Thursday, January 21, 2016

Putting the Comcast Vulnerability in Context

Exploitable vulnerabilities are attention-grabbing, but need to be considered in proper context. Just because a design decision can be abused for ill gain doesn't always mean it was the wrong design decision.

In the news this month were numerous stories about vulnerabilities in Comcast's Xfinity home security system. The systems use wireless sensors to detect opened doors and windows, and to detect motion when a home is expected to be vacant. Some of the stories made it sound as though owners of Xfinity security systems were now a burglary waiting to happen.

Wireless sensors make installing a security system very easy. At the same time, wireless sensors are vulnerable to radio frequency interference - whether incidental or intentional.

Security products by necessity walk an often-grey line between function and usability. On the one hand, elaborate, multi-layer controls can provide a high degree of security, but at a high financial as well as usability cost. As an extreme example, Jake Williams writes of the Australian government resorting to hand-delivering submarine plans and communications, to eliminate entirely the chances of communication being intercepted electronically.

Tuesday, January 19, 2016

Administrator logout flaw in ASUS wireless routers

ASUS wireless routers have an optional feature to log the administrator out after a period of time. That feature was implemented in April 2014, in firmware 3.0.0.4.374_5656, in response to input I gave to their engineering team while correcting a previously reported flaw. Prior to then, if you logged into the router administration UI and did not explicitly log out, your session remained active forever.

While there are scenarios where you might want to keep a logged in session, remaining logged in makes it possible for a malicious hacker to use that session by tricking you into clicking a link. Researcher Bogdan Calin describes this sort of attack in a post he wrote a few years ago. His demo relies on guessing the admin password, but that is not necessary if you are already logged in.

The aforementioned firmware added an optional auto logout feature, so problem solved, right?

Well, not entirely.

Tuesday, January 12, 2016

Gnome in Your Home Conclusion: Meet the Villain

Pwning each of the SuperGnomes in the 2015 SANS Holiday Hack challenge.

This is the last of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Part Five: Sinister Plot and Attribution

  1. Based on evidence you recover from the SuperGnomes’ packet capture ZIP files and any staticky images you find, what is the nefarious plot of ATNAS Corporation?

  2. Who is the villain behind the nefarious plot.
Prior to launching the challenge in early December, the website showed a clue: "1957 was only the beginning." This being a Christmas-themed event, something immediately came to mind. Dr. Seuss wrote "How the Grinch Stole Christmas" in 1957, so through the first couple of SuperGnomes, I was pretty sure the villain was The Grinch. Upon cracking SuperGnome 04 though, I busted up laughing when the real villain appeared.

Monday, January 11, 2016

Gnome in Your Home Part Four: Pwning the SuperGnomes

Pwning each of the SuperGnomes in the 2015 SANS Holiday Hack challenge.

This is one of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge; watch SecurityForRealPeople.com over the next few days as solutions for each challenge are published. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Part Four: Gnomage Pwnage


Challenges:
  1. Please describe the vulnerabilities you discovered in the Gnome firmware.
  2. Attempt to remotely exploit each of the SuperGnomes. Describe the technique you used to gain access to each SuperGnome’s gnome.conf file.
Useful tools: Burp Suite, Wireshark

Each superGnome had a different vulnerability to exploit, and a different way to obtain the gnome.conf flag file. The first four required manipulating web form inputs to make use of foolish design decisions in the web interface. The last one took a different sort of expertise.

Friday, January 8, 2016

Gnome in Your Home Part Three: Hunting Gnomes with Shodan

Part Three of the SANS Holiday Hack challenges is best solved using Shodan: a search engine for Internet-connected devices.

This is one of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge; watch SecurityForRealPeople.com over the next few days as solutions for each challenge are published. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Part Three: Internet-Wide Scavenger Hunt


Challenges:
  1. What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood?
  2. Where is each SuperGnome located geographically?
Useful tools: Shodan, Burp Proxy

Summary: Using Shodan and a unique HTTP header found on the first SuperGnome, finding all five is a snap.

Thursday, January 7, 2016

Gnome in Your Home Part Two: Firmware Analysis

The first challenges in the 2015 SANS Holiday Hack involve network packet analysis to discover a botnet communicating over DNS.

This is one of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge; watch SecurityForRealPeople.com over the next few days as solutions for each challenge are published. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Part Two: Firmware Analysis for Fun and Profit

Challenges:
  1. What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?
  2. What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?
Firmware image: giyh-firmware-dump.bin
Useful tool: binwalk

Summary: Use binwalk to extract the filesystem from a firmware image, explore the web interface, and view the contents of a NoSQL database, which includes a table with cleartext usernames and passwords.

Wednesday, January 6, 2016

Gnome in Your Home Part One: Wireless Packet Analysis

The first challenges in the 2015 SANS Holiday Hack involve network packet analysis to discover a botnet communicating over DNS.

This is one of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge; watch SecurityForRealPeople.com over the next few days as solutions for each challenge are published. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Part One Challenges:

  1. Which commands are sent across the Gnome’s command-and-control channel?
  2. What image appears in the photo the Gnome sent across the channel from the Dosis home?
Packet capture file: giyh-capture.pcap
Useful tools: Scapy, Wireshark

Summary: The gnomes communicate with a Command and Control server using covert DNS traffic; the DNS traffic contains base64-encoded commands from the server to the gnome, and a base64-encoded JPG image is sent from the gnome to the server.

Tuesday, January 5, 2016

Gnome in Your Home Prelude: The Quest


This is one of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge; watch Security For Real People.com over the next few days as solutions for each challenge are published. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Each December, security training and certification company SANS puts together a highly anticipated hacking challenge. These challenges are a variation on Capture the Flag – digital puzzles designed to test our skills (and in many cases, excuses to learn new techniques). In addition to being a fun way to compete with peers, learning new attack techniques is a great first step toward learning how to detect and defend against the same attacks.

This was very much a learning experience for me. By trade, I am skilled in defensive arts - network controls, incident response, forensic analysis and malware analysis. While I am by nature a hacker (in the puzzle-solving tinkerer sense of the word) with a few CVEs to my credit, attack techniques are a very small part of my repertoire. But thanks to challenges such as these, they are a growing part of my toolkit.

The 2015 SANS Holiday Hack Challenge begins with a throwback quest-style video game, complete with awesomely cheesy 8-bit Christmas music. Themed “Gnome in Your Home,” the premise is a play on “elf on the shelf,” Santa’s diminutive spy with the impish grin.

The Gnomes are wildly popular electronic toys that just happen to be spying on the families (oddly reminiscent of a Washington Post story suggesting that Elf on the Shelf teaches kids to expect a world of constant surveillance). I am sure it is no coincidence that the gnomes evoke thoughts of Hello Barbie, Mattel's Internet-connected talking doll that has sparked considerable privacy worries this year.

The quest takes place in the imaginary neighborhood of Josh and Jessica Dosis, tech-savvy kids that did what any good hacker would do: they hacked their new Internet-connected toy to see what it was really doing. In the course of the quest, players talk to Josh and Jessica, as well as numerous SANS experts who offer tips on how to help the Dosis kids interpret what they find.

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.