Monday, February 1, 2016

A reflective week

Photo Credit: (NASA/Bill Ingalls)

Like many aerospace enthusiasts in my generation, my mind this week has turned to the skies.


I remember the fateful morning 30 years ago last week, in my elementary school classroom along with perhaps every other student in the county, watching the shuttle launch that was to carry a teacher into space. Some images sear themselves into your mind's eye. For me, the Challenger exploding over the skies of Florida the morning of January 28, 1986 is one of those images.

13 years ago this morning, shortly before 6am Pacific Time, I awoke to what sounded like a sonic boom. Growing up an hour from a major Air Force base in the '80s, it was a familiar sound, but a sound rare enough in recent years to wake me.

Later that morning I learned of the Space Shuttle Columbia disaster. At the time that I awoke, the shuttle would have been around 200,000 feet high over Central California, and roughly 150 miles south of my home at the time. Images later that morning of the shuttle disintegrating over Texas are seared into my mind.


I'll never know if I heard Columbia making its final re-entry to Earth. At 200,000 feet and 150 miles distant, it seems a stretch, though not impossible. Regardless, like the Challenger disaster 17 years earlier, as a lifelong aerospace nut February 1, 2003 is a morning forever frozen in my mind.

Thursday, January 21, 2016

Putting the Comcast Vulnerability in Context

Exploitable vulnerabilities are attention-grabbing, but need to be considered in proper context. Just because a design decision can be abused for ill gain doesn't always mean it was the wrong design decision.

In the news this month were numerous stories about vulnerabilities in Comcast's Xfinity home security system. The systems use wireless sensors to detect opened doors and windows, and to detect motion when a home is expected to be vacant. Some of the stories made it sound as though owners of Xfinity security systems were now a burglary waiting to happen.

Wireless sensors make installing a security system very easy. At the same time, wireless sensors are vulnerable to radio frequency interference - whether incidental or intentional.

Security products by necessity walk an often-grey line between function and usability. On the one hand, elaborate, multi-layer controls can provide a high degree of security, but at a high financial as well as usability cost. As an extreme example, Jake Williams writes of the Australian government resorting to hand-delivering submarine plans and communications, to eliminate entirely the chances of communication being intercepted electronically.

Tuesday, January 19, 2016

Administrator logout flaw in ASUS wireless routers

ASUS wireless routers have an optional feature to log the administrator out after a period of time. That feature was implemented in April 2014, in firmware 3.0.0.4.374_5656, in response to input I gave to their engineering team while correcting a previously reported flaw. Prior to then, if you logged into the router administration UI and did not explicitly log out, your session remained active forever.

While there are scenarios where you might want to keep a logged-in session, remaining logged in makes it possible for a malicious hacker to use that session by tricking you into clicking a link. Researcher Bogdan Calin describes this sort of attack in a post he wrote a few years ago. His demo relies on guessing the admin password, but that is not necessary if you are already logged in.

The aforementioned firmware added an optional auto logout feature, so problem solved, right?

Well, not entirely.

Tuesday, January 12, 2016

Gnome in Your Home Conclusion: Meet the Villain

Pwning each of the SuperGnomes in the 2015 SANS Holiday Hack challenge.

This is the last of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Part Five: Sinister Plot and Attribution

  1. Based on evidence you recover from the SuperGnomes’ packet capture ZIP files and any staticky images you find, what is the nefarious plot of ATNAS Corporation?
  2. Who is the villain behind the nefarious plot?

Prior to launching the challenge in early December, the website showed a clue: "1957 was only the beginning." This being a Christmas-themed event, something immediately came to mind. Dr. Seuss wrote "How the Grinch Stole Christmas" in 1957, so through the first couple of SuperGnomes, I was pretty sure the villain was The Grinch. Upon cracking SuperGnome 04 though, I busted up laughing when the real villain appeared.

Monday, January 11, 2016

Gnome in Your Home Part Four: Pwning the SuperGnomes

Pwning each of the SuperGnomes in the 2015 SANS Holiday Hack challenge.

This is one of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge; watch SecurityForRealPeople.com over the next few days as solutions for each challenge are published. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Part Four: Gnomage Pwnage


Challenges:
  1. Please describe the vulnerabilities you discovered in the Gnome firmware.
  2. Attempt to remotely exploit each of the SuperGnomes. Describe the technique you used to gain access to each SuperGnome’s gnome.conf file.
Useful tools: Burp Suite, Wireshark

Each SuperGnome had a different vulnerability to exploit, and a different way to obtain the gnome.conf flag file. The first four required manipulating web form inputs to make use of foolish design decisions in the web interface. The last one took a different sort of expertise.

Friday, January 8, 2016

Gnome in Your Home Part Three: Hunting Gnomes with Shodan

Part Three of the SANS Holiday Hack challenges is best solved using Shodan: a search engine for Internet-connected devices.

This is one of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge; watch SecurityForRealPeople.com over the next few days as solutions for each challenge are published. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Part Three: Internet-Wide Scavenger Hunt


Challenges:
  1. What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood?
  2. Where is each SuperGnome located geographically?
Useful tools: Shodan, Burp Proxy

Summary: Using Shodan and a unique HTTP header found on the first SuperGnome, finding all five is a snap.

Thursday, January 7, 2016

Gnome in Your Home Part Two: Firmware Analysis

The first challenges in the 2015 SANS Holiday Hack involve network packet analysis to discover a botnet communicating over DNS.

This is one of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge; watch SecurityForRealPeople.com over the next few days as solutions for each challenge are published. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Part Two: Firmware Analysis for Fun and Profit

Challenges:
  1. What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?
  2. What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?
Firmware image: giyh-firmware-dump.bin
Useful tool: binwalk

Summary: Use binwalk to extract the filesystem from a firmware image, explore the web interface, and view the contents of a NoSQL database, which includes a table with cleartext usernames and passwords.

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those who are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.