Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/7/2008
09:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Bringing Sexy Back' to Hacking

DefCon session will feature iPhones running WiFi scans and sophisticated spear-phishing tricks

LAS VEGAS -- DefCon 16 -- This time, the iPhone is doing the hacking: a pair of researchers will reveal here tomorrow at DefCon 16 how they ship iPhones running security tools to their client sites to remotely conduct some elements of a penetration test.

It’s just one fun hacking method that Errata Security’s Robert Graham and David Maynor will demonstrate in their “Bringing Sexy Back: Breaking in With Style” session here. The researchers also have created a novel method of spear phishing that they also use for their clients.

“We’re just saying you have to be a little creative with the tools you have and you can do some fun stuff,” says Graham, CEO of Errata Security.

The idea for shipping an iPhone equipped with WiFi auditing tools like TCP dump and Nmap came mostly out of necessity for Graham and Maynor: “One of our customers that was out of state wanted us to do a wireless audit for them as part of a pen test, but we would have been sniffing packets and then twiddling our thumbs” for the basic audit, Graham says, plus the client had multiple out-of-state sites. “This was a simple solution that didn’t [require] us going onsite.”

So the researchers enable the tools on the iPhone and add a separate battery pack and ship it out via overnight delivery. Once there, the iPhone collects security data on the WiFi network, such as whether encryption is deployed and if so, what type, as well as detecting rogue access points or laptops vulnerable to WiFi-borne hacks. There’s an SSH connection to the iPhone so they can run the tests via a command line, Graham says.

Graham says the data and packets it captures are then run through the firm’s Ferret WiFi hacking tool. “We have a Ferret build for the iPhone, but it’s not working yet,” Graham says. They’re also looking at running the powerful Metasploit hacking tool on the iPhone as well, he says.

WiFi fuzzing is another option for this, Graham says, and the researchers may try it with the Nokia N810 smart phone.

Graham and Maynor have also added a few twists to gauging a firm’s vulnerability to a targeted, or spear phishing attack. They set up a phony 401K management firm site for a client that looks a lot like a legitimate company. The researchers then gather user email addresses from their client, and send out a bogus message purportedly from the human resources department saying that the company is changing 401K providers.

“It says the user needs to log on and opt in,” Graham says. “So we can get usernames and passwords.” But unlike most phishing attacks that attack the desktop directly, this one goes after the browser using an ActiveX tool that it gets “signed,” so it appears legitimate and will run on the victim’s machine. They also managed to establish legitimacy for the site and were able to purchase an SSL certificate from VeriSign, he says. “So the user will download and run the ActiveX code and now we own their computer,” he says. “They get a nice, trusted SSL connection.”

“Most [phishing] hackers aren’t doing this because they have low margins... they would not pay $1,000,” he says. “But for us, we create one Website with $1,000 and do all of the phishing attacks” for our clients’ penetration tests, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Errata Security Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 9/25/2020
    9 Tips to Prepare for the Future of Cloud & Network Security
    Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
    Attacker Dwell Time: Ransomware's Most Important Metric
    Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-20902
    PUBLISHED: 2020-10-01
    Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
    CVE-2019-20903
    PUBLISHED: 2020-10-01
    The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
    CVE-2020-25288
    PUBLISHED: 2020-09-30
    An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
    CVE-2020-25781
    PUBLISHED: 2020-09-30
    An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
    CVE-2020-25830
    PUBLISHED: 2020-09-30
    An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.