Why?

UCSniff was created as a Proof of Concept demonstration tool and a method of creating awareness around VoIP/UC threats. It can be used by VoIP/UC Administrators to test their own VoIP or Video Infrastructure in a pilot before vulnerabilities are rolled into production. It can also be used by security professionals as a method of convincing IT decision makers that security best practices should be applied to VoIP/UC in the same way that they are applied to other TCP/IP based, client-server applications.

New Features

• Real time VoIP and Video monitoring.
• New codec support, G729, G726, G723.
• GUI version of Windows and Linux.
• TFTP MitM Modification of IP phone settings.
• New VideoSnarf tool – Converts offline RTP pcap file to media file.
• Windows VLAN implementation, for VLAN Hopping in Windows.

Or read more here.

And guess what, someone thought of using it to crack passwords. It seems the cut-off would be a 12 character password as even with all lower case characters it would cost USD1.5 million to crack.

It gets exponentially cheaper as you remove each character (due to the calculation using the power of the number of characters) so a 10 character password would only cost you just over USD2000!

Forget what you’ve learned about password security. A simple pass code with nothing more than lower-case letters may be all you need – provided you use 12 characters.

That’s the conclusion of security consultant David Campbell, who calculated the cost of waging a brute-force attack on various types of passwords using cloud computing services offered by Amazon.

Based on hourly fees Amazon charges for its EC2 web service, it would cost more than $1.5m to brute force a 12-character password containing nothing more than lower-case letters a through z. But user beware, an 11-character code costs less than $60,000 to crack, and a 10-letter phrase costs less than $2,300.

Adding upper-case letters and numbers to a password offers some additional security, but not as much as you might think. Such a phrase using 10 characters would cost less than $60,000 to attack, while an 11-character code would cost roughly $2.1m. Even passwords that contain an additional 32 characters such as !@#$% are relatively cheap to crack if they are short enough. An eight-character password would cost a little more than $106,000.

I’d say adding upper case letters and numbers makes quite a difference, a 10 character passwords jumps from just over USD2000 to crack all the way up to USD60,000. That’s a factor of 30!

I’d say a 10 character password containing uppercase, lowercase, numbers and specials characters should be well into the millions and keep you fairly safe.

I did write some guidelines and tips on creating a secure password a while back, you can check it out here – Good Password Guidelines – How to Make a Strong/Secure Password.

The analysis, which Campbell posted here, builds off of research fellow security consultant Haroon Meer of SensePost presented earlier this year at the Black Hat conference. In it, he showed how EC2 could provide criminals using stolen credit cards with the equivalent of a super computer to crack encryption keys and passwords.

And that, in turn, will require new ways of thinking on the part of white hats.

“As it becomes possible now for the black hat community to get their hands on large amounts of computing power, we as security professionals are going to need to reassess threat models that we thought previously were not a factor,” said Campbell. “Using stolen credit cards, they could create a super computer that would be faster potentially than what the three-letter agencies have and they wouldn’t be paying for the CPU cycles.”

Although Amazon takes pains to ration resources it makes available to single customers, Meer showed it was possible to get around such limitations using a single credit card. Presumably, it would be even easier to bypass those controls using hundreds or thousands of stolen credit cards, something that is trivial for criminals to get a hold of. Campbell’s assumptions are based on simple arithmetic.

It’s interesting research nevertheless, I’d say Cloud Computing is only going to get more powerful and cheaper to rent so character based passwords may become completely defunct at some point in the future.

The computing power is not at the point where you have to worry about your 1024 bit RSA encryption quite yet, but it may well be in the near future as it’s already advised to use a 2048 bit key length!

Combining this platform with the abundance of stolen credit card details the blackhats have could be quite devastating.

Source: The Register

Not quite so catchy though is it.

Well at least they doing something to try and nurture talent in the security arena, even if it is a little misguided.

The UK government has launched plans to find the best young hackers through a talent competition.

Would-be cyberdefenders will be rated on their abilities to thwart attacks and hack into websites. Winners will be offered courses by the respected SANS Institute and assigned mentors.

University course and work placements also form part of the putative programme, due to take its first intake late next year, The Times reports.

