Defensive Computing

Do you block your phone number from appearing on Caller ID? If so, don't count on it. At The Last HOPE hacker conference, Kevin Mitnick, arguably the most famous hacker of all, demonstrated how call blocking can be hacked, and the hidden phone number exposed.

The hack starts with a VoIP telephone number. Mitnick uses Flowroute as his provider, but he told me afterwards that the same thing can also be accomplished with a few other VoIP providers.

Kevin Mitnick speaking at The Last HOPE conference

He starts by forwarding calls to an Asterisk server that he maintains.

According to Wikipedia, "Asterisk is an open source/free software implementation of a telephone private branch exchange (PBX)". The Asterisk website says it runs on GNU/Linux, OpenBSD, FreeBSD, and Mac OS X. On the hardware side, all you need is a computer to use Asterisk with VoIP calls (to interface with the public telephone network requires additional hardware). In other words, it's not an expensive thing to set up.

Asterisk has its own scripting language. Once a phone call hits Mitnick's Asterisk server, a script that he demonstrated analyzes information in the SIP header. The script can see the originating phone number and can also tell that the caller wanted their number hidden. But, just because you ask for something doesn't mean you'll always get it.

Mitnick's script forwards all calls to his cellphone. But, calls that requested privacy have an arbitrary three digit code pre-pended to the phone number. The net effect is that, when Mitnick's cellphone rings, he not only sees the callers' phone number, he can also tell that they tried to hide it.

The basic issue, as I see it, is that once telephone calls become computer data, they can be manipulated like any other type of data.

Caller ID can be hacked in other ways too. In June 2007, Good Morning America did a story on Caller ID spoofing. That is, calling from one phone number but making it appear that you called from another number. Mitnick briefly appeared in that story which is available on YouTube.

See a summary of all my Defensive Computing postings.

Lots of travelers have their checked luggage abused, but it takes a hacker to find out what really goes on behind closed doors. The first such hacker, who goes by the name "Algormor," is on the case.

In a presentation at the just-concluded hacker conference The Last HOPE, Algormor explained his method and motivation, and offered a glimpse behind the curtain.

No doubt, many can relate to his motivation, which started with one too many "Notice of Baggage Inspection" tags from the Transportation Security Administration. The last straw was when a zipper on his luggage was broken.

Algormor speaking at The Last HOPE conference

Bagcam derived from a perfect storm of circumstances:

• Algormor travels a lot, referring to himself as an "elite" flier. Among other reasons to frequently travel, he and his girlfriend live a few thousand miles apart.
• He's a techie, having been employed in IT for 15 years.
• He holds a private pilot certificate.
• His luggage has frequently been inspected and (in his estimation) abused.
• The illogical nature of airport security provided even further motivation.

On the last point, Algormor made it very clear that he is not an expert on aviation security. Still, he referred to it as "security by facade" and compared U.S. security to Europe's which he considers less invasive yet more productive.

This being a hacker conference, Algormor went into the details of how he hacked together a video camera and his luggage. The camera he used, costing about $500, is one solid piece (no moving parts) not much bigger than a hand. The camera supports motion detection to extend the battery life, which maxes out at about 10 hours. Video was recorded at 128x128 and 15 frames per second.

Extracting the video from the camera and converting it to a standard format was a major pain. But I was surprised at how small the hole he cut in the side of his luggage needed to be.

What has he recorded so far? By his own words, nothing damning. The videos he showed were at once fascinating and boring. For the most part, they offered a bag's-eye view of life on a conveyor belt. But there were some shots of TSA employees at work, and there was the expected shot of bags being mercilessly thrown into the cargo hold of a plane. Never pack anything fragile.

Surprisingly, the bagcam itself has yet to raise suspicion. You might think the video recorder would look suspicious to the scanning machines, but it has not yet been detected. What will happen when the TSA opens a bag and finds an active camera inside? An interesting question--and one for which Algormor doesn't have an answer.

Algormor can be reached via e-mail at algormor at gmail. He expects to post the presentation to Algormor.org soon. Could this be the beginning of something big?

Eighty percent of the audience at The Last HOPE also said they found a TSA notice in their luggage. When a bag is mutilated, Algormor said the airline blames the TSA, and the TSA blames the airline.

Frustrated and violated travelers are potential bagcam creators. Maybe someday the spread of bagcams will work like a deterrent. Stranger things have happened.

There are, however, legal issues. Algormor recorded only video, not audio. He strongly advised getting legal advice before constructing your own bagcam, as the rules for surreptitious audio-video recording vary from state to state.

Video of presentations at The Last HOPE conference will be available in the future. Exactly how, when, and where, I don't know, but watch the conference Web site and Hackerdvds.com.

See a summary of all my Defensive Computing postings.

The Last HOPE conference, now being held in New York City, is as much for people interested in hacking the real world as it is for computer techies.

One such real world presentation on Friday was called "Undoing Complexity--From Paper Clips to Ball Point Pens." Despite the title, it was about hacking high-security electronic locks from Medeco. (The paper clip in the title is a reference to using one as a way of bypassing one type of security in Medeco locks.) The presentation was very well attended, SRO in a large room.

