Here is a pretty cool project that I stumbled upon over at Security Catalyst. The concept is to have a “Honey Pot for mobile storage devices” but each mobile storage device (USB key, iPod, etc…) in reality becomes it’s own “Honey Stick” where the researcher can safely track how many people are plugging these devices into their computers. The hope is that by leaving these devices around in public areas, someone will pick them up..and plug them in. There is even a psychological aspect to this because the researcher, Scott Wright, is actually finding people that want to return these found devices to the owner!

While there may be some privacy concerns conducting this type of public experiment…Scott seems to have done his homework on this project thus far. I am looking forward to reading more about his results as the experiment continues. He has results for his first “stream” here. Check out the Honey Stick Project web site for full details and information.

This time 4.2 million credit cards were exposed. I personally smell a bit of TJX in this one…

“The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization,” said Hannaford CEO Ron Hodge, in a statement posted to the company’s Web site.

The key phrase being “transmission of card authorization”. Sniffed? Bad Wifi security? Only time will tell…much speculation at this point. However, Securosis.com has some good speculation about what might have happened.

Interview with GNUCITIZEN – Part 1
Interview with GNUCITIZEN – Part 2

“Yes, you can read and write main memory over firewire on windows.
Yes, this means you can completely own any box who’s firewire port you can plug into in seconds.
Yes, it requires physical access. People with physical access win in lots of ways. Sure, this is fast and easy, but it’s just one of many.
Yes, it’s a FEATURE, not a bug. It’s the Fire in Firewire. Yes, I know this, Microsoft know this. The OHCI-1394 spec knows this. People with firewire ports generally dont.”

This LuciData “hack” doesn’t crack disk encryption at all. If the laptop was powered off..that’s a different story. Like Adam says…if you have physical access to a live computer there are lots of attacks you could do..not just the firewire one. Before we announce that the sky is falling…lets get the real details first please. If you are using any disk encryption (not just Pointsec) you should be using pre-boot authentication anyway as this is what most vendors recommend as a best practice for a corporate deployment.

This isn’t breaking news by any means. There are hackers all over the world trying to do the same things that they are, and they are not necessarily in China. I would bet that this group is nothing more then a bunch of script kiddies just looking for the attention of the US media. Sure, there are vulnerabilities in many, many web sites…some of them even high profile, however, I have my doubts that these guys have serious “skills” given the fact that they have a web site with over 10,000 registered users that distributes hacking software. The site “offers tools, articles, news and flash tutorials about hacking”. Anyone can run a tool or copy a script…what makes these guys so different? How can you really prove that the Chinese government even paid these guys to hack into the Pentagon?

Never fear…this is just media hype over US/Chinese relations and the potential “cyber war”. I am sure this won’t be the last either from these big media organizations.

On a related note, there was a good blog post over on Princess of Antiquity about some potential engineering solutions to this vulnerability you may be interested in reading about as well as some potential mitigations to this vulnerability that are being discussed. I actually like her quote at the end of her post:

“What we should remember is that no matter how strong your lock is, if you leave the key lying around, you might as well leave the door wide open.”

How true!

The webcast talks about the motivations for performing penetration testing to improve the security stance of an enterprise and covers some in-depth Windows command-line tips that can help penetration testers use Windows machines more effectively during a penetration test.

You can download the slide deck from Core Security Technologies here.

There are a ton of articles already about this new threat so I won’t bore you with the details…however, I have found one posted by Rich over at Securosis.com that sums up the entire issue and what risk this might have for your organization.

One thing I would like to highlight in his article is that you should contact the vendor of the hard disk encryption product you use to see if they plan to address this new vulnerability. It will only be a matter of time until the first tool is out there in the wild and actively exploited on stolen laptops.

Foundstone always puts together great research and releases great tools.

The other day Foundstone released a whitepaper describing all of the new and old 802.11 (Wireless) attacks. The paper gives some really good information about AP Impersonation, Rogue Access Points, Implementation Attacks (WEP, Dynamic WEP, WPA/WPA-2 cracking, including the Cafe Latte attack). The paper even goes into wireless client adapters and wireless DoS attacks.

