Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Hopeless gestures’ Category

ASSESSMENT: X-Ray Machine Exploits and TIP File Manipulation



Exploiting The X-Ray Machines, TIPs, & TSANet:

A few years ago I worked with a startup whose main goal was to protect the L3/Smith/Rapiscan machines from compromise by physical and network attacks. At the time the claim was made that the systems were not connected to any networks, that they were in fact islands, and that this type of attack was not a real problem. Of course, in the process of assessing these machines (one of them in a garage with an explosives expert) it became quite clear that these machines were wholly insecure and likely to be compromised at some point to allow things through the system. Connectivity issues aside, physical access to the systems could be procured by saboteurs working in TSA, and local compromise of the weak OS (Win98 as well as XP based, as the Wired article states) could be carried out locally with a USB drive. So when looking at the threat-scape and reporting back to TSA and the makers of these machines, it was clear that this type of attack was possible, but my issue was whether or not there was a probability of it being used as an attack vector. When talk started about networking these machines, as well as others (i.e. bomb sniffers), to the TSANet, the startup changed direction a bit and began to work on the idea of a SOC to monitor the machines and the network to ensure no tampering had been carried out. Unfortunately, though, the TSA and other entities did not really buy off on the idea, and in fact the technologies on the systems did not make it easy for any kind of monitoring to be carried out. I went on my way having had a good insight into how TSA/DHS detection machines worked, and had fun with the explosives expert messing around with the technologies and talking about red team exercises he had carried out in the old days with simulants. Then I saw the article in Wired yesterday and hit up my explosives and machine experts, who got a bit unhappy with the article.

Exploit to Terrorism:

The Wired article, on the whole of it, is correct: it is quite possible to insert those already pre-made images into the system, because that is how it is supposed to work. The article, though, mentions being able to insert socks over a gun, for example, in an image to cover up the fact that the gun is there. This one point was vehemently refuted by the guys I worked with as too hard to pull off live, and, as I agreed, it would just be easier to pass along a similar bag image itself instead of trying to insert an image into an image to obfuscate things. I think perhaps the reporter got that idea a bit wrong in translation, but perhaps the researchers thought they could pull that off. Either way, this brings up a larger issue of the exploit itself being used at all. In hacking and exploits, as in terrorism, attackers often opt for the path of least resistance. In this case I personally don’t see this type of attack as the first go-to for any attacker. I think it would be much more advantageous and easier for the attackers to use insiders to allow things to get past the systems, or to bypass them altogether, to effect their goals. This type of attack has been seen before within airport security mechanisms with regard to thefts and smuggling, so it is a higher likelihood that if AQAP were to attempt to board a plane with guns or other explosives, they would use insiders to pass that through the system without being seen by any X-ray or bomb detection at all, and not attempt to hire hackers to compromise a networked machine, or physically access one, to pass a gun or guns through the TSA line. This is also why at the time of 9/11 the 19 went for very low-tech solutions of box cutters to overtake planes and use them as missiles against buildings; it’s just the path of least resistance.

Failure Rates on X-ray and MM Wave Results:

Meanwhile, the TSA has never been seen as a bastion of security by the public from day one. As time has progressed the people of this nation have realized that much of the function of the TSA seems to be to harass the passengers and provide a simulacrum of security that really isn’t there. How many times have you, dear traveller, passed things through security, primarily the color X-ray Smith/L3/Rapiscan machines, without even trying? I have gone through TSA on many occasions with forgotten knives and other things that are forbidden, and TSA completely missed them on the scans. Once again I would point to the systems being insecure or the processes being lax as what would lead to compromise of the overall security, and not so much a hack on a Smith machine for a terrorist attack’s success. A recent OSINT search in Google turned up an interesting document, an assessment of Hartsfield, Atlanta’s airport, by the OIG that shows just how this airport at least was not following processes and procedures, which would make an attack much easier for the prepared aggressor. There are other documents out there and you can go dig them up, but the point is that if you are not carrying out the policies and procedures, the technologies will not prevent their being bypassed. Additionally, there are issues around the accuracy of the technologies as well that have been addressed by the makers of the machines and the government, so these systems are in no way foolproof and it requires vigilance to make them work well. The net/net here is that the technology can fail, be tampered with, or be bypassed altogether without the need for an exotic and technical exploit series to be carried out on them to forward a terrorist attack.


