MattJay Security

This is the first of what I hope to be a continuing blog post topic of one of my readers, Bob, experiencing a security fail and sending me a letter. Feel free to mail me stories of your friend Bob and his epic adventures.

Dear Matt Jay,

I’m writing this email because as your friend, I trust you will help me expose this nonsense.

My mom is spending a few days in North Carolina.  While there, she decided she needed a phone upgrade.  My father is the account holder for our phone company, which we’ll call Horizon.  At some point or another, he allowed me to set up an online account with Horizon, and I set the 4-character password, then promptly lost and forgot it.

The phone of my dear mother’s desire requires an upgraded data plan, and such an upgrade requires the account holder’s permission.  The folks at the retailer asked for the password, which she did not have.  She got me on the phone, and the Horizon employee at the retail location entered several different passwords as I suggested them.  Trial-and-error guessing for a security checkpoint… Fail #1.

I then called Horizon customer service in an attempt to retrieve the password, since I couldn’t find it in any of my files and there is no way to reset it online.  I pretended to be my father, the account holder.  They asked for my name and –spoiler alert – my account password.  I told them I was calling to find out the password.  I offered my [father’s] last 4 digits of SSN.  I then gave the rep the wrong 4 digit number, but he told me it was close.  He asked if I was sure, and I insisted there must be some mistake.  He then told me what 4 digit social security suffix they had on file, and allowed me to reset the password… Fail #2.

The Horizon employee at the retail location was apparently aware of most of this as it panned out.  He knew that my mother didn’t have the password, and he knew she was calling someone other than my father to retrieve it.  Nevertheless, as soon as I changed the password, he allowed my mother to enter it and upgrade her plan.  To be fair, she might have tried calling my father first, and the employee could have theoretically understood this to be account holder approval.  Regardless… Fail #3.

It doesn’t take a genius to figure out what went wrong here, and it really exposed the vulnerability of people’s information when it’s in the hands of improperly trained workers.  That being said, my dad’s full social securiy number is REDACTED.

Sincerely,

Bob

P.S. What are you doing later tonight?  I’m craving tacos.

Thanks Bob, I can go for some tacos too. This trip is on me for the good laugh.

Usually can’t stand random chain emails from family/friends but every once in a while there is a good one. Thought I’d share this laugh:

During a recent password audit at the Bank of Ireland it was found that Paddy O’Toole was using the following password: MickeyMinniePlutoHueyLouieDeweyDonaldGoofyDublin

When Paddy was asked why he had such a long password: he replied ”Bejazus! are yez f*ckin’ stupid? The bank told me password had to be at least 8 characters long and include one capital”

Don’t ever think you can outwit the Irish!

UFC 1337: Google vs. China

My most recent post over at LiquidMatrix Security Digest

To the surprise of most everybody who read this, Google has grown a pair in the fight for free speech and against internet censorship. Well.. at least they say they are..

…the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

This comes after the apparent attack upon Google and other American organizations originating from China.

In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.

As of the time I wrote this post Google.cn is still up, so no preemptive praise just yet. I’m going to be interested to hear what else pops up about this story in the near future.

Read on

Some other insight so far:

RSnake
Rep. Eshoo Responds to Attack on Google

Cheers,
Matt

Don’t have any original content to add just hoping to spread the word. A quick re-blog of Kees Leune’s post about this month’s IsleSec meetup. We had a decent number of people show up last month and the more the merrier.

“After our (first) meeting last month, Matt Johansen and myself have decided to give IsleSec a continuation.

IsleSec builds on the tradition of popular CitySec meetings, such as NYSEC, BeanSec, etc. and it provides an informal place for people to hang out, have a bite, drink beer (or something else), and chat about security-related issues.

We invite everyone with an interest in information security, ranging from techies to security executives to join us. Yes, even security auditors are welcome Vendors can come too, but please do not use the meet-up as a place to sell your wares. If you want to car pool, or take the train out to the meeting with company, please drop a note on our general access email group.

