Posts Tagged ‘infosec’

(almost) 90 days with the Motorola Xoom

Monday, May 16th, 2011

Just about three months ago I wrote a quick post about having the Motorola Xoom for approximately 12 hours.

First I’d like to address some of the points I made in my last post:

Now the TODO list:

  • I have both ubuntu and backtrack5 running on this thing in chroots. While I now have access to tools like nmap, skipfish and other command line tools, some of the interesting ones (ettercap, aircrack) do not yet function due to lack of the proper kernel modules. I’ve contributed to the Tiamat kernel thread on the XDA forums asking if adding that kind of functionality was feasible.

 

Verdict:

Everywhere I go, I get asked “is that the new ipad?” and I answer “no, its better”. People look confused. I used to get into debates about it, but now I just dont care. I’ve accepted the fact that the vast majority of people prefer a snappy UI and pretty pictures over functionality and an open attitude. I’ve recently figured out how to get my eye-fi to work with the thing, and I’ve been out a few times while taking pictures and having them zip from my leica directly over the xoom (this is a REALLY cool party trick – I intend on utilizing this somehow combined with a projector at this years ninjapenguin party.).

This platform does everything I need that doesn’t require massive horsepower including simple security tasks – like portscanning and browsing open fileshares, nmapping, and running metasploit. I can watch movies on it, get directions (chrome to phone is awesome on this thing), watch full-screened high-res episodes of southpark from southparkstudios.com and other flash sites (since it supports flash) browse full HTML5 and flash websites, and even set it up like a mini entertainment set – with the jawbone jambox speakers setup as bluetooth speakers.

It’s overclocked from 1ghz to 1.6 ghz with little to no impact on the battery. The modified kernel allows me to have external SD storage enabled and PTP and USB OTG modes so that I can plug in external devices and storage (though I have not yet tried a mouse or keyboard, usb sticks and my leica d-lux 4 work like a champ – for some reason the d3s isn’t properly recognized, so I’ve opened a ticket with google). I hope to use it in a photography sense as well (in Vegas this year, if I’m lucky) with the square reader and squareup app – which lets me accept credit cards as an individual. I can torrent from the thing, as well as use it as a backup phone by way of a skype-in number and a bluetooth headset. The list just goes on and on!

I’ve been tapped to use it as a support tool – once at drinkup a friend had a need to use a variety of basic linux tools such as traceroute, ping and telnet – I was able to hand him my xoom in an ubuntu chroot and tell him ‘go to town’. I can use it to remote control any of my computers as well, even remotely ‘hamachi style’ using a tool called neorouter.

I intend for this to be my “computer” while I’m at Defcon/Blackhat this year. I can easily offload all my photos to it, and it does everything I need while I’m on the go. Someday I hope to actually give a talk from this thing, completely without a laptop.

tl;dr: If you just want a toy, buy an ipad. If you want a tool? Buy the xoom.

 

Wishlist:

  • I still want a site survey tool. Especially overclocked past %50. this thing screams.
  • Having the jambox speakers helps when I want other people to hear stuff, otherwise I want a case that has little ‘ears’ to funnel the speakers forward.
  • Having backtrack5 on this thing is badass, but some of the more impressive stuff is unavailable – I cant send arp traffic and I cant put the wifi interface into monitor mode or inject traffic. I’ve asked about it on the xda thread.
  • I really wish someone would port VLC over to android. This hardware has so much still untapped potential – I want to be able to watch a 720p mkv. Standard dvd rips work fine, highres stuff chokes – because the players don’t leverage the GPU
  • I want to find out why the hell it doesn’t work with my Nikon D3s. It sees the camera, but never sees any photos. wtf?

Tags: , , , , , , , , , , , , , ,
Posted in insight, review, technology | 2 Comments »

Zipline – a VPN security product.

Wednesday, December 16th, 2009

How many of those wordpress, joomla, drupal blogs, web2.0 products of various sort and other websites do you go to that are encrypted using SSL(https)? How many times a day to you enter your credentials, or use cookie based (the ‘remember me’ checkbox type) authentication on websites a day? Do you find yourself in coffee shops, or other public wifi frequently and sometimes wonder who is watching your traffic?

I know I do. Up until now I’ve been using SSH tunnels to get my traffic back home where I know nobody is running a packetsniffer. The trouble with SSH tunnels though is that they’re fickle, and often drop. I wanted a better solution – so I made one.

www.atenlabs.com/zipline

(more…)

Tags: , , , , , , , , , , , , , , , ,
Posted in Uncategorized | 2 Comments »

State of the pwnion.

