In December of last year CNN carried a story about US military drones in Iraq having their video feeds “hacked.”  The full article is here:

http://bt.gd/qb

What I find amazing is the way, once again, the “h” word is thrown around.  The fact is, the transmissions were unencrypted.  I’m not downplaying the skills needed to intercept such signals. I’m not sure I could do it, but then again, if I can buy equipment and/or software (http://www.skygrabber.com) somewhere which would allow me to intercept the signals without having to have a passphrase or a certificate or a token or something, then no skills are really required. The US military were simply caught with their technological pants down. The article already mentions that higher-end,

The U.S. military and intelligence operations use pilotless drones in Iraq and Afghanistan both for surveillance and to fire missiles at targets.

While the CIA has never publicly acknowledged it, the agency operates the unmanned planes in Pakistan, where it has used drones to strike at Taliban and al Qaeda operatives, according to officials familiar with the strategy. But a U.S. official with knowledge of CIA and military UAV missions told CNN the drones used in Pakistan missions use encrypted feeds and are not vulnerable to hacking like the military drones used in Iraq.

The official said the drones employed by the intelligence community in Pakistan, which use state-of-the-art encryption technology, are used in a much more limited capacity than the military drones.

So the technology does exist to encrypt the transmissions as our intelligence agencies are using it, but the military is using older, less secure equipment in their drones. Apparently, at Langley they’re using WPA2 for their wireless and the Pentagon is using WEP (Or maybe just an open Linksys).

This leads to a higher concern. If the video surveillance can be intercepted and potentially altered, what about the actual commands that control these unmanned drones? Could a drone be turned around to attack our own troops?

All that aside, I think using the word “hacked” in any way associated with this incident is to shift blame. It would be like labeling someone a “spy” who overheard two soldiers at Wal-Mart discuss a secret mission and then later blogged about it.

My prediction is that, unfortunately, much more effort will go towards stopping people from developing software like Skygrabber than it will towards actually fixing the drone technology. We need a scapegoat, and it probably won’t be our military and the risk analysis performed when developing such technology.

We’ve all seen them: mechanical locks on doors with 5 vertical numbered buttons. Here’s an example:

http://bit.ly/65UYbu

Here are some facts about these locks:

1. In any given combination, you can only push a digit once. This means that the same number will not show up in a combination sequence twice.

2. You may, however, push two buttons simultaneously as a single step of the combination. But again, once those numbers have been pushed they cannot be re-used.

So, putting this together, here’s how many possibilities you have. First, all the possible two-button combinations, of which there are 10:

5-1, 5-2, 5-3, 5-4, 4-3, 4-2, 4-1, 3-2, 3-1, 1-2.

For each one, you have all the possible orderings of the remaining 3 numbers: 3! = 3 x 2 x 1 = 6, and 6 x 10 = 60.

If no two-button combinations are used, the possibilities are 5! = 120.

Ok, so here’s how I reduced the possibilities on a client office door….

On each button, I made a dot with a dry-erase marker. The next day I checked the door. “3” was the only button with a mark left, so it was not used in the combination. Working as quickly as possible (and assuming a 4 digit combination) I worked through the list, starting with single digits….

1245, 1254, 1425, 1452, 1524, 1542, …and so on. About 25 tries into it, the doorknob turned and I was in their office. Because of this, they’ve since switched it out for a card reader. :-)
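The counting above, and the way the key space collapses once a single button is known to be unused, as an added Python example (not code from the original post). It covers single-press sequences only, not simultaneous two-button presses, and reports the result in bits so the lock can be compared with other controls.

```python
from itertools import permutations
from math import log2


def single_press_sequences(buttons, length):
    """Enumerate every ordered sequence of `length` distinct buttons.

    Each button may be pressed at most once (rule 1 above). Simultaneous
    two-button presses are deliberately not modelled here.
    """
    return list(permutations(sorted(buttons), length))


def keyspace(buttons, length):
    """Return (number of candidate codes, equivalent entropy in bits)."""
    n = len(single_press_sequences(buttons, length))
    return n, log2(n)


def reduced_keyspace(all_buttons, unused, length):
    """Candidates left once some buttons are known not to be part of the code
    (any leak that reveals which buttons are never pressed has this effect)."""
    remaining = set(all_buttons) - set(unused)
    return keyspace(remaining, length)


if __name__ == "__main__":
    buttons = {1, 2, 3, 4, 5}
    # All five buttons, all five pressed once: 5! = 120 candidates, ~6.9 bits.
    print("5 buttons, 5 presses:", keyspace(buttons, 5))
    # A 4-digit code drawn from five buttons is also 120 candidates.
    print("5 buttons, 4 presses:", keyspace(buttons, 4))
    # Button 3 known unused, 4-digit code: 4! = 24 candidates, ~4.6 bits.
    print("button 3 unused, 4 presses:", reduced_keyspace(buttons, {3}, 4))
    # The first candidates, in the same order as the list in the post.
    print(single_press_sequences(buttons - {3}, 4)[:6])
```

With one button eliminated, a 4-digit code is left with 24 orderings, which matches the roughly 25 attempts described above.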

DH

A lot of stuff has been written and said lately about MITM attacks, and quite a number of different kinds of such attacks exist. SSL MITM attacks, such as SSLStrip, basic ARP Spoofing, and even a few wireless MITM attacks exist to cause end users grief.
It should be noted, however, that the average user sitting at home or in his office accessing his Paypal account is not that susceptible to such attacks unless his local network has been compromised. The aforementioned attacks require the attacker to have access to that network and place himself between the victim and the victim’s gateway in the actual data path. There’s no real way to perform ARP spoofing between a guy sitting in his basement in Idaho and his bank in New York if you’re on a system in Austin, TX. The public network we commonly call the Internet just doesn’t work that way, and inserting yourself passively between two entities there is nearly impossible unless you manage to hijack a router along the way or become a router. That’s probably not gonna happen.

I say “passively” to describe a kind of attack that requires no action on the part of the victim. Some attacks do exist, usually at the web application level, whereby a victim is tricked into launching a script or going to a harmful site while thinking they’re at their bank’s website. That’s not really within the scope of what I’m discussing here; such attacks will be covered in future posts.

However, while a guy sitting in his home may not be as vulnerable to passive MITM attacks, the guy sitting in Starbucks or using the wireless in his hotel is very vulnerable. How can someone be certain the SSID listed as “RamadaInn” is actually broadcast from a hotel-owned access point and not some guy in the next room or at the next table with a laptop and/or a funny plastic pineapple? Forget wireless. Even the wired networks in many hotels are still based on hubbed networks where everyone sees all traffic, and even on a switched network, you’re still exposed.

Try to show some wisdom when using public internet hotspots, airport Wifi or complimentary hotel wireless networks. There are people like me out there who know how to perform these various kinds of MITM attacks, and many of them are not nearly as nice. :-)
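The ARP spoofing described above leaves a footprint on the wire: the gateway’s IP suddenly answers from a new MAC, and one MAC starts answering for several IPs. Here is an added Python example (not from the original post) that flags both conditions over a constructed sample of ARP replies, the kind of check a sniffer on the local segment can run.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a sniffer on the segment would see them,
# as (sender_ip, sender_mac). The first three are normal; the last two show one
# unknown MAC claiming to be both the gateway and a workstation.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:aa:bb:01"),   # gateway (known good mapping)
    ("192.168.1.10", "00:11:22:aa:bb:10"),  # workstation
    ("192.168.1.1", "00:11:22:aa:bb:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by a new MAC
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # same MAC also claims the workstation
]

# The gateway's real address, as it would be recorded when the segment was built.
KNOWN_GATEWAY = ("192.168.1.1", "00:11:22:aa:bb:01")


def analyse_arp(replies, known_gateway):
    """Return alert strings for replies that contradict the gateway's known
    MAC, or that show one MAC answering for more than one IP address."""
    gw_ip, gw_mac = known_gateway[0], known_gateway[1].lower()
    alerts = []
    ips_per_mac = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        if ip == gw_ip and mac != gw_mac:
            alerts.append(f"gateway {gw_ip} claimed by unexpected MAC {mac}")
        ips_per_mac[mac].add(ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} answers for multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in analyse_arp(SAMPLE_ARP_REPLIES, KNOWN_GATEWAY):
        print("ALERT:", alert)
```

A router that legitimately owns several addresses, or a replaced gateway NIC, will also trip these rules, so the known-good mapping must be kept current; static ARP entries on critical hosts and dynamic ARP inspection on the switch close the hole rather than just detecting it.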

How many times have we heard people say “I know I’m safe when I visit my bank’s website because it uses SSL.”? Of course, there’s some element of truth here. Nobody casually sniffing the network is going to be able to read any of those SSL packets. The level of security here, of course, ignores any of the possible application vulnerabilities on the site itself. SSL does not protect someone from XSS or the site from SQL Injection attacks. SSL is often thought of, unfortunately, as a cure-all for our website security woes.

But now, clients browsing SSL-enabled sites may fall victim to another form of attack. Using a MITM (Man-in-the-middle) method, an attacker is able to strip off all SSL from the victim’s session using a tool called SSLstrip. First, let’s look at the logical view of how it all works.

  1. An attacker on the victim’s network (LAN or possibly wireless) uses ARP spoofing to insert himself between the client and the gateway, intercepting all traffic between the two.
  2. The attacker forwards all HTTP traffic to a predetermined port.
  3. The attacker then launches SSLstrip and listens on that port.
  4. The victim attempts to visit an SSL-enabled site, but the attacker intercepts this request and serves the victim the site without SSL. The attacker still communicates with the site over SSL, but the victim is communicating through the attacker using clear HTTP.
  5. The victim’s username and password are collected by SSLstrip and stored in a log file.
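The downgrade in step 4 only works because the site is willing to answer that first cleartext request at all. Here is an added Python example (not from the original post, and not part of SSLstrip) that checks a site’s responses for the three properties that defeat the stripping: a plain-HTTP redirect to HTTPS, an HSTS header so a returning browser never sends cleartext, and a Secure flag on the session cookie. The responses are constructed and bank.example is a placeholder.

```python
# Constructed responses (not a real site) a browser gets when it first asks
# for http://bank.example/ and then for https://bank.example/.
WEAK_SITE = {
    "http":  {"status": 200, "headers": {"Content-Type": "text/html"}},
    "https": {"status": 200, "headers": {"Set-Cookie": "session=abc; HttpOnly"}},
}
HARDENED_SITE = {
    "http":  {"status": 301, "headers": {"Location": "https://bank.example/"}},
    "https": {"status": 200, "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": "session=abc; Secure; HttpOnly"}},
}


def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0


def stripping_findings(site):
    """Return the weaknesses that let an SSLstrip-style downgrade succeed;
    an empty list means every check passed."""
    findings = []
    http, https = site["http"], site["https"]
    # 1. Plain HTTP must never serve content, only redirect to HTTPS.
    location = http["headers"].get("Location", "")
    if http["status"] not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("http: serves content instead of redirecting to https")
    # 2. HSTS makes a returning browser refuse plain HTTP before any request
    #    leaves the machine, so there is nothing for the attacker to rewrite.
    hsts = https["headers"].get("Strict-Transport-Security", "")
    if hsts_max_age(hsts) < 180 * 24 * 3600:
        findings.append("https: HSTS missing or max-age shorter than six months")
    # 3. A session cookie without Secure is replayed over the stripped session.
    cookie = https["headers"].get("Set-Cookie", "")
    attrs = {part.strip().lower() for part in cookie.split(";")}
    if cookie and "secure" not in attrs:
        findings.append("https: session cookie lacks the Secure attribute")
    return findings


if __name__ == "__main__":
    for name, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(name, stripping_findings(site) or ["no findings"])
```

HSTS only protects a browser that has already visited the site over HTTPS (or has it preloaded), so the very first visit on a hostile network still depends on the user typing https:// or using the VPN recommended below.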

The creator of this tool, Moxie Marlinspike, has a very good tutorial on how this tool works on his website here.

This adds a new level of danger for those using public WiFi in airports and hotels. Wireless MITM attacks are already well known, and SSLstrip makes them all the more effective. When using public hotspots, it is always recommended to do all such sensitive browsing over a VPN connection.

As with all such tools mentioned on this site, SSLstrip should not be used for illegal purposes or without prior approval.

It’s so much easier to have a single password to remember, but do we realize the dangers involved with such a practice? Using the same password for Facebook, Paypal, Ebay, Twitter, and your system logon is convenient, but what if your password is compromised on one of these services or devices? One misplaced password file or one glance over your shoulder as you type could give someone the keys to your kingdom.

I understand the benefits of a single password. It’s difficult to remember multiple passwords, and remembering different passwords for each single service is out of the question. People who attempt this kind of password diversity often wind up writing all their passwords down or keeping them in an Excel spreadsheet. That’s not a terrible idea as long as the spreadsheet is protected in some way, but it’s not terribly manageable.

I recommend the use of password management software such as Keepass. It stores all your passwords in an encrypted file. The passwords can be organized and categorized as well. Keepass is available on many different platforms, including MS Windows and Linux. A portable version is also available to keep on your USB drive. Oh, did I mention it was free? More information and downloads may be found here.

Another alternative is Password Safe, created by Bruce Schneier (yes, THAT Bruce Schneier). It can be found here. It’s only available for Windows but does work OK in Linux with Wine.

A word of caution is necessary. I offer these two because of their reputation and open source nature, but be careful about installing other third-party password safe products. What you might get is a program that looks like a password safe and that maybe works fine as a password safe. What you don’t know is that the program is transmitting all your passwords to the bad guys. Stick with these two products and you’ll be fine.

Oh, one last bit of advice: whatever you do, don’t forget the password that opens Keepass. :-)
