SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
This podcast is also sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins and compliance checks. Tenable – Unified Security Monitoring!
Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.
One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.
Announcements & Shameless Plugs
Welcome to PaulDotCom Security Weekly, Episode 128 for October 30th, 2008. A show for security professionals, by security professionals.
- PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
- ChicagoCon - October 27 - November 1, Talks by Ed Skoudis, Gregory Conti West Point, Author of "Security Data Visualization", Daniel V. Hoffman CTO SMobile Systems, EH-Net Columnist, Billy Rios/John Walton Microsoft Pen Testers (Blue Hat)
- This week we have a Book Giveaway from No Starch Press, a copy of The IDA Pro Book. E-mail the answer to our question to email@example.com. First correct answer, with supporting documentation to that address wins!
Tech Segment: Getting started with Hardware Hacking
This is just my advice, and is actually a very nebulous thing to answer. I'll tell you what has worked for me over the years. I'm just breaking the surface, and still learning from my own advice.
- Read all you can find! - the internets have exploded with all sorts of information on electronics projects, kits, you name it. I'll have some stuff in the reading/websites section with some specifics
- Find a mentor - One locally is great, and is also a way to meet new people and get ideas. Consider your local 2600/Defcon/Maker group. At a minimum, stop in on the local HAM radio club. For what it was worth, my mentors ended up being my Dad, who was an EE, and my grandfather, who was a swamp yankee/inventor.
- Take something apart - Now certainly you might not want to take apart that nice $3000 flat panel TV, but find something appropriate. Check yard sales for cheap electronics, or even on trash day. For beginners, stay away from TVs and Microwave ovens. Don't discount kids toys. With these scenarios, you won't feel bad if you break something that was broken, cheap or free. Explore! You own the hardware! Figure out what all those unknown little bits do by looking up spec sheets on the internet.
- Think of ways to make something better - You know all that crap, I mean valuable electronics, you just picked up? If something works, how would one of them be made better, or how could it be made to do something else? For example, we picked up a "baby boom box" at a yard sale for a quarter. My daughter LOVES it, but it is loud, and doesn't have an off switch. See? Take it apart and add a (baby proof) switch to disconnect the positive battery lead, and add a potentiometer (variable resistor - sort of like a dimmer switch) in line with the positive speaker wire. When she's done with it in a few years, take another look at how you could have improved that design - instead of the potentiometer what about replacing an output resistor. This can get even more fun, as you can start circuit bending!
- Mind your voltages - ...and of course your positives and negatives. Don't swap them, and don't overpower them (unless you read all about those power regulation chips). Making these mistakes is a great way to let the magic smoke out of your electronics. Double (even triple) check your wiring. With higher voltages (such as direct mains power), they can easily let the magic smoke out of you. Start small.
- Don't be afraid to follow in the footsteps of others - Read someone else's projects and recreate them, or in many lucky cases, build them from a kit. It is a great way to learn how to solder/desolder, and learn the principles and about the parts. Learn from someone else's experience and mistakes, and even improve on the design. Eventually your path will drift, and you'll be on your own road, even if it is just a slight deviation at first. Modify your kit!
- Learn to solder - Yeah, you had to figure that was coming. Also, learn to de-solder. Use all of those valuable electronics you picked up to practice both - then you aren't learning on your project. Practice makes perfect! Yes, re-solder the pieces you just practiced removing. And when you are done, you can even be left with a bunch of parts to use in another project, that are often worth more apart than the sum of the free/cheap whole. A great way to build an inventory of bits and wire.
- Start with the basics - Learn basic electronic principles; completing a circuit, switches, etc. Even though they are old, don't hesitate to use analog devices, like 555 timers, transistors, capacitors, resistors and so on. Venture into microcontrollers such as Arduino, and PICs as you get more comfortable. Learn how to read schematics - even the basics will take you a long way.
Start small. Go ahead and buy just what you need to get started on your first project. Even see if you can borrow some from a friend (but return them!) for a bit. Certainly, try out the moderately priced soldering iron from Radio Shack to get started...
Here's what I find is most helpful:
- Dremel with grinding and cutoff wheels
- Drill press, and bits, in a pinch, a hand drill (electric or otherwise) will work.
- Soldering station - I like Weller, but I have a generic. Variable temperature is best.
- De-soldering iron. A "solder sucker" is Ok, but tends to be frustrating. De-soldering wick is good too.
- Small screwdrivers, jewelers screwdrivers, torx, and any other security screw bits. It is all about having the right tool for the job. This coming from a guy who just upgraded his MBP with a jewelers flat head for phillips screws, and a filed down jewelers flat head to remove #25 torx screws.
- Set of small metal files (for sharpening your soldering iron, and filing down flathead screwdrivers)
- A pair of "extra hands". A magnifying glass, or head mounted loupe (both in conjunction with a good light source) is also a huge plus.
- Pliers and wire cutters are also a great idea. As are a pair of wire strippers (your teeth get tired after a while).
There is tons of info out there. Here are some of the places I learn from and take inspiration from.
- Make - This is the mecca of all things hack. A little of everything, and they've really blown the doors off this thing for the whole community, making this info and reporting available for everyone.
- Hackaday - A daily dose of hacking goodness, on all sorts of topics. Good brain food, and they've recently started a series about all the piece parts.
- LadyAda - Limor Fried's website. Kits, and general blog about electronics goodies.
- Citizen Engineer - A new video series on hardware hacking how-tos
- Nuts and Volts Magazine - Pure electronics projects, that you can adapt the concepts to your own projects.
- Instructables - All sorts of step by step tutorials on all types of hacks, crafts and electronics.
Interview: Jason Ostrom
How did you get started in information security?
How did you get involved in VOIP and Unified Communications Security?
We know you're not a lawyer, but is listening to others' VoIP calls illegal?
What are some of the major problems with VoIP implementations? What can people do about them?
Why should we care about VoIP security, it's on a separate network, right? Do people care?
I heard that "VLANs are all you need to secure VoIP", is this true?
Tell us about VOIPhopper! What's the best way to use VOIPHopper?
What about some new features? Nortel you say? :-)
Tell us more about UCSniff (unveiled at Toorcon), what it is and how it works.
When will UCSniff be released?
Stories For Discussion
Crypto1 = Crapto1 - [Larry] - We've heard about the talks on cracking the Mifare Crypto1 algorithm (in use all over). They've done a lot of talking, but now the attack code is available. All you need is to be able to sniff the wireless conversation between a tag and a legit reader, and in 2 seconds you can calculate the decryption key.
Estonian Registrar Shutdown - [PaulDotCom] - ICANN takes some bold steps and shuts down a registrar in Estonia that is known to harbor spammers, fraudsters, and the like. I think this is great, provided there is some approval and validation process, for organizations such as ICANN to start cracking down and "take the Internet back" from the bad guys. Will it ultimately help in the end? Not really, but shows that they are paying attention to this behavior.
More RFID - Passport card! - [Larry] - When Ray Davidson was here in the studio a couple of weeks back, he gave us a peek at his new passport card - a functionally equivalent facsimile of the paper based passport, in a card form (much like a license). The card and passport both contain the same information via the RFID chips contained within, however the paper passport utilizes encryption (although see last story), whereas the card does not! The card version is readable in cleartext, and is clonable...
IPv6 Flaw Could Allow for MITM attacks on the local subnet - [PaulDotCom] - Couple of things, IPv6 flat networks could be quite large, opening up the attack surface. This is a problem we have seen a lot in protocols, they are just too trustworthy. Basically you can spoof packets and tell the router to forward packets to you rather than the original destination. Kinda neat, and yet just another way to perform a MITM attack, which by the way are going to grow in popularity as tools for implementation become more readily available (like the middler, I wonder if it supports IPv6?).
IPv6 - The Metasploit Way - [PaulDotCom] - Speaking of IPv6, the new versions of Metasploit (3.2) and Core IMPACT (7.6), and CANVAS, and Nmap all now support IPv6. In this paper HD discusses the ins and outs of why that is useful. HD sheds some light on some things we've already talked about:
- "On networks where there are no active IPv6 routers, an attacker can reply to the router discovery request and force all local IPv6 nodes to configure a site-local address."
Neat, don't forget to check out THC's IPv6 Tools. More to follow on this one...
Car Battery? - [Larry] - I had a listener write in after my simcard presentation about another way to destroy simcards - applying voltages across the power contact, rendering it useless. I had a thought when this came in about being able to use the same car battery, jumper cables and sponges to wipe simcards as you would to extract passwords and decryption keys. Wait, a car battery to extract passwords and keys? Yes! Your data is only as strong as the encryption, which likely relies on keys and passwords. Ultimately your encryption is only as strong as the storage of those keys and passwords - if they are only stored in a human mind, how much torture (with a car battery or rubber hose), can that person endure before they turn them over...
VLC Stack Overflow - [PaulDotCom] - I love it when the vulnerability description states, "This leads to a straight stack overflow that can be trivially exploited by a (remote) attacker to execute arbitrary code in the context of VLC.", from the looks of it this should produce a nice, stable exploit for VLC. Of course, you have to get the user to click on a TiVO media file and have it open in VLC, but heh, that should be easy, right?
Reporting to some companies is hard - [Larry] - I wanted to report on this last week...but the original blog posting about the difficulty trying to notify eBay about a large number of hacked accounts had quickly disappeared from the internets. Now we get a little bit more information (actually any information at all). I'll recount the tale of what I read last week...Here's a perfect opportunity to think about setting up a public, and appropriate security reporting mechanism for your organization.
La Fonera 2.0 - [Larry] - A while back when I was working on my hiding rogue AP presentation, I was definitely looking at the new La Fonera with two ethernet ports to help out with some of my problems, and before they were released, I was able to stumble across the FCC pics for a version with a USB port. When released, there was no port.... Now they are releasing one to developers with the USB port! Maybe some hardware hacking and model comparison will allow us to USB enable all of the others? This also solves one of the problems with data gathering with hiding the rogue.
Lynx Vulnerability - [Larry] - A while back someone I follow on Twitter (I can't remember who) commented on the recent round of Firefox/Chrome vulnerabilities, and said that they were not concerned because they used Lynx (likely a tongue in cheek remark). So, here we have for you a (rather esoteric) Lynx remote code execution exploit! Just to prove a point that folks still do research into finding vulnerabilities (whether on purpose or on accident), in older, more legacy type of software that isn't the new fangled whizzbang product.