Dave Bullock / eecue

photographer, director of engineering: crowdrise, photojournalist, hacker, nerd, geek, human

Blog

New Borat Trailer

After our most excellent 17 mile bike ride through the fake downtown of Huntington Park which Mack Reed describes so wonderfully, Sean Bonner mentioned that there was a new Borat Trailer before Snakes on a Plane. I found it here on Yahoo, it's nice... I like.

Blog

RPA Photo Use

My photography has been published before in a local music rag called Jointz Magazine. I was excited to find out that one of my protest photos (shown below) will be published in a report about American population growth and land use trends for a New York based not-for-profit organization called the Regional Plan Association. I will post a copy of the report once it prints.

Protesters

Blog

Lightfoot Hawkins

Where are you man? We were good/best friends in High School. I can't seem to find you on the web except for this photo of you from 1996. If you stumble across this let me know!

baby hawk? hawk okonomiyaki okonomiyaki sauce okonomiyaki spicy tofu sausage tofu pate tofu shumai and tofu croquettes turkey tofu meatball sandwich
Blog

Subverting Vista Kernel For Fun And Profit

Joanna Rutkowska

Joanna Rutkowska gave a highly informative talk at Black Hat called "Subverting Vista Kernel For Fun And Profit." In the first part of her talk, she demonstrated an attack on Vista's code signing feature that requires any code that is loaded into the kernel to be signed by Microsoft. Her attack did not take advantage of an implementation bug or a vulnerability, but instead used the built in raw disk write access to change a few lines in the pagefile. Once the pagefile was altered and the changed data was read back into memory she was able to load any code she desired into the kernel. She stated that this didn't mean that Vista was insecure, just not as secure as Microsoft says.

I talked to her for a few minutes today about her talk and asked if she was going to be releasing the code, and she said she didn't see the point of doing that. Her goal was not to provide people with a way to hack systems, but to alert the community and Microsoft of a flaw in the system. She also mentioned that she is in active informal discussions with Microsoft and they are aware of the problem and the potential solutions she laid out in her talk, but she didn't want to comment on what they were going to do about it.

Joanna Rutkowska

The second part of her talk covered a proof of concept root kit called Blue Pill that takes advantage of the extremely powerful new virtualization features in the new 64 bit AMD processors. Blue Pill takes a running operating system and completely virtualizes it beneath a Hypervisor which can then be used to intercept certain system calls and execute arbitrary code nearly completely invisible to the user. As the system is truly virtualized on the processor level and not in kernel and userspace, the virtualized system has direct access to the hardware (except for calls the hypervisor is intercepting) and detection would be non-trivial to say the least. Although she did her research on the AMD processor, she said the same attacks would be possible on the new Intel chips, although their virtualization implementation was not as powerful.

where do you want to go today?

Blog

Hardware Hacks and Cracks with FPGAs

FPGA Array

"Faster Pwning Assured: Hardware Hacks and Cracks with FPGAs" with David Hulton & Dan Moniz. I didn't stay for this talk, as I'd seen Hikari's original talk at LayerOne a couple years back, but I did get a couple shots of him and the expanded setup of FPGAs.

Hikari, David Hulton

Blog

Xerox Multifunction Device In Your Network?

Brendan O

Brendan O'Connor gave a talk called "Vulnerabilities in Not-So Embedded Systems" about how easy it is to take over the computers that run the Xerox Multifunction Devices. Basically he wants people to treat these supposed embedded systems as servers which they really are. Through his research he found that the Xerox systems didn't have the GRUB boot loader locked down with a password so he was able to gain access to the system and basically do whatever he wanted with it. These systems are dangerous because they are full linux systems, but the user doesn't have access to it so they are unable to secure it. As you know services are constantly being found to be vulnerable and relying on a technician to come and patch your copier isn't going to keep your network safe. It would be wise for vendors to allow users access to these systems so that they can keep them safe.

Blog

Breaking AJAX Web Applications - Black Hat 2006 Day 2

Alex Stamos

Alex Stamos and Zane Lackey gave a talk at Black Hat called "Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0". As AJAX evolves from a toy used by teenyboppers to a serious tool used by banks, hospitals and uncle same, it becomes more and more important to ensure bug free code. AJAX has changed web attacks by exposing the use of frameworks used by the applications via included .js files which expose supported calls. Cross site scripting becomes more complicated as you can inject script into the javascript stream. Injection attacks are also more dangerous due to front ends that are exposed in the client side code. Business logic in applications has become more complex so parameter manipulation vulnerabilities are still excellent attacks.

XSS becomes more complicated and more interesting because you can just put javascript right into a running javascript engine, which becomes harder to escape as you're no longer looking for brackets and tags.

