Here Georgia and Rachel discuss downloaded malware and how to avoid falling victim. It wouldn’t be GRM n00bs without some foolery. We’ve got lapdances, internal threats with broomsticks, and a lot of books from Syngress.

grmn00bs.py

MD5 sum: a3e75154e163037c63ff0ffae4d923e9

Then I got a bit distracted from the storyline and went off on a side quest to learn a new scripting language with one of my partners in crime. The loot I was after was the extended capability to write security tools, resulting in a dramatic increase in career opportunities. Daring to risk forgoing “planning the planning” on the grounds that this was such a small project, we were such a small team, and all the other excuses in the software engineering failure case studies, I dove right into drafting out a needs list. I got really into it for a while, going off on random tangents, secure in the fact that I could clean it up into the correct format before sharing it. The fact that said needs list was not due sometime early last week no doubt aided the creative process in this case.

What I ended up with had a little note in the margin of the fifth page, “If I had turned this in for software engineering class, I would have been expelled.” It’s true what I came up with was no needs list. Aside from flying in the faces of prescriptive grammarians and often bordering on incoherence, many of the notes shouldn’t have been addressed until the features list or even detailed design. There was even a small block of pseudo code mixed in with the idea for this article. Additionally there were details I wanted to remember to look up about the language and possible security issues that needed to be addressed.

I will admit at some point I may have played it up a bit. I got the idea into my head that after I became the world’s greatest information security professional I could publish my random software notes in the style of the Journals of Kurt Cobain. All the n00bs will buy it, and art house geek will finally become chic. Regardless, I felt like I had gotten more vision for a software project in one hour of free association than I had from any of those long team meetings back in graduate school trying to churn out an acceptable risk list by 1am yesterday.

What exactly am I suggesting here? That we expend valuable company resources sending the software team out to the woods with a pen and paper to take acid every time a new project begins? Even the most dedicated software engineers might protest having yet another phase added to the software engineering life cycle. I had to do a project in graduate school breaking down the steps of software development in every methodology from rapid prototyping to waterfall. I know what I’m complaining about. Or maybe I’m yet another two-guys-in-a-basement type who thinks we should just chuck the whole software engineering methodology and turn the whole business into some sort of improvised performance art. I’m not really advocating any of that. Rather I’m suggesting that taking some time to think about the problem with no goal in mind other than seeing where your thoughts take you might be worth its weight in time spent watching Youtube at work.

Take my advice or don’t. I don’t care. I’m not a software engineer. I’m an information security professional. I’m in business because software engineers don’t write down ideas for potential security vulnerabilities.

Georgia Regina Mundi

Specs-wise, the Nexus One looks to be the clear winner for the next littlest hack station. The Nexus One sports a 1 GHz Qualcomm processor with 512mb of RAM. I don’t know about you, but I still have servers with those sorts of specs running my day-to-day functions. The Android G1, which has done a fine job as littlest hack station, has a 528 MHz processor with 192mb of RAM. The thing I don’t like about the iPhone is the technical specifications page. They give me information about fingerprint-resistant, oleophobic (Microsoft Word doesn’t even think that is a word) stuff, but not a word about the processor speed or RAM. Other websites high on the Google hits quoted 600 MHz processor with 512 MB RAM for the current model 3GS. This only matters in the short term though. Smartphones are the new computers (way more than orange is the new pink), and everybody knows when you buy the cutting edge computer it becomes obsolete on the drive home from the store. A year from now, there will be a new iPhone and, if it makes it, a Nexus One Point One.

While there have been things worth jailbreaking that have not been jailbroken (the GPU of the PS3 comes to mind), odds are good that if people with the know-how are interested in jailbreaking the Nexus one, they will. The iPhone was first announced in January 2007, and by August 2007 the first, albeit complicated, unlock had been completed with the first jailbreaking application for 3GS appearing less than two months after the phone was announced. As for Android phones, a fix for a flaw that allowed users to run instructions as root in the Android operating system on the G1 was released in November of 2008, while the G1 was first released towards the end of October 2008. Work on hacking the G1 has continued with rooting applications, downgraders, custom firmware, full Debian installs, and other cool stuff. However, there seems to have been little interest in the community in working on later Android models.

The problem with keeping the secrets of these Smartphone operating systems hidden from curious hackers forever is they are Unix based, or in the case of iPhone OS, Mac OS based which is in turn Unix based, and hackers built Unix. While manufacturers may not be down with hackers using the full capacity of their devices, it’s just a fact of life. With enough community interest and talented minds, it seems inevitable that the full power of the Nexus One will be available to us in the near future.

