From Security Weekly Wiki
Revision as of 22:01, 17 May 2012 by Jdaniel

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 288 for Thursday May 17th, 2012

Interview: Cedric Blancher


Cedric is a senior researcher at the EADS Innovation Works Computer Security Research Lab near Paris. His research interests include honeypots and network and wireless security, and he is a founding member of Sky-nonymous.



  1. How did you get your start in information security?
  2. Tell us about why you developed the wifitap tool.
  3. Today everyone seems to be buzzing about mobile security and BYOD. Are they missing the boat when it comes to Wi-Fi security and forgetting about the huge hole it leaves, or have technologies such as WPA taken care of the risk?
  4. What kind of hardware and software tools are in your wireless hacking toolkit?
  5. What are some of the most successful wireless hacks? How do you protect yourself, or your organization, against them?
  6. What's next for wireless security?
  7. What was your Hackito Ergo Sum Keynote about?
  8. What is the most interesting attack you've seen from a honeynet?
  9. What's the dumbest thing you've seen an attacker do on a honeypot?

Guest Tech Segment: Aaron Crawford on "Social Engineering Using Product Packaging"

Teasers & Plugs

About Aaron

In 2010 the Kansas City InfraGard chapter held Kansas City's first mock cyber warfare event, called Cyber Raid. There, an unfair advantage was gained by a red team member, Aaron Crawford, who used an elevated form of social engineering that fooled not only the blue team and event organizers but also the FBI agents present.


Aaron provides an elevated playbook of what to look for in social engineering campaigns and how to prevent them. He is here today to show us how various trust models, training and experience are circumvented by new approaches to social engineering. For example, a simple power strip and a baby monitor can be combined into a cheap but undetectable listening device, and new attacks with USB memory sticks can be successful.

Social Engineering Using Product Packaging

The quick and dirty version is that we are going to package our payload in a familiar wrapper of sorts, or in professional-looking packaging. We are programmed to trust and seek out products that are well designed and sealed. Name brands reassure us that we are purchasing and receiving a superior product. Think about the sealed food products you buy at the store: you assume the food is safe because it is sealed and packaged in a very specific way. Let’s grab some products and packages lying around the home to get some ideas.

Please note that these products are in no way endorsed by myself or Pauldotcom. These are merely items that were within my reach and close to my camera.

Take a look at the various devices used in packaging. These devices instruct us, inform us and make the benefits of the product clear.


Here we have a good example of using instructions to provide security through a weak integrity mechanism, a tamper-evident seal. If the seal is broken, the product is considered compromised and should be reported. This is a very powerful mechanism that we will take note of and use later.


Even your family members’ action figures are chock full of packaging ideas and instructional devices. The packaging even gives you an invitation to try out the product, to demonstrate its value and the need for it.

So now that we have dug around the house for inspiration, we are ready to design some packaging to facilitate awesome pwnage, right? Not at all; we must research the target first. Skipping this step is a major failure in pentests as well as in phishing and noodling campaigns. Do your research on your target and, more importantly, on its identity. You can use Maltego all you want to find juicy bits of info, and skim through social media profiles, but that will not give you insight into the actual identity of the target and the vernacular used within its culture and internal channels.

A simple and little-known solution to this is obtaining the target’s stylebook or identity sheets. These are the documents a company or brand issues to external parties that might be designing or handling the company’s logo or content. They outline very specific requirements, such as how big the logos can be, which colors and fonts can be used, and what language or associations are allowed. They are invaluable assets in helping you craft better attacks on your target.

Hacking The Cyber Raid Challenge

In the case of the hacking tournament we did not have a style sheet, so all we could do was collect the information that was available to us, which was the web site (CyberRaid). The site gave us a plethora of information such as the event sponsors, their logos, and the tone and vernacular used. This allowed us to mimic the same tone and language on our packaging. With our recon done, it’s time to grab those pica poles and pencils and get our design on.

The design should be something that gets us into the blue team space, so we will use the color blue and borrow language from the CyberRaid web site. Language that is too flowery, or that speaks above or below the audience, will raise an immediate red flag. (Think about those badly written phishing e-mails that you get.) Next we add a series of validation and instructional mechanisms that relate to the event and squash any suspicions. Let’s take a look at the finished packaging.


So with a little bit of planning, recon and some simple graphic design tricks you can get nearly anything into any environment with no questions asked, by violating common trust models. Before you do the simple USB stick drop in the parking lot, look towards an easier solution: think with the box instead of outside of it. If you would like to learn more about how to do these attacks, for free, I am teaching “Beyond Social Engineering: Violating Trust Models Through Marketing” at the 2012 CEIC (www.ceicconference.com), and remember, with the right tools it’s as easy as shooting squirrels in a barrel.

Tech Segment: Skipfish Web Application Scanner

Teasers & Plugs

  • Be sure to tune in to next week's show featuring mobile security expert Zach Lanier! That's Thursday May 24, 2012 at 6PM EDT. You can watch us live at http://pauldotcom.com/live or watch the recorded episodes on Ustream or Blip.tv

Installation and Running

I had to update to the latest version of Backtrack 5 in order to get the latest version of Skipfish to compile. Before I updated, it failed on an HTTP library.

Get it:

# wget http://skipfish.googlecode.com/files/skipfish-2.06b.tgz
# tar xzf skipfish-2.06b.tgz

Compile it:

# cd skipfish-2.06b
# make

Run it (the start URL goes last; skipfish refuses to start without one, and the -o directory must not already exist):

# ./skipfish -g 100 -f 50 -t 10 -o ulamp/ -L -W- -b ie http://<target>/


  • -g 100 - maximum simultaneous TCP connections, global (default 40)
  • -f 50 - maximum number of consecutive HTTP errors before the scan aborts (default 100)
  • -t 10 - total request/response timeout in seconds (default 20)
  • -o ulamp/ - write the report into this directory; skipfish creates it and will not reuse an existing one
  • -L - do not auto-learn new keywords from the site
  • -W- - no read-write wordlist (the same as -W /dev/null). Together with -L and no -S, this means no dictionary brute-forcing at all: the scan only crawls and tests what the crawler finds. Pass a read-only wordlist from the source tree, e.g. -S dictionaries/minimal.wl, to add directory and file guessing.
  • -b ie - send request headers consistent with MSIE (only the first letter, i/f/p, is examined)



Now your web application penetration test can begin!
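The one-liner above is easy to misuse: an output directory that already exists makes skipfish bail out, and an unscoped crawl that follows a logout link will quietly end an authenticated session halfway through the scan. The wrapper below is an added example (written for these notes, not code from the Skipfish project or the original segment) that keeps the same flags and adds the scope (-I), exclusion (-X), cookie (-C) and read-only dictionary (-S) options that skipfish 2.x provides. It assumes SKIPFISH_BIN points at the compiled ./skipfish binary and that SKIPFISH_DICT, if set, names one of the wordlists under the source tree's dictionaries/ directory; the target URL, scope substring and cookie are the caller's, and the values in the usage line are made up.

```shell
#!/bin/sh
# Added example: a small wrapper around the skipfish command line shown above.
# Assumption: SKIPFISH_BIN is the compiled ./skipfish binary (2.x flag set).
# Assumption: SKIPFISH_DICT, if set, is a read-only wordlist such as
#             dictionaries/minimal.wl from the skipfish source tree.
SKIPFISH_BIN="${SKIPFISH_BIN:-./skipfish}"

# skipfish_scan START_URL OUTDIR SCOPE [COOKIE]
#   START_URL  crawl entry point, e.g. http://target.test/app/
#   OUTDIR     report directory; skipfish creates it and refuses to reuse one
#   SCOPE      substring every crawled URL must contain (-I), e.g. /app/
#   COOKIE     optional name=value session cookie sent with every request (-C)
skipfish_scan() {
    start_url="$1"; outdir="$2"; scope="$3"; cookie="$4"

    case "$start_url" in
        http://*|https://*) ;;
        *) echo "skipfish_scan: start URL must begin with http:// or https://" >&2
           return 2 ;;
    esac
    if [ -z "$scope" ]; then
        echo "skipfish_scan: a scope substring is required so the crawl stays on the target" >&2
        return 2
    fi
    if [ -e "$outdir" ]; then
        echo "skipfish_scan: '$outdir' already exists; skipfish will not write into it" >&2
        return 2
    fi

    # Same tuning as the one-liner: 100 global connections, abort after 50
    # consecutive HTTP errors, 10 s request timeout, no learned wordlist,
    # MSIE-style headers.  Added: -I restricts the crawl to URLs containing
    # the scope substring and -X keeps the crawler away from logout links,
    # which would otherwise end the authenticated session mid-scan.
    set -- -g 100 -f 50 -t 10 -o "$outdir" -L -W- -b ie -I "$scope" -X /logout

    # Brute-force directories and files only when a read-only dictionary is supplied.
    if [ -n "$SKIPFISH_DICT" ]; then
        set -- "$@" -S "$SKIPFISH_DICT"
    fi
    if [ -n "$cookie" ]; then
        set -- "$@" -C "$cookie"
    fi

    "$SKIPFISH_BIN" "$@" "$start_url"
}

# Run directly (made-up values):
#   sh scan.sh http://target.test/app/ report/ /app/ 'PHPSESSID=abc123'
if [ "$#" -ge 3 ]; then
    skipfish_scan "$@"
fi
```

Because the wrapper only assembles arguments, it can be dry-run by pointing SKIPFISH_BIN at echo to see the exact command line before letting it loose on a target.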


http://holisticinfosec.org/toolsmith/docs/june2010.html - Article

http://code.google.com/p/skipfish/ - Project homepage


Teasers & Plugs

  • DerbyCon Call for Papers and ticket registration are available online. If you have not yet registered or submitted a talk, please do so now.
  • Security BSides everywhere: Pittsburgh, Detroit, Cleveland, Las Vegas, more. http://www.securitybsides.com/ - We have 5 BSides tickets to give away! Listen to the instructions at the end of Episode 282 for complete details!

Paul's Stories

  1. PHP-CGI Vulnerability Exploited in the Wild | Sucuri - No surprise here!
  2. Risks of High SPF Sunscreen – flyingpenguin - Sunscreen is like firewalls, really? Let me lube up...
  3. Angry Birds tops corporate mobile blacklist - What is it about keeping tabs on employees? There is always a way around restrictions in place for computer usage, and you should have a policy. In the end, it comes down to hiring employees that don't slack off and making sure measures are in place to prevent the blatant violations of company policy.
  4. Apple QuickTime update for Windows only; Macs already secure - Is Apple favoring their own OS in terms of prioritization of patch releases? Nooooo, say it isn't so!
  5. Hacking CCTV Security Video Surveillance Systems with Metasploit - Nice to see this in Metasploit, most don't secure CCTV.
  6. passdb: Kronos Workforce Central: SuperUser/kronites http://t.co/sVPYCCB3 #password - What could you do with a company time system? Hmmmm.
  7. PowerShell - Nice post getting code exec on x64.
  8. .secure domains require proof of security - Is a .secure domain more secure than any other domain? How hard would it be to obtain and/or hijack one?

Jack's Stories

  1. PHP-CGI Vulnerability Exploited in the Wild | Sucuri - No surprise here!