Thursday, October 18, 2012

SkyDogCon is almost here!

Wow, I can't believe that it's already time for SkyDogCon. It seems like DerbyCon was just here. Well, I guess that it was, but I haven't had time to post anything from it yet.

Anyway, SkyDogCon is only 7 days away and we just secured our tickets. The conference, which runs from October 26 to October 28, describes itself as follows: "SkyDogCon is a technology conference held annually in Nashville, TN. It is for the individual with the Renaissance Mind.

It mixes Hacking and Making with a healthy dose of technology. SkyDogCon exists to facilitate learning, information sharing and mingling with like-minded people in a relaxed atmosphere."

Regarding the host, if you've never met SkyDog, he is a great guy and is the real deal. I had the pleasure of meeting him way back at another conference in which he was involved, and got a chance to speak with him again in Louisville at DerbyCon this year.

SkyDog brings the best of what people like in other hacker/security cons and leaves out the "stuff" that doesn't seem to work.

In looking at the speakers and events that are linked up, this looks to be a great con.

See everyone there!

Wednesday, September 26, 2012

DerbyCon Countdown!

Countdown... T-minus 1 day and counting...

Ok, it's Wednesday and I am in full DerbyCon mode. If this year's convention is anything like last year's, it's going to be an awesome time.

The speakers lined up for this year look pretty cool, which in itself creates a problem, but a good one... which talks to go to.

Anyway, between the talks and the events, like the screening of the movie Reboot, this year looks to surpass last year's con.
 

Monday, September 24, 2012

Nashville InfoSec 2012 Capture The Flag

This past September 13th saw the culmination of all of our hard work pay off as my colleagues and I put on our (and Nashville InfoSec's) 2nd Capture the Flag challenge.

This year's challenge differed from last year's in that there were no servers to attack; instead, a series of 13 challenges was developed for the attendees to tackle. Of the 13 challenges, 8 were downloadable (below in green) so that conference attendees could take them along, attend other talks and still work on them.

The challenges, which covered different types of hacking, were:

Challenge 1  (Flag Ridden App)        Web Application / Database
Challenge 2  (ModifyMe)               Reverse Engineering
Challenge 3  (DiabloMania)            Network Forensics
Challenge 4  (User Reports)           Web Application / Database
Challenge 5  (Jurassic Park)          Obfuscation / Data Forensics
Challenge 6  (TheScrambler)           Reverse Engineering
Challenge 7  (File Reader)            Web Application
Challenge 8  (War of Information)     Obfuscation / Encryption Tools
Challenge 9  (Not Authorized)         Web Application / Encryption Tools
Challenge 10 (The View)               Web Application
Challenge 11 (What's your status?)    Network Forensics
Challenge 12 (Thoreau)                Obfuscation
Challenge 13 (Rick Roll)              Obfuscation

Most of the participants in the challenge (including 2 teams sent by CHS) stayed in the CTF room throughout the conference, each team battling it out for the top spot.

At the end of the day, TABC, a team made up of individuals who had registered without a team, came in first place.

All in all, from all of the feedback that we received, this was a great day. Everyone had fun and seemed to really enjoy the CTF.

Thursday, September 6, 2012

Nashville InfoSec CTF 2012

This year marks the second year that a few colleagues and I will be hosting a Capture the Flag (CTF) competition at Nashville InfoSec.

WHAT: Capture The Flag

WHEN: Thursday, September 13, 2012 during InfoSec 2012 conference. You must be registered to attend the conference to participate in Capture the Flag.

TIME: Capture the Flag will begin after the Morning Keynote Speaker (approx. 10am) and will end at 4pm. You will be able to attend the evening Keynote speaker session. The lunch break will coincide with the conference lunch time; however, those who wish to keep working may work through lunch. Team members can come and go as they please, but the timer will run continuously.

TEAMS: 4 persons per team max. You can register as a team or as an individual who will be assigned to a team. There will be a total of 10 teams max.

ABOUT: The Nashville InfoSec Capture The Flag (CTF) competition is a contest designed to test a team's knowledge and skill in a variety of areas related to information security, including web application security, cryptography, system exploitation, reverse engineering, and network analysis and forensics.

Throughout the game, ten teams of up to four members will probe, attack and solve offensive security challenges using skill, cunning and widely-available free tools. Teams will be scored using a weighted point system: points are awarded based upon the level of difficulty of the challenge that had to be solved to capture that particular flag. The winning team will be the one having the most points at the end of the competition.

PRIZES: A First Place Trophy and prizes will be awarded during the reception/prize drawing at the end of the conference.

Email chris.centore@tn.gov, steve.swann@tn.gov or george.romano@tn.gov with any questions concerning the event.

Monday, August 6, 2012

Is Demonoid Dead?

Demonoid, a website and BitTorrent tracker, was shut down on August 6th, 2012 by Ukrainian authorities. Demonoid, in its latest incarnation, was hosted out of Ukraine's largest data center, ColoCall. TorrentFreak reported that "A source in the country’s Interior Ministry says that the action was scheduled to coincide with Deputy Prime Minister Valery Khoroshkovsky’s trip to the United States." What the connection is, aside from an attempt to cooperate with US authorities, is unknown.

