Project Goal:

Create custom firmware for cheap consumer router to give them honeypot/honeynet capabilities.

Sub projects:

Re-direction of “dropped” packets

• Status: Planning stage
• Details: At the first look it’s the easiest thing to do, but routing, VPN and TTL issues are not yet solved.

Low-interactive honeypot capabilities

• Status: Ready for testing. Nepenthes has been added to the OpenWRT firmware.
• Outstanding: honeyd support

Extend firmware to offer the same or more/better capabilities as the stock firmware

• Status: In progress
• Outstanding: Web interface, documentation

The project was stalled for a while due to time constraints (work & real life commitments) and the fact that OpenWRT, which is base for the project, has gone through a major re-design overhaul since last year. The new build system is much easier to modify and maintain.

Availability:

Pre-compiled binaries are available upon request. Build instructions are currently being documented.

Current project members:

• Michael Boman (project leader)
• Rick Zhong
• Meder Kydyraliev
• Anton Bolshakov
• Johan Johari

The origins of the Compliance module dates back to February 1995 when it was first demonstrated to the British Standards Institution (BSI) as a new automation tool to support the very first release of BS 7799:1995. The BSI immediately signed up as a Distributor and added their prestigious BSI company logo to the product – which remains a unique relationship to this day, more than 11 years later. The latest version of Proteus software has been completely redeveloped by Information Governance Limited and enhanced over the past 2 years and is now accessed using a web browser interface. I was concerned that an application that will contain confidential information was web enabled. Don’t get me wrong here, I clearly can understand the benefits of having the application web enabled - but just think about it for a minute: It will clearly point out your critical infrastructure, where it is located and how it is protected. If my goal was to bring your corporation to its knees, the data stored in the system would be worth its weight in gold. With that in mind I asked if there has been any independent 3rd party security review of the software and according to the vendor Proteus has been audited both by Vodafone UK and Novartis AG - and both purchased it afterwards.

All versions of Proteus come with the self-assessment questionnaire that helps you understand where your organisation lacks processes and/or policies to be ISO27001 compliant. This can save you a big money based on what a consultant would charge you just to ask you the questions. Now you can sit and fill in your current security stance in the comfort of you own office, and once done you can review the report and see where you are not in compliance with the ISO27001 standard. Of course, if you use the Enterprise (Server) licence, the system fully supports assignment and delegation of the questionnaire to the relevant subject matter experts across your organization. The system incorporates automated workflow management and ‘dashboard’ graphical disply of current status apart from a comprehensive set of pre-defined audit reports.

Furthermore, the integrated nature of Proteus enables all the Compliance Controls and associated documentation to be fully integrated with Asset Management, Incident Management, Risk Assessment and Business Impact Analysis as you move forward to the construction of a live Information Security Management System (ISMS).

Even if you don’t plan to get your organisation certified right now it is good to know where it stands so you know which areas needs to be improved upon. The process itself can be very enlightening as well, as you will be required to find out and document which systems are required for business continuity and their respective dependencies on both infrastructure and staff.

I don’t consider the software to be that expensive compared what it provides you with. The Solo version costs around USD$1100 at the time of writing, and for that you get a day or two (or perhaps even three, if you are really lucky - but that would be stretching it) with a consultant. Don’t get me wrong here, if you are going for the ISO27001 certification you will definitely need to hire an auditor to certify your business - but shouldn’t you do what you can first to get your organisation up to speed with the requirements before calling in the auditors or external consultants?

I have not seen any other offerings of similar software, so I can not comment if this particular offering is the best one on the market - but one thing is for sure: this kind of software will really simplify the certification process, and is in my opinion well worth the investment. The software is currently in English, but the Japanese, French and Spanish version of Proteus should be available for mid-September followed up by the Simplified Chinese, Traditional Chinese and Portuguese version of Proteus should be available for mid-October. Finally, the German, Italian and Korean versions of Proteus should be available by mid-January 2007. Apart from that, it runs on the most commonly available systems out there: Microsoft Windows 2000 and Linux and has very moderate system requirements: minimum system requirement is a Pentium III with 512 Mb of RAM, but of course the software will perform better with more resources available to it.

I thank Eric for taking the time to show me the functionality of the Proteus software. If you are a vendor or a reseller of similar software - or any other security related software for that matter - do feel free to contact me so I can take a look at your offerings as well.

There are several places on the net telling you to change the port SSHd is listening to, or install some firewall modifying scripts that denies access to the system after the fact. Both approaches works, but isn’t IMHO “clean”. Then I found pam_captcha, and it seems like my worries are over.

pam_captcha is a ascii-art captcha system (you know, sometimes on the web you need to enter some text that are written, very often deformed, in an image) that utilises figlet (a text to ascii-art program) to make sure there is a human at the keyboard while going for keyboard interactive password authentication.

