10.18.2013 12:26

Google Maps Engine QGIS plugin

Ujaval just released the Google Maps Engine Connector for QGIS (>= 2.0)!

I got to help out with code reviews, which was a blast! You can check out the code here:

https://github.com/googlemaps/mapsengine-qgis-connector

Posted by Kurt | Permalink

10.17.2013 09:43

AIS hack in a box is not an AIS hack

While I think this is a nice demonstration, it is most definitely NOT an AIS hack. I'm not saying that AIS is in any way secure (unless maybe you talk about blue force encrypted messages). However, this is a nice example of why you don't want to have totally open ports on your server accepting random data. Okay, so there are some cases where accepting data on a port can be sort of a good idea, but this is not one of them. You can shove any AIS message you craft at the marinetraffic.com server and it will process it and add it to the map. Yes, if there was a signature component to AIS, these messages could be cryptographically rejected, but that's a separate issue. If marinetraffic had a way to vet people and only allowed vetted people to send messages to the server (e.g. using ssh with a list of known ssh public keys), then this attack is dead, but AIS would still be the same old swiss cheese. You just would either have to spend some work to trick marine traffic that you are a good guy or go near a receiver and transmit your attack packets. The later is trivial. Also, if marinetraffic payed attention to which receiver the packet came from, the location, timestamps (no, they don't take a receiver timestamp), receive strength and direction, then they would have a chance to filter some attacks, but again, there would be plenty of attacks still on the table.



This attack does have merit on grounds that these two guys did not mention. First, Iceland's Coast Guard runs a control station that has to allow uncleared people to work in it. Therefore, they can't show the NATO EU AIS feed in the room. To have vessel traffic up, you guessed it, they use marinetraffic.com. So Iceland's Coast Guard is vulnerable to this trouble because they trust a website that has no measure of security.

Second, the USCG sends messages for NAIS without encryption. You could easily craft a man-in-the-middle attack with any consumer of NAIS data and inject or remove messages at will. No, the packets aren't raw NMEA, but they are just zlib compressed and I saw nothing in the code that checks the validity of these messages. I just ran a java decompiler on AISUser. Note that this was when I found out that they are using the unix ls command to get the inode of the current directy for the authentication key for an ais server. Why didn't they just use OpenSSH and have users send them their public key or use one of the many other easy ways to do this cleanly?

This means that the ERMA disaster service that I helped build is susceptible to this mode of attack. There is nothing that the ERMA team can do to prevent the attack and it may be hard to detect if done carefully.

I believe the upstream sending of messages to the NAIS aggregation is equally weak and if you inject there, you could hit all of the USCG and any of their NAIS customers.



Thanks to gcaptain for posting with a link to this video: Researchers Discover Serious Security Vulnerabilities to AIS Data (but I would suggest a different title)

Could you build a very secure system to do what AIS is designed to do? Yes, but you should just throw out all of the AIS standards out there and only use them as a source of use cases. I'd call it something totally different because it would have little relationship to current AIS.

Update 2013-10-18: This made it to the BBC: Ship trackers 'vulnerable to hacking', experts warn By Dave Lee which has quotes from Lloyds.
...
"The spoofing would immediately be identified by [Lloyd's List
Intelligence] as a warp vessel,"
...
That assumes that Lloyd's is seeing the input that marinetraffic.com, which is a separate country. It would be possible to do an injection of fake data that would be extremely hard to detect. e.g. If you have a transmitter near a ship, send out noise to corrupt that ships packets. You only have to detect the mmsi portion and then start noise to corrupt the packet's tail. Then, transmit on a different slot, and slowly change the location of that ship. There are enless variations that would be hard for anyone to catch.

The hack described just used a laptop, so I'm not sure how this cost 600 euros. This was just sending UDP packets over the internet, so I don't see any need for extra hardware (I'm assuming you already have a computer).

As for pirates, I don't see much evidence for the use of AIS. They go out and attack what ever they see, which includes warships. Their boats are often barely afloat. There is no need for AIS when a constant stream of targets goes by. And socat/netcat is free open source software.

