Hackin9

Boing Boing

Hospitals are patient zero for the Internet of Things infosec epidemic
Boing Boing
Whatever commercial and technical impediments exist to securing medical devices -- bad vendors, lack of negotiating power in hospitals, the intrinsic difficulty of information security -- the DMCA makes it all much, much worse. But it's a very good ...

and more »
 

(credit: Wikipedia)

The FBI is denying that it paid $1 million to Carnegie Mellon University to exploit a vulnerability in Tor.

"The allegation that we paid [Carnegie Mellon University] $1 million to hack into Tor is inaccurate," an FBI spokeswoman told Ars in a Friday morning phone call.

Two days ago, the head of the Tor Project accused the FBI of paying Carnegie Mellon computer security researchers at least $1 million to de-anonymize Tor users and reveal their IP addresses as part of a large criminal investigation.

Read 4 remaining paragraphs | Comments

 
 

1939, back when ads used to be safe. (credit: Flickr user: Lulu vision)

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person's online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can't be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Cross-device tracking raises important privacy concerns, the Center for Democracy and Technology wrote in recently filed comments to the Federal Trade Commission. The FTC has scheduled a workshop on Monday to discuss the technology. Often, people use as many as five connected devices throughout a given day—a phone, computer, tablet, wearable health device, and an RFID-enabled access fob. Until now, there hasn't been an easy way to track activity on one and tie it to another.

Read 8 remaining paragraphs | Comments

 

Boing Boing

Hospitals are patient zero for the Internet of Things infosec epidemic
Boing Boing
Whatever commercial and technical impediments exist to securing medical devices -- bad vendors, lack of negotiating power in hospitals, the intrinsic difficulty of information security -- the DMCA makes it all much, much worse. But it's a very good ...

and more »
 

BankInfoSecurity.com

4 Barriers to Hiring DHS InfoSec Experts
BankInfoSecurity.com
Although the U.S. Office of Personnel Management this week granted the Department of Homeland Security permission to hire 1,000 cybersecurity specialists, that authorization doesn't ensure that 1,000 experts will be hired anytime soon. See Also: Trust ...

and more »
 

When doing security assessments or penetration tests, theres a significant amount of findings that you can get from search engines. For instance, if a client has sensitive information or any number of common vulnerabilities, you can often find those with a Google or Bing search, without sending a single packet to the clients infrastructure.

This concept is called google dorking, and was pioneered by Johnny Long back in the day (he has since moved on to other projects see http://www.hackersforcharity.org ).

In a few recent engagements, we actually found password hashes in a passwd file, and passwords in passwords.txt is a somewhat common find as well.

Search terms: inurl:www.customer.com passwords

Or inurl:www.customer.com passwd

Excel documents (always a great target) can be found with a simple:

Inurl:www.customer.com ext:xls

Or configuration files:

Ext:cfg

Or ext:conf

Or something you may not have though of - security cameras. Folks are stampeding to put their security cameras online, and guess how much effort they put into securing them (usually less than none). Not only do you have security footage if you gain access to one of these, theyre usually running older/unpatched linux distributions, so in a penetration test they make great toe-hold hosts to pivot into the inside network.

To find JVC Web Cameras:

intext:Welcome to the Web V.Networks intitle:V.Networks [Top] -filetype:htm

Finding things like webcams is sometimes easier on Bing, theyve got an ip: search term, so you can find things that are indexed but arent hosted on a site with a domain name.

You get the idea. After you total everything up, theres several thousand things you can search for that you (or your customer) should be concerned about that you can find just with a search engine.

With several thousand things to check, theres no doing this manually. In past projects, I wrote some simple batch files to do this, with a 2 or 3 minute wait between them to help evade google saying looks like a hacker search bot to me when they do that, they pop up a captcha. If you dont answer the captcha, youre on hold for some period of time before you can resume.

However, in my latest project, Ive seen that Google especially has a much more sensitive trigger to this kind of activity, to the point that its a real challenge to get a full run of searches done. This can be a real problem often what you find in reconnaissance can be very useful in subsequent phases of a pentest or assessment. For instance, recon will often tell you if a site has a login page, but a simple authentication bypass allows you to get to the entire site if you go to the pages individually. This can save you a *boatload* of effort, or find things you never would have seen otherwise. Leveraging search engines will also sometimes find your customers information on sites that arent their sites. These are generally out of scope for any active pentest activities, but the fact that the data is found elsewhere is often a very valuable finding.

So, with a typical dork run taking in excess of 3 days, what to do? On one hand, you can simply change search engines. For example Baidu (a popular china-based search engine) doesnt appear to check for this sort of dork activity. In the words of John Strand baidu is the honey badger of search engines they just dont care. While you might get the same results though, using a china based search engine isnt confidence-inspiring to some customers.

The path I took was to use the Google Search API (Bing offers a similar service). You can sign up for the API at the Google Developers Console, found here:

https://console.developers.google.com/project?authuser=0

The Bing equivalent is here:

https://www.bing.com/developers/appids.aspx

Now, with an API key you can simply plug that key in to the tool of choice (I often use either GoogleDiggity or Recon-NG, but you can write your own easily enough), and you are good for thousands of searches per day! An entire run that might have taken 3 days using a traditional scraping" />

Theyve got a helpful create pick if you dont have a search application of your own set up yet.

Lastly, on your Google CSE setup page (https://cse.google.com/cse/setup ), open the Basic tab, add the domains of interest for your client in the Sites to Search section, then change the scope from Search Only Included sites to Search the entire web but emphasize included sites. This will allow you to find things like sensitive customer information stored on sites *other* than the ones in your list.

You can expand on this approach with API Keys for other recon engines as well - Shodan would be a good next logical step, their API key subscription options are here:

https://developer.shodan.io/billing

Please use our comment form and share what APIs or tools youve used for reconnaissance. If your NDA permits, feel free to share some of the more interesting things youve found also!

===============
Rob VandenBrink

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The Register

TalkTalk hired BAE Systems' infosec bods before THAT hack
The Register
Contrary to suggestions that TalkTalk hired BAE Systems to shore up its security after the much-publicised hack in October, the telco had actually been outsourcing its security operations centre to BAE since June – and previously told investors it had ...

 
[SECURITY] [DSA 3395-2] krb5 security update
 
OpenBSD package 'net-snmp' information disclosure
 
Internet Storm Center Infocon Status