The 2009 edition of the Black Hat security conference in Las Vegas has just begun. The first interesting talk we saw was [Andrea Barisani] and [Daniele Bianco]‘s Sniff Keystrokes With Lasers/Voltmeters. They presented two methods for Tempest style eavesdropping of keyboards.

The first attack was against PS/2 keyboards. Inside the PS/2 cord, the data line isn’t shielded very well from the ground line, so all data could end up being transmitted back to the building’s electrical ground. The clock signal is also very slow compared to other signals generated by the computer. At about 10-16.7kHz, it should be easy to sample and filter out of the ground noise. They decided to monitor the ground line in an outlet 20meters from the keyboard in question. They used a ~150ohm resistor between the electrical ground and their reference ground. The reference ground was the building’s plumbing and is used to determine what’s actually noise in the electrical ground. They measured the voltage drop across the resistor and used finite impulse response to act as a bandpass filter for 1-20kHz. They were easily able to pick up the keyboard’s signal. It worked so well that they built a remote monitoring board that uses an AVR ATxmega128A1 to do the sampling and send the data over ethernet. In closing, they noted that USB uses differential signaling which should negate any leakage but the processor is more intensive and may end up being easy to pick up. They also stated that many ATMs are probably using PS/2 style keypads that leak this information.

For the second part of their talk, they covered using lasers to collect keystrokes. They pointed a laser at the back of a laptop lid and recorded the resulting vibrations just like a normal laser mic (closer to the hinge provided a cleaner signal). One of the first things they noticed was that the spacebar, being physically larger, created a very distinct signal that was much larger than all others. They used this information to determine where word breaks were. By comparing the captured waveforms to each other using dynamic time warping, they could determine the letter patterns. They then used these sequences with a dictionary to figure out what words had the same pattern and made sense in the same order. It worked quite well and they said it would go much faster if you can guess the context. They mentioned that logos on laptop lids were very reflective and worked well even in daylight and through glass.

You can find whitepapers and example code on their site.

The massive hacker camp Hacking at Random 2009 has extended their early bird ticket sales until April 14th. At EUR150, they’ve already managed to sell 1000 tickets. Every two years the european hacker community gathers together to hold a multiday camp that covers topics from hacking to art and politics. 2007′s CCCamp was largely the inspiration for this year’s ToorCamp. HAR2009 is looking for people to submit presentations, workshops, and lectures as well. They’re looking for entries that are very technology focused. The call for papers deadline is May 1st. The team is hosting a field day April 18th to tour the grounds with the various hacker villages that will be setting up. The main even is August 13-16 near Vierhouten, Netherlands.

With another hacker conference looming in front of us, it’s time to start thinking about hardware security. Hacker conventions have the most hostile network you’ll ever encounter. [Security4all] points out that 25C3 already has an extensive page on securing your hardware. It starts from the ground up with physical security, BIOS passwords, and locking down bootloaders. There’s a section on securing your actual OS and session. Finally, they cover network usage. It mentions using SSH for dynamic forwarding, which we feel is a skill everyone should have. We’ve used it not just for security, but for bypassing brainless bandwidth restrictions too. There’s also the more trick transparent version. Every piece of data you bring with you, you risk losing, so they actually recommend just wiping your iPhone and other devices before attending. It’s important to remember that it’s not just your own data at risk, but everyone/thing you communicate with as well.

The team behind 25C3 has published the first draft of this year’s schedule. The annual Chaos Communication Congress is happening December 27th to 30th in Berlin, Germany. There are plenty of interesting talks already in place. We’re spotting things we want to attend already: The conference starts off with how to solar power your gear, which is followed by open source power line communication. A TOR-based VPN, an open source BIOS, rapid prototyping, holographic techniques, and running your own GSM network are on the bill too.

We’ll have at least three Hack a Day contributors in attendance. Last year featured two of our favorite conference talks: [Drew Endy]‘s Biohacking and the MiFare crypto1 RFID crack. We hope to see you there.

Notacon has just announced their first round of talk selections. The Cleveland, OH area hacker conference will be celebrating its sixth year April 16th-19th. When we attended this year we saw talks that ranged from circuit bending to the infamous TSA bagcam. Self-taught silicon designer [Jeri Ellsworth] presented on FPGA demoing. [Trixter] covered his demo archiving process. You can find a video archive of this year’s talks here.

We’re really looking forward to the conference. [SigFLUP] is already on the schedule to cover Sega Genesis development. Get your talk in soon though; they’re already handing out space to the knitters.