Posted by Kurt | Permalink

10.14.2013 10:33

AIS vulnerabilities

Thanks to Jordan for pointing me to this article. I'll be curious to see if I got all of the weaknesses that these folks say they will be using. Yes, AIS is swiss cheese when it comes to security and integrity. Back in 2006/2007, the USCG directly asked me not to talk about these issues, but that makes no sense. Anyone with a Class A device or a software defined radio can make a mess of things with little effort - everything from denial-of-service (DOS), to changing the frequencies used by some shipts, making fake announcements, specifically stepping on others' transmisssions, send fake dgps corrections, and the list goes on. Life is already painful enough if you look at the issues that are out there without any black hats adding to the mix.

Researchers Highlight Security Vulnerabilities In Ship-Tracking System
...
At the upcoming Hack in the Box Security Conference in Malaysia, a
team of security researchers are preparing to demonstrate how an
attacker could hijack AIS traffic and perform man-in-the middle
attacks that enable them to turn the tracking system into a liability.
...
According to Trend Micro's Kyle Wilhoit, one of the researchers who
worked on the project, says the attacks can be broken up into two
categories: those that target the AIS Internet providers that collect
and distribute AIS information, and those that target flaws in the
actual specification of the AIS protocol used by hardware receivers in
all of the vessels. Without getting too deep into the vulnerabilities
ahead of the presentation, which is slated for Oct. 16, Wilhoit
explains that the upstream providers fail to authenticate AIS
sentences coming from ships.

"I could go out, and I could pretend to be a boat, and they don't even
fact-check it," he says. "They don't look at, OK ... is this AIS
sentence actually a boat? They don't check any of that. So it's all
accepted as is. It's accepted as true."
...
Back in November of last year, I finally got brave enough to post my white board summary of AIS weaknesses:

AIS Security and Integrity

Most of those weaknesses should be immediately obvious to anyone with an undergraduate CS background. This is what happens when you have non-practitioners, aka mariners, lawyers, electrical engineers, and bureaucrats design a network message specification instead of just writing out the use cases. Toils of AIS by Raymond and Schwehr tries to give a blunt description of this.

A challenge to the reader of my blog: Given 30 minutes and no prior knowledge of AIS, look at ITU 1371-4 and IMO Circ 289 and you should be able to come up with 10 really nasty things to do with AIS. The Spanish have mentioned in public that they have practiced making ghost fleets with AIS in preparation for war time deceptions.

Original article: Captain, Where Is Your Ship [trendmicro.com] That post shows just how easy it is to send random UDP packets to open services and send them crap. It's like turtle graphics / logo in AIS packets.

Posted by Kurt | Permalink

10.05.2013 23:10

geeking out with programming languages

I'm on vacation. The mountain bike just got a tune up. And then I read What's the Best Way for a Programmer to Learn a New Language? (note that the link takes you directly to James Williams' entry). So then I went and did
fink install erlang-otp
fink install swi-prolog
fink install nodejs
fink install lua52
fink install haskell-platform
fink install go # Yeah!  some beat me to packaging it
And then I remembered that I want to be working on my JavaScript skillz. Then I remembered emacs lisp and Xah's notes. Then I remembered that I want to break out some java again. Oh, and I meant to setup go in fink. Cause one of my projects has go in it thanks to Francesc. Oooh, and rhino needs to get forward ported. All that and I really need deep into IPython, Scipy and Pandas. Oh and Judd had some killer examples of looking at the assembly generated by various tiny C++ programs so you can see the difference (or lack thereof) in the resulting assembly from for(int i=0; i<10; i++) {} or for(int i=0;i<10;++i) {} and int i=0; while(i<10) {i++;}. Oh oh oh! I need to learn ruby so that I can work with Chef and/or Puppet (and Les think's ruby is "epic"). My SQL is okay, but really would be worth digging deaper.

Languages that I never want to see again: fortran*, basic*, ada, ml, Tcl/Tk, Verilog, AML, perl, awk/sed, Karol the F***ing Robot, php, csh, DOS batch files, etc.