If you conduct wireless penetration tests or want to know more about wireless security, I highly recommend you read this paper. You can download the 802.11 Attacks whitepaper directly from Foundstone.

Last week I spoke at a local security professionals user group about Automated Penetration Testing with CORE IMPACT (from Core Security Technologies). There has been some great developments in the automated penetration testing area recently with commercial tools like CORE IMPACT and Immunity’s CANVAS. However, lets not forget about recent advancements with open source solutions like Metasploit 3. All of these products perform automated penetration testing.

Instead of posting my slide deck I will highlight some of the key points below. Note that this is presented from the perspective of a customer, this was not a sales pitch for CORE IMPACT even though they do have a great product. Next month I will be speaking about Metasploit 3, specifically talking about the autopwn feature which automates exploiting network hosts. One thing I want to mention, automated penetration testing should never replace detailed manual penetration testing! You should use these tools to supplement your tool kit, not replace them!

First, some background on automated penetration testing tools:

What makes a good penetration testing framework?
A framework should be platform independent. Meaning, it should be able to be installed on on Windows, Mac, or Linux. A good exploit collection w/regular updates are also important. Third, an intuitive and robust GUI should be included. This is really to make sure everyone on your pen test team can quickly pick it up and use the product with very little training. Next, you need to have the ability to add new exploits! This is important because you may need to create an exploit for a custom application or even a new one that you may discover. Along that same line is that the product should be open source or have the ability to customize and view the exploit code. Finally, good reporting tools should also be included since the is one of the challenges of pen testing, report generation.

What frameworks are available?
Several commercial and open source penetration frameworks are available. Ones listed towards the bottom of this list are more specialized (example, there are ones specific web application and email gateway testing).

Commercial Tools
CORE IMPACT
Immunity Canvas

Open Source Tools
Metasploit Framework
Inguma
Attack Tool Kit
SecurityForest
BeEF (Browser Exploitation Framework)
PIRANA (email content filtering framework)
w3af - Web Application Attack and Audit Framework

What is CORE IMPACT?
CORE IMACT is a commercial penetration testing framework. The product uses a common pen test methodology:

-Information Gathering
-Attack and Penetration
-Privilege Escalation
-Clean Up and Reporting

CORE IMPACT provides network, client-side and web (SQL Injection and PHP remote file inclusion) RPT (Rapid Penetration Test) functions. It is easy to use (almost too easy) and is safe because all the exploits are tested by the CORE IMPACT development team before being released to customers. In addition, you can develop your own custom modules and exploits in the Python scripting language. Finally, lets not forget about the pretty reports that CORE IMPACT can give you via a Crystal Reports back end.

How does it work?
You basically launch agents and modules against target systems from the console.

Agents- Small programs you install on compromised systems and use to advance an attack. These agents are memory resident! (think Metasploit’s meterpreter). The level of agents give you additional functionality (example: pivoting)

Modules- Operations that can be launched against target systems. Examples: OS fingerprinting, port scanning, and targeted exploits.

You can also view detailed information about target systems. CORE IMPACT also keeps a record of all activity, module output, and the results of attacks. Good to know if you ever need to go back and prove that it wasn’t you who crashed a system or network device!

Cool Features
Hands down, pivoting, is the highlight of the product. For example, you can use a compromised host in a DMZ like a web server and then use that host to scan and attack other hosts on an internal network. You can do this with Metasploit and Netcat as well but CORE IMPACT does it much more smoothly. Some other features worth mentioning:

-Collect Windows password hashes in-memory
-Log keystrokes, sniff passwords and hashes
-Collect saved login credentials from popular applications such as Internet Explorer, Firefox and MSN
-Install agents with valid user name, password, hash combinations
-MSRPC fragmentation and traffic encryption (Test IDS/IPS defenses)
-Ability to import vulnerability scan data (Nessus, Qualys)

Limitations
CORE IMPACT comes pretty close to perfect, however, I have found a few limitations:

Importing external vulnerability data can be slow and buggy. If you have very large Nessus NBE files, it can take a long time to import these files. I have had the console crash with large amounts of data being imported. That being said, the console is sometimes unstable. This was a big problem in version 6, however, version 7 is much more stable. When the console crashes, it causes all of your agents to disconnect. Do you know Python? If so, great! If not, you should if you want to tear apart existing exploits or create your own.

