Domain: shmoo.com
Stories and comments across the archive that link to shmoo.com.
Comments · 150
-
Re:I thought it was standard
Yes, that is the biggest mistake no-name wireless installers and IT consultants (i.e. the guy installed a wireless AP in his house and now he's an expert) make with small businesses: they use different SSIDs and WEP keys for each access point. It is extremely annoying. Use the same SSID and the same WEP/WAP key for each access point. In the 802.11X standard, it is the responsibility of the wireless client to automatically determine which AP is best and automatically switch and potentially hop channels. You will want slight overlap of the wireless zones, but don't place them too far away or too close to each other. Be aware of any areas where a "firewall" is installed (not an electronic firewall, but a wall with extra insulation that protects different areas from spreading fire) and plan APs accordingly. Once you place the APs with approximate locations, do a slow walk-around with your laptop and use airsnort to get signal strengths and tweak AP location before physically installing them in the ceiling or walls or wherever. A popular thing for businesses with the removable ceiling tiles is to cut a small hole in the tile and let the APs' antenna(e) point downwards into the actual normal airspace. Of course, this typically requires running power into the crawlspace somehow.
-
Re:Yeah well
An OLD distro which solves that problem:
http://tinfoilhat.shmoo.com/readme.txt
"* Keystroke monitoring.
THL has gpggrid, a wrapper for GPG that lets you use a video game style character entry system instead of typing in your passphrase. Keystroke loggers get a random set of grid points, not your passphrase." -
Re:The Onion Router
It's as basic as can be, and dates back before flash drives. If OBL read Slashdot he'd have known about this years ago:
-
Slashdotted
-
Re:physical access == game over
We've used the resources of our LAN to brute force a password a fired user placed on one of our assets.
If you have LANMAN hashes on the local network, you can usually (well over 99.9% IIRC) get the password very quickly using the "alpha-numeric-symbol32-space" lanman rainbow tables available here. -
Re:A LiveCD will not save you from a hardware base
Depends on what you build into it. Tinfoil Hat Linux has some interesting ideas:
http://tinfoilhat.shmoo.com/readme.txt
Instead of a floppy, one might use a multisession LiveCD. -
Re:"fair" would be "what users need"
"Otherwise, I could create a Linux distro that is THE safest operating system EVER... and just not let you do anything, no network connectivity, etc. Pretty safe! And useless."
Oh, I dunno... http://tinfoilhat.shmoo.com/ It has its uses. -
Re:Bootable Debian on USB key with root encryption
Worst case implement the random onscreen keyboard they used on http://tinfoilhat.shmoo.com/
-
Re:Changing a system
Back in 2005 Firefox briefly disabled its support for IDN after The Shmoo Group demonstrated the ease of using Internationalized Domain Names (IDNs) to spoof existing domains, including those for major retailers or banks. At the time, Mozilla said domain registrars were ignoring ICANN guidelines on IDN, and developed a list of problematic Unicode characters that could be banned in domain names to limit homographic attacks. Not sure if this is still current.
-
Re:Hardware keyloggers suck.
Tin foil hat has had protection against keyloggers in general for some time, by allowing the use of a virtual keyboard which changes on every keypress. In that case, screen captures would have to be taken as well.
-
Re:Oh, lookie here
The default settings of P2P applications share all documents and media files on your machine. Which P2P apps are they talking about?
P2P file exchanges generally violate international copyright laws. - Stop lumping P2P with piracy, DoD!
I'd say part scare tactic and part CYA. More than anything I'd wager the presenter was not interested in the briefing becoming a class on how to securely and ethically utilize P2P programs. Let's be honest, bigwigs usually aren't tech savvy - they have assistants for that.
CLASSIFIED CPU's should be at least 3 feet from UNCLASSIFIED CPU's - Cooties?
Google "Computer security TEMPEST". Then you can go download Tempest for Eliza for your own fun. Check out Tinfoil Hat Linux too :D (wiki at http://en.wikipedia.org/wiki/Tinfoil_Hat_Linux) -
And here's how a Windows 0-day works over Wi-Fi
Beating the rogue access point (AP) dead horse a bit here, and spelling it out for those who don't "get it".
Badguy creates hostile "website" with Windows exploit. Badguy goes to local airport terminal or Starbucks and pretends to be a legitimate wireless hotspot using Airsnarf or similar rogue AP utility. Badguy FORCES any user who joins wireless network to browse the hostile website that has the Windows exploit. User gets owned. Lather, rinse, repeat.
You can do this to your neighbor, too, if they have an open access point. FYI.
The point is that it does NOT require coincidental surfing of hostile websites to gather and exploit targets with a Windows 0-day these days. The rich and elite road warriors carrying all their financial and corporate data with them are prime targets. Attackers with rogue AP setups can make easy money from hotspot users by FORCING them to browse a hostile "website" with a rogue AP "splash page".
Particularly vulnerable, are hotspot users that have the Windows operating system installed and use IE as their default browser.
Sincerely,
Beetle
-
van Eck phreaking
http://www.shmoo.com/tempest/emr.pdf a nice overview of it. By Wim van Eck
-
New spam and phishing grounds
Social bookmarking would seem to be an ideal target for spammers and other malefactors of the net. How do systems such as Flock keep spammers from touting commercial links?
These systems would also make ideal phishing grounds. Posting a fake "eBay" link ("look at this cool auction!!!") would take the target person to a faked eBay auction page (e.g with an IDN exploit) or just a scam domain (ebbay.com, etc.) that then asks for a eBay or Paypal password. Since many of the people that would follow a socially bookmarked eBay link are eBay/Paypal users the phisher would get a high hit rate.
Even if the system relies on some form of accumulated reputation or trust networks, it's still possible for someone to cultivate a great reputation before abusing the system with spam or phishing.
-
Re:Here's a question...
IDN is inherently insecure. I already had it disabled for this reason.
-
Re:Umm...
I'll elaborate. Remember this?
-
Re:Downloadable database form?
selling them? http://rainbowtables.shmoo.com/ was giving out free torrents at defcon
... It's something like 30-60GB tho so watch out. -
Pathetic
This is one of the most pathetic and unresearched articles ever posted, and that is a BIG statement to make. Zonk, did you even read what the submission was, or is it just so slow today that you'll post anything? If you really want some interesting reading on WiFi security then go check out the http://www.shmoo.com/shmoo-fu.pdf Shmoo Fu article presented at DefCon and Black Hat in part for some really interesting WiFi security details.
-
If this were 2003.....then there would be no huge issue. But with tools like - Airsnort for Unix, NetStumbler for Windows and MacStumbler for Mac, there is no excuse for this.
I would consider it to be criminally negligent.
It is a shame that they allow these agencies to receive funding or for their IS / IT departments to still have jobs.
Let's stop talking about Filibusters and start talking National Security
-
Re:write in advance, encrypt and email it
Maybe Tinfoil Hat Linux could be useful to someone after all.
-
Tinfoil Hat Linux
There's this neat little one-floppy-distro, Tinfoil Hat Linux (The site seems down @tm, so here's the Google Cache Version of it). Though it comes without networking support, due to its very paranoid approach to guarantee security. Beefed up with the things your mates need, they'd be virtually immune to (hardware) keyloggers - freeing their way to a on the box outside via ssh or something like that.
-
fun and profit
Didn't Aleph One describe this years ago?
-
Buffer Overflows
The best article about buffer overflows is the well-known "Smashing the Stack for Fun and Profit" by Aleph One in Phrack. Here's the first link google gave me.
Everything else (like this article) pales in comparison. -
Fun and Profit
I agree,
If anything, one should use this classic text:
http://www.shmoo.com/phrack/Phrack49/p49-14 -
Re:A legal torrent/torrent site that I'd like to s
This site should have what you are looking for! http://rainbowtables.shmoo.com/
-
Re:A legal torrent/torrent site that I'd like to s
Not MD5, but http://rainbowtables.shmoo.com/ has LanMan rainbow tables.
-
Re:Right...
Ah, you're right - just tested this on http://www.shmoo.com/idn/. Even better then!
:) -
Re:Fingerprinting
This dissertation will get this dude himself a position with the NSA.
He's already got a position with a three-letter org. TSG. Check out the membership list.
-
Here is an example.
Here is an example how Firefox 1.0.1 shows IDN names.*
Click the Fake and Real link to see the difference.
The Fake site will not work with Internet Explorer with the latest service pack.
*Requires Firefox 1.0.1 -
Re:How do you figure?
Sure, people don't usually click the padlock but they might notice a warning saying that the certificate doesn't come from a recognized authority or that it doesn't match the name of the site.
The problem happens if a "trusted" authority issues certificates for sites like these. Then people go to the site, think everything is okay, and securely give out information to the phishers. This is why automatically trusting these free certs is stupid and why you might as well just make your own certificate.
-
Re:How about selective INT Domain Filtering?
To my knowledge, there is only one way to encode the latin letters in UTF-8. They don't have any redundant code positions in Unicode, do they?
They don't, but they do have multiple code points that are commonly rendered to the same glyph (yet have different collation behavior, etc.) In these example exploits, the Cyrillic "o" (о = о = U+043E [*]) is used in place of the Latin "o". It looks identical, but it's a different domain.
[*] - It's in this Unicode code chart.
-
Can you identify an IDN?
The problem is that you can't always easily identify an international domain name. In particular, IDNs contain characters that are nearly identical to Latin character set but are treated differently. Slashdot won't let me put in examples, but examples here.
The paypal.com one is particularly scary. It looks like paypal.com in your status bar when you hover over the link. It reads paypal.com in your address bar. But it isn't Paypal. That's because the "a" isn't an "a" but is really Unicode D0B0 If they'd put any effort into making it look like Paypal, it would be easy for somebody to direct you there and steal your Paypal password.
In Firefox and IE they're indistinguishable. Even if they added a clue that something was different (e.g. colors to indicate an IDN) you'd have to look closely, and if IDNs became common you'd start to ignore the color coding. If the only difference between "paypal.com" and an identical spoof were small, you'd get tired of looking closely, and forget. If the warning was unignorable, like a popup, you'd turn it off.
So the upshot is, yeah, beware of web sites you don't know, but with IDNs you don't always know whom you know. -
Check out this Firefox-only exploit
The Schmoo Group (http://www.shmoo.com/) 0wned Firefox and basically everything except IE with International Domain Support. It might be a wise security move to turn this functionality off in your browsers until updated versions address the vulnerability, as phishing scams are expected to erupt utilizing this exploit shortly.
Details here: http://www.shmoo.com/idn/homograph.txt
Watch the exploit in action here: http://www.shmoo.com/idn/
To patch this (in most browsers):
1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.
4) Go check out the shmoo demo (above) again and notice it no longer works. -
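The comments above describe the homograph problem from the defender's side: a hostname containing a Cyrillic letter that renders identically to a Latin one, and the two countermeasures browsers and filters ended up using (flagging labels that mix scripts, and showing the ASCII "xn--" form the resolver actually sees). The following Python script is an added example written for this page; it is not code from The Shmoo Group, the homograph advisory, or any of the commenters. The sample hostnames and the small confusables map are constructed for the demonstration (the real Unicode confusables table is far larger), and the function names are the example's own.

```python
import unicodedata

# Constructed sample hostnames (not taken from the Shmoo demo page): a genuine
# name, a spoof with a single Cyrillic letter, and a spoof written entirely
# in Cyrillic so that no single label mixes scripts.
SAMPLES = {
    "genuine": "paypal.com",
    "mixed": "p\u0430ypal.com",                           # 2nd letter: CYRILLIC SMALL LETTER A
    "single_script": "\u0430\u0440\u0440\u04cf\u0435.com",  # "apple" spelled in Cyrillic only
}

# Constructed subset of Unicode confusables: Cyrillic letters whose usual glyph
# cannot be told apart from a Latin letter. Extend from the official table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u04cf": "l", "\u0455": "s", "\u04bb": "h", "\u0458": "j",
}

KNOWN_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"}


def script_of(ch):
    """Script of a character, derived from the first word of its Unicode name.
    ASCII digits and '-' are COMMON and never count toward script mixing."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    first_word = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
    return first_word if first_word in KNOWN_SCRIPTS else "OTHER"


def label_scripts(label):
    return {s for s in map(script_of, label) if s != "COMMON"}


def is_mixed_script(hostname):
    """True if any DNS label combines scripts, e.g. Latin plus Cyrillic.
    This is the check that catches the one-letter paypal spoof but NOT an
    all-Cyrillic lookalike, which is why skeleton matching is also needed."""
    return any(len(label_scripts(lbl)) > 1 for lbl in hostname.lower().split("."))


def skeleton(hostname):
    """Fold every confusable character to the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname.lower())


def spoof_of(hostname, known_domains):
    """Return the known domain this hostname visually impersonates, or None.
    A byte-identical match is the real domain, not a spoof."""
    if hostname in known_domains:
        return None
    folded = skeleton(hostname)
    for domain in known_domains:
        if folded == skeleton(domain):
            return domain
    return None


def to_ascii(hostname):
    """The ASCII (xn--) form a resolver actually sends on the wire; this is
    what a browser displays when it refuses to render the Unicode label.
    Returns None when the IDNA codec rejects the name."""
    try:
        return hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None


if __name__ == "__main__":
    brands = ["paypal.com", "apple.com"]
    for kind, host in SAMPLES.items():
        print(f"{kind:14} mixed={is_mixed_script(host)!s:5} "
              f"spoof_of={spoof_of(host, brands)} ascii={to_ascii(host)}")
```

Running the script shows the two checks complementing each other: the one-letter spoof is flagged as mixed-script and its wire form begins with `xn--`, while the all-Cyrillic spoof passes the mixed-script test and is only caught by comparing skeletons against a list of domains you care about. A URL filter or mail gateway would run both checks on every hostname it sees.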
Re:Another IDN bug on Firefox
I'm not sure exactly what you guys are talking about. When I follow the paypal link from here, it doesn't look any different to me.
I even loaded that link and the real paypal in separate tabs. Then I flipped back and forth and they're exactly the same. Maybe it's different in Linux or something.
As far as seeing the real address in the status bar, well it loads so quick for me that I don't see that either. -
Open source
Dammit, I wish I'd listened to those open-source hippies now! I now realise that the open-source model allows quick and easy patching to occur almost instantaneously, the vulnerability was only "just" discovered.
-
How to fix it in Firefox
Go to about:config in the address bar.
search for the property:
network.enableIDN
Change this to false as per the advisory workaround in http://www.shmoo.com/idn/homograph.txt. "V. Workaround: You can disable IDN support in mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari."
-
Re:Paranoid? No...
"I just wear my tin-foil hat and everything seems to be in order...
Obligatory mention
"Tinfoil Hat Linux started as a secure, single floppy, bootable Linux distribution for storing PGP keys and then encrypting, signing and wiping files."
Of course, you never know who's put a hardware numlock-logger onto your computer...
can you (semi-serious question, this) buy transparent keyboards anywhere?
-
This is NEWS? "Baaaaaa", goes the mindless sheep.
Could've sworn I publicly demo'd how to steal T-mobile, PayPal, E-Trade, you name it passwords from users with rogue APs ummm... almost 2 YEARS AGO.
http://airsnarf.shmoo.com
Maybe we just don't pay news organizations enough to pimp our shit and get some Slashdottin'? Shame on us.
We're obviously slacking, but the world better wake the fuck up. Slashdot, too. And maybe university professors with eureka-look-what-hackers-have-been-doing-forEVER moments.
FYI, we're hosting a hacker conference in D.C. in a couple weeks--just in case you want to get a head start on the news items that Slashdot will pick up on 2 years from now.
Sincerely,
Beetle
The Shmoo Group -
Re:Details???
Perhaps you should read WEP: Dead Again, Part 1. It compares various WEP cracking tools to see how fast they can crack WEP keys with varying amounts of packets. While the popular AirSnort usually needs over 10 million encrypted packets to crack a WEP key, aircrack usually needs around 500,000. That's the difference between being able to gather enough packets in a day versus a week or more.
-
Not Much Good
It would just be vulnerable to space snort.
-
Re:Yeah, and?
TEMPEST @ Wikipedia
Another article with some more links.
I think the original poster may be referring to Van Eck Phreaking, not TEMPEST, as TEMPEST is the US code limiting the radiation out from electronic equipment, and Van Eck Phreaking is actually receiving the signal emitted from the equipment.
Actually for more go to Google and look up "Van Eck Phreaking" -
Re:AiroPeek NX?
Lots of filtering, etc, but it's mostly that no good raw wireless packet grabber (yes, you can use tcpdump, but without putting the wireless card into monitor mode you won't get packets that are just passing by) has been released for windows. You can get the Airopeek demo and use the included drivers and libraries with Airsnort as described here, but I tend to get periodic bluescreens.
-
Re:only limited protection
That's a very good point. According to the http://pvpm.metropipe.net/ link, PVPM runs from an OS that could have who knows what installed on it, so this would not protect you from someone like that guy who installed keyloggers in the Kinko's computers.
This is more secure than nothing (although there is the danger of a false sense of security!) and it would allow you to use portable encryption on machines that belong to people you trust, but that's all.
It would be much better to boot a secure OS from the key. Something like Tinfoil Hat Linux (following the link is worth it just for the Tux picture), but with more features (Tinfoil runs from a 1.4MB floppy, I think). Tinfoil can play text output as Morse Code through the keyboard LEDs, however, to prevent Tempest attacks.
-
Re:The flip side
Even with BT encryption, BT is considered weak. Remember that BT devices are low-power, which means that they likely don't have the computational resources for strong encryption.
Since a BT keyboard tends to remain in the same general location, and a malicious listener can be a considerable distance away undetected, spending even a few days to crack the encryption is entirely reasonable. Wardriving tools for BT exist in the wild.
It's not as easy (or even possible in most cases) to add additional layers of strong encryption to BT as it is for WiFi. So while WiFi can also be cracked, cracking a transported VPN isn't currently feasible. BT has no such option, and once cracked anything typed (userid, password, bank account numbers, PINs, private correspondence, etc.) is easily read, in real-time.
-
Re:Claiming "terror" to justify other things...
I wonder if LostCluster uses TinfoilHat Linux?
-
Re:ARGH! (RC4)
Out of curiosity, why?
I don't recall the details, but an attack was found a few years ago that allows the key to be recovered if the attacker can get the first few bytes of the keystream. Doing it requires the first few bytes of many related keystreams, and getting the keystream from the ciphertext requires that the attacker have the plaintext. With WEP, RC4 is rekeyed for every packet, and the first few bytes of each packet are highly predictable, so an eavesdropper can fairly easily gather enough data to mount the attack.
Got any links so I can read up on the why and wherefore?
Google turns up plenty. Here is the original paper, which has all of the dirty details. Here is a paper that describes how to use it to attack WEP. And, of course, if you'd like to read code that implements the attack, look at Airsnort.