Social Engineering: BP leaking more than Oil

Richard Marcinko, founder of SEAL Team Six, believed in hard, realistic training. “The more thou sweat in training the less thou will bleed in combat.” was one of his favorite sayings. He wanted his training exercises to mimic what happens in real life. It seems that a recent contest at Defcon may have been taken from a page of Marcinko’s training manual.

According to an article on The Register, a two day social engineering contest was set up in which contestants called ten industry leading companies and tried to trick them into giving up information about their internal networks. Contest organizer Chris Hadnagy, Operations Manager of Offensive Security (well known for creating BackTrack 4), said, “We assumed that if we can make a person open up their browser, tell us the version of their browser they had, and then visit a website, in essence if we were malicious, terrible hackers, we could have driven them to a site that had some kind of malicious file on it and that most likely the person would have downloaded it and accepted the malicious file.”

Companies including Cisco, Microsoft, Apple, Pepsi and Coca-Cola were called dozens of times, and the callers struck out only three times. Contestant Josh Michaels was very successful in obtaining information from BP Oil. According to the article:

“With just two phone calls, entrant Josh Michaels managed to dupe a computer support employee at BP into spilling details that could have proved crucial in launching a network attack against the global oil company. The information included what model laptops BP used and the specific operating system, browser, anti-virus and virtual private network software the company used.”

Michaels even tricked the employee into visiting a social engineering site. “That was scary,” Michaels said as he hung up the phone. Scary indeed, humans will always be the weakest link in security.

How do you defend against these types of attacks? It is very tough, because people naturally want to help someone in a bind. A policy on giving out system information needs to be written down and posted where employees will actually see it. Documentation that “employees” can be pointed to on an internally accessible system helps too: a real colleague can read it there, and an outside caller cannot. Often, simply saying that you need to check on something and asking the suspicious caller for a phone number so you can call them back will end a social engineering attempt, especially if you call back through a number you look up yourself rather than the one the caller offers.

Half of Home Routers Vulnerable to DNS Exploit

The Black Hat Security conference is going on now in Vegas. Scanning through the list of presentations, this one really stood out: “How to Hack Millions of Routers”. According to the description, “This talk will demonstrate how many consumer routers can be exploited via DNS rebinding to gain interactive access to the router’s internal-facing administrative interface.”

The DNS rebinding attack has been known for a while, but it looks like Craig Heffner has found a new spin on it. According to a Forbes article, an attacker places a malicious script on a web page whose domain the attacker controls, including its DNS. After the page and its script have loaded, the domain is re-resolved so that the page’s host name now points at the IP address of your router. The browser’s same-origin policy is keyed on the host name, not on the IP address it resolved to, so the script is now allowed to read from and send requests to the router’s web interface as if it were part of the page’s own site, including attempting to log in to it.

Which routers are susceptible to this attack? Oh, a few, and you probably recognize their names: “Confirmed affected routers include models manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense.”

Also at the conference, Heffner is going to release a tool that automates the attack: “A tool release will accompany the presentation that completely automates the described attack and allows an external attacker to browse the Web-based interface of a victim’s router in real-time, just as if the attacker were sitting on the victim’s LAN.”

That’s awfully nice of him, isn’t it?

All right, so what do we do? An article on Notebook.com recommends changing your router password to a very complex one, upgrading your router’s firmware to the latest version, and avoiding questionable sites. The password matters more than it sounds: rebinding only gets the attacker’s script in front of the router’s login page, and it is a default or weak password that turns that into control of the device. I would also add that you should check for firmware updates frequently. As router companies scramble to patch this, yours may not be updated against the threat yet. Note too that turning off remote administration does not help here, because the requests come from a browser inside your own LAN.
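To make the mechanism in the Forbes summary and the defenses above concrete, here is a small model of the attack written for this post. It is not the tool from the talk and it does not reproduce the talk’s particular variant; it models the classic form (an attacker DNS server whose TTL-0 answer changes between queries) and then shows the two places a defense can sit: a resolver that refuses private-range answers for public names (the idea behind dnsmasq’s stop-dns-rebind option) and a router that validates the Host header. The domain, addresses and router behaviour are constructed, and nothing here touches a real network.

```python
"""Model of DNS rebinding against a router's web UI, plus two defences.

Constructed example written for this post; the domain, addresses and router
behaviour are made up and nothing here talks to a real network. It models the
classic form of the attack (a TTL-0 answer that changes between queries), not
the specific variant presented in the talk."""
import ipaddress
from collections import deque

ATTACKER_HOST = "evil.example"            # attacker-controlled domain (constructed)
ATTACKER_IP = "203.0.113.10"              # attacker's web server (constructed)
ROUTER_LAN_IP = "192.168.1.1"             # victim's router (constructed)
ROUTER_HOSTNAMES = {"192.168.1.1", "router.local"}  # names the router expects in Host:

# Ranges a rebinding-aware resolver refuses for answers about public names
# (the idea behind dnsmasq's --stop-dns-rebind); loopback is included because
# 127.0.0.1 reaches services on the victim's own machine.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


def rebinding_answers():
    """Attacker's authoritative DNS: the first answer is the real server so the
    page loads; with TTL 0 the browser asks again, and then gets the router."""
    return deque([ATTACKER_IP, ROUTER_LAN_IP])


def resolve(answers, name, block_private=False):
    """Stub resolver. With block_private it drops private answers for public names."""
    if name != ATTACKER_HOST:
        raise LookupError(f"no such name: {name}")
    ip = answers[0]
    if len(answers) > 1:
        answers.popleft()                 # TTL 0: the next query gets the next answer
    if block_private and is_private(ip):
        raise LookupError(f"rebinding blocked: {name} -> {ip}")
    return ip


def same_origin(a, b):
    """Browser same-origin policy: (scheme, host, port) only, never the IP."""
    return a == b


def router_admin(dst_ip, host_header, validate_host=False):
    """The router's web UI. Without Host validation it serves the admin page to
    anything that reaches its LAN address, whatever name the browser used."""
    if dst_ip != ROUTER_LAN_IP:
        return None                       # request went somewhere else
    if validate_host and host_header not in ROUTER_HOSTNAMES:
        return "403 bad Host header"
    return "200 admin page"


def run_attack(validate_host=False, block_private=False):
    """Simulate the victim's browser loading the attacker's page and then the
    page's script fetching http://evil.example/ again."""
    answers = rebinding_answers()
    page_origin = ("http", ATTACKER_HOST, 80)
    try:
        first_ip = resolve(answers, ATTACKER_HOST, block_private)
    except LookupError as err:
        return f"dns refused: {err}"
    if first_ip != ATTACKER_IP:
        return "page never loaded"
    # The script's request carries the same (scheme, host, port), so the browser
    # allows it and lets the script read the response.
    if not same_origin(page_origin, ("http", ATTACKER_HOST, 80)):
        return "blocked by same-origin policy"
    try:
        second_ip = resolve(answers, ATTACKER_HOST, block_private)
    except LookupError as err:
        return f"dns refused: {err}"
    return router_admin(second_ip, host_header=ATTACKER_HOST, validate_host=validate_host)


if __name__ == "__main__":
    print("no defences:       ", run_attack())
    print("Host validation:   ", run_attack(validate_host=True))
    print("resolver filtering:", run_attack(block_private=True))
```

Running it prints the admin page for the undefended case, a 403 when the router checks the Host header (the browser sends the attacker’s host name, which is not a name the router answers to), and a refused lookup when the resolver drops the private answer. Note that the resolver filter is only a partial defense: it would not stop a variant that rebinds to the router’s public WAN address, which is one reason the Host check on the router side is the more robust of the two.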

The End of IPv4 Addresses and Free IPv6 Certification

2012 may truly mark the end of the world. Well, the end of the IPv4 world, that is. Some say it doesn’t even have that long. According to a new Fox News article, there are only enough unallocated IPv4 addresses left for about 340 more days of growth.

Here is the problem. TCP/IP is the protocol suite computers use to talk to each other and to communicate over the Internet. Each computer or device must have a unique address so that the others can reach it.

When IPv4 was designed, its address space (about 4 billion addresses) looked like more than enough. With the explosive growth of connected devices these addresses have been devoured. IPv6 was defined as a standard in 1998 to remedy the problem.

IPv4 uses 32 bits for addressing, while IPv6 uses 128 bits. This allows for extraordinary growth. How much growth, you say? Well, IPv4 allows about 4 billion (2^32) addresses; IPv6 allows for 2^128, which is 340,282,366,920,938,463,463,374,607,431,768,211,456, or roughly 3.4 × 10^38!

That’s a lot of addresses! A security instructor once said that he thought that was roughly the number of grains of sand on the planet. This should allow for us to connect all the world users, their phones, fridges, cars and hair care products. For more information see Wikipedia.

Okay, on to the free IPv6 certification. Many IP professionals have put off learning IPv6 for a long time. Well, the time draws near, and it is time to learn it if you haven’t already. Hurricane Electric, an Internet backbone and co-location provider, offers free IPv6 certification and training. (From their web site:)

Welcome to the Hurricane Electric IPv6 Certification Project. This tool will allow you to certify your ability to configure IPv6, and to validate your IPv6 servers configuration.

Through this test set you will be able to:

  • Prove that you have IPv6 connectivity
  • Prove that you have a working IPv6 web server
  • Prove that you have a working IPv6 email address
  • Prove that you have working forward IPv6 DNS
  • Prove that you have working reverse IPv6 DNS for your mail server
  • Prove that you have name servers with IPv6 addresses that can respond to queries via IPv6
  • Prove your knowledge of IPv6 technologies through quick and easy testing

Check it out!
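The reverse DNS item in that list is the one people most often get wrong, because IPv6 reverse names are built from all 32 hex nibbles of the expanded address, reversed, under ip6.arpa, and a mail server that only resolves a name forward will happily accept a host that merely claims an address. The following example, written for this post and not part of the Hurricane Electric test suite, builds the ip6.arpa name and then performs the forward-confirmed reverse DNS (FCrDNS) check a receiving mail server does. The zone is a constructed in-memory stand-in for real DNS (2001:db8::/32 is the IPv6 documentation prefix), so it runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for an IPv6 mail server.

Constructed example written for this post, not part of the Hurricane Electric
test suite: the zone below is an in-memory stand-in for real DNS (2001:db8::/32
is the IPv6 documentation prefix), so this runs offline."""
import ipaddress


def ip6_arpa_name(addr):
    """Reverse-pointer name for an IPv6 address: all 32 hex nibbles of the
    fully expanded address, reversed and dot-separated, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed records keyed by (owner name, record type).
ZONE = {
    ("mail.example.net", "AAAA"): ["2001:db8:1::25"],
    (ip6_arpa_name("2001:db8:1::25"), "PTR"): ["mail.example.net"],
    ("web.example.net", "AAAA"): ["2001:db8:1::80"],
    (ip6_arpa_name("2001:db8:1::80"), "PTR"): ["web.example.net"],
    # Claims the mail server's address, but no PTR record points back at it.
    ("spoof.example.org", "AAAA"): ["2001:db8:1::25"],
}


def lookup(name, rtype, zone=ZONE):
    """Case-insensitive record lookup; a trailing dot on the name is ignored."""
    return zone.get((name.lower().rstrip("."), rtype), [])


def fcrdns(addr, zone=ZONE):
    """Hostnames whose PTR for addr is confirmed by a AAAA back to the same address.
    Addresses are compared as IPv6Address objects, so '2001:0db8:1:0::25' and
    '2001:db8:1::25' count as the same address."""
    ip = ipaddress.IPv6Address(addr)
    confirmed = []
    for host in lookup(ip6_arpa_name(addr), "PTR", zone):
        forward = [ipaddress.IPv6Address(a) for a in lookup(host, "AAAA", zone)]
        if ip in forward:
            confirmed.append(host)
    return confirmed


def helo_trusted(helo_name, addr, zone=ZONE):
    """A receiving mail server's check: the HELO name must resolve to the
    connecting address, and that address's PTR must point back to the name."""
    name = helo_name.lower().rstrip(".")
    ip = ipaddress.IPv6Address(addr)
    forward_ok = ip in [ipaddress.IPv6Address(a) for a in lookup(name, "AAAA", zone)]
    return forward_ok and name in fcrdns(addr, zone)


if __name__ == "__main__":
    print(ip6_arpa_name("2001:db8:1::25"))
    print(fcrdns("2001:db8:1::25"))                             # ['mail.example.net']
    print(helo_trusted("mail.example.net", "2001:db8:1::25"))   # True
    print(helo_trusted("spoof.example.org", "2001:db8:1::25"))  # False
```

The spoofed host passes a forward-only check (its AAAA really does point at the mail server’s address) and fails FCrDNS, which is exactly why the certification wants the PTR for your mail server in place and pointing at a name that resolves back.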

Sophos creates free Tool to Defend against Windows Shortcut Exploit

Scrambling to protect your systems from the latest Windows zero-day shortcut exploit? What if your anti-virus doesn’t protect against it? The anti-virus company Sophos has created a tool to defend against the USB shortcut exploit.

The free Sophos tool installs a new icon handler for Windows shortcuts. Whenever Windows tries to display the icon for a shortcut, the new icon handler intercepts the request and validates the shortcut file. If the shortcut does not contain the exploit, control is handed back to Windows.

The nice thing is that if your current anti-virus vendor doesn’t protect against the exploit, the Sophos Windows Shortcut Exploit Protection Tool can run alongside it to make sure your system is protected. Treat it as a stopgap, though: a third-party handler covers the icon-rendering path it hooks, and the real fix is the vendor patch once it ships.

And the Sophos Windows Shortcut Exploit Protection Tool (maybe they should have come up with a shorter name?) is a piece of cake to install. The tool can be installed and uninstalled easily and quickly. Administrators can run the installer package on the computer, and network administrators can push the installer package via Group Policy.

Check out the Sophos blog for more information.