Archive for the ‘rants’ Category

Get your creep on

Tuesday, January 24th, 2012

About a week ago, I stumbled across this post in google reader:

Console Cowboys -I always feel like somebodies watching me.

I read it, I was impressed, and it immediately reminded me of previous work I’ve done. In collaboration with @achillean we scanned the whole internet looking for ddwrt routers with a directory traversal vuln, and wrote a script to step through the findings. The result was a map you could use to find routers based on their mac addresses. The vulnerability was information disclosure of the wan mac address, which likely would have been found by the google street view cars, and the skyhook cars during their sweeps, so if you know the wan mac address of a router, you can translate that to a physical location on a map. I thought this would be perfect to apply the same formula to – except in this case it would be difficult to pinpoint where the camera actually existed unless there was some kind of information disclosure in the video stream itself.

Now let me make this abundantly clear: Nothing is getting recorded or saved. The output here is a set of IMG SRC html links to cameras on the internet. Your browser renders those image streams directly from the cameras. Nothing gets saved or written unless you explicitly choose to save something – kind of like watching television – unless you dvr something or god forbid still own a vcr, in the same manner, you have to choose to record things. That onus is on the viewer.

The author of the console-cowboys blogpost wrote a script to do all the proper API calls against shodan to search for the cameras, then another loop to manually test each result found for the path that shows video. If an HTTP 200 OK was returned for the path, the url was saved.

I took that script, and simply added IMG SRC tags to the output, also adding threading during the checks and one or two small performance tweaks – my second python script ever, and I’m already using threads! (I was kind of proud of this :D )

The results looked something like this. Very simple, but effective:


Each image there is actually video. The cameras each output mjpg straight to the browser, so firefox and chrome were both happy to render video. The trouble was that I found more than 550 cameras – so loading that html into a browser caused my ram and cpu to spike.. a lot. It also wanted 2 megs a second (MEGS, not megabits..) of bandwidth just to view the cameras. So I used the split command to tear the huge list into 6 parts, each list containing 100 cameras, and one with ~56 or so. I posted it off the main website before writing the script – there were several pastebins floating around with the camera list already, so adding html tags to that was dead easy. I had 200-300 cams in one giant html posted maybe 5 days ago. Everyone had a laugh, and one friend even interacted with one of the shops. It was all in good fun for about a week.

Last night I had a member of the information security community raise a concern with me. There was a discussion, and in the end I was berated and called names. As such, I’ve taken down the cam streams from my site. However, I’m absolutely happy to post my script that generated all the cam streams, since it’s just an updated version of the console-cowboys posting. I encourage you to buy a shodan account like I did, get an API key and have a look at the sort of things people find valuable enough to put on camera. You’d be surprised. Most of it is HORRIFICALLY BORING, but some of the cameras are streaming labs and industrial areas with what appear to be scada devices and other interesting stuff. I’m glad that the girl in the pizza shop had a sense of humor about it, so good on her for that.

I also encourage you to do some research before you buy something like an internet-enabled camera so that you better understand what it is you’re getting yourself into – there’s a chance your camera has not only a ‘known vulnerability’, but a flat out hardcoded backdoor, like these cameras. This is BY DESIGN. Trendnet wrote in a back door.

Anyhow, I was going to use this as material for my LayerOne presentation if my CFP submission got approved but if there are more infosec patrons out there like our generous benefactor here I can expect more headaches the more I talk about this stuff, so I’ll have to think of something else (sorry Noid/Datagram/M).

Now for the meat!

Here’s the script: camcreep.py

You’ll need to install gevent and shodan modules for python. Google can help you with that.

You’ll need a shodan API key: Shodan API key (insert it where it says ‘key =’ .. you’ll see)

I ran this on my mac with 150 threads. It returned about 10,000 results from shodan, and took just a hair shy of 7 minutes to run.

The script outputs “camlog_new.html”. That’s one giant monolithic file with ALL the cameras. You’ll want to use the linux ‘split’ command to slice it up into various files. I manually added the page links to the bottom of those files since there were only 6 of them.

Also, since I did this all using chrome, I was using “Ultimate Chrome Flag” which is a really neat extension that lets you see some IP GeoData about the site you’re on. If you right click, then open a cam stream in a new tab, you should see the little flag on the right hand side of the URL bar – that will at least tell you what city or major geographic region the camera you’re viewing is in.

Happy Hunting!

Adding context

Sunday, June 6th, 2010

However good or bad you think you are at security, this may put a few details into perspective for you:

In the last few weeks Ligatt Security has been “making headlines” with their 90’s-esque hackers-style commercials and advertisements – the three most notable of which advertise that large black men, 12 year old boys, and “hackers” with what appear to be ethernet-enabled projector goggles are “out to get you”. Their fear-based marketing campaign slants the average computer user’s security experience using the standard “if you don’t hire us, your life is pretty much over” routine.

It’s a pretty huge bag of fail – I really hope this is a learning experience for them. One of the more important ‘scout badges’ I’ve earned in my time as a contractor so far is “practice what you preach”. A “large”, publicly traded “information security company” probably should have taken the time to do some BASIC SECURITY on their own website – CLICKY!

virtually lol-inducing. wow, i actually typed that.

EDIT: After a couple of twitter posts about this they’ve firewalled me off of the host. Firewalling one guy isn’t gonna help guys, I’m certain I’m not the only person to have found a CORNUCOPIA of publicly available vulnerabilities on your site.

Paranoia, anybody?

Thursday, February 18th, 2010

So in a previous post, I discussed “Convergence Theory”, which is the concept that argues people will “go with the crowd”. There’s a new fad in town, and it’s all about ditching foursquare because you think you’re going to get robbed.

In this case, frankly, I’m appalled. This is absurdity at its best. Let’s all get on the paranoia choo-choo with Jennifer Van Grove and the silly website she’s blogging about, cancel our foursquare accounts, and go hide at home in fear. Sorry to call you out like this Jen, but this is purely knee-jerk baseless paranoia. If someone sees me IN THE PARKING LOT AT THE GROCERY STORE, then they also know I’m not home. This isn’t anything new.

The common complaint I have with blogposts and arguments like this is that people never think two steps ahead. Nobody ever considers engaging their foresight muscle and actually thinking this sort of thing through to conclusion.

I’m a security-minded person. That means I have to very often think like an attacker. I have to plan out “missions”, I have to completely exhaust all nefarious ideas and plotting in an effort to fortify the clients that hire me to make them more secure. This exercise allows me to put on an attackers hat and logistically consider courses of action in an effort to understand things like the frame of mind and context of an attacker.

In the last few weeks I’ve seen a lot of folks all of a sudden “realize” that checking into foursquare tells the internet that “you’re not at home”. Disappointingly enough the first thing that short-sighted people think is “OH GOD THIS MEANS EVERYONE KNOWS I’M NOT HOME. I’M GOING TO GET ROBBED!”. I cannot articulate using text exactly the style in which I face-palmed. To bring some clarity to those who have chosen to forego foresight, I’ve made this handy flow-chart. Have a look:

Simply put: If you’re going to rob someone, you have to put a little thought into it. You may be shot. You may be caught on camera. You may have to deal with nosy neighbors. Do you even know who this person is or where they live? Think about it for more than 30 seconds. If you’re still convinced that foursquare will get you robbed, print this chart out, and put it over your display using a stapler.

Stop being paranoid. Stop following the crowd. Wake up.

Dealing with liars, slander and libel.

Tuesday, February 9th, 2010

Having been practicing information security on a freelance basis for roughly 2 years now, I’ve quickly come to learn that the information security industry is very incestuous – teeming with folks that think the standard “how to survive prison” methodology works for information security. Find someone who’s made a name for themselves, beat the everliving crap out of them, assume their former glory. This is a problem. Primarily because it doesn’t work, and secondly because nobody has ever been able to do it right and get their intended results.

It is even more of a problem when people who have openly admitted their noviceness in linux, security and other things of a technical nature decide to take up a crusade. They’re loud, boisterous and spend lots of energy on a ’cause’ that they simply don’t understand. The first thing that comes to mind when thinking about these people is an angry neanderthal – angry that the wind blew out his fire, who then goes and bludgeons his neighbor with a rock out of rage, or the Salem witch trials where women were called out as witches and burned alive, their pleas of innocence ignored.

This is exactly what I’m dealing with – novices, newbies and beginners who know little to nothing about information security, the industry surrounding it – picking up a torch and going on a crusade because of something they don’t understand.

I’ve been dealing with a small handful of these people, and it seems the further along I get in growing my business, the more opportunity these trolls think they have to shoot me down. I’m going to draw out, chronologically, the whole series of events from then until now – including how I’ve contacted attorneys, sent cease and desist notices, and how I personally have suffered, and the friends and loved ones around me have suffered because two guys in Riverside simply cannot act like adults. It’s a long ride, but for those interested in the whole story, end to end, read on.

I apologize to those whose names I’m about to drop, who I told I’d keep out of this – but at this point it’s unavoidable. I have to name names to tell the story.


Twitter, DNS, the “Iranian cyber army” and panic – an analysis

Friday, December 18th, 2009

Status.twitter.com tells us that DNS records were overwritten temporarily tonight by attackers to redirect HTTP traffic to another host that was originally destined for twitter.com.

With the information that I know now (12:40am, 12/18):

The host which contained the landing page was hosted with bluehost. This tells us a few things:

  • They didn’t have the infrastructure to do packet captures, or credential theft. Bluehost does shared hosting.
  • Any attempt to do so would have thrown TONS of SSL errors, and very likely DDoS’ed the server hosting the landing page. (Twitter had HUNDREDS of servers, these guys had 1.). All of your twitter apps would have thrown errors, or flat out stopped working.
  • Twitter’s security infrastructure was left untouched, and was not a target of the attack.
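The reasoning above (records overwritten to point at a shared-hosting landing page, which could not have impersonated the real site over HTTPS without throwing certificate errors) can be turned into a small triage check. This is an added example, not the author’s code; the addresses, resolver names and certificate names are constructed (RFC 5737 documentation ranges and `.example` hostnames), not Twitter’s real records.

```python
"""DNS hijack triage: flag resolver answers that fall outside a known-good
address set, and check whether a certificate would even cover the hostname
(a hijack host serving its own cert fails this, hence the TLS errors).

Added example; all data below is constructed, not real infrastructure."""
import ipaddress
from dataclasses import dataclass, field

# Constructed allowlist: the addresses the domain is supposed to resolve to.
EXPECTED = {"twitter.com": {"203.0.113.10", "203.0.113.11"}}

# Constructed observations, as a monitor would collect from several resolvers.
OBSERVED = [
    ("twitter.com", "resolver-a", ["203.0.113.10"]),
    ("twitter.com", "resolver-b", ["198.51.100.77"]),   # overwritten record
    ("twitter.com", "resolver-c", ["203.0.113.11", "203.0.113.10"]),
]


@dataclass
class Finding:
    domain: str
    resolver: str
    unexpected: list = field(default_factory=list)

    def hijacked(self):
        return bool(self.unexpected)


def triage(observed, expected):
    """One Finding per (domain, resolver); 'unexpected' holds the answers
    that are not in the allowlist for that domain."""
    findings = []
    for domain, resolver, answers in observed:
        allow = {ipaddress.ip_address(a) for a in expected.get(domain, ())}
        bad = [a for a in answers if ipaddress.ip_address(a) not in allow]
        findings.append(Finding(domain, resolver, bad))
    return findings


def cert_covers(hostname, san_names):
    """True if a certificate with these SAN dNSNames is valid for hostname:
    exact match, or a wildcard that replaces only the leftmost label
    (so '*.twitter.com' covers 'api.twitter.com' but not 'twitter.com')."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        if n.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == n[2:]:
                return True
    return False


def hijack_report(observed=OBSERVED, expected=EXPECTED):
    """Only the findings that actually deviate from the allowlist."""
    return [f for f in triage(observed, expected) if f.hijacked()]


if __name__ == "__main__":
    for f in hijack_report():
        print(f"{f.domain} via {f.resolver}: unexpected {f.unexpected}")
    # A landing host presenting its own (constructed) cert cannot cover twitter.com:
    print(cert_covers("twitter.com", ["*.bluehost.example", "bluehost.example"]))
```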

I’ve been watching twitter scroll with sensationalism and panic, people yelling “OH GOD TWITTER GOT HACKED EVERYONE CHANGE YOUR PASSWORDS NOW”.

Please – don’t do that.

It’s going to make the job harder for everyone who has to work on this situation; it incites panic and causes people to prematurely flip out and do things they probably shouldn’t do.

I’ve had to deal with this in the past – people throwing their arms in the air and screaming about passwords being compromised when they in fact weren’t. It did not end well.

Please – think before you hit send.

Hacking someones personal brand

Thursday, December 10th, 2009

I know two trolls. Roger Rustad, and David Kaiser – they run socallinux.org.

If you read anything these two post on socallinux.org you can quickly determine they use this mailing list to defame whomever they choose – and because their mailing list gets both spidered by google, and mirrored by list-serv they get pretty much automatic SEO. Multiple domain names replicating messages. And if the mailing list gets any activity for any reason the SEO goes up.

This is like a troll sniper rifle. You want someone to go down in flames, or you just want to make them real miserable? Talk smack about them somewhere that gets spidered by google and replicated to other sites. If anyone googles them, they’ll find listserv messages, mail-archive.com and google cache results all parroting the original messages.

Google is like the force. It can be used for good and evil. In this example, we’re looking at using it for evil.


Go to hell, Time Warner.

Monday, November 2nd, 2009

Let me begin by touching on the geographic disposition of internet service providers. I’m in 4s ranch, a community inside of San Diego. The cable provider is Time Warner, the phone service is PacBell and it’s etched into granite. I tried getting DSL from speakeasy when I first moved here but PacBell said they couldn’t do it because “The cost of running the copper where it needs to go exceeds the money we’ll make by selling this line”. I was stuck with Time Warner.


State of the pwnion.

Thursday, August 6th, 2009
Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) are the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).
The textfile the group distributed was called zf05.txt and after skimming it’s abundantly clear that wordpress played a huge part in these folks getting rooted. Almost every example was sort of an ‘all in one’ server that was used for ‘whatever’. It’s also become clear that jam packing one server with a bunch of services makes it more vulnerable to compromise. Ever heard of KISS? “Keep it simple, stupid”. It’s used very commonly among engineers, computer people – you name it. Anyone that has to build things or design things. The minute you start adding complexity for no reason the proverbial altimeter begins its decline.
People who fake tech exacerbate things. There are groups that call themselves “tech” when in reality they are simply PR or Marketing. The Web 2.0 craze has hypnotized people into putting almost everything they think and do ‘behind the scenes’. They let someone else worry about it. Some ruby programmers I’ve met are incapable of manually issuing a sql query. Others are incapable of interacting with sql unless they have phpmyadmin. These folks generate a requirement to artificially make systems more complex and less secure entirely to suit their evergrowing hatred of looking things up themselves or actually learning anything about the technology they use every day. The easiest way to think about it is this: Think of some people. Now think of these people all owning cars. Think of these people now requiring something as simple as an oil change, a tire change, or a simple tune up. Now think of these people taking their cars to a shop to get work done – for whatever reason: maybe they lack the tools, maybe their HOA doesn’t allow them to perform work on their cars on the grounds (those HOA people desperately need to be stabbed in the lungs, by the way) or maybe they just don’t know how. Now lets imagine these people have the work done, and are talking to the mechanics as they are preparing the invoice behind the counter. The mechanic begins to explain how their oil was changed, and these people abjectly refuse to learn or understand how this works even from a top-level non-technical aspect – they plug their ears and yell “NO! NO! AAALALALALA!! NOT LISTENING NO NOOOO! ALLALAAAAAA!”.
These people strongly support a fancy new term. “Cloud Computing”. Cloud computing will make this worse for everyone.
Let me jump away for a moment. I’d like to point out a fact. The attackers that distributed zf05.txt made a valid point – a point I’ve tried to make to peers, friends and clients alike – If your site/data are on shared hosting and you consider them secure that may mitigate some amount of risk. But if the other people hosting their data are vulnerable and your data is on the same system, you’re still vulnerable.
Now we have some ingredients – lets make a stew. Lets take these bits of information and put them all together and let it simmer.
- Non technical people whose requirements and behavior are insecure and promote systems being rooted
- Systems with lots of various services running on them
- A new trend of mashing these systems together to form giant systems that do the same thing, ending up being bigger and more powerful
- Commonly used software being exploited within a week of a patch.
Mix in a bowl with a whisk until creamy. Add a teaspoon of extra virgin olive oil to a cast-iron skillet. Add a bit of freshly cracked pepper to the oil and some freshly pressed/minced garlic. Let simmer until the pepper and garlic begin to bubble, then pour the mixture from the bowl into the skillet and add a squeeze of fresh key lime if you wish. Cook until firm or golden brown, flip once, then serve! Let stand for 10 minutes to cool. What do you get? What does it smell like? (Well if people actually taste of chicken then that may make one hell of a breakfast omelette). We don’t know. Here’s why we don’t know:
- “Business people” like the idea of getting rid of systems administrators and IT overhead
- “Cloud Computing” does not have a security model yet
- There are no standards – this stuff is too new
- Far too many people are comfortable being hacked, and say “oh there’s nothing important on that site/box”
.. Really, guys? You don’t use that same wordpress password everywhere? For your bank, for gmail, for your car insurance or your mobile provider to login? If a blackhat gets that password you’re really okay with it? If that’s the case, I’d like you to kindly leave the internet, never to return. Please – do us all a favor, for the people that like keeping their privates private and their secrets secret, go away.
So we’re going to take all of these insecurities, vulnerabilities and holes – package them up with non-technical people demanding insecure practices so that they don’t have to learn or think and we’re going to replicate this ad nauseam and store the results in one gigantic computer grid system? Awesome. Maybe I should trade in my whitehat for a black one – since that’s obviously where all the focus, media, fear and money are going to be. Or maybe I’ll just make my white hat bigger – perhaps people will come to their senses and listen to fact and reason. Perhaps not. I guess we’ll see.
I’m not the only one, either…
http://darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218102139&cid=RSSfeed
http://www.sensepost.com/blog/3706.html – open the ppt, this was the defcon talk. they pwned amazon ec2.
http://evilpacket.net/ – see the ‘theft of a rackspace cloud api key’. These guys got root on the rackspace/mosso cloud.

I was late to hear – by a day. That’s 10 years in internet time, we all know. If you’re not in InfoSec you probably didn’t hear. Maybe you heard somewhere, irc, twitter, other bits of the intarnets that Kevin Mitnick got hacked. Everyone chuckled. As it turns out a whole bunch of people got compromised. People I know personally who I consider friends. Rob Fuller, Dan Kaminsky, the Hak5 group and a handful of others, including Kevin Mitnick.



Making Security Research Relevant

Monday, January 19th, 2009

I’m very very open and transparent about security, technology and what I do. I’ve written documentation so thorough that my clients have ended the contracts stating “we don’t need you anymore – with these docs we can do the work ourselves” – in the grander scheme of things that’s awesome. I love it when clients learn from me and it makes me feel really good about what I do – especially if it sticks the first time – but it certainly is prohibitive towards me paying my rent.

I’ve been very vocal in the last year about what I do – to the point it manifests itself as talks I give during BarCamp (LA and San Diego), and Refresh San Diego which is held at Qualcomm. Here is my most recent talk:


Security 102, part 1 from Dan Tentler on Vimeo.


Security102, part 2 from Dan Tentler on Vimeo.

Video courtesy of @northlight



Post Mortem

Wednesday, November 26th, 2008

So security101 went fairly well – people didn’t show up until later, and I had spent too much time screwing around with ettercap and MITM attacks to have enough battery to complete the entirety of the talk with all the examples I had hoped for.

Some of the attendees ended up asking lots of questions so the ‘flow’ I had envisioned sort of went out the window – but I’d much rather have people interested and actively asking me questions: It shows interest. I’d rather have interest than have them all silent while I blather on and on.

We all ended up at my place afterwards and I was giving short demos on MITM dns tomfoolery, rewriting all queries for microsoft.com to linux.com, and doing SSL MITM attacks against hotmail using ettercap. Pretty fun stuff!

I’ll be holding the class again for anybody that missed it the first time and wants to have it again, but I haven’t chosen a date yet.

If you’re interested in a date, please leave a comment! I’d like to hold the class when more people can attend.