Thursday, February 28, 2008

Goolag

Corey Nachreiner, over at WatchGuard, posted that the cDc has created Goolag as an aid to Google hacking (the term of using Google to find vulnerable devices or programs). Corey's declaration is a bit off of the mark in that Goolag is actually only a custom interface to search the cDc kruft space. In other words, you get to search all of the web for stuff that's related to (or at least mentionds) the cDc, not the all of Google's "discoveries", as evidenced by the following to screenshots.



Either one of those searches should have turned up hundreds, if not thousands of references to web cams. You can reproduce this "research" by going to Goolag and typing in "view" or "web cam" and then comparing it with a similar search via the normal Google interface (actually, Google will most likely block your search as an attempt at Google hacking, but it will report millions of hits).

Monday, February 25, 2008

VoIP Bandwidth Tester

Not that it's all that accurate but DSL Reports has a Voip Bandwidth Tester on their tools page. Interesting in any case (says I can support 18 simultaneous calls).

Sunday, February 24, 2008

MPD on the NSLU2

I can't vouch for it operating properly as I have no idea how to configure it to stream to Icecast but MPD did compile on the NSLU2. Notes here. Anyone have a working mpd.conf which allows streaming to Icecast without an audio interface?

Update: Running Icecast and MPD on the same NSLU2 may not be the best idea, at least if you're going to use the stock config files. I'm seeing almost 100% load on the box and the output to another system is quite bursty (about 3 seconds of silence for every 3 seconds of music). It's probably a good idea to put the utils on different systems (2 NSLU2s or a NSLU2 and a full-size computer?)(works nicely if I use my Asterisk service as a source). As I've built this for someone else, I don't have the resources (okay, or motivation) to tweak these.

For anyone that cares to, I will offer an account on the wiki if you'll post your tweaks.

Saturday, February 23, 2008

Icecast on the NSLU2

I've been wanting a better version of Icecast on the NSLU2 (other than the one that runs on OpenWRT) and have been meaning to build it. Various people have expressed interest, the latest of which was Brian M.

In short, I spent roughly four hours this morning installing various code on the NSLU2 and now have a working (I think) version of Icecast. Notes here.

If you're going to attempt the same build, it's probably a good idea to devote a Saturday to it cause it's not a simple process.

Now build MPD and write the start up scripts. I'll keep you posted.

Wednesday, February 20, 2008

Source Fource

Various thoughts on the Source Fource:
  • Can't we just buy a Happy Meal instead?
  • Just how old are those guys in the marketing department anyways?
  • How long before they receive an trademark infringement letter from Source Forge? (Do they think people have forgotten Mike Rowe Soft already?)
  • Why is it that four of the figures on the web page appear to be actual pictures while the other three are cheesy hand drawings (including the ones for Vista and Office)? Were there delays in production?
(heh) Couldn't resist.

Leverage

From the Obvious-but-not-stated-dept.: ... and thus, your entire infrastructure must be Cisco.

Tuesday, February 19, 2008

Zfone

I've added notes for installing ZFone in the wiki. The install is very basic, though I did have to chase down a library that I didn't have. Sparks and I will be testing this (hopefully) on Saturday. Let me know if anyone else wants to play.

Monday, February 18, 2008

Shmoocon 2008 - Day 3

A quick day (I was dog-tired). Attended:
  • When Lawyers Attack! Dealing with the New Rules of Electronic Discovery (Benson)
  • The Geek and the Gumshoe or Can Mathematics Solve Crimes? (Schearer, Thornton)
  • PEAP: Pwned Extensible Authentication Protocol (Wright, Antoniewicz)
All three were worth seing, the first two were more entertaining that the last. All ran out of time (maybe we could get longer sessions on Sunday?).

