Risk Assessment: Electronic Lock Impressioner

I've kept kind of quiet about this wonderful device. It's an electronic lock impressioner.

Barry Wels talks about the possible mode of operation on his excellent Blackbag blog. I kind of assumed that's how it worked, since it claimed to work only on Ford locks for the time being.

Meanwhile, people are freaking out, labeling it "a car thief's wet-dream."

While I could agree that this device has some potential value to nefarious ne'er-do-wells, there's a fatal flaw in the media panic: You can't steal a car by impressioning the lock.

This device will give you a series of numbers, known as a key code. If you told me the key code to a car right now, I'd honestly have no clue what that key should look like. I could look it up on the Internet, probably. But then I'd need to get out my dremel, a file, a key blank and my digital calipers. If I had a cheap key-milling machine, it might save me a little bit of time. If I spent several thousand dollars, I could get a computer-controlled machine that would simply spit out a key with the right cuts. If I was convincing enough, I *MAY* be able to trick a professional locksmith to cut a key exactly to a code, but most of them would be hesitant to do this without seeing an original key, even if it was a badly damaged one.

The barrier to entry here isn't exactly high, but it's not like you can simply insert this tool into a car door and immediately drive off with it. It's going to take quite a bit of effort or a pricey initial investment for this tool to pay off. The initial investment has already been made by licensed locksmiths who already have these tools lying around. J. Random Carthief, however, probably does not. A successful auto-theft ring MAY have these tools at their disposal. As we already know: if you're being targeted by a sophisticated attacker, it's game over. They'd probably just tow your car away, repo-man style, and break it down at a chop shop.

Let's just assume for the sake of argument that you used this device to get the key code for the car's door, and spent the time to fabricate or acquire a matching key. That's a lot of hassle, but now you can open the car's door, maybe its trunk and glove box. You could even put the key in the ignition. But you couldn't steal the car. Let me explain.

This is my car. I got it a decade ago. Do you like my license plates?

As of the time of purchase, Ford (and many other manufacturers) had already been using two-factor authentication of some variety behind the scenes for years to activate the ignition system. Long gone are the days of pulling a bundle of wires out of the steering column and touching some wires together to start the car, as are the days of simply getting a copy of the car key.

Inside many keys, there's an RFID module or some other device that's somewhat unique to the key. On snazzier cars, this is an encrypted challenge/response module that can't be easily copied. On others, it's a small handful of static "signatures" which may be easy to clone with an RFID programmer or other specialized tools. Either way, without the proper code, the car won't start. In fact, if this module is missing or un-recognized, the car will often completely disable its Engine Control Unit for a period of time, usually 10 minutes.

To provide a further layer of complexity to the issue, the end-user must provide proof of owning two separate keys in order to authorize new keys to start the car. In my case, if I had two keys and lost one, I would need the dealership or a high-end locksmith to attach a special computer to my car in order to authorize a new key. That keeps the valet guy from copying your key and activating it himself. Typically, these systems require the programmer to stay connected to the car for a period of one hour before new keys can be added. Even a miscreant would need unfettered access to your car for a whole hour in order to configure a key that works.

In short, the Electronic Lock Impressioner would give a bad guy the ability to make a key that allowed him to steal the stuff in your car, and nothing else. That person would be much better off shattering your window with a brick. In the hands of a good locksmith who has all the proper tools and skill to create a key from a key code and re-program your car's ignition system, this tool should save many hours that would otherwise be spent replacing or re-keying locks. This savings will ultimately be passed on to the customer. In my opinion, this is a revolutionary device that provides benefits to the locksmith industry as well as people who need to use their services. It does so without providing much incentive to car thieves.


Teaching curiosity

A theme that commonly comes up among security professionals and hackers:

"Is it possible to teach the curiosity that's so important to this field?"

"Can you really teach someone how to be a hacker?"

And so on. I'm usually of the opinion that curiosity is somewhat intrinsic, and that some people are just born curious, or at least their natural curiosity wasn't stifled by oppressive and over-protective child-rearing techniques. But the more I think about it, the more I believe that people can become good at it later on in life if that's what they want to do.

I was interviewed by a student today who was asking what skills one needs for my career. Hands down, the most important skill I have is Critical Thinking. Most of us use a derivative of the Scientific Method when tinkering, whether we acknowledge it as such or not. Being able to clearly communicate the results of our research is also very important.

So, to those of you who are still in school or who are thinking of going back to school, I would suggest that the following classes will help you sharpen your skills in realms that will come in handy for most analytical careers, especially in information security, programming, and systems administration:

  • Logic and Critical Thinking
  • Research Skills
  • Technical writing
  • Public Speaking
  • Elementary Debate
  • Any introductory course that provides hands-on lab time to learn the Scientific Method

There may be pre-requisites for some of these, or the need to pass an appropriate placement test, but the above courses would likely fit into any degree program you're considering, even if they go above and beyond the basic requirements for the degree. These will provide valuable skills to help you in your career path. Even if you didn't grow up with an intrinsically inquisitive nature, I believe that pretty much everyone is capable of "learning how to be curious."

Thoughts? Any other suggestions? Were there some other non-IT courses that provided you with tools you use daily?


Nominated for Best Of Craigslist

Someone want to help him out? You could get a whole bunch of VHS tapes. Hahah.

I'll pass.


Fraud and Identity Theft are not "Hacking"

[H]ard|OCP: Hacker gets record 13-year sentence for hacking.

Originally a haven for hardware hackers looking for advice on extreme overclocking, system cooling, gaming, and case modifications, you'd figure [H]ard|OCP would "get it", wouldn't you? At least one front page contributor doesn't.

I'm not one of the hopefuls that really thinks society will ever ditch its stigma against "the H word" but this story strikes several nerves for me, and continuing to sensationalize "hacking" like this is only part of it.

Max Butler (now known as Max Vision) got a whopper of a sentence, but it wasn't for "hacking," it was for multiple counts of wire fraud, identity theft, and transfer of stolen identity data. While Max undoubtedly had the mindset of a hacker for most of his life, his ethics (I'll get to that in a moment) made him a criminal. Although he was obviously brilliant and capable as a hacker, Max abused his skills to become a carder, a con man, and a low-life, deceptive criminal. Those are the things that got him into trouble. Criminals with little technical skill get busted for the same things.

More disturbing, though, is how Max came to the center of this vast arena of identity theft. With a troubled past, he emerged as a skilled security consultant with a bit of a naughty streak -- a habit that would get him thrown into the slammer (for computer fraud) after breaching government and military networks with a clever tool that would patch a well-known hole while leaving a back-door for him to use later. This is the kind of disruptive mischief that used to be associated with "cyber criminals" years ago, putting him in the same arena as Robert Morris, Adrian "The Homeless Hacker" Lamo, and MafiaBoy, to an extent.

During this 18-month stay in the pokey, he would befriend the hardened career criminals who would eventually conspire with him to create genuine financial havoc, on par with the destructive forces of those responsible for the TJX and Heartland breaches.

What do I make of it? I'm not entirely sure. It's hard telling if Max Vision would have found collaborators outside of prison and ended up on the same path, or whether prison life genuinely corrupted him. I do know, however, that no one gets arrested for "hacking."


Oh noes! Google Buzz FUD!

Silicon Valley Insider came up with this wonderful sensationalist FUD piece: WARNING: Google Buzz has a huge privacy flaw!


They recommend shutting off Buzz completely, or un-following your automagically-generated "friends" that Google "chose" for you (i.e. other Google Profiles that you exchange e-mail, Google Reader, or GTalk with). This isn't really a Buzz issue at all, though. It's been a "problem" since Google Profiles came out, it's just a lot more intuitive to see who people interact with in Google Buzz, since it's built into GMail directly now.

UPDATE: It looks like contact sharing *IS* enabled only once you sign up for Buzz. So, shame on Google? If you don't sign up for Buzz, these options won't even show up (and neither will your contacts on your Google Profile) - Thanks, Genesiswave, for pointing this out.

Oh noes! Ph34r!!!

Or, you could think rationally, and simply un-check the option to make public the list of people you interact with. Imagine that?

So, take a deep breath, log in to some Google service, then click this link to edit your profile if you're really that worried. Again, this option is only displayed once you've opted in to Google Buzz.

Relief. Whew.

Now, the followers/following links are only visible to myself. I verified this through Google Buzz and by looking at my profile page from a different google account.


IT Security Certifications: Path to payday, or just a farce?

Network World claims that security certifications are worth their cost while other certificates aren't holding their value so well.

I'm going to use Network World against themselves. You see, they also put Security Specialist/Ethical Hacker at the top of the list of the 10 best IT jobs right now.

By all metrics, IT Security careers are on the rise. Qualified pros are in demand and the pay is up. Since the majority of people who have these certificates are working in an "on the up-swing" industry, that alone could explain the reason that people who hold these certs are getting raises when non-security certs don't seem to be paying off.

Note: I don't have any certificates nor degrees, and I've had several great interviews and a few job offers already in under a month of job hunting. Some of these even listed degrees or certificates in the "Required" or "Strongly desired" category of the job postings, but it didn't keep me from getting in front of a hiring manager. It's worth mentioning that WHO you know -- your network -- is often just as important if not more so than what you know or what pieces of paper you hold.

I might take an employer up on their offer to train me and pay for certification, but I haven't seen much solid proof that you need the certificates if you have the experience, the passion, and the references to back up your skills.

What's your take? Good for getting to the top of the applicant pile from HR? Good for landing you that dream job? Good for getting a raise once you're already in the industry? Or is it just a piece of paper?

Juxtaposition - Subscription-walls

A new paper on Johnny's "I Hack Stuff" blog requires a subscription. Meanwhile, Sensepost is abandoning their "Regwall" for research papers.

I feel the same way about news paywalls, really. They don't force people to pay, nor do they keep people from getting the news. They just make sure they don't get the news from YOU.

By the way, I threw together a Google Reader "Bundle" of my favorite security feeds. If you use Google Reader (and let's face it, why WOULDN'T you?!) you can easily import these. Beware: it's over 200 RSS feeds, and can get awfully noisy at times.


Wrapping insecure web apps with Apache

Sometimes you have to deal with a web service which, for one reason or another, cannot or should not be exposed directly on the web. Apache has several wonderful modules which allow such a service to be wrapped so that it behaves like a web app should (working SSL certificates, forced encryption, authentication ...).

In this article I will discuss and show some examples of how to create an authenticated reverse proxy with mod_authnz, mod_proxy, mod_rewrite and mod_security.

1. Prerequisites
2. Installation of Apache
3. Configuration of Apache
4. Configuration of mod_rewrite
5. Configuration of mod_proxy
6. Configuration of mod_authnz (optional)
7. Configuration of mod_security
8. Summary
9. Informative Resources

1. Prerequisites

In this example you will need:

  • Ubuntu Linux
  • LDAP compatible server with valid SSL certificate
  • Apache2
  • Wildcard ssl certificate or valid certificates for each service published
  • Apache mod_rewrite
  • Apache mod_proxy
  • Apache mod_authnz
  • Apache mod_security

2. Installation of Apache
Install Apache2 with your favorite package manager or at the prompt:
sudo apt-get install apache2

3. Configuration of Apache
Then create a new config file for each of your new relays.
Inside of the virtual host tag:
UseCanonicalName Off
LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
# In case you have a self-signed certificate on the LDAP server.
# Note: LDAPVerifyServerCert is a global (server config) directive, so if Apache
# refuses it inside the vhost, move it to the main config. Turning it off also
# means the ldaps:// connection no longer checks who it is talking to.
LDAPVerifyServerCert off
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/generic/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/generic/example.com.key
ServerName weirdone_wrapped.example.com
CustomLog /var/log/apache2/access_log.relay-weird.vhost vcommon

4. Configuration of mod_rewrite
(mod_rewrite is included with apache2)
To enable mod_rewrite:
a2enmod rewrite
Then add the following to the virtual host that receives plain HTTP (port 80) traffic, to redirect it to HTTPS:
RewriteEngine On

# Force HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]

5. Configuration of mod_proxy
First install additional mod_proxy:
sudo apt-get install libapache2-mod-proxy-html
Then enable the modules:
a2enmod proxy proxy_connect proxy_html proxy_http
Insert the proxy section and commands into the SSL (port 443) vhost section:
<Proxy *>
Order deny,allow
</Proxy>
ProxyPreserveHost On
ProxyPass / http://weirdapp.example.com:50281/
ProxyPassReverse / http://weirdapp.example.com:50281/
6. Configuration of mod_authnz (optional)
First install mod_authnz:
apt-get install libapache2-mod-authnz-external
The LDAP provider itself ships with the apache2 package; enable it with:
a2enmod ldap authnz_ldap
Then insert the following into the <Proxy *> block for LDAP authentication of the connection:
AuthType Basic
AuthBasicProvider ldap
AuthName "Please authenticate your connection using your network login."
# Some LDAP servers will reject un-encrypted simple authentication, plus this is
# just a good idea anyway. Complete the URL with your directory host, search
# base and user attribute.
AuthLDAPURL "ldaps://" SSL
AuthzLDAPAuthoritative on
# Use a dedicated, read-only directory account here; "password" is a placeholder.
AuthLDAPBindDN cn=authbot,ou=users,o=org
AuthLDAPBindPassword password
AuthLDAPRemoteUserAttribute uid
AuthLDAPRemoteUserIsDN on
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group cn=Staff,ou=groups,o=org
Satisfy All

7. Configuration of mod_security
First install mod_security:
apt-get install libapache-mod-security
Then enable it:
a2enmod mod-security
mod_security is fairly tricky; I am using a default configuration, but I am only logging errors and not preventing them. Configuration beyond this is outside the scope of this article.

Edit /etc/apache2/mods-available/mod_security.conf and use the configuration example in
"/usr/share/doc/mod-security-common/examples/" as a template.

If it proves to be too restrictive, you can switch the line which says:

SecRuleEngine On

to:

SecRuleEngine DetectionOnly

8. Summary
So, after this is installed, Apache will listen on a static IP, then relay a website to the end user over SSL after authenticating the connection with an LDAP server. And if anything fishy happens, it will be logged (or blocked) by mod_security.

This is not a 100% silver bullet solution. Apache HTTP Basic authentication is generally a bad idea, since the credentials are re-sent with every request, and especially so over an unencrypted session. In this example it is partially mitigated by the mod_rewrite redirect to HTTPS, but at this time Apache does not natively support any modern authentication technologies with hooks for LDAP or any other authentication service. If you have the opportunity to avoid the need to do this, then make it so.

The best way is to do it right the first time and write into your web application (or specify in the RFQ) the correct security measures.
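As an added check (not part of the article), here is a small Python audit that parses a vhost like the one assembled above and flags the settings the summary warns about: HTTP auth without SSL, an open forward proxy, a plain ldap:// bind, LDAPVerifyServerCert off and mod_security left in DetectionOnly. The sample config, its <Proxy *> container and the ldap.example.com host are constructed assumptions, not the article's own file.

```python
"""Audit an Apache relay vhost for the settings this article relies on."""

# Constructed sample (not from the article): its directives merged into one
# SSL vhost, with three settings deliberately weakened to exercise the checks.
# The <Proxy *> container and the directory host are assumptions.
WEAK_CONFIG = """
# LDAPVerifyServerCert is a server-wide directive, so it sits outside the vhost
LDAPVerifyServerCert off
<VirtualHost *:443>
    ServerName weirdone_wrapped.example.com
    SSLEngine On
    ProxyRequests On
    ProxyPreserveHost On
    <Proxy *>
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.com/ou=users,o=org?uid"
        Require ldap-group cn=Staff,ou=groups,o=org
    </Proxy>
    ProxyPass / http://weirdapp.example.com:50281/
    ProxyPassReverse / http://weirdapp.example.com:50281/
    SecRuleEngine DetectionOnly
</VirtualHost>
"""


def parse_directives(text):
    """Yield (name, value) pairs; container tags and comment lines are dropped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            yield name.lower(), value.strip()


def audit(text):
    """Return findings as 'LEVEL: message' strings for the given config text."""
    directives = list(parse_directives(text))

    def val(name):
        # first value of a directive, or "" when it is absent
        return next((v for n, v in directives if n == name), "")

    findings = []
    if val("authtype") and val("sslengine").lower() != "on":
        findings.append("ERROR: HTTP authentication without SSLEngine On; "
                        "Basic credentials would cross the wire in the clear")
    if val("proxyrequests").lower() == "on":
        findings.append("ERROR: ProxyRequests On makes the relay an open forward "
                        "proxy; a reverse proxy needs ProxyRequests Off")
    url = val("authldapurl")
    if ("ldap" in val("authbasicprovider").lower() and "ldaps://" not in url
            and not url.endswith((" SSL", " TLS"))):
        findings.append("ERROR: AuthLDAPURL uses plain ldap:// without SSL/TLS; "
                        "the bind password and user credentials go unencrypted")
    if val("ldapverifyservercert").lower() == "off":
        findings.append("WARN: LDAPVerifyServerCert off accepts any certificate "
                        "from the directory, so the ldaps:// session can be spoofed")
    if val("secruleengine").lower() == "detectiononly":
        findings.append("INFO: mod_security is in DetectionOnly mode: logging, not blocking")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
```

Run it against your real vhost file by passing its contents to audit(); an empty list means none of the five weak settings were found.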

9. Informative Resources

Breach Security, "Mod Security home page" (accessed April 2009).

The Apache Software Foundation, "Apache webserver website" (accessed Jan 2010).

See also:
Asmodian X's "Securing PHP web applications"
Ax0n's OAMP (Apache, MySQL, PHP on OpenBSD) article
Asmodian X's name-based hosting mini-howto
Asmodian X's Workbench: Suhosin

Via Adrian Lamo's Twitpic...

Challenge/Response in real life. No, it's not photoshopped.


Guest post: Fonera Power-Over-Ethernet

Editor's notes:
This technique should be useful for short runs of ethernet (6' or less) and to power pretty much anything that needs 5VDC and doesn't require a lot of current. I've seen USB ports provide up to one amp of current, though it's usually advised to keep it under 500mW. If you have a dual-USB Power/Data cord like the ones that come with external 2.5" hard drives, I'd advise using that to help get more power to the Fon, but there are several people running USB power directly to the Fon, and it seems to work fine. This is the first time I've seen a POE injector/splitter used in combination with USB before. Pretty clever.

This is a guest post by cyb3rassasin, a student in the midwest that's interested in security technologies. You can follow him on Twitter.

Okay, so I’m sitting in the coffee shop with my LaFonera router in front of me, and my netbook on my lap. I look at my fon just sitting there with its 4 AA battery pack, pondering how else I could power this little guy. A battery pack is bulky, and I don’t really want to have to carry a wall wart with me everywhere I go.

So the options that come to mind are usb power, battery pack, and power over ethernet. The first two aren’t bad ideas but I was kinda looking for something a little more compact and cleaner. I decided to look at some PoE injectors/splitters because they’re inexpensive and compact.

The only problem I could foresee is again I'd have to carry a wall wart around with me. Then I thought why not cut the power adapter off the injector and replace it with a usb plug. It would be simple, clean, and I'd only have to have one cable running to the fon. The Fon can run from 5VDC just fine.

I decided to pick up a set of PoE cables from Passive PoE. I grabbed a usb cable from an old phone that I had, I chopped the end off and stripped all the wires. I then cut the power plug off of the injector and stripped the two wires. (Note: the copper is ground and the red is positive.)

Now, don’t make the same mistake I did: put the heatshrink on the injector before soldering the usb plug and the injector together. I soldered up the connections, wrapped each individual connection in electrical tape, and heatshrunk it.

Before testing this with my fon, I thought it would be a good idea to make sure I got the polarity correct. I plugged the injector into my netbook, hooked up an ethernet cable, and then attached the splitter. I took a multi-meter to the splitter and sure enough, I had the polarity right. Center pin: positive 5VDC, outer barrel: negative.

Now it’s time to take a leap of faith and plug in my fon, and woot! It works!

So now I successfully have a compact way to power my fon via usb and PoE. I've found one downside to this: it drains my netbook battery faster than if I would use a battery pack. Other than that, this is an effective alternative way to power the fon.

cyb3rassasin also showed me the Open-Mesh mini router, which seems to be nearly identical to the original Fon2100 shown here. Since the Fon2100 is no longer available new from the manufacturer, and the newer hardware isn't as friendly for things like Jasager/Karma, it's nice to know there is still a comparable piece of gear out there to take its place in our hackpacks. Long live evil wifi! Here are some photos he sent us, comparing the Open-Mesh and the Fon2100.