Saturday, January 26, 2008

usb key evil tools

In the movies "hackers" plug devices into computers and progress bars appear showing "downloading". This is not reality. Below are two tools that are reality. USB keys can be used to silently install, retrieve, and email keyloggers.
USB Switchblade
"The goal of the USB Switchblade is to silently recover information from a target Windows 2000 or higher computer, including password hashes, LSA secrets, IP information, etc... "

USB Hacksaw
"The USB Hacksaw is an evolution of the popular USB Switchblade that uses a modified version of USBDumper, Blat, Stunnel, and Gmail to automatically infect Windows PCs with a payload that will retrieve documents from USB drives plugged into the target machine and securely transmit them to an email account."

Monday, December 10, 2007


If you don't know about airpwn, then you're missing out on some funny. Remember kids, the "man in the middle" attack is sometimes very very disturbing!
Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch as 31337 h4x0rz got goatse up in their mug. The configurations were:

HTTP goatse, 100% of the screen
HTTP goatse replacing all images
HTTP goatse as the page background via CSS
HTTP tubgirl replacing all images
HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures)
HTTP javascript alert boxes, letting people know just how pwned they were
FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)

Sunday, December 9, 2007

Off the record messaging (forward security)

Interesting concepts, especially forward security

The idea here is to have secure messaging with a few more benefits than have been available by encrypted chat (offered by gaim and many others for several years). It's supported by everyone's favorite client, Adium X. One of the problems with other methods of encrypted conversations is that they were all authenticated with the same key, so that if your machine is ever compromised the attacker can now read all your past conversations. Also, if your machine is compromised, you cannot deny having said what you said since it was signed with your key.

OTR messaging uses crazy math to ensure that each conversation is encrypted with a different key derived from the same original secret key. Therefore, a captured private key cannot be used to decrypt previous messages, but you know the current conversation is authenticated because all the subkeys must have been made with the original key. (This is part of the gpg specification.)

AdiumX is available as a download beta with OTR built in.
I used to use encrypted chat but only 3 of my friends had compatible versions, so unless this were to gain traction amongst a high proportion of your friends, it is probably not very useful. However, the novel abilities of OTR would be nice to see in other products.

Imagine someone capturing your secret key and having the ability to decrypt all your previous communications. That's what happened to the Nazis when they got lazy and started reusing keys.
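The difference between a design where a captured long-term key opens old traffic and one with forward security, as an added example that is not from the original post or from the OTR project. Assumptions: a toy prime modulus, an HMAC with a shared long-term key standing in for the public-key signatures a real protocol would use, and hypothetical names (`Party`, `demo`).

```python
import hashlib, hmac, secrets

P = 2**127 - 1   # toy prime modulus (assumption: demo only, far too small for real use)
G = 3

def kdf(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def enc(n):
    return n.to_bytes(16, "big")

def mac(key, pub):
    return hmac.new(key, enc(pub), hashlib.sha256).digest()

class Party:
    """The long-term key only authenticates; the session key comes from a throwaway secret."""
    def __init__(self, long_term_key):
        self.long_term_key = long_term_key
        self.ephemeral = None

    def offer(self):
        self.ephemeral = secrets.randbelow(P - 2) + 1      # fresh secret per conversation
        pub = pow(G, self.ephemeral, P)
        return pub, mac(self.long_term_key, pub)           # authenticated public value

    def finish(self, peer_pub, peer_tag):
        if not hmac.compare_digest(mac(self.long_term_key, peer_pub), peer_tag):
            raise ValueError("unauthenticated key offer")
        key = kdf(enc(pow(peer_pub, self.ephemeral, P)))   # Diffie-Hellman shared secret
        self.ephemeral = None                              # forget it once the key exists
        return key

def demo():
    ltk = secrets.token_bytes(32)
    # Design A: session key derived directly from the long-term key and a public nonce.
    nonce = secrets.token_bytes(16)
    key_a = kdf(ltk, nonce)
    # Design B: ephemeral Diffie-Hellman, authenticated with the long-term key.
    alice, bob = Party(ltk), Party(ltk)
    a_pub, a_tag = alice.offer()
    b_pub, b_tag = bob.offer()
    key_b = alice.finish(b_pub, b_tag)
    assert key_b == bob.finish(a_pub, a_tag)
    # Later compromise: the attacker holds ltk plus everything that crossed the wire.
    recovered_a = kdf(ltk, nonce)                  # design A: same inputs, same key
    guess_b = kdf(ltk, enc(a_pub), enc(b_pub))     # design B: key_b needs a deleted secret
    return {"static_recovered": recovered_a == key_a,
            "ephemeral_recovered": guess_b == key_b,
            "ephemeral_secrets_left": alice.ephemeral is not None or bob.ephemeral is not None}
```
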

Tuesday, December 4, 2007

How to build a kitchen timer

Check out these circuit diagrams. What? It's a kitchen timer. What did you think it was?

The guy from has lots of great projects.

It's a kitchen timer. Use it to time spaghetti, or maybe an egg. It uses two PICs, one acts as a keyboard encoder, the other drives the display and supports the timer functions. You key in the desired time and press '#'. It's accurate to 1/100th of a second, which can make all the difference I'm sure you'll agree

Also, the duct tape is critical to its operation! Let me know when you attempt to bring one of these on board an airplane!

Radio scanning in Louisiana, frequency lists available

(Current list that I use.)
(Current list of open channels of all kinds of businesses and agencies)

Louisiana is supposed to be switching over to the Louisiana Totally Interoperable Environment (LATIE) system for all police, fire, EMS, etc radio communications. Some parishes are up and running, and some are taking their time. Listed at that link are frequencies and ID codes for State Police, local police, and basically every other LATIE equipped department. Please note that Lafayette Parish has switched over to encryption with their systems. To listen to LATIE traffic you must have one of two different models currently available. The Uniden BCD369T handheld going for $300-500, or the super bad-ass Uniden BCD996T which is basically sentient.

Here is the forum for LATIE related questions for hobbyists:

My personal belief is that encryption is too difficult for the state guys to even mess with for at least one more generation of gear. Most agencies will continue to use the easiest, cheapest, oldest, and least secure methods of communication until they are forced to adhere to some new minimum requirement. This is good for those of us who want to hear them talk (including reporters, news channels, and any hobbyist.)

I've compiled a massive list of currently used, non-trunk frequencies of everyone from the cops to McDonald's and drive-throughs, and LSU services, available here below the fold. Please enjoy.

If the cops are going to be blasting their radio waves directly into my apartment, then they have no right to complain that I decide to listen to them.

Sunday, December 2, 2007

Mac Users: Set Your File Vault Master Password

Since this blog is, at least in part, about bringing to your attention possible security threats, I'll make my first post here about a threat I recently thought up.  I mentioned this to a friend and, the more we discussed it, the scarier it seemed.  Luckily, there's a simple fix.

The threat in question is the threat of an unset Master Password on your Macintosh's File Vault. Now, many of you are like me, and have been so scared reading about File Vault that you don't currently intend to ever turn it on. But, at the very least, you should set a Master Password in the File Vault preferences pane (System Preferences > Security > File Vault). Doing so will NOT turn on File Vault.

Why, you ask?  Well, I suppose that depends, in part, on where you're using your computer.  Mine, a Powerbook G4 running Leopard, stays open on my desk all day.  I'm a graduate student at a university, and my desk is in an office I share with many others.  The office itself remains open during the day and so passers by theoretically have direct access to my machine.

I regularly leave it there, protected by a laptop lock, and go get coffee, teach lab, or take a walk.  In addition to this physical protection, I've recently disabled automatic login and turned on password requirements to wake the computer from sleep or screen saver (both in System Preferences > Security > General).  I've also made an encrypted disk image (using Disk Utility) that contains all of my sensitive data.  This encrypted disk image means that even if someone gains physical access to my machine with the login passwords down, my most sensitive data is safe from prying eyes.  But despite all of these measures, the File Vault Master Password is another security hole that is too easily plugged to risk ignoring it.

It's an unlikely scenario, but one in which you would be completely fucked if it were to occur.  Let's say I'm off getting coffee and my officemates are off doing whatever they are doing.  Now further assume that in a moment of forgetfulness, I left my computer open and didn't trigger the screen saver.  A person with malicious intent could walk in before the screen saver automatically starts and, unopposed, access the File Vault Preferences.  If the Master Password is unset, they could set it themselves and trigger File Vault to lock up my home directory.  I would come back from coffee to an unusable machine in which all of my precious personal data, including any encrypted disk images that I put sensitive stuff in, was encrypted with a key that I did not possess.

While it's true that the antagonist still shouldn't have access to my most personal data, because it's in the encrypted disk image that I never mount unless I'm actively using, it would deny ME access to my own data, which is almost as bad.

I admit, it's an improbable happening, but one that, nonetheless, remains well within the realm of possibility and for which the countermeasures are far too easy to justify ignoring.  If you set the Master Password, then you and your computer are safe from would-be practical jokers or evil office trolls who might encrypt your home directory without giving you the key.   Having the Master Password set doesn't require you to turn File Vault on, but it does allow you to turn it off if someone else turns it on.  And, if that's not enough of an incentive to make you take action, I don't know what is.

Friday, November 30, 2007

WEP Cracking with kismac (you can't hide)

A friend recently informed me that he would be securing his wireless network with WEP encryption and hiding his SSID. While this is a good idea and will deter 99.99% of evil crax0z, it's important to remember that WEP is not safe.

In this video we see someone crack a WEP network and recover the password in 10 minutes, even though the SSID is hidden. They use the excellent tool kismac, which is great for casual wardriving as well as packet interception and WEP cracking.

Remember, security through obscurity only works if you are actually obscure!

And a great article on preventing hacks by running software so ancient that nobody remembers how to hack into it. Security through obsolescence. Even the article is old.
"I have one box still running a version of Solaris that's so old none of the script kiddies can figure it out," Brian says. "They tend to focus on the latest and greatest, and don't have the slightest idea how to handle my old Sun box."
Brian points out that some of the most secure Department of Defense Web sites -- ones that don't make headlines by getting cracked all the time -- run old versions of Mac OS and the venerable WebSTAR server suite."

Wednesday, November 28, 2007

Copy the key. Make a good first impression.

Copy a key using a soda can, copier, scissors.

You can easily get the master key for a building by asking the secretary to borrow it because you "forgot your X in room Y."
Social engineering. Learn it, love it, design against it.

Monday, November 26, 2007

The Death of Facebook

Cory Doctorow, eminent SF Author and contributor to BoingBoing finally tells about the billion dollar elephant in the room.
*disclaimer. I used to think Cory Doctorow was a publicity hungry SF faker, but after reading his work, I recognize his brilliance. The man can write. He is no poseur.

There is a reason that LiveJournal faded, and Blogger, and MySpace is on the way, and Friendster, and Linkedin, and Orkut, etc. Facebook is this week's boring rehash.
Everyone googles themselves, no one wants to be googled. You want to be found by long lost friends but you don't lose touch with long lost friends, you lose touch with creepy weirdos that you maybe kinda liked to hang out with, but now you'd rather save the energy and just not talk to.

Except you get a friend request. Then you're an asshole for saying no. So you start signing in less frequently because this person who you kinda liked to hang out with, but you don't really interact with anymore is now part of your "friends list" and you see every goddamn message they post. You can't escape me, I can't escape you, neither of us politely.

Let's all pretend that we're not "that guy". Right. You're "that guy" to somebody.

Facebook is a waste of your time and everybody's money. Close your account. In 10 years, all these undergrads will wonder why they wasted 6 hours a day on some stupid facebook garbage when they were missing out on college life. Oh well. C'est la vie.

Saturday, November 24, 2007

Firefighters sidestep the 4th amendment


What scares me is not the sentiments of the author, nor the mainstream publication, but the blind obsequious acceptance. Only DoubleThink could allow someone to even write these words in the US. I do not fear the Authoritarians. I fear their followers. These are they. Let's fisk.
Unlike police, firefighters and emergency medical personnel don’t need warrants to access hundreds of thousands of homes and buildings each year, putting them in a position to spot behavior that could indicate terrorist activity or planning
You say this like it's a good thing.
Since the Sept. 11, 2001, terrorist attacks, Americans have given up some of their privacy rights in an effort to prevent future strikes.
We did not give them up. They were taken from us.
The American Civil Liberties Union says using firefighters to gather intelligence is another step in that direction.
Ok, wrong analogy, how about Fahrenheit 451. Burning forbidden knowledge via firefighters? Check!
“They’re really doing technical inspections, and if perchance they find something like, you know, a bunch of RPG (rocket-propelled grenade) rounds in somebody’s basement, I think it’s a no-brainer,”
Srsly. Does that happen often? Has any firefighter ever found an RPG in someone's burning down house? Call up the Malibu guys; no I'll wait. Srsly. I mean.. who the hell writes sentences like that? "But what if we found a buncha RPGS in a basement." That's actually what he said. Is this an epidemic?
said Jack Tomarchio, a senior official in Homeland Security’s intelligence division.
Oh well that explains everything. FAIL.
When going to private residences, for example, they are told to be alert for a person who is hostile, uncooperative or expressing hate or discontent with the United States; unusual chemicals or other materials that seem out of place; ammunition, firearms or weapons boxes; surveillance equipment; still and video cameras; night-vision goggles; maps, photos, blueprints; police manuals, training manuals, flight manuals; and little or no furniture other than a bed or mattress.
Fact. You have described every engineering student in the USA.
They list 19 criteria. I would fall under 17 of those.

Clearly I am a terrorist. Me,
and the cat.
(For those playing at home, I would behave or own the following in a private residence: 1) hostile, 2) uncooperative, 3) expressing discontent with the US, 4) unusual chemicals, kinda vague eh? 5) materials out of place, 6) ammunition, ye gods tons of it. 7) firearms, boy howdy 2nd Amendment. 8) weapons boxes, they send ammo in these. 9) surveillance equipment, I have a police scanner and some mirrors. 10) still and video cameras, who doesn't have these? 11) night vision goggles, they're fun. 12) maps, of my city, in my car, 13) photos, 14) training manuals, vague as hell, but yes. 15) I have a book on Cessnas. 16) little or no furniture? hi all college males.)

“We’re there to help people, and by discovering these type of events, we’re helping people,”
Wow. Whatever makes you sleep at night buddy.
And the fire service is also represented in at least 13 state and regional intelligence “fusion” centers across the country — where local, state and federal agencies share information about terrorism and other crimes.
Bruce Schneier specifically warned about these "fusion" centers and mission creep. It's like reading tomorrow's newspaper.
“So we see things and observe things that may be useful to law enforcement,” he said. “We can walk into your house. We don’t need a search warrant.”
Yeah Bob, that's kinda the problem. See.. the 4th Amendment. You are an authoritarian follower.
But Cade said that until recently, there’s been no mechanism for fire departments to share what they learn with law enforcement and intelligence analysts who could use it.
Fire departments are unable to use telephones? Riiiiiiiight.
Homeland Security said if its program with New York is expanded across the country, civil rights and civil liberties training would be included.
Yes. DHS is such a huge defender of civil liberties. Heckuva job DHS.