Old scene is getting new blood

So, I have been attending the local 2600 meetings in an effort to meet new people and get a feel for the local community. There are actually some really good security people out here. They are doing great research and are just cool people.

I have also organized a meet and drink after the 2600 meeting at the Foundry nightclub. Last week we had 6 people show up and just hang out. We all broke out the laptops and spent alot of time just snooping for local wireless connections and sharing stories.

The talk also turned to starting a packet wars club in the Dayton area. Everyone is really interested in setting up a packet wars competition and putting our skills to the test. Angus, our fearless leader has stated that he would be very interested in starting the packet wars, but he wants to look into getting sponsors for our events. I say, let's get started and then get the money after the fact.

I have also found my hacker name. It seams that all cool hackers have some sort of name like pixel or sokket or something cool. I wanted my hacker name to kinda sum up who I was as a person. So, from this point forward, I will be know as "xs" in the hacker community. Simple and sweet. Why xs? Because it seems like everything I do is done to excess. Thus the name "xs".

Later

A long time ago... I posted on this site

OK... I got a little lazy. :)

I had a little bit of work pile up around the office and I had to focus on my duty, but I am back.

I want to let the world know that I have several upcoming articles that I will be posting. One is on developing a risk assessment solution that not only evaluates technical risk, but it also reviews operational risk.

Next, I will be updating everyone on what it takes to sniff traffic from a Cisco switch. This will include, at a high level, what you need to look for as a security professional to prevent this from happening. Very leet paper!

Then, I am going to give a brief overview on UNIX shell scripting and how they can help you during an audit of your systems. I will be including several examples of scripts that I have wrote and use on systems I review.

I have also been reading like a geek in heat and I have several books that I will be recommending to new ubergeeks out there that want to learn more about hacking, but were afraid to ask.

So, stay tuned because these articles will be online over the next few days.

madnos

Dark side of the force very weak in Dayton

OK. First let me say that the art of Hacking (and I believe it is truly an art form) interests me. I read as many online and print publications on the subject that I can get my hands on. The Ed Skoudis book "Counter Hack" is an excellent resource for someone who wants to learn how to attack a network.

With that being said I also believe that there is a time and a place for this to be done. I recently went to the Dayton 2600 meeting. 2600 is a printed publication that deals with hacking, phone phreaking, lock picking and just about any other topic under the sun. It can be purchased at Barnes and Nobles for around $5 dollars. There are local chapters of 2600 groups in almost every major city in the US. They meet once a month and "discuss" hacker issues (mostly they just drink beer, and geek out).

The meeting place in Dayton is the Marion's pizza by the Dayton Mall. When I arrived, I found very few people where there. When the group did arrive, I found that I was surrounded by teenage kids and a few middle age misfits (including myself). There was no formal topics discussed and talks ranged from new game systems, to digital cable boxes. The one thing I found is that the group was very disorganized and lacked leadership.

This is actually a good thing for the Dayton community. I mean, hear we have the core of the Dayton hacking underground and most of them have no real direction in life. If they had someone to step in and take control and provide direction and order, this group could do great things. By that I mean that they could help each other by sharing there knowledge, teaching each other vital skills that will be needed in the work force and also providing a social outlet for these people.

You can also turn the tables and say that if someone stepped in and turned them out against companies in the area, infosec people could be in trouble. Fortunately for local companies, these people lacked real direction and motivation to even try to hack into companies. It also appears that, in the event that they did attack someone, they would go after the "low hanging fruit" (i.e. unsecured wireless networks).

I brought up my training ground idea and did get positive feedback from the group. But, again the lack of leadership and motivation stiffled this group. Also, there was talk of setting up Daycon and having 2 or 3 days of hacking competitions like capture the flag, wireless hacking and infosec presentations. The idea needs someone to run with it and turn it into a reality. Stay tuned for more info on Daycon.

So, to rate this group I would rate them a 5 out of 10. This was a first impression and I will go to a few more meetings to gather more data on this group. I will post all my findings here, so stay tuned.

Dagobah training grounds

I have been building a lab in my basement that I want to use to test my hacking skills. I recently setup a Windows NT 4.0 server. This baby is a PDC and will be running DHCP, DNS and any other services that I feel most people turn on by default. I also have a Redhat Linux web server, a Redhat laptop, a Knoppix 3.3 station that will be attacker #1, a Windows 98 client. I plan on deploying a Windows 2000 server and a Citrix metaframe box, a Solaris SPARC 5 workstation that will run Solaris 9 and a wireless AP (vendor unknown but something cheap).

