Owned ATMs, a rogue cell tower, Firesheep, and a Samy comeback -- yep, it was a year to remember

There's not much that hackers can crack that surprises us anymore. In years past, nothing has been sacred: We've witnessed hackers sniffing 18-wheeler payloads while truckers nap at the truck stop, weaponizing the iPod Touch, hacking faces (think biometrics), and even the unthinkable -- silencing a texting teen.

So what's left? Well, this year it was making ATM machines indiscriminately spit out mountains of cash, intercepting GSM cellphones with a homegrown rogue cell tower, turning the tables on an attacker with a reverse hack, point-and-click WiFi sniffing for the Average Joe, a new breed of cross-site scripting (XSS), and pinpointing a victim's geographic location through his home router so you can show up at his place later with pizza and beer.

Lesson learned. There are always determined white-hat hackers who still seem to find ways to tickle -- or torture -- the imagination, and make consumers and enterprise IT folks think twice before they perform everyday tasks, like withdrawing money from an ATM machine or placing a voice call via GSM.

So put away that iPhone, pull up a bowl of figgy pudding, and read on as we reminisce about the coolest hacks of the past year.

Barnaby Jack's ATM Jackpot

Vegas has seen its share of cash payouts, but none like the one that security researcher Barnaby Jack performed on stage at the Black Hat USA conference this summer: Jack demonstrated how using vulnerabilities he had discovered in certain ATM machines could literally pay off.

Jack, director of research at IOActive, demonstrated attacks that would allow a criminal to compromise ATMs, allowing hypothetical thieves to steal cash, copy customers' ATM card data, or learn the master passwords of the machines. He targeted Tranax and Triton ATMs, but other brands have similar weaknesses, according to Jack.

Unlike the wave of ATM skimming attacks by criminals seen over the past couple of years, Jack's hacks were all about the software. In one attack, it took Jack only a few seconds to open the ATM and insert a USB drive with code that overwrites the system to do his bidding. He also showed a remote attack that exploits a remote management feature in ATMs. "We are back to 1999 in terms of code quality," he said.

Jack wrote a remote administrative tool called Dillinger that lets an attacker select known ATM machines and grab data or send payloads, and he crafted a rootkit he named "Scrooge" that can be sent as a payload to an ATM and overwrite the system so the attacker can take over control of the ATM. The bugs he discovered in the machines were in the proprietary cash management applications, he said.

Jack demonstrated how Scrooge could be used to make the ATM spit out phony bills, inserting a card into the machine with specially crafted code stored on the magstripe or by typing code into the ATM. In case you weren't there live, you can view the photo gallery of Jack's ATM hack here.

Intercepting GSM Phone Calls

Chris Paget wanted to show how the GSM protocol is broken, so he crafted by hand his own GSM base station running over ham-radio frequency and brought his so-called "IMSI Catcher" to Defcon18 this year. During a live demonstration that was nearly nixed by the FCC, Paget, a security researcher, successfully fooled several attendees' cell phones into connecting to his phony GSM base station.

"The main problem is that GSM is broken. You have 3G and all of these later protocols with problems for GSM that have been known for decades. It's about time we move on," Paget said in a press briefing prior to the much-anticipated hack demo.

The hack almost didn't happen at all: The FCC initially voiced its concerns that the demo might involve the unlawful interception of phone calls, so after consulting with Electronic Frontier Foundation attorneys, Paget went forward, careful to issue sufficient warnings about his demo to attendees during his presentation. He even destroyed the USB stick that contained any data gathered from the "owned" phones on stage afterward. His use of ham-radio frequency to carry the GSM signal got around any spectrum violation issues with the FCC.

In all, it cost Paget only about $1,500 in equipment to build the IMSI (International Mobile Subscriber Identity) Catcher, which also included two directional antennas and a Debian laptop running OpenBTS and Asterisk, an open-source tool that turns a computer into a voice communications server. He used the device only to intercept and handle outgoing voice calls -- which were sent via voice-over-IP -- and not incoming calls nor data. "When the phone is looking for a signal, it looks for the strongest tower. This offers the best signal," Paget said, even though it's only 25 milliwatts.

Callers in the Defcon session whose phones connected to Paget's phony tower got a recorded message when trying to dial out. "When attached to my tower, your phone is [considered] off, so incoming calls go straight to your voicemail," he said.

Overall, Paget captured anywhere from 17 to 30 phones at a time during the demo, even after configuring the base station to appear as an AT&T tower. The phones automatically defaulted to 2G because Paget's base station is 2G. The base station could also be configured to disable encryption, he notes, as well as to target specific brands of phones to connect to it.

In earlier tests he conducted, Paget found iPhones most commonly connect to his fake cell tower.

Hacking The Attacker

Ever wonder if you could actually fight fire with fire when hit with a targeted attack? That's just what security consultant Andrzej Dereszowski did at Black Hat Europe in April with a hack that basically turns the tables on an attacker.

Dereszowski came up with a proof-of-concept that wages a counterattack merely by finding vulnerabilities in the attacker's malware -- and then using those flaws against him.

His PoC is based on some fuzzing and reverse-engineering he conducted against malware used in an infected PDF that was sent to a pharmaceutical company. Dereszowski found a buffer overflow bug in the malicious toolkit, which was the Poison Ivy tool, and then built an exploit for it.

"I [had been] asking myself, in theory, what if you wanted to counterattack -- provided that it's possible," he says. "You can [actually] hack the hackers and counterattack" as demonstrated by the PoC, he says.

The catch? Such an attack would be illegal for a victim company to perform. The goal of Dereszowski's research is to show there are techniques for fighting back once a targeted attack is already under way, he says. "This is for the purpose of research," he says, although some special government agencies may be able to, or already are, deploying such techniques, he says.

Dereszowski says his research also shows how to quickly analyze malware, which would be useful to a company hit by a targeted attack. "My method of [malware] identification is quite generic and can be applied to any case. I think this could be beneficial to companies," he says. And it sheds light on finding vulnerabilities in targeted attacks themselves.

Here's how Dereszowski pulled a reverse: He began by assuming the PDF attacker in his research had used a toolkit that was publicly available online, which he found to be the Poison Ivy Trojan toolkit. He broke through the obfuscated code in the tool in order to run static analysis of the malware, and took it from there.

The exploit is invisible to the attacker, and the counterattacker would basically exit the system after he had finished, leaving the exploit behind with a window into the C&C server. Dereszowski ran a standard Metasploit shellcode to open an active connection to the C&C server. This form of counterattack could apply to other Trojans, such as Zeus, as long as you have access to the C&C and can get hold of the malware code.

Average Joes Now Can Be Hackers, Too

The dangers of unprotected WiFi have been well-documented, but that hasn't stopped most customers at Panera and Starbucks from using these connections while they sip their lattes. It used to be that it would take a relatively seasoned hacker across the café or in the parking lot to pull off a so-called sidejacking attack against a WiFi user.

But a new tool unleashed in October by Eric Butler, a Seattle-based Web application software developer and researcher, has now made it possible for the average Joe to hijack a WiFi user's Facebook, Twitter, or other unsecured account session while drinking a cup of Joe.

The controversial Firesheep tool is a Firefox plug-in that lets anyone hijack a WiFi user's cookies by merely pointing and clicking on a nearby WiFi user's Facebook or other account that automatically pops up on the attacker's screen.

Sidejacking attacks are nothing new -- most websites aren't SSL-encrypted today, leaving users open to having their sessions sniffed and hijacked when they log onto sites such as Facebook from the WiFi at Starbucks. Firesheep basically makes this type of attack easy enough for any nontechnical person to do: The tool pops up a window, you click the "Start Capturing" button, and it finds and displays user accounts currently on insecure websites via the WiFi network. "Their name and photo will be displayed: Double-click on someone, and you're instantly logged in as them," Butler explained in his blog post about Firesheep.

Robert Graham, CEO at Errata Security, who developed and released his Hamster sidejacking tool three years ago, says although sidejacking has been a well-known threat for ten years, Firesheep makes the attack more visual and easy to execute. "The way I did it with [my tool], I had to guess where the cookies were going," Graham says, adding that Firesheep grabs that information via the browser and more quickly. "[Butler's] tool works in cases where mine doesn't. It's a better solution."

Firesheep takes advantage of websites that don't SSL-encrypt logins, so when a user visits Facebook, Twitter, Hotmail, or YahooMail, his cookies can be automatically lifted and used by an attacker on the WiFi network to take over his account.

Butler says he hopes Firesheep will force websites to go SSL. "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure Web. My hope is that Firesheep will help the users win," he said in his blog post.

Errata's Graham says he'd like to be able to say that sidejacking is old news. "I should be able to say that," he says. "But I can't because I can take this down to Starbucks and hack people, and get to their email and their bank account. That should not work."
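From the site operator's side, the exposure described above shows up in the response headers. The following is an added example, not code from Firesheep or from the original article: it audits `Set-Cookie` headers for session cookies that a sniffer on shared WiFi could read. It goes slightly beyond the text by also flagging a login served over HTTPS whose cookie lacks the `Secure` attribute, since that cookie is still sent on any later plain-HTTP request. The sample responses, host names, and the `SESSION_NAME_HINTS` heuristic are constructed assumptions.

```python
# Constructed response headers for hypothetical sites (not captured traffic).
SAMPLE_RESPONSES = [
    {"url": "http://social.example/login",
     "set_cookie": ["session_id=abc123; Path=/; HttpOnly"]},
    {"url": "https://social.example/login",
     "set_cookie": ["session_id=abc123; Path=/; HttpOnly"]},
    {"url": "https://mail.example/login",
     "set_cookie": ["sid=xyz; Path=/; Secure; HttpOnly", "theme=dark; Path=/"]},
]

# Assumption: cookie names containing these fragments carry the login session.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit(response):
    """Return (cookie_name, problem) pairs for sniffable session cookies."""
    findings = []
    is_https = response["url"].lower().startswith("https://")
    for header in response["set_cookie"]:
        name, _, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue  # preference cookies are out of scope here
        if not is_https:
            findings.append((name, "set over cleartext HTTP"))
        elif "secure" not in attrs:
            findings.append((name, "missing Secure attribute"))
    return findings


if __name__ == "__main__":
    for resp in SAMPLE_RESPONSES:
        print(resp["url"], audit(resp))
```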

Yet Another Form Of XSS

You know reflected, persistent, and DOM-based XSS attacks. Now there's another form of XSS attack that's especially tough to detect called Meta-Information XSS, or miXSS, which exploits commonly used network administration utilities.

"With miXSS, the input that the user provides is completely valid and properly sanitized," said Tyler Reguly, lead security research engineer at nCircle, who published a paper on the attack in April. MiXSS works differently than other forms of the popular attack method, he says.

"Think about those network administration utilities that so many webmasters and SMB administrators rely on -- tools that perform a whois lookup, resolve DNS records, or simply query the headers of a Web server," Reguly wrote. "They're taking the meta-information provided by various services and displaying it within the rendered website.

"The service then utilizes the user-provided data to gather data and display it for the user. It is in this data that the cross-site scripting occurs." An example would be a DNS TXT record that contains a certain value and a service designed to gather DNS TXT records for the purpose of testing sender policy framework (SPF) records. "The user provides the domain name pointing to the TXT record, while the service resolves the TXT data and displays the data to the user," he wrote. "Since the data contains JavaScript, the returned data is processed, and successful cross-site scripting has occurred."

Reguly says this attack could be on the rise in the future because Web-based tools such as these are increasingly used to quickly resolve network administration issues that might otherwise inhibit the user experience.
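The TXT-record case Reguly describes can be reproduced offline. This is an added example, not code from his paper or from any real lookup tool: the user-supplied domain passes validation, yet the page is still injectable because the fetched record is written into HTML unencoded. The resolver data, domain names, and function names are constructed assumptions.

```python
import html
import re

# Constructed resolver answers standing in for live DNS (hypothetical domains).
FAKE_DNS_TXT = {
    "good.example": ["v=spf1 include:_spf.good.example ~all"],
    "hostile.example": ["v=spf1 -all", "<script>alert(1)</script>"],
}

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def valid_domain(name):
    """Validation of the user-supplied field; both sample domains pass."""
    return bool(HOSTNAME_RE.match(name.lower()))


def lookup_txt(name):
    """Stand-in for the tool's DNS query; returns third-party-controlled text."""
    return FAKE_DNS_TXT.get(name, [])


def render_vulnerable(name):
    """miXSS pattern: input is checked, fetched meta-information is not encoded."""
    if not valid_domain(name):
        return "<p>invalid domain</p>"
    rows = "".join(f"<li>{rec}</li>" for rec in lookup_txt(name))
    return f"<h1>TXT records for {name}</h1><ul>{rows}</ul>"


def render_hardened(name):
    """Treat every fetched value as untrusted and HTML-encode it on output."""
    if not valid_domain(name):
        return "<p>invalid domain</p>"
    rows = "".join(
        f"<li>{html.escape(rec, quote=True)}</li>" for rec in lookup_txt(name)
    )
    return f"<h1>TXT records for {html.escape(name)}</h1><ul>{rows}</ul>"


def suspicious_records(name):
    """Detection aid: fetched records carrying markup characters, for logging."""
    return [rec for rec in lookup_txt(name) if re.search(r"[<>]", rec)]


if __name__ == "__main__":
    for domain in FAKE_DNS_TXT:
        print(domain, "valid input:", valid_domain(domain))
        print("  vulnerable:", render_vulnerable(domain))
        print("  hardened:  ", render_hardened(domain))
        print("  flagged:   ", suspicious_records(domain))
```

The same output encoding applies to any other meta-information the tool displays, such as whois fields or HTTP response headers.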

'Samy' Is Baaaack, And He Knows Where You Live

Remember the infamous 'Samy' worm that spread via MySpace in 2005 and infected some 1 million users within 20 hours? Well, researcher Samy Kamkar, who wrote a worm to make "friends" on MySpace, has re-emerged as an independent security researcher and came up with a hack this year that detects where you live based on your home router.

Kamkar earlier this year published a proof-of-concept that identifies a user's geographic location via the victim's home router using a cross-site scripting (XSS) bug he discovered in a Verizon FiOS wireless router. Kamkar was able to obtain the browser's MAC address and then map it to the GPS coordinates via Google Location Services.

"The interesting bit is I'm not piggybacking off of the browser's geolocation feature. I simply reimplemented the feature as a server-side tool," Kamkar says. "This way if I can obtain the user's router's MAC address in any way, regardless of browser, nationality, or age, I can typically determine their location and show up at their place with pizza and beer later that night."

Although his attack is based on an XSS flaw in the Verizon FiOS router, Kamkar says it would work with any other router with an XSS vulnerability. There are a couple of caveats for the attack to work: The victim must be logged into her router and have visited a malicious or infected website loaded with the XSS exploit. The attacker then gleans the victim's router's MAC address via Ajax and maps it to her GPS coordinates via Google Location Services. Kamkar says the XSS could also be used to reroute DNS settings on the victim's end, to divert traffic from the victim to his bank's site, for instance. "I can then divert any host name-based traffic to locations of my choice -- for example, sending DNS requests for 'bankofamerica.com' to my own IP address/Website, which we'll just call 'Bank of Samy,' or simply proxy all traffic, becoming a man-in-the-middle [and] reading their email and chatting in place of them with their significant others," he says.

He says the crux of the problem is that security isn't part of the equation in router software. "It's probably assumed that because the router sits on your local network and isn't accessible from the outside world, it's safer," he says. "However, the fact is we can easily trick a user's Web browser to launch the attack for us."

Kamkar's advice to users: Change default passwords in your home router and don't remain logged into the router administrative interface unless you really need to be.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
