Thursday, May 29, 2014

Can I drop a pacemaker 0day?

Can I drop a pacemaker 0day at DefCon that is capable of killing people?

Computers now run our cars. It's now possible for a hacker to infect your car with a "virus" that can slam on the brakes in the middle of the freeway. Computers now run medical devices like pacemakers and insulin pumps, so it's now becoming possible to assassinate somebody by stopping their pacemaker with a Bluetooth exploit.

The problem is that manufacturers are 20 years behind in terms of computer "security". They don't just have vulnerabilities, they have obvious vulnerabilities. That means not only can these devices be hacked, they can easily be hacked by teenagers. Vendors do something like put a secret backdoor password in a device believing nobody is smart enough to find it -- then a kid finds it in under a minute using a simple program like "strings".

Wednesday, May 28, 2014

No, you can't remotely turn on phones

In the NBC interview, Snowden confirms that the NSA can remotely turn on Brian Williams' phone. This isn't true. Just because the NSA can hack into a lot of phones doesn't mean it can hack a specific model of phone at all.

The NSA has a lot of power over phones, but it's not omnipotent. There are limitations.

The basic hack Snowden is describing is hacking the "baseband processor". A phone is actually two computers: a low-power computer that manages communications with the cell tower, and a high-power computer that manages the screen. Right now, when your phone is in your pocket, that high-power computer is off, but the low-power baseband processor is still running, talking to the tower.

The code in baseband processors is crap. It's relatively easy to find vulnerabilities that can be used to take control of the baseband processor, either by reviewing the code, or setting up a hostile cell tower (like using OpenBTS) and fuzzing. The code is so fragile it's hard not to find a bug in it.

With that said, there are many different baseband processors. There's a good chance that when a vendor ships a new phone, the NSA doesn't have an 0day exploit yet for the new processor that comes with the phone. Also, while they can exploit most phones, there are some phones for which they never find a robust exploit.

Also, once they get into the baseband processor, they then have to get into the main phone system (Android or Apple). That requires a whole new set of exploits, which sometimes won't work. That's why the recent news about a debug feature in Samsung phones was so important -- because it created a "backdoor" allowing a baseband processor to take control of the phone.

Snowden saw programs that were widely successful at getting intelligence from phones, but he doesn't understand the details. Yes, there may be a model of phone out there where the NSA was able to "remotely turn it on" (probably because the baseband processor was never truly off), but that doesn't mean that when you turn off your iPhone the NSA can do anything with it. Your iPhone, or Brian Williams' phone, is safe from "remote turn on". On the other hand, if you have an iPhone, the NSA is doing its best to find 0day vulnerabilities, in the baseband, in the iOS operating system, in the browser, in apps, and so on. You are in danger -- but still, they aren't omnipotent over your phone.



Update: There has been some discussion about "implants" and how this changes the story. I'm not sure it does.

An "implant" is when the NSA intercepts your phone and installs hardware or software on it. Usually this is because they intercepted a shipment, snuck into your hotel room, or ran a remote exploit (via the Internet or via the baseband). Yes, an implant gives the NSA full control over your phone -- but it's difficult getting the implant on your phone in the first place.

Once the NSA installs an implant, then of course they can remotely "power on" your phone, because it's not really powered off -- even when you think it is.

But the question was Brian Williams holding a phone asking what the NSA could do to it -- in the future (power it on). He wasn't asking what they'd done to it in the past (install an implant).

My point is simply this: the NSA isn't omnipotent. They can't do everything. They can do a lot of things, and they've been very successful at doing a lot of things, but they aren't God, and they can't do Magic.



Update: The question whether the NSA can technically control a phone is often confused with whether they can legally control your phone.

In theory, the NSA can't operate in the United States -- so the department that'd be hacking your phone would be the FBI.

And what they can do legally is .... I just don't know anymore. I'd've said in the past that they'd need a warrant, but apparently police departments are hacking phones without warrants.


Tuesday, May 27, 2014

WordPress: unsafe at any speed

EFF technologist (and creator/maintainer of cool privacy tools) Yan Zhu noticed that WordPress still does not secure their session cookie, meaning users at the local Starbucks can have their accounts hijacked.

I first popularized this problem in 2007 at BlackHat with my Hamster/Ferret tools, hijacking an audience member's GMail account (I probably shouldn't have done that -- but the demo was otherwise not working). Eric Butler then released a much easier tool called Firesheep which really got the ball rolling: my tool was for hackers, but Firesheep made it so anybody could exploit the bug.

Google quickly fixed their servers over the next two years. Yes, relative to everyone else, this was "quick" -- it took everyone else much longer. Today, it's considered standard that when you log into a website, the entire session must be encrypted with HTTPS.

But not so WordPress -- apparently they haven't even started working on solving the problem. It's been 7 years since this has been in the news, and they still haven't thought of dealing with it.

But, this isn't even the worst problem. On WordPress.com, their login screen is served via HTTP. Cookie hijacking only gives the hacker the current session, but not your password or ability to make major changes. Unencrypted login forms allow a local hacker (sitting next to you at Starbucks) to steal your password as you login. Since you are probably a dufus and use the same/related password for all your other accounts, this means the hacker can steal everything.


As it turns out, this may not even be the worst problem. The standard WordPress configuration is built on the LAMP (Linux-Apache-MySQL-PHP) system, which has been obsolete for more than a decade. The problem with LAMP is that it doesn't scale.

The result is that once you start writing a lot of blogposts on your WordPress blogs, SEO bots (search engine optimization robots) will start spidering your blog, downloading a copy of all the posts and comments. This frequently overloads your server, taking down your blog. People just learn to live with it, with friends occasionally complaining that they can't get to the blog.

I know several people who've had this problem, and have partially solved the problem with CloudFlare. This gets rid of most, though still not all, scalability issues.


The upshot is this: WordPress is fundamentally broken in every way something can be broken. There's no way to secure it. There's no way to make it fast enough without spending a lot of money. If you are starting a new project, do not under any circumstances use WordPress. If you are stuck with WordPress, well, then, it sucks to be you, I know of no way to help you.


Monday, May 26, 2014

Greenwald's extremism damages the cause

Government has long corrupted journalists. We saw that in the last decade in how mainstream journalists protected secret programs like NSA spying rather than reveal them. We see that in the steady stream of stories coming from Washington D.C. correspondents citing unnamed officials pushing the government’s interests. We see this in their yearly party together called the “Washington Correspondent’s Dinner”. The NetFlix series “House of Cards” shows journalists whoring themselves in order to get “access” to top government officials – this is exactly what happens (well, not the sex, but the sacrificing of journalistic ethics in order to get access).

Greenwald’s dump of the Snowden material could’ve changed things – but has in fact made this worse. Firstly, the dump has been rather indiscriminate, including many things that legitimate journalists would never disclose. Secondly, it’s biased and distorted, serving Greenwald’s political agenda rather than informing the public.

Thus, rather than a foil against traditional journalism, proving how corrupt they’ve become, Greenwald’s reporting has done the reverse, justifying their pro-government approach as being the more responsible of the two alternatives. That’s what we’ve seen recently with journalists supporting Michael Kinsley’s op-ed against Greenwald. All agree that the Snowden leaks are legitimate news that should be reported, but disagree with how Greenwald has done it.


Mainstream journalism has been complicit in the NSA’s misdeeds, and Snowden was right to leak to somebody outside the mainstream establishment. Still, Greenwald has gone too far the other direction, turning away erstwhile supporters, damaging the cause.




A quick example of bad reporting is this story by Greenwald claiming that the NSA spied on the G20 summit in Canada. However, the leaked documents the story was based upon do not support that conclusion. Greenwald fabricated that conclusion out of thin air. I have some experience in this area, so I know this is true from reading the document. Moreover, other academics and experts have come to the same conclusion as mine.

After coming under fire, CBC has defended itself (here and here, h/t @LitThom). This defense is nonsense, of the quality of Newsweek's defense of its fraudulent Satoshi Nakamoto story, and NBC's defense of its fraudulent "Hacking in Sochi" story.

The upshot is this: the leaked documents show simply that the NSA helped coordinate security at the G20 summit, and nothing else. Extraordinary claims that they "spied on the G20" need to cite specific support. The document isn't enough -- if they have an expert that stands by their claim that it is, then they need to cite that expert.

...and this goes back to the original claim up top: "journalism" means citing sources for your claims, something Greenwald and CBC do not do. We have nothing to go on other than trusting that CBC consulted the right experts. On the flip side, critics who say this is bunk cite named experts, whom we ourselves can verify, by looking at their credentials and challenging their assertions. That Greenwald and his supporters expect to get away with unsubstantiated journalism offends real journalists.



Another example of Greenwald's bad reporting is described in this blog post. The story was a good one about intelligence services targeting activists -- but made exaggerated and unsubstantiated claims about DDoS.

In this case, the expert I'm citing on this is myself. Therefore, in the second part of my post, I prove my bona fides by showing you my code. Anybody can look at my code and confirm that yes, I am an expert.

Thursday, May 22, 2014

Kinsley vs. Greenwald: it's about principle

My twitter feed has exploded with hate over the Michael Kinsley review of "No Place To Hide". That's because they've focused on one small paragraph in the middle of the review rather than paying attention to Kinsley's larger point.

Kinsley is nominally on our side, agreeing that "the Snowden leaks were important — a legitimate scoop — and we might never have known about the N.S.A.'s lawbreaking if it hadn’t been for them".

What Kinsley disagrees with is Greenwald's lack of principle. For example, the NSA's breaking of the law demonstrates their perfidy, whereas Snowden's breaking of the law demonstrates his heroism. Greenwald changes his principle of the moment to show his side being good and the opposing side bad. Kinsley's long career in journalism is notable for his upholding journalistic principles. To somebody of integrity like Kinsley, somebody without integrity like Greenwald is anathema.

This is an important point, showing the third leg to the NSA/Snowden Affair: people of principle. Most people take an "us vs. them" stance where their own side can do no wrong and the opposing side can do no right. The third leg is people of principle, who while supporting part of Snowden's actions nonetheless don't agree with everything. For example, as I've written before, I believe Snowden is a hero, but nonetheless I think he belongs in jail.

This is similar to why people of principle cannot abide Julian Assange. Everyone who has worked closely with Assange confirms that the guy is a pathological liar (or, as Kinsley puts it, a "self-canonized narcissist"). Those who believe in the principle of truth and honesty cannot support Assange -- even while they support the principle of Wikileaks.

This idea of principle is the heart of Kinsley's review. Only as an afterthought does he claim the government should "have the final say over the release of government secrets" -- the statement that has generated so much disagreement. This is wrong, of course, but it stems from trust in the current system and his distrust of Greenwald's lack of principles. Where Kinsley errs is in not seeing how deeply delusional and corrupt the system has become. We have a system that errs on the side of leaking too few secrets rather than too many. That Greenwald has gone off the deep-end leaking too many is just a reaction to a delusional system that has been leaking too few.

In any case, my point is this: Kinsley's review isn't about the argument that the government should be the final arbiter (which is wrong). Instead, his point is that Greenwald sucks as a man of principle (which is right).

Wednesday, May 21, 2014

FBI will now record interrogations

This is huge, so I thought I'd blog about this: after a century, the FBI has reversed policy, and will now start recording interrogations.

Prior to this, the FBI policy was to not record interrogations. They worked in pairs (always two there are) with one guy interrogating, and the second quietly writing down what was said. What they wrote down was always their version of events, which was always in their favor.

This has long been a strategy to trap people into becoming informants. It's a felony to lie to a federal agent. Thus, if you later say something that contradicts their version of what you said, you are guilty of lying -- which they'll forgive if you inform on your friends.

I experienced this myself. Two agents came to our business to talk to us about a talk we were giving at BlackHat. Part of it contained the threat that if we didn't cancel our talk, they'd taint our file so we'd never be able to pass a background check and work in government ever again. According to a later FOIA, that threat wasn't included in their form 302 about the conversation. And since it's my word against theirs, their threat never happened.

This is a big deal in the Dzhokhar Tsarnaev (Boston bombing) case. The FBI interviewed Tsarnaev while he was near death on a hospital bed. Their transcription of what he said bears little resemblance to what was actually said, omitting key details like how often he asked to talk to his lawyer, or the FBI agents denying him access to his lawyer, or the threats the agents made to him.

This policy proved beyond a shadow of doubt that the FBI is inherently corrupt. Now that they are changing this, such proof will be harder to come by -- though I have no doubt it's still true.

Update: other stories have focused on video taping interrogations after arrest, but more importantly, the policy change also covers investigations, when they talk to people whom they have no intention of arresting (such as my case).


Note: I used this in my short story for last year's DEF CON contest. It's interesting that it's now already out of date.




Monday, May 19, 2014

How to wiretap a country

The latest Snowden leak is that the NSA has been wiretapping all of the nation of The Bahamas -- not just the metadata, but full audio. How much data is that? Here are some numbers:


  • 12.2 kilobits/second = high-quality audio codec used by cellphones
  • 58 minutes = average time American spends on phone per day (proxy for Bahamians)
  • 371,960 = population of The Bahamas


Multiply these numbers together and you get the surprising number of:

1.84 terabytes/day

That's the size of a $90 hard drive worth of data every day, or $33,000 per year worth of storage.

Or, in terms of bandwidth, it's 160 Mbps -- a lot slower than the gigabit Ethernet connection on your laptop.

The upshot is this: technologically, the ability to intercept an entire nation is trivial.





Friday, May 16, 2014

EFF: some are more equal than others

George Orwell's Animal Farm was about how revolutionary principles are quickly morphed to service those in power. For example, when the animals on the farm rebelled, they stated the principle that "All Animals Are Created Equal", but when the pigs took power, that was amended to include "...But Some Are More Equal Than Others".

That's a good description of the EFF, the Electronic Frontier Foundation. They have no fixed set of principles that they fight for, but instead change their principles according to whatever is popular at the moment, whatever will get them the most donations and influence.

An example of this is the "Declaration of Independence of Cyberspace", a document abjuring all regulation of the Internet, with forceful statements like "You have no sovereignty where we gather". This document was a reaction to how the telephone network was regulated as a public utility, which killed innovation. The pride it expresses in the Internet is that it invented itself, not merely without government's help, but despite government's hostility (e.g. the GOSIP regulations).

But today, the EFF has changed its stance, calling for government to regulate cyberspace as it does other public utilities. For example, they have set up a website https://www.dearfcc.org/ asking you to lobby government for more regulation.

The same is true for other stances by the EFF. For example, they claim to support the rights of coders, but have had as one of their board members (Lawrence Lessig) somebody who championed the idea that code should be regulated, and have come out against 'bad' code like 0day exploits. Their excuse is that they haven't actually explicitly called for laws against 0days -- but that was their excuse back when they started championing Net Neutrality (that calling for net neutrality wasn't technically the same as calling for regulation).

This poses a quandary for me. On one hand, the EFF fights for many of the things I fight for, so I should work with them even if I don't agree 100%. On the other hand, their malleable principles make me feel that I could just as easily end up like Snowball (the pig who gets eaten).

Thursday, May 08, 2014

300k servers vulnerable to Heartbleed one month later

It's been a month since the Heartbleed bug was announced, so I thought I'd rescan the Internet (port 443) to see how many systems remain vulnerable. Whereas my previous scan a month ago found 600,000 vulnerable systems, today's scan found roughly 300,000 systems (318,239 to be precise).

The numbers are a little strange. Last month, I found 28-million systems supporting SSL, but this month I found only 22-million. I suspect the reason is that this time, people detected my Heartbleed "attacks" and automatically firewalled me before the scan completed. Or, another problem is that I may have more traffic congestion at my ISP, which would reduce numbers. (I really need to do a better job detecting that).

Last month, I found 1-million systems supporting the "heartbeat" feature (with one third patched). This time, I found 1.5-million systems supporting the "heartbeat" feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.

Note: This scan was only port 443. I really should scan for other well-known SSL ports, like SMTP ports. If I get around to that, I'll post the results here.

Note: This was a scan of IPv4 addresses. Scans starting from DNS domain-names produce wildly different results. A lot of news stories focus on things like "the top million domain names", the results of which are unrelated to this scan.

Note: The count "22-million" is that of systems responding to the SSL handshake. There are many more systems that respond to the probe, but which do not talk SSL. Most systems that respond with a SYN-ACK make no further communication. Others respond with banners like "SSH-2.0-OpenSSH_4.3" or "HTTP/1.0 403 Forbidden" -- which are not SSL.
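Two of the distinctions above, "responds but doesn't talk SSL" and "supports the heartbeat feature", come down to looking at the first bytes a host sends back. The following Python is an added illustration, not the scanner used for these numbers: it buckets a response (silence after SYN-ACK, SSH or HTTP banner, TLS record) and, for a TLS ServerHello, checks whether the heartbeat extension was negotiated. The sample responses are constructed. Note that advertising heartbeat is an inventory signal only: a patched OpenSSL still advertises it, which is why the post's 1.5 million "heartbeat" hosts are far more than the 300k vulnerable ones.

```python
import struct

HEARTBEAT_EXT = 0x000F   # TLS "heartbeat" extension type (RFC 6520)
SERVER_HELLO = 0x02      # handshake message type ServerHello

def classify_response(data: bytes) -> str:
    """Bucket the first bytes a host sends on port 443, as the post's count does."""
    if not data:
        return "syn-ack only"          # SYN-ACK, then nothing
    if data.startswith(b"SSH-"):
        return "ssh banner"
    if data.startswith(b"HTTP/"):
        return "http banner"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "other"

def server_hello_extensions(data: bytes) -> dict:
    """Parse a TLS ServerHello record into {extension_type: extension_data}.
    Returns {} for anything that is not a complete ServerHello."""
    if classify_response(data) != "tls":
        return {}
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        return {}
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                           # server_version(2) + random(32)
    if len(hello) <= pos:
        return {}
    pos += 1 + hello[pos]                  # session_id_len(1) + session_id
    pos += 2 + 1                           # cipher_suite(2) + compression_method(1)
    if len(hello) < pos + 2:
        return {}                          # hello ends here: no extensions block
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(hello):
        return {}                          # truncated extensions block
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    return exts

def advertises_heartbeat(data: bytes) -> bool:
    """True when the server negotiated the heartbeat extension (the post's
    "supports heartbeat" bucket). Not a vulnerability test: patched hosts advertise it too."""
    return HEARTBEAT_EXT in server_hello_extensions(data)

def build_server_hello(extensions) -> bytes:
    """Constructed sample ServerHello with TLS 1.0 framing (not captured traffic)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions)
    hello = b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed responses standing in for what different hosts on port 443 send back.
SAMPLES = {
    "openssl-with-heartbeat": build_server_hello([(HEARTBEAT_EXT, b"\x01")]),
    "tls-without-heartbeat": build_server_hello([(0xFF01, b"\x00")]),  # renegotiation_info only
    "ssh-on-443": b"SSH-2.0-OpenSSH_4.3\r\n",
    "http-on-443": b"HTTP/1.0 403 Forbidden\r\n\r\n",
    "silent": b"",
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:24} {classify_response(resp):13} heartbeat={advertises_heartbeat(resp)}")
```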


Wednesday, May 07, 2014

No, McAfee didn't violate ethics scraping OSVDB

My twitter feed is full of people retweeting this claim that McAfee (the company) violated ethics by scraping http://osvdb.org. This is completely wrong: McAfee violated no ethics (nor law).

Public information is public, and it's not a crime (nor ethics violation) to access it. As a community, we strongly supported Aaron Swartz and Andrew Auernheimer defending this principle. If you'll recall, they were accused (and convicted in Weev's case) of scraping public websites. And this is all that some engineer at McAfee did. We can't apply this principle when it's convenient, when it's our friends, then turn around and deny the principle to others we don't like.

If McAfee then republishes that information without permission, that certainly could be an ethics/legal violation, because that's publishing copyrighted material. But that's not what McAfee is accused of doing. They are accused simply of accessing the information.

What about the clause from their license that says the following? Doesn't that forbid scraping?
4. Obtaining data from this website in a programmatic fashion (e.g. scraping via enumeration, web robot, crawler, etc) is prohibited. Such activity is likely to trigger security software that will permanently block your IP from accessing the site.
No, it doesn't. I can put a license file on my website that forbids anybody from accessing the site who isn't standing on their head, but such a thing has no ethical or legal meaning. The only thing that has meaning is that you published it on your website -- you can't retroactively take that back and tell people they can't access it despite it being public. Such a license can restrict how people republish the information, of course, and of course it can dictate terms for private access, but if you are making information public, it's public.

Indeed, OSVDB doesn't even have a robots.txt file that backs up this statement in the license:

# from http://www.last.fm/robots.txt
User-Agent: *
Disallow: /harming/humans
Disallow: /ignoring/human/orders
Disallow: /harm/to/self

# http://www.shopwiki.com/wiki/Help:Bot
User-Agent: ShopWiki
Disallow: /

User-Agent: www.changedetection.com
Disallow: /

User-Agent: Mozilla/5.0 (compatible; mon.itor.us - free monitoring service; http://mon.itor.us)
Disallow: /

User-Agent: cognitiveseo.com
Disallow: /


What we are looking for is a clause that says "User-agent: *" followed by "Disallow: /", but it's not there. Of course, even if it were there, it still doesn't make the license valid or the information private. Public information is public.
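The check described above, reading robots.txt for a "User-agent: *" group with "Disallow: /", as an added Python example (not code from the post). It implements the usual group-selection and longest-match rules over the OSVDB file quoted above, with a constructed crawler name standing in for any crawler the file does not list. As the post says, a robots.txt is a courtesy signal to crawlers, not access control; it only tells you what the site operator asked for.

```python
# OSVDB's robots.txt as quoted in the post, used here as the sample input.
OSVDB_ROBOTS = """\
# from http://www.last.fm/robots.txt
User-Agent: *
Disallow: /harming/humans
Disallow: /ignoring/human/orders
Disallow: /harm/to/self

# http://www.shopwiki.com/wiki/Help:Bot
User-Agent: ShopWiki
Disallow: /

User-Agent: www.changedetection.com
Disallow: /

User-Agent: Mozilla/5.0 (compatible; mon.itor.us - free monitoring service; http://mon.itor.us)
Disallow: /

User-Agent: cognitiveseo.com
Disallow: /
"""

def parse_robots(text):
    """Split robots.txt into groups: a list of (agent tokens, [(allow, path), ...]).
    Comments are stripped; consecutive User-agent lines share one rule list."""
    groups, agents, rules, prev_was_agent = [], [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if agents and not prev_was_agent:
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value.lower())
            prev_was_agent = True
        elif field in ("allow", "disallow"):
            rules.append((field == "allow", value))   # empty path = no-op rule
            prev_was_agent = False
    if agents:
        groups.append((agents, rules))
    return groups

def rules_for(groups, user_agent):
    """Pick the group whose token appears in the crawler's product token (the part
    before '/'); fall back to the '*' group. A full UA string like the Mozilla
    line above is never contained in a short product token, so it never matches."""
    token = user_agent.split("/")[0].strip().lower()
    wildcard, best, best_len = None, None, 0
    for agents, rules in groups:
        for agent in agents:
            if agent == "*":
                wildcard = rules if wildcard is None else wildcard
            elif agent in token and len(agent) > best_len:
                best, best_len = rules, len(agent)
    return best if best is not None else wildcard

def is_allowed(groups, user_agent, path):
    """Longest matching rule wins; Allow beats Disallow on a tie; no match means allowed."""
    rules = rules_for(groups, user_agent)
    if rules is None:
        return True
    matches = [(len(p), allow) for allow, p in rules if p and path.startswith(p)]
    return max(matches)[1] if matches else True

def blocks_all_crawlers(text):
    """The post's check: does the file shut an unlisted crawler out of the whole site?
    'UnlistedResearchBot' is a constructed name, not any real crawler."""
    return not is_allowed(parse_robots(text), "UnlistedResearchBot/1.0", "/")
```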

When your organization starts with the word "Open" and your robots.txt doesn't forbid scraping, it's pure lunacy to complain when people do exactly what these things imply.

All corporations care a lot about intellectual property. Individual employees often make mistakes, of course, but corporate policy and practices keep track of all third party contributions to what they sell. It's unlikely that OSVDB information would ever make it into McAfee products/services without it being clearly tracked by the company -- and paid for.

Conversely, what does happen is that engineers download open stuff and try it out. It's quite likely that an engineer would scrape some information, writing some Node.js scripts to parse it, and see how difficult it would be to integrate into an offering. When what they are working with is public, they certainly wouldn't ask permission. The assumption that scraping information means that the company intends to republish it is wrong.

Again, to reiterate, accessing public websites is not illegal, wrong, nor unethical. We've fought for this principle in the Weev/Swartz cases, and it applies equally here.


License for blog.erratasec.com: you may only read this website if you are standing on your head.