A shiver ran down my spine as Cole’s shadow faded back into the compound.

“Okay, this could be worse,” I muttered. Standing quickly, determined to find an exit, I began my mission of circling the building. I put my left arm out with my fingers extended, so that my fingertips brushed along the side of the wall as I walked.

“What a night!” I grumbled, moving slowly in the dark, my pupils now fully dilated, compensating for the lack of light.

Reaching the corner of the wall, I could make out, that the wall was cutting off entry to the side of the building. Feeling trapped, I turned and ran back the way I had come. I slowed my pace as I reached my initial starting point. I walked as before, except this time running the fingertips of my right hand along the side of the wall.

I made my way around the barrier, stopping at the corner, on the opposite end of yard, my breathing sporadic. It wasn’t looking very bright.

You would think there would be a gate or something but I guess that would be to easy for the type of night I was having.

I wasn’t getting anywhere. I headed towards the front door to check on the whereabouts of my new found “friend”.

After a few meters, a small green light suddenly shone on my right hand side. A light appeared through a now opening door. I stepped back and clinched my eyes for a few moments.

It felt as if any minute, my heart would come tearing through my chest. I had stopped just outside the building to catch my breath.

As I looked out into the night I noticed something frightfully peculiar. At that moment my head felt as if it was in a James Bond cocktail.

“Nothing, absolutely nothing” I whispered.

The lights from the building had lit up the night air creating a two or three meter perimeter, and then nothing! Not a light, not a sound, nothing! My greatest fear had always been the nothingness of space. It reminded me of a blackhole.

I had imagined being sucked into a blackhole as a boy. I had often pondered over space singularity’s. If anyone could ever survive the gravitational forces of such a monster, would he be trapped in a place where time and the emptiness of space were infinite, unable to escape the grasp of such a thing.

“Walking into the pitch black night is not my idea of a night out,” I said trying to cheer myself up in what seemed a dire situation.

After a few meters the tips of my fingers connected with a wall type structure.

I began to panic, I felt like a trapped Gecko.

Above me were stars. Their glaze giving me some comfort, and lighting a black framed wall which lay in front of me. I jumped in desparation attempting to scale the wall. After a few minutes of jumping my fingers and hands were feeling raw.

“Michael, where are you?” I could see Cole standing by the door. I quietly and carefully bent down until haunched, and then lay down gently so that my stomach was touching the floor.

“Michael, I know this has been a crazy night for you, but its going to be alright. If I was going to do something, I would have done it already. Come out so we can talk, I promise nothing will happen to you, you mean to much to me and this institution. ”

I noticed a small fire alarm box joined to the right wall, adjacent the glass table in the centre of the room. I had initially thought to make a run for the front door while Cole had been scratching around in the desk for the Temporary Pass. I feared however, that the entry doors would be locked, it was night time afterall. I had kept Cole talking while I came up with a plan to reach the fire alarm.

Most fire alarm systems when triggered, would automatically override the access control system, thereby forcing open all electronic doors. This was a requirement in most buildings – at least for those who cared to follow health and safety regulations.

I turned to face the door, and took a step forward. I made sure to keep one eye on Cole. “If implemented correctly RFID can be extremely secure, cant it?” Cole mimicked my movement and now stood beside me. He cleared his throat, “Well one hopes so.”

I took the RFID tag from Cole and held it in my hand. “So I just stick this to my wrist right?” “Yes sir! I’m starved so lets get moving.” I motioned as if to stick the tag on my wrist. “Lead the way Cole.” As Cole began heading for the door, I ran toward the fire alarm. I punched it and broke the glass”. Cole had heard me make the run and yelled after me, “What are you doing?” I quickly pushed the button. A very loud alarm began to sound. The front doors swung open, as I had hoped. I made a run for the door… Cole was shouting after me. I couldn’t hear what he was saying and I really didn’t care. I had one thought on my mind. Michael Daw was leaving the building.

I was captivated as I glanced at the transparent RFID chip that Cole now held before me. With this technology had come a plethora of ideas and possibilities. Passports, driving licenses, petrol stations, cars, the London underground in the form of Oyster cards, anti-theft systems in shops were all RFID driven. Heck, it was now being used in humans.

