EH-Net
  Show Posts
1  EH-Net / News Items and General Discussion About EH-Net / EH-Net Compromise?!?! on: February 28, 2009, 07:48:02 AM
"EH-Net Compromise Disclosure

EH-Net was compromised a few months back, and we are asking all members to immediately change their passwords. Although we do not hold any sensitive data such as social security numbers, credit card numbers, date of birth, etc., we still realize that, although it is not recommended, some members may use the same password for social sites such as ours as they do for more personally sensitive sites. If this is the case, please immediately change those passwords, too, and make both follow complexity guidelines.

We apologize for the late notification, but while we were in the process of cleaning the mess, we did not want the attackers to be notified. Our intention was to prevent multiple notifications and required actions by our members. Although we feel very comfortable in the status of the site and had planned on notifying all members, someone beat us to the punch. http://www.milw0rm.com/papers/297. We are providing this link, so that our members can see that a select few accounts and their passwords have been released to the public. We do not know how many more they have or will make public. This makes it even more urgent to change your passwords.

We apologize for any inconvenience this has caused. Although many other sites have experienced the same issues, and we are clearly a target based on the content of the site, this in no way excuses us for this incident.

Donald C. Donzal
Editor-in-Chief
The Ethical Hacker Network"

WTF?

EH-Net staff waited over eight months to let members know about the compromise?  According to the milw0rm release, the compromise occurred before "Jul 16 18:05:29 CEST".  I got a notice today (Feb 28, 2009) about the compromise.  This means that members of EH-Net or registrants for ChicagoCon may have had their account information in the hands of black hats for 8 months.  Forum and conference registrants trusted EH-Net to keep their account details secure (it is a security organization after all).  At the very least they should have known about the compromise as soon as it happened so they could be given the opportunity to change passwords shared with other accounts.  Instead they're notified almost a year after the fact.  This sort of scenario is *exactly* why so many states have passed mandatory notification laws - to protect consumers from circumstances where trusted vendors lose their information but don't notify the customers.
2  Features / /root / Re: [Article]-Intercepted! Windows Hacking via DLL Redirection on: October 16, 2008, 12:11:01 PM
I'm a little confused.  Milw0rm lists this article as posted in November of 2006 - two years ago (http://www.milw0rm.com/author/858).  Is this just a cross post or did Craig Heffner actually produce this content for EHN?  Adding a dig for content posted on milw0rm, packetstorm and other sites seems a little odd.  I did find the PDF format on milw0rm much easier to read (and print/save) :).
3  Ethical Hacking Discussions and Related Certifications / Malware / Re: write my own exploits ? on: September 23, 2008, 08:17:59 AM
On the other hand...

If you want to learn about web application exploits, knowing C, Perl, and all about memory addressing won't be of very much use (exploiting a C based CGI web application or Perl web application aside).  In order to exploit an application you have to understand the technologies on which it rests.  Web application technology usually relies on a scripting language (PHP, ASP, JSP, etc.), and a database (MS-SQL, Oracle, MySQL).

That said, I'd like to cite a recent blog post from SecurityBuddha.com (http://securitybuddha.com/2008/09/10/are-you-a-builder-or-a-breaker/).  The point of the post is to ask why so many people in security focus on breaking things rather than building better software.  I think learning to actually program in a language will be a much more valuable endeavor if you really want to learn to write exploits.  Being able to create an application, securely, teaches you much more about the pitfalls of application security than simply learning to write exploits.  The most skilled penetration testers can pull apart a target by analyzing services and software based on their own knowledge of how to build such things, and common points of weakness.  Knowing how to build apps allows you to do actual code level audit of systems, which is more thorough and likely to catch subtle bugs that automated testing will miss.  Sure, it takes a lot longer to learn to build applications and systems than it does to simply break them, but the value is much greater.  Why not learn how to spot weaknesses and offer fixes instead of just how to break things?
4  Resources / Tools / Helix 3 Released on: September 23, 2008, 08:07:29 AM
Helix 3 has been released.  This forensics centric live CD is now Ubuntu based and includes updates to many of the host programs.  From the site:

"Helix has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. Helix will not auto mount swap space, or auto mount any attached devices. Helix also has a special live side for Incident Response and Forensics."

