Episode179

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 179 - For Friday December 11th, 2009

ITS LARRYS BIRTHDAY!! 35 years!!!

  • Sign up to get a free Website HealthCheck report from Cenzic to see how you can protect your Website from hacker attacks. As part of the Cenzic HealthCheck program, Cenzic will scan your Websites for “holes” that hackers can exploit and provide you with a detailed encrypted PDF report to you in 2-4 businness days. The report will contain:
  • An assessment summary of your Website’s “holes” (security flaws) and easy-to-read severity charts,
  • A prioritized listing of your most vulnerable Website locations (applications), and
  • A description of the security flaws and directions on ways to eliminate them.
For more information, please visit http://www.cenzic.com/2009HClaunch_PaulDotCom
  • Syngress Publishing - Quench your thirst for knowledge at syngress.com and use the referral link or the discount code "PaulDotCom" at checkout to save 20% on all security book titles!
  • Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
  • QuahogCon Call for Papers - QuahogCon is a Southern New England conference for the hacker culture in all forms, and is looking for presentations!

Episode Media

mp3 pt 1

mp3 pt 2

Tech Segment: Even more wireless hackery: Pager traffic! Co-starring Ben Jackson

Ben Jackson describes himself as "just another geek from the Boston area". He spends his days doing risk assessments, handling incidents, and generally breaking things for a large public sector organization. In his spare time he messes around with computers, VoIP, analog telephones, amateur radio, and generally anything with a button on it. He co-wrote "Asterisk Hacking" (Syngress publishing), holds SANS GCIA and GCIH certifications, and has spoken at DEFCON, HOPE, SOURCE Boston, and various other conferences.

Even more wireless hackery: Pager traffic!

Yes, yes, I like to do information gathering. I also like wireless goodies. So, why not put the two of them together? We've talked about information gathering from 900 Mhz voice conversations, but what other wireless technology can we intercept that would be valuable? Pagers!

For this tech segment I have a special guest, Ben Jackson:

  • Insert Ben's bio hère

The gear:

Now I suspect that Ben and I have different sets of gear. Me, not having a ham license, I get to use consumer grade gear. I have a nice little trunking scanner from Radio Shack, the Pro-97. This scanner is programmable - gone are the days of the crystal.

From Ben:

Consumer grade gear is the way to go as it's cheap and readily available, you don't need to get something new either, the scanner that I use for my discriminator port is about 15-20 years old. Since all it does is give me a feed from the discriminator, all you care about is the frequency range. Mine covers 29-54 108-174 406-512 806-956, which is where you will find most communications not related to the military. I purchased this scanner used from the MIT flea and originally had it to keep me company in my car when I was dating my wife. When I was starting to look at decoding trunked systems, I found out it was dead easy to modify.

There are some scanners out there that have discriminator output built in. However, these are quite expensive and would only really appeal to the hard core scanning enthusiast.

Finding frequencies:

For me this started fairly easy. I asked someone in my area with one of the large paging providers to show me their pager. I was going to look it up via FCC ID, but the frequency was listed right on the device! Woo hoo! Of course one could begin scanning common pager ranges as well, and looking for unusual sounds (think something like a modem). One could also look for pager frequencies in your area with something like citi-data.com. Now that you have some frequencies, get 'em programmed!

On another note, one could utilizes there frequencies across a wider area than just your local reception of signal. How about tuning in via someone else's radio via the interwebs! Try here: *

From Ben:

The FCC device listing is helpful to get you bands, but most pagers are "frequency agile" meaning a provider can program them to whatever their assigned frequency is. However, there is another option provided by the FCC which is the FCC ULS License Search from here you can check out any kind of license handled by the FCC (including my own!), you can search by geographic region, licensee name, frequency found, etc. You can limit your searches to all the paging services, or a specific paging type (VHF, UHF, etc)

If you want to know what a POCSAG tone burst sounds like you can check out the [Wikipedia page on POCSAG http://en.wikipedia.org/wiki/POCSAG] which has a audio file available for your listening enjoyment.

Tuning in:

In order for us to begin using them thar tones, we need to analyze the audio. Fortunately there is a bunch of free software on the internet that can take that audio, listen, and decode it. I tested several, and there was one that Kicked butt; PDW. I tried Multimon for linux but it blew chunks. The only thing it was good for was visualizing the wave form and the tone generators. PDW for Windows on the other hand works great.

So, take the audio that you hear, and pipe it to your microphone in on your sound card. fire up PDW, and let it go. One thing to note, turn off any automatic squelch, as the time that it takes for the tuner to determine that there is a valid transmission can truncate the audio to be decoded by PDW.

