Archive for July 2008

Building the pentest team skillset

Posted by: Tom

I saw this post on Hexesec the other day that made me think about all the skills that, when you put them together, could make one kick ass penetration testing team. Note that this is a pretty large list of skills that would be difficult if not impossible for one person to master. However, it gives you an idea of the various skill sets that should be required for a robust, high caliber team.

As a pentester you should be familiar with most of these areas, meaning you should have working knowledge at a minimum. Of course, reverse engineering and vulnerability development may not be everyone's forte...but take for example the web application pentester. Reverse engineering and vulnerability development are skills that can be learned (especially if you have a deep programming and development background). The same goes for wireless penetration testing, which someone with a networking background can easily pick up. Everyone will still have their own specialty, but you can still expand on your existing skills to learn new ones.

What's the point? The more you and your team learn, the more valuable you become to your organization, your clients and your own career.

Exploit in the wild for the Kaminsky DNS vulnerability

Posted by: Tom


Looks like the exploit code has been released by HD Moore as a Metasploit module. Hope everyone took the DNS patching requests seriously, since we all know Metasploit is really easy to use (yes, especially for script kiddies!).

If you haven't patched your DNS yet...do it now! Check here for more information and here to check your DNS servers to see if they are vulnerable. If your ISP's DNS is still vulnerable...change your DNS servers to use OpenDNS!

Has the DNS vulnerability been revealed?

Posted by: Tom

Perhaps someone has figured it out or just decided to announce it, but the big DNS vulnerability that Dan Kaminsky told the world about may have been revealed. Apparently a reverse engineer named Halvar Flake was pretty close to figuring out how the vulnerability works. Then someone at Matasano apparently posted the details and then pulled them. Something is going on in the blogosphere...you can find details about the vulnerability on Slashdot and other blogs regarding the post that was on Matasano and then removed:

Via McGrew Security:


"Let’s try again to convince Bob that WWW.VICTIM.COM is 6.6.6.0.

This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).

Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory has an answer. We’ll come back to it. Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.

Alice’s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is 6.6.6.0!

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was 6.6.6.0. It also contained Additional RRs pointing WWW.VICTIM.COM to 6.6.6.0. Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link."


Meanwhile, Dan Kaminsky posted the following on his blog:

"Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have."

This might imply that Matasano has the goods...I hope everyone is patched out there! Things are about to get interesting!

EDIT: Thomas over at Matasano has issued a public apology about the post in question.

San Francisco's network held hostage by network admin

Posted by: Tom

This is just a classic case of one administrator who managed to get all the "keys to the kingdom". From the San Francisco Chronicle:

"Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.

Prosecutors say Childs, who works in the Department of Technology at a base salary of just over $126,000, tampered with the city's new FiberWAN (Wide Area Network), where records such as officials' e-mails, city payroll files, confidential law enforcement documents and jail inmates' bookings are stored.

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said."


As part of his plan he also:

"...engineered a tracing system to monitor what other administrators were saying and doing related to his personnel case, law enforcement officials said."

As of right now all other administrators are locked out of the system and he has the only password! I also saw on CNN today that he still wouldn't give up the password when a judge asked him for it in court. Awesome...so how does this happen? While exact details still are not clear...lack of proper controls, proper monitoring of privileged users, oversight, separation of duties...are just a few things that come to mind.

This should be a reminder for the corporate world that all privileged users (network administrators in this case) should be held to a higher standard than other users on the network, and thus need more oversight and monitoring. Hopefully the city can get the password cracked or the guy eventually gives it up.

McCain is a technology n00b

Posted by: Tom


Yes, it's true. Presidential candidate John McCain is just now learning to use a computer. He has also said that he doesn't use email (he has staff and consultants to do that for him). So what does this say about him and how he would handle technology issues, in particular security issues related to technology and national security? As someone who has embraced technology and social media I have some mixed feelings about this.

I guess in a way it's good to be a bit "old fashioned", but if he were to become the president don't you think that he should at least be competent with basic computer technology (like reading and responding to at least some of his email)? Perhaps we should send him a copy of this book to help him along?

How's the security of your local city web site?

Posted by: Tom

I saw this news article tonight and had to laugh...

"We all recognize that the Web site is important to the community," Mayor Roy Robinson said. "We've tried to save money to build our own Web site. We should be designating a certain amount of money to maintain and protect it in a professional manner."

Yeah, you get what you pay for, guys! Basically, the local city web site got hacked. The article tried, unsuccessfully, to say that the main page was hacked and users were redirected to spyware/malware web sites. Trojan horse in a database...huh? You have to love the media's interpretation of technical issues.

This is nothing new, right? Think about this though...how many other local communities do the same thing to cut corners and save some cash? Sure, it's expensive to build and maintain a web site with security in mind, but these days can you really afford not to? As an example, I found a local city web site with security issues several weeks ago (and the one I found was a bit more serious). Next time you get a chance to talk to your local community ward representative, ask them when they last had a security assessment done on the city web site, especially if it offers services vital to the community.

The big DNS issue

Posted by: Tom

I won't ramble on about the DNS vulnerability discovered by Dan Kaminsky this week...plenty of other blogs and news sites are covering it. Yes...it's important, groundbreaking and all that jazz. However, if you want the real scoop, especially if you need to convince your employer that this needs to be addressed quickly...then I point you to Rich Mogull's web site securosis.com (specifically this post), and listen to the podcast over at the Network Security Podcast, which has a good interview with Dan Kaminsky.

Oh yeah...Dan has a cool "DNS Checker" on his web site where you can test your own DNS servers to see if they are vulnerable.
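The checkers mentioned here and in the "Has the DNS vulnerability been revealed?" post above judge a resolver by watching the transaction IDs and UDP source ports of its outgoing queries. Here is an added example in that spirit, not the original posts' code nor any real checker's: the (TXID, port) samples are constructed, and the POOR/FAIR/GOOD thresholds are assumptions.

```python
import math
import random
from collections import Counter

# Added example; not code from the original posts or from the DNS checkers they link to.
# A Kaminsky-style poisoning race only succeeds when a forged answer matches the
# pending query's 16-bit transaction ID *and* its UDP source port. Resolvers that
# pinned the source port left only 2^16 possibilities per query, which is what the
# July 2008 patches fixed by randomizing the port. Thresholds below are assumptions.

def constructed_sample(port_randomized, n=200, seed=2008):
    """Fabricate n (txid, port) observations; these are made up, not real captures."""
    rng = random.Random(seed)
    sample = []
    for _ in range(n):
        txid = rng.randrange(0, 1 << 16)
        port = rng.randrange(1024, 1 << 16) if port_randomized else 53
        sample.append((txid, port))
    return sample

def shannon_bits(values):
    """Empirical Shannon entropy in bits (bounded above by log2(len(values)))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def rate_resolver(observations):
    """Return entropy figures and a POOR/FAIR/GOOD rating for a resolver's query sources."""
    obs = list(observations)
    n = len(obs)
    txids = [t for t, _ in obs]
    ports = [p for _, p in obs]
    distinct_ports = len(set(ports))
    spread = max(ports) - min(ports)
    # Rough size of the space a forger must search per pending query: the 16 TXID
    # bits plus whatever the port choice adds (nothing if the port never changes).
    guess_bits = 16.0 + (math.log2(spread + 1) if distinct_ports > 1 else 0.0)
    sequential_txids = n > 1 and all(b - a == 1 for a, b in zip(txids, txids[1:]))
    if distinct_ports == 1 or sequential_txids:
        rating = "POOR"   # fixed port or predictable TXIDs: the pre-patch condition
    elif distinct_ports >= 0.9 * n and spread >= 1 << 14:
        rating = "GOOD"   # ports drawn widely and rarely repeated
    else:
        rating = "FAIR"   # some variation, but a narrow or clumpy port range
    return {
        "distinct_ports": distinct_ports,
        "port_entropy_bits": round(shannon_bits(ports), 2),
        "txid_entropy_bits": round(shannon_bits(txids), 2),
        "guess_space_bits": round(guess_bits, 1),
        "rating": rating,
    }

if __name__ == "__main__":
    for label, randomized in (("fixed source port", False), ("random source port", True)):
        print(f"{label}: {rate_resolver(constructed_sample(randomized))}")
```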

What's behind online banking guarantees?

Posted by: Tom


Wow...I'm really on this banking kick as of late...

So I was watching TV tonight and saw a commercial for WaMu (Washington Mutual Bank) advertising their "Online Banking Guarantee". What I found interesting was the whole scenario that played out in the commercial...

Woman: "Hey, I'm using WaMu Online Banking..."
Man: "Online Banking?? That's not safe!!"
Woman: "It's safe...I have WaMu's Online Banking Guarantee!"
Man: "Oh...cool."

(Note: this wasn't word for word but pretty close...you get the idea.)

As a security professional I find it disturbing that you would "guarantee" something (like online banking) is safe and secure without a ton of terms and conditions (I'll get to this in a minute). We all know that nothing is 100% secure. Sure, online banking in general is safe to use...we all know banks are regulated to provide customer safeguards...etc. So how does WaMu pull this off? Here's the deal:

"For any fraudulent or unauthorized transaction that has been initiated during an online banking session at wamu.com, WaMu will provide 100% reimbursement of the transaction amount plus any related account charges imposed by WaMu or lost account interest resulting from such transaction."

Sounds good, right? Here is the kicker...you as the customer have responsibilities, and if you don't live up to them, you get no guarantee...check these out:

"You have protected your password by creating one that would be hard for others to guess and do not write down or share your password with anyone."

Customer: Hard to guess password? So my dog's name isn't hard to guess?

"If you suspect a fraudulent or unauthorized transaction has occurred, you must contact WaMu within 60 days..."

Customer: I'm on it...I never, ever procrastinate about anything!

"If you knowingly share your username and/or password information with others, we will consider any direct or indirect transaction initiated online by this person as an authorized transaction."

Customer: My wife knows my username/password, does that count? Damn...I'm getting a ton of these pop-ups on my PC...weird.

and...buried deep in the Online Services Agreement & Disclosure:

"You are responsible for the installation, maintenance, and operation of the Computer and browser software. The risk of error, failure, or non-performance is your risk and includes the risk that you do not operate the Computer or software properly. The Bank is not responsible for any errors or failures from any malfunction of the Computer or the software nor is it responsible for any electronic virus, viruses, worms, or similar software that you may encounter. The Bank has no liability to you for any damage or other loss, direct or consequential, which you may suffer or incur by reason of your use of the Computer or the software."

Thus...no guarantee. Enjoy!

Blizzard offers two-factor authentication, why doesn't your bank?

Posted by: Tom


Lots of buzz on the net about Blizzard (creators of World of Warcraft) offering a $6.50 two-factor authentication token for customers that want an extra layer of protection for their account. Yes, if you didn't know, account theft in WoW is on the rise! I commend Blizzard for taking this extra step to help protect their customers...sure, two-factor authentication isn't perfect, but regardless it's a step in the right direction.

So why don't more banks and financial institutions set this up for their customers? PayPal was able to do it right (not perfectly, but close). It comes down to customer support and cost. One of the many ways a bank or financial institution makes money is by offering products that are user friendly and can be used by just about anyone. For someone with some technical skill, using a two-factor authentication token is a cake walk...unfortunately, the average bank user (think about your mom or the person in your family with the least amount of technical skill...yes, the one that calls you to fix their computer...) will most likely be confused as to how to use the device, and that will mean a call to the bank's customer support center (calls cost $$). Let's not forget about the back end infrastructure (servers and IT staff cost $$) and all the additional red tape the institution has in regards to advertising and putting a friendly spin on it for customers.

Martin McKeay and Michael Santarcangelo on the Network Security Podcast (Episode 110) had some good discussion about this. In a nutshell, the conversation was about how banks offer many different easy to use services, and tying a two-factor solution to all of these products is just not worth the cost, time and effort (except for high wealth customers). Also, what happens when you have multiple accounts at multiple banks? Do you carry around multiple tokens? My opinion? Until there is something easier to use and more secure, I don't see most banks or financial institutions going two-factor anytime soon.

The Evolution of Penetration Testing

Posted by: Tom


Last week GNUCITIZEN posted an article entitled "Tiger Team Operations vs. Penetration Testing". I personally feel this is a spot-on article and a must read for anyone involved in either tiger team operations or penetration testing. The article focused on three areas in regards to these two types of assessments: quality, pricing and time frames. While these three areas are quite different when comparing a tiger team operation to a penetration test, I see something more when it comes to penetration testing. I see the penetration test as we know it eventually evolving into tiger team operations.

While we will always need to conduct traditional network and web application penetration tests, clients and employers are asking us to conduct more "unique" assessments. These unique types of assessments include things like social engineering, client-side phishing, physical security reviews, user security awareness, or testing the overall security of a specific facility or business unit. These unique individual assessments address the changing threat landscape and the new ways information systems and people are being exploited.

A tiger team can address many of these different types in one unique assessment of its own (including network and web application penetration testing when appropriate). Keep in mind, a tiger team operation is very different from a penetration test in terms of quality and quantity, as GNUCITIZEN mentions. A tiger team requires multiple unique skill sets (for example a physical security specialist) and always requires multiple high performance team members. Let's also not forget about timing and preparation. A tiger team operation and a penetration test should always be conducted unannounced, and to conduct the operation properly the team must be held to strict confidentiality. In regards to preparation, a tiger team operation may take many weeks and/or months to prepare. Why so long? The longer the preparation time (meaning the reconnaissance phase), the closer you will get to simulating an actual attack on the targets selected. The real bad guys that want to do harm to your organization have the advantage of time...a tiger team must try to replicate this as closely as possible. There may also be variations of a tiger team operation. Some methods may or may not need to be used depending on the scope and the target(s).

I am currently putting together a presentation for a conference later this year on how tiger team assessments work in a large corporate environment and how you can take these same concepts and use them either with an internal penetration testing program or for clients. More on this in the coming weeks. In the meantime, if you want to know what a tiger team operation/assessment is like...I recommend you check out the Tiger Team series that was on TruTV last year. You can find torrents and also view one of the episodes on the TruTV web site.

What does a hacker...hear?

Posted by: Tom


Good post on Bloginfosec last week that talks about all the interesting security related sounds that go on in pretty much any environment, which you can pick up just by listening.

If you saw Johnny Long's "No Tech Hacking" presentation, then you will probably remember the line "What does a hacker see?" as Johnny pointed out items in pictures that wouldn't be a big deal to the average person, but to a hacker this information becomes extremely valuable.

Russell Handorf, who wrote the article on Bloginfosec, also put together a pretty cool quiz that you can take online to see if you can recognize some typical and not so typical sounds from various computing devices. I would be interested in hearing more about cell phone defaults...for example, does your phone have a default sound for Bluetooth sync? As Russell mentioned in his article, it is pretty easy to use a tool like hcidump or the soon to be released BTfind to identify and enumerate discovered Bluetooth devices.

Next time you are at a conference, on the bus, train or at your local coffee shop pay attention and listen...you might be amazed at what you hear.