Archive for August, 2011

Saturday Dining Conspiracy updates.

Sunday, August 21st, 2011

Added May, June, and July 2011.

There’s only been one SDC in August, and I need to get some information before I post that. Also, I need to back fill some information for one of the May conspiracies, and add Lawrence’s comments when he gets them to me. (This isn’t badmouthing him; he’s tied up and will get them to me as soon as he can.)

I’m thinking about converting the SDC to a more standard blog format, but I haven’t made up my mind if and how I’m going to do that yet.

That ivy-coverd burial ground.

Friday, August 19th, 2011

Chicago Cubs general manager Jim Hendry out.

The Cubs went 749-748 in his tenure.

Does anyone know if the Cubs are, officially, mathematically eliminated yet? I want to make sure my bet with Lawrence is properly settled.

(Subject line hat tip: come on, if you don’t know the words of the national anthem, what’s wrong with you? Okay, it isn’t the national anthem, but it should be. Either that, or Dave Van Ronk’s “Last Call”.)

TMQ watch: August 16, 2011.

Wednesday, August 17th, 2011

Tuesday! Tuesday! Tuesday! Nitro-burning Tuesday Morning Quarterback after the jump!

(more…)

Staplerfahrer Klaus, call your office, please.

Wednesday, August 17th, 2011

A Fort Worth man remained in custody Tuesday on at least five charges after he climbed aboard a forklift and led police on a chase that reached 16 mph and ended on Interstate 30.

The gentleman is charged with stealing the forklift (duh), drinking while driving (and that should be pretty easy to prove, since he’s also charged with throwing beer bottles at traffic), evading police, and…aggravated assault. Aggravated assault? Does that mean that he…tried to kill someone with a forklift?

Also, it is apparently not a good idea to follow a police chase and film it with your iPhone. Important safety tip there, guys.

(Subject line hattip.)

TMQ watch watch.

Wednesday, August 17th, 2011

Yes, TMQ is back. WCD is a bit tied up, but we hope to have the first TMQ Watch of the new season up tomorrow later today. We would have sworn we’d posted this last night…

Surrender, surrender, but don’t give yourself away….

Tuesday, August 16th, 2011

I am a shy and private person.

Whenever someone does the “go around the room and introduce yourself” thing, I cringe. When my turn comes up, I give the minimum amount of information I can get away with: basically name, rank, and serial number.

(As a side note, there’s a story in Chuck Hustmyre’s book, Killer with a Badge, that I find darkly amusing. Basically, the Fine New Guy brought in to head up the New Orleans PD is going around the room doing the “introduce yourself and tell us a little about you” thing, he gets to our hero, and our hero stands up and says “Hello. My name is Eddie Rantz, and I’m an alcoholic… <long pause> I’m sorry. I must be at the wrong meeting.”)

Tycho’s promotion of Google-, “the social network for narcissists”, has a certain emotional resonance for me. (Though I don’t consider myself to be a narcissist; just, as I said earlier, almost pathologically retiring.)

My resistance was never about privacy. I don’t trust Facebook, Google, or any other large corporation (as I’ve said before, anyone who trusts a large corporation, outside of the bounds of a legally enforceable fiduciary duty, should have their sanity checked), but I believe I’m smart enough to manage the privacy issues.

There was a strong element of drama avoidance going on. I didn’t (and don’t) want to water people’s Farmville crops or get caught up in all the other various interpersonal dramas that seemed to play themselves out on Facebook. Not having a Facebook account gives me what the Nixon administration called “plausible deniability”.

So  “Why did ‘mr. anti-social networking’ decide g+ was worthwhile?” to quote an email I received this morning?

Two reasons:

  1. It isn’t Facebook.
  2. A very close, very dear friend asked me to join. When I say “very close, very dear”, I mean if they came to me and said “I’m storming the gates of hell. Want to ride shotgun?” I wouldn’t even stop to pack a sack lunch.

So, yeah, I’m on Google+ now. I’ll probably add a link to the contact information. I’m following Lawrence’s policy; I only add people to my “Friends” circle if they can pick me out of a police lineup. However, the nice thing about Google+ is that I can have another circle for people who don’t meet that criterion. Indeed, I can have many circles; one for fellow bloggers, another for people I like but who would fail the police lineup test, another for family, and even another for the mothers of my illegitimate children. (Just kidding, Mom. I don’t have any. That I know about.)

The fun never stops here at WCD. Watch this space for more random G+ thoughts as they come to me.

(And thank you, again, to my friend, who shall remain anonymous to protect his/her privacy.)

