Friday, July 30, 2010

Untangle OpenSource Server

Untangle is a great open source solution for building your own LAN or wireless router.
Untangle has great features, it is really easy to use and comes almost pre-configured, captive portal included.
The Untangle Server gives you a simple way to protect, control, and monitor your computer network. It delivers the technology you need to protect against threats such as viruses, spyware, and attacks. It protects productivity by controlling illegitimate web surfing, and gives an in-depth view of network activity. All this in a single usable interface. Reports provide clear, concise reports about network traffic and policy violations. With this information you can spot problems related to viruses or spyware and also monitor illegitimate user behavior, such as web surfing or instant messaging. The Untangle Server runs on a PC located between your Internet connection (cable/DSL modem, etc.) and your computer network switch. It can either replace or complement an existing router or firewall.


And yes, it has an awesome "Application Store" with a lot of free, open source and commercial applications! I definitely suggest you try it. I was on Smoothwall and IPCop, but this distribution is really, really awesome.

Wednesday, July 28, 2010

Passwords in the wild

Hey folks,
today I wanna point out this interesting post on the gap between theory and implementation regarding password practices.



This is a secure password glued to the wall, suggesting its use for security purposes. Well, originally it might have been secure enough, but after being glued to the wall... :)

Going back to the article:


The motivation for our report was a lack of technical research into real password deployments. Passwords have been studied as an authentication mechanism quite intensively for the last 30 years, but we believe ours was the first large study into how Internet sites actually implement them. We studied 150 sites, including the most visited overall sites plus a random sample of mid-level sites. We signed up for free accounts with each site, and using a mixture of scripting and patience, captured all visible aspects of password deployment, from enrolment and login to reset and attacks.

Have a nice read!

Saturday, July 24, 2010

Moving Time

Really nice and intense days in the Netherlands.



Awareness of security problems in the iGOV research field is probably pretty low, but it is such a young discipline that it still has many other issues; for example, the definition of iGOV itself does not seem really clear.

In the picture is the formal model of the ontology problem which, from my particular point of view, seems to be one of the most important problems to solve. We ran experiments and found out that for each term "x" there was a pretty big gap between definitions. The need for a common ontology and a common dictionary seems to be an important priority.

I wanna thank all the participants in the iGOV Research Institute, and especially a big hug to the DELTA team ;D!

WPA2 vulnerability found


That's gonna be huge guys.
Malicious insiders can exploit the vulnerability, named "Hole 196" by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried. Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network and compromise other authorized devices using open source software, according to AirTight.

The Advanced Encryption Standard (AES) derivative on which WPA2 is based has not been cracked and no brute force is required to exploit the vulnerability, Ahmad says. Rather, a stipulation in the standard that allows all clients to receive broadcast traffic from an access point (AP) using a common shared key creates the vulnerability when an authorized user uses the common key in reverse and sends spoofed packets encrypted using the shared group key.





How it works:

WPA2 uses two types of keys:
1) Pairwise Transient Key (PTK), which is unique to each client, for protecting unicast traffic; and
2) Group Temporal Key (GTK) to protect broadcast data sent to multiple clients in a network.
PTKs can detect address spoofing and data forgery. "GTKs do not have this property," according to page 196 of the IEEE 802.11 standard. Because a client has the GTK protocol for receiving broadcast traffic, the user of that client device could exploit GTK to create its own broadcast packet. From there, clients will respond to the sending MAC address with their own private key information.
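As an added illustration (not from the article or from AirTight), here is a toy Python model of the two key types: a station verifies group-addressed frames with the shared GTK and unicast frames with its own PTK, so a group frame forged by any other GTK holder passes the integrity check while a forged unicast frame does not. The MAC addresses, the HMAC-based MIC and the per-client group key used in the last case are my assumptions for the model, not the standard's actual mechanics.

```python
import hmac
import hashlib
import os

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mic(key, dst, src, payload):
    """Toy message integrity code over addresses and body (HMAC stands in for the
    real CCMP MIC; the property demonstrated does not depend on the primitive)."""
    return hmac.new(key, f"{dst}|{src}|".encode() + payload, hashlib.sha256).digest()[:8]


def make_frame(dst, src, payload, key):
    """A frame as a (dst, src, payload, mic) tuple protected under `key`."""
    return (dst, src, payload, mic(key, dst, src, payload))


def station_accepts(my_mac, my_ptk, my_gtk, frame):
    """Receiver-side check: group frames are verified with the shared GTK,
    unicast frames with this station's own PTK (the split the article describes)."""
    dst, src, payload, tag = frame
    if dst == BROADCAST:
        key = my_gtk
    elif dst == my_mac:
        key = my_ptk
    else:
        return False  # not addressed to this station
    return hmac.compare_digest(tag, mic(key, dst, src, payload))


def hole196_demo():
    """Returns (legit_broadcast, forged_broadcast, forged_unicast, forged_with_private_gtk)."""
    ap, alice, bob = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    gtk = os.urandom(16)        # one group key handed to every associated client
    ptk_alice = os.urandom(16)  # pairwise keys: each known only to the AP and one client
    ptk_bob = os.urandom(16)
    # Genuine group frame from the AP: accepted.
    legit = station_accepts(alice, ptk_alice, gtk, make_frame(BROADCAST, ap, b"group data", gtk))
    # Insider Bob uses the GTK "in reverse": a group frame claiming the AP as source.
    # Alice's check passes, because the GTK cannot tell the AP from any other holder.
    forged_bcast = station_accepts(alice, ptk_alice, gtk, make_frame(BROADCAST, ap, b"forged", gtk))
    # The same on a unicast frame fails: Bob does not hold Alice's PTK.
    forged_ucast = station_accepts(alice, ptk_alice, gtk, make_frame(alice, ap, b"forged", ptk_bob))
    # Mitigation sketch (assumption, beyond the 2007 standard): a group key unique to
    # Alice means Bob's copy of the shared GTK no longer verifies at Alice.
    forged_private = station_accepts(alice, ptk_alice, os.urandom(16), make_frame(BROADCAST, ap, b"x", gtk))
    return legit, forged_bcast, forged_ucast, forged_private


if __name__ == "__main__":
    print(hole196_demo())  # (True, True, False, False)
```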

Friday, July 23, 2010

GSM Cracking Tool. Yes it's open source

Hey folks,
this morning I am pleased to introduce the following open source project on A5/1.

This project aims at publicizing cryptographic weaknesses found in today's cellular networks. We are not advocating exploiting these weaknesses but rather want to inform about the fact that GSM calls are already being intercepted and decrypted using commercial tools.

Some words from Frank A. Stevenson about his project:

I am pleased to announce the first release of an A5/1 cracker capable of using the full Berlin set of rainbow tables for lookups. I have named this beast Kraken, after a Norse mythological creature capable of eating many things for breakfast. Kraken feeds on an exclusive diet of A5/1 encrypted data. Currently only bare-bones functionality is present, but the UI will be improved, with the specific goal of providing an easy-to-use tool for cracking GSM intercepts. But setting up this Leviathan can be a bit cumbersome, so I will give a short howto here:
Prerequisites:

* Linux machine, multicore, min. 3GB RAM

* 1.7 - 2TB of HD partitions without filesystem (e.g. Samsung Spinpoint F3s, with 4k-aligned start of partition)

* The Berlin A5/1 Rainbow table set

* GPU support will be added for ATI Radeon HD


Setup:

Find out how many tables you want on each partition (usually roughly
equal on each) and make the initial configuration file. An example
configuration folder can be found in tinkering/A5Util/indexes. This
folder should contain a tables.conf file. The example file shows a
setup of 4 disks having 10 tables each. The index files for the various
tables will be added to the index folder as they are written to disk.
The first section of the config file needs to be set up with the list of
available partitions, and the number of tables that each partition
should hold. A single table needs 42GB of space. (Do NOT change the
order of this section)

For safety reasons it is best not to build the tables running as root.
You will then have to make your table partitions user accessible.
Add a file such as 10-disk.rules in /etc/udev/rules.d with one line for
each partition:

KERNEL=="sda1", OWNER="frank"

Then manually change the ownership of the device nodes with chown. Take
care when doing this, as you do not want to nuke any of your system
partitions.


Add tables to your disk array:

First build and make a symlink from your index folder to the
TableConvert tool. It is assumed that the Berlin tables are available in
either SSD or index free delta format. The python script Behemoth.py
will recursively search for tables, and add them to the disk array and
configuration file as needed. (Duplicates will not be added) - These
operations will take some hours to complete, but when done you should
end up with a tables.conf file listing ~40 tables, their advance
parameter (id), which device they reside on, and a block offset into the
device.


Build and fire up Kraken:

./kraken path_to_index_folder

Currently it will only load up all tables, and crack TDMA burst 998 for
the challenge data. This takes 1.5 minutes on a 4 core Phenom II using
only CPU power, and the output should look like:

Cracking
00110111001100000000100000110001100010011011011001101101001111000
1101010100100101111111010111100000110101001101011

Found de6bb5e60617f95c @ 12

Found 6fb7905579e28bfc @ 23


A more interactive UI with appropriate data formats (representations)
will be added for easy interfacing with airprobe. Optional GPU support
will also be added for faster cracking time.

Tuesday, July 20, 2010

Research.

Hi folks, today I wanna share with you a deep and touching thought I heard from Marc Hebert (an anthropologist from Florida) about research.

Today he said something like:

" .... if we ask people what they want, they would say: We want another horse... Research gave to them a car...."

That thought made me think about what is going on in research nowadays. Governments cut and cut funding for research, (I hope) without knowing that research will give us the "next car"... I think it is pretty sad.






So thank you Marc, and thank you to all of us who, even if badly paid, are still doing research.

Friday, July 16, 2010

Moving time again. Destination Delft, Netherlands

Alright, here I am again! Today is going to be another packing day, where I select the important stuff to take with me. Destination Delft, Netherlands; task "security expert"; organization iGov (University of Albany, USA), aka "how to bring people closer to politics through eGovernment".

What do I expect from this experience? Well, for sure to learn something more about eGovernment. As you probably know (if you read my blog) I've been working on electronic voting systems @ NIST (USA) and @ UC Davis (USA), so I know the meaning of security in these embedded systems, but I would like to see how non-technical people see the problem from a political point of view. During the next 10 days I'll meet sociologists, politicians, economists and so forth. The group is not really a technical one; I hope to be good enough for these "high level" topics. We will see.

Thursday, July 15, 2010

Quantum Noise Breaks Random Number Generator Record

This article is really interesting.

From the article:
The quantum noise in a laser beam has been used to generate random numbers at the rate of 300 Mbits per second, breaking a record that stood for just a few days. Random numbers are useful beasts, in particular for cryptographers who use them to generate their codes. But how best to make random numbers at useful speeds? The question is intimately linked to the nature of randomness. One way is to rely on a computer to do the task using an algorithm that generates numbers that look and feel random. For example, the digits of pi appear random but can be generated by a simple algorithm. [...]

SANS Investigative Forensic Toolkit

A new version of SIFT Workstation is out; here are the new features:
  • VMware Appliance
  • Ready to tackle forensics
  • Cross compatibility between Linux and Windows
  • Forensic tools preconfigured
  • A portable lab workstation you can now use for your investigations
  • Option to install stand-alone via (.iso) or use via VMware Player/Workstation

Friday, July 9, 2010

Detecting Mobile Browsers

Hi folks,
this morning I went through this interesting project called Open Source Mobile Phone Detection. This web site not only recognizes whether a mobile phone is browsing it, but also provides a great set of open source scripts to detect them.


Basically it provides a great regular expression covering all (well, I am not sure about "all") the mobile user agents. The following code is the PHP version.


As you can see, the code is simple and clear. The core of the script is the following pair of regular expressions (the first tested against the whole user agent, the second against its first four characters):

<?php
// Open Source Mobile Phone Detection, PHP version. The two expressions are rejoined
// from the wrapped lines and the escapes the extraction mangled (\-, \/, spaces) restored.
function is_mobile_user_agent($useragent)
{
    // First expression: matched against the full user-agent string.
    $full = '/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino/i';
    // Second expression: matched only against the first four characters of the user agent,
    // as in the original script (substr($useragent, 0, 4)), since its tokens are 4-char prefixes.
    $prefix = '/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|e\-|e\/|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(di|rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[02]|n20[23]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[03]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|xda(\-|2|g)|yas\-|your|zeto|zte\-/i';
    return preg_match($full, $useragent) || preg_match($prefix, substr($useragent, 0, 4));
}

// The user agent is supplied by the client, so treat the result as a presentation hint,
// never as a security decision.
$useragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if (is_mobile_user_agent($useragent)) {
    // Mobile browser detected: serve (or redirect to) the mobile version of the site.
}
?>




I believe it is a great open source project, especially for webmasters who need to know exactly who is browsing their web sites.

Wednesday, July 7, 2010

Windows WIN32 System Call Table

Today I found this URL pointing to a very interesting table. It shows the system call numbers for Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008 Server and Windows 7.


Obviously these codes are really interesting for shellcodes and memory hookers. ;)
Enjoy the table.


Monday, July 5, 2010

INUNDATOR.

Hey folks,
today I wanna point out this interesting tool called inundator.

inundator is a multi-threaded, queue-driven, IDS evasion tool. Its purpose is to anonymously flood intrusion detection systems (specifically Snort) with traffic designed to trigger false positives via a SOCKS proxy in order to obfuscate a real attack. Inundator would be used whenever you feel there is a significant chance the attack you're about to perform may be detected by the target's intrusion detection system. You would launch inundator prior to starting the attack, and continue running it well after you have finished the attack. The hope is that if your attack is detected by the IDS, the alert will be buried among several thousand false positives, thus minimizing the chance of an IDS analyst detecting the real attack.

Basically if you wanna hide your payload you know how to do it!
Enjoy your new safe "hider" software.
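From the analyst's side, the counter to an alert flood like the one inundator produces is to separate the noise from everything else before triage. As an added example (not part of inundator or the post), this Python snippet parses Snort "fast"-format alert lines, flags sources that raise more alerts per minute than a threshold, flags minutes whose total alert count spikes regardless of source (relevant when the flood arrives through proxies), and returns the alerts from everyone else for a closer look. The sample lines, rule IDs, thresholds and addresses are constructed for this example.

```python
import re
from collections import Counter

# Snort fast-format alert lines, constructed for this example (addresses, SIDs and
# timestamps are made up; 10.0.0.5 plays the flooder, 10.0.0.9 the quiet source).
SAMPLE_ALERTS = [
    "07/05-10:14:58.102311  [**] [1:9000000:1] CONSTRUCTED SSH scan [**] [Priority: 2] {TCP} 10.0.0.9:51200 -> 192.168.1.10:22",
    "07/05-10:15:01.000120  [**] [1:9000001:1] CONSTRUCTED decoy rule A [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.1.10:80",
    "07/05-10:15:01.250444  [**] [1:9000002:1] CONSTRUCTED decoy rule B [**] [Priority: 2] {TCP} 10.0.0.5:40002 -> 192.168.1.10:80",
    "07/05-10:15:02.003911  [**] [1:9000003:1] CONSTRUCTED decoy rule C [**] [Priority: 3] {UDP} 10.0.0.5:40003 -> 192.168.1.10:53",
    "07/05-10:15:02.511000  [**] [1:9000001:1] CONSTRUCTED decoy rule A [**] [Priority: 2] {TCP} 10.0.0.5:40004 -> 192.168.1.10:80",
    "07/05-10:15:03.100005  [**] [1:9000004:1] CONSTRUCTED decoy rule D [**] [Priority: 1] {TCP} 10.0.0.5:40005 -> 192.168.1.10:443",
    "07/05-10:15:03.700800  [**] [1:9000002:1] CONSTRUCTED decoy rule B [**] [Priority: 2] {TCP} 10.0.0.5:40006 -> 192.168.1.10:80",
    "07/05-10:15:31.420000  [**] [1:9000100:1] CONSTRUCTED WEB-MISC suspicious URI [**] [Priority: 1] {TCP} 10.0.0.9:51344 -> 192.168.1.10:80",
]

# Fields of one fast-format line: timestamp (kept to the minute), SID, message,
# protocol, source and destination addresses (ports optional).
ALERT_RE = re.compile(
    r"^(?P<minute>\d\d/\d\d-\d\d:\d\d):\d\d\.\d+\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if it does not parse."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def flood_sources(alerts, per_minute=5):
    """Sources raising at least `per_minute` alerts within one clock minute (constructed threshold)."""
    counts = Counter((a["minute"], a["src"]) for a in alerts)
    return {src for (_minute, src), n in counts.items() if n >= per_minute}


def burst_minutes(alerts, per_minute=5):
    """Minutes whose total alert count spikes, whatever the sources (proxied floods)."""
    counts = Counter(a["minute"] for a in alerts)
    return {minute for minute, n in counts.items() if n >= per_minute}


def triage(lines, per_minute=5):
    """Split parsed alerts into (noisy sources, alerts from everyone else, in order)."""
    alerts = [a for a in map(parse_alert, lines) if a]
    noisy = flood_sources(alerts, per_minute)
    return noisy, [a for a in alerts if a["src"] not in noisy]


if __name__ == "__main__":
    noisy, rest = triage(SAMPLE_ALERTS)
    print("flooding sources:", noisy, "| spiking minutes:", burst_minutes([a for a in map(parse_alert, SAMPLE_ALERTS) if a]))
    for a in rest:
        print(a["minute"], a["src"], "->", a["dst"], a["msg"])
```

Suppressing the noisy source is only the first pass: the real alert here (the second one from 10.0.0.9) sits inside the spiking minute, which is exactly where the flood wants you not to look.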

Thursday, July 1, 2010

After a while, back to the old boot

It has been a while... really a long one. I've been traveling a lot and I worked all over the US for some of the most prestigious US agencies. But now it's time for vacation, time to relax and be back with family and friends, at least for a bit.

Here is the place where I belong


The old and fascinating, the controversial, the spartan and the proud: Italy.