Surviving A Hacker Conference

December 25, 2008 by Eliot 14 Comments

concrowd

With another hacker conference looming in front of us, it’s time to start thinking about hardware security. Hacker conventions have the most hostile network you’ll ever encounter. [Security4all] points out that 25C3 already has an extensive page on securing your hardware. It starts from the ground up with physical security, BIOS passwords, and locking down bootloaders. There’s a section on securing your actual OS and session. Finally, they cover network usage. It mentions using SSH for dynamic forwarding, which we feel is a skill everyone should have. We’ve used it not just for security, but for bypassing brainless bandwidth restrictions too. There’s also the more trick transparent version. Every piece of data you bring with you, you risk losing, so they actually recommend just wiping your iPhone and other devices before attending. It’s important to remember that it’s not just your own data at risk, but everyone/thing you communicate with as well.

NYC CCTV Scouting

December 25, 2008 by Eliot 18 Comments

nypd

On a recent trip to New York City, [sherri] noticed the abundant “NYPD Security Camera” signage. She Ò on her little sousveillance tour and did some digging to learn more about the system. According to a recent NY Post article, the city intends to have 2,000 cameras installed by 2009. Each unit has at least two cameras, an onboard DVR, battery backup, a webserver, and wireless connection. The CrimeEye product line is manufactured by Total Recall—the people who brought you BABYWATCH. While the company site doesn’t list any specs, we found a price list that was provided to New York State. Each unit lists for $28-39K. They can have image sensors up to 2 megapixels, hold 30fps video for 5-15days, and transmit wirelessly on the 4.9GHz public safety band.

[sherri] wonders what systems are in place to guarantee the security of the camera network and to make sure the data is handled properly. We’ve seen bad implementations of cameras with webservers
in the past. She suggests a third-party system to verify security, operation, and storage. Right now there’s no reason the government won’t use footage for invasive data mining. As a publicly funded system monitoring public areas, we see no reason why the video streams from these devices shouldn’t be widely available.

[Thanks Tendency]

25C3 International Capture The Flag

December 23, 2008 by Eliot 5 Comments

Capture the Flag (CTF) is a long running tradition at hacker conventions. It pits teams of security researchers against each other on the same network. Every team gets an identical virtual machine image. The VM has a set of custom written services that are known to be vulnerable. The teams work to secure their image while simultaneously exploiting services on the machines of other teams. A scoring server monitors the match as it progresses and awards points to teams for keeping their services up and also for stealing data from their competitors.

The Chaos Communication Congress in Berlin December 27-30, 2008 will host a CTF competition. Most CTF matches are done head to head in the same room. While 25C3 will have local teams, it will also be wide open for international teams to compete remotely. Remote teams will host their own images on a VPN with the other competitors. Now is a good time to register and familiarize yourself with the scoring system. It will certainly be interesting to see how this competition plays out now that teams that can’t make the trip can still compete.

MBTA Drops Lawsuit Against MIT Subway Hackers

December 23, 2008 by Eliot 8 Comments

The Massachusetts Bay Transit Authority (MBTA) has dropped its federal case against three MIT researchers, “the subway hackers”. This happened in October and now the EFF brings news that the students will be working with the MBTA to improve their system. The overall goal is to raise security while keeping expenses minimal.

This whole mess started in August when a gag order was issued against the students’ presentation at Defcon. It’s a shame no one ever saw it because it covers a lot of interesting ground. A PDF of the banned slides is still online. They performed several attacks against both the subway’s fare system and physical security. Our favorites by far were using GNU Radio to sniff the RFID card’s transaction and bruteforcing Mifare Classic with an FPGA.

Free Issue Of Hackin9

December 23, 2008 by Eliot 9 Comments

hackin9

Until midnight tonight, you can download a free copy of the 1/2008 issue of security magazine hackin9. It’s 84pages, 10.5MB, and requires you to provide an email address they don’t verify.

[via TaoSecurity]

Tor Hardware Privacy Adapter

December 21, 2008 by Eliot 33 Comments

hardwaretor

The Janus team have published a preview of their new Privacy Adapter. It’s a small two port router. You just plug it in-line between your computer/switch and your internet connection. It will then anonymize all of you traffic via the Tor network. You can also use it with OpenVPN. The hardware appears to be a Gumstix computer mounted to a daughtercard with two ethernet ports. It will have a web configuration just like a standard router. This looks like a great plug-n-play privacy device. The only improvement we would suggest is adding auto-detect so a crossover cable isn’t required.

Janus is responsible for JanusVM, a virtual machine designed to protect your privacy with technologies like Tor and OpenVPN.

[via @hdmoore]

Securing Your Data

December 20, 2008 by Eliot 6 Comments

Lifehacker has published an overview of some of the many ways you can secure your data. The post was prompted by recently released browser vulnerabilities: first IE, then Firefox. They cover techniques far beyond just browser security, like how to properly wipe your iPhone. They mention disk encryption go-to TrueCrypt along with password management tools like KeePass. They also suggest using temporary credit cards to mitigate the impact of fraud.

[photo: Rija 2.0]