Attack Step
The device entices clients to connect, by responding to all wireless probes.

Prevention
Client wireless implementations should be more careful when beacons are sent out. Beacons should not be sent out for all stored wireless networks indiscriminately. Clients should use broadcast probes where appropriate instead. iOS 6 seems to now implement broadcast probes as standard. Whilst this is a positive move, most mobile wireless devices have connected to at least one wireless hotspot. Beaconing for popular SSIDs in the local area such as “BTOpenzone”, “FON”, “Boingo Hotspot” in the UK and so on will continue to attract most wireless devices. Another option would be to require that open networks are manually connected to by default unless that setting is manually overridden along with associated warning. In the mean time, not connecting at wireless hotspots, removing saved wireless hotspot profiles, and turning WiFi off when not in use are all options.

Attack Step
Once connected, assign the device an IP via DHCP and use DNAT to redirect all traffic to all hosts back to the device itself.

Prevention
The device should perhaps perform some tests to see if traffic manipulation is in use. This could be legitimate, but at least warn the user that something strange could be going on.

Attack Step
The device will answer iPhone or Blackberry’s HTTP test for internet access and return the expected response

Prevention
I suspect this feature is supposed to detect if an internet hotspot login is required. It should either be removed or secured better to avoid just opening an arbitrary page on connection to a hotspot. This feature alone could be exploited in other ways.

Attack Step
Client attempts to check email and perhaps contact other servers based on apps installed.

Prevention
Tighter verification of protocol implementations should be performed. User should be specifically warned if SSL is not in use.

Attack Step
SSL hijack.

Prevention
The client should display an SSL warning that clearly explains that the session may be being hijacked. Rather than a weak informational type message, the warning should be clear and explicit, and require the user to specifically accept that the connection may be being intercepted. The user should be particularly careful to note any out of character behavior such as suddenly prompting with identity or verification issues

WPS attacks

The majority of consumer grade wireless networking devices come shipped with WPS enabled by default. A WPS pin is either 4 or 8 digits long and can therefore be cracked in a relatively short time with a brute force attack. Once the WPS pin has been cracked, the WPA PSK can be discovered. The quickest solution is to turn off WPS all together, especially if it is not actively in use on the network…

WiFi Hotspot Authentication Attacks

Clients on wireless hotspot networks are easily attacked; there’s no encryption in use and so data can be sniffed that’s going over the air. Attackers can either passively sniff, or launch ARP attacks to actively redirect traffic through their own host, and this is something that has been covered in previous articles…

Ettercap and SSLStrip for SSL Hijacking

Further to the articles on MITM attacks and ARP flooding, these are two attacks that Ettercap was built for. Ettercap is an excellent tool that does MITM, connection sniffing, protocol decoding and much more. Once an attacker is positioned appropriately on a network, be that physical or wireless, Ettercap is one tool that will enable full end to end traffic sniffing. Sniffing plaintext protocols is simple, but Ettercap has an additional trick up it’s sleeve for SSL. Firstly we need a small tweak to the default etter.conf, which is to uncomment the iptables commands…

WIFI MITM attacks

Following on from the network MITM attack article, it’s important to look at how man in the middle attacks and sniffing can be used against wireless networks. Firstly, let’s consider an open network. By open, I mean one with no encryption running. This is regardless of whether it’s a free internet connection or some kind of hotspot that requires payment or login. If you are able to connect to the network, and receive an IP address without any type of encryption or authentication, it’s an open network. Consider an open network to be similar to a free for all hub – all data broadcasted by any client can be passively sniffed by an attacker in range. By passive, I mean that no active network interference or MITM attack is needed. The attacker could also choose to use an active MITM attack such as the ‘ARP flood’ detailed in the last article…

Network Man In The Middle (MITM) Attacks

A man in the middle attacks involves an attacker positioning himself between a client (victim) and his intended server. The purpose is usually to either sniff (intercept) data or to modify data as it is being transmitted and received…

