Anonymous, Barr, Stuxnet and Soliciting Hackers Podcast [29:20]

Today, Mike Q and I recorded another podcast with Sam Bowne from City College of San Francisco about how Aaron Barr tracked down Anonymous and paid a heavy price, Stuxnet, The Jester and how U.S. Chamber lobbyists solicited and used hackers. 

You can listen to the 29 minute and 20 second podcast in your browser by clicking the play button below:

Here's the links we refer to in the show:

How one man tracked down Anonymous—and paid a heavy price

http://goo.gl/5Gkyy 

US Chamber's Lobbyists Solicited Hackers To Sabotage Unions, Smear Chamber's Political Opponents

http://goo.gl/zI9gp 

US Chamber's Lobbyists Solicited Firm To Investigate Opponents' Families, Children

http://goo.gl/uyWB8

If you have iTunes installed you can listen to and subscribe to our podcasts by clicking here.

Baseband Hacking Using Fake Cell Towers

In my last post I wrote about femtocells and femotozone services. Femtocells are little mini-antennas that can be place in a home, business, hotel, etc that connect using a broadband connection (DSL, Cable, Fiber, etc). They are great when it comes to filling in areas of poor cell reception.

Baseband hacking is described in an IDG News Service report along with a LinuxInsider report. Basically, the attack involves setting up a fake cell tower. There’s a couple of ways to do this - you can spend around $2000 and build your own cell tower or you can purchase a femtocell from one of the providers (AT&T, Verizon, etc) for $150-$200.

How can devices like femtocells be used by hackers? This is from a post over at ReadWriteWeb titled Baseband Hacking: A New Frontier for Smartphone Break-ins:

Security researcher Ralf-Philipp Weinmann says he has found a new way to hack into mobile devices - by using a baseband hack that takes advantage of bugs found in the firmware on mobile phone chipsets sold by Qualcomm and Infineon Technologies. Weinmann will demonstrate the hack on both an iPhone and an Android device at this week's Black Hat conference in Washington D.C.

To perform the attack according to Weinmann, a hacker sets up a rogue base transceiver station which is used to send malicious code over the air to the target devices. The code exploits vulnerabilities found in the GSM/3GPP stacks on the phones' baseband processors. Weinmann goes on to say industry bodies like the GSM Association and the European Telecommunications Standards Institute have not considered the possibility of attacks like this.

What’s really interesting about this is the attack exploits bugs in chip firmware which is something most hackers do not have a lot of experience with. What’s firmware? Here’s a quick definition from Wikipedia:

In electronics and computing, firmware is a term often used to denote the fixed, usually rather small, programs and/or data structures that internally control various electronic devices.

The Wikipedia definition goes on:

The term firmware was originally coined in order to contrast to higher level software which could be changed without replacing a hardware component, and firmware is typically involved with very basic low-level operations without which a device would be completely non-functional.

Most hacks to this point have been software based and not firmware because it is typically much easier to hack using software. Here’s more from the ReadWriteWeb post:

According to Sophos security consultant Graham Cluley, "if someone wanted to spy on your mobile phone conversations it would be easier to trick the user into installing an app that spied on them or gain physical access to the mobile to install some spyware code," he said. "I would be surprised if anyone went to all of the effort that this researcher suggests."

Interesting stuff.

Network Security – With a Little Help from Our Friends Podcast

A couple of days ago Mike Qaissaunee and I had the chance to talk with Dr Sam Bowne, Professor of Computer Networking and Information Technology at City College of San Francisco. Mike and I have known Sam since 2004. He's one of the best in the country - a tremendous classroom instructor who brings his extensive expertise and passion for networking and network security to his students and his colleagues. Sam is also generous with his knowledge, making his lectures and classroom materials available to anyone who wants to learn. In what we hope will be a recurring role, Sam joined us in a podcast to share his thoughts on security and provide us with a snapshot of the latest and greatest developments in the field of network security.

Here's some of the questions Sam answers:

1. Sam, you have a BS and a PhD in Physics – how did you end up in networking and security?
2. You’ve been at CCSF since 2000 – what classes do you teach?
3. Ethical hacking? Sounds like an oxymoron – what do you mean by ethical hacking?
4. I know you’ve taken some of your students to DEFCON in Las Vegas. This conference of hackers is probably unlike anything our listeners have ever attended. Could you tell us a little about it?
5. Are most of the attendees self-taught or do they attend formal classes?
6. In terms of recent developments (threats, security solutions, and research), what’s been on your radar screen lately?
7. Sam, how do you keep up with all of this information?
8. What about your own skills and knowledge? How do you keep these up-to-date?
9. If a student is interested in learning more about networking – in particular securing a network, how would you advise them to get started? What sort of characteristics – in a student – would make them a good candidate for this type of work?
10. Now for something from a chat session with a student:

• my twitter account was hacked :( -- maybe i should hop on that security course just for some personal safety
• do you, yourself actually keep different passwords for everything?
• i'm freaked out and want to differentiate all my passwords
• but, that's crazy!

What advice can you give my student?

Sam's class content, email and lots of other great stuff can be found at http://samsclass.info/ Check him out - one of the best!

