Security

Read all 'hijack' posts in Security
September 13, 2009 12:10 PM PDT

Rogue ad hits New York Times site

by Steven Musil

Updated at 5:50 p.m. PDT September 14 with explanation from The New York Times.

The New York Times' Web site is grappling with problems created by an "unauthorized advertisement," but it is unknown how the ads managed to appear on the site and whether the site had been compromised.

The rogue ad warns readers that their computer may be infected with a virus and redirects them to a site that purports to offer antivirus software, according to a note posted to the newspaper's Media & Advertising section:

Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser.

The site, best-antivirus03.com, is a so-called hijacker that uses fraudulent strategies to promote fake security software, according to security site GeekPolice.net.

One CNET reader described how the pop-up ad essentially hijacked his browser, preventing him from navigating away from the site.

"They took me to an 'antivirus site,' which kept attempting to scan my computer and install software. Using the back button kept reloading the virus page," the reader said. "It was not possible to close the page, necessitating a force quit."

Update with explanation from The New York Times:

The New York Times said the offending ad was provided by someone posing as a national advertiser with a legitimate-looking advertising product. Over the weekend, the ad being served was swapped out so that the offending ad would appear instead, the Times said.

"As soon as we were made aware of the situation, we took aggressive steps, suspending all third-party advertisements on the site," Diane McNulty, executive director of Community Affairs and Media Relations, said in a statement. "We now know how it occurred and have taken steps to prevent a similar situation from happening."

July 31, 2009 5:51 PM PDT

Researchers offer tools for eavesdropping and video hijacking

by Elinor Mills

LAS VEGAS--Showing off technology that James Bond would love, two researchers at Defcon on Friday demonstrated tools that allow people to eavesdrop on video conference calls and intercept surveillance camera video.

An attacker needs to be in the same building as the victims to carry out the man-in-the-middle attacks over the network.

The free UCSniff tool, available in Linux and Windows versions, offers a slick graphical user interface for sniffing video, said Jason Ostrom, director of the Viper Lab at Sipera Systems. The tool basically tricks the voice-over-IP network carrying the video into sending the data packets to the attacker's computer, he said.

This could be used to spy on people. For instance, an attacker could listen in on and record confidential conversations between an executive who is on a video conference call with another remote executive, according to Ostrom.

Ostrom and Arjun Sambamoorthy, a research engineer at Viper Lab, also have developed another free tool called VideoJak that can be used to intercept video streams.

Thieves planning to steal from a museum, for example, could use the tool to change live surveillance video being watched by a museum security guard so that it replayed previous video of the art, giving thieves time to steal art without detection.

Attackers can replay video from the same stream or inject other video, like pornography, the researchers said.

Companies can use encryption on the network server to protect against these attacks, but encryption is not enabled by default, Ostrom said.

"These assessment tools can show you the impact of the vulnerability to your network," he said.

John Draper, aka "Capt. Crunch," said he is interested in using the UCSniff tool to test the systems at start-up En2Go where he is chief technology officer. En2Go is signing up with companies to deliver high-definition media, including movies and corporate videos, to desktops.

"I want to ensure customers and clients that someone can't steal movies off Flyxo," En2Go's system, he said.

Intercepting streaming video isn't new, but UCSniff "makes it easier; it makes it plug and play," Draper said.

Originally posted at InSecurity Complex

May 6, 2009 1:56 PM PDT

FBController allows for hijacking of Facebook accounts

by Elinor Mills

Azim Poonawala, aka QuakerDoomer, author of FBController.

(Credit: Azim Poonawala)

A computer security enthusiast in India has released a tool designed to allow people to take complete control of strangers' Facebook accounts if they can get hold of the targets' session cookies. It also could be used to manage large quantities of hijacked accounts.

FBController analyzes the communications that Facebook has with computers when they interact with the site and uses that information, along with the cookie data, to allow for accounts to be hijacked, said 26-year-old Azim Poonawala, who wrote the tool and provides details on his blog.

Cookies, meanwhile, can be obtained using network sniffing, cross-site scripting exploits, social engineering, and via open proxies where cookies are logged, he said in a recent interview over chat.

Poonawala, who goes by the alias "Quaker Doomer," said he wrote the tool as a proof of concept and because "writing network-related gray hat tools has always been an adrenalin rush."

Jeremiah Grossman, chief technology officer of WhiteHat Security, said he believed the purpose of the tool is to manage control over large numbers of accounts rather than merely hijack accounts one at a time.

"This is much easier than using a browser to log in and modify accounts individually," Grossman said in an e-mail. "The mere existence of such a tool leads me to believe that huge numbers of FB accounts are and continue to be compromised and the bad guys need to scale their access."

Facebook spokesman Barry Schnitt said the company is aware of the tool and that it does not impact the firm's ability to detect potentially malicious behavior.

"We have systems to detect phished or fake accounts on many different points, including at point of compromise, point of creation, point of login, and point of a spam send, among others," Schnitt said. "Multiple accounts taking the same action, at the same time, as this tool enables, can actually make this detection easier."

Poonawala said his intention in creating FBController was not to allow control of multiple accounts, although "it can definitely be misused by bad guys to achieve that since it is free."

This is a shot of an FBController screen.

(Credit: Azim Poonawala)

March 16, 2009 3:53 PM PDT

LiveJournal accounts getting hijacked

by Elinor Mills

LiveJournal warned its users on Monday that lapsed Hotmail accounts are to blame for bloggers having their LiveJournal accounts hijacked.

