Archive

Posts Tagged ‘Security’

DefCon – Crack me if you can… – or how to prove password policies are harmful

August 26th, 2010 Frank Breedijk No comments
Passwords are like Pants... a Creative Commons Attribution, Noncommercial, No Derivative Works image from Richard Parmiter's Flickr photostream

One of the DefCon contests that most sparked my imagination was the “Crack me if you can” password cracking contest, organized by KoreLogic. The goal of the contest is to crack as many of the password hashes provided as possible. The rules of the contest allow the use of off-site and on-site computer equipment of any kind, but in order to be eligible for any prize money at least one team member had to be physically present at the DefCon conference.

The competition is interesting in more than one way. First of all, the contest is educational in its setup. Even though the amount of computing power a team can bring to bear matters for getting good results, it is not the determining factor in winning or losing the contest. The key to winning, or doing well, was understanding human behavior. KoreLogic generated a set of passwords they feel is representative of what they actually encounter in the field. Most corporate environments rely on a common set of rules that force users to pick “strong” passwords and to change them regularly. While the goal of these rules is commendable, KoreLogic’s experience has taught them that the human behavior triggered by these rules makes passwords very predictable. “If you force employees to change their passwords four times a year, they will select something that naturally changes four times in most cities (except Las Vegas)”; typical passwords they find are things like Winter2010. Once you understand this pattern, you can reliably predict what the password will be in, say, 9 months or a year. Teams that spotted this pattern and used it to make smarter password guesses did better in the competition.
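The Winter2010 pattern above is easy to catch on the policy side. The following is an added example, not code from the post or from KoreLogic: a filter that flags passwords made of a season or month name plus a year (with the usual case, leetspeak and trailing-symbol variations that users apply to satisfy complexity rules), and an audit helper that counts how common the pattern is in a list of already-cracked passwords.

```python
"""Flag season/month + year passwords such as Winter2010 or w1nt3r2010!.

Added example; it is not the post's or KoreLogic's code. Intended for a
password filter (reject on enrolment) and for auditing a cracked-password
list to show how much of it a rotation policy produced.
"""
import re
from collections import Counter

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
# Substitutions users apply to satisfy "must contain a digit or symbol" rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
# word, optional separator, a 2- or 4-digit year, then only non-letters (e.g. "!")
_SHAPE = re.compile(
    r"^(?P<word>.+?)[-_ ]?(?P<year>(?:19|20)\d{2}|\d{2})(?P<tail>[^A-Za-z]*)$")


def season_year_pattern(password):
    """Return (word, year) if the password is a season/month plus year, else None."""
    m = _SHAPE.match(password)
    if not m:
        return None
    # Normalise only the word part; the year digits must stay digits.
    word = m.group("word").lower().translate(LEET)
    if word in SEASONS or word in MONTHS:
        return word, m.group("year")
    return None


def audit(passwords):
    """Count passwords following the pattern, grouped by the word they used."""
    counts = Counter()
    for pw in passwords:
        hit = season_year_pattern(pw)
        counts[hit[0] if hit else "other"] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample, not a real cracked-password list.
    sample = ["Winter2010", "w1nt3r2010!", "Summer10", "Spring-2011#",
              "March2010", "correct horse", "Tr0ub4dor&3", "Autumn"]
    for pw in sample:
        print(f"{pw:14} -> {season_year_pattern(pw)}")
    print(audit(sample))
```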
Read more…

DefCon: Blitzableiter – The release

August 26th, 2010 Frank Breedijk No comments

GLOBAL BATTLE - KIDS TO SAVE THE WORLD SERIES (Explore #4) a CC, non-commercial, no derived works image from JOHN CORVERA's flickr photostream

This talk is a follow up of Felix’ talk at Black Hat Europe which I blogged about earlier here (http://www.cupfighter.net/index.php/2010/04/blackhateu-fx/) marking the release of the tool BlitzAbleiter.

One of the new points highlighted is that his work is not only of interest to ordinary users running Flash content, but also to corporations that serve pre-compiled Flash advertisements and do not want them infected with malware or other unwanted behaviour.
For the release of Blitzableiter Felix has chosen to integrate with NoScript. If you have the latest version of NoScript, you already have BlitzAbleiter.
Felix then demoed BlitzAbleiter by using it to stop some in-the-wild Flash exploits.

I managed to speak to Felix in a more informal setting later, and he pointed out that there are two major differences between BlitzAbleiter as presented in Barcelona and the current version. BlitzAbleiter now supports both the version 1 and version 2 Flash virtual machines. Besides that, the code quality of the tool is now at such a level that it is actually a usable tool that can be released to the public.

The name BlitzAbleiter is the German word for lightning rod, because it has the potential to turn harmful Flash into harmless thunder.

DefCon: Nmap Scripting Engine Q&A

July 31st, 2010 Frank Breedijk No comments

By Fyodor and David Fifield

After the presentation I joined Fyodor and David in the Q&A room to talk further about the Nmap NSE session. Here are some of the questions and answers…

Is there anything like XML output to glue the output of the scripts together? Script output is included in the normal XML output, but it is not yet in any structured format. The cool guys from the nmap project have not yet figured out how to do that.

Will the password cracking capabilities in nmap make stuff like John the Ripper obsolete? The password cracking functionality demoed is not a replacement for John the Ripper, but work is in progress to make the capabilities of nmap better, especially in the ncrack project, which will release RDP password cracking in the next few days.

Is there a way to run scripts with a declared dependency, so one script runs and then the other script runs based on the results? This is fully supported.

Why Lua over other languages? It was a fight between the Scheme language and another language. In the end we settled on Lua. Perl and Python were too big to ship with nmap. Lua really fitted what we needed and wasn’t too big.

Is nmap turning into the new Nessus? Well, it could, but it will never include all scripts to find all vulnerabilities. Each product has its own use, but nmap is getting nearer and nearer to becoming a vulnerability scanner. Conficker is a great example of that: nmap was the first scanner that was able to remotely detect Conficker-infected machines.

Are there plans to include hping functionality in nmap? Yes, there is nping, which has similar functionality and more.

Is there raw packet functionality in NSE? There are packet creation functions in the Lua libraries, and there is an interface to pcap as well.

Read more…

BSidesLV: InfoSec Speed Debates

July 29th, 2010 Frank Breedijk No comments

Sing It Back, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from alphadesigner's photostream

By Josh Corman, Dennis Fisher, HD Moore, Jack Daniel

The idea of infosec speed debates is to pick a topic and debate it between two panelists. A flip of the coin determines whether a panel member has to argue for or against the idea, in under 5 minutes.

Topics of the discussion

User authentication doesn’t work. Conclusion: Maybe.

End user education works. Conclusion: Dream on.

Is it possible to talk about security research and not represent your employer? Conclusion: “It’s the fault of the press”

Do vulnerabilities still matter? Conclusion: They matter, but we are becoming insensitive to them.

Metrics are bunk. Conclusion: A fool with a tool, is still a fool.

Besides getting the opinion of some smart people, this panel was a lot of fun too.

Black Hat USA: Malware Freak Show 2010: The Client-Side Boogaloo

July 28th, 2010 Frank Breedijk No comments

By Nicholas J. Percoco (@c7five) and Jibran Ilyas

The SpiderLabs guys had a busy year. They investigated over 200 incidents in 24 different countries and ended up collecting plenty of malware samples. Building on last year’s DEFCON talk, they are going to dive deeper and bring you the most interesting samples from around the world.

This talk brings you 4 new freaks and 4 new victims, including a sports bar in Miami, an online adult toy store, a US defense contractor and an international VoIP provider.

The malware being demoed are very advanced pieces of software written by very skilled developers. The complexity of their propagation, control channels, anti-forensic techniques and data exfiltration properties will be very interesting to anyone interested in this topic, even though the major categories have stayed the same.

Malware comes in various categories: keyboard loggers, screen loggers and memory scrapers. Disk scrapers are not very popular because they are slow and are noticed too easily due to heavy disk activity. There are three basic ways to own a system: Physical, Easy and Uber. Physical means inserting something like a USB stick or key logger. Easy is e.g. through publicly exposed RDP and default passwords.

Malware is getting much harder to detect because it is better tested and uses stealthier techniques like rootkits.

Sample SL2009-127 – Memory Rootkit Malware – Captain Brain Drain

Read more…

HitB2010Ams – XProbe-NG: Building efficient Network Discovery Tools

July 2nd, 2010 Frank Breedijk No comments

By Fyodor Yarochkin

To clear up a common misunderstanding, this Fyodor is not the same Fyodor as the author of Nmap.

XProbe-NG was written to discover a rogue server in the network of a major Taiwanese internet provider. It turned out that XProbe was not sufficient to handle all the application-level traffic that was going on in this case.

However, doing layer 7 probes introduced two problems:

  • Bandwidth – having to send far more data
  • Time – making sure you finish in time

Other motivations for XProbe-NG include:

  • Scanning other protocols than IP only
  • Bulk scanning
  • Probing “en-route” systems
  • Migration to IPv6
  • Honeypots/nets
  • Improving precision

Read more…

HitB2010Ams – Maltego 3 – Start your Engines

July 2nd, 2010 Frank Breedijk No comments

By Roelof Temmingh

Maltego is like a box of Lego, but for open source information gathering, which refers to gathering information that is publicly available on the Internet.

Maltego released version 3.0 about two weeks ago, and I previously blogged about the preview at Black Hat EU. Paterva has added quite a few new features, the most interesting being NER, Named Entity Recognition. NER takes text and marks entities like person names, companies and phone numbers. NER can be used to get to a big brother scenario where SMS, radio signals and web pages are constantly monitored for named entities.

Roelof demoed NER by trying to find the winner of the Fifa World Cup. He searched for all websites containing the phrases: FIF, “win the world cup”. He found the top 50 sites that contained the phrases and got the URLs on these sites. NER was run against these URLs.

Using Maltego, Paterva came up with the prediction that Brazil will win the World Championship.

Read more…

HitB2010Ams – Ten Crazy Ideas That Might Actually Change the State of Information Security

July 2nd, 2010 Frank Breedijk No comments

By Mark Curphey

Mark starts off by giving a very funny overview of his very impressive career. He currently has a non-security security job at Microsoft running the MSDN subscription services department. Being away from security has given him room to think about information security more.

His talk is about 10 crazy ideas that might change the state of information security. These ideas all cost little money, but may have a big impact.

#1 – Adopt Chinese Medicine Business Model

In China the doctor gets paid to keep you healthy, not to cure you. There are currently actually two companies that are experimenting with this business model.

#2 – Stop Human Pattern Matching

Humans see things they expect to see. The brain is wired to see what it is expecting to see. This is why optical illusions work, which was demonstrated to the audience with two illusions. Security people do this all the time: I have XSS, this is going to happen, this vulnerability will cause this worm.

#3 – Community Driven Statistical modelling

An example of this is http://freerisk.org. It allows people to input and consume financial modelling data. In the security world there is no data that will give us some predictable model of how security behaves. Wine quality can actually be captured in a formula: Wine Quality = 12.145 + 0.00117 * winter rainfall + 0.0614 * average growing-season temperature – 0.00386 * harvest rainfall. Where is the equivalent for security? Rubbish, you say? Well, the formula for wine quality is actually used in the field now.

Read more…

Confidence 2010: Well known vulnerabilities in human brain and behavior – common admin mistakes

May 25th, 2010 Frank Breedijk No comments

By Wojciech Bojdol

Wojciech started his talk by explaining the basic principles of social engineering.

His talk then highlights three bugs in human behaviour.

Bug #1: We want to trust the world

We are not open to information that contradicts our own view. Information that contradicts our own beliefs costs us effort.

Bug #2: People are lazy

Read more…

Confidence 2010: Security Sucks

May 25th, 2010 Frank Breedijk No comments

By Eddie Schwartz  (@eddieschwartz and LinkedIn)

Security today is sold on three main motivations, FUD: Fear, Uncertainty and Doubt.

Security sucks because there are certain factors that you cannot do anything about. E.g. if you get a mail from your kids’ school saying that 10 children have fallen ill to a new disease, would you open it?

Eddie further highlighted that there is a significant imbalance between defense and offence. Offence runs broad organizations that make money from their activities (cybercrime), whereas defense costs organizations money just to make sure nothing happens (IT security).

Security officers and information officers have quite different perceptions of whether compliance aids security.

Read more…