Jan26

H.323 “hacking” without coding in 2006

by Michael Farnum on January 26th, 2012 at 10:39 pm
Posted In: Security, Video Conferencing

Recently some news came out from NY Times and HD Moore where he was doing some targeted scanning and found a bunch of open H.323 videoconference systems open and ready for viewing. What he found was that a lot of these systems are deployed outside of the firewall on the Internet without any security and with auto-answer turned on, and these were sometimes installed in sensitive board rooms, etc. Then, along came some videoconferencing guy who said some of HD’s claims were bunk. Then Rapid7 and HD fired back, and yada, yada, yada (you can read a better run down here at Computerworld).

What I find funny about this is that this has been an issue for a long time. Back when I was an InfoSec manager, I put in a videoconferencing system in 2006 to facilitate some communication with a sister company. When we set it up originally, I found that there were a lot of issues with putting an H.323 device behind a firewall. NAT broke it pretty easily, and I ended up putting it on the outside of the firewall for a time when we needed to setup a session, and I tore it down immediately after (we ultimately setup a private T-1 between us so we would have no issues – there was some sensitive info going across the line in those sessions). But when I was getting it setup for the first time and doing some testing, I found that the Polycom unit I was using had some test sites already in the address book. So I connected to a few of those to make sure things were working. I even had folks on the other end try to connect to me (yes, there were people on the other side just kinda hanging out. In fact, there were a few sites where it was like, you guessed it, a Google+ hangout – it was kinda fun and weird at the same time).

But after discovering that, I decided to turn on a bit of Google-fu and see if there were other sites out there that were also open. And again, the answer was yes. Google linked to a lot of sites (like this one) that had a list of “test” H.323 locations ready for connection. But what I quickly found out was that many of these “test” units did not seem to be for testing purposes at all (or maybe they had been at one time but someone forgot to secure them after they had been repurposed to a “real” site). Many were companies that often had these VC units setup in sensitive areas. Some of these had their audio and connected TV’s turned on, and people in the room would notice when a connection occurred. But very often i found that some had their audio and TV’s turned off, or the folks in the room ignored the connection signal. Basically, what HD said here:

…we did prove that most VC equipment provided little or no warning when an attacker dialed into the system. In most cases, the television set is off unless a call is expected. If the television is off, there is little indication that a call is in progress. The reason for this is two-fold;

First – the base unit, not the camera, is usually what has an indicator that turns on when a call is in progress. The base units are often stashed behind a cabinet, near the floor, or generally out of sight.

Second – newer cameras (specifically, the Polycom HDX series) are extremely quiet while being panned or zoomed and the only indication they provide is the direction they are facing. We conducted a “blind” test where the conference room VC unit was accessed during a Rapid7 general staff meeting. Twenty minutes into the meeting, nobody had noticed the camera swinging from the rest position to pointing at a participant’s laptop screen, zoomed in to capture his email and keystrokes.

After connecting to a couple of them and hearing and seeing snippets of very sensitive discussions and realizing that these cameras were very good at zooming into documents, I decided to stop it. I am kinda bummed that I didn’t write about it in my blog back then (at least I don’t remember doing so, and I can’t find it in my archives), but oh well. I didn’t do any cool coding like HD did, and I am pretty sure this would still be a problem today anyway.

So basically, HD is right, and the VC dude is wrong. This is a problem. I know. I have seen this first hand by my own actions. I heard things that I wish I would not have heard about (maybe that is why I didn’t publish anything back then). Not crazy guvment secrets or anything, but it still was information that I could have used to hurt folks or profit from if I was that kind of person.

So IT and security folks, take a look at your videoconferencing setups. Realize that there are a lot of bad settings turned on by default, so make sure you lock them down. Get them off the Internet. Pay attention to where they are located. This can cause you a big headache.

