May 12, 2008

PaulDotCom Security Weekly - Episode 107 - May 9, 2008

Live from the PaulDotCom studios...

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

May 07, 2008

Late-Breaking Computer Attack Vectors - April 2008

The media for the April 2008 Late-Breaking Computer Attack Vectors webcast is ready to be released:

LBCAV April 2008 - Audio

LBCAV April 2008 - Slides

This is a 45 minute presentation on the latest happenings in computer security, vulnerabilities, and methods in use by attackers. I've also included several recommendations for defensive measures, so enjoy! If you want to listen live this webcast is done on the last Wednesday of every month at 2:00PM EST.

I hope to create a podcast feed for the audio sometime in the near future as well.

PaulDotCom

May 06, 2008

PaulDotCom TV: The Making Of The Shmooball Cannon

Larry did a fantastic job with the Shmooball Cannon, it was featured on Make Magazine and Hack A Day. It was such a huge success that we produced a video detailing how it was made, including several takes of Paul getting shot:


This video will also be added to our video feed and our YouTube channel:

Video Feeds:


YouTube: PaulDotCom YouTube Channel.

Look for more videos to come!

PaulDotCom

May 05, 2008

PaulDotCom Security Weekly - Episode 106 - May 1, 2008

Live from the PaulDotCom studios...

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

April 30, 2008

Network Security Podcast - Episode 103 Appearance

All:

It was my pleasure to make an appearance on the Network Security Podcast with Martin McKeay and Rich Mogull. We had some interesting conversations about SQL Injection, how we got started in computer security, thoughts on the CISSP certification, PCI and its usefulness, and general security banter.

You can download the Network Security Podcast episode 103 here.

Enjoy!

PaulDotCom

April 29, 2008

April Late-Breaking Computer Attack Vectors Webcast

All:

The April Late-Breaking Computer Attack Vectors webcast this month will be held on:

Wednesday, April 30, 2008 2:00 pm EDT (GMT -04:00, New York)

Register Here For This Webcast

This month I will discuss some of the latest attacks, including hacking kiosks, attacking your desk, and darknets for defense. Hope to see you there...

PaulDotCom

April 28, 2008

Appearing On Network Security Podcast

At 9:00PM EST tonight I will be chatting with Rich & Martin from the Network Security Podcast. Should be fun, we will bat around PCI, SQL injection, and hopefully a few other topics of interest.

You can see and hear it all on our live Ustream channel here.

Cheers,

PaulDotCom

April 23, 2008

Recent Presentations

Larry and I gave presentations at a mini-conference yesterday. The slides are located at the links below:

Hopefully we will have audio & video, so stay tuned!

Cheers,

Paul

April 22, 2008

Scamming Social Networks

Social networks have become a very popular use of so-called "Web 2.0" technology. Web sites such as Facebook and LinkedIn have begun to move towards targeting working professionals, in addition to the traditional younger college and/or high school crowd. I, and others, have been doing extensive research into the security (and insecurity) present in social networking web sites. You may now be wondering, "Just how have you been doing your research?". Well, we decided to register ourselves on several social networking web sites to see just how they work, and just how we and others could break them and abuse the security present in these web sites. What we've found has been very interesting, and useful for providing the community with information about the risks, and tips to protect themselves:

The “Evil Twin” attack was an experiment we performed, and it turned out to be wildly successful. We registered a Facebook account as someone else, using an email address we controlled, pictures we downloaded from the Internet, and information we gathered from various publicly available sources. Our attack was very successful: several people believed that the person we faked was real and started to add them as a friend. The best defense here is to register yourself on social networking web sites to prevent others from doing so. We did a segment about this which you can read about and listen to here.

If you use social networking sites regularly you might say, “only people in my network can see my information or my pictures”. This may be true; however, XSS vulnerabilities have exposed that information. For example, millions of pictures marked “private” on the popular social network site MySpace, and subsequently Facebook, were suddenly public due to a vulnerability. Once something is “public” on the Internet, there is no going back; it's archived in cyberspace forever. Even without vulnerabilities there are groups on sites such as Facebook, and to a certain extent LinkedIn, that automatically allow others in your group to see your profile. For example, I was placed in the group “Providence, RI”, a group anyone can join, and now thousands of people can see my profile. You should always treat information on the Internet as public, whether marked "private" or not.

Recently there has been an unknown exploit of Facebook that is hijacking people’s Facebook accounts and putting up grotesque images, a social network “Rick Roll” attack with a bizarre twist. Reportedly there was a vulnerability in Facebook that allowed this to happen. However, recently I got the following email:

facebookemail.jpg

Looking closely at the link highlighted in red, you see that it does not go to Facebook at all, but to some other site, which looks exactly like the Facebook login page but really is an attacker collecting your username and password. Why would someone launch a phishing attack against Facebook? I'm still not certain why this information is so valuable that it is being targeted by attackers. If nothing else it proves that social networking sites are not only more popular, but represent an area that potentially could be profitable for attackers - as soon as I figure out how, I will let you know :).

Social networks are all about sharing information; however, they're also a great way to distribute attacks. Attackers are looking to use social networks to distribute links to a trusted audience, not just for fun, but for profit! Use extreme caution when using social networks and try to think how attackers could use this information and technology against you.

There is no spoon...

Recently I taught a 2-day hacking course titled "Cutting-Edge Hacking Techniques", written by Ed Skoudis and offered by The SANS Institute. The students learned a lot, and as always when I teach, so did I. I summarized my thoughts and experiences in a guest blog posting I wrote for my friends over at GNUCITIZEN:

Read the full posting here.

Enjoy!

Cheers,
Paul

April 07, 2008

Metadata Surprise!

I've been poking at some metadata for information gathering lately for a project or two. One of the document types that I've been focusing on has been JPEG images. Why, you ask? Take a look at this web page. See all those pretty pictures? JPGs. Same with just about every other website on the planet.

Looks like we have plenty of fodder for our metadata cannon.

So, I began analyzing metadata on JPGs from random websites that struck my fancy. In a few cases, I came across some good information: the type of software used to produce the image (great for selecting a particular exploit), the author (great for selecting a target), dates of authorship (good for determining validity of attack and target) and finally some camera types (good for determining some basic financial commitment, and whose memory cards to steal on a physical assessment). Mostly, I came across a whole bunch of sanitized data. Clearly I needed a better set of JPGs to play with.

Then, 18 gigs of Myspace JPG images fell into my lap.

I figured that I'd be in metadata heaven. I also figured that I might be able to put an author name behind the image of the two dogs humping, or better, the hottie showing off her naughty bits.

I was mistaken.

I ran exiftool on about 10,000 images (with some fits and starts; exiftool is a perl app, and providing it too many images at once caused it to barf), all with the same result. Every image appears to have had the metadata stripped so that only the metadata needed to correctly render the image is left. No author. No creation tool. No dates. No camera info.

Apparently, Myspace sanitizes all of the metadata when you upload your pics.

Good Myspace.

Of course, I had to test, especially since the 18 Gigs of images could have been played with to protect the innocent, given that they originally came from some acquisition techniques that could be described as ethically questionable (they were not acquired by me in that fashion). Here's how I tested:

First, I needed an image that I knew had good juicy metadata. How about the one from the news story about the hacker 0x80 that Slashdot folks used to track down some pretty scary info on the anonymous 0x80 using the intact metadata:

0x80_cracker_with_laptop.jpg

Yes, this image has the metadata intact.

Here's the output from exiftool -t -s filename.jpg showing all of the metadata:

======== 0x80_cracker_with_laptop.jpg
ExifToolVersion	7.23
FileName	0x80_cracker_with_laptop.jpg
Directory	.
FileSize	44 kB
FileModifyDate	2007:12:14 16:05:51
FileType	JPEG
MIMEType	image/jpeg
JFIFVersion	1.1
ProfileCMMType	Lino
ProfileVersion	2.1.0
ProfileClass	Display Device Profile
ColorSpaceData	RGB
ProfileConnectionSpace	XYZ
ProfileDateTime	1998:02:09 06:49:00
ProfileFileSignature	acsp
PrimaryPlatform	Microsoft Corporation
CMMFlags	Not Embedded, Independent
DeviceManufacturer	IEC
DeviceModel	sRGB
DeviceAttributes	Reflective, Glossy, Positive, Color
RenderingIntent	Perceptual
ConnectionSpaceIlluminant	0.9642 1 0.82491
ProfileCreator	HP
ProfileID	0
ProfileCopyright	Copyright (c) 1998 Hewlett-Packard Company
ProfileDescription	sRGB IEC61966-2.1
MediaWhitePoint	0.95045 1 1.08905
MediaBlackPoint	0 0 0
RedMatrixColumn	0.43607 0.22249 0.01392
GreenMatrixColumn	0.38515 0.71687 0.09708
BlueMatrixColumn	0.14307 0.06061 0.7141
DeviceMfgDesc	IEC http://www.iec.ch
DeviceModelDesc	IEC 61966-2.1 Default RGB colour space - sRGB
ViewingCondDesc	Reference Viewing Condition in IEC61966-2.1
ViewingCondIlluminant	19.6445 20.3718 16.8089
ViewingCondSurround	3.92889 4.07439 3.36179
ViewingCondIlluminantType	D50
Luminance	76.03647 80 87.12462
MeasurementObserver	CIE 1931
MeasurementBacking	0 0 0
MeasurementGeometry	Unknown (0)
MeasurementFlare	0.999%
MeasurementIlluminant	D65
Technology	Cathode Ray Tube Display
RedTRC	(Binary data 2060 bytes, use -b option to extract)
GreenTRC	(Binary data 2060 bytes, use -b option to extract)
BlueTRC	(Binary data 2060 bytes, use -b option to extract)
ApplicationRecordVersion	2
Caption-Abstract	SLUG:  mag/hacker  DATE:  12/20/2005 PHOTOGRAPHER:  Sarah L. Voisin/TWP   id#:  LOCATION:  Roland, OK.CAPTION:   .PICTURED:
Writer-Editor	SLV
By-line	Sarah L. Voisin
By-lineTitle	STAFF
ObjectName	mag/hacker
Province-State	OK
Country-PrimaryLocationName	USA
OriginalTransmissionReference	175706
TimeCreated	12:38:30-06:00
DisplayedUnitsX	inches
DisplayedUnitsY	inches
GlobalAngle	30
GlobalAltitude	30
CopyrightFlag	False
PhotoshopThumbnail	(Binary data 3276 bytes, use -b option to extract)
PhotoshopQuality	12
PhotoshopFormat	Standard
ProgressiveScans	3 Scans
ExifByteOrder	Little-endian (Intel, II)
ImageDescription	SLUG:  mag/hacker  DATE:  12/20/2005 PHOTOGRAPHER:  Sarah L. Voisin/TWP   id#:  LOCATION:  Roland, OK.CAPTION:   .PICTURED:
Software	Adobe Photoshop CS2 Macintosh
Artist	Sarah L. Voisin
ComponentsConfiguration	YCbCr
Flash	On
UserComment	
InteropIndex	R98 - DCF basic file (sRGB)
InteropVersion	0100
Compression	JPEG (old-style)
ThumbnailOffset	17196
ThumbnailLength	3276
Orientation	Horizontal (normal)
YCbCrPositioning	Co-sited
XResolution	200
YResolution	200
ResolutionUnit	inches
Make	Canon
Model	Canon EOS 20D
ModifyDate	2006:02:16 15:43:01-05:00
CreateDate	2006:02:16 15:43:01-05:00
MetadataDate	2006:02:16 15:43:01-05:00
CreatorTool	Adobe Photoshop CS2 Macintosh
ExifVersion	0221
FlashpixVersion	0100
ColorSpace	sRGB
ExifImageWidth	3504
ExifImageHeight	2336
DateTimeOriginal	2005:12:20 12:38:30-05:00
DateTimeDigitized	2005:12:20 12:38:30-05:00
ExposureTime	1/30
FNumber	5.0
ExposureProgram	Manual
ISO	100
ShutterSpeedValue	1/30
ApertureValue	5.0
ExposureCompensation	0
MeteringMode	Multi-segment
FlashFired	True
FlashReturn	No return detection
FlashMode	On
FlashFunction	False
FlashRedEyeMode	False
FocalLength	85.0 mm
FocalPlaneXResolution	3959.32203389831
FocalPlaneYResolution	3959.32203389831
FocalPlaneResolutionUnit	inches
CustomRendered	Normal
ExposureMode	Manual
WhiteBalance	Auto
SceneCaptureType	Standard
NativeDigest	36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;3B11799D192F50186735EF6636B7FD47
DocumentID	uuid:5A82A660A09311DAB292D9FC4FB3D5EC
InstanceID	uuid:5A82A661A09311DAB292D9FC4FB3D5EC
DerivedFromInstanceID	uuid:5A82A65FA09311DAB292D9FC4FB3D5EC
DerivedFromDocumentID	uuid:5A82A65FA09311DAB292D9FC4FB3D5EC
Format	image/jpeg
Description	SLUG:  mag/hacker  DATE:  12/20/2005 PHOTOGRAPHER:  Sarah L. Voisin/TWP   id#:  LOCATION:  Roland, OK.CAPTION:   .PICTURED:
Creator	Sarah L. Voisin
Title	mag/hacker
CaptionWriter	SLV
AuthorsPosition	STAFF
Credit	TWP
Source	20051220
City	Roland
State	OK
Country	USA
TransmissionReference	175706
ColorMode	3
ICCProfileName	sRGB IEC61966-2.1
DateCreated	2005:12:20
History	
ImageWidth	228
ImageHeight	153
EncodingProcess	Baseline DCT, Huffman coding
BitsPerSample	8
ColorComponents	3
YCbCrSubSampling	YCbCr4:4:4 (1 1)
Aperture	5.0
DateTimeCreated	2005:12:20 12:38:30-06:00
ImageSize	228x153
ScaleFactor35efl	1.6
ShutterSpeed	1/30
ThumbnailImage	(Binary data 3276 bytes, use -b option to extract)
CircleOfConfusion	0.019 mm
FOV	15.1 deg
FocalLength35efl	85.0 mm (35 mm equivalent: 136.1 mm)
HyperfocalDistance	77.02 m
LightValue	9.6

Now, I upload it to my Myspace account, and then use Firefox's "Save image as..." to save the resulting image:

0x08 from myspace.jpg

Yes, I have a Myspace account. It's my dirty little information gathering secret.

Here's the resulting metadata from the Myspace image, using the same exiftool command:

======== 0x08 from myspace.jpg
ExifToolVersion	7.23
FileName	0x08 from myspace.jpg
Directory	.
FileSize	6 kB
FileModifyDate	2008:04:01 13:59:33
FileType	JPEG
MIMEType	image/jpeg
JFIFVersion	1.1
ResolutionUnit	inches
XResolution	100
YResolution	100
ImageWidth	228
ImageHeight	153
EncodingProcess	Baseline DCT, Huffman coding
BitsPerSample	8
ColorComponents	3
YCbCrSubSampling	YCbCr4:2:0 (2 2)
ImageSize	228x153

That's a BIG difference. Good Myspace. Yes, I know that putting those two words together in the same sentence seems...wrong.

What about Facebook? I uploaded the same original image (with the juicy metadata) to my profile on FaceBook. Here are the results:

0x80 form facebook.jpg

...and the resulting metadata (again, same exiftool command)?

======== 0x80 form facebook.jpg
ExifToolVersion	7.23
FileName	0x80 form facebook.jpg
Directory	.
FileSize	6 kB
FileModifyDate	2008:04:04 14:25:48
FileType	JPEG
MIMEType	image/jpeg
JFIFVersion	1.1
ResolutionUnit	inches
XResolution	72
YResolution	72
ImageWidth	228
ImageHeight	153
EncodingProcess	Baseline DCT, Huffman coding
BitsPerSample	8
ColorComponents	3
YCbCrSubSampling	YCbCr4:2:0 (2 2)
ImageSize	228x153

Yes. Good Facebook.

Overall, I was shocked that both Myspace and Facebook had done this. Am I off base? Is this a common thing?

I guess I have a few more "social networks" to try: Twitter, Picasa, LinkedIn, Flickr (I KNOW they keep and analyze some metadata...), and more that I'm sure haven't popped into my head yet.

Looks like I'm still in need of finding a good repository of metadata. Flickr, here I come.
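The exiftool dumps above show the difference between an upload with Exif, IPTC/Photoshop, ICC and XMP data and the re-encoded copy the sites served back. As an added example (not from the original post or from exiftool), the following Python script walks the JPEG marker segments directly, reports which metadata-only segments (APP1 Exif/XMP, APP2 ICC, APP13 Photoshop/IPTC, COM) a file carries, and produces a stripped copy that keeps only what a decoder needs, which is the kind of sanitizing step you would run before uploading to a site that does not do it for you. The sample JPEG it parses is a constructed marker stream, not a real photo.

```python
import struct
import sys

# Standard JPEG marker codes (ITU T.81, JFIF, Exif); these are real values, not constructed.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0 = 0xE0  # JFIF header: keep it, decoders expect it

# Segments that carry only metadata. A decoder never needs them to render the pixels,
# so these are what was missing from the Myspace and Facebook copies above. Note that
# dropping APP2 (ICC) can change how colours are displayed, but not whether the file decodes.
METADATA_MARKERS = {0xE1, 0xE2, 0xED, 0xFE}
MARKER_NAMES = {0xE0: "APP0", 0xE1: "APP1", 0xE2: "APP2", 0xED: "APP13", 0xFE: "COM",
                0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS"}

# Identifier strings at the start of APPn payloads that name the metadata family.
PAYLOAD_IDS = [(b"Exif\x00\x00", "Exif"), (b"http://ns.adobe.com/xap/1.0/\x00", "XMP"),
               (b"Photoshop 3.0\x00", "Photoshop/IPTC"), (b"ICC_PROFILE\x00", "ICC"),
               (b"JFIF\x00", "JFIF")]


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment from SOI up to and including SOS.
    `end` is the offset just past the segment. Entropy-coded scan data after SOS is not
    parsed: everything from SOS onward is treated as an opaque tail that must be kept."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF at offset {pos}, got {data[pos]:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker, skip it
            pos += 1
            continue
        # Every segment between SOI and SOS has a 2-byte big-endian length that includes itself.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, pos, pos + 2 + length
        if marker == SOS:
            return
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS marker found")


def describe(marker, payload):
    """Human-readable name for a segment, e.g. 'APP1 Exif' or 'APP13 Photoshop/IPTC'."""
    name = MARKER_NAMES.get(marker, f"0x{marker:02X}")
    for prefix, family in PAYLOAD_IDS:
        if payload.startswith(prefix):
            return f"{name} {family}"
    return name


def list_metadata(data):
    """Names of the metadata-only segments present, in file order."""
    return [describe(marker, data[start + 4:end])
            for marker, start, end in iter_segments(data) if marker in METADATA_MARKERS]


def segment_markers(data):
    """Marker codes of all segments up to and including SOS (useful to compare before/after)."""
    return [marker for marker, _, _ in iter_segments(data)]


def strip_metadata(data):
    """Return a copy with Exif/XMP/IPTC/ICC/COM segments removed. Only the marker structure
    is touched; the SOS header, scan data and EOI are copied byte for byte."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if marker == SOS:
            out += data[start:]  # SOS through EOI, unchanged
            break
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    return bytes(out)


def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid marker stream (not a decodable photo) carrying the
# same families of metadata exiftool listed above. The author string is a placeholder.
SAMPLE_JPEG = (
    bytes([0xFF, SOI])
    + _seg(APP0, b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00" + b"Canon EOS 20D\x00")
    + _seg(0xED, b"Photoshop 3.0\x008BIM\x04\x04" + b"J. Photographer\x00")
    + _seg(0xFE, b"Adobe Photoshop CS2 Macintosh")
    + _seg(0xDB, bytes(65))      # quantisation table placeholder
    + _seg(0xC0, bytes(15))      # SOF0 frame header placeholder
    + _seg(SOS, bytes(10))       # SOS header placeholder
    + b"\x12\x34\xff\x00\x56"    # fake entropy-coded data containing a stuffed 0xFF00
    + bytes([0xFF, EOI])
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG
    print("metadata segments:", list_metadata(data) or "none")
    print("after strip:", list_metadata(strip_metadata(data)) or "none")
```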

- Larry "haxorthematrix" Pesce

larry /at/ pauldotcom.com

RI Linux Installfest 2008 = Success

Larry & I hosted our first Linux Installfest this past weekend, and it was a huge success. Everyone had fun, ate pizza, drank beer, and spun our propellers installing Linux and just being extra geeky for a day. I made a blog posting detailing the event (including pictures) which you can find here.

PaulDotCom

March 28, 2008

My Latest Presentations

All:

Recently I've done some webcasts on various security topics in a few different venues (webcasts and the like). I've had several requests for the presentation media, so I've updated our presentations section with the following:

I really enjoy doing the monthly threat summary and try to include as many "bleeding edge" threats as I can. Most I pull from my hundreds of security news feeds, and some I pull from my twisted imagination. The webcast had over 200 people listening live, so we are very pleased with the level of interest and thank all those who have attended. If you enjoyed the webcast please share it with all of your friends.

Thanks for listening!

PaulDotCom

March 25, 2008

Notacon 5

We had a friendly reminder about the upcoming Notacon 5 in Cleveland, Ohio on April 4th through 6th.

The speaker lineup looks to have some promising stuff that may not be available (for whatever reason) to some of the other security type cons.

Unfortunately the PaulDotCom crew won't be able to make it. We'd love to go, but other responsibilities took priority. We would love to hear your feedback on the con!

- Larry "haxorthematrix" Pesce

March 24, 2008

Building A Botnet With Twitter?

Technology is a wonderful thing, and I love nothing more than to experiment with it. As security professionals, it's in our best interest, and the best interests of the organizations we set out to protect, to understand new technology and the implications for security. I truly believe that you cannot understand how to secure something until you've had some hands-on time using it. This is part of the reason why you will see us on many of the popular social networking sites such as Linkedin, Facebook, and even MySpace (I won't link to them, but you can find both myself and Larry on at least Linkedin and Facebook by our email addresses, see the Contact Page). The latest experimenting: you can now find me on Twitter (Larry too!). These are turning out to be some fairly useful networking tools, but present some risks and interesting attack scenarios.

For example, recently Twitter added the ability to send updates to Twitter, and receive updates from the people you are "following", via Jabber. This is very handy: "TWITTER" just shows up as another entry in your buddy list. To update your own Twitter page, just send the text to the "TWITTER" buddy. When someone you follow makes an update, Twitter sends it as a Jabber IM message back to you. You can do the same thing with SMS text messages. The danger? This allows me to put content in one place and, using the Twitter network, push it to potentially thousands of people automatically! This means if you can send some sort of exploit, or even a link to an exploit, and post it to people's Twitter accounts, it gets sent to a potentially wide audience. This sounds like the Smurf 2.0 attack to me (sorry, I couldn't resist). You would of course need to hijack someone's Twitter account, or discover an XSS in the Twitter web site, or some sort of authentication bypass. However, one of those vulnerabilities in the Twitter system could be extremely damaging due to the nature of the Twitter network. Not only do you have the ability to send malicious content to people's browsers, but you can also send exploits to Jabber clients and people's cell phones, all by just posting small amounts of content to one person's Twitter page!

Ah, but you say, what are the chances of this type of vulnerability? Nitesh Dhanjani already found one.... This vulnerability allowed anyone who knew your phone number to essentially hijack your Twitter page. I was surprised not to see this exploited in the wild.

A tale of information gathering made easy, Part two

After my information gathering adventures at the airport on my way to Shmoocon, I was looking forward to getting to my hotel, grabbing a shower, and going to find some attendees for a beer. An uneventful hotel check in found me in my room only a few minutes later.

On my way to my room, I noticed a few smaller event rooms on my floor, hosting a number of smaller meetings. These meetings appeared to be some sort of mini-sales type of convention - "deductible junkets" if you will. This type of thing is not uncommon.

Once I found my room, I had a small surprise upon entering. Apparently a fine gentleman who was originally scheduled to attend one of these mini-conventions did not show up, and I was assigned his room. How do I know this?

LetMeBeFrank.jpg

I'm not Frank.

It would appear that this particular company (obscured to protect the innocent/guilty), was able to get the Wardman Park Marriott to place these helpful packets in the attendees rooms before they arrived. How convenient! Why do I think that Frank didn't attend? The envelope was still sealed, and it was placed in the correct room, according to the designation on the envelope.

Upon opening, I had been provided some excellent information on the company.

FrankLetter.jpg

Sweet. Employee directory and last year's sales report, amongst a few other things that may be helpful during social engineering attempts. Now, sure, I'd have to want to target this particular company. The one that was right down the hall, with free drinks...

This company has just provided someone unknown with some potentially sensitive information (well, at least not public) without any type of authentication. Supposedly, authentication would have been provided by the front desk, by checking Frank into his room. I spoke to a friend who is a meeting planner/conference organizer for a very large organization about this particular situation, who was notably shocked by this practice. For a nominal fee per attendee (and sometimes you can even negotiate it for free), the hotel will provide this type of information in person, at the hotel registration desk, when the attendee presents his or her identification. This sounds like a little bit better authentication to me.

What's the lesson? Require some form of authentication for distribution of sensitive information (paper or otherwise), and be mindful that utilizing a third party to perform that authentication may not always work either - sometimes the third party's commitment isn't the same as your own. If you want a job done right, do it yourself.

- Larry "haxorthematrix" Pesce
larry /at/ pauldotcom.com

A tale of information gathering made easy, Part one

Apologies to those that read this story over at haxorthematrix.com. I'm reposting it here, so that when I get to part two, those that missed this don't feel left out. Eventually, Paul and I will work to make some of the better archive entries from haxorthematrix.com available here.

Without further ado:

I wanted to recount a tale that happened to yours truly at the recent Shmoocon 4 (2008), on how easy it can be to perform information gathering. I'll start with a quick one at the airport...

I sit down at the gate waiting for my flight to arrive, and I've got plenty of time. I pull out the laptop and connect to the internet using my CDMA USB card, and plonk away chatting with the folks on IRC (at irc.freenode.net #pauldotcom). A gentleman in his forties sits down two seats away from me, also pops open his laptop, and proceeds to connect to the T-Mobile wireless network.

Now, I know what you are thinking! No, I didn't decide to own him via wireless, or sniff his traffic or any of those type of attacks. It was better than that:

The gentleman was presented with the T-Mobile captive portal to subscribe for an account for access. Out comes his wad of cash and credit cards in the money clip, onto the seat between us. Out of the stack comes the AMEX, and he types in the required info. Fail. Sigh. Retype. Fail. Even bigger sigh. Now the cell phone comes out, and I look over. I can clearly read the numbers, first and last name on the card sitting on the seat next to me. So technically, he's owned. But there is a snag; apparently his card has expired! Out comes his phone to call his wife, and apparently he has the main number, and has to ask to be transferred.

"Hello, may I speak to Carol please?" "This is her husband." "Thank you."

"Hi honey! I'm at the airport and trying to get on the internet, but it won't take my AMEX. I think it is expired." "Do you have your new one with you?" "Ok, can you read me the numbers?"

"Let me read them back to you: XXXX..."

"And the number on the back?" "YYY?" "Good."

Now through my powers of observation, I have a first and last name, and AMEX number with CVV code. All I'm missing is the billing address, which I bet Google would have found for me with a few clicks. Some more unscrupulous places won't even care that I don't have it, or that it doesn't match...

Credit card fraud, no computer needed.

Here's the lesson: If you are going to read sensitive numbers over the phone or back to the person, do so in private. Heck, go somewhere out of the way in the airport, take your bags, and pack up your laptop, and even write it down. Seems like common sense to me.

- Larry "haxorthematrix" Pesce
larry /at/ pauldotcom.com

March 23, 2008

Press Release: PaulDotCom and Haxorthematrix Blogs Merge

As we move forward building PaulDotCom Enterprises we will be working to consolidate some of our other efforts under one umbrella. As such, Larry and I have agreed that the Haxorthematrix blog will be moved to PaulDotCom. The domain will redirect to this site and Larry will begin posting all his fantastic content to pauldotcom (so if you really like the content, you can click the donate button on the left :).

Some of the latest postings from Haxorthematrix will be moved over to pauldotcom, so look for some good stuff coming soon!

Happy Easter to all those who celebrate it!

Cheers,

PaulDotCom

March 21, 2008

March Late-Breaking Computer Attack Vectors Webcast

All:

The March Late-Breaking Computer Attack Vectors webcast this month will be held on:

Wednesday, March 26, 2008 2:00 pm EDT (GMT -04:00, New York)

Register Here For This Webcast

This month we are sponsored by Mu Security, makers of a security analyzer series of products (aka automated fuzzing). Very cool devices! I will discuss some of the latest attacks, including RFID, attacking SIM cards, and more! Hope to see you there...

PaulDotCom

March 03, 2008

Rhode Island Linux Installfest

All:

In collaboration with SNENUG (The Southern New England Network Users Group), OSHEAN, and PaulDotCom, we are proud to bring you a good ol' fashioned Linux installfest! Got an old PC hanging around? Bring it by! Got a dusty old iPod or wireless router? Come get help with installing Linux, a free operating system that is fun to learn and hack with.

Members of PaulDotCom (Larry and Myself), in addition to some other Linux "gurus" will be at OSHEAN for a full day on Saturday April 5, 2008 to assist people installing Linux.

For more information and to register for this event click here.

I hope to see you all there (however seating is limited so be certain to register at the link above).

Cheers,

Paul

PaulDotCom's Penetration Testing Dojo: Core IMPACT Style

This is going to be another neat webcast in collaboration with SANS and Core Security. Below is the description and sign-up information:

"When beginning a security process at a consortium of non-profits, senior network security engineer, Paul Asadoorian of Pauldotcom began looking for a penetration testing tool that did network, web application and social engineering tests. The tool he purchased is low on manpower use, mostly self-maintaining and reliably proves the existence of network vulnerabilities. Please attend this webcast to find out why Paul selected CORE IMPACT and learn how it can help you safely perform network, web application and end-user penetration testing."

When: Tuesday, March 18 at 1:00 PM EDT (1700 UTC/GMT)
Where: Sign-up here
Who: Allen Paller & Paul Asadoorian

This webcast will give listeners some insight into why I have used Core IMPACT in many different organizations, its benefits, and some of the more creative uses for the product.

Sign-up Today!

PaulDotCom

February 21, 2008

Introduction To Penetration Testing Short Presentation

All:

I recently spoke for the SNENUG (Southern New England Network Users Group) and gave a short presentation on penetration testing. I introduced the basic concepts, steps, phases, and components of a penetration test. You can download the slides below:

Introduction To Penetration Testing

Enjoy!

PaulDotCom

PaulDotCom Presents SANS Training in Rhode Island

PaulDotCom is proud to announce it has joined forces with SANS to bring three SANS short courses, all hands-on, to North Kingstown, RI. These will likely be the most enjoyable SANS short courses you have ever taken! We have hand picked these courses for your benefit, offering them in a series that is certain to increase your knowledge and awareness surrounding the latest security topics.

Registration for these training courses can be found on the SANS Institute web site by following the links below.

SEC452 IP Packet Analysis
Instructor Larry Pesce from Care New England
February 26th, 2008 (3.5 hour course)
9:00AM-12:30PM
Registration & Course description

SEC514 Advanced Network Worm and Bot Analysis - Hands On
Instructor Steve Marcelino from Care New England
March 25th, 2008 (1 Day Course)
9:00AM - 5:00PM
Registration & Course description

SEC517 Cutting-Edge Hacking Techniques - Hands On (2-day)
Instructor Paul Asadoorian from OSHEAN, Inc.
April 15th-16th, 2008 (2 Day)
9:00AM - 5:00PM
Registration & Course Description

These training events will all be held at:

OSHEAN, Inc.
6946 Post Road
Suite 402
North Kingstown, RI 02852
Directions

Registration Discounts:

SANS offers a group discount rate for two or more individuals registering from the same organization. These courses are more challenging and fun when you attend with a colleague. We also offer a special rate of $1,200 for attending all three classes. To obtain the discount code, you must send an email to mentor@sans.org requesting the code ***PRIOR TO*** registering for this course. We cannot go back and re-register with the discount code once you have already registered.

Hope to see you all there!

PaulDotCom

February 11, 2008

SEC535 - "Set Your Router On Fire" Video

All:

We have created a promotion video for the SANS course I authored called "SEC535 - Network Security Projects Using Hacked Wireless Routers":

Sign up for this course today:

SANS Orlando (comes with your very own copy of Linksys WRT54G Ultimate Hacking by Paul Asadoorian and Larry Pesce!)

If you are interested in this course and cannot attend the Orlando conference please contact me (paul /at/ pauldotcom.com) for more information.

PaulDotCom

PaulDotCom Mailing List

All:

Larry and I have many conversations about how to best communicate with our listeners, send/receive feedback, and generally what our presence on the Internet should be. We've created a mailing list with the following intentions:

  • General Questions/Feedback - Please do still send email to psw /at/ pauldotcom.com, however Larry and I are sometimes busy and do not get a chance to respond to all emails. This mailing list can serve as a place to post questions, feedback, or general comments and the hope is that if Larry or myself can't respond, someone else will.
  • Announcements - Yes, we have a blog, podcast, and multiple RSS feeds. However, some just prefer to have a mailing list that keeps them current. We intend to use the list to announce episodes, locations where we are recording live, contests, and everything related to PaulDotCom!
  • Technical Discussion - We hope that the discussions on the mailing list will be as technical and informative as the podcast and, to a certain extent, the IRC channel. Our goal is to keep everyone educated and allow you to learn about computer security and hacking, and hopefully the mailing list helps you do that.

So come join now!

PaulDotCom

January 29, 2008

PaulDotCom Switch Commercial - Danny

Larry and I were talking one day last week about the number of listeners that have given us much of the same feedback. They all stated something along the lines of, "I used to listen to Security Now!, but now I listen to PaulDotCom Security Weekly". So, on the last podcast we asked real listeners to record their own switch commercials (audio only). I've added a bit of flavor (thanks to iMovie) and created a YouTube video of our first submission (Thanks Danny!):

Enjoy! And keep those submissions coming as we reward with fabulous prizes!

PaulDotCom

January 28, 2008

Where's My iPhone? - A Lesson In Incident Response

Introduction

Security incidents come in many forms: attackers breaking into computers, unauthorized attempts to sniff wireless networks and collect information, and stolen laptops or phones. This example is the latter, a stolen smartphone. What follows is the incident response procedure that I followed once I found out my phone had been stolen. It's not a comfortable feeling to know that someone else has control over a device containing your information. However, you must remain calm and follow some sort of incident response procedure. Sometimes this is not as easy as it sounds (as you will see below). Once the incident is over, the most important thing you must do is learn from it. Hopefully you can learn from my experience.

Some Days Are Better Than Others

This all started with one of the things I enjoy most in this world, and that's sushi (in fact Josh just pointed out that I was the one who introduced him to sushi, and now he has an entire site named after this fabulous food!). I was going out to eat with my family and was talking on my iPhone on the way. I pulled into a spot in the parking lot, got out of the car and went into the restaurant, where I draped my long trenchcoat over the chair at the table behind me. After feasting on some sushi ("slammin' salmon" roll was awesome) we paid the bill and I all of a sudden realized I did not have my phone. I searched my pockets, no iPhone. I thought, "well, I must have left it in my coat". I searched my coat, no iPhone. I searched around the table and the table behind us where my coat had been, no iPhone. I then thought, "well, it must be in the car". I searched the car, making everyone get out, all while I cursed aloud, and no iPhone. I went back into the restaurant and searched the tables again, no iPhone. The conclusion: someone had stolen my iPhone when I either dropped it getting out of the car or when it fell out of my coat pocket.

Incident Response 101: Don't Panic

So I called my wife in a panic, explaining to her how someone else now has possession of my phone, which not only contained countless pictures of our last vacation and family (mostly pictures of the dog), but also had access to ALL of my email accounts. I was on my way to a family member's house to get a flashlight to do a more thorough search of the car, as I was still in disbelief that someone stole my phone. Human instinct is a funny thing: even though I have training in computer incident response (I've even worked a few cases of data theft), I was still in great disbelief that someone would actually steal my phone. Another search through the car and, guess what, no iPhone. My only saving grace was that I left my home phone number with the restaurant in case the phone magically appeared. On my way home I still thought there would be a chance that they found my phone and called the house to tell me. I got home, no phone call and still no iPhone.

When you can't prevent or detect, react

I picked up my wife's phone as soon as I got home and dialed 611, the number for direct access to AT&T customer service. I waded my way through the options and discovered that I could report the other phone line, and its associated phone, lost or stolen right through the menu, after of course being prompted for the billing zip code. That's right, the only authentication you need to cancel the other line is the billing zip code. This means you can use anyone's AT&T phone to disconnect the other line on that account, and all you need is access to that phone and the billing zip code (most people put their address on the phone in case it's lost, how ironic). If you are a smart phone thief, you can disable the other line when you steal a phone.

My iPhone had access to all of my email via passwords stored on the phone itself. My first step was to change all of my email passwords immediately. Once that was done I also changed the PIN for my voicemail. There was nothing sensitive in my email lately (i.e. a password emailed from a credit card or bank account), but I wanted to be certain that no one used the phone to check my email. I checked the email logs on one of the email servers I controlled and it showed that no one had used it to access my email. I started feeling a little better. Calls to the phone were going directly to voicemail while the phone was missing, and my guess is that the thief turned the phone off and removed the SIM card, or the battery died. In either case I wanted to be certain there were no calls made from the phone, so we activated our account online with AT&T and checked the call logs, which showed only calls to my voicemail (which was normal, as my voicemail forwards to YouMail, which is a great service). Now I felt slightly better, and my wife, as always, put things in perspective and pointed out that it was not my car or laptop that was stolen, and that no one was hurt (however, the thought of having the opportunity to defend my iPhone appealed to me, if ever so briefly).

I did call the police, who weren't much help and told me that I need to go back to the scene of the crime or come to the station to file a report. Since the damage was done, I did not follow through with a police report. However, had I not been in such disbelief, I would have most likely called the police on the spot.

Lessons Learned

I try to look at all incidents, especially ones that have financial impact, as a learning experience. What could I have done better? Also, what can I do better/different in the future to have a positive impact on the outcome? Below is a list that I hope we can all learn from:


  • Make it easy to change passwords and access your account - Have instructions on how/where you change your email/voicemail passwords so you can do it quickly. Also, have your online account setup and easy to access so you can check your statement and/or de-activate accounts online. This could be as easy as keeping a list of local bookmarks in your browser or in a text file.
  • Report your phone stolen immediately - There were reports online about stolen phones being used to rack up $20,000+ worth of charges. It's hard to overcome the disbelief that your phone has been stolen, however better safe than sorry. It is best to report your phone stolen ASAP.
  • Get insurance - Apple Care protection extends your warranty (which I had), and is not insurance. Supposedly Apple offers some kind of insurance (according to the AT&T representative), but I am unable to find more information. Also, you may want to follow up with your home insurance provider to see if it's covered ($400 may slide under your deductible though).
  • Use a keypad/passcode lock - I did not set the passcode on the iPhone. I know, I know...silly me. However, this passcode is easily bypassed thanks to a vulnerability described here. This has to do with the "Emergency Call" feature in the iPhone, which could be used to not only make a call even though the phone is locked (which is still the case in the latest firmware) but launch applications as well. The only other method available to get around the passcode is to restore the iPhone, which would wipe all the data off of it, but still give an attacker access to your cell service if it has not already been de-activated.
  • Don't store your email passwords on your phone - This is a hard one. On the one hand we tell everyone to use good, if not great, passwords. But imagine trying to enter a 12-character password, mixing upper/lower case letters, numbers, and symbols, on your iPhone? To quote someone from the #pauldotcom IRC chat room, "Ugh.". If you do store passwords on your phone, make sure they are not used anywhere else.
  • Use security software on your phone - This is an interesting dilemma: if you hack your iPhone it most likely prevents you from applying security updates from Apple (which fix things such as the passcode bypass). These updates will break all of the modifications made to your iPhone, including the hack to change providers. However, hacking your iPhone allows you to install 3rd party applications, such as iphonelockbox, which lets you encrypt your passwords and other information on your iPhone. Apple is supposed to make available the ability to install 3rd party applications on your iPhone sometime in February 2008, so this may be a wait and see situation.
  • Smart phone, careless user - I can't live without my phone. Aside from providing the ability to send and receive phone calls, I use my phone to store contact information, check my email, send/receive text messages, take pictures, listen to music, watch TV shows/Movies, and browse the web. I should have been more careful, just as with your laptop, never let your phone out of your sight. Always be mindful of where your phone is at all times. For me, I may chain it to my belt from now on!

Conclusion

I hope that you read the above and learned something about how to protect your information. I hope that you use this information to make changes to your security strategy, whether it be protecting your personal information, or your organization's secrets.

PaulDotCom


January 27, 2008

PaulDotCom Security Weekly - Special Edition - "Things That Go Bump In The Network: Embedded Device (In)Security"

All:

This is a recorded session from my SANS Webcast called "Things That Go Bump In The Network: Embedded Device (In)Security". Information, the accompanying presentation, and resources can be found below:

Direct Audio Download

Description: Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.

Presentation: Things That Go Bump In The Network: Embedded Device (In)Security

Resources: I have collected a number of articles and papers that are relevant to embedded device security. You can find them on my del.icio.us links under the tag AttackingEmbeddedDevices.

Learning More: We do cover many of these same topics, while at the same time learning how embedded devices can be hacked and used for various things, in my SANS course titled SEC535: Network Security Projects Using Hacked Wireless Routers.

Audio Feeds: add to my PodNova

December 18, 2007

Tune Into My SANS Webcast - "Things That Go Bump In The Network: Embedded Device Security"

All:

I am excited to present my keynote presentation via a SANS Webcast. I will be speaking about why embedded devices pose a threat to your organizations, how attackers can use them to gain unauthorized access to your information, and what you can do to defend your networks. I will cover iPhone hacking, attacking web cameras, and of course wireless routers. So, go sign up today!

Who: Me (Paul Asadoorian)
When: January 24, 2007 - 1:00 PM EST (1800 UTC/GMT)
Where: https://www.sans.org/webcasts/show.php?webcastid=91511
Cost: FREE!

Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.

Register For The Webcast Here

December 14, 2007

"The Benefits Of Hacking Embedded Devices" - Paul's InformIT Article

Hot off the press is an article I wrote titled "The Benefits of Hacking Embedded Devices" and was posted today on the informit.com web site. The abstract reads:

"Embedded devices can often perform the same tasks as workstations and servers while consuming less space and power, generating less heat, and being more cost-effective. Paul Asadoorian describes why you'd want to "hack" (install new firmware on) embedded devices, and which hardware and firmware choices are the best, so you can make your $40 router do things typically found in a $600 device!"

Not only do I cover many reasons why embedded devices are so much fun to hack, but I answer the question that we get so many times, "What device should I buy if I want to hack and play with third-party firmware and/or embedded Linux?". So, enjoy and let me know if you have questions or feedback (You can use our new contact page!).

PaulDotCom

Contact Us, New Web Site, and Why I "Dislike" Voicemail

I first wanted to mention that we finally have put up a contact page, so you can Contact Us and tell us that we are doing a good job, just say "Hi!", tell us that we suck (be certain to accompany that with suggestions on how we can get better), or provide suggestions for the show. I've listed out Larry, myself, and the general podcast email separately. We love to hear from our listeners! I promise that I read every email that comes to me directly or to the podcast. If we don't respond, it's just because we are busy and it can be difficult to respond to each and every email, but we try, I promise!

Just a quick note on the web site, we are planning to get a new web site. This means a complete face-lift, better organization, more content, etc.. If you have suggestions, please send them along.

I also just configured my voicemail on my new iPhone. I am using a service called YouMail (www.youmail.com), which I like very much. However, after some travel, I realized that I hate, okay hate is a strong word, "dislike" voicemail. Many of the reasons are security related, so I thought I would share them here:

1) There is no way to identify the caller - I could call you up and leave voicemail and state that I am your credit card company and you should call me right away at the following number. Since there is no way for you to prove that, some users may panic and call the number that I leave on your voicemail. This happens to me a lot, many people have called me and left voicemail stating that "I have seen malicious traffic coming from your network, please call me at once". Why should I call you back and answer questions about my network?

2) Most voicemail systems rely on caller-id for authentication - This is just wrong. Let's start with the fact that caller-id information can be spoofed VERY easily! Why would you rely on such a crude authentication mechanism? This would allow you to access a person's voicemail, which could potentially contain sensitive information (such as some random person calling you up and leaving a message that states, "Hey, your web server at IP address x.x.x.x is compromised and they used a PHP flaw to do it"). Great, thanks. (And yes, that is just an example.)

3) It goes in clear-text - With VoIP becoming more and more popular, using voicemail to retrieve any kind of sensitive information is just plain silly. RTP (Real-time Transport Protocol) can be easily sniffed off the network, and so can DTMF. This means if I am listening, not only do I get to listen to you check your voicemail, but I get your PIN so I can go back and listen later. This is scary given that you may not control what information is left on your voicemail, because someone else is exposing the information for you.

4) It is difficult to store voicemail for long periods of time - I like to have a record of all email so I can go back and prove who said what. Such as, "Yes, we were hacked due to a weak password, here is a copy of the email where I suggested a password policy". It’s hard to do this with voicemail, unless you have a system that will email you a WAV or MP3 file (Such as YouMail).

5) You can't respond to voicemail - With an email, I can take it right off my to do list by simply replying to it. With voicemail, I have to try to call the person back, and then leave them a voicemail. But, if they are not around, we play phone tag. Then I have to leave my phone number on their voicemail, so now my information is held in someone else's voicemail box!

6) It's easy to misinterpret voicemail - I always get voicemail that I cannot understand, and it's always the company name, person's name, or phone number that goes missing. At least with email, I can read the phone number and not have to listen for it and play it back 8 times before I get the phone number.

7) It's one more thing to check and receive to-dos in - It's bad enough that I have email, instant messenger, and IRC to deal with, but voicemail too. I hope that as time goes on we will move away from voicemail as a communications mechanism. I like systems that will take the voicemail, do the speech-to-text conversion, and email it to me. However, that still does not let me respond to it via email :-(

8) The best protection that you get is a four-digit PIN - We've talked about this before: why are we, in today's day and age, limited to a four-digit PIN for authentication!?!? A four-digit PIN is easy to guess or brute force, and just plain should not be used.

Now, I'm off to check my voicemail...

PaulDotCom

November 21, 2007

Recording and Stream Notice - Episode 89

Note: Updated times!

The live stream should be active about 7:30 - 8:00 PM EDT, Friday November 23rd. We should begin recording the live show at about 8:30 PM EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream can be found at:

http://hydrogen.oshean.org:8000

Please join us, and thanks for listening!

- Larry & Paul

November 13, 2007

INSECURE Magazine Issue 14 - Attacking Consumer Embedded Devices

Recently I had the opportunity (privilege actually) of writing an article for INSECURE Magazine which appeared in issue 14 and is titled "Attacking Consumer Embedded Devices". It covers reasons why you would want to attack embedded devices, the goals of exploitation, example vulnerabilities and exploits, discovering vulnerabilities, and finally defense.

In researching and writing this article I had some thoughts that I will share (for those still reading this posting and not INSECURE magazine issue 14 :). First, it's somewhat sad that the security industry as a whole is heavily focused on vulnerabilities and exploits, instead of attack methodologies and protection of information. I think that far too many vendors, and the community as a whole, put too much time and effort into what ultimately boils down to software bugs/vulnerabilities. I know this is true because so many times I go into the first meeting with a customer to discuss a security assessment and they automatically think that I should just be scanning the network for vulnerabilities. In reality their organization, and most importantly their information, may be at risk due to other insufficient security measures such as poor physical security, end-users that will click on anything, and weak passwords. None of those problems can be solved by the latest and greatest intrusion prevention system, firewall, or vulnerability scanner. The best example that I can give is in the form of a question: if you can entice users to click a link and install software, why do you need a vulnerability to be present? This idea was underscored in "Tactical Exploitation" by HD Moore and Valsmith. I believe this is some of the most significant research/presentation to come out of the latest onslaught of conferences, including Blackhat, Defcon, and Toorcon.

So go check out this month's INSECURE mag, and remember that software vulnerabilities are but a small part of the problem we must face as security professionals.

PaulDotCom

September 30, 2007

Correction: Dangling Pointer Vs NULL Pointer

Oops! Sometimes we make mistakes on the podcast, and thankfully our listeners are kind enough to correct us. We incorrectly stated that there was not much difference between a dangling pointer and a NULL pointer, when in fact there is most certainly a difference. From listener "Mike":

A dangling pointer points to an arbitrary place in memory. A null pointer points specifically to memory address zero. Dereferencing the latter produces nasty results which vary by platform. Dereferencing the former produces nasty results which vary in crazier and less secure, (generally,) ways.

Of course, the press still may be a bit off when they report on this, calling things "new hacking techniques" as recently reported from Watchfire. Refer to this thread on the Daily Dave list for some insight. Also, check out "Exploiting the Otherwise Non-Exploitable on Windows", which came out a full year before the research from Watchfire.

PaulDotCom

August 16, 2007

"Just Plane Fun" - A "Bob" Story

We've all seen Simple Nomad's presentation from Shmoocon 2006, Hacking The Friendly Skies (http://www.nmrc.org/pub/present/shmoocon-2006-sn.ppt). And we all took notice and secured our environments from this threat, right? WRONG! Bob wrote in and told us about an experience that he had while doing some hacking on a recent short flight (just over an hour). ("Hackers On The Plane" would be a cool sequel to the cinematic brilliance that is "Snakes On The Plane".)

It all started when Bob got bored on the plane. Bad things tend to happen when Bob gets bored, so he decided to whip out his MacBook Pro and see what he could find and hack into in under an hour using the tools already installed on his laptop. Certainly this would be more interesting than talking to the person next to him or reading the airline's very own magazine. The first thing that Bob noticed was an ad-hoc wireless network called "Free Public Wifi" (Screenshot). "There must be something interesting there", thought Bob with an evil grin on his face. Associating to it yielded him an IP address on the 169.254.0.0/16 subnet, the link-local range that you get when you can't pull a DHCP address. "Well, if there is another host on this subnet, it may take some time to scan and find it", Bob thought. But wait, why not just fire up a sniffer and see what turns up? Lo and behold, a couple of minutes later:

4v1lhax0r:~ root# tcpdump -i en1 -nn -X -s0 host 169.254.35.218
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
10:54:21.339837 IP 169.254.80.136.53349 > 169.254.35.218.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

Looks like the machine told me where it was all by itself (the NetBIOS name query is broadcast, so every host on the segment sees it). Sweet! Let's start with some light scanning with "nbtscan" to find out more about the NetBIOS configuration:

4v1lhax0r:~ root# nbtscan 169.254.35.218               
Doing NBT name scan for addresses from 169.254.35.218

IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
169.254.35.218 CAMP9317 unknown unknown 00-19-e3-bd-15-fd

(NOTE: Names and MAC addresses were changed to protect the innocent, or not so innocent as the case may be)

Awesome, now we know its NetBIOS name, although Bob was hoping to get more information. We can assume that this is most likely a Windows host (what are the chances that someone on the plane is on an ad-hoc wireless network with a Linux laptop running Samba querying the network with SMB packets?). Now, let's try our trusty friend "Nmap":

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-28 10:39 EDT
Interesting ports on 169.254.35.218:
Not shown: 65530 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
6129/tcp  open  unknown
32981/tcp open  unknown
MAC Address: 00:19:D2:AF:04:DC (Unknown)
No exact OS matches for host (If you know what OS is running on it, see 

The standard TCP ports open for NetBIOS and CIFS, and some other interesting ports on 6129 and 32981. Hrm, let's do a service scan just on those two ports because they look interesting:

4v1lhax0r:~ root# nmap -T4 -p6129,32981 -sV 169.254.35.218
Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-28 10:41 EDT
Interesting ports on 169.254.35.218:
PORT      STATE SERVICE    VERSION
6129/tcp  open  damewaremr DameWare Mini Remote Control
32981/tcp open  unknown
MAC Address: 00:19:D2:AF:04:DC (Unknown)
Service Info: OS: Windows

Interesting, either someone has already 0wned this machine, or it's some weird service that is throwing a false positive on Nmap's service fingerprinting. Too bad we didn't have a copy of DameWare installed on our Parallels instance of Windows. Instead, Bob used the remaining time to throw every available exploit for Windows SMB at the target in both framework versions 3.0 and 2.7. In between exploits, attempts were made to connect to smb://169.254.35.218/c$ as administrator using various common passwords and then...."This is your captain speaking, please return all seat backs to their full and upright position, and lock all tray tables....." Blah, blah, oh well, more hacking to be done for the next flight.

Recommendations

There are many lessons to learn from this fictitious story:

1) Disable your wireless adapter when you are not using it. Not only does this improve battery life, it keeps the "Bobs" of the world away when you are traveling.

2) Enable the built-in firewall in your operating system. By simply disallowing all connections initiated from the outside, all of the above scanning and attacks could have been thwarted immediately.

UPDATE: While this recommendation is good for general wireless network usage, I am told that ad-hoc networks bypass the local Windows firewall. Anyone know of any good Windows client firewalls that will block connections via ad-hoc networks? Add in here that you should configure your wireless adapter to never connect to ad-hoc networks, nor create them.

3) Scan your system regularly. Systems should be scanned at least on a weekly basis for open ports. This can be easily scripted with Nmap, or even done with Nessus. If your client or server machines have dropped shields and show they now have DameWare installed (and you don't use DameWare) you want to know about it for sure! I Nessus scan my servers weekly and review the reports to be certain that my firewalls are working and configured properly, that there are no new vulnerabilities on my servers, and that I don't see any new listening programs. The same can be done for clients...

4) Disable the administrative shares. I know, this breaks all kinds of stuff. At least if you are not going to disable them, put in a local account and password policy so that the LOCAL administrator account gets locked when you try different passwords. Also, do your clients really need to be sharing out files with NetBIOS locally? Make certain you have a good network storage facility to curb users from having to share files between workstations, and more importantly share them with the hackers on the plane.
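Recommendation 3 above (scan regularly and notice new listening programs) is easy to automate. What follows is an added example, not code from the original post: a small POSIX shell script that parses nmap's grepable output (-oG) and prints the ports open in the latest scan that were not open in a known-good baseline. nmap itself and the weekly cron run are assumed; the demo function feeds the parser constructed scan output modelled on the story above (not real scan data), so it runs offline.

```sh
#!/bin/sh
# Weekly open-port diff against a known-good baseline, built on nmap -oG.
# Example code (not from the post). Assumed real-world use, with nmap installed:
#   nmap -p- -oG baseline.gnmap 10.0.0.0/24   # once, when the hosts are known good
#   nmap -p- -oG current.gnmap  10.0.0.0/24   # weekly, from cron
#   new_open_ports baseline.gnmap current.gnmap   # prints what appeared since

# Print "host port/proto service" for every open port in a -oG file, sorted.
# A grepable line looks like (fields are tab-separated in real nmap output):
#   Host: 10.0.0.5 ()  Ports: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///  Ignored State: closed (65533)
open_ports() {
    awk '
        /^Host: .*Ports: / {
            host = $0; sub(/^Host: /, "", host); sub(/[ \t].*/, "", host)
            ports = $0; sub(/.*Ports: /, "", ports); sub(/[ \t]*Ignored State.*/, "", ports)
            n = split(ports, entry, /, */)
            for (i = 1; i <= n; i++) {
                # entry layout: port/state/proto/owner/service/rpc/version/
                split(entry[i], f, "/")
                if (f[2] != "open") continue
                printf "%s %s/%s %s\n", host, f[1], f[3], (f[5] == "" ? "-" : f[5])
            }
        }' "$1" | LC_ALL=C sort
}

# Lines present in the current scan but absent from the baseline.
new_open_ports() {
    base=$(mktemp) || return 1
    open_ports "$1" > "$base"
    open_ports "$2" | LC_ALL=C comm -13 "$base" -
    rm -f "$base"
}

# Offline demo on constructed -oG output: the baseline has the usual
# Windows ports, the "current" scan also shows 6129 (DameWare) and 32981.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/baseline.gnmap" <<'EOF'
# Nmap 4.20 scan initiated (constructed sample, not real output)
Host: 169.254.35.218 ()	Status: Up
Host: 169.254.35.218 ()	Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///	Ignored State: closed (65532)
EOF
    cat > "$dir/current.gnmap" <<'EOF'
# Nmap 4.20 scan initiated (constructed sample, not real output)
Host: 169.254.35.218 ()	Status: Up
Host: 169.254.35.218 ()	Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 6129/open/tcp//damewaremr///, 32981/open/tcp/////	Ignored State: closed (65530)
EOF
    new_open_ports "$dir/baseline.gnmap" "$dir/current.gnmap"
    rm -rf "$dir"
}
```

Run once to create the baseline, then let cron run the scan and the diff weekly and mail the output; an empty diff is the normal case, and any line that does appear (a client suddenly listening on 6129/tcp, as in the story) needs an explanation before it is folded into the new baseline. Keep the baseline file somewhere the scanned hosts cannot write to, or the first thing a compromised host's new service will do is become "expected".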

PaulDotCom

August 12, 2007

Upcoming PaulDotCom Interviews

All:

We would like to announce that the next two weeks we will be conducting two interviews with some very special guests:

August 16, 2007, 7:00PM EST (Streaming Link) - Interview with Tim Rosenberg and Dwight Hobbs from www.whitewolfsecurity.com, who will be providing the technical "arena" for the upcoming ICE games

August 23, 2007, 7:00PM EST (Streaming Link) - Interview with Ed Skoudis, Tom Liston, and Mathew Carpenter from Intelguardians to talk about VM Escaping and the research that they have been doing on this topic.

The above two recordings will serve as the podcasts for those weeks. Moving into September, we will be discussing the happenings at Black Hat and Defcon hopefully in some more detail, discussing current events, and providing you with even more fantastic technical segments (we have a great one we are working on called "Just Plane Fun")!

PaulDotCom

July 31, 2007

Escaping From The Virtualization Cave

On Friday, July 27, 2007 a very tired member of the PaulDotCom crew sat in a standing-room-only room at SANSFIRE 2007 to hear about the latest research in VMware escaping (or really any other virtualization technology). VMware escaping you say? What's that? Ed Skoudis, SANS Instructor and co-founder of Intelguardians, true to form gave the perfect analogy (and it didn't have anything to do with the Matrix!). Think of virtualization as a cave, and you are trapped inside (just like the "guest" OS). Outside the cave there is a gigantic monster. Every time you try to escape from the cave, you get squashed, pushed back in, or even have your legs cut off and re-attached facing the opposite way. No matter what you do, you can't escape the cave, unless of course your name is Tom Liston...

Tom and Ed went on to describe all of their attempts to escape from the cave. Spawned from this were many attempts and tools that start with "VM", including VMChat, VMftp, VMcat, and my favorite VM-Drag-N-Sploit. All of these tools allow for some communications between the guest and the host, or between two guests running on the host (Fool Moon Blog has a good write-up on all the tools, located here). While these tools are interesting, they are not a "true" escape, as they only allow file transfer and/or require end-user interaction.

But with Ed calling Tom every day for a year and asking, "Do you have a VM escape yet?", Tom was motivated to break out from the cave. The first, and most obvious, method was to exploit a known vulnerability in the form of a directory traversal. While this is close to a full escape, it is still a directory traversal at its core. This directory traversal was disclosed by iDefense, reportedly from an anonymous source. You can find a full write-up here (CVE-2007-1744). Apparently, Ed, Tom, and their team aren't the only ones interested in VM escaping. This also became apparent when another Intelguardians member, Jay Beale (he's a genius, right?), saw a presentation at the most recent CANSECWEST on VM escaping using QEMU. It was interesting to see how many of the vulnerabilities in that research applied to all of the other VM products, many of which centered around the ne2000 network driver and video card emulation. You can find the research in this area from a Google employee named Tavis Ormandy here, titled "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments". They stressed that these emulation drivers were important, and especially the video one...

So, enough already, get to the escaping! Ed and Tom had to get special permission to give the talk and release the details, which is why the next section was light on details, and answers were vague. Tom demonstrated a program running on the guest, which took a minute or so to run, then crashed the guest and ran a program on the host. W00t! VM escape by blowing up the cave. I asked Tom if that works with a fully patched version of VMware and got an answer of "portions of it", and couldn't get any more information, and for good reasons I'm sure.

The bottom line is that you cannot trust virtualization products to provide security. You should keep up to date on all the patches and design your security architecture such that you do not expose sensitive data in the case of a guest breaking out of the cave.

What is interesting is that just after this presentation, more vulnerabilities for VMware were released!

http://www.milw0rm.com/exploits/4245
http://www.milw0rm.com/exploits/4244
http://www.milw0rm.com/exploits/4240

While these may not lead to escaping (the exploits were non-specific on this topic), they are interesting nonetheless.

Cheers,

Paul "PaulDotCom" Asadoorian

Resources:

http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf - Tom and Ed's presentation from 2006, before they could release many of the details.

http://www.cutawaysecurity.com/blog/archives/170 - Cutaway's blog posting on the subject.

June 25, 2007

Contest Winner and Book Availability

All:

First, let me remind all of you that the official web site and blog for our "Linksys WRT54G Ultimate Hacking" book is alive and well! So, go to http://wrt54ghacks.com right now for up-to-date information, behind the scenes pictures, WRT54G Hacking Links, and more! We are very excited to have completed the book, and even more excited to continue to provide information on embedded device hacking via the http://wrt54ghacks.com web site and blog.

First order of business, our book is shipping! W00t! You can purchase it via Amazon by clicking here.

Next, we have a winner of our book contest! The contest was to be the first person to send us a picture of themselves with the book. Doing so would win you (Compliments of the PaulDotCom Security Weekly Crew):

And the winner is......Dave! Who submitted a wonderful picture of himself holding the book and two WRT54G routers (whoops, don't drop one :).


Congrats Dave!

Stay tuned, good things coming...

Paul "PaulDotCom" Asadoorian

June 04, 2007

Security Training Announcements

All:

I would like to announce some upcoming courses that we are teaching through the SANS Institute:

  • Stay Sharp: Defeating Rogue Access Points North Kingstown, RI Wednesday, July 25, 2007, 8:30 AM - 11:30 AM, Instructor: Larry Pesce
  • Stay Sharp: Google Hacking and Defense North Kingstown, RI Wednesday, August 29, 2007, 8:30 AM - 11:30 AM, Instructor: Larry Pesce
  • SEC535 Embedded Device Hacking, SANS NS 2007, Las Vegas, Friday, September 28, 2007 : 9am - 5pm (Includes a WRT54GL Wireless Router!), Instructor: Paul Asadoorian

You can register for SANS training via our click-through at http://pauldotcom.com/sans/

Hope to see you there!

PaulDotCom

May 29, 2007

Ultimate WRT54G Hacking: The Sample Chapter

All:

After almost a year from when we had the first spark of an idea to do something with a WRT54G and hacking, we are very proud to announce the release of the sample chapter and table of contents:

Table Of Contents

Chapter 3: Using Third-Party Firmware

The complete book will be available for purchase after June 15th. We are in the process of scheduling and booking appearances on various podcasts and interviews, so if you would like to have us on your show, just drop us a line and we will put you on the book reviewer list.

The official WRT54G Hacking book web site will feature errata, new projects, pictures, and updates to any/all of the projects in the book. It is still under development and will be released with the book in June. The link will be:

http://wrt54ghacks.com

Look for some updates in the coming weeks.

Cheers,

Paul & Larry

May 14, 2007

May 22nd - Using Metasploit Course For OSHEAN and Tech Collective Members

The first Using Metasploit course was a great success. We piloted the "Hacking Challenge" where students form teams and score points for various hacking activities. The second Using Metasploit course has seats available so sign-up today!

When: May 22, 2007

Where: OSHEAN (646 Camp Avenue, North Kingstown, RI)

Phone: 401.886.0887

Time: 8:30AM to 4:30PM (lunch will be provided)

Cost: $200.00

For more information please call Melissa at 401-521-7805 x109 (you may also inquire about becoming a member of Tech Collective). If you have any questions, please feel free to contact me at paul /at/ pauldotcom.com. We will be running two more of these courses as well as part of a series.

Paul

April 16, 2007

Metasploit Course For OSHEAN and Tech Collective Members

If you are in the Rhode Island area and are interested in training courses that will cover using the metasploit framework and other exploit goodness then you are in luck!

I will be teaching the metasploit course twice in May:

When: May 8th & May 22nd

Where: OSHEAN (646 Camp Avenue, North Kingstown, RI)

Phone: 401.886.0887

Time: 8:00am to 4:30pm (lunch will be provided)

Cost: $200.00

For more information please call Melissa at 401-521-7805 x109 (you may also inquire about becoming a member of Tech Collective). If you have any questions, please feel free to contact me at paul /at/ pauldotcom.com. We will be running two more of these courses as well as part of a series.

Paul

April 01, 2007

PaulDotCom Live From SANS San Diego 2007 - Streaming Notice

We tried this from Shmoocon 2007 with an EVDO connection and learned a great deal :) Now we have a good Internet connection and plan to stream the live show from SANS to the Internet in near real-time.

Come hear us entertain the SANS students, talk to audience members, and present some of the cool WRT54G projects from our book.

The live stream should be active at about 5:30 PM PST, Wednesday April 4, 2007.

When active, the live stream can be found at:

http://hydrogen.oshean.org:8000

We have found that VLC is the best program to use when listening to the stream (ogg). It runs on Linux, Windows, and OS X. Please join us, and thanks for listening! Tell all your friends!


The PaulDotCom Security Weekly Crew

March 29, 2007

Major Malfunction = Larry Pesce

This past weekend Major Malfunction presented on and released his RFIDiot tools at Shmoocon. I was in attendance and had the opportunity to talk with him earlier in the weekend.

He presented his tools, all based in Python, to the audience and demonstrated a number of cloning attacks, as well as the ability to read the new UK passports. The UK passports contain all of the information needed to create a new one - including a digital version of the picture.

The challenge that he faced with the passports is that a key is required to read the RFID chip. However, he was able to obtain all of the information needed to brute force the required key in only a few hours, using only the information printed on the envelope.

It also seems that Major Malfunction has a keen interest in cloning of humans. Well, not so much the humans, but their implanted RFID chips. As you may be aware, I have an implanted chip, and spent some time on stage with Major to have him clone me in front of a live audience. He was successful in cloning my chip, and was able to utilize it to unlock my laptop.

Now you may be asking, "Why would Larry allow someone to clone his implanted chip?". The reasons are simple:

  • The number is publicly available from the video of the implantation [view it here]. It was always intended to be public.
  • The implant was done for research and education. To me, assisting in the demo was the perfect opportunity to educate about the insecurities in RFID. I'm taking the