I left early 'cause I started feeling under the weather, nauseous on top of being tired, so I bought copies of various talks and got out of there. Good timing, too. By the time that I got back to Virginia Beach, I was down to nausea, shakes, and sweats. Haven't felt that bad since the last bout of food poisoning. Mebbe it's the flu? (No, I didn't do any of _that_ at Shmoocon. I was good.) I'm feeling somewhat better today but am definitely considering staying in bed.

Finally met CyberEagle at the SploitCast table. I'm bigger than he thought, he's younger than I thought. (Walc: I'll keep an eye out for more give-away stuff for next year.) Ran into Bob from work (shouts!). Talked with the Army cadet again.

No major surprises this year. Cisco took a beating though, with various people poking holes in VoIP implementations, network equipment, and various of their proprietary protocols.

All in all, another good conference from Shmoocon. Looking forward to seeing what 757 and the Sploitcast groups come up with for next year (this year was a bit weak in the Arcade).

Sunday, February 17, 2008

Shmoocon 2008 - Day 2

A pretty interesting day. Attended:
  • Active 802.11 Fingerprinting: Gibberish and "Secret Handshakes" to Know Your AP (Sergey Bratus, Cory Cornelius, and Daniel Peebles)
  • SIPing Your Network (Radu State, Humberto Abdelnur, and Oliver Festor)
  • Passive Host Characterization (Matt Wollenweber)
  • VoIP Penetration Testing: Lessons Learned (John Kindervag, John Ostrom)
  • Advanced Protocol Fuzzing - What We Learned When Bringing Layer2 Logic to "SPIKE Land" (Enno Rey, Daniel Mende)
The 802.11 fingerprinting talk was based around the idea that devices can be indentified by looking at the responses to requestes with various header flags turned on, in a manner similar to how NMap does OS identification by messing with the IP and TCP header flags. The tool they were working on is called Baffle. It's not available yet but we should probably keep any eye on this one as there is still a lot of interesting work to be done on/with it. Larry Pesce managed to squeeze in a talk on Access Points For Pentesting, during the same hour.

The SIP talk could have been better. They couldn't get the video for their demo to work so they had to talk about the tool they're working on, KiF (not sure what that stands for), a state fuzzer for VoIP. In some architectures, KiF can "borrow" authentication from other phones to be able to make calls.

The Passive Host Characterization was a bit dry (but still interesting). Matt is a former Trickler programmer for those that know what it is. He's posted a demo for his tool, PHC.

The VoIP Pentesting talk cetnered around some of the common configurations and shortcomings in VoIP architectures. They showed how VoIPHopper can impersonate a phone so that it can access an organization's internal network, often through the firewall (based on assumptions made during rollout of the infrastructure).

The Advanced Protocol Fuzzing talk wasn't what I thought it was going to be (Layer 2 discussions usually mean wireless) but it was interesting regardless. The group is basically working on reverse engineering and testing various Layer 2 management protocols, such as Cisco's WLCCP, using a tool called Sulley.

Here's a short view of the news/gossip from day 2:

  • Ethan's walking without a cane! (For those that don't know him, he's taken a lot of ribbing for managing to generate a compound break in his leg via a Segway.)
  • Rob and I got to talk with Dave Aitel and, later, with an Army Academy student (Dude, take one of our first three choices for intership! You'll get more out of it and you'll get to meet/know "interesting" people.)
  • Southern Vriginia is well represented at the conference this year, having 757 (HRGeeks), Sploitcast, and Hak5 present. I managed to donate a couple items for one of Walcy's giveaways.
  • Shouts to Squidly1! Who knew your offer would generate sales at the local Best Buy? (heh)
  • I think hotel management finally found a couple groups that didn't "mix" badly with the Shmoocon attendees. There were actually two smaller conferences: one for "business resource managers" (salesmen) and one for Anime fans. No one really wanted to mess with the guys wearing tuxedos (they also kept to themselves) and the Anime fans were considered a bit weird by most of the geeks (though a 19-year old girl in a Sailor Moon outfit can be quite distracting). But seriously, they were wearing their costumes into the same restaurants that we were in and were making our freaks/rebels (you know, body piercings, tatoos, etc.) look normal. Most of the anime attendess just wore bunny or cat ears but some had full blown costumes which somehow were a mix of faux ancient Japanese, faux American Indian, and New York City hooker. (heh)

In any case, day 2 was fun. Got to catch up with a lot of friends that I hadn't seen since last year. I triend to hang around and particpate in the Sploitcast podcast recording but I was too tired and too hungry to stick around (my hotel is in Bethesda, MD).

