Posts tagged ‘video’

25 Feb

Anonymous Deface Westboro Baptist Church Site Live On Air

Anonymous recently found themselves entangled with the Westboro Baptist Church (WBC) after the homophobic religious zealots published a taunt where they dared the hacktivist group to ‘bring it’. Anonymous quickly announced that they had never threatened the church in any way. I’m inclined to believe them because, as lame and hateful as the church and its members are, Anonymous are busier fighting for freedom in North Africa and the Middle East than they are exposing ridiculous religious groups in Kansas. Instead, another hacktivist known as th3j35t3r (@th3j35t3r) joined in the fight, bringing down five of WBC’s hate-spewing websites.

Not happy to leave the matter alone, or rather perfectly happy for some more media whoring, Westboro decided to go on air and pour some fuel on the fire. In the interview Shirley Phelps-Roper, a ridiculously immature and inarticulate representative of WBC, faced off against a comparatively calm and bemused representative of Anonymous. Anon reiterated that they did not initially threaten WBC, and during the interview proceeded to deface one of the church’s sites with a message from the group. Excerpt:

Your continued biting of the Anonymous hand… has earned you a swift and emotionless bitchslap, in the form of this very message. [...] For this unremitting display of overzealousness, we award you no points. Take this defacement as a simple warning: go away. The world (including Anonymous) disagrees with your hateful messages, but you have the right to voice them. This does not mean you can jump onto Anonymous for attention.

These WBC idiots really make me rage, and they make honest Christians look bad. Anonymous, th3j35t3r, I tip my hat to you on this one. Check out the video of the interview below.

11 Feb

Researchers Extract iPhone Data and Passwords in Minutes

A group of German security researchers from the Fraunhofer Institute for Secure Information Technology have discovered a way of extracting personal information and stored credentials from a locked iPhone, by way of a jailbreak. By gaining physical access to an iPhone (or iPad/iTouch), an attacker is able to reboot it into recovery mode, thus allowing them to upload their own jailbroken firmware onto the device. As part of this process SSH is enabled and a script can then be uploaded to the device which uses built-in system calls to extract encrypted data (including credentials in the keychain) from the device. See the video below for a demo of their attack, which can take as little as six minutes.

This attack would not be possible without existing jailbreak mechanisms, which effectively bypass the iPhone’s sandbox and allow unsigned code to be executed. The second issue is the way that iOS handles stored data and credentials, allowing any application to request the information. This is actually a prime example of the dangers of having a jailbroken iPhone or iPad, as it makes it much easier for an attacker to execute malicious code on your device.

These kinds of issues are not isolated to iOS devices, and the same would exist on other devices that could be made to run custom scripts. This will be a tricky issue for Apple to resolve, as much of its security relies on a strong sandbox. Their best chance is to try to identify and patch as many as possible of the vulnerabilities that could be used for a jailbreak. They will also need to review the way iOS handles encrypted data, and ensure that data cannot be extracted by arbitrary applications.

Luckily there is not yet a publicly available automated tool to perform this attack, so it is unlikely that a random thief will be obtaining your data. If you’re really worried, you can use Apple’s free Find My iPhone service to remotely wipe your iOS device should it be lost or stolen. Check out my article on protecting and recovering your iPhone from loss and theft for more information.

The team’s original research paper is available here (PDF).

31 Jan

Phil Mocek Acquitted on TSA’s No-ID and Recording Charges

In November 2009, Phil Mocek (@pmocek) was arrested by Albuquerque Police at Albuquerque Airport for not providing a piece of identification, and recording the TSA process on camera (video below). In the US, one’s right to fly is guaranteed by Federal Laws and the Constitution, and as long as you do not break any other laws, local or state police cannot legally prevent you from flying.

Mocek was charged with things like criminal trespass, refusing to obey an officer, concealing his identity, and disorderly conduct. On 21 January 2011, he was acquitted on all charges by a jury without the defense having to call any witnesses or provide any evidence. The prosecution’s case simply did not stand up.

In a previous court case against another man who refused to show ID, the TSA admitted that there is actually no law that requires travelers to present ID in order to be able to fly. In the US, it is also perfectly legal to record video in public areas of the airport, despite what signs, staff or police may claim.

