[Jason Scott] curated a nice collection of links related to [Phil Lapsley]’s work on phone phreaking. [Lapsley]’s book, The History of Phone Phreaking, will be released in 2009. Meanwhile phone phreak enthusiasts can peruse his site and bone up on some interesting material, including documents that revealed the inner workings of the telephone switchboard(PDF), and the Youth International Party Line (YIPL)/Technological American Party (TAP) FBI files(PDF), which is really intriguing for the various doodles and conversations that were documented. If you have some spare time, we definitely recommend sifting through it.
Researchers at Georgia Tech are working on a Tongue Drive System, which transforms the tongue into a tool that can manipulate computers and manage appliances and wheelchairs. This project has huge implications for the disabled, especially for those with few motor skills and limited movement. Many disabled Americans are paralyzed from the neck down, and this system could be a literal lifesaver, providing them with a method of communication and control over their own lives. Scientists have been attracted to the tongue’s potential for a long time. It provides several advantages over using other organs or appendages. It’s very sensitive, tactile, is not connected to the spinal cord, and does not usually end up being harmed in accidents. By placing a tiny magnet underneath the tongue, it’s transformed into a virtual keyboard. Sensors placed in the cheek track the magnet’s movement and processes the commands into directions for electronics, be it a wheelchair or a home appliance. We’re excited to see where this will go.
Over the weekend, a hacker broke into FEMA’s new PBX voicemail system, made over 400 overseas phone calls to Asia and the Middle East, and ran up a $12,000 bill. The low tech hack took advantage of a “hole” that was not covered when a contractor upgraded the voicemail system. FEMA is currently conducting its own internal investigation, but FEMA spokesman [Tom Olshanski] did not have any information about the contractor responsible or what specific hole was the cause of the breach. Ironically, Homeland Security, of which FEMA is a part, had issued a warning in 2003 about the very same vulnerability.
Zero Day posted a list of tools and applications that were released at Defcon 16. The applications run the gamut, from Beholder, an open source wireless IDS tool, to CollabREate, a reverse-engineering plugin that allows multiple people to share a single project. The list covers a lot of ground, and there’s a lot for hackers to play around with and explore. It’s nice to see someone bothering to maintain a list since the majority of conference tools just get lost in the shuffle and are never seen again.
While we’re sure that just about everyone has heard about the conflict between Russia and Georgia, few have probably heard about the role of cyber attacks in the conflict. Shortly before Russia’s armed response, Georgian state web servers were attacked by individuals assumed to be Russian hackers. This attack almost completely obliterated Georgia’s online presence by shutting down the website for the Ministry of Defense, and the Central Government’s main site. The Russian attackers seem to be using some form of sustained DDoS to keep many Georgian sites offline. In an effort to preserve some web presence, the Georgian Government transferred [President Mikheil Saakashvili]’s site to a US hosting provider in Atlanta. The Ministry of Foreign Affairs even created a BlogSpot page after their website initially went down. While politically motivated DDoS attacks have not been rare in past months, this seems to be the first time where the attacking party can be clearly identified. This seems to be the start of a trend where the unconventional methods of cyber warfare are used to gain an advantage over the enemy.
[pdp] provides some perspective on the news regarding the GIFAR attack developed by researchers at NGS Software. As he explains, the idea behind the attack, which basically relies on combining a JAR with other files is not new. Combining JAR/ZIP files with GIF/JPG files will create hybrid files with headers at both the top and bottom of the file and allow them to bypass any image manipulation library as valid files. While tightened security and more stringent file validation practices are advisable, the problem is larger than just a vulnerability in browser security. ZIP is an incredibly generic packing technology used everywhere, from Microsoft files to Open Office documents, and of course, in JAR files. He closes with, “any file format that is based on ZIP, you allow your users to upload on your server, can be used in an attack”
[photo: Jon Jacobsen]