Physical access

You can do a lot if you have physical access to a computer.

Stealing login sessions with PoisonTap

PoisonTap is a pocket-sized Raspberry Pi device that you can plug into a computer’s USB port. It impersonates a new wired network connection and responds to outbound HTTP traffic. If the computer’s user is logged on to any of an extensive list of popular web sites, PoisonTap is able to capture the cookies and write them to a text file on the USB device.This works even if the screen is locked.

If your character needs to gain access to someone’s online accounts, your character could follow her target to the coffee shop, wait for the target to go to the bathroom, plug this device into the target’s computer for a minute, and be gone before the victim knew what was happening. If the target happened to be logged on to the online resource your character needs to access, she’ll have the session IDs on the USB drive. She may need to hurry: those session IDs will become invalid as soon as the target logs out of those web sites.

Reading the MacOS FileVault2 password with PCILeech

This is a vulnerability that Apple patched just this month, so it wouldn’t work on a real-world Mac running Sierra v10.12.2 or better. But Macs were vulnerable to this particular exploit for more than four months.

PCILeech refers to a mix of hardware and software that your character could use to break in to an unpatched Mac. The video shows using a laptop attached to the device that your character would plug into the target Mac. (Maybe it would be possible to use something smaller, like a tablet or a Raspberry Pi or Arduino.)

PCILeech is able to recover the FileVault2 password from the Mac’s memory after rebooting the Mac. Once your character has the FileVault password, she has full access to the Mac. This will work even if the Mac is locked with a screensaver or hibernating, but it won’t work if the Mac is completely powered off. And the target might notice that his Mac rebooted.

USB kill stick

And if your character just wants to destroy a target device, there’s the USB kill stick. It’s a USB device that looks like a harmless thumb drive. It has several capacitors that start drawing power as soon as it’s plugged in. When the capacitors are charged (which appears to take no time at all), the kill stick rapidly discharges the capacitors right back into the port. Some devices have hardware protection against this, but many do not. The video on the page shows the researcher plugging the stick into several devices, frying many of them. It makes a lovely noise when that happens.


I bet you think twice about leaving your laptop unattended. Remember to…

  • Hope that your favorite devices have overvoltage protection
  • Never, ever use the Internet for anything



Phishing can be effective

Have you ever gotten an email that looks real but feels wrong, an email trying to get you to click a link in the body of the message? It may have been a phishing attack, and that sort of thing is becoming more and more common.

Fish, which sounds like phish, and has nothing to do with phishing

A typical phishing attack email is a message that tells you that there’s something wrong with one of your online accounts and that you need to click a link and log in right away to do something. That’s the kind of message that tricked John Podesta, the chairman of Hillary Clinton’s presidential election campaign. He got a message saying there was some problem with his gmail account, he clicked the link, got something that probably looked like the gmail login page, and he typed in his username and password. But the message wasn’t from gmail, and the login page didn’t belong to google. Unknown to him at the time, Podesta had just handed over his gmail credentials to criminals who then logged on to his gmail account, downloaded copies of his email, and published them on wikileaks.

That motherboard article shows a screen shot of a similar phishing message sent to someone else on Clinton’s campaign. The message told the staffer that someone had just logged on to his account from the Ukraine, and that he needs to use the link in the email to change his password immediately.

email messages like that prey on our fears, and they work well. If you get an email like that, don’t click anything in the message. Go to gmail (or whatever) via a bookmark or a web search or by typing the address yourself. Then log in and check on your account, changing the password if you need to.

Sometimes phishing messages try to appeal to emotions other than fear. The holiday season sees lots of phishing messages claiming to be from Fedex or UPS telling people to click a link to  track a package. Other effective phishing attacks ask the victim to click a link to make a charitable donation right after a natural disaster.

If you need more evidence of how effective these attacks are, remember that the Target breach happened because someone fell for a phishing attack, or read about how the city of El Paso lost $3.3 million in a phishing scam.

The main character in your story might want to use phishing to take over someone’s email. It’s the kind of thing your readers will find plausible, because they’ve probably heard lots of stories of that happening. They may have even experienced it themselves.

Photo credit to Ching for Fish, Creative Commons.

Yesterday’s IoT attack on Dyn

Yesterday criminals used an “Internet of Things” (IoT) botnet to attack, a provider of name services. The domain name service (DNS) is the network protocol that converts something memorable (like into the IP address you browser needs ( in order to connect to the remote server hosting the web page you want to visit. is a company that provides these services. And as the InfoSec Handlers point out, lots of big-name web sites including twitter and spotify use services and were affected by the attack.

IoT is the name given to consumer devices that you can buy and then attach to the Internet for various reasons (I’ve written about IoT before). Many of these devices have really poor security. They commonly have default and well-known passwords that many users don’t change. So there are lots of Internet-connected devices (easily discoverable with databases like Shodan) with no protection against someone who knows the default passwords.

Brian Krebs has a lot of good detail about yesterday’s attack and how it was the work of IoT devices like video cameras and DVRs controlled by Mirai. Mirai is (publicly available!) malware that scours the Internet looking for devices with default passwords and uses them to attack specific targets. Yesterday someone pointed those devices at, and that’s why you had trouble tweeting about why you couldn’t listen to your music.

Manufacturers have sold a lot of this IoT junk, and we’ll be stuck with this sort of thing for years.

