Researchers disassemble an AT&T microcell and find that even AT&T’s backdoors have backdoors

• A microcell is a small consumer device that increases the signal strength of your mobile connection be acting as a miniature cell tower in your house, using your broadband internet connection to connect back to the telco via a secure IPSEC tunnel
• The device is fairly complex and includes two System-on-Chips (one Ralink, the other picoChip), a Xilinx FPGA, radio hardware and a GPS module. GPS is used both for radio timing and for determining the position of the box. The box is only ‘allowed’ to work when within the area nominally serviced by AT&T.
• The device includes a nice little tamper-detection mechanism which uses a set of 6 possible jumpers (3 of which are marked in purple on the above photo) to detect when someone removes the covers. The specific jumper-settings are supposedly unique per device. However researches believe they have worked around this.
• After opening the device, researchers were able to locate the serial console for the Ralink device fairly quickly.
• At boot time, the device spews a lot of information, and allows you to interrupt the boot process by pressing a number to select a ‘bootloader shell’. The bootloader is u-boot.
• Using the u-boot ‘md’ (memory display) command, we were able to dump the Ralink’s flash memory over the serial connection
  +The Ralink SoC runs a 2.6.21 linux kernel. The kernel contains an lzma-compressed initramfs, which is the root filesystem for the device. It is mounted rw, but changes don’t persist between reboots
• The system includes users for ssh and root, both of which have the same password. The password is non-dictionary, but after around 5 days of average processing, we were able to determine the password. This allows us to log-in to the device at the serial console
• Topping it all is the ‘wizard’: It turns out that wizard is quite the magician. Its main trick is to provide a full backdoor to the device, allowing for full, remote, unauthenticated, root command execution on the box. You only need to know where to point your netcat
• It is probably only intended to be used over the secure IPSEC tunnel which the picoChip SoC creates automatically. In other words, the microcell creates a tunnel back ‘home’ to AT&T headquarters, then they connect over this tunnel, and send packets to the wizard. Unfortunately, they set up the wizard to bind on 0.0.0.0 (an alias for all IP addresses), so the backdoor is accessible over the WAN interface, allowing anyone with access to control the device
• The backdoor uses simple UDP packets to transmit requests and receive responses.
• There are a number of operations supported, but the most useful one is called ‘BackdoorPacketCmdLine’. Yes. It’s actually called ‘Backdoor’. This command lets you execute any linux command. Execution is performed using the backticksh function.
• The response packets are sent to a hard-coded UDP address: 234.2.2.7. In order to get around this, we can set up a ‘redirection’ in the iptables firewall running on the box, to make packets which would go to 234.2.2.7 instead go to our own host – allowing us to see the output of the commands we send.
• Hardware Tear Down

FTC fines RockYou for making claims about user privacy and data security while storing user passwords in plaintext

• In late 2009 social gaming site RockYou.com was breached and their database of 32 million email address and passwords was leaked online
• The critical part of this story is that the passwords were stored in plain text, this was one of the largest such breaches of plain text passwords and results in some interesting studies on the patterns people use to select passwords
• Unlike other breaches such as gawker, where the passwords were insecurely hashed, the analysis extended beyond just weak passwords that could easily have their hashes cracked, the passwords being in plain text meant that every password was exposed, giving researchers more insight into the more secure passwords as well
• Further exacerbating the issue was the fact that 179,000 of the accounts that were exposed belonged to minors, and were collected in violation of the COPPA laws
• The site was compromised via a fairly trivial SQL injection
• the FTC specifically took issue with the security claims on RockYou.com’s website, and as part of the settlement, RockYou.com has been barred from making future deceptive claims about user privacy and data security, must submit to regular 3rd party security audits for the next 20 years, delete all user data illegally collected from minors and pay $250,000 in civil fines
• Full settlement details
• Nitpicking: the ZD article ends quite a quote “if you store your customers’ data in plain text, please go encrypt it”. Passwords should NOT be encrypted, encryption is reversible, and requires the same key to encrypt as to decrypt, meaning the system must have to key in order to store new passwords, and that same key can be used to decrypt all passwords, providing almost 0 additional security if that server is compromised. Passwords should always be hashed using a cryptographically secure hashing algorithm, such as a salted SHA256 or Blowfish hash
• Slashdot coverage of original breach

Feedback:

• Luke from the UK writes, asking us to spread the word about a petteition to Scrap Plans to Monitor all Emails and Web Usage

• Andy writes, and wants to know how Allan backs up all his big data (lol)!

War Story:

What happens when the IETF (Internet Engineering Task Force) shows up for their conference at your hotel, and your wireless and wired internet is flaking? They fix it for you

Major players in the IETF showed up in Paris last week for the 83rd IETF meeting only to find the hotel’s wifi network almost entire unusable. The wired network was not much better, a situation exacerbated by the fact that the in room TV systems share the data connection.

“I’ve got what looks like a pretty good 802.11 connection, but am seeing about 30% packet loss. It’s really not usable from my room as it is currently performing,” noted attendee Ben Campbell.

“There was no WiFi signal when on the desk in front of the window in my room, but after some experiments, I discovered that the signal was quite good… on the ceiling of the bathroom,” emailed Marc Petit-Huguenin. “I have a Nexus S phone, so I taped it on the ceiling of the bathroom, and used tethering over Bluetooth to bridge the gap to the desk”

The hotel was also having power problems with network equipment of all types above the 27th floor

Attendees negotiated with the hotel and were given access to the network infrastructure, the IETF makeover team made a number of changes, included:

• Decreasing the AP receiver sensitivity (changing the distance setting from “large” to “small”
• Increasing the minimum data and multicast rate from 1Mbps to 2Mbps
• Decreasing the transmit power from 20dBm to 10dBm
• And, turning off the radios on numerous APs to reduce the RF noise
• Installing netdisco and rancid and establishing a makeshift NOC to manage the network

(The network appears to have been setup by relative amateurs who assumed that jacking up the radio power would result in stronger connections, and who added too many APs without doing a proper site survey to determine where the APs should be placed)

There were also problems caused by the international spectrum of visitors, different countries allow different RF spectrum, and so some channels that are allowed in France and not allowed in the US, and vise versa.

US Apple Macs won’t associate to WIFI channel 13. This is something that the IETF has argued with Apple about–I believe it should be up to the AP to set the allowed channels and clients should be able to use them. I’m not worried about this in this case–folks should see other channels at acceptable signal strengths, and the Europeans, for example, will get a bit of a speed advantage

Later on, after the situation was less critical and they had time to better understand the existing network and develop a plan, a new scheme was developed:

Each floor now has approximately two access points on each of these four channels, with the channels staggered on adjacent floor. That design maximizes the distance between access points on the same channel. “I hope this will significantly improve the coverage in some rooms that had marginal or no signal while also improving the signal to noise ratio for all,” he said
In addition, he switched a couple of the single-radio Colubris access points on each floor from 2.4 to 5 GHz, which would let at least laptops make use of one of four channels on the much less crowded band.

Round Up:

• Google reveals Project Glass(es)
• Details of the FBIs takedown of LulzSec
• Are 600,000 infected Macs with Flashback?
  +More info on Flashback
• Your xbox logs your credit card details
• The details of any credit card ever used on your xbox can easily be stolen with physical access
• even if the xbox has been reset to factory defaults
• so, don’t sell your used xbox without DBANing the hard drive first. Also consider carefully where you take your xbox to get it repaired.
• Microsoft says the attack is unlikely
• Interview With Incarcerated NASA Hacker Jeremey Parker
• ACTA Could be Passed in 10 Weeks; Take Action Before It’s Too Late
• An example of what the future Internet might look like