Today's protest was smaller than last year's May Day protest. I would say roughly 10,000 people gathered beside City Hall at the end of the day. There were three groups, and I photographed each of them: the first while it was gathering at Olympic and Broadway, the second from their rally point in MacArthur Park to the intersection of 5th and Broadway, where I met up with the Legalize LA group, which seemed to be the largest of the three.
Here are some of the photos from today:
Penelope and I touched down in Hawaii today for a friend's wedding. We're staying at the Kauai Marriott in Lihue. Before we left I picked up a waterproof camera, the Olympus Stylus 850, which I'm very happy with so far. I love having a waterproof ultracompact camera. Here are a few shots from today:
Check out the rest of our Hawaii photo gallery.
Chris Paget stirred up much controversy at Black Hat DC with the release of his RFID cloner. The cloner can be easily built with "a high school level of electronics" and some free time. Unfortunately, due to the threat of a massive patent lawsuit, he is unable to release the schematics or source code for the cloner. He demoed his cloner and it was quite effective at cloning RFID cards that operate in the 134 kHz range. He also showed that the RFID tinfoil "shields" are completely ineffective for the 134 kHz RFID cards. Here are some photos of Paget and his cloners:
And that's it for my Black Hat 2007 live blogging... it's time to meet up with the wife and drink! More to come from Defcon. =]
This is going to be a short post, but here are a few photos from today. Mike Spindel and Eric Schmiedl gave a talk about access control systems (read: locks), which was interesting and informative but didn't have much groundbreaking information. Here are a couple of photos:
Charlie Miller gave a talk about hacking OS X, and talked about the recent root exploit he found on the iPhone. Luckily for the iPhone users out there, Apple released an update that fixed this problem, and it happened to come out the day before Black Hat started. Luckily for Apple, Miller is a white-hat hacker and he disclosed his findings to them several weeks before Black Hat, and let them know he would be talking about it and releasing the exploit code. Here is a photo from his talk:
During the first part of his talk, Adam Laurie demonstrated some of his new research on hotel safes, in which he opened a hotel safe using only a paperclip and a multi-tool in under a minute. He had a member of the audience read the marketing hype from the safe manufacturer while he opened the safe and recovered his previously "safe" beer.
His talk was actually about RFID (Radio Frequency IDentification) chips. They are passive chips that are activated by a radio signal. There are two types of chips, smart and dumb: the smart ones have circuitry that processes input and returns a signal, while dumb chips just respond with a fixed code when lit up with radio frequency. The dumb chips are used in everything from hotel keys to car keys to pet implants. RFID chips are also being implanted in humans for military access control, mental patient tracking, and even as a digital wallet for beach-goers.
The point that the manufacturers always drive home is that the chips are unique and can't be duplicated. In actuality, RFID chips can be easily cloned with a device that costs under $20, for which you can get plans and parts here. There are numerous other kits available to clone RFIDs. The RFID industry's response to the ability to clone chips was that they aren't true clones because they don't have "the same form factor." Laurie took this as a challenge and decided to clone an RFID chip using the same form factor.
He researched RFID tag types and found two that are multi-format configurable and can be loaded with user-selectable data. He happened to be in possession of a Q5 [PDF download] reprogrammable tag from the office where he works. Using a simple keyboard wedge he read the ID of the chip he wanted to clone. He then used a program he wrote in Python, called RFIDIOt, to reprogram the tag with the cloned ID. He demoed the whole thing in about one minute and it worked as designed; good show.
He then demoed a clone of the animal implant chip, and rewrote the chip in his wrist (watch) to the same chip ID. VeriChip uses the same type of chip for identification, but the difference is that they use a 4-digit country code instead of a 3-digit code, and no commercial software can write a 4-digit country code. Luckily Laurie wrote software that can write any code, no matter how long, to the card, thus defeating the "security" of the VeriChip.
The next part of his talk focused on "smart" RFID cards, which most notably are being used in passports, including those from the US and UK. These chips can use a combination of a pseudo-random UID, strong authentication (3DES) and content encryption. So far no countries are using encrypted content, mostly because there is no published standard yet.
The key happens to be printed on the passport, which, to me anyway, defeats most of the benefit of having strong authentication. Even if you can't read the shared key printed inside the front cover, it is still possible to brute force it, as there is no brute-force prevention built into the passport RFID chip.
Although cloning the passport is trivial, just a matter of copying the files, modifying the data should not be possible because of the use of a Certificate Authority and public key infrastructure. Signing the passport with your own key has recently been prevented by a public repository of keys, but this only came out in April, so until then it was possible to modify passports.
The number of systems implementing RFID for "secure" purposes is growing every day. Clearly this technology has many vulnerabilities, and major changes are needed to ensure the security of these systems. I'm glad I got a passport last year, and that it doesn't have an RFID chip in it.
Many modern cars have built-in navigation / traffic systems. In North America data is transmitted over FM radio using the Radio Data System (RDS). The system can display station names, the time and the program type, and supports news override. The signal piggybacks on standard FM radio signals. The RDS Traffic Message Channel (RDS-TMC) transmits traffic data over RDS and was introduced in Germany in 1997. Although it is a 10-year-old protocol, it is only now being implemented in modern satellite navigation systems. TMC can also be transmitted over digital radio such as DAB and satellite radio.
RDS is a very simple protocol, with each packet consisting of 104 bits. The security issue with RDS is that it has no data authentication built in, which makes it easy to sniff and to send fake messages using off-the-shelf components. The components for a sniffer cost under $20, and it can be built with very little technical skill, according to the speakers. The specs and code for the PIC microcontroller can be downloaded from the Inverse Path development website if you want to make your own RDS sniffer / injector.
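To make the "no data authentication" point concrete, here is an added example (my own, not code from Inverse Path or the talk) that models the receiver-side checkword computation for one 104-bit RDS group, using the public generator polynomial and offset words from the RDS standard; the information words are constructed, not captured from a broadcast.

```python
# Added example (not from the Inverse Path talk or the original post): a
# receiver-side model of the RDS checkword, to show what the 104-bit group's
# built-in check does and does not protect against.
#
# An RDS group is 4 blocks x 26 bits = 104 bits.  Each block carries a 16-bit
# information word followed by a 10-bit checkword:
#     checkword = (info(x) * x^10 mod g(x)) XOR offset_word
# with g(x) = x^10 + x^8 + x^7 + x^5 + x^4 + x^3 + 1 and the per-block offset
# words A, B, C (or C'), D that tell the receiver which block it is looking at.
# Nothing in this computation is secret, which is the whole security issue.

RDS_POLY = 0x5B9                      # g(x) as an 11-bit mask
OFFSETS = {"A": 0x0FC, "B": 0x198, "C": 0x168, "C'": 0x350, "D": 0x1B4}
GROUP_OFFSETS = ("A", "B", "C", "D")  # block order in a normal (version A) group


def rds_crc(info: int) -> int:
    """10-bit remainder of info(x) * x^10 divided by g(x), by GF(2) long division."""
    reg = (info & 0xFFFF) << 10
    for bit in range(25, 9, -1):      # walk the 26-bit register from the top
        if reg & (1 << bit):
            reg ^= RDS_POLY << (bit - 10)
    return reg & 0x3FF


def encode_block(info: int, offset: str) -> int:
    """16 info bits followed by the 10-bit checkword for the given offset word."""
    return ((info & 0xFFFF) << 10) | (rds_crc(info) ^ OFFSETS[offset])


def check_block(block: int, offset: str) -> bool:
    """What a receiver does: recompute the checkword and compare."""
    info, checkword = block >> 10, block & 0x3FF
    return checkword == (rds_crc(info) ^ OFFSETS[offset])


def encode_group(words) -> int:
    """Pack four 16-bit information words into one 104-bit group."""
    group = 0
    for word, offset in zip(words, GROUP_OFFSETS):
        group = (group << 26) | encode_block(word, offset)
    return group


def decode_group(group: int):
    """Return the four information words, or None if any block fails its check."""
    blocks = [(group >> (26 * (3 - i))) & 0x3FFFFFF for i in range(4)]
    if not all(check_block(b, o) for b, o in zip(blocks, GROUP_OFFSETS)):
        return None
    return [b >> 10 for b in blocks]


if __name__ == "__main__":
    # Constructed sample: arbitrary information words, not a real broadcast.
    words = [0x1234, 0x0408, 0xCDCD, 0x4142]
    group = encode_group(words)
    print(f"group = {group:026x} ({group.bit_length()} bits)")
    # A single flipped bit (channel noise) is caught by the checkword ...
    print("noise detected:", decode_group(group ^ (1 << 50)) is None)
    # ... but any group built with the public polynomial and offsets verifies
    # perfectly: the checkword is error detection, not authentication.
    print("well-formed group accepted:", decode_group(group) == words)
```

Because the only inputs to the check are the polynomial and the offset words, a receiver has no way to tell a broadcaster's group from anyone else's; that is the gap an authentication layer would have to fill.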
The injection code is still quite crude, as you have to edit the source and recompile every time you want to change what you are injecting. What's important is that it works, although it does happen to look somewhat like a bomb. When they brought their setup through a TSA checkpoint, the TSA officer, upon inspecting it, flipped a switch and said "boom." Barisani said, "apparently TSA officers are allowed to make jokes about bombs, which would get anyone else arrested."
One of the features of RDS-TMC is the news override, which forces your tuner to change to a different frequency. Barisani said they tested their system during a Saturday soccer match, which potentially enraged numerous Italians when their match was overridden by their radios tuning to a station with a carrier tone.
Some of the fun things you can do by injecting RDS-TMC messages are showing fake road closures, traffic slowdowns, dangerous weather and road work. You can also close roads and tunnels. The wacky stuff you can do is display codes like Terrorist Incident, Air Raid Danger, Air Crash, Bomb Alert and a more generic Security Alert. The best one they showed, though, was "Bull Fight".
According to Barisani, his father was never impressed with his software and kernel hacking research, but when he showed him the RDS-TMC hacking his father said, "Wow, you have a cool job."
You can download Andrea Barisani and Daniele Bianco's CanSecWest 2007 presentation here [13 MB PDF] and all the supporting files and schematics to make your own sniffer / injector here. Their website is Inversepath.com.
The BIOS is the system in your computer that initializes hardware and memory, loads basic user settings and finally loads a bootloader, which starts your operating system. For years there have been methods of loading malicious code into a compromised host's BIOS, although physical access may be required.
One popular method of compromising a host through the BIOS is an option ROM rootkit. A rootkit prevents the user of a compromised system from being able to tell their system has been hacked by hiding traces of the malicious code, and thus gives full control of the compromised system to the attacker. A BIOS rootkit has multiple interrupts available to hook, including video, disk and memory. Detection of this type of rootkit is fairly easy and is just a matter of dumping the contents of the BIOS ROM.
Another method of BIOS rootkitting is through ACPI, which controls power management of your system and provides temperature information to your operating system. ACPI has the ability to modify system memory, allowing an attacker to deploy a rootkit. ACPI rootkits are independent of the operating system, so they will work on multiple platforms. ACPI code is written in a high-level language called AML that makes writing both malicious and non-malicious code easy. Not all operating systems have ACPI device drivers, and some prevent AML from accessing system memory by sandboxing it.
The Extensible Firmware Interface (EFI) is the replacement for the legacy BIOS. EFI reuses existing systems, including the FAT filesystem and ACPI. EFI is a much more robust system than BIOS and is also backwards compatible with it. The implementation that Intel uses is called "The Framework"; it is partially open source and is what is inside the new Intel-based Apple OS X systems.
There are many ways to get code into the EFI environment. An attacker can modify the bootloader directly, modify bootloader variables in NVRAM, modify and reflash the firmware, or exploit an implementation flaw in a driver. Once the attacker is in, they can shim a boot service, modify an ACPI table as in the traditional BIOS attack, load an SMM driver, or hook interrupt handlers. Modifying the boot loader is actually quite simple in Mac OS X, as the bootloader binary is located in user disk space: /System/Library/CoreServices/boot.efi. This isn't very stealthy, as you are modifying a file on disk, which could easily be detected by verifying checksums with an application like Tripwire.
System Management Mode (SMM) is a "get out of jail free card" for system designers. It allows an attacker to execute code that is hidden from the operating system, much like virtualization rootkits. EFI provides various protocols and a set of services for accessing SMM. SMM is normally used for error logging, enabling/disabling ACPI, power button support when not using ACPI, and various other system workarounds. SMM may be triggered on external events, I/O events, and timed events. SMM has been used in the past to disable BSD securelevel, by Loic Duflot [PDF download].
Detecting an SMM rootkit would be very difficult, as hardware breakpoints into SMM and SMM memory access can be blocked. There currently is no SMM malware because debugging SMM code requires a hardware analyzer and the platform may already be using SMM.
The bottom line is that, with the added functionality, EFI offers an attacker many more options than BIOS for exploitation. The EFI specification is not very clear with regard to security, which will result in various vendors implementing insecure versions of EFI. In the future, look out for nasty rootkits based on EFI.
John Heasman is an employee of Next Generation Security Software. The information in this post came from his "Hacking the Extensible Firmware Interface" talk at the Black Hat 2007 Briefings in Las Vegas.
Ok, I'm getting tired; I didn't get much sleep last night after driving from LA to Vegas. Here are some photos I shot at the last group of sessions:
In case you haven't noticed, I'm liveblogging Black Hat 2007. I just watched the end of Phil Zimmermann's talk about his new VoIP encryption product / SDK: Zfone. Zfone is an application that allows you to make secure, encrypted phone calls over the internet using standard VoIP protocols. As with Zimmermann's other well-known project, PGP, the source code and software are given away for free.
During the question and answer session he talked about his disdain for software patents, but added that he had recently applied for a patent for the Zfone protocol, with an interesting twist. He is using the patent for good, and here is how: part of the patent states that any time a key is copied and stored (which would allow a party to monitor / wiretap the call) a flag is set on that session that designates the wiretapping. This won't prevent interested parties from simply not setting the flag, but it will prevent them from using the free license for Zfone and thus force them to disclose that their product is wiretap friendly.
Here are some photos from the talk:
I just heard this random quote in the press pen: "Our experience is to stay off the wireless network at Defcon, we actually got hacked into a few years ago." I bring my own out-of-band connection with me to all security conventions, and even with that I still do all my surfing / blogging / emailing through an SSH tunnel to a trusted server.
Dan Kaminsky just gave a talk about the nasty things that service providers are doing to your network traffic, how it relates to network neutrality, and how to detect it. Basically, nearly all router manufacturers are working on technology to do hostile things to your internet traffic, including slowing certain parts of it, monitoring it, modifying it in real time to do mean things like inserting their own ads into your web pages, or, worst of all, storing it and selling it.
Dan stated that this kind of trickery is going to either make web advertising obsolete or force most if not all web traffic to be encrypted. If ISPs don't wake up and realize that what they're doing is wrong, the effect on the current internet ad market will be bad. I never thought of network neutrality as more than just shaping traffic or preferred routing, but Dan opened my eyes to the ugly things that vendors and ISPs are doing to our data.
Here are some photos from his talk:
His grandma is in the audience, and he was giving away some of her cookies to people who asked good questions:
I'm attending the Black Hat Briefings in Las Vegas. I just caught the tail end of Richard Clarke's keynote speech. One thing he said in a final question that I thought was really cool and spot on is that the government should be monitoring terrorists and hacking into their computers, but should not be monitoring everyday citizens. I wish more government (or former government) officials felt this way as well.
This Black Hat is the largest ever, with over 4,000 attendees. They completely streamlined the registration process and it is operating much more smoothly than last year.
Here are some photos from his talk:
And here is what came in the swag bag:
Yesterday Penelope and I made a trip down to the San Diego Zoo, and about halfway through our adventures my camera started taking photos on its own in rapid succession while flashing Error 99 on the LCD. I tried pulling the batteries and letting it sit for a while, but that didn't cut it. I looked through my photo archive and I've taken well over 50,000 photos with it since I bought it in February 2005. Looks like I will be without a digital SLR (I still have a film SLR body) for a couple of weeks while I get it repaired.
Update: After finding someone who had the exact same problem that I did and emailing said person, I found out that I needed to replace my shutter. Canon will do it for $196, which also includes a complete overhaul and cleaning of the camera. It takes 7-10 business days to complete. I am sending it off today.
Frequently you find a speaker who is covering a very interesting topic but may not quite have a firm grasp of keeping a crowd interested. Public speaking is not a skill that I have mastered, and I feel that the folks who were talking about Sidewinder are in the same boat. Sidewinder is a promising piece of software that Shawn Embleton, Sherri Sparks and Ryan Cunningham are working on. Sidewinder is a fuzzer that uses genetic algorithms to evolve the fuzzed input in order to get the funky data to the place in the code where you want it. The next logical step for their application is to add software to create exploits once you get to the place in the code where you suspect a vulnerability may exist. Keep an eye on these three; I see big things coming from their collective intelligence in the next few years.
Update: I had a chance to speak with Shawn about the Sidewinder application and he told me it was all coded in just a few months. He isn't sure if he will have time to continue development on the application, but I encouraged him to, as I feel it is a great concept and could grow to be one of the best fuzzers out there.
I am attending a 2-day security convention in Las Vegas called Black Hat. The flight in from LAX was short, although I did get the old TSA hassle: for the first time ever I was directed to stand in the little search corral and they frisked me, then swabbed my bags and fed the swab to the spectrometer. I heard from another attendee that people all over the country are getting extra hassles.
I showed up at Caesars Palace right at 8am to get my credentials and everything went smoothly. The line for the general credentials was insanely long, but luckily there was a press line that was only a dozen or so people deep. Jeff Moss will be giving his intro in a few minutes and then the keynote, "Fighting Organized Cyber Crime", which should be interesting. I'll get some photos of the speakers and try to upload them and give an update between talks. The photo above is of the free swag you get upon registration... a pretty good haul.
I love you, mom! Thanks for the greatest gift ever, life.
Today I hit the streets again and took some photos; here are a few of the 40 I uploaded.
Microsoft, which I personally don't care for too much, has once again proven itself to be last in line at the pop stand. First of all, they are partnering with MTV to create an online music store / subscription service called Urge, which will offer 2 million songs but won't work on iPods or Macintosh computers. The only snag for M$ is that iPods make up 75% of the portable music player market share, so they have engineered their own obsolescence before even releasing the service to the public.
Next, they are partnering with MCI to provide VoIP support in their instant messenger program, allowing you to make calls from your PC to landlines and cell phones. Gee, nobody has thought of this before... oh wait, there are Vonage (which I use and it rocks) and Skype, who have both been doing this for years, and of course Yahoo is about to beat them to market with the integration of their messenger and voice calling.
And finally, M$ issued a patch for IE that fixes a "critical" security flaw, one so critical that it took them several weeks to issue a patch, during which time exploit code was released to the public. I'm glad I run OS X.
Actually, there is one more thing: it looks like the new Russian government-funded TV station, Russia Today, is back on the air today after being down due to hacking:
Margarita Simonyan, the channel's editor in chief, said, "There was an attempted invasion of the computer system from outside, which gave rise to viruses, which in turn led to a breakdown in transmission. We apologise to the audience but the channel had to cease broadcasting until the technical malfunctions are mended."
Sounds like bad Microsoft juju to me, but man, are people really running TV stations on Windows? Does this seem like a bad idea to anybody but me?
Today Penelope and I walked up the hill a few blocks to check out the Basquiat exhibit at MOCA. The collection is vast and supposedly the largest ever in one place. We very much enjoyed the vivid and tumultuous paintings of the young deceased artist, our favorites of the bunch being Grillo, Now's the Time (a Charlie Parker record) and the various Gray's Anatomy inspired paintings, which were obviously inspired by the thick anatomy tome (even though that bit of information was unknown to us).
Yesterday my superstar, amazing, wonderful fiancée and I moved. We woke up at 6AM and drove to my storage unit in Redlands, where we rented a truck and emptied my storage unit. Then we went to Penelope's house and loaded up her boxes and furniture, and then to my house where we did the same. The 14' U-Haul was totally filled up. We then drove to our new loft and moved in. Just the two of us! What a trooper Penelope is! I really love her. Boy am I tired.
So don't sleep... here is what I have for sale:
IBM Thinkpad $5.00
Neon Genesis Evangelion 0:2 $10.00
Neon Genesis Evangelion 0:1 $10.00
Tupak Shakur: Before I Wake $10.00
Queen of the Damned $10.00
The Opportunists $10.00
Strange Days $10.00
Fritz the Cat $10.00
The Replacement Killers $10.00
Xetex Geiger Counter $20.00
Symbol Wireless Barcode Scanner PDA $40.00
IBM Hub 3299-2 NPFA Type II $5.00
Orckit DSL modem
Fluke 80T-IR Infrared Temperature Probe $40.00
2.4 GHz antenna ceiling mount s2403bh $20.00
Rave MP3 Player $8.50
AT&T Cable modem $20.00
Ricochet USB Modem $5.00
Conar Model 202 Frequency Counter
Alinco DJ-S41 $31.00
Ezonics EZ Cam Digital Camera/Webcam USB $20.00
Aceco Frequency Counter $10.50
ICOM IC-Q7A $79.01
AOR AR8200MKII w/computer interface and more $113.50
Fujitsu 10GB Laptop HD $10.00
So place your bids!