Fri, 21 Jul 2006

The Future of Wireless Pen Testing

Around 2001, 802.11 became very widespread in consumer devices: laptops and little access points, wireless "gaming adaptors" (aka wireless media bridges) and even PDA phones. The problem is that all the security features in the written and accepted spec are broken.

Renderman mentioned a flaw in 802.11i, which is sometimes called WPA2 by Cisco, which is where I first heard about it. It has a nice feature where, if an associated device sends packets with the wrong Michael MIC checksum in too short a time, the radio shuts down for 60 seconds and kicks all the other devices. This is supposed to be a security feature. In those 60 seconds you can power up your own AP with the same SSID and grab all their data to a network you own.

Dragorn mentioned that 802.11w is supposed to address packet authentication better.

Probably the most interesting part was a discussion of driver level exploits that can give the exploited code access to the hardware's memory, bypassing any kind of operating system controls. It can also go straight to the memory where the operating system's kernel lives and break that. Cool!

I asked the question of how to properly secure an 802.11 network since both WPA and WEP are broken by design. Dragorn's response was to open the radios and secure everything on layer 3 with a VPN.

posted at: 20:21 | path: /hopenumbersix

Friday Night Keynote. RMS Is Crazy

Richard M. Stallman is the founder of the GNU movement, which he has led since publishing the GNU Manifesto in 1985. He is speaking right now at HOPE. He gave some shouts to Defective By Design and talked about how the GPL version 3 will try to prevent further manipulation of GNU code by adding clauses defining freedoms related to DRM. The GNU project's legal arm is the Free Software Foundation, which is a group of lawyers who work to ensure software freedom stays that way. (Ed.: I am a member of the FSF, so I'm definitely biased.)

He seems very touchy and came off as distracted during the first part of the speech. Then he attempted a joke where he wore a halo and crowned himself a saint of the GNU church of Emacs. He then uttered the quip that vi vi vi is the editor of the beast, which was damn funny. So yeah. He's crazy...

...but totally cool because he redeemed himself during the Q/A session. Almost every person had an antagonistic question concerning his idealism and he aptly challenged each one. The cool part about RMS is that he's 100% consistent. Free Software makes us free and thus is good for humanity; proprietary software removes freedom and thus is bad for humanity. Can't beat that really.

posted at: 17:37 | path: /hopenumbersix

Magnetic Stripe Technology and the New York City MetroCard

Joseph Battaglia is pretty damn cool. He heard about card bending and got curious. Why the hell are people getting free fares by some weird urban lore of intentionally breaking discarded MetroCards? He figured it out and explained it, along with basically the entire proprietary MetroCard magnetic stripe format as of 2004. Of course this format has been changed due to the large mainstream media attention the security flaw got.

I'll try to be concise because this one is really deep. Cubic is the name of the company that made the magnetic stripe algorithm for the MTA. It's different from other cards, for example a Starbucks gift card, in that it has a non-standard sequence of binary data encoded onto the magnetic stripe. Fortunately, to be compatible with the global market for these little swipey card things it conforms to a number of ISO standards, namely ISO 7810, ISO 7811, and ISO 7813. Yea! Reference points.

Mr. Battaglia used these and more (including the patents Cubic filed with the USPO) to implement a card read/write chart, which he published.
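As an added illustration of what those ISO "reference points" buy you (this is not code from the talk, and it does not reproduce the MetroCard's proprietary layout), here is the generic ISO 7811 track-2 style character coding: 4 data bits plus an odd parity bit per character, start/end sentinels, and a trailing LRC. The decoder shows how a reader rejects a stripe whose bits have been damaged, which is the kind of integrity check a card-bending trick plays against.

```python
# Added example: ISO 7811 track-2 style 5-bit encoding (4 data bits LSB first
# + 1 odd-parity bit), framed as ';' + data + '?' followed by an LRC character
# (XOR of all data nibbles, carrying its own parity bit). The MetroCard's
# proprietary layout is NOT reproduced here; this is the generic standard.
from functools import reduce

TRACK2_CHARS = "0123456789:;<=>?"   # nibble 0x0..0xF -> ASCII 0x30 + nibble


def _parity(nibble: int) -> int:
    """Parity bit chosen so the 5-bit group has an odd number of ones."""
    return 0 if bin(nibble).count("1") % 2 == 1 else 1


def encode_track2(data: str) -> list[int]:
    """Encode ';' + data + '?' + LRC as a flat list of bits."""
    bits, lrc = [], 0
    for ch in ";" + data + "?":
        nibble = TRACK2_CHARS.index(ch)       # ValueError on illegal char
        lrc ^= nibble
        bits += [(nibble >> i) & 1 for i in range(4)] + [_parity(nibble)]
    bits += [(lrc >> i) & 1 for i in range(4)] + [_parity(lrc)]
    return bits


def decode_track2(bits: list[int]) -> str:
    """Decode a bit list; raise ValueError on bad parity, framing, or LRC."""
    if len(bits) % 5 or len(bits) < 15:
        raise ValueError("bit count is not a valid track-2 record")
    nibbles = []
    for i in range(0, len(bits), 5):
        group = bits[i:i + 5]
        if sum(group) % 2 != 1:               # odd parity over all 5 bits
            raise ValueError(f"parity error in character {i // 5}")
        nibbles.append(sum(b << k for k, b in enumerate(group[:4])))
    *body, lrc = nibbles
    text = "".join(TRACK2_CHARS[n] for n in body)
    if not (text.startswith(";") and text.endswith("?")):
        raise ValueError("missing start/end sentinel")
    if lrc != reduce(lambda a, b: a ^ b, body, 0):
        raise ValueError("LRC mismatch")
    return text[1:-1]


if __name__ == "__main__":
    # Constructed sample record; a single flipped bit is caught by parity,
    # a two-bit flip inside one character slips past parity but fails the LRC.
    rec = encode_track2("1234=5678")
    print(decode_track2(rec))
```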

posted at: 13:00 | path: /hopenumbersix

How to Steal Someone's Implanted RFID - And Why You'd Want To

Annalee Newitz put an RFID implant in her arm to prove a point. Then she talked to us about how simple, cheap and insecure it was. This procedure is commonly used in a very ethical manner for tagging pets and livestock. A company called VeriChip makes human-implantable tags containing personal data. They sell them as good for the emergency room when you might not be able to communicate nor have any identifying paper on your person. Whatever. The shit they implanted in Ms. Newitz's arm is a simple pet tag: a totally unencrypted RFID transponder running at 13.56 MHz. Anyone who can listen on that frequency can record the signal in its entirety. Then, if they have an antenna to transmit the same signal, they can clone that tag. Stupid. Maybe good for inventory...maybe only good for these kinds of demos.

Newitz paid $400 for her implant, but did not recommend this method. Her co-presenter, Jonathan Westhues, said that any skilled body piercer can implant it for about $20. The parts can cost another $20. So you'd only be out $40 if you wanted to get your very own implant.

Newitz also had a good quip referencing her Democracy Now! appearance, when Liz McIntyre asked "What if Hitler had RFID?". Newitz's response was that genocidal dictators did just fine killing millions before digital technology. Blaming mass murder on RFID is barking up the wrong tree.

posted at: 12:00 | path: /hopenumbersix

About

I work with communications, open source software, sound and video. I'm the most happy when I work on all of these things at once. Sounds, Systems, Robots, Rocking Tigers.
