Shmoocon 2012 Videos

Adrian “Irongeek” Crenshaw has done it again. I wasn’t able to make it, for the 2nd year in a row, because I didn't get tickets (partly my fault).

One day I will make it, but here are some of the videos. This is now on my list of things to do.

http://www.irongeek.com/i.php?page=videos/shmoocon-epilogue-2012

Here are the firetalks:

http://www.irongeek.com/i.php?page=videos/shmoocon-firetalks-2012

CompuSec.org Podcast

I am thinking of doing a quick podcast, maybe video cast of infosec topics, tutorials for basic security techniques. This will be 101/intro stuff and slowly grow. I can do screencasting or audio or even video podcasting.

Things I have in mind are:
- using nmap, hping, ping (lol), etc.
- defense techniques
- news discussions
- attack techniques
- metasploit usage

More to come.

Derbycon Summary

Site: Louisville, Kentucky

This was the first conference known as Derbycon, organized by Dave Kennedy, Adrian Crenshaw, and Martin Bos. The history is very interesting, as it started out as small security meetings and classes that demonstrated demand and higher than expected attendance. A con was the next idea, which resulted in what is now #Derbycon.

The first day started out with a keynote by HD Moore, who talked about his recent work with Warvox and the newest version coming out, 2.0. The interesting thing about this is that it reminds us of ways to gather information about and exploit businesses through their voicemail systems: are they locked down with PINs, do they give out useful information, do they forward to cell phones, can PBX systems be fingerprinted, etc. There is also a Metasploit module for this at auxiliary/scanner/voice/recorder.

Next Dave Kennedy and Kevin Mitnick talked about adaptive pentesting and some of their experiences. The cool thing was the teensy device and what it can do if physical access is acquired. The fun continued with good talks by Pat McCoy and Chris Silvers.

The next day Brian Baskin talked about how to react once you get compromised: do's and don'ts, and security events to look for. Joe Schorr gave a good talk about physical assessments and some interesting things people will fall for.

Carlos Perez gave a very good talk. The quote taken from his talk was “Lion is Apple’s Vista”. Later this question was asked in trivia and I won a free book for remembering it. :) The slides are definitely ones to look over, as they contain good technical data on the deficiencies of Lion as well as some Windows registry pointers.

The talks were great, but they also had a CTF, which I participated in a bit. It was fun and challenging. There ended up being 2 systems to hack, and they were actually fully patched, so a 0-day was required. I ended up with 135 points while the winners had something like 400. I stopped after day 2, as I wanted to see more talks.

Here is a picture of the early standings:

One of the amazing things at this conference was the talk given by Johnny Long from Hackers for Charity. He came from Uganda to tell his story, which was the first time I heard it. I highly recommend you view his talk here:

Support for Johnny was given by an auction that was held, and he raised $13,617 total at the conference for his cause!

The conference had some good meetings as well. Tenable had a users group meeting. As attendees we met new people and joined together as a community. I met a few AHA members in the airport. On the way home Greg Evans was paged, which was quite humorous. I believe Jayson Street is the responsible one :) .

Derbycon is off to a great start, and the organizers are promising an even better Derbycon 2.0.

If you didn’t make it, you can check the videos out at Adrian Crenshaw's website, www.irongeek.com

Le Apache Killer

On the Full Disclosure mailing list a denial of service Perl script was put out that pretty much takes down a server running Apache.

SpiderLabs did a good write up that I recommend reading here:
http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html

I did a small test of this using an attacking machine running BackTrack 5 against a small Apache webserver running on Metasploitable.
*Note on BT5: to run the Perl script you will need to get and install the following Perl module:

apt-get install libparallel-forkmanager-perl

So this is top on my Metasploitable machine:
Everything normal, right?

Now this is the script being run, targeting my Metasploitable webserver.
(Read more about how the script works on the SpiderLabs link above.)

Finally, let's look at top once again:
Not looking good.

Finally, I will mention that I only let this run a few minutes, and the website did still work, even though at times very slowly. The top output still shows the effectiveness of the exploit. In addition to the ModSecurity mitigation technique, a fix is in the works.

Credit to:
Michal Zalewski
Kingcope
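As an added example (not from the original post or the SpiderLabs write-up), here is the kind of request-side check a reverse proxy or WAF hook could apply before a request reaches Apache: it parses the byte-range set, rejects malformed sets, and refuses requests with overlapping ranges or more than an assumed limit of 5 ranges. The sample headers are constructed; the threshold is my assumption in the spirit of the ModSecurity mitigation, not a value from the post.

```python
"""Detect the Apache Range-header DoS pattern: excessive or overlapping byte ranges."""
import re

# Constructed sample headers: a normal partial-content request and an abusive one.
NORMAL_RANGE = "bytes=0-499"
ATTACK_RANGE = "bytes=0-," + ",".join("5-%d" % i for i in range(5, 25))  # 21 ranges

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header):
    """Return a list of (start, end) tuples for a 'bytes=' range set.

    start is None for a suffix range (-N), end is None for an open-ended range (N-).
    Raises ValueError on anything syntactically invalid so the caller can reject it.
    """
    if not header.startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed range spec: %r" % spec)
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            raise ValueError("inverted range: %r" % spec)
        ranges.append((start, end))
    return ranges


def overlapping_pairs(ranges):
    """Count pairs of ranges with an explicit start that overlap each other.

    Open-ended ranges extend to infinity; suffix ranges are skipped because
    their position depends on the file length, which this check does not know.
    """
    spans = sorted((s, e if e is not None else float("inf")) for s, e in ranges if s is not None)
    overlaps = 0
    for i in range(len(spans)):
        for j in range(i + 1, len(spans)):
            if spans[j][0] <= spans[i][1]:  # sorted by start, so this is an overlap
                overlaps += 1
    return overlaps


def check_range_header(header, max_ranges=5):
    """Return (allow, reason). max_ranges=5 is an assumed threshold, not a page value."""
    try:
        ranges = parse_byte_ranges(header)
    except ValueError as exc:
        return False, "malformed Range header: %s" % exc
    if len(ranges) > max_ranges:
        return False, "%d ranges exceeds limit of %d" % (len(ranges), max_ranges)
    overlaps = overlapping_pairs(ranges)
    if overlaps:
        return False, "%d overlapping range pairs" % overlaps
    return True, "ok"
```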

Defcon 19 Slides [pdf format]

Quick post to put a link for the presentations from Defcon 19.

Enjoy!

https://good.net/dl/k4r3lj/DEFCON19/

Conference Week: BlackHat, Defcon, BsidesLV 2011

Some big conferences this past week are going on in Las Vegas. I was able to go to BlackHat last year, but missed out this year. I am working on going to DerbyCon 2011, however.

I want to document links and locations of the various sites for streaming these events and video/audio locations for previous conferences.

NotaCon 8 took place earlier this year and they have a site with all the talks for you to download.

NOTACON 8 Media

I was listening to the Security Justice podcast and they mentioned a talk by Matt Neely on Penetration Testing so that is one that I am currently checking out.

Hopefully the BH, DC and BSidesLV talks get posted somewhere on the internets soon and I will post links here.

Finally, here is a pic of an ATM in Vegas taken today by :

You give up your email, you get spam.

You probably have heard of the Epsilon hack that most likely has exposed your email address to whoever snagged it from Epsilon. Don't know who Epsilon is? You most likely have heard of its clients, who have given them your name and email information. Below I listed out the companies that have been reported to have sent out notices that your email information was compromised and to expect spam or spear phishing attempts.

So why would these companies have your email address? Because you gave it to them when you registered for their service or created an account.

But why does Epsilon have my email address? Because they partner with the below listed companies to use your email address to notify you of offers or other notices via email. It is a legitimate service, sending you the latest deals or news on the site you have an account with. (I usually request no email correspondence from companies I sign up with, if given the option.)

So what should I expect now that my email is out there? Spam, scams, and spear phishing in your email inbox. Say for example they have your email and know you are a customer of 1800 flowers. They could craft an email to let you know that there is a sale on roses, and to click on a link to view the offer. You click on it, then the website requests that you install flash or some addon and asks you to download and install it. You do, and you have now been hacked. Or, easier than that, you click on the link in the email, get directed to a website that has a 0-day flash vulnerability, you get hacked, and they install keylogger software on your system. Now you're really in trouble!

How do I avoid getting pwned? Don’t click on links in emails! Don't click on links anywhere. If you need to go to a website, then type it in! You know, https://www.blahblahblah.com. Verify that the person sending you email really is legit. Check email headers (Google how to do it). Now, never clicking on links may not be practical, but check to see what exactly you are clicking on and not just what it says on the page. Check the URL that you are being directed to in the status bar of your browser.

For real though, don't use Facebook notifications to click and see what they posted/commented on your FB. Just type in facebook.com and do it that way. See below:

Here is the list of companies with compromised customer emails (credit to Brian Krebs):

http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/

50 Dollars for a replacement pool key?

I was looking into RFID emulation for access cards. Say the one to get access to your community swimming pool.
This site has what seems to be a good solution:
http://proxmark3.com/

It and other emulation solutions have been discussed on pauldotcom mailing list as well:
http://seclists.org/pauldotcom/2010/q3/497

But here is another solution to the problem. Credit to David Bryan and crew.
hackerhurricane.com
cybersecurityguy.com

Check out the vid:

http://vimeo.com/21137418

Anonymous, Jester, hacktivists oh noes!

We all know that hacking needs to be done with responsibility. Most of us know that to do any hacking you either do it in a test lab or as part of your job responsibilities. A penetration tester will complete a legal agreement with their client before performing “ethical” hacking on their network. A “get out of jail card” will be acquired to do their job and test the client system security.

I found the following definition of a hacker: (source)

“An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing and red teaming. An ethical hacker is sometimes called a white hat, a term that comes from old Western movies, where the “good guy” wore a white hat and the “bad guy” wore a black hat. ”

Now we have the case of Anonymous, a group of “hacktivists” who advocate free speech. They have done this by supporting Wikileaks and running denial of service attacks on Mastercard, Paypal, and others in defense of Wikileaks. HBGary, a malware company, attempted to call them out and bothered Anonymous enough that they hacked the HBGary network, causing a slew of internal email to be distributed via torrent. As a result, HBGary canceled their booth and talks at RSA and BSides San Francisco.

The Jester, another “hacktivist”, is a supporter of the US and especially the military. He has launched, and continues to launch, denial of service attacks against jihad and other similar sites, as well as recently the Westboro Baptist Church, an organization that protests at funerals of military members.

So what is right and what is wrong? Are both of these “hacktivists” wrong for hacking without permission? Is attacking a jihad website wrong, even if it is against a website that promotes violence? Is Wikileaks wrong for distributing sensitive information to all, or is this really free speech? Is Anonymous wrong for defending them? Is Anonymous wrong for the attacks on HBGary and Westboro, among others?

I can say that I would not do any such activities. I have a sense of humor and find some of these actions entertaining, especially the Westboro/Anonymous interview. There are many times when I am “in it for the lulz”. However, the internet really is “serious business”. I hack or pen test or scan or exploit or do anything other than sending a ping or a normal HTTP request only when authorized to do so.

The Jedi use their power for good.

Local Austin Security groups

Recently I’ve been getting notifications on local security events in Austin. The following are some groups that get together and talk security, give presentations, share ideas, hack, and tons more!

AHA – Austin Hackers Anonymous
http://wiki.austinhackers.org/
This is a group of very intelligent people that get together once a month and give talks on hacking and such. Get info on their meetings at the website. HD Moore, creator of Metasploit, assists in the organization of this group.

Austin OWASP – The Open Web Application Security Project
http://www.owasp.org/index.php/Austin
This is a well-known group nationally, and the local chapter here in Austin has 2 meetings a month. See the site for schedules and mailing list/Ning site information.

Austin ISSA – Information Systems Security Association
http://www.austinissa.org/
The ISSA is also a well-known group. They have an event set up for tomorrow. I believe your first meeting is free.

Austin ISACA – Information Systems Audit and Control Association
http://www.isacaaustin.org/
This group has a meeting March 1 on pen testing. $20/$25 cost depending on whether you are a member.

Austin Hackerspace
http://www.atxhackerspace.org
This is a cool place for hacking of all sorts. I took a lockpicking 101 course recently, and they do much, much more. They meet often and have an open house every week. Also, they have a very active mailing list. Check them out, Austinites.

BSides Austin
http://www.securitybsides.com/w/page/33728032/BSidesAustin2011
Don’t forget the yearly Austin BSides conference coming up next month. Check out the site for talks; this year I am really excited about the AppSec Guerrilla Camp!