Hack a Day » blackhat

POV fan EEPROM hack

Mike Szczys — Fri, 09 Oct 2009 20:00:38 +0000

Hacking with Gum got their hands on one of the persistence of vision display fans that Cenzic was giving away at Blackhat this year. It’s not the biggest fan-based POV display we’ve seen but it’s still a fun device to tinker with. They hacked into the EEPROM on the device in order to change the message the fan displayed.

This is very similar to the other EEPROM reading/writing we’ve seen recently. Hacking with Gum read the data off of the EEPROM and then disassembled it to discover how the message data is stored on the chip. This was made easier by noting the messages displayed when the fan is running. The first byte of data shows the number of words in the message, then each chunk of word data is preceded by one byte that represents the number of letters in that work. Data length was calculated based on the number of pixels in each display character. Once he knew the data-storage scheme, it was just a matter of formatting his own messages in the same way and overwriting the chip.

This is a great write-up if you’re looking for a primer on reverse engineering an unknown hardware system. If you had fun trying out our barcode challenges perhaps deciphering EEPROM data from a simple device should be your next quest.

[Thanks James]

Posted in led hacks, security hacks

Clickjacking webcast tomorrow

Eliot — Wed, 19 Nov 2008 22:20:32 +0000

[Jeremiah Grossman] and [Eric Lawrence] will be presenting on clickjacking and browser security in an online seminar tomorrow. Clickjacking allows an attacker to transparently place links exactly where a user would be clicking, essentially forcing the user to perform actions without their knowledge. This method of attack has been known for a few years, but researchers have focused their attention on it lately because they feel the threat has been underestimated. Recently, Adobe patched a vulnerability specifically because of this issue. Tune in tomorrow for more info on the attack.

Posted in news, security hacks

Dan Kaminsky’s DNS Black Hat video

Eliot — Mon, 25 Aug 2008 22:30:00 +0000

Black Hat has published the media from Dan Kaminsky’s infamous DNS vulnerability talk. You can get the full video (101MB) or just the audio.

The full archive of slides and white papers from this year has been posted too.

Black Hat 2008: NIC based rootkit

Eliot — Wed, 13 Aug 2008 18:15:00 +0000

While Black Hat and Defcon have both concluded, we’re going to post a few more talks that we think deserve attention. [Sherri Sparks] and [Shawn Embleton] from Clear Hat presented Deeper Door, exploiting the NIC chipset. Windows machines use NDIS, the Network Driver Interface Specification, to communicate between the OS and the actual NIC. NDIS is an API that lets programmers talk to network hardware in a general fashion. Most firewalls and intrusion detection systems monitor packets at the NDIS level. The team took a novel approach to bypassing machine security by hooking directly to the network card, below the NDIS level.

The team targeted the Intel 8255x chipset because of its open documentation and availability of compatible cards like the Intel PRO/100B. They found that sending data was very easy: Write a UDP packet to a specific memory address, check to make sure the card is idle, and then tell it to send. The receive side was slightly more difficult, because you have to intercept all inbound traffic and filter out the replies you want from the legitimate packets. Even though they were writing low level chipset specific code, they said it was much easier to implement than writing an NDIS driver. While a certainly a clever way to implement a covert channel, it will only bypass an IDS or firewall on the same host and not one on the network.

[photo: Big Fat Rat]

Black Hat 2008: Google Gadgets insecurity

Kimberly Lau — Sun, 10 Aug 2008 01:00:00 +0000

Black Hat presenters [Robert "RSnake" Hansen], CEO of SecTheory, and [Tom Stracener], security analyst at Cenzic, criticized Google in their presentation “Xploiting Google Gadgets”. [Hansen] and [Stracener] say that there’s currently no way for Google to confirm whether Google Gadget creations contain malicious content or not; this leaves the application vulnerable to a wide range of hacking ugliness such as data poisoning, worms, and theft of data. [Hansen] himself isn’t exactly on the friendliest terms with Google. He’s got a bit of a contentious history and he claims that Google has threatened legal action against him. Nevertheless, if what was presented is true and accurate, then Google has a huge security issue that needs to be addressed sooner rather than later. Google has not yet commented on the situation.

