28 September 2010

Exciting Times!

Wow! I just had a look at this blog and realized that the last time I wrote anything was back in May this year. Things have been rather manic and interesting these last few months; I have been blogging, just not here. All the blogging that I've done lately has been for SecuriTeam. If you've never read any of the articles on the SecuriTeam site, now is a good time to start.

From my side, I probably won't be updating this blog as often as I'd like to going forward, as I have some really interesting news. I've now finished with the company that I was working for; 6 years is a long time to be working for someone, and now it's time for something new.

The "something new" is what I'm really excited about: I've decided to try my hand at a start-up again. Anyone who knows me will know that some of my best working times have been at start-ups, so I'm going to be doing that all over again. Only this time, with a bit of a difference: you see, the start-up in question this time is mine.

If you haven't seen it yet, check out IT Security Geeks. This is my new pet project and we have some really exciting things coming to the site, so be sure to check the site regularly for updates. I'll also be spending a fair amount of time updating the IT Security Geeks blog with any relevant news, and all going well there should be a fair bit of interesting news.

The thought process behind starting IT Security Geeks went something along the lines of the following:

Why is it that a lot of IT Security consultancies (including the Big 4) never do things right?

Why is it that consultants never listen and deliver exactly what is required of them?

Why the hell are they so damn expensive, for not much work?

Why is it that every security consultancy wants to come in and change the way that we do business? We understand that they know security, but they don't understand our business model.

We wondered if we could change all those things, and deliver a truly client focused security experience, and that's how IT Security Geeks was born.

So keep an eye on the web site and keep checking the blog for updates.

As always all comments are welcome.

21 May 2010

Good Books on Wireless Security

Following on from my previous post, I'd just like to recommend a few decent books for anyone interested in wireless security.

So here you go. I can personally vouch that they are all a worthwhile read, and if you're going to buy any, please click through. TIA.

Backtrack WiFu and the OSWP certification

So, I've been playing with wireless networks for a few years now, as have most people. However, I think that our definitions of playing may vary somewhat: my idea of playing is setting up a wireless network and breaking into it. Yeah, I'm a geek, but hey, I can't help it if I get excited about high powered wireless cards or directional antennas.

So it should come as no surprise to those who know me that something like Offensive Security's Backtrack WiFu course would grab my attention, and that it did. Granted, it may have taken me a while to get around to actually doing the OSWP challenge; what can I say, life gets in the way sometimes.

I'm kind of at a loss for words on where to start on this one, to be honest. Yes, I know that I wrote an article on this one for SecuriTeam blogs, but this one is a bit more personal. For starters, I would say that this should be a pre-requisite course for anyone learning wireless network penetration testing, and for anyone involved in networking and planning on deploying a wireless network in the near future. If I had my way, I'd even pay for my friends to do this course and take the challenge; it really is that good! I know a lot of people that work in the IT industry, and going round their houses and seeing that they're running a wireless network named "Netgear" and encrypted with WEP drives me nuts!

The course is amazing value at $350 (which in the UK currently equates to £243), and for a training course of this stature it is well worth the money. To be honest, it's worth a lot more. Damn, all TJ Maxx networking and security staff should be forced to pass the challenge for this one!

So what's the course cover then?

It starts off with the terms and concepts of wireless networking, which is not the easiest to get through, but this is the stuff that you need to know if you want to be any good at wireless security and at deploying wireless networks. Trust me, getting through this section of the material may be tough, but it's a hell of a lot easier than reading RFCs. To anyone taking the course: make sure that you understand the concepts thoroughly before you move on.

You then dive into what I like to refer to as the "fun stuff", the Aircrack-ng suite of tools, and how you can use these to crack WEP and WPA, replay packets onto the network, deauthenticate clients, and so on. Other extremely useful tools are also covered in the course, so bear in mind that this is a wireless security course and not just an Aircrack-ng course.

I had read through the help files and man pages for the Aircrack-ng suite, and I was able to use them to get the job done before I took this course; now I feel that I have truly mastered them.

The courseware is presented in an easy to understand format: you get a PDF and video training, and they complement each other perfectly. There is always someone available for help should you need it in the #offsec channel on the Freenode servers, so you have all the support you could ask for, even that of past and present students.

The challenge itself is way too much fun; even though you feel the exam type of pressure, you still end up loving it. Challenge is the correct word for it though, and I would recommend that you purchase the recommended hardware and practice until you can do all that you've learned in your sleep.

If you want to learn about securing and cracking wireless networks, this is THE course!

I'm looking forward to taking the next step in Offensive Security training, which is the CTP course. If the last two have been anything to go by, it's going to be damn tough, and I'm going to love every minute of it!

