InfoSec Daily Podcast
2010.07.07

ISDPodcast Episode 167 for July 7, 2010. In this episode we talk with Iftach Ian Amit about his research into a scammer who is preying on security newbies. This podcast was hosted by Rick Hayes and the intern, Karthik Rangarajan.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • Atlanta, GA – July 12th-16th
    • Dallas, TX – October 11th-15th
    • Washington, DC – December 6th-10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com, or go to http://www.myharddrivedied.com. Use the discount code isdpodcast for a $300 discount.

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, starting Tuesday, October 12, 2010 and running through Tuesday, December 14, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the discount code isdpod15 for a 15% discount.

Atlanta ISSA:

  • Kentuckiana ISSA Meeting: July 9th from 11:30 AM to 1:00 PM at Sullivan University (http://www.issa-kentuckiana.org/index.php?option=com_content&view=article&id=13&Itemid=13)
  • Ohio Information Security Forum: July 10th, 2010 from 8:30 AM to 5:30 PM at SCC Research Park, Auditorium (http://www.ohioinfosec.org/anniversary.htm)
  • The Louisville Metro InfoSec Conference: Thursday, October 7th, 2010 at Churchill Downs (http://www.louisvilleinfosec.com). Registrations made between now and July 16th, 2010 receive a 50% DISCOUNT on the $99 ticket price! After July 16th the ticket price will go back to normal.

Friends of the Podcast:

Webhosting services: WebSpeedway

Corrections:

Stories of Interest:
News item 1: Transcript of Iftach Ian Amit's conversation with Mohd Fadzil Mahfodh (fadzilmahfodh). Mohd Fadzil Mahfodh runs the WiFi Security blogspot (http://fadzilmahfodh.blogspot.com). According to his website, you can decode WPA without using a dictionary in four easy steps:

Step 1. Setup your rogue AP
——————————————————
Set up a rogue (aka phishing, clone, honey-pot, evil-twin) access point duplicating the exact ESSID, channel and login web interface of the real AP.

Download WPA without dic
WPA_without_dic will automatically setup and transform your ordinary wifi adapter into an ACCESS-POINT, resolved DNS, DHCP, POP3, FTP, HTTP, CONTROLLER-SERVLET and FAKE LOGIN WEBPAGE. Everything will be done for you. You can run WPA_without_dic in both bt3 and bt4.

HOW TO RUN WPA_without_dic
a. Download bg1.sh, bg2.sh, karma.sh and rogue.tar.gz and copy them to 'Home'
b. Open konsole and type 'chmod +x /root/karma.sh' then '/root/karma.sh'
c. The activation code will be emailed after the user gives an undertaking (indemnity) not to use karma for illegal purposes. This is a requirement to protect us under the user TOS (Terms of Service).

Do as follows:-

I: Download WPA_without_dic (bg1.sh, bg2.sh, karma.sh, rogue.tar.gz)
II: Request an activation code. Our dedicated server will auto-respond to your request.
III: Email the undertaking (indemnity text) for the activation code. Our dedicated server will auto-respond. (Indemnity text: "Yes, I want activation code and will never use for illegal purpose")

Step 2. Do Denial-of-Service on real AP
——————————————————
Do a mass deauthentication DoS (Denial-of-Service) on the real AP using the 'aireplay-ng 0 0 bssid interface' command. This will disconnect the real AP from all its existing users. You can 'block' the real AP for as long as you like.

Step 3. Setup rogue login web page
——————————————————
Upon which a rogue login web page will be presented to the user, requesting either a network key, password or username input.

Step 4. Intercept WPA network key
——————————————————
Once the user physically keys in the WPA key, user name or password into the rogue login page, WHAM!, the rogue AP will immediately capture and record the data in clear text, as the rogue AP uses no bandwidth encryption scheme.

