Sunday, October 14, 2007

CSI: NY "You Only Die Once"

With the writers of Numb3rs playing it safe this season by limiting their expedient exaggerations to areas of physics and mathematics, I was relieved to see that CSI: NY stepped up to the plate to keep me occupied.

As you may have guessed from the title, this episode deals with a band of James Bond-like criminals who drive around in a high-tech sports car and fast-rope out of high-rise luxury condos. The CSI team discovers that the criminals are not looking for traditional valuables such as furs and jewelry--they are after personal information stored on electronic devices. The team surmises this while examining a coat taken off a man found face down in a gutter.

How did they come to this conclusion? The department IT folks called and informed the team that they had a firewall breach and someone was illegally accessing the network. Our quick-witted investigators power down the lab to contain the breach, but are puzzled when the examination table's fluorescent lights continue to flicker. They determine it has something to do with the jacket, so they pull it apart and find a mesh of wires connected to a MiniSD memory card.

What they discovered in the jacket was a device that can magically download information off any device over a wireless connection. The most amazing part of this contraption is that the whole thing is heat activated. I can only assume that they meant it was powered by body heat, or some other heat source, because a device like this that only turns on when it's hot doesn't make any sense at all.

A little research on my part found that a group of German researchers at the Fraunhofer Institute have created a similar generator that can produce about 200 millivolts. But according to our friends over at Engadget, you'd need about 1 watt to power just the processor of a modern handheld device. The Fraunhofer generator produces about 2 milliwatts, roughly 500 times too little. Sorry Charlie, even with the long underwear, you come up short in the power department.

To compound the power problems, you would need both WiFi and Bluetooth radios, plus a CPU and operating system that can perform moderately complex cryptographic functions, none of which I saw on the device.

I'm not sure why the wannabe secret agents needed a device like this in the first place. They were the party planners and staff, so rigging a laptop to do the same thing and attaching it under the buffet table would have been much easier, more effective, and would have gone completely unnoticed. Moreover, if you take the risk of breaking into someone's condo, you're better off attaching a USB or FireWire drive to the computer and downloading the information that way--when you are in the middle of a B&E, you really don't want to wait around for your system to crack the WiFi and then break into the computer, assuming there are any vulnerabilities to be exploited in the first place.

As for how the lab was hacked, what they were trying to describe is an "evil twin" attack. By mimicking an existing WiFi access point, or AP, an attacker can trick a computer into connecting to a network they control. By exploiting weaknesses in a commonly used WiFi link encryption protocol, WEP, you can even mimic an AP that has encryption enabled. At that point the attacker has a direct network connection to the computer, but would still need to exploit a vulnerability on it to gain access to anything. Technically speaking this sidesteps any network-based firewall sitting between the lab and the outside world, because the attacker is now on the lab's side of it, but it does not "breach" or break the firewall as the script claimed.
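An evil twin works because beacons are unauthenticated: anyone can advertise your SSID. Below is an added example (my code, not anything from the show or from CBS) of the kind of triage a lab's IT folks could run over a WiFi scan to spot an impostor before anyone connects to it. The scan records, the "NYPD-Lab" SSID and the OUI prefix of the lab's own APs are all constructed for the example.

```python
"""Evil-twin triage over a constructed WiFi scan (added example, not from the original post)."""
from collections import defaultdict

# Constructed scan results: (ssid, bssid, security, channel, rssi_dbm).
# The third "NYPD-Lab" entry is the impostor: open, unknown vendor prefix,
# and suspiciously strong (an attacker parks close to the victim).
SCAN = [
    ("NYPD-Lab", "00:1a:2b:3c:4d:5e", "WEP", 6, -48),
    ("NYPD-Lab", "00:1a:2b:3c:4d:5f", "WEP", 11, -51),
    ("NYPD-Lab", "0e:c0:ff:ee:00:01", "OPEN", 6, -31),
    ("Guest", "00:1a:2b:3c:4d:60", "OPEN", 1, -60),
]

# Hypothetical OUI (first three octets of the BSSID) of the APs the lab deployed.
KNOWN_OUIS = {"00:1a:2b"}


def oui(bssid):
    """Vendor prefix of a MAC address, normalised to lower case."""
    return bssid.lower()[:8]


def find_evil_twins(scan, known_ouis=KNOWN_OUIS, rssi_gap_db=15):
    """Return [(ssid, bssid, [reasons])] for BSSIDs that look like impostors.

    Only SSIDs that are also advertised by one of our own APs are examined;
    a stranger's network with an unfamiliar name is not a twin of anything.
    """
    by_ssid = defaultdict(list)
    for rec in scan:
        by_ssid[rec[0]].append(rec)

    findings = []
    for ssid, recs in by_ssid.items():
        ours = [r for r in recs if oui(r[1]) in known_ouis]
        if not ours:
            continue
        our_secs = {r[2] for r in ours}
        our_strongest = max(r[4] for r in ours)
        for _, bssid, sec, chan, rssi in recs:
            reasons = []
            if oui(bssid) not in known_ouis:
                reasons.append("BSSID prefix %s is not one of ours" % oui(bssid))
            if sec == "OPEN" and our_secs != {"OPEN"}:
                # Classic twin trick: same name, no encryption, so clients that
                # remember the SSID will happily associate.
                reasons.append("advertises OPEN while our APs use %s" % ",".join(sorted(our_secs)))
            if rssi - our_strongest >= rssi_gap_db:
                reasons.append("RSSI %d dBm is %d dB above our strongest AP"
                               % (rssi, rssi - our_strongest))
            if reasons:
                findings.append((ssid, bssid, reasons))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in find_evil_twins(SCAN):
        print("%s %s: %s" % (ssid, bssid, "; ".join(reasons)))
```

Two caveats a practitioner would add: an attacker can clone the BSSID as well as the SSID, so the vendor-prefix check only catches the lazy ones, and the signal-strength rule depends on where the scanner sits. Treat a hit as a reason to walk over with a directional antenna, not as proof.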

If you'd like to learn a little more about the WEP attack, InfoWorld has a detailed (but non-technical) description here.

Watch CSI: NY for free on CBS.com:

CBS Innertube

Saturday, October 6, 2007

The 13 Hackiest Hacking Movie Moments

Maxim Magazine has jumped on the bandwagon and created their own list of ridiculous movie hacking moments. They missed some classics, but it's still a good list. Check it out here.

Saturday, June 30, 2007

Live Free or Die Hard (2007)


The latest installment in the Die Hard series has our hero John McClane chasing after a crew of hacker-terrorists that are systematically shutting down the critical infrastructure of the United States. The movie describes this as a "fire sale," as in "everything must go."

While I do not pretend to be part of the in-crowd when it comes to national security terminology, I don't recall ever hearing this term used to describe any scenario relating to critical infrastructure attacks. I suspect the screen writers just made it up.

At any rate, the action begins in an FBI operations center that makes the fictional NORAD command center from WarGames look like, well, the real NORAD command center. Even with its modern architecture and sleek interface design, the most amazing part of this set is the fact that the 20-foot projection screens show relevant network security information from every U.S. government network, as well as the national energy grid--truly unbelievable.

With all of the creativity that Hollywood has to offer, I'm sure it's still difficult to visualize a network intrusion in a way that most people would find interesting, but showing computer screens dim, go black and then suddenly come back to life just doesn't do it for me. Yet this is exactly how the action gets kicked off and, without much investigation, the FBI knows immediately that it was the work of hackers. Holy crap, I thought someone forgot to pay the power bill!

So what was compromised exactly? The power supply to the monitors? It obviously wasn't the computers, because when the screens came back on there was nothing to indicate that they were compromised or had even lost power. I don't mean to suggest that a compromised system would have some sort of visual indicator, but with all that the operations center had to offer, you'd think the screen writers or director could have come up with something a little more realistic or clever, such as showing that all of the FBI's computers are sending out spam for herbal Viagra. Just a thought.

I could bore you with paragraphs on SCADA system security, or ask why someone would spend money to build a networked system that shuts off lights that don't need to be turned off, but I'll simply focus on one of my biggest beefs with this movie which is the use of what I call "magical hacking tools."

While everything in a Hollywood production is larger than life, there seems to be an obsession with showing omnipotent hacking tools with elaborate graphical interfaces which, in addition to allowing easy access to every function of an extremely complex system, can also mimic any system's GUI.

In reality, even commercial security tools do not have this level of functionality or interface design, but I don't want to denigrate the advances our blackhat friends have made over the last couple of years with their software. Take a look at this Web GUI used to control botnets. Most corporate systems don't look this good.


Burn Notice "Pilot"

What do spies do when they've been blacklisted? According to Burn Notice, they hang around in Miami, avoid their mothers, and get advice from alcoholic ex-spies. In this "Get Shorty meets The Equalizer" one hour drama, you also learn that blacklisted spies have many useful skills that they can pull from their tradecraft to assist people who can't get help from the law.

One of these skills is using latent fingerprints lifted from a fingerprint reader to open a safe.

You might be thinking that this is something the screen writer made up to get himself out of a jam, but according to a Japanese researcher (Tsutomu Matsumoto, whose 2002 "gummy finger" work tested this against commercial readers), it can be done--with about an 80% success rate. However, what was shown in this episode is an overly simplified, and slightly inaccurate, depiction of what you would actually need to do to pull it off. Let me explain.

If Burn Notice were a two-hour procedural drama, you would have seen Jeffrey Donovan's character find a non-porous surface, such as a water glass, that he knew the safe's owner had touched. Getting the print from the safe seems like a logical idea, but in reality, the size and weight of the safe would make it difficult to work with.

Next, he would use a technique called cyanoacrylate fuming to draw out the latent prints. Cyanoacrylate fuming is just a fancy way of saying you expose the surface to vaporized Krazy Glue. These vapors, or fumes, react with the amino acids and other residue left behind when you touch something with your fingers. This reaction forms a white sticky material that outlines the ridges of the fingerprints. This white sticky material is another reason why you wouldn't want to use the safe to get the print--you'd have to clean that sticky crap off before you left.

Once the reaction is complete, you can stain the results with colored dust and photograph them. Despite what you may have seen on those CSI shows, this process can take more than two hours and also requires the object to be placed in a sealed container. You'd probably be better off doing this in a safe place, in other words, not a house you just broke into.

Next, he would transfer the photograph to a computer, enhance it with Photoshop and print it out on transparency paper. The transparency would be placed over the photosensitive material that hobbyists use to create custom circuit boards. The material would then be exposed to ultraviolet light and etched with acid. The pattern printed on the transparency would now be etched into the board, creating an accurate mold of the fingerprint. The materials needed to do this are available at most electronics hobby shops for around $50.

To create his fake fingertip, he would pour gelatin into the mold and let it harden. He could then place the gummy fingertip on his own, and use it to fool the fingerprint reader and open the safe. Nice and easy.

Someone could probably create a portable kit so that this could be done on scene, but they'd need to speed up the cyanoacrylate fuming process to make the process streamlined enough for a black bag job.

Monday, June 25, 2007

What the CIA Could Learn from Hollywood

What I learned today is that at least one of the three writers that got WGA credit for The Recruit understood the basics of how cell phones work and what data is collected by service providers, but apparently failed to portray CIA training in an accurate light. Go figure.

If you are not familiar with this 2003 yawner, it follows several young CIA recruits through their training and first covert assignments. Towards the end of their training, the recruits go out on a surveillance and evasion exercise. Prior to the start of this exercise, one of their instructors specifically tells them to "turn your cell phones off because they act like tracking devices."

Obviously this doesn't happen during real CIA training. My evidence? Two dozen CIA agents were indicted in Italy for kidnapping a suspected al Qaeda agent in Milan and transporting him to Egypt. How did Italian prosecutors track down those accused of the kidnapping? Cell phone data.

Seems that the alleged kidnappers not only left their cell phones on, they actually used them throughout the operation, which allowed investigators to track them from the location of the kidnapping to the Air Force base that was allegedly used to fly the abductee out of the country.

Read the story in Congressional Quarterly:

http://www.cq.com/public/20051026_homeland.html

You can't make this crap up.

Thursday, May 31, 2007

Traveler "The Retreat"

Traveler is a new show about two recent college grads who are framed by their mysterious roommate, Will Traveler, for a bombing in New York City. The two are branded terrorists and quickly find themselves on the run from both the Feds and some yet-to-be-identified organization that is presumably the real mastermind behind the bombing.

In "The Retreat," the FBI brings in one of the fugitives' girlfriends for questioning. While still in the FBI offices, she receives a call from her absconder boyfriend on her cell phone. The FBI promptly tries to trace the call, or as the agent in charge describes it, engage in "a little T&T." I assume T&T stands for trap and trace, but with fictional FBI agents, you never know.

As the trace begins, the FBI technicians determine that the caller is using VoIP and it is "heavily encrypted" which will not prevent them from tracing the call, but would slow it down. The scene then cuts back to the boyfriend talking on his cell phone.

Again with the cell phone and VoIP--I'm not sure how this became so popular with TV writers, but there you go. In reality, there are a couple of services that will allow you to make VoIP calls from your cell phone, but they require either a WiFi-enabled handset or the use of cell-based data services, such as EVDO. However, handset support is limited and the cost of the data services really makes things unattractive for anyone except the well-paid geek.

Thus from a technology perspective, the scenario created by the writers is possible, but the details around it are a little off base and the chances of this actually happening the way they show it are pretty unlikely given the background of the characters.

I'm not going to get into the details of how a traditional trap and trace works, but needless to say, by the time you declare "I know how long it takes to trace a call and you're five seconds too short" you're already screwed--any notion of beating the clock is pretty much a pipe dream under most circumstances. The time-based trace does make for an effective tension-building device, so it's a little hard to fault screen writers for using it. But that's beside the point.

Because the story left some gaps around how the phone call was made, I am going to assume that the boyfriend placed the call on a prepaid cell phone bought with cash, and that he signed up for the VoIP outbound service with a prepaid gift card from Visa or American Express--which would have been bought with cash as well. He would need the outbound service to reach his girlfriend's cell phone via VoIP unless they had both set up the service prior to him being on the lam, which doesn't seem likely. Doing this would prevent any preexisting trap and trace from nailing him as soon as he turned on his phone.

So how would "heavy encryption" slow down the trace of a VoIP call? Simply put, it wouldn't. The way the call was routed would be the biggest limiting factor from a real-time tracing perspective. Additionally, if the call was terminated on the PSTN, the encryption would only exist between the VoIP phone and the PSTN gateway, meaning that anyone on the PSTN side would not even know it was there.

As if that were not enough, even with encryption, you could not easily hide the source address of the VoIP call. Even if you use UDP--a protocol that allows for easy IP address spoofing--you would not be able to have a two-sided conversation, because any return traffic would be routed to the bogus address and not back to your phone or soft client. That being the case, once the person tracing the call has access to the source IP address from the PSTN termination box, you are, again, screwed.

Of course, the person would then have to map the IP address to the cell phone account, and then pull the call records (unless you already had a trap and trace set up) to get the person's physical location, assuming that the provider records that information (some do). The time it would take to gather and correlate all of this information from the different providers and sources is what would really delay this Hollywood-style trace. Once again, the way the call is routed is the delaying factor in this scenario, not the encryption.
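To make the "correlate across providers" step concrete, here is an added example (my code, not anything from the show or ABC) that walks the call back the way an investigator would: destination number to the VoIP gateway's call record, source IP plus timestamp to the carrier's data-session log, handset identity to the cell site. Every record is constructed for the example; the phone numbers, IPs (RFC 5737 documentation ranges), IMSIs and cell IDs are made up. Notice that encryption never enters into it, and that the IP address alone is not enough: the same address was handed to a different handset an hour earlier.

```python
"""Tracing a VoIP-to-PSTN call back to a handset (added example, not from the original post)."""
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed records, all times UTC.
# 1. VoIP provider's PSTN gateway CDRs: which account, from which public IP, called which number.
GATEWAY_CDRS = [
    {"start": "2007-05-31 21:04:12", "dest": "+12125550142", "src_ip": "203.0.113.45", "account": "pp-8f31"},
    {"start": "2007-05-31 21:05:40", "dest": "+12125550199", "src_ip": "198.51.100.7", "account": "pp-1a90"},
]
# 2. Mobile carrier data-session log: which handset (IMSI) held which public IP, and when.
#    The same IP was leased to two different handsets on the same evening.
DATA_SESSIONS = [
    {"ip": "203.0.113.45", "start": "2007-05-31 20:10:00", "end": "2007-05-31 20:55:00", "imsi": "310150111111111"},
    {"ip": "203.0.113.45", "start": "2007-05-31 20:58:30", "end": "2007-05-31 21:20:00", "imsi": "310150222222222"},
]
# 3. Carrier cell-site records: which tower a handset was attached to at a given time.
CELL_RECORDS = [
    {"imsi": "310150222222222", "time": "2007-05-31 21:03:50", "cell_id": "NYC-0317"},
    {"imsi": "310150222222222", "time": "2007-05-31 21:06:05", "cell_id": "NYC-0318"},
    {"imsi": "310150111111111", "time": "2007-05-31 21:04:00", "cell_id": "NYC-0090"},
]


def trace_call(dest_number, cdrs, sessions, cells, slack=timedelta(seconds=30)):
    """Return one hop record per gateway CDR that reached dest_number.

    A hop carries the CDR, the IMSI that held the source IP at call time, and the
    cell IDs seen for that IMSI within `slack` of the call start. If the IP cannot
    be pinned to exactly one session at that instant, the hop carries an error
    instead; guessing here is how you raid the wrong apartment.
    """
    hops = []
    for cdr in cdrs:
        if cdr["dest"] != dest_number:
            continue
        t = ts(cdr["start"])
        holders = [s for s in sessions
                   if s["ip"] == cdr["src_ip"] and ts(s["start"]) <= t <= ts(s["end"])]
        if len(holders) != 1:
            hops.append({"cdr": cdr,
                         "error": "no unique session for %s at %s" % (cdr["src_ip"], cdr["start"])})
            continue
        imsi = holders[0]["imsi"]
        nearby = [c for c in cells if c["imsi"] == imsi and abs(ts(c["time"]) - t) <= slack]
        hops.append({"cdr": cdr, "imsi": imsi, "cell_ids": sorted({c["cell_id"] for c in nearby})})
    return hops


if __name__ == "__main__":
    for hop in trace_call("+12125550142", GATEWAY_CDRS, DATA_SESSIONS, CELL_RECORDS):
        print(hop.get("error") or "IMSI %s near cell(s) %s" % (hop["imsi"], ", ".join(hop["cell_ids"])))
```

The three lookups are trivial once the records are on your desk; the delay in real life is getting three different companies to produce them, and if the carrier runs its subscribers behind NAT you also need the source port from the gateway before the session lookup is unique. That, not the cipher on the VoIP leg, is what decides how fast the trace goes.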

Watch the episode for yourself on ABC.com:

http://dynamic.abc.go.com/streaming/landing

Tuesday, May 29, 2007

Heroes addendum

I guess we will have to wait until next season to find out how Micah's powers actually work, but we did get to see the extent of the damage he could inflict on electronic voting systems.