Hacking is not a sin people. However, hacking into a company that does not authorize you to do so is a crime! If you do not have permission to hack, then DON'T DO IT! This is where most hackers go wrong and end up in jail. Even gathering data through an open wireless connection is an illegal wiretap and can get you thrown in jail.

If you want to learn how to hack, buy some cheap @ss hardware and setup a lab. Most of the gear I am using is old P2 systems with 64 megs of ram. These machines are going very cheap on EBay. If you are local, TJC computers usually carries cheap systems that are low cost. They also have SPARC gear if you are interested in Unix.

So, please go out there and hack your lab. Blow it up till Windows spews forth many blue screens of death. Ignite the flames of your imagination and write many papers on your findings and share them with the infosec community. But be warned, blackhat hacking is like the Dark side of the force. Once you go down this road, there is no going back, and the Jedi council WILL find you.

May the force be with you.

Wri-Ti woann

Try this site out to build your Jedi name.

http://www.wilcoxusa.net/saber/swname.htm

Bruised, broke and def from Blackhat and Defcon

Hello fellow geeks,

Well, I made it back from Las Vegas and I have to say that I had a GREAT time. Black Hat 2004 and Defcon are worth the time and travel headaches.

I got to meet some pretty cool people. I meet Kevin Rose from TechTV on day 1 @ Defcon and got my picture taken with him. He was kinda cool in a dorky way.

8 days in Las Vegas was way to much. By day 5, I was already sick of the noise and broke as hell. Food was not as cheap as I thought it would be. The Hilton had a great buffet and the Star Trek experience was just COOL! I am happy to be back in Ohio... so I can geek out with my friends.

There where so many great presentations at both conferences that I have decided to add a few here for your viewing pleasure. Please feel free to download these papers and review them (just right click and save the file locally before viewing).

These papers are from my favorite presentations at Blackhat. I will be adding the Defcon papers very soon, so check back for more great hacking and security tips.

Later.

m@dn05

Download "You found that on Google"

Download "The Google Hackers Guide"

Download "Blind SQL injection automation techniques"

Download "Testing IKE implementations"

Download "Spam tracking and covert channels"

Download "The laws of vulnerabilities"

Backdoor man says "Have trojan will travel!"

A favorite way to compromise computer networks among less skilled hackers today is the use of trojan horse programs.

Trojan horse applications get there name from the ancient Greek siege of Troy. The Greeks tried for many years to get inside the walled city with little success. Finally the Greeks decided to use one more trick to capture Troy. They built the trojan horse. The Greeks would hide a hand full of men inside the horse, who would then open the city gates To the Trojans, the horse appeared to be an offering to the gods for forgiveness. The Trojans brought the horse inside of city of Troy as a war trophy and began to celebrate their great victory over Greece.

When night fell on Troy, the wooden horse opened up and Greek soldiers that had hidden inside of the horse opened the main gate and the waiting Greek army burned the city Troy to the ground.

So, the same is true with trojan horse programs. The trojan is designed to appear innocent in nature such as a picture, email, webpage etc. Trojans can be enbedded in almost anything that we find on networks or the internet today.

When a hacker gets a trojan on your machine, they can monitor almost anything you can think of. They can log everything you type on your keyboard, they can install apps remotely and view documents, log into servers or mainframes on your network and surf the web. Really anything you can do on your computer, the hacker can also do. Kinda scarey if you think about it. This one application can allow the hacker to bypass all of the wonderful perimiter defense systems that companies spend so much money on today (firewalls, proxy servers and IDS/IPS systems).

So, in this article we discover that the would be hacker is not the only one who can get access to your system. It appears that one of the top trojans used today (Backdoor.OptixPro.12) has a backdoor password that was built into it by the programmer (Sleaze). This would allow Sleaze to also log into your machine and use it for what ever reason he see's fit. The funny thing is that not even the original hacker who compromised the victim system would know about the system access. I doubt this will slow down the hacker underground from using this application, but to quote Rickie Ricardo from I love Lucy "Sleaze...You got some exlaining to do!"

The author of a free Trojan horse program favored by amateur computer intruders found himself with some explaining to do to the underground last month, after his users discovered he'd slipped a secret backdoor password into his popular malware, potentially allowing him to re-hack compromised hosts.

The program in question is Optix Pro (Backdoor.OptixPro.12), a full-featured backdoor that allows an intruder to easily control a compromised Windows machine remotely, from accessing or changing files, to capturing a user's keystrokes or spying on a victim through their webcam. Though some features could make Optix Pro usable as a legitimate remote management tool, others are clearly tailored to the underground, including a function that disables a machine's anti-virus and firewall software. The program has been downloaded nearly 270,000 times, according to a counter on the distribution site.

