Archive for the ‘Bluetooth’ Category

DEFCON 21 update: August 5, 2013.

Monday, August 5th, 2013

Yeah, I know, I’ve been quiet. Much of Friday’s blogging time was eaten by Bluehost instability, and Saturday and Sunday were busy.

But I do have some updates and links.

I’m going to cut things off here for right now. I’m still trying to find links to some of the other presentations I mentioned (in particular, I’d love a link of some sort to Anch’s “Pentesters Toolkit” if anyone has one) and will post updates as they come in. Depending on what I dig up, there may be a second post tomorrow. In the meantime, this should keep you busy.

DEFCON 21: -1 day notes.

Wednesday, July 31st, 2013

Just because I’m not going to DEFCON 21 doesn’t mean I can’t try to cover it. From 1,500 miles away. Sort of half-assedly.

DEFCON hasn’t even started yet, but Black Hat is going on, and some stuff is coming out. The biggest story so far has been Barnaby Jack’s death. I haven’t mentioned it previously because I’ve felt like it was well covered elsewhere (even FARK).

Another “big” (well, I think it is) story that I haven’t seen very much coverage of is the phone cracking bot. Justin Engler (@justinengler on Twitter) and Paul Vines, according to the synopsis of their talk and the linked article, built a robot for under $200 that can brute force PINs. Like the one on your phone.

Robotic Reconfigurable Button Basher (R2B2) is a ~$200 robot designed to manually brute force PINs or other passwords via manual entry. R2B2 can operate on touch screens or physical buttons. R2B2 can also handle more esoteric lockscreen types such as pattern tracing.

This is one I’ll be keeping an eye on.

Borepatch is in Vegas this year, attending both Black Hat and DEFCON. He’s got a couple of posts up: a liveblog of the NSA director’s presentation at Black Hat, and another post about the links between black hats and political candidates.

So the DEFCON schedule is up. If I was going, what would get me excited? (I’ve included the Twitter handles of the speakers from the DEFCON 21 schedule information; I figure this gives a central source for looking up someone’s feed and getting copies of their presentation.)

From Thursday’s talks: I’d probably go to “Hacker Law School“, as I’m a frustrated wanna-be lawyer anyway. Why not?

Anch’s (@boneheadsanon) “Pentesters Toolkit” talk makes my heart skip a beat:

You’ve been hired to perform a penetration test, you have one week to prepare. What goes in the bag? What is worth lugging through airport security and what do you leave home. I’ll go through my assessment bag and show you what I think is important and not, talk about tools and livecd’s, what comes in handy and what I’ve cut out of my normal pen-test rig.

Push some more of my buttons, please.

The Aaron Bayles (@AlxRogan) “Oil and Gas Infosec 101” talk kind of intrigues me, but it would depend on my mood at the time as to whether I went to that one, or skipped out for a break.

Likewise with the Beaker and Flipper talk on robot building: yeah, robot building is something I’m interested in doing, but I might just be in a mood to visit the Atomic Testing Museum instead, and read your slides later. Nothing personal: I’m sure it will be a great talk.

I’m intrigued by the ZeroChaos (@pentoo_linux) panel on the Pentoo LINUX distribution for penetration testing. I’m not sure how that differs from, say, BackTrack, but I’d probably show up just so I could find out.

The “Wireless Penetration Testing 101 & Wireless Contesting” talk by DaKahuna and Rick Mellendick (@rmellendick) hits yet another of my hot buttons. I can’t tell from the description how much of this is going to be describing contests in the Hacker Village, and how much will be practical advice, but I’d show up anyway.

That takes us into Friday. Just from a preliminary look at the schedule, it looks like the big thing this year is hacking femtocells. Doug DePerry (@dugdep) and Tom Ritter (@TomRitterVG) are doing a talk on “I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell”:

During this talk, we will demonstrate how we’ve used a femtocell for traffic interception of voice/SMS/data, active network attacks and explain how we were able to clone a mobile device without physical access.

The Charlie Miller (@0xcharlie) and Chris Valasek (@nudehaberdasher) talk, “Adventures in Automotive Networks and Control Units“, sounds interesting as well. I’m just slightly more interested in femtocells than automotive hacking, so apologies to Mr. Miller and Mr. Valasek: if the two weren’t in conflict, I’d hit your talk for sure.