Viva, viva…er, something or other.

Tuesday, August 16th, 2011

Today’s LAT brings word that MGM Resorts International wants to stage another building implosion in Vegas.

The target in this case is unusual: the Harmon tower, part of MGM’s City Center project.

Construction of the Harmon was halted after inspectors discovered problems with steel reinforcing bars in 2008. Other parts of the CityCenter complex opened in 2009.

More:

Last month, an engineer hired by MGM said in a report that a strong earthquake could fell the building, which stands between the Cosmopolitan resort and CityCenter’s Crystals mall on Las Vegas Boulevard.

I know I drove past the Harmon (because I remember seeing the Cosmopolitan) but it doesn’t stand out in my mind.

(To be fair, though, I didn’t drive the Strip as much as I did on previous trips; I was staying at the Rio, which is off-Strip, and given traffic on the Strip, I found it easier to drive Paradise or Koval to Flamingo, then go up Flamingo to the Rio.)

(Speaking of Vegas, there’s a Gilley’s in front of Treasure Island now? What the heck?)

(How common are “strong earthquakes” in Las Vegas, anyway? I don’t recall Nevada being a seismically active zone.)

Important safety tip (#5 in a series).

Friday, August 12th, 2011

If you’re going to sell “lobster salad” in your store, it is a very good idea to make sure that your “lobster salad” contains actual lobster.

No, I’m not convinced by the argument that crawfish is close enough to lobster for it to count.

DEFCON 19 update #1.

Wednesday, August 10th, 2011

Added links to the following presentations:

DEFCON 19 notes: day 3.

Tuesday, August 9th, 2011

“Earth vs. The Giant Spider”: This was described as a collection of weird, bizarre, freaky, and unusual hacks compiled by the presenters during penetration tests. I figured this would probably be a high energy, lots of fun, lots of laughs panel. I ended up kind of disappointed. Maybe high energy is too much to expect at 10 AM on DEFCON Sunday, but the presenters seemed curiously subdued. (This may have had something to do with non-functional equipment that resulted in them having to drop the live penetration test portion of the presentation.)

As for the hacks…well, okay, owning an entire country’s credit card processing (bypassing the firewall by sending packets from source port 0) is kind of cool. Getting cheap food from a restaurant chain by hacking a Javascript that communicates with a 3rd party server, and doesn’t validate data being sent from the restaurant’s website to the server? Meh. The story about cloning the support mailbox on an old ROLM PBX (default field service user ID/password) which ended up with the penetration testers doing Checkpoint support for one of the corporate users? Mildly funny. The other hacks (doing a HTTPS man in the middle attack with a self-signed certificate, and using information gathered that way to hijack a session to an external VPN by cloning cookies; high-def IP cameras with undocumented default accounts located right over keyboards, Oracle session hijacking), well, maybe you just have to have been there.

As for the “Caucasian-American love hack” (in which they were able to guess an admin’s password from his profile on an Asian-American dating site), I felt more pity for the poor admin, who was probably just looking for love (and not even in all the wrong places) rather than admiration for the penetration testers. Sorry, guys: I know your intentions were good, but this didn’t click with me. It may just have been a personal thing: YMMV.

“Seven Ways to Hang Yourself with Google Android”: An excellent presentation by Yekaterina Tsipenyuk O’Neil (Fortify) and Erika Chin (UC-Berkeley) about the major mistakes programmers making developing Android applications. Specifically:

  1. “Intent spoofing”. Basically, “intents” are a type of message Android uses for inter-application communications, intra-application communications, and system event messages. Android intents can be either “explicit”, where the intent is directed to a specific destination or “implicit”, where the destination isn’t specified and Android decides where the intent should be delivered. The issue is that many developers just use implicit intents, which makes it possible for someone to write a malicious application that creates intents requesting some sort of change in state, and send those intents to other applications that use implicit intents.
  2. SQL query string injection. Yes, you can build a malicious app that queries Android’s SQLite database and (possibly) returns data the app otherwise wouldn’t be able to see.
  3. “Unauthorized intent receipt”. Very similar to #1, except instead of requesting a change in state, the malicious app harvests information from public intents intended for other non-malicious applications.
  4. “Persistent messages: sticky broadcasts”. Android has the capability to send broadcast intents to applications (more specifically, to components of applications that are set up to receive broadcast intents). There are some issues with this. The first issue is that any application registered to receive broadcast intents will get all broadcast intents; there’s no way to restrict broadcast intents to specific receivers. It is also possible to create “sticky” intents, which hang around after they are delivered, and are even rebroadcast to new receivers that are enabled in the future. And with the proper permissions, a malicious application can also remove “sticky” intents, possibly before they are received by the intended recipients.
  5. Insecure storage. Files on the SD card can be read by the entire world. Files created by an application (which might contain things like, oh, I don’t know, passwords?) persist even after the application is deleted, and can be accessed by other, possibly malicious, applications.
  6. Insecure communications. Basically, developers need to get into the habit of acting like their mobile applications are web applications, and use similar best practices; don’t send passwords in cleartext, for example.
  7. Overprivileged applications. Developers have a tendency to request more permissions than their app really needs. For example, an application that just displays images doesn’t need the “camera” permission; only an application that actually uses the camera to collect images needs that permission. One of the interesting facts that came out of this portion of the presentation was how Android’s developer documentation handles explaining permissions and what they represent. Quoting the presenters: “Android 2.2 documents permission requirements for only 78 out of 1207 API calls. 6 out of 78 are incorrect. 1 of the documented permissions does not exist.”

