Domain: remote-exploit.org
Stories and comments across the archive that link to remote-exploit.org.
Comments · 36
-
Re:Ha!
If only it used Bluetooth instead of some insecure proprietary solution.
-
Re:Won't work
Spoken like a true M$ fanboi! I think you have never been to http://www.remote-exploit.org/ or http://www.governmentsecurity.org/. For starters, just try http://www.nessus.org/. If you believe that privileges can't be escalated, would you mind if I use your PC?
-
Re:But
I just read the entire wikipedia article, and I've done all of that, and more, with backtrack for FREE.
-
Re:As someone in the Security Field...
Why has the STD distro not been updated in over 5 years?
Have you tried http://www.remote-exploit.org/backtrack.html? It's geared towards pen testing and ethical hacking... but it's VERY good, and modern.
-
Backtrack FTW
My school doesn't "support" LINUX but that's the beauty of Linux when faced with a barrier go around it.
Been running Backtrack ( http://www.remote-exploit.org/backtrack_download.html ) since year 1 (going on 4th now)
Found that I actually have more "options" with my BT than my Windows partition.
If they don't know of/support Linux make them wish they did
;) -
Re:Okay...
Seriously, why don't people use encryption? I always assume someone is tapping my Internet connection if I don't use it.
Of course, sometimes that doesn't matter.
-
I highly recommend BackTrack 3.
BackTrack 3 is awesome, light on resources, installs with lower requirements than Ubuntu 8.04, no driver headaches. GET SOME http://www.remote-exploit.org/backtrack_download.html ! Overview and history http://en.wikipedia.org/wiki/BackTrack . Enjoy!
-
Been done before, kind of.
Here's a little hack that you can all run from home, right now!
It's the BlueBugger tool. Most phones with bluetooth support, if you're near them, you can send text messages through their phone, read their text messages, read/write phonebook entries, set call forwards (which you can then turn around, to listen in on calls), connect to the internet, and force the phone to use other providers.
You might say "Oh, but you have to be close to them..", but hey you'd be surprised with how many phones go in and out of a Starbucks on a busy day. Just set a shell script to check for vulnerable phones once a minute and sit and relax.
Posting anonymously just incase. :3 -
You need load-balancing
I've been looking into a similar setup. You need multiple wireless adapters and a load-balancing utility.
http://forums.remote-exploit.org/archive/index.php/t-7419.html
A quick and dirty way to do it with Linux iptables:
http://tetro.net/misc/multilink.html
My goal is to create a monster wardriving setup for constant on-the-road connectivity.
-
Re:Security Concerns
You know I've posted this on /. like three or four times now and you'd think it'd be more common knowledge by now... but getting encryption keys from RAM is pretty trivial. It's called a cold boot attack.
http://citp.princeton.edu/memory/
http://en.wikipedia.org/wiki/Cold_boot_attack
This attack was sort of one that was under the hat of pentesters and hobbyists until a few months ago when it was rather a do-it-yourself thing, but then McGrew Security made a followup PoC - http://mcgrewsecurity.com/projects/msramdmp/ to the Princeton paper. I played with it right after it came out, and then a while later threw up a tutorial on remote-exploit. Now, Mati Aharoni's a really smart guy and most assuredly knew about the PoC before I did, but shortly after the tutorial and some discussion on IRC, it's now in BackTrack 3 (http://www.remote-exploit.org/backtrack.html) as a syslinux boot option putting the attack within the reach of everyone.
http://tourian.jchost.net/shadow/liveusb/boot.png
Getting the encryption keys out of the ram dump isn't a point and click operation, but the code's out there and it compiles. People are walking around right now with this on their USB key, and it's the sort of attack that is a real problem that physical access and untrusted users present now. Even without the encryption keys, you've still got the contents of previous webpages, cookies, IM conversations, unencrypted files, and everything else in RAM. Disabling boot from USB doesn't matter much because you can just use a grub CD, and carry around a laptop drive and do dumps on multiple machines. Hell, if you felt like dealing with it you could make it a PXE image... even disabling both boot from USB and CD, most cases in public places(think Dell) can be quickly popped open with the power still on and the BIOS jumper tripped.
