Census Bureau Loses 1,137 Laptops

From CNN: Census Bureau loses hundreds of laptops:

The Census Bureau, the main collector of information about Americans, lost 672 computers. Of those, 246 contained some personal data, the department said in a statement. However, no personal information from any of the missing computers has been known to have been improperly used, the department said.
…and…
More than 30,000 laptops were used within the department’s 15 operating units since 2001, the department said, and a total of 1,137 were stolen or missing.
How the fuck do you lose 1,137 laptops? Out of 30,000? MY organization would notice that, but apparently not the government. How many of those 1,137 do you figure went home with employees and mysteriously never returned?

VML Exploit (Internet Explorer) and Workaround

From F-Secure:

Once again there is a browser vulnerability that allows for the remote execution of code. And the only action necessary to become infected is to view a malicious webpage using Internet Explorer or an HTML formatted e-mail.

It was discovered in the wild by Sunbelt. Microsoft published Microsoft Security Advisory (925568) yesterday regarding the issue. The update is currently scheduled for October 10th - the next regular patch Tuesday.

They also list a workaround, which is to unregister vgx.dll. Like the Windows WMF Vulnerability from the beginning of this year, I guess I’ll write another batch file to silently unregister the DLL, use Group Policy to enforce it, then start rebooting all the computers in our building…

Hmm, guess I should go ahead and reboot the laptop into Windows and do that. At least I can be comfortable lying here on the couch while I’m doing it. sigh

Homeland Security Not Ready For Cyber Storm

By Michael Hampton:

A well coordinated attack against multiple critical infrastructure points launched via the Internet could overwhelm the federal government’s ability to respond, according to a report released by the Department of Homeland Security last week on the Cyber Storm exercise conducted in February.

Conducted from Feb. 6-10, 2006, Cyber Storm was an exercise in coordinating public and private sector response to a series of simulated terrorist attacks on Internet-connected critical infrastructure, such as the electrical power grid and air traffic control, as well as general attacks on the integrity of the Internet as a whole, conducted by fake left-leaning groups for political purposes. My favorite part was when the hackers disabled the heating systems in government buildings.

Updates for Firefox, Thunderbird, and Seamonkey

The Mozilla Corporation has released new versions of Firefox, Thunderbird, and Seamonkey.

Release notes are also available for Firefox, Thunderbird, and Seamonkey.

Upgrade!

IE 0-day in the wild (soon)

Looks like there’s a 0-day vulnerability in Internet Explorer, and there will probably be working exploits in the wild soon. Read more at blogs.ittoolbox.com…

Relying on MAC-based authentication

Why, after all this time, do people STILL rely on MAC-based authentication? Can someone tell me that?

First, let me say that we employ MAC-based authentication on the wireless network I set up at $work. We do not rely on it, however.

In order to get a valid IP address from our DHCP server, the access points must “authenticate” your MAC address. You could spoof or change your MAC in order to get onto our wireless network. It wouldn’t do you much good, however.

The access points are configured such that one client cannot talk to another client. In addition, once you’re associated with the A.P. and have a valid IP address from the DHCP server, you still can’t do anything! You are, in effect, on an isolated subnet. ACLs are in place that prevent your device from communicating with anything else in the world except for a VPN server on another subnet. In order to “get out”, you first have to establish a VPN connection. This, of course, requires valid credentials.

Even then, you’re somewhat limited. ACLs in place there allow outgoing traffic on 22/TCP, 80/TCP, and 443/TCP. That’s it. Yes, I know that one could set up proxies outside of our network or otherwise bypass these restrictions, but I’m not too concerned with that, to be honest.
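The layered policy described above, modelled as a small packet filter to show what a client with an accepted (or spoofed) MAC can actually reach. This is an added example, not the author's configuration: the subnets, addresses and the rule that any traffic to the VPN server is allowed are assumptions; only the three TCP ports come from the post.

```python
import ipaddress
from dataclasses import dataclass

# All addresses are constructed for illustration; the post names none.
WLAN = ipaddress.ip_network("10.10.50.0/24")      # isolated wireless subnet
VPN_SERVER = ipaddress.ip_address("10.10.60.5")   # only host the WLAN may reach
VPN_POOL = ipaddress.ip_network("10.10.70.0/24")  # assigned after VPN login
VPN_EGRESS_TCP = {22, 80, 443}                    # the three ports from the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def decide(pkt: Packet) -> str:
    """Return 'permit' or 'deny: <reason>' for one packet sent after DHCP."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src in WLAN:
        # Stage 1: MAC accepted and lease issued, but no VPN session yet.
        if dst in WLAN:
            return "deny: client isolation on the access point"
        if dst == VPN_SERVER:
            return "permit"  # assumption: any traffic to the VPN server is allowed
        return "deny: wireless subnet may only reach the VPN server"
    if src in VPN_POOL:
        # Stage 2: valid credentials presented; egress limited by port.
        if pkt.proto == "tcp" and pkt.dport in VPN_EGRESS_TCP:
            return "permit"
        return "deny: not in the VPN egress list"
    return "deny: unknown source"


if __name__ == "__main__":
    samples = [  # constructed traffic
        Packet("10.10.50.23", "10.10.50.24", "tcp", 445),   # neighbour client
        Packet("10.10.50.23", "198.51.100.7", "tcp", 80),   # internet, no VPN
        Packet("10.10.50.23", "10.10.60.5", "udp", 500),    # VPN server
        Packet("10.10.70.8", "198.51.100.7", "tcp", 443),   # via VPN
        Packet("10.10.70.8", "198.51.100.7", "tcp", 25),    # via VPN, blocked port
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {decide(p)}")
```
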

Maybe that’s it. Maybe people just aren’t concerned if others “spoof” their MAC addresses and gain access to their wireless networks?

Case in point: Netsurf USA. They provide Internet access to this small town over 802.11 wireless. We have two large water towers, one at each end of town. They’ve got large 802.11 antennas on top of these two water towers, and they put a directional antenna at each customer’s site in order to get them connected. I noticed this tonight when I was sitting on the front porch with the laptop. (Remember, Blueriver hasn’t gotten my DSL up and running as of yet).

NetStumbler showed me a few networks and I remembered these particular SSIDs. I fired up aircrack-ng and it immediately spit out the MAC addresses of a few clients that were communicating with the access point.

Guess how long it took me to get connected (hypothetically, of course). =)

LinuxWiz Consulting Relaunch

One other thing that I’m going to do now that I’m back in Mitchell is to “relaunch” my consulting business, LinuxWiz Consulting. I stopped taking new clients and finished up my active projects months ago because a certain somebody complained that it took up too much of my time. That won’t be an issue anymore, so I’m going to start it back up. There’s some legal paperwork I’ll have to take care of to operate in this county again, but nothing major. Hopefully within the next 30 days or so, LinuxWiz Consulting will be back in full-swing!

Stupidity Now!

Take “Security Now” off the list of podcasts that I listen to. I listened to episode #42 today and that was enough to take me over the edge. Steve Gibson is such a f**kin’ retard… listening to him explain “how NAT works” today had me cussin’ out loud to no one. I’m not quite sure how to articulate what I’m thinking about him at the moment, but I’ve removed “Security Now” from my aggregator. Enough of that shit…

cracking wep really is that easy

so cracking wep really is as easy as they say…

i was sure of this since i don’t really have a reason to not believe anyone who says it, but i’m one of those people who like to see things before i believe them. i also use the metasploit framework to run exploits against my own networks, just to verify that they are real.

anyways, i wanted to crack wep. my laptop has the intel pro/2200 wireless (centrino) built-in but apparently it can’t do packet injection, which is kinda a must.. reports that i read indicated that most of the atheros-based cards worked wonderfully, so i set out to find one (the netgear wg511t was specifically mentioned). i ran to office depot and managed to find one, and it’s even on sale for $20 off (instant rebate, not a stupid mail-in rebate). anyways, i bought it and came home.

after downloading the madwifi code/modules from livna for fedora core 5 on the laptop, it just worked(TM). i got to work with aircrack and started looking to see what kinda activity was going on. anyways, there was no traffic on the network i wanted to crack. aireplay-ng worked perfectly, associating to the access point so that i could capture the association traffic and replay it. it started injecting/replaying almost immediately and i watched the initialization vector (IV) packet count start increasing pretty quickly. i left it running and went to bed.

when i woke up this morning, there were 1,020,384 IVs that had been captured. since most docs i’ve read say that 128-bit wep can be cracked with around 200,000, i was sure this was plenty. i was right.

i fired up aircrack-ng, pointed it at the file containing the captured IVs and let it go to work. i didn’t have to wait long… four seconds later, it informed me that the key had been found. it was done. i was then able to use the encryption key to then connect to the network (using “iwconfig”) and post this blog entry. =)

here’s a png image of aircrack-ng finding the key.

Donate to EFF and Stop the Illegal Spying!

First, let me say that I am, and have been for years, a member of the Electronic Frontier Foundation. I encourage everyone who values their “Internet rights” to become the same. Here’s the latest e-mail I’ve received from them:

-----Original Message-----
From: Electronic Frontier Foundation [mailto:membership@eff.org]
Sent: Friday, May 12, 2006 5:10 PM
To: Gaddis, Jeremy L.
Subject: Donate to EFF and Stop the Illegal Spying!

Your World. Delivered. To the NSA.

Recent news reports have revealed that AT&T, Verizon, and BellSouth are violating the law and the privacy of millions of ordinary Americans by secretly giving the NSA information about your telephone calls without a court order.

In January, EFF filed a lawsuit against AT&T for collaborating with the NSA. This case is the best way for us to uncover and shut down the government’s secret spying program and to hold AT&T accountable.

Stand up for your rights by supporting EFF and our case against AT&T. And please forward this message and spread the word to your friends and family members.

Join EFF today! http://secure.eff.org/att
More info about the case: http://www.eff.org/legal/cases/att/



Copyright © 2007 Jeremy L. Gaddis.