Black Hat 2008: What’s next for Firefox security

Kimberly Lau — Sat, 09 Aug 2008 01:30:00 +0000

Mozilla security chief [Window Snyder] made some surprising announcements about Firefox Next, Mozilla’s next major browser overhaul. In her chat at the Black Hat security conference, she introduced three new initiatives that focused on threat modeling, training, and vulnerability metrics. For the threat modeling initiative, she’s hired Matasano Security consultants to review Firefox’s code for weaknesses and recommend mitigation tactics to protect the browser from hacker attacks. This isn’t inherently unusual; what is abnormal is that the information, once the work is done, will be revealed to the public. The training initiative will have IOActive trainers working with Mozilla engineers on secure computer programming practices. At the end, according to [Snyder], online versions of the classes will be released to the public, along with the class materials. The last initiative revolves around security metrics, and is already in progress. Essentially, the project will ideally take the focus off of patch-counting and provide a better assessment of security and vulnerability issues. [Snyder] says “We’re in the early phase, working on incorporating feedback from the rest of the industry.” She also reveals some more Firefox developments, including possibly incorporating NoScript into the core browser and implementing protected mode, but they’re still a long way from becoming standard features.

Black Hat 2008: Pwnie Award Ceremony

Eliot — Thu, 07 Aug 2008 05:50:00 +0000

The first night of Black Hat briefings concluded with the Pwnie Award Ceremony. The awards reward achievements in security… but mostly failures. Notably, this was the first year anyone accepted an award in person. Hack a Day took home an early victory by producing a MacBook mini-DVI to VGA adapter (pictured above). The ceremony was fairly straight forward after that. Best Server-Side Bug went to the Windows IGMP kernel vulnerability. It was a remote kernel code execution exploit in the default Windows firewall. The Best Client-Side Bug went to Multiple URL protocol handling flaws like this URI exploit. Mass 0wnage went to WordPress for many many vulnerabilities. Most Innovative Research went to the Cold Boot Attack team. Lamest Vendor Response was won by McAfee for saying XSS can’t be used to hack a server. The Most Overhyped Bug went to [Dan Kaminsky] for his DNS vulnerability. Most Epic FAIL was won by the team behind Debian for shipping the OpenSSL bug for two solid years. Lifetime Achievement Award was won by [Tim Newsham]. Finally, the Best Song was by Kaspersky Labs for Packin’ The K!, which you can find embedded below.

Black Hat 2008: FasTrak toll system completely broken

Eliot — Thu, 07 Aug 2008 00:30:00 +0000

FasTrak is the electronic toll collection system used by the state of California. Motorists can purchase a toll transponder for ~$26 and link the serial number with a debit account to have their tolls deducted automatically. Today at Black Hat in Las Vegas, security researcher [Nate Lawson] presented not just the privacy problems with FasTrak, but why absolutely no transaction from the tag should be trusted.

On the privacy side, FasTrak claims that all the collected data is anonymized and not kept for long (they won’t tell you how or how long). The court system still subpoenas the data from time to time, so there must be something of use in there. As AOL taught us, user behavior is incredibly hard to anonymize. In addition to the toll booths, the transponders are also polled at all offramps for the statistical traffic data presented at 511.org.

[Nate] initially purchased a transponder to explore these privacy concerns. The transponder is an RFID device with a receive and transmit antenna, a low powered Texas Instruments MSP430 microcontroller, a long life battery, and a large analog demodulation section. Usually the firmware on the microcontroller can not be read via a JTAG cable, because the manfacturer will burn a fuse to prevent it. This was not the case with the three year old tag he purchased. A more recently purchased tag did have the fuse burned. Flylogic repackaged that silicon so it could be read back; the firmware turned out exactly the same.

