This was the first AHA! technical meeting. It was graciously hosted by BreakingPoint Systems in their conference room and had 14 attendees. The meeting lasted about 3 hours and the format of the meeting was that "everyone" that attended had to speak on some topic for anywhere from 2 to 15 minutes.
H D Moore
Hacking with the Nokia 770
The Nokia 770 is a hand-held Linux device that is designed for quick and convenient internet browsing.
The device supports 802.11b, 802.11g, and Bluetooth. My talk described how the resource limits of
the Nokia 770 preclude it from becoming a true mobile penetration testing platform. Based on the
rumor that Immunity's SILICA device is based on the 770, I made some predictions about performance
problems, stability, and effectiveness of the SILICA platform in the real world. I concluded the
talk with an outline of my own plans for the Nokia device:
1) Develop an interface that has 4 large buttons and a console log
2) The first mode puts the WiFi card into monitor mode and captures data
3) The second mode enters hostap mode and performs client-side attacks/password theft
4) The third mode joins each WiFi network and performs reconnaissance
5) The fourth mode launches a small set of attacks on all nodes of all networks
Tracking with TOR
The TOR project was designed to allow anonymous communication over the internet. Unfortunately,
a number of folks are using public TOR servers to search for and download child pornography.
My talk described a series of countermeasures for detecting, tracking, and prosecuting
pedophiles that are using TOR. The source code will be released in the near future.
I spoke for roughly 20 minutes on SmartCard and GSM-SIM security. I won't be posting slides because I intend to turn this talk into a full-length presentation, and what I used for the meeting is essentially a draft deck.
Quick and Dirty MySpace E-Mail Enumeration
An easy filter development at work leads to a fun discovery — MySpaceIM returns "bad username" or "bad password" messages in the event of a login failure. Thus, it's easy to write a brute force / dictionary-based e-mail address enumerator to discover valid MySpace accounts.
This silly talk lasted about 10 minutes, and slides and source are available.
Since AHA 0x00, MySpace fixed this. Apparently, they took it more seriously than I did. But not seriously enough to offer thanks for the vuln report, about which I now whine on my blog.
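The weakness behind the MySpaceIM enumeration above is a login handler whose failure message differs for an unknown account and a wrong password. The following is an added illustration, not code from the talk or from MySpace: a leaky handler of that shape next to a hardened one that returns a single generic failure and does the same hashing work either way (so timing does not leak what the message no longer does), plus a self-check a defender can run against either. The user table, salt and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential store: username -> (salt, PBKDF2-SHA256 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-demo-salt"
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown account costs the same hashing work as a
# real one; this closes the timing oracle alongside the message oracle.
_DUMMY = (_SALT, _hash("dummy-password", _SALT))

def login_leaky(username: str, password: str) -> str:
    """The pattern from the talk: the error text says which check failed,
    so failed logins can be sorted into existing and non-existing accounts."""
    if username not in USERS:
        return "bad username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "bad password"
    return "ok"

def login_uniform(username: str, password: str) -> str:
    """Hardened form: one generic message for every failure, and the hash is
    always computed (against the dummy when the account does not exist)."""
    salt, stored = USERS.get(username, _DUMMY)
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if username in USERS and password_ok:
        return "ok"
    return "invalid username or password"

def leaks_account_existence(login) -> bool:
    """Self-check: feed a random wrong password to a known and an unknown
    account; different responses mean the handler is an enumeration oracle."""
    wrong = secrets.token_hex(8)
    return login("alice@example.com", wrong) != login("nobody@example.com", wrong)
```

Run the self-check against a login endpoint of your own as part of a regression suite; the same comparison applies to HTTP status codes and response lengths, not only to the message text.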
I did a quick demo of the insecurity in certain VOIP handsets, which download their configuration from an Asterisk server in the clear. This allowed me to observe the authentication settings for a number of phones in my office, and to spoof each extension. The demo consisted of a one-line shell script that iterated through each phone extension, and I then called each extension in turn, causing my VOIP phone (laptop) to ring as the spoofed extension.