Just like previous years, there are some really cool events you need to attend including Whose Slide is it Anyway, the Friday night experience and Blockparty!  This year the lock picking village is sponsored by Cleveland Locksport and be sure to check out Deviant Ollam’s new challenge the Defiant Box. Security Justice will also have a live show at 11pm Friday night in the Notacon Radio room. As for talks, this years lineup looks great!  Here are my picks of talks to attend this year:

Friday
Mick Douglas (from PaulDotCom Security Weekly) – U R Doin it Wrong Info Disclosure over P2P Networks
Tiffany Rad – Hacking Your Car: Reverse Engineering Protocols, Legalities and the Right to Repair Act
Brad Smith – Stealing from God!
Emily Schooley – Independent Filmmaking – Bringing Your Ideas from Paper to the Screen, and Everything in Between
Nicolle “rogueclown” Neulist – Hey, Don’t Call That Guy A Noob: Toward a More Welcoming Hacker Community
int eighty – Malicious PDF Analysis
catfood – Why Your Software Project Sucks (and how to make it not suck)
Dead Addict – Hidden Trust relationships, an exploration
Jeff “ghostnomad” Kirsch – The Haiku of Security: Complexity through Simplicity
David Kennedy (rel1k) – The Social-Engineering Toolkit (SET) – Putting cool back into SE

Saturday
Adrian Crenshaw (IronGeek) – Anti-forensics
James Arlen, Chris Clymer, Mick Douglas, and Brandon Knight – Social Engineering Security Into Your Business
James Arlen, Leigh Honeywell, Tiffany Rad and Jillian Loslo – Hacking The Future: Weaponizing the Next Generation
Melissa Barron – Hacking 73H 0r3g0n 7r41L for the Apple ][
Tom Eston, Chris Clymer, Matthew Neely, The Confused Greenies – Surviving the Zombie Apocalypse (did you see our preview?)
James Arlen – SCADA and ICS for Security Experts: How to avoid cyberdouchery
Eleanor Saitta – Designing the Future of Sex

Also on Saturday night don’t miss Dual Core at 8pm!  I’ll be around at the con hanging out so if you see me stop and say Hi.  See you there!

What I find fascinating (like most things in security) is that now that there has been a real confirmed case of using Twitter for botnet C2 (Command & Control) the media seems to be jumping on it and even trying to determine “why it took so long for hackers to take Twitter to the dark side”.  Well, you can’t say we didn’t warn you.

The point that Robin, myself and others were trying to make way back in April was that this is a real threat and the bad guys have probably started to use Twitter for C2 even before Robin put out the code!  We were hoping that by releasing the code Twitter (and others) would see this as perhaps an early warning of things to come and perhaps prepare some defense for it (yes, we know it’s hard to put a defense together for something like this).  Now that we have a confirmed case used for malicious purposes we hope Twitter takes this seriously and can combat future C2 channels used for very bad things.  It always takes something bad to happen to create change…where have you heard that before?

You can download the slide deck from SlideShare that was in the DEFCON 17 CD.  We plan on giving the talk a few more times in the next few months so we don’t plan to release the full version of the slide deck yet.  However, we will post the video as soon as we get it.  The slides on the DEFCON CD are mostly text…no cool Zombie graphics (thanks to @JaneDelay for the Photoshop work BTW) but it should give you a good overview of the talk.

Robin Wood’s fantastic tool called KreiosC2 was also released during our talk.  I did a demo which is posted here and talked a lot about how the PoC code functions.  If you don’t know already…KreiosC2 is a tool written in Ruby which allows IRC like command and control of systems over Twitter.  Very cool!  Also, check out the redesign of Robin’s website.  Awesome.  Make sure you follow Robin on Twitter!  He is one you need to follow!

DEFCON was awesome as usual!  Lot’s of people this year..perhaps an increase from last year and of course the usual hijinks.  It was awesome catching up with everyone and meeting new people.  I attended lots of great talks including the “DEFCON Security Jam 2: The Fails Keep on Coming“.  This was one that you should see the video for…especially the presentations by @haxorthematrix and @myrcurial.  Speaking of @mycurial…you really need to see the awesome yet scary presentation that @myrcurial and @TiffanyRad did on Sunday titled “Your Mind: Legal Status, Rights and Securing Yourself“.  I highly recommend this talk!

The podcasters meetup was also a success!  Thanks to @pauldotcom for hosting and for throwing such an awesome party this year and a shout out to the guys over at I-Hacked.com!  The audio will be posted soon, probably over at the Security Justice site.

Pictures will be posted soon!  Still trying to recover from Vegas!

My part of the talk is focused on security and privacy concerns with social networks, fake accounts, using social networks for penetration testing and the proliferation of bots on social networks.  I will also be talking about a new version of Robin Wood’s fantastic “Twitterbot” (we actually have a new name for the tool which will be announced at DefCon).  I’ll be providing a live demo showing the new and improved features of his tool!  Big shoutout to Robin for all the work he did on this tool!