The VeriChip organisation is one of the world’s leaders in human-RFID synthesis. They had recently made their first sale to Brampton Hospital. Children there will be RFID tagged. A security system will detect and alert staff in the event that someone attempts to remove or steal a child. Their other “interesting” projects included, RFIDing our rear-ends. This permits paramedics and doctors access to our medical records via a unique ID placed within an RFID chip. This could be handy where patients were unconscious or unable to speak. I could see the news article now titled, “Unique ID in backside saves life”. VeriChip is also trying to sell the idea to the government to allow them to implant chips into 1.4 million US soldiers. Did someone say RFID maniac… or conspiracy… hmm…

Noticing that my eyes had become glazed while staring at the RFID tag, Cole resumed the conversation. “Many warnings from the security community have surfaced over the years with regards to this technology. Just like the Internet, it was never designed with security in mind.” “So why would a organisation like yours use them”, I asked inquisitively. “They are extremely flexible and very useful. We also recently had Purehacking.com perform a security audit on our RFID implementation.” He quickly continued, “we obviously used a front company for the business venture.” “I remember listening to Lukas Grunwald give a presentation on RFID hacking at a Blackhat conference a few years ago” I added. Cole smiled, “Astounding how quickly things move isn’t it?.”

References:
http://www.rfidjournal.com/article/articleview/2622/1/1/
http://digg.com/politics/US_thinks_of_sticking_RFID_chips_inside_troops
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grunwald.pdf
http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
http://www.infoworld.com/article/05/03/17/HNrfidcrack_1.html?RADIO%20FREQUENCY%20IDENTIFICATION%20-%20RFID
http://www.verichipcorp.com/

I found myself in a long white corridor with Cole. There was not a soul in sight. The drowsiness one feels when waking up after a bad nights sleep began to wear off. I realised the seriousness of my situation. Hours earlier I had been on a train and now I was in some weird building with some weird guy apparently a top-secret government agent. Although I felt as though I knew Cole, my heart began pounding with fear. I decided to play it cool until an escape route presented itself. Attempting to act relaxed, I sarcastically commented, “Cole, you need to give me your interior designer’s name, this place is stunning” Cole laughed. “You’ve been to quite a few government buildings haven’t you?” I nodded my head and replied, “well, this has got to be the barest office I’ve seen – saving tax payers money for a change?” Cole grinned as we turned and entered an open door marked, “Reception.” I was in luck!

It was an oval shaped room with a half moon table on the one side and two large tinted glass doors on the other making it impossible to see out at this time. Three white leather sofas lay in the middle of the room surrounding a round glass table with a pile of neatly stacked books. Oddly, I had not seen a soul since awakening. Surely, heavily armed military personal would be pacing the hallways and guarding doors in a top-secret building like this.

“Michael, your visit this evening has already been registered on our system. We now need to give you authorisation before we head to the café’ for a bite. Cole opened the top drawer and pulled out a little black box. Cole carefully opened the box and took out a transparent stamp sized strip. He then politely asked me to hold out my hand. “What’s this, some kind of RFID stamp?” “Yes, it is based on Radio Frequency Identification. It’s what we call TP or Temporary Pass.”

As I stood up I felt as if I was going to be sick. This was attributed to the sinking feeling in my stomach and my raging curiosity. The man began walking towards the door at the far end of the room. I followed a few steps then paused, “So what’s your name?” I hoped to ask a few more questions to try and figure out what the hell was going on before proceeding any further. “Sorry, where are my manners. I am known to friends as Cole.” “Is this a prison?” Cole began chuckling. “No Michael, you will find this hard to believe but you are in a top secret government facility.”

The butterflies in my stomach began to settle. I felt a lot more at ease due to Cole’s friendly nature. I also sighed with relief after his reassurance that I wasn’t in some holding cell. I was no stranger to secret agencies. In my field I had consulted with all types. I continued walking with Cole.

As we walked my mind was drawn to recent email correspondence between myself and a government contact named Bill Steely. He requested my presence at the MI5 building in London to discuss my whitepaper. I felt confident that all this was related somehow.

I had read a news article that a terrorist organisation called, “ANT” had used Cross Site Scripting attacks to gain access to military intelligence installations. It seemed clear to me now that my services were obviously required and that Cole would discuss this with me at dinner.

ANT knew a number of their websites were being monitored by intelligence agencies around the world. However, it was a risk they had to take, the Internet had become their largest recruitment facility.

News had always shown terrorists pushing when pushed. This time they had planned to pull when pushed.

Specialist security groups around the world had been using honeypots for years to track hacker, worm and virus activity. Honeypots were basically networked systems that were purposely and strategically designed to be vulnerable. These systems were also carefully setup to log all hacker type activity.

