MBTA Drops Lawsuit Against MIT Subway Hackers

The Massachusetts Bay Transit Authority (MBTA) has dropped its federal case against three MIT researchers, “the subway hackers”. This happened in October and now the EFF brings news that the students will be working with the MBTA to improve their system. The overall goal is to raise security while keeping expenses minimal.

This whole mess started in August when a gag order was issued against the students’ presentation at Defcon. It’s a shame no one ever saw it because it covers a lot of interesting ground. A PDF of the banned slides is still online. They performed several attacks against both the subway’s fare system and physical security. Our favorites by far were using GNU Radio to sniff the RFID card’s transaction and bruteforcing Mifare Classic with an FPGA.

Securing Your Data

Lifehacker has published an overview of some of the many ways you can secure your data. The post was prompted by recently released browser vulnerabilities: first IE, then Firefox. They cover techniques far beyond just browser security, like how to properly wipe your iPhone. They mention disk encryption go-to TrueCrypt along with password management tools like KeePass. They also suggest using temporary credit cards to mitigate the impact of fraud.


New WPA TKIP Attack


[Martin Beck] and [Erik Tews] have just released a paper covering an improved attack against WEP and a brand new attack against WPA (PDF). For the WEP half, they offer a nice overview of attacks up to this point and the optimizations they made to reduce the number of packets needed to approximately 25K. The only serious threat to WPA so far has been the coWPAtty dictionary attack. This new attack lets you decrypt the last 12 bytes of a WPA packet’s plaintext and then generate arbitrary packets to send to the client. While it doesn’t recover the WPA key, the attacker is still able to send packets directly to the machine they’re attacking and could potentially read back the response via an outbound connection to the internet.


[via SANS]

Voting Roundup

[youtube=http://www.youtube.com/watch?v=0Q9NSVUu8nk]

With the election coming up in less than a week, voting machine security (or the lack thereof) is critical, especially with the popularity of early voting this year. While we’ve previously discussed voting machine insecurities, it looks like the problems haven’t been fixed, and in some cases, they’ve escalated. Voters in states like West Virginia and Tennessee have complained about voting machines “flipping” their votes, even after they were recalibrated as in the video above. Voters have been advised to avoid voting straight Republican or Democratic tickets, to reduce the likelihood of their votes being flipped. What if you actually do want to vote a straight ticket? Video the Vote is an organization that advises documenting as much of your voting process as possible. Other ways you can protect your vote include voting absentee so that a paper trail is available, and refusing to accept provisional ballots, which are often thrown out. After seeing videos of ROM swapping and finding out that the locks can be opened with hotel minibar keys, we’re waiting to see what’s going to fail this year… and voting absentee.

Default Password Network Scanning

Midnight Research Labs has just published a new tool. Depant will scan your network and check to see if services are using default passwords. It starts by performing an Nmap scan to discover available services on the network. It organizes these services by speed of response. Using Hydra, it does brute-force password checking of these services with a default password list. The user can supply an alternate list for the first phase or an additional list to be used in a follow-up check. Depant has many different options for configuring your scan and will certainly help you find that rogue piece of hardware on your network that someone failed to set up securely.

Palin Hacking Roundup

[youtube=http://www.youtube.com/watch?v=Ps71T3EcyWs]

[David Kernell], the 20-year-old son of Democratic politician [Mike Kernell], turned himself in for hacking into Vice Presidential nominee Governor [Sarah Palin]’s Yahoo! email account. He was indicted on one felony count of violating the 1986 Computer Fraud and Abuse Act. Although the charge would normally be a misdemeanor, the indictment invokes another statute, the Stored Communications Act, to beef up its claim. Some lawyers are of the opinion that the U.S. Department of Justice overreached in charging [Kernell] with a felony. They claim that the government’s justification is flawed and relies on “circuitous logic”. [Kernell] has been released without bond, and instructed not to have any contact with [Governor Palin], her family, or any witnesses to the case. If convicted fully, he faces a maximum sentence of five years in prison and a fine of up to $250,000. We also discovered that this isn’t [Kernell]’s first time in trouble. In high school, he received detention for guessing the password of the school server and obtaining access to some lesson plans.

ATM Skimmers With SMS

You may want to be more careful where you put that ATM card. There are now ATM skimmers with SMS notification. ATM skimmers are placed over real ATM slots and read the information off the cards as they’re inserted. The new models will send the skimmed information via SMS notifications to a phone that’s attached to a computer. This solves the problem of scammers needing to retrieve their skimmers without attracting the attention of police. ATM skimmer manufacturers have so far been really successful because of their commitment to security, from the paint they use to cover their skimmers to their exclusive clientele. The manufacturer of this particular model claims that none of their clients who’ve used this new ATM skimmer has been arrested, and they only accept business from “recommended” clients. We think it’s interesting and ironic how these criminals have adapted their security procedures to deal with institutions we wish were more secure.