The other speaker is Kevin Johnson who you may know as the project lead for BASE and SamuraiWTF (Web Testing Framework).  Kevin is also a SANS instructor for Security 542 (Web App Penetration Testing and Ethical Hacking).  When he isnt managing projects and teaching he’s most likely abusing “playing with” social networks.  Kevin will be talking about SocialButterfly which is an application that can leverage and exploit various social network API’s.  He will also talk about manipulating social networks (and thier users) with third-party applications.  Remember: please accept any and all “friend requests” from Kevin Johnson!

From our talk abstract:

In Social Zombies: Your Friends want to eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues.

This presentation begins by discussing how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests.

The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined.

Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions.

Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.

How did this talk come together?  Kevin and I had some past converations regarding social network bots (mostly from my Notacon 6 talk) and decided that much of our research was similar so it made sense to “combine forces” to work on some of this research together.  Also, by working on bots and socnet bot delivery mechinisms we hope to raise awareness about some of the security and privacy threats that are out there, not just for the users of social networks.  Oh, and we both like Zombies.  See you at DefCon!

UPDATE: Ummm…someone *may* have hacked the Windows kiosks at the hotel…saw Ubuntu loading on one and Howard the Duck playing on another…probably shouldn’t use those kiosks, huh?

Anyway, I thought I would share some first impressions of the talks and what I will probably attend. Keep in mind, there are lots of great talks going on all weekend and it will be really hard to make all the ones I want to see but here is my short list of not to miss talks:

Friday, February 6th

Open Vulture – Scavenging the Friendly Skies Open Source UAV Platform
Ethan O’Toole and Matt Davis

An open source UAV? How friggin’ sweet is that? Now you too can spy on your own neighborhood…

Building the 2008 and 2009 ShmooBall Launchers
Larry Pesce and David Lauer

Of course I will be in this one! Dave from Security Justice and Larry from PaulDotCom will be talking all about the new ShmooBall launchers for this year. Dave and Larry never disappoint and I assume there will be some surprises as well.

Decoding the SmartKey
Shane Lawson

I love physical security just about as much as information security so this one should be interesting. Shane will talk about how to decode the Kwikset SmartKey with materials costing under $5.

Podcasters Meetup/HacDC party

I will be there along with Matt and Dave from Security Justice. Looks like we are going to do a live show at 8pm, give away some prizes, start FireTalks then party with the folks from HacDC. Check out the podcasters meetup site for more details on times and official schedule.

Saturday, February 7th

Radio Reconnaissance in Penetration Testing – All Your RF Are Belong to Us
Matt Neely

My friend and fellow co-host of the Security Justice podcast, Matt Neely is doing a talk on ways to use radio reconnaissance in pentests. Matt does a ton of research with wireless so it should be really interesting to see what new techniques he has come up with. I hear that Shmoo Balls may be launched during this talk….

Fail 2.0: Further Musings on Attacking Social Networks
Nathan Hamiel and Shawn Moyer

I was at BlackHat last year and saw Nathan and Shawn’s talk titled “Satan is on my friends list”. These guys do great research on social network security and I am looking forward to see the new stuff they came up with for this year. As a bonus, they should have AFF (Adult Friend Finder) pr0n and related adventures.

Man in the Middling Everything with The Middler
Jay Beale

Jay Beale is speaking once again about the Middler! You may remember the Middler was to be released at Defcon last year…that didn’t happen for a bunch of reasons. However, I think Jay will finally be ready to release it! Jay is a great presenter to boot..highly recommended you attend this one. Another talk to beware of Shmoo Ball cannon fire…

802.11 ObgYn or “Spread Your Spectrum“
Rick Farina

All Your Packets are Belong To Us: Attacking Backbone Technologies
Enno Rey and Daniel Mende

The Fast-Track Suite: Advanced Penetration Techniques Made Easy
David Kennedy

You may remember Dave from one of the first Security Justice Special Editions last year. Dave will be going in depth with the Fast-Track suite which is part of Backtrack 3. Knowing Dave, I’m sure he will be talking about and/or demoing new features in Backtrack 4. Shmoo Ball cannon may make an appearance…

Sunday, February 8th

Enough with the Insanity: Dictionary Based Rainbow Tables
Matt Weir

Yes! Improvements to rainbow tables…can’t wait!

RFID Unplugged
3ric Johanson

Looks like RFID is going to torn apart in this one…good stuff! Interested in the PayPass vulnerabilities he is going to talk about.

0wn the Con
The Shmoo Group

What to know what it takes to put ShmooCon together? Be sure to check out this talk and learn how it’s all done.

If you are around the con send me a tweet on Twitter or stop by the Podcasters Meetup if you want to chat! Hoping I can blog and/or live Tweet from some of the talks.

While these types of attacks are not new…it goes to show that this can happen to anyone, even high profile security professionals. Not much is known yet on how these attacks happened but I am willing to bet that common and/or weak passwords were part of the attacks in some way. Think about all the passwords you have…do you have the same one for everything? If you are a blogger or manage a web site think about the last time you changed the password you use for your domain registration (yeah..that was a long time ago right?)! Add to the fact that these passwords may not be very complex and you have a potentially dangerous situation.

