February, 2015



Creepy NSA

Source: Re/Code

I don’t really know what to say about this. Not much commentary to add, besides that the NSA is being super creepy with its Valentine’s Day Twitter posts.

Read more here: Re/Code

Free books, every day, from Packt Publishing

Source: Packt Publishing

I hopped on this one just a little bit late. A former co-worker had asked me to give him an idea of a collection of books I recently bought, and one of my stops was Packt Publishing, where I have bought several books.

I noticed that they were currently running a promotion, giving away a book a day for 18 days. Today’s book just happens to be Metasploit Penetration Testing Cookbook. I enjoy most Packt Publishing books, and now would be a great opportunity to get some free ones.

FYI: This is not a paid/advertising post; my story is true, and I just happened across Packt Publishing’s website while researching some books for a former co-worker. I’m not getting paid for this post, although I would happily accept it 😉

VulnHub – Sokar Challenge

Source: VulnHub

Just some quick background: VulnHub provides vulnerable system images to train penetration testers and vulnerability researchers. Often, the images are presented as a challenge.

For VulnHub’s 2nd anniversary, they are running a challenge called “Sokar” which, as of this writing, you have 2 more days left to complete. You set up the image in VirtualBox or VMware and attempt to exploit it in order to get the root flag.

Read the blog post at VulnHub, and you can download the Sokar image here.

Fun at the hotel or Adventures with the Roku box, and Plex Media Server

So, I had some fun playing with the hotel’s TV system tonight, and just wanted to document what I did, on the off chance that someone else runs into a similar issue.

Also, it is important to read and know the hotel’s rules and regulations concerning its TV system, and to know that tampering with it may carry liabilities.

The story begins when the wife and I wanted to make a getaway for the day to a hotel, just to hang out with one another. We figured we would go to a hotel and watch some TV and movies together. The best option for watching TV was to bring our Roku box and stream shows from the Plex Media Server I have at home, as opposed to paying $18.00 a show at the hotel.


Pres. Obama signed new EO for the sharing of threat data

President Obama has signed a new Executive Order (EO) aimed at sharing threat data that the government collects with the private sector.

I’m curious to see how valuable the shared data will be, whether it will have enough value to make this service worthwhile, and who exactly would be given access to the threat intelligence data.

Read the entire EO here:  White House Press Office

Releasing Ten Million Passwords

Source:  Xato.net

Today, Mark Burnett is releasing 10 million passwords, available to download on his website.

This isn’t the first time passwords have been released. The current, most popular (I think; no facts behind this statement) “dictionary” used for passwords is the “RockYou” list, which came from the 2009 breach of RockYou.com, where roughly 32 million passwords were exposed in plaintext.

So, on the “blue team” (the defenders) side, this gives us another list of passwords to run against our own user databases, and to check against at password-set time so that users cannot choose them. On the “red team” (the attackers) side, it gives us another very large list to use when testing passwords.

I don’t see this as a huge hacker release. When it comes down to it, I believe Mark is releasing these passwords to test the laws.
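As an added illustration of the blue-team use of such a list (and of the username-plus-password analysis Mark mentions in the post quoted below), here is a short Python example. It is not code from this blog or from Xato.net, and it assumes a username<TAB>password layout with e-mail domains already stripped; the sample dump is constructed for the example and is not real data. Passwords are kept only as SHA-1 digests so the blocklist can sit next to an authentication service without holding cleartext.

```python
"""Added example: parse a constructed username<TAB>password dump, build a
blocklist for password-set checks, and summarise username/password overlap."""
import hashlib
from collections import Counter

# Constructed sample in the assumed "username<TAB>password" layout. Not real data.
SAMPLE_DUMP = """\
jsmith\tpassword1
jsmith\tjsmith
mary.k\tMary2014
bob77\tbob77!
alice\t123456
dave_r\tletmein
alice\t123456
carol\tCarol
"""


def parse_dump(text):
    """Yield (username, password) pairs; skip blank or malformed lines.
    Split on the first tab only, so a password containing a tab survives."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user, sep, pw = line.partition("\t")
        if not sep:
            continue  # no tab separator: malformed line
        yield user, pw


def build_blocklist(pairs):
    """Set of SHA-1 hex digests of every leaked password (plaintext discarded)."""
    return {hashlib.sha1(pw.encode("utf-8")).hexdigest() for _, pw in pairs}


def is_blocked(candidate, blocklist):
    """True if the candidate password appears in the leaked list."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest() in blocklist


def check_new_password(username, candidate, blocklist):
    """Password-set policy: return None if acceptable, else the rejection reason."""
    if is_blocked(candidate, blocklist):
        return "appears in a public breach list"
    if username.lower() in candidate.lower():
        return "contains the username"
    return None


def username_password_stats(pairs):
    """Numbers a password-only list cannot give you: how often the password
    equals or contains the username (case-insensitive), plus the top passwords."""
    pairs = list(pairs)
    equal = sum(1 for u, p in pairs if u.lower() == p.lower())
    contains = sum(1 for u, p in pairs if u.lower() in p.lower())  # includes equal
    top = Counter(p for _, p in pairs).most_common(3)
    return {"total": len(pairs), "equal_username": equal,
            "contains_username": contains, "top": top}


if __name__ == "__main__":
    leaked = list(parse_dump(SAMPLE_DUMP))
    blocklist = build_blocklist(leaked)
    print(username_password_stats(leaked))
    for user, pw in [("newuser", "password1"), ("newuser", "NewUser2015"),
                     ("newuser", "correct horse battery staple")]:
        print(user, repr(pw), "->", check_new_password(user, pw, blocklist) or "ok")
```

In production the same shape applies with a far larger list: hash the leaked passwords once, keep the digests, and consult them both in a one-off audit of existing accounts and at every password change.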

From the post at Xato.net:

Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone. Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature. If simply linking to already released authentication features in a private IRC channel was considered trafficking, surely the FBI would consider releasing the actual data to the public a crime.

But is it against the law? There are several statutes that the government used against Brown, as summarized by the Digital Media Law Project:

Count One: Traffic in Stolen Authentication Features, 18 U.S.C. §§ 1028(a)(2), (b)(1)(B), and (c)(3)(A); Aid and Abet, 18 U.S.C. § 2: Transferring the hyperlink to stolen credit card account information from one IRC channel to his own (#ProjectPM), thereby making stolen information available to other persons without Stratfor or the card holders’ knowledge or consent; aiding and abetting in the trafficking of this stolen data.

Count Two: Access Device Fraud, 18 U.S.C. §§ 1029(a)(3) and (c)(1)(A)(i); Aid and Abet, 18 U.S.C. § 2: Aiding and abetting the possession of at least fifteen unauthorized access devices with intent to defraud by possessing card information without the card holders’ knowledge and authorization.

Counts Three Through Twelve: Aggravated Identity Theft, 18 U.S.C. § 1028A(a)(1); Aid and Abet, 18 U.S.C. § 2: Ten counts of aiding and abetting identity theft, for knowingly and without authorization transferring identification documents by transferring and possessing means of identifying ten individuals in Texas, Florida, and Arizona, in the form of their credit card numbers and the corresponding CVVs for authentication as well as personal addresses and other contact information.

While these particular indictments refer to credit card data, the laws do also reference authentication features. Two of the key points here are knowingly and with intent to defraud.

In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access.

To ensure that these logins cannot be used for illegal purposes, I have:

  1. Limited identifying information by removing the domain portion from email addresses
  2. Combined data samples from thousands of global incidents from the last five years with other data mixed in going back an additional ten years so the accounts cannot be tied to any one company.
  3. Removed any keywords, such as company names, that might indicate the source of the login information.
  4. Manually reviewed much of the data to remove information that might be particularly linked to an individual
  5. Removed information that appeared to be a credit card or financial account number.
  6. Where possible, removed accounts belonging to employees of any government or military sources [Note: although I can identify government or military logins when they include full email addresses, sometimes these logins get posted without the domains, without mentioning the source, or aggregated on other lists and therefore it is impossible to know if I have removed all references.]

Furthermore, I believe these are primarily dead passwords, which cannot be defined as authentication features because dead passwords will not allow you to authenticate. The likelihood of any authentication information included still being valid is low and therefore this data is largely useless for illegal purposes. To my knowledge, these passwords are dead because:

  1. All data currently is or was at one time generally available to anyone and discoverable via search engines in a plaintext (unhashed and unencrypted) format and therefore already widely available to those with an intent to defraud or gain unauthorized access to computer systems.
  2. The data has been publicly available long enough (up to ten years) for companies to reset passwords and notify users. In fact, I would consider any organization that is unaware of these leaks and still has not changed user passwords, after these have been publicly visible for such a long period of time, to be grossly negligent.
  3. The data is collected by numerous web sites such as haveibeenpwned or pwnedlist and others where users can check and be notified if their own accounts have been compromised.
  4. Many companies, such as Facebook, also monitor public data dumps to identify user accounts in their user base that may have been compromised and proactively notify users.
  5. A portion of users, either on their own or required by policy, change their passwords on a regular basis regardless of being aware of compromised login information.
  6. Many organizations, particularly in some industries, actively identify unusual login patterns and automatically disable accounts or notify account owners.

Ultimately, to the best of my knowledge these passwords are no longer valid, and I have taken extraordinary measures to make this data ineffective in targeting particular users or organizations. This data is extremely valuable for academic and research purposes and for furthering authentication security, and this is why I have released it to the public domain.

Having said all that, I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment. I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me.

I could have released this data anonymously like everyone else does, but why should I have to? I clearly have no criminal intent here. It is beyond all reason that any researcher, student, or journalist has to be afraid of law enforcement agencies that are supposed to be protecting us instead of trying to find ways to use the laws against us.


Read more at Xato.net

Anthem (Blue Cross Blue Shield) hacked

Like so many other people, I woke up yesterday morning to find myself reading another breach notification (see: here), only to find news about the Anthem hack.

This time, it was a letter from Anthem notifying me that my health information may have been compromised. In reading the letter, I also saw that Mandiant and the FBI had been retained to investigate the breach.

I usually come to the same conclusion every time I hear certain things together. When I hear about a breach affecting a HIPAA-covered organization, I usually start thinking about a phishing/spear-phishing campaign that resulted in someone giving up their account/VPN details, followed by the immediate breach and scouring of their website for information and data.

The other thing I always think of, when Mandiant comes rushing to the scene, is the immediate blame placed on a state-run actor. Of course China, whose population is 1.35B, is going to find the SSNs of impacted customers useful; oh wait, what value is there in the SSNs of people from a foreign land? Or, better yet, there is the joke I make about the hack of CHS. Again, the problem I see is: what is the value of an SSN to a foreign country? Some claims went on to say they were after formularies associated with drugs and medicine, which several news agencies ran with. But consider this: hospitals don’t have the same sort of pharmaceutical horsepower that huge drug manufacturers have; I would go so far as to say they aren’t even comparable.

So once again, I will ask: what value does an SSN have to a nation-state?

UPDATE: First posts about this being a state-sponsored attack are now emerging.