Slashdot Mirror
Attack Of The Dreamcasts
kevin_conaway writes "A pair of coders are now suggesting that it is possible, with a modified dreamcast system running Linux to sneek into an office building and stick it on a network drop and leave. The dreamcast will then probe for ways to connect to the outside world. They say they have created similar software for iPAQs and a special bootable cdroms for print servers and similar boxes. Just a reminder that are networks need to be as secure on the inside as they should be on the outside. Get the story here."
from sneaking in and connecting a laptop to the network? I mean, wouldn't a Dreamcast plugged into the company network be a bit more suspicious than a computer?
#include <sig.h>
They should replace "dreamcast" with "any machine with an IP stack". Physical security on a network is important in any case, whether it be small like a dreamcast or big like an e10k ;)
Is when someone hacks an iPod to do this. You could hide it in a wall and have an IEEE-1394 to 10base-T adapter with a cat-5 cable right into a patch panel in the wiring closet labeled D-103...
Someone strolls into the office, notices a dreambox in the corner... and they say "Hmmm, that is normal, I'll just ignore that"... hehe
More likely that they would say "Cool, lets see what game is in it!"
"CPU's Don't make mistakes....They just miss a few cycles sometimes..."
"but said that ultimately, there may be little an organization can do to prevent an attacker with physical access from setting up a covert channel home. " But if you can get physical access, why not just use one of the computers so thoughtfully preinstalled by the network administrator? Heck, they were probably even left logged in overnight by the lusers. This doesn't seem all that revolutionary..."If I can get into your building, I can do bad stuff". No? Really? Wow...noone's had that idea since...ummm...the invention of the house.
I'm pretty sure that someone would notice a dreamcast system sitting on their server rack. However, if you hide it behind a wall, it could sit there for years!
Wyatt
Karma: Marginal (mostly due to the border around the website)
Yes, it could. The nice thing about the dreamcast is that it is small and cheap. Less than $100 gets you a decent processor and a built in Ethernet adapter. If you're going to risk losing your box when it's discovered, I'd rather it was just a cheap dreamcast than a pricey laptop.
so much of today's lax security is due to legacy design, not inherent difficulty. this is worth remembering.
To only have connectivity on actively used network drops, and keep all switches in secure closets? To plug in an unknown machine in our office you would have to unplug a known one, and someone's gonna at least notice their computer stopped working. Wouldn't take long after that to discover the switch had taken place. That could easily be circumvented with a machine acting like a silent proxy, but still makes it a tad more difficult. Don't other companies practice similar procedures?
...if someone came into my house and dropped off a dreamcast! :-)
-Derek
With that in mind, when was the last time you walked into your company in non-work clothes, you knew where you were going, and walked confidently there and no one stopped and questioned you? I wear a name tag and go there every day, but in my shorts and tshirt with no name tag, I'm never stopped. I think thats the way it is in many places.
Sure you could plug a laptop in, but who wants to drop $300-400 for a cheap laptop that will probably get confiscated. For the same price you could by 4-5 Dreamcasts. You could scatter them around to a few drops as backup. In addition, the footprint of the box is small, and you don't need a standard PC case. Who wants to buy a BookPC or a Cappucino (sp) only to lose it.
Other way to look at this would be for a handy ligitimate network tool. It would be nice to plug a machine into a network, have it snoop around, and then come back the next day and get a report on bottlenecks, machine usage, etc.
--
"That's Homer Simpson sir. One of your drones from sector 7G"
Been to Pirate Training School?
Replacing 'our' with 'are' is a very common pirate thing to do. Of course, even that was slightly misspelled since 'arr' is the most correct usage, matey...
-.-
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
"availability of an Ethernet adaptor"?
You almost have to kill someone to get a network adaptor for the Dreamcast. I'm not even sure they're being manufactured anymore (I wouldn't think so), but there are a few on eBay; the cheapest one is $60.
Besides, as other posters have mentioned, a Dreamcast doesn't exactly look inconspicuous to me, especially if some person I don't recognise is carrying one around in my building.
