If you see many computers of the same make and model with the same type of label, this means the organization probably has a centralized asset purchasing and tracking system. It’s likely that the each of these computers is running the same operating system, which is centrally managed and patched. (Bonus points if there’s a barcode on the label.)

More commonly, you’ll see some computers that are the same, and then a couple of “random” computers that are totally different, without standard nametags. This indicates a partially centralized asset management system– there’s probably a central IT group that receives funding and deploys systems, but over the years other groups have purchased and deployed their own computers. If you were to scan this company’s network, you would probably see many systems running the standard OS at the same patch level, and then a smattering of other operating systems at a variety of patch levels. There are also probably issues with backups, because non-centrally-controlled systems are generally not backed up regularly. It is highly unlikely that this network would have 802.1x authentication (difficult without centralized management).

Keep your eyes peeled for VoIP phones. Often these run web servers by default, and they are usually on a separate VLAN. Also watch for visible wireless access points, of course - people tend to put them where the antennae stick up. If it’s a cheap Linksys or some other model they sell at Best Buy, you know it’s not part of a centrally managed, authenticated network.

Sometimes you might see old or unused computers sitting on top of filing cabinets or in corners. This indicates an absent or ineffective equipment retirement and disposal system, which is how old company hard drives end up on eBay. It also means that the incident response system is crippled, because without effective asset tracking, you can’t detect lost or stolen equipment in a timely manner.

“Dirty desk, dirty network,” says a friend of mine. On your way past cubicles and offices, note unattended screens and unattended desks cluttered with paper. You can infer a lot about corporate security awareness from a quick glance at how employees leave their screens and desks while they’re away. If screens are unlocked and papers are left out, you can social engineer the hell out of that organization, because the only thing that defeats social engineering is user awareness.

Back in 2005, the same NSA inventor, Michael Reifer, and a colleague were granted a patent called “Method for Geolocating Logical Network Addresses.” At the time, this made a bit of a splash. It was a technique for matching IP addresses to physical geographical locations, based solely on packet timing information.

“‘If someone’s engaged in a dialogue or frequenting a “bad” Web site, the NSA might want to know where they are,’” said Mike Liebhold, a researcher at the Institute for the Future^.2 Rather than examining packet content (which could be encrypted, or require a warrant), looking up registrant information (often incorrect) or soliciting information from an ISP/law enforcement (slow, may run into privacy laws), the NSA’s 2005 patent “relies on measuring the latency, meaning the time lag between computers exchanging data.”³ The NSA would have to place numerous sensors throughout the Internet and measure the packet latency between the sensors and many other IP adresses, effectively generating a “network latency map.” Then, to geolocate an unknown IP address, they would measure the amount of time that it takes to connect to the unknown system, and look up the location in the network latency map.

One hurdle for geolocating IP addresses using this technique is that content filters, firewalls and other devices can add to the latency time of a route, thus skewing the results and diminishing the accuracy. Furthermore, attackers could intercept and retransmit traffic, also skewing results. To effectively geolocate an IP address, the NSA would need more information about the devices on the path.

Enter last week’s patent by the same inventor, “Method of detecting an intermediary communication device,” (Michael Reifer). This new patent is built on the same general technique– it uses timing information alone to detect stepping stones on a path, and identify their functions.

Using this second patent in conjunction with the first, the NSA could track Internet users with better accuracy, and also maintain an increasingly comprehensive map of Internet topology and devices. One application of these network geolocation and mapping capabilities is to catch crooks. Another is to track communications en masse and locate everyday Internet users.

Timing information isn’t the most precise method for finding the origin or path of a transmission. However, this technique has several benefits. It allows the NSA to track and analyze Internet communications:

1) Without analyzing content (often requires a pesky warrant, and sometimes inaccessible due to encryption)
2) Without sending out traffic (this would tip people off and cause network congestion)
3) Without capturing timestamps “at many places on the Internet” (minimizes equipment)

The patent author detailed this explicitly towards the end of “BACKGROUND OF THE INVENTION.”

The NSA’s Internet geolocation and mapping patents require a network of sensors throughout the Internet, which the NSA explicitly states “may be passive or active.” Each sensor could either send out its own test traffic, or just silently monitor existing traffic.

What level of precision could the NSA achieve today? It’s likely that right now their results would not be very granular, but consider that thirty years ago, computers were the size of a room. The foundations of communications monitoring today are merely crude outlines of what could evolve into a sophisticated global analysis system.

As with any technology, the NSA’s Internet geolocation and network mapping technologies can be used to facilitate free communications or as a method of control. I don’t know to what extent this technology has been implemented, or how it is being used. I do know that if the NSA can get it to work with reasonable accuracy, then this will have major consequences for anonymity and privacy on the Internet. For better or for worse, the Wild West would be gone.

Sherri Davidoff

I was surprised to see these signs:

“NYPD Security Camera in Area.”
 
Where are the cameras?

Aha! Here’s one keeping tabs on the suspicious pretzel vendor. (Look way up high at that lamppost.)

There are many more just like it. Back in 2005 and 2006, the NYPD spent $9 million installing 500 of these wireless video recorders throughout the city. According to a NY Post article last month “Police intend to be using 2,000 cameras by 2009 and 3,000 by 2011. They also hope to tap into images from an additional 2,000 private cameras.”

 
Let’s take a closer look:

These cameras are manufactured by a company called TotalRecall, which also handled surveillance for the RNC in New York. The cameras near Penn Station don’t have obvious make and model info, but in this 2006 photo of the same type of camera in Brooklyn, you can clearly see the word “CrimeEye,” plastered across the front. This looks like the CE-505, produced by TotalRecall.

