ISD Podcast Episode 162 for June 29, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- Atlanta, GA – July 12th-16th
- Dallas, TX – October 11th – 15th
- Washington, DC – December 6th – 10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
Atlanta ISSA:
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
- SANS 560: Network Penetration Testing and Ethical Hacking – September 17-22, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
- SANS 577: Virtualization Security Fundamentals – September 17 & 18 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3807)
9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354
Kentuckiana ISSA Meeting
July 9th from 11:30 AM to 1:00 PM at Sullivan University.
http://www.issa-kentuckiana.org/index.php?option=com_content&view=article&id=13&Itemid=13
Ohio Information Security Forum:
Event Date: July 10th, 2010
Location: SCC Research Park, Auditorium
Time: 8:30AM-5:30PM
Friends of the Podcast:
Webhosting services: WebSpeedway
Corrections:
Stories of Interest:
News item 1: http://www.esecurityplanet.com/features/article.php/3889356/Org-Signed-for-DNSSEC.htm
The .org top-level domain (TLD) has now been signed with Domain Name System Security Extensions (DNSSEC), marking a significant milestone in better securing key elements of the Internet against security vulnerabilities. The move toward securing the .org registry with DNS security started back in September 2008, following the Kaminsky DNS flaw disclosure.
The .org TLD is now the first major generic TLD to be secured with DNSSEC, providing its domain holders with the potential to cryptographically ensure the integrity of DNS information. The signing of the .org domain comes ahead of the final signing of the root zone for the Internet, which is set for July.
While the .org domain space is now signed, it’s now up to individual domain registrars that sell and maintain .org domains to implement DNSSEC for their respective customers.
The expense to .org for implementing DNSSEC on its infrastructure and operations has not been a small one. While Alexa Raad, CEO of the Public Interest Registry, did not provide a specific figure as to the cost of DNSSEC implementation, Afilias, which is the technical operator of the .org registry, told InternetNews.com in 2009 that the DNSSEC implementation would be a multi-million dollar effort. But Raad noted that the cost isn’t going to be passed on by .org to domain registrars.
“This was not a commercial motivation for us, but rather more of a public interest motivation,” Raad said. “We’re not passing on any costs — we’re absorbing the cost.” While DNSSEC as a technology has been around for years, the need for it accelerated after vulnerabilities like the Kaminsky DNS flaw came to light. “Up until the Kaminsky bug, there was skepticism about the necessity for DNSSEC,” Raad said. “That bug put a stop to that very quickly.”
News item 2: http://bit.ly/b3tUGN
VeriSign and one of its partners have come under fire for publicly exposing webpages used to process customer security certificates, a practice a competitor claims puts some of the biggest names on the web at risk of serious targeted attacks.
According to Melih Abdulhayoglu, CEO of internet security firm Comodo, publicly accessible pages such as those here and here needlessly disclose sensitive internal information about VeriSign customers Bank of America and the Commonwealth of Massachusetts respectively. By exposing the email address of the organizations’ security certificate managers and providing a comprehensive list of web addresses that use secure sockets layer protection, VeriSign puts them at risk of targeted phishing attacks, he said.
What’s more, Abdulhayoglu pointed to the availability of this page provided by VeriSign partner Getronics.nl of the Netherlands. It allows anyone in the world to search its database and pull up a wealth of information about the digital certificates of not only Bank of America but plenty of other companies, including VeriSign itself. The interface also points to dynamically generated pages like the one captured below, which provide buttons for revoking, renewing, and replacing the digital certificate.
News Item 3: http://www.wired.co.uk/news/archive/2010-06/18/huge-privacy-flaw-found-in-vpn-systems
More and more people have attempted to preserve their privacy by signing up for VPN services like the Pirate Bay’s Ipredator and the Pirate Party’s offering, Relakks. But it turns out that there’s a gaping security flaw in these services that allows individual users to be identified. The finding was announced at the Cipher conference in Sweden. The flaw is caused by a combination of IPv6, the new internet protocol due to replace the current IPv4, and PPTP (point-to-point tunneling protocol)-based VPN services, which are the most widely used. IPv6 is enabled on many computers, and you may well be using it without realizing.
The flaw means that the IP address of a user hiding behind a VPN can still be found, thanks to their connection broadcasting information that can be used to identify them. It’s also relatively easy to find a MAC address (which identifies a particular device) and a computer’s name on the network that it’s on.
It’s possible to re-hide yourself by switching IPv6 off and going back to IPv4, but that does mean losing the benefits that it offers. It’s most dangerous because many users aren’t aware of the issue, so it’s likely that administrators of VPN networks may end up having to warn their users, and offer instructions on how to turn off IPv6. It’s thought that the Swedish anti-piracy bureau could already be gathering data using the exploit.
One alternative to PPTP is OpenVPN, which offers a number of advantages, especially as it’s free and open-source. It’s more secure than PPTP, and more stable too, though it doesn’t work on mobile devices natively and isn’t quite as easy to set up on a computer, especially older machines. OpenVPN also has the advantage that it’s often not blocked in countries where PPTP systems are blocked.
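As an added example (not from the Wired article or the podcast), a Python check a VPN administrator could hand to users before telling them to switch IPv6 off: it parses `ip -6 route` and `ip -6 addr` output (constructed samples embedded below; the tunnel interface name `ppp0` is an assumption) to flag an IPv6 default route that bypasses the PPTP tunnel, and SLAAC addresses whose EUI-64 interface identifier embeds the NIC's MAC address, which is how the MAC mentioned above becomes visible.

```python
import ipaddress
import re

# Constructed `ip -6 route show` output for a host whose PPTP tunnel (ppp0)
# carries IPv4 only: the IPv6 default route still leaves via the physical NIC.
SAMPLE_ROUTES = """\
2001:db8:1234::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 1024
"""

# Constructed `ip -6 addr show` output with a SLAAC address whose interface
# identifier is EUI-64, i.e. built from the NIC's MAC address.
SAMPLE_ADDRS = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1234:0:211:22ff:fe33:4455/64 scope global dynamic
    inet6 fe80::211:22ff:fe33:4455/64 scope link
"""

def ipv6_default_routes(route_output):
    """Return the interface names carrying an IPv6 default route."""
    ifaces = []
    for line in route_output.splitlines():
        if line.startswith("default"):
            m = re.search(r"\bdev (\S+)", line)
            if m:
                ifaces.append(m.group(1))
    return ifaces

def ipv6_bypasses_vpn(route_output, vpn_iface):
    """True when an IPv6 default route does not go through the tunnel interface,
    meaning IPv6 traffic (and the real address it carries) bypasses the VPN."""
    return any(dev != vpn_iface for dev in ipv6_default_routes(route_output))

def eui64_mac(addr):
    """If the interface identifier of addr is EUI-64 derived (RFC 4291: bytes
    3-4 of the identifier are ff:fe), return the embedded MAC, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def exposed_mac_addresses(addr_output):
    """Return (address, mac) for global-scope addresses that embed a MAC;
    these are the ones privacy extensions (RFC 4941) would replace."""
    found = []
    for line in addr_output.splitlines():
        m = re.search(r"inet6 (\S+)/\d+ scope global", line)
        if m:
            mac = eui64_mac(m.group(1))
            if mac:
                found.append((m.group(1), mac))
    return found

if __name__ == "__main__":
    print("IPv6 bypasses ppp0:", ipv6_bypasses_vpn(SAMPLE_ROUTES, "ppp0"))
    print("MAC-bearing addresses:", exposed_mac_addresses(SAMPLE_ADDRS))
```

On a real host, feed the functions the live output of the two `ip` commands; a `True` from `ipv6_bypasses_vpn` is the leak the article describes.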
News item 4: http://www.owasp.org/index.php/How_to_write_insecure_code
In the interest of ensuring that there will be a future for hackers, criminals, and others who want to destroy the digital future, this web page captures tips from the masters on how to create insecure code.
General Principles
Avoid the tools
If you want to ensure vulnerabilities, simply make them difficult for automated tools to find. This is a lot easier than it sounds. All you have to do is make sure your vulnerabilities don’t match anything in the tool’s database of signatures.
Always use default deny
Apply the principle of “Default Deny” when building your application. Deny that your code can ever be broken, deny vulnerabilities until there’s a proven exploit, deny to your customers that there was ever anything wrong, and above all – deny responsibility for flaws. Blame the dirty cache buffers.
Be a shark
Always be on the move. Leave security problems to operations staff.
News item 5: http://www.mail-archive.com/ibm-main@bama.ua.edu/msg118853.html
The Guardia Civil have arrested three managers of a company that sells customized software for small and medium enterprises; the software contained “controlled errors” programmed to make it fail on a predetermined date. The company sold the poisoned software to more than 1,000 customers in Spain, according to Guardia Civil sources. The scam ran from about 1998 and consisted of introducing “logic bombs” into the software they distributed, which caused a computer failure that paralyzed the normal functioning of the business and forced customers to contact the technical service, with the consequent economic loss. Users who had not contracted this service were charged for the repair, had another “controlled error” introduced for a new date, and were advised to contract the technical service.
News item 6: http://threatpost.com/en_us/blogs/critical-pdf-reader-patch-fixes-launch-command-attack-vector-062910
Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac and UNIX users to malicious hacker attacks.
The update, which affects Adobe Reader/Acrobat 9.3.2 (and earlier versions), includes a fix for the outstanding PDF “/Launch” functionality social engineering attack vector that was disclosed by researcher Didier Stevens.
As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.
According to Adobe, the newest version includes changes to resolve the misuse of this command.
We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks. More information on the security-related improvements in this update can be found in this Adobe blog post.
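An added detection example, not Adobe's or Didier Stevens' code: a Python triage scanner that counts /Launch and other automatically triggered actions in a PDF, decoding the #xx hex escapes PDF allows in name tokens first so a trivially obfuscated name is still seen. The embedded PDF is a constructed, harmless sample whose launch target `example.exe` is a placeholder; compressed object streams are not decoded, as noted in the code.

```python
import re

# Constructed, harmless sample: a one-page PDF whose /OpenAction points at a
# /Launch action. The file name "example.exe" is a placeholder, not a payload.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (example.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names worth a look: /Launch runs an external program, /OpenAction and /AA
# trigger actions automatically, /JavaScript runs script.
RISKY_NAMES = (b"/Launch", b"/OpenAction", b"/AA", b"/JavaScript")

def normalize_names(data):
    """Decode #xx hex escapes that PDF permits inside name tokens, so that
    /L#61unch is seen as /Launch. Applied to the whole file for simplicity;
    over-decoding a string literal only risks a harmless false positive."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data):
    """Return a dict mapping each risky name to its occurrence count.
    Objects packed into compressed object streams (/ObjStm) or filtered
    streams are not decoded here, so a zero count is not proof of absence."""
    text = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # the lookahead stops /AA from matching the start of a longer name
        pattern = re.escape(name) + rb"(?![A-Za-z])"
        counts[name.decode()] = len(re.findall(pattern, text))
    return counts

def launch_targets(data):
    """Return the /F file entries found inside /Launch action objects."""
    text = normalize_names(data)
    targets = []
    for m in re.finditer(rb"/S\s*/Launch(.*?)endobj", text, re.S):
        f = re.search(rb"/F\s*\(([^)]*)\)", m.group(1))
        if f:
            targets.append(f.group(1).decode("latin-1"))
    return targets

def verdict(data):
    """Heuristic triage: a /Launch action combined with an automatic trigger
    is the open-and-run pattern the Adobe update now blocks by default."""
    counts = scan_pdf(data)
    if counts["/Launch"] == 0:
        return "no launch action"
    if counts["/OpenAction"] or counts["/AA"]:
        return "launch action with automatic trigger"
    return "launch action present"

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF), launch_targets(SAMPLE_PDF), verdict(SAMPLE_PDF))
```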
Tools:
- UATester Alpha – Chris John Riley’s tool that is designed to automatically check a given URL using a list of standard and non-standard User Agent strings provided by the user.
root@bt:~# python UAtester_0.8.py -u http://www.jpmc.com
_/ User-Agent Tester
_/ ChrisJohnRiley
_/ blog.c22.cc
[ ] Performing initial request and confirming stability
[-] URL (ENTERED) : http://www.jpmc.com
[-] RESPONSE CODE : (200, 'OK')
[-] DATE : Tue, 29 Jun 2010 22:16:39 GMT
[-] CONTENT-TYPE : text/html
[-] SERVER : Apache/2.0.52 (CentOS)
[-] LENGTH : 901
[-] DATA : 888e04340e02e9405585c5279d3c468a
[ ] First Pass : . . . .
[ ] Second Pass : . . . .
[ ] Third Pass : . . . .
[-] URL appears stable
[ ] Beginning test
[ ] Using DEFAULT User-Agent Strings
[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)','Mozilla/4.0 (compatible; MSIE 5.5;)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (X11; U; SunOS sun4v; en-US; rv:1.8.1.3) Gecko/20070321 Firefox/2.0.0.3
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13
[*] All Results returned match the reference connection
[ ] User-Agent String : Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9
[*] All Results returned match the reference connection
[ ] User-Agent String : Googlebot/2.1 (+http://www.google.com/bot.html)
[*] All Results returned match the reference connection
[ ] User-Agent String : Googlebot-Image/1.0
[*] All Results returned match the reference connection
[ ] User-Agent String : Mediapartners-Google
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/2.0 (compatible; Ask Jeeves)
[*] All Results returned match the reference connection
[ ] User-Agent String : msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm)
[*] All Results returned match the reference connection
[ ] User-Agent String : mmcrawler
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (PLAYSTATION 3; 2.00)
[*] All Results returned match the reference connection
[ ] User-Agent String : TrackBack/1.02
[*] All Results returned match the reference connection
[ ] User-Agent String :
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/4.75 (Nikto/2.01)
[*] All Results returned match the reference connection
[ ] User-Agent String : curl/7.7.2 (powerpc-apple-darwin6.0) libcurl 7.7.2 (OpenSSL 0.9.6b)
[*] All Results returned match the reference connection
[ ] User-Agent String : w3af.sourceforge.net
[*] All Results returned match the reference connection
[ ] User-Agent String : HTTrack
[*] All Results returned match the reference connection
[ ] User-Agent String : Wget 1.9cvs-stable
[*] All Results returned match the reference connection
[ ] User-Agent String : Lynx (textmode)
[*] All Results returned match the reference connection
[ ] User-Agent String : .nasl
[*] All Results returned match the reference connection
[ ] User-Agent String : paros
[*] All Results returned match the reference connection
[ ] User-Agent String : webinspect
[*] All Results returned match the reference connection
[ ] User-Agent String : brutus
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Linux; U; Android 2.1-update1; en-at; HTC Hero Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
[*] All Results returned match the reference connection
[ ] User-Agent String : jBrowser-WAP
[*] All Results returned match the reference connection
[ ] User-Agent String : Nokia7650/1.0 Symbian-QP/6.1 Nokia/2.1
[*] All Results returned match the reference connection
python UAtester_0.8.py -u https://www.chase.com
_/ User-Agent Tester
_/ ChrisJohnRiley
_/ blog.c22.cc
[ ] Performing initial request and confirming stability
[-] URL (ENTERED) : https://www.chase.com
[-] RESPONSE CODE : (200, 'OK')
[-] DATE : Tue, 29 Jun 2010 23:07:16 GMT
[-] CONTENT-TYPE : text/html
[-] SERVER : JPMC1.0
[-] LENGTH : 23437
[-] DATA : c1bf535b0121c3a602b445d0ef5fa549
[ ] First Pass : . . . .
[ ] Second Pass : . . . .
[ ] Third Pass : . . . .
[-] URL appears stable
[ ] Beginning test
[ ] Using DEFAULT User-Agent Strings
[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)','Mozilla/4.0 (compatible; MSIE 5.5;)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 5.2; rv:1.9.2) Gecko/20100101 Firefox/3.6
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (X11; U; SunOS sun4v; en-US; rv:1.8.1.3) Gecko/20070321 Firefox/2.0.0.3
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13
[*] All Results returned match the reference connection
[ ] User-Agent String : Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9
[*] All Results returned match the reference connection
[ ] User-Agent String : Googlebot/2.1 (+http://www.google.com/bot.html)
[*] All Results returned match the reference connection
[ ] User-Agent String : Googlebot-Image/1.0
[*] All Results returned match the reference connection
[ ] User-Agent String : Mediapartners-Google
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/2.0 (compatible; Ask Jeeves)
[*] All Results returned match the reference connection
[ ] User-Agent String : msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm)
[*] All Results returned match the reference connection
[ ] User-Agent String : mmcrawler
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (PLAYSTATION 3; 2.00)
[*] All Results returned match the reference connection
[ ] User-Agent String : TrackBack/1.02
[*] All Results returned match the reference connection
[ ] User-Agent String :
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/4.75 (Nikto/2.01)
[*] All Results returned match the reference connection
[ ] User-Agent String : curl/7.7.2 (powerpc-apple-darwin6.0) libcurl 7.7.2 (OpenSSL 0.9.6b)
[*] All Results returned match the reference connection
[ ] User-Agent String : w3af.sourceforge.net
[*] All Results returned match the reference connection
[ ] User-Agent String : HTTrack
[*] All Results returned match the reference connection
[ ] User-Agent String : Wget 1.9cvs-stable
[*] All Results returned match the reference connection
[ ] User-Agent String : Lynx (textmode)
[*] All Results returned match the reference connection
[ ] User-Agent String : .nasl
[*] All Results returned match the reference connection
[ ] User-Agent String : paros
[*] All Results returned match the reference connection
[ ] User-Agent String : webinspect
[*] All Results returned match the reference connection
[ ] User-Agent String : brutus
[*] All Results returned match the reference connection
[ ] User-Agent String : Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE : (301, 'Moved Permanently')
[!] CONTENT-TYPE : text/html; charset=utf-8
[!] SERVER : Microsoft-IIS/6.0
[!] LENGTH : 3001
[!] DATA : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string
[ ] User-Agent String : Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE : (301, 'Moved Permanently')
[!] CONTENT-TYPE : text/html; charset=utf-8
[!] SERVER : Microsoft-IIS/6.0
[!] LENGTH : 3001
[!] DATA : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string
[ ] User-Agent String : Mozilla/5.0 (Linux; U; Android 2.1-update1; en-at; HTC Hero Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE : (301, 'Moved Permanently')
[!] CONTENT-TYPE : text/html; charset=utf-8
[!] SERVER : Microsoft-IIS/6.0
[!] LENGTH : 3001
[!] DATA : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string
[ ] User-Agent String : jBrowser-WAP
[*] All Results returned match the reference connection
[ ] User-Agent String : Nokia7650/1.0 Symbian-QP/6.1 Nokia/2.1
[!] URL (RETURNED) : https://mobilebanking.chase.com/
[!] RESPONSE CODE : (301, 'Moved Permanently')
[!] CONTENT-TYPE : text/html; charset=utf-8
[!] SERVER : Microsoft-IIS/6.0
[!] LENGTH : 3001
[!] DATA : 7846942a4be014155f61efbd45a817df
[!] Differing response was received from the server using this user-agent string