Belated LayerOne entry number two.

May 09, 2007

1048 PST8PDT - Burbank Airport.

What a dump. I finally got to see more of it because I'll be stuck here for a few hours. When I originally arrived we were ushered out of the terminal to the curbside baggage pickup without ceremony, only security guards, so I wasn't able to take the fifty cent tour of the terminal.

It's small. There's noplace to eat, save for a really, really crappy cafe' that serves hideously bad wraps and lousy smoothies. By 'noplace' I mean just that - there are no other places to go in terminal B for food unless you want to try to live on chewing gum and potato chips that I don't much trust given how bad everything else is. On top of all of this, there are only pay-for-play wireless providers in this airport, which I studiously avoid if I can help it (not because I'm cheap but because I don't trust sending my credit card information out over wireless networks of any kind; I've done wireless security for too long to have any illusions about how safe it really is). On top of all of this, large numbers of ceiling tiles are gone, revealing shielded power cables (standard for large buildings), dangling hanging ceiling wires, and metal struts. You'd think that they started renovating and then gave up shortly after the effort began or something.

For the longest time I wondered why Lyssa would not eat rather than eat marginal food. I now understand the wisdom of doing this (or not doing this, depending upon your point of view). I want my $15us back.

Yes, in addition to being horrid it was also overpriced. I should have done the smart thing and got a muffin and coffee or something. Burn me once, shame on you. Burn me twice, shame on me. In the hour or so I've been here I've seen three things that I've never heard of happening. First off, I've seen a security guard take someone passing through the security checkpoint aside and go through the contents of their cellular phone - the TSA operative in question went through what appeared to be the contact list stored in the phone and the stored photographs from the camera while taking with someone (presumably a higher-up) on a hardwired telephone. I overheard the sentences "I don't think he should have pictures of this on here" as I stuffed the contents of my pockets back into place at the end of the security checkpoint.

I've also seen armed security guards dressed in BDU shorts and bright yellow vests combing the terminal while someone on the PA system said for everyone to hear, ", you must return to the security checkpoint. Your entry has been denied."

Two people are being hunted down by security as I write this. I feel ever so safe. I really hope that they don't ask why I'm hammering away on a highly non-standard laptop computer while wearing a corps t-shirt for a branch of the US Air Force that never existed.

Written at various times during the day, on the plane and while on layover:

So.. let me elucidate everything that happened yesterday, and you can rest assured that quite a bit did, in fact take place. I wound up waking up around 0800 PST5PDT on Saturday morning because I just wasn't able to sleep anymore (I'd set the alarm for 0900) and after getting dressed and packing up my gear headed downstairs to see what was going on with the convention. As it turned out, I ran into Aqeroz and MASMS from the night before. We were all looking for breakfast and coffee and an ATM not within a building housing a hacker con, so we hit the bricks and hiked a few blocks until we came to Schubert's Cafe' (451 East Colorado Boulevard; Pasadena, CA; 91101; phone 626-405-1414).

Schubert's has easily the best food I've had all weekend. Their coffee is tasty and the breakfast burrito was hearty, not greasy, cheap, and filling. If you happen to be in Pasadena, check this place out - it's worth the walk. I give it one flaregun out of a possible four. On the other hand, I can't say that I was too crazy about the food at the hotel. Like much hotel fare, I'm beginning to suspect, it was solidly average. The gyro that I had last night for dinner was just that: A gyro. The fries were all right, but on the whole it was actually kind of cold, and while as nutritious as one can expect was't very tasty. Aqeroz had gotten a cobb chicken salad which was.. large. Very large. Dinner-plate sized and piled high, with what we think was at least one sliced avocado forming the foundation. Later last night we had a pair of slices of Oreo cheesecake which were very enjoyable... I also have to give their staff reasonably high marks because they were friendly, remembered the customers they were working with, and easy to talk to.

I don't know what Aqeroz thought of her meal, but on the whole I have to give the Pasadena Hilton's restaurant and bar a rating of two and a half flareguns out of four - they're nothing to write home about, but dessert and the helpfulness and friendliness of the staff should be taken into account.

