Thursday, August 19, 2010

UAV Drone Sniffs WiFi in the Sky

By: Stephen Geldersma, Digital Designs LLC


WASP (Wi-Fi Aerial Surveillance Platform) is a fully functional Unmanned Aerial Vehicle (UAV) for information gathering, with penetration-testing capabilities via Wi-Fi. It is the product of two computer-security enthusiasts with some time on their hands, and the project started back in October 2009.
Equipment/Specs:
The airframe is a US Army target-practice drone acquired from an army surplus store. The UAV's avionics are controlled by a DIY Drones "ArduPilot" (based on the popular Arduino) with some custom code tweaks and enhancements.
Surveillance capabilities are provided by an onboard Via Epia Pico ITX PC with a 500 MHz Via C7 CPU and 1 GB RAM, running the BackTrack 4 suite.


Communication:
In addition to its Wi-Fi network features it also has Bluetooth, cellular, and imaging capabilities. The UAV communicates via Secure Shell over a PPP tunnel and allows multiple people to log in at once to look at Wi-Fi, 3G and the on-board camera. A 1-watt Alpha Wi-Fi card with a belly-mounted 9 dBi patch antenna pointed downward gives a 60-degree cone of coverage on the ground (400 feet of altitude gives about 1000 sq feet of coverage). Telemetry data is exchanged with a ground station (1 GHz Via Pico ITX PC with 1 GB of RAM) for real-time tracking, payload interaction, flight operations, and data download; the link runs over 900 MHz RF or EDGE/3G using the on-board internet connectivity.

Flight:
Besides manual takeoff and landing, a preprogrammed set of GPS coordinates plotted in Google Earth lets it fly a predetermined pattern while collecting data and then return to base. The UAV's course can be interrupted to make it "loiter" in a circle around an interesting target, giving the developers more time to investigate and gather information.

The UAV is said to need some minor tweaks to its center of gravity. The airframe is modeled after the Russian Cold War MiG design. "It goes very fast or falls out of the sky," said one of the developers. They are constantly performing a balancing act at the moment and are looking to get it much more stable in the near future. Hak5 interviewed the developers, Mike and Rich, at Defcon 18; they said they once took a "20-25G direct impact to the nose of the airframe while full throttle and were able to repair the airframe in about an hour - half of which was waiting for the 30-min epoxy to dry".


In the end the WASP comes to about 13 pounds and 76 inches in length, with a wingspan of 67 inches.

Flight time: 30-45 minutes | Max altitude: 22,000 feet.

Their Next Step/Future:
The developers wish to integrate a USRP with OpenBTS for GSM network cracking capabilities, depending on whether a USRP would fit or whether they move on to a larger airframe to handle the additional size and weight.

More information:
Rabbit-hole.org – build blog, pictures, spec sheet of features



Links:
(links from the guys at Rabbit-hole.org, provided to help you build your own UAV drone)
http://www.DIYDrones.com (ArduPilot and accessories)
http://www.horizonhobby.com/ (R/C parts: servos, motor, receiver & radios, etc.)
http://www.via.com.tw/en/initiatives/spearhead/pico-itx/ (payload & ground station control computers)
http://www.sparkfun.com/commerce/categories.php (Xbee radios + misc electronics) 
http://www.backtrack-linux.org/ (payload computer OS)

Disclaimer:
Understand that operation of this type of vehicle is dangerous and prone to accidents, and operation of such a vehicle might violate laws in your area. The WASP is a proof-of-concept vehicle flown under controlled conditions with the supervision of trained personnel. Please do not attempt to fly any remote-control or autonomous UAV over populated areas, as this is dangerous and could result in serious injury or property damage. We are very serious about this. Fly only in approved airspace and within line of sight. Contact your local authorities if you wish to know the laws governing the operation of these types of vehicles in your area prior to flying. This information is for informational use only; use at your own risk. - (Rabbit-hole.org)

Final Thoughts:
It's almost scary to imagine the ability to crack into GSM cellular networks from the sky. I will explain more on GSM cracking in a future blog post. However, I really like their goal of building this UAV without breaking the bank, using existing equipment as much as possible along with open-source software, and wanting people to be able to follow in their footsteps without needing a PhD in electrical or aeronautical engineering. These are two guys who definitely pooled their talents, driven by their common interest in computer security.



