Toorcon 7: Computer Security Conference, San Diego, Sept. 2005
By Danx-Oracle on Sep 18, 2005
Toorcon 7: Computer Security Conference, San Diego, Sept. 2005
- Toorcon 7
- Keynote: Operational Security: Rethinking Realty
- Keynote: How Hackers Get Caught
- Bastille Hardening Assessment Tool
- How Big is that Foot in the Door?
- Exploring Security Problems in Hardware: Past and Present
- Tor: Anonymous Communication for the Dept. of Defense and you
- BBS Documentary: Fidonet Episode (and others)
- SCAIDA Exposed
- Applied Data Profiling, Classification, and Analysis Methods and Lo-Fi Graphics Demos
- Hacking Silicon: Secrets form Behind the Epoxy Curtain
- Law Enforcement Panel
Toorcon 7 is the annual Computer Security Conference held in San Diego. I think of it as a smaller-scale version of Black Hat or Defcon in Vegas (more toned-down than Defcon and less-commercial than Black Hat). I like it because it's local and cheap (as I'm paying for it). Previously, I have notes for Toorcon 6 (2004) and Toorcon 5 (2003)
This year's conference moved from the Hyatt to the Convention Center, with views of San Diego Bay and Coronado Island.
The thoughts below are not my own and I don't necessarily endorse them. Also, my summaries of other people's thoughts may be inaccurate, so don't take anything for gospel here :-). Trademarks are the property of the respective owners.
Also, I didn't cover everything. There were two tracks and not everything was worth repeating.
Operational Security: Rethinking Realty
Or: An Internet Legend is sick, and I get to rant instead
- Feds call security Information Assurance.
- Design Flaw (bad design) vs. not coding error (from bad tools)
- Script kiddie vs. Dedicated Attacker. Most attacks are easy and automated, not complex. Most attacks are known vulnerabilities.
- Host Hardening vs. Long term operational security
- Security Functionality vs. Secure Functionality E.g., PKI is Security functionality and JPEG rendering needs to be secure.
Current operational security focus: firewalls, IDS, & Antivirus
- Problem: very network centric
- focused on security, not secure operations
- patch management important, but also consider firewall/IDS infrastructure (latter is usually neglected) Long-term Operational Security is often overlooked. Any idiot can be trained to secure a host
Potter's Pyramid of IT Security Needs, from top to bottom:
- Software Security, ACLs,
- Firewalls, Auth/Auth,
- Patch management, Op. Procedures
- problems ignored until "in the wild"
- firewalls in our control
- patch management usually out of our control (especially for closed source)
- hardening server is harder than it used to be - not obvious what needs to be disabled (especially for wacky crap on MS Windows)
- procedures are important (don't mean written tombs). Pay attention to updates, be careful about changes.
- must understand environment: what's running or not on each server.
Next step: Network Security
- really a Band-Aid® for other problems
- firewall is a network solution to a software engineering problem
- firewalls prevent whole classes of problems
- access control is not just for routers, but part of any security architecture.
- FreeBSD-style Access Control Lists (ACLs) help control custom code problems. So does SELinux or Immunix. Difficult to setup, but great rewards
- IDS: great way to audit operational procedures and configuration. Attacks past firewall are bad, but IDS as defense is difficult. Must interpret IDS output.
- Honeypots and Honeynets good for academics, to learn what's going on.
OS Selection important: MS Windows vs. Linux.
Microsoft Windows A complete system and then some: flexible, productive, works. Tightly integrated applications: MS creates kernel and apps.
- MS seeds new technology in advance of release with a huge developer network
- MS ignores market once dominated (e.g., Internet Explorer). harms security.
- MS spending money on security: long term initiatives, internal code security programs, security roadmap (aware of security operations)
- Patching now planned (monthly on "Black Tuesday")
Linux - "Bazaar": community-created with loose coordination.
- Distribution adds duct tape as "value add", making each "Linux" distribution basically different OSs.
- Distros at whim of community for security features. E.g., firewall code.
- No roadmap, lots of add-on things, uncoordinated changes
- more vulnerabilities in RHEL ES 3 than MS 2003
- Distribution patches "second order" — done by developer, reshipped (modified?) by distro
- Linux will survive by brute force by a network of zealots (make Apple zealots look tame)
Future (two wild conjectures)
- Apple move to Intel will help solve security problems that have been around for over 30 years. Trusted boot and other hooks. Will be tested by attackers.