The CrimeEye cameras have some pretty interesting traits. According to one of TotalRecall’s marketing documents:

“The ‘Networked’ CrimeEye™ solutions… are connected via fiber or a wireless network. Each unit is accessed and recorded within the network, and all cameras can be viewed from a single location… The activities are archived digitally on an internal DVR. This information can be retrieved by an authorized laptop…. The system records in real-time, high resolution at 30 frames per second and archived for up to 30 days at the command center.

* Dual camera solution - each capable of running a pre-programmed pattern or parked in a fixed position.
* Day/Night cameras that work in most lighting conditions.
* All information is recorded digitally on an internal DVR.
* Commercial UPS provides 2 hours of battery back-up.
* Hot Spot radio allows remote viewing and playback from
100+ feet.
* Sits on a mount that bands to a traffic light or telephone
pole and requires 120 volts.”

Other marketing documents indicate that the networked CrimeEye systems feature “remote web clients” and have “wireless access points for streetside viewing and control.”

Wow. It sounds like each of these powerful video surveillance cameras runs a web server and has a wireless access point which allows people on the street to connect to it.

Are our government’s security systems secure?

Surveillance isn’t going away. At this point, densely-populated urban centers have already become high-tech police states, and this is only the early stage. Many Americans have voiced concerns about “Big Brother,” while others encourage surveillance as a protective measure.

Debate may slow, but cannot stop, the proliferation of surveillance technology. At this point, the real questions are: What happens to all this surveillance data? What is to prevent it from being misused by the government? How can we protect the surveillance system itself from being hacked? Most of all, how can the American people give input and verify the answers to these questions?

As an American citizen, I’d like to see routine third-party verification that our government’s surveillance systems are reasonably secure, properly managed and that the data is used for appropate purposes. If the police are going to collect extensive surveillance data about millions of innocent citizens, we deserve verification that these recordings of our daily lives are protected from misuse.

If we can’t stop Big Brother from watching us, then let’s keep an eye on Big Brother.

“I don’t know,” she frowned. “The Internet’s down. I can’t access our product catalog.” (Gah!)

Weeks later, I walked into a U-Haul to rent a truck. The computers weren’t working properly, and the manager was having trouble completing my transaction. “What happens if the computers are down?” I asked. “Can you still rent me a truck?”

“Well, I can,” he said, “But that’s because I’ve been here for fifteen years and I remember how to use the forms. That kid over there–” he gestured toward the younger employee, “He doesn’t even know the paper forms exist.”

As communication technology advances, society has shifted from a thick client to a thin client model. Until recently, Radio Shack employees maintained product knowledge in their heads and on paper that they could physically access. U-Haul staff used paper and ink to rent out their trucks. Individual stores could operate independently of the central system, at least until supplies ran out. They each had to maintain up-to-date books and forms, and train employees.

More and more, information resides on remote systems, which distributed franchises and employees access in order to conduct transactions. On the one hand, this increases efficiency. Gone are the reams of preprinted contracts and forms to be manually filled out for each transaction. Employees have less to memorize, as information and procedures are built into software systems.

On the other hand, individual locations are increasingly vulnerable to network disruptions. Many businesses today rely upon the Internet in order access central databases and conduct normal transactions. Without connection, they’re just appendages cut off from the central body. Radio Shack may have FM transmitters, and U-Haul may have trucks, but without network access they have difficulty conducting business. Many businesses do not physically have the paper and supplies to support manual transactions, let alone the knowledge of manual procedures.

Do the benefits of the thin client model outweigh the costs? That depends on your perspective. From Radio Shack’s point of view, the vast savings from cutting employee training and paper supplies probably does outweigh occasional losses due to network outages. This is especially true if they create a more stable infrastructure than their competitors. Furthermore, in the thin client model, employees require less specialized knowledge, and are therefore more mobile (and expendible).

However, as a society our economic dependance on the Internet may be premature. The Internet was not designed for security, and as noisy worms have demonstrated, it can be brought to a standstill by small groups of people or even by accident. If a widespread network outage brought businesses to a halt, Radio Shack might not lose market share compared to other businesses, but society and the individuals within it would suffer.

The vulnerability of the thin client model was strikingly illustrated back in 2002, when Beth Israel Deaconess hospital “experienced one of the worst health-care IT disasters ever. Over four days, [the] network crashed repeatedly, forcing the hospital to revert to the paper patient-records system that it had abandoned years ago. Lab reports that doctors normally had in hand within 45 minutes took as long as five hours to process.” The emergency department was forced to close down and divert patients elsewhere.¹

The disaster also helped hospital staff understand the benefits of the thin client system. One physician commented, “When I do this on computer, it checks for allergy complications and makes sure I prescribe the correct dosage and refill period. It prints out educational materials for the patient. I remember being scared. Forcing myself to write slowly and legibly…Without that dashboard of information I’d get from the computer, I had to walk up to patients I had treated before and ask basic questions like, What allergies do you have? Even if I thought I remembered, I didn’t trust my memory.”²

Will individuals become “dumb terminals”? Or will we simply evolve different kinds of processing capabilities? During the past few decades in the computer market, we’ve oscillated from thin clients to thick clients and back again. In the early days of computing, people used dumb terminals to access a mainframe, which stored and processed the data. Later, personal computers emerged, and each individual machine ran specialized applications and hardware.³ Nowadays, with the emergence of web-based business applications such as Google Apps and other client-server business processing systems, data is increasingly stored and processed on central systems once again.

Business processes will always mirror the technologies upon which they depend. As computers and business become increasingly intertwined, the efficiencies and vulnerabilities of our economy reflect those of our information technology. Humans have limited information storage capabilities, and leveraging centralized data storage systems helps us function as a group more efficiently.

How can we leverage the efficiencies of the thin client model, while still maintaining a robust and reliable infrastructure?

 
Sherri Davidoff

Oddly enough, all the pump handles were covered with plastic bags. The guy from the car in front of us came up to our truck and tapped on the glass. “Pumps are closed,” he said. “I used this one anyway, and they came out and told me they were bagged off for a reason. Guess it works, but they don’t want you to use them.” He shrugged. “Cheapest place around, though.”

