Monthly Archives: September 2012

Active Directory Unification

[This is a partial re-post of an entry on the STEALTHbits blog. I think it's relevant here and open for discussion on the concepts surrounding clean migrations and AD unification.]

It’s no secret that over the past decade, Active Directory has grown out of control across many organizations. It’s partly due to organizational mergers or disparate Active Directory domains that sprouted up over time, but you may find yourself looking at dozens or even hundreds of Active Directory domains and realize that it's time to consolidate. And it probably feels overpowering. But despite the effort in front of you, there’s an easy way and a right way.

Domain consolidation is not a simple task. Whether you're moving from one platform to another, trying to implement a new security model, or just consolidating domains for improved management and reduced cost, there are numerous steps, lots of unknowns and an overwhelming feeling that you might be missing something. Sound familiar?

According to Gartner analyst Andrew Walls, “The allure of a single AD forest with a simple domain design is not fool’s gold. There are real benefits to be found in a consolidated AD environment. A shared AD infrastructure enables user mobility, common user provisioning processes, consolidated reporting, unified management of machines, etc.

Walls goes on to discuss the politics, cost justification, and complexity of these projects noting that “An AD consolidation has to unite and rationalize the ID formats, password policy objects, user groups, group policy objects, schema designs and application integration methods that have grown and spread through all of the existing AD environments. At times, this can feel like spring cleaning at the Aegean stables. Of course, if you miss something, users will not be able to log in, or find their file shares, or access applications. No pressure.

Walls offers advice on how to avoid some of the pain. “You fight proliferation of AD at every turn and realize that consolidation is not a onetime event. The optimal design for AD is a single domain within a single forest. Any deviation from this approach should be justified on the basis of operational requirements that a unified model cannot possibly support.

What does this mean for you? Well, the most significant take-away from Walls’ advise is that it’s not a onetime event. AD Unification is an ongoing effort. You don’t simply move objects from point-A to point-B and then pack it in for the day. The easy way fails to meet the core objectives of an improved security model, simplified management, reduced cost, and a common provisioning process (think integration with Identity Management solutions).

If you take everything from three source domains and simply move it all to a target domain, you haven’t achieved any of the objectives other than now having a single Active Directory. There’s a good chance that your security model will remain fragmented, management will become more difficult, and your user provisioning processes will require additional logic to accommodate for the new mess. On a positive note, if this model is your intent, there are numerous solutions on the market that will help.

STEALTHbits, of course, embraces the right way. “Control through Visibility” is about improving your security posture and your ability to manage IT by increasing your visibility into the critical infrastructure.

If you'd like to learn more about the solution, you can start by reading the rest of this blog entry or contact STEALTHbits.

Drunken Security News – Episode 302 – September 13, 2012

Paul's Stories

A Guide To Network Vulnerability Management - Dark Reading - If you want the "training wheels" approach to vulnerability management, then you should read this article. However, the problem goes so much deeper, and this article doesn't even know what tool to use in order to scratch the surface. Sure, you gotta know what services are running on your systems, but it goes so much deeper than that. Environments, threats, systems and people all change, so howdo you keep up? How do you really find, and more importantly fix, the vulnerabilities in your environment?

Old Operating Systems Die Harder - Dark Reading - Okay, here is where you could make a lot of money. Create a company that can actually provide some real security to legacy operating systems. So many of our defenses fail if there is a vulnerability that doesn't have a patch. You can implement some security, but it doesn't really solve the true problem. Once an attacker is able to access the system, its game over. Unless, there is something that can really solve the problem, even thwart the exploit and/or shellcode. Technologies exist, but back-porting to legacy systems is not often done. And this is where we need the help.

Microsoft Disrupts ‘Nitol’ Botnet in Piracy Sweep - Microsoft takes down another botnet. Why is this news? Not-so-sure, as this should be the rule rather than the exception.

Blackhole Exploit Kit updates to 2.0 - Check this out, attackers are implementing security! Check this out, this exploit kit now sports: Dynamic URL generation, so there is no longer a standard URL pattern that could be used to identify the kit.IP blocking at the executable URL, so that AV companies can't just download your binary. This is meant to slow down AV detection. Use of Captcha in the admin panel login page, to prevent brute forcing unauthorized access. If legit defendersonly did all that, well, except for the CAPTCHA, which is useless.