Because your browser is running a javascript application, if an attacker sends you rogue code, in say link form in your cool AJAX email app, your browser will run the code sent in the webmail application instead of loading it in a new page and then the attacker would be sent your authentication cookie. The attacker would then have access to your web mail. The speakers used the fictitious company Webmail.com in this example, and when asked about gmail they responded that they have more lawyers than webmail.com, but it was pretty clear the attack they were talking about was possibly on gmail.

Dynamic script nodes allow attackers to embed malicious javascript in a website that would allow a cookie from any site to be pulled because browsers allow cross domain XmlHttpRequests, this is very bad!

Blog

State of Disclosure Panel

Jerry Dixon

The big vendors are more willing to talk to the researchers and the end users are more apt to work with the vendors. Most vendors are very cooperative about security issues and disclosure. The Cicso incident has made big vendors more willing to work with end users and security researchers, and all in all the incident was good for the security industry. Large customers of big vendors want earlier disclosure information to be shared with them before the smaller customers, but the consensus is that early disclosure for big customers is a bad idea, even to the point of not giving preferred treatment even to internal networks and devices. A very large part of the discussion involved when vendors have a vulnerability and not a fix. There was no clear consensus on this topic, but the vendors felt they shouldn't disclose a vulnerability unless they have a fix for it except in extreme circumstances. Vendors don't want to draw attention to a flaw that people don't know about, so they aren't likely to disclose. One of the best things is that vendors are talking more, talking to researchers and working together to fix problems.

Blog

BlueBag - Mobile Covert Bluetooth Attack and Infection Device

BlueBag

I missed Claudio Merloni and Luca Carettoni's talk about their cool suitcase based bluetooth hacking system named BlueBag, because I was fighting an epic battle with a cruel hangover this morning. I did get a chance to talk to them and photograph the bag up close in the press room. The system inside is a low powered Micro-ATX motherboard running Gentoo Linux and the custom software that does the actual hacking will be available soon on their website. The system can detect and attack bluetooth devices from distances of over several hundred feet thanks to the built in amplifiers and the attacker can access the BlueBag system via a laptop remotely. The BlueBag has a side effect of knocking out 802.11b within about 10 meters due to the bluetooth amps. They chose not to fly with the BlueBag and instead shipped it in to Vegas, which was probably a good idea due to the extremely suspicious contents of the case. More photos of the BlueBag here.

The guys from Flexilis a little bird told me... Shawn Embleton Ryan Cunningham Sherri Sparks Dan Kaminsky Ofir Arkin physical mail forwarders Dan Larkin Dan Larkin Jeff Moss and Dan Larkin Jeff Moss aka Dark Tangent Jeff Moss aka Dark Tangent Jeff Moss aka Dark Tangent black hat swag
Blog

Pushing Hackers to the Tipping Point

People love free booze and tickets to parties at which free booze is provided are a hot commodity at security conventions. A company called Tipping Point that is a subsidiary of 3Com is throwing a party tonight at Body English in the Hard Rock. To get an invite you would have had to RSVP with their PR people before the convention, which of course I didn't, or you would have to wait in "line" and get a ticket on a first come first served basis. I put line in quotes because the folks manning the booth didn't seem to have any idea about how to do an orderly giveaway. They told everyone to stand there and wait their turn, but never actually instructed people to get into a single file line. The "line" was actually more like a mob and when they started giving away the tickets it turned into a writhing blob of stinky geeks, I almost lost my camera bag in the chaos. In the end I got my pass to the party and I will go and take part in the booze drinking. I don't want to make a presumption about the quality of their product based on the lack of organization of their giveaway, but it is hard not to.

Update Last night we defeated the authentication system of the Tipping Point party and got about 12 people in with just the 1 token I won, plus 2 or 3 tokens that we temporarily borrowed from random people. The flaw in the system was pretty simple, the bouncers didn't take your token away when you got in so if you went outside to make a phone call or whatnot you could give your token or several you borrowed to your friends. The part was fun and being 23b, we danced.

Blog

Black Hat 2006 Day 1 - Sidewinder

Shawn Embleton

Frequently you find a speaker who is covering a very interesting topic, but may not quite have a firm grasp on keeping a crowd interested. Public speaking is not a skill that I have mastered, and I feel that the folks that were talking about Sidewinder are in the same boat. Sidewinder is a promising piece of software that Shawn Embleton, Sherri Sparks and Ryan Cunningham are working on. Sidewinder is a fuzzer that uses genetic algorithms to evolve the fuzzed input in order to get the funky data to the place in the code where you want it. The next logical step of their application is to add some software to create exploits once you get to the place in the code where you suspect a vulnerability may exist. Keep an eye on these three, I see big things coming from their collective intelligence in the next few years.

