Sunday, October 14, 2007

CSI: NY "You Only Die Once"

With the writers of Numb3rs playing it safe this season by limiting their expedient exaggerations to areas of physics and mathematics, I was relieved to see that CSI: NY stepped up to the plate to keep me occupied.

As you may have guessed from the title, this episode deals with a band of James Bond-like criminals who drive around in a high-tech sports car and fast-rope out of high-rise luxury condos. The CSI team discovers that the criminals are not looking for traditional valuables such as furs and jewelry--they are after personal information stored on electronic devices. The team surmises this while examining a coat that was taken off a man found face down in a gutter.

How did they come to this conclusion? The department IT folks called and informed the team that they had a firewall breach and someone was illegally accessing the network. Our quick-witted investigators power down the lab to contain the breach, but are puzzled when the examination table's fluorescent lights continue to flicker. They determine it has something to do with the jacket, so they pull it apart and find a mesh of wires connected to a MiniSD memory card.

What they discovered in the jacket was a device that can magically download information off of any device using wireless connections. The most amazing part of this contraption is that the whole thing is heat activated. I can only assume that they meant that it was powered by body heat, or other heat sources, because a device like this that only turns on when it's hot doesn't make any sense at all.

A little research on my part found that a group of German researchers at the Fraunhofer Institute have created a similar generator that can produce 200 millivolts of power. But, according to our friends over at Engadget, you'd need about 1 watt to power just the processor of a modern handheld device. The Fraunhofer generator produces about 2 milliwatts. Sorry Charlie, even with the long underwear, you come up short in the power department.

To compound the power problems, you would need both WiFi and Bluetooth radios, plus a CPU and operating system that can perform moderately complex cryptographic functions--none of which I saw on the device.

I'm not sure why the wannabe secret agents needed a device like this in the first place. They were the party planners and staff, so rigging a laptop to do the same thing and attaching it under the buffet table would have been much easier, more effective, and would have gone completely unnoticed. Moreover, if you take the risk of breaking into someone's condo, you're better off attaching a USB or Firewire drive to the computer and downloading the information that way--when you are in the middle of a B&E, you really don't want to wait around for your system to crack the WiFi and then break into the computer, assuming that there are any vulnerabilities to be exploited in the first place.

As for how the lab was hacked, what they were trying to describe is an "evil twin" attack. By mimicking an existing WiFi access point, or AP, an attacker can trick a computer into connecting to a network they control. By exploiting weaknesses in a commonly used WiFi link encryption protocol, you can even mimic an AP that has encryption enabled. At that point, the attacker has a direct network connection to the computer, but would still need to exploit a vulnerability to gain access to anything on it. Technically speaking this bypasses any network based firewalls that may be in place, but does not render them insecure as they stated in the script.

If you'd like to learn a little more about the WEP attack, InfoWorld has a detailed (but non-technical) description here.
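The "evil twin" described above leaves a footprint that the lab's own wireless monitoring could have caught: the lab's SSID being advertised by a radio (BSSID) that is not in the lab's inventory, usually at a stronger signal than the real access point. The following is an added example, not code from the original post; the beacon records and the inventory are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One beacon frame as a passive wireless scanner would report it."""
    ssid: str
    bssid: str      # radio MAC address of the access point
    channel: int
    rssi: int       # received signal strength, dBm (closer to 0 is stronger)
    privacy: bool   # True when the beacon advertises encryption


# Constructed sample scan; these are not real networks or addresses.
SAMPLE_SCAN = [
    Beacon("CrimeLab", "00:11:22:33:44:55", 6, -48, True),
    Beacon("CrimeLab", "00:11:22:33:44:55", 6, -50, True),
    Beacon("CrimeLab", "02:00:5e:aa:bb:01", 11, -35, True),   # same name, unknown radio
    Beacon("CrimeLab-Guest", "00:11:22:33:44:56", 6, -49, False),
    Beacon("CrimeLab-Guest", "02:00:5e:aa:bb:02", 6, -72, False),
    Beacon("CoffeeShop", "02:00:5e:cc:dd:ee", 1, -70, False),
]

# Inventory of the access points the lab actually owns (constructed).
KNOWN_APS = {
    "CrimeLab": {"00:11:22:33:44:55"},
    "CrimeLab-Guest": {"00:11:22:33:44:56"},
}


def find_evil_twins(scan, known_aps):
    """Return {ssid: sorted rogue BSSIDs} for every SSID in the inventory that
    is also being advertised by a radio the inventory does not list."""
    advertised = defaultdict(set)
    for b in scan:
        advertised[b.ssid].add(b.bssid)
    twins = {}
    for ssid, owned in known_aps.items():
        rogue = sorted(advertised.get(ssid, set()) - owned)
        if rogue:
            twins[ssid] = rogue
    return twins


def best_rssi(scan, ssid, bssids):
    """Strongest signal seen for any of the given BSSIDs on this SSID."""
    readings = [b.rssi for b in scan if b.ssid == ssid and b.bssid in bssids]
    return max(readings) if readings else None


def rank_twins(scan, known_aps):
    """Annotate each rogue with whether it out-powers the legitimate AP.
    A twin that is louder than the real AP is the one clients are most
    likely to roam to, so it goes to the top of the list."""
    report = []
    for ssid, rogue in find_evil_twins(scan, known_aps).items():
        legit = best_rssi(scan, ssid, known_aps[ssid])
        for bssid in rogue:
            rogue_rssi = best_rssi(scan, ssid, {bssid})
            report.append({
                "ssid": ssid,
                "bssid": bssid,
                "rssi": rogue_rssi,
                "louder_than_legit": legit is None or rogue_rssi > legit,
            })
    report.sort(key=lambda r: (not r["louder_than_legit"], -r["rssi"]))
    return report


if __name__ == "__main__":
    for row in rank_twins(SAMPLE_SCAN, KNOWN_APS):
        print(row)
```

In a real deployment the scan would come from a monitor-mode card or the wireless controller's rogue-AP feed, and the inventory from your asset database.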

Watch CSI: NY for free on CBS Innertube.

Saturday, October 6, 2007

The 13 Hackiest Hacking Movie Moments

Maxim Magazine has jumped on the bandwagon and created their own list of ridiculous movie hacking moments. They missed some classics, but it's still a good list. Check it out here.

Saturday, June 30, 2007

Live Free or Die Hard (2007)

The latest installment in the Die Hard series has our hero John McClane chasing after a crew of hacker-terrorists that are systematically shutting down the critical infrastructure of the United States. The movie describes this as a "fire sale," as in "everything must go."

While I do not pretend to be part of the in-crowd when it comes to national security terminology, I don't recall ever hearing this term used to describe any scenario relating to critical infrastructure attacks. I suspect the screen writers just made it up.

At any rate, the action begins in an FBI operations center that makes the fictional NORAD command center from WarGames look like, well, the real NORAD command center. Even with its modern architecture and sleek interface design, the most amazing part of this set is the fact that the 20-foot projection screens have relevant network security information from every U.S. government network, as well as the national energy grid--truly unbelievable.

With all of the creativity that Hollywood has to offer, I'm sure it's still difficult for someone to visualize a network intrusion in a way that most people would find interesting, but showing computer screens dim, go black and then suddenly come back to life just doesn't do it for me. But this is exactly how the action gets kicked off and, without much investigation, the FBI knows immediately that it was the work of hackers. Holy crap, I thought someone forgot to pay the power bill!

So what was compromised exactly? The power supply to the monitors? It obviously wasn't the computers because when the screens came back on, there was nothing to indicate that they were compromised or had even lost power. I don't mean to suggest that a compromised system would have some sort of visual indicator, but with all that the operations center had to offer, you'd think the screen writers or director could have come up with something a little more realistic or clever, such as showing that all of the FBI's computers are sending out spam for herbal Viagra. Just a thought.

I could bore you with paragraphs on SCADA system security, or ask why someone would spend money to build a networked system that shuts off lights that don't need to be turned off, but I'll simply focus on one of my biggest beefs with this movie which is the use of what I call "magical hacking tools."

While everything in a Hollywood production is larger than life, there seems to be an obsession with showing omnipotent hacking tools with elaborate graphical interfaces which, in addition to allowing easy access to every function of an extremely complex system, can also mimic any system's GUI.

In reality, even commercial security tools do not have this level of functionality or interface design, but I don't want to denigrate the advances that our blackhat friends have made over the last couple of years with their software. Take a look at this Web GUI used to control botnets. Most corporate systems don't look this good.

Burn Notice "Pilot"

What do spies do when they've been blacklisted? According to Burn Notice, they hang around in Miami, avoid their mothers, and get advice from alcoholic ex-spies. In this "Get Shorty meets The Equalizer" one hour drama, you also learn that blacklisted spies have many useful skills that they can pull from their tradecraft to assist people who can't get help from the law.

One of these skills is using latent fingerprints lifted from a fingerprint reader to open a safe.

You might be thinking that this is something the screen writer made up to get himself out of a jam, but according to a Japanese researcher, it can be done--with about an 80% success rate. However, what was shown in this episode is an overly simplified, and slightly inaccurate, depiction of what you would actually need to do to pull it off. Let me explain.

If Burn Notice were a two-hour procedural drama, you would have seen Jeffrey Donovan's character find a non-porous surface, such as a water glass, that he knew the safe's owner had touched. Getting the print from the safe seems like a logical idea, but in reality, the size and weight of the safe would make it difficult to work with.

Next, he would use a technique called cyanoacrylate fuming to draw out the latent prints. Cyanoacrylate fuming is just a fancy way of saying you expose the surface to vaporized Krazy Glue. These vapors, or fumes, react with the amino acids and other proteins that are left when you touch something with your fingers. This reaction forms a white sticky material that outlines the ridges of the fingerprints. This white sticky material is another reason why you wouldn't want to use the safe to get the print--you'd have to clean that sticky crap off before you left.

Once the reaction is complete, you can stain the results with colored dust and photograph them. Despite what you may have seen on those CSI shows, this process can take more than two hours and also requires the object to be placed in a sealed container. You'd probably be better off doing this in a safe place, in other words, not a house you just broke into.

Next, he would transfer the photograph to a computer, enhance it with Photoshop and print it out on transparency paper. The transparency would be placed over the photosensitive material that hobbyists use to create custom circuit boards. The material would then be exposed to ultraviolet light and washed with acid. The pattern that was printed on the transparency would now be etched into the board, creating an accurate mold of the fingerprint. The materials needed to do this are available at most electronics hobby shops for around $50.

To create his fake fingertip, he would pour gelatin into the mold and let it harden. He could then place the gummy fingertip on his own, and use it to fool the fingerprint reader and open the safe. Nice and easy.

Someone could probably create a portable kit so that this could be done on scene, but they'd need to speed up the cyanoacrylate fuming process to make the process streamlined enough for a black bag job.

Monday, June 25, 2007

What the CIA Could Learn from Hollywood

What I learned today is that at least one of the three writers that got WGA credit for The Recruit understood the basics of how cell phones work and what data is collected by service providers, but apparently failed to portray CIA training in an accurate light. Go figure.

If you are not familiar with this 2003 yawner, it follows several young CIA recruits through their training and first covert assignments. Towards the end of their training, the recruits go out on a surveillance and evasion exercise. Prior to the start of this exercise, one of their instructors specifically tells them to "turn your cell phones off because they act like tracking devices."

Obviously this doesn't happen during real CIA training. My evidence? Two dozen CIA agents were indicted in Italy for kidnapping a suspected al Qaeda agent in Milan and transporting him to Egypt. How did Italian prosecutors track down those accused of the kidnapping? Cell phone data.

Seems that the alleged kidnappers not only left their cell phones on, they actually used them throughout the operation, which allowed investigators to track them from the location of the kidnapping to the Air Force base that was allegedly used to fly the abductee out of the country.

Read the story in Congressional Quarterly:

You can't make this crap up.

Thursday, May 31, 2007

Traveler "The Retreat"

Traveler is a new show about two recent college grads who are framed by their mysterious roommate, Will Traveler, for a bombing in New York City. The two are branded terrorists and quickly find themselves on the run from both the Feds and some yet-to-be-identified organization who are presumably the real masterminds behind the bombing.

In "The Retreat," the FBI brings in one of the fugitives' girlfriend for questioning. While still in the FBI offices, she receives a call from her absconder boyfriend on her cell phone. The FBI promptly tries to trace the call, or as the agent in charge describes it, engage in "a little T&T." I assume T&T stands for Trap and Trace, but with fictional FBI agents, you never know.

As the trace begins, the FBI technicians determine that the caller is using VoIP and it is "heavily encrypted" which will not prevent them from tracing the call, but would slow it down. The scene then cuts back to the boyfriend talking on his cell phone.

Again with the cell phone and VoIP--I'm not sure how this became so popular with TV writers, but there you go. In reality, there are a couple of services that will allow you to make VoIP calls from your cell phone, but they require either a WiFi-enabled handset, or the use of cell-based data services, such as EVDO. However, handset support is limited and the cost of the data services really makes things unattractive for anyone except the well-paid geek.

Thus from a technology perspective, the scenario created by the writers is possible, but the details around it are a little off base and the chances of this actually happening the way they show it are pretty unlikely given the background of the characters.

I'm not going to get into the details of how a traditional trap and trace works, but needless to say, by the time you declare "I know how long it takes to trace a call and you're five seconds too short" you're already screwed--any notion of beating the clock is pretty much a pipe dream under most circumstances. The time-based trace does make for an effective tension-building device, so it's a little hard to fault screen writers for using it. But that's beside the point.

Because the story left some gaps around how the phone call was made, I am going to assume that the boyfriend placed the call on a prepaid cell phone bought with cash, and that he signed up for the VoIP outbound service with a prepaid gift card from Visa or American Express--which would have been bought with cash as well. He would need the outbound service to reach his girlfriend's cell phone via VoIP unless they had both set up the service prior to him being on the lam, which doesn't seem likely. Doing this would prevent any preexisting trap and trace from nailing him as soon as he turned on his phone.

So how would "heavy encryption" slow down the trace of a VoIP call? Simply put, it wouldn't. The way the call was routed would be the biggest limiting factor from a real-time tracing perspective. Additionally, if the call was terminated on the PSTN, the encryption would only be established between the VoIP phone and the PSTN gateway, meaning that anyone on the PSTN side would not know it was there.

As if that were not enough, even with encryption, you could not easily hide the source address of the VoIP call. Even if you use UDP--a protocol that allows for easy IP address spoofing--you would not be able to have a two sided conversation because any return traffic would be routed to the bogus address and not back to your phone or soft client. That being the case, once the person tracing the call has access to the source IP address from the PSTN termination box, you are, again, screwed.

Of course, the person would then have to map the IP address to the cell phone account, and then pull the call records (unless you already had a trap and trace set up) to get the person's physical location, assuming that the provider records that information (some do.) The time it would take to gather and correlate all of this information from the different providers and sources is what would have really delayed this Hollywood style trace. Once again, the way the call is routed is the delaying factor for this scenario, not the encryption.
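The correlation described above, walking a call back from the PSTN gateway's record to a data subscriber and then to a cell site, is where the real delay lives, because each step depends on a different provider's logs. The following is an added example, not code from the original post; all records are constructed, and the field names, subscriber ids and cell ids are assumptions.

```python
from datetime import datetime, timedelta


def ts(text):
    """Parse an ISO-8601 timestamp (all records below share one clock and zone)."""
    return datetime.fromisoformat(text)


# Constructed records standing in for three separate data sources. In practice
# each comes from a different provider, which is where the delay comes from.
GATEWAY_CDR = [   # VoIP-to-PSTN gateway: which number was called, from which IP
    {"call_id": "c1", "start": ts("2007-05-31T20:14:05"),
     "dst": "+13105550123", "src_ip": "10.20.30.40"},
    {"call_id": "c2", "start": ts("2007-05-31T22:45:00"),
     "dst": "+13105550199", "src_ip": "10.20.30.40"},
    {"call_id": "c3", "start": ts("2007-05-31T21:30:00"),
     "dst": "+13105550123", "src_ip": "10.20.30.40"},
]
DATA_SESSIONS = [  # cellular data provider: which subscriber held which IP, and when
    {"ip": "10.20.30.40", "start": ts("2007-05-31T19:50:00"),
     "end": ts("2007-05-31T21:00:00"), "subscriber": "prepaid-8841"},
    {"ip": "10.20.30.40", "start": ts("2007-05-31T22:30:00"),
     "end": ts("2007-05-31T23:59:00"), "subscriber": "prepaid-0217"},
]
CELL_RECORDS = [   # cellular network: which cell site the handset registered on
    {"subscriber": "prepaid-8841", "time": ts("2007-05-31T20:10:00"), "cell_id": "LA-0421"},
    {"subscriber": "prepaid-8841", "time": ts("2007-05-31T20:40:00"), "cell_id": "LA-0433"},
    {"subscriber": "prepaid-0217", "time": ts("2007-05-31T22:44:00"), "cell_id": "LA-0108"},
]


def subscribers_ever_on(ip, sessions):
    """What you get if you ignore time: every subscriber that ever held the IP.
    The same address is recycled, so this alone is not an identification."""
    return sorted({s["subscriber"] for s in sessions if s["ip"] == ip})


def subscriber_at(ip, when, sessions):
    """Subscriber holding `ip` at `when`, or None if no session or more than
    one session matches (carrier NAT, clock skew, or missing logs)."""
    hits = [s for s in sessions
            if s["ip"] == ip and s["start"] <= when <= s["end"]]
    return hits[0]["subscriber"] if len(hits) == 1 else None


def nearest_cell(subscriber, when, records, window=timedelta(minutes=15)):
    """Cell site registration closest to `when`, or None if nothing is within the window."""
    near = [r for r in records
            if r["subscriber"] == subscriber and abs(r["time"] - when) <= window]
    if not near:
        return None
    return min(near, key=lambda r: abs(r["time"] - when))["cell_id"]


def trace_call(call_id, cdr=GATEWAY_CDR, sessions=DATA_SESSIONS, cells=CELL_RECORDS):
    """Walk one call back from the gateway CDR to a subscriber and a cell site.
    Returns None for an unknown call, and None fields where a hop cannot be
    resolved rather than guessing."""
    call = next((c for c in cdr if c["call_id"] == call_id), None)
    if call is None:
        return None
    subscriber = subscriber_at(call["src_ip"], call["start"], sessions)
    if subscriber is None:
        return {"subscriber": None, "cell_id": None}
    return {"subscriber": subscriber,
            "cell_id": nearest_cell(subscriber, call["start"], cells)}


if __name__ == "__main__":
    print(subscribers_ever_on("10.20.30.40", DATA_SESSIONS))
    for cid in ("c1", "c2", "c3"):
        print(cid, trace_call(cid))
```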

Watch the episode for yourself on

Tuesday, May 29, 2007

Heroes addendum

I guess we will have to wait until next season to find out how Micah's powers actually work, but we did get to see the extent of the damage he could inflict on electronic voting systems.

Saturday, April 21, 2007

Heroes and other ramblings

Due to the mid-season hiatus that most network television shows are taking right now, there has been very little to comment on. The one exception might have been a recent episode of Numb3rs where an author of a piece of malicious software was found by analyzing a "strange loop" found in the program. But sadly, the producers avoided another lambasting by not attempting to explain how Bernard the Elf was actually able to do this, so short of just saying "what the f***?!," I'll point out that if you read the Wikipedia entry for strange loop and then watch the episode, you'll find that the two explanations are strangely similar.

While doing a critique of pure science fiction would be a little silly, one of the characters in the show Heroes, brings up an interesting mental exercise and, more importantly, provides me with a much needed topic of discussion.

If you are not familiar with the show, it's the story of 9 or so people who have, through some form of genetic mutation, gained superhuman abilities. These abilities range from the ever popular flying and invisibility to the somewhat esoteric power of producing nuclear reactions with your body.

The character in question is Micah. Micah is the child of a woman who seems to be her own doppelganger and a man who can walk through walls. Not sure how the combination of those two mutations produced the ability to manipulate electronic devices, but that's what Micah can do.

We have only seen Micah use his ability twice; the first time he makes a phone call from a broken pay phone. The second time, he makes an unauthorized withdrawal from an ATM. The show has not yet explained how the ability actually manifests itself, but for the sake of argument, let's assume that it's one of two ways:

1) Micah is able to generate electromagnetic energy that can mimic electronic components in the device, such as transistors or complete microchips

2) His body is able to produce nanoparticles that infiltrate the device and build circuitry that allows him to control it--similar to those produced by the Terminatrix in Terminator 3: Rise of the Machines.

So the exercise would be this: how would you defend a system against this type of attack?

The first thing that comes to mind is shielding--enclosing your system in a Faraday cage would probably do the trick for the first possible manifestation. For those of you not familiar with this type of shielding, a Faraday cage is an enclosure that is constructed in such a way that it either blocks or redirects electromagnetic and electric fields so that they do not penetrate the surface of the enclosure. The most common example of this is the shielding they use in microwave ovens to prevent your eyeballs from boiling when you press your nose up against the window to watch Spaghetti-Os splatter all over the interior.

The second possible manifestation is a little more tricky to solve since there are no real-life equivalents. One idea I came up with is creating nanotube mazes that would trap enough nanoparticles to limit any potential damage. The closest possible analogy to how this would work is fiberglass insulation, which slows the progress of heat and cold by trapping it in the various chambers that the fibers create. If you could develop some sort of attractor that would divert the nanoparticles into the tubes, you could create a semi-permeable membrane that would allow coolant or electricity to pass.

Unfortunately, as demonstrated in the last Terminator movie, an easy way to get by this type of protection is to simply pierce the membrane and inject the particles into the area that is being protected. Unlike the Terminatrix, Micah does not have the power to change one of his fingers into an awl, but that wouldn't stop him from using an icepick to accomplish the same thing. To prevent this, you would have to completely encase the device with the membrane to eliminate any open space where the nanoparticles could form circuitry.

The problem with both of these methods is the fact that devices such as ATMs and RFID readers need to interface directly with humans and electromagnetic radiation. This poses a problem since you may not be able to shield these devices completely, allowing avenues of attack to remain.

In these cases you might have to develop some kind of reverse Turing test by which each component in the system can verify that the signals they are receiving are not coming from a human, nor from circuitry that may have recently been built.

Turing tests were developed by Alan Turing in the early 1950s to determine the humanness of artificial intelligence implementations. The basic test would consist of a human judge conversing with two entities, one human and one computer. If the judge is unable to tell which is which, then the implementation passes the test.

If you remember that annoying little program called Eliza, which was intended to mimic a psychotherapist, you'll also remember that it was hard to tell the difference between her (the program) and a drunk high school student who has been through peer counselor training. Whether this is a sign of actual intelligence, or not, is up for debate, but you get the point.

This approach has been used, somewhat in reverse, to help stop spam and other automated attacks against computer systems. You may have been fooled yourself by those annoying CAPTCHAs the last time you signed up for an online service or posted to a bulletin board. CAPTCHA is short for "Completely Automated Public Turing test to tell Computers and Humans Apart" and consists of a bunch of obscured text, usually against a textured background, that is intended to fool computer-based optical character recognition systems, otherwise known as OCR. It also tends to fool drunk people and those whose cognitive dysfunction is not chemically induced.

You can also see something similar in the movie Blade Runner. They call the test Voight-Kampff (for short) and it consists of a series of questions that will cause an artificial human to respond in non-human ways. As seen throughout the movie, the tester would use a device that monitors changes in the eye, most notably involuntary dilation of the iris, and after a battery of questions like "describe in single words only the good things that come into your mind about your mother," he would make the determination of human or Replicant, or get shot, depending on how good he was.

We will have to wait to see how the writers of Heroes decide to handle Micah and whether anyone will be able to protect their computer systems against his ability. It will also be interesting to see how close my speculation was...

Watch Heroes for free on

Saturday, April 7, 2007

Human Computer Interaction in Science Fiction Movies

This is an interesting paper on depictions of computer interfaces in some recent, and not so recent, science fiction movies. What I found most interesting was the influence of the MIT Media Lab, and other research, on the production design of Minority Report. There is also discussion of various biometric identification systems, from Gattaca's finger-prick DNA test, to a seemingly absurd breath ID system shown in Alien Resurrection.

It makes me wonder why information security research has not had as much influence on the entertainment industry. Part of me thinks that it's simply because it's not as flashy as interface design, but I wonder if it's due more to the fact that information security research is often conducted in a culture of secrecy and need-to-know fraternities. In other words, would a university open up a computer virus research lab to a screen writer, or would a company like Symantec talk candidly with a screen writer about emerging trends in malware? I think the answer is no, but I could be wrong.

Saturday, March 10, 2007

Prologue Revisited

I missed the third approach. I completely overlooked it. Ironically, this is usually what happens when screen writers or production crew use it. The third approach is doing proper research and getting it right. What's the down side of this? 99.9% of your audience will probably never even notice.

The best example of this is The Matrix Reloaded. If you were paying close attention and knew what you were looking for, you would have noticed that when Trinity hacks into the power plant's computer system, she uses a real-life security tool and exploit. But I bet you didn't.

You can read about it in this poorly researched BBC article:

Apparently this triggered a warning from The British Computer Society. I have a hard time believing that this is real, but the press release is still available on the Internet Way Back Machine so you can make your own judgements:

Thursday, March 8, 2007

Numb3rs "One Hour"

Numb3rs is a crime drama that centers around an FBI agent and his brother, a former math prodigy who is now a professor at a prestigious technical college--the fictional Cal Sci. A typical story line begins with a perplexing crime and when the FBI gets stuck, the math genius and his colleagues are brought in to help close the case.

"One Hour" strays a bit from this formula--the first half of this show focuses on a technological challenge rather than something that can be solved mathematically. The story begins with a violent kidnapping of a music mogul's child. Shortly after the FBI team arrives on the scene, they receive a ransom demand on the dead bodyguard's cell phone. The FBI agent who answered the call notices that the caller's phone number is a string of ones and when the FBI techs "ping" the number (I don't even know where to begin with that one) they determine the call originated as VoIP. Unable to trace the VoIP call on their own, the FBI calls in the pros from Cal Sci to help them out.

After being told they have less than one hour to find the kidnappers, the two professors jump in their car and, on the way to the FBI offices, one of them writes an "exploit" that will allow them to trace incoming VoIP calls from a cell phone which the kidnappers would call to give further instructions.

This is where the screen writers get themselves into trouble. They start innocently by describing VoIP as Voice Over Internet Protocol--although technically correct, I have yet to hear an industry professional say anything other than Voice Over IP. A nit-picky point, I admit, but when you say it the way the actors did, it sounds as if there is an actual protocol called Voice Over Internet (there isn't.)

It might have been better to say that VoIP is a collection of protocols and other technologies that allow telephone calls to be placed over Internet Protocol (IP) based networks, like the Internet or your office LAN. Was that so hard to say?

Defying all reason, these intellectual giants were able to write an application that would run on an unknown cell phone, connected to an unknown provider's network, and somehow install it on the correct handset, based solely on a phone number given to them by the FBI. And all that in under fifteen minutes! I wish I was that good.

The screen writers' problems get worse when you realize that a VoIP call would have to be terminated on the PSTN (Public Switched Telephone Network) prior to making its way to a cellular phone network, and subsequently, to the cell phone.

What this means is there is no practical way to get the originating IP address of a VoIP call in the way they described. In reality, the call would have to traverse three different networks that do not share common protocols or addressing systems.

Given enough time and access to the right data, theoretically you could pull the trace off, but it's not as simple as they try to make it sound with their analogy of tracking a piece of luggage from airport to airport. It's more like tracking a piece of luggage through an airport, then a train station, and finally a taxi stand.

I suspect that a script consultant made the same realization about halfway through the shoot, because in the following scene, they explain that the cell phone had a program installed on it that allowed it to make and receive VoIP calls directly, therefore bypassing the need for PSTN termination. They further explained that the kidnappers were using this application to avoid paying for the PSTN termination, eliminating a credit card trail that could possibly identify them. Wow. I really wish I could hire these writers the next time I get into a technological pickle at work. Does anyone have their number?

Even though the writers blundered in regards to VoIP, the fact that the professors could trace the IP address to a physical location is not a fantasy dreamed up to expedite the plot--although the writers did exaggerate its effectiveness, just a bit.

Let's assume the IP address they got from the trace was A simple query to the American Registry for Internet Numbers--a database that contains all of the IP address assignments for North America and some of the outlying islands--would have given them the owner of the IP address in question.

Let's see what we get:

(Actual results from

OrgName: Los Angeles Public Library
Address: 630 W. Fifth St.
City: Los Angeles
StateProv: CA
PostalCode: 90071
Country: US

It seems that we got lucky. Sometimes the information contained in these registries is not as accurate as you might want. IP addresses are reassigned without notifying the registry, and the mailing addresses shown are often that of administrative or support offices, not the physical location where the IP address is in use.

In this case, the street address is actually the Central Branch of the Los Angeles Public Library. This was verified easily through the Library's Web site. I love how canned examples always work out so nicely.

In case you are interested, there are four other registries that provide similar information for South America, Africa, Europe and Asia Pacific, respectively.

A good information security practitioner will have a few techniques that can be used to work around the inaccurate information you find in these registries, but the end-all-be-all method--which is supposed to incorporate all of the available techniques to produce significantly more accurate results--is IP GeoLocation. You can try it yourself on this free service:

My IP address returns a latitude and longitude about 15 miles north of my actual location. Using some of the other techniques that I didn't bore you with, you may have been able to get it down to about 5 miles southeast of where I am sitting. In either case, had the fictional kidnappers been using my WiFi, the poor FBI agent would have been listening to the wrong librarian complain about people talking on their phones, while the kidnappers laughed all the way to the bank. It's a good thing we don't listen to marketing hype.
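The two lookups discussed above, the registry record and the geolocation result, are independent estimates, and the useful thing to do with them is check whether they agree rather than trust either one. Here is an added example (not from the original post) that parses the ARIN record quoted above into fields and measures how far a geolocation result lands from a known point; the coordinates are constructed, placed about 15 miles apart to mirror the error described.

```python
import math

# The ARIN record as quoted in the post (org record for the Los Angeles Public Library).
WHOIS_TEXT = """\
OrgName: Los Angeles Public Library
Address: 630 W. Fifth St.
City: Los Angeles
StateProv: CA
PostalCode: 90071
Country: US
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict. Repeated keys (multi-line Address
    fields are common in registry output) are joined with ', '."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # comment, blank, or otherwise not a key/value line
        key, value = key.strip(), value.strip()
        record[key] = f"{record[key]}, {value}" if key in record else value
    return record


def postal_address(record):
    """Assemble the mailing address the registry holds. Remember this is often
    an administrative office, not where the address block is actually in use."""
    parts = [record.get(k) for k in ("Address", "City", "StateProv", "PostalCode", "Country")]
    return ", ".join(p for p in parts if p)


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in statute miles."""
    r = 3958.8  # mean Earth radius, miles
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def corroborated(point_a, point_b, tolerance_miles=5.0):
    """True when two independent location estimates agree within tolerance.
    Use this before sending anyone to knock on a door."""
    return haversine_miles(*point_a, *point_b) <= tolerance_miles


# Constructed coordinates: ACTUAL stands in for the true location and GEO is
# placed ~15 miles due north of it (1 degree of latitude is ~69.1 miles).
ACTUAL = (34.0500, -118.2500)
GEO = (34.0500 + 15 / 69.1, -118.2500)


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    print(rec["OrgName"], "|", postal_address(rec))
    print(f"geolocation error: {haversine_miles(*ACTUAL, *GEO):.1f} miles")
    print("corroborated:", corroborated(ACTUAL, GEO))
```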

On a side note, about 40 minutes into the program, you can see some quick shots of the application the two brainiacs are using to locate the kidnappers. The laptop screen shows a map and a series of area codes and prefixes for phone numbers in the greater Los Angeles area. I'm not sure how that really helps them map IP addresses to geographic locations, but I am not a Cal Sci graduate, so who am I to judge?

Finally, as you may know, TV shows and movies are not typically shot in chronological order. This may explain why the young professors, towards the end of the show, were suddenly able to trace a VoIP call that was made to a public pay phone. I suspect, by the time someone pointed out the issues in the script, the production crew had already shot the last scene and would not have been able to re-shoot it with the corrections. There was mention of someone violating two or three communications laws at one point, which may be another explanation, but sitting in the Los Angeles offices of the FBI, why would two professors from a top technical college risk jail time by doing something like that? I know I wouldn't.

To view this episode for free on

Monday, March 5, 2007


From what I have observed, screen writers seem to take one of two approaches when they incorporate information security into their scripts. The first approach is to make everything so far-fetched that any comparison to reality would be all but impossible. The second is to pepper the script with terminology they found on the Internet, or got from some other seemingly reliable source, like the guy who fixes their computer when it won't print.

The latter generally produces random lines of gibberish that are mumbled and mispronounced by unwitting actors. As an example, a film I saw recently included a scene in which one of the lead characters was monologuing on how he would fix the security problems in the FBI's computer network. During his short diatribe of networking and security jargon, the actor pronounced WAN (Wide Area Network) as Juan (the Spanish form of John.) In case you are having trouble playing along at home, WAN should rhyme with "man."

You'd think that they would have fixed that in post production with Automatic Dialog Replacement during looping. Apparently, screen writers are not the only ones who can play the terminology game.