Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills

The date for the Hackerspace Antwerp Startup Meeting

2010-01-05T13:54:00.004+01:00

A lot of people responded for a startup meeting in Antwerp and are really divided over two possible dates. So I decided I will be there on both dates, although I can't stay very late.

So on Saturday the 9th or Friday the 15th, please join us. Here is the original doodle: http://doodle.com/pci5yiksm5nwimg6

Feel free to comment and to share the link to others!!!

(Photo under creative commons from "Scott Beale / Laughing Squid")

Download the #26C3 videos and bonus material

2010-01-04T01:09:00.004+01:00

So the 26th Chaos Communication Congress is over and it was a blast. For those that missed some talks (like me) or couldn't watch the live streams, you can download the video of almost all presentations.

Best location to find the lastest videos is:
ftp://mirror.fem-net.de/CCC/26C3/

There you will find the videos in mp4-format, in mp3 or ogg audio files or mp4-ipod formatted videos.

You can also watch the videos online thanks to CCC-TV. No need to download everything.

I made some recordings of some the things happening around the conference. Check my Ustream.

Discussing about Hackerspace Antwerp

2009-12-23T22:27:00.003+01:00

Some people have been thinking aloud about also starting a hackerspace in Antwerp. I decided to gather all these people and have a beer. Let's see if there are enough people to set the first step. If you know people that could be interested, please let them know.

If you want to join us, have a look at http://doodle.com/participation.html?pollId=pci5yiksm5nwimg6&0

A hackerspace is an interdisciplinary community for learning, teaching, and creating. Instead of starting with a defined range of projects or programming, a hackerspace is driven by its members. It is a place where members have the infrastructure and resources to work on projects that interest them. Hackerspaces promote people to be hackers in the broadest sense: to learn all they can about the fields that interest them, explore their bounds, and create new and interesting ways to apply that knowledge.
The people in a hackerspace also share their knowledge with others who share their interests, through classes, working groups, or day-to-day discussion while working on projects. That is where the fascinating educational potential of the hackerspace lies: there is no finite list of the skills that can be taught and exchanged. People share what they know with members and the community at large, and it results in more people having the knowledge to make something new and tangible out of their ideas and interests. (source: pumping station one)

(Photo under creative commons from mightyohm's photostream)

#26C3 Mobile Schedule for Android and iPhone

2009-12-19T23:30:00.005+01:00

In less then a week, it will be time for the biggest hackerconference in Europe: The Chaos Communication Congress (which I will be visiting). I will be covering the event and documenting some tips. Let's start with a few good ones.

For your convenience, two applications were made with the 26C3: Here be Dragons Schedule (Fahrplan), one for Android and one for the iPhone (iTunes link). Kudos for the people who made them.

If you don't have PDA/Smartphone but are bringing a DECT phone: Call Voicebarf on DECT#7666 to know the upcoming talks at that moment.

There will also schedules displayed throughout the conference center so don't print them and save some trees.

If you can't make it to the conference, several locations around the world will be displaying the live video streams. Go out and meet some new people. Check "Dragons everywhere" for locations.

If it's your first time to this conference, have a look at: Preparing your laptop (or iPhone) for a security/hacker conference.

For all other matters, read through the 26C3 wiki and their FAQ.

Follow @security4all on Twitter for live tweets about the conference or follow the #26c3 hashtag in general. Some clients like tweetdeck support following hashtags or you can use http://search.twitter.com. Either online or through an RSS feed.

If you want a free BruCON sticker, find me at the conference. ;-)

Related posts:

(Photo under creative commons from wili_hybrid's photostream)

Ways to bypass the Big Belgian firewall

2009-10-31T19:53:00.000+01:00

Yes, the Belgian government can decide which websites we visit and which we don't. The first step on a road that will lead us to situations like we have seen in Australia (According to Child Support groups, Net filtering is a waste of money)

Here is the best Belgian article I have read to date about this issue which covers all aspects : "zwarte lijst voor belgische surfers omstreden" by Els Bellens (Zdnet.be)

Like Tim Berners-Lee, inventor of the WWW stated, the internet was designed to be used without limitations. The main argument of government officials to start with this blacklist, is that "average users won't be able to stumble upon these bad websites anymore. It's for their own protection. "

And in a typical Belgian fashion, (luckily for us), it's implemented in the least efficient manner: a DNS blacklist.

