Friday, September 19, 2008

Burn Notice "Good Soldier"

Hollywood has always had a love affair with biometrics. They were a mainstay of military, spy, and science fiction movies long before they were included on consumer laptops and door locks.

Because Hollywood got such a jump start on biometrics, most people's expectations have been set by these fictional depictions. In reality, the effectiveness of most biometric systems does not come close to what you see in movies and television.

An unfortunate side effect of this is that corporations have spent millions of dollars promoting and implementing these ineffective systems and, more discouragingly, governments have based public policy on these Hollywood-induced misconceptions.

If you remember back to the Burn Notice pilot, the protagonist, blacklisted spy Michael Westen, opens a biometric safe with a print he lifted off of its fingerprint reader.

This episode shows an attack against another biometric security mechanism, this time a facial recognition system that is designed to generate an alert when an unauthorized person enters a room.

Earlier this year, the Japanese government introduced regulation that allows for the prosecution of vending machine companies that sell cigarettes to persons under the age of 20.

Long before facial recognition became fashionable, 41 states and the District of Columbia implemented policies that restricted the sale of cigarettes through vending machines; in some cases these policies amounted to a complete ban on the practice.

These policies were based on years of research suggesting that younger children were more likely to obtain cigarettes from vending machines than from any other source, including friends and family. Subsequent research has shown that a complete ban on cigarette machines in places frequented by young children is significantly more effective than alternatives such as device locks.

So why did the Japanese government choose not to ban vending machines? While I am no expert in Japanese politics, I suspect that a vending machine company named Fujitaka convinced the regulating body that it could accurately judge the age of a purchaser by using biometrics, at least 90% of the time.

What Fujitaka and the Japanese regulators soon found out was that a 3-inch magazine photo placed in front of the camera would fool the system into selling cigarettes to underage kids. Oops.

This is exactly what Michael Westen does to gain entry to the hotel room of his sexy nemesis Carla. Armed with an 8x10 head shot of the room service guy, he easily gains entry to the room without setting off the alarm. Sound familiar? You can thank a bunch of Japanese schoolgirls for this one. The weakness is the same in both cases: a sensor that cannot tell a copy of the biometric from the live person, which is exactly what a liveness check is supposed to catch.

Saturday, July 19, 2008

Burn Notice "Turn and Burn"

Steganography, for those of you who don't know, is the art of hidden writing. While cryptography scrambles or obscures the content of a message, steganography attempts to hide the fact that a message is being sent. The example used in this episode shows a message hidden in a crossword puzzle, but modern techniques have been developed that allow messages to be hidden in everything from digital photographs to common network protocols.

In steganography the message is hidden by a technique, or process, rather than by a key in the way cryptography uses one, so once the encoding technique is discovered you can extract the plaintext from the stegotext without any additional information. (Some modern stego tools do take a key, typically to choose where in the carrier the bits go, but that is a layer on top: the point of the method is still that nobody notices a message exists.) With cryptography, on the other hand, you would need both the method and the key to extract the plaintext message.
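To make the method-versus-key distinction concrete, here is an added example (not code from the show or from this post): least-significant-bit steganography over a constructed array of "pixel" sample values, in an unkeyed form, where knowing the method is enough to recover the message, and a keyed form of the same scheme, where the key only decides which samples carry the bits. The cover data, the message and the key are all made up for the illustration.

```python
"""LSB steganography: an unkeyed scheme, where knowing the method is enough to
recover the message, beside a keyed variant of the same scheme.

Added example, not from the original post. The "image" is a constructed array
of 8-bit sample values standing in for pixel channels; no image library is used.
"""
import random
from typing import Iterable, Iterator, List, Optional


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def _bytes(bits: Iterable[int]) -> bytes:
    """Pack bits (MSB first) back into bytes; a trailing partial byte is dropped."""
    out = bytearray()
    acc = n = 0
    for b in bits:
        acc = (acc << 1) | b
        n += 1
        if n == 8:
            out.append(acc)
            acc = n = 0
    return bytes(out)


def _positions(n_samples: int, key: Optional[bytes]) -> List[int]:
    """Order in which the samples' least significant bits are used.
    Unkeyed: sequential, so the method alone locates the message.
    Keyed: a key-seeded permutation, so the positions depend on the key."""
    order = list(range(n_samples))
    if key is not None:
        random.Random(key).shuffle(order)
    return order


def embed(cover: bytes, message: bytes, key: Optional[bytes] = None) -> bytes:
    """Write a 16-bit length prefix followed by the message into the LSBs of
    the cover samples. Each sample changes by at most 1, which is what makes
    the change invisible to a casual viewer of a photograph."""
    payload = len(message).to_bytes(2, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for pos, bit in zip(_positions(len(cover), key), _bits(payload)):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes, key: Optional[bytes] = None) -> bytes:
    """Read the LSBs in embedding order, then use the length prefix to cut the
    message out. With the wrong key the positions are wrong and the result is
    noise rather than an error."""
    lsbs = [stego[pos] & 1 for pos in _positions(len(stego), key)]
    length = int.from_bytes(_bytes(lsbs[:16]), "big")
    return _bytes(lsbs[16:16 + length * 8])


def demo() -> dict:
    """Embed the same message with and without a key and show what an analyst
    who knows only the method can recover from each."""
    rng = random.Random(1)
    cover = bytes(rng.randrange(256) for _ in range(4096))  # constructed "pixels"
    msg = b"meet at the pier at noon"
    unkeyed = embed(cover, msg)
    keyed = embed(cover, msg, key=b"correct horse")
    return {
        "unkeyed_recovered": extract(unkeyed),            # method alone suffices
        "keyed_wrong_key": extract(keyed, key=b"guess"),  # noise without the key
        "keyed_right_key": extract(keyed, key=b"correct horse"),
        "max_sample_change": max(abs(a - b) for a, b in zip(cover, unkeyed)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note what the key does and does not buy you here: it hides where the bits are, but the message itself is still plaintext, so anyone who finds the right positions reads it directly. The sensible practice, in real tools as much as in this toy, is to encrypt first and embed the ciphertext.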

When the episode's opening voice-over tells the audience that "unless you have the key" you won't be able to read the message, it is a little misleading because the difference between steganography and cryptography is not explained.

It may have been better to say that without knowing how or where the message is hidden, you wouldn't even know it's there. Better yet, you could have bored the audience with a lengthy explanation of the history of steganography and how it differs from cryptography.


Wednesday, July 2, 2008

WarGames 25th Anniversary

Looks like they are going to re-release WarGames into theaters for one night to coincide with the release of the direct-to-video sequel to this 1983 classic.

Even with all of its technical inaccuracies and idealistic plot, this movie did for hacking in the '80s what Gidget did for surfing in the '60s.

In the mayhem that ensued from this hacker renaissance, a writer for Newsweek magazine suggested that parents should lock up modems like they would firearms--they were simply that dangerous. The nerve. Imagine if the ghost of hacking future had given him a peek at what was in store with the Internet!

Much of the cold war paranoia and fear will not play as strongly with a modern audience, but if you're looking for a trip down memory lane, this might be the ticket for you.

http://www.fathomevents.com/details.aspx?eventid=724

Monday, June 16, 2008

The Incredible Hulk (2008)

A recent study conducted in London showed that 21% of the 578 people stopped on the street by the researchers were willing to reveal their passwords in exchange for a chocolate bar. The obvious flaw in this study is the fact that the researchers had no way of verifying that the passwords provided were real, but I wonder how many people are devious enough to realize that giving a fake password will still get them that little piece of heaven.

The Incredible Hulk was already in the can when this study was released, so I have to give Zak Penn (or Edward Norton who apparently did an uncredited rewrite of the script) credit for coming up with a similar social engineering technique. Towards the end of the movie Bruce Banner, played by Edward Norton, needs to get into a high security university research building to gain access to a computer network. How does he do it (spoiler)? He brings several pizzas from the pizzeria that he was hiding out in and uses them to bribe a security guard and a graduate student into looking the other way while he accesses the network with his ex-girlfriend's user name and password.

In real life this probably would not have worked on a trained security guard--I recently saw someone try something very similar and fail--but there is no doubt in my mind that the graduate student would have handed over the keys to the kingdom for a free pizza.

Sunday, April 6, 2008

Firewall (2006)

This film garnered a significant amount of criticism in the computer community for its presumed technical inaccuracies, most notably for how Harrison Ford's character used his daughter's iPod to store bank account numbers. However, as Roger Ebert correctly pointed out in his review of the film, "...an iPod can do that -- act as a backup hard drive...."

With a few Google queries, it's easy to figure out that you can connect digital cameras to iPods and use them to store images, so it's not that far of a stretch to assume that the scanner acted in the same way. Come on people, get a grip.

To that point, I have been finding that critics, like screenwriters, have gotten into a bad habit of assuming that the general public's lack of knowledge somehow negates their responsibility to know how a technology works before they write about it. This was painfully obvious in the criticism of Untraceable, and just as evident in the focus of the criticism of this movie. I'm not saying that this movie isn't flawed, just that the true flaws were overlooked.

The most obvious flaw, from my perspective, shows up about 7 minutes into the film. While too short to be called a technical monologue, the following lines start things off:

"Let's try a rule change on him and see what he does. I'll put in an IPS signature that black holes the pattern...see if that slows him down."

Possibly afraid that Harrison Ford's delivery of the line would not play on its own, the filmmakers quickly cut to a shot of him typing commands into a computer.

For those of you who don't immediately see the problem, I may need to explain what IPS is.

Intrusion prevention systems, or IPS, are inline intrusion detection systems: they sit in the traffic path, look for specific signatures, or patterns, in network packets, and drop what matches in order to stop the attack. Traditional IDS watch a copy of the traffic and simply send alerts when they detect a pattern, but do not attempt to stop the attack.

The following is an example of an intrusion detection signature, or rule, in Snort syntax, that detects brute-force logins to a Web application, which is similar to what is described in the dialog:

alert tcp $WEB_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;)

The first thing that you will notice is that the IDS rule looks nothing like what is being typed into the administrative console. What the film shows is actually a Cisco ACL (Access Control List) that blocks all traffic from the 172.16.2.0 subnet, not an IPS signature. A static block like that can't produce signature false positives, but it blocks every host in that subnet whether or not it is attacking, and it does nothing against an attacker coming from Hong Kong, Korea, or Malaysia.

The other problem, which is not as obvious, is that the traffic that they are showing is unencrypted HTTP. Needless to say, this is not something you want to do when you are running a banking Web site.

An interesting thing about that, however, is that intrusion detection systems are not very effective with encrypted traffic. There are things you can do to make it work, such as terminating SSL in front of the sensor or handing the sensor the server's private key, but in real life brute-force login attempts would most likely be tracked and blocked by the Web application itself, not by something that monitors the network.
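Here is what that application-layer tracking looks like, as an added example (not the film's code, not Snort, and not code from this post), using the same threshold the Snort rule above expresses: five failures within sixty seconds. The Snort rule is written on the server's responses, so its "track by_dst" ends up counting per client; the tracker below counts per client directly. The log lines are constructed, and their layout (ISO timestamp, client IP, event, username) is an assumption, not any real product's format.

```python
"""Application-layer brute-force login detection with the threshold the Snort
rule above expresses (5 failures involving one client within 60 seconds).

Added example, not the film's code, not Snort, and not from the original post.
The log lines are constructed for the example, and their layout (ISO timestamp,
client IP, event, username) is an assumption, not any real product's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Tuple

# Constructed sample: one client hammers a single account, another client
# mistypes once and then succeeds, which is ordinary user behaviour.
SAMPLE_LOG = """\
2008-04-06T10:00:01Z 203.0.113.7 LOGIN_FAIL user=jstanfield
2008-04-06T10:00:03Z 203.0.113.7 LOGIN_FAIL user=jstanfield
2008-04-06T10:00:05Z 198.51.100.2 LOGIN_FAIL user=bcox
2008-04-06T10:00:09Z 203.0.113.7 LOGIN_FAIL user=jstanfield
2008-04-06T10:00:12Z 198.51.100.2 LOGIN_OK user=bcox
2008-04-06T10:00:20Z 203.0.113.7 LOGIN_FAIL user=jstanfield
2008-04-06T10:00:31Z 203.0.113.7 LOGIN_FAIL user=jstanfield
2008-04-06T10:00:40Z 203.0.113.7 LOGIN_FAIL user=jstanfield
2008-04-06T10:02:10Z 203.0.113.7 LOGIN_FAIL user=jstanfield
"""


class FailureTracker:
    """Sliding-window failure counter keyed by client address.

    The Snort rule is written on the server's responses ("flow:from_server"),
    so its "track by_dst" also ends up counting per client. Its "threshold
    type threshold" fires on every `count`-th event within `seconds`; that is
    reproduced here by clearing the window when an alert fires. ("type limit"
    would fire once per window instead.)"""

    def __init__(self, count: int = 5, seconds: int = 60):
        self.count = count
        self.seconds = seconds
        self.window: Dict[str, Deque[datetime]] = defaultdict(deque)

    def record(self, client: str, when: datetime) -> bool:
        q = self.window[client]
        q.append(when)
        # Drop failures that have fallen out of the window.
        while q and (when - q[0]).total_seconds() > self.seconds:
            q.popleft()
        if len(q) >= self.count:
            q.clear()
            return True
        return False


def parse_line(line: str) -> Tuple[datetime, str, str]:
    ts, client, event, _rest = line.split(" ", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, event


def detect(log_text: str, count: int = 5, seconds: int = 60) -> List[Tuple[str, str]]:
    """Return (client, timestamp) pairs at which the threshold was crossed.
    This is the point where a real application would lock the account, add a
    delay or a CAPTCHA, or refuse the client for a while."""
    tracker = FailureTracker(count, seconds)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, event = parse_line(line)
        if event == "LOGIN_FAIL" and tracker.record(client, when):
            alerts.append((client, when.strftime("%Y-%m-%dT%H:%M:%SZ")))
    return alerts


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The application sees the failure itself, whatever transport encryption is in use, which is the whole advantage over a network sensor staring at HTTPS. Note also that reacting by blocking the client address alone has the same two problems as the ACL in the film: collateral damage to everyone behind that address, and no effect on the attacker's next address.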

Friday, March 7, 2008

Untraceable (2008), part 2

For those of you not in the know, black holing, a term used in the technical monologue from the previous post, is a technique used by Internet service providers, also known as ISPs, to block access to phishing sites and other criminally themed Internet destinations (and, just as often, to drop traffic aimed at a host under denial-of-service attack).

Black holing is usually done in one of two ways. The first is to prevent traffic from reaching the IP address of the server by manipulating the ISP's routing configuration, or routing table, to force any packet destined for the server to a non-existent network location. This is also called null routing.

The problem with this approach is that more than one Web site can be associated with a single IP address--large Web site hosting companies will do this to save money and simplify configuration. Consequently, if an ISP black holes the IP address of a criminal site that is hosted by, let's say, Yahoo! GeoCities, it could inadvertently block hundreds, if not thousands, of legitimate sites in the process. This is not a good thing.

The second method is changing the DNS record on the service provider's name servers to map the domain to another IP address, usually 127.0.0.1, the loopback address of the machine that asked. Alternatively, an ISP can point the name at an informational Web site it hosts explaining that the site has been blocked. The limit of this approach is that you can't black hole by URL, only by domain name (and only for customers who actually use the ISP's resolvers).

A URL, or Uniform Resource Locator, is the combination of the protocol, the domain name, and the location of the object, such as an image or Web page, on the Web server. For example, if you look at the address bar of your browser you can see all three elements: the first component, http://, specifies the protocol; the second, blog.massmediasecurity.com, is the domain; and the third, /2008/02/Untraceable.html, is the location of this page on the web server. In simple terms, with DNS black holing you can block entire Web sites, but not specific pages contained in them.

While this is an improvement over blocking by IP address, it is not without its problems. Sometime in 2007, the MySpace page of Alicia Keys was compromised. The attackers embedded malware on the page in a way that fooled users into downloading it by inadvertently clicking on a hidden link. By using Alicia Keys' fan page to host their malware, the bad guys effectively prevented any ISP from black holing the site, because the service providers would have needed to block all of MySpace just to block the one file.
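The collateral damage argument of the last few paragraphs can be computed rather than argued. The following is an added example, not code from this post or from any ISP's tooling: a constructed hosting map (a shared-hosting address serving several unrelated domains, and a social-network domain with many member pages, one of which carries a malicious file) and a function that lists everything each black-holing method would take down along with the target. The domains, addresses and pages are all made up for the illustration.

```python
"""What each black-holing method takes down along with the target.

Added example, not from the original post. The hosting map is constructed:
which domains share an address and which pages exist under a domain are made
up for the illustration, using documentation address ranges.
"""
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed: a shared-hosting address serving several unrelated domains, and a
# social-network domain with many member pages, one of which carries malware.
HOSTING: Dict[str, List[str]] = {
    "192.0.2.10": ["bad-phish.example", "bakery.example", "choir.example", "pta.example"],
    "192.0.2.20": ["social.example"],
}
PAGES: Dict[str, List[str]] = {
    "bad-phish.example": ["/login.html"],
    "bakery.example": ["/", "/menu"],
    "choir.example": ["/"],
    "pta.example": ["/", "/calendar"],
    "social.example": ["/fan/alicia", "/fan/alicia/hidden.exe",
                       "/user/1", "/user/2", "/user/3"],
}


def resolve(domain: str) -> str:
    """Stand-in for a DNS lookup against the constructed hosting map."""
    for ip, domains in HOSTING.items():
        if domain in domains:
            return ip
    raise KeyError(domain)


def blocked_by(method: str, target_url: str) -> Set[str]:
    """Every URL that becomes unreachable when `target_url` is black-holed by
    `method`: "ip" (null route the address), "dns" (sinkhole the name), or
    "url" (a filtering proxy that sees the whole request line)."""
    if method not in ("ip", "dns", "url"):
        raise ValueError(f"unknown method {method!r}")
    target = urlsplit(target_url)
    target_ip = resolve(target.hostname)
    blocked = set()
    for domain, paths in PAGES.items():
        for path in paths:
            url = f"http://{domain}{path}"
            if method == "ip" and resolve(domain) == target_ip:
                blocked.add(url)
            elif method == "dns" and domain == target.hostname:
                blocked.add(url)
            elif method == "url" and url == target_url:
                blocked.add(url)
    return blocked


def collateral(method: str, target_url: str) -> List[str]:
    """The blocked URLs other than the target itself."""
    return sorted(blocked_by(method, target_url) - {target_url})


if __name__ == "__main__":
    phish = "http://bad-phish.example/login.html"
    malware = "http://social.example/fan/alicia/hidden.exe"
    for method in ("ip", "dns", "url"):
        print(method, "phish collateral:", len(collateral(method, phish)),
              "malware-file collateral:", len(collateral(method, malware)))
```

Run it and the two cases come out the way the text predicts: for a throwaway phishing domain on shared hosting, DNS sinkholing blocks exactly the target while a null route takes five innocent pages with it; for one file on a big shared domain, null route and DNS sinkhole are equally blunt, and only something that sees the full URL (a filtering proxy, or the site operator removing the file) is precise.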

All that being said, implementing black hole filters is not something that ISPs do without significant debate. Additionally, the FBI does not have direct access to core internet routers, nor would a country that has constitutional protection of free speech allow any of its agents to block access to any Web content without due process.

In the real world, the FBI would have sought a court order to have the Web site shut down, or a service provider would have implemented the filters on behalf of its customers. Either way, it would have been the ISPs that took the action, not the FBI. This is another thing that the writers of Untraceable got wrong.

Tuesday, February 19, 2008

Untraceable (2008)

Untraceable follows an FBI cyber crimes investigator as she attempts to track down a spree killer who posts live videos of his victims being tortured and killed on the Internet. As if that was not bad enough, the victims are killed faster as more people visit the Web site.

The title is derived from the fact that the FBI investigator, played by Diane Lane, is unable to track down the killer or shut his Web site down.

So how did the suspect hide and prevent the FBI from bringing his site down? The movie describes it this way:


"The site's IP keeps changing constantly. Each new address is an exploited server. It is running a mirror of the site. The site's Russian main server uses a low TTL so that your computer constantly queries the name server's record. And that is how it gives you a new address so consistently. There are thousands of exploited servers on the Internet, so he is not going to run out of victims anytime soon. But he is accessing these servers so quickly; he has got to be running his own botnet. I mean, we are black holing these IPs. Every time we shut one mirror down another one pops up."

What this technical monologue describes, with surprising accuracy and correct pronunciation, is fast-flux DNS. Let me explain how it works in a little more detail.

DNS, or Domain Name System, is the collection of servers--sometimes known as name servers--that turn human readable domain names, such as www.killwithme.com, into numeric Internet addresses, such as 64.37.182.110. These mappings--known as DNS records--include a mechanism to tell the requester how long the mapping is valid. That mechanism is known as time-to-live, or TTL.

Bot herders, the nefarious operators of botnets, figured out that a low TTL could keep a botnet controller or phishing site from being shut down. To do this, these lawless vagabonds create DNS records that map a single domain to hundreds or thousands of IP addresses and hand them out a few at a time. Because the low TTL forces resolvers to throw the answer away and ask again as often as once a minute, the set of addresses a visitor sees rotates constantly, which makes it possible to deploy a phishing site or botnet controller across thousands of mirrors--computers with copies of the Web site or controller application--while the ISPs' security staff play whac-a-mole trying to knock the servers off the Net. A low TTL on its own proves nothing, since content delivery networks use short TTLs for perfectly legitimate load balancing; it is the short TTL combined with an address set that never stops changing that gives fast-flux away.
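As an added example (not from the film or from this post), here is how that combination of signals looks in passive DNS data. The observations are constructed: a fast-flux name whose every answer brings new addresses, a CDN-style name with a short TTL but a stable pair of addresses, and a static name. The names are illustrative, the addresses are documentation ranges, and the thresholds in flux_report are assumptions rather than measured values.

```python
"""Spotting fast-flux from passive DNS observations: a short TTL on its own is
not the signal (CDNs use short TTLs too); it is the short TTL combined with an
address set that keeps changing.

Added example, not from the film or the original post. The observations are
constructed, the names are illustrative, and the addresses are documentation
ranges; the thresholds in flux_report are assumptions, not measured values.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (seconds since start, queried name, answer TTL, A records in the answer)
OBSERVATIONS: List[Tuple[int, str, int, List[str]]] = [
    (0,    "flux.example",   60,    ["203.0.113.10", "203.0.113.55", "198.51.100.7"]),
    (60,   "flux.example",   60,    ["203.0.113.55", "198.51.100.9", "192.0.2.33"]),
    (120,  "flux.example",   60,    ["192.0.2.34", "198.51.100.12", "203.0.113.77"]),
    (180,  "flux.example",   60,    ["192.0.2.35", "198.51.100.14", "203.0.113.78"]),
    (0,    "cdn.example",    30,    ["192.0.2.100", "192.0.2.101"]),
    (60,   "cdn.example",    30,    ["192.0.2.101", "192.0.2.100"]),
    (120,  "cdn.example",    30,    ["192.0.2.100", "192.0.2.101"]),
    (0,    "static.example", 86400, ["198.51.100.200"]),
    (3600, "static.example", 86400, ["198.51.100.200"]),
]


def summarize(observations) -> Dict[str, dict]:
    """Per name: the lowest TTL seen, the set of every address ever returned,
    and for each answer after the first, the fraction of it that was new."""
    per: Dict[str, dict] = defaultdict(lambda: {"ttl": None, "ips": set(), "churn": []})
    for _, name, ttl, ips in sorted(observations, key=lambda o: (o[1], o[0])):
        s = per[name]
        s["ttl"] = ttl if s["ttl"] is None else min(s["ttl"], ttl)
        if s["ips"]:  # the first answer is all new by definition; skip it
            s["churn"].append(len(set(ips) - s["ips"]) / len(ips))
        s["ips"] |= set(ips)
    return per


def flux_report(observations, max_ttl: int = 300, min_ips: int = 6,
                min_churn: float = 0.5) -> Dict[str, dict]:
    """Flag names whose answers have a short TTL and keep introducing new
    addresses. The thresholds are illustrative assumptions."""
    report = {}
    for name, s in summarize(observations).items():
        churn = sum(s["churn"]) / len(s["churn"]) if s["churn"] else 0.0
        report[name] = {
            "ttl": s["ttl"],
            "distinct_ips": len(s["ips"]),
            "churn": round(churn, 2),
            "fast_flux": s["ttl"] <= max_ttl and len(s["ips"]) >= min_ips
                         and churn >= min_churn,
        }
    return report


if __name__ == "__main__":
    for name, r in flux_report(OBSERVATIONS).items():
        print(name, r)
```

In practice you would add the spread of the addresses across networks and countries as a third signal; the one thing a real fast-flux network cannot do is keep its mirrors inside one provider's address space, because that is exactly what would make it easy to shut down.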

In spite of the fact that the screenwriters got the description of fast-flux correct, in the scenario they presented it would not have prevented the FBI from tracking down the source of the videos. What the screenwriters missed was that the videos were live, not pre-recorded. A pre-recorded video would have been extremely difficult to track down unless the investigators knew exactly when it was seeded to the mirrors; had the video been seeded into a peer-to-peer network for distribution, the source would have been almost impossible to find.

With live video, on the other hand, a network stream would have to originate, in real-time, from the physical location where the event is taking place. To track down the source of a live video, the FBI could have started with a single mirror of the Web site and worked backwards based on the network traffic being sent to it. As you can see from the diagram below, even if the killer hid behind multiple layers of servers, a properly trained investigator would still have been able to determine the origin of the video by tracing the network traffic from node to node.


The investigator would have used data generated by a tool known as NetFlow. NetFlow works by extracting information from the packets received on a router's interface and creating records that describe the unique flows. For the layman, flows are groups of similar packets from the same source to the same destination that are sent during the same period of time. For the more advanced reader, flows are keyed on the 5-tuple: source address and port, destination address and port, and protocol. The start time of a flow is the moment the first packet is seen, and an inactive timer determines the end time: each new packet resets the timer, and if it expires before another packet arrives the flow is considered complete. For TCP, a flow is also ended when a session teardown is seen (a FIN, or a RST). One practical wrinkle: routers also apply an active timeout, so a long-lived flow such as a live video stream is exported as a series of records, one per timeout interval, that the collector has to stitch back together.

The live video would have produced an easily identifiable flow that could have been used to track the network location of the creator and subsequently their physical location. With a little router command line magic, it could have been done in real-time. Whether the FBI could have mobilized fast enough to save the victim and catch the bad guy is another issue, but the bad guy would have definitely been traceable.
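The flow-building rules from two paragraphs up and the "work backwards from a mirror" step can be shown together. The following is an added example, not code from the film or from this post: a small NetFlow-style flow builder (5-tuple keys, inactive and active timeouts, FIN/RST termination) run over a constructed capture of an origin-to-relay-to-mirror video feed plus some unrelated traffic, and a function that walks the biggest long-lived inbound flow back one hop at a time. The addresses are documentation ranges, and the mirror, relay, origin and timeout values are assumptions for the illustration.

```python
"""A NetFlow-style flow builder, and the "follow the stream back" step the post
describes, run over constructed traffic.

Added example, not from the film or the original post. The packets are
constructed; addresses are documentation ranges. The mirror, the relay, the
origin, and the timeout values are assumptions for the illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

INACTIVE_TIMEOUT = 15.0   # no packet for this long closes the flow (defaults vary by vendor)
ACTIVE_TIMEOUT = 1800.0   # a long-lived flow is exported in slices no longer than this


@dataclass
class Flow:
    key: Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)
    start: float
    end: float
    packets: int = 0
    octets: int = 0
    finished: bool = False                 # ended by FIN/RST rather than by timeout

    @property
    def duration(self) -> float:
        return self.end - self.start


def build_flows(packets, inactive=INACTIVE_TIMEOUT, active=ACTIVE_TIMEOUT) -> List[Flow]:
    """packets: (ts, proto, src, sport, dst, dport, size, tcp_flags) tuples."""
    open_flows = {}
    done: List[Flow] = []
    for ts, proto, src, sport, dst, dport, size, flags in sorted(packets):
        key = (proto, src, sport, dst, dport)
        f = open_flows.get(key)
        # Inactive timer expired, or active timeout reached: export and start over.
        if f is not None and (ts - f.end > inactive or ts - f.start > active):
            done.append(open_flows.pop(key))
            f = None
        if f is None:
            f = open_flows[key] = Flow(key, ts, ts)
        f.end, f.packets, f.octets = ts, f.packets + 1, f.octets + size
        if proto == "tcp" and ("F" in flags or "R" in flags):
            f.finished = True
            done.append(open_flows.pop(key))
    done.extend(open_flows.values())  # still open when the capture ended
    return done


def trace_back(flows: List[Flow], host: str, min_duration: float = 30.0) -> List[str]:
    """Starting at a mirror, repeatedly pick the longest-lived, biggest inbound
    flow and move to its source. A live stream is the only thing that stays up
    for minutes at a steady rate, so it stands out at every hop."""
    chain = [host]
    while True:
        inbound = [f for f in flows if f.key[3] == host and f.duration >= min_duration]
        if not inbound:
            return chain
        host = max(inbound, key=lambda f: f.octets).key[1]
        if host in chain:           # loop guard
            return chain
        chain.append(host)


def _stream(src, dst, start, seconds, sport=40000, dport=8000):
    """Constructed: one 1400-byte packet per second, as a steady video feed would."""
    return [(start + i, "tcp", src, sport, dst, dport, 1400, "A") for i in range(seconds)]


# Constructed capture: origin -> relay -> mirror video feed, plus a viewer's short
# HTTP fetch from the mirror and an unrelated DNS answer.
PACKETS = (
    _stream("203.0.113.66", "192.0.2.50", 100.0, 90)
    + _stream("192.0.2.50", "198.51.100.5", 100.5, 90)
    + [(120.0, "tcp", "198.51.100.77", 51000, "198.51.100.5", 80, 300, "S"),
       (120.1, "tcp", "198.51.100.77", 51000, "198.51.100.5", 80, 200, "A"),
       (120.3, "tcp", "198.51.100.77", 51000, "198.51.100.5", 80, 60, "F"),
       (130.0, "udp", "192.0.2.9", 53, "198.51.100.5", 41000, 120, "")]
)


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(len(flows), "flows; trace:", " <- ".join(trace_back(flows, "198.51.100.5")))
```

Two things worth noticing when you run it. Dropping the active timeout to 60 seconds splits each 90-second feed into two records, which is the stitching problem a collector faces with a real stream. And the trace only works because the investigator has flow data from the relay's network as well as the mirror's; in practice each hop means another provider to ask, which is where the court orders and the clock come in.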

Untraceable, Continued