Archive for August, 2019

Please refrain from tasting the KNOB.

Friday, August 16th, 2019

As a Bluetooth guy, and as someone who just posted a bunch of DEFCON 27 stuff, I feel compelled to say something about the Key Negotiation of Bluetooth Attack (aka KNOB) which has been getting a lot of attention the past few days.

Here’s the actual paper from the USENIX Security Symposium.

The attack allows a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key with only 1 byte (8 bits) of entropy. Such low entropy enables the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time). The attack is stealthy because the encryption key negotiation is transparent to the Bluetooth users. The attack is standard-compliant because all Bluetooth BR/EDR versions require support for encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected. [Emphasis in the original – DB]

Here’s a higher level overview of how the attack works.
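The key-size negotiation the abstract describes, as an added example (not code from the paper or any Bluetooth stack): a simplified model of the LMP exchange with an attacker rewriting the proposal, then the same run with one side enforcing a 7-byte floor. That floor is the post-KNOB Bluetooth SIG recommendation and is assumed here rather than taken from the page.

```python
"""Model of the BR/EDR encryption key size negotiation that KNOB abuses.
Added example, not code from the paper or any Bluetooth stack: message names
follow the LMP procedure but the exchange is simplified, and the 7-byte floor
is the post-KNOB Bluetooth SIG recommendation (assumption: verify your stack)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

SPEC_MAX_KEY_BYTES = 16
SPEC_MIN_KEY_BYTES = 1   # the spec allowed a 1-byte key: the root cause of KNOB
SIG_MIN_KEY_BYTES = 7    # recommended floor after KNOB

@dataclass
class Controller:
    name: str
    min_key_bytes: int = SPEC_MIN_KEY_BYTES
    max_key_bytes: int = SPEC_MAX_KEY_BYTES
    log: list = field(default_factory=list)

    def on_key_size_req(self, proposed: int) -> Optional[int]:
        """LMP_encryption_key_size_req handler: accept anything between floor and ceiling."""
        if self.min_key_bytes <= proposed <= self.max_key_bytes:
            self.log.append(f"{self.name}: LMP_accepted key_size={proposed}")
            return proposed
        self.log.append(f"{self.name}: LMP_not_accepted key_size={proposed}")
        return None

def negotiate(a: Controller, b: Controller,
              mitm: Optional[Callable[[int], int]] = None) -> Optional[int]:
    """A proposes its maximum. A man in the middle may rewrite the proposal in
    flight (KNOB lowers it to 1) and reflect the lowered value back to A, so each
    side believes the other asked for the small key. Returns the agreed size."""
    proposed = a.max_key_bytes
    on_wire = mitm(proposed) if mitm else proposed
    accepted_by_b = b.on_key_size_req(on_wire)
    if accepted_by_b is None:
        return None                          # B refused; no downgrade possible
    return a.on_key_size_req(accepted_by_b)  # A checks what it believes B proposed

def knob_mitm(_proposed: int) -> int:
    return SPEC_MIN_KEY_BYTES                # rewrite every proposal to 1 byte

def key_space(entropy_bytes: int) -> int:
    """Candidate keys an eavesdropper has to try: 256 for KNOB's 1 byte."""
    return 256 ** entropy_bytes

def demo() -> dict:
    """Unpatched pair, one side enforcing the floor, and an attacker-free run."""
    unpatched = negotiate(Controller("A"), Controller("B"), knob_mitm)
    one_side = negotiate(Controller("A"), Controller("B", min_key_bytes=SIG_MIN_KEY_BYTES), knob_mitm)
    honest = negotiate(Controller("A", min_key_bytes=SIG_MIN_KEY_BYTES),
                       Controller("B", min_key_bytes=SIG_MIN_KEY_BYTES))
    return {"unpatched": unpatched, "one_side_patched": one_side, "honest": honest,
            "keys_to_try_after_downgrade": key_space(unpatched)}
```

In this model one side enforcing the floor is enough to refuse the downgrade, because the negotiation only completes when both controllers accept the size.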

Also of interest, also from USENIX, also getting some media attention: “Please Pay Inside: Evaluating Bluetooth-based Detection of Gas Pump Skimmers”. What’s cool about this is that the authors have developed Bluetana, an Android app that scans for Bluetooth devices in the area (every five seconds), displays a list of devices it found, and highlights ones that show characteristics similar to those of Bluetooth skimmers.

First, the app checks the device’s class. All skimmers studied within this work, whether discovered by Bluetana or not, had a device class of Uncategorized. If the device class is not uncategorized, the data is saved for later analysis. The device’s MAC prefix is then compared against a “hitlist” of prefixes used in skimming devices recovered by law enforcement. If the device has a MAC that is not on this hitlist, it is unlikely to be a skimmer, and the app highlights the record yellow. Next, if the device name matches a common product using the same MAC prefix, the record highlights in orange. If all three fields (MAC prefix, Class-of-Device, and Device Name) indicate the device is likely to be a skimmer, Bluetana highlights the record in red. The highlighting procedure is the result of a year of refinements based on our experience finding skimmers in the field, and Bluetana includes a remote update procedure to account for these incremental changes.
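The highlighting procedure quoted above, implemented as an added example (not the Bluetana app's code). The hitlist prefixes, product names and scan records are constructed placeholders; the real hitlist comes from recovered skimmers and is not on the page.

```python
"""Bluetana-style triage of Bluetooth scan records, following the paper's
class / MAC-prefix / name order. Added example, not the Bluetana app's code;
the hitlist, product names and scan below are constructed placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

COD_MAJOR_UNCATEGORIZED = 0x1F   # major device class (bits 8..12) "Uncategorized"
# Constructed hitlist: OUI prefix -> (common product names sold with that prefix,
# names seen on recovered skimmers). Real entries are not on the page.
HITLIST = {
    "00:11:22": ({"AUDIO-LINK-200"}, {"SERIALMOD"}),
    "AA:BB:CC": ({"GPS-TRACKER"}, {"BT-SPP"}),
}

@dataclass(frozen=True)
class ScanRecord:
    mac: str
    name: str
    class_of_device: int

def normalize_prefix(mac: str) -> str:
    """First three octets, upper case, colon separated ("aa-bb-cc-..." -> "AA:BB:CC")."""
    octets = mac.replace("-", ":").upper().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(octets[:3])

def major_class(cod: int) -> int:
    return (cod >> 8) & 0x1F

def triage(rec: ScanRecord) -> Optional[str]:
    """Highlight colour for one record, or None when it is only stored for later analysis."""
    if major_class(rec.class_of_device) != COD_MAJOR_UNCATEGORIZED:
        return None
    entry = HITLIST.get(normalize_prefix(rec.mac))
    if entry is None:
        return "yellow"     # uncategorized, but the prefix is not on the hitlist
    _common_products, skimmer_names = entry
    if rec.name in skimmer_names:
        return "red"        # class, prefix and name all point at a skimmer
    return "orange"         # prefix hit, name matches a common product (unknown name: same, an assumption)

def triage_scan(records: List[ScanRecord]) -> List[Tuple[str, str, Optional[str]]]:
    """Colour every record in a scan snapshot, most suspicious first."""
    rank = {"red": 0, "orange": 1, "yellow": 2, None: 3}
    return sorted(((r.mac, r.name, triage(r)) for r in records), key=lambda row: rank[row[2]])

SAMPLE_SCAN = [   # one constructed five-second scan snapshot
    ScanRecord("12:34:56:78:9A:BC", "Unknown", 0x1F00),          # yellow
    ScanRecord("AA:BB:CC:01:02:03", "GPS-TRACKER", 0x200404),    # Audio/Video class: stored only
    ScanRecord("00-11-22-66-77-88", "AUDIO-LINK-200", 0x1F00),   # orange
    ScanRecord("00:11:22:33:44:55", "SERIALMOD", 0x1F00),        # red
]
```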

I’m fascinated by both of these papers, just based on a preliminary skimming. I’m hoping to do a detailed reading at that mythical point in the future when I have more free time…

Black Hat/DEFCON 27 links: August 16, 2019.

Friday, August 16th, 2019

Apologies for being behind on this: I’m also working on another project that’s taking up a lot of my blogging time, but I hope to be done with that soon.

Obit watch: August 14, 2019.

Wednesday, August 14th, 2019

Dr. Carl A. Weiss Jr.

The name may ring a small bell for some of you. Others of you may be more familiar with his father…

…Dr. Carl A. Weiss, aka “The man who shot Huey Long”.

Maybe.

Carl Jr. would go on to learn a great deal about the senator and his father: that Long — who had seized near-dictatorial power to become what President Franklin D. Roosevelt branded as the most dangerous man in America — lingered 31 hours before he died of a single bullet wound, a victim, some said, of botched medical care by a patronage appointee at a Baton Rouge hospital; that his father — whose Tulane University yearbook had proclaimed that he was “bound to go out and make the world take notice” — died instantly, his body perforated with 61 bullet holes; and that his father — an antagonist of the Long regime but by most accounts an unlikely murderer — was just as rapidly convicted in the court of public opinion as the assassin.

The junior Dr. Weiss spent much of his life trying to prove that his father did not shoot Long. Some historians agree:

The counternarrative asserts that the doctor had only punched Long, that the bodyguards had overreacted and that Long was actually killed in the fusillade of their bullets. The guards were said to have then covered up their reckless response by pinning the death on Weiss.
“In his heart he knew the allegations weren’t true,” Carl III said of his father in a telephone interview. “The one-man, one-gun, one-bullet is not what occurred.”
Professor Richard D. White Jr., dean of the E. J. Ourso College of Business at Louisiana State University and the author of a more recent biography, “Kingfish: The Reign of Huey P. Long” (2006), shares those doubts.
“As a historian I cannot say either way, but deep in my heart I do not believe Carl shot Huey, but instead a stray bodyguard bullet hit him,” Professor White, who had met with Dr. Weiss Jr., said in an email this week.

Dr. Weiss ultimately cooperated with James E. Starrs, a forensic scientist at George Washington University, who tracked down Carl Sr.’s revolver (it was not unusual for Baton Rouge doctors making late-night house calls to be armed) and a single spent bullet.
They were found in a safe deposit box belonging to the daughter of Louisiana’s former top police official. Dr. Weiss joined the State Police in successfully suing to review the records and test fire the gun.
The police concluded that the bullet — if it was, indeed, the one that had killed Long — had not come from Weiss’s revolver.
Long’s clothes were also examined, and here the tearing of the material and the residue left on it indicated that Long had been shot at point-blank range. That undercut at least one theory — that Long was killed by a ricocheting bullet fired by a bodyguard.

I want to note here, for the record, that the supposed Weiss gun was not a revolver, but an FN Model 1910 pistol. As a matter of fact, it was this one.

I don’t know what to think about Long and Weiss. I’m inclined more in the direction of T. Harry Williams (who was writing close enough to the event that he could interview some first-hand witnesses, and believed that Weiss shot Long) than I am towards some of the later historians. On the other hand, the whole thing is just such a mess of botched investigations and chain of custody questions (how did the Weiss gun and the bullet end up in that guy’s safety deposit box?) that I doubt we’ll ever know anything for sure.

Quel fromage!

Tuesday, August 13th, 2019

I don’t think this qualifies for flaming hyenas status. Yet.

The Santa Clara County District Attorney’s Office served a search warrant at the Sheriff’s Office last week, as part of an apparent corruption probe into allegations of political favoritism in the agency’s issuing of concealed weapons permits, according to sources familiar with the investigation.

…sources confirmed that the investigation involves an alleged “quid pro quo” between donors to six-term Sheriff Laurie Smith’s election efforts and people who have obtained concealed-carry weapons permits from her office, which has been relatively stingy about issuing the privilege compared to neighboring counties.
The sources also said that the probe, while publicly surfacing over the past few days, had been in the works far longer and that it is focused on some of Smith’s trusted advisers in the agency.

…at least four recipients of the 13 permits either issued or renewed last year donated at least $1,000 to Smith’s re-election efforts, including to her formal campaign or to the independent Santa Clara County Public Safety Alliance that supported her.
That includes match.com founder and Santa Clara County Valley Water District board member Gary Kremen, a Los Altos resident who donated $5,000 to the safety alliance group last fall, during Smith’s re-election bid for a sixth term.

Black Hat/DEFCON 27 links: August 13, 2019.

Tuesday, August 13th, 2019

I had a lot of trouble finding this on the site, but: the DEFCON 27 media server is here.

I’ve got to wrap this up for now, as my lunch hour is almost over. I may try to do a second post tonight, if I find enough additional material to justify one. Otherwise, please share, enjoy, comment, and thank any presenters whose work you found particularly enjoyable or valuable.

Obit watch: August 13, 2019.

Tuesday, August 13th, 2019

Dorothy Olsen. She was 103 when she passed away on July 23rd.

You’ve probably never heard of her, but she was one of the WWII Women Airforce Service Pilots (WASPs). The WASPs ferried military aircraft from manufacturing plants to points where they could then be flown overseas.

Transporting and testing the latest models, towing targets and transferring captured enemy planes, the WASPs collectively flew an estimated 60 million miles from 1942 to 1944. Thirty-eight died in accidents during training or on duty.
From her base in Long Beach, Calif., Mrs. Olsen flew 61 missions for the Sixth Ferry Group in nearly two dozen models, including P-38s, P-51s and B-17s. She flew them to West Coast airfields to be deployed in the Pacific, or to Newark to be deployed in Europe.

The WASPs were initially considered to be civil service employees and not military.

The WASPs were finally recognized as veterans eligible for benefits in 1977 under President Jimmy Carter. In 2010 they received as a group the Congressional Gold Medal, one of the nation’s two highest civilian awards.

According to the paper of record, Ms. Olsen’s death leaves 38 surviving WASPs.

Henri Belolo, co-founder (with Jacques Morali) of the Village People.

I love the caption on that first photo.

TMQ Watch: August 2019.

Monday, August 12th, 2019

Looks like the NFL is getting fired up again.

Yes, the loser update will return this year. We haven’t sat down to consider which teams are likely candidates for the Owen-16 trophy, but maybe we’ll get some time to do that between now and the start of the regular season.

But we are sure everyone is asking this question: what of Gregg Easterbrook and “Tuesday Morning Quarterback”? Has he found a new home, since the “Weekly Standard” folded up their tent and headed into the long dark night? And what of “TMQ Watch”? Will that be a recurring feature next year?

To answer the last question first: sadly, no. No “TMQ Watch” in 2019. Why?

Not our choice, Easterbrook’s. We may try to keep an eye on his Twitter feed for noteworthy items relating to the NFL. But we’ve found that Easterbrook’s Twitter feed is a reliable way of pressure testing our cerebral arteries, so we don’t recommend making bets on how much and how often we’ll be doing that.

Bagatelle (#13)

Saturday, August 10th, 2019

Every now and then, I see a story in one of the papers and think to myself, “Dick Wolf’s going to get an episode of ‘Law and Order: Kinky Sex Crimes’ out of this one.”

Today is the first time I’ve ever thought “Dick Wolf’s going to get an entire season of ‘L&O:KSC’ out of this story.”

Black Hat/DEFCON 27 links: August 9, 2019.

Friday, August 9th, 2019

Some more stuff I’ve stumbled across from Black Hat:

I expect to be somewhere between slightly and highly busy this weekend, so updates will be catch as catch can. It might be Monday before I can pull more stuff together, but I’ll try as best as I can to get updates before then.

Obit watch: August 9, 2019.

Friday, August 9th, 2019

Rosie Ruiz, historical footnote. She apparently died in early July, but her death was not widely reported until recently.

For the younger set: Ms. Ruiz “won” the 1980 Boston Marathon, with a “finishing time” of 2:31:56.

But suspicions about her victory arose immediately. Spotters had not seen her at checkpoints along the 26-mile course, and after the race she told a television interviewer that she had run only one other marathon, the 1979 New York City Marathon, and that she had finished that race in 2:56:33.

Eventually, it came out that Ms. Ruiz hadn’t actually finished the NYC Marathon:

New York City Marathon officials invalidated Ruiz’s time after reviewing videotape showing that Ruiz had not crossed the finish line in the time she had mistakenly been assigned by a volunteer, who thought Ruiz was an injured runner.
Days later, Ruiz’s victory in Boston was also nullified. Race organizers there based their decision on about 10,000 photographs taken along the last mile of the race as well as on information supplied by the news media and observers along the route. In addition, at least one witness recalled seeing Ruiz enter the course at Kenmore Square, about a mile from the finish line.

Jacqueline Gareau was declared the women’s winner. According to Wikipedia (I know, I know) her time was 2:34:28, which was a record women’s time for the Boston Marathon.

Black Hat/DEFCON 27 links: August 8, 2019.

Thursday, August 8th, 2019

So here’s the first round of stuff from Black Hat and DEFCON 27. I apologize that I’m just posting links, but I haven’t had time to really digest any of these presentations, and I want to get the links up while they are still semi-timely:

  • “Look, No Hands! — The Remote, Interaction-less Attack Surface of the iPhone” by Natalie Silvanovich. Slides here. Google Project Zero blog post here.
  • “Bypassing the Maginot Line: Remotely Exploit the Hardware Decoder on Smartphone” by Xiling Gong and Peter Pi. White paper here. Slides here. Blog post here.
  • “Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)” by Sean Metcalf and Mark Morowczynski. Slides here.
  • “Reverse Engineering WhatsApp Encryption for Chat Manipulation and More” by Roman Zaikin and Oded Vanunu. Slides here.

I think it’s still early for today’s Black Hat and DEFCON presentations. I may try to get another post up tonight.

Don’t be evil.

Wednesday, August 7th, 2019

I’m seeing reports that Google is deleting gun blogs.

The only one I’ve been able to “confirm” so far is “No Lawyers – Only Guns and Money”: John Richardson has posted on Twitter that his blog has been locked. (Hattip: SayUncle.)

Thing is, one data point doesn’t make a trend, and it could be just incompetent Google support (is that redundant?). Or it could indeed be a Google decision.

My point here is mostly: it doesn’t matter if you’re on Google, or on a third party hosting provider, or even if you own your own server. Back your (stuff) up.

And in that vein, thanks to McThag for the valuable reminder that I hadn’t backed my (stuff) up in a while. A failing which I have since corrected.

Lock, lock, baby, baby.

Wednesday, August 7th, 2019

I missed these the first time around, but the Hacker News Twitter linked to them a couple of days ago. I thought I’d blog them for the benefit of all my lock/computer security/Internet of Broken Things fans.

There’s a type of lock called the FB50 smart lock. It’s manufactured by a Chinese company, and sold “under multiple brands across many ecommerce sites”. As you might guess, it has Bluetooth and an app.

And, of course, it’s vulnerable. Once you get the lock’s MAC address (which, you know, you can get just by looking for Bluetooth devices in the area), you can use a series of HTTP requests to get the lock ID and the user ID, and then disassociate the user from the lock and associate yourself.

Discussion and proof of concept code here.

And the footnotes on that led me to another Pen Test Partners lock exploit (these are the folks who brought you the Tapplock one). This time the target is something called the Nokelock, which is apparently popular on Amazon (“…they do a number of different formats in a number of different body types, sometimes with other unlocking devices, such as fingerprint sensors. There are other brand names they get repackaged as, such as Micalock.”)

So the Bluetooth packets are encrypted. But…

…the key can be obtained from the API by two methods. All the API requests need a valid API token, which can be obtained by simply creating a user with a throw away email address.

And:

…all traffic, including the user’s traffic is sent via the unencrypted HTTP protocol.

And there’s no authorization for API calls. All you need is a token, which (as noted above) you can get with an email address. Once you’ve got a token, you can grab the information about any lock, “including email address, password hash and the GPS location of a lock”.

And the password hash is unsalted MD5. “This is a cryptographically weak hash type that can be run through very quickly.”
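The two API defects just described, modelled as an added example (not the vendor's or Pen Test Partners' code): a handler that checks only for a valid token beside a hardened one that also checks ownership, and unsalted MD5 storage beside salted PBKDF2. Users, locks and the BLE key are constructed.

```python
"""Model of a lock vendor's cloud API with the defects described for the Nokelock:
any valid token reads any lock (no authorization) and passwords are stored as
unsalted MD5. Added example, not the vendor's or Pen Test Partners' code; data is constructed."""
import hashlib
import secrets

USERS = {}    # email -> stored password hash (constructed backend state)
TOKENS = {}   # api token -> email
LOCKS = {101: {"owner": "alice@example.com", "gps": (30.2672, -97.7431),
               "ble_key": "constructed-ble-key"}}

def register(email: str, password: str, hardened: bool = False) -> str:
    """Create a user and return an API token (any email works, as on the real service).
    Vulnerable path: unsalted MD5; hardened path: salted PBKDF2-HMAC-SHA256."""
    if hardened:
        salt = secrets.token_bytes(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        USERS[email] = f"pbkdf2_sha256${salt.hex()}${dk.hex()}"
    else:
        USERS[email] = hashlib.md5(password.encode()).hexdigest()
    token = secrets.token_urlsafe(16)
    TOKENS[token] = email
    return token

def get_lock_vulnerable(token: str, lock_id: int) -> dict:
    """Checks that the token exists but never who owns the lock, so a throwaway
    account reads every lock's owner email, password hash, GPS position and key."""
    if token not in TOKENS:
        raise PermissionError("invalid token")
    rec = LOCKS[lock_id]
    return {**rec, "owner_password_hash": USERS[rec["owner"]]}

def get_lock(token: str, lock_id: int) -> dict:
    """Hardened: the lock must belong to the token's identity; no email or hash in the reply."""
    caller = TOKENS.get(token)
    if caller is None:
        raise PermissionError("invalid token")
    rec = LOCKS.get(lock_id)
    if rec is None or rec["owner"] != caller:
        raise PermissionError("no such lock")   # same answer for missing and foreign ids
    return {"gps": rec["gps"], "ble_key": rec["ble_key"]}

def demo() -> dict:
    """Owner and throwaway account against both endpoints."""
    alice = register("alice@example.com", "correct horse")
    intruder = register("throwaway@example.com", "x")
    leaked = get_lock_vulnerable(intruder, 101)
    try:
        get_lock(intruder, 101)
        blocked = False
    except PermissionError:
        blocked = True
    return {"leaked_hash": leaked["owner_password_hash"], "blocked": blocked,
            "owner_sees_gps": get_lock(alice, 101)["gps"] == LOCKS[101]["gps"]}
```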

Extra bonus points: the footnotes for the Pen Test Partners entry point to yet another lock exploit, this one for something called the Klic Lock.

An authentication bypass in website post requests in the Tzumi Electronics Klic Lock application 1.0.9 for mobile devices allows attackers to access resources (that are not otherwise accessible without proper authentication) via capture-replay. Physically proximate attackers can use this information to unlock unauthorized Tzumi Electronics Klic Smart Padlock Model 5686 Firmware 6.2.

I don’t think I can put it any better than icyphox did:

DO NOT. Ever. Buy. A smart lock. You’re better off with the “dumb” ones with keys.

Also an obit watch.

Tuesday, August 6th, 2019

It has been really, really hard to find anything linkable on this, but Lawrence has a post up at his other blog:

Barry Hughart, noted fantasy writer. I’m not a big fantasy fan, but I’ve heard a lot of folks I trust (including Lawrence) rave about the Master Li and Number Ten Ox books. I do want to read them: I just haven’t been able to accumulate copies.

(Of course, if I were sufficiently motivated, Lame Excuse Books could probably take care of that.)

Layers and layers of fact checkers.

Tuesday, August 6th, 2019

I noticed this over the weekend and pointed it out to a few people, but it’s still going on: