In addition, says Fortify, the software security assurance specialist, with the latest cars now coming with as many as 50 or more interconnected computer systems – controlling everything from the brakes to the door locks and ignition system – now that the vehicles are becoming wirelessly-enabled, they are a lot easier to electronically hack into.

“It’s interesting to see that the researchers have identified that most cars built since the late 1990s have a computer diagnostic port, since this port needs direct physical access to operate and therefore hack”, said Barmak Meftah, Fortify Software’s chief products officer.

“But now these systems are being wirelessly enabled and held together with several tens of megabytes of code, it’s a relatively small step to modify the code and allow hackers an easy and wireless back door into a car’s computer system”, he added.

The hacking project was, says Meftah, no theoretical exercise, as the researchers were able to load new firmware onto their own circuitboard and, by plugging the board into the car’s internal network, translate the data flowing between the vehicle and a laptop.

This reverse engineering process allowed the researchers to develop a customised vehicle network interface and effectively take control of the car’s electronic nervous system.

So far, so normal, the Fortify chief products officer says, but the killer hack was when the researchers were able to generate network commands wirelessly from another car.

“In theory this will eventually allow a wireless drive-by attack on the firmware of a car, to the point where it’s central locking and ignition protection systems can be disabled. A professional thief can then saunter up, open the car and simply drive off,” he explained.

According to Meftah, car manufacturers should have foreseen the development of hacking attacks on their vehicle computer systems and built security safeguards into the firmware to stop this type of electronic hacking.

“It’s all very well saying that the manufacturers should enhance the security of their car computer networks and the protocols used, but this potential fiasco could be have been avoided if car developers had built security in from the ground up on a vehicle’s electronics systems”, he said.

“That way, if someone were to hack into the electronics, the car’s central nervous system would realise it was under attack and take appropriate action, such as immobilising the vehicle

You’re safe if your password isn’t in any dictionary, including the special dictionaries used for password cracking (these dictionaries will try random words in combination, as well as common letter-number substitutions such as “1″ for “i” and so on). The crack works on WPA and WPA2-locked networks.

Your best bet is a long, random string for a password — 64 bits of random noise will probably foil something like this for a good time to come. But good luck reading the password aloud to your visiting friend when she needs to get her laptop online.

Malicious insiders can exploit the vulnerability, named “Hole 196″ by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried.
Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network and compromise other authorized devices using open source software, according to AirTight.

The researcher who discovered Hole 196, Md Sohail Ahmad, AirTight technology manager, intends to demonstrate it at two conferences taking place in Las Vegas next week: Black Hat Arsenal and DEF CON 18.

The Advanced Encryption Standard (AES) derivative on which WPA2 is based has not been cracked and no brute force is required to exploit the vulnerability, Ahmad says. Rather, a stipulation in the standard that allows all clients to receive broadcast traffic from an access point (AP) using a common shared key creates the vulnerability when an authorized user uses the common key in reverse and sends spoofed packets encrypted using the shared group key.

Ahmad explains it this way:

WPA2 uses two types of keys: 1) Pairwise Transient Key (PTK), which is unique to each client, for protecting unicast traffic; and 2) Group Temporal Key (GTK) to protect broadcast data sent to multiple clients in a network. PTKs can detect address spoofing and data forgery. “GTKs do not have this property,” according to page 196 of the IEEE 802.11 standard.

These six words comprise the loophole, Ahmad says.

Because a client has the GTK protocol for receiving broadcast traffic, the user of that client device could exploit GTK to create its own broadcast packet. From there, clients will respond to the sending MAC address with their own private key information.

Ahmad says it took about 10 lines of code in open source MadWiFi driver software, freely available on the Internet, and an off-the-shelf client card for him to spoof the MAC address of the AP, pretending to be the gateway for sending out traffic. Clients who receive the message see the client as the gateway and “respond with PTKs”, which are private and which the insider can decrypt, Ahmad explains.

From there, “the malicious insider could drop traffic, drop a [denial-of-service] attack, or snoop,” Ahmad says.

The ability to exploit the vulnerability is limited to authorized users, AirTight says. Still, year-after-year security studies show that insider security breaches continue to be the biggest source of loss to businesses, whether from disgruntled employees or spies who steal and sell confidential data.
What can we do about Hole 196?

“There’s nothing in the standard to upgrade to in order to patch or fix the hole,” says Kaustubh Phanse, AirTight’s wireless architect who describes Hole 196 as a “zero-day vulnerability that creates a window of opportunity” for exploitation.

1.Position your wireless router (or wireless access point) in a central location
2.Move the router off the floor and away from walls and metal objects (such as metal file cabinets)
3.Replace your router’s antenna
4.Replace your computer’s wireless network adapte
5.Add a wireless repeater
6.Change your wireless channel
7.Reduce wireless interference
8.Update your firmware or your network adapter driver
9.Pick equipment from a single vendor
10.Upgrade 802.11b devices to 802.11g
want to get in Detail please follow this
Top 10 in Detail

Security researchers on Friday unveiled an open-source device that captures the traffic of a wide variety of wireless devices, including keyboards, medical devices, and remote controls.

Keykeriki version 2 captures the entire data stream sent between wireless devices using a popular series of chips made by Norway-based Nordic Semiconductor. That includes the device addresses and the raw payload being sent between them. The open-source package was developed by researchers of Switzerland-based Dreamlab Technologies and includes complete software, firmware, and schematics for building the $100 sniffer.

