<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Keyboard Cowboy</title>
	<atom:link href="http://keyboardcowboy.ca/feed" rel="self" type="application/rss+xml" />
	<link>http://keyboardcowboy.ca</link>
	<description>More and-or less confused after tomorrow</description>
	<lastBuildDate>Mon, 26 Jul 2010 18:43:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Brilliants Exploits &#8211; My talk at The Next HOPE</title>
		<link>http://keyboardcowboy.ca/archives/657</link>
		<comments>http://keyboardcowboy.ca/archives/657#comments</comments>
		<pubDate>Sat, 24 Jul 2010 23:08:33 +0000</pubDate>
		<dc:creator>afreak</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Travels]]></category>
		<category><![CDATA[conferences]]></category>
		<category><![CDATA[defcon]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[new york city]]></category>
		<category><![CDATA[nintendo world]]></category>
		<category><![CDATA[the next hope]]></category>
		<category><![CDATA[times square]]></category>
		<category><![CDATA[toorcon]]></category>
		<category><![CDATA[trips]]></category>

		<guid isPermaLink="false">http://keyboardcowboy.ca/?p=657</guid>
		<description><![CDATA[I got back from New York just a few days ago after having attended The Next HOPE and paid a visit to the city, and finally got around to uploading it to a few people and then to an online video service--with that said, YouTube sucks for not allowing videos longer than ten minutes. The [...]]]></description>
			<content:encoded><![CDATA[<p>I got back from New York just a few days ago after having attended <a href="http://thenexthope.org">The Next HOPE</a> and paid a visit to the city, and finally got around to uploading it to a few people and then to an online video service--with that said, YouTube sucks for not allowing videos longer than ten minutes.</p>
<div align="middle">
<div style="background:#000000;width:440px;height:272px"><embed flashVars="playerVars=showStats=yes|autoPlay=no|videoTitle=The Next HOPE (2010) - Brilliants Exploits" src="http://www.metacafe.com/fplayer/4959544/the_next_hope_2010_brilliants_exploits.swf" width="440" height="272" wmode="transparent" allowFullScreen="true" allowScriptAccess="always" name="Metacafe_4959544" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash"></embed></div>
<div style="font-size:12px;"><a href="http://www.metacafe.com/watch/4959544/the_next_hope_2010_brilliants_exploits/">The Next HOPE (2010) - Brilliants Exploits</a></div>
</div>
<p>You can grab a torrent of the talk via <a href="http://hattorrents.com/">Hat Torrents</a> by clicking <a href="http://hattorrents.com/torrents/The%20Next%20HOPE%20%282010%29%20-%20Brilliants%20Exploits%20-%20A%20Look%20at%20the%20Vancouver%202010%20Olympics.mp4.torrent">here</a>.</p>
<p>Overall, I thought that the talk went fine and the reception was rather positive. I got to meet a few people after the talk who were around for other Olympic years and it seems that a lot of what I came across were repeat mistakes from other events. I do plan to speak at other conferences about an upcoming project that I will be working on with a few other people.</p>
<p>There were a number of mistakes and errors that I made during this talk and I also found that I had trailed off from the notes I had prepared too. However, if you guys want a copy of the slides, you may download them as a <a href="/dload/hope_presentation.pdf">PDF</a> (6.8 MB).<br />
<span id="more-657"></span></p>
<p>Here are a few snapshots from the conference and my trip over all.</p>
<div align="middle"><img src="/images/blog/nyc/01.jpg" /><br />After my flight, I spent an hour across from the hotel watching the taxis drive by. Strangely, I spent a bit of the time also trying to stop my phone from rebooting while it was on AT&#038;T's UMTS network. Stopped doing it once I switched to T-Mobile.<br />&nbsp;</div>
<div align="middle"><img src="/images/blog/nyc/02.jpg" /><br />A classic computing club from the Northeast United States had a demonstration table that included a series of pretty neat and interesting computers.<br />&nbsp;</div>
<div align="middle"><img src="/images/blog/nyc/03.jpg" /><br />One of the computers was a functional Apollo programme guidance computer.<br />&nbsp;</div>
<div align="middle"><img src="/images/blog/nyc/04.jpg" /><br />Yeah right.<br />&nbsp;</div>
<div align="middle"><img src="/images/blog/nyc/05.jpg" /><br />Da Beave of <a href="http://telephreak.org">Telephreak</a> and notkevin of <a href="http://2600.com">2600</a> giving a presentation on PSTNs.<br />&nbsp;</div>
<div align="middle"><img src="/images/blog/nyc/06.jpg" /><br />aydiosmio of <a href="http://cravediy.com">Crave DIY</a> and <a href="http://ratman.org">rodent</a> in the Hackerspaces Village.<br />&nbsp;</div>
<div align="middle"><img src="/images/blog/nyc/07.jpg" /><br />The most badass corner of New York City I say.<br />&nbsp;</div>
<div align="middle"><img src="/images/blog/nyc/08.jpg" /><br />I knew that they made the DS larger, but I didn't expect it to be THIS large.<br />&nbsp;</div>
<div align="middle"><img src="/images/blog/nyc/09.jpg" /><br />Part of the "museum" display at Nintendo World.<br />&nbsp;</div>
<div align="middle"><img src="/images/blog/nyc/10.jpg" /><br />A view from the very top of the Empire State Building. $35 to ride an elevator? Ugh.<br />&nbsp;</div>
<div align="middle"><img src="/images/blog/nyc/11.jpg" /><br />Times Square is both awe-inspiring and downright disgusting.<br />&nbsp;</div>
<p>It is up in the air if I will be going to HOPE in 2012 as the conference is in jeopardy due to the hotel's possible destruction and the fact that I am likely having my wedding that summer. With that said, I should be attending Toorcon in Seattle next spring and then DEFCON in Las Vegas in the summer.</p>
]]></content:encoded>
			<wfw:commentRss>http://keyboardcowboy.ca/archives/657/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Speaking at The Next HOPE</title>
		<link>http://keyboardcowboy.ca/archives/653</link>
		<comments>http://keyboardcowboy.ca/archives/653#comments</comments>
		<pubDate>Sun, 04 Jul 2010 22:17:26 +0000</pubDate>
		<dc:creator>afreak</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://keyboardcowboy.ca/?p=653</guid>