Anyway, after hitting what we're fairly sure was an un-tampered-with ATM, we walked back to the hotel to catch the first panel of the day, which had to do with SCADA (Supervisory Control And Data Acquisition), which is a family of technologies and networking protocols (notes will be forthcoming, as will links to online resources) that have to do with gathering status and management information from devices throughout a facility (for example, a water treatment plant, factory, or natural gas pipeline) and controlling them remotely.

You know, the little stuff that we depend on every day, like public utilities.

In short, most SCADA protocols were designed years ago and thus don't have much in the way of security: No authentication, no encryption, no protection against replay attacks, no command verification, and usually no sanity checking of commands to ensure that they haven't gotten accidentally corrupted somewhere in transit... anyone with a packet sniffer and decently good Perl skills (or a sufficiently unstable network link) could do a lot of damage.

This has happened at least three times in the past: The blackout on the eastern seaboard back in 2003 was the result of a number of SCADA systems getting screwed up because they recieved corrupted commands and crashed. There was also a documented instance of someone cracking the SCADA network of a natural gas pipeline in Russia about two years ago and shutting it down entirely.

The presenter works for eEye Security, and helped to develop a fuzzing kit (a utility that deliberately sends bad or malicious traffic) for SCADA units for the purpose of testing them to see how they'll react. Usually, they happily do bad things, or sometimes they'll crash so badly that they have to be replaced.

To quote the science films made by Dravo (an oil company that no longer exists) that they used to show us in elementary school, "Science... and... technology!"

Following that was a presentation by Datagram on shell coding, or more specifically some new tricks for exploit payload coding. I rather felt sorry for him because he had a lot of trouble getting his laptop hooked up to the projector and running properly. What he wound up doing was copying his presentation onto a USB key, borrowing a laptop, and booting a LiveCD to get everything running as required. If nothing else, I got some good quotes for my .plan file out of it... more on that in the next update.

Anyway, about his presentation: It is not only possible to write a payload that causes a shell to be spawned, practically any command can be executed, such as a command that causes the packet filters on a vulnerable server to be flushed, thus blowing away much of the security. Datagram talked about some assembly tricks that I all but forgot from my Commodore and VAX days that are still useful, and he even taught me a couple of new ones that I'm going to keep in mind. Datagram also talked about obfuscation techniques like encoding, using only values within 0x00 and 0xFF (i.e. ASCII text) to write the payload, commands that aren't NOPs (No-OPs) which still act like NOP padding, and polymorphic techniques which cause the code to re-write itself on the process stack while it's running and transform from code that an IDS of some kind won't recognise into active attack code.

There was quite a bit of demo code in his presentation - some nifty stuff that I'm hoping to get my hands on and take a closer look at. I'm glad that I picked up a couple of books on assembly language from New Starch Press while I was out here...

It was at this point that E-, Aqeroz, and I wandered around the dealer's room some more, checking out the books, the t-shirts, and the stickers (of which there really weren't many this year). We also spent a goodly amount of time talking to Nick Farr of the Hacker Foundation, which is a non-profit organisation dedicated to setting up sustainable hacker-friendly spaces for research around the United States. I suggested secure box hosting for those of us looking to move a server out of our home labs and into an environment that's more bandwidth friendly. Nick seems to like the idea.

He's also moving to the DC metroplex in a few months, so I spoke with him at length about the DC area and the folks I know in the area who'd be all over this like stickers on a ricemobile. I'm going to ping him when I get home; we'll see what happens. I'll definitely keep everyone informed about this project.

I think that it was CHS (one of the con organizers) who bought a box of unconsecrated communion wafers and was passing them out by the handful at the con. Many pictures were taken.... they're also surprisingly good with ketchup, I discovered. At some point someone claimed to have mixed them in with the large bowl of bar munchies, but I saw no signs of this.

Aqeroz, CHS, Nick, and I had a good old time with those communion wafers. Rest assured that photographs of the trifecta are forthcoming.