Things like this should make you really nervous if you were freaking out about Microsoft's little COFEE ( http://tech.slashdot.org/article.pl?sid=08/04/29/1441215&from=rss ) toy, since it's no more impressive than a customized "Gonzor's Payload" U3 USB Drive ( http://wiki.gonzor228.com/index.php/SBConfig ) with a Microsoft Sticker and this is quite a bit more, well, dirty. -
BT3 FULLY supported the EEE before it launched..
BackTrack 3 Beta has full support for the EEE and this was completed before the EEE was even released into the wild?!?!?!?!
http://www.offensive-security.com/
http://remote-exploit.org/backtrack.html -
Hack a Day . Com
HackaDay ran an article on this a few days ago that went into some detail: http://www.hackaday.com/2007/12/02/wireless-keyboards-easily-cracked/
[Quote] We first covered breaking the commodity 27MHz radios used in wireless keyboards, mice, and presenters when [Luis Miras] gave a talk at Black Hat. Since then, the people at Dreamlab have managed to crack the encryption on Microsoft's Wireless Optical Desktop 1000 and 2000 products (and possibly more). Analyzing the protocol they found out that meta keys like shift and ALT are transmitted in cleartext. The "encryption" used on each regular keystroke involves XORing the key against a random one byte value determined during the initial sync with the receiver. So, if you sniff the handshake, you can decrypt the keystrokes. You really don't have to though; there are only 256 possible encryption keys. Using a dictionary file you can check all possible keys and determine the correct one after only receiving 20-50 keystrokes. Their demo video shows them sniffing keystrokes from three different keyboards at the same time. Someone could potentially build a wireless keylogger that picks up every keystroke from every keyboard in an office. You can read more about the attack in the whitepaper (pdf). [/Quote]
Link to Video (for lazy /.er's) - http://www.remote-exploit.org/max/automated.html
Link to Whitepaper (for all the people who post RTFA) - http://www.dreamlab.net/download/articles/27_Mhz_keyboard_insecurities.pdf -
Obscurity through Fascism! Total Unsecurity!!!
Do you want Obscurity?
Hide your nearly-complete LiveCD Back|Track2 http://www.remote-exploit.org/backtrack.html !!!
Sr. Police, my OEM PC is running Windows only. My hard disk is 100% pure Hasefroch Windows.
1-hour ago ...:
Running Back|Track2 ...
$ dig http://bundestag.de/ ;; ANSWER SECTION:
bundestag.de. 43200 IN A 217.79.215.140
$ whois 217.79.215.140 # i'm waiting long time ... i break it with Ctrl-C
Interrupted by signal 2...
Timeout.
$ # how stupid am i if they are spying me with their hacking tools because the protocol's 'whois' doesn't answer me!!!
The 'whois' protocol is mangled by the e-government!!!
$ traceroute 217.79.215.140
664 * * *
665 ge-1-2-22-ed1.ixsolutions.net (212.68.205.83)
666 ge-0-2-22-bg1.ixsolutions.net (217.68.155.35)
667 ge-2-2-22-ed2.ixsolutions.net (217.79.208.25)
668 * * *
$ ./vir_collect_execute --propagate --redcode 80 --weeks 3 no-deutsch-crime-law.worm
$ halt & exit
Do we play the 'Who is who?' game?
Govern wins - you lose.
My redcode worm is running for you, byebye 8) -
Re:not with my 2wire router
Touche! I was frustrated (this due to the fact that Time Warner fucked me around for a month and I still haven't heard back from them as to when they will come out and install my cable) so I quickly went through the setup, so yes, I may have missed a few minor details. My point was that it was better than defaults for most routers. I too use WPA. Given the fact that BackTrack helped me crack (err. obtain) some WEP keys in my hood to steal (err. borrow) some wireless before I was able to get an internet connection setup, it helped buy me some time while I was WOI (without internet)
-
What, no mention of Backtrack?
I'm disappointed nobody has mentioned BackTrack yet. Live, bootable Linux CD loaded with wireless scanning and hacking tools. To be honest, I haven't tried it yet, but Free sure is cheaper than $3600!
-
Re:Avoid ad-hoc connections
Uh, they already use Infrastructure connections. Bummer, eh?