With more hype behind Android, it is likely there will be at least some converts from the kingdom of iPhone to the Republic of Android. One thing the Android Market has going for it is freedom for developers. There has been much woe from all sides pertaining to Apple’s requirement that all apps including updated versions of existing apps go through the lengthy approval process. While it is a deft argument that this process actually helps to protect users from security breaches by reviewing apps for potential malware, iPhone could also be dubbed a security killer. What happens when a popular application is found to have a major security flaw in the code? The developers cooperate with researchers and fix the problem, but then the updated version sits in the approval queue while malicious attackers exploit the vulnerability. Many developers including, some security conscious types, will no doubt see the appeal of Android’s open market resulting in more apps for Nexus One.

There’s no doubt that the Android G1 is an enjoyable little hack station. “Is she texting, or is she reading all your web traffic?” is a worthwhile question if you are connected to a public access point. More information on becoming Starbucks Wi-Fi is here. (Disclaimer: Only with permission, never for evil, proof of concept, etc. etc. etc.) With additional interest and hours from the community to integrate the hardware with available tools, the sky is the limit. So, is the Nexus One an “iPhone killer?” Probably not. However, it is in a good position to have a solid foothold in the smartphone market and be a fun tool for hackers.

So why does Backtrack rock in general? It’s basically most of the tools you will need for your pentest all rolled into one and set up nicely. I say most because it doesn’t have your commercial tools such as Nessus built in for obvious reasons, though it is possible to integrate your licensed Nessus into your Backtrack install. Ever been setting up Dradis for your first big pentesting gig at a new company on a recently imaged box? You’ve got your ruby prerequisites (rubydev, opensslruby, etc.), various gardening tools, SQLite, diamonds, garnets, and opals. At some point in the process of getting it all integrated, even your technically savvy individual may find himself ruing the day he decided it was a good idea to wait until the night before to build the pentest box. In Backtrack it goes like this:
root@bt4: cd /pentest/misc/dradis/server
root@bt4: ruby ./script/server
Done.

So why upgrade to Backtrack 4? First off, there’s the obvious perk of having the newest versions of all your favorite tools and some you’ve had on your list to check out for a while now. It also includes some new tools that have been developed in the interim since Backtrack 3 came out way back in summer of 2008, saving you the trouble of those pesky installs and svn checkouts. A great new tool that’s making its Backtrack debut on the final release of Backtrack 4 is re1ik’s social engineering toolkit (SET). Additionally, Backtrack 4 is Ubuntu based rather than Slackware based. While Backtrack 3 was great, your Ubuntu-based system has its perks as far as driver integration goes. As more and more people move from just the Live-CD Backtrack approach to using Backtrack as the base operating system on their pentesting boxes, this can only be a step in the right direction. Speaking of installation, Backtrack 4 final has an installation script that looks a lot like the GUI-based point-and-click installation wizards seen in system such as Ubuntu, resulting in a more hands-off approach than persistent changes in Backtrack 3.

The only drawback with Backtrack 4 as is that I can think of would be trying to write up your reports in Backtrack. Let’s not get into any holy war between writing in vi or nano, and just suffice to say it’s not easy. Backtrack 4 does come with Emacs, and some included tools such as Maltego make some pretty graphs. Plus, you can install OpenOffice on Backtrack, so it’s not that big of a drawback after all.
All in all, Backtrack 4 is the bomb, and if you haven’t jumped on the bandwagon, my advice is to get to it.

Georgia

The rationale for this decision includes allowing more teams and smaller teams with smaller budgets to compete and saving money for everyone involved. I am all for saving JMU money so they can budget more for my filet mignon, though filet mignon is part of the JMU Cyber Defense Team tradition in Lancaster, PA at qualifier while we are all a little too nervous to enjoy it properly. In the spirit of all fairness, I believe everyone, read everyone, should have a chance to compete in Cyber Defense. I’m not even precluding non-security-type majors. Cyber Defense can be a good way to know if you want to do this for your whole life. I suppose by nature you have to be in college to compete, but I’m looking forward to competition going international with a top showing from the Uganda Christian University where beneficiaries of Hackers for Charity will be further honing their skills. The press release also notes that this system has been used by other regions such as the Midwest. “Why does it matter what the Midwest is doing?” I ask flippantly before realizing that the winner of past two national competitions Baker College hails from the Midwest region. Fair enough. They are no doubt doing something right out there, but I seriously doubt having an offsite qualifier without a Red Team has much to do with it.

