Hacking Techniques for Hardware Security

The document discusses various security vulnerabilities that can arise from locks, access cards, hard drives, USB devices, and networked devices: 1) Locks can be bumped open by hitting the lock with a screwdriver to manipulate the pins, and some high security locks like those used in the White House are still vulnerable to bumping. 2) Access cards like those using RFID can have their data read from a distance, and the data is often unencrypted, allowing cloning of the cards. 3) Default passwords and lack of encryption on devices leave them open to attack, as seen with compromised networked devices like routers and early Linux notebooks.

Uploaded by Ritcher Hardy

Some materials adapted from Sam Bowne

Lock bumping: see next slides.


Don't rely solely on locks: use two-factor
authentication
PIN keypad
Fingerprint
Security guard
Cloning access cards: not so easy.
Magstripe vs RFID cards
Open RFID reader, and an RFID hack reader and writer.


Every key pin falls to its lowest point
The key is hit with a screwdriver to create
mechanical shocks
The key pins move up and briefly pass
through the shear line
The lock can be opened at the instant the
key pins align on the shear line
Even Medeco locks used in the White
House can be bumped

ISO Standards specify three tracks of data
There are various standards, but usually
no encryption is used
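The slide's point is that magstripe tracks are plaintext: anything that can read the stripe gets every field. The following parser, added here as an illustration and not part of the original slides, decodes the ISO 7813 Track 1 and Track 2 layouts from constructed sample swipes (the PAN is the well-known 4111 1111 1111 1111 test number, not a real account), checks the Luhn digit, and masks the PAN the way a defender's log or receipt should. Field names and the sample strings are the example's own assumptions.

```python
import re

# Constructed sample swipe data in ISO 7813 Track 1 and Track 2 layout (test PAN, not a real card).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^2512101123456789?"
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

# Track 1: start sentinel %, format code B, PAN, ^, cardholder name, ^,
# expiry YYMM, 3-digit service code, discretionary data, end sentinel ?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: start sentinel ;, PAN, =, expiry YYMM, service code, discretionary data, ?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """True if the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six (BIN) and last four digits; star out the rest."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw: str) -> dict:
    """Decode one track; raises ValueError if it matches neither layout."""
    track, m = 1, TRACK1_RE.match(raw)
    if m is None:
        track, m = 2, TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("not ISO 7813 track 1 or track 2 data")
    f = m.groupdict()
    return {
        "track": track,
        "pan_masked": mask_pan(f["pan"]),
        "luhn_ok": luhn_ok(f["pan"]),
        "name": f.get("name"),  # only present on track 1
        "expiry": f"{f['exp'][2:]}/{f['exp'][:2]}",  # YYMM -> MM/YY
        "service_code": f["svc"],
        "discretionary_len": len(f["disc"]),
    }


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(parse_track(raw))
```

Every field falls out of a regular expression because the standard defines no secrecy at all; the only defence the card format offers is the Luhn digit, which detects typos, not attackers. Store the masked form rather than the raw track when you must keep swipe records.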

USB connector
About $350



RFID cards use radio signals instead of
magnetism
Now required in passports
Data can be read at a distance, and is
usually unencrypted
Mifare is most widely deployed brand of
secure RFID chips (vulnerabilities).


$250 in equipment
Can steal passport data from a moving car

The Massachusetts Bay Transportation Authority claims that
they added proprietary encryption to make their MiFare
Classic cards secure
But Ron Rivest's students from MIT hacked into it anyway

Bypassing ATA password security
Two kinds of ATA (AT Attachment) interfaces are used
PATA (Parallel ATA)
IDE is now called PATA
SATA (Serial ATA)
Newer and faster than PATA

Requires a password to access the hard disk
Virtually every hard drive made since 2000 has this
feature
It is part of the ATA specification, and thus not
specific to any brand or device.
Does not encrypt the disk, but prevents access
Countermeasures
Don't trust ATA Security
Encrypt the drive with Bitlocker, TrueCrypt,
PGP, etc.



ATA Security is used on Microsoft Xbox hard drives and
laptops
BUT desktop machines' BIOS is often unaware of ATA
security
An attacker could turn on ATA security, and effectively
destroy a hard drive, or hold it for ransom
The machine won't boot, and no BIOS command can
help
This is only a theoretical attack at the moment
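The lock-and-ransom scenario above only works while a drive is neither password-enabled nor frozen: a BIOS that issues SECURITY FREEZE LOCK at boot leaves the password commands rejected until the next power cycle. On Linux the drive's state is visible in the Security section of `hdparm -I`. The checker below is added here as an example (not from the slides) and runs over constructed text in the layout of that section; the sample strings, verdict names and the assumption that the Security block is tab-indented as hdparm prints it are the example's own.

```python
# Constructed samples in the layout of the Security section printed by `hdparm -I`
# (assumption: other sections of the real output are omitted here).
SAMPLE_FROZEN = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "Checksum: correct\n"
)
# Same drive on a desktop whose BIOS never froze it: a password could be set.
SAMPLE_UNFROZEN = SAMPLE_FROZEN.replace("\t\tfrozen\n", "\tnot\tfrozen\n")
# A drive that has a password set and has not been unlocked since power-on.
SAMPLE_LOCKED = (
    SAMPLE_UNFROZEN.replace("\tnot\tenabled\n", "\t\tenabled\n")
    .replace("\tnot\tlocked\n", "\t\tlocked\n")
)


def parse_ata_security(hdparm_output: str) -> dict:
    """Map each Security-section flag (supported, enabled, locked, frozen,
    expired, enhanced_erase) to True/False, reading 'not <flag>' as False."""
    flags, in_block = {}, False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith(("\t", " ")):
            break  # next top-level section
        text = line.strip()
        if not text or "=" in text or "min for" in text:
            continue  # revision code / erase-time lines carry no flag
        tokens = text.split()
        negated = tokens[0] == "not"
        rest = " ".join(tokens[1:]) if negated else text
        name = rest.split(":")[0].strip()
        if "enhanced erase" in rest:
            name = "enhanced_erase"  # distinguish from the plain 'supported' line
        flags[name] = not negated
    return flags


def assess_ata_security(flags: dict) -> str:
    """Verdict for a defender: 'unfrozen' is the state the ransom scenario needs."""
    if not flags.get("supported"):
        return "unsupported"
    if flags.get("enabled") and flags.get("locked"):
        return "locked"
    if flags.get("enabled"):
        return "password set, unlocked this session"
    if flags.get("frozen"):
        return "frozen"
    return "unfrozen"


if __name__ == "__main__":
    for label, sample in (("frozen", SAMPLE_FROZEN), ("unfrozen", SAMPLE_UNFROZEN),
                          ("locked", SAMPLE_LOCKED)):
        print(label, "->", assess_ata_security(parse_ata_security(sample)))
```

On a real machine feed it `subprocess.run(["hdparm", "-I", "/dev/sda"], capture_output=True, text=True).stdout`; an "unfrozen" verdict on a desktop is the BIOS gap the slide describes, and the fix is firmware that freezes the drive at boot, plus full-disk encryption so the ATA password is never the thing protecting the data.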


Hot Swap
With an unlocked drive plugged in, enter the
BIOS and navigate to the menu that allows
you to set a HDD Password
Plug in the locked drive and reset the
password
Use factory default master password
Not easy to find
Some examples given in 2600 magazine
volume 26 number 1

Vogon Password Cracker POD
Changes the password from a simple GUI
Allows law enforcement to image the drive,
then restore the original password, so the
owner never knows anything has happened
Works by accessing the drive service area
A special area on a disk used for firmware,
geometry information, etc.
Inaccessible to the user
U3: Software on a Flash Drive
Carry your data and your applications in
your pocket!
It's like a tiny laptop!

Just plug it in, and the Launchpad appears
Run your applications on anyone's machine
Take all data away with you

The U3 drive appears
as two devices in
My Computer
A Removable Disk
A hidden CD drive named U3
The CD contains software that automatically
runs on computers that have Autorun enabled
For more details, see
[Link]

PocketKnife is a suite of powerful hacking
tools that lives on the disk partition of the
U3 drive
Just like any other application
You can create a custom file to be
executed when a U3 drive is plugged in
Or replace the original CD partition with a hacked one.


Steal passwords
Product keys
Steal files
Kill antivirus software
Turn off the Firewall
And more



Traditional
Block all USB devices in Group Policy
Disable AutoRun
Glue USB ports shut (?!?!)
Better Solution: IEEE 1667
Standard Protocol for Authentication in Host Attachments
of Transient Storage Devices
USB devices can be signed and authenticated, so only
authorized devices are allowed
Supported in Windows 7 and Linux.
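"Disable AutoRun" is a bitmask decision, not a checkbox: the NoDriveTypeAutoRun policy value turns AutoRun off per drive type, and the U3 trick works precisely because the stick presents its payload as a CD-ROM, so a policy that only covers removable disks still lets it run. The helper below is an added example, not from the slides, that decodes the policy value against a constructed inventory of what a U3 stick looks like to the host; the inventory and the policy values tested are the example's own assumptions.

```python
# Bit values of the NoDriveTypeAutoRun policy value under
# Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (HKLM or HKCU).
# A set bit disables AutoRun for that drive type; 0xFF disables every type.
NO_AUTORUN_BITS = {
    "DRIVE_UNKNOWN": 0x01,
    "DRIVE_NO_ROOT_DIR": 0x02,
    "DRIVE_REMOVABLE": 0x04,
    "DRIVE_FIXED": 0x08,
    "DRIVE_REMOTE": 0x10,
    "DRIVE_CDROM": 0x20,
    "DRIVE_RAMDISK": 0x40,
    "DRIVE_UNRECOGNIZED": 0x80,  # reserved bit for types not in the list above
}

# Constructed inventory of a plugged-in U3 stick as the host sees it:
# a removable disk plus an emulated CD-ROM that carries autorun.inf.
U3_STICK = [
    {"letter": "E:", "type": "DRIVE_REMOVABLE", "autorun_inf": False},
    {"letter": "F:", "type": "DRIVE_CDROM", "autorun_inf": True},
]


def autorun_disabled_types(policy: int) -> set:
    """Drive types whose AutoRun this policy value switches off."""
    return {name for name, bit in NO_AUTORUN_BITS.items() if policy & bit}


def drives_that_would_autorun(policy: int, drives: list) -> list:
    """Drive letters whose autorun.inf the policy still allows to execute."""
    disabled = autorun_disabled_types(policy)
    return [d["letter"] for d in drives
            if d["autorun_inf"] and d["type"] not in disabled]


def policy_blocks_u3(policy: int) -> bool:
    """True only if both the removable-disk and CD-ROM bits are set."""
    need = NO_AUTORUN_BITS["DRIVE_REMOVABLE"] | NO_AUTORUN_BITS["DRIVE_CDROM"]
    return policy & need == need


if __name__ == "__main__":
    # 0x95 covers removable, network and unknown types but leaves CD-ROM on;
    # 0xFF is the value to deploy.
    for value in (0x95, 0xFF):
        print(hex(value), drives_that_would_autorun(value, U3_STICK),
              "blocks U3:", policy_blocks_u3(value))
```

To audit a live Windows host, read the value with `winreg` and pass it to `policy_blocks_u3`; anything other than 0xFF deserves a ticket, since a value that leaves the CD-ROM bit clear is exactly the gap the emulated U3 CD drive exploits.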
Example: ASUS Eee PC Rooted Out of the Box
The Eee PC 701 shipped with Xandros
Linux
The Samba file-sharing service was on by
default
It was a vulnerable version, easily rooted
by Metasploit
Easy to learn, Easy to work, Easy to root


Many devices ship with default passwords
that are often left unchanged
Especially routers (seen before)

In 2008, these men used
default passwords to
reprogram ATM machines to
hand out $20 bills like they
were $1 bills

Bluetooth supports encryption, but it's off by
default, and the password is 0000 by default

Mostly an engineering endeavor
Mapping the device
Sniffing the bus data
firmware reversing
JTAG -- a test and debug interface for printed
circuit boards.
Read the book for more details.
