Archive for the ‘Security’ Category

Border Searches

Posted May 3, 2008 at 03:05pm in Computers, Security

It looks like our electronic devices can be searched by customs when entering the US. This somewhat violates the 4th Amendment; however, there is a border exception to the 4th Amendment, and unless I am wrong you are not officially in the US until you pass customs/border, so the amendment would not apply.

A lot of company policies state that you should not be holding confidential information on laptops in the first place, but email, and browser cache can contain that information. To help prevent the information from intranets from being cached you can install JohnnyCache. JohnnyCache lets you enter in a url pattern and will prevent disk and memory based cache from being accessible when viewing a site matching that pattern. I highly recommend you install this extension regardless of your traveling habits.

I am going to be writing additional posts about handling these searches. These posts are going to be directed at protecting corporate information and personal information.

Off to weeCamp I go

Posted October 7, 2007 at 09:10pm in Computers, Conferences, Programming, Security

Tomorrow is weeCamp, a beCamp/barCamp style conference covering web application security. I am REALLY excited about this conference; there was a chance I was not going to be able to go, but I will be there. The talk I think I will be most interested in hearing is RoR security. I have been learning RoR a bit the past week and while there is a learning curve I am really enjoying it. I have a large project that I am going to be tackling in the Rails framework and I hope that my needs do not exceed my limited experience with RoR. Worst case I have to write it in PHP from scratch or use CakePHP.

Very early Friday morning I was updating my BIOS and it appears that the utility killed off a dependency for my UPS utility, which then made the application think that the connection was lost. This resulted in my UPS rebooting and killing the power to my machine in the middle of the update. I was unable to do a BIOS recovery so I had to order a new motherboard since MSI does not have advanced replacement. If I RMA that board it will take 7-10 business days for them to fix it after they receive it. Combine that with shipping and I am looking at probably a month, considering that is my primary system and migrating everything to another system is just out of the question I felt the $150 was worth it.

It's been a difficult few days even outside my techie life, so I am really hoping this conference will boost my spirits.

Mozy Affiliate Site Security

Posted September 15, 2007 at 09:09am in Computers, Security

I received an email a while back about updating information in my affiliate account so that I could receive payment and put it on the todo list for another time. On August 30th I decided to browse the site to see if I could enter the information online, and just as I was about to enter my Tax ID/SSN I noticed it was on an insecure connection. I asked for a fax number and mentioned that they were not forcing SSL on that page. On September 3rd I emailed them again after reading their privacy policy, where I read the following:

Berkeley Data Systems uses industry standard security measures to protect against the loss, misuse and alteration of the information under our control. Although we make good faith efforts to store the information collected by Berkeley Data Systems in a secure operating environment that is not available to the public, Berkeley Data Systems cannot guarantee complete security. Further, while we take reasonable steps to ensure the integrity and security of our network and systems, we cannot guarantee that our security measures will prevent third-party “crackers” from obtaining this information.

We'll start here: they are talking about the steps they take to ensure the security of your information, but by default when I logged into their affiliate site I was on an insecure connection. I don't think that is reasonable. If it was just a few bits of information, or maybe the ability to change my password, I could let it slide, as a large number of sites allow you to change your password without SSL. The problem with their site is that they ask you for too many key pieces of information over an insecure line. In the screen shot at the bottom of this post you will see what I am talking about. They asked me for my full name, company information, and my Tax ID, which would be my SSN if I were not putting this under a company. In the next section they ask for your full address, which is used by banks, credit cards, and other companies as additional verification information. The last box is your PayPal account email address.

I left one box out, and that was the two fields for changing your password; I will go into details on this now. A lot of people use the same password for multiple accounts, I know I do, but I also have a number of different passwords I use depending on how important I feel that information is. For the average Joe, they will use the same password for all their accounts and in most cases it will not be secure to start with. When you view this page the password fields are completely blank; there are no fields that contain your original password for someone to use a revealing program on. However, you did log in over an insecure connection with this password, so if anyone had been "listening", they just got access to your account. Now I usually use a generic password for signing up for an account and change it later over a secure connection, so if someone was able to read my email they would not have the actual password. If I followed that procedure over the insecure connection my password could be sniffed. So even my paranoia would not have saved me.

What is the problem with all of this? I will run down through the attack for you. Jason is in college working towards a business degree and he has a blog that he uses to teach others the things he learns in his classes. Like most college students Jason needs some money, so he signs up for the Mozy affiliate program because his blog does very well and he feels he can make a decent amount of money. After all, Mozy is a pretty sweet backup setup and his friends can get free accounts with more than enough room to back up their school work. Paul, who happens to live in the same dorm, likes to "listen" to his neighbors' traffic; he found out about this slip up and kept a watch on the dorm traffic for http://affiliates.mozy.com. One day Jason logs into his account and Paul nabs his password. Like me, Jason slacks off on entering the information. Paul knows it is only a matter of time before Jason enters the information, so to speed things up Paul visits Jason's blog and creates a number of Mozy accounts using Jason's affiliate banner to generate some cash in Jason's account so that he has more interest in entering the information. One day Jason enters his SSN, full address, and PayPal account so he can get paid. In the process Paul was able to get Jason's full SSN and his full address. Since Jason probably uses the same password for his PayPal account, Paul is able to log in to his PayPal account and find out what banks Jason is using. Paul now has enough information to call up Bank of America and say he doesn't have his account number handy, which will be followed by the customer service rep asking him for his social and most likely verifying the address and phone number. Paul can now use some social engineering skills to get the remaining portions of the account number, maybe even gain access to the online banking system by having them reset the password. So with one false move on Jason's part, Paul could easily gather enough information to completely take over Jason's life.

I will say there is a chance I am wrong and the Tax ID field is not somewhere to enter your SSN, but on most forms they ask for your Tax ID, or if you are a sole proprietor without a Tax ID you enter your SSN. The IRS actually prefers sole proprietors to enter their SSN rather than an EIN. So the likelihood that someone will enter their social security number in this box is very high.

Below are copies of the emails that I sent and the reply I received. By the way, it took 11 days, and me having to email again, before I heard back about this issue. Excuse the poor organization of the email; I wasn't too interested in being poetic about it. In the original email I also mention how they ask you to email the W9, another chance for your SSN to be exposed to malicious individuals.

I went to the affiliate site the other day to enter in my information to redeem the money I have earned. Under settings it has a field Tax ID, which if you are not using a tax id would be your SSN. The connection is not being forced to SSL. I find this to be a pretty serious security issue, and I will not enter my information until I am assured my SSN is not going to show up in that field. I was also originally asked to email a W9, which is another security issue as my SSN would be transmitted over an insecure connection. I did receive a fax number later, but there are a lot of people that do not think about those things and would be leaving themselves wide open. In the privacy policy you mention taking reasonable steps to assure security, but I feel these issues come close to violating that statement. On an insecure connection you allow changing a password, entering a tax id, a Paypal account address, and a full address to accompany all the other information. Seeing how a lot of people will use the same password for a number of accounts you leave that person's paypal account pretty much open for being taken over, which of course is their fault in some ways. I need a reply as to why these problems exist or when they will be fixed.

I received this in response to my email.

I’ve consulted with our programmers, and this was the response I was given:

The reason we do not force SSL is because there are certain aspects of the program where SSL is unneeded. In addition adding a secure element to a non-secure page produces an error box as well if you do the reverse. That is why we leave the program open with the option of using non-secure and secure elements.

However, although there are no plans to force SSL, all links to our signup and affiliate dashboard pages will be (if they’re not already) pointing to the secure versions of the page.

So if they give you the option to make it SSL by changing the URL, and they have made all their links now point to https, what's the big deal with adding an Apache vhost that redirects the request to the secure version of the site? That isn't a huge task.

Since I contacted them, they have updated the default links to point to HTTPS, which is good, but previous bookmarks users have are still pointing to HTTP. In a number of circumstances it can be difficult to sniff the traffic on the network, but when I was in California I would be out and about and connect to random WiFi access points near my friend's house. There is nothing to stop someone from doing that and maliciously sniffing the traffic in the neighborhood. Sure, it would take some time to find someone that has an affiliate account, but here is another example for you.

Anyone who visits this blog sees I have an affiliate account by looking to the right and seeing the banner. You know my name and what state I live in, so you could find my address. If I ran an insecure wireless network in my house you could have sniffed my traffic and found out what was up. Southern Cali has some insanely priced houses and some incredibly rich people; it would not be hard to find someone using the affiliate program, generate income under their account, and follow that up with a little war drive down their street to gather the remaining intel needed.

How much time would you spend if the end result would be a new identity and the possibility of access to accounts with hundreds of thousands of dollars? I’m sure you can think of some people that would go to great lengths to get that information.

Before I end this with the screen shot I do want to say that I think Mozy has a nice service, and from what I have seen their backup services are secure. I support Mozy and will continue to fly their banner on the right, but I do have a serious problem with the security measures they have not taken with the information being transmitted on their affiliate site.

This completes my first contribution to the security community. I hope some read this and begin adopting more secure standards for how information is transmitted to and from their websites. I also hope that users will make sure to use various levels of passwords to segment the information that can be retrieved about them.

Mozy Affiliate Site Screen Shot

Offensive Security 101

Posted August 20, 2007 at 07:08am in Computers, Security

I started the training videos for the Offensive Security 101 course. I am so pleased with the quality of the courseware. The instructor does a great job of presenting information and recommends reading material throughout the videos so that you don’t go into the next course completely blind. I have watched other training on some of these topics and the presentation just didn’t come close to what I am seeing in these sessions.

The training was $400, which includes access to a VPN, a lab environment to test what I am learning, and the certification exam. On September 1st, the prices are going up so if you are interested you might want to jump on it. If you currently have your CISSP this course will give you 40 CPE credits.

I will blog about the course more as I work through the exercises and view the remaining videos. By the way, Offensive Security is the training spin-off from Remote Exploit, the company that created BackTrack.

On the road to Security

Posted August 15, 2007 at 12:08pm in Computers, Security

Yesterday I made my payment for the Offensive Security 101 training. If I pass the exam I will be an Offensive Security Certified Professional. This exam has received very good reviews from a lot of experienced security professionals, one major reason being that you have to prove knowledge of ethical hacker practices. So instead of just memorizing the nmap man page you have to actually apply the knowledge of fingerprinting, scanning, and other tasks required during a pen test. After I receive this certification I will study for my CEH (Certified Ethical Hacker) certification and work on picking up some contracts that will let me apply that knowledge. Ultimately I would like to get my CISSP and work as a penetration tester, but I do realize that after taking this training I may not like the whole world of security, so my plans could change.

Reporting an attack on a server

Posted August 6, 2007 at 08:08am in Security

I thought I would make this a separate post from my previous one, which talked about my report of a recent attempt to get access to my server.

This is specific to attempts against sshd; if they attempted to gain access through other services or 'doors' you would need to look through other logs, but the procedure is pretty much the same. The first thing, of course, is to make sure that it was an attempt. Every morning I receive an email from logwatch telling me what has happened in the last 24 hours, and in my email I had the following information (edited of course):

--------------------- pam_unix Begin ------------------------

 sshd:
   Authentication Failures:
      unknown (***.******.com): 256 Time(s)
      root (***.******.com): 30 Time(s)
      [.......]
   Invalid Users:
      Unknown Account: 256 Time(s)

--------------------- pam_unix End ------------------------

This section outlines the user names that failed and the number of invalid users.

 Failed logins from:
   194.**.***.*** (***.*******.com): 80 times
   ***.**.***.*** (my.hostmask): 1 time

 Illegal users from:
   194.**.***.*** (***.*******.com): 256 times

 Users logging in through sshd:
   achilles:
      ***.**.***.*** (my.hostmask): 4 times

The second part details successful logins in addition to the failed attempts. It is best to check those against the list of failed addresses to see if the attacker was able to gain access. Seeing nothing there doesn't mean they didn't get in; they could have edited the logs and left a list of attempts from another IP to make you look under the wrong rock.

Once you have determined whether you should report it or not, try to find the owner of the address. In my case it traced back to a website and from there I was able to get contact information. When you visit the website, if there is one, you may not find a contact page, which is what happened when I went to their site. The alternative is to view the terms of service, privacy policy, or corporate information pages. These pages will usually contain an address, phone number, or email address to contact them with any questions. I believe it may even be required to have a proper privacy policy. The other alternative is to use a WHOIS result with email addresses to see if you can get a technical contact, or a domain service that passes email through.

When reporting it, I have a couple of thoughts on variations of this. When I reported the attack I sent the section of the email that states the number of failed attempts and invalid users. I then followed that with a sentence similar to "Please do not overlook these events; if they continue I will have to have someone look into the problem more thoroughly." If they are serious about finding out about it they should ask for more information, since sending them a number of failed attempts gives them no time frame or address the attacker was attacking. The reply for this information is critical: it should show they have interest in fixing the problem, and it confirms they received the first email. I received an email a few hours after I originally sent mine asking for more information. In the follow up I specified my hostname and domain for the server along with the possible IP addresses the attacker was targeting. I also made a copy of the /var/log/secure file and removed information for valid users that had been given access, along with any failed attempts there may have been coming from hostmasks I recognized. It is important to remove as much valid information as possible in case the attacker is working inside the corporation. If the attacker is on the inside, they may have left log entries or other information thinking you will report the incident, giving up information like valid ssh users and their hostmasks, which can be used to restrict/permit access.
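The triage steps above (summarise failed and invalid attempts per source, check whether an attacking source also shows up with a successful login, and strip valid users and recognised hostmasks before sending the log to the address owner) as an added Python example; this is not code from the original post, and the log lines, hostnames and addresses are constructed placeholders.

```python
"""Triage an sshd auth log the way the post describes. Added example, not
code from the original post; the log lines, hostnames and addresses below
are constructed placeholders."""
import re
from collections import Counter, defaultdict

# Constructed sample in /var/log/secure (syslog) format: an attacking source
# guesses an invalid user and root, a legitimate admin mistypes once and then
# logs in, and finally the attacking source gets an Accepted login as root.
SAMPLE_LOG = """\
Aug  5 03:12:01 web1 sshd[2101]: Invalid user admin from 198.51.100.10
Aug  5 03:12:01 web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.10 port 40122 ssh2
Aug  5 03:12:04 web1 sshd[2105]: Failed password for root from 198.51.100.10 port 40130 ssh2
Aug  5 03:12:07 web1 sshd[2109]: Failed password for root from 198.51.100.10 port 40138 ssh2
Aug  5 08:40:10 web1 sshd[2300]: Failed password for achilles from 203.0.113.5 port 51000 ssh2
Aug  5 08:40:15 web1 sshd[2302]: Accepted password for achilles from 203.0.113.5 port 51002 ssh2
Aug  5 09:01:00 web1 sshd[2400]: Accepted password for root from 198.51.100.10 port 40200 ssh2
"""

FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+)")

def summarize(log):
    """Mirror logwatch's sections: failed logins for real users per source,
    illegal (invalid) users per source, and accepted logins per user."""
    failed, invalid = Counter(), Counter()
    accepted = defaultdict(set)
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            (invalid if m.group(1) else failed)[m.group(3)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted[m.group(1)].add(m.group(2))
    return failed, invalid, accepted

def suspicious_successes(log, trusted_sources=()):
    """The cross-check the post recommends: sources that produced failures
    and also have an Accepted login. Hostmasks you recognise (your own
    mistyped password) are excluded so only unexplained successes remain."""
    failed, invalid, accepted = summarize(log)
    attackers = (set(failed) | set(invalid)) - set(trusted_sources)
    succeeded = {src for srcs in accepted.values() for src in srcs}
    return sorted(attackers & succeeded)

def redact(log, trusted_users, trusted_sources):
    """Copy of the log to send to the source's owner, with lines naming
    valid users or coming from recognised hostmasks removed, so an insider
    does not learn which accounts and hosts are allowed in."""
    kept = []
    for line in log.splitlines():
        m = FAILED.search(line) or ACCEPTED.search(line)
        if m:
            user, src = m.groups()[-2], m.groups()[-1]
            if user in trusted_users or src in trusted_sources:
                continue
        kept.append(line)
    return "\n".join(kept)

if __name__ == "__main__":
    failed, invalid, _ = summarize(SAMPLE_LOG)
    for src, n in failed.items():
        print(f"Failed logins from {src}: {n} times")
    for src, n in invalid.items():
        print(f"Illegal users from {src}: {n} times")
    print("Attacking sources with an Accepted login:",
          suspicious_successes(SAMPLE_LOG, trusted_sources={"203.0.113.5"}))
    print(redact(SAMPLE_LOG, {"achilles"}, {"203.0.113.5"}))
```

The redacted copy still keeps the attacker's "Invalid user" and "Failed password" lines, which is the part the remote administrator actually needs.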

The company may not let you know if there was a problem or not, because obviously you may be the actual attacker and you are testing their response or some other possible test you could be doing to get information. The company I contacted let me know there was a problem and that I helped them fix it, which is nice to know.

Doing my part

Posted August 6, 2007 at 08:08am in Security

This morning I received an email from logwatch letting me know what had gone on during the last 24 hours, and this was what I was presented with.

Failed ssh logins from:
194.**.***.*** (****.*****.com): 80 times

Illegal ssh users from:
194.**.***.*** (****.*****.com): 256 times

I have of course removed identifying information of the company that was breached, but I emailed them this morning notifying them of the problem and after they confirmed interest in the problem I emailed them a copy of my secure log. I just received an email from them confirming there was a breach and that it has been fixed. Made me feel good that I was able to help out a company.

This isn’t the first time I have had those messages in the log, the 2nd night I had the server up the log said there were 1200 attempts. Unfortunately I cannot send mail to those because they were just random IP addresses and not much would come of it.

Laptop Usage at Security Conferences

Posted August 5, 2007 at 02:08am in Computers, Security

There is an article on The Register about surviving Defcon. It was an interesting read, and I feel sorta stupid for never thinking about it, but this is a quote that really sums up the idea of using a laptop at a security conference.

Try to recall all of the attacks you have seen in the last year and dismissed because the attacker needed to be local to your network. Then realize that you are about to connect to that network.

Certification Time

Posted August 4, 2007 at 07:08pm in Computers, Programming, Security

For a while I have been keeping my eye on certifications I would like to obtain in the next few years. Being honest with myself, it really is just a goal because it would be very costly and time consuming to obtain all of them; not impossible, just difficult. What is a life without goals, however difficult they might be? After speaking with some security professionals on [H] I have added enough certifications to keep me busy for many, many years. There are a number of certifications that you really cannot pass without real world experience; one I have heard of is the CISSP, which requires four years of experience (5 years effective Oct. 2007), however two years may be waived. One of my goals is to have the credentials that would land me contracts as a white hat, so getting real world security experience is a priority anyway.

Below the list of certifications I have an additional list which outlines the certifications for the DoD directive 8570.1. This directive applies to individuals administering DoD machines. Of course the major problem with certifications is maintaining them; the more certifications you have the more difficult it can be, since you have to recertify every so often. The list below is a broad list of certifications I am interested in, and while I would like to have them all, the list will be narrowed over time. Let's say I get my RHCT, but when looking into Solaris more I don't have interest in working with Solaris, or the other way around, ultimately reducing the list over time.

Now for the main list of certifications:

Since Red Hat has received its EAL4 certification with Labeled Security Protection Profile (LSPP), I added some of the Red Hat certifications to the list.

DoD Directive 8570.1 Technical I

DoD Directive 8570.1 Technical II

DoD Directive 8570.1 Technical III

There are also a number of certifications under the SANS Global Information Assurance Certification that look very interesting. These certifications also seem to be more specific, an example being “GIAC Securing Oracle Certification” or the “GIAC Secure Internet Presence”.

One of the posters from [H] had this in his signature.

CCNA, CCNP, CCIE, CCAI, MCT, MCSE, CNE, CNI, A+, Net+, Security+, SSCP

Showing that it is very possible to obtain a grip of certifications.