"Recently some journals and communities have been broken into, their contents deleted, and their owners locked out," LiveJournal said in an e-mail to its users. "The problem appears to stem from Hotmail's policy of recycling inactive e-mail addresses."

Anyone can claim a Hotmail address if it has not been used in more than a year, the e-mail says. Hijackers are grabbing lapsed e-mail addresses that have been publicly displayed on LiveJournal profile pages and are re-registering them on LiveJournal.

It's unclear how the hijackers were able to figure out the passwords to the accounts.

A spokesperson for LiveJournal did not immediately return a phone call or e-mail seeking comment.

The LiveJournal e-mail urges users to keep their passwords secure and make sure they are in control of all the e-mail addresses associated with the account.

LiveJournal has added a "Manage Email Addresses" feature that allows users to delete e-mail addresses that are no longer active. Users have to have been using their main e-mail address for at least six months in order to delete the others.

December 28, 2008 8:55 AM PST

SF engineer to stand trial in hijacked network

by Steven Musil

A network administrator will stand trial for allegedly hijacking the network he designed and maintained for the city of San Francisco.

A superior court judge ruled Wednesday that there was enough evidence to hold Terry Childs for trial on four felony charges of tampering with a computer network, denying other authorized users access to the network, and causing more than $200,000 in losses, according to a report in the San Francisco Chronicle. Childs, who has been in custody since July 13, had worked at San Francisco's Department of Telecommunication Information Services for five years. Childs, 44, is being held on $5 million bail and is scheduled to be arraigned on January 13.

Childs is accused of tampering with the city's Fiber Wide Area Network after allegedly being disciplined for poor performance. He was also accused of electronically spying on his supervisors and their attempt to fire him.

Childs allegedly denied other administrators access to the system, which maintains law enforcement, payroll, and jail-booking records. Childs reportedly refused to surrender secret codes that would allow access to the system.

However, after a week in the city's jail, Childs agreed to give the access codes to San Francisco Mayor Gavin Newsom during a secret jail house visit. The meeting reportedly was so secret that the police department and district attorney were not informed of the meeting ahead of time.

Childs' attorney has claimed that there was no destructive intent and that Childs was merely protecting the network from incompetent city officials who were trying to force him out of his job.

"Mr. Childs had good reason to be protective of the password," Erin Crane argued in an unsuccessful attempt to lower his client's bail. "His co-workers and supervisors had in the past maliciously damaged the system themselves, hindered his ability to maintain it...and shown complete indifference to maintaining it themselves...He was the only person in that department capable of running that system."

July 26, 2008 2:28 PM PDT

'Hijacked' SF passwords made public

by Jennifer Guevin

Only days after the city of San Francisco regained control of its computer network after an alleged hijacking, a new vulnerability has come to light--this time brought on by the city itself.

The San Francisco district attorney's office has apparently made public nearly 150 usernames and passwords used by city officials to gain access to the city's network. The list was submitted to the court as Exhibit A in a case against Terry Childs, a 43-year-old network administrator for the city who was arrested July 13 on four felony charges of tampering with the city's computer network.

Co-workers accused Childs of setting a "time bomb" that would sabotage the network the next time it went down, either for maintenance or due to a power outage.

Childs had effectively taken the city's network hostage by locking administrators out and refusing to give up the passwords needed to regain access. The San Francisco Chronicle reported that Childs handed them over directly to Mayor Gavin Newsom in a secret meeting earlier this week.

Later in the week, the DA's office reportedly filed a court document to argue against a reduction of the $5 million bail set for Childs, who is being held in the county jail. Exhibit A of the document contained the usernames and passwords used by nearly 150 employees to get into the city's virtual private network. And despite the DA's office saying the passwords pose an "imminent threat" to the city's computer network, they are now a matter of public record.

A source tells InfoWorld that a second password is needed to gain access to the VPN. Still, giving up these so-called phase one passwords is hardly recommended security policy.

And here I thought we San Franciscans were supposed to be good with this computer stuff.

July 22, 2008 10:45 PM PDT

SF mayor gets codes to hijacked city network

by Steven Musil

The computer network hostage crisis in San Francisco is over, thanks to the city's mayor.

Terry Childs, a network administrator for the city of San Francisco, has been in custody since July 13 on four felony charges of taking control of the city's computer network and locking administrators out. Access to much of the city's information was blocked, including law enforcement, payroll, and jail-booking records.

Childs had reportedly refused to surrender the codes to his supervisors, but after a little more than a week as a guest of the city, he apparently had a change of heart and invited Mayor Gavin Newsom to meet with him, according to a report on the San Francisco Chronicle Web site Monday night.

A secret meeting was arranged at the city jail on Monday afternoon, where Childs gave Newsom the codes to the network. The meeting reportedly was so secret that the police department and district attorney were not informed of the meeting ahead of time.

The codes given to Newsom didn't initially provide access to the system, but a call to Childs' attorney got the city back in the system.

Although the city has regained control of its network, not all is necessarily forgiven. Erin Crane, Childs' defense attorney, is expected to cite his cooperation during a court hearing on Wednesday in a bid to have his $5 million bail reduced.

Crane has argued that Childs was merely protecting the network from incompetent city officials who were trying to force him out of his job.

"Mr. Childs had good reason to be protective of the password," Crane told the newspaper. "His co-workers and supervisors had in the past maliciously damaged the system themselves, hindered his ability to maintain it...and shown complete indifference to maintaining it themselves...He was the only person in that department capable of running that system."
