IT Security

Google: time to start being a little evil

September 4, 2006 von Harald Puhl

I was reading an article over at The Register, an excellent tech news site (don’t forget to check the BOFH!), that explains a plan by Google to use a microphone connected to your PC to record the ambient sound, extract information about what you are watching on a nearby TV, and then deliver targeted advertising to you based on your selection. I wonder what would they deliver if you are a horror movie fan, or if you are watching Sir David Attenborough’s nature documentaries…but I digress.

In my book, this is plain and simple espionage. There are laws in some countries (also at state level in the U.S.) that govern wiretapping and conversation recording; in some cases, recording as long as you have the consent of one of the parties involved is OK, in others it is just plain illegal. Of course, Google would argue that they do not send the actual sound anywhere, but only a mere derived “signature”. Jim Atkinson’s tscm.com site has some really good information on the subject, as he has been dedicated to hunting down the spies for decades.

All this brings me to a new subject, which is the amount of information that Google may already be collecting about you – personally. Do you have a Gmail account? Do you know about something called Google Analytics? Some of you will have already put two and two toghether (answer is not three). Gmail privacy statement mentions:

Google scans the text of Gmail messages in order to filter spam and detect viruses, just as all major webmail services do. Google also uses this scanning technology to deliver targeted text ads and other related information. This is completely automated and involves no humans.

OK, so they have the contents of every email you send and receive, classified in terms of what sort of things you may buy if they present you with targeted advertising. On the other hand, Google Analytics is a statistics tool widely used by people and companies to track usage of their websites with a great deal of precision. Information collected by Analytics includes the IP addresses of visitors, every action they take, and every navigation path they follow.

Now, combine the two bits of information common to your Gmail account, and somebody.com’s tracking data of your browsing session – the IP address used to send the email, or to browse the site. It can be argued that in many cases, these IP address can be dynamic, or belong to a large organization behind a proxy – but hey, Google is now potentially handling millions of bits of statistical data, so they could eventually learn a great deal about what you do online. Now they only need what you are watching on TV, and your assimilation will be complete. Resistance is futile.

Can anyone say separation of powers? If you are really concerned about your privacy, you probably know what this will do, once placed in your hosts file:

# [Google Inc]
127.0.0.1 www.google-analytics.com
127.0.0.1 ssl.google-analytics.com

If you don’t, then welcome to the era of privacy deprivation..

[Edit: I have changed the post’s title, as it looks like the strike tag was causing problems with indexers…sigh]

Downloading music over the SGAE’s WiFi

August 30, 2006 von Harald Puhl

The SGAE (Sociedad General de Autores y Editores, or General Ass. of Authors & Editors), is Spain’s equivalent of the RIAA. I was rather amused by this video, where a couple of members of a TV show attempt and succeed at connecting to the SGAE’s WiFi network (it had no encryption enabled!), and download music – alledgedly pirated. They then add an extra twist by actually walking into the SGAE’s offices and asking to see someone, laptop in hand, saying they have just had an attack of good will and want to turn themselves in…

The audio is in spanish, but you will get the general idea even if you don’t understand the talk. My oppinion is that they shouldn’t have done this, as connecting to WiFi networks without the owner’s permission is illegal in most countries, Spain included – so they have actually provided potential prosecutors a perfect piece of evidence.

My Boeing 767 runs Linux, and yours?

August 20, 2006 von Harald Puhl

This was seen on a Boeing 767 while en route from Las Vegas to Atlanta, the flight being operated by Delta. Apparently, many people were having problems with their purchased movies, and so the crew decided to reset the system, provoking a nicely familiar sight.

Now we could all start making jokes about nmapping the plane, or trying to run Asterisk off a USB drive plugged into the management console, which by the way was accessible to anyone who wandered to the toilet and happened to look left. It had a nice big “Reset all” button too, two USB ports, and a gigabit etherenet RJ45. I just hope they don’t run a kernel with some remote_crash_plane() buffer overflow exploit…

DEFCON 14 – A hacker’s paradise

August 20, 2006 von Harald Puhl

I have just returned from a vacation, interluded by a couple of trips – one of them to DEFCON, the world’s largest hacker conference. This year, it ran at the Riviera hotel and casino in Las Vegas at the beginning of august.

There was plenty to see and do, from conferences as interesting as war-rocketing to an insight into the US-VISIT program, and it’s plans to implement RFID tags into the green visa waivers, or the 2D barcode receipts given out at airports.

I participated in the wardriving events, organised by Thorn, and which consisted of the Running Man and Fox Hunt competitions. Our team was led by Renderman, and we had some backup that put up some noise (fake APs, floods, etc.) to make the contest more interesting.