[UPDATE: After re-reading my post and after reading the first comment, I want to say something. I am not saying that HD didn't do something cool, and I am not trying to disparage his work in any way. HD uses code, and he does it very well. I don't have the mad skillz that he does, and putting those scans together is pretty dang cool. I am glad someone with his platform showed that this was an issue that needed to be addressed. I was merely trying to point out that the issue has been around for a while and that I found it in other ways that didn't involve coding.]

2 Comments
Jan06

Symantec’s latest statement on source code theft

by Michael Farnum on January 6th, 2012 at 8:02 pm
Posted In: Security

This is from a local Houston Symantec source, but is widely available to everyone. Current on date of posting. We’ll see what shakes out.

“Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is approximately six years old. Symantec’s own network was not accessed, but rather that of a third-party entity. This does not affect Symantec’s Norton products for our consumer customers. We are still gathering information on the details and are not in a position to provide specifics on the third party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time. Symantec recommends that users keep their solutions updated which will ensure protection against any new possible threats that might result from this incident. Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”

A blog post by @m1a1vet

└ Tags: , ,
 Comment 
Jan06

Security Lesson from A Mouse Story

by Michael Farnum on January 6th, 2012 at 5:46 am
Posted In: Rant, Security

I was going through some old blog posts, and one I found contained the following story:

Mouse Story

A mouse looked through the
crack in the wall to see the farmer and his wife open a package.
“What food might this contain?” The mouse wondered -
he was devastated to discover it was a mousetrap.
Retreating to the farmyard,
the mouse proclaimed the
warning.
“There is a mousetrap in the house! There is a mousetrap
in the house!”
The chicken clucked and scratched, raised her head and
said, “Mr. Mouse, I can tell this is a grave concern to you
but it is of no consequence to me.
I cannot be bothered by it.”
The mouse turned to the pig and told him, “There is a
mousetrap in the house! There is a mousetrap in the house!”
The pig sympathized, but said,
“I am so very sorry, Mr. Mouse,
but there is nothing I can do about it but pray.
Be assured you are in my prayers.”
The mouse turned to the cow and said, “There is a
mousetrap in the house!
There is a mousetrap in the house!”
The cow said, “Wow, Mr. Mouse.
I’m sorry for you,
but it’s no skin off my nose.”
So, the mouse returned to the house, head down and dejected,
to face the farmer’s mousetrap– alone.
That very night a sound was heard throughout the house –
like the sound of a mousetrap catching its prey.
The farmer’s wife rushed to see what was caught. In the
darkness, she did not see it was a venomous snake
whose tail the trap had caught.
The snake bit the farmer’s wife.
The farmer rushed her
to the hospital and she returned home with a fever.
Everyone knows you treat a fever with fresh chicken soup,
so the farmer took his hatchet to the farmyard for the soup’s
main ingredient.
But his wife’s sickness continued,
so friends and neighbors came
to sit with her around the clock.
To feed them, the farmer butchered the pig.
The farmer’s wife did not get well; she died.
So many people came
for her funeral, the farmer
had the cow slaughtered to provide enough meat for all of them.
The mouse looked upon it all from his crack in the wall with great sadness.
So, the next time you hear someone is facing a problem and think it doesn’t concern you,
remember –
when one of us is threatened,
we are all at risk.

I posted that back in 2006 (crap, I am getting old), and I said it had some security points. But the post also said that I was hungry when I was writing it (coincidentally, I am hungry right now also – huh, maybe I’m just always hungry…), so I didn’t break those down. Well fans, let me remedy that situation now. Here’s the lesson:

Your insecurity affects us all. If you know there is a security problem (whether that be by your own discovery or through someone else warning you), and you have the power to either fix it or influence someone who does have the power, then get ‘er done.

I know there are all kinds of caveats to that as far as risk, process, etc. But the raw edge needs to be there. Ignoring a problem does not make it go away. In today’s world of hactivism and hacking for hire, there are just too many attacks coming from too many angles. Test, fix, retest, fix, retest, fix, and so on. Stop screwing around.

