July 7, 2005 - New Doors To Your Network
by Jeff Moss
Every advancement of technology comes with a new entry point for exploitation. Over the last few years we’ve witnessed the explosion of two areas that provide public access to private systems: wireless access points and web application service APIs. This week top researchers Beetle and Bruce Potter announce the release of a new rogue wireless access point vulnerability tool that builds on the popular Airsnarf study released last summer. On a different track from the wireless crew, Alex Stamos and Scott Stender hypothesize on how the growing popularity of web service interfaces will fuel a new type of injection attack.
Owning Access Points, I Will.
by Beetle posted July 7, 2005
I'll be honest, our research was driven by being utterly stunned this past winter when a group of academics were reported on as having "discovered" what many of us knew for quite some time--stand up a rogue access point and people will give you important, private, and in many cases, lucrative information. A couple years earlier, when Bruce and I demo'd "Airsnarf" at DefCon 11, the kicker was showing it running from an overpowering Zaurus PDA in my pocket--not the old news (back then even) that you could steal usernames and passwords from hotspot users with a Linux box and hostap drivers.
There's no badass discovery here, folks. Even if "Evil Twin" research made Slashdot. There wasn't anything badass about "Airsnarf" back then--it was a shell script and a few lines of Perl to play DNS tricks. There's nothing badass about rogue AP attacks now. Well, that just invalidates my presentation, doesn't it? Crap.
Regardless, I felt it was important to not only cover the rogue AP basics for anyone who's just heard of this trickery, but to get people thinking about the more advanced havoc one can wreak with a rogue AP. Yes, usernames and passwords are nice, but there's a slew of social engineering subtleties available to you when you have a user hop on to YOUR access point. My talk will cover all of that and more--including release of a new tool called "Rogue Squadron".
Yes, I'm a Star Wars nut, so feel free to talk with me about impressions of Episode III while we're in Vegas--if you can't find me at the bar or blackjack tables, I'll be at the movie theater again. Now, if I can finish another project or two, not get killed while racing this Summer, and manage to keep all my demo ducks in a row, this should be nifty for people to see. If anything, I'll give away a bunch of Shmoo stickers in advance of DefCon to attendees of my Black Hat talk. heh. Seed the audience, so to speak. If you'd like to see what I'll be recycling / plagiarizing in advance of my talk, here are some links you should check out:
"Airsnarf" - DefCon XI presentation
"Rogue AP 101" - Black Hat Federal presentation and code
"802.1x eap" Google query ;)
Greasing Web Services with Slippery SOAP
by Alex Stamos and Scott Stender posted July 7, 2005
We spend most of our time attacking and reviewing new enterprise and financial applications, and we’ve been running into a lot of insecure web service interfaces in the last 6 months. Web services have become another check mark that technical management needs to get budget, and so SOAP interfaces and XML output are appearing everywhere you look. Unfortunately, nobody really understands how to write secure web service apps, and the fact that the frameworks hide all of the detail from developers makes it very easy to let bugs slip by.

Web services also offer a huge new attack surface, often opening up deeply buried legacy systems to the firewall-friendly world of port 80. Web app security doesn’t just mean SSL, XSS, and SQL injection anymore; often, we’ve seen SOAP messages flowing all of the way from an attacker’s machine to a core mainframe. Enterprise systems have always worked like this, with some kind of connectivity reaching down into the dark bowels of IT, where long-bearded hackers tend to their creaking (whirring?) OS/390 machines. But now, it’s XML end-to-end, and that gives an attacker a much better chance of controlling that last jump into the electronic guts of that hospital, bank, or government agency…
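The point above, that framework glue lets a SOAP parameter travel unchecked from the public interface into a legacy host, is easiest to see in code. The following Python example is added here as an illustration and is not code from the authors or from any product they reviewed. It assumes a hypothetical service namespace (`urn:example-bank`), a hypothetical fixed-format legacy transaction message (`TXN ... ACCT=...`), and a constructed SOAP request; it contrasts the naive bridge, which splices the extracted value straight into the backend message, with a hardened bridge that enforces a per-parameter allow-list at the web tier before anything is forwarded.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example-bank"  # hypothetical service namespace, not a real one

# Allow-list of exposed operations and the exact shape of each parameter
# the legacy host accepts. Anything not listed here is refused.
PARAM_RULES = {
    "GetBalance": {"AccountId": re.compile(r"[0-9]{8}")},
}


def build_envelope(operation, **fields):
    """Build a constructed SOAP request for the examples below (not captured traffic)."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in fields.items())
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<{operation} xmlns="{SVC_NS}">{body}</{operation}>'
        f"</soap:Body></soap:Envelope>"
    )


def extract_params(envelope_xml, operation):
    """Return {parameter-name: text} for the named operation in the SOAP body."""
    root = ET.fromstring(envelope_xml)
    op = root.find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}{operation}")
    if op is None:
        raise ValueError(f"operation {operation} not present in request")
    return {child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in op}


def naive_legacy_command(envelope_xml, operation):
    """What generated framework glue typically does: pull the value out of the
    XML and splice it into the fixed-format message the legacy host expects.
    Whatever the caller put in the element reaches the backend verbatim."""
    params = extract_params(envelope_xml, operation)
    return f"TXN {operation.upper()} ACCT={params.get('AccountId', '')}"


def hardened_legacy_command(envelope_xml, operation):
    """Same bridge, but every operation and parameter must match the allow-list
    before the backend message is built; unknown or malformed input is refused."""
    rules = PARAM_RULES.get(operation)
    if rules is None:
        raise ValueError(f"operation {operation} is not exposed")
    params = extract_params(envelope_xml, operation)
    unexpected = set(params) - set(rules)
    if unexpected:
        raise ValueError(f"unexpected parameters: {sorted(unexpected)}")
    for name, pattern in rules.items():
        value = params.get(name)
        if value is None or not pattern.fullmatch(value):
            raise ValueError(f"parameter {name} failed validation")
    return f"TXN {operation.upper()} ACCT={params['AccountId']}"


def is_rejected(envelope_xml, operation):
    """True if the hardened bridge refuses the request (used for checks below)."""
    try:
        hardened_legacy_command(envelope_xml, operation)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = build_envelope("GetBalance", AccountId="12345678")
    # Constructed tampered value: extra text that the legacy message format
    # would interpret as a second field if it were forwarded unchecked.
    bad = build_envelope("GetBalance", AccountId="12345678 ACCT=00000001")
    print(naive_legacy_command(good, "GetBalance"))
    print(naive_legacy_command(bad, "GetBalance"))   # tampered text reaches the host
    print(hardened_legacy_command(good, "GetBalance"))
    print("tampered request rejected:", is_rejected(bad, "GetBalance"))
```

The allow-list lives at the web tier on purpose: the legacy host was written for trusted callers and cannot be expected to defend itself, so the validation has to happen before the XML-to-backend translation that the framework otherwise performs silently.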