haxorthematrix

A tale of information gathering made easy, Part one.

2008-03-20T21:53:56Z

I wanted to recount a tale that happened to yours truly at the recent Shmoocon 4 (2008), no how easy it can be to perform information gathering. I'll start with a quick one at the airport...

I sit down at the gate waiting for my flight to arrive, and I've got plenty of time. I pull out the laptop and connect to the internet using my CDMA USB card, and plonk away chatting with the folks on IRC (at irc.freenode.net #pauldotcom). A gentleman in his forties sits down two seats away from me, and also pops open this laptop, and he proceeds to connect to the t-mobile wireless network.

Now, I know what you are thinking! No, I didn't decide to own him via wireless, or sniff his traffic or any of those type of attacks. It was better than that:

The gentleman was presented with the T-mobile captive portal to subscribe for an account for access. Out comes his wad of cash and credit cards in the money clip on to the seat between us. Out of the stack comes the AMEX, and he types in the required info. Fail. Sigh. Retype. Fail. Even bigger sigh. Now the cell phone comes out, and I look over. I can clearly read the numbers, first and last name on the card sitting on the seat next to me. So technically, he's owned. But there is a snag; apparently his card has expired! Out comes his phone to call his wife, and apparently he has the main number, and has to ask to be transferred.

"Hello, may I speak to Carol please?" "This is her husband." "Thank you."

"Hi honey! I'm at the airport and trying to get on the internet, but it won't take my AMEX. I think it is expired." "Do you have your new one with you?" "Ok, can you read me the numbers?"

"Let me read them back to you: XXXX..."

"And the number on the back?" "YYY?" "Good."

Now through my powers of observation, I have a first and last name, and AMEX number with CVV code. All I'm missing is the billing address, which I bet Google would have found for me with a few clicks. Some more unscrupulous places won't even care that I don't have it, or that it doesn't match...

Credit card fraud, no computer needed.

Here's the lesson: If you are going to read sensitive numbers over the phone or back to the person, do so in private. Heck, go somewhere out of the way in the airport, take your bags, and pack up your laptop, and even write it down. Seems like common sense to me.

- L

More Shmoocon projects

2008-01-23T16:14:44Z

No, I didn't take up an entry for the hacker arcade. Maybe next year.

But, what I did do was take some inspiration from last year's attempt at a "shmooball launcher". Given my involvement with potato cannons, I figured this one would be a slam dunk, and infinitely better than the leafblower from last year's closing ceremonies.

So here's a sneak preview of my version during the dry fit stage. I've completeley glued and done some low pressure testing. I've got a few issues to resolve, but nothing major.

Josh, I'll see you at your presentation. I promise not to aim for your junks.

- L

A busy Shmoo is a good Shmoo

2008-01-14T01:51:27Z

It just goes to show not to give up hope. I heard back Saturday that I'm currently on deck as an alternate speaker. That means if someone bails last minute, or if someone has to back out, there is a good possibility that I'll be speaking.

Some is better than none, so I'll take it.

See you at Shmoocon!

I'm not really dead...

2008-01-11T14:33:05Z

Lots of life changes...busy, you know the deal.

In any case, I submitted a proposal for the 2008 Shmoocon CFP, and we were supposed to hear back by January 10th, 2008. I haven't heard yet, and it is the 11th, so, I'm thinking I'm out. Certainly, I know the shmoos are busy and may be running a bit behind, so I'll still hold out a little hope.

Regardless of my speaking status, I'll be in attendance, and at the Podcasters Meetup

See you there!

Security Training - I'm teaching SANS Stay Sharp Courses!

2007-06-18T23:49:24Z

I would like to announce some upcoming course that we are teaching through the SANS Institute:

Stay Sharp: Defeating Rogue Access Points North Kingstown, RI Wednesday, July 25, 2007, 8:30 AM - 11:30 AM
Stay Sharp: Google Hacking and Defense North Kingstown, RI Wednesday, August 29, 2007, 8:30 AM - 11:30 AM

While you are at it, go check out Paul's course in Las Vegas:

SEC535 Embedded Device Hacking, SANS NS 2007, Las Vegas, Friday, September 28, 2007 : 9am - 5pm (Includes a WRT54GL Wireless Router!), Instructor: Paul Asadoorian

You can register for SANS training via our click-through at http:/pauldotcom.com/sans/

Hope to see you there!

I bet you thought I was dead...

2007-06-18T23:45:14Z

Nope.

Just busy.

I'm baaaaack!

Shameless Self Promotion

2006-12-05T02:04:48Z

Today when I came home, I had a nice little package on my front doorstep from Syngress.

