Ubuntu Guest Security Follow Up

Ubuntu guru Adam from ‘DT’s Guide to Life and Linux’ has posted a great follow up to our article ‘Ubuntu Decreases Security and Calls it a Feature?’

In the article, Adam shows that it is possible to get a remote shell if someone using the guest Ubuntu session does not practice safe surfing techniques. He also explains that even if remote access is gained the account really is locked down pretty well. Adam is a great guy, extremely knowledgeable about Ubuntu, and his article (and blog) are well worth your time.

Check it out:

Lately there has been a lot of hullabaloo about the Ubuntu Guest Account seen in Oneiric; though it’s been around for a while, the feature has become much more visible. As such it has a lot of people having bad flashbacks from the Windows NT series Guest account. An interesting article written by Dan Dieterle at Cyber Arms addresses some of those concerns, and makes a valid point regarding a Social Engineering attack or some form of remote browser exploit.

The article warns users that a guest user could become the victim of a social engineering attack that leads to remote compromise; also scary is the fact that Firefox 7.0.1 POC exploit code has recently been released into the public that allows for remote compromise of the browser. What we’re going to explore here is, in the event this happens, what protections this account offers, and whether it is in fact a security liability. The Guest Session account, in case you do not know, does not require a password to access. For this discussion we will be using the Social Engineering Toolkit Java Applet vector that was discussed in Dan’s article, though it’s important to know a remote shell is a remote shell. For the “victim” machine we will have a fully patched Ubuntu 11.10 install, with a default configuration of UFW enabled. I’m not going to bother with AV for two reasons. One, AV on Linux sucks (particularly the free products), and two, our shell will never hit the hard drive so there is really nothing for AV to find here.

Continue Reading…


Water Utilities Hacked, End of the World Imminent

By now you probably have heard about the Water Utilities that have reportedly been hacked.  But is this the advanced uber world ending SCADA cyber attack that we have all been warned of? You know, the one that ends life as we know it and sends us back to the stone age? No, hate to disappoint, but it is not.

Then, what is it?

“This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this. I’m sorry this ain’t a tale of advanced persistent threats and stuff, but frankly most compromises I’ve seen have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint.”

Says hacker “Pr0f” in an e-mail interview with Threat Post. Pr0f allegedly hacked into a South Houston Water plant after becoming frustrated with reports that surfaced after the Illinois Water Plant was attacked:

“My eyes were drawn, nay, pulled, to a particular quote:

‘In an email sent several hours after this article was first published, DHS spokesman Peter Boogaard wrote: “DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”’

This was stupid. You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely F***** the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done.”

Pr0f said in a post on Pastebin that included pictures allegedly from the South Houston Water Plant (one is used as the graphic for this post, as posted on The Register).

In the Threat Post article, Pr0f claims to have used a “scanner that looks for the online fingerprints of SCADA systems.” Shodan, dubbed the “Google for Hackers,” comes to mind. Just surf to Shodan’s website and you are greeted with, “Expose Online Devices. Webcams. Routers. Power Plants. iPhones. Wind Turbines. Refrigerators. VoIP Phones.”

Power Plants? That is kind of unnerving. But anyone who has used Shodan knows that with the right keyword search many unsecured or lightly secured systems can be found. Pr0f claims that the South Houston site was protected by a three letter password!

This brings up numerous questions that must be asked and answered:

  • Why are public utility systems found through simple online searches that are completely or lightly protected? Especially after years of warnings of possible hacker attacks?
  • Why haven’t Federal agencies used the same search engines to look for open utilities and locked them down? Does the Federal Government even have a “Red Team” to do this?
  • Why would utilities themselves (again after several years of warnings) use a three character or easily guessable password to secure systems available online? Aren’t there rules set for password length and complexity for public utilities?

The press seems to be making this out as the missing link of cyber attacks: the proof needed that an “End of the World” attack is not only possible, but imminent. But so far, the proof available seems to show that this is nothing of the sort.

The closest call that I have ever heard of had nothing to do with hackers. Working in the Oil & Gas sector for a while I heard a nuclear power plant executive engineer tell a harrowing story.

A while ago, an engineer was looking for a gas leak near a Nuclear Power plant control room. He was in an area that has ALL the wires running through it that enter into the control room. He caught the room on fire, but they were able to put it out in time before any wires or controls were damaged.

How did he do this? He was using his lighter as a light to find the gas leak!

Our infrastructure will be much safer if and when utility providers are held to secure their systems, are checked and tested for security regularly and all lighters are banned from vulnerable areas!

25 Passwords NOT to use on the Internet

Are you using the password “password” or “123456”? If so congratulations! You are using one of the top two worst and easiest to guess passwords on the internet!

Splashdata creates an annual list of the worst passwords to use on the net and here are the top 10 for 2011:

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
  10. dragon

If you are using any of these or the other 15, change them now.

This is very interesting, but how does this compare to lists that have been released from actual hacker attacks? Surely no one would use ‘password’ or ‘123456’ as a password in real life. Or would they?

Last year the Wall Street Journal released a list of the top 50 passwords pulled from the Gawker Media hack. Gawker Media runs numerous websites including the popular Lifehacker and Gizmodo sites. The hackers publicly posted a list of user names, e-mail addresses, and, you guessed it, passwords.

The top 10?

  1. 123456
  2. password
  3. 12345678
  4. lifehack
  5. qwerty
  6. abc123
  7. 111111
  8. monkey
  9. consumer
  10. 12345

And if we expand the Gawker password list to include ranks 12 – 14 we also get:

  12. letmein
  13. trustno1
  14. dragon

Do you see any passwords that match between those two lists? How about most of them…

The majority of these make sense, common keys next to each other, and common phrases, but what is up with “monkey” and “dragon”?

The best bet when creating a strong password is to use a long, complex sequence of upper and lowercase letters, numbers and symbols. Something like:

[P1ckledP!gsF@@T&4aM]

Also, don’t use the same password for several sites, or use your work passwords at home. Using complex passwords will go a long way in securing your online activities.