Strange. We thanked him, and headed into the station to find out if we could use the pumps. “Excuse me,” I said to the man behind the counter. “We noticed that the pumps are covered with bags. Are any of them open?”

“Computers are down,” he said. “Can’t take credit cards. Sorry.”

“We can pay cash.”

“We can’t control the systems. Computers are down. Sorry. No gas.”

As we drove away, we saw that all twenty of the gas pumps were covered with plastic bags. “Every gas pump must be an autonomous point-of-sale system,” commented Jonathan. “That gentleman in front of us was able to fuel up, presumably with a credit card. What was offline was the store’s ability to communicate with the sales systems.”

We drove back onto the highway in search of another gas station, our money burning holes in our pockets.

“An erroneous headline that flashed across trading screens Monday, saying United had filed for a second bankruptcy, sent the airline’s stock plummeting. United Airlines shares fell to about $3 from more than $12 in less than an hour before trading was halted, wiping more than $1 billion in value.” (Note: original reports indicated that the stock fell to $.01 per share.)

United Airlines identified the source as “an old Chicago Tribune article that, it said, was posted on the Web site of The South Florida Sun-Sentinel newspaper. That article was picked up by a research firm, Income Securities Advisors, which then posted a link to it on a page on Bloomberg News, which sent a news alert based on the old article.” -A Mistaken News Report Hurts United

Jonathan Ham wrote in to say, “Seems to me a pretty good proof of concept for a web hack resulting in financial windfall. I’d sure as hell have bought UAL at $.01 if I *knew* the rumor to be false. It was bound to recover most of its value by the end of the day… If I’d bought $1,000 of UAL at $.01 this morning, it’d be worth $1.2M right now… If I’d spent $1M defending SEC inquiries, I’m still not working very hard anymore.”

Big business just got an expensive lesson in the importance of verifying the source and publication date of news articles. I have to wonder if this will generate interest in cryptographically signed news articles, which would allow consumers to quickly verify the original source and release date of the article. News companies and their affiliates could market client software which would verify the date and report back, perhaps as part of a premium subscription service. Alternatively, third-party software vendors could verify articles from many news sources. News organizations could make a profit from distributing verification keys to software developers.

Cryptographic verification could also be used as a mechanism to maintain readership. Major vendors could ensure that their keys were distributed by default in popular verification software (as with certificates and web browsers). End users could always add their own keys, but the easy availability of keys from major news vendors would help the status quo maintain readership.

With the UAL crash this week, there’s demonstrated financial incentive for both the news industry and big business to invest in developing an infrastructure for cryptographically verifying the original source and publication date of news articles. It’s about time! We haven’t yet learned to fully capitalize on the idea of selling trusted information on the Internet, but as the UA stock crash demonstrated, there is a need. Perhaps when this market matures, a lot of the technology that privacy geeks have been fighting for all along will finally become mass implemented.
 
 

“Banking institutions and Foreign Exchange networks rely heavily on precision timing so a stock order placed on one side of the globe can be received almost instantly in New Yorks, Wall Street, at the same market price, without losing any valuable data along the way. Timing, synchronisation and security are paramount when dealing with digital monetary transactions, where great losses could be sustained if any data is lost, or 2 points do not synchronise simultaneously.” - Wikipedia, “GPS Timing”

For less than $1,000 of off-the-shelf equipment which fits in the trunk of a car, anyone can forge GPS timestamps. If you’re within a half mile or so of a GPS receiver that is used by the financial industry, you could cause major meltdowns that would be difficult, if not impossible, to trace. How many GPS receivers exist within a half mile of Wall Street? Good question.

Jon Warner of Argonne National Laboratories set out to examine GPS security one Saturday afternoon. Jon is part of the Vulnerability Assessment Team (VAT), a small group whose goal is to uncover flaws in our systems so that they can be fixed. “We try to think like the bad guys,” Jon said, “so that we can plug the holes they might use.”

To test out GPS security, Roger Johnston, head of the VAT, challenged the team to demonstrate how to steal a cargo truck and get away with it. Cargo trucks generally contain a GPS tracking device which relays position and speed information to a central office. This enables freight companies to track their drivers’ locations and ensure that trucks are on course. If a truck veers off course, it sets off an alarm at headquarters. If an attacker could falsify or “spoof” GPS information, he or she could hijack the truck and steal the cargo without being noticed.

Based on this, Jon developed two cargo truck hijack test scenarios:

1) Hijack the truck, and then use GPS to send a false position signal to headquarters. Headquarters would see that the truck had stopped, but once the fake GPS signal was deployed, they would think the the truck was back en route.

2) Send a counterfeit signal before ever hijacking the truck. This way, even if the driver panicked and sent an alert, the attacker could make it appear that the truck was at a different location. This would require that the attacker disrupt and spoof the truck’s GPS signals from a distance, without close range contact.

Demo: “Hijacking” the Truck

“It does not take a great deal of time or effort to spoof a GPS signal,” said Roger. The GPS system consists of 24 to 32 satellites orbiting the earth, which relay microwave signals to the ground. GPS receivers on the ground can use these signals to determine absolute position and precise timing information.

“If the adversary controls the signal that the truck is receiving, then the false position calculated by the receiver will be relayed to headquarters regardless of the encryption algorithms or communication protocols used. In other words, garbage in, garbage out.”¹

Jon used a desktop computer attached to a GPS satellite simulator to create a fake GPS signal. Portable GPS satellite simulators can fit in the trunk of a car, and are often used for testing. They are available as commercial off-the-shelf products. You can also rent them for less than $1K a week– peanuts to anyone thinking of hijacking a cargo truck and selling stolen goods.

