Day 1: ITSM Vulnerability Assessment techniques
Lesson 1: These techniques come in two parts: 1) information assurance strategies, and 2) software assurance tools. My feeling is that vulnerability assessments in IT operations environments are typically done without enough strategic or operational thinking (relying too much on tools and point-and-click scanners), while IT development shops are not hands-on enough (or don't know where to start).
Part 1: Information assurance vulnerability assessment — Network segmentation, Physical
This is a bottom-up strategic approach that follows the OSI model: start at Layer 1 (physical) and work up to the application layer. Physical security is extremely important. Where possible, host all computers in a data center and use thin clients locally.
How about the network? Keep unused network ports disabled by default, and check and verify the structured cabling. The largest problem at this layer is rogue APs and other WiFi-related weaknesses. WEP is the worst of these, but WPA-Personal (WPA-PSK) can also be a problem when the passphrase is weak, since the handshake can be captured and the passphrase attacked offline. This time last year, TJX had a data breach that started with an attack on WEP.
However, RF is everywhere and built into many devices. Rogue APs are not the only physical-layer segmentation problem; rogue clients are as well. Clients are devices such as PDAs, PDA phones, and anything else with both a radio and software. Other physical-layer technologies, such as stray copper runs, laser links, and infrared, can also carry traffic across otherwise segmented networks.
Scanning for all of these devices is not easy. Even with Kismet and BTScan, plus spectrum tools such as Wi-Spy, it can be impossible to keep scanning at all times. There are not enough good vulnerability assessment tools that combine scanning with password brute-forcing, and that activity takes even more time. When was the last time you made sure that BTScan was checking for unsafe OBEX passwords?
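As an added illustration of the rogue-AP scanning problem (example code written for this page; it is not from the original post nor from Kismet, BTScan or any other tool named above), here is a small Node.js script that audits wireless scan output against an inventory of authorized APs. The input format mimics the text printed by `iwlist <iface> scan`; the sample scan and the AUTHORIZED inventory are both constructed for the example. It flags radios not in the inventory, an unknown radio advertising a corporate ESSID (an evil twin), WEP-only and open networks, and an authorized AP whose crypto has been downgraded. A BSSID is trivially spoofed, so an inventory match is only a first pass, not proof that a radio is yours.

```javascript
// Rogue-AP audit over scan output. Added example, not part of the original post.
// Input mimics `iwlist <iface> scan` text; sample data and inventory are constructed.

// Assumption: corporate inventory of authorized APs, BSSID -> ESSID.
var AUTHORIZED = {
  '00:11:22:33:44:01': 'corp-secure',
  '00:11:22:33:44:02': 'corp-secure'
};

// Constructed scan output (not real data), in iwlist's layout.
var SAMPLE_SCAN = [
  '          Cell 01 - Address: 00:11:22:33:44:01',
  '                    ESSID:"corp-secure"',
  '                    Encryption key:on',
  '                    IE: IEEE 802.11i/WPA2 Version 1',
  '          Cell 02 - Address: 00:11:22:33:44:02',
  '                    ESSID:"corp-secure"',
  '                    Encryption key:on',
  '                    IE: IEEE 802.11i/WPA2 Version 1',
  '          Cell 03 - Address: 00:DE:AD:BE:EF:01',   // corporate ESSID, unknown radio
  '                    ESSID:"corp-secure"',
  '                    Encryption key:on',
  '                    IE: IEEE 802.11i/WPA2 Version 1',
  '          Cell 04 - Address: 00:DE:AD:BE:EF:02',   // key on, no WPA IE => WEP
  '                    ESSID:"linksys"',
  '                    Encryption key:on',
  '          Cell 05 - Address: 00:DE:AD:BE:EF:03',   // no encryption at all
  '                    ESSID:"guest"',
  '                    Encryption key:off'
].join('\n');

// Parse the scan text into one record per cell (AP).
function parseScan(text) {
  var cells = [], cur = null, m;
  text.split('\n').forEach(function (line) {
    if ((m = /Cell \d+ - Address: ([0-9A-Fa-f:]{17})/.exec(line))) {
      cur = { bssid: m[1].toUpperCase(), essid: '', keyOn: false, wpa: false };
      cells.push(cur);
    } else if (!cur) {
      return;                                   // text before the first cell
    } else if ((m = /ESSID:"(.*)"/.exec(line))) {
      cur.essid = m[1];
    } else if (/Encryption key:on/.test(line)) {
      cur.keyOn = true;                         // WEP, WPA or WPA2
    } else if (/IE: .*(WPA|802\.11i)/.test(line)) {
      cur.wpa = true;                           // WPA/WPA2 information element present
    }
  });
  return cells;
}

// Decide what a cell is, given the inventory.
function classify(cell, authorized) {
  var knownEssids = Object.keys(authorized).map(function (b) { return authorized[b]; });
  var strongCrypto = cell.keyOn && cell.wpa;
  if (authorized[cell.bssid]) {
    return strongCrypto ? 'authorized' : 'authorized-weak-crypto';   // downgraded config
  }
  if (knownEssids.indexOf(cell.essid) !== -1) return 'evil-twin'; // our SSID, not our radio
  if (!cell.keyOn) return 'rogue-open';
  if (!cell.wpa) return 'rogue-wep';
  return 'rogue';
}

// Audit a scan and attach a verdict to each cell.
function audit(text, authorized) {
  return parseScan(text).map(function (cell) {
    cell.verdict = classify(cell, authorized);
    return cell;
  });
}

audit(SAMPLE_SCAN, AUTHORIZED).forEach(function (c) {
  console.log(c.bssid + '  ' + c.essid + '  ' + c.verdict);
});
```

Run it against a real capture by replacing SAMPLE_SCAN with the saved output of `iwlist` (or any scanner whose output you map into the same three fields); anything other than `authorized` is worth walking over to with a directional antenna.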
Recommendation: vendors (especially secure-AP vendors) should provide APs that present decoy AP information for WiFi, Bluetooth, IrDA, and possibly other common RF technologies. They should present a captive portal stating that connecting to this AP is against corporate policy, that the connection is being monitored, and that administrators have been contacted. Integration with a SIEM is ideal to back up these claims.
If your WiFi vendor's solution can also scan employee devices, it should detect rogue clients (e.g. BlackBerrys, iPhones, Windows Mobile devices, etc.). Again, integration with SIEM technology is the ideal way of being notified of a possible breach. Checking whether packets can loop between network types (for example, whether traffic injected on the wired side shows up over the air) is a great way of detecting rogue APs and clients, but be careful how it is implemented: all network traffic can be queued and/or blocked locally.
When a vendor can't provide a solution, you may want to roll your own. I suggest Soekris boards, CM9 miniPCI cards, and Pyramid Linux.
I'll talk more about the software side of assessing radios on Day 2. If you'd like more information, please check out the books “Blackjacking” by Daniel Hoffman, and the infamous “Wi-Foo” and “Hacking Exposed: Cisco Networks” by the Arhont team.
Part 2: Software assurance vulnerability assessment — Browsers and extensions
Best browser tools
bookmarklets, Firefox’s Tools->Page Info (with View Cookies), Nikhil’s Web Development Helper, Cooxie, Web Developer, FireBug, Microsoft Script Debugger, DOM Inspector, InspectThis, Cert Viewer Plus, HOOK, FlashTracer, XPath Checker, XPather, View Source Chart, viewformattedsource, UrlParams, IE Developer Toolbar, HttpWatch Basic, TamperIE, Tamper Data, Modify Headers, LiveHttpHeaders, Header Monitor, PrefBar, Technika, Fiddler, FireBug Lite, JS Commander, VBScript, Applescript, about:config
Bookmarklets are the best browser tools because they are cross-browser, cross-OS, and usable for many kinds of attack. I use them in IE7, Firefox 2, and Opera 9.
I listed most of the other tools in a rough order of importance. Feel free to explore them in that order. Some are Firefox-only, and some are IE-only. Some are external to the browser but had to be listed regardless (e.g. Fiddler, FireBug Lite, and JS Commander). I listed VBScript and AppleScript because they can be used to control the browser. In my past blog posts on why crawling doesn't matter, I talked about similar ways of “driving the browser” and called these “browser-drivers”.
I am not going to spend any time in the near future on the internals of bookmarklets or browser add-ons, although I may touch on some of these other tools when it comes to specific attacks. The point here is to introduce you to tools which you may not have used or heard of. I would like to leave you with further information on bookmarklets, so here are a few links: RSnake's, Awardspace, and Squarefree. Some of my favorites are: Find Redirects, Show JS Vars, generated source, view cookies, netcraft, Alexa, http headers, and Edit Cookies. I have taken the code from Ajax Security in order to compose a “HOOK-lite” for JavaScript function monitoring; this version simply enumerates the functions reachable from the window object:
var ret = "";
// Walk every property reachable from window and collect the ones that are functions.
for (var i in window) {
  try {
    if (typeof(window[i]) == 'function') {
      ret += i + " | ";
    }
  } catch (e) {
    // some properties (e.g. cross-domain frames) throw on access; skip them
  }
}
alert(ret);
You can paste the above into Technika and click “Run”. Technika requires Firebug and Firefox.
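The snippet above only lists the functions; the HOOK technique it is modelled on goes one step further and wraps them so that every call is recorded. Here is an added example of that step (written for this page, not taken from the original post or from the Ajax Security book's HOOK code). It runs in Node.js for the demo and the same functions work as a bookmarklet in a browser with `window` as the target. The `app` object, its `login` and `setCookie` functions, and the helper names are all assumptions for the example.

```javascript
// "HOOK-lite" function monitoring. Added example, not part of the original post.
// Wraps the named functions on a target object so each call, its arguments and
// its return value (or exception) are appended to a log, and can be undone.

// Enumerate function-valued properties, like the snippet in the post, but
// tolerating properties that throw on access (cross-domain frames in a browser).
function listFunctions(target) {
  var names = [];
  for (var name in target) {
    var value;
    try { value = target[name]; } catch (e) { continue; }
    if (typeof value === 'function') names.push(name);
  }
  return names;
}

// Replace target[name] with a logging wrapper for each name; returns an
// unhook() function that restores the originals. Caveat: the wrapper is not
// safe for functions invoked with `new` (constructors), so in a browser pass
// an explicit list rather than every function on window.
function hookFunctions(target, names, log) {
  var originals = {};
  names.forEach(function (name) {
    var original = target[name];
    if (typeof original !== 'function') return;
    originals[name] = original;
    target[name] = function () {
      var args = Array.prototype.slice.call(arguments);
      var entry = { name: name, args: args };
      try {
        entry.result = original.apply(this, args);   // preserve `this` and arguments
        return entry.result;
      } catch (err) {
        entry.error = String(err);
        throw err;                                    // never swallow the page's errors
      } finally {
        log.push(entry);
      }
    };
  });
  return function unhook() {
    Object.keys(originals).forEach(function (name) { target[name] = originals[name]; });
  };
}

// Render the log one call per line, e.g. login("admin", "hunter2") -> true
function formatLog(log) {
  return log.map(function (e) {
    var args = e.args.map(function (a) { return JSON.stringify(a); }).join(', ');
    var outcome = ('error' in e) ? 'threw ' + e.error : JSON.stringify(e.result);
    return e.name + '(' + args + ') -> ' + outcome;
  }).join('\n');
}

// Stand-in for a page's global functions (constructed for the demo).
function demo() {
  var app = {
    login: function (user, pass) { return user === 'admin' && pass === 'hunter2'; },
    setCookie: function (name, value) { return name + '=' + value; },
    version: '1.0'
  };
  var log = [];
  var unhook = hookFunctions(app, listFunctions(app), log);
  app.login('admin', 'hunter2');
  app.setCookie('session', 'abc123');
  unhook();
  app.setCookie('unlogged', 'x');   // not recorded after unhook
  return formatLog(log);
}

console.log(demo());
```

As a bookmarklet, replace `demo()` with something like `var log = []; hookFunctions(window, ['setCookie', 'login'], log);` wrapped in `javascript:(function(){...})()`, and read `formatLog(log)` from the console once you have exercised the page; the log then shows you exactly which application functions a click path reaches and what they are handed.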

I think you bring up a good point: it is not only the basic Wi-Fi AP that may have a security hole; any device can have flaws and potential security risks.
A few weeks ago I was watching a demo on the security flaws with bar codes and bar-code readers. With a few simple lines on a bar code, it signaled to the reader that more bar codes would be scanned in as one long sequence. As a result they showed a potential memory buffer overflow, since they never predicted that someone would scan such a long bar code.
I apologise ahead of time if this is the wrong place to ask, but how did you sync all your bookmarks across the three browsers? I have Firefox synced with Google Bookmarks, and Opera to My Opera. I just can't find any plug-in to cross-sync them. I was going to write my own script, but why re-invent the wheel if it is already out there?
I use del.icio.us in a separate Firefox profile and turn on a StumbleUpon BHO under IE7. Del.icio.us uses a bookmarklet, and I’m famous for putting several “post to del.icio.us” bookmarklets across my entire Bookmark Toolbar Folder. I used to use Foxmarks to sync RSS feeds across Firefox browsers, but gave up because of the problems you describe. I now use Google Reader and back up my feeds in OPML (XML file).
Bookmarklets are easy to copy/paste between browsers and browser profiles. Unfortunately, FireBug/Technika don’t run in every browser, but FireBug Lite is almost as good. There are ways of making your Bookmarks Toolbar wrap in order to provide more visible area for bookmarklets, and there is also a way of making bookmarklets get around size limitations.
I’ll try and cover these and other issues in a future post.
Depending on one’s line of work, even CRT monitor emissions are suspect! Phooey.
Maybe using BTScan is easier than I think it is (I admit ignorance!), but I bet discussing BTScan and how to use it would be a popular topic… winkwink!
@ LonerVamp:
Well, depending on what OS you have, environment, etc., I can only recommend some basic tools.
Probably some of the best tools are redfang (Ollie Whitehouse), BTScanner, Network Chemistry’s BlueScanner, and even hcitool. I recall scanning with hcitool in a shell while(1) loop or with one of the local’s scripts and it being somewhat unreliable.
After trying the recent BTScan from Jerome Athias (cool guy, btw; TS/SCI hung out with him at Toorcon 9), I can say it's probably more reliable and certainly prettier. It's a simple install and easy to run. I don't understand why examples would be necessary. The tool has two buttons besides the Windows defaults: “Refresh” and “Send [File]”. I only have four Bluetooth devices in my house right now, and I'm not really up for Photoshopping out my BT MACs and then somebody reading the EXIF data.
Also worth checking out might be btdsd (including bt_audit / psm_scan) and trifinite’s Blueprinting (as well as Josh Wright’s projects).