I thought I would throw my list into the mix of other Security Twits that are posting about talks they are either going to or wish they were going to at Black Hat this week. Most of my picks have a pentest perspective to them (a lot like CG's over at Carnal0wnage). Here is my tentative list of talks I plan on attending:

August 6th
10:00 to 11:00
Nmap: Scanning the Internet - Fyodor Vaskovich

If your a penetration tester, don't miss this one...Fyodor is a legend (heck, even some girl at sexyhacking.com (NSFW!) thinks so...the man has stalkers! ;-) ) and I'm looking forward to hear about new and unique ways to use Nmap.

11:15 to 12:30
Black Ops 2008: Its The End Of The Cache As We Know It - Dan Kaminsky

Unless you have been living under a rock for the last month then you should know about this one. It will be crowded (like all of Dan's talks) but well worth attending.

13:45 to 15:00
Client-side Security - Petko D. Petkov

Another not to miss talk in my book. Petko or better known as pdp heads up GNUCITIZEN which is one of the sites that I closely follow. GNUCITIZEN releases some amazing security research and are always on the cutting edge. As a bonus it looks like pdp will provide details of a QuickTime 0day for Windows Vista and XP.

15:15 to 16:30
Bluetooth v2.1 - a New Security Infrastructure and New Vulnerabilities - Andrew Lindell

This one should be different. I recently started gaining more of an interest in Bluetooth vulnerabilities. Andrew will "show that it is possible to pair with a device that uses a fixed (but unknown) password, even when the password is random and reasonably long". Sounds interesting.

16:45 to 18:00
MetaPost Exploitation - Val Smith

This is one I am really looking forward to. This is one just for penetration testers. I saw Val Smith and HD Moore present last year on "Tactical Exploitation" and it was outstanding.

After hours...
The Pwnie Awards 2008

If I'm not totally beat I plan on attending this. Should be fun to check out before hitting some of the parties.

August 7th
10:00 to 11:00
Satan is on My Friends List: Attacking Social Networks - Shawn Moyer and Nathan Hamiel

I was tossed between this one and "Encoded, Layered and Transcoded Syntax Attacks". However, I am really on a social network security kick as of late so I think I will attend this one. If it is lame, I'll jump in the other talk.

11:15 to 12:30
Threats to the 2008 Presidential Election (and more) - Oliver Friedrichs

While not pentest specific...this one looks pretty interesting. The synopsis notes the following: "...we will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become. Secondly, we will discuss the potential impact of phishing on an election." Sounds cool!

13:45 to 15:00
Hacking and Injecting Federal Trojans - Lukas Grunwald

The "infection proxy" demo seems worth seeing! The other talk that sounds cool is the one Joanna Rutkowska is doing. I saw her talk at Black Hat last year. Joanna is a brilliant mind, but a *fast* talker...with the amount of technical detail she usually covers...it's tough to keep up.

15:15 to 16:30
...Continuing "Hacking and Injecting Federal Trojans". If it seems to suck, I'll be at the following:

The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation - Nathan McFeters, John Heasman, Rob Carter

or...

Get Rich or Die Trying - Making Money on the Web, the Black Hat Way - Jeremiah Grossman, Arian Evans

I can't decide between these two, perhaps I will attempt to see a little of both! :-)

16:45 to 18:00
Methods for Understanding Targeted Attacks with Office Documents - Bruce Dang

We all have seen a rise in this type of attack over the last year. It's true...there isn't a ton of information about the technical details of these types of attacks. Hopefully this talk sheds some light on what's behind them and help with introducing some new prevention methods.

Wow. Packed schedule with lots of great talks! Looking forward to Las Vegas as well! Always a good time (if I can break even...it would be better). Oh, and hopefully I will be able to hook up with some of the other Security Twits during the week. I'll be at Defcon as well so if anyone wants to have a beer hit me up on Twitter...or, just stop by the Podcaster/Blogger Meetup at Defcon 16. I'll be there representing the Security Justice podcast.

Stay tuned for my Defcon 16 "talks to attend" post in the next few days.

I saw this post on Hexesec the other day that made me think about all the skill's that when you put them together could make one kick ass penetration testing team. Note that this is a pretty large list of skills that would be difficult if not impossible for one person to master. However, it gives you an idea of the various skill sets that should be required for a robust, high caliber team.

