Slashdot Mirror

I remember the days when @Stake sold L0phtcrack for a large chunk of change.

Symantec decided to change it to a less hax0r name, and remove "crack" from all references and replace it with "audit".

Now they want to stop the selling of a product thats almost used exclusively by security professionals around the world to ensure compliance against password mis-use.

Its ironic that Symantec have done exactly they what they said they wouldnt do, screw with the product too much. You just have to visit http://www.atstake.com/ and read their mission statement to the product:

          @stake Acquired by Symantec

Welcome to Symantec. Symantec recently acquired @stake. We recognize that the strength of an organization is built on the loyalty of its customers, and we are committed to providing a seamless transition for @stake's customers.

Existing customers should expect business as usual through the transition period and a continuation of the same great service you have come to expect from @stake.

Using ICMP redirect messages to arrange MITM attacks was also an old one, but I don't think that most stacks pay attention to redirect any more.

try using one of those secure usb key's (lexar has one)

Whare have we heard that before?

Here's a little article from @Stake about Bluetooth, as well as some other insecurities.

I believe that even if the phone is in 'hidden' mode, on some models, one can still find a user's address by testing out every address. Redfang does that. This is brute force however and quite slow. In fact it could take up to a few years, as it takes about 20 seconds per address.

One thing I noticed while living in an apartment and playing with Bluetooth.. it is possible to tell when other people are in their homes or not. I was tempted to make a little app and compile statistics as to when/where people came and left, but then I remembered I wasn't the US federal government ;)

There are a bunch of other programs available to the Googler.

Ex-GAIN employees in the "Integrity Advisory Committee"??? That's like Richard Stallman working for the Patent Office!

I'd say it's more like hiring L0pht to protect you from hackers.

"I never recall seeing any statement that suggested the key could be seen plaintext in memory"

Which advisory did you read?
"It is also possible to attach a debugger to the Safe Guard software and read the password from memory. The Safe Guard software takes care of the decryption and the password can be seen in plain text within memory when the software does a compare between the stored password and the supplied password."

Keep a *nix and a windows version of netcat on there. A few of the essential RFCs wouldn't hurt either, HTTP, IMAP, SMTP, among others.

A long while back, I've heard/read that hackers (computer crackers?) at L0pht Heavy Industries (now apparantly http://www.atstake.com/) claimed that they could bring down the Internet within a half hour or so. My guess is that their plan involved attacking the DNS root servers. They didn't carry out their 'threat' which proves that they are being responsible with their 'dangerous' knowledge.

Recent research supports the belief that one well chosen password will defeat most intruders and that enforced rotation leads to weak passwords.

Here in work i've implemented a reasonable level (read: what you get for free from MS) password policy on the GC/DC (its a MS shop).
Passwords:

* Vary between Upper and Lower case
* Contain at least 1 number
* Have a minimum of 8 characters (MacOS9 users are only allowed to use 8 unless they have the MSUAM)
* Forced change every 90 days
* Differ from the 3 passwords used previously

In addition we encourage users to pick strong passwords:

Good Passwords contain:

* Multiple small words (let me in now: LetM3In0w)
* Unusual keys (open at eight : 0pEn@Ate)
* Personal Acronyms (open now please : 0pN0Plez)
* Replace letters with numbers (close please : C7o53p7z)
* Misspelled or nonsense words (close please : klOz3PeaZ)
* Offset the Number/Word (to home sweet : H0m325we3t)
* Non-sequential words from songs/poems (home of the brave: 7hebRaFovH0m3)
* A combination of the above!

Bad Passwords contain:

* Countries or Place names
* Names (First or Last)
* Anything Workplace related
* Historical events and Dates
* Personal information: Phone numbers, Birthdays or Social Security numbers
* Dictionary (English and Foreign language) words
* Consecutive numbers
* Popular phrases separated by spaces, underscores or a hyphen

I recently conducted an audit using the excellent @stake LC5. I used the SAM agent import feature and not the sniff the wire capability. It cracked 26/196 passwords in less than 50 seconds with straight dictionary attacks tho' to be fair it was running checks against the weaker LM password. It finished the run with 96/196 successful cracks in around 11 hours using the dictionary, hybrid dictionary/brute force and straight brute force cracking.

