Archive for September, 2006

Log 0.7 - The Escape

I noticed a small fire alarm box joined to the right wall, adjacent to the glass table in the centre of the room. I had initially thought to make a run for the front door while Cole had been scratching around in the desk for the Temporary Pass. I feared, however, that the entry doors would be locked; it was night time after all. I had kept Cole talking while I came up with a plan to reach the fire alarm.

Most fire alarm systems, when triggered, would automatically override the access control system, forcing open all electronic doors. This was a requirement in most buildings - at least for those who cared to follow health and safety regulations.

I turned to face the door, and took a step forward. I made sure to keep one eye on Cole. “If implemented correctly RFID can be extremely secure, can’t it?” Cole mimicked my movement and now stood beside me. He cleared his throat, “Well, one hopes so.”

I took the RFID tag from Cole and held it in my hand. “So I just stick this to my wrist, right?” “Yes sir! I’m starved, so let’s get moving.” I motioned as if to stick the tag on my wrist. “Lead the way, Cole.” As Cole began heading for the door, I ran toward the fire alarm. I punched it and broke the glass. Cole had heard me make the run and yelled after me, “What are you doing?” I quickly pushed the button. A very loud alarm began to sound. The front doors swung open, as I had hoped. I made a run for the door… Cole was shouting after me. I couldn’t hear what he was saying and I really didn’t care. I had one thought on my mind. Michael Daw was leaving the building.

Cross Context Scripting with Sage

Update:
http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/

I would often keep abreast of new vulnerabilities and exploits via my RSS feeds. Visiting page after page was just never fun. RSS allowed me to categorise, organise and track the security mayhem on the Internet. What was the point of employing a security analyst who was outdated and outgunned?

I decided to play with Sage, which is a popular RSS extension for Mozilla Firefox. It had a friendly interface and a nice option to turn HTML tags on and off. This was a feature I was certainly interested in. It meant I could prevent a number of attacks outlined by SPI Dynamics’ recent RSS Injection whitepaper. The recommendation given in this paper was the typical recommendation given for XSS attacks: escape “<>” to “&lt; &gt;”.

I turned off HTML tags and continued on as normal. However, something odd happened. When rendering my whitepaper “Awakening the Sleeping Giant”, an insert of JavaScript was executed in my browser. How bizarre, I thought. The security-enabling feature made me vulnerable. Sage was vulnerable to XSS! I immediately contacted pdp (architect). We worked on it for 30 minutes and for those 30 minutes all you could hear were sinister laughs.

First: Sage rendered “&lt;” and “&gt;” as “<” and “>”. This means JavaScript can be executed when HTML tags are turned off (not the default).

Second: logical progression put forward the question, what if we reversed it? “&lt;” and “&gt;” also became “<” and “>” when HTML tags were turned on (THE DEFAULT). This means we could effectively hack the latest version of Sage via RSS Injection regardless of which mode was set.

Third: Sage converts the feed into an HTML file and stores it on the local system. This means we were now in the browser’s local zone policy. From here we could read any file from the local system.
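The first two findings share one root cause: feed text is entity-decoded and the result is then emitted into the generated HTML page, so an encoded “&lt;script&gt;” comes back to life as markup. The following Python is an added example written for this page; it is not Sage’s code, and the order of operations in the vulnerable renderer (strip tags, then decode entities) is an assumption that reconstructs the behaviour described above. The feed description is a constructed sample.

```python
import html
import re

# Constructed sample feed text, not from any real feed: the author encoded the
# angle brackets exactly as the SPI Dynamics advice recommends, so a correct
# reader must display "<script>...</script>" as literal text.
FEED_DESCRIPTION = (
    "Awakening the Sleeping Giant &lt;script&gt;alert(1)&lt;/script&gt; is out."
)

# Second constructed sample with real markup and a legitimate entity, to show
# that the hardened path still strips tags and keeps "&" intact.
FEED_DESCRIPTION_WITH_TAGS = "<b>New paper</b> on RSS &amp; XSS"

TAG_RE = re.compile(r"<[^>]+>")


def render_tags_off_vulnerable(text: str) -> str:
    """Assumed reconstruction of the defect: 'HTML tags off' strips the tags
    that are present, then decodes entities for display.  Decoding AFTER
    stripping turns &lt; / &gt; back into live markup in the page Sage writes."""
    stripped = TAG_RE.sub("", text)
    return html.unescape(stripped)


def render_tags_off_fixed(text: str) -> str:
    """Hardened order: decode first to recover the plain text the feed author
    meant, then escape on the way out so every '<', '>', '&' and quote reaches
    the generated page as an entity.  Nothing the feed controls is ever
    emitted as markup."""
    plain = html.unescape(TAG_RE.sub("", text))
    return html.escape(plain, quote=True)


def contains_live_markup(rendered: str) -> bool:
    """Cheap regression check for a renderer's 'tags off' mode: any raw tag in
    the output means feed-controlled content became markup."""
    return TAG_RE.search(rendered) is not None


if __name__ == "__main__":
    for sample in (FEED_DESCRIPTION, FEED_DESCRIPTION_WITH_TAGS):
        vuln = render_tags_off_vulnerable(sample)
        fixed = render_tags_off_fixed(sample)
        print("vulnerable:", vuln, "| live markup:", contains_live_markup(vuln))
        print("fixed:     ", fixed, "| live markup:", contains_live_markup(fixed))
```

The same decode-then-emit mistake explains the second finding in the default, tags-on mode; the hardened path there additionally needs an allow-list HTML sanitizer, which this example does not implement. The check in contains_live_markup is the kind of assertion a reader’s test suite should run over its tags-off output for every feed fixture.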

See GNUCITIZEN for more proof-of-concept examples.

Log 0.6 - RFID Part 2

I was captivated as I glanced at the transparent RFID chip that Cole now held before me. With this technology had come a plethora of ideas and possibilities. Passports, driving licenses, petrol stations, cars, the London underground in the form of Oyster cards, anti-theft systems in shops were all RFID driven. Heck, it was now being used in humans.

The VeriChip organisation is one of the world’s leaders in human-RFID synthesis. They had recently made their first sale to Brampton Hospital. Children there will be RFID tagged. A security system will detect and alert staff in the event that someone attempts to remove or steal a child. Their other “interesting” projects included RFIDing our rear-ends. This permits paramedics and doctors access to our medical records via a unique ID placed within an RFID chip. This could be handy where patients were unconscious or unable to speak. I could see the news article now, titled “Unique ID in backside saves life”. VeriChip is also trying to sell the idea to the government to allow them to implant chips into 1.4 million US soldiers. Did someone say RFID maniac… or conspiracy… hmm…

Noticing that my eyes had become glazed while staring at the RFID tag, Cole resumed the conversation. “Many warnings from the security community have surfaced over the years with regards to this technology. Just like the Internet, it was never designed with security in mind.” “So why would an organisation like yours use them?” I asked inquisitively. “They are extremely flexible and very useful. We also recently had Purehacking.com perform a security audit on our RFID implementation.” He quickly continued, “We obviously used a front company for the business venture.” “I remember listening to Lukas Grunwald give a presentation on RFID hacking at a Blackhat conference a few years ago,” I added. Cole smiled, “Astounding how quickly things move, isn’t it?”

References:
http://www.rfidjournal.com/article/articleview/2622/1/1/
http://digg.com/politics/US_thinks_of_sticking_RFID_chips_inside_troops
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grunwald.pdf
http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
http://www.infoworld.com/article/05/03/17/HNrfidcrack_1.html?RADIO%20FREQUENCY%20IDENTIFICATION%20-%20RFID
http://www.verichipcorp.com/

Log 0.5 - RFID Part 1

I found myself in a long white corridor with Cole. There was not a soul in sight. The drowsiness one feels when waking up after a bad night’s sleep began to wear off. I realised the seriousness of my situation. Hours earlier I had been on a train and now I was in some weird building with some weird guy, apparently a top-secret government agent. Although I felt as though I knew Cole, my heart began pounding with fear. I decided to play it cool until an escape route presented itself. Attempting to act relaxed, I sarcastically commented, “Cole, you need to give me your interior designer’s name, this place is stunning.” Cole laughed. “You’ve been to quite a few government buildings, haven’t you?” I nodded my head and replied, “Well, this has got to be the barest office I’ve seen – saving taxpayers’ money for a change?” Cole grinned as we turned and entered an open door marked “Reception.” I was in luck!

It was an oval-shaped room with a half-moon table on one side and two large tinted glass doors on the other, making it impossible to see out at this time. Three white leather sofas lay in the middle of the room surrounding a round glass table with a pile of neatly stacked books. Oddly, I had not seen a soul since awakening. Surely, heavily armed military personnel would be pacing the hallways and guarding doors in a top-secret building like this.

“Michael, your visit this evening has already been registered on our system. We now need to give you authorisation before we head to the café for a bite.” Cole opened the top drawer and pulled out a little black box. Cole carefully opened the box and took out a transparent stamp-sized strip. He then politely asked me to hold out my hand. “What’s this, some kind of RFID stamp?” “Yes, it is based on Radio Frequency Identification. It’s what we call TP, or Temporary Pass.”

Log 0.4 - XSSing the government

As I stood up I felt as if I was going to be sick. This was attributable to the sinking feeling in my stomach and my raging curiosity. The man began walking towards the door at the far end of the room. I followed a few steps then paused, “So what’s your name?” I hoped to ask a few more questions to try and figure out what the hell was going on before proceeding any further. “Sorry, where are my manners. I am known to friends as Cole.” “Is this a prison?” Cole began chuckling. “No, Michael, you will find this hard to believe, but you are in a top-secret government facility.”

The butterflies in my stomach began to settle. I felt a lot more at ease due to Cole’s friendly nature. I also sighed with relief after his reassurance that I wasn’t in some holding cell. I was no stranger to secret agencies. In my field I had consulted with all types. I continued walking with Cole.

As we walked my mind was drawn to recent email correspondence between myself and a government contact named Bill Steely. He requested my presence at the MI5 building in London to discuss my whitepaper. I felt confident that all this was related somehow.

I had read a news article that a terrorist organisation called “ANT” had used Cross Site Scripting attacks to gain access to military intelligence installations. It seemed clear to me now that my services were obviously required and that Cole would discuss this with me at dinner.

ANT knew a number of their websites were being monitored by intelligence agencies around the world. However, it was a risk they had to take; the Internet had become their largest recruitment facility.

News had always shown terrorists pushing when pushed. This time they had planned to pull when pushed.

Specialist security groups around the world had been using honeypots for years to track hacker, worm and virus activity. Honeypots were basically networked systems that were purposely and strategically designed to be vulnerable. These systems were also carefully set up to log all hacker-type activity.

Terrorists had found a way to track government intelligence agencies and gain access to highly protected computers using Cross Site Scripting attacks.

Firstly, additional websites posing as terrorist recruitment sites were set up as honeypots. Logs were correlated and put through a statistical reporting system. This system provided information such as the number of visits and the web browser, location and operating system of each visitor.

This operation proved that most visitors were using Internet Explorer. A web browser-fuzzing tool named AxMan, which was designed to automatically find open holes in Internet Explorer, was used to locate Zero Day browser vulnerabilities. Zero Day exploits were those that were not yet known or made public; therefore, no security fix was available.

References:

  • http://metasploit.com/users/hdm/tools/axman/
  • http://www.newshounds.us/2006/07/09/kasich_leaks_national_security_secrets_is_this_treason.php
  • http://www.gnucitizen.org/blog/xssing-the-lan
