Category Archives: Hacking

Indiana Bank gets Hacked…Who’s really to blame?

Filed under Hacking

[Image: 1st Source Bank Hacked]

Interesting story that hit the wire last week about another bank security breach. This time 1st Source Bank of South Bend, Indiana became the next victim of stolen debit card data. Not a ton of details have emerged yet, but we do know the following:

1. An external monitoring service (an MSSP, perhaps?) or hired security consultants (doing a pen test?) detected an unusual amount of data leaving one of the bank's servers.

2. The bank notified law enforcement and hired outside forensic firms (i.e., security incident response consultants) to analyze the breach.

3. Track 2 data was compromised. Track 2 holds the primary account number, the expiration date, the service code and issuer discretionary data. The PIN itself is not written to either track of the magnetic stripe, although the discretionary data can carry a PIN verification value that the issuer uses to check a PIN entered at the terminal. Track 2 data is enough to encode a counterfeit card, which is why this is serious; using that card at an ATM additionally requires the cardholder's PIN, so whether PINs were exposed by some other route is the important unanswered question.

4. The bank is reissuing all debit cards in its portfolio and is offering to pay for "Deluxe ID TheftBlock" (normally $4.95 a month) for one year for any customer who requests the service.
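To make clear what an attacker actually gets from Track 2 data (and what they do not), here is an added example that is not part of the original post: a small Python parser for the Track 2 layout (';' start sentinel, PAN, '=' separator, YYMM expiry, three-digit service code, discretionary data, '?' end sentinel) with a Luhn check on the PAN and a PCI-style masking helper. The sample record is constructed around a well-known test card number, and the service code table is a partial decoding.

```python
import re

# Constructed Track 2 record (not real card data): the PAN is a well-known test
# card number, expiry YYMM 1009 (Sept 2010), service code 101, then discretionary data.
SAMPLE_TRACK2 = ";4111111111111111=1009101123456789?"

# Track 2 layout: ';' start sentinel, PAN, '=' field separator, YYMM expiry,
# 3-digit service code, issuer discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Partial decoding of the service code (first digit: interchange rules;
# third digit: allowed services / PIN requirement).
SVC_FIRST = {"1": "international", "2": "international, chip preferred",
             "5": "national only", "6": "national only, chip preferred", "7": "private"}
SVC_THIRD = {"0": "no restrictions, PIN required", "1": "no restrictions",
             "2": "goods and services only", "3": "ATM only, PIN required",
             "5": "goods and services, PIN required"}


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit validation; every PAN on a stripe must pass this."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Split a Track 2 record into its fields. Note there is no PIN field to return."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    svc = m.group("svc")
    return {
        "pan": pan,
        "expiry": f"{m.group('mm')}/{m.group('yy')}",
        "service_code": svc,
        "service": f"{SVC_FIRST.get(svc[0], '?')}; {SVC_THIRD.get(svc[2], '?')}",
        "discretionary": m.group("disc"),
        "pin": None,   # the PIN is never stored on the stripe
    }


def mask_pan(pan: str) -> str:
    """First six and last four digits, the form PCI DSS allows you to display or log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    rec = parse_track2(SAMPLE_TRACK2)
    print({**rec, "pan": mask_pan(rec["pan"])})
```

Everything a counterfeit card needs is in that record; the PIN is not, which is why the question of how (or whether) PINs were also obtained matters so much for ATM fraud. Any system that logs the full PAN the way the sample does before masking is itself a PCI finding.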

These quotes from the bank are classic:

The bank also is monitoring automated teller machine transactions “minute by minute” to stop unauthorized activity. But even if the efforts fail, account holders won’t suffer, Seitz said.

“We’re certainly not holding any of our customers financially responsible for any transactions related to this breach,” he said.

and….

“Actually, our customers have been very understanding,” he said. “Obviously, this is something that puts a little stress on that relationship.”

Really…are you kidding me? Also note that they have yet to post an official statement about the security breach on their web site. In fact, their web site mentions nothing about the breach at all (it does, however, say plenty about a merger with another bank beginning on June 9th, so the site is clearly being updated regularly). This looks like an attempt to make the breach out to be "no big deal" to the general public.

So who's really to blame? The bank, of course! Personally, I would rather have my bank be honest and up front with me about a security breach instead of delaying the announcement (nothing was sent to customers until two weeks after the breach) and talking about how "understanding" customers will be. Clearly there are major security and customer service issues at this bank. Current 1st Source customers should bail out ASAP!


How not to get your domain hijacked

Filed under Hacking

You have probably read about the Comcast domain hijack a few weeks ago, which took very little technical skill. Apparently two hackers were able to social-engineer their way into the Comcast domain registration account managed by Network Solutions. Once they had access they changed the name server (NS) delegation for comcast.net to point to name servers under their control, thus hijacking the domain. For a short time they redirected Comcast users to a web page stating the following:

"KRYOGENICS Defiant and EBK RoXed Comcast, sHouTz to VIRUS Warlock elul21 coll1er seven."

Here’s the best part (from the Wired article):

Network Solutions spokeswoman Susan Wade disputes the hackers’ account. “We now know that it was nothing on our end,” she says. “There was no breach in our system or social engineering situation on our end.”

Deny, deny, deny….not surprised at this response since it makes providers like Network Solutions look really bad. Sooner or later all the details about how these guys did it will come out…then the truth will be told.

In the meantime…what can you do to prevent your site from being the next Comcast? Believe it or not…Network Solutions actually has a few good suggestions! Note: this was apparently posted after the Comcast domain hijacking incident…hmmmm…coincidence or not? :-)

Seriously though. I don’t blame Network Solutions entirely as many companies forget that domain registrations require maintenance and regular review of the security controls around them. By the way, the Wired article that I mentioned above is a great read…and probably the best article currently out there on the hijack.
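As an added example (not from the post, and not from Network Solutions), here is the sort of periodic check a domain owner can script against their own WHOIS output: does the domain carry registrar locks, does the name server delegation still match what you expect, and how close is expiry. The WHOIS text is constructed to resemble the common "Key: Value" layout; the ISO date format and the exact lock names are assumptions about your registrar.

```python
from datetime import date

# Constructed WHOIS output for a hypothetical domain. The "Key: Value" layout and
# the ISO dates are assumptions about your registrar; adjust parse_whois() to match.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.NET
Registrar: Example Registrar, Inc.
Updated Date: 2008-05-20
Creation Date: 1999-03-14
Expiration Date: 2008-08-01
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Name Server: NS1.EXAMPLE-CORP.NET
Name Server: NS2.EXAMPLE-CORP.NET
"""

# EPP status codes a registrar sets on request; without them a transfer, an NS
# or contact update, or a deletion needs nothing more than the account password.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                  "clientDeleteProhibited"}


def parse_whois(text: str) -> dict:
    """Pull status codes, name servers and expiry out of Key: Value WHOIS text."""
    rec = {"status": set(), "ns": set(), "expires": None}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        if key == "domain status":
            rec["status"].add(val.split()[0])        # drop a trailing URL if present
        elif key == "name server":
            rec["ns"].add(val.lower().rstrip("."))
        elif key == "expiration date":
            rec["expires"] = date.fromisoformat(val)
    return rec


def audit_domain(text: str, expected_ns, today: date, warn_days: int = 60) -> list:
    """Return a list of findings; an empty list means nothing to act on."""
    rec = parse_whois(text)
    findings = []
    missing = REQUIRED_LOCKS - rec["status"]
    if missing:
        findings.append("missing registrar lock(s): " + ", ".join(sorted(missing)))
    expected = {n.lower().rstrip(".") for n in expected_ns}
    if rec["ns"] != expected:
        # This is the check that catches a Comcast-style delegation change.
        findings.append(f"NS delegation drift: expected {sorted(expected)}, "
                        f"observed {sorted(rec['ns'])}")
    if rec["expires"] is None:
        findings.append("no expiration date found")
    else:
        days_left = (rec["expires"] - today).days
        if days_left < warn_days:
            findings.append(f"domain expires in {days_left} days")
    return findings


if __name__ == "__main__":
    expected = ["ns1.example-corp.net", "ns2.example-corp.net"]
    for finding in audit_domain(SAMPLE_WHOIS, expected, date.today()):
        print("WARN:", finding)
```

Run it on a schedule against real whois output and alert on any finding. The locks only stop transfers and updates pushed through the registry; they do nothing against someone who has social-engineered their way into the registrar account itself, which is why the account needs strong, unique credentials and whatever second factor the registrar offers.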


Metasploit.com Attempted Hijack

Filed under Hacking

This past Monday, some silly hacker got the idea that he could redirect traffic from Metasploit.com to a Chinese forum by ARP poisoning the router on whose network the metasploit.com server resides; in other words, a man-in-the-middle (MITM) attack. Here is an excerpt from HD Moore's reply on the Full Disclosure mailing list:

“Problem solved. Someone is ARP poisoning the IP address of the router on which the www.metasploit.com server resides.
I hardcoded an ARP entry for the real router and that seems to solve the MITM issue. It doesn’t help the other 250 servers
on that network, but that's an issue for the ISP to resolve…"

Sucks to be those other 250 servers! This hacker should have brought his A-game if he really wanted to take on HD Moore…FAIL!
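To show what the attack above looks like on the wire and how to spot it, here is an added example that is neither HD Moore's code nor part of the original post: a Python detector that replays a constructed log of ARP replies and flags any IP claimed by more than one MAC (or by a MAC other than the known-good one), with the time each MAC first appeared, plus the Linux commands that pin a static entry the way HD Moore did. The addresses and timestamps are made up.

```python
from collections import defaultdict

# Constructed ARP reply log as a sniffer on the segment would record it:
# (timestamp in seconds, sender IP, sender MAC). All addresses are made up.
ARP_REPLIES = [
    (1.00, "10.0.0.1",  "00:11:22:33:44:55"),   # the real router
    (1.50, "10.0.0.1",  "00:11:22:33:44:55"),
    (2.00, "10.0.0.42", "00:aa:bb:cc:dd:01"),   # an ordinary host
    (2.25, "10.0.0.1",  "00:de:ad:be:ef:00"),   # a second MAC claiming the router's IP
    (2.50, "10.0.0.1",  "00:de:ad:be:ef:00"),
]


def detect_arp_conflicts(replies, known=None):
    """Return {ip: [(first_seen, mac), ...]} for every IP that more than one MAC
    claimed, or that a MAC other than the known-good one claimed."""
    known = {ip: mac.lower() for ip, mac in (known or {}).items()}
    first_seen = defaultdict(dict)             # ip -> {mac: first timestamp}
    for ts, ip, mac in sorted(replies):
        first_seen[ip].setdefault(mac.lower(), ts)
    conflicts = {}
    for ip, macs in first_seen.items():
        suspicious = len(macs) > 1 or (ip in known and set(macs) != {known[ip]})
        if suspicious:
            # Sorting by first-seen time shows when the poisoning started.
            conflicts[ip] = sorted((ts, mac) for mac, ts in macs.items())
    return conflicts


def static_arp_commands(ip, mac, iface="eth0"):
    """Commands that pin an IP to its real MAC on a Linux host (the fix HD Moore applied)."""
    return [f"arp -s {ip} {mac}",
            f"ip neigh replace {ip} lladdr {mac} dev {iface} nud permanent"]


if __name__ == "__main__":
    for ip, claims in detect_arp_conflicts(ARP_REPLIES).items():
        print(f"{ip} claimed by {len(claims)} MACs:")
        for ts, mac in claims:
            print(f"  t={ts:.2f} {mac}")
        print("  pin the real one with:", " | ".join(static_arp_commands(ip, claims[0][1])))
```

In practice feed it the sender IP/MAC pairs pulled from a capture of ARP traffic on the segment. A static entry protects only the host you set it on; the other servers on that segment need the switch to do the filtering (dynamic ARP inspection on managed switches), which is the part HD Moore left to the ISP.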


Attendees to be tracked with RFID at The Last HOPE

Filed under Hacking

[Image: RFID Tag]

According to 2600 News, 1,500 attendees of this year's Last HOPE (Hackers On Planet Earth) conference will be tracked via RFID as part of a large social experiment that includes games focused on RFID technology. From the press release:

“Players will seek ways to protect their privacy, find vulnerabilities in the tracking system, employ data mining techniques to learn more about other participants, and choose how much personal information they will disclose in order to play.”

Cool stuff…if you are into being tracked via RFID! It should be interesting to see the results of this experiment from the conference attendees, along with some cool hacks to gather RFID data and ways to protect your privacy. I did an article on RFID a while back talking about ways to protect your identity using credit card "shields".

The Last HOPE takes place July 18 to July 20, 2008 at the Hotel Pennsylvania in New York City.


Lessons Learned from the Lowe’s Hacker Brian Salcedo

Filed under Hacking

[Image: Brian Salcedo]

Brian Salcedo was convicted back in 2004 of hacking the computer network of Lowe's (a national home improvement retail chain) through an unsecured wireless network that he and his partner found while wardriving. Brian's plan was eventually to siphon off millions of credit card numbers through a backdoor in a proprietary Lowe's program called "tcpcredit" that the pair had modified.

Brian is currently serving a nine-year prison term even though there is no evidence that he ever saw a single credit card number (at the time of sentencing, the longest federal sentence for a hacking offense had been the 68 months imposed on Kevin Mitnick). During the investigation only six credit card numbers were found in the file created by the modified "tcpcredit" program. Ironically, Brian seems to blame a lack of recognition for why he did what he did (here he refers to the earlier felony for which he was on probation before the Lowe's hack):

“It took awhile to work out the dilemma then consuming my head. Why did those around me get acclaim for exposing security flaws? They got hired, I was convicted of a felony. What was I doing wrong? After what seemed like a lifetime absence from computers, I decided to renege on my commitment to stay away from it and I simply relapsed into this all-out cracking binge.”

Two years later enter TJX …

In January 2007 TJX disclosed that there had been about 17 months of unauthorized network access, resulting in the compromise of some 46 million credit card accounts. At the time of writing this is the largest single breach of personal data in history. How did the TJX breach happen? Almost the same way Lowe's got hacked: lack of wireless security. TJX was using WEP, which is known to be trivially breakable. Other vulnerabilities on the internal TJX LAN had to be exploited too, but the wireless network was the way in. As we all know, it only takes one vulnerability to potentially bring down a network.

Then, this year, enter Dave & Buster's and Hannaford…

Just today it was announced that Dave & Buster's was the victim of a data breach that resulted in bank losses of up to $600,000. This time the attackers apparently used "social engineering" to get packet sniffers installed and capture credit card information in transit. That's right…social engineering. Ironically, one of the accused was apparently also involved in the TJX breach (I could only find one source on this). Hopefully we find out more in the coming days about how this social engineering attack took place.

The Hannaford supermarket breach, also this year, resulted in 4.2 million credit card numbers being compromised. The attackers had apparently planted malware on servers at each of the 294 affected stores, and that malware sent the captured data overseas.

While details about all of these intrusions are still coming out, one can start to see the similarities with Lowe’s, TJX, Dave & Busters and Hannaford.

Lessons Learned:

- Wireless is dangerous for retail if not properly secured. Now that WPA2 is widely available there is no reason a retailer should still be using anything less. Interesting to note that reliable sources tell me other major retailers are still using WEP on their wireless networks…and it's 2008!

- Stealing data in transit on the internal network is the new hotness! In most retail environments card data travels unencrypted until it reaches the database, and once you are on the internal network it is often trivial to obtain the level of access (administrator rights on a workstation or server) needed to install a packet sniffer.

- Social engineering is on the rise! I wouldn’t be surprised if all it took was a simple phone call from “the IT guy” asking a store manager to install a new piece of software in the case of Dave & Busters (or Hannaford, you never know).

- If you are a criminal thinking about doing the same thing: it's only a matter of time before you are caught, and if you are a US citizen, prepare to get the book thrown at you like Brian Salcedo did.

- Finally, as a company, don't put all your eggs in the PCI basket! Being certified PCI compliant (as Hannaford was) doesn't mean you are secure!
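On the first lesson above, here is an added example (not from the original post) of the quick wireless audit a retailer could run across its sites: it parses text in the style of "iwlist <iface> scan" output, classifies each network as OPEN, WEP, WPA or WPA2 with its cipher, and flags anything that is not WPA2 with CCMP. The scan text is constructed, and the output layout is an assumption about how iwlist formats its results.

```python
import re

# Constructed scan output in the style of `iwlist <iface> scan`; the layout is an
# assumption about that tool's formatting and the BSSIDs/ESSIDs are made up.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:AA:BB:01
                    ESSID:"store-pos"
                    Encryption key:on
          Cell 02 - Address: 00:11:22:AA:BB:02
                    ESSID:"store-corp"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : 802.1x
          Cell 03 - Address: 00:11:22:AA:BB:03
                    ESSID:"store-guest"
                    Encryption key:off
          Cell 04 - Address: 00:11:22:AA:BB:04
                    ESSID:"store-legacy"
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
"""

CELL_RE = re.compile(r"^Cell \d+ - Address: (\S+)")


def parse_scan(text: str) -> list:
    """Turn iwlist-style text into one dict per access point."""
    cells, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        m = CELL_RE.match(s)
        if m:
            cur = {"bssid": m.group(1), "essid": "", "enc": False,
                   "wpa": False, "wpa2": False, "ciphers": set()}
            cells.append(cur)
            continue
        if cur is None:
            continue
        if s.startswith("ESSID:"):
            cur["essid"] = s.split(":", 1)[1].strip().strip('"')
        elif s.startswith("Encryption key:"):
            cur["enc"] = s.endswith(":on")
        elif s.startswith("IE: IEEE 802.11i/WPA2"):
            cur["wpa2"] = True
        elif s.startswith("IE: WPA Version"):
            cur["wpa"] = True
        elif "Cipher" in s:
            cur["ciphers"].update(s.split(":", 1)[1].split())
    return cells


def classify(cell: dict) -> str:
    """Encryption on with no WPA/RSN information element means WEP."""
    if not cell["enc"]:
        return "OPEN"
    if cell["wpa2"]:
        return "WPA2/TKIP" if "TKIP" in cell["ciphers"] else "WPA2/CCMP"
    if cell["wpa"]:
        return "WPA/TKIP" if "TKIP" in cell["ciphers"] else "WPA/CCMP"
    return "WEP"


def audit_scan(text: str) -> dict:
    """Map each ESSID to (security, verdict); only WPA2 with CCMP passes."""
    report = {}
    for cell in parse_scan(text):
        sec = classify(cell)
        report[cell["essid"]] = (sec, "ok" if sec == "WPA2/CCMP" else "FIX")
    return report


if __name__ == "__main__":
    for essid, (sec, verdict) in audit_scan(SAMPLE_SCAN).items():
        print(f"{verdict:3} {essid:15} {sec}")
```

The point of the verdict column is that "encryption on" is not the same as secure: the WEP network looks encrypted to a casual glance at the scan and is the one TJX and Lowe's fell to.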


Winlockpwn: More than a Party Trick

Filed under Hacking

Fun with FireWire

I have seen a couple of blog posts, articles and even the creator of winlockpwn (the script that bypasses Windows authentication over FireWire) saying that this script is nothing more than a "party trick"…

“Wow and amaze your friends by magically unlocking a Windows PC without a password!”

While this seems like a fun thing to do at your next party to impress the ladies (ladies that like geeks and slick Python scripting, of course!), the truth is that it's a pretty serious issue. I have to hand it to the creator of winlockpwn (Adam Boileau, aka Metlstorm) for having such a cool sense of humor about the whole thing and all the media attention he has gotten (he got "slashdotted" when he released the script). On his web site he mentions that "it's a pity to write code and have no one use it". Adam, we totally agree!

The No Tech Hacking Phenomenon
Attackers will always use the easiest way to gain access to the network, confidential information, trade secrets, whatever. Since the majority of companies and organizations are locking down their networks, it's becoming more and more popular to use social engineering to bypass physical security controls and get onto the network that way. This is the "No Tech Hacking" phenomenon recently popularized by Johnny Long in his book of the same name (Johnny also gives a great talk on the topic). No tech hacking covers things like social engineering, dumpster diving, shoulder surfing, tailgating and people watching; I won't go into a ton of detail, read his book if you want to know more. The FireWire authentication bypass adds one more tool to the mix: once you have physical access to a location and a computer, it is almost always game over. Sure, there are other attacks, such as booting from a CD to change the admin password (assuming there is no pre-boot authentication with hard drive encryption) or exploiting some other vulnerability, but the FireWire attack works against a machine that is merely locked, so combined with "no tech" techniques it just got easier for an organization to get pwned.

Demos and information about winlockpwn
I decided to try winlockpwn out myself to see how easy it really is. There are a ton of articles out there already, but few give you all the details about where this hack originated and why this isn't a Microsoft-specific issue. There are even videos up on YouTube demonstrating it. I was going to do the same type of demo but felt that screenshots would be just fine. To add to the twisted irony of all this, I did record a video demo but couldn't find my 4-pin to 6-pin FireWire cable to hook up to my Mac to edit the video! Had a 6-pin to 6-pin, of course…silly cables. Anyway, let's get right to it and talk about the background of the winlockpwn script and how all of this came about.

Where did winlockpwn come from?
Back in 2006 at the RUXCON conference, security researcher Adam Boileau gave a talk called "Hit By A Bus: Physical Access Attacks With FireWire", which showed that a FireWire device can read and write a running machine's memory directly and that a few well-placed writes are enough to bypass Windows authentication. The code wasn't released at the time, and according to Adam this was because "Microsoft was a little cagey about exactly whether FireWire memory access was a real security issue or not and we didn't want to cause any real trouble". That's funny…Microsoft being "cagey" about something? More recently, after a team of Princeton University researchers released a video and paper detailing the "Cold Boot Attack", Adam felt it was time to release his script (with a little coaxing from the Risky Business podcast folks).

Not a Microsoft Issue!
The inherent issue is built into how FireWire works: the IEEE 1394/OHCI host controller lets a device on the bus issue direct memory access (DMA) reads and writes to host RAM without the CPU or operating system being involved. That is by design, and it is one of the reasons FireWire is as fast as it is. So this is not a Microsoft-specific problem; any OS that enables physical DMA for attached FireWire devices is exposed. What Windows adds is that it turns physical DMA on for devices that identify themselves as SBP-2 storage, which is why the attack tool masquerades as an iPod.

How does the attack work?
In its simplest form the authentication bypass needs two PCs. The target PC must be running Windows 2000, XP or Vista, must have a FireWire port (built in or via a PCMCIA FireWire card) and must be "locked" at the logon screen. The attacking PC runs a Linux/Unix variant with the pythonraw1394 bindings, a romtool (to make your FireWire card present itself as an Apple iPod), and the winlockpwn.py script. What makes this attack easy is that the Helix (v1.9) bootable forensics LiveCD already ships with the pythonraw1394 bindings and romtool installed, so all you need to add is the winlockpwn.py script. Run romtool to reprogram the attacker's FireWire interface to look like an iPod; in the target's Windows Device Manager it will show up as a FireWire Apple iPod. Let the fun begin!

I want to note that not only can you use winlockpwn to unlock a PC, you can also use a tool called 1394memimage to dump the target PC's physical memory to a USB drive. This can be even more valuable, since you can then run "strings" over the image and search for anything interesting (passwords, logon information, etc.). I won't go into the details of 1394memimage (I have yet to try it), but the method is the same as described below, except that you run 1394memimage at the step where you would run winlockpwn. Here is a good, detailed article about this process.
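As an added example (not from the original post, and independent of 1394memimage), here is the "strings" step in Python. A plain strings run only finds ASCII runs, but Windows keeps most credentials, user names and paths in memory as UTF-16LE wide strings, which GNU strings only finds with "-e l". The script extracts both encodings from an image with their offsets and greps them. The memory image is a constructed byte string with one ASCII and one wide string embedded, not a real dump.

```python
import re

# Constructed "memory image": non-printable filler with an ASCII string and a
# UTF-16LE string embedded, the way an NT logon path leaves wide strings in RAM.
SAMPLE_IMAGE = (
    b"\x00\x13\x07" * 20
    + b"password=hunter2"
    + b"\xff" * 9
    + "CORP\\jdoe".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x90" * 16
)


def extract_strings(image: bytes, min_len: int = 6) -> list:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII and in UTF-16LE, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(image)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(image)]
    return sorted(found)


def grep_strings(image: bytes, patterns, min_len: int = 6) -> list:
    """Keep only the strings that match one of the regex patterns (case-insensitive)."""
    hits = []
    for off, enc, text in extract_strings(image, min_len):
        if any(re.search(p, text, re.IGNORECASE) for p in patterns):
            hits.append((off, enc, text))
    return hits


if __name__ == "__main__":
    # Patterns worth trying on a real dump: credential-looking pairs and DOMAIN\user names.
    for off, enc, text in grep_strings(SAMPLE_IMAGE, [r"pass(word)?=", r"^[A-Z]+\\\w+$"]):
        print(f"0x{off:08x} {enc:8} {text}")
```

On a real image from 1394memimage, point the script at the file contents and widen the pattern list; the UTF-16LE pass is the one that turns up the domain\user name that a plain strings run silently misses.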

Steps to demo the attack
It might be a good idea to demo this to your management and/or clients, so I put together a little demo. Below is my lab setup:

- Desktop with a PCI FireWire Card running fully patched Windows XP SP2 (the victim)
- Laptop with a PCMCIA FireWire card (generic FireWire card, you can find a ton of these on eBay) booted with the Helix LiveCD (v1.9)
- 6-pin to 6-pin FireWire Cable
- USB Thumb Drive w/winlockpwn.py script

1. Boot the laptop from the Helix LiveCD. Next, "lock" the victim desktop. Copy the winlockpwn.py script to the pythonraw1394 directory on the laptop:

cp winlockpwn.py /usr/local/pythonraw1394

[Screenshot: Step 1]

2. Connect the 6-pin to 6-pin FireWire cable to both PC’s.

3. Load the raw1394 kernel module and run ./businfo to check that the FireWire adapter is visible (it should show up as port 0):

modprobe raw1394
./businfo

[Screenshot: businfo output]

4. Reprogram the configuration ROM (CSR) so the card mimics an Apple iPod, then run ./businfo again to confirm that the FireWire card now presents itself as an iPod:

./romtool s 0 ipod.csr
./businfo

[Screenshot: Step 4]

[Screenshot: businfo output with the iPod emulation]

5. Wait a few seconds for the FireWire/iPod drivers to load on the victim desktop, then run winlockpwn.py. Run it with no parameters to see all the options; there are several (one will actually spawn a command shell right at the logon screen!). For this demo we are using option 2 (regular, non-fast-user-switching logon). The 0 and the 1 are the port and the node:

./winlockpwn.py 0 1 2

[Screenshot: winlockpwn reporting success]

6. Press CTRL-ALT-DEL on the victim desktop. You will get an error message box about an incorrect password; ignore it and press ENTER. You will then be logged into the Windows desktop, bypassing authentication! Note that you can now lock and unlock the computer as many times as you want, because the patched code stays in memory until a reboot. Also, if you want to repeat the demo, uninstall the FireWire drivers that loaded in the Windows Device Manager before rebooting the box; otherwise you will probably have trouble getting the hack to work again.

How to protect yourself from winlockpwn?
Well, for starters, don't lose physical control of your PC! That sounds obvious, but it goes back to the fact that once an attacker has physical access to your PC it's pretty much over regardless. However, here are some tips that others and I are suggesting. Keep in mind that most of these can be circumvented on their own; a "defense in depth" strategy is always the best way to go:

- Ensure that all sensitive laptops/desktops use whole disk encryption with a pre-boot password.
- Disable standby and hibernation, so an unattended machine is actually powered off with nothing left in RAM to read.
- Disable unused ports in the BIOS, including booting from USB devices.
- Disable the PCMCIA slots in the Windows Device Manager (this may cause more problems than it's worth).
- Don't purchase laptops/desktops with FireWire ports (do you really need FireWire when you have USB ports?).
- Always secure laptops physically with a cable lock when unattended (depending on your environment).
- Mandate that users shut down their PCs if they are going to leave them unattended for a long period of time.

If you have any more suggestions let us know in the comments.


Phrack Issue #65 Released

Filed under Hacking

Looks like the latest issue of Phrack has been released. Phrack is one of those hacker magazines that seemed to have disappeared and is now slowly coming back into existence. Phrack is famous for publishing the infamous Hacker Manifesto and also provides good insight into the current (and past) state of the hacker underground.

Some highlights of this issue include an interesting "prophile" on a hacker named "The UNIX Terrorist" (the_uT), "Stealth hooking: Another way to subvert the Windows kernel", and "Hacking the $49 Wifi Finder".


Chinese Hackers or Script Kiddies?

Filed under Hacking

Interesting article on CNN today about a covert group of Chinese “hackers” who apparently have broken into the Pentagon and other high profile sites. Actually, they “know” someone who broke into the Pentagon, they didn’t actually do it themselves.

This isn't breaking news by any means. There are hackers all over the world trying to do the same things, and they are not necessarily in China. I would bet that this group is nothing more than a bunch of script kiddies looking for the attention of the US media. Sure, there are vulnerabilities in many, many web sites, some of them high profile; however, I have my doubts that these guys have serious "skills", given that their claim to fame is a web site with over 10,000 registered users that distributes hacking software. The site "offers tools, articles, news and flash tutorials about hacking". Anyone can run a tool or copy a script…what makes these guys so different? And how can you really prove that the Chinese government paid these guys to hack into the Pentagon?

Never fear…this is just media hype over US/Chinese relations and the potential “cyber war”. I am sure this won’t be the last either from these big media organizations.


Goolag Scanner – Google Vulnerability Scanner Released

Filed under Hacking

[Image: Goolag Scanner]

The infamous Cult of the Dead Cow (cDc) has released a very cool Google vulnerability scanner called Goolag Scanner. This tool allows you to search a specific web site or domain for known vulnerabilities and misconfigurations.

From an eWeek article:

“The open-source program comes with about 1,500 custom Google search queries embedded by default to run searches for vulnerable Web applications, misconfigured Web servers with open backdoors, sensitive user names and passwords, and other documents accidentally exposed on the Internet.”

From the cDc press release:

“It’s no big secret that the Web is the platform,” said cDc spokesmodel Oxblood Ruffin. “And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for web site owners to patch up their online properties. We’ve seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large web site, I’d be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious.”

Looks like they took Johnny Long's "Google Dorks" search queries (the Google Hacking Database) and put them into an automated tool. Very nice. Right now the tool only runs on Windows (.NET), but it looks like they will soon release it for other platforms. Nice to see all of these search queries put into an easy-to-use interface. Goolag Scanner and Maltego make fantastic additions to your pentest reconnaissance toolkit. You can download Goolag Scanner here.


Notacon 5: April 4-6 Cleveland, Ohio

Filed under Hacking

If you are in the Cleveland, Ohio area you should check out the local con called Notacon. It is similar to Defcon or ShmooCon but much smaller and, in my opinion, more distinctive. From the Notacon web site:

“NOTACON, an annual conference held in Cleveland, Ohio, explores and showcases technologies, philosophy and creativity often overlooked at other “hacker cons”. Our desire is not to supplant other events, but complement them and strike a balance that has gone unnoticed in our community for far too long.

With each new year we build upon the successes and knowledge of the previous years. Our goal is to enlighten, educate, and entertain attendees, presenters, and staff alike. We try to do this by finding new ways to apply technology to graphics, art, music, or social interaction.

Notacon espouses an ethos of exploration, participation and positive contributions. Hence, while some of the material we may cover is controversial or potentially “black hat” in nature, we feel it is important to bring light to all topics so that everyone can learn from the experience and create something good, fun or interesting from it.

Events during Notacon run from Friday morning through Sunday afternoon. These include over 40 presentations, contests such as “Anything but Ethernet”, game shows, prize giveaways and a whole lot of who-knows-what. Anything can happen, and usually does. “

It’s also affordable! $50 gets you into the con for the whole weekend. Looks like they have some interesting talks planned including “Bagcam – How did TSA and/or the airlines manage to do that to your luggage?” and the “Exploit-Me Series: Firefox Plug-ins for Application Penetration Testing”.
