Secret Listening To Elevator Music

May 24, 2016 by Elliot Williams 24 Comments

While we don’t think this qualifies as a “fail”, it’s certainly not a triumph. But that’s what happens when you notice something funny and start to investigate: if you’re lucky, it ends with “Eureka!”, but most of the time it’s just “oh”. Still, it’s good to record the “ohs”.

Gökberk [gkbrk] Yaltıraklı was staying in a hotel long enough that he got bored and started snooping around the network, like you do. Breaking out Wireshark, he noticed a lot of UDP traffic on a nonstandard port, so he thought he’d have a look.

Continue reading “Secret Listening To Elevator Music” →

Facebook Open-Sources Their Capture-the-Flag Hacking Challenges

May 13, 2016 by Elliot Williams 3 Comments

If you want to learn how to defeat computer security, nothing beats hands-on experience. Of course, if you get your hands on someone’s system without their permission, you may end up having a very short training that ends with a jail term. And that’s where capture-the-flag (CTF) events come in.

A CTF is a system of increasingly-difficult challenges that can’t be too easy or too hard. A well-designed CTF teaches all of the participants stuff that they didn’t know, no matter how far they get and what skills they came in with. Designing a good CTF is difficult.

But since it’s also a competition, running one also involves a lot of horrible bookkeeping for the folks running it. Registering teams and providing login pages is the dirty work that you have to do in the background, that takes away time from building the systems which others are going to take apart.

Which is why it’s great that Facebook is opening up their CTF-hosting platform, along with a few starter challenges, for us all to play along. We love CTFs and related hacking challenges. If this spurs the creation of more, we’re all for it. You can find the whole setup on GitHub.

If you’re new to CTFs, here’s an awesome collection of CTF-related material on GitHub to get you started. And if your tastes run more toward hardware hacking, we’ve covered previous firmware CTFs, but frankly there’s a lot more material out there. We feel a feature post coming on…

Thanks [ag4ve] for the unintentional tip!

The Dark Arts: Anonymity

May 3, 2016 by Will Sweatman 34 Comments

Love him or hate him, Edward Snowden knew a thing or two about anonymity. In June of 2013, he blew the whistle on the NSA’s out-of-control programs that can target virtually anyone plugged into the digital age. The former CIA employee was working as a contractor for the NSA, where he had access to highly classified documents for many of these general populace surveillance programs. He eventually took off to Hong Kong and released the documents to a handful of reporters. One of these documents was a power point presentation of the NSA complaining about how the TAILS operating system was a major thorn in their side. Naturally, Snowden insisted that the reporters and himself only communicate via the TAILS O/S. He used PGP, which is an encryption method with the highly sophisticated title of “Pretty Good Privacy”, and asked not to be quoted at length for fear of identification via stylometry.

In this article, we’re going to go over the basics of anonymity, and introduce you to methods of staying anonymous while online.

Continue reading “The Dark Arts: Anonymity” →

I Am Satoshi Nakamoto

May 3, 2016 by Elliot Williams 74 Comments

OK, you got me. I’m not. Neither is Dorian Nakamoto, pictured above, and neither is this [Craig White] guy. Or at least, his supposed proof that he is “Satoshi” doesn’t stand up to scrutiny. Indeed, you can re-create it yourself and pretend to be “Satoshi” too.

If you haven’t been following along, “Satoshi Nakamoto” is the person or group of people who invented Bitcoin, and who holds a decent fortune’s worth of the currency. He’s been exceedingly careful at keeping his identity secret. So much so, that upon hearing another “We Found Satoshi” story in the news, we actually laughed at our wife this morning. But then it was picked up by the BBC and is forthcoming in the Economist. Serious journalism.

Well, if you read the BBC piece, they note that “Security expert Dan Kaminsky said the procedure was almost ‘maliciously resistant’ to validation.” Hint: If Dan “DNSSEC” Kaminsky can’t verify a signature, there’s a good chance it’s not the real deal.

The really embarrassing part is that this [Craig White] character claimed to be Satoshi in December 2015. If he actually were Satoshi, who is probably a cryptographic genius, do you think it would take him five months to figure out a cryptographically sound way of proving his identity? Nope.

So here’s how he did it, according to [Patrick McKenzie]’s GitHub, linked above. There is a hashed secret out there that only “Satoshi” knows. Hashes are one-way functions; they produce a number that’s easy to calculate if you know the original data, but devilishly hard to work from the hash backwards to get the data out. This hashed value is public, and part of the blockchain, so we can be pretty sure that it hasn’t been altered.