- Bluetooth device security - biggest problem is nobody believe it's a problem. More BT than 802.11, so a good war driver target
How Hackers Get Caught
By Simple Nomad, Nomad Mobile Research Centre, www.nmrc.org and BindView.
The other keynote. Here's the major ways hackers are caught. Overall principle: "Laziness" == Jail time".
- Access from hacker's home is common, especially after broke in.
- Shell history written after exit.
- Log files don't always make sense after editing.
- Duplicate remote logs and forgotten logs.
- Port scans are obvious during port scans (multiple or timed-out connections)
- Scanning stops, and attack at box last scanned
- Attackers often use the same playbook and leave footprints
- Include trusted hosts from log or tools
- Using wrong code for wrong OS or wrong processor on a server (core dumps)
- File access times (atime) changed on filesystem
- Monitoring quotas on disk use and bandwidth use
- Forensic tools such as The Coroner's Toolkit finds footprints
- Malware often fails under high load
- Nmap does its job well (such as OS and version ID), but every noisy
- Admins can use Nmap to find attacker-installed back door
- Botnets by "skiddies" with IRC is very noticeable. It's SO February 2000.
- ARP footprints during port scans
- Logs of DNS server showing accesses or zone dumps from attacker's home machine around time of attack.
- Attackers often tell friends on IRC, SILC
- Deleted files left on free areas or journal of filesystem
- DES, PGP (and some others?) not secure
Bastille Hardening Assessment Tool
(Note: Sun has a tool for hardening and auditing Solaris systems (and that I work on) called Solaris Security Toolkit )
Bastille Linux is for Hardening and Assessing Linux. Hardening enabled HP-UX, Mac OS X, Linux (RedHat flavors, Mandrake, Debian, SuSE, and Gentoo), and soon Solaris. Assessment enabled for Redhat, Mandrake, and SuSE Linux, but not others.
Why harden? Hardening is setting system config settings to make it more resilient to attack. Hardening is not sexy (like firewalls). More people now know their system is a useful target for attack. Useful by the attacker for the next hop to the target, for distributing warez, botnet, phishing, fake websites, etc.
Patching not fast enough—still have windows of vulnerability. Average patching speed: Redhat increased from 7 to 30 days. Windows 30 days. Sun decreased from 90 to 30 days.
Proactive security decreases odds of attack, establishing policies in advance.
Hardening is "configuring a system for better security." Deactivating unnecessary programs, using file permissions and ACLs, and tweaking OS parameters to limit access to what's needed, Using Least Privilege: giving just what they need and a little bit more. Using Minimalism: turning stuff off you're not using. Hardening is easy with available tools. About 95% of Linux exploits mitigated with hardening (e.g., man or nmh exploits not stopped).
Kernel-level technologies (Trusted OSs, such as SELinux) are complementary to hardening and good to use.
- Bastille asks questions for hardening in its GUI, and has explanations for each question. This is to educate the sysadmin. E.g., give reasons why telnet is bad, instead of just asking.
- Modules: patches, file permissions, account security, secure inetd, miscellaneous daemons, sendmail, dns, printing, and OS-specific. Can add user-written modules (Perl, API manual).
- Can create policy file with GUI on one system, and run it on other systems.
- HP-UX donates developers to Bastille and ships with HP-UX 11.11+
- Assessment Report has weighted scoring for vulnerabilities (configurable). Educational benefit and strong psychological power to do things now. High scores == better.
- Assessment good for triage—harden worst systems first
- Assessment good for due diligence for SOX, etc.
- Assessment detects "rot" from patches, installs, and reconfig.
- LiveCD version in progress.
How Big is that Foot in the Door?
By Foofus, Foofus Networking Services
This concerns a problem with vulnerability enumeration tools tend too give massive output that needs to be analyzed. This talk is about a framework to visualize the network data. This is by looking at trust relationships between hosts. Uses matrices and matrix inversion to compute trust networks. An example implementation is looking at password-based trusts between MS Windows hosts (OWNR). Graphically shows the likelihood if one host can be attacked from another. Can visually see (beneficial) effect of removing various accounts on graphs (usually admin accounts). Tools incomplete, not user-friendly. Written in J Software. Using AfterGlow to visualize graphs. Visual graphs very persuasive to non-technical people (PHBs).