And if you haven’t been to a software defined radio talk, Balint Seeber’s (@spenchdotnet) sounds promising.

The Secret Life of SIM Cards” by Karl Koscher (@supersat) and Eric Butler (@codebutler) intrigues me the most out of the 11:00 talks. And I’m kind of interested in the Ryan W. Smith (@ryanwsmith13) and Tim Strazzere “DragonLady: An Investigation of SMS Fraud Operations in Russia” presentation because, well…

This presentation will show key findings and methods of this investigation into top Android malware distributors operating in Russia and the surrounding region. The investigation includes the discovery of 10’s of thousands of bot-controlled twitter accounts spreading links to this type of SMS fraud malware, tracing distribution through thousands of domains and custom websites, and the identification of multiple “affiliate web traffic monetization” websites based in Russia which provide custom Android SMS fraud malware packaging for their “affiliates”. During this investigation we have mapped out an entire ecosystem of actors, each providing their own tool or trade to help this underground community thrive.

There’s not much that intrigues me after Benjamin Caudill’s (@RhinoSecurity) presentation on “Offensive Forensics: CSI for the Bad Guy“. If I was at DEFCON, this is the time where I’d probably be browsing the dealer’s room, though I might go to the Amir Etemadieh (@Zenofex)/Mike Baker (@gtvhacker)/CJ Heres (@cj_000)/Hans Nielsen (@n0nst1ck) Google TV panel: these are the same folks who did the Google TV talk at DEFCON 20.

I feel kind of conflicted at 4:00. The Daniel Selifonov talk, “A Password is Not Enough: Why Disk Encryption is Broken and How We Might Fix It” sounds interesting. But I’m also intrigued by the “Decapping Chips the Easy Hard Way” with Adam Laurie and Zac Franken. Decapping chips is something I’ve been fascinated by, and it looks like Adam and Zac have found methods that don’t involve things like fuming nitric acid (and thus, are suitable for an apartment).

This is also the time when we, once again, present the “Hippie, please!” award to Richard Thieme for “The Government and UFOs: A Historical Analysis“.

I’m slightly intrigued by Nicolas Oberli’s (@Baldanos) talk about the ccTalk protocol, “Please Insert Inject More Coins”:

The ccTalk protocol is widely used in the vending machine sector as well as casino gaming industry, but is actually not that much known, and very little information exists about it except the official documentation. This protocol is used to transfer money-related information between various devices and the machine mainboard like the value of the inserted bill or how many coins need to be given as change to the customer.

Saturday morning, we have the second femtocell talk, “Do-It-Yourself Cellular IDS”, by Sherri Davidoff (@sherridavidoff), Scott Fretheim, David Harrison, and Randi Price:

For less than $500, you can build your own cellular intrusion detection system to detect malicious activity through your own local femtocell. Our team will show how we leveraged root access on a femtocell, reverse engineered the activation process, and turned it into a proof-of-concept cellular network intrusion monitoring system.

Opposite that, and worth noting, are the annual Tobias/Bluzmanis lock talk, and the David Lawrence et al talk on using 3D printers to defeat the Schlage Primus.

More than likely, I’d hit the Daniel Crowley et al (@dan_crowley) talk, “Home Invasion 2.0 – Attacking Network-Controlled Consumer Devices“, and the Philip Polstra (@ppolstra) presentation “We are Legion: Pentesting with an Army of Low-power Low-cost Devices“. I’m particularly intrigued by the Polstra talk, as one of my areas of interest is how small can we make devices that can still do useful hacking? What’s the smallest feasible wardriving system, for example?

I do want to give Jaime Sanchez (@segofensiva) a shout-out for his talk on “Building an Android IDS on Network Level“. This is worth watching.

I’d have to go to the Phorkus (@PeakSec)/Evilrob “Doing Bad Things to ‘Good’ Security Appliances” talk:

The problem with security appliances is verifying that they are as good as the marketing has lead you to believe. You need to spend lots of money to buy a unit, or figure out how to obtain it another way; we chose eBay. We now have a hardened, encrypted, AES 256 tape storage unit and a mission, break it every way possible!

Because, tape! But the Wesley McGrew “Pwn The Pwn Plug: Analyzing and Counter-Attacking Attacker-Implanted Devices” talk also interests me.

