An interesting incident happened this past week to a friend – he had his identity stolen. More specifically, someone got a hold of his social security number (SSN), his date of birth (apparently) and his address. What the scammers or their “mules” (a term used to describe criminals who act on behalf of the actual criminal at their behest) did was that they went to the bank and requested to wire a huge sum of money to an account. The neat trick they played was before actually going to the bank they called the Verizon helpdesk and suspended my friend’s phone service. When they reached the bank and showed the bank agent the ID (some sort of a non-standard / fake ID) and gave the SSN to the bank agent, he/she grew suspicious and tried to contact my friend. However, due to Verizon suspending his phone service, the bank agent couldn’t get a hold of my friend. Luckily, the bank agent also sent my friend an email to which he responded promptly. The culprits were arrested and the investigation is still on.
What was quite interesting was, the modus operandi where the criminals know that banks rely on calling the customers if they suspect fraud and they had this covered. Quite intelligent.
So, you know what you need to do if your phone suddenly stops working – check if ID thieves have had a run on you, change all your passwords including email, change your credit card accounts and bank accounts and PINs and place a hold on your credit history with the credit reporting agencies such as Experian, Equifax and TransUnion.

To avoid saving the truecrypt password in history files and mounting the Truecrypt partitions on bash the following trick helps:

history -d $((HISTCMD-1)) && sudo truecrypt --mount <PATH_TO_TRUECRYPT_VOL> --non-interactive -p <PASSWORD>

This will avoid saving the password in the .bash_history file and also mount the truecrypt volume from the command line.  Of course, if you use this in a shell script then the shell script will have the password in it, so you must not do that.

One of my acquaintances told me today of an innovative scam.
So this friend of mine posted an advertisement for renting her apartment out on craigslist. As soon as she posted the ad, an email response came that looked absolutely legitimate.
The respondent claimed that he was a professor in the UK and would be visiting the US on a sabbatical. He even listed a phone number for contact as well as gave some very legitimate looking references. The respondent also said that he wanted to rent the apartment in about 1 months’ time. So far all good. My friend contacted the respondent over the phone and there was nothing odd about the conversation.
In the subsequent conversations, the respondent requested my friend to collect delivery of the furniture for his apartment (which he had indicated that he was going to rent). The respondent said that he would send a check to her and she should then collect the delivery of the furniture and pay the furniture company out of her own pocket. The respondent even sent in a personal check to my friend in advance. She deposited it and sure enough, the amount showed up in the bank account. But what had her spooked out, was how could someone give away a check to some one just like that. For some reason, due to a weird hunch, she decided that she was not going to engage in any financial transactions on the behalf of someone who was sitting hundreds of miles away who she barely knew. In the end, it was this hunch that saved her from losing the money.
So the respondent (thinking that my friend had agreed to undertake the transaction on his behalf) gave her the phone number and information of the furniture company. My friend googled the furniture company but could not find anything. Moreover, the furniture company would not even pick up the phone. This put my friend in doubt over the dubiousness of the potential renter. As it turned out, that the check bounced a couple of days later and if she’d paid the furniture company it might have been used as a way to steal money from my unsuspecting friend.
I guess what could be interesting to know here is that if there was a legitimate phone number (say from Google voice) and a legitimate website (which costs a few dollars for a month now), then my friend could have possibly been duped.
This serves as a reminder to us of the reality of the world we’re living in where scammers are looking for an opportunity to dupe us.

I will be speaking in Prof. Sengupta’s class at John Jay College of Criminal Justice at the City University of New York on Oct 28, 2010.  The topic of discussion will where does Digital Forensics fit in the big picture of organizations.  The talk will introduce the students to a variety of topics including choosing a career as a digital forensics investigator, their duties as an investigator, being successful as an investigator, case studies and real-life problems faced by the computer forensic investigators.

I encountered various errors when compiling wepattack. This download does not come with a makefile that is compatible with the ubuntu distro that backtrack uses. First of all make sure that the wlan directory that you get when untarring the .tar.gz archive has execute permissions set to it.

$ cd WepAttack-0.1.3/src
$ chmod +x wlan

Once this is done “permission denied” errors should go.