Keykeriki not only allows researchers or attackers to capture the entire layer 2 frames, it also allows them to send their own unauthorized payloads. That means devices that don’t encrypt communications – or don’t encrypt them properly – can be forced to cough up sensitive communications or be forced to execute rogue commands.

It’ll be interesting to see what other kinds of devices they can successfully use this data capture technique on. Keyboards are one thing, and I’d imagine the transmission range of a wireless keyboard is fairly limited so you or the sniffing device would have to be physically near to the target.

At least Logitech seem to have stepped up the security a bit by using AES-128 for the transmission on their wireless keyboards, but the researchers say they still may be able to crack it due to the way the secret keys are exchanged.

Again most likely not an algorithm problem but an issue with the implementation.

At the CanSecWest conference in Vancouver, Dreamlab Senior Security Expert Thorsten Schroder demonstrated how Keykeriki could be used to attack wireless keyboards sold by Microsoft. The exploit worked because communications in the devices are protected by a weak form of encryption known as xor, which is trivial to break. As a result, he was able to intercept keyboard strokes as they were typed and to remotely send input that executed commands on the attached computer.

“Microsoft made it easy for us because they used their own proprietary crypto,” Schroder said. “Xor is not a very proper way to secure data.”

Even when devices employ strong cryptography, Schroder said Keykeriki may still be able to remotely send unauthorized commands using a technique known as a replay attack, in which commands sent previously are recorded and then sent again.

News time is always fun during conference season due to the fact all these interesting and new attacks and vectors are released for public consumption – generally along with code and examples.

If they can use the same techniques to own more interesting devices with more sensitive data, things could certainly get a little more heated.

try this http://nodedb.consume.net/nodedb.php

The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once an IE user visits the booby-trapped site, the webmaster has complete access to the machine’s C drive, including files, authentication cookies – even empty hashes of passwords

This isn’t the first time security researchers at Core have identified security weaknesses in IE. The company issued this advisory in 2008 and this one in 2009, each identifying specific links in the chain that could potentially be abused by an attacker.

“Every time we reported this to Microsoft, they were fixing just one of the features,” Medina said in a telephone interview from Bueno Aires. “Every time they [fixed] it, we managed another way to build the attack again.”

Medina said he has fully briefed Microsoft on his latest attack, which he plans to demonstrate at next month’s Black Hat security conference in Washington, DC. Microsoft’s “rapid response team” didn’t reply to an email, but a statement sent to other news outlets said the company is investigating the vulnerability and isn’t aware of it being exploited in the wild.

The hole is difficult to close because the attack exploits an array of features IE users have come to rely on to make web application work seamlessly. Simply removing the features could neuter functions such as online file sharing and active scripting, underscoring the age-old tradeoff between a system’s functionality and its security.

Based on Medina’s characterization, it appears that fixing the weakness will require changes in a Windows network sharing technology known as SMB, or server message block, as well as the way Windows makes file caches available to a wide variety of applications.

“The things we are reporting are not bugs, they are features,” Medina said. “They are needed for many applications to work, so [Microsoft] can’t simply remove or truncate” them.

IE suffers from at least one other long-standing security bug that can enable attacks against people browsing websites that are otherwise safe to view. It can be exploited to introduce XSS, or cross-site scripting, exploits on webpages, allowing attackers to inject malicious content and code. Microsoft has said it’s unaware of this vulnerability being exploited

With this release includes a new kernel, a larger and expanded toolset repository, custom tools that you can only find on BackTrack, and more importantly, fixes to all (well, most..) major bugs that we knew of. This release we received an overwhelming support from the community and we are grateful to everyone that has contributed to the success of this release.

get it from here

http://www.backtrack-linux.org/downloads/

the WPA Cracker service bills itself as a useful tool for security auditors and penetration testers who want to know if they could break into certain types of WPA networks. It works because of a known vulnerability in Pre-shared Key (PSK) networks, usually used by home and small-business users.

o use the service, the tester submits a small “handshake” file that contains an initial back-and-forth communication between the WPA router and a PC. Based on that information, WPA Cracker can then tell whether the network seems vulnerable to this type of attack or not.

The service was launched by a well-known security researcher who goes by the name of Moxie Marlinspike. In an interview, he said that he got the idea for WPA Cracker after talking to other security experts about how to speed up WPA network auditing. “It’s kind of a drag if it takes five days or two weeks to get your results,” he said.

Hackers have known for some time that these WPA-PSK networks are vulnerable to what’s called a dictionary attack, where the hacker guesses the password by trying out thousands of commonly used passwords until one finally works. But because of the way WPA is designed, it takes a particularly long time to pull off a dictionary attack against a WPA network.

Because each WPA password must be hashed thousands of times, a typical computer can guess perhaps just 300 passwords per second, while other password crackers can process hundreds of thousands of words per second. That means that the 20-minute WPA Cracker job, which runs 135 million possible options, would take about five days on a dual-core PC, Marlinspike said. “That has really stymied efforts of WPA cracking,” he said.

WPA Cracker customers get access to a 400-node computing cluster that employs a custom dictionary, designed specifically for guessing WPA passwords. If they find the $34 price tag too steep, they can use half the cluster and pay $17, for what could be a 40-minute job. Marlinspike declined to say who operates his compute cluster.

The attack will work if the network’s password is in Marlinspike’s 135 million-phrase dictionary, but if it’s a strong, randomly generated password it probably won’t be crackable.

Security Auditors u look for it

http://www.nessus.org/download/