It got many "strong passwords" chosen using the above methodology which is similar to the previous post. I am not too worried as ANY password is vulnerable to determined brute forcing. Thats the reason you combine strong passwords and an x-attempt lockout policy.

The bonehead central office still enforces the password rotation despite the evidence that users are sabotaging the process. I sincerely believe this collision of function and security is a zero sum game: the users need to work meeting a complex security process irrespective of the necessity.

I am actively looking into 3rd party DC/GC extensions which perform the routine checks LC5 used so successfully and that have been in use on *nix systems for years. I'd love to hear from any1 in a similar situation. Please note i had reservations purchasing from @stake based on their abhorrent treatment of Dan Geer and evidently vindictive successive OSX disclosure campaign.

Use netcat (nc)

A version exists for Windows (it's what the kiddee's use), but it can be used for legit purposes if done properly.

No there was another overflow problem that was in the screensaver module that as you say is inherently local. And incidently it was described in almost exactly the same way for that patch. But no, this one is a remotely exploitable stack buffer overflow that allows an attacker to obtain administrative privileges and execute commands as root.

http://www.atstake.com/research/advisories/2004/a0 50304-1.txt

Like LC5 - Cracking^H^H^H^H^H^H^H^HVerifying Password Security at the speed of light...

sorry, "nc" is netcat (or, if you prefer, gnu netcat). you have committed a namespace violation. your application will be ignored until you find a name that does not conflict with a currently maintained, widely used application.

regards,
the management

I am unaware of open source software that meets the functionality of PWSEX or LC5.

They're much better off taking one of the @stake classes. They don't pretend to teach you how to be a 'hacker', but how to secure your systems. They do show several (four or five) outdated scriptkiddy hacks, but mostly, the focus is making people aware of issues and giving them a toolkit to try and secure it.

I wish it had been a /little/ more technical, but in their defense, we did spend 90% of the time actually doing lab exersizes, and I did take some good stuff away from it. My boss, who is our director of IT, went with me, and really loved it; His focus is not as security focused as mine, so I think a lot more of it was new to him. Anyway, at least you know you've got really good instructors, so if you are curious about a specific aspect of security, they can sit down and teach you about that, or if they don't know, they can get somone who does to answer it.

Also, it was pretty cool to have the guy who wrote The Sleuth Kit as an instructor. Needless to say, the forensics section was pretty interesting.

http://www.atstake.com/research/tools/network_util ities/

A good password is:

• Greater than 6 letters long
• Composed of numbers and letters
• Easy to remember, easy to reremember when changed.

I don't think so. On a single machine it takes l0phtcrack a day or two to crack passwords with only letters and numbers.

It took my comp 36 days to crack the M$ generated ASPNET user account; it's generated from the full keyboard charset.

Password policies like this won't enhance security. Maybe disabling LM hashes would, but the vulnerability is still there.

I used this last April Fool's Day...went over well, except with the management who sent out emails expressing how irritated they were that someone had this much excessive time before a release. Was good for a laugh, though...

--trb

There were a number of studies done, @stake would be a good source for that particular bit of data, considering they state that a Windows network can be audited in minutes: . I've personally used it once long ago, to retrieve an admin pw on an NT domain for a company who's former sys admins had all wandered off or been fired. Took about 4 minutes at that time, to retrieve 80% of the 4K pws in the domain, and the admin pw I was looking for.

It should be noted that this only applies for Windows systems, but then again, they're the biggest problem out there on the net.

From an advisory at @slash, linked in the main article...