Now, I wish it was that easy to get the audio from one device to the other. On my Pro97 scanner, I had to enable discriminator output; a google search, a trip to the electronics parts store with an investment of about $3, and 10 minutes of warranty voiding with my soldering iron found me with discriminator output.

The fine art of the Discriminator:

Ben: If you are doing any kind of monitoring of digital signals from your computer, be it trunking systems, Marine AIS, POCSAG, or FLEX you need something called a discriminator output. A discriminator output allows you to listen to "unfiltered" audio from your receiver. Every kind of scanner does some kind of audio processing, filtering and amplifying, before hand to make the signal sound more intelligible to humans, however, this makes the digital signal distorted. A discriminator is the 'heart' of an FM receiver. By taking the signal direct off the discriminator, before the scanner can mess around with it, you get a perfect digital signal. When I was installing my tap with a friend, we compared a digital signal taken from the headphone jack and the discriminator output: The audio signal looked like a regular audio waveform, wavy lines, etc, similar to if someone was speaking. When we hooked the discriminator output, it was a flat digital signal, like something straight out of a textbook.

Now, its important to note that you don't NEED a discriminator output to decode a digital signal, if all you have is a headphone jack, that will work nicely. HOWEVER, you will have a greatly increased chance of decoding the signal successfully if you do.

The Legalities:

Ben:

There is nothing illegal about decoding POCSAG, FLEX, or any other digital signal, provided you have proper legal authority to do so. Now, in a penetration test example, if you have this covered by your RoE, you're set right?

  • BZZT*

Allow me to talk to you about something called the Electronic Communications Privacy Act of 1986, aka the ECPA. This wonderful piece of legislation is mostly known for making any US marketed scanner not able to pick up cellular telephones without some serious modifications. However, it amended federal law to put some... interesting... amendments to laws in place.

Everyone open up your copy of the United States Code to [Title 18, Chapter 119, Section 2511 http://www.law.cornell.edu/uscode/18/2511.html] and go down to (2)(g)(i). It reads that "It shall not be unlawful under this chapter or chapter 121 of this title for any person... to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." -- Seems fair right and we're in the clear right? They're transmitting an unencrypted signal over the public airwaves anyone that can connect a computer to a scanner can decode. Sounds readily accessible to me. Right?

  • BZZT*

This is an amazing law as it makes "readily accessible" mean "readily accessible except if you're we think you shouldn't be monitored" lets go to United States Code to [Title 18, Chapter 119, Section 2510 http://www.law.cornell.edu/uscode/18/2510.html] and go down to (16)(d). A single bullet point suddenly makes "readily accessible to the general public" anything not "transmitted over a communication system provided by a common carrier..." So, this means that if you are monitoring unencrypted, completely insecure over the air transmissions from a common carrier, you're going to prison. No minimum-security white-collar resort prison either. No, you're going to a federal pound-me-in-the-ass prison.

FAIL.

Because, you know, all those people who are going to try to get information to break into your company are going to be DAMN SURE to follow wiretapping laws right? Sure they are.

EPIC FAIL

Now, while the transmission and monitoring all the common carrier traffic is very cut and dry, this brings up interesting legal questions. What happens if you get the company you're pen testing for to give you written authorization to monitor their pages and you have their CAP codes? Are you allowed to monitor those CAP codes? What about your own CAP code? These are the questions that make lawyers drool and their eyes turn into dollar signs. I don't have the answers and some research indicates that these questions have never been asked or answered.


This goes beyond sniffing for information gathering, but even more evil that if the attacker really doesn't give a damn about laws (and really, if they're going to break into your systems, do they really care about any laws?), since this is an open protocol, transmitted in the clear, with no authentication he or she could easily set up shop nearby someone he notices using a pager in the target organization and start sending his own messages to the person. CAP code, a commercial radio, and a couple of commercially available devices that transmit POCSAG. Bam. You are the paging service. "This is your boss, the CIO needs this firewall open, do it now." Whoops.

So, this seems interesting and you want to mess around with it. What are fine upstanding citizens like the PaulDotCom Security Weekly audience to do? Well, as stated before, there is nothing nothing illegal about decoding POCSAG, FLEX, or any other unencrypted digital signal, provided you have proper legal authority to do so.

There are other POCSAG systems out there. These are either Part 15 (FCC talk for low power non-licensed transmitters) or something that you would require a business license for. These are mostly designed to be used as a local paging system. As far as I can tell, neither of these would follow the "common carrier" designation, and I have never found one of these in operation. I would expect that these might be legal to monitor, however, I am not a lawyer.

