Wardriving (Bus Version)

A while ago I was coming to our capital city from my home home town 83km  away, on that way I thought why not monitor all wireless devices, because I’d always wanted to know how (in)secure the wireless devices over here were, and as I watched the AP number increasing while drinking a half warm coke.

I saw that in general people thought that an simple WEP protection is enough for them to feel secure xD, even thought WEP is known to be a buggy and weak security algorithm, people use it a lot here and everywhere else.

From 805 wireless devices I’ve been able to capture during the drive, were 363 with no security at all! from the remaining 442 where only 37% with an WPA/WPA2 protection, all the rest relied on an easy to break WEP protection.

Here bellow you’ll see a thew screens I made in the middle of the road while monitoring.



If someone has done any similar scans in his city, I’d love to know the number of (in)secure wireless connections :).


Administration privilege escalation on any Blogger account

That vulnerability could be used by an attacker to get administrator privilege over any blogger account (Permission Issue)

HTTP Parameter Pollution vulnerability in Blogger that allow an attacker to add himself as an administrator on the victim’s blogger account. “Google Pwned”

The vulnerability mentioned here has been confirmed patched by the Google Security Team very fast


Owned and Exposed – ISSUE no 2

Greetings followers, welcome to the second issue of owned and exp0sed.This file is encoded with UTF-8, so to view it properly use unicode.

We owned ettercap because we were tired of people firing that shit up and pretending to be a l33th4x0r sheep who think they are the greatest hackerz with their ARP spoofing toolkitz.. If you have installed ettercap in the last 5 years you may want to check yo shit (;p).

We owned offsec including backtrack and exploit-db because they are fucking security “expert” maggots (oops s/m/f/) who just fail so hard at security that we wonder why people really take their training courses. We imagine it’s like open mic night at the laughatorium.

We owned inj3ct0r because they are lameass wannabe milw0rm kids whose sole purpose in life is to disclose XSS 0dayz in Joomla (RSnake anyone?).

We owned carders.cc (AGAIN) because they are unable to learn from their mistakes and keep spreading garbage around the underground.

We owned free-hack because they are developing into one of the largest, most arrogant script-kiddie breeding grounds on the intertubez.

Full Disclosure: http://pastebin.com/x3NKDNnf

Deutsche Post Security Cup – Bug Bounty Contest

The trend of paying for bugs is certainly catching on, the most recent entrant to the field is Deutsche Post the German postal service. They announced this week a security cup for their new online secure messaging service. The bug bounty trend has resurfaced recently with Mozilla increasing its bounty to $3000 and Google increasing their offering shortly after that too.

Teams will have seed money and will be awarded additional bounties for major and minor bugs. There’s quite a lot of money up for grabs if you count the seed money + find at least 2 critical bugs and a few minor bugs you could walk away with quite a fat stash.

Deutsche Post, the successor to the German federal postal service, will offer bounties for bugs researchers find in its E-Postbrief secure message service, the company announced this week.

The firm, which also operates the DHL overnight delivery service, will kick off a contest in October after it pre-approves research teams that apply for what it’s calling the Deutsche Post Security Cup. Each team will be seeded with €3,000 ($3,800), but must use their own tools and agree to not touch any private data they come across during their work. The teams must also keep quiet about any vulnerabilities they find until December, when Deutsche Post will award prizes and reveal the bugs it’s patched.

You can look at this two ways really, on one hand this is a good initiative meaning the system will be secured in some way. Of course that’s entirely dependant on the skill level of the people who enter the ‘cup’. But judging by the bounty amounts I’d say they are likely to attract a fairly decent crowd.

On the other hand you could say this is a form of crowd-sourcing, they are avoiding paying big bucks to a proper security company for an audit and farming it out under the guise of a bounty scheme to whoever shows up.

Bounties of €6,000 ($6,400) and €1,000 ($1,300) will be paid for major and minor bugs, respectively, with a four-member jury classifying the reported vulnerabilities. The jury includes Jennifer Granick, the civil liberties director of the Electronic Frontier Foundation (EFF) and Thorsten Holz, the co-founder of the German Honeynet Project, which places vulnerable systems on the Internet to collect malware.

