July 7, 2005 - New Doors To Your Network
by Jeff Moss
Every advancement of technology comes with a new entry point for exploitation. Over the last few years we’ve witnessed the explosion of two areas that provide public access to private systems: wireless access points and web application service APIs. This week top researchers Beetle and Bruce Potter announce the release of a new rouge wireless access point vulnerability tool that builds on the popular Airsnarf study released last summer. On a different track from the wireless crew, Alex Stamos and Scott Stender hypothesize on how the growing popularity of web service interfaces will fuel a new type of injection attacks.
Owning Access Points, I Will.
by Beetle posted July 7, 2005
I'll be honest, our research was driven by being utterly stunned this past winter when a group of academics were reported on as having "discovered" what many of us knew for quite some time--stand up a rogue access point and people will give you important, private, and in many cases, lucrative information. A couple years earlier, when Bruce and I demo'd "Airsnarf" at DefCon 11, the kicker was showing it running from an overpowering Zaurus PDA in my pocket--not the old news (back then even) that you could steal usernames and passwords from hotspot users with a Linux box and hostap drivers. There's no badass discovery here, folks. Even if "Evil Twin" research made Slashdot. There wasn't anything
... stand up a rogue access point and people will give you important, private, and in many cases, lucrative information.badass about "Airsnarf" back then--it was a shell script and a few lines of Perl to play DNS tricks. There's nothing badass about rogue AP attacks now.
Well, that just invalidates my presentation, doesn't it? Crap.
Regardless, I felt it was important to not only cover the rogue AP basics for anyone who's just heard of this trickery, but to get people thinking about the more advanced havoc one can wreak with a rogue AP. Yes, usernames and passwords are nice, but there's a slew of social engineering subtleties available to you when you have a user hop on to YOUR access point. My talk will cover all of that and more-including release of a new tool called "Rogue Squadron".
Yes, I'm a Star
Wars nut, so feel free to talk with me about impressions
of Episode III while we're in Vegas--if you can't
find me at the bar or blackjack tables, I'll be at
the movie theater again. Now, if I can finish another
project or two,
not get killed while racing
this Summer, and manage to keep all my demo ducks
in a row, this should be nifty for people to see.
If anything, I'll give away a bunch of Shmoo
stickers in advance of DefCon to attendees of my Black
Hat talk. heh. Seed the audience, so to speak. If
you'd like to see what I'll be recycling / plagiarizing
in advance of my talk, here are some links you should
"Airsnarf" -DefCon XI presentation
"Rogue AP 101" - Black Hat Federal presentation
and code "802.1x eap" Google query ;)
Greasing Web Services with Slippery SOAP
by Alex Stamos and Scott Stender posted July 7, 2005
We spend most of our time attacking and reviewing new enterprise and financial applications, and we’ve been running into a lot of insecure web service interfaces in the last 6 months. Web services have become another check mark that technical management needs to get budget, and so SOAP interfaces and XML output is appearing everywhere you look. Unfortunately, nobody really understands how to write secure web service apps, and the fact that the frameworks hide all of the detail from developers makes it very easy to let bugs slip by.
Web services also offer a huge new attack surface,
often opening up deeply buried legacy systems to the
firewall-friendly world of port 80. Web app security
doesn’t just mean SSL, XSS, and SQL injection
anymore; often, we’ve seen SOAP messages flowing
all of the way from an attacker’s machine to
a core mainframe. Enterprise systems have always worked
like this, with some kind of connectivity reaching
down into the dark bowels of IT, where long-bearded
hackers tend to their creaking (whirring?) OS/390
machines. But now, it’s XML end-to-end, and
that gives an attacker a much better chance of controlling
that last jump into the electronic guts of that hospital,
bank, or government agency…
Psychology and Organized Crime
Sometimes we're so stuck on the screen that we forget to look beyond it. Mudge and Geers are here to remind us of the security angles we seldom explore, but that have an effect on what we do daily. On today's page we keep in mind economics, psychology, and the Russian mob when thinking about security. .. read more
Above the Law
A popular issue for the world's top security researchers is the unique relationship between security practices and their legal implications. Every aspect of today's security involves some form of legality. The justice system has allowed governments to enforce encryption bans, corporations to file mass lawsuits for identity thefts, and the U.S. Congress to debate the need for federal preemption. Jennifer Granick and Robert Clark continuously offer fresh perspectives on the ever changing legal landscape. This Black Page is dedicated to why I miss crime... read more
The Black Page is always looking for concise and interesting comments from researchers and experts about issues that affect the security community. Contact us here to learn more about submission rules