Saturday, February 16, 2008

Shmoocon 2008 - Day 1

Day 1 of Shmoocon 2008 went pretty well. Got stuck in downtown DC traffic for hours but Karma balanced out by me ending up in the penthouse suite at my hotel. I attended:
  • Intercepting Mobile Phone/GSM Traffic (H1kari)
  • Forensic Image Analysis for Password Recovery (David Smith)
  • Baked not Fired: Performing an Unauthorized Phishing Awareness Exercise (Syn Phishus)
  • Web Portals: Gateway to Information or a Hole in our Perimeter Defenses (Deral Heiland))
  • Hacking the Samuri Spirit (Isaac Mathis)
.We blew off "New Countermeasures to the Bump Key Attack" and the keynote because we were just too hungry and tired.

"Intercepting Mobile Phone/GSM Traffic" was interesting though I got the impression that H1kari had dumbed it down to make it more interesting to a wider group. It was interesting in any case.

I felt the audience was a bit unfair at the end of David Smith's talk on password recovery. He had stated up front that it was a work-in-progress and that he was looking for other ideas. Basically his works comprises building attack dictionaries by extracting strings from memory space, passing them through qualifying filters (must be a certain length, must be from a certain (type-able) character set, etc.), and using the resulting dictionary in a much smaller brute force attack. (Rob! Something to include in the forensics class?)

Deral Heiland's talk on web portals had similar audience issues as it too was a work in progress. I guess we're an unforgiving bunch. It did remind us to pay attention to details when evaluating web services.

Isaac Mathis's talk well done (funny). It reminded me a bit of Johnny Long's talks on just about any subject. With a bit more practice, I think Isaac might just reach the same quality.

Overall, the conference is off to a good start (I wonder if there were any shenanigans last night). No suprises so far, security-wise. I ran into a few friends that I hadn't seen in awhile. Noticed that others were missing (maybe Saturday?).

Thursday, February 14, 2008

Shmoo!

There may be no blogging for the next few days. I'll be at Shmoocon and will be attempting to travel extremely light (i.e., I'll only have my N800 and my Razor on me). Then again, depending on how nimble my thumbs feel, I may be up to a few rounds of thumb typing into vi.

Tuesday, February 12, 2008

Shrinkage

...and so it starts. I've just deleted ten or so subscriptions from my blogline feeds. As it's only February, it's not a good sign that I'm already deleting subscriptions because of various blogs' "content drift", specifically that of the usual rabid anti-other-party election-year politics.

To paraphrase the television commercial: Sorry guys, I'm afraid I'm going to have to block you.

Note to self: start - 12 Feb - 392 subscriptions (now 383).

Monday, February 11, 2008

Shmoocon this week!

Okay, the number of days before the con is less than the fingers on one hand so I guess I should start packing. Problem is, I just finished unpacking from a last-minute trip to San Diego (I'm not gaining any spouse points here). I think I'm wearing my laptop out via the constant rebuilding, setting it up for a business environment (i.e., installing Windows), then setting it up for a known-hostile environment (i.e., a stripped down version of Linux), then rebuilding it post-conference (I like you hacker con guys, I just don't trust you as a whole).

In any case, I'm looking forward to going. The 757 bunch will be there in force (someone said 30 of us!!?), counting those that have moved away but have remained in contact. Was there anyone that was forced to take the goon route this year?