The service's troubles go back to 2007, when it was hosted in Canada and was inundated with cease and desist orders. It experienced trouble over the next several years, culminating in a DDoS attack from about July 27th onward. In early August, the site started redirecting unsuspecting users to malware sites.

According to TorrentFreak, the current administrator of the site stated "I don't plan on shutting down, but if I'm going to fix it I have to do it properly,... That means upgrading a lot of our 7 year old hardware and maybe bringing up the beta only. You know how it goes with demonoid. It might take a while but it will come back."

There are numerous heated debates on both sides of the aisle, but all this being said, what are your thoughts on the service? Is it a rights issue? What about the RIAA and CRIA?

Wednesday, February 22, 2012

So long, Scroogle...

Well, it looks like it's finally happened. Scroogle, the site that many people relied on for anonymous web searching, has been taken offline. I had been wondering about Scroogle's future for some time, since Google had been intermittently blocking the Scroogle scraper servers.

According to Scroogle's founder, Daniel Brandt, the site was a constant target of around-the-clock Denial of Service attacks, and as a result it, along with Mr. Brandt's other domains, was simply taken permanently offline.

What was Scroogle?
Scroogle.org, not to be confused with Scroogle.com, a pornography site, was a web service developed by Daniel Brandt. It was a Google scraper that allowed people to search Google anonymously. It essentially acted as a proxy for Google searches, so your IP address, the search terms you used and the other search information that Google usually records about your searches were anonymized by the system.
 
Scroogle also deleted all of the logs and cookies on its servers within 48 hours in order to provide better privacy for its users.

What's wrong with Google?
Nothing per se, if you know what you are getting into. Google places a cookie on each registered user's computer to track that person's search history. While this is not something new, this cookie is good for 18 months and is renewed whenever a Google service, such as Gmail, is used.

Google also aggregates search data by IP address, storing that data for 9 months. This stored search data is a cornucopia of information which could be used to assist in targeting advertising as well as for other marketing purposes. While on the surface this type of activity does not seem malicious, the potential power of this kind of aggregate data to profile individuals is concerning to privacy advocates, who fear that it may be used by law enforcement, government agencies, or other entities for nefarious purposes.
 
Other people elected not to use Google for professional reasons: marketing, tourism and legal professionals, for example, needed unbiased search results when performing research for their services.

What are alternatives?

With Scroogle permanently offline, there are other search alternatives that keep your privacy intact. A few of these are listed below:

PageWash
DuckDuckGo
Google Encrypted Search

Tuesday, February 7, 2012

Judge Orders Defendant To Decrypt Laptop

I recently read an interesting article that was posted on CNN's site. The article tells of a story from Wired in which a judge in Colorado ordered a woman to decrypt her laptop hard drive after the computer was seized.

The judge concluded that "the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer," and ordered the drive decrypted so that prosecutors could use the files against her in a criminal case.

The EFF is involved in the matter on the defendant's behalf, stating that the order violates the Constitution and would force the defendant to incriminate herself.

This gives great pause for thought to privacy advocates. At what point do an individual's rights cease? What precedent would this action then set?

Wednesday, January 18, 2012

Stop Internet Censorship / SOPA and PIPA

If you are browsing the web today as a user of Wikipedia or Google, you will notice that their pages have "gone black". This is due to their opposition to the "Stop Online Piracy Act" and the "Protect IP Act".

What are they?

Wikipedia defines the situation as follows:

SOPA and PIPA represent two bills in the United States House of Representatives and the United States Senate respectively. SOPA is short for the "Stop Online Piracy Act," and PIPA is an acronym for the "Protect IP Act." ("IP" stands for "intellectual property.") In short, these bills are efforts to stop copyright infringement committed by foreign web sites, but, in our opinion, they do so in a way that actually infringes free expression while harming the Internet. Detailed information about these bills can be found in the Stop Online Piracy Act and PROTECT IP Act articles on Wikipedia, which are available during the blackout. GovTrack lets you follow both bills through the legislative process: SOPA on this page, and PIPA on this one. The EFF has summarized why these bills are simply unacceptable in a world that values an open, secure, and free Internet.

Who are the players?
While the legislation itself sits in Congress, its supporters include the Motion Picture Association of America (MPAA), the NBA, Pfizer, Nike, L'Oreal, the Fraternal Order of Police (FOP) and others.

Diametrically opposed to these groups are organizations like Google, Yahoo!, Facebook, Twitter, eBay, Mozilla, Wikipedia and 2600, the hacker magazine.

What's the big deal?
The issue is one of 1st Amendment rights and censorship.

Although the current administration does not support these bills as written, proponents of the bills will certainly bring them or similar ones back.

Several provisions, such as the Anti-Circumvention Provision, the “Vigilante” Provision, the Corporate Right of Action and the Expanded Attorney General Powers, would stifle the Open Source community and could cause sites (like Facebook and YouTube) to shut down due to the large cost of policing their own content, as well as forcing huge liability costs onto countless Internet companies. Small competitors of larger companies would be at an unfair disadvantage.