Domino's Pizza says website hacked - One of the most useful things the Internet has ever given birth to, aside from access to free porn, is the ability to order pizza online. So back off! Oh, then there is this: "This is a very unfortunate event which has happened despite the security ecosystem that we have created around our online assets. Some security "ecosystem" you got there.

More SSL trouble - SSL is broken, again, Drink!

Apple unveils redesigned iPhone 5 with 4-inch display - I did not see any mention of improved security, but what a sexy device. Wireless now supports dual band n, which is awesome.

Google helps close 163 security vulnerabilities in iTunes - iTunes is a beast, I use it all the time and well at the end of the day its kind of a resource pig, but gets the job done. However, its pretty crappy software, tons of vulnerabilities, and new ones found by Google! Webkit was to blame for many...#Antivirus programs often poorly configured - New study finds AV is not configured correctly. No huge surprises there... Do weneed to make it easier to configure or are people just lazy or both?

Larry's stories

Who's your GoDaddy - [Larry] - Yup, GoDaddy dns was down for the count. This included their own authoritative DNS as well as for those for the hosted stuff. Of course, now folks are talking about DoS against root name servers, and OMG the sky is falling. Of course, a single Anonymous member took credit, and GoDaddy, said along the lines of "Ooops, we tripped on a cable and corrupted our routing tables". Who do you believe… In other notes, a leaf fell from a tree and an individual member from anonymous took credit.

What happens when your encryption is EOL-ed - [Larry] - Victorinox (the Swiss Army folks) are offering full refunds if you return the secure usb thumb drives. Why? As of September 15th the certificate will expire, and they have no intent on renewing and are stopping support for the software. If you don't get your data out of the encrypted volume before then, you'll allegedly lose it. So, what happens when we have something else like this that is significantly more mission critical, we have significant investment and no upgrade path. Choose wisely.

Judge rules WiFi Sniffing Legal - [Larry] - Basically it boils down that is you have an open network and the data is in the clear, you should be able to sniff it. Don't want someone to sniff it? Encrypt it - and yes, WEP would be sufficient for word of law here. So, why did the judge rule this way? Wireless is a shared medium. If you are not allowed to sniff traffic that is not destined to you, then how are you able to determine that the traffic on said network is destined for you? Ruling against it would make all WiFi networks illegal, just by nature of the technology.

ACTUAL Stego in the wild for "legitimate purpose" - [Larry] - I just put this story in for Darren to bust John's stones. But, it appears that Blizzard has been embedding information about the user via stegonaography into screenshots taken by the WoW clients.

Jack's Ruminations

Half of all Androids have Vulns? Also, water is wet. I'm surprised at this, I would have expected much higher. Android phones are at the mercy of their carriers for updates. And carriers are not noted for their mercy.

Chip and Pin, er, PWN Chip and pin research shows that this bandage for the fundamentally obsolete and insecure payment card systems. The EMV protocol has crypto issues, as in "programmers may not be using cryptographic random number generator algorithms to create UNs, and instead may be using counters, timestamps or homegrown algorithms that are not so random."

New FBI Facial Recognition program what could possibly go wrong? From the article "nabbing crooks after a crime is only part of the appeal. The technology also foreshadows upcoming security enhancements that will stop many offenses before they start". That "before they start" bit sounds pretty damned scary to me.

Jason Lam Interview – Episode 302 – September 13, 2012

Interview with Jason Lam

Jason is the head of global threat management at a major financial institution based in Canada. Jason specializes in Web application security, and shares his research findings and experiences by teaching at the SANS Institute. His recent SANS courseware development includes Defending Web Application Security Essentials and Web Application Pen Testing Hands-On Immersion.

How did you get your start in information security? Tell us something no one knows about Defending Web Apps...

Drunken Security News – Episode 301 – September 6, 2012

Show Notes:

Answers to Allison's Puzzle Contest, Paul's Stories:

100,000 Vulnerabilities - Security vulnerabilities measured in numbers is sometimes a scary thing. At some level there you can prove strength or weakness in numbers. If you count vulnerabilities, for better or worse, how are you qualifying them? Severity? Exploitability? Ubiquity? All those things, and more, can impact your view on the matter, in fact it can make it matter, or not. The point being, try not to play the numbers game. There is a "shit ton" of vulnerabilities out there, and what we do to prevent them from happening in the first place and how we deal with them in the real world is what matters.

