Friday, August 31, 2007

Rogue Wireless Access Points

Doug asks:

"Do you have a suggestion (besides NAC) for pinpointing a rogue access point on a LAN from the wired side?"

Finding rogue APs from the wired side is tricky. You can try scanning for them with Nessus or Nmap, but I've had only limited success with those techniques. The typical consumer wireless router you pick up at Best Buy today won't expose enough on its WAN ('outside') interface for Queso-style TCP/IP stack fingerprinting or banner grabbing to work, and plugging that outside interface into your network is pretty much how those devices get connected in the first place.

If the AP is just an AP (like my Linksys WAP11) and not a NAT router (like my Linksys WRT54G), then Nmap or Nessus may work for you. Your switches are another good way to find it: look for a single access port that has learned multiple MAC addresses (compare the CAM table against the ARP entries for that port). The 'switchport port-security' feature on your Cisco IDF/user-facing switches can also keep a plain bridging AP from serving more than the first wireless client, although that depends on the switch's IOS version and how the AP behaves.

You can also dump the ARP/CAM tables from your switches and match the first three octets (the OUI) of each MAC address against the IEEE OUI database, looking for manufacturers like Buffalo, Linksys, D-Link, TI, etc.

This works for APs and routers alike, and it's probably a good idea on any network without 802.1X/EAP or NAC, especially if you've standardized your workstations so you know all the NICs come from just one or two OEMs; anything else is worth tracking down.
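Here is an added example (not from the original post, and not anyone's production tooling) that applies both wired-side checks above to a 'show mac address-table' dump: it flags access ports that have learned more than one MAC, and it looks up each MAC's OUI against a vendor table and reports anything that isn't one of your approved workstation OEMs. The OUI table and the CAM dump are constructed samples for illustration; in practice you would load the current IEEE oui.txt and feed it real switch output.

```python
"""Rogue-device hunting from a switch CAM table: multiple MACs on one
access port, plus OUI-to-vendor matching.  Added example, not the
author's script.  OUI_TABLE is a constructed sample, NOT the IEEE list."""
import re
from collections import defaultdict

# Constructed sample OUI table (prefix -> vendor).  Assumption: a handful
# of entries stands in for the real IEEE registry; verify before relying
# on any of them.
OUI_TABLE = {
    "00:1A:A0": "Dell",
    "00:14:22": "Dell",
    "00:0D:56": "Dell",
    "00:12:17": "Cisco-Linksys",
    "00:18:39": "Cisco-Linksys",
    "00:16:01": "Buffalo",
    "00:1B:11": "D-Link",
}

APPROVED_OEMS = {"Dell"}   # the "one or two OEMs" the post assumes

# Constructed sample in Cisco IOS 'show mac address-table' layout.
SAMPLE_CAM = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001a.a012.3456    DYNAMIC     Fa0/1
  10    0014.22ab.cdef    DYNAMIC     Fa0/2
  10    0012.1700.1122    DYNAMIC     Fa0/7
  10    000d.5611.2233    DYNAMIC     Fa0/7
  10    001a.a099.8877    DYNAMIC     Fa0/7
  10    0016.01aa.bbcc    DYNAMIC     Fa0/9
"""

_CISCO_MAC = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)


def normalize_mac(mac):
    """Accept aaaa.bbbb.cccc, aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and
    return the canonical AA:BB:CC:DD:EE:FF form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    d = digits.upper()
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))


def vendor_of(mac, table=OUI_TABLE):
    """Vendor for the MAC's OUI (first three octets), or 'unknown'."""
    return table.get(normalize_mac(mac)[:8], "unknown")


def parse_cam(text):
    """Yield (port, mac) for every DYNAMIC entry; header lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and _CISCO_MAC.fullmatch(parts[1]) \
                and parts[2].upper() == "DYNAMIC":
            yield parts[3], normalize_mac(parts[1])


def audit_cam(text, approved=APPROVED_OEMS, table=OUI_TABLE):
    """Return (suspect_ports, foreign_macs).

    suspect_ports: ports that learned more than one MAC, i.e. a bridging AP,
                   hub or unmanaged switch is hanging off a single access port.
    foreign_macs:  (port, mac, vendor) for every MAC whose OUI is not one of
                   the approved workstation OEMs."""
    by_port = defaultdict(list)
    for port, mac in parse_cam(text):
        by_port[port].append(mac)
    suspect_ports = sorted(p for p, macs in by_port.items() if len(macs) > 1)
    foreign = sorted((p, m, vendor_of(m, table))
                     for p, macs in by_port.items()
                     for m in macs if vendor_of(m, table) not in approved)
    return suspect_ports, foreign


if __name__ == "__main__":
    ports, foreign = audit_cam(SAMPLE_CAM)
    print("ports with >1 MAC:", ports)
    for port, mac, vendor in foreign:
        print("%-6s %s  %s" % (port, mac, vendor))
```

On the constructed dump, Fa0/7 shows up both ways: three MACs behind one port, one of them with a Linksys OUI, which is exactly the bridging-AP picture; Fa0/9 shows a lone Buffalo OUI, which could be a NAT router presenting a single MAC. Neither check is proof on its own (a VMware host or a docking station will also multiply MACs on a port), so treat the output as a list of ports to go and look at.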

However, I think the best way to find rogue APs is over the air. The rogue-detection features built in to the Airespace/Cisco controllers, a wireless IDS like AirDefense, or even just regular site walks with a laptop and Kismet (or a PDA and PocketWarrior) will yield the best results.

Storm on Blogger

Don't believe anything I link to, ever. Even before this. :)

Thursday, August 30, 2007

The Great NAC Robbery

From Dark Reading's "News Feed" (aka the industry press release feed) comes a purported success story about an independent school district in Texas that has implemented Mirage Networks' NAC. Reading stuff like this makes me ill. There are several components of this scenario that offend my sensibilities, and common sense in general.

First, K-12 schools have very real, very unique security challenges. (I speak from experience. My early work with firewalls, content management, security monitoring, incident response, forensics, and working with law enforcement all came from working for a school district for the latter half of the 1990's.) But rogue devices (the problem that NAC should be positioned to solve) shouldn't be one of them, at least not a big one. Simple network design and segmentation should cut down on accidental cross-over from student/library/commons networks, and then physical supervision (you know, teachers, librarians, parapros, etc.) can be used to cut down on students intentionally plugging in laptops in classrooms or offices.

Secondly, NAC is the wrong fix for Sasser. Patching a 4-year old vulnerability is the right fix. If your patch cycle is over 4 years, then you have no patch cycle, and with or without NAC, you've lost. Using NAC to 'ban' all of your unpatched workstations from the internal network may save your unpatched servers, but kicking out legitimate users on internal machines is still an overall loser for IT. Functionally and politically, this can't be sustained.

Thirdly, school money is taxpayer money. School administrators, especially facilities and IT folks, hate to be reminded of it, but it's true. This is a nice win for the Mirage account manager who pulled it off. K-12s can be tricky to sell into, and they typically have tight budgets with limited or no dedicated security spending. Round Rock ISD consists of over 40 schools, plus admin offices and bus garages. At that size, there's pretty much no way this wasn't at least a six-figure expenditure. And for what? A temporary fix for a problem that could've been solved with $20K of server hardware and WSUS? If I lived in Round Rock, TX, you can be sure I'd be at the next board meeting asking questions.

Friday, August 24, 2007


Andreas Oestling's pmgraph utility is probably the best visualization tool for output from Snort's perfmonitor preprocessor. Unfortunately, Andreas' home page at went offline a few months back. Fortunately, for those of you trying to find a copy of pmgraph, Sourcefire's Jason Brvenik has made copies available here, and here.

Friday, August 17, 2007

Bruce Potter vs. ecard

At Defcon 15, Bruce Potter gave an awesome talk titled "Dirty Little Secrets of Information Security" that I certainly hope makes its way to YouTube soon, especially for those folks who were asked to leave the far-too-tiny room in which Bruce was speaking.

A little background: When Shmoo Group forms like Voltron, Bruce (aka gdead) happens to be the head. The big, loud, talking head. Bruce is also a consultant at Booz Allen, one of the ShmooCon organizers, and one of the most entertaining speakers working the *Con circuit today (he's like Johnny Long with IRC cred). I'm a fan of what Bruce has to say, generally.

So back to his Defcon talk. On slide #6 (going from the PDF on the Defcon CD, which is different from the slide deck he actually used), Bruce announced that "Defense In Depth is Dead." Naturally, I disagree. Defense in depth is hardly dead; in fact, it's pretty much the only chance you have. And so I present to you, dear readers...



I'm going to use the case of the ecard worm outbreak to disprove Bruce's assertion that defense in depth is dead.

Bruce says...
  • We start with bad code
  • Then we added firewalls
  • ...but still bad code
  • Then we added AV, IDS, and anti-spam
  • ...still bad code
  • Then we added 2-factor auth and single sign-on
  • ...bad code again
  • Then we added application firewalls
  • ...code is still bad, plus we have LOTS MORE code now
  • We have lots of security controls, environmental complexity, and mad technology, but we still get owned because of bad code. So fix the code, stupid.
ecard...
  • Didn't exploit code vulnerabilities in your OS, browser, or anything else that runs code
  • Was delivered by sending e-mail messages with links in them that got users to download and run the dropper, which did all of the mass pwnage.
  • Wasn't blocked by most firewalls because it used inbound SMTP and outbound HTTP
  • Kicked my AV vendor's ass for several weeks by repacking binaries
  • Schooled really stupid spam filters by changing its delivery message and download URL
  • Got past IDS until the vendors wrote signatures for it
  • BUT couldn't install on machines where the user wasn't a local administrator
  • It WAS found by monitoring firewall logs in the SIM
  • AND was stopped when the application firewall was configured to block "http://*/ecard.exe" requests
  • AND when Group Policy disallowed the execution of files named ECARD.EXE
  • PLUS NOW my spam vendor has decent filters that catch it
  • AND my AV vendor is detecting the first 8 of 13 variants... OK, they still suck
  • BUT we don't have ecard problems because we had a variety of defensive measures available to protect local and mobile users until the storm subsided.
So there are two take-aways from this. First is that defense in depth still works today as long as you are monitoring and managing it. Just buying products and plunking them in won't save you. And your super-cool security gadgetry won't always be the most effective tool for addressing a new threat. Second is that despite proving Bruce Potter wrong about defense in depth, ecard proves him right about his second point, "You Can't Train Everybody." So there you go.
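The detection that actually found ecard here was log review rather than a signature, so as an added example (not from the original post, and not the SIM rules or the application-firewall policy described above) here is a small Python script that does the equivalent hunt over web-proxy logs. It implements the host-agnostic "http://*/ecard.exe" match from the list above, builds the list of internal hosts that fetched the dropper, and then generalizes one step beyond the post: it flags any .exe filename that is being served from many unrelated hosts, which is how a renamed dropper on a new set of download URLs would still surface. The log lines are constructed samples in Squid native access.log layout; the client and server addresses are made up.

```python
"""Hunt for the ecard dropper in web-proxy logs.  Added example, not the
author's SIM content.  SAMPLE_LOG is constructed (Squid native access.log
layout); every address and hostname in it is made up."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1188100001.123    412 10.1.4.17 TCP_MISS/200 61440 GET http://71.22.13.9/ecard.exe - DIRECT/71.22.13.9 application/octet-stream
1188100002.456    310 10.1.4.17 TCP_MISS/200 2137 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1188100010.789    398 10.1.9.42 TCP_MISS/200 61440 GET http://24.8.99.101/ecard.exe - DIRECT/24.8.99.101 application/octet-stream
1188100020.111    401 10.1.9.42 TCP_MISS/200 61440 GET http://24.8.99.101/ECARD.EXE - DIRECT/24.8.99.101 application/octet-stream
1188100030.222    377 10.1.7.8  TCP_MISS/200 61440 GET http://h-68-12-3-4.dsl.example.net/ecard.exe?id=4 - DIRECT/68.12.3.4 application/octet-stream
1188100040.333    120 10.1.7.8  TCP_HIT/200 8192 GET http://cdn.example.org/greetings/ecard.gif - NONE/- image/gif
1188100050.444    250 10.1.2.3  TCP_MISS/200 9000 GET http://www.example.net/download/setup.exe - DIRECT/198.51.100.7 application/octet-stream
"""

# Squid native format: time elapsed client result/status bytes method URL ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def parse_squid(text):
    """Yield one dict per parseable log line."""
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if m:
            yield m.groupdict()


def is_ecard_request(url, filename="ecard.exe"):
    """Host-agnostic equivalent of the 'http://*/ecard.exe' block rule:
    match on the last path component only, case-insensitively, and ignore
    any query string the worm tacks on."""
    parts = urlsplit(url)
    return parts.scheme == "http" and \
        parts.path.rsplit("/", 1)[-1].lower() == filename


def find_ecard_victims(text):
    """Map each internal client that fetched the dropper to the hosts it
    pulled it from; these are the machines to pull off the network."""
    victims = defaultdict(set)
    for rec in parse_squid(text):
        if rec["method"] == "GET" and is_ecard_request(rec["url"]):
            victims[rec["client"]].add(urlsplit(rec["url"]).hostname)
    return {client: sorted(hosts) for client, hosts in victims.items()}


def suspicious_exe_paths(text, min_hosts=2):
    """Generalization beyond the post: one .exe filename being served from
    several unrelated hosts is the shape of a mass-mailed dropper even after
    the filename-specific rule is evaded by a rename on a new URL set."""
    hosts_by_name = defaultdict(set)
    for rec in parse_squid(text):
        parts = urlsplit(rec["url"])
        name = parts.path.rsplit("/", 1)[-1].lower()
        if name.endswith(".exe"):
            hosts_by_name[name].add(parts.hostname)
    return {n: len(h) for n, h in hosts_by_name.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for client, hosts in sorted(find_ecard_victims(SAMPLE_LOG).items()):
        print("%-10s fetched ecard.exe from %s" % (client, ", ".join(hosts)))
    print("exe names served from multiple hosts:", suspicious_exe_paths(SAMPLE_LOG))
```

Two things worth noting about the matching: it is deliberately tied to the path and not the host, since the download hosts were infected home machines that changed constantly, and it ignores case and query strings so the ECARD.EXE and ecard.exe?id=4 variants in the sample are caught. The ecard.gif request is not matched, which is the point of checking the filename rather than just the substring "ecard".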

Tuesday, August 14, 2007

Playing Catch-Up

Did you know that it's possible to overwhelm a Treo by simply ignoring your e-mail for two weeks? :-) Now you do.

OK, first of all I want to get some thank-you's out. Thank you to Jeff Moss and the Black Hat staff for putting on an amazing conference. Thank you to OWASP, Microsoft, and especially Don Donzal and for buying the bar. Thanks (and congrats!) to the 1@stPlace guys for hanging out Thursday night. It was great to meet you all and nice job on your 2nd consecutive win! Oh, and thank you to Dateline producer Michelle Madigan for sending me home from Vegas with a story I could tell to people that don't grok '%48%45%58'.

And second, here are my pictures. All taken with my Treo, so they pretty much look horrible.

David Litchfield teaching "Breakable: ..."

(L-R) Peter Ferrie, Tom Ptacek, Nate Lawson, Dino Dai Zovi

Free Shirts !
(Note the rare and prized ArcSight Ace & Gary shirt)

Alexander Tereshkin, Joanna Rutkowska


Bruce Schneier

Tim and the Big Beer
( @ Hofbrauhaus - thanks again Don Donzal!)

CTF !@#!!
(Kenshoto ninjas surrounded me and demanded the SD card, but I escaped)

Lockpicking races

Priest kicking folks out of Bruce Potter's very popular talk

S'mores rule!
(Vegas to Pentwater was opposite ends of the spectrum, but just what I needed!)

Wednesday, August 1, 2007

VMware Escape Public (Finally!)

Lots of good and interesting stuff, plus pictures, coming from Black Hat. I'll post them hopefully by the end of the week. In the meantime, check this out:

No, I didn't have any specific knowledge of this beforehand. I only knew that a group of REALLY smart people were working on it, and when asked, "Is it possible to break out of VMware?" they would smirk wryly and say things like, "I don't know, and if I did, I couldn't tell you." Yeah, well, I knew better than to bet against them.