Sunday, February 27, 2011

Final Thoughts on Ethical Hacking Class

I cannot believe this class has come and gone already, wow. I think the biggest takeaway for me is how much there is to learn to be successful in this field. Also, to qualify my four topics just a little, I will say that I get the feeling there are people who have a genuine innate ability to do this and summon the wisdom to act in a legal, ethical way. The two are not mutually exclusive. There is a risk of going over to the dark side if you are not grounded in a strong moral fabric.
Now, having said all of that, I will lead off with the first of my four elements. The broad availability of hacking tools on the internet, merely a few clicks away, is stunning. Like guns, these tools can inflict real harm if placed in the wrong hands. Yet they are out there just like any other piece of software. Unlike these tools, though, you cannot fire a gun halfway around the world in a few seconds. The interconnectedness which makes the Network of Networks possible also forms a pipeline for the bullet flying around the world. Personally I do not own a gun, but the analogy seemed to fit.
Secondly, the PC as a canvas upon which you can construct any workable configuration is truly amazing. I love the computer for its non-judgmental qualities. I say that as a person who struggled with the Linux OS, and through all of my confusion and trials the PC never passed judgment. I can imagine a young person who might be socially awkward would benefit from that type of interface to lay out their passions. They would seek affirmation from some (thing or one), and a PC either works or it does not. If it does work, that might be the encouragement a young person needs if they are not getting it from a parent.
Thirdly, the rules by which a computer operates are not simple, but they are fair. If you learn the rules of a PC you can begin to ascribe more value to some and not others. A protocol is a standard which a majority of some group of people had a hand in crafting. People are not perfect, and their standards were defined in my TECH 140 book as the least level of acceptance a PC could operate in. I say that implying that if a person has other, better ideas, the PC, which is not judgmental, will work with those parameters also. This is where the wiggle room for bugs and flaws and security holes is created: how can I adjust this just enough to get by but not get caught? Spoofing, as a more general principle.
Finally, the cat in the equation of a cat and mouse game. We are cats learning to hunt. That is why we are here now. I think we need to be able to think in a way that is similar to the hacker, but not in an illegal way. We must never lose sight of the line. When we use Nessus or Wireshark we had better have permission and cover our legal flanks. Our desire to find the hacker will undoubtedly take us to some bad places in our non-judgmental environment too. I would caution all of my classmates to always act as though your screen is being streamed live on your local news feed. Remember whose side you are on.
As far as how my perceptions might have been altered, I will say that I need to realize that the bad guys have the same tools as I do and are fighting by little if any code of ethics. I will keep that in mind and hope that I can employ some psychological tricks of my own to help level the playing field. The honeypot is a great example of how greed and success starvation will lead an attacker right into a psychological trap. If they are willing to go there, then they deserve to get caught.
I wish all of my classmates the best of luck and want to thank our instructor for her guidance and patience through this phase of our learning process.

Thursday, February 24, 2011

NAT and PAT Basics

Well, I am sorry you did not have the "a-ha" moment. I did already get my Net+ cert, so I guess I did have some additional info to draw from. It was a dry technical video. There were some key words in it that were network specific.
I will attempt to restate the thrust of the video in my own way. This should help you get the video.
As you know, a PC needs a NIC to get online. It contains sensitive, unique identifying information. With this info an attacker can have a clear line of sight into your machine. So the point of NAT and PAT is to take that unique MAC address info and reclassify it into a scheme of corresponding substitute numbers. Not unique ones, like 192.168.1.104 or 105 or 106 and so on.
Now, visualize exiting a toll road where there are several lanes you might choose from. The lanes will be marked 104 or 105 or 106, and you must use your specific lane. Once you have gotten through the lane, all of the traffic will be assigned another IP address. It will also get converged into one ramp to get on to the road that the exit was made for. This address (ramp) is unique to this Internet-facing router, but not to 104, 105 or 106; they will all share this one number (or ramp). 104 goes to Google, 105 goes to Facebook and 106 goes to Angel at Bryant Stratton (is a good student). These will be two-way conversations. Google will reply to the unique IP that goes to the Internet-facing router (ramp), and the router will put the traffic back into the lane marked 104 or 105 or 106, since that is where it came from. Same for Facebook: it will put traffic on the router IP, and when it gets to the router it will be put into the 105 lane. Same for BS traffic, which will go on the 106 lane.
The only difference is how the lane will be marked. If it is 192.168.1.104, 105, 106, that is NAT using private network numbers. The router also has 65000+ ports to work with. So the sign in the lane would be PORT 22450 or PORT 43586 or whatever. They would be unique to the NIC on the client workstation. It is a three-part process either way: real MAC to 192 or 22450, to the unique router IP which the ISP would assign, to the site of choice, and back to the router through the toll road lane marked 104, 105, 106 or port 22450 or 42586, and then back to you. Your real 48-bit MAC address would never have been sent out of your network. It would have been translated. I hope this helps.
Rich
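To make the toll-road picture concrete, here is an added example (my own, not from the post or the video it describes) of a tiny port address translation table. It models what the router's table actually keeps, a mapping from a private (IP, port) pair to a port on the single public address, and shows two inside hosts that happen to use the same source port still getting distinct "lanes". The public address 203.0.113.7, the private addresses and the port pool are constructed sample values. As a side effect of this design, a packet arriving from the Internet that matches no existing translation has nowhere to go and is dropped, which is the small piece of protection a NAT/PAT router gives inside hosts.

```python
# Added example: a minimal PAT (port address translation) table in Python.
# Assumptions: the public address, private addresses and port range below
# are constructed sample values, not from the post.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"   # constructed address of the Internet-facing router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatRouter:
    public_ip: str = PUBLIC_IP
    first_port: int = 20000
    last_port: int = 65535
    # (private_ip, private_port) -> public port, and the reverse map
    outbound_map: dict = field(default_factory=dict)
    inbound_map: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def _alloc_port(self) -> int:
        # Hand out the lowest free port in the pool; fail when the pool is exhausted.
        for port in range(self.first_port, self.last_port + 1):
            if port not in self.inbound_map:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        # Inside -> Internet: rewrite the source to (public IP, allocated port).
        # Keyed on the private (IP, port) only, a simplification of real PAT,
        # which also keys on the destination.
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound_map:
            port = self._alloc_port()
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return Packet(self.public_ip, self.outbound_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        # Internet -> inside: only a reply to an existing translation gets through.
        # Anything unsolicited (no table entry, or wrong public IP) is dropped.
        key = self.inbound_map.get(pkt.dst_port)
        if key is None or pkt.dst_ip != self.public_ip:
            self.dropped.append(pkt)
            return None
        priv_ip, priv_port = key
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Two inside hosts with the same source port talk to one web server."""
    router = PatRouter()
    web = "198.51.100.10"   # constructed address of a site on the Internet
    a = router.outbound(Packet("192.168.1.104", 51000, web, 80))
    b = router.outbound(Packet("192.168.1.105", 51000, web, 80))
    reply_a = router.inbound(Packet(web, 80, PUBLIC_IP, a.src_port))
    stray = router.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 22))
    return a, b, reply_a, stray, len(router.dropped)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run it and the first two lines show both hosts leaving as 203.0.113.7 but on ports 20000 and 20001; the reply to port 20000 is mapped back to 192.168.1.104:51000, and the stray packet aimed at port 22 is dropped. Nothing in the table refers to a MAC address: the layer 2 address only ever exists on the local segment, which is why the outside never sees it.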

More Social Engineering Rationalizations

I believe in a working environment there will be a certain level of civil behavior that permeates the culture. Most people I know want to be seen as being helpful and not making waves. I am sure that today's economic climate has people even more scared to stick out and be seen as a troublemaker.
I also think that most people want to believe that the others they work with/for are inherently good people. It might call into question their own judgment if they were to find out that they were working with a devious person and they didn't pick up on the clues. They might begin to doubt their own intuition about others. This is chiefly the aim of a social engineer: to capitalize on these innate human truths. Well, we need to get over it and realize that there are protocols that trump our own need to be liked, and that will preserve our job more than just being liked. If the company has a major breach and contracts in size and scale, we might be out of a job anyway.
Rich

Social Engineering Watch Your Back!

It was at the urging of one of the instructors at B & S College that I signed up for a free account with Tech Republic. If you have not, I advise checking them out; you will not be sorry. I found a white paper entitled "The ABC's of Social Engineering & Five Ways to Protect Your Organization." The paper was written by Kevin Prince, Chief Technology Officer at Perimeter eSecurity.
The first paragraph starts off by saying social engineering has been used for centuries. I agree. He later includes as part of the definition of S.E. that it is like hacking people, and I agree there too. He went on to mention Hollywood movies like Sneakers, the Ocean's 11/12/13 trilogy, and Catch Me If You Can. Catch Me was one of my favorites. He said that this true story left out a technique employed by Frank Abagnale, the leading character. He said that Mr. Abagnale would put an out-of-order sign on a night deposit box, dress up as a security guard and have the people just hand him their money. Simple and smart.
The other item that caught my attention was the vulnerability of interactive voice response systems at large companies. He said that with a little luck the phone phisher could just call in and try extensions till they found a voice mail box, then try very weak passwords. He said that the passwords on voice mail systems are known for being short and predictable, like 1-2-3-4. Once he had a voice mail box he would call IT after hours, let them know he was locked out of the system, and leave a new password on their voice mail. Simple and effective. He also said that people could record a bank's voice response unit, then parse it up and e-mail people to call a false toll-free number to verify info about their account. Then harvest the inputs and, bam, the attacker is off to the races.
I would strongly recommend this short 7-page paper. Check it out, along with all of the resources at Tech Republic, and let me know what you think. I cannot believe it's midterm week already. Good luck everyone.

Biggest WiFi Heist Ever TJ Maxx 2007

I have some additional details that were published in Seven Deadliest Wireless Technologies Attacks. According to this publication, one in my personal library, this attack was led by Albert Gonzalez, who was a member of Shadow Crew, a group of hackers who were responsible for stealing 100 million credit card numbers and routing the theft through Latvia. As part of the plea agreement he took on August 28, 2009, he helped the US Secret Service take down 19 other Shadow Crew members. While Mr. Gonzalez was in the custody of the Secret Service he spearheaded the TJX heist. It was done using wardriving techniques while members of his group traversed US 1 along Florida's Atlantic coast. I read that the Wi-Fi they tapped into was associated with locations in Miami, Florida. The networks were set up to link wireless bar-code-reading scanner guns to the stores' servers. The guns' firmware would not support the far superior WPA encryption, and the company was slow to upgrade. Visa was aware of this security risk but gave them a pass and just said that they needed to take action in the future. Corporate e-mail showed that upgrades were delayed as a cost-saving measure. Visa, a member of the PCI, the group charged with overseeing security associated with credit card transactions, dropped the ball big time.
In retrospect, the cost of upgrading the guns is tiny compared to the estimated 1 billion this will cost TJX over 5 years. Wireless is one of the greatest accomplishments of human achievement, but without proper care it could be a disaster.
Haines, B. (2010). Seven Deadliest Wireless Technologies Attacks. Amsterdam: Syngress.
www.justice.gov/usao/ma/Press%20Office%20-%20%Press%20Release%20Files/IDTheft/Gonzalez,%20Albert%20-%Indictment%20080508.pdf

Wi-Fi attacks Can You Say McHacker?? Check this out.

I have a copy of the book linked below. It is well written and, if possible, should be purchased. Starting on page 28 of this book there are some basic descriptions of the dangers associated with network hotspots. These so-called hotspots are rich targets for an attacker with some basic tools and hacking savvy.
I will first point out that the SSID of a Wi-Fi connection in no way provides any authentication, and anyone can make up a network name of "McDonalds Free" and sit in a McDonald's broadcasting this SSID. The other main consideration is that my laptop, and most others I am assuming, is capable of serving as a WAP. Now that we have established those two points we can go into the scary stuff.
In the interest of time I will fast forward to 2004, when Dino Dai Zovi and Shane Macaulay wrote and distributed a program called Karma. Karma's main advantage was that it could take on multiple probes (requests to join a network) at one time; this was the fast-forwarded part. In doing so it could dynamically hear the request from a potential victim and just parrot back, using a MadWiFi driver (a Linux program), whatever the network SSID was and say, "Sure, I am so-and-so network, you are in." Karma also has a suite of tools used to emulate common services. "If the connected client had an e-mail client running, it would probably try and connect when the network connection was established. Karma would see the pop3 request and record the login username and password. Without a second card providing a back haul to the Internet, the request would not go through but now the attacker has your password and server address. Same goes for DNS requests being redirected, Web page requests, and other common services." This was a classic man-in-the-middle attack. The attacker could see and record everything from multiple users. Ouch!!
The other thing was that upon network connection establishment an RSS feed would try to authenticate, along with browsers and other services configured. This is an awesome book, and this is a small sample of chapter 2. The next part shows a further evolution of Karma being mounted on a Metasploit framework which could offer DHCP services and capture even more traffic from the victim's client.
This is all in a McDonald's, mind you. I thought the food was dangerous. Give me a Big Mac any day over this type of headache. I have been lucky in my use of hot spots, but I will be sure to make my choices very carefully in the future. I have just opened this book and have not had a lot of time to read it given the 2 online classes I am taking now. I will power through it in March. Stay safe out there friends.
Haines, B. (2010). Seven Deadliest Wireless Technologies Attacks. Amsterdam: Syngress.
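The behavior the post describes, one radio answering "sure, I am so-and-so network" to every probe it hears, is also what gives it away to a defender watching the airwaves. As an added example (mine, not from the book or from the Karma authors), here is a small Python pass over management-frame records, of the kind a monitor-mode capture would produce, that flags two things: a BSSID that sends probe responses for many different SSIDs, and a known SSID being advertised by a BSSID that is not on the shop's list of legitimate access points. The frame records, the MAC addresses and the allow-list are constructed sample data; a real deployment would feed it from a wireless IDS or a capture file instead.

```python
# Added example: spotting a promiscuous "answer every probe" access point and an
# SSID impersonator from passively observed 802.11 management frames.
# Assumptions: the frames, BSSIDs and allow-list below are constructed sample data.
from collections import defaultdict

# Constructed sample capture: one legitimate AP (00:11:22:33:44:01) and one radio
# (de:ad:be:ef:00:01) that answers every probe request with whatever was asked for.
SAMPLE_FRAMES = [
    {"type": "beacon",     "bssid": "00:11:22:33:44:01", "ssid": "McDonalds Free"},
    {"type": "probe_resp", "bssid": "00:11:22:33:44:01", "ssid": "McDonalds Free"},
    {"type": "probe_req",  "bssid": "ff:ff:ff:ff:ff:ff", "ssid": "HomeNet"},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "HomeNet"},
    {"type": "probe_req",  "bssid": "ff:ff:ff:ff:ff:ff", "ssid": "CorpWiFi"},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi"},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "McDonalds Free"},
    {"type": "beacon",     "bssid": "de:ad:be:ef:00:01", "ssid": "McDonalds Free"},
]

# Constructed allow-list: which BSSIDs are allowed to advertise which SSID.
KNOWN_APS = {"McDonalds Free": {"00:11:22:33:44:01"}}


def find_promiscuous_responders(frames, threshold=3):
    """BSSIDs that answered probes for at least `threshold` distinct SSIDs.

    A normal AP responds only for the SSID(s) it is configured with; a radio
    that echoes back every name it hears is the signature the post describes.
    """
    ssids_by_bssid = defaultdict(set)
    for f in frames:
        if f["type"] == "probe_resp":
            ssids_by_bssid[f["bssid"]].add(f["ssid"])
    return {b: s for b, s in ssids_by_bssid.items() if len(s) >= threshold}


def find_evil_twins(frames, known_aps):
    """Known SSIDs advertised (beacon or probe response) by an unlisted BSSID."""
    twins = defaultdict(set)
    for f in frames:
        if f["type"] not in ("beacon", "probe_resp"):
            continue
        allowed = known_aps.get(f["ssid"])
        if allowed is not None and f["bssid"] not in allowed:
            twins[f["ssid"]].add(f["bssid"])
    return dict(twins)


if __name__ == "__main__":
    print("promiscuous responders:", find_promiscuous_responders(SAMPLE_FRAMES))
    print("SSID impersonators:", find_evil_twins(SAMPLE_FRAMES, KNOWN_APS))
```

On the sample data the second radio is reported on both counts: it answered probes for three different names, and it is beaconing "McDonalds Free" without being one of the listed access points. On the client side, the matching mitigation for the scenario in the post is to not keep open (unencrypted) networks in the laptop's saved list at all, since those are exactly the names the client will probe for and accept an answer to.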