—– Our chat on Wed, 7/7/10 2:53 PM —–
Iftach(2:34 PM): hey man
Iftach(2:34 PM): mind if I ask a couple of questions?
fadzilmahfodh(2:34 PM): okay
Iftach(2:35 PM): cool. I'm doing this research on security tools and their authors…
fadzilmahfodh(2:35 PM): okay
Iftach(2:35 PM): saw your tool and wanted to hear about how you got to write it, how well it is distributed in the community etc…
Iftach(2:36 PM): is that activation thing a common practice with free tools?
fadzilmahfodh(2:36 PM): yes, see, we need to maintain our website, thus we need supporters
fadzilmahfodh(2:37 PM): every day there are at least 500++ people asking for the code
Iftach(2:37 PM): I see.
fadzilmahfodh(2:37 PM): i am no longer able to provide it for free
fadzilmahfodh(2:37 PM): too time consuming and i need to be compensated for my time and effort
Iftach(2:38 PM): that's a lot of people! do you by any chance do any demographics on them? I'm trying to do a piece on the "hacker profile"…
fadzilmahfodh(2:38 PM): hope you understand
fadzilmahfodh(2:38 PM): 50% traffic from usa
fadzilmahfodh(2:38 PM): about 30% from european countries
fadzilmahfodh(2:38 PM): others 20%
Iftach(2:38 PM): interesting
fadzilmahfodh(2:38 PM): generally speaking
Iftach(2:39 PM): any strange requests that you got from ppl?
fadzilmahfodh(2:39 PM): yes.
fadzilmahfodh(2:39 PM): they usually ask for credit card, paypal account and ssl hack
Iftach(2:39 PM): hmmm, typical cracker stuff…
Iftach(2:39 PM): interesting
fadzilmahfodh(2:40 PM): You are from Indiana, aren't you?
Iftach(2:40 PM): now, about the tool – that's a linux binary obviously (thought it was a shell script at the beginning). Did you base it on something existing or write it yourself?
Iftach(2:40 PM): yes
fadzilmahfodh(2:41 PM): i wrote it by myself then scrambled the code
fadzilmahfodh(2:41 PM): Fort Wayne far from your place?
Iftach(2:41 PM): hence the activation, i see…
fadzilmahfodh(2:42 PM): i can afford to give 'free lunch' to everybody. Hope you understand
Iftach(2:42 PM): pretty far from Richmond…
Iftach(2:43 PM): sure, i understand.
Iftach(2:43 PM): and you? from the US?
fadzilmahfodh(2:43 PM): Well, my tracking needs fine tuning..
Iftach(2:43 PM):
fadzilmahfodh(2:43 PM): So you are interested in the software?
Iftach(2:44 PM): more from a research point of view – for an article I'm writing
Iftach(2:44 PM): so, the installer you use, I see that it contains some additional code that is being compiled on the client.
fadzilmahfodh(2:45 PM): Yes. The purpose is that the code will be unique to the user's hardware
Iftach(2:45 PM): and I saw that there were some FTP connections made? Is that to verify that the client is a registered one?
fadzilmahfodh(2:46 PM): Well, that is another story…
Iftach(2:46 PM): I'm listening
fadzilmahfodh(2:46 PM): maybe some other time huh
Iftach(2:47 PM): OK. Last question – do you get a lot of account passwords through that keylogger that sends the data to your FTP?
fadzilmahfodh(2:47 PM): sorry, no comment unless i am in court
Iftach(2:48 PM): aha, and it's part of the installer because? just to make sure people can send the activation email correctly?
Iftach(2:48 PM): Back to statistics, out of the average 500 ppl asking for activation – how many passwords do you manage to grab?
fadzilmahfodh(2:49 PM): well, the ftp is to confirm that the software matches with the data in the server
fadzilmahfodh(2:49 PM): if it does not match, it will fail to run
fadzilmahfodh(2:49 PM): or i can just change the data/activation code in the server
fadzilmahfodh(2:49 PM): then everything will not run
Iftach(2:49 PM): and how does that relate to the keylogging?
fadzilmahfodh(2:50 PM): well, that is another story…
Iftach(2:51 PM): I mean – the keylogger data is sent to that FTP. Is that part of the verification or is this a separate process?
Iftach(2:51 PM): So, on average, how many accounts do you manage to get on that FTP server per day?
fadzilmahfodh(2:51 PM): well, you do not even support my website and how the hell am i going to tell you
Iftach(2:52 PM): Let's just get it straight – I'm not going to "support" the site… I'm just doing some research on security tools.
fadzilmahfodh(2:52 PM): bye
Iftach(2:53 PM): You are free to tell, or not if you don't want to. But I'm publishing the story as it is…
Iftach(2:53 PM): With your acknowledgment that you use a keylogger to steal your site visitors' passwords. Unless you want to be quoted otherwise in the story…