WMBC freeform/independent online radio.
Why not just stick a wireless access point on the network. Put it on the floor near a window or something, and you should be in business... This would even work on the most secure networks.
I want my rights back. I was actually using them when our government stole them after 9/11.
for those of you w/real reasons to be concerned- would be that if these guys have thought of this - who else already has something much better in a nice small, concealable package.
And then think about how many businesses don't even come close to providing physical security to all the ports that connect to their network. Sure the computer room is locked- but how many cleaning people are in the offices at night? Usually if you worry about them at all- it would be that they steal, not leave something behind.
I had to do some work once at a call center for a client of ours. A large credit card company.
I pulled up to their building but it was this big glass box and I wasn't sure where the entrance was. I just walked around until I found a door. It was open and their were people standing around smoking. So I walked in. I was in the back by the break room.
I wandered around in there for 10 minutes or so until I found the front desk. When I walked into the lobby from inside the building and asked for the guy I was supposed to meet she was pretty freaked out. They brought up security people and asked how I got in, etc.
I hope my credit card company isn't that easy to get into. But I'd be surprised if its much more secure. I wouldn't be surprised it it is less secure.
Something to think about.
.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
... so I just popped in NFL2K2 and showed the hacker who was boss!!
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
All those girl ninjas running around stealthily tucking Dreamcasts under their arms - They weren't trying to steal them. They were trying to deploy them!
Now I understand the tagline... It's thinking...
"Mod, mod, mod...and another troll bites the dust."
A Sun IPX (or any lunchbox style) system with an AUI port and a modified transceiver is much better. I use one of these as a secure syslog; in particular because you can modify the transceiver so that while it is capable of receiving data, it is incapable of sending at a hardware level. There is no way, short of physical access, to detect the machine. It's great for packet sniffing and logging -- syslog using UDP is connectionless, and works well with read-only network connections. This is also better than modifying the ethernet cable, because these modified cables do not actually work properly (the transceiver with tx pins removed will keep a valid *empty* tx signal, whereas a modified cable usually just pumps the rx'd signal back to tx, confusing the equipment into maintaining a link).
And if you can sneak in once, why not twice? Or better, equip the computer with a cell modem or amateur radio equipment (How many "wartalkers" look for that, eh?) , and dial in. No need for probes which may set off IDS systems, or outgoing packets (like ARP or DNS requests) that alert crackers to a computer's presence.
I think you cut pins 3 and 10 (on the connector to the computer on the transceiver) but that's not certain.
I'd like to see you hide an E10k in the ceiling.
We used it to run a dump of all the packets on the network and get pretty much all the passwords used by anyone. We printed out a copy and sent it to the bozo they had in charge of IT, and he called in a mess of expensive consultants to reload everything on the network.
Of course, they didn't fix the basic problem or find our little friend. For all I know it's still running up above the 'ol drop ceiling -- we were to chicken to try and retrieve it. Of course, this was a private school, so the real joke was on us (the clue -- consultants were being paid for by our own stupid selves).
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
The point is it is toy-like. People may think a laptop can hack their systems, but a dreamcast? "That is a little game thing my son plays with."
:>
I laughed out loud when I read this.
"Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
...hacking a company with the Playstation 2 - it can scan 75 million ports a second, 20 million with effects.
From the article: Cyberpunks will be toting cheap game consoles on their utility belts this fall
Yeah, the Dreamcast is dirt cheap. The "broadband adapter" needed to hook it up to an ethernet network? Quite pricey.
I would think much in the same way, a Dreamcast running linux can be used to seriously injure a person, but sneaking up on them and hitting them over the head with it, repeatedly. Of course that's not newsworthy, unless it's a Dreamcast running linux.
sic transit gloria mundi
As soon as I read this story, I jumped up and combed our office for sinister-looking dreamcasts creeping about the floor plugged into network ports.