CORE IMPACT won’t tell you everything able to be exploited on a host! CORE IMPACT is designed to quickly exploit and get you root or admin access on a host! If there are other ways in or other misconfiguration, the product will probably miss those. Hence, the reason you still need to do manual penetration testing of your network and need to have a detailed vulnerability scan competed as part of each assessment.

Finally, CORE IMPACT is expensive! If you work for a small company you may not be able to afford it! However, if you think about how much a third-party penetration test would cost your company per year, you could easily justify this cost to do this on your own.

Conclusion
CORE IMPACT is a fantastic product. If you need to quickly conduct a penetration test to assess your environment CORE IMPACT will efficiently and safely do the job for you. However, CORE IMPACT is expensive so you may have a hard time justifying the cost to your company. If cost is an issue, Metasploit 3 or another open source product may be a better option.

The infamous Cult of the Dead Cow (cDc) has released a very cool Google vulnerability scanner called Goolag Scanner. This tool allows you to search a specific web site or domain for known vulnerabilities and misconfigurations.

From an eWeek article:

“The open-source program comes with about 1,500 custom Google search queries embedded by default to run searches for vulnerable Web applications, misconfigured Web servers with open backdoors, sensitive user names and passwords, and other documents accidentally exposed on the Internet.”

From the cDc press release:

“It’s no big secret that the Web is the platform,” said cDc spokesmodel Oxblood Ruffin. “And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for web site owners to patch up their online properties. We’ve seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large web site, I’d be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious.”

Looks like they took Johnny Long’s “Google Dorks” search queries and put them into an automated tool. Very nice. Right now the tool only runs on Windows (.NET) but it looks like they will soon release it for other platforms. Nice to see all of these search queries put into a easy to use interface. Goolag Scanner and Maltego make fantastic additions to your pentest reconnaissance toolkit. You can download Goolag Scanner here.

“NOTACON, an annual conference held in Cleveland, Ohio, explores and showcases technologies, philosophy and creativity often overlooked at other “hacker cons”. Our desire is not to supplant other events, but complement them and strike a balance that has gone unnoticed in our community for far too long.

Events during Notacon run from Friday morning through Sunday afternoon. These include over 40 presentations, contests such as “Anything but Ethernet”, game shows, prize giveaways and a whole lot of who-knows-what. Anything can happen, and usually does. “

It’s also affordable! $50 gets you into the con for the whole weekend. Looks like they have some interesting talks planned including “Bagcam – How did TSA and/or the airlines manage to do that to your luggage?” and the “Exploit-Me Series: Firefox Plug-ins for Application Penetration Testing”.

Good post over at GNUCITIZEN today. They talk about how easy it would be for a hacker to social engineer their way into LinkedIn connections to get information about a potential business target, possibly even your company or business.

Social networking in general is very popular with security minded and non-security minded people. I use LinkedIn as well as many other security professionals because of the obvious career benefits. Even a gray hat/black hat hacker can use LinkedIn to further a legitimate career in the corporate world by getting a LinkedIn connection by doing a project for Hackers for Charity. It’s all about what you perceive your “personal risk” is associated with using a site like LinkedIn. The benefit may outweigh the risk in your case. Here are a few tips that you can do to help “minimize” your personal information exposure:

1. Do not make your LinkedIn profile public
2. Only accept connections from people you know and/or have personally worked with.

For example, if you own your own business you may want a public profile available to generate business. Again, this all depends on your personal risk assessment of your personal information.

I was listening to the latest Security Now podcast and Steve Gibson mentioned an interesting social engineering attack where some penetration testers were able to pose as employees just by listening to conference call and other telephone conversations across the street from the company facility. They used a police scanner dialed into the 800-900 Mhz range to pickup the signals of unsecured wireless headsets (very popular with many companies). There was also a very good article on this posted on Dark Reading that is a must read about this attack.

Another blogger from the Netherlands named Quzart will be posting an article on the revised c 99shell php script. Keep an eye out for it. Thanks Quzart!

So I was at the gym yesterday and noticed something that really bothered me….