Upon opening the package, I discovered copies of the book that I helped to write/revise: Wireshark & Ethereal Network Protocol Analyzer Toolkit! I knew it had gone to the printer, but WOW that was fast.

My assignment was Chapter 4 - Using Wireshark. If I must say so myself, I think my chapter, and the whole book came out excellent. If you want an awesome book on Wireshark/Ethereal, this book is for you. I must say that I'm honored to work with all of the people involved, as there are certainly some very brilliant minds contributing. I must say that I'm incredibly impressed with the chapter on wireless written by Joshua Wright.

So, if you are in the market for some good, technical holiday reading go buy yourself one from the Syngress website, and help support some nerd who got published for the first time!

"Modified" security professional

2006-11-28T01:41:23Z

First off, I apologize for the lack of posts. I think that maybe I'll have a bunch of stuff caught up that will allow me to post more.

So, back to the title.

For those of you that have either met me, seen pictures, or listen to the podcast that I co-host, you've probably figure out that I'm what you might call a "modified professional". I'm tattooed (quite heavily, and visibly) and pierced (again, visibly, but only mildly in my opinion). I'm technically adept, and in management. Yes, it is possible to be a freak, and be good at what you do, and be a manager somewhere other than a tattoo studio or Hot Topic.

So, my latest modification might be the coolest, and most technical. I spent Saturday morning at the PaulDotCom Security Weekly studios getting "tagged". My left hand web between the thumb and pointer finger now contains a uniquely numbered RFID tag. We did film the procedure, and will be releasing it as an episode of PaulDotCom Security Weekly TV in the near future.

So far, the implant seems to be healing much better than I have anticipated. Now, I do know how to take care of these type of things from a health perspective, and we did practice some very good sterile procedure for the process - I've seen it done enough times to know how to do it right. So far, no ill effects.

I've got some good plans on how to use the tag - from the good perspective, and from the evil. I'm looking at this from a security professional's perspective - I want to show the good and the bad, and how we can improve both.

So far I've got a few projects planned. The first one, was to get me to be able to log in to my PC only using my tag for credentials. I'm already seeing some issues with the process, and I'll be sure to document my experiences. Stay tuned to this space.

Please, if you have any good ideas for projects, please let me know. I'm also looking for a reasonably priced self contained (and programmable, say for authentication) RFID reader for 125kHz tags.

- Larry

Oracle - Sh!t List

2006-10-19T01:44:59Z

Yet another reason that Oracle remains on my shit list:

Oracle has just released 101 patches. Yes, I said one hundred and one. Now I understand that they only release patches once a quarter, which in my mind only compounds this problem. Even at a monthly rate (like Microsoft), that pushing 30+ patches a month.

What DBA can evaluate 101 patches a quarter (or 30 in a month)? That is a huge amount of data to evaluate, test appropriately , and then deploy of hours. You do evaluate and test your patches before you put them in your production environment, right?

Now, I don't want to bash Oracle for releasing too many patches (although, woah, 101?), because I believe if you have a vulnerability (and can patch it) you should release the patch. However, how well written is Oracle it they have to release 101 patches at a whack?

The short of it: Oracle's patching strategy is a mess. I feel sorry for any Oracle DBA right about now.

IMsafer - a good privacy/security trade off?

2006-10-12T21:08:17Z

Dancho Danchev had an interesting post about an IM monitoring tool for parents/kids.

Now, I don't have kids yet, there is no reason for me to think about how I'd handle these things with my kids. I guess I'm some kind of weirdo to think about how I'll communicate with my kids in 10 years about internet predators.

In any case, the IMsafer seems to strike a balance that I would consider something reasonable for a parent and a child (assuming of course that it works). Apparently IMsafer monitors the IM conversations and only alerts the parents about parts of a conversation that might be suspect. That would be something that I'd be happy with as a parent. It would also allow the children to have private conversations about other topics without the parental knowledge, and that would work for me as a parent too.

I'm all about not pandering to children, and I believe that they should be treated like small adults. To those ends I think IMsafer works for me in those manners. Of course, healthy two way discussions with the offspring about internet predators and such is also a good course of action.

I'd live to hear more technical bits on the product. I'd especially like to know how many perverts that it took for the company and law enforcement to compile the metrics that it took to determine “you’re a good girl” is indicative of the building of a sub/dom relationship.

Subliminal message: Buy Viagra

2006-09-15T16:01:54Z

I hate SPAM. Well, actually, I do enjoy the Hormel potted meat product from time to time, but I hate unsolicited e-mails.

