topic.

If you’re at all currently involved in wireless networks and/or security and you’re thinking about doing some training, make it this course, as it covers what you need to know.


Buy now! There is no “later”!

Somebody is selling places/reservations in/for a doomsday bunker.

Professional paranoid that I am, I immediately thought of what a great opportunity this is for a scam.  Take the deposits, sell the spaces.  Don’t spend anything on the bunker.  If there is no disaster, you’re golden.  If the world ends, what are they going to do, sue you?

(I like the “pets are free” mention.  Nice touch.  And, if you were going to build a shelter, it would extend the protein supply.)


KHOBE - the money link

Hi,

In light of the KHOBE story, it seems a “darker” truth has been uncovered. Apparently the researchers published their advisory in order to sell their research material to anyone who wants to know more than the limited technical details they released.

Why is this important? Well, it shows that when publishing their research, their intent was to:
1) Scare
then
2) Sell their software

While there might be legitimate reasons to check out their research, these new facts do bring the “KHOBE” paper into question, especially whether it is more noise than signal.

More details on the story can be seen here: KHOBE - no problem.

BTW, a bit of exaggeration by our colleague Aviram got him this week’s medal for PR scandal assistant.


KHOBE: Say hello to my little friend(*)

Guess what? Your personal firewall/IDS/anti-virus/(insert next month’s buzzword here) isn’t going to save you from an attacker successfully executing code remotely on your machine:
http://www.zdnet.com/blog/hardware/update-new-attack-bypasses-every-windows-security-product/8268

So no, it’s not the doomsday weapon, but it is definitely worthy of the Scarface quote in the title.
This isn’t surprising: researchers find ways to bypass security defenses almost as soon as those defenses are implemented (remember the non-executable stack?). Eliminating vulnerabilities in the first place is the way to go, guys, not trying to block attacks and hoping your “shields” hold up.

(*) If you’re reading this out loud you need to do so in a thick Cuban accent


LinkedIn Dead

So, I just went to LinkedIn.com, and well, I really hope that this is because of maintenance.
If anyone has any info, please let us know.
LinkedIn

——-
EDIT
——-

Confirmed down on downforeveryoneorjustme.com


The complexity of the ad-hoc network (and network research)

After months of intermittent attempts and research, I finally have a connection between two of my laptops, and an Internet connection to the one that is not physically connected to the wired LAN.

(Well, perhaps I might qualify that.  I appear to have a connection to the Internet, and I seem to have been successful at viewing a couple of Websites, and sending one piece of email.  It’s pig slow, and at the moment the mailer is trying to download some email.  It’s made enough of a connection to know that some email is there, but actually retrieving the email is taking enough time that I have been able to start to prep this posting in a browser window while I’m waiting.  I type very slowly, and, as of the end of this paragraph, it hasn’t yet successfully downloaded the second of seven messages.)

(The speed of the connection [although the computer says the connection is “Very Good”] may be due to the fact that I’m using WEP with a 104-bit, rather than 40-bit, key.  I don’t know how much difference it would make.  At the moment, having only just established the connection, I’m not about to mess with the settings to find out.)

However, as happy as I am to have the connection, the simple fact of it is not important enough to warrant a blog post.  No, the real point is all the trouble I encountered trying to find out how to make it work.  This follows on from the complexity of any computing that I wrote about earlier.
As usual, I made my own life more difficult.  If all I wanted was a simple ad-hoc wireless network, that could be had for the asking.  Well, sort of.  A simple wireless network doesn’t do very much unless you can share information from the drives, or share an Internet connection.  And that seems to be extra.

(Maybe.  At one point in the process, I had left one of the test wireless networks “on.”  And in one of my classes, one of my students managed to connect to it and get an Internet connection from the wired connection I had.  Random successes aren’t terribly useful, unless you can repeat them.)

Anyway, I have a wired network at home.  I have sharing enabled, so that I can copy materials from one machine to another.  At the moment, all of them run Windows XP.  (Yeah, I know.  I’ll get around to Linux sometime …)  I have (now) multiple laptops, and have to take at least one of them on the road for teaching.  And, of course, the mobile machines have to connect to all kinds of wired and wireless connections on the road.

Of course, the easy way would be to go to London Drugs and get a wireless router, connect it to the wired LAN, and fill in a few simple settings.  It’d probably take no more than a couple of hours, from beginning to end.  But I wouldn’t learn much about ad-hoc networking that way, and I’ve been getting more interested in it, particularly as a security concern, as I have been seeing that “computer-to-computer network” legend show up in more and more places.  (Especially with “Free Internet Connection!” as the network name.)

So, having a spare laptop (since, on a recent teaching trip, it decided to go spare on me), I figured it would be easy to set up a connection between that and the new one.

Actually, it was on the trip that I wanted to start the process.  There was nothing wrong with the old laptop (except that it was a Toshiba, and I’ve had two Toshibas in a row, and I will never again buy anything made by Toshiba since they’ve given me nothing but grief for eight years) except that the power supply was becoming unreliable.  I bought a cheap (and non-Toshiba) netbook and asked for advice about connecting them via an ad-hoc network in order to transfer the necessary files.

Well, lots of advice, but nothing actually worked, and I fell back on using the Passport external drive my wonderful daughters gave me that has been so useful in so many situations.  But it doesn’t do networking.

The friends gave me some starting points in terms of places to look for advice.  Microsoft, naturally.  There is a wonderful page at http://www.microsoft.com/windowsxp/using/networking/expert/bowman_02april08.mspx which provides clear explanations.  Only a couple of problems: it was written in 2002, so the dialogue boxes have changed.  This piece does talk about sharing an Internet connection, but it doesn’t mention the need to modify the default IP addresses, since everything seems to want to use 192.168.0.1 as a base, and that leads to conflicts.  Bottom line: it doesn’t work.

Microsoft updated the information in 2006 at http://www.microsoft.com/windowsxp/using/networking/setup/adhoc.mspx and the dialogue boxes are closer to what you’ll actually see these days.  After running through that one I tested it out, only to find that the network never does show up on “Available Wireless Networks.”  I’m not sure if this is because, if you choose WEP, and tell it not to broadcast the key, it keeps it hidden.  I did manage to connect to the network, and even seemed to be able to see other computers drives, and see something of the Internet, but all of the connections disappeared over time.  Again, this page says to use Internet Connection Sharing, but doesn’t provide the necessary detail to make it work.

All kinds of pages are out there, if you do a Web search, seemingly based on this same, limited, misinformation.  At http://www.home-network-help.com/ad-hoc-wireless-network.html the author seems to have given some thought to the issue of IP addresses, but not much.  http://www.home-network-help.com/ics-host-computer.html goes into a bit more detail on the IP addresses, but not enough, particularly in terms of the entries that have to be made in various places on various machines.

Finding all the places to make those entries is a trip in and of itself.  The Help and Support Center for XP Home Edition is no help.  At one point I was afraid that the multitude of entries for the various networks I’ve connected to in hotels, airports, and seminar hosting sites had something to do with it, so I went and deleted all of those “Preferred networks” I had accumulated over the years.  (Did you know that they were all still there?)

Lots of people are willing, and more than willing, to provide the benefit of their lack of experience.  I say this, since so many of the entries don’t actually work.  http://www.ehow.com/how_6108229_make-wirelss-internet-_ad_hoc-wireless_.html  Terse, doesn’t work.  http://www.ehow.com/how_5167281_create-ad-hoc-wifi-network.html  Slight tech detail, doesn’t cover sharing drive or Internet connection, doesn’t explain how to make new wireless network visible to “View available wireless networks.”  http://www.ehow.com/how_5154137_create-ad-hoc-network.html  A touch more detail than above (5167281), mentions need to share Internet connection, mentions a dialogue button that doesn’t exist in the XP explanation.  http://www.ehow.com/how_5946176_set-hoc-network-windows-xp.html  Some detail on setting up the network, doesn’t completely work, nothing on sharing.  http://www.ehow.com/way_5492555_ad-hoc-network-tutorial.html  Some detail on setting up the network, doesn’t completely work, nothing on sharing.  http://www.ehow.com/how_5670567_set-ad-hoc-wireless-network.html  Some detail on setting up the network, doesn’t completely work, nothing on sharing, does do XP and Vista.

Some of the advice is contradictory.  For example, I mentioned I was using WEP.  This is because some of the sites, such as http://www.hardwaresecrets.com/article/418 and http://www.tomshardware.com/forum/28615-42-networking-security-problem, suggest that WPA and WPA2 can’t be used if the “host” for your ad-hoc network is running Windows XP (which mine is).  Of course, that might be old news, which might have been superseded by intervening upgrades.  But, with this level of information, how am I supposed to tell?

We are awash in a sea of information.  Except that some of the information is misinformative.  As John Lawton stated, the irony of the Information Age is that it has given new respectability to uninformed opinion.  This can have rather significant consequences.  A recent CBC story notes that this may play into the May 6 stock market mini-meltdown.

So far, the best clue I received was from http://www.wi-fiplanet.com/tutorials/article.php/3822651  I had frequently seen the “Bridge connections” option, but I somehow never thought to have two networks “selected” when I tried it.  Even then, I might have missed the opportunity.  I got the usual error message, but it suddenly dawned on me that ICS might conflict with it.  (Given that everybody else had been telling me to turn ICS on.)  So, I turned ICS off, and, sure enough, Bridge connections was happy to do just that.

I still have no clue what has been set, and where …


Social Engineering in the Enterprise

I was watching some of the Social Engineering Toolkit (SET) tutorials this weekend, and this really got me thinking. How many enterprises actually brief their employees on social engineering and how it can be avoided? This should be part of the security training programme within any large organisation, and yet so often this vital piece of security is overlooked or ignored.

I’ve often found that so many organisations will spend a fair chunk of their budget on the latest IT security measures, like web application firewalls, database proxies, etc., but they neglect the easiest target of all, which is the staff.

If staff aren’t properly trained to recognise social engineering attacks, then they won’t know how to respond, and this is a threat to your business. I’ve had countless e-mails sent to me by users over the years with comments like the following.

“I received this e-mail telling me to please change my password on Facebook, it looked a bit weird, but after I changed it, it didn’t seem to take effect, should I be worried?”

Now, aside from the fact that the user is using their work e-mail address to sign up to a social networking site, this wreaks havoc on my mind for a few minutes, then I realise that it’s not the user’s fault. It’s down to the organisation and its security team to educate users to pick up on things like this.

As security professionals, every now and then we need to look at things from a different point of view. I know that it’s all too easy to mutter the words “Stupid users,” or “Really? What were they thinking?” But unless we educate users, how can they help us to secure our organisations?

A step in the right direction would be to try and get some time reserved in your organisation’s induction programme for information security, and make sure that you cover social engineering in as much detail as the employees can handle.

If you don’t know where to start have a look at Social-Engineer.org the guys are doing some amazing work.


T-Mobile phishing camp

Cory Doctorow shares his experience of being ‘phished’. I had a similar experience, only in reverse.

As I’m waiting to board a flight, my phone rings and someone claiming to be a T-Mobile rep is on the other end.

“You’ve been using your phone a lot” she says

Yes, I spent a week in China and the roaming charges are especially high there.

“Well, you are over $2,000 in your phone bill”

Well, thanks for letting me know. When the bill comes I will be happy to pay it.

“No, you need to pay it now; it is higher than your monthly average and we need to collect the payment outside your monthly billing cycle”

Fine. I will call the billing center once I get back to the office tomorrow

“No, you need to pay it now”

I am just about to board the plane. Call me in 3 hours when I land.

“Sorry, I need to collect a payment or we will suspend the account”

Fine. Bill me. You have my credit card details on file.

“No, we need you to provide them again as proof that you are ok’ing the billing”

Hmm… This is beginning to sound like the most unsophisticated phishing attack ever. You need my credit card details? Now? Can’t wait? OK. Give me your number and I will call you right back and give you my CC.

“This line is for outbound calls only. There is no direct number back to me”

No problem - I will call the t-mobile 800 number and ask for your department.

“They cannot transfer you to me”

Then how do I know you’re a real T-mobile rep and not someone out to get my credit card number?

“Well, how else would I have known your charges this month were especially high?”

At this point I burst out laughing, and since boarding is about to end I give her my full credit card details. VISA will take the loss on that one, but who will save me from the embarrassment of “securiteam blogger falls victim to the most amateurish phishing attack in history”?
I land, log on to my T-Mobile account, and am shocked to see a bill of $2,500 that is marked as paid. It really was T-Mobile.

Somewhere in Eastern Europe some guy is telling his boss: “Sergei, you’ll never believe this. The fake training material we planted at T-Mobile is actually being used. They are teaching their customers to be phished!”

Phishing camp indeed.


The complexity of the end-user’s computer

Over the years I’ve had to learn a lot about computers.  I’ve written device drivers for the All-in-One system under VAX/VMS.  I know what to do with MS-DOS’s AUTOEXEC.BAT and CONFIG.SYS files.  I’ve learned more word processors than I can remember the names of.  I was using UNIX when that was still a big deal.  Because of some research that was important in the early days of computer viruses, I know a question that will stump any computer forensics expert on the witness stand.

I’m a little afraid of my new netbook.  Within a few months I’ll need to buy a new desktop, and I know I’m going to be more afraid of it.

In the DOS days, I knew pretty much everything that was going on in it.  I knew the hardware, and the system files.  I even had a bunch of tools that would let me see the raw disk and memory.  It was tedious to do so, but it was possible.

Even when Windows 3 and 95 came out, I understood that this was simply a new interface.  I could still examine the system, and make sure everything was as it should be.  I could have confidence and assurance in the computer.  True, there wasn’t any serious protection on it, but, since I knew the full system, I could examine it regularly and make sure that nothing untoward was happening.

Then came Windows NT.  Extra protection on the system, but suddenly every time you turned the system on, 400 files (a number of them system files) got modified.  Change detection lost its security.

Then the later members of that family started adding ties into applications and back again.  And with Windows XP, for the first time, when a friend’s computer got infected, the only solution was to re-install the system.

Complexity is the enemy of security.  However, this goes deeper.  These days we have huge numbers of people using devices that are, as far as they are concerned, magic.  Don’t get me wrong.  I think magic is a lot of fun.  It’s just that magic seems to be defined as inherently unknowable, and these users are not only content with, but actually proud of, their ignorance.

This is dangerous.  When you assume that you cannot know, that seems to absolve you of any responsibility for even trying.  You punch the icons, and do things with no understanding of the consequences.

At the moment, I am trying to set up an ad-hoc wireless network between some of my machines.  I’m not having much luck.  I’ve researched the process, and had suggestions from friends.  I’ve been working at it, off and on, for months.  It still isn’t working.  I can’t find the information I need, either on the process, or in regard to the actual settings on my machines.

Ignorance isn’t bliss.  It’s dangerous.  If I, as a computer, communications, and security specialist of decades of standing, can’t get a simple (well, not quite that simple) network set up, how can we give advice to the novice users of the world on how to keep themselves safe?


Disposable gloves and security assurance

With the advent of the ITSEC standard (solidified with its inclusion in the Common Criteria) we got the idea of assurance requirements in security.  We’ve always had functional requirements: functional requirements are, basically, everything that we do.  All the technical stuff is functional.  Assurance, as a concept, is a bit more elusive.

Some people think assurance is tied to metrics.  Yes, we use metrics for assurance, but assurance isn’t just about metrics (and we can all think of some metrics that are absolutely pointless for assurance).

As a teacher, I’m always looking for examples to illustrate concepts like this.  And my wife pointed one out the other day.

Disposable gloves.  The really thin, cheap kind that the fast food places are, more and more, starting to use.

The functional requirement here is hygiene, yes?  We don’t want germs from dirty hands contaminating the food.  We used to use handwashing as the functional security.  However, there is no assurance in that control (or, at least, not one that is easy to see, and thus be assured of).  Aside from really filthy hands (which actually might not be germ-laden), unwashed hands look about the same as washed hands.

But you can see gloves.  Therefore, you have assurance that the functional requirement is being fulfilled.  Therefore, gloves have an assurance component which hand-washing does not have.

(Disposable gloves actually have an additional assurance component, protecting against re-use.   Gloves that are not disposable could be used all day, and get contaminated themselves.  But, because these gloves are cheap and disposable, you can see the staff taking a new pair whenever they start making a new item.)


The communication policy

I’ve worked at enough companies to see a general trend that I’m sure you’ve all seen before. Someone is hired into the security field from a purely business background and asked to manage an estate securely, and the first thing they always turn to is policy. They walk around saying things like, we must have a policy for this and that, oh and that, and we must be compliant with PCI DSS, ISOxxxxx, unknown standard X, etc, etc.

In some of the penetration tests that I’ve done in the past, I’ve literally walked into companies and asked about their security and have been told with huge smiles that their security is amazing, as they have a security policy. My first question is usually: how do you make sure that it’s being enforced? That usually gets me a look that says “No-one ever told us that we had to enforce it, we just have to have one to be secure!”

I realise that it’s a lot easier in larger organisations than it is in smaller ones, as they usually get audited, and the auditors tell them what needs fixing, but for the smaller businesses, it’s not that easy. Unfortunately, when something goes wrong with a smaller company’s security it doesn’t always get noticed either.

I remember reading an article not too long ago that mentioned that as penetration testers we have to change our game: if we cannot communicate to the relevant people at the top what the problem is, then we are the ones to blame. They are hired for their business acumen, and we tend to get hired for our technical skills, so we should be the ones to learn the new skills here. I’m not talking about social engineering, although there is a time and a place for that, but just better communication methods. Learn to speak the language of the business, and learn to get the policies tweaked enough to secure the estate.

To secure a company, you need more than just policy: you need technical security measures, you need to train employees and keep training them, you need people who keep up to date with the latest exploits and people who question others’ reasoning at times, and most importantly you all need to be able to work together and get your point across. Take the time out to get to know the people that you work with, what they enjoy, how they enjoy being presented with things, and the things that they despise; it pays off in the end.
If you can communicate at a better level, you stand a better chance of getting the logical security sorted out, and being more than just a policy based security team.


Printers, the forgotten threat.

It seems that in this day and age, people have finally grasped the concepts of why it’s a good idea to patch systems regularly, run an anti-virus application, and have funky network appliances like firewalls and Intrusion Detection Systems, which is a really great move in the right direction.

One thing that I will never understand though is that people will spend a fortune on new security tools and appliances, and they’ll forget the basics.

Please people, remember to lock down the items on your network that may seem insignificant to you, as nine out of ten times they are a foothold for a hacker. A prime example of this would be printers: I have managed to obtain really sensitive information off of printers attached to networks in their default state in the past, and also waste valuable time and company resources.

Here are a few of the things that I’ve done on various assignments over the years in regards to printers:

- Modify the default web console pages, and load them up with browser exploits

- Find valuable documents saved as files on the printers

- Use the printers as zombie hosts for nmap zombie network scans

- Tie up the printer for a day or so printing out the contents of my hard drive

- Waste paper and ink from doing the above

- Leave obscene messages on the console display

- Shut down the printer and fake the logon page to accomplish all of the above

Here’s a pretty useful link for all those with HP printers on their estate as well.
So going forward, please remember that if it’s attached to your network, it needs to be secured. Most printers these days come with security configuration options, but they have to be enabled, so take the extra 5 minutes to make the world a better place.
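To make “take the extra 5 minutes” concrete, here is an added example (not code from the post or from any printer vendor) that audits a printer’s management settings against a minimal hardening baseline. The `PrinterConfig` field names are hypothetical stand-ins for the knobs a real device exposes in its admin console; both sample configurations are constructed, one as the factory-default state the post warns about and one after the obvious fixes.

```go
package main

import "fmt"

// PrinterConfig is a constructed snapshot of a network printer's management
// settings. Field names are hypothetical; real devices expose the same knobs
// under vendor-specific names in their admin console.
type PrinterConfig struct {
	Host              string
	AdminPasswordSet  bool     // admin/web console protected by a non-default password
	TelnetEnabled     bool     // clear-text remote management
	FTPEnabled        bool     // clear-text job upload
	SNMPv1v2Enabled   bool     // SNMP v1/v2c, protected only by the community string
	SNMPCommunity     string   // community string in use
	WebAdminHTTPSOnly bool     // admin console refuses plain HTTP
	StoredJobsKept    bool     // completed jobs retained on the device's storage
	ManagementACL     []string // hosts/CIDRs allowed to reach admin services; empty = anyone
}

// Finding is one hardening gap with a rough severity.
type Finding struct{ Host, Severity, Message string }

// AuditPrinter compares a config against a minimal baseline and returns every
// gap found. An empty result means the baseline is met.
func AuditPrinter(c PrinterConfig) []Finding {
	var out []Finding
	add := func(sev, msg string) { out = append(out, Finding{c.Host, sev, msg}) }

	if !c.AdminPasswordSet {
		add("high", "admin console has no password: anyone on the LAN can change settings or the console pages")
	}
	if c.TelnetEnabled {
		add("high", "telnet management enabled: logins and commands cross the network in clear text")
	}
	if c.SNMPv1v2Enabled {
		switch c.SNMPCommunity {
		case "", "public", "private":
			add("high", "SNMP v1/v2c with a default community string: configuration readable, possibly writable, by anyone")
		default:
			add("low", "SNMP v1/v2c enabled: the community string is the only protection; prefer SNMPv3")
		}
	}
	if c.FTPEnabled {
		add("medium", "FTP enabled: unauthenticated job upload lets anyone tie up the device")
	}
	if !c.WebAdminHTTPSOnly {
		add("medium", "admin console reachable over plain HTTP: credentials can be sniffed")
	}
	if c.StoredJobsKept {
		add("medium", "completed jobs retained on the device: printed documents can be read back later")
	}
	if len(c.ManagementACL) == 0 {
		add("medium", "no management ACL: admin services reachable from every host, not only the print server")
	}
	return out
}

// Worst returns the highest severity present, or "" when there are no findings.
func Worst(fs []Finding) string {
	rank := map[string]int{"low": 1, "medium": 2, "high": 3}
	best := ""
	for _, f := range fs {
		if rank[f.Severity] > rank[best] {
			best = f.Severity
		}
	}
	return best
}

// FactoryDefault and Hardened are constructed examples of the same device
// before and after the five minutes of configuration the post asks for.
var FactoryDefault = PrinterConfig{
	Host: "printer-01.example.internal", TelnetEnabled: true, FTPEnabled: true,
	SNMPv1v2Enabled: true, SNMPCommunity: "public", StoredJobsKept: true,
}

var Hardened = PrinterConfig{
	Host: "printer-01.example.internal", AdminPasswordSet: true,
	WebAdminHTTPSOnly: true, ManagementACL: []string{"10.0.5.10/32"}, // print server only
}

func main() {
	for _, c := range []PrinterConfig{FactoryDefault, Hardened} {
		fs := AuditPrinter(c)
		fmt.Printf("%s: %d finding(s), worst=%q\n", c.Host, len(fs), Worst(fs))
		for _, f := range fs {
			fmt.Printf("  [%s] %s\n", f.Severity, f.Message)
		}
	}
}
```

The point of the two constructed configs is that nothing in `Hardened` is exotic: a password, HTTPS only, the clear-text services off, stored jobs purged and an ACL limited to the print server are all standard options on current devices, and the audit reports zero findings once they are set.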


Finally, a workable approach to web Single Sign On

In the last 20 years, practically all the large software vendors came out with Single-Sign-On (previously “PKI”) products that were supposed to give a single login that would give you access to all the resources on the network. As good as this idea sounds, in practice it almost never works. Why Single Sign On constantly fails in corporate environments is a mystery wrapped in an Enigma. But it just doesn’t work.

On the web, it seems even more logical that a single login will give you access to all the resources, and yet the situation is even worse. Microsoft, Google, Yahoo, AOL, and now Facebook have all tried their Single Sign On initiatives, which ended up with users signing up for 4-5 different ’single sign on’ services and typically just opting for the only single sign on method that works: using the same username and password everywhere.

Before you ask, OpenID is not a single sign on solution – it’s an identification service. So with that out of the way, are we doomed to never have a workable option to web single sign on?

Well, it seems the solution was always there: in fact, most of us have been using it for a while. Your browser.

Done well, the browser can keep the username/password combination in a secure place, protected by a single password and encrypted on your hard drive. The only risk is a Trojan using your browser to log into web sites without your knowledge – but that’s a risk you have today with keylogger rootkits, so you are not worse off letting your browser save the password for you.

Only two challenges stood between browsers and a true SSO experience. The first was web sites like PayPal that refused to let the browser save username/password information (though you could bypass that restriction with bookmarklets such as “Password Saver” on Firefox). The second was simply the convenience of having the browser log in for you, as you’d expect in a “real” SSO, instead of needing to log in yourself.

It seems that Firefox has taken up the gauntlet. In a recent blog post (http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/) Firefox announced an add-on that will handle account management; likely not much different from what is done today, perhaps a bit more extended and automated. Facebook, Google and some others won’t be happy about this move, but who cares. The best thing about this method of SSO is that you don’t need the site’s cooperation for it to work. In fact, as long as they don’t actively resist (e.g. by adding CAPTCHAs) Firefox can be the de-facto standard for account management in the not-too-far future.
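The security property the post relies on is the one in the sentence “protected by a single password and encrypted on your hard drive”: the stored logins are only as safe as the master password and the encryption around them. The following is an added example (not Firefox code, and not a description of how Firefox actually stores passwords) of the minimal vault design that gives that property: a key derived from the master password with PBKDF2 and a random salt, the credential list sealed with AES-GCM so that a wrong password or a modified file is rejected outright rather than yielding garbage. The iteration count and the sample entries are assumptions; PBKDF2 is written out inline so the block needs only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Credential is one saved login, as a browser password store keeps per site.
type Credential struct{ Origin, Username, Password string }

// Salt and nonce are random per save; iterations is an assumed work factor.
const saltLen, nonceLen, tagLen, keyLen, iterations = 16, 12, 16, 32, 100000

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out here so the
// example needs nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, length int) []byte {
	out := make([]byte, 0, length)
	for block := uint32(1); len(out) < length; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// newGCM derives the AES-256 vault key from the master password and salt.
func newGCM(master string, salt []byte) cipher.AEAD {
	blk, _ := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, iterations, keyLen)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(blk)                                                   // AES block size: cannot fail
	return gcm
}

// SealVault encrypts the credential list under the master password.
// Blob layout: salt || nonce || AES-GCM ciphertext+tag.
func SealVault(master string, creds []Credential) ([]byte, error) {
	plain, err := json.Marshal(creds)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, saltLen+nonceLen) // fresh salt and nonce on every save
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	// The salt is bound as associated data, so editing it in the stored file is
	// detected instead of silently deriving a different key.
	return append(hdr, newGCM(master, salt).Seal(nil, nonce, plain, salt)...), nil
}

// OpenVault decrypts a SealVault blob. A wrong master password or any change
// to the blob fails GCM authentication; no partial plaintext is ever returned.
func OpenVault(master string, blob []byte) ([]Credential, error) {
	if len(blob) < saltLen+nonceLen+tagLen {
		return nil, fmt.Errorf("vault too short (%d bytes)", len(blob))
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	plain, err := newGCM(master, salt).Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, fmt.Errorf("wrong master password or vault tampered with")
	}
	var creds []Credential
	if err := json.Unmarshal(plain, &creds); err != nil {
		return nil, err
	}
	return creds, nil
}

func main() {
	// Constructed sample entry, not a real account.
	blob, err := SealVault("one master passphrase", []Credential{{"https://mail.example.com", "alice", "correct-horse-battery"}})
	if err != nil {
		panic(err)
	}
	_, wrong := OpenVault("guess", blob)
	back, _ := OpenVault("one master passphrase", blob)
	fmt.Printf("%d-byte vault; wrong password: %v; right password: %d entry\n", len(blob), wrong, len(back))
}
```

Two design choices matter for the post’s argument. The random per-save salt means two users with the same master password get unrelated keys, so an attacker who copies the file off the disk has to run the PBKDF2 work factor against that one vault. And because the vault is an authenticated encryption, the Trojan scenario the post mentions is the only way to get at the logins: with the file alone, the result of a wrong guess is an error, never a partially correct credential list.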


Vulnerability Scanner