As a pentester you should be familiar with most of these areas, meaning, you should have working knowledge at a minimum. Of course, reverse engineering and vulnerability development may not be everyone's forte...but take for example the web application pentester. Reverse engineering and vulnerability development is a skill that can be learned (especially if you have a deep programming and development background). Same goes for wireless penetration testing as someone with a networking background can easily pick this up. Everyone will still have their own specialty but you can still expand on your existing skills to learn new ones.

What's the point? The more you and your team learn the more valuable you become to your organization, clients and your own career.

Looks like the exploit code has been released by HD Moore as a Metasploit module. Hope everyone took the DNS patching requests seriously since we all know Metasploit is really easy to use (yes, especially for script kiddies!).

If you haven't patched your DNS yet...do it now! Check here for more information and here to check your DNS servers to see if they are vulnerable. If your ISP's DNS is still vulnerable...change your DNS servers to use OpenDNS!

Perhaps someone has figured it out or just decided to announce it but the big DNS vulnerability that Dan Kaminsky told the world about may have been revealed. Apparently a reverse engineer named Halver Flake was pretty close to figuring out how the vulnerability works. Then someone at Matasano apparently posted the details and then pulled them. Something is going on in the blogosphere...you can find details about the vulnerability on Slashdot and other blogs regarding the post that was on Matasano then removed:

Via McGrew Security:

"Let’s try again to convince Bob that WWW.VICTIM.COM is 6.6.6.0.

This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).

Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory has an answer. We’ll come back to it. Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.

Alice’s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is 6.6.6.0!

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was 6.6.6.0. It also contained Additional RRs pointing WWW.VICTIM.COM to 6.6.6.0. Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link."

Meanwhile, Dan Kaminsky posted the following on his blog:

"Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have."

This might imply that Matasano has the goods...I hope everyone is patched out there! Things are about to get interesting!

EDIT: Thomas over at Matasano has issued a public apology about the post in question.

This is just a classic case of one administrator who managed to get all the "keys to the kingdom". From the San Francisco Chronicle:

"Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.

Prosecutors say Childs, who works in the Department of Technology at a base salary of just over $126,000, tampered with the city's new FiberWAN (Wide Area Network), where records such as officials' e-mails, city payroll files, confidential law enforcement documents and jail inmates' bookings are stored.

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said."

As part of his plan he also:

"...engineered a tracing system to monitor what other administrators were saying and doing related to his personnel case, law enforcement officials said. "

As of right now all other administrators are locked out of the system and he has the only password! I also saw on CNN today that he still won't give up the password when a judge asked him in court today. Awesome...so how does this happen? While exact details still are not clear...lack of proper controls, proper monitoring of privileged users, oversight, separation of duties...are just a few things that comes to mind.

This should be a reminder for the corporate world that all privileged users (network administrators in this case) should be held to a higher standard then other users on the network. Thus, need more oversight and monitoring. Hopefully the city can get the password cracked or the guy eventually gives it up.

Yes, it's true. Presidential candidate John McCain is just now learning to use a computer. He also has said that he doesn't use email (he has staff and consultants to do that for him). So what does this say about him and how he would handle technology issues? In particular, security issues related to technology and national security. As someone who has embraced technology and social media I have some mixed feelings about this.

I guess in a way it's good to be a bit "old fashioned" but if he was to become the president don't you think that he should at least be competent with basic computer technology (like reading and responding to at least some of his email)? Perhaps we should send him a copy of this book to help him along?

I saw this news article tonight and had to laugh...

"We all recognize that the Web site is important to the community," Mayor Roy Robinson said. "We've tried to save money to build our own Web site. We should be designating a certain amount of money to maintain and protect it in a professional manner."

Yeah, you get what you pay for guys! Basically, the local city web site got hacked. The article tried unsuccessfully to say that the main page was hacked and users were redirected to spyware/malware web sites. Trojan horse in a database...huh? Have to love the media interpretation of technical issues.

This is nothing new right? Think about this though...how many other local communities do the same thing to cut corners and save some cash? Sure it's expensive to build and maintain a web site with security in mind but these days, can you really afford not to? I found a local city web site with security issues (while the one I found was a bit more serious) several weeks ago as an example. Next time you get a chance to talk to your local community ward representative ask them when they last had a security assessment done on the city web site, especially if they are offering services vital to the community.