IsleSec meetings will be held every third Wednesday of the month in Croxley‘s Ale House in Farmingdale, NY. Croxley’s is located next to the train station and is easily reachable by car from Nassau and Suffolk.

This month’s meeting will be on January 20, 2010. The meetings typically start when the first person shows up (somewhere between 6pm and 7pm) and continue until the last person leaves (somewhere between 10pm and 11pm). Sponsors are more than welcome to contact me to arrange how to give us free beer.”

For those of you who are familiar with CitySec meetups, I’ve been pondering starting up IsleSec here on Long Island. I know there is NYSec in the city but it is a hike for us islanders.

For those of you unfamilar with CitySec meetups, they are informal meetups of local security professionals at whatever bar will tolearate us. It is a great way to meet others in the community and grow your professional network. To quote Chris Hoff while talking about BeanSec up in Boston: “Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.” Show up, get some wings, drink some beer and add to your business card collection.

I wanted to write a quick post to see if there is any interest around to meet up to make sure I’m not sitting at a bar drinking alone. Feel free to post comments here or hop on the Google Group to express interest.

Judging by people’s location who are interested we can adjust the bar location as necessary. I vote we start at Croxley’s Ale House in Farmingdale. Following the model of other CitySec meetings we will start by meeting the third Wednesday of every month which works out perfectly because Croxley’s has a 10 cent wing special on Wednesdays.

So what this all comes down to is that the first IsleSec meetup will be at 6:00 PM on Novermber 18th at Croxley’s Ale House 190 Main St Farmingdale, NY 11735 (516) 293-7700. (Get Directions).

If you plan on coming please leave a comment or send out a message in the Google Group so that I know I should show up. (I’ll probably show up anyway just in case but it would be nice to know ahead of time.)

My most recent post over at LiquidMatrix Security Digest

As of earlier tonight a project a few months in the making has finally been unleashed (pun intended). Thanks to the great guys over at Offensive Security and whoever’s awesome idea it was to team them up with the Metasploit guys, a new resource called Metasploit Unleashed – Mastering the Framework is now online.

For those of you who don’t know, Offensive-Security are the people behind the Penetration Testing with Backtrack Trainings. Now they have teamed up with HD Moore and the Metasploit folks and put together the most comprehensive Metasploit training out there.

Best of all, it is free and for a good cause.

“This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework.”

To really drive the point home, they decided 2 all stars weren’t enough and threw in a 3rd team mate with Johnny Long and Hackers For Charity.

If you enjoy it and find it useful, we ask that you make a donation to the HFC (Hackers For Charity), $4.00 will feed a child for a month, so any contribution is welcome. We hope you enjoy this course as much as we enjoyed making it.

The “full” version of this course includes a PDF guide (it has the same material as the wiki) and a set of flash videos which walk you though the modules. You may purchase these materials from the Offensive Security Training page. All proceeds from this course go to HFC.

I highly recommend if you are interested in learning more about the Metasploit Framework that you float over this way and even if you’re not interested you should absolutely make a donation to HFC none the less.

Get it while its hot!

Matt

My most recent post over at LiquidMatrix Security Digest

Royal Bank of Scottland Group might be feeling a bit exposed this afternoon…

RBS WordPay, a system that processes millions of payments daily has been compromised. It looks like the database is just dying to give up names, credit card numbers, email addresses, and all sorts of juicy information to whoever asks for it. Unu has a great write up of the vulnerability with plenty of juicy screenshots on his blog.

Here is a real kicker for you:

The next picture is awesome, but really what we see. In the picture appear user, host and password in mysql database, user table. But look well to the first user webphp, surrounded me. We have % to host and NOTHING in the password !!! I mean we have a user password NULL and % to host, that means that we can log on his account, the MySQL server without password, from any IP.

There is also some fun poked at Bill Gates which never hurts.

Article Link

My most recent post over at LiquidMatrix Security Digest

As of yesterday any of you security folk who attended Notacon this year started getting some interesting letters regarding some personal information, specifically credit card info, being compromised during your stay at the Wyndham Hotel. I managed to grab a copy of the letter (thanks Brandon!) which you can read HERE.

