Open Source Security

The local chapters of OWASP and ISSA jointly sponsored a 1/2 day Metasploit Training session taught by Raphael Mudge. It was held one Friday afternoon about 10 days ago at the Microsoft campus here in Austin which is a super nice facility and well set up for this type of class.

Metasploit is one of those technologies that is always near the top of my list to try out, but never quite takes that top spot, so I jumped at the chance to take this seminar. It sold out in less than 2 days, so it would seem that a lot of people felt the same way.

Raphael Mudge is the author of the Armitage front-end to Metasploit, so he was a great choice to teach the class. He is a very high-energy speaker and sprinkles anecdotes and experiences throughout, so the seminar never dragged. The seminar was an excellent mix of labs and presentation. The labs started with the exercise of installing Metasploit and Armitage, which were provided on a DVD. Virtual images which were vulnerable to attack were also provided, and these were the targets of the exercises. Throughout the class, Raphael offered his experience on which exploits were typically the most successful, which payloads are the most valuable, and other nuggets of information which are gained through experience. Armitage itself does a great job of lowering the barrier to entry and makes Metasploit much easier to use.

This seminar was a great introduction to Armitage and Metasploit, enough to make it useful for personal use of Metasploit, but it is clear that I could spend many fun hours experimenting with the various exploits and payloads. Raphael made it clear throughout that he was not training crackers. The seminar succeeded brilliantly, and so I would like to again thank Raphael Mudge, OWASP Austin and ISSA for making this seminar possible.

Great stuff!

Raphael left us with the following links for more information:
Penetration Testing and Vulnerability Analysis
Metasploit Unleashed
Backtrack Linux

My first experience with Gnome 3 is that it frowns at me for not living up to its expectations.

RSA – hacked
Lockheed Martin – hacked
Northrop Grumman – hacked
L-3 – hacked
Sony – hacked
Nintendo – hacked
Gmail – spear phished
PBS – hacked (and seriously?)

There must be millions of corporate security presentations that start off with the premise that the security apocalypse will soon be upon us if security doesn’t receive premium investment. It feels to me as if the long-promised security apocalypse has now arrived. Whether these events are coordinated or independent, whether they are script kiddie cracking or cyber warfare, does this herald a new dawn? The risks which were once deemed remote have now been exploited multiple times. Is this a wake-up call, or is everyone still yawning when security is mentioned?

Time reports that Bin Laden’s computer contains a “mother lode of intel”. The article ends with the question: “The official posed the same question that’s likely on plenty of other people’s minds: ‘Can you imagine what’s on Osama bin Laden’s hard drive?’”

The question on my mind is rather, with so much to lose, why wasn’t it all encrypted?

by George Wilson, IBM Linux Technology Center

I was recently reading through the NIST “Draft Guide to Security for Full Virtualization Technologies” (SP 800-125 draft) [http://csrc.nist.gov/publications/drafts/800-125/Draft-SP800-125.pdf]. It discusses various considerations relating to hypervisor security. One section that particularly struck me was the comparison of bare metal vs hosted hypervisors. These are also known as Type I and Type II hypervisors, respectively. The document states that choosing between them is a critical security decision. That started me wondering if it is actually true that Type I hypervisors offer superior security to Type II hypervisors. While a Type I hypervisor may have a small kernel, it relies on and trusts an entire OS instance in the resource-owning partition (Dom0 in Xen parlance) for device access. So while it might at first blush appear that a Type I hypervisor has a much smaller TCB than a Type II, the TCB is really just in a different place. Given imperfect knowledge of the implementations and similar size, complexity, and maturity, it would seem that Type I and Type II hypervisors would in general offer similar security. I can’t find any solid evidence to the contrary. I’d love to hear from someone who can clarify why the Type I vs Type II distinction is in any way a major factor in hypervisor security analysis.

by Rajiv Andrade, Linux Technology Center

Since the foundation of the Trusted Computing Group, previously named Trusted Computing Platform Alliance, the pillars required to win most of today’s security challenges have been heavily developed.

The Trusted Platform Module and the Trusted Software Stack are two of these. Now that we have in our hands the required enablement, the next expected step is to come up with the development of detailed and implementable use cases that were originally envisioned when starting the Trusted Computing Initiative.

The use case presented in this newly published Blueprint exploits the integrity measurement capability that the TPM provides. Rather than using a passphrase as an authorization token, it describes how to use a machine’s integrity to authorize access to sensitive files, by means of a key sealed to those integrity parameters.

The parameters include the loaded kernel image, the bootloader and its configuration file, and the BIOS. Thus, if one tries to load a different, flawed kernel image, those sensitive files won’t be accessible. It’s also worth mentioning that the bootloader used is also able to measure critical system files (e.g. the libraries placed at /lib), making the job of a rootkit even harder.

The next step is to attest a machine’s integrity using the Integrity Measurement Architecture (IMA) logs, which contain a list of measurements of all files accessed by the root user during runtime.
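The sealing and attestation steps above, as an added simulation that is not the Blueprint's or the TSS's own code: a PCR extend chain stands in for the measured boot, a key is sealed to the resulting PCR value (the wrap/HMAC construction is a stand-in for the TPM's SRK-based seal), and an IMA-style log is replayed so an attester can check it against a reported PCR. All names, the storage root key and the boot components are constructed for the example.

```python
import hashlib
import hmac

def extend(pcr, data):
    """TPM 1.2-style PCR extend: new PCR = SHA-1(old PCR || SHA-1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def measured_boot(components):
    """Replay a measured boot: BIOS, bootloader, its config file and the kernel
    image are extended into one PCR in load order, starting from all zeros."""
    pcr = bytes(20)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

def seal(secret, expected_pcr, srk):
    """Bind secret to a PCR value: the wrapping key is derived from the storage
    root key and expected_pcr, and an HMAC tag lets unseal detect any mismatch."""
    assert len(secret) <= 32, "toy wrap is 32 bytes wide"
    wrap = hmac.new(srk, expected_pcr, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, wrap))
    return ct + hmac.new(wrap, ct, hashlib.sha256).digest()

def unseal(blob, current_pcr, srk):
    """Return the secret only if current_pcr equals the value it was sealed to."""
    wrap = hmac.new(srk, current_pcr, hashlib.sha256).digest()
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(wrap, ct, hashlib.sha256).digest(), tag):
        return None  # integrity differs: the TPM will not release the key
    return bytes(a ^ b for a, b in zip(ct, wrap))

def replay_ima_log(entries):
    """Replay an IMA-style runtime log of (path, file hash) entries into PCR 10 so
    an attester can check the reported PCR; the template digest is simplified."""
    pcr10 = bytes(20)
    for path, file_hash in entries:
        pcr10 = extend(pcr10, file_hash + path)
    return pcr10

# Constructed stand-ins for the real firmware, boot files and key.
SRK = b"constructed-storage-root-key"
GOOD_BOOT = [b"bios-v1", b"grub-stage2", b"grub.conf: root=/dev/sda1", b"vmlinuz-good"]
BAD_BOOT = GOOD_BOOT[:3] + [b"vmlinuz-tampered"]
FILE_KEY = b"constructed-key!"  # 16-byte key that protects the sensitive files

def demo():
    """Seal FILE_KEY to the good boot state; unseal after a good and a tampered boot."""
    sealed = seal(FILE_KEY, measured_boot(GOOD_BOOT), SRK)
    return (unseal(sealed, measured_boot(GOOD_BOOT), SRK),
            unseal(sealed, measured_boot(BAD_BOOT), SRK))  # (FILE_KEY, None)
```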

Check it out at: http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaai/tpm/liaaitpmstart.htm

By Bryan Jacobson, Linux Technology Center.

While Virtualization offers many benefits, there can also be increased security risks. For example, consider a system running two hundred virtual images. All two hundred images are at risk if a flaw in the hypervisor (or configuration) allows any virtual guest to “break out” into the host environment and affect other virtual guests.

sVirt is a project to improve the security of Linux virtualization. sVirt applies the Mandatory Access Control (MAC) features of SELinux to strengthen the isolation between virtual images. sVirt works with KVM/QEMU and other Linux virtualization systems where the virtual image runs as a Linux user space process.

sVirt is a community project, with founding authors from Red Hat: Daniel Berrange, James Morris, and Dan Walsh. sVirt is integrated with libvirt.

One of my favorite sVirt use cases is: “Strongly isolating desktop applications by running them in separately labeled VMs (e.g. online banking in one VM and World of Warcraft in another; opening untrusted office documents in an isolated VM for view/print only).” (From the 8/11/2008 sVirt project announcement at www.redhat.com/archives/libvir-list/2008-August/msg00255.html).

The project announcement also identifies an excellent design goal: “Initially, sVirt should “just work” as a means to isolate VMs, with minimal administrative interaction. e.g. an option is added to virt-manager which allows a VM to be designated as “isolated”, and from then on, it is automatically run in a separate security context, with policy etc. being generated and managed by libvirt.”.

You can find a 48 minute video of James Morris’s February 2009 presentation on sVirt at Linux.conf.au: video.google.com/videoplay?docid=5750618585157629496#

Slides from that presentation are at: namei.org/presentations/svirt-lca-2009.pdf

Steve Hanna has written an excellent cloud security overview article A Security Analysis of Cloud Computing which talks about how trusted computing can help solve some of the cloud security problems.

Privacy concerns for the ages, is anonymity sufficient? Facebook and Google: Contrasts in Privacy Is privacy an illusion or a social contract? Blakley’s blog post Gartner gets privacy dead wrong debates the issue. Will Facebook users go along with Facebook’s new policies and the sense that their privacy was an illusion, or will they revolt, pile on EFF’s FTC complaint and leave Facebook in droves?

This article covers a lot of ground on the impact of virtualization and cloud adoption on security. I like it right up to the abrupt ending. Virtualization Adoption Slips.

Three just for fun:

SearchEnterpriseLinux.com has a 2009 retrospective of Linux activity: A look at Linux in the recession. Somehow I missed the news about Hannah Montana Linux.

An octopus and its travel trailer: Tool Use Found in Octopuses.

There is a new specialty of female bodyguards in Egypt.

Here are seven links that are worth the time that it takes to read them if you are interested in systems security.

The Evil Maid attacks again:

Two Trusted Computing articles:

An introduction to Tin Hat Linux which is a Linux distribution based on hardened Gentoo which “was conceived as a challenge to the old mantra that physical access to a system means full access to the data”.

Everybody is talking about the botnet on AWS: Zeus botnet finds hold in Amazon cloud. From now on, I fully expect that stories about botnets controlled from within a cloud will become a footnote, rather than noteworthy and they will be served with standard takedown notices.

The September 2009 edition of the Communications of the ACM had a very fascinating article called Spamalytics: An Empirical Analysis of Spam Marketing Conversion. Aside from the catchy title, this article is well worth a read. You will definitely understand more about spam after doing so. Given how much fun the authors must have had doing the background research for this article, it seems a shame to quibble with it, but there were a couple of things that set my teeth on edge, so I’ll do so anyway. Besides, it gives me a reason to point out this article, which really is a fun read. With that said, here are the things about the article that affected me like nails on a chalkboard.

The article starts off with chest beating about how revolutionary the article is since there is a lack of information on the efficacy of spam. But, in their background section, they mention the previous work on pump and dump spam which is relatively easy to study. Wikipedia links to 3 studies that show that pump and dump spamming drove up prices of the touted stocks by 6% between 2005-6. This is a pedantic point but distracts from the strength of their argument right away.

The deconstruction of Corman’s remarks is just outright weird. No telling why they didn’t just ask him what he meant and what numbers he was adding up. My guess is that instead of profit, he may have said or meant millions of dollars in damages, but I haven’t asked him either. The site that they link to doesn’t quote him, rather it attributes a paraphrased statement to him. This paraphrased statement is then put into quotes in the article, but the text in quotes doesn’t actually show up on the linked-to site. (Note, although we both work for the same company, I have never met nor talked to Corman.)

Gathering statistics by parasitic infiltration is ethically questionable. Counter attack is becoming more acceptable from a cyber war perspective, but it is not a generally acceptable security practice. I definitely do not consider it an ethical research practice. The paper extensively discusses the ethics of this practice and decides that since no one is left worse off than before that it must be ethically correct to allow it. I think this is disingenuous and disregards all of the arguments about why it is not an ethically sound security practice, primarily the argument that you might get it wrong and actually damage an innocent bystander inadvertently.

The Spamalytics system alters the entity that they are studying, and thus their statistics, although interesting, become questionable. The backend fulfilment or trojan delivery server is often quickly shut down in a real attack. They address this point in Figure 6, but don’t discount their conversion rate in any way, nor do they cite statistics about how quickly fulfilment servers are shut down to defend not discounting their conversion rate.

They wound up with 28 conversions for the pharmacy spam, but they didn’t allow the site to accept personal information. How many of the 28 users would actually have completed the transaction? How many of them were participants in the scam-the-scammers movement? Regardless, their conversion rate is amazingly low, as they state, too low to sustain profitability for the spamming operation.

The researchers performed analysis on only one type of spammer – the ones motivated by money. The quality of the average spam clearly indicates that not every spammer is in it for the money. They are griefers, just like the griefers in online games who show up to “spoil it for the rest of us”. It would be worth running a similar research project on non-email spammers who are motivated by money to see if they are more profitable. Wired had an article about Craigslist in a recent issue, and it included a paragraph on the problems that they have with spam. They manually remove spam from their listings. Captchas didn’t work because the spammers hired cheap labor to break the captcha. You can see this in Amazon’s Mechanical Turk, where spammers offer users $0.01 to perform a spam-like activity.

Because of these quibbles, I would not bet the house that spammers are unprofitable (or barely profitable) just based on these results. Despite these quibbles, I really enjoyed the time that I put in to reading this article and so I recommend that you go take a look too. Enjoy!