Terrorists had found a way to track government intelligence agencies and gain access to highly protected computers using Cross Site Scripting attacks.

Firstly, additional websites posing as terrorist recruitment sites were setup as honeypots. Logs were correlated and put through a statistical reporting system. This system provided information such as, number of visits, the web browser, location and operating system of the visitor.

This operation proved that most visitors were using Internet Explorer. A web browser-fuzzing tool named AxMan – which was designed to automatically find open holes in Internet Explorer, was used to locate Zero Day browser vulnerabilities. Zero Day exploits were those that were not yet known or made public. Therefore, no security fix was available.

References:

• http://metasploit.com/users/hdm/tools/axman/
• http://www.newshounds.us/2006/07/09/kasich_leaks_national_security_secrets_is_this_treason.php
• http://www.gnucitizen.org/blog/xssing-the-lan

I opened my eyes and sat up. I found myself in a square room with no windows and bare white walls. My head was hurting like hell! A thinly built man stood in front of me. He was wearing a black coat. I flapped by eyelids a couple of times as my eyes attempted to focus in the bright-lit room. “Am I dead?” “No” the man responded. His voice was deep and echoed off the walls. “It’s been to long Michael”. “How do you know my name?” “Lets get out of here and get a bite to eat. I’ll explain everything over dinner.”

What the hell was going on! Who was this guy! Where the heck was I. I felt a horrible sinking feeling in my stomach. This looked like some kind of prison cell. Desperately, I began listing all my activities over the past few weeks. What had I done? A ray of light suddenly yielded a possible answer. It was that damn Cross Site Scripting paper.

I had released a whitepaper on persistent XSS exploitation, titled, “Awakening the sleeping giant”. It discussed various exploitation techniques to bypass application filtering. It also detailed an array of attack scenarios in which to utilise these exploits. This included attacks such as JavaScript port scanning and HTTP(s) brute forcing. It was now possible for script kiddies to gain access to hundreds of thousands of computer systems, using JavaScript and URL based exploits or browser based vulnerabilities. I also made the point that we may see an increase in JavaScript exploit code where shellcode is embedded within JavaScript rather then in a traditional Perl or C exploit. This would allow hackers to use Cross Site Scripting as a catalyst or vehicle to gain access to networks behind firewalls and other security mechanisms.

References:

• http://michaeldaw.org/projects/awakening-the-sleeping-giant-v10/
• http://en.wikipedia.org/wiki/Cross_site_scripting
• http://www.gnucitizen.org/projects/attackapi
• http://p.ulh.as/xploitsdb/NT/6078.html

I began packing away my laptop. John, the security manager popped his head round the door. “You off Michael?” “Yes sir, I will be back tomorrow to continue.” “One of the network engineers just informed me that there is a new administrator account on the network.” “Ye, looks like one of your boys secured the primary domain controller with a Microsoft SQL sa password of ‘Startrek’.” John sighed. “Do people ever follow policy? Sarah wants to know if you’re still coming around for dinner tomorrow night?.” “Absolutely!”

It was good seeing John again. He was like the father I never had. John and his darling wife Sarah had taken me in. I don’t remember much about my past. All I remember is that John had caught me after attempting a skimming attack at an ATM machine not far from his house. I was only 17 years old. My heart sank as I thought back to the event.

Skimming back then wasn’t as fancy as it was today. I would approach an ATM machine and carefully place matchsticks into the card readers. An unsuspecting victim would slip their card into the machine and enter their PIN number, only their card would become jammed. I would agree to wait as they called for help. John was a little too streetwise to fall for that one. How things had changed I thought to myself. These days we have organised criminal syndicates setting up fake card readers and micro cameras. Interesting times…

I finally got to Victoria station. I hopped on the train and turned on my XDA. I looked over the Bluetooth message I had received earlier. I felt odd as I looked over the message. “Those characters! I know them”. I began searching my mind deeply in an attempt to recollect the void which was before me. I started to feel dizzy.. I continued pushing for the answer.. flashes… memories… my vision became blurred.

“Michael… Michael Daw… welcome home lad.”

References:

• http://www.bankrate.com/brm/news/atm/20021004a.asp?prodtype=bank

“That was a really cool trick you did with your phone”, Michael said, slightly deepening his voice and passing a credit card to the waitress.

