First I’d like to address some of the points I made in my last post:

• I can now control my AR.Parrot drone with my Xoom (ad-hoc wifi access points work now, with a small tweak) though now I think that my drone has some physical damage to it, it doesn’t take off correctly. Must fix.
• I’m able to get interesting widgets and buttons using minimalistic text and widgetsoid
• the cifs client works like a champ, and I can stream everything I’d like, though the best player i’ve found (rockplayer) doesnt support mkv or certain types of divx.
• There are ad-block apps, but I cant tell if they’re working or not.
• Skype lags, still no video. Them being bought by MS is also likely not going to help things.

Now the TODO list:

• I have both ubuntu and backtrack5 running on this thing in chroots. While I now have access to tools like nmap, skipfish and other command line tools, some of the interesting ones (ettercap, aircrack) do not yet function due to lack of the proper kernel modules. I’ve contributed to the Tiamat kernel thread on the XDA forums asking if adding that kind of functionality was feasible.

Verdict:

Everywhere I go, I get asked “is that the new ipad?” and I answer “no, its better”. People look confused. I used to get into debates about it, but now I just dont care. I’ve accepted the fact that the vast majority of people prefer a snappy UI and pretty pictures over functionality and an open attitude. I’ve recently figured out how to get my eye-fi to work with the thing, and I’ve been out a few times while taking pictures and having them zip from my leica directly over the xoom (this is a REALLY cool party trick – I intend on utilizing this somehow combined with a projector at this years ninjapenguin party.).

This platform does everything I need that doesn’t require massive horsepower including simple security tasks – like portscanning and browsing open fileshares, nmapping, and running metasploit. I can watch movies on it, get directions (chrome to phone is awesome on this thing), watch full-screened high-res episodes of southpark from southparkstudios.com and other flash sites (since it supports flash) browse full HTML5 and flash websites, and even set it up like a mini entertainment set – with the jawbone jambox speakers setup as bluetooth speakers.

It’s overclocked from 1ghz to 1.6 ghz with little to no impact on the battery. The modified kernel allows me to have external SD storage enabled and PTP and USB OTG modes so that I can plug in external devices and storage (though I have not yet tried a mouse or keyboard, usb sticks and my leica d-lux 4 work like a champ – for some reason the d3s isn’t properly recognized, so I’ve opened a ticket with google). I hope to use it in a photography sense as well (in Vegas this year, if I’m lucky) with the square reader and squareup app – which lets me accept credit cards as an individual. I can torrent from the thing, as well as use it as a backup phone by way of a skype-in number and a bluetooth headset. The list just goes on and on!

I’ve been tapped to use it as a support tool – once at drinkup a friend had a need to use a variety of basic linux tools such as traceroute, ping and telnet – I was able to hand him my xoom in an ubuntu chroot and tell him ‘go to town’. I can use it to remote control any of my computers as well, even remotely ‘hamachi style’ using a tool called neorouter.

I intend for this to be my “computer” while I’m at Defcon/Blackhat this year. I can easily offload all my photos to it, and it does everything I need while I’m on the go. Someday I hope to actually give a talk from this thing, completely without a laptop.

tl;dr: If you just want a toy, buy an ipad. If you want a tool? Buy the xoom.

Wishlist:

• I still want a site survey tool. Especially overclocked past %50. this thing screams.
• Having the jambox speakers helps when I want other people to hear stuff, otherwise I want a case that has little ‘ears’ to funnel the speakers forward.
• Having backtrack5 on this thing is badass, but some of the more impressive stuff is unavailable – I cant send arp traffic and I cant put the wifi interface into monitor mode or inject traffic. I’ve asked about it on the xda thread.
• I really wish someone would port VLC over to android. This hardware has so much still untapped potential – I want to be able to watch a 720p mkv. Standard dvd rips work fine, highres stuff chokes – because the players don’t leverage the GPU
• I want to find out why the hell it doesn’t work with my Nikon D3s. It sees the camera, but never sees any photos. wtf?

Before we begin, however, I want to re-emphasize that it is VERY EASY to protect yourself against this sort of attack. Facebook supports HTTPS, so when you browse facebook (or twitter for that matter) or if you have it bookmarked – please make sure you’re using HTTPS:// rather than HTTP:// in the URL at the very least, if not using a VPN solution for further encryption. Also, if the ‘victim’ logs out of facebook, the attackers session becomes invalid – so it’s a good practice to actually log out of facebook and log back in again rather than using the ‘remember me’ checkbox.

Facebook like many sites operates using authentication cookies. Their auth cookies contain a variety of information, but for our purposes this is irrelevant. Here is a sanitized cookie for reference:

Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc; lsd=Xesut; lxe=greg.evans%40****************; c_user=100001230367821; lo=wl9fcGXMhPfoT4bAhKFP3Q; lxs=1; sct=1276721745; xs=a615cfe596448194d6e2a8d062a90e4e

You can see the ‘lxe’ field is the login. We haven’t done any further research into what the various other fields mean, but using facebook without any kind of security you’re both leaking the email address used for your login and the session cookie.

First thing you’ll want to do is fire up your favorite packet capture application. For this example we’ve used Wireshark:

Next, set the filter in the top left to ” http.cookie contains “datr” “. This should show you only packets captured which contain the cookie we’re looking for. You can see that in this screenshot we’ve already captured a cookie.