Close to two years ago I started using a password manager and it has been one of the best things I have done to help sort out the password mess. Password managers are great…but you can still get lazy. We all have the lazy bug…especially with online forums and web sites. One idea that I learned to help combat this was to have a “throw away” password that you can easily remember (yet still somewhat complex) for things on the web that you wouldn’t care if they were compromised. Everything else…use the password manager and make sure you use a long (> 20 character) randomly generated password for each application. Keep in mind that 20 characters may be too long for certain web sites or applications. Case in point…LinkedIn has a limitation of 16 (I found this out the hard way). Sure, it’s a pain in the ass to use a password manager but in the end…it’s well worth the extra work.

So what password manager to use? I did a few posts a long time ago about two of them. However, over the years I have migrated everything over to KeePass and KeePassX (for OS X). Since I use multiple computers with different OS’s (and a Blackberry)…KeyPass is the only one that I found that can be easily used on multiple platforms. There are also a TON of great plugins. Add to the fact that it’s free…it’s tough to find a more robust solution.

So yes, go for it! These targeted attacks should remind you that it’s a good time to change those passwords to something complex and unique. Don’t forget to use a password manager to help you out!

“Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn’t work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.”

As part of his plan he also:

“…engineered a tracing system to monitor what other administrators were saying and doing related to his personnel case, law enforcement officials said. “

As of right now all other administrators are locked out of the system and he has the only password! I also saw on CNN today that he still won’t give up the password when a judge asked him in court today. Awesome…so how does this happen? While exact details still are not clear…lack of proper controls, proper monitoring of privileged users, oversight, separation of duties…are just a few things that comes to mind.

This should be a reminder for the corporate world that all privileged users (network administrators in this case) should be held to a higher standard then other users on the network. Thus, need more oversight and monitoring. Hopefully the city can get the password cracked or the guy eventually gives it up.

If you saw Johnny Long’s “No Tech Hacking” presentation then you will probably remember the line “What does a hacker see?” as Johnny pointed out items in pictures that wouldn’t be a big deal to the average person but to a hacker this information becomes extremely valuable.

Russell Handorf who wrote the article on Bloginfosec also put together a pretty cool quiz that you can take online to see if you can recognize some typical and not so typical sounds from various computing devices. I would be interested in hearing more about cell phone defaults…for example, does your phone have a default sound for Bluetooth sync? Like Russell mentioned in his article, it is pretty easy to use a tool like hcidump or the soon to be released BTfind which will help identify and enumerate found Bluetooth devices.

Next time you are at a conference, on the bus, train or at your local coffee shop pay attention and listen…you might be amazed at what you hear.

I have been closely following the news that I blogged about last week regarding 1st Source bank of Indiana that fell victim to a pretty serious security breach. 1st Source ended up reissuing their entire credit card portfolio to their customer base.

The latest news is that other banks in the Indiana area are now reporting that their customers are reporting fraudulent transactions. The link is that all of these other bank customers used 1st Source ATM’s around the same time the breach happened. From the IHT article:

“Bank officials said the victims they know of appear to have all used 1st Source Bank ATMs during the first 10 days of May. James Seitz, 1st Source senior vice president, said officials from his bank met with officials from other financial institutions on Wednesday to discuss the situation.

A security consulting firm alerted 1st Source about a computer breach on May 12. The bank shut down its computer system and contacted authorities. Two weeks ago, 1st Source sent letters to customers asking them to monitor their accounts for suspicious activity.”

I’m starting to suspect that the ATM’s themselves were compromised or the bank’s back end servers were compromised as well. From what I know about PIN storage, the PIN information in Track 2 data (this is the data that was reported stolen) on a credit/debit card does not have to be encrypted (however it can be, just not required by the ISO standard) so either a card “skimmer” device was used (physically attached to the outside of the ATM’s) or this Track 2 data was pulled off the wire perhaps using a network sniffer installed on the ATM’s. It could be similar to the Dave & Busters security breach that happened a few months ago. Whatever method was used, it was enough to replay this data to a bunch of fake ATM cards and start withdrawing cash and/or charging items from locations overseas. Hopefully the public gets to find out what really happened once 1st Source get’s their act together.

Interesting story that hit the wire last week about another bank security breach. This time 1st Source Bank of South Bend Indiana became the next victim of stolen debit card data. Not a ton of details have emerged yet but we do know the following:

1. A external monitoring service (an MSSP perhaps?) or hired security consultants (doing a pen test?) detected an unusual amount of data leaving one of the banks servers.

2. The bank notified law-enforcement authorities and hired outside forensic firms (aka: security incident response consultants) to analyze the breach.

3. Track 2 data was compromised. Track 2 data contains the cardholder account number, PIN, plus other discretionary data. Note that the ISO standard does not mention that the PIN has to be encrypted. Only Track 1 data requires it. This may make a replay attack (encoding a fake debit card and using it in ATM transactions with this information) possible.