The PIN cracking device talk is on Saturday, opposite Amber Baldet’s (@AmberBaldet) talk on “Suicide Risk Assessment and Intervention Tactics“. I’m glad DEFCON accepted her talk, and I am looking forward to seeing the presentation online.

Also noteworthy, I think: James Snodgrass and Josh Hoover (@wishbone1138) on “BYO-Disaster and Why Corporate Wireless Security Still Sucks“.

Todd Manning (@tmanning) and Zach Lanier (@quine) are doing a presentation on “GoPro or GTFO: A Tale of Reversing an Embedded System“. I don’t have a GoPro (yet) or much of a use for one (yet) but I think they are interesting devices, so I’ll be watching for slides from this talk. Same for the conflicting Melissa Elliott talk, “Noise Floor: Exploring the World of Unintentional Radio Emissions“.

This takes us to Sunday. There’s not a whole lot that really turns me on early, though I admit to some interest in the Jaime Filson/Rob Fuller talk on harvesting github to build word lists:

After downloading approximately 500,000 repositories, storing 6TB on multiple usb drives; this will be a story of one computer, bandwidth, basic python and how a small idea quickly got out of hand.

I like the idea behind John Ortiz’s “Fast Forensics Using Simple Statistics and Cool Tools“, and he teaches at the University of Texas – San Antonio, so I’d probably go to that.

Now is when things start heating up from my perspective. Joseph Paul Cohen is giving a talk on his new tool, “Blucat: Netcat For Bluetooth“:

TCP/IP has tools such as nmap and netcat to explore devices and create socket connections. Bluetooth has sockets but doesn’t have the same tools. Blucat fills this need for the Bluetooth realm.

Holy crap, this sounds awesome. All I ask for is code that compiles.

(Unfortunately, this is up against the Eric Robi (@ericrobi)/Michael Perklin talk on “Forensic Fails“, which sounds like fun. But Bluetooth hacking is a big area of interest for me; sorry, guys.)

Speaking of Bluetooth hacking, Ryan Holeman (@hackgnar) is doing a talk on “The Bluetooth Device Database”. Which is exactly what it sounds like:

During this presentation I will go over the current community driven, distributed, real time, client/server architecture of the project. I will show off some of analytics that can be leveraged from the projects data sets. Finally, I will be releasing various open source open source bluetooth scanning clients (Linux, iOS, OSX).

Dude lives in Austin, too! Holy crap^2!

And that takes us through to the closing ceremonies and the end of DEFCON 21. I will try to link to presentations as they go up, significant news stories, other people’s blogs, and anything else I think you guys might be interested in. If you have specific requests or tips, please either let me know in comments or by email to stainles at mac dot com, stainles at gmail dot com, or stainles at sportsfirings dot com.

I heartily endorse this event or product. (#8 in a series)

Tuesday, April 23rd, 2013

Silvercar.

This endorsement may be of limited utility to most of you, since Silvercar currently only operates in DFW and Austin. But I am hopeful that they will expand to other cities.

What are they? Silvercar is a car rental firm, but they’re different from your normal car rental company.

First of all, they only rent one type of car: silver Audi A4s. That’s not so bad, for reasons I’ll get into in a bit.

Second of all, their prices are reasonable: right now, they’re charging $75/day on weekdays and $50/day on weekends. That’s actually about what you’d pay for anything from Enterprise at the airport. (I just checked the Enterprise site: cheapest is $66.99 for a full-size car, going up to $127.56 for a “luxury” car.) That is with unlimited milage.

Thirdly, the experience is nowhere near as annoying as your average car rental agency is:

  • They pick you up at the airport. You pick your car. You scan the QR code with the Silvercar app on your phone. You drive away with your rental. If you want, they’ll give you a briefing on how to use the navigation and audio systems. If you need help, they have some very pleasant people available to walk you through the process.
  • Unlimited mileage.
  • Fuel is charged based on what you actually use (at prevailing market rate) plus $5 if you don’t return the car with a full tank.
  • They don’t get pushy about the “collision damage waver”. As a matter of fact, I don’t think they have such a thing.
  • Those nice people they have on duty kept asking if we’d like a bottle of water or something while we picked up and dropped off the car. When’s the last time Hertz asked you if you wanted a bottle of water?