Hack Idol may be a catchy concept, and it’s easy to see how eccentric security minister Lord West – who famously reckons reformed naughty-boy hackers might play an important role in Britain’s cyber-defence – might get sold on the idea.

The prizes are pretty good for anyone into infosec, courses from SANS, uni courses and possible work placement.

It would be a great start to a security career for the average hacker nerd currently doing his A-Levels at college.

I guess as well as building the security industry, they are also trying to entice the more blackhat students to defect to the white side – or at least be a little more grey than black.

In addition, there’s a precedent from across the Atlantic. The UK scheme resembles the much larger US Cyber Challenge programme which is “looking for 10,000 young Americans with the skills to fill the ranks of cyber security practitioners, researchers, and warriors”.

The winner of the first US Cyber Challenge was Michael Coppola, 17, of Connecticut, who gained plaudits for breaking into the scoring system and awarding himself extra points – a move straight out of cult haxploitation flick WarGames.

Sounds like good fun, but the idea of taking the now-ubiquitous TV talent show/glorified karaoke concept and applying it to computer security to find the next Neo sounds more than a little wrong-headed.

It definitely does have some similarities to the US program, which as new as it is hasn’t really proved anything yet either.

It’s something to watch out for, we’ll have to see where it goes.

Source: The Register

Flawfinder is specifically designed to be easy to install and use. After installing it, at a command line just type:

flawfinder directory_with_source_code

Flawfinder works on Unix-like systems today (it’s been tested on GNU/Linux), and it should be easy to port to Windows systems. It requires Python 1.5 or greater to run (Python 1.3 or earlier won’t work).

Speed

Flawfinder is written in Python, to simplify the task of writing and extending it. Python code is not as fast as C code, but for the task I believe it’s just fine. Flawfinder version 0.12 on a 400Mhz Pentium II system analyzed 51055 lines in 39.7 seconds, resulting in an average of 1285 analyzed lines/second. Flawfinder 1.20 and later will report their speed (in analyzed lines/second) if you’re curious.

How it works

Flawfinder works by using a built-in database of C/C++ functions with well-known problems, such as buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random()). The good thing is that you don’t have to create this database – it comes with the tool.

Flawfinder then takes the source code text, and matches the source code text against those names, while ignoring text inside comments and strings (except for flawfinder directives). Flawfinder also knows about gettext (a common library for internationalized programs), and will treat constant strings passed through gettext as though they were constant strings; this reduces the number of false hits in internationalized programs.

You can download Flawfinder here:

flawfinder-1.27.tar.gz

Or read more here.

The legal system has ticked along and now they have to stand up for their charges, which are spiraling as more and more cases are linked to them.

Albert “Segvec” Gonzalez has been indicted by a federal grand jury in New Jersey — along with two unnamed Russian conspirators — on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.

According to the court document, the hackers allegedly stole more than 130 million credit and debit card numbers (.pdf) from Heartland and Hannaford combined. Prosecutors say they believe these breaches constitute the largest data-breach and identity-theft case ever prosecuted in the United States. They’re investigating other breaches and have not ruled out Gonzalez’s involvement in even more intrusions.

“We’re not seeing a huge array of hackers capable of doing this, but rather a more select group, [and that] demonstrates that there is a level of sophistication involved in these hacks,” said Assistant U.S. Attorney Erez Liebermann of the Justice Department’s New Jersey district office.

As with most things, 80% of the damage is done by 20% of the people. I’d say in this case it’s more like 98% of the damage is done by 2% of the hackers only a few of which ever get caught.

I think these guys just got too greedy and went after too many targets, but then their credit card theft ring is called “Operation Get Rich or Die Tryin”. They aren’t likely to die, but they are likely to go down for a long time.

But these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies. Jury selection is slated to begin Sept. 14 in one of those cases. With regard to the Heartland-Hannaford cases, Gonzalez and the two unnamed Russian hackers have been charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit wire fraud.

They each face a maximum penalty of five years in prison and a possible maximum fine of $250,000 on the computer-fraud count and an additional 30 years and $1 million fine on the wire-fraud count, or twice the amount they gained from the offense, whichever is greater.

