Tenable Blog

Physical Access: RFID Badges

This year's competition debuted an RFID badge hacking system. The Red and Blue teams had separate rooms that were governed by badges and a badge reader. The Red team badges were allowed access only to the Red team room and vice versa for the Blue teams. I really wanted to hack the badge system right out of the gate. There were a couple of motivators involved (including the fact that my friend Larry put the system together), and if we bypassed the RFID reader the Red team would gain physical access to the systems after the Blue teams went home for the night.

Before the competition started I mapped out a plan of attack. Since all of the Red team members were in the same room and I had access to their badges, I planned to scan them and record all of the values. This would give me knowledge of the known values, making any other value a potential Blue team code. Before I could scan the badges, I needed to set up a reader. Larry had a reader for players to use, but I wanted to set up one of my own (besides, I did not trust Larry… what if he defected to a Blue team?). After about two hours of fighting with software library installations, failed dependencies and USB drivers, I finally had a working reader. I was using RFIDIOT to do the reading, which are Python scripts developed by Adam Laurie. While it is a great contribution to the security community, the documentation could have been more comprehensive (if you are looking to contribute to an open source project, here is your chance!). Having little to no experience with RFID, it was a challenge to figure out how to correctly configure my reader and set it up to read our badges, but persistence prevailed and just before the competition started I was reading Red team badges.

Welcome to the Tenable Network Security Podcast - Episode 26

Announcements

• Two new blog posts have been released titled "The Value Of Credentialed Vulnerability Scanning and Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 7 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview - Ron Gula - CCDC Recap

Ron Gula and I discuss our experiences at the 2010 Collegiate Cyber Defense Exercise held this past weekend in Columbia, MD.

"What Am I Doing Wrong?"

I am often asked, "What am I doing wrong in regard to security?". This question is usually in reaction to some event, such as a failed audit, a network outage as a result of malware or worm or a breach that was detected in the environment. I ran into this situation while doing incident response for a large university. It was my job to monitor the network and respond to the major incidents that were occurring (it was also up to me to determine what was "major" and what was not). I worked with many different network and system administrators on campus to help them improve the security of their respective departments. However, this was an academic environment full of students and professors who wanted to work in a free and open environment, which turns out is one of the most difficult to secure!

If a department had a compromise, I would do my best to help them figure out what happened and take measures to prevent it from happening again. A comprehensive assessment would next be performed to gain a better understanding of the security shortcomings and appropriate remediation measures. These types of assessments can be a daunting task for any security professional. Nessus was one of the primary tools we used to get a handle on the vulnerabilities in the environment. While it is important to scan for vulnerabilities such as missing patches or buffer overflows, assessments need to go deeper than that because attackers will use any approach they can to breach a system. A mis-configured system does not necessarily have a CVE or BID entry. The more comprehensive the audit, the better chance I had of making a recommendation that would effect change and result in better security (which really boiled down to me not having to come back in “incident response mode”).

In the interest of helping you cope with the "APT" hype, I thought I'd offer a few observations and ideas about things you can do that might actually help. After all, it's too easy to point and shout "hype" - the truth is that there is a problem, and system and network administrators who are concerned with security do have to worry about long-term embedded penetrations in their network.

There are two primary approaches to Intrusion Detection and they both work. But, they work against different threats, for different reasons. One is the 'classical' IDS approach: know what attack looks like, and look for the attack. That's what most of the signature-based IDS do, and they're good at it and therefore they are useful. The second is the 'analytical' approach (what Richard Bejtlich, in his excellent books, calls "network security monitoring"): know what your network and systems usually do, and begin an investigation if you see them suddenly start doing something new. As with everything, there are trade-offs. Some people would say that the first approach has a problem of "too many false positives" although, seriously, if your network is carrying such a large amount of apparently hostile traffic that your IDS is constantly ringing off the hook, I think you've already got a serious problem. The second approach has the problem that "start an investigation" may be outside the purview, skill set, or energy level of many system/network managers - especially now that the typical system/network admin is chief cook, busboy, and bottle-washer all rolled up in one.

Tenable Network Security will shortly release SecurityCenter 4. It embodies our entire Unified Security Monitoring^TM strategy. SecurityCenter 4 places everything you need to know about vulnerabilities, missing patches, intrusion events, anomalies, log searches, configuration audits, file integrity auditing and much more right at your fingertips. It centralizes all system and event alerting for any type of security, IT or compliance regulations. But most of all, it makes your job as an auditor, a “risk mitigator”, a compliance monitor, a security analyst or even an IT executive, much easier. This blog post discusses the major functions of SecurityCenter 4 and provides several screen captures to illustrate them.