And the Audi A4s they rent are fun cars. Yes, they have Bluetooth. They also have WiFi. Seriously. You can use your rental car as a WiFi hotspot while driving. Most of this stuff is your basic Audi features, as far as I know, including the navigation and audio. But it is still really nice to have these features in a rental car, especially at this price.

I should note that I didn’t actually rent the car: Mike the Musicologist came up for a visit and handled the interaction with Silvercar. But I was along for the pickup and dropoff, and from what I saw it was the most friction-free car rental experience ever.

We drove the Audi down to New Braunfels Sunday night to have barbecue at the Cooper’s there (which I liked very much). Then we drove back through the city and stopped at the Buc-ees (yes, the one that won the “America’s Best Restroom” contest – and, yes, it is a darn nice men’s room). Monday, MtM and I drove down to Boerne and had lunch at a wonderful German restaurant called Little Gretel. I want to go back. Actually, what I want to do is take a long weekend, book a motel room in Boerne, and stay for a day or two, eating at Little Gretel, feeding the ducks in the creek across the street, and exploring the surrounding area.

We drove back to Austin by way of Fredericksburg (stopping briefly at the shop for the Nimitz Museum/Museum of the Pacific War) and the Audi never missed a beat. It felt like it was on rails even when I pushed it close to 100 MPH, and we got around 26 MPG for the entire Monday trip.

The one small issue I’d bring up with Silvercar, if they asked me, is that they only provide an iPod connector for the Audi MMI system. It’d be nice to have at least the Audi USB connectors as well. (I was unable to find a USB port in the car: the MMI system does have two SD card slots, though, as well as a SIM card slot.)

So, anyway, if you need a good rental car in Austin (or DFW), give Silvercar a try. And thanks to Mike for organizing this adventure.

DEFCON 18 notes: Day 3.

Wednesday, August 4th, 2010

“The Search for Perfect Handcuffs… and the Perfect Handcuff Key“: It seems that Sunday morning at DEFCON has become the default time for the lock picking and other physical security panels. Sometimes this bugs me a little; I can only sit through so many panels on compromising high security locks with common household objects before my eyes glaze over and I leave for the dealers room. It isn’t that these panels aren’t interesting, but three in a row…

Anyway, I say all that to say that this presentation from TOOOL was one of the better Sunday morning lock bypass presentations I’ve seen at DEFCON. Deviant Ollam and his crew gave a comprehensive overview of handcuffs, how they work, and how they can be defeated. Some key points:

  • A group of Dutch hackers managed to defeat the high security Dutch handcuffs by taking a photo of the key (hanging off someone’s belt) and using a 3D printer to duplicate it. The key can be found here.
  • You can shim many handcuffs with paper, believe it or not. Paper money (especially European paper money, which in many cases is more like plastic or Tyvek than paper) works especially well for this, as currency is generally designed to be tear resistant.
  • Handcuffs are generally a pretty simple mechanism. If they aren’t double-locked, it’s really easy to “shim” them (force a flat piece of metal, or something like that, down between the pivoting ratchet arm and the cuff itself), or pick the lock with something like a paper clip. (You know what really works well for a cuff pick? The sort of U-shaped metal arm that comes on those steel binder clips you can buy at Office Depot.)
  • If the cuffs are double-locked, it makes shimming and picking attacks harder. One way to defeat double-locking is the “whack attack”; slam the cuffs against a hard surface, and inertia will pop the double-lock locking bar back into the unlocked position.
  • It doesn’t take a lot of strength to break handcuffs. Breaking them is just a matter of binding the chains up. Once you’ve done that, it’s just leverage and simple physics to break the chain.
  • You can also rough up the chain with a small easily concealed diamond saw blade to make it easier to break. The folks at SEREPick sell such a thing; you can hide it in the seams of your clothes, in a belt, in the top of a shoe…
  • There’s a lot of design variation in handcuffs, which can cause problems, especially if you’re trying to find a universal handcuff key. Keyway sizes, size and number of pawls…lots of things can cause problems.
  • The TOOOL folks have collected a bunch of cuffs, so they got as many as possible together, took very precise measurements of the keys, and came up with a single “universal” handcuff key that opened all the cuffs they were able to try. No, they don’t sell it, but diagrams and measurements for the key were part of the presentation. The easiest thing to do, according to the presenters, is to start with a Smith and Wesson handcuff key, as that’s closest to the final dimensions of the universal key. After that, all you need is some minor cutting and filing which can be done with a Dremel tool.

