OSSTMM Links and Information

I’ve been discussing the Institute for Security and Open Methodologies (http://www.isecom.org/) with my students and clients, with quite a bit of interest. Here’s a short list of links for further information.

The Open Source Security Testing Methodology Manual – http://www.isecom.org/osstmm/
This is the essential methodology handbook for ISECOM security practitioners, or from the horse’s mouth: “The OSSTMM is a formal methodology for breaking any security and attacking anything the most thorough way possible.”

An Introduction to OSSTMM Version 3, by Michael Menefee – https://www.infosecisland.com/blogview/7797-An-Introduction-to-OSSTMM-Version-3.html
Menefee, who based his security consultancy around the OSSTMM, gives us the short list of Key Concepts.

Implementing OSSTMM Strategies Creates Value, also by Michael Menefee – https://www.infosecisland.com/blogview/8340-Implementing-OSSTMM-Strategies-Creates-Value.html
Menefee’s interview with Christoph Baumgartner, CEO of OneConsult, a security firm using the OSSTMM: “Relying on the OSSTMM has been one of the most important strategic decisions of my professional life – and I have never regretted it.”

Healthcare Risk Assessment Essentials, by Jack Daniel – https://www.infosecisland.com/blogview/6937-Healthcare-Risk-Assessment-Essentials.html
The four-step process of Discovery, Assessment, Recommendation and Review.

Risk assessment tips for smaller companies, by Dejan Kosutic – https://www.infosecisland.com/blogview/4499-Risk-assessment-tips-for-smaller-companies.html
An interesting summary of four basic steps in assessment.

An excellent in-depth collection of hacking and security resources, by David Parker of CyberSecurityEducation.org: http://www.cybersecurityeducation.org/resources/

Just how much your browser reveals about you

Vigilant security analyst Ronald Thomas of Albuquerque once again makes me stop in my tracks and go Hmm.

As part of a tip about a useful PC site (ComputerHope.com), he pointed out this page:

http://www.computerhope.com/cgi-bin/systeminfo.cgi

Just click on that link and stare in dismay at the long, long list of things your browser just gave away. Depending on your habits, some of them might not be things you’d prefer to reveal. I can hardly imagine a better way to perform a little espionage on a suspect spouse: look at that list of visited sites, for instance. Hmm, got a little Facebook account I didn’t know about?

Beyond that, my particular rendition of that page pointed out one add-on app that needed updating. An out-of-date plugin version is exactly what a real exploit site looks for: the page reads the browser's plugin list, matches the versions against the exploits it carries, and serves whichever one fits. If I were running such a site, every visitor would hand over that information, and the ones with the right weakness would leave infected with some nasty zombieware. Heck, I could set up dozens of exploits that get deployed contingent on the visitor's weaknesses. Sweet, huh?
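Here is what that kind of page actually does, as an added example that is not the ComputerHope page's code nor anyone's exploit kit: it gathers the attributes a browser exposes with no prompt at all, boils them down to a repeatable identifier, and picks out the plugins whose version is older than a table the site operator supplies. The `nav` and `scr` arguments stand in for `navigator` and `screen` (only the fields used here), and the sample visitor, its plugin list and the "current" version table are constructed for the demonstration, not statements about real releases.

```javascript
// Added example, not code from the ComputerHope page. It shows what a
// fingerprinting page collects, how it turns that into a repeatable id, and
// the out-of-date-plugin check an exploit site keys on. `nav` and `scr`
// stand in for the browser's `navigator` and `screen` (only the fields used);
// all sample values below are constructed.

// Attributes a page can read with no permission prompt at all.
function collectFingerprint(nav, scr, tzOffsetMinutes) {
  return {
    userAgent: nav.userAgent,
    platform: nav.platform,
    language: nav.language,
    cookieEnabled: nav.cookieEnabled,
    screen: `${scr.width}x${scr.height}x${scr.colorDepth}`,
    timezoneOffset: tzOffsetMinutes, // new Date().getTimezoneOffset() in a browser
    // navigator.plugins is array-like; some browsers expose .version, the rest
    // only bury the version in .description.
    plugins: Array.from(nav.plugins, (p) => ({
      name: p.name,
      version: p.version || versionFromDescription(p.description),
    })),
  };
}

// Pull the first dotted version number out of a free-text plugin description.
function versionFromDescription(desc) {
  const m = /(\d+(?:\.\d+)+)/.exec(desc || "");
  return m ? m[1] : "unknown";
}

// FNV-1a (32-bit) over the canonical JSON: the same browser yields the same id
// on every visit, which is what lets a site recognise you without a cookie.
function fingerprintId(fp) {
  const text = JSON.stringify(fp);
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Numeric comparison of dotted versions: <0 if a is older than b, 0 if equal, >0 if newer.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Plugins older than the version the operator treats as current. An exploit
// site branches on exactly this list to decide which payload to serve.
function outdatedPlugins(fp, current) {
  return fp.plugins
    .filter((p) => p.name in current && p.version !== "unknown"
                   && compareVersions(p.version, current[p.name]) < 0)
    .map((p) => `${p.name} ${p.version} (current: ${current[p.name]})`);
}

// Constructed sample visitor, in the shape of navigator/screen.
const SAMPLE_NAV = {
  userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:3.6.12) Gecko/20101026 Firefox/3.6.12",
  platform: "Win32",
  language: "en-US",
  cookieEnabled: true,
  plugins: [
    { name: "Shockwave Flash", description: "Shockwave Flash 10.0 r45", version: "" },
    { name: "Java Deployment Toolkit", description: "Java(TM) Deploy", version: "1.6.0.22" },
    { name: "QuickTime Plug-in", description: "Plays multimedia content", version: "" },
  ],
};
const SAMPLE_SCREEN = { width: 1280, height: 800, colorDepth: 24 };
// Hypothetical "current" versions for the check; not a claim about real releases.
const CURRENT_VERSIONS = { "Shockwave Flash": "10.1.102.64", "Java Deployment Toolkit": "1.6.0.22" };

const fp = collectFingerprint(SAMPLE_NAV, SAMPLE_SCREEN, 420);
console.log("fingerprint id:", fingerprintId(fp));
console.log("outdated:", outdatedPlugins(fp, CURRENT_VERSIONS));
```

The point of the hash is stability, not secrecy: nothing in the fingerprint is a secret, but the combination is distinctive enough to recognise a returning browser, and the plugin list is the part that tells an attacker which exploit to serve. Note that a plugin whose version cannot be parsed is simply skipped here; a real exploit site would fall back to probing it anyway.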

Just one more reason to Fear Your Browser.

Capture the Flag 2010: Hacking competition at NMTech

As the Albuquerque Journal put it, “Chance To Be The ‘Bad Guys’”

Neale Pickett, a cyber security hotshot from LANL’s Advanced Computing Solutions Program, has been running the Capture the Flag hacking competition at NM Tech for some seven years now. The format is a hacker’s dream: an isolated, legal environment to run wild; tempting targets; effective exploits; and a winner-take-all competitiveness.

Tech students form teams to compete in tasks: programming, forensics, breaking encryption, threat identification and exploitation. In other words, exactly what a real-life security analyst would do. What’s great is that students can do things that would be illegal in the outside world of the Internet:

“By letting the kids act in the role of the bad guys, we’re also giving them more of an idea about what sorts of attacks to expect, because, once you start, if you’re just operating on the defense, then it makes it really hard to anticipate what the offense might do.” –Neale Pickett in the Albuquerque Journal, Monday, Nov. 8, 2010

My students often ask me where they’re supposed to sharpen these kinds of skills. If I get enough interest (expressed to me via email) I’ll consider working up an environment and agenda for doing this. It won’t be a small task, so either I’ll need help, or it’ll cost a lot. But think about it: isn’t this exactly what every security specialist needs?

Let me know what you think.

Attack Vector: Wireless Session Hijacking

Using an open wireless network to access Facebook or MySpace or Twitter? Stop. Now.

My students will recognize wireless session hijacking (sidejacking) as one of the most significant attack vectors, though frankly almost no one in the corporate world of social networking has been much worried about it. Until now. Because hacker/security proponent Eric Butler has done them a favor by releasing a Firefox extension, Firesheep, that demonstrates the concept with horrifying clarity.

Security consultant Ronald Thomas sent me a link to one of the more user-friendly discussions of Butler’s motivations, and of Butler’s success in motivating an embarrassed Facebook to tighten up security, at http://www.smh.com.au/technology/security/how-anyone-can-pointandclick-to-hijack-your-online-accounts-20101101-179rg.htm, “How anyone can ‘point-and-click’ to hijack your online accounts.”

That ought to scare you.

From a security architecture side, the problem is that many social networking sites mix http: and https: pages in their applications. Logging in over https: protects your password, but the session cookie the site hands back is what identifies you from then on, and unless that cookie carries the Secure attribute the browser attaches it to every request to the domain, including the first http: page or image the site serves. On an open wireless network that request is readable by anyone nearby. Voila, they’ve got your session cookie, and presenting it makes them you until you log out. The solution is pure https: end-to-end once you’re logged in, with the session cookie marked Secure so the browser will never send it over http: at all.
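A model of the attack and of the fix, as an added example that is not Firesheep’s code and not any site’s: the site sets cookies after login, the browser decides which cookies ride on each request by the Secure rule, and a listener on the open Wi-Fi reads whatever went over plain http:. The two hosts, the cookie names and the cookie values are constructed for the demonstration.

```javascript
// Added example, not Firesheep's code and not any site's. It models the three
// parties in sidejacking: the site setting cookies, the browser deciding which
// cookies ride on each request, and a listener on an open Wi-Fi reading the
// plaintext ones. Hosts, cookie names and values are constructed.

// Parse one Set-Cookie header into a cookie record (only the attributes used here).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false };
  for (const a of attrs) {
    const key = a.split("=")[0].toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Cookie jar: host -> cookies the site set after login.
function buildJar(setCookieByHost) {
  const jar = {};
  for (const [host, headers] of Object.entries(setCookieByHost)) jar[host] = headers.map(parseSetCookie);
  return jar;
}

// The browser rule at the heart of the problem: a cookie marked Secure goes only
// over https:; any other cookie is attached to every request to that host, so a
// single http: page or image load is enough to put it on the wire in the clear.
function cookiesForRequest(jar, url) {
  const u = new URL(url);
  return (jar[u.host] || []).filter((c) => !c.secure || u.protocol === "https:");
}

// The request as it would appear on the wire (readable only if the scheme is http:).
function buildRequest(jar, url) {
  const u = new URL(url);
  const cookies = cookiesForRequest(jar, url);
  const lines = [`GET ${u.pathname} HTTP/1.1`, `Host: ${u.host}`];
  if (cookies.length) lines.push("Cookie: " + cookies.map((c) => `${c.name}=${c.value}`).join("; "));
  return { plaintext: u.protocol === "http:", text: lines.join("\r\n") + "\r\n\r\n" };
}

function headerValue(text, name) {
  const m = new RegExp(`^${name}: ([^\\r\\n]+)`, "m").exec(text);
  return m ? m[1] : null;
}

// The listener: https: traffic is opaque, http: requests are read in full, and
// from those it keeps the cookies it knows identify a session on that host.
function sidejack(requests, sessionCookieNames) {
  const stolen = [];
  for (const req of requests) {
    if (!req.plaintext) continue;
    const host = headerValue(req.text, "Host");
    const cookieLine = headerValue(req.text, "Cookie");
    if (!host || !cookieLine) continue;
    for (const pair of cookieLine.split("; ")) {
      const [name, value] = pair.split("=");
      if ((sessionCookieNames[host] || []).includes(name)) stolen.push({ host, name, value });
    }
  }
  return stolen;
}

// Two constructed sites. Both log the user in over https: and both serve one
// http: image afterward; they differ only in the Secure attribute.
const SET_COOKIES = {
  "weak.example":   ["sid=7c4a8d09ca3762af; Path=/; HttpOnly"],         // no Secure: the sidejackable case
  "strict.example": ["sid=2f1e3b7d0a9c4e5b; Path=/; Secure; HttpOnly"], // Secure: never sent over http:
};
const SESSION_COOKIE_NAMES = { "weak.example": ["sid"], "strict.example": ["sid"] };

function runScenario() {
  const jar = buildJar(SET_COOKIES);
  const requests = [
    buildRequest(jar, "https://weak.example/home"),
    buildRequest(jar, "http://weak.example/static/logo.png"),
    buildRequest(jar, "https://strict.example/home"),
    buildRequest(jar, "http://strict.example/static/logo.png"),
  ];
  return sidejack(requests, SESSION_COOKIE_NAMES);
}

console.log("sessions captured:", runScenario());
```

Only the weak.example session is captured, and only because of the http: image load; the login itself was over https: on both sites. HttpOnly is set on both cookies and makes no difference, since it controls script access, not what goes on the wire. With Secure on the session cookie and every page served over https: there is no plaintext request left to sniff, which is what “pure https: end-to-end” means in practice.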

From a corporate perspective, the problem is that https: uses TLS, Transport Layer Security, which costs processor cycles. Most of that cost is the public-key work in the handshake; the bulk encryption afterward is cheap, and session resumption avoids repeating the handshake on every connection, but it still makes their sites somewhat slower. The executive suite has recognized, we hope, that their sites will be *really* slow if nobody uses them because we know they’re not safe. In theory.

From Intel’s perspective, this is all great because it’ll sell more processors and encryption chipsets. Woo hoo.

It’s up to the Facebooks to pay coders and buy faster servers. It’s up to us, you and me, to make sure those who trust their security to us know about this issue. Sounds like one for the Hacker High School, doesn’t it?

I’d also consider it near mandatory for security researchers to download and try Firesheep at http://codebutler.github.com/firesheep/. I’ll bet very few audiences will need to see it demonstrated more than once.