SOPA and PIPA set up a breeding ground for abuses like the prosecution of people with little, if any, judicial oversight. In general, SOPA and PIPA open up a Pandora's box for abuse and 1st Amendment rights violations.

Read more on the EFF website, here.

What Can I Do?

Take Action Now! Visit the Electronic Frontier Foundation's action page here.

Tuesday, January 17, 2012

Book Review: A Bug Hunter's Diary

As an InfoSec professional, I frequently hear about insecure systems and vulnerabilities that are found in software packages. Software bugs are rampant and seem to come from all sides. These bugs, or errors in the coding of programs, must be properly identified in order to protect systems against, and mitigate, the resulting security vulnerabilities.

This month I read A Bug Hunter's Diary, a book published by No Starch Press and written by Tobias Klein. It provided me with an often sought-after, but rarely found, look inside the mind and processes of a security researcher looking for software vulnerabilities.

This book made me feel like I was sitting down with Mr. Klein personally, poring over code, gleaning the nuggets of wisdom and information that come from his in-depth understanding of software design and debugging. This book really is a diary, in that one sits and shares in the experiences of Mr. Klein's entries in each chapter. Throughout, we are taken through his various thought processes and methodologies while being introduced to countless tools of the trade.

Chapter One takes you through the basics of what bug hunting is and why it is needed. Tactics, terminology and tools of the trade are discussed as a primer for those with little or no exposure to this practice.

Chapter Two introduces us to a 'stack buffer overflow' by looking at VideoLAN's VLC media player. We are taken step by step through the process, from vulnerability discovery to exploitation and then to remediation, including how one should handle knowledge of the exploit once found, along with a nice summary of lessons learned.

Chapter Three takes a different approach and looks at Operating System (OS) kernels, specifically Sun/Oracle Solaris 10 and the way that it handles error conditions. Once again, we are taken through the steps from discovery to remediation and lessons learned.

Chapter Four covers NULL pointer dereferences arising from a type conversion vulnerability that affects the FFmpeg multimedia library, which is used by various software packages such as Google Chrome and VLC media player.

Chapter Five looks at web browser add-ons, specifically WebEx, examining cross-site scripting and ActiveX to find a stack overflow. In looking at remediating this bug, Mr. Klein shows us that, in addition to simply notifying the software vendor, we have the option of selling the bug to a vulnerability broker, in this case Verisign's iDefense Lab.

Chapter Six takes a look at Microsoft Windows drivers and the possibility of finding a vulnerability there, specifically in the anti-virus software 'AWIL/avast! Professional'. The approach taken in this chapter is a little different, since the AV program is not Open Source and its source code is not available.

In Chapter Seven we are given a chance to examine the OS X kernel, looking for an exploitable flaw in its input validation while developing a debugger on a remote Linux host connected via a cross-over cable. Whew!
 
Chapter Eight begins by looking at the iPhone and poring over the applications and libraries most likely to have bugs in them, including the Mobile Safari browser, the Mobile Mail app and the audio libraries. Mr. Klein takes us through fuzzing (providing invalid, unexpected, or random data to the inputs of a program) to look for obvious bugs, in this case with untrusted media files.

Just when you thought that the book was over and that there was nothing left to discuss, Mr. Klein gives us three appendices that provide a plethora of valuable information. Appendix A is a handy, in-depth reference to vulnerability classes, exploitation techniques and some common issues that lead to certain bugs. Appendix B details debuggers and how one goes about the debugging process. Appendix C gives the reader a summary of mitigation techniques, from Address Space Layout Randomization (ASLR) to Data Execution Prevention (DEP). All of these appendices help to neatly tie up any loose ends that the reader may have after exhausting the resources found throughout the book.

In reading this book, one gains ideas and insight that help explain the thought processes behind software vulnerabilities to others. In addition, the material contained in the book would be a good source for a series of departmental workshops within any security-minded organization or for its customers.

While an understanding of structured programming languages, Unix, and a sense of adventure and wonder are a must to get the most out of this book, the amount of knowledge contained therein is truly staggering, and the book is definitely worth the read.

Tuesday, January 10, 2012

New Year, New Opportunities

With this new year come new challenges and new opportunities. I realize that as a person, company, etc. you can choose to start over whenever you like, but each January provides us with a "built-in" push to try new things, take new risks, etc.

What are you going to do differently this year... career-wise? ...education-wise? ...security-wise?

This year, take the time and resolve to think more securely. How does one do that?
  1. Stay informed on news, issues and threats by subscribing to Twitter feeds, reading blogs, subscribing to mailing lists, etc.
  2. Think like an attacker. Look at your company/network like an attacker would. What is sitting out there like low-hanging fruit? Where would you begin when looking at your company or network? What systems or employees are vulnerable to manipulation? Mitigate those issues now, while you can.
  3. Don't ignore social media and OSINT (Open Source Intelligence). There is a plethora of information available even if you think that your information is secure. Also, are you open to Facebook/LinkedIn profile cloning? Do you check for something like that?
  4. What else is there? The above three things are far from an exhaustive list. What else can be done?
Yes, there will be things that bite us in the butt. There is always something that we could've done better, but resolving in our minds to be better about security will go a long way towards giving you an edge.