And as expected, a lot of internet users (e.g. blogologie, lvb.net, belgiancowboys.be, tik vzw) have started listing ways to bypass this filter just as a matter of principle (like the Streisand effect).

So let's hope that this blacklist will go away and the government will stop throwing away money on an inefficient systems that will never work.

Sign against Dataretention - bewaarjeprivacy.be

2009-10-28T19:42:00.004+01:00

Finally something in Belgium to be proud of. Several organizations in Belgium representing internet users, lawyers, journalists, etc.... have started a petition against the Belgian adaptation of the EU Dataretention law.

Why should you sign this petition?

It's an invasion on your privacy
It makes 10 million Belgians potential suspects
It invades the professional confidentiality between lawyers and their clients, journalists and their sources etc....
The necessity of Dataretention has yet to be proven
Dataretention provides no guarantee against terrorism or crime
It will result in a high price that consumers will have to pay....

So go to http://bewaarjeprivacy.be/ and sign the petition.

Automated Social Networking Surveillance Systems

2009-10-27T21:14:00.005+01:00

Last week, I noticed the existence of an EU surveillance project called "Intelligent information system supporting observation, searching and detection for security of citizens in urban environment" better known as "INDECT". You can have a look at their official website.

According to Wikileaks, INDECT’s “Work package 4″ is designed “to comb web blogs, chat sites, news reports, and social-networking sites in order to build up automatic dossiers on individuals, organizations and their relationships.” Ponder that phrase again: “automatic dossiers.” (source)

Automatic dossiers? Doesn't that give you a warm fuzzy feeling inside? There are a lot more reports and articles mentioned about similar projects (including network monitoring and data mining suites designed by Nokia Siemens, Ericsson and Verint) on this website.

I enjoy and believe in the benefits of social networks as long as commons sense prevails about what you publish. But how many people are aware of the potential issues? Not that mass surveillance should be expected and allowed.
Say a word online out of context and be labeled a potential 'problem' case. I don't believe in a technological magic wand who will correctly filter information. Too much possible false positives. Hasn't the world of IDS taught us that? Question is, who is making the alert filters for this systems? Who is going to watch the watchers?

Some time ago, the Social Media Security blog and podcast was founded. While I haven't really had time to spend some time on it, I highly advice to have a closer look at it.

So apart from cybercriminals, must we also fear our governments?

Related posts:

(Photo under creative commons from matthileo's photostream)

Privacy and the 'Belgian Mobility Card' (BMC)

2009-10-27T14:10:00.004+01:00

It has been some while since we blogged about the "Privacy failure in the Belgian RFID transport card", but the card will still be introduced nationally.

See Chipkaarten De Lijn niet voor volgend jaar (datanews)

Testing will occur in 2010 and the rollout will happen during 2011 and 2012. Time to go over some past facts.

Some researchers of the UCL published a report about a privacy issue together with opensource tools that they used to test the card. On http://www.uclouvain.be/sites/security/mobib.html

But the details of the research were removed soon after, together with the tool. Why? Were they pressured in removing it? What would the benefit be in removing it? Don't people know that security by obscurity doesn't work? Sound a bit like a conspiracy, considering who owns the transport card company and who subsides the university. But we can't say for sure.

Some details could still be found via google:

http://www.uclouvain.be/sites/security/download/slides/Avoine-2009-iwrt-slides.pdf

From the PDF:

Personal data are stored in the clear in the card.
Data stored in the card during its personalization: name of the holder, birthdate, zipcode, language, etc.
Data recorded by the card when used for validations: last three validations (date, time, bus line, bus stop, subway station, etc.), and some additional technical data.