The new version of Helix can be found at http://www.e-fense.com/helix/
5  Resources / Tools / Re: Login Hacking? on: September 09, 2008, 09:58:38 AM
Brutus AE2 or THC Hydra fit the bill.
6  Ethical Hacking Discussions and Related Certifications / Forensics / Data Recovery on: September 08, 2008, 09:15:44 AM
Hello,

  I'm posting because I have very little experience in forensic recovery but at an event over the weekend I overheard someone tell a casual computer user that if they were going to sell their computer on eBay all they had to do was a "low level format" of the drive to destroy all their data.  The explanation was that if the user formatted the drive from the BIOS menu that the computer would overwrite all the sectors on the hard drive and that only people who could spend hundreds of dollars would be able to recover any data.  The computer in question was an old Windows XP machine with no special security software.  I'm wondering how effective such a formatting is, how easy it would be to recover data off a drive formatted in this way, and basically if this advice holds any water at all?  I'm inclined to think that if you aren't doing a DoD spec wipe you're asking for trouble, and my suggestion was to simply TrueCrypt the drive so data recovery would be impossible.  Does anyone have any thoughts/insights/suggestions about a situation like this?  Thanks in advance.
7  Resources / Tools / Re: OSSEC v1.6 Released on: September 08, 2008, 09:06:26 AM
I think this might be a dupe of OSSEC v. 1.6 ;)

Version 1.6 might not be completely ready for prime time yet though.  There have been numerous problems reported with the release, including non-functional Windows active response.  The main developer, Daniel Cid,  recently wrote to the OSSEC mailing list:

Hi all,

I think I figured out what was going on. Depending on the argument (if it had spaces), the command to block would not be called properly. I am pretty sure it is fixed on the following snapshot:

http://www.ossec.net/files/snapshots/ossec-win32-080904.exe

Can you try with this version? You don't need to update the server, just the agent side.

*I will release a v1.6.1 soon with the fixes for some of the reported bugs so far.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
8  Ethical Hacking Discussions and Related Certifications / Other / Re: Chrome - Google Enters the Browser Wars on: September 03, 2008, 06:04:27 PM
Chrome sports quite a few neat security features that are intriguing.

The sandboxed tabs seem to be one of the best features in the new browser, which will limit data leak from one tab to another.  Whereas most browsers run each tab inside the parent process, with Chrome, each tab is its own independent process.  This means that one tab can't reach into the memory space of another tab (which actually effectively firewalls the tabs from one another, especially nice for the "incognito" tabs).

I'm a little perplexed by the incognito mode frankly.  It seems like a nifty feature, sure, but not all that practical if you're really serious about privacy.  The browser still collects cookies and transmits personal information and doesn't provide any of the protection of anonymous browsing via TOR or the privacy protection of encryption.  Your session can still be sniffed and the only real advantage is none of the data utilized by the browser is written to disk.  This might be nice in that the browser doesn't "remember" the URLs to sites you've visited or cache images, but you can customize most browsers to mimic this functionality.
9  Resources / Tools / OSSEC Version 1.6 Released on: September 03, 2008, 08:12:12 AM
On September 1, OSSEC announced the release of the latest version of the OSSEC-HIDS tool (version 1.6).  This release includes many notable new features including:

  • Support for Microsoft Vista/Server 2008
  • Performance and stability enhancements on Windows
  • Active response on Windows
  • Upgraded rootkit checking
  • Added support for more log formats

For a full list of upgrades and enhancements check out the change log.  OSSEC can be downloaded from http://www.ossec.net/main/downloads.

This is the first major release since Third Brigade acquired OSSEC and it looks to be a pretty major upgrade.  Third Brigade now provides commercial support for OSSEC, but the project remains free and open source software (FOSS).

OSSEC is an open source host based intrusion detection system.  It is completely cross platform and works on Unix, Linux, Windows and Mac OS.

--
http://www.MadIrish.net
10  Ethical Hacking Discussions and Related Certifications / General Certification / The IACRB on: August 29, 2008, 11:53:48 AM
Jack Koziol was kind enough to leave a response to one of my recent blog postings about the IACRB (specifically concerning their relationship with the InfoSec Institute).  He includes a bunch of great information that I wasn't able to find anywhere else on teh interwebs.  Those interested in understanding the linkage between the two organizations are encouraged to read his responses.  Because the IACRB sponsors such great certification processes I found it odd that the organization was so opaque.  In addition to Jack's comments, the IACRB also seems to be updating its website with some new features and perhaps more information about the organization.  Having passed the CEPT myself, I firmly believe that the IACRB utilizes some of the best certification methods available to ensure the quality of those they certify.  I'm eager to see how the organization lives up to this precedent by offering a clearer picture of their composition, mission and certifications.
11  Ethical Hacking Discussions and Related Certifications / Social Engineering / Re: Advice from Microsoft on: August 29, 2008, 08:42:20 AM
What's even scarier is that tactic fails to prevent many common phishing tactics.  For instance, using a domain name that looks like the target in specific fonts (substituting 1's for lower case L's for instance) or misspelled domain names.  Not to mention that if a link spans multiple lines it's sometimes tough for users to cut and paste the whole thing.  Microsoft needs to do their security reading (http://people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf) first before issuing statements like this :(
12  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Is CEH really useful? on: August 25, 2008, 07:57:38 AM
Certification, in the end, stands as independent verification that you passed a test.  The test criteria and the respectability of the certifying body determine the value of the test to others.

