Over the past three years I have attended rougly 25 security conferences and events. In each of those, I believe I may have been searching for ShmooCon 2010. In spite of multiple adverse conditions, ShmooCon was quite simply the best run, most worthwhile (from a learning perspective) event that I have attended to date. If for no other reason, ShmooCon 2010 was a rare celebration of computer security expertise and passion that is often lost in the overcrowded, diluted conferences that seem to have taken hold of the security industry.
The awesome qualities of ShmooCon could not be out done by the 20 inches of snow that covered the Wahsington DC metro area where ShmooCon was held. Despite the unforgiving weather, to my knowledge all the speakers, with the exception of Josh Coremann who telecommuted, were able to attend the event. Furthermore, despite canceled flights, train arrivals, and bus trips, only 100 attendees were unable to make it into the DC area. These figures are incredible when one considers the severity of the weather situation which the media has laughingly labeled ?Snowpocalypse.?
Smooth sailing in spite of adversity is not however what made ShmooCon an incredible conference. What made ShmooCon an incredible conference was the attendees. The ShmooCon attendees mirrored what I have always pictured DefCon attendees to be. This is not to say that the level of expertise of DefCon attendees is not superb, but rather to say that the elite are diluted by the indifferent. ShmooCon on the other hand seemed to house a higher potency of the passionate than the indifferent and more of the knowledgeable than the curious. Granted, ShmooCon 2010 hosted roughly 1,500 attendees compared to DefCon 17?s nearly 10,000.
The significantly lower attendance of ShmooCon was not due to demand however, but rather more due to exclusion. ShmooCon does ticket sales a little bit different than most other conferences. Specifically tickets are limited and while ShmooCon could have brought in more money by allowing more attendees, they kept the figures down to 1,500. This meant that, with few exceptions, only people particularly driven to attend were able to get tickets. In fact, in each round of ShmooCon ticket sales sold out in minutes.
As a direct result of the relatively exclusive nature of the event, the level of conversation seemed higher and the ratio of vendor marketing to security practitioners seemed just about right. Finally the content of the talks was fantastic, although I still think my tracking and profiling talk shouldn?t have been an alternate (I?m just saying). ?Granted the content was probably not on par with the likes of BlackHat DC, however, that is also a $200 ticket versus a $1,095 conference pass comparison. All things considered ShmooCon was fantastic, so kudos to the Shmoo Group, I?ve been a fan since Rouge Squadron J keep up the good work!
A Few Highlights
The highlighted presentations may still be purchased on DVD or some may still be available on http://www.ustream.tv/recorded/4538594
- Hacking Sleep Cycles
- Social Zombies II: Your Friends Need More Brains
- Learning By Breaking: A New Project For Insecure Web Applications
- 0wn the Con
- Just walking around talking to people
Perhaps it’s all the talk about Advanced Persistent Threats (APT’s) or the arguements over sophistication, heck maybe it’s just because it’s after the holidays and I have some kind of security industry seasonal depression–but I can’t deny that my disenchantment with the security community is at an all-time high at the moment. In fact the realization is setting in that the career of a security professional is one that will be defined by the minor victories in our overall defeat. Security professionals are Michael Spinx and we’re in the ring with Tyson. The only difference is that we’re not going to get put out of our misery in one round…it’s going to be a long affair. That is of course unless we actually learn something from organized attacks like Titan Ra–errr I mean organized attacks like Operation Aurora.
To be clear I’m not talking about learning lessons from a technical or internal process perspective, rather I’m talking about learning how, as a community, we can work to better handle these types of scenarios. My own personal perspective is that the community as a whole has lost sight of what the overall goal is and how we must ALL function together to accomplish that goal. This view is exacerbated by the multiple questions that have been left in my mind by incidents such as Operation Aurora. Again let me stress that I’m not talking about anything from a technical or internal process perspective but rather pointing out the multiple questions that continue to go unanswered by the community as a whole. Questions such as: isn’t this the exact type of real-world event that drills such as Cyberstorm were supposed to prepare us for? Why, with our multiple upon multiple information sharing venues does it seem like everyone is running so frantic and misinformed? and most important in my mind, as a community are we trying to market security or are we trying to ensure it?
The truth is, that I don’t have a definitive answer to these questions. What I do know is that when most of the community is looking to vendors like McAfee and Symantec for answers it doesn’t help when one vendor calls the event a “Watershed Moment In Cybersecurity” and the other rates the risk as very low. In my personal opinion, which is supported by researching multiple responses to the event and conducting a source code analysis on the IE 0day exploit, I would personally say it’s somewhere in between, at a medium. On the one hand it is certainly not a “Watershed Moment In Cybersecurity” the details of the event that make it distinct are extremely similar to the Titan Rain incident of 2003. The only real difference between the distinct details of the two events is that Titan Rain really only targeted US government and defense contractor infrastructures, while Operation Aurora has targeted multiple industrial segments. Put simply, Operation Aurora makes for a better marketing message. On the other hand, the attack used an evolving IE 0day exploit and leveraged three pieces of malware working in concert together. The risk is not “very low”.