-Stephen Geldersma, Digital Designs LLC


Sources: 
Rabbit-hole.org
Hak5.org


Last Updated: 08/19/2010 20:15 ET

*Posting is provided "AS IS" with no warranties, and confers no rights.*

Wednesday, August 18, 2010

10 Points to Define When Working with Consultants


Here are some important points to define when working with consultants. I came across this post on TechRepublic's blog by Calvin Sun, "10 ways to keep your sanity when working with consultants": "Any time your organization brings in outside IT help, there's an opportunity for misunderstandings, inefficiencies, and conflicts. These steps will help preempt problems."

1: Define all acronyms

Even though both you and the consultants are IT professionals, acronyms still can cause confusion. For example, when they say ATM, do they mean asynchronous transfer mode or Adobe Type Manager? Some of your co-workers might even be thinking automatic teller machine. Sure, the context could make the acronym clear. But why take the chance? Define the acronyms the first time you use them so that everyone is clear.

2: Insist on being kept informed

Mushrooms are grown by being kept in the dark, while regularly being covered with manure. Don't let that happen to you. Make sure the consultants keep you informed of progress and, more importantly, of any problems. If you are wary of status meetings as a waste of time, at least ask for email or text updates regularly.

3: Make sure they document their work

I hope you don’t wish your consultants would step in front of a bus. However, if something does happen, you need to be able to continue their work. Have they left clear instructions about how the system operates and updates about the status of the project? Losing a consultant is enough of a change. Having to search for documentation is a duty you don’t want to have.

4: Have measurable milestones

How often does it happen that within the first three weeks of a project, coding becomes “90% complete,” only to remain that way for the next six months? The problem with milestones such as “coding completed” lies in the difficulty of defining such a term. Instead, consider milestones that can be defined and agreed upon, such as “coding specifications signed off by [person x].”

5: Ask to be notified before extended absences

Consultants often have multiple clients and multiple engagements. However, as a paying client, you have a right to know when they are absent from your location. The fact that they have documented their work and that it can continue in their absence is irrelevant here. Make sure the consultants keep you informed about when they will be out.

6: Be clear about leadership

If you were dealing with criminals hiding in a building, the police department would be in charge. If you were dealing with a fire in a building, the fire department would be in charge. Who’s in charge, though, when those criminals set the building on fire? That same issue can arise with respect to your management and the management of consultants.
Be clear about who is or will be in charge of the project for which you have brought in the consultants. This issue might be more complex than you think. Are you merely bringing in one or two developers to augment an existing in-house programming effort? Or are you bringing in an entire team of consultants, with their own “project manager”? In that latter case, make sure your manager and the consultant manager are clear about responsibility and authority. Does one report to the other? Will you have a committee? Will you decide by consensus? Whatever you decide, make sure everyone knows.

7: Be clear about expenses

You probably don’t want your consultants staying at the Ritz-Carlton. But neither should they be required to stay at your local fleabag. If you’re going to compensate consultants for actual and reasonable expenses, consider setting daily limits for hotels, meals, and other expenses. Alternatively, consider establishing a per diem allowance and leave it up to the consultants to deal with their own arrangement within that allowance. The worst alternative is to reimburse with no allowances and no limits.

8: Ensure a turnover plan

You don’t want the consultants in your office forever. Yes, they developed your system. Yes, when they operate it and maintain it, you and your staff are free for other things. However, their consultant clock continues to run while they’re onsite. Therefore, once their project or system is complete, get them to educate you and your staff on how things work so that you can take over. Have them document the tasks involved and how training will occur. Having such a turnover plan makes you and your staff self-sufficient and stops the consultant clock.

9: Employ hands-on learning

When the consultant starts training, make sure that you and your staff are doing the driving. That is, don’t just sit and watch as the consultants run the controls and screens of the system. Instead, insist on getting hands-on experience while the consultants point out various aspects of the system. Remember that old proverb, “I see and I forget; I hear and I remember; I do and I know.”

10: Give positive as well as negative feedback to consultant boss(es)

If you have issues with the consultants, tell them. Keeping quiet will only make things worse. If you can’t resolve the issue, escalate it to their boss or bosses. At the same time, though, recognize their good work. When you do, you build good will, and make those consultants more willing to extend themselves for you in the future.

