Wednesday, April 16, 2014

Windows XP: Eol, What you need to know

Last week Windows XP finally reached its end of life.  The operating system was released back in 2002 and was (and still is) a favorite among many users.  So what does it mean that it is now reached the end?

Well.. If you are still using it, it will still work.   You don't have to worry about the system just shutting down and you losing all of your data.  While there has been a lot of hype over this dooms day, we haven't really seen a lot of the huge predicted issues.  I haven't seen any ATM's just spitting out cash for no reason.  Hospital medical devices have not just stopped working.  The earth is still spinning at its normal speed.

So what is the concern?   Of course it is going to be security related, on this site.  When an operating system goes end of life it means that Microsoft no longer supplies updates or patches.  Many times, these updates and patches contain critical security fixes.  In some cases Microsoft will provide extended support (for a large fee) to corporations to hold over until migration is complete.  This does not help your normal home user though.

Regarding the big concern over ATM machines or other embedded devices, it is important to understand what version of Windows XP they are running.  There may be some embedded versions of the OS that are still supported and are not effected by this.  There may be some running the End of Life version, but there are still many factors to include.  How does the device connect to the internet (or does it connect).  Does it have any input ports?  What other restrictions on access does it have.  All of these factors will raise or lower the risk to that specific device.

For the enterprises out there, running outdated software is always a concern.  There is no doubt that security vulnerabilities will be identified and exploits released for Windows XP in the future.  As updates come out for newer versions of Microsoft OS, flaws will be identified to still work in Windows XP.   With Phishing attacks being very popular, this opens your network up even more than normal.  All that money you have put into other controls could be diminished due to the OS and its lack of patches.   Some may say that they have custom software that runs on Windows XP only, but there has been plenty of time to update software for a newer OS.

There is also the question of compliance.  There appears to be lots of debate on how using Windows XP now effects PCI and HIPAA.  It is important to understand how these regulations work and what you need to do if you are still running Windows XP.

For home users, it is similar to the enterprise, except for the money spent on enterprise level controls.   Often times home users don't feel they are at much risk, but in reality, they are a great target for a hacker.  The resources of the computer (CPU, Drive Space) is very appetizing.  Attackers can use these home machines as launching pads for attacks to help cover their tracks.

Yesterday was the time to start updating to a newer OS, but if you missed that, today is the next best thing.  Start upgrading before the new vulnerabilities start flying around the internet.


James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @JardineSoftware, or visit the Secure Ideas - Professionally Evil site for services provided.

Thursday, April 10, 2014

All Your Base Are Belong to #HeartBleed - OpenSSL Heartbeat Overflow

What You Need to Know and Do About It

Unless you've been hiding under a rock, I'm sure you have heard about the overflow vulnerability in OpenSSL's heartbeat extension.  All today I watched my Twitter feed talk back and forth about this vulnerability and its impact.  In fact, as I write this post a search for "heartbleed" on Twitter has had 181 new comments in the last 8 minutes...  and this is late at night when the US population is largely in bed.  It has made a big splash, that's for certain.

So what is HeartBleed and what does it mean to organizations?  First, let's take a look at what it is.  The OpenSSL project created a heartbeat extension to create keep-alive functionality within the Transport Layer Security (TLS) implementation without needing to constantly renegotiate keys.  This is to help speed up performance.  The heartbeat has a maximum data size of 64k.  According to the advisory posted on by OpenSSL, there is a missing check which allows someone to access 64k of memory on a client or server.  So this has impact on not only our web servers, but also our client software.

A lot of the excitement comes into play when we start debating what could be contained in that bit of memory we request.  The worst case fear appears to be that someone may be able to access the private key.  Others have commented that it may be possible to collect usernames and passwords that are in memory and get picked up by an attack.  Lots of different kinds of data could be picked up because TLS is used by lots of different protocols.  Not only does it put the "S" in HTTPS connections, but it is also used to encrypt data in transit for email, chat, VPNs, SSH, etc....  TLS is all over the place.

I spent some time playing with some attack code against one of my own systems just prior to patching it and the code performed very reliably.  I didn't see anything go haywire on the server side and I was looking at data from my web site on the server.  The python script I was using performed its job quickly.  My site wasn't very busy, so there wasn't a ton exciting to see.  However, if someone were to attack a high traffic, sensitive system then this could get more interesting.  So the take away is that yes exploit code exists, it works and and could cause sensitive data to be randomly get snatched up by an attacker.  But only 64k of it and probably its not highly likely that each memory dump will relate to each other.

What do companies need to do about all this?  It's actually what you would expect.  Patch your systems and applications.  OpenSSL released the fix in version OpenSSL 1.0.1g. Updates for our major operating systems are ready to go, so apply them and verify that your systems are no longer vulnerable. I tested with a python script. The vulnerability scanners have largely all announced that they have plugins to check for the flaw. Apply the update and turn on some vulnerability scans to make sure you have complete coverage of your environment.