As soon as I pulled into the gym parking lot I noticed that it was packed! Seems like everyone wanted to workout last night for some reason. So I grabbed my gym bag and went into the locker room to change. The locker room isn’t very big to begin with so I started to hunt for an open locker to drop my stuff into. Most every locker had a “Master Lock” brand combination or key lock. I finally found three lockers in a row that didn’t have locks. I opened up the first locker and it wasn’t empty. Someone’s cell phone, wallet, and ID all available for the taking. So I thought to myself, ok someone just forgot their lock right? I opened up the locker next to that one and saw another guys wallet and PDA just sitting there! No way…two in a row? Thinking that there is no way there would be three lockers in a row unsecured I opened up the third locker…what do you know…someones bag with car keys just sticking out of the bag. Amazing.

Lucky that I have some ethics and wouldn’t take someones stuff but the sad truth is that someone else could have easily stolen all of this stuff…wallets with credit cards, drivers license, PDA’s and cell phones all could be used for simple transactions or even worse identity theft.

Whats the lesson here? Buy yourself a lock! A Master Lock is like $3.99 (or cheaper). While you could crack one of these locks with very little effort, it does provide a good “deterrent” to prevent simple physical theft. At a busy gym someone might say something to you if you were trying to break a lock off by force, calculating magic numbers or by picking it!

Lock your stuff up at the gym…please!

As previously reported, the game save that exploits a vulnerability in the Twilight Princess game has been released. This exploit will potentially allow you to run unsigned code and eventually a ELF loader which will allow Linux to run on the Wii. All you need is a copy of Twilight Princess and an SD card to load the hacked game save file. This is the first time that the game save has been released with installation details.

Full instructions with video’s are available from the wiibrew.org web site.

Check out the IT Security Events Calendar here.

If you happened to miss Defcon 15 last year or if you were there and have wanted to catch up on presentations you may have missed…the audio and video podcasts are available for download through two RSS feeds. Great for listening on your iPod, iPhone, or PSP! Subscribe below:

Defcon 15 Audio RSS Link
Defcon 15 Video RSS Link

Supporting materials for Defcon 15 are available here.

Looking forward to another great Defcon 16 this year!

Did you know that you can order free identity theft materials from the Federal Trade Commission? The FTC has a really good program called “Deter, Detect, Defend” to help educate the public about identity theft. They offer free bulk orders of pamphlets, handouts, and other paraphernalia to distribute to your company, friends, family, etc…great if you want to get good material for a security awareness program to distribute. There is a ton of good material to order, not just about identity theft, but about social networking dangers and safe web browsing among many other topics (many computer security related topics).

They even have a pre-made pdf’s and PowerPoint slides that are complete and ready to download, great if you are conducting any speeches or talks about identity theft.

You can order this free material directly from the FTC’s web site here.

Big news from the TrueCrypt Foundation yesterday…the new version of TrueCrypt (v5.0) supports full disk encryption and/or encryption of the system partition using pre-boot authentication. In addition, Mac OS X support was added and a GUI interface for the Linux version is now included. From the TrueCrypt web site:

“TrueCrypt can on-the-fly encrypt a system partition or entire system drive, i.e. a partition or drive where Windows is installed and from which it boots (a TrueCrypt-encrypted system drive may also contain non-system partitions, which are encrypted as well).”

Full disk encryption only works for drives with Windows installed in this new version (including Vista). This is great news considering TrueCrypt is a free, open source encryption solution. Now there is no excuse for companies to deploy full disk encryption to laptops containing customer, employee, or other confidential data. I personally use TrueCrypt with my USB thumb drive and is simply the best mobile encryption solution I have ever used (and it’s free).

Stay tuned for my review of TrueCrypt’s full disk encryption in an upcoming article.

Download the new version of TrueCrypt here.

Why are they doing this? To see what the vulnerability landscape is with home routers. There has been recent vulnerabilities disclosed with some popular home routers as well as UPnP that is included as a “feature” in almost all newer home routers. If you plan to take part, please comment and share your findings…

Confused about all the different homebrew firmware that is available for the PSP? Want to know the history behind the homebrew community? Then you need to read this article which gives a great introduction to PSP homebrew.

