Tag Archives: security

FBI Snatch Attack

From the Silk Road trial:

As soon as Ulbricht was distracted, another agent grabbed the open computer and gave it to Kiernan, who is an FBI computer specialist. Kiernan spent the next three hours doing “triage” on the machine. Without allowing it to go idle, and thus become encrypted, he took photographs, went through the browser history, and ultimately handed it off to another agent who imaged the hard drive.

So the FBI grabbed the laptop, shoved a mouse jiggler into the USB port and began to photograph the screens while simultaneously arresting Ulbricht. Good. Clever. Maybe b cause I was a a wannabe script kiddie (I never did anything) reading alt.2600 and alt.cypherpunks back in the day, but I read this and immediately thought about ways to make a deadman switch to foil the snatch attack.

Great Job Receipt Checker

Today, I saw a mother and her son steal a box of Honey Nut Cheerios Marion, Illinois Sam’s Club. They walked right out with it.

My dad and I were getting ready to check out when I saw the woman and her late junior high, or early high school son walk through one of the many closed but not roped off checkout lines that are endemic at all “discount department stores” these days. They went to the concession stand at the front of the store and bought a bottle of water and stood there until someone went to leave and was being “checked” by the “receipt guard.” When she was occupied, they walked right past to their car.

The cart was empty except for the Cheerios.

I thought about embarrassing the receipt checker by asking her if she checked every receipt, or perhaps asking to talk to the manager, but I didn’t. It would have embarrassed my dad, and probably got the woman fired from a job that doesn’t even pay above poverty. And for what? Participating in security charade that exists nationwide?

Nah. Fuck The Man™.

This Message Has Been Approved By Seatac Astronomy

Me thinks Larry Page and the Zuckster have same ghostwriter at the NSA.

Google Facebook
Dear Google users—

You may be aware of press reports alleging that Internet companies have joined a secret U.S. government program called PRISM to give the National Security Agency direct access to our servers. As Google’s CEO and Chief Legal Officer, we wanted you to have the facts.

First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.

Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

Finally, this episode confirms what we have long believed—there needs to be a more transparent approach. Google has worked hard, within the confines of the current laws, to be open about the data requests we receive. We post this information on our Transparency Report whenever possible. We were the first company to do this. And, of course, we understand that the U.S. and other governments need to take action to protect their citizens’ safety—including sometimes by using surveillance. But the level of secrecy around the current legal procedures undermines the freedoms we all cherish.

Posted by Larry Page, CEO and David Drummond, Chief Legal Officer

I want to respond personally to the outrageous press reports about PRISM:

Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received. And if we did, we would fight it aggressively. We hadn’t even heard of PRISM before yesterday.

When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if is required by law. We will continue fighting aggressively to keep your information safe and secure.

We strongly encourage all governments to be much more transparent about all programs aimed at keeping the public safe. It’s the only way to protect everyone’s civil liberties and create the safe and free society we all want over the long term.

You don’t need to go in through the back door when you go in through the front.

Pwnie Express

Pwnie Express, a company that apparently receives DARPA funding, develops clandestine network sniffers. Disguised as innocuous power strips or transformers, these boxes hide Ubuntu powered computers that contain packet sniffers and keyboard loggers with cellular network connections.

This isn’t a particularly new idea. I seem to remember a computer disguised as a UPS back in the late 90s or early aughts. There was also talk of using gum stick computer powered over ethernet as an inline network sniffer, although I wonder if it would have really worked back then. Still, these types of things always fascinate me, even if they seem relatively straight forward. It’s spy technology! I imagine sneaking into office buildings and secretly installing these either Mission: Impossible &endash; or more likely &endash; Sneakers style (i.e. in plain sight), and then retiring to a delivery van filled with electronic gear and retrieving whatever secrets I was looking for.

