Tuesday, March 3, 2009

ShmooCon ’09: Why My Next Wallet Will Be Metal (Not To Be Confused With My Tinfoil Hat)

RFID has been next year’s technology for about, oh, a century or so. The good news is that RFID’s here to stay for lots of applications which have been well designed from an operational and security posture.

And for some that aren’t.

Chris Paget’s talk on cloning travel documents wasn’t just interesting...it was kind of scary. Lots of reports have said he’s cloning passports; he’s not, although I’m sure it’s just a matter of time until RFID-embedded passports are pwn3d, too. Paget has been researching how to compromise and clone documents which are Western Hemisphere Travel Initiative (WHTI) compliant.

Government officials are very proud of their efforts on WHTI, so much so that in early December, Colleen Manaher, WHTI director for U.S. Customs and Border Protection, stated about critics: "They said it couldn't be done. They said we're going to fight you every step of the way. Well, all the pieces are in place -- documents, technology and infrastructure -- to meet the June 1, 2009, WHTI implementation date."

Uh, okay. But what if the thing turns out to be so poorly designed that someone with a little bit of expertise and a couple hundred bucks worth of gear can readily read and clone the documents sitting in your wallet or purse?

Someone like Chris Paget, for instance.

Maybe Manaher should have said “They said it couldn’t be done securely.” I don’t think anyone would argue with that point. This isn’t some type of hysterical, theoretical attack, executable only on a computing environment the size of a Google data center. This is an attack that Paget wrote, on his laptop, using readily available software, hardware, and RFID devices.

In their recap of end-of-year accomplishments for 2008, DHS took pains to point out that “technology upgrades under the WHTI were completed at land border crossings marking the start for new RFID technology deployments at 354 northern and southern border ports that account for 95 percent of all cross-border travel into the United States.” In the next sentence, they point out that “In 2008, CBP apprehended 1,020,438 individuals, including 200 individuals with serious criminal records such as murder, rape and child molestation.”

That’s awesome. But here’s the problem. With an RFID architecture that enables ready cloning of WHTI-compliant documents (including enhanced driver’s licenses, and cards like NEXUS, FAST, and SENTRI), have we just made it easier (rather than tougher) for the bad guys to get into the country? This isn’t rocket science, either: with no encryption and no meaningful authentication of the tag, the identifier the card broadcasts is the credential, and the only thing limiting access to it is physical proximity. Access control becomes a physical security issue. PHYSEC is great when guards, guns, and gates are involved. But Paget has shown that he can read tags at 10 meters or more; with the right gear, he believes he’ll be able to read tags at 60 meters or (a whole lot) more, enabling compromise and cloning from a couple hundred feet. Apologists will talk about the incongruity of building specialized devices to do this type of surveillance. These same apologists have never seen Renderman or the Bluetooth Sniper Rifle. This is a COMSEC issue, although with no communications security in the process, I guess it’s actually a lack-of-COMSEC issue.

Paget’s talk included a demo where he cloned a card in seconds, as well as one where he passed a bag of ~30 tags over a reader in a very quick wave; 16 of the tags were read completely. The latter part of that statement is actually beneficial to the cause—we want to get people through our land and sea crossings quickly, right? Right. But, don’t we want to make sure that we’re getting the correct people across the border quickly, while keeping out the bad guys?
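As an added illustration (this is not Paget’s code, and not anything the WHTI cards or readers actually run), the following Python model shows why an identifier-only tag is clonable from a single passive read, and what changes when a tag must prove possession of a secret instead of just announcing an identifier. The tag ids, the per-card key, and the HMAC challenge-response scheme are all constructed for the example; the “clone” is built only from what an eavesdropper could capture over the air.

```python
import hashlib
import hmac
import secrets


class IdOnlyTag:
    """Model of the encryption-free cards discussed above: the tag answers
    every inventory query with its identifier and has nothing else to say."""

    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def inventory(self) -> bytes:
        return self.tag_id

    def respond(self, challenge: bytes) -> bytes:
        return b""  # no secret on the card, so nothing to prove


class AuthTag:
    """Hypothetical alternative (not something the WHTI cards do): the tag
    still broadcasts its identifier, but must also MAC a reader-chosen nonce
    with a per-card secret that never leaves the chip."""

    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id = tag_id
        self._key = key

    def inventory(self) -> bytes:
        return self.tag_id

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.tag_id + challenge, hashlib.sha256).digest()


class ReplayClone:
    """Everything an eavesdropper at range can capture: the identifier plus
    whatever (nonce, response) pairs were overheard. It cannot compute new
    responses because it never learned the key."""

    def __init__(self, tag_id: bytes, transcript: dict):
        self.tag_id = tag_id
        self.transcript = transcript

    def inventory(self) -> bytes:
        return self.tag_id

    def respond(self, challenge: bytes) -> bytes:
        return self.transcript.get(challenge, b"")


class Reader:
    def __init__(self, enrolled: dict):
        # tag_id -> per-card key, or None when the card is identifier-only
        self.enrolled = enrolled

    def session(self, tag):
        """One read. Returns (tag_id, nonce, response, admitted); the first
        three fields are exactly what crosses the air in the clear."""
        tag_id = tag.inventory()
        if tag_id not in self.enrolled:
            return tag_id, None, b"", False
        key = self.enrolled[tag_id]
        if key is None:
            # identifier-only scheme: reading the id *is* holding the credential
            return tag_id, None, b"", True
        nonce = secrets.token_bytes(16)
        response = tag.respond(nonce)
        expected = hmac.new(key, tag_id + nonce, hashlib.sha256).digest()
        return tag_id, nonce, response, hmac.compare_digest(expected, response)

    def admit(self, tag) -> bool:
        return self.session(tag)[3]


def eavesdrop_and_clone(tag, reader: Reader, sessions: int = 3) -> ReplayClone:
    """Attacker watches a few legitimate reads and records what the tag emitted."""
    transcript = {}
    tag_id = None
    for _ in range(sessions):
        tag_id, nonce, response, _ = reader.session(tag)
        if nonce is not None:
            transcript[nonce] = response
    return ReplayClone(tag_id, transcript)


def demo() -> dict:
    # Constructed identifiers and key; not real card data.
    key = secrets.token_bytes(32)
    reader = Reader({b"card-0001": None, b"card-0002": key})
    id_only = IdOnlyTag(b"card-0001")
    authed = AuthTag(b"card-0002", key)

    clone_a = eavesdrop_and_clone(id_only, reader)
    clone_b = eavesdrop_and_clone(authed, reader)
    return {
        "genuine_admitted": reader.admit(id_only) and reader.admit(authed),
        "id_only_clone_admitted": reader.admit(clone_a),  # the id was the credential
        "auth_clone_admitted": reader.admit(clone_b),     # fresh nonce, no key
    }


if __name__ == "__main__":
    print(demo())
```

The identifier-only reader admits the clone because the identifier was the only thing it ever checked; the challenge-response reader rejects the replay because every read uses a fresh nonce and the clone never learned the key. Two caveats the model makes visible: a challenge-response card is only as strong as the protection of its key, and a card that still broadcasts its identifier in the clear remains trackable at the same ranges Paget demonstrated, which authentication alone does nothing to fix.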

We can thank our lucky stars that researchers like Chris Paget are working for the good guys, but an architecture this poorly designed simply screams to the bad guys, “Come get me”. I can only hope that common sense prevails at DHS, and that they collaborate closely with the information assurance community over the coming months to ensure that a 6/1/2009 turn-on date occurs only if the security issues are resolved—and if they’re not, that all stakeholders work together to eliminate the vulnerabilities as soon as possible. Too little risk has been mitigated in the current system.

Find Chris’ ShmooCon presentation here, as well as his and others’ work at http://www.rfidhackers.com.

ShmooCon ’09: Fail 2.0

Nathan Hamiel and Shawn Moyer gave one of the best and most broadly-applicable talks this year, focused on attacking social networks. Odds are pretty good that if you’re reading this, you belong to one or more social networks. In their talk, Hamiel and Moyer weren’t looking to ridicule any particular socnet, although some certainly make it easier than others to do so; they were looking to raise awareness of socnet vulnerabilities in general. As you might expect, they succeeded.

A huge vulnerability with socnets is that by enabling the aggregation of content from more than a single site, attacks like cross-site JavaScript hijacking and cross-site request forgery (CSRF) end up being easy as pie (mmm, pie) to execute: the victim’s browser loads the off-site content while still holding the victim’s socnet session cookies, so whatever that content requests is sent as the victim. Or, as the presenters put it, “Link to crap offsite = epic fail.” True dat.
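As an added example (not code from Hamiel and Moyer’s talk, and not any real social network’s implementation), here is a toy Python model of an “add friend” action that shows the CSRF problem and the usual fix side by side. The site name `socnet.example`, the attacker site `evil.example`, the handler names, and the requests themselves are constructed for the illustration; the point is what the server checks, not the framework.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://socnet.example"  # hypothetical social network


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict  # whatever the browser attached automatically
    form: dict = field(default_factory=dict)


SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}
FRIENDS = {}   # user -> set of friends


def login(user: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def add_friend_vulnerable(req: Request) -> int:
    """Accepts any request that arrives with a valid session cookie. Browsers
    attach cookies to cross-site requests too, so a page on any other site
    can make the victim's browser send this request on the victim's behalf."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    FRIENDS.setdefault(sess["user"], set()).add(req.form["friend"])
    return 200


def from_our_origin(req: Request) -> bool:
    """Origin (or, failing that, Referer) must name our own site. Fail closed
    when neither header is present; exact match or a path under our origin,
    so 'https://socnet.example.evil.example' does not pass."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    return src == SITE_ORIGIN or src.startswith(SITE_ORIGIN + "/")


def add_friend_hardened(req: Request) -> int:
    """Same action with three checks: no state change on GET, the request
    must come from our own origin, and it must carry the per-session token
    that a cross-site page cannot read (same-origin policy keeps it private)."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    if not from_our_origin(req):
        return 403
    token = req.form.get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    FRIENDS.setdefault(sess["user"], set()).add(req.form["friend"])
    return 200


def demo() -> dict:
    FRIENDS.clear()
    sid = login("alice")
    csrf = SESSIONS[sid]["csrf"]
    # Legitimate submission from one of our own pages (constructed request).
    good = Request("POST", {"Origin": SITE_ORIGIN}, {"sid": sid},
                   {"friend": "bob", "csrf": csrf})
    # Forged submission: an auto-submitting form on an off-site page alice was
    # linked to. Her browser attaches her cookie, the Origin header names the
    # attacker's site, and the attacker has no way to learn her token.
    forged = Request("POST", {"Origin": "https://evil.example"}, {"sid": sid},
                     {"friend": "mallory"})
    return {
        "legit_hardened": add_friend_hardened(good),
        "forged_vulnerable": add_friend_vulnerable(forged),
        "forged_hardened": add_friend_hardened(forged),
        "alice_friends": set(FRIENDS.get("alice", set())),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler adds “mallory” to alice’s friends because a session cookie is the only thing it looks at; the hardened one refuses the same request. The same origin-plus-token discipline belongs on any endpoint that returns the user’s data as script-loadable JSON, which is the cross-site JavaScript hijacking half of the “link offsite” problem.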

Hamiel and Moyer also launched some “experiments” of their own; they were hesitant to describe these as 0days, but instead called them “featureibilities”, or design flaws. So, yeah, they’re jackin’, but they’re jackin’ socnets.

They presented examples of attacks on MySpace and LinkedIn, as well as examples of seriously dumb Twitter usage (like the congressman who twittered that he’d just landed in Baghdad…nice job painting a bullseye on your back, pal). The MySpace attack was a more technical attack, whereby you could force someone to show up as a friend. The LinkedIn attack was more of a true social engineering attack, with fake profiles of plausible people, resulting in the coughing up of information that people really wouldn’t want disclosed publicly.

The presenters went on to discuss a bunch of other socnet vulnerabilities, also mentioning the Firefox extension they're working on called CSRFblocker, whose progress you can follow at their site. (As an aside, you should check out the extremely interesting paper on drive-by downloads called “All Your iFRAMEs Point to Us”). They also showed how one can compromise certain AT&T DSL modems from Netopia/Motorola; more on that here. Again, way cool stuff.

If you use socnets (and you know you do), make sure to check out Hamiel and Moyer’s slides. And, when I ignore your request to install a Facebook app tagging me as the coolest person on FB, or the app where you want me to throw a dead cow at Tony Soprano, you’ll now understand why—social networks as threat vectors concern me. If I’m going to get pwn3d, I’m going to get pwn3d somewhere else.

Monday, March 2, 2009

ShmooCon ’09: They Took My Laptop!

No, they didn’t take my laptop. That’s the name of the session Tyler Pitchford presented at ShmooCon ’09. Focused on the Fourth Amendment, Pitchford provided an excellent overview of search and seizure, as well as of the amendment’s “reasonableness” and “warrant” clauses.

While a small percentage of ShmooCon attendees really do have something to hide, the vast majority of folks attend to learn, to share, to network. And to party. Definitely, to party. That said, even those of us with nothing to hide paid close attention to Pitchford’s talk. I spend enough time flying internationally that by some random principle, I’d guess that my number will eventually come up for a laptop search.

At which time I’ll be thoroughly pissed. No, I don’t have anything to hide. But, my laptop and everything on it count as my possessions, so I don’t really care to have someone rummaging through them without probable cause.

The good news is that I learned quite a bit from Pitchford’s talk, to be able to have a reasonable (?) discussion with folks who’d like to poke around my zeros and ones. To recap, the Fourth Amendment states: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or the things to be seized.”

Things get a little complicated when you take those “effects”, put them on a computer, and return home from a foreign country. Pitchford focused primarily on discussions and examples of warrantless searches, which are the ones that I think concern most of us—when someone in a position of authority chooses to use that authority “just because”, without a legitimate level of suspicion.

Of course, one of the exceptions to the standard rules is when crossing a border. Pitchford discussed the case of U.S. v. Arnold, in which the Ninth Circuit ruled in 2008 that laptops are no different than closed containers, and are thus subject to routine (suspicionless) searches. The case fits the bill as “routine”, since you’re crossing a border—but still annoys me. Again, I’d like to think I have nothing to worry about, since I have nothing to hide; and, having been on enough military installations, I don’t really have much of an expectation of privacy. But, I’m still concerned enough that I’ll continue to follow further developments in this space very closely.

One case whose ink is barely dry concerns what happens when the entire drive is encrypted. In a case tried in Vermont over the past few years (most recently In re Grand Jury Subpoena to Sebastien Boucher, 2009), the court had initially found that the password to an encrypted drive is a “product of the mind”, and that compelling its disclosure would violate the Fifth Amendment. The analogy here is a combination lock on a vault versus a key: you can be legally compelled to cough up a key (tangible), but not a vault combination (intangible). However, just a couple of weeks ago (shortly after ShmooCon), the District Court of Vermont ruled that Boucher would have to produce a copy of a portion of his hard drive; I don't think that this particular wording and this particular case counteracts the earlier findings, but the ruling is way too involved for me to go into here. Plus, I'm not a lawyer, so I encourage you to investigate the documents linked here. Warning: some of the content descriptions are not for the faint of heart.

I’d recommend that every international traveler have a look at Pitchford’s slides. Again, I’m not a lawyer, and Pitchford’s not your lawyer, but I’m still confident that you can learn something from his slides.

Recap: IEEE Consultants’ Network of Silicon Valley February Meeting

The February IEEE-CNSV meeting was again extremely well-attended, with a near-overflow crowd for the second month in a row. Almost 100 members and guests spent the evening networking and learning. David Flynn, CTO of Fusion-io, gave the keynote, on the topic of NAND flash in the enterprise. Flynn presented an extremely in-depth overview of the technology and the market, and engaged in a lively debate with a number of other storage experts in the audience. My admittedly simpleton mind wasn’t able to follow much of the technical talk, but a few of Flynn’s points stuck with me.
  • We need a new memory tier that follows Moore's Law (silicon) rather than Newton’s Law (spinning disk), which is what NAND flash enables.
  • Compared to DRAM, NAND flash is 1/10th the cost per gigabyte; uses 1/100th the power and generates 1/100th the heat, and has 100x the capacity per module; all while being non-volatile and providing similar bandwidth.
  • The flip side is that the read access of NAND flash has much higher latency—25 microseconds, versus single digit nanoseconds in RAM.
  • Putting flash behind disk handicaps both the numerator and the denominator in the cost-benefit ratio. I found this statement particularly interesting, since we’re seeing more and more netbooks using exactly this architecture.
  • NAND flash will eventually be cheaper than RAM on a per-gigabyte basis. I found SanDisk’s solid state disk announcements at CES this year to be very compelling; I’m hopeful that through the efforts of SanDisk, Fusion-io, and everyone involved in the flash industry, I’ll soon have an affordable yet powerful netbook running multiple operating systems with long enough battery life to get me from SFO-Hong Kong on a single charge. THAT is gonna rock.

Don’t miss the next IEEE-CNSV meeting on 3/17/09, where CNSV member Dr. Jonathan Wells will be speaking on disruptive forces in the cellular industry. Jacky Hood of Foothill College will present “The Engineers' Survival Guide to the Service Economy” at the CNSV meeting on 4/28/09. As always, no RSVP is required, but show up early to network and get a good seat. Also feel free to join the marketing meeting which occurs prior to the general meeting itself. More details on the IEEE-CNSV website.