Archive for May 2008
Raiders of the Lost Backup Tapes
Posted by: Tom

Amazing that security breaches like the one I am about to tell you about are becoming so common that mainstream media outlets like CNN don't even report them anymore. If you haven't read about this pretty significant security breach yet, let me briefly tell you about it...
Customers of Bank of New York (BNY) Mellon and People's United Bank of Bridgeport, CT may have had Social Security numbers and bank account information exposed when unencrypted backup tapes went "missing" from BNY Mellon. No big deal, right? Only 4.5 million customers affected. From the Reuters article:
"...on February 27, Bank of New York Mellon was transferring back-up tapes with data, including names, addresses, birth dates and Social Security numbers, when it lost a box with six to 10 unencrypted tapes....an archiving vendor lost the tapes from its Shareowner Services unit, but there was no evidence any data had been inappropriately accessed or used." [sic]
Basically, People's hired BNY Mellon Shareowner Services in 2007 to tabulate votes and process stock orders during its conversion from a mutual bank (owned by its depositors) to one that is fully publicly traded.
Moving on...nothing to see here right?
The problem is that this data was not BNY Mellon's own customer data but customer data from People's United Bank, along with records on some Wachovia employees and some 64,000 MetLife shareholders...
"People's United claims this was a BNY Mellon security lapse, as People's United transmitted encrypted information to BNY Mellon who in turn created the unencrypted backup tape(s) that was lost."
Good for People's Bank for encrypting the data in the first place...but the problem lies with the vendor(s). It seems that more and more financial institutions are letting other financial institutions and other vendors process transactions and convert information for them. Trusting others with your sensitive data is not always the best idea (even though that's how business gets done these days); however, BNY Mellon should have encrypted these backup tapes in the first place! What about the vendor (Archive Systems Inc.) who actually lost the box of tapes? I would think that they are to blame as well. Sounds like a lot of vendor management issues here from many angles.
I would think that a large archive vendor like this would have some kind of policy stating some form of compensation for losing a box of tapes in transit. Much like how armored truck carriers transfer money from a bank branch to a financial processing center: if the armored car is compromised in transit and the bank loses all the money inside the car, it's not the bank's fault, so the armored car carrier is responsible for the loss and has to compensate the bank.
Looks like 4.5 million customers will get one year of crappy credit monitoring service as usual because of poorly managed vendor relationships. Nice.
KeePass Password Manager
Posted by: Tom

I wrote an article some time ago about multiple platform password managers. At the time I talked about PasswordSafe and Password Gorilla. While both of these are really good password managers that work on Linux, Windows and OSX, Matt Neely talked about KeePass at the NEO InfoSec Forum last week and made the case that KeePass is probably the best password manager available.
What is really cool about KeePass is that you can use it on just about anything, including Blackberry and Windows Mobile devices. Having a password manager on the Blackberry just about sold me and I have yet to try it; however, what did sell me was the KeePass port called KeePassX for Linux and OSX! I downloaded and installed it on my Mac and it is way faster than the old Password Gorilla. The features are really great too, with automatic clearing of your clipboard, a nice easy to navigate interface and a password expiration system. My only gripe was that I had to load up the Windows version to import my PasswordSafe formatted database file for use in the OSX version. The Windows version has a plugin you can download which will automatically import your database file from PasswordSafe. There is no PasswordSafe import plugin for OSX currently. Other than that, I am converted and love it!
TJX Employee Fired for Posting Security Issues
Posted by: Tom
"Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords."
"...a store server that was running in administrator mode, making it far more susceptible to attackers..."
and my favorite...
"My store manager even posted the password and user name on a post-it note..."
So what's the issue here? Two things. Sure, telling your management that there are security issues was the right thing to do. However, when nothing changes based on the information you told them, things need to be escalated to a higher level of management. I would hope that TJX has some sort of "ethics" or "privacy" hotline (most major companies have these and they are anonymous) that this guy could have called. How about doing some research on the company Intranet to find out who to contact? That would be an easy approach to take if your management is not listening to you. Secondly, it was not the brightest idea to post on a hacking forum and let the whole world know of these issues. This guy was easily tracked back to his real IP...heck, he probably even posted from work, which made tracking him even easier! If he was really serious about not wanting to be caught then he should have used Tor or some other anonymous proxy to set up the account and make those postings (keep in mind he was just a retail worker with no IT background, so Internet anonymity was an afterthought). Either way, not a very smart thing to do.
I still find it hard to believe that the TJX information security department would have thought it was OK to have blank passwords to log on to servers! If so, these are not security professionals in my book...heck, a bunch of script kiddies wouldn't even use blank passwords! My guess is that the information security department never even knew about these issues. The "management" that he reported the issue to was actually the loss prevention department. The loss prevention department in retail and other companies mainly deals with preventing shoplifting and theft...really not the right people to handle information security issues. Regardless, TJX still seems like a security train wreck...they won't be getting my business anytime soon.
SecuraBit: New Security Podcast
Posted by: Tom
The Ethical Hacker Network: Interview with Ed Skoudis of Intelguardians
Posted by: Tom

Very good interview over at The Ethical Hacker Network with Ed Skoudis of Intelguardians. Ed talks about his career, how Intelguardians came to be, his new SANS 560 Course, and a little about his hacker challenges that he is famous for. I know several of the Intelguardians and I have a huge amount of respect for all of them. If you are just getting into information security or penetration testing, Ed is one person that should be a role model for your career.
From the article's author it looks like parts two and three will be with Johnny Long and HD Moore. Awesome stuff...looks to be a great series of interviews.
Attendees to be tracked with RFID at The Last HOPE
Posted by: Tom

According to 2600 News, 1,500 attendees of this year's Last HOPE (Hackers On Planet Earth) hacker conference will be tracked via RFID in a large social experiment which will include games focused on RFID technology. From the press release:
"Players will seek ways to protect their privacy, find vulnerabilities in the tracking system, employ data mining techniques to learn more about other participants, and choose how much personal information they will disclose in order to play."
Cool stuff...if you are into being tracked via RFID! It should be interesting to see some of the results of this experiment from the conference attendees, and to see some cool hacks to gather RFID data and ways to protect your privacy. I did an article on RFID a while back talking about ways to protect your identity using credit card "shields".
The Last HOPE takes place July 18 to July 20, 2008 at the Hotel Pennsylvania in New York City.
Debian and Ubuntu OpenSSL Vulnerability
Posted by: Tom

I won't go into all the details since every other security blogger on earth is covering it....however, as a reminder, this issue is pretty serious if you generated any keys on affected Debian or Ubuntu systems. The best summary I have found of the issue, with links to all the "toys" that have come out to attack this vulnerability, is on HD Moore's web site. Here is a summary from HD:
"All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will need to be recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need to be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerable system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."
Ugly vulnerability is right for an OS that changes you....
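A quick way to put HD's advice into practice is to audit the keys that are allowed to log into a host. The script below is an added example (not code from the original post and not Debian's own ssh-vulnkey tool): it parses an authorized_keys file, computes each key's fingerprints and flags any key whose blob hash appears in a blacklist. The keys and the blacklist are constructed for the example, and the blacklist is assumed to be a set of full SHA-1 hex digests of the raw key blob; the real openssh-blacklist files store a truncated form, so matching against one of those would need the same derivation they use.

```python
"""Audit an authorized_keys file for keys generated on a flawed Debian system.

Added example, not code from the original post or from Debian's ssh-vulnkey.
ASSUMPTION: the blacklist is a set of full SHA-1 hex digests of the key blob
(the real openssh-blacklist files store a truncated value). The keys below are
constructed with tiny made-up moduli purely to exercise the parser; they are
not real keys.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    """SSH mpint: big-endian magnitude, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_blob(e, n):
    """The ssh-rsa public key blob, i.e. what the base64 field of authorized_keys encodes."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprints(blob):
    """MD5 colon form (what ssh-keygen -l printed in 2008) and SHA-1 hex of the blob."""
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha1": hashlib.sha1(blob).hexdigest(),
    }


def parse_authorized_keys(text):
    """Yield (key_type, blob, comment) per key line, skipping blanks and comments.

    Lines may begin with options such as from="host"; the key type token is
    located by its ssh- prefix. Options containing quoted spaces are not handled.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith("ssh-"):
                yield tok, base64.b64decode(parts[i + 1]), " ".join(parts[i + 2:])
                break


def audit(text, blacklist):
    """One record per key: type, comment, both fingerprints and a weak flag."""
    records = []
    for key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprints(blob)
        records.append({"type": key_type, "comment": comment, "md5": fp["md5"],
                        "sha1": fp["sha1"], "weak": fp["sha1"] in blacklist})
    return records


# Constructed sample data (NOT real keys): pretend the first key came from a flawed host.
WEAK_BLOB = rsa_blob(65537, 0xC4F3D2A19B7E5F01)
OK_BLOB = rsa_blob(65537, 0xA1B2C3D4E5F60789)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for user tom",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " tom@debian-box",
    'from="10.0.0.5" ssh-rsa ' + base64.b64encode(OK_BLOB).decode() + " tom@mac",
])
BLACKLIST = {hashlib.sha1(WEAK_BLOB).hexdigest()}  # constructed, not Debian's list


if __name__ == "__main__":
    for rec in audit(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        status = "WEAK - replace this key" if rec["weak"] else "ok"
        print("%s %s %s" % (rec["md5"], rec["comment"], status))
```

Run it against a real file by reading the file into the `text` argument; any record flagged weak means the key was generated on an affected system and must be replaced, not merely removed from this one host, since the same public key is probably in authorized_keys files elsewhere.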
Nessus "registered" plugin feed to be discontinued
Posted by: Tom

I came across this post by Martin McKeay on the Network Security Blog today talking about changes to the Nessus plugin feed licensing that Tenable will put in place on July 31st. Martin makes some really good points and I recommend you read his post. Basically, as a corporate user you will need to pay for the new "ProfessionalFeed". A corporate user is classified as anyone that uses Nessus in a corporate environment, including MSSPs and security consultants (some exceptions apply for non-profits and charities). From the Nessus announcement:
"...Tenable’s “Direct Feed” will be re-named to the “ProfessionalFeed” and the “Registered Feed” will be discontinued. The ProfessionalFeed will entitle subscribers to the latest vulnerability and patch audits, configuration and content audits and commercial support for their Nessus 3 installation. The ProfessionalFeed will serve as Tenable’s commercial subscription and will be required for individuals and organizations that want to use Tenable’s Nessus plugins commercially."
Looks like you are now getting everything that you would have gotten if you were a previous "commercial" user including support for Nessus 3. Home users will still be allowed to download the free "HomeFeed".
My thoughts are that I personally get a ton of value out of Nessus...it's simply the most versatile vulnerability scanner out there (from a pentest and customization perspective especially). Now that it is going to this "pay for plugins" model it doesn't really change much for me...I think the Tenable guys do great work, and now that they will have more cash flowing in I would suspect the Nessus product offering will only get stronger.
Oh, and don't forget that Tenable is offering a limited time rebate for corporate users:
"Tenable is offering a 25 percent rebate for the Direct Feed subscription service (normally available at $1200 per year), beginning May 14, 2008 until July 31, 2008 only when purchased through Tenable’s e-commerce site."
Lessons Learned from the Lowe's Hacker Brian Salcedo
Posted by: Tom

Brian Salcedo was convicted back in 2004 of hacking the Lowe's (a national home improvement retail chain) computer network through an unsecured wireless network. Brian and his partner found the unsecured wireless network while wardriving. Brian's plan was to eventually tap in and siphon off millions of credit cards through a backdoor installed in a proprietary Lowe's program called "tcpcredit" that Brian and his partner had modified.
Brian is currently serving out a nine-year prison term even though there is no evidence that he even saw one credit card number (before this, the longest federal sentence for a hacking offense was the 68 months imposed on Kevin Mitnick). During the investigation only six credit card numbers were found in the file that was created by the modified "tcpcredit" program. Ironically enough, Brian seems to blame lack of fame and notoriety for why he did what he did (he mentions the felony he was on probation for before the Lowe's hack):
"It took awhile to work out the dilemma then consuming my head. Why did those around me get acclaim for exposing security flaws? They got hired, I was convicted of a felony. What was I doing wrong? After what seemed like a lifetime absence from computers, I decided to renege on my commitment to stay away from it and I simply relapsed into this all-out cracking binge."
Two years later enter TJX ...
Back in November of 2006 TJX disclosed that there had been about 17 months of unauthorized network access, resulting in the compromise of 46 million credit card accounts. To date this is the largest single breach of personal data in history. How did the TJX breach happen? Almost the same way Lowe's got hacked: lack of wireless security. In this case TJX was using WEP, which is known to be extremely vulnerable to attack. Of course there were other vulnerabilities that had to be exploited on the internal TJX LAN, but the wireless network was the entry point. As we all know, it only takes one vulnerability to potentially bring down a network.
Two more years later enter Dave & Buster's and Hannaford...
Just today, it was announced that Dave and Buster's fell victim to a data breach that resulted in bank losses of up to $600,000. This time the attackers apparently used "social engineering" to install packet sniffers to obtain credit card information. That's right...social engineering. Ironically, one of the accused was apparently also involved in the TJX breach (I could only find one source on this). Hopefully we find out more details in coming days about how this social engineering attack took place.
The Hannaford Supermarket breach resulted in 4.2 million credit card numbers being compromised just this year. The attackers had apparently planted malware on the servers at each of the 294 affected stores. This malware apparently sent the compromised data overseas.
While details about all of these intrusions are still coming out, one can start to see the similarities with Lowe's, TJX, Dave & Busters and Hannaford.
Lessons Learned:
- Wireless is dangerous for retail if not properly secured. Now that WPA2 is widely available there is no reason that a retailer should not use WPA2. Interesting to note that I have reliable sources tell me that other major retailers are still using WEP to secure their wireless networks...and it's 2008!
- Stealing data in transit within an internal company network is the new hotness! Most of this information is unencrypted until it gets to the database. In many cases it's rather trivial to get this level of access (administrator rights on a workstation or server) to install a packet sniffer once you are on the internal network.
- Social engineering is on the rise! I wouldn't be surprised if all it took was a simple phone call from "the IT guy" asking a store manager to install a new piece of software in the case of Dave & Busters (or Hannaford, you never know).
- If you are a criminal thinking about doing the same thing...it's only a matter of time, you will most likely be caught and if you are a US citizen prepare to get the book thrown at you like what happened to Brian Salcedo.
- Finally, as a company don't put all your eggs in the PCI basket! Just because you are certified PCI compliant (Hannaford) doesn't mean you are secure!
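The second lesson, card data crossing the internal network in the clear, is easy to demonstrate and just as easy to check for. The script below is an added example, not anything from the original post or from the breaches described: it applies the same logic a sniffer would (find digit runs, keep the ones that pass the Luhn check) to a set of packet payloads, and masks what it finds so the report itself is not a cardholder-data leak. The capture is constructed, and the card numbers in it are the industry's published test numbers, not real accounts.

```python
"""Find card numbers (PANs) crossing the wire in the clear.

Added example, not from the original post. A sniffer on an internal segment
looks for exactly this; a defender can run the same logic over a capture to
see what is exposed. CAPTURE below is constructed, and the card numbers are
the standard industry test numbers (4111..., 5555...), not real accounts.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits (timestamps, hashes).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """PCI-style masking: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_capture(packets):
    """packets: iterable of (src, dst, payload_bytes). One alert per cleartext PAN."""
    alerts = []
    for src, dst, payload in packets:
        text = payload.decode("latin-1")  # lossless byte-to-char mapping, never raises
        for pan in find_pans(text):
            alerts.append({"src": src, "dst": dst, "pan": mask(pan)})
    return alerts


# Constructed capture: register to store server; addresses and values are made up.
CAPTURE = [
    ("10.1.20.14", "10.1.1.5",
     b"POST /auth HTTP/1.0\r\n\r\npan=4111111111111111&exp=0510&amt=42.99"),
    ("10.1.20.14", "10.1.1.5",
     b"order=1234567890123456&amt=12.00"),   # 16 digits but fails Luhn: not a PAN
    ("10.1.20.15", "10.1.1.5",
     b"track2=;5555555555554444=10051011234?"),  # track-2 style data, PAN before '='
]


if __name__ == "__main__":
    for a in scan_capture(CAPTURE):
        print("%s -> %s : PAN %s sent in cleartext" % (a["src"], a["dst"], a["pan"]))
```

The Luhn filter is what keeps this from alerting on every 16-digit order number; the lookbehind/lookahead in the pattern keeps it from firing inside longer digit runs. On a real network the payloads would come from a capture library rather than a list, but the detection logic is the same.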
HSBC branch server goes missing
Posted by: Tom

This is one of those security breaches that underlines the need for physical security if you are doing remodeling or construction where there is potentially sensitive customer data being held...like a bank! From the official bank disclosure:
"The Hongkong and Shanghai Banking Corporation Limited confirms one of its computer servers went missing on 26 April 2008 at its Kwun Tong Branch, which has been undergoing renovation. The data held on the server includes account number, customer name, transaction amount and transaction type."
Nice! This just adds to the list of breaches that HSBC has announced recently...not a good time to be an HSBC customer. Seriously though, all banks should look at the physical security around these renovations...most construction sites I have seen have no security at all. I hardly ever see even a security fence around these locations. Take a look next time you drive by a store or building that is under a remodel or construction. You might be surprised at the lack of physical security at these locations.
New Facebook "Loophole" Found
Posted by: Tom
Some programmers in the UK created a Facebook application that could be downloaded by a Facebook user which would allow the programmers to view personal information even with the privacy settings changed. From the UK article:
"Details such as the date of birth, address and contact numbers of the user, and that of all their friends, can be seen by the creators and could potentially be stolen."
This shouldn't be a surprise to anyone. Facebook has very limited control over what third-party applications or widgets a user can install. Sure they have "terms and conditions" that must be followed...but as we all know those can be circumvented quite easily.
I recently created a Facebook profile to test the security for myself and I have found that the default security/privacy settings for your Facebook profile are pretty much wide open. This includes having your profile hit by search engine spiders. The average user of Facebook will most likely ignore these settings and download those cool Facebook applications that their friends are using as well. :)
phpBB2 Retirement Plan Announced
Posted by: Tom

For those of you using phpBB2 (which last I checked was still one of the most popular open source forum packages out there), you had better start to think about upgrading to the latest version, phpBB3 "Olympus".
I have always had a love/hate relationship with phpBB...it has been the most popular target for attackers in the last couple of years in terms of forum hacking, so as a webmaster you really needed to keep up with phpBB security patches. There were some rather serious vulnerabilities discovered multiple times over the years, so I am not sad to see the 2.0 branch bite the dust. It almost reminds me of how WordPress is being targeted because of its recent surge in popularity right now. Anyway, it is good to see the phpBB development team taking secure coding much more seriously with the new version 3.0.
Winlockpwn: More than a Party Trick
Posted by: Tom

I have seen a couple of blog posts, articles and even the creator of winlockpwn (the hack/script that allows you to bypass Windows authentication through FireWire) saying that this script is nothing more than a "party trick"...
"Wow and amaze your friends by magically unlocking a Windows PC without a password!"
While this seems like a fun thing to do at your next party to impress the ladies (ladies that like geeks and slick Python scripting, of course!)...the truth is that it's a pretty serious issue. I have to hand it to the creator of winlockpwn (Adam Boileau, aka Metlstorm) for having such a cool sense of humor about the whole thing and all the media attention he has gotten (he got "slashdotted" when he released the script). On his web site he mentions that "it's a pity to write code and have no one use it". Adam, we totally agree!
The No Tech Hacking Phenomenon
Attackers will always use the easiest way to gain access to the network, obtain confidential information, trade secrets, whatever. Since the majority of companies and organizations are locking down their networks, it's becoming more and more popular to use social engineering to bypass physical security controls and gain access to the network. This is the "No Tech Hacking" phenomenon, recently popularized by Johnny Long and his newly released book (Johnny also gives a great talk on the same topic). No tech hacking involves things like social engineering, dumpster diving, shoulder surfing, tailgating, people watching, etc. I won't go into a ton of detail about this; read his book if you want to know more. The FireWire authentication bypass adds one more tool to the mix: once you have physical access to a location and a computer, it is almost always game over. Sure, there are other attacks you could do, like popping in a bootable CD to change the admin password (assuming they are not using pre-boot authentication with hard drive encryption) or trying to exploit another vulnerability; however, combine the FireWire attack with "no tech" hacking techniques and it just got easier for an organization to get pwned.
Demos and information about winlockpwn
I decided to try winlockpwn out on my own to see how easy it really is. There are a ton of articles out there already, but few give you all the details about where this hack originated from and why this isn't a Microsoft-specific issue. There are even videos up on YouTube demonstrating this. I was going to do the same type of demo but felt that screen shots would be just fine. To add to the twisted irony of all this, I did record a video demo but couldn't find my 4-pin to 6-pin FireWire cable to hook up to my Mac to edit the video! Had a 6-pin to 6-pin of course...silly cables. Anyway, let's get right to it and talk about the background of the winlockpwn script and how all of this came about.
Where did winlockpwn come from?
Back in 2006 at the RUXCON conference, security researcher Adam Boileau gave a talk called "Hit By A Bus: Physical Access Attacks With FireWire" about a "feature" of FireWire: a device on the bus can read and write the host's memory directly, and that access can be used to bypass Windows authentication. However, the code wasn't released, and according to Adam this was because "Microsoft was a little cagey about exactly whether FireWire memory access was a real security issue or not and we didn't want to cause any real trouble". That's funny...Microsoft being "cagey" about something? More recently, after a team of Princeton University researchers released a video and paper detailing the "Cold Boot Attack", Adam felt that it was time to release his script (with a little coaxing from the Risky Business podcast folks).
Not a Microsoft Issue!
The inherent issue with FireWire is built into the OHCI 1394 specification. It is important to note that this is not a Microsoft problem; rather, it's a "feature" of how FireWire works: a device on the bus is given direct memory access (DMA) to the host, so its reads and writes of physical memory are handled by the controller without the CPU or the operating system seeing each one. This is how it's designed, and it is one of the reasons FireWire is as fast as it is.
How does the attack work?
In its simplest form, the authentication bypass attack involves two PCs. The target PC must be running Windows 2000/XP or Vista, have a FireWire port (either built in or through a removable PCMCIA FireWire card) and be "locked". The attacking PC must be running a Linux/Unix variant loaded with the pythonraw1394 library bindings, romtool (to essentially make your FireWire card look like an Apple iPod) and the winlockpwn.py script. The iPod disguise is not cosmetic: Windows only opens up DMA to a node once its storage (SBP-2) driver binds to the device, so the attacker's card has to present itself as a disk-like device such as an iPod. What makes this attack easy is that you can use a Linux bootable forensics LiveCD called Helix (v1.9), which already has the pythonraw1394 library bindings and romtool installed. When using the Helix (v1.9) LiveCD all you need to do is download the winlockpwn.py script and run romtool, which makes the attacker's FireWire port show up as an Apple iPod. To the target machine it will look like a FireWire Apple iPod is being connected, and it will appear as such in the Windows Device Manager. Let the fun begin!
I want to note that not only can you use winlockpwn to unlock a PC, but you can also use a tool called 1394memimage which will dump the physical memory of the victim PC to a USB drive. This could be even more valuable, since you can then run "strings" over the dump and search for anything interesting (passwords, login information, etc.). I won't go into the details about 1394memimage (and I have yet to try this), but you basically use the same method that I will describe and, when you get to the step to run winlockpwn, run 1394memimage instead. Here is a good, detailed article about this process.
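On the "strings" idea: a plain strings run misses most of what is interesting in a Windows memory image, because Windows stores user-visible text (dialog fields, usernames, paths) as UTF-16LE, where every character is followed by a 0x00 byte. The script below is an added example, not part of 1394memimage or the original post; it scans an image for both 8-bit and UTF-16LE strings and reports the ones that look like credential labels together with the string that immediately follows them, which is where a value usually sits relative to its label. The image it scans is a constructed byte string standing in for a real dump.

```python
"""Hunt for credentials in a raw physical-memory image, such as one dumped
over FireWire with 1394memimage.

Added example, not the page's tool. Plain `strings` only reports 8-bit text;
Windows keeps most user-visible data in UTF-16LE (char, 0x00, char, 0x00...),
so both encodings are scanned. IMAGE below is a constructed byte string
standing in for a real dump; real dumps are hundreds of megabytes and should
be read in chunks rather than loaded whole.
"""
import re

KEYWORDS = ("password", "passwd", "pwd", "login", "secret")


def extract_strings(image, min_len=6):
    """Return sorted (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    out = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(image):
        out.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(image):
        out.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(out)


def hunt(image, min_len=6, window=64):
    """Report strings containing a credential keyword, plus the next string that
    starts within `window` bytes (label and value are usually adjacent in memory)."""
    strings = extract_strings(image, min_len)
    hits = []
    for off, enc, text in strings:
        if any(k in text.lower() for k in KEYWORDS):
            following = [t for o, _, t in strings if off < o <= off + window]
            hits.append({"offset": off, "encoding": enc, "text": text,
                         "next": following[:1]})
    return hits


# Constructed stand-in for a memory image: padding, a DLL name, a UTF-16LE
# dialog label and the value typed next to it, junk, then an ASCII form string.
IMAGE = (
    b"\x00" * 16
    + b"MSV1_0.DLL\x00"
    + b"\x00" * 8
    + "Password:".encode("utf-16-le") + b"\x00\x00"
    + "Wint3r!2008".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 48
    + b"login=tom&pwd=hunter2\x00"
    + b"\x00" * 16
)


if __name__ == "__main__":
    for h in hunt(IMAGE):
        print("0x%08x %-8s %r  next: %r"
              % (h["offset"], h["encoding"], h["text"], h["next"]))
```

The UTF-16LE pattern is the part `strings` alone does not give you (GNU strings needs `-el` for it); the keyword list and the window size are knobs to tune against a real dump, where the noise level is far higher than in this toy image.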
Steps to demo the attack
It might be a good idea to demo this to your management and/or clients so I put together a little demo. Below is my lab setup:
- Desktop with a PCI FireWire Card running fully patched Windows XP SP2 (the victim)
- Laptop with a PCMCIA FireWire card (generic FireWire card, you can find a ton of these on eBay) booted with the Helix LiveCD (v1.9)
- 6-pin to 6-pin FireWire Cable
- USB Thumb Drive w/winlockpwn.py script
1. Boot the laptop with the Helix LiveCD. Next, "lock" the victim desktop. Copy the winlockpwn.py script to the correct directory on the laptop:
cp winlockpwn.py /usr/local/pythonraw1394

2. Connect the 6-pin to 6-pin FireWire cable to both PC’s.
3. Load the FireWire bindings and run ./businfo to confirm that the card is seen (it should show up as port 0).
modprobe raw1394
./businfo
4. Reprogram the card's configuration ROM (CSR) to mimic an Apple iPod. Run ./businfo again to confirm that the FireWire card now presents itself as an iPod:
./romtool -s 0 ipod.csr
./businfo

5. Wait a few seconds for the FireWire/iPod drivers to load on the victim desktop. Finally, run winlockpwn.py. Run winlockpwn with no parameters to see all the options; there are several (one will actually let you spawn a command shell right at the login screen!). For this demo we are just using option 2 (regular, non-fast-user-switching). The 0 and the 1 are the port and the node:
./winlockpwn.py 0 1 2
6. Press CTRL-ALT-DEL on the victim desktop. You will get an error message box about an incorrect password. Don't worry about it and press ENTER. You will then be logged into the Windows desktop, bypassing authentication! Note that you can now lock/unlock the computer as many times as you want, as the memory of the machine stays "snarfed" until a reboot. Also, if you want to do the demo again, make sure you uninstall the FireWire drivers that loaded in the Windows Device Manager before rebooting the box. If not, you will probably have problems getting the hack to work again.
How to protect yourself from winlockpwn?
Well, for starters, don't let anyone else get physical access to your PC! That sounds obvious, but it goes back to the fact that once an attacker has physical access to your PC it's pretty much over regardless. However, here are some tips that I and others are suggesting. Keep in mind, most of these can be circumvented; however, a "defense in depth" strategy is always the best way to go:
- Ensure that all sensitive laptops/desktops are using whole disk encryption software with a pre-boot password.
- Disable the standby feature and also hibernate.
- Disable unused ports in the BIOS including bootable USB devices.
- Disable the PCMCIA slots in the Windows Device Manager (this may cause more problems than it's worth).
- Don't purchase laptops/desktops with FireWire ports (do you really need FireWire when you have USB ports?).
- Always secure laptops physically with a cable lock when unattended (depending on your environment).
- Mandate that users shut down their PCs if they are going to leave a PC unattended for a long period of time.
If you have any more suggestions let us know in the comments.