In his first experiments, Jon placed his desktop computer and GPS satellite simulator in the cab of his small truck, and powered them off an inverter. The VAT used a second truck as the victim cargo truck. “With this setup,” Jon said, “we were able to spoof the GPS receiver from about 30 feet away. If our equipment could broadcast a stronger signal, or if we had purchased stronger signal amplifiers, we certainly could have spoofed over a greater distance.”

During later experiments, Jon and the VAT were able to easily achieve much greater GPS spoofing ranges. They spoofed GPS signals at ranges over three quarters of a mile. “The farthest distance we achieved was 4586 feet, at Los Alamos,” said Jon. “When you radiate an RF signal, you ideally want line of sight, but in this case we were walking around buildings and near power lines. We really had a lot of obstruction in the way. It surprised us.” An attacker could drive within a half mile of the victim truck, and still override the truck’s GPS signals.

The GPS spoofing attack consisted of three parts, as detailed in the VAT’s initial 2002 paper:²

1) “The existing GPS receiver signal lock must be broken.” Initially, Jon thought that the adversary would have to “wait until the target truck drove under a bridge, forest cover, or some similar type of obstruction” to break the real GPS signal. During later experiments, Jon discovered that if his fake GPS signal was strong enough, it would also function as a jammer, overriding the real signal from distances over 4,000 feet without any need for physical disruption. “Our GPS satellite simulator was strong enough that it just overrode the regular signal.”

2) “The GPS tracking device in the target truck must be locked onto the counterfeit signal.” The receiver simply accepted the strongest signal, which was coming from Jon’s GPS simulator.

3) “The final step is to continue broadcasting the fake GPS signal.” This could be accomplished from the attacker’s truck, driving nearby. Even better, portable GPS simulator equipment could simply be placed inside the hijacked truck.

Protecting Against GPS Attacks

“We’ve come up with seven different ways to detect if the incoming signal is real,” said Jon. “These won’t stop the spoofing, but they would at least let you know that you’re being spoofed.” Below are a few simple remediations that the VAT suggested:³

1) Signal Strength

The signal strength of a normal GPS signal on the surface of the earth is fairly low: about -163 dBw. The signal coming from a GPS simulator is much higher. Unusually high GPS satellite signals should be considered suspect.

2) Signal Consistency Across Multiple Satellites

Normally, the signal strength of GPS satellites varies. Using a GPS simulator, engineers can typically simulate 10 or 24 satellites. This is used legitimately by engineers who build GPS satellite receivers for
phones, surveying devices, time synchronizing devices, and other equipment. However, by default GPS simulators send out the same signal strength for all satellites. As a result, the fake signal strength is much more consistent than in real life.

3) Noise

Simulated GPS signals have unusually low noise levels. If the GPS receiver detects a nice, crisp, clean signal, that should raise red flags.

4) Satellite Numbers

Each GPS satellite is numbered. “If we were sitting in the parking lot,” said Jon,” our GPS receiver might see GPS satellites 1, 2, 3, 4, 5 and 6. #24 might be on the other side of the earth.” A GPS simulator might not send the correct satellite numbers for a given location. “I’ve done this before, and sent satellite signals for Australia when I was in New Mexico.”

The VAT estimates that implementing these strategies would greatly enhance GPS security, at minimal cost. “It’s mostly a software solution,” commented Jon. “It amazes me that right now, if you look at
any receiver, it doesn’t compare the signal from moment to moment. If the GPS signal shoots up in the next second, the receiver won’t pick up on that.”

Satellites for the military GPS include authentication, meaning that receivers can verify through cryptographic exchange that the signal they are receiving is from a real GPS satellite. Civilian GPS doesn’t include that, but if it did, this would enable appropriately equipped receivers to verify that a GPS signal is legitimate.

“Back in the 70s,” Jon reflected, “Civilian GPS was more of an afterthought. It wasn’t really designed with security in mind. The military set it up to be nice. Nobody knew that it would take off like
this. Just like the Internet– it was completely unexpected.”

 
Sherri Davidoff

I believe the public’s next battleground is to gain control over what happens to our data, and how it’s used. Right now there is very little transparency. Transportation organizations are collecting a lot of information about people, and there is very little public input or disclosure regarding uses, length of storage time, or standards for securing this data.

Boston’s MBTA, for example, does not consider the CharlieCard’s serial number to be personal information, and it therefore reserves the right to store rider histories associated with each card indefinitely. Even when CharlieCards are obtained “anonymously” (not the majority) they can
always be linked to the financial transactions database which also stores the card serial number (ie. if you even once pay with credit card, your CharlieCard is not anonymous any more). The specifics aren’t publicized; this is information I obtained by doggedly calling the MBTA’s IT department.

I believe the public should have the following rights:

• Transportation organizations should be required to publicly disclose what data is collected about individuals, and how long that data is stored.
• Disabled people and senior citizens should have access to the same level of privacy as everyone else. (Right now in Boston, they cannot obtain a CharlieCard without having their personal information and photograph associated with the card and permanently stored by the MBTA.)
• The public should have regular input on how long personal data is stored and how it is managed.
• Individuals should be able to easily find out who has accessed their travel histories and the purpose of disclosure.
• Transportation organizations that store personal data should be subject to regular external audits to ensure that they are in compliance with standards, and that they have implemented appropriate measures to secure personal data. A summary of these results should be made public.

Personally, I don’t want to have a history of my travel stored in any database. Right now, purchasing a one-time CharlieTicket is a 30 cent surcharge per ride, but it is the only way to take the subway in Boston without creating a travel history. Privacy in public transportation should be equally accessible to all citizens, regardless of financial resources.
 