From the pen testing side I require the testing team to document everything in at least some kind of document format like a text file to include time stamps to track when and what they did. Others find saving all the command shell activity to a file works just as well. It can be a pain when consolidating this data but having this documentation is better then tracking down who did what and when. As for process and procedure documentation I have just put everything in a centrally stored office document that the team can access. We can then track the revisions to this document by keeping it in this one location. Not a very sexy solution but it works for the team. One idea the team and I started to think about was putting together a Wiki (MediaWiki based) accessible to the team so each member could make updates and upload screen shots “on-the-fly”. I have used SharePoint, LiveLink, and Wiki’s for documentation in the past. The Wiki format seems to be the easiest to use and update.

One other thing to consider is how do you “securely” store all of this data (Wiki or not)? Our team stores this information on a encrypted file store (it was a strange third-party solution, nothing standard like TrueCrypt) but it can be difficult to access at times and tough to maintain the access control when team members come and go.

So how do others handle documentation as a pen test and/or security professional? Are you using a Wiki or other CMS type solution? What are some best practices regarding handling security documentation? Please add your comments and ideas…

Microsoft says that “there are a number of factors that make exploitation of this issue difficult and unlikely in real-world conditions”. However, researchers over at Immunity Inc. (these are the guys that make CANVAS, an automated pen testing product) demonstrated how this vulnerability could be exploited via this flash demo. Immunity only has released the exploit to it’s customers of the CANVAS product and admits that the exploit is not 100% reliable…yet. Now that everyone knows that an exploit is “possible”, it’s only a matter of time before someone releases working, reliable exploit code in the wild. Patch now!

“The latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits…”

This is a significant improvement for the Windows version and it looks like the amount of exploits available has increased. Looking forward to testing this out! You can download the new Metasploit Framework v3.1 here.

Both of these articles focused on the recent Geeks.com hack in which an undisclosed number of customers had personal and credit card data compromised. Geeks.com was a “HackerSafe” customer. However, note that the ScanAlert people mentioned the Geeks.com web site was “probably” hacked when they withdrew their “Hacker Safe” certification when they found vulnerabilities. How ironic…so how is a potential customer supposed to know that a web site one day is “Hacker Safe” and the next day it isn’t? By removing a logo temporarily? Perhaps during this “probable” period Geeks.com and ScanAlert should have changed the “Hacker Safe” logo to “Hackers- Safe to Hack”. Seems like a poor attempt from ScanAlert to do damage control.

Whats the lesson here? It may seem like a great marketing idea to call your site “Hacker Safe”…but in the long run…if you get hacked it will soon turn into a marketing disaster that your company will not want to face. Putting any kind of logo or certification declaring your site is secure is a bad idea.

Scary time to be a DSL/cable modem customer! With this and recent security issues with UPnP, now more then ever is the time to change that default password and disable UPnP. Luckily, these are all simple security measures that can easily fix the problem. However, who is going to teach customers who buy these routers how to properly secure them? The vendor? I doubt it. The ISP? Even more doubtful! It’s up to us as security professionals to spread the word about these dangers and to encourage good security practices with our non technical, non security minded friends and family.

I conduct social engineering tests on a regular basis and I can tell you from personal experience that it is just too easy to bypass security controls by talking your way in by coming up with a real good scenario. You will find that employees want to be helpful, almost too helpful at times…holding the door open for you so you don’t have to badge in, or giving complete strangers login credentials to applications are just a few examples. All it takes is someone with enough guts to look and play the part of a fellow employee to take advantage of human kindness that we all posses.

One thing that I advocate is to test your own employees. This does two things. First, it allows management to get an idea of how bad it really is! Seriously, once executive management sees the problem the easier it will be to communicate the issue with executive support. Secondly, it raises awareness with your employees..even if you target just a small segment of your employees. I would bet that the next time you conducted a social engineering exercise on that same segment, you would have different results. People always seem to remember when they were duped by someone else. Don’t forget that word about a social engineering “test” that was conducted spreads throughout the environment by word of mouth…all of this can be an advantage on the awareness front.

