VoIPong - Voice over IP (VoIP) Sniffer and Call Detector

Posted in VoIP Security by Dragan Pleskonjic @ Aug 31, 2005

There is an interesting article about a Voice over IP (VoIP) sniffer and call detector at: http://www.enderunix.org/voipong/
It is stated there that VoIPong is a utility which detects all Voice over IP calls on a pipeline and, for those which are G.711 encoded, dumps the actual conversation to separate wave files. It supports SIP, H323, Cisco’s Skinny Client Protocol, RTP and RTCP.
Quote from the site:

It’s been written in C language for performance reasons, proved to be running on Solaris, Linux and FreeBSD; though it’s thought to compile and run on other platforms as well.

On a 45 Mbit/sec actual network traffic, it’s been verified that VoIPong successfully detected all VoIP gateways and the VoIP calls. CPU utilization during the run has been found ranging between 66% - 80% on a 256 MB RAM, Celeron 1700 MHz Toshiba notebook.

Features

Produces real .Wav files for direct audio hearing.
Simple, optimized, extendable fast code
The algorithm doesn’t depend on signalling but on RTP/RTCP
Detailed logging. (Comfortable for ‘cut’ and ‘cat’ operations to produce statistics.)
Powerful management console interface
Easy installation and administration
Easy debugging.

Note: Thanks to Robert B. who pointed me to this tool.
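As an added example (not VoIPong’s own code), the kind of signalling-independent RTP detection the feature list describes: parse RFC 3550 headers out of UDP payloads, group them by SSRC, keep the groups whose sequence numbers advance by one with a constant payload type, and flag G.711 by its static payload types 0 and 8 (RFC 3551). The packet builder and the sample capture are constructed for the demo.

```python
import struct
from collections import defaultdict

G711 = {0: "PCMU", 8: "PCMA"}   # static RTP payload types for G.711 u-law / A-law (RFC 3551)

def parse_rtp(pkt):
    """Return header fields for an RFC 3550 RTP packet, or None if it does not parse as RTP."""
    if len(pkt) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:                       # RTP version must be 2
        return None
    hdr = 12 + 4 * (b0 & 0x0F)             # fixed header plus CSRC list
    if b0 & 0x10:                          # header extension present
        if len(pkt) < hdr + 4:
            return None
        hdr += 4 + 4 * struct.unpack("!H", pkt[hdr + 2:hdr + 4])[0]
    if len(pkt) < hdr:
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc, "payload": pkt[hdr:]}

def detect_streams(packets, min_packets=3):
    """Group UDP payloads by SSRC and keep those whose sequence numbers advance by
    one (mod 2^16) with a constant payload type; no SIP/H.323/Skinny needed."""
    by_ssrc = defaultdict(list)
    for pkt in packets:
        h = parse_rtp(pkt)
        if h:
            by_ssrc[h["ssrc"]].append(h)
    streams = {}
    for ssrc, hs in by_ssrc.items():
        seqs = [h["seq"] for h in hs]
        pts = {h["pt"] for h in hs}
        consecutive = all((b - a) & 0xFFFF == 1 for a, b in zip(seqs, seqs[1:]))
        if len(hs) >= min_packets and len(pts) == 1 and consecutive:
            pt = pts.pop()
            streams[ssrc] = {"pt": pt, "codec": G711.get(pt, "other"), "packets": len(hs)}
    return streams

def make_rtp(pt, seq, ts, ssrc, payload):
    """Build a minimal RTP packet (V=2, no padding/extension/CSRC); constructed sample data."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload

# Constructed capture: five 20 ms PCMU frames from one SSRC, plus a DNS query header
# that must be rejected because its first two bits are not RTP version 2.
SAMPLE = [make_rtp(0, 1000 + i, 160 * i, 0xDEADBEEF, b"\xff" * 160) for i in range(5)]
SAMPLE.append(bytes.fromhex("123401000001000000000000"))
```

Running detect_streams(SAMPLE) reports one PCMU stream of five packets for SSRC 0xDEADBEEF; on a real capture the payload of such a stream is what a tool like VoIPong writes out as audio, which is also why this traffic needs SRTP or a segregated voice VLAN rather than trust in the signalling path.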


MD5 Online Cracking?

Posted in Cryptography by Dragan Pleskonjic @ Aug 31, 2005

An interesting web site for MD5 online cracking using rainbow tables can be found at http://passcracking.com/. The authors say:

This project is dedicated to cracking md5 hashes online through a web interface. At the moment we can crack md5 hashes in this character range: a-z;0-9 [8] which means we can break almost all hashes (99.56%) which are created from lowercase plaintext with letters and/or digits up to length of 8 characters…

… This project is using RainbowCrack technology, which is based on Philippe Oechslin’s faster time-memory trade-off technique to crack the md5 hashes. We use 80 Rainbow tables each 610 Mb of size. So total size of the tables reach 47.6 Gb. Average time for checking one hash is ~40 minutes, but the speed increases as the count of hashes is getting higher. So generally the speed of cracking is ~150 hashes / 24 hours.

Also, visit http://www.antsight.com/zsl/rainbowcrack/ to find more interesting ideas.
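To show what the quoted figures mean, here is an added toy rainbow table (not passcracking.com’s or RainbowCrack’s code) over the a-z;0-9 charset at length 3: chains are precomputed once, only their endpoints are stored, and a lookup of an unsalted MD5 hash walks back to the plaintext, while the same plaintext hashed with a per-user salt is outside the table. That is the whole reason unsalted MD5 password storage falls to precomputed tables and salted storage does not. Start points and the chain length are arbitrary choices for the demo.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase + string.digits   # the a-z;0-9 charset quoted above
LENGTH = 3                                          # toy length; the site covers up to 8
SPACE = len(ALPHABET) ** LENGTH                     # 46,656 candidate plaintexts
CHAIN_LEN = 20                                      # plaintexts covered per stored chain

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def reduce_to_key(digest, column):
    # Map a digest back into the keyspace. Mixing in the column index is what makes
    # this a rainbow table: chains that collide in different columns do not merge.
    n = (int(digest[:16], 16) + column) % SPACE
    chars = []
    for _ in range(LENGTH):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)

def build_table(n_chains):
    # Precompute n_chains chains but keep only endpoint -> start (the memory side
    # of the trade-off). Start points are derived deterministically for the demo.
    table = {}
    for i in range(n_chains):
        start = reduce_to_key(md5hex(f"start-{i}"), 0)
        p = start
        for column in range(CHAIN_LEN):
            p = reduce_to_key(md5hex(p), column)
        table[p] = start
    return table

def lookup(table, target):
    # Assume the target hash sits in column k, regenerate to the chain endpoint and,
    # on a hit, replay the chain from its start until the hash matches. A stored
    # endpoint reached from a different chain is a false alarm and is skipped.
    for k in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_to_key(target, k)
        for column in range(k + 1, CHAIN_LEN):
            p = reduce_to_key(md5hex(p), column)
        if p in table:
            q = table[p]
            for column in range(CHAIN_LEN):
                if md5hex(q) == target:
                    return q
                q = reduce_to_key(md5hex(q), column)
    return None
```

With table = build_table(2000), a plaintext covered by some chain is recovered from its bare MD5 by lookup(table, md5hex(plaintext)), while lookup(table, md5hex(salt + plaintext)) returns None: the 80 tables of 610 MB quoted above are the same trade-off scaled up, and a salt forces an attacker to rebuild them per user.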


WiFi Cracks

Posted in Wireless Security by Dragan Pleskonjic @ Aug 30, 2005

The theory behind FMS-type attacks is described in the classic article that started the world of WEP cracking: “Weaknesses in the Key Scheduling Algorithm of RC4” by Scott Fluhrer, Itsik Mantin, and Adi Shamir, which is available via Web search. Utilities that break WEP encryption by taking advantage of weak IVs are called “FMS utilities”. For a quick hop, see www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf.

Airsnort is available from The Shmoo Group (airsnort.shmoo.com/). AirCrack (www.cr0.net:8040/code/network/) is the latest and greatest WEP cracking package. Weplab (weplab.sourceforge.net/) combines brute force, dictionary attacks, and statistical methods to find the WEP key. These products support the new KoreK methodology, which can be seen in the program chopper (www.netstumbler.org/showthread.php?t=11878&page=2; you must register to get the download). A packet-by-packet decryption technique has also been created and implemented in the program chopchop (www.netstumbler.org/showthread.php?t=12489; you must register to get the download).

WEPwedgie (sourceforge.net/projects/wepwedgie/) allows traffic generation on an encrypted wireless network through either the Internet or a wireless client.

WPA crackers will gain popularity and influence as WPA grabs more of the market but for now, here are some tools: WPA Cracker (www.tinypeap.com/html/wpa_cracker.html), and coWPAtty (new.remote-exploit.org/index.php/Codes_main).

LEAP crackers: leap (packetstormsecurity.nl/0310-exploits/leap.tgz), anwrap (www.securiteam.com/tools/6O00P2060I.html), THC-LEAPcracker (www.thc.org/download.php?t=r&f=thc-leapcracker-0.1.tar.gz), and asleap (asleap.sourceforge.net).

To create a dictionary for dictionary attacks, John the Ripper is state of the art (www.openwall.com/john/).

For further reading on wireless insecurities, check out Wi-Foo (www.wi-foo.com). A book that was just released is Network Security Tools by Nitesh Dhanjani and Justin Clarke; the later chapters provide some useful technical information on WiFi hacking.

For anyone seriously interested in this topic, the best resource is the hands-on SANS course on Auditing Wireless Networks (www.sans.org) written, and occasionally taught, by Joshua Wright. Attendees have the opportunity to work with many of the tools and techniques mentioned here.

More technical details on this topic can be found in the magazine Communications of the ACM, Volume 48, Number 8 (2005), Pages 21-28 (www.acm.org).


Winamp is Trying to Monitor Your System

Posted in Security by Dragan Pleskonjic @ Aug 30, 2005

After installing Winamp on a computer with ZoneAlarm firewall software, the following message popped up:
“Winamp is trying to monitor your mouse movements and keyboard strokes”.

[Screenshot: ZoneAlarm alert “Winamp is trying to monitor your system”]

I wondered why I got this message and why “Winamp is trying to monitor your system to observe what events are occurring”. When I pressed the SmartDefense Advisor button “More Info”, it took me to the ZoneLabs Web site and the following message appeared:

Winamp is trying to monitor your system to observe what events are occurring.
The current security setting for Winamp does not permit this action, or else ZoneAlarm Pro is asking you whether you wish to allow this behavior or not. Your computer is safe.

What should I do?
If Winamp needs to monitor your system to observe what events are occurring and you trust this program, then give it permission. If you do not trust this program or the program does not need to monitor your system then deny it. If you are unsure, you can always deny access and run the program again, if it is required.

Why?
Winamp is potentially malicious. It may be attempting to monitor your system to observe what events are occurring to retrieve information about you or your system.

Also, I can remember that MSN Messenger asked for the same, and I have found some posts on the Internet that say Yahoo Messenger and some others have the same behavior. There is an explanation from someone that Yahoo Messenger is trying to monitor your mouse and keyboard usage in order to know when to set you as “Away” or “Available”. Yahoo Messenger polls the keyboard to see if it’s active in order to change your status.

But I wonder if Winamp, which basically isn’t IM-type software, needs this type of status. Do you believe that these applications just check your keyboard and mouse in order to set status, or are they trying to spy on your actions? I am not sure.


Visa Seeks New Ways to Keep Data Secret

Posted in Security by Dragan Pleskonjic @ Aug 29, 2005

The NYTimes published an interesting article on security at Visa in light of the CardSystems fiasco that happened two months ago. In that incident the personal information of over 40 million people was hacked. The hack occurred at CardSystems Solutions, a company that processes credit card transactions.

Visa, like the other major credit card companies, has managed to reduce financial losses stemming from fraud, but it continues to struggle with preventing the theft of card data in the first place. Indeed, policing the payment chain is a herculean task, because virtually every step is outsourced from the time a card is swiped to the time the monthly statement arrives.

Read more at: http://www.nytimes.com/2005/08/25/business/25visa.html


RSA Cryptographic Challenges

Posted in Cryptography, Security by Dragan Pleskonjic @ Aug 29, 2005

As you are reading this blog, I guess you are interested in security and cryptography. Also, you are an open-minded person. Do you like challenges that can help you earn money? If you do, this is a good place to visit - RSA Laboratories: http://www.rsasecurity.com/rsalabs/node.asp?id=2091. RSA is currently holding three cryptographic challenges.
Also visit http://mathworld.wolfram.com/news/2005-05-10/rsa-200/ to see how RSA-200 was factored by the German Federal Agency for Information Technology Security (BSI).

Have fun.


Multilingual MSN Messenger Worm Spreads

Posted in Security by Administrator @ Aug 28, 2005

Users of Microsoft’s MSN Messenger should be aware of a new “smart” worm that checks the configuration of their Windows client and sends a message in the appropriate language, according to security companies Akonix Systems and Symantec. The message in English is: “haha i found your picture!”
If a user clicks on a link included with the message, a copy of the W32.Spyboot worm is automatically downloaded to their computer. Spyboot is a backdoor program that can, among other things, close security applications and help further spread the worm.
Read http://news.yahoo.com/s/pcworld/122308 for more details.


Hackers Attack Via Chinese Web Sites

Posted in Security by Administrator @ Aug 28, 2005

Washington Post (08/25/05) P. A1; Graham, Bradley; Eggen, Dan

Hackers have been focusing attacks on hundreds of unclassified U.S. government systems through Chinese Web sites for several years, reported anonymous government officials. Analysts are split on whether these intrusions are the work of a coordinated Chinese government initiative to breach U.S. networks and monitor government databanks, or other hackers using Chinese networks to mask the attacks’ point of origin. “This is an ongoing, organized attempt to siphon off information from our unclassified systems,” said one official, who noted that State, Energy, Defense, and Homeland Security Department networks are among those targeted. With roughly 5 million computers spread across the globe, the Pentagon has more computers than any other agency, making its network the most vulnerable target to both foreign and domestic hackers, the officials said. The Pentagon estimates that China is the No. 1 source of Defense Department hacks, though Lt. Col. Mike VanPutte of the U.S. Strategic Command’s Joint Task Force for Global Network Operations said this only proves that China is the probes’ “last hop” before they strike their targets. One anonymous government official downplayed the severity of the attacks, while another said an FBI investigation has yet to yield any definitive proof of who is orchestrating the intrusions. U.S. concerns about Chinese military initiatives in general are fueling worries about China-based cyberattacks, and the spate of attacks on unclassified systems has added urgency to the Pentagon’s effort to acquire new detection software programs and better train computer security specialists, according to several officials.


Copyright Program to Require Explorer

Posted in General by Administrator @ Aug 28, 2005

Washington Post (08/25/05) P. D5; Krim, Jonathan

Starting Oct. 24, artists can go online to pre-register certain works for copyright protection with the U.S. Copyright Office, but are required to use Microsoft’s Internet Explorer browser. Technologists and other experts object to this requirement, claiming it gives preference to one browser and thus restricts the open use of the World Wide Web. “It’s a replay of the bad old days when you built a Web site according to the behavior of an individual browser,” says World Wide Web Consortium policy official Daniel Weitzner. World Wide Web creator and W3C director Timothy Berners-Lee points to the growing importance of standards as people employ a widening variety of handheld devices to go online, while Ari Schwartz with the Center for Democracy and Technology recommends the government guarantee that the most number of tools and devices can be used by implementing more rigorous scrutiny of technology contracts. Berners-Lee says the firm hired to manage the copyright registration system and database, Siebel Systems, could easily create a tool to ensure that other browsers are compatible, but Siebel’s Stacy Schneider claims her company cannot guarantee such interoperability. She says Siebel follows W3C guidelines, but does not certify that its products are compliant with all W3C standards; rather, Siebel tests its products with the individual browsers its customers most frequently use. Copyright Office COO Julia Huff says the Oct. 24 deadline does not give Siebel enough time to modify its system to support other browsers. Copyright Office officials say Internet Explorer was selected because it is the dominant browser and presents the least potential problems for registrants.


Security blog

Posted in General, Security by Administrator @ Aug 28, 2005

This blog started on August 28, 2005.

Dragan Pleskonjic
