
August 2006 Archives

We've got plenty of swag for you at our new Cafepress store!

We've got shirts for the guys and the ladies, coffee mugs for those late night hacking sessions, and of course, beer steins (mmm, beer)! There are even a few special treat for your pets, and maybe for that special lady in your life.

Now, we do make a little money on each item (very little actually), so that we can support buying new and special swag for giveaways. Yes, we will continue to give away great swag, and usually they will NOT be available on the store.

Please go check it out, and help us give back to you.

For a direct link, the url is: http://www.cafepress.com/psw

- Larry

Wireless Driver Vulnerabilities: The Real Story


It looks like we will find out exactly what is going on, however we will have to wait until ToorCon 8 where Cache and Maynor will give a presentation:

Recently we gave a public demonstration of an exploit in a wireless device driver. We thought it was timely, important, but most importantly it was super cool. Since the first details of our demo were reported two camps instantly formed, people who thought the work and research was good and people who thought we faked everything and we are horrible people. How could opinions differ so greatly? What is the story behind exactly what happened and more importantly what does this response mean for the security industry as a whole? This presentation won't be typical as it will cover the complete story, but it will also offer analysis and commentary of public responses while at the same time giving anyone who has a question a chance to have it answered.

I am a little disappointed that we have to wait a month before we can hear the real story, however I am certain that they have good reasons for doing it this way. I will speculate that a month gives vendors more time to fix vulnerabilities, Mac enthusiasts to make even bigger fools of themselves, and skeptics to report yet even more wacky conspiracy theories. As we have stated, we are standing behind the security researchers on this one and waiting until we have all the facts before we report any real details. For now, my suggestion is to keep your wireless card turned off when not in use.

Paul.com

PaulDotCom Security Weekly - Episode 41 - August 24, 2006


Live from the PaulDotCom Security Weekly Studio....

Hosts: Larry Pesce, Paul Asadoorian, "Twitchy", Joe Conlin
Email: psw@pauldotcom.com

Direct Audio Download
No Video This Week, we are working on the next episode, hoping for a September release.

(Bandwidth provided by OSHEAN)

Audio Feeds:

Fear not the Command Line!


For those of you who use F-Secure's Blacklight rootkit detector and have a fear of GUIs, F-Secure just did us a big favor; they have released a command line version of Blacklight! I'm really liking this, as now it will be easier for me to add Blacklight into some automated scanning tools. Besides, what security professional doesn't have a love affair with the command line?

Go give it a download.

- Larry

Paranoid Security For The Security Professional


Our very own Nick "Twitchy" DiPetrillo has posted his presentation from MIT Security Camp. Nick takes us through a brief introduction on how many people, including security professionals, can become owned (my presentation followed and demonstrated this).

He then goes on to describe "The Car Battery Security Model", and numerous layers of defense that you can employ to protect your assets. It is important to note that these are tips and tricks for advanced users, not something you want to roll out to your end user necessarily (unless you want a riot on your hands).

Direct Presentation Download

Enjoy!

Paul.com

PaulDotCom Security Weekly - Episode 40 - Aug 18, 2006


Live from the PaulDotCom Security Weekly Studio....

Hosts: Larry Pesce, Paul Asadoorian, "Twitchy"
Email: psw@pauldotcom.com

Direct Audio Download
No Video This Week, we are working on the next episode, hoping for an August/September release.

(Bandwidth provided by OSHEAN)

Audio Feeds:

Wireless Presentation Feedback


I would like to thank everyone who has been sending me feedback on my presentation that I posted the other day. I have gotten some great suggestions which I plan to add to future revisions:

  • A listener pointed out that the Redfang tool can be used to brute force the bluetooth address (MAC) to find non-discoverable devices
  • tbsearch can also be used to do the same, and the authors of this tool appear to be working on a bluetooth sniffer based on gnuradio. (Thanks Nelson!)
  • GNU Radio is interesting, touting itself as "a collection of software that when combined with minimal hardware, allows the construction of radios where the actual waveforms transmitted and received are defined by software." Hmmm, sounds like when combined with a USRP it could be used for wireless research (WiMAX? EVDO? Bluetooth?). They are all just radios...
  • Another listener pointed out that there are vulnerabilities in certain wireless chipset implementations that allow an attacker to dumb-down the connection from WEP to open. You can find more information here at the www.wirelessve.org site. (Thanks Christopher!)
  • Christopher has also built a tool to help people audit mis-configured clients. You can find a copy here. The description reads "ThinkSECURE's Probemapper is a tool which detects probe requests from 802.11-enabled laptops with wireless client profiles and displays their encryption and capability information."
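What a tool like Probemapper has to do is parse the 802.11 probe requests that clients broadcast for every saved wireless profile and report which network names they are looking for and whether the client advertises any WPA/RSN capability for them. The following is an added example written for this post, not code from the original page and not ThinkSECURE's Probemapper; it walks the 24-byte management-frame header and the tagged parameters (id, length, value) of constructed sample frames so it runs offline. The tag numbers (0 = SSID, 1 = supported rates, 48 = RSN, 221 = vendor-specific, with the 00:50:F2 type-1 OUI marking the pre-802.11i WPA element) are the standard ones; everything else (function names, the sample MAC addresses and SSIDs) is made up for the demo. Note the bounds check on every tag length: any frame parser, a sniffer or a driver, that trusts that byte without checking it will read or copy past the end of the frame.

```python
"""Parse 802.11 probe-request frames and report what each client is probing for.

Added example, not code from the original post or from ThinkSECURE's Probemapper.
Assumed layout: 24-byte MAC header (frame control, duration, addr1, addr2, addr3,
sequence control) followed by tagged parameters (id, length, value).
"""

TAG_SSID = 0
TAG_RATES = 1
TAG_RSN = 48
TAG_VENDOR = 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"  # Microsoft OUI + type 1 = WPA information element


class MalformedFrame(ValueError):
    """Raised when a frame is truncated or a tag length overruns the frame."""


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_tags(body):
    """Walk the tagged parameters, refusing any tag whose length overruns the body."""
    tags = []
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise MalformedFrame("truncated tag header at offset %d" % i)
        tag_id, tag_len = body[i], body[i + 1]
        if i + 2 + tag_len > len(body):
            # A parser that trusts tag_len here reads/copies past the frame buffer.
            raise MalformedFrame("tag %d claims %d bytes, only %d remain"
                                 % (tag_id, tag_len, len(body) - i - 2))
        tags.append((tag_id, body[i + 2:i + 2 + tag_len]))
        i += 2 + tag_len
    return tags


def parse_probe_request(frame):
    """Return a dict describing a probe request, or None if the frame is another type."""
    if len(frame) < 24:
        raise MalformedFrame("frame shorter than the 802.11 MAC header")
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3      # 0 = management
    subtype = (fc0 >> 4) & 0xF    # 4 = probe request
    if ftype != 0 or subtype != 4:
        return None
    info = {"src": mac_str(frame[10:16]), "ssid": "<broadcast>",
            "rates_mbps": [], "security": "none advertised"}
    for tag_id, val in parse_tags(frame[24:]):
        if tag_id == TAG_SSID:
            info["ssid"] = val.decode("utf-8", "replace") if val else "<broadcast>"
        elif tag_id == TAG_RATES:
            # Low 7 bits are units of 500 kbit/s; bit 7 flags a basic rate.
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in val]
        elif tag_id == TAG_RSN:
            info["security"] = "WPA2/RSN"
        elif (tag_id == TAG_VENDOR and val[:4] == WPA_OUI_TYPE
              and info["security"] == "none advertised"):
            info["security"] = "WPA"
    return info


def build_probe_request(src, ssid, extra_tags=()):
    """Construct a probe request. Sample input for the demo, not a captured frame."""
    hdr = (bytes([0x40, 0x00]) + b"\x00\x00" + b"\xff" * 6
           + bytes.fromhex(src.replace(":", "")) + b"\xff" * 6 + b"\x00\x00")
    body = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    body += bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])   # 1, 2, 5.5, 11 Mbps
    for tag_id, val in extra_tags:
        body += bytes([tag_id, len(val)]) + val
    return hdr + body


# Constructed sample capture: two clients, three probes (addresses and names invented).
SAMPLE_FRAMES = [
    build_probe_request("00:11:22:33:44:55", "CoffeeShopFree"),
    build_probe_request("00:11:22:33:44:55", "CorpWLAN",
                        [(TAG_RSN, b"\x01\x00" + b"\x00\x0f\xac\x04")]),
    build_probe_request("66:77:88:99:aa:bb", ""),
]


def audit(frames):
    """Summarise each probe; malformed frames become error entries instead of crashing."""
    report = []
    for f in frames:
        try:
            info = parse_probe_request(f)
        except MalformedFrame as e:
            report.append({"error": str(e)})
            continue
        if info is not None:
            report.append(info)
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_FRAMES):
        print(entry)
```

A client whose probe carries no RSN or WPA element is not proven to have an open or WEP profile, only that it advertises nothing stronger for that name; that is the set of clients worth tracking down and checking by hand.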

I truly believe that I will be able to continue to give modified versions of this presentation for quite some time. I think we are just starting to see wireless technologies such as bluetooth, wimax, EVDO, and RFID make their way into the hacking radar. Of course, I also believe that the recent vulnerabilities found in wireless drivers are going to blow the lid off traditional 802.11 hacking.

Paul.com

Pauldotcom Comments on August Patching Strategies


I was interviewed for an article on Search Security titled "August Patch Management Woes Strike Again".

The basis of the article was why August is such a popular month for malware. While I can't say I agree with all of the other commentary, it did turn out to be a good article. I tend to think that all patches and updates are important. Don't you?

Full Article

Paul.com

"Wireless Network Security?" Presentation - Latest Revision


I have made some significant changes to my current wireless presentation, which include:

  • Coverage of Bluetooth hacking (btscanner, bluesnarfer)
  • Demonstrations of Wi-Spy and Airpwn
  • Added presenter notes to each slide
  • Updated defensive wireless computing section
  • Links to flash tutorials that cover cracking WEP, WPA, and SSL (the original crimemachine tutorials)

Download Here

Please send me any comments/suggestions/feedback (paul /at/ pauldotcom.com)

PaulDotCom Security Weekly - Episode 39 - Aug 11, 2006


Live from the PaulDotCom Security Weekly Studio....

Hosts: Larry Pesce, Paul Asadoorian, "Twitchy"
Email: psw@pauldotcom.com

Direct Audio Download
No Video This Week, we are working on the next episode, hoping for an August/September release.

(Bandwidth provided by OSHEAN)

Audio Feeds:

PaulDotCom Security Weekly - Episode 38 - August 3, 2006


Live from the PaulDotCom Security Weekly Studio....

This episode was also broadcast over our Icecast server. Details will be announced in our IRC chatroom #pauldotcom on Freenode (irc.freenode.net) and on the PaulDotcom blog.

Hosts: Larry Pesce, Paul Asadoorian, "Twitchy"
Email: psw@pauldotcom.com

Direct Audio Download
No Video This Week, we are working on the next episode, hoping for an August release.

(Bandwidth provided by OSHEAN)

Audio Feeds:

Black Hat Wireless Vulnerabilities: Related Research?


During my normal, everyday, perusal of information security topics I happened to come across some of David Maynor's previous research when he used to work for ISS:

"You Are The Trojan" - Toorcon 2005 - Presentation Link

In the above presentation David shows us how you can take advantage of reverse DMA mapping to execute exploits via the USB bus. At a more recent conference, Shmoocon 2006, this concept was further explored in:

"Cardbus Bus-Mastering: 0wning the Laptop" by David Hulton (unfortunately, no presentation or video has been posted).

I won't speculate, okay so maybe I will. Could they be using similar techniques to achieve 0wnage with wireless drivers? If so, how do you prevent this?

It also looks as though Johnny "cache" has done some very interesting research as well:

"802.11 Wireless VLANs" - Toorcon 2005 - Presentation Link

It most likely is unrelated, but is interesting none the less.

Paul.com

Blackhat Report: Wireless Driver Vulnerabilities


This story, more than any other so far, has been getting the most press. We have carefully read the original Washington Post article, watched the video, read the follow-up posting, and I spoke with Larry last night who attended the talk. Here's what we know:

  • There is a flaw in many wireless device drivers that allows an attacker to remotely exploit vulnerabilities that will gain shell access. It is not clear what privilege level the attacker gains, but considering the availability of privilege escalation exploits, it's a moot point.
  • The video demonstrates this attack running against a MacBook Pro with an undisclosed 3rd party wireless card. The built-in Apple wireless drivers are also known to be vulnerable and exploitable. The authors claim that vulnerabilities exist in other wireless drivers, and that exploits can be successful against Windows and Linux.
  • The attack does not rely on hijacking one's wireless connection; as long as you can get the victim to receive the wireless exploit packet, the attack can be successful.
  • They released the video instead of doing a live demo to avoid someone sniffing the wireless network at Blackhat and obtaining a copy of the exploit. The authors are giving the vendors time to release patched versions of the drivers (getting people to install them will be another challenge).
  • Larry reports that the team is also working on similar exploits for Bluetooth and CDMA cell phone technology.
  • The SANS Internet Storm Center has a nice write-up as well. They are recommending, as are we, that you disable your wireless card when not in use and be prepared to upgrade your wireless drivers. If you have an Intel PROSet wireless card, you should already be upgrading your drivers.

Paul.com