Luckily, we were safe--THIS time. Those security-sapping plastic mosquitos could hide anywhere though, so maintain constant vigilance!
- - - - - - - -
Don't worry, being eaten by a crocodile is just like going to sleep in a giant blender.
Near where I live there is this giant uber arcard called Playdium. Instead of using coins or tokens in the machines to get credits you swipe a little plastig card with a barcode on it through a reader. This reader in turn is hooked up to a solid-state machine running MSDOS which then contacts a MS SQL server to see if their is enough credit on the card and if there is it sends an authorization to the machine.
:)
One day we decided that we wanted to get free video games. After scoping the place out we discovered that all the 10baseT ports that the video games plugged into were in fact patched into a 3com 3300 switch and were active. The network designers I guess figured it would be easier to activate all the ports instead of making some video game tech figure out how to patch stuff in.
We brought in a laptop with a long cat5 cable and looked for a place to plug it in where we wouldn't be noticed. Jurassic Park 3 has this little thing you sit in a close the blinds so the ambient light would stay out. It would do nicely.
We watching what we could with different packet sniffers (we were also very paranoid of getting busted) and were able to bring up the Switches web management system. We discovered that the video games use DHCP to get an address in the 10.10.x.x subnet and the video games also seem to contact a master server for configuration information. ie. How much does this game cost. By this time we had been sitting in Jurassic Park 3 for 2 hours and were getting REALLY paranoid. So we decided to try something malicious. We arp-spoofed/flooded everything we could see. An interesting thing happened. When the game control units can no longer talk to their master server, they go into 'free' mode. I guess this is in case there is a network failure. They'd rather lose a bit of money than piss of 100s of people. While our little program ran, every game in the place became free. So I thought to myself, why not just unplug the Cat5 cable for a game to make it free. That doesn't seem to work. I think this is because it needs to detect a link before it will go to free mode. Anyhoo, I guess the moral of this story is to have some kind of port security on your network ports in your business. or something
to just burn a CDR that boots Linux and does all the same stuff on a PC with any of the top X ethernet cards? Set it up to stubbornly ignore all keyboard input and never display anything on the screen. Write "coaster" on it with a black magic marker, drop it in some currently unused PC and hit power/reset and haul ass. Do it at 4:50 PM on a Friday and you'll probably have to 9:00 AM on monday to own some other box on a more permanent basis.
Hell, you might be able to modify a tomsrtbt to do this and wipe (or dd if=/dev/zero of=/dev/fd0; dd if=/dev/urandom of=/dev/fd0) the diskette once the ramdisk is loaded.
IOW, this whole thing strikes me as more of a "stunt" than a "hack."
-Peter
If you mod the box into something black with LEDs, it might not look so out of place. Especially if you tape a while piece of paper with "67...2 Router:Smurphy" to the top (well not look out of place to the peons, anyway). Everyone will be afraid to touch it.
Take a look at the Dallas Semiconductor TINI. It's a Java runtime environment on a 72-pin SIMM, complete with ethernet, serial, I2C, parallel IO, battery up to 1 meg of NVRAM, filesystem emulated in RAM, etc, etc. You can write web or ftp services for it in a few lines of Java, thanks to the supplied classes. You develop your Java code on your PC, compile it to Java bytecode, and then FTP it up to the little TINI device. My description is not doing this hardware justice, so I'll leave some links below.
Anyways, my point is this type of device is probably easier to program than a Linux Dreamcast. It may or may not be cheaper (sub-$100). And it's a lot easier to hide, if that's the goal. I've programmed a handful of hobby projects with this board, and it's really quite amazing for the price. (Compared to trying to implement an TCP/IP stack on a PIC microcontroller, say.)
TINI hardware
TINI
TINI board resource center
more resources
DalSemi discussions
There is really very few ways to prevent such an attack. (I've been thinking about this for some time). Even if you had MAC-Address filtering, a drop machine could be configured to learn MAC addresses, and take over the MAC and IP when that MAC is no longer present on the network (is shutdown).