Password Request

I recently issued a ‘forgotten password’ request on a site that I’m signed up with. To my horror, after filling in my username and email address the password was emailed to me. What’s the problem here? Firstly is the obvious one, anyone with access to my email account automatically has access to my account on this site. OK, more sites than not operate in this way. The bigger issue, is that my password is stored as-is in plaintext. The password should be hashed and salted…

Website Security Questions

Most sites offer a method to reset forgotten passwords. Typically these range from weak, i.e. simply sending a reset link to the registered email account, meaning that an attacker need only have access to the victim’s email account, to weaker, i.e. sending the plaintext password direct to the victim’s email account. The latter example shows that the password is being stored in plaintext and not even hashed…

Social Engineering Attacks

Social engineering attacks involve getting a person to disclose information or perform malicious actions without them realizing what they are doing or who they are really speaking to. For example, an attacker contacts an office worker, “Hi, I’m calling from your internet provider, we’re just performing some testing to fix some of the bugs reported recently, could I just ask you to perform the following steps on the PC for me please..”

CRLF injection

CRLF injection occurs when an attacker is able to insert a CR (carriage return or ‘\r’) and LF (line feed or ‘\n’) into an application where it was unexpected. Windows implements a newline with both a carriage return and a line feed whilst UNIX implements a newline with a line feed only...

A person is not an IP address

There seems to exist an unconscious notion amongst coders, that a given external IP address is essentially linked directly to a person. I frequently hear things such as, “what’s your IP, I’ll add you to the firewall?” and “we restrict access to this control panel to the admin’s IP address only,” or worse, “some of our developers have dynamic IPs but they’re always on the 123.something range, so we allow 123.0.0.0/8 to access the admin area”…

I use a CMS or framework. Is my site secure?

Using a popular framework brings both a host of advantages such as rapid application development as well as a team of developers under public scrutiny to name a few. There are also a number of disadvantages to be aware of, and we will discuss some of the potential security pitfalls here…

What is CSRF?

Cross Site Request Forgery, CSRF or XSRF is a type of attack launched against the Client. Each time a Client browser makes a request to a website, the browser automatically sends along the cookies that it has stored for that site as part of the request header...

I use a WAF. Is my site secure?

Mod Security is a popular Web Application Firewall (WAF). It’s an absolutely excellent add on to a web server, and offers powerful logging and filtering when configured properly. It is however, not an excuse for secure coding...

I have an SSL certificate. Isn’t my site secure?

No – it’s not. I’m still shocked at how many vulnerable web applications I find during auditing, and have a Client remark, “but we even bought that security certificate, what else did we need to do?” Unfortunately, whether it’s down to false advertising, consumer ignorance or both, there exists a myth that installing an SSL certificate means that ‘everything is now encrypted’, and the site and system are secure…

Secure Application Design

Good security is not necessarily based on secrecy, for example strong cryptographic algorithms exist and have gone under the scrutiny of mathematicians, engineers, and industry experts for years. If your password hashing algorithm needs to be kept secret for your security to stand up, it’s probably not very good. Eventually, your password database might be made public, and your non-salted md5 password database will fall...

Security as a Mindset

Secure programming standards and database design are absolutely essential when building an application, we know that, but what about looking at the bigger picture? A large part of security is based around trust…

When you need help

Whether you are the only internet user in your home or you’re running a company full of computer users, having your system checked by a security consultant is always a good idea.  A good security consultant can help you protect your information from hackers and other unsavory characters that would like nothing better than to find a weakness in your system and use it to send your online life into upheaval…

Cross Site Scripting – Stored and Reflected

We’ll look at two types of Cross Site Scripting (XSS) attacks here – stored and reflected.

Take the typical example of a web form where a user might enter his contact details into a membership section. Let’s look at one of the input boxes, one that takes the username…

What is SQL Injection?

SQL Injection is a type of attack where SQL (database query language) is literally injected through the web application into the database. SQL Injection allows for database queries to be executed by the database in ways that the programmer did not intend. The best explanation is by way of an example. Lets assume that we have a variable called $USERID and we need to construct a query that fetches the USERNAME from the database for that $USERID. We might design a query something like…

[Show as slideshow]

One of the biggest limitations is that the device has fuses on the USB ports that kick in at about 140mA. Technically, this is in line with the standard, although it’s come to be expected that the USB ports are able to output significantly more current. This makes it difficult to attach anything of use other than a keyboard or mouse to the Raspberry Pi without a powered USB hub. I’m pretty sure that keyboards and mice were all that the Raspberry Pi’s USB ports were really intended for, but this won’t suit our purposes. Seeing as I intended to run an Alfa AWUS036H on one of the ports and maybe a GPS device on the other, we’ll need more power than that. I soldered a wire between the +ve input pin and the +ve output pins on both USB ports. This bypasses the 2 140mA USB fuses and the 1 700mA input fuse. This has safety implications and will void your warranty!

[Show as slideshow]

You’ll notice that I have two batteries any way – that’s because I’m using the Tecknet iEP390 11000mAh and they have a maximum current output of 1A which unfortunately causes a drain on the board when the Alfa card is in use and triggers a kernel panic. I could get batteries that support more than 1A maximum current although the Tecknet batteries were extremely good value for money and are excellent products, so I’m not that bothered for now. Besides, having 2x 11000mAh capacity batteries means that the device can run fully active for about 20 hours or more without a charge.

Zeroshell runs on a regular Linux kernel, and SSH can be opened for full shell access. It doesn’t do anything that can’t be done manually via the Linux command line, but it’s an excellent and easy to use system that gets it done far quicker. It’s also proven to be completely stable, and allows me to max out the 65mbit DSL without issue.

root@zeroshell root> uptime
18:27:36 up 257 days, 55 min,  1 user,  load average: 0.16, 0.05, 0.01

Highly recommended and only takes as long to set up as writing the image to your CF card. Also compatible with Vmware.

Having done that, I decided to add line following ability to the larger robot. It’s quite a simple circuit and fits in nicely with my arduino experimentation. I have a strip of high power LEDs with a pot to trim the brightness. Underneath that, I have 5 light sensitive resistors, reasonably well spaced apart and separated by card. The theory here is that the light sensitive resistor  that is over the black line will have less resistance than the others, and using that, we can work out whether we need to move more to the left or the right.

[Show as slideshow]

The 5 analog inputs are fed to the Arduino chip, which converts them to digital output and passes it to the board over USB serial. From there we can write a simple algorithm to control movement.

I then decided to go ahead and test the new XBEE chips for wireless communication. They really are plug and play.. Here’s another video -

Anyway, some time ago, I became interested in wireless power. I don’t know a huge amount about electronic theory, but thought I’d give it a go. The circuit is really simple and really really REALLY inefficient. I use a signal generator to drive a high power transistor at about 10kHz square wave and then have 24VDC pulsed through the coil. The receiver is just a coil with a noisy weak AC current and some LEDs. I can increase efficiency slightly using a capacitor.

Of course, there are some far better circuits out there like http://iteadstudio.com/application-note/wireless-power-transmission-or-charge-module/ or http://www.youtube.com/watch?v=2ODW-ntPHSU but this was just a quick hacked together test without going too much into the electronic theory of it. Here’s some pics..

Main Board

◄ Back

Next ►

Picture 1 of 5

The headset itself comes almost ready to go, just attach the felt pads and wet them with saline. Affixing the headset to the head is a bit difficult the first few times and requires a bit of practice. Once you’ve done it a few times, it becomes a lot easier. The key is getting each of the felt pads absolutely soaking wet with saline before putting it on the head.

I’m going to be using the headset for a number of different purposes. As a BCI, I intend to use it to manipulate the robot, and probably in future other more useful tasks. Separately, I plan to use it to monitor sleep and meditation sessions which are a separate area of interest of mine.