4. The bank is reissuing all debit cards in it’s portfolio and is offering to pay for “Deluxe ID TheftBlock” – at $4.95 a month for one year for any customer who requests the service.

These quotes from the bank are classic:

The bank also is monitoring automated teller machine transactions “minute by minute” to stop unauthorized activity. But even if the efforts fail, account holders won’t suffer, Seitz said.

“We’re certainly not holding any of our customers financially responsible for any transactions related to this breach,” he said.

and….

“Actually, our customers have been very understanding,” he said. “Obviously, this is something that puts a little stress on that relationship.”

Really…are you kidding me? Also note that they have yet to publicly announce an official statement on their web site about the security breach. Actually, nowhere on their web site mentions anything about the breach (however, they mention lots of interesting stuff about a recent merger with another bank beginning on June 9th…so they are updating the web site regularly). Clearly this is an attempt to make this security breach out to be “no big deal” to the general public.

So who’s really to blame? The bank is of course! Personally, I would rather have my bank be honest and up front with me about a security breach instead of delayed announcements (nothing was sent to customers until two weeks after the breach) and talk about how customers will be “understanding”. Clearly there are major security and customer service issues at this bank. Current 1st Source customers should bail out ASAP!

“KRYOGENICS Defiant and EBK RoXed Comcast, sHouTz to VIRUS Warlock elul21 coll1er seven.”

Here’s the best part (from the Wired article):

Network Solutions spokeswoman Susan Wade disputes the hackers’ account. “We now know that it was nothing on our end,” she says. “There was no breach in our system or social engineering situation on our end.”

Deny, deny, deny….not surprised at this response since it makes providers like Network Solutions look really bad. Sooner or later all the details about how these guys did it will come out…then the truth will be told.

In the meantime…what can you do to prevent your site from being the next Comcast? Believe it or not…Network Solutions actually has a few good suggestions! Note: this was apparently posted after the Comcast domain hijacking incident…hmmmm…coincidence or not?

Seriously though. I don’t blame Network Solutions entirely as many companies forget that domain registrations require maintenance and regular review of the security controls around them. By the way, the Wired article that I mentioned above is a great read…and probably the best article currently out there on the hijack.

“Problem solved. Someone is ARP poisoning the IP address of the router on which the www.metasploit.com server resides.
I hardcoded an ARP entry for the real router and that seems to solve the MITM issue. It doesn’t help the other 250 servers
on that network, but thats an issue for the ISP to resolve…”

Sucks to be those other 250 servers! This hacker should have brought his a-game if he really wanted take on HD Moore…FAIL!

According to 2600 News, 1,500 attendees of this years Last HOPE (Hackers On Planet Earth) hacker conference will be tracked via RFID in a large social experiment which will include games focused on RFID technology. From the press release:

“Players will seek ways to protect their privacy, find vulnerabilities in the tracking system, employ data mining techniques to learn more about other participants, and choose how much personal information they will disclose in order to play.”

Cool stuff…if you are into being tracked via RFID! It should be interesting to see some of the results of this experiment from the conference attendees and to see some cool hacks to gather RFID data and ways to protect your privacy. I did an article on RFID awhile back talking about ways to protect your identity using credit card “shields”.

The Last HOPE takes place July 18 to July 20, 2008 at the Hotel Pennsylvania in New York City.

Brain Salcedo was convicted back in 2004 of hacking the Lowe’s (a national home improvement retail chain) computer network through an unsecured wireless network. Brian and his partner found the unsecured wireless network while Wardriving. Brian’s plan was to eventually tap in and siphon off millions of credit card’s through a backdoor installed in a proprietary Lowe’s program called “tcpcredit” that Brian and his partner had modified.

Brian is currently serving out a nine year prison term even though there is no evidence that he even saw one credit card number (note that the longest federal sentence for a hacking offense was the 68 months imposed on Kevin Mitnick). During the investigation only six credit card numbers were found in the file that was created from the modified “tcpcredit” program. Ironically enough Brian seems to blame lack of fame and notoriety as to why he did what he did (he mentions the felony he was on probation for before the Lowe’s hack):

“It took awhile to work out the dilemma then consuming my head. Why did those around me get acclaim for exposing security flaws? They got hired, I was convicted of a felony. What was I doing wrong? After what seemed like a lifetime absence from computers, I decided to renege on my commitment to stay away from it and I simply relapsed into this all-out cracking binge.”

Two years later enter TJX …

Back in November of 2006 TJX disclosed that there was about 17 months of unauthorized network access resulting in the compromise of 46 million credit card accounts. To date this is the largest single breach of personal data in history. How did the TJX breach happen? Almost the same way Lowe’s got hacked…lack of wireless security. In this case TJX was using WEP which is known to be extremely vulnerable to attack. Of course there were other vulnerabilities that had to be exploited on the internal TJX LAN but the wireless network was the start. As we all know, it only takes one vulnerability to potentially bring down a network.