Bug bounties and prizes gained momentum this summer after Mozilla and Google both hiked the rewards they pay to researchers who report vulnerabilities in Firefox and Chrome, respectively. Shortly after the bounty boosts, the long-running Zero Day Initiative (ZDI) bug payment program run by HP TippingPoint announced new rules, including a six-month deadline for patching reported problems.

More information about Deutsche Post’s bug contest can be found on its Web site.

I hope all findings are publicly published so we can really judge the value of the outcome and what kind of opportunity this represents for corporations who are looking for security solutions. It could bring about a whole new breed of ‘bounty hackers’ that solely exist (professionally) on these kind of offerings.

Plus the fact they do actually have some well-known judges who are credible and known in the industry. It seems like the whole bounty scheme could be heating up.

Source: Network World

Tools Digg this Forensic Toolkit (FTK v3)

Forensic Toolkit® (FTK®) is recognized around the world as the standard in computer forensics software. This court-validated digital investigations platform delivers cutting-edge computer forensic analysis, decryption and password cracking all within an intuitive and customizable interface. FTK 3 is built for speed, analytics and enterprise-class scalability. Known for its intuitive interface, email analysis, customizable data views and stability, FTK lays the framework for seamless expansion, so your computer forensics solution can grow with your organization’s needs. Forensic Toolkit 3 is now the most advanced computer forensics software available, providing functionality that normally only organizations with tens of thousands of dollars could afford.

Download: AccessData

Found on d3v1l’s  Blog

WPA2 Vulnerability Discovered – “Hole 196″ – A Flaw In GTK (Group Temporal Key)

Well as it tends to be, when something is scrutinized for long enough and with enough depth flaws will be uncovered. This time the victim is WPA2 – the strongest protection for your Wi-fi network which is standardized.

WEP fell long ago and there’s a myriad of WEP Cracking tools available. In 2008 it was reported flaws had been found in WPA and it was partially cracked.

These factors of course shifted a lot of people to WPA2, which has now been found to have certain flaws.

Perhaps it was only a matter of time. But wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardized and available.

Malicious insiders can exploit the vulnerability, named “Hole 196″ by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried. Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network and compromise other authorized devices using open source software, according to AirTight.

The researcher who discovered Hole 196, Md Sohail Ahmad, AirTight technology manager, intends to demonstrate it at two conferences taking place in Las Vegas next week: Black Hat Arsenal and DEF CON 18.

It’s a pretty interesting attack and leverages a man-in-the-middle style exploit to decrypt data from the wire and inject malicious packets onto the network.

The researched Md Sohail Ahmad is going to demo the exploit at 2 upcoming conferences (Black Hat and DEF CON 18) so I’ll be looking out for the slides and videos on that. We’ll have to wait and see if this is another ‘mostly theoretical‘ attack – or something that can actually be implemented in the wild.

The Advanced Encryption Standard (AES) derivative on which WPA2 is based has not been cracked and no brute force is required to exploit the vulnerability, Ahmad says. Rather, a stipulation in the standard that allows all clients to receive broadcast traffic from an access point (AP) using a common shared key creates the vulnerability when an authorized user uses the common key in reverse and sends spoofed packets encrypted using the shared group key.

Ahmad explains it this way:

WPA2 uses two types of keys: 1) Pairwise Transient Key (PTK), which is unique to each client, for protecting unicast traffic; and 2) Group Temporal Key (GTK) to protect broadcast data sent to multiple clients in a network. PTKs can detect address spoofing and data forgery. “GTKs do not have this property,” according to page 196 of the IEEE 802.11 standard.

These six words comprise the loophole, Ahmad says.

The upside is that the attack is limited to people who can genuinely authenticate to the network first, the downside that means large organizations using WPA2 in trouble – as generally most damage comes from the inside.

It’s also something to think about when connecting to ISP/public Wi-fi hotspots using WPA2 encryption.

I’m sure there will be more news about this soon.

Source: Network World (Thanks Austin)