 
Sherri Davidoff

We were in the Vulnerability Assessment Team’s (VAT) “museum,” a small display room in Argonne National Laboratory. The tables in the VAT’s museum were littered with locks, bolts, seals and unrecognizable electronics. I had been brought there by Eric Michaud, a fellow researcher on the team. Jon explained that the purpose of the VAT is to try to emulate the “bad guy,” investigating real threats for both industry and government. Much of their work focuses on “tamper-indicating devices such as bolt seals, adhesive label seals, etc.,” upon which our global supply chain relies.

Jon lined up four shipping container bolts on the counter in front of me. “Which one has been tampered with?”

I inspected them all diligently. The heights were the same. Perhaps some were a little more scratched than others? Upon close inspection, they all had almost imperceptible variation, but none which seemed to specifically indicate tampering.

Finally, I picked out the one that seemed to be the most scratched, and handed it to Jon. He twisted the top. “Nope.” Then he picked up one of the other bolts, and checked it. Suddenly, the top popped off.

“We modified the bolt seal so that we could open it when we wanted to ,” he said. “See, we can take a bolt seal that is already on a container being shipped, modify it and enter the container whenever we want.” Someone who managed to slip these tampered bolts into the supply chain could steal millions of dollars of merchandise, smuggle goods or people in legitimate containers, or contaminate the food supply.

I studied the bolt, intrigued that the security of our global supply chain rests on such an innocuous object.

Sherri Davidoff

The hardest way to shut down a botnet is to just collect IPs and report it to the provider and the Feds… Sometimes, you just need to get proactive.

Below are some excerpts from our latest discussion. Names have been changed. Reprinted with permission:

w: You asked me what I do sometimes. I mentioned Deconstructing Botnets and the social networks associated with them.

s: Oh yes. I asked how you destroy a botnet, and you said that you social engineer their friends?

w: Yeah, that is one method. They all wanna brag, and take each other out…

s: Like in Batman, when the bad guy just *has* to explain his whole plot before killing the good guy?

w: Yeah, exactly. It’s almost *that* bad… [laughs] What good is a botnet if you can’t show it off to your friends?

A really easy way is to get in good with the network that is hosting the botnet’s IRC command and control (C&C) channel.

s: How do you get to know them? Just hang out?

w: Hang out, share docs, tech, own them, let them own something of yours.. ” Oh man.. you got me good there.. Dude you’re so elite… “

s: Have you had to do this many times?

w: Depends on what you’d consider many… More than I can count on 2 hands? Yes.

s: Really!

w: They’re RUINING MY INTERNETZ SHERRI !!

s: OK, tell me a story of a good one, from the beginning.

w: OK. We’ve had this douchebag that has been bot herding for a long time… like 4 years or longer. We kicked him off the network when we found out what his deal was all about. He got mad upset since we wouldn’t let him chat on his favorite IRC network. He ended up DoS’ing us with like 2gigs for a couple weeks.

I rebuilt the network to keep it up, then started the process of stopping the DoS. The first time he hit us, I just collected IPs and reported it and weathered it…

Then he hit us 2-3 more times, using port 80 or 6667 SYN floods mostly from .ZA and all over. He would hit our DNS A record, which round robins to all the servers.

s: Did you just block those ports? Or was that not possible given your services?

w: Oh, we didn’t even run port 80 services. It was all blocked upstream; the issue was packets per second and line saturation. My ISPs usually null routed all my IPs =( It was enough to take down a border router of Bell Atlantic.

So when I found out his highest bandwidth pushers, I set our domain name to his IPs.

” Oh shit !? why am I DoS’ing myself. !? “

s: Hehehehe

w: After playing games for a while, he disappeared. I did a lot of asking around and Googling… and eventually someone bragged… When he came back last summer, he came back with a couple groups. One was Rapidfire. I know Rapidfire. He talked them into DoS’ing us, and then later Rapidfire’s admins came and apologized and kicked him out of the group… They said they just got a list of IPs and hit it, and then realized later it was us.

s: Huh. He doesn’t like you guys, or he was just being a general dick?

w: He’s a general Internet dick. DoS for hire, phishing, scamming douchebag.

s: Hm.

w: So Rapidfire gave me all his botnet code.

s: Sweet! What did it do?

w: It exploited mostly RedHat Enterprise servers, with weak installations of PHP that would allow ;’s and weak permissions so bots could write and execute in /tmp as Apache.

s: So, once you had the botnet’s code, how did you go from there to shutting it down?

w: Simulate a bot and let it idle for a week or two. Learn what I could about it. Log log analyze… Find out when he sleeps. See what he’s doing with the bots. Catalog all the IPs, and analyze those. See if they’re vulnerable from the outside… Some bots patch systems after they’ve been botted, and some don’t.

s: Did they patch in this case?

w: In this case, he didn’t change the PHP installation or the permissions.

s: How did you finally shut it down?

w: Delete the files, edit the php.ini, kill the processes.

s: You were on the victim box?

w: Who, me? Never. It was his bot. I just executed a command in his C&C to kill it.

s: Like the self-destruct button on spaceships?

w: [laughs] I knew the C&C channel name and key from the code. After a while, I figured out how to use his bots and get them to execute a script, such as find X files, find processes, change Y line in php.ini, kill processes or restart apache.

I’d just use his bot to execute what I needed to clean house and shut it down. Then I’d report the box to the provider.

s: Nice.

“The Transportation Security Administration has collected records on thousands of passengers who went to airport checkpoints without identification, adding them to a database of people who violated security laws or were questioned for suspicious behavior… The database has 16,500 records of such people and is open to law enforcement agencies, according to the TSA.”

But! Yesterday afternoon TSA “called the newspaper to say the agency is changing its policy effective today and will stop keeping records of people who don’t have ID if a screener can determine their identity.”

Kudos to the TSA for taking a step in the right direction.
 
(Hat tip to Kurt Opsahl.)

I was curious to learn more about the TSA’s new practices for ID-less travelers. As a security professional, I decided to research TSA’s latest security screening procedures. Below is a recounting of my experiment.

