EH-Net Forum
Show Posts
1  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Securing MIFIs on: February 08, 2010, 09:44:52 AM
I've now seen 2 hacks for the MiFi.

First is one against the pre-set WPA-TKIP PSKs that are based on the MAC address of the access point, and have limited entropy. That one is something you can completely mitigate by doing the usual smart thing of changing your SSID to something unique (for which no one is likely to have precomputed PSK hashes lying around on their hard drive), and setting a strong, long, random pre-shared key. For bonus points, strengthening your config with WPA2-AES vs the default WPA-TKIP gives an extra cushion.

As for the admin interface hack linked earlier, that one is going to require a firmware update, best I can tell, once they come out. NoScript would be well advised of course, but even it won't be complete protection.

I need to get more familiar with the admin interface hack before saying much more though.
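The mitigation the post recommends (a long, random pre-shared key instead of one derived from a few MAC digits), as an added example that is not code from the original post. It assumes the WPA/WPA2 rule that a passphrase is 8-63 printable ASCII characters, and a locally chosen MIN_BITS threshold; the bit figures are best-case estimates for uniformly random selection from the character classes present, which is exactly what a MAC-derived default key is not.

```python
"""Generate and vet a WPA2 pre-shared key.

Added example, not code from the original post. Assumes the WPA/WPA2 rule
that a passphrase is 8-63 printable ASCII characters, plus a locally chosen
MIN_BITS threshold. Entropy figures are best-case: symbols drawn uniformly
from every character class the key uses."""
import math
import secrets
import string

# Full printable ASCII minus whitespace: what a random passphrase draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_BITS = 80  # assumed local policy, not a figure from the original post

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_psk(length=32):
    """Uniformly random passphrase from the CSPRNG (secrets), never random.choice."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_psk(psk):
    """Return (ok, reason, bits). Rejects bad length, non-ASCII or whitespace
    characters, and keys whose best-case entropy is under MIN_BITS."""
    if not 8 <= len(psk) <= 63:
        return False, "length must be 8-63 characters", 0.0
    if any(ch not in ALPHABET for ch in psk):
        return False, "only printable ASCII without whitespace allowed", 0.0
    # Best case: assume the key was drawn at random from every class it uses.
    alphabet_size = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in psk))
    bits = entropy_bits(alphabet_size, len(psk))
    if bits < MIN_BITS:
        return False, f"best-case entropy {bits:.0f} bits is below {MIN_BITS}", bits
    return True, "ok", bits


def mac_derived_bits(hex_digits):
    """Keyspace of a default PSK built from `hex_digits` of the AP's MAC (16 symbols each)."""
    return entropy_bits(16, hex_digits)


if __name__ == "__main__":
    print("last 6 MAC hex digits as a key:", mac_derived_bits(6), "bits")
    print("hex-looking default key:", check_psk("3a7f9c2b"))
    fresh = generate_psk(32)
    print("generated:", fresh, check_psk(fresh))
```

The point of `mac_derived_bits` is the comparison: six hex digits of a MAC give 24 bits of keyspace at most, while a 32-character random key from the full alphabet is over 200 bits, which is why changing both the SSID (defeating precomputed tables) and the key closes this one off.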
2  Resources / News from the Outside World / Re: Defcon 17 Talks to See on: August 03, 2009, 02:18:06 AM
thanks, i'll do my best not to disappoint!



And of course you didn't.  Great talk Chris--enjoyed it.  Badass stuff. 

3  Resources / News from the Outside World / Re: Real Black Hats Hack Security Experts on Eve of Conference on: August 03, 2009, 02:17:08 AM
i would like to have both versions of the story before passing judgement.

But it's impressive.



Mighty impressive. Kaminsky took it in stride with several self-effacing jabs at himself about the leaking of his passwords in the hack.

You can find the attacker's treatise and all the info they grabbed in their massive txt file missive. I'd suggest wget and reading it in less or more:

http://r00tsecurity.org/files/zf05.txt

4  Ethical Hacking Discussions and Related Certifications / Wireless / New kismet? Anyone tried it? on: June 28, 2009, 12:18:23 AM

Curious if anyone's jumped on the new kismet yet. One thing I'm looking for is a relatively easy path to annotated Google Maps of a site... Not sure if it's in there or not?

If not, has anyone invented this wheel to convert .gps to something Google Maps would like? I haven't looked into the Google Maps API at all so this may be trivial, but any info would be useful.
5  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: backdoor actions on: June 06, 2009, 02:43:41 AM
thanks for the post, i think it's a big hell on my pc. i did as Ketchup said, i ran nmap from a different pc and all probes were bounced by my firewall as it returned all ports were filtered. and still i run netstat and see different connections, some are established, some time_wait, some last_ack and another syn_sent, of unknown people.

i think i will have to sniff the traffic and see what happens really as you have said.
thanks

I think you're on the right track. One thing I recall from my first exposure to incident response: once you're compromised, that machine can't be trusted to tell you ANYTHING until you fdisk, reformat and reinstall from original read-only media. Therefore, I totally disagree with any endorsement of any anti-malware cleanup software. There's no way to know you got "everything" with such tools, particularly with polymorphic payloads that so easily evade signature-based detection, or don't leave any traces behind anyway.

One very passive thing you can do to see what's going on (if it's a home machine) is disconnect all devices but the suspect machine, slap a hub between your cable modem or DSL router and your router/switch, hang a BackTrack box (without starting networking and DHCP) off of it, don't assign an IP to the Ethernet interface, and passively listen to the traffic going out of your network with Wireshark. If you can add Snort into the mix to analyze things for you on the fly, so much the better.

The problem with netstat on the box... is you don't know if netstat itself has been trojaned to hide connections that are occurring. Running a statically linked binary off a CD may be better, but if the kernel is sufficiently owned, it may lie to the binary, etc. It's a bit of a house of cards with respect to trust.

Good luck, and I hope your efforts are both educational and turn up that it's all much ado about nothing!
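The cross-check the reply is driving at, as an added example that is not code from the thread: compare the suspect host's own netstat output with the flows the passive box on the hub actually sees. Anything on the wire that the host never reports is exactly what a trojaned netstat (or a lying kernel) would hide. The netstat dump and the tcpdump-style lines are constructed samples, and the column layouts the two regexes expect are those of the samples.

```python
"""Cross-check a suspect host's own view of its TCP connections against what a
passive sniffer on a hub observed. Added example, not code from the thread.
Both inputs are constructed samples in the layouts the regexes below expect."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port")

# Constructed sample: what `netstat -an` on the suspect host reported.
HOST_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    192.168.1.10:49152     93.184.216.34:80       ESTABLISHED
TCP    192.168.1.10:49153     198.51.100.7:443       TIME_WAIT
"""

# Constructed sample: tcpdump-style lines from the passive box on the hub.
# The 6667 flow (and its reply) never shows up in the host's netstat.
WIRE_CAPTURE = """\
12:00:01.000 IP 192.168.1.10.49152 > 93.184.216.34.80: Flags [P.], length 120
12:00:01.200 IP 192.168.1.10.49153 > 198.51.100.7.443: Flags [F.], length 0
12:00:02.500 IP 192.168.1.10.51234 > 203.0.113.9.6667: Flags [S], length 0
12:00:02.600 IP 203.0.113.9.6667 > 192.168.1.10.51234: Flags [S.], length 0
12:00:02.700 IP 192.168.1.10.51234 > 203.0.113.9.6667: Flags [P.], length 64
"""

NETSTAT_RE = re.compile(r"^TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+\S+", re.M)
TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_netstat(text):
    """TCP 4-tuples the host claims to have, as seen from the host side."""
    return {Conn(a, int(b), c, int(d)) for a, b, c, d in NETSTAT_RE.findall(text)}


def parse_capture(text, host_ip):
    """4-tuples involving host_ip seen on the wire, normalised so the host is
    always the local side (replies from the remote map to the same Conn)."""
    conns = set()
    for src, sport, dst, dport in TCPDUMP_RE.findall(text):
        if src == host_ip:
            conns.add(Conn(src, int(sport), dst, int(dport)))
        elif dst == host_ip:
            conns.add(Conn(dst, int(dport), src, int(sport)))
    return conns


def hidden_connections(netstat_text, capture_text, host_ip):
    """Flows observed on the wire that the host's own netstat did not report."""
    return sorted(parse_capture(capture_text, host_ip) - parse_netstat(netstat_text))


if __name__ == "__main__":
    for c in hidden_connections(HOST_NETSTAT, WIRE_CAPTURE, "192.168.1.10"):
        print(f"NOT reported by host: {c.local_ip}:{c.local_port} -> "
              f"{c.remote_ip}:{c.remote_port}")
```

On real data, feed it the text of `netstat -an` taken on the host and the output of `tcpdump -n` from the unaddressed sniffer interface; the useful result is the difference, not either list on its own, which is the "house of cards" point: the host view is only worth something once something outside the host confirms it.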
6  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Just passed my CISSP on: June 06, 2009, 02:35:01 AM
Congrats on the pass!   Bask in the glow of not having to study for a test any longer, but studying for the job at hand!    Well done.
7  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: CEH Certification on: June 04, 2009, 03:49:11 PM
I am new to this forum. I have been doing security work for the past 3 years. I am interested in either the CEH or CISSP. My real passion is in pen testing, data recovery, intrusion prevention. My question, does anyone have success stories after getting the CEH? Like, it got me in the door at company ABC and now I'm really happy with my job. Or, after getting my CEH, I got a great promotion at work and now make over 100k.

any other success stories would be great to hear...to make up my mind which direction to go..

dark_north


A CISSP will get you considered for positions you otherwise wouldn't, particularly in consulting. However, there's a stigma to it in the pen testing community in that it's a very broad cert, and I've actually heard bandied about in pentest circles "oh, you're getting your CISSP--you looking to move into security management? Hah!"

A CEH is not a terribly hard cert to get (at least it wasn't when I got mine about 3 or 4 years ago). I don't have a magic story for you about it. Also, like so many certs, I know some people with a CEH that wouldn't really have the first clue about how to successfully do a quality pen test.

CEH does have decent name recognition though, and I do get a remarkable number of recruiter hits because it's on my resume when they have a client that asks for it specifically (though I'm always a little suspicious of the security credentials of a customer who targets CEHs specifically).

Overall, I'd say that for pen testing, you'd be better served with neither. If you can get OSCP, on the other hand, then you may have something. They don't have the name recognition of CEH I don't think, but within the pen testing community, it seems to be a well respected cert that includes a practical.

That said, the CEH isn't worthless--I learned a ton from Infosec Institute's delivery of their ethical hacking and advanced EH courses. I just didn't think the exam quality was good enough to really put much of a halo around having achieved the CEH cert.

8  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Cool tool: GNU split on: June 03, 2009, 12:26:58 PM
While we're talking about cool tools and GNU, if you find yourself on the command line of *nix boxes a lot and aren't familiar with GNU screen (the command-line command is just screen), it's the cat's ass.

Multiple virtual command windows, and if you lose your connection or disconnect voluntarily, screen -r puts you back right where you were.

How I lived without it, I'll never know.
9  EH-Net / News Items and General Discussion About EH-Net / Re: [Article]-June 2009 Free Giveaway Sponsor - Black Hat USA on: June 03, 2009, 12:21:09 PM
Me me me me!    I've got plans to be at defcon and would sure love to get to BH again.  Ye ole employer has cut the knees out from the training budget this year (like many have I suspect).    BH last year was my first, and I'd love to return.  Kudos on getting some great prizes Don.

10  Ethical Hacking Discussions and Related Certifications / Programming / Re: Learning Python (Again...) on: June 03, 2009, 12:18:16 PM
PyHacker, 

I was fortunate enough to get a copy of Justin Seitz's Gray Hat Python: Python Programming for Hackers and Reverse Engineers at Chicagocon 2009s a month or so ago, and it looks great from what I've read of it. It's an O'Reilly book, and I've yet to see that publisher lay an egg yet really. Check it out:

http://oreilly.com/catalog/9781593271923/

11  EH-Net / Calendar Of Events / Re: ChicagoCon 2009s on: June 03, 2009, 12:13:55 PM
By the way, when will the next one be? Don, will you be doing a 2009f?

Todd
12  EH-Net / ChicagoCon 2009s / Re: Chris Nickerson's New Podcast, Exotic Liability, LIVE at ChicagoCon May 9 on: June 03, 2009, 12:12:44 PM
No doubt, after having met all 3 of 'em at Chicagocon, EL has me hooked. The latest one with the story about 2 master social engineers killing time by messing with religious recruiters and their personality tests had me on the floor... it was so damned funny.
13  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Best cert for practical experience in pen testing on: May 21, 2009, 02:50:51 AM
For 'hands on', I would say offsec, then GPEN. I am not a CEH so I can not comment on the hands-on element (there are plenty of CEH members that can). However, the exam for the OSCP is 100% pure, unadulterated, mind blowing hands on!!

However, this is a pen testing course, with little 'pure' vulnerability scanning, so with this in mind, you might be better off with GPEN which includes pen testing and vulnerability scanning.

Hope that helps.


From all I've heard, OSCP is the way to go for more hands on. I know the class I had with Infosec Institute that happened to include CEH testing was also very hands on, but I'm not confident you'll find that across the board. There were some folks in my class who passed the test who weren't... um.. so good. There were also some bad ones who did fail too, which gave a person some faith as well. But, by all accounts, OSCP is the cert associated with more hands-on stuff than a CEH.

On the other hand, I actually have gotten recruiter emails simply because their hiring client mentioned CEH specifically in requirements, and I bubbled up on top of others for that reason. CEH definitely has the more accessible and better known name of the two to the broader public.

I never even saw a study guide or knew of the official courseware for the CEH by the way, and rocked the hell out of that test, but this also wasn't my first security course ever, I came in quite comfy with Linux and Windows, and had been doing vulnerability assessment as a job for a year or so when I took it.

14  Ethical Hacking Discussions and Related Certifications / Other / Re: Accidently found publicly available server running RDP. on: May 21, 2009, 02:34:45 AM
Heya Novo,

It's not terribly uncommon in my experience to come upon internet-facing RDP. With RDP's checkered security history, and MITM-prone past, it is cringeworthy, but not necessarily a hanging crime like... say, an SQL server listening out there with a blank SA password. LOL. RDP can be configured with FIPS-compliant encryption at least, these days, but as another poster points out, making it so easy for unsecured computers to connect to these servers without strong firewall and policy enforcement in place, there's a lot to think about there. Share out some drives over the RDP session, and suddenly there's an inbound malware propagation vector.

The general recommendation I like to make upon findings like this focuses on verifying the encryption level they're providing, and recommending that it like any other proprietary protocol be accessible only inside a fully configurable and monitored VPN. 

With SSL VPNs now available, the argument that VPNs are too complex for users to employ on a variety of platforms becomes lighter and lighter.
15  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Am I Secure? on: May 15, 2009, 09:06:02 PM
hey all ... im new to this ..

can anyone tell me how to hack wireless network .. with WPA2 encryption and cipher CCMP and Auth: MGT .... that has usernames and passwords for accounts ?

I'll save you some time: ain't likely to happen. That's a best-practices wireless config you've found right there. :-) If it's Cisco infrastructure, maybe you'll find some other BSSIDs from the same physical access point that are configured more loosely and attempt to join those if you can find clients and/or ESSIDs that are associated with those.

Alternative approaches: callback trojan burned onto an autorun-configured CD or U3-enabled USB key labeled "private photos" and leave it somewhere the owner of the access point or anyone on the LAN will pick it up and put it into their computer.

Or if you wanna still stay in the wireless realm, go after the clients. See if the client or network involved has some of those lovely braindead Windows XP machines that bleat for their remembered access points, probing out to them hoping they respond. airbase-ng can then be used to set up a trojan access point with an ESSID matching those for which those clients are probing, set up a DHCP server on the same box serving addresses to the tun interface airbase-ng creates for ya, the "sheep" client box associates, you cheerfully offer it a DHCP address, and then you can attempt to see if it's vulnerable to anything over the network. Or, if you have internet connectivity you can MITM them with the full karmetasploit ball of wax and capture credentials as they try to go out to the net and instead find your rogue Metasploit replicas of popular websites, and they'll give up some credentials in the process, more than likely.


Good luck!  And again, this presumes you're going after a network you have written legal permission to attack. 