2008-08-29

Ye-Olde Tech: 8- and 16-bit video game music!


Local geek and friend of HiR, (jeff)isageek threw me a serious curve-ball today. 8-bit music. I used to totally dig Module Music and had a pretty serious archive of it somewhere. It's probably still around on floppy disks somewhere. I also really enjoyed some of the lo-fi tunes that came out of arcade cabinets and olde-school game consoles.

I can't contain my joy. I can't stream music at work, but as I write this, I'm recording as much of it as I can to my MiniDisc recorder!

2008-08-26

Audit Rant

I'm in the middle of our twice-annual SAS 70 audit.  Audits are pretty much a part of any InfoSec professional's life at one time or another.  Some of us act as the proxy for our organization, providing what's needed to the auditors.  Others of us are responsible for doing the auditing.  There are several jobs in InfoSec that don't really deal with Audits, but if you work in the industry long enough, you're likely to experience audits eventually.


Some have asked me what exactly an audit is.  Those who've been through a tax audit know that audits aren't fun.  There are many types of audits depending on the industry you're in.  Hospitals and Medical firms must comply to HIPAA.  Firms that handle payment card information must comply to PCI DSS, and if you work for a publicly traded company in the US, you can thank the turn-of-the-century financial scandals of Enron, Tyco, WorldCom and others for the Sarbanes-Oxley Act and the audits that ensued.  The list goes on and on, and there are audits to ensure proper controls are in place.

Being on the "receiving" end of the SAS 70 this time around, I can try to convey what happens.  Imagine if someone comes by and asks for your car's odometer readings at each fill-up, all of your phone bills and bank statements for the past six months.

Imagine after having turned that over, you get them back a while later, with a bunch of items highlighted.  The auditor wants to know where you drove on 20 specific tanks of gas or on specific days.  He wants to know what you purchased with 50 randomly-highlighted withdrawals from your bank statement, and wants to know the nature of a bunch of your phone calls.

Now, take that a step further, and widen the scope. I have to provide that kind of detail, but not about personal finances and the like, but about my entire enterprise.  The people, the systems, the procedures, the documentation authorizing certain actions to be done, and all that.  Yes, at this point, the "auditee" (that's me) is tasked with answering for pretty much every action that's taken place within their organization, regardless if they had anything to do with the actions taken or not.

I've been on the auditor end of things as well, but it's been quite a few years.  It comes with its own challenges.  That's another rant for another day... or does someone feel like doing a guest post with a counter-point to this article?

2008-08-24

Geek-Out, August 29, 2008

For those of us who are going to the Geek-Out at Daily Dose this coming Friday night (at 11:00pm), I'll be bringing some new toys, not the least of which is a 500mW Alfa Networks AWUS036H. On the affordable consumer end of the market, this one is gaining popularity and is arguably the grand-daddy of port-powered USB adapters. I've paired mine with a whopping 10dBi omni-directional antenna (not shown), as well. Hopefully, I'll have Karmetasploit (or at least Karma on BackTrack 3) working with this adapter in time for the geek-out.

Asmodian X and I have also been messing with the less powerful Linksys WUSB54GC adapters with varying success. Both seem to work quite well for wireless network monitoring, but when it comes to interception, the tools and kernel drivers available require a lot of work to get things functioning the way they should.

I'll also be showing off Sun's VirtualBox, which is an open-source virtualization hypervisor that seems to be flying under most peoples' radar.

Got something else cool and geeky to show off? It doesn't necessarily have to be security or even computer related. Let us know, and hope to see you this Friday!

2008-08-20

Breadboard: You're doing it wrong!



Found on Teipen via Make.  I still can't stop laughing.  

Stryde Hacks The Olympics...

Stryde takes matters into his own hands and uses China's sports records against them in determining the true age of Olympian He Kexin. Within, he asks others to archive their screen shots of the data:

Much of the coverage regarding Hexin's age has only mentioned "allegations" of fraud, and the IOC has ignored the matter completely. I believe that these primary documents, issued by the Chinese state, directly available from China by clicking on the links above rise to a level of evidence higher than "allegation". The following points bear mentioning:

  1. Google's cached copy of the spreadsheet does not contain Hexin's age record, and Baidu's does. This does not necessarily imply that Google allowed its data to be rewritten by Chinese censors, but the possibility does present itself.
  2. From the minute I pressed the publish button on this blog, the clock is ticking until Hexin's true age is wiped out of the Baidu cache forever. It is up to you, the folks reading this blog, to take your own screenshots and notarize them by publishing them. If you put a link in the comments section, I'll post it.