(I suspect there are some people who are going to ask “Why would you want to break out of handcuffs? And don’t you feel bad about sharing this information with criminals?” In the first place, the criminals have already learned all these tricks at one of our many institutes of higher education. In the second place, the bad guys are starting to use things like handcuffs and zip ties to restrain their victims; you might as well learn how to defend yourself.)

“Electronic Weaponry or How to Rule the World While Shopping at Radio Shack“: I’ll cut some slack for this guy being a first time presenter, but this was a “Meh” panel for me. It was heavy on the theory of things like RF jamming and EMP attacks, but short on practice. Most of the theory I already knew, so there wasn’t a whole lot there for me. At the end, he did demonstrate a “sound cannon”, which was interesting. It did not, however, even approach the “annoying” level for me, much less the “weapon” one, though the presenter was running it without amplification.

“Breaking Bluetooth By Being Bored”: Dunning (who also built Vera-NG, a Bluetooth and WiFi sniping rifle) presented a series of tools for banging on Bluetooth. These tools included:

  • SpoofTooph, a utility for cloning and spoofing Bluetooth devices. SpoofTooph can also be run in a logging mode, where it will collect data on devices it encounters.
  • The Bluetooth Profiling Project, which uses programs like SpoofTooph to collect Bluetooth device profiles for analysis. (For example, which device addresses correspond to which manufacturer?)
  • vCardBlaster, a utility for running a denial of service attack against a Bluetooth device by flooding it with vCards.
  • Blueper, which sends a stream of files over Bluetooth. You can send files to multiple devices in range, or target a single device and flood it with files. This is interesting because many devices cache received files before asking the user to accept them; if you push a continuous stream of files to one of those devices, you can fill up internal storage and possibly crash the device.
  • pwntooth, a suite of automated Bluetooth testing tools.

As a side note, after some banging around (mostly to resolve dependencies) I managed to compile and install SpoofTooph on Project e. So far, I’ve only tested it in my lab environment, but it seems to work as designed. This is one of the reasons I love going to DEFCON, as there’s nothing like that moment when you say “Holy f—ing s–t, that f—ing f—er actually f—ing works! S–t!”

There was no final attendance figure announced at the closing ceremonies. According to Joe Grand’s badge documentation, there were 7,000 electronic badges made, and those went fast. I would not be shocked if there were 15,000 people at DEFCON this year, and from what I saw in the closing ceremonies, a lot of those folks were attending for the first time.

The big piece of news from the closing ceremonies is that, after four years at the Riveria, DEFCON is moving to the Rio next year. My hope is that the move will make it easier to get into the more popular panels (DEFCON apparently will be using the Penn & Teller Theater at the Rio), and provide more room to move around. (And maybe even more room for vendors.)

Coming up later on: the final after action report and thank-yous.

0 Day DEFCON 18 notes.

Thursday, July 29th, 2010

This year, I got in on Wednesday, which reduced the stress level considerably. Mike the Musicologist met me here; Andrew “Swordfish Trombone” Wimsatt is flying in tonight.

Mike and I had a pretty good (and cheap!) dinner Wednesday night at Four Kegs, which some of you may recognize from “Diners,  Drive-Ins, and Dives“.

DEFCON 18 panels that I may, or may not, attend, but will point out for Lawrence‘s benefit:

Weaponizing Lady Gaga, Psychosonic Attacks

I’ve already missed the “Hardware Black Magic: Designing Printed Circuit Boards” and “Go Go Gadget Python: Introduction to Hardware Hacking” panels, but I figure most of the information from those is on the DEFCON 18 CD.

Panels I want to attend:

I’m torn between the annual “Making of the Badge” panel, and the “How To Get Your FBI File (and Other Information You Want From the Federal Government)” panel. If I do get moving that early, I suspect I’ll end up at the latter one.