Personally, when I interview someone I don't give a second look at the certifications they have.  I look for experience that proves the assertions the certifications make.  Proving you can apply knowledge that a certification tests is much more difficult than just getting a certification.

I have to applaud the CEPT because it has a practical portion that is unstructured, that forces you to apply your knowledge.  If all certifications had this sort of component fewer people would be certified but certification would be worth a lot more.

That said, in the end I think demonstrable knowledge and skill are much more important than a certification, but then again I'm not working in a big box corporation.  For large organizations, the HR departments will insist on some sort of rubber stamp they can use to weed out candidates.  So if that sort of job is your goal, certifications are great.

Certifications are also good if you're freelance or doing consulting.  Having certifications stand in good stead for references (which are probably better).  However, having lots of certifications will make your client feel more confident about you, and allows them to justify their investment in your services to their superiors.  Like the saying goes, nobody ever got fired for choosing the Gartner pick.

Outside of consulting and big corporations though, in that other murky realm inhabited by your peers, a certification is going to be worth the paper it's printed on.  Other security professionals, especially those who are familiar with certifications, view certifications with quite a bit of skepticism.  Proving to this audience that you know your stuff will require quite a bit more.  In this arena I would say a published article is worth a lot more than a certification.  Working on an open source project, producing white papers, publishing exploits and the like will go a lot farther to prove your credibility than producing a certification that shows you memorized the answers to a hundred multiple choice questions.

Of course, going to a hiring officer at a large company and saying "I published the remote root compromise of servers running foobar 1.2" will probably just get you a blank look.  On the flip side, if you do something like that, someone might just come looking for you with a job offer.  I never heard of anyone trolling the CISSP registrations looking to hire their next rock star though...
13  Resources / Tools / OWASP releases DirBuster 0.11.1 on: August 22, 2008, 10:37:33 AM
Two days ago OWASP (http://www.owasp.org) announced the release of a new version of their DirBuster tool.  DirBuster is a Java based web application scanner.  Basically you give it a host and it scans that host for directories on the host.  DirBuster can utilize a list of directories and files or it can brute force them.  DirBuster is nice because it can find files and directories that might not be directly linked to.  This can be used to expose information on the host that you might not find otherwise.  DirBuster will also parse the HTML of files that it does discover, allowing it to follow links present in discoverable files as well.  You can find more information about DirBuster at the OWASP site at https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project.
14  Ethical Hacking Discussions and Related Certifications / Other / Re: Simple Question on: August 19, 2008, 07:31:47 AM
There is a growing trend amongst infosec circles, especially with information assurance people, to concede that compromise is inevitable.  If you subscribe to this school of thought then backups are your best friend.  In an economic analysis, when you take compromise as a given, it makes the most sense to spend your time/energy investing in returning services to availability rather than exploit prevention.  To that end I'd say your backups are a very, very wise way to devote your time.  Because law enforcement agencies rarely take on cases of cyber crime I would suggest that any forensic analysis you do should be to discover the vulnerability utilized to compromise your systems so you can patch them (rather than worrying about chain of evidence to build a criminal case).  If you're going to pursue a criminal case law enforcement is going to insist on doing the forensic investigation anyways.  Just my $.02.
15  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Web App Hacking on: August 14, 2008, 02:54:15 PM
WebGoat is pretty solid, but for my money I'd recommend cruising the vulnerability announcements for well known web apps and installing vulnerable versions and exploiting them yourself.  Many of the most popular web systems have vulnerable versions at some point.  Installing them and figuring out how to exploit the vulnerability is, I think, a lot more worthwhile than poking at a training application.  Of course, you've got a lot more overhead installing and configuring applications that you may not intend to use other than as an exploitation experiment.  Just my $.02.  Getting familiar with tools like Paros and the Firefox Tamper Data plugin will go a long way towards getting you up to speed also.
© 2013 The Ethical Hacker Network