8/7/2008
09:30 AM

'Bringing Sexy Back' to Hacking

DefCon session will feature iPhones running WiFi scans and sophisticated spear-phishing tricks

LAS VEGAS -- DefCon 16 -- This time, the iPhone is doing the hacking: a pair of researchers will reveal here tomorrow at DefCon 16 how they ship iPhones running security tools to their client sites to remotely conduct some elements of a penetration test.

It’s just one fun hacking method that Errata Security’s Robert Graham and David Maynor will demonstrate in their “Bringing Sexy Back: Breaking in With Style” session here. The researchers have also created a novel spear-phishing method that they use on engagements for their clients.

“We’re just saying you have to be a little creative with the tools you have and you can do some fun stuff,” says Graham, CEO of Errata Security.

The idea for shipping an iPhone loaded with network tools such as tcpdump and Nmap came mostly out of necessity for Graham and Maynor: “One of our customers that was out of state wanted us to do a wireless audit for them as part of a pen test, but we would have been sniffing packets and then twiddling our thumbs” for the basic audit, Graham says, plus the client had multiple out-of-state sites. “This was a simple solution that didn’t [require] us going onsite.”

So the researchers load the tools onto the iPhone, add a separate battery pack, and ship it out via overnight delivery. Once there, the iPhone collects security data on the WiFi network, such as whether encryption is deployed and, if so, what type, and it detects rogue access points and laptops vulnerable to WiFi-borne attacks. The researchers keep an SSH connection to the iPhone so they can run the tests from a command line, Graham says.

Graham says the data and packets it captures are then run through the firm’s Ferret WiFi hacking tool. “We have a Ferret build for the iPhone, but it’s not working yet,” Graham says. They’re also looking at running the powerful Metasploit hacking tool on the iPhone as well, he says.
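The two audit questions the article names, what encryption a network advertises and whether an unexpected access point is on the air, can both be answered from beacon frames alone. The following is an added example, not Errata Security's or Ferret's code: it parses the Capability Information field and the RSN and WPA information elements of 802.11 beacons the way a classifier run over a tcpdump capture would, labels each BSSID as Open, WEP, WPA, WPA2 or WPA3 with its cipher and key-management suites, and compares what it sees against an allowlist of authorised BSSIDs to flag rogue APs and evil twins. All frames are constructed inline by the `build_beacon` helper; the BSSIDs, SSIDs and the `AUTHORISED` table are made up for the demonstration.

```python
"""Classify 802.11 beacon frames by advertised security and flag rogue access points.

Added example, not Errata Security's code. Every frame below is constructed in this
file with build_beacon(); nothing here is a real capture.
"""
import struct

PRIVACY_BIT = 0x0010          # Capability Information bit 4 ("Privacy"): WEP unless an RSN/WPA IE is present
OUI_IEEE = b"\x00\x0f\xac"    # suite selector OUI used by the RSN IE (WPA2/WPA3)
OUI_MSFT = b"\x00\x50\xf2"    # vendor OUI used by the legacy WPA IE
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}


def tagged_params(body):
    """Yield (tag, value) pairs from a run of information elements laid out as tag, length, value."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        yield tag, body[i + 2:i + 2 + length]
        i += 2 + length


def parse_suites(data, oui):
    """Parse group cipher, pairwise cipher list and AKM list; this layout is shared by RSN and WPA IEs."""
    def name(table, suite):
        return table.get(suite[3], "unknown") if suite[:3] == oui else "vendor"
    n_pair = struct.unpack_from("<H", data, 4)[0]
    pairwise = [data[6 + 4 * k:10 + 4 * k] for k in range(n_pair)]
    off = 6 + 4 * n_pair
    n_akm = struct.unpack_from("<H", data, off)[0]
    akms = [data[off + 2 + 4 * k:off + 6 + 4 * k] for k in range(n_akm)]
    return {"group": name(CIPHERS, data[0:4]),
            "pairwise": [name(CIPHERS, s) for s in pairwise],
            "akm": [name(AKMS, s) for s in akms]}


def parse_beacon(frame):
    """Return BSSID, SSID and a security label such as "Open", "WEP", "WPA-PSK TKIP" or "WPA2-802.1X CCMP"."""
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])    # Address 3 of the 24-byte management header
    body = frame[24:]
    cap = struct.unpack_from("<H", body, 10)[0]             # follows the 8-byte timestamp and 2-byte interval
    ssid, rsn, wpa = "", None, None
    for tag, val in tagged_params(body[12:]):
        if tag == 0:
            ssid = val.decode("utf-8", "replace")
        elif tag == 48:                                     # RSN IE: version(2) then suites
            rsn = parse_suites(val[2:], OUI_IEEE)
        elif tag == 221 and val[:4] == OUI_MSFT + b"\x01":  # WPA IE: OUI(3) type(1) version(2) then suites
            wpa = parse_suites(val[6:], OUI_MSFT)
    if rsn:
        generation = "WPA3" if "SAE" in rsn["akm"] else "WPA2"
        security = f"{generation}-{'/'.join(rsn['akm'])} {'/'.join(rsn['pairwise'])}"
    elif wpa:
        security = f"WPA-{'/'.join(wpa['akm'])} {'/'.join(wpa['pairwise'])}"
    elif cap & PRIVACY_BIT:
        security = "WEP"
    else:
        security = "Open"
    return {"bssid": bssid, "ssid": ssid, "security": security}


def audit(frames, authorised):
    """authorised maps each known BSSID to its expected SSID; returns one record per beacon with an 'issues' list."""
    corporate_ssids = set(authorised.values())
    report = []
    for frame in frames:
        rec = parse_beacon(frame)
        issues = []
        if rec["bssid"] not in authorised:
            issues.append("evil twin" if rec["ssid"] in corporate_ssids else "unknown BSSID")
        elif authorised[rec["bssid"]] != rec["ssid"]:
            issues.append("SSID mismatch")
        if rec["security"] in ("Open", "WEP") or "TKIP" in rec["security"]:
            issues.append("weak encryption")
        rec["issues"] = issues
        report.append(rec)
    return report


# ---- constructed test frames (hypothetical BSSIDs and SSIDs) -------------------------------------------
def _suite_ie(tag, prefix, oui, group, pairwise, akm):
    body = prefix + oui + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(oui + bytes([a]) for a in akm)
    return bytes([tag, len(body)]) + body


def rsn_ie(pairwise, akm, group=4):
    return _suite_ie(48, struct.pack("<H", 1), OUI_IEEE, group, pairwise, akm)


def wpa_ie(pairwise, akm, group=2):
    return _suite_ie(221, OUI_MSFT + b"\x01" + struct.pack("<H", 1), OUI_MSFT, group, pairwise, akm)


def build_beacon(bssid, ssid, privacy=False, extra_ies=b""):
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"  # FC, duration, DA, SA, BSSID, seq
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, PRIVACY_BIT if privacy else 0)
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode() + extra_ies


AUTHORISED = {"00:11:22:33:44:01": "corp-wlan", "00:11:22:33:44:02": "corp-wlan"}
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:01", "corp-wlan", True, rsn_ie([4], [1])),  # WPA2-Enterprise, CCMP
    build_beacon("00:11:22:33:44:02", "corp-wlan", True, wpa_ie([2], [2])),  # legacy WPA-PSK with TKIP
    build_beacon("00:11:22:33:44:03", "corp-wlan", True, rsn_ie([4], [2])),  # corporate SSID, unknown BSSID
    build_beacon("aa:bb:cc:dd:ee:ff", "printer-setup", False),              # open network
    build_beacon("aa:bb:cc:dd:ee:01", "legacy-scanner", True),              # Privacy bit set, no RSN/WPA IE
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_FRAMES, AUTHORISED):
        print(f"{rec['bssid']}  {rec['ssid']:<15} {rec['security']:<22} {', '.join(rec['issues']) or 'ok'}")
```

The Privacy bit on its own is ambiguous: it is set for WEP and for WPA/WPA2 alike, so the classifier only calls a network WEP when the bit is set and no RSN or WPA element is present. In a real capture, feed `parse_beacon` the 802.11 frames (not the radiotap header, which tcpdump prepends on monitor-mode interfaces) and replace the allowlist with the client's inventory of authorised access points.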

WiFi fuzzing is another option for this kind of drop-box device, Graham says, and the researchers may try it with the Nokia N810 Internet Tablet.

Graham and Maynor have also added a few twists to gauging a firm’s vulnerability to a targeted, or spear-phishing, attack. For a client, they set up a phony 401(k) management firm site that closely resembles a legitimate company’s. The researchers then gather user email addresses from their client and send out a bogus message, purportedly from the human resources department, saying that the company is changing 401(k) providers.

“It says the user needs to log on and opt in,” Graham says. “So we can get usernames and passwords.” But unlike most phishing attacks, which stop at harvesting credentials, this one also goes after the browser: the site serves an ActiveX control that the researchers had code-signed, so it appears legitimate and runs on the victim’s machine. They also established the site as a legitimate business and were able to buy an SSL certificate for it from VeriSign, he says. “So the user will download and run the ActiveX code and now we own their computer,” he says. “They get a nice, trusted SSL connection.” Neither signal protects the victim: a code-signing certificate and an SSL certificate attest only that someone paid a certificate authority and passed its vetting, not that the code or the site is benign.

“Most [phishing] hackers aren’t doing this because they have low margins... they would not pay $1,000,” he says. “But for us, we create one Website with $1,000 and do all of the phishing attacks” for their clients’ penetration tests, he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...