ANALYSIS:

My analysis here is that, yet again, the research is valid, but the hype around the revealing of such research at places like the recent Kaspersky Security Analyst Summit is just a way to garner attention. Much like the issues with the power grid and physical attacks, which I profiled last on this blog, we are enamoured with the idea of cyber attacks as a vector for terror, but the realities are somewhat more mundane. A physical attack or an insider attack is much more probable in this case, as in the power systems attacks, as the main modus operandi, not an elaborate hack on insecure machines that will require access to begin with. At such time as we have networked all of these machines (remember, many are islands presently) we will have to address these issues much more closely, and yet still, this attack vector may be sexy to the hacker set, but not so much to the terrorist set today. The machines are insecure, though; the researchers are bang on about that, and these issues should be addressed, but then you have to look at the government procurement process as well as the corporations that do not want to have to re-architect their systems completely. It was a pain to try to get these makers to add APIs to their code in order to allow for remote monitoring by a SOC, so think about telling them that they have to not only harden their systems but also re-architect them completely to run on more advanced systems than Win98. I would also point you all to the recent revelation that 94% of the ATMs in the world still run on Windows XP… How about an upgrade there?

K.

Written by Krypt3ia

2014/02/12 at 13:38

OFFICIAL STATEMENT On (ISC)2 and The Freak Power Ticket



Recently I added my name to the candidate list of ISC2 board members in the running this year. After a flagging showing thus far and some tweet conversations, I am getting the impression that people have some odd notions about ISC2 and perhaps my running. So I wanted to clear the air some and set the record straight for those unable to navigate sarcasm or irony. I am running partially as a serious effort and partially as a farce. Now, this may escape some, and I would encourage those who don’t get the motives or means to go look up Hunter S. Thompson’s run for Sheriff in Colorado for a little better understanding of my meaning.

I am running for the board while knowing that we, “The Four Horsemen of the Infosec Apocalypse,” have little to no chance of getting on the board in the first place. Why do we have little to no chance? Because the org is an ossified bastille on a hill of old guard founders who don’t want the boat rocked at all. That’s why. All of us are undertaking not only a battle with little chance of winning in the first place (we all pretty much agree on this) but then, once inside, were any of us to make it, we would surely be voted down on the changes we would like to make to this org.

All of us, all the horsemen, are seeking to change the org for the better because in some way we think we can and should. Others, like @errattarob, feel that the org just needs to be burned to the ground, and loathe it for its very aegis as it stands. I would agree with Robert, but I don’t think that the org just needs to burn; instead, perhaps there is a minuscule, at best, chance that some change can come with the right group of people rattling cages.

Oh god.. Does that make me a Pollyanna? Crap…

Anyway, look, yeah, I am taking this all tongue in cheek, but, like Hunter, I do have a reason, and that reason is not just for the LULZ. If I were on the board I would try to make things better. Short of that, though, were there no way to effect change, then I would make their lives as miserable as possible. Why? Because they are doing all of us a disservice with the way things are run now. The very least of these things is the way that ethics are handled within this org by the old guard in place. Just look at the players here..

Do you really think any of us has a chance here? I mean, c’mon, we get 500 signatures and then the BOARD votes on who they want on it? WTF kind of election process is that?

EDIT: MEA CULPA, I did not read the bylaws and was misinformed. The voting is done by the masses via email evidently. MYBAD… So, the rest of my screed still applies, but I wanted to correct this factual error. At least the masses can vote for whom they want.

Vote for the horsemen… If not me, then the others. I am doing this on a lark, really, but it’s for a bigger point here. Those of you who take the ISC and CISSP seriously need to seriously look at your org. You need to take that rather large stick out of your asses and your fingers out of your ears and really LOOK at it all. Do you think that any of us with this certification really are good at what we do because we took that test and adhere to some crap-ass ethics rules that the board ignores when they see fit?

Get over yourselves.

If that’s your gig, and you think everything in ISC2 is Nirvana Inc… So be it.. Continue on your way.

If you want change and effectiveness in this org and this certification.. VOTE for one or all of us.

“FREAK POWER!”

K.


Written by Krypt3ia

2012/08/26 at 13:19