Technik News

The blog about IT, mobile communications & Internet

Security

My Boeing 767 runs Linux, and yours?

August 20, 2006 by Harald Puhl

This was seen on a Boeing 767 while en route from Las Vegas to Atlanta, the flight being operated by Delta. Apparently, many people were having problems with their purchased movies, and so the crew decided to reset the system, provoking a nicely familiar sight.

Linux on a plane

Now we could all start making jokes about nmapping the plane, or trying to run Asterisk off a USB drive plugged into the management console, which by the way was accessible to anyone who wandered to the toilet and happened to look left. It had a nice big “Reset all” button too, two USB ports, and a gigabit Ethernet RJ45. I just hope they don’t run a kernel with some remote_crash_plane() buffer overflow exploit…

DEFCON 14 – A hacker’s paradise

August 20, 2006 by Harald Puhl

I have just returned from a vacation, interspersed with a couple of trips – one of them to DEFCON, the world’s largest hacker conference. This year, it ran at the Riviera hotel and casino in Las Vegas at the beginning of August.

There was plenty to see and do, from conferences as interesting as war-rocketing to an insight into the US-VISIT program, and its plans to implement RFID tags into the green visa waivers, or the 2D barcode receipts given out at airports.

I participated in the wardriving events, organised by Thorn, and which consisted of the Running Man and Fox Hunt competitions. Our team was led by Renderman, and we had some backup that put up some noise (fake APs, floods, etc.) to make the contest more interesting.

The Running Man started well, but unfortunately the other team tripped casino security by walking past their booth with a magmount omni antenna on each shoulder, a laptop, several WiFi cards dangling from their belts, a YellowJacket, and other gear – apparently, the IT guys freaked out, and they wanted the contest shut down. After the intervention of Ross and Priest, we were allowed to carry on, but limiting the search area to the venue, and not the whole casino. After the contest resumed, we found the Running Man in around 15 minutes, and won!

The second contest, Fox Hunt, consisted of a hidden WRT54G that was only on for 15 seconds every minute. One was supposed to locate the fox, connect to it, and change the SSID after brute-forcing the admin account. 15 seconds to do all that is not a lot! So, our plan was to locate the fox... and make a run with it to a safe place, so we could kill the 15 second timer circuit, reduce the amount of RF leaking out and have a go at changing the SSID. The first part of the plan went well, but then the other team got slightly miffed, called Thorn, who in turn called us to go back to the contest table with the WRT so the other team could also have a go at it.

Interestingly, Thorn had taped the admin password to the bottom of the router, but neither team noticed it! In fact, the other team ended up brute-forcing the AP and changing the SSID. We contested that since when we removed and reapplied power to the AP, the SSID went back to its default, we had in fact won, but Thorn wasn’t having any of it. The contest was a tie, which was decided by the question “Who owns the OID 00:00:00?”, the answer to which is Xerox. We got it wrong, and so we lost. Next year we will be better prepared for sure.

Here are a few pictures from the event:

Thorn and Renderman giving their presentation on the Church of Wifi, with CoWPatty, the WPA rainbow table generator, and the WRT54G mods, which included my WaRThog.

The war-rocketing guys, and their awesome rocket. I wonder how they got that thing past airport security.

The WaRThog on the left, with two more of CoWF’s modified WRT54Gs.

If you used DEFCON’s wireless network to check your email, access your corporate network, etc., but didn’t use any form of security (VPN, SSH…), you are bound to be in the Wall of Sheep. It displays captured user names, passwords, domains and access methods – I actually had the two colleagues travelling with me show up here, even though I told them to not even open their laptops while at the con.

See you next year!

My smelly trip from Romania, and why deodorants are more dangerous than lithium batteries (not!)

July 31, 2006 by Harald Puhl

Last week I had to go to Romania for a meeting with a team of coders, landing at Cluj-Napoca on Tuesday. Scheduled to return on Wednesday, I duly turned up at the airport by 08:00, joining the long line leading to the security checkpoint. Wait. A long line? We’re talking about an airport with a single runway, one transfer bus (you could actually walk the 50 yards to the plane, but hey, if they have it they might as well put it to some use!), about a dozen flights a day, all of them small turboprops with a capacity for around 60 people – which usually fly half empty.

So, what was the reason for the holdup? An overzealous security guard, who stared at each bag on the x-ray monitor while squinting his eyes as if it would bring more detail to the picture. After the long radioactive scrutiny, he would open the bags, shout a few things to their owners, and sometimes pull things out of them. Dangerous stuff such as sticks of SEMTEX, I thought.

When my turn arrived, some forty minutes later, I was curious as well as annoyed about what was captivating this guard. I should have guessed. Romania must have a healthy black market for... spray deodorants. My tiny Nivea sample spray tin was also taken, with a bad boy stare from the guard.

According to international safety regulations, flammable sprays are not allowed on board aircraft (albeit agencies such as the TSA allow toiletries in small quantities), just like dangerous chemicals, explosives, live ammunition, and a whole bunch of other nasty stuff. This guy had the right to take away my little piece of odour-fighting equipment – but was it really necessary to do so? I had almost calmed down, fearing I would miss my connection at Vienna, when I noticed the also tiny duty-free shop, which looked recently refurbished. On a closer look, they were selling... yep, you guessed it – a truckload of flammable products, from large hair sprays ten times larger than my former deodorant, to cologne with a high alcohol content. I could have just bought one and carried on with my world domination plans just as well, but all I wanted was to get to Vienna.

This got me thinking about the recent hubbub about exploding Dell laptops, basically when their batteries vented with flame and smoke, as it is technically defined. Laptop batteries are made of lithium-cobalt, or more recently, lithium-manganese oxide. This type of chemistry is very efficient at holding charge, and making it available at high rates, without damage or aging to the battery. The drawback is that they are very dangerous. A lithium battery can explode violently, sending chemicals and debris out at high speed and causing a lot of damage. They can also vent with flame and smoke, as seen in Dell’s promotional footage. For a great explanation of battery technologies, visit the Battery University.

The TSA officially allows laptops and their batteries in both checked and cabin luggage, so do we have to worry? If you ever find yourself sitting next to a burning laptop on a flight, take this comforting thought with you: there is nothing on the plane that can put out a lithium chemical fire.

Happy flying!

RFID Security

May 30, 2006 by Franz Hieber

RFID, which stands for Radio Frequency Identification, is ubiquitous in our lives. We find RFID tags in our library books, groceries, consumer goods and printer cartridges, and they are even implanted into people’s bodies.

The basic principle behind RFID is that a simple, passive device responds to a burst of RF with a unique number, which can be used to identify the object to which the device is attached. There are many types of tags, and some of them can even be written to. When I have the time, I will write an in-depth article on this subject.

RenderMan, Thorn and Audit have written a book on this topic, titled RFID Security. You can get this book at Amazon.com. RenderMan is very active in the Church of WiFi; Thorn has participated in other books, such as Wardriving: Drive, Detect, Defend. Audit is a very active moderator of the Netstumbler forums, hosts personalwireless.org, and also participates in many WiFi-related projects.
