Archive for category Uncategorized

The Security Pretend Game – Sudo and Runas

Common wisdom would have you believe when you run sudo that you are only granting root privileges to one command at one point in time. In reality, you are granting root privileges to any hacker who has ever run any code in any process at any previous time in your account and decided they wanted escalated privileges.
Use completely unprivileged accounts for day-to-day tasks, then log out and log in with a privileged, trusted account for privileged tasks; don’t use runas or sudo from your day-to-day account; it eliminates the security benefits of using the unprivileged account.
Control should always flow from a more privileged and more trusted environment to the less privileged, untrusted environment; going the other way, even when presenting credentials, only allows those credentials to be stolen and hackers to ride up to the higher privileges. This is not a new idea; it is why Microsoft’s #1 recommendation to secure privileged accounts from credential theft is to make it so you cannot log into a privileged account from an ordinary, untrusted workstation. But this principle frequently seems to be forgotten.

No Comments

Why the government shouldn’t pay for your college (or most other things)

Recently there has been a renewed push, from presidential candidate Bernie Sanders to the “Million Student March” protests, to have 100% government funded college in the US, and similar policies under the banner of socialism. I thought the below tweet captured my thoughts on the matter well, but it also generated its share of negative […]

No Comments

On Suicide and Ashley Madison

Suicide is a difficult topic to discuss. It has claimed many well-known individuals in society at large and in information security. It is a difficult topic for me to discuss since one of my best friends in college committed suicide just a few years ago, something I still struggle to talk about. As many of you know, I am a veteran, and far too many of my fellow veterans have also taken their own lives, at a rate far higher than the population at large. There have been a number of high-profile suicides in my home town recently…

It’s been about 3 1/2 weeks since the dump was released. In a random selection of 20-37 million people matching Ashley Madison’s user demographics, at least 250 to over 400 people have committed suicide. If three Ashley Madison users have committed suicide, they would have a suicide rate 1/100th that of the population at large. What’s going on?

No Comments

Credential Assessment – Mapping Privilege Escalation at Scale

I recently gave the following presentation at CanSecWest. (cansecwest.com) You can see the slides below:

No Comments

Replacing Passwords With EasyAuth

There’s been a lot of focus on replacing passwords for authentication lately. Google and Twitter have each put forward proposals to address issues in authentication, Google’s based on browser modifications and Twitter’s based on mobile phone usage. Many people advocate multi-factor authentication while others advocate email-based authentication or even more unusual ideas. While many offer […]

No Comments

Exploiting Ammyy Admin – developing an 0day

Background For the past few years, a number of groups of scammers have been cold-calling thousands if not millions of people in what’s been referred to as the “Ammyy Scam” or the “Microsoft Tech Support Scam” among other names. The scammers pretend to be from Microsoft or another official group and claim to have detected […]

25 Comments

More Spiders, Fewer Trees: Meterpreter Hop

Just about every time you see a serious network intrusion where the attackers obtain access to internal networks, the attackers used “hop points” to conceal their identity and evade detection. … Setting up and using hop points has been a chore for penetration testers as well. Normally setting up a hop requires owning the server to open and listen on arbitrary ports and forward data. But today, using a new payload and session type I contributed to the metasploit framework, you can use any common PHP host as a hop for meterpreter. This is a big deal since it’s the first time metasploit has natively supported receiving a connect-back shell that goes somewhere other than directly to the Metasploit controller. … Check it out in the video below:

,

No Comments

4 practical rules to not get your program hacked

If you’re a developer, the task of building secure software can seem to be daunting. Vulnerabilities are a bane of large complex software projects, and companies like Microsoft spend millions to try to address them. This shouldn’t be a surprise, but since it’s popular to claim everything is hackable and nothing can be secure, it’s worth spelling out: Remote code execution vulnerabilities are not hard to prevent if developers follow a few simple, practical rules from the start, since they basically always fall into the below categories.

4 Comments

Red Teaming the CCDC

At BSides San Antonio this year, I gave a talk on Red Teaming the CCDC, including the CCDC red team year-end highlights, lessons learned, and all the secrets we’ve been hiding from the regional qualifiers to the national finals. I covered how we hacked and hid from the most paranoid student sysadmins in the nation, […]

No Comments

March – Pass the Hash Awareness Month

March is Pass-the-Hash Awareness Month! It’s not as simple as you might think, but to break it down, I did a guest post on the passing-the-hash blog: http://passing-the-hash.blogspot.com/2014/03/guest-post-lets-talk-about-pass-hash-by.html

No Comments