		<description><![CDATA[I will be presenting an observation of the 2010 Winter Olympics at the upcoming Hackers on Planet Earth (HOPE) conference in New York City on Friday, July 16th. As per the abstract: "Brilliants Exploits" - A Look at the Vancouver 2010 Olympics With the 2010 Winter Olympics having come and gone, it's not too late [...]]]></description>
			<content:encoded><![CDATA[<p><img src="/images/blog/tnh.png" align="right" />I will be presenting an observation of the 2010 Winter Olympics at the upcoming <a href="http://thenexthope.org/">Hackers on Planet Earth (HOPE)</a> conference in New York City on Friday, July 16th.</p>
<p>As per the <a href="http://www.thenexthope.org/grid/">abstract</a>:</p>
<blockquote><p><strong>"Brilliants Exploits" - A Look at the Vancouver 2010 Olympics</strong><br />
With the 2010 Winter Olympics having come and gone, it's not too late to look back at what an event it was. From a technology standpoint, CCTV cameras and ticket sales will be looked at, and from a social standpoint, matters involving intellectual property as well as the police will be examined.</p></blockquote>
<p>A few of us did some research on the CCTV camera network prior to the Olympics and I am also giving an overview of the flaws in the ticket system that was used.</p>
<p>You'll find my presentation on the Lovelace track on Friday at 17:00h. A copy of the presentation will be posted here once I return to Vancouver.</p>
]]></content:encoded>
			<wfw:commentRss>http://keyboardcowboy.ca/archives/653/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>AM I HACKER-PROOF?!?!?!? LIGATT says I am not!</title>
		<link>http://keyboardcowboy.ca/archives/637</link>
		<comments>http://keyboardcowboy.ca/archives/637#comments</comments>
		<pubDate>Fri, 25 Jun 2010 04:43:55 +0000</pubDate>
		<dc:creator>afreak</dc:creator>
				<category><![CDATA[Idiocy]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[charlatans]]></category>
		<category><![CDATA[dumbasses]]></category>
		<category><![CDATA[ex-felons]]></category>
		<category><![CDATA[greg evans]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[ligatt]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://keyboardcowboy.ca/?p=637</guid>
		<description><![CDATA[Before I start, why the fuck is "LIGATT" all in capital letters and if it is not an acronym, what does it mean? If it is not either, then I guess that Mr. Evans grabbed a few tiles from the Scrabble bag and came up with this horrible name. On LIGATT and the scan itself [...]]]></description>
			<content:encoded><![CDATA[<p>Before I start, why the fuck is "LIGATT" all in capital letters and if it is not an acronym, what does it mean? If it is not either, then I guess that Mr. Evans grabbed a few tiles from the Scrabble bag and came up with this horrible name.</p>
<h3>On LIGATT and the scan itself</h3>
<p>Anyway, I am sure that you have <a href="http://attrition.org/errata/charlatan/gregory_evans/">read the news</a> on <a href="http://www.ligattsecurity.com">LIGATT</a>, so I will spare you the background. If you haven't heard of Gregory Evans, World's Number-One Hacker, read up on the links provided and I am certain that you'll begin to wonder how <a href="http://www.theregister.co.uk/2010/06/22/worlds_no_1_hacker/">Kevin Mitnick's so-called "overwing"</a> could fathom the concept of the firm.</p>
<p><img src="/images/blog/hackerproof.png" align="right" />Moving along, we are graced with an excellent photo of a yelling black man screaming, "am I hacker proof?" Needless to say, this is a question I scream at my boss every morning as I walk in. He doesn't speak to me much and doesn't invite me to team meetings anymore. Oh well. </p>
<p>I decided that since LIGNAT was offering <a href="http://www.ligattsecurity.com/amihackerproof/portsnitch_send_info.php">the service</a> that I'd take advantage of the free offer and see if I was as safe as I thought I was. <a href="/images/blog/ligatt_scan.jpg">Boy was I ever wrong</a> and it has since caused me to place an extra seven layers of aluminium foil on my head.</p>
<p>According to LUGNUT's scan, the following were found thanks to my information and the scan itself!</p>
<ul>
<li>327 web results</li>
<li>12 local results</li>
<li>164 video results</li>
<li>8 books results</li>
<li>208 blogs results</li>
<li>133 news results</li>
<li>16 images results</li>
</ul>
<p>I am glad to know that there are books on Horatio out there.</p>
<h3>What did it find besides books?</h3>
<p>The results were that it found three vulnerabilities--them being open ports--on the host I connected from. However, it seems that LAGNAT is only doing a basic <a href="http://nmap.org/">NMap</a> scan. The scan appears to perform a broad port sweep and interprets any open port as a vulnerability.</p>
<div align="middle"><img src="/images/blog/ligatt_scan2.jpg"/><br /><small>One of the many 'attempts' to bypass my gateway.</small></div>
<p>I didn't bother to monitor all activity, but I did at least log to determine what was going on. In particular, Apache and SSH were targeted by LEGNUT's scans.</p>
<blockquote><p>97.74.195.39 - - [21/Jun/2010:19:49:10 -0700] "GET %2F%2Fetc%2Fpasswd<br />
HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine;<br />
http://nmap.org/book/nse.html)"</p></blockquote>
<p>The above just repeats in similar fashion over and over again. It doesn't seem to make much of an emphasis on Apache bugs but rather at potential chroot escapes. With regards to SSH, it makes two attempts at exploiting two old bugs but nothing more than that.</p>
<p>Besides SSH and HTTP, it scans for typical TCP/UDP ports such as FTP, mail services, Windows services, et cetera--nothing fancy really. Basically, for $30 USD, LEGNUO will do what I will likely do for free if you ask me privately. There are also other services out there that will do the same for cheap or free.</p>
<h3>The hosting provider he uses isn't really meant for such scans</h3>
<p>To make matters more interesting, LUGJUG runs all of this off of a GoDaddy-provided server.</p>
<blockquote><p>ckeigher@antares:~$ whois 97.74.195.39</p>
<p>[...]</p>
<p>NetRange:   97.74.0.0 - 97.74.255.255<br />
CIDR:       97.74.0.0/16<br />
OriginAS:   AS26496<br />
NetName:    GO-DADDY-SOFTWARE-INC<br />
