Category: Network Forensics

Nov 30 2012

HoneyDrive – Honeypots In A Box

HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages such as the Kippo SSH honeypot, the Dionaea malware honeypot, the Honeyd low-interaction honeypot and more. Additionally, it includes useful pre-configured scripts and utilities to analyze, visualize and process the data these honeypots capture, such as Kippo-Graph, Honeyd-Viz and much more. Lastly, many other helpful security, forensics and malware-related tools are also present in the distribution.

Features:

  • Virtual appliance based on Xubuntu 12.04 Desktop
  • Distributed as a single OVA file, ready to be imported
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin
  • Kippo SSH Honeypot, plus Kippo-Graph, Kippo2MySQL and other helpful scripts
  • Dionaea malware honeypot, plus phpLiteAdmin and other helpful scripts
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator, INetSim and SimH
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, ClamAV, ettercap, Automater, UPX, pdftk, Flasm, pdf-parser, Pyew, dex2jar and more
  • Firefox plugins pre-installed, plus extra helpful software such as GParted, Terminator, VYM, Xpdf and more

Download: Honeydrive_0.1_Santa_edition.ova

Installation: After downloading the file, you simply have to import the virtual appliance to your virtual machine manager/hypervisor (suggested software: Oracle VM VirtualBox).

More Info: HoneyDrive – BruteForce Lab’s Blog

Jan 26 2012

FBI will Monitor Social Media using Crawl Application

The Federal Bureau of Investigation is looking for a better way to spy on Facebook and Twitter users.

The Bureau is asking companies to build software that can effectively scan social media online for significant words, phrases and behavior so that agents can respond.

A paper posted on the FBI website asks for companies to build programs that will map sentiment and wrongdoing.

“The application must be infinitely flexible and have the ability to adapt quickly to changing threats to maintain the strategic and tactical advantage,” the Request for Information said. “The purpose of this effort is to meet the outlined objectives…for the enhancement [of] FBI SOIC’s overall situation awareness and improved strategic decision making.” The tool would be used in “reconnaissance and surveillance missions, National Special Security Events (NSS) planning, NSSE operations, SOIC operations, counter intelligence, terrorism, and more.”

Although the police, including in Britain, already use Facebook routinely to ascertain the whereabouts of criminals, automatically filtering out irrelevant information remains challenging. The new FBI application will be able to automatically highlight the most relevant information.

The FBI is seeking responses by 10 February.

Jul 15 2011

Vodafone Hacked – Root Password Published

The Hacker’s Choice announced a security problem with Vodafone’s Mobile Phone Network.

An attacker can listen to UK Vodafone mobile phone calls.

An attacker can exploit a vulnerability in 3G/UMTS/WCDMA – the latest and most secure mobile phone standard in use today.

The technical details are available at http://wiki.thc.org/vodafone.

The problem lies within Vodafone’s Sure Signal / Femto equipment.

A Femto Cell is a tiny little home router which boosts the 3G Phone signal. It’s available from the Vodafone Store to any customer for 160 GBP.

THC managed to reverse engineer the equipment, a process of revealing its secrets. THC is now able to turn this Femto Cell into a full blown 3G/UMTS/WCDMA interception device.

A Femto is linked to the Vodafone core network via your home Internet connection. The Femto uses this access to retrieve the secret key material of a Vodafone customer who wants to use the Femto.

THC found a way to circumvent this and to allow any subscriber – even those not registered with the Femto – to use the Femto. They turned it into an IMSI grabber. The attacker has to be within 50m range of the UK Vodafone customer to make the customer’s phone use the attacker’s femto.

The second vulnerability is that Vodafone grants the femto access to the Vodafone Core Network HLR/AuC, which stores the secret subscriber information. This means an attacker with administrator access to the Femto can request the secret key material of a UK Vodafone Mobile Phone User.

This is exactly what happened. The group gained administrator access to the Femto. An attacker can now retrieve the secret key material of other Vodafone customers.

This secret key material enables an attacker to listen to other people’s phone calls and to impersonate the victim’s phone, to make phone calls on the victim’s cost and access the victim’s voice mail.

This is clearly a design flaw by Vodafone. It is disgusting to see that a major player like Vodafone chooses ‘newsys’ as the administrator password, thus allowing anyone to retrieve secret data of other people.

Mar 23 2011

AT&T Facebook Traffic Takes a Loop Through China & South Korea

Traffic destined for Facebook from AT&T’s servers took a strange loop through China and South Korea on Tuesday, according to a security researcher.

As Barrett Lyon wrote on his blog, AT&T customers’ data would typically have been routed over the AT&T network directly to Facebook’s network provider, but due to a routing mistake their private data went first to Chinanet, then via Chinanet to SK Broadband in South Korea, and then to Facebook. This means that anything you looked at on Facebook without encryption was exposed to anyone operating Chinanet, which has a very suspect modus operandi.

Route to Facebook from AT&T on 22nd March 2011 :

route-server>show ip bgp 69.171.224.13 (Facebook’s www IP address)
BGP routing table entry for 69.171.224.0/20, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 4134 9318 32934 32934 32934

The AS path (routing path) translates to this:
1. AT&T (AS7018)
2. Chinanet (Data in China AS4134)
3. SK Broadband (Data in South Korea AS9318)
4. Facebook (Data back to US 32934)
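The AS-path check above, done programmatically: this is an added example, not code from Barrett Lyon’s post. It parses route-server output shaped like the excerpt, collapses AS_PATH prepending (the repeated 32934), and flags transit ASNs that are not in a set of expected networks; that expected set and the ASN name table are assumptions for the example.

```python
import re

# Constructed sample, modelled on the route-server excerpt quoted above.
SAMPLE_OUTPUT = """\
route-server>show ip bgp 69.171.224.13
BGP routing table entry for 69.171.224.0/20, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 4134 9318 32934 32934 32934
"""

# Assumed name table for the ASNs in the excerpt (example data, not a lookup service).
ASN_NAMES = {7018: "AT&T", 4134: "Chinanet", 9318: "SK Broadband", 32934: "Facebook"}


def parse_prefix(output: str) -> str:
    """Return the prefix named in the 'BGP routing table entry for ...' line."""
    m = re.search(r"BGP routing table entry for (\S+),", output)
    if not m:
        raise ValueError("no routing table entry line found")
    return m.group(1)


def parse_as_path(output: str) -> list[int]:
    """Return the first AS path line as a list of ASNs, with consecutive
    repeats (AS_PATH prepending by the origin) collapsed to one hop."""
    for line in output.splitlines():
        if re.fullmatch(r"\s*\d+(\s+\d+)*\s*", line):
            path: list[int] = []
            for asn in (int(tok) for tok in line.split()):
                if not path or path[-1] != asn:
                    path.append(asn)
            return path
    raise ValueError("no AS path line found")


def unexpected_transit(path: list[int], expected: set[int]) -> list[int]:
    """Transit ASNs (everything between our upstream and the origin AS)
    that are not in the set of networks we expect to carry this traffic."""
    return [asn for asn in path[1:-1] if asn not in expected]


def describe_path(path: list[int]) -> str:
    """Render the path as 'Name (ASn) -> ...' for a report."""
    return " -> ".join(f"{ASN_NAMES.get(a, 'unknown')} (AS{a})" for a in path)


if __name__ == "__main__":
    path = parse_as_path(SAMPLE_OUTPUT)
    print(parse_prefix(SAMPLE_OUTPUT), describe_path(path))
    # Assumed policy: only AT&T and Facebook should appear on this path.
    print("unexpected transit ASNs:", unexpected_transit(path, {7018, 32934}))
```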

What could have happened with your data? Most likely absolutely nothing. Yet China is well known for its harmful networking practices, limiting network functionality and spying on its users, and when your data is flowing over their network, your data could be treated as any Chinese citizen’s. Does that include capturing your session ID information, personal information, emails, photos, chat conversations, mappings to your friends and family, etc.? One could only speculate; however, it’s possible.

This happens all the time — the Internet is just not a trusted network.

One way to prevent this from happening to your account: Enable HTTPS.

In January, Facebook rolled out the HTTPS feature to all browsing done on the site, but it’s opt-in and not an automatic setting. Previously, Facebook used HTTPS only when you entered your password.

To enable this security feature, go to – Account Settings >> Account Security
Click “change”. Check mark “Browse Facebook on a secure connection (https) whenever possible”.


Mar 05 2011

PacketFence – Open Source Network Access Control (NAC) System

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system.

Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with the Snort IDS and the Nessus vulnerability scanner, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

What you can do with PacketFence :

  • Block iPods wireless access
  • Forbid rogue access points
  • Perform compliance checks
  • Eliminate Peer-to-Peer traffic
  • Provide guest access
  • Simplify VLAN management

Download: packetfence-2.1.0.tar.gz