Ramblings of the änal security guy

Sometimes pointless, always rambling, best ignored…


26C3: Lightning Talks – Day 2

Posted by ChrisJohnRiley on December 28, 2009

After yesterday's late night with TCP, I decided to kick off day 2 with a look at the lightning talks. Yesterday's lightning talk from p4ula on sleep hacking was really interesting (if a little brief), so hopefully there'll be something here to keep my interest.

The information on the lightning talks at 26C3 can be found on the CCC wiki

MFCUK = MiFare Classic Universal toolKit

MFCUK is an open-source implementation (GPL) that implements the “Nested authentication attack” and “DarkSide attack” using crapto1 libraries. This toolkit is a merger of existing projects – MFOC and MiFare Classic DarkSide Key Recovery.

The MiFare standard is used in a variety of different places, including:

  • Credit-cards
  • Transport
  • Student ID cards
  • Building Access cards/systems

RFID standard: ISO 14443A at 13.56 MHz.

The next revision of the tool will increase compatibility with card readers and possibly implement support for the Nokia NFC 6131/6212.

  • http://code.google.com/p/mfcuk
  • http://groups.google.com/group/mfcuk
  • http://andreicostin.com/

Stali – Static linux

Primary focus is on statically linked binaries. This distribution is designed to have no dynamically linked libraries.

Project goals:

  • Statically linked binaries only
  • Hand-selected collection of best tools
  • Radically cleansed filesystem structure
  • Focus on end-user adoption

Pros of static linking:

  • Smaller binaries (really!)
  • Less memory footprint
  • More secure userland
  • Better startup performance

More information can be found at http://suckless.org or http://sta.li

Designing for socialization

http://www.meetforeal.com/

Looking to create a new iPhone application designed to help people communicate and break out of their social shell.

  • @meetforreal
  • @amonter5

DIY Bookscanner

Scan your own books to allow for full text searching and portable access to physically owned books.

Check out the website for some great photos of other DIY scanners.

  • http://diybookscanner.org
  • http://diybookscanner.org/forum/
  • http://diybookscanner.org/wiki/


Crypto Stick (Version 2)


GPF Crypto Stick – a combination of an OpenPGP Card v2 and a smartcard reader. RSA key lengths up to 3072 bit (an improvement over v1), with 3 independent keys (authentication, encryption and signature).

This USB stick is used to store secret keys for things like GnuPG v2, Thunderbird+Enigmail, SSH, etc… The USB device is supported on Linux, Windows and Mac OSX (?). The project is based on open-source hardware and software.

Version 1 (Current)

  • Available for €38 incl. VAT (MwSt)
  • order: info@privacyfoundation.de

Version 2 (Development)

  • Includes encrypted flash (MicroSD)
  • dm-crypt/LUKS compatible
  • Strong Aluminium case
  • Most secure portable data storage available

More information can be found at http://www.privacyfoundation.de/crypto_stick/ or by emailing info@privacyfounda

Hacking hearing devices

Features of hearing devices:

  • Small and (nearly) invisible
  • Microphones and speakers
  • Powerful signal processing (recognize acoustic settings, direction, filter)
  • Talk to each other
  • Talk to other hardware (phones etc…)

Why hack them – If you can't open it, you don't really own it. Free the information, and it's technically interesting. Current information and hardware is proprietary. This means that the devices are expensive and aren't permitted to be sold on services like eBay (medical devices are prohibited).

Visions:

  • Allow for parameter adjustment
  • Affordable bluetooth support – Currently very costly
  • Write your own signal processing – Filter out specific voices ;)
  • Hear more than normal people
  • Use device to spy/record

More information, or to help with the future of the project can be found at http://hackandhear.com or through email at helgar@hackandhaear.com

The distributed rainbow table project. So far over 1.5 TB of tables have been created and indexed.

Focus is on LM/NTLM, MD5, SHA1 (with future work on MySQL (SHA-1) tables)

Common myth – everyone uses salted hashes
Actuality – systems still use unsalted hashes on a regular basis
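To show why that myth matters, here is an added toy rainbow table (my own example, not code from the talk or from the Free Rainbow Tables project): chains over 4-digit PINs hashed with unsalted MD5 recover a PIN from its digest, while the same table is useless against md5(salt + PIN), because the salted digest is not a point any precomputed chain passes through. The keyspace, chain length and salt are constructed for the demo.

```python
import hashlib
import random

# Toy keyspace so the demo runs in well under a second: 4-digit PINs.
# Real tables cover far larger spaces; the mechanics are identical.
KEYSPACE = 10 ** 4
CHAIN_LEN = 40      # hashes per chain
NUM_CHAINS = 400    # chains stored (only start/end points are kept)


def h(pw: str) -> bytes:
    """Unsalted MD5, one of the hash types the project targets."""
    return hashlib.md5(pw.encode()).digest()


def reduce_to_pin(digest: bytes, pos: int) -> str:
    """Map a digest back into the keyspace.  The reduction depends on the
    chain position, which is what makes a rainbow table different from a
    plain hash-chain table (it limits chain merges)."""
    n = int.from_bytes(digest[:8], "big")
    return f"{(n + pos) % KEYSPACE:04d}"


def build_table(seed: int = 1) -> dict:
    """Precompute chains; only endpoint -> [start points] is stored."""
    rng = random.Random(seed)
    table: dict = {}
    for _ in range(NUM_CHAINS):
        start = f"{rng.randrange(KEYSPACE):04d}"
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_to_pin(h(pw), pos)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Recover the preimage of an unsalted digest, if any chain covers it."""
    # Assume the target sits at position i of some chain; finish that chain
    # from there and see whether the endpoint is one we stored.
    for i in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_to_pin(target, i)
        for pos in range(i + 1, CHAIN_LEN):
            pw = reduce_to_pin(h(pw), pos)
        for start in table.get(pw, []):
            # Walk the candidate chain from its start to confirm the hit
            # (endpoint matches can be false alarms from merged chains).
            cand = start
            for pos in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_to_pin(h(cand), pos)
    return None


def lookup_salted(table: dict, pw: str, salt: str):
    """Same table against md5(salt + pw): the chains were computed over bare
    PINs, so no chain ever passes through the salted value and the lookup
    comes back empty.  The salt is a constructed demo value."""
    return lookup(table, hashlib.md5((salt + pw).encode()).digest())


if __name__ == "__main__":
    table = build_table()
    victim = next(iter(table.values()))[0]   # a PIN we know the table covers
    print("unsalted md5 ->", lookup(table, h(victim)))
    print("salted   md5 ->", lookup_salted(table, victim, "x9!"))
```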

Future developments:

  • More tables
  • Maybe new format (smaller, faster)
  • Maybe cooperation with other projects
  • Maybe YOU as contributor
  • More tables – fewer mishaps!

More information can be found at the following locations :

  • http://events.ccc.de/congress/2009/wiki/Freerainbowtables
  • http://www.freerainbowtables.com/
  • http://sourceforge.net/projects/rcracki/

OWASP Favicon enumeration project

Identify software running :

  • Web Server
  • Web app: CMS, Forum, Wiki

For the paranoid, you can change the favicon to prevent enumeration.
Gather the data using a modified version of favicon.nse:
nmap -v -sT -iR 0 -p80 -n -PN --script=http-favicon-get.nse -oN nmap-p80-ir-favicon

More information is available at http://kost.com.hr/favicon.php, http://www.owasp.org/index.php/Category:OWASP_Favicon_Database_Project or through Twitter @OWASPfacicon


Posted in Conference, Security

26C3: cat /proc/sys/net/ipv4/fuckups

Posted by ChrisJohnRiley on December 27, 2009

“Built around a fictional average company network, we will tell the story of an attack making use of subtle bugs across the layers all of which are as of yet undisclosed. This will include a bug in an Ethernet-driver, which allows an attacker to bypass MAC- and IP-based filters, bugs in TCP-implementations that are assumed to be fixed but aren’t, a web-cache which confuses itself and an instant-messenger, which was fooled by the protocol specification.

All of these bugs share a common property: They are a consequence of insecure coding-practices.”

Alone these bugs don’t achieve much, but when chaining them together and creating a jigsaw puzzle of attacks, it’s possible to construct an effective attack.

Stage 1: Attacking the clients

The client offers a huge variety of attack possibilities. However you need to target the attack to the specific system. What application do you want to exploit, how, what host system, what shellcode to use…. The first phase is information disclosure.

The application of choice for this demo is Pidgin emoticons. Using the MSN-SLP protocol, a client receiving an emoticon is able to request the graphic from the sending client by specifying the file to download. By replacing the name of the emoticon to fetch with a more interesting file (/etc/passwd springs to mind), an attacker can remotely retrieve that file. Adium suffers from the same issue as Pidgin, as the issue lies in the underlying protocol and not the application itself.

This issue is less of an implementation issue, and more of a protocol issue due to the complexity of the protocol (for no reason).
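To make the bug class concrete, here is an added example (my own hypothetical stand-in, not Pidgin's or libpurple's code) of an emoticon store answering a peer's "fetch this emoticon" request: the vulnerable lookup uses the peer-supplied name as a path, while the hardened one only serves names this client actually advertised and confirms the resolved path stays inside the emoticon directory. The sandbox layout and the fake passwd contents are constructed.

```python
import os
import tempfile


class EmoticonStore:
    """Hypothetical stand-in for the code that serves a peer's emoticon
    request; not Pidgin's or libpurple's implementation."""

    def __init__(self, base_dir: str, advertised: set):
        self.base_dir = os.path.realpath(base_dir)
        self.advertised = advertised   # names this client announced

    def fetch_vulnerable(self, requested: str) -> bytes:
        # The flaw described in the talk: the peer-chosen name goes straight
        # into the path.  os.path.join drops base_dir entirely when the name
        # is absolute ("/etc/passwd"), and "../" walks out of it otherwise.
        with open(os.path.join(self.base_dir, requested), "rb") as f:
            return f.read()

    def fetch_hardened(self, requested: str) -> bytes:
        # 1. A peer may only ask for an emoticon this client advertised.
        if requested not in self.advertised:
            raise PermissionError("not an advertised emoticon: %r" % requested)
        # 2. Even then, the resolved path must stay inside base_dir
        #    (guards against an advertised name that itself contains "../").
        path = os.path.realpath(os.path.join(self.base_dir, requested))
        if os.path.commonpath([path, self.base_dir]) != self.base_dir:
            raise PermissionError("path escapes emoticon directory")
        with open(path, "rb") as f:
            return f.read()


def make_sandbox():
    """Constructed layout: a fake passwd file next to the emoticon dir."""
    root = tempfile.mkdtemp()
    secret = os.path.join(root, "passwd")
    with open(secret, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed content
    emo = os.path.join(root, "emoticons")
    os.mkdir(emo)
    with open(os.path.join(emo, "smile.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")                   # just a PNG header
    return EmoticonStore(emo, {"smile.png"}), secret


def is_blocked(store: EmoticonStore, requested: str) -> bool:
    """True when the hardened fetch refuses the request."""
    try:
        store.fetch_hardened(requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    store, secret = make_sandbox()
    print(store.fetch_vulnerable(secret)[:6])        # leaked via absolute path
    print(store.fetch_vulnerable("../passwd")[:6])   # leaked via traversal
    print(is_blocked(store, secret), is_blocked(store, "../passwd"))
```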

Stage 2: Bypassing the internal packet filter

When trying to attack layer n, it's always best to look at the lower layers to see if you can control or exploit them. Looking at the link layer protocol for example, you see the typical MTU value of 1500 bytes. Now that gigabit Ethernet is coming to the enterprise, jumbo frames are supported (alongside the older 1500-byte MTU). So what happens if somebody sends 2000 bytes to a system that only supports 1500? Typically a controller will take the data and make it span more than one receive buffer. However, in some instances this isn't handled correctly, for example in the e1000 Linux driver from earlier this year. It was fixed, but not really fixed!

When sending a frame that would normally be checked (i.e. a firewall) only the first part is checked, the second isn’t. This means that you can bypass the firewall rules, and send packets (and attacks) to systems behind it. 0-day !!!

Stage 3: Poisoning the cache

Squid, the web cache, is also a DNS cache. This means that it's vulnerable to the typical issues that standard DNS suffers from. Squid implements its DNS features independently of other DNS servers. Even though it randomizes the source port, the port is then statically assigned for the lifetime of the cache. Many layers of security are handed off to other systems (i.e. layer 2 protections).

By using NAT's built-in source-port behaviour it's possible to fingerprint the port used by Squid.

When waiting for a DNS response, Squid constantly reads the next received packet. When it's not expecting a response it caches responses until it makes a request. You can therefore put responses into the cache before even asking Squid to resolve a name. The first response wins, and you've given the answer before Squid has even asked the question.

Squid is set up by default to wait 2 minutes for a response. By performing a DoS on the firewall, you have enough time to poison the cache.
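As an added model of the behaviour just described (my own constructed example, not Squid's code): a resolver that caches whichever reply arrives first, even with no query outstanding, next to a strict one that only accepts a reply matching an outstanding query's transaction ID, question, and ports, and that picks a fresh source port per query. The replies and addresses are constructed test traffic.

```python
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class DnsReply:
    """A reply as the resolver sees it (constructed; no wire parsing)."""
    txid: int
    qname: str
    address: str
    src_port: int   # port the reply comes from (a real server answers from 53)
    dst_port: int   # port it was sent to (should be the query's source port)


class CacheBeforeAskResolver:
    """Models what the talk describes: a reply that arrives while no query is
    outstanding is cached anyway, the first reply for a name wins, and the
    source port is chosen once and then kept.  Not Squid's code."""

    def __init__(self):
        self.cache = {}
        self.src_port = 1024 + secrets.randbelow(64000)   # fixed for lifetime

    def query(self, qname: str) -> tuple:
        return secrets.randbelow(65536), self.src_port

    def deliver(self, reply: DnsReply) -> None:
        self.cache.setdefault(reply.qname, reply.address)   # first one wins

    def lookup(self, qname: str):
        return self.cache.get(qname)


class StrictResolver:
    """Hardened stand-in: accept a reply only if it matches an outstanding
    query on txid, question, destination port and source port."""

    def __init__(self):
        self.cache = {}
        self.outstanding = {}   # txid -> (qname, our source port)
        self.dropped = 0

    def query(self, qname: str) -> tuple:
        txid = secrets.randbelow(65536)
        sport = 1024 + secrets.randbelow(64000)   # fresh port per query
        self.outstanding[txid] = (qname, sport)
        return txid, sport

    def deliver(self, reply: DnsReply) -> None:
        expected = self.outstanding.get(reply.txid)
        if (expected is None or expected != (reply.qname, reply.dst_port)
                or reply.src_port != 53):
            self.dropped += 1          # unsolicited or mismatched: ignore
            return
        del self.outstanding[reply.txid]
        self.cache[reply.qname] = reply.address

    def lookup(self, qname: str):
        return self.cache.get(qname)


def run_scenario(resolver_cls):
    """Constructed traffic: three unsolicited replies for bank.example land
    before the resolver asks; then it asks and the genuine server answers.
    Returns (address cached, replies dropped)."""
    r = resolver_cls()
    for guess in (0, 1, 2):          # sender has to guess txid and port
        r.deliver(DnsReply(guess, "bank.example", "203.0.113.66", 53, 53))
    txid, sport = r.query("bank.example")
    r.deliver(DnsReply(txid, "bank.example", "198.51.100.10", 53, sport))
    return r.lookup("bank.example"), getattr(r, "dropped", 0)


if __name__ == "__main__":
    print("cache-before-ask:", run_scenario(CacheBeforeAskResolver))
    print("strict:          ", run_scenario(StrictResolver))
```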

Stage 4: Denial of Service on the Firewall

In 2009, a fix was implemented to the RTL Linux driver to re-enable the previously disabled hardware filtering on the NIC. By scanning possible MTU lengths, you can find the exact value that triggers the NIC to throw an error saying that multiple fragmented packets have been received, both of 8000 Bytes (this isn’t really possible). This will also cause garbage to be sent up the stack, instead of the packet contents. Lucky for us, the attacker can specify this garbage and control where the crash takes place.

This is more than just a denial of service: it gives control over the remote machine.

Conclusion

  • The security of a network component relies on the environment
  • Security issues do not live in isolation – You never know the impact of a vulnerability until you see how it can be put to work

More information can be found on the CCC wiki

Posted in Conference, Security

26C3: Exposing Crypto Bugs through reverse engineering

Posted by ChrisJohnRiley on December 27, 2009

Exposing Crypto Bugs through reverse engineering – Philippe Oechslin

“In this talk simple errors will be demonstrated that were discovered when reverse engineering three products for evaluation or forensic purposes. In each case, a simple error gave access to information that was supposed to be protected by the best crypto algorithms.”

  • MXI stealth USB key
  • EISST E-capsule PrivateSafe
  • DataBacker PrivateSafe

MXI stealth USB key

This USB key is similar in design to the IronKey product, but also offers fingerprint access. The product is FIPS 140-2 Level 2 certified. Information on the certification is available on the internet, and provides full specs and information on the USB device.

Passwords are stored on the EEPROM in salted SHA-256 format. Upon a failed password attempt a delay of 500 milliseconds is imposed to prevent brute-force attacks.

In testing it was found that the library responsible for the encryption between the computer and the USB key still had debug information and symbols present. By further looking at memory with a debugger it was possible to discover a SHA-1 hash of the current password and the previous 2 passwords used (these hashes were not salted and not SHA-256). This location was readable without entering any password, and provided the ability to retrieve the hashes and perform an offline brute-force (bypassing the imposed 500 millisecond delay).

Correcting the issues: The company were very responsive and provided a fix within a week of being notified.

EISST E-capsule PrivateSafe

The software has 4 different passwords to enable deniable encryption (similar to Truecrypt hidden volumes). Each password shows a different volume to allow for multiple levels of deniability.

By looking at the control file of the product it is possible to see that there are 4 sections to the file (numbered 1..4). By reverse engineering this file it was possible to find that the encryption used was AES-256 in CTS mode. The key is a SHA-256 hash of the corresponding password for the section. The IV is based on RIPEMD-160.

Once the password is known it is possible to decrypt the control file using openssl, as it supports both AES and RIPEMD-160.

As the blocks in the control file represent sections 1 through 4, it is possible to edit the control file to alter which password opens which section, without knowing the password. This can be easily achieved by simply swapping the hex values for section 1 and section 2. This results in the password for section 1 now being valid for section 2.

Correcting the issues: The vendor was made aware, but insisted that the product worked "as advertised".
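The section-swap works because nothing binds an encrypted block to its position. Here is an added model of that (my own example, not the product's format or the vendor's fix): four sections each encrypted under SHA-256 of their password, as the talk describes, with a swap of sections 1 and 2 making password 1 open section 2; then the same file with each block authenticated by an HMAC over (section index || ciphertext). The cipher is a SHA-256 keystream stand-in for AES-256 and the passwords and marker are constructed.

```python
import hashlib
import hmac

MAGIC = b"ECAP"   # constructed marker: a decrypt that yields it used the right key


def section_key(password: str) -> bytes:
    """Per the talk, the section key is SHA-256 of that section's password."""
    return hashlib.sha256(password.encode()).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for the product's AES-256 (no AES in the stdlib): a SHA-256
    counter keystream.  The integrity lesson does not depend on the cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def decrypt_block(password: str, ct: bytes):
    pt = xor_stream(section_key(password), ct)
    return pt if pt.startswith(MAGIC) else None


def build_control_file(passwords):
    """Four sections, each encrypted under its own password, no integrity."""
    return [xor_stream(section_key(p), MAGIC + f"volume {i + 1} header".encode())
            for i, p in enumerate(passwords)]


def open_section(control, password: str, index: int):
    return decrypt_block(password, control[index])


def swap_sections(control, a: int, b: int):
    """What the talk does with a hex editor: exchange two section blocks."""
    swapped = list(control)
    swapped[a], swapped[b] = swapped[b], swapped[a]
    return swapped


# Hardened variant (added here, not the vendor's fix): bind each block to its
# position with a MAC keyed from the same password.

def mac_key(password: str) -> bytes:
    return hashlib.sha256(b"mac|" + section_key(password)).digest()


def tag(password: str, index: int, ct: bytes) -> bytes:
    return hmac.new(mac_key(password), bytes([index]) + ct, hashlib.sha256).digest()


def build_authenticated(passwords):
    ctl = build_control_file(passwords)
    return [(ct, tag(p, i, ct)) for i, (p, ct) in enumerate(zip(passwords, ctl))]


def open_authenticated(control, password: str, index: int):
    ct, t = control[index]
    if not hmac.compare_digest(t, tag(password, index, ct)):
        return None        # block moved or tampered with: refuse before decrypting
    return decrypt_block(password, ct)


if __name__ == "__main__":
    pws = ["alpha", "bravo", "charlie", "delta"]          # constructed
    plain = build_control_file(pws)
    print("swap, no MAC :", open_section(swap_sections(plain, 0, 1), "alpha", 1))
    auth = build_authenticated(pws)
    print("swap, MAC    :", open_authenticated(swap_sections(auth, 0, 1), "alpha", 1))
```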

DataBacker PrivateSafe

This software creates an encrypted data container. There is a control block at the beginning of the file (instead of a separate file as in the previous example). The data is encrypted using Blowfish CBC 4096, with an IV that is always the same (012345) and the user's password as the key.

By loading the software into a debugger (in this case OllyDbg) it is possible to find the location in the code that loops through each character of the password to create a checksum (by XORing all characters of the password, shifted one bit). The program then uses this checksum to see if the password is valid.

By examining the process and the checksum to match, it’s possible to see if the characters create an odd/even result. This would allow an attacker to cut down on the characters to check (cut down by 50%) and permit easier brute-forcing. If a password is found that matches the checksum, it “might” be correct. If it’s wrong it will crash the program as it fails the decoding (even though it matches the simple checksum test).

As Blowfish was designed to resist brute-forcing (~25,000 attempts per second), it pays to only attempt candidate passwords that match the checksum. This cut the brute-force down from 1.7 years to 2.5 hours (in this case).

Correcting the issues: Software discontinued.

Conclusion

  • Crypto is hard to implement correctly
  • If no source code is given, only reverse engineering can find the errors
  • When possible, prefer open-source solutions over closed-source, they are easier (and cheaper) to verify.

More information can be found on the CCC wiki

Posted in Conference, Security

26C3: Sleep Hacking

Posted by ChrisJohnRiley on December 27, 2009

Well, it's the first day at #26C3 and purely by chance I stuck my head into the lightning talks to see Paula (@p4ula) talking about sleep hacking. This has been something that's interested me for a while, as I'm sure it has many hackers before me. After all, we all want to fit more hours into the day, and I know more than my fair share of people that seem to never sleep at all.

There's only so much information you can fit into a 4 minute lightning talk; luckily Paula had arranged a breakout room for Q&A after the talk, and it was packed. Seems like it's not just me and Benny (@security4all) interested in this topic.

If you want to find out more information about Paula's talk, and polyphasic sleep in general, check out the following links .:

  • http://twitter.com/p4ula
  • http://en.wikipedia.org/wiki/Polyphasic_sleep
  • http://barcampcologne.mixxt.de/networks/wiki/index._sleephacking
  • http://hackaday.com/2005/10/16/hacking-sleep/
  • http://www.explosiveapps.com/ (iPhone app)
  • http://easywakeup.net/ (iPhone app)
  • ….

Posted in Conference, Strange

Have a very trashy Christmas

Posted by ChrisJohnRiley on December 24, 2009

If you haven't already had a chance to listen, make sure to grab your copy of Eurotrash episode 4. We give the guys over at Exotic Liability a call and shoot the breeze about conferences, what happened in 2009 and what 2010 will hold. This one's definitely Not Safe For Work ;)

ExoticTrash Promo!

Have a very trashy Christmas !!!

Posted in Security

Eurotrash Security Podcast

Posted by ChrisJohnRiley on December 20, 2009

Well, the Eurotrash team (me, Craig Balding, Wim Remes and Dale Pearson) have just released the 3rd episode of the Eurotrash Security Podcast. As with every new project, you’re never quite sure how it’s going to turn out, but even if I do say so myself, the first 3 episodes have really been fun, educational and a great experience all round.

As the team moves into 2010 we've got more than a few interesting things lined up. We've got a few special interviews in the works, as well as a couple of mashups with some people who will probably spend most of the time laughing at our strange European-type accents. So, what does this mean for you, the reader listener?

Well, we want feedback… Are we doing things right? Are the episodes too long/short? Too much/not enough news? Technical content/segments? Who do YOU want us to talk to next? We do this for fun, and even though I'd be more than happy to talk to our excellent guests, chat with Craig, Dale and Wim about random things and then never release the audio, we do the podcast so others can listen in and join in the fun. So make yourself heard… tell your friends, your friends' friends, and your friends' friends' pet cat Jimmy. Every little helps ;)

We all hope you’ve enjoyed the start of Eurotrash in 2009, and hope to make it bigger and better in 2010! Be a part of that by telling us what you really think –> feedback@eurotrashsecurity.eu


Posted in Security

SANS SEC556 – Comprehensive Packet Analysis

Posted by ChrisJohnRiley on December 20, 2009

To finish off my class reviews from SANS London 2009, I just wanted to put forward a few comments about the 1-day SEC556 – Comprehensive Packet Analysis class.

The class is very exercise heavy and although it kicks off with some required groundwork on packet structures and a quick review of things like hexadecimal and binary, the real strength of the course lies with its "learn by doing" style of teaching: from simple packet captures, through to finding network faults (retransmits, checksum failures, ..) and reconstructing traffic streams. Each lab builds on the knowledge of the previous one to really improve your understanding.

As you’d expect from a 1-day course, the range of tools covered is slightly limited.

  • tcpdump
  • ngrep
  • wireshark
  • mergecap
  • tcpflow

The real focus of the class was on the use of tcpdump and wireshark to perform more advanced tasks, such as extracting files from packet captures (file carving), BPF and in particular bitmask filters to finely tune packet captures.

Overall I really enjoyed the class, and love Johannes’ teaching style. As with everything though, you get out of the class what you put in. After 8 days of training I don’t think I really gave it my full attention, which is a shame. I’ll have to make sure to look over the books again in a quiet moment. After all, we all love packets, right ?

Interesting links from the course .:

Whatever happened to IPv5? Check out the Internet Stream Protocol –> RFC 1819

TCP/IP and tcpdump Pocket Reference Guide (PDF)

http://filext.com/ –> reference of hex file headers for specific filetypes


Posted in Security, Study

SANS SEC401 – Security Essentials

Posted by ChrisJohnRiley on December 5, 2009

Everybody should have a good foundation to build from. After all, there’s no point in building a tower of knowledge, just to find that the foundations can’t hold it up. SANS Security Essentials is a great course to provide that foundation.

One of the things I love to hear from students after teaching Security 401 is “I have worked in security for many years and after taking this course I realized how much I did not know.” With the latest version of Security Essentials and the Bootcamp, we have really captured the critical aspects of security and enhanced those topics with examples to drive home the key points. After attending Security 401, I am confident you will walk away with solutions to problems you have had for a while plus solutions to problems you did not even know you had.
- Eric Cole

Dr. Eric Cole on YouTube — Introducing Security Essentials

This class covers a lot of ground. I know the average SANS class is packed with juicy knowledge and tasty technical goodness, but the 401 class really crams it in: 11-12 hours a day, and 6 days long. It's not an easy task to take in everything, but Dr. Eric Cole is a great instructor, and really helps make things clear. As you'd expect from a class of this type, the content is wide-ranging and not as in-depth as some of the other SANS courses. Then again, this is what you'd expect from a course of this type. There's no point in building a good foundation in 3 areas of the security landscape and skipping the rest. The 401 class covers the areas you need to know about without going too in-depth in any one thing. There's plenty here for you to think about and it certainly gives you an idea of where your weak points are, and how to fill them in.

Day 1 – Networking Concepts

It's hard to protect your network without knowing what's really going on on the wire. The first day of the 401 class was dedicated to understanding the fundamentals of networking, from the cable up. The information covered is just enough to really understand what's going on, without having to be a packet-monkey, or an expert in routing protocols. Sure, there are some exercises on decoding IP/TCP headers with pen and paper, but nothing that complex. As long as you can add up, that is. It's not rocket science after all ;) Day 1 concluded with some virtualization and physical security modules. It was nice to see the physical security aspects covered, where so many classes tend to skip over the topic.

Day 2 – Defense In-Depth

I'm a big fan of defense in-depth, and always try to drum it into clients when testing systems. After all, a single piece of equipment that stops all attacks is only good until you can find a bypass for it. When that happens, you're completely exposed, unless you're layering your defenses. Eric covered a lot of ground here in day 2: malware, worms and trojans, alongside policy, password security and web-application attacks and defense. Again there's just enough here to understand the basics without confusing people who've started the class with a clean slate. If you're an old hand, there's still information here to be had. Even though I've been through the 560, 542 and 709 classes, there are still points that make me sit up and pay attention. Nobody knows everything after all.

Day 3 – Internet Security Technologies

Day 3 kicked off with discussion of attacks and hardening of systems, coverage of IDS/IPS/HIDS and some great hints and tips about maximizing your firewall protection and layout. Even though most people know what a firewall does and how it works, people rarely consider the pros and cons of multiple firewalls, positioning, and using packet, stateful and proxy filters to maximize the protection without overloading the systems. There was also discussion of signature-based protections vs. anomaly analysis (including the method of using clipping levels to improve identification of possibly suspicious traffic/behaviour). To give the students a hands-on experience with IDS, a short module on Snort (including writing a simple Snort rule) is included as the 3rd day draws to a close.

Day 4 – Secure Communications

After finishing up the risk analysis module from Day 3, we moved quickly into one of the sections of the class I was really looking forward to, encryption. Eric took the class from the basics of cryptography (ROT-13, Caesar cipher) through to a surprisingly easy to understand diagram of how Diffie-Hellman key exchange really works. There was good coverage of data protection in transit and at rest, and the key points of key management issues. Moving away from cryptography toward mobile and wireless, we covered a range of different connection solutions. In particular, Bluetooth, 802.11 and ZigBee were covered in-depth. It was good to see the newer technologies such as ZigBee discussed even in the essentials class. To bring it home for day 4 we talked about VoIP and the increasing convergence of technology within the enterprise.

Day 5 – Windows Security

As with the other days, we kicked off day 5 with the final module of the previous day. In this case we talked about OPSEC (Operations Security). OPSEC is taking a step back from the technical and making sure that the appropriate risks are being addressed. It's all about the Big Picture and protection of company information. Tracking and finding your company's weaknesses can also give you an idea where your competitors may have fallen short. To kick off the Windows section of the class, we covered the basics of Windows access controls, patching and hot fixes, as well as the all-important backup/restore of critical data. Of course no Windows security class would be complete without extensive coverage of access permissions, rights and controls.

To tie in with the previous cryptography discussions we talked about EFS and BitLocker and the pros/cons of using TPM (with USB token, PIN) to enforce boot integrity. Naturally we spent time looking at the technical side of security policies (GPOs, security templates, …) and the issue of dealing with extensive security policies in large-scale Windows environments. Finishing up, we covered automation when it comes to securing and maintaining the security of systems. It's interesting to see Microsoft's move to more command line based solutions. Give it another 10-15 years and it'll be just as good as Linux at the command line ;)

Day 6 – Linux Security

Kicking things off for the last day, Eric went over the key differences and histories that make Linux and Windows such polar opposites. As you can imagine, a large part of the time today was spent discussing the intricacies of the *nix permissions system (including SUID, SGID and sticky bits). It was interesting to cover the usage of groups and the ability to assign passwords to specific groups using gpasswd. It was also good to get a quick overview of how PAM fits into the overall Linux authentication and user account management. pam_cracklib and pam_unix are something I'll definitely be looking at more in the future. Finally I really get the permission system used in Linux. All it takes sometimes is a simple, down-to-earth explanation.

Jumping from permissions, we did a quick overview of the boot processes, run-levels and services. It’s great to hear little tips and tricks from people who work with this stuff on a daily basis. Things like the RC scripts. Newer systems (anything in the last 5 years) can handle 2 startup files with the same number (i.e. S08service and S08service2). Older systems would only run 1 of the services, and ignore the other. Certainly an important note when working on older *nix systems.

In the logging and monitoring section we covered a number of interesting log files. Of special interest to me (as a penetration tester) was the /var/run/btmp log file. If this file is present on a system, it contains information on failed logon attempts, with the attempted password listed in plaintext. Obviously this could be a great source of information if a user mis-types their password. At the very least, it's a starting point for a brute-force of that account. At best, you have the user's password and can start guessing what they mis-typed. As you'd expect, a range of logging and centralised log management was discussed. After all, no talk on *nix logging would be complete without mentioning syslog and syslog-ng.

Winding up the class we touched on *nix patch management and enhancing the security of Linux. As you’d expect, we spent some time discussing APT and RPM based patching solutions, before moving into IPTables, TripWire and Bastille Linux.

It’s been an exhausting 6 days… but I feel like I’ve filled in a few gaps in my knowledge. I’ve especially enjoyed working with Dr Eric Cole and hearing about his take on various topics. Eric has a lot of knowledge to bring to the table, and I hope to attend another of his classes in the future.

Conclusion

There’s far too much information crammed into this class to really write about every topic covered. Then again, that’s not the point of this review. I’ve covered the key points we discussed, and hope it gives a good overview for people looking at taking this class in the future. I would say however, that SANS updates the classes on a regular basis. So your mileage may vary ;)

I stand by my earlier comments that the Security Essentials class gives a good foundation. However, I would append a small note. If you're already an experienced InfoSec person, then there will be times when you're required to review things you already know. This isn't a bad thing, as there are always a few points that are worth reviewing, or described from a different standpoint. When looking purely at the content of the course and the method/style of delivery, I would highly recommend this class as the place to start when it comes to moving into InfoSec. The broad level of knowledge is both theoretical and technical, yet not so in-depth as to get sidetracked into a single topic for too long. If you're already working in InfoSec, then check out the assessment test below to see what your level of knowledge is.

If you want to test yourself and see where the gaps in your knowledge are, you can use the SANS Security Essentials assessment Test to see how you score.

Posted in Conference, Security, Study

Playing with iPhone profiles

Posted by ChrisJohnRiley on December 4, 2009

It's not often that I talk about a GOOD feature of the iPhone. Don't get me wrong, I love my iPhone and it's really changed the way I work and communicate, however Apple really only want you to use the device the way they want, not how you want. Still, I've recently been fighting with a few issues while traveling. The largest of these is the need to constantly change my APN settings whenever I fly somewhere. I usually travel with a small collection of pay as you go SIM cards so that I can just touch down, plug in the SIM and charge enough credit to cover a few days or weeks of data transfer. You'd be surprised at the prices you can find even on pay as you go nowadays. Anyway, this is all well and good, but wouldn't it be nice if the APN settings (APN name, username and password) were automatically detected. Some SIM cards do this, however most don't (my O² SIM card even fills it in with incorrect info). Today I finally had a chance to look at the iPhone configuration tool offered by Apple.

The iPhone configuration tool gives you a range of options to configure a single or multiple iPhones. It also offers the chance to do some security related configurations that you can't achieve directly on the iPhone itself. The 2 things I was particularly interested in were the Passcode and APN (advanced) settings.

Whether you're using this in a corporate or home environment, the configuration tool can help improve the security of your iPhone, as well as making it easier to turn settings on/off as required.

Passcode

By default the iPhone allows for a 4 character passcode to lock down your phone. This is great, but I've lost count of the number of times I've seen people type in their passwords. It's not hard to remember a 4 digit passcode, and as the iPhone doesn't randomize the layout of the numbers on the screen, it's easy enough to figure out the passcode even without seeing which numbers are selected. Luckily the iPhone configuration tool gives you the chance to correct this.

Through the configuration tool you can set the advanced settings not possible to do directly on the iPhone itself. These settings include the complexity (including the number of non-alphanumeric characters required), minimum length, maximum password age, password history and failed attempts.

Alongside these typical settings you can also set the auto-lock and grace period times. Most importantly, from my perspective, you can enable the device erase function (this can also be enabled on the device directly).

When it comes to mobile devices, password enforcement is becoming more and more important. With the limited keyboard functionality and repetition of password entry (how many times a day do you type in your iPhone passcode?) it’s important to make sure users (whether enterprise or home) don’t simplify the passcode too much. It’s very convenient to use 9999 as your passcode, but it’s not hard to shoulder-surf.

The above images show the default 4 character PIN style password, and the more extensive passcode options you can enable through iPhone configuration tool. The more security conscious may have noticed there are 3 images and not just 2. If you allow users to set digit only passcodes (i.e. an 8 character passcode like 12345678) then your users will be prompted ONLY to enter numeric values. If the user sets a more complex alphanumeric password, then they will be given a full keyboard for entry. This isn’t a BIG security issue, but it does tell you what kind of passcode they’ve selected without you needing to know the passcode itself. Still, it’s better than a 4 digit passcode ;)

APN (advanced)

The second feature that interests me is the advanced page, which allows you to set the APN and Proxy information. For me this is really handy. I can go into the configuration tool and create a profile for each APN setting combination that I need. When going between countries I can simply pull up the .mobileconfig file from my email (make sure you’ve got it cached) and apply it to the iPhone.

The advanced settings page also allows you to set a proxy for your communications. I’ve not had a chance to play with this setting yet to see what kind of security enhancement can be gained from this. In theory it would be nice to force ALL communications over an SSL secured proxy. This could then connect back to a trusted system to give you an extra layer of protection between your phone and home base. When travelling to a possibly dangerous environment (I’m thinking China, Russia, Ukraine, etc…) it would be nice to feel just a little bit more secure.

The good thing about profiles is that you can add and remove them at will. You can also have more than 1 profile active on the iPhone at once (as you can see I’ve got 4 currently). This allows you to add and remove them whenever you need to. It also means you can have a profile that applies your security settings and separate ones that apply just the APN info (as it’s likely to change more often than your security configuration). I’ve not had a chance yet to look at what happens when you set multiple profiles to contain settings that clash. I get the feeling that the LAST profile applied will override the earlier ones, but at the moment that’s just speculation on my part.

.mobileconfig

The files you export from the iPhone configuration tool are simple XML files. So if you find yourself out and about without the tool, you can still open the file up in a text editor and change the settings as required. If you do a Google search for “mobileconfig iphone” you’ll find a number of sites discussing the format. You can also check out the enterprise deployment documentation HERE for more hints. You can also download the configuration tool from the same location (Windows / OSX only).

Edit: After posting I did a little followup on the contents of the .mobileconfig file. When looking at the files created to implement specific APN settings, I noticed the following strings in the XML:

<key>apns</key>
<array>
  <dict>
    <key>apn</key>
    <string>payandgo.o2.co.uk</string>
    <key>password</key>
    <data>cGFzc3dvcmQ=</data>
    <key>username</key>
    <string>vertigo</string>
  </dict>
</array>

I can almost see people holding their heads in their hands. Yes, the password is stored Base64 encoded. I can understand why Apple have done this (to avoid issues with special characters corrupting the XML). However Base64 isn’t encryption. Luckily the APN settings are usually publicly available. However the .mobileconfig file can also contain data such as WPA keys, mail account passwords, and even LDAP and Exchange server settings. Surely these are protected in the XML by default, right?

<key>LDAPAccountDescription</key>
<string>LDAP Account</string>
<key>LDAPAccountHostName</key>
<string>server</string>
<key>LDAPAccountPassword</key>
<string>SecretLDAPpassword</string>
<key>LDAPAccountUseSSL</key>
<true/>

That’s what we like to see. Clear text passwords… However it’s not all bad, there is a solution, even if it’s not the default. When exporting the .mobileconfig file from the iPhone configuration tool, you can select to sign and encrypt the file. The downside of this is that you need to tie the .mobileconfig to an iPhone that has been registered in the iPhone configuration tool. This may not always be convenient, especially when your CFO is shouting that his wireless settings are wrong as he’s waiting for the 9th hole at the local golf club. Still, at least Apple have thought about the security risks. When creating a single profile for your entire corporation however, you’ll either need to register each iPhone in the configuration tool before exporting the file, or use the less secure, unencrypted, option.
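Since the profile is plain XML (a property list), it is easy to audit an export before it goes anywhere near an email inbox. The script below is an added example, not code from this post or from Apple’s tool: it checks both of the points discussed above, the passcode-policy settings (the Passcode section) and credentials sitting in the file as clear text or Base64 (the APN and LDAP fragments). The embedded profile is constructed to mirror the fragments quoted in the post. The payload type strings and keys (com.apple.apn.managed, com.apple.ldap.account, com.apple.mobiledevice.passwordpolicy, forcePIN, allowSimple, minLength, maxFailedAttempts, EncryptedPayloadContent) are Apple’s documented ones; the audit thresholds (minimum length 6, no simple passcodes) and the list of key names treated as credentials are my own assumptions.

```python
"""Audit an exported .mobileconfig before distributing it (added example)."""
import plistlib

# Constructed sample: what an UNENCRYPTED export looks like, mirroring the
# APN and LDAP fragments in the post plus a weak passcode-policy payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.travel.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.apn.managed</string>
      <key>apns</key>
      <array>
        <dict>
          <key>apn</key><string>payandgo.o2.co.uk</string>
          <key>username</key><string>vertigo</string>
          <key>password</key><data>cGFzc3dvcmQ=</data>
        </dict>
      </array>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.ldap.account</string>
      <key>LDAPAccountHostName</key><string>server</string>
      <key>LDAPAccountPassword</key><string>SecretLDAPpassword</string>
      <key>LDAPAccountUseSSL</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><true/>
      <key>minLength</key><integer>4</integer>
      <key>maxFailedAttempts</key><integer>10</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumption: dictionary keys containing these substrings hold credentials.
SECRET_KEY_HINTS = ("password", "passphrase", "sharedsecret")
POLICY_TYPE = "com.apple.mobiledevice.passwordpolicy"
MIN_LENGTH = 6  # assumed minimum we want enforced


def find_secrets(node, path=""):
    """Walk the parsed plist and return (path, value, encoding) for every
    credential-looking key. plistlib already decodes <data> elements, so a
    Base64 password comes back as bytes; we show it decoded to make the
    point that Base64 is an encoding, not protection."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if isinstance(value, (dict, list)):
                found.extend(find_secrets(value, child))
            elif any(hint in key.lower() for hint in SECRET_KEY_HINTS):
                if isinstance(value, bytes):
                    found.append((child, value.decode("utf-8", "replace"), "base64"))
                else:
                    found.append((child, str(value), "clear"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(find_secrets(item, f"{path}[{index}]"))
    return found


def check_passcode_policy(profile):
    """Return a list of weaknesses in the passcode-policy payload(s)."""
    findings = []
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == POLICY_TYPE]
    if not policies:
        return ["no passcode-policy payload in profile"]
    for policy in policies:
        if not policy.get("forcePIN", False):
            findings.append("forcePIN not set: passcode is optional")
        if policy.get("allowSimple", True):
            findings.append("allowSimple: passcodes like 1234 or 9999 are accepted")
        if policy.get("minLength", 0) < MIN_LENGTH:
            findings.append(f"minLength {policy.get('minLength', 0)} is below {MIN_LENGTH}")
        if not policy.get("maxFailedAttempts"):
            findings.append("maxFailedAttempts not set: no erase after failed attempts")
    return findings


def audit(raw):
    """Audit the bytes of one .mobileconfig file."""
    try:
        profile = plistlib.loads(raw)
    except Exception:
        # A signed export is a CMS/PKCS#7 blob, not XML; plistlib cannot read
        # it, which is exactly what you want an attacker to run into.
        return {"parsed": False, "encrypted": None, "secrets": [], "policy": []}
    encrypted = "EncryptedPayloadContent" in profile  # payloads enveloped
    return {
        "parsed": True,
        "encrypted": encrypted,
        "secrets": [] if encrypted else find_secrets(profile),
        "policy": check_passcode_policy(profile),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PROFILE)
    for path, value, encoding in report["secrets"]:
        print(f"credential at {path} ({encoding}): {value}")
    for finding in report["policy"]:
        print(f"passcode policy: {finding}")
```

Run it against a real export with audit(open("profile.mobileconfig", "rb").read()). On the constructed sample it reports the APN password (Base64 decodes straight to "password"), the clear-text LDAP password, and the weak passcode policy; a profile exported with sign and encrypt comes back with parsed=False (signed) or encrypted=True, and no credentials are visible.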

So, if you’re a corporate using this feature for your CEO’s iPhone, remember to store the .mobileconfig in a safe place and use the sign and encrypt option (not the default, at least in my testing). If you’re a penetration tester, add this filetype to your list of files to look for next time you exploit a user’s system. You never know what you might find. If you want to know how bad it really is, try the following Googledork “filetype:mobileconfig”.

Posted in Security, Technology | 3 Comments »

SANS DEV319 / SEC319 – Intro to Web Application Security

Posted by ChrisJohnRiley on November 29, 2009

Prior to the 6-day classes starting at SANS London 2009, I had the chance to sit in on the 2-day DEV319 class (run by Johannes Ullrich) to see what the class was all about. As I’ve said over and over again, I love learning, and I can’t say no when somebody offers me a chance to sit in on a class, even if it is something I’ve already covered in my recent GWAPT course. One thing I like about the classes from SANS is the instructors. Unlike some companies, the people teaching the class really do this for a living. They’re not just standing there reading the slides and nothing more. Johannes really knows his stuff when it comes to web applications. There is so much knowledge there to be gained just by asking questions and discussing solutions. This is the real essence of learning in my opinion. Sitting at the back of the class can only get you so far. So next time you’re at a class make sure you ask some questions. You will be surprised what you can learn just by asking.

DEV319 / SEC319 – Intro to Web Application Security

If you’re new to security, finding a place to start can be a real problem. Diving straight into a class covering the deepest darkest secrets of SQL Injection or Cross-Site Scripting isn’t always going to be your best option. The “baptism by fire” approach isn’t for everyone after all. To make a move from systems administration or development that little bit easier, SANS have put together the SEC/DEV319 class to give an introduction to web application security. Don’t misunderstand, this isn’t a 2 day class that glosses over the problems and contains no real meat. The topics covered are in-depth, well explained and looked at in a hands-on approach. The labs are brief due to the tight timescales and amount of information to cover, however they come in at the right time and help to reinforce the content well.

The topics covered are varied and give a good foundation to build on. Obviously no 2 day class can cover everything, but SANS certainly try and cram a lot into a short timescale:

  • Securing Web Application Architectures and Infrastructures
  • Cryptography
  • Authentication
  • Access Control
  • Session Mechanism
  • Web Application Logging
  • Input Issues and Validation
  • SQL Injection
  • Cross-Site Scripting
  • Phishing
  • HTTP Response Splitting
  • Cross-Site Request Forgery

Also not on the list, but equally important, are discussions on logging (what, why, how, legal requirements, …), phishing mitigation (discovery, defense, tracking, …) and specific information on credit card processing issues (handling of data transfer, CCV/CCV2 numbers, AVS, …). These might not be the most glamorous topics, but for security they’re just as important as the more technical attacks, like XSS, CSRF, etc…

This class is aimed at developers, QA analysts, and infrastructure security professionals. With that said, it offers a great deal of information for anybody who wants to secure web applications. The class is taken from a developer and attacker standpoint, showing how to check for errors and how attackers would take advantage of them. I’m not sure this works as well as people think for developers, but it seems to be the way things are taught currently. One thing to consider if you’re coming at this class from a pure development background is the longer language specific classes like DEV541 (Secure Coding in Java/JEE: Developing Defensible Applications). These are taken more from a developer standpoint and go deeper into not only the cause of the flaws, but also the underlying code that causes and fixes the issues.

Conclusion:

If you’re a developer or network support technician looking for a good introductory class to web application attack and defence, then this is certainly a great place to start. It will help you hit the ground running with some good knowledge on how things work (from the HTTP protocol up). Even though this class is a 300 level* course, the content isn’t basic by any means. There’s something here for everybody.

*When selecting the courses that you wish to take, keep in mind that the course numbers indicate relative degree of difficulty. Thus 300-level courses are intended for students who are new to security and have no experience; 400-level courses are intended for students with some experience; 500-level courses are intended for students who are seasoned security professionals; 600- and 700-level courses are the most advanced. The levels are not determined by how much hands-on or technical work is involved in the course, but rather by the overall difficulty of that course in comparison to others in the same discipline. Within any given level, course numbers do not indicate level of difficulty. SEC589, for example, should not be any more difficult than SEC571. – SANS Brochure

Posted in Conference, Security, Study | 1 Comment »