Shut the Backdoor! More IoT Cybersecurity Problems

We all know that what we mean by hacker around here and what the world at large thinks of as a hacker are often two different things. But as our systems get more and more connected to each other and the public Internet, you can’t afford to ignore the other hackers — the black-hats and the criminals. Even if you think your data isn’t valuable, sometimes your computing resources are, as evidenced by the recent attack launched from unprotected cameras connected to the Internet.

As [Elliot Williams] reported earlier, Trustwave (a cybersecurity company) recently announced they had found a backdoor in some Chinese voice over IP gateways. Apparently, they left themselves an undocumented root password on the device and — to make things worse — they use a proprietary challenge/response system for passwords that is insufficiently secure. Our point isn’t really about this particular device, but if you are interested in the details of the algorithm, there is a tool on GitHub, created by [JacobMisirian] using the Trustwave data. Our interest is in the practice of leaving intentional backdoors in products. A backdoor like this — once discovered — could be used by anyone else, not just the company that put it there.

Continue reading “Shut the Backdoor! More IoT Cybersecurity Problems”

Is Your Child A Hacker?

Parents in Liverpool, UK, are being prepared to spot the signs that their children might be hackers. The Liverpool Echo reports on the launch of a “Hackers To Heroes” scheme targeting youngsters at risk of donning a black hat, and has an expert on hand, one [Vince Warrington], to come up with a handy cut-out-and-keep list. Because you never know when you’re going to need one, and he’s helped the Government so should know what he’s talking about.

Of course, they’re talking about “Hacker” (cybercriminal) while for us the word has much more positive connotations. And it’s yet another piece of ill-informed media scaremongering about technology that probably fits like so many others in the “People are having fun. Something Must Be Done About It!” category. But it’s still something that will probably result in hassle for a few youngsters with an interest in technology, and that’s not encouraging.

The full list is reproduced below, if you’re a parent it seems you will need to watch your children if:

  1. They spend most of their free time alone with their computer
  2. They have few real friends, but talk extensively to online friends about computers
  3. Teachers say the child has a keen interest in computers, almost to the exclusion of all other subjects
  4. They’re online so much it affects their sleeping habits
  5. They use the language of hacking, with terms such as ‘DdoS’ (pronounced D-dos), Dossing, pwnd, Doxing, Bots, Botnets, Cracking, Hash (refers to a type of encryption rather than cannabis), Keylogger, Lulz, Phishing, Spoof or Spoofing. Members of the Anonymous Hackivist group refer to their attacks as ‘Ops’
  6. They refer to themselves and their friends as hackers or script kiddies
  7. They have multiple social media profiles on one platform
  8. They have multiple email addresses
  9. They have an odd sounding nickname (famous ones include MafiaBoy and CyberZeist)
  10. Their computer has a web browser called ToR (The Onion Router) which is used to access hacking forums on the dark web
  11. Monitoring tools you’ve put on the computer might suddenly stop working
  12. They can connect to the wifi of nearby houses (especially concerning if they have no legitimate reason to have the password)
  13. They claim to be making money from online computer games (many hackers get started by trying to break computer games in order to exploit flaws in the game. They will then sell these ‘cheats’ online).
  14. They might know more than they should about parents and siblings, not being able to resist hacking your email or social media
  15. Your internet connection slows or goes off, as their hacker rivals try to take them down
  16. Some circumstantial evidence suggests children with Autism and Asperger’s could be more vulnerable to becoming hackers.

Reading the list, we can’t help wondering how many Hackaday readers would recognise as perfectly normal behaviours from their own formative years. And some of them look ripe for misinterpretation, for example your internet connection slowing down does not automatically mean that little [Jimmy] is selling a billion compromised social media accounts on the Dark Web.

Particularly concerning though is the final association of computer crime with children who are autistic or have Asperger’s Syndrome. Picking on a minority as a scapegoat for a public moral panic is reprehensible, and is not responsible journalism.

Still, you have to laugh. They remembered to include a stock photo of a hacker using a keyboard, but they’ve completely missed the telltale sign of a real hacker, which is of course wr1t1n9 11k3 r341 1337 h4xxx0rzzz.

Via The Register.

Liverpool skyline, G-Man (Public domain) via Wikimedia Commons.

Do you trust your hard drive indication light?

Researchers in the past have exfiltrated information through air gaps by blinking all sorts of lights from LEDs in keyboards to the main display itself. However, all of these methods all have one problem in common: they are extremely noticeable. If you worked in a high-security lab and your computer screen started to blink at a rapid pace, you might be a little concerned. But fret not, a group of researchers has found a new light to blink (PDF warning). Conveniently, this light blinks “randomly” even without the help of a virus: it’s the hard drive activity indication light.

All jokes aside, this is a massive improvement over previous methods in more ways than one. Since the hard drive light can be activated without kernel access, this exploit can be enacted without root access. Moreover, the group’s experiments show that “sensitive data can be successfully leaked from air-gapped computers via the HDD LED at a maximum bit rate of 4000 bit/s (bits per second), depending on the type of receiver and its distance from the transmitter.” Notably, this speed is “10 times faster than the existing optical covert channels for air-gapped computers.”