I also pulled down entire CSV data intact and archived it. Attached are my own screenshots of the Baidu Cached files: Cache 1 and Cache 2


2008-08-17

Some of the best music from DefCon 16 now online

Hands down my favorite musical talent of the weekend was DJ Great Scott. I didn't get to hear his set at the White Ball but the set he laid down at the i-Hacked Skybox Party was absolutely insane. Both mixes are available online at the links above. Feel free to share, mirror, torrent and otherwise disseminate them.

2008-08-15

OSWA Assistant

One of my local contacts that went to DefCon scored a copy of the latest build of OSWA Assistant, a Linux LiveCD Distro specifically for wireless auditing. From my understanding, this is a beta, newer than what's out on OSWA's site.

I booted it up on one of the HiR Lab systems and it looks like it's got some similarities to BackTrack, but with Bluetooth and RFID pen-testing goodness baked right in. For those who missed it, the OSWA folks were behind the Wall Of Sheep project at Black Hat and DefCon

** Update **

It looks like between the time we got the OSWA CD and now, they updated the version on their site. Go ahead and check it out. If you like tinkering with wireless, you will probably enjoy OSWA Assistant.

Office Hack: Erasing Perma-Marker

I really thought that the procedure for exorcising permanent marker from a whiteboard was common knowledge by now... Apparently, it's not.


Here, someone (me) has defaced a whiteboard (mine) with a permanent marker.


We'll just erase it, right?


Nope. It's not going anywhere.


Enter: The Dry Erase Marker (Black Hat Schwag via Asmodian X)


Just scribble over the permanent marker with the dry erase. Make sure to cover it well!


Then erase...


Where'd it go?!


The dry erase marker has a solvent in it. When you draw over permanent marker with a dry erase, the permanent ink ends up getting mixed in with the dry erase, and it almost always comes right off the white board. Sometimes you need to do it twice, but it usually works pretty well.


Again, you probably know this trick, but apparently it's not as well known as I thought.

Have any other office hacks? Post them in the comments!

You can't stop a social engineer

In Kansas City, we have two separate bus systems. One is a pretty well-designed intra-urban system on the Missouri side of the metro area managed by the Kansas City Area Transit Authority. The other is an anemic, under-funded system designed almost exclusively for the Nine-To-Five commuters from Johnson County, KS. I live in Johnson County, KS and thus have purchased a monthly bus pass for this bus system.

The benefits are that I can, if I must, use the Johnson County bus to get to downtown KC, MO and get a transfer from that Johnson County bus if my final destination is elsewhere in KCATA's system that my bus doesn't reach.

Last night, heading to the Cowtown Computer Congress, I decided to take a KCATA bus. Normally, the fare would be $1.25. I decided to ask one of the JC Bus drivers for a transfer. This worked once before. Hypothetically speaking, yesterday's events may have worked out like this:

Me: "Excuse me, could I get a favor? I really have to catch a Metro bus and I'm short on cash. I have this bus pass, though. Could you please print out a transfer for me?"

Bus Driver: "No?! You can't just walk up to the bus and get a transfer! You have to ride the bus."

Me: "Oh. I didn't know. (Feigning innocence and stupidity) How far south do you go before you leave Kansas City?"

Bus Driver: "Union Station, then Crown Center."

Me: "Oh, that'll be perfect! (Setting my bags down on a seat) Can I get a transfer?"

Bus Driver: "Sure."

After grabbing the transfer, I may or may not have just taken my bags and gotten the hell off the bus so I could catch a KCATA bus really quick. The bus driver may or may not have called me a few choice words.

Seriously, why would someone like a bus driver power-trip over this kind of thing? I'm going to get what I want one way or another. Worst case scenario, I would have ridden the bus for a few blocks after convincing another rider to get a transfer for me.

... like fish in a barrel, I tell ya ...