I won't ramble on about the DNS vulnerability discovered by Dan Kaminsky this week...plenty of other blogs and news sites are covering it. Yes...it's important, groundbreaking and all that jazz. However, if you want the real scoop especially if you need to convince your employer that this needs to be addressed quickly...then I point you to Rick Mogull's web site securosis.com (specifically this post) and listen to the podcast over at the Network Security Podcast which has a good interview with Dan Kaminsky.

Oh yeah..Dan has a cool "DNS Checker" on his web site where you can test your own DNS servers to see if they are vulnerable.

Wow...I'm really on this banking kick as of late...

So I was watching TV tonight and saw a commercial for WaMu (Washington Mutual Bank) advertising their "Online Banking Guarantee". What I found interesting was the whole scenario that played out in the commercial...

Woman: "Hey, I'm using WaMu Online Banking..."
Man: "Online Banking?? That's not safe!!"
Woman: "It's safe...I have WaMu's Online Banking Guarantee!"
Man: "Oh...cool."

(Note: this wasn't word for word but pretty close...you get the idea.)

As a security professional I find it disturbing that you would "guarantee" something (like online banking) is safe and secure without a ton of terms and conditions (I'll get to this in a minute). We all know that nothing is 100% secure. Sure, online banking in general is safe to use..we all know banks are regulated to provide customer safeguards...etc...So how does WaMu pull this off? Here's the deal:

"For any fraudulent or unauthorized transaction that has been initiated during an online banking session at wamu.com, WaMu will provide 100% reimbursement of the transaction amount plus any related account charges imposed by WaMu or lost account interest resulting from such transaction."

Sounds good right? Here is the kicker...you as the customer have responsibilities which if you don't live up to, you get no guarantee...check these out:

"You have protected your password by creating one that would be hard for others to guess and do not write down or share your password with anyone."

Customer: Hard to guess password? So my dog's name isn't hard to guess?

"If you suspect a fraudulent or unauthorized transaction has occurred, you must contact WaMu within 60 days..."

Customer: I'm on it...I never, ever procrastinate about anything!

"If you knowingly share your username and/or password information with others, we will consider any direct or indirect transaction initiated online by this person as an authorized transaction."

Customer: My wife knows my username/password does that count? Damn...I'm getting a ton of these pop-up's on my PC...weird.

and...buried deep in the Online Services Agreement & Disclosure:

"You are responsible for the installation, maintenance, and operation of the Computer and browser software. The risk of error, failure, or non-performance is your risk and includes the risk that you do not operate the Computer or software properly. The Bank is not responsible for any errors or failures from any malfunction of the Computer or the software nor is it responsible for any electronic virus, viruses, worms, or similar software that you may encounter. The Bank has no liability to you for any damage or other loss, direct or consequential, which you may suffer or incur by reason of your use of the Computer or the software."

Thus...no guarantee. Enjoy!

Lots of buzz on the net about Blizzard (creators of World of Warcraft) offering a $6.50 two-factor authentication token for customers that want an extra layer of protection for their account. Yes, if you didn't know account theft in WoW is on the rise! I commend Blizzard for taking this extra step to help protect their customers...sure two-factor authentication isn't perfect, but regardless it's a step in the right direction.

So why don't more banks and financial institutions set this up for their customers? PayPal was able to do it right (not perfectly, but close)? It comes down to customer support and cost. One of the many ways a bank or financial institution makes money is by offering products that are user friendly and can be used by just about anyone. For someone using a two-factor authentication token with some technical skill it's a cake walk...unfortunately, the average bank user (think about your mom or the person in your family with the least amount of technical skill...yes, the one that calls you to fix their computer...) will most likely be confused as how to use the device and that will be a call to the bank's customer support center (calls cost $$) and lets not forget about the back end infrastructure (servers and IT staff cost $$) and all the additional red tape the institution has in regards to advertising and putting a friendly spin on it to customers.

Martin McKeay and Michael Santarcangelo on the Network Security Podcast (Episode 110) had some good discussion about this. In a nut shell the conversation was about how banks offer many different easy to use services and tying a two-factor solution to all of these products is just not worth the cost, time and effort (except for high wealth customers). Also, what happens when you have multiple accounts at multiple banks? Do you carry around multiple tokens? My opinion? Until there is something easier to use and more secure, I don't see most banks or financial institutions going two-factor anytime soon.