Two more years later enter Dave & Buster’s and Hannaford…

Just today, it was announced that Dave and Buster’s was victim to a data breach that resulted in bank losses of up to $600,000. This time apparently the attackers used “social engineering” to install packet sniffers to obtain credit card information. That’s right…social engineering. Ironically, one of the accused was apparently involved in the TJX breach (I could only find one source on this). Hopefully we find out more details in coming days about how this social engineering attack took place.

The Hannaford Supermarket breach resulted in 4.2 million credit card numbers being compromised just this year. The attackers had apparently planted malware on the servers at each of the 294 affected stores. This malware apparently sent the compromised data overseas.

While details about all of these intrusions are still coming out, one can start to see the similarities with Lowe’s, TJX, Dave & Busters and Hannaford.

Lessons Learned:

- Wireless is dangerous for retail if not properly secured. Now that WPA2 is widely available there is no reason that a retailer should not use WPA2. Interesting to note that I have reliable sources tell me that other major retailers are still using WEP to secure their wireless networks…and it’s 2008!

- Stealing data in transit within an internal company network is the new hotness! Most of this information is unencrypted until it gets to the database. In many cases it’s rather trivial to get this level of access (administrator rights on a workstation or server) to install a packet sniffer once you are on the internal network.

- Social engineering is on the rise! I wouldn’t be surprised if all it took was a simple phone call from “the IT guy” asking a store manager to install a new piece of software in the case of Dave & Busters (or Hannaford, you never know).

- If you are a criminal thinking about doing the same thing…it’s only a matter of time, you will most likely be caught and if you are a US citizen prepare to get the book thrown at you like what happened to Brian Salcedo.

- Finally, as a company don’t put all your eggs in the PCI basket! Just because you are certified PCI compliant (Hannaford) doesn’t mean you are secure!

“Wow and amaze your friends by magically unlocking a Windows PC without a password!”

While this seems like a fun thing to do at your next party to impress the ladies (ladies that like geeks and slick python scripting of course!)…the truth is that it’s a pretty serious issue. I have to hand it to the the creator of winlockpwn (Adam Boileau aka: Metlstorm) for having such a cool sense of humor about the whole thing and all the media attention he has gotten (he got “slashdotted” when he released the script). On his web site he mentions that “it’s a pity to write code and have no one use it”. Adam, we totally agree!

The No Tech Hacking Phenomenon
Attackers will always use the easiest way to gain access to the network, obtain confidential information, trade secrets, whatever. Since the majority of companies and organizations are locking down their networks it’s becoming more and more popular to use social engineering to bypass physical security controls to gain access to the network. This is called the “No Tech Hacking” phenomenon which is recently popularized by Johnny Long and his book which was recently released (Johnny also gives a great talk on the same topic). No tech hacking involves things like social engineering, dumpster diving, shoulder surfing, tailgating, people watching, etc…I won’t go into a ton of detail about this, read his book if you want to know more. The FireWire authentication bypass hack adds one more tool to the mix in which once you have physical access to a location and a computer, it is almost always game over. Sure, there are other attacks you could do like pop a bootable CD to change the admin password (this is assuming they are not using pre-boot authentication with hard drive encryption), or try and exploit another vulnerability, however, combine the FireWire attack with “no tech” hacking techniques, it just got easier for an organization to get pwned.

Demos and information about winlockpwn
I decided to try winlockpwn out on my own to see how easy it really is. There are a ton of articles out there already but few give you all the details about where this hack originated from and why this isn’t a Microsoft specific issue. There are even videos up on YouTube demonstrating this. I was going to do the same type of demo but felt that screen shots would be just fine. To add to the twisted irony of all this I did record a video demo but couldn’t find my 4-pin to 6-pin FireWire cable to hook up to my Mac to edit the video! Had a 6-pin to 6-pin of course…silly cables. Anyway, lets get right to it and talk about the background of the winlockpwn script and how all of this came about.

Where did winlockpwn come from?
Back in 2006 at the RUXCON convention security researcher Adam Boileau gave a talk called “Hit By A Bus: Physical Access Attacks With FireWire” which was about a “feature” with FireWire that if memory was accessed properly it would bypass Windows authentication. However, the code wasn’t released and according to Adam this was because “Microsoft was a little cagey about exactly whether FireWire memory access was a real security issue or not and we didn’t want to cause any real trouble”. Thats funny…Microsoft being “cagey” about something? More recently, because of the release of a video and paper detailing the “Cold Boot Attack” by a team of Princeton University researchers Adam felt that it was time to release his script (with a little coaxing from the Risky Business podcast folks.

Not a Microsoft Issue!
The inherent issue with FireWire is built into the OHCI 1394 specification. It is important to note that this issue is not a Microsoft problem…rather it’s a “feature” with how FireWire technology requires direct access to the memory of the computer. This is how it’s designed and one of the reasons FireWire is as fast as it is.

