Skip navigation

What Can We Learn From The @lulzsec senate.gov Hack Dump?

What can the @lulzsec senate.gov dump tell us about how the admins maintained their system/site?

[code light=”true”]SunOS a-ess-wwwi 5.10 Generic_139555-08 sun4u sparc SUNW,SPARC-Enterprise[/code]

means they haven’t kept up with OS patches. [-1 patch management]

[code light=”true”]celerra:/wwwdata 985G 609G 376G 62% /net/celerra/wwwdata[/code]

tells us they use EMC NAS kit for web content.

The ‘last‘ dump shows they were good about using normal logins and (probably) ‘sudo‘, and used ‘root‘ only on the console. [+1 privileged id usage]

They didn’t show the running apache version (just the config file…I guess I could have tried to profile that to figure out a range of version numbers). There’s decent likelihood that it was not at the latest patch version (based on not patching the OS) or major vendor version.

[code light=”true”]Alias /CFIDE /WEBAPPS/Apache/htdocs/CFIDE
Alias /coldfusion /WEBAPPS/Apache/htdocs/coldfusion
LoadModule jrun_module /WEBAPPS/coldfusionmx8/runtime/lib/wsconfig/1/mod_jrun22.so
JRunConfig Bootstrap 127.0.0.1:51800[/code]

Those and other entries says they are running Cold Fusion, an Adobe web application server/framework, on the same system. The “mx8” suggests an out of date, insecure version. [-1 layered product lifecycle management]

[code light=”true”] SSLEngine on
SSLCertificateFile /home/Apache/bin/senate.gov.crt
SSLCertificateKeyFile /home/Apache/bin/senate.gov.key
SSLCACertificateFile /home/Apache/bin/sslintermediate.crt[/code]

(along with the file system listing) suggests the @lulzsec folks have everything they need to host fake SSL web sites impersonating senate.gov.

Sadly,

[code light=”true”]LoadModule security_module modules/mod_security.so

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log    
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction &quot;deny,log,status:500&quot;

</IfModule>[/code]

shows they had a built-in WAF available, but either did not configure it well enough or did not view the logs from it. [-10 checkbox compliance vs security]

[code light=”true”]-rw-r–r– 1 cfmx 102 590654 Feb 3 2006 66_00064d.jpg[/code]

(many entries with ‘102’ instead of a group name) shows they did not do identity & access management configurations well. [-1 IDM]

The apache config file discloses pseudo-trusted IP addresses & hosts (and we can assume @lulzsec has the passwords as well).

As I tweeted in the wee hours of the morning, this was a failure on many levels since they did not:

  • Develop & use secure configuration of their servers & layered products + web applications
  • Patch their operating systems
  • Patch their layered products

They did have a WAF, but it wasn’t configured well and they did not look at the WAF logs or – again, most likely – any system logs. This may have been a case where those “white noise port scans” everyone ignores was probably the intelligence probe that helped bring this box down.

Is this a terrible breach of government security? No. It’s a public web server with public data. They may have gotten to a firewalled zone, but it’s pretty much a given that no sensitive systems were on that same segment. This is just an embarrassment with a bit of extra badness in that the miscreants have SSL certs. It does show just how important it is to make sure server admins maintain systems well (note, I did not say security admins) and that application teams keep current, too. It also shows that we should be looking at all that log content we collect.

This wasn’t the first @lulzsec hack and it will not be the last. They are providing a good reminder to organizations to take their external network presence seriously.

WEIS 2011 :: Session 2 :: Identity :: Negative Information Looms Longer Than Positive Information

Laura Brandimarte
Alessandro Acquisti
Joachin Vosgerau

Twitter transcript

#weis2011 How does information related to past events and retrieved today get discounted? Why does neg valence receive more weight?

#weis2011 how do we improve trustworthyness?

#weis2011 "designers of modern tech do not understand human fallibility and design systems w/o taking them into account" < true #weis2011 the reason why bad sticks better than good is that they way it gets discounted may be different. #weis2011 experiments were survey based & randomized. all were students < not sure that's random enough or broad enough selection #weis2011 (me) I hope they make the slides avail. ton of good info I just can't capture (and I don't have an e-copy) #weis2011 "good" information only matters if it's _recent_. "bad" information is not discounted at all. it "sticks" < huge e-implications

WEIS 2011 :: Session 2 :: Identity :: Economic Tussles in Federated Identity Management

Susan Landau
Tyler Moore

Presentation [PDF]

Tyler presented really well and it’s a great data set and problem to investigate. He & Susan shed a ton of light on an area most folks never think about. Well done.

Twitter transcript

#weis2011 this looks to be a "must read" resource for anyone embarking on a federated identity management (FIM) system.

#weis2011 Tussle #1: Who gets to collect transactional data? FIMs generate a TON of data. Diff FIMs benefit svc prvdrs, others id prvdrs

#weis2011 Facebook is a HUGE FIM, both id provider & service provider < and u thought it was just for congresscritters to show private parts #weis2011 FIM platforms that share social graph data attract more service providers < so much for privacy #weis2011 Tussle #2: who sets rules for authentication in FIMs? Time to market is primary concern. Users want "easy" < security loses #weis2011 Tussle #3: What happens when things go wrong? svc unavail == no login; unauth users can be incorrectly authenticated; lots of finger pointing

WEIS 2011 :: Session 2 :: Identity :: Social Networks, Personalized Advertising & Privacy Controls

Catherine Tucker

Presentation [PDF]

Catherine’s talk was really good. She handled questions well and is a very dynamic speaker. I’m looking forward to the paper.