To the guys at Offensive Security, thank you, and to Muts, thank you (you know what for).

Later world, time for sleep.

23 February 2010

Details of Web App Vulnerabilities Removed

Hey all,

Just to let you know I've removed all the details of the vulnerabilities identified on the following sites:

www.bt.com
www.nhs.uk
www.sony.com
www.three.co.uk
www.linksys.com

05 February 2010

The Web Application Hacker's Handbook: A book that every penetration tester should have on their desk!

I've been meaning to write a review on this book for a while now, and I just never seem to be able to get around to it for some reason.

To be honest, if you're into web application hacking, then I'm pretty sure that you've probably already purchased this tome of knowledge. If you haven't, what are you waiting for?

This covers a lot of the intricacies of web application penetration testing, and really has proved to be an invaluable resource to me. Let's put it this way, I actually have 2 copies, one for the office and another for home.

This is also an amazing read for any web application developer, as it shows you the kind of things to look out for and how to mitigate against them; thus you help us to help you!

In the interest of full disclosure

Over the next couple of days I will be publicly releasing the information and screenshots of some XSS vulnerable sites that I identified and notified at the beginning of January. Some of these have now been fixed, and others have ignored my e-mails and LinkedIn contact attempts. So I will be naming, shaming and sharing all the gory details in the next few days! --Full disclosure is responsible disclosure

06 January 2010

Just realized that if I am going to get anywhere, I need a new website

So watch this space, as over the next few weeks, I'm going to be completely redesigning xyberpix.com.

Once the site is redone, I will update here, so please feel free to post comments.

Full Disclosure Policy 2.0

Okay so for the last couple of days, I’ve spent what feels like a lifetime trying to track down the relevant people to report some various web application security vulnerabilities, and it’s been a living hell!

I’m posting this so that hopefully someone from a vendor will read it and realise the way that things are supposed to work. This work was originally posted here.

—————————————————————————————————-

////// Full Disclosure Policy (RFPolicy) v2.0 //////
This policy is available at http://www.wiretrip.net/rfp/policy.html

\\ Executive overview for vendors and software maintainers \\

This policy states the ‘guidelines’ that an individual intends to follow. You basically have 5 days (read below for the definitions and semantics of what is considered a ‘day’) to return contact to the individual, and must keep in contact with them *at least* every 5 days. Failure to do so will discourage them from working with you and encourage them to publicly disclose the security problem.

This policy is not set in stone—in fact, it is encouraged that all parties regularly communicate with each other during the process, adjusting as situations arise.

\\ Table of contents \\

Purpose of this policy
Policy definitions
Policy
Detailed/commented explanation of policy
Difference between version 1 and version 2 of RFPolicy
RFPolicy FAQ
Using this policy
Credits

\\ Purpose of this policy \\

This policy exists to establish a guideline for interaction between a researcher and software maintainer. It serves to quash assumptions and clearly define intentions, so that both parties may immediately and effectively gauge the problem, produce a solution, and disclose the vulnerability.

First and foremost, a wake-up call to the software maintainer: the researcher has chosen to NOT immediately disclose the problem, but rather make an effort to work with you. This is a choice they did not have to make, and a choice that hopefully you will respect and accept accordingly.

The goal of following this policy, above all else, is education:

Education of the vendor to the problem (ISSUE, as defined below).
Education of the researcher on how the vendor intends to fix the problem, and what caveats might cause a solution to be delayed.
Education of the community of the problem, and hopefully a resolution.

With education, through continued communication between the researcher and software maintainer, it allows both parties to see where the other one is coming from. Coupled with compensation*, the experience is then beneficial to the researcher, vendor, and community. Win/win/win for everybody. :)

(*Compensation is meant to include credit for discovery of the ISSUE, and perhaps in some cases, encouragement from the vendor to continue research, which might include product updates, premier technical subscriptions, etc. Monetary compensation, or any situation that could be misconstrued as extortion, is highly discouraged.)

\\ Policy definitions \\

The ISSUE is the vulnerability, problem, or otherwise reason for contact and communication.
The ORIGINATOR is the individual or group submitting the ISSUE.
The MAINTAINER is the individual, group, or vendor that maintains the software, hardware, or resources that are related to the ISSUE.
The DATE OF CONTACT is the point in time when the ORIGINATOR contacts the MAINTAINER.
All dates, times, and time zones are relative to the ORIGINATOR.
A work day is generally defined in respect to the ORIGINATOR.

\\ Policy \\

16 December 2009

New Adobe 0-Day Added To Metasploit

via HDM's Twitter feed:

Adobe PDF 0.9-day added to Metasploit: [msf> use exploit/windows/fileformat/adobe_media_newplayer.rb] (via jduck/pusscat/myself) SVN r7881