Schneier on Security: CSOs/CISOs Wanted: Cloud Security Questions - This is one topic which we did not debate, that is the cloud. I think, like security vs. obscurity, its a simple solution on the surface. For example, if you care about your data, don't store it in the cloud. Similarly, if you care about the security of anything, don't just obscure it, secure it. Wow, that sounds even cheesier than I thought. Secret account in mission-critical router opens power plants to tampering | Ars Technica - This speaks to the continued lack of awareness in device manufacturers when it comes to security. I'm baffled that they have not solved the problem. The common problems they have, such as easily exploitable vulnerabilities, are easy to fix. It requires two things: Awarenesss training for developers and QA (ala Rugged/DevOps) and regular security assessments. In the grand scheme of things, it doesn't cost all that much. In the end, you produce a better product. Hopefully the market has changed, and customers value security as one component of a great product. Or maybe I live in a dream world...

The Social-Engineer Toolkit (SET) v3.7 Street Cred has been released. « - Java 0-Day is in SET. Coupled with the other Java payloads, this ensures your phishing success. On the defense side, I disagree with everyone saying "Disable Java" or "Disable Flash". There is going to be users that require this technology. Those are the users we will target. Sure, it reduces your attack surface, and that does help. But I believe what people miss the boat is just how deep "security" needs to go. Its more than layers. Its more than awareness and technology. Its about doing all sorts of things to keep your organization resilient to attacks, and having a plan to deal with successful attacks and minimize damage.

Cracking Story – How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords « Thireus' Bl0g - Nice

BYOD creates generation of workaholics - Saying that BYOD adds 20 hours to your work week is ridiculous. How much work can you really get done on your smartphone? If your spending that much time in email or some such thing, you need to re-evaluate your strategy. Devices and technology should make you more productive or your doing it wrong. However, it does increase the threat landscape.

3 security mistakes your management is making now - I have to say, and this usually never happens, I agree with Roger, at least on the first point of testing vendor products. I think a lot of people get this wrong. It goes deeper than what Roger stated. Sure, you should test out products before you buy them, and even use them on real production networks. Also, you have to understand your problems, develop requirements, and research the right way to test, install and configure the said products. Many don't do this and end up with the wrong products for the wrong reasons. Along these lines, products that work for others may not work for you, so don't put too much stake in what works for others. I also agree that priorities couldn't be more wrong. Attacker are successfully phishing you, so lets buy an IPS and firewall. WTF? The whole thing about "drift" is bit puzzling, but I think it just needs better clarification. Configuration management is important. The first thing most do wrong is never define a secure configuration. If you've made it that far, most don't do much to keep the systems in a secure state. The toughest organizations to break into are ones that have a secure config and work to keep systems that way.

[papers - How to Use PyDbg as a Powerful Multitasking Debugger] - Love the Python debugger, just sayin'.

Marc Maiffret – Episode 301 – September 6, 2012

Interview with Marc Maiffret

Marc Maiffret is the Chief Technology Officer at BeyondTrust, a leading vulnerability and compliance management company, and was a co-founder of eEye Digital Security.

How did you get your start in information security? Tell us about your work at eEye and your work in the early days there. Back in 2007, you left eEye to start work on a mobile phone application - what would do you think is needed in the Mobile arena now that is NOT security related? What research do you think needs to be done that no one is doing now?

Hack Your Car! – Episode 300 Pt.8 – August 31, 2012

Hack your Car with CANBUS

A little into in a few minutes. yes, as implied, it is a BUS and you can gain access to it from the ODB-II port. Think a hub. All messages on a segment go to all devices on the segment. Messages can be filtered with a gateway (think firewall) between various busses, which may or may not be exposed at the ODB-II port. A little bit different from networks that we are familliar with. First off, the message do not have source field, but do have a destination in the form of a one byte arbitration ID, these arbitration IDs also indicate priority - the lower the Arbitration ID destination, the higher priority the message. So the ArbID 0 would be processed prior to 73febeef. Now, each message is sent to the bus with an ArbID, and each device LISTENS for specific ArbIDs that is concerned about. With that, Gateways can pass specific messages, and each Device can look for multiple messages. Oh, those messages? Either 11 or 29 bytes, so fairly easy to fuzz.