NetHandle:  NET-97-74-0-0-1<br />
Parent:     NET-97-0-0-0-0<br />
NetType:    Direct Allocation<br />
NameServer: CNS1.SECURESERVER.NET<br />
NameServer: CNS2.SECURESERVER.NET<br />
NameServer: CNS3.SECURESERVER.NET<br />
Comment:    Please send abuse complaints to abuse@godaddy.com<br />
RegDate:    2008-08-14<br />
Updated:    2008-08-14</p></blockquote>
<p>The scan happens to violate the <a href="http://www.godaddy.com/agreements/ShowDoc.aspx?pageid=HOSTING_SA">AUP</a> provided by GoDaddy themselves.</p>
<blockquote><p><em><strong>2. YOUR OBLIGATIONS</strong></p>
<p>[...]</p>
<p>vi. interfere, disrupt or attempt to gain unauthorized access to any computer system, server, network or account for which You do not have authorization to access or at a level exceeding Your authorization;</p>
<p>vii. disseminate or transmit any virus, trojan horse or other malicious, harmful or disabling data, work, code or program;</p>
<p>viii. engage in any other activity deemed by Go Daddy to be in conflict with the spirit or intent of this Agreement or any Go Daddy policy; or</em></p></blockquote>
<p>Before you initiate a scan, if you were to do this as a regular user, you'd be unlikely to understand what ports are, and therefore the service would be violating the AUP. However, seeing GoDaddy's track record for enforcing their own policies and their focus instead on selling domains to dumbasses (such as Mr. Evans), I doubt that we'll see any action towards this practice.</p>
<h3>Playing around</h3>
<p>While feeding it some junk data, I did manage to get it to give me the following error:</p>
<blockquote><p> Warning: Invalid argument supplied for foreach() in<br />
/home/ligattsecuritycom/public_html/amihackerproof/check_this_scan_status_quick.php<br />
on line 624</p></blockquote>
<p>Going directly to the <a href="http://www.ligattsecurity.com/amihackerproof/check_this_scan_status_quick.php">mentioned file</a> gives the following:</p>
<blockquote><p>Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/ligattsecuritycom/public_html/amihackerproof/check_this_scan_status_quick.php on line 6<br />
Error occured</p></blockquote>
<p>That first error was achieved when I changed the IP fed by the form to 127.0.0.1. It still scanned my host when I attempted this, but it seems to have broken something else. The end results returned were no different and it still scanned my host once more.</p>
<p>Overall, LIGGGGGGGGGGGGGORT is being quite the charlatan.</p>
]]></content:encoded>
			<wfw:commentRss>http://keyboardcowboy.ca/archives/637/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hootsuite and their Ill-regard for their URL Shortener Service</title>
		<link>http://keyboardcowboy.ca/archives/617</link>
		<comments>http://keyboardcowboy.ca/archives/617#comments</comments>
		<pubDate>Fri, 11 Jun 2010 02:46:14 +0000</pubDate>
		<dc:creator>afreak</dc:creator>
				<category><![CDATA[Idiocy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[hootsuite]]></category>
		<category><![CDATA[ht.ly]]></category>
		<category><![CDATA[ow.ly]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[url shortener]]></category>

		<guid isPermaLink="false">http://keyboardcowboy.ca/?p=617</guid>
		<description><![CDATA[Being that Twitter is being used more and more by corporations and non-profits, it's no surprise that Twitter clients like Hootsuite have made inroads in making social networking more accessible. Many clients of Hootsuite's services include Disney, Fox, The Economist, and Dell. With the company behind the client being local to my neck of the [...]]]></description>
			<content:encoded><![CDATA[<p>Being that Twitter is being used more and more by corporations and non-profits, it's no surprise that Twitter clients like <a href="http://hootsuite.com">Hootsuite</a> have made inroads in making social networking more accessible. Many clients of Hootsuite's services include Disney, Fox, The Economist, and Dell.<br />
<span id="more-617"></span></p>
<p>With the company behind the client being local to my neck of the woods, I have found myself quite upset with how they've handled security with their URL shortening services.</p>
<h3>A Very Brief Introduction</h3>
<p>Because I don't care to elaborate too much about what Hootsuite does as a client, I won't include it as a part of the discussion. However, I'll bring up what sort of tracking capabilities Hootsuite offers:</p>
<ul>
<li>Track statistics</li>
<li>Work with other social networks such as Facebook, Ping.fm, and LinkedIn</li>
<li>Let multiple users manage a single Twitter account</li>
</ul>
<h3>The Shorteners Themselves</h3>
<p>In combination with the Hootsuite software, they offer two URL shorteners known as <a href="http://ht.ly">ht.ly</a> and <a href="http://ow.ly">ow.ly</a>. The difference between the two shorteners is quite obvious: one just redirects you, the other places the shortened URL in a separate frame.</p>
<p>Now, how does that sound to you? The ht.ly URL shortener obfuscates the URL by putting the desired page in an environment where the user cannot confirm whether or not the site is valid, let alone secure. This is highly irresponsible, and the responses by Hootsuite themselves are just staggering, as you'll find.</p>
<h3>A Simple Example</h3>
<p>Here's the problem simply put:</p>
<div align="middle"><img src="/images/blog/hs_ex1.jpg" /></div>
<p>As you can see, the URL bar shows the URL provided by ht.ly, there is a bar taking over the top, and the actual URL is placed in the title tags. If you want to see the example, you can go <a href="http://ht.ly/1VWKD">here</a> (it will be up as long as Hootsuite keeps it there) and you'll be presented with a castrated Facebook login page. I wouldn't try to login as I didn't make much effort to cleanse the page.</p>
<p>Someone reading this article is unlikely to enter their credentials blindly, but for the average user, and considering that day by day Twitter is getting more popular, this is indeed a problem, and Hootsuite doesn't seem to mind, care, and/or comprehend.</p>
<h3>Hootsuite's Response</h3>
<p>I made tweets concerning this towards Hootsuite's own staff, and got some pretty interesting responses. Here's the dialogue:</p>
