Getting Involved with the Local Community
Handler Note
This diary is part of the path to becoming a handler. Today's piece was written by Russell Eubanks and is on his path to becoming a handler.
You can find out more at: https://isc.sans.edu/handlerroadmap.html
Russell can be reached at securityeverafter at gmail dot com.
Russell's Diary
The beginning of the year is a great time to commit yourself to a local security community. These organizations exist to foster active and lively security conversations through regular meetings. Many opportunities exist, especially in larger cities, to attend and participate on a regular basis. The following are many of the popular security communities that may very well be available in your area, each listed with a link to learn more about it.
- Defcon Groups - https://www.defcon.org/html/defcon-groups/dc-groups-index.html
- InfraGard - http://www.infragard.net/chapters/index.php?mn=3
- ISSA - http://www.issa.org/?page=ChaptersContact
- NAISG - http://www.naisg.org/default.asp
- OWASP - https://www.owasp.org/index.php/Category:OWASP_Chapter
- Security BSides - http://www.securitybsides.com/w/page/12194156/FrontPag
Every person should strongly consider becoming more involved in their local security community. Both the individual and the community will benefit in the following ways.
- You will have the opportunity to meet like-minded people.
- You will learn something new and could very well learn a new skill.
- You will be able to avoid a pitfall previously encountered by others.
- You will very likely become inspired to improve yourself.
- You will become known in the community as a leader.
- You will improve the community by your involvement.
- You will have the chance to share something you have recently learned with the community.
I have been involved with the leadership of my local InfraGard and OWASP chapters for the last five years. I have found this to be beneficial to both myself and the organizations. It has required a little bit of work every week and can start to resemble a part-time job without the involvement of others. The leaders of these security communities serve by finding interesting speakers, securing a location for the meeting and by encouraging others to attend. I know from experience that the leaders would absolutely welcome your active involvement and participation by sharing the work needed to conduct a successful security community.
If you are not involved in a local security community, I encourage you to find one and become more involved this year. If you are already a regular attendee, strongly consider offering your time in a leadership position. The current leaders will certainly welcome your help. You will find this experience to be rewarding as you actively participate and give back to your local security community. Watching a local security community grow is very rewarding and will often encourage continued involvement from others.
What is keeping you from being involved in your local security community this year?
Exposed UPNP Devices
Rapid7 conducted a widely quoted study, scanning the Internet on port 1900/udp to find devices that expose UPnP [1]. Universal Plug and Play (UPnP) is a protocol frequently supported by home gateways to automate firewall configurations. For example, an IP-based security camera may use the protocol to instruct a firewall to open a port and redirect incoming traffic to it, allowing the user to monitor the camera from outside their own network. Online games use it in similar fashion to allow game servers to reach the host participating in the game. UPnP itself is not exactly a "secure" protocol, and in addition, implementations suffer from various flaws, as the paper by Rapid7 points out.
Rapid7 does offer a free Windows tool to scan your network. In addition, you could use nmap to find hosts supporting UPnP, but you will need an NSE script that sends an "M-SEARCH" request to trigger a response [2]. A UPnP listener will not respond to a typical "empty" nmap UDP scan.
Here is a sample nmap scan using this NSE script:
sudo nmap --script upnp-info.nse -p 1900 -sU 192.0.2.1
Nmap scan report for somehost.mynet (192.0.2.1)
Host is up (0.067s latency).
PORT     STATE SERVICE
1900/udp open  upnp
| upnp-info:
| 72.92.145.199
|     Server: Custom/1.0 UPnP/1.0 Proc/Ver
|     Location: http://192.168.1.1:5431/dyndev/uuid:3872c05b-c117-17c1-5bc0-12345
|       Webserver: LINUX/2.4 UPnP/1.0 BRCM400/1.0
|       Name: Broadcom ADSL Router
|       Manufacturer: Comtrend
|       Model Descr: (null)
|       Model Name: AR-5381u
|       Model Version: 1.0
|       Name: WANDevice.1
|       Manufacturer: Comtrend
|       Model Descr: (null)
|       Model Name: AR-5381u
|       Model Version: 1.0
|       Name: WanConnectionDevice.1
|       Manufacturer: Comtrend
|       Model Descr: (null)
|       Model Name: AR-5381u
|_      Model Version: 1.0
Or you could try to scan on port 5431/tcp if you don't want to install the NSE script, or don't have root permission:
nmap -sV -p 5431 192.0.2.1
Starting Nmap 6.01 ( http://nmap.org ) at 2013-01-30 07:37 EST
Nmap scan report for myhost.mynet (192.0.2.1)
Host is up (0.008s latency).
PORT     STATE SERVICE VERSION
5431/tcp open  upnp    Belkin/Linksys wireless router UPnP (Linux 2.4; UPnP 1.0; BRCM400 1.0)
Service Info: OS: Linux; Device: router; CPE: cpe:/o:linux:kernel
The difficult part is that the most vulnerable devices are the ones with UPnP exposed on the external interface. In many cases these are ISP-supplied routers, and the end user may not be able to turn off UPnP.
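The two points above, that a UPnP listener only answers a well-formed M-SEARCH and that the real risk is a device answering on its external interface, can be checked with a few lines of Python. The following is an added example and not code from the diary or from Rapid7: it builds the SSDP M-SEARCH request, parses the HTTP-style reply into its headers (Server, Location), and flags a reply that arrived from a globally routable address. The target host, timeout and the sample reply are constructed for the example; the sample reply is modelled on the nmap output shown above, with a placeholder UUID, and the address 72.92.145.199 used in the usage note is the one that appears in that output.

```python
"""Added example (not from the ISC diary): probe a host for UPnP with one
SSDP M-SEARCH, parse the reply and flag devices answering on a public
address. Host, port, timeout and the sample reply are assumptions.
"""
import ipaddress
import socket

SSDP_PORT = 1900
SSDP_MCAST = "239.255.255.250"


def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build the SSDP M-SEARCH request that a UPnP listener expects.

    An empty UDP datagram (nmap's default UDP probe) gets no reply; the
    listener only answers this HTTP-over-UDP request with a valid MAN header.
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP reply into a dict of lower-cased header names.

    Anything that is not an HTTP/1.1 200 reply yields an empty dict, so a
    caller never records a stray datagram as a UPnP device.
    """
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(sender_ip: str, headers: dict) -> dict:
    """Summarise one reply: who answered, what it claims to be, and whether
    the answer came from a globally routable (externally reachable) address."""
    addr = ipaddress.ip_address(sender_ip)
    return {
        "ip": sender_ip,
        "server": headers.get("server", ""),
        "location": headers.get("location", ""),
        "public": addr.is_global,
    }


def probe(host: str, timeout: float = 3.0) -> list:
    """Send one unicast M-SEARCH to host (assumed) and collect all replies."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (host, SSDP_PORT))
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(65535)
                headers = parse_ssdp_response(data)
                if headers:
                    results.append(classify(ip, headers))
        except socket.timeout:
            pass
    return results


# Constructed sample reply modelled on the diary's nmap output; the UUID is a placeholder.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:5431/dyndev/uuid:EXAMPLE-UUID\r\n"
    b"SERVER: Custom/1.0 UPnP/1.0 Proc/Ver\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:EXAMPLE-UUID::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for entry in probe(sys.argv[1]):   # e.g. python3 upnp_probe.py 192.168.1.1
            print(entry)
    else:
        print(classify("192.168.1.1", parse_ssdp_response(SAMPLE_REPLY)))
```

Run it with the address of your own gateway to see the same Server and Location values nmap's upnp-info script reports; run it with no argument and it parses the constructed sample instead. The `public` flag uses `ipaddress.is_global`, so a reply from 192.168.1.1 is reported as internal while one from an address such as 72.92.145.199 is reported as externally exposed, which is the case the diary identifies as hardest to fix.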
[1] https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
[2] https://svn.nmap.org/nmap/scripts/upnp-info.nse
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute