From Security Weekly Wiki

PaulDotCom Security Weekly - Episode 251 for Thursday July 14th, 2011.

  • The PaulDotCom Español episodes with Julio Canto, Lorenzo Martinez, Chema Alonso and Ruben Santamarta are available here. We have more interviews coming in the weeks ahead....
  • Sign up for Blackhat Training Courses:
    • PaulDotCom Blackhat Training Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
    • Tenable Security Blackhat Training Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" August 1-2

Interview: Claudio Criscione

Claudio Criscione managed to score his first hack at the age of 10, which was to download more content from the local BBS by bypassing ratio restrictions. After that he hacked his way to graduation at Milano TU and started his PhD. He has been the CTO of Secure Network since 2011. Criscione has been involved in web application security and anomaly detection, but has since moved into virtualization security and is also currently managing virtualization.info.

7:30 PM

Dave Kennedy

8:15 to 8:30

Stories For Discussion

PaulDotCom Blog Roundup

Larry's Stories

  1. Vodafone Femtocell Hacking - [Larry] - THC folks have been plugging away at this device since 2009, and have completely pwned it. Can you say call snooping, anyone? I sure can, because THC has been able to transform the device so that it allows anyone (not just femtocell and Vodafone subscribers) to connect. That means you can gather others' traffic with a modified device. Not to mention that THC shows you how to suppress errors and alarms back to Vodafone for your hacking goodness. I think I've said it before, but the largest threat to vendors in getting their devices compromised? Releasing them to customers.
  2. So close, yet so far… - [Larry] …for the first iPhone Malware scanning app. YAY! AV for your embedded device. Well, not quite, due to the sandbox that iOS places around apps, there is no access to memory or the file system, so all you can do is scan e-mail attachments and web downloads. Better than nothing I suppose, but a long way to go to compare to more traditional tools.
  3. Didier's Teensy PDF Mayhem - [Larry] - Did you know that you can create a PDF with just ASCII? Did you know that you could also include a malicious executable in that ASCII PDF? Didier Stevens did, and ported it to be delivered by a Teensy HID device. Time for Dave to add this as another Teensy attack in SET.
  4. Bluetooth on? I thought so. - [Larry] - Remember that WiFi hack years ago that exploited a bug in wireless drivers, which would receive packets without being associated to a network, to get exploits? Yeah, you didn't even need to be connected to a network, just have your adapter on. Now the same thing for Bluetooth on Vista and Win7 products. No interaction from the user. No pairing needed. To agree with a quote from Marcus Carey, I think we'll see more of this given the availability of better Bluetooth auditing hardware/tools such as Ubertooth.
  5. Technology enabling shoulder surfing - [Larry] - So, do you come full circle when you use technology to enable shoulder surfing of new technology? Using a video (camera, stream, file), this app analyses not the asterisks of hidden passwords on touch screen devices, but the touchscreen keyboard color change for keypresses. If you know where the keys are, you can just analyze the color that changes for keypress confirmation. Of course you can turn that feedback off, but who does that?
  6. ...and the Daemon is coming true - [Larry] - Just for fun.

Paul's Stories

  1. Wi-Fi Hacking Neighbor From Hell Sentenced to 18 Years - Pay close attention to the details in this story. I mean, sometimes things go bad with neighbors. Myself and some of my close friends have had property disputes with neighbors, putting up pools without proper (or any) fencing, or dogs leaving presents in your yard. That's really common neighbor-type dispute stuff. The convicted "hacker" had gotten into a dispute with his neighbors because they accused him of kissing his 4-year-old boy. I hope that word gets around about that little fact when he goes to prison... But seriously, you should not use your skills for evil, ever. I know, it's tempting, but framing people for child porn and sending threats to the vice president is not cool, and you will go to jail, with Bubba.
  2. Travelers left 11,000 mobile devices at U.S. airports - Ever wonder if those people actually go back to claim their laptops or cell phones left at the TSA checkpoint, or if they are already on a plane? You don't want to leave your phone in an airport; think about all the personal information you leave on your phone. It's the same thing as leaving your wallet! Don't forget, the 11,000+ number only takes into account devices that are reported missing...
  3. Windows XP support shutdown countdown begins - Okay, it's time, you can safely ditch Windows XP and use Windows 7, you now have my blessing. I've used Win 7 for a while now, and still actually like it! What I don't want to see people doing is using an unsupported operating system that is not getting security updates.
  4. Hugh Hefner is NOT dead - hoax spreads across the internet - Just a note to whoever is virtually killing people on Twitter, leave people like Hef alone man, the guy is a legend! Tom Cruise: fair game. But Hugh Hefner? Come on, he got women to take their clothes off when it was so not the cool thing to do, in fact, we owe much of the freedom we have to view porn on the Internet to Hef, so please stop trying to kill him on Twitter.
  5. More Password Analysis - The military chooses bad passwords. Among top honors? qazwsx. Yea, just look at your keyboard...
  6. Binary C&C Over HTTP - What would happen if you sent data over port 80 without HTTP headers? Everyone's firewall allows it outbound, unless you are behind a proxy server, and since it's NOT HTTP, most IDS/IPS type stuff won't pick up on it. Nice technique, turns out malware is already using it.
  7. Fresh PuTTY - Fresh PuTTY! After 4 years we have a new version, so if you are not using this software, you should be... I wonder why Microsoft does not include a default version of a secure TELNET and FTP client in Windows. I think once it stops including the insecure client software, we *may* see adoption of the more secure protocols. I mean, shouldn't it be the other way around, shouldn't we have to go out and download and install software that implements the insecure protocols, rather than including the insecure ones?
  8. Discoverability is Not a Mitigating Factor - Let me summarize, in Michael Ossmann's words, just how stupid people are being about the new flaw in the Bluetooth stack on Windows: "Turning off discoverability is like hiding the SSID of an 802.11 network." Makes sense now, huh? Yes, the vulnerability is critical, and for the first time maybe even I agree with Microsoft's decision to make it critical.
  9. How To make a prank Phone call - There were some good tips in this article on making prank calls, some of it will help you with your phone SE engagements, some will just help you annoy the crap out of people. It was SO GOOD that the page has been taken down...
  10. Loki: An Open Source Layer 3 Packet Generating and Attacking Python Framework! - Ah Loki, first you were a covert ICMP channel, then you were an evil character in the book Daemon, and now you are a fantastically evil tool for manipulating protocols. I love what this tool can do, and see a great usage for it on stuff like the pwn plug, where you can plug into the network, take over routers and traffic streams, and sniff traffic to your heart's content. Notice how Loki is always evil? According to Wikipedia Loki is a god in Norse Mythology, and check this out: Loki's positive relations with the gods end with his role in engineering the death of the god Baldr. Loki is eventually bound by the gods with the entrails of one of his sons. A serpent drips venom from above him that his wife Sigyn collects into a bowl. However, Sigyn must empty the bowl when it is full, and the venom that drips in the meantime causes Loki to writhe in pain, thereby causing earthquakes. Yikes...
  11. RFID bootable Live Hacking System - It can be a PITA getting some of the RFID tools working, so here is a bootable Linux distro with many of the tools pre-installed. Three words: I like it. I will love it when I find that it works.
  12. Process Injection Outside of Metasploit - Ah yes, ever been in that situation where you just needed to jump processes, but A/V is going all "nom nom nom" on your Metasploit binary? I hate it when that happens. For those times CG has shown us step-by-step how to use two different utilities, one called "shellcodeexec" and another called Syringe. Great stuff! (And no, not like the spray insulation, but like great stuff as in excellent! bravo! Yes, I need a drink)
  13. THC cracks Vodafone network, can listen to all calls - THC turned their femtocell into a full blown 3G/UMTS/WCDMA interceptor. NICE! "THC found a way to circumvent this and to allow any subscriber - even those not registered with the Femto - to use the Femto. They turned it into an IMSI grabber. The attacker has to be within 50m range of the UK Vodafone customer to make the customer's phone use the attacker's femto." This is what happens when you give technology such as this to customers, they hack it. Now I have an AT&T femtocell.... Tech details are here: http://wiki.thc.org/vodafone Looks like they soldered a USB serial device on to it and then used the default root password of "newsys". Wonder how they found that? They changed the iptables rules to accept all. In scanning my own femtocell, I found that it was in fact firewalled on all ports too. Time to break it open!
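The "Binary C&C Over HTTP" item above points out that a firewall lets raw bytes out on port 80 because it only looks at the port, while a proxy would reject them because it parses HTTP. The check below is an added example (not from the show notes or any tool it mentions) of the defender's side of that: given the first bytes of each direction of a port-80 flow, flag flows where the client does not start with an HTTP request line or the server does not start with an HTTP status line. The sample flows and IPs are constructed.

```python
import re

# Constructed sample port-80 flows (not real captures):
# (client IP, first client-to-server bytes, first server-to-client bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
                 b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.7", b"POST /api HTTP/1.0\r\nContent-Length: 3\r\n\r\nabc",
                 b"HTTP/1.0 204 No Content\r\n\r\n"),
    # Raw binary both ways: the "port 80 without HTTP headers" pattern from the story
    ("10.0.0.9", b"\x00\x1b\x7f\x02beacon\x00\x00\x00\x01",
                 b"\x00\x04\x7f\x02ack\x00"),
    # Client side is well-formed HTTP, but the server answers with a headerless blob
    ("10.0.0.11", b"GET /check HTTP/1.1\r\nHost: x\r\n\r\n",
                  b"\x7fELF\x02\x01\x01\x00"),
]

# HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF (RFC 2616 shape)
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r?\n")
# HTTP/1.x status line: HTTP/1.x SP 3-digit code SP reason CRLF
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] [1-5]\d\d[^\r\n]*\r?\n")


def looks_like_http_request(payload: bytes) -> bool:
    """True if the client's first bytes form a syntactically valid request line."""
    return REQUEST_LINE.match(payload) is not None


def looks_like_http_response(payload: bytes) -> bool:
    """True if the server's first bytes form a syntactically valid status line."""
    return STATUS_LINE.match(payload) is not None


def flag_non_http_on_80(flows):
    """Return (client IP, reason) for each flow where either direction is not HTTP."""
    findings = []
    for src, c2s, s2c in flows:
        if not looks_like_http_request(c2s):
            findings.append((src, "client payload has no HTTP request line"))
        elif not looks_like_http_response(s2c):
            findings.append((src, "server payload has no HTTP status line"))
    return findings


if __name__ == "__main__":
    for ip, reason in flag_non_http_on_80(SAMPLE_FLOWS):
        print(f"{ip}: {reason}")
```

Legitimate non-HTTP/1.x traffic on port 80 (TLS, HTTP/2 prior-knowledge, vendor update protocols) will also be flagged, so in practice this is a triage list to allowlist from, not a block rule.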