2008-08-14

Weekly Technolust! Hak.5 Joins Revision3

Our buddies over at Hak.5 have some celebrating to do. It's confirmed that Darren Kitchen is going to start cranking up the Technolust with the help of Revision3, according to a press release issued this afternoon

The hints have been in the air for a while now. When I drove out to destroy my windshield hang out with Darren, it sounded like there might be something going on with Rev3. Going from monthly production to weekly is a huge step. I know I'll be sure to tune in! With Hak.5's wits and the production and distribution skills of Revision3, I really don't see how this partnership will be anything less than a home run.

Congrats, guys!

2008-08-13

Finally got the Badge working...

I know, you're sick of hearing about the DefCon Badge, most likely. I couldn't get it working on my Parallels Win2K Virtual Machine. I decided to clean up the solder joints a bit to see if that helped. Yes, I usually prefer my butane soldering iron when working on electronics.


That didn't help, unfortunately. I decided to take over my wife's older workstation still running Win2K. Driver detected off the CD (just like it did under Parallels) and so I fired up Hyper Terminal... Success!


Here's what it dumped out:


DEFCON 16 Badge by Joe Grand (Kingpin)

I might be growing up, but I'm never backing down

From corporate greed
And authority
From fighting for what I believe

From my enemies
And my family
From society's pressure of responsibility

From church and state
And blind belief
From those trying to rewrite history

From backstabbing friends
And snake oil fiends
From those in my past with no integrity

You
can't
silence
me.

Goto www.kingpinempire.com

Welcome to the debug terminal...

Entering TRANSMIT mode.
File name: AX0N-NFO.HTM
File size: 0000002239 ytes
Starting IR file transmit.

CRC16 = 0xBB4E

CRC16 = 0xC6C1

CRC16 = 0x598F

CRC16 = 0x14FD

CRC16 = 0xCCE6

CRC16 = 0x0000

IR file transmit successful!
Entering RECEIVE mode.
* Press Mode Button *
Entering TRANSMIT mode.
File name: AX0N-NFO.HTM
File size: 0000002239 bytes
Starting IR file transmit.
* Press Mode Button *
Going to SLEEP.
* Remove SD Card *
* Press Mode Button *
Entering RECEIVE mode.
* Press Mode Button *
Entering TRANSMIT mode.
Seending TV-B-Gone power off codes.
Power off code list complete. Repeating!
* Press Mode Button *
Going to SLEEP.


So you can see it transmitting the file and working as a TV-B-Gone from the serial console, all from the USB connection. Nice!



For anyone who's interested, this is the file my badge transmits.

I'll bring it along to CCCKC tomorrow so we can all play with them, if anyone else brings theirs along.

I am having trouble downloading the freescale software, but I do intend on tinkering with the firmware on the badge as soon as I figure out what I'm doing.

2008-08-12

Post-DefCon

Wow. I'm still on the mend from the crazy weekend. Even though it's already Tuesday, I lived through today with a serious case of the Mondays. The arid environment in Las Vegas combined with lack of proper water intake, lack of sleep, lack of food, excess of alcohol consumption and some travel woes really put a damper on my week so far.

All that said, I come home from DefCon with a renewed passion for security, a huge list of new contacts that I hope to keep in touch with, and a pile of notes, schwag, books, CDs and DVDs I have to wade through eventually.

At the end of my airport post last Thursday, I made a reference to an article I was writing in regards to smuggling lockpicks in my carry-on luggage. Also, I've been promising the guys at i-Hacked that I'd be willing to write some stuff for their site on occasion.

I delivered on both promises yesterday with my first i-Hacked guest post: Sneaking Lockpicks past the TSA in carry-on luggage. Within half a day, it already got the attention of Security Monkey and was posted on IT Toolbox. Then, it got submitted to Digg, although it's still a far cry away from hitting the front page. Feel free to Digg it up. Today, Network Security Podcaster/Blogger Martin McKeay posted his own take on getting lockpicks back home safely and his technique (used last year coming home from ShmooCon) is pretty similar to the one I came up with. I guess I wasn't expecting this much buzz about it.

