Software
As far as the drivers go, it's BlueZ or nothing. This is an excellent package that works enough to be qualified Bluetooth 2.0 though with some implementations out there, this may or may not be a selling point. But the point of the matter is, nab this and it'll work just like Windows.
As far as software to interact with Bluetooth devices, it depends on what you want to do. I don't connect my phone via Bluetooth (preferring a USB cable) so I can't help you with that. However make sure you have hcitools installed to pair with devices and scan for new ones around you. To test your set up, put your phone (or headset, or keyboard, or whatever) into detection mode and then run:
hcitools scan
If you're set up, it should detect your device and identify its MAC Address and Device Name.
After you're set up legally checking on your phone, you can try checking out others. Try an hcitools scan in a busy area and see if any phones show up. Or perhaps a parking lot if you're really devious. I'd recommend checking out the Trifinite Group for ideas of what evilness can go on over Bluetooth.

Device Lookup
Now that you have my 2 cent description of how to get Bluetooth working on Linux (Ubuntu 7.10) and done your own research on what vulnerabilities (might) exist out there, you may be interested in a quick way to identify devices you find. Quick identification of devices around you allows for quick knowledge of what exploits exist. I'm not advocating breaking devices, but this may be extremely useful when penetration testing a company or school. I wrote a quick perl script that will take a given MAC address and return the company that device is registered to. It has two text files with it, one is a list of known Bluetooth manufacturers and the device prefixes registered to them, the other is a full list of all MAC prefixes and who they're registered to. Download this tarball, untar the file, change into the mac_address directory, and then run it using:


tar -xf mac_address.tar
cd mac_address
perl mac_lookup.pl 00:16:8f:c0:5X:XX

It'll spit out info looking a little like:


Looking up: 00:16:8f:c0:51:11
Manufacturer Prefix: 00:16:8f
Device Type: c0:51:11
Manufacturer: GN Netcom as


I'm quickly porting it to php and tossing all that info into a database so you'll be able to bounce requests off of a php page to grab the relevant information. More information will come on that in a day or two, once I have it up and running. Of course all this was inspired by the BluePrinting project, and I hope to work that into my database.

EDIT: Whoops, it appears I mis-read a paper and wrote a hasty article. It is not possible to assume the second three bytes of a Bluetooth MAC are the device model, as every manufacturer is different. I've changed bits of the above article to reflect this knowledge, and changed the output of my tool. I'd also like to note there is another tool that is similar to this, @stake's redfang tool. However this tool is used to *find* non-discoverable devices, via brute-force, whereas mine is a simple lookup tool.

Also it should be noted that I'm using the term Bluetooth MAC address, though this may not be the best term. Its also called the Bluetooth Device Address.

Bottom line: For large amounts of data accept the higher overhead per unit when it'll lessen the overall overhead. Now my script runs happily all day without decreasing my speed. I only post so you geeks out there can laugh at me, and I'll remember this handy little lesson later on.

(I feel the need, as I do freelance programming, to point out I'm normally quite smart regarding how I design my code, and I'm posting this because I can't believe I did that!)

Well, I just tried to log in to that site on an account I haven't used in... well.. a long time, lets leave it at that. Sadly, I'd forgotten my password, and they do a very smart thing in limiting how many failed logings one can have before resetting the password, forcing me to reset my password. Up to this point, everything is working as it should, removing the possibility of brute force attacks with only limited user annoyance every few months.

Then I noticed that... uh-oh... the reset page wasn't SSL. I thought "Oh, don't worry, I'll bet its posted to an SSL domain," but grepping the source proved otherwise. Bugged, I decided to sniff my traffic and see what was happening, and sure enough, my password flew by in plaintext. This time it wasn't anything as stupid as a "Mother's Maiden Name" type question that also requires a little social engineering, this is MY PASSWORD, and MY USERNAME flying by.

Here's a look at a sanitized version of the information in the packet that gives it all away.

Content-Type:application/x-www-form-urlencoded
Content-Length:102
submitok=1
cc=ff6cda68ba7b4c
tt=1180114618
email=****@****.***
newpass1=PLAINTEXT
newpass2=PLAINTEXT

The Impact:
If I have to be sniffing the traffic in order to catch the password, this isn't as effective as, say, just phishing for the credentials, but this attack doesn't require any human stupidity.

However, this again is a very effective attack for large networks. ARP Poisoning is fairly trivial in this day and age, so even on a switched network one can grab these credentials. On a large network such as a dormitory, or campus this attack will work on as many people as are connected to the router you have access to. Worse, combine this with a botnet or other malware on a victim's machine, and it'll work on everyone who logs on to the site on an infected computer.

Another fun trick, as identified by the researchers at Indiana University, is subverting routers. If one subverts a router to modify the firmware, such an attack could easily be set up to happen on all traffic passing through the router, eliminating the need for ARP Poisoning. However, this requires an insecure router to start with, and the target would be a much smaller number.

The Attack:
I'll talk through an attack from a dormitory, as that's the first I thought of. Once you're set up with your ARP Poisoning, its time to get users to reset their password. Get a large list of email addresses from your school (this is very, very easy to script, you should be able to get tons of addresses. Now, you can either exploit the password reset security feature, or simply hit the reset.php page with each email address. Once you've reset the password, sit and sniff the network for any packets going to the page that actually does the resetting. Save all those packets, and you have all the information you need to compromise the accounts of everyone in your dorm!

I happen to know (whipped up a script to prove it) that this can quite easily be done in Perl where you never have to do anything, just sit and watch the logins go by.

The Payoff:
Once you have all the logins, you can either be very malicious and overt, or very subtle and clever. One might immediately hit the account page to change the password to something to lock out the legitimate user, or maybe even delete the account. Or, to be clever, throw all the logins into a database for later exploitation. It'd be smarter to do the second, because then the attack will go unnoticed for a while.

My Actions:
As usual, I'm accompanying this post with an email to the development squad of that website. I'm not releasing the name of the site, will delete any comments that say what site it is, and won't make my exploit code available anywhere. I will speak for the quality of the site's developers, from my last dealings with them, and know this will be fixed before any real attacks can be launched.

My registration page right now asks for first name, last name, an email, and a password. I needed data to through into those fields so a quick google search turned up this fine document. I decided I'd use the nickname as a first name, and the real name as a last name. The password would be the first name concatenated with "1". This'll provide some overlap, along with unique passwords, and a password scheme I could easily figure out looking at hashed passwords in my database.

use WWW::Mechanize;
my $mech = WWW::Mechanize->new();
open(NAMES, "$ARGV[0]");
while($_ = ) {
if(/^#.*/) {
} else {
m/^(\S*)\s*(\S*)\s*/;
$firstname = $1;
$lastname = $2;
$password = "$firstname";
$email = $firstname."@".$lastname.".com";
$mech->get("http://192.168.1.3/o2h/www/register.php") or die "Can't load page!\n";
$mech->form(1);
print "Registering $firstname $lastname!\n";
print $mech->set_visible("$firstname", "$lastname", "$email", "$password", "$password");
$result = $mech->click_button(number=>1);
}
}
close(NAMES);

This is a whopping 17 lines, took 10ish minutes to write. Yes, it could get smaller, but I wanted it somewhat readable. In about 10s of running I had 537 new additions to my users to test with, yippee!

This can easily be adapted for any website (that doesn't use CAPTCHAS and asks for information of the same nature as mine), feel free to steal it.