Here's our first "Phrack a Day" posting. We first mentioned this segment
here.
We won't be able to comment on every phile as we did this one, but we'll
do our best to keep them short, informative, and entertaining. We also
won't pretend like we know wtf an article is talking about when it's way
over our heads, so we're counting on you guys to fill in the blanks for
us. There are also some philes that are self-explanatory, [now] common
knowledge, etc. that we may just end up skipping. Post any feedback or
comments -- we'd love to hear them! Also don't forget to post in the
Phrack's comments section as well.
Phrack Issue One --
Released 11/17/1985
Hacking SAM - A Description Of The Dial-Up Security System by
Spitfire Hacker
I honestly have no idea what SAM is. A Google search returned many
results back to this phile, but also turned up this pdf on Global
DataComm Modem Security.
THE PHONE PHREAK'S FRY-UM GUIDE by Iron Soldier
We love pranks, especially getting your friends. This one takes the
cake, totally ruining someone's day: call up the phone company and
cancel the guy's phone, order a stack of phone books. The modern-day
equivalent would be calling up the local pizza shops and Chinese
restaurants and ordering delivery to some loser's address.
Or how about that time we called Poison Control:
> Can you help me? My router has a poisoned ARP cache.
>> Say what??
> It swallowed a TCP packet with a malformed header.
bahaha... good times :)
How to Pick Master Locks by Ninja NYC
This trick was just cool. Remember how your classmates would try to
listen to the clicks like they do in the movies and end up failing to
open the lock? Well, this trick did work. Master Lock has since made it
harder to break, but look no further: WikiHow shows you how to crack
the combo. Hack A Day also had a post back in 2005 with video and a
link showing how to recover a lost combo. In gym class, most of us
would just give up, take a folding chair, and slam the backrest against
the handle. Don't forget the Bic pen trick with Kryptonite U-locks.
Acetylene Balloon Bomb by The Clashmaster & Gin Fizz
Step 1, Fill a bathtub with water. Step 2, Submerge balloon in water and
remove all oxygen. Step 3, Fill balloon up with acetylene. Step 4, Take
balloon out, twist the opening shut. Let dry. Step 5, Open balloon and
insert a rock with a fun-snap.
I read this thinking, there's no way this works the way it's
constructed. How would a fun-snap pop on impact when it's inside the
balloon? This is just one of those projects you'd sit back and say, "eh,
I'll let someone else try this one." If anyone has gotten it to work the
way it's described, let me know.
Schools and University Numbers by Phantom Phreaker
Several years ago our university had a 56k modem bank for remote access
service (RAS). We found that the numbers were listed for students to
access the intranet homepage. One day, I dialed in to access our online
classroom and realized it put me on the same subnet as the student
workstations located in the common area. I began screwing around with
various settings for gateways and proxies, and found one proxy that
would allow me out of the network. I then set up a router in my
apartment and shared the 56k dialup Internet connection with some shady
dude who lived across the hall. Our university eventually took the modem
bank offline and we had to get our own connection. :/
***
Well, that's it for this issue. This issue was relatively short and not
as technical or security oriented. Future posts may end up being broken
up across the week depending on how technical and lengthy the philes
get. Hope you enjoyed reading this; subscribe to the RSS feed so you
don't miss any future updates. :)
Posted by Marcin on Thursday, August 2, 2007 in
Phrack a day.
DEFCON15 is this Friday and I'll be in Vegas Thursday night. I'll be
without Internet access this weekend, but I'll try and post something up
for Sunday. If anybody wants to meet up, send me an email. Gonna be a
good weekend. Some of the talks I'm interested in:
- Dirty secrets of the security industry -- Bruce Potter
- Tactical Exploitation -- H.D. Moore and Valsmith
- CiscoGate -- The Dark Tangent
- The executable image exploit -- Michael Schrenk
- The Market for Malware -- Thomas Holt
- Malware Secrets -- Valsmith and Delchi
- 44 lines about 22 things that keep me up at night -- Agent X
- The edge of forever - Making computer history -- Jason Scott
- The Commercial Malware Industry -- Peter Gutmann
By the way, I put up a poll as I'm trying to get a consensus on what you
guys like. Do you prefer light text on a dark background, dark text on a
light background, or do you not care and just use RSS for reading posts?
Posted by Marcin on Monday, July 30, 2007 in
Conferences and
Security.
Recently, we've heard a lot of talk about P2P apps and data leakage
concerning various members of Congress. It started with this article
over at NetworkWorld, followed up by the guys at nCircle, criticism
directed at Congress from Techdirt, comments from LonerVamp, and lately
a rambling from Alan Shimel on how NAC will solve the problem.
The problem is not so straightforward. It's a mix of company policies,
perimeter and endpoint protection, data protection, and culture. Alan
fails to see the problem all the way through. Sure, your NAC might
prevent P2P apps from existing on the network. But what about on
employees' home networks? Many people are being issued laptops so they
can work from home, on the go, etc. How is NAC going to stop P2P there?
How do you stop people from installing P2P apps on their personal
computers? From bringing or sending data home through email, thumb
drive, or CD-RW?
Besides Tiversa, has anyone actually tried to automate P2P network
scanning looking for [their] sensitive data? One way to attack the
problem is to look for the source of the information leaks. Use
honeytokens to weed out nosy people, spies, and people who are most
likely violating policies. Use an IDS or other network monitoring
solution to alert when it sees those honeytokens traveling out of the
network.
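As an added example (not code from this post or from any of the articles it links), here is one way to put the honeytoken idea into practice in Python: derive a distinct token per recipient of a document, load the token-to-recipient registry into the monitoring layer, and match outbound content against it so a hit points back at the copy that leaked. The key, recipient names and egress lines are all constructed for illustration.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed key; keep the real one outside the documents it protects.
SERVER_KEY = b"example-honeytoken-key-rotate-me"

def make_token(recipient: str, doc_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive one unguessable honeytoken per recipient/document pair.

    HMAC keeps the token from revealing who received it, yet lets the
    monitor recompute the registry and attribute a hit later.
    """
    tag = hmac.new(key, f"{recipient}|{doc_id}".encode(), hashlib.sha256)
    hexed = tag.hexdigest()[:16].upper()
    # Dress it up as an account number so it blends into the document.
    return f"ACCT-{hexed[:8]}-{hexed[8:]}"

def seed_documents(recipients: List[str], doc_id: str) -> Dict[str, str]:
    """Build the token -> recipient registry the IDS rules are loaded from."""
    return {make_token(r, doc_id): r for r in recipients}

TOKEN_RE = re.compile(r"ACCT-[0-9A-F]{8}-[0-9A-F]{8}")

def scan_egress(lines: List[str], registry: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Match outbound content (mail bodies, HTTP POSTs, P2P share listings)
    against the registry; each hit names the recipient whose copy leaked."""
    hits = []
    for n, line in enumerate(lines, 1):
        for candidate in TOKEN_RE.findall(line):
            if candidate in registry:  # lookalikes not in the registry are ignored
                hits.append((n, registry[candidate], candidate))
    return hits

# Constructed sample: one memo seeded with a different token per recipient.
REGISTRY = seed_documents(["alice", "bob", "carol"], "q3-memo")

# Constructed egress lines, as a sensor might reconstruct them.
SAMPLE_EGRESS = [
    "SMTP 10.0.0.5 -> 203.0.113.9 body: 'quarterly numbers attached'",
    "HTTP POST 10.0.0.7 -> 198.51.100.4 body: 'ref " + make_token("bob", "q3-memo") + "'",
    "P2P share 10.0.0.9 index: 'memo.doc ACCT-DEADBEEF-CAFEBABE'",  # lookalike
]

def leak_sources(lines: List[str] = SAMPLE_EGRESS, registry: Dict[str, str] = REGISTRY) -> List[str]:
    """Recipients whose seeded copy of the document showed up leaving the network."""
    return sorted({who for _, who, _ in scan_egress(lines, registry)})

if __name__ == "__main__":
    for n, who, tok in scan_egress(SAMPLE_EGRESS, REGISTRY):
        print(f"ALERT line {n}: honeytoken {tok} issued to {who} left the network")
```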
So the issue is one we'll be seeing a lot from now on as we move towards
"protecting data." Preventing information from leaking onto P2P networks
and detecting it is going to be tough. There is no single answer, but
many that require a lot of thought and planning. In addition to these
latest news articles, check out Inadvertent Disclosure - Information
Leaks in the Extended Enterprise. It's the only paper I've come across
that tries to analyze the extent of the problem and demonstrates the
threat and vulnerability it poses to businesses.
Posted by Marcin on Sunday, July 29, 2007 in
News,
Politics,
Security and
Tech.
Back in May, I attended a meeting to get a feel for the company and
group I would be working for this summer as an IT Security Intern. Much
to my surprise, Richard Bejtlich was in attendance and as it turned out
we'd be working for the same company. Anyways, Richard agreed to be
interviewed on network security monitoring and his new role as Director
of Incident Response.
From reading your blog, most of us know you've served in the US Air
Force. How has serving as an Air Force intelligence officer prepared you
for a career in information security?
My Air Force intelligence training taught me to analyze data and search
for patterns. It gave me some historical background on related fields
like SIGINT. I also attended some specialized training, like the Defense
Intelligence Agency Indications and Warning course. This provided me
with a way to look at events as indicators that can be analyzed to form
warnings, which are then escalated to decision makers. I also learned
proper definitions for terms like "threat" and learned how to model
threats.
What is the most important lesson you learned serving on the AFCERT?
I learned many lessons there. I wouldn't be where I am today if I had
not joined the AFCERT. The first that comes to mind is the importance of
collecting alert, session, statistical, and full content data. The
AFCERT was practicing NSM before it really had a name for it. NSM was
the name of the sensor built by Todd Heberlein. My entire detection and
response methodology is built on that AFCERT foundation. I also learned
to appreciate that people are the real threats, not malware or tools.
Malware and tools change and disappear, but people rarely do, and people
are the bad guys.
What made you want to start your own company, TaoSecurity?
While working at ManTech, many customers were approaching me directly
for consulting and training help. I thought, "They are trying to hire
me, not ManTech. Why not remove the middle man?" So I started
independent consulting in June 2005 and ended in June 2007.
Every company has ups and downs -- were there ever times you wanted to
just quit [TaoSecurity] and what kept you chugging along at the end of
the day?
Well, eventually I did quit. I decided I wanted to try working with a
company for the long term, instead of working in one or two week bursts.
Consulting exposes you to many customers, but if you want to really make
a difference for the long term it pays to be an employee.
What makes a good network security analyst?
First, you need to want to beat the bad guys. If you are entering the
security field because you heard a commercial on the radio advertising
higher pay, you will not get far. You need to understand the business
you are protecting, the processes and the technologies. I recommend
having some system administration experience. I've had multiple students
in my classes who do not have the foggiest notion where to look for the
files that comprise a static HTML Web site, for example. You have to
understand the attacks the adversary employs. I've talked with people
who "play defense," but who have no interest whatsoever in learning how
the offense operates. If you don't know offense, how are you going to
play defense? I think it's important to read because it helps you stay
current. You also need a curious mind and be detail-oriented so you can
perform investigations.
Take me through a typical day with Richard Bejtlich, what do you
typically do in the morning? Are you watching packet captures all day?
Readers tend to see only the juicy stuff an NSM expert tackles by way of
your blog, but how much of your time is spent with very mundane stuff?
My new job as Director of Incident Response is different from my
previous work. During my first month at work I've spent a lot of time
learning about the company and its detection and response requirements.
This has been mostly non-technical, although I've been providing
technical expertise for ongoing projects and cases. I'm working on
assembling an enterprise sensor grid collecting data from various
sources. When that begins to take shape I will have data to investigate,
so I will return to that aspect of work.
I expect at some point to train analysts to do incident detection and
response, so I will be left with the more complex material and the big
picture issues. I try to spend a few minutes each day reviewing my
Bloglines feeds to keep up with current security issues. I also try to
read a few pages from a book on my reading list. If I get any real
reading done, however, it's usually between 9 pm and 12:30 am.
What path would you recommend to those interested in entering the
field of information security and more specifically, network security
monitoring?
If you are in middle school, try to get into a tech-oriented high
school. Then go to college for a CS degree. Get a job as a consultant or
with an MSSP. Whatever tech job you have, you can integrate security.
You MUST have a home lab. You MUST run operating systems besides
Windows. Knowledge of Windows is important because many of the victim
systems you will investigate will be Windows. However, you can do far
more with old hardware and zero budget when you open up to the open
source world. I recommend trying FreeBSD. In fact, try a book like
Building a Server with FreeBSD, and then read Absolute FreeBSD, 2nd
Edition. I also recommend building your own sensor infrastructure to
watch your lab. (I use Sguil.)
I also recommend reading my books, starting with Tao. I wrote it
specifically for people just starting out. I got the idea to write it
in 2001 when I was building an MSSP with Sguil developer Bamm Visscher.
Instead of teaching analysts the same information individually, I
thought it would be best to have a book for them to read. Then we could
work on individual issues.
Ever learn anything from your students or come across something
totally unexpected in your trainings?
Students usually use me as an on-the-spot consultant. They have been
working on some problems for days, weeks, or months, and they ask me how
to solve it in front of 100 people. Sometimes I can help, sometimes I
can't. One of the last classes I taught before joining GE was for a
military unit. They had me analyze live data in front of them, on the
spot. That was interesting.
Where or who do you go to for inspiration in your writing?
I devote each book to someone in my family... Tao was for my wife Amy,
Extrusion for my daughter Elise... now that I have a second daughter,
Vivian, I will have to write a new book. I usually decide that I have
enough original thoughts assembled, or enough material that no one else
is addressing, and then I submit a proposal to a publisher. I have
several on deck now (listed on my books page), but I will probably start
a new project first that's not listed yet.
When I write I usually do it in long stretches that last from after work
until 1 or 2 in the morning. I can do that once or twice a week, which
is good for a chapter. I spend the rest of the week fixing what I wrote.
After 12-20 weeks I have a draft manuscript, and copyediting begins.
That can take 4-6 weeks. Production takes 4 months. So writing a whole
book, if you add in about 2 months of preparation, can take about one
year. That's very aggressive. I think if you take too long events pass
by... unless you're writing THE ONE TRUE BOOK OF SECURITY FOR ALL TIME.
:-)
You mentioned you were recently hired by General Electric to be the
new director of Incident Response. What new challenges are you facing
that you might not have been exposed to in your private consulting?
The biggest challenge is the scope of the company. The closest
organization in size was the Air Force. Honestly, the challenge is the
reason I was interested in the job in the first place.
How do you plan on tackling those challenges?
An obstacle I've encountered that needs to be overcome is the desire to
avoid action because the company is too big. It's ok to take a sampling
approach. With no data, you have nothing to investigate. With some data,
you can make discoveries. Those bring investigative leads which direct
additional data gathering. That is my plan for this challenge.
Over the next 2-3 years, what are the biggest challenges you think the
security industry is going to face?
I see several challenges. If it hasn't happened already, people are
going to wonder why they spent several million dollars deploying a
SIM/SEM/SIEM, and they are "still being hacked." I am exceptionally
worried about clients being exploited via Web browsers and subsequently
controlled via encrypted Web channels. I see more of our investigation
and security tools being directly targeted. I think people are going to
spend millions on NAC and also ask why they are "still being hacked."
I'm hearing that organizations with 80% NAC coverage are seeing
intruders target the remaining 20%. Which, interestingly enough, are the
most vulnerable already -- all those embedded Web servers on printers,
routers, etc... along with new consumer equipment. There's no shortage
of work.
During those years, what do you think we'll have to do right?
My constant plea is for more visibility. If you cannot see what is
happening, you cannot make effective security decisions. To the extent
you do anything right without visibility, you're just lucky. It's like
playing goal with a blindfold. Visibility should be a design and
deployment consideration, just like security is becoming.
More assets are being introduced to the enterprise. How do we deal
with the risks introduced by threats who learn how to exploit vulnerable
assets?
I return to visibility. The world changes too fast for anyone to
understand it. If you can't understand it, the next best bet is to be
able to watch it. If you can't watch it, how are you supposed to defend
it -- or even know that an asset exists? I am not advocating abandoning
your resistance mechanisms. (Notice I do not say "prevention."
Prevention implies 100% effectiveness. Resistance implies that
prevention eventually fails.) You should resist wherever possible but
detect resistance failures. Sometimes that is only possible by keeping
track of as much as you can, and then querying that data after-the-fact.
Then you feed those lessons into your resistance mechanisms and repeat.
And finally, are we really still secure after all these years?
Nope! :-) Security is "the process of maintaining an acceptable level of
perceived risk." It never ends.
Thank you Richard!
Thanks for the chance to share a few thoughts!
Posted by Marcin on Thursday, July 26, 2007 in
People and
Security.
I'd like to introduce a new segment we'll be doing called "Phrack a
Day." Casey and I are going back to the roots of the hacking and
phreaking culture and reading through every Phrack article, beginning
with the first one to the most current. We'll be outlining the main
points from each, provide some commentary, and show off a little history
that so many have forgotten.
Eric S. Raymond once said,
"..being able to break security doesn't make you a hacker any more
than being able to hotwire cars makes you an automotive engineer."
There's more to hacking -- it's about freedom, solving problems, and
respect. With each blog post, we're going to live and embrace the spirit
of hacking, hoping we pass it on to others.
The other day, pdp at GNUCITIZEN brought up the movie Hackers
(http://www.imdb.com/title/tt0113243/) and the e-zine Phreedom as his
reasons for getting into hacking. Hackers may not be technically
accurate, but the culture is there, in plain sight. We'd like to join
you, pdp, in revitalizing what has been lost. To anyone reading, if you
have any questions, comments, complaints, etc., post 'em.
Posted by Marcin on Tuesday, July 24, 2007 in
Hacking and
Phrack a day.