The presenters, Matt Fiddler and Marc Tobias, didn't seem to hold a grudge. They said nice things about Medeco and its locks, which they claimed are used to protect the White House and England's royal family, among many other high value targets, such as server farms. But after 18 months of research, they claim to be able to hack into almost any Medeco high-security lock with ease. They also claimed to have had a good relationship with Medeco, until recently. Still, they must be Medeco's worst nightmare.

Much of the technical hacking details went over my head, but one thing came through loud and clear: don't trust the claims of vendors when it comes to the security of their locks. It was fascinating to hear how Medeco initially made a strong claim about its locks ability to resist one particular type of attack, then how it had to re-word that claim when that was proven untrue, and eventually, how it had to re-word the claim yet again to the point where it sounds good but has no real meaning at all.

Tobias was a guest, on the 2600 radio show Off The Hook on WBAI back on May 21. That show, is available for download here. He also spoke on "Lockpicking: Exploits for Mechanical Locks" at the prior HOPE conference. Audio of that talk is also available.

See a summary of all my Defensive Computing postings.

If there were ever a place for Defensive Computing, it's at a hacker conference.

So while attending the Last HOPE conference, a number of my previous postings came to mind.

First, there was the list of available Wi-Fi networks (see below) at the conference which, at times, showed four computer-to-computer networks (using the Windows XP terminology). These networks, also known as ad-hoc networks, are not governed by a router. While they may be set up on purpose, they are more likely to be accidental creations on the part of nontechnical computer users, or a purposeful trap set by someone with ill intentions. I wrote about this back in May. (See "A warning about 'free' public Wi-Fi.")

Everyone knows not to send anything sensitive, such as a password, over a wireless network. At a hacker convention, even a wired Ethernet connection to the outside world should be treated with caution. Not to pick on hackers, at any convention or at any hotel, a wired Ethernet connection deserves the same caution as a public wireless network. Back in January, I wrote that "wired connections to the Internet in a hotel are not, by their very nature, more secure than wireless connections." (See Ethernet connections in a hotel room are not secure.)

What to do? Rent a personal VPN.

The classic use for a VPN is an employee of a company using it to make a secure, encrypted connection to the office. But someone without a corporation, can rent a VPN that offers a secure connection to the VPN provider. Once data gets to the VPN company, it is dumped, unencrypted, on the Internet with everything else. The point is to encrypt everything coming into and out of your computer to protect it from any local bad guys.

The downside is speed. The speed test at Speakeasy.net showed that while I was connected to my VPN, the speed dropped by over half compared to using the Internet in an unprotected way.

The laptop I had with me was running the Online Armor firewall instead of ZoneAlarm, and as I noted a few days ago, I really missed not being able to see a log of intrusion attempts on my machine. At home, behind a router on my personal LAN, this isn't very interesting. But at a hacker conference, using a shared Wi-Fi network, it would have been fascinating to see who, if anyone, was knocking on my virtual door.

Something easily overlooked when connecting to public networks is file and printer sharing. While it's not the be all and end all, you're safer with it turned off. Windows XP users can find this with Control Panel -> Network Connections -> Properties of the network connection (you may want to do this for both wired and wireless networks) -> General tab -> checkbox for "File and Printer Sharing for Microsoft Networks."

Another easily forgotten protection involves turning off the wireless radio when you are not using it. This goes beyond the obvious issue of disconnecting from a public Wi-Fi network when you don't need it. There was a case where, due to a bug in some driver software, a computer could be hacked even when it was not logically connected to any network. All that was needed was for the Wi-Fi radio to be physically turned on. Plus, turning off the radio saves battery power.

Some laptops have a physical switch that turns off the radio. ThinkPads use Function-F5. As a last resort, Windows XP users can disable the Wi-Fi network. In my experience, that also turned off the radio.

Update July 19: Added topics on file and printer sharing and turning off the radio--thus proving, they are easily forgotten.

See a summary of all my Defensive Computing postings.

(Credit: 2600)

The seventh Hackers on Planet Earth conference, organized by 2600, starts Friday in New York. If you can't be at The Last HOPE, you can listen online.

Radio Statler (the hotel hosting the conference used to be called The Statler) will be broadcasting from radio.hope.net. The station will be live from 10 a.m. ET Friday until the close of the conference at 8 p.m. on Sunday.

There isn't a published schedule, most likely because there isn't an unpublished one, either. Plans are to stream the keynote presentations and other popular seminars, interview some of the speakers, carry reports from roving reporters, and talk to some of the attendees.

Hackers with their own podcasts are also invited to contribute. With a project manager named "LexIcon" a chief engineer who goes by "nikgod," it should be interesting. I'll be there, and maybe they'll even have a few minutes to talk to me.

For more, see 2600 HOPE conference bringing hacking to New York City and the Wikipedia entry for the HOPE conferences. Audio is still available from the prior HOPE conference.

Update July 18, 2008: There are two radio stations at The Last Hope. W2H (according to Bernie S., those are real, albeit temporary, call letters) is a ham radio station.

See a summary of all my Defensive Computing postings.