<blockquote><p><strong>Me:</strong> @Hootsuite http://ht.ly/1VWKD This is why your masq. is a problem. Why must you have this bar for other than market research purposes? (<a href="https://twitter.com/afreak/status/15753985475">8:20 PM Jun 8th</a>)</p>
<p><strong>Me:</strong> @Hootsuite_Help http://ht.ly/1VWKD What do you think is wrong with this picture? Your bar must exist for marketing reasons and nothing but. (<a href="https://twitter.com/afreak/status/15757242807">9:10 PM Jun 8th</a>)</p>
<p><strong>HS (Chris Trottier, Ambassador of Happiness):</strong> @afreak Hootsuite also offers ow.ly which does clean redirects and does not have a bar. ^CT (<a href="https://twitter.com/Hootsuite_Help/status/15793195420">Wed Jun 09 2010 11:09:41</a>)</p>
<p><strong>Me:</strong> @Hootsuite_Help You are missing the point. ht.ly has the bar, which is ripe for abuse from phishers. Nobody can trust the ht.ly shortener. (<a href="https://twitter.com/afreak/status/15795913023">12:03 PM Jun 9th</a>)</p>
<p><strong>HS:</strong> @afreak Since you can only use ht.ly if you have a Hootsuite account, we have been very proactive in identifying potential abuse. ^CT (<a href="https://twitter.com/Hootsuite_Help/status/15796118220">Wed Jun 09 2010 12:08:02</a>)</p>
<p><strong>Me:</strong> @Hootsuite_Help I didn't create a Hootsuite account to do this. (<a href="https://twitter.com/afreak/status/15796179459">12:09 PM Jun 9th</a>)</p>
<p><strong>Me:</strong> @Hootsuite_Help I simply went to ht.ly, pasted the URL, and it gave me a ht.ly shortened URL. Do you guys even know your own product? (<a href="https://twitter.com/afreak/status/15796222701">12:10 PM Jun 9th</a>)</p>
<p><strong>HS:</strong> @afreak Thank you for calling our attention to that. There should have been a base level redirect. We'll make appropriate changes. ^CT (<a href="https://twitter.com/Hootsuite_Help/status/15796824405">Wed Jun 09 2010 12:22:42</a>)</p></blockquote>
<p>Now, before I start, why the hell would you call one of your employees the "Ambassador of Happiness"? I understand this is a Web 2.0 start-up, but give me a break. "Community Wrangler" is a weird title, but it sounds a bit more respectable. As a friend of mine said, it sounds straight out of 1984.</p>
<p>Why does Hootsuite's staff act so seemingly inept when it comes to both their product and security? Do they not understand the concept of phishing or the idea that perhaps their products should have some sort of element of security around it other than a password? Of course, it comes down to user responsibility when clicking on any link shortened or not, but at the same time you cannot expect that your product will be used for good intentions all the time.</p>
<p>To add to it, if they're so proactive about abuse, how come I can still create the URLs with the ht.ly service a day and a half later, even though I am not supposed to?</p>
<h3>Ht.ly and Ow.ly are the Same</h3>
<p>If you create a shortened URL with ow.ly, it's interchangeable with ht.ly and vice versa. The creation once again doesn't require the user to be logged into the Hootsuite service or via the Twitter API service. It's just a matter of replacing the hostname and that's it.</p>
<h3>Closing Remarks</h3>
<p>Hootsuite needs to wise up and fix this problem. The bar is unnecessary, and if it is necessary, what purpose does it serve? The only logical conclusion that I can come to is that it's to keep further track of browsing activities once the user has navigated away from the initial referred URL.</p>
<p>Do us a favour, Hootsuite developers, and fix this problem and stop setting yourselves up for embarrassment. The rest of us in Vancouver don't want to look like idiots because you naively believe that nobody will use the service at some point to attack someone. You are vulnerable and you have so far failed to acknowledge that.</p>
]]></content:encoded>
			<wfw:commentRss>http://keyboardcowboy.ca/archives/617/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why does the Wii show key presses?</title>
		<link>http://keyboardcowboy.ca/archives/610</link>
		<comments>http://keyboardcowboy.ca/archives/610#comments</comments>
		<pubDate>Tue, 08 Jun 2010 19:00:27 +0000</pubDate>
		<dc:creator>afreak</dc:creator>
				<category><![CDATA[Gaming]]></category>
		<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[opera]]></category>
		<category><![CDATA[shoulder check]]></category>
		<category><![CDATA[wii]]></category>

		<guid isPermaLink="false">http://keyboardcowboy.ca/?p=610</guid>
		<description><![CDATA[A USB keyboard attached to the Wii should never display key presses on the on-screen keyboard especially when a password input is at play. Now, I know that the console isn't designed with user security in mind, but some common sense should prevail. Skip ahead by a minute to get through me launching the Wii, [...]]]></description>
			<content:encoded><![CDATA[<div align="middle"><object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/Pl7jNJw-XNQ&#038;hl=en_US&#038;fs=1&#038;"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/Pl7jNJw-XNQ&#038;start=98&#038;hl=en_US&#038;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object></div>
<p>A USB keyboard attached to the Wii should never display key presses on the on-screen keyboard, especially when a password input is at play. Now, I know that the console isn't designed with user security in mind, but some common sense should prevail.</p>
<p>Skip ahead by a minute to get through me launching the Wii, browser, et cetera.</p>
<p>Bonus points if you can figure out what I typed in as password.</p>
]]></content:encoded>
			<wfw:commentRss>http://keyboardcowboy.ca/archives/610/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Not dead!</title>
		<link>http://keyboardcowboy.ca/archives/607</link>
		<comments>http://keyboardcowboy.ca/archives/607#comments</comments>
		<pubDate>Sun, 30 May 2010 19:58:56 +0000</pubDate>
		<dc:creator>afreak</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[etc]]></category>
		<category><![CDATA[not dead yet]]></category>

		<guid isPermaLink="false">http://keyboardcowboy.ca/2010/05/not-dead/</guid>
		<description><![CDATA[I know that I haven't updated this recently. With a talk at The Next HOPE, moving both physically and virtually, and trying to get other tasks out of the way, this site has sort of become neglected. Good things are coming soon!]]></description>