Attorneys for Gonzalez were not available for comment.

According to the New Jersey indictment, Gonzalez, 28, and an uncharged conspirator identified only as “P.T.,” allegedly found their targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment-processing systems they used and uncover vulnerabilities. The hackers used computers they leased or controlled in California, Illinois and New Jersey as well as in Latvia, Ukraine and the Netherlands to store malware, launch their attacks against the networks, and receive the stolen numbers.

If you tally up all the counts that could be one hell of a sentence, especially with the 30 years for the wire-fraud tacked on. I guess if they ever manage to get out of prison, they might get to enjoy the millions they have stolen.

That is assuming they’ve laundered it and stashed it safely somewhere outside the jurisdiction of a US federal investigation.

Either way it’s an interesting case and I’m sure there will be more news about it.

Source: Wired (Thanks Navin)

IKE Agressive Mode BruteForce Summary

Aggressive Mode IKE authentication is composed of the following steps:

1. Initiating client sends encryption options proposal, DH public key, random number [nonce_i], and an ID in an un-encrypted packet to the gateway/responder.
2. Responder creates a DH public value, another random number [nonce_r], and calculates a HASH that is sent back to the initiator in an un-encrypted packet. This hash is used to authenticate the parties to each other, and is based on the exchange nonces, DH public values, the initiator ID, other values from the initiator packet, and the Pre-Shared-Key [PSK].
3. The Initiating client sends a reply packet also containing a HASH, but this response is normally sent in an encrypted packet.

IKECrack utilizies the HASH sent in step 2, and attempts a realtime bruteforce of the PSK. This involves a HMAC-MD5 of the PSK with nonce values to determine the SKEYID, and a HMAC-MD5 of the SKEYID with DH pubkeys, cookies, ID, and SA proposal. In practice, SKEYID and HASH_R are calculated with the Hash cipher proposed by the initiator, so could actually be either SHA1 or MD5 in HMAC mode.

Project Details

IKECrack utilizes components from the following OpenSource/PublicDomain programs:

• MDCrack
• Ron Rivest’s MD5
• Simeon Pilgrim’s Reverse MD5
• MD5 and HMAC-MD5 PerlMods
• libpcap

Performance

Initial testing with Perl based IKECrack shows numbers of 18,000 tests per second with a PIII 700, and can bruteforce 3 chars of ucase/lcase/0-9 in 13 seconds.

MDCrack [a MD5 bruteforce tool] can achieve 1.5 million keys per second with pure MD5 and a PIII 700. PSK bruteforcing consists of 4 MD5’s, and 4 64 byte XORs….but should still be able to achieve 375,000 IKE keys per second. Preliminary tests in C have shown 26,000 keys per second with un-optimized routines. I’m hoping that Simeon Pilgrim’s MD5 routines will speed this up a bit more.

You can download IKECrack here:

ikecrack-snarf-1.00.pl

Or read more here.

A bootkit is a boot virus that is able to hook and patch Windows to get load into the Windows kernel, and thus getting unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the master boot record (where Stoned is stored) is not encrypted. The master boot record contains the decryption software which asks for a password and decrypts the drive. This is the weak point, the master boot record, which will be used to pwn your whole system. No one’s secure!

For whom is Stoned Bootkit interesting?

1. Black Hats
2. Law enforcement agencies
3. Microsoft

Why is Stoned something new? Because it is the firts bootkit that..

• attacks Windows XP, Sever 2003, Windows Vista, Windows 7 with one single master boot record
• attacks TrueCrypt full volume encryption
• has integrated FAT and NTFS drivers
• has an integrated structure for plugins and boot applications (for future development)

“A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It’s a very interesting type of rootkit.” – Robert Hensing about bootkits

You can download Stoned Bootkit here:

Open Source Framework – Stoned Bootkit Framework.zip
Infector file – Infector.exe

Or you can read more here.

The war against whitehats has started up again more vehemently recently with zine known as zero for owned or ZFO.

The latest edition has just hit the streets with some really high profile hacks this time and a HUGE amount of information disclosure. They don’t release any exploits or code, but they do point out sections of certain apps that may be vulnerable. It’s an interesting read, especially the commentary.