Predictably insecure electronic locks

A couple of researchers recently presented their analysis of a dozen or so consumer electronic locks. Some of these locks are the kind that you’d use on a typical door in place of a deadbolt, and some of them work like padlocks. Most of them use bluetooth for wireless operation: you purchase the lock, install an app on your phone, and then use your phone to lock and unlock the device.

Sounds great, right? That’s fewer keys in your purse or pocket or in that not-very-fake-looking rock on your porch. You can enable a temporary code that you send to your plumber, so that he can enter the house while you’re at work. Some devices even have access logs. (Did the plumber come when he said he would? How long did he stay?)

The researchers found that 75% of the devices they studied were vulnerable to different kinds of attacks. In many or most cases, these attacks involved capturing and analyzing the traffic between the smart phone and the lock. The researchers notified the vendors of the affected products, but none of them was interested in doing anything about it. And why would they? At the very best, it would mean an expensive and embarrassing public relations campaign to notify consumers that they had purchased a lock with a defect.

This offers a plausible way for your character to do some breaking-and-entering. Maybe she needs to enter the home or storage building of a gadget-lover. She might need to plant some kind of sniffer device near the lock she wants to defeat and leave it there long enough for someone to use the lock. The FTS4BT bluetooth protocol analyzer and packet sniffer looks like a USB device that she could plug in to a Raspberry Pi. Tricking the lock might be as simple as replaying the signal that the sniffer recorded. If the devices doesn’t have access logs (or if the owner doesn’t bother looking at them), your character could come and go as she pleases from then on.

Oh, and don’t use electronic locks in real life. There’s a reason people have used metal keys to secure their stuff for hundreds of years.

Project timelines

I find it very difficult to estimate project timelines. Things usually take longer than I expect, and I never seem to learn. When someone asks me for a project timeline, I usually tell them that it will take somewhere between two hours and eighteen months.

As a recent example, I wanted to add a skip-to-main-content feature to a web application, because the application was growing a large block of navigation links at the top of every page. I figured this problem would have a widely-accepted solution, and that this would be a ten-minute task.

A web search quickly disabused me of that assumption. Lots of people solve this problem in different ways. I was looking for something that would

  1. work in most or all modern browsers
  2. hide the skip link until the keyboard user TABs to it
  3. not require JavaScript
  4. (most importantly) manage focus such that using the TAB key again advances focus to the next focusable element.

Here’s the implementation I ended up using. It’s still not perfect, because it won’t work in Firefox on OS X (not without some help, anyway).

So with evaluating search engine results, trying several different things, and then testing on a bunch of browsers, this ten-minute task took all morning one day.

At times like this I’m reminded of The Money Pit, a 1986 film with Tom Hanks and Shelley Long about a couple who buy a house and hire a bunch of contractors to renovate it. Every time they ask the foreman how much longer the work will take, he says, “Two weeks” (typically with derisive laughter).

So if you’re writing about someone who works in technology and need some day-to-day flavor for her, have her deal with a money pit assignment and an impatient customer.

Late July 2016 roundup

Here are a few news stories that caught my interest lately. Maybe one of them will be good for a story.

Internet-connected cameras are a terrible idea

These devices seem like a great idea. You use one like a security camera, but it’s connected to the internet and has a web interface, so that you can log on to it from anywhere to download footage or pictures.

Unfortunately many devices like this don’t get much attention from the manufacturer after production. It turns out that lots of these cameras all have the same remotely-exploitable command injection vulnerability. So it’s not hard to use one or more of these cameras to perform distributed denial-of-service attacks on other targets. These cameras also have a common signature which makes them fairly easy to locate in things like the Shodan search engine.

A SANS infosec article about this points out that people install these devices on the same networks where they have servers hosting sensitive resources. So it’s not a stretch to imagine your main character using Shodan to find vulnerable cameras on a target network and using the cameras to attack the target’s web servers.

Turn your head and cough

Medical devices can have a similar problem. A hospital buys an X-ray machine, and it’s really expensive and mission-critical (it’s in the business of saving lives, after all), so no one wants to mess with it. The hospital just wants to install it and have it run perfectly forever.

But over time vulnerabilities creep in that neither the manufacturer nor the hospital wants to take the risk of patching, because who wants to stick a patient in an MRI machine only to find that the control system stopped working after running an update last night? As a result some of these medical devices are riddled with malware that crooks can use to attack riper targets. Does your character want to hack a hospital to get at patient data he can use for identity theft? It might not be that hard.

Grand theft auto

Here’s an article with video of someone using a laptop to steal a 2010 Jeep Wrangler. It’s not clear what the person is doing, but a policeman quoted in the article speculates that the thief used the laptop to persuade the car’s computer to recognize a key fob the thief had with him. It’s probably just a matter of time until that technique is possible with a phone. “There’s an app for that.”

And as if on cue, Fiat Chrysler is running a bug bounty to pay people to find and report security problems in cars’ computer systems.

July 2016 updates from Apple

Apple has recently released updates to many of its products. These updates address problems that are believed to be remotely exploitable, so it’s time to run updates on your Macs, iPhones, iPads, and everything else with an Apple logo. Here are the security bulletins for OS X and iOS, but there are also updates for iTunes, Safari, Apple watch, and others.