Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

8/7/2008 09:30 AM

'Bringing Sexy Back' to Hacking

DefCon session will feature iPhones running WiFi scans and sophisticated spear-phishing tricks

LAS VEGAS -- DefCon 16 -- This time, the iPhone is doing the hacking: a pair of researchers will reveal here tomorrow at DefCon 16 how they ship iPhones running security tools to their client sites to remotely conduct some elements of a penetration test.

It’s just one fun hacking method that Errata Security’s Robert Graham and David Maynor will demonstrate in their “Bringing Sexy Back: Breaking in With Style” session here. The researchers have also created a novel spear-phishing method that they use for their clients.

“We’re just saying you have to be a little creative with the tools you have and you can do some fun stuff,” says Graham, CEO of Errata Security.

The idea for shipping an iPhone equipped with WiFi auditing tools like tcpdump and Nmap came mostly out of necessity for Graham and Maynor: “One of our customers that was out of state wanted us to do a wireless audit for them as part of a pen test, but we would have been sniffing packets and then twiddling our thumbs” for the basic audit, Graham says, plus the client had multiple out-of-state sites. “This was a simple solution that didn’t [require] us going onsite.”

So the researchers enable the tools on the iPhone, add a separate battery pack, and ship it out via overnight delivery. Once there, the iPhone collects security data on the WiFi network, such as whether encryption is deployed and, if so, what type, and it detects rogue access points or laptops vulnerable to WiFi-borne hacks. An SSH connection to the iPhone lets the researchers run the tests from a command line, Graham says.

Graham says the data and packets it captures are then run through the firm’s Ferret WiFi hacking tool. “We have a Ferret build for the iPhone, but it’s not working yet,” Graham says. They’re also looking at running the powerful Metasploit hacking tool on the iPhone as well, he says.
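The wireless audit described above boils down to two checks on what the phone observes: what encryption each access point advertises, and whether each access point belongs to the client at all. The following is an added example, not code from the article or from Errata Security, that performs that triage over constructed scan records. The comma-separated record format, the authorized-BSSID inventory, the corporate SSID list and the severity ranking are all assumptions made for illustration; the encryption labels (OPEN, WEP, WPA-TKIP, WPA2-CCMP) are the ones a 2008-era audit would have distinguished.

```python
"""Wireless-audit triage: rank access points by encryption weakness and flag
APs that are not in the client's inventory (rogue APs), with an unknown AP
that broadcasts a corporate SSID treated as the higher-priority case.

Added example; not from the article or from Errata Security. All sample data,
field names and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed risk level per advertised encryption type (ordering is an assumption).
ENCRYPTION_RISK = {
    "OPEN": "critical",
    "WEP": "high",
    "WPA-TKIP": "medium",
    "WPA2-CCMP": "low",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}

# Constructed scan output: one 'ssid,bssid,channel,encryption' record per line.
SAMPLE_SCAN = """\
# ssid,bssid,channel,encryption  (constructed sample data)
CorpNet,00:11:22:33:44:01,6,WPA2-CCMP
CorpNet,00:11:22:33:44:02,11,WPA2-CCMP
CorpNet,de:ad:be:ef:00:01,6,OPEN
Guest,00:11:22:33:44:03,1,WEP
linksys,aa:bb:cc:dd:ee:ff,6,OPEN
""".splitlines()

# Constructed client inventory (assumption): BSSIDs the client says it owns,
# and the SSIDs it considers corporate.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
CORPORATE_SSIDS = {"CorpNet"}


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    encryption: str  # a key of ENCRYPTION_RISK, or anything else -> "unknown"


def parse_scan(lines):
    """Parse the constructed record format, skipping comments and malformed rows."""
    aps = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # malformed record; a real audit would log and keep going
        ssid, bssid, channel, enc = fields
        aps.append(AccessPoint(ssid, bssid.lower(), int(channel), enc.upper()))
    return aps


def audit(aps, authorized_bssids, corporate_ssids):
    """Return (bssid, finding, severity, detail) tuples, most severe first.

    Two independent checks per AP: weak or missing encryption, and membership
    in the authorized inventory. An unknown BSSID that advertises a corporate
    SSID is reported as 'ssid-impersonation' rather than a plain 'rogue-ap'.
    """
    authorized = {b.lower() for b in authorized_bssids}
    findings = []
    for ap in aps:
        risk = ENCRYPTION_RISK.get(ap.encryption, "unknown")
        if risk in ("critical", "high", "medium"):
            findings.append((ap.bssid, "weak-encryption", risk, ap.encryption))
        if ap.bssid not in authorized:
            if ap.ssid in corporate_ssids:
                findings.append((ap.bssid, "ssid-impersonation", "high", ap.ssid))
            else:
                findings.append((ap.bssid, "rogue-ap", "medium", ap.ssid))
    # sorted() is stable, so ties keep scan order.
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[2]])


def run_sample():
    """Run the audit over the constructed data and return the findings."""
    return audit(parse_scan(SAMPLE_SCAN), AUTHORIZED_BSSIDS, CORPORATE_SSIDS)


if __name__ == "__main__":
    for bssid, finding, severity, detail in run_sample():
        print(f"{severity:8} {finding:18} {bssid}  {detail}")
```

In the constructed data the open AP that reuses the CorpNet name produces two findings (no encryption, and an unknown BSSID impersonating a corporate SSID), which is exactly the combination an on-site auditor would want to see at the top of the report; the authorized WPA2 access points produce none.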

WiFi fuzzing is another option for this, Graham says, and the researchers may try it with the Nokia N810 smart phone.

Graham and Maynor have also added a few twists to gauging a firm’s vulnerability to a targeted, or spear-phishing, attack. They set up a phony 401K management firm site for a client that looks a lot like a legitimate company’s. The researchers then gather user email addresses from their client and send out a bogus message, purportedly from the human resources department, saying that the company is changing 401K providers.

“It says the user needs to log on and opt in,” Graham says. “So we can get usernames and passwords.” But unlike most phishing attacks, which go after the desktop directly, this one targets the browser with an ActiveX control that the researchers get “signed,” so it appears legitimate and will run on the victim’s machine. They also established enough legitimacy for the site to purchase an SSL certificate from VeriSign, he says. “So the user will download and run the ActiveX code and now we own their computer,” he says. “They get a nice, trusted SSL connection.”

“Most [phishing] hackers aren’t doing this because they have low margins... they would not pay $1,000,” he says. “But for us, we create one Website with $1,000 and do all of the phishing attacks” for our clients’ penetration tests, he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