Build a Lie Detector/Beat a Lie Detector“. My desire to attend this is mostly based on nostalgia. When I was a young boy, my dad gave me several of the Radio Shack 50-in-1/100-in-1/250-in-1 electronic kits for Christmas. One of the projects in those was always a lie detector, and I always built that project.

Build your own UAV 2.0 – Wireless Mayhem from the Heavens!” How could anyone not go to that panel?

Exploiting Digital Cameras“. Another panel that seems designed to push multiple buttons on my user interface at once.

DCFluX in: Moon-bouncer“. Looks like it could be a fun panel on alternative methods of communication in a critical situation, like moon-bounce (something I’ve heard of from the amateur radio community).

Black Ops Of Fundamental Defense: Web Edition“. Dan Kaminsky. Again, enough said.

Extreme Range RFID Tracking“. I haven’t gotten that deep into RFID hacking yet (though I might change that this year), but I’m interested in this long-range low-power radio device stuff. Also, this is one of two Padget talks I want to see.

Jackpotting Automated Teller Machines Redux” The Black Hat version of this talk is already getting a lot of attention.

I’m having trouble deciding between “This Needs to be Fixed, and Other Jokes in Commit Statements“, which sounds like it could be very funny, and “Insecurity Engineering of Physical Security Systems: Locks, Lies, and Videotape“; I have a lot of respect for Tobias’ work.

Practical Cellphone Spying” is the other Padget talk I want to see.

We Don’t Need No Stinkin’ Badges: Hacking Electronic Door Access Controllers“: besides the title reference, this might make good background for that novel. I’m also considering “Wardriving the Smart Grid: Practical Approaches to Attacking Utility Packet Radios” as another possibility; I’d really like to see both.

Physical Security : You’re Doing It Wrong!” Well, if he’s going to talk about how to get vendors to take you to lunch, sure!

Physical Computing, Virtual Security: Adding the Arduino Microcontroller Development Environment to Your Security Toolbox“. I’ve been thinking about getting into microcontroller hacking, and this seems like it might be a good introduction to the Arduino (which is one of the environments I’ve considered).

Hacking with Hardware: Introducing the Universal RF Usb Keboard Emulation Device – URFUKED” and “Programmable HID USB Keystroke Dongle: Using the Teensy as a Pen Testing Device“: it sounds like there could be a lot of overlap between these two panels.

The Search for Perfect Handcuffs… and the Perfect Handcuff Key“. You never know when you might need to get out of a pair of handcuffs…

I haven’t decided between “Attack the Key, Own the Lock“, which sounds like it may be a rehash of some panels at previous DEFCONs, and “Constricting the Web: Offensive Python for Web Hackers“, which pushes the Python button.

Electronic Weaponry or How to Rule the World While Shopping at Radio Shack“. Not a lot of information on the DEFCON site; I’ll probably go and leave if I get bored.

Breaking Bluetooth By Being Bored“. I’m fascinated by Bluetooth attacks, so this is a must-see for me.

Panels I won’t be attending:

Getting Root: Remote Viewing, Non-local Consciousness, Big Picture Hacking, and Knowing Who You Are“. The usual hippie horse-pucky.

Any suggestions from anyone else who may be attending? Or presenting? Or wanted to go, but couldn’t?

Project updates.

Monday, November 9th, 2009

Project e update: I took the machine up to 2GB of memory earlier this week; it turned out to be much harder than I expected, mostly because getting the memory access door off the machine took more effort than I expected.

I just finished doing a clean install of Ubuntu 9.10 on Project e; I went the clean install route, instead of doing an upgrade in place, because there were some things I wanted to clean out, and I didn’t really have a whole lot invested in the current system. (However, I didn’t re-partition and blow away /home.) So far, wireless seems much more stable; no connection drops yet. Ethernet just works, straight out of the box (no loading of modules) and Bluetooth seems to work as well, modulo some flakiness in listing devices.

This install also took more effort, and more time, than I expected. However, much of that was my fault; the process for creating USB install disks changed from 9.04 to 9.10, and the instructions on the Ubuntu website are not clear on how to do that under OS X. I ended up having to move the 9.10 ISO over to the netbook and use the USB startup disk creator to make a bootable flash drive. I don’t see this as an Ubuntu problem as much as a “thought I knew what I was doing, should have read the docs first” problem.

Question: does anyone know of a good Karmic-compatible eeePC tray utility, now that eeepc-tray has been end of lifed?