The transponders and readers perform no authentication. Someone could wander through a parking lot with an RFID reader and pick up the ID of every tag in the lot. They could then write their own transponder with the stolen IDs. Here’s the really bad part: the transponders support unauthenticated over the air upgrading. You can force any transponder to take on a new ID. An attacker could overwrite every tag passing a certain intersection and cause havoc in the toll system. Some have suggested that there are IDs in the system that are unbilled, since they’re assigned to administrators; these would be especially attractive to thieves.

How do we fix this system? Here’s the problem: the system is defined by California law. An update to the way things are done would take legislative action. [Nate] suggested one possible check that could be implemented to determine if the system was being exploited at this time: When a tag read fails now, the system takes a picture of your license plate so a human can determine what account it belongs to. The system could be updated to randomly take photos of cars that were reading correctly just to make sure the ID belongs to the car pictured.

As for the privacy issues, [Nate] is hoping to develop a timer circuit so you can power up the transponder only during the time you’re passing through the toll plaza. In the end though, none of the transactions with these FasTrak transponders can be trusted.

[photo: 24thcentury]

Black Hat 2008: Dan Kaminsky releases DNS information

fabienneserriere — Thu, 07 Aug 2008 00:00:00 +0000

[Dan Kaminsky]‘s much anticipated talk on his DNS findings finally happened at Black Hat 2008 in Las Vegas today. [Dan] has already uploaded the complete slides from his talk as well as posted a short summary to his site. New information in the slides since our previous coverage includes “Forgot My Password” attacks and new attacks on internal network vulnerabilities as a side of effect of DNS cache poisoning. [Dan]‘s talk today was over capacity; our shot of the conference room overflow is shown above.

Black Hat 2008: EFF Coders’ Rights Project announced

jimmierodgers — Wed, 06 Aug 2008 23:05:00 +0000

The EFF has just announce the creation of the Coders’ Rights Project website at the Black Hat conference. The sites’ main goal is to centralize legal information for coders, and to help protect important security work from legal actions that may be taken against them with the DMCA and other legal black holes. While this is in no way a fully comprehensive list of everything you need to know, it looks like a good place to start, and provides a few FAQs for suggestions on how to stay in the legal clear as much as possible. At numerous points the documents suggest you speak with a lawyer, if you have any deeper questions, which you absolutely should. This can be very helpful if a person or group finds a security risk, and wants to publish it, or just wants to start looking into possible security risks.

More on GIFAR

Kimberly Lau — Wed, 06 Aug 2008 08:15:00 +0000

[pdp] provides some perspective on the news regarding the GIFAR attack developed by researchers at NGS Software. As he explains, the idea behind the attack, which basically relies on combining a JAR with other files is not new. Combining JAR/ZIP files with GIF/JPG files will create hybrid files with headers at both the top and bottom of the file and allow them to bypass any image manipulation library as valid files. While tightened security and more stringent file validation practices are advisable, the problem is larger than just a vulnerability in browser security. ZIP is an incredibly generic packing technology used everywhere, from Microsoft files to Open Office documents, and of course, in JAR files. He closes with, “any file format that is based on ZIP, you allow your users to upload on your server, can be used in an attack”

[photo: Jon Jacobsen]

The GIFAR image vulnerability

Benjamin Eckel — Tue, 05 Aug 2008 02:00:00 +0000

Researchers at NGS Software have come up with a method to embed malicious code into a picture. When viewed, the picture could send the attacker the credentials of the viewer. Social sites like Facebook and Myspace are particularly at risk, but the researchers say that any site which includes log ins and user uploaded pictures could be vulnerable. This even includes some bank sites.

The attack is simply a mashup of a GIF picture and a JAR (Java applet). The malicious JAR is compiled and then combined with information from a GIF. The GIF part fools the browser into opening it as a picture and trusting the content. The reality is, the Java VM recognizes the JAR part and automatically runs it.

The researchers claim that there are multiple ways to deal with this vulnerability. Sun could restrict their Virtual Machine or web applications could continually check and filter these hybrid files, but they say it really needs to be addressed as an issue of browser security. They think that it is not only pictures at risk, but nearly all browser content.
More details on how to create these GIFARs will be presented at this week’s Black Hat conference in Las Vegas.

