Part of the Sequoia Voting Systems Web site was defaced and subsequently taken down on Thursday, according to a report in InfoWorld. As CNET prepared this blog, the entire Sequoia Voting System site was frequently inaccessible.
The defacement and subsequent takedown occurred Thursday morning on the company's Ballot Blog page. Sequoia is one of a handful of electronic voting companies used in the United States. It has in recent days come under fire for apparent discrepancies in voter tallies in last month's New Jersey primary election.
The Ballot Blog page on SequoiaVote.com had contained information from Sequoia regarding the Super Tuesday New Jersey election, but as of Thursday afternoon the blog site was available only on and off.
Last week an independent group representing New Jersey county clerks asked Princeton University computer science professor Ed Felten to investigate the discrepancies in the New Jersey vote tallies. Felten and his team have examined Sequoia and other voting systems in the past. Most recently, Felten's team of graduate students helped the California Secretary of State Debra Bowen conduct a survey of her state's electronic voting systems. One of those graduate students, J. Alex Halderman, recently gave a talk at Shmoocon 4 suggesting that with improvements, electronic voting systems could work well in a future election.
Last Friday, Sequoia systems contacted Felten and threatened legal action if he or his students conducted an investigation of a working New Jersey voting machine. On Monday, Felten posted the e-mail on his blog. It reads:
Dear Professors Felten and Appel:
As you have likely read in the news media, certain New Jersey election officials have stated that they plan to send to you one or more Sequoia Advantage voting machines for analysis. I want to make you aware that if the County does so, it violates their established Sequoia licensing Agreement for use of the voting system. Sequoia has also retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property.
Very truly yours,
Edwin Smith
VP, Compliance/Quality/Certification
Sequoia Voting Systems
On the resurrected Ballot Blog site on Thursday, Sequoia Voting Systems announced that it had initiated its own external review of the New Jersey voting systems. The external review, the company said, would be conducted by independent parties including Kwaidan Consulting of Houston, Texas; an Election Assistance Commission (EAC)-accredited Voting System Test Lab (VSTL)--Wyle Laboratories of Huntsville, Ala., and possibly another VSTL; and an academic institution.
Public-information kiosks are supposed to allow users to find out more about a company or government agency, and that's all. But on Saturday afternoon, Shanit Gupta, a senior consultant at McAfee Foundstone, demonstrated several ways that he and others have been able to map the internal network on a system running XenApp, formerly Citrix Presentation Server.
On the demonstration screen at ShmooCon, an East Coast computer hacking conference, Gupta showed how the familiar toolbars and browser frame are missing on a system running XenApp. The idea is that on a kiosk the public can click on links only within the single page. But if a keyboard or a mouse is present, as is often the case, Gupta was able to open additional sites, exposing the internal network.
Starting with Ctrl-H, he was able to pull up the browser's history. If the history revealed no outside search engines like Google, one could also type Ctrl-O and then type in Google there. If all else fails, one could also hit Ctrl-N and open a new tab, which will show the usual address bar and toolbar for navigation.
Opening a Web site not on the public tour could allow an attacker to download and install NMAP and run a port scan of the internal network. If the browser supports JavaScript, one could also run a JavaScript port scanner.
Typing Ctrl-P calls up the printer; however, Gupta pointed out that you can also save to file there and, while doing so, see the internal network.
No keyboard, no problem. Gupta says simply right-click on any image and choose Save As ...
Gupta's demo concluded prematurely, hampered by an overall loss of Internet connection at the conference.
Citrix says on its site that when running XenApp, "built-in endpoint scans and policy controls take into account each user's role, device characteristics and network conditions to determine which applications and data they are authorized to access." However, Gupta said that the flaws were first called to his attention at a government agency. Using the standard Internet Explorer keyboard hot keys, Gupta and a partner were able to see inside the agency's network.
WASHINGTON--Two security researchers at ShmooCon demonstrated on Saturday how a laptop connected to a VoIP telephone could, in some cases, expose a business' internal network to outsiders.
John Kindervag, senior security architect for Vigilar, said that public waiting areas in hospitals, conference rooms, and hotel rooms are particularly vulnerable to this attack since often there is no IT staff around. Appearing on stage at the East Coast computer hacker conference with Kindervag was Jason Ostrom, manager of Vigilar's Vulnerability Assessment and Compliance Practice team, who used the ShmooCon conference to show off his latest version of VoIP Hopper, a tool he uses for penetration testing of companies that are running voice over IP phone systems.
Kindervag said that VoIP was gaining acceptance with large companies and organizations for many reasons: there are no toll calls over the Internet; there's less cabling involved; employees can move offices without having to rewire or change switching operations for their phones; and finally, voice mail notices can appear in one's Outlook inbox. "This is very popular among CIOs," Kindervag said.
But Ostrom's tool allows one to hook up a laptop computer to a public VoIP phone and connect to the company's or organization's internal network with full administrator access. VoIP Hopper can be used to intercept Cisco Discovery Protocol (CDP), which announces the device type and the SNMP agent address of neighboring devices, and automatically create a new Ethernet device. This could allow someone to map or otherwise do damage to a company's network from a public waiting area. The tool also allows one to physically remove the phone and have a laptop spoof the phone's MAC address, so the network is unaware that a laptop has replaced the expected phone.
To prevent such attacks, the researchers recommend turning off CDP. They also recommend disabling port 2 on any public VoIP phone, and including the public phone within a firewall.
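As an added illustration (not code from the researchers or from VoIP Hopper), the Python below decodes a CDP announcement the way a network administrator might when auditing a public-area port, showing the device type and address information that the recommendation to turn off CDP is meant to withhold. The function names are hypothetical, the frame is constructed rather than captured, and the field layout assumed is CDP's publicly documented TLV format.

```python
import struct

TLV_NAMES = {0x0001: "device_id", 0x0002: "addresses", 0x0006: "platform"}
CDP_MULTICAST = bytes.fromhex("01000ccccccc")
CDP_SNAP = bytes.fromhex("aaaa0300000c2000")  # LLC/SNAP header, Cisco OUI, CDP protocol ID

def parse_addresses(value):
    """Decode the Addresses TLV and return its IPv4 entries as dotted strings."""
    (count,) = struct.unpack_from("!I", value, 0)
    pos, out = 4, []
    for _ in range(count):
        ptype, plen = value[pos], value[pos + 1]
        proto, pos = value[pos + 2:pos + 2 + plen], pos + 2 + plen
        (alen,) = struct.unpack_from("!H", value, pos)
        addr, pos = value[pos + 2:pos + 2 + alen], pos + 2 + alen
        if ptype == 1 and proto == b"\xcc" and len(addr) == 4:  # NLPID 0xCC = IPv4
            out.append(".".join(str(b) for b in addr))
    return out

def parse_cdp(frame):
    """Return what a CDP announcement discloses, or None if the frame is not CDP."""
    if len(frame) < 26 or frame[:6] != CDP_MULTICAST or frame[14:22] != CDP_SNAP:
        return None
    info, pos = {"version": frame[22], "ttl": frame[23]}, 26  # checksum not verified
    while pos + 4 <= len(frame):
        tlv_type, tlv_len = struct.unpack_from("!HH", frame, pos)
        if tlv_len < 4 or pos + tlv_len > len(frame):
            break  # malformed or truncated TLV: stop rather than read past the end
        value, name = frame[pos + 4:pos + tlv_len], TLV_NAMES.get(tlv_type)
        if name == "addresses":
            try:
                info[name] = parse_addresses(value)
            except (struct.error, IndexError):
                info[name] = []  # address list shorter than its own count field
        elif name:
            info[name] = value.decode("ascii", "replace")
        pos += tlv_len
    return info

def tlv(t, value):
    return struct.pack("!HH", t, len(value) + 4) + value

def sample_frame():
    """Constructed frame for a made-up phone; not a real capture."""
    addr = struct.pack("!I", 1) + b"\x01\x01\xcc\x00\x04" + bytes([192, 0, 2, 10])
    payload = (CDP_SNAP + b"\x02\xb4\x00\x00"  # version 2, TTL 180, zero checksum
               + tlv(1, b"SEP-EXAMPLE") + tlv(2, addr) + tlv(6, b"Example IP Phone"))
    return CDP_MULTICAST + bytes(6) + struct.pack("!H", len(payload)) + payload
```

If `parse_cdp` returns anything other than `None` for traffic seen on a waiting-room or conference-room port, CDP is still being advertised there.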
WASHINGTON--Researchers Charlie Miller of Independent Security Evaluators, and Dino Dai Zovi, turned their attention to Second Life during a Saturday morning presentation at ShmooCon, an East Coast computer hacking conference. The researchers didn't exploit a flaw within Linden Labs' Second Life, but within QuickTime. They showed how an attacker could make money stealing from innocent Second Life victims.
Miller and Zovi are both experienced with flaws within Apple products. Miller published the first Apple iPhone flaw shortly after its release. At last year's CanSecWest security conference, Zovi exploited a QuickTime flaw to win a "PWN to Own" hack-a-Mac contest. While Second Life does not install QuickTime, it invites users to install the player if they want to see multimedia files within Second Life.
What Miller and Zovi realized is that while direct communication between an attacker and a victim within Second Life passes through the servers at Linden Labs, multimedia objects are actually stored somewhere else. Hence, an object with a multimedia link could inject malicious code. In this case, researchers exploited a recent flaw within RTSP tunneling.
For their demonstration, they created "the most evil pink box you will ever see." They could have linked their malicious code to attributes of an avatar's hair, clothes, or anything else. They also could have buried the pink box underground or otherwise hidden it, but both researchers admitted they weren't very good players within Second Life.
Within Second Life they used a property that they own to demonstrate the exploit. Linden Labs sent a representative at the conference and a robot to the virtual demonstration site. The robot held a sign saying Hello to ShmooCon attendees watching the live demo.
In the demo, the researchers were able to show that their avatar became infected when it came too near the pink box. The code they used raided the avatar's Linden dollars and emptied the bank account. On the Internet, an attacker can get one dollar for every 275 Linden dollars stolen, so there is a financial incentive to these attacks and other future attacks. The attack demonstrated today works only on the property they own, and for the safety of others they put up signs around the perimeter that clearly stated a demo of an exploit was in progress.
To protect yourself while in Second Life, the researchers suggested either turning off multimedia altogether, or setting the multimedia preference within Second Life not to play streaming video when available, but to ask the user first.
WASHINGTON--In a keynote address at this year's ShmooCon, an East Coast computer hacker conference, J. Alex Halderman said that electronic voting machines could be good for the electorate--with some modifications.
Halderman is a graduate student studying under Ed Felten, a professor of computer science at Princeton, who is best known for demonstrating that the electronic voting machines produced by Diebold and other companies are vulnerable to attack. Diebold has since changed the name of election equipment to Premier Election Solutions. Felten was to make the keynote address, but canceled at the last minute due to the flu. Halderman is no less qualified to speak to the convention of computer hackers; this past summer, Halderman and others from Felten's team assisted California Secretary of State Debra Bowen in her investigation of electronic voting machines.
At issue are direct-recording electronic (DRE) voting machines. Halderman points out that DREs are, basically, computers, susceptible to viruses, bugs, and crashes. What troubles Halderman and his team is that "a conspiracy of one could launch an attack on all the voting machines in a county or in a state." He said that while paper ballots could be rigged, paperless electronic ballots were even easier to exploit.
With the Diebold machines Halderman studied, he found that the company provided potential attackers with an upgrade process that was easy to manipulate. When a malicious file was given a specific file name, the Diebold DREs simply ran the code, allowing a devious programmer to inject malicious code into one or more voting machines. Since the same PCMCIA card can be used to load a specific ballot within a precinct, county, or state, one tainted card could easily spread the infection.
Halderman also found, when working on the voting machines used in California, that voting machines could also, with very little work, expose who voted for whom, violating voter secrecy.
Diebold has previously dismissed the claims by Felten, Halderman, and others. Another California e-voting system vendor, Sequoia, issued a press release faulting the secretary of state's study. Despite their objections, most states with electronic voting systems have now required the vendors to provide some kind of a paper audit.
Once the e-voting vendors improve their systems, Halderman said e-voting could ultimately be good. Voters like it. It provides faster reporting. It also offers more accessibility to disabled voters. With the addition of paper receipts, said Halderman, e-voting will also allow for better and less expensive vote auditing.
Currently, Halderman said, recounting votes in a disputed election is costly. Using machine-assisted auditing, however, taxpayers would save money and receive a much more accurate recount. One method Halderman showed at ShmooCon involved auditing only the winning candidate's vote to see if there was any evidence of electronic vote switching. As an example, he cited a recent election in Virginia where less than 1 percent of the vote decided the winner; by the current method, 1 million ballots would need to be recounted, but by his machine-assisted auditing method only 1,000 would be needed.