Exploring Security Problems in Hardware: Past and Present
Joe Grand of Grand Idea Studio. Talked about historical attacks, how to analyze new devices, and RFID technologies. Threat vectors are interception (eavesdropping), interruption (fault generation), modification, and fabrication/man-in-the-middle (counterfeit/spoofing).
Why attack? Rip off competitors (IP), steal services, forge ID to gain system access, and privilege escalation (feature unlocking) Can find out how to attack systems with trial and error and vendor docs.
Example attacks: Rainbow iKey 1000 (EEPROM dongle with weak key algorithm, xor with md5("rainbow")). Master admin password key is "rainbow". Epoxy not secure—can just scratch off.
Another authentication token: Dallas Semiconductor iButton. Java-based. DS1991 iButton has 3 48-byte keys. Used a lot in Europe for cashless transactions. Supposedly on password errors, return "random" data, but data was predictable (equals input + constant), not "random." Can use dictionary attack against it.
Biometrics: considered more secure than passwords, but physical characteristics hard to keep secret. Can lift fingerprint, face, or voice. Stealing finger or fingerprint gives new meaning to "hacking" and "digital theft!" Gelatin finger works 80%, can eat afterward.
Intel NetStructure 110 (crypto accelerator). Uses serial port management console that can be attacked. Opened box and used strings to find OS on EEPROM (BSD). Still had debug symbols. Found password based on mac address. Uses weak crypto (xor of constants).
MAC address cloning is easy. Usually stored in EEPROM. Sun SPARC: set in NVRAM with prom-monitor. Also NS, Ansel, Microdyne, Linksys, Genius, Winbond, and almost every NIC.
RFID uses radio waves (RF) to ID. Becoming popular just now. RFID chips has a unique serial # (tag). Active &mmp; passive (power or not). Four frequencies, most LF or HF (low, not UHF, uW). Tags are read-only, read/write, or crypto. Most tags have no security—just need to know frequency, so can easily "snoop". Tags come in capsules or thin and flat (for retail). Gillette® has 35% loss from plant to retail. Easy attacks: label switch, cover, or destroy. Reader attacks: read cell phones going by on a bridge. TI uses a weak 40-bit homemade key cipher (reversed engineered from a Powerpoint slide). Proximity Card Simulation by Jonathan Westhues. Other tools available. Can read/write with rf-dump (Java-based).
Tor: Anonymous Communication for the Dept. of Defense and you
By Roger Dingleline, EFF, http://tor.eff.org/
Bad people doing great (viruses, botnets, phishing, spam). Criminals have anonymity (have motivation to get it), but normal people and government don't. Lots of legit needs of Anonymous communication (privacy, commerce). Used by EU PRIME project. Used by Navy group in Gulf. Could be useful for, say, DoD Net: hard to get on, but once there—you're home free.
- Keys: can distribute keys among three servers, all three required to decrypt. Stealing one server doesn't break security.
- Onion Routing: resists traffic analysis (traffic analysis can be used even with VPN and SSL traffic). Path chosen by client (can't trust anonymous Tor servers).
- Tor has never been down. Each node decides amount of traffic it accepts.
- Tor client looks like a Socks proxy. Tor is TCP only—not UDP (yet). Connect with a Tor server with TLS. Proxy tunnels with Onion Router to "next guy". Public keys used to verify destination ID. Directory servers used to find onion routers and keys. In future, may need to remove or decentralize directories.
- Tor supported Linux, BSD, MacOS X, Solaris, MS Windows, xbox, linksys wireless routers, etc.
- Voluntary server operators— no payments, not proprietary
- Servers DOS-resistant (too many of them)
- Some tradeoffs for efficiency (e.g., no packet padding).
- Many entry nodes needed for China, Iran, and other censor-heavy countries, to defeat banning of IPs.
- Policy issues: Tor used to relay ransom notes, spam, IRC jerks, high-bandwidth Vin Diesel movies. Posts from Tor exit nodes banned by Wikipedia & Slashdot (lots of defacement from tor) Tor exit nodes in some spam blacklists (e.g., SORBS).