Even worse, their 200mW cards will out-power the real 40mW access points so Windows will prefer to use the attacker's "closer" "access point".
http://www.remote-exploit.org/backtrack.html -
Am I wrong?
Am I wrong to think that vulnerability could be tested from the Backtrack Live cd?
http://www.remote-exploit.org/index.php/BackTrack
If I'm wrong I apologize. If not, well, it's a free download fulla' tools.
Maybe I'm missing something here, maybe not. -
A multitude of discs for a multitude of purposes..
I currently carry around with me:
Kororaa XGL live CD v0.3 and 0.2
There is nothing better than to show off the power of Linux to your friends and the non believers. 0.3 is only ATI cards at the moment, while 0.2 supports both. People are usually impressed by this.
Backtrack 1.0
The best in security analysis live cd's.
Damn Small Linux
Good for older machines :)
Offline NT Password and Registry Editor
Always good to have when people forget their admin password or something on a windows machine...
Auditor Security collection from the backtrack people. I still have this around because it supports a bit more hardware than backtrack did
Knoppix
Good when you are at public terminals and are kinda paranoid...
I also carry around various install cd's for recent versions of linux. -
Re:Because it's a pain on Linux
Define 'Linux'.
I'm running Gentoo and would strongly assert that the task is on the far 'minor pain' end of the spectrum. I did it using losetup, basic steps:
1. dump/restore everything to another HDD.
2. chroot/boot new HDD.
3. dd if=/dev/urandom of=/dev/hda bs=8192
4. wait
5. losetup -e aes256 /dev/loop0 /dev/hda
6. mke2fs /dev/loop0
7. mount /dev/loop0 /mnt/tmp
8. restore onto /mnt/tmp
Niggly details in papers here http://tldp.org/HOWTO/Encrypted-Root-Filesystem-HOWTO/ and here http://www.remote-exploit.org/index.php/Encrypted_EFS.
Granted, you speak of customers, but for those with middling to good Linux skills this shouldn't be too hard. -
Re:Very Easy cheesy
Actually you can determine if the hard drive was copied. If you look into the hdparm utilities, you can access a drive's runtime, last smartcheck time, and other statistics. This information can be logged by a paranoid host operating system to check for unaccounted time.
The "last smartcheck time" and other time variables on hard drives are just measured in total runtime minutes. Though the OS could warn the user if it was discovered on startup that the hard drive had been running for long since the last shutdown, that could just mean that someone powered on the computer and entered the BIOS setup, since last shutdown.
What someone could have done, and the article doesn't mention is booting the laptop from a CD like Auditor, mount a network volume and then do a copy of the laptop's hard drive with "dd if=/dev/hda of=/mnt/nfs/GovVolume.img"
As long as you're using protection (gloves), that leaves absolutely no trace whatsoever.
-
Good Wireless Tools Resource
Max Moser and some of the guys at remote-exploit have a few great tools and collections for wireless sniffing (all types, including bluetooth) such as the Auditor Collection.
Just a blatant plug for a friend, check it out. I think it's pretty cool. -
Re:Encryption?
There are people who work on this very thing. Evil Twins are one of wireless networking's biggest vulnerabilities, and they're why I connect to unsecured WAPs and then immediately connect to my VPN with MS-CHAPv1 authentication disabled.
You're right about the Man-in-the-Middle SSL attacks; getting your username and password is just the beginning, but it's a damn good start. -
Toolsets
I agree with one of the earlier posters; it is probably an infected system or 10.
The best thing you can do is use a tool such as Ethereal to find the IP of the system or systems causing it, and subject them to a good cleanup.
For a good toolset, check out the Auditor Security Tools LiveCD for a collection of tools you can take with you wherever you go...
-
Encrypted files
I ran into this easy to follow tutorial on setting up encrypted filesystems under linux, including virtual drives through loopback, and also entire devices/partitions/mount points: http://new.remote-exploit.org/index.php/Linux_encrypt -
Missing the point entirely
"Finally enough bandwidth for us all to cut the cord?"
You're a tech of some form I am assuming since you're writing a slashdot article, and yet you think bandwidth is the reason large chunks of us are staying away from Wifi. Ahem. Interesting theory.