			<content:encoded><![CDATA[<p>I know that I haven't updated this recently. With a talk at The Next HOPE, moving both physically and virtually, and trying to get other tasks out of the way, this site has sort of become neglected.</p>
<p>Good things are coming soon!</p>
]]></content:encoded>
			<wfw:commentRss>http://keyboardcowboy.ca/archives/607/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who&#8217;s letting me become ssladmin?</title>
		<link>http://keyboardcowboy.ca/archives/558</link>
		<comments>http://keyboardcowboy.ca/archives/558#comments</comments>
		<pubDate>Sat, 17 Apr 2010 17:14:52 +0000</pubDate>
		<dc:creator>afreak</dc:creator>
				<category><![CDATA[E-mails]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[certificate authority]]></category>
		<category><![CDATA[excite]]></category>
		<category><![CDATA[inbox.com]]></category>
		<category><![CDATA[lavabit]]></category>
		<category><![CDATA[mail.ru]]></category>
		<category><![CDATA[mail2world]]></category>
		<category><![CDATA[nokia]]></category>
		<category><![CDATA[ovi]]></category>
		<category><![CDATA[ssl]]></category>
		<category><![CDATA[ssladmin]]></category>
		<category><![CDATA[webmail]]></category>

		<guid isPermaLink="false">http://keyboardcowboy.ca/?p=558</guid>
		<description><![CDATA[Slashdotters! - Hi there! Apparently I am a "security expert". Way too much credit to me! I am just an enthusiast more than anything else. Anyway, thanks for coming! With news that it is rather ridiculously simple to mimic authority with many webmail providers in order to coax an SSL certificate authority (CA) into creating [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>Slashdotters!</strong> - Hi there! Apparently I am a "security expert". Way too much credit to me! I am just an enthusiast more than anything else. Anyway, thanks for coming!</em></p>
<p>With news that it is rather ridiculously simple to mimic authority with many webmail providers in order to coax an SSL certificate authority (CA) into creating one for the domain, I decided to take it upon myself to see who out there is actually vulnerable and provide information to the public on how prevalent this issue is as we speak.</p>
<p>Out of eleven webmail services chosen at random and without prejudice, just under half of them permitted me to register with credentials (ssladmin) that allowed me to create an SSL certificate in their name. In most of these cases, there was a pre-existing, legitimately-acquired certificate.</p>
<p>All of them were contacted prior to this blog entry being posted. Out of the five that I contacted, one responded to me directly and informed me that the issue was being addressed, another one had a ticket filed but has not followed up nor closed the account, one had my account banned outright, and the rest did not comment. I was successful in registering a new account for a CA service for one of the providers, but did not complete the request and didn't bother for the rest of them.</p>
<p><span id="more-558"></span></p>
<h3>Backstory</h3>
<p>News of the issue <a href="http://www.linux-magazine.com/w3/issue/114/054-055_kurt.pdf">came out late last month</a> that it was "trivially easy" to register certificates for webmail services. Typically, you'll see accounts such as "administrator", "postmaster", and "root" barred from registering, as either they'll already exist or they'll have been included in some sort of blacklist.</p>
<p>Many CAs will issue certificates to a list of pre-existing e-mail accounts typically containing the administrator, postmaster, and root accounts, but also including ssladmin. Because of this irresponsible method, you have the situation that we have here.</p>
<p>With all of that said, it's a bit muddled on who is exactly at fault, but I will elaborate on this a bit later.</p>
<h3>Offending services</h3>
<p>As I had said earlier, I chose at random and without prejudice eleven free webmail services. Let's just cut to the chase and list off the services I attempted to register ssladmin with:</p>
<table border="0" align="right">
<tr>
<td>
<p align="middle"><small><img src="/images/blog/ssladmin_mail2world.jpg" /><br />Mail2World lets me register!</small></p>
<p align="middle"><img src="/images/blog/ssladmin_mailcom.jpg" /><br /><small>Mail.com does not.</small></p>
</td>
</tr>
</table>
<p><u>Sites that let me register</u></p>
<ul>
<li><a href="http://www.inbox.com/">Inbox.com</a></li>
<li><a href="http://www.excite.com/">Excite</a></li>
<li><a href="http://lavabit.com/">Lavabit</a></li>
<li><a href="http://www.mail2world.com/">Mail2World</a></li>
<li><a href="http://www.ovi.com/">Ovi</a> (Nokia)</li>
</ul>
<p><u>Sites that won't let me</u></p>
<ul>
<li><a href="http://www.aol.com/">AOL Mail</a></li>
<li><a href="http://www.hushmail.com/">Hushmail</a> (says it is forbidden)</li>
<li><a href="http://mail.com">Mail.com</a> (same as above)</li>
<li><a href="http://mail.ru">Mail.ru</a> (says it exists already)</li>
<li><a href="http://www.me.com">MobileMe</a></li>
<li><a href="http://hotmail.com">Windows Live Hotmail</a></li>
<li><a href="http://mail.yahoo.com/">Yahoo!</a></li>
</ul>
<p><br clear="all" /></p>
<p>I would also like to point out that with Inbox.com, in order to register and use my account, I had to install some horrid, pointless, useless toolbar. It refused to permit me to log into the service without it being installed. I'd hate to imagine what the toolbar does outside of Inbox.com.</p>
<h3>Why is this a problem?</h3>
<p>The simple summary: man in the middle.</p>
<p>The not-so-simple situation: it takes a bit to pull off.</p>
<p>The easiest example I can make of how one can take advantage of this is with Nokia's <a href="http://www.ovi.com/services/">Ovi</a> service. Ovi is not only an e-mail service, but it also provides software updates, access to an application store, picture sharing, maps, and music. It can also provide access to personal data such as your contacts and files.</p>
<div align="middle"><img src="/images/blog/ssladmin_nokia.jpg" /></div>