Like other species in a genus that includes BO2K, SubSeven, and Beast, the working end of Optix Pro is a server that the hacker must insinuate into a victim's computer, either through subterfuge - by misrepresenting it as an image file or an electronic greeting card - or by uploading it to an already-compromised machine. The hacker sets a password on the Optix Pro server, so that no other would-be intruders have the ability to slip through the open backdoor.

That is, none except for the author, a coder named "Sleaze" (he spells it "s13az3"), who secretly embedded in the program a random-looking 38-character "master password" that was known only to him.

Though the password was encrypted in the binary, at some point suspicious hackers teased the cleartext version from RAM, and it began circulating quietly in the underground, possibly as early as last year. Last month it surfaced on a hacker website, forcing Sleaze into an embarrassing admission. "I have never talked about master passwords before because I thought it best not to do so until one was ever found," Sleaze wrote, in a front page posting to the Optix Pro distribution site. "However, now I feel the time is right to confirm there is [one]."

In his defense, Sleaze noted, "I have never directly denied the existence of a master pass." He added that he never used the backdoor-within-a-backdoor to take over machines properly owned up by his users. He only included it for his own security.

If the FBI ever got too close to Sleaze he had intended to release the secret password to the world, causing Optix Pro to become less popular among intruders and easing the pressure from law enforcement. "That's when a master pass could potentially save a programmer," he wrote.

Merely writing a backdoor program is not illegal under US federal law, but arrests have been made in other countries, most recently Germany and Taiwan.

Rival hackware coder and self-described grey hat hacker "illwill," himself no stranger to security company threat profiles, says untrustworthy code has beset the underground for years: the popular SubSeven backdoor also included a secret password, he said, as does the more obscure Infector. "It's kind of a big deal to the kiddies," he wrote in an IM interview. "The authors see it as a way to control what they create, or let their 'krew' get in on the victims that other people get."

In a disclaimer evocative of advisories from more mainstream software vendors, Sleaze pointed out in his posting that the backdoor password in circulation only works on an older, unsupported versions of the Trojan horse, and that the latest version of Optix Pro uses stronger encryption to protect a different master password. "So make sure you update!," he wrote.

At least one security expert says there's a lesson to be learned from the whole affair. "It obviously says you should always use open-source Trojans," says Mark Loveless, a senior security analyst with Bindview Corporation. "That's the moral. You can't even trust Windows malware."

Rouge wireless AP's

So, when I hear the word "rouge" I always get wood. I mean how cool does that sound "We have detected a rouge AP on our perimeter". Reminds me of a Tom Clancy movie with Jack Ryan chasing the Russian sub skipper.

So, wireless is the new wave for businesses but companies are in such a hurry to deploy it that they rarely harden the AP's. In the end, a company will pay a price for this lack of foresight. Lowes had this problem and if their IT staff had not been proactively monitoring logs, they could have lost 2.5 million dollars in stolen credit card info. All this through an unsecured wireless AP that allowed the hacker to get access to the credit card db.

Enjoy

Wireless LANs will continue to be a major security headache for businesses over the next few years, despite the introduction of improved security standards. Inadequate policies and poor installation, rather than inherent security weaknesses, are the main problem.

The misconfiguration of WLAN access points and client software will account for 70 per cent of successful WLAN attacks in the next two years, according to Gartner. Updated security policies that address the particular demands of the mobile workplace must drive security for WLANs and personal digital assistants (PDAs), the analyst firm advises..

"Whether hackers are able to enter a company's WLAN through an unprotected AP (access point) or through a peer workstation, once they are associated with the network, they will be difficult to detect because they may not be visible in or near the network site," said John Pescatore, Gartner veep. "A clever hacker will play it safe and use the company's resources quietly, and as a result, may never be found."

Businesses must ensure there are no unauthorized (rogue) wireless access points on their network and that APs are configured securely. In dense environments, companies must ensure that their users don't connect to the networks of other companies or vice versa. The least expensive - and least effective - way of doing this is to buy a wireless sniffer handheld and walk the perimeter of the network. The most expensive - and most secure - is to install wireless intrusion detection sensors, according to Gartner

Internet Exploder does it again!

So, here is another reason why you should not use Internet Explorer and Outlook and why these applications suck. These vulnerabilities (I referee to IE and outlook) can help the potential hacker bypass many of the perimeter defenses that businesses spend so much money on.

