P0wned! Don’t make the same mistake I did

I fell victim to an interesting attack, which I am recounting here so that others may avoid it.

In a nutshell, I fell victim to a trojan, which the malefactor was able to place in a trusted location in my search path. A wrapper obscured the malicious payload. Additionally, a second line of defense did not catch the substitution. I believe the attackers were not out to harm me, but that this trojan was put in place partially for lulz, and partially to allow a more-important attack on the systems RBAC mechanisms to succeed.

Attack Details

I was attempting to purchase a six pack of New Belgium Rampant IPA, shown immediately below.

IMG_2242.JPG

I obtained the six pack from the canonical location in the system – a reach-in refrigerator in the supermarket’s liquor aisle. I proceeded to the cashier, who rang up my purchase, bagged it, and accepted payment.

I realized upon arrival home, that this was a trojan six pack, as seen below:

IMG_2243.JPG

Clearly, the attacker to care to make his payload look legitimate. What I noticed later, was the subtle difference I zoom in on below

IMG_2245.JPG

:

IMG_2244.JPG

Yes, the attacker had substituted root beer for real beer.

Needless to say, this was a devious denial of service, which the perpetrators undoubtedly laughed about. However, this was likely not just “for the lulz”. I think this was the work of juvenile attackers, whose motives were to defeat the RBAC (real beer access control) system. Knowing that a purchase of real beer would be scrutinized closely, I believe they exfiltrated the target beer by hiding it in a root beer package.

Mitigations put in place by the system did not catch this error – the cashier/reference monitor allowed the purchase (and likely, the offsetting real beer as root beer purchase).

Possible Countermeasures

The keys to this attack were that the trojan was in the right place in the search path, and that it appeared legitimate. Obviously, this location must be readable by all, since items need to be fetched from it. However, allowing items to be placed in it by untrusted users is a definite risk. Technical constraints make the obvious countermeasure — allowing only privileged stocking, while permitting “world” fetching — presents serious usability concerns, and increases system cost, since the privileged stocker must be paid.

Nonetheless, such countermeasures are in place for certain other items, notably where the cost to the system — as opposed to the user — of an illicit item substitution is quite high.

Lessons learned

Ultimately, system usability and cost tradeoffs put the onus on the end-user. Before taking a non-idempotent step, inspect the objects closely!

Why the Star Wars Prequels Sucked

It is a truism that the Star Wars prequels sucked. (Elsewhere, I’ve commented that the franchise being sold to Disney means someone can finally tell the tragic story of Anakin Skywalker’s seduction by the dark side.)

But the issue of exactly why they sucked is complex and layered, and most of us prefer not to consider it too deeply. Fortunately, you no longer have to. You can simply get “Why the Star Wars Prequels Sucked, and Why It Matters,” a short “Polemic on Aesthetics, Ethics and Politics. With Lightsabers.”

Really, what else do you need to know?

An example? Ok, the diner scene, and how it compares to the cantina scene. The cantina exudes otherness and menace. The diner looks like it was filmed in 1950s and then had a few weird things ‘shopped in. The scene undercuts the world which Star Wars established. Or the casual tossing in that Anakin was a virgin birth, and how after tying to one of the most enduring stories in western culture, the subject is then never referred to again.

Or the utter lack of consequence of anything in the stories, since we already know how they’ll come out, and how, by focusing on characters whose fates we know, Lucas drains any dramatic tension of of the story. The list goes on and on, and if you want to know why you hated the prequels so much, this is a short and easy read, and highly worthwhile.

Oh, and you’ll learn how Lando Calrissian is Faust. So go buy it already.

One last thing. Delano Lopez? That’s a name I hadn’t heard in a very long time. But he and I went to school together.

The Gavle Goat is Getting Ready to Burn!

The Telegraph reports that the Gavle Goat for 2012 is up, and surrounded by guards, cameras, flame retardants, and arsonists.

Emergent Chaos has reporters on the ground internet, ready to report on this holiday story of a town, a goat, and an international conspiracy of drunken arsonists. Stay tuned!

This years goat is shown in its pre-fire state. Note the pre-positioned fire extinguishers surrounding it, along with what one might describe as an altogether insufficient fence.
Gavle Goat 2012

[Update: It turns out that the goat is blogging this year. Mixed English and Swedish.]

Now Available: Control Alt Hack!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route.

Control-alt-hack.jpg

From the website:

Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve Jackson Games (Munchkin and GURPS).

Age: 14+ years
Players: 3-6
Game Time: Approximately 1 hour

You and your fellow players work for Hackers, Inc.: a small, elite computer security company of ethical (a.k.a., white hat) hackers who perform security audits and provide consultation services. Their motto? “You Pay Us to Hack You.”

Your job is centered around Missions – tasks that require you to apply your hacker skills (and a bit of luck) in order to succeed. Use your Social Engineering and Network Ninja skills to break the Pacific Northwest’s power grid, or apply a bit of Hardware Hacking and Software Wizardry to convert your robotic vacuum cleaner into an interactive pet toy…no two jobs are the same. So pick up the dice, and get hacking!

TSA Approach to Threat Modeling, Part 3

It’s often said that the TSA’s approach to threat modeling is to just prevent yesterday’s threats. Well, on Friday it came out that:

So, here you see my flight information for my United flight from PHX to EWR. It is my understanding that this is similar to digital boarding passes issued by all U.S. Airlines; so the same information is on a Delta, US Airways, American and all other boarding passes. I am just using United as an example. I have X’d out any information that you could use to change my reservation. But it’s all there, PNR, seat assignment, flight number, name, ect. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.

Security Flaws in the TSA Pre-Check System and the Boarding Pass Check System.

So, apparently, they’re not even preventing yesterday’s threats, ones they knew about before the recent silliness or the older silliness. (See my 2005 post, “What Did TSA Know, and When Did They Know It?.)”

What are they doing? Comments welcome.