She looked up, “please enter your PIN number sir”, “What trick?” she inquired.

“Didn’t you send that bluetooth message to my phone?”

“Ermm.. you lost me sir?” the waitress answered with a curious look on her face.

Lost for words, Michael ignored her question and kept his eyes on the device in her hands. The transaction was certainly taking its time… the wait reminded him of those Sunday morning soap opera’s his grandmother use to insist he watch.

he head of the receipt appeared from the top of the POS Data Collector. Michael took the card and receipt and exited the restaurant without saying another word.

Emabarrassed he made his way back down the road toward the bank he had been commissioned to test for the day.

Relaxing in front of his laptop, Michael eagerly looked at his screen, trying to forget his silly restaurant experience.

“My port scans should be just about done by now,” Michael groaned, raising his arms to the air and letting out a yawn.

The test was to simply locate critical vulnerabilities in some of the banks key servers, or atleast a duplicate of the key servers built on a VMware test lab. The idea behind using a VMware test lab, was to prevent downtime or data corruption from any of Michael’s simulated attack scenarios.

nmap had almost finished its port scan…

Michael looked over his typescript file, containing the arp-scan fingerprinting results:

$ for I in `cat hosts.txt` ; do arp-fingerprint -o "-I eth0" $I ; done

10.1.9.1   01000100000     Linux 2.2, 2.4, 2.6
10.1.9.5   01000100000     Linux 2.2, 2.4, 2.6
10.1.9.9   11110110000     Solaris 2.5.1, 2.6, 7, 8, 9, 10, HP-UX 11
10.1.9.10   11110110000     Solaris 2.5.1, 2.6, 7, 8, 9, 10, HP-UX 11
10.1.9.11   11110110000     Solaris 2.5.1, 2.6, 7, 8, 9, 10, HP-UX 11
10.1.9.12   11110110000     Solaris 2.5.1, 2.6, 7, 8, 9, 10, HP-UX 11
10.1.9.15 11110100000 FreeBSD 5.3, Win98, WinME, NT4, 2000, XP, 2003

• http://www.nta-monitor.com/tools/arp-scan/

I sat at a nearby restaurant called, “Joeys bar and grill” enjoying a succulent medium rare steak. The one perk when doing onsite work from the office was the company paid lunches. I finished my meal and sat quietly sipping on an ice cold Coke. “It always seems to taste better in a bottle”, I muttered with a satisfied smile.

I had recently switched my pay as you go mobile phone-if that is what you could call it, for a new 02 XDA II Mini. “It has WIFI capabilities”, I remember the cunning sales clerk saying. It was light, compact and cute I thought. I had been waiting a long while for a reason to upgrade my old piece of rubbish.

I had often used my phone to scan for insecure wireless networks nearby. It was a free and easy way to move around on the Internet and remain anonymous-if done right. Once connected, I could access websites or log into anonymous servers using pocket putty. I am always careful never to access personal resources across these channels, it just isn’t safe. I knew that rogue or malicious access points could be setup and monitored. There is also always the danger that if I chose to play around with something on the Internet they may attempt to track me down. So I stayed away from accessing email and other information that may give away my position. I had also changed the hardware or MAC address via the cell phone software. This made it virtually impossible to trace my connection should it be logged on a network device somewhere to be used later by the authorities.

I was getting ready to give a sign to the pretty looking waitress that I was ready for the bill when I heard a beeping sound. I immediately identified the sound and glanced down at my phone. A Bluetooth device was attempting to establish a connection with my phone or to pair – as they call it. Only, the name of the device connecting, identified itself as “hows the meal?”, it also had an array of odd-looking characters appended to the end. “Bluejacking”, I said with a smile, how fun! I remembered reading a oddly titled article, “how to play bingo and pickup girls with Bluetooth.”

I had often left bluetooth enabled on my phone with varying names just to see if anything would ever happen. Unexpectedly though, this was the first time. I also had a worrying nagging feeling that this may be some kind of worm or virus propogating via the Bluetooth protocol.

I knew that most Bluetooth devices had a limited range of about 10 meters. So I scanned my surroundings. No one was around. I scratched my head and felt rather confused. I looked around again only to find the waitress stairing at me with a smile and a bill in her hand. “It must be her” I thought. This was certainly my day. A cute waitress who understands Bluejacking. What a combination.

References:

• http://www.seeo2.com/product/XdaIImini/template/Product.vm
• http://www.bluejackers.co.uk/