How can this not be an issue? This can totally be abused by stalkers with a good antenna and a laptop in their backpack, just to name one of the obvious abuses. Fathers, lock up your wife and your daughters.

So I hope that the MIVB/STIB, minister Hilde Crevits and other parties involving the Belgian Mobility Card (BMC) will do the right thing and NOT store this sensitive information in the clear before launching this card!!!

Claiming that our national ID contains the same public information is true but it is not on a contactless card. Meaning I have to take it out of your wallet and physically put it in a reader. Comparing those two and claiming there is no issue with cleartext information on a wireless chip is a fantasy story.

There is enough information and other tools available to read the info on the card. e.g.

Other online articles mentioning the issue:

Met Mobib op het openbaar vervoer in Brussel: uw gegevens te grabbel? (Permanent Gecontroleerde Zones)
Gekraakte Mobib-kaart doet vragen rijzen naar privacy (Brussel Nieuws)

(Photo under creative commons from Jools of Sweden's photostream)

Flu epidemic already announced in Belgium

2009-10-12T12:41:00.003+02:00

First of all, this is about the general flu epidemic which occurs every year. It's nothing H1N1 specific, which has been overhyped. Act normal and use common sense. But this is relevant information. Apply good hand hygiene, eat healthy and get enough sleep. Enough said.

The Belgian center for Flu Control announced a flu epidemic in their latest week report (pdf) mentioned in their weekly newsletter. Here is the interesting bit translated to English.

Influenza Surveillance for week 40 (28 September tot 4 October)

The epidemic findings for week 40 are: The surveyed data show a heightened circulation of the Influenza virus and a moderate activity for the flu symptoms. According to the determined criteria, the flu epidemic has started.
...
The number of H1N1 cases have doubled compared to last week and was estimated at 4160 in week 39 with a cumulative total of 12678.

Google search results and other online sources are also a good indicator and they do confirm the results of the Belgian flu center. Have a look at the B.V.L.G blog for a detailed analysis (Dutch) with some nice graphs.

Related posts:

Business continuity and useful resources about the N1H1 Swine Flu.

Null character MITM Certificate released

2009-10-01T12:42:00.008+02:00

This year Dan Kaminsky and Moxie Marlinspike discovered that when requesting a certificate for example "Paypal.com\0.phishing.com" that some CAs would approve the request. What made it worse is that SSL client (and browsers) would ignore the characters after the null character, leading to an effective SSL Man in the Middle attack.

Although it isn't possible to request these certificates anymore, Jacob Appelbaum released such a certificate yesterday together with the private key, stating that everybody had time enough to fix the issue. If you're a developer, you might want to look into this issue. For example Blackberries were still vulnerable to the attack.

Firefox patched the issue a few days after the initial presentation but other browsers like IE and Chrome rely on Microsoft's CryptoAPI to process the certificate and are still vulnerable.

"There are thousands of products on Windows right now that are still vulnerable to this SSL attack, and if someone were to publicly publish a targeted null prefix certificate, they'd be in trouble," said the white-hat hacker, who goes by the moniker Moxie Marlinspike. "Basically, everything that runs on Windows would be vulnerable with that one certificate." (source: Theregister.co.uk)

Note: The wildcard SSL certificate that Jacob Appelbaum released tricks older versions of the Network Security Services library into authenticating any website on the internet. But a lot of other applications using CryptoAPI might still be vulnerable to similar SSL MITM attacks. Time to patch the API like Firefox did.

Security bloggers meetup London @ RSA

2009-09-29T21:52:00.004+02:00

Well, like last year us securitybloggers (-twits) are coming together for a drink and meet the people behind the avatars. It was a small but fun beginning last year and we hope to see even more people this year.

Details on location etc... can be found on securityactive.co.uk.

SMBv2 exploit for Vista and Server 2008 released

2009-09-29T12:56:00.004+02:00

While I was too busy with BruCON, it seems that a SMBv2 vulnerability was published: Security Advisory 975497. While it affects Windows Vista and Server 2008, other versions are not vulnerable (including Windows 7 and Windows Server 2008 R2).