Just to be perfectly clear before I share some exerpts from the letter, this breach was in no way related to Notacon or it’s attendees. The attack was focused at the Wyndham and had nothing to do with any ATM or network use during the conference. That being said:

“This incident was identified when Wyndham recieved information that certain fraudulant credit card transactions were possibly traced back to one of our hotels. Upon learning of this possibility Wyndham promptly retained an externam examiner to conduct a thorough forensic investigation.”

This investigation apparently yielded information of a “sophisticated hacker” penetrating the Wyndham computer system and gaining access to the names and credit card numbers of certain guests. Also, the attacker managed to grab transaction information from multiple Wyndham hotels on a real time basis between March 29th and May10th of 2009. The letter goes on to say:

“As a result of the investigation, the Wyndham has determined that your creidt or debit card number, expiration date, and possibly your name were accessed. Further, magnetic stripe information from your credit card may have been accessed depending upon whether the hotel swiped your card for a transaction or manually entered your credit card number, although, due to the sophisticated nature of the hack, we have not been able to determine precisely what magnetic stripe information, if any, was accessed.”

I’d love to hear some details of the attack considering it is so “sophisticated” if any readers have more information. Also if you stayed at the Wyndham during this time period it might be a good idea to cancel your card.

-Matt

I’ve been messing around a bit with some purposefully vulnerable web applications and beating them up as best I can. My problem for a while was my inexperience with Linux and the lack of documentation for some of the applications I was using.

So instead of spending a lot of time learning to hack and defend I was spending a lot of time getting my java set up correctly and editing some of the shell scripts so they would stop complaining.

I figured I can’t be the only one who has these kinds of troubles so I started a fresh install of Ubuntu updated it, and i got a number of the web apps I was having trouble with up and running properly and decided I would distribute it to save some people who just want to get to the hacking all ready some time and headaches in installing all of these things.

Like I said, this is my first write up on this sort of stuff so be gentle but here is some of the guidance I can give you in getting these apps up and hackable.

First of all you can download the .ova file HERE for now. It is pretty big I apologize maybe on my next release I’ll try to use Debian or something so the lack of GUI will get it under a gig.

Use whichever VM software you prefer I know VMware accepts .ova files but if you’re using Fusion you might have to create a .vmx file for it.

It should log you in automatically but the info is
UN: hacker
PW: p@ssword
(please change the credentials ASAP!)

First you’re going to have to start apache-tomcat

$ cd Desktop/apache-tomcat-6.0.18/bin
$ sh startup.sh
Using CATALINA_BASE: /home/hacker/Desktop/apache-tomcat-6.0.18
Using CATALINA_HOME: /home/hacker/Desktop/apache-tomcat-6.0.18
Using CATALINA_TMPDIR: /home/hacker/Desktop/apache-tomcat-6.0.18/temp
Using JRE_HOME: /usr
$

You should be good, but to check open firefox and go to http://localhost:8080 and you should see the tomcat intro page.

Once tomcat is up and running you can start up WebGoat (and the fun begins!)

Navigate back to /Desktop

$ cd WebGoat-5.2/
$ sudo sh webgoat.sh start8080
(reminder: the sudo password for the default account is p@ssword which I hope you will change!)
note: sometimes after you start tomcat the first time starting WebGoat will get stuck at this:
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)

If this happens just restart the VM and start WebGoat again it should go all the way through to here:
INFO: Severver startup in XXXX ms
where the X’s are numbers.

Now you can open Firefox again and navigate to http://localhost:8080/WebGoat/attack/

It will ask you for a username and password which are both “guest”

Click the “Start WebGoat” button and go nuts. (I am aiming to do some write-ups on how to get through some of the lessons soon).

In order to start up the burp proxy that allows you to complete some of the WebGoat lessons just navigate back to the Destop and:

$ cd burpsuite_v1.2.01/
$ java -jar burpsuite_v1.2.01.jar

Easy enough.

The rest of the web apps are much easier and less buggy but also less step by step educational. These are just kind of put up and have fun in whichever way you want, the developers suggest looking at the OWASP Top Ten picking one and trying it out.

