Archive for the 'Hacking' Category

Nov 08 2009

Simple worm RickRolls jailbroken iPhones

I knew it had to be just a matter of time before someone took advantage of all of the jailbroken iPhones and created another malicious tool to pwn them.  This time the attacker has been RickRolling iPhone users, changing the background on the phones to a picture of Rick Astley.  The worm is fairly simple and uses the default password set up on the SSH daemon when you jailbreak your iPhone, so if you’ve taken the 5 minutes required to change the password, you’re perfectly safe from the effects of the worm.  Of course, it’s written by someone in Australia going by the name of ‘ikee’ and generally has only been hitting phones down under, but given that the ikee code was released, along with an interview, it’s only a matter of time before someone else creates a new version that does something much nastier than putting up a picture of an ’80s pop icon.  I can think of a couple of people I know who’d be willing to put pictures of goats or lemons or things with spelling close to that on your iPhone.  And those are just the people who are there to be playful.

I’ve said it a number of times in the last week, but it bears saying again:  If you’ve jailbroken your iPhone, change your iPhone’s root password immediately!

By the way, I don’t know anyone who’s jailbroken their iPhone in order to access pirated software; everyone I’ve talked to did it so they could install software that unlocks capabilities that Apple doesn’t want us to have in existing apps, for example tools like xGPS and SBSettings.


Nov 07 2009

How to change the SSH password on your iPhone

I mentioned a couple of days ago that once you jailbreak your iPhone, you’ve bypassed many of the security protections Apple put in place.  One of the biggest concerns once you do this is the SSH service running on the iPhone, since it’s relatively easy to find the default password for the phone (it’s ‘alpine’).  My solution is to use SBSettings and simply turn off SSH on the iPhone altogether.  But if you have reason to leave SSH running, you need to at least change the password, especially if you’re going to any security conventions or will be traveling through target-rich environments that might draw the attention of malicious elements (a.k.a. hackers).  You know, places like airports, train stations, Las Vegas, New York, etc.

How to Change the iPhone’s Root Password
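Here is an added example of the two steps the post recommends, written for this page and not taken from the linked how-to: change the default password and, if you don’t need it, stop sshd.  It assumes a jailbroken phone with the Cydia OpenSSH package, whose launchd job file is assumed to be /Library/LaunchDaemons/com.openssh.sshd.plist, and that the ‘alpine’ default is stored in /etc/master.passwd as the DES hash /smx7MYTQIi2M for both the root and the mobile accounts (an assumption: compare against your own file).  The check mode scans a master.passwd for that hash so you can confirm the change actually took; the apply mode is meant to be run on the phone itself.

```shell
#!/bin/sh
# Added example, not from the original post: audit and fix the default SSH
# password on a jailbroken iPhone. Run on the phone (MobileTerminal, or an
# SSH session you already hold), as root.
#
# Assumptions (verify on your own device):
#   - the stock master.passwd carries this DES-crypt hash of 'alpine' for
#     BOTH root and mobile, so both accounts need a new password;
#   - the Cydia OpenSSH package is started by this launchd job file.
DEFAULT_HASH='/smx7MYTQIi2M'
SSHD_PLIST='/Library/LaunchDaemons/com.openssh.sshd.plist'

# has_default_password [FILE]
# Exit 0 and print the account names if any entry in FILE (default
# /etc/master.passwd) still uses the default hash; exit 1 if none do;
# exit 2 if FILE cannot be read.
has_default_password() {
    file=${1:-/etc/master.passwd}
    [ -r "$file" ] || return 2
    # field 2 of name:hash:uid:gid:... is the password hash
    hits=$(grep "^[^:]*:$DEFAULT_HASH:" "$file" | cut -d: -f1)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

# harden_iphone_ssh: set new passwords for both accounts, then stop sshd
# and keep it from starting at boot. Re-enable later with
#   launchctl load -w "$SSHD_PLIST"
harden_iphone_ssh() {
    passwd root     # prompts for the new root password
    passwd mobile   # same default password, same fix
    launchctl unload -w "$SSHD_PLIST"
}

case "${1:-}" in
    --check)
        if has_default_password "${2:-/etc/master.passwd}"; then
            echo "the accounts listed above still use the default password; run: $0 --apply"
        fi ;;
    --apply)
        harden_iphone_ssh ;;
    *)
        echo "usage: $0 --check [master.passwd] | --apply" ;;
esac
```

Run `sh harden.sh --check` after changing the passwords; if it prints nothing and exits 1, neither account still matches the default hash.  If you only ever SSH into the phone from your own machine, SBSettings’ SSH toggle or the `launchctl unload -w` line above is the safer default, since a password nobody can reach can’t be guessed.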


Nov 03 2009

Turn off SSH on your jailbroken iPhone!

Jailbreaking an iPhone unlocks some very useful features that the iPhone is lacking and gives you the control over your device that you should have in the first place.  Just getting access to the xGPS project and its turn-by-turn directions has been more than enough reason for my friend Bob to jailbreak his phone multiple times.  But as Uncle Ben once told Peter Parker, “With great power comes great responsibility.”  Apple locked down the iPhone in part to protect users from the bad guys out there, and if you’re in the Netherlands with a jailbroken iPhone, you may be regretting having taken your security into your own hands.

A Dutch hacker has started breaking into iPhones that have been jailbroken and left SSH running with the default root password.  This enabled the hacker to log into the iPhones and send the owner a message telling them their iPhone is insecure.  It goes on to give them a link and asks for 5 euros in order to secure the phone.  This has been sighted on relatively few iPhones so far, but it’s not inconceivable that this could be weaponized and used on a much wider scale.

This just highlights that the act of jailbreaking your iPhone or hacking any manufacturer’s device places the onus of securing the device back on the owner rather than on the manufacturer.  I have no problem complaining about companies like Time Warner who’ve consistently given their users insecure routers.  The company is supplying and configuring the device, so the responsibility (and the power) to secure the routers is theirs and theirs alone.  The user has no ability to make changes and, in most cases, probably doesn’t know much more than how to plug the router in and turn it on.

But once you’ve taken the steps to jailbreak an iPhone or hack your router, you’ve relieved the company of that responsibility.  It may not take much, but if you’ve done the necessary research to download the tools to free your device, you are also taking on the responsibility of securing the same device.  So take the time to do a little more research and figure out what steps you need to take beyond just jailbreaking to secure your iPhone, or whatever device you’re hacking into today.


Sep 14 2009

Malware with your morning paper

I imagine there are a fair number of people out there who are like me and instead of a cup of coffee and the morning paper they take the same cup of coffee and open up their favorite news sites online to get the morning’s news.  So I imagine there were more than a few people who were surprised yesterday morning to get a little something extra when they opened the New York Times site: a pop-up ad telling them that their computer was infected with several hundred viruses and that they needed to buy some wonderful new anti-virus product to secure themselves.

We don’t know exactly how the NYT site was compromised and this code inserted, but there is a good analysis of the malware at Inputs & Outputs.  The ad used a scare tactic, but by itself it didn’t do much.  This scareware scheme did, however, point users to a small program that probably did some very interesting things to the computer of anyone who believed they actually were infected.  If you’re a Firefox user with NoScript installed, you probably didn’t even notice that this fun piece of code had been added to the NYT site.  Score one more for blocking scripts by default.

Looking at the analysis of this compromise, it appears that the code wasn’t directly on a NYT server; rather, it was served up by one of the third-party services that provide ads for the NYT.  Once again, it shows that even if you trust a particular site you’re visiting, the interactions between that site and the secondary systems supporting it offer a great attack vector for the bad guys.  The New York Times probably has a great security team that’s up on the latest vulnerabilities and does an excellent job protecting their site, but if the other companies they rely on for additional code can’t protect their systems, even the best team at the NYT won’t be able to do a thing.  It’s something for anyone who relies on third-party code on their site to think about.


Aug 18 2009

They didn’t just hack Heartland

Published by Martin under Hacking, PCI, Phishing, scams, etc.

Rich Mogull took the time to read through the entire indictment against the hackers who targeted not only Heartland, but also 7-Eleven and Hannaford as well.  The first thing that really leaps out at me about this is that the attacks were using command execution via SQL injection or XSS via SQL injection.  Given that these are both methods of attack that the PCI DSS specifically calls out to protect against, this blows a pretty big hole in the case Heartland CEO Robert Carr made that his QSA let him down.  We’ve known about SQL injection for years and there should be no need for a QSA to tell a company or its security team about the problem.  There should also be no reason for SQL command execution to be enabled on any SQL server that’s exposed to potentially malicious traffic.  As Rich points out, on most modern SQL servers this is a capability that has to be enabled, not a feature that’s turned on by default.

It’s a little surprising to me that one group of hackers is connected to so many high profile breaches, including TJX, OfficeMax and Dave & Busters.  Are they an isolated group who managed to find a way into these networks or are they just the group of hackers that was stupid enough to get caught?  The possibility that these guys are just the hackers who were unlucky enough to get caught worries me, since their capture may lead a number of security professionals to breathe a sigh of relief and get back to life as normal.  Which means arguing with management to get new tools and toys for the network while ignoring serious configuration errors like having SQL command execution enabled on transaction servers.


Aug 03 2009

What happens in Vegas can cost you a lot

Published by Martin under Hacking, Malware, Security Advisories

When heading to Las Vegas for Black Hat and Defcon, there are a number of basic security measures many of us take.  Phone wireless off: check.  Phone bluetooth off: check.  Laptop wireless and bluetooth off: check.  Use an ATM that’s nowhere near either Caesar’s or the Riviera: check.  Which turned out to be a very good decision, as a fake ATM showed up at the Riviera and the machines at the Rio Hotel were debiting accounts but not dispensing money.  And people were wondering why the ATMs on the conference floor at the Riviera were all unplugged from power when we arrived.  Of course the network cables for the ATMs were still in place, but I hope the hotel was proactive enough to disable those ports on the switch as well.  The fact that I saw one hotel information machine with an error message about network connectivity tends to support that possibility.

It’s not a joke when the networks at Black Hat and Defcon are called some of the most dangerous networks in the world.  Attendees take the safety of their computers into their own hands when they connect to either network.  The best answer is to not connect to the network at all if you can avoid it, but if you have to connect, encrypt every packet and every connection and use a computer with a new, patched image that you wipe as soon as you get back from the event.  These aren’t the only steps you should have taken over the last week, but they’re a good start.

Along the same lines, it was a good idea to take out the money you thought you’d need before you ever got to Las Vegas for last week’s events.  I have to admit I didn’t take this precaution myself; I was busy and forgot to hit an ATM before boarding the plane for Vegas.  I had to take my chances with an ATM in my hotel, which luckily was not Caesar’s, the Riviera or the Rio.  I chose a machine that was in a heavily monitored and travelled area, looked for anything suspicious and crossed my fingers.  So far it looks like my luck has held.

It’s no joke that ATMs are not secure.  Many of them run on a Windows OS and have all the vulnerabilities associated with Windows, especially since I highly doubt many ATMs are configured to patch themselves with any regularity.  Plus there are little things like the software my coworkers at SpiderLabs found on ATMs in Europe earlier this year.  The fact is, the entire ATM infrastructure is under attack on both a physical and a virtual level.  And if someone like Chris Paget, a professional who specializes in credit card and hardware security, can’t recognize a compromised machine on sight, the rest of us don’t have much of a chance.

It’ll be interesting to see how this plays out.  The fake ATM that was placed in the Riviera lobby will likely hold a fair amount of interesting forensic evidence, not the least of which will be the potential for fingerprints inside the machine.  The attackers might have thought it was a fairly harmless joke to show how stupid other security professionals can be, but I doubt the FBI will show much of a sense of humor.  The Riviera staff likely took the most prudent route in disabling their ATMs in the conference center, but this sort of antic has to be trying the patience of a hotel that needs the business Defcon brings.


Jul 27 2009

But Network Solutions was compliant, weren’t they?

Published by Martin under Hacking, PCI, Security Advisories

Repeat after me:  “Being compliant does not mean you’re secure.  Being compliant doesn’t mean you’re secure.”  Keep muttering that to yourself while you read the rest of this post.  If you have a bluetooth headset, people might not even think you’re crazy.

If you haven’t already heard, over the weekend Network Solutions announced that they’d been compromised and over half a million credit card records had been stolen.  All we know about the attack so far is that it used ‘unauthorized code’, which could mean anything from a wholesale compromise by an outside attacker to a malicious insider placing the code for his own profit.  In other words, they’ve really told us almost nothing about what happened and it’s quite likely that’s about all we’ll find out.  The code transferred the information to servers outside the company, and while there’s no evidence yet that the stolen credit cards have been used for fraud, there’s also no evidence that they haven’t.

So why are we spending so much time on PCI if it doesn’t make our merchant and service providers secure?  Network Solutions had been validated as PCI compliant by Payment Software Company (PSC) last October, so they were secure weren’t they?  Once a merchant or service provider is compliant, that’s it, isn’t it?

The Payment Card Industry Data Security Standard is not a magic potion that will make a company secure.  The requirements are mostly good practices, and the annual review that merchants and service providers go through is not exhaustive and does not touch every server in a company’s PCI environment.  The PCI DSS is a minimum baseline companies should be complying with in order to take credit card numbers.  Each network and each business is too different for any standard to cover in a horizontal market that includes everything from your corner Mom ’n’ Pop store to the likes of Amazon, Best Buy and Walmart.  What PCI does, and does well, is raise the baseline of security for the entire market and hopefully make it a little harder for the bad guys.  But raising the bar for everyone may not raise it high enough to actually secure any one company, and it’s up to the security professionals who work at those companies to realize that PCI isn’t a stopping point, it’s just one milestone along the way to securing the systems at their companies.

Network Solutions had been validated by a QSA, nearly a year ago.  If you’re ever curious, Visa keeps a list of the validated service providers on their site.  Pay very close attention to a short clause they have on every page of the document:

(1) PCI DSS assessments represent only a “snapshot” of security in place at the time of the review, and do not guarantee that those security controls remain in place after the review is complete. These reviews did not cover proprietary software solutions that may be used or sold by these service providers.

Yes, Network Solutions was listed as having been validated last Halloween.  Take a moment and think back to how your own network was configured and maintained last Halloween; have there been any changes to your network since then?  Has anyone made any configuration mistakes on your systems in the last 10 months?  Have there been any 0-day vulnerabilities that affect your servers since then?  If you can answer ‘no’ to all of those questions, you’re either the best systems administrator I’ve never met or you’re lying to yourself.  I’d lean towards the latter.

The PCI requirements don’t require a QSA to check every server on the network or even in a company’s PCI environment.  They require the QSA to check a sample of systems against all of the PCI requirements.  My own experience has been that you can tell pretty quickly if a merchant or service provider is following their own configuration and hardening standards or not.  If they are, you might be able to reduce the sample size some, and if they’re not, you might have to increase the sample size you’re assessing.  In all except the very smallest merchants, there is no way even the most competent QSA can assess more than a sample of the systems involved in the PCI process.  It’d be great if we could review each and every system involved with cardholder data, but that’s why companies retain security personnel.  The job of the QSA is not to verify every system, it’s to assess the security of a company as best they can in the few days they have on-site.  It’s the job of the security and system professionals who work at a company day after day the rest of the year to ensure that the baseline of security PCI requires is kept current and that even the systems the QSA didn’t check are secure.

Like my friend Anton, I wish people would stop taking every breach of a PCI compliant company as proof that PCI has failed.  We don’t scream that Microsoft is a failure every time a Windows server is compromised or state that the OWASP top 10 is worthless if a company follows the guidelines but still turns out insecure software.  We acknowledge that the system has weaknesses, that people don’t follow guidelines as well as we might like and we move on.  Just because one part of an overall system is flawed, we don’t declare the whole thing a failure.  Instead, we work on improving the system and making it better so that the same problem doesn’t happen again.  Or at least we try to.  So why does anyone expect the PCI system to be perfect?


Jul 27 2009

Don’t poke a hornet’s nest

I have to admit, as a security professional, I’ve been woefully lacking in my exploration of the 4chan site.  More accurately, I’ve been unwilling to stick my nose into what is known as one of the most disturbing and contentious sites on the entirety of the Internet.  I know what 4chan is and have a number of friends who spend significant amounts of time there, but I’ve never had the need or desire to explore or spend any time on the site.  But one thing I do know about 4chan is that you don’t want to stir up its denizens and find yourself on the receiving end of more unsavory attention than you even knew existed.  Apparently AT&T didn’t understand that basic tenet of the Internet and started blocking 4chan in SoCal over the weekend, nearly creating a digital uprising they might not have been able to handle.  Luckily for them, they relented and unblocked 4chan before the real storm started.

4chan’s members range from web neophytes to some of the most talented hackers out there.  The last time 4chan was in the news was this April when they gamed a Time poll to find the top 100 most influential people.  Talent aside, just the sheer number of people who use the 4chan site worldwide is enough to cause a serious problem for AT&T, especially given their excitable nature.  And all it would have taken on AT&T’s part to avert this disaster is a little bit of transparency, provided their reasons for blocking the site in the first place were authentic. 


Jul 26 2009

Cornerstone of my Black Hat and Defcon trip

Published by Martin under General, Hacking, Podcast

Both Black Hat and Defcon are incredibly hectic and for the most part unplanned.  I have a few interviews that I’ve arranged and a lot of parties, but most of my time is unstructured specifically so I can catch whichever talk is sounding hot this year or catch an interview with someone I happen to catch in the press room or hallways.  There’s also Security Bsides, which I have to attend (because I want to, not because someone’s forcing me).  There’s only one event I’m attending that I know I’ll be there from beginning to end: The Second Annual Podcasters Meetup @Defcon.   I’ll be showing up there for the entire show.  I’m sort of essential, or at least some of my technology is; We’ll be using my camera again for the streaming video.

If you listen to security podcasts, or even if you don’t, you’re invited to come to the event.  I have it on good authority that there are some cool prizes that are being given out at the event, though I’ve unluckily been told I’m not eligible to win anything.  Which is especially annoying, since they’re giving away a USB monitor among other things, something I really need in order to meet my goal of becoming a digital nomad.

I’ll be roaming around Black Hat starting Wednesday around 11am; Rich will be working and our special guest host, Zach Lanier, will be working with us to get even more interviews than ever before.  We’ll be doing our best to record and post our interviews as close to real time as we can, so if you can’t be there, at least listen to the podcast.  If there’s someone you really want Rich, Zach or me to interview, leave a comment, drop me an email or give me a call.  If you can’t find my cell phone number, it’s probably better you didn’t go to Black Hat and Defcon anyway.

PS.  Don’t forget to use the #BlackHat and #Defcon hash tags in Twitter!


Jul 25 2009

Saturday morning reading, 07/25/09

I’m sitting down to nurse a cup of coffee this morning.  Had friends over last night, a fair amount of drinking ensued, lots of male bonding through bad jokes and some rousing games of Alhambra and Saint Petersburg.  This is my idea of a good Friday night with friends, which worries me a little, since it makes me sound and feel like a middle-aged geek.  Which I have to say is a pretty good description.  I guess I’ll have to overcompensate at Black Hat and Defcon next week.  In the meantime, here are some of the stories from this week that are clogging up my Firefox tabs.

  • Adobe issues security advisory for Flash zero-day flaw – Rumor has it that Adobe has known about this flaw for over seven months.
  • Help for internal auditors on PCI Compliance – Some of these points are going to help me as the assessor as well.  But more of them should be part of your security processes whether you’re trying to be PCI compliant or simply secure.
  • Extending the concept: A security API for Cloud Stacks – Chris Hoff posted this concept last night and caused quite a brouhaha.  The basic idea is that the commonality of the various compliance structures should be built into a security control model that’s used to build Cloud infrastructure in a testable, open architecture.  Very interesting concept, I want to see how Chris develops it going forward.
  • Vulnerability scanning and Clouds: an attempt to move the dialog on – This is the post that kickstarted Hoff’s thinking for the previous article.  Lack of vulnerability scanning is just one of the reasons that cloud computing gives compliance officers fits.
  • The growing threat to business banking online – Somewhere in the last couple of years the Internet has gone from being the Wild West to the streets of Chicago in the 1920’s. The bad guys have become incredibly well organized and you’re taking your digital health in your own hands every time you go online.  Businesses and local governments are increasingly becoming targets.  After all, “That’s where the money is.”
  • Mind games:  How social engineers win your confidence – Scams and grifting are as old as humanity, probably older if you want to consider some of the examples you can find in the animal kingdom.  And they stick around because once you’ve mastered the basic principles, it’s relatively easy to get what you want out of the majority of people and situations.  The best defense is to be educated and be able to recognize some of the clues that you’re being social engineered without having to consciously think about it.
  • Network Solutions hack compromises 573,000 credit, debit accounts – Good job NS, you allowed code to be installed on a compromised system and gave up over half a million records, mainly of mom and pop stores.  I hope you do a better job protecting our domain names.

Just added – Matasano site compromised.  I couldn’t fault them too much for falling to a zero-day, except for the fact that they’re a research firm that should be finding these things on other people’s sites, not their own.