We weren’t born last night, and this is not the first time we’ve seen information transmission over air gaps. From cooling fans to practical uses, we’ve seen air gaps overcome. However, there are also plenty of “air gaps” that contain more copper than air, and require correspondingly less effort.

Continue reading “Do you trust your hard drive indication light?”

Ask Hackaday: Are Unlockable Features Good for the User?

There are numerous examples of hardware which has latent features waiting to be unlocked by software. Most recently, we saw a Casio calculator which has the same features as its bigger sibling hidden within the firmware, only to be exposed by a buffer overflow bug (or the lead from a pencil if you prefer a hardware hack).

More famously, oscilloscopes have been notorious for having crippled features. The Rigol DS1052E was hugely popular on hacker benches because of it’s very approachable price tag. The model shipped with 50 MHz bandwidth but it was discovered that a simple hack turned it into the DS1102E 100 MHz scope. Tektronix has gotten in on this action as well, shipping modules like I2C, CAN, and LIN analyzation on the scope but requiring a hardware key to unlock (these were discovered to have a horribly insecure unlock method). Similar feature barriers are found on Rigol’s new reigning entry-level scope, the DS1054Z, which ships with protocol analyzation modules (among others) that are enabled only for the first 70 hours of scope operation, requiring an additional payment to unlock them. Most scope manufacturers are in on the game, and of course this is not limited to our tools. WiFi routers are another great example of hardware hosting firmware-unlockable features.

So, the question on my mind which I’d like to ask all of the Hackaday community is this: are unlockable features good for us, the people who use these tools? Let’s take a look at some of the background of these practices and then jump into a discussion in the comments.

Continue reading “Ask Hackaday: Are Unlockable Features Good for the User?”

Retrotechtacular: Social Hacking is Nothing New

If you watch enough mainstream TV and movies, you might think that hacking into someone’s account requires a huge monitor, special software, and intricate hand gestures. The reality is way more boring. Because people tend to choose bad passwords, if you have time, you can task a computer with quietly brute-forcing the password. Then again, not everyone has a bad password and many systems will enforce a timeout after failed attempts or require two-factor authentication, so the brute force approach isn’t what it used to be.

Turns out the easiest way to get someone’s password is to ask them for it. Sure, a lot of people will say no, but you’d be surprised how many people will tell you. That number goes up dramatically when you make them think you are with the IT department or their Internet provider. That’s an example of social engineering. You can define that many ways, but in this case it boils down to getting people to give you what you want based on making them believe you are something you aren’t.

Everything Old…

We think of social engineering as something new, but really–like most cybercrime–it is just the movement of old-fashioned crime to the digital world. What got me thinking about this is a service from Amazon called “Mechanical Turk.”

That struck me as odd when I first heard it because for product marketing it is pretty bad unless you are selling turkey jerky or something. If you tell me “Amazon Simple Storage Service” I can probably guess what that might be. But what’s Mechanical Turk?

Mechanical Turk

Continue reading “Retrotechtacular: Social Hacking is Nothing New”

Hacking a Device That Lives Inside the Matrix

[Gerardo Iglesias Galván] decided he wanted to try his hand at bug-bounty hunting — where companies offer to pay hackers for finding vulnerabilities. Usually, this involves getting a device or accessing a device on the network, attacking it as a black box, and finding a way in. [Gerrado] realized that some vendors now supply virtual images of their appliances for testing, so instead of attacking a device on the network, he put the software in a virtual machine and attempted to gain access to the device. Understanding the steps he took can help you shore up your defenses against criminals, who might be after more than just a manufacturer’s debugging bounty.

Continue reading “Hacking a Device That Lives Inside the Matrix”

Program Your Brain, Hack Your Way to Productivity

Most people wish they were more productive. Some buckle down and leverage some rare facet of their personality to force the work out. Some of them talk with friends. Some go on vision quests. There are lots of methods for lots of types of people. Most hackers, I’ve noticed, look for a datasheet. An engineer’s reference. We want to solve the problem like we solve technical problems.

It's got the cover equivalent of click-bait, but the centimeter thick bibliography listing research sources at the back won me over.
It’s got the cover equivalent of click-bait, but the centimeter thick bibliography listing research sources at the back won me over.

There were three books that gave me the first hints at how to look objectively at my brain and start to hack on it a little. These were The Power of Habit by Charles Duhigg, Flow By Mihaly Csikszentmihalyi, and Getting Things Done By David Allen.

I sort of wandered into these books in a haphazard path. The first I encountered was The Power of Habit which I found to be a bit of a revelation. It presented the idea of habits as functions in the great computer program that makes up a person. The brain sees that you’re doing a task over and over again and just learns to do it. It keeps optimizing and optimizing this program over time. All a person needs to do is trigger the habit loop and then it will run.

For example: Typing. At first you either take a course or, if your parents left you alone with a computer for hours on end, hunt-and-peck your way to a decent typing speed. It involves a lot of looking down at the keyboard. Eventually you notice that you don’t actually need to look at the keyboard at all. Depending on your stage you may still be “t-h-i-n-k-i-n-g”, mentally placing each letter as you type. However, eventually your brain begins to abstract this away until it has stored, somewhere, a combination of hand movements for every single word or key combination you typically use. It’s only when you have to spell a new word that you fall back on older programs.

Continue reading “Program Your Brain, Hack Your Way to Productivity”