Archive for August 2006

Netcat - The TCP/IP Swiss Army Knife

Posted by: agent0x0

Ahh..netcat..how useful you are to me! If you don't use netcat for pen testing you absolutely have to. Good article below on how you can use netcat. Some of its capabilities:

* Outbound or inbound connections, TCP or UDP, to or from any ports
* Full DNS forward/reverse checking, with appropriate warnings
* Ability to use any local source port
* Ability to use any locally-configured network source address
* Built-in port-scanning capabilities, with randomizer
* Built-in loose source-routing capability
* Can read command line arguments from standard input
* Slow-send mode, one line every N seconds
* Optional ability to let another program service inbound connections

Netcat - The TCP/IP Swiss Army Knife

Social Engineering, the USB Way

Posted by: agent0x0

I remember a while back reading this article about how a pen testing company came up with a really neat way to social engineer the employees of a company. How? Place USB thumb drives at strategic locations (like the main entrance) and see if employees plug them in and open up applications or pictures contained on the drives. Great way to test your security policies! You can also conduct this type of test with CD-ROMs and even floppy disks.

digg - Social Engineering, the USB Way

MS06-042 Related Internet Explorer 'Crash' is Exploitable

Posted by: agent0x0

This is a nice surprise from Microsoft! The patch to fix an exploit..causes a crash that is itself exploitable! (say that fifty times in a row) What to do?

- Windows XP: Make sure you are on XP Service Pack 2. SP2 is not vulnerable. Or, disable HTTP1.1 functionality.

- Windows 2000 IE SP1: Disable HTTP1.1 functionality or better yet, upgrade to XP w/SP2.

Hopefully Microsoft releases a patch for the patch soon!

SecuriTeam - MS06-042 Related Internet Explorer 'Crash' is Exploitable

Web Surfing in Public Places Is a Way to Court Trouble - New York Times

Posted by: agent0x0

Very good article from the NY Times today about wireless security in airports and public hotspots. With an article in the "business" section of the NY Times, it goes to show that wireless security is becoming more of an issue. Some key points from the article:

- Educate your employees on how small a circle you travel in, noting that when you are on your cell phone, others are listening to your conversation.

- Someone could easily be using a packet sniffer at the airport or hotspot to sniff all of the traffic from your machine. Sniffers are easy to download and use.

- You should always use a VPN when surfing or checking email. That way all the traffic from your machine is encrypted. Most (smart) corporations provide VPN access to their employees. You can also use subscription services like HotSpotVPN for about $10 a month or use a free solution like Hamachi (highly recommended) to connect back to your home network via VPN and surf from your home Internet connection.

- Never use a public computer to access the Internet! It is way too easy to install a keylogger on these computers, and everything you type (passwords, CC#s) could be logged and sent to a malicious person. If you must use a public computer, use a solution like RoboForm ($30 shareware) that defeats keyloggers and encrypts your passwords to a USB key.

- Use a cable lock to lock your laptop to a chair or table if you leave your laptop unattended. This is especially important at a conference or hotel room.

- Use a Notebook Privacy Filter. This cool device only allows you to read your laptop screen. You can't view anything on the screen when looking at it from any angle but head on.

Web Surfing in Public Places Is a Way to Court Trouble - New York Times

TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software

Posted by: agent0x0

A few months ago I heard on the "Security Now!" podcast that there was a really good open-source encryption application that is so good that it is literally scary. It is so good, and so well done that you can use it for "plausible deniability". In TrueCrypt, this provides you with (from the TrueCrypt website):

1. True hidden volumes.

2. It is impossible to identify a TrueCrypt volume. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted.

Pretty cool eh? As a bonus, you can create a TrueCrypt volume on a USB flash drive for portability. So now you can carry a USB flash drive around with nothing but "random data"...and if you are caught with the secret plans to take over the world..they can be safely hidden within a secret volume..which on the outside contains your income tax returns that you were safeguarding. :) I hope to do a full review of TrueCrypt in the near future and let you know how the installation and ease of use is.

TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows XP/2000 and Linux

MacBook Wi-Fi hack didn't use Apple drivers

Posted by: agent0x0

So the truth comes out...here is a great quote from the article:

“Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is,” Apple Director of Mac PR, Lynn Fox, told Macworld. “To the contrary, the SecureWorks demonstration used a third party USB 802.11 device–not the 802.11 hardware in the Mac–a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.”

So much for credibility huh?

Macworld: News: MacBook Wi-Fi hack didn't use Apple drivers

'Pen' Testing in the Palm of Your Hand

Posted by: agent0x0

Immunity

So Immunity is about to release a wireless handheld called "SILICA" that includes hundreds of exploits to perform automated pen testing. If you are not aware, Immunity sells a product called "Canvas" which is in direct competition with "Core Impact" from Core Security Technologies. Basically, both these companies offer products very similar to the Metasploit Framework but a bit more automated. Whether or not commercial products are better than Metasploit for pen testing is a hot topic..I personally think you can get everything you want (and more) from Metasploit..but I really like the idea of putting all of this together in a handheld wireless device. As a bonus you can apparently connect this up to a "wired" network through Ethernet via USB cable, so it can be used on non-wireless networks as well. Too bad the going rate will be $3,000! However, I would think that this is just the beginning of open source tools and software that will be ported or available to Pocket PC type devices in the future.

'Pen' Testing in the Palm of Your Hand

Mocbot Spam Analysis

Posted by: agent0x0

LURHQ once again has done a very good analysis of how the latest Mocbot (which exploits the MS06-040 vulnerability) works in detail. It is also a good overview of how bots, botnets, and botherders control thousands of zombie machines to do their bidding. It also shows you how security researchers spy on the botherders to learn how these bots work...be careful though, you could get DDoSed!

LURHQ - Mocbot Spam Analysis

Biometric polygraph next for airport security?

Posted by: agent0x0

Interesting article on a biometric polygraph for airport security. This works by detecting emotional responses to a series of questions. If the person is nervous or worried, the system can detect that. In tests it has flagged 85% of "mock" terrorists and 8% of innocent passengers! 8% is a large amount....

So the question is..what if you are just nervous to fly, had a bad day or are just an emotional wreck to begin with? Biometrics is still a young technology that should be allowed to mature before sending this into every airport in America. The more undeveloped technology that is deployed for airport security, the longer it's going to take to get through security, that's for sure.

Biometric polygraph next for airport security?

Mocbot/MS06-040 IRC Bot Analysis

Posted by: agent0x0

LURHQ has released a very good analysis of the MS06-040 IRC bot which started exploiting vulnerable systems this weekend. You can view the analysis at the LURHQ website. SANS also has a very good article on some steps to take to block or detect this on your network. Note the following:

- Look out for laptops coming back into your internal network. Telecommuters who VPN in from home and then come back to the corporate network could be vulnerable if not patched.

- Outgoing traffic to 18067/TCP at bniu.househot.com or ypgw.walloan.com.

- Outgoing traffic to port 445/TCP (scans could be internal and external) looking for computers to infect.

- Anti-virus vendors may not be up-to-date with definitions so patching is your best defense right now.
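The two network indicators above (outbound 18067/TCP or the named controller hosts, and one source sweeping many hosts on 445/TCP) turned into a small detection script. This is an added example, not code from the LURHQ or SANS write-ups; the log layout is a constructed "date time action proto src sport dst dport" format, and the five-destination scan cutoff is an assumption.

```python
from collections import defaultdict

# Indicators from the LURHQ/SANS write-ups the post refers to.
C2_PORT = 18067
C2_HOSTS = {"bniu.househot.com", "ypgw.walloan.com"}
SMB_PORT = 445
SCAN_THRESHOLD = 5  # distinct 445/TCP destinations per source; an assumed cutoff

# Constructed sample log in a simple "date time action proto src sport dst dport"
# layout (not a real firewall's format): one infected host, one normal file-share user.
SAMPLE_LOG = """\
2006-08-13 09:01:02 ALLOW TCP 10.0.5.17 1035 10.0.5.1 139
2006-08-13 09:01:09 ALLOW TCP 10.0.5.17 1040 bniu.househot.com 18067
2006-08-13 09:01:10 ALLOW TCP 10.0.5.17 1041 10.0.6.2 445
2006-08-13 09:01:10 ALLOW TCP 10.0.5.17 1042 10.0.6.3 445
2006-08-13 09:01:11 ALLOW TCP 10.0.5.17 1043 10.0.6.4 445
2006-08-13 09:01:11 ALLOW TCP 10.0.5.17 1044 10.0.6.5 445
2006-08-13 09:01:12 ALLOW TCP 10.0.5.17 1045 10.0.6.6 445
2006-08-13 09:01:12 ALLOW TCP 10.0.5.17 1046 10.0.6.2 445
2006-08-13 09:01:30 ALLOW UDP 10.0.5.17 1047 10.0.5.1 53
2006-08-13 09:02:00 ALLOW TCP 10.0.5.22 1100 10.0.5.9 445
"""

def parse(line):
    """Split one line into the fields the checks need."""
    date, time, _action, proto, src, _sport, dst, dport = line.split()
    return {"ts": f"{date} {time}", "proto": proto, "src": src, "dst": dst, "dport": int(dport)}

def analyze(log_text):
    """Return (source, kind, detail) alerts: controller beacons and 445/TCP sweeps."""
    alerts = []
    smb_targets = defaultdict(set)  # source -> distinct hosts contacted on 445
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse(raw)
        if rec["proto"] != "TCP":
            continue
        # Bot reaching its controller: known port or known hostname.
        if rec["dport"] == C2_PORT or rec["dst"] in C2_HOSTS:
            alerts.append((rec["src"], "c2", rec["dst"]))
        # Many distinct 445/TCP destinations from one source looks like MS06-040 scanning.
        if rec["dport"] == SMB_PORT:
            smb_targets[rec["src"]].add(rec["dst"])
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append((src, "smb-scan", f"{len(targets)} hosts"))
    return alerts
```

Run against the sample, only 10.0.5.17 is reported (once for the beacon, once for the sweep); the single 445 connection from 10.0.5.22 is ordinary file sharing and stays quiet.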


WEP/WPA-PSK and Home Wireless Security

Posted by: agent0x0

Secure that router!

I was digging through some of my links today and noticed I had bookmarked a really good demo of how to crack WEP in 10 easy steps using free tools that you can download from the Internet (WHAX Live CD Distro, Aircrack, etc...).

How to crack WEP in 10 Easy Steps!

This once again shows how important it is that you use a "more" secure encryption like WPA. Most home cable/DSL wireless routers should now support the WPA-PSK (pre-shared key) standard. This should include vendors like Linksys, D-Link, and Netgear. Many home users don't know why WEP is so insecure and why WPA-PSK is the best way to secure a home wireless network.

What is WPA-PSK?

WPA-PSK is a mode of WPA that is for home users without enterprise (business) authentication requirements. WPA-PSK overcomes the major encryption issues with WEP; however, a weak WPA passphrase can be cracked in less than 30 seconds if a bad guy can manage to trick your wireless access point into revealing its initial handshake with the wireless client. Don't confuse passphrase with password as they are totally different. A good example of a weak passphrase that can be easily cracked is something like "myaccesspoint" or "passphrase". A bad guy can take this handshake data and crack your pre-shared key with a brute force or dictionary attack. The only defense against this type of attack is to use a long passphrase that would take years to crack even with the powerful computers we use today.

How to create a good passphrase?

The best way that I have found to create a good passphrase is to use a secure password generator website like the one Steve Gibson has created. What is nice about Steve's website is that you can use this password page to generate a 64-character random hex or 63-character random ASCII/alphanumeric passphrase (which one depends on what your router can handle) which is completely unique to you.

Once you have this passphrase you can copy/paste it into a blank text file and save it to a USB drive, floppy disk (if you still have these..), or burn it to a CD-R. With this text file you can then copy/paste the passphrase into your wireless access point configuration as well as your wireless clients. Keeping it on a removable device like a USB drive ensures you will have it for safekeeping. I keep mine locked away in my home safe with my other important documents.

This is the most recommended way to set up WPA-PSK on your home network. While there are more methods to properly secure a home wireless network, I will be discussing these in a future article.
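To make the passphrase vs. pre-shared-key distinction concrete, here is an added example (not code from the post or from Steve Gibson's generator page) that generates the 63-character ASCII or 64-hex-digit form locally and derives the key the access point actually uses: per IEEE 802.11i, a 64-hex-digit entry is the key itself, anything else goes through PBKDF2-HMAC-SHA1 with 4096 rounds salted by the SSID, which is exactly the step a dictionary attack has to repeat per guess. The 80-bit weakness cutoff and the space-free alphabet are assumptions of this example.

```python
import hashlib
import math
import secrets
import string

# A WPA-PSK passphrase is 8 to 63 printable ASCII characters; alternatively the
# 256-bit key itself can be entered as 64 hex digits. Space is left out of the
# alphabet here (an assumption) so the passphrase survives copy/paste cleanly.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_BITS = 80  # assumed cutoff below which a captured handshake is worth attacking offline
WORDLIST = {"passphrase", "myaccesspoint"}  # the weak examples named in the post

def random_ascii_passphrase(length=63):
    """63 characters from the OS CSPRNG; a local stand-in for the generator page."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_hex_psk():
    """The 256-bit key itself, as 64 hex digits, for routers that accept that form."""
    return secrets.token_hex(32)

def is_hex_psk(value):
    return len(value) == 64 and all(c in string.hexdigits for c in value)

def derive_pmk(passphrase, ssid):
    """Key the access point and client actually use (IEEE 802.11i): a 64-hex-digit
    passphrase is the key; anything else is PBKDF2-HMAC-SHA1, 4096 rounds,
    salted with the SSID. This is what a dictionary attack recomputes per guess."""
    if is_hex_psk(passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32)

def entropy_bits(passphrase):
    """Upper bound on guessing work, assuming every character were chosen at random."""
    if is_hex_psk(passphrase):
        return 256.0
    return len(passphrase) * math.log2(len(ALPHABET))

def is_weak(passphrase):
    """Flag anything on the wordlist or too short to resist offline guessing."""
    return passphrase.lower() in WORDLIST or entropy_bits(passphrase) < MIN_BITS
```

A generated 63-character passphrase scores around 413 bits by this estimate, while "passphrase" scores about 66 and is on the wordlist besides, which is the whole difference between a handshake being worthless and being a 30-second job.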

eEye Releases Free MS06-040 Scanner

Posted by: agent0x0

eEye has just released a free MS06-040 vulnerability scanner for you network admins out there. It will tell you which machines are vulnerable. It comes in 16-IP and 256-IP versions. This might come in handy if you need to quickly audit a network for vulnerable systems.

Network Security | IT Security | Vulnerability Assessment | Intrusion Prevention

Microsoft Bracing for Worm Attack

Posted by: agent0x0

I guess it is just a matter of time...a worm is about to be released, we can all feel it coming. A new module has even been released for Metasploit..so now the script kiddies can have some fun too. By the way, if you haven't patched for MS06-040..do it now!

Slashdot | Microsoft Bracing for Worm Attack

All electronic devices soon to be banned on airplanes?

Posted by: agent0x0

Security?

As I am sure all of you have heard in the news, a bomb plot was recently uncovered in London. What is now starting to happen because of this is that all electronic devices with a battery will most likely be banned from all flights. This will dramatically change the way people fly...could you imagine a 6+ hour flight without your iPod or laptop? How would this change the entire business world, as many people conduct lots of company business on long flights with a laptop? Lots of questions with very few answers, I am afraid.

CNN.com - Experts: Air security focuses on past threats - Aug 10, 2006

AOL search data identified individuals

Posted by: agent0x0

This is really scary..as if having AOL installed on your machine isn't scary enough! Personal search data should never be disclosed, as it can lead to all kinds of bad things. If I were an AOL subscriber..I would dump them in a heartbeat.

AOL search data identified individuals

MS06-040 = Patch now!

Posted by: agent0x0

Microsoft Patch Tuesday brings us another very critical vulnerability that needs to be patched ASAP! This one has the potential to be developed into a huge worm:

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Note: Even though this article says Windows SP2 can block this...patching should still occur regardless!

OSSEC HIDS - Open Source Security

Posted by: agent0x0

Looking for a free, open source host based IDS which also runs on Windows and Linux? Check out OSSEC:

OSSEC HIDS - Open Source Security

I will be installing this in a few days to give you my review. It looks very promising! Kinda like Cisco CSA for the masses...hmmm..here is a good review of OSSEC as well:

Linux.com Review

DefCon Photos and Info

Posted by: agent0x0

Good write up and pics below on DefCon going on right now in Las Vegas. If you don't know, DefCon is the largest black hat/white hat/fed hacker conference in the US. Hoping next year I can get this on my training schedule! Gotta love that "Wall of Sheep"..lol.

DefCon: Friday Insanity!

Proxy Sites Offer Secret Passage to Myspace

Posted by: agent0x0

Scary things, those pesky proxy servers...Not only is this a problem for college networks but it is a major issue for corporate IT security as well. The majority of corporate networks are now starting to block Myspace, especially after the recent "Flash banner ad worm" that hit Myspace not long ago. These proxy sites allow users to basically bypass any web filtering that is installed at the gateway. There are hundreds of these sites and more popping up all the time. Products like Websense and SurfControl can help; however, these sites only get blocked when the products' block lists get updated or the administrator manually adds the site(s) to a block list.

Slashdot | Proxy Sites Offer Secret Passage to Myspace

War driving by rocket at 6,800 feet

Posted by: agent0x0

So this is seriously cool..you have heard of "War Driving" and "War Flying", etc...how about "War Rocketing"? Only at DEFCON:

War driving by rocket at 6,800 feet

Microsoft to hackers: Take your best shot

Posted by: agent0x0

Finally, MS is taking Vista to the wolves! It's about time. Nothing better than the world's foremost hackers taking a stab at MS's upcoming OS. Will this make Vista more secure? Only time will tell, but it is a much better strategy than what MS has done in the past.

CNN.com - Microsoft to hackers: Take your best shot - Aug 3, 2006

Windows XP Local Privilege Escalation and BlackHat 2006

Posted by: agent0x0

Very interesting read and demo on the SANS Internet Storm Center website today about how easy it is to gain "system" level access from an admin account:

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Hack a MacBook in 60 seconds?

Yep, it's true...imagine what could happen if this type of exploit got out in the wild? F-Secure also notes that the patch for Centrino laptops is a mere 129 MB!

Hack a Mac in 60 seconds