March 31, 2008

WRTSL54GS Removable Antenna Mod

I've just posted a how-to over at wrt54ghacks.com on adding a removable antenna to the WRTSL54GS versions 1.0 and 1.1. This modification will allow you to use all manner of antennas with RP-TNC connectors with your router.

Check out the posting here.

As always, comments are welcome.

- Larry "haxorthematrix" Pesce

larry /at/ pauldotcom.com

March 28, 2008

My Latest Presentations

All:

Recently I've done some webcasts on various security topics in a few different venues (webcasts and the like). I've had several requests for the presentation media, so I've updated our presentations section with the following:

I really enjoy doing the monthly threat summary and try to include as many "bleeding edge" threats as I can. Most I pull from my hundreds of security news feeds, and some I pull from my twisted imagination. The webcast had over 200 people listening live, so we are very pleased with the level of interest and thank all those who have attended. If you enjoyed the webcast please share it with all of your friends.

Thanks for listening!

PaulDotCom

March 25, 2008

Notacon 5

We had a friendly reminder about the upcoming Notacon 5 in Cleveland, Ohio on April 4th through 6th.

The speaker lineup looks to have some promising stuff that may not be available (for whatever reason) to some of the other security type cons.

Unfortunately the PaulDotCom crew won't be able to make it. We'd love to go, but other responsibilities took priority. We would love to hear your feedback on the con!

- Larry "haxorthematrix" Pesce

March 24, 2008

Building A Botnet With Twitter?

Technology is a wonderful thing, and I love nothing more than to experiment with it. As security professionals, it's in our best interest, and the best interests of the organizations we set out to protect, to understand new technology and the implications for security. I truly believe that you cannot understand how to secure something until you've had some hands-on time using it. This is part of the reason why you will see us on many of the popular social networking sites such as LinkedIn, Facebook, and even MySpace (I won't link to them, but you can find both myself and Larry on at least LinkedIn and Facebook by our email addresses, see the Contact Page). The latest experimenting: you can now find me on Twitter (Larry too!). These are turning out to be some fairly useful networking tools, but present some risks and interesting attack scenarios.

For example, recently Twitter added the ability to send updates to Twitter, and receive updates from the people you are "following" via Jabber. This is very handy, "TWITTER" just shows up as another entry in your buddy list. To update your own Twitter page, just send the text to the "TWITTER" buddy. When someone you follow makes an update, Twitter sends it as a Jabber IM message back to you. You can do the same thing with SMS text messages. The danger? This allows me to put content in one place, and using the Twitter network, push it to potentially thousands of people automatically! This means if you can send some sort of exploit, or even a link to an exploit, and post it to people's Twitter accounts, it gets sent to a potentially wide audience. This sounds like the Smurf 2.0 attack to me (sorry, I couldn't resist). You would of course need to hijack someone's Twitter account, or discover an XSS in the Twitter web site, or some sort of authentication bypass. However, one of those vulnerabilities in the Twitter system could be extremely damaging due to the nature of the Twitter network. Not only do you have the ability to send malicious content to people's browsers, but you can also send exploits to Jabber clients and people's cell phones, all by just posting small amounts of content to one person's Twitter page!

Ah, but you say, what are the chances of this type of vulnerability? Nitesh Dhanjani already found one.... This vulnerability allowed anyone who knows your phone number to essentially hijack your Twitter page. I was surprised not to see this exploited in the wild.

A tale of information gathering made easy, Part two

After my information gathering adventures at the airport on my way to Shmoocon, I was looking forward to getting to my hotel, grabbing a shower, and going to find some attendees for a beer. An uneventful hotel check in found me in my room only a few minutes later.

On my way to my room, I noticed a few smaller event rooms on my floor, hosting a number of smaller meetings. These meetings appeared to be some sort of mini-sales type of convention - "deductible junkets" if you will. This type of thing is not uncommon.

Once I found my room, I had a small surprise upon entering. Apparently a fine gentleman who was originally scheduled to be at one of these mini-conventions did not show up, and I was assigned his room. How do I know this?

LetMeBeFrank.jpg

I'm not Frank.

It would appear that this particular company (obscured to protect the innocent/guilty), was able to get the Wardman Park Marriott to place these helpful packets in the attendees rooms before they arrived. How convenient! Why do I think that Frank didn't attend? The envelope was still sealed, and it was placed in the correct room, according to the designation on the envelope.

Upon opening, I had been provided some excellent information on the company.

FrankLetter.jpg

Sweet. Employee directory and last year's sales report, amongst a few other things that may be helpful during social engineering attempts. Now, sure I'd have to want to target this particular company. The one that was right down the hall, with free drinks...

This company has just provided someone unknown with some potentially sensitive information (well, at least not public) without any type of authentication. Supposedly, authentication would have been provided by the front desk, by checking Frank into his room. I spoke to a friend who is a meeting planner/conference organizer for a very large organization about this particular situation, who was notably shocked with this practice. For a nominal fee per attendee (and sometimes you can even negotiate it for free), the hotel will provide this type of information in person, at the hotel registration desk, when the attendee presents his or her identification. This sounds like a little bit better authentication to me.