The bottom line is this, security events such as Operation Aurora can be detected early if not ototally prevented but the security community as a whole needs to make major changes. Vendors need to stop selling snake oil and vaporware, while security teams need to do a better job of information sharing. The only problem is that no one seems to know how to do this, so at the end of the day the problem is not the attackers, it’s the defenders and unfortunately there is no solution in sight.
Nothing gets me more excited professionally than the opportunity to go to a good conference. If nothing else, I relish the opportunity to surround myself with others who are as passionate for information security as I am. Unfortunately, while I have experienced a number of conferences in my six years as an information security professional, I have no as of yet experienced a ShmooCon. This year I decided to change that trend.
I will be spending three full days at the Marriott Wardman Park soaking in all the infosec information I can find with the other ShmooCon attendees who successfully battled for tickets. Find me for some cool swag and be sure to attend the Fire Talks, I might be speaking (I’m the first alternate).
1600: GPU vs CPU Supercomputing Security Shootout
1700: Economics Of Cybercrime
1800: Learning By Breaking: A New Project For Insecure Web Applications
18:30 Guest Stealing…the VMware Way
1100: Social Zombies II: Your Friends Need More Brains
1600 BaS04: A Dynamic Dataflow Tool For Auditing and Reversing
1000: PCI an Extistential Threat To Security As We Know It
1200: 0wn the Con
a href=”http://secanalysis.com/index.php/blog/1-blog/17-a-bit-of-perspective-on-the-acquisition-of-metasploit”>My thoughts on the Rapid7 acquisition of the Metasploit project aside, Rapid7 and HD Moore’s Metasploit team have been quick to produce an interesting integration between Rapid7′s NeXpose vulnerability scanner and the Metasploit exploitation framework. In particular, Metasploit is now capable of leveraging NeXpose’s vulnerability scanning engine to determine vulnerabilities that can be exploited via Metasploit modules. Better yet this can all be done for FREE (as in Beer) with NeXpose Community Edition, Rapid7′s recent free release of their Rapid7 Enterprise vulnerability scanning product. Granted, this capability scanning/exploitation can also be produced with a simple PERL program and the Tenable Nessus free scanning engine as well. Competitively Core Impact has long been able to import Languard, IP360, Nessus, Qualysguard and Retina scan results for automatic exploitation as well.
Personally though, when it comes to free products, I actually already prefer NeXpose Community Edition (CE) to the current version of Nessus. Although I must admit this preference is not grounded in any type of scientific comparison between the two products but rather a bit of lasting disdain for the Nessus product since Tenable closed the open-source project in 2006.? In my humble opinnion the open-source spinoff created in the gNessus project, now known as OpenVas may have kept the spirit of the Nessus project alive but failed to maintain a unified Nessus community, which seems to have resulted in less development and passion in the project itself. As for the Nessus product itself, I have found the free version a bit frustrating. Regardless, NeXpose CE is a viable alternative to any vulnerability scanning engine as long as a user doesn’t need to scan more than 24 IP addresses at a time (product limitation). Regardless, the integrated Metasploit and NeXpose capabilities tore apart the SecAnalysis vulnerability lab in no time at all…
In order to begin working with Metasploit and NeXpose within the SecAnalysis vulnerability lab I first began by reading the Metasploit user’s guide for intructions on how to use the NeXpose plugin. I realize that a lot of folks don’t like to do the upfront reading but as is normally the case, I strongly recommend it.? The Metasploit user guide NeXpose intructions can be found here.
Once I got the instruction reading out of the way I got started. I turned up a few of the virtual machines I had handy. In particular I turned on the following:
- A vulnerable Windows 2000 machine with IIS 4.0 running
- A vulnerable Windows XP machine
- A patched Windows XP machine
- A vulnerable Windows 7 machine
- A vulnerable Windows 2003 machine
- A vulnerable Windows 2008 machine
- A FreeBSD machine with FreeNas
| Hacking Made Easy Way With NeXpose and Metasploit
Looking past the hype surrounding the IE 0-day that was utilized in Operation Aurora, is it all that different from other attacks in the past? Not at all. In fact if?one were to look a little closer at what is actually delivered to the victim, it is blatantly obvious that this is an attack. From the large unescape variable that is clearly percent encoded hexidecimal values (and probably shellcode) to the padding in the form of the repeated 0c 0d. These are characteristics of exploits that the security community has been dealing with for the past four years and not of a sophisticated new threat!?In fact, existing IPS signatures were capable of triggering alerts on the attack itself. For example, ISS Proventia IPS devices would have raised at least six alarms should this IE 0-day have crossed a sensor. Why then does the security community find these attacks so frightening?
