I usually bring a book or a magazine with me when I travel. Since airplanes forbid the use of electronics during the beginning and end of the flight, and turbulence can kill hard drives, old-fashioned printed paper is a good way to pass the time. I try not to bring something too deep (e.g., advanced calculus or particle physics) or too shallow (Newsweek or Time). Occasionally I'll buy a copy of 2600: The Hacker's Quarterly. However, I was so disappointed with the latest issue, I think I won't buy one again.
I don't buy 2600 regularly. Most of the time the articles are worthless. But if one or two articles are interesting, then I'll get a copy to bring on the airplane. However, the most recent issue (Winter 2009-2010) actually managed to offend me. I am offended when a hacker magazine advocates stupidity and activities that are unethical at best and potentially illegal.
Magazine Shopping
I should have known better. They say that you cannot judge a book by its cover. But in this case, the photoshopping is so horrendous as to be offensive. It really should have been a clue to me...
Just a few of the problems:
- The drop switchboard is floating. Its only visible leg casts no shadow. It also isn't plugged into anything.
- There are shadows on the floor between the woman and the switchboard, but they just fade away. Nothing is casting the shadows.
- The baseboard changes angle as it passes the woman. Yet the wall behind her shows no corner or bend.
- The woman is wearing a headset. The cord actually becomes thin and faint as it passes the name tag.
- Does the woman have an Adam's apple?
- The edges of the "photo" have been drawn so as to appear old, with dust and water stains. Yet the artist forgot that photo damage virtually never stops right at the edge of the picture. The picture itself has no damage.
While 2600 (both the magazine and radio show) has never been known for high quality, this lack of attention to detail is startling even by their standards. (2600 usually photoshops their covers, but this is the first one that is really, amazingly bad.)
What about the contents?
Just reading the articles, I was amazed by the amount of bogus information. For example, the first article was "Pwning Whole Disk Encryption" by m0untainrebel. Basically, he describes a weakness for whole disk encryption. The weakness? If you have physical access to the hard drive, then you can place a boot sector virus and capture the decryption password.
Let's back up for a moment... If you have covert, physical access then you already pwn the system. You can install a keyboard logger, internal HD bus intercept, video camera to watch the victim enter the password, or even malware on a USB drive plugged into the back of the computer (where the user will never notice). Worst case? You can mirror the drive and crack the password at your convenient off-site lab.
And remember: this is a lay-and-wait strategy. It must be covert. If the victim suspects that you did anything to the computer, then they are unlikely to log in. Law enforcement would probably not use this technique -- it would require a very hard-to-get court order and has a high risk of failure (since it requires stealth). Considering that it bypasses a security mechanism, I cannot envision any legal reason for non-law enforcement to use this technique. Thus, the author not only overlooks the obvious (physical access means access), he also appears to promote a technique that can only have unlawful purposes.
Frames...
Another article was even worse. In "Revenge is a Dish Best Served Cold", Valnour describes the way he got back at a high school bully. He was being harassed via Windows net send messages. So... he went to class early and planted a program on the bully's computer to send a stupid insult to the entire class (including the teacher). The result? The bully was suspended.
This article shows a clear lack of ethics and a lack of the hacker mentality. First off, you don't frame someone for something they didn't do. While the bully may have used net send, he was not responsible for sending the message to the class -- that was Valnour who did it. The bully was falsely accused of sending the message that got him in trouble. It does not matter that he sent other messages to Valnour; the bully was still falsely accused of a crime that he did not commit. Valnour has no sense of ethics.
Also, Valnour planted the code manually and after-hours. This is the mentality of a script kiddie and not a hacker. Things a hacker would have considered:
- Valnour said that each computer had a sticker that identified the hostname and IP address. The obvious hack: swap stickers with the teacher.
- If you are there after-hours and have physical access, then modify the DNS server or swap IP addresses so a network resolution would yield the teacher's computer and not your computer. (You can also edit the hosts.conf file and/or add in a specific routing table entry.) Now when the bully sends his message to "you", it will actually go to the teacher. You might have reconfigured the computer, but he was the one who sent the message -- now he isn't framed for something he didn't do.
- net send usually uses RPC over UDP but can use TCP. Since you know you are the target, set up a redirector so any IP requests from the bully's computer receive an ICMP redirect packet that tells his computer to resend the message to the teacher's computer. Again, it isn't a frame since he is the one sending the message. You're just telling his computer to send it somewhere else...
- If you're going to log in to his system, at least have the guts to do it while he's there! Don't be a coward, planting malware on his system during off hours. Even if you lack the ethics, a real hacker would log in remotely, open a window on his desktop (so he can see it happening and feel panic) and send the message while he watches helplessly. Sure, it's a frame-up. But at least it isn't cowardly.
Sex as a weapon
In "Social Engineering from a New Perspective", Lilith found out that she can flirt her way to passwords and unauthorized access. Wow! Incredible! I bet no other woman has ever realized that this is possible! What Lilith fails to understand is that flirting is a very superficial method of social engineering. As Kevin Mitnick has repeatedly shown, social engineering is about confidence and not looks. If the only tool you have is your looks, then you won't get far with social engineering.
I should also point out that flirting is not limited to females. In a red-team attack, I actually used "chit chat" (as Lilith calls it) to keep a female defender occupied while other red-team members altered the contents of her open vi cache while she was editing the password file. (This was an awesome hack with social engineering as a delay tactic.) When she saved the file, the altered cache was written to the password file.
A little too late
Other articles were equally inane. For example, a person called "dolst" wrote about an Adobe side effect ("Hey Adobe! Leave My Boot Loader Alone!"). On Windows systems, some Adobe products store the product serial number in the boot sector. If you have a dual-boot system (e.g., Linux with GRUB in the boot sector), then this can corrupt the boot loader.
This would have been a really fascinating article... if it wasn't already known since at least 2004. (That's more than half a decade for you 2600 fans.)
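Both boot-sector stories above (the password-capturing boot code and the Adobe overwrite) come down to something changing the first sector of the disk without the owner noticing. As an added example, not from the original post or from 2600, this Python sketch fingerprints a 512-byte MBR against a known-good baseline and reports which region changed; the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 446   # bytes 0..445: boot loader code
TABLE_END = 510       # bytes 446..509: four 16-byte partition entries

def mbr_regions(sector: bytes) -> dict:
    """Split a 512-byte MBR into regions and fingerprint each one."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    return {
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partition_table": hashlib.sha256(sector[BOOT_CODE_END:TABLE_END]).hexdigest(),
    }

def partitions(sector: bytes) -> list:
    """Decode non-empty entries as (bootable, type, first LBA, sector count)."""
    out = []
    for i in range(4):
        start = BOOT_CODE_END + 16 * i
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, length (little-endian)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[start:start + 16])
        if ptype != 0:
            out.append((status == 0x80, ptype, lba, count))
    return out

def changed_regions(baseline: dict, sector: bytes) -> list:
    """Names of the regions whose hash no longer matches the saved baseline."""
    current = mbr_regions(sector)
    return sorted(name for name in baseline if baseline[name] != current[name])

def make_sector(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code plus one bootable Linux (0x83) partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 409600)
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    good = make_sector(b"\xeb\x63\x90 constructed stage1 loader")
    baseline = mbr_regions(good)   # record while the machine is known-good
    tampered = make_sector(b"\xeb\x63\x90 different bytes written here")
    print(partitions(good))
    print(changed_regions(baseline, good), changed_regions(baseline, tampered))
```

On a real machine the input would be the first 512 bytes of the disk device or of an image taken with dd, and the baseline would be stored somewhere other than the disk it describes.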
Looking for Literature
With 2600 no longer a viable option, what do other people read on airplanes? I'm looking for something technical but not deep (short articles rather than a novel), interesting, and that doesn't require power during takeoffs and landings.
Google can give you a good indication of their style. They have a bunch of pdf's up on their site.
I haven't been able to find it at any bookstores and their site makes it sound like they merged with InformationWeek.
http://www.drdobbs.com/subscribe/
If you can show me a howto that I can google about how to get around this (that was out before that article) then I'll agree with you.
Here's a few links to how-to's for recovering the MBR after any Windows application corrupts it (and all of these pre-date the article by years):
http://www.videohelp.com/forum/archive/how-to-recover-grub-boot-loader-t302223.html
http://www.howtogeek.com/howto/ubuntu/reinstall-ubuntu-grub-bootloader-after-windows-wipes-it-out/
http://www.linuxforums.org/forum/suse-linux-help/116605-boot-loader-lost-grub.html
And while creating a batch file with the dd commands to backup/restore the MBR is a simple hack, I've found mbrfix.exe to be much more convenient for non-techies who don't know about dd.
http://www.sysint.no/nedlasting/mbrfix.htm