Comp327: Introduction to Computer Security
Blog and homepage for Rice's Comp327

Archive for February, 2011

HW3 due date update

Sunday, February 20th, 2011

It’s due Thursday night. The schedule was right. The homework page itself was mistaken. Sorry for any confusion.

Lessons learned the hard way: HBGary Federal’s Security Shortcomings

Wednesday, February 16th, 2011

Security companies are not invincible; they can fall prey to a security attack like any other company or individual. Humans work there, and those humans do not always follow good security practices. If you are in this class and you are not following the events that have unfolded with respect to HBGary Federal and Anonymous, you should be. These events have brought to light a number of interesting perspectives and details that don’t often show themselves to the public.

One of the interesting items that came out of this event was the anatomy of the attack. The initial attack that got Anonymous into HBGary Federal’s network is not unusual. In fact, this is a pretty standard MO that I have had to use during the course of a pen-test for organizations in the past: find one vulnerability, gain access, mine as much pertinent information as possible, dump users and hashes, crack the passwords, and then identify other hosts and assets in the network. Then re-use the information I have on those hosts. In general, it takes only a few short steps to own the network.

The first vulnerability they found was SQL injection in a public-facing web application. The silly part is that the development of the application was outsourced, and there was no validation of the application’s security. This vulnerability was not the nail in the coffin, though. The next major vulnerability was weak passwords and password reuse. Aaron Barr used a weak 6-letter password that was cracked using rainbow tables, and the nail in the coffin was his privileged (e.g. administrator) access to the e-mail appliance. This gave them access to the email of all the users on the appliance through password resets. There were other elements too, such as an unpatched server and social engineering, but the overall damage resulted from poor oversight and security evaluation of outsourced work, and then a poor choice of passwords by executives in the company.
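As an added illustration that is not part of the original post, the following Python shows why a short, unsalted password hash falls to a precomputed table and how a per-user salt plus an iterated KDF makes such a table worthless. It scales the table down to 2-character passwords so it runs in a moment; the table builder, salted store and verify functions are all constructed here, not drawn from the incident.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed demo: a precomputed table over 2-character lowercase passwords stands
# in for a real rainbow table over 6-letter passwords (26**6 entries); the principle
# is identical, only the size differs.
ALPHABET = string.ascii_lowercase
DEMO_LENGTH = 2

def unsalted_md5(password: str) -> str:
    """The weak scheme: one deterministic digest per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def build_precomputed_table(length: int) -> dict:
    """Map digest -> password for every lowercase password of the given length.
    Built once, reused against every leaked hash: that is why precomputation pays."""
    return {unsalted_md5("".join(c)): "".join(c)
            for c in itertools.product(ALPHABET, repeat=length)}

def recover(table: dict, digest: str):
    """A single dictionary lookup recovers an unsalted password, or None."""
    return table.get(digest)

def salted_pbkdf2(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """The defensive scheme: per-user random salt plus an iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def store_salted(password: str) -> tuple:
    """Return (salt, digest) as a password database would store them."""
    salt = os.urandom(16)
    return salt, salted_pbkdf2(password, salt)

def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a recomputed digest with the stored one."""
    return hmac.compare_digest(salted_pbkdf2(password, salt), stored)

def salt_defeats_table(password: str) -> bool:
    """The same password stored twice yields two different digests, so no table
    keyed by password alone can be precomputed; each salt would need its own."""
    _, d1 = store_salted(password)
    _, d2 = store_salted(password)
    return d1 != d2

if __name__ == "__main__":
    table = build_precomputed_table(DEMO_LENGTH)
    print("unsalted md5 of 'qz' recovered as:", recover(table, unsalted_md5("qz")))
    print("salt defeats precomputation:", salt_defeats_table("qz"))
```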

I hope that all of you take time to read over and review the following article, because it serves as a very educational episode.

Anonymous speaks: the inside story of the HBGary hack

Security Topics: Social Engineering – Practical Applications

Tuesday, February 15th, 2011

Currently in the course we are dabbling in social engineering. This topic is usually the least technical but the hardest to execute successfully, due to the amount of homework the attacker has to perform on the target before execution. It is more of a combination of psychology, sociology, and a little of “The Art of War” mixed together with some dumpster diving. There are degrees of success after execution, though most of the time this attack is used for intelligence gathering to defeat a physical or technical defense. Recently this attack has proven to yield significant gains.

Proof of how much you can get by this type of attack is the current attack that has affected one company. To keep search engines off this blog and to keep this discussion educational, the players will be Actor, Corp X, and Attacker Y.

The story starts with an Actor for Corp X doing research into Attacker Y using social sites. One day a news outlet interviews Actor. During this interview Actor decides to state that he has the leaders of Attacker Y and that later on down the road he will be turning those people over to a three-letter agency. Attacker Y finds out and is not too happy, so they get access to Actor’s personal web site by social engineering an e-mail to reset the password to the system and open up a port. This did break the policy of the company where the web site was being hosted. To gain access to Actor’s company website, it looks as though there was an XSS issue. This allowed Attacker Y to gain access into the company while using Actor’s password from his personal web site.

Right now the biggest takeaway, which needs to be taught to anyone who has accounts across multiple computer systems, is password reuse. This was first thought to be a small problem, but after this massive data breach, it has proven to be a bigger problem.

The other issue from this will be how the law of the land will handle Attacker Y and Actor for their actions. This is a good subject for debate and learning, though the story is not finished.

Now to read up on the story:
The beginning  
Act 1  
Act 2
The biography
The Conversation
The list of pawns

Hacking the internet. All of it

Monday, February 14th, 2011

Researchers at the University of Minnesota have come up with a botnet attack that could theoretically take down a large portion of the internet. It is a scalable distributed denial of service attack that exploits the way routers send out BGP (Border Gateway Protocol) updates. It basically involves using the botnet to send out a ton of BGP updates saying that a given router is dead, causing the other routers connected to it to recalculate the routes for packets. As more and more routers are affected, the amount of computation each router has to do would skyrocket, causing each router to have more updates than it could handle. Apparently the attack is unlikely because the malicious people with the technical knowledge to do it would be motivated by profit and have little interest in a DoS attack. Here’s the link to the article: link