BBS Documentary: Fidonet Episode (and others)
_ / \\ /|oo \\ (_| /_) _`@/_ \\ _ | | \\ \\\\ | (\*) | \\ )) |__U__| / \\// _//|| _\\ / (_/(_|(____/ (jm)
Jason Scott (textfiles.com/) produced an 8-episode documentary on DVD about BBS (www.bbsdocumentary.com). The episode he screened was on Fidonet. On first thought it sounds as dry as dust (or neon-green ASCII chars). However, it's not about obsolete technology—it's about people behind it. FidoNet founder Tom Jennings. Scott interviewed people about the creation of Fidonet, to it's height in 1995 (30,000 nodes), and subsequent decline (15,000 nodes 2005). An interesting part was the great amount of conflict and flamewar it generated. Ken Kaplan was in charge of the master "SysOp List" that he had to push out to 30,000 or so nodes. It created tremendous phone bills. To defray this, he accepted donations. However, his accountant said he had to pay taxes on it. To avoid this in the future, he and other Fidonet founders created a non-profit IFNA ("if-naa"). Unfortunately, the paranoid thought this was a move to gain dictatorial control over Fidonet, or at least it had the future potential, along with commercializing Fidonet and possibly enriching a few. Even today people involved still are disgusted with the rabid politics of Fidonet.
In the end, IFNA was disbanded and Kaplan and many others, including Fidonet founders, quit in disgust. Fidonet still exists today in smaller form. Many Fidonet "nodes" can be accessed by telnet, not just a modem. One of Fidonet's growing uses is in third-world countries with low-bandwidth or high-censorship (e.g., Vietnam).
Next day, Sunday noon, Mark Grimes of SAIC talked about SCAIDA networks, which are private Control Systems networks. I missed most of this driving around the ballpark crowd barriers. His main point is the network conventions are private and not available to the security community. This is security by obscurity, and he feels that is a bad approach. This is not necessarily his employer's opinion. SCAIDA is suffering the same weaknesses that Internet used to have (or have more frequently). An example he gave was ARP spoofing. ARP is the main protocol used to ensure security—that the correct devices are connecting to the network. ARP, however, is easily defeated. An audience member gave another example about Nuclear power plants are going wireless. Wires are very expensive because it requires physical recertification of the plant. However, wireless (such as 802.11) is notorious for poor encryption protocols. He suggested a Ziggy war driver can easily break into a plant.
Applied Data Profiling, Classification, and Analysis Methods and Lo-Fi Graphics Demos
Christopher Abad of Cloudmark and The Math Club http://www.the-mathclub.com/
Showed using Adobe Photoshop to model data, such as password length. This makes it a lot easier to visualize problems. Read binary files as a .raw grayscale graphics files, then modify the file with histogram and color picker tools. Showed using Adobe Photoshop to even decrypt a file (although tedious).
Hacking Silicon: Secrets form Behind the Epoxy Curtain
By "bunnie" (Dr. Huang), bunnie studios LLC. Famous for hacking MS Xbox encrypted keys.
Lots of stuff going into one package or one chip now (Moore's Law). Discussed methods of opening packages (acid, brazing)—dangerous. X-ray lab often easiest and safest. Scopes, microprobes. No secrets in silicon—can't encrypt, and can remove shields. Silicon design is hard, so lots of debug and test resources in silicon. Design is modular and layered. Often locking in hardware uses weak encryption. Sometimes there's a bug and encryption or locking is not enabled at all.
Law Enforcement Panel
This year's panel was Jim Blanco, Computer & Tech Crime High-tech Response Team (CATCH), Robert Morgester, Dept. of Justice, Dan Hubbard, Websense, and Simple Nomad (moderator) and Weasel, both of Nomad Mobile Research Centre (aka Simple Nomad). The panel's goal is to discuss the legal aspects of computer security with law enforcement and legal people.
Discussed disclosures of vulnerabilities. DOJ not interested in exploit writers (although Corporations harmed are very interested). DOJ interesed in those who use it and those who give it to them. DOJs problem is they are overwhelmed by an overwhelming number of cases.
ID theft (DOJ): everyone will be a victim. Problem is neglect by corporations--you have a right to sue them. Class action a possibility.
DOJ guy said sniffing packets over wireless networks (without permission) is wire tapping. He said problem is old laws written for a land-line culture. Also protects you from government wiretaps. Lots of heated discussion.
More discussion about spyware and ID theft. DOJ guy says to call him if you get a well-documented spyware case. He wants an example made of someone. ID theft a big problem because lots of small and big corporations do not encrypt their customer data.