How do you test your own employees? Very carefully! Seriously, there may be many political boundaries that you will have to overcome which is all dependent on your company culture. Start with a small segment..like your own department if you are in Information Security! Yes, test your own people…you might be surprised by the results. A very low impact method to start with is to conduct a simple “phishing” simulation. Setup a simple web server and send out emails with embedded links to the web server you just configured. Track the results by parsing out the web server log of who clicked on the link. Strip out the IP’s so the results are anonymous in your report. You can then put together a quick awareness piece showing the high level statistics sent to everyone you targeted. Simple and effective.

The following is the continuation for “The Wardriving Experiment – Part 1“. To recap…I decided to setup a little wardriving experiment to really get an idea on how many people are still using WEP to secure their wireless access points. I also wanted to find out if people still setup a wireless network without encryption. Results in the following article are from a medium populated suburban neighborhood near a large city.

I drove in a approximate 6 mile area and was able to pick up 194 access points. Results were sampled a few months ago (unfortunately, I am just getting around to analyzing this data…busy life gets in the way!)

Equipment Used

PowerBook G4 running KisMac 0.21a
D-Link DWL-122 USB Wireless Adapter (version A1)
USGlobalSat BU-353 USB GPS (this is a cheap GPS you can find on eBay as well)

GPS and Wireless Adapter Setup

I took the GPS and placed it out the window of my car so I could get a good signal and I used a USB extender cable with the wireless adapter and secured it to my dashboard. Before I left my driveway, I made sure KisMac had my GPS coordinates and everything was working properly.

I must say, once I got the serial to USB drivers working, the GPS unit works extremely well! Not bad for a $50 GPS unit.

Laptop Setup

A good hint prior to wardriving is to disable the “sleep” function on you laptop. This is so you can close the lid on you laptop while you drive. Depending on the laws in your state, I have heard that driving with your laptop open is illegal! So, probably not a bad idea to do this. On OS X you do this by following the “Insomnia” instructions. This is a simple kernel extension to temporarily disable sleep mode on your Mac.

The Results

These results shouldn’t shock anyone but it does show that most people still do not secure their wireless networks. Keep in mind, I took out any ad-hoc networks so so these are all standard “access points”.

87 (45%) “Open” Unsecured Wireless Networks
71 (37%) Using WEP
36 (19%) Using WPA

Interesting to see that there was almost the same amount of WEP encrypted networks as there were “open” networks. Out of all 194 of these networks you also have to wonder how many of these WEP and WPA networks use easy to guess passwords, I would be willing to bet quite a few…perhaps 75% or more. Another reason to use a long passphrase when setting up your access point.

Next up in part 3, I will discuss wardriving in more detail to include some history, good websites for reference and some ethical things to consider if you decide to try wardriving, warbiking, or warwalking on your own.

“With the holiday season around me and the rampant orgy of consumer spending that was occurring nearby at one of the worlds largest shopping malls, I took it upon myself to conduct my own study of retail, and consumer wireless security during the busiest shopping time of the year. My target was West Edmonton Mall, one of the largest retail malls in the world.

Beyond the tenants of responsible disclosure, this report hopes to be a frank and frightening look at how poor retail security is during the 2007 holiday season”

I would say that the wireless security of the retailers in you local mall would probably have the same results..scary..especially after the media frenzy that took place after TJX. Check out his article…good stuff. I still have to post my results of my Wardriving experiment from a large suburban neighborhood…which also show some interesting results as well. Look for that soon!

Thomas over at De-ICE.net has just released the first disk in the more advanced “Level 2″ set of Live PenTest LiveCD scenarios.

The Level 2 disks are designed to be much more difficult then the Level 1 disks. There are no spoilers or hints provided and it won’t be easy to exploit the system (as in Metasploit won’t help you here). It is up to you to figure out a way to hack into the system. Here is your scenario:

“The scenario for this LiveCD is that you have been given an assignment to test a company’s 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency previous (or current) staff.”

Setting up a lab to run the disks is really easy…you can use VMware (Player or Workstation) or two old PC’s with a router/switch/dhcp server. Your “attack” machine is the Backtrack security distribution LiveCD. Everything you need to hack the Level 2 disk is included on the Backtrack distribution.

Disk Download and More Information
Download the Level 2 disk from MegaUpload (this location will change once the initial rush is over).

Read all the documentation in the PenTest LiveCD Wiki and participate in the de-ice.net forums if you have specific questions.

