Nov 4, 2007
RubyConf 2007, Day 3: Sploitin' with Ruby
Speaker Aaron Bedra, who works for startup gonowdo, is closing out the day with a talk about how Ruby has "infiltrated the security community."
The main thrust of the talk is introducing Metasploit, a collection of information security tools for exploitation (attacking and owning systems). The tool has been ported from Perl to Ruby in its most recent version.
Metasploit has top-level concepts of exploits and their auxiliaries. Exploits depend on payloads, encoders, and NOPs (no-operation instructions). Exploits are what trigger a vulnerability, and payloads determine what happens afterwards (for example, getting an administrative shell back from the target machine). Encoders transform payloads, avoiding restricted characters and applying intrusion detection evasion techniques.
A variety of payloads are available for different platforms. Bedra describes Metasploit's meterpreter as "the coolest and best use of Ruby in the application." It's an enhanced version of irb that exposes a DSL for exploitation. To deliver these payloads, Metasploit has three interfaces: a console, a Rails-powered web interface, and a GTK GUI that's still experimental.
Before Bedra can proceed with a demo, a couple of skeptical questions from the audience interrupt him. One questioner was unsure of the benefit of being shown how to attack systems, and the other wanted more information on defending his web applications. A general discussion of security disclosure and the benefits of security research clears up some misconceptions, and the demo proceeds.
The target machine is a virtual machine running an old copy of Windows 2000. Bedra selects an exploit targeting a vulnerability in the WINS nameserver, and proceeds to demonstrate that the system is up and talking to the network. The meterpreter payload is selected, the host set, and the system is exploited. Everything is working flawlessly so far.
Bedra then demonstrates increasing privileges, listing processes, and retrieving password hashes. He then jumps to irb and manipulates various properties of the system from familiar Ruby syntax. It's noted that the meterpreter DLL is a mere 80k, and lives solely in memory unless otherwise specified. Spawning calc.exe and migrating to its privileged process is shown, as is uploading remote files.
Next, the web interface is demoed from a virtual instance of Backtrack, described as the evolution of the WACKS and Auditor LiveCDs. The process of exploiting from the web interface is quite literally point-and-click. The payload this time around contains VNC, allowing complete graphical control of the target system. Always impressive.
Sep 23, 2007
Positive Security Strides in Rails
At last year's RailsConf Europe in London, I argued that security is a framework-level concern, and a great place for Rails to offer developers sensible, responsible conventions. Reading over the Rails changelog just now, I was thrilled to see some positive momentum in the security arena.
First of all, Rick Olsen's csrf_killer plugin now comes standard in Rails (you can see more work being done on the merge here). Edge Rails users can now decorate their controllers with a call to protect_from_forgery. Forms built "the Rails way" will then be secured with a hidden token. We use a similar pattern for critical actions in Twitter and it's worked out well.
Secondly, the sanitize, strip_tags, and strip_links helper methods are now far more robust. While Rails's previous string sanitization was better than nothing, it let many non-trivial XSS attacks sneak by. This change should ensure that all but the most determined attackers can't pollute your Rails-powered site with sneaky scripts.
Improvements like these go a long way towards improving the default security stance of Rails applications. It's also an example of the rewards of framework usage: you get good stuff for free.
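The hidden-token pattern behind protect_from_forgery, as an added dependency-free example rather than Rails' own implementation: one random token per session is minted when a form is rendered, and state-changing requests are refused unless they carry it. CsrfGuard, its method names and csrf_demo are assumed; the constant-time comparison is my addition, not something the changelog describes.

```ruby
require 'securerandom'

# Added example, not Rails' own code: a minimal model of the
# protect_from_forgery / hidden-token pattern. Names are assumed.
module CsrfGuard
  TOKEN_KEY    = 'authenticity_token'
  SAFE_METHODS = %w[GET HEAD].freeze

  # One random token per session, created on first use. Only pages this
  # app rendered ever contain it, so a form hosted elsewhere cannot know it.
  def self.token_for(session)
    session[TOKEN_KEY] ||= SecureRandom.hex(32)
  end

  # What the form helper adds to every form built "the Rails way".
  def self.hidden_field(session)
    %(<input type="hidden" name="#{TOKEN_KEY}" value="#{token_for(session)}" />)
  end

  # Constant-time comparison: an early-exit compare would leak how many
  # leading bytes of the token a guess got right.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Read-only methods pass; state-changing methods must carry the session's
  # token. A session that never rendered a form fails closed.
  def self.verified?(method, params, session)
    return true if SAFE_METHODS.include?(method.to_s.upcase)
    expected = session[TOKEN_KEY]
    return false if expected.nil?
    secure_compare(params.fetch(TOKEN_KEY, '').to_s, expected)
  end
end

# Walk one session through a render, a legitimate submit, a cross-site
# forgery that lacks the token, and a GET. Returns the four outcomes.
def csrf_demo
  session = {}                            # stands in for the Rails session
  form = CsrfGuard.hidden_field(session)  # first render mints the token
  token = session[CsrfGuard::TOKEN_KEY]
  {
    rendered_token: form.include?(token),
    legit_post:  CsrfGuard.verified?('POST', { 'authenticity_token' => token, 'amount' => '10' }, session),
    forged_post: CsrfGuard.verified?('POST', { 'amount' => '10' }, session),
    forged_get:  CsrfGuard.verified?('GET', {}, session)
  }
end
```

Note that forged_get passes: GET is exempt by design, which is exactly why an action that changes state must never be reachable by GET.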
Jan 15, 2007
Updates to Acts As Sanitized Coming
It’s been nice to see that there’s some interest in Acts As Sanitized.
John Nunemaker referred me to the White List plugin by Rick Olsen, which seeks to solve a similar problem but for views, not models. Rick himself then mentioned that the sanitize method passes only a fraction of the test cases that he’s adapted from Rsnake’s XSS Cheat Sheet, something I’m well aware of.
Over the next couple days I’ll be expanding my test cases to encompass the XSS Cheat Sheet. Beyond that, I’ll be providing an enhanced filter along the lines of Rick’s solution. Rick has clearly done the difficult legwork here; the rest is just a matter of approach and implementation details.
Any other feature requests while I’m at it?
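Both the strengthened Rails sanitize/strip_tags helpers above and the Acts As Sanitized work here come down to the same lesson: filters that look for known-bad patterns fail the XSS Cheat Sheet cases, while an allowlist that rebuilds output from scratch does not. The block below is an added illustration of that allowlist approach, not the code of Rails, Acts As Sanitized or the White List plugin; ALLOWED_TAGS, SAFE_URL, clean_text, rebuild_tag and sanitize_html are assumed names, and the regex tokenizer is teaching-sized, where production code should tokenize with a real HTML parser.

```ruby
require 'cgi'

# Added example (not Rails' or Acts As Sanitized's code): a small allowlist
# sanitizer. Everything not explicitly allowed is rebuilt as escaped text.
ALLOWED_TAGS = {
  'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'p' => [], 'br' => [],
  'a' => ['href']
}.freeze
# Only same-origin relative, http(s) and mailto links; javascript:, data:,
# vbscript: and protocol-relative URLs all fail this check.
SAFE_URL = %r{\A(?:https?://|mailto:|/(?!/))}i
TAG_RE   = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
ATTR_RE  = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Decode entities once, then re-encode, so pre-encoded "&lt;" text never
# double-encodes and a decoded "<" never reaches the page raw.
def clean_text(text)
  CGI.escapeHTML(CGI.unescapeHTML(text))
end

# Rebuild an allowed tag from scratch, keeping only allowlisted attributes.
# Unknown tags (script, img, iframe, ...) are dropped entirely; their text
# content stays behind as escaped text, much as strip_tags leaves it.
def rebuild_tag(closing, name, raw_attrs)
  allowed_attrs = ALLOWED_TAGS[name]
  return '' unless allowed_attrs
  return "</#{name}>" if closing
  kept = raw_attrs.scan(ATTR_RE).map do |attr, dq, sq, bare|
    attr = attr.downcase
    next nil unless allowed_attrs.include?(attr)
    # Entity-decode and strip control chars/whitespace before the scheme
    # check: browsers tolerate "java\tscript:" and "&#106;avascript:".
    value = CGI.unescapeHTML(dq || sq || bare).gsub(/[[:cntrl:]\s]/, '')
    next nil if attr == 'href' && value !~ SAFE_URL
    %( #{attr}="#{CGI.escapeHTML(value)}")
  end.compact
  "<#{name}#{kept.join}>"
end

# Split input into text runs and tags; text is escaped, tags are rebuilt.
def sanitize_html(html)
  out = +''
  rest = html
  while (m = rest.match(TAG_RE))
    out << clean_text(m.pre_match)
    out << rebuild_tag(m[1] == '/', m[2].downcase, m[3])
    rest = m.post_match
  end
  out << clean_text(rest)
end
```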
Nov 9, 2006
Human Testing, Unit Testing
The Windows Vista team knows something about finding bugs after all:
“Donnelly [who manages part of Microsoft’s Vista test operation] tries to do the opposite of what an IT manager would recommend. He changes all the default settings, for instance. And instead of testing a clean installation on a new machine, he’ll try to upgrade an older model. ‘You find bugs,’ he said, ‘You absolutely find bugs that way.’”
It’s a start.
The security guy in me has a hard time choking down the Unit Testing doctrine. Programmers don’t find deep bugs in their own code. Machines don’t find deep bugs when running in a contrived development/testing environment. These approaches find surface bugs, and that’s valuable, but they shouldn’t help you sleep at night.
People doing dumb and/or malicious shit find deep bugs. You can’t script dumb and malicious.
Jun 7, 2006
And Yet Another Thing
Along with the other changes I’m making, I’ve resigned from Kenshoto. I haven’t talked too much about my participation therein, so here’s a sort of post-mortem.
Kenshoto is a hacker group in the tradition of the l0pht, the Shmoo Group, the Ghetto Hackers, etc. The group was formed two years ago, during the first ShmooCon. Most members competed in the Capture the Flag (CtF) competition at DefCon 2004 as Team Bacon. Popular Science wrote an article about that year’s game, a fair portion of which was from the perspective of Team Bacon. Bacon didn’t win, but we had a good time and thought hard about the mechanics of the game.
While the group was established with the usual set of hacker ideals and goals, Kenshoto’s principal purpose was to take up the torch from the Ghetto Hackers and run CtF at DefCon 2005. After a winning proposal bid, Kenshoto ran last year’s game to positive reaction from both teams and spectators. They were invited back, and this year they’ll be running it again. That’s the history, in a nutshell.
My role has been fairly minor. Much of the preparation for the 2005 game took place while I had moved to San Francisco, so my contribution was minimal. I intended to do more this year, but as the months progressed I found myself spending my after-work time on DJing and other less deeply technical pursuits. With qualifications coming up and development for the game about to get into full gear, it was time to either ramp up my commitment or bow out. Faced with the deeply unappealing prospect of a third summer’s vacation hours spent in Vegas, I chose the latter option.
I truly enjoyed my time participating in Kenshoto and I wish them the best for this year’s CtF game and beyond.
Oct 21, 2005
Schneier On Infosec Economics
A while back I wrote a post about the economics of information security. Yesterday, security expert Bruce Schneier spoke in a similar vein about where liability and economic burden should fall in the product security lifecycle.
I like what he has to say, but I’m not convinced that incentivizing developers to bear security costs upfront and, theoretically, to produce more secure products will shift enough economic burden onto attackers. As long as it’s cheaper to pay people to exploit software and more profitable to reap the benefits, the underground will deem law enforcement threats an acceptable risk and continue doing their worst, even in the face of (or in spite of) increased security spending.
It’s also somewhat glib to suggest that “[c]omputer security isn’t a technological problem—it’s an economic problem.” Really, it’s both, and a cultural problem to boot.
Jul 11, 2005
Fit To Print
Holy cats. The end of Phrack made the beeb.
The bit at the end is cute:
“I’d be surprised to see the thing stay dead,” [Bruce Sterling] told the BBC News website, “They’ve got no fixed address and anonymous contributors.”
“Any set of unruly teenagers could start Phrack up because that’s who started it in the first place.”
A set of unruly teenagers hit the reset button on Phrack while it was still in “publication.” Their efforts are still floating about.
Not to get misty, but it is the end of an era. Some of the most important texts in information security found distribution via Phrack. It proved that the community could do better than 2600.
Jul 4, 2005
What’s Good and What’s Bullshit at DefCon 13
This is more for my scheduling purposes than anything else, but I thought I’d share. Given that my friends and I will be busy with Capture The Flag at this year’s DefCon (just mere weeks away!) I won’t have a lot of time to see talks. I played in CTF last year and didn’t see a single talk; given that I’m helping to run the contest this year I don’t have high hopes for my free time.
If I get a spare minute this is what I’ll be seeing, what I’ll be avoiding, and what I’ll be divided on, culled from the DefCon 13 Speakers Page:
Good
appropriate to the conference, covers new material, challenges the audience
- Routing in the Dark: Scalable Searches in Dark P2P Networks
- The Information Security Industry: $3 Billion of Snake Oil (editor’s note: you had me at the title)
- The Next Generation of Cryptanalytic Hardware
- Google Hacking for Penetration Testers (editor’s note: seems like a mundane topic but the speaker is a sharp fella)
- Suicidal Linux (editor’s note: Bruce does a good rant)
- Pen-testing the Backbone
Bullshit
tired topics, conference-unspecific material, non-technical, pandering, goofy, “hacker sociology” horseshit, tedious libertarianism, too academic, too corporate
- A New Hybrid Approach for Infrastructure Discovery
- On the Current State of Remote Active OS Fingerprinting
- Introducing the Bastille Hardening Assessment Tool
- Development of An Undergraduate Security Program
- Be Your Own Telephone Company…With Asterisk
- Analysis of Identity Creation Detection Schemes post-9/11 (editor’s note: bonus bullshit for use of the phrase “post-9/11”)
- Countering Denial of Information Attacks
- CISO Q&A with Dark Tangent
- Whiz Kids or Juvenile Delinquents: A Sociological Perspective The Construction of Hacker Identity
- Introduction to Lockpicking and Physical Security
- The Hacker’s Guide to Search and Arrest
- The Power to Map: How Cyberspace Is Imagined Through Cartography
- Hacking Nmap
- A Safecracking Double Feature: Dial ‘B’ For BackDialing and Spike the Wonder Safe
- Bacon: A Framework for Auditing and Penetration Testing
- Inequality and Risk (editor’s note: please stop talking, Paul Graham)
- Top Ten Legal Issues in Computer Security
- The Insecure Workstation II: “bob reloaded”
- Your Defense is Offensive
- No Women Allowed? Exploring Gender Differences In Hacking
- Meme Mining for Fun and Profit
- Credit Cards: Everything You have Ever Wanted to Know
- Black Ops 2005
- Passive Host Auditing
- Doing Not-For-Profit Tech: The Hacker Foundation Year in Review
- A Linguistic Platform for Threat Development
- Introducing Unicornscan – Riding the Unicorn
- The Dark Side of Winsock
- Social Engineering Do’s & Don’ts (A Female Perspective)
- The Six Year Old Hacker: No More Script Kiddies
- Old Skewl Hacking – InfraRed
- Visual Security Event Analysis
- Meet the Fed
- Hacking the Mind (Influence and NLP)
- Ask EFF: The Year in Digital Liberties
- Causing the Law
- Bypassing Authenticated Wireless Networks
- Assymetric Digital Warfare
- Licensing Agreements 101: The Creative Commons License
- Hacking Windows CE
- Why Tech Documentaries are Impossible (And why we have to do them anyway.)
- Automation – Deus ex Machina or Rube Goldberg Machine?
- Forensic Data Acquisition Tools
- Building WarDriving Hardware Workshop
- Legal and Ethical Aspects of WarDriving
- The NMRC Warez 2005 Extravaganza
- Attacking Web Services: The Next Generation of Vulnerable Apps
- Hacking Google AdWords
- The Revolution Will Not Be Copyrighted: Why You Should Care About Free Culture
- Recapturing the Revolutionary Heart of Hacking
- Hackers and the Media- Misconceptions and Critical Tools To Combat Them
- Paul Vixie Speaks
- Trends in Licensing of Security Tools
- Attacking Biometric Access Control Systems
- The Unveiling of My Next Big Project
Could Go Either Way
might be good, might be bullshit
- Mosquito – Secure Remote Code Execution Framework
- Auto-adapting Stealth Communication Channels
- Sketchtools: Prototyping Physical Interfaces (editor’s note: this looks neat but is totally inappropriate for DefCon, which is the fault of the speaker reviewers and not this presenter)
- Hacking in a Foreign Language: A Network Security Guide to Russia (and Beyond)
- Intro to High Security Locks and Safes
- Surgical Recovery from Kernel-Level Rootkit Installations
- GeoIP Blocking, A Controversial But (Sometimes) Effective Approach
- Trust Transience: Post Intrusion SSH Hijacking
- ATM Network Vulnerabilities
- Shmoo-Fu: Hacker Goo, Goofs, and Gear with the Shmoo
- “Shadow Walker” – Raising The Bar For Rootkit Detection
- DIRA: Automatic Detection, Identification, and Repair of Control-Hijacking Attacks
- Physical Security Bypass Techniques: Exploring the Ethics of Full Disclosure
- End-to-End Voice Encryption over GSM: A Different Approach
Jun 30, 2005
Can Markets Fix Information Security?
An unavoidable realization when working in information security is that you’re profiting from decades of mistakes.
Whether you’re playing defense or offense, one way or another you pay your rent thanks to the misconceptions, ragged implementations, and carelessness of the generations of technologists that came before you. The best hackers on the planet are the best because they’re close to those mistakes and the technologies that allowed for them.
No surprise, then, that pretty much anyone with a long career in information technology understands that overhaul, not incremental patching, is the only definitive solution to the security woes that plague us.
It’s a losing battle. Such a radical overhaul will likely never occur. Hell, we can barely contemplate a global move to IPv6. Even if we collectively decided to move on to Computing 2.0, our conceptual scope can’t account for all potential vulnerabilities. It’s the human condition: we’re all but blind to faults at the time of a creative act. When it comes to something as complex as computers even hindsight isn’t 20/20; unforeseen vulnerabilities in old software crop up every day.
So, why? I’d argue that the economics of security don’t work out. Right now, for every white hat making dollars off protecting a network there’s a black hat with more to gain from breaking into that network.
Now think beyond one network. Spread information security liability and consequences across all industries, across any portion of the global economy that depends on networks to function (i.e., pretty much all of it). Do we have more to gain by collectively sponsoring security initiatives? Of course. Will international governments, militaries, private industries, and non-profits ever coordinate rather than compete? That’s a rhetorical question best left unanswered; suffice it to say that to date, competition has not left us more secure.
Yeah, I said it. I’m as pro-market as the next post-libertarian, but markets don’t create security. Yet.
Decades ago, people said the same thing about markets and environmentalism. They said that polluting was always cheaper than being green, so industry would continue to pollute. But through advances in technology and revolutionary economic ideas like selling “pollution credits”, industry and environmentalism are no longer polar opposites.
Something similar needs to happen in information security before we see substantive improvement. A combination of technological overhauls and economic refactoring will make security cheap and economically efficient. It’s nice to see that people are thinking about the technical end, but I’m not sure who’s thinking about the economic end.
Talk to me if you know, or if you have thoughts on this subject. Comments are enabled for a change.
Apr 26, 2005
We’ll Be Your Hosts This Con
So, there’s a little more to the Popular Science/DefCon/CTF story. Sure, we played last year. Yeah, we had a good time (a time good enough to write about, apparently). But the nature of the competition left our wheels turning.
Months passed, and our crew found ourselves out for Thai food one evening during this February’s Shmoocon. ShmooCon didn’t attempt to offer a hacking contest on the scale of CTF, and its shorter sprint-style games weren’t popular. We kicked some thoughts around and were soon dedicated to an idea: we were going to run Capture The Flag, the biggest hacking competition in the world. We were going to run it, and we were going to run it better.
For the past several years the venerable Ghetto Hackers, former multi-year CTF champions, have run the challenge. I’ve only had the opportunity to play in one competition run by the Ghetto and it was, by and large, solid. A hacking competition is a hideously complex thing, a tenuous web of puzzles and tricks designed to thwart tricksters who eat puzzles for breakfast. Anyone managing to design a remotely entertaining hacking game deserves merit, and the Ghetto all the more so for taking the burden on multiple years running at considerable expenditure of bytes, sweat, and cash.
The Ghetto, for the above and other circumstances, decided to make way for new blood this year. A call for proposals was made several months ago and we didn’t hesitate. Then we waited, and planned. Oh yes. We planned.
Today it’s official. We, kenshoto, are your hosts for Capture The Flag at DefCon 2005.
We’re putting together a game that will be fresh for longtime players, accessible to first time players, and all around fun. If you’re into pwning stuff I encourage you to sign up, try your hand at the qualifiers, and hopefully join us in Vegas this summer for a great goddamn time. Spread the word, too: not only can teams register, but we’re accepting individuals who want to “lone wolf it” as well.
The next few months are gonna be busy!
Apr 22, 2005
But… They’re Tracking Me!
The first “privacy advocate” to complain about the prospect of Apple embedding GPS trackers into PowerBooks gets punched in the neck. Nobody wants to be within thirty feet of you people, much less track your geospatial location to an accuracy of thirty feet.
Metadata is the joint. Don’t fuck it up for the rest of us.
Feb 4, 2005
ShmooCon
I’ll be at Shmoocon this weekend.
I’m a little burned out on hacker cons, but Shmoocon – being located right here in DC, put on by friends and colleagues, and free to me thanks to a pass handout “for the community” at a 2600 meeting a few months back – requires such infinitesimal effort and outlay of resources on my part that I have no excuse but to go.
Say “die” if you’re around. I’ll be blogging interesting panels as I see fit and as connectivity permits.
Jun 7, 2004
Production Shmerver
OpenBSD excising future Apache httpd developments seems, unfortunately, like yet another reason not to run the heavily audited OS as anything more than a firewall/router box. I see where they’re coming from, and there’s always custom compiles, but it seems like they’re auditing themselves into a corner.
May 28, 2004
An Immodest Proposal
Some chump over at Slate rocks the bullshit economics to let us know that it would cost less to kill worm writers than imprison them. It’s all an argument for encouraging more impartial economic thought by the government, which isn’t a bad thing, but this guy’s reasoning is shabby at best.
I won’t take it point by point, but his conclusion is worth eviscerating: “Governments exist largely to supply protections that, for one reason or another, we can’t purchase in the marketplace.” Take that as fact and the author is still wrong in the case of virus writers: protections against what he eye-rollingly dubs “vermiscripters” can be purchased in the marketplace. All the recent widespread worms have exploited gaping holes in Microsoft Windows and products that run on that operating system. A consumer choice to use Windows is a consumer choice to be exploited and suffer losses, tantamount to consciously moving into a crime-ridden neighborhood. Government should be protecting us from monopolies peddling insecure software, not the petty vandals who write worms.
Further, information security policy implemented in the US is next to worthless in a global network context unless developed in tandem with international partners to ensure extradition rights. Even if our courts suddenly decide to kick it Texas style and execute worm authors, chances are slim-to-nil that our global partners would go along with such daft policy.
Ultimately the article is about the author’s economic perspectives, and the whole proposal a device for expounding upon them. Regardless, he should stick to his “everyday economics” and not venture into territories he’s woefully uninformed of.
May 13, 2004
Pf Outside OpenBSD
The availability of pf as a loadable NetBSD kernel module brings me hope of one day, in the not too distant future, running pf on FreeBSD production servers. And there would be much rejoicing.
If you <3 pf like I <3 pf, check out the O’Reilly interview (and part 2) with some of the core devs working to make packet filtering/scrubbing/mangling that much better.
May 7, 2004
Richard Clark Interview on Cyberwar
Choice quote from the PBS interview:
I think the fact that Microsoft hadn’t applied its own patch of its own system says it’s difficult and time consuming to apply these fixes.
Linky link from Bruce Sterling.
May 3, 2004
SummerCon 2004
I’ll probably be at SummerCon 2004, mostly ’cause it’s a good way to kill a Saturday. A couple years back when the con was in DC it was fun enough. Not highly attended, but good folks by and large.
Mar 15, 2004
Good InfoSec Deed For The Day
I was in my school’s commons building this afternoon, reading, when I overheard a young man trying to sell a discount salon package to two young women and their male companion sitting to my left. Since we’d had a rash of scams the previous semester (kids selling bogus tickets to a comedy club on false behalf of our SGA) I was skeptical as I listened to his pitch. Right about when he was putting on the sale-closing pressure, mentioning that he took cash, checks, or credit, I walked over and politely interrupted. I mentioned to them the scams from last semester and suggested they give the salon he was promoting a call before paying for anything.
I didn’t stay to see if they completed the sale or not, but I was thanked by the targets of the sales pitch before they left. They hadn’t seen the scams reported but found my interruption very helpful. The young man with the two girls confided in me that he found the whole thing a little sketchy, but the salesman was just so pressuring.
It amazes me that people don’t really think about their personal information security, even with all the publicity that identity theft gets these days. I was happy, if a little embarrassed, to be able to give someone a heads-up, and happier still that they didn’t think I was a crazy, nosy jerk.
Mar 11, 2004
Hackers Don’t Let The Hacked Hack Back
Talk to a less technically-inclined person about information security for long enough and they’ll eventually and inevitably suggest the following idea: “what if the firewall hacked back at those jerk hackers?” If you’re not an idiot, you then explain exactly why you don’t want a firewall or similar security countermeasure that retaliates against intruders: because there is no legal self-defense doctrine for hacking, nor even a reliable guarantee that your automated retaliation will reach its intended target.
Apparently, someone had the hack-back conversation and was an idiot.
Feb 27, 2004
Remember, Kids
Gen. John Gordon, White House homeland security advisor: “to date [terrorists] have not engaged in cyberwarfare.” From the horse’s mouth, people. Don’t let anyone tell you otherwise.
The article is a good read, and includes comments from honchos on DHS’s recent failing grade on a congressional cybersecurity readiness assessment, not least of all: “I do not want to receive an F next year.” Maybe it’s time to start studying, then?