What Happened

[Names have been changed. This account was written an hour after the events, and is accurate within the limits of my memory.]

I last saw my wallet on Monday, August 4, 2008 at the FedEx counter in Cambridge, where I dropped it into the envelope marked “Las Vegas, Nevada.” On Wednesday around 4PM, I arrived at Boston Logan airport without my wallet.

Without an ID, JetBlue’s All Services line was my only hope for checking bags. The long line moved interminably slowly. A JetBlue representative with long blonde hair moved down the line, talking to
each passenger.

“Boarding pass? Anyone have a boarding pass?” She stopped at me. “Ah! You have a boarding pass.”

“I don’t have my wallet,” I looked at her, wide-eyed. “Is there any way I can get on the plane?”

“Oh, don’t worry,” she said. “They’ll just send you through special screening. It’ll be fine. ”

“Really?” I said. “Am I in the right line?”

“Yup, this is the right line. You’ll be fine.”

After about a half hour, I got up to the JetBlue counter. I handed my boarding pass to the woman behind the counter and explained, “I don’t have my wallet. Do you think I’ll make it on the plane?”

“Oh,” she said. “You’ll make it. But go to the gate right away, because now they have to make a phone call.”

“A phone call?”

“They call someone in Washington, I think.”

“Washington?”

“To check your identity.” She conferred with the woman next to her. “Yes, Washington. CIA or FBI or something, I guess. So you want to go through right away. Could take a while.”

I checked my bag, thanked her, and headed to the security screening.

At the end of the roped-off walkway, two TSA officers stood at a wooden podium, checking IDs and boarding passes. I handed one TSA officer my boarding pass. “ID?” he said.

“I don’t have my ID.”

He looked me in the eye. “You have to have ID to get through security.”

“I don’t have my wallet.”

“You need to have ID to go through security.”

“I really don’t have it.” I said.

Pause. “Well,” the officer said, “Hold on.”

Another white-uniformed TSA officer approached with a clipboard. He was a short, middle-aged man with a badge that read “Andrew,” followed by a number. He led me a few feet away, to a shiny metal table just next to the entrance, and put the clipboard down.

“You don’t have your ID?”

“No, I don’t have my wallet,” I said.

“You know, you need to have ID to fly,” he said.

There was another awkward silence.

“I really don’t have it,” I said.

“What happened to it?” he asked.

“I don’t know where it is,” I said.

“Do you have anything with your name on it?” he asked.

I thought a moment. “Nope. Everything I have was in my wallet.”

“Are you sure?” he asked. “Credit cards, anything?”

I poked through my purse, and flipped through my journal. “No… I’m sorry. It was all in my wallet.”

The officer looked at me sternly. “You know, two and a half months ago TSA took over this, and now our policy is that you have to have identification to get through security. Either a passport, if you’re a foreigner, or federal identification.”

“Ah,” I said. “Passport. That would have been a good idea.”

Another awkward silence.

“They’re going to have to interview you to verify your identity. I can’t guarantee that you’ll get through. It depends on your situation, and,” he emphasized, “your reasons for not having identification.” He looked me straight in the eye. “It could take a while. You may not get
on the plane.”

Silence. I nodded.

After a moment, he gestured to the clipboard. “You’ll need to fill out this form.”

There was a stack of white single-sided forms on the clipboard. I bent down to fill out the top one. It was very simple, and looked something like this:

Full Name:

Current Address:

Previous address (if no current address):

Signature:

Date:

Then there was a block of legalese which indicated that my disclosure of this information was voluntary, but failure to disclose it might prevent me from being granted access to the secured area. Finally, there was a block of text which indicated that falsifying information was
punishable by imprisonment or fines.

I printed my name and address, read the block of text carefully, and then signed the document.

A man in a dark suit with a TSA pin approached. The name on his badge was Peters. He introduced himself as John Peters.

“How old are you?” he asked.

“Twenty-seven.”

“And you don’t have identification?”

I shook my head. “I don’t have my wallet.”

“What happened to it?”

“I’m not sure where it is.”

“You need to have identification to pass through security.”

“I’m sorry,” I said. “I really don’t have it.”

At that point a large woman tried to walk past us, between the security workers and the silver table. Mr. Peters turned around and stopped her. “I’m sorry, ma’am, are you a passenger?”

“No,” said the woman, “I just dropped off my 90-year-old parents, and I need to go back there to help my mother find her cell phone.”

“I’m afraid I can’t let you through,” he said. “You’ll have to talk to the JetBlue staff.”

She argued with him for a little while, but he politely insisted, each time becoming visibly more frazzled. Finally, she repeated, “Go to the JetBlue counter.” He nodded. She left.

He returned. I smiled wanly. “Busy day.”

Mr. Peters nodded, and then looked down at the sheet which I had filled out and signed. “I’m going to have to make some calls to verify your identity.”

I nodded.

He pulled out a cell phone. I had assumed that we would be going to some separate screening room, but that wasn’t the case. He stood facing the silver table, and I leaned back against it. So this was the dreaded interview. People walked past us with bags and luggage.

“Hello,” he said. “Security.” Long pause. It sounded like he was transferred. He said a number that I think had the same number of digits as a phone number. Then he said a shorter number. “No, she
doesn’t.” He wrote something in small letters on the form. Then he spelled my name over the phone. “D-A-V-I-D-O-F-F. That’s Indigo Delta… yes.”

He looked at me. “What’s the name of a street that you lived on prior to your current address?”

“Inman.”

“Inman,” he repeated. There was a pause. “Where did you live in 2004?”

“Hmm…” I said. “New Mexico? I think? Maybe Massachusetts.”

He conferred with the person on the phone. “That’s fine.” He hung up.

“All right,” he said. “You’re going to go through full security screening.” He wrote “SSSS” in red marker on my printed boarding pass. He handed my form to one of the officers at the podium, and then gestured to the first screening line. “Right here.”