Try this instead, if I have a cat5 running from my PC to my router I can see the cord.
I know if there's some vampire tap going on. Someone has to physically break into my home (to which I can add multiple additional layers of security so as not to risk a single point of failure of a dodgy old doorlock) and connect something to it, so I have a damn good chance of spotting something that is intercepting my bandwidth.
Wifi, unless I live in a faraday cage, I am sending out signals that say "Oh please come and take a look at my network and start using it" to everyone in a short radius from my house or anyone going past who is into wardriving. It then becomes a matter of not IF someone is able to break in but a calculation as to how long it takes; even with WEP and MAC addressing a lot of systems can be breached in 10 minutes to 2 hours if they are high traffic. Any old script kiddy can go to Knoppix STD (http://www.knoppix-std.org/) or Remote Auditor (http://new.remote-exploit.org/index.php/Auditor_main) and breach every wifi system on the market I can think of, all it takes is time. -
Re:Why Logan anyway
I'd gladly go through security five extra times (and when I say this, bear in mind that I require 3-4 trays when I open my 2 carryon bags because I carry 2 laptops, a digital projector, and about 25 pounds of cabling. It takes me 8 minutes plus lines to unpack and repack) if it increased the chances that the flight leaves and/or arrives on time. Flying out of KC isn't like flying out of O'Hare, Atlanta, or even Minneapolis.
I'm flying to Logan for the first time next week, then from Logan to KC, via O'hare. Ugh. I've heard bad stories other places than here about Logan, and am not looking forward to the trip. I give a 66.6% chance that I get there and back on the same days I'm scheduled, and a 10% chance that I get there and back with no delays.
Random link: Share wireless access on public hotspots -
Audiwhax
-
Auditor!
You want the Auditor Collection CD and a decent directional antenna, such as a Cantenna or, if you have some cash, something by Huber & Suhner. Auditor is, by a far stretch, the best wireless security tools collection out there--it's a great complement to something like Knoppix-STD.
A Fluke Can help regarding signal strength, but the built-in antennas generally aren't great for spotting directions. They can help you start delimiting a general area without having you look like an idiot walking around with a laptop, though.
Also you may want to consider a Bumblebee -- I've seen one of these in use at PacSecWest, and it did a pretty good job finding transmitters. It's also a lot smaller than either a Fluke or a laptop.
If you're on a budget, try something like a Digital Hotspotter, although I wouldn't recommend this particular company due to delivery problems. -
Getting around all security (for the most part)
There's an easy way to get around most of the problems discussed here. At a different computer (or at work, just to spite those bastards), surf over to the Auditor site and download the live CD ISO, and burn it to disk. Reset the computer with the disk in the drive and boot into auditor, thereby circumventing any email readers/IM sniffers/ whatever the hell they have installed on the godforsaken machine. From there, using the lovely built-in firefox, browse on over to https://gmail.google.com, and send your email. Alternatively, log into your favorite IM service with GAIM and shoot all those illegal/secret files to your cohorts outside company property
;). When you boot back into windows, make sure to run something very ram-intensive (or a RAM clearer) to delete any traces from your RAM, and there you have the perfect score. If someone from your IT department notifies your boss that your computer was "off" for a while, just tell your boss you were fixing a problem yourself instead of waiting a couple of hours for those buggers in IT, saving a lot of time and thereby increasing your productivity. Raise is on the way! -
Re:This is interesting...
I had similar lack of knowledge and experience issues back when I first started down the linux/*BSD path, and it can be quite intimidating to a newcomer to *nix-based OSs.
Fortunately, these days it is much easier to get a handle on basic linux and *BSD operation/configuration/etc. There are now many excellent LiveCD distributions out there, including both linux and FreeBSD (FreeSBIE project).
They allow a newcomer to experience an operational, mostly configured system without risking your existing OS and data, and get familiar with it, and most can be installed to a hard drive while saving the configurations that were auto-detected by the LiveCD startup.
There are many flavors of linux LiveCD distributions out there like Knoppix http://www.knoppix.net/ and even "specialty" LiveCDs like P.H.L.A.K. (Professional Hackers Linux Assault Kit) http://www.phlak.org/ or Auditor http://new.remote-exploit.org/index.php/Auditor_main and for FreeBSD there is FreeSBIE http://www.freesbie.org/ which gave me my leg-up with the steep part of the learning curve for FreeBSD (the developers at #freesbie on Azzura.net on IRC are helpful and friendly!).
