Saturday, December 26, 2009

Airport security, you are kidding, right?

I have not posted anything in a while because I was sometimes not inspired to write anything, sometimes too busy or sometimes just on holiday. My latest holidays were in Spain, and while going through airport security here at Charleroi Airport (a.k.a. Brussels South) I set off the metal detector alarm. I was absolutely sure that I had removed all of the non-permitted objects and had no clue what set off the alarm.

The classic procedure then started ... please step through, Sir. The security staff member asked me if I had anything on me that could have triggered the alarm. I replied no and then I assumed the position for a check. The guy did it reasonably correctly but he forgot to check the lower part of the abdomen. I know most people would not be comfortable with this.

Since the procedure gave no result, a hand detector was the next step. Funny, because the only thing it found was the metal parts that every pair of jeans has, so by that logic everybody wearing jeans would have triggered the alarm. This was not the case, so in my mind that was not what triggered it, but I was cleared and off to catch my flight.

On my flight home I was dressed exactly the same way, but I made sure that my clothes had absolutely no metal parts. You guessed it ... I triggered the alarm again :). Yes, I was very happy because I was consistent.

The guy started his search, he didn't find anything, so I had to put each foot in some kind of sniffer machine (too bad I forgot to look at the brand). When I got cleared it suddenly became clear to me that the only thing I had on me that was made of metal was the frame of my glasses.

If I was really up to no good I would not have made such a 'mistake', but it is clear to me that those security people have no procedure in place for the cases that don't fit the procedure, and personally I think that is scary.

Thursday, October 22, 2009

Belgian national infrastructure client

The last couple of days I was on site at a customer that is one of the big players in the Belgian national infrastructure. I am just there to help roll out some systems, not as a DBA or a security guy, but ... I had my little fun.

The first thing I noticed when I got in was that with just a name drop and telling him that I am an IT guy, the friendly guy at the front desk opened the doors. No call to verify my story; I just walked onto the site to the other buildings. Always be polite and ask for directions smiling :).

Then I got to the building of the IT department and the first thing I noticed was all the printouts on the walls, one of them a procedure with a password on it ... sweeeet.

Later that day I got an email with my login credentials. Yes my dear reader, plain text passwords emailed over the DHCP network. I asked my new colleagues if I was the only one thinking that it shouldn't be that way, but apparently they did not understand the problem.

Now I have access badges and can come in through the employee entrance. At the entry point there is a security guard to open the gate for the cars and verify the people walking in. The only problem is, the guy is about 6 meters from you when you show your badge. The badge is a classic (white) RFID card with the company logo and your name printed on it. Just out of curiosity I showed the guy a membership card for something else that is red and blue and got in smiling.

But the customer is security-aware ... they are doing an audit of their email system at the moment, they have firewalls, anti-virus and VPNs.

Sunday, September 27, 2009

Python workshop at HSB

Yesterday I went to a Python workshop organized at the hackerspace Brussels. We gathered at the void*pointer around 14:00. fs111 gave us a very nice introduction to Python.

There were programmers and people who had not programmed in ages, but it was ok. You could ask any question you had and there were some exercises, classics like the number guessing game, to get you up and programming.

We have a homework assignment: writing a very simple port scanner :). Have a look at the hackerspace website if you want to join for the follow-up.

My conclusion is simple: Python is a very powerful language, easy to learn (that is the credit of the instructor) and it is worth sitting down an afternoon to learn it. It will certainly become a weapon of choice to handle some of my day-to-day admin problems.

Monday, August 31, 2009

Getting to know your target: find a job

Introduction
There are 2 ways of gathering information: you can go for passive reconnaissance or active reconnaissance. Recon can be done online, but there is no reason it can't be done offline.

During passive recon you go after the information that is already out there. It is either out there intentionally or leaked. You do not engage in any contact with the other party. You try to discover information about the organization, the employees, the third parties, the systems, naming conventions, ... anything you can lay your hands on.

The active form of information gathering is the part where you engage in a limited form of contact. Nothing intrusive, but just enough to get a better view of the other party.

I don't know who you are or whether the knowledge in this article can get you in trouble with the law, but I suggest you only try these techniques on your own infrastructure or one for which you have the necessary (written) permission.

The idea behind this article is to get feedback, so give me your side of the story. If you think I am wrong, tell me, and if you agree or want to add something, let me know too.

Relations
Organizations do not exist on their own. In the real world you have suppliers, customers, users, ... you get the idea. One of the ways to reveal this is simply to visit the website of your target and look for company info.

For an example I went to the website of one of the large ISPs in Belgium and found this out:
- The members of the different boards: names and functions
- They have a subsidiary that is a hosting company
- Locations of the different company sites
- Their logos and what they are used for
- Customer service and communication department info
- Phone numbers
- The use of webeventservices.com for communication
- The email address of the VP Corporate Counsel is firstname.lastname@staff.companyname.be
- The list of the different analysts at all major financial institutions that follow the company and, conveniently, their email addresses
- Subdomains
- Department names
- Jobs, and these contain information about the systems they use

They use:
Cognos (7, Series 8, PowerPlay, BCM), BO, SPSS, SAS, MS Outlook, MS Office, Salesforce.com (CRM), IBM Ascential DataStage, Oracle databases, Java, J2EE, MS SharePoint 2007, Windows 2000 Server & Advanced Server, Windows 2000 Professional, Windows 2003 Server, Windows Vista, VMware, Juniper & Alcatel backbone routers, Linux, Solaris, AIX, DNS, DHCP, POP3, SMTP, HTTP, LDAP, IBM & Sun application servers (Java), ...

This information was gathered just by looking around on their website, but the next step I use is to look on job sites to see if I can find anything about that company. For this example I used one of the most popular job sites in Belgium, called vacature.com, and it returned 12 job openings. On another job site, called monster.be, I found other information, like which temp agencies they use.

To manage all the information I gather I use mind-mapping software. Since I like open source I looked for a good open source one, and personally I like Freemind.
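As an added example (not code from the original post), here is how the "look at the job ads" step above can be scripted and its result dumped straight into a Freemind map, so the passive-recon findings land in the mind-mapping tool without retyping. The job-ad texts are constructed for the example, the keyword list is a hand-maintained assumption, and the .mm structure (a `<map>` root with nested `<node TEXT="...">` elements) is what Freemind files look like, with the version attribute being an assumption. Run the same pass over your own organisation's postings to see which systems they leak before an outsider does.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample job postings for this example (not real ads).
JOB_ADS = {
    "BI analyst": "Experience with Cognos 8 and SPSS; reporting on Oracle databases. MS Office needed.",
    "System engineer": "You manage Windows 2003 Server and Linux hosts, DNS and DHCP, and VMware farms.",
    "Java developer": "J2EE on IBM application servers, Oracle databases, LDAP integration.",
}

# Hand-maintained vocabulary of product names to look for (assumption: extend as needed).
TECH_TERMS = [
    "Cognos", "SPSS", "SAS", "MS Office", "Oracle", "J2EE", "Windows 2003 Server",
    "Linux", "DNS", "DHCP", "VMware", "LDAP", "IBM",
]


def find_technologies(text, terms=TECH_TERMS):
    """Return the terms that occur in `text` as whole words (case-insensitive).

    Whole-word matching matters: 'SAS' must not fire on 'sassy', 'IBM' not on 'ibmx'."""
    found = []
    for term in terms:
        pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
        if re.search(pattern, text, flags=re.IGNORECASE):
            found.append(term)
    return found


def inventory(ads):
    """Map each technology to the job titles whose ad mentions it."""
    inv = {}
    for title, text in ads.items():
        for tech in find_technologies(text):
            inv.setdefault(tech, []).append(title)
    return inv


def to_freemind(root_label, inv):
    """Serialise the inventory as a Freemind .mm document: one branch per
    technology, one leaf per job ad that leaked it."""
    mm = ET.Element("map", version="0.9.0")  # version attribute is an assumption
    root = ET.SubElement(mm, "node", TEXT=root_label)
    for tech in sorted(inv):
        tech_node = ET.SubElement(root, "node", TEXT=tech)
        for title in sorted(set(inv[tech])):
            ET.SubElement(tech_node, "node", TEXT="job: " + title)
    return ET.tostring(mm, encoding="unicode")


if __name__ == "__main__":
    print(to_freemind("target.example", inventory(JOB_ADS)))
```

Save the printed XML as `something.mm` and open it in Freemind; each technology becomes a branch you can then hang the website findings, phone numbers and contacts off.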

The next post will be about BiLE from SensePost, a nice tool suite to get more info about relations between websites.

Monday, August 17, 2009

HAR2009

I've been to HAR2009 and it was the first security conference I've ever been to. It was great, it was on a camping site and there were 2000 tickets sold. I met a lot of interesting people and went to quite some cool presentations. Not all topics were technical infosec topics, but that was okay. The next conference will be BruCON and I'm looking forward to it.

If you're in the neighbourhood of Brussels and want to meet nice people at a hackerspace, make sure to drop by the Hackerspace Brussels (HSB). For those who don't know what a hackerspace is, just come. The people you'll meet are not the ones who'll break into your bank.

Sunday, May 10, 2009

My struggle with VMware Server

Like so many of my fellow IT colleagues I run VMware Server on my laptop to do tests. I had my laptop reinstalled from scratch by our internal IT a couple of days ago, and when I installed the latest VMware Server (2.0.1) it worked fine and then suddenly I got this.

The first thing I got was this error message:
Failed to Connect
The connection was refused when attempting to contact :8333.
Though the site seems valid, the browser was unable to establish a connection.
* Could the site be temporarily unavailable? Try again later.
* Are you unable to browse other sites? Check the computer's network connection.
* Is your computer or network protected by a firewall or proxy? Incorrect settings
can interfere with Web browsing.

When I had a look at the services I noticed that the VMware Host Agent service was down. I tried to start it but no luck, it stayed down. The Windows System Event log mentioned "The VMware Host Agent service terminated with service-specific error 4294967295 (0xFFFFFFFF)." I googled it and found in the VMware communities that my datastores.xml file was corrupted.

The way to repair this is to go to "C:\Documents and Settings\All Users\Application Data\VMware\VMware Server\hostd", rename the old datastores.xml, make a copy of datastores.xml.default and rename that copy to datastores.xml. I started the service and it started without any problem.

But I was still not at the end of the tunnel. The error message in my browser was still the same. The next thing I tried was to replace the computer name with localhost. I got a message telling me the SSL certificate was not installed. So I installed it and it loaded the login interface :).

The situation now is that I can open it through localhost but not via the computer name nor through the IP address. Interestingly enough, I tried the loopback IP address 127.0.0.1 and got the message again that the certificate was not installed. I added my hostname to the hosts file with no success. So I wonder how the name resolution is done; I thought the first place where Windows looks to resolve a name is the hosts file. I talked to a VMware specialist at my job and although he is only familiar with ESX he thinks I should look at the Tomcat implementation. If anybody has a clue about this, please contact me.

On my Linux box at home I run the same VMware Server and there I did not have the same problem, since I made the shortcut in my browser myself and pointed it to localhost :). I guess there are just some bugs in it.

Tuesday, May 5, 2009

Quick format or regular format?

Yesterday I worked side by side with a colleague specialized in storage (SAN), and when he presented the disks to the Windows operating system I mounted the drives and told Windows to start formatting.

After a while my colleague asked me how far the formatting was and when I said X %, he told me I should have chosen quick format to be quicker. Always willing to learn something, I asked him what the actual difference is. He said that when you do a quick format, you don't actually do a format; the formatting will be done when you need the space. Quick format only defines the beginning and the end of the partition, whereas the full format does a real format and goes through every sector on the partition. By doing this you gain I/O performance, my storage specialist said. This is interesting since one of the classic bottlenecks is disk I/O.

So, OK, it takes time to format 300GB, but if I gain some I/O performance, and in the best case I can do it at night while sleeping, I think it is worth considering.

Thursday, April 23, 2009

Big Brother

Ok, it has happened. I thought I lived in a democracy and now the Belgian State has given the ISPs the order to block a certain website. I don't care about the content of that website. I know people can have their own opinion about it, but the fact that my government limits my freedom on the internet looks to me like the so-called democracy is evolving into a totalitarian system. What will be next? Blocking Google because you can find "bad" things on the internet as well, or editing Wikipedia because there are some dark pages in the history of Belgium?

Thursday, April 16, 2009

Conficker

This website is very nice. The information about Conficker is research from the University of Bonn.

Wednesday, April 8, 2009

The Dude

The Dude is a nice little tool from MikroTik that I love to use if I need to see what boxes are on a subnet and I want to see it graphically. It is nothing spectacular and I know there are other tools out there, but I simply like it.

According to MikroTik you can run it under Wine, but I tried a couple of times following their instructions and it failed each time.

Wednesday, April 1, 2009

Common Weakness Enumeration

At MITRE you can find these nice definitions of common weaknesses in software. I think this is handy if you are trying to do risk management.

Tuesday, March 24, 2009

The great cryptographic demolition derby

Tonight ISSA-BE was hosting a talk by Bruce Schneier.

The talk was in two parts. The first part was about cryptography and actually about a thing called the great cryptographic demolition derby. NIST organised a first crypto contest and the winner was AES. Bruce was a participant with the Blowfish algorithm.

Currently there is another contest for hash algorithms to replace SHA-2. At the start there were 64 algorithms and this summer 16 will go through to the next round. Next year the top 5 will be announced and in 2011 the winner will be announced and be called SHA-3.

The big advantage of such contests is that the top minds in the industry participate and everybody in the world can enter and try to crack algorithms.

One thing that I thought was interesting is that according to Bruce most cryptographic research happens in Europe and in some Asian countries. He thinks the reason the US is not so overwhelmingly represented is that funding in the US depends on the DoD and the National Science Foundation, and they are not so happy about us making things the government is not able to read.

The second part of the talk was about security in general. Security is a trade-off. The trade-off is not always about money. It can be time, ease of use, ...

A very clear example to illustrate this was the bulletproof vest. They are very efficient at stopping bullets and there are many bullets in this world, but nobody at the talk wore a bulletproof vest. Why? Simply because the risk of being shot at the talk was acceptable to those who attended it.

Security is always a trade-off between benefits and costs, and that is the only economic perspective according to Schneier. To illustrate this he gave the example of the way we pick a restaurant. If you are in a town and don't know any good restaurant you pick one based on unclear, biased criteria that make sense to you. The same goes for security: we make decisions based on what we know, but actually there is no way for us to prove that the decision is correct.

All we want is adequate security at a reasonable cost. It seems that somewhere in security the trade-off is more difficult than in real life (see the restaurant example).

There is a theoretical 'right' answer to the question "what is adequate security and a reasonable cost?", but things like cultural differences, the regulatory environment and the amount of data we have about the risk influence the right answer, and so it will be different each time.

Bruce also talked about the mandatory breach disclosure law in some US states. I think it would be a good idea to have this all over the world. At least we would know what happens. I am aware of the fact that this could do serious image damage to a company, but coming clean is to me the first step in repairing the damage the company caused. I asked if there is a list on which we could check which companies suffered from which attacks, but Bruce wasn't aware of an existing list.

Another point that came up was the European data protection act. One of the illusions we have is that we own our private data, but if you actually think about it your data is owned by your government and companies. In Europe we have some protection thanks to this act, but in most places on this planet this is not the case.

The reason why we have e-crime is simply because there is money to be made. Actually it is simple: if you can make a profitable business model for something, people will do it. The same idea goes for e-crime, and so it is clear that we haven't seen the end of it. One thing is very clear: there is no specific law that can protect you, since the Internet has no national boundaries and laws are bound to territorial boundaries.

Sunday, March 22, 2009

!exploitable

Microsoft has announced at CanSecWest the release of !exploitable (pronounced "bang exploitable"). This tool is still in beta phase but an RC is publicly available. !exploitable is an extension for WinDbg, the well known Windows debugger.

Monday, March 16, 2009

Foxit Reader & JBIG2

I made a post a while ago about Didier Stevens, who found vulnerabilities in Adobe PDF. But not only Adobe made mistakes. In the SANS NewsBites newsletter there is an article saying that the popular alternative Foxit Reader has vulnerabilities in its JBIG2 handling. (JBIG2 is an image compression standard.)

I am not a programmer, but I know from the little programming experience I have from school that all code has bugs and the main goal of a programmer is to make things work. Therefore it is important that professional programmers get educated about common problems and mistakes. Once the code is written I think it has to go through a peer review system. I know there are things called deadlines, but still, QA of code is not something that can be skipped, because the impact (Foxit has a user base of 50 million users) can be enormous.

Even if you are somebody who likes to write code on your own, make sure you have some kind of QA and practice secure programming.

Thursday, March 12, 2009

Nice website

Today I want to share http://www.ss64.com/nt/ with you. It is a simple website: you have a list of commands, next to each is written what it does, and if you click on the command you get more details about the syntax.

Wednesday, March 11, 2009

Bastille

I was just configuring a box and used Bastille Linux (a project from Jay Beale) for the first time, and I have to say it is a nice tool. It helps you configure a Linux box in a safe and easy way. It asks you a bunch of questions and explains the impact of the choices.

Some people might think their box is 100% secure after running this, but that isn't the case. You still have to do some additional steps (use hardening guides to help you), but it is a nice and simple start :).

Keeping documentation

Yesterday I was talking with Christophe and he saw that I have a wiki on my system just to keep track of all the info I gather about almost any subject. For those interested, it is a simple WampServer and a simple MediaWiki. WampServer has this cool feature that gives me the option to set the access, and I restricted it to localhost.

Another tool I use was pointed out to me by the main programmer of PhpCompta. He showed me that there are wikis that are file based, and I personally use Wiki on a Stick to document my own systems at home. I keep track of what is installed, how I installed it, configuration, etc. Most people think this might be overhead, but it is a way for me to keep track of things because sometimes my memory gets corrupted ;-)

Thursday, March 5, 2009

Didier Stevens did it again

Didier Stevens did it again :). He found some nice vulnerabilities related to PDF documents. To make things clear he created a nice video to demonstrate his findings.
http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/

L0phtcrack is back

Howdy,

Going through my RSS feeds I got some great news. L0phtCrack, the world famous Windows password auditing tool, will be back.

On l0phtcrack.com there is an announcement that version 6 will be released at the SOURCE conference in Boston.

Wednesday, February 25, 2009

How long do I need to keep logs?

Today I talked to a guy at an ISP where I do the SQL maintenance and I asked him what they keep in their logs about what people do with their services (telephony and Internet access for companies and private persons).

For the telephony part, the law in Belgium asks them to keep which number called which number, and by matching this with the contracts of the customers of the telephony providers, law enforcement can trace your calls. I asked him if this is still the case if you use something like Skype Out, and according to him there is no way for the telephony provider to trace this; the cops have to have an agreement with Skype (who are based in Luxembourg).

For the internet behaviour he told me that they just keep the IP address leases for the dynamic IP customers and they don't care which websites you go to or what chatrooms you frequent. The only thing the law requires them to do is to give the name and address of who had that IP at that particular point in time.
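The one question such a lease log has to answer is "who had this IP at this exact moment?", and the place it goes wrong is the lease boundary. As an added example (not from the original post or the ISP), here is a point-in-time lookup over a constructed lease log; the log format, the TEST-NET addresses and the customer ids are assumptions. A lease is treated as the half-open interval [start, end), so a timestamp that falls exactly on a hand-over resolves to the new holder, and overlapping leases for one address make the lookup refuse to answer rather than name somebody at random.

```python
from datetime import datetime

# Constructed lease log (not real ISP data). One lease per line, assumed format:
#   <start ISO-8601> <end ISO-8601 or '-' if still active> <ip> <customer id>
# All timestamps are assumed to be in the same timezone as the query; mixing
# zones is the classic way to name the wrong customer, so normalise first.
LEASE_LOG = """\
# start               end                 ip           customer
2009-02-20T08:00:00 2009-02-20T20:00:00 203.0.113.5 C1001
2009-02-20T20:00:00 2009-02-21T08:00:00 203.0.113.5 C2002
2009-02-21T08:00:00 -                   203.0.113.5 C3003
2009-02-20T09:30:00 2009-02-20T11:30:00 203.0.113.6 C4004
"""


def parse_leases(text):
    """Parse the lease log into dicts with datetime start/end (end None = still open)."""
    leases = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        start, end, ip, customer = line.split()
        leases.append({
            "start": datetime.fromisoformat(start),
            "end": None if end == "-" else datetime.fromisoformat(end),
            "ip": ip,
            "customer": customer,
        })
    return leases


def holder_at(leases, ip, when):
    """Customer that held `ip` at instant `when` (ISO string or datetime), or None.

    A lease covers the half-open interval [start, end): at the exact second a
    lease ends the address already belongs to the next holder, so a request
    stamped on the boundary resolves to the new customer, not the old one."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    hits = [
        lease for lease in leases
        if lease["ip"] == ip
        and lease["start"] <= when
        and (lease["end"] is None or when < lease["end"])
    ]
    if len(hits) > 1:
        # Two customers on one address at one instant means the log is broken.
        raise ValueError(f"overlapping leases for {ip} at {when.isoformat()}")
    return hits[0]["customer"] if hits else None


if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    print(holder_at(leases, "203.0.113.5", "2009-02-20T20:00:00"))  # C2002
```

The same half-open convention should be used when you keep your own router logs (see below): if your DHCP server and your firewall disagree on which side of the boundary a second belongs to, the two logs will name different devices for the same packet.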

I asked him what the most common reason for requesting a user's identity is and he said that it is usually a case of copyright violation.

He wasn't aware of the Tor network, and when I explained to him how it works he said that it becomes a very difficult task for the cops to trace your particular visit to a website back to you.

One particularity he told me is that the public (companies and private persons) are responsible for keeping their own router logs and should be able to show them to law enforcement in case of an investigation. For how long you have to keep them if you're not an ISP, he couldn't tell me.

If anybody can tell me more about this subject please post a reaction. I think that it is important for the public to know this.

Monday, February 23, 2009

Fosdem 2009

Hello,

A couple of weekends ago I went to FOSDEM 2009. This is my report of the talks I went to. I chose to go to the security track and to the MySQL developer room.

The first talk I went to was OWASP Testing Guide v3, given by Matteo Meucci. The OWASP Testing Guide is basically a must-read for everybody these days. Back in the good old days when the internet used to be static it was easy to make a website; then things suddenly got more complicated, adding nice features that have led up to Web 2.0. As most of us know, everything has a price. The more "layers" of complexity websites get, the more layers you will have to look into to secure them. The OWASP Testing Guide v3 does this. It is a nice example of structured knowledge about what there is to know about making a secure web app.

The other security talk I went to was Fusil by Victor Stinner. I just know what a fuzzer is but never played with one, and I learned a lot from it :). I asked Victor why he coded Fusil since he clearly states that there are other fuzzers out there. He answered by telling me he is a hacker and wanted to write a fuzzer. You just got to love such an answer :)

The rest of the day I sat in the MySQL dev room. I am not a developer myself (although I write my own code occasionally when I need something). It was very interesting. The first talk I went to was about MySQL clustering. Geert Vanderkelen introduced us to the basics of database clustering and I learned a lot. The following MySQL talk wasn't actually a talk. It was Kaj Arnö, who asked us what we liked, disliked and how we would like things to be. It is nice to know that MySQL is still listening to its non-commercial user base.

I've seen some strange partitioning at customers in Microsoft SQL and was curious about Giuseppe Maxia's talk. He gave the best explanation of partitioning there is, and I will use his example to explain the advantage to those customers who need it and those who implemented it in that 'not so efficient' manner. He showed us the map of Brussels and tore it apart, showing us visually that it is far more efficient to find something on only a part of the map than on the big map. He got an applause for this.

The last talk I went to was about database sharding. I had never heard the word before; it was Jurriaan Persyn who gave that presentation. It is still not clear to me how it works, but it seems to me that it is not the easiest thing to accomplish. There were some guys in the room who were asking a lot of questions, and their questions were not actually about sharding but about availability issues, and at a certain point it became annoying that Jurriaan wasn't talking about his subject anymore.

It was a long but very interesting day. I look forward to doing stuff with all the new knowledge I gained and was happy to meet so many interesting people.

Thursday, February 5, 2009

hackerscenter.com

Howdy readers,

I found this nice website http://www.hackerscenter.com .

Security Media

Everybody knows YouTube. The other day I stumbled upon SecurityTube, a site with currently more than 165 videos about security and related items. Yes, I like video as a format. I enjoy reading, but if a video is made as it should be you can learn a lot. I learned quite a lot from Irongeek's website too. And of course on YouTube you can find some interesting stuff. If you like to watch a nice tech show, check out Hak5.

I like to listen to podcasts as well, one of my favorite security podcasts is PaulDotCom.

If you have interesting websites, podcasts, RSS feeds, ... share them with me :)

Monday, February 2, 2009

Securing a LAMP Server ... follow up

Recently I've been working on a LAMP server. I learned a lot and got an interesting pointer from Christophe Vandeplas. The Center for Internet Security has a collection of nice scoring tools/benchmarks to verify whether a system is correctly implemented.

I recommend this exercise to everybody. Set up VMware Server on a machine (or use VirtualBox if you like open source), set a box up and do the homework :).

Next Wednesday I'll be joining our Belgian OWASP chapter. On the agenda:
  • Best Practices Guide Web Application Firewalls
  • Research on Belgian bank trojan attacks
I hope to meet you there. If you can't be there I'll make a post with my impressions.

Wednesday, January 28, 2009

No backup and the database in suspect mode

This week I got a call to help out with a database in suspect mode. I tried the usual MS SQL arsenal of tricks to get the customer's CRM database back. After more than 20 hours of repair commands (including a night of sleep) I had to give the customer a negative answer.

In the afternoon I had another call asking if we could try to extract the data and dump it into another database or flat file. I had no clue how we could do this since everything in the last 20 hours had failed. My colleague Gert Lievens found a technique on the Internet that we had never tried before, but it worked :). We got everything back except for a primary key on 1 table and 1 index on that same table.

This is how it works:
First you change the database from suspect mode to emergency mode. Next you make sure you're the only one using it by forcing it into single-user mode (with no wait, of course). Then you make a DTS package in which you use the copy database component. We configured the package to work in small steps (tables, views, functions, ...) and finally found that the error was on the primary key and index of that table. So we told the DTS package to make a copy of that specific table but leave the primary key and indexes out. At the end of the day we had an identical copy of the database and a happy customer.

There are some lessons to be learned here:
1. Make sure your backups are ok if you manage a database.
2. There is another technique to get data back that I learned about.

Tuesday, January 20, 2009

Enter at own risk (follow up story)

In November 2008 I had a bad restaurant experience (http://erikvanderhasselt.blogspot.com/2008/11/enter-at-own-risk-dont-go-eat-there.html) and filed a complaint with our federal agency for food safety.

I got an e-mail today from the agency telling me that their inquiry has finished and that my complaint was grounded and the necessary measures will be taken. What that means isn't in the text, but I am happy with the result.

Wednesday, January 7, 2009

Undelete Plus : data recovery tool

We all know that situation: you get a call from a friend to tell you the data on his USB stick or hard disk is gone. I have some recovery software, but recently Christophe Vandeplas told me about Undelete Plus.

It is a free little tool. I've played around with it and I hope it will help me when I get that call again.

Securing a LAMP server ... intro

I've been given the opportunity to secure a LAMP server. I've never done this before but there is a first time for everything.

This is the layout of the system:
First of course there is OS hardening. I mention it since I've noticed that it isn't done by everyone. It is an Ubuntu server and Google was my friend :). There is tons of info out there.

All ports except port 80 will be closed towards the Internet and port 80 will be connected to the web server by using NAT. On the web server the only ports open are HTTPS and SSH.

The server has a firewall and 3 rules:
1. Close every port
2. Allow the HTTPS traffic from the internal network and the Internet
3. Allow SSH traffic from the internal network and the Internet.

I am not happy with the last one; I will change it so that only the admin has access from his laptop, but right now it is not my primary concern.
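As an added example (not the configuration from the original post), here are the three rules above modelled as a first-match rule set, next to the hardened variant the post announces, with SSH restricted to the admin's laptop. The model can be asked "who can reach port 22?" before anything touches the real box, and it renders to iptables commands as plain strings; the 192.168.1.0/24 LAN, the 192.168.1.50 laptop and the test addresses are assumptions.

```python
import ipaddress

# Constructed addresses for the example (assumptions, not from the original post).
ADMIN_LAPTOP = "192.168.1.50/32"   # the admin's laptop on the internal LAN
ANYWHERE = "0.0.0.0/0"


def rule(src, port, action):
    """One INPUT rule: traffic from `src` to TCP `port` (None = any port) is allowed or dropped."""
    return {"src": ipaddress.ip_network(src), "port": port, "action": action}


# The three rules from the post: HTTPS and SSH from anywhere, everything else closed.
# First match wins, so the catch-all drop goes last.
AS_POSTED = [
    rule(ANYWHERE, 443, "allow"),
    rule(ANYWHERE, 22, "allow"),
    rule(ANYWHERE, None, "drop"),
]

# The change the post announces: SSH only from the admin's laptop.
HARDENED = [
    rule(ANYWHERE, 443, "allow"),
    rule(ADMIN_LAPTOP, 22, "allow"),
    rule(ANYWHERE, None, "drop"),
]


def evaluate(ruleset, src_ip, dst_port):
    """Decide what happens to a new TCP connection from src_ip to dst_port."""
    src = ipaddress.ip_address(src_ip)
    for r in ruleset:
        if src in r["src"] and (r["port"] is None or r["port"] == dst_port):
            return r["action"]
    return "drop"  # default deny even if someone forgets the catch-all


def exposure(ruleset, dst_port):
    """Source networks that may reach dst_port: the audit question
    'who can talk to my SSH?' answered from the rule set itself."""
    return [
        str(r["src"]) for r in ruleset
        if r["action"] == "allow" and (r["port"] is None or r["port"] == dst_port)
    ]


def to_iptables(ruleset):
    """Render the model as iptables commands (returned as strings, never executed here)."""
    cmds = [
        "iptables -F INPUT",
        "iptables -P INPUT DROP",  # rule 1 of the post: close every port
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in ruleset:
        if r["port"] is None:
            continue  # the catch-all is already the DROP policy above
        target = "ACCEPT" if r["action"] == "allow" else "DROP"
        cmds.append(f"iptables -A INPUT -s {r['src']} -p tcp --dport {r['port']} -j {target}")
    return cmds


if __name__ == "__main__":
    print("SSH reachable from:", exposure(AS_POSTED, 22), "->", exposure(HARDENED, 22))
    print("\n".join(to_iptables(HARDENED)))
```

The rendered commands keep established connections and loopback open, which the three-line policy in the post leaves implicit; without the ESTABLISHED,RELATED rule a DROP policy on INPUT also kills the replies to the server's own outgoing connections.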

In my next post about securing the LAMP server, I'll be talking about the Apache web server. Meanwhile, if you have any suggestions or questions, just leave me a comment.