Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/7/2008
09:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Bringing Sexy Back' to Hacking

DefCon session will feature iPhones running WiFi scans and sophisticated spear-phishing tricks

LAS VEGAS -- DefCon 16 -- This time, the iPhone is doing the hacking: a pair of researchers will reveal here tomorrow at DefCon 16 how they ship iPhones running security tools to their client sites to remotely conduct some elements of a penetration test.

It’s just one fun hacking method that Errata Security’s Robert Graham and David Maynor will demonstrate in their “Bringing Sexy Back: Breaking in With Style” session here. The researchers also have created a novel method of spear phishing that they also use for their clients.

“We’re just saying you have to be a little creative with the tools you have and you can do some fun stuff,” says Graham, CEO of Errata Security.

The idea for shipping an iPhone equipped with WiFi auditing tools like TCP dump and Nmap came mostly out of necessity for Graham and Maynor: “One of our customers that was out of state wanted us to do a wireless audit for them as part of a pen test, but we would have been sniffing packets and then twiddling our thumbs” for the basic audit, Graham says, plus the client had multiple out-of-state sites. “This was a simple solution that didn’t [require] us going onsite.”

So the researchers enable the tools on the iPhone and add a separate battery pack and ship it out via overnight delivery. Once there, the iPhone collects security data on the WiFi network, such as whether encryption is deployed and if so, what type, as well as detecting rogue access points or laptops vulnerable to WiFi-borne hacks. There’s an SSH connection to the iPhone so they can run the tests via a command line, Graham says.

Graham says the data and packets it captures are then run through the firm’s Ferret WiFi hacking tool. “We have a Ferret build for the iPhone, but it’s not working yet,” Graham says. They’re also looking at running the powerful Metasploit hacking tool on the iPhone as well, he says.

WiFi fuzzing is another option for this, Graham says, and the researchers may try it with the Nokia N810 smart phone.

Graham and Maynor have also added a few twists to gauging a firm’s vulnerability to a targeted, or spear phishing attack. They set up a phony 401K management firm site for a client that looks a lot like a legitimate company. The researchers then gather user email addresses from their client, and send out a bogus message purportedly from the human resources department saying that the company is changing 401K providers.

“It says the user needs to log on and opt in,” Graham says. “So we can get usernames and passwords.” But unlike most phishing attacks that attack the desktop directly, this one goes after the browser using an ActiveX tool that it gets “signed,” so it appears legitimate and will run on the victim’s machine. They also managed to establish legitimacy for the site and were able to purchase an SSL certificate from VeriSign, he says. “So the user will download and run the ActiveX code and now we own their computer,” he says. “They get a nice, trusted SSL connection.”

“Most [phishing] hackers aren’t doing this because they have low margins... they would not pay $1,000,” he says. “But for us, we create one Website with $1,000 and do all of the phishing attacks” for our clients’ penetration tests, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Errata Security Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    The Security of Cloud Applications
    Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
    US Mayors Commit to Just Saying No to Ransomware
    Robert Lemos, Contributing Writer,  7/16/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Building and Managing an IT Security Operations Program
    As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
    Flash Poll
    The State of IT Operations and Cybersecurity Operations
    The State of IT Operations and Cybersecurity Operations
    Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-13640
    PUBLISHED: 2019-07-17
    In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.
    CVE-2019-5222
    PUBLISHED: 2019-07-17
    There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An attacker tricks the user to install a malicious application and successful ...
    CVE-2019-1919
    PUBLISHED: 2019-07-17
    A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account w...
    CVE-2019-1920
    PUBLISHED: 2019-07-17
    A vulnerability in the 802.11r Fast Transition (FT) implementation for Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected interface. The vulnerability is due to a lack of complete error handling conditi...
    CVE-2019-1923
    PUBLISHED: 2019-07-17
    A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by access...