
I was only able to attend on Saturday. My first talk of the day was “Social Engineering Basics and Beyond” given by Valerie Thomas @hacktress09. Valerie is a penetration tester: she audits companies’ security policies and is paid to hack them. The focus of the talk was on what can be the weakest link in your organization, people. You can have the best firewalls, anti-virus, and advanced persistent threat detection, but all of that can be overcome by an unaware staff member or an inattentive help desk team member. Since everyone broadcasts their entire lives and routines on Twitter, Facebook, and 4Square, it is not hard to figure out who works for a company and who their co-workers are. Once you have that information it is a quick hop to Google to figure out the organization’s email format, username format and other key details. With that information in hand, the attacker makes a carefully crafted call to the help desk and requests a password reset, or gathers whatever else they need to launch their attack. The bottom line is: train your people, make sure they verify security information, and make sure they know who they are on the phone with. The person on the other end of the line may be trying to steal your information.
After a quick lunch I decided to visit the lock pick village. The challenges were to pick some simple locks as well as to learn how to impression a lock and cut a key. I have previous experience with lock picking, so picking was easy. As a side note, the Kwikset lock on your front door can be picked by an experienced picker in less than 2 minutes. Impressioning a key, however, is very difficult. After about 20 minutes I was able to impression and open a one-pin lock. Most locks have 5 pins, so you can see why it is so hard. The good part is that a lock impression can be done in stages, so if you have to abort your attempt you can always come back and finish later. Also, once you have the key you always have it and can get in and out quickly.
The afternoon was punctuated by shorter talks. I attended three others. The first was a talk given by a group of students regarding the CVE-2012-4681 Java remote exploit. The presentation was interesting in that the standard security most people would have on their machines was easily bypassed. The various freeware programs such as OSSEC also did not detect the exploit. It looks like the file integrity monitoring (FIM) portion of OSSEC wasn’t used, but in this case it would have picked up the changes. They also caught a special privileges escalation to a user account in the system logs, which a properly configured log management tool would have alerted on and which warranted further investigation. The write-up is available here: https://cyberoperations.wordpress.com/student-research/cve-2012-4681-by-o-oigiagbe-r-patterson/.
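The two detection points the students identified, file changes a FIM would have flagged and a privilege-escalation event sitting unread in the system log, are easy to illustrate. The following is an added example written for this post, not code from the student write-up or from OSSEC: it computes a SHA-256 baseline of a monitored file tree, diffs a later snapshot against it, and scans a handful of log lines for privilege grants to accounts that are not expected to receive them. The file tree, the log lines, and the “Special privileges assigned to new logon” wording are all constructed for the example; a real deployment would read the tree from disk and feed it live logs.

```python
import hashlib
import re

# Constructed sample "filesystem" (path -> contents) standing in for the
# monitored tree. A real FIM walks the disk; here the data is inline so the
# example runs offline.
BASELINE_FILES = {
    "/usr/lib/jvm/lib/rt.jar": b"original java runtime classes",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/home/user/.bashrc": b"export PATH=$PATH:/usr/local/bin\n",
}

# The same tree after a hypothetical compromise: /etc/passwd modified,
# a file dropped in /tmp, and .bashrc removed. Constructed for the example.
CURRENT_FILES = {
    "/usr/lib/jvm/lib/rt.jar": b"original java runtime classes",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nextra:x:0:0::/:/bin/sh\n",
    "/tmp/.dropped.class": b"unexpected bytecode",
}


def snapshot(files):
    """Return {path: sha256 hex digest} for every file in the tree."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_snapshots(baseline, current):
    """Classify every difference between two snapshots, as a FIM report would."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


# Constructed syslog-style lines. Line 3 is the kind of event the students
# found: special privileges granted to an ordinary user account.
SAMPLE_LOG = """\
Nov 03 10:12:01 host security: Special privileges assigned to new logon. Account: SYSTEM
Nov 03 10:12:05 host security: Logon succeeded. Account: jsmith
Nov 03 10:12:09 host security: Special privileges assigned to new logon. Account: jsmith
Nov 03 10:13:44 host security: Special privileges assigned to new logon. Account: Administrator
""".splitlines()

PRIV_EVENT = re.compile(r"Special privileges assigned to new logon\. Account: (\S+)")


def scan_privilege_events(lines, expected_admins=("SYSTEM", "Administrator")):
    """Return (line_number, account) for privilege grants to unexpected accounts.

    expected_admins is an assumed allow-list; in practice it comes from the
    organization's own inventory of service and administrative accounts.
    """
    alerts = []
    for number, line in enumerate(lines, 1):
        match = PRIV_EVENT.search(line)
        if match and match.group(1) not in expected_admins:
            alerts.append((number, match.group(1)))
    return alerts


if __name__ == "__main__":
    changes = diff_snapshots(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    for kind, paths in changes.items():
        for path in paths:
            print(f"FIM {kind}: {path}")
    for number, account in scan_privilege_events(SAMPLE_LOG):
        print(f"ALERT line {number}: special privileges granted to {account}")
```

The FIM half only reports; the value comes from running the baseline before the incident and alerting on the diff, which is exactly the piece the students’ OSSEC install had not been configured to do. The log half is deliberately an allow-list check rather than a signature: the event itself is routine for SYSTEM and administrators, and it is the unexpected account, not the event type, that warrants the investigation the post describes.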
The second talk I attended was on exploiting Android operating systems. In this case the attack victim would be on a “rooted” Android phone on which ADB was left on (the default). The attacker could attach his phone or Nexus 7 tablet to the device and within a few minutes steal critical data from the victim’s phone or tablet. Included in this critical data was the Google authentication token. The token, which can be pasted directly into a web browser, allows access to the victim’s entire user account, bypassing any Google-supplied security enhancements including two-factor authentication. The speaker even gave everyone in the class a cable to perform the attack with. Bottom line: if you root your phone, turn ADB off!
The last talk I attended was on Pentoo http://www.pentoo.ch/, the Gentoo-based penetration testing live CD. It is an alternative to BackTrack. The developer of the tool was very passionate about it and presented several advantages. The first was a hardened kernel, pointing out how laughably easy it is to hack BackTrack when it’s running, a real problem at cons like Defcon. He also pointed out the advantage of having a good stable of Wi-Fi drivers as well as a built-in update system and the ability to save changes to a USB stick. I have not had an opportunity to test Pentoo myself, but I hope to over the holiday break and I will report back in another blog post.
Finally after a long day at the con I stopped off at
Capriotti’s and picked up a Bobbie. Those from Delaware will know what I am
talking about, for the rest of the world, think Thanksgiving on a sub roll.
Bart Lewis, NNT