Update I had a chance to speak with Shawn about the Sidewinder application and he told me it was all coded in just a few months. He isn't sure if he will have time to continue development on the application, but I encouraged him to as I feel it is a great concept and could grow to be one of the best fuzzers out there.

Blog

Major Flaw in Proposed RFID Passports

The guys from a wireless research company called Flexilis who happen to be based a block and a half from my loft, just showed me their proof of concept demo of a serious flaw in the upcoming RFID embedded Passports, scheduled to be released in October. The RFID passports incorporate a shielding mechanism to prevent rogue readers from picking up the sensitive information contained in your US passport, but as it turns out if the passport is slightly open it can be read. This may not seem like much of a big deal until you watch the following video where they created a proof of concept Improvised Explosive Device that detects the presence of a US passport and detonates a charge (or in their test case, some model rocket engines).

This hack could also be used to identify to unique individual and then detonate a device or track them. Because the RFID technology works at only close distances this attack is especially dangerous. I talked to them about the possibilities of attacking the RFID chip even if the passport is closed and it is possibly that with a very strong electromagnetic field, the data could be read on a subcarrier, but they still have more research to do in that area. Here is their abstract about the demo:
The FLX[2006‐0605] video security brief demonstrates a real‐world vulnerability associated with the failure of the shielding component in the current proposed electronic passport design. When partially open, as could be the case when in a pocket, purse, or briefcase, the currently proposed passport can be detected by a nearby inquiring RFID reader. The security brief also demonstrates an improved shield design that requires a passport to be significantly open before reading is possible.

You can read the full RFID Passport Technical Analysis (84K PDF) or the RFID Passport Shield Failure Demonstration (120 KB). The good news is they have proposed a fix for the problem, John Hering told me he had discovered the vulnerability 2 years ago, but didn't want to release knowledge of the problem until he had a fix to go with it.

Digg This Article

UPDATE Well it looks like the Department of State decided not to wait until October to begin issuing these dangerous passports. Here is their press release.

Blog

Black Hat 2006 - Opening Intro and Fighting Organized Crime Keynote

Jeff Moss and Dan Larkin

I just caught the opening intro from Jeff Moss aka Dark Tangent. He dispelled rumors that Microsoft had attempted to buy a track at the convention, explaining that he was hoping to have some of the Vista engineers at the con to talk about their work that would hopefully coincide with the imminent release of the new OS. As it turned out the Vista release date has been pushed back, so that didn't work out as planned.

The opening keynote was given by Dan Larkin, FBIU Unit Chief of Cyber Initiative & Resource Fusion Unit Cirf-U, a spinoff of IC3. He started out with some bad jokes about how far computers have come which elicited a sum total of zero laughs from the audience. His talk became more interesting when he talked about strides the feds had made in past years working with academia, industry and experts in the field. The FBI is actively investigating all types of cybercrime ranging from phishing to spamming to bank fraud and are uncovering vast organized crime organizations that span the globe.

I had a chance to talk to Dan Larkin more after his talk and I asked him about what percentage of the crime the investigate involves music, movie and software piracy and he said that the organized criminals involved really have their hands in anything and everything illegal that can make them money. He said 30% of the bad guys crime involves When it comes to music, software and music.

I am torn between three of the next talks scheduled, of which I will try and catch a few minutes of each: Bypassing NAC by Ofir Arkin, Black Ops 2006 by Dan Kaminsky and Trusted Computing Revolution by Bruce Potter. Dan's talks are always great and I've enjoyed Ofir's in the past as well. I am pulling the shots from the keynote off my CF card right now and will upload them as soon as they are done.

Jeff Moss aka Dark Tangent

Blog

Black Hat Day 1 - Registration

black hat swag

I am attending a 2 day security convention in Las Vegas called Black Hat. The flight in from LAX was short, although I did get the old TSA hassle, for the first time ever I was directed to stand in the little search corral and the frisked me, then swapped my bags and fed that to the spectrometer, I heard from another attendee that people all over the country are getting extra hassles.

I showed up at Caesar's Palace right at 8am to get my credentials and everything went smoothly. The line for the general credentials was insanely long, but luckily there was a press line that was only a dozen or so people deep. Jeff Moss will be giving his intro in a few minutes and then the keynote: "Fighting Organized Cyber Crime", which should be interesting. I'll get some photos of the speakers and try and upload them and give an update between talks. The photo above is of the free swag you get upon registration... a pretty good haul.

Blog

Dunk Me @ DefCon

This Saturday at 12:30pm I will be available for dunking in the DefCon EFF dunk tank. The proceeds go to the EFF so it is for a great cause. You know you want to dunk me!