Port 445 needs to be open for the service to be exploited. Microsoft hasn't released an (out of band) patch since there was no working exploit code but promised to do so if the threat landscape changed. Blocking ports 135 and 445 is one of the recommended countermeasures. You can also disable SMBv2 through a registry key if not needed.

So far it was only possible to crash the service, but that changed today. Working code has now been added to Metasploit. Although the code still needs improvement, it worked on several machines.

So, will we see new worms coming our way? Although Conficker was well written, fortunately it wasn't really used to it's full potential. Will we be that lucky again?

Discuss vulnerabilities instead of patches at your patch meetings, because only patching doesn't cut it. Have a look at NIST's Creating a patch and vulnerability management program.

CERT.be is hiring

2009-09-25T00:43:00.001+02:00

As was told during BruCON, we can stop complaining about a missing CERT in Belgium. BELNET is looking for people to extend their team and the team should be up and running by January 2010. A big applause for their introduction!

If you are interested, look at their website cert.be/jobs.

International Action Day “Freedom not Fear 2009 – Stop the Surveillance Mania!” on 12th September 2009

2009-09-08T18:36:00.003+02:00

I somehow completely missed any communication about this International Action Day “Freedom not Fear 2009.

Unfortunately, it seems that it is on the 12th of September already and that there is nothing planned in Brussels. Bad communication? Or is there nobody in Belgium at least a little bit interested in their privacy and civil rights?

More info on http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2009

(Photo under creative commons from maha-online's photostream)

Possible 0-day in IIS5 and IIS6 FTP (updated x3)

2009-08-31T20:51:00.006+02:00

A zero day for IIS5 & 6 was posted today to the Full Disclosure mailinglist. Yes, we are talking shellcode. This seems to be real.

According to Thierry Zoller, it doesn't work reliably for IIS6 but it's not impossible (source: twitter) and confirmed by this comment on the mailinglist. But it will crash the service on Windows2003 as such. Seems an issue in the MKDIR command.

US CERT is advising:

US-CERT encourages administrators to disable anonymous write access to the FTP server to help mitigate the vulnerability, although a proper impact analysis should be performed prior to taking defensive measures.

So the impact seems limited to servers that allow anonymous (write) access. Unless you don't trust authenticated users or fear they can be easily compromised. Stay tuned for updates.

UPDATE: Thanks to a NMAP script from Xavier, you can now scan you environment for vulnerable servers.
UPDATE 2: If you need a snort signature for the milw0rm IIS-FTP
exploit. Emergent threats released signature tarballs and a history is available in CVS:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
Wiki: http://doc.emergingthreats.net/bin/view/Main/2009828
UPDATE 3: Developers of the Backtrack played with the exploit and created an enhanced version that opens a listening port on a fully patched Windows 2000 system running IIS 5. They made a video.

HAR2009: where to get the presentation videos

2009-08-28T00:09:00.003+02:00

Well, HAR2009 was a blast. It was fun meeting a lot of other people, doing some workshops and some soldering. I missed some of the talks I wanted to see but luckily there were recordings of the presentations. They are about 24GB and you can find them at:

These are raw, unedited videos. Some edited videos are available on http://rehash.nl/ by streaming. But I prefer to have my videos offline.

Collection of Defcon 17 articles, videos, pictures and podcasts

2009-08-05T00:02:00.003+02:00

This is a list of articles and other fun stuff that people were tweeting about in the last week. This list is of course not exhaustive but a nice place to start reviewing the things that happened at the conference.

