USB Authenticated Deadbolt Lock

October 22, 2008 by Caleb Kraft 29 Comments

The Makers local 256 sent us this USB authenticated deadbolt prject. For roughly $60 these guys built an authentication system that reads the serial number off of the chip in a USB storage device. The actual content on the memory in the USB device is not used at all. They are using a Freeduino board to control its behavior. It has a magnetic sensor that keeps it from initiating the lock when the door is open. They mention that they are using Transparent Aluminum as an enclosure, we assume they mean the Star Trek variety, not Aluminium oxynitride. Be sure to check out the video after the break.

Continue reading “USB Authenticated Deadbolt Lock” →

Eavesdrop On Keyboards Wirelessly

October 20, 2008 by Caleb Kraft 71 Comments

[vimeo http://vimeo.com/2007855%5D

Every time you press a key on your keyboard, a small burst of electromagnetic radiation is let out. This radiation can be captured and decoded. Though it only affects some models, this is pretty serious. They tested 11 different keyboards and they were all vulnerable to at least one of the four methods of attack. Tests have shown that the data can be read through walls and up to 65 feet away. That is pretty scary stuff. Someone could be setting up in the apartment or office right next to yours to listen to every keystroke you type. Check out the second video after the break.

Continue reading “Eavesdrop On Keyboards Wirelessly” →

Default Password Network Scanning

October 13, 2008 by Eliot 15 Comments

Midnight Research Labs has just published a new tool. Depant will scan your network and check to see if services are using default passwords. It starts by performing an Nmap scan to discover available services on the network. It organizes these services by speed of response. Using Hydra it does brute force password checking of these services with a default password list. The user can supply an alternate list for the first phase or an additional list to be used in a followup check. Depant has many different options for configuring your scan and will certainly help you find that rogue piece of hardware on your network that someone failed to set up securely.

Buy An Eee Box And Get A Free Virus

October 9, 2008 by Caleb Kraft 22 Comments

Some of the Eee Box PCs have been shipped with viruses on board and ready to go. The virus was sitting on the D: drive, labeled as recycled.exe. As soon as that drive is opened, the virus is unleashed on the other drives and removable media attached. Strangely, Microsoft has come to the rescue as their Malicious Software Removal Tool detects it and removes it. This was only on some models, and apparently mostly in Japan.

Before you denounce ASUS for this oversight keep in mind that they make things that we really want, such as the touch screen Eee PC promised in 2009.

[via Gizmodo]

ATM Skimmers With SMS

October 7, 2008 by Kimberly Lau 40 Comments

You may want to be more careful where you put that ATM card. There are now ATM skimmers with SMS notification. ATM skimmers are placed over real ATM slots and the information off the cards as they’re inserted. The new models will send the skimmed information via SMS notifications to a phone that’s attached to a computer. This solves the problem of scammers needing to retrieve their skimmers without attracting the attention of police. ATM skimmer manufacturers have so far been really successful because of their commitment to security, from the paint they use to cover their skimmers to their exclusive clientele. The manufacturer of this particular model claims that none of their clients who’ve used this new ATM skimmer has been arrested, and they only accept business from “recommended” clients. We think it’s interesting and ironic how these criminals have adapted their security procedures to deal with institutions we wish were more secure.

Yahoo! Employee Accused Of Involvement With Terrorists

October 7, 2008 by Kimberly Lau 15 Comments

[Mohammed Mansoor Asghar Peerbhoy], a software engineer at Yahoo!’s Indian facility, has been accused of involvement with one of India’s most-wanted terrorist organizations, the Islamic Mujahideen. According to investigators, [Peerbhoy] wrote and sent emails just before and after terrorist attacks in Delhi, Ahmedabad in Gujarat, and Jaipur in Rajasthan. [Peerbhoy] makes an unlikely suspect; he visited the U.S. on several occasions for work without suspicion, but authorities claim that he was a “mastermind” who hacked into wireless internet sites to send hostile emails. The local community and his family have rallied around [Peerbhoy], calling the arrest an attempt to “defame the Muslim community”. There are also claims that his arrest, and other similar arrests, were made to soothe political pressures and not based on any factual evidence.

[photo: josemurilo]

Quantum Cryptography In-band Attack

October 6, 2008 by Eliot 10 Comments

Quantum cryptography is an emerging field, but low install base hasn’t kept researchers from exploring attacks against it. It’s an attractive technology because an attacker sniffing the key exchange changes the quantum state of the photons involved. All eavesdroppers can be detected because of this fundamental principal of quantum mechanics.

We’ve seen theoretical side-channel attacks on the hardware being used, but had yet to see an in-band attack until now. [Vadim Makarov] from the University of Science and Technology in Trondheim has done exactly that (Internet Archive). Quantum key distribution systems are designed to cope with noise and [Makarov] has taken advantage of this. The attack works by firing a bright flash of light at all the detectors in the system. This raises the amount of light necessary for a reading to register. The attacker then sends the photon they want detected, which has enough energy to be read by the intended detector, but not enough for the others. Since it doesn’t clear the threshold, the detectors don’t throw any exceptions. The attacker could sniff the entire key and replay it undetected.

This is a very interesting attack since it’s legitimate eavesdropping of the key. It will probably be mitigated using better monitoring of power fluctuations at the detectors.

[via I)ruid]