In other news: while at DefCon, I was talking to Jur1st. He's the founder of Cowtown Computer Congress, a group that is striving to unite all the small yet talented cliques of hackers, geeks, and user-group-goers in Kansas City. Meetings are held every Thursday. More info can be found on their site. The current big project is establishing a hackerspace in Kansas City. Hackerspaces are buildings that members can use for user group meetings, collaborative projects, lab testing and social events. Every hackerspace is unique to suit the needs of its patrons, so it should be interesting to see how this one plays out.

I find it fascinating that the 2600 meeting that most of the HiR guys have attended since the mid-90s (I've attended regularly since '93) actually has a little bit of stigma attached to it. Our little "splinter cell" (as other Kansas Citians are calling us) has remained consistently small for the last 5 or 6 years, with 5 religiously regular Attendees (Frogman, Asmodian X, c0g, Dan and myself) and as many as 5 visitors per meeting who we see infrequently. Average age is mid-30s but only because c0g is fucking up our average. :P

I'm pretty stoked to start taking part in the Congress. There's actually a lot of talent in KC. We're just too jaded and cliquey to see the others. I really hope CCCKC fixes that.

I promise to start posting some details on the talks I went to as soon as I start feeling more like a human.

2008-08-10

Ax0n's DefCon Day 2 Recap

Talks: 

Joe Grand & Zoz - BSODomizer, a hardware VGA in-line hack that first displays a Blue Screen Of Death, then after a while switches to Goatse ASCII Art.  Evil.
Scott Moulton - Computer Forensics is ONLY for P.I.s - The recent changes to computer forensics laws threaten consultants who do investigative work without a private investigator's license.
John "Jur1st" Benson - When Lawyers Attack - Ties in quite a bit with Scott Moulton's talk in how laws are changing the way that digital evidence is handled and thus the instability of the computer forensics industry, even for law enforcement.
Jay Beale - Owning users with Agent In The Middle - Jay introduced a new tool for man-in-the-middle attacks and covered the dangers of MITM in a way that only Jay Beale can. 
K.C. & Mandias - Urban Exploration: A hacker's view - A discussion on the good, bad, and ugly of UE and the many similarities of UE to Hacking. 
Kushner & Murray - InfoSec Career Mythbusters - This floor-filler literally packed the house and offered eye-opening facts about employment in the field of InfoSec.

Post-Talk Events:
i-Hacked.com presents the Podcasters Meetup, where Securabit, PaulDotCom, SecurityJustice and plenty other of hosts streamed a live update on the goings on of DefCon.  Included was the Shmoocon 2009 announcement and a few other goodies.


Now I'm kicking it in Skybox 208 with the i-Hacked.com guys.  Again, great music, lots of energy, lots of fun. 


Oh yeah, we have a few copies of Into The Breach by Michael Santarcangelo available. Meet up with us at the next 2600 meeting and we'll have some copies to give away. I need to do a proper review of it as well, but we have plenty of copies already.

2008-08-09

Ax0n's DefCon Day 1 Recap

This is what I did yesterday:
Saw Asmo get stomped on by a giant circus circus clown. Notice the Circus Circus billboard in the background is seriously on the fritz.


At McDonalds for breakfast, we saw this guy.


Close-up of amusing Solaris code (kernel driver for the hme* ethernet interface) -- Apropriate.


Saw some talks:
Jeff Moss's Introduction
Kingpin's discussion on the badge
Shawn Moyer' and Nathan Hamiel's talk on pwning social networks
Marc Weber Tobias's "Open in 30 Seconds" Medeco talk
Eric Schmiedl's "Advanced Physical Attacks"

After that, Asmodian X and I went to eat sushi with some of the Security Twits.


ggee - Taking pictures of people taking pictures of people taking pictures. His photos of the SecTwit's Dinner are here.


Photo I took walking to the bus stop


When we got back to the convention, we had a nice talk with Shawn Moyer and got some more in-depth on the SocNet problem.

I wound down the night at the Black Ball and a few other parties put on by other groups here at the Riviera.




I'm currently in Kingpin's talk about the BSODomizer, an in-line VGA Dongle that fakes a windows (or MAC) crash with a BSOD... and a little surprise... (ASCII Art Goatse anyone?) I'm not sure what's up next for me, there are some really interesting tracks today!