This rant brought to you by @m1a1vet

 Comment 
Jan06

An Information Security Place Podcast – Episode 01 for 2012

by Michael Farnum on January 6th, 2012 at 5:04 am
Posted In: Security

 

Wow! 6 Months…and 2 job changes later, we are finally back to recording! YEAH!….Here the latest show from our intrepid hosts.

Show Notes:

InfoSec News Update –

  • The Hacker News Hacking Awards : Best of Year 2011 – Link Here
  • Japan’s Anti-Virus Virus – Link Here
  • Nginx (pronunciation: “engine-ex”) becomes #2 web server
  • Saudi hackers break into Israeli site – Link Here
  • 3 Surefire Ways to Tick Off an Auditor – Link Here
  • OWASP AJAX Crawling Tool – Link1 / Link2

Discussion Topic – 2012 Breach Report

  1. Care2 Discloses Breach; Company Has Nearly 18 Million Members – Link Here
  2. AntiSec hit California and NY Law Enforcement Sites – Link Here
  3. Anonymous Nabs 50,000 Credit Card Numbers From Security Think Tank – Link Here

Music Notes:Special Thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

Tour Dates:

  1. Jan 6 – Dallas – Curtain Club
  2. Jan 27 – Dallas – Trees
  3. Jan 28 – Dallas – Trees
  4. Mar 2 – Dallas – Curtain Club – 7th Album CD Release Party
  5. Mar 3 – Houston – BFE Rock Club
  6. Mar 24 – Fort Worth – The Rail Club
  7. May 5 – Dallas – Renos Chop Shop

Intro – RivetHead – The 13th Step”

News Bed – RivetHead - “Beautiful Disaster”

Discussion Bed – RivetHead - “Difference”

Outro – RivetHead – “Zero Gravity”

Link to MP3

 Comment 
Dec29

Quit publishing my info. I said stop! Now!

by Michael Farnum on December 29th, 2011 at 12:50 am
Posted In: Privacy, Security

My wife and I homeschool, so we include our kids in a lot of extracurricular “stuff” to hopefully keep them well-rounded. One of the things my oldest son does is take a Lego engineering class at a small local school that caters to homeschoolers.

Last year, when we first signed up for the school, we found out that they published a report on the Web that listed the personal information (names of parents and kids, emails, street address, phone numbers, etc.) of all the families of the attendees. This was meant to be a resource for the attendees of the school, which is somewhat understandable since the homeschool community is fairly close knit. But when I saw that our info was included by default, AND that the report was secured by just a password, AND that password was emailed to everyone on the list, I kinda freaked a bit. So my wife sent out an email requesting that our info be pulled from the list.

I honestly expected a fight of some kind since I have seen small groups like this that just don’t get security and that a password just ain’t enough, but I was pleasantly surprised to find that they complied immediately with the request. All’s fixed, right? Well, it was for a few months. Now they are publishing a new list. But no big deal, right? We’ll just request to be removed again, right? Nope. Now they are acting as I expected them to last year. They are pushing back because, in their words, “they don’t have the time to reformat the report”. In fact, the email response in general was completely rude.

So I thought I would send off an email to them with a little bit of attitude of my own.

As to the matter of this directory, the last time the database was published, My wife and I were given the option of having our personal information deleted from the report. When we opted to be removed, there was no argument about whether or not anyone has the time to remove this information, and the request was acted upon quickly. So you can imagine our surprise when we received your reply when we asked to be removed again.

I understand that it takes time to format the report, and I understand that you are busy. But as a parent that pays tuition to your school, I fail to understand how this request can be so blatantly refused. In fact, I fail to understand why the information is needed by anyone outside of the staff at the school. If other parents have requested this information, then it should be provided on an opt-in basis, not by default.

While it may seem paranoid to you that we do not wish to have our personal information included in this database, I hope you understand our concern for privacy in this day and age. My career is in information security, so I know on a technical level how easily this type of report is compromised, and how the personal data can be misused.

Please remove our personal information from the report at your earliest convenience.

We’ll see what comes back.

 Comment