Mass Media Security: Commentary on information security topics presented in movies and television. By The Information Security Guy (http://www.blogger.com/profile/16923294453303691410).<br /><br />Numb3rs "Frienemies" (posted 2009-01-03)<br /><br />It has been a while since <span style="font-style: italic;">Numb3rs</span> has dealt with an information security topic so badly that it warranted my attention, and "Frienemies" does not disappoint.<br /><br />The episode begins with a botched robbery of a high school--it seems that a group of would-be laptop thieves were stopped by a vigilante group called Vanguard. On the way out of the school, a member of the Vanguards drops a cellphone on the gym floor. 
The FBI bags the phone as evidence and sends it back to the lab for analysis.<br /><br />Being true to form, the writers follow this up with the ever popular "explain it in English" scene:<br /><br /><div style="text-align: center;"><div style="text-align: left;"><span style="font-size:85%;"><span style="font-weight: bold;"><br />FBI Geek</span>: Someone scraped off the MIN...and the ESN.<br /><span style="font-weight: bold;">FBI Agent</span>: Translation?<br /><span style="font-weight: bold;">FBI Geek</span>: The MIN is the phone number, the ESN is the electronic serial number.<br /></span><br />For those of you who are not familiar with cell phone cloning, the MIN, or Mobile Identification Number, and the ESN are the two pieces of information cell phone providers use to identify a phone when it connects to their networks. If you copy both the MIN and ESN to another phone, that second phone will be indistinguishable from the first. However, this only applies to cell phone networks that use CDMA, such as Verizon and Sprint. More on that later.<br /><br />Both the MIN and ESN are electronic and embedded in the memory of the cell phone, so they can be removed--or changed in the case of cloning--by removing the memory chip or overwriting the memory location in which they are stored. The cell phone manufacturers have tried to make this more difficult, but a knowledgeable attacker can still accomplish it with the right hardware and software. 
Manufacturers also put stickers printed with the ESN on the phone to make it easier to find, but scraping off that sticker will not erase or change it.<br /><br /><div style="text-align: center;"><span style="font-size:78%;">Screen capture: the scraped off ESN<br /></span></div><br />The FBI, being completely stumped by the low tech approach to hiding the ESN, bring the cell phone over to CalSci for further analysis. 
Charlie and Amita, being avid Wikipedia readers*, explain to the FBI that they can extract the data from the cell phone with a cold boot attack, "also known as a cold ghosting attack [or] iceman attack."<br /><br /><div style="text-align: center;"><span style="font-size:78%;">Screen capture: Amita freezing the memory chip with an upside down can of liquid air.<br />Notice that the sticker is no longer scraped off.<br /></span></div><br />What Amita freezes and subsequently pulls out of the cell phone is a SIM card, which is used almost exclusively in GSM cellphone networks, not CDMA. There are many technical differences between CDMA and GSM, but the most important here is how subscribers are identified on the network. <br /><br />GSM uses small smart cards, known as SIMs, to perform subscriber authentication. A unique cryptographic key, known as the Individual Subscriber Key, is programmed into the SIM and is used in a series of cryptographic challenges and responses to authenticate the subscriber to the network. This explains why the FBI could not find the MIN/ESN combination (hint: the phone never had one).<br /><br />SIMs, like other smart cards, use non-volatile memory to allow for long term storage of data without the need for a power source. 
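The serial number printed on a SIM (its ICCID) ends in a Luhn check digit, which is what makes the missing-digit recovery suggested later in this post possible. The following is an added example, not code from the original post or the show; the ICCID value in it is a constructed sample, and the algorithm does not depend on the number's length.

```python
"""Luhn check digit on a SIM serial number (ICCID).

Added example, not code from the original post. The ICCID below is a
constructed sample; the algorithm itself does not depend on the length.
"""


def luhn_sum(number: str) -> int:
    """Luhn weighted sum, modulo 10, over a complete digit string
    (check digit included). A valid number sums to 0."""
    total = 0
    # Walk right to left; every second digit, starting with the one to the
    # left of the check digit, is doubled (subtract 9 if doubling gave two digits).
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if the string is all digits and its final digit is the correct Luhn check digit."""
    return number.isdigit() and len(number) >= 2 and luhn_sum(number) == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the check digit to append to a digit string that lacks one."""
    if not payload.isdigit():
        raise ValueError("payload must be digits only")
    # Appending a placeholder 0 puts the payload digits in their final positions.
    return str((10 - luhn_sum(payload + "0")) % 10)


def recover_missing_digit(partial: str, marker: str = "?") -> str:
    """Recover the one unreadable digit in an otherwise complete serial number.

    Luhn detects every single-digit error (the doubling map is one-to-one on
    0-9), so exactly one digit makes the number valid again, whatever its position.
    """
    if partial.count(marker) != 1:
        raise ValueError("exactly one unreadable digit is supported")
    candidates = [d for d in "0123456789" if luhn_valid(partial.replace(marker, d))]
    if len(candidates) != 1:
        raise RuntimeError("remaining digits are not a Luhn number")
    return candidates[0]


if __name__ == "__main__":
    iccid = "89014103211118510720"  # constructed sample
    print(iccid, "valid" if luhn_valid(iccid) else "invalid")
    print("missing digit:", recover_missing_digit("89014103211118?10720"))
```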
As we know from my <a href="http://blog.massmediasecurity.com/2008/10/my-own-worst-enemy-butterfly.html">previous write up on cold boot attacks</a>, cooling is only needed if you want to read data from volatile memory. In other words, Amita simply needed to remove the SIM card and put it into the reader--freezing it would have made no difference at all.<br /><br />Better yet, Amita or the FBI could have simply read the 18-digit serial number off of the SIM card to figure out what account the phone was linked to. The writers could even have had Charlie figure out a missing part of the serial number by using the check digit, which would have had the extra benefit of adding one of those layman explanations of complex mathematical subjects with cool graphics.<br /><br />* I bet you are wondering how I know that Charlie and Amita read Wikipedia. Simple: it is the only place outside of a somewhat obscure Microsoft technical publication that refers to the cold boot attack as "iceman."<br /></div></div><br /><br />My Own Worst Enemy "Butterfly" (posted 2008-10-29)<br /><br />In July 2008, a group of researchers from Princeton University released a paper that described a new technique that recovered encryption keys from volatile memory on a freshly rebooted laptop. This technique is now known as a cold boot attack. These findings went against a long standing assumption that once power was cut to this type of memory, all data would be lost almost immediately.<br /><br />Volatile memory, commonly known as RAM or Random Access Memory, is used by a computer to store data it needs temporarily for computational activities. Long term data storage is done with non-volatile memory, such as a hard drive or USB key fob. A frequent way to describe the difference between the two is to say that volatile memory loses its data when a computer is turned off, but non-volatile memory does not.<br /><br />This distinction is often used when computer software is designed. For example, when an application stores passwords on a hard drive they are (hopefully) encrypted; when those passwords are moved into memory, they are typically stored in plain-text. It was generally assumed that this was a safe practice, and in defense of this type of thinking, encrypted data has to be decrypted at some point in time, and volatile memory is the safer place to store the plain-text.<br /><br />To prevent attackers from grabbing passwords and other sensitive information from running memory, developers began clearing, or wiping, the areas of volatile memory that contained the sensitive data once it was no longer needed. 
Some operating systems also provide an additional level of protection by preventing other running applications from accessing the memory locations where the sensitive data reside.<br /><br />The decrypt and wipe process works fairly well for applications that only need to use the password or key once at start up, or intermittently during user activity, but for high performance applications that need a password or cryptographic key for every transaction, it may not be feasible from a performance standpoint. One such application is full disk encryption.<br /><br />Modern hard drives are capable of transferring 80 or more megabytes of data per second, so you will see a pretty substantial performance decrease every time the operating system has to transfer encrypted data to or from the hard drive. If you have to decrypt and then wipe the encryption key every time you read or write data, you make these performance problems much worse.<br /><br />To reduce this additional overhead, most whole disk encryption software loads the plain-text encryption keys into memory at startup and relies on the assumption that the key is erased when the computer is shut down or loses power. This leads us back to the Princeton researchers.<br /><br />What the researchers discovered is that volatile memory actually loses its data slowly and predictably over a time frame of a few seconds to a few minutes. This allows an attacker to cut power to a computer, reboot it with a specially designed operating system, and extract the encryption keys from memory before the data has time to fade away.<br /><br />Additionally, they found that when the memory chips were cooled to -50 °C, you have more than enough time to remove the memory chip and read it on another computer or device. This can be accomplished by spraying the chip with an upside down canned-air spray duster, such as Dust-Off. 
For more advanced attackers, the chip can be cooled with liquid nitrogen to increase the decay time to a few hours.<br /><br />The writers of this episode got most of their facts right, but in the first clip, the tech guy says that cooling the memory chips enables you to extract the keys, which is not correct because you can actually perform that attack without doing so.<br /><br />The second clip shows one of the agents pulling a single cooled memory chip from a server and putting it into a device that extracts the encryption keys. In this scenario, the cooling would be important to give the agent time to remove the chip and install it in the second computer.<br /><br />The problem I have with this scene is that, unlike laptops, servers usually have several memory chips to provide redundancy and additional capacity. Depending on how the server spreads the data out across the individual chips, pulling out only one chip, or pulling out one chip at a time, would probably not get you the encryption key. 
To make things worse, the agent pulls the chip out of what appears to be a running system, which would potentially introduce unpredictable errors into the memory and would likely cause a complete system failure unless the system had hot swappable memory.<br /><br />The only way to ensure that the keys could be extracted in the short period of time the agent had would have been to reboot the server with the special operating system.<br /><br />Law & Order: Criminal Intent "Legacy" (posted 2008-09-20)<br /><br /><a href="http://www.imdb.com/title/tt0275140/"><span style="font-style: italic;">Criminal Intent</span></a> is one of the half-dozen or so spin-offs of the ever popular procedural drama <span style="font-style: italic;">Law & Order</span>. The series follows a group of detectives--members of the NYPD's Major Case Squad--who are dedicated to bringing New York City's worst criminals to justice.<br /><div style="text-align: center;"><div style="text-align: left;"><br />In this episode, the elite crime fighting squad gets called to a prestigious private school to investigate a murder that was made to look like a suicide. During the course of their investigation, they find a laptop belonging to one of the suspects, and like all good television detectives, they turn it over to a nerdy guy named Ira for analysis.<br /><br /><span style="font-size:100%;">As this plot line develops, the writers introduce two of my favorite gimmicks: the nonsensical technical monologue and the </span><span style="font-style: italic;font-size:100%;">explain it in English</span> one-liner:<span style="font-size:100%;"><br /></span></div><span style="font-size:100%;"><span style="font-style: italic;"><br />"Kiana used data utility wiping freeware but it performs like malware."</span><br /><span style="font-style: italic;">"In English, Ira."</span><br /><span style="font-style: italic;">"She downloaded a free program to permanently delete a video file but it just moved it to another part of her hard drive."</span><br /><br /></span><div style="text-align: left;"><span style="font-size:100%;">I'm not really sure what "data utility wiping freeware" is exactly, but from the English explanation, I can only assume that it is a program that permanently deletes files off of a computer's hard drive, otherwise known as a disk or file wiping utility.<br /><br />Techno-gibberish aside, I understand why the plot needs the girl to use this type of program--it shows that she understands what she did was wrong--but there is no reason for the program to be malware, or for her to even use it, to have the same plot outcome.<br /><br />Let me explain.<br /><br />When someone edits a document, especially with video editing software, temporary files are created to help keep track of changes for rollbacks (undo) or to preserve changes in the event of a system crash.<br /><br />An everyday example of this is when you have auto-save enabled in Microsoft Word. If you look in the directory of the document you are editing, you can see a series of temp files that look like <span style="font-style: italic;">~wrdxxxx.tmp</span>. Another example is the temporary files that the operating system creates when you print a document--this is known as print spooling. These files usually get deleted by the application or operating system when they are no longer needed, but sometimes they don't.<br /><br />This can create a serious problem if you want to encrypt or permanently delete a file. Most people assume that the file they just encrypted or deleted is the only copy on the disk drive, but in some cases it is not.<br /><br />Additionally, most people assume that when you empty the trash everything in it is permanently deleted, when in reality these files are very easy to recover if the computer is not used heavily after the deletion.<br /><br />So, a more likely scenario for recovering the file would be Ira using a data recovery application or finding a temporary file that the suspect didn't know was there. The data wiping utility malware angle, while possible, just does not seem likely.<br /></span></div></div><br /><br />Burn Notice "Good Soldier" (posted 2008-09-19)<br /><br />Hollywood has always had a love affair with biometrics. 
They were a mainstay of military, spy, and science fiction movies long before they were included on consumer laptops and door locks.<br /><br />Because Hollywood got such a jump start on biometrics, most people's expectations have been set by these fictional depictions. In reality, the effectiveness of most biometric systems does not come close to what you see in movies and television.<br /><br />An unfortunate side effect of this is that corporations have spent millions of dollars promoting and implementing these ineffective systems and, more discouragingly, governments have based public policy on these Hollywood-induced misconceptions.<br /><br />If you remember back to the Burn Notice <a href="http://blog.massmediasecurity.com/2007/06/burn-notice-pilot.html">pilot</a>, the protagonist--blacklisted spy Michael Westen--opens a biometric safe with a print he lifted off of its fingerprint reader.<br /><br />This episode shows an attack against another biometric security mechanism, this time a facial recognition system that is designed to generate an alert when an unauthorized person enters a room.<br /><br />Earlier this year, the Japanese government introduced regulation that allows for the prosecution of vending machine companies that sell cigarettes to persons under the age of 20.<br /><br />Long before facial recognition became fashionable, 41 states and the District of Columbia implemented policies that restricted the sale of cigarettes through vending machines; in some cases these policies resulted in a complete ban on the practice.<br /><br />These policies were implemented based on years of research that suggested that younger children were more likely to obtain cigarettes from vending machines than from any other source, including friends and family. 
Additionally, subsequent research data has shown that a complete ban on cigarette machines in places frequented by young children is significantly more effective than alternatives such as device locks.<br /><br />So why did the Japanese government choose not to ban vending machines? While I am no expert in Japanese politics, I suspect that a vending machine company named Fujitaka convinced the regulating body that they could accurately judge the age of a purchaser by using biometrics--at least 90% of the time.<br /><br />What Fujitaka and the Japanese regulators soon found out was that a 3-inch magazine photo placed in front of the camera would fool the system into selling cigarettes to underage kids. Oops.<br /><br />This is exactly what Michael Westen does to gain entry to the hotel room of his sexy nemesis Carla. Armed with an 8x10 head shot of the room service guy, he easily gains entry into the room without setting off the alarm. Sound familiar? You can thank a bunch of Japanese school girls for this one.<br /><br />Burn Notice "Turn and Burn" (posted 2008-07-19)<br /><br />Steganography, for those of you who don't know, is the art of hidden writing. While cryptography scrambles or obscures the content of a message, steganography attempts to hide the fact that a message is being sent. The example used in this episode shows a message hidden in a crossword puzzle, but modern techniques have been developed that allow messages to be hidden in everything from digital photographs to common network protocols.<br /><br />In steganography the message is hidden by a technique, or process, but does not use a key in the same way that cryptography does, so once the encoding technique is discovered you can extract the plain text from the stegotext without any additional information. With cryptography, on the other hand, you would need both the method and a key to extract the plaintext message.<br /><br />When the episode's opening voice-over tells the audience that "unless you have the key" you won't be able to read the message, it is a little misleading because the difference between steganography and cryptography is not explained.<br /><br />It may have been better to say that without knowing how or where the message is hidden, you wouldn't even know it's there. 
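To show the no-key point above concretely, here is an added example (not code from the original post or the show) that hides a message in the least significant bits of a constructed byte array standing in for one channel of image pixels, then recovers it knowing nothing but the method; the length prefix and the cover data are assumptions of the example.

```python
"""Least-significant-bit steganography: anyone who knows the method can read the
message, because no key is involved.

Added example, not code from the original post. The "image" is a constructed
byte array standing in for one colour channel of pixel data.
"""


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Hide message in the low bit of successive cover bytes, preceded by a
    4-byte big-endian length so the extractor knows where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(bits), len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the low bit, then set it to the message bit
    return bytes(stego)


def _read_bytes(stego: bytes, first_byte: int, count: int) -> bytes:
    """Reassemble count bytes from the low bits of cover bytes starting at first_byte."""
    out = bytearray()
    for k in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[first_byte + k * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Recover the message using only the method (no key): read the length, then the body."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length field does not fit in the carrier; not this encoding?")
    return _read_bytes(stego, 32, length)


def max_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte change the embedding made; LSB embedding never exceeds 1,
    which is why the carrier looks unchanged to the eye."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a repeating ramp, like a gradient in a photo; 2048 "pixels".
COVER = bytes((i * 37 + 11) % 256 for i in range(2048))

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"the crossword was a cover story")
    print(extract_lsb(stego))  # the method alone recovers the message
    print("max pixel change:", max_change(COVER, stego))
```

Running `extract_lsb` on a carrier that holds no message raises `ValueError` because the recovered length does not fit, which is the same check a forensic tool would use to tell this encoding apart from plain image data.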
Better yet, you could have bored the audience with a lengthy explanation of the history of steganography and how it differs from cryptography.<br /><br />WarGames 25th Anniversary (posted 2008-07-02)<br /><br />Looks like they are going to re-release WarGames into theaters for one night to coincide with the release of the direct-to-video sequel to this 1983 classic. 
<br /><br />Even with all of its technical inaccuracies and idealistic plot, this movie did for hacking in the '80s what <a href="http://www.imdb.com/title/tt0052847/"><span style="font-style: italic;">Gidget</span></a> did for surfing in the '60s. <br /><br />In the mayhem that ensued from this hacker renaissance, a writer for Newsweek magazine suggested that parents should lock up modems like they would firearms--they were simply that dangerous. The nerve. Imagine if the ghost of hacking future had given him a peek at what was in store with the Internet!<br /><br />Much of the cold war paranoia and fear will not play as strongly with a modern audience, but if you're looking for a trip down memory lane, this might be the ticket for you.<br /><br /><a href="http://www.fathomevents.com/details.aspx?eventid=724">http://www.fathomevents.com/details.aspx?eventid=724</a><br /><br />The Incredible Hulk (2008) (posted 2008-06-16)<br /><br />A recent study conducted in London showed that 21% of the 578 people stopped on the street by the researchers were willing to reveal their passwords in exchange for a chocolate bar. The obvious flaw in this study is the fact that the researchers had no way of verifying that the passwords provided were real, but I wonder how many people are devious enough to realize that giving a fake password will still get them that little piece of heaven. 
<br /><br /><span style="font-style: italic;">The Incredible Hulk</span> was already in the can when this study was released, so I have to give <a href="http://www.imdb.com/name/nm0672015/">Zak Penn</a> (or <a href="http://www.imdb.com/name/nm0001570/">Edward Norton</a>, who apparently did an uncredited rewrite of the script) credit for coming up with a similar social engineering technique. Towards the end of the movie Bruce Banner, played by Edward Norton, needs to get into a high security university research building to gain access to a computer network. How does he do it (spoiler)? He brings several pizzas from the pizzeria that he was hiding out in and uses them to bribe a security guard and a graduate student into looking the other way while he accesses the network with his ex-girlfriend's user name and password.<br /><br />In real life this probably would not have worked on a trained security guard--I recently saw someone try something very similar and fail--but there is no doubt in my mind that the graduate student would have handed over the keys to the kingdom for a free pizza.<br /><br />Firewall (2006) (posted 2008-04-06)<br /><br />This film garnered a significant amount of criticism in the computer community for its presumed technical inaccuracies, most notably for how Harrison Ford's character used his daughter's iPod to store bank account numbers. 
However, as Roger Ebert correctly pointed out in his <a href="http://rogerebert.suntimes.com/apps/pbcs.dll/article?AID=/20060209/REVIEWS/60131009/1023">review</a> of the film, "...an iPod can do that -- act as a backup hard drive...."<br /><br />With a few Google queries, it's easy to figure out that you can connect digital cameras to iPods and use them to store images, so it's not that far of a stretch to assume that the scanner acted in the same way. Come on people, get a grip.<br /><br />To that point, I have been finding that critics, like screen writers, have gotten into a bad habit of assuming that the general public's lack of knowledge somehow negates their responsibility to know how a technology works before they write about it. This was painfully obvious in the criticism of <a href="http://blog.massmediasecurity.com/2008/02/untraceable.html"><span>Untraceable</span></a>, and just as evident in the focus of the criticism of this movie. I'm not saying that this movie isn't flawed, just that the true flaws were overlooked.<br /><br />The most obvious flaw, from my perspective, shows up about 7 minutes into the film. While too short to be called a technical monologue, the following lines start things off:<br /><br /><div style="text-align: center;">"Let's try a rule change on him and see what he does. I'll put in an IPS signature that black holes the pattern...see if that slows him down."<br /></div><br />Possibly afraid that Harrison Ford's delivery of the line would not play on its own, the film makers quickly cut to a shot of him typing commands into a computer:<br /><br />[Screen capture: the commands typed into the administrative console]<br /><br />For those of you who don't immediately see the problem, I may need to explain what IPS is.<br /><br />Intrusion prevention systems, or IPS, are inline intrusion detection systems that monitor traffic looking for specific signatures, or patterns, in network packets and attempt to block attacks. 
Traditional IDS simply send alerts when they detect patterns, but do not attempt to stop the attack.<br /><br />The following is an example of an intrusion detection signature, or rule, that detects brute force logins against a Web application, which is similar to what is described in the dialog. It is written in Snort's rule language, and it fires when the Web server sends the string "Authentication unsuccessful" to the same client five times within 60 seconds:<br /><br /><div style="text-align: center;"><span style="font-size:85%;">alert tcp $WEB_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;)<br /><br /></span><div style="text-align: left;">The first thing that you will notice is that the IDS rule looks nothing like what is being typed into the administrative console. What is shown in the film is actually a Cisco ACL (Access Control List) that blocks all traffic from the 172.16.2.0 subnet, not an IPS signature. An ACL like that is simple and predictable, but it blocks by address rather than by behavior, so it wouldn't stop an attacker coming from Hong Kong, Korea, and Malaysia. (172.16.0.0/12 is private, RFC 1918 address space, so that source should never show up at a bank's Internet edge in the first place.)<br /><br />The other problem, which is not as obvious, is that the traffic that they are showing is unencrypted HTTP. Needless to say, this is not something you want to do when you are running a banking Web site.<br /><br />An interesting thing about that, however, is that intrusion detection systems are not very effective with encrypted traffic. 
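<br /><br />To make the threshold clause of that rule concrete, here is a small Python model of what it does on the wire. This is an added example for this post, not code from the film or from Snort: the "captured" HTTP responses are constructed, and the window handling follows Snort's documented semantics for "type threshold" (fire on every count-th match inside the interval, tracked per address). Because the rule is written from the server's side ("flow:from_server"), "track by_dst" keys the counter on the client that keeps being told its login failed.<br /><br />

```python
from collections import defaultdict, deque

# Parameters lifted from the Snort rule quoted above.
CONTENT = b"authentication unsuccessful"  # nocase: compared case-insensitively
OFFSET = 54      # offset:54 -> start searching at payload byte 54
COUNT = 5        # threshold ... count 5
SECONDS = 60     # threshold ... seconds 60


def content_matches(payload: bytes) -> bool:
    """The rule's content test: case-insensitive search from byte 54 onward."""
    return CONTENT in payload[OFFSET:].lower()


def detect_brute_force(packets, count=COUNT, seconds=SECONDS):
    """Return a list of (timestamp, tracked_address) alerts.

    packets: iterable of (timestamp_seconds, src, dst, payload) in the
    server -> client direction, which is what flow:from_server selects.
    With track by_dst on a server-side rule the tracked address is the
    client.  type threshold fires on every count-th match inside the
    window and then starts counting again.
    """
    seen = defaultdict(deque)   # client address -> timestamps of recent matches
    alerts = []
    for ts, _src, dst, payload in packets:
        if not content_matches(payload):
            continue
        window = seen[dst]
        window.append(ts)
        # Discard matches that have aged out of the window before counting.
        while ts - window[0] > seconds:
            window.popleft()
        if len(window) >= count:
            alerts.append((ts, dst))
            window.clear()
    return alerts


def http_response(body: bytes) -> bytes:
    """Build a minimal HTTP response; the headers alone exceed 54 bytes."""
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n"
    return head % len(body) + body


FAILED = http_response(b"<p>Authentication Unsuccessful</p>")   # mixed case on purpose
WELCOME = http_response(b"<p>Welcome back</p>")

# Constructed capture: one web server answering two clients over two minutes.
SAMPLE_PACKETS = [
    (0,   "10.0.0.10", "203.0.113.5", FAILED),
    (5,   "10.0.0.10", "203.0.113.5", FAILED),
    (10,  "10.0.0.10", "198.51.100.7", FAILED),
    (12,  "10.0.0.10", "203.0.113.5", FAILED),
    (20,  "10.0.0.10", "203.0.113.5", WELCOME),   # success: no content match
    (30,  "10.0.0.10", "203.0.113.5", FAILED),
    (45,  "10.0.0.10", "203.0.113.5", FAILED),    # 5th failure inside 60 s -> alert
    (50,  "10.0.0.10", "198.51.100.7", FAILED),
    (55,  "10.0.0.10", "203.0.113.5", FAILED),    # counter restarted, no alert
    (120, "10.0.0.10", "198.51.100.7", FAILED),   # earlier failures aged out
]

if __name__ == "__main__":
    for ts, client in detect_brute_force(SAMPLE_PACKETS):
        print(f"t={ts}s  WEB AUTH LOGON brute force attempt  client={client}")
```

<br />Run it and the only alert is for 203.0.113.5 at t=45, the client that hit its fifth failure inside 60 seconds; the second client's three failures are spread over more than a minute and never trip the rule. This only works because the sensor can read the response body: put the same site behind TLS and the rule sees nothing.<br /><br />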
There are ways to make it work, such as terminating the encryption in front of the sensor, but in real life, brute force login attempts would most likely be tracked and blocked by the Web application, not by something that monitors the network.<br /></div></div>The Information Security Guyhttp://www.blogger.com/profile/16923294453303691410noreply@blogger.comtag:blogger.com,1999:blog-5822733782612755375.post-53044484859583337412008-03-07T21:58:00.005-07:002009-01-18T08:53:36.025-07:00Untraceable (2008), part 2<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGvnO9j7mSNGa_n5pdtvLnflDz_uuuWar2SZicPivak1fbIlHwFz1EMm8HWih3XFwZYXIRLfyXf5w9KG6rhzMoh4S8qOoVEcRjOmh6hjuCHwsTsDuvwKANgaEx_xfV6uGJfX52b8ZYuF4/s1600-h/MPW-30201.jpeg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGvnO9j7mSNGa_n5pdtvLnflDz_uuuWar2SZicPivak1fbIlHwFz1EMm8HWih3XFwZYXIRLfyXf5w9KG6rhzMoh4S8qOoVEcRjOmh6hjuCHwsTsDuvwKANgaEx_xfV6uGJfX52b8ZYuF4/s200/MPW-30201.jpeg" alt="" id="BLOGGER_PHOTO_ID_5175231715287708978" border="0" /></a>For those of you not in the know, black holing, a term used in the technical monologue from the previous post, is a technique used by internet service providers, also known as ISPs, to block access to phishing sites and other criminally themed internet destinations.<br /><br />Black holing is usually done in two ways. The first is to prevent traffic from reaching the IP address of the server by manipulating the ISP's routing configuration, or routing table, to force any packet destined for the server to go to a non-existent network location. This is also called null routing.<br /><br />The problem with this approach is that more than one Web site can be associated with a single IP address--large Web site hosting companies will do this to save money and simplify configuration. 
Consequently, if an ISP black holes the IP address of a criminal site that is hosted by, let's say, Yahoo! GeoCities, they could inadvertently block hundreds, if not thousands, of legitimate sites in the process. This is not a good thing.<br /><br />The second method is changing the DNS record on the service provider's name servers to map a domain to another IP address, usually 127.0.0.1--the loopback address, which is your own computer. Alternatively, an ISP can point to an informational Web site that they host explaining that the site has been blocked. The limit of this approach is that you can't black hole by URL, only by domain name.<br /><br />A URL, or Uniform Resource Locator, is the combination of the protocol, the domain name, and the location of the object, such as an image or Web page, on the Web server. For example, if you look at the address bar in your browser, you can see all three elements. The first component<span style="font-style: italic;"> http://</span> specifies the protocol,<span style="font-style: italic;"> </span><span>the second</span><span style="font-style: italic;">, blog.massmediasecurity.com</span> is the domain, and the third, <span style="font-style: italic;">/2008/02/Untraceable.html </span>is the location of this page on the web server. In simple terms, with DNS black holing you can block entire Web sites, but not specific pages contained in them.<br /><br />While this is an improvement over blocking by IP address, it is not without its problems. Sometime in 2007, the MySpace page of Alicia Keys was compromised. The attackers embedded malware on the page in a way that fooled users into downloading it by inadvertently clicking on a hidden link. 
By using Alicia Keys' fan page to host their malware, the bad guys effectively prevented any ISP from black holing the site, because the service providers would have needed to block everything on MySpace just to block the one file.<br /><br />All that being said, implementing black hole filters is not something that ISPs do without significant debate. Additionally, the FBI does not have direct access to core internet routers, nor would a country that has constitutional protection of free speech allow any of its agents to block access to any Web content without due process.<br /><br />In the real world, the FBI would have sought a court order to have the Web site shut down, or a service provider would have implemented the filters on behalf of their customers. Either way, it would have been the ISPs that took the action, not the FBI. This is another thing that the writers of Untraceable got wrong.The Information Security Guyhttp://www.blogger.com/profile/16923294453303691410noreply@blogger.comtag:blogger.com,1999:blog-5822733782612755375.post-72863964345506381952008-02-19T21:07:00.038-07:002009-01-18T08:53:10.244-07:00Untraceable (2008)<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1Gds0iZWusLyP2078sgwnQ-cIQhSgJIblTs__hX5lwlUg5646OXGR0y6YDO-f4X3No9Pfw1JyUyCRpzZQgGpmuxLWUZgzY2VcrlUCLE4u-M8D0NxyW3EvE7DO0gxU_mFOSXZFaMe-_QY/s1600-h/MPW-30201.jpeg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1Gds0iZWusLyP2078sgwnQ-cIQhSgJIblTs__hX5lwlUg5646OXGR0y6YDO-f4X3No9Pfw1JyUyCRpzZQgGpmuxLWUZgzY2VcrlUCLE4u-M8D0NxyW3EvE7DO0gxU_mFOSXZFaMe-_QY/s200/MPW-30201.jpeg" alt="" id="BLOGGER_PHOTO_ID_5170029028047849186" border="0" /></a><a href="http://www.imdb.com/title/tt0880578/"><span style="font-style: italic;">Untraceable</span></a> follows an FBI cyber crimes investigator as she attempts to track down a 
spree killer who posts live videos of his victims being tortured and killed on the Internet. As if that was not bad enough, the victims are killed faster as more people visit the Web site.<br /><br />The title is derived from the fact that the FBI investigator, played by Diane Lane, is unable either to track down the killer or to shut his Web site down.<br /><br />So how did the suspect hide and prevent the FBI from bringing his site down? The movie describes it this way:<br /><br /><div style="text-align: center;"><object height="344" width="425"><param name="movie" value="http://www.youtube.com/v/JCkPeW8U_sI&hl=en&fs=1"><param name="allowFullScreen" value="true"><embed src="http://www.youtube.com/v/JCkPeW8U_sI&hl=en&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" height="344" width="425"></embed></object></div><br /><div style="text-align: center;">"<span style="font-style: italic;">The site's IP keeps changing constantly. Each new address is an exploited server. It is running a mirror of the site. The site's Russian main server uses a low TTL so that your computer constantly queries the name server's record. And that is how it gives you a new address so consistently. There are thousands of exploited servers on the Internet, so he is not going to run out of victims anytime soon. But he is accessing these servers so quickly; he has got to be running his own botnet. I mean, we are black holing these IPs. Every time we shut one mirror down another one pops up</span>."<br /></div><br />What this technical monologue describes, with surprising accuracy and correct pronunciation, is fast-flux DNS. Let me explain how it works in a little more detail.<br /><br />DNS, or the Domain Name System, is the set of servers--known as name servers--that turn human-readable domain names, such as www.killwithme.com, into numeric Internet addresses, such as 64.37.182.110. 
These mappings--known as DNS records--include a mechanism to tell the requester how long the mapping is valid. That mechanism is known as time-to-live, or TTL.<br /><br />Bot herders, the nefarious operators of botnets, figured out that you could use a low TTL to avoid having a botnet or phishing site shut down. To do this, these lawless vagabonds create DNS records that map a single domain to hundreds or thousands of IP addresses. When they add the low TTL, which forces resolvers to re-query and pick up a new address as often as once per minute, it becomes possible to deploy a phishing site or botnet controller across thousands of mirrors--computers with copies of the Web site or controller application--while the ISPs' security staff play whac-a-mole trying to knock the servers off the Net.<br /><br />In spite of the fact that the screen writers got the description of fast-flux correct, in the scenario that they presented, it would not have prevented the FBI from tracking down the source of the videos. What the screen writers missed in their logic was the fact that the videos were live, not pre-recorded. A pre-recorded video would have been extremely difficult to track down unless the investigators knew exactly when it was seeded to the mirrors; had the video been seeded into a peer-to-peer network for distribution, it would have made the source almost impossible to find.<br /><br />With live video, on the other hand, a network stream would have to originate, in real time, from the physical location where the event is taking place. To track down the source of a live video, the FBI could have started with a single mirror of the Web site and worked backwards based on the network traffic being sent to it. 
As you can see from the diagram below, even if the killer hid behind multiple layers of servers, a properly trained investigator would still have been able to determine the origin of the video by tracing the network traffic from node to node.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCtjKx8IBpr0tmPmAxDNudA3VKUMu9G3DFGKFmZIVUhW0xykyFDZxWN5S16VsK3EzjLjrLttGaqPpuBRKygMrrszlKTeZDwnPH8sgOIOc-uGAZEMDJuJGOJrBHZLKGsxTT31RI8jCZQTo/s1600-h/Untraceable.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCtjKx8IBpr0tmPmAxDNudA3VKUMu9G3DFGKFmZIVUhW0xykyFDZxWN5S16VsK3EzjLjrLttGaqPpuBRKygMrrszlKTeZDwnPH8sgOIOc-uGAZEMDJuJGOJrBHZLKGsxTT31RI8jCZQTo/s200/Untraceable.jpg" alt="" id="BLOGGER_PHOTO_ID_5175144660595586338" border="0" /></a><br />The investigator would have used data generated by a router feature known as NetFlow. NetFlow works by extracting information from network packets that are received on a router's interface and creating records that describe the unique flows. For the layman, flows are groups of similar packets from the same source and destination that are sent and received during the same period of time. For the more advanced reader, flows are based on the 5-tuple, which is source address and port, destination address and port, and protocol. The start time of the flow is defined when the first packet is seen, and an aging timer is used to determine the end time: when the router sees a new packet it resets the aging timer; if the timer reaches zero before another packet is seen, the flow is considered complete. 
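<br /><br />Here is what that aggregation looks like in code, as an added example for this post (it is neither the FBI's tooling nor Cisco's exporter): a small Python flow builder that keys on the 5-tuple, starts a flow at its first packet, expires it on the aging timer or on a TCP FIN, and then follows the heaviest inbound flow hop by hop back to its source. The packet captures, the addresses (documentation ranges) and the 15-second inactive timeout are all constructed for the example.<br /><br />

```python
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15  # seconds of silence before a flow is expired (assumed value)


@dataclass
class Flow:
    key: tuple            # the 5-tuple: (src_ip, src_port, dst_ip, dst_port, proto)
    start: float          # time of the first packet
    last: float           # time of the most recent packet
    packets: int = 0
    bytes: int = 0
    ended_by: str = "active"   # "fin", "inactive", or still "active" at end of capture

    @property
    def duration(self) -> float:
        return self.last - self.start


def build_flows(packets, inactive_timeout=INACTIVE_TIMEOUT):
    """Aggregate packets into flow records the way a NetFlow exporter would.

    packets: iterable of (ts, src, sport, dst, dport, proto, size, tcp_flags).
    A flow begins at its first packet, is expired when no packet arrives for
    inactive_timeout seconds, and for TCP is closed as soon as a FIN is seen.
    (Real exporters also split long flows with an active timeout; omitted here.)
    """
    active, finished = {}, []

    def expire(now):
        for key in [k for k, f in active.items() if now - f.last > inactive_timeout]:
            f = active.pop(key)
            f.ended_by = "inactive"
            finished.append(f)

    for ts, src, sport, dst, dport, proto, size, flags in sorted(packets, key=lambda p: p[0]):
        expire(ts)
        key = (src, sport, dst, dport, proto)
        flow = active.get(key)
        if flow is None:
            flow = active[key] = Flow(key, ts, ts)
        flow.last = ts
        flow.packets += 1
        flow.bytes += size
        if proto == "tcp" and "F" in flags:
            flow.ended_by = "fin"
            finished.append(active.pop(key))
    finished.extend(active.values())   # flows still open when the capture ends
    return finished


def stream_into(flows, host):
    """The live feed stands out as the flow delivering the most bytes to host."""
    inbound = [f for f in flows if f.key[2] == host]
    return max(inbound, key=lambda f: f.bytes, default=None)


def trace_back(flows_by_host, start_host):
    """Walk the feed upstream: each hop's heaviest inbound flow names the next."""
    path, host = [start_host], start_host
    while host in flows_by_host:
        feed = stream_into(flows_by_host[host], host)
        if feed is None:
            break
        host = feed.key[0]
        path.append(host)
    return path


def stream_packets(src, dst, seconds, rate=2, size=1400):
    """A constructed stand-in for a live video feed: steady UDP, never idle."""
    return [(i / rate, src, 5000, dst, 8080, "udp", size, "")
            for i in range(seconds * rate)]


# Constructed addresses (documentation ranges): the public mirror, two relays
# the killer bounces through, and the machine the camera is plugged into.
MIRROR, RELAY_1, RELAY_2, ORIGIN = "192.0.2.10", "198.51.100.20", "203.0.113.30", "203.0.113.77"

# Flow captures taken at the router in front of each host, one minute each.
CAPTURES = {
    MIRROR: stream_packets(RELAY_1, MIRROR, 60) + [
        # a viewer fetching a page: SYN, data, then FIN closes the flow
        (0.5, "192.0.2.200", 51000, MIRROR, 80, "tcp", 60, "S"),
        (0.6, "192.0.2.200", 51000, MIRROR, 80, "tcp", 400, "A"),
        (0.9, "192.0.2.200", 51000, MIRROR, 80, "tcp", 60, "FA"),
        # a viewer that goes quiet: aged out by the inactive timer
        (3.0, "192.0.2.201", 51001, MIRROR, 80, "tcp", 60, "S"),
        (3.2, "192.0.2.201", 51001, MIRROR, 80, "tcp", 500, "A"),
    ],
    RELAY_1: stream_packets(RELAY_2, RELAY_1, 60),
    RELAY_2: stream_packets(ORIGIN, RELAY_2, 60),
}
FLOWS = {host: build_flows(pkts) for host, pkts in CAPTURES.items()}

if __name__ == "__main__":
    for f in FLOWS[MIRROR]:
        print(f"{f.key[0]:>15} -> {f.key[2]:<12} {f.bytes:>7} B {f.duration:5.1f} s {f.ended_by}")
    print(" then ".join(trace_back(FLOWS, MIRROR)))
```

<br />Against the constructed captures the mirror's flow table holds three records: a viewer session closed by FIN, a viewer that went quiet and was aged out, and the steady 168 KB feed from the first relay, still open when the capture ends. Following that feed upstream walks from the mirror to 198.51.100.20, then 203.0.113.30, then the origin at 203.0.113.77. A real exporter also splits long-lived flows with an active timeout (30 minutes by default on Cisco gear), so a live stream shows up as a series of records sharing one 5-tuple rather than a single record.<br /><br />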
For TCP, the end time is also determined when a session teardown is initiated with FIN/FIN-ACK packets.<br /><br />The live video would have produced an easily identifiable flow that could have been used to track the network location of the creator and subsequently their physical location. With a little router command line magic, it could have been done in real time. Whether the FBI could have mobilized fast enough to save the victim and catch the bad guy is another issue, but the bad guy would have definitely been traceable.<br /><br /><a href="http://blog.massmediasecurity.com/2008/03/untraceable-part-2.html">Untraceable, Continued</a>The Information Security Guyhttp://www.blogger.com/profile/16923294453303691410noreply@blogger.comtag:blogger.com,1999:blog-5822733782612755375.post-20109592797566899382008-01-01T20:36:00.001-07:002009-01-18T08:54:01.656-07:00National Treasure: Book of Secrets (2007)<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvdLfr2iaE4wNZxwujcijjAlkV_I4oQzdvM9xZCW_ZLLUGD5qb9fkB-seDaX6kJLepx423ICp9jKOdCDxgmZgQPq_HLj8F88uVD9qj-gmYtFiCMpAyVIhly_RM7hYPBhPS4SHg9xJ_QWI/s1600-h/national_treasure_book_of_secrets.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvdLfr2iaE4wNZxwujcijjAlkV_I4oQzdvM9xZCW_ZLLUGD5qb9fkB-seDaX6kJLepx423ICp9jKOdCDxgmZgQPq_HLj8F88uVD9qj-gmYtFiCMpAyVIhly_RM7hYPBhPS4SHg9xJ_QWI/s200/national_treasure_book_of_secrets.jpg" alt="" id="BLOGGER_PHOTO_ID_5152408833615490818" border="0" /></a>The second installment of the <a href="http://www.imdb.com/title/tt0465234/"><span style="font-style: italic;">National Treasure</span></a> franchise brings us more riddles that unlock clues that bring more riddles. One of these clues (or was it a riddle? I can't keep track) is a burned piece of paper that contains a partial cipher text message. 
It turns out that this message was encrypted with the <a href="http://en.wikipedia.org/wiki/Playfair_cipher">Playfair cipher</a>, which was created in the mid-1800s by a gentleman named Charles Wheatstone and named after Lord Playfair, who promoted its use.<br /><br />By modern standards Playfair is extremely weak, but at the time it offered a relatively simple method for encrypting messages that made single-letter frequency analysis much harder to perform.<br /><br />If you are not familiar with substitution ciphers, the simplest example is ROT-13 (or rotate 13), a variation of the <a href="http://en.wikipedia.org/wiki/Caesar_cipher">Caesar cipher</a> that creates cipher text by replacing, or substituting, each letter in a word by the letter that is 13 places away in the Latin alphabet.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioLTM7BFgt3-ZUHwO10RAiJZNo-iZCZ-20jJ5wLLBPNlWAbv63_xkHCD4mSAYNbzhbK7oVgOeKLrhTB3Hv2kTWju-wQulJtnY85TsG6zgtDh7ghy2sTxuccxuGjGuariZDAPM-RsGot4g/s1600-h/800px-ROT13.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioLTM7BFgt3-ZUHwO10RAiJZNo-iZCZ-20jJ5wLLBPNlWAbv63_xkHCD4mSAYNbzhbK7oVgOeKLrhTB3Hv2kTWju-wQulJtnY85TsG6zgtDh7ghy2sTxuccxuGjGuariZDAPM-RsGot4g/s200/800px-ROT13.png" alt="" id="BLOGGER_PHOTO_ID_5159608103485511842" border="0" /></a><br />Any fan of <span style="font-style: italic;">Wheel of Fortune</span> can tell you that the three most common letters in the English language are E, T, and A. With frequency analysis, it is pretty easy to determine that R, G and N represent E, T and A, simply by the fact that they occur most often in the cipher text. You can do further analysis by looking at the common ending letters, letters that most often follow E, etc. 
This type of analysis is made easier by the fact that ROT-13 keeps the structure of the words and sentences.<br /><br /><div style="text-align: left;">While still considered a substitution cipher, Playfair does a couple of things to break up frequency and structure. First, the plain text is broken down into groups of two letters called digraphs. If a grouping would produce a doubled letter, a filler character, typically "X," is inserted between the two letters, and the same filler pads a single letter left over at the end. For example, "he departed yesterday" becomes "he de pa rt ed ye st er da yx." Second, the plain text is encrypted using a 5 x 5 table built from a key word or phrase (I and J share a cell, so the 25 cells hold the alphabet) and some relatively simple <a href="http://en.wikipedia.org/wiki/Playfair_cipher#Using_Playfair">rules</a> that operate on whole digraphs rather than single letters. A frequency analyst is therefore faced with 600 possible digraphs (25 x 24, since a digraph never repeats a letter) instead of the 26 single letters of a Caesar-type cipher. The resulting cipher text will look something like "DA EA RD SA AE WT YG AQ ET ZY."<br /><br />One obvious weakness of Playfair is that a digraph and its reverse encrypt to each other's reverse: the same two cipher letters in the opposite order. From the example, you can see that "departed" has a reversed digraph pair, "DE" and "ED." In the cipher text they can be easily found as "EA" and "AE." Knowing that "ED" is one of the 10 most common digraphs in English, you might be able to decipher "EA RD SA AE" by replacing the reversed digraphs to get <span style="font-style: italic;">"DE</span> RD SA <span style="font-style: italic;">ED." </span><br /><br /></div>So, while Ben Gates was racking his brain to figure out what debt all men pay, his unfunny sidekick Riley Poole could have easily enhanced his computer program to discover the key, or simply figured it out by hand. 
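<br /><br />For anyone who wants to do what Riley should have done, here is a working Playfair implementation in Python, written as an added example for this post (it is not the film's program, and the key "KEYWORD" is assumed; the film never gives one). It builds the 5 x 5 square, splits the text into digraphs with the "X" filler, applies the row, column and rectangle rules, and then searches the cipher text for pairs that are each other's reverse, the tell described above.<br /><br />

```python
import string

PAD = "X"


def build_table(key):
    """Row-major 5x5 Playfair square: the key's letters first, then the rest
    of the alphabet, with J folded into I so 26 letters fit 25 cells."""
    table = []
    for ch in (key + string.ascii_uppercase).upper():
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in table:
            table.append(ch)
    return table


def digraphs(plaintext, pad=PAD):
    """Split into letter pairs: a filler goes between doubled letters and
    after a dangling final letter, as in 'he de pa rt ed ye st er da yx'."""
    letters = ["I" if c == "J" else c for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else pad
        if a == b:                      # 'LL' -> 'LX' + 'L?'; a doubled pad uses Q
            pairs.append(a + ("Q" if a == pad else pad))
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def transform(table, pair, step):
    """Apply the Playfair rules to one pair; step=+1 encrypts, -1 decrypts.
    Same row: shift right/left. Same column: shift down/up. Otherwise each
    letter takes the other's column, which is why a pair and its reverse
    always produce reversed cipher text."""
    ra, ca = divmod(table.index(pair[0]), 5)
    rb, cb = divmod(table.index(pair[1]), 5)
    if ra == rb:
        return table[ra * 5 + (ca + step) % 5] + table[rb * 5 + (cb + step) % 5]
    if ca == cb:
        return table[(ra + step) % 5 * 5 + ca] + table[(rb + step) % 5 * 5 + cb]
    return table[ra * 5 + cb] + table[rb * 5 + ca]


def encrypt(key, plaintext):
    table = build_table(key)
    return " ".join(transform(table, p, +1) for p in digraphs(plaintext))


def decrypt(key, ciphertext):
    table = build_table(key)
    text = ciphertext.replace(" ", "").upper()
    return "".join(transform(table, text[i:i + 2], -1) for i in range(0, len(text), 2))


def reversed_pairs(ciphertext):
    """Positions (i, j) where pair j is pair i spelled backwards: the tell the
    post describes, and where a guess such as DE/ED can be plugged in."""
    pairs = ciphertext.upper().split()
    return [(i, j) for i in range(len(pairs)) for j in range(i + 1, len(pairs))
            if pairs[j] == pairs[i][::-1]]


if __name__ == "__main__":
    ct = encrypt("KEYWORD", "he departed yesterday")
    print(ct)                        # GY GD VH FK DG WY MZ KD AB WV
    print(reversed_pairs(ct))        # [(1, 4)]  -> the GD / DG pair
    print(decrypt("KEYWORD", ct))    # HEDEPARTEDYESTERDAYX
```

<br />With the key "KEYWORD", "he departed yesterday" encrypts to GY GD VH FK DG WY MZ KD AB WV, and reversed_pairs() flags positions 1 and 4 (GD and DG), which is exactly where DE and ED sit in the plain text. The last line of transform() is the whole weakness: a rectangle pair swaps columns, so swapping the input letters just swaps the output letters, and the row and column shifts behave the same way.<br /><br />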
The small amount of cipher text may have complicated his analysis, but there are only so many word combinations and digraphs that could have produced "ME IK QO TX CQ TE ZY."<b><tt><span id="output"></span></tt></b>The Information Security Guyhttp://www.blogger.com/profile/16923294453303691410noreply@blogger.comtag:blogger.com,1999:blog-5822733782612755375.post-28938943679554156342007-10-14T17:23:00.000-06:002008-12-10T03:06:15.734-07:00CSI: NY "You Only Die Once"<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4PYFhRgehMwg7lkAg3lSp2sOxGHbjVuH81tP6FL8LjHOCoEb93Z0yOMHMLkq7HMQjRGeQxRz9ESDVKo6WZFLeLJfFjgePTAukh7EBvTxa8xCQiziRlQCiXR0P2d-NvFX5rdo6xwjCPpo/s1600-h/cover-csi-newyork.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 236px; height: 248px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4PYFhRgehMwg7lkAg3lSp2sOxGHbjVuH81tP6FL8LjHOCoEb93Z0yOMHMLkq7HMQjRGeQxRz9ESDVKo6WZFLeLJfFjgePTAukh7EBvTxa8xCQiziRlQCiXR0P2d-NvFX5rdo6xwjCPpo/s320/cover-csi-newyork.jpg" alt="" id="BLOGGER_PHOTO_ID_5122483414503192866" border="0" /></a>With the writers of <span style="font-style: italic;">Numb3rs</span> playing it safe this season by limiting their expedient exaggerations to areas of physics and mathematics, I was relieved to see that <a href="http://www.imdb.com/title/tt0395843/"><span style="font-style: italic;">CSI: NY</span></a> stepped up to the plate to keep me occupied.<br /><br />As you may have guessed from the title, this episode deals with a band of James Bond like criminals who drive around in a high-tech sports car and fast-rope out of high-rise luxury condos. The CSI team discovers that the criminals are not looking for traditional valuables such as furs and jewelry--they are after personal information stored on electronic devices. 
The team surmises this while examining a coat that was taken off a man found face down in a gutter.<br /><br />How did they come to this conclusion? The department IT folks called and informed the team that they had a firewall breach and someone was illegally accessing the network. Our quick-witted investigators power down the lab to contain the breach, but are puzzled when the examination table's fluorescent lights continue to flicker. They determine it has something to do with the jacket, so they pull it apart and find a mesh of wires connected to a MiniSD memory card.<br /><br />What they discovered in the jacket was a device that can magically download information off of any device using wireless connections. The most amazing part of this contraption is that the whole thing is heat activated. I can only assume that they meant that it was powered by body heat, or other heat sources, because a device like this that only turns on when it's hot doesn't make any sense at all.<br /><br />A little research on my part found that a group of German researchers at the Fraunhofer Institute have created a similar generator that produces about 200 millivolts. But, according to our friends over at <a href="http://www.engadget.com/2007/08/17/body-powered-circuits-developed-by-fraunhofer-institute/"><span style="font-style: italic;">Engadget</span></a>, you'd need about 1 watt to power just the processor of a modern hand-held device. The Fraunhofer generator produces about 2 milliwatts. Sorry Charlie, even with the long underwear, you come up short in the power department.<br /><br />To compound the power problems, you would need both WiFi and Bluetooth radios, plus a CPU and operating system that can perform moderately complex cryptographic functions. None of which I saw on the device.<br /><br />I'm not sure why the wannabe secret agents needed a device like this in the first place. 
They were the party planners and staff, so rigging a laptop to do the same thing and attaching it under the buffet table would have been much easier, more effective, and would have gone completely unnoticed. Moreover, if you take the risk of breaking into someone's condo, you're better off attaching a USB or Firewire drive to the computer and downloading the information that way--when you are in the middle of a B&E, you really don't want to wait around for your system to crack the WiFi and then break into the computer, assuming that there are any vulnerabilities to be exploited in the first place.<br /><br />As for how the lab was hacked, what they were trying to describe is an "evil twin" attack. By mimicking an existing WiFi access point, or AP, an attacker can trick a computer into connecting to a network they control. By exploiting weaknesses in a commonly used WiFi link encryption protocol, you can even mimic an AP that has encryption enabled. At that point, the attacker has a direct network connection to the computer, but would still need to exploit a vulnerability to gain access to anything on it. 
Technically speaking this <span style="font-style: italic;">bypasses</span> any network-based firewalls that may be in place, but does not render them insecure as they stated in the script.<br /><br />If you'd like to learn a little more about the WEP attack, InfoWorld has a detailed (but non-technical) description <a href="http://news.yahoo.com/s/infoworld/20071017/tc_infoworld/92675;_ylt=AoYdCR6a2GaPz6LZXqvERIWDzdAF" target="_new">here.</a><br /><br /><span style="font-weight: bold;">Watch </span><span style="font-style: italic; font-weight: bold;">CSI: NY</span><span style="font-weight: bold;"> for free on CBS.com:</span><br /><br /><a href="http://www.cbs.com/innertube/" target="_new">CBS Innertube</a>The Information Security Guyhttp://www.blogger.com/profile/16923294453303691410noreply@blogger.comtag:blogger.com,1999:blog-5822733782612755375.post-26852570976703236982007-10-06T10:08:00.000-06:002008-12-10T03:06:15.835-07:00The 13 Hackiest Hacking Movie Moments<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUdy7OhkhBfx4vFpfRyQjxB5sUhjUBxsBQANugNJ7PqLcgrRBgICr8HUi5N75DuCF0zPs2tpqeymJswKlQpm2qPUz-gwCeeTKTnngQsRPIuzrLG7fnVUBe3Pm11yJSzllflxsoXXFRb5s/s1600-h/0063155_l.gif"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 93px; height: 127px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUdy7OhkhBfx4vFpfRyQjxB5sUhjUBxsBQANugNJ7PqLcgrRBgICr8HUi5N75DuCF0zPs2tpqeymJswKlQpm2qPUz-gwCeeTKTnngQsRPIuzrLG7fnVUBe3Pm11yJSzllflxsoXXFRb5s/s200/0063155_l.gif" alt="" id="BLOGGER_PHOTO_ID_5122492545603664178" border="0" /></a><a href="http://www.maximonline.com/index.aspx"><span style="font-style: italic;">Maxim Magazine</span></a> has jumped on the bandwagon and created their own list of ridiculous movie hacking moments. They missed some classics, but it is still a good list. 
Check it out <a href="http://www.maxim.com/Entertainment/HackiestHackingMovieMoments/slideshow/407.aspx" target="_new">here.</a>The Information Security Guyhttp://www.blogger.com/profile/16923294453303691410noreply@blogger.comtag:blogger.com,1999:blog-5822733782612755375.post-71051104907623019482007-06-30T20:07:00.001-06:002009-01-18T08:54:41.300-07:00Live Free or Die Hard (2007)<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4vYpEVZKnzDWm_99oWgfAaF_RagLTQnj5NPNY1Flgkrd_K4KHrTcl8TZmk2fKkMApNAeFsWf5jIFJ3U1lST3uCb92oyDyci-FQ_2rLE22SY6Fo5S66Z-5dYnP3yIWcH1utZwj_E616Js/s1600-h/livefreeordiehard1.thumbnail.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4vYpEVZKnzDWm_99oWgfAaF_RagLTQnj5NPNY1Flgkrd_K4KHrTcl8TZmk2fKkMApNAeFsWf5jIFJ3U1lST3uCb92oyDyci-FQ_2rLE22SY6Fo5S66Z-5dYnP3yIWcH1utZwj_E616Js/s320/livefreeordiehard1.thumbnail.jpg" alt="" id="BLOGGER_PHOTO_ID_5091693717269134434" border="0" /></a><br />The latest installment in the <a href="http://www.imdb.com/find?s=all&q=Die+Hard"><span style="font-style: italic;">Die Hard</span></a> series has our hero John McClane chasing after a crew of hacker-terrorists that are systematically shutting down the critical infrastructure of the United States. The movie describes this as a "fire sale," as in "everything must go."<br /><br />While I do not pretend to be part of the in-crowd when it comes to national security terminology, I don't recall ever hearing this term used to describe any scenario relating to critical infrastructure attacks. 
I suspect the screen writers just made it up.<br /><br />At any rate, the action begins in an FBI operations center that makes the fictional NORAD command center from WarGames look like, well, the real NORAD command center. Even with its modern architecture and sleek interface design, the most amazing part of this set is the fact that the 20-foot projection screens have relevant network security information from every U.S. government network, as well as the national energy grid--truly unbelievable.<br /><br />With all of the creativity that Hollywood has to offer, I'm sure it's still difficult for someone to visualize a network intrusion in a way that most people would find interesting, but showing computer screens dim, go black and then suddenly come back to life just doesn't do it for me. But this is exactly how the action gets kicked off and, without much investigation, the FBI knows immediately that it was the work of hackers. Holy crap, I thought someone forgot to pay the power bill!<br /><br />So what was compromised exactly? The power supply to the monitors? It obviously wasn't the computers, because when the screens came back on there was nothing to indicate that they were compromised or had even lost power. I don't mean to suggest that a compromised system would have some sort of visual indicator, but with all that the operations center had to offer, you'd think the screen writers or director could have come up with something a little more realistic or clever, such as showing that all of the FBI's computers are sending out spam for herbal Viagra. 
Just a thought.<br /><br />I could bore you with paragraphs on SCADA system security, or ask why someone would spend money to build a networked system that shuts off lights that don't need to be turned off, but I'll simply focus on one of my biggest beefs with this movie, which is the use of what I call "magical hacking tools."<br /><br />While everything in a Hollywood production is larger than life, there seems to be an obsession with showing omnipotent hacking tools with elaborate graphical interfaces which, in addition to allowing easy access to every function of an extremely complex system, can also mimic any system's GUI.<br /><br />In reality, even commercial security tools do not have this level of functionality or interface design, but I don't want to denigrate the advances that our blackhat friends have made over the last couple of years with their software. Take a look at this Web GUI used to control botnets. 
Most corporate systems don't look this good.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0Y2-k7e706INHSNwsnyNKTtqeqacZZWdSNEGYbWVTtuHH4T3-M1NZ7EfOySQh5zltWIrXyltXgfvOhGmvj0wUBNeOKl4VDNLjBZwiY0RaqpfJvFnHUTN0_bQiiq3s_RXR72secAoi8UQ/s1600-h/botnet_controller_gui_edited.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0Y2-k7e706INHSNwsnyNKTtqeqacZZWdSNEGYbWVTtuHH4T3-M1NZ7EfOySQh5zltWIrXyltXgfvOhGmvj0wUBNeOKl4VDNLjBZwiY0RaqpfJvFnHUTN0_bQiiq3s_RXR72secAoi8UQ/s320/botnet_controller_gui_edited.JPG" alt="" id="BLOGGER_PHOTO_ID_5091679681316011090" border="2" /></a>The Information Security Guyhttp://www.blogger.com/profile/16923294453303691410noreply@blogger.comtag:blogger.com,1999:blog-5822733782612755375.post-27211946591570350982007-06-30T20:06:00.003-06:002008-12-10T03:06:16.443-07:00Burn Notice "Pilot"<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhuZ0SWcHaqcs6QPG63IB8rFHcOcYvSeTgwZwYSgLQI4xGTaODOj5zF-V2By0Lc61Q1SdrSxE9s5nQGYwXuZCdEhjGv5DmmwUWhH2FOlcmgNQAL7r8JeSbO7cVksT9yknk7cdMNP5BUKc/s1600-h/10m.gif"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhuZ0SWcHaqcs6QPG63IB8rFHcOcYvSeTgwZwYSgLQI4xGTaODOj5zF-V2By0Lc61Q1SdrSxE9s5nQGYwXuZCdEhjGv5DmmwUWhH2FOlcmgNQAL7r8JeSbO7cVksT9yknk7cdMNP5BUKc/s320/10m.gif" alt="" id="BLOGGER_PHOTO_ID_5091695314996968562" border="0" /></a>What do spies do when they've been blacklisted? According to <a style="font-style: italic;" href="http://www.imdb.com/title/tt0810788/">Burn Notice</a><span style="font-style: italic;">,</span> they hang around in Miami, avoid their mothers, and get advice from alcoholic ex-spies. 
In this "<span style="font-style: italic;">Get Shorty</span> meets <span style="font-style: italic;">The Equalizer</span>" one-hour drama, you also learn that blacklisted spies have many useful skills that they can pull from their tradecraft to assist people who can't get help from the law.<br /><br />One of these skills is using latent fingerprints lifted from a fingerprint reader to open a safe.<br /><br />You might be thinking that this is something the screen writer made up to get himself out of a jam, but according to a Japanese researcher, it can be done--with about an 80% success rate. However, what was shown in this episode is an overly simplified, and slightly inaccurate, depiction of what you would actually need to do to pull it off. Let me explain.<br /><br />If <span style="font-style: italic;">Burn Notice</span> were a two-hour procedural drama, you would have seen <a href="http://www.imdb.com/name/nm0232998/">Jeffrey Donovan</a>'s character find a non-porous surface, such as a water glass, that he knew the safe's owner had touched. Getting the print from the safe seems like a logical idea, but in reality, the size and weight of the safe would make it difficult to work with.<br /><br />Next, he would use a technique called cyanoacrylate fuming to draw out the latent prints. Cyanoacrylate fuming is just a fancy way of saying you expose the surface to vaporized Krazy Glue. These vapors, or fumes, react with the amino acids and other proteins that are left when you touch something with your fingers. This reaction forms a white sticky material that outlines the ridges of the fingerprints. 
This white sticky material is another reason why you wouldn't want to use the safe to get the print--you'd have to clean that sticky crap off before you left.<br /><br />Once the reaction is complete, you can stain the results with colored dust and photograph them. Despite what you may have seen on those CSI shows, this process can take more than two hours and also requires the object to be placed in a sealed container. You'd probably be better off doing this in a safe place, in other words, not a house you just broke into.<br /><br />Next, he would transfer the photograph to a computer, enhance it with Photoshop and print it out on transparency paper. The transparency would be placed over the photosensitive material that hobbyists use to create custom circuit boards. The material would then be exposed to ultraviolet light and washed with acid. The pattern that was printed on the transparency would now be etched into the board, creating an accurate mold of the fingerprint. The materials needed to do this are available at most electronics hobby shops for around $50.<br /><br />To create his fake fingertip, he would pour gelatin into the mold and let it harden. He could then place the gummy fingertip on his own, and use it to fool the fingerprint reader and open the safe. 
Nice and easy.<br /><br />Someone could probably create a portable kit so that this could be done on scene, but they'd need to speed up the cyanoacrylate fuming process to make it streamlined enough for a black bag job.<br /><br /><object width="512" height="296"><param name="movie" value="http://www.hulu.com/embed/3D87yywVZRVs2ZFXmC5YlA"></param><embed src="http://www.hulu.com/embed/3D87yywVZRVs2ZFXmC5YlA" type="application/x-shockwave-flash" width="512" height="296"></embed></object><br /><br />Posted by The Information Security Guy<br /><br /><br /><span style="font-weight: bold;">What the CIA Could Learn from Hollywood</span> (posted 2007-06-25, updated 2008-01-25)<br /><br />What I learned today is that at least one of the three writers who got WGA credit for <a href="http://www.imdb.com/title/tt0292506/">The Recruit</a> understood the basics of how cell phones work and what data is collected by service providers, but apparently failed to portray CIA training in an accurate light. Go figure.<br /><br />If you are not familiar with this 2003 yawner, it follows several young CIA recruits through their training and first covert assignments. Towards the end of their training, the recruits go out on a surveillance and evasion exercise. Prior to the start of this exercise, one of their instructors specifically tells them to "turn your cell phones off because they act like tracking devices."<br /><br />Obviously this doesn't happen during real CIA training. My evidence? Two dozen CIA agents were indicted in Italy for kidnapping a suspected al Qaeda agent in Milan and transporting him to Egypt. How did Italian prosecutors track down those accused of the kidnapping? 
Cell phone data.<br /><br />It seems that the alleged kidnappers not only left their cell phones on, they actually used them throughout the operation, which allowed investigators to track them from the location of the kidnapping to the Air Force base that was allegedly used to fly the abductee out of the country.<br /><br />Read the story in Congressional Quarterly:<br /><br /><a href="http://www.cq.com/public/20051026_homeland.html">http://www.cq.com/public/20051026_homeland.html</a><br /><br />You can't make this crap up.<br /><br />Posted by The Information Security Guy<br /><br /><br /><span style="font-weight: bold;">Traveler "The Retreat"</span> (posted 2007-05-31, updated 2008-01-25)<br /><br /><a href="http://www.imdb.com/title/tt0805668/">Traveler</a> is a new show about two recent college grads who are framed by their mysterious roommate, Will Traveler, for a bombing in New York City. The two are branded terrorists and quickly find themselves on the run from both the Feds and some yet-to-be-identified organization who are presumably the real masterminds behind the bombing.<br /><br />In "The Retreat," the FBI brings in the girlfriend of one of the fugitives for questioning. While still in the FBI offices, she receives a call from her absconder boyfriend on her cell phone. The FBI promptly tries to trace the call, or as the agent in charge describes it, engage in "a little T&T." I assume T&T stands for Trap and Trace, but with fictional FBI agents, you never know.<br /><br />As the trace begins, the FBI technicians determine that the caller is using VoIP and it is "heavily encrypted," which will not prevent them from tracing the call, but would slow it down. The scene then cuts back to the boyfriend talking on his cell phone.<br /><br />Again with the cell phone and VoIP--I'm not sure how this became so popular with TV writers, but there you go. 
In reality, there are a couple of services that will allow you to make VoIP calls from your cell phone, but they require either a WiFi-enabled handset or the use of cell-based data services, such as EVDO. However, handset support is limited and the cost of the data services really makes things unattractive for anyone except the well-paid geek.<br /><br />Thus from a technology perspective, the scenario created by the writers is possible, but the details around it are a little off base and the chances of this actually happening the way they show it are pretty unlikely given the background of the characters.<br /><br />I'm not going to get into the details of how a traditional trap and trace works, but needless to say, by the time you declare "I know how long it takes to trace a call and you're five seconds too short," you're already screwed--any notion of beating the clock is pretty much a pipe dream under most circumstances. The time-based trace does make for an effective tension-building device, so it's a little hard to fault screenwriters for using it. But that's beside the point.<br /><br />Because the story left some gaps around how the phone call was made, I am going to assume that the boyfriend placed the call on a prepaid cell phone bought with cash, and that he signed up for the VoIP outbound service with a prepaid gift card from Visa or American Express--which would have been bought with cash as well. He would need the outbound service to reach his girlfriend's cell phone via VoIP unless they had both set up the service prior to him being on the lam, which doesn't seem likely. Doing this would prevent any preexisting trap and trace from nailing him as soon as he turned on his phone.<br /><br />So how would "heavy encryption" slow down the trace of a VoIP call? Simply put, it wouldn't. The way the call was routed would be the biggest limiting factor from a real-time tracing perspective. 
Additionally, if the call was terminated on the PSTN, the encryption would only be established between the VoIP phone and the PSTN gateway, meaning that anyone on the PSTN side would not even know it was there.<br /><br />As if that were not enough, even with encryption, you could not easily hide the source address of the VoIP call. Even if you use UDP--a protocol that allows for easy IP address spoofing--you would not be able to have a two-sided conversation because any return traffic would be routed to the bogus address and not back to your phone or soft client. That being the case, once the person tracing the call has access to the source IP address from the PSTN termination box, you are, again, screwed.<br /><br />Of course, the person would then have to map the IP address to the cell phone account, and then pull the call records (unless you already had a trap and trace set up) to get the person's physical location, assuming that the provider records that information (some do). The time it would take to gather and correlate all of this information from the different providers and sources is what would have really delayed this Hollywood-style trace. 
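The three-step correlation just described, written out as an added example (my code, not anything from the show or this post): the PSTN gateway's call record gives a source IP and a time, the data provider's session log says which account held that address in that window, and the carrier's cell-site log gives a rough location for that account's handset. Every record, field layout, address, account id and site name below is constructed for the example; the log formats are assumptions, not any provider's real output.

```python
"""Cross-provider trace of a VoIP call that terminated on the PSTN.

Added example, not from the post or the show.  Three constructed data sources
stand in for the providers the post names: the PSTN gateway's call detail
records (source IP and time), the data provider's IP session log (which
account held that IP when), and the carrier's cell-site log (where that
account's handset was).  Field layouts, addresses, account ids and site names
are all made up for the example; real providers use their own formats.
"""
from datetime import datetime, timedelta

# Constructed gateway CDRs: call_id,start (UTC),called_number,source_ip
GATEWAY_CDR = """\
c1001,2007-05-29T16:02:10,+13105550123,198.51.100.17
c1002,2007-05-29T16:40:55,+13105550199,198.51.100.17
c1003,2007-05-29T16:17:30,+13105550123,198.51.100.17
"""

# Constructed data-session log: ip,account,session_start,session_end.
# The same address is leased to different subscribers over the day, so a
# match on the address alone would name the wrong customer.
DATA_SESSIONS = """\
198.51.100.17,ACCT-7781,2007-05-29T15:30:00,2007-05-29T16:15:00
198.51.100.17,ACCT-2290,2007-05-29T16:20:00,2007-05-29T17:05:00
198.51.100.42,ACCT-7781,2007-05-29T16:16:00,2007-05-29T18:00:00
"""

# Constructed cell-site log: account,timestamp,cell_site
CELL_SITES = """\
ACCT-7781,2007-05-29T16:00:00,LA-DTWN-04
ACCT-7781,2007-05-29T16:05:00,LA-DTWN-07
ACCT-2290,2007-05-29T16:41:00,LA-WEST-12
"""


def _ts(text):
    return datetime.fromisoformat(text)


def parse_csv(text, fields):
    """Turn simple comma-separated lines into dicts keyed by `fields`."""
    return [dict(zip(fields, line.split(","))) for line in text.strip().splitlines()]


def account_for_ip(ip, at, sessions):
    """Account that held `ip` at time `at`, or None if no session covers it."""
    for s in sessions:
        if s["ip"] == ip and _ts(s["start"]) <= at <= _ts(s["end"]):
            return s["account"]
    return None


def nearest_site(account, at, sites, window=timedelta(minutes=10)):
    """Cell site recorded for `account` closest in time to `at`, within `window`."""
    best = None
    for rec in sites:
        if rec["account"] != account:
            continue
        gap = abs(_ts(rec["timestamp"]) - at)
        if gap <= window and (best is None or gap < best[0]):
            best = (gap, rec["cell_site"])
    return best[1] if best else None


def trace_call(call_id):
    """Follow one call from gateway record to account to cell site."""
    cdrs = parse_csv(GATEWAY_CDR, ["call_id", "start", "called", "source_ip"])
    sessions = parse_csv(DATA_SESSIONS, ["ip", "account", "start", "end"])
    sites = parse_csv(CELL_SITES, ["account", "timestamp", "cell_site"])
    cdr = next((c for c in cdrs if c["call_id"] == call_id), None)
    if cdr is None:
        return None
    at = _ts(cdr["start"])
    account = account_for_ip(cdr["source_ip"], at, sessions)
    site = nearest_site(account, at, sites) if account else None
    return {"source_ip": cdr["source_ip"], "account": account, "cell_site": site}


if __name__ == "__main__":
    for cid in ("c1001", "c1002", "c1003"):
        print(cid, trace_call(cid))
```

The two calls from the same source address resolve to two different accounts because the match is on the session window, not the address; the third call falls in the gap between leases and resolves to nothing, which is the kind of dead end that eats the time a real trace takes.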
Once again, the way the call is routed is the delaying factor for this scenario, not the encryption.<br /><br />Watch the episode for yourself on ABC.com:<br /><br /><a href="http://dynamic.abc.go.com/streaming/landing">http://dynamic.abc.go.com/streaming/landing</a><br /><br />Posted by The Information Security Guy<br /><br /><br /><span style="font-weight: bold;">Heroes addendum</span> (posted 2007-05-29, updated 2007-05-31)<br /><br />I guess we will have to wait until next season to find out how Micah's powers actually work, but we did get to see the extent of the damage he could inflict on electronic voting systems.<br /><br />Posted by Unknown<br /><br /><br /><span style="font-weight: bold;">Heroes and other ramblings</span> (posted 2007-04-21, updated 2008-01-25)<br /><br />Due to the mid-season hiatus that most network television shows are taking right now, there has been very little to comment on. The one exception might have been a recent episode of <span style="font-style: italic;">Numb3rs</span> where the author of a piece of malicious software was found by analysing a "strange loop" found in the program. 
But sadly, the producers avoided another lambasting by not attempting to explain how Bernard the Elf was actually able to do this, so short of just saying "what the f***?!," I'll point out that if you read the <a href="http://en.wikipedia.org/wiki/Strange_loop">Wikipedia entry for strange loop</a> and then watch the episode, you'll find that the two explanations are strangely similar.<br /><br />While doing a critique of pure science fiction would be a little silly, one of the characters in the show <a href="http://www.imdb.com/title/tt0813715/"><span style="font-style: italic;">Heroes</span></a> brings up an interesting mental exercise and, more importantly, provides me with a much needed topic of discussion.<br /><br />If you are not familiar with the show, it's the story of 9 or so people who have, through some form of genetic mutation, gained superhuman abilities. These abilities range from the ever popular flying and invisibility to the somewhat esoteric power of producing nuclear reactions with your body.<br /><br />The character in question is Micah. Micah is the child of a woman who seems to be her own doppelganger and a man who can walk through walls. Not sure how the combination of those two mutations produced the ability to manipulate electronic devices, but that's what Micah can do.<br /><br />We have only seen Micah use his ability twice: the first time, he makes a phone call from a broken pay phone. The second time, he makes an unauthorized withdrawal from an ATM. 
The show has not yet explained how the ability actually manifests itself, but for the sake of argument, let's assume that it's one of two ways:<br /><br />1) Micah is able to generate electromagnetic energy that can mimic electronic components in the device, such as transistors or complete microchips<br /><br />2) His body is able to produce nanoparticles that infiltrate the device and build circuitry that allows him to control it--similar to those produced by the Terminatrix in <a href="http://www.imdb.com/title/tt0181852/">Terminator 3: Rise of the Machines</a>.<br /><br />So the exercise would be this: how would you defend a system against this type of attack?<br /><br />The first thing that comes to mind is shielding--enclosing your system in a Faraday cage would probably do the trick for the first possible manifestation. For those of you not familiar with this type of shielding, a Faraday cage is an enclosure that is constructed in such a way that it either blocks or redirects electromagnetic fields so that they do not penetrate the surface of the enclosure. The most common example of this is the shielding they use in microwave ovens to prevent your eyeballs from boiling when you press your nose up against the window to watch Spaghetti-Os splatter all over the interior.<br /><br />The second possible manifestation is a little more tricky to solve since there are no real-life equivalents. One idea I came up with is creating <a href="http://en.wikipedia.org/wiki/Nanotubes">nanotube</a> mazes that would trap enough nanoparticles to limit any potential damage. The closest possible analogy to how this would work is fiberglass insulation, which slows the progress of heat and cold by trapping it in the various chambers that the fibers create. 
If you could develop some sort of attractor that would divert the nanoparticles into the tubes, you could create a semi-permeable membrane that would allow coolant or electricity to pass.<br /><br />Unfortunately, as demonstrated in the last Terminator movie, an easy way to get by this type of protection is to simply pierce the membrane and inject the particles into the area that is being protected. Unlike the Terminatrix, Micah does not have the power to change one of his fingers into an awl, but that wouldn't stop him from using an icepick to accomplish the same thing. To prevent this, you would have to completely encase the device with the membrane to eliminate any open space where the nanoparticles could form circuitry.<br /><br />The problem with both of these methods is the fact that devices such as ATMs and RFID readers need to interface directly with humans and electromagnetic radiation. This poses a problem since you may not be able to shield these devices completely, allowing avenues of attack to remain.<br /><br />In these cases you might have to develop some kind of reverse Turing test by which each component in the system can verify that the signals it is receiving are not coming from a human, nor from circuitry that may have recently been built.<br /><br />Turing tests were developed by Alan Turing in the early 1950s to determine the humanness of artificial intelligence implementations. The basic test would consist of a human judge conversing with two entities, one human and one computer. If the judge is unable to tell which is which, then the implementation passes the test.<br /><br />If you remember that annoying little program called Eliza, which was intended to mimic a psychotherapist, you'll also remember that it was hard to tell the difference between her (the program) and a drunk high school student who has been through peer counselor training. 
Whether this is a sign of actual intelligence, or not, is up for debate, but you get the point.<br /><br />This approach has been used, somewhat in reverse, to help stop spam and other automated attacks against computer systems. You may have been fooled yourself by those annoying CAPTCHAs the last time you signed up for an online service or posted to a bulletin board. CAPTCHA is short for "Completely Automated Public Turing test to tell Computers and Humans Apart" and consists of a bunch of obscured text, usually against a textured background, that is intended to fool computer-based optical character recognition systems, otherwise known as OCR. It also tends to fool drunk people and those whose cognitive dysfunction is not chemically induced.<br /><br />You can also see something similar in the movie <a href="http://www.imdb.com/title/tt0083658/"><span style="font-style: italic;">Blade Runner</span></a>. They call the test Voight-Kampff (for short) and it consists of a series of questions that will cause an artificial human to respond in non-human ways. As seen throughout the movie, the tester would use a device that monitors changes in the eye, most notably involuntary dilation of the iris, and after a battery of questions like "describe in single words only the good things that come into your mind about your mother," he would make the determination of human or Replicant, or get shot, depending on how good he was.<br /><br />We will have to wait to see how the writers of <span style="font-style: italic;">Heroes</span> decide to handle Micah and whether anyone will be able to protect their computer systems against his ability. 
It will also be interesting to see how close my speculation was...<br /><br /><a href="http://www.nbc.com/Video/rewind/full_episodes/heroes.shtml">Watch <span style="font-style: italic;">Heroes</span> for free on NBC.com.</a><br /><br />Posted by Unknown<br /><br /><br /><span style="font-weight: bold;">Human Computer Interaction in Science Fiction Movies</span> (posted 2007-04-07, updated 2008-01-25)<br /><br /><a href="http://w5.cs.uni-sb.de/%7Ebutz/teaching/ie-ss03/papers/HCIinSF/">http://w5.cs.uni-sb.de/~butz/teaching/ie-ss03/papers/HCIinSF/</a><br /><br />This is an interesting paper on depictions of computer interfaces in some recent, and not so recent, science fiction movies. What I found most interesting was the influence of the MIT Media Lab, and other research, on the production design of <span style="font-style: italic;">Minority Report</span>. There is also discussion of various biometric identification systems, from <a href="http://www.imdb.com/title/tt0119177/"><span style="font-style: italic;">Gattaca</span></a>'s finger-prick DNA test, to a seemingly absurd breath ID system shown in <a href="http://www.imdb.com/title/tt0118583/"><span style="font-style: italic;">Alien Resurrection</span></a>.<br /><br />It makes me wonder why information security research has not had as much influence on the entertainment industry. Part of me thinks that it's simply because it's not as flashy as interface design, but I wonder if it's due more to the fact that information security research is often conducted in a culture of secrecy and need-to-know fraternities. In other words, would a university open up a computer virus research lab to a screenwriter, or would a company like Symantec talk candidly with a screenwriter about emerging trends in malware? 
I think the answer is no, but I could be wrong.<br /><br />Posted by Unknown<br /><br /><br /><span style="font-weight: bold;">Prologue Revisited</span> (posted 2007-03-10, updated 2008-01-25)<br /><br />I missed the third approach. I completely overlooked it. Ironically, this is usually what happens when screenwriters or production crew use it. The third approach is doing proper research and getting it right. What's the downside of this? 99.9% of your audience will probably never even notice.<br /><br />The best example of this is <a href="http://www.imdb.com/title/tt0234215/">The Matrix Reloaded</a>. If you were paying close attention and knew what you were looking for, you would have noticed that when Trinity hacks into the power plant's computer system, she uses a real-life security tool and exploit. But I bet you didn't.<br /><br />You can read about it in this poorly researched BBC article:<br /><br /><a href="http://news.bbc.co.uk/1/hi/technology/3039329.stm" target="_new">http://news.bbc.co.uk/1/hi/technology/3039329.stm</a><br /><br />Apparently this triggered a warning from the British Computer Society. 
I have a hard time believing that this is real, but the press release is still available on the Internet Wayback Machine so you can make your own judgements:<br /><br /><a href="http://web.archive.org/web/20051230150409/http://www.bcs.org/BCS/News/PressReleases/2003/May/PressReleases2003MayMatrixTricksWarning.htm" target="_new">http://web.archive.org/web/20051230150409/http://www.bcs.org/BCS/News/PressReleases/2003/May/PressReleases2003MayMatrixTricksWarning.htm</a><br /><br />Posted by Unknown<br /><br /><br /><span style="font-weight: bold;">Numb3rs "One Hour"</span> (posted 2007-03-08, updated 2008-01-25)<br /><br /><a href="http://www.imdb.com/title/tt0433309/" target="_new">Numb3rs</a> is a crime drama that centers around an FBI agent and his brother, a former math prodigy who is now a professor at a prestigious technical college--the fictional Cal Sci. A typical story line begins with a perplexing crime and when the FBI gets stuck, the math genius and his colleagues are brought in to help close the case.<br /><br />"One Hour" strays a bit from this formula--the first half of this show focuses on a technological challenge rather than something that can be solved mathematically. The story begins with a violent kidnapping of a music mogul's child. Shortly after the FBI team arrives on the scene, they receive a ransom demand on the dead bodyguard's cell phone. 
The FBI agent who answered the call notices that the caller's phone number is a string of ones and when the FBI techs "ping" the number (I don't even know where to begin with that one) they determine the call originated as VoIP. Unable to trace the VoIP call on their own, the FBI calls in the pros from Cal Sci to help them out.<br /><br />After being told they have less than one hour to find the kidnappers, the two professors jump in their car and, on the way to the FBI offices, one of them writes an "exploit" that will allow them to trace incoming VoIP calls from a cell phone which the kidnappers would call to give further instructions.<br /><br />This is where the screenwriters get themselves into trouble. They start innocently by describing VoIP as Voice Over Internet Protocol--although technically correct, I have yet to hear an industry professional say anything other than Voice Over IP. A nit-picky point, I admit, but when you say it the way the actors did, it sounds as if there is an actual protocol called Voice Over Internet (there isn't).<br /><br />It might have been better to say that VoIP is a collection of protocols and other technologies that allow telephone calls to be placed over Internet Protocol (IP) based networks, like the Internet or your office LAN. 
Was that so hard to say?<br /><br />Defying all reason, these intellectual giants were able to write an application that would run on an unknown cell phone, connected to an unknown provider's network, and somehow install it on the correct handset, based solely on a phone number given to them by the FBI. And all that in under fifteen minutes! I wish I was that good.<br /><br />The screenwriters' problems get worse when you realize that a VoIP call would have to be terminated on the PSTN (Public Switched Telephone Network) prior to making its way to a cellular phone network, and subsequently, to the cell phone.<br /><br />What this means is there is no practical way to get the originating IP address of a VoIP call in the way they described. In reality, the call would have to traverse three different networks that do not share common protocols or addressing systems.<br /><br />Given enough time and access to the right data, theoretically you could pull the trace off, but it's not as simple as they try to make it sound with their analogy of tracking a piece of luggage from airport to airport. It's more like tracking a piece of luggage through an airport, then a train station, and finally a taxi stand.<br /><br />I suspect that a script consultant made the same realization about halfway through the shoot, because in the following scene, they explain that the cell phone had a program installed on it that allowed it to make and receive VoIP calls directly, therefore bypassing the need for PSTN termination. 
They further explained that the kidnappers were using this application to avoid paying for the PSTN termination, eliminating a credit card trail that could possibly identify them. Wow. I really wish I could hire these writers the next time I get into a technological pickle at work. Does anyone have their number?<br /><br />Even though the writers blundered in regards to VoIP, the fact that the professors could trace the IP address to a physical location is not a fantasy dreamed up to expedite the plot--although the writers did exaggerate its effectiveness, just a bit.<br /><br />Let's assume the IP address they got from the trace was 206.18.32.25. A simple query to the American Registry for Internet Numbers--a database that contains all of the IP address assignments for North America and some of the outlying islands--would have given them the owner of the IP address in question.<br /><br />Let's see what we get:<br /><br />(Actual results from http://ws.arin.net/whois)<br /><br /><span style="font-style: italic;">OrgName: Los Angeles Public Library</span><br /><span style="font-style: italic;">OrgID: LAPL</span><br /><span style="font-style: italic;">Address: 630 W. Fifth St.</span><br /><span style="font-style: italic;">City: Los Angeles</span><br /><span style="font-style: italic;">StateProv: CA</span><br /><span style="font-style: italic;">PostalCode: 90071</span><br /><span style="font-style: italic;">Country: US</span><br /><br />It seems that we got lucky. Sometimes the information contained in these registries is not as accurate as you might want. IP addresses are reassigned without notifying the registry, and the mailing addresses shown are often that of administrative or support offices, not the physical location where the IP address is in use.<br /><br />In this case, the street address is actually the Central Branch of the Los Angeles Public Library. This was verified easily through the Library's Web site. I love how canned examples always work out so nicely.<br /><br />In case you are interested, there are four other registries that provide similar information for South America, Africa, Europe and Asia Pacific, respectively.<br /><br />A good information security practitioner will have a few techniques that can be used to work around the inaccurate information you find in these registries, but the end-all-be-all method--which is supposed to incorporate all of the available techniques to produce significantly more accurate results--is IP GeoLocation. 
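An added example (my code, not from the post) of the registry lookup just described, run offline against a constructed record set: the organisation fields copy the ARIN result quoted above, but the NetRange/CIDR/NetName lines, the RegDate/Updated dates and the entire second record (an imaginary upstream provider's parent block) are made up. The lookup keeps the most specific block, which is what separates a customer's sub-allocation from the ISP block that contains it, and it carries the record's Updated date through so that a stale registration is visible rather than silently trusted.

```python
"""Registry (WHOIS) lookup of the kind shown above, done offline.

Added example, not from the post.  SAMPLE_WHOIS is constructed: the
organisation fields copy the ARIN result quoted in the post, but the
NetRange/CIDR/NetName/RegDate/Updated lines and the whole second record (an
imaginary upstream provider's parent block) are made up.
"""
import ipaddress

SAMPLE_WHOIS = """\
# Constructed sample in ARIN's key: value layout; not the output of a live query
NetRange:   206.18.32.0 - 206.18.32.255
CIDR:       206.18.32.0/24
NetName:    LAPL-NET-EXAMPLE
OrgName:    Los Angeles Public Library
OrgID:      LAPL
Address:    630 W. Fifth St.
City:       Los Angeles
StateProv:  CA
PostalCode: 90071
Country:    US
RegDate:    1995-01-01
Updated:    2001-06-30

NetRange:   206.18.0.0 - 206.18.255.255
CIDR:       206.18.0.0/16
NetName:    UPSTREAM-EXAMPLE
OrgName:    Example Upstream Provider
OrgID:      EXUP
City:       Chicago
StateProv:  IL
Country:    US
RegDate:    1994-05-05
Updated:    2006-11-20
"""


def parse_whois(text):
    """Split key: value output into one dict per record (blank lines separate records)."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "%")):
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def most_specific_allocation(ip, records):
    """Smallest CIDR block containing `ip`: the customer's sub-allocation, not the ISP's parent block."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in records:
        if "CIDR" not in rec:
            continue
        net = ipaddress.ip_network(rec["CIDR"], strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    return best[1] if best else None


def lookup(ip):
    """Registered holder of `ip` in the sample data, with the record's Updated date so staleness shows."""
    rec = most_specific_allocation(ip, parse_whois(SAMPLE_WHOIS))
    if rec is None:
        return None
    return {
        "org": rec.get("OrgName"),
        "net": rec.get("CIDR"),
        "city": rec.get("City"),
        "updated": rec.get("Updated"),
    }


if __name__ == "__main__":
    for ip in ("206.18.32.25", "206.18.77.1", "198.51.100.1"):
        print(ip, lookup(ip))
```

The parser only handles the flat key: value layout; pointed at saved output from a real registry query it gives you the holder of record, and the City and Address fields are still the mailing address of whoever registered the block, which is the same caveat the post makes.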
You can try it yourself on this free service:<br /><br /><center><a href="http://www.fraudlabs.com/demoIP2Location.aspx" target="_new"><img style="width: 174px; height: 56px;" src="http://www.fraudlabs.com/images/ip2locationdemo.gif" border="0" height="56" width="174" /></a></center><br /><br />My IP address returns a latitude and longitude about 15 miles north of my actual location. Using some of the other techniques that I didn't bore you with, you may have been able to get it down to about 5 miles southeast of where I am sitting. In either case, had the fictional kidnappers been using my WiFi, the poor FBI agent would have been listening to the wrong librarian complain about people talking on their phones, while the kidnappers laughed all the way to the bank. It's a good thing we don't listen to marketing hype.<br /><br />On a side note, about 40 minutes into the program, you can see some quick shots of the application the two brainiacs are using to locate the kidnappers. The laptop screen shows a map and a series of area codes and prefixes for phone numbers in the greater Los Angeles area. I'm not sure how that really helps them map IP addresses to geographic locations, but I am not a Cal Sci graduate, so who am I to judge?<br /><br />Finally, as you may know, TV shows and movies are not typically shot in chronological order. This may explain why the young professors, towards the end of the show, were suddenly able to trace a VoIP call that was made to a public pay phone. 
I suspect, by the time someone pointed out the issues in the script, the production crew had already shot the last scene and would not have been able to re-shoot it with the corrections. There was mention of someone violating two or three communications laws at one point, which may be another explanation, but sitting in the Los Angeles offices of the FBI, why would two professors from a top technical college risk jail time by doing something like that? I know I wouldn't.<br /><br /><span style="font-weight: bold;">To view this episode for free on CBS.com:</span><br /><br /><a href="http://www.cbs.com/innertube/">http://www.cbs.com/innertube/</a><br /><br />Posted by Unknown<br /><br /><br /><span style="font-weight: bold;">Prologue</span> (posted 2007-03-05, updated 2008-01-25)<br /><br />From what I have observed, screenwriters seem to take one of two approaches when they incorporate information security into their scripts. The first approach is to make everything so far-fetched that any comparison to reality would be all but impossible. The second is to pepper the script with terminology they found on the Internet, or got from some other seemingly reliable source, like the guy who fixes their computer when it won't print.<br /><br />The latter generally produces random lines of gibberish that are mumbled and mispronounced by unwitting actors. As an example, a film I saw recently included a scene in which one of the lead characters was monologuing on how he would fix the security problems in the FBI's computer network. During his short diatribe of networking and security jargon, the actor pronounced WAN (Wide Area Network) as Juan (the Spanish form of John). 
In case you are having trouble playing along at home, WAN should rhyme with "man."<br /><br />You'd think that they would have fixed that in post-production with Automatic Dialog Replacement during looping. Apparently, screenwriters are not the only ones who can play the terminology game.<br /><br />Posted by Unknown