Almost through. I got into the security screening line as usual, pulled my laptop out and placed it into the gray bin. Instead of my usual hacker stickers, this time a sickeningly cute picture of puppy dogs gazed up at me. I had hurridly taped it over the hacker stickers before leaving for the airport, figuring I shouldn’t push my luck. I placed my flip flops and purse in the other gray bins and walked beside them down the conveyor belt.

When I got up to the metal detectors, I handed my red-scribbled boarding pass to the TSA employee. The big officer looked down at me and said something like, “Female assist, full screening, no alarm.”

A female officer named Menendez brought me to the end of the line, and another male officer carried my backpack, purse and laptop along with us. He placed my belongings on a counter next to explosives detection equipment.

Officer Menendez politely indicated that I should place my feet right on top of the painted yellow footprints, and then raise my arms straight out. She patted down my torso, legs and ran a detector over my body. Meanwhile, I watched the other officer check each of my bags for explosives. He used metal tongs to pick up a small white square which looked like paper, and then he ran the square it across the inside pocket of my backpack. Then he put it in the machine. The machine said, “Analyzing….” and then, in yellow, “Passed.” He did the same thing for my purse, and finally, my computer.

Apparently my computer was filled with explosives. The officers conferred with an older man who seemed to be the explosives machine expert, and then they picked up my laptop and it back to the X-ray machine a second time.

The puppy dogs looked a little sad rolling down the conveyor belt a second time. “Does it alert for computers a lot?” I asked officer Menendez.

“Oh, different things,” she said. “Computers, backpacks. We just run it through a second time.” The male officer brought my computer to the back counter. “You’re done.”

I stepped forward to pick up my stuff. The older explosives machine gentleman was standing next to me, tinkering with the machine.

“So what happened?” I said. “Why did my computer alert?”

He shrugged. “It happens. As long as it’s clean the second time, you’re fine.” I wasn’t sure he realized that they hadn’t run it through the explosives machine a second time, only the X-ray
machine. Not that it really mattered.

“Well, thanks!” I said.

“Have a wonderful evening.”

Analysis

• Recall that to indicate that I required extra screening, staff wrote in red Sharpie on my boarding pass. If I had simply printed off a second boarding pass at home, I could have presented that instead of the marked one, and gone through the metal detector as usual. In other words, passengers without ID can travel without undergoing any extra screening other than “identity verification.” A lawyer friend of mine commented that “if TSA marked ‘SSSS’ on a person’s hand rather than a piece if paper…the airport’s security would at least be as good as a bar’s.”

• Since the answers to the identification verification questions are so widely known, someone could easily have impersonated me and traveled under my name. Many people know that I lived in New Mexico, and the name of the street where I used to live.  As a private citizen, I would much rather that the TSA allow anonymous travel than create a system where identity “verification” is required, but it is very easy to impersonate other people.

• Real attackers will just use fake IDs or identities and pass through unnoticed. Thanks to the age restrictions on alcohol, America has a flourishing ID forgery and resale industry, and faking federal identification is not difficult.

• It’s interesting to know that there’s an on-call system which TSA agents can use to do a quick background check on passengers. What information is in this system? If an attacker were to remember or record the numbers used by the TSA officer during the call, could they later gain access?

Rather than increasing security, the new policy change merely ensures that private citizens who express the wish to travel anonymously are punished for doing so. As Bruce Schneier says, “I don’t think any further proof is needed that the ID requirement has nothing to do with security, and everything to do with control.”

It’s important for private citizens to be able to travel without being tracked if they wish. I am not a criminal. I just don’t believe it’s anybody’s business where I go. I understand the need for ensuring the safety of our transportation infrastructure, and as such, searching passengers before boarding makes sense.

The freedom to travel anonymously also underlies our right to peacefully assemble.  When a government tracks its citizens and can arbitrarily decide to limit or cut off travel, that threatens our democracy. This is especially true in our global society, where many people rely on air travel, trains and the highway just to see their families.

TSA’s new policy, which is to focus on finding “dangerous people” rather than objects, poses enormous challenges. It requires that the agency make sweeping judgments about travelers with very little information, and in a very short amount of time. It is simply not feasible to accomplish this accurately.

We need to make sure our airports are safe, but at the same time, we have to be very careful not to destroy the very thing we are trying to protect: our free country.

http://www.screwprivacy.com/

Yes! Now you can benefit when hackers in Guam steal your bank account password. Don’t be left out of the financial windfall. The more you upload, the more YOU EARN!

Don’t be a victim of data theft. Be a data entrepeneur!

Post more if you see ‘em…

Not far from my house is one of those temporary trailer-mounted variable message signs, which for the past several weeks has been advising motorists that

	 ALBANY
	 CLOSED
	@PACIFIC

	 DETOUR
	   VIA
	BROOKLIN

	 DETOUR
	   VIA
	BROOKLYN

 	 DETOUR
 	   VIA
 	BR'KLINE

Much better.

Dictionary.com says that “security” comes from the Latin word “séc?rus,” or “carefree.” Interesting, given the level of stress and effort involved in the modern pursuit of security. “Carefree” implies that by definition, if you are devoting serious attention to achieving security, you don’t have it.

According to the Online Etymology Dictionary, “secure” means:

secure

1533, “without care,” from L. securus “without care, safe,” from *se cura, from se “free from” (see secret) + cura “care” (see cure).

cure

c.1300, from L. cura “care, concern, trouble,” from PIE base *kois- “be concerned.”

The base “kois,” meaning “to be concerned,” was used by Proto-Indo-Europeans (P.I.E.) roughly 7-9,000 years ago. I wonder if it’s at all related to the root of the word “kosher,” used to refer to strict dietary considerations. In any case, I like that etymologically speaking, the goal of security professionals is to help people be “carefree.”