As previously stated I think everyone on the face of the planet should have a chance to participate in the Collegiate Cyber Defense Competition; however, I suppose I don’t see competing in this setup quite the same thing as actually competing. You can never be ready for regionals. Every year White Wolf has managed to throw some righteous challenges our way. Even as a Red Team member it will be an opportunity to get some experience with cutting edge technologies that are coming to the forefront of information security. Having been through the Collegiate Cyber Defense Competition and even having taken gold at the qualifier, I still knew I was in for trouble that no amount of preparation could absolve the moment I saw the final team packet the morning of the regional competition. I remember Tim Rosenberg of White Wolf Security commented, “Think you have enough USBs?” upon seeing ten around my neck. The answer: “no, not even close.” It’s just a given that the real winner is always the Red Team. The most a Blue Team can hope for is not to cry and vomit, learn more than you will learn in any classroom, and maybe, just maybe, knock out and keep out a few Red Team exploits along the way. My question is how can teams that have never done this before ever hope to have a good experience at Cyber Defense regionals? Without getting their feet wet in the one day qualifier where the Red Team is in before it even begins, how will they know how to hit the ground running and come home from regionals proud? I once heard it from a friend who did Cyber Defense before there was a qualifier that, “one team decided to walk out in the middle of the competition.” In my personal opinion a team that goes through only the form of qualifying round suggested above will not get the most out their experience.

Cyber Defense has already tried to make it extra difficult with no internet, purposefully bogged down network, etc. (Pronounced etcetera for the win). I just think maybe the newly instated rules for the qualifier might be taking it to a whole new extreme. An additional information release stated that again machines will have no access to the internet, and no tools may be uploaded to the systems. Though not specifically stated, this probably means no patches as well, especially considering past waltzes around the legality of patches. But let’s face it, why not just run “Core Impact and other penetration testing tools,” against the systems and do your best to fix what it finds in the time allotted, that is if your school is rich enough to have a Core Impact license. I’m sure we all know how much that costs, which kind of goes full circle back to the idea that this setup will allow programs with smaller budgets to compete. Compete, sure, but at a disadvantage to say the least.

One might could say that the bulk of my argument is stemmed from the fact that I want yet another excuse to see how my old team is doing these days, hang with all the famous people I’ve met through Cyber Defense, and hack some stuff. While all that would be grand, and you’d better believe Scott plus Georgia equals social engineering trouble, my real concern is that some students won’t get the opportunity to be coerced into crying and vomiting by the Red Team. The Red Team is what makes this article so tragically unfinished. The Red Team is what makes Cyber Defense, Cyber Defense. Here’s a joke: a Blue Team captain just recently 21 walks into a hotel bar. Not long after that a small group of Red Team and White Team members also enter the bar. Later that year she’s at arguably the biggest hacker show of the year and walking through the press room she hears, “Hey, I know you!” from a very important table. A small crowd of people around her all looks on in disbelief, “Who are you and what have you done that’s so awesome that famous person knows you?” The punch line is she’s arguably 22 by morning, but that’s another story with a video evidence to prove it.

What’s really getting me down here is that a whole set of teams are not going to get to meet real live hackers with spouses and children and sometimes stable jobs and even mortgages. I suppose it’s in that instant that a computer hacker ceases to be this esoteric Zarathustra on the mountaintop, the geeky equivalent to Don Mafioso, and turns into exactly what I’ve wanted to be my whole life. It’s kind of like some really important type telling you, you really can be a rock star except instead of saving rock and roll you are going to save, well, everything.

Georgia

Micheal

Shownotes:

hak5 is one of the original security shows. Rob has been featured on several segments.
Twit Netcast Network with Leo Laporte is another show that’s been around for a while.
Security Tube is the Youtube of security videos. This is where I’m at when I should be working. You might even find some GRM n00bs stuff rattling around there.
The Academy Pro is another excellent place to go for security training.
milw0rm has lots of exploits. It’s a good place to check out some old papers to brush up on security history.
NewOrder is another resource to get abreast of lessons learned in the past.
Jasager is the “Yes Man” Rob talks about in the show.
Chris Gates’s book list has some good ideas for security reading.
Syngress is a publisher of security texts. They have all my money.
Donate to Johnny Long.

Whoa what a new podcast? I thought you guys had retired into the abyss! No, we are still here. Look out for an avalanche of GRMyness in the new year such as podcasts with the sound fixed, more basic tutorials, and maybe even some videos.

Georgia “Not Watching Final Fantasy Trailers at Work” Nabaat