Just another example why people should start looking at Linux.

Enjoy

Detailed information on a brace of unpatched vulnerabilities in Internet Explorer has been posted onto a dull disclosure mailing list. The flaws involve a cross-zone scripting vuln and a bug in IE's Local Resource Access and pose an "extremely critical" risk to Windows users, according to security firm Secunia. The vulnerabilities affect both Internet Explorer 6 and Outlook.

Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0. Improved security features in the XP SP2 reportedly block exploitation but users would be ill advised to rely on beta code for protection. SP2 doesn't help users of earlier versions of Windows who are also at risk.

The vulnerabilities are actively being exploited in the wild to install adware on users' systems, security researchers warn. Other exploits - include computer viruses - based on the same techniques of tricking users into visiting a maliciously constructed website housing malign script could follow.

Etienne Greeff, director at MIS Corporate Defence Solutions, said: "This is a very sophisticated exploit using encryption and stealth technologies to deliver its payload, using previously unknown vulnerabilities to work."

Windows users should disable Active Scripting support for all but trusted websites until Microsoft releases patches to address the vulnerabilities. The vulnerabilities were publicised by a Dutch 'white hat hacker' called Jelmer, who came across an example of an exploit of the flaws already in circulation last weekend.

Wardriver gets busted, now looking for soap on a rope

In a rare wireless hacking conviction, a Michigan man entered a guilty plea last Friday in federal court in Charlotte, North Carolina for his role in a scheme to steal credit card numbers from the Lowe's chain of home improvement stores by taking advantage of an unsecured Wi-Fi network at a store in suburban Detroit.

Brian Salcedo, 21, faces an a unusually harsh 12 to 15 year prison term under federal sentencing guidelines, based largely on a stipulation that the potential losses in the scheme exceeded $2.5m. But Salcedo has agreed to cooperate with the government in the prosecution of one or more other suspects, making him eligible for a sentence below the guideline range.

One of Salcedo's two codefendants, 20-year-old Adam Botbyl, is scheduled to plead guilty Monday, assistant U.S. attorney Matthew Martins confirmed. Botbyl faces 41 to 51 months in prison, but also has a cooperation deal with the prosecutors, according to court filings. The remaining defendant, 23-year-old Paul Timmins, is scheduled for arraignment on 28 June.

In 2000, as a juvenile, Salcedo was one of the first to be charged under Michigan's state computer crime law, for allegedly hacking a local ISP.

According to statements provided by Timmins and Botbyl following their arrest, as recounted in an FBI affidavit filed in the case, the pair first stumbled across an unsecured wireless network at the Southfield, Michigan Lowe's last spring, while "driving around with laptop computers looking for wireless Internet connections," i.e., wardriving. The two said they did nothing malicious with the network at that time.

It was six months later that Botbyl and his friend Salcedo hatched a plan to use the network to steal credit card numbers from the hardware chain, according to the affidavit.

FBI Stakeout
The hackers used the wireless network to route through Lowe's corporate data center in North Carolina and connect to the local networks at stores in Kansas, North Carolina, Kentucky, South Dakota, Florida, and two stores in California. At two of the stores - in Long Beach, California and Gainseville, Florida - they modified a proprietary piece of software called "tcpcredit" that Lowe's uses to process credit card transactions, building in a virtual wiretap that would store customer's credit card numbers where the hackers could retrieve them later.

At some point, Lowe's network administrators and security personnel detected and began monitoring the intrusions, and called in the FBI. In November, a Bureau surveillance team staked out the Southfield Lowe's parking lot, and spotted a white Grand Prix with suspicious antennas and two young men sitting inside, one of them typing on a laptop from the passenger seat, according to court documents. The car was registered to Botbyl.

After 20 minutes, the pair quit for the night, and the FBI followed them to a Little Ceasar's pizza restaurant, then to a local multiplex. While the hackers took in a film, Lowe's network security team poured over log files and found the bugged program, which had collected only six credit card numbers.

FBI agents initially identified Timmins as Botbyl's as the passenger in the car, apparently mistakenly, and both men were arrested on 10 November. Under questioning, Botbyl and Timmins pointed the finger at Salcedo. Timmins had allegedly provided the two hackers with an 802.11b card, and had knowledge of what his associates were up to.

Botbyl and Timmins, known online as "noweb4u" and "itszer0" respectively, are part of the Michigan 2600 hacker scene - an informal collection of technology aficionados.

The Lowe's Wi-Fi system was installed to allow scanners and telephones to connect to the store's network without the burden of cables, according to the indictment.