2008-08-08

One more badge post for the night

Sorry, guys. I've been obsessed with this thing all day, and while I don't plan on entering the badge hacking contest (I have NO developer skills at all), I would like to get as much info out there as possible. I hope that when the next wave of badges gets released, this helps some people get up and running ASAP. In theory, you should be able to read this and get your SD card ready ahead of time.

My last post had a bit of speculation to it when it came to the file transfer part. With some black-box testing between Shawn Moyer's badge and my own, and some help from Ryan Russell looking at the source code that Joe Grand put on the DefCon CD, I finally have some more solid information on how the file transfer feature works with the SD card inserted.

  • When you push the button on the back, it will power the badge on. The LEDs will scan (and remain in "look at me, for I am glitzy" mode)
  • When you push the button again, the LEDs will sweep from the center out, then the IR will try to handshake while a progress meter sweeps.
  • If a handshake is initiated, the LED bar will briefly alternate one LED on, one LED off, then as the transfer happens, the progress bar appears.
  • The SD Card has to be formatted FAT16
  • The file you wish to transfer must be named in 8.3 (README.DOC, 12345678.TXT, AUTOEXEC.BAT, etc)
  • The file you wish to transfer must be read-only
  • The file you wish to transfer must be smaller than 128k. There's a limit in the code for this (likely easy to remove) which supposedly minimizes the possibility of a transfer error. Ryan seems to think that's also a way to protect badge-to-badge exploits.
  • The files are transferred at speeds not unlike those used by a TV Remote. In other words: It's very slow. The files are read, written, and transmitted byte-by-byte in a loop. Simple but effective.
  • There's a hand-written FAT16 driver in the default code, and it will walk through the FAT and transmit only the first file (per the allocation table) which meets the criteria.
  • If the filename exists on the target SD card, it will replace the last character with a number (0-9)
  • The file that's created on the recieving end will NOT be marked read-only and this will never be re-transmitted without manipulation.
Basically, cram 128k or less of data into a file on your SD card and start copying it to others. Maybe it'll be a virus. Maybe it's your vCard or photograph. Perhaps it's an autorun file. You decide.

I must really give it up to KingPin this year. Just tinkering with this badge has made today a really social day for me and I've hung out with some people who I was really hoping to get to meet. It's been an ice-breaker of a project already. If you see me, I'll send you my goodies. :)

Keep an eye on the HiR Twitter page if you aren't following it already. I'll be live-blogging more Badge stuff in the morning from the keynote, and probably from other events as well. I'll attempt to stitch the mess of tweets together into coherent full HiR posts for some of the talks if time (or content) allows.

2008-08-07

More DefCon 16 Badge infoz

In the factory state, the DefCon badge works as follows.

When you attach the battery, there are three modes selectable from the pushbutton switch on the back:
Sleep (no scanning LEDs)
On (LEDs scan side to side)
TV-B-Gone - Turns almost any TV on or off (LEDs scan from center outward for a while, then ALL illuminate at the end of the cycle. Cycle re-starts)

You can verify that the IR Transmitter is actively sending data by looking at the Ninja's eye through a CCD element - Camcorder, camera phone, most digicams.

When you put an SD card in, there are three modes:
Sleep (no scanning LEDS)
Recieve (scanning side to side)
Transmitting (Scanning outward)

The SD Card needs to be formatted as FAT. The files you wish to share must be in the root directory of the SD Card, must be less than 128kb and the read-only attribute MUST be set. Then, you can share files! Hint: Give your files a fairly unique name because it won't likely overwrite files of the same name with the read-only bit set. According to the flyer, the LEDs will form a transfer status bar when a transfer is initiated. High-res shot of the (hard to read) badge documentation linked below:



If you solder the miniUSB jack onto the badge and hook it up to a Windows computer, the DefCon16 CD will have a valid driver for the badge. I don't know where to go from there yet, I'm just divulging this as I find out what's going on. Obviously, removing the 128kb limit would be a start. Perhaps more POV fun with the status LEDs and who knows what else is possible once you can upload custom firmware to the thing.

So, out of the box, I'm thinking of sharing GPG public keys and maybe some bookmarks. That's what mine will be transmitting!

