In case you were wondering what industrious hacker [Joe Grand] was doing when he’s not building stuff for Prototype This!, designing Defcon badges, or testifying before congress, it’s this: The BSoDomizer is a VGA pass through device that displays an image of your choice on the victim’s screen. It can do this either periodically or via an IR trigger. The image of choice is a Windows style Blue Screen of Death. It’s powered by a watch battery. The project site has all the schematics you need plus ASCII goatse imagery; you’ve been warned. Embedded below is a demo of the device. We unfortunately didn’t get to see it when it was originally presented during Defcon 16. Read the rest of this entry »

Popular Mechanics has an interview with [Zach Anderson], one of the MIT hackers that was temporarily gagged by the MBTA. The interview is essentially a timeline of the events that led up to the Defcon talk cancellation. [Zach] pointed out a great article by The Tech that covers the vulnerabilities. The mag stripe cards can be easily cloned. The students we’re also able to increase the value of the card by brute forcing the checksum. There are only 64 possible checksum values, so they made a card for each one. It’s not graceful, but it works. The card values aren’t encrypted and there isn’t an auditing system to check what values should be on the card either. The RFID cards use Mifare classic, which we know is broken. It was NXP, Mifare’s manufacturer, that tipped off the MBTA on the actual presentation.

Zero Day posted a list of tools and applications that were released at Defcon 16. The applications run the gamut, from Beholder, an open source wireless IDS tool, to CollabREate, a reverse-engineering plugin that allows multiple people to share a single project. The list covers a lot of ground, and there’s a lot for hackers to play around with and explore. It’s nice to see someone bothering to maintain a list since the majority of conference tools just get lost in the shuffle and are never seen again.

One of the more novel talks we saw at Defcon was [Zac Franken] presenting on access control systems. He covered several different types, but the real fun was his live demo of bypassing a hand geometry scanners like the one pictured above. With the help of two assistants, 4 pounds of chromatic dental alginate, and 5 liters of water, he made a mold of his hand. The box he placed his hand in had markings to show where the pegs on the scanner are located. After 2 minutes he could remove his hand from the cavity. They then filled the mold with vinylpolysiloxane, making sure to remove all bubbles. 20 minutes later the hand was solid and passed the scanner’s test. This may not be a completely practical attack, but it does defeat the overall idea of biometrics; biometrics are built on the assumption that every person is unique and can’t have their features reproduced.

[Zac] also showed an interesting magnetic card spoofer that emulated all three tracks using coils of magnet wire. We hope to see more about that in the future.

[photo: morgan.davis]

Wired’s Threat Level takes us on a photo tour of the Defcon Network Operations Center, giving a unique behind-the-scenes perspective of one of the largest computer security conventions. The Defcon Network Operations Center is run by a volunteer group named the “Goons”. They keep operations running smoothly and securely with both high and low-tech resources, like a Cisco fiber switch and an armed guard, to protect the router and firewall.

Since last month, when the Defcon warballooning event was announced, [Rick Hill] finished building his rig and even got FAA approval for the flight. Just when everything seemed set, the Riviera Hotel management decided not to allow the takeoff from their property. So, naturally, [Rick] and his team rented a moving truck and covertly inflated the balloon inside. They launched it in an abandoned parking lot and drove through the Vegas strip. They were surprised to find that about one third of the 370 wireless networks they scanned were unencrypted.

[photo: JoergHL]

[via /.]

A collaboration of various medical researchers in the academic field has led to proof that pacemakers can be remotely hacked with simple and accessible equipment. [Kevin Fu], an associate professor at the University of Massachusetts at Amherst, led the team. [Kevin] first tried to get documentation from the manufacturers, believing they would support the effort, but they were not interested in helping. They were forced to get access to an old pacemaker and reverse engineer it. They found that the communication protocol used to remotely program the device was unencrypted. They then used a GNU radio system to find access to some of the machine’s reprogrammable functions, including accessing patient data and even turning it off.

Although this was only done with one particular pacemaker, it proves the concept and should be taken seriously by the medical companies who produce these devices. If you are interested in the technical aspects, check out the paper the team released in May disclosing the methods.

[Zack Anderson], [RJ Ryan], and [Alessandro Chiesa] were sued by the Massachusetts Bay Transit Authority for an alleged violation of the Computer Fraud and Abuse Act after copies of their presentation slides were circulated at Defcon 16. The slides give an eye widening glimpse into the massive security holes present in the Boston subway system. There are at least 4 major security flaws in the subway, which allowed them to get free subway rides by finding unlocked, back door routes into the subway, spoofing magnetic and RFID cards, and attacking the MTBA’s network. Judge Douglas P. Woodlock has issued a gag order, stopping the trio from giving the presentation at Defcon or disclosing sensitive information for ten days. However, the MIT school newspaper, The Tech, has published a PDF of the slides online. The research culminated in the trio warcarting the MTBA’s headquarters and being driven off by police.

French reporters at Black Hat crossed the line when they sniffed fellow reporters’ login info on the designated “safe” wired network. Proud of their handiwork, they were nabbed when they tried to get their spoils posted on the wall of sheep, which is used to publicly post attendees credintials. It turns out that monitoring communications without informing one of the parties involved is a felony, so although it is legal to sniff convention goers’ login info with their knowledge, hacking reporters covering the event is a no-no. An FBI agent we ran into commented that in his experience, they’d probably just turn it over to the local US attorney’s office to see if they wanted to proceed with an investigation.

We’re in the Defcon press room today and there’s still a buzz about these “sleazy” French reporters. We’re tunneling through our cell connection like any sane person at a security conference.

Defcon will once again be one-upping the sophistication of the conference attendee badges. Wired has just published a preview of this year’s badge. The core is a Freescale Flexis MC9S08JM60 processor. The badge has an IR transmitter and receiver on the front plus eight status LEDs. On the back (pictured below), there is a mode select button, CR123A battery, Data Matrix barcode, and an SD card slot. You can add a USB port to the badge and upload code to it using the built in USB bootloader. All the dev tools needed will be included on the conference CD or you can download the IDE in advance. The low barrier to entry should lead to some interesting hacks. In previous years, you needed a special dongle to program the hardware. There is no indication as to what the badge does out of the box. Releasing the badge early is a first for Defcon and the one pictured isn’t the attendee color, but we’re sure someone will still come up with a clone.

Now comes the fun part: What do you think the best use of this badge will be? Would Defcon be so cavalier as to equip everyone in the conference with a TV-B-Gone? I think our favorite possibility is if someone finds a security hole and manages to write an IR based worm to take over all the badges.

Defcon 14 introduced the first electronic badge which blinked in different patterns. Defcon 15 had a 95 LED scrolling marquee. [Joe Grand] will be posting more specific Defcon 16 badge details to his site after the opening ceremony. Check out more high resolution photos on Wired.

Read the rest of this entry »