Don’t store service account passwords in Active Directory attributes

A predecessor of mine decided to store service account passwords in the description attribute of the account. I’m somewhat grateful that he at least documented them, but further investigation showed just how negligent this is—especially given that many service accounts have escalated privileges.

I’m not super familiar with the gory details of how AD implements LDAP, but suffice it to say: it appears that any domain account may bind LDAP and query any other object’s properties—even totally unprivileged accounts within subdomains.

Continue reading Don’t store service account passwords in Active Directory attributes

Wi-Fi Security: Attack and Defense

Originally appeared in 2600 Magazine issue 30:4

This article seeks to examine the current state of Wi-Fi security, with a practical emphasis on attack and defense methodology. The proliferation of mobile devices, decreasing cost of deployment, increasing speed, and overall convenience, likely all play huge roles in the snowballing popularity of wireless networking. These benefits do not come without drawbacks, however; it seems convenience and security are inversely related. As we gain one, we lose the other. Wi-Fi security has matured significantly since its birth around the turn of the millennium, starting with open networks and WEP encryption. With insecure networks declining along with the ratification of WPA2 in 2004, it would seem we are moving toward a more secure wireless world. Experience, however, tells a different story.

Continue reading Wi-Fi Security: Attack and Defense

Harden DD-WRT against DNS rebind attacks

Yesterday I watched the presentation by Craig Heffner at DEFCON 18, where he describes using DNS rebind attacks to gain access to routers’ configuration pages from the public Internet. It’s a pretty complicated attack, requiring a rogue domain and server, and whose success relies on two pretty glaring end-user mistakes:

  1. Visiting that rogue domain and server; and
  2. Leaving a weak or default username and password on the router’s admin page.

Most people savvy enough to flash their router with DD-WRT know enough to steer clear of those mistakes, but it still bothers me that DD-WRT remains technically vulnerable to this attack.

Continue reading Harden DD-WRT against DNS rebind attacks