Original Post By: Calvin Sun | TechRepublic | http://www.calvinsun.com

Tuesday, August 10, 2010

Microsoft Patch Tuesday - August 2010

Microsoft is releasing 14 bulletins addressing a total of 34 vulnerabilities. Microsoft has broken its record for the number of bulletins released in one month and tied the largest number of vulnerabilities addressed since the start of the Patch Tuesday program. Fourteen of the issues are marked as critical and affect Windows, SMB Server, Internet Explorer, Word, and Silverlight. The SMB vulnerability can be exploited remotely without any authentication. The remaining vulnerabilities are marked as important or moderate and affect SMB Server, Windows, Word, and Excel.

Security Best Practices Tips:

• Install vendor patches as soon as they become available, after proper testing in a test environment and before applying them to production.
• Run all applications at the user level (least privilege) and use the administrator account, or another privileged user, only as needed to maintain the machine (e.g. when admin privileges are needed to install an application, a user can use the RunAs function to switch to Administrator privileges while logged in as a lower-privileged user).
• Users should avoid downloading files from unknown or questionable sources, whether an email attachment from an unknown sender, a download from a questionable website, or flash-drive media whose integrity (such as the drive's origin) is in question.
• Block external access to systems at the network perimeter until it is specifically required.

Microsoft’s summary of the August releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx

Critical Vulnerabilities Summary
1. MS10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
CVE-2010-2550 (BID 42224) Microsoft Windows SMB Pool Overflow Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)
A remote code-execution vulnerability affects the Microsoft Server Message Block (SMB) protocol when handling certain SMB packets. An attacker can exploit this issue by sending a malformed request to an SMB server. A successful exploit will result in the execution of arbitrary attacker-supplied code with system-level privileges. This may facilitate a complete compromise of an affected computer.

2. MS10-053 Cumulative Security Update for Internet Explorer (2183461)
CVE-2010-2556 (BID 42257) Microsoft Internet Explorer Uninitialized Memory CVE-2010-2556 Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Internet Explorer because of the way it accesses an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
CVE-2010-2557 (BID 42288) Microsoft Internet Explorer Uninitialized Memory CVE-2010-2557 Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Internet Explorer because of the way it accesses an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
CVE-2010-2558 (BID 42289) Microsoft Internet Explorer Race Condition CVE-2010-2558 Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Internet Explorer because of the way it accesses an object that may have been corrupted due to a race condition. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
CVE-2010-2559 (BID 42290) Microsoft Internet Explorer Uninitialized Memory CVE-2010-2559 Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Internet Explorer because of the way it accesses an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
CVE-2010-2560 (BID 42292) Microsoft Internet Explorer HTML Layout Uninitialized Memory Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Internet Explorer because of the way it accesses an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

3. MS10-055 Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
CVE-2010-2553 (BID 42256) Microsoft Windows Cinepak Codec Media Decompression Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects the Cinepak codec when handling a malformed media file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted file with a vulnerable application. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

4. MS10-049 Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)
CVE-2010-2566 (BID 42246) Microsoft Windows SChannel Certificate Request Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects SChannel because it improperly validates certificate request messages sent by a server. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious Web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

5. MS10-051 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)
CVE-2010-2561 (BID 42300) Microsoft XML Core Service Msxml2.XMLHTTP.3.0 Response Handling Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects the Microsoft XML Core Services when handling malformed HTTP responses. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

6. MS10-052 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
CVE-2010-1882 (BID 42298) Microsoft MPEG Layer-3 Audio Decoder Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects the Microsoft DirectShow MP3 filter when handling malformed files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file, or viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

7. MS10-060 Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
CVE-2010-0019 (BID 42138) Microsoft Silverlight ActiveX Control Pointer Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Microsoft Silverlight because of the way it handles pointers. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious Silverlight content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
CVE-2010-1898 (BID 42295) Microsoft Silverlight & .NET Framework CLR Virtual Method Delegate Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.5/10)
A remote code-execution vulnerability affects Microsoft .NET Framework because of the way the .NET Common Language Runtime (CLR) handles delegates to virtual methods. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious Silverlight content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

8. MS10-056 Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
CVE-2010-1901 (BID 42132) Microsoft Word Record RTF Parsing Engine Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Word when parsing rich text data. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious RTF file or email. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
CVE-2010-1902 (BID 42133) Microsoft Word Record RTF Parsing Engine Remote Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)
A remote code-execution vulnerability affects Word because it does not perform sufficient validation when handling rich text data. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious RTF file or email. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

-Stephen Geldersma, Digital Designs LLC

Sources:
Symantec
