Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
PaulDotCom Security Weekly - Episode 229 for Thursday February 3d, 2011.
- Register for Blue Teams: "Don't Call It a Comeback" presentation with Core Security Technologies on Tuesday, February 15th, 2011 at 2pm EST]
- Get involved in the PaulDotCom Community - We have an all new Video Edition of the podcast. You can subscribe to PaulDotCom TV via iTunes, or visit the PaulDotCom Blip.tv channel (http://pauldotcom.blip.tv), and PaulDotCom YouTube Channel for all new videos, technical segments, and how-tos. Don't forget the PaulDotCom Insider, where you can access special content from our webcast series, the PaulDotCom Mailing list, and our IRC Channel #pauldotcom on irc.freenode.net.
Guest Interview: Andrew Lockhart
Andrew is currently a Senior Security Engineer for a large embedded device designer and manufacturer where he specializes in security architecture review, protocol development and analysis, source code auditing, and reverse engineering. In a previous life Andrew wrote the first and second edition of O'Reilly Media's "Network Security Hacks," was the Lead Security Guy for a wireless security vendor, and wrote an experimental wireless IDS.
- What kinds of security protections are available for embedded systems? On full-size systems we have DEP, ASLR, and anti-virus, do these things exist in the embedded space?
- What needs to happen before manufacturers take security on embedded systems seriously? Botnets?
- Are smart cards the answer to security on entertainment systems? Example, My tivo uses this thing called a "multi-stream card", which is basically a smart card.
Guest Tech Segment: Foundstone's Brad Antoniewicz on ProxBrute
Brad is the leader of Foundstone’s network vulnerability and assessment penetration service lines where he focuses on internal, external, web application, device, and wireless vulnerability assessments and pen testing. Brad developed Foundstone’s Ultimate Hacking: Wireless class and is a contributing author to the Sixth Edition of Hacking Exposed: Network Security Secrets & Solutions as well as the Second Edition of Hacking Exposed: Wireless .
You can also find more in his whitepaper that describes general RFID functionality and ProxBrute further.
Quick Note about How Proximity Card Systems Work
Proximity card access systems are essentially RFID chips embedded within a commonly credit card sized tag which is then used to provide the holder with access to a room, office, or building. As the tag enters the reader’s (commonly on the wall, next to a door protecting the area you’re trying to access) magnetic field, the reader powers up the tag, and then the tag and reader communicate. This communication occurs over a set frequency which is defined by the standard that the tag and reader follow. During this communication, the tag transmit’s its identifier (stored on the RFID chip) and the reader sends that down the wire to a backend database which validates it. The backend system triggers the door to open, and you walk in.
The reader and tag must follow the same standard in order to properly communicate, and as one might expect, there are a lot of standards to follow. This entire tech segment focuses on the ProxCard II cards, so keep in mind that even though the large majority of card access systems use this technology, it is not the only one that exists.
Standard Proxmark3 Cloning
The Proxmark3 is a highly customizable, RFID testing device. It currently has built in functionality to perform basic ProxCard II Cloning. That functionality was enhanced by a forum user named “samy”, who tied the cloning functionality into the external button located physically on the proxmark3. This functionality is called standalone mode and does not require the use of a computer to clone and replay tags.
Brute Forcing with ProxBrute
ProxBrute is a relatively simple modification to the proxmark3 firmware which enables brute forcing of tag values. The current implementation supports a particular type of brute forcing which requires the knowledge of a field of the tag’s value called the site code. The site code is commonly shared among employees working within the same company, so by reading any pre-existing tag, you can attempt privilege escalation. Additional attacks can be implemented which use more intelligent methods to brute force these values so that a site code is not needed.
Stories For Discussion
- New Tattoo - [PaulDotCom] - Once Larry sees this, I bet its a week or so before he's sporting one too :
- Tips for OS X Security - [PaulDotCom] - this is a very basic list of OS X security, but something you should be doing and recommending to your customers (and your organization) as a standard for OS X. My fear is that many of the problems, particularly vulnerable software and few security protections in the kernel, will continue to allow attackers to rape this platform. I hope David Rice has a cape.
- Core Discovers Webex - [Pauldotcom] - I really like this vulnerability, a lot, and not just because sexy Alex Horan wrote the blog post, its a really cool vulnerability (Alex will be on next week's show). If you've attended a webex, they install software on your workstation, how many people do you think actually remove that software? This software does not get updated, I believe until you view another webex. Then people get busy and forget to remove it, the same way you forget about that box containing valentines day cards from your ex (Yes, Alex, this happened to me too, its not pretty, but gifts and money help you climb out of the "Grey area"). So now, an attacker can send you a file, which gets opened in webex, and buffer overflows prevail. I like being able to include webex in my social engineering attacks.
- How not to do mobile banking - [Pauldotcom] - And here I thought multi-function printers were the only things that stored credentials in clear-text.
- The end of IP(v4) as we know it - [pauldotcom] - this is coming to be more of a reality, IPv4 will not be around, so lets byte the bullet and embrace IPv6. I will get us started, "I LOVE IPv6!". Johannes brings up good points, like yes there is wasted IPv4 space, but even with that it doesn't help. Also, its costly to take back IP addresses (I have personally participated on projects where IP space had to be converted, moved, and given back, its NOT pretty). So, stop bitching about all those people with /8, it doesn't help. How many IP addresses do you personally use? I share one with my family for home Internet, my phone will grab another one, my aircard may grab one, albeit not at the same time, but eventually this will be a major problem.
- Nmap 5.50 Released - [pauldotcom] - Lots of new features, NSE overhaul, and more. I like the support of DNS Discovery protocol, love this stuff. I like to scan the network, but its noisy. Anytime I can collect information about hosts, services, and vulnerabilities without direct scanning its a huge win. Btw, Fyodor is sexy too... Also, Nmap has always compiled cleanly for me, so other open source projects take notes (*cough* snort *cough*).
- To Phish or not to Phish, that is the question - [pauldotcom] - "The problem with pentesters phishing ... is that it does more harm then good for the organization. Without the education piece following a phish, you setup the organization to ban the practice." So, thoughts? I agree with Chris, if one 0day client-side exploit causes the integrity of your entire network to crumble, you should know this. You should also know how much effort goes into successfully phishing your organization. If it takes a pen test team a day, you need to make it more expensive for attackers to do this.
- Cisco Root - [Larry] - For Tanberg units. Root, no password, enabled by default. Oh no you didn't….
- Hacking High School - [Larry] - No, not the actual high school, but a competition for high school students. Seems like it might be a good creative outlet for angsty yutes.
-  - [Larry] - We don't do enough on forensics, so here's a bit. Recovering passwords from OSX from memory dumps, from dumping the memory to password extraction, this might be helpful on your next pentest.