My own personal perspective is it is because the attackers showed an advanced level of sophistication beyond what most security professionals will ev er achieve in their careers. The security community today is saturated with professionals who may have never even witnessed a computer compromise, let alone truly understood one.?For the most part security professionals do not know how to hack and to a large extent do not know how to code. While they might understand the basics of a buffer overflow or SQL injection from a theoretical level, in a real world situation the average security professional would not have the slightest idea how to actually infiltrate an application or network. Thus, when security professionals are enlightened to the level of sophistication held by their opponents it is frightening. Even more so when jazzy labels like, Advanced Persistent Threat (APT) or “Operation” are applied to an incident. Terms such as these insinuate battle and make people feel threatened by something they do not truly understand and like so many other things, what people do not understand, scares them.
So while I do encourage decision makers to allocate more budget towards the products and services that will better protect them from attacks like Operation Aurora, I also encourage them to recognize the need for better understanding. Particularly, I encourage them to realize that ten people with certifications may not be worth a single person who understands the COND field of a microword, or rather someone with a deeper level of knowledge. For the rest of the security community, I would encourage them to recognize that with the saturation of what qualifies as a security professional, the endless pursuit for knowledge in this field is invaluable. If a cyberwar does truly exist, then it is not a battle of what was hacked and what was secured, but rather an intellectual competition the likes of which have not been seen since the space race. And for those frightened by the events that took place in Operation Aurora, I offer for comfort the fact that in this intellectual race, the good guys are not behind, just saturated. | An Underlying Message From Operation Aurora
Mesh is a simple but powerful browser plugin that parses websites for useful information such as E-mail addresses, phone numbers, and other information. I won?t sit here and tell you that Mesh by Paterva (same people as Maltego) is an end-all data reconnaissance tool, it?s not. However, the features of Mesh are none-the-less extremely useful.
Mesh parses sites for the following information:
- IP Address Discovery
- Netblock Discovery
- E-mail Address Discovery
- Phone Number Discovery
- Dates Discovery
While this may seem a touch remedial, consider that Mesh uses some of the same methodologies to see past obfuscation to pull information from websites as many spam crawlers do. For example, MontecilloM at SecAnalysis.com shows up without any user interaction in the E-mail list when Mesh is running. This can be very useful to anyone conducting recon or investigation work. (Especially because the information can be piped into Maltego for more in-depth searches)
Things I Like
I really enjoy the simplicity of Mesh. It is as simple as Cntrl + Shift + M and watch for results. Combing Mesh with a few Google hacking tricks for locating information can be extremely useful. Below I simply clicked Google Maps which dumped a number of basic phone numbers.
Things I dislike
To be honest I sometimes found myself wishing that I could set Mesh up to do some automatic scanning. I guess that is really Maltego?s job, however I have to note that it was something I wanted. I also found that I wanted to be able to save off particular bits and pieces of findings off to a particular category, for example if I was doing a search on ?Jon Doe? and I found a phone number, I would like to save that to a specific location so that I could also add an E-mail address if I found it underneath ?Jonathan Doe.?
As more and more information makes its way to the Internet in the form of personal information on social networks and the likes, simple yet powerful data recognition tools such as Mesh become all the more important. Philosophical thoughts aside Mesh is so simple to install and utilize you should really just go download it and try it out.
When using a tool for any type of security capability it is important to understand the capabilities and limitations of those solutions. Thus, in order to determine what Mesh was capable and incapable of, I created a very simple test page that had some different ways of writing or obfuscating Email addresses, phone numbers, and IP addresses.
Figure 1: Mesh E-mail detection results
You?ll notice that there were a number of ways that Mesh saw beyond the minor obfuscation techniques such as writing E-mail addresses in formats such as ?Address at site.com.? Mesh also uses key words such as ?Me at? or ?Correspondence at? to detect when an E-mail address might be present. However, to my surprise Mesh did not detect the E-mail address housed simply in the html code via mailto: also Mesh did not detect the E-mail address using dashes.
As you will notice the phone number detect is pretty straight forward, however Mesh did not detect the International number. Finally, Mesh did a good job of detecting IP addresses but for some reason does not detect the simple CIDR notation as a netblock. See below in Figures 2 and 3.
Figure 2: Mesh with phone number formats
Figure 3: Mesh with IP address formats
Check It Out
Check out Mesh by downloading it free at http://www.paterva.com/web4/index.php/client/mesh