Wednesday, July 23, 2008

Let the sky begin to fall...

Moore and Druid have released a Metasploit exploit for Kaminsky's DNS vulnerability.  The last set of statistics scraped from the DNS checker logs on DoxPara indicated that quite a few servers were still unpatched, so it'll be interesting to see what the fallout is now that any kiddie can point & click an attack.  There's been plenty of debate on whether this bug was overhyped - the next few weeks may demonstrate whether that's true.  In the meantime, use OpenDNS if your ISP is still vulnerable.


Book review: "The Best of 2600: A Hacker Odyssey"

I still remember the first time I bought an issue of 2600.  I was probably 13 or 14 and had discovered the magazine through some posts on a BBS.  Finding a copy at the local bookstore was a huge nerdy rush, and I'm embarrassed to admit that I felt like some sort of rebellious bad-ass with contraband when I took it to the register.  Even if I was too chicken to try anything remotely illegal, I still wanted to soak up every last article no matter what the topic: phreaking, computer hacking, lock picking, or simply defying the man.  
My quarterly copies of 2600, combined with text files gathered from BBSs and early web sites, engendered the passion I still have for hacking and security.  I kept a binder, organized by subject, where I would collect articles and printouts.  I discovered "Off the Hook" on WBAI and would tune in every week.  And I even penned a few letters and articles that were published - you can imagine what a thrill that was for the ego of this young geek (thinking about them now makes me cringe).
I stopped keeping up with 2600 many years ago, mostly because the Internet became a far better source of information.  So it was with an enormous dose of fond nostalgia that I purchased "The Best of 2600: A Hacker Odyssey" from Amazon this week.  I'm happy to say that it's an exceptionally well-done collection spanning 800 pages and 20 years of history and hacker lore.  Articles have been nicely arranged by era and general subject matter, with plenty of interspersed new material written by Goldstein.  Content spans everything from phone phreaking during the Ma Bell days to hacking during the modern Internet era.
Of course, nostalgia doesn't change the fact that some of 2600's articles suffered from awkward writing and somewhat juvenile anti-establishment overtones - especially when you read them as a staid "grown-up" instead of an over-eager hacker-wannabe teenager.  But you have to consider the context in which they were written.  Many of the older articles truly capture the hacker spirit, developed by pioneers who had far fewer resources at their disposal for obtaining and sharing knowledge.
If you have even a passing interest in the history and evolution of the hacking "scene" over the last few decades, I highly recommend this book.  For me, reading it has been both informative and a fun trip down memory lane.  You can pick up a copy at Amazon.


Saturday, August 4, 2007

BlackHat Wrap-Up

I've returned and recovered from a fun week at BlackHat in Las Vegas.  The conference was a great experience and had an excellent selection of speakers.  As with other hacking conventions I've attended in the past, it was humbling to see how smart some of the presenters and attendees are.  I unfortunately couldn't make it to Defcon this year (damn client obligations!), but four days is just about the right length of time to stay in Vegas.  

To share a few random observations and cool things:
  • At this point it should be clear that browser vulnerabilities are this "generation's" OS-level vulnerabilities.  Owning the client means you can do just about anything, including full-fledged attacks against internal networks.  David Byrne's anti-DNS pinning really drove this home, particularly when he used Java LiveConnect to proxy a full Nessus scan against an internal host through the browser. 
  • Billy Hoffman's talk on "The Little Hybrid Web Worm That Could" was really interesting - he's always a good presenter.  He illustrated several pieces of proof-of-concept JavaScript code that can self-mutate, parse sites like Secunia to "learn" new vulnerabilities, and exploit web application vulnerabilities.  It won't be long before we see these kinds of worms in the wild, as the technology and research are already in place.  
  • Errata Security demo'd a tool called Ferret that combines WiFi sniffing and gathering sensitive information into somewhat of a point-and-click affair.  It works with an HTTP proxy component that lets you easily use session cookies hijacked from other users' browser sessions.  The presenter used it to hop on to an attendee's GMail account while on stage, which really got the audience going.  There's nothing new here - we all know you can sniff and re-use cookies from non-SSL'd connections - but the tool is still a neat implementation.
  • A presentation on extrusion detection systems by Matasano ended up being far more interesting than I expected.  While their research focused on vulnerabilities in agent-based tools designed to prevent information leakage, it conceptually applied to any agent-based product (I'm thinking of SIM tools in particular).  Through reverse engineering, they revealed how trivial it would be to take over agents, execute code at the Windows kernel level, spoof reporting data, and cause other havoc.  It made me really want to grab a copy of PaiMei and learn more about reversing and fuzzing.
  • The Metasploit team gave a fantastic two-part presentation (available on their site) on tactical penetration testing.  Their message was one we've always preached to our clients: pen-testing should not just be vulnerability scanning and firing off exploits.  They covered some interesting new resources for footprinting targets and network discovery, such as DomainTools.com and Paterva.com.  

    The presentation also included a demo of a new Metasploit component that facilitates NTLM hijacking.  You basically capture the victim's NTLM hash through a man-in-the-middle attack (the WPAD proxy hijack technique works great for this), and can then re-use this hash to authenticate with the user's credentials.  There's no need to crack the NTLM hash!  I plan on testing this one out in our lab - although our rules of engagement unfortunately often forbid us from performing network redirection attacks against clients.   
  • SensePost had a presentation on timing-based attacks that I wish I had not missed.  They demonstrated "SensePost-aTime", which leverages timing information to perform SQL injection and extract data.  I couldn't find it on their website yet, but will post as soon as a link is available.  Until then, you can check out a recent post on ha.ckers.org that covers a "res://" timing attack that enumerates a user's local files through the browser.
  • My "Best Booth Gimmick" award goes to Fortify Software - their Borat-inspired "Discover Hackistan" promotion was pretty damn funny.
Personal goal for next year: to put together a presentation that I can at least attempt to submit for BlackHat or Defcon.