Timeline

3/26/2004 Vendor notified of issue
5/03/2004 Vendor informs us that they have a patch available
5/03/2004 Advisory released

This was for a security hole in the Apple Filesharing Service, both on OSX and OSX server. The vulnderability was/is remotely exploitable for administrative privilages.

IMHO, a filesharing exploit that works on OSX server is a pretty large problem, and a month + change to fix a buffer overflow in a packet seems a bit extreme.

A comment in response to the Scobleizer blog said it best:

Eh, I think @stake is just whining. The security update on the apple site is written for consumers, not security experts. The knowledgebase article: http://docs.info.apple.com/article.html?artnum=617 98 clearly lists the CAN number. Plugging in that CAN number into google gets me straight to the @stake advisory here: http://www.atstake.com/research/advisories/2004/a0 50304-1.txt

Personally, I don't think apple is trying to hide anything, they are just assuming that calling it a "a pre-authentication, remotely exploitable stack buffer overflow" would confuse consumers. The knowledgebase article contains all the info a technical person would need to find out more.

Speaking of "full disclosure" - the criticism came from @stake, which is a vendor to Microsoft and fired one of their employees for criticizing Microsoft in a report. :)

No Apple doesn't have any security problems.
Let's see within the last week they have closed at least two exploitable buffer overrun holes.
Of course Apple doesn't call them that. Instead they use euphemism.
"AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords."
Now go and read atstake.
Or, "QuickTime 6.5.1: Fixes CAN-2004-0431 where playing a malformed .mov (movie) file could cause QuickTime to terminate."
Now go and read eeye.
No problems at all.

This is one of those situations where if someone can't do the job, you do it yourself. Be a man, download netcat, read the FTP RFC and resume the file yourself.

A possibility is VideoLAN which, while not able to send raw data across the network, can stream mpeg-1, -2, and -4, as well as other formats/codecs. For direct data streaming, netcat is a possibility. However, like stated in a brother post, the traffic on the network is an important aspect to consider.

These are "poor-man" methods, so the choice is up to you if you want to use these or a more professional method of streaming.

Pfft! Real men use netcat and the FTP RFC for reference.

Ooooo. Sounds like some fancy-dancy user interface to me. That telnet's probably got escape sequences an everything.

Us real trogs use netcat.

What about netcat ?

Vulnerabilities in security products, especially those making outrageous claims, need to be exposed.

excerpt from NAI ePolicy Orchestrator Format String Vulnerability

"When deploying new security products within the enterprise, organizations should understand the risks that new security solutions may introduce."

-weld

Real men send USER, PASS, TYPE I, PORT, RETR with netcat to get FTP files.

Traceroute and ping are included with Windows. Hell, finger is included too! Other things like whois, dig, etc. can be done on Windows the hardcore way. Put netcat and some RFCs (for reference) on a floppy and send straight protocol commands.

That's why I use netcat to port 80 instead.

In addition to resetting the admin password there are tools like this one which I've used many times to recover passwords from NT boxes.

• Remote file retrieval, administrative authentication bypass, authentication bypass, remote code execution
• SAP DB Privilege Escalation/Remote Code Execution

I have really no idea why it was modded as Funny. I had nothing but great experience with dd(1), especially the version from GNU Fileutils. If you are stuck with MS Windows and cannot use Knoppix then check out Cygwin. One of the great advantages of dd(1) is the ability to use good old Unix-style anonymous pipes, so with Netcat or SSH it can really do miracles with filesystems cloning across the network, be it LAN (with nc(1)) or the Internet (with ssh(1) as nc(1) sends data as unencrypted).

According to this advisory at @stake, they have at least once withheld release of a vulnerability until affected systems could be patched. This paragraph kinda sums it up:

Due to the severity of this vulnerability @stake has confirmed that they will not be releasing this information publicly on their research page (http://www.atstake.com/research/) until Nokia has confirmed that all affected operators have fully patched and tested all affected elements. However @stake would ideally like to release this information no later than 1st June 2003.

