War Driving is so 2000, Here comes war shipping
“We’re just saying you have to be a little creative with the tools you have and you can do some fun stuff,” says Graham, CEO of Errata Security.

The idea for shipping an iPhone equipped with WiFi auditing tools like tcpdump and Nmap came mostly out of necessity for Graham and Maynor: “One of our customers that was out of state wanted us to do a wireless audit for them as part of a pen test, but we would have been sniffing packets and then twiddling our thumbs” for the basic audit, Graham says, plus the client had multiple out-of-state sites. “This was a simple solution that didn’t [require] us going onsite.”

So the researchers enable the tools on the iPhone, add a separate battery pack, and ship it out via overnight delivery. Once there, the iPhone collects security data on the WiFi network, such as whether encryption is deployed and, if so, what type, as well as detecting rogue access points or laptops vulnerable to attacks delivered over WiFi. There’s an SSH connection to the iPhone so they can run the tests from a command line, Graham says.

Graham says the data and packets it captures are then run through the firm’s Ferret WiFi hacking tool. “We have a Ferret build for the iPhone, but it’s not working yet,” Graham says. They’re also looking at running the Metasploit hacking tool on the iPhone as well, he says. WiFi fuzzing is another option, Graham says, and the researchers may try it with the Nokia N810.

Graham and Maynor have also added a few twists to gauging a firm’s vulnerability to a targeted, or spear phishing, attack. They set up a phony 401K management firm site for a client that looks a lot like a legitimate company. The researchers then gather user email addresses from their client and send out a bogus message purportedly from the human resources department saying that the company is changing 401K providers. “It says the user needs to log on and opt in,” Graham says. “So we can get usernames and passwords.”

But unlike most phishing attacks that attack the desktop directly, this one goes after the browser using an ActiveX control that they get “signed,” so it appears legitimate and will run on the victim’s machine. They also established legitimacy for the site and were able to purchase an SSL certificate from VeriSign, he says. “So the user will download and run the ActiveX code and now we own their computer,” he says. “They get a nice, trusted SSL connection.”

David Maynor is a founder of Errata Security and serves as its Chief Technical Officer. Mr. Maynor is responsible for the day-to-day technical decisions of Errata Security and also draws on a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor was previously the Senior Researcher for Secureworks and a research engineer with the ISS X-Force R&D team, where his primary responsibilities included reverse engineering high-risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent three years at the Georgia Institute of Technology (GaTech), the last two as part of the information security group, working as an application developer to help make the sheer size and magnitude of security incidents on campus manageable.

Robert Graham is the co-founder and CTO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS, written more than 10 years ago, was designed to catch Morris-worm copycats. He is the author of several pending patents in the IDS field. He is the author of well-regarded security-related documents and is a frequent speaker at conferences. Previously he was the chief scientist of Internet Security Systems. Before that he was the co-founder, CTO, and chief architect of Network ICE, which was acquired by Internet Security Systems.
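The survey step the shipped iPhone performs (which encryption each access point advertises, and whether any access point is one the client does not own) reduces to a classification pass over captured 802.11 beacon frames. The following is an added example written for this page; it is not Errata Security's Ferret or their iPhone toolkit. The beacon records, BSSIDs, SSIDs and the authorized-AP list are constructed; in a real engagement the records would be parsed from a tcpdump capture of management frames and the authorized list would come from the client's inventory.

```python
# Added example (not Errata Security's code): classify captured beacons by the
# encryption they advertise and flag access points the client does not own.
# All beacon records below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    privacy: bool          # "Privacy" bit in the beacon's capability field
    rsn_ie: bool = False   # RSN (WPA2) information element present
    wpa_ie: bool = False   # vendor-specific WPA (v1) information element present
    akms: tuple = ()       # advertised auth/key-management suites, e.g. ("PSK",) or ("802.1X",)


def classify_encryption(b: Beacon) -> str:
    """Return the strongest protection the beacon advertises.

    An RSN IE means WPA2 and a vendor WPA IE means WPA (v1); 802.1X in the
    AKM list distinguishes Enterprise from PSK. The Privacy bit set with
    neither IE present is how a WEP network shows up in a capture.
    """
    if b.rsn_ie:
        return "WPA2-Enterprise" if "802.1X" in b.akms else "WPA2-PSK"
    if b.wpa_ie:
        return "WPA-Enterprise" if "802.1X" in b.akms else "WPA-PSK"
    if b.privacy:
        return "WEP"
    return "OPEN"


WEAK = {"OPEN", "WEP"}   # findings a pen-test report would flag outright


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so inventory and capture compare equal."""
    return mac.strip().lower().replace("-", ":")


def find_rogues(beacons, authorized_bssids, corporate_ssids):
    """Flag APs whose BSSID is not on the client's authorized list.

    An unauthorized AP advertising a corporate SSID is treated as an evil
    twin; any other unknown AP is reported for triage. Returns a list of
    (bssid, ssid, severity, encryption) tuples in capture order.
    """
    allowed = {normalize_mac(m) for m in authorized_bssids}
    rogues = []
    for b in beacons:
        bssid = normalize_mac(b.bssid)
        if bssid in allowed:
            continue
        severity = "evil-twin" if b.ssid in corporate_ssids else "unknown-ap"
        rogues.append((bssid, b.ssid, severity, classify_encryption(b)))
    return rogues


def survey_report(beacons, authorized_bssids, corporate_ssids):
    """Summarise a capture: encryption per authorized AP, weak APs, rogues."""
    allowed = {normalize_mac(m) for m in authorized_bssids}
    encryption = {normalize_mac(b.bssid): classify_encryption(b)
                  for b in beacons if normalize_mac(b.bssid) in allowed}
    weak = sorted(m for m, enc in encryption.items() if enc in WEAK)
    return {
        "encryption": encryption,
        "weak_authorized": weak,
        "rogues": find_rogues(beacons, authorized_bssids, corporate_ssids),
    }


# Constructed sample capture: two sanctioned WPA2-Enterprise APs, one
# sanctioned WEP AP, an evil twin of the corporate SSID, and a stray open AP.
SAMPLE_BEACONS = [
    Beacon("CorpNet", "00:11:22:33:44:01", True, rsn_ie=True, akms=("802.1X",)),
    Beacon("CorpNet", "00:11:22:33:44:02", True, rsn_ie=True, akms=("802.1X",)),
    Beacon("CorpLegacy", "00:11:22:33:44:03", True),                          # WEP
    Beacon("CorpNet", "de:ad:be:ef:00:01", True, wpa_ie=True, akms=("PSK",)),  # evil twin
    Beacon("linksys", "de:ad:be:ef:00:02", False),                             # open
]
AUTHORIZED = ["00-11-22-33-44-01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
CORPORATE_SSIDS = {"CorpNet", "CorpLegacy"}

if __name__ == "__main__":
    report = survey_report(SAMPLE_BEACONS, AUTHORIZED, CORPORATE_SSIDS)
    for bssid, enc in sorted(report["encryption"].items()):
        print(f"{bssid}  {enc}")
    print("weak authorized APs:", report["weak_authorized"])
    for rogue in report["rogues"]:
        print("ROGUE", *rogue)
```

Two practical caveats. Beacon-based classification only sees what an access point advertises, so a hidden SSID will not match the corporate list by name; the BSSID inventory is what actually decides authorized versus rogue, and the SSID match only sets severity. And the evil-twin case (an unknown BSSID beaconing the corporate SSID, here with weaker WPA-PSK than the real network) is the one to escalate first, since it is exactly what a credential-harvesting rogue looks like to the laptops the audit is meant to protect.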
Author
Amit Vartak, 27, has been working in the wired and wireless security fields for the last 3-4 years. His current areas of interest include the IEEE 802.11 (Wi-Fi) suite of protocols, vulnerabilities in these protocols, and countermeasures for those vulnerabilities. Working on cutting-edge tools and technology always keeps him busy. He contributed from concept level to final prototyping for the presentations at Defcon 2007 (The Emperor Has No Cloak - WEP Cloaking Exposed) and Toorcon 2007 (Caffe Latte attack). He holds 2 patents with the USPTO (current status: patent pending) and has a few papers in IEEE journals on wireless protocol vulnerabilities. Prior to this, he worked on MEMS (Micro Electro Mechanical Systems) and published a few papers in SPIE and ICMAT. (Yeah… kinda orthogonal fields… but technology really doesn’t limit the talent :) He did his master’s in Electrical Engineering at one of the premier institutes in India, the Indian Institute of Technology, Bombay (IIT-Bombay), and his undergraduate degree in Electronics and Telecommunication Engineering at the University of Mumbai. He has been working with AirTight Networks Inc. as a team lead in the technology group for the last 3 years. You can get in touch with him at amitcv[at]gmail[dot]com