6.00 update: I’ve been tied up dealing with some personal issues that I don’t want to go into here (for reasons of other people’s privacy) and haven’t had as much time as I would like to work on this. I’ve gone through all of lecture 2, and I’m hoping to knock out the assignment and move on to lecture 3 this week.

School: Registered for CSYS 4334, “Implementing Information Systems In Organizations” (in other words, more SQL Server 2005) and CSYS 4330, “Advanced Networking/Network Security” next semester. That second one should be fun.

Project e: Part 2: The Ubuntuing

Sunday, August 23rd, 2009

Before I begin, a couple of notes:

First, I’d like to publicly acknowledge D. D. Tannenbaum as the first person to actually leave a real substantive comment on Whipped Cream Difficulties. (There was one spam comment before his, which I guess makes some sort of pathetic statement about the state of the Internet.) Thank you, sir.

Second, another size comparison:

IMG_0334 (Modified)

That’s my (somewhat beat up, as I’ve been toting it for a while) copy of Learning Python, 3rd Edition. As you can see, the eee is only slightly larger than the book; you can’t see this in the photo, but it is substantially thinner. I wanted to get a weight comparison between the two as well, but I don’t have a scale that will work well for that purpose; manufacturer’s quoted weight for the eee is 2.9 pounds.

On to The Ubuntuing.

(more…)

Project e: Part 1, the unboxing

Friday, August 14th, 2009

I’ve been wanting a netbook for a while now.

Why?

It isn’t because I’m unhappy with my MacBook; I love the MacBook (especially now that I’ve taken it up to 4 GB). I love it so much that the MacBook has almost become my primary desktop machine (pushing the beige G3 down on the stack; I’m now mostly using that for word processing and updating the SDC pages). Because the MacBook has become more of a primary machine, disconnecting everything to take it on the road has become an increasingly unattractive proposition.

What about the Nokia N800? Nice machine, very handy, very useful for checking email and some web browsing. Also great for running Maemo Mapper. But the N800 has been discontinued; while there’s a pretty active open source community right now, I don’t know how well that’s going to hold up in the future. Doing LINUX development on it is possible, but painful. And I’m getting to the point where I have trouble seeing the screen unless I zoom to 120% or 150%; doing that often messes up rendering in the browser.

What I wanted was a mid-size machine that I could use as a dedicated LINUX box, with a reasonably sized display, to do various things on:

  • sharpen my LINUX skills
  • penetration testing
  • Wi-fi hacking
  • learning Python
  • brushing up on my Perl, which has become rusty.

What I really wanted was one of the ASUS Eee PC 901 machines; the solid-state drive, form factor, and pre-installed LINUX were pretty attractive. But by the time I got ready to act, these machines had more or less vanished.

“Life is compromise”, said the Buddha. Or, if he didn’t, he should have. After the jump…

(more…)

DEFCON notes: Day 2

Monday, August 3rd, 2009

Saturday was a little calmer than Friday from my perspective. Part of the reason for that may have been Adam Savage‘s talk (and the meet and greet afterwards) took a lot of folks out of circulation for two or three hours. (I didn’t go.)

More quick takes:

“Hacker vs. Disasters Large & Small”: Michael Schearer, who did the first part of the presentation, also did the Hacker In Iraq presentation. As a Naval officer, he went through SERE school, so he’s got some hands-on survival experience which makes him worth paying attention to. Schearer’s part of the presentation basically covered short-term wilderness survival (as in, “I’m cold and there are wolves after me.“) and was more practical. Renderman’s half of the presentation was a more long-term, “How do we survive and rebuild society after the Big One?”, philosophical presentation. (Edited to add: links to the final versions of the slides; Part 1, Part 2.)
Key takeaways:

  • “Hacker skills are largely compatible with the skills necessary to survive in the wilderness or during a natural disaster.”
  • “Don’t be squeamish about breaking or destroying something to help you stay alive.”
  • “You are not Jack Bauer, MacGuyver, or Survivorman; you need practice to survive.”

“Personal Survival Preparedness”: Nice guy, okay talk, mostly dealing with survival in an urban environment after some devastating event (Katrina or worse).

