Sunday

Help us. CCC is still looking for (security) talks for 25C3.



If you think you can give an interesting talk for the 25th Chaos Computer Congress, please submit it to the CFP. Help us make this 25th edition a special one !!!!!

You still have lots of time to hand in your talks for the 25th Chaos Communication Congress, as submissions are due October 5th, 2008 (Midnight UTC). Then again, you may not want to wait too long.

We currently have about 70 submissions in our queue and there is definitely room for more. Some of the proposals for talks we received are very good and will probably make it into the final program of the Congress. However, some make us scratch our heads: With nothing more than a title and a name of a speaker entered, it’s rather tricky to decide if the submission is any good.

Please take your time and read through the submission guidelines carefully. At the very least, we need a description and an abstract for both the talk and the speaker. We also love to see pictures of the speaker and maybe a nifty title graphic for the talk. The more complete your submission is, the better. Now go and hand in that presentation that will change the lives of 25C3 visitors forever. The deadline is only a bit over one month away… (Source CCC Event Blog)

The Chaos Computer Congress is the annual four-day conference organized by the Chaos Computer Club (CCC) in Berlin, Germany. First held in 1984, it has since established itself as "the European Hacker Conference", attracting a diverse audience of thousands of hackers, scientists, artists, and utopists from all around the world.

We want you to join and be a part of this unique event which serves as a public platform for cross-culture inspiration and borderless networking. 25C3 is fun!

(Photo under Creative Commons from antenne's photostream)

Wednesday

Some new features of NMAP explained

Fyodor made several enhancements to the NMAP scanner. Daniel Miessler was one of the lucky people who attended his latest presentation at Blackhat, and he posted an overview of some of the new features (dmiessler.com).

Abstract:

The --top-ports Scan Option

One of Fyodor’s main focuses was improving Nmap’s speed through improved efficiency. One of the best ways to do this is to allow for scans of fewer ports, but this requires that you choose those ports carefully so as to miss as little as possible. So what he did, through trial and error and tons of scans, was figure out the most frequently open ports on the Internet.

Here they are for each protocol:

TCP

  1. 80
  2. 23
  3. 22
  4. 443
  5. 3389
  6. 445
  7. 139
  8. 21
  9. 135
  10. 25

UDP

  1. 137
  2. 161
  3. 1434
  4. 123
  5. 138
  6. 445
  7. 135
  8. 67
  9. 139
  10. 53

Ok, so now that we know what the top 10 ports are, wouldn’t it be cool to be able to scan based on them? And what if we wanted to scan the top 50? Or the top 100?

Fyodor has built this in with the --top-ports option. It’s wicked nice, and you invoke it like this:

nmap --top-ports 100 $target

And of course, 100 is just an arbitrary number, so you could just as easily do this:

nmap --top-ports 3000 $target

As you increase this number you obviously gain more and more accuracy, but because the ports are organized according to the most commonly found on the Internet, you can scan relatively few and still have good chances of finding everything open.

Stats from his presentation on TCP port efficiency using --top-ports:

--top-ports 10: 48%
--top-ports 50: 65%
--top-ports 100: 73%
--top-ports 250: 83%
--top-ports 500: 89%
--top-ports 1000: 93%
--top-ports 2000: 96%
--top-ports 3764: 100%

This means for just curiosity scans I can go with --top-ports 1000 and get roughly 93% accuracy in a fraction of the time.

Read his full post for the other options.
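
To see how a frequency-ranked port list is built, and which of your own exposed services a small --top-ports scan would skip, here is an added example (not from Fyodor's talk or Daniel Miessler's post). Nmap keeps a measured open-frequency per port in its nmap-services data file; the table below is constructed sample data in that layout, with invented frequencies chosen only so the order matches the lists quoted above. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: frequency-ranked port selection, the idea behind --top-ports.
# CONSTRUCTED sample in the nmap-services layout (name, port/proto, frequency).
# The frequency values are invented; only their order follows the page.

sample_services() {
cat <<'EOF'
# name          port/proto  open-frequency (constructed values)
ftp             21/tcp      0.048
ssh             22/tcp      0.180
telnet          23/tcp      0.220
smtp            25/tcp      0.046
domain          53/udp      0.100
http            80/tcp      0.480
pop3            110/tcp     0.030
ntp             123/udp     0.280
msrpc           135/tcp     0.047
netbios-ns      137/udp     0.360
netbios-ssn     139/tcp     0.050
snmp            161/udp     0.300
https           443/tcp     0.170
microsoft-ds    445/tcp     0.056
ms-sql-m        1434/udp    0.290
ms-wbt-server   3389/tcp    0.080
http-proxy      8080/tcp    0.020
EOF
}

# ranked_ports PROTO: read nmap-services-style lines on stdin and print
# "frequency port" pairs for PROTO, most frequently open first.
ranked_ports() {
  awk -v proto="$1" '
    /^[ \t]*#/ || NF < 3 { next }      # skip comments and short lines
    {
      split($2, pp, "/")               # "80/tcp" -> pp[1]=80, pp[2]=tcp
      if (pp[2] == proto && pp[1] ~ /^[0-9]+$/ && $3 ~ /^[0-9.]+$/)
        print $3, pp[1]
    }' |
  sort -k1,1nr -k2,2n
}

# top_ports PROTO N: comma-separated list of the N highest-ranked ports.
top_ports() {
  ranked_ports "$1" | head -n "$2" | awk '{ print $2 }' | paste -sd, -
}

# rank_of PROTO PORT: 1-based rank of PORT, or no output if it is not listed.
rank_of() {
  ranked_ports "$1" | awk -v port="$2" '$2 == port { print NR; exit }'
}

# covered_by PROTO N PORT...: for each port a host exposes, report whether a
# scan limited to the top N ports would probe it at all.
covered_by() {
  cb_proto=$1; cb_n=$2; shift 2
  cb_services=$(cat)                   # keep stdin so it can be re-read
  for cb_port in "$@"; do
    cb_rank=$(printf '%s\n' "$cb_services" | rank_of "$cb_proto" "$cb_port")
    if [ -n "$cb_rank" ] && [ "$cb_rank" -le "$cb_n" ]; then
      echo "$cb_port probed (rank $cb_rank)"
    else
      echo "$cb_port missed"
    fi
  done
}

# Demo on the constructed table.
sample_services | top_ports tcp 10
sample_services | covered_by tcp 10 22 8080
```

The functions read the table on stdin, so a real nmap-services file can be piped in instead of the sample. A service listening on a port ranked below N is never probed, which is why a quick top-ports scan of your own network is not a full audit.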

BGP, DNS, SNMPv3 flaws. Is the internet hosed?



We have seen several issues this year. The SNMPv3 issue, the DNS issue and now the BGP issue (slashdot).

BGP stands for Border Gateway Protocol and is the core routing protocol of the Internet.
A good example of what can go wrong when someone can inject wrong or false routes into BGP is the story of how YouTube became unreachable at the hands of Pakistan Telecom (Renesys blog).

Now how serious is this? Well, just like the DNS issue, it's not the first attack or issue we have seen. So let's not overhype this. There is no money to be made by bringing down the internet. And redirecting routes through BGP is like working with a sledgehammer: it's not really subtle.

Dan Kaminsky has a very good article discussing the SNMP, DNS and BGP issues together; it is a must-read (doxpara.com). Like he said, it's 2008 and we need to look at some of our core protocols and the way they do authentication and encryption.

(Photo under creative commons from billaday's photostream)

Multiple Security LiveCDs combined in one DVD (and make it boot from your USB thumbdrive)



Some of the USB thumbdrives mentioned in my previous post are meant to replicate a part of Larry's Hacker Keychain (see Pauldotcom's show notes). Now the following will maximize the use of my USB thumbdrives.

All credits go to Mubix for posting this on room362.com:

MultiISO LiveDVD is an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc. It's an all-in-one multipurpose LiveDVD put together. There's something in it for everyone. I hope you enjoy it.

MultiISO LiveDVD Version 1.0 consists of :
  • Backtrack 3
  • Damn Small Linux (DSL) 4.2.5
  • GeeXboX 1.1
  • Damn Vulnerable Linux (Strychnine) 1.4 edition
  • Knoppix 5.1.1
  • MPentoo 2006.1
  • Ophcrack 1.2.2 (with rainbowtables 720MB)
  • Puppy Linux 3.01
  • Byzantine OS i586-20040404.

Download MultiISO LiveDVD here (torrent). Download it and help us seed this image!!!

Now I don't know if I heard it first on Hak5 or Pauldotcom's podcast, but you can use UNetbootin to boot various Linux distributions from a USB drive.

(Photo under creative commons from Nephiel's photostream)

Tuesday

PortablePwnage Part 2: Hardware upgrades/extensions for the eeePC 901 (updated)



Now, let's not start modding my Eee PC 901 just yet. Let's have a look at some 'normal' upgrades. I'm not sure I'll do all upgrades but this is a list of points on how to improve my umpc.

  1. Memory upgrade: Kingston ValueRam 2 GB DDR2-667 (Alternate.be) @ 35 Euro
  2. Bootdevice extension: Some SD(HC) cards for alternate OS booting (from geheugen-online.com):
    1x G074949: TRANSCEND, 16GB SDHC CARD, EUR 43,90
    1x G075118: TRANSCEND, 4GB SD CARD (133X), EUR 11,00
  3. Bootdevice extension: Some USB thumbdrives for various purposes (including making a USB multi-purpose keychain) (from geheugen-online.com):
    1x G140520: KINGSTON DIGITAL MEDIA, DT101C/8GB, EUR 22,90
    2x G140522: KINGSTON DIGITAL MEDIA, DT101N/4GB, EUR 11,70
  4. WLAN replacement: A mini-PCI Express Atheros WLAN card (to replace the RTlan card) from OxfordTec.com for 19 pounds:
    1 x GIGABYTE WI01GT miniPCI EXPRESS Wireless card - Atheros
  5. Battery upgrade: a 10400mAh battery for 82€ to increase the battery life to 10+ hours (from laptoppen.nl). I have to verify if this shop's offer is really compatible with my 901. This one is not compatible with the 901. Batteries from the 7xx series and the 900 cannot be used for the Eee PC 901 or 1000. I'm still looking where to buy these.
I checked the hardware support of the madwifi drivers before ordering the WLAN card and it seems fine. The card is easily replaced through the same panel as where the RAM module resides. Only 2 screws (I checked) and no soldering required. I will post pictures of the process in a future post.

There are a lot of other upgrades or modding possibilities like a backlight keyboard or adding a 3G card. Here are some of the interesting resources with more info:
More to come when I get all of my parts.

(Photo under creative commons from tnkgrl's photostream)

Monday

How to Enable Multi-Touch PAD in Eee PC 901

A little first Eee PC hack. I'm keeping XP on the onboard SSD for now and will install Linux/Backtrack on an SDHC card. But for now, let's enhance the system.

The 901 sports a multi-touch pad but the included Asus OEM driver doesn't provide all the functionality (like the ones in the video below).

Go to http://www.elantech.com.tw/download.aspx and download the original drivers. This will enable a lot more gestures. An icon will appear in the bottom right, with which you can modify the gestures to your needs (for example, three fingers moving left is 'back' and three fingers moving right is 'forward').

PortablePwnage Part 1: Choosing a UMPC. (updated x2)



So I decided to buy a UMPC so I could have some more portable "fun".

Last week I was looking at the HP Mini 2133 vs the Asus eeePC 901. At first sight, the HP seemed to have benefits like being somewhat larger, sporting a bigger keyboard and an 80GB harddisk etc... but it's also more expensive and has less battery life than the 901. The thing that really made me go for the 901 is that I couldn't find the HP in any PC shop in Belgium. I don't like to order electronics from eBay or outside Belgium (postorder) for various reasons.

My previous article mentioned that the HP Mini did have more performance than the eeePCs but this was before the arrival of the 901 with the Atom Processor. As this CPU test from notebookreview.com shows:

Notebook / CPU | wPrime 32M time
Asus Eee PC 901 (Intel Atom @ 1.8GHz) | 111 seconds
Asus Eee PC 900 (Intel Celeron M ULV @ 900MHz) | 203.734 seconds
HP 2133 Mini-Note (VIA C7-M ULV @ 1.6GHz) | 168.697 seconds
Asus Eee PC 4G (Intel Celeron M ULV @ 630MHz) | 289.156 seconds
Asus Eee PC 4G (Intel Celeron M ULV @ 900MHz) | 200.968 seconds
Everex CloudBook (VIA C7-M ULV @ 1.2GHz) | 248.705 seconds
Fujitsu U810 Tablet PC (Intel A110 @ 800MHz) | 209.980 seconds
Sony VAIO VGN-G11XN/B (Core Solo U1500 @ 1.33GHz) | 124.581 seconds
Sony VAIO TZ (Core 2 Duo U7600 @ 1.2GHz) | 76.240 seconds
Dell Inspiron 2650 (Pentium 4 Mobile @ 1.6GHz) | 231.714 seconds

The Atom CPU does rock it seems. Comparing the 406€ (umpcshop.be) to the 726€ for the HP Mini (only available for me via the Netherlands), my decision was made.

To defend the HP Mini, there will be an update of this model featuring the Intel Atom or Via Nano, so this disadvantage is only temporary.

So I got my 901 yesterday and my first impression is good. The only part that is bugging me is the small keyboard. I knew that from the start but I need to get used to its really small size.

Today, I happened to start reading my latest c'T Magazine and saw a review of the Asus eeePC 900 versus the Medion Akoya mini E1210.

Basically, it resembles the HP mini a lot feature-wise but it sports the Atom CPU!!! So is it the best of both breeds?

The Akoya's only drawbacks are a 3-cell battery, no multi-touch, and its card reader (SD/SDHC) isn't as fast as the eeePC 901's. If you are planning to run a second OS from an SDHC card, this is an additional disadvantage. So the battery life of the Medion doesn't come close to the 901 unless you start buying another battery. But then again, you can also buy the 10400mAh battery for the 901, extending its operation to 8-10 hours.

So I'm not that sad I didn't see this article before. Though I will be keeping an eye on this Medion Akoya E1210 (available at ThePhoneHouse.be for 399€) in case I don't get used to using a mini-sized keyboard. Since the Medion is equally priced with the eeePC, it's a really strong competitor.

For the moment I left the copy of Windows XP on the 901 as I will probably install Ubuntu or Backtrack using an SDHC card. More experimentation will follow.

Upcoming parts:

  • Hardware upgrades/extensions for the eeePC 901
  • Installing Ubuntu EEE for the eeePC 901 on a SD Flash Card
  • Installing Backtrack 3 for the eeePC 901 on a SD Flash Card
  • Installing OSWA for the eeePC 901 on a SD Flash Card
  • Installing and configuring OpenVAS for BT3
  • Installing and configuring Karmetasploit for the eeePC 901
----------------------------------------
UPDATE (25/08/2008): It seems they swapped the Atheros wifi chipset in the eeePC 901/1000 for the RaLink rt2860 wifi-b/g/n hardware, which makes this model somewhat less attractive. The same goes for the Medion Akoya 1210 (no Atheros).

A reader pointed me to the Acer Aspire ONE A150 which does have the Atheros chipset.

I'm looking at a hardware hack or replacement with the Acer Aspire ONE A150 (Tones.be) for 349€.

---------------------------------------------
UPDATE (26/08/2008): The Acer Aspire ONE A150 I mentioned above is a UMPC with a 120GB Harddisk. The Acer Aspire ONE A110 is the version with the Solid State Disk. Although it's only 8GB (vs the 901's 12GB) it also has only 512MB RAM (vs 901's 1GB). However it's available from laptopshop.be for only 299€. That's a 100€ difference from the eeePC 901. Acer has a weaker battery, smaller SSD and smaller RAM. But the bigger keyboard on the ONE is a big plus for me.

It isn't a clear choice against the eeePC 901 but a good competitor.


Video of Dan Kaminsky's DNS talk from Blackhat USA is now online

For those who weren't satisfied with slides alone from Dan Kaminsky's DNS talk, the video (m4v) and the audio (mp3) from Black Ops 2008: It's the end of the cache as we know it (ppt) are now available (courtesy of Blackhat.com). They already have the majority of presentations and whitepapers from Blackhat USA 2008 online on this page and it will be updated with videos as well. Keep an eye on it.


Sunday

Hacker Media Archive is looking for a new home.



Darkoz was kind enough to maintain a huge media archive of talks from past Defcon, Blackhat, Shmoocon, HOPE, and other conferences over at mirrors.easynews.com.

In the end, the archive was near a terabyte of disk space and easynews couldn't support the archive anymore.

If you can help us with bandwidth and storage, please check out Darkoz’s post over on his blog. Even if you don't have these resources, pass the word.

(Photo under creative commons from RobotSkirts' photostream)

Check your Redhat/Fedora OpenSSH Packages. Redhat servers were compromised.



Last week, some of Redhat's computer systems were compromised. During this incident, the attacker was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).

As a precaution, Redhat is releasing an updated version of these packages. Redhat has also released a script with which you can test your system for any affected packages:

The script has a detached GPG signature from the Red Hat Security Response Team (key) so you can verify its integrity:

This script can be executed either as a non-root user or as root. To execute the script after downloading it and saving it to your system, run the command:

   bash ./openssh-blacklist-1.0.sh

If the script output includes any lines beginning with "ALERT" then a tampered package has been installed on the system. Otherwise, if no tampered packages were found, the script should produce only a single line of output beginning with the word "PASS", as shown below:

   bash ./openssh-blacklist-1.0.sh
PASS: no suspect packages were found on this system

The script can also check a set of packages by passing it a list of source or binary RPM filenames. In this mode, a "PASS" or "ALERT" line will be printed for each filename passed; for example:

   bash ./openssh-blacklist-1.0.sh openssh-4.3p2-16.el5.i386.rpm
PASS: signature of package "openssh-4.3p2-16.el5.i386.rpm" not on blacklist
Source: (Redhat.com)
(Photo under creative commons from Michell Zappa's photostream)
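
The verify-then-run procedure above can be wrapped so that anything other than a clean result is treated as a failure. This is an added example, not Red Hat's code; it assumes the script is saved as openssh-blacklist-1.0.sh, that its detached signature is saved under the hypothetical name openssh-blacklist-1.0.sh.asc, and that the Red Hat Security Response Team key is already imported into gpg. The ALERT line used in the demo is constructed, since the page only says such lines begin with "ALERT".

```shell
#!/usr/bin/env bash
# Added example: fail-closed wrapper around the blacklist check.
# Function names and the .asc filename are assumptions, not from Red Hat.

# classify_output: read the script output on stdin and print one verdict.
#   TAMPERED - at least one line begins with ALERT
#   CLEAN    - at least one PASS line and no other non-empty lines
#   UNKNOWN  - anything else (no output, error text, interrupted run)
classify_output() {
  awk '
    /^ALERT/ { alert++; next }
    /^PASS/  { pass++;  next }
    NF       { other++ }
    END {
      if (alert)               print "TAMPERED"
      else if (pass && !other) print "CLEAN"
      else                     print "UNKNOWN"
    }'
}

# check_packages SCRIPT SIG [RPM...]: verify the detached signature first,
# then run the script (optionally against RPM files). Returns 0 only when
# the verdict is CLEAN, so callers cannot mistake silence for success.
check_packages() {
  cp_script=$1; cp_sig=$2; shift 2
  if ! gpg --verify "$cp_sig" "$cp_script" >/dev/null 2>&1; then
    echo "UNVERIFIED"          # bad or missing signature: do not run it
    return 3
  fi
  cp_verdict=$(bash "$cp_script" "$@" 2>&1 | classify_output)
  echo "$cp_verdict"
  case $cp_verdict in
    CLEAN)    return 0 ;;
    TAMPERED) return 2 ;;
    *)        return 1 ;;
  esac
}

# Demo on output lines: the PASS lines are quoted from the page, the ALERT
# line is constructed.
printf '%s\n' 'PASS: no suspect packages were found on this system' |
  classify_output
printf '%s\n' \
  'PASS: signature of package "openssh-4.3p2-16.el5.i386.rpm" not on blacklist' \
  'ALERT: constructed example line for a package on the blacklist' |
  classify_output
```

Typical use is `check_packages ./openssh-blacklist-1.0.sh ./openssh-blacklist-1.0.sh.asc`, with RPM filenames appended to check files instead of the installed system.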

Friday

More public DNS servers getting exploited in the wild (updated)



Ryan Naraine spotted an article describing how a Chinese ISP's DNS servers got poisoned because they were not patched. Their customers were redirected to a site which would launch exploits for known vulnerabilities in RealNetworks’ RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. Read the full article for some screenshots.

We shouldn't criticize Chinese providers too much as we still have some vulnerable networks of our own. But it's about time they all got patched (everywhere).

If it appears that you are using an unsafe DNS server, switch to OpenDNS. Here are the instructions.

UPDATE: Dan Kaminsky is confirming attacks in this article on Cnet. Remember that DNS (MX) records also decide the traffic flow of mail servers. This is why Dan added an additional test on his website to test your mailserver's DNS for the patch.

The story has also hit Slashdot.

Thursday

Video of the Pwnie Award Winners

A video of the Pwnie Award Ceremony is up on Google Video:



Here is the complete list of winners.

Flash banners taking over your clipboard



Several sites reported on the "Clipboard" attack, carried out through Adobe Flash and ActionScript.

According to US media reports, Flash banners that appeared on websites for Newsweek, Digg and MSNBC manipulated the clipboards on visitors' PCs. The banners copied the URL of a site, to the clipboard, that was supposedly an online antivirus scanner. This then sought to convince users to purchase software by frightening them with the message that their PCs were infected by a virus. Users who are in the habit of copying links from text and pasting them into their browser's address line were likely to have copied the URL to the spammers' site and ended up there. (Source: Heise)
That attack works under Windows, Mac OS and Linux. A side-effect is that the clipboard will freeze and cannot be used until the browser is restarted.

Adobe has reported it is looking into the problem, but doesn't have any patches at this point.

As long as you don't visit the URL contained in your clipboard, you are fine. But it's advisable to use a Flash blocker or to use NoScript, which also blocks Flash by default.

Despite some reports, NoScript will protect you. Of course, if you deactivate the features that are meant to protect you, you are vulnerable. It's like deactivating your virus scanner and blaming it for not stopping a virus. NoScript will block JavaScript, Java, Flash and other plugins. But it's not made to block ActionScript if Flash protection/blocking is disabled. Default settings will keep you protected. Just make sure you have the latest version.

This is also part of an email campaign that tries to convince you that your PC is infected and to trick you into installing their antivirus product (which is just a Trojan).

Here is a more detailed analysis of what happens, if you do happen to visit the clipboard URL and get infected.

Wednesday

A list of tools from Defcon 16 and some extras



Rob Fuller aka Mubix did a guest editorial at Zero Day with the Tools released during Defcon 16.

The tools include the following:

Beholder: An open source wireless IDS program

The Middler: The end-all be-all of MITM tools

ClientIPS: An open source inline “transparent” client-side IPS

Marathon Tool: A Blind SQL Injection tool based on heavy queries

The Phantom Protocol: A Tor-like protocol that fixes some of Tor’s major attack vectors

ModScan: A SCADA Modbus Network Scanner

Grendel Scan: Web Application scanner that searches for logic and design flaws as well as the standard flaws seen in the wild today (SQL Injection, XSS, CSRF)

iKat: A web site that is dedicated to helping you break out of Kiosk jails

DAVIX: A SLAX based Linux Distro that is geared toward data/log visualization

CollabREate: An IDA Pro plugin with a server backend that allows multiple people to collaborate on a single RE (reverse engineering) project.

Dradis: A tool for organizing and sharing information during a penetration test

WhiteSpace: A script that can hide other scripts such as CSRF and iframes in spaces and tabs

VoIPer: VoIP automated fuzzing tool with support for a large number of VoIP applications and protocols

Barrier: A browser plugin that pen-tests every site that you visit.

Psyche: An advanced network flow visualization tool that is not solely based on time.

All links can be found here. For the tools that were only on the Defcon CD and are not online, here is a downloadable Defcon iso.

Bonus material (not in the list above)

1. Soon to be published: the tool from the presentation "[Pushing a Camel through the eye of a Needle]", called reDuh.
In 2007 SensePost demonstrated how DNS and Timing attacks could be used for a variety of attacks. This year we take those attacks further and show how small footholds in a target network can be converted into portals we can (and do) drive trucks through.
2. One non-Defcon-related tool, but quite important:

Since Version 3, Nessus turned to a proprietary model and started charging for the latest plugins. This is why based on the latest available code, a properly organised forked development was made with the name of OpenVAS. Finally, again a free Vulnerability Scanner.

OpenVAS-Client is released under GNU GPLv2 and may be linked with OpenSSL.

You can download OpenVAS here:

OpenVAS Client
OpenVAS Server

Or here is the official OpenVAS site for more information.

(Photo under creative commons from guccio Photostream)

Tuesday

How to spot counterfeit Cisco equipment.



In a previous post "The attack from within (the router)", we mentioned an FBI report about counterfeit Cisco equipment. Here are some more countermeasures.

Are you using Cisco WIC-1DSU-T1-V2 cards? Then you should have a look at this guide from the Andover Consulting group. It provides detailed photos on where to look to find out if you have these counterfeit Cisco cards.

Or have a look at my first post to see some more general guidelines.

(Photo under Creative Commons from sdiver's Photostream)

Monday

Improve your personal skills: learn to be an active listener



I got a nice compliment from the Remes IT blog the other day about my posts on presentations skills. Thank you very much.
I started reading up on presentation skills because it was one of the domains I needed to work on. And learning about it was a blast. Have a look at this blog's presentations tag for some insights. It's still a work in progress. I still have books lying ready to be read but I'm lacking the time, even as my three Amazon wish lists seem to be growing at an alarming rate (My Tech wishlist, My Non-Tech Wishlist and My Japan Wishlist).

Good communication exceeds telling a good story and having good slides. The Remes IT blog started with some good pointers on which I want to expand today.

Non-verbal communication (posture, gestures, intonation, eye contact,...) should match verbal communication. Actually, it's funny but non-verbal communication makes up 90% of the whole.
Remember the presentation tip that people respond best to visual stimuli? The style of your hair, your clothes and your posture are all used to communicate something about you. This is often overlooked by a lot of people. If you're unsure about your looks, visit a styling consultant. Why not?
A little quote from The Last HOPE talk (From Black Hat to a Black Suit): "Dress as the job you want, not the job you have".

My co-blogger Karim mentioned an interesting quote in his little post on communication skills last week.

"Bad communicators only talk, Good communicators are able to listen & Great communicators adapt to context!"
So let's have a look at some communication pointers on active listening:

Non-verbal listening:
  • Look interested. Dedicate your entire concentration to the conversation. (You might turn your cell phone to silent or even off).
  • Make an angle of 90 degrees to the other party, it will give you more liberty to break eye contact from time to time. Too much eye contact looks too dominant. Not enough eye contact makes you look insecure.
  • Nod your head from time to time to show that you are listening
  • Use appropriate gestures and body language, e.g. don't cross your arms.
Verbal listening:
  • Use short words to show that you are listening: uhuh, ow, yes, sure,....
Using open and closed questions:
  • Avoid closed questions. These are questions that can only be answered with yes or no and won't advance the conversation. eg. Do you practice sports?
  • Try to use as many open questions as possible. eg. Which sports do you practice?
  • Try to ask different kinds of open questions: What? Which? How? Who? Why? When?
  • Listen to the answers carefully as the answer might help you provide the next question.
Enforce your listening:
  • Digging: Ask for additional information. "Brazilian Jiu-jitsu seems to be a special sport. What do you like about it?"
  • Repeating a part of the conversation: "Brazilian Jiu-jitsu?"
  • Verifying the information: if you are not sure what the other person means, ask for clarification: "So Brazilian Jiu-jitsu is based on Jiu-jitsu but it's different?"
  • Summarize: "So Brazilian Jiu-Jitsu (BJJ) is a martial art and combat sport that focuses on grappling and especially ground fighting with the goal of gaining a dominant position based on early 20th century Kodokan Judo?"
Use your mental capacity:
  • Concentrate and stop all other activity
  • Try to summarize in your mind what the other person is telling you
  • Make a difference between important points and details
  • Be analytical: can the speaker support his vision? Where is the proof?
  • Improve your concentration: Listen to the radio or television for 10 minutes and try to summarize it to see what you retained
Be positive:
  • Be open and friendly
  • Be positive in your reactions
  • Learn to cope with your anxiety.
Knowing these tips is not as important as training in them. Form a group of 4 persons and exercise. One is the listener and one person is the speaker. The other 2 persons make observations and provide feedback on the points above. Let them also keep an eye on body posture. It makes you more aware of any nervous ticks you have. Then change roles.

And to finish this post, I'm providing a few book tips. I haven't read them (yet) but they look like books that fit this topic.
(Photo under Creative Commons by OrangeBeard's Photostream)

New Webapplication Security LiveCD: "Samurai Web Testing Framework"



A new Web security toolkit has been released as a LiveCD. The top testing tools were collected and pre-installed to provide the perfect environment for testing web applications.

The user name and password to log onto the CD are "samurai".

Download it from sourceforge here.

(Photo under Creative commons from Amin Allen Tabrizi's photostream)

Sunday

Some recent examples of The Streisand effect



Last month, I encountered the "Streisand effect" for the first time. I also saw it mentioned on the Network Security Podcast in the MBTA article a few days ago. So maybe it's time to explore this phenomenon. So what is it? From Wikipedia:

The Streisand effect is a phenomenon on the Internet where an attempt to censor or remove a piece of information backfires, causing the information to be widely publicized. Examples are attempts to censor a photograph, a file, or even a whole website, especially by means of cease-and-desist letters. Instead of being suppressed, the information sometimes quickly receives extensive publicity, often being widely mirrored across the Internet, or distributed on file-sharing networks. Mike Masnick said he jokingly coined the term in January 2005, “to describe [this] increasingly common phenomenon.” The effect is related to John Gilmore's observation that "The Net interprets censorship as damage and routes around it."
The term Streisand effect originally referred to a 2003 incident in which Barbra Streisand sued photographer Kenneth Adelman and Pictopia.com for US$50 million in an attempt to have the aerial photo of her house removed from the publicly available collection of 12,000 California coastline photographs, citing privacy concerns.
As Martin from the Network Security Podcast said, the MBTA case was an example of the Streisand effect. By trying to suppress the presentation from the MIT students, the information got widely publicized, far more than it would originally have been. Through the public court documents, it even led to the disclosure of more information than the presentation slides would have shown.
What a lot of people don't know is that the security issues of the Mifare Classic have been widely discussed at various previous security conferences like 24C3. Brenno De Winter has a good overview of the discussion about the Mifare Classic card which replaced the MBTA talk at Defcon. His slides can be downloaded here.

Another "Streisand effect" example was a HD-DVD encryption key published on Digg.
“The online uproar came in response to a series of cease-and-desist letters demanding that the code be removed from several high-profile Web sites. Rather than wiping out the code, the letters led to its proliferation on Web sites, in chat rooms, inside cleverly doctored digital photographs and on user-submitted news sites. The ironic thing is, because they tried to quiet it down, it’s the most famous number on the Internet. At this writing, about 283,000 pages contain the number […] There’s a song. Several domain names including variations of the number have been reserved.” (Source: Wikipedia)
The site www.thestreisandeffect.com has numerous more examples.

Instead of trying to suppress information, try to work together with the parties involved and try to improve your security. Try to ignore it or try to publish positive news about your company to counter negative publicity. But suing or intimidating people to suppress information could lead to the "Streisand effect".

(Photo under creative commons from ElitePete's Photostream)

Saturday

XKCD: The issues with electronic voting machines.



xkcd makes a bitter but funny point. Electronic voting is very tricky and has led to a lot of controversy. I'm not going into a long debate but I will provide some resources to read and show why electronic voting is dangerous without the proper security mechanisms.

Audio (mp3) from The Last HOPE:

  • Building a Better Ballot Box (We all know by now the folly of current election technologies from Premier and Sequoia Voting DRE (Direct Record Electronic) systems as well as some of the new, more promising systems on the horizon such as the open source OVC (Open Voting Consortium ) and Scantegrity. The question of whether we can do better will be raised. What needs to be done to make this process better than it is today?)
  • Hacking Democracy: An In Depth Analysis of the ES&S Voting Systems (Last Fall, Ohio Secretary of State Jennifer Brunner commissioned Project EVEREST, a comprehensive security review of the electronic voting technology used in her state. The project contracted several academic teams and others to examine the election procedures, equipment, and source code used in that state, with the aim of identifying any problems that might render elections vulnerable to tampering under operational conditions.)
The Dutch movement against voting machines has some interesting articles: http://www.wijvertrouwenstemcomputersniet.nl/English_Press

A presentation from 22C3: e-Voting: The silent decline of public control (Why German voting machines do not meet the requirements of democratic elections.)

(Cartoon under Creative Commons by XKCD)

Friday

Defcon 16 and Blackhat 2008 presentations online.



Two fellow bloggers were kind enough to upload the presentations from Defcon and Blackhat.

Defcon 16 ISO @ i-hacked.com

Blackhat 2008 @ michaelboman.org

Thanks!

(Photo under creative commons from fakedankaminsky's Photostream)

Thursday

Bulletin Board System: The Documentary. Some nostalgia.



A trip to the past. I do remember owning a 14.4k modem at one time. Documentary released under Creative Commons (see http://www.bbsdocumentary.com/warez/).

If you don't know what a BBS is, shame on you!!!


via videosift.com

(Photo under Creative Commons from ClintJCL's Photostream)

Some interesting information on the cyberattacks on Georgia



I'm not going to start a political debate. I just want to review some of the technical aspects of this attack. Out of all the articles, I was waiting for Arbor Networks to post an article and they did. Here is their summary of observations. Abstract:

Raw statistics of the attack traffic paint a pretty intense picture. We can discern that the attacks would cause injury to almost any common website.

  • Average peak bits per second per attack: 211.66 Mbps
  • Largest attack, peak bits per second: 814.33 Mbps
  • Average attack duration: 2 hours 15 minutes
  • Longest attack duration: 6 hours

While Arbor Networks has a good view on the total scale of the attack, Shadowserver has some views on the Command & Control servers behind the attack. They have 3 articles, dated the 11th, 12th & 13th of August:

Claiming that Russia is behind the cyberattacks is like saying that China was behind several attacks in Western countries. It's very hard or impossible to prove government involvement. Evidence now points at hacktivism: "patriotic" operators inside Russia. The guys from Shadowserver found that several Russian blogs, forums, and websites are spreading a Microsoft Windows batch script that is designed to attack Georgian websites. It's very similar to the attacks on Estonia. Read the above articles for more information.

(Photo under Creative Commons from MauronB's Photostream)

Using Google Alert to track script injections in Belgian webpages



In an earlier post, "Asprox bot (re-)visiting Belgium with sql injections", I mentioned I wanted to use Google Alerts to track Asprox-injected pages in Belgium. You could easily do this by using the following search parameters:

"script src=http://*/""ngg.js"|"js.js"|"b.js" site:BE

However, I hit a small problem: all the saved alerts got "&lr=lang_en" appended, and this excluded non-English pages. I couldn't find any way to change this. But my fellow blogger miekiemoes came to the rescue. Before adding an alert in Google, you have to set the interface language in the URL.

So use http://www.google.com/alerts/manage?hl=nl&gl= (for Dutch). After saving the alert, it will work perfectly for the language you specified. Kudos for her help!!!
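
A local counterpart to the alert above, as an added example that is not from the original post: it checks a page you host for script tags that load one of the file names from the search query from a foreign host, including the unquoted src form the query matches. The function names, host names and sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# File names taken from the search query in the post.
INJECTED_NAMES = {"ngg.js", "js.js", "b.js"}

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, quoted or not."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def find_injected_scripts(html, page_host):
    """Return script URLs that load a listed file name from another host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        parts = urlsplit(src)
        name = parts.path.rsplit("/", 1)[-1].lower()
        # Relative URLs have no hostname: they are the site's own files.
        foreign = parts.hostname is not None and parts.hostname != page_host.lower()
        if name in INJECTED_NAMES and foreign:
            hits.append(src)
    return hits

# Constructed sample page (hypothetical hosts): the site's own /static/js.js
# must not be reported, the two tags appended to table cells must be.
SAMPLE_PAGE = (
    '<html><head><script src="/static/js.js"></script></head><body>'
    '<h1>Product list</h1>'
    '<td>Blue widget<script src=http://injected.example/ngg.js></script></td>'
    '<td>Red widget<script src=http://injected.example/b.js></script></td>'
    '<script src="https://cdn.example/jquery.js"></script>'
    '</body></html>'
)

if __name__ == "__main__":
    for url in find_injected_scripts(SAMPLE_PAGE, "www.shop.example"):
        print("suspicious script:", url)
```

Because "js.js" and "b.js" are common names, the foreign-host check is what keeps a site's own files out of the results.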

(Photo under Creative Commons from Jeff Youngstromm's Photostream)

Ultimate Pwnage UMPC: eeePC 901 vs HP Mini note 2133



I was interested in testing out a UMPC (Ultramobile PC) like the Asus eeePC. The eeePC might not be a high performer, but compared to others, it's really cheap and really portable. Since it has an Atheros chipset, it opens up possibilities to use it as a portable wireless auditing device. For example, here is a section in the Pauldotcom Weekly shownotes on how to use Karmetasploit to own an iPhone. Since battery life is very important to me, I decided to wait for the Intel Atom edition (the 901). But it's not yet available in Belgium.

But then I saw a tweet from HD Moore linking to his Infiltrator 1200.

The Infiltrator is based on the HP 2133 Mini-Note ultra-portable laptop. The 2133 hardware platform has been modified to use an Atheros-based (AR5007) wireless card and been upgraded to 2Gb of RAM. This system boots a customized version of Kubuntu from an internal 120Gb HDD and supports encryption offload through the Padlock feature of the Via C7-M processor. The operating system has been modified to use the Wireless-Testing Linux kernel, pre-patched with everything needed to use the Aircrack-NG toolkit. All standard ACPI features are supported, including suspend-to-disk, suspend-to-ram, screen brightness, and volume control keys.

He apparently sells this laptop for $999, and the HP2133 provides the best of both worlds: mobility and power at a reasonable price. I was not entirely convinced since my budget is somewhat limited at the moment.

Last week, I saw another review of the HP2133 Mini Note versus the Asus eeePC 701 by Stepto.

So I decided to give it a spin. I've been using the HP Mininote 2133 for a week now and can say hands down it beats the EeePC 701 and even the 901 series in just about every way. While there are some compromises to the design, I think I've finally gotten the minipc form factor that I will use to judge all further iterations. Its glossy bright screen is capable of displaying HD video in a bright and clear way, its full sized keyboard means not having to compromise being able to write or edit documents on the go (I've been writing almost all my blog entries and twitters and emails on it now for a week). While the processor is woefully underpowered, its overall Vista specifications aren't bad at all. I thought the Eeepc build quality was fine for the price (I got a nice black one and while made of plastic, it was very solid and looked nice.), but the 2133 is just outstanding. A brushed chrome finish, solid hinges, and they didn't skimp on the style of the design such that in just sitting here in a sushi place in Vegas writing this review I've gotten at least three comments on how nice my laptop is. I even gave the manager on duty a brief tour of it running Vista.

Read the rest of his review. Well, after having seen these two 'recommendations', I'm definitely interested in the HP. Problem is that I don't seem to find this one in Belgium either.

If I manage to find one, I might post some tutorials.

Update: JKK mentions that the battery life of the HP is shorter than that of the eeePC. Anything above 4 hours is okay with me. He has a very interesting site with some reviews of UMPCs.

Tuesday

DNS Patch hacked. Well, it's not the end of the world as we know it. RLLY!



DNS Patch is hacked!!!
It's the end of the Internet!!! Not really, just kidding. Read on.

Well, I'm continuing my "it's not the end of the world" series. We have been seeing a lot of sensational headlines these last weeks. Let's start a little bit from the beginning. Start by reading the unixwiz.net article that explains how DNS works and what the issue was that the Kaminsky patch solved. I think most of us can skip this part and move on to the current issue.

So, before the patch, you could poison a DNS server using 32,769 packets or about 10 seconds. After the patch, you needed between 134,217,728 and 4,294,967,296 packets. That's an order of magnitude more. Nobody said that the patch was a final solution, just that it was good enough for now, until we find a final solution. As Dan Kaminsky said in his latest post, it's about risk management, not risk elimination. Lori MacVittie had an excellent post today to prove this point: "The Unpossible Task of Eliminating Risk".

Now a Russian researcher has managed to poison a patched BIND DNS server by doing just that: throwing more resources against it. It took him about 10 hours and several hundred thousand packets to poison an entry. He proved what we all knew: we patched our systems to turn an easy exploit into a more difficult one. Ten seconds or ten hours is a big difference. There has been research in the past indicating that DNS cache poisoning was possible (pdf). Nothing has changed at all.

If you are being hit by 10 Mbit or more of UDP packets and you are not detecting and monitoring this, you have more issues coming, provided you have not already been DDoS'ed by this data stream. So it's not the end of the world, despite what we have seen in a lot of articles.

Yes, we need to look for a better solution in the long run. Dan Kaminsky has some suggestions here. Until then, patch and monitor.
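
The "patch and monitor" advice above, as an added example that is not from the original post: the patch added source-port randomization to the 16-bit transaction ID (the post's 134,217,728 and 4,294,967,296 are 2^27 and 2^32), so a poisoning attempt shows up at the resolver as a flood of answers whose ID and port match no outstanding query. The record layout, thresholds and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW = 10.0     # seconds; assumed tuning value
THRESHOLD = 100   # mismatched answers per name per window; assumed tuning value

def find_poisoning_attempts(queries, responses, window=WINDOW, threshold=THRESHOLD):
    """Flag names that receive a burst of answers matching no query we sent.

    queries:   (timestamp, qname, txid, source_port) sent by the resolver
    responses: (timestamp, qname, txid, destination_port) arriving at it
    Returns {qname: peak number of mismatched answers inside one window}.
    """
    expected = {(qname, txid, port) for _, qname, txid, port in queries}
    mismatched = defaultdict(list)
    for ts, qname, txid, port in sorted(responses):
        if (qname, txid, port) not in expected:
            mismatched[qname].append(ts)

    alerts = {}
    for qname, stamps in mismatched.items():
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[qname] = peak
    return alerts

# Constructed sample traffic (not from a real capture).
SAMPLE_QUERIES = [
    (0.0, "www.example.com", 4660, 51000),
    (1.0, "bank.example", 40000, 53000),
]
SAMPLE_RESPONSES = (
    [(0.05, "www.example.com", 4660, 51000),   # legitimate answer
     (0.20, "www.example.com", 1, 51000)]      # one stray packet: noise
    # 500 wrong guesses at ID and port for a single outstanding query
    + [(1.0 + i * 0.01, "bank.example", i, 1024 + i) for i in range(500)]
    + [(6.0, "bank.example", 40000, 53000)]    # the real answer arrives late
)

if __name__ == "__main__":
    print(find_poisoning_attempts(SAMPLE_QUERIES, SAMPLE_RESPONSES))
```

A single stray answer stays below the threshold, while the burst against one name is reported with its peak count.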

(Photo under Creative Commons from swiv's Photostream)

Yet another security researcher gets misquoted



Vista's security features have all been bypassed and CAN'T be fixed!!! No really, just kidding. Read on.

First, HD Moore got misquoted in the press when his exploit was turned against one of his ISP's DNS servers, but it was made to seem like he was hacked himself. Then Christofer Hoff got misquoted for his Blackhat presentation on virtualization security. Both fell into bad graces with their employers through the incident while they essentially did nothing wrong. Now it seems there is a third victim in a short time. Alexander Sotirov gave a presentation on new techniques to bypass security measures on XP and Vista, and everybody started talking about unfixable security features. Don't worry, it's not the end of the world.

Ed Bott from Zdnet luckily gives a complete picture on what happened and provides the correct view on the presentation. Read his article and the followup article:

I hope it won't become a trend. HD, Christofer and Alexander are people who contribute a lot of their free time to their research. Research that benefits us all and helps us make systems more secure. Try to think critically and don't take everything you read at face value.

This reminds me of a story on hakiri.org about critical thinking. It features a video 'Here be Dragons'. Just have a look.

(Photo under Creative Commons from CarbonNYC's Photostream)

Monday

Virtualizing will not save you money, it will cost you more. READ NOW!!!!



Quite a sensational headline, isn't it? This is how Christofer Hoff was quoted from his Blackhat talk "The Four Horsemen of the Virtualization Security Apocalypse" in an article on Network World.

However, what Christofer actually said was "Virtualization security will not save you money, it will cost you more." One word less but a world of difference. This has caused a massive headache for Hoff and his employer. Unfortunately, as Hoff said in his latest post "From the "Sucks To Be Me" Department...": there's no real retraction on the Internet.

This is why we are setting the record straight. Read his post for more information.


Post Blackhat/Defcon: Some articles and presentations



Well, another Blackhat and Defcon have passed and the world will never be the same. It was hard to keep up with all the articles, presentations and tweets appearing. Here is just the tip of the iceberg of some of the stuff that I encountered in these last days. The first one is not Defcon/BH related but I really wanted to share it. Enjoy and there is more to come:

(Photo under Creative Commons from fakekaminsky's Photostream)

Friday

Karmetasploit 3 documentation available. Karmetasploit = KARMA + Metasploit 3



HD Moore just posted documentation for Karmetasploit:

I just posted the first public documentation on Karmetasploit. This project is a combination of Dino Dai Zovi and Shane Macaulay's KARMA and the Metasploit Framework. The result is an extremely effective way to absorb information and remote shells from the wireless-enabled machines around you. This first version is still a proof-of-concept, but it already has an impressive feature list:

- Capture POP3 and IMAP4 passwords (clear-text and SSL)
- Accept outbound email sent over SMTP
- Parse out FTP and HTTP login information
- Steal cookies from large lists of popular web sites
- Steal saved form fields from the same web sites
- Use SMB relay attacks to load the Meterpreter payload
- Automatically exploit a wide range of browser flaws
(source: Metasploit blog)

Just one piece of advice. Unless you create an IPSEC tunnel or you can use WPA, don't use a wireless network. Too much can go wrong. If you want to know how many attacks are possible on an unprotected WLAN connection, just download this video from The Last HOPE from Renderman: How Do I Pwn Thee - Let Me Count The Ways (torrent). Just set up an OpenVPN server at home (or use ssh tunneling in the worst case).

(Picture under Creative Commons from Blog Story's Photostream)