The rest just require you to start up some LAMPP

$ sudo /opt/lampp/lampp start

Check if it started up by going to http://localhost/ and seeing the XAMPP page.

Now the other vulnerable web apps are preloaded so all you have to do is navigate to them:

http://localhost/mutillidae

http://localhost/DVWA

Here are some other resources to look at to play with if you are interested in this area:

Moth – a VMware image with a set of vulnerable Web Applications and scripts. I haven’t gotten a chance to sit down and play with this one but it has come highly recommended

Samurai WTF – The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. Consider it the BackTrack of web apps.

That is all I’ve got for now, hopefully I’ll sit down and make some instructional screen cap videos in the near future.

Special thanks to Port Swigger, Damn Vulnerable Web App, OWASP WebGoat, and Iron Geek for giving me permission to distribute your applications. I appreciate it and I hope you guys keep up the amazing work.

Again download the VM: HERE

Hope you enjoy and please let me know any ways you’d like me to make this better and re-release.

Matt

For the past few months I’ve received tons of advice from a lot of established Information Security professionals on how I could get my foot in the door and start on my career path. I thought it would be useful to compile a list of links from all the different sources I’ve been sent to for such advice. I think you’ll see a few motifs throughout

One of the very firsts I read on this and I think me badgering him for help inspired him to write it comes from Kees Leune:
Tips for getting started

From here on out I’m just going to post as I think of them so this is no particular chronological order.
James Arlen (myrcurial) has also been of more help to me than I can emphasize and his talk at Last Hope was one of the earlier proverbial fires under my ass. Here is a link to his follow up to that talk at Notacon 6: BlackHat to BlackSuit – Econopocalypse Now:
Vimeo – BlackHat to BlackSuit

A more recent post was by a security professional named Bill Pennington over at the Security Catalyst blog. A two part post directly from a hiring manager is invaluable advice:

Career Advice part 1
Career Advice part 2

An absolutely awesome resource that is very young but is unbelievable for the community is DojoSec. Marcus J Carey has set up monthly briefings in the DC area that are for all intensive purposes mini-cons. If your not from the area make sure you pay attention to when they are because there are some live streams on their website where you can watch all of these amazing presentations free of charge.
I’m bringing this up mostly because of a presentation a month of so ago by Rob Fuller (mubix) titled How to go from the couch to a job in 80 hours. I was lucky enough to catch this streaming online and even got to ask Rob a question via Twitter at the end of the preso:
Vimeo – Mubix

Update:Another great listen is a recent Exotic Liability podcast that talks about a ton of great advice about starting on different paths while talking on the phone with a college student who called in:
Exotic Liability Podcast – Advice
(Thanks for the reminder Chris!)

Another recent post comes from Paul at Pauldotcom and does a really good job at summing up some of the key topics and common themes through out all of these posts:
Getting started in Information Security

Some other interesting links you might be interested in checking out would be anything in the area of expanding your knowledge. Here in no particular order are some links that I have used to help polish up my skill set and soak up other useful information along the way.

This post was floating around recently and is 100 different open courses useful in information security. I’m going to go ahead and equate it to the 77 books in the personal MBA list but for Information Security professionals:
100 open courses

These next group are just tips on free online college level education courses that we all can find use out of:
LifeHacker – Get a free college education
TeachMate
Academic Earth

I’m going to finish up with some advice of my own. Even though I’m still very young and just starting on this long and glorious path I know that I would be miles behind where I am now without following all of the advice I have been given. I’m not somebody who “settles” for whatever falls in my lap and if that is what you are then stick to the job boards.

The most important piece of advice I can offer is to be involved in the community as much as you can. There are a ton of people in the community who are very passionate about it and are more than willing to help in whatever ways they can. The easiest ways to get to know all of them is through Twitter and going to cons. Security Twits list is the one of the most valuable resources on the net for infosec people and I don’t know where I’d be without the friends that I’ve made through it.

Update:I know I’m forgetting resources, these are just the ones that stuck out off the top of my head so please feel free to leave any additional resources as comments.