Wednesday 24 July 2013

Long-Range RFID Hacking Tool to be Released at Black Hat

RFID hacking
Out of necessity come many interesting inventions.
A year ago, Fran Brown was working on a penetration test for an electric utility, assessing its SCADA network. His first challenge was to get inside the facility; in short, he had to break in. To do so, he decided to test the utility’s physical security systems, specifically the low-frequency RFID proximity cards used for building access.
While past research on the problem existed, including Kristin Paget’s groundbreaking 2007 talk at Black Hat DC on RFID cloning, most of the work on the topic involved tools that were never released or papers that were largely theoretical. His search for information covered everything from past talks on the subject to product manuals, and even translating material he found online from a Czech professor.
Next week at the Black Hat Briefings in Las Vegas, Brown will release the end result: a modified RFID reader that can capture data from 125KHz low frequency RFID badges from up to three feet away. Previous RFID hacking tools must be within centimeters of a victim to work properly; Brown’s tool would allow an attacker or pen-tester to store the device inside a backpack and it would silently grab card data from anyone walking close enough to it.
“This is the difference between a practical and impractical attack,” said Brown, managing partner at consultancy Bishop Fox. Brown said his attack has been tested numerous times with a 100 percent success rate; he added he’s been able to train other consultants to use the tool and have them capable of doing so within 10 minutes.
“Hopefully we can start getting ahead of these attacks as they become more applicable,” Brown said, highlighting the example of Disney moving to RFID readers for everything from ticketing, fast passes inside its parks, and souvenir purchases with a Disney-specific credit card. “Every office we tested, whether it was a Fortune 100 customer or government agency, I’ve not come across a system not using one of these legacy readers.”
The RFID systems have no security, such as encryption, behind them, making it trivial to intercept badge information. An attacker can in theory capture card data, clone it onto a new card, and be able to access a physical facility. Compounding the problem for enterprises is that these readers and badges are often managed by physical security teams and generally operate on a 20-year product lifecycle. For a large company with 100,000 employees, you’re looking at at least that many replacement badges and readers, often in many countries. HID, a leading proximity-card manufacturer, admitted in a June blogpost that its legacy 125KHz cards are vulnerable, yet are still in place in 80 percent of physical access control systems despite the availability of more secure alternatives.
“There is no security, they’ve been hacked, there’s no protection of data, no privacy, everything is in the clear and it’s not resistant to sniffing or common attacks,” said Stephanie Ardiley, product manager, HID Global.
Brown’s attack involves customizing an RFID reader with an Arduino microcontroller to turn it into a long-range reader capable of reading card data from up to 36 inches away, making stealthy approaches possible.
“This involved the creation of a small, portable [printed circuit board] that can insert into almost any commercial RFID reader to steal badge info and conveniently save it to a text file on a microSD card for later use such as badge cloning,” Brown said.
Brown said penetration testers will be able to purchase an Arduino microcontroller, install the code he will make available after Black Hat, and replicate his tool and attack.
“[Hackers] who are seriously motivated can build custom stuff on their own. This is targeted toward the Fortune 500 security professional,” Brown said. “As with any penetration testing tool, this one can be turned malicious. But the way I think of RFID Hacking is that it’s where Web application security was 10 years ago. Until people are doing SQL injection and here’s me stealing with SQL injection, no one is going to be motivated to do anything about it.”
Brown said he will share some mitigation advice during his talk, including recommendations on which protective sleeves work better at thwarting these types of attacks, and which security screws should be used to secure RFID readers. He will also talk about software-based anomaly detection systems that should be configured to detect people using access cards at odd hours or unusual locations.
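As an added illustration of the anomaly-detection approach Brown mentions (example code written for this page, not Brown's tool or any vendor's product), the script below runs two checks over a constructed badge-access log: badge use outside assumed business hours, and use at a reader the badge has never been seen at before. The log format, the business-hours window and the baseline cutoff date are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, "timestamp,badge_id,reader_id,result"; not from any real system.
SAMPLE_LOG = """\
2013-07-01T08:02:11,B1001,HQ-LOBBY,granted
2013-07-01T08:03:40,B1001,HQ-FLOOR3,granted
2013-07-02T07:58:02,B1001,HQ-LOBBY,granted
2013-07-02T17:31:19,B1001,HQ-FLOOR3,granted
2013-07-03T08:10:44,B1001,HQ-LOBBY,granted
2013-07-22T02:14:05,B1001,HQ-LOBBY,granted
2013-07-22T02:15:30,B1001,DC-SERVERROOM,granted
"""

BUSINESS_HOURS = range(6, 21)  # assumption: 06:00-20:59 is normal working time


def parse_log(text):
    """Turn CSV lines into (datetime, badge, reader) tuples, keeping granted events only."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, reader, result = line.split(",")
        if result == "granted":
            events.append((datetime.fromisoformat(ts), badge, reader))
    return events


def build_baseline(events, cutoff):
    """Readers each badge was granted at before `cutoff` form its usual-locations profile."""
    baseline = defaultdict(set)
    for ts, badge, reader in events:
        if ts < cutoff:
            baseline[badge].add(reader)
    return baseline


def find_anomalies(events, baseline, cutoff):
    """Flag events after `cutoff` that are off-hours or at a reader the badge never used."""
    findings = []
    for ts, badge, reader in events:
        if ts < cutoff:
            continue
        if ts.hour not in BUSINESS_HOURS:
            findings.append((ts.isoformat(), badge, reader, "off-hours"))
        if reader not in baseline.get(badge, set()):
            findings.append((ts.isoformat(), badge, reader, "unusual-location"))
    return findings


def run(text=SAMPLE_LOG, cutoff=datetime(2013, 7, 15)):
    events = parse_log(text)
    return find_anomalies(events, build_baseline(events, cutoff), cutoff)
```

On the sample log, the two 02:00 events are flagged as off-hours and the server-room swipe is additionally flagged as an unusual location for that badge.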

Hawaii cyber range launches anti-hacking training

The state of Hawaii on Wednesday launched a center to train people to defend computer systems from attack.

The so-called "cyber range" is a collection of servers and routers in a room on the University of Hawaii's Manoa campus. The equipment will allow people to practice hacking computer systems as a way to learn about network vulnerabilities.
The machinery will get a workout in early August when the university hosts a training exercise for up to 100 people. Participants will split into a red team of hackers and a blue team responsible for defending a hypothetical business's computer systems.
"You can really do a good job of fortifying your system but you don't really know how fragile a system is until you try and break it. That's what a cyber range is about," said Brian Chee, the director of the university's Advanced Network Computing Laboratory.
Most ranges in the country have been built for the military and they are still rare in the civilian world, he said.
"This is taking the cyberwarfare game and stepping it up a lot," said Chee, whose lab tests equipment for InfoWorld, a network equipment trade magazine.
Pretending to be a "black hat" or malicious hacker is good practice, he said.
Chee recounted how he once scanned open wireless network connections while sitting in a downtown Honolulu park between the state's major banks. He found one, and was able to use it to see financial transactions being carried out. He called his friend in the bank's information technology department, who discovered a bank employee had installed an unauthorized Wi-Fi access spot under his desk.
"They created this big giant puka behind the firewall," he said using the Hawaiian word for hole. "I was actually seeing financial transactions go by. If a black hat decided to take advantage of that, they could wreak havoc."
The equipment for the cyber range would cost just under $2 million if bought new, Chee estimated. But the state spent only about $1,000 on it because most of it was donated from places like Chee's lab and the Maui High Performance Computing Center, said Franklin Jackson, cyber security executive for the state Department of Defense.
University officials, private sector workers and the Hawaii National Guard worked together to get the center going.
Gov. Neil Abercrombie said at a dedication ceremony for the range his administration will follow up during the next legislative session with proposals to invest more in information technology.
Underscoring the importance of the cyber range to the state, Abercrombie was joined by the state adjutant general, Maj. Gen. Darryl Wong, Honolulu Police Department Chief Louis Kealoha and the top federal prosecutor for Hawaii, Florence Nakakuni, at the ceremony.

Read more here: http://www.kansascity.com/2013/07/24/4365315/hawaii-cyber-range-launches-anti.html#storylink=cpy

Exclusive: 'Bigger than phone hacking' - Soca sat on blue-chip dirty tricks evidence for years

Angry MPs join calls for secret list of those involved as banks and pharmaceutical firms are linked to rogue private investigators

Banks and pharmaceutical companies are on a secret list of blue-chip firms that hired private investigators who break the law, The Independent has learned.

The revelation that firms from two of this country’s biggest industries may have commissioned corrupt PIs – without facing prosecution – will fuel concerns that corporations potentially involved in the unlawful trade in private information have so far escaped proper investigation.
This newspaper has previously revealed that law firms, insurance companies and financial services organisations have used PIs for years to obtain a range of private data.
Information on the banks and pharmaceutical companies is contained in an explosive list of corrupt PIs’ clients handed to a parliamentary committee by the Serious Organised Crime Agency (Soca). The list of 101 clients also includes some wealthy individuals.
Following weeks of damaging revelations in The Independent, Soca finally bowed to political pressure earlier this week and privately released to MPs the historical details which its investigators ignored for years.
However, the agency has classified the material as secret to safeguard individuals’ human rights and protect the “financial viability of major organisations by tainting them with public association with criminality”.
The decision comes as the newspaper industry is at the centre of the largest criminal investigation in British history over practices including the hiring of corrupt PIs.
Asked this evening if the classified information contained details of banks and pharmaceutical companies, Keith Vaz, chairman of the Home Affairs Select Committee, said: “This affects all manner of organisations.”
Mark Lewis, the lawyer who represents the Milly Dowler family and a long-time scourge of Fleet Street, said: “Consistency demands that the same rules apply to all, whether you run a newspaper, a pharmaceutical company or a law firm.
“As soon as you depart from the equal applicability of law to all, then the law really does become an ass.”
Trevor Pearce, the director-general of Soca, decided to classify the details of blue-chip companies, in line with Cabinet Office guidelines about sensitive material.
He demanded the list be “kept in a safe in a locked room, within a secure building and that the document should not be left unattended on a desk at any time”.
However, in what would amount to a remarkable snub, the committee is so angry with Soca that it is considering releasing the information under parliamentary privilege.
Mr Vaz said: “We will come to a view as to whether or not we will publish this list. These events took place up to five years ago. Those companies or individuals who either instructed private investigators to break the law or did nothing to stop them must be held to account.”
It is understood other members of the committee are furious that they are being asked to participate in the cover-up. One source said: “This is bigger than the phone-hacking scandal and the committee does not want to be held accountable when all this comes out in the wash.”
Last month The Independent revealed that Soca compiled a dossier in 2008 that outlined how firms, individuals and organised crime bosses hired criminal PIs.
The investigators broke the law to obtain sensitive information, including mobile phone records, bank statements and details of witnesses under police protection.
Soca was analysing intelligence from mostly Scotland Yard investigations that had also failed to prosecute the offenders for the most serious offences – and completely ignored the blue-chip clients who may have profited from their crimes.
The report – which showed the practices went far wider than the newspaper industry – was dismissed by Lord Justice Leveson, who considered it fell outside the narrow terms of reference for his inquiry into the media.
One of five police investigations reviewed by Soca found private detectives listening in to targets’ phone calls in real time. During another police inquiry, the Soca report said officers found a document entitled “The Blagger’s Manual”, which outlined methods of accessing personal information by calling companies, banks, HM Revenue and Customs, councils, utility providers and the NHS.
Illegal practices identified by Soca investigators went well beyond the relatively simple crime of voicemail hacking and also included police corruption, computer hacking and perverting the course of justice.
Meanwhile, in an extraordinary joint admission on the Soca website, Mr Pearce and Commander Neil Basu of the Metropolitan Police admit the agency sat for years on evidence of criminality, until it was finally forced to act in May 2011 by former British Army intelligence officer Ian Hurst, whose computer was allegedly hacked by corrupt private investigators.
Mr Hurst told The Independent: “For reasons that remain unclear, the Leveson Inquiry did not touch the sides with regard to the police. In the final analysis, law enforcement agencies are going to have to justify why they conspired for years to protect the offenders and their clients, which extend way beyond the media.”
The joint statement also failed to address why Soca has still not passed all its historical evidence to Scotland Yard, which is currently investigating the crimes that the agency ignored.
Tom Watson, the campaigning Labour MP, said: “Why is the Met Police not in possession of all the information it would usually require to investigate criminal wrongdoing? Why did Soca not give all the physical evidence in the form of the original hard drives to the Met?
“The Yard and Soca need to provide an urgent explanation as to why the latter is still sitting on a bank of data that any decent police investigator would require to do a proper job.”
Rob Wilson, a senior Conservative MP, has written to Home Secretary Theresa May calling on her to sack Mr Pearce and Soca chairman Sir Ian Andrews over their refusal to publish the list of blue-chip clients.
A Soca spokesman said: “Trevor Pearce provided the chair of the committee with further confidential information on 22 July 2013. Soca is unable to comment further on that detail. However, as stated in the DG’s covering letter – which is published on the Soca website – the information provided does not allege, either expressly or by implication, that the individuals and companies named in it, or any individuals working for those companies, have or even may have committed a criminal offence.”