Aqeroz and I noticed something in talking with so many people at the con: We were the only ones who were without business cards. Between the two of us (and more generally, with the six or seven other people we hung around with at various times during the covention) we'd picked up enough business cards to play a round of pinochle with, but had none to exchange. E- was kind enough to hook us up with a package of punch-out laser printer business cards so that we could get ourselves up to speed. For the next half hour we hunted around the con to find anyone who happened to have a standard USB cable so that we could jack the laser printer into Windbringer and avoid the exorbitant prices of business center computer user, but sadly no one seemed to have such a thing. Mental note: Next time I get it in my head to purchase a universal travel cable kit... buy the damned thing.

We downloaded the appropriate Word template from the Avery website and hacked together a couple of batches of business cards that, if I do say so myself, look pretty sharp (albeit they're in black and white). We then wandered around the con and tracked down everyone we'd met and belatedly completed the exchanges of contact info. It must have looked kind of odd: "Hi, remember us? Here, have a business card."

After dinner (reviewed previously) we hit up the panel on BIOS rootkits, which are still on the obscure side, but pose a serious security risk nonetheless due to the fact that just about every PCI device in every computer these days has flashable firmware written in the machine language of the computer they're installed in (these days, Intel assembly language, usually x86). The way that firmware works is that it's copied out of the (E)EPROM into RAM after the system POSTs (Power-On Self-Test) and executed to initialize the system's BIOS so that it can be used. As I mentioned before, just about every PCI device out there has the capacity to have its firmware downloaded from the chip as well as uploaded back into the chip (the upgrade process colloquially known as flashing). So: An attacker can download the microcode from the chip, reverse engineer it (not a terribly difficult procedure once you understand the principles), modify the image so that there are new functions that rewrite parts of the OS' kernel after it's loaded into RAM and executed, and flash it back into the (E)EPROM chip.

The upshot of all of this is that the box is rooted from the get-go. Granted, you'd need access to the physical machine to accomplish this simply, but there are truly fiendish ways of doing this remotely: One of the jobs of a sysadmin or the IT staff is to keep abreast of updates, which includes the firmware of the computers installed in a particular site. DNS spoofing or a common phishing attack could be used to get a compromised firmware image into the hands of someone who can monkey around with the guts of systems. Due to a feature of many network interface cards these days called PXE (Pre-boot eXecution Environment), it would be possible to compromise theoretically any machine as it reboots because a lot of places don't bother to disable PXE support if it's not in use.

The reason this is possible? When purchasing computers from a particular manufacturer in lots (say, Dell), each batch tends to have the same kinds of components: Identical NICs from Intel, the same Nvidia graphics cards, the same motherboards (and thus, the same flashable BIOS code)... a little fingerprinting can help an attacker immensely.

Even if PXE can't be used, there are other ways of getting compromised code into place, such as e-mailing trojan horses to users, or by using viruses or worms that call the very OS functions that legitimate flashing utilities use. If I were to mention how few manufacturers set a jumper that disables such functionality completely, things start to look very grim indeed.

This technique applies for PCIexpress buses on newer motherboards, as well as the AGP (Accelerated Graphics Port) slots on slighlty older mainboards.

There are ways of keeping potentially compromised firmware code from being loaded in the first place, such as disabling ACPI support (which does the heavy lifting of copying peripherals' firmware into RAM for execution) and implementing authentication of firmware (which has its own problems, it was explained). It would also be possible to boot a machine with ACPI enabled, take a memory snapshot, reboot it with ACPI disabled, take another snapshot, and diff the two to look for discrepancies.

After the dinner break we sat in on Rooster's tutorial on genetic algorithms, which are a class of algorithm that simulate biological principles for solving problems. The biggest problem lies in finding the right kinds of problems to represent using bits of code referred to as 'genes' or 'chromosomes'. Some problems lend themselves to this, while others don't work terribly well. He discussed how problem spaces are modelled and the tactics used to determine what results constitute a valid solution and how a process that emulates genetic recombination (in the case of sexual reproduction) or mutation can be used to shuffle the set of all possible results and find new potential solutions. I'm going to link to his presentation as soon as I can, there's simply too much for me to write at this moment, and he put it far better than I can.

