Hacking TiVO, PS2, Palm, GPRS, or your riding bikes

Probing mobile (cell) networks

Mobile networks have many disparate types of devices.  You can probably guess what some of them are, or even go to the provider’s store or kiosk and get a list.  But there are going to be more devices out there.  So why not scan the IP addresses on your subnet?

The catch is that the access points for mobile networks generally don’t allow promiscuous access: a handset can’t sniff the other subscribers on its own subnet the way a machine on a LAN can.  So you may have to go to ARIN and the other regional registries to find address ranges allocated to carriers before you have anything to scan.  You can also mine the access logs of a website for visitors with mobile devices.  (Of course, there is always the NATting that the providers do, not to mention DHCP, and the fact that most mobile devices don’t run servers or services, so any address list you build this way is both noisy and short-lived.)
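The access-log route described above, worked through as an added example (this is not code from the original post or from Mulliner’s research).  It parses combined-format web server lines, keeps only the hits whose User-Agent looks like a handset, collapses the source addresses into /24 candidate ranges to look up at the registries, and flags an address that presented several different handset browsers, which on a carrier network usually means many subscribers behind one NAT address.  The log lines are constructed for the example using RFC 5737 documentation addresses, and the marker list is an assumption you would tune to the devices you care about.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// sampleLog is constructed for this example (RFC 5737 documentation addresses,
// invented timestamps); it is not real traffic from any site.
const sampleLog = `198.51.100.23 - - [10/Mar/2012:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)"
198.51.100.23 - - [10/Mar/2012:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac OS X) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5"
198.51.100.77 - - [10/Mar/2012:10:02:41 +0000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; HTC Desire Build/GRJ22) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
203.0.113.8 - - [10/Mar/2012:10:03:15 +0000] "GET / HTTP/1.1" 200 512 "-" "BlackBerry9700/5.0.0.862 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/331"
192.0.2.15 - - [10/Mar/2012:10:03:50 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0"
203.0.113.8 - - [10/Mar/2012:10:04:02 +0000] "GET /news HTTP/1.1" 304 - "-" "BlackBerry9700/5.0.0.862 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/331"
not a log line at all`

// lineRE matches the combined log format: host, ident, user, [time], "request",
// status, size, "referer", "user-agent". Only host and user-agent are captured.
var lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$`)

// mobileMarkers are User-Agent substrings of the handset browsers of the day.
// The list is an assumption for the example; tune it to the devices you care about.
var mobileMarkers = []string{
	"Windows CE", "IEMobile", "iPhone", "iPod", "iPad", "Android",
	"BlackBerry", "SymbianOS", "Series60", "Opera Mini", "Nokia", "webOS",
}

// Visitor is one source address with every distinct User-Agent seen from it.
type Visitor struct {
	IP         string
	UserAgents map[string]int // user-agent -> hit count
}

// IsMobileUA reports whether a User-Agent string carries any of the mobile markers.
func IsMobileUA(ua string) bool {
	for _, m := range mobileMarkers {
		if strings.Contains(ua, m) {
			return true
		}
	}
	return false
}

// ParseLine extracts the client address and User-Agent from one combined-format line.
func ParseLine(line string) (ip, ua string, ok bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil || net.ParseIP(m[1]) == nil {
		return "", "", false
	}
	return m[1], m[2], true
}

// MobileVisitors scans the log and returns the addresses that sent mobile User-Agents.
func MobileVisitors(log string) map[string]*Visitor {
	out := map[string]*Visitor{}
	for _, line := range strings.Split(log, "\n") {
		ip, ua, ok := ParseLine(line)
		if !ok || !IsMobileUA(ua) {
			continue
		}
		v, seen := out[ip]
		if !seen {
			v = &Visitor{IP: ip, UserAgents: map[string]int{}}
			out[ip] = v
		}
		v.UserAgents[ua]++
	}
	return out
}

// LikelyNAT flags an address that presented several different handset User-Agents:
// on a carrier network that usually means many subscribers behind one NAT address,
// so probing that single IP tells you little about the devices behind it.
func LikelyNAT(v *Visitor) bool { return len(v.UserAgents) > 1 }

// CandidateRanges collapses the mobile visitor addresses into sorted /24 networks,
// a starting point for looking up the owning carrier allocation (ARIN etc.).
func CandidateRanges(visitors map[string]*Visitor) []string {
	set := map[string]bool{}
	for ip := range visitors {
		v4 := net.ParseIP(ip).To4()
		if v4 == nil {
			continue // IPv6 clients would need a different prefix length
		}
		set[fmt.Sprintf("%s/24", v4.Mask(net.CIDRMask(24, 32)))] = true
	}
	ranges := make([]string, 0, len(set))
	for r := range set {
		ranges = append(ranges, r)
	}
	sort.Strings(ranges)
	return ranges
}

func main() {
	visitors := MobileVisitors(sampleLog)
	for _, v := range visitors {
		fmt.Printf("%-15s user-agents=%d nat-suspected=%v\n", v.IP, len(v.UserAgents), LikelyNAT(v))
	}
	fmt.Println("candidate ranges:", CandidateRanges(visitors))
}
```

On the sample, the desktop Firefox hit is dropped, 198.51.100.23 is flagged because two different handset browsers came from one address, and the two ranges left to look up are 198.51.100.0/24 and 203.0.113.0/24.  Against a real log the NAT flag is the important caveat: a carrier gateway address with hundreds of distinct agents behind it is not a device you can probe, it is a proxy for a whole population.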

Colin Mulliner, of the Berlin Institute of Technology, did manage to find a fair amount of interesting stuff.  Windows Mobile tended to be a useful source of open ports and services (usually open FTP services on the handsets).  He also found, and was able to identify, a number of specialized devices that gave themselves away in their responses to probes.  Some of the most interesting were mobile access points: devices connecting to the mobile network and then providing local wifi for computers.  Others were HTTP servers for surveillance cameras.  Others were GPS tracking devices which, oddly, had no security against “guest” login  🙂  Some were smart meters.  (With smart meters rolling out here in BC, let’s hope they are more secure …)

Possibly of concern was the large number of jailbroken iOS devices.  Many of them still had the default root password (“alpine”) on the SSH server that many jailbreakers install, so anyone who can reach the device over the carrier network gets a root shell.  (If you hack your own device, you’d better be prepared to secure it.)  This could form the basis of a fair-sized worm and/or botnet.  Then again, iOS users aren’t alone here.  An awful lot of people seem to think nothing of building mobile devices and hooking them up to mobile networks with very little in the way of security.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Smartphone vulnerabilities

Scott Kelly, platform architect at Netflix, gets to look at a lot of devices.  In depth.  He’s got some interesting things to say about smartphones.  (At CanSecWest.)

First of all, with a computer, you are the “tenant.”  You own the machine, and you can modify it any way you want.

On a smartphone, you are not the only tenant, and, in fact, you are the second tenant.  The provider is the first.  And where you may want to modify and customize it, the provider may not want you to.  They’d like to lock you in.  At the very least, they want to maintain some control because you are constantly on their network.

Now, you can root or jailbreak your phone.  Basically, that means hacking your phone.  Whether or not you do it yourself, the fact that it can be done means your device is hackable by others, too.

(Incidentally, the system architectures for smartphones can be hugely complex.)

Sometimes you can simply replace the firmware.  Providers try to prevent that, sometimes with a secure boot system.  This is usually one of two designs, both of which were used way back in the AV days of old: “trusted computing,” where each stage of the boot chain carries a digital signature that verifies back to a key (or the hash of one) embedded in the hardware, or “trusted execution,” which restricts what code is allowed to run.  Sometimes the providers ask manufacturers to lock the bootloader.  Attackers can get around this, sometimes by letting the check succeed and then swapping in a different image before it runs (a time-of-check/time-of-use race), by defeating the write protection, or by interfering with the verification as it is occurring (glitching the processor mid-check, for instance).  However, you can usually find easier implementation errors.  Sometimes providers/vendors use symmetric encryption or MACs for the “signature”: the key that verifies the image is the key that creates it, so once it has been extracted from one device, every device of that model is accessible.  You can also look at the attack surface, and with the complex architectures in smartphones the surface is enormous.
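Two of the points above, the symmetric-key trap and the check-then-swap attack, in a toy model as an added example; this is not code from Scott Kelly’s talk or from any vendor’s boot ROM.  The “ROM,” “flash,” and attacker are all simulated in one process: the asymmetric ROM stores only a hash of the vendor’s Ed25519 public key, the symmetric ROM stores an HMAC key, and the `Flash` type can be told to swap its contents between the read that is verified and the read that is executed.  Key material, image contents and the `Outcome` record are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// AsymROM holds only a hash of the vendor public key: a dump reveals nothing that can sign.
// SymROM holds the MAC key itself: the key that checks a tag is the key that makes one.
type (
	AsymROM struct{ rootKeyHash [32]byte }
	SymROM  struct{ macKey []byte }
)

// Tag is the HMAC-SHA256 "signature" of the symmetric design.
func Tag(key, image []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

// Accepts requires the offered public key to hash to the burned-in value before the
// signature is even checked, so an attacker's own key is rejected at the first step.
func (r *AsymROM) Accepts(pub ed25519.PublicKey, image, sig []byte) bool {
	return sha256.Sum256(pub) == r.rootKeyHash && ed25519.Verify(pub, image, sig)
}

// Accepts passes for anyone who can compute Tag, i.e. anyone holding macKey.
func (r *SymROM) Accepts(image, tag []byte) bool {
	return hmac.Equal(Tag(r.macKey, image), tag)
}

// Flash is rewritable storage. With swapAfterRead set it models an attacker on the bus
// who replaces the image between the read that is checked and the read that is run.
type Flash struct {
	image, evil   []byte
	swapAfterRead bool
}

func (f *Flash) Read() []byte {
	out := append([]byte(nil), f.image...)
	if f.swapAfterRead {
		f.image = f.evil
	}
	return out
}

// BootReadTwice is the vulnerable loader: it verifies one read and executes another.
func BootReadTwice(r *SymROM, f *Flash, tag []byte) []byte {
	if !r.Accepts(f.Read(), tag) {
		return nil
	}
	return f.Read() // may no longer be what was verified
}

// BootVerifyWhatYouRun copies the image once into memory the attacker cannot reach,
// verifies that copy and executes that same copy.
func BootVerifyWhatYouRun(r *SymROM, f *Flash, tag []byte) []byte {
	img := f.Read()
	if !r.Accepts(img, tag) {
		return nil
	}
	return img
}

type Outcome struct {
	OfficialBootsAsym, OfficialBootsSym bool
	ForgedBootsAsym, ForgedBootsSym     bool
	ReadTwiceRanEvil, VerifyRunRanEvil  bool
}

func RunDemo() Outcome {
	official, evil := []byte("official firmware v1.0"), []byte("attacker firmware")
	// Vendor side: one keypair per model; devices are provisioned with the public-key hash only.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	asym := &AsymROM{rootKeyHash: sha256.Sum256(pub)}
	sig := ed25519.Sign(priv, official)
	// Symmetric design: the same secret goes into every unit of the model.
	macKey := make([]byte, 32)
	rand.Read(macKey)
	unit, tag := &SymROM{macKey: macKey}, Tag(macKey, official)

	var o Outcome
	o.OfficialBootsAsym = asym.Accepts(pub, official, sig)
	o.OfficialBootsSym = unit.Accepts(official, tag)
	// Attacker with a dump of one unit: against the signature ROM the best they can do is
	// sign with their own key; against the MAC ROM they now hold the model-wide secret.
	attPub, attPriv, _ := ed25519.GenerateKey(rand.Reader)
	o.ForgedBootsAsym = asym.Accepts(attPub, evil, ed25519.Sign(attPriv, evil))
	extracted := append([]byte(nil), unit.macKey...) // what a flash or JTAG dump yields
	o.ForgedBootsSym = unit.Accepts(evil, Tag(extracted, evil))
	// Check-then-swap: same tag, same flash contents, two loader implementations.
	swapping := func() *Flash { return &Flash{image: official, evil: evil, swapAfterRead: true} }
	o.ReadTwiceRanEvil = string(BootReadTwice(unit, swapping(), tag)) == string(evil)
	o.VerifyRunRanEvil = string(BootVerifyWhatYouRun(unit, swapping(), tag)) == string(evil)
	return o
}

func main() { fmt.Printf("%+v\n", RunDemo()) }
```

Running it prints an `Outcome` in which the official image boots on both designs, the attacker’s image is rejected by the signature ROM but accepted by the MAC ROM (because the dump of one unit handed over the only secret there is), and the swapped image runs only under the loader that re-reads flash after verifying.  The fix for the last case is the boring one: verify the bytes you are about to execute, in memory the attacker cannot write, not a copy of them.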

Vendors and providers are working towards trusted modules and TrustZone-style isolated environments in mobile devices.  Sometimes this is virtual, sometimes it actually involves hardware.  (Personally, I saw attempts at this in the history of malware.  Hardware tended to have inherent advantages, but every system I saw had some vulnerability somewhere.)

Patching has been a problem with mobile devices.  Again, the providers are going to be seen as responsible for ongoing operation.  Any problems are going to be seen as their fault.  Therefore, they really have to be sure that any patch they create is absolutely bulletproof.  It can’t create any problems.  So there is always going to be a long window for any exploit that is found.  And there are going to be vulnerabilities to exploit in a system this complex.  Providers and vendors are going to keep trying to lock systems.

(Again, personally, I suspect that hacks will keep on occurring, and that the locking systems will turn out to be less secure than the designers think.)

Scott is definitely a good speaker, and his slides and flow are decent.  However, most of the material he has presented is fairly generic.  CanSecWest audiences have come to expect revelations of real attacks.


Paper safe

I first saw this, appropriately enough, on Improbable Research.  It’s appropriate, because, when you see it, first it makes you laugh.  Then it makes you think.

This guy has created a paper safe.  Yeah, you got that right.  A safe, made out of paper.  No, not special paper: plain, ordinary paper, the kind you have in your recycling bin.  He’s even posted a video on YouTube showing how it works.

Right, so everyone’s going to have a good laugh, yes?  Paper isn’t going to provide any protection, right?  It’s a useless oddity, of interest only to those with an interest in origami, and more free time on their hands than any security professional is likely to get.

Except, then you start thinking about it (if you are any kind of security pro.)  First off, it’s a nice illustration of at least one form of combination lock.  And then you realize that the lock is going to be useless unless it’s obscured.  So that brings up the topic of maybe security-by-obscurity does have a function sometimes.

Then you start thinking that maybe it isn’t great as a preventive control, but it sure works as a detective control.  Yeah, it’s easy to smash and get out whatever was in there.  But it’ll sure be obvious if you do.

So that brings up different types of controls, and the reasons you might want different controls in different situations, and whether some perfectly adequate controls may be a) overkill, or b) useless under certain conditions.

It’s not just a cute toy.  It’s pretty educational, too.  No, I’m not going to keep my money in it.  But it makes you think …


New computers – Kindle – Ebooks and education

Recently I was discussing the use of technology in education, when an odd (to me) question came up.  It was about the use of ebooks.  That wasn’t really high on my radar on the tech-in-ed landscape.  When I started (good grief, more than 30 years ago) the use of computers for textbooks was a vague, blue-sky idea that a guy named Vannevar Bush had once talked about.  (Actually, he was talking about a desk, rather than a book.)

Recently, of course, there has been a lot of discussion about ebooks.  School boards have been looking into cost savings.  Major tech corporations and publishing conglomerates are getting on the bandwagon.  So, her interest was natural.

Specifically, she wanted to know:

> Perhaps you talk to me a bit about why (from a non-environmental
> standpoint) it’s important for students to use digital e-books?
> Is there a learning curve when it comes to learning from an ebook
> rather than a textbook? Is there a shorter attention span?
> What about eye strain?
> How would this affect the structure of learning?

This I could do, having been given a Kindle for Christmas this year.  I have just finished doing my first review for the series, using an ebook on the device.  Definite tradeoffs: it was easier to grab quotes, much harder to make notes, easier to search, and a right royal pain to try and flip back and forth to check notes, index, etc.  Also a complete pain to check references in other works.

In terms of education, and using study materials in school, it was easier to grab quotes — which would make copying and plagiarism easy and very tempting.  That’s a bad thing.  It is much harder to make notes, and makes study, or writing your own paper, more difficult.  Again, given that the purpose of many assignments is to get students to practice creating their own writing, this is a bad thing.

On the other hand, it’s easier to search, and that’s good for studying.

But it’s a right royal pain to try and flip back and forth to check notes (most books don’t have footnotes any longer; they are now endnotes, at the back of the book), the index, appendices, and other material in the book.  It is also a complete pain to check references in other works — definitely bad for studying and learning.

In terms of it being “important” for students to use ebooks: as a former public school teacher I don’t think it is.  The only reasons would be cost, and getting up to date materials.  Frankly, the quality of almost all school texts is absolutely appalling, so having the latest version of tripe isn’t all that important.  So, that just leaves cost.

There is a learning curve to using an e-reader, but a fairly small one.  No, I take that back.  Actual reading isn’t that hard, but you do have to learn something about filing, arranging, and accessing material on the device, particularly in a school/learning situation.

The small screen size is a bit annoying, although you generally can increase the font size.  (The book I just finished reviewing was in PDF, and the font size options for that are much more limited.)  Generally I didn’t find much eye strain, although I’m used to reading small print, but in low light it was pretty awful.

In terms of learning structure, there could be some advantages.  As a teacher, I could create notes and send them to the devices of all the students: it would help that they could not say they didn’t have the assignment  🙂


New computers – Kindle – Books (part 1)

You can, of course, just buy books from Amazon.  It’s pretty easy: you choose the book, arrange payment, click on a link to send it to your Kindle, and, next time your Kindle is connected to a wireless network you choose “Sync & Check for Items” from the menu on the home page, and they get loaded onto your machine.

But, let’s suppose you are, like me, cheap.

Well, Amazon is still a source.  You can search on “public domain,” for example.  (Type in “public ” and Amazon will helpfully suggest something like “public domain books for kindle free.”)  That will get a list of books, most of which will be available free of charge.  (Most of them probably started life in Project Gutenberg.  We’ll get there later.)  You can even do it while your Kindle is connected via wireless, in the “Shop in Kindle Store” option on the home page menu.  Some of the books that come up will be books about the public domain, and those you’ll probably have to pay for.  Also, some of the books, even in the public domain, bear a charge, although it’s probably fairly modest.  You will have to wade through them until you come up with something you want to read.  (You will also have to wade through a whole bunch of titles in German.)

Now, these public domain books tend to be old.  There are definitely classics to be found: Austen, Dickens, Wilde, Twain, and many, many others.  If you want more recent titles, there are other searches you can do.

Try searching on “0.00”  That is the price you will see if the book truly is free of charge.  You’ll still see some of the public domain books, but you will also see some more modern titles.  (For some reason, lots of romances.)  Amazon seems to mess with searches for “0.00” especially if you add limits, like “0.00 science fiction”  You will only get a very few titles.  (The day I tried it, one was a science fiction magazine.  The description even said that this subscription was always free for Kindle users.  When I tried to subscribe, it asked for a credit card for “recurring charges.”)

But, there are many, many other sources.

As previously noted, there is Project Gutenberg.  This is the Grandfather of all free online book sources, started by Michael Hart.  There are over 20,000 titles in the catalogue, with more being added all the time.  They used to just be text, but they now come in half a dozen formats.  For Kindle, you’ll want .MOBI.  (I’ve also mentioned the formats Kindle will handle.)  Most of these titles appear elsewhere, including ManyBooks, which provides the texts in even more formats.

There is also a Website called Kindle Review.  They have suggestions about where to get free books (although they mostly seem to sell Kindles).  They have suggestions about books free at Amazon, particularly ones that are only available for a short time.  You have to search for some entries, and the site is not easy to navigate, but I found this Amazon listing of limited time offers to be quite useful.  They aren’t all free, but a fair number are.  (Remember, on Amazon, that in the upper right of the page you can sort, and one of the options is by price, lowest to highest.)


New computers – Kindle – More Encounters

A few random observations along the way:

The Kindle has rebooted spontaneously a couple of times since I got it, and sometimes it refuses to connect to wireless unless it gets rebooted.  Since the device is so simple, I would have thought that this shouldn’t be a major process, but it seems to take about two minutes to do a reboot.

One of the times that it wouldn’t connect, and I rebooted it, it scared the liver out of me.  It seemed to be at the end of its boot process, came up with the home page–except that it said I had zero items on the device.  At that point I had loaded about 50 books onto it, and sorted them into half a dozen collections, none of which were in evidence.  Shortly after that it did decide that my stuff was there, but you shouldn’t scare old people like me in that way.  It could have major medical consequences.  For my pants, if nothing else.  (When I finally tried out the USB connection to the computer, the first thing I did was back up the whole thing.)

Logging on to hotspots with redirection is still inconsistent.  Sometimes it has no problem at all; other times I go from “Shop in Kindle Store” to “Sync & Check for Items” to the browser, and a couple of times around before I get a chance to a) pick a network to which to connect, and b) a chance to reload whatever page the browser was on before, which finally prompts the redirect and login.

Amazon doesn’t like “selling” you the same book more than once, even if it is free.  (It will offer to reload the book for you, though, in case you’ve lost it or accidentally deleted it.)  If you send books via email, though, it will quite happily load the book twice, and give you two entries for it.


New computers – Kindle – BC Libraries

Even before I was given a Kindle, I was vaguely interested.  I use my local library a lot, and review and annotate stuff on their new system.  Recently the library has been pushing the fact that ebooks are available for borrowing.  In fact, they had a meeting about e-readers (which, worse luck, I was unable to attend), and even have some e-readers as loaners.

So, when I got the Kindle, the library site was one of my first stops.

It was not an unqualified success.

First of all, my local library has no ebooks for loan.  The actual ebooks seem to be loaned by the BC Libraries system.  I say “seem to,” because the actual ebooks, and the system for controlling them, seems to be run by an American outfit called OverDrive.  This becomes important once you start looking for titles and ebooks.  There is Kindle compatible material, but none of it is available in Canada.  (Which seems very odd when the site is supposed to be about the “BC” libraries.)

There are a very large number of ePUB format titles.  There are even some that appear to be free for the taking.  I tried one, converted it to .MOBI, and it seemed to work OK.

For the actual loan books, I placed a hold.  The hold came in.  I read the directions on the “Check Out Assistance” link.  I installed Adobe Digital Editions (even though I am, as a security specialist, really uncomfortable with Adobe products) in order to be able to return the item.  I “downloaded” the item to Adobe Digital Editions.  It now appears in my “library” on Adobe Digital Editions.  However, the way to “return” the item required help from a library tech, and it definitely is not intuitively obvious.  Oh, and it definitely won’t convert to Kindle format.

I guess I have to go to other sources.


New computers – Kindle – operation

Having been given a Kindle, what does one do with it?

Unless you have a Kindle Keyboard (a different model, with a keyboard about the size of that for a slide phone or Blackberry across the bottom of the screen), as noted, the virtual keyboard is a pain, so you aren’t going to do much writing.  That leaves reading.

First of all, then, you have to get some books to read.  You can copy them onto the Kindle, from your computer, with the USB cable.  I’ve done that now, and it works quite well.  Plug it into the computer, wait for the computer to read the device driver, and it shows up simply as a USB drive.  You can put files into the “My Documents” folder, and they show up on the device.  (You can also copy any or all of the “books” on the Kindle onto your computer, as backup.  Oddly, most ebooks seem to have four files associated with them, once you start reading them.)  I’m a bit loath to do the cable connection randomly just now, since, also as noted, plugging into a USB port on a computer starts charging, and, even though it’s a lithium polymer battery, I’d just as soon give it a few full cycles before I start messing with battery memory.

You can use the wireless connection in two different ways.  You can “shop” at the Amazon store.  Or, you can find your own files and ebooks, and email them to your Kindle.  When you set up, the device is assigned an email address.  You can find this under the “Settings” entry of the menu from the home page.  Find an ebook that you want, and send the file, as an attachment, to that address.  The next time the Kindle is attached to the net, you can sync, and that file will be downloaded to your device.  (If it doesn’t show up on the home page, it may be under the “Archived Items” section.  For some reason, some files seem to go there, possibly if the download isn’t complete.)

When I did some testing of the email-to-Kindle function, it generally worked well.  However, in my early tests, about half of the text files, and about a third of the .PDFs, didn’t come through.  I tested sending multiple files (four, all text) as attachments in a single message.  Two of them came through, and the other two never did.

So, you can just get any ebooks, right?  Well, not quite.  The Kindle seems to be fairly limited in this regard.  You can get ebooks from Amazon, of course.  These are indicated by an .AZW extension.  In terms of the ebook standards, you can also get and read .MOBI files.  (.MOBI and .AZW are apparently the same format, except that .AZW are locked by Amazon.  You can get some utilities to unlock and convert them, but I haven’t done a lot of testing with that yet.)  The Kindle can handle text files, but, of course, they don’t have any formatting.  Kindle says it can handle HTML, and that is partially true.  You can send an HTML file, and it will come through.  But it doesn’t render: you simply see the text of the file, HTML code and all.

Kindle says it can handle .PDF, although it also says this is experimental or beta.  It doesn’t support links within a .PDF, but it does support extracting text from a PDF (as long as it really is text, and not an image), which I found handy, and just a little surprising.  It does not, of course, handle locked or password protected files.

And it does not handle .ePUB format, which is a real nuisance.
