Eco-friendly is NOT equal to security

August 25, 2009

It is a well-known statement that compliance is not equal to security. This is due to the divergence between the goals of security and those of being compliant. To many companies, being compliant means doing just enough to check a box and not have the auditor fail the organization. On the other side is security. Security is a process. It is the process of protecting the organization from threats, both internal and external, through many different means. Security is only proven over time. Being “good enough” is not good enough. In reality, you may be “good enough” to not be attacked today, but that has nothing to do with the threats of tomorrow. For sure, 0day exploits can happen to any organization; the difference is how well you can handle it. Are there sufficient controls in place to limit your risk? Is an incident response team ready to be deployed if there is an incident? etc…

Okay, moving on…

Nowadays, many companies are pushing “Green” efforts and becoming environmentally friendly. This means doing anything and everything possible to help the environment. For years the common method to do this was to use eco-friendly lights, take public transportation to work and recycle. In the corporate world, the lights are usually chosen/replaced by the building maintenance department. As for public transportation, some organizations assist their employees by allowing them to expense monthly passes. The use of large recycling bins makes things easy for companies as well. However, there must be a process to handle sensitive documents. If employees were to recycle sensitive information, then an attacker would have an easy job stealing the data! Separating documents from actual trash means there is no need for the attacker to get into the dumpster and get all dirty anymore. All that is needed is to grab a bag of recycling, and it is likely the bag would contain some sensitive documents. Sensitive data should never make it to the recycling bin in the first place. Documents should be shredded before they are recycled, and the employees of the organization should be trained to handle the data properly. Obviously, any training that would occur would be error-prone. Therefore, the best way to handle recycling is to shred the documents before recycling them. That way, eco-friendly is equal to security + the cost of the shredding/recycling service.

-Jabra


"Unmasking You!" at BlackHat 09 and DefCon 17

August 7, 2009

Last week, I gave a presentation with Robert “RSnake” Hansen called “Unmasking You!” at BlackHat 09 and DefCon 17.

The slides and demos can be found at: http://spl0it.org/files/talks/defcon09/

Originally, we were only scheduled to speak at DefCon, but due to a last-minute change we spoke at both venues. The backstory of how that occurred is kind of funny, so I figured I would share it with everyone who hasn’t heard it yet.

On July 26th, I decided to go out on a twilight fishing boat after a week-long engagement in LA. We weren’t really having much luck catching fish: a few missed opportunities, but no fish. As the sun began to set over the harbor, my expectations shifted to enjoying the evening and the week ahead in Las Vegas at BlackHat and DefCon. Around 10:30 or so, I got a call from “RSnake”, and he said, “There has been a scheduling change, would you like to give the talk at BlackHat?” That was the only moment in my life that I was happy I didn’t have a fish on my fishing line. I gladly accepted the invitation and knew that the next 48 hours would be interesting, since I still needed to record many of my demos. Once I arrived in Vegas, I spent the majority of the time preparing all of the demos and getting things ready. The end result was around 9 recorded demos and 2 presentations.

Our presentations went really well and everyone had great comments and feedback. I had an amazing time hanging out with tons of friends who I only see once a year. I had a chance to meet Wade Alcorn (the author of BeEF). BeEF, for those who have not used it, is a browser exploitation framework, and it is very useful in performing penetration assessments. For the talks, I wrote all of my code and ported some of RSnake’s code to BeEF as modules, which will be included in the next release (should be out in a few weeks). All of the demos demonstrated methods that attackers can use to determine information about the victim’s machine.

I hope everyone enjoyed the talk and I look forward to seeing everyone again next year in Vegas!

Regards,

Jabra


Detecting Browser Plugins

August 6, 2009

This is a module from the Browser Exploitation Framework (BeEF) to detect all of the plugins available within the browser. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.


Disabling Safebrowsing

August 6, 2009

These are the steps used to disable SafeBrowsing within the Firefox Browser. This can also be done using Edit->Preferences and selecting security, then unchecking “Block reported attack sites” and “Block reported web forgeries”. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.


Virtualization Detection

August 6, 2009

This is a module from the Browser Exploitation Framework (BeEF) to detect the virtualization technology being used by the client. This technique uses the MAC address with a regular expression to identify if the client is running on VMware, QEMU, VirtualBox or Amazon EC2. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.


SMBenum (Software Detection)

August 6, 2009

This is a module from the Browser Exploitation Framework (BeEF) to detect software on the client’s machine. This technique uses local rendering of GIF images with SMB within the browser. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.


Visited URLs (Alexa Top 500)

August 6, 2009

This is a module from the Browser Exploitation Framework (BeEF) to identify all of the URLs that the client has visited. This technique uses the CSS history to identify valid results. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.


Malicious Metasploit Applet (via BeEF)

August 6, 2009

This is a module from the Browser Exploitation Framework (BeEF) to load a malicious Java Applet on the client. If the client runs the applet, a connection from the client’s system to the attacker’s system is made using the Metasploit Exploitation Framework. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.


Metasploit Autopwn (via BeEF)

August 6, 2009

This is a module from the Browser Exploitation Framework (BeEF) to perform an iframe redirection to Metasploit Browser Autopwn or a Browser Exploit. However, in this video, we used netcat (nc) instead of Metasploit. We configured netcat to listen and verify that the request was made to netcat. In exploitation, Metasploit would launch the exploit(s) against the client once the first request is made. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.