Wednesday, April 16, 2008

Why Social Engineering works

Social Engineering has been mostly overlooked during most IT penetration tests in the past 10 years. However, the latest trend is to include it in all remote and onsite penetration tests. I agree with this idea in principle, but not with how it's implemented.

Face it, not everyone will be good at Social Engineering. This is the same thing that happened when every m$ shop said they could do penetration testing. The only difference is that they relied on Nessus for the pentests; you don't really have that for Social Engineering yet, although I expect a dynamic tool in the near future.

Anyway, this is why Social Engineering works: http://en.wikipedia.org/wiki/Milgram_experiment

This was an experiment on the use of authority. If you remember, it is very close to the scene in Ghostbusters.

Basically, they bring in an actor, a scientist conducting the experiment, and a test subject.
The subject is misled into thinking they are performing a learning exercise. In reality, the scientist is recording how they react to authority when it overrides their personal beliefs.

This human instinct to respect authority is the main weakness in the defense against social engineering attacks. To protect against this, companies should put time into a security awareness program, because 90% of targeted social engineering attacks succeed in obtaining sensitive information. If the attacker has done enough research, the victim may willingly divulge internal passwords within a few minutes.

Wednesday, July 26, 2006

Packet Focus Security Research

RFID Ideas

Ok, so I have been doing a lot of RFID research lately. A couple of ideas I have had to date:

RFID Automotive:
RFID is basically used to ID someone or something, right? I have had several luxury cars in the past that allow (2) drivers to save settings and recall those settings by pushing a button.

Enter RFID: most keys now use RFID for locks and other uses. What we could do is enable the seats, radio, and any other component that has personal settings. These would communicate back to the RFID chip in the key or keychain. They would have the ability to write custom codes to the chip referencing a save point.

Ex: I get into my new car. Before I start it, the RFID chip communicates with the car and all personal settings are activated. The seat, radio, climate control and other settings are how I like them without having to touch a button.

It's all about convenience.

Thursday, June 29, 2006


RFID Access Card Vulnerabilities

Ok... so now I feel like I know a little more about RFID and how it works. I have been reading a lot of research lately about the hardware involved and some of its limitations.

Notes about RFID:
Each RFID tag has a unique UID burned and locked into the card. This is like the unique hardware (MAC) address of a network card.

Most proximity and access control cards do not use encryption and are mostly identified by the UID.

The cards are powered by the readers when within operating range. The range varies from vendor to vendor but is generally short.

The reader and card use a protocol to talk to each other. This is defined in the ISO standards and vendor docs.

ISO makes you pay for the documents. Donations? :)

Encryption and key infrastructure can be used in recent implementations.

Collision protection has been implemented to assist when multiple cards are in the energy field.

Secure installations would use encryption and other methods like biometrics.


Theory:
Almost every proximity or access card is vulnerable to "session replay". This also applies to hundreds of other types of ID cards used at grocery stores, libraries, and elsewhere...

Readers may be vulnerable to exploits used to compromise the box and allow access. This is much easier than cloning or session replay.
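As an added illustration (not code from this post), a toy simulation of the session-replay weakness described above: a reader that admits any card announcing an authorised UID also admits a recording of that reply, while a reader that issues a random challenge and checks an HMAC over it with a per-card key (an assumed scheme, not one the post describes) does not. All UIDs and keys are constructed.

```python
import hmac
import secrets

# Constructed sample data (hypothetical): one authorised card UID, and the per-card
# secret a challenge-response scheme would provision when the card is issued.
AUTHORIZED_UIDS = {"04A2B3C4D5"}
CARD_KEYS = {"04A2B3C4D5": b"constructed-per-card-secret"}

class UidOnlyCard:
    """Card that only announces its UID, as the post says most proximity cards do."""
    def __init__(self, uid):
        self.uid = uid

    def respond(self, _challenge):
        return {"uid": self.uid}   # the reply never varies, so a recording is as good as the card

class ChallengeResponseCard:
    """Card that proves it holds a secret by answering the reader's fresh nonce."""
    def __init__(self, uid, key):
        self.uid, self.key = uid, key

    def respond(self, challenge):
        return {"uid": self.uid, "tag": hmac.new(self.key, challenge, "sha256").hexdigest()}

class RecordedReply:
    """Stand-in for a reply captured in an earlier session and presented again."""
    def __init__(self, reply):
        self.reply = reply

    def respond(self, _challenge):
        return self.reply

def uid_only_reader(card):
    return card.respond(None)["uid"] in AUTHORIZED_UIDS   # access on UID match alone

def challenge_response_reader(card):
    challenge = secrets.token_bytes(16)                   # fresh per session
    reply = card.respond(challenge)
    key = CARD_KEYS.get(reply.get("uid"))
    if key is None:
        return False
    expected = hmac.new(key, challenge, "sha256").hexdigest()
    return hmac.compare_digest(expected, reply.get("tag", ""))

def replay_succeeds(reader, genuine_card):
    """Record one genuine reply, present it in a new session, report whether it is admitted."""
    captured = genuine_card.respond(secrets.token_bytes(16))
    return reader(RecordedReply(captured))
```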

More to come.

Contact: Joshua Perrymon
PacketFocus
www.packetfocus.com
josh.perrymon@packetfocus.com

Monday, June 26, 2006


A lot has been going on lately.... Work has been very busy as well as personal life ;)
Learning to Surf in Australia on my time off...

Eweek contacted us about RFID security at the Olympics and the World Cup. Nothing big here... Each ticket has an embedded RFID chip with a unique ID.
When people walk into the stadium the ticket is scanned and the ID is associated with the personal info provided when buying the tickets initially.
I don't have problems with RFID when it's used effectively (the US DoD, for example: inventory management).

But when using RFID for identification there are certain implied risks. This shouldn't be a problem for ticket IDs as long as the ID is unique and doesn't provide an attacker with the ability to identify ticket holder information. The risk I see with this is input validation on the RFID scanners as the ticket holders walk through. In theory a SQL injection could be burned to an RFID chip and parsed by the backend database upon scanning. This would be a one-shot attempt, and it would be hard to gain outside / backdoor access with one shot.

However, RFID systems such as the one mentioned above should ensure proper input validation is performed on RFID input and integrate this into the SDLC.
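An added illustration of that input-validation point (not code from this post or from any ticketing vendor): a lookup that pastes the scanned tag contents into the query text treats them as SQL, while the hardened lookup rejects anything that is not hex of the expected length and binds the UID as a parameter. The table, the sample UIDs and the 8-20 digit length range are constructed assumptions.

```python
import re
import sqlite3

# Tag UIDs are fixed-length hex, so the reader's input is checked against that shape
# before it goes anywhere near the database (the 8-20 hex-digit range is an assumption).
UID_PATTERN = re.compile(r"[0-9A-F]{8,20}")

# Constructed ticket table for the example, not any real ticketing system's schema.
SAMPLE_TICKETS = [("04A2B3C4D5E6F7", "holder-1"), ("0A1B2C3D4E5F60", "holder-2")]

def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (uid TEXT PRIMARY KEY, holder TEXT)")
    db.executemany("INSERT INTO tickets VALUES (?, ?)", SAMPLE_TICKETS)
    return db

def lookup_unsafe(db, scanned):
    """The risk in the post: whatever the tag contained becomes part of the query text."""
    sql = "SELECT holder FROM tickets WHERE uid = '%s'" % scanned
    return sorted(row[0] for row in db.execute(sql))

def lookup_safe(db, scanned):
    """Hardened version: reject anything that is not a UID, then bind the value as a parameter."""
    if not UID_PATTERN.fullmatch(scanned):
        return []                       # reject (and log) the scan; nothing reaches the database
    rows = db.execute("SELECT holder FROM tickets WHERE uid = ?", (scanned,))
    return sorted(row[0] for row in rows)

def demo(scanned):
    """Run one scanned value through both lookups so the difference is visible."""
    db = setup_db()
    return {"unsafe": lookup_unsafe(db, scanned), "safe": lookup_safe(db, scanned)}
```

With a well-formed UID both lookups return the same holder; with the textbook `' OR '1'='1` payload the unsafe lookup returns every ticket holder while the safe one returns nothing.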

The REAL risk:

The risk I see with RFID is mainly when used as physical access cards. It's trivial to sit outside a large downtown corp and sniff RFID IDs. These can then be burned to a generic ID card and used to access the building.

This is mostly theory but should easily be reproduced with commercial tools.

Josh Perrymon
CEO
PacketFocus
www.packetfocus.com
josh.perrymon@packetfocus.com

Tuesday, May 16, 2006

Alpha Version of LabRat ready

LabRat is the first version of the Application Security Testing CD developed with the OWASP project.

3 straight weekends behind the PC and it is finally ready for testing. This process took MUCH longer than expected. I ended up testing about every distro and method for creating a live CD. I ended up using Morphix ( www.Morphix.org ) for the first version of LabRat.

LabRat v0.8 is based on Debian and runs the 2.6.15 kernel and Morphix live CD modules. So far it has just minimal branding and content. The goal now is to create a stable environment to build the Live CDs. Once that has been checked off, the CD will take on a personality and start including tools that make it functional as something other than a coaster.

Current build includes:
PacketFocus/Owasp Wallpaper
Custom menu items
Desktop shortcuts to tools/pentest folder
OWASP HTML Guide

Tools:
Nmap
Metasploit 2.5
Tcpdump
Ethereal

Upcoming Changes:
Custom BootScreens
Custom KDE Theme
Redesigned Menu to include the OWASP methodology
Fuzzing Tools
Voip Tools
RFID Tools
WebScarab Proxy
WebGoat

You are more than welcome to download the CD and give it a go. However, I must warn you: it is a large download and doesn't contain much content as of yet.

Download LabRat version 0.8: www.packetfocus.com/hackos

Stay Tuned for the next version in June 2006

www.packetfocus.com
email: josh.perrymon @ packetfocus.com


-jp

RFID Hacking

Hmm... every day I read something new about RFID. This technology has been around for a little while but is really gaining steam now. In the US, large entities like Wal-Mart and the DoD are really pushing this technology.

I'm no expert at RFID but I know what I'd like to do with it as it relates to penetration testing.
I'm working on a handheld Compaq iPAQ with an RFID R/W card installed. This device would become invaluable for on-site and physical tests. The tester could hang out in front of the building or in the lobby and scan RFID ID cards as internal users walk by.

The tester could then write to a similar badge medium and have access into the building. This is the type of attack I would use while performing a wireless audit. Having a badge gives a much better chance of getting building access than tailgating. This access is then used to place a wireless AP or similar device inside the building to establish communication channels outside.

So the RFID hack within itself may not bring a corp to its knees, but using it along with another attack makes it deadly.

JP

Direct Phishing Attacks

I have been doing a lot of penetration testing and the largest risk I see is Directed Phishing Attacks. I'm not talking about the normal phishing attack that sends out 10,000 million emails to random @yahoo addresses asking the user to log in to the "new" portal to make sure the password works...

I'm talking about a very small scale, hand-crafted attack. The attacker may spend days or weeks profiling and gathering information before sending an active attack. This is usually directed towards email addresses found on public websites or hardcopy documents captured via other channels. It's common to replicate an outward facing portal and spoof an email to users asking to login or verify credentials to ensure continuity. This stage is where creativity pays off.

The widget that gathers the passwords could be spoofed company newsletters, Citrix, or remote email applications. Other advanced methods include creating a custom .exe installer with company logos and verbiage. The link is then passed to targets asking them to install an update, etc.

No matter the method of gathering the domain credentials, the attacker now has access to valid channels into the target intranet. To me, this process is MUCH easier to execute than performing a multilayered SQL injection or certain overflows. But the obvious fact is that the attacker never triggers any IDS / IPS alarms. Valid remote access is obtained into the target network.

I have been keeping notes over the past couple of years while performing these attacks and have recorded a 100% per-engagement success rate in gaining valid credentials. This is successful due to an overall response rate of 65%, which is probably a lot higher due to expired email addresses on the Internet.

How to protect against this attack?
Well... this is the hard part. Currently I don't know of an existing method that will protect against this type of attack. I have tested numerous global companies that had every device on the market in the network and this attack didn't raise one flag. However, PacketFocus is working to develop a new hybrid technology to protect organizations against this attack. This includes working on a prototype to be released depending on current negotiations.

This new technology will push a new type of AI to detect and deter directed phishing attacks. However, it would be much easier if we could mark the internal usernames and passwords so a smart device could make sure they are not sent outside certain boundaries.


Until then...
Several of the following methods may minimize this risk but impact normal computing:
Enforcing plain text email
Whitelisting company partners
Configuring email servers to deny spoofed addresses
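An added example (not PacketFocus code) of the last two items as a perimeter mail check: a message whose From: header claims the company's own domain is rejected when the delivering host is not one of the company's relays, and outside senders are accepted only from domains on the partner list. The domains, relay network and sample message are constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed policy values (hypothetical): the protected domain, the networks the
# company's own mail relays deliver from, and the partner domains allowed through.
INTERNAL_DOMAIN = "corp.example"
INTERNAL_RELAYS = [ipaddress.ip_network("10.0.0.0/8")]
PARTNER_DOMAINS = {"partner.example"}

# Constructed sample of the kind of message the post describes: the From: header
# claims an internal helpdesk address and points the reader at a look-alike portal.
SPOOFED_MESSAGE = """From: IT Helpdesk <helpdesk@corp.example>
To: someone@corp.example
Subject: Please verify your portal credentials
Content-Type: text/html

<p>Log in at <a href="http://corp-example-portal.test/">the portal</a> to keep access.</p>
"""

def sender_domain(raw_message):
    """Domain part of the From: header address, lower-cased ("" if there is none)."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower()

def gateway_decision(raw_message, connecting_ip):
    """Perimeter policy: (action, reason) for one inbound message and its source IP."""
    domain = sender_domain(raw_message)
    ip = ipaddress.ip_address(connecting_ip)
    from_inside = any(ip in net for net in INTERNAL_RELAYS)
    if domain == INTERNAL_DOMAIN:
        if from_inside:
            return ("accept", "internal relay")
        return ("reject", "external host claims an internal sender address")
    if domain in PARTNER_DOMAINS:
        return ("accept", "partner domain on allow-list")
    return ("quarantine", "sender domain not on allow-list")
```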

EMail Josh.Perrymon (at) packetfocus.com for more details.
www.packetfocus.com

Tuesday, May 09, 2006


Ok... the first version of the distro is ready. It is to be dubbed "labrat v0.8". This version is far from being slimmed down, weighing in at 587 megs. It includes the KDE desktop with a lot of stock programs included. I thought that most of the packages were removed in the main module but a few snuck in.. :)

This distro is being built off Morphix. I must say it is a pleasure to work with. Two weekends and 30 installs later I found Morphix and had my first distro running in about 2 hours. My initial focus was to install a distro and create a mirror image bundled onto the CD. But now I have found that the overlay approach works great and is very repeatable and scriptable.

So this is a Pre-Alpha/Alpha version and has some small bugs. So far it has worked great but did bomb out on an Optiplex 280 @ the office. I think passing a boot parameter VGA=??? will fix it but I haven't tried yet.

I did notice the sound was LOUD when KDE starts on my laptop, so remember to turn the sound down if you're using a laptop.

The /pentest/ directory has a few simple test directories installed including MetaSploit 2.5. This was just to understand how Morphix copies the files over.

A couple of standard Debian packages have been added:
Nmap
TCPdump
Ethereal
Stunnel

To name a few.

I copied over a theme but misspelled the directory.

Anyway, I hope to have time and work on the next version this week and put a beta version out in a month or so.

Download: www.packetfocus.com