(Edited to add 8/10/2011: I’ve added a link to the final version of this presentation.)

“Build your own Synthetic Aperture Radar”: So this wasn’t as dangerous as I expected (the radar is low-power) and it wasn’t quite as awesome as I expected. But this was a decent presentation on radar technology, starting with an overview of basics and proceeding onwards to discussion of a homebrew radar system.

One minor problem with this presentation was that the presenter (Michael Scarito) had converted his system to use a custom-built data acquisition board (previous versions used a sound card and MATLAB) and didn’t have build documentation for that board prepared yet. However, much of Mr. Scarito’s work is based on other work done at MIT. The slides for the talk are not currently online, as far as I know, but here’s a link to a MIT Open Courseware presentation that gives exact, step-by-step detail, parts lists, and other resources for a very similar project (cited by Mr. Scarito in his presentation).

Wireless Aerial Surveillance Platform”: UAVs are fun. UAVs that have onboard computing power to crack WEP encryption are more fun. UAVs that add the ability to spoof cellular base stations are even more fun. UAVs that have the ability to communicate with a remote server and offload heavier computational tasks (like attacking WPA) are perhaps the most fun of all. Note: the link above doesn’t go to slides, but to the build blog maintained by the two presenters (Mike Tassey and Rich Perkins). The build blog provides a lot more detail than the presentation, and includes resource links. Very well done, gentlemen.

“SCADA & PLCs in Correctional Facilities: The Nightmare Before Christmas”: Borepatch posted a few days ago about a presentation at Black Hat on SCADA vulnerabilities. You could consider this the other shoe dropping.

Summary: many prisons and jails depend on programmable logic controllers (PLCs) to do things like unlock and unlock cell doors. Usually, these PLCs are all controlled from a central control center, so all you have to do, once you find a PLC vulnerability to exploit, is to get your exploit code into the central control center.

“But they aren’t connected to the Internet, right?” Sometimes they are: the systems need to get updates, or send information to other systems, or communicate with other people (food service vendors, for example). Sometimes the systems aren’t connected to the Internet, but other systems they connect to are. (The presenters cited one example where someone was able to upload arbitrary files to the wireless system on a patrol car, and from their to a central jail control system.) Someone could carry an exploit in on a USB drive.

“But the people who run these systems don’t go out to arbitrary sites, right?” The presenters cited examples, from their personal experience, of correctional institution employees watching videos on the Internet, checking GMail accounts, etc. Friend the right correctional institution employee on Facebook…

“But they couldn’t do anything bad, right? I mean, if they open the cell door, the control panel shows it, and won’t the guards catch them?” As for the guards catching them, I remember a story from Pete Earley’s book The Hot House: Life Inside Leavenworth Prison about an inmate who got hold of some clothes and a clipboard: he walked completely out of Leavenworth posing as a prison inspector. As for the control panel showing it, the presenters demonstrated an exploit that allowed a PLC controlled switch (think a door latch) to be open, while the PLC control software thought the switch was closed. (Video of this exploit is supposed to be on YouTube, but I can’t find it right now.) And opening jail doors isn’t the only thing you could do; you could also disrupt prison operations by trying to open all the doors at once. This would cause a massive power surge, and possibly destroy the system. (Generally, the doors open in a “phased” fashion, so you’re not trying to draw that much power at one time.) Or you could force the doors locked. Imagine the Mexican Mafia subverting a prison PLC system so they can force all the door locks for cells belonging to Aryan Brotherhood members closed at once. A squirt of rubbing alcohol or some other volatile liquid into each cell, toss in a match…

(“Christ, what an imagination I’ve got.” Spot the reference, win a cheese.)