/Desktop/WepAttack-0.1.3/src$ make
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o wepattack.o wepattack.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
wepattack.c: In function ‘loop_packets’:
wepattack.c:141: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:146: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:151: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:156: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c: In function ‘clean_up’:
wepattack.c:184: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’
wepattack.c: In function ‘main’:
wepattack.c:309: warning: format ‘%d’ expects type ‘int’, but argument 2 has type ‘long int’
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o rc4.o rc4.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o wepfilter.o wepfilter.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o log.o log.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o modes.o modes.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
modes.c:25:30: error: wlan/wlan_compat.h: Permission denied
modes.c:26:28: error: wlan/p80211hdr.h: Permission denied
modes.c: In function ‘generate_rc4_key’:
modes.c:51: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c: In function ‘process_rc4_key’:
modes.c:68: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c: In function ‘mode_keygen’:
modes.c:125: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c:127: warning: incompatible implicit declaration of built-in function ‘strcpy’
modes.c: In function ‘mode_wep’:
modes.c:145: warning: incompatible implicit declaration of built-in function ‘memcpy’
make: *** [modes.o] Error 1

The following patch file will take care of most errors and you should be able to get Wepattack compiled properly:

diff -aur WepAttack-0.1.3/src/Makefile WepAttack-patched/src/Makefile
--- WepAttack-0.1.3/src/Makefile 2002-10-23 09:11:36.000000000 -0400
+++ WepAttack-patched/src/Makefile 2010-09-26 04:54:20.000000000 -0400
@@ -6,23 +6,23 @@
LD=gcc
#
# CFLAGS
-CFLAGS=-fno-for-scope -c -D__LINUX_WLAN__ -D__I386__
+CFLAGS= -c -D__LINUX_WLAN__ -D__I386__
#
#
# LDFLAGS
-#LDFLAGS=
+LDFLAGS=-L../run
#
#
# Libraries to link against
-LIBS= -lpcap -lz -lcrypto
+LIBS= -lpcap -lz -lcrypto
#
#
# Install path for wepattack
INSTDIR=/usr/bin

// main loop to process key in modes on every packet

Copy the above patch in to a file called wepattack.patch. Copy wepattack.patch into the WepAttack-0.1.3 directory and patch it as follows:

$ patch -p1 <wepattack.patch
$ cd src
make
sudo make install

You should be able to get wepattack installed!

Last night I was trying to get a VeriSign issued SSL certificate installed on my ASA using Cisco ASDM 6.2. I installed the Intermediate CA and the CA certificates all installed. I then imported the SSL certificate into the “Configuration -> Device Management -> Manage Certificates -> Identity Certificates” but it did not seem to work. I kept getting an error “Failed to parse or verify imported certificate”. The certificate was in the .p7b form. Changing the format of the certificate to X.509 Base64 Encoded format resulted in acceptance of the certificate.
I sincerely hope that Cisco alters its error messages to accurately reflect that .p7b is not a format supported by them.

Update: This link has the information on how to install SSL certificates on ASA:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml

In the past few days, coincidentally I’ve been thrown into situations where packet forgery has been required. So I thought it’ll be a great moment to enumerate some good options that network or security professionals have. The basis for most of these tools lies in libnet and libpcap which are some of the most wonderfully functional libraries out there.

• Packetforge-ng – On the wireless side this utility allows you to capture wireless packets and create legitimate packets with a pre-determined payload that can then be replayed using tools such as aireplay-ng
• Scapy – This is a python based tool and can be extended to write custom Python scripts to custom create packets. This library has great functions to form packets layer-by-layer and other functions such as fuzz() that allow fuzzing of packets out of the box. The greatest utility comes by the use of python language to create custom tools. Imagine creating custom thick clients just by using simple python scripts. The capabilities with this library are endless!
• TCPReplay – Just convert your pcaps into traffic by replaying them. An excellent tool but be careful if you’ve sniffed some ARP packets. You could end up corrupting the ARP table entries (unless that’s exactly what your intentions is 😉
• file2air – An excellent tool by Joshua Wright to replay packet contents.
• Packit – A really easy to use and functional linux based packet injection tool.