• ToorCon September 26-28 San Diego, CA – In its tenth year, ToorCon has always been one of our favorites. The conference is fairly small, but features great content like last year’s fuzzing talk.
• Arse Elektronika (NSFW) September 25-28 San Francisco, CA – Happening the same time as ToorCon, this conference covers the sexual side of human and machine interaction. The device list has gems like The Seismic Dildo, which only turns on if there is seismic activity in the world.
• Maker Faire October 18-19 Austin, TX – It’s Maker Faire! In Texas!
• Roboexotica December 4-7 Vienna, Austria – The premier festival for cocktail robotics is also back for the tenth time. They’re always looking for more exhibitors. Check out our Hackit for ideas.
• 25C3 December 27-30 Berlin, Germany I think we pretty much covered all the bases on this incredible conference yesterday.

Did we miss anything?

We’re in the Defcon press room today and there’s still a buzz about these “sleazy” French reporters. We’re tunneling through our cell connection like any sane person at a security conference.

On the privacy side, FasTrak claims that all the collected data is anonymized and not kept for long (they won’t tell you how or how long). The court system still subpoenas the data from time to time, so there must be something of use in there. As AOL taught us, user behavior is incredibly hard to anonymize. In addition to the toll booths, the transponders are also polled at all offramps for the statistical traffic data presented at 511.org.

[Nate] initially purchased a transponder to explore these privacy concerns. The transponder is an RFID device with a receive and transmit antenna, a low powered Texas Instruments MSP430 microcontroller, a long life battery, and a large analog demodulation section. Usually the firmware on the microcontroller can not be read via a JTAG cable, because the manfacturer will burn a fuse to prevent it. This was not the case with the three year old tag he purchased. A more recently purchased tag did have the fuse burned. Flylogic repackaged that silicon so it could be read back; the firmware turned out exactly the same.

The transponders and readers perform no authentication. Someone could wander through a parking lot with an RFID reader and pick up the ID of every tag in the lot. They could then write their own transponder with the stolen IDs. Here’s the really bad part: the transponders support unauthenticated over the air upgrading. You can force any transponder to take on a new ID. An attacker could overwrite every tag passing a certain intersection and cause havoc in the toll system. Some have suggested that there are IDs in the system that are unbilled, since they’re assigned to administrators; these would be especially attractive to thieves.

How do we fix this system? Here’s the problem: the system is defined by California law. An update to the way things are done would take legislative action. [Nate] suggested one possible check that could be implemented to determine if the system was being exploited at this time: When a tag read fails now, the system takes a picture of your license plate so a human can determine what account it belongs to. The system could be updated to randomly take photos of cars that were reading correctly just to make sure the ID belongs to the car pictured.

As for the privacy issues, [Nate] is hoping to develop a timer circuit so you can power up the transponder only during the time you’re passing through the toll plaza. In the end though, none of the transactions with these FasTrak transponders can be trusted.

[photo: 24thcentury]

Now comes the fun part: What do you think the best use of this badge will be? Would Defcon be so cavalier as to equip everyone in the conference with a TV-B-Gone? I think our favorite possibility is if someone finds a security hole and manages to write an IR based worm to take over all the badges.

Defcon 14 introduced the first electronic badge which blinked in different patterns. Defcon 15 had a 95 LED scrolling marquee. [Joe Grand] will be posting more specific Defcon 16 badge details to his site after the opening ceremony. Check out more high resolution photos on Wired.

[Photo: Dave Bullock]

The explorers just find the videos; a separate group of scanner scripts checks the current status of videos. It checks both the new videos and ones that have been killed to see if they return. YouTomb archives every video it finds. They display the thumbnail of the video under fair use, but they’re still determining whether they can display each video in full.

YouTomb is tracking a little more than 282,000 videos right now and maintain a public MySQL snapshot for anyone that wants to build their own tools. The code is also open source. They’ve been archiving all their historical data too, all 70 million rows of it.

They’ve started trending country censorship. Germany, Poland, and France all have hate speech bans, so any video with a swastika can’t be viewed there. Thailand blocks anything that impugns the king. Crank That is blocked in 200+ countries.

YouTomb got a lot of press when it was initially released. The team feels that this is the result of a clear interface. They encourage others to take the time to present data clearly. As a final note, they pointed out that you can always file a DMCA counterclaim to get your videos restored.

[photo: mark]

In the new version, [Virgil]‘s team developed a Poor Man’s CheckUser. If you spend too much time editing a talk page, your session could end and when you hit save it attaches your IP. Most regular users will then log in and remove their IP. They found 13,000 username/IP address pairs by searching for IPs being removed and replaced with usernames. These are some of the most active users. Using this list, they could potentially uncover sockpuppets or potential collusion by top editors.

Another update to the Wikiscanner is based on the trademark database. In 2.0, companies are now associated with edits to their respective products. Link distance is also taken into account. So, pages that link to a corporation page are also tracked.

As part of a joke, [Virgil] compared a list of IP addresses that were specific to each MIT building. You can see exactly which building was editing the “tentacle rape” page. No, really, that’s a real example.

Finally, [Virgil] showed some wiki tools that others have built: a tool for building graphs from arbitrary data, a tool that shows the age of text for credibility, and another that does an overview of all page edits.