I’m on my way to my first ever DEFCON. It’s a very popular hacker / cybersecurity conference in Las Vegas that some people compare to Burning Man for hackers. I’m super excited.
But, I’m a fool. So instead, I’m bringing the least secure computer possible to see how deep pwnage can go. Then, after the event, I’ll try to figure out what happened.
You’d think this would be as easy as finding a Lappy 486 at a thrift store and slapping Windows ME on it, but you’d be wrong. Laptops that old can’t connect to modern wifi, and might not even be able to mount malicious USB devices. I’d probably go the whole conference without getting hacked, and that’s unacceptable.
I need vulnerabilities that are still in the wild, and a computer that is capable of connecting to modern wifi networks. Specifically, I need a computer that meets these requirements:
I discussed this with my helpful coworkers. One of them had recently found a laptop in a recycling heap: a Lenovo Ideapad U110. It seemed to meet most of my requirements, and had a bonus feminine red case.
I started adjusting it to fit my needs, but quickly encountered some issues. The boot disk was connected with a delicate, proprietary ZIF40 cable, and required partial disassembly to access. I attempted to repurpose some components widely available for iPod hacking to change it to a CompactFlash, but I only ended up learning way too much about the challenges of booting Windows XP from CompactFlash.
After hours of hacking away I coerced Windows XP to install, and boot off of a comically long chain of adapters: ZIF40 to CompactFlash to SD to MicroSD. Unsurprisingly, it was slow and flaky. It booted about 30% of the time.
I decided my time was better spent coming up with easter eggs, so I cleaned up the U110, and moved on.
A couple hours of research turned up the Thinkpad X220. It met all of my minimum requirements, and was a respectable laptop in its day. I snagged one in great shape for under $100 on eBay.
I picked up some 16GB SATA SSDs that fit great once I removed some of the drive casing. Installing Windows XP on this laptop went smoothly, and drivers were pretty easy to find from official sources.
The only challenge I encountered was around programmable chips on the main board. I know that the BIOS, WiFi module, and several other components could conceivably be reprogrammed, but I was unable to figure out how to dump them, or even get a checksum. All I could find was a mysterious CD-ROM bootable BIOS flasher. Theoretically, this should help me recover from a compromised BIOS, but reverse engineering it to get a checksum was one too many yaks to shave.
All the ThinkPad needed was some Windows XP era tech stickers, and it was ready to go!
With the laptop usable, I had to make it worth exploring to my hacker friends. I registered 5 new email accounts, and hid them in various places about the laptop. Some are pretty easy to find, others are hidden behind riddles that I’m not sure anyone will solve.
Hopefully, someone will find some of them and drop me an email to say hi :)
Here’s the full project kit. It includes:
Once I make it to DEFCON, I plan to engage the conference community through a variety of channels:
If the laptop becomes unusable due to excessive pwnage, I’ll swap the boot drive and repeat. Whenever I get a break I’ll save an image of the compromised disk and restore it to a clean Windows XP installation.
I hope that I’ll encounter a variety of interesting attacks that will be educational and enjoyable to investigate for weeks to come. I hope I make some new friends who reach out to me on the planted email addresses. But, projects like this one rarely go as planned.
It’s possible that every time I boot up, my laptop immediately stops working, and every time it’s for the same boring reason. That’d be a bummer, but I can deal with that by actually patching some of the vulnerabilities or running a different operating system.
It’s also possible that nothing happens. If I make it a day without any visible intrusion, I’m going to step it up a notch. I’ll fire up a bunch of known insecure services like obsolete versions of IIS, MySQL, and WordPress.
In any case, I’m going to find out soon. Wish me luck, and check back later for an update on the aftermath.
This is the second entry in a series about Spring Cleaning for your Internet-connected 21st century lifestyle. Confused? Check out the first entry about authentication and passwords.
This entry is all about user connected apps and sessions.
You know when you log in somewhere with Facebook, or click on a button that gives a website access to your profile photo on Google? That’s called a connected app, or in techie jargon OAuth.
OAuth is a wonderful protocol. It gives you the power to selectively share your data between websites and mobile apps.
But that convenience comes with a wrinkle of complexity: it’s easy to forget about all the apps you’ve connected. To make matters worse, some of these app connections will keep working after you reset your password.
So, take some time and review all of your connected apps. Don’t recognize something? Disconnect / revoke / remove it.
Here’s a list of places you might have connected apps:
If you have more than one account at any of these providers, don’t forget to check each one.
Some online services keep a memory of previously authenticated web browsers and mobile apps. This phenomenon goes by many names including trusted computers, sessions, devices, and recognized browsers.
Trusted devices and browsers have easier access to your account. Sometimes they bypass multi-factor auth, sometimes they are completely trusted. In any case, they’re another gateway to your account that you should keep tidy.
App passwords are a weird consequence of multi-factor authentication. They are passwords that allow you to sign in from applications that do not support multi-factor auth, even if your account is set to require it for all access. This may seem silly, but you might have used it for an old desktop email client. They typically give full, unrestricted access to your account, so it’s important to keep them tidy too.
While you’re in there, go ahead and clean out any old / unused SSH keys too. These are not as common, but if they get out bad things can happen. You may have accidentally leaked one when you sold an old laptop on Craigslist.
As a general practice, never reuse SSH keys. Generate a new one for each device / service connection.
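One way to catch the reuse this advice warns about is to audit the keys each service trusts and look for the same public key turning up in more than one place. The script below is an added example, not code from this post: it parses authorized_keys-style lines (including lines with a leading options field such as from="..."), computes each key’s SHA256 fingerprint in the same format ssh-keygen -l prints, and reports any key authorized on more than one service. The service names, key blobs and comments are all constructed for the example; the ed25519 blobs are built in the OpenSSH wire format but are not real keys.

```python
import base64
import hashlib
import shlex
from collections import defaultdict

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def make_ed25519_blob(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob (base64).

    Constructed for this example only: the 32 "key" bytes are a hash of the
    seed, not a real public key, but the wire format (length-prefixed type
    name, length-prefixed key bytes) matches what OpenSSH writes, so the
    fingerprint logic below is exercised realistically.
    """
    name = b"ssh-ed25519"
    point = hashlib.sha256(seed).digest()          # 32 placeholder bytes
    blob = (len(name).to_bytes(4, "big") + name
            + len(point).to_bytes(4, "big") + point)
    return base64.b64encode(blob).decode()


# Constructed sample data: one key (KEY_A) was pasted into three different
# services, which is exactly the reuse the post warns against.
KEY_A = make_ed25519_blob(b"old-laptop-2016")
KEY_B = make_ed25519_blob(b"deploy-github")
KEY_C = make_ed25519_blob(b"build-server")

AUTHORIZED_KEYS = {
    "github": [
        f"ssh-ed25519 {KEY_A} alice@old-laptop",
        f"ssh-ed25519 {KEY_B} deploy@ci",
    ],
    "home-server": [
        f'from="10.0.0.0/8",no-pty ssh-ed25519 {KEY_A} alice@old-laptop',
        f"ssh-ed25519 {KEY_C} build@ci",
    ],
    "vps": [
        "# cleaned up once already, apparently not enough",
        f"ssh-ed25519 {KEY_A} alice@old-laptop",
    ],
}


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it (base64, no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys_line(line):
    """Return (key_type, blob, comment) or None for blank/comment lines.

    An authorized_keys line may start with an options field such as
    from="..." or no-pty; shlex handles the quoted, space-containing values,
    and the key type is the first token that looks like one.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def audit_keys(authorized):
    """Map each key fingerprint to the comment and the services it is authorized on."""
    seen = defaultdict(lambda: {"comment": "", "services": []})
    for service, lines in authorized.items():
        for line in lines:
            parsed = parse_authorized_keys_line(line)
            if parsed is None:
                continue
            _, blob, comment = parsed
            entry = seen[fingerprint(blob)]
            entry["comment"] = entry["comment"] or comment
            if service not in entry["services"]:
                entry["services"].append(service)
    return dict(seen)


def find_reused_keys(authorized):
    """Keys present on more than one service: each of those needs its own key."""
    return {fp: info for fp, info in audit_keys(authorized).items()
            if len(info["services"]) > 1}


if __name__ == "__main__":
    for fp, info in find_reused_keys(AUTHORIZED_KEYS).items():
        print(f"{fp}  ({info['comment']}) reused on: {', '.join(info['services'])}")
```

In practice you would feed it the authorized_keys files from your own servers and the key lists exported from services like GitHub; a fingerprint that shows up under several services is the key to retire and replace with one per connection.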
There are more ways into your accounts than just your password. Keep them tidy too!
Did I miss any services that you use? If so, please tell me on Twitter.
In the next blog entry, I’ll move away from authentication (as exciting as it is), and into a more meaty part of the series: almost forgotten social media posts and other uploaded data. I promise an exciting journey down memory lane.
Back in the olden times the custom of spring cleaning was about scrubbing the soot from your wood-burning stove off of the walls. But we live in the 21st century, and our heaters don’t leave much soot behind. We do, however, leave bits and pieces of our personal information all over the Internet.
A couple of years ago I adapted the custom of spring cleaning to my Internet life. I do things like audit my passwords, delete abandoned online profiles, expunge embarrassing tidbits of angst-ridden teenage blogging, and generally tidy stuff up.
It’s a wonderfully cathartic practice, and it makes online life safer to boot. So, I’m going to share my spring cleaning regimen with all of you. It’s a grouped checklist, and it’s pretty long, so I’ve broken it up into a few entries.
This entry is all about user authentication and passwords: the gateway to your personal information.
Multi-factor auth, also known as two-factor auth, is awesome. Are you using it wherever it’s available? You should be. It’s a wonderfully effective tool for personal info security.
When setting up accounts, favor the most secure option available. Generally, U2F hardware tokens are best, followed by mobile apps, and finally SMS.
Strong individual passwords are important, but general password hygiene is even more important.
One of the tricky parts here is remembering all of the websites on which you have accounts. I probably have hundreds. Here are places you can scan to jog your memory.
Once you have an idea of where all you have accounts, fix those passwords up.
There, don’t you feel better already? That’s just step one. There’s still lots of cleaning to do, but that will have to wait for a future blog entry.