Tuesday, September 30, 2008

Cisco IP Phone 7936 Default Passwords

Found it hard to find some of this info, so I thought I'd mention it on my blog for fellow hackers/pen testers.


Passwords for the Cisco IP Phone 7936:


User Level Access @ Web interface: 7936


Admin Level Access @ Web Interface: **#


No actual username is required! And after doing a bit of research it turns out that if you change the accounts, the rightful owner has no mechanism to change them back. If you thought a re-flash might be the answer, the device requires administrator access to perform that function! So there is no mechanism to reset to factory defaults without admin access! There are a few stories of bricked phones as a result!



Sunday, August 31, 2008

Being an infosec professional and having PCI knowledge is sometimes a curse

One of the curses of being an infosec professional has always been a healthy dose of paranoia. However, this is often compounded by knowing the rules that people have to follow. Today I noted two really bad practices.





1.) The privacy laws in Sydney, one, are crap and, two, are not really followed, but today I saw a great example of something to be scared of. I was in Kings Cross (shopping, I might add, accompanied by my wife, before you ask). We entered the Swans club and, as we are out of the 5km radius which allows us to enter as visitors, we just have to prove it with photo ID. This is something we are all accustomed to. But when my wife gave it to them, before you could say boo they scanned it and printed a "visitor pass". WTF?





Did they just take an electronic copy of my wife's driver's licence? Where is that stored? How long do they keep it? What do they use it for? How do they dispose of the data at end of life?





There was no point going into a conversation with the burly front guy about his data security management plan, so another potential risk to us as a family...





2.) Then after a nice meal and a few Czech beers I went to pay. I paid by Visa and went to sign for the goods; she checked my signature (she could not speak English), with her boss, a guy who looked like he'd worked in the Cross for about 50 years, next to her. She then proceeded to ask me where on my Visa my security code (CVV2) was. I explained where, but asked why, and she went to write it down!! Whoa, sorry, not letting you write that down.





The boss gave me a steely stare as I explained that it was not required and not a practice merchants needed to use. He said it was good for him... I'm sure it was, given the dodgy area, but I was not going to let them, so I whipped my card away. The stare from the ex-Croatian war vet was very chilling; best I leave my PCI / best practices speech for this guy for another day ;-).





It's tough being an infosec professional ...












Friday, July 18, 2008

Telstra's crap customer service for the iPhone

A week of waiting, 10 calls, many hours on hold, and I still don't have my iPhone unlocked! I bought it outright so I could use it on any carrier and then rang the magic number to get it unlocked to any carrier: 1800 782 489.


Rang them on Monday, no joy. Received a call Tuesday from the customer service section saying that they were waiting on Apple. Now, a week later and after many calls to Telstra, today I got fobbed off by being told that I had to follow the instructions on the Apple site, that my IMEI had been logged with Apple as being unlocked, and that I would have to do something at my end to complete it?


WTF? So I asked what that was and Telstra customer support did not know, and then they said to look it up in the documentation supplied with the phone. Jeez. So I double checked everything, looked at the web site and left yet another message for the person dealing with my unlocking request.


No answer once again. Waiting ..





Losing faith in PCI enforcement

Whilst PCI-DSS is mandatory for compliance when an organisation processes, transmits and stores credit card data, it is up to the acquirer (the banks) to make the merchants (businesses taking CC transactions) measure their compliance against PCI-DSS. This information is then passed on to the card brands as a report on the compliance status of its merchants against the standard.


The reason I have lost some faith is that it became known to me that one large organisation doing millions of CC transactions, who are not PCI compliant, chose to pay the fines instead of ensuring they comply with the standard, as it was cheaper in the short term.


What is the cost of the non-compliance fine? Well, don't forget the acquirer decides this, but one customer is only fined $20,000 a year, which for them is a very, very small amount compared to the revenue they are making from taking CC transactions.


Let's hope these fines increase to the point where security actually starts getting some real attention from C-levels.



Now a PCI-DSS QSA!

I did the exam and training two weeks ago and got the results yesterday: passed. Now I'm armed and dangerous ;-)



Tuesday, July 01, 2008

Finding Credit Card Data for PCI Compliance Work

During a PCI audit compliance piece of work, you as a QSA are required to verify that various types of sensitive CC data are not stored, period. Some types are permitted, i.e. the PAN (CC number) and the expiry date, as long as they are "protected". Well, as someone with audit experience you know you won't get a truthful or comprehensive answer from the customer being audited. Often they don't know the entire process, or they know that there might be "grey" areas.


So you have to test portions of the environment, which is tricky at best. There are some tools, however, to help you find sensitive data in the environment:


https://source.its.utexas.edu/groups/its-iso/projects/senf/


http://www.hackaday.com/2008/06/20/finding-sensitive-data-with-freeware/



Monday, May 26, 2008

Malware at Auscert 2008 handed out by Telstra on USB Stick

Funny, this one. I was there but didn't get a stick on the Thursday; when it came to my attention (I was teaching a tutorial on the Friday) because a student mentioned it, I tried to get one.

Which of course they refused to give me. They did tell me that they had 500, gave out 85 and only got back 15, so 70 odd infected sticks are still out there!

ZDNet USA

Wednesday, May 14, 2008

Appearance on SBS Insight 13 May 2008

I was an invited guest on the SBS Insight program, which is a current affairs chat/panel show. Managed to get some quotes in as the token "professional hacker" (well, someone had to play the role ;-) ).

SBS Insight - ID Theft MP4 Movie File

Overview & Transcript


Tuesday, April 15, 2008

Appearance on Risky Business Podcast #58


I did a brief interview with Patrick Gray on the Risky Business podcast, episode number 58. Just a quick chat about the phishing attempts on the Australian seek.com.au website. These are being performed to garner the login details of the advertisers.

Our assumption is that it's to advertise fake jobs to collect mules to help launder money being siphoned away illegally from fraud victims. You know the ads: "earn thousands whilst working from home".

Patrick does a great job and it is worth a listen every week to keep on top of events and new information which routinely breaks on the podcast.

Listen here

Friday, April 11, 2008

Nmap to Nikto Parser

I had long been a Wikto guy as it has much better integration and a nice flow to it when enumerating directories to launch the Nikto database at. However, it's been a little flaky on some of the larger sites recently and I needed to give the new Nikto (version 2.02) a go. They have since implemented the same "AI" techniques, i.e. fingerprinting web responses for 200 OKs, 404 Not Founds etc., to give more accurate results (previous Niktos had lots of false positives because they did not have this).

So as I had quite a few targets, all running web servers on various ports, I needed a way to parse the nmap scan into Nikto. Wow, I was surprised I couldn't find anything; there are lots of Nessus/Nmap/Nikto combined tools but I just needed something to format a file so I could easily send it to Nikto. (Note: maybe I missed something; if so, email me.) The initial scans took so long to run due to the size of the target that I wasn't about to use the Nikto-in-Nessus option, which would have solved this, as I didn't have the time.

Anyhow, it came down to some old fashioned grepping.

cat nmap.gnmap | egrep " 80/open| 443/open" > openweb.txt

(open the file, make sure it looks right and make any minor edits)

perl nikto.pl -h openweb.txt

I was surprised that there was not an easier way; I thought these two and Nessus would have been well developed and integrated by others by now. The new version of Nikto is good and it outputs to HTML and hyperlinks all of the findings for you, which makes verification much easier.
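The egrep above keeps whole gnmap lines, which is why the file needs hand editing before Nikto will take it. The following is an added example (mine, not the post's and not part of Nikto or nmap) that does the "minor edits" step properly: it parses each port entry of a greppable nmap file and emits one host:port line per open TCP web port. It goes a bit beyond the 80/443 grep in the post by also keeping any open port whose nmap service name contains "http" (so 8080, 8443 and ssl|https are picked up). The gnmap sample is constructed, and I assume Nikto's -h file accepts host:port lines in the same form it accepts on the command line.

```python
import re
import sys

# Constructed sample of nmap greppable output (-oG); not a capture from a real scan.
SAMPLE_GNMAP = """\
# Nmap 4.68 scan initiated Fri Apr 11 10:02:17 2008 as: nmap -sS -sV -oG nmap.gnmap 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//ssl|https///\tIgnored State: closed (997)
Host: 192.0.2.11 (www.example.com)\tPorts: 80/filtered/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
Host: 192.0.2.12 ()\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (999)
# Nmap done at Fri Apr 11 10:09:41 2008 -- 16 IP addresses (3 hosts up) scanned in 444.12 seconds
"""

# Ports treated as web servers even when nmap has no service name for them.
WEB_PORTS = {80, 443, 8000, 8080, 8443}

# Port entries are comma separated, but a version string may itself contain a
# comma, so split only on a comma that is followed by the next "port/" token.
ENTRY_SPLIT = re.compile(r", (?=\d+/)")


def parse_gnmap(text: str) -> list[tuple[str, int, str]]:
    """Return (host, port, service) for every open TCP port that looks like a web server.

    A gnmap port entry is port/state/protocol/owner/service/rpc/version/, so after
    splitting on '/' the state is at index 1 and the service name at index 4.
    """
    targets = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ENTRY_SPLIT.split(ports_field.strip()):
            fields = entry.split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state != "open" or proto != "tcp":
                continue
            if "http" in service or port in WEB_PORTS:
                targets.append((host, port, service))
    return targets


def nikto_lines(targets: list[tuple[str, int, str]]) -> list[str]:
    """Format targets as host:port lines (assumed accepted by nikto -h <file>)."""
    return [f"{host}:{port}" for host, port, _service in targets]


if __name__ == "__main__":
    # usage: python gnmap2nikto.py nmap.gnmap > openweb.txt   (then: perl nikto.pl -h openweb.txt)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    print("\n".join(nikto_lines(parse_gnmap(src))))
```

On the sample this yields 192.0.2.10:80, 192.0.2.10:443 and 192.0.2.11:8080; the filtered port 80 on .11 and the non-web ports are dropped. The service name is returned alongside each target so you can split the ssl|https entries into a separate list if your Nikto version needs to be told about SSL explicitly.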