Your daily source of Pwnage, Policy and Politics.

Episode 281 – Bug Bounty, HP SANS, Blackberry, NSA & Metasploit, Canvas, SAINT, CORE


ISDPodcast Episode 281 for December 17, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, Geordy Rostad, and Varun Sharma.

Announcements:

SANS Community:

Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam:  http://www.sans.org/mentor/details.php?nid=23493

Wednesday, February 23, 2011 – Wednesday, April 27, 2011

Use the Discount Code: isdpod15 for a 15% discount.

Appalachian Institute of Digital Evidence (AIDE):

AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV

When: February 17 – 18, 2011

http://aide.marshall.edu/default.htm

Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)

Stories:

News: https://blog.mozilla.com/security/2010/12/14/adding-web-applications-to-the-security-bug-bounty-program

Many people are not aware that Mozilla has paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities on selected sites. We are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities.

We want to encourage the discovery of security issues within our web applications with the goal of keeping our users safe. We also want to reward security researchers for their efforts with the hope of furthering constructive security research.

This new policy will go into effect starting December 15th, 2010 PST, and any new web application bugs will fall under this new policy. It is important to note that nothing else has changed with the original security bounty program and the updated amount which was announced back in July.

The Web Security Bounty FAQ includes which types of vulnerabilities will be considered and which sites will be considered to be a part of the Web Application Bounty Program.

The full text of the security bounty program:  http://www.mozilla.org/security/bug-bounty.html

News: http://securityconscious.blogspot.com/2010/12/migitating-isp-disruption.html

There is a blog that I think you would be interested in reading; the author, Abraham Aranguren, does a good job of compiling news articles. I do enjoy his “Highlighted quotes of the week” section. Apparently, Abraham had some issues with his ISP. He blogs about it, but makes some important notes:

  • If a browser can do it, I can do it automatically from the command line too (it does not matter if it is POST, etc)
  • Don’t use a browser’s user agent, etc. as a way of assuming anything.

News: http://www.fiercecio.com/techwatch/story/hp-confirms-san-password-vulnerability/2010-12-17

Hewlett Packard has confirmed that every HP MSA2000 G3 SAN (Storage Area Network) that has been sold comes with a critical security vulnerability in the form of a secret user account. The fiasco came to light in an anonymous warning posted on the security-centric electronic mailing list Bugtraq, which observed that “This user doesn’t show up in the user manager, and the password cannot be changed – looks like the perfect backdoor for everybody.”

The hidden user is either “admin” or “manage,” and comes with a fixed password of “!admin” that poses a threat to organizations that deploy the SAN, and is also an embarrassment to HP. The use of hardcoded passwords in appliances stems from past practices where it was assumed that such backdoors into the system will never be found out. It is not known in this situation whether the hidden account was an oversight by an engineer, though HP was quick to clarify that this vulnerability does not impact other models on HP’s MSA line of storage solutions.

News: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB24761 and http://www.us-cert.gov/current/index.html#rim_releases_security_advisory_for1

The vulnerability could allow a malicious individual to cause buffer overflow errors, which may result in arbitrary code execution on the computer that hosts the BlackBerry Attachment Service. While code execution is possible, an attack is more likely to result in the PDF rendering process terminating before it completes. In the event of such an unexpected process termination, the PDF rendering process will restart automatically but will not resume processing the same PDF file.

Successful exploitation of this issue requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message, or the BlackBerry smartphone user may retrieve it from a web site using the Get Link menu item on the BlackBerry smartphone.

News: http://packetstormsecurity.org/news/view/18335/US-No-Such-Agency-Admits-Its-Networks-Are-Hackable.html and http://www.theinquirer.net/inquirer/news/1933395/agency-admits-networks-hackable

The NSA (National Security Agency) has admitted that it builds systems on the assumption that they’re broken because “there’s no such thing as ‘secure’ any more”.

The US agency charged with protecting classified material made the startling admission that its computer networks are fallible. In fact, the agency went one further and said it operates on the assumption that it has already been hacked.

The head of the NSA’s Information Assurance Directorate, Debora Plunkett made the statement just days after the US started scratching its head trying to come up with some sort of extradition case against Wikileaks founder Julian Assange. Wikileaks has published a massive trove of classified US material that has embarrassed the US government.

Good quote – Plunkett added: “We have to build our systems on the assumption that adversaries will get in.”

Keith: I hope this isn’t ground breaking... this is realistically how the approach should be.

News: http://www.networkworld.com/community/node/69802

Rapid 7 is now including exploits of Cisco gear in Metasploit. The tool can now automatically use authentication holes on Cisco devices that allow attackers to gain access to the network. As new vulnerabilities on Cisco become known, they too will be included in the penetration testing tool.

UPDATED: The inclusion of Cisco is part of the rollout of Metasploit 3.5.1. “Metasploit 3.5.1 focuses on [Cisco] routers and switches, as well as Pix and ASA platforms. Previous versions of Metasploit already addressed Cisco wireless access points (and, therefore, included in this new version),” explains Metasploit founder and lead developer, HD Moore.

Explains Christian Kirsch on the Rapid 7 Security blog:

“The new Metasploit version 3.5.1 adds a lot of features to audit your network’s password security on many levels. Metasploit has always offered a broad range of brute forcing capabilities. Since version 3.5.1, it now also downloads the configuration files of Cisco routers and extracts their passwords. HD’s team has also added brute forcing of UNIX “r” services, such as rshell, rlogin and rexec, as well as VNC and SNMP services. Metasploit can also now import pcap network traffic logs to find clear text passwords, and to discover hosts and services. Metasploit has also become stealthier than ever: It now flies under the radar of intrusion detection (IDS) and intrusion prevention systems (IPS). An enhanced anti-virus evasion ensures that exploits are not stopped by end-point defenses.”

Metasploit is a two-edged sword for security professionals. It is a beloved tool that helps security pros find and fix security holes — leveling the playing field by giving security pros easy access to the exploits the bad guys can find. But it also serves as a sort of informal deadline on how much time an enterprise has to patch its wares. Once an exploit is included in the tool, the blackhats have easy access to it, too, and Metasploit prides itself on adding exploits as soon as they go public.

Exploits against Cisco devices are, for now, only included in the two paid versions of the tool, Metasploit Express and Metasploit Pro, and not in the free open source version, Metasploit Framework.

The new 3.5.1 release has also become the engine of the FOSS tool. A few months ago, when I talked to HD Moore, he promised that the company wouldn’t hamper the FOSS tool by leaving out exploits. At the time, he said: “The 3.3.0 release, 3.3.3, 3.3.1, all those releases were under Rapid7. We haven’t changed the licensing, registration, or delayed access to exploits.”