Sunday, February 10, 2008

Xact and Yealink

I tried out the YeaPhone software, running on SlugOS/BE v4.8 on an NSLU2, to connect to a XACT XVP620 phone. Because the repository already had linphonec and yealink available, I avoided having to build them from scratch (I'm stating this as it may be a source of the following problem). Following the configuration guide on the YeaPhone site, I was able to cause linphonec to initiate calls and use the handset (hear/speak). However, there was a lot of annoying clicking in the call and the calls tended to fail after a couple minutes.

Below is a capture from dmesg on the NSLU2.

input: Yealink usb-p1k as /class/input/input1
usbcore: registered new interface driver yealink
drivers/usb/input/yealink.c: Yealink phone driver:yld-20051230
usbcore: registered new interface driver snd-usb-audio
drivers/usb/input/yealink.c: urb_irq_callback - urb status -2
drivers/usb/input/yealink.c: urb_ctl_callback - usb_submit_urb failed -1
drivers/usb/input/yealink.c: urb_ctl_callback - urb status -2
drivers/usb/input/yealink.c: urb_irq_callback - urb status -2
drivers/usb/input/yealink.c: urb_ctl_callback - usb_submit_urb failed -1
drivers/usb/input/yealink.c: urb_irq_callback - urb status -2
drivers/usb/input/yealink.c: urb_ctl_callback - usb_submit_urb failed -1
drivers/usb/input/yealink.c: urb_ctl_callback - urb status -2
drivers/usb/input/yealink.c: urb_irq_callback - urb status -2
drivers/usb/input/yealink.c: unexpected response 11
drivers/usb/input/yealink.c: urb_irq_callback - urb status -2
drivers/usb/input/yealink.c: unexpected response 2
drivers/usb/input/yealink.c: unexpected response 4
drivers/usb/input/yealink.c: urb_irq_callback - usb_submit_urb failed -22

Port forwarding and SIP

The overly cautious amongst us will refrain from port forwarding massive numbers of inbound ports, regardless of a stated need and especially if the box the ports are being forwarded to is not a single-purpose system. Port forwarding is a bad idea if more than two geek-level users live behind a single NAT box. The situation is much worse if the two are married. Where one wants his Asterisk server to run, the other wants to be able to listen to her radio stations or watch streaming videos. Port forwarding will allow the Asterisk box to accept inbound SIP calls but it also breaks the streaming media to the other system.

Ignoring SIP proxies and external routing of calls, the immediate compromise is often forwarding a smaller number of ports and this can cause other issues if you're not careful about your server configuration.

Hint: if you only forward UDP ports 10000 through 10100, make sure to edit /etc/asterisk/rtp.conf so that "rtpstart" and "rtpend" have the same values. Otherwise, you'll often end up not being able to hear any incoming audio on SIP calls.

Friday, February 8, 2008

Firefly marathon

Heads up! The SciFi Channel is running a Firefly marathon starting at 8:00 EST on Monday, Feb. 18th.

Monday, February 4, 2008

With apologies...

To Mr. C. form WTKR: I hereby apologize for being clueless myself and causing insult. However, what you plan to do is a bad idea in that it is a legal "gray" area in that it gives the impression that you've actually accessed the homeowner's network. It's why both Rob and I were uncomfortable each time it was mentioned. (Based on our training, it's considered unethical and can lead to a number of legal issues.)

A much better approach would be to ask Rob to set up a demonstration network to show what can be done (e.g., mirroring a user's web surfing, intercepting a VoIP call, etc.). The main point is that all parties must agree to the monitoring/interception. Otherwise, it's very likely to be illegal.

Saturday, February 2, 2008

WTKR

Hey, one of my body parts is going to be on TV! Nah, it's not what you think. Rob and I did a little bit of wardriving for a local television news station. Being non-photo/audio-genic, I managed to stay off-mike/out of the lens for most of the interview. My right hand does show up in some of the filler shots so if you see a hand with a fresh scratch across the back (thanks to Rob's vicious Rotweiller), that's me! It was fun to do. The reporter was mostly clueless (he ends up wearing a wifi t-shirt) but the camera guy understood the jargon.