In a previous post, I showed how it was possible to control the robot using voice commands. Here, I’ve modified the voice control script to handle simple keystrokes instead. The Emotiv control panel comes with a tool called ‘Emokey’ that can issue defined keystrokes when certain actions are detected within the control panel. Here’s a video:

The purpose is really to show how simple it is to interface with any regular program/script using EmoKey. There are other more exciting possibilities such as directing music based on the Affectiv suit. The Affectiv suite deals in mind states such as frustration, alertness, meditation, etc.

There are other potential methods of triggering voice control. With a bluetooth enabled phone’s MAC address, it’s possible to l2ping it without any pairing needed. We can then tell it’s signal strength. I’ve already written a sample tool to speak “hello” and “goodbye” as a person['s mobile phone] gets closer or further respectively to the robot. Perhaps slightly too annoying on an ongoing basis, hence the 2 sets of 2 claps.

There are probably a few more options that I didn’t think of, although I decided on a reasonable but quite simple solution. I don’t think that the prerequisites are unreasonable:

1. The robot starts on it’s charging point
2. The following prerequisites are inherited from the automatic moving in general:
   1. The robot is not manually moved or pushed about. It needs to know where it is.
   2. If the robot finds objects it wasn’t expecting, it’s in trouble.
   3. The territory is mapped and functions are provided to navigate it in advance.

Using the automove covered in the previous 2 posts, the robot can move automatically throughout a mapped terrain. It can use any of it’s other sensors and logic to decide which routine (path) to take at the end of any given routine. The only difference here, is that a specific charge function has been written. The last function in the routine below ends the robot about 12 inches from the charging station. The charge function brings it back and closer in smaller increments, lining up using it’s right and back sensors. It then turns it’s charging terminals on, and makes smaller still movements and adjustments until it detects charge.

I’ll bullet point the changes as there are a few:

• Robot now has two charging contacts that need to be specifically enabled via controllable relay
• Excess acrylic was removed
• Robot’s LCD, Speakers, Cam & Battery are also all on relays and can be enabled or disabled via software.
• The Robot has a clap activated switch, and so programs can be triggered via clapping
• The current meter was hooked directly to battery output
• The Robot has additional IR distance sensors. Now 2 front, 2 left, 2 right and 1 back
• Wheels are now much better aligned
• The Robot now has a more compact mic for better voice recognition
• The speaker relay has a capacitor over it to avoid the initial surge when powered on.
• The carnetix voltage regulator had failed and so was replaced.
• The software has been rewritten in C to interface directly with the hardware, and python to provide a TCP server to interface with all necessary functions. I use PHP for the ‘client applications’, to interface with the python interface. Ideally I would use python for the client apps too, but I haven’t got around to learning Python properly, and this wasn’t the time to do it.

The new hardware and software address a lot of the problems that we had before, the platform is also more stable and more reliable. I’ve written a set of functions that allow the robot to move around automatically. I’ve mapped the flat into 5 different areas and written a set of rules for handing each area. Each ruleset gets the robot from the start of one section to the end, ready to hand over to the next ruleset. We only rely on the positioning of the robot vs known objects mapped out. i.e. while right_sensor_1 and right_sensor_2 are both sufficiently close to the wall and the front sensor is sufficiently far from the door, keep moving forward, whilst lining up straight with the right all type logic. The downside with this approach is unexpected objects in the robot’s path, doors left open, etc. This could be overcome with more sophisticated coding.

Here’s a video of the robot navigating automatically from the bedroom through to the lounge:

In the next article, I’ll show how the new hardware and software allows for greater control over movement in general when being controlled manually.

PayPal’s API doesn’t support everything you might want to do, specifically sending payments, so it’s possible that some of the functionality could only be achieved by scraping the site. My main list of features is as follows:

1. Instant popup on payment receipt
2. Fast and powerful reporting, stats and graphs.
3. Quickly and easily in a few clicks send a payment.

Any ideas or interest? Please let me know!