Friday, May 29, 2015

Not So Bright

As it turns out, it is somewhat self-defeating to deploy a honeypot, advertise it, and for no other reason than self-amusement, hope to get attacked. My server got port scanned about 300 times last night, and then nobody else actually entered the trap after the first hour. Then there was a DDoS attack, which effectively shut the server down. Whether or not that is related is hard to say. I have concluded this endeavor was a bad idea.

Honeypots & ScriptKiddies... Let the Games Begin

Oh man, the internet is so much fun! I was really bored tonight, so I decided to set up a honeypot. I fired up a virtual machine on one of my burner computers and placed it in my hardware-switched DMZ. I configured a variety of applications that pretend to be extremely vulnerable to a lot of really old exploits, including Kippo SSH, Wordpot, and Dionaea. Next, I triple-checked my firewall rules to ensure that nothing would escape into my LAN. Then I ran some port scans through the msfconsole, and realized that when running nmap inside msf, honeypot applications are easily detected... damn. But wait... there is always a solution to a problem when there is a will (and a good dose of boredom). It turns out that if you just change the banner displayed on the FTP login, the workgroup name on the SMB service, and the presented version of MSSQL, then nmap will not detect that it is scanning a honeypot! To confirm that, I ran port scans from several remote servers. None detected anything but about 500 open ports running so many horribly misconfigured services that anyone with a brain would know that this is just too good to be true. When everything looked okay, I placed the host online.
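The banner check described above, as an added example that is not part of the original post: nmap's honeypot detection works by matching the first bytes a service sends against known default banners, so an operator can grab the same banners and compare them before going online. The signature strings below are assumptions (Kippo's and Dionaea's shipped defaults as I remember them); check them against your own copy of nmap-service-probes before relying on them.

```python
import re
import socket

# ASSUMED default banners of the honeypots named in the post. These are the
# kind of strings a scanner's service-probe database matches on; verify them
# against your installed nmap-service-probes file.
HONEYPOT_SIGNATURES = {
    "kippo-ssh": re.compile(r"^SSH-2\.0-OpenSSH_5\.1p1 Debian-5\r?\n?$"),
    "dionaea-ftp": re.compile(r"^220 Welcome to the ftp service"),
}


def classify_banner(banner):
    """Return the honeypot whose default banner matches, or None if none does."""
    for name, pattern in HONEYPOT_SIGNATURES.items():
        if pattern.search(banner):
            return name
    return None


def grab_banner(host, port, timeout=3.0):
    """Read the greeting a service sends on connect (SSH and FTP both speak first)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(256)
    return data.decode("ascii", errors="replace")


def audit(host, ports):
    """Grab each port's banner and report whether it still looks like a honeypot default."""
    results = {}
    for port in ports:
        try:
            banner = grab_banner(host, port)
        except OSError as exc:
            results[port] = ("unreachable", str(exc))
            continue
        verdict = classify_banner(banner) or "no known honeypot banner"
        results[port] = (verdict, banner.strip())
    return results


if __name__ == "__main__":
    import sys

    # Usage: python audit.py <honeypot-ip>; run it from outside your own LAN.
    for port, (verdict, banner) in audit(sys.argv[1], [21, 22]).items():
        print(f"{port}: {verdict} ({banner})")
```

A service that still answers with one of these defaults is the one to rebanner; the changed workgroup name and MSSQL version the post mentions are checked the same way with the matching probe strings.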

Next, I opened Wireshark, grabbed some coffee, and sat back waiting for the script kiddies to start attacks. While I was waiting, I fired up Metasploit and started generating some payloads for any flies that got caught in the web. I ended up deciding on a passive exploit, a meterpreter embedded in a few PDF files that I placed inside the honeypot's file system, along with a bunch of porn videos and nonsensical websites that I cloned with HTTrack. Then I actually changed my mind about that part. I realized reverse psychological phishing is still not right, even though the attacker would have to break a law or three himself to get into my system. The way I saw it... there is just no legitimate reason for anyone to break into a honeypot, even if I am doing this because I am just bored. Of course most of the hits would come from China anyway, so no harm done. Anyway, I even placed a watered-down PHP shell in a hidden directory with a random URI (like a cracked easter egg of sorts...). This was all looking pretty damn good, but it'd been an hour and nobody had bitten the hook yet. I am not a patient person.... But then I thought of...

PASTEBIN. Yes, that is the answer to my lack of problems. A simple paste titled "Very Compromisable Host" with the target IP address was more than enough to get this party started. I posted the paste... waited 5 seconds... refresh... 55 hits.... wait 10 seconds... refresh.... 147 hits.... waited 30 seconds.... refresh.... 269 hits!!!! I checked back just now... over 300 hits! Someone is bound to bite soon...

It's now T+30 since the paste, I am currently halfway through the last episode of Bates Motel, and am about to go to bed. Over the last 20 minutes, I've had 6 SSH 'breakins', 1 SMB attack, and 3 FTP logins! By morning, I'm hoping to have a few interesting payloads in Dionaea's archive to add to the old arsenal. Why are people so retarded? Ugh, who cares, it's hilarious. I'll follow up with this post tomorrow. Good night.

Wednesday, May 20, 2015

Designed to Fail: US to Classify 'Surveillance Capable' Software as Weapons

This one will blow your mind. The retard level of this proposed law is stratospheric. In countries like France, internet entrepreneurship has suffered because of lame regulations that are supposed to protect their citizens from 'unfairness'. One great example is when Uber started gaining traction in France. Suddenly, the French taxi market began to expand, as normal people were using Uber to make some money giving rides. The French bureaucracies did not like that, claiming that it was 'unfair to licensed taxi drivers' who are trying to make a living. Rather than let capitalism do its job (which would have forced the taxi companies to innovate or lower their rates), they just banned apps like Uber. So it's no wonder that none of the Googles and Apples of the world are French. Innovating in a place like that would be impossible. I suppose this is one reason why so many people have come to America seeking better lives, because here in America, whoever does the best job wins. We know that when government interferes with business, it's usually a very bad thing. Of course there are times when regulations are necessary, but those occasions are rare, and when they do occur, the will of the people is usually taken into consideration.

When the world found out that the NSA was stealing the entire world's metadata, business in tech industries suffered. Hell, even I stopped doing business with American cloud computing service providers, and switched to overseas providers instead. That's the way of the universe, and the way of capitalism. Edward Snowden once said that the British intelligence agencies are worse than the NSA, and that Great Britain is the most surveilled state in the world. I guess it's not surprising that I can't think of one British tech company that is doing well either.

Today I found out that the United States intends to classify software with surveillance capabilities as weapons, and to place export restrictions on such software, so that it is illegal to 'export' such software to anywhere but Canada. These proposed regulations are completely ridiculous, and if they become law, then it will seriously stall research and development in the computer security field. Here is the summary of the proposal:


"The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor.
BIS proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada. Although these cybersecurity capabilities were not previously designated for export control, many of these items have been controlled for their "information security" functionality, including encryption and cryptanalysis. This rule thus continues applicable Encryption Items (EI) registration and review requirements, while setting forth proposed license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items." [1]

You can read more about it here. So basically, the Bureau of Industry and Security wants to classify software with 'intrusive' capabilities as weapons, and wants to require people to be licensed to export it out of the country. This is definitely somewhere in between the first and tenth worst ideas I've ever heard. Being a developer myself, I often exchange code and work with people from all over the world.
This is the way that the open source community works, and a law like this has the potential to completely destroy the open source cybersecurity community. Much of the software that we are working on could definitely be considered to have 'intrusive capabilities'. This is also how the computing industry works. In order to develop software to defend yourself from cyber threats, you need to get your hands dirty and exploit your own network, computer, or programs the same way that an attack would happen in the real world. If you are going to do that, then you need access to tools that could be considered malicious. If we start putting export regulations on that kind of software, then the open source community will be the first to suffer. The big businesses will be able to afford the licenses, and the little guys like me will not. Some of the worst security vulnerabilities out there were discovered by people overseas, using software developed here in America. It seems that this law is designed to fail, and to weaken our cyber security systems. It will also effectively consolidate the computer security industries into a few giants, squelching creativity and innovation, and add just one more roadblock for entrepreneurs in the digital world.

If this becomes law, then in the near future I may not be able to legally continue exchanging certain code on GitHub with my friends in Europe. And who will be in charge of deciding what software is considered a weapon? How will that process work? I don't even want to know. A law like this would also create serious headaches for people that run communities like GitHub, as they will likely be held responsible for the content other people upload to their site. So is GitHub supposed to block access to certain code with geographic restrictions? How the hell will that work? Everyone knows that content censorship attempts are some of the most failed undertakings in human history.

You don't see laws preventing the exportation of Swiss Army Knives or rat poison because they have the potential to kill people if used incorrectly. Ultimately, the way a piece of software or physical object is used depends completely on what the user chooses to do with it. Oh, and let's not forget that the biggest surveillance perpetrators are in fact our governments, and not black hat hackers in foreign countries.

These laws are currently open for public debate, and I suggest that if this news angered you as it did me, that you submit a comment to BIS explaining what a horrible idea this is. Remember, the government that governs least governs best.