One area that will be harder to pin down is the client side. Finding vulnerable clients isn't as simple as performing a vulnerability scan to look for listening services that offer TLS. However, updates for the most common applications which use OpenSSL's libraries will almost certainly have updates out already or soon. Once they are out, get the updates deployed to your client systems.

Some organizations may not want to start looking at deploying these updates until they are certain that they are impacted by the flaw. So the question may get asked, "How do we test ourselves?" As I said previously, the vulnerability scanning apps out there have plugins ready to check for it. Default scans by the major vendors are generally safe to run on our networks. Get a scanning window approved and start taking inventory of your environment. Or wrap some of the scripts that have been released into a shell script and feed a range of IP addresses. With that information in hand, you'll have the evidence you need to help justify the maintenance window you need to deploy the updates.

Jason Wood is principal security consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jason@secureideas.com or visit the Secure Ideas - Professionally Evil site for services provided.

Tuesday, April 08, 2014

Auto-Updating Devices: How to Test?

Everyday we see new technology and devices in our everyday lives that are connected to the internet.  Smart TVs, scales, even a crockpot.  I personally have bought into the idea of the Nest products, thermostat and smoke detectors.   I have a Nest thermostat and two Nest Protect smoke alarms.   So far I really like them.   They were really easy to configure and set up.

Recently, the CEO announced in this letter that they were disabling the wave feature of the Nest Protect.  For those that don't know, the wave feature allows someone to turn the smoke alarm off by waving their hand.   The idea is that if there is a false alarm (something burning on the stove) you can silence it without the need to climb on a chair or wave a towel.

The interesting point made in the letter from the CEO was that if your nest was connected to the internet it would be updated to disable that feature within the next 24 hours.  Hmm..  so this begs the questions on how updates are pushed and what access does Nest have into these devices.  I don't recall getting a notice about the update, which is also concerning.

The first reaction to finding out the device was being auto updated was positive for me.  The fact that they have a way to update this device is excellent.   Many devices like smart TVs and other new ideas don't really include updates or a way to update at all.  As I started to think about it a little more I began to question how positive this is.  I think there is a grey area around the idea of manual updates and automatic updates.

So the device updated itself... what could go wrong?  It is not like we haven't ever seen an update go bad to other software (Windows, AV, etc)  What happens if the update kills the device.  For some reason, it no longer functions properly.  Especially if I didn't even know it updated, I wouldn't know to go test it to make sure everything is fine.   Maybe your TV getting "bricked" is a big deal because you can't watch your favorite show on CW, but a smoke detector...  What if that gets "bricked" and you don't even know?   That device you are depending on to warn you of a fire to save your life could now potentially not work anymore.  Fortunately, the device runs on specific hardware with very little variance, so the chances that the update would have issues if successfully tested in the lab are much smaller.  There is still a chance though.  Of course, the Nest does say to test the device weekly, so at least you would find out in a few days depending on release and your test schedule.

On the flip side, we have manual updates.   The user (us) has to go out and do the update.  The issue here is that many people don't understand the significance of the updates or just don't want to deal with the hassle.  If the update is really important, how do you ensure everyone actually does it?

I don't know what the right level of participation is, and maybe it depends on the application of the device and its importance.  For use consumers or business users, we need to start paying more attention to our devices and the update process.  In the event that an update is available, look into applying it, or the effects of not applying it.  If it auto-updates, the manufacturer should let you know it has updated the device, but you are then responsible for testing it to make sure it still appears to be functioning properly.

In the Nest's case, it has a self-test feature to verify that it is working ok.  Other systems may have a different way of testing.  Your gaming console might stop working if it is not right.  The TV may not turn on.  All signs that the update didn't go well.  As in business... know what devices you have, how they connect, and be on the lookout for updates or vulnerabilities to the device. 

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com or visit the Secure Ideas - Professionally Evil site for services provided.

Thursday, April 03, 2014

Professionally Evil Training: Tactical Burp Suite Webinar

Tactical Burp Suite Webinar

Secure Ideas is excited to announce its latest upcoming online training.  We will be offering a two-hour session exploring Burp Suite and its use in a web application penetration test.  Kevin Johnson and James Jardine will explore the various features of Burp Suite, focused on how we use the system during our penetration testing.

This webinar will use hands-on examples to reinforce the topics and tricks that James and Kevin will be showing.  Not only will we be doing the demos, but a target system will be made available to attendees so that they can do the examples along with Kevin and James.

This webinar costs $25 dollars and will be held on April 29th at 2pm Eastern.  If you would like to attend, please fill out the form at https://attendee.gototraining.com/r/2059833137436556801

Note:  If you sat the original webinar earlier this year this is the same one (no need to attend this one).  We plan to get a recording from this one so we can make that available to those from the previous session can get that as well.