Nevertheless, UPnP is useless, right?
Wrong! UPnP hacking is extremely serious discipline which often lead to a catastrophic effect. The following is possible with UPnP:

* portforward internal services (ports) to the router external facing side (a.k.a poking holes into your firewall and/or network)
* portforward the router web administration interface to the external facing side.
* port forwarding to any external server located on the Internet, effectively turning your router into a zombie: the attacker can attack an Internet host via your router, thus hiding their IP address (not all routers are affected by this, but most are)
* change the DNS server settings so that next time when the victim visits bank.com, they actually end up on evil.com mascaraed as bank.com
* change the DNS server settings so that the next time when the victim updates theirs favorite Firefox extensions, they will end up downloading evil code from evil.com which will root their system.
* reset/change the administrative credentials
* reset/change the PPP settings
* reset/change the IP settings for all interfaces
* reset/change the WiFi settings
* terminate the connection

And these are just a small portion of the things you can do over UPnP.

If you have no need for UPnP…turn it off and disable it in your router!

The second was posted on GNUCITIZEN. Adrian mentions the following:

“Let’s think about it: who gives a darn about compromising your computer when you can change the DNS settings on most consumer routers without a password via UPnP? We’ve said it before here at GNUCITIZEN: people are stuck on the old-school mentality of rooting the user’s box. Things have changed. Your data is now online, your router is a computer much more insecure than your XP desktop that runs an AV + firewall and updates itself automatically on a regular basis…”

After reading the UPnP research on GNUCITIZEN and doing some on my own…this may be a new attack vector that perhaps Bruce may not be aware of yet? It’s some scary stuff…then again, Bruce probably has UPnP disabled on his router right? Or, perhaps Bruce’s commentary makes this quote from this site even more true:

“I don’t bother with WEP or WPA, I just got Bruce to autograph my wireless access point.”

<%image(20080111-bruce-schneier-3.jpg|300|300|The man!)%>

<%image(20080110-password_gorilla.jpg|112|123|Password Gorilla Logo)%>

I blogged about this great program that allows you to securely store your passwords on multiple computers. In doing some further research I found a program that is based off of Password Safe called “Password Gorilla“. I had been using the Java version of Password Safe both on my PC and Mac. One of the things that bothered me with the Java version is that it was sometimes slow and sluggish performance wise, on my Mac Password Safe was leaving weird .tmp files in my Documents folder, and I also wanted something I could easily put on a thumb drive (meaning the entire program) so I could get my passwords from any computer if I needed to.

I am happy to report that Password Gorilla is running off of my USB thumb drive (Password Gorilla for Windows is just a .exe file), with my password database on the same drive. When I want my passwords on my Mac, I plug the USB drive in and fire up the OS X version of Password Gorilla and open up my password database stored on my USB thumb drive. Very easy. There is also a Linux version (using tlckit) which I still need to try out. If anyone has played with Password Gorilla in Linux, please add your comments.

Good article over at Linux.com about how to secure your Linux laptop from a physical and data perspective (including hard disk encryption). I usually see a ton of articles about how to secure Windows and Mac laptops but not a lot on Linux. From the article:

“There are three problems with having a computer stolen: the loss of the machine, the loss of the information on it, and the possible security breach if that information includes sensitive information or client data. Each of those problems requires a different approach.”

The author talks about several different solutions around whole disk, separate partition, and USB encryption using solutions like dm-crypt and TrueCrypt. I am a personal fan of TrueCrypt and I have been using that to secure my data to a USB drive. There is also some good stuff on laptop tracking solutions for Linux. Don’t forget, one of the best deterrents…is to use a cable lock..yes, a cable lock can easily be cut but as a deterrent to physical theft it works pretty well.

“I (Richard) contacted several PR reps at TruTV and asked about Tiger Team’s future. One of them wrote back:

Thank you for your email and interest in Tiger Team. Tiger Team was a special and likely won’t be returning. Please let me know if I can assist you with anything else.“

Thats really too bad. I thought this was a great show! I guess I am biased however, since I am a penetration tester myself. The more I think about this I assume that the general public may think that the “tiger team” concept is a little over the top…as well as trying to find companies that want to go on the record that they got hacked and/or robbed. Oh well it was a great show while it lasted!

