FMH, Converge, and BSides Detroit

Last week

We had to put the RFID antenna experiments on hold last week to work on the FMH project. We wanted to simulate the JBOSS exploit, and make sure we could pull the pcaps for forensic analysis before Daniel went out of town. We ran into some trouble while spinning up a Kali instance on the NUC; the hard drive was full. We needed to delete some old instances in order to make room for the new ones.

I spent the second half of the week at two conferences: Converge and BSides Detroit. There was a wide range of topics covered, from the security implications of the new MySQL 5.7 release, to developing security training programs for employees of large firms, and even tips for folks like me who have a Bachelor of Science in Information Assurance and are now looking for the next steps. There were also many vendors there, including big international technology firms and smaller, local security companies, along with multiple ‘Capture The Flag’ (CTF) competitions.

A few brief conference highlights

MySQL 5.7 Security

Dave Stokes’ talk on the latest MySQL 5.7 release was full of useful information about the new features in this update. Database administrators have a lot more control over user passwords now, including banning certain passwords, enforcing password rotation, and even connecting with external authentication mechanisms like PAM, LDAP, Kerberos, etc. The database no longer uses mysql.user.password, and now uses authentication_hash instead. Also to improve security, if you want to use SSL and don’t already have a key pair, MySQL will create one for you. MySQL can now use TLS v1.1 and v1.2 (!). A random root password is generated on every MySQL installation. Usernames can now be 32 characters instead of 16 characters.

Dave Stokes is a Community Manager for Oracle, and his slides can be found here.

AppSec Awareness: A Blue Print for Security Culture Change

Chris Romeo gave a very interesting talk about security culture in large companies. As the Chief Security Advocate at Cisco Systems, he helped create the security training for Cisco employees. The training was very effective, and also looked fun. It was gamified: you earn a different colored belt with each security training module you complete, and the belt colors level up like karate belt colors. Chris believes the program’s success is partly due to the gamification, along with a clear end-point and a fun theme that people enjoyed. Also, the training was not mandatory. Chris believes that opt-in training is much more effective than required training.

Now, Chris Romeo helps run A recording of Chris Romeo’s talk can be viewed here.

Learning Security the Hard Way: Going from Student to Professional

Benjamin Carroll works in Cyber Security Operations at Consumers Energy, but not long ago he and I were competing against each other at the Michigan Collegiate Cyber Defense Network (CCDN) competition. His team from Baker College usually won, but he had some really insightful critiques of the competition, and of Information Security classes in general. After gaining some industry experience, his main complaint about CCDN was its competitive format. Teams wouldn’t dream of sharing playbooks, but that is exactly what is necessary to be successful in cyber security, Ben argues. More often than not, similar businesses experience similar malware campaigns, and sharing information about these attacks is beneficial for everyone. Ben also discussed the different types of degrees we receive in Information Security. Most schools tend to lean either toward the science side or toward the business/policy side. His advice is to figure out which kind of degree you’ve got, and work on your own to make up the difference.

Benjamin Carroll’s talk can be found here.

Other Experiences

I also competed in CTF 313, helping my team come in 4th place. I mostly helped with data analysis, parsing log files on the command line, and using Python to parse JSON objects. I also enjoyed trying the physical lock and history challenges. I connected with security folks from Cisco, CBI, and Tenable, and even got to enjoy dinner with a team from Cisco. I was invited to GrrCon, MiSec, and ArbSec, which should be good ways to get more involved with the local information security community. I really enjoyed both Converge and BSides Detroit, and I am looking forward to attending again next year.


Experimenting with RFID

There are three main frequency bands that common RFID tags operate on: low frequency (LF), high frequency (HF), and ultra-high frequency (UHF).  A reader built for one band cannot read tags from the other two, so we needed to determine where to start. We enumerated some of the commonly-found tags we’d like to scan:

  • Passports 13.56 MHz HF ISO 14443 Type A
  • Parking passes 865~928 MHz UHF ISO 18000-6C
  • Dog/cat/pet implants 125 kHz LF ISO 11784 & 11785
  • Key fobs 125 kHz LF
  • Mcard 13.56 MHz HF Mifare DESFire EV1 ISO 14443-4 Type A Smart Card
  • Library books 13.56 MHz HF ISO 14443A
  • Library books 13.56 MHz HF ISO 15693
  • Library books 860~960 MHz UHF EPCglobal
  • Credit cards/Payment cards 13.56 MHz HF
  • Flocktag 13.56 MHz HF MiFare Classic 1K ISO/IEC 14443 Type A

Of all the RFID tags we wanted to skim, it seemed that HF was the most popular.  Luckily, I was able to borrow a Samsung Galaxy Nexus running Android 4.3 Jelly Bean that has exactly this kind of reader built into it.  The Galaxy Nexus uses Near Field Communication (NFC) on the same frequency that we want to scan, 13.56 MHz.  Using the built-in reader and the NFC TagInfo app from NFC Research Lab Hagenberg, we were able to scan, parse, and save the data from a U.S. passport, the U-M school ID card, a FlockTag Rewards card, and a MasterCard® PayPass.
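Most of the HF tags in the list above are ISO 14443 Type A, and the first thing a reader (or TagInfo) sees from such a tag is the ATQA/SAK pair from the anticollision handshake. The decoder below is an added example, not code from the post or from NFC TagInfo: it pulls the UID size out of ATQA, the ISO 14443-4 bit and cascade bit out of SAK, and guesses the MIFARE family from well-known SAK values (the layout follows ISO/IEC 14443-3 and NXP’s MIFARE type-identification note). The `ATQA:` / `SAK:` dump format it parses and the sample dumps are constructed for the demo, not TagInfo’s real export format.

```python
"""Classify an ISO 14443 Type A tag from its ATQA and SAK bytes.

Added example (not from the post or NFC TagInfo).  Bit positions follow
ISO/IEC 14443-3; the MIFARE SAK table follows NXP AN10833.  The dump
format parsed by parse_dump() and the SAMPLE_DUMPS are constructed.
"""
import re
from dataclasses import dataclass

# ATQA low byte, bits b8:b7 (mask 0xC0) encode the UID size; 0b11 is reserved.
UID_SIZE_BY_CODE = {0b00: 4, 0b01: 7, 0b10: 10}

# Well-known SAK values for MIFARE cards that are NOT ISO 14443-4 capable.
MIFARE_SAK = {
    0x08: "MIFARE Classic 1K",
    0x18: "MIFARE Classic 4K",
    0x09: "MIFARE Mini",
    0x00: "MIFARE Ultralight / NTAG",
}

SAK_ISO14443_4 = 0x20   # b6: card speaks the ISO 14443-4 transport protocol
SAK_CASCADE = 0x04      # b3: UID not complete, another cascade level follows


@dataclass(frozen=True)
class TagClass:
    uid_bytes: int
    iso14443_4: bool
    cascade_incomplete: bool
    family: str


def decode_atqa_sak(atqa: int, sak: int) -> TagClass:
    """Decode a 16-bit ATQA (low byte = first byte on the wire) and 8-bit SAK."""
    if not 0 <= atqa <= 0xFFFF or not 0 <= sak <= 0xFF:
        raise ValueError("ATQA is 16 bits and SAK is 8 bits")
    code = ((atqa & 0xFF) >> 6) & 0b11
    uid_bytes = UID_SIZE_BY_CODE.get(code)
    if uid_bytes is None:
        raise ValueError("ATQA UID-size code 0b11 is reserved")
    iso4 = bool(sak & SAK_ISO14443_4)
    cascade = bool(sak & SAK_CASCADE)
    if iso4:
        # SAK alone cannot tell DESFire, ePassport and payment cards apart;
        # that needs the ATS and application-level selection.
        family = "ISO 14443-4 card (DESFire / ePassport / payment: identify via ATS)"
    else:
        family = MIFARE_SAK.get(sak, "unknown non-ISO 14443-4 tag")
    return TagClass(uid_bytes, iso4, cascade, family)


# Constructed dump format: one "ATQA: 0x...." line and one "SAK: 0x.." line.
_ATQA_RE = re.compile(r"^\s*ATQA:\s*0x([0-9A-Fa-f]{4})\s*$", re.M)
_SAK_RE = re.compile(r"^\s*SAK:\s*0x([0-9A-Fa-f]{2})\s*$", re.M)


def parse_dump(text: str) -> tuple:
    """Return (atqa, sak) from a constructed TagInfo-style dump."""
    atqa = _ATQA_RE.search(text)
    sak = _SAK_RE.search(text)
    if not atqa or not sak:
        raise ValueError("dump must contain ATQA and SAK lines")
    return int(atqa.group(1), 16), int(sak.group(1), 16)


def classify_dump(text: str) -> TagClass:
    return decode_atqa_sak(*parse_dump(text))


# Constructed sample dumps (values typical of the named card types).
SAMPLE_DUMPS = {
    "FlockTag (MIFARE Classic 1K)": "ATQA: 0x0004\nSAK: 0x08\n",
    "Mcard (DESFire EV1)": "ATQA: 0x0344\nSAK: 0x20\n",
    "Passport (ISO 14443-4)": "ATQA: 0x0008\nSAK: 0x20\n",
}

if __name__ == "__main__":
    for name, dump in SAMPLE_DUMPS.items():
        print(f"{name:30s} -> {classify_dump(dump)}")
```

A DESFire-class card announces a 7-byte UID and the ISO 14443-4 bit, while the MIFARE Classic card shows a 4-byte UID and SAK 0x08; that split is exactly why the Classic 1K loyalty card and the DESFire Mcard behave so differently once you go past the UID.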

This was a good start, but we needed to extend the antenna, in order to hide it in our couch.  While there are expensive solutions available online, I decided to try a similar approach to what these folks did.  I was pleasantly surprised when it worked on the first try!

We learned that the NFC antenna in the phone is actually in the battery.  In fact, the Galaxy Nexus won’t scan any RFID when I put a counterfeit battery in it. However, when we use the correct battery, we can get the phone’s antenna to couple to an external antenna just by mimicking the size and shape of the former and setting them next to each other.

*Technical point: As confirmed by, an “NFC antenna isn’t an antenna at all – it is really just a [magnetic] inductor.”

So, the square part of our antenna must be that specific size and shape to couple to this phone’s coil, but the circular part and the distance between the two can be adjusted.  We will be experimenting with different diameters and distances.  Once we find a good combination, I’ll be able to hide the antenna in our RFID couch.
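Since the loop is an inductor rather than a true antenna, changing the diameter of the circular part changes its inductance, and an HF pick-up loop only works well when that inductance resonates (with whatever capacitance tunes it) at the 13.56 MHz carrier. The script below is an added illustration, not part of the post or its antenna design: it uses the standard thin-wire circular-loop inductance approximation and the LC resonance relation to show how the diameter sweep we are planning moves the resonance. The wire radius, turn count, loop diameters and the assumption of a fixed tuning capacitance are all constructed values for the demo.

```python
"""Model a circular NFC pick-up loop as an inductor and see how its
diameter shifts the 13.56 MHz resonance.

Added illustration, not the post's design.  Single-turn thin loop:
L = mu0 * R * (ln(8R/a) - 2), with R the loop radius and a the wire
radius; a tight bundle of N turns scales roughly as N**2.  All
dimensions below are constructed, not measured from the couch antenna.
"""
import math

MU0 = 4 * math.pi * 1e-7   # permeability of free space, H/m
F_HF = 13.56e6             # HF RFID / NFC carrier, Hz


def loop_inductance(radius_m, wire_radius_m, turns=1):
    """Approximate inductance (H) of a close-wound circular loop."""
    if radius_m <= 0 or wire_radius_m <= 0 or wire_radius_m >= radius_m:
        raise ValueError("need 0 < wire radius < loop radius")
    single_turn = MU0 * radius_m * (math.log(8 * radius_m / wire_radius_m) - 2)
    return turns ** 2 * single_turn


def resonant_capacitance(inductance_h, freq_hz=F_HF):
    """Capacitance (F) that resonates the loop at freq_hz: C = 1/((2*pi*f)^2 L)."""
    return 1.0 / ((2 * math.pi * freq_hz) ** 2 * inductance_h)


def resonant_frequency(inductance_h, capacitance_f):
    """f = 1 / (2*pi*sqrt(L*C))."""
    return 1.0 / (2 * math.pi * math.sqrt(inductance_h * capacitance_f))


def detuning(inductance_h, capacitance_f, freq_hz=F_HF):
    """Fractional offset of the loop's resonance from the carrier
    (positive = resonates above 13.56 MHz, i.e. loop is too small)."""
    return resonant_frequency(inductance_h, capacitance_f) / freq_hz - 1


def sweep_diameters(diameters_m, wire_radius_m, turns, capacitance_f):
    """For a fixed tuning capacitance, tabulate (diameter, L, detuning)
    over the diameters the experiment would try."""
    rows = []
    for d in diameters_m:
        L = loop_inductance(d / 2, wire_radius_m, turns)
        rows.append((d, L, detuning(L, capacitance_f)))
    return rows


def wire_length(diameter_m, turns):
    """Wire used by the circular part alone (ignores the square coupler)."""
    return math.pi * diameter_m * turns


if __name__ == "__main__":
    wire_r = 0.0005            # ~22 AWG conductor radius, constructed
    turns = 4                  # constructed
    L_ref = loop_inductance(0.10 / 2, wire_r, turns)
    C_ref = resonant_capacitance(L_ref)   # tune the 10 cm loop to 13.56 MHz
    print(f"10 cm loop: L = {L_ref*1e6:.2f} uH, needs C = {C_ref*1e12:.1f} pF")
    for d, L, off in sweep_diameters([0.06, 0.08, 0.10, 0.12, 0.14], wire_r, turns, C_ref):
        print(f"d = {d*100:4.0f} cm  L = {L*1e6:5.2f} uH  resonance off by {off*100:+6.1f}%"
              f"  wire {wire_length(d, turns):.2f} m")
```

The point of the sweep is that a bigger circle is not automatically better: once the loop inductance has been tuned for one diameter, changing the diameter by a few centimetres pulls the resonance a sizeable percentage away from the carrier, which is the effect we will be chasing empirically with the couch antenna.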

Check out this 30-second video of our DIY RFID antenna in action!

The antenna was made using UL1007 standard hook-up wire, rated 300V.  We used about 10.5 ft of wire to wrap the coils, and then soldered the ends together to make it all one big loop.  Here is a link to the PDF with the design shown in the video above.

First post from the SPQR Lab

Getting ready to work for Dr. Honeyman and the Security and Privacy Research Group for the summer.  I have good notes on where we’ve been and how to run the software. Yesterday and today have been spent setting up my workstation, getting building access, printer drivers, and parking passes, and writing brief descriptions of the three projects we’ll be working on.

  1. I’ll be working on Faux Memorial Hospital (FMH) while Evan is away for the summer.  His blog contains lots of information about the history of the project, the set-up details, and the previous issues they’ve had.
  2. We’ll be embedding RFID readers into a couch in order to test the security and privacy of various devices that emit RFID, and products designed to prevent this data leakage.
  3. Near the end of the summer, we’ll be working with High School kids on a project involving FitBits and data analysis.

I’ll post updates here, and tag each project accordingly.