July 31st, 2014

Sued by RIAA? Get a free T-Shirt

A recent article on Boing Boing mentions a new insurance model by a company in Sweden. Tankafritt will pay all your fines in case you get sued by RIAA all for the measly $19 a year. Did I mention you will also get a free t-shirt? However, if RIAA is really out to get you and civil suit was filed, you will have to disclose any insurance you have thus prompting RIAA to raise claimed damages above the insured amount. Furthermore, the very fact you have purchased insurance can be considered evidence of willful infringement, which means damages of up to $150,000 for each infringing file. You can find more debates pertaining to copyright infringement insurances and their viability at this
site
. You can also visit Tankafritt (translation) for more details concerning their insurance plan.

A Chronology of Data Breaches

This is an interesting link to a site the covers a timeline of (almost) the last year and a half of data breaches that involve a loss or compromise of personal information. Just from these known instances from the last sixteen months, the count of compromised data instances totals 88,366,461. That’s Eighty-eight MILLION plus people exposed to potential identity theft. Of course there’s probably overlap in the people exposed, but that’s still almost 1 in 3 people in the US. I wonder how many times my information is in those files.

In case you are a victim of identity theft, here is a good link (linked from Schneier a while ago) that covers what to do, step by step, when your identity is stolen.

automating aircrack(ng)

This is pretty close to something that I’ve been wanting to do for a while now, it’s a script that automates wep cracking with aircrack-ng. Aircrack is great, but it still requires running 3-4 instances with different setup to perform various parts of the attack. This script brings up a menu of how you want it to run, and pops up the required windows with the appropriate instances of aircrack. It still requires a bit of interaction, but I think that can be easily changed based on specific use cases. The goal here would be to get a plugin for wicrawl that makes it a simple interface for all things related to wi-fi discovery and crawling. See here for details, including videos.

eyes in the sky

In a step closer towards hover cars and Escape from LA meets 1984, the LA police are now testing unmanned flying security drones for surveillance of urban areas. They say they are considered for use in searching for suspects on the run and monitoring hostage situations, among other things.

In the past two years, the Sheriff’s Department has teamed with Octatron of La Verne, California, to develop the SkySeer, a five-pound UAV powered by replaceable battery that lasts about 70 minutes. It has aluminum and nylon fabric wings atop a Kevlar fuselage.

With a top speed of just under 29 mph, the unmanned plane is too slow for car chases.

You’ve gotta love it when Science fiction plot-lines converge in real life. Well, except when it’ll probably used to spy on you. Now we just need to hack into them and install wicrawl, :) .

“Snake Plissken” in Escape from LA.

How to Build a Low-Cost, Extended-Range RFID Skimmer

This looks like it could be a fun project. Before going into construction details, he gives some background on RFID in general, talks about different specifications, and even covers a few of the other RFID hacks that have taken place. Their project is portable, and was made for less than $100.

Bitfields

Today we’re going to talk a little about the little-used bitfield feature of the C language. Sometimes, a programmer wants to define a structure that represents a bunch of bits; in my case, it’s the IPv4 header. It looks like this:

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |     Padding   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

As you can see, there’s this funny 13-bit bitfield called fragment offset, which is used when chopping up a packet into fragments for transmission on links with small maximum transmission unit (MTU) settings.  Now, a professional C programmer who hasn’t run into this problem might say this:

typedef IPV4_HDR {
uint16_t fragment_offset:13;
uint16_t  flags:3;
} IPV4_HDR;

The fields are swapped because we assume a little-endian machine for this example, and there’s a rule saying you have to define the fields backwards within a machine word on little-endian compilers.  What you get in this case isn’t what you expect:

0                   1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Frag. Off 1  |Flags|Frg Off 2|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

What happened?  Well, we did get 13 bits of the fragment offset, and 3 bits of flags, but the fragment offset field is backwards.  It’s… byte swapped!  On a big-endian machine, you get what you’d expect:

0                   1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Flags|     Fragment Offset     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The various C standards all cop out and say that what really happens with bitfields is implementation defined, and you should go consult your API documentation to figure out how the bitfields will be packed.  But GCC cops out too, and says that you should go consult your ABI.  Of course, the System V ABI for i386 doesn’t even include the word “bitfield”.  The Visual Studio compiler documentation doesn’t address this issue either.
So it seems that on the x86, it’s not possible to create a bitfield greater that 8 bits and have it pack correctly.  The solution?  Define the fragment offset and flags as a single 16 bit quantity and use macros to do the bit setting yourself:

#define SET_IP_FO(_IPV4_HDR_, _X_) (_IPV4_HDR_.ip_fo = _X_ & 0x1fff)

Current events

There are a few things coming up during the next week:

  • o Friday June 16th, Midnight Research Labs monthly meeting. This month we’ll be going over our participation in the recent Defcon CTF pre-qual event. I’ll be giving a “mini-presentation” on sensepost’s BiDiBlah (an “Automated Assesment Tool”). And we’ll also be playing with making some homemade FerroFluid after being inspired by a recent HackADay.com post (we’ll try to get some better pictures if it turns out).
  • o The RoboGames are this weekend. They are always fun, maybe next year we can compete.
  • o DorkBot SF is next wednesday, and they have some interesting topics (Liftport Space elevators, a quick presentation by one of the artists of the “FRANKENSTEIN THEORY AND ROBOTICS”, and others). Even if you don’t get to go to dorkbot, you should check out the gallery.
  • o BarCamp San Francisco is coming up 6/23-25. Looks like lots of interesting people will be there.

Let me know if you’ll be at any of these events, chances are that someone from MRL will be going. See you there!

ethereal forks… sort of

The main developer for Ethereal has started working for CACE technologies (known for win pcap), and has started a new fork of Ethereal called Wireshark. It’s not clear to me why they did the fork, and even though they haven’t done this yet, I’m wondering whether they’re going to pull a nessus and close the license for new releases.

From: http://www.wireshark.org/faq.html#q1.2:

Wireshark is almost (but not quite) a fork. Normally a “fork” of an open source project results in two names, web sites, development teams, support infrastructures, etc. This is the case with Wireshark except for one notable exception — every member of the core development team is now working on Wireshark.

Backtrack 1.0 Final Release is out!

Please welcome the arrival of Backtrack 1.0 Final Release, the result of merging of two security live cds Whax and Auditor. It took Backtrack team only 3 months to polish out a few bugs in the beta release which is a remarkable achievement considering all the tools on the distro. For a quicker download use this torrent link backtrack-v 1 0-260506 iso. Happy pentesting!

Backtrack 1.0 Final

Coroutines

PuTTY, like a lot of other terminal software, has to interpret a lot of funny grammars and syntaxes in its input.  The problem of how to do this clearly and maintainably in C is still an open problem which has no widely accepted solution.

The authors of PuTTY, however, came up with one I haven’t seen before: using the C preprocessor to break down the barriers between two cooperating functions which process grammar in their inputs.

Imhotep theme designed by Chris Lin. Proudly powered by Wordpress.
XHTML | CSS | RSS | Comments RSS