Ed Skoudis here to introduce a new infosec- themed challenge for you to solve. In this one, challenge writer- extraordinaire Kevin Bong has brewed up a real doozy for you all based on a Scooby Doo theme. Grab a Scooby-Snack, hop in the Mystery Machine, and help the gang solve one of their toughest capers yet. Along the way, you'll contend with some fascinating forensics puzzles and develop your skills. Answers are due back by November 15, 2008. As always, we'll award the fine prize of a book to the best technical answer, the most creative technical answer that is also technically correct, and to a random-draw winner.

Please note that I'll be announcing the winner of our previous challenge, It Happened One Friday, in the next few days, so please stay tuned!

If you can’t answer this challenge 100%, still send something in to qualify as a random winner. This month’s prize is my book, Counter Hack Reloaded, which I authored with Lenny Zeltser. Each winner gets a signed copy.

Thank you,
--Ed Skoudis, InGuardians
The Ethicalhacker.net Challenge Guy

Study: Hotel network security lacking

Most U.S hotels are vulnerable to malicious attacks and are "ill prepared" to protect their guests from internet security problems, claims a study published by Cornell University.

The study, “Hotel Network Security: A Study of Computer Networks in U.S. Hotels” examined the security of 147  hotels through surveys, interviews and on-site testing.

“Many hotels have flaws in their network topology that allow for exploitation by malicious users, thereby resulting in the loss of privacy for guests,” the study says.

One of the study authors, Josh Ogle, a Cornell University graduate and founder of IT services company TriVesta, performed on-site testing at 46 hotels in Virginia, North Carolina, Texas, Maryland, Tennessee and Pennsylvania - making sure to hit both tourist and business travel destinations.

Ogle tested wireless networks at 38 hotels and wired networks at eight.  He found the majority were vulnerable to attacks.

“Out of the 38  wireless, I was able to break into 33,” Ogle told SCMagazineUS.com Monday. “And by break into I mean, accept data from someone else's computer that wasn't meant to be on mine.”

Ogle used the Linux distribution BackTrack, meant for network testing. In addition, following recommendations of hackers on vulnerability mailing list Full Disclosure, Ogle used a high-power wireless card and high-gain omnidirectional antenna to crack the networks. The setup cost less than $100, he said.

Ogle said using this method a hacker can see all unencrypted information coming into and leaving the network -- including passwords, email messages and any web pages people are viewing.

Of the hotels compromised, each took about 10 minutes to breach. Some hotel employees inadvertently assisted in the breach by providing passwords and access instructions.

“They are extremely unsecure,” Ogle said of hotel wireless security. “I was very disheartened by what I saw. I wasn't surprised, but I was disheartened.”

Ogle recommended that all hotels use Wi-Fi Protected Access (WPA) encryption, which requires a password to get on the network and encrypts all data transmitted. Of the hotel networks that Ogle was not able to crack, the majority used WPA encryption

For guests, Ogle recommended connecting to the internet using a Virtual Private Network (VPN), having updated anti-virus and firewall software and making sure each secured website starts with “https://” rather than “http://”.

The danger of not securing a hotel's network is that a malicious user could gain access to guest information or other confidential files, Domenic Carmona, director of IT at the W Dallas-Victory hotel, told SCMagazineUS.com Monday.

Carmona recommended hotels use WPA encryption as the minimum standard. He also stressed the importance of having a robust set of firewalls that are managed and properly configured, splitting networks, and educating staff of the importance of security standards.

Microsoft pen testers AKA ethical hackers, Billy Rios and John Walton, headline an impressive list of presentations by security researchers, practitioners and executives on Oct 31 and Nov 1, 2008 for the Ethcial Hacking Conference portion of ChicagoCon. And for only $100 including food and swag, it's a steal. Register NOW!!

Presented by The Ethical Hacker Network, a free online magazine for the security professional, ChicagoCon is a bi-annual security event held in the Windy City. In addition to numerous security boot camp courses taught by world-class instructors, ChicagoCon also features an Ethical Hacking Conference for two days of cutting-edge talks, peer networking and career advancement in the exciting and growing field of computer security.

WASHINGTON (CNN) -- First, there was "Einstein," the federal government's effort to protect itself from cyber attacks by limiting the number of portals to government computer systems and searching for signs of cyber tampering.

Then Einstein 2.0, a system now being tested to detect computer intrusions as they happen.

And in the future? Perhaps Einstein 3.0, which would give the government the ability to fight back.

Homeland Security Secretary Michael Chertoff on Friday said he'd like to see a government computer infrastructure that could look for early indications of computer skullduggery and stop it before it happens.

The system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target," he said. "And that's what we call Einstein 3.0."

At a meeting with reporters to highlight National Cyber Security Month, Chertoff reiterated his belief that the government should aggressively defend its computer systems, saying that terrorists, if they gain expertise already available to others, would "cause potentially very serious havoc" to government systems.

"Let's make the investment now rather than wait until there's a huge catastrophe," he said.

But despite his emphasis on the risks posed, Chertoff said the government is moving slowly to avoid stepping on the toes of the private sector as it addresses calls to reorganize the governance of cyberspace to provide accountability and authority.

"I think the question of what is the government's role in cyberspace in general needs to be discussed among all the stakeholders, because there is a culture of cyberspace that is an open architecture," he said. "And I think if we just came in and said we want to take it over, there'd be, understandably, a considerable amount of discomfort with that."

