
April 2008 Archives

Network Security Podcast - Episode 103 Appearance


All:

It was my pleasure to make an appearance on the Network Security Podcast with Martin McKeay and Rich Mogull. We had some interesting conversations about SQL Injection, how we got started in computer security, thoughts on the CISSP certification, PCI and its usefulness, and general security banter.

You can download the Network Security Podcast episode 103 here.

Enjoy!

PaulDotCom

April Late-Breaking Computer Attack Vectors Webcast


All:

The April Late-Breaking Computer Attack Vectors webcast this month will be held on:

Wednesday, April 30, 2008 2:00 pm EDT (GMT -04:00, New York)

Register Here For This Webcast

This month I will discuss some of the latest attacks, including hacking kiosks, attacking your desk, and darknets for defense. Hope to see you there...

PaulDotCom

Appearing On Network Security Podcast


At 9:00PM EST tonight I will be chatting with Rich & Martin from the Network Security Podcast. It should be fun; we will bat around PCI, SQL injection, and hopefully a few other topics of interest.

You can see and hear it all on our live Ustream channel here.

Cheers,

PaulDotCom

PaulDotCom Security Weekly - Episode 105 - April 25, 2008


Live from the PaulDotCom studios...

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

Recording & Stream Notice - Episode 105


NOTE: Our streaming method has changed as of episode 100, and is reflected in the links below.

The live stream should be active about 6:15-6:30 PM EDT, Friday April 25th. We should begin recording the live show at about 6:30 PM EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!


- Larry & Paul

Scamming Social Networks


Social networks have become a very popular use of so-called "Web 2.0" technology. Web sites such as Facebook and LinkedIn have begun to move towards targeting working professionals, in addition to the traditional younger college and/or high school crowd. I, and others, have been doing extensive research into the security (and insecurity) present in social networking web sites. You may now be wondering, "Just how have you been doing your research?". Well, we decided to register ourselves on several social networking web sites to see just how they work, and just how we and others could break them and abuse the security present in these web sites. What we've found has been very interesting, and useful for providing the community with information about the risks, and tips to protect themselves:

The “Evil Twin” attack was an experiment we performed, and it turned out to be wildly successful. We registered a Facebook account as someone else, using an email address we controlled, pictures we downloaded from the Internet, and information we gathered from various publicly available sources. Our attack was very successful: several people believed that the person we faked was real and started adding them as a friend. The best defense here is to register yourself on social networking web sites to prevent others from doing so. We did a segment about this which you can read about and listen to here.

If you use social networking sites regularly you might say, “only people in my network can see my information or my pictures”. This may be true, however XSS vulnerabilities have exposed that information. For example, millions of pictures marked “private” on the popular social network site MySpace, and subsequently Facebook, were suddenly public due to a vulnerability. Once something is “public” on the Internet, there is no going back; it's archived in cyberspace forever. Even without vulnerabilities there are groups on sites such as Facebook, and to a certain extent LinkedIn, that automatically allow others in your group to see your profile. For example, I was placed in the group “Providence, RI”, a group anyone can join, and now thousands of people can see my profile. You should always treat information on the Internet as public, whether marked "private" or not.

Recently there has been an unknown exploit of Facebook that is hijacking people’s Facebook accounts and putting up grotesque images, a social network “Rick Roll” attack with a bizarre twist. Reportedly there was a vulnerability in Facebook that allowed this to happen. However, recently I got the following email:

[Image: facebookemail.jpg, the phishing email with the suspicious link highlighted in red]

Looking closely at the link highlighted in red, you see that it does not go to Facebook at all, but to some other site, which looks exactly like the Facebook login page but really is an attacker collecting your username and password. Why would someone launch a phishing attack against Facebook? I'm still not certain why this information is so valuable that it is being targeted by attackers. If nothing else it proves that social networking sites are not only more popular, but represent an area that potentially could be profitable for attackers - as soon as I figure out how, I will let you know :).
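One way to catch that kind of mismatch mechanically, as an added example that is not part of the original post: parse the message body, and flag any link whose visible text claims to be a facebook.com address while its href actually resolves to some other host. The script below is a standalone Python example; the sample message is constructed (its hostnames are placeholders, not the ones from the real email), and `claimed_host` is a parameter of this example rather than anything the post defines.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(url):
    """Lowercased hostname of a URL with a leading 'www.' dropped; '' if there is none."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, claimed_host):
    """Return (href, text) pairs whose visible text names claimed_host (e.g. 'facebook.com')
    while the href points at a host that is neither claimed_host nor a subdomain of it.
    Links whose text makes no claim ('Click here') are not judged at all."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.links:
        if claimed_host not in text.lower():
            continue
        host = host_of(href)
        if host != claimed_host and not host.endswith("." + claimed_host):
            flagged.append((href, text))
    return flagged


# Constructed sample message (placeholder hostnames, not the ones from the real email).
SAMPLE_EMAIL = """
<p>Hi, someone commented on your photo. To view it go to
<a href="http://facebook-login.example.net/index.php">http://www.facebook.com/n/?inbox</a>.</p>
<p>Or visit <a href="https://www.facebook.com/home.php">www.facebook.com</a> to change your settings.</p>
<p><a href="http://unsubscribe.example.org/">Click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_EMAIL, "facebook.com"):
        print("text says %r but link goes to %s" % (text, host_of(href)))
```

The check is deliberately strict about the host: a look-alike such as `facebook.com.evil.example` or `facebook-login.example.net` is flagged, while a genuine subdomain like `m.facebook.com` is not. It says nothing about links whose text is just "Click here", which is why hovering over every link (or reading the raw headers) is still the habit to teach users.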

Social networks are all about sharing information; however, they're also a great way to distribute attacks. Attackers are now looking to use social networks to distribute links to a trusted audience, not just for fun, but for profit! Use extreme caution when using social networks and try to think how attackers could use this information and technology against you.

There is no spoon...


Recently I taught a 2-day hacking course titled "Cutting-Edge Hacking Techniques", written by Ed Skoudis and offered by The SANS Institute. The students learned a lot, and as always when I teach, so did I. I summarized my thoughts and experiences in a guest blog posting I wrote for my friends over at GNUCITIZEN:

Read the full posting here.

Enjoy!

Cheers,
Paul

PaulDotCom Security Weekly - Episode 104 - April 11, 2008


Live from the PaulDotCom studios with special guest Wesley McGrew talking about memory analysis tools.

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

PaulDotCom Security Weekly - Episode 103 Part II - April 3, 2008


Live from the PaulDotCom studios with special guest Kevin "The Hacker Princess" Johnson! In the second part of this episode we wrap up the discussion on web app testing and cover the stories for the week.

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

NOTE: Our streaming method has changed as of episode 100, and is reflected in the links below.

The live stream should be active about 6:15-6:30 PM EDT, Friday April 11th. We should begin recording the live show at about 6:30 PM EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!


- Larry & Paul

Metadata Surprise!


I've been poking at some metadata for information gathering lately for a project or two. One of the document types that I've been focusing on has been JPEG images. Why, you ask? Take a look at this web page. See all those pretty pictures? JPGs. Same with just about every other website on the planet.

Looks like we have plenty of fodder for our metadata cannon.

So, I began analyzing metadata on JPGs from random websites that struck my fancy. In a few cases, I came across some good information: the type of software used to produce the image (great for selecting a particular exploit), the author (great for selecting a target), dates of authorship (good for determining validity of attack and target) and finally some camera types (good for determining some basic financial commitment, and whose memory cards to steal on a physical assessment). Mostly, I came across a whole bunch of sanitized data. Clearly I needed a better set of JPGs to play with.

Then, 18 gigs of Myspace JPG images fell into my lap.

I figured that I'd be in metadata heaven. I also figured that I might be able to put an author name behind the image of the two dogs humping, or better, the hottie showing off her naughty bits.

I was mistaken.

I ran exiftool on about 10,000 images (with some fits and starts; exiftool is a Perl app, and providing it too many images at once caused it to barf), all with the same result. Every image appears to have had the metadata stripped so that only the metadata needed to correctly render the image is left. No author. No creation tool. No dates. No camera info.

Apparently, Myspace sanitizes all of the metadata when you upload your pics.

Good Myspace.

Of course, I had to test, especially since the 18 Gigs of images could have been played with to protect the innocent, given that they originally came from some acquisition techniques that could be described as ethically questionable (they were not acquired by me in that fashion). Here's how I tested:

First, I needed an image that I knew had good juicy metadata. How about the one from the news story about the hacker 0x80 that Slashdot folks used to track down some pretty scary info on the anonymous 0x80 using the intact metadata:

[Image: 0x80_cracker_with_laptop.jpg, the original photo with metadata intact]

Yes, this image has the metadata intact.

Here's the output from exiftool -t -s filename.jpg showing all of the metadata:

======== 0x80_cracker_with_laptop.jpg
ExifToolVersion	7.23
FileName	0x80_cracker_with_laptop.jpg
Directory	.
FileSize	44 kB
FileModifyDate	2007:12:14 16:05:51
FileType	JPEG
MIMEType	image/jpeg
JFIFVersion	1.1
ProfileCMMType	Lino
ProfileVersion	2.1.0
ProfileClass	Display Device Profile
ColorSpaceData	RGB
ProfileConnectionSpace	XYZ
ProfileDateTime	1998:02:09 06:49:00
ProfileFileSignature	acsp
PrimaryPlatform	Microsoft Corporation
CMMFlags	Not Embedded, Independent
DeviceManufacturer	IEC
DeviceModel	sRGB
DeviceAttributes	Reflective, Glossy, Positive, Color
RenderingIntent	Perceptual
ConnectionSpaceIlluminant	0.9642 1 0.82491
ProfileCreator	HP
ProfileID	0
ProfileCopyright	Copyright (c) 1998 Hewlett-Packard Company
ProfileDescription	sRGB IEC61966-2.1
MediaWhitePoint	0.95045 1 1.08905
MediaBlackPoint	0 0 0
RedMatrixColumn	0.43607 0.22249 0.01392
GreenMatrixColumn	0.38515 0.71687 0.09708
BlueMatrixColumn	0.14307 0.06061 0.7141
DeviceMfgDesc	IEC http://www.iec.ch
DeviceModelDesc	IEC 61966-2.1 Default RGB colour space - sRGB
ViewingCondDesc	Reference Viewing Condition in IEC61966-2.1
ViewingCondIlluminant	19.6445 20.3718 16.8089
ViewingCondSurround	3.92889 4.07439 3.36179
ViewingCondIlluminantType	D50
Luminance	76.03647 80 87.12462
MeasurementObserver	CIE 1931
MeasurementBacking	0 0 0
MeasurementGeometry	Unknown (0)
MeasurementFlare	0.999%
MeasurementIlluminant	D65
Technology	Cathode Ray Tube Display
RedTRC	(Binary data 2060 bytes, use -b option to extract)
GreenTRC	(Binary data 2060 bytes, use -b option to extract)
BlueTRC	(Binary data 2060 bytes, use -b option to extract)
ApplicationRecordVersion	2
Caption-Abstract	SLUG:  mag/hacker  DATE:  12/20/2005 PHOTOGRAPHER:  Sarah L. Voisin/TWP   id#:  LOCATION:  Roland, OK.CAPTION:   .PICTURED:
Writer-Editor	SLV
By-line	Sarah L. Voisin
By-lineTitle	STAFF
ObjectName	mag/hacker
Province-State	OK
Country-PrimaryLocationName	USA
OriginalTransmissionReference	175706
TimeCreated	12:38:30-06:00
DisplayedUnitsX	inches
DisplayedUnitsY	inches
GlobalAngle	30
GlobalAltitude	30
CopyrightFlag	False
PhotoshopThumbnail	(Binary data 3276 bytes, use -b option to extract)
PhotoshopQuality	12
PhotoshopFormat	Standard
ProgressiveScans	3 Scans
ExifByteOrder	Little-endian (Intel, II)
ImageDescription	SLUG:  mag/hacker  DATE:  12/20/2005 PHOTOGRAPHER:  Sarah L. Voisin/TWP   id#:  LOCATION:  Roland, OK.CAPTION:   .PICTURED:
Software	Adobe Photoshop CS2 Macintosh
Artist	Sarah L. Voisin
ComponentsConfiguration	YCbCr
Flash	On
UserComment	
InteropIndex	R98 - DCF basic file (sRGB)
InteropVersion	0100
Compression	JPEG (old-style)
ThumbnailOffset	17196
ThumbnailLength	3276
Orientation	Horizontal (normal)
YCbCrPositioning	Co-sited
XResolution	200
YResolution	200
ResolutionUnit	inches
Make	Canon
Model	Canon EOS 20D
ModifyDate	2006:02:16 15:43:01-05:00
CreateDate	2006:02:16 15:43:01-05:00
MetadataDate	2006:02:16 15:43:01-05:00
CreatorTool	Adobe Photoshop CS2 Macintosh
ExifVersion	0221
FlashpixVersion	0100
ColorSpace	sRGB
ExifImageWidth	3504
ExifImageHeight	2336
DateTimeOriginal	2005:12:20 12:38:30-05:00
DateTimeDigitized	2005:12:20 12:38:30-05:00
ExposureTime	1/30
FNumber	5.0
ExposureProgram	Manual
ISO	100
ShutterSpeedValue	1/30
ApertureValue	5.0
ExposureCompensation	0
MeteringMode	Multi-segment
FlashFired	True
FlashReturn	No return detection
FlashMode	On
FlashFunction	False
FlashRedEyeMode	False
FocalLength	85.0 mm
FocalPlaneXResolution	3959.32203389831
FocalPlaneYResolution	3959.32203389831
FocalPlaneResolutionUnit	inches
CustomRendered	Normal
ExposureMode	Manual
WhiteBalance	Auto
SceneCaptureType	Standard
NativeDigest	36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;3B11799D192F50186735EF6636B7FD47
DocumentID	uuid:5A82A660A09311DAB292D9FC4FB3D5EC
InstanceID	uuid:5A82A661A09311DAB292D9FC4FB3D5EC
DerivedFromInstanceID	uuid:5A82A65FA09311DAB292D9FC4FB3D5EC
DerivedFromDocumentID	uuid:5A82A65FA09311DAB292D9FC4FB3D5EC
Format	image/jpeg
Description	SLUG:  mag/hacker  DATE:  12/20/2005 PHOTOGRAPHER:  Sarah L. Voisin/TWP   id#:  LOCATION:  Roland, OK.CAPTION:   .PICTURED:
Creator	Sarah L. Voisin
Title	mag/hacker
CaptionWriter	SLV
AuthorsPosition	STAFF
Credit	TWP
Source	20051220
City	Roland
State	OK
Country	USA
TransmissionReference	175706
ColorMode	3
ICCProfileName	sRGB IEC61966-2.1
DateCreated	2005:12:20
History	
ImageWidth	228
ImageHeight	153
EncodingProcess	Baseline DCT, Huffman coding
BitsPerSample	8
ColorComponents	3
YCbCrSubSampling	YCbCr4:4:4 (1 1)
Aperture	5.0
DateTimeCreated	2005:12:20 12:38:30-06:00
ImageSize	228x153
ScaleFactor35efl	1.6
ShutterSpeed	1/30
ThumbnailImage	(Binary data 3276 bytes, use -b option to extract)
CircleOfConfusion	0.019 mm
FOV	15.1 deg
FocalLength35efl	85.0 mm (35 mm equivalent: 136.1 mm)
HyperfocalDistance	77.02 m
LightValue	9.6

Now, I upload it to my Myspace account, and then use Firefox to "Save image as..." to the resulting image:

[Image: 0x08 from myspace.jpg, the same photo after upload to and download from Myspace]

Yes, I have a Myspace account. It's my dirty little information gathering secret.

Here is the resulting metadata from the Myspace image, using the same exiftool command:

======== 0x08 from myspace.jpg
ExifToolVersion	7.23
FileName	0x08 from myspace.jpg
Directory	.
FileSize	6 kB
FileModifyDate	2008:04:01 13:59:33
FileType	JPEG
MIMEType	image/jpeg
JFIFVersion	1.1
ResolutionUnit	inches
XResolution	100
YResolution	100
ImageWidth	228
ImageHeight	153
EncodingProcess	Baseline DCT, Huffman coding
BitsPerSample	8
ColorComponents	3
YCbCrSubSampling	YCbCr4:2:0 (2 2)
ImageSize	228x153

That's a BIG difference. Good Myspace. Yes, I know that putting those two words together in the same sentence seems...wrong.

What about Facebook? I uploaded the same original image (with the juicy metadata) to my profile on Facebook. Here are the results:

[Image: 0x80 form facebook.jpg, the same photo after upload to and download from Facebook]

...and the resulting metadata (again, same exiftool command)?

======== 0x80 form facebook.jpg
ExifToolVersion	7.23
FileName	0x80 form facebook.jpg
Directory	.
FileSize	6 kB
FileModifyDate	2008:04:04 14:25:48
FileType	JPEG
MIMEType	image/jpeg
JFIFVersion	1.1
ResolutionUnit	inches
XResolution	72
YResolution	72
ImageWidth	228
ImageHeight	153
EncodingProcess	Baseline DCT, Huffman coding
BitsPerSample	8
ColorComponents	3
YCbCrSubSampling	YCbCr4:2:0 (2 2)
ImageSize	228x153

Yes. Good Facebook.
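To make concrete what the three exiftool listings above show the sites doing, here is an added Python example (not Larry's code, and not how Myspace or Facebook implement it). It walks the marker segments of a JPEG, names the metadata-bearing ones (Exif, XMP, ICC profile, Photoshop/IPTC block, comments) and rebuilds the file with only the segments a decoder needs, which is exactly the short list left in the Myspace and Facebook outputs: JFIF, quantization and Huffman tables, frame header, scan. The sample JPEG is constructed inline and does not decode to a real picture; only the segment layout matters for the demonstration.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP1, APP2, APP13, APP14 = 0xE0, 0xE1, 0xE2, 0xED, 0xEE
DQT, SOF0, DHT = 0xDB, 0xC0, 0xC4

# Application segments that carry metadata rather than pixel data.
# APP0 (JFIF) and APP14 (Adobe colour-transform flag) are kept because decoders
# consult them when rendering; every other APPn segment and COM is metadata.
METADATA_MARKERS = set(range(0xE1, 0xEE)) | {0xEF, COM}


def _seg(marker, payload):
    """Encode one marker segment: FF, marker, 2-byte big-endian length (includes itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def iter_segments(data):
    """Yield (marker, payload) for each segment up to and including SOS, then (None, rest)
    for the entropy-coded scan data and trailing EOI, which are passed through untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, b""
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        if marker == EOI:
            yield EOI, b""
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        pos += 2 + length
        if marker == SOS:
            yield None, data[pos:]
            return
    raise ValueError("truncated JPEG: no EOI")


def describe(marker, payload):
    """Human-readable name for a segment, keyed on the same signatures exiftool reports."""
    if marker == APP0 and payload.startswith(b"JFIF\x00"):
        return "JFIF"
    if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
        return "Exif"
    if marker == APP1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
        return "XMP"
    if marker == APP2 and payload.startswith(b"ICC_PROFILE\x00"):
        return "ICC profile"
    if marker == APP13 and payload.startswith(b"Photoshop 3.0\x00"):
        return "Photoshop/IPTC"
    if marker == COM:
        return "Comment"
    if 0xE0 <= marker <= 0xEF:
        return "APP%d" % (marker - 0xE0)
    return "marker 0x%02X" % marker


def metadata_segments(data):
    """Names of the metadata-bearing segments present in a JPEG (what a stripper removes)."""
    return [describe(m, p) for m, p in iter_segments(data) if m in METADATA_MARKERS]


def strip_metadata(data):
    """Rebuild the file keeping only the segments a decoder needs; pixel data is untouched."""
    out = bytearray()
    for marker, payload in iter_segments(data):
        if marker is None:                  # scan data plus EOI, copied verbatim
            out += payload
        elif marker in (SOI, EOI):
            out += b"\xff" + bytes([marker])
        elif marker in METADATA_MARKERS:
            continue
        else:
            out += _seg(marker, payload)
    return bytes(out)


# Constructed sample: a syntactically valid JPEG skeleton (placeholder scan data, so it will
# not decode to a picture) carrying the kinds of segments exiftool listed for the 0x80 photo.
SAMPLE = (
    b"\xff\xd8"
    + _seg(APP0, b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00")
    + _seg(APP1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00")      # TIFF header, empty IFD
    + _seg(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + _seg(APP13, b"Photoshop 3.0\x008BIM\x04\x04\x00\x00\x00\x00\x00\x00")
    + _seg(COM, b"constructed-sample: made with hypothetical-editor 1.0")
    + _seg(DQT, b"\x00" + bytes(64))
    + _seg(SOF0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _seg(DHT, b"\x00" + bytes(16) + b"\x00")
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x00\x00"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", metadata_segments(SAMPLE))
    print("after: ", metadata_segments(strip_metadata(SAMPLE)))
```

Two caveats worth knowing when you rely on a site (or this script) to sanitize uploads. First, dropping the Exif segment also drops the embedded thumbnail (the `ThumbnailImage` line above), which is often an uncropped copy of the original; a sanitizer that rewrites Exif instead of removing it has to deal with that separately. Second, the sites went further than segment removal: the `YCbCrSubSampling` change from 4:4:4 to 4:2:0 and the smaller file sizes show they re-encoded the pixels, which is the simplest way to guarantee nothing survives. To do the same thing from the shell on a real file, `exiftool -all= file.jpg` removes every metadata segment; the script above is useful when you want to see which ones were there first.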

Overall, I was shocked that both Myspace and Facebook had done this. Am I off base? Is this a common thing?

I guess I have a few more "social networks" to try. Twitter, Picasa, LinkedIn, Flickr (I KNOW they keep and analyze some metadata...), and more that I'm sure haven't popped into my head yet.

Looks like I'm still in need of finding a good repository of metadata. Flickr, here I come.

- Larry "haxorthematrix" Pesce

larry /at/ pauldotcom.com

RI Linux Installfest 2008 = Success


Larry & I hosted our first Linux Installfest this past weekend, and it was a huge success. Everyone had fun, ate pizza, drank beer, and spun our propellers installing Linux and just being extra geeky for a day. I made a blog posting detailing the event (including pictures) which you can find here.

PaulDotCom

PaulDotCom Security Weekly - Episode 103 Part I - April 3, 2008


Live from the PaulDotCom studios with special guest Kevin "The Hacker Princess" Johnson!

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Audio Feeds:

NOTE: Our streaming method has changed as of episode 100, and is reflected in the links below.

The live stream should be active about 6:15-6:30 PM EDT, Thursday April 3rd. We should begin recording the live show at about 6:30 PM EST. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!


- Larry & Paul

Over the past few months I've been contemplating a few projects for some WRTSL54GS routers with OpenWrt; however, I really need these to have a high gain antenna on the WRTSL54GS. As you may recall, this model has a fixed antenna, with no option for adding one. I decided that I needed to fix that "design flaw".

Note: By adding various antennas to this device it may become possible to violate your local or federal regulations on output power. Be careful!

First off, we need to open the WRTSL54GS up. The screws are located under the rubber feet. Once apart, we need to de-solder the current, fixed antenna from the board. Follow the LMR cable from the antenna to the board, and de-solder both strands of the LMR from the board.

Once removed, the board should reveal two pads on which we need to solder our new connector.

[Image: bare board.jpg, the two antenna pads on the board]

Once de-soldered, we can remove the antenna from the case by pinching the end of the antenna on the inside of the connector. This will compress the size so that the outer locking ring will pass through the mount.

[Image: squeeze.jpg, pinching the antenna connector to pass it through the mount]

We need to make sure that we have an appropriate connector to attach a new antenna to. I happened to have scavenged parts from an old Linksys BEFSX series model. This old router had an internal PCMCIA card with two pigtails, one end with the standard RP-TNC antenna connector.

[Image: spare parts.jpg, the BEFSX pigtail with RP-TNC connector]

I removed the connector at the other end of the cable, as it is not important. I gave it a good pull, but certainly a pair of wire cutters will get the job done.

Strip the LMR cable back so that the inner and outer conductors are staggered. Match up the lengths that you need with the two pads to verify your length - the smaller inner conductor will be attached to the smaller pad on the board, while the outer conductor will be attached to the larger pad. Don't solder them together! This will create a short, and render your antenna inoperable, possibly even frying your router!

[Image: stripped.jpg, the LMR cable stripped with staggered conductors]

We also need to modify the case so that the external portion of the connector will fit through. My connector at the base was 3/4 of an inch, so I drilled a 3/4 inch hole into the edge of the case, right near the original connector.

[Image: new mount.jpg, the 3/4 inch hole drilled in the case]

Part of the selection of this location was so that it would still be at the top of the unit, and the board has a notch out of it at this location. The notch leaves a handy place to be able to fit the additional portion of the connector between the board and the edge of the case.

[Image: mounted.jpg, the connector mounted in the case]

Once mounted, solder the LMR from our new connector to the board as described earlier. I utilized some electrical tape to maintain the bend in the LMR and to hold it down to the board. This allows me to have both hands free to solder!

[Image: soldering.jpg, soldering the pigtail to the board]

Once complete we can reassemble our router and show off our new connector.

[Image: complete no antenna.jpg, the reassembled router with the new connector]

One of the nice features of using the RP-TNC connector is that we can reuse antennas from most of our other Linksys devices!

[Image: finished.jpg, the router with an external antenna attached]

Have fun adding new antennas!

- Larry "haxorthematrix" Pesce

larry /at/ pauldotcom.com