Recently I’ve read a lot of things about the attacks against Sony. I’ve read that they’re nothing more than extortion attempts by hackers who probably live in their parents’ basements (based on the fact that the initial demands didn’t mention North Korea at all). I’ve read they were orchestrated by China by people who felt North Korea was being picked on and couldn’t stand up for themselves. I’ve read highly unconvincing reports from the FBI that they were orchestrated by North Korea. No one really knows. I can send traffic to servers from anywhere in the world. Anyone can anonymize their web traffic as easily as using a Tor plug-in with Firefox. I’ve also spoken to friends at Sony who told me that they’re concerned about the future viability of Sony due to the business impacts of these attacks. I’ve also spoken with people at other studios freaking out about not wanting to “be the next Sony.”
But in all of it, there’s something kicking in the back of my head. You see, if someone tried to blackmail me, I’d go to the press (or government) and allow the public to judge me for whatever it is, not cave to demands that are only likely to recur. Not giving in to extortion demands is the right thing to do. If someone threatened the safety of people going to a movie, I’d pull it as well, so that’s the right thing to do as well. There have been enough shootings in theaters, and while potentially financially devastating, it’s not worth the loss of a single human life to show The Interview in theaters. Of course, now that the attackers have backed off their stance, The Interview will be shown in hundreds of theaters. And it will likely be viewed online by millions of people over the next few days. And if this was carried out by North Korea, they couldn’t visit all of our homes to pull it (although the awful remake of Red Dawn by MGM might indicate differently).
I believe that the good, American thing to do is show our support to Sony for all the brain candy they’ve given us in the past. More than that, our support for doing what’s right. And what’s more capitalistic of us than spending $6 on a movie (other than spending more)? What’s better for Sony than to make a little money? In America, we tend to root for underdogs. We love Rocky (which btw cost less than a million to make and brought in a breathtaking $225M – 1:225 ROI there). We wanted Rudy to score a touchdown for the Irish (TriStar – part of Sony). We practiced our kicks like the Karate Kid (Columbia Pictures – part of Sony). We watched Jerry Maguire (TriStar – part of Sony again) even though we couldn’t stand Tom Cruise and rooted for the guy who risked it all to do the right thing (Money, baby). We threw up in our mouths a little when we watched Dodgeball (Fox, but a fun movie anyway). We adore Gandhi (Columbia – again part of Sony) because it won an Oscar and taught us the story of one of the greatest men of all time. We loved Charlie Sheen when he was Winning in Major League (Mirage). And we loved Kick-Ass (Lions Gate), one of the unlikeliest heroes of all.
Sony made Bond great again. Sony brought Spider-Man to the big screen. Sony told us about The Social Network (and we were still allowed to have Facebook accounts). Sony gave us Eat Pray Love. Sony killed zombies awesome sauce in Zombieland. Sony gave us Superbad. Sony taught us a history lesson with The King’s Speech. Sony brought The Da Vinci Code to the big screen. Sony made a great movie in Lords of Dogtown. Sony brought us Hellboy, Adaptation (as a writer, a movie I love), Ali, Black Hawk Down and countless other movies. Some great, some not. That’s the game.
Now, we have a chance to do a very small part by helping Sony escape financial ruin. And yes, they make more movies that suck than are awesome. Because that’s what all studios do. And yes, the film industry seems like a bunch of rich people being silly sometimes. But there are real people who work there. Normal people. With boys and girls and installations at Burning Man. Some of the best people I know. And they do great work. And sometimes the studio makes brilliant movies. And whether this was spearheaded (yes, bad pun on spear phishing) by a dictator with a bad fade, the remaining communist hardliners in China, another studio or something else, it’s up to the market to dictate the outcome. That’s capitalism. ‘Merica
PS – It’s hilarious.
krypted December 26th, 2014
Slowly but surely information about what I left 318 to do has been leaking out. And I wouldn’t say leaking. More like being broadcast to the world. I’ve worked on a few little things here and there at JAMF Software since my arrival. But my core duty is to shepherd the development and strategy behind a new Mobile Device Management tool called Bushel. A little more about Bushel is available here, and I’ll likely post more about it here when the time is right:
And to access the Bushel site:
And some of the writing that is now finding its way onto the Bushel blog:
krypted November 18th, 2014
Posted In: Bushel
One of my favorite tools for penetration testing is Nessus from Tenable Network Security. Nessus 5 is the latest release in what is probably the most prolific family of vulnerability scanners. Nessus 5 does discovery, configuration auditing, profiling, looks at patch management and performs vulnerability analysis on a variety of platforms. Nessus runs on Linux, Windows or Mac OS X and can be used to scan and keep track of vulnerabilities for practically any platform, including Mac OS X.
To install Nessus, go to the Nessus site and click on the Download button, around the middle of the page. Agree to the download agreement and then choose the version that is right for you (Mac OS X in this case).
The software will then download and need to be installed. Once downloaded, open the Nessus dmg and extract it. Inside will be the Nessus 5 package installer.
Open the installer and click through the defaults to perform a basic installation.
Once done, you’ll have the Nessus Server Manager and Nessus Client.url in a Nessus folder in the Applications directory.
Open the Nessus Server Manager and authenticate as an administrator when prompted. When you downloaded the software you would have been prompted for registration. Provide that information in the registration field. Then click on Update plugins to make sure all of the Nessus plugins are running the latest version. Finally, click on Manage Users… to create your users.
At the list of Nessus users, click on the plus sign and create a new user, likely making the user an admin (I see few vulnerability scanning stations that have non-administrative users, which would just be for viewing reports and such). Click Save to create the user and then close at the List of users screen.
If the Nessus server isn’t started, click on Start Nessus Server. Then click on the Nessus Client.url file back where the Nessus Server manager was accessed. At the Nessus login screen, provide the username and password for the Nessus server that was previously created.
Once authenticated, you will be placed in the Scans screen. Before we configure any scans, we’re first going to create a Policy (which, for the most part, defines how a scan operates). To do so, click on Policies and then click on the Add button. There are four policy tabs (aligned on the left sidebar). In the General pane, you will configure the name for the Policy, “Mac Servers” in this example. Then we’re going to check the boxes in the Scan section for Designate Hosts by their DNS Name, Log Scan Details to Server, Stop Host Scan on Disconnect and Avoid Sequential Scans. Then check the boxes in the Port Scanners section for TCP, SYN, SNMP, Netstat SSH and Ping Host. Leave the Port Scan Range set to default and the Performance options at their default values as well. These are useful when you’re done tinkering and want to get better performance out of the system, but we’re not really there just yet.
Click on the Next button to define any credentials you’ll use during scans. Initially, I’d leave this blank, although you can provide SMB information for up to 4 accounts to see what kind of access users have. You can also define Kerberos, SSH and various cleartext credentials as well. We’re going to skip that for now and click Next to define the Plugins.
At the Plugins screen, we’re initially going to leave all of the plugins on. The reason for this is that many of the Lion Server services are similar to those of the various Unix and Linux variants and we can scan SMB with the Windows plugins. These can’t hurt, they might just waste a little time though. Clicking on a Family and then a plugin will show you what each does. Clicking on the green light for each will disable it.
Click on Preferences and define any preferences that you need. Amongst the plugin preferences I usually enable network printer scanning, CGI scanning, Enable experimental scripts, set my Report verbosity to Verbose, provide any certificates needed and then hit Submit to create the new Policy.
Next, let’s click back on Scans in the navigation bar on the screen. As you can see here, I’ve created a few template scans, but we’re going to create a new one by clicking on the Add button.
Provide a name for the scan and then choose the Policy you just created. Set the Type to Run Now (since we’re just testing) and put the IP address of a target into the Scan Targets field. You can also import a large set of targets using the Browse button and a csv file, or use Schedule or Template rather than Run Now in the Type field to schedule scans or create a template scan. Click Launch to kick off the first scan.
Once started, click on the Reports button in the top nav bar to see the status of the scan.
Once the scan is finished, click on the scan to see a list of vulnerabilities and open ports, sorted by the severity of issues. Here, double-click on the host.
The Report screen then shows each service and the vulnerabilities found for that service. Click on one of the vulnerabilities to see what Nessus thinks is problematic with it.
Now for the fun part. Each of the vulnerabilities listed will have CVEs attached.
By default, Nessus is just looking at the service banners to determine vulnerabilities. If you look up the CVE at CVE Details or PacketStorm you’ll see that it was patched a few months ago by most vendors. Nessus can also get things wrong on Mac OS X. The issue is that Apple forks the code for many open source projects, not always updating version numbers in banners, so a banner match can report a flaw that Apple has already fixed. Looking up or testing whether a vulnerability is still applicable can be tedious but would likely need to be done per service according to your internal security policies.
An easy way to test these vulnerabilities is to use Metasploit, a tool I’m long overdue to write an article on. Another way is to try and run the exploit against the host. Apple does a pretty good job of addressing CVEs in their security updates, so don’t waste a lot of time trying things if Apple has already patched them. I have found a really good tool for automatically attempting to exploit via msf + nessus to be Carlos Perez’ auto exploit tool, available on github.
Finally, Nessus is a great tool for scripting. One of the big differences that throws off many an experienced Nessus operator with the version for the Mac is the location of the Nessus binaries. They are in /Library/Nessus/run/bin. In here you’ll find nasl, nessus, nessus-fetch, nessuscmd etc. The command line control here is pretty awesome. Let’s run nessuscmd to scan a subnet of hosts (192.168.210.0/24):
sudo /Library/Nessus/run/bin/nessuscmd 192.168.210.0/24
There are tons of other options for nessuscmd, such as adding ssh keys, smb logins, scanner options, using a remote nessus server, etc. Or use the nessus binary to kick off scans using a nessus config file. The nessus.conf file is also stored in the /Library/Nessus/run/etc/nessus directory, worth looking into.
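Since most of the value of scripting Nessus comes from post-processing its reports, here is an added example (not from the original post, nor Tenable’s code) that parses a .nessus v2 export and triages findings the way the sections above describe: banner-only matches are flagged for manual verification, and findings whose CVEs a reviewer has already confirmed as patched by the vendor are de-prioritized. The XML, hostnames and CVE ids are constructed placeholders, and the "Version source" heuristic for banner-based detections is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample .nessus (v2) export for two hosts; CVE ids are placeholders,
# not real identifiers, and nothing here comes from an actual scan.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="Mac Servers">
  <ReportHost name="server1.example.com">
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3"
               pluginID="1" pluginName="OpenSSH Multiple Vulnerabilities">
    <cve>CVE-EXAMPLE-0001</cve>
    <cve>CVE-EXAMPLE-0002</cve>
    <plugin_output>Version source : SSH-2.0-OpenSSH_5.2</plugin_output>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
               pluginID="2" pluginName="Apache Vulnerability">
    <cve>CVE-EXAMPLE-0003</cve>
    <plugin_output>Version source : Server: Apache/2.2.15</plugin_output>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="3" pluginName="Nessus Scan Information"/>
  </ReportHost>
  <ReportHost name="server2.example.com">
   <ReportItem port="548" svc_name="afp" protocol="tcp" severity="1"
               pluginID="4" pluginName="AFP Server Information Disclosure">
    <plugin_output>The server disclosed its machine type.</plugin_output>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Assumption: a reviewer maintains this set from the vendor's security update
# notes; the values here are placeholders matching the sample above.
VENDOR_PATCHED = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"}


def parse_nessus(xml_text):
    """Return {host: [finding, ...]} from a .nessus v2 document,
    dropping informational (severity 0) items."""
    findings = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.findall("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity == 0:
                continue
            output = item.findtext("plugin_output") or ""
            findings[host.get("name")].append({
                "service": f'{item.get("svc_name")}/{item.get("port")}/{item.get("protocol")}',
                "plugin": item.get("pluginName"),
                "severity": severity,
                "cves": [c.text for c in item.findall("cve")],
                # Assumption: a "Version source" line in the plugin output means the
                # plugin matched on a banner rather than exercising the flaw.
                "banner_based": "Version source" in output,
            })
    return dict(findings)


def triage(findings, vendor_patched):
    """Tag each finding: 'patched' when every attached CVE is in the vendor's
    patched set, 'verify' when a banner match still lists unpatched CVEs,
    else 'open'. Rows are ordered by host, then by descending severity."""
    rows = []
    for host, items in sorted(findings.items()):
        for f in sorted(items, key=lambda x: -x["severity"]):
            outstanding = [c for c in f["cves"] if c not in vendor_patched]
            if f["cves"] and not outstanding:
                status = "patched"
            elif f["banner_based"]:
                status = "verify"
            else:
                status = "open"
            rows.append((host, f["service"], f["severity"], status, outstanding))
    return rows


if __name__ == "__main__":
    for host, service, sev, status, cves in triage(parse_nessus(SAMPLE_NESSUS), VENDOR_PATCHED):
        print(f"{host:22} {service:14} sev={sev} {status:8} {' '.join(cves)}")
```

Point parse_nessus at a report exported from the Nessus client (Reports, then Download) to run it against real output.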
krypted February 23rd, 2012
Large deployments of Mac OS X based systems are becoming more and more prevalent. In some ways, this is due to one-to-one programs and more frequent enterprise deployments of Mac OS X. As such, people are more and more looking to manage systems. And any time you have systems being managed, those using managed systems start looking to break the management of the computers. Therefore, a new topic comes up: trying to discern when a system has broken out of the management framework. For example, how do you know when users have broken your firmware password? How do you know when they’ve circumvented your managed preferences framework to give themselves teh root? How do you know when they’ve traded access to TeacherTube for some other video site with more scantily clad teachers on it? How do you know when employees have unlocked the “My IT Department Sucks” badge on Foursquare at work, even though your firewall specifically doesn’t allow access to social networking sites?
Here are some tips, most of which assume there is some form of patch/policy/update management solution (e.g. Casper, Absolute Manage, FileWave, Puppet, etc) in use in the environment:
krypted December 5th, 2011
For some time, Juniper has been aggressively trying to win converts from Cisco. Not only in terms of sales, but also the hearts and minds of the engineers who influence purchasing decisions. Aggressively going after engineers has meant that for years, Juniper has made their certifications essentially free for those of us who were certified with Cisco. But now, they’re starting to cast their net a little wider and go after getting anyone and everyone certified for free, provided of course that you can pass the test.
Juniper’s Junos certification is being offered for free for a limited time. If you’re interested in beefing up your security and/or networking skills, this might not be a bad certification to look at (can’t beat the price and all):
krypted August 28th, 2010
Posted In: Network Infrastructure
I got this press release and thought it was pretty interesting. It’s just a cut/paste, and hasn’t been edited:
BREAKING NEWS – New York City – MacPhoneHome finds another stolen computer!
Late on a recent Sunday night, a Columbia University student was crossing Morningside Park returning to the Columbia University
He was accosted by four knife-wielding thugs who beat him and robbed him of his MacBook Pro laptop, iPhone and wallet.
The student advised Columbia University security personnel that since his laptop was partitioned with both a Windows and Mac partition, he had installed both PC PhoneHome and MacPhoneHome tracking and recovery software on his computer, which is available by contract to all Columbia University students, faculty and employees as a free download.
Columbia University security personnel immediately notified Brigadoon Software, Inc., the makers of PC PhoneHome and MacPhoneHome, whose recovery agents, most of whom are former law enforcement, sprang into action.
Messages from the stolen machine indicated the thieves were using both partitions of the stolen computer and moving around logging onto the internet from various locations in the NYC Metropolitan area in the
Working with NYPD Detectives, Columbia University security personnel and local Internet Service Providers, Brigadoon’s Recovery Agents pinpointed the exact location of the stolen laptop. NYPD Detectives secured a search warrant and raided the location.
Result: The student’s MacBook Pro, his iPhone and wallet were recovered. One mugger was arrested and three others have been identified and are being sought.
What are you doing to secure your computers from theft?
Check out PC PhoneHome and MacPhoneHome at: http://www.brigadoonsoftware.com
krypted May 1st, 2010
Posted In: Mac Security
Graham Lee is working on a title about Mac OS X Application Security. You can find it at Wiley or click on the link for Amazon: http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470525959.html
krypted January 30th, 2010
Sorry, I can’t help it. That whole “iPhone Security Problems” thread I’ve seen on a few sites recently due to that worm. Oh, then there was a second worm that did the same thing. Really? Did these awesome security gurus realize that the device has to be jailbroken? Oh and they have to still have the default password used for SSH? I would hope that if you know enough to jailbreak the device without bricking it that you know enough to change the default SSH password.
Interestingly enough though, an estimated 6 to 8 percent of iPhones are jailbroken… If there have been 21 million sold, that provides an attack surface of around 1.2 million if you just target jailbroken phones. A PC needs to be running on the same network, infected with a totally different worm that tries to log into the phone and steal things. By the way, here’s a huge new security vulnerability I should write up – if you leave your LinkSys with the default password AND you allow administration over the WAN, then someone can break in over the WAN and mess it up… Of course, in that case you should maybe be beaten with the LinkSys (although the power adapter might cause more damage in terms of hit points), but for some reason people aren’t being beaten over the head with an iPhone; instead so-called security experts find spreading FUD far more helpful than doing something for a living, like real research.
I just have to reiterate this. There’s a worm out there that scans a subnet and attempts a specific SSH user name and password; if it works then it tries to steal some data, or in a different variant just Rick Rolls ya. Somehow the fact that in order to put an SSH server on the subnet in the first place you had to void a warranty and forklift SSH onto a device, which took great pains to do, and subsequently forgot to change the password for that SSH server means nothing; nor does the fact that you also need a frickin’ Windows computer, also infected, to carry the worm to you. Crap, just crap.
krypted November 25th, 2009
Posted In: iPhone
Apple has posted the documentation for Snow Leopard Server:
You may now learn how to do all kinds of fun things… Like play with Podcast Composer, one of the nicest updates of them all (so much so, it got its own PDF).
krypted August 27th, 2009
Google’s Android is a very small Linux distribution. Recently I needed to test some applications that were developed by a couple of friends of mine. Rather than run out to T-Mobile I figured I’d just install the new LiveAndroid disk and thought I would write up how to get set up using VMware Fusion and then go about doing some tasks with Android. To get started make sure you’re running the latest Fusion (or Parallels or Q or VirtualBox). Then download two ISO files from http://code.google.com/p/live-android/
liveandroidv0.2.iso.001 and liveandroidv0.2.iso.002.
Once you have downloaded the two ISO files we’re going to need to join them. To do so
cat liveandroidv0.2.iso.001 liveandroidv0.2.iso.002 > liveandroidv0.2.iso
That will take a few seconds to complete. When it’s done, open up VMware and then click on the New button in the lower left corner of the Virtual Machine Library screen. At the New Virtual Machine Assistant, first click on Continue Without Disk and then choose the Use Operating System Installation Disk Image File: option, selecting the ISO file from the browse screen. Once selected, click Choose in the Browse dialog box and then back at the New Virtual Machine Assistant Screen click on Continue.
At the Choose Operating System screen, leave the Operating System and Version fields set to Other and then click on Continue. The Default memory and disk capacity should be fine (256MB of memory and 8GB of disk). The default Shared networking (NAT) option will also have the Android instance able to boot with the network interfaces functional (unlike in my VirtualBox testing), so leave that as-is as well. Click Finish and then the Android virtual machine will start.
Once started you’re going to get an error about the battery. This is not a big deal; click on OK to suppress it. If you can’t find your cursor then look for the faint grey arrow. You can then click on the default home screen applications (Messaging, Dialer, Contacts or Browser) or on the slider to the right of the screen for the rest of the applications (such as the Gallery or the Camera). If you use the space bar you’ll open the dialer (not that you can dial out or anything) and if you use the Escape key you’ll back out of an application, back to the home screen.
To get to the command line you can use the fn-alt-F1 (the F1, when pressing the fn key is immediately to the right of the Escape key whereas the alt is the same as the option on Mac in that scenario). The fn-alt-F7 combination will switch back from the command line to the home screen.
When you’re at the command line you’ll have a number of options. Because LiveAndroid 0.2 supports DHCP there’s usually no need for configuration of the network stack, although I did have to configure it manually in VirtualBox. To do so I started with ifconfig, which works similarly in Mac OS X.
ifconfig eth0 192.168.210.30 netmask 255.255.255.0
Then I setup a gateway with the route command:
route add default gw 192.168.210.1 dev eth0
You can also use setprop to define your DNS servers. For example, to set 18.104.22.168 as a DNS server you would use the following:
setprop net.eth0.dns1 22.214.171.124
I also use a proxy so I had to configure that in order to be browsing the old interweb. After a bit of noodling around I realized that Android stores a number of settings in a sqlite database stored in /data/data/com.android.providers.settings/databases/settings.db. If you remember, I did an article on using sqlite3 with Address Book on Mac OS X awhile back – this is all very similar to that, as sqlite doesn’t really change much (if any) from platform to platform. To open the database in sqlite3, use the following command:
Then type .tables and you should see one called system. We’re going to insert the proxy data into it, in this case inserting proxy.krypted.com:8080 using the command:
insert into system values(99,'http_proxy','proxy.krypted.com:8080');
At this point I’m off to the races with the web browser. Next I have a couple of applications friends have developed that I’d like to install. From the command line this is pretty easy. They put them up on their websites and then I go to /system/app using the following command:
Next, I use wget to pull down the app (which is in the form of an apk file), assuming that the name of the server is my.server.org and the name of the app is myapp.apk:
Once I’ve downloaded the app I’m going to go ahead and create a shortcut key just for that application by adding a line to /etc/bookmarks.xml that reads as follows (which would use the z key to open the app):
Next, I’m going to flip through all of the tables looking for any other settings back in the settings.db that I’d like to change. To look at the options for each table use ‘select * from’ followed by the table name. So if I wanted to look at the SYSTEM table I could use the following command from within the sqlite3 interactive mode for settings.db:
select * from SYSTEM;
You can then find a value and edit it as we did earlier but with update instead of insert.
Many of the common commands and tasks that you might be used to are exposed in Android. For example, you can edit the /etc/hosts file to force address resolution. Also, while I’m testing my friends’ applications I’m also monitoring statistics within my Android instance. This is fairly straightforward in some cases as I can simply cat many of the files located in the /proc directory, such as cpuinfo and loadavg.
Looking at these files through VMware while launching an application exposes some of the underlying security framework. Much like the iPhone, processing for a given application is halted when another application is launched. In Android though, each application is written in Java and each runs both as its own Java virtual machine and with its own UID. This isn’t to say that Android applications are sandboxed from one another as on the iPhone when the Activity (screen) is not in the foreground. Instead, there is a framework for background processing with a service. Many of the built-in aspects of Android can run as services, although none of the third party applications I was looking at leveraged this component of the Binder (borrowed from BeOS). Any information shared between different applications works via a Content Provider service. If you look at the path for the sqlite3 database, it’s using providers in the path. This isn’t meant to reference cell phone providers but instead the internal content providers.
Each application can be considered a risk to install. Therefore, each application has a corresponding AndroidManifest.xml file which provides the rules that the application has to follow, its permissions and a listing of all of the components of the application (binaries, libraries, scripts, etc). Each application can therefore have a component of itself exposed to other applications (typically used, for example, if you have a chain of applications with permissions between them), with an additional permission for an application that publicly makes its data available to others. I could see uses for something like this with photo sharing applications, but overall it leaves exposure for the manifest to open communications between applications if compromised. I have not been able to thoroughly test whether input validation is available here, but it’s theoretically possible for an application to either obtain elevated privileges from another or to influence the data in another. Granularity of these permissions is possible but must be configured by the developer. I was able to use one of the applications I was testing to access the contacts on the machine, a bit of a concern, but common. Overall, it’s hard to conceive of installing any application without a prior thorough review of the manifest if I were working on a production device.
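The manifest review described above can be partly automated. Here is an added example (not from the original post, nor from the Android project) that parses an AndroidManifest.xml, applies the exported-by-default rules of that era (providers exported unless told otherwise, other components exported when they carry an intent-filter), and reports components reachable by other apps without any permission gate, plus any sensitive permissions requested. The sample manifest, package name and component names are constructed; the SENSITIVE set is an assumed reviewer's list, though the permission strings in it are real Android permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical app; not from any real package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <permission android:name="com.example.myapp.USE_SYNC"
              android:protectionLevel="signature"/>
  <application android:label="MyApp">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.myapp.USE_SYNC"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.myapp.notes"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Assumption: the reviewer's own list of permissions worth a second look.
SENSITIVE = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO"}

COMPONENTS = ("activity", "service", "receiver", "provider")


def attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(el):
    """An explicit android:exported wins; otherwise providers are exported and
    the other component types are exported only when they declare an intent-filter."""
    explicit = attr(el, "exported")
    if explicit is not None:
        return explicit == "true"
    if el.tag == "provider":
        return True
    return el.find("intent-filter") is not None


def guarded(el):
    """True when access to the component is gated by some permission attribute."""
    return any(attr(el, n) for n in ("permission", "readPermission", "writePermission"))


def review_manifest(xml_text):
    """Return the package name, requested sensitive permissions, and every
    component that other apps can reach without holding a permission."""
    root = ET.fromstring(xml_text)
    report = {"package": root.get("package"),
              "sensitive_permissions": [], "unguarded_exports": []}
    for up in root.findall("uses-permission"):
        if attr(up, "name") in SENSITIVE:
            report["sensitive_permissions"].append(attr(up, "name"))
    for el in root.find("application"):
        if el.tag in COMPONENTS and is_exported(el) and not guarded(el):
            report["unguarded_exports"].append((el.tag, attr(el, "name")))
    return report


if __name__ == "__main__":
    r = review_manifest(SAMPLE_MANIFEST)
    print(f"{r['package']}: sensitive={r['sensitive_permissions']}")
    for kind, name in r["unguarded_exports"]:
        print(f"  exported without permission: {kind} {name}")
```

A launcher activity will always show up as exported, so the list is a starting point for review rather than a verdict; the unguarded provider is the kind of finding that matters.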
Android is just a trimmed down Linux. I would expect a Chrome OS to be very similar. I don’t even expect it to have much more or much less (although I would assume it will run Gears and all of the dependencies of Gears). If you replace the Dialer application in Android with Google Voice and add support for an LDAP client then you would have much of what I might expect out of a NetBook OS. If Android is to be tailored to be a NetBook OS I’d like to see Full Disk Encryption for Android as well, even if most data is stored in the cloud. But then, I’d like to see that for all devices… If Android does offer a snapshot into what Google Chrome will look like then it seems like applications written in Java, whether for BlackBerry, Palm Pre or Android, would likely fairly easily be ported into the platform and therefore be a sandbox worth pursuing, assuming that is the case; because while people seem to love the idea of the cloud, at the end of the day they seem to also be hooked on their fat clients.
krypted July 28th, 2009