How does the attack work?
In its simplest form, the authentication bypass attack involves having two PC’s. The target PC must be running Windows 2000/XP or Vista with FireWire ports (either built in or through a removable PCMCIA FireWire Card) and “locked”. The attacking PC must be running a Linux/Unix variant loaded with the pythonraw1394 library bindings, a romtool (to escentially make your FireWire card an Apple iPod), and the winlockpwn.py script. What makes this attack easy is that you can use a Linux bootable forensics LiveCD called Helix (v1.9) which already has the pythonraw1394 library bindings and the romtool installed. When using the Helix (v1.9) LiveCD all you need is to download the winlockpwn.py script and run the romtool which will emulate the attackers FireWire port as an Apple iPod. To the target machine, it will look like a FireWire Apple iPod is being connected in the Windows device manager. Let the fun begin!

I want to note that not only can you use winlockpwn to unlock a PC but you can also use a tool called 1394memimage which will dump the physical memory of the victim PC to a USB drive. This could be even more valuable since you can then run “strings” and search for anything interesting (passwords, login information, etc…). I won’t go into the details about 1394memimage (and I have yet to try this) but you basically use the same method that I will describe but when you get to the step to run winlockpwn, use 1394memimage. Here is a good, detailed article about this process.

Steps to demo the attack
It might be a good idea to demo this to your management and/or clients so I put together a little demo. Below is my lab setup:

- Desktop with a PCI FireWire Card running fully patched Windows XP SP2 (the victim)
- Laptop with a PCMCIA FireWire card (generic FireWire card, you can find a ton of these on eBay) booted with the Helix LiveCD (v1.9)
- 6-pin to 6-pin FireWire Cable
- USB Thumb Drive w/winlockpwn.py script

1. Boot the laptop with the Helix LiveCD. Next, “lock” the victim desktop. Copy the winlockpwn.py script to the correct directory on the laptop:

cp winlockpwn.py /usr/local/pythonraw1394

2. Connect the 6-pin to 6-pin FireWire cable to both PC’s.

3. Load the FireWire bindings and run ./businfo to see if it is loaded (should be port 0).

modprobe raw1394
./businfo

Click here for a screen shot of this.

4. Reprogram the CSR to mimic an Apple iPod. Run ./businfo again to see if the firewire card now emulates an iPod:

./romtool s 0 ipod.csr
./businfo

Click here to see what businfo looks like with the iPod emulation.

5. Waited for a few seconds for the FireWire/iPod drivers to load on the victim desktop. Finally, run winlockpwn.py. Run winlockpwn with no parameters to see all the options. There are several (one will actually allow you to spawn a command shell right at the login screen!). For this demo, we are just using option 2 (regular non-fast-user-switching). The 0 and the 1 are the port and the node.

./winlockpwn.py 0 1 2

Click here to see what happens when winlockpwn is successful!

6. Press CTRL-ALT-DEL on the victim desktop. You will get a an error message box about an incorrect password. Don’t worry about it and press ENTER. You will then be logged into the Windows desktop, bypassing authentication! Note that you can now lock/unlock the computer as many times as you want as the memory of the machine is “snarfed” until a reboot. Also, something to note is that if you want to do the demo again make sure you uninstall the FireWire drivers that loaded in the Windows device manager before rebooting the box. If not, you will probably have problems getting the hack to work again.

How to protect yourself from winlockpwn?
Well for starters, don’t loose physical access to your PC! That sounds obvious but it goes back to the fact that once an attacker has physical access to your PC it’s pretty much over regardless. However, here are some tips that myself and others are suggesting. Keep in mind, most of these can be circumvented, however a “defense in depth” strategy is always the best way to go:

- Ensure that all sensitive laptops/desktops are using whole disk encryption software with a pre-boot password.
- Disable the standby feature and also hibernate.
- Disable unused ports in the BIOS including bootable USB devices.
- Disable the PCMCIA slots in the Windows device manager (this may cause more problems then it’s worth).
- Don’t purchase laptops/desktops with FireWire ports (do you really need FireWire when you have USB ports?).
- Always secure laptops physically with a cable lock when unattended (depending on your environment).
- Mandate that users shut down their PC’s if they are going to leave a PC unattended for a long period of time.

If you have any more suggestions let us know in the comments.

Some highlights of this issue include an interesting “prophile” on a hacker named “The Unix Terrorrist (the_uT)”, Stealth hooking : Another way to subvert the Windows kernel, and Hacking the $49 Wifi Finder.

This isn’t breaking news by any means. There are hackers all over the world trying to do the same things that they are, and they are not necessarily in China. I would bet that this group is nothing more then a bunch of script kiddies just looking for the attention of the US media. Sure, there are vulnerabilities in many, many web sites…some of them even high profile, however, I have my doubts that these guys have serious “skills” given the fact that they have a web site with over 10,000 registered users that distributes hacking software. The site “offers tools, articles, news and flash tutorials about hacking”. Anyone can run a tool or copy a script…what makes these guys so different? How can you really prove that the Chinese government even paid these guys to hack into the Pentagon?

