Wikileaks to Release more Secret Documents this Week

Wikileaks is at it again. According to a FoxNews report, Wikileaks is set to release several hundred thousand sensitive diplomatic messages this week, possibly as soon as Friday. 

This release will mostly be diplomatic cables mainly involving; yes you guessed it, the US.

Due to the sensitive nature of these cables, the relationships with several allied nations could be affected. The State Department has already begun notifying allies about the pending release.

“We are prepared for the worst — and the worst is that this will have an impact on our diplomatic relations with many, many countries,” State Department spokesman P.J. Crowley said. “They are going to create tension in relationships between our diplomats and our friends around the world.”

So it appears that Wikileaks assault against the United States continues. An article earlier this month on Time.com mentioned that Wikileaks next release would include documents involving Russia and China. It would appear though from the news today that again the US will be Wikileaks target.

Several reports issued this year said that Wikileaks plans on releasing Russian documents, but is having language barrier issues. This is an odd comment in this day and age as Google Translate seems to work very well. Maybe there is another reason why Wikileaks is holding off exposing Russian secrets.

In January, a Russian secret services agent denied that Wikileaks posed them any threat and warned that the “right team” of people could simply shut down the whistleblower website forever according to The Moscow News. Also, according to the article:

Longstanding links between hacker cells and the FSB lend credence to this thinly-veiled secret services threat. Investigative journalist Andrei Soldatov has detailed how the Russian FSB “maintain a sophisticated alliance with unofficial hackers, such as those who carry out cyber attacks on the websites of enemies of the state”.

According to the FoxNews article, WikiLeaks founder Julian Assange is leading a fairly paranoid life now due to the earlier US Document releases. I am sure that adding the Russian FSB and Chinese intelligence agencies to the mix will do little to assuage his fears. 

Advertisements

How Israel Screens for Terrorists

Vodpod videos no longer available.

 

The TSA is currently using some very controversial tactics to secure our airports from terrorist activity. This includes the use of revealing body scanners and what some claim to be very inappropriate physical searches.

Also, as some may know, white hat hacker Moxie Marlinspike was stopped, had his phone and computer confiscated and searched without warrant. Apparently he was put a Federal Terrorist watch list.

Is all this really necessary? I mean come on, do we really need to come to this to stop a few bad apples? Israel deals with a lot more terrorist activity than we do, and yet they have not had an incident with a plane in decades. Their secret? They never let them on the plane.

Check out this exceptional WSJ video.

Backtrack 4 R2 Released!

An updated version of Backtrack 4, hands down the top open source security testing Linux distro, is now available! Website info says Kernel has been upgraded, interface streamlined, faster desktop, completely re-written Metasploit… the list goes on and on.

Check it out! Downloading my copy now! 

How to Spy on Another Person’s Browser: Man-in-the-Middle Attacks

I dusted off Ettercap the other day and started playing with it again. With Ettercap, you can very easily perform Man-in-the-Middle attacks with ARP poisoning. In layman’s terms, ARP poisoning is simply placing your machine between the target machine and the internet, so you can view all the traffic of the target.

This is done by altering the ARP cache so the target PC thinks you are the router, and the router thinks you are the target PC. Several programs offer ARP poisoning, but Ettercap offers some interesting modules and filters that you can use that do different functions.

Today, I want to look at the “Remote Browser Attack” feature of Ettercap. This basically allows you to remotely spy on a target PC and a copy of the website they are visiting will be displayed on your computer.

To do this attack there are just a couple of settings to change in the Ettercap config file.

Ettercap Instructions in Backtrack 4:

Edit the “/etc/etter.conf” file.
Under the [privs] section,
Change:
EC_uid =65534
EC_gid = 65534
to:
EC_uid = 0      #65534
EC_gid = 0       #65534

And, scroll down to the [Strings] section.

If the target is using Firefox, change:
remote_browser = “Mozilla -remote openurl(http://%host%url)”
to:
remote_browser = “firefox -remote openurl(http://%host%url)”

Now start up Ettercap-GTK. 

When it starts up, pick “Sniff” and then “Unified Sniffing” and then pick your network card.

Now, just select “Hosts” and scan the network for hosts. Next, click “Hosts” and “Host list”. A list of the available host’s IP addresses will appear. 

Click on the target PC, then click on “Add to Target 1”, then click on the router, then click “Add to Target 2”.

Click on the “Plugins” menu. Select “Manage the plugins”. Scroll down the list and Double click on “Remote_browser”. An asterisk will appear in front of it when it is selected. Next click the “Mitm” menu tab and select “ARP Poisoning”.

Then just hit “Start” and “Start Sniffing”

Finally, make sure you open the Firefox browser on your Backtrack attacker machine. The webpage for every website your target visits will show up in your Firefox browser.

That’s it, just go to the target machine and surf the web. On the attacker machine, you can see that Ettercap is capturing the target’s surfing:

As the target surfs to different webpages, the Firefox on the attacking machine will also auto-update with the page they are on:

Notice the tabs in Firefox on the attacking machine. These are a history of all the pages that the target has visited since the attack began.

For targets, I used an updated version of Windows 7 and Windows XP SP 3 in this test. Ettercap is an older program, and has not been updated in a while.  This attack used to work very well against older versions of Windows XP. On XP Service Pack 3, normal pages show up fine, but encrypted webpages would not show up on the attacker machine. So, for example, you could go to and login to Gmail on the target machine, but only the login page would show up on the attacker browser.

Also, many of Ettercap’s older password sniffing functions no longer work on updated machines and websites.

Windows 7 fared the best against the Ettercap attack. With just using the ARP poisoning attack, Windows 7 would not allow you to open SSL encrypted sites at all. It sensed something was wrong and gave this error:

If you tried to continue, the web address would turn red and a message came up saying due to security issues the page would not be displayed.

Also, when trying to run the remote browser module attack against the Windows 7 machine, as soon as you tried to surf to any webpage, standard or encrypted, the internet connection would drop completely.

Okay, how to defend against these types of attacks. Man-in-the-Middle attacks are possible because of Arp Poisoning, if your ARP cache could not be modified, this attack would not be possible. Unfortunately, it appears that changing your ARP cache to static is not feasible or practical on many networks.

Some internet security programs protect the ARP cache from being changed. Also many IDS systems will detect when a program tries to change the ARP cache. If you a network manager and are not familiar with these types of attacks, check into it to see what is the best solution for your system. For home users, a quick solution is do not share your wireless router with your neighbors, lock it down!

Windows 7 with its more advanced security features held up better against these attacks than Windows XP SP3 did. It just may be time to consider upgrading from XP to Windows 7.