DNS cache poisoning webcast

Eliot — Fri, 25 Jul 2008 02:00:00 +0000

UPDATE: Full audio of the webcast is now available

Today Black Hat held a preview webcast with [Dan Kaminsky] about the massive DNS bug he discovered. On July 8th, multiple vendors announced a patch for an undisclosed DNS vulnerability. [Dan Kaminisky] did not release the details of the vulnerability at that time, but encouraged security researchers to not release their work, if they did happen to discover the bug. On the 21st, the full description of the vulnerability was leaked.

In today’s webcast, [Dan] covered how he felt about the handling of the vulnerability and answered a few questions about it. He started out by talking about how he stumbled across the bug; he was working on how to make content distribution faster by using DNS to find the server closest to the client. The new attack works because DNS servers not using port randomization make it easy for the attacker to forge a response. You can read the specifics of the attack here.

[Dan] talked about the work that had been done since the July 8th announcement. A handful of researchers had contacted him with exact bug in hand, but as requested, did not release the information. When first announced, 86% of all servers voluntarily tested using the checker on doxpara.com were vulnerable. 13 days later, the vulnerability was published and only 52% of the people using the checker are vulnerable. That’s not perfect, but 13 days gave plenty of companies enough time to both test and roll out their patches.

[Jerry Dixon], the former Director of the National Cyber Security Division, pointed out that even though the vulnerability was eventually leaked, the patches had already been out for 13 days; this isn’t a zero day vulnerability with no fix. So, we’re in a fairly good position. That being said, even since our Metasploit announcement yesterday, they’ve pushed new module code that will take over an entire domain. Security researcher [Rich Mogull] has feels that producing this exploit code quickly was “bullshit” and “only helps the bad guys“.

[Dan] pointed out that some related work people have been doing to mitigate DNS cache poisoning using firewalls. [Michael Rash] wrote about using iptables in Linux to randomize outbound requests and [Jon Hart] covered using PF in OpenBSD. The team is actively contacting vulnerable servers to get them to patch. They’ve also advised IDS vendors to look for multiple replies with the same ID as a telltale sign of this attack.

You can check your DNS servers using the tool on doxpara.com. We’ve personally switched our machines to OpenDNS‘s servers 208.67.222.222 and 208.67.220.220. Not only did it give us some piece of mind, but the performance is way better than our ISP’s overloaded DNS.

Black Hat hackers face off in Iron Chef style competition

Juan Aguilar — Tue, 08 Jul 2008 02:40:00 +0000

Which is a better method for finding vulnerabilities, fuzzing or static-code analysis? The question will be put to the test at next month’s Black Hat USA conference, where two experienced ~~hackers~~ security researchers will be given a piece of mystery code and one hour to find all the vulnerabilities they can using one of the two methods. [Charlie Miller] from Independent Security Evaluators will use fuzzing and [Sean Fay] from Fortify Software will use static-code analysis to detect the vulnerabilities in the code. We reported on [Miller]‘s fuzzing talk while at Toorcon 9.

The pair will be allowed to use their own equipment, but they won’t see the code until the moment the showdown begins. For an added bit of fun, conference attendees are welcome to join in the contest. The audience member who finds the most exploits within the hour wins a free dinner at a new Las Vegas restaurant. But you don’t have to wait until then to weigh in; go ahead and post your thoughts on fuzzing vs. static-code analysis in the comments, just be ready to back up your claims.

Pwnie awards 2008, nominations open

Eliot — Tue, 24 Jun 2008 12:00:00 +0000

Nominations for the 2008 Pwnie Awards have opened. The annual event, in its second year, is accepting nominations in nine categories ranging from Mass 0wnage to Best Song. The awards will be presented at the Black Hat in Las Vegas in August. Linux.com covered last year’s awards ceremony.

[photo: GNUCITIZEN]
[via trailofbits]