Friday, February 1, 2008

11 Deceptive Truths We Think We Agree To

Okay, I'm really annoyed by Rich Mogul's "11 Truths We Hate To Admit". Basically, it's a list of trolls that have popped up in the last few years. I'm surprised he didn't add "the IDS is dead" or "the firewall is dead". Following is my responses to his "truths":

"1. Signature based desktop antivirus is an addiction, not effective security." This is one of the more offensive trolls. It's right up there with "the IDS is dead" and "the firewall is dead". Statements like this make sweeping assumptions about what you're trying to protect and what tools you're using to protect those assets. Sadly, signature-based anti-virus actually has the best ROI.

"2. The bad guys beat us because they're agnostic and we're religious. Complete and utter BS. The bad guys are in the lead because they're doing the majority of the research. It's a bad analogy to start because if the good guys were to ever "win", every bad guy would be either dead or in jail. Mebbe it's better to call it the "game of life"?

"3. Antitrust concerns force Microsoft to weaken security." Hahahahahahahahahahahahahahahahahahahahahahahahahaha...!!! Yeah, keep believing that Microsoft would give something away for free if they hadn't been sued in the past. Troll!!

"4. Vendors are like politicians - they lie to use because we ask them to." Wow. Uh, can I sell you something? Troll!

"5. We're terrible at talking to, or understanding, those that fund us." Uh, speak for yourself. Obviously, a good chunk of us understand "business-eese". Otherwise, the "industry" would have died of atrophy years ago.

"6. Security researchers need to grow up." Obviously Mr. Mogull has never seen someone else's name tacked onto his work, had his work denigrated in mainstream press, or was ever under attack from an organization that refused to believe that their product was ever anything other than perfectly secure. Troll!

"7. Security companies make more money when there are more incidents." True somewhat. However, Mr. Mogull seems to have missed the mark by claiming that the fastest way to grow a security market is to have a product ready when a massive exploit hits. It's a fallacy. The actual fastest way is to have a good marketing plan ready for when the next big exploit hits. You can go a lot further with a superb marketing plan and a crappy product than you can with a superb product and a crappy marketing plan. The day the day-stopping painful exploit occurs is when the lawyers make the most money. Followed by vendors as companies abandon certain products for others, followed by insurance companies as companies attempt to transfer the risk (look it up in your CISSP books) of future exploits. The security companies are somwhere after that.

"8. Network security is the result of a mistake, not an industry worth perpetuating." Either a troll or a cry for help. Network security is a need arising out of the fact that your company has a competitor. Ideally, life would be serene and no one would feel the need to steal your secrets. In the real world, someone sees some sort of profit (financial, emotional, relational) in breaking into your systems and changing something. Mr. Mogull's argument only holds water if you believe that somewhere out there, utopie exists.

"9. Disclosure is dead." WTF?!! Given their druthers, companies don't disclose sh#t. This is a massive troll that suffers from the wide-ranging, yet slowly moving pendulum of "accepted practice". Hint: a number of recent laws now require "disclosure" yet there's been a number of law suits which have forced limited disclosure of vulnerabilities and exploits.

"10. Momentum will destroy us, until it doesn't." Uh, huh? Innovation is a marketing practice. Operationalization is a marketing term (okay, vague rationalization for an irrational decision). The entire paragraph is basically a gripe that neither our employers nor the bad guys have remained static. Whiney troll!

"11. We can't fail." Mebbe as a whole. However, individual security companies fail often. They sometimes "take their customers with them". Just as the bad guys will never "win the war" (face it, it isn't a "war" where people die from every port scan), neither will the good guys. A much better analogy is to view it as a competion, where your goal is to "keep up".