Chris Hoff and I decided to have a little fun and fake some back and forth exploits to highlight some security risks. It’s nearing the end of the year; either crunch time for some of you, or boring time for the rest. We figured a little humor couldn’t hurt in either case. We decided to blow this open early so it doesn’t get away from us.
The attack Chris described could clearly work, but I’m surprised more people didn’t pick up on the holes. While I do have a home automation system (but no cameras), I don’t know of any that use SCADA-based technologies. Then again, SCADA is going all IP, so it might not be a stretch to define my system that way. For the record, I use an Insteon system but haven’t finished implementation yet.
Bonus points to the commenters that noticed there’s no way I’d have a yard with that much green in Phoenix.
The idea of the QuickTime RTSP attack was completely real. Until Apple released the patch a day or so ago, the only defense was avoiding clicking on potentially hostile links. I trust Chris, and would click on most things he sends me. Outbound filtering (which I do on one of my machines) could block the request unless it directed me to an unusual port; something Chris is capable of.
The idea of pwning my workstation is dead on, and one reason I often recommend SCADA workstations be isolated from the Internet. I don’t have to take over your SCADA network if I can take over the workstation and do whatever I want when you aren’t looking.
We were planning on highlighting a few other attack vectors in the next few days. Among them were a fake pretexting of Chris’s phone (we had a viable way for me to get his SSN) and username/password sniffing from wireless access points. All are common vectors that even we security pros are a little lax with sometimes.
I suspect most of you enjoyed this, and we’ll come up with something more creative for April 1.
10 Replies to “End Of Year Humor And Awareness: No Folks, Hoff Didn’t Pwn Me”
Good twist. It shows once more that the industry revolves around trust and not around technology 🙂
Just like LonerVamp I was fooled as well. There was a second or two that I did have a funny feeling but didn’t trust it. Here are my basic reasons.
1) There is a trampoline in the picture. Rich doesn’t have any kids (that he claims), so I found it odd. Plus, as a Paramedic, I would think that he would have a problem with them because of head, neck, and back injuries.
2) Metasploit does not have a VNC payload for OSX. That doesn’t limit other tools or methods, but it does make it more difficult. Of course, I just figured either Core Impact or Canvas had this capability and Chris could afford it.
All-in-all, I think good job to both. It has raised awareness and generated conversation. Goals achieved.
Go forth and do good things,
Don C. Weber
Nice one! I thought it was an excellently crafted hack, and am happy Hoff wasn’t really engaging in something potentially illegal. 🙂 Much like my fascination for Hasslehoff, D., I need to make sure my icons remain unblemished on their pedestals!
The SCADA mention didn’t throw me off at all, as I figured it was just a tongue-in-cheek metaphor for running certain appliances over IP/centrally, such as the cameras and hottub temps, and not actual SCADA apps.
And, yes, of course I bought it, I had no reason not to! 🙂
@Andy:
Actually, you have the order incorrect.
I posted my original.
Then Rich posted his “house gone wild” and then again with his “knife/gun” post…
Not that it matters now, but we must keep the records straight for posterity’s sake! 😉
Is there any way I can cash in Marcin’s points while he’s away for the holidays? All I want for Christmas is a SunSec meet and for all my local security industry favorites to show up. How about this Thursday at Four Peaks (Tempe) or possibly the local DJIA-listed company favorite, The Tilted Kilt?
Guys, even though I had an idea it was a hoax (http://andyitguy.blogspot.com/2007/12/possibly-biggest-security-story-of-2007.html), I think it was a great story. By the way, the “real” giveaway for me was how conveniently Rich posted the first one about the home HA system freaking out and then Chris putting out his post. Just a little too convenient.
I, um, drive a 13 year old Ford Explorer. I also buy my clothes at Costco and Men’s Warehouse.
Crap! I could have kept it going then! TMI, TMI!
Curses.
/Hoff