So it does seem a little childish to just jump out and announce a vulnerability to the world.... My guess (yeah, it's just the little scenario I've worked up in my mind) is that @stake wanted to "work with Apple" and release a joint press-release type scenario on squashing a vulnerability. Apple of course doesn't want to give credit to anyone for anything (not trolling, just stating an observation), and refuses the offer. @stake gets pissed and blares this up and down the board, issuing press releases, contacting specific non-Apple-loving reporters, etc. You know why I think this? From the same advisory linked above is this self-serving text:

@stake worked with Nokia to ensure that all affected operators where informed and upgraded and only after this time did @stake agree to release this information to the public.

Do you really think that Nokia let @stake get into their code, make security changes, and essentially be a full partner in the effort to crush this vulnerability? I don't.

The reporting is fine, you should just try and read the article instead. It does affect 10.1 and 10.2. Here's the relevant links: first and second. If indeed Apple has said that they will not patch 10.2 they are just plain stupid. That's just a very good way to piss off your customers. As other people have pointed out they seem not to have patched ssh in 10.1 either. Crazy.

The reporting is fine, you should just try and read the article instead. It does affect 10.1 and 10.2. Here's the relevant links: first and second. If indeed Apple has said that they will not patch 10.2 they are just plain stupid. That's just a very good way to piss off your customers. As other people have pointed out they seem not to have patched ssh in 10.1 either. Crazy.

From the site at @stake....

Release: 10.28.03
Name: Long argv[] Buffer Overflow
Application: Mac OS X
Platforms: Mac OS X 10.2.8 and below
Severity: Attacker can crash Mac OS X and possibly execute commands as root
Author: Matt Miller and Dave G.
Overview: It is possible to cause the Mac OS X kernel to crash by specifying a long command line argument. While this primarily affects local users there may be conditions where this situation is remotely exploitable if a program which receives network input spawns another process with user input. It is possible to use this condition to dump small portions of memory back to an attacker.

Release: 10.28.03
Name: Systemic Insecure File Permissions
Application: Finder (and many others)
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: Many applications are installed onto Mac OS X systems with insecure file permissions. This is due to two distinct classes of problems:

A security issue regarding DMG files managed by Mac OS X
Insecure file permissions packaged by different vendors
The result is that many of the files and directories that compose various applications are globally writable. This allows attackers with filesystem access to an OS X machine to replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary.

Release: 10.28.03
Name: Arbitrary File Overwrite via Core Files
Application: Kernel
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised.

Yeah, they're bugs, and yeah, it's possible. But don't these phrases kinda limit the scope?

"While this primarily affects local users"

"This allows attackers with filesystem access"

"attackers with interactive shell access"

So to me this doesn't mean the end of the world, or that all my data is wide open and exploitable from the public internet. I'm guessing they'll patch it when they can, and the fact that it's patched in X.3 probably means they're using a different release of the software in question that is inherently invulnerable to these issues.

Amazingly, even with completely new Samba and browser implementations, WINS resolved browsing on a routed network is STILL hosed. It works a little better than before. I see a few shares for a few seconds before the window goes blank and reports zero shares. I replicated the failure on three machines, then a report with Apple, including a tcpdump.

The other big problem I have had stemmed from being short of space after doing an upgrade install. Using the new Disk Utility, I backed up my whole home directory to a disk image on my iPod and did a reformat install of Panther. Next time I mounted the disk image, the file system was unrecoverably corrupted. So much for my data.

This is a bit off topic, as it is pertains only to pre-Panther revs of the OS, but @stake is reporting a kernel buffer overflow in 10.0-10.2.8. I submitted this as a story, but it was rejected. Does @stake have a bad reputaiton or something? Apparently our Windows team subscribes to it. One of them forwarded the advisery to me.