Twitter transcript

#weis2011 Premise of the study was to see what impact privacy controls enablement/usage have on advertising. It's an empirical study #data!

#weis2011 click through rates DOUBLED for personalized ads after the fb privacy controls policy change

#weis2011 it's been a "slightly augment the slides with humor" for the remaining slides. Good data. View the slides & paper (when avail)

WEIS 2011 :: Session 2 :: Identity :: The Inconvenient Truth About Web Certificates

Nevena Vratonjic
Julien Freudiger
Vincent Bindschaedler
Jeane-Pierre Hubaux

Presentation [PDF]

Twitter transcript

#weis2011 Overview of basic ssl/tls/https concepts. Asking: how prevalent is https, what are problems with https?

#weis2011 Out of their large sample, only 1/3 (34.7%) have support for https, login is worse! only 22.6% < #data!

#weis2011 (me) just like Microsoft for patches/vulns, everyone uses Bank of America for https & identity examples. #sigh

#weis2011 More Certificates 101, but a good venn diagram explaining what authentication success looks like w/%ages. rly good visualization.

#weis2011 domain mismatch accounts for over 80% of certificate authentication failures. why? improper reuse. it has a simple solution (SNI)

#weis2011 the team did a very thorough analysis that puts data behind what most folks have probably assumed. #dataisspiffy

#weis2011 We've created a real mess for users with certs. EV certs help, but are expensive and not pervasive (***6%***!)

#weis2011 economics don't back good cert issuance practices; 0 liability on issuers; too many subcontractors; we trained users to click "OK"

#weis2011 great slide on CA success rates (hint: godaddy is #1) #sadtrombone

#weis2011 sample: 1 million web sites; less than 6% do SSL/TLS right. cheap certs == cheap "security"; policies need to change incentives

#weis2011 URL for the data is in the last slide. first question is challenging the approach for the analysis and went on for a while

WEIS 2011 :: Session 1 :: Attacks :: The Underground Economy of Fake Antivirus Software

Brett Stone-Gross
Ryan Abman
Richard A. Kemmerer
Christopher Kruegel
Douglas G Steigerwald

Presentation [PDF]

Twitter transcript

#weis2011 presenting analysis of *actual* data from 21 servers from 3 multi-million $ fake a/v ops!!! < #spiffy #weis2011 showing example of fake a/v exploit that was embedded in HTML. good walkthrough. useful slides for an orgs tech ed/brown bag sessn #weis2011 good/succinct survey of techniques blackhat seo, annoying popups, preying on user naivete. #weis2011 great graphic on the flow of the money trail in fake a/v. Brett & his colleagues paid attention to detail. #weis2011 talking about affiliate programs (think amazon associates but for bad guys) & webmoney (evil bitcoins). #weis2011 189K sales; $11mil in 3mos!! 8.4m installs. conversion rate 2.4% (wow). if it had not been stopped, fy net $ wld be 45mil! #weis2011 comparing campaigns & operations. the choice in malicious hosting provider is key. downtime reduces profits. #timeforMalCloud? #weis2011 fake a/v providers actually give refunds to help avoid bank fraud detection. Refund rates between 3-9%. #weis2011 now showing their economic statistical models (and plugging real data into them) and the back-end infrastructure that runs the biz #weis2011 (me) the bad guys have better metrics, better partnerships & rely on naivete of users. the good guys don't share anything w/anyone #weis2011 the threshold for payment processors to terminate a bad account is when bad transactions (chargbacks) hit 10%. virt no incentive

WEIS 2011 :: Session 1 :: Attacks :: Sex, Lies & Cyber-crime Survey

Presentation [PDF]

WEIS 2011 :: Session 1 :: Attacks :: Where Do All The Attacks Go?

Dinei Florncio
Cormac Herley

Presentation [PDF]

Twitter transcript

#weis2011 New threat model (that may scale). Rather than use individual users & attackers, use population of users, pop of attackers

#weis2011 assumption/proposition: attacker attacks when Expected{gain} > Expected{loss}

#weis2011 (me) more good math on the slides. using the populations, they made a probability model to predict detection/succumb/gain & cost

#weis2011 model has a core of "sum of efforts defense" (vs weakest link)

#weis2011 attacks are proven unprofitable if prob of success is too low or gain is too low < this may seem obv. but it's an intersting model #weis2011 (me) really good examples of practical example of model efficacy. mimics/validates 2011 DBIR results (does not mention DBIR) #weis2011 working though another example of using "dog's name" as password. (me) this could be a *rly* handy tool for threat modeling #weis2011 Security does not mean avoiding harm, and avoiding harm is less expensive than being secure. #weis2011 "Thinking like an attacker" does not end when an attack is found. Ask how you can use what you found to your advantage.