This case is reminiscent of John Tyner, who was thrown out of San Diego Airport for refusing the new TSA (grope) patdown. Note that you may want to familiarise yourself with the relevant laws regarding ID and recording in your own country.

Full details are available here. Well done to Phil for protecting his rights, and in the process, all of ours as well. Speaking of TSA security measures, I thought this recent Dilbert comic was particularly fitting.

28 Jan

OpenLeaks Website Goes Live

The website for the independent whistleblowing platform, OpenLeaks, has gone live. The concept behind OpenLeaks is to provide a secure document delivery dropbox and storage method for would-be whistleblowers. On the receiving end, news organisations, human rights groups, and others will be able to access the files and make them public should they feel it necessary.

Unlike Wikileaks, OpenLeaks plays no part in the actual editorial and publication process; it is a content distribution method that bridges the gap between leakers and publishers.

Check out the video below for their introduction to OpenLeaks:

26 Jan

Pic of the Week: Assange vs Zuckerberg

Stumbled across this picture this week, and although it’s quoting Bill Hader playing as Julian Assange in the Saturday Night Live skit below, I feel the message still makes a point. It’s probably worth reminding people that Assange was voted for Person of the Year by the readers of TIME magazine. In that same vote Zuckerberg came in at a lagging 10th place. I know… how Zuckerberg got it confused me too.

[Update] Here’s an Assange/Zuckerberg mashup picture of the quote above:

21 Jan

XBMC Comes to Apple TV 2, iPad and iPhone

The XBMC team have announced an ARM-based release of their open source media player and entertainment hub for the Apple TV 2, iPad and iPhone. The software, which requires a jailbroken device, allows users to stream and play any audio and video format from local network stores. Your Apple TV also retains its normal functionality, and you can still watch/purchase content off iTunes.

Instructions are available for installing on the Apple TV 2 and the iPhone/iPad. Here are two videos of XBMC running on an Apple TV and an iPad.

XBMC is a great piece of software, and I have it installed on my original Apple TV streaming media from my 2TB ReadyNAS NV+.

19 Dec

Wikileaks Parody Music Video

Came across this parody music video of the whole Wikileaks/Cablegate debacle. It’s actually pretty good, check it out:

25 Nov

Swinglet CAM: Your Own UAV Spy Plane

This is epic, full of awesomeness. The Swinglet CAM is a small computer-controlled flying thing (plane?) with a built-in camera. The computer software allows you to define a flight path that the Swinglet will automatically follow and take pictures from the sky. You can even do in-flight path modifications and it will adjust its trajectory. It takes off when you throw it in the air, can fly for up to 30 minutes, and lands by itself.

Supposedly you can use it to look at the state of your crop fields from the sky, which sounds like a stupid use for this toy. If you know the girl next door sunbathes naked on the roof, now we’re talking! I want one but I’ll wait for a video-capable model that can fly for miles, and be controlled from my secret basement lair.

Check out this sample photo and the video below to make you want one for Christmas. The Swinglet CAM costs only €8,400 ($11,000)!

25 Nov

Pauldotcom Episode 221 – Talking Single Packet Authorization

Episode 221 of Pauldotcom Security Weekly is available for download. In it I give a tech segment about Single Packet Authorization, and briefly describe how to configure your firewall and use fwknop to dynamically open ports.

The podcast is available on iTunes, and by direct download. Check out the show notes for full details. Thanks for having me on the show guys!

Here is a short video of fwknop in action:

17 Nov

Johnny Five Returns as Battlefield Rescue Bot

Remember Johnny Five from Short Circuit? If you don’t, or are already too young to remember one of the awesomest movies from the eighties, here’s a refresher:

P.S. If you were a fan, the Short Circuit Comedy Series are worth a watch: Episode 1.

You’ll probably also know Johnny’s cousin WALL-E from Pixar:

Anyway, to cut an overly long post short… a real-life Johnny Five is being built by Vecna Technologies and, just as the character was, is intended for use in battlefield situations. This robot is called BEAR which stands for “Battlefield Extraction-Assist Robot”:

Source: Weaponized Culture