You can find the full zf05.txt issue here:

zf05.txt – be warned it’s a 29,000 line text file.

The highest profile hacks must be of Mitnick and Kaminsky, as of now doxpara.com is still down.

Two noted security professionals were targeted this week by hackers who broke into their web pages, stole personal data and posted it online on the eve of the Black Hat security conference.

Security researcher Dan Kaminsky and former hacker Kevin Mitnick were targeted because of their high profiles, and because the intruders consider the two notables to be posers who hype themselves and do little to increase security, according to a note the hackers posted in a file left on Kaminsky’s site.

The files taken from Kaminsky’s server included private e-mails between Kaminisky and other security researchers, highly personal chat logs, and a list of files he has purportedly downloaded that pertain to dating and other topics.

No one has ANY idea how long they’ve owned these boxes and been up your mailspoolz. Are they watching you, have they owned your box? If you’re a ‘notable’ whitehat, you speak at conferences and market yourself like a whore.

Most likely yes they are up in your shit.

One day they will rm -rf it and publish all your e-mails in the next edition of zfo zine.

The hacks also targeted other security professionals, and were apparently timed to coincide with the Black Hat and DefCon security conference in Las Vegas this week, where Kaminsky is unveiling new research on digital certificates and hash collisions.

Kaminsky made headlines last year for his Black Hat talk about vulnerabilities in the Domain Name System. He was accused by many in the security community of hyping the issue after he teased the topic in a press conference call a month before his talk without revealing details of the vulnerability, leading everyone to speculate on the nature of it. He was presented with a Pwnie award for Most Overhyped Bug and for “owning” the media.

The hackers criticized Mitnick and Kaminsky for using insecure blogging and hosting services to publish their sites, that allowed the hackers to gain easy access to their data.

Pretty scary stuff, considered all these self-proclaimed experts are having their own sites hacked. What hope do the rest of us mere mortals have?

Little to none, as always a skilled persistent attacker will ALWAYS get in.

A bunch of others got pwned too including hak5, Robert Lemos, Blackhat Forums, PerlMonks, Elite Hackers and BinRev (Binary Revolution).

Source: Wired (Thanks Navin)

The last one I recall was the Clickjacking Vulnerability, which also effected Chrome.

It seems like it’s not too serious of an issue and will only cause crashing, there’s no room for remote exploitation or code execution. So it may be an annoyance, but if it’s true – it’s not that serious.

Mozilla is denying that a bug that crashes Firefox 3.5 is a security vulnerability, countering earlier reports that the company’s latest browser contained a flaw even though it had just been patched.

In a Sunday post to Mozilla’s security blog, Mike Shaver, the company’s vice president of engineering, said that the bug, which had originally been disclosed on the milw0rm hacker site, is not a vulnerability. “The reports by press and various security agencies have incorrectly indicated that this is an exploitable bug,” Shaver said. “Our analysis indicates that it is not, and we have seen no example of exploitability.”

Exploit code hit milw0rm last Wednesday. Firefox developers immediately logged the bug into Bugzilla, Mozilla’s change- and bug-tracking database. The bug, continued Shaver, does crash Firefox 3.5 — and the recently-released 3.5.1 — in some situations. But there’s no way for an attacker to exploit that by injecting malicious code on the machine. The bug can crash Windows, Mac and Linux editions of Firefox, including Firefox when it’s being run on the still-unfinished Windows 7.

I guess they will fix it soon enough in the next release (3.5.2) which should come along fairly shortly. I’d have to say I believe the Mozilla developers if they say it’s not exploitable.

So it’s not too big of an issue to worry about, just wait for the next patch roll out and you should be saved from any random crashes caused by malicious sites.

Both Shaver in his blog post and developers on Bugzilla noted that the Firefox crash on Macs was due to a flaw in Apple’s operating system, specifically the ATSUI system library. “We have reported this issue to Apple, but in the event that they do not provide a fix we will look to implement mitigations in Mozilla code,” Shaver said.

