PWN your coffee shop

Posted in Networking by C4 on October 28, 2010

I had meant to write about this a couple days ago but just have been pretty busy. At Toorcon 12 I mentioned that the last talk I saw was about session hijacking (sidejacking) and they (Eric Butler and Ian Gallagher) released a pretty nifty tool that makes it really easy to steal a user’s session while on the same wifi AP. I downloaded it when I was at the airport and was the 14th person to download it. After checking this morning it has 373,535 downloads. That’s amazing and kind of frightening since I know what this tool can do.

So the theory isn’t that new; it’s been a problem for quite a while. I actually remember talking about this at a coffee shop with a friend while still in college. When accessing most popular sites that require logins, you receive an HTTP session cookie from the server once you authenticate. The vulnerability is not about getting a user’s password and user name, because most times those are sent using SSL and you aren’t able to sniff that data. The vulnerability comes into play when you move from an https page to an http page (i.e. from the login page to a regular non-encrypted page). When you log into a page and successfully authenticate, you are issued (or start) a session ID (cookie) by the server. That ID is used by the site to recognize you as the user you logged in as. It displays certain preferences and adds functionality when you are logged in to that site. If you can somehow steal that ID (cookie), let’s say over wifi or something, since everything is broadcast to everyone on that access point, you would then become that person to the website. So for example, if I was sniffing wireless traffic and was able to obtain someone’s Facebook session and used that session ID to go back to Facebook, I would then see their account and would be logged in as that user.

So if that’s not a new vulnerability then why has it been so popular in the last few days?

Firesheep. It’s a program that makes it super easy to do what I just described above automatically. No programming, no learning how to use packet tools, no loading cookies into your browser. I literally installed this Firefox extension in less than 5 minutes. (Including DL time) The hardest part was trying to find out how to display the sidebar.

So, like, how do I use this tool?

First, let’s start with downloading the Firefox extension. I’m using OS X but I’m pretty sure you can use Windows too, but you have to install WinPcap. You can download it here. Once you have it you can either open it with Firefox or click on it and choose Firefox as the application. Note: I had an older version of FF and I had to update my version before being able to install the extension. Once it’s installed, you can choose Tools -> Add-ons then find the Extensions tab. You should now see Firesheep 0.1 installed. Click Preferences and check the Capture option to make sure that it’s pointed to your wireless device. (en0 for me) Websites is where you add new websites to the list of sites for which the tool knows how the session cookie is stored. Advanced is what type of traffic you would like to filter; the default is TCP traffic on port 80. Once everything is set up you can then enable it by going to View -> Sidebar and then choosing Firesheep. You will then get a sidebar on the left hand side with a button that says start capturing. Once you start capturing people’s data and hijacking their sessions you are probably breaking one law or another depending on where you are. What you do at this point is up to you.

Can I protect against this?

Kinda. You can do a few things like use a VPN, tunnel HTTP over SSH to a location that you know is legit, use SSL on the site if they have/allow it, or don’t access any of those sites while on public wifi. Those will definitely work but are not really convenient. I think the point of this tool was to make this type of attack so widespread and easy for anyone to run that it would force sites to use SSL for everything. So go complain to vulnerable sites that they need to improve their security.
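The site-side fix for what the two sections above describe is to mark the session cookie so the browser never sends it over plain HTTP. As an added example (not from the original post), here is a small audit that parses Set-Cookie headers from a constructed HTTP response and reports which session-looking cookies lack the Secure attribute; the cookie names and the SESSION_NAME_HINTS heuristic are assumptions for the demo, not any real site's cookies.

```python
# Added example, not from the original post: audit Set-Cookie headers for the
# weakness Firesheep relies on. A session cookie set without the Secure attribute
# is attached by the browser to plain-HTTP requests as well, so on an open Wi-Fi
# network anyone sniffing can copy it and be "logged in" as that user.
# The response below is constructed for this demo; SESSION_NAME_HINTS is an
# assumed heuristic, not a standard.

SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123def456; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/
Set-Cookie: auth_token=0123456789abcdef; Path=/; Secure; HttpOnly
"""

# Cookie names that usually carry a login session rather than a preference.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value):
    """Split 'name=val; Attr; Attr=val' into (name, {attr_lowercase: val})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(raw_response):
    """Return {cookie_name: [finding, ...]} for every Set-Cookie header."""
    findings = {}
    for line in raw_response.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure: sent over plain HTTP, sniffable on open Wi-Fi")
        if "httponly" not in attrs:
            problems.append("no HttpOnly: readable by page scripts")
        findings[name] = problems
    return findings


def sidejackable_sessions(raw_response):
    """Session-looking cookie names that lack Secure, i.e. what a sniffer sees."""
    hits = []
    for name, problems in audit_cookies(raw_response).items():
        looks_like_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
        if looks_like_session and any(p.startswith("no Secure") for p in problems):
            hits.append(name)
    return sorted(hits)
```

In the sample, auth_token is safe (Secure and HttpOnly), prefs is harmless but unprotected, and sessionid is exactly the cookie that leaks when the user moves from the https login page to http pages.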

Back from Toorcon12

Posted in Badge, CONs, Hardware by C4 on October 26, 2010

I’m finally back from Toorcon after some flight delays. I had a good time. Met some cool people and saw some good talks. One worth mentioning was Dan Kaminsky’s talk on DNSSEC. He brought up some good points on how DNSSEC could be the “answer” we have been searching for, for secure email. (and other things) Another awesome talk was about Session Hijacking. Although this isn’t a new topic, Eric Butler and Ian Gallagher did release a pretty badass tool called Firesheep, which I will be talking about in my next post.

The Badge

Before Toorcon I was under the impression that the badge would be an electronic badge by the guys who made the Defcon Ninja Badge this year. (cstone and woz) After emailing them a couple days before, I was informed that due to some time constraints it wasn’t going to happen. They might possibly use it for another con in the future.

The actual badge was some laser cut acrylic (possibly from metrix?) in different colors for various types of attendees. They were shaped in the Toorcon gear logo.

They announced they would have a badge hacking contest and provided some parts to solder up cool stuff to the badge. I apparently didn’t get the memo they would be providing free (as in beer) stuff to do some hardware hacking on the badge. So I took a trip on the bus to the closest radio shack and bought some LEDs and stuff.

I really wanted to find/buy an ATmega (168 or 328) to put on the badge but I couldn’t get a hold of one. By that time I had already put in the LEDs, 9V battery, and LM7805 voltage regulator. So I looked around the table and found an NE555 timer chip. My theory was to blink the LEDs on and off in a sequence. After spending a ton of time trying to wire the thing up with the proper resistors and capacitor I ended up giving up and just wiring them up. Either the chip was bad or I messed up on the resistors/capacitor and the timing was just really fast so it looked like it was constantly on. Here are a few pics:

I had to leave a bit early to catch a flight home, so I didn’t get to a few talks I would have liked to see. (woz’s “Hardware will cut you.” And Joel’s “LANrev’s Multiple Vulnerabilities Come to Light”)

Oh, I did meet someone from “Square” which makes software (and a small device) for doing credit card transactions on your iPhone or iPad. He ended up giving me one.

I might try playing with this a little bit when I have some spare time.

Spoof your mac on your mac.

Posted in CONs by C4 on October 22, 2010

I’m on my way to San Diego for Toorcon 12 and I have a layover in San Fran. As I jump onto the free wifi (provided by T-Mobile) I’m greeted by a nice page with a “Check here to indicate you have read and agree to the Service Terms and Conditions.” and a limit on the free wifi time you get, “San Francisco International Airport is pleased to provide our airport visitors with 45 minutes of complimentary Wi-Fi access.” Only 45 min? That’s kind of a bummer. I’m guessing it’s based on the MAC address of the device. Let’s see if we can get a little bit more time out of the free wifi.

I’m running 10.6 so this might change for other versions. First we need to find our current MAC address.

ifconfig en0 | grep ether

This finds the current address of your network card. You might need to change en0 to en1 or whatever for your specific setup. If you want to save your original MAC address, run:

ifconfig en0 | grep ether > mac.orig

This stores your original MAC in a file called mac.orig. Next you need to disassociate your wlan card from any networks you are associated with. Run this as root or add sudo to the beginning of the command.

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -z

Now let’s change your MAC to whatever you want. You might just want to change the last two characters of your MAC to make it easier. Run (as root):

ifconfig en0 ether 00:1f:5b:d7:f4:a3

You can run that as-is or modify it if you want. Now do another ifconfig en0 to make sure your MAC is changed and rejoin the wifi network.

You will need to accept the terms of service, but you will be online for another 45 min. Rinse, Repeat, and Ruse.

Apple TV and openelec.tv

Posted in Hardware by C4 on October 22, 2010

I mentioned in my last post about trying to find an ultra-cheap streaming media box. I did some research and found that most of the devices that I looked at (that would be good for this type of application) were a bit too expensive for my taste. I like cheap solid solutions.

I have been running XBMC on Apple TV for a couple of years now and really like it. However, recently it’s become a bit slow and sluggish when keeping up to date with the newest versions and releases. I planned on putting together a custom distro so that it didn’t have the bloatware of the ATV OS running underneath the XBMC since I never use it. I came up with an analogy to explain the dilemma to my GF.

Imagine you have a t-shirt (XBMC) and you like to wear that t-shirt all the time. But in order to wear your t-shirt you have to first put on a sweatshirt (ATV OS). So every time you just want to wear the t-shirt you need a sweatshirt on under it, vs just being able to put the t-shirt on directly.

After doing some searching on a lightweight distro, I found that there was already a project with the same goals, Openelec.tv. Open Embedded Linux Entertainment Center is a distro that is aimed at using a minimal linux install to boot directly into XBMC. They have options for installing it to a flash USB drive, compact flash, or directly to your HDD. It also has an ssh server (from what I read) to enable remote access and configuration.

Apparently the current generic image worked right out of the box with the ATV (minus some IR and wlan/lan drivers) using the atv-bootloader. They are now going to release an image for the ATV with all the drivers included. The release was scheduled for (10/15) but was pushed back to possibly today (10/22). It has not been released yet on their site but I suspect it will be up there soon. (within the next few days) According to some of the people beta testing it, it boots really fast. They also mentioned that it works really well and is also expected to include support for CrystalHD. For anyone who doesn’t know, CrystalHD is a card that is installed in the ATV (replaces the WLAN card) to provide HD support for the Apple TV. You can find more info here. I like and use the wireless N all the time, and most of my content isn’t HD so I won’t be using that option on my setup.

I will be doing a writeup of installing and configuring this new distro when it’s released for the ATV. I may also buy a few more ATVs to install and sell them for people who want the application but don’t want to go through the work of setting it up.

Now, on my way to toorcon…

Toorcon 12, PHP, and blah

Posted in CONs, Hardware by C4 on October 21, 2010

I will be going to Toorcon 12 tomorrow. I have never been to San Diego or Toorcon, so this will be a first. It looks to be a pretty good line up of talks this year. In order to get back on Sunday I have to leave a bit early so I won’t be able to catch all the talks on Sunday.

I was also asked this week to write a few PHP functions. And while I didn’t do so hot on the spot, I did find a good way to accomplish the task. The question was: write a function to return true or false (or print) if two elements in a given array SUM to 100. The first function is really slow, more of an “if all else fails” type of approach.

$RandomArray = Array(74,122,103,125,80,29,127,123,35,33,142,91,
95,36,12,57,115,103,15,58,150,133,73,143,96,48,81,18,63,10,134,
30,30,28,88,25,30,84,40,27,102,136,32,93,115,132,55,142,68,60,
128,30,128,31,115,28,93,24,2,53,98,23,129,145,3,114,36,108,63,
60,70,97,66,26,28,64,62,96,104,114,5,7,121,4,145,62,38,115,112,
128,92,142,45,136,2,6,47,9,25);
$RequestedNum = 100;

function Search1($RandomArray, $RNum){
 // Brute force: compare the element at $count against every other element.
 $count = 0;
 $found = false;
 while($count < count($RandomArray)){
  foreach($RandomArray as $Index => $Num){
   // Skip pairing an element with itself; we want two distinct elements.
   if($Index != $count && $RandomArray[$count] + $Num == $RNum){
    echo $RandomArray[$count] . " + " . $Num . " = " . $RNum . " : True";
    $found = true;
    break 2;
   }
  }
  $count++;
 }
 if(!$found){
  echo "No match found :  False";
 }
}

The second one is a bit quicker and uses the built-in function in_array();

function Search2($RandomArray, $RNum){
 // Sort, then look up each element's complement ($RNum - element) with in_array().
 asort($RandomArray);
 $SortedArray = $RandomArray;
 $Success = false;
 foreach($SortedArray as $SA){
  $findNum = $RNum - $SA;
  if($findNum == $SA){
   // The complement is the element itself, so it must occur at least twice.
   $Success = count(array_keys($SortedArray, $SA)) >= 2;
  } else {
   $Success = in_array($findNum, $SortedArray);
  }
  if($Success){
   echo $SA . " + " . $findNum . " = " . $RNum . " : True";
   break;
  }
 }
 if(!$Success){
  echo "No match found :  False";
 }
}
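Both functions above still scan the array once per element. As an added example (not from the original post), the same check done in a single pass: each element is looked up against the set of elements already seen, which also makes an element pair with itself only when it really occurs twice. The array is the one from the post.

```python
# Added example, not from the original post: single-pass version of the
# "do two elements sum to $RequestedNum" check from the PHP functions above.

def find_pair(numbers, target):
    """Return (a, b) with a + b == target taken from two distinct positions,
    or None if no such pair exists. Runs in one pass using a set of seen values,
    so 50 + 50 only counts when 50 appears at least twice in the input."""
    seen = set()
    for n in numbers:
        complement = target - n
        if complement in seen:
            return (complement, n)
        seen.add(n)
    return None


# The post's $RandomArray and $RequestedNum.
RANDOM_ARRAY = [74, 122, 103, 125, 80, 29, 127, 123, 35, 33, 142, 91,
                95, 36, 12, 57, 115, 103, 15, 58, 150, 133, 73, 143, 96, 48, 81, 18, 63, 10, 134,
                30, 30, 28, 88, 25, 30, 84, 40, 27, 102, 136, 32, 93, 115, 132, 55, 142, 68, 60,
                128, 30, 128, 31, 115, 28, 93, 24, 2, 53, 98, 23, 129, 145, 3, 114, 36, 108, 63,
                60, 70, 97, 66, 26, 28, 64, 62, 96, 104, 114, 5, 7, 121, 4, 145, 62, 38, 115, 112,
                128, 92, 142, 45, 136, 2, 6, 47, 9, 25]
REQUESTED_NUM = 100

if __name__ == "__main__":
    pair = find_pair(RANDOM_ARRAY, REQUESTED_NUM)
    if pair:
        print(f"{pair[0]} + {pair[1]} = {REQUESTED_NUM} : True")
    else:
        print("No match found :  False")
```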

I’ve been playing around with the idea of an ultra cheap (sub $100) HTPC with XBMC running on it. Most boxes that would be suited for this are > $100. I’m looking around at some devices that might be able to run as a cheap media streaming box for those extra TVs you might have sitting around in your room/basement. Most of my focus has been towards Nettops and Thin Clients. I also found a cool project of someone in England porting it to a beagleboard.

This makes me want to get one and continue or contribute to his work.

Ubuntu 10.10, Windows Phone 7, IO Badge

Posted in Uncategorized by C4 on October 13, 2010 1 Comment

Ubuntu 10.10

Ubuntu 10.10 came out this weekend and I had a chance to upgrade one of my desktops. I didn’t see a whole lot of design changes from the 10.04 release. I did notice there were a lot of packages that were upgraded. It took a while to upgrade the system but that’s what you get when you upgrade on release day.

Ubuntu 10.10 Netbook Unity Interface

One of the things I really like about the new version is the Netbook edition. The interface (Unity) has been well designed for the smaller screen. It reminds me of a mobile OS. I have always liked the idea of putting a mobile OS like Android on a Netbook. For the majority of what people use them for it’s great. Although with the tablet market on the rise we could see less Netbooks around.

Windows Phone 7

Windows Phone 7 was officially released yesterday? It’s kinda hard to tell with all the leaks and people already having a copy of it to demo. I was pleasantly surprised by the design direction they took. I’m not going to say it’s better than the iPhone but it is comparable. They added some nice features like auto wireless syncing. Obviously this just seems like a security issue waiting to happen, but hopefully they did it right. Maybe if I get my hands on a WP7 device I will do some testing. You can watch the demo video here (Need Silverlight).

The one thing I thought was a bit disappointing was the lag and slowness of the device. He even had multiple devices up there knowing that he might have to switch because of speed issues. The thing I care about most these days is speed on a device. I would gladly give up eye candy for speed and reliability. Hopefully they get some of the “Vista” bugs worked out.

IO Badge

Now we are getting somewhere. I was able to get some help on Monday from Pierce at logos-electro.com. I was able to get most of the Eagle files done. I still have to tweak the LCD package to reflect the 14 pins on the no-backlight LCD vs the 16-pin one that is on there now. Here is a pic of the Eagle file.

I know the design is pretty crude but it’s my first board and first attempt at Eagle. The next project will be better. I hope to fix this up in the next day or two and send it out to have some prototypes made.

Ice Tube Clock and Metaboard Kits

Posted in Arduino, Hardware, Metaboard by C4 on October 8, 2010

Last week I got the Ice Tube Clock kit for my birthday. (from my gf of course) I am pretty excited to assemble this over the weekend. The kit is from adafruit. You can find it here. It uses a Russian display tube, which is pretty awesome. Here is the kit after I took it out of the box.

Metaboard Kits:

Here are a few pictures of one of the Metaboard kits I assembled. They were pretty easy to assemble and it took me maybe 45 minutes with distractions.

I haven’t gotten the chance to burn a chip with the USBaspLoader bootloader yet. I would like to do some testing on these. I know that the sketches aren’t loaded using the Tx and Rx pins on the board. This also limits you to no serial monitor output. I’m not sure if you can use soft serial to accomplish the same thing. This would be a big bummer for doing actual development, since that’s a major debugging feature.

SF trip, Ninja games, and Metaboards

Posted in Badge, Badge, Hardware by C4 on October 7, 2010

I got a chance (for the first time) to go to San Francisco this past weekend. I met up with some friends from college and did some touristy stuff. One of the cool things I got to do was visit Noisebridge (SF hacker space) which was throwing a party. It was cool seeing another hacker space and seeing what other projects people were working on.

While in the city we rode a lot of metro transit. By the end of the weekend I had a pocket full of tickets but I found one to be interesting. The “muni” ticket felt a little bit different. After taking a closer look it was an RFID ticket. I haven’t gotten a chance to play with it yet or read any data, but I will this weekend.

Badge Progress

I started writing the code for the badge. Without spoiling it too much I will have a few integrated games. The coolest one being a ninja game. That’s all I’m going to say.

The Metaboards also apparently did come in today. I got a package notice when I got home from work. I will do a post after I pick them up.

- C4