Day 5, Blackhat Briefings

Electronic Discovery: John Benson
I didn’t care For Mr. Benson's speech; it was un-organized and didn’t really go anywhere.
Here are the factoids Jon discusses:
1.) To Lawyers, Information technology processes are barely even a blip on their collective legal counsel radar. They only know a handful of massive screw-ups of which they read less than a paragraph about of which consists of:
a. Document Meta-Data such as Words track changes feature and embedded data in picture files.
b. The extent of they knowledge of Electronic discovery is securing the backup tapes.
2.) According to a large percentage of lawyers the world is paper based, computers are not used. (According to John)
3.) The discovery process is outlined during the 26F meeting, which occurs 99 days before the trial begins. (In short your have a little over 3 months to secure requested data.)
4.) The Lawyers will ask for a “Data Map” which means something different to every one.
5.) Don’t worry about compliance until you get sued, electronic discovery (according to John) isn’t worth the costs of changing all of your processes.

In short sit down and pick your legal counsel’s brain to nail down exactly what the other party really wants. If they ask you to secure the backups it means you’re counsel doesn’t understand what they other party wants. Its possible the other party doesn’t know what they want and is issuing blanket request.

The rest of the information that leaked out was about the American Common Law Justice system and how it works.

John mentioned the Cow-town Computer Congress (Apparently his brain child.) I will have to visit and see what that is all about.

DNS Spoofing Exploit:
(This guy won the Pwny award for Pwning the media)
Basically the DNS server uses insufficient randomness in its keys to prevent some one from spamming every possible communication key with a bogus DNS entry result.

Also mentioned was the fact DNS would often allow an attacker to bypass a-non-stateful firewall and perform the attack.

The trick is to cause the DNS server to go out and seek DNS information from an external DNS server.

In short this is highly dangerous and needs to be updated ASAP. He has been working closely with vendors in helping them update.

Virtualization
The problem with mass implementing virtualization is that the software switch has ZERO network administrative features and is not fault tolerant. No available virtual security package is able to provide this functionality with out adding a huge load to your virtual infrastructure. The Virtualization environment by itself cant be monitored for mal-ware or other malicious software infections with out the use of API’s and products which wont be available for 6 months to 2 years even then at great cost.

In short, Virtualization is still way too young to be deployed in a secured environment, however it is more suited for small networks with light load and existing physical infrastructure.

Possible Bluetooth 2.1 Specification implementation issues:

BT2 uses a password, which is vulnerable to an off-line brute-force attack. BT2.1 has the same issue if the manufacturer does not enforce the user using a different key every time.

Debian OpenSSL Vulnerability
(Pwnie award)
In short the developers said: “Sorry our bad, but we did catch it, just a little too late”
The code comment out was the 3 out of the 4 sources of entropy used to encrypt data. So it was reduced to about 32,000 possible combinations from the current process ID. Since the PID changes every time the program is run, the numbers produced appeared to be random.

The people who did the presentation I think they misread the data, which said out of their sample of sites only 140 sites (as of the release of the vulnerability) were actually vulnerable.

The number is of course higher than that because that count did not include workstations.

If either host has one of these bad keys the encryption is nullified.

See also my post on this subject.

Keynote:

Older people have developed a cynical view on technology. I can agree with part of that in that people who are unaware of the past are doomed to repeat it. The speaker hit on this theme and brought up excellent points, which need to be addressed. A manager manages things and leads people and the speaker warned of the dangers of trying to manage people too and the distinction between installation of a tool and a system. To install a tool is to introduce a tool made for a purpose. A system is created not by the tool or the act of creating the tool, but the people using the tool to perform a purpose.
Management policies only cover a limited stretch of the bell curve so when a process operates out side of the process we run in a hazardous situation. Rather than stopping and treating the new situation as such, we try to match it to a situation, which is similar to one, which there is a process for which is a bad approach. Web applications when developed are perfect, so long as all input thrown at it is with in the realm of what was originally anticipated, the problem with buggy software is that it fails to adapt to new situations in a constructive fashion.

The speaker also noted that people were trying to use technology to solve bad systems where in reality the existing system is given the new tool and will use it in whatever way suits its purpose.

In short, IT is the constant making of tools for the system to use to promote its purpose. So long as a functional process is able to make use of the tool to increase productivity and other positive ends then technology is successful, if the system is broken then no tool in the world will solve the problem.