“Picking Electronic Locks Using TCP Sequence Prediction”: Excellent presentation, short, and scary. Brief summary: many electronic lock systems are IP based and the traffic on the network is not encrypted. This makes the locks vulnerable to a man-in-the-middle attack (to capture an unlock command) and a replay attack with a spoofed TCP sequence number (to replay the command). These attacks bypass the existing control software, so the spoofed unlock command leaves no audit trail. The author is a network admin at Texas State University; woo hoo! Greater Austin/San Marcos Metropolitan Area represent!

Sniff Keystrokes With Lasers/Voltmeters”: Two pretty amusing guys with another excellent presentation. In the first half, they presented an attack on PS/2 keyboards with very simple hardware; all you need is a slightly hacked power cord connected to a common circuit with the computer in question on one end, and an ADC plus a micro-controller (for data acquisition, filtering, and storage) on the other and viola! In the second half, they outlined a acoustic-based attack that builds on previous research, combined with microphone hardware using freaking laser beams. As the authors said, “How cool is that?”
Key takeaway: “girls will melt when you show this…”

“Bluetooth, Smells Like Chicken”: Pretty much what I expected from the summary. Using software-defined radio gear (about $1000) you can monitor the Bluetooth frequencies. Bluetooth does frequency hopping over about 79 MHz, and the software-defined radio gear can only monitor about 25 MHz (max) at one time. But you can monitor one channel and use information from that packet to actually predict the frequency hopping cycle. The authors also presented a technique that allows aliasing of the entire Bluetooth spectrum to the 25 MHz available in the radio gear they were using without compromising the ability to extract packets. Finally, they discussed Bluetooth attacks using off-the-shelf sub-$10 hardware to sample and inject data.

Key takeaway: there is no longer any such thing as a non-discoverable Bluetooth device.

0-Day DEFCON Notes

Thursday, July 30th, 2009

I like DEFCON. I like Dark Tangent personally. I like Joe Grand, the guy who has designed the DEFCON badges for the past few years.

But, guys, it looks really bad when, for the second year in a row, you run out of badges early on Thursday and have to issue temporary badges until more real ones get to the con Friday morning. You don’t even have the Olympics to blame this year. This is especially frustrating now that badge hacking is an official event/contest.

DEFCON talks I will not be attending:

“Hacking UFOlogy 102: The Implications of UFOs for Life, the Universe, and Everything.”

“Two years ago at Def Con 15, Richard [Thieme] presented Hacking UFOlogy. He supported his contention that (1) UFOs are real and (2) the data to support that statement is voluminous with numerous references and links…”

Hippie, please.

DEFCON talks I plan to attend:

“Is your iPhone Pwned”, Mahaffrey, Hering, and Lineberry. (This may be tough to get into, but it is scheduled against Dark Tangent’s intro and Joe Grand’s discussion of the badge, so we’ll see.)
“Hacking with the iPod Touch”, Willhelm
“That Awesome Time I Was Sued For Two Billion Dollars”, Scott
“Three Point Oh”, Long. (For the speaker’s reputation; I’ve heard Johnny Long speak before, and he’s someone I’d like to know better.)
“Something About Network Security”, Kaminsky. (Again, for the speaker’s reputation; Kaminsky is to TCP/IP what Musashi was to the sword.)
“Hacker vs. Disasters Large & Small”, RenderMan and Schearer
“Personal Survival Preparedness”, Dunker and Dunker
“Picking Electronic Locks Using TCP Sequence Prediction”, Lawshae
“Sniff Keystrokes With Lasers/Voltmeters”, Barisani and Bianco
“Bluetooth, Smells Like Chicken”, Spill, Ossmann, and Steward. (It looks like they’re going to talk about using software-defined radio to sniff Bluetooth, techniques for breaking the pseudo-random hopping sequence, and apparently some stuff that can be done with sub-$10 off-the-shelf hardware.)
“RAID Recovery: Recover Your PORN By Sight and Sound”, Moulton
“USB Attacks”, Vega
“Cracking 400,000 Passwords, Or How To Explain to Your Roomate why the Power Bill Is a Little High”, Weir and Aggarwal

I missed the panels on “Hacking With GNURadio” and “Hacking the Apple TV and Where your Forensic Data Lives”. Perhaps next year I need to arrive on Wednesday. If there is a next year.