Monthly Archives: February 2009

Want to learn more about Social Engineering?

Filed under Social Engineering

Of course you do!

If you don’t know who Chris Nickerson is…then you should. Chris is the founder of Lares Consulting, was on the Tiger Team TV show and is also a frequent speaker at security conferences, where he talks about tiger team/red team operations. He also talks about how social engineering is more important than ever to include in your penetration testing program. I couldn’t agree more! In fact, he’s giving a free webcast with Mike Murray on March 10th called “Modern Social Engineering – A Vital Component of Pen Testing”.

Via the Carnal0wnage Blog:

“The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. So what is the next step in the never-ending escalation of this cyber war?

To find out, we must do as Sun Tzu taught. “Think like our enemy!” That is, after all, the primary tenet of penetration testing AKA ethical hacking, isn’t it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads… literally. It is only a matter of time before corporations feel the pain of wetware hacking requiring a new approach to testing and defense.”

You can sign up for the webcast here. Also, Chris and Mike are doing a “Social Engineering Master Class” at ChicagoCon this year which looks awesome! Looks like there are only 25 seats, so check it out if you can. Interestingly enough, Chris has just started blogging, so be sure to check out his blog. If that wasn’t enough…we (Security Justice) recorded a special edition podcast with Chris in which he talks about his adventures on the Tiger Team TV show.

Using 25 random things against you

Filed under Social Networks

I have been seeing a bunch of friends on social networks filling out these “25 Random Things About Me” surveys. I just saw another one going around called “44 Odd Things About You” as well. I remember a similar type of activity being passed along in email several years ago, but now it has made its way to social networks such as Facebook and MySpace. Here is what the request looks like once you have been “tagged” by one of your friends:

RULES: Once you’ve been tagged, you are supposed to write a note with 25 random things, facts, habits, or goals about you. At the end, choose 25 people to be tagged. You have to tag the person who tagged you. If I tagged you, it’s because I want to know more about you.

This sounds fun and like a good way to network with your friends; however, let me tell you why putting in this information might be a bad idea.

What’s the big deal? This is fun…right?
One of the basic rules everyone should be following when using social networks is that you should consider everything you post as public information. For example, would you write down these 25 random things about you, stick your name on it, make copies and put them in the mailboxes of complete strangers in your neighborhood? Are all of the people you are friends with truly your friends? Will they always be your friends? How is your profile configured? Have you looked at your “Notes” application settings in Facebook? More importantly, do you allow your profile to be searched by search engines? If you posted these 25 random things to your profile and/or wall, you may have inadvertently allowed these things to be found by total strangers. Remember, personal information on social networks always seems to get out even if you do use the correct privacy settings…sometimes through no fault of your own.

Can I haz your password plz?
With these 25 random things about you, someone may even be able to use your answers to gain access to your email, other social networks, bank accounts, etc…why? Check out this list of questions that are asked when requesting a “lost password” or “password reset”. Many of these are from online banking and other sensitive web sites, and they look remarkably similar to…25 random things about you.

Think this doesn’t happen? This type of attack did happen to Vice Presidential candidate Sarah Palin last year. A hacker was able to reset her Yahoo email account password using information he found on her publicly accessible Wikipedia page. Here is a quote from the Sarah Palin hacker:

“…after the password recovery was re-enabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was where did you meet your spouse? did some research, and apparently she had eloped with mister palin after college, if you look on some of the screenshots that I took…so graciously put on photobucket you will see the google search for palin eloped or some such in one of the tabs.

I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on Wasilla high I promptly changed the password to popcorn and took a cold shower”

This could happen to anyone! So by knowing some of your 25 random things, someone may be able to reset your passwords, impersonate you or even cyberstalk you. My advice? Don’t fill these things out, or keep your answers to these surveys very general and not too detailed. Email might even be a safer place for this type of information… Stop and think before you post overly detailed information about your life on social networks…it can all potentially be used against you.