Leah Culver – Top 5 Female Hackers in Film History

Someone should put together a TV show “Top 5 Female Hackers”..my vote for #1 is Chloe O’Brian from 24.

<%image(20080104-24chloe_o_brian.jpg|284|198|Super Hacker Chloe O'Brian)%>

She’s the only one that could hack into the NSA database in under 5 minutes while redirecting CTU satellites for Jack.

“Historically, the vast majority of trojans, worms, and viruses have targeted the (Windows) PC. Attack and propagation methods may have grown more sophisticated, but the PC has remained the focus of most malware. According to a paper written by a team of researchers at Indiana University, however, this could change in the future. According to the team’s research, an attack that specifically targets wireless routers and spreads between them at any point where coverage overlaps could quickly and easily propagate throughout an entire city.”

Interesting if you think of the possibilities…a worm that uses default router login’s, unsecured wireless, and weak encryption keys…fun.

“Sears.com is distributing spyware that tracks all your Internet usage – including banking logins, email, and all other forms of Internet usage – all in the name of “community participation.” Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software (“the proxy”) on your system, all data transmitted to and from your system will be intercepted.”

How this still even possible with privacy laws and other regulations? Especially from a major retailer like Sears. Super scary stuff! Reminds me of the Sony Rootkit issue awhile back….check out the links below for more information on this.

Digg – Sears: Come see the softer side of spyware

Updates to the original blog posting from Benjamin.

More updates with full screen shots of the spyware installation.

“They were able to find encryption and decryption keys by doing full memory dumps at runtime over a custom serial interface. Using these keys, they were able to create a Wii ‘game’ that ran their own code (their demo happened to show live sensor/Wiimote information, amongst a few other things).”

So what does this mean? Hopefully you will be able to run homebrew via custom firmware, emulators, and even launch programs from a SD card…perhaps even a Linux Channel a some point?

Here is an interview with one of the hackers and a link to the YouTube video of the demo.

Centralized
Hackerpedia is an attempt to share knowledge in an easy-to-read format. Certainly, there is a lot of information gathered within various forums, but none of it is centralized.

Hacker-specific
While there are other wikipedias, Hackerpedia focuses on information from a hacker perspective. While others may have entries for Nepenthes, here you won’t find anything on plants.

All things to all people
Designed for beginner and expert alike, there is something for everyone.

I know I haven’t found anything quite like this out on the net and usually finding pen test related information can be a tedious experience. As with any new community, this needs lots of volunteers to get the word out and to get pen test and security professionals to contribute content to the wiki. I would love to see this take off and become a great resource for pen testers.

What can you do?
Please help spread the word about this resource by linking to the Hackerpedia and contributing content! Hopefully the community will quickly grow around this project.

You can watch the episodes via CourtTV. There are also Torrents available…

I came across a good interview with Johnny Long over on Computer Defense this morning. If you don’t know who Johnny Long is…well…he is pretty well known in the hacker and security community. More about him on his web site and by doing some Google searches (he wrote a very good book called “Google Hacking” BTW).

Anyway, when I was at Defcon 15 this past summer I sat in on his “No Tech Hacking” presentation and remember Johnny talking about a charity organization that he started called “I Hack Charities” or better known as “Hackers for Charity”. While honestly at the time I was more interested in the talk he was about to give, I had thought that this was a really cool idea. Hackers for Charity basically gives hackers an outlet to use their skills for good and to also help build their resumes. Basically, you help them out with a technical project, they will give you a job reference (via a LinkedIn connection and resume reference). In addition, Hackers for Charity accepts all sorts of donations from old hardware to swag you may have been collecting over the years from all those security conferences (I know I have tons of this stuff). They collect this swag and send it to needy people over in Africa and other underdeveloped countries. I am thinking about getting all my co-workers to dig out all of their swag and we could send them a big box of this stuff…think of the possibilities if several big corporations did the same thing…something we should all think about.

Great stuff, right? How can you get involved? Check out the web site here. Sign up for the mailing list here. You can donate time, money, swag, or any skill set that you may have. They are even looking for people with soft skills as well (business, management, etc…). Let’s help spread the word and get other security professionals to support this worthy cause.