Movies 'n' Laser Graffiti With CCCKC

Movie night was a blast! There are tons of people to thank:

  • The CCCKC Guys for setting this up
  • My pastor for letting me borrow our high-power video projector for this project!
  • All the awesome people who came out and helped us raise some funds

People watching the movie

A home-built laser persistence-of-vision pattern machine (not using the LaserTag setup we brought out)

Getting things started on the AT&T Building downtown


Watch out, there's a cop down there!  Surprisingly, the police left us alone all night.

Some videos of the Laser Graffiti in action (projected onto the brick wall at Harry's)

A game of Tic-Tac-Toe


Introduction to Proximity Cards

  1. Summary
  2. Description
  3. Hacking Projects involving proximity cards
  4. Conclusion
  5. Informative Resources

This article is intended for basic familiarization on Proximity identification cards.

Proximity cards are one of the more popular ways to keep undesired guests out of buildings while avoiding the hassle of physical keys. Just stuff the card in your wallet and swipe it against a proximity card reader pad, which beeps cheerfully, flashes a green light and the door opens. Or it politely rejects you by beeping and flashing a stern red light. Or, if you are like a few of my friends, it blinks a light and beeps in a cheerful manner and either lets you in or it doesn't. But securing buildings isn't the only thing that proximity technology is used for. Proximity technology is used in pay cards, transit cards, key cards, RFID tags and more.

1. Summary
A proximity card is a small credit-card-sized passive electronic device which is typically used for physical access control. Simple cards return a code when activated; more complex cards are basically a wireless smart card which performs an encrypted challenge-response exchange and carries stored personal information.

2. Description
So here's an explanation on how a proximity card works:

The card itself consists of a physical plastic card which contains a special wire with a coil and an IC. This is similar in concept to a smart card, except that instead of electrode pads the wire and coil take care of communication. When the card is passed in the general proximity of a reader (roughly 1 to 3 inches, usually), the reader transmits a signal which is picked up by the special circuit in the card; the card reacts by reflecting a modified signal back to the reader. The reader then transmits the result to a central control computer which either accepts or rejects the transaction and allows or denies entry (Westhues 2008)(Wikipedia 2008).

This process is called the Wiegand Effect. The special wire is made out of a mixture of cobalt, iron and vanadium, and is also known as Vicalloy. This is then cold-worked into a wire known as a Wiegand wire. The wire reacts to a magnetic field with a small burst of power which is detected by a coil wrapped around the wire. This burst of power is called a Barkhausen jump or Barkhausen Effect (Wikipedia 2008).

Simple RFID cards are configured with an ID number; part of this number is a company ID, the other part is a unique number. Each person is given a uniquely numbered card, and the card transmits that number when it encounters a carrier field from a card reader. If the user tries the card at another company, the card will transmit its code but will be rejected because the card carries a different company code (Wikipedia 2008).
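As an added example (not from the original article or any of its sources), here is what a door controller does with the ID a simple card transmits: it checks the frame, compares the company code to its own, and looks up the card number. It assumes the common 26-bit Wiegand data format sent from reader to controller (8-bit facility code, 16-bit card number, two parity bits); the site's facility code and enrolled card numbers are constructed sample values.

```python
# Added example, not from the original article or its sources: what a door
# controller does with the ID a simple card transmits. The article describes
# that ID as a company (facility) code plus a per-card number; the bit layout
# assumed here is the common 26-bit Wiegand data format sent from reader to
# controller: bit 0 even parity over bits 1-12, bits 1-8 facility code,
# bits 9-24 card number, bit 25 odd parity over bits 13-24.
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility_code: int  # 8 bits: which site/company issued the card
    card_number: int    # 16 bits: the holder's unique number


def encode_wiegand26(cred: Credential) -> str:
    """Build the 26-bit frame as a string of '0'/'1' characters."""
    if not 0 <= cred.facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= cred.card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    body = f"{cred.facility_code:08b}{cred.card_number:016b}"  # 24 data bits
    even = str(body[:12].count("1") % 2)       # makes ones in bits 0-12 even
    odd = str(1 - body[12:].count("1") % 2)    # makes ones in bits 13-25 odd
    return even + body + odd


def decode_wiegand26(frame: str) -> Credential:
    """Parse a frame, rejecting bad length, bad characters or bad parity."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("frame must be exactly 26 '0'/'1' characters")
    if frame[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed (bits 0-12)")
    if frame[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed (bits 13-25)")
    body = frame[1:25]
    return Credential(int(body[:8], 2), int(body[8:], 2))


def access_decision(frame: str, site_facility: int, enrolled: set[int]) -> str:
    """The controller's accept/reject step described in the article.

    A card from another company carries a different facility code and is
    rejected even though it transmits perfectly well; an enrolled card at the
    right site is accepted. Note that the credential is a static number with
    no secret in it, which is the flaw the article's conclusion describes.
    """
    try:
        cred = decode_wiegand26(frame)
    except ValueError as exc:
        return f"reject: malformed frame ({exc})"
    if cred.facility_code != site_facility:
        return "reject: wrong facility code"
    if cred.card_number not in enrolled:
        return "reject: card not enrolled"
    return f"grant: card {cred.card_number}"


if __name__ == "__main__":
    # Constructed sample values: this site uses facility code 42 and has
    # enrolled two card numbers.
    site, enrolled = 42, {1234, 5678}
    for cred in (Credential(42, 1234), Credential(42, 9999), Credential(7, 1234)):
        frame = encode_wiegand26(cred)
        print(frame, cred, "->", access_decision(frame, site, enrolled))
```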

ISO 14443 specifies that the signal exchanged may contain data which can be cryptographically signed. For instance, US Department of Defense badges are smart cards which contain information about the holder along with cryptographic keys for authentication and for encryption and decryption of data (Wikipedia 2008).

There are other standards, like ISO 15693, the vicinity card standard. It is functionally similar but uses a different wireless handshaking process and different radio frequencies.

3. Hacking projects involving Proximity cards

Eliot Phillips on Hack-a-Day posted an article by Jonathan Westhues which detailed how to build a proximity card reader/spoofer (Westhues, 2008). Multiple metropolitan transit systems have moved to proximity cards to increase efficiency; once again this is a form of wireless smart card. The most recent of these methods was slated to be discussed at Defcon in 2008, but the group was sued by the transit authority before they could do so. The MIFARE hack allowed for cloning of pay cards (Anderson, Ryan and Chiesa, 2008).

The Olin College Prox Card team designed a USB 1.0 proximity card reader capable of reading 125 kHz proximity cards and decoding the response information. The device used a pc micro-controller to read the proximity card information and relay it to a computer as a USB device (Olin College Prox Card Team, 2004).

4. Conclusion
Proximity cards are the entry method of choice: keys can be handed out en masse and, combined with a computerized building entry system, activated or de-activated with a minimum of physical effort. The cards themselves are convenient to the user, who can walk up to a door and hold the card within 3 inches of the pad to open it, as opposed to fishing through a large key chain.

Because the old-style proximity card systems rely on a static analog signal for identification, basic installations have a serious flaw which makes the system only about as effective as an old-style physical lock. The newer standards, which include cryptographic handshaking, are much more effective for security. As the MIFARE hack demonstrates, though, even newer systems are not immune to issues caused by improper design and implementation.

5. Informative Resources

Anderson, Zack, RJ Ryan and Alessandro Chiesa. "The Anatomy of a Subway Hack." Presentation materials from Defcon 16 (2008). www.defcon.org

The Olin College USB Prox Card Team. "The USB Proximity Card Reader." (2004). Accessed Sept 2008.

Westhues, Jonathan. "Proximity Cards." Accessed Sept 2008.

Wikipedia. "Wiegand Effect." Accessed Sept 2008.

Wikipedia. "Access Badge." Accessed Sept 2008.

Wikipedia. "ISO/IEC 14443." Accessed Sept 2008.

Social Engineering: Avoiding Storefront Solicitors

Social Engineering isn't always used for malice. In its purest form, "Social Engineering" is simply taking advantage of predictable social behavior and habits. More advanced social engineering exploits revolve around the human tendency to trust and help others whose plight sounds remotely convincing. Millions of people use some form of social engineering without knowing it. While that doesn't make them good social engineers, it does mean that pretty much anyone can do it.

A simple example is avoiding solicitors who position themselves between you and somewhere you wish to go. This can be people pushing samples on you at the grocery store, people trying to sell merchandise as you leave from concerts, and even charity fundraisers operating in front of businesses.

Your objective is simple: Get in. Get what you need. Get out. If you see someone waiting to pounce on you with a survey, goods for sale, or something else you really don't have the time for, just whip out your cell phone and act like you're having a conversation. It won't stop you from looking like a self-important jerk, but it will save you and your would-be solicitor a few seconds of your lives. Okay, the solicitor's not going to be saved any time, really, but maybe they'll find someone else to talk to who would be more responsive anyways.

Obviously, this works because in most advanced civilizations, we've been trained not to interrupt someone who is talking on their phone. In taking advantage of this habit, you can get in and out quickly (remember to whip out the phone again as you exit!) without the hassle of solicitors.

Having said that, there are some great charity organizations I believe in who position themselves in front of stores. There are also a lot of scumbag scalpers and shrewd salespeople who force their wares on you at social events. Pick your social engineering adventures wisely.


UNIX Tips: MAC Address Spoofing/Changing

I don't advocate using MAC Address spoofing for evil purposes such as:

  • Using a MAC-Address Filtered wireless Access Point
  • Deception
  • Cloning an ethernet card already in use to confuse a network
  • In order to mess with ethernet switches
  • ... Plenty of other malevolent uses ...

MAC Spoofing has several constructive troubleshooting uses:
  • Get a new IP Address from your DHCP server
  • Testing Ethernet switch port security rules
  • Troubleshooting issues with ARP
  • ... plenty of other great uses ...

The technique to temporarily change your MAC address is pretty similar across the board.  I'll go over a few systems. In any of these examples, replace IFace with the name of the ethernet/wireless interface, such as "eth0", "en1", "rausb0" etc.  Obviously, you can make the ethernet address whatever you want; the addresses I provide are arbitrary. It just has to be six pairs of hexadecimal (0-9 or A-F) digits separated by colons.  Obviously, these commands must be run with sudo or otherwise with root privileges.  Also, it helps if the ethernet interface is "down" first:
ifconfig IFace down

Mac OS X: 
ifconfig IFace ether 00:12:34:56:78:90

OpenBSD: 
ifconfig IFace lladdr 00:11:22:33:44:55

Linux: 
ifconfig IFace hw ether 00:de:ad:c0:ed:ba

FreeBSD: 
ifconfig IFace link 10:00:ca:b0:05:e5
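An added helper (not from the original post) that validates an address and assembles the ifconfig lines for the systems listed above without running anything; it also checks the two address bits that keep a made-up address from colliding with a real device. The OS keys and interface names are assumed, and the sample addresses are made up.

```python
# Added example (not from the original post): sanity-check a MAC address and
# build the ifconfig lines for the systems covered above, as a dry run.
# The OS keys below are assumed names, not anything the post defines.
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# ifconfig syntax per system, as listed in the post above.
SYNTAX = {
    "macosx": "ifconfig {iface} ether {mac}",
    "openbsd": "ifconfig {iface} lladdr {mac}",
    "linux": "ifconfig {iface} hw ether {mac}",
    "freebsd": "ifconfig {iface} link {mac}",
}


def is_valid_mac(mac: str) -> bool:
    """Six colon-separated pairs of hex digits, nothing more, nothing less."""
    return MAC_RE.match(mac) is not None


def is_safe_to_assign(mac: str) -> bool:
    """True for a unicast, locally administered address.

    Bit 0 of the first octet must be clear (a multicast address is not a
    valid source address) and bit 1 should be set, which marks the address
    as locally administered so it can never collide with the vendor-assigned
    (OUI) address of a real device on the same segment. In practice that
    means the second hex digit is 2, 6, A or E.
    """
    first = int(mac.split(":")[0], 16)
    return (first & 0b01) == 0 and (first & 0b10) != 0


def mac_change_commands(os_name: str, iface: str, mac: str) -> list[str]:
    """Return the commands to run as root: interface down, change, up."""
    if not is_valid_mac(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    if os_name not in SYNTAX:
        raise ValueError(f"no ifconfig syntax known for {os_name!r}")
    return [
        f"ifconfig {iface} down",
        SYNTAX[os_name].format(iface=iface, mac=mac),
        f"ifconfig {iface} up",
    ]


if __name__ == "__main__":
    # Made-up address with the locally administered bit set.
    sample = "02:12:34:56:78:90"
    print("valid:", is_valid_mac(sample), "safe:", is_safe_to_assign(sample))
    for os_name in SYNTAX:
        print(os_name, mac_change_commands(os_name, "eth0", sample))
```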


Adding a favicon to your hosted blog (New HiR Logo)

I thought it was about time for a logo and a favicon.

I'm no graphics designer, so it's pretty simple. Just not as simple as a block of text. 

Just because you've got a blog hosted at Blogger or even Wordpress, it doesn't mean you can't have a custom favicon logo as pictured left.  Simply make a 16x16 pixel image, use GIMP or another image tool to save it in Windows icon format (with a .ico extension), and then find a place to host the image. Flickr works, for example.  Then, in the blog HTML template, add the following block of code near the top of the template, after <head> and before </head>, replacing the URL of the HiR favicon with the URL of your image hosted elsewhere. 

<link rel="shortcut icon" type="image/ico" href="http://stuff.h-i-r.net/favicon.ico">


HiR Reading Room: Into The Breach

"Missing: 25 million child benefit records..."

"South Korean police on Sunday arrested four people over the theft of data on 11 million customers of a local oil refiner in what is being called the country's largest-ever data leak..."

Data Loss Headlines like these are enough to leave many consumers dumbfounded. Now, imagine being the director of the team tasked with protecting the data.  

Michael J. Santarcangelo, II (a.k.a. Security Catalyst) takes us Into The Breach to expose how these things happen. Usually, human error, ignorance and apathy are to blame. In both of the above headlines, data had been stored on media, and that media was later misplaced or discarded improperly. Catalyst asks "What happens when breach is only a symptom?"

The industry has responded to breach threats with Data Loss Prevention suites that disable external media and ports on computers, Network Access Control schemes that ensure only authorized computers can get on the network, and network content analysis tools.

None of these can protect all of the data all of the time. It's not because technology fails. It's because humans and business processes fail. Throwing more technology at this problem is not the only answer. Santarcangelo asserts that technology is best used to support information security in an environment where people think and act responsibly and are held accountable for information under their care. 

Furthermore, what with all the compliance buzz about electronic data, "sensitive information" has become synonymous with "data" whereas the truth is that sensitive information is everywhere: it lies within stacks of papers and as facts rattling around within peoples' heads. Breach encompasses any and all leaks, whether from attackers, a misplaced laptop or DVD, phone conversations or casual discussions in a public place. Folks, all the software in the world won't help you so long as the people who need that information lack understanding and/or accountability.

Into The Breach's sub-title is Protect your business by managing people, information and risk and that's exactly what's covered. From understanding peoples' justification for their behavior patterns and implementing The Strategy and beyond, the end result is a surprisingly concise angle on covering your ass while maximizing the effectiveness of your security budget... After all, your money goes a lot further with awareness than it does with six- and seven-figure software suites that will only serve to further mask the symptoms of a much larger systemic problem in your organization...

I got my hands on a pre-release copy of this book directly from Catalyst himself at DefCon. I'd like to personally thank him for handing over a few copies for me to pass around to colleagues and giving me a chance to get an advance peek at his work. I'm looking forward to flipping through the finished product, which likely has a little more information than the copy I've got in my hands right now.

The electronic edition of the final version is already available for the Kindle with the hardcover book hitting shelves (and Amazon) soon.

CCCKC: Hacker Super Fun Time (Beer + Movies + Lasers)

Updated info on Friday's Movie Night. This is going to take the place of anything resembling a Geek-Out night at Daily Dose.

I've written about this before, but it seems to be set in stone at a new location.

The idea is this: We're going to try to get more people together to understand what a hackerspace is, what "hackers" really do, and try to get some new recruits for Cowtown Computer Congress, a Not-For-Profit organization that is providing a space to work on your geeky projects.

Again, They're showing Hackers are People, Too and some stuff from Graffiti Research Lab... then we'll all go out and have some fun playing with a real Laser Graffiti rig if weather permits.

By the way, I had nothing to do with the naming of this party or the creation of the poster. I'm just getting the word out. :P

September 29th, 8:00pm
112 E Missouri Ave.


IT Security World Wrap-Up

I spent the first half of Wednesday in talks about compliance, then spent the rest of the day enjoying San Francisco in the daylight rather than in darkness as I had the days prior.

First things first, I went to a talk on using PCI Requirements to help drive your IT Security initiatives.  This focused mostly on the case study of one specific PCI DSS implementation and how the implementing team was able to finally get funding for common-sense security stuff in order to comply with PCI DSS. The company I work for doesn't directly do a lot of stuff in the Payment Card Industry, but it was an interesting topic with points that are directly applicable. In short: you can leverage compliance to drive security home with your executives.

The keynote for the day was from a forensic "cyber crime fighter" in the private sector. Glaring abuse of the word "hacker" aside, it was interesting to see the techniques used to help track malicious attackers, and interesting to hear about what techniques he's found in use "in the wild"... most of which boil down to social engineering attacks, and the rest of which exploited lack of policy enforcement or poor security policies to begin with. This further bolsters security awareness as a factor that people should be looking at when budgeting for security in the enterprise.  The talk itself left me with the impression that the speaker is pretty clueless when it comes to what the "hacking scene" actually is and how cyber-criminals actually evolve. Case in point: most "curious kid in the basement" type "hackers" don't eventually progress into cyber-criminals, corporate spies and terrorists.  I'm pretty sure his naive, presumptuous commentary offended more than 10% of the attendees, many of whom got our start in this industry as the curious kid in the basement, tinkering with our computers.

Last, I went to a talk on SOX compliance, how to streamline parts of the audit process, and how to understand business processes surrounding SOX compliance. It was relatively short and to the point, but a little bland.

All in all, I come back here to Kansas City with a few thoughts:
  1. The presentations and presenters were varied and for the most part entertaining enough to listen to for an hour to an hour and a half.
  2. There are some presentations I really wish I could have seen, and would have rather gone to in lieu of the ones I did attend, but I hit some presentations that are immediately relevant to my line of work. This was mostly to make my boss happy.
  3. Some of the presentations I attended specifically for my job carried very little take-away content that I can use. This makes me sad.
  4. The venue was nice. The accommodations were relatively lavish for the price (discount rate at the Marriott for conference-goers) and I really have a soft spot in my heart for San Francisco now.
  5. Maybe it's just me, but trying to network with thought leaders (what few were present) at ITSW was difficult and awkward. MISTI's attempt to add a few social elements here or there did NOT make this conference an event that fostered social interaction. Perhaps it was because managers and C-level execs have a different idea of networking than minions like me who work in the trenches all day long.
  6. It "SOXs" to get thrown headlong back into audit stuff after being in San Francisco for 4 days. :P
In closing, I must say that I would not pay my own way for this conference, even if I was working for myself as a security or audit consultant. I wouldn't mind going on the company's expense account again, but I'd likely eschew the talks that have anything to do with audit and compliance next time. I can honestly say I learned more and made more valuable contacts and friends via DefCon and the SecurityTwits list than anywhere else so far.


IT Security World Day 2: Brass & Ordinance

While I'm usually more interested in ordnance than ordinance, I must say that I loaded up pretty heavily on the managerial aspects of this conference today.

I'll have a big, huge link dump to our Delicious Page for a LOT of the links I got over the course of the conference, and they will show up via RSS if you're subscribed to our feed.

Groggily, I attended the Security Awareness talk first thing this morning, whilst drinking my first batch of tasty, french-pressed Nitro. During my time as a penetration testing consultant and in my current role in internal information security, I am constantly amazed by the lack of comprehension that people have surrounding security. Irina Piven from the US Federal Reserve Bank discussed many topics that have worked well for her organization.  This includes frequent Reminders and training, security awareness posters and even interactive games. 

After some light brunch, I went to Paul Glen's keynote on Leading Geeks.  This was among my favorites of the day. While I don't plan on becoming a manager right now, I do often find myself in less obvious leadership roles.  Here are some of my favorite points:
  1. Geeks are different from most other workers
  2. Geeks like hierarchy, they just don't like YOUR hierarchy (that is to say most prefer meritocracy over progression based on loyalty or longevity of service)
  3. Geeks are more loyal to their technology than they are to companies or managers
  4. Leaders can't provide intrinsic motivation, they can only provide a work environment that nurtures geeks' interests.
  5. Leaders should choose people who are going to be interested in a project, not those who have the most experience or most skill. Geeks acquire skills very quickly when they're interested in something.
Before lunch, I saw Craig Wright (who I met yesterday) talk about record and document retention and destruction as it pertains to various laws and regulations. This talk couldn't possibly go on without mentioning Andersen and the Enron debacle, but it drove a few good points home:
  1. You must have a document retention / destruction policy.
  2. You must try your darnedest to follow that policy, or else you'll have a hard time convincing the court that you really care about your documented policy
  3. Laws are always subject to interpretation by lawyers, jurors and judges.
  4. Tort law AND regulatory compliance both matter
I met Ira Victor (co-host of Information Security Podcast) over lunch. That was a pleasant surprise.  We talked for a while about conventions and geeky stuff (like blogs and podcasts).

After lunch, I attended Terry Behrens' talk on Identity Management. As IDM is a significant part of my current day job, I felt obliged to hit this talk. In a way, I'm glad I did. I really felt that the presentation of the content was lacking.  This talk focused on the technical details of a "roll your own" IDM solution.  That might work if you're building an enterprise from the ground up.  It did a good job covering IDM mechanics, but provided very little information for me to take back to the mothership. Oh yeah: most of Terry's "slides" were pre-drawn sheets of newsprint on an easel. An easel is great for making on-the-fly diagrams or fostering interaction with people in the session. These were used in lieu of PowerPoint slides.  I'd pretty much consider that a sin at a conference like this.

I finished up the training today by going to George Dolicker's session on making Information Security a business process. George is CISO for Lenovo (you know, the laptop guys!) and he's put a lot of effort into public speaking. I can tell.  There's way too much information for me to even scratch the surface here, but his presentation was easily the one with the most immediately-applicable information.  I barely took any notes, because everything was covered well in the slides.  Even though a lot of the information covered was for Director and CxO-level people, my favorite points are:
  1. Give "Yes, and [insert challenges here]" instead of "no, because..." answers
  2. Like brakes on a car help it go faster safely, security can enable business processes if used properly.
  3. Planning only for worst-case scenarios usually leaves a huge gap in business continuity
It was a pleasure to meet all of the speakers today. Some provided a lot more useful information than others.

All in all, today lacked a lot of serious technical content but was still very rewarding.

Again, links will come in time (it might be a few days) and I'll probably have a final ITSecWorld post on Thursday or Friday.  Tomorrow will be a light day with only three sessions.  Stay tuned!

IT Security World Day 1: Hangin' with hackers

I landed in SF Last night a little later than expected, but aside from some weather delays between Kansas City and Chicago, all went pretty well.  Google Maps' newish Transit functionality got me from SFO to my hotel quickly via BART (Note the map on my laptop). I set up mobile HQ in the room as shown below.

I also inadvertently pulled the cover off of my 10dBi wireless antenna. I always wondered what was inside. I figured I would share. It's basically just a run-of-the-mill omnidirectional antenna with a plastic sheath around it. Go figure.

Today, I went to four different tracks.  First up was Window Snyder's keynote. Window is the Chief Security Something-Or-Other at Mozilla. On top of being personable, humorous and very intelligent, she is extremely energetic and effectively conveys a lot of information very quickly.  Trying to type notes, I could barely keep up with her, and had to revert to typewritten short-hand.  This is a first for me.  Window's talk was titled "Building multi-layer defenses to mitigate threats attackers haven't thought of yet" and fundamentally, it focused on developing high-performance security teams, design patterns and product security life-cycles.  

Next up was Rich Mogull's talk on disruptive innovations and future security. I somehow didn't cross paths with Rich at DefCon, so it was nice to finally meet him. He talked about how certain technologies are disruptive and how they can eliminate or completely change the way we're currently doing things.  Case in point: virtualization is both a security enabler and a security risk, and requires security to be handled differently than you might traditionally handle individual hosts.

This led into predictions for the future of security and how technology that's in use today might evolve, and what kinds of new technologies might come out of this whole thing in the future. Some of it was logical (such as the direction that Data Loss Prevention could eventually take).  Some of it sounded like science fiction (for example: Grid Security). All of it was exciting.

After lunch, I saw Joe Grand (a.k.a. Kingpin), who I met at DefCon and was able to talk to a little more person-to-person today.  He even autographed my DefCon badge!

Joe's talk was about hardware hacking as it pertains to electronics that are responsible for information security.  While the talk was geared towards people who are even less electronically-inclined than I am (which is saying something, I'm not that talented), I still picked up some neat tricks and learned about some tools and methods that I hadn't thought of before as they pertain to circuit analysis and hardware hacking.

Last on the agenda was the Security Rock Star panel, featuring Joe Grand, Fyodor and several other high-profile security folks.  This was mostly a Q&A from the audience.

I shook some new hands, met some new people, and met some people who I've known online for a while.  I even met one guy from Australia that LinkedIn's "People You May Know" has been throwing into my list a lot lately... And that kind of freaks me out.  It was Craig Steven Wright, for those who care. I've never met him before today.

I wrapped up the day by walking a few miles and enjoying California.  I snapped the below pic of the moon over the SF Bay Bridge while I was out and about.


RSnake's Web Application Security Bookmarklets

I finally got to meet RSnake in person at DefCon 16. He's a very personable web application security thought leader among many other things. 

While some of his writings go way over my head, I've been having a lot of fun with his Firefox Web App Security Bookmarklets, little snippets of JavaScript that can tweak the way Firefox handles the page you're currently on. You simply drag the links from his page to your bookmarks bar (or, like I do, put them in a bookmark bar folder) and then go have fun.

Some of my favorites are "Edit Cookies" which gives you a pop-up to directly edit the content of the current site's cookie, and "Method Toggle", which flip-flops GET/POST methods on form submissions. It's sometimes peculiar to see how a web site handles data submitted via GET instead of POST or vice versa. This also allows you to quickly edit submitted content in the URL bar, if GET is accepted.

Tinkering with RSnake's bookmarklets is an easy way to get your feet wet in the fascinating world of web application security, and makes a good starting point for further forays into the subject.


Luggage Hacks: 1-Wire Zipper Pulls

A while ago, I got a nice piece of luggage that a neighbor was going to throw out. All the zipper pulls had broken and he'd gotten tired of dealing with it.  The zipper pulls were made of cheap aluminum and would crack as shown below. My initial response was to make zipper pulls from twine or yarn, because zippers are pretty difficult to deal with if there's no zipper pull.

Then, I got a geeky idea... I have a bunch of 1-Wire key fobs. Most of these are for two-factor authentication for various electronic vault locks (such as the Cencon S2000 and AuditLock) but 1-Wire has many different uses. Certainly, these would be not only functional but worth geek-cred points for anyone who knows what they are.

I pried open the zipper just enough to slide the key fob into place, and then clamped the zipper back with a pair of pliers.  Instant 1-Wire Zipper Pulls!

You could do the same with an old key (bonus points for using a blank or a bump key!) or many other things that can fit on a keyring. You can even replace fully functional zipper pulls with something geeky if you wish.  

I just needed functional zippers on this luggage bag for my trip to IT Security World next week. I ended up with some serious geek flair and luggage that's unmistakably my own and easy to spot.  Unlike my other luggage modifications, this one won't raise the ire of the TSA...


CCCKC Hacker Space

Frogman and I got the opportunity to see the future site of Cowtown Computer Congress. The full story and more photos are over on i-Hacked.com!

Cowtown Computer Congress is also hosting a member drive movie night.  CCCKC Movie Night details are also over at i-Hacked.  They're showing Hackers are People, Too and some stuff from Graffiti Research Lab... then we'll all go out and have some fun playing with a real Laser Graffiti rig if weather permits. 

Weekend Misc: Friday Geek-Out and ITSecWorld

A few quick things.  First: I'll actually be geeking out this evening at the Daily Dose. My wife is no longer working graveyards, though, and I can't be there every Friday.  Feel free to keep showing up and geeking out, though! It's always been pretty informal, and I'll try to be there every other week. This is your meeting, guys. I lit the fire, someone else can carry the torch if they choose. 

Also, this weekend, I'm heading out to San Fran for IT Security World 2008. I probably won't be Live-blogging anything, but I'll post daily recaps here.  Keep in mind that there are some tracks I'd like to attend which I won't be able to. Since my company's sending me, they get to choose what I go to.  If you're going to be there, let me know and we can meet up.  I'm all about networking, and rarely pass up an opportunity to find new people to bounce info-sec ideas off of. ax0n at h-i-r dot net. That's ax0n with a zero.

Got a REALLY old computer? Try PuppyLinux!

I'm a fan of ye-olde 8-bit hardware that couldn't dream of running a full-on Linux distribution. For the stuff that's just a little newer than that (think 200-600MHz), there's PuppyLinux.

Frogman introduced me to PuppyLinux when he brought a little thin client machine to the May 2600 Meeting, shown below: 

In his case, this was an x86-compatible system with Windows CE. Puppy was booting off of a low-capacity SD card, in a USB reader visibly plugged into the front of the machine.  Puppy runs as a Live distro off of a CD, and easily installs to a USB drive, compact flash, IDE, SCSI or even CD-R media. When booted from a CD, you have the option to save the state to a file on removable media as well.

I'm just trying to get some old Pentiums and Celerons off the ground and into some state of usability. Puppy nicely fills the niche between bloated distros like Ubuntu and bare-bones distros like Gentoo and Arch.  It's surprisingly friendly, surprisingly nimble, and once configured by a casual geek, would probably make a great desktop OS for the not-so-savvy.

Oddly enough, getting it installed to the internal hard drive was a head-scratcher for me.  The "Install" icon on the desktop is actually a package manager, not a system installer.  A quick RTFM pointed out the procedure nicely (hint: it's buried in the taskbar menu).  With GParted and the Universal Installer, pretty much any Windows power user can get Puppy installed with ease.

If you've got a kid coming of age and have been wondering what to do with that dusty old relic from the turn of the century, consider letting them cut their teeth on Linux. Better yet, take Puppy for a spin yourself. You just might like it. One can't have too many functional workstations, after all...


OS X: Deleting unwanted files from Time Machine

I was a goofball when I installed VirtualBox. I forgot to disable backups of my VMs. Some might want their Virtual Machines backed up, but as they're mostly just test environments, I consider them disposable. Anything important in the VM gets replicated and synced through Subversion.

The problem is when my virtual machines change, Time Machine suddenly tries to back up the entire virtual drive, gobbling as many as a few gigs of data as one file, and seriously cramping my old backups. Once I told Time Machine not to back up the VirtualBox directory, the old backups (hogging many gigs of backup space) remained on my external hard drive. Trying to get rid of them from the command-line wasn't working, as OS X puts some kind of restrictions on the file system.

The filesystem layout is pretty nifty, as shown below:

Chimera:chimera axon$ cd /Volumes/Time\ Machine\ Backups/Backups.backupdb/chimera/
Chimera:chimera axon$ ls -la
total 8
drwxr-xr-x@ 10 root staff 374 Sep 9 22:03 .
drwxr-xr-x+ 3 root staff 102 Jul 29 19:53 ..
drwxr-xr-x@ 3 root staff 204 Jul 5 18:52 2008-07-05-185224
drwxr-xr-x@ 3 root staff 204 Jul 29 22:00 2008-07-29-220053
drwxr-xr-x@ 3 root staff 204 Aug 5 21:50 2008-08-05-215007
drwxr-xr-x@ 3 root staff 204 Aug 30 16:53 2008-08-30-165311
drwxr-xr-x@ 3 root staff 204 Sep 5 23:26 2008-09-05-232659
drwxr-xr-x@ 3 root staff 204 Sep 6 11:42 2008-09-06-114242
drwxr-xr-x@ 3 root staff 204 Sep 6 21:38 2008-09-06-213829
drwxr-xr-x@ 3 root staff 204 Sep 9 22:03 2008-09-09-220316
lrwxr-xr-x 1 root staff 17 Sep 9 22:03 Latest -> 2008-09-09-220316

We won't get too deep into that, though, because it doesn't matter. The answer, oddly, was staring me right in the face... in the graphical interface... The "Delete All Backups" option shows up under the gear menu, but only when you're browsing your Time Machine backups.

Obviously, this applies to questionable content and anything else you may have inadvertently backed up, which you no longer wish to be visible through Time Machine.  Keep in mind that forensic eyes can probably see it anyway, and that erasing evidence might be just as good as admitting guilt.

I'm sure there's some way to delete the files manually via the command-line. I'm sure the problems I encountered using "sudo rm [file]" could have been resolved (for example, via xattr), but in the interest of NOT corrupting all of my backups, I guess the GUI will have to suffice for now.


Extended Filesystem Attributes: OS X

In the case of OS X, in addition to supporting BSD Filesystem Attributes (which we've covered before), there are extended attributes.

Chimera:DMG axon$ ls -la audacity-macosx-intel-1.2.5.dmg
-rw-r--r--@ 1 axon staff 3483297 Aug 24 16:09 audacity-macosx-intel-1.2.5.dmg

Notice the @ after the permissions. In OS X, that means that there are extended attributes. Have you ever run into a warning like this?

That's the com.apple.quarantine flag talking. We use the xattr command to view and manipulate these attributes.

Chimera:DMG axon$ xattr audacity-macosx-intel-1.2.5.dmg

To view the contents of an attribute, use the -p flag. I had already removed the com.apple.quarantine attribute from Audacity's DMG file, so I'll use the TrueCrypt DMG for this example:

Chimera:DMG axon$ xattr -p com.apple.quarantine TrueCrypt\ 6.0a\ Leopard.dmg

The contents of this attribute don't matter much; it's simply metadata, likely a time stamp and obviously some information about which application created the file. The mere existence of this attribute is what causes the warning.

Attributes can be created, or existing values modified, using the -w flag. As an interesting aside, data can be hidden within a file's extended attributes. You can use an arbitrary attribute name, although I don't know what maximum length exists for the attribute name or its contents.
Chimera:DMG axon$ sudo xattr -w secret.message "all your base are belong to us" \

Chimera:DMG axon$ xattr -p secret.message audacity-macosx-intel-1.2.5.dmg
all your base are belong to us

To remove the attribute, use the -d [attribute] flag.

Chimera:DMG axon$ sudo xattr -d com.apple.quarantine audacity-macosx-intel-1.2.5.dmg
Chimera:DMG axon$ xattr audacity-macosx-intel-1.2.5.dmg

Only secret.message and com.apple.diskimages.recentcksum remain. The last is an attribute containing (among other things) the checksum of the DMG file, for integrity purposes. I'd imagine it would be easy to modify manually, but I don't even know if the operating system uses this checksum upon mounting the disk image.
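As an added example (my own code, not from the post), here is a small Python audit that does two things the post touches on: it parses a com.apple.quarantine value into its fields, and it flags attribute names that are not OS-managed, since the post shows that an arbitrary name such as secret.message can carry hidden data. It assumes the common semicolon-separated quarantine layout (flags;hex timestamp;agent;uuid) and uses a constructed sample in place of the post's real values.

```python
"""Audit extended attributes for quarantine metadata and hidden user data.

Added example, not code from the HiR post. The quarantine layout
("flags;hex-timestamp;agent;uuid") is an assumption based on the commonly
observed format; the sample values below are constructed, not real.
"""
import os
from datetime import datetime, timezone

# Attribute names the post itself shows, plus the OS-managed name prefix.
KNOWN_ATTRS = {"com.apple.quarantine", "com.apple.diskimages.recentcksum"}
SYSTEM_PREFIX = "com.apple."


def parse_quarantine(value: str) -> dict:
    """Split a quarantine value into flags, download time, agent and uuid."""
    fields = value.split(";")
    if len(fields) < 2:
        raise ValueError("quarantine value too short: %r" % value)
    flags = int(fields[0], 16)                    # hex bit flags
    stamp = int(fields[1], 16)                    # hex seconds since epoch
    downloaded = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "flags": flags,
        "downloaded": downloaded.isoformat(),
        "agent": fields[2] if len(fields) > 2 else "",
        "uuid": fields[3] if len(fields) > 3 else "",
    }


def audit_xattrs(files: dict) -> list:
    """Return (path, attr, reason) for attributes that look like hidden data.

    `files` maps path -> {attribute name: raw bytes}. Names the OS manages
    are skipped; anything else is reported with its payload size.
    """
    findings = []
    for path, attrs in files.items():
        for name, data in attrs.items():
            if name in KNOWN_ATTRS or name.startswith(SYSTEM_PREFIX):
                continue
            findings.append((path, name, "non-system attribute carrying %d bytes" % len(data)))
    return findings


def collect_xattrs(path: str) -> dict:
    """Read real attributes where Python exposes them (Linux); {} elsewhere."""
    if not hasattr(os, "listxattr"):
        return {}
    try:
        return {n: os.getxattr(path, n) for n in os.listxattr(path)}
    except OSError:
        return {}


# Constructed sample, modelled on the two DMG files in the post.
SAMPLE = {
    "TrueCrypt 6.0a Leopard.dmg": {
        "com.apple.quarantine": b"0081;48c0f25a;Safari;00000000-0000-0000-0000-000000000000",
    },
    "audacity-macosx-intel-1.2.5.dmg": {
        "secret.message": b"all your base are belong to us",
        "com.apple.diskimages.recentcksum": b"<constructed checksum blob>",
    },
}
```

Run it against real files by feeding collect_xattrs() output into audit_xattrs(); on OS X, where Python lacks os.listxattr, the xattr command from the post is the collector.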

Mac OS X Internals covers many more of the attributes that are officially recognized by the operating system, as well as a wealth of other tricks with the kernel, sysctl etc, and is worth a read if this kind of stuff fascinates you.


Recover text from damaged MS Word documents

Sorry for posting so much of other people's news today, but I found this via LifeHacker and it's going to come in very handy for my own Mother (a college English professor) and several of my old co-workers at that same college. For a long time, I was the go-to guy for student data recovery, and students seemed to have a knack for really borking their Word documents, not having any backups, or bringing in files that were created by some unknown word processing suite whose native format couldn't be opened by any software in the computer labs.

Of course, my best friends for this kind of thing were usually dd and strings... not exactly user-friendly enterprise applications. I'm going to e-mail this to my mother and some old co-workers now. I can just imagine the green marks all over this article's epic run-on sentence in the last paragraph. Yes, my mother grades her papers with green ink. Less intimidating than red, she claims. Hi, mom! Love ya lots.

Download Repair My Word for free! Sorry, Windows Only.

If it's broken...

If it's broken, I can probably fix it. If it works, I can probably improve it, or I can usually break it.

The thing I like about stuff that's been written off as "broken" is that there's nothing to lose by tinkering with it. Yet, it's my thought that nothing's actually broken until I've failed to make it work again. It's just temporarily on the fritz. The photo is a Creative Zen V that one of my co-workers plopped on my desk over lunch yesterday. The fix was surprisingly easy, as the battery pack's wiring had failed. Getting the little bugger apart was as simple as some prying with a flat-head screwdriver and removing some small Phillips screws with a jeweler's screwdriver. A little bit of "creative" (pun intentional) modification to the wiring and all was right in the world again.

While improving a working process or device usually requires more than a mere modicum of grace and scientific process, the techniques one can use when working on a piece of non-functioning hardware can be as gentle or relentless as you desire. In the case of the broken MP3 player, it was more of a "here, tinker with this, it's broken" kind of a deal. I opted for a fairly gentle approach to disassembly and was able to return it to my co-worker in a functional condition. One of the buttons had cracked in half as well, remaining only as little pieces rattling around the inside of the MP3 Player case. I borrowed some clear fingernail polish from one of the ladies in my aisle to "glue" the button back together. Now, it works like new.

I apply the same method to many of my dumpster and curb-side finds, although I'll often turn around and re-sell them for a little extra geek-out cash, rather than return them to whoever discarded them.

Are you the "MacGyver", fix-all person at the office or elsewhere? What have you fixed recently?

Passive Network Tap

At the 2600 meeting in May, Asmodian X brought a passive network tap to show off. It will capture bi-directional traffic on the line, while keeping the interfaces from being able to transmit anything. It does require two separate interfaces to collect all of the data on the line, but that's a small price to pay.

I found a great set of Passive Network Tap instructions on Instructables [via Make: Blog]. This is pretty much the same design that Asmodian X had set up, but this one is mounted in a three-jack wall-outlet faceplate. Head on over and take a look!


Backtrack3 + Karmetasploit + Alfa AWUS036H - What am I doing wrong?!

All the gnarly details are in the HiR Google Group (feel free to subscribe and respond there if you like, I've added a subscribe form at the bottom of this post...)

The short version, though, is that after modifying "evilap.sh" (which comes with the karma-msf-scripts on BackTrack3) for the Alfa's RTL8187 chipset, the script seems to run fine, but things just aren't adding up. Namely, once karmetasploit is all up and running and seemingly happy, the network (named "FreeFI") shows up in "devices" on the wireless network list on OS X as shown in the above image. Similarly, I can't get Linux to actually associate to the network, either. tcpdump doesn't log any packets. I'm wondering if airmon-ng is really able to work on this adapter, or what else the problem could be. Reply in the comments, or in the forum post if you wish. Any help would be appreciated.

This has been driving me nuts for a few weeks while I search forums and mailing lists all for naught. As much as I'd rather use HiR as a place to SPREAD information, it seems like as appropriate place as any to solicit it as well.


Bruce Schneier - I don't always agree with him...

Love him or hate him, Bruce Schneier always has a fascinating take on security. Sometimes I agree. Sometimes I disagree. When I disagree, it's like a train wreck... So horrible, but so hard to look away.

I must admit, though, that his take on "Movie Plot Threats" is one issue where my stance and his line up quite closely. And he finally worded it so succinctly today that I may just have a new favorite Schneier quote:

... the very definition of news is something that hardly ever happens. [emphasis added] If an incident is in the news, we shouldn't worry about it. It's when something is so common that it's no longer news - car crashes, domestic violence - that we should worry. But that's not the way people think.

Check out the full essay, which originally was published in The Guardian.

As a culture, we've become so fraught with fear of dozens upon dozens of little specific "threats" simply because we saw that it happened or that a plot was uncovered and made the news one time. Helicopters dumping anthrax into our HVAC systems, dirty radiological bombs, splinter cells targeting kids at shopping malls on Halloween, IEDs taking out bridges, poisoned water supplies, elaborate mechanical sabotage plots (when the TSA's done a better job sabotaging our airplanes than any terrorist has) and many, many more.

It's the classic game of attacker and defender. If the defense is constantly reacting to attacks as they happen rather than identifying and stopping the attackers, the defense will end up spinning its wheels trying to make sure the old attacks aren't happening. Meanwhile, the attackers are concocting something else that no one is even expecting.

Most of the terrorists who've been caught were caught through investigating leads based on intelligence gained through slip-ups or stool pigeons within the terrorist organization. After that, the specific plots-du-jour became paradigms of terrorism. You're doing it WRONG!

The security gate at the airport is the wrong place to be identifying terrorists. Profiling individuals at a choke point is a sure-fire way to fail, whether by the metric of false positives (stopping a non-terrorist) or false negatives (allowing a terrorist). If instead of hiring people to keep liquids and toenail clippers off of airplanes, we'd put more effort into following leads, identifying terrorists, and making their lives hell (instead of making the rest of our lives hell), I think we'd be a lot better off.


New Features in OpenBSD-Current [via KCBUG]

Friend of HiR and founder of the Kansas City BSD User Group, dj_goku, has been playing with OpenBSD 4.4-current (the unstable and as-yet-unsupported branch which should be released as OpenBSD 4.4 on November 1st). In his tinkering, he's found some interesting stuff.

First and in my opinion most importantly, is the fact that WPA/WPA2 seems to be working quite well with pre-shared keys (PSK), albeit with some ifconfig tweaking. Read the KCBUG post for a solid example on how to connect with WPA-PSK and then check out the announcement of WPA/WPA2 support over at Undeadly.org.

Next, he stumbled across the "VisualHostKey" option for OpenSSH 5.1 (included in OpenBSD 4.4-current). It adds a visual "fingerprint" for SSH host keys. This should allow you to see at a glance that the host key is the same, assuming you're used to seeing the same fingerprint every time. In practice, it's just a geeky piece of command-line flair. That's what we live for, though, right?

Kansas City Info-Sec meetings this week

Thursday, September 4th, 2008 6:00PM | Cowtown Computer Congress. As far as I know, it's meeting at Javanaut at 1615 W 39th St in midtown. This will be an important meeting covering Congress Membership (which I'd imagine directly interfaces with what benefits members will get, how much it will cost, etc.) as well as more planning for the double-feature hacker party downtown later this month. Come out if you can, and RSVP to the group if you think you can make it (Google Groups sign-up required).

Friday, September 5th, 2008 5:00PM | Overland Park KC 2600. Meets at the Oak Park Mall food court. Look for laptops and black t-shirts... or something. Among other things, we'll probably be demonstrating and lab-testing wireless exploits via BackTrack3, OSWA and Ubuntu Linux. Bring any other info-sec topics to discuss. Meeting usually moves to a nearby dining establishment and possibly to a dumpster or two for treasure hunting. Then, off to the geek-out!

Friday, September 5th, 2008 11:00PM | Friday Geek-Out. Meets at Daily Dose Bar & Coffee in Overland Park, KS. This is an all-geeks-welcomed event where you can pick your poison. The Dose is flowing with beer, wine, coffee, and smoothies all ripe for the picking. Gamer? Comic Geek? Anime Geek? Hacker? Movie Geek? Bring it: questions, curiosity, problems, projects, and gadgets of all types make this a good time for all.

Google Chrome

Well, I wanted to write about Chrome, the new web browser by Google, but I can't.

In my personal life, I'm pretty much Windows-free, and when I went to check out Chrome last night, Google didn't make it clear when I'd be able to use it on a Mac, Linux, or BSD box.

"That's okay," I thought to myself, "I have Windows 2000 installed under both VirtualBox and Parallels on my MacBook." and so, for the first time in weeks, I fired up Windows 2000 and went to the Chrome website only to find out that it won't even give me a download link. Instead, I'm taunted by The Big G saying that I must be using Windows XP or Vista in order to take the newest Beta Browser for a spin. I'm running XP at work, but usually opt not to install personal apps there. I may see if I can get it working in Win2K.

My general thoughts on Chrome are that it won't significantly impact the market for quite a while, much like Opera. We'll have to wait and see. With it touting so-called "better security", it'll be a quick target for security bugs. I'm guessing several will be found.

I don't think the security-conscious folks will use it as a primary browser. Firefox has been on the market for a very long time and is a favorite among almost all of the Info-Sec professionals I know in person. Some of this is because of the various extensions such as NoScript and Firebug. Likewise, being cross-platform helps, as many of us have to use various OSs throughout the course of our work.

I'm still kind of eager to try Chrome just to see what all the fuss is about, but you'll have to wait until I find an XP box (that doesn't belong to my employer) to play with.