iPhone. Single. Looking to make friends on any network.

I'm at SFO, connected to the public wifi, and in the span of 15min have already denied my MacBook Pro Lion from connecting to over 40 iPhones and iPads. What's going on?

Being a geek, a security geek, and slightly paranoid about what's going on in my laptop, I use a wonderful little utility called Hands Off! This app enables me to control network and file operations on a per program basis. Since connecting to the SFO wifi I'm being bombarded with pop-ups like this one:

According to this site, usbmuxd is the "USB Multiplex Daemon. This bit of software is in charge of talking to your iPhone or iPod Touch over USB and coordinating access to its services by other applications."

Other posts link this to iTunes and iPhone/iPad synchronization. I don't own an iPhone (it's a nice device but I love my Nexus S), do have an iPad, and am not currently running iTunes. Still my laptop detects all sorts of devices on the network.

I wonder if the owners realize they're broadcasting their names loud and clear?

The next step is to connect to some of these devices to see what they say. Unfortunately I have a flight to catch!

Locking down Apple's new Find my iPhone / iPad

Kudos to Apple for making this service free, it's well worth enabling.
However to make sure you're properly protected there are a few changes
you should make in Settings.

Enable Passcode Lock and, optional but recommended, Auto-Lock.

Next enable restrictions and disable deletion of apps and accounts.
This will prevent thieves from nuking your MobileMe account or your
Find my iPhone / iPad app.

Defcon Day Two Highlights

If there was a theme to the presentations I saw on Saturday, it's that as a technology is increasingly closed, its security decreases exponentially. The solution is sunlight: bring the products and their vulnerabilities out in the open. Yes, it does mean running the risk of vulnerabilities becoming known. But it's the only solution we've found that actually produces fixes. An obscure, insecure product helps only the black hats.

Insecurity Engineering of Physical Security Systems: Locks, Lies, and Videotape by Marc Weber Tobias, Tobias Bluzmanis, Matt Fiddler
A good example of this was a talk by three locksmithing experts. Though their preamble was too long, the main part of the presentation was fascinating. They showed how to break five different types of locks, from a re-keyable mechanical lock to a fingerprint-reading lock. All were defeated with simple attacks, some so simple that they beggared belief. The fingerprint reader, for example, has a standard bypass lock in case the reader's battery runs out... With the insertion of a paperclip in the bypass lock, it opened like a charm. Wired has a great writeup, including videos.

Extreme-range RFID Tracking and Practical Cellphone Spying by Chris Paget
Chris gave two great presentations. The first showed how to read RFIDs at ranges of a couple hundred feet; the second focused on how to build your own GSM base station. Both talks were full of technical information and Chris did a good job of clearly walking us through the steps he'd taken. The GSM talk was fascinating. In essence, it is surprisingly easy not just to create your own base station (cost ~$3,000) but also to spoof an existing carrier such as AT&T. When audience cellphones connected, Chris' fake tower would instruct them to drop encryption (a fact that handsets don't advertise to their users, BTW), enabling the capture of phone conversations. While this currently only worked for outbound calls, it was still an impressive demonstration. One solution? Switch to 3G, it's a lot more secure than 2G.

We Don't Need No Stinkin' Badges: Hacking Electronic Door Access Controllers by Shawn Merdinger
This pres was a good example of the evils of security by obscurity. Electronic door access control is ubiquitous throughout the business world, yet these systems are usually run by building management. These folks may know a lot about physical security, but not information security. The result? Vendors supplying shockingly insecure systems that are never patched. Shawn focused on a product by S2 Security but claimed many competitors also had flaws such as insecure default configurations, full access to nightly database backups, an unprotected URL to reset the device to factory defaults, vulnerable software components, etc. etc. etc. Basically, if your company's door access controller is on a network (an internal one, hopefully!), you had best isolate it as much as possible. To my knowledge Shawn hasn't uploaded his pres anywhere, but here are the four S2 CVEs he submitted.

You're Stealing It Wrong! 30 Years of Inter-Pirate Battles by Jason Scott
A lighter look at the history of pirate groups and much much more. Scott, a computer historian and Defcon regular, gave a highly entertaining presentation and provided a wonderful trip down memory lane for many an audience member (myself included!). We gave him a standing ovation at the end of his speech (something I've rarely seen at Defcon). Jason, make sure you come back next year. Oh, and if you, dear reader, have old computer stuff you want to get rid of... Don't! Send them to Jason instead.

Malware Freak Show 2: The Client-Side Boogaloo by Nicholas J. Percoco and Jibran Ilyas
These two gents from Trustwave demo'ed four examples of malware found at client sites over the past year. Five years ago, they said, attackers focused on "smash and grab": find a vulnerability, exploit it, get as much info as you can, get out. Nowadays attackers are writing custom targeted malware that stays under the radar, allowing them to slowly infiltrate their victims' networks. Not sure what their sample size was but they claimed that on average malware infiltrates a site for 156 days before being detected. That's a long time.

Jackpotting Automated Teller Machines Redux by Barnaby Jack
Arguably the most talked about presentation at Black Hat and Defcon, Jack blew the doors wide open on ATM security. There are a lot of articles about his talk on the net, so I won't repeat it here. Jack basically found a number of vulnerabilities in these Windows CE devices (yes, Windows CE), including a remote exploit allowing him to reprogram the ATM. One of the most dramatic moments of his pres came when, in a matter of seconds, he popped open an ATM (cabinet master keys are apparently trivial to obtain), inserted an SD card with his own code, and power cycled the machine. Once the ATM booted you can see what appeared on the screen below and watch the video to see what happened next!

Defcon Day One Highlights

While a few of Friday's talks contained little new, original, or useful information (disappointingly the former Facebook CSO's talk was particularly inane), the majority of the presentations were interesting. A few were eye-opening. Here are some short summaries of my favorites.

Crawling Bittorrent DHTs for Fun and Profit by Scott Wolchok
Scott presented his research on creating a very comprehensive database of Bittorrent Distributed Hash Tables. Suffice it to say that his approach and findings will unfortunately prove very useful to record companies if they aren't already using these techniques. File sharers beware!

The Law of Laptop Search and Seizure by the EFF legal team
This talk focused on what law enforcement can and can't do (but may still try to get away with!) when seizing your laptop. There were a lot of details presented... orally. EFF, why no presentation? A few key points from my notes (oh, and in case you hadn't realized: IANAL!)
  • In general law enforcement can't just take your laptop and search it, your rights are protected by the fourth amendment
  • If law enforcement does want to search your laptop they need a warrant or you need to fall into an exception category such as: you have a public share on your computer, you're sharing via P2P, you've given consent, there's immediate danger that you might destroy the info, etc.
  • You can revoke consent at any time (i.e. if you first let law enforcement look at your laptop, you can change your mind)
  • If there are multiple users of a computer, any one of them could give consent, though courts have recognized that this consent only goes so far as the authorizing user has access (though the forensic tools they use make no such distinctions... Beware!)
  • All searches that occur at a border are considered reasonable. No suspicion is needed for any searches to occur, nor is a warrant needed (in other words: your rights go out the window!)
  • You cannot be forced to give over your encryption keys, courts have found that this is a fifth amendment right, and the gov't hasn't appealed this decision
  • Remote Computing Services, e.g. online backup or file sharing (like the very useful Dropbox). It is very easy for the gov't to get this data. They just need a subpoena, sometimes not even that. Probable cause isn't required, since searching these cloud-based files often is how the gov't shows probable cause. They're not required to notify you within a reasonable time frame
  • Electronic Communication Services, e.g. online mail services like gmail. Your data is only protected for the first 180 days. After that the gov't doesn't need a warrant to get access to this info. However the gov't doesn't think this law applies to emails you've read, drafted, and sent. This is being appealed and the DoJ is fighting it. The EFF, ISPs, and others are trying to get a better law passed, maybe next year (the sooner the better!)
  • The EFF's advice: POP your mail, don't leave it in the cloud, and avoid online backups if possible

Lord of the Bing: Taking Back Search Engine Hacking from Google and Bing by Rob Ragan and Francis Brown
The most interesting talk of the day. These guys have taken google search engine hacking to a whole new level. Very creative. Sadly I haven't found their presentation online but the tools they wrote are. One of my favorite sections focused on combining google hacking with custom searches into a massive RSS feed for real time updates of vulnerable sites crawled by google. I'm sure we haven't heard the last of this...

Weaponizing Lady GaGa, Psychosonic Attacks by Brad Smith
Brad is an excellent speaker and by far the most entertaining of the day. He discussed the uses and misuses of psychosonics: the generation of (generally undetectable) sound patterns designed to alter a target's state of mind. One of the funniest parts of his speech came when he listed the top 10 sonic torture songs... :-)

Hacking the Defcon 18 Badge

Since its 14th edition, Defcon has had electronic badges. Hardware wizard Joe Grand (he and I both worked at @stake a long time ago, though in different offices) creates these masterpieces and unleashes them on the thousands of people who descend upon Las Vegas every year for this oldest of the US hacker conferences, now in its 18th incarnation.

Befitting this conference, the badges have all sorts of hidden capabilities, easter eggs, etc. One of Defcon's many challenges is to find these backdoors. This year's badge is no exception. It sports an LCD panel for the first time ever, and pressing its buttons causes all sorts of cryptic (and some not so cryptic) behavior.

One of the badge's challenges is to crack "Ninja mode", which you have to enable by picking an electronic lock consisting of fifteen tumblers, each one with three states (3^15, or just over 14 million combinations).

I had fun with this one. I was making slow, steady progress until I thought of exploring the Defcon CD... Bingo! Joe was thoughtful enough to include a full development environment for the badge, as well as the source code to the firmware! From that point "hacking" became a simple exercise in reverse engineering the code. I won't give the key away but I will say that Wolfram|Alpha proved very useful for quick conversions between binary, trinary, and hexadecimal.

In retrospect I should have looked at that CD much earlier :-)
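The arithmetic behind that lock, as an added example that is neither from the post nor from Joe Grand's badge firmware: if the fifteen three-state tumblers are read as the digits of a base-3 number (an assumption about representation made for this example, not the badge's actual encoding), the key space is 3^15 = 14,348,907 combinations, which fits in 24 bits, and the trinary/binary/hex conversions mentioned above are a few lines of Python rather than a trip to Wolfram|Alpha. The sample configuration in the block is constructed and is not the key.

```python
TUMBLERS = 15          # tumblers in the badge's electronic lock (from the post)
STATES = 3             # positions per tumbler (from the post)
DIGITS = "0123456789abcdef"


def keyspace():
    """Number of distinct tumbler configurations."""
    return STATES ** TUMBLERS


def tumblers_to_int(positions):
    """Pack tumbler positions (leftmost most significant) into one integer.

    Treating the lock state as a base-3 number is this example's assumption.
    """
    if len(positions) != TUMBLERS:
        raise ValueError("expected %d tumbler positions" % TUMBLERS)
    n = 0
    for p in positions:
        if not 0 <= p < STATES:
            raise ValueError("tumbler position out of range: %r" % (p,))
        n = n * STATES + p
    return n


def int_to_tumblers(n):
    """Inverse of tumblers_to_int; rejects values outside the key space."""
    if not 0 <= n < keyspace():
        raise ValueError("value outside the %d-combination key space" % keyspace())
    positions = []
    for _ in range(TUMBLERS):
        n, p = divmod(n, STATES)
        positions.append(p)
    return positions[::-1]


def to_base(n, base):
    """Render a non-negative integer in base 2..16 (trinary for the lock, hex for firmware)."""
    if not 2 <= base <= len(DIGITS):
        raise ValueError("unsupported base %d" % base)
    if n == 0:
        return "0"
    out = []
    while n:
        n, d = divmod(n, base)
        out.append(DIGITS[d])
    return "".join(reversed(out))


def from_base(text, base):
    """Parse a digit string in the given base (int() accepts bases 2..36)."""
    return int(text, base)


def bits_needed():
    """Bits a firmware needs to hold one lock state: 24 for 3^15 combinations."""
    return (keyspace() - 1).bit_length()


if __name__ == "__main__":
    state = [2, 0, 1] * 5               # constructed configuration, not the real key
    n = tumblers_to_int(state)
    print("key space:", keyspace(), "bits:", bits_needed())
    print("trinary:", to_base(n, 3), "hex:", to_base(n, 16), "binary:", to_base(n, 2))
    assert int_to_tumblers(from_base(to_base(n, 3), 3)) == state
```

The usefulness of the trinary form is that its digits are the tumbler positions themselves, so a value pulled out of the firmware in hex can be turned straight into a sequence of button presses and back.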

The Gashlycrumb Terrors by Laura Pearlman

I love the winner of this year's Movie Plot Threat Contest, security expert Bruce Schneier's attempt to make us realize that we often overreact to highly unlikely scenarios, taking steps that curtail our own freedoms without making us any safer.

In Laura's own words "The challenge in this year’s contest was basically to create a story that would frighten small children into obeying their government without question".

A is for anthrax, deadly and white.
B is for burglars who break in at night.
C is for cars that have minds of their own
    and accelerate suddenly in a school zone.
D is for dynamite lit with a fuse.
E is for everything we have to lose.
F is for foreigners, different and strange.
G is for gangs and the crimes they arrange.
H is for hand lotion, more than three ounces;
    let’s pray some brave agent soon sees it and pounces.
...

Read the rest on Laura's blog.

Well done Laura, hope this does get illustrated!

AUSTIN - A PalmOS Vulnerability Scanner

About three years ago I wrote a vulnerability scanner for the Palm OS named AUSTIN. It was just a fun side project and after presenting it at Defcon 11, I forgot all about it.

But recently a few people started asking me for the code. Turns out that the Defcon 11 site has my slides, the audio of my presentation, and even the video! But no code, even though I gave it to the organizers. [I wish defcon didn't use Real media formats, they're so annoying to convert. To do so, grab the RTSP stream with a downloader like Offline Explorer Pro and use SUPER to convert it (See my post on video conversion).]

So without further ado, for anyone interested, here is the code to AUSTIN - a PalmOS Vulnerability Scanner.

Caveat emptor:

  • It was written to PalmOS 3.5.2 on a Treo 300 (160x160 screen). I don't know how it will fare on OS 5 Palms.
  • It was written with PocketC, I don't know whether the latest version will still run this code.
  • It works but is fairly basic and may even have some bugs (shocking, I know ;-)
  • It's GPL licensed.

If you end up finding it useful, please post a comment below and tell me what you're doing with it...