Never fear…this is just media hype over US/Chinese relations and the potential “cyber war”. I am sure this won’t be the last either from these big media organizations.

The infamous Cult of the Dead Cow (cDc) has released a very cool Google vulnerability scanner called Goolag Scanner. This tool allows you to search a specific web site or domain for known vulnerabilities and misconfigurations.

From an eWeek article:

“The open-source program comes with about 1,500 custom Google search queries embedded by default to run searches for vulnerable Web applications, misconfigured Web servers with open backdoors, sensitive user names and passwords, and other documents accidentally exposed on the Internet.”

From the cDc press release:

“It’s no big secret that the Web is the platform,” said cDc spokesmodel Oxblood Ruffin. “And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for web site owners to patch up their online properties. We’ve seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large web site, I’d be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious.”

Looks like they took Johnny Long’s “Google Dorks” search queries and put them into an automated tool. Very nice. Right now the tool only runs on Windows (.NET) but it looks like they will soon release it for other platforms. Nice to see all of these search queries put into a easy to use interface. Goolag Scanner and Maltego make fantastic additions to your pentest reconnaissance toolkit. You can download Goolag Scanner here.

“NOTACON, an annual conference held in Cleveland, Ohio, explores and showcases technologies, philosophy and creativity often overlooked at other “hacker cons”. Our desire is not to supplant other events, but complement them and strike a balance that has gone unnoticed in our community for far too long.

Events during Notacon run from Friday morning through Sunday afternoon. These include over 40 presentations, contests such as “Anything but Ethernet”, game shows, prize giveaways and a whole lot of who-knows-what. Anything can happen, and usually does. “

It’s also affordable! $50 gets you into the con for the whole weekend. Looks like they have some interesting talks planned including “Bagcam – How did TSA and/or the airlines manage to do that to your luggage?” and the “Exploit-Me Series: Firefox Plug-ins for Application Penetration Testing”.

If you happened to miss Defcon 15 last year or if you were there and have wanted to catch up on presentations you may have missed…the audio and video podcasts are available for download through two RSS feeds. Great for listening on your iPod, iPhone, or PSP! Subscribe below:

Defcon 15 Audio RSS Link
Defcon 15 Video RSS Link

Supporting materials for Defcon 15 are available here.

Looking forward to another great Defcon 16 this year!

Why are they doing this? To see what the vulnerability landscape is with home routers. There has been recent vulnerabilities disclosed with some popular home routers as well as UPnP that is included as a “feature” in almost all newer home routers. If you plan to take part, please comment and share your findings…

Both of these articles focused on the recent Geeks.com hack in which an undisclosed number of customers had personal and credit card data compromised. Geeks.com was a “HackerSafe” customer. However, note that the ScanAlert people mentioned the Geeks.com web site was “probably” hacked when they withdrew their “Hacker Safe” certification when they found vulnerabilities. How ironic…so how is a potential customer supposed to know that a web site one day is “Hacker Safe” and the next day it isn’t? By removing a logo temporarily? Perhaps during this “probable” period Geeks.com and ScanAlert should have changed the “Hacker Safe” logo to “Hackers- Safe to Hack”. Seems like a poor attempt from ScanAlert to do damage control.

Whats the lesson here? It may seem like a great marketing idea to call your site “Hacker Safe”…but in the long run…if you get hacked it will soon turn into a marketing disaster that your company will not want to face. Putting any kind of logo or certification declaring your site is secure is a bad idea.

Nevertheless, UPnP is useless, right?
Wrong! UPnP hacking is extremely serious discipline which often lead to a catastrophic effect. The following is possible with UPnP:

* portforward internal services (ports) to the router external facing side (a.k.a poking holes into your firewall and/or network)
* portforward the router web administration interface to the external facing side.
* port forwarding to any external server located on the Internet, effectively turning your router into a zombie: the attacker can attack an Internet host via your router, thus hiding their IP address (not all routers are affected by this, but most are)
* change the DNS server settings so that next time when the victim visits bank.com, they actually end up on evil.com mascaraed as bank.com
* change the DNS server settings so that the next time when the victim updates theirs favorite Firefox extensions, they will end up downloading evil code from evil.com which will root their system.
* reset/change the administrative credentials
* reset/change the PPP settings
* reset/change the IP settings for all interfaces
* reset/change the WiFi settings
* terminate the connection

And these are just a small portion of the things you can do over UPnP.

If you have no need for UPnP…turn it off and disable it in your router!

Leah Culver – Top 5 Female Hackers in Film History

Someone should put together a TV show “Top 5 Female Hackers”..my vote for #1 is Chloe O’Brian from 24.

<%image(20080104-24chloe_o_brian.jpg|284|198|Super Hacker Chloe O'Brian)%>

She’s the only one that could hack into the NSA database in under 5 minutes while redirecting CTU satellites for Jack.

Centralized
Hackerpedia is an attempt to share knowledge in an easy-to-read format. Certainly, there is a lot of information gathered within various forums, but none of it is centralized.