Good luck, hope that helps!
Strat -
Re:Okay now...
Use whatever's convenient for you, as in whatever works. I have an XP laptop for work with customers, a FreeBSD file & print server at home, a M0n0wall firewall, a second playing-around drive for my laptop with Debian Woody, a couple of live filesystem CDs with Auditor and other similar security-relevant distros as well as a Knoppix CD for recovery, and I'm buying a Powerbook soon to get real work done (network security analysis type stuff, PITA under Windows.)
OS evangelism is stupid, and you have some good points about usability.
As for your printing woes, please do have a look at CUPS--it's the mutt's nutts for UNIX printing as far as I'm concerned. -
I adore my SL5500
It's not really a PDA, it's a pocketable Linux computer.
First, the PDA side of things. People criticise it for having weak PDA features which, compared to Palms, and that's somewhat true; my previous Psion PDAs had a few extra features around the edges that I miss, but by and large the PIM features are fine for my moderately advanced use.
But there's so much more! SCUMMVM in the palm of your hand with mp3-encoded talkie versions of Fate of Atlantis or Day of the Tentacle is pretty nifty. Add a Wifi card, install Wellenreiter or Kismet, and go low-profile warwalking. I have a Pocketop IR folding keyboard for long documentation on the go; the screen rotation software Just Works, unlike a lot of PocketPCs.
Unlike Palm owners, I can handle DOC and XLS files native on the device; this is particularly key because the Zaurus is a computer in its own right and not a PDA. The Hancom office apps shipped with it are usable enough for quick on-the-go editing and creation. I could do with one of these now for instant printing of invoices when I'm out at a client's site.
The big compelling piece of software is OpenZaurus, a completely open source and regularly updated distro to replace the Sharp ROM. It's a bit like trading Debian stable for unstable; kinda hacky at times, kinda buggy at others, but it's so exciting to get a massive batch of upgrades every few weeks full of improvements. It's never been buggy enough to lose my PDA data, and in any event with multisync, unison and rsync my data is backed up six ways to Sunday.
Other people like apps like opie-reader for ebooks, portable Ogg players (there are a few), portable DivX playback, email (this is noticeably ropy under OpenZaurus, but getting better), and many more... For more ideas, see this thread on zaurus.com.
Downsides? I find the QWERTY keyboard wearing after a few minutes, hence I have the Pocketop, and I've managed to scratch the screen under the handwriting recognition area so I can't really use it any more (I think that was my fault, to be fair). The battery life sucks too, but then it does on all these colour mobile devices. Apparently, the SL5600 is better.
So basically, if you want a PDA, get a Palm. If you want a pocketable Linux computer in a PDA form factor with respectable PIM features and a mountain of open source apps, get a Zaurus. -
Wellenreiter
Although it wasn't on the list, Wellenreiter is a really great wireless scanner. Plus, it runs on the Zaurus under OZ3, which makes it great for less conspicuous scanning since you don't have to lug a laptop around.
-
good effort, but not quite what it seems...
Basically what this guy did was realize that the MAC-generation algorithm in spoofing software Wellenreiter has a weakness, namely that the OUIs it generates aren't all legit. (OUI is the organizationally unique identifier which is in the first few bits of the MAC address.) Also see the helpful Sourceforge description of Wellenreiter.
He similarly points out limitations in denial of service tools: AirJack and FakeAP software. However, this isn't the same as giving a general technique for analyzing MAC addresses on 802.11b, something which was strongly implied in the original post. -
Re:Changing the MAC
That only works if your card supports it. Mine (prism2) doesn't, according to this page. I think that's why 11thangel wrote, "Time to find a WiFi card that can MAC-hop."
-
even easier to sniff
No more tempest vans running around outside your house. Just a guy with a wireless modem, sniffing your wireless network and sending keystrokes via your wireless keyboard and mouse.
Entrapment could be ever so easy: Look! He went to a child porno site!
Wasn't that you sitting outside my house breaking and entering my computer?