Matasano Chargen


My Pentest Secret: Password Guessing
Today

Since we have seen a couple of cases where low-tech mechanisms were used for real break-ins (see Sarah Palin and, most recently, Twitter), now is a good time to reveal a practice I commonly employ that frustrates co-workers to no end: password guessing on administrative interfaces. It isn’t glamorous, it isn’t exciting, but it is unbelievably effective.

A high percentage of pentesters see a login prompt, look for input validation flaws like XSS or SQLi, try some auth bypass like forced browsing, and typically move on. I will almost always try some basic account and password guessing, along with doing some research on the system to see if there might be some default accounts.

In 2008 alone, I used this at least 5 times to game-over systems OVER THE INTERNET. Without fail, management interfaces indirectly allow code execution or arbitrary file read/write (90% with admin privs). Application admins on websites invariably have access to all of the users on the system, and let’s face it, if there is one area where your devs didn’t think about SQL injection, it’s the code only admins get to see.

If you are responsible for these systems, I have some advice:

  1. SEGMENTED INTERFACES. For the love of all things holy, do not, DO NOT, DO NOT, DO NOT expose management interfaces ove

Penetration Testing: Dead But Not Really Dead.
December 24 2008

Yah, late commentary.  Sorry, been a little busy.  Brian Chess kicked the hornet’s nest beautifully by declaring:

Penetration Testing: Dead in 2009

with:  

“Death doesn’t mean it goes away, it means it transforms. Pen testing will be reborn in the area of production monitoring and measurement,” Chess said. “The goal won’t be that failure is found and must be fixed. The goal is that failures will become a much rarer event.”

That is a great goal.  However, the goal of penetration testing (which in my world is synonymous with security assessments, so if you are going to get all semantic on me, go nuts; most of my customers use these words interchangeably, and they are some of the most sophisticated purchasers of security) is not to prove you have a problem; it is a last-minute check to find what you missed elsewhere during the construction of a given application or environment.  In the future, where security in the SDLC is considered mature, penetration testing will still be there for assurance purposes, but it will also drive continuous improvement, where the findings get looped back into the process so that developers learn about the latest security flaws that they aren’t defending their applications against.

Spending more in other parts of the lifecycle is essential to effectively manage security.  But, no mat

Happy Holidays and Happy New Year
December 24 2008

Just wanted to wish our customers, our readers, the blogosphere, the internet, the world, and the universe a happy holiday season.   With an economic decline and mass layoffs, IT security budgets are going to get smaller.  Security teams will have to do more with less. 

Meanwhile, an economic downturn will increase motivations to commit crime (including computer based).  And motivations aren’t the only thing increasing.  Attacker sophistication always goes up.  Every year, attackers get more and more sophisticated, and no matter how much improvement we make in application security, there still seems to be enough critical security vulnerabilities out there to keep everyone frantically patching.

I promised that I wasn’t going to do a predictions blog post, because next year predictions are like new years resolutions.  They seem important on January 1st, and by February 1st you can’t even remember what they were.  But, I do have one prediction:

We are going to see an increase in stupid, stupid insider attacks.  People who just get mad at their employers and try to inflict damage.  

No matter what happens, 2009 is going to be an interesting year for the information security space. 

Happy Holidays!

Playbook v1.2 - Now With Full Textual Search And AJAX Bling!
December 16 2008

We’ve just released a new version of our first product: Playbook v1.2.

Textual and structured search

Playbook v1.2 now includes full textual search to complement the previously available rule search. We’ve always known search would be important for Playbook: once you manage a certain number of firewalls, being able to quickly find policies referencing an IP address or service can be a huge time-saver.

Before v1.2 search was limited to what we now call rule format aware search, where only specific elements (e.g., addresses, port numbers, host names) within rules could be used as search terms. This form of structured search works great when you are looking for things that fall within the supported structure: it is often more accurate than its unstructured counterpart, and can provide additional benefits when the search terms are more complex than simple text or numbers. For example, using rule format aware search you can identify all rulesets that reference a given IP address, including those that do so by using a netblock that includes it (e.g., searching for “192.168.2.1” will return firewalls with rules for “192.168.2.0/24”).
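As an added illustration of the netblock-aware matching described above (example code written for this page, not Playbook’s own implementation; the Rule layout and the sample rules are constructed), this contrasts a structured address search, which finds rules whose netblock contains the searched address, with a plain substring search over the same rules:

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One firewall rule; the field layout is a constructed stand-in."""
    firewall: str
    number: int
    source: str        # single address or CIDR netblock
    destination: str   # single address or CIDR netblock
    service: str
    comment: str = ""


# Constructed sample ruleset spanning three firewalls.
RULES = [
    Rule("fw-edge-1", 10, "192.168.2.0/24", "10.0.0.5", "tcp/443", "web tier"),
    Rule("fw-edge-1", 20, "192.168.3.7", "10.0.0.5", "tcp/22", "FIXME! temporary ssh"),
    Rule("fw-dmz-1", 5, "203.0.113.0/24", "192.168.2.1", "tcp/80"),
    Rule("fw-core-1", 30, "172.16.0.0/12", "192.168.2.0/24", "udp/53"),
]


def address_matches(term: str, field: str) -> bool:
    """Structured match: True when the rule's address/netblock contains `term`.
    A bare host address is treated as a /32 (or /128); non-address input never matches."""
    try:
        needle = ipaddress.ip_network(term, strict=False)
        hay = ipaddress.ip_network(field, strict=False)
    except ValueError:
        return False
    return needle.version == hay.version and needle.subnet_of(hay)


def structured_search(rules, term):
    """Rules whose source or destination netblock includes the searched address."""
    return [r for r in rules
            if address_matches(term, r.source) or address_matches(term, r.destination)]


def textual_search(rules, term):
    """Unstructured match: case-insensitive substring over every rule field.
    Misses 192.168.2.1 inside 192.168.2.0/24, but finds free text such as comments."""
    t = term.lower()
    return [r for r in rules
            if any(t in s.lower() for s in (r.source, r.destination, r.service, r.comment))]


def firewalls_referencing(rules, term):
    """Sorted names of firewalls with at least one rule covering the address."""
    return sorted({r.firewall for r in structured_search(rules, term)})
```

Searching "192.168.2.1" structurally returns the /24 rules on fw-edge-1 and fw-core-1 as well as the exact match on fw-dmz-1, while the substring search returns only the exact match; a substring search for "FIXME!" finds the comment that no address-aware search would.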

But sometimes what you are looking for may not be structured information. You may be interested in all uses of an interface name, specific text within macros or all mentions of “FIXME!” in comments. That’s where textual search comes in. With Playbook v1.2 you can now search all your rulesets using bo

VoIP Demystified: SIP
October 3 2008

This is the first in a series of posts covering VoIP.

There are two separate components to most VoIP implementations:

  • Signalling, which is communicating call setup and details. (Ex: SIP, H.323)
  • Session, which carries the actual media stream and conversation itself. (Ex: RTP)

There are also master/slave protocols that incorporate signalling, but directly control the client hardware or software. With this, the handset or softphone is a dumb terminal where keypresses are sent directly to the host which controls the display and indicator lights. Examples include Nortel’s UNISTIM, and Cisco’s Skinny Client Control Protocol (SCCP).

With this in mind, we can classify VoIP endpoint philosophies as follows:

  • Peer to peer - with more intelligence in the phone itself, and using SIP or H.323, the phone can negotiate and initiate calls on its own.
  • Dumb endpoints - calls are initiated and negotiated on behalf of the endpoint by the controlling host, the PBX.

In this post, I am going to be focusing on and attempting to distill the essentials of SIP, demystifying it for the security audience who wishes to work with it.