The speakers point was to stop trying to use technology as a replacement for existing systems and work with the system itself.

DefCon16 Badge Hacking

We got our DC16 badges pretty early in the game. Hevnsnt brought along some mini-USB headers and soldering supplies, we got started hacking early on


Lots of fun stuff




The badge has a TV-B-Gone built-in. You can see the dim IR transmitter on the right side.

Hacking Phoenix Sky Harbor Int'l Airport

My flight out of Kansas City got delayed. I arrived at PHX at around 10:00 PM -- about an hour after my flight to Vegas was supposed to leave. Next flight out of here? 7:30 AM or so.

Decisions, Decisions... Do I take US Failways up on their offer of a hotel room? It's only a 9 hour wait. No. I set up camp.


First, there's a seriously annoying problem with my MacBook. For some reason, it refuses to connect properly to Cisco captive-portal access points. It'll get a DHCP address and route, but when it goes to load the "I accept" page, it can't get to it. This happens EVERYWHERE I run into "Cisco Web Authentication". That happens to include the free WiFi at PHX airport.

But... we have another wonderful captive portal as well, the private one for US Failways and America West (now merged).

How lame is this login screen? Would you pay $120 for 90 days or $315 per year to get access to this super-elite traveler's club? I would kick someone in the nuts if I paid that kind of cash and got this as the login screen.

Every page you try to load, even via https, brings this page up.

Oddly, I fired up my proxy script that simply launches an SSH session to my house (with a few ports forwarded to tunnel web proxy, instant message and IRC traffic) and told it to connect to port 443 (https) of my home firewall. I have an SSH listener on port 443 since I have no use for SSL at home.

It worked like a charm.

So, here I sit, abusing US Airways Club's wifi. Stranded in Phoenix for a few more hours, and I think I've successfully skirted boredom... for now...

Next: How to smuggle sharpened metal (lock picks) through airport security in your carry-on luggage. I think I'm going to wait until I get back into Kansas City before I expose that one, though. ;)

DefCon is less than a day away. Hope I run into some of you.

2008-08-06

Ax0n's DefCon Agenda so far...

I'll be updating my Google Calendar as I figure out what all is happening. This is subject to change, so I figure I'll just embed an iFrame. You'll have to view this post on HiR Information Report because I'm pretty sure most RSS readers don't like iframes. If you're trying to catch up with me at DefCon, just tag me via Twitter - Preferably via dm, but I'll check my @ replies too, if I'm not following you for some reason. I'll be around all day Thursday without a whole lot to do. If you're in town, find me and we'll talk shop or geek out.

2008-08-05

DefCon Paranoia?

I've heard rumblings and full-on details of the lengths people are going to secure their data and laptops whilst at DefCon. 


Some describe DefCon's network as "The most hostile network in the world" - be that as it may, with a bit of common sense, it's not likely to be a good reason to trade your laptop for an abacus or pen and paper.  I haven't been to DefCon in about six years.  They had wireless, and it was as uncontrolled as it comes.  Ostensibly, the hostility level could have been worse.

One thing that was missing the last time I went was the infamous "Wall Of Sheep" - A projector that exposes the login details for anyone who dares to use unencrypted services.

If you have to "lock it down" for a hostile environment, then you're probably taking the wrong security stance.  Here are a few things to consider ALWAYS. Not just for DefCon:
  • Back. Up. Your. Data. You never know when your laptop will get lost, stolen, infected, or permanently damaged.  Your best bet is to make sure you have current backups and that those backups are usable.
  • Don't store private data in the clear.  Encrypt proprietary business information, your personal identification information, bank records, and other private data that you'd rather not make its way into the hands of everyone in the world.  I recommend TrueCrypt for Mac, Linux and Windows.  Part of what makes encryption work is PROTOCOL. Just using the software isn't good enough.  Guard your data and use encryption sensibly.
  • Use Strong Passwords.  And use them properly.  Make sure your screen saver makes you authenticate, make sure the system isn't set to log on automatically, and choose a password that's hard to guess and resistant to dictionary attacks.
  • Keep your software and anti-virus up-to-date, and beware of Evilgrade.
  • Shut down services and features you don't need.  This includes bluetooth, etc.
I really don't believe there's such a thing as paranoia -- just various levels of cautious behavior. Operating in "condition red" (Living in fear, all freaked out, the world is ending!) isn't healthy.  That said, an extra layer of caution probably isn't too bad when you're sharing a network with a few thousand hackers.  If you really want to take it to the next level, here are a few ideas:
  • Use out-of-band communication. Find another hotel or use a CDMA wireless card (wireless EDGE/EV-DO broadband).  While this is no guarantee of security, it does pull you off of the hacker-trodden DefCon network.
  • Tunnel everything. Set your system-wide proxy to a localhost port (for your IM and other services as well) and then tunnel port 3128 to a remote squid server on another network (such as at your home).  This will likely slow stuff down a bit, but it'll all go over SSH.
  • Set up firewall rules to block anything that won't go through the proxy.  On Mac OS X, I installed the following rules.  I love BSD's IPFW:
Chimera:~ axon$ sudo ipfw list

