Metasploit 4.2 release: Brute force of vSphere API

Rapid7 has announced, with Metasploit 4.2, brute force attacks on weak passwords in the vSphere web services API (vmware-api) and the vmauthd service. The module repository also shows updates to the ESX scanner as well as a few admin scripts.

  • vmauthd_version : Discovers the version details for a vmauthd service
  • esx_fingerprint : Fingerprints (down to the build number) of a stand-alone ESX server
  • vmware_http_login : Attempts to brute force local VMware credentials via the Web Services interface
  • vmauthd_login : Attempts to brute force local VMware credentials via the vmauthd service
  • vmware_enum_users : Enumerates both local and domain VMware user accounts
  • vmware_enum_permissions : Enumerates locally-defined user and group permissions on a VMware instance
  • vmware_enum_sessions : Enumerates active VMware login sessions
  • vmware_enum_vms : Enumerates all local virtual machines on the local VMware instance
  • vmware_host_details : Discovers host hardware and software details of the VMware host machine
  • poweroff_vm : Powers off a virtual machine via the VMware Web Services interface
  • poweron_vm : Powers on a virtual machine via the VMware Web Services interface
  • tag_vm : Writes a user-defined “tag” to the VMware logs as proof of compromise
  • vmware_screenshot_stealer : Grabs screenshots of VMware guest operating systems as proof of compromise
  • terminate_esx_sessions : Disconnects a user from the ESX server

Finding weak passwords is a good example of old threats and vulnerabilities applied to new environments. VMware gives customers the ability to enforce strong password policies, but that does not mean every host will be configured properly. These modules are an excellent way to validate vSphere hardening procedures in an organization: run them against your own hosts with the wordlists an attacker would use and see which credentials survive.
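One way to check the policy side before the brute forcers arrive is to evaluate a wordlist against the host's own password rules. ESXi exposes its local policy through the advanced setting Security.PasswordQualityControl, whose value is a pam_passwdqc option string (for example "retry=3 min=8,8,8,7,7"). The checker below is an added example, not part of the Metasploit modules or of VMware's code; the two policy strings and the wordlist are constructed for illustration, and passphrase handling is simplified to "three or more whitespace-separated words". It shows which common wordlist entries a lax min= setting still lets through, which is exactly what vmware_http_login and vmauthd_login would find.

```python
"""Evaluate candidate passwords against an ESXi-style pam_passwdqc policy.

The five min= values are the minimum lengths for passwords built from
1 class, 2 classes, a passphrase, 3 classes and 4 classes of characters;
"disabled" forbids that kind of password entirely.  Character classes are
digits, lower case, upper case and everything else.  As in passwdqc, an
upper-case first character and a digit last character do not count toward
the class total (the "Password1" pattern is still a one-class password).
Passphrase detection is a simplification of passwdqc's word counting.
"""
import re

KINDS = ("1 class", "2 classes", "passphrase", "3 classes", "4 classes")


def parse_policy(policy: str) -> list:
    """Return the five min= thresholds; None means that kind is disabled."""
    opts = dict(tok.split("=", 1) for tok in policy.split() if "=" in tok)
    # Fallback is the passwdqc manual's default for min= when it is absent.
    fields = opts.get("min", "disabled,24,11,8,7").split(",")
    if len(fields) != 5:
        raise ValueError("min= must carry exactly five values")
    return [None if f == "disabled" else int(f) for f in fields]


def character_classes(password: str) -> int:
    """Count character classes the passwdqc way (first upper / last digit ignored)."""
    body = password
    if body and body[0].isupper():
        body = body[1:]
    if body and body[-1].isdigit():
        body = body[:-1]
    patterns = (r"\d", r"[a-z]", r"[A-Z]", r"[^0-9A-Za-z]")
    classes = sum(bool(re.search(p, body)) for p in patterns)
    return max(classes, 1)


def policy_index(password: str) -> int:
    """Map a password to the min= slot that applies to it."""
    if len(password.split()) >= 3:          # simplified passphrase test (assumption)
        return 2
    return {1: 0, 2: 1, 3: 3, 4: 4}[character_classes(password)]


def check_password(policy: str, password: str) -> tuple:
    """Return (accepted, reason) for one password under one policy string."""
    mins = parse_policy(policy)
    idx = policy_index(password)
    needed, kind = mins[idx], KINDS[idx]
    if needed is None:
        return False, f"{kind} passwords are disabled"
    if len(password) < needed:
        return False, f"{kind} needs {needed} characters, got {len(password)}"
    return True, f"{kind}, length {len(password)} >= {needed}"


def surviving(policy: str, wordlist: list) -> list:
    """Entries of a brute force wordlist that the policy would have accepted."""
    return [w for w in wordlist if check_password(policy, w)[0]]


# Constructed sample wordlist of the sort a login brute forcer would try.
WORDLIST = ["vmware", "password", "Password1", "esxi2012",
            "Vmw@re1!", "correct horse battery staple"]

# Constructed policy strings: a permissive one and a strict one.
LAX_POLICY = "retry=3 min=8,8,8,7,7"
STRICT_POLICY = "retry=3 min=disabled,disabled,disabled,7,7"

if __name__ == "__main__":
    for pol in (LAX_POLICY, STRICT_POLICY):
        print(pol)
        for word in WORDLIST:
            ok, why = check_password(pol, word)
            print(f"  {'PASS' if ok else 'FAIL'}  {word!r}: {why}")
        print("  survivors:", surviving(pol, WORDLIST))
```

Under the lax policy every entry except "vmware" is accepted, including "password" and "Password1"; under the strict policy only "Vmw@re1!" survives. Read the real value from a host (for example with esxcli system settings advanced list on the Security.PasswordQualityControl option) and feed it in place of the constructed strings.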

RSAC 2012: Interview with Bruce Schneier about his new book, Liars and Outliers

Come see Bruce Schneier and me at the RSA Conference in San Francisco, where we will discuss his new book, Liars and Outliers: Enabling the Trust that Society Needs to Thrive. He was kind enough to mention me by name on his blog:

At the end of February, I’ll be at the RSA Conference in San Francisco. In addition to my other speaking events, Davi Ottenheimer will interview me about the book at something called The Author’s Studio. I’ll be doing two one-hour book signings at the conference bookstore. And, and this is the best news of all, HP has bought 1,000 copies of the book and will be giving them away at their booth. I’ll be doing a couple of signings there as well.

We will be in the Crypto Commons, Wednesday, February 29th from 10:20 am – 10:50 am

Crypto Commons will be the home for new events at RSA Conference 2012 this year. One of these new events will be the debut of the Security “Author’s Studio.” Come spend 30 minutes watching and participating in a live interview with a well-known author who is also speaking at the Conference. The interview will be done by a selected delegate and will include questions from the audience. A book signing will follow.

The book has just been published and already is getting many rave reviews for his treatment of game theory and his thorough study of trust. He is clearly one of the best writers alive and is known for an amazing ability to synthesise, distil and explain complex security theory in a very accessible and entertaining format.

Liars and Outliers

We don’t demand a background check on the plumber who shows up to fix the leaky sink. We don’t do a chemical analysis on food we eat.

Trust and cooperation are the first problems we had to solve before we could become a social species. In the 21st century, they have become the most important problems we need to solve—again. Our global society has become so large and complex that our traditional trust mechanisms no longer work.

I don’t know about you but I don’t background check the plumber because I use a different set of controls instead. It’s not like I actually trust the plumber. And I have been known to do chemical analysis of food. Perhaps you can imagine how this interview will go. :)

Below is a video on YouTube I found with Bruce introducing the core dilemma he addresses in the book (20 views so far).

After I watched it a few times (to help get the view numbers up) an alternative title came to mind: Life with Parasites.

Now just imagine my voice interrupting him to ask whether we really should judge the outliers absolutely as parasites, or whether the dichotomy breaks down once we introduce a few degrees of relativism. Given that one person’s parasite can be another person’s provider, does the dichotomy give way to a cycle of rewards?

To put it another way, why is it after a bombing that a bus driver is more likely to return to driving a bus than a passenger is likely to return to riding one? Is it trust? I say no but maybe Bruce can convince me otherwise.

Hope to see you there.

OC Healthcare Breach Response Example

The recent breach of “Jude Medical Center in Fullerton and Mission Hospital facilities in Laguna Beach and Mission Viejo” offers some examples of communication made after discovery.

First, the article gives a statement regarding obfuscation of the data:

But the data would have been difficult to access without using “a complex combination of terms” or be doing an “extensive search,” said Dr. Clyde Wesp, chief medical-information officer for the St. Joseph Health System.

Complex according to what? Compliance regulations tend not to use “complex” or “extensive” to describe controls required for privacy because computers are very good at turning both complex and extensive into easy and fast operations.

The University of Miami tried to make this argument when they lost their backup tapes. It did not fly then and it won’t fly now. Doctors, of all people, should know better than to claim that complexity will be the main impediment to success.

So the question they really should answer is related to the “strength” of the control that protects data, not the complexity.

Second, the article says they are unaware of anyone obtaining the data improperly:

St. Joseph discovered the security breach within the past week after receiving a phone call from a patient’s attorney, said hospital officials, adding they do not know how the patient learned about the problem. Personnel at the two hospitals have not heard of any of the information being improperly obtained, Wesp said. The information could have been accessed from Google and Yahoo; the hospital worked with the search engines to delete the information from the Internet.

They may be trying to emphasise that it is hard to prove a negative. Yet the article also gives at least two positive examples of improper access.

The first is by the search engines. They have evidence that the data was accessed by Google, Yahoo!, and so forth. Did they authorise search engine access? No.

The second is by the patient’s attorney. Clearly the patient’s attorney obtained something akin to improper access, which is why they contacted the entity.

This also undermines their “difficult to access” communication in the first point. It is easy to use a search engine. It must have been easy enough for the patient and/or their attorney to find the data and access it, so how complex is it really?

Third, they try to give some of the usual disclaimers:

It would not have included Social Security numbers, addresses or financial data, the doctor said. “I think that the most important thing is that our response was rapid,” Wesp said. “As a health system, we have secured the sites, and this information is not available any longer.”

These no longer carry any weight. Regulators, as well as patients, have expanded the scope of concern beyond basic financial information. Email addresses, birth dates, intellectual property, even zip codes are increasingly considered privacy-related information. And if they want us to believe the data was not privacy-related, why would they report the breach at all?

It’s nice to see that they had a “rapid” response, but I don’t know anyone who would characterise that as “the most important thing”. Everyone, I think, would agree it is more important to prevent a breach, or to detect a breach internally, than to respond rapidly. That certainly has been the perspective taken by regulators who have fined entities for failure to prevent breaches. Rapid response lessens the penalties; it does not remove them.

SL33 Catamaran

Morrelli & Melvin’s new catamaran is a beautiful example of modern efficiency in sailing technology and design. The crew tells me that with just 17 knots of breeze on an easy-going day they were easily topping 24 knots of speed. During the Three Bridge Fiasco race in 8 knots of breeze the boat was sailing at 12 knots. They finished in second place and just 48 seconds behind last year’s winning time.

This will be a serious competitor to the eXtreme 40 design and may lead to the sort of transition of an entire fleet that we saw with the Melges 32 from the Farr 40.

One of the key differences between the two catamaran designs is that the X40 uses stiff hulls to offset the risk from huge loads on its lightweight frame. The SL33 design emphasizes strength in the skeleton; it adds weight in the beams but has light hulls. Another major difference is that the SL33 was designed to come apart easily and fit in a 40 foot shipping container. It basically looks to be a more fun, less expensive and more convenient alternative to the popular X40s.

The design is also huge news in terms of the upcoming America’s Cup in San Francisco. While the premiere match races will be on Morrelli & Melvin-designed catamarans (AC45 and AC72), the SL33 gives club racers and sponsors an option to invest in a similar design in a far more affordable and shippable format. That makes it not only a competitor to the X40 class but potentially a conversion machine to pull even die-hards of the monohulls into the future of sailing, or at the very least force monohull designs to adapt and improve.

See you on the Bay!

Updated to add Emirates Team NZ – TV News clips on the SL33 and the computers used to design them: