Xmas: netbook gift

Like the Kindle, netbooks are going to be a popular gift for Xmas. Also like the Kindle, you should understand their limitations - there's a good chance the recipient won't like the limitations.

The primary limitation of a netbook is speed, no CD-ROM, and keyboard/screen size. In exchange, you get increased portability and longer battery life. You can't play games well on it, but you can carry it with you wherever you go and sit for hours in a café typing away.

Intel’s Atom vs. Cybersecurity

Intel has two new exciting CPUs: the low-powered "Atom" and the fast "Nehalem" aka. Core i7. I thought I'd cover some points related to the Atom processor.

WHAT MAKES IT DIFFERENT

The Atom sacrifices performance for power efficiency. It's roughly 1/10th as fast as the fastest desktop processor, but consumes 1/100th the electrical power.

It's a completely new design. Intel's current processors (like the Nehalem/Core-i7 and the Core2) are derived from the line of processors first shipped in 1998 as the "Pentium Pro" or "P6". The major difference in the designs is that the mainstream processors are "out-of-order", whereas the Atom is "in-order/hyper-threaded". That means for single-threaded applications, the Atom is roughly half as fast in comparison.

The major competitor to the Atom is the "CULV" or "Consumer Ultra Low Voltage" processors from Intel. You'll see equivalent netbook/notebook designs from manufacturers like Asus, Acer, or MSI that look otherwise identical except for the processor: either a 1.6-GHz Atom or a 1.4-GHz Core2-Solo/CULV. Because of the in-order vs. out-of-order, the single threaded tasks will be half as fast on the Atom machines. On the other hand, in applications that can take advantage two threads, the Atom machine is just as fast the CULV machine.

DISPOSABLE COMPUTING

In my pentests, I need computers that I can damage, lose, or deliberately throw away. The Atom forms the basis for more cheap $200 "netbook" computers. This is less than our hourly consulting rate, so fits the bill perfectly.

These are great for "wired" assessments, where I'm running tools like Nessus to scan behind the firewall or sniff packets from a (100-mbps) connection.

These are even better for "wireless" assessments, where I need to leave a computer outside a building scanning, or setting up an "evil twin" to trick employees. Maybe somebody will have discovered the computer and taken it, maybe it gets rained on -- it's only $200, so it's not a big deal.

The devices are also extremely small and portable. We can travel with a bunch of them on the plane in our carry-on luggage. They are also damn sexy: I've never been one to mess up my laptop with stickers and trinkets, but it's fun to decorate the cheap netbooks.

This story is apparently about a pentest/hack where the perp sent netbooks to an office appearing from HP, but likely containing malware.

VIRUS ANALYSIS

I'm infecting my Windows netbooks with viruses. It's pretty easy to clone a small system, infect it with a virus, then restore the cloned image.

I prefer doing this because I get a more "real" assessment of the virus. A lot of them check for VMware, a lot of them check for "known" IP addresses. I can take a netbook to a public cafe, log on there, infect my computer, then sniff the traffic with a second computer. It simulates a much more "real" environment for the virus.

LOW POWER

Like all such geeks, I have a large test lab running many operating systems and servers. These systems run 24-hours a day. This causes a large electricity bill. I've converted most of these to Atom processor systems, such as the Eee Box desktop computer (typically 15 watts), netbooks (10 watts), and I'm thinking of the Acer easyStore home server.

This is has had a noticeable effect on my server room, drastically reducing temperatures. It's a big drop from a system running over 100-watts at idle to one running 15-watts.

Note that the Atom processor itself run at just a couple watts, but the remaining chips in the system run at 10 to 15 watts. I notice that on the lowest power system I have, it's less than 1 watt difference between "sleep" mode and "password cracking" mode.

FULL FEATURE

The Atom processor line supports all the recent major features of Intel processors, such as "virtualization", "NX" bit, SSE3, 64-bit, hyper-threading, and so on.

Strangely, there isn't a single version of the processor that supports all these features at the same time. The ones that support 64-bit don't support the VT virtualization extensions (although you can still do the older form of virtualization). According to this website, a guy is running ESXi on a Dell Mini 9.

Intel has a nice site for comparing features of the Atom processor.

PASSWORD CRACKING

One of the biggest changes in the Core2 processor (vs. the older Pentium M and Pentium 4) is that the SSE instructions ran at the full 128-bit. Prior to that, while SSE registers were 128-bits wide, they would only process the first 64-bits in one clock cycle, then the second 64-bits in the next clock cycle. Thus, the Core2 represented an 2x increase in SSE speed.

That was one of my biggest questions for the Atom: is their SSE implementation like the old processors or the new processors? I couldn't find this documented anywhere, so I had to benchmark my password cracking code (which uses SSE instructions).

I assumed the worst, but was pleasantly surprised: the Atom processor executes a full 128-bits in a single clock cycle. That means that for SSE code, a 1.6-GHz Atom will be faster than a 1.4-GHz Core2-solo/CULV at password cracking. This is indeed the results that I get. Likewise, my dual-core Atom 330 system (Eee Box) is as fast as my dual-core MacBook Air 1.86-GHz Core 2 Duo (faster, even, because the cooling often kicks in throttling the CPU).

Note that the processors require different optimizations. The Atom requires a very simple code that can be easily hyperthreaded. The Core2 requires manually interleaving two streams of instructions that run in a single thread.

Since 100% CPU usage is roughly the same electrical power usage as 0%, I leave password cracking running in the background on Atom servers.

SMALL DEVICES


These netbooks use close to the same power as other devices in my home. My WRT54G uses 8-Watts, my Acer Aspire uses 12-Watts (picture on right) with screen turned off and battery removed (while running password cracker at 100% CPU). The WRT54G is a WiFi access-point/router from Cisco that is famous for hackers replacing the firmware with their own special Linux distros. With only 4-megs of flash and 16-megs of RAM, it's much more limited than netbooks that start at 4-GIGS of flash and 512-megs of RAM.

You can install "soft APs" to convert a netbook into an access-point, and install other goodies like intrusion-detection systems and firewalls. While they are far from perfect, they can make nice little home devices.

X86 VS ARM

In theory, RISC processors (especially ARM) should be a better solution for low-powered, highly-functional devices. There are lots of nice ARM solutions (like this wallplug computer or bigger devices like this one). The new ARM Cortex 9 looks extremely sexy.

Yet, these don't turn out so well in practice. These ARM devices don't work like computers I'm familiar with. I can't simply stick in a CD or USB drive, boot the machine, and install my favorite distro with my favorite developer tools. Instead, I have to install ARM cross compilers on my Linux box and go from there. It's very annoying. I'd be willing to go through the effort if I'm developing a special device to sell to customers, but I'm not willing to bother if I just want to create a device for myself. It's just easier to get a $200 netbook.

There is also some value with familiarity of the x86 instruction set. While Atom's in-order design is a radical departure from previous Intel CPUs, old rules for optimizations generally apply. More importantly, things like SSE behave the same, and work elegantly, whereas in the ARM process, multimedia instructions are a bit weird.

CONCLUSION

I like the Atom because I can now throw a cheap computer at a problem and solve it, especially my ever hotter server room.

The Perfect NetBook: Eee 701 2G Surf

The Register has a review of netbooks (mini notebook computers).

For security professionals, the best netbook I've found is the original one, the Eee PC 701 (aka. Eee PC 2G Surf). The thing that makes it perfect is the Atheros WiFi card in the computer and the $250 price tag.

WiFi hacking/pen-testing requires a card that can both receive packets in monitor mode and send/inject inject raw packets.

WiFi was designed with the idea that the chip should include it's own low-power microprocessor to take care of all the management traffic. In this way, the host machine can be asleep saving power. The consequence of this is that the host machine is typically unable to see the raw packets nor send raw packets of its own.

Atheros designed its chips to be more open. The "madwifi" project was able to create Linux drivers for Atheros chips that allow full control over packets.

Other chips allow a subset of these abilities. There are several others that allow "monitor mode" to receive packets. Few, though, allow the ability to send every type of packet. They will overwrite the sequence numbers, for example, or prevent fragmentation. Others will refuse to send corrupt packets.

When doing WiFi fuzzing, you need to be able to craft every type of packet, including corrupt packets (indeed, that's the point of fuzzing -- to see how a system handles corrupt packets).

The easiest method for WEP cracking is to replay encrypted ARP packets (identified by their size and broadcast address) over and over to generate encrypted responses. After about 40,000 response packets, the 128-bit WEP can be cracked in just a few seconds. I cracked my home WEP test network in about 15-minutes.

For cracking WPA, you need to be able to send deauth packets to force stations to re-authenticate. You then grab this information and hope they've chosen an easily guessable password that can be dictionary cracked.

The best thing about the Atheros chipset is that there exists full access-point software. That means you can setup the Eee PC as a full access-point. For pen-testing, you can also set it up as an "evil twin" -- so that users log onto your access-point instead of their intended one (allows you to intercept their traffic as they surf the Internet).

The Eee PC models contain Ralink chips for 802.11n. Right now, there are no driver for either monitor mode or transmit for these chips. (Note that the Wikipedia article on Eee PC claims that all models use Atheros WiFi chips -- this is wrong). You can, however, buy $33 mini-pci cards and replace the WiFi if you want.

Another important feature is the SD slot within the Eee PC. At NewEgg, 4GB cards are $10 and 16GB cards $40. It's pretty easy to install BackTrack distro and boot from these cards. You could replace the existing OS, but I'm to lazy and boot distros like BackTrack and Knoppix from SD cards.

Booting OSWA on Eee PC with SD flash

These are some notes for making a bootable SD flash card for my Eee PC from the "OSWA Assistant" bootable CD.

A bootable or "live" CD is a popular way of distributing hacking tools. You just put the CD into any computer and boot from it (instead of your normal hard disk). You get a Linux desktop and pointers to a list of common programs. The most famous of these is probably the "Backtrack CD.

Another one for wireless auditing is "OSWA Assistant". I've never used it before, but they were handing out CDs at BlackHat 2008 Vegas.

The computer I want to use for this Asus Eee 2G Surf", a $299 disposable laptop. Everybody should probably have a handful of these around to play with.

The problem with the Eee PC is that it doesn't have a CD-ROM drive, so I can't boot the OSWA CD. However, it does have three USB ports and one SD flash port. The SD port is especially nice for booting. You can get 2-gig SD flash cards for $7; they are hella cheap.

To make a bootable SD card from the CD, I went through the following steps.

Step 1: I copied all the files to the SD card. I first put the SD flash card into my Windows PC which became the "D:" drive. I downloaded the latest oswa-assistant.iso image from the OSWA website, opened it in WinRAR on my Windows PC, and extracted all the files to the "D:" drive. You can use pretty much any tool for extracting the files, I just happened to have WinRAR handy. I didn't even know that WinRAR could extract files from ISOs - I just assumed that is the sort of thing that WinRAR ought to be able to do.

Step 2: I needed to make the flash bootable. Most bootable CDs use a tool called "isolinux" to go through the boot process. There is a sibling tool called "syslinux" for making bootable Linux flash devices, such as USB flash or SD flash. I downloaded the syslinux archive, extracted to "C:\syslinux". I opened a command prompt, went to "C:\syslinux\win32" and ran "syslinux.exe -ma D:" to make the SD card bootable.

Step 3: I had to change the "isolinux" configuration to a "syslinux" one. I renamed the "D:\boot\isolinux" directory to a "D:\boot\syslinux" directory instead. I also had to rename the "isolinux.cfg" file in that directory to "syslinux.cfg".

Step 4: I had to configure the Eee PC to boot from SD, otherwise it will boot from its own hard disk. When the system boots, I hit "F2" to go into the BIOS configuration, and change the boot order so that Removable Devices are at the top of the list.

At this point, the system boots. However, there several problems. First, it complains "You passed an undefined mode number.", which refers to the fact that it doesn't understand something about the text mode screen. Simply hit to continue.

When it reaches "Starting udev hot-plug hardware detection...", it will hang for a while with the message "Starting udev hot-plug hardware detection… udevd-event[2706]: run_program: '/sbin/modprobe' abnormal exit". Don't worry, it will continue on with the boot process after about 5 minutes. It's a bit annoying though. I wish I knew what was failing.

Step 5: There was one fatal error. X Windows hangs looking for an AGP card. The In order to fix this, I had to edit the "D:\boot\syslinux\syslinux.cfg" file and put "noagp" on the second line:
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=791 initrd=minirt.gz nomce loglevel=0 quiet BOOT_IMAGE=oswa noagp

Step 6: Profit!