A session can look like this:

One caveat with the system is that sometimes figlet doesn’t generate the most readable ascii-art captchas, but on the other hand you don’t want something that can be bypassed with a OCR software either. A limitation in the technique, so to speak.

The PAM module was easy to compile and install, but it has the path to figlet is hardcoded into the source code and it needs to be changed on most standard Linux installations. The documentation is sparse, but performs it’s intended use. I don’t have much to complain about when it comes to the functionality of the software.

Do yourself a favor and get this one installed to make sure that no 2-bit script kiddie can compromise your system due to some user choosing a poor password.

This is beta software, no official support will be given and they have only been tested so far as they compile cleanly. The RPMs are compiled for CentOS 4 (a gratis re-compile of RHEL 4), but the source RPMs are available if you want to compile them against a different distribution.

Just to note that Mr. Murphy was present at the conference, and the demo was totally fubar’ed. Next time I’ll go with a pre-recorded demo or just screenshots. And sorry about the sound quality, the audio was recorded on the same machine I had my slides / demo on.

As I understand it there was some lack of communication within the Wordpress team when Matt wrote the release advisory and was never informed about my contribution. I still hope that the Wordpress team does take my suggestion under consideration and implement processes and procedures to make sure this sort of thing does not happens again.

With this I put the Wordpress issue to rest. Thank you all so much for your support and feedback.

Wordpress 2.0.1 has an reflected Cross Site Scripting vulnerability in /wp-admin/options-general.php. You need to be logged in to use it. The exploit URL would be something like this:

http://host.domain.tld/wp-admin/options-general.php?page=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E

Due to the fact that it’s an reflected version and you have to be logged in to use it I don’t think it’s very suspectable for malicious usage. The fix is pretty simple as seen by the diff below:

$ svn diff wp-admin/admin.php Index: wp-admin/admin.php
===================================================================
— wp-admin/admin.php  (revision 3513)
+++ wp-admin/admin.php  (working copy) @@ -61,7 +61,7 @@
}  if (! file_exists(ABSPATH . “wp-content/plugins/$plugin_page”))
-                       die(sprintf(__(’Cannot load %s.’), $plugin_page));
+                       die(sprintf(__(’Cannot load %s.’), htmlentities($plugin_page)));
if (! isset($_GET[’noheader’])) require_once(ABSPATH . ‘/wp-admin/admin-header.php’);

I have notified the Wordpress security team about this bug, and hopefully we will see a public fix soon.

Take care.

UPDATE: Mark Jaquith and David House on the #wordpress IRC channel worked up an possible exploit scenario, which made me mark this post as private until a public fix for this vulnerability is published. The attack scenario they came up with is the following code. If disguised with something like tinyurl an administrator might be fooled to click on the link and set the password to a pre-defined value (or modify any other settings).

From the #wordpress-dev channel on Freenode IRC network:

Mar 04 19:10:02 [MarkJaquith] We'll make sure you get credit

This is perhaps something I would expect from some vendors of propriety software (and no, Microsoft is not one of them), but not from a prominent open source project as Wordpress is.

As a security consultant, researcher and developer the only thing I (and others like me) have is our reputation. By not giving credit where credit is due, I don’t get any recognition of my contributions which could be taken in the view that my contributions were not important. This is very strange in this case, as they even used the patch I submitted verbatim.

Responsible disclosure is a two-way street, where the security researcher comply with industry best practices and vendor disclosure policies and in return the vendor gives credit to the researcher for his or hers contributions. It is also important to keep the security researcher in the loop about the progress as well, else the researcher might think that nothing is happening and might pre-maturely release the vulnerability and label the vendor as non-responsive.

If the communication with the Wordpress security team drastically improves, I might consider to start selling those vulnerabilities to the highest bidder - because then I at least get rewarded financially for my research. This would of course be on a vendor by vendor basis, where vendors who honor their part of responsible disclosure do not need to worry.
My suggestions for the Wordpress security team is the following:

1. Have an auto-responder on the security@wordpress.org address which confirms to the reporter that the mail system has recieved it.
   There was no communication at all through email, or othervise, letting me know that you even recieved the email in the first place. Only later I got contacted by Donncha O Caoimh, letting me know that he patched Wordpress.com against the vulnerability. As his email contained my email I can assume with great confidence that the email sent to the Wordpress security team was in fact recieved.
2. Communicate to the reporter when the vulnerability has been confirmed.
   There were some IRC communication on the topic, but an email reply isn’t that time consuming.
3. Communicate to the reporter when the patch has been created, possible ask them to test it out for themselves as well.
   My submission included a patch, which was working and fixed the vulnerability (and later used verbatim in the patched version).
4. Let the reporter know when the patched version will be released.
   I had to constantly ask on IRC what the progress status was.
5. Make sure that the reporter recieves propper credits where credit is due.
   The Wordpress team obviously failed on this.