There is another alternative that is open to me and might be open to your listening audience. I am a federally licensed amateur radio operator or "ham". This gives me rights to a boat load of spectrum that I can use for experimentation and communication purposes. This allows me to say "screw you guys, I'm setting up my paging system. With blackjack! and hookers!" All that is required is a amateur radio transceiver and a POCSAG encoder. Tune the transceiver to a unoccupied frequency, tune the scanner, transmit and decode POCSAG until the cows come home! All 100% legal!

The protocols:

While we won't get into the details of the protocols themselves, we do need to distinguish that the technology has evolved over the years. Initially, POCSAG, which started as numeric paging. POCSAG did evolve to be able to handle short text messages, but it wasn't ideal. Enter FLEX, which is more tailored to text, and real time alerting. In my experience, I've seen the post on POCSAG and FLEX protocols.

Interestingly enough, paging via wireless is a shared medium. All pages on the same frequency. Every pager receives every message. So, how do they only display the ones for certain pager numbers? CAP codes! Think of it this way; a paging frequency is like a hub, and a cap code is like an MAC address.

Now, usually that CAP codes are usually programed at the factory, or at the provider. However there are a few models of pagers that the CAP codes can be programmed by the user, can store multiple CAP codes, and need no special hardware other than your finger to program. One possibility is the Apollo Pilot XP for POCSAG.

This section should be short especially when using PDW. In the PDW preferences, you can select just the protocols that you want, or the CAP codes that belong to you or your organization.

Ben: CAP codes are essentially the address of the pager. Every time a page goes out over a paging network, all the pagers in range hear it, and ignore it if it's not addressed to their CAP code. This is essentially best described as a gentleman's agreement and as long as you have a pager's CAP code you can pick up any message sent to it. CAP codes are not special and a pager can be given any CAP code. This means that if you go on eBay, spend around $200 on a pager programmer and some 2nd hand pagers that are tuned for the right frequency, you can setup your own pager cloning station.

There is a fair amount of work in reprogramming and retuning pagers in the amateur service as a lot of VHF pagers designed to be used in the frequency allocation immediately above one of the Ham bands. This means that by tweaking a crystal and reprogramming a pager, you can have your own pager service. With certain restrictions of course.

The Goods:

What does all this get us form an information gathering perspective anyways? Think about the thinks that get sent to pagers! I've^H^H^H^HBob has seen:

  • Medical information, patient names, medications and diagnoses
  • Server outages, with IP addresses
  • Motion sensing on security cameras, with URLs for management and physical addresses

We can even discuss some interesting things that we can discuss "legally". What about the disclosure at wikileaks on the 9/11 WTC attacks. While some may argue that it was in poor taste to release, I was able to learn several things from an information gathering perspective. Here's what I was able to notice:

  • Activation method for reserve troops
  • Server outages, with server names
  • network outages, which could reveal infrastructure
  • phone numbers for emergency conference bridge
  • rally points for infiltration

Ben: What can't you find? IP addresses! e-mail addresses! server names! medical data! Phone numbers! Names of mistresses! The wikileaks data is a great example of what goes over these networks, but just imagine who in your company uses a pager. The medical industry uses a boat load of these. When my wife was pregnant with my son, we used the on-call doctor a few times and I know her name, phone number, chart number, and symptoms flew over the air unencrypted. Can you imagine someone nefarious using this for social engineering purposes?

"Hi Mrs. Jackson: We just got your page at the office but we can't locate your billing information, can I have your SSN?"

I'm a paranoid guy, but at some points when we called the doctor, I might have fallen for it.

In one of my old jobs, we had pagers and we would get alerts from our monitoring software. In there we would have the server name, the IP, the server location, and the use of the server. This was on top of what was wrong with it. This probably wouldn't have affected us, but in a larger organization you might be able to bluff your way past some kind of on call helldesk monkey into doing something to a server with that kind of information. "Run this patch for me will ya? Just download it off this website."