Here's how to listen:

To access show notes and audio of our 28 minute audio podcast with Sam titled Network Security – With a Little Help from Our Friends click here.

Listen to it directly in your web browser by clicking here.

If you have iTunes installed you can subscribe to our podcasts by clicking here.

Tracking the Palin Email Hacker

Yesterday I wrote about how the alleged hacker got into Vice Presidential Candidate Sarah Palin's Yahoo email account on Tuesday, September 16. Today, let's take a look at how the hacker's IP address was traced starting with part of a message the hacker (username Rubico) had put up on the 4chan forum:

yes I was behind a proxy, only one, if this s*** ever got to the FBI I was f*****, I panicked, i still wanted the stuff out there but I didn’t know how to rapids*** all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state.

Rubico had used a proxy service to try and hide his identity but quickly realized how vulnerable his identity was. Proxy services are commonly used to access sites that are sometimes blocked by IT departments. Typical blocked sites include YouTube, Facebook, MySpace, etc. Proxy services are also used to play web based on-line games on sites that are blocked. Here's a good definition of what a proxy server does from Wikipedia:

A proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client.

Here's a simplified diagram (modified from Wikipedia with some made up IP addresses) we can use to show how a proxy server/service works.

Let's describe what happened referring to the diagram:

Rubico made his attack by accessing yahoo.com from the client computer (IP address 132.168.2.10) and going to yahoo.com through the proxy server (IP address 10.7.5.3). As a result, yahoo.com saw the proxy IP address of 10.7.5.3 only - yahoo.com did not see the 132.168.2.10 client address Rubico was using. So.... using the proxy service masked his IP address from yahoo.com - yahoo.com servers logged the IP address accessing the account as 10.7.5.3. Sounds good so far - right? Yahoo logs the proxy address and Rubico is "hidden" from yahoo.com - at least for a little while.

This kind of setup works great for accessing sites that are commonly blocked by businesses but it does not really hide client IP addresses from law enforcement people. Rubico used a proxy service offered by Ctunnel.com. Ctunnel is a CGI Proxy service and it is simple to use - it does not require any special browser configurations and can be used to access most sites on the web. According to the Ctunnel website, the proxy service is administrated by Gabriel Ramuglia, owner of the Overnight PC computer repair shop located in Fairbanks, AK. Ramuglia setup the proxy so users could access a browser based game he runs called Oil Fight. Because Oil Fight is a game, it could potentially be blocked by schools or corporations.

Here's more from the Ctunnel website:

Why should I trust Ctunnel?

By going through any proxy, you trust any data you send or receive to the proxy owner. To earn your trust I will be as open and honest with you as possible....... Open proxies may be honeypots to steal your information, or may be left open accidentally and be down tomorrow, or be otherwise unreliable. Ctunnel however, operates solely off money derived from advertising shown during the proxy session, and therefore will not be down tomorrow. Because our visitors value their privacy, it is not in our interests to spy on you, lest we lose traffic and advertising revenue. Because government subpoena could require us to hand over our server access logs, access logs are regularly deleted to protect your privacy. In short, we value your browsing experience as well as your anonymity, and would not do anything to break your trust in us.

Less that 24 hours after the hack the U.S. Secret Service was knocking on Ramuglia's door with a subpoena. The proxy server log files had exposed Rubico - each Ctunnel user's IP address, the time and destination were logged and they had not been flushed yet. By Sunday morning the FBI was knocking on the door of accused University of Tennessee student David Kernell with a search warrant.

How Sarah Palin Got Hacked

You've probably heard by now that Vice Presidential candidate Sarah Palin's Yahoo account got hacked. According to Wired Magazine the story was briefly posted Wednesday to the 4chan forum where the hack first surfaced. Bloggers have connected the handle of the poster, "Rubico," to an e-mail address, and tentatively identified the owner as a college student in Tennessee. You've probably also heard that FBI agents served a federal search warrant to 20-year-old University of Tennessee student David Kernell on Sunday. David is the son of Democratic Tennessee State Representative Mike Kernell.

According to an MTV post, a Department of Justice spokesperson confirmed some "investigatory activity" in the Knoxville area related to the Palin case, but said no charges have been filed.

What I find most interesting is the ease at which the hacker got access to her account. I think most of us have forgotten a password or two and have had to click on "Forgot my password" to answer a few questions to reset it. This is exactly what the hacker did. The questions were pretty easy to research and answer on the web and, according to the hacker, it only took about 45 minutes. Here's how the hacker (referred to as Rubico) did it:

Rubico had made an attempt to hide behind a proxy service to anonymize his IP address but.... that was not enough. According to Wired he realized how vulnerable he was to being caught since he only used a single proxy service. Here's part of the message he posted Wednesday to the 4chan forum:

yes I was behind a proxy, only one, if this s*** ever got to the FBI I was f*****, I panicked, i still wanted the stuff out there but I didn’t know how to rapids*** all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state

After Rubico posted the information on the 4chan forum, a white hat hacker tried to protect Palin by resetting the password and sending an email to Palin aide Ivy Frye. The white hat then posted a screen shot of the Frye email on the 4chan forum - that screen shot included the new password. Other 4chan readers (referred to as b/tards) jumped in and tried to access Palin's account with the frenzy causing the account to be locked for 24 hours.