01000 allow tcp from any to any established
02000 allow ip from any to any via lo*
03000 allow icmp from any to any icmptypes 8
04000 allow icmp from any to any icmptypes 0
05000 allow log tcp from any to any dst-port 22 out
06000 reject log ip from any to any
I don't believe in wiping my entire hard drive just to show up to DefCon, nor do I believe in letting fear keep me from using technology. I don't plan on spending too much time online, though. All the people I want to talk to will be right there. I'll probably just turn off WiFi and Bluetooth when they're not needed, and take notes.

2008-08-03

Black hat briefings day 2

day 2:
discussed data source injection and programing best practices. also discussed code revision and auditing policies.
tips and tricks for safe sql.


At the end we had a comprehensive test that came in three parts. The first part had two red herrings. 1 a bogus hidden form value and 2 a trick question which was hacking the testing software itself to display the hardcoded userid and password. The 2nd component was to do a sql injection on a cookie value. lastly the third part was a windows shell injection to 'deface' the page. this was all in a test environment but still very cool.


I will post more details tomorow.

Black hat briefings day 1

The briefings consist of 4 days of training then two days of conference then it rolls right into defcon.

1st day:
XSS and CSRF plus http header manipulation with Web Scarab.


links of interest:
- www.OWASP.org

2008-08-01

BlackHat / DefCon Meetup Thursday Aug 7


A bunch of BH/DC-attending SecurityTwits (and some other DefCon attendees, likely) are wondering if there'll be anything going on for those who arrive Thursday. I'll actually get into Vegas late Wednesday night, and I will be checking my Twitter (twitter.com/ax0n) frequently. You can tag me there pretty much any time on Thursday. While you're scoping out Twitter, be sure to add the official HiR Information Report Twitter Feed. I'll be live-tweeting from DefCon.

I'm proposing meeting at Kady's Coffee Shop between 7pm and 9pm Thursday evening. Kady's is inside The Riviera (where DefCon is being held this year). This should be an all-ages venue, because I know there are plenty of under-21 folks that plan on attending. After 9:00PM, those of us who wish to partake in alcohol or gambling can make plans to do so. Kady's is 24/7 so the meetup there might go later than 9pm. It may also scatter (or get kicked out?!) before that. All I can say is watch Twitter - I'll post any updates to the meetup to both feeds.

Hope to see you there!

KC 2600 & Friday Geek-Out

KC 2600 is this evening at the Oak Park Mall Food Court. I'd imagine I'll be there around 5:00PM or so. We'll probably leave to eat at 7:30 or so, then perhaps go poke around in a few of our favorite dumpsters.

By 10:00 or 11:00, we'll be at Daily Dose, geeking out. All geeks welcome. InfoTech, Anime, Sci-Fi, New Media and "hacker types" are all welcome to join. Talk about your latest pet project, get your drink on, and meet some cool (or not?) people in the process.

(jeff)isageek showed up to last week's Geek-Out and wrote up a list of local real-life gatherings extending from the social media scene in Kansas City. Check it out.

F-Secure's Reverse Engineering Khallenge

F-Secure with Assembly Organizing is putting on the "Khallenge" once again.

The concept is simple. The contest itself will probably not be...

I'm not much of a reverse engineer. Even if I was, I'm stuck at work. If you feel like taking a stab at it, go on over!