Thursday, August 6th, 2009 
message begins
Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).
The textfile the group distributed was called zf05.txt and after skimming it’s abundantly clear that wordpress played a huge part in these folks getting rooted. Almost every example was sort of an ‘all in one’ server that was used for ‘whatever’. Its also become clear that jam packing one server with a bunch of services makes it more vulnerable to compromise. Ever heard of KISS? “Keep it simple, stupid”. It’s used very commonly among engineers, computer people – you name it. Anyone that has to build things or design things. The minute you start adding complexity for no reason the proverbial altimeter begins its decline.
People who fake tech exacerbate things. There are groups that call themselves “tech” when in reality they are simply PR or Marketing. The Web 2.0 craze has hypnotized people into putting almost everything they think and do ‘behind the scenes’. They let someone else worry about it. Some ruby programmers I’ve met are incapable of manually issuing a sql query. Others are incapable of interacting with sql unless they have phpmyadmin. These folks generate a requirement to artificially make systems more complex and less secure entirely to suit their evergrowing hatred of looking things up themselves or actually learning anything about the technology they use every day. The easiest way to think about it is this: Think of some people. Now think of these people all owning cars. Think of these people now requiring something as simple as an oil change, a tire change, or a simple tune up. Now think of these people taking their cars to a shop to get work done – for whatever reason: maybe they lack the tools, maybe their HOA doesn’t allow them to perform work on their cars on the grounds (those HOA people desperately need to be stabbed in the lungs, by the way) or maybe they just don’t know how. Now lets imagine these people have the work done, and are talking to the mechanics as they are preparing the invoice behind the counter. The mechanic begins to explain how their oil was changed, and these people abjectly refuse to learn or understand how this works even from a top-level non-technical aspect – they plug their ears and yell “NO! NO! AAALALALALA!! NOT LISTENING NO NOOOO! ALLALAAAAAA!”.
These people strongly support a fancy new term. “Cloud Computing”. Cloud computing will make this worse for everyone.
Let me jump away for a moment. I’d like to point out a fact. The attackers that distributed zf05.txt made a valid point – a point I’ve tried to make to peers, friends and clients alike – If your site/data are on shared hosting and you consider them secure that may mitigate some amount of risk. But if the other people hosting their data are vulnerable and your data is on the same system, you’re still vulnerable.
Now we have some ingredients – lets make a stew. Lets take these bits of information and put them all together and let it simmer.
- Non technical people whos requirements and behavior are insecure and promote systems being rooted
- Systems with lots of various services running on them
- A new trend of mashing these systems together to form giant systems that do the same thing, ending up being bigger and more powerful
- Commonly used software being exploited within a week of a patch.
Mix in a bowl with a wisk until creamy. Add a teaspoon of extra virgin olive oil to a cast-iron skillet. Add a bit of freshly cracked pepper to the oil and some freshly pressed/minced garlic. Let simmer until the pepper and garlic begin to bubble, then pour the mixture from the bowl into the skillet and add a squeeze of fresh key lime if you wish. Cook until firm or golden brown, flip once, then serve! Let stand for 10 minutes to cool. What do you get? What does it smell like? (Well if people actually taste of chicken then that may make one hell of a breakfast omlette). We dont know. Here’s why we don’t know:
- “Business people” like the idea of getting rid of systems administrators and IT overhead
- “Cloud Computing” does not have a security model yet
- There are no standards – this stuff is too new
- Far too many people are comfortable being hacked, and say “oh there’s nothing important on that sit/box”
.. Really, guys? You don’t use that same wordpress password everywhere? For your bank, for gmail, for your car insurance or your mobile provider to login? If a blackhat gets that password you’re really okay with it? If thats the case, I’d like you to kindly leave the internet, never to return. Please – do us all a favor, for the people that like keeping their privates private and their secrets secret, go away.
So we’re going to take all of these insecurities, vulnerabilities and holes – package them up with non-technical people demanding insecure practices so that they don’t have to learn or think and we’re going to replicate this ad nauseum and store the results in one gigantic computer grid system? Awesome. Maybe I should trade in my whitehat for a black one – since thats obviously where all the focus, media, fear and money are going to be. Or maybe I’ll just make my white hat bigger – perhaps people will come to their senses and listen to fact and reason. Perhaps not. I guess we’ll see.
I’m not the only one, either…
http://darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218102139&cid=RSSfeed
http://www.sensepost.com/blog/3706.html – open the ppt, this was the defcon talk. they pwned amazon ec2.
http://evilpacket.net/ – see the ‘theft of a rackspace cloud api key’. These guys got root on the rackspace/mosso cloud.

I was late to hear – by a day. Thats 10 years in internet time, we all know. If you’re not in InfoSec you probably didn’t hear. Maybe you heard somewhere, irc, twitter, other bits of the intarnets that Kevin Mitnick got hacked. Everyone chuckled. As it turns out a whole bunch of people got compromised. People I know personally who I consider friends. Rob Fuller, Dan Kaminsky, the Hak5 group and a handful of others, including Kevin Mitnick.

Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).

(more…)

Tags: , , , , , , , , , , , , , , , , , , , , ,
Posted in insight, rants, review, speculation, technology, Uncategorized | 1 Comment »

Making Security Research Relevant

Monday, January 19th, 2009

I’m very very open and transparent about security, technology and what I do. I’ve written documentation so thorough that my clients have ended the contracts stating “we dont need you anymore – with these docs we can do the work ourselves” – in the grander scheme of things thats awesome. I love it when clients learn from me and it makes me feel really good about what I do – especially if it sticks the first time – but it certainly is prohibitive towards me paying my rent.

I’ve been very vocal in the last year about what I do – to the point it manifests itself as talks I give during BarCamp (LA and San Diego), and Refresh San Diego which is held at Qualcomm. Here is my most recent talk


Security 102, part 1 from Dan Tentler on Vimeo.


Security102, part 2 from Dan Tentler on Vimeo.

Video courtesy of @northlight


(more…)

Tags: , , , , , , , , , , , , , , ,
Posted in insight, rants, review | 1 Comment »