The best way I could think of locating suspicious activity, is to setup a machine in the same range as the important servers... And investigate any connections to it (as no one should be connecting to it). This only stops the more active attacks though.
To sniff data off the wire, you only need to be getting an electrical signal. You don't need a MAC or IP address. To prevent this kind of sniffing, you would really have to go around and verify that the each active port (on the hub/switch) corresponds to a machine that should be up and running.
However, in a microsegmented network, where each network interface coresponds to a port on a switch, listening to the traffic on one port will not yeild much. So the sniffer would have to flood the switch with MAC addresses, or forged ARP replies. That kind of thing could be picked up if you monitor your switches.
So the point? Use switches directly to the computers anywhere remotly important... And protect your uplinks (links from switch to switch, switch to router, router to router) so that no-one can tap into them.
Of course, all this requires an incredibly great deal of manpower, and administrative vigilance. The real solution is to use IPv6 (or IPv4 with IPSec) since it encrypts all traffic.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
"Draco dormiens nunquam titillandus."
Don't waste your Dreamcast! If you have physical access to the building, desks, etc, then why not just jam in a bootable floppy and reboot an unattended machine to:
1) port and service scan
2) send out results via http/ftp/ping/email/etc
3) wipe the floppy clean
4) write an innoculous text or word document on the floppy
4) reboot the workstation again
This leaves nearly zero physical evidence that there was an intrusion. Just an abandoned floppy and a rebooted machine.
Sure, you _might_ get past building security with a video game console in your bag. But I guarantee you'll get in with a floppy. And would you rather be caught plugging a floppy into a workstation or a video game console into the network?
And you'll still have your Dreamcast at home, running DCMAME!
Thats why I'm laughing at this whole thread.
I have a TINI (from Dallas Semiconductor) sitting behind me. I has an ethernet port, and serial port. Runs on 8 volts and is small enough you could put it anywhere. It was about $100.
On the other hand, a Dreamcast is about $50 (give or take) + 1 rare broadband adapter. Which boosts the price to $150-$250 for the device.
For $299 CANADIAN ($200 US?) I bought an XBox the other day. Gee, it has built in Ethernet, and, at the point when somebody fully cracks the bootflash could theoretically run Linux and do the same thing.
And have an 8gig drive to log data.
But I don't think that is a realistic use for an XBox either.
Well, there's the extra humiliation factor... Imagine a bunch of IT boys from different corps going out for a beer:
BOFH1: Yeah, I got 0wn3d today by a massive distributed DOS attack from thousands of zombie machines across the 'net.
BOFH2: Ha! That's nothing. I got r00t3D when someone compromised the latest openSSH source. That woz pretty elite.
BOFH3: (mumble mumble)
BOFH2: What was that?
BOFH3: [sobbing] An iPAQ! I got H4x0r3D by a fucking iPAQ, okay? Are you happy now?
BOFH1: What a l00zer.
BOFH2: Good grief.
Check out the SPINACH project at Stanford: http://mosquitonet.stanford.edu/publications/spina ch.html
It's designed to precisely address this issue by limiting network access from hosts whose Hardware Ethernet addresses are unknown to the local subnet only (not past the router) until it is authenticated (by some password or other scheme). Thus, if you put a Dreamcast on a SPINACH network, it could only reach hosts on the immediate subnet, unless you spoofed the MAC address or something...
There's 10 types of people in this world, those who understand binary and those who don't.
1-800-97-Legal. Its the number for Jacoby & Meyers because your going to need them after your arrested for "leaving a little back door".
For anyone else thinking about doing this, don't be stupid and please use a little common sense. If you do something like this and get caught you will not only pay a huge fine like $10-25k minimum, but could easily end up in jail.
If you wanna get rich, you know that payback is a bitch
On a related note, the Nintendo gamecube is a stock panasonic DVD mechanism. Sega and Nintendo can't afford to mass manufacture custom drives...hey, even Sony and Microsoft don't do that...
(-1, Raw and Uncut is the only way to read)