<p>Being that Ovi is accessible from a wireless LAN, one could theoretically place an access point at a strategic point (such as a coffee shop) and wait for a Nokia user to check into their Ovi service. If the access point is set up to intercept traffic going to Ovi and the victim's phone connects via the wireless LAN, it could be set up with a certificate that is completely valid by the phone's standards. Once that is done, whatever else happens is up to the attacker.</p>
<p>While this may seem minor, this same problem could be pulled off via an ISP that allows self-registration of e-mail addresses. Seemingly trustworthy websites could end up becoming subject to attacks that otherwise would not be easily doable without severely compromising existing accounts.</p>
<h3>Demonstration</h3>
<p>Being that it was the Easter long weekend, I decided to register all accounts using the name "Jesus Christ"--this includes the Certcom certificate that I am about to demonstrate.</p>
<p>Since Inbox.com was the first and only one that I bothered to try and make an SSL certificate for, here are two screenshots demonstrating the problem at hand.</p>
<div align="middle">
<p><img src="/images/blog/blog_ssladmin_inboxcom_1.jpg" /></p>
</div>
<p>As you can see above, this is a normal account that was registered using normal means just like every other service.</p>
<div align="middle">
<p><img src="/images/blog/blog_ssladmin_inboxcom_2.jpg" /></p>
</div>
<p>And here's my SSL CA account registration. This is prior to providing a certificate signing request that I could have easily done on my own without using any webmail service's servers.</p>
<p>You'll also notice in the second screenshot that HTTPS is not in use, even though Inbox.com does have a valid certificate provided by Thawte.</p>
<div align="middle"><img src="/images/blog/ssladmin_hushmail.jpg" /></div>
<p>This is what you should see when you attempt to register. It's funny how Hushmail here gave me alternatives but none of them worked anyway.</p>
<h3>Aftermath</h3>
<p>I contacted almost all of the noted offending webmail providers with a basic form letter explaining my method and suggested that they repair the problem immediately. The form letter was sent to each provider's postmaster and abuse accounts with a deadline of April 17th before this would be made fully public.</p>
<p>However, as I was able to pull off a Certcom registration with Inbox.com, I immediately filed a ticket telling them to close the account. They did so without any response to my alternative e-mail address and for whatever reason, Certcom had decided to block my home Internet connection.</p>
<div align="middle">
<p><img src="/images/blog/blog_ssladmin_inboxcom_ticket.jpg" /><br /><small>This ticket was filed out of pure frustration, so it seems a bit terse and short.</small></p>
</div>
<p>Nokia's Ovi.com service still permits me to log in. I did make an attempt to register a FreeSSL certificate for the site, but nothing came of it.</p>
<div align="middle"><img src="/images/blog/ssladmin_excite.jpg" /></div>
<p>Excite's customer support auto-responded no more than ten minutes after I had sent the message with the incident number 100407-000013. The account is still active as we speak.</p>
<div align="middle"><img src="/images/blog/ssladmin_lavabit.jpg" /></div>
<p>Lavabit responded to me first within a half-hour of my message being sent. They have addressed the issue. Honestly, these guys were most on the ball.</p>
<p>Mail2World has yet to respond.</p>
<h3>Conclusion</h3>
<p>The simplest solution using pre-existing infrastructure is to force CAs to send validation e-mails only to contacts listed in the WHOIS record. Provided that the record is valid and complete, this provides a much more secure method of registering and renewing certificates.</p>
<p>Beyond that, it may also be time to scrap CAs altogether and adopt solutions such as <a href="http://dnssec.net/">DNSSEC</a>. Given that becoming a trusted authority is rather trivial and that it increasingly appears the whole SSL CA system is littered with holes, an alternative is needed to take care of potential eavesdropping and certificate hijacking. DNSSEC is not the complete solution, but it is definitely a part of the direction.</p>
<p>The fault in all of this doesn't reside completely with the webmail providers, but really with the CAs. With that said, those allowing customers to register e-mail accounts without proper and reasonable filtering need to be aware of the potential for abuse. A simple review of what is and is not allowed as a name would do a lot of good.</p>
]]></content:encoded>
			<wfw:commentRss>http://keyboardcowboy.ca/archives/558/feed</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Cheap and easy Bluetooth speaker phone for your car!</title>
		<link>http://keyboardcowboy.ca/archives/580</link>
		<comments>http://keyboardcowboy.ca/archives/580#comments</comments>
		<pubDate>Wed, 14 Apr 2010 03:23:34 +0000</pubDate>
		<dc:creator>afreak</dc:creator>
				<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Projects]]></category>
		<category><![CDATA[bluetooth]]></category>
		<category><![CDATA[car]]></category>
		<category><![CDATA[speakerphone]]></category>

		<guid isPermaLink="false">http://keyboardcowboy.ca/?p=580</guid>
		<description><![CDATA[This is out of the norm for what I have been posting lately, but someone had shared this ingenious idea for a cheap "hack". If you're lucky enough to have an auxiliary input on your car stereo, you can easily pull off a simple Bluetooth-based speaker phone system for your car. Items needed: Bluetooth [...]]]></description>
			<content:encoded><![CDATA[<p>This is out of the norm for what I have been posting lately, but someone had shared this ingenious idea for a cheap "hack".</p>
<p>If you're lucky enough to have an auxiliary input on your car stereo, you can easily pull off a simple Bluetooth-based speaker phone system for your car.</p>
<p>Items needed:</p>
<ul>
<li>Bluetooth adapter with headphone output - <a href="http://www.dealextreme.com/details.dx/sku.8422">Deal Extreme</a> $12.99 USD</li>
<li>3.5 mm headphone cable appropriate for input into your car stereo</li>
</ul>
<p>Once it arrives, you can set it up as follows!</p>
<div align="middle"><img src="/images/blog/car_speakerphone_1.jpg" /><br />
&nbsp;<br />
<img src="/images/blog/car_speakerphone_2.jpg" /></div>