(Edited to add 8/10/2011: I’ve added a link to a white paper by the presenters that pretty well summarizes their presentation and findings.)

That concludes my DEFCON 19 roundup. As more of the presentations get online, I’ll be adding links to them, and there will probably be one or two update posts. If you attended a panel I missed at DEFCON 19, and think it is worth linking to, please feel free to mention it in the comments. Responses from presenters are also welcome, especially if I mis-represented or misunderstood a point.

DEFCON 19 notes: day 3 coming soon.

Monday, August 8th, 2011

Closing ceremonies ran a little long last night, and I went to bed pretty much immediately after they ended. I seem to be coming down with a cold or allergies or some sort of creeping DEFCON crud.

Please bear with me; I’m about to check out and leave for the airport, but I’ll have the notes for the last day up as soon as I possibly can.

DEFCON 19 notes: day 2.

Sunday, August 7th, 2011

What the well-dressed gun blogger is wearing at DEFCON 19:


Thanks, Sean!

“Safe to Armed in Seconds: A Study of Epic Fails of Popular Gun Safes“: Confession time. I didn’t just watch this panel, I actually volunteered for part of it. I don’t think that compromised  my objectivity, but better to be up front about it.

Deviant Ollam’s presentation concentrated on the smaller handgun safes, specifically the GunVault Microvault MV500, the BioBox, and the LokSAF PBS-001. Summarizing:

  • All of these safes have some sort of keypad or biometric locking system, with a keyed tubular lock as an override.
  • The Microvault and BioBox tubular locks were easy to pick with a tubular picking tool; the Microvault was a little more difficult to pick, while the BioBox basically flew open instantly. The LokSAF tubular lock was much more difficult to pick; Ollam himself hadn’t been able to pick it, but an audience volunteer managed to pick the LokSAF lock during the presentation. (Nobody had tried the Bic pen exploit on these locks.)
  • Using a long thin object, like a straightened paper clip or a lock pick, it is possible to compromise the BioBox from outside without unlocking it; basically, you can fool the BioBox sensors into thinking the device is open, which puts it into a mode that allows you to reprogram the BioBox sensor and open the safe.
  • Ollam and company were able to fool the fingerprint reader on the LokSAF, but it took some work. The basic method is to take an impression of the finger using dental alginate, then use a rubber molding compound (readily available at hobby shops) to take a cast of the impression. That cast can be substituted for a finger and used to open the LokSAF. Part of the panel was going to be a live demonstration of this using fingerprints from audience volunteers (of which your obedient servant was one); however, it took much longer than expected for the molding compound to set up, and that demo was pushed out until much later. Ollam did have video of this exploit working, though. There are some obvious questions, such as: how practical is this if you have to get a finger impression in dental alginate first? Answer: it may be possible to extend this exploit to use just a standard fingerprint, and watch for that presentation next year.

“DIY Non-Destructive Entry“: I missed this and “Battery Firmware Hacking” because I was still caught up in stuff from the gun safes panel. Sorry.

“Smile for the Grenade! ‘Camera Go Bang!’“: Nice guys, good presenters, total failure. The basic idea was to build a clone of military throwable/launchable video camera systems, using off-the-shelf parts (including the perfectly legal and not a destructive device at all 37mm grenade launcher) at a fraction of the cost. This looks like it could be a promising project, but the presenters only started working on it three months before the con, and only did their first test run the weekend before DEFCON. It didn’t go well; the powder they used to load their grenades was apparently defective, and they got no video. While it is interesting to see how small (and cheap!) wireless video cameras have gotten ($20 for the cameras they used, and $80 for the receiver), this is a presentation that should have been shelved for a future DEFCON.

“This is REALLY not the droid you’re looking for…”: From those wonderful folks who brought you Android rootkits, yet another Android exploit. Summary: because of Android’s design, and Google’s lack of strict enforcement of their user interface guidelines, it is possible to build an app that:

  • runs in the background as an Android service.
  • uses APIs from other applications to display login screens from those apps.
  • captures credentials the user enters into those login screens.
  • forwards the captured information to…say, a server in China.
  • override the normal behavior of the “back” button, so the user doesn’t suspect there is a problem.
  • and, because Android doesn’t have a standard “switching apps” visual animation, the user further doesn’t suspect there’s a problem.

This is a very high level summary; the authors went into much more detail about how to build this kind of application in their talk. And it’s not really easy to fix the problems that enable an application of this sort without changing both the Android OS and the way Google/the Android Market does things.