Friday, August 20, 2004

MIT Security Camp 2004 and the invisible AUP

So I took the past two days off to attend MIT Security Camp. I've been going to it and its sister conference at BU for a number of years now and really enjoy it. It's free, the talks are great and I always walk away learning something and having fun. So, I shouldn't be complaining, right?

Well, yes and no.

At one point during today's session, I, like 75% of the other people there, decided to take out my laptop to check mail, check in at work and the like. Now, given that there was a free wireless network for our use and I'm a freak when it comes to my data and my security, naturally I do everything I can to protect myself. So, I set up SSH forwarding to tunnel my mail traffic off the wireless network and to a slightly more secure wired network at home. My signal strength wasn't the best and I was having DNS issues, so it made checking mail a bit tricky. So, I fired up trusty tcpdump to see what was going on. Sure enough, soon after I started seeing my traffic, things started to work. If I had to guess, it was because the APs became slightly less bogged down or the slower of my assigned DNS servers finally timed out.

But my tcpdump session was open long enough for me to see some pretty interesting traffic. Though that's not too surprising, for a number of reasons. For one, MIT's network (wired or otherwise) is extremely interesting given the vast number of machines, lack of firewalls, and hardware and software that predates my birth. Secondly, it's because I have an eye for things that are out of the ordinary. Among other things, my eyes immediately fixated on some IPX traffic. In the payload was some data that obviously came from an Alpha box and was prefixed with the string LONG-LIVE-THE-BO, or something along those lines. Interesting, eh?

So after my mail situation was straightened out, I fired up ethereal to get a better (easier) look at the data I was seeing.

Keep in mind that my card was not in RFMON mode, as I still haven't figured out how to put my card into that mode and actually be able to establish normal connections with it (i.e., SSH'ing somewhere). So, the traffic that I was seeing was broadcast traffic that was headed toward my machine legitimately. I'm sure many of you know that the traffic that is considered network broadcast traffic can get quite ugly. This'll include everything from IGMP, to multicast, to Windows networking and at least a half dozen other old but relatively common protocols that most everyone has seen and that aren't that interesting. As such, I filtered out damn near everything that I wasn't interested in. Sure enough, eventually that Alpha box was back, and there were a few more that were chatting IPX with each other.
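The filtering step described above, done in code rather than in an ethereal display filter. This is an added example, not the author's capture or code: it classifies raw Ethernet frames as broadcast, multicast or unicast, recognises the ways IPX appears on the wire (Ethernet II type 0x8137, Novell "raw" 802.3 with the IPX checksum 0xFFFF leading the payload, 802.2 LLC SAP 0xE0, and SNAP), decodes the 30-byte IPX header, and keeps only the broadcast IPX frames. The sample frames, MAC addresses and payload text are constructed for the example.

```python
"""Sort captured Ethernet frames the way an ethereal display filter would:
broadcast vs. unicast, and which of the broadcast ones carry IPX.
Added example; not code from the original post."""
import struct

ETH_BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPX = 0x0800, 0x0806, 0x8137
LLC_SAP_IPX = 0xE0            # 802.2 DSAP/SSAP value used by IPX
IPX_HDR_LEN = 30              # fixed IPX header size


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def classify(frame):
    """Return addressing class, encapsulation and protocol of one frame.
    Handles Ethernet II, Novell 'raw' 802.3 (IPX checksum 0xFFFF as the
    first two payload bytes), 802.2 LLC and SNAP, which is how IPX shows
    up in a mixed capture."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if dst == ETH_BROADCAST:
        cast = "broadcast"
    elif dst[0] & 0x01:            # group bit set: multicast
        cast = "multicast"
    else:
        cast = "unicast"
    if type_or_len >= 0x0600:      # Ethernet II: field is an EtherType
        encap, proto, payload = "ethernet2", type_or_len, frame[14:]
    else:                          # 802.3: field is the payload length
        payload = frame[14:14 + type_or_len]
        if payload[:2] == b"\xff\xff":                 # Novell raw 802.3
            encap, proto = "802.3-raw", ETHERTYPE_IPX
        elif payload[:3] == b"\xaa\xaa\x03":           # SNAP: type at +6
            encap, proto = "snap", struct.unpack("!H", payload[6:8])[0]
            payload = payload[8:]
        elif len(payload) >= 3 and payload[0] == payload[1] == LLC_SAP_IPX:
            encap, proto, payload = "802.2", ETHERTYPE_IPX, payload[3:]
        else:
            encap, proto = "802.2", None
    return {"dst": mac_str(dst), "src": mac_str(src), "cast": cast,
            "encap": encap, "ethertype": proto, "payload": payload}


def parse_ipx(payload):
    """Decode the IPX header; return addresses plus the data after it."""
    if len(payload) < IPX_HDR_LEN:
        raise ValueError("short IPX header")
    (_csum, length, _tc, ptype, dnet, dnode, dsock,
     snet, snode, ssock) = struct.unpack("!HHBBI6sHI6sH", payload[:IPX_HDR_LEN])
    return {"length": length, "type": ptype,
            "dst": f"{dnet:08x}.{dnode.hex()}.{dsock:04x}",
            "src": f"{snet:08x}.{snode.hex()}.{ssock:04x}",
            "data": payload[IPX_HDR_LEN:length]}


def ipx_broadcasts(frames):
    """The display-filter step: keep broadcast frames that carry IPX."""
    kept = []
    for frame in frames:
        info = classify(frame)
        if info["cast"] == "broadcast" and info["ethertype"] == ETHERTYPE_IPX:
            info["ipx"] = parse_ipx(info["payload"])
            kept.append(info)
    return kept


# Constructed sample frames (not captured data).
_SRC = bytes.fromhex("08002b123456")


def _ipx_frame(data, raw8023):
    """IPX type 4 to the SAP socket 0x0452, broadcast node, in either
    Novell raw 802.3 or Ethernet II framing."""
    ipx = struct.pack("!HHBBI6sHI6sH", 0xFFFF, IPX_HDR_LEN + len(data), 0, 4,
                      0, b"\xff" * 6, 0x0452, 1, _SRC, 0x4003) + data
    tl = len(ipx) if raw8023 else ETHERTYPE_IPX
    return ETH_BROADCAST + _SRC + struct.pack("!H", tl) + ipx


SAMPLE_FRAMES = [
    # ARP who-has: broadcast, but noise for our purposes
    ETH_BROADCAST + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_ARP)
    + struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                  bytes.fromhex("001122334455"), bytes([10, 0, 0, 2]),
                  b"\x00" * 6, bytes([10, 0, 0, 1])),
    _ipx_frame(b"HELLO-FROM-A-TEST-BOX", raw8023=True),
    # IPv4 unicast to some other station: not broadcast
    bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455")
    + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19,
    # IGMP-style multicast to 224.0.0.1
    bytes.fromhex("01005e000001") + bytes.fromhex("001122334455")
    + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19,
    _ipx_frame(b"HELLO-FROM-A-TEST-BOX", raw8023=False),
]
```

Feed `ipx_broadcasts()` the frames pcap hands you and you get exactly the subset the author was looking at. Without RFMON a client card in infrastructure mode only passes up frames addressed to it plus broadcast and multicast, so that subset is the whole of what such a filter can ever see; the noise it removes (ARP, IGMP, Windows browser traffic) is the bulk of it.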

About 5-10 minutes into the second talk, one of the talk organizers taps Muncus (who was sitting next to me) on his shoulder and asks to speak to him outside. It was odd, but I didn't think much of it. When he came back, he told me that someone had complained about me sniffing traffic and that she wanted me to leave (she being the talk organizer). At first very confused and surprised, I reluctantly packed up my stuff and headed out. I met her and the guy who was upset with my "sniffing" in the hallway. At the time, I was a bit uneasy because I wasn't sure what was going on, let alone what the big deal was. I was polite and as unconfrontational as possible, yet they seemed to insist that what I was doing was wrong and that I was breaking their rules. I tried to explain to them that I was doing nothing malicious at all and was merely interested in that Alpha traffic, which was coming my way whether I wanted it or not. It didn't seem to matter, really. I had already been asked to leave and two people were already fairly unhappy with me, so why bother making a stink, right?

Well, after the hike in the hot sun back home I had some time to think.

First of all, I broke no rules. Why? Because there were none. Yeah, I signed up for this conference, but I neither signed nor read any AUP or rules stating how I was to use their wireless network. That said, I'm a mature and fair person, especially when in the hospitality of others. So, if I thought that what I was doing was blatantly wrong and malicious, I can assure you I wouldn't have done it.

Second, even if I had read an AUP or signed some sort of agreement, I was doing nothing even remotely close to subverting or attacking their network. This was good old, plain jane broadcast traffic. No, I'm not talking RF broadcast, but standard 802.3 broadcast traffic that was being spewed at every machine in the auditorium whether they wanted to receive it or not. So, telling me I can't do that is the equivalent of saying "hey, I'm gonna be talking really loudly in the back of the room while someone else is talking, but you cannot listen to me." Sure, a similar argument can be made for RF traffic, but it's a bit different. I took no hostile measures to get the traffic I saw. Heck, at that, the traffic I did see and was specifically looking for was 100% harmless anyway.

Thirdly, if you are at a security conference and have a problem with someone sniffing wireless traffic, you've got a serious wake-up call coming. This is not the third grade -- there is no "honor system" in the security business. You've got to assume that, unless you are in some extreme situation, the minute traffic leaves your machine it will be compromised. That's why the entire theme of this conference was security. It is extremely important and yes, despite what you may think, there are people out there whose sole purpose is to make your life as a security professional that much more difficult. I can think of easily a handful of conferences (whether they were security minded or not) where a survey of some sort was conducted to see what portion of the people attending that conference were practicing insecure computing practices. You know what? A scarily high percentage of those people who were among the foolish masses POPing their mail in the clear, using plain old HTTP to do banking, and telnet'ing and SNMP querying their organizations' routers had no idea of the implications of their actions. You know what? Now they know.

Once again, folks, the Internet is a scary, scary place, so you best start practicing what you preach or you will get bit and get bit hard. It's not if, it's when.

I'll be at this coming Spring's BU Security Camp, as well as next year's MIT Security camp.

Sunday, February 15, 2004

An exploit a day keeps the doctor away

Or something.

Ok, what the heck. I just can't seem to find the time to blog anymore. One would think that I'd have much more free time because, well, I'm not driving to/from Boston all the time to see Rachel. I think I just have to organize my life a bit more and I'll find that I have free time.

Since last I blogged, quite a bit has happened. Lets see here...

Many weeks back I drove up to NH to meet Pete and Rachel. They had gone snowboarding on Saturday, so I drove up to meet them that night. It was quite cold and had been for some time, so conditions that day were really really icy. Fortunately it warmed up quite a bit by the next morning, so things melted slightly and the snow they were making stuck. Still it hurt like a bastard when you fell, and I did plenty of that. We ended up calling it quits in 2-3 hours because it was just too sucky. It was fun, but my knees and elbows hurt bad.

It was about that time I had been toying with BOOTP and DHCP, and I noticed that Linksys boxes don't properly handle BOOTP requests. For whatever reason I wanted to configure my laptop's network using BOOTP instead of DHCP. After all, any DHCP server is really just a jazzed-up BOOTP server, so it should work. Well, I found that I couldn't get a proper lease from either of the Linksys boxes I have access to (a BEFSR41 and BEFW11S4). Some quick tcpdump'ing showed the BOOTP replies coming back, but the data contained in the reply was totally bogus. It seemed like random garbage. I tried a few more times and started seeing human readable text in there. This immediately got my attention, and I started spraying BOOTP requests at the Linksys and looked at the replies. Then I saw bits and pieces of HTTP, AIM and other traffic. And it wasn't my traffic, it was bits of traffic from other machines using the Linksys. OWNED. So, none of the Linksys boxes know how to handle BOOTP requests. Instead of replying with a proper BOOTP response, they fill in the entire data portion of the UDP packet with bits and pieces of memory. This memory is all from traffic that has previously appeared on the interfaces of the Linksys. That's great. Within a day or so I had some initial POC code, which later turned into full-fledged exploit code. Actually, the current linksys bootp/dhcp exploit code is just some simple Libnet/pcap code that forges BOOTP requests and then captures the responses. Last week after work I worked with Linksys and Cisco (PSIRT) to get this bug fixed. Linksys' fix was to just ignore BOOTP packets, which isn't the best way, but it works. They'll be releasing an updated firmware sometime soon, but haven't been very helpful regarding an advisory. I'm gonna give them until Tuesday to respond, then I'm just gonna post it everywhere. The exploit code is up and available, so that might help. Feel free to email me with any comments or suggestions.

On February 4th, I gave a presentation on "InfoSec Blunders" at Northeastern's ACM. The room was packed full of people and the talk went ok. It could've been much better if I had slept more, but oh well. I only left myself a few days to prepare for the talk, so I didn't sleep much at all. I ended up going too fast and the talk ended 15-20 minutes early. Anyway, the slides are up if you want to see them.

Two Fridays ago we went and saw Henry Rollins at the Berklee performance center. He is soooo my idol. Quite possibly the most angry man I know, yet he can be so peaceful and can actually hold a great conversation. Did you know he is only like 5'2"? In all his videos, movies and pictures he is made to look tall, but he is really short. Not that height has anything to do with anything, because he'd crush your skull without even breaking a sweat.

Last week some time the word hit the news that the Windows 2000 and Windows NT source code had been leaked. Some rumors and reports said it was Mainsoft, but it really could've happened a number of ways. Any idea how many universities or corporations have access to Microsoft's source code? Tons, and you and I both know how juicy .edu land can be. So anyone that really wanted the source code could've knocked over a bunch of boxen in academia and gotten the source that way. I haven't downloaded the code because not only do I have no real interest in seeing it, but it's also illegal. But, I've seen portions of it posted in various places, and the code is UGLY. It's no wonder there are so many ways to own a Windows box. I give it no more than two weeks and we'll see at least 5 remote exploits for most Windows OSs. Have fun.

Last night was valentines, so a bunch of us went out to eat, and then we met up with some other friends at the Purple Shamrock. We saw two guys get their ass beat by the bouncers on the sidewalk while we were waiting to get in. It was a great time.

This week will be a busy one and I'm headin to Chicago on Friday. Never been there before. Anyway, I'm out.