The Running Man started well, but unfortunately the other team tripped casino security by walking past their booth with a magmount omni antenna on each shoulder, a laptop, several WiFi cards dangling from their belts, a YellowJacket, and other gear – apparently, the IT guys freaked out, and they wanted the contest shut down. After the intervention of Ross and Priest, we were allowed to carry on, but limiting the search area to the venue, and not the whole casino. After the contest resumed, we found the Running Man in around 15 minutes, and won!

The second contest, Fox Hunt, consisted of a hidden WRT54G that was only on for 15 seconds every minute. One was supposed to locate the fox, connect to it, and change the SSID after brute-forcing admin account. 15 seconds to do all that is not a lot! So, our plan was to locate the fox….and make a run with it to a safe place, so we could kill the 15 second timer circuit, reduce the amount of RF leaking out and have a go at changing the SSID. The first part of the plan went well, but then the other team got slightly miffed, called Thorn, who in turn called us to go back to the contest table with the WRT so the other team could also have a go at it.

Interestingly, Thorn had taped the admin password to the bottom of the router, but neither team noticed it! In fact, the other team ended up brute-forcing the AP and changing the SSID. We contested that since when we removed and reapplied power to the AP, the SSID went back to its default, we had in fact won, but Thorn wasn’t having any of it. The contest was a tie, which was decided by the question “Who owns the OID 00:00:00?”, the answer to which is Xerox. We got it wrong, and so we lost. Next year we will be better prepared for sure.

Here are a few pictures from the event:

215968623_41bb4d0a52

Thorn and Renderman giving their presentation on the Church of Wifi, with CoWPatty, the WPA rainbow table generator, and the WRT54G mods, which included my WaRThog.

215972088_93d246f6a7

The war-rocketing guys, and their awsome rocket. I wonder how they got that thing past airport security.

219943777_5f1822fcfd

The WaRThog on the left, with two more of CoWF’s modified WRT54Gs.

219943269_35eee99859

If you used DEFCON’s wireless network to check your email, access your corporate network, etc., but didn’t use any form of security (VPN, SSH…), you are bound to be in the Wall of Sheep. It displays captured user names, passwords, domains and access methods – I actually had the two colleagues travelling with me show up here, even though I told them to not even open their laptops while at the con.

See you next year!

Vodafone, security, and revenue

Juni 1, 2006 von Harald Puhl

Do you work a lot while on the road? If you use Vodafone’s GPRS/3G data service, it could be costing a lot more than you think.
You surely heard about Vodafone blocking Skype on their mobile network in the UK, with T-Mobile following suit, all in the name of ‘fair use’ and distribution of network resources. Supposedly, using Skype instead of downloading MP3s can make their network grind to a halt…let’s just move on.

I was involved in a project about a year ago, the goal of which was to write an IP stack for an embedded device. The approach was to write the stack in an easy-to-debug higher level language on a PC, then port it to the device. So, I went ahead and started writing the PPP code, aided by a GSM modem and a Vodafone SIM card with GPRS enabled.

To my surprise, as soon as the PPP session was established, a public IP address was given by the network, and packets started arriving. Curious about what this data was, but already suspicious of what it could be, I wrote a quick-and-dirty TCP decoder, and rightly so, the misterious packets were nothing more than the usual flurry of port scans any device attached to the internet is receiving all day long. NetBIOS ports, common trojans, SSH, you name it, it was all coming in.

It was obvious that the security implications of these port scans were just as if the internet connection was coming from a DSL line – but there was a twist. GPRS fees are paid for downloaded data, but what is the definition of downloaded data? Is it just the data portion of a TCP or UDP packet? Is it the whole packet? Thus, were you actually paying for these port scans, and even for getting hacked?

“Vodafone customer support, how may I help you?”

Turns out they couldn’t help me much. Not even the technical department understood what I meant by port scans, or ‘rogue’ data coming from the internet and being charged for it. I escalated and called the UK support line, and finally got someone to admit that they don’t perform any form of filtering, “for technical reasons, as it is something very difficult to accomplish”. Besides, they were sure some customer might want their NetBIOS ports open for the whole internet to see.

Fast-forward to 2006…and they are blocking Skype. If someone can come up with a decent explanation, other than they only block data harmful to their revenue, I’d be glad to hear it. They don’t care if some kiddie hacks into your computer, and turns it into a file dump, as long as you pay for the traffic. Alas, if you touch their voice revenue with a VoIP application, they will go to any length to “protect” you.