Once you’ve found a suitable cookie, you can copy it into the buffer by right clicking on the cookie line, and clicking Copy -> Bytes (Printable Text Only)

Next you’ll want to open up firefox. You’ll need both greasemonkey and the cookieinjector script.

Simply browse to facebook – make sure you are not logged in:

Hit ALT-C to bring up the cookie injector dialog box:

Then paste in the cookie!

Hit refresh and – VIOLA! you’re now logged in as your victim! Now this doesn’t give you access to their credentials, this is about the equivalent to walking up to their workstation while they’re away from their desk and using facebook.

Neat huh? Pretty easy too. I smiled big when we demo’ed the attack in our lab – its old, sure, but being successful is always a good feeling!

P.S: This isnt REALLY Gregory Evans account. We setup this account because .. well.. the name was available! We thought it was in good taste as the No #1 hacker’s twitter feed got hacked the other day, his site is riddled with XSS exploits, and his book is copypasta from a variety of certification exam prep books. Thanks to Nick and mckt for the work and tootilage, respectively. No noobs were harmed in the making of this film.

I know I do. Up until now I’ve been using SSH tunnels to get my traffic back home where I know nobody is running a packetsniffer. The trouble with SSH tunnels though is that they’re fickle, and often drop. I wanted a better solution – so I made one.

www.atenlabs.com/zipline

Right now its pretty much just a VPN. My goals are pretty straight forward

• Obtain subscribers, and offer excellent service
• Grow the product, then upgrade the hardware and bandwidth
• Value-Adds, like in-line antivirus, antispam, malware etc – make the product SAFER
• Bolt on business-class solutions like traffic shaping, packet prioritization and SLA guarantees.

My inital product pricing will be something like this:

• $15/mo or $150 a year for the base package (You save 2 months worth by buying a year in advance)
• $25/mo or $250 a year for higher packet priority
• Business class services – still working this one out.

I’m totally open to collaboration. I built this for myself, and my friends – so that we could feel secure using sites, and applications that were built insecurely on public wireless networks without fear of someone capturing our credentials, or snooping in on our traffic (e.g. airpwn, ettercap, goatseAP and the others)

Ideas? Comments? Hatemail? Drop me a note!

I’ve been very vocal in the last year about what I do – to the point it manifests itself as talks I give during BarCamp (LA and San Diego), and Refresh San Diego which is held at Qualcomm. Here is my most recent talk

I’ve decided that it’s in everyone’s best interests to at least have a dialog about security. That being said I’m now offering free consultations! To my amazement I’ve even had a few people turn down FREE HOURS from me. For the first time in quite a while I was literally without words.

I thought it best at that point to illustrate exactly what I mean by security.

• This is a screenshot of the last ten days of SQL injection exploits posted to milw0rm.com. This is *ONLY* SQL injections, not any other vulnerabilities (for everyone that thinks using magic_quotes_gpc is safe, think again (and again and again)
• Securityfocus, which is a major vendor for security information has its own section JUST for Microsoft Vista.
• ONE command line will give you a command shell on a vulnerable windows machine. That leads to installing malware, stealing passwords, reading emails – the whole nine yards – just like theyre sitting AT your computer, or on your server.
• Using WEP for wireless security is a joke. If you don’t use WPA you may as well not bother encrypting. That also leads to people sniffing your information out of the air – passwords, credentials, AIM/Yahoo conversations – everything.
• The web2.0 community is just making things worse by being willfully ignorant

The point I’m trying to get across is that security isn’t just installing a virus scanner and an adware scanner and making sure your system is free of viruses. Code is developed every day that exposes crucial information to the world, which is then indexed by google. Security isn’t just about viruses, its about making your private information stay private – in all cases. Error messages that leak information such as filenames, database names, database tables, usernames etc just help attackers gain further entry into systems.

I do more than just security work – I’m a full-fledged Systems Architect with over ten years of experience in the field. Once you build a large scale enterprise environment, it has to be secured, right?
Every once in a while during conversations at meetups I tell people that I’m a Security Researcher and a Systems Architect and they end up asking me later “so what do you actually DO?”. So heres a short list:

• Information Tecnhnology(IT) and Information Security(InfoSec) consulting: working directly with sales, marketing and PR departments to coach bloggers, twitter users and writers on what terminology to use, what new technology is out there, what is safe, what isn’t safe, figures and reports on the latest attacks, bot nets, viruses and other threats influencing the world
• MSSQL and MySQL database administration, design, tuning, and security
• Designing networks: switches, routers, firewalls, intrusion detection, backups, redundancy
• Workflow Management: Setting up HRIS systems, ticketing systems, automating things like installations, software deployments, antivirus and other workstation maintenance procedures, creating a documentation repository using mediawiki
• Emerging Technologies: Staying abreast of all new versions of software and hardware available, defining when and what to upgrade, planning upgrades, defining when and how to scale, choosing the right hardware and software for the job, identifying when to decommission old equipment or software and how execute it
• Security: Staying abreast of all current and anticipated versions of software frameworks, firmwares, networking and phone equipment, defining what software and appliances need to be secured and or upgraded, defining what network resources get deployed where in the clients landscape and subequently documenting everything along the way

There is no environment alien to me, no operating system I do not have experience with, no development/scripting language I have no experience with and there is no limit to what can be done with the proper resources.

The Rates for hours at AtenLabs are fiercely competitive and in our wake we leave nothing but courage, confidence, and smiling clients.

If you’re even thinking about contacting us for us for a free consultation – stop thinking and contact us.