Harmonizing Regulatory Compliance and Risk Management


May 3, 2013  2:25 PM

Top 10 Self-Reliance Skills- A Review of the Pathfinder School Advanced Class



Posted by: Jeromie Jackson

The Pathfinder School LLC. Wilderness self-reliance and survival skills are both challenging and comforting. The ability to be comfortable outdoors with a minimal kit makes time outdoors almost stress free. What used to look like random plants are now seen as aspirin, cordage, food, poison, and many other resources. After successfully passing Phase I and Phase II of the Pathfinder System and just returning from the Pathfinder School Advanced Class, here’s my top 10 summary of the event:

  1. Kit Reduction- There is a clear list of what you are allowed to bring, and there was no slippage here. I had hoped to bring in Frogg Toggs as we expected rain. The only way I could have brought them in is if I were to have worn them. Going through thorny briars they would have been useless by the time we hit camp, thus they got left behind. No food, no water, no paper products, no deviation from the pre-defined kit, period.
  2. Hydration/Hypothermia/Hygiene- Hydration was the primary concern throughout the course. At every point boiling and drinking water was critical. One of my buddies during the class almost got pulled for dehydration. On two of the days we had rain, and as I had to leave my raingear behind (grumble) staying warm during the night became an issue. Luckily a requirement was to have wool blankets. Wool maintains 80% of its thermal properties even when wet. Hygiene, well, Mullein & wet rocks are your friends.
  3. Navigation- After gear was checked we headed out. We were put into 2-man teams and brought to various start points. This first navigation course was based primarily on map and terrain navigation. Working the course was difficult with the briars, streams, downed timber, and other hazards. Making it to the last location on the course we found a tag, right in the middle of a beaver pond. Up went the packs and down into the water we went to traverse the pond and acquire the tag. Once the course was complete we headed into our initial camp.
  4. Fire- Having no water, and already being thirsty from the navigation course, we quickly moved towards primitive bow-drill fires. Several fire skills were tested throughout the class to ensure we could get our flame on in many different ways. Time limits pushed us to be quick with making our sets and getting embers.
  5. Water- Our water was from the beaver pond. Boiling the water makes sure it is safe to drink, just be sure you’re not operating around pesticide or other chemical contaminants, which boiling does not remove. The class was extremely physically intensive for a guy who is a computer security guru in his day job. We were constantly looking to boil, transfer, drink, and boil again. At one point one of my buddies almost was removed from class due to dehydration. Getting 32oz and a little more into him helped get him back in the game.
  6. Shelter- We knew it was going to rain. Our tarps were taken away and we were required to build primitive shelter. Our lean-to, and a 55 gallon drum liner filled with my wool blanket and me, kept me dry through the night. We did not have enough time to complete our shelter as we had hoped and the rain that night consistently reminded us of it. The drum liners were a fantastic resource to stay dry in.
  7. Tools- Primitive cordage, hooks, gill-nets, dip-nets, frog gigs, and other tools were created as deliverables for the class. The ability to create tools outdoors with the resources at hand gives an individual a great sense of comfort. Even though it was early springtime for Ohio we were able to find a lot of available resources.
  8. Medicinals & Edibles- We did not spend too much time on the edibles and medicinals in the environment. We did have some deliverables to make sure we knew a few good plants and trees to use for resources. Coming from San Diego the operating area was very different than what I’m used to. Luckily dandelions grow almost everywhere!
  9. Meat Acquisition- We were tested on both our land and water meat acquisition capabilities. A group or two ate well, most did not. The quality of traps, the locations of the sets, and other variables were evaluated to ensure the students were putting themselves in a good position to acquire meat. Traps are great as they continue to work even while you’re doing other things. It is hard to sustain oneself on greens and plants alone. The ability to successfully capture fish and/or game is critical.
  10. Signaling- In a survival situation you’re generally looking to signal for rescue. We were tested on our knowledge of signaling and how to use our creations. My group created a smoke generator and took an orange bandanna and split it into 3 parts on a tall set of sticks. Threes of just about anything indicate distress. Most of the groups also did some kind of signal in a 3-way pattern.

In summary, the class was some of the most difficult days in the bush I’ve ever spent. The skills, knowledge, and resources I was fairly comfortable with. The physical demands, and the lack of food and water, made things very difficult. Headaches, cramps, dizziness, and lack of dexterity caused tasks to become MUCH more difficult than normal. In reality, if I were in a survival situation I would certainly take a much slower pace- the pace and stress were intentionally pushed on us to test our limits. I can’t count the number of times I wondered why I was putting myself through the 4-day class. Now that I’ve recovered and reflect, it was an awesome experience. I really had to push myself.  I now know how my body responds to the lack of nutrition/hydration/sleep, and I feel much more confident about my ability to get things done under stressful situations. I would highly recommend this class if you’ve got solid dirt skills and want to push your limits. By no means is the above list everything we did while out in the bush, but it provides some of the highlights.

Thanks go out to Dave Canterbury, Kevin Baxter, Brandon, and the rest of the instructors, and to Iris for getting some great shots of our event.  Here’s a great video Dave put together summarizing our event.

Stay Dirty!

April 18, 2013  7:13 PM

Arcsight and Autonomy- Solving the Big Security Data Issue



Posted by: Jeromie Jackson
Arcsight, Autonomy, breach, Consolidate, evasive tactic, Log Management, SIEM


Autonomy Feeding Arcsight

The integration between Arcsight and Autonomy provides insights into security that were not previously attainable. Autonomy’s Meaning-Based Computing and sentiment analysis can show trends in social media, online resources, employee activities, activity within physical areas, and many other security-relevant attributes. Feeding this into the Arcsight SIEM allows an organization to gain visibility into events that otherwise would likely have gone unnoticed. View a quick high-level demonstration HERE.

Arcsight Feeding Autonomy

Going in the other direction, Arcsight’s ability to identify correlations between events could provide additional context for the Autonomy IDOL engine to leverage. Trends in Autonomy could automatically generate information clusters and heat-maps, and automatically provide context from phone conversations, actions people have taken within a building, voicemail analysis, and a host of other valuable bits of big data.

On this page I’ll be discussing the various use cases and leading-edge big security data engineering we’re doing in our labs.

If you’re interested in a demo, or would like to discuss your situation, please feel free to Contact Me


January 4, 2011  7:12 PM

Trace Security Breaches at Financial Institutions



Posted by: Jeromie Jackson
breach, cloud based compliance, conflict of interest, credit union, ffiec, FFIEC IT Examination Handbook, independent auditor, ncua, penetration test, social engineering, web application assessment, webapp


Trace security breaches at financial institutions and many lead back to external vendors. To mitigate the threat the FFIEC addressed the issue on page 88 of the FFIEC IT Examination Handbook. If your security vendor provides penetration tests, vulnerability assessments, social engineering, or other infosec services and also designs, installs, maintains, or supports operational components in the organization, you are at risk of negative remarks on your audit. The handbook states:

“Independent tests include penetration tests, audits, and assessments. Independence provides credibility to the test results. To be considered independent, testing personnel should not be responsible for the design, installation, maintenance, and operation of the tested system, or the policies and procedures that guide its operation. The reports generated from the tests should be prepared by individuals who also are independent of the design, installation, maintenance, and operation of the tested system.”

There are many vendors attempting to provide cloud-based compliance, risk management, vulnerability management, and other operational services alongside infosec services such as security assessments, risk assessments, penetration tests, vulnerability assessments, social engineering, and web application assessments. While vendor consolidation can potentially reduce cost, it directly conflicts with the FFIEC independence guidance above. A more appropriate approach is to leverage vendor-agnostic solution providers for operational components, while using a separate organization for information security testing services.

If you are currently at risk based on your current vendor relationships, contact me and I will help you maintain a quality information security posture while ensuring operational costs are tightly controlled.


January 4, 2011  5:43 PM

Plunging Through the Palo Alto Networks Firewall



Posted by: Jeromie Jackson
@PaloAltoNetwork, @Security_Sifu, command-and-control, evasive tactic, firewall, metasploit, Palo Alto Networks, THC, The Hacker's Choice

Palo Alto Networks claims they can “identify and control applications regardless of port, protocol, encryption, or evasive tactic.” Because organizations need to support protocols and applications not yet categorized by Palo Alto, there is an underlying logic issue: traffic the firewall cannot identify must either be permitted, in which case it is a channel for an attacker, or denied, which breaks legitimate uncategorized applications. Unless a company is willing to disable all services except those well known to the Palo Alto Networks firewall, the risk will be constantly present. I spent a little while testing the Palo Alto Networks firewall to see if I could puncture the firewall and achieve remote command-and-control.

Class: Bypassing Intended Security Controls

CVE: <NA>

Remote: Yes

Local: No

Published: August 11, 2010

Timeline: Submission to MITRE: August 11, 2010

Credit:

Jeromie Jackson CISSP, CISM

COBIT & ITIL Certified

President- San Diego Open Web Application Security Project (OWASP)

Vice President- San Diego Information Audit & Control Association (ISACA)

SANS Mentor

LinkedIn: www.linkedin.com/in/securityassessment

Blog: www.JeromieJackson.com

Twitter: www.twitter.com/Security_Sifu

Cell: 832-378-RISK (7475)

Validated Vulnerable:

All versions prior to 12/07/2010

Discussion:

The Palo Alto Networks firewall uses “Application Visibility” and “Application Control” functions in order to identify services and apply controls across the firewall segments. An attacker can leverage a phishing scam or a vulnerable online forum to distribute a remote command-and-control payload to a machine behind the firewall. The attacked machine will then initiate an outbound command-and-control connection. The Palo Alto Networks firewall simply identifies it as “Unknown TCP.”

Exploit:

First, I thought about using HTTP to traverse the firewall and remotely control a device behind the firewall. I successfully created a command-and-control session which the firewall identified as generic HTTP traffic. I leveraged the following script from The Hacker’s Choice (THC):

http://www.packetstormsecurity.org/groups/thc/rwwwshell-1.6.perl

Second, I generated a Metasploit reverse_tcp command-and-control payload. I uploaded the payload to a website, generated a phishing email, and had the victim machine go to a malicious URL. Command-and-Control was achieved and the firewall simply characterized it as “Unknown TCP” traffic. Metasploit has the ability to encode the payloads in a plethora of ways- Palo Alto Networks will need to address all potential encodings in order to mitigate the risk.

I worked with the vendor for several months and they recently came out with a signature update that will identify Metasploit. Due to evasion techniques such as encoding, payload packing, and other ways to evade filters I believe it will be difficult for them to find all the permutations.

Below are the details pertaining to the update. I find it odd it was marked as a medium severity. Having these Metasploit remote command-and-control sessions enabled me to gain access to password hashes, install keyloggers, start remote desktop VNC sessions, hide my process, and to pivot off the attacked machine to gain further access into the environment.

Vulnerability Signatures Summary

Severity | ID    | Attack Name                                                                       | CVE ID        | Vendor ID | Default Action
medium   | 33515 | Metasploit Meterpreter Connection Attempt                                         |               |           | alert
medium   | 33516 | Metasploit Meterpreter Connection Attempt                                         |               |           | alert
high     | 33616 | IAX2 Asterisk Remote Denial of Service                                            | CVE-2007-3763 |           | alert
high     | 33446 | Struts2 and XWork remote command execution Vulnerability                          | CVE-2010-1870 |           | alert
critical | 33605 | Microsoft Office Memory Corruption Vulnerability                                  | CVE-2008-0118 | MS08-016  | alert
high     | 33606 | Microsoft Word Crafted SmartTag Record Code Execution Vulnerability               | CVE-2008-2244 | MS08-042  | alert
critical | 33607 | Microsoft Excel Record Parsing Remote Code Execution Vulnerability                | CVE-2008-3006 | MS08-043  | alert
critical | 33608 | Microsoft PowerPoint Picture Index Variant Remote Code Execution Vulnerability    | CVE-2008-0121 | MS08-051  | alert
critical | 33609 | Microsoft PowerPoint List Value Parsing Remote Code Execution Vulnerability       | CVE-2008-1455 | MS08-051  | alert
medium   | 33621 | Oracle Web Cache Admin Module Denial of Service Vulnerability                     | CVE-2002-0386 |           | alert
high     | 33627 | Adobe Flash Player loadBitmap Memory Corruption Vulnerability                     | CVE-2010-3648 | APSB10-26 | alert

Solution:

A signature update will be required from the vendor. In order for the vendor to meet its claim of “identifying and controlling applications regardless of port, protocol, encryption, or evasion techniques,” it will need to gather signatures for, at minimum, the most prevalent command-and-control tools available in the wild and create identification techniques to mitigate the risk. Users could block all non-identified application traffic passing through the firewall (“unknown-tcp” and “unknown-udp”) to mitigate the risk; however, this is generally not a viable option because legitimate uncategorized applications break. A middle ground is to alert on unidentified traffic leaving the network and review it. While their technology is proving to be a strong firewall in the market, the marketing statements are a bit lofty.
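The two things this write-up says the firewall could not distinguish from normal traffic are an outbound “Unknown TCP” session and a shell tunnelled over plain HTTP. Both still leave traces in the traffic log: an unidentified application leaving for the Internet, and HTTP sessions that recur at a near-fixed interval. The following is an added example (not part of the original post, and not vendor code) that runs those two checks over a constructed, simplified CSV log. The column layout, the internal network ranges, and the sample rows are all assumptions made for the example; the real PAN-OS traffic-log export format is wider and is not reproduced here.

```python
"""Flag unidentified egress and beacon-like HTTP sessions in an App-ID style log.

Added example, not from the original post. The CSV layout (time, src, dst,
dport, app, bytes) is a constructed simplification, not the vendor's real
traffic-log format. The app label "unknown-tcp" mirrors the "Unknown TCP"
classification described in the post.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host opens a reverse_tcp-style session the firewall
# could not classify; a second host talks HTTP to one server once a minute
# (what an rwwwshell-style tunnel looks like); the rest is ordinary noise.
SAMPLE_LOG = """\
time,src,dst,dport,app,bytes
2010-08-11 09:00:00,10.0.5.23,203.0.113.10,4444,unknown-tcp,18240
2010-08-11 09:00:01,10.0.5.23,10.0.0.5,445,ms-ds-smb,900
2010-08-11 09:00:02,10.0.5.41,198.51.100.7,80,web-browsing,2210
2010-08-11 09:01:02,10.0.5.41,198.51.100.7,80,web-browsing,2211
2010-08-11 09:02:02,10.0.5.41,198.51.100.7,80,web-browsing,2209
2010-08-11 09:03:01,10.0.5.41,198.51.100.7,80,web-browsing,2213
2010-08-11 09:00:10,10.0.5.77,198.51.100.99,80,web-browsing,51200
2010-08-11 09:07:45,10.0.5.77,198.51.100.99,80,web-browsing,312
2010-08-11 09:20:03,10.0.5.77,198.51.100.99,80,web-browsing,780
2010-08-11 09:00:05,10.0.5.23,10.0.0.9,9999,unknown-tcp,400
"""

# Assumed internal address space (RFC 1918); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UNIDENTIFIED = {"unknown-tcp", "unknown-udp"}


def parse_log(text):
    """Parse the constructed CSV into dicts with typed time and byte fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        r["bytes"] = int(r["bytes"])
        rows.append(r)
    return rows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def unidentified_egress(rows):
    """Sessions the firewall could not classify that leave for the Internet.

    This is the "Unknown TCP" case from the post: if policy does not deny
    unknown applications, these sessions pass and only the log shows them.
    """
    return [r for r in rows if r["app"] in UNIDENTIFIED and is_external(r["dst"])]


def beacons(rows, min_sessions=4, max_jitter=0.1):
    """(src, dst) pairs whose session start times are near-periodic.

    Returns [((src, dst), interval_seconds)]. A tunnelled shell polling its
    controller produces evenly spaced sessions even though each one is
    identified as ordinary web-browsing; real browsing is bursty.
    """
    by_pair = defaultdict(list)
    for r in rows:
        if is_external(r["dst"]):
            by_pair[(r["src"], r["dst"])].append(r["time"])
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_sessions:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # coefficient of variation of the inter-session gap: low means periodic
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((pair, round(avg)))
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for r in unidentified_egress(log):
        print(f"UNIDENTIFIED EGRESS {r['src']} -> {r['dst']}:{r['dport']} ({r['bytes']} bytes)")
    for (src, dst), interval in beacons(log):
        print(f"PERIODIC SESSIONS   {src} -> {dst} every ~{interval}s")
```

The jitter threshold and minimum session count are tuning knobs; real tools often randomize their sleep, so in practice you widen `max_jitter` and raise `min_sessions` over a longer window rather than expecting a clean once-a-minute pattern as in the sample.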


December 17, 2010  5:38 PM

Top 5 Social Engineering and Penetration Testing Tools



Posted by: Jeromie Jackson
credit union information security practitioner's conference, cuispa, cuispa 2011, metasploit, penetration testing, pentest, rapid7, social engineering


I will be presenting at the 6th Credit Union Information Security Practitioner’s Association (CUISPA) conference demonstrating Rapid7′s Metasploit Framework and a few other tools I use during social engineering and penetration tests.  Organizations realize attacks are often blended in today’s environment.  Phishing scams, tailgating behind employees entering the office, and local wireless hacking are all common attack vectors.  The Top 5 Social Engineering and Penetration Testing Tools come from the toolbox I carry when conducting penetration tests for credit unions, banks, and many other verticals.  It is interesting to note that many of the tools leverage Metasploit under the hood.

#1 Rapid7 Metasploit
Creating Command & Control (C&C) USB sticks, CDs marked with tempting notations such as “Payroll,” and malicious attachments are greatly simplified by using Metasploit.  Metasploit is the de-facto standard when it comes to penetration testing frameworks.  Tremendous open source resources have been applied to Metasploit, and tools that rely on the framework.  The creator HD Moore joined Rapid7 and now is focused on continually pushing the product forward with new features and interface improvements.  Just a few of the many functions Metasploit has:

Command & Control Payload Creation (PDF, Excel, Word, JavaScript, etc.)
Ability to hide within running processes
Screen capture, keyboard logger, and camera tools
Extensive enumeration of host information
Pivoting ability – enabling a compromised machine to act on behalf of the attacker
Hashdumping
AutoPwning

I recommend checking out videos on YouTube , http://Securitytube.net/, as well as Irongeek’s site.  The Metasploit Framework is free but requires a fair amount of background knowledge to use.  Rapid7 has built two commercial versions based on the Metasploit Framework that offer a graphical user interface, workflows, and advanced penetration testing features. Metasploit Express is software for general security professionals who need an easy-to-use solution to verify vulnerabilities. Metasploit Pro is best for full-time penetration testers who require an advanced solution.

#2 Social Engineering Toolkit (SET)
The Social Engineering Toolkit (SET) has simplified many of the technical details of creating social engineering payloads and infrastructure.  Spear-Phishing, infectious websites, mass mailing, infectious Command & Control (C&C) payloads for USB sticks and CD’s, and tabnabbing are easily accomplished.  Metasploit is the underlying engine for much of the functionality of the tool, however extensive work continues to be done to expand the functionality of SET.  This is definitely one of the tools you want in your bag of tricks.

#3 Karmetasploit
Karma provides the ability to easily erect a wireless Access Point (AP) that responds to every probe request regardless of the SSID asked for.  Users come into the area where the AP is and their devices look to establish network access.  The rogue AP automatically responds and establishes initial connectivity.  Using dnsspoof, a DHCP3 server, and Karmetasploit, which integrates Karma with Metasploit, it is possible to redirect everyone connecting to an infected website.  Regardless of what they request (Google, Facebook, Twitter, etc.) they are instantly attacked with Metasploit’s browser autopwn features.  A great video demonstrates how the attack takes place.

#4 BackTrack
BackTrack is certainly the most popular bootable ISO for penetration testing, vulnerability assessment, and general security.  BackTrack 4 R1 was just recently released.  Many security toolsets are quirky and require a lot of tweaking to get working properly.  By leveraging BackTrack it is easy to hurdle over the technical issues and get to the business at hand.  Metasploit, SET, vulnerability scanners, port scanners, brute force password tools, and a tremendous number of other tools are easily accessed. Metasploit Pro users can use VPN pivoting to tunnel BackTrack tools through a compromised target as if you were on the host’s local network. If you are using VMware and wish to use Aircrack & other wireless toolsets, it is generally necessary to use a USB wireless card.  On-board wireless chipsets are passed through to the guest as a wired eth0 interface and do not provide the monitor-mode and injection functionality the wireless tools need.

#5 Browser Exploitation Framework (BeEF)
The Browser Exploitation Framework (BeEF) is a great tool for manipulating a victim’s browser.  Have you ever had a cross-site scripting issue that needed to be able to present to management?   Ever wanted to do something more interesting than a simple pop-up?  With BeEF you gain access to the browser.  Port scanning, command shells, and other directed commands can be sent to the victim.  John Strand put together a primer video that’s definitely worth checking out.

Have fun, be safe, and use the tools wisely.  Follow me and Rapid7 on Twitter.


November 23, 2010  5:47 PM

SSAE 16 and SAS 70- Changes and Recommendations for 2011



Posted by: Jeromie Jackson
aicpa, sas 70, sas70 certification, sas70 type ii, ssae 16


June 15, 2011 is the date set to begin implementation of the SSAE 16 standard. The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) maintains the SAS 70 standard. The SAS 70 is the de-facto standard used to document a service provider’s internal controls. Too bad it misses the boat in truly documenting a service provider’s security posture.

The primary problem with the SAS 70, and the upcoming SSAE 16, is the lack of standard control requirements. The SAS 70/SSAE 16 allows the service provider to define what controls are utilized. The audit only confirms the implementation of documented controls- no review of whether the controls are sufficient is conducted. Without a baseline standard the quality and comprehensiveness of the controls becomes questionable.

Mature organizations have adopted control frameworks such as COBIT and the ISO 27000-series. The Control OBjectives for IT (COBIT) defines control focus areas, key performance indicators (KPIs), key goal indicators (KGIs), and governance to assist organizations in reaching high levels of maturity. COBIT defines maturity much like the SEI Capability Maturity Model (SEI-CMM):

  • Level 0: Non-existent

  • Level 1: Initial/ad hoc

  • Level 2: Repeatable but Intuitive

  • Level 3: Defined Process

  • Level 4: Managed and Measurable

  • Level 5: Optimized

There are two primary changes between the SAS 70 and the SSAE 16. With SSAE 16 service provider management will now be required to provide a written assertion about the fair presentation of the system description and the suitability and operating effectiveness of the supporting controls. Secondly, as opposed to the SAS 70, under which the system description represented a specific date, the SSAE 16 description will cover a period of time.

Contrary to a popular misconception there is no SAS 70 “certification” process. The SAS 70 and SSAE 16 are meant to be used as a standard communications vehicle between auditors. While reviewing SAS 70 and SSAE 16 reports from vendors is prudent, and may provide some protection from a legal perspective, a deep-dive into the reports is required to truly understand the quality of information security within the service provider. I recommend always asking for the right to audit the service provider in contractual agreements. As with most negotiations, ask for twice as much as what you expect. If they decline, I recommend at minimum the ability to review the most recent penetration testing and vulnerability assessment reports. Ensure your intellectual property is protected both with vendors with whom you share data or physical location, and with those who may remotely connect into your networks. Always remember-

CYA- Cover Your Assets!


November 15, 2010  8:11 PM

Rapid7 Optimizes Security for Credit Unions



Posted by: Jeromie Jackson
credit union, CU, cuispa, CUNA, metasploit, ncua, pentest, rapid7


Credit union security practitioners leverage Rapid7 to provoke a reaction at the board level. Compromised credit cards, remote command-and-control over an ERP system, and administrative access to the payroll database make for much more compelling discussions than the number of vulnerabilities found in the environment. Hypothetical issues do not obtain budget.

Credit unions are required to adhere to stringent security regulations. Delivery of superior security and risk management is often squelched, however, by small budgets, lean staffing, and technical jargon. Most credit unions have existing vulnerability assessment budgets in place. By leveraging the Rapid7 software suite, credit union security practitioners are able to bring transparency to the current state of security affairs.

I am sure you have experienced the difference it makes when speaking to someone with their paradigm in mind, and with a good story. There is a very different reaction when I tell a client that a given machine is infected and susceptible to attack vs. when I hand the executive their recent tax paperwork and a copy of their customer database. Putting business context into a security conversation makes the discussion relevant to non-technical peers.

Rapid7 acquired the open-source Metasploit security framework in October 2009. Since that time, integration between the vulnerability scanning application Nexpose and Metasploit has been bridged, allowing someone to pivot from a vulnerability right to a pre-loaded exploit page leveraging Metasploit. In April of 2010 Rapid7 then released Metasploit Express, providing a clean graphical interface over an application that had come from a command-line background. This definitely brought penetration testing mainstream. In July 2010 Rapid7 announced sponsoring w3af, a strong web application assessment tool, while hiring the founder of the project, Andrés Riancho. They seem to be acquiring talent and exceptional projects which have large existing install bases- not a bad business strategy in my humble opinion.

Being able to not simply identify vulnerabilities, but to attack, compromise, and collect intellectual property from those assets generates much more response from executives. Security is important. Executives quickly turn a deaf ear to technical jargon. The ability to demonstrate compromise, as opposed to commenting on vulnerabilities, is a game-changer for credit union security practitioners.


October 26, 2010  3:42 PM

Phreaking in iOS 4.1 and Others



Posted by: Jeromie Jackson
fraud prevention, hacking, iOS 4.1, penetration testing, phreaking, Redbox, telecommunication security

RedBox

I came across a post on Twitter about the ability to place calls and view contact information without logging into the phone.

“When your iPhone is locked with a passcode tap Emergency Call, then enter a non-emergency number such as ###. Next tap the call button and immediately hit the lock button. It should open up the Phone app where you can see all your contacts, call any number, etc.”

I thought this was interesting.  Reading the comments I found something however that definitely caught my eye:

- Dial *3001# and press call. You get a “Vote for your favorite developer” screen.
- Dial *301# and press call. You get a message that says “This is a response from short code 301 from LabCore. Powered by Practicallabs”
- Dial *3002# and you get “test for 3002”
- Dial *3003# and you get “this is a test message”
- Dial *3004# and you get “this is a test for short code 3004”
- Dial *3005# and you get “Thank you, your request is being processed. A message will be sent to your phone”

In the 80s and 90s phreaking was a very common practice.  Individuals, and small groups, would scour phone number ranges using war-dialers such as ToneLoc and THC-Scan looking for interesting things.  You can find the results of a lot of this early work at www.textfiles.com.  All kinds of phone testing devices, loops, sweeps, etc. were found, along with modem connections to all sorts of devices.

It will be interesting to see what else can be found in iOS and others.

P.S.  The graphic above is a picture of an old-school “Red Box.”  These were used to simulate the tones a payphone used to signal how much money had been inserted.  _VERY_ popular back in the late 80s & early 90s.


October 20, 2010  2:29 PM

Regulatory Compliance in Cloud Computing Environments



Posted by: Jeromie Jackson
cloud architecture, cloud regulations, cloud security, risk management

Cloud computing offers tremendous business value, as long as it doesn’t compromise regulatory compliance. The type of cloud architecture used directly affects the types of security countermeasures an organization can apply. In this presentation I discussed the various types of cloud environments, the risks associated with each, and appropriate countermeasures for each environment type. Click here to review the presentation.


October 20, 2010  2:10 PM

Managing The Risk and Security of Virtual Environments



Posted by: Jeromie Jackson
IT risk, patching, securing virtual, vmotion, vshield

Virtual environments pose new and challenging risks. Regulatory compliance, virtual sprawl, and environment provisioning are just a few of the topics I discussed during the 17th annual ISSA Discovery Conference in Oahu. Click here for a copy of the presentation.