Tuesday, June 10, 2014

Comcast xfinitywifi and hidden wifi network

Recently, on Twitter, I talked about Comcast and their xfinitywifi network. Here is the full story.

If you have Comcast and a recent modem from them such as one of those, it creates a wireless network called xfinitywifi by default (if it doesn't now, it will soon), so that other Comcast customers can log in to it and have Internet access when they are traveling.

It's a pretty good idea since it does not use any of your bandwidth (based on what they say, and Slashdot had a story today from the Houston Chronicle), but it could slow down your wireless network since it is on the same channel. However, I really don't like the way they implemented it: it is enabled by default and you can only disable it by logging on to your account online; there is not a single mention of it in the modem configuration. It's also a bad idea because it can easily be faked to steal credentials (it's an open network, no encryption).

Unfortunately, I had to spend quite a lot of time with their tech/customer service to figure it out and get it disabled (their first attempt to disable it failed). And they will try to convince you to leave it on. I knew they have access to the cable modem and that they can reset/upgrade the firmware. What's really worrying is that they can access all the settings of the modem, including the wireless settings: they could tell me what my WiFi settings were. They might also be able to access your network.

Moving on. Another issue I mentioned to their tech was that there was another wireless network alongside xfinitywifi and my personal network: a hidden network with the same security settings as my personal network (or it's just a coincidence that I use the same settings as them). Its MAC address is also very similar to your modem's; only the first byte differs.
As of now (the last time I spoke to them was at least 2 or 3 weeks ago), this hidden network is still there and I have absolutely no idea what that network is. So, I'll disable the wireless on the modem and put another AP between the modem and my network. Here is a picture of the network (let me know if you'd like a PCAP).
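The observation above (a hidden SSID whose BSSID matches the gateway's except for the first byte) can be checked automatically against a scan. This is an added example, not code from the original post: the scan entries and BSSIDs are constructed placeholders, and it assumes consumer gateways derive extra BSSIDs for virtual APs by altering the first octet of the primary BSSID (typically setting the locally administered bit, 0x02), so such pairs come from the same radio, not a neighbour.

```python
"""Flag virtual APs that share a radio with your own gateway.

Added example; scan data below is constructed, BSSIDs are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    bssid: str        # AA:BB:CC:DD:EE:FF
    ssid: str         # "" means the SSID is hidden (not broadcast)
    channel: int
    encryption: str   # "OPN" for open, "WPA2", ...


def mac_bytes(mac):
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address: %s" % mac)
    return [int(p, 16) for p in parts]


def same_radio(a, b):
    """True when two BSSIDs differ only in the first octet (assumed to be
    a virtual AP derived from the primary BSSID on the same gateway)."""
    x, y = mac_bytes(a), mac_bytes(b)
    return x != y and x[1:] == y[1:]


def audit(scan, own_bssid):
    """Return one finding per network that shares a radio with own_bssid."""
    own = next((n for n in scan if n.bssid.lower() == own_bssid.lower()), None)
    if own is None:
        raise ValueError("own BSSID not present in scan")
    findings = []
    for n in scan:
        if n.bssid.lower() == own.bssid.lower() or not same_radio(n.bssid, own.bssid):
            continue
        label = "hidden SSID" if n.ssid == "" else "SSID %r" % n.ssid
        note = "%s: %s on the same radio as %s" % (n.bssid, label, own.bssid)
        if n.encryption == "OPN":
            note += " (open, no encryption)"
        if n.channel == own.channel:
            note += ", sharing channel %d" % n.channel
        findings.append(note)
    return findings


SCAN = [  # constructed sample: your gateway, its two extra BSSIDs, a neighbour
    Network("00:11:22:33:44:55", "home", 6, "WPA2"),
    Network("02:11:22:33:44:55", "xfinitywifi", 6, "OPN"),
    Network("06:11:22:33:44:55", "", 6, "WPA2"),
    Network("AA:BB:CC:11:22:33", "cafe", 11, "OPN"),
]
```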

Does anybody know what that hidden wireless network is for? Comcast hasn't responded to that question on Twitter yet.

Sunday, June 8, 2014

Custom trac+svn or GitHub (or other alternative)

Recently, I had a small discussion on IRC about moving to GitHub (or another similar solution). The subject has come up several times (and I have thought about it several times) and I'd like to have more opinions about it.

I'm really tempted to move it since it might decrease cost a little bit and most importantly, it will decrease the amount of maintenance I have to do. However, I have some concerns and I'm open to new ideas.

I like GitHub since it has most of the features of (a base) trac (and I don't need more than that). User management is built in, as well as anti-spam. There is a big community around it and we can do continuous integration (using Travis CI). And I don't have to spend time cleaning up spam or updating the server (and making sure it's secure; I assume GitHub has security measures).

Here is what I don't like with GitHub:
  1. You don't have control of your code anymore.
  2. It's a one-way thing: you can import trac (tickets and so on) into GitHub, but I have never heard of tools to back it up.
  3. You depend on them: if they're down, you'll have to wait for their stuff to come back up. If they get hacked, you might be in trouble. They can close your project; if you remember WhatsApp, a few days before it was bought by Facebook, GitHub received DMCA letters and had to close a bunch of projects related to WhatsApp (or its API library).
  4. You need an account to create a bug report.
However, the cons can be somewhat alleviated:
  1. Hosting my own git repository and syncing it to GitHub (as well as to other GitHub alternatives).
  2. If there is no tool to back up GitHub, I might develop one (and open source it) or pay somebody to create one.
  3. Using multiple services. We could have GitHub as the main location and use other services as read-only backups. If GitHub goes down, we can switch any other one to read-write. However, we'll need software to do the sync (and it also depends on the backup program from the previous point).
  4. For people without an account: accept bug reports by email and/or have people post in the forum (you don't need an account to post) and I take care of adding them to GitHub.

So, here are my questions:
  1. What is your opinion about using GitHub (and git) for Aircrack-ng instead of trac+svn?
  2. What are the alternatives to GitHub (free, hosted)? If you've used one, please give me your opinion about it. I'm also willing to pay a few dollars a month if there is a serious one.
  3. What are the installable (on your own server) alternatives to GitHub? It's better if it's free/open source, but I don't mind paying if the solution is good.
Here is what I found (and heard about): GitLab (to install, as backup, using gitlab-mirrors), BitBucket, Gitorious, Kiln. However, I need more feedback about them.

As I get feedback, I'll update the post.

Wednesday, April 16, 2014

Anti-virus issues and open letter to Anti-virus

Anti-virus software has a bright side and a dark side.

Well, antiviruses are like babysitters: they prevent dangerous things from happening to your computer. In a certain light, it's a good thing, but when you grow up (in this case, know how to use computers safely and want to use security tools), that babysitter becomes more of an annoyance.

What I mean is that most security tools are flagged by antiviruses, and Aircrack-ng isn't an exception. Sometimes they just flag it as 'hacktool' or 'not-a-virus', but a few of them use weird-looking names and googling them doesn't even tell you what they mean.

I had to deal with a lot of stuff because of that:

  • Emails from people telling me their antivirus detected aircrack-ng as a virus, and I had to tell them it's perfectly safe and their antivirus is wrong.
  • Yahoo, which has or had a safe-page system using McAfee. It was saying the Aircrack-ng website wasn't safe despite all the messages saying it's perfectly safe.
  • VIPRE anti-virus, which was removing links to Aircrack-ng.org because they thought it wasn't safe.
  • And a few other things I don't even remember. Here is one I just found in the forum.

It hadn't been a real problem until now: my hosting provider uses a service from C-Sirt.org to scan files online and make sure there's no virus. In most cases they are right, but there is always an exception. The problem is that they think their system is perfect, as you can see when they talk about false positives:

At first, I was surprised and took their incident seriously. I started by checking the MD5 and SHA1 of the file (which hadn't changed) and submitted the files to virustotal.com. That's where I saw why they think Aircrack-ng is a virus. As you can see, some of them give a name that will make you freak out (and using Google to find out what it means gives you NOTHING), but most of them either don't detect anything or clearly identify it as Aircrack-ng.

I emailed the guy behind C-Sirt.org. Unfortunately, his English is rather approximate and, if I understand correctly what he tells me, I should simply contact all anti-virus vendors and ask them to remove Aircrack-ng from their definitions so that his algorithm won't flag it as a virus anymore.
Well, I would be more than happy to do so, but my experience with first-line customer service has not been successful, so I doubt it will work out.

Back to my provider. Even though I've been a customer for more than 6 years, they blindly trust C-Sirt.org and wrongfully shut down one of my servers where they thought the file was (and I'm still having issues getting it back up), and threatened to shut down my hosting when I told them where the file actually is, all because of a mistake by C-Sirt (due to antivirus definitions). I tried to convince them without any success, and I'll gladly show you the emails if you want (as well as the single email I got from C-Sirt.org).

So, anti-virus vendors, please be smarter nannies. I'm OK with you flagging viruses, but flagging security tools doesn't make sense and hurts us. Please remove Aircrack-ng and other security tools from your definitions.
In the meantime, I'll just repack the file and add a password so you won't be able to scan it and it won't be wrongfully flagged.
And if you're not planning to take it off your definitions, I've got a request to add another well-known security tool that uses Aircrack-ng: Core Impact. They even submitted a new attack to Aircrack-ng, which gives you a good reason (and proof that it's not a virus) to take it off your definitions.

Monday, March 31, 2014

Aircrack-ng 1.2 Beta 3 release

And a third beta. I can guarantee there will be at least a fourth one before the final 1.2 release.

  • Finally properly fixed the buffer overflow.
  • Fixed channel parsing (e.g. 108, 125) and updated the radiotap parser.
  • Various other small fixes.

Saturday, November 30, 2013

Aircrack-ng 1.2 Beta 2 release

Here is a second beta. Enjoy it ;)

Release Notes:
  • Airbase-ng IE order fixed
  • Improved WEP cracking speed using PTW
  • Fixed WPA capture decryption when WMM is used
  • Fixed memory leaks in several parts of the suite
  • Fixed compilation with recent versions of gcc, on Cygwin and on Gentoo hardened
  • Now using Coverity Scan for static code analysis
  • Lots of other small fixes

Detailed changelog:
  • Airbase-ng: Fixed order of IE when creating soft Access Point.
  • Airbase-ng: Fixed Caffe Latte Attack not working for all clients.
  • Aircrack-ng: Improved PTW speed thanks to Ramiro Polla.
  • Airmon-zc: Fixed improper use of the interface.
  • Airdecap-ng: Fixed decoding captures with WMM enabled.
  • Various: Fixed memory leaks in Aircrack-ng, Aireplay-ng, OSdep.
  • Added support for static analysis using Coverity Scan.
  • Fixed compilation due to PIC unfriendly assembly on Gentoo hardened.
  • Fixed running tests using 'make check'.
  • Fixed building aircrack-ng with recent versions of gcc and also on Cygwin.
  • Various other small fixes.

Saturday, May 25, 2013

Aircrack-ng 1.2 Beta 1 Release

After a few years, we finally got a release: 1.2 Beta 1. Enjoy ;-)

Release summary:
  • Compilation fixes on all supported OSes.
  • Makefile improvement and fixes.
  • A lot of fixes and improvements on all tools and documentation.
  • Fixed licensing issues.
  • Added a few new tools and scripts (including distributed cracking tool).
  • Fixed endianness and QoS issues.

You can find more details in the ChangeLog and even more in our subversion history.

And two more things:
  • The forum will be ready in a few days.
  • We are now using Travis CI for continuous integration.