The folks over at PandaLabs have found that spammers are now beginning to include subliminal messages in the spam messages. The research is indicating that spammers are placing "BUY" in the messages for 10 to 40 milliseconds. Possibly with some sort of animated .gif? Hmmm....

It is good to see that spammers are learning from history, and are using some methods that have been shown to work (if they didn't why to advertisers still use them - look closely in those ice cubes in advertisements).

We should use those techniques for good! In the setup CDs for wireless routers, put subliminal messages such as "USE WPA2", and set corporate desktop background images to cycle "CHANGE PASSWORD", "STOP PLAYING GAMES" and "WATCH PORN AT HOME, NOT AT WORK". I could think of a thousand different messages that would make my job easer...

- L

New spam technique uses subliminal messages to manipulate users

Delivering Judicious Karma with Ubuntu 6.06 LTS and Madwifi-old

2006-09-08T16:43:14Z

or How I Stopped Worrying and Learned to Hate linux-modules-restricted.

I did cross post this a few days ago over at PaulDotCom, but I did want to preserve it for posterity here. This is also a great test of my migration to my Mac, so that I can now do this from anywhere. Expect more from me now!

Paul and I spent some time a few weeks back trying to get Karma working on my new Ubuntu 6.06 LTS installation. Needless to say we ran into a few problems with the MadWifi-old kernel modules.

For those not in the know, Karma is a great piece of software for demonstrating how insecure open wireless networks are, as well as illustrating problems that can be had by auto probing for insecure wireless networks. Karma uses a patch for the Madwifi-old drivers to answer for ANY open SSID request, and can perform a number of actions - DNS, DHCP as well as HTTP content redirection. The usefulness of such a tool is quite apparent, especially when delivering a demo to those management-types who like pretty pictures. We'll be releasing a video segment of PaulDotCom security Weekly of Karma in the next few weeks.

Paul and I spent a few hours trying to figure out why my installation didn't work, and I proceeded to spend several weeks scouring the internet looking for help to little avail.

I was able to put some of my research to good use, and certainly provided me the right direction. After all of this research I figured that I was not the only one in this predicament. As a result I've documented the steps that I have completed to make Karma work for me under Ubuntu with Madwifi-old. I'd like to release said documentation, so that you can learn from my experiences:

http://www.pauldotcom.com/KarmaUbuntu.pdf

I would certainly consider this a living document. Please, any and all comments and suggestions are greatly appreciated and should be directed to larry@pauldotcom.com

Enjoy, and may Karma be good to you!

- Larry

Long time no post.

2006-08-30T20:04:11Z

I know. I miss it.

I've unfortunately been very busy, and on vacation over the last few weeks, not to mention that my wife and I are dealing with some very trying medical issues. That being said, I'm making some changes that will allow me to be more active in posting here and at PaulDotCom as well, however those changes will take me a little bit more time to accomplish. My problem is I take on too many projects, and then get projects handed to me on top of that - both personal and work related. Heck, my lawn hasn't even been mowed since BEFORE I went to BlackHat/Defcon.

So, that is my excuse.

I promise more good stuff coming. In fact, I'm going to be writing up my experiences with installing and using madwifi-old, Karma and airpwn under Ubuntu 6.06 LTS, just as soon as I manage to get it working.

Thanks for sticking with me.

- L

Bluecasing from T.W.A.T.

2006-07-13T15:10:37Z

The guys over at T.W.A.T. put together a great episode on bluecasing. We've mentioned it in the past, and I wish we could have done this, but there are only so many hours in the day. Please it you are interested in the Bluetooth hacking, go check out Episode 124. They did a great job, and I'm all about supporting the others in teh community who know their stuff.

- L

T.W.A.T Episode 124: Bluecasing

If it is "Worth Millions", Back It Up!

2006-07-12T20:32:56Z

Well, this guys is just a moron. He saves his "multi-million dollar screenplays" to his desktop. The DSL tech comes over and does the install, and decides to help out by cleaning up the desktop, and deletes said screenplays.

Backup, what's that?

Now, I agree the DSL guy is in the wrong. I'm also as guilty as the next guy about backing stuff up. However, I make damned sure I make multiple copies of my really important stuff. I maen, it really isn't that hard, or expensive - I just picked up three 500gig drives (yes, 1.5 terabytes) and external enclosures for under $500 USD.

Given the alleged value of the material, isn't a few bucks for a backup copy a good investment. Just think, today it was the DSL guy, but tomorrow or the day after it could be hardware failure, electrical surge, fire, intercontinental ballistic misslles. Isn't a few bucks that worth your piece of mind, and your livelyhood?

- L

If You Have Something Worth Millions, Shouldn't You Back It Up?