Ghost in the Wires

Or the official biography of Kevin Mitnick. In the 90s, Kevin Mitnick was known as the World’s Most Wanted Hacker. He is an artist of social engineering. His book “The Art of Deception” is a reference on the topic.

This new opus tells the story of Kevin from his youth until the day he was freed. Do you remember the “Free Kevin” protest movement? Is this new book interesting? I read “The Art of Deception” with pleasure. It is not the case with this book. It could have been a good thriller, but the style is not right to create suspense. It could have been a book on the hacking mindset, but the described introspection is too shallow. It could have been a technical book, but the rare technical descriptions are uninteresting.

The main interest of the book is to get an insight into his motivations: “Getting access to things that he was not authorized”. Nevertheless, “The Art of Deception” gives a better view of social engineering. An unanswered question: why did he need to go to jail to become an ethical hacker?

We will keep one good description of ethical hacking:

What I do now fuels the same passion for hacking I felt during all those years of unauthorized access.  The difference can be summed up in one word: authorization.
I don’t need authorization to get in.
It’s the word that instantly transforms me from the World’s Most Wanted Hacker to one of the Most Wanted Security Experts in the world.  Just like magic.

Conclusion: This book is not mandatory on the shelves of security people.  “The Art of Deception” is mandatory.

Reference

[1] K.D. Mitnick and W.L. Simon, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker, Little, Brown and Company, 2011.

[2] K.D. Mitnick and W.L. Simon, The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons, 2003.

Degate

Martin Schobert has designed an open-source software tool, called Degate, to help reverse-engineer hardware components. The process is the following:

  • You must first take pictures of the layout of the depassivated chip.
  • Degate will attempt to recognize standard cells using image pattern matching.
  • Degate also attempts to reconstruct the netlist of wires and vias (vias are electrical connections between different layers).
  • Then, it can build the full or partial logical layout.

Of course, the better the quality of the initial pictures (for instance using a Focused Ion Beam (FIB)), the easier (and better) the automated result.

Degate will not do the whole job. It is a software aid to the reverse engineer. In any case, at the end, you will have to understand what the logic layout does. Degate is not a tool for script kiddies. It requires a good knowledge of microelectronics. You’re working at the transistor/cell level.

The site also provides an interesting repository of documentation related to IC reverse-engineering.

Lesson: As for software obfuscation, the fewer reused patterns in the design of the chip, the more robust it is to reverse-engineering.


Sony once more under fire, but proper reaction

Philip Reitinger, CISO of Sony, has announced that about 93,000 accounts on Sony’s systems have been compromised. They monitored a suspect massive set of login/password trials. Most of them were unsuccessful, but about 93,000 succeeded. Most probably, the attackers got access to a database of logins/passwords from another web site (such information is available on the Darknet).

Some people use the same login/password for different sites. These persons may be the victims of this attack.

We must congratulate Sony for its reaction:

  • Transparency: they were clear on what happened, and provided the data. The reaction of customers was extremely positive.
  • Monitoring: this proves that Sony is carefully monitoring activities to detect strange behaviour or patterns. This is key in security.

Lessons:

  • Customers are ready to hear the truth in case of attack. I would even guess that they would rather be made aware than hear about it once it is far too late.
  • Do not use the same password for all sites, at least not for the critical ones.
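The monitoring that Sony is praised for above boils down to spotting a replayed credential list: one source trying many different accounts in a short time, most of them failing. The following is an added example (not Sony’s code, nor anything from the original post) of that detection logic run over a handful of constructed authentication log lines; the log format, the thresholds and the IP addresses are all assumptions made for the illustration.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not from the original post: the log format, the thresholds
and the sample lines below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.5 tries many different accounts in a few seconds (mostly failing);
# 198.51.100.7 retries a single account; 192.0.2.44 is an ordinary login.
SAMPLE_LOG = """\
2011-10-11T08:00:01 203.0.113.5 alice FAIL
2011-10-11T08:00:02 203.0.113.5 bob FAIL
2011-10-11T08:00:02 203.0.113.5 carol OK
2011-10-11T08:00:03 203.0.113.5 dave FAIL
2011-10-11T08:00:03 203.0.113.5 erin FAIL
2011-10-11T08:00:04 203.0.113.5 frank FAIL
2011-10-11T08:00:04 203.0.113.5 grace OK
2011-10-11T08:00:05 203.0.113.5 heidi FAIL
2011-10-11T08:05:00 198.51.100.7 alice FAIL
2011-10-11T08:05:09 198.51.100.7 alice FAIL
2011-10-11T08:05:20 198.51.100.7 alice OK
2011-10-11T09:00:00 192.0.2.44 bob OK
"""


def parse_log(text):
    """Turn log lines into (timestamp, source_ip, username, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    events.sort()
    return events


def detect_stuffing(events, window=timedelta(seconds=60), min_attempts=6,
                    min_users=5, min_fail_ratio=0.5):
    """Flag sources that, inside one time window, try many distinct accounts
    with a high failure ratio (the signature of a list replayed from another
    site). Returns {source_ip: set of accounts that logged in OK from it}.
    """
    recent = defaultdict(deque)   # source ip -> attempts inside the current window
    flagged = {}
    for ts, ip, user, ok in events:
        attempts = recent[ip]
        attempts.append((ts, user, ok))
        while ts - attempts[0][0] > window:   # slide the window forward
            attempts.popleft()
        if len(attempts) < min_attempts:
            continue
        distinct_users = {u for _, u, _ in attempts}
        failures = sum(1 for _, _, succeeded in attempts if not succeeded)
        if len(distinct_users) >= min_users and failures / len(attempts) >= min_fail_ratio:
            hits = flagged.setdefault(ip, set())
            hits.update(u for _, u, succeeded in attempts if succeeded)
    return flagged


def accounts_to_reset(flagged):
    """Accounts whose password worked for a flagged source: lock them and force a reset."""
    return sorted(set().union(*flagged.values())) if flagged else []


if __name__ == "__main__":
    flagged = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, accounts in flagged.items():
        print(f"credential stuffing from {ip}; compromised accounts: {sorted(accounts)}")
    print("force password reset for:", accounts_to_reset(flagged))
```

The repeated failures on a single account from 198.51.100.7 are a different signal (a brute force on one user) and are deliberately not caught by this rule; a per-account counter handles that case. Note also that the successful logins are collected from the window that was open when the source crossed the threshold, so once a source is flagged its earlier successes should be reviewed as well.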

Glitching the Xbox

A group of hackers has designed a stunning attack to run arbitrary code on the Xbox. The Xbox uses a hypervisor (or boot loader) that checks that the software that is running is properly signed (or does not have the wrong hash). They use fault injection techniques, here glitching. The aim of the attack is to make the processor derail after a glitch applied at the precise moment. This technique was initially designed to attack smart cards or secure processors (for instance, see chapter 9 of K. Markantonakis and K. Mayes, Smart Cards, Tokens, Security and Applications, Springer-Verlag New York, 2008).

In the case of the Xbox, the attackers had to produce a 100 ns glitch on the chip reset at the moment it compares the calculated hash with the stored values. If well designed, the glitch should make the memcmp report a match even though the hashes differ, and thus should allow running arbitrary code. They had to succeed in two challenges:

  • Find the precise moment for the glitch to occur, and find the right shape for this pulse.
  • Find a method to slow down the processor; with a slower processor, the timing accuracy required of the glitch can be relaxed.

They succeeded! It is interesting to note that they had to design two solutions: one for the fat Xbox, and one for the slim one. They have different PCBs. For the fat box, they found a pin to slow down the CPU, whereas for the slim one, they attacked the PLL by overwriting parameters in an I2C memory (this old serial bus is not protected).

It is a nice piece of reverse engineering. This is not a consumer-grade hack. It is extremely complex. I believe that here, the motivation is purely to succeed at a technical challenge (real Hackers).

Lessons:

  1. As always, Law 1 is true.  Attackers will always find a way.
  2. Attackers may use top-notch techniques.


Lessons from RSA hack

It is now six months since RSA suffered the hack that compromised SecurID. RSA had a positive attitude regarding the hack, providing some details and good visibility. Thus, we can learn many things from it.

We now know how RSA was penetrated. It was through a targeted email carrying an Excel file. The Excel file had an embedded Flash object inside. The object, using a zero-day vulnerability, installed the Poison Ivy backdoor. For more details see F-Secure’s analysis. The attacker used the backdoor to get access to the sensitive data needed to break SecurID. The mail was addressed to four members of RSA, thus a targeted attack. Once SecurID was compromised, the attackers could access Lockheed Martin.

This is the first publicly known instance of an Advanced Persistent Threat (APT). This corresponds to an extremely targeted attack that works stealthily and slowly in order not to be detected, and is performed by extremely skilled attackers. Until now, it was reserved to warfare. As the final target was Lockheed Martin, we may believe that it was a high-profile attack. They used a zero-day exploit which passed under the radar of any anti-virus scanner.

RSA and Kaspersky Labs presented an interesting analysis of the attack.

What can we conclude?

  • Perimeter defense is no longer sufficient, at least in a professional environment. Skilled hackers will try to attack from inside. We need new tools to detect suspect behaviour within the enterprise network. For instance, an alert should be triggered when a device communicates with “exotic” IP addresses. Unfortunately, these tools will be more complex to administer and will probably need more manual monitoring.
  • Targeted attacks will be used more and more against industrial targets. Security awareness will become key. People must also be aware of business intelligence. It is a reality that is too often downplayed.
  • I will rant against all this software that is used for purposes other than the initial ones. How often have I seen Excel used for things other than calculating! For instance, to display tables of text. As a result, software editors add new features. Why should we have to add Flash objects to calculations? In security, KISS (Keep It Simple & Stupid) is a golden rule. The more features, the more potential vulnerabilities.
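The first conclusion asks for an alert when a device talks to “exotic” IP addresses. Here is an added example (not from the original post, nor from RSA’s or Kaspersky’s analysis) of the simplest form of that check: a list of address ranges a workstation is expected to reach, and an aggregation of everything else per host, so that an analyst sees which machine keeps calling which unknown address and how much it sends there. The expected ranges, the record format and the sample records are constructed for the illustration.

```python
"""Alerting on workstations that talk to unexpected ("exotic") addresses.

Added example, not from the original post or from RSA's/Kaspersky's analysis:
the expected ranges, the record format and the sample records are constructed.
"""
import ipaddress

# Constructed: ranges a workstation is expected to talk to (corporate networks,
# a known partner/SaaS range). Anything else is "exotic" for this example.
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # corporate (RFC 1918)
    "203.0.113.0/24",                                  # known partner range (constructed)
)]

# Constructed outbound connection records: "<host> <dst ip> <dst port> <bytes out>".
# ws-017 repeatedly contacts an address outside every expected range.
SAMPLE_CONNECTIONS = """\
ws-017 10.0.3.9 445 1200
ws-017 203.0.113.20 443 8800
ws-017 198.51.100.77 443 512
ws-017 198.51.100.77 443 540
ws-017 198.51.100.77 443 530
ws-042 10.0.3.9 445 3300
ws-042 203.0.113.21 443 12000
"""


def parse_connections(text):
    """Return (host, destination ip, port, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, dst, port, nbytes = line.split()
        records.append((host, dst, int(port), int(nbytes)))
    return records


def is_expected(dst, expected=EXPECTED_NETWORKS):
    """True when the destination falls inside one of the expected ranges.
    Checked explicitly rather than with ipaddress' is_private/is_global so
    that a deliberately listed range is the only thing that counts."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in expected)


def find_exotic_destinations(records, expected=EXPECTED_NETWORKS):
    """Per host, aggregate connections to destinations outside the expected ranges.
    Returns {host: {dst_ip: {"connections": n, "bytes_out": total}}}; repeated
    contacts to one unknown address and the volume sent there are what an
    analyst needs to triage a possible backdoor call-out."""
    alerts = {}
    for host, dst, _port, nbytes in records:
        if is_expected(dst, expected):
            continue
        entry = alerts.setdefault(host, {}).setdefault(dst, {"connections": 0, "bytes_out": 0})
        entry["connections"] += 1
        entry["bytes_out"] += nbytes
    return alerts


if __name__ == "__main__":
    for host, dsts in find_exotic_destinations(parse_connections(SAMPLE_CONNECTIONS)).items():
        for dst, stats in dsts.items():
            print(f"ALERT {host} -> {dst}: {stats['connections']} connections, "
                  f"{stats['bytes_out']} bytes out")
```

An allow-list of ranges is deliberately crude: on a real network the expected set would be learned from a baseline of past traffic and refined by hand, which is exactly the extra administration and manual monitoring the conclusion warns about.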


Android Movie Rental and rooted devices

In May 2011, Google launched its new video rental service for Android phones. Soon, people discovered that the service was not available for rooted devices. Rooting an Android device means giving yourself root permissions on the device, in other words having FULL control of your phone. This is not often the case with phones provided by operators. Rooting is equivalent to jailbreaking a device. As Android is an open source system, very attractive to homebrew lovers, it is often the first thing they do to be able to create new apps.

The video app checks if the device is rooted and then refuses to play the content. Why does Google impose such a limitation? The Video Rental Market uses DRM to enforce the rental conditions. One of the strong assumptions of software-based DRM is that it runs in a rather trusted environment. It is obvious that a rooted device does not fit the definition of a trusted environment. For instance, the app has no way to be sure that its system calls are not hijacked, or even that the system calls will act as expected. Thus, it was obvious that Google had to take this measure.

Nevertheless, this limitation does upset the users who believe that open source means full control of their device. Unfortunately, open source and DRM are antagonistic concepts.

As we could expect, the cat-and-mouse race has started. It seems that a patched version of the app is available. This version may not check for a rooted device and accept to play the movie. The movie is still protected by the DRM and you need a proper license to access your rented movie.


Password re-use

We often suppose that some users re-use the same password on many Internet sites. Most probably, the same password will be used to log on to their company network. This is an extremely valuable path for hackers, as some Internet sites do not correctly protect the stored passwords (if they protect them at all). Thus, an attacker that gets access to such a list of accounts and passwords, with a little bit of social engineering, may try to log on to companies’ accounts.

Gaw and Felten (Princeton, 2006) and Florencio and Herley (Microsoft, 2007) published empirical studies which evaluate the re-use at less than 20%.

Several password databases have been hacked since the beginning of this year. Joseph Bonneau from Cambridge used this opportunity to make a new empirical study. His conclusion is that the ratio of re-use is higher. With a conservative approach, he estimates that 30% of people may reuse passwords.

This is worrying but understandable. For every user, the number of sites requiring a login is exploding. I just checked how many passwords my Firefox password manager handles (not far from 200 :( and with several different identities!). How can we reasonably expect users to use a different password for each site?

Nevertheless, it may be mitigated by some observations. One of the important factors is the sources of comparison, i.e. the leaking sites. I suppose (or hope) that many people have a multi-level approach to passwords: using a weak re-used password for non-important sites, and more robust and diversified ones for more important sites.

For the sites where I do not care about being impersonated, I use the same very simple password. For sites where I must not be impersonated, I use diversified robust passwords. And of course, for Technicolor accounts, passwords radically different from the ones I use on the Internet.
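The attack path described at the top of this post (a leaked list from a careless site replayed against company accounts) has a defensive mirror image: the company can run the same comparison itself, once, and force a reset for every employee whose leaked password also opens their corporate account. The example below is added here and is not from the original post or from the studies cited; it assumes the company stores only salted PBKDF2 hashes, and the leaked entries and company directory are constructed. It also computes the same kind of re-use ratio (identical password among accounts present on both sides) that the empirical studies above estimate.

```python
"""Measuring password re-use against a leaked list, the defensive way.

Added example, not from the original post or from the cited studies: the
leaked entries and the company directory below are constructed, and company
passwords are only ever held as salted PBKDF2 hashes.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor (assumption for this example)


def make_record(password, salt=None):
    """Store a password as (random salt, PBKDF2 digest), never as plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


# Constructed leak from a third-party site that stored passwords in clear.
LEAKED = [
    ("alice@example.com", "sunshine1"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "qwerty123"),
    ("dave@example.com", "hunter2"),          # dave has no company account
]

# Constructed company directory (email -> hashed record). Plaintexts appear
# here only to build the sample; a real directory never holds them.
COMPANY = {
    "alice@example.com": make_record("sunshine1"),      # same as the leak
    "bob@example.com": make_record("Tq7#vR!pL2xm"),      # different
    "carol@example.com": make_record("qwerty123"),      # same as the leak
    "erin@example.com": make_record("m9$Wz&b3Kf0q"),     # not in the leak
}


def check_reuse(leaked, company):
    """For each leaked (email, password), test it only against that same
    account's company record. Returns (emails that re-used, overlap count),
    where overlap counts leaked accounts that also exist in the company."""
    reused, overlap = [], 0
    for email, leaked_password in leaked:
        record = company.get(email)
        if record is None:
            continue
        overlap += 1
        candidate = hashlib.pbkdf2_hmac("sha256", leaked_password.encode(),
                                        record["salt"], ITERATIONS)
        if hmac.compare_digest(candidate, record["digest"]):
            reused.append(email)
    return reused, overlap


def reuse_ratio(reused, overlap):
    """Share of overlapping accounts with an identical password, the kind of
    ratio the empirical studies estimate (their exact method is not shown here)."""
    return len(reused) / overlap if overlap else 0.0


if __name__ == "__main__":
    reused, overlap = check_reuse(LEAKED, COMPANY)
    print(f"{len(reused)} of {overlap} overlapping accounts re-use the leaked password "
          f"({reuse_ratio(reused, overlap):.0%}); force a reset for: {reused}")
```

Each leaked password is tried only against its own account’s record, so the check never becomes a general guessing run over the directory, and the slow, salted hash keeps the cost of the comparison proportional to the number of overlapping accounts.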

What policy do you use?

In any case, Bonneau’s post is interesting to read.