Stories For Discussion

  1. Botnet on EC2 - [Larry] Sure, a bonnet running on Amazon's EC2, but it is a bit different than that. Someone apparently had a vulnerable server hosted there, and the server was compromised to have the Zeus C&C server installed there. Just goes to show, no matter where you have your server located, you need to secure and configure it appropriately.
  2. Learn how to redact - [Larry] - Whoops. Allegedly the biggest screw by the TSA since 9/11. Yes, they posted a "sensitive document" to the interwebs and the redacting was less than stellar. Nothing like publishing the pictures of IDs, and items that were considered for on a need to know basis. I think that maybe we need to publish guide on safe redacting…
  3. Palin hacker leveraging the spewer defence - [Larry] - Wow, so overtime I^H Bob does something ethically questionable on his computer, he can claim that spyware had control of his machine. I suppose that this could be used to raise the reasonable doubt issue.
  4. Go Moxie! - Here's an awesome project form an awesome dude. Want to crack WPA/WPA2 passwords? 40 minutes (or less) $17 and an appropriate packet capture will get you time on their processors and 135 million words. This far surpasses the CoWF precomputed dictionary.
  5. Breaking Bitlocker - [Larry] - yes, it was broken before, but now the inclusion of a TPM won;t save you either. While still more difficult, it still relies on concepts from the Evil Maid attack, or the Stoned Bootkit.
  6. Droid Rooted - [Darren] - The droid has been rooted with some SD card trickery. Now you can get the features that Verizon shouldn't have disabled in the first place.
  7. Credit Card Scraper - [strandjs] - So PCI required crypto. That is great... Now the attackers are just pulling credit card numbers from the POS memory. Is it possible for any level of Crypto to make you "secure?"
  8. Facebook security settings - [strandjs] - So you get excited.... Possibly Facebook is going to start putting some better security in... Nope... Not that at all. They want users to make everything public. Well at least they are acknowledging that securing social media sites is very hard.
  9. Ping of Death back again - [strandjs] - Old vulnerabilities keep getting resurrected. Honestly, if you dont need to allow fragmented packets into your network, just drop them.
  10. Data breach legislation -[strandjs] -Will more legislation help the state of computer security? If anything it may mean more funds for information security teams. But is it under the correct context? I am afraid that we may be looking at another PCI. How many regulations and laws do we need? Ultimately, I fear that we will spend more time and money on compliance then on actually securing our systems.
  11. Schneier Says You SHould Do Nothing To Defend Against Vulnerabilities - [PaulDotCom] - I think Bruce has lost touch with reality (either that or he has been watching Seifeld episodes). Sure, we should not panic or go into firefighting mode. But his recommendations are laughable, ANti-virus and automatic updates, really? Come on! I'd argue that a patch management program, which encompasses all of your softare, and hardening guidelines with cross checks, is far more valuable. Couple that with log management and an incident response program, and you have something that smells of a successful security program. When an flaw in SSL comes out, make sure you tune accordingly. You should be asking questions such as, "What can I harden to further protect myself?", "Are there IDS rules or vulnerability scanning tools that will detect the vulnerability and are they finding it in my environment?". You need to look at what is happening in the world and react to change, not do nothing. Hey, I got a new pitch for a security program, its about NOTHING! Absolutely NOTHING! It will work great! They will love it!
  12. "it is the devil inside that I do not trust - [pauldotcom] - Insider threat happens, and this article by none other than Eric Cole gives a scary example. You should perform background checks on your employees, yes. I'd also advise internal security controls, limiting access to information on the inside, and monitoring what is leaving your network. These are all important things to protect your companies "assets".
  13. Shine a light on forgetten risks - [pauldotcom] - This is one of the best posts to hit the Core security blog. It keeps it real! You need to have a comprehensive audit and dust out those corners of your network. There are some great real-world examples here, no fluff. I think it underscores the need for vulnerability scanning and penetration testing, you need both.
  14. A determined attacker will physically alter themselves - [pauldotcom] - A woman previously deported from Japan had surgery to swap the fingerprints on her left and right hands. This granted her access back into the country! It just goes to show, a determined attacker will always get in. Of course, just swapping the fingerprints is easy to detect in software.
  15. Paul's Monthly Patch Tuesday Hate - [PaulDotCOm] - In this post I challenge MS to define "specially crafted", "could allow remote exploitation", and how you don't need a vulnerable version of Word to exploit it. One of the things I did not mention in the article was how they say tha the impact is lessened if a user is logged on with a non-admin account. I say, user's have access to data and thats good enough, botnets can be built with non-admin, and there are many privelage esceation exploits out there for targeted attacks. So don't just sit right back and hear the tale of how you are protected because your users are non-admin.
  16. I made the D-List! - [PaulDotCom] - An interview with yours truly that some of our listeners may find interesting. I talk about my first job as a programmer, how I got started in info sec, and more!
  17. Invision Power Board SQL PHP File Inclusion and SQL Injection - [PaulDotCom] - I thought this was a neat trick: "The Local PHP File Inclusion vulnerability can be especially dangerous in a shared hosting environment. Even if server has been configured to prevent users from reading each other's document roots (web server/PHP process running in a context of the site's owner), an attacker that has an account on the same server as the targeted site could use the vulnerability to place a php file in a shared directory like /tmp and cause the IPB forum on the target to execute his code thus gaining access equivalent to the owner of the website."

Other Stories Of Interest