This is a picture of MI6 headquarters. The people in that building are quite curious how a camera loaded with super mega secret stuff was auctioned off on eBay. Well, maybe they are more curious as to whom was doing the selling and how they acquired the camera. They’re investigating it now.
[youtube=http://www.youtube.com/watch?v=aaxSF9EOjxw]
Watch in wonder as forensics expert [Jonathan Zdziarski] takes you step by step through the process of bypassing the iPhone 3G’s passcode lock. Gasp in amazement as he creates a custom firmware bundle. [Jonathan], creator of NES.app a Nintendo emulator for the iPhone, is well respected for his work on opening the iPhone. In this presentation, he sheds some light on the forensics toolkit he helped develop for law enforcement agencies that we covered earlier.
A few days ago a lone individual decided to crack [Governor Sarah Palin]’s private Yahoo! email account. He did this by navigating the password reset procedure. [Gov. Palin]’s birthday was publicly available and Wasilla only had two zip codes to guess. The follow up question “Where did you meet your spouse” required some more research. They met in high school so a few more guesses turned up “Wasilla high” as the answer. The original poster then read every single email only to discover that there really wasn’t anything of interest there. Frustrated, he posted the details to 4chan to let any wonk have at it. /b/ members began posting screenshots of the account, but very little came of it.
One screenshot of her inbox even revealed her daughter Bristol’s cell phone number. While there was no groundbreaking political information revealed, it is important to point out that it appears that Gov. Palin was using this private account to correspond to her assistants about potentially sensitive government information. This security breach should serve as a wake-up call to many public officials by showing how dangerous it can be to have a private e-mail account, especially when a free web-based service such as Yahoo! is used.
After the overwhelming response to the Hackit we posted about automated hard drive destruction last fall, we finally decided to test out some thermite hard drive destruction ourselves. This has been done on The Screen Savers but they did not show up close results of the platters. So, aluminum and black iron oxide were procured through eBay, and until it arrived we watched some YouTube videos that showed a lot of fire and no real results. We decided to see what it would take to completely obliterate a drive.
With the amount of personal data stored on your computer, we all understand the importance of destroying the data that is stored on the platters of a hard drive before disposing of it. There are many ways to destroy a hard drive; software, physical disassembly, drills, hammers, magnets/electromagnets, and acid, but none are quite as outrageous and dangerous as thermite. That’s what we’re going to do here today. Follow along for pictures and videos of the results.
With today’s release of Security Update 2008-006 Apple has finally addressed this summer’s DNS bug. In their previous update they fixed BIND, but that only affects people running servers. Now, they’ve updated mDNSResponder. Clients are no longer susceptible to DNS cache poisoning attacks thanks to the inclusion of source port randomization.
The Security Update addresses some other interesting bugs. Time Machine was saving sensitive logs without using the proper permissions, so any user could view them.
[photo: edans]
The Open Organisation Of Lockpickers (TOOOL) is planning a new annual gathering for lockpickers. October 9-12th they will hold the first ever LockCon in Sneek, Netherlands. The event was spawned from the Dutch Open lockpicking championships, but they’ve decided to expand beyond just competition into a full conference. This year the conference is limited to just 100 lockpickers, technicians, manufacturers, hackers, and law enforcement members. They’ll compete in picking competitions, safe manipulation, and key impressioning.
On a related note: Organizer [Barry Wels] just became the first non-German to win an SSDeV competition with his key impressioning skills. We covered key impressioning when we saw his talk about high security keys at The Last Hope. He says it’s only been about two years worth of study and 500 keys to become a master. He managed to open the lock in 5:13 filing two whole keys during that time.
[photo: Rija 2.0]
Making a passive network tap can be an easy and inexpensive undertaking as shown in this Instructable. Passive monitoring or port mirroring is needed because most networks use switches which isolate the network traffic and this does not allow for the entire network to be monitored. This example uses a single tap, using multiple taps will provide access to the full-duplex data separately. By using two taps you are able to monitor inbound data that is passed through one tap, and outbound data that is passed through the other tap. Separate taps are desired because most sniffer software handles half-duplex traffic only and requires two network cards for full-duplex.