What's the lesson? Require some form of authentication for distribution of sensitive information (paper or otherwise), and be mindful that utilizing a third party to perform that authentication may not always work either - sometimes the third party's commitment isn't the same as your own. If you want a job done right, do it yourself.

- Larry "haxorthematrix" Pesce
larry /at/ pauldotcom.com

A tale of information gathering made easy, Part one

Apologies to those that read this story over at haxorthematrix.com. I'm reposting it here, so that when I get to part two, those that missed this don't feel left out. Eventually, Paul and I will work to make some of the better archive entries from haxorthematrix.com available here.

Without further ado:

I wanted to recount a tale that happened to yours truly at the recent Shmoocon 4 (2008), on how easy it can be to perform information gathering. I'll start with a quick one at the airport...

I sit down at the gate waiting for my flight to arrive, and I've got plenty of time. I pull out the laptop and connect to the internet using my CDMA USB card, and plonk away chatting with the folks on IRC (at irc.freenode.net #pauldotcom). A gentleman in his forties sits down two seats away from me, and also pops open his laptop, and he proceeds to connect to the T-Mobile wireless network.

Now, I know what you are thinking! No, I didn't decide to own him via wireless, or sniff his traffic or any of those type of attacks. It was better than that:

The gentleman was presented with the T-mobile captive portal to subscribe for an account for access. Out comes his wad of cash and credit cards in the money clip on to the seat between us. Out of the stack comes the AMEX, and he types in the required info. Fail. Sigh. Retype. Fail. Even bigger sigh. Now the cell phone comes out, and I look over. I can clearly read the numbers, first and last name on the card sitting on the seat next to me. So technically, he's owned. But there is a snag; apparently his card has expired! Out comes his phone to call his wife, and apparently he has the main number, and has to ask to be transferred.

"Hello, may I speak to Carol please?" "This is her husband." "Thank you."

"Hi honey! I'm at the airport and trying to get on the internet, but it won't take my AMEX. I think it is expired." "Do you have your new one with you?" "Ok, can you read me the numbers?"

"Let me read them back to you: XXXX..."

"And the number on the back?" "YYY?" "Good."

Now through my powers of observation, I have a first and last name, and AMEX number with CVV code. All I'm missing is the billing address, which I bet Google would have found for me with a few clicks. Some more unscrupulous places won't even care that I don't have it, or that it doesn't match...

Credit card fraud, no computer needed.

Here's the lesson: If you are going to read sensitive numbers over the phone or back to the person, do so in private. Heck, go somewhere out of the way in the airport, take your bags, and pack up your laptop, and even write it down. Seems like common sense to me.

- Larry "haxorthematrix" Pesce
larry /at/ pauldotcom.com

March 23, 2008

Press Release: PaulDotCom and Haxorthematrix Blogs Merge

As we move forward building PaulDotCom Enterprises we will be working to consolidate some of our other efforts under one umbrella. As such Larry and myself have agreed that the Haxorthematrix blog will be moved to PaulDotCom. The domain will redirect to this site and Larry will begin posting all his fantastic content to pauldotcom (So if you really like the content, you can click the donate button on the left :).

Some of the latest postings from Haxorthematrix will be moved over to pauldotcom, so look for some good stuff coming soon!

Happy Easter to all those who celebrate it!

Cheers,

PaulDotCom

March 22, 2008

Shmooball Launcher Teaser Trailer

All:

Coming soon, we'll be showing you how the 2008 Shmooball launcher goes together and operates. We even get to fire it a few times. Here's a tease of how we made out.

This video has also been added to our video feed and our YouTube channel

Video Feeds:

YouTube: PaulDotCom YouTube Channel.

Look for more videos to come!

- Larry aka haxorthematrix

March 21, 2008

PaulDotCom Security Weekly - Episode 102 - March 20, 2008

Live from the PaulDotCom studios...

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

March Late-Breaking Computer Attack Vectors Webcast

All:

The March Late-Breaking Computer Attack Vectors webcast this month will be held on:

Wednesday, March 26, 2008 2:00 pm EDT (GMT -04:00, New York)

Register Here For This Webcast

This month we are sponsored by Mu Security, makers of a security analyzer series of products (aka automated fuzzing). Very cool devices! I will discuss some of the latest attacks, including RFID, attacking SIM cards, and more! Hope to see you there...

PaulDotCom

March 19, 2008

PaulDotCom Security Weekly - Episode 101 - March 13, 2008

Live from the PaulDotCom studios...

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Recording & Stream Notice - Episode 102

NOTE: Our streaming method has changed as of episode 100, and is reflected in the links below.

The live stream should be active about 6:30-6:45 PM EDT, Thursday March 20th. We should begin recording the live show at about 6:45 PM EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!

