Asus EEE PC Samba security updates

I’ve been mouthing off about the much anticipated arrival of my new EEE PC, and when it arrived at work for its glorious unboxing, my wonderful co-workers were ready to own me with a Samba exploit - locked and loaded. Reference: ASUS Eee PC rooted out of the box

That’s what you get when you work in this industry. I had it coming, I suppose. The EEE PC is just too damn cute. How could anybody forcibly overflow its cute tiny little heap! That’s just cold-hearted pwnage.

A series of updates was released for the Asus EEE PC today: the PDF reader, messenger, Firefox, OpenOffice, the Samba daemon of course, and some other tweaks.

Recognize! My EEE PC is patched like a mug now! Leave my lil’ EEE PC alone! :)

-higB


Bold-faced lie in a clash at FCC hearing - port139online.com:139

What is http://port139online.com:139/ ?

  • Port139online.com:139/ IS a website
  • Port139online.com:139/ IS a protocol
  • Port139online.com:139/ IS a service (a service that tells you if your ISP is providing a tampered, filtered, limited, and incomplete service.)

I started port139online.com:139 to annoy the tech support agents at Cox Communications. I subscribed to their business Internet service because the sales rep told me that absolutely NO port filters existed for business customers. I don’t know if the sales rep lied to me on purpose to meet a quota, or if she just didn’t have all the information.

After several phone calls to Cox support, I finally got them to admit which ports they filtered (both inbound and outbound). They offered to reduce my bill by 45 dollars a month, but they would not remove the filters. I’m now a Verizon Business FIOS customer and couldn’t be happier with my pure, unmolested Internet.

Shortly after my Shmoocon presentation, Comcast went before the FCC. An executive vice president for Comcast lied to the FCC commissioner and the rest of the panel, when he said:

“I’m going to say again, on the record in front of this Commission, Comcast does not block any Web site, application, or Web protocol, including peer to peer services. Period. Doesn’t happen.”

Oh really? Well http://port139online.com:139/ IS a website AND an application AND uses a WEB PROTOCOL… and guess what? Comcast IS blocking it.

Read more about it here:

http://arstechnica.com/news.ars/post/20080225-comcast-and-net-neutrality-advocates-clash-at-fcc-hearing.html

And listen to the MP3 here: http://arstechnica.com/news.media/fcchearing25feb08.mp3


Reference: Comcast does block websites, ports, and protocols: http://taosecurity.blogspot.com/2005/07/what-does-your-isp-block-only-low-cost.html

http://www.dslreports.com/forum/remark,15481407


**** NOTE ****

You can only visit http://port139online.com:139/ from Internet Explorer. Firefox blocks many ports.


Shmoocon 2008 wrap-up: The Non-Moose Stuff

Shmooball Max

Someone beat us to the shmooball launcher. It’s probably for the best since we were going to order parts from this company. We heard ambulances only take 180 seconds to get to the hotel.

The presentations were very hit or miss this year, with unfortunately a bit more of the latter. I felt a lot of presentations would have fit a shorter turbo-style time slot better than the hour-long time slots. For example, the ‘baffle’ application for wireless AP fingerprinting looks like a very cool first-generation tool. Easy to use, hack around with, well researched, and makes pretty graphs. Score. Unfortunately they dragged out the presentation with the whole history of TCP fingerprinting and made us wonder what the students were IM’ing about as they sat on the stage trying not to look too embarrassed or bored.

Mad props go out to Brad Antoniewicz and Joshua Wright. Not only for releasing a cool tool for wireless PEAP/TLS client credential pwnage (FreeRADIUS - Wireless Pwnage Edition), but for fun presentation skillz and shmooball dodging.  Find the video for this one. It was probably my favorite talk of the con (not sure if the camera man caught the start of the talk though).

The guys at Vigilar also rocked with a new and improved version of VoIP Hopper, complete with practical usage scenarios and some good demos with a standard VoIP phone. They showed how to get onto the corporate network, bypassing the VLANs set up for the VoIP traffic. I could think of a number of locations I’ve been at where it would be handy to have this tool with me.

Our very own Jaime and Aaron got a lot of people thinking with their forced internet condom. They’re moving the web hosting provider, but there’s some good data about what ports ISPs are blocking over at portscan.us (and you can help add to the project as well).

I unfortunately missed h1kari’s (David Hulton) GSM talk due to train delays, but the word at the hotel bar was that it was one of the most technical and interesting talks of the con. His GSM rainbow tables may make things very interesting when the FPGAs complete in three months (anyone get a link to where that will be?). Speaking of FPGAs, I’m proposing the FDA needs to start looking into these things since they’re basically giving every geek I know an erection that is lasting way longer than 4 hours. :)

And for more geek porn, let me suggest the Solid State Drives Data Recovery Comparison to Hard Drives presentation. Scott Moulton makes PowerPoint look like a Commodore 64 next to his smoothly timed 3D graphics. This guy also rocks for having them online for everyone to get jealous of… oh, and for teaching us that deleting or wiping flash-based drives is completely useless because of the wear-levelling process done by the controllers on these things (and yes, I did sit there thinking of all the times I’ve futilely done PGP wipes of data on my flash drives). The good news, though, is that the recovery of that data sounds pretty damn hard at this time. Also in good news, we can now write off a few power tools from Home Depot as business expenses, since you’ll want a hammer now to “wipe” those drives.

A number of us caught the phishing talk by Syn Phishus. I think we’ll have a full follow-up post on that (but just to clear one rumor we heard, no, he does not work for or have anything to do with phishme.com). He obviously agrees with us that mock phishing exercises need to be done… but I’d say our approaches to this differ greatly.

-b3nn


Shmoocon 2008 wrap-up: Forced Internet Condom

Intrepidus Group had a good time at Shmoocon this year. Jaime and I would like to thank those that came to our presentation on Saturday to learn a little bit about the history of Internet service providers changing the Internet on us when it doesn’t fit their business model.

After seeing the crowd rip apart a few other speakers we are grateful to those in our audience. As a presenter, I feel for the others, but I’d have to agree that the database security (Why are Databases so Hard to Secure) presenter deserved the lynching. Total weak sauce. I tried to stick it out but after 30 minutes I had to bail on that talk.

Something Shmoocon attendees should know: Many of us did not find out our presentations were accepted until January 11th 2008. That doesn’t give the presenter a whole lot of time to prepare if their talk relies on collecting a lot of data or building a new tool. Overall I think this late notification had an impact on the quality of a few talks.

Shanit Gupta! Hey man... I had a good time catching up with you this year. I picked up a lot of good kiosk- and Citrix-breaking techniques from you. I was aware of some of the hot-keys, but you showed me a bunch of others I didn’t know about. I think you probably learned the hard way about the challenges of live demos. I think you broke every rule of live demonstrations. :)

  1. Don’t rely on the Internet
  2. Don’t rely on wireless for a presentation
  3. And especially, don’t rely on the wireless network a hacker conference provides you for a presentation

Brad – wish I could have seen your talk (PEAP: Pwned Extensible Authentication Protocol) with Josh but it was just too damn packed. I heard you rocked it. Good job! I’ll catch it on the videos.

The Renderman talk was meh— a good talk for newbs I suppose, but airport hijinks is nothing new to traveling security consultants.

Should Shmoocon let the presenter label their talk as “stuff for newbs”? Maybe; it’s a tough call. On one side it would let more advanced attendees seek out more challenging material… but on the other side no one wants to label themselves as a newb, especially if they are attending a conference with their work buddies. I saw this all the time in the many years I taught the Foundstone Ultimate Hacking and Ultimate Hacking Expert classes. 80% of the class who skipped the Ultimate Hacking course shouldn’t have. All too often I’d have students in the expert class who couldn’t FTP or map network drives on the command line. For the cons though, I’m getting rather tired of these old, obvious hacks being re-named so the press can go bonkers with it — “café-latte attack”, kill me now.

So after the Shmoocon there is one thing that is certain. I’m getting a damn Asus EEE PC. They are just too cool and I’m not sure why.

Later,

-higB


Whitepaper: The State of Information Security 2008

I just got back from the Credit Union Information Security Professionals Association (CUISPA) 3rd annual national event in Austin, Texas, where Rohyt and I were talking to the folks about www.PhishMe.com.
I have never attended a CUISPA event before and welcomed the opportunity. It was refreshing to see this industry work together. Credit unions don’t have the budgets larger institutions do, and many of their technologists wear multiple hats. Security is a group effort (as it should be).

Two major takeaways I had from the conference:

1.) Credit Union security professionals have a can-do attitude and value networking with their peers to solve their security woes
2.) Don’t show up to a Credit Union event dressed in New York-Financial attire (unless you enjoy looking like that creepy sales guy) :)

On the heels of the CUISPA event is a good white paper I saw on BankInfoSecurity.com titled The State of Information Security 2008 - Survey Executive Overview (Free signup)

Tom Field (Editorial Director) did a good job putting the overview together. The top security issues I heard the Credit Union folks discuss are the same ones captured in this survey. (It’s good to see that this paralleled what I saw in person at CUISPA … too often these days a whitepaper is just a synonym for marketing fluff.)

Of course the #3 issue, “3) Training - Employees, Customers Need More.”, grabs our attention as http://www.phishme.com/ moves from beta and inches towards launch.
I’m beyond excited.
-higB

p.s. If you happen to attend my ShmooCon 2008 presentation please be kind with the Shmooballs.


SSH Keys: password != ch@ng3m3

I always knew I loved SSH keys. Often, my love was for the convenience factor and that warm feeling you get from authenticating with 1024 bits of encryption goodness. But tonight I’m marveling at the simple setup beauty these babies can give any Unix/Linux sysadmin. Most of us have had to play the role at some point of setting up the FNG on the shared Linux box. We create the account, then email him/her some version of their password and hope they actually log in at some point to change it. Any brute-force password list worth its weight in electrons has a few versions of the famous “ChangeM3” password. I’ve also been hesitant to ever disable password authentication in my sshd_config since I thought I’d have to flip it back on any time there is a new user.

From this ugliness comes my new reason to love SSH keys. Let’s change the policy for creating new accounts to require that your noob first sends you an SSH public key (send them off to get PuTTYgen if they don’t already have one). Remember, this is their public key, so it’s totally cool for it to be sent in clear text, or simply posted on the Internet. Now, as the sysadmin, add their account and drop their public key into their .ssh/authorized_keys file.

What does this solve? No more login passwords in clear text over email or IM. No more worrying about the FNG changing their password. No more brute-force SSH concerns. And for an extra bonus, if I’m the FNG, now I have one less password I need to remember, because before I was setting a unique password on each box. Hey, you never know when your admin might decide to run John the Ripper on the shadow file.

When you’re ready to take the plunge and have your own keys in place, the lines you’ll want in your sshd_config file to require keys and disallow standard login passwords should look something like this:

…snip…
RSAAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
…snip…
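As an added example (not code from the original post), here is a small Python check that reads an sshd_config and reports anything that deviates from the settings above, including a Match block that re-enables passwords for one user. It assumes the parsing rules from sshd_config(5) noted in the comments, and the sample config is constructed.

```python
# Added example (not from the post): audit an sshd_config for the settings the
# post lists. Rules assumed from sshd_config(5): '#' starts a comment, keywords
# are case-insensitive, "Keyword value" or "Keyword=value", and the FIRST value
# sshd reads for a keyword wins; lines after "Match" apply only to matched sessions.
REQUIRED = {"PubkeyAuthentication": "yes", "PasswordAuthentication": "no",
            "ChallengeResponseAuthentication": "no", "UsePAM": "no"}

def parse_sshd_config(text):
    """Return (globals, in_match): first value per keyword before any Match line, and (keyword, value) pairs inside Match blocks."""
    globals_, in_match, matching = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.replace("=", " ", 1).split(None, 1)
        key, value = key.lower(), (rest[0].strip().strip('"') if rest else "")
        if key == "match":
            matching = True
        elif matching:
            in_match.append((key, value))
        else:
            globals_.setdefault(key, value)   # first occurrence wins
    return globals_, in_match

def audit_sshd_config(text):
    """List deviations from the post's settings; [] means key-only login is enforced."""
    globals_, in_match = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = globals_.get(key.lower())
        if got is None:   # missing: whatever default sshd was built with applies
            findings.append(f"{key} not set, want {want}")
        elif got.lower() != want:
            findings.append(f"{key} is {got}, want {want}")
    for key, value in in_match:           # a Match block can quietly re-enable passwords
        for req, want in REQUIRED.items():
            if key == req.lower() and value.lower() != want:
                findings.append(f"{req} is {value} inside a Match block, want {want}")
    return findings

SAMPLE_CONFIG = """\
# constructed sample, not any real host's config
PubkeyAuthentication yes
PasswordAuthentication yes   # leftover from before keys were rolled out
ChallengeResponseAuthentication no
PasswordAuthentication no    # too late: sshd keeps the first value it read
UsePAM no
Match User fng
    PasswordAuthentication yes
"""
```

Running `audit_sshd_config(SAMPLE_CONFIG)` reports both the stale global `yes` and the per-user override, which a plain grep for `PasswordAuthentication no` would have passed.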

-b3nn


Phishing with Encoded IP Addresses

Phishme Phishing Links

I was adding a little special sauce to Phishme.com this past week and thought this might be fun to share. We have a few different ways a user can craft their phishing links. If he/she chooses the IP address option, then there is also the choice of encoding options. This lets you mask the IP address in an attempt to trick the user into thinking part of the sub directory is perhaps the host name. Or as in the case with my mom… she thinks it is just the phone number so the computer knows where to call. And it’s hard to blame her when you see a decimal encoded IP address.

http://2130706433/somecompany.com

The team over at Marshal has put together a good walk through of the encoding so you can follow along. If you would like to view the javascript, you can find it here. This may not work on all browsers, but it holds up pretty well on your corporate windows boxes with IE or Firefox. Want to test it out? Just put in an IP address below and click on the link it generates.
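As an added example (not the Phishme.com JavaScript or anything from the Marshal write-up), here is the defender’s side of the trick: a Python decoder that turns decimal, octal and hex spellings of an IPv4 host back into dotted-quad form so a URL filter or log review can flag them. The inet_aton() rules it relies on are stated as an assumption in the comments, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Added example (not the Phishme.com script or the Marshal write-up): decode the
# IP-address spellings the post describes, as a URL filter or log reviewer would.
# Assumed rules are those of inet_aton(), which browsers inherit: 1 to 4 dot-separated
# parts, each decimal, octal (leading 0) or hex (0x); the last part fills the remaining bytes.

_PART = re.compile(r"0x[0-9a-f]+|[0-9]+", re.I)

def _part_value(tok):
    tok = tok.lower()
    if tok.startswith("0x"):
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)            # "08" or "09" raises ValueError, as inet_aton rejects them
    return int(tok, 10)

def decode_host(host):
    """Dotted-quad string if host is any numeric IPv4 spelling, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    try:
        vals = [_part_value(p) for p in parts]
    except ValueError:
        return None
    last_bits = 32 - 8 * (len(vals) - 1)     # the last part spans the leftover bytes
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 1 << last_bits:
        return None
    n = sum(v << (24 - 8 * i) for i, v in enumerate(vals[:-1])) | vals[-1]
    return ".".join(str((n >> shift) & 255) for shift in (24, 16, 8, 0))

def flag_disguised_hosts(urls):
    """[(url, dotted_quad)] for each URL whose host is an IPv4 address written in
    anything other than plain dotted decimal, i.e. the disguise the post describes."""
    hits = []
    for url in urls:
        host = urlsplit(url).hostname or ""       # lowercased, no userinfo or port
        dotted = decode_host(host)
        if dotted and dotted != host:
            hits.append((url, dotted))
    return hits

# Constructed sample of links as they might show up in a proxy log.
SAMPLE_URLS = ["http://2130706433/somecompany.com",   # decimal, from the post
               "http://0x7f.0.0.1/login",              # hex first part
               "http://0177.0.0.1/",                   # octal first part
               "http://127.0.0.1/",                    # plain dotted decimal: not flagged
               "https://www.somecompany.com/login"]    # real host name: not flagged
```

`flag_disguised_hosts(SAMPLE_URLS)` returns the first three links, each resolved to 127.0.0.1, and leaves the plain-IP and real-hostname links alone.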

-b3nn


If I was a hacker…err cracker…

  1. I would be very busy the week of Christmas, while IT security staff is probably operating at 20% of normal strength. Not only is it the weakness in numbers, but also the holiday mood. How many of you are actually working full days? IDS logs - that’s probably the last thing on your mind now that you have Guitar Hero III in the breakroom.
  2. I would get busy if I heard that a company was being acquired. From my experience, most companies put a freeze on all discretionary spending from the time a deal is announced until it closes. Unfortunately, security is often thrown into that discretionary spending budget, making it easy on the bad guys for several months!
  3. If I really wanted to spend Christmas with my family, I would just come back another time and phish employees…that works irrespective of season.

Wishing you all a very Happy New Year! Stay safe.

-Rohyt


Carnegie Mellon Findings Second PhishMe Concept

Carnegie Mellon researchers presented a paper at the Anti-Phishing Working Group’s E-Crime Researchers Summit in October 2007. The results of the study indicated the following:

  • Users learned more effectively when the training materials were presented after they fell for a phishing attack (embedded training), rather than when the training materials were simply emailed
  • Users also retained more knowledge and transferred more knowledge about how to avoid phishing attacks when trained with embedded training

These are the underlying principles of PhishMe.com - Phish n’ Educate. PhishMe.com will facilitate the execution of mock phishing attacks against employees. Those that fall “victim” will be presented appropriate training materials.

-Rohyt


PhishMe.com: Featured in eWeek

Those close to us know that we’ve been working on a self-service portal designed to help organizations run mock phishing exercises aimed at raising employee awareness. Shortly after the recent news about Oak Ridge National Laboratory and Los Alamos being targeted by spear phishing was published, I was interviewed by eWeek.

Read the full article here: Phishing Drills Teach Employees to Dodge the Hook

-higB

