Archive for June 2008

Blogsecurify: New Wordpress Security Scanner

Posted by: Tom

Looks like GNUCITIZEN and Blogsecurity.net have joined forces to create an online WordPress security scanner. From GNUCITIZEN:

"Blogsecurify was created to help individuals and organizations to secure their blog infrastructures by testing them against a set of security tests. The project is still in alpha stage although I am quite happy with the actual framework which I believe is the only one of its kind. The same framework will be used for several other initiatives but I will talk about them when their time comes."

I tested it out and it works as advertised. Just make sure you enable (and afterwards disable) the template plugin that the scanner requires. I used the old security scanner that was on Blogsecurity.net and didn't get a ton of value out of it in the past, so this is great news! Actually, the old scanner told me that the WordPress installation I was scanning was out of date and vulnerable even though I had the latest version installed! Blogsecurity.net has some really good resources for hardening your WordPress installation, by the way. If you have a WordPress blog, I recommend that you download their paper on hardening your WordPress installation. While some of these tips are easy (change the admin account name and use role-based access), others are a bit complex and may break most of your plugins (.htaccess modifications) without significant testing. Either way, it's worth checking out to make your WordPress installation more secure.

Why go to Black Hat?

Posted by: Tom

Black Hat Bloggers Network

I am writing this blog post as part of the Black Hat Bloggers Network topic of interest #2.

I guess you could say I am somewhat of a Black Hat n00b! This will only be the second time I have attended Black Hat in my security career. I have been to quite a few security related conferences in the past (most of these involved training as well as conferences all integrated into one event like SANS Fire) but since coming back from Black Hat last year I discovered the value of attending a conference like Black Hat. Three things come to mind as to why someone should go to Black Hat:

1. Great speakers! Seriously, if you want to "be there" when new vulnerabilities and exploits are released to the security community by some of the greatest security researchers in the world...that's Black Hat! I liked how conference attendees were able to "vote" in advance for selection of the talks this year. I felt this added real value to the great speaker line-up for this year's conference!

2. Good mix of "black hat", "white hat", and everything in between (gray hat) attendees. With a little more on the side of "white hat". This adds to the whole energy of the conference and allows some good networking opportunities. Black Hat is probably the one security conference where your company won't think you are just going to another "hacker con". For example, you can say to your boss "Hey, they have a vendor show with XYZ company that will be there!" Lucky for you if you are using the security product of XYZ company. Not to mention XYZ company will get you a pass to one of the cool after parties (for more networking of course...). :-P

3. Free admittance to DefCon. As a paid Black Hat delegate you get into DefCon for free! How can you beat that? Stay at Caesars Palace in a luxury suite the whole week and attend one of the best hacker cons in the world! I could do a whole post on how great attending DefCon is, but in short it's awesome to see an even more diverse crowd than Black Hat of the good, the bad, and the plain ugly! Not to mention "spot the fed" and all the other fun games and activities unique to DefCon.

Can't wait to go this year and to also network with some of the other bloggers in the Black Hat bloggers network! Hope to see some of you there (and at DefCon 16).

FBI gets involved in the Indiana bank security breach

Posted by: Tom

This is a story that keeps getting more interesting...

I have been closely following the news that I blogged about last week regarding 1st Source bank of Indiana that fell victim to a pretty serious security breach. 1st Source ended up reissuing their entire credit card portfolio to their customer base.

The latest news is that other banks in the Indiana area are now reporting that their customers are seeing fraudulent transactions. The link is that all of these other banks' customers used 1st Source ATMs around the same time the breach happened. From the IHT article:

"Bank officials said the victims they know of appear to have all used 1st Source Bank ATMs during the first 10 days of May. James Seitz, 1st Source senior vice president, said officials from his bank met with officials from other financial institutions on Wednesday to discuss the situation.

"As we're piecing this puzzle together, it appears that there may be a common thread," Seitz said.

A security consulting firm alerted 1st Source about a computer breach on May 12. The bank shut down its computer system and contacted authorities. Two weeks ago, 1st Source sent letters to customers asking them to monitor their accounts for suspicious activity."


I'm starting to suspect that the ATMs themselves were compromised or that the bank's back-end servers were compromised as well. From what I know about PIN storage, the PIN information in Track 2 data (this is the data that was reported stolen) on a credit/debit card does not have to be encrypted (it can be, it's just not required by the ISO standard), so either a card "skimmer" device was used (physically attached to the outside of the ATMs) or this Track 2 data was pulled off the wire, perhaps using a network sniffer installed on the ATMs. It could be similar to the Dave & Buster's security breach that happened a few months ago. Whatever method was used, it was enough to replay this data onto a bunch of fake ATM cards and start withdrawing cash and/or charging items from locations overseas. Hopefully the public gets to find out what really happened once 1st Source gets its act together.

Medeco Embracing the Locksport Community

Posted by: Tom

Medeco Locks

Via the Emergent Chaos blog...

If you follow physical security and specifically the "Locksport" community you might be interested in the open letter by Peter Field (chief architect of Medeco products) stating that Medeco (a big high security lock manufacturer) is embracing the Locksport community. This is huge news considering that lock manufacturers in general have been pretty reluctant to support the research of Marc Tobias and others in the past. From Marc's post on In.Security:

"So it often falls upon the Locksport enthusiasts, hackers, or security professional, outside of the lock manufacturing community, to demonstrate vulnerabilities that should have been discovered by the manufacturer before offering their products for sale. In my experience, design engineers learn how to make things work quite well; they rarely are educated in how to break them. That is a fundamental problem. If locks were designed properly, hackers and others would not be able to circumvent security. It is about time that manufacturers recognized that the more minds that are evaluating their products, the better."

You can read the full open letter posted on NDE here. Very good read as well as Marc's response. By the way, check out NDE (Non-Destructive Entry) magazine. It's a good magazine on the Locksport community and lock picking in general. Issue #3 even has a good article about the "Tiger Team" show that had a short appearance last year on TrueTV.

Backtrack 3 Released

Posted by: Tom

Backtrack 3

I'm sure you have already read this on other blogs...however, if you didn't get the news yet...Backtrack 3 was officially released last week on the PaulDotCom show. I know that I and others have been using the beta and have been looking forward to this final release. Here are some highlights as posted by Max Moser, one of the creators of Backtrack 3:

SAINT
SAINT has provided BackTrack users with a functional version of SAINT, pending a free request for an IP range license through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego v2.0 with a community license especially for BackTrack users. We would like to thank Paterva for co-operating with us and allowing us to feature this amazing tool in BackTrack.

Nessus
Tenable would not allow for redistribution of Nessus on BackTrack 3.

Kernel
2.6.21.5. Yes, yes, stop whining....We had serious deliberations concerning the BT3 kernel. We decided not to upgrade to a newer kernel as wireless injection patches were not fully tested and verified. We did not want to jeopardize the awesome wireless capabilities of BT3 for the sake of sexiness or slightly increased hardware compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN'ed and armed to the teeth. This release we have some special features such as spoonwep, fastrack and other cool additions.

Availability
For the first time we distribute three different versions of Backtrack 3
- CD version
- USB version
- VMWare version

BackTrack 3 final download page is here.

Final Requests
We request the community to not mirror or torrent this release, or otherwise distribute it online without our knowledge. We are trying to gather statistics about bt3 downloads. If you would like to mirror BT3 then please:

1) Think again! Traffic generated by BT3 downloads is CRAZY.
2) Please contact us before doing so.
3) Send us monthly statistics of downloads for the iso.

If you would like to add a link to BackTrack downloads to your website, please use:

http://www.remote-exploit.org/backtrack_download.html as the download link.

Rants
Problems, fixes, bugs, opinions - should all end up in our Remote Exploit community forums, and our wiki.

Awesome that Maltego has been added to Backtrack! Safe to say that Maltego is the best Internet reconnaissance tool out there. Too bad about Nessus but I hear SAINT is a good vulnerability scanner alternative (note that SAINT is a commercial product like Nessus but they don't have a "home user" plugin feed like Nessus provides). Also, be sure to link to the Backtrack 3 download as Max specifies. Please don't torrent the iso as they would like to track overall download statistics.

One final reminder: the Security Justice podcast will be interviewing Dave Kennedy of SecureState on the Fast-Track script he developed. Fast-Track is included in the Backtrack 3 distribution and is an integral part of using Backtrack 3 to its fullest potential. Look for this special edition podcast in the next week or so.

New Security Podcast: Security Justice

Posted by: Tom

Security Justice Podcast

After several months of work the team of Matt, Dave, Tyler, and myself finally went live with our first podcast called Security Justice a few days ago. Let me tell you...getting a podcast up and running was no easy task but it finally paid off. Special thanks to Dave for getting the mixer, microphones, software and related technology to record the podcast. Also thanks to Dual Core for letting us use their music in our podcast!

We just released episodes 1 and 2 the other day along with the web site. Our podcast has a pretty cool local feel to it. We record live right after the Northeast Ohio Information Security Forum at Mavis Winkle's Irish Pub in Independence, Ohio near Cleveland. We have a live audience, which allows for some pretty unique interactions as well as comments and input directly from the crowd of fellow security geeks. :-) We interview the presenters from the Northeast Ohio Information Security Forum (which takes place the 3rd Wednesday of every month) and discuss recent hot security topics. In addition, we plan on having "special edition" podcasts which will consist of interviews with well-known security researchers and "security celebrities". We have one that will be released here in a day or two.

Anyway, check us out! Let us know of any feedback that you have either here or via the Security Justice web site. Thanks for listening and for supporting the local Cleveland security community!

You can also follow Security Justice on Twitter or FriendFeed!

Online Social Networks: 5 threats and 5 ways to use them safely

Posted by: Tom

Last night I gave a talk at the Northeast Ohio Information Security Forum called "Online Social Networks: 5 threats and 5 ways to use them safely". I spent the last few months doing research on various social networks, specifically MySpace, Facebook and LinkedIn. Many of us either use these sites or know others that do. The user base of these sites has been increasing at a dramatic rate for several years. For example, MySpace was the most visited website in the US with more than 114 million global visitors in 2007, and Facebook increased its global unique visitor numbers by 270% last year alone. With this massive increase in social network usage, online social networking is now becoming the fastest growing area of privacy concerns and security threats.

My talk went over the top 5 emerging threats to online social networks and I also talked about 5 ways you can use these sites safely. You can download my presentation here. Be safe out there! :-)

Mac OS X Security Guides Released...Finally!

Posted by: Tom

Old Apple Logo!

Just a heads up for all you Mac fanboys/girls...Apple has recently released massive (240 pages each) security configuration guides for Panther (10.3), Tiger (10.4), and Leopard (10.5).

Note the warning from Apple if you are a n00b Mac user:

"To use these guides, you should be an experienced Mac OS X user, be familiar with the Mac OS X user interface, and have at least some experience using the Terminal application’s command-line interface. You should also be familiar with basic networking concepts."

I have paged through the Tiger guide and it's pretty detailed...exactly what I was looking for. Really glad Apple finally released these. Hopefully other security professionals using Macs (like me!) will take the time to read these guides and harden their systems. Happy hardening! :-)

Geek out with your own RGB combination door lock

Posted by: Tom

Hack a Day posted a cool tutorial today on how to make your own RGB combination door lock. What is this monstrosity of geekness? Think Star Trek, Star Wars or any other science fiction movie with scenes of cool blinky lights! Now you too can secure your man room, computer lab or whatever and really impress your friends. From Hack a Day:

"Instead of typing in numbers, your password is a unique set of colors."

"By entering the correct color code, the pad will flash green and unlock the door for 10 seconds. If you go over the limit counter, it will flash red for 30 seconds."


Pretty cool. Check out the pictures and details on the Hack a Day web site. Anyone have the nerve or electronics knowledge to put one of these together? Looks like part 2 of the article will talk about how to make the PC board, cut a custom wall plate, install the lock strike and more.

Black Hat and the Security Bloggers Network

Posted by: Tom

Black Hat 2008 Logo

If you have been reading my blog and others in the Security Bloggers Network recently then hopefully you should know about the really cool alliance this year between Black Hat and the Security Bloggers Network. If not, here is a quick and dirty overview...

Basically, there will be a Black Hat topic of the week based on one of the scheduled briefings. The bloggers can then blog on that topic to hopefully generate some interesting conversation prior to the conference. Since there are about 150 different security blogs covering every angle of security in the network it should make for some interesting blog posts.

In addition the Security Bloggers Network will be linked on the Black Hat web site and in various conference paraphernalia. Personally, I am really looking forward to blogging about some of the hot topics that will be talked about at Black Hat this year!

Be sure to follow all the Black Hat updates on Twitter and if you haven't subscribed to the Security Bloggers Network OPML, check it out! You can also follow me on Twitter and FriendFeed as I will be at both Black Hat and Defcon 16 this year, hope to see some of you there...

Also, if you plan on attending this year don't forget to register for the Black Hat "sneak peek" webcast on June 26th!

Social Engineering Used in Museum Heist

Posted by: Tom

Bear spray is no joke

Classic social engineering at its best...a professional thief (or thieves) apparently got away with over 2 million in rare art and jewelry. Pretty much sounds like a movie scenario! From the CBC article:

"Four hours before the break-in on May 23, two or three key surveillance cameras at the Museum of Anthropology mysteriously went off-line.

Around the same time, a caller claiming to be from the alarm company phoned campus security, telling them there was a problem with the system and to ignore any alarms that might go off.

Campus security fell for the ruse and ignored an automated computer alert sent to them, police sources told CBC News."


Wonderful. It gets better...

"Then, as the lone guard working overnight in the museum that night left for a smoke break, the thief or thieves broke in, wearing gas masks and spraying bear spray to slow down anyone who might stumble across them."

Bear spray you say? Yes sir...bear spray is some serious stuff. It's like regular self defense pepper spray but "super charged"! By the way...what's the deal with the surge in "bear spray" related crimes in Canada? Can anyone in Canada verify a serious bear problem up there? ;-)

They still haven't caught the thieves. These guys were good. Goes to show you yet another example of "no tech" hacking and how humans are always the weakest link in security.

Indiana Bank gets Hacked...Who's really to blame?

Posted by: Tom

1st Source Bank Hacked

Interesting story that hit the wire last week about another bank security breach. This time 1st Source Bank of South Bend, Indiana became the next victim of stolen debit card data. Not a ton of details have emerged yet, but we do know the following:

1. An external monitoring service (an MSSP perhaps?) or hired security consultants (doing a pen test?) detected an unusual amount of data leaving one of the bank's servers.

2. The bank notified law-enforcement authorities and hired outside forensic firms (aka: security incident response consultants) to analyze the breach.

3. Track 2 data was compromised. Track 2 data contains the cardholder account number, PIN, plus other discretionary data. Note that the ISO standard does not mention that the PIN has to be encrypted. Only Track 1 data requires it. This may make a replay attack (encoding a fake debit card and using it in ATM transactions with this information) possible.

4. The bank is reissuing all debit cards in its portfolio and is offering to pay for "Deluxe ID TheftBlock" (at $4.95 a month) for one year for any customer who requests the service.

These quotes from the bank are classic:

The bank also is monitoring automated teller machine transactions “minute by minute” to stop unauthorized activity. But even if the efforts fail, account holders won’t suffer, Seitz said.

“We’re certainly not holding any of our customers financially responsible for any transactions related to this breach,” he said.


and....

“Actually, our customers have been very understanding,” he said. “Obviously, this is something that puts a little stress on that relationship.”

Really...are you kidding me? Also note that they have yet to publicly announce an official statement on their web site about the security breach. Actually, their web site mentions nothing at all about the breach (however, it mentions lots of interesting stuff about a recent merger with another bank beginning on June 9th...so they are updating the web site regularly). Clearly this is an attempt to make this security breach out to be "no big deal" to the general public.

So who's really to blame? The bank is of course! Personally, I would rather have my bank be honest and up front with me about a security breach instead of delayed announcements (nothing was sent to customers until two weeks after the breach) and talk about how customers will be "understanding". Clearly there are major security and customer service issues at this bank. Current 1st Source customers should bail out ASAP!

How not to get your domain hijacked

Posted by: Tom

You probably have read about the interesting Comcast domain hijack a few weeks ago that took very little technical skill. Apparently these two hackers were able to social engineer their way into the Comcast domain registration account that was managed by Network Solutions. Once they had access, they apparently changed the DNS record of Comcast.net to point to name servers under their control, thus hijacking the domain. For a short time they redirected Comcast users to a web page stating the following:

"KRYOGENICS Defiant and EBK RoXed Comcast, sHouTz to VIRUS Warlock elul21 coll1er seven."

Here's the best part (from the Wired article):

Network Solutions spokeswoman Susan Wade disputes the hackers' account. "We now know that it was nothing on our end," she says. "There was no breach in our system or social engineering situation on our end."

Deny, deny, deny....not surprised at this response since it makes providers like Network Solutions look really bad. Sooner or later all the details about how these guys did it will come out...then the truth will be told.

In the meantime...what can you do to prevent your site from being the next Comcast? Believe it or not...Network Solutions actually has a few good suggestions! Note: this was apparently posted after the Comcast domain hijacking incident...hmmmm...coincidence or not? :-)

Seriously though. I don't blame Network Solutions entirely as many companies forget that domain registrations require maintenance and regular review of the security controls around them. By the way, the Wired article that I mentioned above is a great read...and probably the best article currently out there on the hijack.

Dangerous MySpace Spam

Posted by: Tom

I have been doing lots of research over the last few months on online social networking sites to prepare for an upcoming talk that I am going to be giving on the latest threats to social networks...in particular MySpace, Facebook and LinkedIn.

Tonight I received a new friend request from someone named "Elysabeth" in my email. Clicking on the link in the email takes you to the legitimate MySpace Friend Request Manager page, which shows the request below:

Elysabeth wants to be your friend..really!

Clicking on the picture takes you to Elysabeth's profile. Check out the picture of what the profile looks like after clicking through to it.

EDIT: I didn't edit out the MySpace profile URL in the picture so don't hit up the URL and click on anything if you don't want to risk being infected!

Notice anything strange...like the Windows Update notification pop up? Looks pretty real huh? Clicking anywhere on the first half of the page pops up the dialog you see on the right side to download a .exe file....some nice malware for you to install. Enjoy! (only on a Windows box.... :-) ) Interesting to note that by scrolling down the page past the malware banner it looks like a legitimate MySpace profile. My guess is that this profile was hijacked either through XSS or some other third-party application vulnerability...the real owner probably has no clue.

On a related note, I just read an article on how Paris Hilton and Lindsay Lohan just had their private photos downloaded because of a flaw in a Yahoo/MySpace widget. Looks like Yahoo/MySpace fixed this flaw pretty quickly tonight but it goes to show that third-party applications and widgets are another popular attack vector.

One more update...Mediaphyter posted a link tonight on the 10 Social Networking Security Trends To Watch. A must read on the latest online social networking threats.

Metasploit.com Attempted Hijack

Posted by: Tom

This past Monday, some silly hacker got the idea that he could easily redirect traffic from Metasploit.com to some Chinese forum using ARP poisoning directed at the router behind which the metasploit.com server resides. Basically he did a MITM attack. Here is an excerpt from HD Moore's reply on the Full Disclosure mailing list:

"Problem solved. Someone is ARP poisoning the IP address of the router on which the www.metasploit.com server resides. I hardcoded an ARP entry for the real router and that seems to solve the MITM issue. It doesn't help the other 250 servers on that network, but that's an issue for the ISP to resolve..."


Sucks to be those other 250 servers! This hacker should have brought his A-game if he really wanted to take on HD Moore...FAIL!
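HD Moore's fix above pins the real router's MAC with a static ARP entry. As an added example (not code from the original post or from the Metasploit project), here is a small Python detector that reads ARP tables in Linux /proc/net/arp layout and flags the two symptoms of that attack from the defender's side: the gateway's MAC drifting from its pinned value, and another host showing up with the same MAC as the gateway. The gateway address, MACs and both table snapshots are constructed placeholders.

```python
"""ARP-cache tampering check for the default gateway.

Added example, not code from the original post or from the Metasploit project.
Assumes a Linux-style ARP table in /proc/net/arp layout; the gateway address,
MAC addresses and both snapshots below are constructed placeholders.
"""
from typing import Dict, List

# Constructed placeholders: the real router's address and its known-good MAC,
# i.e. the values you would pin with `arp -s` or `ip neigh ... nud permanent`.
GATEWAY_IP = "192.0.2.1"
PINNED_GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed snapshot of a healthy table (same column layout as /proc/net/arp).
SNAPSHOT_CLEAN = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:11:22:33:44:55     *        eth0
192.0.2.20       0x1         0x2         00:aa:bb:cc:dd:20     *        eth0
"""

# Constructed snapshot after a poisoning host (192.0.2.66) has answered for the
# gateway: the gateway now resolves to the poisoner's MAC, which also appears
# under the poisoner's own address.
SNAPSHOT_POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:aa:bb:cc:dd:66     *        eth0
192.0.2.66       0x1         0x2         00:aa:bb:cc:dd:66     *        eth0
192.0.2.20       0x1         0x2         00:aa:bb:cc:dd:20     *        eth0
"""

ATF_COM = 0x2  # "entry is complete" flag bit in /proc/net/arp


def parse_proc_net_arp(text: str) -> Dict[str, str]:
    """Return {ip: mac} for every completed entry, skipping the header line
    and unresolved (incomplete) entries whose MAC column is meaningless."""
    table: Dict[str, str] = {}
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, _dev = parts[:6]
        if int(flags, 16) & ATF_COM == 0:
            continue
        table[ip] = mac.lower()
    return table


def check_gateway(table: Dict[str, str], gateway_ip: str, pinned_mac: str) -> List[str]:
    """Return human-readable findings; an empty list means the gateway entry
    matches the pinned MAC and no other host claims that MAC."""
    findings: List[str] = []
    mac = table.get(gateway_ip)
    if mac is None:
        return [f"gateway {gateway_ip} has no complete ARP entry"]
    if mac != pinned_mac.lower():
        findings.append(
            f"gateway {gateway_ip} MAC changed: pinned {pinned_mac.lower()}, now {mac}"
        )
    # A second address resolving to the gateway's MAC is the classic footprint
    # of a poisoner that is also present in the cache under its real address.
    for ip in sorted(ip for ip, m in table.items() if m == mac and ip != gateway_ip):
        findings.append(f"{ip} shares MAC {mac} with gateway {gateway_ip}")
    return findings


def scan_snapshots(snapshots: List[str]) -> List[List[str]]:
    """Run the check over a sequence of captured tables (one per poll)."""
    return [
        check_gateway(parse_proc_net_arp(s), GATEWAY_IP, PINNED_GATEWAY_MAC)
        for s in snapshots
    ]


if __name__ == "__main__":
    # On a live Linux host you would poll open("/proc/net/arp").read() instead.
    for i, findings in enumerate(scan_snapshots([SNAPSHOT_CLEAN, SNAPSHOT_POISONED])):
        print(f"poll {i}: {'OK' if not findings else '; '.join(findings)}")
```

Pinning the gateway entry stops the poisoned reply from taking effect on that one host; a periodic poll like this is what tells you the other hosts on the segment are still being targeted.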

Stumbling upon Security Issues

Posted by: Tom

Seriously...I don't go looking for web site security issues or vulnerabilities but sometimes you do "stumble" upon them. :-P

Several weeks ago I was looking for an online schedule of events at one of the local community centers where I live, so I did what anyone would do and typed the URL of the city's web site into my browser, but without typing "www" first. The actual URL starts with "www", but many times just typing the URL without "www" will take you to the web site. So to my surprise, instead of getting the main index page of the city's web site I got a web form prompting for login credentials to what looked like an HVAC system attached to the Internet! The header of the page had some information about a system version, so I did what any other security guy would do and launched a Google search to find out more details about this system. Yep, it was an HVAC system alright. So I thought, no big deal, right...out of curiosity I hit the 'enter' key thinking that there was no way there was an anonymous login on this baby...lo and behold, it logged me in! I was able to view the HVAC system configuration and potentially manage the HVAC for not only the community center but the city hall and other facilities. It looked like I could have caused some mischievous outages like changing the temperatures and even shutting down the HVAC system. At this point many scenarios entered my head, including why someone would put an HVAC system that should be on the company "Intranet" on the "Internet" with an anonymous administrator-level account...nahh...I'm a pen tester so this isn't shocking to me at all!

Being the ethical person that I am, I emailed the city that manages this domain letting them know of the issue...today I received an email that said they were looking into the issue and it should be resolved shortly. So here are the questions. What would you have done (put your non-evil hat on please...yes, methodically messing with the temperature in the mayor's office would be a blast...)? Do you just forget that you stumbled upon this vulnerability, or do you believe in more of a full disclosure policy toward the people running the web site? In talking to some others...attempting to contact the site owners is the best option (which I agree with), yet some others may take a different approach. Some "grey-hat" hackers might even resort to causing havoc with the HVAC system just to prove a point, then disclose the vulnerability the right way. Thoughts from the community?