This is really all you need to know from Dan Kaminsky’s talk, “Something About Network Security”.  We got first dibs on it at Black Hat USA 2009:

“If only we could find a big enough Care Bear, we could totally ride this pony.”

I’ll have some slightly more useful Black Hat and Defcon posts once it’s over and I can get my notes straight.

 

Quick post while I take care of things around here before leaving:

I’ll be arriving in Las Vegas for Black Hat and Defcon tomorrow (Tuesday) evening.  If you’re looking to run into me in Vegas, here’s a picture of me with current-facial-hair-status:

…extrapolate to plus-however-many-days of beard growth.

I just had business cards printed as well, so I’ll be able to hand out contact information easily.  The design isn’t bad for a 30-minute rush-job in Gimp.  If you want to see ’em, you’ll have to track me down ;) .  I’ll be on Twitter and email whenever I can, and I’ll have my cell phone with me if you want to contact me privately to get that number.  I’m always interested in grabbing a bite to eat or drink, talking shop, and sharing notes.

Here are the talks I’m likely to attend at Black Hat:

There are a lot of talks that look interesting that are going on at the same time, so I’ll have to wait for the videos to be released of some of them.  I haven’t really made any decisions yet about what talks I’ll see at Defcon.

 

A few days before I travel, I like to gather up information about my trip and load it up into my iPod Touch (substitute iPhone or netbook as needed) so that I have it handy.  Airport/hotel layouts, itineraries, schedules, etc., can be very useful to have quick electronic access to without requiring Internet access wherever you are.  I use “Air Sharing Pro” to load the jpg’s, pdf’s, and other files onto my iPod for convenient viewing; however, there are many other apps that do the same thing.

Here’s what I’m loading up, and you might too (links where appropriate):

  • Your flight itinerary.  Print it to PDF.  Go ahead and get it now and review it, but save it marked with today’s date and get it again right before you leave, because this stuff changes often.
  • Airport maps, especially for places where you’ll have a bit of a layover.
  • Caesars Palace, which is designed like a labyrinth to keep you inside and gambling
  • The Riviera
  • Las Vegas Monorail map – Print-option is on the site, print to PDF. (edit: Here is another option, might be a little more phone-friendly, thanks to @eugk on twitter)
  • Frequent flyer and hotel reward program numbers
  • Some documentation of your hotel reservation
  • Your Black Hat receipt and registration location/times!  Also have a printed copy of this as you will need it and identification at BH registration.
  • Schedule of talks you want to attend.  There’s a great online app for the Black Hat schedule where you can put together your own and share/print it.

Test it all out once you get it on your device to make sure the formatting is good enough, and that your PDF’s aren’t too “heavy” for a portable device.  You can always just take screenshots of what you really need out of them, as jpg’s and png’s are very easy to view.

 

Just found out via the Dallas Observer’s blog that Jesse “GhostExodus” McGraw has been indicted by a federal grand jury, and has been charged with two counts of “transmitting a malicious code”, in reference to the malicious code he allegedly installed on computer systems at a hospital in the Dallas area:

If convicted, he faces up to 10 years in prison, and $250,000 in fines and restitution.

Meanwhile, the remaining members of ETA are a lot more quiet than they used to be.  XXxxImmortalxxXX, now also known as “system666”, is still a member of ETA, according to his signature on this forum, despite being the one that inadvertently tipped me off to GhostExodus’ activities:

The Fixer, a member, or at least former member, is confused about the difference between the script kiddie hacker group ETA and the Basque separatist group ETA (“Euskadi Ta Askatasuna”):

If you’d like to catch up, here are the previous posts in this series:

 

This is just a quick note to serve as a warning to anyone who might be considering buying “Stealing the Network: The Complete Series Collector’s Edition” after reading the description on the Elsevier site:

While I was reading the book and preparing my review, I found that the publisher’s description was inaccurate and misleading, emailed a contact at Syngress, and I thought I had verified that it had changed.  Either I was mistaken and was only looking at the more-accurate Amazon product description, or the changes on the Elsevier site have been reverted.

Here’s what it looks like right now:

The “Stealing the Network Series” has developed a passionate, cult following which includes more than 30,000 readers. Over 3,000 readers have registered their copies of Stealing on the Syngress Web site. The Stealing book signings at the Black Hat Briefings in Las Vegas have become an annual event, attracting hundreds of readers, who want to meet the authors who serve as the heroes and villains of the series. These are true fans. They want the inside scoop. They want their picture taken with the legend, Kevin Mitnick. They want to know if the elaborate hacks in the stories are actually based on real-life, close-encounters. They want to know it all….Did Jay Beale base his character on the movie “Real Genius”?…..Does FX ever smile?…How tall is Thor?…Is “Blah” really Roelof Temmingh? Did the guys from Sensepost really receive death threats in South Africa for “revealing too much”. But maybe most importantly…they want to know: How does the story end?

Stealing the Network: The Complete Series Collector’s Edition, Final Chapter, and DVD answers all these questions and more. Not only will longtime fans of the series find out how the story ends in the much anticipated “Final Chapter” (The “Final Chapter” will also be available separately as an E-Only product six months after publication of the Collector’s Edition). They will get much more than this. The collector’s edition also contains author-annotated versions of the entire series: How to Own the Box, How to Own a Continent, How to Own an Identity, and How to Own a Shadow. For the first time, the authors will reveal which of the stories and characters are actually based on fact. The authors will share e-mails they exchanged during the writing of the books….and even a few flames directed at one another! Fans of the series have always been attracted to the “rock stars” of the hacking underground who have contributed to the series over the years including: Dan Kaminsky (Effugas), Fyodor, Tim Mullen (Thor), Johnny Long, Ryan Russell (Blue Boar), Jay Beale, Joe Grand (Kingpin), Jeff Moss, and Kevin Mitnick…just to name a few. Friends and foes alike of the authors scour the internet for information on the authors, and some have even successfully hacked into their computers and e-mail to find out more about them. Now…they can find out everything they ever wanted to know without risking federal prosecution in Stealing the Network: The Complete Series Collector’s Edition, Final Chapter, and DVD.

In addition to The Final Chapter and the Annotated Complete Series, the fanatics will also receive a DVD containing extended, personal interviews with the primary authors and editors of the series. The DVD also contains digital photographs from exclusive and secretive author dinners and meetings at Black Hat and Defcon.

Long time fans of the series as well as a new generation of hackers will be drawn to this unique collector’s edition either for themselves or as a gift for their favorite hacker.

This is an excellent description of what the book should have been.  Unfortunately it’s not the book that you’re ordering.  I’m sure the intent was to have all of these features that would make it a must-buy for fans of the series, but it just doesn’t.  None of the books in the compilation are “author-annotated”.  There is one email shared in the introduction, not the back-and-forth and flames the description claims.  There are no photos on the DVD.  These are all features that were intended for the book, but did not make the cut (presumably a deadline thing).

What you get:

  • A new foreword
  • Each book in the series, as it was published, no editing/corrections, bound together
  • The final chapter
  • A 20-minute DVD that has weird audio issues in some players
  • That’s it.

Depending on how much you pay for it, it could be a really good deal if you do not already have the series (which I do like).

I tried to get the publisher to change the misleading description back when I wrote my review, but apparently it didn’t do any good.  I’m just posting this to make sure that readers of this site and others that stumble across it googlin’ are informed.

 

Earlier today, this was making the rounds on twitter:

It’s a cute-looking manga-style comic about team Sapheads’ experiences with the “Binary 300” challenge in the Defcon 17 CTF pre-quals.  It’s kind of entertaining, and looks informative, if a bit engrish-y.  I scrolled through it quickly, bookmarked it, and planned to give it a good read later.

At first glance, I especially liked that there was a female character on the team, which I thought could be a very positive thing.  That is, until I saw this making the rounds on twitter later today:

…the above is a discussion of the “Tiffany” character in the comic strip, who turns out to be a ridiculously stereotypical depiction of how some view women and computer security research.  Not only is “Tiffany” an offensive stereotype, she’s a terribly one-dimensional and annoying character, only serving as a foil.  She asks questions about what’s going on to give the other characters a chance to go into detail, acts all confused, and that’s about it.  I suppose the other characters are just too l33t to be able to ask those questions of each other.

As far as I can tell from the original Binary 300 write-up and anything else I can find out about the Sapheads, the comic’s characters aren’t based on their actual team line-up.

The author of the Female Stereotypes post also relates her own experiences of how she’s treated as a female in security research, and it’s very eye opening.  I highly recommend reading it, as well as the original PDF writeup of the Sapheads attempt at this challenge.

Edit: The author/artist of the comic updated the page to apologize and explain.  In future comics on other challenges, the “Tiffany” character will serve a more useful role than “cheer-leader”.  It turns out that there is no female member of the Sapheads team, and that the character is based on a famous Korean singer.

 

Poking around on various “hacker” forums, this sort of thing is a common sight:

If I had the stamina and will to maintain a “skiddie clown quote of the day” for any length of time, this would be a prime candidate.  Especially this part:

im sick of being hacked ive done nothing wrong expect steal about 200 passes

Looking at posts like this got me to thinking about this scene’s combination of wanting to learn about “hacking”, inexperience, and the desire to do something immediately “fun” (important point: they want to jump straight to 0wnage, with a minimum of time studying how).  It reminded me of a phenomenon I was seeing on forums like this a while back, where members were becoming aware of the CSIS and SANS US Cyber Challenge competitions:

These challenges are geared towards high school students and undergraduates, and give them an interesting and competitive outlet for exercising skills that might otherwise be used for more script-kiddie-like endeavors.  In addition, they help give them motivation to learn new skills, motivation that is missing when you have an entire Internet’s worth of computers out there that have vulnerabilities you already know how to exploit.  In a recent interview with Forbes, the director of SANS, Alan Paller, stated the logic behind this kind of competition well:

“Offense must inform defense,” he says. “We’d like it to be just training defenders, but if they don’t know how attacks are performed, they’ll be incompetent.”

It might work, too.  If the structure of this training (which is still in its infancy) is good, and it’s interesting and challenging enough, then it could be possible to leverage script-kiddie-level skills into something useful.

This might be what some of the people on these forums are looking for.  I’ve already witnessed an entire “hacking group” that normally occupies themselves with web defacement split into teams and sign up for the DC3 forensics challenge.  On another site, I noticed that GhostExodus, before he was arrested, had signed up for the DC3 challenge as well, as had XXxxImmortalxxXX (the guy who bragged to me about GhostExodus’ hacks).

Maybe in the near future, activities like the US Cyber Challenge will get people like this on a productive path before they wind up getting into trouble.

 

I meant to post this a little more than a week ago, but all the GhostExodus stuff sort of bumped this up until now.  If you’re new to the site because of all the recent action, here are the posts that led up to this one:

Core Security are still visiting the site on a daily basis, which is pretty cool.  It looks like they occasionally verify that I’m still ranked higher on google than them for searches for their own party, but they seemed interested in the GhostExodus stuff too.

As a token of appreciation for pointing out their rude and unnecessarily elitist invitation processes, Kimberly Legelis, Core Security’s VP of marketing, sent me a Core Security t-shirt and a Core Security USB sparkly lamp thing:

It was accompanied by a nice handwritten note from Kimberly.  I’m looking forward to dropping by their booth at Black Hat to meet her and the others in-person.

This probably won’t keep me from poking fun at Core Security every once in a while here (especially now that I have them reading this site on a regular basis), but I will feel slightly guilty about it now.  I’ll get over it :) .

 

Previous posts:

  • Part 1 – Criminal Complaint
  • Part 2 – GhostExodus Videos
  • Part 3 – HVAC HMI Screenshots

Note: The language in the videos and quotes on this post has not been censored.  This may be not-safe-for-work, for some definitions of work.

In this post, we’ll take a look at some members of the online community’s reactions to Jesse “GhostExodus” McGraw’s arrest.  It’s not hard to find folks who think it’s a good thing; just look at most of the comments on these posts and other blogs/articles on the Internet.  On the “hacker” forums that I have seen with threads on the topic, the vast majority of members agree that GhostExodus went too far.  Since it’s more interesting to take a look at viewpoints you disagree with, I’m going to focus on reactions of people that feel that the alleged crimes are not all that serious.

There are a couple of entertaining YouTube videos that summarize this viewpoint.  The first one is from RamHat, who feels strongly enough about my involvement that I think it’s fair to give him some time here to state his case to you:

Quotes:

Don’t forget what this is about. It’s about video-fighting, it’s about debating, making pwnage videos, funny accounts.  It’s about having fun.  It’s not about hacking, and none of you guys can hack anyways…

GHOST is just a wild dude that made some poor choices

We all done stupid stuff before

This guy’s response is actually pretty entertaining towards the end:

Quotes:

I’m behind the whole Free Ghost Exodus Movement

..the type of shit that I heard in the video?  It’s like, that’s retarded.  So you’re saying someone hacked something and then controlled an air conditioning unit?  Was that really going to kill anyone if you turned off an air conditioner, or maybe even turn it lower?

He just wanted to prove that he could do it, because there’s a lot of people on here that talk a lot of B.S. about how they can do this and that

The running theme here is that some people don’t realize how serious of a crime this is.  You just can’t do things like this to prove a point or have fun.

On a different note, we have at least one remaining ETA member rattling sabres.  The following are comments from a couple of news articles:

If the numbers and their rate-of-change are to be believed, by now there are 10’s, or possibly even 5’s of them left.

 

Previous parts (Pre-requisite information.  There will be a pop quiz at the end.):

  • Part 1 – Definitely read the criminal complaint.
  • Part 2 – Watch some videos

In this post I will be displaying and discussing some screenshots that Jesse “GhostExodus” McGraw posted online.  These screenshots were taken on the PC controlling Carrell Clinic’s HVAC system, uploaded to a photobucket account owned by GhostExodus, and linked to in posts on anarchistcookbook.com and warezscene.org (still available there).  When XXxxImmortalxxXX initially bragged to me about hacking this HVAC system himself, he linked the same photobucket images directly, which led me to discover the forum posts that linked the same images.

What you’re looking at in these screenshots, if you’re not familiar with control systems, is Human-Machine Interface (HMI) software.  HMI software represents what would have once been a physical control panel with switches, dials, gauges, and other similar elements.  The software displays the status of various elements of the system, and allows the operator to make changes, either directly (by flipping a switch, for example), or by modifying a parameter that the system automatically tries to maintain or use as a boundary.

Since the HMI for a control system is very specific to that system, HMI software is typically distributed as a combination of IDE (for developing the custom interface) and a runtime (for running the developed system).  HMI systems also implement access control and auditing, features that often serve as a last line of defense for a control system.  While I cannot speak for BACtalk’s security (I have no experience with it yet), a combination of misconfiguration and vulnerabilities in HMI products’ security features can lead to this layer of defense being weak.  Until HMI software security improves, it’s very important to layer defenses around them, with strict control over who can access the systems physically or over a network.

Let’s take a look at the shots (click them to see them at full resolution):


In this shot, you can see what appears to be a “main menu” for the control system, with buttons that take you to other screens that control different sections of the hospital.  The most interesting thing here is the dialog box, “BACtalk Alarm”.  The “Acknowledge” buttons allow an operator to record that he or she has seen the alarm, which should go in an audit log that can be reviewed if there are problems in the future.  An attacker with access to these systems and the associated logs could “acknowledge” alarms that were meant to be seen by operators, and potentially even modify the audit logs.  The criminal complaint against GhostExodus made reference to problems with alarms this specific HVAC system was having after being compromised.
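The alarm-acknowledgement audit trail described above is only useful if an after-the-fact edit can be noticed. The following is an added example (not the page’s code, and not BACtalk’s actual log format, which the post does not show): each acknowledgement record is hash-chained to the one before it, so an edited, deleted or re-ordered entry breaks the chain, and acknowledgements by accounts outside a constructed operator allowlist are flagged for review. The account names, timestamps and the “Chiller 1 Low Flow” alarm are constructed; the two AHU alarm names are taken from the screenshots discussed on this page.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed allowlist of accounts expected to acknowledge HVAC alarms.
OPERATOR_ACCOUNTS = {"facilities_day", "facilities_night"}

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AckEvent:
    """One alarm-acknowledgement record (constructed format, not BACtalk's)."""
    seq: int
    timestamp: str
    user: str
    alarm: str
    prev_hash: str
    entry_hash: str


def _hash_entry(seq, timestamp, user, alarm, prev_hash):
    # Canonical JSON so the same fields always hash to the same value.
    payload = json.dumps([seq, timestamp, user, alarm, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_ack(log, timestamp, user, alarm):
    """Append an acknowledgement, committing to the previous entry's hash."""
    prev_hash = log[-1].entry_hash if log else GENESIS_HASH
    seq = len(log) + 1
    entry_hash = _hash_entry(seq, timestamp, user, alarm, prev_hash)
    log.append(AckEvent(seq, timestamp, user, alarm, prev_hash, entry_hash))
    return log


def verify_chain(log):
    """Return the position (1-based) of the first bad entry, or 0 if intact.

    Edited fields change the recomputed hash; a deleted entry leaves a gap in
    seq/prev_hash; a re-ordered entry has the wrong prev_hash.
    """
    prev_hash = GENESIS_HASH
    for expected_seq, ev in enumerate(log, start=1):
        if ev.seq != expected_seq or ev.prev_hash != prev_hash:
            return expected_seq
        if _hash_entry(ev.seq, ev.timestamp, ev.user, ev.alarm, ev.prev_hash) != ev.entry_hash:
            return expected_seq
        prev_hash = ev.entry_hash
    return 0


def suspicious_acks(log, operators=OPERATOR_ACCOUNTS):
    """Sequence numbers of acknowledgements made by non-operator accounts."""
    return [ev.seq for ev in log if ev.user not in operators]


if __name__ == "__main__":
    # Constructed sample: three acknowledgements, one from a security-desk login.
    log = []
    append_ack(log, "2009-04-01T02:10:00", "facilities_night", "AHU 7 OA Alarm")
    append_ack(log, "2009-04-01T02:12:00", "security_desk", "AHU 4 OR Alarm")
    append_ack(log, "2009-04-01T06:30:00", "facilities_day", "Chiller 1 Low Flow")
    print("chain intact:", verify_chain(log) == 0)
    print("acks to review:", suspicious_acks(log))
```

The chain only proves anything if the latest `entry_hash` is regularly copied off the HMI host (to a separate log server or a printed shift report), since whoever controls the host can rewrite the whole chain; that is the same layering argument the post makes about putting controls around the HMI rather than trusting it alone.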


Here, we see a floorplan for an area of the hospital containing some operating rooms (OR 2 through OR 5).  Among other things, you can see the open/closed status of the vents in various rooms.  The buttons to the right of these statuses could be controls to toggle the status.  I’m not really sure what the weird gray graphic between/overlapping the status of “AHU 7 OA Alarm” and “AHU 4 OR Alarm” is.  If you have a guess, leave a comment. (Nevermind, glitch in GIMP.)

Note that since HMI interfaces are custom-designed in an IDE for the purposes of each control system, the user interfaces are not always self-explanatory.  Operators have to be trained to understand the elements of each system.  This one’s not really that bad compared to a lot of them, though.


This is the scary one.  It’s a list of parameters for systems in a “Surgery Center” or operating room.  Here, an operator (or attacker) can modify the temperatures and levels at which pumps kick in, or shut things on and off.  I’m not familiar with hospital control systems, and especially not with those involved in surgery, but I imagine that changes made to these systems could wreak some havoc.

These screenshots were posted by GhostExodus on the warezscene and anarchistcookbook forums with the following text:

Spreading botnets is boring. But sometimes you get a hefty prize for all your hard work and labor. Like this you see below. An HVAC server. An HVAC is: HVAC (pronounced either “H-V-A-C” or “H-vak”) is an initialism or acronym that stands for “heating, ventilating, and air conditioning”. HVAC is sometimes referred to as climate control and is particularly important in the design of medium to large industrial and office buildings such as skyscrapers and in marine environments yay for wiki

In reality, GhostExodus compromised the system with physical access as a night security guard.  It is not known if this HMI was “legitimately” accessible remotely with RDP or similar protocols.  It was revealed in the criminal complaint that malicious software allowing for remote access was confirmed to be installed on the system.

GhostExodus followed up in the same thread on warezscene with this post:

nice. You almost can’t help it ya know. It must be done!

Hopefully this isn’t something many people feel compelled to do.

© 2012 McGrew Security Suffusion theme by Sayontan Sinha