After another stand-up-and-stretch and wander outside to hang out with the con staff for a while, I headed back to my room to change my clothes and freshen up a bit because I'd gotten the new environment I-feel-sticky feeling while E- and Aqueroz went to the access control system presentation by Zac, one of the British guys we'd gone to dinner with late Friday night. As it turned out he wasn't just doing an overview of physical security controls (like swipecards and magnetic locks), he'd figured out how to break them with relatively little effort. He started out by talking about the basics of access control, like RFID cards, smartcards, readers, and proximity (wave) cards, and how they communicate with a central control system. He also discussed in some depth how fingerprint, palmprint, iris, and retnia scanners work (and that you can sometimes find retina scanners on eBay because the biggest, most popular manufacturer of them went out of business a few years ago). As it turns out, most every physical security system designed since the late 1960's uses the exact same protocol to convey authentication data from the sensor to the central control system and from the control system back to the door motor/magnetic lock/what have you.

Just about every company that manufactures such devices, it's said, implement exactly the same protocol for maximum compatibility and interoperability. Or, they all implement it closely enough that they work together anyway.

So, he sat down with a BASIC stamp laying around the lab, some analysis gear, and a PC and built a tiny device about as long as the end of my thumb and half that in diameter with a pair of vampire taps on either end. The purpose of the device is simple: An attacker can remove the housing of a card reader or scanner, splice the device into the communication lines (which, he says, takes about three minutes, including removing the housing of the sensor), and put the whole shebang back together.

First, a quick demonstration: Zac had constructed a mockup proximity card authentication system with a small PIC microcontroller, a scanner, and a handful of cards that he'd programmed. Two of them were valid and a third was deliberately not. Swipe - lock unlocking sond. Swipe - lock unlocking sound. Swipe - siren goes off.

Then he connected said thumb-size device in series with the card scanner, so that it sat between the scanner and miniature authentication system. Swipe - lock unlocking sound. Swipe - lock unlocking sound. Swipe - siren goes off.

He then took a fourth card and swiped it. The door, if there had been one, would have been unlocked even though it'd never been enrolled in the security system.

The device he'd build was able to interpret the protocol used by the security system (remember when I said that most every security system on the market since the late 60's used it?) and record the data patterns corresponding to valid cards. The fourth magick card told the device to replay the last known valid card's signature. The authentication computer didn't know the difference because there is absolutely no protection from a transmission replay attack from behind the card reader, and sent the unlock command. There are a few more neat tricks in the device, too: A fifth magick card commanded the device to not relay card data to the authentication system at all unless it happened to be a particular card, effectively locking all of the authorized users out.

Zac also mentioned that it's possible to dump the contents of the reader's memory, and that a later iteration of his device would be able to do this. The way it can be done is simple: You know that little LED on the card reader that's red by default or green if it's considered valid? That LED is controlled by the central control system, or by his man-in-the-middle attack device, so it's possible to command the attack device to control the LED of its own accord. It's a nice little serial output device - 9600 bps, 8n1. All you need is a recording device with a photocell held up to the light to capture the data it's stored.

There is a saying which goes something like this: The more you know, the less well you'll sleep. I'm definitely not sleeping very well right now.

I plan on purchasing the DVD of his presentation when it becomes available.

After the shell shock of Zac's presentation, the convention as a whole retired to the outside lounge to make conspicuous use of the wet bar while the burlesque show set up inside the convention space. In an encore performance, a performance troupe called the Sinners and Saints Burlesque Show from Seattle, Washington (did I mention earlier that fully one third of the con is from Washington state?) was invited back for the amusement, edification, and entertainment of all concerned.

If you've never seen a burlesque show, you really should at least once in your life, if only to say that you have. I can't say for certain but my working hypothesis is that they are what Vaudville and strip shows evolved out of. There's a master of ceremonies who works the crowd and often sings a couple of songs.. and if they're any good they have absolutely no compunction against ripping into hecklers or drunken audience members who raise a stink. There are also a number of women who wear outlandish costumes (my personal favourite from last night was the woman dressed as a windup doll searching in vain for her windup key before her spring ran down) that won't stay on for very long... yes, burlesque almost always involves a striptease to some degree. This isn't to say that it's anything like a modern strip show - they tend to have far more class, theatrical planning, and diversity of, well, just about anything.