<p>The call quality is excellent and doesn't need much amplification on my end. To make things even sweeter, there is no echo even at conversation levels for the receiving end.</p>
<p>I added some Velcro to the setup and it works great!</p>
]]></content:encoded>
			<wfw:commentRss>http://keyboardcowboy.ca/archives/580/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Major large courier with an arrow in its logo versus an HP server</title>
		<link>http://keyboardcowboy.ca/archives/577</link>
		<comments>http://keyboardcowboy.ca/archives/577#comments</comments>
		<pubDate>Sat, 10 Apr 2010 17:18:14 +0000</pubDate>
		<dc:creator>afreak</dc:creator>
				<category><![CDATA[Rants]]></category>
		<category><![CDATA[server]]></category>
		<category><![CDATA[shipping]]></category>

		<guid isPermaLink="false">http://keyboardcowboy.ca/?p=577</guid>
		<description><![CDATA[Back in February, a server came into our office from a client in the United States. I think that the images speak for themselves, but the damage was severe enough that the system wouldn't boot let alone turn on its fans. After the insurance was taken care of and the server was brought back to [...]]]></description>
			<content:encoded><![CDATA[<div align="middle"><img src="/images/blog/bentserver/image002.jpg" /></div>
<p>Back in February, a server came into our office from a client in the United States. I think that the images speak for themselves, but the damage was severe enough that the system wouldn't boot let alone turn on its fans. After the insurance was taken care of and the server was brought back to us from the United States even though they were told to ship it to us, I managed to successfully rescue the array--slowly.</p>
<p>More photos included in this post.</p>
<p><span id="more-577"></span></p>
<div align="middle"><img src="/images/blog/bentserver/image003.jpg" /></div>
<p>&nbsp;</p>
<div align="middle"><img src="/images/blog/bentserver/image004.jpg" /></div>
<p>When they sent it back from the insurance adjuster, this is how it came:</p>
<div align="middle"><img src="/images/blog/bentserver/image005.jpg" /></div>
<p>&nbsp;</p>
<div align="middle"><img src="/images/blog/bentserver/image006.jpg" /></div>
<p>&nbsp;</p>
<div align="middle"><img src="/images/blog/bentserver/image007.jpg" /></div>
<p>&nbsp;</p>
<div align="middle"><img src="/images/blog/bentserver/image001.jpg" /></div>
<p>I guess that the first time around, they shipped an elephant on top of this server and then on the second round, they just didn't care. I am not sure how the packing peanuts got inside, but ah well.</p>
]]></content:encoded>
			<wfw:commentRss>http://keyboardcowboy.ca/archives/577/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sony giveth and taketh with the Playstation 3</title>
		<link>http://keyboardcowboy.ca/archives/546</link>
		<comments>http://keyboardcowboy.ca/archives/546#comments</comments>
		<pubDate>Fri, 02 Apr 2010 17:20:02 +0000</pubDate>
		<dc:creator>afreak</dc:creator>
				<category><![CDATA[Gaming]]></category>
		<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[bushing]]></category>
		<category><![CDATA[geohot]]></category>
		<category><![CDATA[hackmii]]></category>
		<category><![CDATA[piracy]]></category>
		<category><![CDATA[playstation 3]]></category>
		<category><![CDATA[ps3]]></category>
		<category><![CDATA[sony]]></category>
		<category><![CDATA[sony computer entertainment]]></category>

		<guid isPermaLink="false">http://keyboardcowboy.ca/?p=546</guid>
		<description><![CDATA[Back on a cold and rather hung-over Boxing Day last year (or December 26th for Americans), I got in line at a Future Shop not far from my office to get my hands on a Playstation 3. For $300, I got the console with three games and the capability to run Linux--it was the last [...]]]></description>
			<content:encoded><![CDATA[<p><img src="/images/blog/ps3_linux.jpg" align="right" />Back on a cold and rather hung-over Boxing Day last year (or December 26th for Americans), I got in line at a Future Shop not far from my office to get my hands on a Playstation 3. For $300, I got the console with three games and the capability to run Linux--it was the last model that would be capable of doing so, as all other models were the slim version and had the feature removed. Soon after, I installed Linux and made it capable of playing other, non-PS3 games; and it was excellent.</p>
<p>I was a good little boy to Sony as I had bought several games on top of the three I had already received and also bought two old PS1 games from the Playstation Network Store. However, Sony has now decided that I should make a choice: continue to use the online features such as the store or the PSN friends list and block my access to my Linux install; or I can forget online abilities and keep on using my Linux install. Didn't I purchase the device to do both?<br />
<span id="more-546"></span></p>
<p>The official logic for the removal of Linux (otherwise known as "Other OS") is for "security reasons". Here's the <a href="http://blog.us.playstation.com/2010/03/28/ps3-firmware-v3-21-update/">official statement</a> from the Playstation blog:</p>
<blockquote><p>The next system software update for the PlayStation 3 (PS3) system will be released on April 1, 2010 (JST), and will disable the "Install Other OS" feature that was available on the PS3 systems prior to the current slimmer models, launched in September 2009. This feature enabled users to install an operating system, but due to security concerns...</p></blockquote>
<p>It then goes on to at least honestly tell you what you'll lose if you don't update:</p>
<blockquote><p>Consumers and organizations that currently use the "Other OS" feature can choose not to upgrade their PS3 systems, although the following features will no longer be available;</p>
<ul>
<li>Ability to sign in to PlayStation Network and use network features that require signing in to PlayStation Network, such as online features of PS3 games and chat</li>
<li>Playback of PS3 software titles or Blu-ray Disc videos that require PS3 system software version 3.21 or later</li>
<li>Playback of copyright-protected videos that are stored on a media server (when DTCP-IP is enabled under Settings)</li>