Articles:

Announcing the Warzone Project (uncommonsensesecurity.com)
DefCon Updates (A Day in the Life of an Information Security Investigator )
Defcon: New Hack Hijacks Application Updates Via WiFi (Darkreading)
Researchers offer tools for eavesdropping and video hijacking (CNet.com)
Korean 'journalists' booted from Defcon (computerworld.com)
Fake ATM doesn't last long at hacker meet (Computerworld)
Electronic High-Security Locks Easily Defeated at DefCon (Wired.com)
Fake ATM, skimmers found in Las Vegas hotels (Zero Day)
ATM scam at DEFCON clearly the work of ironic criminals (engadget.com)
The Best (and Worst) Hacks of Defcon Computer Security Conference 2009 (fastcompany.com)
Hacker demos persistent Mac keyboard attack (Zero day)
Hack-Proofing The Hackers (forbes.com)
DEFCON 17 Badge Hackers (infosecevents.net)
Defcon air traffic control hacker: Excuse me while I change your aircraft’s flight plan (deals.venturebeat.com)
Our Favorite XSS Filters and how to Attack them (sirdarckcat.blogspot.com)
Feds at DefCon Alarmed After RFIDs Scanned (wired.com)
Opinion: Irresponsibility runs amok at Black Hat, Defcon (computerworld.com)
Ax0n's DefCon 17 Wrap-Up (www.h-i-r.net)
Defcon talk: 0-day, gh0stnet and the Adobe JBIG2Decode disclosure debalce – Steven Adair (cupfighter.net)
Blackhat USA 2009: Reverse Engineering by Crayon (offensivecomputing.net)
Black Hat: Social Networks Reveal, Betray, Help Users (informationweek.com)

Video:

SSL rebinding video (stub.bz)
#defcon podcast meetup (youtube)
Hacking The Defcon 2009 Badge (youtube)
Metasploit Oracle videos (vimeo.com)
Hacker Charlie Miller on how he compromised the iPhone (venturebeat.com)

Podcast:

Defcon Microcast 1 – Johnny Long, Hackers for Charity (Network security)
Defcon Microcast 2 – Dark Tangent (Network security)
Defcon Microcast 3 – Saturday Wrapup (Network security)

Pictures:

http://www.defconpics.org/

(Photo under creative commons from ggee's photostream)

Get the #DEFCON 17 CD Archive (updated x2)

2009-08-01T14:16:00.004+02:00

The Defcon 17 CD Archive is up. Get it at https://media.defcon.org/dc-17/DEFCON-17-CD.rar

Update: The following file triggered some Antivirus engines

"Extras/bin/crackmes/manifest.exe". (in Sean Taylor's Extras.zip) - Detects as TR/Crypt.ZPACK.Gen

But it was confirmed by the Defcon team that it contained no trojan. Better be safe then sorry.

Related posts:

Day 2: A collection of #Blackhat articles: keeping remote track of the event

2009-07-30T22:43:00.007+02:00

As a follow up to my article of yesterday "BlackHat slides available and first blogposts", the following is a additional collection of articles I kept track off by staying glued to tweetdeck all day.

Articles:

Wildcard certificate spoofs web authentication (The Register)
Blackhat US – Roundup Day 1 (c22.cc)
How To Hijack 'Every iPhone In The World' (Forbes)
Researchers take control of iPhone via SMS (Zero Day)
HP researchers reveal details of browser based darknet (Heise)
Black Hat: PKI Hack Demonstrates Flaws in Digital Certificate Technology (Darkreading)
Vulnerabilities Allow Attacker to Impersonate Any Website (Wired)
Google Safe Browsing Feature Could Compromise Privacy (Darkreading)
Live Blog: Blackhat 2009 Day 1 (A Day in the Life of an Information Security Investigator)
Live Blog: Blackhat 2009 Day 2 (A Day in the Life of an Information Security Investigator)
Microsoft explains why killbits are needed (internetnews.com)
Black Hat 2009: Breaking SSL with null characters (Hackaday)
Google Safe Browsing Feature Could Compromise Privacy (Darkreading)
Verisigns' Tim Callahan's response to the SSL certificate issue #blackhat (verisign.com)
Researcher pressured to pull 'Conficker' talk (reuters.com)
Security researchers: Online transactions aren’t as safe as we thought (venturebeat.com)
Dan Kaminsky's New PKI Hack Discovery - The EMC/RSA viewpoint (RSA blog)