Amazingly, even with completely new Samba and browser implementations, WINS resolved browsing on a routed network is STILL hosed. It works a little better than before. I see a few shares for a few seconds before the window goes blank and reports zero shares. I replicated the failure on three machines, then a report with Apple, including a tcpdump.

The other big problem I have had stemmed from being short of space after doing an upgrade install. Using the new Disk Utility, I backed up my whole home directory to a disk image on my iPod and did a reformat install of Panther. Next time I mounted the disk image, the file system was unrecoverably corrupted. So much for my data.

This is a bit off topic, as it is pertains only to pre-Panther revs of the OS, but @stake is reporting a kernel buffer overflow in 10.0-10.2.8. I submitted this as a story, but it was rejected. Does @stake have a bad reputaiton or something? Apparently our Windows team subscribes to it. One of them forwarded the advisery to me.

The point is that this sort of thing is really really bad for society because of the chilling effects. If it's risky to criticize the big boys, guess what, they get less criticism than they should have on account of their actions.

In this case, the guy published the paper on his own, and was fired "because his services were no longer needed." There is an outcry, and the guy gets thousands of job offers.

Next time sombody at @stake publishes a paper. The paper is also based on fact. The company also immediately fires them. The company has now established a pattern of firing people for doing what they are supposed to do. At this point, there would be a labor dispute (29 USC 158 c) (Employees and emplyers are free to express their views) as well as a civil dispute (18 USC 245 Sec 245(b)(5)) (Federal protection against intimidation or punishment from participating lawfully in speach or peaceful assembly), as well as probably several other laws.

Or in simpler terms, the company would have shown a pattern of unlawful practices, meaning that they would have some serious lawsuits on their hands.

frob

@stake ethics

Neither solicit nor accept financial or other valuable consideration, directly or indirectly, from outside agents in connection with the work for which we are responsible

@stake, eeye, and iss have all agreed w/ microsoft not to release details of even potential exploits until the microsoft has had 30 days to "evaluate" them, leaving admins and the public unnecessarily exposed to vulnerabilities. This is completely unacceptable, and contrary to the scientific peer-review process of real science. If you know there's a problem, you speak out, suggest a fix, and hopefully the appropriate parties will be responsible enough to take action. Additionally, others have to be able to VERIFY and REPRODUCE findings, a critical part of *real* research. But microsoft's tactic is to force so-called security "research" companies (who are in it for money, not necessarily for altruistic research or making things more secure) into a lop-sided, biases "standards" NGO, the "Organization for Internet Safety" (OIS), which Microsoft is a member. (read this). What they are proposing is censorship, hiding information until they can find a fix, so that only the hackers will know what's broken. Talk about the fox guarding the hen-house!!!

Additionally, the director of research for @stake, Chris Wysopal, is effectively lobbying congress to give teeth to the OIS, and more power to microsoft and their buddies.

OIS = @stake, BindView, SCO, Foundstone, Guardent, ISS, Microsoft, NAI, Oracle, SGI, Symantec. sounds like the stone cutter's guild to me.

Eeye seems to be left out for obvious reasons, they oppose this secretive "research." Read eeye's Marc Maiffret's (chief hacking officer) thoughts on things to a congressional subcommittee here.

"windows corrupts, microsoft corrupts absolutely."

Interesting. Does that mean that employees should only issue statements in the course of their job responsibilities? Or that job statements must be objective, fact-based and truthful but personal statements can be whatever they want? This latter interpretation seems to conflict with their action.

I don't think Dan Geer will have trouble finding a new job. However, it is an interesting reflection of what @Stake has become. Look at their management team. Looks awfully VC to me.

Interesting. Does that mean that employees should only issue statements in the course of their job responsibilities? Or that job statements must be objective, fact-based and truthful but personal statements can be whatever they want? This latter interpretation seems to conflict with their action.

I don't think Dan Geer will have trouble finding a new job. However, it is an interesting reflection of what @Stake has become. Look at their management team. Looks awfully VC to me.