"We are deliberately going slowly because we recognize that the issue of government involvement in the Internet is fraught with all kinds of potential concerns and potential anxieties about not having the government have a big-foot impact on an area of communication and commerce that has traditionally been viewed as really independent and free."

Chertoff said the government is "feeling our way to what is the right mix of government involvement with protecting the Internet in the private domain while preserving everybody's comfort level that we're not going to be in their business in a way that would be inappropriate."

Asked if he envisioned a world with two cyberspaces, he said he envisions a world with "a lot of different levels of security and trust, depending upon the nature of what it is that you're doing."

"We already have that now, in the sense that we have classified systems which are walled off from unclassified systems," he said.

The Bush administration released its National Cyber Security Initiative in January. The "most immediate component" of it from the Department of Homeland Security's perspective, Chertoff said, is to increase security for federal government computer systems.

But another priority is to work with the private sector to address threats to businesses. This includes not only protection from hackers, but also from counterfeit parts, which an individual or another nation could use to create vulnerabilities in the United States, he said.

Cain & Abel v4.9.23 released

- Added LRWB-16Khz codec support in VoIP sniffer.
- Added MGCP/RTP sniffer filter. Cain can now extract SDP-RTP parameters from MGCP protocol.
- Fixed some bugs in SIP/RTP sniffer filter causing crashes while sniffing.
- All Dumper's DLL Injection functions have been rewritten to directly use undocumented ZwCreateThread API instead of CreateRemoteThread. On XP/2003, Cain now supports passwords/hashes/secrets extraction even if executed in Terminal Server sessions.
- Fixed a bug in dictionary attack "Double" option.

A new and previously unknown exploit toolkit exclusively targets Adobe's PDF format.

According to a blog on the company's TrustedSource site, Secure Computing's Anti-Malware Research Labs has identified a toolkit dubbed the “PDF Xploit Pack.”

The blog entry says: “Typical functions like caching the already infected users are deployed by this toolkit on the sever side. Whenever a malicious PDF exploit is successfully delivered, the victim's IP address is remembered for a certain period of time. During this ‘ban time' the exploit is not delivered to that IP again, which is another burden for incident handling.”

The exploit joins other toolkits that have been enhanced with PDF exploits, such as one called the “El Fiesta” toolkit. But other analysts feel that any rise in overall PDF exploits may be coming from older, more entrenched attack kits, notably Neosploit.

“Based on the statistics we're analyzing right now, extrapolating it onto the Neosploit code base, and looking at two months of history, the rise in the exploitation of PDF vulnerabilities can definitely be attributed to Neosploit,” said Ian Amit, director of security research, Aladdin Knowledge Systems.

“El Fiesta distribution is very limited," he added, "and anecdotal evidence seems to indicate that the large number of PDF attacks cannot be directly attributed to PDF Xploit Pack or El Fiesta."

A patch for these exploits is available from Adobe, but, as Amit noted, “Not everyone patches quickly – and these attacks are continuing to be successful.”

A VPN server that was bought for less than a dollar on eBay proved to be a security nightmare as the new user found that it automatically connected itself to private networks.

Andrew Mason from Random Storm, a UK-based vulnerability management firm, picked up the Cisco Virtual Private Network from eBay in August. The device, he found when he plugged it in, connected itself to an English metropolitan borough's servers when plugged in.

A spokesperson for the borough, Kirklees, said it was a reason for concern, but remained confident that “multiple layers of security” prevented access to data. The spokesperson said, “In the meantime the disposal process has been suspended until an investigation can be carried out and appropriate action taken.”

Richard Farnworth, general manager, Enterprise Solutions, NEC (UK), said: “Protecting networking equipment and network topology is just as important in preventing security breaches as the recent spate of laptop, CD and memory stick losses we have seen. This latest announcement should not only act as a wake-up call to others, but demonstrated the growth in utility and appliance-style computing where the data and the intelligence is as much inherently ‘in' the network as those devices that connect to the network."

He added: “As so much dependence is placed upon connectivity in the ‘networked society' we belong to, it is imperative that both public sector organizations and commercial businesses take special care when disposing of any IT products. It will not come as a surprise that many ‘black box' devices hold configuration information within them and even consumers have cottoned on to the importance of securing their wireless networks at home, wiping hard disk drives before disposing of PCs and clearing memory banks in mobile telephones before sending them off for recycling.”

Windows machines run services in the background, letting admins manage them via the Services Control panel (services.msc) or the sc command. Penetration testers sometimes want to create a Windows service that will allow them to gain and maintain remote access of a Windows machine, possibly a persistent listener offering up shell access on a given port. Unfortunately, while the Windows sc command can be used to run any .exe as a service, Windows waits 30 seconds for the given program to throw a given API call to indicate that the service has started successfully. If Windows doesn't hear back from the service, it kills the program, thinking that the service failed to start. Thus, with sc, you can make your service, but you'll only get 30 seconds of access.

Previously, various commercial and shareware programs were available that would wrap provided executables inside of code that makes the appropriate calls so that Windows would let the executable run as a service and avoid the 30-second kill rule. But, such programs were only available for a fee... until now.

InGuardians' ServifyThis program takes any Windows executable and converts it into a form suitable for use as a Windows service.