Slides:

Official Blackhat website with most of the presentations
Laws of Vulnerabilities 2.0 - Black Hat 2009 Edition (qualys.com)
Mo' Money Mo' Problems - Making even more money online the black hat way - Jeremiah Grossman (Slideshare)
"Smart" Parking Meter Implementations, Globalism, and You (crypto.nsa.org)

Videos:

More Tricks For Defeating SSL by Moxie

Pictures: live pictures from the event (hat tip to mubix)

(Photo under creative commons from angelsk's photostream)

BlackHat slides available and first blogposts

2009-07-30T00:01:00.004+02:00

Blackhat was really fast to upload some of their content. You can already get it at http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html.

I have already glanced at lockpick forensics, sniffing keyboards with lasers and Breaking the security myths of Extended Validation SSL Certificates. Some really interesting stuff in there!!

Here are some blogposts fresh of the shelf as well:

Speeding up MD5 collision hashing on GPUs, breaking EV SSL, or just breaking SSL all together, I see a trend that says that public PKI is completely broken. Oh, wasn't there a study today that said users ignore SSL warnings anyway?

Keep tuned, I'm seeing tweets that Dan Kaminsky is having a go at X.509 as well. #ssl #epicfail??

Related posts:

(Photo under creative commons from Ben+Sam's photostream)

IE Killbits don't work, or why MS released an OOB Patch yesterday (updated)

2009-07-29T13:06:00.007+02:00

Now we know why Microsoft rushed out an out-of-band patch. It seems that shutting down a defective component is not as effective as fixing it. During the upcoming Blackhat talk of Ryan Smith, Mark Dowd and David Dewey it will be demonstrated how to bypass the "kill-bit" mechanism. A measure used by Microsoft to patch an ActiveX vulnerability on June 14th. So Microsoft rushed out to release an out of band patch before the presentation.

Smith has posted a video that demonstrates how they were able exploit a kill-bit copy of IE.

Halvar Flake mentioned the following on his blog:

"The bug is actually much 'deeper' than most people realize, [and] the kill-bit fix is clearly insufficient, as there are bound to be many other ways of triggering the issue,"

So this is why Microsoft is patching the vulnerability within ATL (the msvidctl.dll issue) . This has resulted in vulnerabilities in other crucial Windows files, and perhaps third-party applications whose developers had also used ATL. The following post from Adobe PSIRT blog confirms this:

We evaluated the impact of the vulnerable versions of the Microsoft Active Template Library (ATL) / CVE-2009-0901, CVE-2009-2395, CVE-2009-2493 / Microsoft Security Advisory (973882) on the Adobe product portfolio. We determined that Flash Player and Shockwave Player are the two products that leverage vulnerable versions of ATL. A Security Advisory for Flash Player and a Security Bulletin for Shockwave Player have been posted to our security bulletins and advisories page.

According to their bulleting, only Internet Explorer plug-ins are vulnerable. Firefox users as well as all other Windows-based browsers are not vulnerable. Macintosh, Linux and Solaris versions of Flash Player and Shockwave Player are not vulnerable.

So have a look at MS09-034 and MS09-035!! So until we have details on the Blackhat presentation, I wouldn't recommend using the killbit as only countermeasure for vulnerabilities.

If you want to delve deeper into this matter, the following two articles from the Microsoft Security and Defense blog are worth a read!

Update: A Slashdot story was running on this with this remarkable quote: "What's really scary is that Microsoft has issued 175 killbits fixes so far."

According to this Heise online article, Cisco extensions are also vulnerable. Google hasn't released any details yet.

Last but not least, the verizon business security blog has a very good article on the entire issue, a risk summary and a tool for developers to check their code.

(Photo under creative commons from jlkinsel's photostream)

Microsoft July 2009 Out-of-Band Releases

2009-07-28T01:52:00.002+02:00

If you haven't noticed it, Microsoft will release two out-of-band patches tomorrow. Which usually means they have a good reason for doing this. Apply them ASAP.