James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com or visit the Secure Ideas - Professionally Evil site for services provided.

Wednesday, April 02, 2014

Oversharing: Who Has Access?

 What types of information do you copy to a shared folder?  Who has access to the share?  This can be a difficult problem within many organizations to handle these questions.  From a user perspective, a shared folder is just a means to collaborate.  We often don't think about what type of data is in the files or who has access.  As long as the recipient has access, we don't continue to think about who else has access.

From a system admin perspective, how do we completely lock down the shares so that no one can create them when needed?  We don't want to hold up progress for the employees.  But what is the big deal with a share anyway?

Often times during a penetration test we have credentials of a normal user on the system.  This is critical  during an internal assessment to determine what types of information is available to that insider threat.  You may be surprised at the information that is found, or maybe not.   I have seen social security numbers, credit card numbers, bank account info, and sometimes worse, database credentials.  You may think the personal information is worse, but many times the credentials may get you many more records.  These credentials can also lead to much more than just data compromise.  They can also lead to system compromise and pivoting around the network.

We need to start thinking about what data is stored in the files we put on a shared folder, as well as who has access.  Does everyone have a need to access that file?  Should it just be available to one person?  Limiting access helps reduce the risk posed by an insider scavenging for data.

One way you can audit the shares on your network is to run Nessus scans with different levels of credentials.  Running it as an administrator and as a regular user and then comparing the share outputs can help identify the shares that need a closer look.  Unfortunately it is a bit manual, but it is a step in the right direction.


James Jardine is a principal security consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @jardinesoftware or visit the Secure Ideas - Professionally Evil site for services provided.

Friday, March 28, 2014

Secure Coding for Developers at Kingston MakerSpace, May 5-6

I'm excited to announce that I will be returning to my hometown of Kingston, Ontario to teach a two-day, hands-on Secure Coding course at Kingston MakerSpace, May 5-6, 2014.  This course is geared towards software developers who want to learn the details of common web application attacks and what coding strategies to use to properly defend against them.

This course will cover the OWASP Top 10, testing techniques and tools, and secure coding practices.  In addition, how these web vulnerabilities apply to the Payment Card Industry Data Security Standards (PCI DSS) will be covered.

Full details and registration are available at: Kingston MakerSpace .

Jason Gillam is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jgillam@secureideas.com, on Twitter @JGillam, or visit the Secure Ideas - ProfessionallyEvil site for services provided.

Tuesday, March 25, 2014

Breaking in to Security

Some of the roles within security are all about breaking in to systems, but what about just breaking into the field?  Jobs in security are popping up all over the place and recruiters are trying desperately to help fill them.  There are many people interested in security, but without previous experience, they often want to know how to make the jump.  This is a great question for any type of job you are thinking about.  Here are a few things to consider when trying to get into the security field.

It is important to realize that there are a lot of specialties within the security field.  There are management positions, testers, auditors, policy writers, even physical security guards.  Many people may not know exactly which aspect they are interested in, but should start to think about this.  You may also find that there are some roles that are just not for you.  For example, social engineering and physical penetration tests require a high confidence level and ability to stay cool in unpredictable situations. I can assure you that this is not for everyone.

Depending on your topic of interest there are many different things you can do to help get ahead in the game.  The first step that covers everyone is to start getting involved in the security community.  I can't even count the number of security conferences "cons" that occur all throughout the world each year.  It is true what they say that a lot of a career is about who you know.  Getting out and involved is a great way to start getting to meet other people in the industry.  Many people work for companies that are looking to hire and getting out in front of them is a big benefit.

In addition to conferences to meet people face to face, participating in open source projects or creating resources the community can benefit from are also great to see.  Companies like to see individuals that are passionate about what they are doing.  Open source projects and other resource can also show off your relatable skills.

Many people ask about education.  Do I need a degree?  What certifications do I need?  In most cases, the more education and certifications you have, the more it is helpful.  This doesn't mean that you do need a large formal education as there are many industry professionals with minimal formal education. In fact there are many people on both sides of the fence that are pro certifications, or against certifications.  Desire and ability to learn new things quickly are huge traits for security professionals.  Like any other technology career, things are moving at a very fast pace and you are constantly updating your skills.  Your ability to show flexibility with the job also is something hiring managers are looking for.

Expect to accept an entry level position if you don't bring a lot of experience.   Just because you may have been a rock star in a different role, it is like entering a whole new career path.  Switching from a developer role or administrative role to a security role may not equal out (pay wise).  But it can be a foot in the door to a career that not only pays well, but can also be very enjoyable.

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @jardinesoftware on twitter, or visit the Secure Ideas - Professionally Evil site for services provided.