Oct 10 2012
 

I don’t feel that this issue gets enough coverage, so I am adding my voice to the mix in the hopes that someday the makers of our popular mobile operating systems will FIX THE ISSUE!  What I’m going to discuss is a wireless association vulnerability that was first discovered by Max Moser (site here and his full disclosure) way back in 2004 for Windows XP.  Using airbase-ng (part of the Aircrack-ng suite of tools), this same attack works against the latest versions of iOS 5 and iOS 6 (iPhone and iPad), Blackberry OS, and Android.  Apple’s iOS, from AT&T Wireless, even comes with a helpful default profile so you can attack a device right out of the box (see Tweet by HD Moore).  The only mobile OS that does not have this issue is Windows 8 on the new Nokia phones.  I don’t know a soul that has one of these phones, so I hung out in an AT&T Wireless store to conduct my testing.  Those Microsoft devices will not associate with any airbase-ng APs that mimic APs from the device’s probe packets.  Some individuals have tried to tell the world about this issue.  A great YouTube video was created by Jeffery Wilkins demonstrating this issue.  Vincent Costagliola at patctech.com wrote this article mentioning the same issue.

My testing has shown that an iPhone will connect to airbase-ng even if it is already connected to a WPA encrypted access point, just as described by Max Moser in 2004.

 Posted by at 6:32 pm
Aug 23 2011
 

Atlanta Chapter of ISACA GEEK WEEK 2011

The 4th annual Atlanta Chapter of ISACA GEEK WEEK conference was held the week of August 22nd – 26th.  GEEK WEEK is a track-oriented, full week Conference focusing on providing training, networking, and roundtable sessions on IT governance, audit & security.

I conducted the presentation Wireless Auditing on a Budget:  Using Low Cost Hardware and Open Source Software.  You can find the presentation slides here.  For links and information on the other presentations you can go here.

 Posted by at 7:42 pm
Jan 25 2011
 

Earning CPE credits in a down economy for your Information Security certifications.

As we enter 2011, the financial talking heads say that our economy is recovering.  While this can be debated as vigorously as Vi vs. Emacs, you sit in your office with the knowledge that your company’s training budget is still next to nothing.  Trips to information security conferences in Las Vegas, Miami, and Orlando are all out of the question.  With all of the information security certifications that you have obtained to keep competitive in this tough economy, you are required to earn Continuing Professional Education (CPE) credits.  Below I will list some simple steps you can take to still keep current on the latest security trends while earning those valuable CPE credits to maintain your certification(s).

Apr 17 2010
 

NA CACS conference hosted by ISACA (18-22 April 2010)

Remote Security Testing for Web Applications
Presented by David Rhoades
Maven Security Consulting

Attending this conference workshop session introduced me to Maven Security’s Web Security Dojo.  This is a virtual image, Ubuntu-based, that includes several free and open source tools used for web application auditing.  The image also includes web application environments that are vulnerable to many common vulnerabilities to allow you to test and learn how to use the tools.  This pre-configured environment is perfect for educational purposes.  They also include a BASH script that will set up your own Ubuntu environment.

Oct 21 2009
 

Take this hypothetical scenario (Okay, it really wasn’t hypothetical at the time).  You recommend to your client that a minimum password length of 8 characters should be enforced, but they want a minimum of 6 characters and will instead enforce password complexity (alphanumeric and special characters).

As auditors we like to have facts to back up our recommendations.  What better fact than simple math?

Password strength, measured as the number of guesses an attacker needs to brute-force the password, is the number of characters available to choose from raised to the power of the length of the password.

Dec 02 2008
 

Core Technologies hosted a series of three webcasts called Penetration Testing Ninjitsu by Ed Skoudis (http://www.coresecurity.com/content/webcast-series-with-sans).  I highly recommend listening to these webcasts and downloading the slides for your reference.  I’m including the commands extracted from the slides that can be very useful for a penetration test.