From the MSRC blog:

We have just published our advance notification for an out-of-band security bulletin release, with a target of 10:00 AM Pacific Time next Tuesday, July 28, 2009.
While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins:

1. One Security Bulletin for Visual Studio

2. One Security Bulletin for Internet Explorer

How to follow Blackhat/Defcon without being there

2009-07-28T01:26:00.004+02:00

Well, I'm one of the poor souls who couldn't make it to the Blackhat/Defcon fun. Although going to HAR2009 makes up for a lot of it, there are some ways to follow the events in Vegas (real time). ;-)

The first tool is to use twitter and follow the hashtags #defcon and #blackhat. If you have a twitter account, I would recommend installing tweetdeck and setting up two search columns. For those without a twitter account, you can use the Twitter search (and import it through RSS) or even better: twitterfall.com which is more interactive.

Keep an eye on the Security Bloggers Network (RSS) and a Technorati search (RSS). A lot of security bloggers will be covering the event.

You can also monitor Flickr for the tag 'defcon17' (RSS) (couldn't find the one for Blackhat).

I think that's more then enough to follow the event except for a live video stream. ;-)

If you have some tips of your own, please mention them below.

Related posts:

How to follow The Last HOPE conference without being there (updated)

(Photo under creative commons from Kyle Wegner's photostream)

Preparing your laptop (or iPhone) for a security/hacker conference

2009-07-27T21:47:00.006+02:00

With Blackhat and Defcon about to begin, I thought it might be a good idea to review an old article from last year: "Preparing your laptop for a security conference".

The 2 main resources from that article are still online:

digital self-defense article from Didier Stevens
How to survive part of the 25C3 Wiki (Going from having your laptop lock tested by the lockpicking clubs to setting up a VPN for your iPhone)

The general advice is saw other bloggers give was:

Don't use the wireless, try to stick to 3G (and use tethering if possible)
Even if you use 3G, encrypt it (VPN, SSH-tunnel).... I read that an UMTS mitm was going to be demo'ed at Vegas next week.
Leave your data at home, backup the drive, reinstall a clean OS, reimage when you come back (also applies to iPhones)

Remember that even when using the wired access, there are risks (arp poisoning). So be careful or you'll end up on the wall of sheep. I'll mention one last article:

10 Tips for iPhone Users at DEFCON 17

But never never use a service that doesn't encrypt all the traffic. The safest still is to leave your gear at home. Have fun.

Now if you'll excuse me, I have some preparing to do for HAR2009!

Feel free to suggest additional tips below.

Update: Try to get a fixed IP. Running a DHCP client can get you in trouble. Two days ago, a vulnerability was found in dhclient. (hat tip to Jon). I'm guessing a lot of linux boxes will get owned in Las Vegas.

http://milw0rm.com/exploits/9265
http://vrt-sourcefire.blogspot.com/2009/07/dont-read-this-post.html

(Photo under creative commons from Blog Story's photostream)

Remote root exploit in DD-WRT httpd daemon.

2009-07-23T00:52:00.003+02:00

Due to a meta-character vulnerabilityin the httpd servers, users that run DD-WRT on their routers are vulnerable to a remote root exploit.

More information can be found on the DD-WRT Forum at http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55173&postdays=0&postorder=asc&start=0

Although this daemon usually listens on the internal interface only, there are still ways to exploit it:

Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. It was argued that this exploit is of low impact by some since the distribution only listens for HTTP connections thru the internal interface. In this example of using the exploit the exploit will be used thru a pivot obtained thru a client side exploit from which we will pivot, do a discovery, finger print the device and exploit it. In the following example we will start by showing our IP of the attacker machine, receiving the Meterpreter shell and showing the target box IP thru a cmd shell (For details, see Pauldotcom)

DD-WRT developer Sebastian Gottschall says the bug fixed firmware version "DD-WRT V24 preSP2" can already be downloaded.

(Photo under creative commons from patrick h. lauke's photostream)