USB Stick of Death: Not Really Low Severity

by kriggins on October 22, 2012

in Uncategorized

On October 21st, 2012, Mateusz “j00ru” Jurczyk published a blog post describing an exploit he developed for a local privilege escalation on Windows 7. A successful attack leaves the attacker with SYSTEM-level permissions on the machine. SYSTEM is the highest level of permissions a local account can have, higher than an administrator's.

You can read the details about the exploit here. I suggest you do read it. It is very interesting.

In the post the following statement is made:

...requires the attacker to obtain physical access to the machine and have a local user in the system. Consequently, the only scenario in which it might be a problem security-wise is a local computer shared between multiple users with restricted privileges (e.g. schools, universities, hostels) and thus has been rated as low-severity by both us and MSRC,...

Let's see. Where else might there be situations where this might be of concern? How about any organization that restricts its users from having administrative privileges on their workstations.

Wait, you mean there are places that enforce least privilege on their users?


I work for one. I also know of several government entities that restrict administrative privileges for most users.

Color me crazy, but I'm pretty sure those organizations would not consider the ability to easily elevate privileges as a "low-severity" vulnerability.

Just sayin'.

What do you think?





For some time, there has been a bug in the cryptroot script that garbles the prompt when you enter your passphrase. Some, including me, have also found it kind of annoying that you have to press the F8 key to get to the console to enter your passphrase.

I have updated the how-to with the fix for the cryptroot bug and with instructions on how to remove the splash screen and boot straight to console mode.

Many thanks to James and Greg for figuring out how to do this.

Included below are the instructions which were added to the blog post. These steps can also be taken to correct an already built Backtrack USB drive. Simply boot the drive and follow the instructions below.


Fixing the Passphrase Entry Bug

When we boot our USB drive, it will appear to be stuck on the splash screen. What is actually happening is that the system is waiting for us to enter our LUKS passphrase. We have two choices for doing so.

The first is to just type it in when we see the splash screen. This works as long as we have waited long enough for the system to be ready for us. However, it's kind of hard to tell what's going on.

The second option is to press the F8 key which takes us to the console. There we will see the system waiting for us to enter our passphrase and this is where this odd bug shows up.

Initially, it will look like 4 characters have already been entered. They haven't been, but that's what it looks like. Then, every time we press a key, it will reprint the line asking us to enter our passphrase. It is actually taking the input correctly, but, man, it's annoying 🙂

We can fix that. Greg M and James had a conversation in the comments about this topic and found the resources needed to fix it. James was kind enough to send me the changes that need to be made.

As mentioned, the problem is with the cryptroot script. This is the script that prompts for our passphrase and opens the encrypted volume. Kind of important stuff.

Greg and James used a patch file found in this post in the Backtrack Linux forums. Below I have included the actual changes to be made. Alternatively, you can use a patch file. The commands to apply the patch are as follows.

Warning: You can make your system unbootable if the cryptroot script gets corrupted.

cd ~
wget http://www.infosecramblings.com/cryptroot.patch
patch -u /usr/share/initramfs-tools/scripts/local-top/cryptroot ./cryptroot.patch

If you prefer to do it the manual way, open the file /usr/share/initramfs-tools/scripts/local-top/cryptroot in your favorite editor. Go to line 275. You should see the following:

# Try to get a satisfactory password $crypttries times
count=0
while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do

Add the following line right after 'count=0'

echo "Unlocking the disk $cryptsource ($crypttarget)"

The section should now look like this:

# Try to get a satisfactory password $crypttries times
count=0
echo "Unlocking the disk $cryptsource ($crypttarget)"
while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do

Next, skip down to line 291 and you'll see the following:

if [ -z "$cryptkeyscript" ]; then
    cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
    if [ -x /bin/plymouth ] && plymouth --ping; then

Replace the middle line, the one that starts with cryptkey, with:

cryptkey="Enter passphrase: "

so that it now looks like this:

if [ -z "$cryptkeyscript" ]; then
    cryptkey="Enter passphrase: "
    if [ -x /bin/plymouth ] && plymouth --ping; then

That's it. Save the file and we are ready to rebuild the initramfs. To do that, execute the following command.

update-initramfs -u
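A scripted version of the two edits above, as an added example that is not part of the original post or of the Backtrack project. It applies both changes with awk, refuses to touch a script that does not contain the exact lines quoted above (so running it on an already-patched or different version does nothing), and writes its output to a new file so the original stays intact until you have looked at the result. The CRYPTROOT path and the script layout are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Backtrack project:
# applies the two cryptroot edits described above with awk instead of a hand edit,
# and refuses to touch a script that does not contain the exact lines the post
# quotes (so it does nothing on an already-patched or different version).
# The default path assumes the Backtrack 5 / Ubuntu initramfs-tools layout.

CRYPTROOT=${CRYPTROOT:-/usr/share/initramfs-tools/scripts/local-top/cryptroot}

# The prompt line that carries the literal \n responsible for the odd display.
OLD_PROMPT='cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "'

# patch_cryptroot FILE
# Writes the patched script to FILE.new, prints that path and returns 0.
# Returns 1 and writes nothing if FILE lacks either landmark line.
patch_cryptroot() {
    f=$1
    grep -qF "$OLD_PROMPT" "$f" || { echo "$f: original prompt line not found" >&2; return 1; }
    grep -qE '^[[:space:]]*count=0$' "$f" || { echo "$f: count=0 line not found" >&2; return 1; }
    awk '
        BEGIN {
            old = "cryptkey=\"Unlocking the disk $cryptsource ($crypttarget)\\nEnter passphrase: \""
            new = "cryptkey=\"Enter passphrase: \""
        }
        # Edit 1: print the Unlocking line once, right after count=0, with the same indentation.
        /^[[:space:]]*count=0$/ {
            print
            match($0, /^[[:space:]]*/)
            print substr($0, 1, RLENGTH) "echo \"Unlocking the disk $cryptsource ($crypttarget)\""
            next
        }
        # Edit 2: drop the embedded newline from the prompt handed to askpass/plymouth.
        {
            i = index($0, old)
            if (i > 0) $0 = substr($0, 1, i - 1) new substr($0, i + length(old))
            print
        }' "$f" > "$f.new" && echo "$f.new"
}

# Usage, as root, once the .new file looks right:
#   new=$(patch_cryptroot "$CRYPTROOT") && cp "$new" "$CRYPTROOT" && update-initramfs -u
```

Because the function checks for both landmark lines before writing anything, a second run against the patched file exits non-zero instead of inserting a second echo line, and a script from a different initramfs-tools version is left alone for you to inspect by hand.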

Now, if having to press the F8 key at boot bugs you, you can change the boot sequence to go directly to the console.

Warning: You can make your system unbootable playing around in here 🙂

To make the system boot to the console, edit the /boot/grub/grub.cfg file, search for the word 'splash', without the quotes, and delete that word and only that word. The line will end up looking like this:

linux /vmlinuz-3.2.6 root=/dev/mapper/vg-root ro text vga=791

Note that grub.cfg is regenerated by update-grub (for example when a new kernel package is installed), which will put 'splash' back. To make the change stick, remove 'splash' from GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and run update-grub instead of editing grub.cfg directly.

If all goes well, you are now ready to cross your fingers and reboot.


Guess or Know?

by kriggins on March 7, 2012

in Uncategorized

Stanford, and other colleges, have started offering some courses online for free. You can see one such portal here. I have started one and a couple others are starting soon. Very good stuff.

Anywho, several of us were talking on Twitter this morning about a couple of them and the following exchange occurred.

That got me to thinking a little bit about guessing and keeping quiet.

How often in our efforts as security professionals do we guess we know something and don't ask a question?

How often do we assume somebody else knows something and don't offer a comment or provide information?

I know that I have been guilty of both on more occasions than I can count and will be guilty of both many more times in the future.

However, I'm going to work on getting better. Like my tweet above says, it's better to know than to guess.

Which brings up another point. Please folks, don't get offended or snotty when somebody tells you something you already know. That's just rude, particularly, when they have your best interests in mind.

What do you think?



Here are today's Interesting Information Security Bits from around the web.

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.



This is the weekly recap of things that happened on the SecurityTwits feed for August 31st - September 6th, 2011.

What's in the recap?

It contains most of the tweets/retweets made by SecurityTwits and many of the responses that copy SecurityTwits. That of course means that if you respond to a SecurityTwits tweet, make sure to include both the original poster and SecurityTwits so everybody can learn from the conversation.

The format will be original tweet/retweet left justified and then any responses indented just under that tweet.

I hope you find this helpful and I welcome suggestions on how to make these recaps even better.

InfoSec Questions

RT @jkvester: @securitytwits anyone got the bypassuac metasploit post module working on Windows 7? (If so, which patchlevel?)

RT @pwpslade: Does anyone have stats for the number of organisations using multi-factor authentication? #infosecq

InfoSec Call for Presentations

RT @hackinparis: #hackinparis Call For Papers now online, feel free to send your talk and workshop proposals ! http://bit.ly/oBmbLg

RT @shmoocon: Oh, hi! How about a CFP? http://www.shmoocon.org/

InfoSec Meet-ups/Tweet-ups

RT @d0rkh0rs3_tjw: Who wants to do another #SeacoastSec #MaineInfoSecTweetup soon? Some Saturday in the next couple of weeks, and where?

RT @InfoSecMentors: www.infosecmentors.com is up! We're doing quick matches, now until Sept 14. Pls RT! #BruCon Are you signed up?

InfoSec Jobs

For additional job listings, make sure to visit LiquidMatrix's job board.

RT @Digital_Defense Digital Defense is hiring! Looking for exp pen testers, software engineers. Interested? hr <at> ddifrontline.com

RT @kriggins: Please take my job, RIsk Assessment Team Mngr, so I can stop doing it + my new role: http://bit.ly/6KFodT Req number 212679

RT @wimremes: I'm still looking for manager and senior level infosec people and IT auditors. Dutch or French + English. Hit me up.

RT @MikD: Looking to hire 2 full time, former PCI QSA Managers (or experienced). Also, friend is looking for PCI contractors.

RT @danphilpott: I'm currently looking for some C&A folks for a few projects. If interested in working for a fast growing company DM me.

RT @alexhutton: Open InfoSec positions here in Salt Lake (possibility of remote): IAM, 2 Security Architects, 1 Security Testing. DM Me.

RT @kizz_my_anthia: R7 is looking for a new pen tester or two, hit me up for details if u or you no sum1 interested

RT @StrongwaterSec: A challenging InfoSec position in one of the most interesting security environments, higher ed, is open! bit.ly/qyFWRv

RT @innismir: Looking for a Server Hardening/Vulnerability Assesment Engineer in the Providence RI area. DM for details #infosecjobs

As usual, questions and comments can be left below or you can email me at kriggins@infosecramblings.com



My how-to for installing Backtrack 5 to a USB thumb drive or hard drive has been published. There are several changes from the Backtrack 4 how-to, but nothing catastrophic. I do plan to create an updated persistent install how-to also, but it will be a day or two before I can get to that.

Backtrack 5 – Bootable USB Thumb Drive with “Full” Disk Encryption

As usual, please let me know if you notice any problems or typos. You can do so by emailing me at kriggins@infosecramblings or leaving comments on the page itself.



Backtrack 5 and My How-tos

by kriggins on May 12, 2011

in Uncategorized

My Backtrack how-tos will be updated this weekend with specifics for Backtrack 5.

The full disk encryption how-to appears to work fine as long as you increase the boot partition size. The exact size is unknown at this time, but 1000MB works. Details this weekend.


The USB how-to should work as is except you do not need to install Nessus. It is now included in the distribution.






What to Read Wednesday: Securosis

by kriggins on December 29, 2010

in Uncategorized

Note: Some of the suggestions for What to Read Wednesday will be corporate sites/blogs. I do not receive any financial or other compensation for these suggestions. They are based solely on my belief that you should be reading what they provide.

If you are looking for in-depth research that you can actually use, you can't go wrong with the stuff that Securosis turns out. I know almost all the folks at Securosis and they all generate exceptional content.

And as a bonus, Securosis provides all their research free to you and me. We just can't beat that price 🙂

I have had the pleasure of meeting Rich Mogull, Mike Rothman, David Mortman, Gunnar Peterson and Dave Lewis in person and have enjoyed communicating with them and James Arlen online. I have not met Chris Pepper or Adrian Lane although I have been in the same room as Adrian 🙂

There are a couple ways to consume their content. There is a blog, both a highlights version and full version, and their research library.

Here are a few items to give you a taste of what they can provide:

Project Quant: a metrics model for measuring the costs and effectiveness of patch management

Friday Summary: December 24, 2010

Incite 12/22/2010: Resolution

Pop the feeds in your reader and bookmark their research page. You'll be happy you did.

You can also follow all the Securosis staff on twitter too. I do.

Rich Mogull (@rmogull)

Mike Rothman (@securityincite)

Dave Lewis (@gattaca)

David Mortman(@mortman)

Gunnar Peterson (@oneraindrop)

Adrian Lane (@adrianlane)

James Arlen (@myrcurial)

Chris Pepper (@reppep)

Mellissa Schott (@geekgrrl)

As always, comments welcome below or you can email me: kriggins@infosecramblings.com

If you are interested in getting my content regularly, go ahead and subscribe to my RSS feed. You can also subscribe have posts emailed to you if you prefer.



I am at the RSA conference again this year. At the same time and nearby, Security BSides is holding an event.

Most of you are are probably aware of the RSA conference, but many may not be familiar with Security BSides. From the site:

What is BSides?

BSides is a community driven unconference built for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos and interaction from participants. It is where conversations for the next-big-thing are happening. We've followed the BarCamp format... because it works.

The format is intimate, i.e. small, and the content is voted on by the community. This was my first opportunity to participate in this type of conference and I found it a great environment for learning and interacting with peers.

Security BSides

I spent the morning at BSides and it was time well spent.

Life on the InfoSec D-list by Andrew Hay

The opening keynote was delivered by Andrew Hay. Andrew started a series of interviews called the D-list a while back and I consider myself fortunate to have been included. Before you take umbrage at the name D-list, you need to understand what Andrew means.

Being on the D-list means you are in the trenches getting the work done. You are contributing to the field and active in the community. You may not be a "star", but you care and are committed to the profession.

He talked about the importance of community and gave some tips on ways to possibly move up the chain should you be so inclined.

I thought it was a great keynote and that perspective is in no way influenced by the fact that I consider Andrew a good friend 🙂  We all have ways we can contribute to the profession and community and being on the D-list is not to be scoffed at.

Preparing for a PCI forensic investigation by David Barnett

After Andrew's keynote, David Barnett delivered a talk about PCI investigations. David is an ex-QIRA. For those who don't know, a QIRA is a Qualified Incident Response Assessor. This is the individual that will show up to perform the incident response assessment in the event you are involved in a PCI DSS breach.

David shared what is involved when a QIRA comes on site and also offered some tips on how to manage an incident in a manner that will make it much less painful. From his talk description:

Reviewing lessons learned from dozens of past forensic cases, this presentation will highlight how to prepare for a PCI mandated forensics investigation including; what steps should be taken to limit fines and fees, how to ensure you have proper legal representation, how to limit the scope of the investigation, and what questions to ask before deciding on who will conduct the forensic investigation.

This was an interesting talk with a great deal of information in it. I hope to get the slide deck and will offer other thoughts after that.

So what's the Alternative by Michael Santarcangelo, JJ (Jennifer Jabbusch), Marisa Fagan

This talk was a panel that explored what can be done to remove the inherent risk that passwords bring to the table. It was a lively discussion and was particularly interesting since Michael attended via Skype. His head was huuuuge 🙂

Of particular note to me was the discussion about the difference between identity and authentication and how in most cases we have merged the two. Very interesting stuff. The conversation continues on Twitter. Join in here.

Moving venues

After the password panel, I moved from BSides, which was held in a co-working site not too far from the Moscone center, over to RSA.  Transportation back and forth was generously provided by BigFix. I hopped on the bus and enjoyed a nice ride back to the conference site.

Security "Groundhog Day" – Third Time's a Charm with Martin McKeay, Rich Mogull, Ron Woerner, Dave Lewis and Mike Rothman.

This was the second time I attended this panel and its third iteration. It is a fun and informative discussion about what is going on in the security industry and that we can't keep doing the same things and expecting a different outcome. There was a lot of ground covered from APT to what technologies should die to several other topics. Very interesting stuff.

Case m00p by Mikko Hypponen

After repeating my Groundhog Day experience :), I went to a talk given by Mikko Hypponen of F-Secure. Mikko’s talk was a walk-through of the investigation and eventual apprehension, at least of some members, of the computer hacking gang called m00p. Mikko is a very engaging speaker and this was a very interesting talk.

Nothing cutting edge because the case itself was a little older, but very interesting to see the steps that Mikko went through to track these folks down. The most amusing part about the story was the gang’s constant need to tell what they did and their naiveté in thinking that Mikko would not share that information with law enforcement.

Winnovation- Security Zen through Disruptive Innovation and Cloud Computing by Christofer Hoff and Rich Mogull

This rapid-fire information onslaught was an extension of a talk Chris and Rich gave last year. It focused on the fact that innovation is often disruptive and that cloud computing is acting as such an agent right now. Chris and Rich are fun to watch and at the same time introduce a great deal of information.

One of the biggest takeaways I had from this talk is not necessarily new, but still very important. We have to talk to the business in a manner that shows we are supporting their effort, but at the same time help them understand we want to do so in as secure a manner as is appropriate. Rich offered up some tips and good questions to ask and hopefully I can get the slide deck later so they can be shared more widely.

Speaker’s Dinner

The final event for the first day of RSA/BSides for me was the speaker’s dinner. I attended as a speaker this year. I led a peer-2-peer session on Wednesday that I will talk about in a separate post. I enjoyed the dinner and discussion even though the drinks and hors d’oeuvres time was packed, hot and loud 🙂

I thought the first day of both conferences was fantastic and the rest followed along the same path. More on that later.