ISDPodcast Episode 192 for August 13, 2010. Tonight’s podcast is hosted by Rick Hayes and Keith Pachulski.
Announcements:
Local Password Exploitation Class:
- The Kentuckiana ISSA will be putting on a class on Aug 28th 2010 from 10am to 4:30pm at the Jeffersonville Public Library (https://events.constantcontact.com/register/eventReg?oeidk=a07e2znbzbs77edf8b6&oseq=)
- The class will cover the details of pulling passwords and hashes stored on a box to which the attacker has physical access, or obtaining them via network vulnerabilities that reveal the password or hash. Topics to be covered:
- Pulling stored passwords from web browsers/IM clients and other apps
- Hash cracking of Windows passwords, as well as other systems
- Sniffing plain text passwords off the network
- How passwords on one box can be used to worm through other hosts on a network
- Seating is limited to 50 people.
- The class is being held as a charity event for the Matthew Shoemaker Memorial Care Fund. Matthew was a fellow security professional and podcaster who left behind two children. His colleagues have set up an account to help support them. Donations can be made to the Shoemaker Memorial Care Fund at The Peoples Bank, P.O. Box 788, Winder, GA 30680. Checks can be mailed directly, or transfers made by telephone at (770) 867-9111. Please write account number 00133835 on the check. A PayPal account has also been established; you can find it on the right-hand side of this ISD page (http://www.isdpodcast.com/goodbye-farewall-god-bless/). Please show a receipt for a donation of at least $10 at the door.
Atlanta ISSA:
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
SANS Community:
- SANS Security 560: Network Penetration Testing and Ethical Hacking – September 17th – 22nd, 2010 (http://www.sans.org/atlanta-2010-cs2/description.php?tid=3142)
9am-5pm US ET
Hilton Atlanta Airport Hotel
1031 Virginia Avenue
Atlanta, GA 30354
- Use the Discount Code: isdpod15 for a 15% discount.
ShoeCon 2010:
- Atlanta, GA September 18th (http://www.shoecon.org)
Wellesley Inn-Atlanta Airport
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111
- If you are interested in speaking at this Conference then we are interested in talking with you. The September DC404 meeting will also be held at the Con.
- This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.
- We also need volunteers, donations of swag, time, etc.
- The isdpodcast website has made it easy for you to donate.
SANS Mentoring Program:
- Jason Lawrence will be teaching the SANS Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
- Adrian Sanabria will be teaching the SANS Security 504 – Hacker Techniques, Exploits & Incident Handling in Knoxville, TN starting Tuesday, October 12, 2010 – Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=22258). Use the Discount Code: isdpod15KY for a 15% discount.
The Louisville Metro InfoSec Conference:
- Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com).
Use the Discount Code: IGK-0726 when you register for $30 off the $99 ticket price ($69). The discount expires on Sept. 1st.
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- Dallas, TX – October 11th – 15th
- SANS: Drive and Data Recovery Forensics September 20th – 24th (https://www.sans.org/registration/register.php?conferenceid=21967)
- Washington, DC – December 6th – 10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com. Use the Discount Code: isdpodcast for a $300 discount.
Stories of Interest:
News Item 1: http://www.ibtimes.com/articles/40790/20100804/ucla-professor-warns-of-hardware-hacks.htm
[Notes: Karthik - Dell will agree to what he is saying readily.]
John Villasenor, a professor of electrical engineering at the University of California, Los Angeles, studies the way information moves and the way chips are built. He says the problem is that protecting hardware is neither that expensive nor difficult, but many companies don’t give it the attention it deserves.
A hardware hack could be an annoyance, by stopping a mobile phone from functioning. Or it could be more dangerous, if it damages the way a critical system operates. “The vulnerability is in the design process,” he said. “The trouble can only be caused by someone with access to that.” Traditionally, hardware hacking was almost impossible. Chip manufacturers did all the design in-house, and any problems would be quickly traced. But in the last several years, hundreds of companies have become involved in hardware design as bigger manufacturers have started outsourcing parts of the design process.
Chips are divided into “blocks,” each of which has a different function or set of functions. A chip maker will outsource some blocks if it doesn’t have the expertise in certain fields. “A chip might need to do 15 different things,” Villasenor said. “So the company outsourcing might say, ‘I need a block that adds six and four.’” A malicious designer could then build a block that functions innocently and well enough until a very specific function is called for. When that happens a certain program is initiated, which could be anything from simply freezing the machine by monopolizing the input and output of data and paralyzing the rest of the system, to transmitting private data to someone else. Such a problem wouldn’t be caught in the fabrication process, since by that time the factory is just following instructions.
“The system assumed that everybody was going to be nice,” Villasenor said. Villasenor says there are several types of attacks. Broadly they would fall into two categories: one is when a block stops a chip from functioning, while the other involves shipping data out. In the first case, a block might execute a piece of code that makes it monopolize the transmission of data between the chip it is on and the rest of the system. That would simply stop the chips from functioning, possibly freezing a computer or cell phone. In the second, a block might be programmed to gather data and send it elsewhere. Most of the defenses involve adding a kind of “policing” function to the chip’s architecture. For example, one could design a block that would monitor the behavior of other blocks and make sure they fit certain patterns. If another block misbehaves, it would be “quarantined” and the monitoring hardware would take over the now-missing functions.
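The dormant-trigger block and the policing block described above, modelled in Python as an added example. This is not code from the article or from Villasenor's research: the adder block, its trigger pair, the secret register and the monitor are all hypothetical, and the monitor's full redundant reference is a simplification of the "certain patterns" check the article mentions. What it shows is why the article's defence has to run at runtime: a trigger buried in one input pair out of 2^32 is invisible to sampled functional verification.

```python
"""Model of an outsourced chip block carrying a trigger-activated payload,
the random functional test it sails through, and a policing block that
quarantines it at runtime. Constructed simulation, not RTL."""
import random

WIDTH = 16
MASK = (1 << WIDTH) - 1


class HonestAdder:
    """In-house reference implementation of the outsourced block."""
    name = "adder_inhouse"

    def compute(self, a, b):
        return (a + b) & MASK


class TrojanAdder:
    """Outsourced block (hypothetical): correct on every input except one
    trigger pair, on which it leaks a secret register onto the output bus
    (exfiltration) and asserts a hold line that stalls the system (DoS)."""
    name = "adder_outsourced"
    TRIGGER = (0x0006, 0x0004)   # the article's "adds six and four"

    def __init__(self, secret):
        self.secret = secret & MASK
        self.bus_held = False     # denial-of-service payload fired
        self.leaked = None        # exfiltration payload fired

    def compute(self, a, b):
        if (a, b) == self.TRIGGER:
            self.leaked = self.secret
            self.bus_held = True
            return self.secret    # secret appears where the sum should be
        return (a + b) & MASK


def random_functional_test(block, vectors=10000, seed=1):
    """Pre-ship verification: random vectors checked against the reference.
    The chance of drawing the one trigger pair among 2**32 is negligible,
    so the trojaned block passes. Returns True when every vector matched."""
    rng = random.Random(seed)
    ref = HonestAdder()
    for _ in range(vectors):
        a, b = rng.randrange(1 << WIDTH), rng.randrange(1 << WIDTH)
        if block.compute(a, b) != ref.compute(a, b):
            return False
    return True


class Monitor:
    """Policing block: checks each result against a redundant reference,
    quarantines the block on the first mismatch or bus hold, and serves
    the function itself from then on (the article's 'take over')."""

    def __init__(self, block, reference):
        self.block = block
        self.reference = reference
        self.quarantined = False
        self.log = []

    def compute(self, a, b):
        expected = self.reference.compute(a, b)
        if self.quarantined:
            return expected
        got = self.block.compute(a, b)
        if got != expected or getattr(self.block, "bus_held", False):
            self.quarantined = True
            self.log.append(
                f"quarantined {self.block.name}: in=({a:#06x},{b:#06x}) "
                f"got={got:#06x} want={expected:#06x}")
            return expected
        return got


def run_demo(secret=0xBEEF):
    """Returns (passed pre-ship test, results the system saw, monitor)."""
    passed = random_functional_test(TrojanAdder(secret))
    mon = Monitor(TrojanAdder(secret), HonestAdder())
    inputs = [(1, 2), (6, 4), (6, 4), (0xFFFF, 1)]
    results = [mon.compute(a, b) for a, b in inputs]
    return passed, results, mon


if __name__ == "__main__":
    passed, results, mon = run_demo()
    print("pre-ship random test passed:", passed)
    print("results seen by system:", results)
    print("\n".join(mon.log))
```

A real checker would be cheaper than a full second copy of the block (a residue or invariant check on the result, a watchdog on the bus-hold line), at the cost of catching some misbehaviour only probabilistically; the quarantine-and-take-over structure is the same.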
News Item 2: http://www.securecomputing.net.au/News/223608,bank-fined-97m-over-poor-it-governance.aspx
[Notes: Rick - It's hard to believe that there was no validation of the solution prior to or even after implementation.]
The Royal Bank of Scotland (RBS) has been slapped with a GBP 5.6 million (US $8.9 million) fine for negligent IT governance. RBS implemented an IT system in 2006 to screen cross-border transactions, but the bank had not tested the system for accuracy since its inception. Over a two-year period, the system in question missed all incoming payments from foreign sources, as well as the majority of outgoing payments except those headed for the US.
News Item 3: http://www.nextgov.com/nextgov/ng_20100804_3502.php?oref=topnews
[Notes: Rick - You just knew it was a matter of time before this happened. Also, what is the manufacturer doing with the images?]
Images of body scans taken at US airports, courthouses and other high-security environments have been saved in some cases, despite assurances from the Transportation Security Administration (TSA) that the images “cannot be stored or recorded.” The TSA at one point admitted that it requires the machines to be able to store and transmit the images, but said the capability was not enabled by default. The story came to light through evidence obtained by the Electronic Privacy Information Center (EPIC) under the Freedom of Information Act (FOIA). The US Marshals Service said it had saved tens of thousands of scanned images from a millimeter wave device at a checkpoint in a Florida courthouse. A machine tested at a Washington, DC federal courthouse was later returned to the manufacturer, which now is in possession of the stored images.
News Item 4: http://www.darkreading.com/authentication/security/encryption/showArticle.jhtml?articleID=226600201
[Notes: Keith - Going to be amusing watching all the .govs and private sectors use PIV or CAC implementations relying on AD for authentication. For those entities that allow for downgrading of encryption because there are legacy systems in production, authentication can potentially be circumvented. Moral of the story: acceptance of known vulnerable authentication mechanisms to support legacy systems that should not be in production in the first place nullifies the security controls throughout the entire organization.]
Significant weaknesses in the common configuration of Kerberos authentication servers could allow attackers to circumvent security measures more easily in networks that rely on the open authentication standard, according to research presented by consultants at the Black Hat USA 2010 conference.
The researchers found several common configuration problems that could let attackers significantly weaken the security that Kerberos provides.
Companies typically use Kerberos in Microsoft Active Directory environments or in large university Unix or Linux networks, where users authenticate once to a central server and then access various network resources. An active attacker could cause an authentication server to downgrade the encryption type, or etype, used for the authenticator exchange, says Scott Stender, co-founder and principal consultant with iSEC Partners and one of the report’s authors.
Kerberos version 4 was hard-coded to use the Data Encryption Standard (DES), a 64-bit block cipher that is no longer considered strong because, among other reasons, its key provides only 56 bits of security. The current version of the protocol, Kerberos version 5, allows any suitable cryptographic primitive, but an attacker can in practice prevent the authentication system from using the more secure Advanced Encryption Standard (AES). The downgrade only works where both the KDC and the client still support the weak etype: disabling DES on both sides, rather than merely preferring AES, leaves the attacker nothing to fall back to.
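The etype negotiation the article describes, modelled in Python as an added example (this is not code from the iSEC research or from the article): a client advertises its etypes in preference order, an attacker on the wire rewrites the list in the unauthenticated AS-REQ so that only DES survives, and the KDC picks the best of what is left; the client then either accepts the weak choice or refuses it against a permitted-etype floor. The same block runs a detection pass over constructed Windows-style 4768/4769 records. The stripping transform, the realm etype sets and the flat log format are assumptions; the etype numbers are the RFC 3961/4120 values plus Microsoft's rc4-hmac. Flagging RC4-HMAC as weak goes beyond the article's DES point.

```python
"""Kerberos etype downgrade, modelled: negotiation with and without an
attacker on the wire, a client-side etype floor, and a log check that
flags tickets issued with DES or RC4. Constructed model, not a KDC."""
import re

# Etype numbers from RFC 3961 / RFC 4120; 23 is Microsoft's rc4-hmac.
ETYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK = {1, 3, 23}              # 56-bit DES and RC4-HMAC
STRONG = set(ETYPES) - WEAK


def kdc_choose(requested, kdc_supported):
    """KDC side: first etype in the client's preference list that the realm
    (and the principal's keys) support. None stands for KDC_ERR_ETYPE_NOSUPP."""
    for e in requested:
        if e in kdc_supported:
            return e
    return None


def mitm_strip_to_des(requested):
    """Active attacker (assumed): the etype list in the AS-REQ is not
    integrity-protected before the client has a key, so it can be rewritten
    to leave only DES standing."""
    return [e for e in requested if e in (1, 3)]


def negotiate(client_prefs, kdc_supported, on_wire=None, permitted=None):
    """Returns (etype the KDC chose, whether the client accepted it).
    client_prefs   etypes the client advertises, best first
    kdc_supported  etypes the realm/principal has keys for
    on_wire        optional attacker transform applied to the request
    permitted      client-side floor; None means 'anything I advertised'
    """
    request = list(client_prefs)
    if on_wire is not None:
        request = on_wire(request)
    chosen = kdc_choose(request, kdc_supported)
    if chosen is None:
        return None, False
    allowed = set(client_prefs) if permitted is None else set(permitted)
    return chosen, chosen in allowed


# Constructed flat-text rendering of Windows 4768/4769 audit fields; the real
# events are XML/EVTX, only the field names and hex etype values are mirrored.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Account=(?P<acct>\S+)\s+Service=(?P<svc>\S+)"
    r"\s+TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+)")

SAMPLE_EVENTS = [
    "EventID=4769 Account=alice@CORP.EXAMPLE Service=cifs/fs01 TicketEncryptionType=0x12",
    "EventID=4769 Account=svc-legacy@CORP.EXAMPLE Service=host/oldapp TicketEncryptionType=0x3",
    "EventID=4768 Account=bob@CORP.EXAMPLE Service=krbtgt/CORP.EXAMPLE TicketEncryptionType=0x17",
    "EventID=4624 Account=carol@CORP.EXAMPLE Service=- TicketEncryptionType=0x12",
]


def flag_weak_tickets(lines):
    """Flags TGT (4768) and service-ticket (4769) records whose ticket etype
    is DES or RC4; returns (account, service, etype name) tuples."""
    flagged = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m.group("id") not in ("4768", "4769"):
            continue
        etype = int(m.group("etype"), 16)
        if etype in WEAK:
            flagged.append((m.group("acct"), m.group("svc"), ETYPES[etype]))
    return flagged


if __name__ == "__main__":
    legacy_realm = {1, 3, 17, 18, 23}      # DES still enabled
    clean_realm = {17, 18, 23}             # DES removed
    client = [18, 17, 23, 3]               # client still offers DES
    print("no attacker      :", negotiate(client, legacy_realm))
    print("stripped to DES  :", negotiate(client, legacy_realm, mitm_strip_to_des))
    print("client AES floor :", negotiate(client, legacy_realm, mitm_strip_to_des, {17, 18}))
    print("realm without DES:", negotiate(client, clean_realm, mitm_strip_to_des))
    for acct, svc, et in flag_weak_tickets(SAMPLE_EVENTS):
        print(f"weak ticket: {acct} -> {svc} ({et})")
```

The controls this maps to are the etype floors on each side: MIT krb5's permitted_enctypes and allow_weak_crypto (off by default since 1.8), and in Active Directory the "Network security: Configure encryption types allowed for Kerberos" policy and each account's msDS-SupportedEncryptionTypes attribute. The last negotiate call above is the point: once neither the realm nor the client offers DES, stripping the request yields an error rather than a weak ticket, and the 4768/4769 check is how you find the legacy accounts still forcing weak etypes before you turn them off.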