Hacker-specific
While there are other wikipedias, Hackerpedia focuses on information from a hacker perspective. While others may have entries for Nepenthes, here you won’t find anything on plants.

All things to all people
Designed for beginner and expert alike, there is something for everyone.

I know I haven’t found anything quite like this out on the net and usually finding pen test related information can be a tedious experience. As with any new community, this needs lots of volunteers to get the word out and to get pen test and security professionals to contribute content to the wiki. I would love to see this take off and become a great resource for pen testers.

What can you do?
Please help spread the word about this resource by linking to the Hackerpedia and contributing content! Hopefully the community will quickly grow around this project.

I came across a good interview with Johnny Long over on Computer Defense this morning. If you don’t know who Johnny Long is…well…he is pretty well known in the hacker and security community. More about him on his web site and by doing some Google searches (he wrote a very good book called “Google Hacking” BTW).

Anyway, when I was at Defcon 15 this past summer I sat in on his “No Tech Hacking” presentation and remember Johnny talking about a charity organization that he started called “I Hack Charities” or better known as “Hackers for Charity”. While honestly at the time I was more interested in the talk he was about to give, I had thought that this was a really cool idea. Hackers for Charity basically gives hackers an outlet to use their skills for good and to also help build their resumes. Basically, you help them out with a technical project, they will give you a job reference (via a LinkedIn connection and resume reference). In addition, Hackers for Charity accepts all sorts of donations from old hardware to swag you may have been collecting over the years from all those security conferences (I know I have tons of this stuff). They collect this swag and send it to needy people over in Africa and other underdeveloped countries. I am thinking about getting all my co-workers to dig out all of their swag and we could send them a big box of this stuff…think of the possibilities if several big corporations did the same thing…something we should all think about.

Great stuff, right? How can you get involved? Check out the web site here. Sign up for the mailing list here. You can donate time, money, swag, or any skill set that you may have. They are even looking for people with soft skills as well (business, management, etc…). Let’s help spread the word and get other security professionals to support this worthy cause.

This was a hard one to categorize as I have a Video Game Console Hack section but this really isn’t a hack…it looks like a New Zealand security researcher determined that cracking password hashes on a Playstation 3 via brute force is much faster (100 times actually) then cracking on Intel based hardware. From the article:

“The gaming console is perfect for cracking passwords because the chips it uses are optimized to rapidly perform the calculations required to model 3-D environments. The computing techniques used to crack passwords are similar.”

In addition, the console is pretty affordable (cheaper then a Intel based PC/laptop) so this is great for cracking passwords on the cheap. Be sure to check out the podcast that is linked in the article I referenced above as the researcher explains some of the ramifications of this research (good stuff about cracking Bit Torrent hashes to poison download chunks). Hopefully we get to information down the road about the setup he used on the PS3 to achieve this (I will post an update when I get it).

This relates to the video card password hash cracking technology that Elcomsoft developed but the Playstation 3 cell processor runs way faster (like the tune of 1.4 billion calculations).

One of my favorite web sites “Hack a Day” has a really good and detailed (with pictures) article on how to solder. While this may seem an easy task to some..it is a whole new experience for others. Now you can take apart and hack gadgets like the best of them! Click here for the article.

“Using the “brute force” technique of recovering passwords, it was possible, though time-consuming, to recover passwords from popular applications. For example, let’s assume that logon passwords for Windows Vista is composed of uppercase and lowercase alphabetic characters, and up to eight characters long. There are about 55 trillion (52 to the eighth power) possible passwords in this range. Windows Vista uses NTLM hashing by default, so using a modern dual-core PC you could test up to 10,000,000 passwords per second, and perform a complete analysis in about two months. With ElcomSoft’s new technology, the process would take only three to five days, depending upon the CPU and GPU.”

Also note that the product used distributed processing in a client/server architecture so it can harness the power of multiple GPU’s when cracking passwords. A 20 client license is only $599 US. Read more about this product here.

Password-cracking chip causes security concerns – tech – 24 October 2007 – New Scientist Tech

Passwords on the Loose – F-Secure Weblog : News from the Lab

The link in this article about the embassy pop3 passwords is very interesting as well.

Good article about this over at Darkreading.org.

Here is a good site with some ideas on how to prevent DDoS attacks. Not a whole lot of information out there, hopefully there is more research done on this subject soon.

HD Moore has done it again and is adding payloads for the iPhone. Some of these payloads include the ability to make a victims iPhone vibrate or even better..root shell access! HD is also putting in recent exploits like the like the one that exploits the Perl Compatible Regular Expressions (PCRE) library vulnerability.

HD goes on to explain that “a rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with ‘always-on’ Internet access over EDGE and you have a perfect spying device…”.

You can read the full article at darkreading.com. Check out HD Moore’s blog post.

DefCon: Friday Insanity!

War driving by rocket at 6,800 feet

CNN.com – Microsoft to hackers: Take your best shot – Aug 3, 2006