Tuesday, April 23, 2013

Being a good internet citizen

A large percentage of breaches are discovered by having a third party mention to you that you're insecure. I would estimate it to be well over 50%.
Because of that, when I come across things that are vulnerable I typically try to let the company know so they can fix it. Most of these are simple things that are indexed by google that were not meant to be public (see this post on google hacking).

I sometimes get responses, but typically do not. The most common response is a simple thank you email. I've had less nice responses as well, such as people angrily demanding to know what my intentions were. No good deed goes unpunished.


Recently I sent an email to a company to let them know they had a misconfiguration that makes every file on their box viewable (with the permissions of the httpd user) by the entire world. Looked kind of like this:



Plus, everything on their box had been indexed by google. Imagine your backups and config files being freely down-loadable and searchable on google!


Even worse, there wasn't just one domain hosted on this vulnerable box...a reverse lookup of the IP showed that the server was hosting 576 domains!


So I sent them a simple email:

Attention Information Security,
I saw this site on google, and happened to notice that you appear to have a sym link in your document root that points back to / allowing access to your entire system through the webserver.
For example, your passwd file SHOULD NOT be publicly viewable.
http://XXXXXXXXX.com/x.txt/etc/passwd

Please let me know if you have any questions.
Thank you,

I received a response from them, which included this:
It's worth noting that /etc/passwd does not contain any sensitive information, and that although we do not widely publish our configuration, we do not generally consider it to be sensitive as it is relatively trivial to reverse-engineer by experimentation and observation. We conduct regular reviews of our platform's security and take extensive measures to ensure that our servers stay secure.

Huh. Okay.


Note: Names have been redacted to protect the ignorant.

Friday, April 19, 2013

All, I noticed a tweet by HD Moore today giving a shout out to this post written last week by Ed Skoudis. Very good read. Here's a link and an excerpt:

http://pen-testing.sans.org/blog/pen-testing/2013/04/08/when-offense-and-defense-become-one

"at sufficiently advanced technical levels, offense and defense sometimes merge and become one. Offensive techniques can be used to achieve defensive ends; defensive means can be used to achieve offensive ends; and, sometimes, the inherent technical skills of offense and defense are actually identical."


"Consider these examples:
  • Endpoint security suites: Have you ever pondered what these tools really are? With their integrated anti-virus, personal firewall, and host-based Intrusion Prevention Systems, they operate at a fairly low-level of most operating systems, hooking all kinds of system calls so that administrators can maintain control of the machine. Wait... that's a rootkit! The only difference between an endpoint security suite and most rootkits is the level of functionality and who controls it: good guy administrators or bad guys. So, we've got a multi-billion dollar segment of the infosec industry that is actually built on selling commercial rootkits, also known as endpoint security suites."
Ed Skoudis is a very dynamic teacher there at SANS, and I recommend his courses to everyone.