Gotta love those @stake guys. Here's a relevant quote from their website:

"@stake has assembled the best minds in digital security to help you understand and mitigate the security risks inherent in your business model, so that you can maximize the opportunity in front of you. We help you make the hard decisions about what matters most in your business, so that your security investment has the greatest impact. We work in the space where your business and technology meet, because we believe that this is where security is most powerful."

Talk about blowing it out both ends. You can read their ethical and guiding principles as well.

This is what l0pht has turned into?

Gotta love those @stake guys. Here's a relevant quote from their website:

"@stake has assembled the best minds in digital security to help you understand and mitigate the security risks inherent in your business model, so that you can maximize the opportunity in front of you. We help you make the hard decisions about what matters most in your business, so that your security investment has the greatest impact. We work in the space where your business and technology meet, because we believe that this is where security is most powerful."

Talk about blowing it out both ends. You can read their ethical and guiding principles as well.

This is what l0pht has turned into?

I've just spent the last 21 months as network person at Moor Park High School in Preston, Lancs. I implemented two Linux servers which did internal www which staff could access parts of via their W:\ drive, mail, proxy (with authentication and ability to block kids by a gui), ability to reclone damaged NT/2000 workstations, quota limits for kids, staff and pupil shared areas (accessible via S:\ and T:\ drives), shell access for kids, remote KDE/GNOME desktops in a window for staff (not that they used them!)...

The whole thing cost them £400 in software. Unfortunately two weeks ago they still insisted on me spending 7 hours a week standing in a library doing duties telling kids to take their coats off... and all for less than six pounds fifty an hour (probably 9-10 USD per hour). They're now looking for three people to replace me. I've now gone self employed and am the cheapest IT person I know even at more than twice the rate they paid me.

The biggest difficulty I found with implementing Linux was getting it to understand our existing username/password database. You have several options, some of them being:

- Make everyone set a new password (bad idea - they'll want to know why)
- Use pwdump.c (available from Samba mirrors) to create an smbpasswd file from your existing NT or 2000 server.
- Use John the Ripper or L0phtcrack to crack your existing account database. This isn't such a great solution, as some passwords could take weeks to crack, and some passwords will get changed after you cracked them.
- Use Winbind, which is part of the Samba suite which will talk to your existing NT/2000 setup and make those user accounts appear as ordinary users. This is an absolutely great solution once it works; you can give them access to any service you want (it works through PAM, so it's as good as having them all in /etc/passwd in many ways) - such as ftp, ssh, local or XDMCP access, you can chown and chmod files and directories to them, and it just works. It can be, however, an absolute nightmare to set up, and so I've written a document on the subject and how to get past a number of random error messages here.
- Read the comments in smb.conf

Management are always a problem, and it's the usual scenario: if it's Free, it has to be crap. If this is a problem, then instead of telling them how good it is, just show them. It's not difficult to find a spare unused machine in a school, or to boot Knoppix onto something, and you only need something with 16 or 32MB to install Debian or an old version of RH onto it and make it a useful server - machines of that calibre of write offs in UK schools right now with all the money the UK government are pumping into them. (This quarter alone, we had £27,000 to spend on IT - something like $40,000.)

Set something up, and implement a feature that your network lacks - quotas, web, email, cloning (use Partition Image - a much nicer replacement to Norton Ghost), proxy server (use Squid and Webmin so that your boss can easily add users to a list of banned people). Consider writing a cronjob to automatically copy everyone's home directory once a day, and then suddenly you'll be able to restore someones work from backup from any particular day or week (depending on how much hard disk space you have - a couple of cheap maxtor 80GB disks or something similar will do the job) in the space of ninety seconds *every time*. No more messing with backup tapes. (But still do tape backups, because you don't know when a lightning strike/minor earth tremor is going to destroy every hard disk...)

Write a manual. "This is how our Linux boxes were set up. The IP is this, here are the open ports, these packages were compiled from sourc