<li>Use of new features and improvements that are available on PS3 system software 3.21 or later</li>
</ul>
</blockquote>
<p>So basically what Sony is saying here is that you better upgrade as it is not your Playstation 3 and if you want to be a good, loyal customer, you must do as we say or else you'll have your future toys taken away. Effectively, Sony has encouraged piracy as while I will unlikely ever download a Blu-Ray video or a PS3 game, it does mean that I am going to have to get my firmware from other sources. Nothing like shooting yourself in the foot, hey?</p>
<p>But what is this "security concern" that Sony is so fearful of?</p>
<table border="0" align="right">
<tr>
<td><img src="/images/blog/geohot_ps3.jpg" /><br /><small>
<div align="middle">Yes. I am going to do this, Sony.<br />I am going to open the bloody thing and do this.</div>
</small></td>
</tr>
</table>
<p>Back in January, George Hotz (aka "geohot") had <a href="http://geohotps3.blogspot.com/2010/01/heres-your-silver-platter.html">released an exploit</a> that allowed full memory access and thus access to Ring 0, meaning full access to the Hypervisor. While this gives Linux full access to memory, it has nothing to do with Other OS but more with the hardware itself. He effectively hooked up an FPGA to send a 40 nanosecond pulse to a point on the PS3's circuit board, and it was sometimes effective and sometimes not; it either worked or it panicked the system. It is indeed a hack, but all it really allows you to do besides mess with the Hypervisor is have potential access to the rest of the system's architecture--this does not mean that pirated games are possible with this method.</p>
<p>Weeks later, he published <a href="http://geohotps3.blogspot.com/2010/02/on-isolated-spus.html">another blog entry</a> where he had gained further access to the hardware via the Cell's SPU. Effectively, he had total control over the PS3 in the same manner that the Playstation Portable and the iPhone have been controlled before. No dirty process of taking apart the PS3 was necessary.</p>
<p>However, I don't believe that the above was entirely the concern.</p>
<p>I was lucky to meet Bushing of <a href="http://hackmii.com/">HackMii</a> just days prior to Sony going even more retarded down at the <a href="http://hackspace.ca">Vancouver Hack Space</a> and the topic of Geohot came up. It later developed into a conversation about Other OS and the lack thereof on the Slim PS3 models. Bushing brought up an interesting story about how Sony talks to their developers.</p>
<p>When Sony announced the slim model of the Playstation 3 back in the summer, they made it known that there would be no Other OS feature included. Bushing's friend had a spouse at a PS3 software division within Sony, and even after the announcement was made, said spouse was oblivious and unaware of the fact that the feature was being left out. From the description that Bushing gave, said spouse was not entirely impressed either.</p>
<table border="0" align="right">
<tr>
<td><img src="/images/blog/geohot_ps3env.jpg" /><br /><small>
<div align="middle">Geohot demonstrates some custom themeing.</div>
</small></td>
</tr>
</table>
<p>Later, Bushing learnt via some people he met at a conference that while it was said that Other OS was removed for "business reasons", all of the technical work was effectively done short of a driver or two not being completed.</p>
<p>In the <a href="http://games.slashdot.org/story/10/03/29/0227251/Install-Other-OS-Feature-Removed-From-the-PS3">Slashdot story</a>, <a href="http://lists.ozlabs.org/pipermail/cbe-oss-dev/2010-February/007202.html">an e-mail was posted</a> from a Cell software developer mailing list from February of this year containing a reply from a Sony developer indicating that the company would continue to support the Other OS feature.</p>
<blockquote><p>Please be assured that SCE is committed to continue the support for previously sold models that have the "Install Other OS" feature and that this feature will not be disabled in future firmware releases.</p></blockquote>
<blockquote><p>The text above was provided to me by SCE management. If you have any questions regarding it or any other feature of the PS3 please contact the Playstation Customer Support in your country. Using Playstation Customer Support will ensure your inquiry is processed through the correct channels within SCE.</p></blockquote>
<p>So not only do the developers not get told the proper story, but even management gets thrown out of the loop as well. The communication within Sony or lack thereof is staggering.</p>
<p>I think that the hack that Geohot demonstrated played a role, but I don't believe that it was the entire reason. Sony removed the Other OS feature from the Playstation 3 with the release of the slim under the guise of business reasons because it was solely that--business reasons. They do not want anyone just loading any media content on to the PS3; they want you to be in their control and only watch what they have to offer in either Blu-Ray or via the PSN Store.</p>
<p>Geohot appears to be a scapegoat. They see that he has made an exploit and because of this, they want to use him as their way to legitimize removal of Other OS on the older models. His hacks are not to blame for SCE's greed--they did this with rootkits on compact discs a few years back and they'll remove features from devices people own.</p>
<p>I purchased this console. I bought it with the intention and purpose of playing games, watching movies, and installing Linux on it. These are features you offered and promoted; these are features I wish to keep. If you feel the need to remove a feature from my Playstation 3, you can give me a refund instead, because I am better off buying an Xbox 360, a Blu-Ray player, and an HTPC instead. I liked the idea of having an all-in-one unit, but if this is how you're going to treat me, I am going to find alternatives. Once new firmwares are available, I will be installing them. Thanks for making me a criminal, Sony.</p>
<p>Sony will fail just as Apple, Microsoft, Nintendo, and other hardware vendors have in the past.</p>
]]></content:encoded>
			<wfw:commentRss>http://keyboardcowboy.ca/archives/546/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
