hacking

Defcon 18

My first Defcon, Defcon 18, was a success. I mostly hung out with some SoldierX peeps and with StankDawg from BinRev. Livinded and I got into Vegas on Wednesday evening. Bringing all the equipment in from his car was a major task. He and a few of his friends ran oCTF. They did a good job and everyone involved enjoyed the game. I met up with Blake and StankDawg on Thursday and we all chilled and had a good time. Continue reading to find out all that happened.

BinRev Radio Remix Episode 1

For a while now I've had a few projects at an online security community called Binary Revolution (BinRev for short). I had the opportunity to cohost a radio show called BinRev Radio Remix. It was a lot of fun and I'm looking forward to next month's show, live at Defcon. Feedback for this episode can be sent to lattera@0xfeedface.org.

Show Notes:

  • Introductions
  • Show Overview
  • Scheduling/next show information
  • News
    • Google Wardriving
    • Hackers Wanted Documentary Leak
    • A new type of phishing attack
    • Froyo and Google TV
  • Interview with PurpleJesus
    • How he got into and out of phreaking
    • Current research
  • Interview with Livinded
    • Preparing for the administration of oCTF
  • Goodbyes and reminders

Proper Role of Intrusion Detection

Medium- and large-size businesses everywhere are the targets of countless hacking attempts. Attacks come from people motivated by curiosity, by chaos, and by money. As a security analyst for a successful company which earns millions of dollars in profit, it is my job to ensure the security and integrity of the network. The company retains sensitive data for long periods of time, so preventative measures and proper response measures play a vital role in every aspect of the company.

We recently had a surprise penetration test. No one in the company (not even me) except the president knew about it. The test was twofold: to find potential vulnerabilities in our web-based product and to see how the security team (mainly just me) handles a hack attempt. The penetration tester started out with Nikto, generating thousands upon thousands of 404 errors. We first caught wind of the test because of how loud Nikto is, and we quickly firewalled that IP. The attacker then switched to a proxy and continued. He was able to find valid login credentials after a few brute force attempts. That is when we learned something really important: our intrusion detection methods weren't up to par.

We rely on error emails (404 and 500/503) to tell us when an intrusion occurs. After monitoring those emails for a while, we know only a handful of things: the IP, the date/time of the attack, and what types of attacks were used. We don't know whether the attacker was successful. After a few hours of research, I was able to establish that the attacker had successfully logged in. It really should not have taken hours just to find out whether he logged in.

It was on that day that I fully realized just how important detection is as a method of protection. Instead of looking at data for hours and guessing potential outcomes, proper detection and logging allows the security team to make accurate, timely decisions. Even now, a few days later, I don't know what the attacker accomplished. Without an audit trail, there's no way for me to tell what happened or how. Intelligent detection should be a part of every company's security plan. Without it, time is wasted and the chance of being fully compromised is much greater.

So, to sum up, make detection a part of your security plan. Detection lets your IT department know what's going on and what actions to take in an efficient, affordable manner. If intrusion detection and logging are not part of your security strategy, you'll end up doing what I did: spending hours just trying to figure out whether the attacker successfully logged in.
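Here is an added example (not code from the original post) of the two checks the story above calls for: flagging the Nikto-style 404 burst from the access log, and, more importantly, answering "did he actually log in?" from an application audit trail that records every login attempt and its outcome. The log formats and all sample lines are constructed for this example.

```python
from collections import defaultdict

# Constructed sample access log (assumed format: ip timestamp method path status).
ACCESS_LOG = """\
203.0.113.10 2010-07-03T14:01:02 GET /cgi-bin/test-cgi 404
203.0.113.10 2010-07-03T14:01:02 GET /admin/ 404
203.0.113.10 2010-07-03T14:01:03 GET /phpinfo.php 404
203.0.113.10 2010-07-03T14:01:03 GET /backup.tar.gz 404
198.51.100.7 2010-07-03T14:02:10 GET /index.html 200
"""

# Constructed sample application audit log (assumed format: date time ip user outcome).
# This is the record the post says was missing: each login attempt and whether it worked.
AUDIT_LOG = """\
2010-07-03 14:20:01 198.51.100.44 admin FAIL
2010-07-03 14:20:03 198.51.100.44 admin FAIL
2010-07-03 14:20:05 198.51.100.44 admin FAIL
2010-07-03 14:20:08 198.51.100.44 admin SUCCESS
2010-07-03 14:25:00 192.0.2.9 alice SUCCESS
"""


def scanner_hits(access_log, threshold=3):
    """Return {ip: count} for IPs whose 404 count reaches the threshold (scanner noise)."""
    counts = defaultdict(int)
    for line in access_log.splitlines():
        ip, _ts, _method, _path, status = line.split()
        if status == "404":
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def brute_force_logins(audit_log, fail_threshold=3):
    """Return [(ip, user, failures, success_ts)] for each run of failed logins from one IP
    against one account that ended in a success: the audit-trail answer to 'did he get in?'."""
    failures = defaultdict(int)  # (ip, user) -> consecutive failures so far
    hits = []
    for line in audit_log.splitlines():
        date, time, ip, user, outcome = line.split()
        key = (ip, user)
        if outcome == "FAIL":
            failures[key] += 1
        elif outcome == "SUCCESS":
            if failures[key] >= fail_threshold:
                hits.append((ip, user, failures[key], f"{date}T{time}"))
            failures[key] = 0  # a success resets the run for this IP/account pair
    return hits
```

With an audit log like this, the question that took hours in the post is answered by one pass over the file, and the same records give the timeline needed to work out what the account did afterwards.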
