Rogue Device Spotlight: VoCore

RISK ASSESSMENT RATING: 6.67

 

Popularity: 4

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

While not yet commonly used (to our knowledge), the VoCore’s Indiegogo funding helped it to become well known in theory, if not yet in practice. With its ease of use, low cost, and low physical profile, it is likely that the VoCore will be seen on a more consistent basis in the near future.

 

Simplicity: 9

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

The VoCore is extraordinarily easy to acquire and use. While DIY kits are available, for slightly more money a fully-assembled unit can be purchased and deployed with extreme ease.

 

Impact: 7

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

The VoCore is the kind of device that can cause substantial damage in the hands of either an experienced or inexperienced user – with some knowledge of how to properly take advantage of its full capabilities, the VoCore can be used to compromise an entire network. Even an inexperienced user, however, could leave a sizeable security hole in a network’s defenses by simply plugging the device into an Ethernet jack.

 

VoCore

The VoCore is the perfect example of a low-cost, coin-sized micro-computer that acts as an easy-to-use transparent wireless bridge. Simply plug this tiny device into your wired network and by default it will immediately start broadcasting an open wireless network. Once a wireless client connects to the VoCore access point, that client obtains an IP address directly from the wired network the VoCore is plugged into. What’s even scarier about this device is that, because it acts as a “transparent bridge”, it is virtually undetectable on the wired side of the network: it doesn’t take an IP address on either the wired or the wireless side, so once it is plugged into the wire there is nothing to detect or configure. In addition, the wireless chipset on this device supports packet injection and can easily be modified to attack wireless networks or clients and run EvilAP attacks.
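The bridge’s invisibility on the wired side has a flip side for defenders: every wireless client it bridges shows up on the same switch port, while the bridge itself never does. The following Go program is an added illustration, not code from the original post or from the VoCore project. It parses a constructed MAC address table in the common “VLAN / MAC / type / port” layout (the port names, MAC addresses and the uplink list are all assumptions) and flags access ports carrying more hosts than expected.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// MACEntry is one row of a switch's MAC address table.
type MACEntry struct {
	VLAN int
	MAC  string
	Port string
}

// sampleTable is a constructed sample. Gi1/0/7 is the jack a transparent
// bridge was plugged into: the MACs of its wireless clients appear there,
// the bridge's own MAC never does.
const sampleTable = `
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.dd02    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.dd03    DYNAMIC     Gi1/0/7
  20    0099.8877.6655    DYNAMIC     Gi1/0/12
  10    0055.6677.8899    DYNAMIC     Gi1/0/24
  20    0055.6677.889a    DYNAMIC     Gi1/0/24
`

// ParseMACTable extracts the rows; header and ruler lines, whose first
// field is not a VLAN number, are skipped.
func ParseMACTable(text string) []MACEntry {
	var out []MACEntry
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue
		}
		vlan, err := strconv.Atoi(f[0])
		if err != nil {
			continue
		}
		out = append(out, MACEntry{VLAN: vlan, MAC: strings.ToLower(f[1]), Port: f[3]})
	}
	return out
}

// CrowdedPorts returns the non-uplink ports carrying more than maxHosts
// distinct MAC addresses, together with the sorted MACs seen on each.
func CrowdedPorts(entries []MACEntry, maxHosts int, uplinks map[string]bool) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, e := range entries {
		if uplinks[e.Port] {
			continue // trunks legitimately carry many MACs
		}
		if seen[e.Port] == nil {
			seen[e.Port] = map[string]bool{}
		}
		seen[e.Port][e.MAC] = true
	}
	out := map[string][]string{}
	for port, macs := range seen {
		if len(macs) <= maxHosts {
			continue
		}
		for m := range macs {
			out[port] = append(out[port], m)
		}
		sort.Strings(out[port])
	}
	return out
}

func main() {
	uplinks := map[string]bool{"Gi1/0/24": true} // assumed trunk to the distribution switch
	for port, macs := range CrowdedPorts(ParseMACTable(sampleTable), 1, uplinks) {
		fmt.Printf("%s: %d MACs on a single access port: %v\n", port, len(macs), macs)
	}
}
```

A hub, a virtualization host or an IP phone with a PC daisy-chained behind it will trip the same check, so the threshold should be a per-port baseline rather than a flat “one host”. The check is a detection of record, not a preventive control; switch port security or 802.1X on the access ports is what stops an unknown device from bridging anything in the first place.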

 

Hardware Specifications:

  • CPU: RT5350 (360 MHz MIPS)
  • RAM: 32 MB
  • OS: OpenWRT
  • I/O: USB, 10/100M Ethernet, UART, SPI, I2C, I2S
  • Radios: Ralink RT5350
  • Storage: 8 MB SPI Flash

 

Photos:

[Photo: VoCore]

 

Notable Features:

The VoCore is best known for its diminutive size – at merely 25 x 25 mm, it can be placed (and used) almost anywhere. The VoCore is an Indiegogo funded project and can today be easily acquired online, assembled or as a DIY kit, and has been suggested as a low cost WiFi module for inexpensive, home-built connected devices.

 

Conclusion:

Devices like the VoCore are why it’s so important to maintain an awareness of wireless security, especially if your organization doesn’t use wireless networking. Organizations that don’t use wireless often have limited awareness or visibility of the wireless security threats that pop up in their environment, mainly because of the thought that “we don’t use wireless, so it’s not something we have to worry about”. With inexpensive, readily available wireless bridges and regular APs, it is only a matter of time before someone brings in some type of wireless AP for convenience and opens a major hole into your network. Laptops and mobile devices can pose wireless security threats in the same manner if not properly locked down.





Lenovo Puts Ad Revenue over Security with Superfish

We have been talking for quite a while now about the obvious “rogue” devices hiding in your enterprise, but there is another issue highlighted in our post on gifts that has resurfaced again: potentially vulnerable devices within your network that are not obviously rogue.

The security and privacy communities have been on absolute fire since news broke about the “Superfish” advertisement software Lenovo decided to pack in with some of their Windows-based machines in 2014. While everyone agrees that Lenovo pre-installing malware designed to push advertisements onto users’ screens is bad enough on its own, Superfish is looking to be considerably more dangerous than your standard manufacturer bloatware. Superfish breaks the HTTPS trust model so badly that many in the industry have been left wondering how the companies involved could possibly have signed off on something so contrary to standard security practice.

Many are calling this the worst security gaffe by a major tech player in recent history, and it has already been compared to the infamous Sony rootkit debacle of the mid-2000s. Superfish has even gotten the attention of Homeland Security, which released a statement calling it a “critical vulnerability”. For its part, Lenovo claims it had no idea about the security implications of Superfish and has been working with Microsoft to get it automatically removed by Windows.

 

How Superfish Works

Superfish is described as a “Visual Discovery” platform, essentially software that matches the content of images with what they actually are. The creators claim this software helps consumers do things like identify what items are even if they don’t know how to textually describe them.

In the case of Lenovo computers, Superfish was included to analyze the images users were looking at and suggest advertisements that were relevant to them. So if the user was looking for images of dogs on their computer, they may start seeing advertisements related to animal adoption agencies while browsing the web. This is not unlike Google’s AdSense, just using images instead of text keywords to generate contextual ads. In other words, it might sound shady, but it isn’t something we aren’t already dealing with on a daily basis.

 

Man-in-the-Middle

The real problem is that Superfish was configured to intercept all of the data a user sent out on the Internet, even if it was encrypted. It did this by installing its own self-signed root certificate, essentially making the computer treat Superfish as the issuing party for every SSL certificate. It then had free rein to view and modify the data the user was seeing in any way it wished, even though the browser said the page was encrypted and the user had a secure connection to the site.

In other words, Superfish performed a classic Man-in-the-Middle attack against SSL-encrypted sites. A trick that usually requires taking over the entire network with specialized software was done out of the box by the friendly folks at Lenovo.

But it gets worse.

If each installation of Superfish had used a unique private key, this would still be an invasion of privacy on a large scale, but not exactly unheard of. For example, anti-virus software often installs a root certificate unique to each machine so it can inspect HTTPS-encrypted sites for malicious code. But the company that provided Superfish with its SSL interception certificate, Komodia, decided to use the same private key for every certificate installed on a machine running Superfish. That means anyone who has that key could fool a Superfish-equipped machine into believing it had a secure connection to any site they wished.

It only took a few hours for the private key Komodia used to be discovered, aided in no small part by the fact that they decided to protect the key with the password “komodia”.

 

Lessons Learned

It’s becoming clear that more software than just Superfish was using the faulty Komodia private key. It’ll likely be a while before the practical implications of the Superfish/Komodia software combination are fully known. How many machines are really affected? How likely is it for an attacker to leverage this against a victim in the real world?

But in the end the real point here is that the software included on a new machine simply cannot be trusted in an era where companies are playing fast and loose with users’ privacy and security. A full wipe and operating system reinstallation should be standard operating procedure on any new computer, whether it’s for personal or for business use.

With employees unaware of the potential dangers of their personal devices, it is vitally important to be aware of all devices connecting to your network.



Rogue Device Spotlight: #r00tabaga MultiPwner

RISK ASSESSMENT RATING: 6.67

 

Popularity: 7

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

Another one of the “name brand” penetration testing devices, the #r00tabaga’s popularity stems from its usefulness to conduct multiple types of attacks on a tried and tested hardware platform.

 

Simplicity: 7

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

While the #r00tabaga is another of the pre-built penetration testing tools, its two potential uses make it both slightly more expensive and challenging to use than either of its parts. However, with instructions on how to set up your own #r00tabaga and the availability of purchase online, the tool is fairly simple to acquire, if not quite as easy to use.

 

Impact: 6

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

Used properly, a #r00tabaga can cause the same damage as a Hak5 WiFi Pineapple or a MiniPwner. As always, the full exposure of the target’s information depends heavily on how the organization’s security controls are structured, but the #r00tabaga gives a penetration tester an effective route into the target’s networks.

 

#r00tabaga MultiPwner

Building on the groundwork laid by the MiniPwner and WiFi Pineapple, ACE Hackware’s #r00tabaga MultiPwner combines the best traits of both devices into one exceptionally portable and capable penetration testing tool. The MiniPwner’s OpenWRT core gives the #r00tabaga all the dropbox tools you’d expect, and the WiFi Pineapple’s automated rogue access point functionality makes setting up a cloned network a hands-free affair.

The #r00tabaga MultiPwner is based on the TP-Link MR3040 travel router, a device that’s proven popular in the OpenWRT community thanks to its low cost and built-in battery.

 

Hardware Specifications

  • CPU: Atheros AR7240 @ 400 MHz
  • RAM: 32 MB
  • ROM: 4 MB
  • OS: OpenWRT
  • I/O: Ethernet, USB, Serial
  • Radio: Atheros AR9331 802.11 b/g/n
  • Storage: USB Flash Drive

 

Photos

[Photo: #r00tabaga ports]

 

Notable Features

The #r00tabaga operates in two distinct modes, called “MiniPwner” and “Pineapple”, which the operator can switch between using the “activate minipwner” or “activate pineapple” commands respectively. Switching modes therefore requires an interactive shell on the device, as well as a reboot to complete the switch. This can make mode switching a bit cumbersome in the field.

By default the #r00tabaga operates in MiniPwner mode and creates a WiFi network the operator can connect to for configuration. When switched into Pineapple mode the user connects to the device via the Ethernet port, and the #r00tabaga will start cloning WiFi networks that client devices are looking for. Once clients have connected, the #r00tabaga has access to the full suite of WiFi Pineapple Infusions in addition to the standard penetration testing tools.

Since it’s based on open source projects, the #r00tabaga can be built from the ground up by a user who’s willing to spend the time working on their own TP-Link MR3040 hardware. The team at ACE Hackware even provides instructions on how to set up your own #r00tabaga from the stock OpenWRT image.

 

Conclusion

Combining the MiniPwner and WiFi Pineapple software into one device is a logical evolution of these popular open source penetration testing projects, but the somewhat awkward process of switching between them hinders the overall experience. Further development to more seamlessly merge these two projects would create a formidable penetration testing device.

The #r00tabaga is more expensive than either of the products it’s based on, though at only $150 it’s still very affordable. Enabling users and developers to build their own version of the #r00tabaga from the OpenWRT sources offsets the higher cost to a degree, but the lack of clear and concise documentation makes this process more difficult than it could be.




zANTI 2.0 on Pwnie Devices

Both the paid and community editions of the Pwn Pad and Pwn Plug currently include dSploit: an extremely comprehensive security suite that can map networks, scan for vulnerabilities, crack network passwords, and even launch sophisticated Man-In-The-Middle attacks, all from a slick and intuitive graphical user interface. Licensed as free and open source software under the GPLv3, it was a natural addition to the stock firmware on the Pwn Pad and Phone.

But if you’ve been trying to use dSploit on your Pwn device recently, you may have been in for a surprise. At the end of 2014, principal dSploit developer Simone Margaritelli announced he was officially merging his project with zANTI from Zimperium. Running dSploit now throws up a message about upgrading to the free-of-charge zANTI 2.0.

 

Upgrading to zANTI

When you try to start dSploit, it will immediately throw up a message about updating to the latest version. You can say no and continue to use the version of dSploit that came with the device (which will continue to work as normal), and even disable the update check if you don’t want to see this message anymore. If you continue to use dSploit, be aware that it will no longer receive updates. While that isn’t a problem now, there is no telling what will happen in the future. In the absolute best case, it will be behind the curve, and in the worst, it may stop working in future versions of Android.


 

But let’s assume that you’re onboard with the change from dSploit to zANTI, and you tap “Yes”. This will begin the file download which you can check by pulling down the notification panel. Once the zANTI package has downloaded, you can install it just like any other side-loaded Android application.

It’s worth mentioning that installing zANTI won’t actually remove dSploit from your device, the two applications are completely separate and can both be installed at the same time.

Note: If you are having problems with the automatic update, or would rather just jump straight to zANTI, you can download the APK directly here.

 

Starting zANTI

The first time you start zANTI, you’ll see a prompt asking if you want to give it root-level permissions. Due to the advanced nature of the tools and techniques zANTI makes use of, there’s no way to use many of its features without agreeing by tapping “Grant”.

[Screenshot: SuperUser request prompt]

You’ll then be asked if you are a Community or Registered user. You don’t need to register to use the application, so you can simply stay on the “Community” tab, check the box next to “I accept Zimperium’s EULA”, and then tap “Start Now”. On the following screen you’ll be asked if you want to register, but you can simply touch “Skip” to continue.


There are a few hints and tips that zANTI gives you, along with a couple of screenshots you need to move through, and then finally you will be asked if you are authorized to perform penetration testing on the network.


Quick Overview

The main screen in zANTI is the network map, which will begin populating with data as soon as you start the application. This shows you pertinent information about all the discovered hosts in your network, such as IP address, MAC, and open ports. Given enough time to complete its scan, zANTI will even list a best guess at the device manufacturer and operating system for each entry. A full network scan can take a while, so be patient. There’ll be a sound and a notification when it’s complete, so you won’t miss it.


Selecting any one of the entries on this main list will take you to the individual page for that device. From here you can enter some notes about the device, perform a deeper Nmap scan, and launch the available exploits and vulnerability checks against it.


Selecting one of these attack actions, in this case the Man-in-the-Middle attack, shows the wealth of options zANTI makes available to the operator. For MITM especially, there are some very impressive options, such as intercepting and replacing data in real time on its way to the targeted host.


 

cSploit

While it isn’t up to the standard zANTI has set, there is an active fork of dSploit known as cSploit that was broken off of the main project when the merge with Zimperium was announced. For those who may want to hold off on jumping on the zANTI bandwagon, cSploit is probably the best option short of continuing to use the unmaintained final version of dSploit.

 

White House Security Summit Urges Cooperation

Amid a rising tide of security threats both foreign and domestic, the White House recently convened a Summit on Cybersecurity and Consumer Protection aimed at increasing security cooperation between government and private industry. Since the widely publicized attack against Sony Pictures, issues of cybersecurity have become a hot topic for the current Administration, culminating in this meeting of the minds between government, industry, and the public. When announced in January, President Obama said the goal of the Summit was to “bring everybody together — industry, tech companies, law enforcement, consumer and privacy advocates, law professors who are specialists in the field, as well as students — to make sure that we work through these issues in a public, transparent fashion.”

While few would argue that increased cybersecurity is something the nation should have a dialog on, the Summit was not without critics. Some questioned the White House’s motives when pushing for greater transparency and exchange of information with private industry, and there was the ever-present concern over privacy and respect of civil liberties. The true impact of the Summit on Cybersecurity and Consumer Protection won’t be known for some time, but there’s no question that it has already raised some very interesting points.

 

Government Information Exchange

At the Summit, the President explained that security was not something that either party should be working on in isolation from the other: “Government cannot do this alone. But the fact is that the private sector can’t do it alone either because it’s government that often has the latest information on new threats.” To this end, the President revealed his Executive Order entitled “Promoting Private Sector Cybersecurity Information Sharing”, which laid out the ground rules for information exchange in as near to real time as possible.

The very mention of government exchanging data with private industry is a red flag for many privacy advocates, and for good reason. Collecting even cursory data about an individual’s Internet usage can divulge a treasure trove of personal information, and print an eerily accurate image of a person’s digital life.

For what it’s worth, the Executive Order does attempt to address these concerns from the start. A sentence early on in Section 1 of the Order explains that collection and transmission of the data must be done in the most secure way possible, and always done with privacy in mind:

 

“Such information sharing must be conducted in a manner that protects the privacy and civil liberties of individuals, that preserves business confidentiality, that safeguards the information being shared, and that protects the ability of the Government to detect, investigate, prevent, and respond to cyber threats to the public health and safety, national security, and economic security of the United States.”

 

But a keen eye will note the second half of the sentence, which notes that any methods used must not interfere with “the ability of the Government to detect, investigate, prevent, and respond to cyber threats”. In other words, while protecting civil liberties is important, the government still needs to be able to fully utilize the data however they see fit if it is deemed to be an issue of national security.

 

Getting the Cold Shoulder

Despite the President’s hope that the Summit would bring together all the major players in the technology world, it seemed many companies didn’t take the event quite as seriously as the White House would have liked. According to Bloomberg, Facebook CEO Mark Zuckerberg, Yahoo CEO Marissa Mayer, and Google’s Larry Page and Eric Schmidt all turned down invitations to attend, leaving a conspicuous gap in attendance at an event that was supposed to represent the tech industry as a whole.

Given the government’s track record, it should come as no surprise. Public opinion of the government in regards to civil liberties is at an all-time low, and tech companies are wary of being seen working closely with the government after the public backlash from the Edward Snowden leaks. While Google, Facebook, and Yahoo did send individuals from their respective security divisions to the Summit to take part in the discussions, the absence of their most forward-facing executives is a clear statement that the tech elite aren’t willing to publicly work together with the government unless everyone is playing by the same rules.

Rogue Device Spotlight: Wireless KeyGrabber

RISK ASSESSMENT RATING: 8

 

Popularity: 7

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

The KeyGrabber is a series of devices, all of which are designed for commercial use in addition to their use for other, maybe more questionable reasons.

 

Simplicity: 10

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

The KeyGrabber stands alone in incredible ease of use. The device is sold commercially as a way of tracking children’s online whereabouts and employee productivity, so it is designed for the most inexperienced user. With a DIY kit and multiple models, the tool is also easily accessible.

 

Impact: 7

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

The impact of a KeyGrabber is entirely a function of what is typed: while most organizations cannot be taken down by the contents of an employee’s daily email, a few stolen username/password combinations could prove disastrous to the organization.

 

Wireless KeyGrabber

Created by KeeLog, the KeyGrabber product line includes no fewer than 6 distinct types of devices designed for the express purpose of capturing, storing, and reporting intercepted keystrokes from a locally connected keyboard. Each one is intended for a slightly different deployment, from a bare PCB the user needs to solder into the keyboard to “nano” sized units that easily slip between the computer and peripheral. KeeLog even offers an open source DIY keylogger that anyone can build around an Atmel microcontroller.

KeeLog’s top of the line product is the KeyGrabber Wi-Fi Premium, an Internet-connected keylogger, which allows for device configuration and data retrieval over the local network or Internet. Once a KeyGrabber Wi-Fi Premium is properly deployed, it could be left operational on-site indefinitely.

 

Hardware Specifications

 

  • I/O: PS/2 or USB
  • Radio: 802.11 WiFi (open/WEP/WPA/WPA2)
  • Storage: 4 GB
  • OS: Closed Proprietary
  • Supported OS: OS Independent
  • Battery: Internal battery good for 7 years

 

Photos

[Photo: KeyGrabber Wi-Fi hardware keylogger]

 

Notable Features

Traditional keyloggers use a special combination of keys which must be pressed to access the device’s internal menu and dump the data out to a text file. This requires the operator to recover the device from wherever it’s been deployed, often a risky proposition. But with its network connectivity, configuring the KeyGrabber and recovering the stored keystrokes can be done without physical access to the device.

Captured data can be sent out as periodic email messages, or downloaded directly from a computer on the same network. By sending the data out as an email message the KeyGrabber doesn’t require anything more than a valid email recipient and can easily get around inbound firewalls.

In addition to network connectivity, the KeyGrabber can also be put into a USB Mass Storage mode which makes the host operating system see it as a standard 4 GB USB flash drive. The stored keystrokes, as well as the device’s configuration files, are then accessible as standard plain-text files on the drive.

 

Conclusion

Software keyloggers are harder to install and can be detected by security software on the local computer, making them difficult to use effectively. By using a hardware-based approach, the KeyGrabber is effectively invisible to the host operating system, greatly reducing the chances it will be discovered.

Not having to physically recover the device to collect the captured data on the KeyGrabber Wi-Fi Premium makes it considerably more effective than traditional local-only keylogger devices. Remote command and control even opens up the possibility of running large numbers of keyloggers on the same network, a task which would not be feasible otherwise.

On the other hand, connecting to the network makes the KeyGrabber detectable to those who know what to look for. The risk of the KeyGrabber being picked up on a WiFi scan has to be balanced against the considerable advantage network connectivity offers.
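The WiFi scan mentioned above is the common detection for every device in this series: the KeyGrabber Wi-Fi Premium joining the air, the VoCore’s default open network, and the sanctioned SSID a #r00tabaga re-broadcasts from an unfamiliar radio in Pineapple mode. The following Go program is an added illustration, not code from any of these products or from the original posts. It parses a constructed scan listing in the layout printed by `iw dev <iface> scan` (the field names and the “Privacy” capability flag are assumed to match that tool’s output) and triages each BSS against an inventory of sanctioned SSID/BSSID pairs; the inventory and every address in the sample are made up.

```go
package main

import (
	"fmt"
	"strings"
)

// Network is one BSS from an "iw dev <iface> scan" style listing.
type Network struct {
	BSSID    string
	SSID     string
	Signal   string
	Security string // "open", "WEP" or "WPA/WPA2"
}

// Finding is a scan entry that does not match the sanctioned inventory.
type Finding struct {
	Net    Network
	Reason string
}

// sampleScan is constructed to mimic iw's layout; it is not a real capture.
// It holds the sanctioned corporate AP, an open network with a bridge-style
// name, the corporate SSID on an unknown radio, and an unknown WPA network.
const sampleScan = `BSS 00:11:22:aa:bb:01(on wlan0)
	capability: ESS Privacy (0x0011)
	signal: -48.00 dBm
	SSID: CorpNet
	RSN:	 * Version: 1
BSS 00:11:22:aa:bb:02(on wlan0)
	capability: ESS (0x0001)
	signal: -61.00 dBm
	SSID: VoCore
BSS de:ad:be:ef:00:01(on wlan0)
	capability: ESS Privacy (0x0011)
	signal: -70.00 dBm
	SSID: CorpNet
	RSN:	 * Version: 1
BSS 0c:0f:fe:e0:00:02(on wlan0)
	capability: ESS Privacy (0x0011)
	signal: -55.00 dBm
	SSID: Guest-Printer
	WPA:	 * Version: 1
`

// ParseScan walks the listing: a "BSS" line opens a record and the indented
// lines after it fill the record in. Security comes from the RSN/WPA blocks
// and the Privacy capability bit (Privacy without RSN/WPA means WEP).
func ParseScan(text string) []Network {
	var nets []Network
	var cur *Network
	privacy := false
	flush := func() {
		if cur == nil {
			return
		}
		if cur.Security == "" {
			cur.Security = "open"
			if privacy {
				cur.Security = "WEP"
			}
		}
		nets = append(nets, *cur)
	}
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "BSS "):
			flush()
			id := strings.Fields(strings.TrimPrefix(line, "BSS "))[0]
			cur = &Network{BSSID: strings.SplitN(id, "(", 2)[0]}
			privacy = false
		case cur == nil:
			// text before the first BSS line is ignored
		case strings.HasPrefix(line, "SSID: "):
			cur.SSID = strings.TrimPrefix(line, "SSID: ")
		case strings.HasPrefix(line, "signal: "):
			cur.Signal = strings.TrimPrefix(line, "signal: ")
		case strings.HasPrefix(line, "capability: "):
			privacy = strings.Contains(line, "Privacy")
		case strings.HasPrefix(line, "RSN:"), strings.HasPrefix(line, "WPA:"):
			cur.Security = "WPA/WPA2"
		}
	}
	flush()
	return nets
}

// Triage checks every BSS against the inventory (SSID -> sanctioned BSSIDs).
// A sanctioned SSID on an unknown BSSID is the signature of a cloned network;
// an unknown open network is what a freshly plugged-in bridge looks like.
func Triage(nets []Network, inventory map[string]map[string]bool) []Finding {
	var out []Finding
	for _, n := range nets {
		bssids, known := inventory[n.SSID]
		switch {
		case known && bssids[n.BSSID]:
			// sanctioned SSID on a sanctioned radio: nothing to report
		case known:
			out = append(out, Finding{n, "sanctioned SSID on unknown BSSID: possible cloned network"})
		case n.Security == "open":
			out = append(out, Finding{n, "unsanctioned open network: possible transparent bridge or evil AP"})
		default:
			out = append(out, Finding{n, "unsanctioned " + n.Security + " network"})
		}
	}
	return out
}

func main() {
	inventory := map[string]map[string]bool{"CorpNet": {"00:11:22:aa:bb:01": true}} // assumed
	for _, f := range Triage(ParseScan(sampleScan), inventory) {
		fmt.Printf("%-18s %-14q %-11s %s\n", f.Net.BSSID, f.Net.SSID, f.Net.Signal, f.Reason)
	}
}
```

Signal strength is kept on each finding because it is what lets someone walk toward the offending radio. A scan only sees what is transmitting at that moment, so it has to be repeated (or run from a fixed sensor) to catch a keylogger that phones home briefly, and any unsanctioned network that persists should be located physically rather than merely logged.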

Distributed Security with Pwn Pulse: An Introduction

Since 2012, Pwnie Express has been a pioneer in the field of professional-grade penetration testing “dropboxes,” starting with the original Pwn Plug and continuing up to the latest R3 version. These devices, essentially tiny computers loaded with the latest security tools and the engineering to tie it all together, can be deployed at remote locations and report back to a security auditor from halfway across town, or the world. With the Pwn Plug, the security auditor simply needs to ship the device to the location to be audited and instruct whoever receives the package to plug it in; absolutely zero technical expertise is required on the receiving end.

The Pwn Plug allows a security auditor to monitor a remote location as if they were there themselves, greatly cutting down on cost and increasing response time. It allows one person, from a central location, to monitor multiple remote branches for changes in network topography or operation. If a new piece of hardware was added to the network, or some suspicious activity started consuming resources, it could be found and identified without having to physically visit the location.

But if there was one piece of the puzzle missing, it was a way to turn all of the raw data collected by remote Pwn Plugs into a concise, real-time, overview of the network. Managing the deployed Pwn Plugs could become a daunting task for operations utilizing them at multiple branches, and important clues could slip through the cracks.

 

Pwn Pulse

This is where Pwn Pulse comes in. Rather than thinking of the Pwn Plugs as remotely deployed computers that you manually interact with, Pwn Pulse re-envisions them as remote sensors. The data from these sensors is collected, filtered, and displayed to give the operator a snapshot of the overall network no matter where they are. Built-in analytics can identify trends in data over the entire network, or drill down to a single location. From rogue access points to an unfamiliar smartphone, network anomalies which may have otherwise gone unnoticed are immediately visible.

But Pwn Pulse isn’t limited to simply collecting data passively. It can also launch automated penetration tests and vulnerability scans from the remote sensors; so not only can the auditor see if a user has brought in their own device from home, they can instantly scan it for common vulnerabilities to determine its possible risk to the network. Scans can also be configured to run periodically, making sure the network is always operating as securely as possible.

 

Distributed Security

The value of a distributed security system such as Pwn Pulse is easy to understand in scenarios where there simply aren’t enough security professionals on staff to cover all of the remote branches in the organization. Rather than abandon the less utilized branches so manpower can be devoted to the higher priorities, Pwn Pulse allows the staff to virtually be everywhere at once.

Take as an example a bank which has multiple small locations in addition to its main headquarters. The smaller locations don’t have on-site IT staff, and outside of the occasional visit would generally be left on their own in terms of routine preventative network maintenance. These are the kind of locations attackers love to target, and for good reason.

But with Pwn Pulse the situation is completely different. A Pwnie sensor can be shipped to each location, and all they have to do at the branch is plug in the power and Ethernet. After that, the sensor will call back home to Pwn Pulse and start adding its data to the collective. Rather than being a haven for attackers who want to remain undetected, every branch is now just as well protected as the others.

Naturally, increased security is the biggest advantage of a distributed security system, but it isn’t the only one. Organizations utilizing Pwn Pulse save money by not needing to staff each location with a security professional, and save downtime by keeping the IT staff constantly apprised of network health.




Network Breaking and Entering: Ars Tests the Pwn Plug R3

Ars Technica, Feb 10, 2015, by Sean Gallagher

Imagine for a moment the following scenario: you’re the manager for a busy bank branch in a major city. You come back from lunch and are told by one of your employees that someone from corporate IT dropped by to check on a reported problem with a branch PC. You don’t remember putting in a trouble ticket with IT, but apparently the guy left after looking under a desk and re-plugging a network cable or something. It took less than five minutes. You think nothing of it and go back to approving loans.

Three days later, you get a call from the head of corporate security, wanting to know why someone at your branch has been performing wire transfers from the accounts of customers who’ve never used your branch to accounts at offshore banks. A few hours later, you’re unplugging the bank’s network equipment while he’s shouting at you over the phone about gigabytes of corporate data being pulled down from something in your bank. And when the security team and police arrive to investigate, they find a little nondescript box plugged into a network port, connected to a broadband cellular modem.

Something like this happened to banks in London last year. A man posing as an IT contractor wired networked keyboard-video-mouse (KVM) switches connected to cellular routers into PCs at two bank branches. The ring involved with the thefts was only caught because they decided to go for a third score, and their “technician” was caught in the act. The digital heists were a variation on the hacker “drop box” strategy: boldly walking into a place of business and planting a device, often hidden in plain sight, to use as a Trojan horse to gain remote access to the business’ network.

Drop boxes have another, more law-abiding use in the security business—they allow penetration testers to check the security of organizations’ networks. If you don’t know what your network’s vulnerabilities are, you can’t very well defend it. It’s why penetration testing has grown from a small but lucrative consulting field to an integral part of some companies’ internal security practices. Penetration testing appliances like those made by Pwnie Express (AKA Rapid Focus Security LLC) have made it a lot simpler for all sizes of organizations to do that sort of testing.

Massive Breach at Healthcare Provider Anthem

The top tech story over the last few days is certainly the announcement that health care provider Anthem, the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, was the target of a massive data breach. All told, personal information on over 80 million customers has been leaked to an as yet unknown attacker, making this easily one of the industry’s largest breaches.

Leaked Data

A hastily assembled website, anthemfacts.com, attempts to downplay the importance of the attack by stating in large letters at the top of the page that there is no sign credit card and medical information have been compromised. That makes for a great quote, but reading the full text of the page reveals the true enormity of the situation:

“Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”

So while their customers’ credit card numbers may be safe, attackers appear to have made off with nearly every other important piece of information about their lives. Losing this much data about this many customers is absolutely huge. While customer data breaches have become something of a monthly tradition of late, they usually involve only credit card numbers and perhaps names; after all, most of these breaches have been at retailers.

Calls for Accountability

Demands that companies be held liable for loss of data in situations like this are nothing new, and they are unlikely to go away anytime soon with so much fuel being heaped onto the fire. This breach is yet another example of the increasingly sophisticated attacks being leveled against large corporations in an effort to smuggle out personal information. Given the gravely important nature of the data these companies hold on their customers, and the tenacity of those trying to steal said data, many believe government oversight of IT security processes is a necessary evil.

While it’ll still be some time before we know if the government will directly step in on this case, we’re already seeing some individuals taking action. Bloomberg reports that a woman in California has already stepped forward with a lawsuit against Anthem, citing their failure to properly secure customer data.

Rogue Device Spotlight: MiniPwner

RISK ASSESSMENT RATING: 5.67

Popularity: 7

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

While not possessing the cachet of the Pineapple, the MiniPwner is still a “brand name device” of the InfoSec world. It is built on fairly common hardware and is easy to acquire.

Simplicity: 6

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

The MiniPwner can be either purchased or built, meaning that acquiring one is fairly simple. However, the device is not built for beginners: with little thought given to simplicity or ease of use, only intermediate to advanced operators can use the tool effectively.

Impact: 4

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

Slow and difficult to use, the MiniPwner gets its biggest boost in this category from its battery: with almost five hours of runtime and no setup required, it is considerably easier to hide than most devices in the category.

MiniPwner

Originally created in 2012 by security researcher Kevin Bong, the MiniPwner leverages the incredibly flexible OpenWRT project to turn cheap consumer wireless routers into highly capable penetration testing devices. The initial iteration of the project was little more than stock OpenWRT running on the immensely popular TPLink MR703N, but that was enough to get the ball rolling, and the project has been steadily evolving since.

The current version of the MiniPwner project is maintained by Michael Vieau and runs on the TPLink MR3040, an enhanced variation of the MR703N that features an internal battery.

Hardware Specifications

  • CPU: Atheros AR7240 @ 400 MHz
  • RAM: 32 MB
  • ROM: 4 MB
  • OS: OpenWRT
  • I/O: Ethernet, USB, Serial
  • Radios: Atheros AR9331 802.11 b/g/n
  • Storage: USB Flash Drive (16 GB included)

Notable Features

The TPLink MR3040 router that the MiniPwner is currently being developed for is especially well suited to mobile security work thanks to its integrated 2000 mAh battery, a feature uncommon even among purpose-built penetration testing devices. The battery is recharged whenever the MR3040 is connected via USB, and is estimated to last for over 5 hours during continuous wireless and wired use.

The MR3040 also features a physical switch which can be configured from within the MiniPwner web interface to run user-configured scripts known as MiniModes, not unlike the boot mode selection on the Hak5 WiFi Pineapple Mk V. While this feature holds considerable promise for covert configuration of the MiniPwner device, developer Michael Vieau cautions that it is still under development and should be used carefully.

In terms of its availability, the MiniPwner is unique in that it’s primarily a DIY project with optional sales of completed kits intended to help fund development. While users can purchase a MiniPwner directly from the developer, they can also download a current MiniPwner snapshot and apply it to their own MR3040 router with no loss in functionality or support.

Conclusion

The open source and community-driven nature of the MiniPwner project, combined with the very low cost of the hardware required, makes this a particularly appealing platform. For less than $50, an individual can have a completely self-contained mobile penetration testing device that runs the large majority of common Linux security tools.

On the other hand, the MiniPwner assumes a fairly strong working knowledge of those tools and Linux in general. There is little consideration given to automation or other user friendly enhancements in the MiniPwner software; an inexperienced operator could just as easily brick their own MiniPwner as launch an attack against a target.