
Archive for the ‘In the News’ Category

Harness Unused WiFi Signals for Power with Metamaterials

Tuesday, November 12th, 2013

I recently saw this article (http://tinyurl.com/ssrwifi) from a comment iBall made on Facebook.

First, this isn’t that new. It’s been worked on for about a decade now and founded/hypothesized back in 1968. And yeah, from 1968 to about 1999 most of the work was “theoretical.” What I am talking about is a material designed to “catch” electro[magnetism].

In physics, there is something called the “index of refraction,” which is measured by how electro[magnetic] energy changes velocity in a new material. A simple example of refraction is light entering glass or water. Have you ever seen a long rigid pole go into water and thought that it looked bent?

This refraction is the cause for that bend. Light bends as it enters a denser material. This is also true with other forms of electromagnetism including WiFi. If we have an orthogonal normal and send light straight down it from air into glass, we will see the light bend to the left, for example. This would be normal refraction. If the light bent in the opposite direction into a material away from the orthogonal normal, it is said to be a negative index of refraction since it bends into the negative side of our point of reference.

A lot more diffraction/refraction/reflection physics goes on behind the scenes, but for the sake of generalization, let’s use these simple examples. Now, for negative refraction to occur, the permittivity and permeability BOTH need to be negative. This is unusual and doesn’t occur naturally. Some metals can have negative permittivity at shorter wavelengths of radiation, but to achieve negative permeability, the “meta” material needs to be aligned and designed to do so. A material which has one, but not both, of these negative properties will not allow WiFi’s electro[magnetism] to pass through it.

Let’s not confuse refraction with reflection:

Reflection is a surface phenomenon, but remember the article I wrote addressing the leakage of WiFi, and how analyzing incoming signals that seemingly trespass into one’s own property should NOT be labeled a “crime” (technically it is a shared ISM/free band anyway)? Well, the “Mylar” material I was speaking of actually has an extremely low transmittance level due to its amazing ability to reflect radiation. In fact, if we plot transmittance against wavelength for Mylar, we see that the closer we get to the shorter wavelengths of WiFi (2.4-5GHz), the transmittance percentage drops off completely. This means that almost all radiation is reflected and nothing passes through. Refraction is a different concept and relies on the density and molecular structure of the material the light goes into. Permeability and permittivity are different from refraction and are why I have outlined the word “magnetism” in “electromagnetism” in this article: they deal with how magnetism affects the internal molecular alignment. Lining a room with Mylar, or emergency blankets, is a cheap way to keep radiation in and/or out using reflection!

Now, to make a material which is not affected by an external magnetic field (in our case the electro[magnetism] within a WiFi signal), we need to make the permeability negative. This is done in the construction of the meta-material. The meta-material is a set, or aligned grid, of SRRs, or “split ring resonators.”

These resonators are just copper split rings that, when affected by electromagnetism, generate an internal looping current, which in turn generates its own magnetism which perfectly opposes the field from the WiFi signal’s electromagnetism. These “rings” are not full rings: they are non-continuous, with a small section removed. This small gap is not visible in the article’s image because the SRRs are set in foam to brace them, but it is there. These gaps allow the SRR to accept a range of wavelengths larger than the ring itself. If the ring were closed, it would only accept a tiny range of frequencies.

The rest of the small circuit is just a DC doubler which uses the bias of the diodes to direct each portion (negative and positive from the wave) of the AC current into the twin capacitors. This is an extremely simple concept and design. The paper is mostly about how they optimize the current captured from the current loops in the SRRs when any RF at around 900MHz is received. WiFi has been used at 900MHz, and will be used more openly at 900MHz with the new 802.11 amendment “ah.” The authors are able to harness 7.4VDC at 104mA at the load. Now, if you’re thinking, “Great! I could use one of these, I have a WiFi router!” you may be missing the whole picture. This is low power we are talking about here, even if we are to store a large charge in, say, a battery. It would cost less to charge that battery directly from the wall outlet. Let’s take a look at why.

Your router, by default, most likely came equipped with a dipole antenna and is spraying signal at a higher TX power than your application needs. The whole time the little batteries that the authors have designed are filling up with energy from the signal, your router is most likely using 5-12VDC at 0.250-3A! If we lower the amount of low-power traffic our router is spraying, such as beacons (which are usually sent out every 100ms), lower our TX, or transmit power, in the router, and then use a proper antenna for applications which are wireless but stationary, or close to stationary, we obviously save more energy. Also, RF doesn’t necessarily mean 802.11 packets. It can be any radiation at 900MHz or even below (longer wavelengths), due to the simple, yet efficient design of the SRRs. Now, if you thought, “Wow! I can harness the power from all RF at 900MHz,” that makes more sense!

Now, let’s scare ourselves. Imagine a low powered trolling drone equipped with a switched GPS radio that searches for a BSSID, or MAC of a phone or station that is powered by leaked RF? :) Next article up: a few WiFi device patents that I can’t afford!

~Douglas

InfoSec Institute Interview

Thursday, April 4th, 2013

Recently I was interviewed about WNL by Jay Turla from the InfoSec Institute. If you are new here and wanna read about the beginnings of WNL, check it out:

~Douglas

OpenWIPS-ng, SSWR, WPA, and SAMI

Monday, October 17th, 2011

Thomas d’Otreppe’s latest work on creating an open source WIPS (wireless intrusion prevention system) at DerbyCon:

This is a good video, and his methods are creative, but all of them are things I have been thinking over for about 2 years now. My first implementation of an openWIPS (it took me about a year to finally start coding it) was a simple script that ran from a “server,” just like his:

Then, after being interviewed by a security consultant, he gave me the idea to implement this directly in the router itself:

What his [Thomas's] OpenWIPS-ng has over mine is actual “frame analysis.” At the time, I wasn’t as familiar with C programming and libpcap, and decided it wasn’t really necessary to re-invent the wheel, as I knew how TCP/IP handled things like broadcast frames within a simple BSS. Thus, I used tcpdump. :) I am excited for his project and would love to contribute, but I’m already too swamped with my own projects now. What would be a good idea is to make, yet another, live CD just for his project. You could configure Lighttpd/Apache2/Nginx to run as root and create a nice web interface to log into and run the commands, analyze the logs, etc. :)

Then, just as I was studying for the CWSP exam, I thought of two things: First is the WPA(2) Phishing Attack (WPA). This attack simply creates an AP from a radio and hosts a DHCP server and HTTP server. When the victim attaches to the (cloned) network, he or she is presented with a typical Windows login screen:

Which brings me to the final WIPS theory I had. The second idea was a true protocol (802.11) amendment, close to 802.11w (which has yet to be implemented), which protects the network from injected MGMT frames:

It uses received-power statistics at the medium level to protect the network from frames that do not fall within a simple threshold computed by the math inside the firmware of the radios.

“Wi-Fi–Hacking Neighbor From Hell” Wired Article

Thursday, July 14th, 2011

[Source of Article]
[Actual Sentencing Memo]

From “Hell” ??

I just couldn’t help myself to talk about this article. This is awful.

Ardolf downloaded Wi-Fi hacking software and spent two weeks cracking the Kostolnik’s WEP encryption.

Seriously? 2 weeks? What did he use, Wireshark and Aircrack-ng only? KisMAC? LOL!

A forensics computer investigator working for Kostolnik’s law firm examined the packet logs, and found the e-mail sessions sending the threats. In the data surrounding the threatening traffic, they found traffic containing Ardolf’s name and Comcast account.

Yeah, so, what lesson(s) do we learn here?

  • Don’t have your browser profile open your email page when you are leeching WiFi.
  • Remove any software that will “phone home” including email clients.
  • Spoof your MAC address.
  • When you can, get access to the AP and disable logging for the duration of your (spoofed) sessions.

…reams of evidence…hacking manuals with titles such as Cracking WEP Using Backtrack: A Beginner’s Guide; Tutorial: Simple WEP Crack Aircracking and Cracking WEP with BackTrack 3 — Step-by-Step instructions.

“Aircracking” <-- LOL!!! Anyways, that’s not evidence. At all. In fact, it is completely normal for any computer security enthusiast to have such items. Plus the assface at Wired got it wrong. Those articles were found by his supervisor at work after he was fired. This is from the real sentencing memo:

When he was terminated, a supervisor cleaned out his work space and found 25 printed pages containing articles relating to hacking into WEP-encrypted wireless routers.

Just because he had these spoonfeeding print-outs doesn’t mean he committed any crime. I mean, c’mon, the guy was a technician FFS. I am in no way sticking up for his actions, I just think it’s silly that we are so close-minded sometimes. The other stuff, like the stolen mail stashed under his bed and the hand-written notes about his plans for revenge, yeah, that’s just plain stupid and either planted by feds and police who know nothing about infosec and needed more momentum to get over the hump of the hill we call the Patriot Act, or hard evidence. A few thumb drives were reportedly found in his room full of useless information. The information was about his hacks and harassments. Who does this? Why would you keep logs or records of any of it EVEN if you did? This guy is insane.

One of the manuals had Ardolf’s handwriting on it and another had the unique identifying ID for the Kostolniks’ router typed into it

What? What is that? the BSSID? That’s not illegal information either. In fact, that’s sent out in Beacon packets 10 times per second. Sniffing beacons and other mgmt/ctrl frames is not illegal. Google could have avoided the whole lawsuit / Microsoft bash for sniffing wifi data if their programmers had brains and ignored/dropped the data packets. No joke. There’s another lesson for us:

  • Encrypt your traffic

he sent that family a postal-mail message consisting of a one-page, color print-out of the family’s “TurboTax” return with personally identifying information, in addition to several skull images

The “skulls” part made me lulz a little bit, I’m sorry.

With Kostolnik’s permission, they installed a packet sniffer on his network to try and get to the bottom of the incidents.

Ahh, hacking the hacker. This is great, and you know why? Because it can be implemented transparently. Want to give it a test? Grab an old Linux computer and put two NICs in it. Set both IPs to all zeros, 0.0.0.0, using ifconfig. Then use brctl to bridge the two interfaces. Plug your modem (in their case a Qwest modem, according to the official sentencing memo) into one NIC and the WiFi router into the other. Start Wireshark, Snort or whatever, and begin monitoring your network. Because the bridged NICs carry no IP address, the box won’t even show up in an ARP scan with Ettercap-NG!

Alas, the actual sentencing memo states things like:

the Kostolniks woke the next morning to find that the tires on the vehicles had been slashed. The perpetrator was never identified.

So, it wasn’t him? Or it was?

Ardolf was also able to access all of the Kostolniks’ computers that were connected to the router.

Did he remotely exploit the systems, or were they so careless that they were sharing their C:\ drives with RW access? Proof? The files on his machine? If they were shared, they were shared. Gaining access to the network is still illegal.

…accessed a Yahoo.com email account he had created in Matt Kostolnik’s name and, posing as Matt Kostolnik, sent three separate emails to his coworkers.

So, the machines weren’t pwned? If they were, he would have no problem gaining their identity and would not have to “pose.” Also, since when is this illegal? Does Yahoo! make you agree to ToS saying “THIS EMAIL NICKNAME BETTER BE YOUR REAL NAME, ELSE { DIE(); }” ? He didn’t have to send them from their WiFi router to get them traced back to him, but it’s a sure-fire way to speed the process up. If he can sniff packets, he can see the MAC address of the laptops used. Spoof yours to theirs and use a coffee shop, with a baseball hat on and fake mustache. LOL!

The vandalism, however, was never witnessed or definitively connected back to Ardolf.

Again, this shouldn’t be in the memo if it wasn’t proved to be him. If it fits his MO, then what if he paid someone else to do it?

Also, was there any more evidence found in his home that fit the “pedophile” MO? Imagine if he really DIDN’T do what the kid’s parents said he did? The only thing I see is the two images used in the harassment.

Conclusion

I think about wireless security a lot, I guess. Radios have fascinated me since I was a child. There are a lot of changes being made to, not only network and computer security, but now radio and radio network security too. For instance, the fact that ISPs are trying to “formalize the concept that you are not permitted to run open Wi-Fi.” Can this really be done? Locking down WiFi means more than just not using WEP. You NEED WPA2. You NEED to be very careful as to where you are typing the WPA2 passphrase. You NEED a MAC filter. You NEED a VERY strong password. And still, you won’t be able to lock it down. Will 802.11ac change this? I tried in this paper here, which I submitted to engineers at Cisco. They said it was completely possible and worth pursuing, but either didn’t want to fork over the time/effort, or they stole the idea. Who knows?

Dear Wired, how is this man “from Hell?” If this family really did see their son in danger of a pedobear, they would have secured their lives, cared more about security or moved. They neglected this? Isn’t this a relativity issue and you are spewing propaganda? Yeah. You should look at (both|all) sets of idiots in this case. Yours never, ~Douglas.

Where is WiFi security going to go now? I’d like to be there. :)

~Douglas.

Wardriving is not a crime

Monday, April 25th, 2011

Ethics are something which cannot be forced upon someone. They just happen. They result from you as an individual, your environment, and well, anything that influences you. Media, like the news, music, sitcoms, movies, and such can all have a deep effect on the psychology that goes into ethics and what decisions you as an individual make.

Imagine you walk through a bar where people are all yelling at the bartender like so:

man: “RTS!?”
bartender: “CTS!”
man: “I would like a drink, here is my credit card number! 1234-1234-1234-1234!! Sec code: 123!! expiration: 11-12!!!”
bartender: “ACK!”

and this is how drinks are ordered in the bar. Well, you may think to yourself, why are these people okay with yelling their credit card numbers? Well, what about the people who run the bar? They are okay with the customers yelling it out loud too? Well, I wouldn’t be. I would go somewhere else. But imagine if they were yelling in different languages you couldn’t understand. They knew you couldn’t understand because you’re a dumb fat American. But with a dictionary, or a few classes, you could understand the language just fine. It’s not like the language is a secret.

What if you went into the bar with a tape recorder. You recorded everything for about 1 hour and left. You paid for classes in whatever languages you recognized on the tape. You then deciphered the languages and were able to “hear” the credit card information of each customer. <-- You did nothing illegal up to this point. That is, unless there’s a huge sign on the wall in the bar that says “no tape recorders.” But then, what if you were blind? You relied on your senses to “hear” the communications only. This is similar to wardriving to an extent. The act of wardriving usually entails a lot of movement though, hence the “driving” part. You wouldn’t really “hear” enough data to get a lot of credit card numbers, or even tell what language those people are speaking. The key to deciphering what language is being used comes from statistically analyzing 40 to 250 thousand words, minimum.

To make this analogy more realistic, let's say every person had a megaphone in their hands and used it to speak the credit card information in their native language (which you don't understand yet.) Now, you don't have to enter the building with the tape recorder, you can just sit outside. Well, because wireless mediums are shared, and most access points and network data can actually be "heard" from outside of the building - you are seriously not breaking any laws yet, no matter if there is a "no tape recorders in building" or if you were blind. Well, I guess if you were loitering in the back alley, or trespassing onto the bar's lawn, you would be busted.

With this in mind, read this article: ComputerWorld:Wardriving

“WEP has well-documented security flaws and has been considered for years to be unsecure, but was widely used in routers built between about 2000 and 2005.”

Verizon’s own Actiontec routers STILL to this day come preloaded with WEP.

Here is the key statement:

“Because WEP’s encryption can be cracked using easy-to-find tools, even unsophisticated hackers can break into WEP networks and mine them for data.”

I retweeted this over the weekend and realised that you don’t necessarily have to “break into … networks” to get this data. The data is there. WEP’s IV, or initialization vector used for the PRGA keystream during RC4 is transmitted in plain text. So, here’s another example to get your gears going:

I can watch my neighbors (I don’t I assure you) as they watch Netflix for 15 seconds to 1 minute in HD and produce enough Data packets with Initialization Vectors to crack the key offline. No intrusion needed. Now, what if after they watch Netflix, or during that time, one of their computers running Thunderbird transmits a plain text password for IMAP or POP? Whoops, I can now see that using Wireshark and putting their key into the settings for packet decryption.

Another quote:

“…got many of the card numbers by wardriving retailers including TJX Companies, OfficeMax and Barnes & Noble”

This is where our bartender comes in. He owns the place and he was told by security standards officials (we’ll call them the PCI compliance people) not to use the megaphone / different language technique, but to use a far more secure technique called “WPA2.”

What these people did wrong was misuse the data. They distributed it, abused it, or sold it. That’s completely unethical. The fact that wireless signals go all over the place in 3 dimensions is not a flaw either. It’s how RF works with dipole antennas. If your equipment is too old to process the CCMP cipher used by WPA2 and you need to use WEP, use a weaker antenna. One that is directional to the receiver. Not one that will broadcast outdoors. What Google did in the past, wardriving and seeing your information, wasn’t illegal either. In fact, they told everyone that they saw the data to teach them to not use unencrypted networks! And they got in trouble over it!!

“They confessed that emails, passwords and other sensitive public data had been collected by the fleet of cars from unsecure wireless networks.”

You can limit your libpcap-based sniffing application to only capture beacon frames if you want to!
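Putting the beacon-only idea together with the two facts above (the BSSID and the Privacy bit ride in every beacon, and WEP’s IV is sent in the clear ahead of the ciphertext): the following is an added example, not code from this post or from WNL, that parses raw 802.11 frames (radiotap header already stripped) to inventory which of your own networks still advertise WEP and to count how often WEP IVs repeat. The frame builders, BSSIDs, SSIDs and IVs are constructed sample data, and the libpcap filter string is the one you would hand to a pcap capture to keep only beacons.

```python
import struct
from collections import Counter, defaultdict

BEACON_ONLY_BPF = "type mgt subtype beacon"   # libpcap filter: beacons only, never data frames

def _hdr(fc0, fc1, a1, a2, a3):
    # frame control (2) + duration (2) + addr1/2/3 (18) + sequence control (2) = 24 bytes
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + b"\x10\x00"

def make_beacon(bssid, ssid, privacy=False, rsn=False):
    # capability bit 4 (0x0010) is the Privacy bit; an RSN IE (id 48) marks WPA2
    s = ssid.encode()
    body = struct.pack("<QHH", 0, 100, 0x0001 | (0x0010 if privacy else 0))
    body += bytes([0, len(s)]) + s + (bytes([48, 2, 1, 0]) if rsn else b"")
    return _hdr(0x80, 0x00, b"\xff" * 6, bssid, bssid) + body

def make_wep_data(bssid, station, iv):
    # data frame with ToDS + Protected flags; the WEP body starts with the 24-bit IV in
    # the clear, then a key-id byte with ExtIV (0x20) clear, then ciphertext (filler here)
    return _hdr(0x08, 0x41, bssid, station, b"\xff" * 6) + iv + b"\x00" + b"\xaa" * 8

def parse_frame(frame):
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype, tods, fromds = (fc0 >> 2) & 3, fc0 >> 4, fc1 & 1, fc1 & 2
    # which address field carries the BSSID depends on the ToDS/FromDS bits
    bssid = frame[4:10] if tods and not fromds else frame[10:16] if fromds and not tods else frame[16:22]
    rec = {"bssid": bssid.hex(":")}
    if ftype == 0 and subtype == 8:                                  # management / beacon
        _, interval, cap = struct.unpack_from("<QHH", frame, 24)
        ies, pos = {}, 36
        while pos + 2 <= len(frame):                                 # walk the IEs: id, len, data
            eid, ln = frame[pos], frame[pos + 1]
            ies[eid] = frame[pos + 2:pos + 2 + ln]
            pos += 2 + ln
        wpa = ies.get(221, b"")[:4] == b"\x00\x50\xf2\x01"           # vendor-specific WPA IE
        sec = ("OPEN" if not cap & 0x0010 else "WPA2" if 48 in ies
               else "WPA" if wpa else "WEP")                          # Privacy set, no RSN/WPA IE
        rec.update(kind="beacon", ssid=ies.get(0, b"").decode(errors="replace"),
                   interval_tu=interval, security=sec)
    elif ftype == 2 and fc1 & 0x40 and not frame[27] & 0x20:         # protected data, no ExtIV
        rec.update(kind="wep-data", iv=frame[24:27].hex())
    else:
        rec.update(kind="other")
    return rec

def survey(frames):
    # network inventory from beacons, plus per-BSSID count of WEP IVs seen and how many
    # repeated: a reused IV means two frames were encrypted with the same RC4 keystream
    nets, ivs = {}, defaultdict(Counter)
    for f in frames:
        r = parse_frame(f)
        if r["kind"] == "beacon":
            nets[r["bssid"]] = {"ssid": r["ssid"], "security": r["security"]}
        elif r["kind"] == "wep-data":
            ivs[r["bssid"]][r["iv"]] += 1
    iv_stats = {b: {"unique": len(c), "reused": sum(n - 1 for n in c.values())}
                for b, c in ivs.items()}
    return nets, iv_stats

# constructed sample capture (not real traffic): two networks and three WEP data frames
AP_WEP, AP_WPA2 = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
SAMPLE = [make_beacon(AP_WEP, "linksys", privacy=True),
          make_beacon(AP_WPA2, "home-net", privacy=True, rsn=True)]
SAMPLE += [make_wep_data(AP_WEP, bytes.fromhex("02deadbeef01"), iv)
           for iv in (b"\x00\x00\x01", b"\x00\x00\x02", b"\x00\x00\x01")]
```

Run `survey(SAMPLE)` to get the inventory and the IV statistics; with the beacon-only filter applied at capture time the `wep-data` branch is simply never reached, which is the whole point of restricting the sniffer.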

~Douglas.