InfoSec Daily Podcast Episode 647 for April 17, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Adrian Crenshaw, Karthik Rangarajan, and Themson Mester.
Special Guest Co-Host SkyDog.
When: April 20-21, 2012
Where: Wellesley Inn, Atlanta GA
Linuxfest Northwest 2012
When: April 28-29, 2012
Where: Bellingham Technical College – Bellingham, WA
When: May 21-25, 2012
Where: MU Forensic Science Center - Huntington, West Virginia
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
Social Engineering Training
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
When: October 26-28
Where: Hotel Preston in Nashville, TN
Thanks to everyone that has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.
I'm only going to address uncrackable quantum encryption though. I'm not touching unicorns or perpetual motion.
This article over at ZDNet was responsible for sending me down this rabbit hole, though I've been rolling my eyes at "Uncrackable Quantum Encryption" articles for at least a decade.
First off, most of the "uncrackable quantum encryption" claims refer to encrypting data for transmitting across networks, between endpoints. The idea is that you can make a tamper-evident system due to the nature of quantum mechanics. If an attacker attempts to manipulate or observe data in a quantum system, the data will be altered. Once altered, we're aware of the attacker and can take countermeasures.
It is more likely that companies and researchers trying to sell the idea of quantum encryption are depending on its Sci-Fi "WOW" factor to sell it as the next big thing in cryptography. In reality there are many issues with quantum cryptography.
1. It is new, and largely untested
2. We already have uncrackable encryption…
3. The real problem in most encryption failures is poor implementation
4. Aside from researchers, no one is attacking cryptography
Show me some uncrackable quantum encryption that keeps your data safe, and I'll show you the treadmill I use to power my house. He never gets tired.
A British teenager beleived to be the hacker TriCk, a founding member of TeaMp0isoN has reportedly been arrested after launching a denial of service attack against an anti-terrorism hotline in the UK.
The 17 year-old, a resident of Birmingham in the UK, was arrested on April 12 in connection with a high profile "phone bomb" attack on a telephone hotline used to collect reports of possible terrorist activities. The attack, on April 11th, used an automated system to flood the hotline with calls in which a computerized voice said TeamP0ison," overwhelming phone operators. He and another 16 year old UK teen were arrested by members of the Metropolitan Police's eCrime Unit and charged with one count of causing a public nuisance and one count of violating the UK's 1990 Computer Misuse Act, according to Richard Jones, a spokesman for the Metropolitan Police.
The Metropolitan Police would not identify the youth by name, citing legal protections for minors. Nor would the agency confirm that either youth was TriCk or a TeaMp0ison member. However, in a post attributed to TeaMp0ison on the Web site Pastebin, the group identified one of the arrested teenagers as founding member TriCk.
"We've lost the first and most important member of our team; our founder, our brother, our family member. Most importantly we lost a fighter for freedom, a fighter against corruption," the statement reads.
Prior to the arrrests, the group and the member known as TriCk had been outspoken about their role in the attack on online. In an interview on the Web site Softpedia, someone claiming to be TriCk said the phone bomb attack was run using a software program known as Asterisk running on a compromised server in Malaysia. The attack was launched in retaliation for UK treatment of terrorism suspects and moves recently to extradite suspected terrorists to the U.S.
The number of coding mistakes on websites continues to fall but companies are slow to fix issues that could be exploited by hackers working with improved attack tools, a security expert said.
The average number of serious vulnerabilities introduced to websites by developers in 2011 was 148, down from 230 in 2010 and 480 in 2009, said Jeremiah Grossman, chief technology officer for WhiteHat Security, which specializes in testing websites for security issues. Grossman spoke on the sidelines of the Open Web Application Security Project conference in Sydney on Monday.
The vulnerabilities are contained within custom website code and are not issues that can be fixed by applying patches from, for example, Microsoft or Oracle, Grossman said. According to WhiteHat Security statistics, it takes organizations an average of 100 days to fix about half of their vulnerabilities.
The risk is that vulnerabilities which haven't been speedily remedied could be found by a hacker, resulting in a high-profile data breach such as those that affected Sony, the analyst firm Stratfor Global Intelligence, and AT&T.
Hackers are honing their skills and are becoming better focused. They are using a wider array of improved tools in order to find coding problems in websites. "Offense gets better every year," Grossman said.
There has been a lot of buzz across the web the last few months about a program called “Mimikatz”. It is an interesting program that allows you to recover Windows passwords from a system in clear text. Why spend hours, days, or months trying to crack a complex password when you can just pull it from Windows memory as unencrypted text?
We have seen in the past that most Windows passwords less than 15 characters can be cracked in just a few seconds if the attacker can get the Windows Hashes. This is due to the fact that Windows stores these passwords in an easy to crack LM hash. An old encryption used for backwards compatibility. Microsoft allows you to disable the older LM Hash, but as Mike Pilkington discusses on the SANS blog, Microsoft still creates the hash and stores it in memory.
No big deal, just make your passwords 15 characters or greater and problem solved. The LM hash will not be created, only the more secure NTLM hash. Well, not so fast. It seems that the LM hash is not the only version of the passwords Windows keeps in memory, it also keeps a copy of the passwords in plain text.
Which you can even recover remotely…
Pauldotcom.com has a great article explaining how to use Mimikatz to recover remote passwords. In this example, I used the website Java attack through the Social Engineering Toolkit (SET) to obtain a remote shell. First thing you will want to do is download Mimikatz and place the files you need (Windows 32 or 64 bit) in a directory on your Backtrack system. Then run SET and pick the website java attack option.
Recently Oracle accidentally released a MySQL denial-of-service (DoS) proof of concept in the process of fixing the same problem. In March, the company released updates to MySQL, versions 5.5.22 and 5.1.62, which referred in their changes to "Security Fix: Bug #13510739 and Bug #63775 were fixed" with no other details on the problems. It is a common practice to keep details of issues which could be used to against older versions of software; even the bug reports for 13510739 and 63775 are not yet publicly available.
But, as security researcher Eric Romang found, Oracle also shipped the new MySQL versions with a development script "mysql-test/suite/innodb/t/innodb_bug13510739.test" in the source which appears to be not only part of the automated testing for MySQL, but also a proof of concept for the flaw which crashes MySQL 5.5.21 and earlier versions. Romang posted the script on Pastebin; it requires authenticated access and appropriate privileges to be run which mitigates the problem somewhat.
This incident demonstrates that, especially with applications where the buildable and testable source code is released, if a company is going to adopt a non-disclosure policy, it really is necessary to make sure that absolutely no information leaks out in the form of test scripts. A better path for companies is to adopt a policy where they fully document what they have fixed and release test scripts for administrators to test their installations; trying to hide security bug fixes makes no sense when criminals and other bad actors are already looking for them and will find plenty of hints in the code itself.
If not talked about yet, should note that Phrack issue #68 is out.