My sister's computer

My sister complained about her out of date computer that is slow and that she “can’t do anything with”. I agreed to take it into my possession and make it so she can [insert whatever the opposite of can't do anything with is]. I basically wanted to look at the specs, do some upgrades if needed and install a new operating system. When I first boot the computer up I find she is running Windows 98, unpatched of course. Her virus definitions haven’t been updated since August of 1999. Yes, that’s over 65 months old. She is using Internet Explorer version 5.00.2614.3500, which according to SecurityFocus’s Vulnerability page has no less than 46 unique vulnerabilities in it. I decided to download and run Spybot on her computer and it found *plenty* of spyware and registry changes. I think one of the saving graces that her computer was still functioning is that she still accesses the internet via dialup and spends less than 10 hours online a month, so the “always on” security aspect of consumers on broadband doesn’t apply to her.

In any event, I have rebuilt her computer with Windows XP Home Edition. I was contemplating installing Fedora Core 3 but decided against it. If I find myself rebuilding her computer in the near future it’s definitely getting a FC3 install with 2 icons on the desktop, Open Office and Firefox. After I installed XP, I fired up Internet Explorer and downloaded Firefox. I then uninstalled the Internet Explorer Windows component. I installed Spybot, AVG Anti-Virus, free for home use, and ZoneAlarm, also free for home use. She needed an office suite and didn’t want to buy one so I downloaded and installed OpenOffice.org. I’m not quite sure but am thinking OOO might be a bit too heavy for her so I installed AbiWord as well, which in my opinion is a great free standalone word processor. I used automatic updates to install all the current hotfixes and I set up XP to notify her that there are updates available.
I’m not sure about the feasibility of her getting updates over dialup automatically, but I want her to know that there are updates she needs to install as a responsible computer/internet user. I remember hearing about receiving Windows security updates via CD for computers with no internet access or dialup, but the page I found at http://www.microsoft.com/athome/security/protect/cd/order.mspx states “The Windows Security Update CD is no longer available”. It appears that you can, however, order Windows XP SP2 on CD. I plan on sitting down with my sister when I give her computer back and showing her how to be a savvy security-conscious computer user like her brother :)

The Paris Hack

It’s been big news lately, Paris Hilton having her T-Mobile Sidekick get hacked and her address book, notes, and camera phone images showing up all over the internet and back again. I originally suspected that it was a result of T-Mobile getting pwned by Nicolas Jacobsen throughout the course of a year, which was in the news recently. That article states that Jacobsen “could access information on any of the Bellevue, Washington-based company’s 16.3 million customers, including many customers’ Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with Web access to their T-Mobile e-mail accounts. He did not have access to credit card numbers.” However, I ran into this O’Reilly article by Brian McWilliams that states T-Mobile.com requires users to answer a secret question if they forget their passwords in order to reset their password. Supposedly, someone simply masqueraded as Hilton using her T-Mobile.com email account and “forgot” their (her) password. Hilton’s question was “What is your favorite pet’s name?” Anyone who doesn’t live in a cave knows that Hilton carries around a little rat dog named Tinkerbell everywhere she goes. I really dislike secret questions. For one, if they are lame and there’s no lockout on attempts they can easily be brute-forced (favorite color, etc). Second, some answers can be obtained through social engineering or public records (name of street you grew up on, etc). Third, I can use a fairly secure password but have to rely on an answer to a secret question as essentially my backup password. This backup password, in my case, will be much easier to guess than my fairly secure password.

PADS – Passive Asset Detection Engine

I’ve known about PADS, the Passive Asset Detection Engine, probably since it was first publicly released. I finally had a chance to try it out and I think it is useful in identifying asset types without using active means. You can run PADS on existing pcap files or run it in daemon mode and have it listen on an interface. I decided to chew through some existing full pcaps from a Sguil sensor by using the -r flag and having PADS only report on my network assets using the -n flag:

for i in /var/log/snort/dailylogs/2005-02-2*/*; do ./pads -n 10.0.0.0/23 -r $i; done

PADS writes the data to a CSV file called assets.csv by default. The data in this file looks like this:

10.0.0.131,25,6,smtp,Generic SMTP - Possible Postfix,1109006918
10.0.0.130,22,6,ssh,OpenSSH 3.7.1p2 (Protocol 2.0),1109006918
10.0.0.163,443,6,ssl,OpenSSL,1109006919
10.0.0.133,22,6,ssh,OpenSSH 3.7.1p2 (Protocol 2.0),1109006919
10.0.0.156,0,1,ICMP,ICMP,1109006919

You can run a report using the PADS Text Reporting Module pads-report.pl. A snippet of the report looks like this:

1 ------------------------------------------------------
IP:       10.0.0.135
ICMP:     Enabled

Port  Service    Application
22    ssh        OpenSSH 3.7.1p1 (Protocol 2.0)
13782 unknown    unknown

2 ------------------------------------------------------
IP:       10.0.0.138
ICMP:     Enabled

Port  Service    Application
22    ssh        OpenSSH 3.7.1p2 (Protocol 2.0)
13782 unknown    unknown

3 ------------------------------------------------------
IP:       10.0.0.144

Port  Service    Application
22    ssh        OpenSSH 3.7.1p2 (Protocol 2.0)

4 ------------------------------------------------------
IP:       10.0.0.145

Port  Service    Application
22    ssh        OpenSSH 3.7.1p2 (Protocol 2.0)
7040  www        Unknown HTTP (HTTP/1.1)

PADS makes its decisions on what the application is by using a signature file, much like the one used by Nmap when using the -sV flag to do service detection. Each line is service,v/application/version/info/,regex, where $1 and $2 in the template are filled from the regex's capture groups. Here’s what some of the Apache signatures look like in the PADS signature file:

www,v/Apache/$1//,Server: Apache\/([\S]+)[\r\n]
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+\((.*)\)
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+([\S]+)
www,v/Apache///,Server: Apache[\r\n]
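As an added example (my own Python, not PADS code), here is a small matcher that applies the four Apache signatures quoted above to constructed HTTP banners, in file order, and emits rows in the assets.csv layout shown earlier. The “app version (info)” rendering of the v/app/ver/info/ template is an assumption modelled on the OpenSSH entries in the sample output.

```python
import re

# The four Apache signatures quoted from the PADS signature file.
# Format: service,v/application/version/info/,regex  ($1/$2 = capture groups)
APACHE_SIGNATURES = r"""
www,v/Apache/$1//,Server: Apache\/([\S]+)[\r\n]
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+\((.*)\)
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+([\S]+)
www,v/Apache///,Server: Apache[\r\n]
"""

def parse_signatures(text):
    """Return [(service, template, compiled_regex)] in file order."""
    sigs = []
    for line in text.strip().splitlines():
        service, template, regex = line.split(",", 2)
        sigs.append((service, template, re.compile(regex)))
    return sigs

def _expand(field, match):
    # Replace $N with capture group N (empty string if the group did not participate).
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", field)

def render(template, match):
    """Render v/app/ver/info/ as 'app ver (info)', dropping empty parts.
    Assumed layout, matching e.g. 'OpenSSH 3.7.1p2 (Protocol 2.0)' in assets.csv."""
    _, app, ver, info, _ = template.split("/")
    app, ver, info = [_expand(f, match) for f in (app, ver, info)]
    return app + (" " + ver if ver else "") + (" (" + info + ")" if info else "")

def identify(banner, sigs):
    """First matching signature wins, so order in the file matters:
    the '(...)' form must precede the generic '[\\S]+' form or 'Apache/2.0.52 (Fedora)'
    would be rendered with doubled parentheses."""
    for service, template, rx in sigs:
        m = rx.search(banner)
        if m:
            return service, render(template, m)
    return "unknown", "unknown"

def asset_row(ip, port, proto, banner, ts, sigs):
    """One assets.csv line: ip,port,proto,service,application,timestamp."""
    service, app = identify(banner, sigs)
    return f"{ip},{port},{proto},{service},{app},{ts}"

# Constructed sample banners (not captured from the post's network).
BANNERS = {
    "plain":   "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "version": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.33\r\n\r\n",
    "os":      "HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (Fedora)\r\n\r\n",
    "module":  "HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 mod_ssl/2.8.22\r\n\r\n",
}
```

Running asset_row("10.0.0.145", 80, 6, BANNERS["os"], 1109006919, parse_signatures(APACHE_SIGNATURES)) yields 10.0.0.145,80,6,www,Apache 2.0.52 (Fedora),1109006919.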

I think this information would be a great complement within the Sguil console for doing Network Security Monitoring. Tony Lukasavage contributed code to PADS called ATM (Assets to MySQL) which takes the asset file and INSERTs the data into a MySQL database. Also, when browsing the PADS forums on Sourceforge I saw that Matt Shelton, PADS author, wrote “I’m working on something similar to the Snort/Barnyard approach. It’s the same concept; the detection engine will be separated from the IO module. Look for it in the upcoming v1.2!” So, I think when Matt gets that complete it will be trivial to hack PADS into Sguil.