What to attend at ShmooCon 2009

Filed under Hacking

I’m here in DC getting ready for ShmooCon which starts tomorrow. I had some time to blog before things get crazy later tonight when everyone starts to arrive for the con.

UPDATE: Ummm…someone *may* have hacked the Windows kiosks at the hotel…saw Ubuntu loading on one and Howard the Duck playing on another…probably shouldn’t use those kiosks, huh?

Anyway, I thought I would share some first impressions of the talks and what I will probably attend. Keep in mind, there are lots of great talks going on all weekend and it will be really hard to make all the ones I want to see, but here is my short list of not-to-miss talks:

Friday, February 6th

Open Vulture – Scavenging the Friendly Skies Open Source UAV Platform
Ethan O’Toole and Matt Davis

An open source UAV? How friggin’ sweet is that? Now you too can spy on your own neighborhood… :-)

Building the 2008 and 2009 ShmooBall Launchers
Larry Pesce and David Lauer

Of course I will be in this one! Dave from Security Justice and Larry from PaulDotCom will be talking all about the new ShmooBall launchers for this year. Dave and Larry never disappoint and I assume there will be some surprises as well.

Decoding the SmartKey
Shane Lawson

I love physical security just about as much as information security so this one should be interesting. Shane will talk about how to decode the Kwikset SmartKey with materials costing under $5.

Podcasters Meetup/HacDC party

I will be there along with Matt and Dave from Security Justice. Looks like we are going to do a live show at 8pm, give away some prizes, start FireTalks then party with the folks from HacDC. Check out the podcasters meetup site for more details on times and official schedule.

Saturday, February 7th

Radio Reconnaissance in Penetration Testing – All Your RF Are Belong to Us
Matt Neely

My friend and fellow co-host of the Security Justice podcast, Matt Neely, is doing a talk on ways to use radio reconnaissance in pentests. Matt does a ton of research with wireless, so it should be really interesting to see what new techniques he has come up with. I hear that Shmoo Balls may be launched during this talk… :-)

Fail 2.0: Further Musings on Attacking Social Networks
Nathan Hamiel and Shawn Moyer

I was at BlackHat last year and saw Nathan and Shawn’s talk titled “Satan is on my friends list”. These guys do great research on social network security and I am looking forward to seeing the new stuff they came up with for this year. As a bonus, they should have AFF (Adult Friend Finder) pr0n and related adventures. ;-)

Man in the Middling Everything with The Middler
Jay Beale

Jay Beale is speaking once again about the Middler! You may remember the Middler was to be released at Defcon last year…that didn’t happen for a bunch of reasons. However, I think Jay will finally be ready to release it! Jay is a great presenter to boot…I highly recommend you attend this one. Another talk where you should beware of Shmoo Ball cannon fire…

802.11 ObgYn or “Spread Your Spectrum”
Rick Farina

All Your Packets are Belong To Us: Attacking Backbone Technologies
Enno Rey and Daniel Mende

The Fast-Track Suite: Advanced Penetration Techniques Made Easy
David Kennedy

You may remember Dave from one of the first Security Justice Special Editions last year. Dave will be going in depth with the Fast-Track suite which is part of Backtrack 3. Knowing Dave, I’m sure he will be talking about and/or demoing new features in Backtrack 4. Shmoo Ball cannon may make an appearance…

Sunday, February 8th

Enough with the Insanity: Dictionary Based Rainbow Tables
Matt Weir

Yes! Improvements to rainbow tables…can’t wait!

RFID Unplugged
3ric Johanson

Looks like RFID is going to be torn apart in this one…good stuff! I’m interested in the PayPass vulnerabilities he is going to talk about.

0wn the Con
The Shmoo Group

Want to know what it takes to put ShmooCon together? Be sure to check out this talk and learn how it’s all done.

If you are around the con send me a tweet on Twitter or stop by the Podcasters Meetup if you want to chat! Hoping I can blog and/or live Tweet from some of the talks.