
2016-02-29

Introducing System Bus Radio

This new project transmits radio on computers without radio transmitting hardware.

I am releasing it publicly now, and it is based on the recent RAMEAR project.

This is (yet another) TEMPEST / exfiltration project that allows you to transmit data from an air-gapped computer. The cool thing is that it works without any additional hardware, and can be received using off-the-shelf radio receivers.

Here is the project page https://github.com/fulldecent/system-bus-radio

Slashdotted at http://hardware.slashdot.org/story/16/03/01/1727226/microcasting-color-tv-by-abusing-a-wi-fi-chip

2016-02-25

Trust is the biggest threat to privacy & security

Part of the reason I trust Google is because I assume that people who work there have values like me. If unethical marching orders came in one day then engineers might resist them or one person might leak it. It took just one technician to blow the lid off of Room 641A. Google's past record of exiting mainland China because of Chinese spying should illustrate the commitment of Google to its users. This serves as an effective deterrent to people that might think of coercing Google to abuse its power. (Let's ignore the fact that Google did NOT leave the US market when the NSA tapped its server room interlinks.)

Unfortunately, this is not enough. The biggest risk to privacy and security is trust itself. The FBI / Apple case has made it obvious that Apple has the ability to collect information from iPhones (before 5s). The effort would be herculean, but it is possible.

Bo Xilai is a political dissident in China and was jailed by premier Xi Jinping for conspiring to take over the national party. The level of assurance provided by Apple's iPhone 5c was not enough for Mr. Bo to conduct his operations. It is assumed that Apple's 5s and on are beyond even the reach of Apple.

In summary, when considering the privacy and security assurances of a system, it is usually the human element or the implementation details that are weakest. This can be quantified with the "ransom factor":
How many people would need to be served National Security Letters, served with All Writs Act injunctions, or have their children taken for ransom in order to break the system?

2016-02-11

Internet Marketing Ninjas client report vulnerability

EMBARGO: THIS ARTICLE IS HELD FOR RELEASE ON 2016-02-11

William Entriken and Internet Marketing Ninjas worked together the week of December 7th, 2015 to find and correct a data enumeration vulnerability on IMN's client reporting system.

Following is the dashboard which IMN clients can use to see information related to their account.



Additionally there is a view where clients may see the results of linkbuilding efforts by the company.



This website uses AJAX heavily to refresh and deliver reporting content to the user. It is possible to recreate these requests using a command line interface. (Although this may be a violation of IMN terms of service, so don't do it without their permission!)

SYNOPSIS 

The following command can be used to download a list of a client's reports. The number ### is the client's ID number. It requires client access to the website, which is given through the Authorization Basic HTTP header. However, the number can be changed to any number to download that user’s account information.

curl -H "Authorization: Basic XXXXXXXX==" --data "func=reports_list&client_id=###" https://reports.internetmarketingninjas.com/index.php

Likewise, the following command can be used to download links for that client's site. However, the number ### can be changed to any number to download links for a given account.

curl -H "Authorization: Basic XXXXXXXX==" --data "func=links_report_url_all_download&client_site_id=###" https://reports.internetmarketingninjas.com/index.php

RISK

The risk is that this command can be surreptitiously issued for each number. This would produce IMN's entire client list and all reports created for any client. This vulnerability applies to any client or other user with access to the IMN system. I have not reviewed any other potential vulnerability and there may be other risks.

RECOMMENDATION

Another part of the client reporting system, accessible at the /report-files/ URL, is secure from this vulnerability. It is recommended that the same security in use there be applied to the two cases above.
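
The two requests above are authenticated but never checked against the account that made them. The following is an added example, not IMN's code (this page does not describe how /report-files/ or the eventual fix is implemented): a handler that trusts the ID in the request, next to one that authorizes each ID against the logged-in client. The handler names, the ownership tables and the sample data are constructed for illustration; only the two func names and their parameters come from the commands above.

```python
# Constructed sample data: which client owns which site, and each client's data.
SITE_OWNER = {501: 17, 502: 17, 777: 42}          # client_site_id -> client_id
REPORTS = {17: ["2015-11 rankings"], 42: ["2015-11 audit"]}
LINKS = {501: ["https://example.com/a"], 502: [], 777: ["https://example.org/b"]}

NOT_FOUND = (404, None)


def handle_vulnerable(auth_client_id, params):
    """Authenticates the caller but trusts the ID in the request body."""
    if auth_client_id is None:
        return (401, None)
    if params.get("func") == "reports_list":
        return (200, REPORTS.get(int(params["client_id"]), []))
    return NOT_FOUND


def _as_id(value):
    """Parse a positive integer ID; anything else is treated as absent."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None
    return n if n > 0 else None


def handle_hardened(auth_client_id, params):
    """Authorize every object reference against the authenticated client."""
    if auth_client_id is None:
        return (401, None)
    func = params.get("func")
    if func == "reports_list":
        client_id = _as_id(params.get("client_id"))
        # Foreign and nonexistent IDs get the same answer, so responses
        # do not reveal which client numbers exist.
        if client_id != auth_client_id:
            return NOT_FOUND
        return (200, REPORTS.get(client_id, []))
    if func == "links_report_url_all_download":
        site_id = _as_id(params.get("client_site_id"))
        if site_id is None or SITE_OWNER.get(site_id) != auth_client_id:
            return NOT_FOUND
        return (200, LINKS[site_id])
    return NOT_FOUND
```

Returning the same 404 for "not yours" and "does not exist" matters here because the identifiers are sequential numbers: a distinct 403 would still confirm which client IDs are in use.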

------------------------

RESOLUTION

Full details of this vulnerability were reported to the vendor on Friday December 11, 2015 at 12:45 and the issue was resolved within two hours and fifteen minutes. We consider Internet Marketing Ninjas' response time to be exemplary. At this time, no evidence has been found to suggest that unauthorized access to client data has occurred. There are no remaining known vulnerabilities for client data at this time.