Is PenTesting Worth It? – Episode 300 Pt.7 – August 31, 2012

Guests: Ed Skoudis, Alex Horan, Ron Gula, Weasel

Once upon a time a big bad pen tester gets a contract with 3 little pigs, Inc. On the first test, he huffs, and he puffs and blows down the network made of straw. On the next test, you build it out of sticks, and you get the same result (everyone now, he huffs and he puffs and he…). On the next test, you build your network out of bricks, and the big bad pen tester shows up with a wrecking ball, knocks down the house and presents you with an invoice.

(strange sci-fi sound)

In a parallel universe, the big bad pen tester contracts with 3 little pigs inc. The first test the straw house gets knocked down rather fast. But 3 little pigs Inc. gets a report outlining the weaknesses in construction along with recommendations for improvement. The knocking down of the house was a mere simulation, and they are given an opportunity to add a layer to the network, of sticks. The next test the big pad pen tester has to huff and puff, and huff and puff again, simulating another network destruction. No harm is really done, so the process repeats, until a wall of bricks is built. Now the only big bad person able to get through has to really work at it, too much huffing and puffing, and decides to go rob the three little bears instead, using their APT, and eating their IP. First question for the group, 3-5 minutes each, is penetration testing worth it, why or why not?

What benefits to you receive from a "good" penetration test and what are the qualities of a "good" penetration test? If someone were to give you a "penetration test", then run a couple of automated tools and provide the stock report, is this a bad thing in all cases? If we don't test our defenses in a controlled experiment, how do we really know they work? Lets say a penetration tester is conducting an internal penetration test, and finds out quickly that more than 50 servers have missing patches for vulnerabilities that lead to a reliable shell. What is the benefit of the penetration test from this point?

Automate Wifi, pfSense for Pentesting – Episode 300 Pt.6 – August 31, 2012

Automating Wifi Attacks by John Strand - In this Tech Segment we will talk about one of the easiest ways to create an evil access point to steal credentials. We will be using the very cool utility called easy-creds.

PFSense for pentesters - We use PFSense every day and love it. I also love the nice red Alix box that we built. After using it day to day, we've found that it is great, and has a few things that drive us nuts. Specifically, when you put two guys behind that doing two pentests or vuln scans, the box just cant stand up unless properly configured. We're gonna to install it on a real PC. This PC we happened to pull from the trash, and is some 64bit AMD system with 2 gig of ram. Total cost? Free. It is probably way more horses than we need for this situation, but is is what we got.

Defending Your Network – What really works? – Episode 300 Pt.5 – August 31, 2012

Guests: Wendy Nather, Iftach Amit, David Mortman, Dan Crowley, RSnake, David Maynor

"We have a firewall". "All of our systems use Anti-Virus software" "We've implemented the latest web application firewalls and intrusion prevent systems" "We have a patching cycle, weekly maintenance windows and a 30-day patch turn-around" These are things we've all heard before. These are things I often hear right before we are about to start a penetration testing. Depending on how you define success, these things do little to stop attackers.

What are we doing wrong when it comes to defense? What is the number one thing that organizations miss when it comes to defense? Should we even bother, and just know that a certain percentage of attackers will be successful? Can't we just do the easy and cheap security "things" and get by as long as we don't get owned as badly as our competition?

Data Mining ETW, AWSIEM – Episode 300 Pt.3 – August 31, 2012

Data Mining ETW - In this technical segment we will look at how to tap into the vast amounts of data logged by Windows Communication Foundation (WCF) and fed to Event Tracing for Windows (ETW). ETW Provider will sometimes log information excesive amounts of information giving an attacker access to sensitive data. By tapping into these otherwise silent logging mechnisms an attacker can find all kinds of useful information.

AWESIEM - After years of making security databases, I realized that Security Information doesn't match up to the way databases have to be normalized - I started looking at Ontology languages and triple stores instead to store security info, and am now working on an app framework to write security apps using an ontology storage backend, it's called AWESIEM. Here's my intro on how to use ontologies for infosec knowledge.