Imagine a gorgeous black woman aged about twenty-five (I'm guessing wildly - please don't hunt me down, Sydni) dressed like a flapper in mourning, in 1920's period widow's clothing, down to the little hat and widow's weeds (a black veil suspended from the brim of the hat that covers the woman's face). She drinks a green liquid out of an ornate cut glass prop bottle, ostensibly poison to follow her fallen husband into death. Cue a rather bawdy 20's dance tune through the PA system as she dances, spins, and from time to time hams up the act of dying of poison. The entire time, at least four layers of clothing are shucked and strewn all over the stage. Gloves are stretched and flung, outer and inner skirts are hiked up, torn off, and tossed towards the audience. The entire time, more and more skin (and incidentally tattoos - I've never seen anyone with an i ching hexagram tattooed on their flesh before (hexagram 46, for scholars of divination Out There)) are bared until she's down to a g-string, hose, granny boots, and pasties.

I've been to a couple of burlesque shows, most recently the one last year at SalonCon. I've been to a couple of strip shows in my day, too. Given a choice, however, I have to be honest and say that I'd go to see the Sinners and Saints perform any day. I had a blast, and yelled myself hoarse by the time the night was up. Dane, the MC, was an excellent sport about the whole thing, and gave as good as he got (even going so far as to bring three of the five women in the audience up on stage for a contest and involving someone whom I think was the con chair in a BDSM-themed skit). He's also got a good set of pipes for a lounge singer, and is pretty good at ad-libbing changes to lyrics. Filkers, as they say, are quick to anger and of course everybody remembers funny songs about prople...

After the performance was over E-, Aqueroz, MASMS, and I hung out in the patio where the wet bar was diminishing like a cow standing in a pond full of pirahnas. During intermission we'd bought little chapbooks of the troupe as souveniers, and the performing ladies were kind enough to hang out with everyone after it was over.

Yes, they were clothed.

Aqueroz and I made our rounds of the performers, including BJ the DJ and Dane the MC and got them to autograph their pages in the chapbooks. The pack of Djarum clove cigarettes and disposable lighter I'd wisely picked up earlier on Saturday went over well with everyone concerned, and nothing says chivalry and politeness like offering to light a cigarette for someone. E- had run a tab at the bar and was nice enough to buy a couple for Aqeroz and I (I now have my doubts about how civilised Pasadena really is for they had no Goldschlager available at the bar; they did, however, have a ready supply of Maker's Mark bourbon, which I was grateful for).

We went our separate ways around 0145 PST8PDT, slightly inhebriated and feeling the weight of the day upon our shoulders. I had to get up at 0800 to get ready to go to the airport and Aqeroz was just plain tired. I took a shower around 0200 and collapsed into bed after repacking my suitcase (mostly) and figuring out how to stow everything that I picked up at the conference.

Net loot for this year: Four books, courtesy of No Starch Press; six t-shirts courtesy of LayerOne, Ghettoshirts, and MASMS (which I'm wearing on the plane at this moment); large numbers of stickers from the Hacker Foundation (two of which now grace the lid of Windbringer); two shotglasses depicting a badly besotten Tux the Linux Penguin sitting before a terminal with the command rm -rf typed into a rootshell; two police-style universal handcuff keys.

Note to self: Print up Virtual Adept Network t-shirts and sell them out of my backpack next year.

It's now 2200 EST5EDT (Windbringer is configured for the eastern seaboard's time zone, even when travelling) and I'm en route back to our nation's capital. Specifically, I'm packed in almost the back row of seats in the plane taking a sold-out flight home, wishing that the guy in the seat in front of me would not try to put his seat all way back. I could almost take Windbringer off of the seat-back tray and rest it on said guy's forehead because it would be far more comfortable.