- Larry & Paul

March 14, 2008

PaulDotCom Security Weekly - Special Edition - Interview with GNUCITIZEN Part II - March 7th, 2008

Live from the PaulDotCom Security Weekly Studio, the fine folks from GNUCITIZEN (Petko D. Petkov and Adrian P.) join us for discussion on more of their projects including MDNS and others. Part two of two.

There is a slight, barely audible echo in a few places as an artifact from Skype! We apologize!

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

March 11, 2008

Recording & Stream Notice - Episode 101

NOTE: Our streaming method has changed as of episode 100, and is reflected in the links below.

The live stream should be active about 5:45-6:00 PM EST, Thursday March 13th. We should begin recording the live show at about 6:15 PM EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!

- Larry & Paul

March 10, 2008

PaulDotCom Security Weekly - Special Edition - Interview with GNUCITIZEN Part I - March 7th, 2008

Live from the PaulDotCom Security Weekly Studio, the fine folks from GNUCITIZEN (Petko D. Petkov and Adrian P.) join us for discussion on how they got started, and who they are all about and delve into some of their projects in this episode. Part one of two.

There is a slight, barely audible echo in a few places as an artifact from Skype! We apologize!

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

March 09, 2008

PaulDotCom TV - Video Feed Update

The PaulDotCom TV video feed lives on! I just know that everyone was dying to have the latest videos from PaulDotCom available on your iPods and iPhones, so I've updated the feed with the latest four spectacular videos from the PaulDotCom crew. They include:

  • Make the Switch: Danny - Larry and I were talking one day last week about the number of listeners that have given us much of the same feedback. They all stated something along the lines of, "I used to listen to Security Now!, but now I listen to PaulDotCom Security Weekly". So, on the last podcast we asked real listeners to record their own switch commercials (audio only). I've added a bit of flavor (thanks to iMovie) and created this video of our first submission (Thanks Danny!).
  • Set Your Router On Fire! SANS SEC 535 - We have created a promotion video for the SANS course I authored called "SEC535 - Network Security Projects Using Hacked Wireless Routers". Sign up for this course today!
  • The Destruction Files - Paul & Larry have some fun busting up some old computer equipment. Sun monitor, take 2, network sniffer, and a Cisco switch all fall victim to Paul's new sledge...
  • Where's Twitchy? - So many of you have written to ask us the age old question, "Where's Twitchy?". This video provides you with the answer...

All of these videos are also available on our PaulDotCom YouTube Site. Look for more videos to come!

PaulDotCom

March 07, 2008

Recording and Stream Notice - GNUCITIZEN

NOTE: Our streaming method has changed as of episode 100, and is reflected in the links below.

The live stream should be active about 5:45-6:00 PM EST, Friday March 7th. We should begin recording the live show at about 6:15 PM EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!

- Larry & Paul

March 03, 2008

Rhode Island Linux Installfest

All:

In collaboration with SNENUG (The Southern New England Network Users Group), OSHEAN, and PaulDotCom, we are proud to bring you a good 'ole fashion Linux installfest! Got an old PC hanging around? Bring it by! Got a dusty old iPod or wireless router? Come get help with installing Linux, a free operating system that is fun to learn and hack with.

Members of PaulDotCom (Larry and Myself), in addition to some other Linux "gurus" will be at OSHEAN for a full day on Saturday April 5, 2008 to assist people installing Linux.

For more information and to register for this event click here.

I hope to see you all there (however seating is limited so be certain to register at the link above).

Cheers,

Paul

PaulDotCom's Penetration Testing Dojo: Core IMPACT Style

This is going to be another neat webcast in collaboration with SANS and Core Security. Below is the description and sign-up information:

"When beginning a security process at a consortium of non-profits, senior network security engineer, Paul Asadoorian of Pauldotcom began looking for a penetration testing tool that did network, web application and social engineering tests. The tool he purchased is low on manpower use, mostly self-maintaining and reliably proves the existence of network vulnerabilities. Please attend this webcast to find out why Paul selected CORE IMPACT and learn how it can help you safely perform network, web application and end-user penetration testing."

When: Tuesday, March 18 at 1:00 PM EDT (1700 UTC/GMT)
Where: Sign-up here
Who: Alan Paller & Paul Asadoorian

This webcast will give listeners some insight into why I have used Core IMPACT in many different organizations, its benefits, and some of the more creative uses for the product.

Sign-up Today!

PaulDotCom

PaulDotCom Security Weekly - Episode 100 Part II - February 28, 2008

Live from the PaulDotCom Security Weekly Studio for Episode 100! Special guest appearances from listeners across the world, Black Dragon offers listeners a special treat, and Paul & Larry profess their love for each other...

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

PaulDotCom Security Weekly - Episode 100 Part I - February 28, 2008

Live from the PaulDotCom Security Weekly Studio for Episode 100! Special guest appearances from Ed Skoudis, Ron Gula, the British Royal Family, and Bob's true identity revealed!

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download