[Craig] claimed to have some text from Sartre hashed with “Satoshi’s” key, and that this proves his identity. But instead of providing the hash of the Sartre text, [Craig] apparently substituted a hash from the blockchain. When this supposed Sartre hash is validated against the blockchain, of course, it works. In short, he swapped hashes, and people failed to notice.

So I’m not “Satoshi”, and neither is this guy. Who is? The mystery continues. And given how careful “Satoshi” has been so far, it’s likely to remain so for a long while. But one thing’s for sure, when “he” does choose to reveal himself, it won’t be difficult to verify. After all “Satoshi” knows “Satoshi’s” password.

Image via the BBC, of another guy who isn’t “Satoshi”.

(Late Edit: Here’s another really nice writeup, this one by [ErrataRob].)

Reverse Engineering An ATM Card Skimmer

May 3, 2016 by Brian Benchoff 47 Comments

While vacationing in Bali, [Matt South] walked into a nice, secure, air-conditioned cubicle housing an ATM. Knowing card skimmers are the bane of every traveller, [Matt] did the sensible thing and jiggled the card reader and the guard that hides your PIN when punching it into the numeric keypad. [Matt] found the PIN pad shield came off very easily and was soon the rightful owner of a block of injection molded plastic, a tiny camera, and a few bits of electronics.

The first thing that tipped [Matt] off to the existence of electronics in this brick of plastic was a single switch and a port with four contacts. These four pins could be anything, but guessing it was USB [Matt] eventually had access to a drive filled with 11GB of video taken from inside this PIN pad shield.

An investigation of the videos and the subsequent teardown of the device itself revealed exactly what you would expect. A tiny pinhole camera, probably taken from a ‘spy camera’ device, takes video whenever movement is detected. Oddly, there’s an audio track to these videos, but [Matt] says that makes sense; the scammers can hear the beeps made by the ATM with every keypress and correlate them to each button pressed.

Of course, the black hats behind this skimmer need two things: the card number, and the PIN. This tiny spy cam only gets the PIN, and there wasn’t a device over or in the card slot in the ATM. How did the scammers get the card number, then? Most likely, the thieves are getting the card number by sniffing the ATM’s connection to the outside world. It’s a bit more complex than sticking a magnetic card reader over the ATM’s card slot, but it’s harder to detect.

Passwords? Just Use Your Head!

April 25, 2016 by Al Williams 26 Comments

Biometrics–the technique of using something unique about your body as a security device–promises to improve safety while being more convenient than a password. Fingerprints, retinal scans, and voice identification have all found some use, although not without limitations.

Now researchers in Germany want you to use your head, literally. SkullConduct measures vibrations of your skull in response to a sonic signal. A small prototype was successful and is particularly well suited for something you are holding up to your head anyway, like a smartphone or a headset like a Google Glass.

There are some limitations, though. For one thing, background noise can be a factor. It stands to reason, also, that more testing is necessary.

This looks straightforward enough that you could try your own version of it. After all, scanning veins in your hand has been hacked. We’ve even seen a biometric safe.

This Teddy Bear Steals Your Ubuntu Secrets

April 22, 2016 by Elliot Williams 20 Comments

Ubuntu just came out with the new long-term support version of their desktop Linux operating system. It’s got a few newish features, including incorporating the “snap” package management format. One of the claims about “snaps” is that they’re more secure — being installed read-only and essentially self-contained makes them harder to hack across applications. In principle.

[mjg59] took issue with their claims of increased cross-application security. And rather than just moan, he patched together an exploit that’s disguised as a lovable teddy bear. The central flaw is something like twenty years old now; X11 has no sense of permissions and any X11 application can listen in on the keyboard and mouse at any time, regardless of which application the user thinks they’re providing input to. This makes writing keylogging and command-insertion trojans effortless, which is just what [mjg59] did. You can download a harmless version of the demo at [mjg59]’s GitHub.

This flaw in X11 is well-known. In some sense, there’s nothing new here. It’s only in light of Ubuntu’s claim of cross-application security that it’s interesting to bring this up again.

And the teddy bear in question? Xteddy dates back from when it was cool to display a static image in a window on a workstation computer. It’s like a warmer, cuddlier version of Xeyes. Except it just sits there. Or, in [mjg59]’s version, it records your keystrokes and uploads your passwords to shady underground characters or TLAs.

We discussed Snappy Core for IoT devices previously, and we think it’s a step in the right direction towards building a system where all the moving parts are only loosely connected to each other, which makes upgrading part of your system possible without upgrading (or downgrading) the whole thing. It probably does enhance security when coupled with a newer display manager like Mir or Wayland. But as [mjg59] pointed out, “snaps” alone don’t patch up X11’s security holes.