Mozilla developer Vladimir Vukicevic countered that it was unlikely Apple would fix the problem. “We’ve reported this and similar bugs in the past to Apple; they have so far had no interest in fixing such bugs in their font rendering subsystems, especially if they’re in ATSUI and not CoreText,” said Vukicevic on Bugzilla.

Another Mozilla hand suggested that the Mac OS X bug may affect other browsers as well. “Chances are more applications use the same buggy API (Safari? Chrome?),” Andreas Gal said. Gal, a project scientist at the University of California-Irvine, was a key contributor to the TraceMonkey JavaScript engine that Mozilla added to Firefox with Version 3.5.

Just last Thursday, Mozilla patched Firefox 3.5 for the first time, issuing a fix for a critical vulnerability in TraceMonkey’s just-in-time (JIT) compiler. In the run-up to creating a fix for that flaw, Mozilla developers speculated that the hacker had dug through Bugzilla to find information that helped him exploit the vulnerability.

I’ve said for quite a while that open source is a double edged sword, especially when resources such as Bugzilla are public and allow people with malicious intent to dig through the archives and look for bugs that could be exploitable.

With the code being open and the bugs being open too, it makes it much easier to develop exploits.

Thankfully it also leads to less bugs and them being fixed faster, I know which I prefer any day.

You can find the exploit on milw0rm here:

Firefox 3.5 unicode stack overflow

Source: Network World

But then he exposed his IP address on IRC, posted his face on some freaky vampire site and posted up screenshots of the HVAC system he ‘owned’ on a forum.

He wasn’t exactly making it hard for someone to find him..especially seen as though he actually WORKED IN THE HOSPITAL.

The leader of a malicious hacker collective who used his job as a security guard to breach sensitive Texas hospital computers has been arrested just days before his group planned a “massive DDoS” attack for the July 4 Independence Day holiday.

Jesse William McGraw, 25, of Arlington, Texas, was taken into custody late Friday evening after posting screenshots showing he had complete control of computers that administered air-conditioning systems at The Carrell Clinic in Dallas, federal prosecutors said. McGraw also brazenly posted videos showing him installing malware on hospital computers that made them part of a botnet he operated, said a network security expert, whose sleuthing uncovered the breach.

As a contract security guard at the hospital, McGraw had no authorized access to any of its computers. But that didn’t stop the miscreant, who went by the handle GhostExodus, from taping himself as he walked down the halls of the hospital with a blue security guard uniform poking out through a gray hoody, as he bragged about gaining control over sensitive computers.

If there was ever an original script kiddy, I think this guy fits the bill perfectly.

Seems like his l33t hacking skills extend to walking into rooms he has access too (with a security card), and taking some screenshots!

Or perhaps even sometimes he booted in with BackTrack and reset the passwords.

“It’s a unique mindset among these hackers,” said Wesley McGrew, a 29-year-old network PhD network security researcher at Mississippi State University. “It’s all about respect and fame and the respect of their equally weird peers.”

According to McGrew and federal prosecutors in Dallas, McGraw was the leader of a hacker gang known as the Electronik Tribulation Army. He had recently posted videos admonishing fellow hackers to carry out a “massive DDoS,” or distributed denial of service, attack on July 4, a date he called “Devil’s Day”. While the target and other details of the attack are unknown, the investigators are taking the threat seriously because McGraw, prior to his arrest, had tendered his resignation as a security guard job effective July 3.

According to court documents, hospital officials had experienced problems with their HVAC, or heating, ventilation and air-conditioning, units and were perplexed why none of the system alarms had gone off as programmed. Had they seen screenshots posted here by someone calling themselves GhostExodus, they would have known why. They images showed the HVAC control window for the hospital’s surgery unit. A test alarm setting was turned to “inactive.”

“You almost can’t help it ya know,” GhostExodus writes. “It must be done!”

Yah you just can’t help messing with the critical HVAC system of a hospital YOU TOOL. What is the point of that anyway, other than bragging rights (which will only impress other script kiddies).

Who knows…I guess if he had any real skills he wouldn’t be working as a security guard and he’d actually be using his talent to make some real bank.

Oh well, good luck to you I say GhostExodus.

Source: The Register