Most security professionals I know aren’t in the industry just because they’re entrepreneurial, but also because they are drawn to the broad intellectual and social challenges which it encompasses. “Phil”is the Greek prefix for “love,” so I like to think of people who are passionate about security as “philosecurers.”

Ever since the “warrantless wiretapping” FISA Amendements Act was passed by Congress a few weeks ago, I’ve been itching to find some practical voice communication system which isn’t trivially monitored by the government. I admit that, like many security professionals, part of me had become a little resigned to the prospect of an Orwellian future (present?) Little did I expect that someone would hand me a great short-range solution at the conference.

The TSX300 radios are awesome for a number of reasons. They’re based on Frequency Hopping Spread-Spectrum (FHSS) technology, meaning that rather than broadcasting on a static frequency, they constantly switch between many frequencies. This makes it very difficult to eavesdrop on the signal, and it also means that interference on one frequency has little impact on the overall quality of the communication.

Interestingly, the use of frequency hopping for communications privacy was pioneered by Hollywood actress Hedy Lamarr and composer George Antheil, who patented their “Secret Communication System” in 1942. Their invention used a piano roll to hop between 88 frequencies, and was “intended to make radio-guided torpedoes harder for enemies to detect or jam.” (Wikipedia)

Up until now, radios available to the general public have lacked privacy and suffered from severe channel overcrowding. According to bernieS’ excellent March 2008 article in Popular Communications, the TSX300 radios address both those issues, as follows:

The user chooses a 10-digit channel code. “Depending on which 10-digit channel code is chosen, an embedded pseudorandom number generator algorithm selects a different set of 50 [out of 700 possible] frequencies to hop and cycle through every 20 seconds. Each 400-millisecond hop frame contains both voice and data… Since FHSS can effectively create a nearly unlimited number of ‘virtual’ radio channels (by using many different hopping sequences), it could solve the severe channel overcrowding and privacy problems vexing tens of millions of… radio users.“¹

Genius! My favorite part of the article is a section called “Two-Way Radio Privacy For the Paranoid” (who, me?) Here’s a snippet:

“Arguably, TriSquare’s eXRS technology might offer the general public more short-range [communications security] than landline or cellular/PCS network phone calls, which can now be remotely and instantly monitored by many people at local, state and federal government agencies, thanks to CALEA (Communications Assistance for Law Enforcement Act) and the PATRIOT act.

“… An eXRS channel code is somewhat like a simple encryption key with 10 billion (10^9) permutations… Neither scanners nor other manufacturers’ two-way radios can receive eXRS’ FHSS radios signals– further reducing the likelihood of interception. The characteristic of FHSS that rapidly slices and scatters a signal to appear as noise across a wide swath of radio spectrum makes it inherently difficult to track and demodulate. Still, if you’re really paranoid, you should know that a well-equipped and determined eavesdropper could use a highly specialized surveillance receiver like the WJ-8654 Microceptor to track and demodulate eXRS’ FHSS radio signals. More affordable fast-sweeping receivers such as those from Optoelectronics aren’t quite fast enough to track and demodulate a 400-msec FHSS signal.”

In short, the TSX300 radios offer a practical short-range alternative to our centralized telecommunications infrastructure, which is controlled by a few corporations and tapped by the government. The TSX300 radios also support text messaging, address books and all that useful day-to-day stuff that make normal people happy.

I highly recommend reading both of bernieS’ excellent Popular Communications articles on the topic:

Digital Two-Way Radio Technology Reaches Consumer Market (Bernard Bates, November 2007)
An Innovative License-Free Alternative to FRS/GMRS (Bernard Bates, March 2008)

…and I’m totally psyched to try out my new radios at Defcon next week!

Footnotes:
¹Bernard Bates, “An Innovative License-Free Alternative to FRS/GMRS,” Popular Communications, March 2008
²Bernard Bates, “Two-Way Radio Privacy For the Paranoid,” Popular Communications, March 2008

Sherri Davidoff

]]> http://philosecurity.org/2008/07/28/off-the-grid/feed http://philosecurity.org/2008/07/27/art-break http://philosecurity.org/2008/07/27/art-break#comments Sun, 27 Jul 2008 03:48:14 +0000 sherri http://philosecurity.org/?p=90

]]> http://philosecurity.org/2008/07/27/art-break/feed http://philosecurity.org/research/cleartext-passwords-linux/ http://philosecurity.org/research/cleartext-passwords-linux/#comments Fri, 25 Jul 2008 15:19:29 +0000 sherri http://philosecurity.org/?p=88 During the last few months I’ve investigated Linux memory, and consistently found cleartext passwords– including my login, SSH, email, IM, Truecrypt, and root passwords. The following paper includes details regarding each password’s location in memory and surrounding context.

Cleartext Passwords in Linux Memory

Given the recent developments with cold boot memory dumping, the risk associated with cleartext passwords and other sensitive data in memory has significantly increased. Last week at HOPE Jacob Appelbaum released some of the cold boot tools which the Princeton, EFF and Wind River team used to dump and analyze memory.

My hope is that detailed information about cleartext passwords will be useful to forensic examiners and the Linux development community. For folks who would like to examine the data for themselves, below are a some snippets of process memory that I collected from my Ubuntu test system.

Each zipfile contains a pcat capture of process memory, as well as files containing the Ascii and Unicode strings. In the GDM process memory, you’ll find the login username, password, and shadow file information. In the Truecrypt process memory, you’ll find the volume location, password, and the command used to mount it. There’s other interesting stuff in there as well.

GDM process memory (.zip, 6.0M)
  login username: myname1
  password: !1MyPwd1!

Truecrypt process memory (.zip, 7.5M)
  volume location: /home/myname1/Desktop/tcvol
  password: !mytcvol!
  shell command: truecrypt Desktop/tcvol)

]]> http://philosecurity.org/research/cleartext-passwords-linux/feed