Kiosk security

Regarding http://blogs.securiteam.com/index.php/archives/1165 , I won’t be able to do daily posts…I’m just way too busy for that…

A few months back, I was sent a 4-foot tall, 80 pound kiosk in the mail.  I had 32 hours (one weekend) to figure out how to break the software.  It only took a few hours, so I thought I’d put together a list of Kiosk 101 security bullets.

1) Encrypt *all* of the traffic.  If you’re not using certificates, it is downright trivial to modify a DNS server (or write a quick MITM proxy) to point your web/xml client to some other web site.  Plus, do you really want your clients order, warranty information, address, phone number, best time to contact, etc passed in plain text over the web?

2)  Do not trust the store network.  Assume that someone malicious can both read AND write data on the store network.

3) Port scan or do a netstat on the kiosk OS to ensure that your kiosk isn’t set up with a service that binds a socket that you haven’t thought to ACL.  I thought it unusual to find 6 open TCP ports on a secured kiosk device.  For that matter, how about just blocking everything except the ports that you need?

4) disable broadcast services, especially ones that tell the passive listener the OS, system name, etc.

5) there is more at risk than just the kiosk.  Consider the attacker who figures out how the client protocol works and then uses this information to spoof a malicious client and attack the server.

6) disabling the cache on the local system isn’t the same as always storing confidential data securely (in transit and at rest).  Assume that the attacker can figure out your “magic key strokes” (maybe by recording a technician servicing the machine??????) and get local access.

7) This will be a service nightmare, but the devices shouldn’t be configured with the same accounts and passwords.  If you break one kiosk, you shouldn’t be given the keys to all of the same kiosks.

!Dmitry

Boxers and pen-testers

If you play any sort of sport, you’ll be familiar with the means by which an athlete develops their skill.  I like to box, so I’ll use that as an analogy.  Before you ever get in the ring, you have to know how to balance your body, hold your hands, throw a punch, move your feet and head, etc.  Once you master the FORM, you can then move to SPEED and STRENGTH training.  You don’t start on the heavy bag.  Kids who start on the heavy bag learn how to push a heavy bag…not how to fight.  Kids who start with shadow-boxing, footwork, then move to double-end or speed work, and finally end up on the heavy bag, have the correct form to punch through an object and not push an object.  I digress…

There is a discussion on the dailydave mailing list regarding the benefits of being able to reliably write exploit code in order to do pen-testing.  Writing exploit code, reversing binary apps, and fuzzing are great skills.  I liken them to a knockout punch.  Not many people have these skills (relative to the total number of pen-testers).  The problem is that you don’t want to start learning how to knock people out until you have figured out how to get close enough to throw the punch.  How many times have you seen a pen-tester show up on site with his/her interpreter?  I don’t mean a literal interpreter, I mean the person tasked with harnessing the creative maelstrom that is the pen-tester.  These two (or more) often have their shtick all worked out and the Corporate folks grin along with the show.

Corporate folks: whatcha got on that leash there?

Interpreter: the whooly behemoth, recently returned from a heap-overflow bloodbath at Antigua

Corporate folks: AH!  EEH!  is it…is it like the others?

Interpreter: Unlike any other that has been seen in this part of the corporate world.  Terribly destructive.

Corporate folks: Do we treat it like the others and put it in a cube near the bathroom, feed it pizza and caffeine and never, ever look it in the eyes?

Interpreter: Yes.  Further, you have been blessed with the fact that I have been blessed with the ability of communicating with Bob…errr…the Behemoth.  [turns to behemoth] ukkle snarp miselthrape dominos pizza muhgarkle

Behemoth: muhgarkle?  jasi blem blam Papa Johns [and shuffles off to cube]

Interpreter: He’s on it now.  [winks at crowd]  I don’t know howwwwwww he does it [glances over shoulder at shuffling behemoth]…different breed, that’s for sure.

Corporate folks: [laughing].  Well, we sure are glad they sent You.  Some companies [wink wink] just leave their behemoths on site with no supervision.

Interpreter: Oh, no.  Yeah, we could never do that with this one…I could tell you some stories…oh my…leave him alone on site…horrible…hey, it’s almost 11:00.  Who’s up for lunch?

This is roughly akin to a boxer entering the ring on the shoulders of another guy.  The other guy lugs him around the ring, trying to position him to throw haymakers at the opponent.  How much better if the guy throwing the haymakers had mastered the form necessary to get close enough to land a punch.  With respect to corporate consultants, the form isn’t really that hard to come by.  A few things:

1) You should be and smell clean.  Often overlooked, a consultant should be well dressed, groomed, and not reek of the margarita shots that he/she was taking at the strip club 3 hours before the work day began.

2) You should be able to communicate with the business professionals that are paying for your consulting.  This includes both speaking AND writing in a clear and intelligible fashion.

3) You should be able to understand business drivers and how they might *possibly* apply to your consulting engagement. This is an important point – The company will tell you what needs to be accomplished.  Not the other way around.

!Dmitry

Another hack-a-hack attack

So, I blogged about it here, initially. This week I’ve been playing with keyloggers. I had my keyloggers setup on win2k3 and winxp machines and I was accessing them via RDP. I made the mistake of keeping my RDP session nailed up. A few days later, I note tons of entries being displayed within the keylogger GUI. Of course, since the clipboard auto-synchs between the client machine and the RDP server, the keylogger on the virtual machine had been logging the clipboard contents from my home machine. I had been doing tons of code edits, so every cut-and-paste was captured and displayed by the keylogger software. Pretty embarrassing!

Now, what would I find if I setup a machine on a stub network, installed a keyboard logger, and let the hackers come on in? For everyone attaching to my machine, I would be snagging their clipboard. That might be interesting data.

!Dmitry

Wikiscanner

OK, I’m sure that, as usual, I’m a day late to this party…but, I’m having lots of fun with Wikiscanner . It’s pretty fun to browse around companies that you’ve worked for and seeing what edits they have been doing on Wiki. One of the cool things is to look at a company and see when and where they have been editing their Companies wiki (it’s also funny to see when and where they have been editing their competitions wiki). Companies want to ensure that the Wiki article reflects well on their company. After all, a google query for company X will almost always have the Wiki article as one of the top hits. I’m pretty sure that this can be used to an attacker’s favour. For instance, if you know that the PR folks are monitoring and editing a certain page on the Internet at regular intervals, then you can inject malicious links, code (?), etc. and use it to target the internal user. What if the wiki page for a large software vendor contained a link to where they could download a demo of the software for free? Would the PR person know better than to download the software and see what it was?
!Dmitry