Needless to say, I have no use for these thing in real life.

via zdnet

Mobile Phone Keyboard Logger

Two related links, both involving using your phone to shoulder surf your passwords. Both attacks take advantage of the fact that smart phones with accurate accelerometers are now ubiquitous. By monitoring the the vibrations of the phone, the attacks inver what keys were pressed on a keyboard. Both of these a much more proof of concept, than actual sophisticated attacks, but they are interesting none the less.

At HOTSEC 11, Liang Cai and Hao Chen of UC Davis were able infer which key was pressed on an onscreen keyboard with 70% accuracy. By measuring how far phone was torqued around both the X and Y axises, the the location of where force was applied, and thus which key was pressed can be inferred. Cai and Chen made the task a bit easier for them. They held the phone in landscape mode, which spread the keys out more, thus causing a larger distribution of torques that could be measured. That’s not necessarily a problem since many people type in landscape mode. The bigger simplification was that they only looked at a touches on the dialing pad. A more interesting paper would have looked at attacking the alphabetical keyboard instead. I understand why they didn’t. The experiment was to find out if someone could use the accelerometers to read key presses at a high enough accuracy. Looking at their confusion matrix, I would think that determining alphabetical keyboard presses would need to be a two step solution. First, you’d get a distribution of what key was pressed. You’d then combine these presses with a Markov Chain language model to determine what the actual keyboard press was. “it was the durst of timez” becomes bit more Dickensian, a little less crappy rap-rock, and a lot less monkey.

Of course, sniffing the phone’s keyboard is one thing, figuring out what someone is typing on their laptop or desktop is something else, but that’s exactly what
Philip Marquardt and others at Georgia Tech did. In their work published at CCS 2011, they describe a technique where a phone placed next to keyboard read key presses via vibrations on the table at 80% accuracy. Unlike the method above, this team used a dictionary to increase the decoding accuracy. Their method feels the vibrations through the table and then attempts to categorize the key being on the left or right side of the keyboard (assuming the phone is placed to the left of the keyboard). Pairs of key presses are read, the distance between the first and second key of each pair is categorized as being either “near” or “far”. These triple are then passed through the dictionary in order to figure out what is the most likely English word typed. Left-right and near-far categorization is done using a neural net.

via Security News Daily,
ibidem

SneaKey

Back in 2008, Benjamin Laxton and Kai Wang at UCSD’s computer vision lab came up with SneaKey, a method to duplicate keys simply by imaging them. Reading the paper, SneaKey is a MatLab app that takes in an image of a key, along with certain control points identified by a human operator. The image of the key is then warped to a known configuration and the depth of the cuts on the key are estimated. They tested on sets of keys from two different manufactures, KwikSet and Schlage. While both could be decoded in a handful of attempts, the KwikSet keys were easier to guess, both in number of attempts and wider viewing angles. I would think it has to do with the handle part of the KwikSet keys having a large number of easy to identify control points, while the Schlage has comparatively fewer control points, but that’s just a guess. Schlage keys aren’t shown in the figures, so that’s just a guess. The authors do say that they believe that correct placement of the control points is critical to identifying the correct baseline in order to properly estimate the biting codes.

“Don’t Worry. Your Data is Safe.”

I took my laptop to the Apple Store to get it repaired. (The keyboard doesn’t work.) After explaining to the guy at the store, he starts taking down my contact info. When he’s done, he says. “And what’s your username and password? Don’t worry. Your data is safe.”

Aghast, I say “But my data is NOT safe if I give you my password!*

“Uhh….”

“Can’t you just boot off an external drive or something?”

“Well, umm… yeah, but this is how that prefer we do it.”

Sure enough, the Apple form has blanks for username and password.

In the end, I gave them Ming’s password, because really it didn’t matter. I was giving a perfect stranger an unencrypted drive. It does make me think though. After decades of telling users not to share they’re passwords. Not to give them to people saying they’re from IT. Not to trust anyone with your password, Apple is undoing this as part of standard operating procedure. Or maybe I’m just old, and I’m supposed to think of Apple as a parent.

* Yes, I recognized the naivete of believing a simple password provided adequate security in this situation.

My parents never read my stuff. I see no reason to read my child’s.