Then there are the "what should I know?" languages... dart, pl/sql, m4 etc.

And the of course I know... GNU make, bash, lex/flex/yacc/bison, some assembly, etc. etc

In the "meh" catagory (aka I just don't care): cobol, groovy, rust, chicken, guile, logo, scheme, Objective C, and so on.

//en.wikipedia.org/wiki/List_of_Hello_world_program_examples

sigh. my overloaded brain is feeling soggy.

Note 2013-10-14: Trying out // and dropping the http: from the wikipedia link. I've been told that this is better?!?!

Posted by Kurt | Permalink

10.02.2013 09:45

Oddly names NOAA bathymetry grids

The US government is shut down, so I can't tell if these have been corrected, but here are some samples of the 47 NOAA BAG grids that do not match the established naming convention. These are all from http://surveys.ngdc.noaa.gov/mgg/NOS/coast/
D00001-D02000/D00168/BAG/D00168_UTM02_MB_4m_MLLW_1of5.bag            # UTM02?
F00001-F02000/F00583/BAG/F00583_EastBranch_MB_50cm_MLLW_1of6.bag.gz  # EastBranch?
F00001-F02000/F00586/BAG/F00586_MB_1m_NGVD29_1of1.bag.gz             # NGVD29
F00001-F02000/F00596/BAG/F00596_MB_1m_HRD_1of1.bag.gz                # HRD?
H10001-H12000/H11348/BAG/H11348_Combined_20m_MLLW_1of1.bag.gz        # Combined placement
H10001-H12000/H11384/BAG/H11384_2m__MLLW_1of1.bag.gz                 # __
H10001-H12000/H11407/BAG/H11407_50cm_MLLW_4oif7.bag.gz               # oif -> of
H10001-H12000/H11478/BAG/H11478_50cm_MLLW_1of13_A.bag.gz             # _A
H10001-H12000/H11640/BAG/H11640_MB_1m_awois_MLLW_2of3.bag.gz         # awois
H10001-H12000/H11849/BAG/H11849_Office_4m_MLLW_3pf4.bag.gz           # pf -> of
H10001-H12000/H11849/BAG/H11849_Office_2m_MLLW_2of4.bag.gz           # Office!
H10001-H12000/H11854/BAG/H11854_50cm_MLLW_Combined_16of16.bag.gz     # Combined placement
H10001-H12000/H11855/BAG/H11855_2m_VBES_1of10.bag.gz                 # VBES -> VB
H10001-H12000/H11856/BAG/H11856_MB_50cm_CRD_combined.bag.gz          # CRD?
H10001-H12000/H11929/BAG/H11929_50cm_MLLW_4o6.bag.gz                 # o -> of
H10001-H12000/H11973/BAG/H11973_MB_10m_MLWW_Combined.bag.gz          # MLWW -> MLLW
H12001-H14000/H12133/BAG/H12133_MB_1m_IGLD88_1of1.bag.gz             # 88 or no 88?
H12001-H14000/H12132/BAG/H12132_MB_50cm_IGLD_1of3.bag.gz
W00001-W02000/W00220/BAG/W00220_MB_1m_other_1of1.bag.gz              # other?
W00001-W02000/W00230/BAG/W00230_MB_8m_MLLW_Combined2.bag.gz          # Combined gets a number
I started with this regular expression that I think matches the general naming convention:
#!/usr/bin/env python

import re

FILENAME_RE = re.compile(
    r'(?P<survey>(?P<survey_type>[A-Z])(?P<number>[0-9]{5,})(?P<extra>[A-Z]*))'
    r'(_(?P<sensor>(VB|MB|LI)+))?'
    r'(_((?P<cell_size>\d+)(?P<units>m|cm)))?'
    r'(_(?P<vdatum>MLLW|MLW|MSL|MHW|MHHW))?'
    r'(_(?P<grouping>combined|((?P<item_num>\d+)of(?P<item_total>\d+))))?'
    r'(?P<complete_ext>\.(?P<ext>tif|bag|BAG|mb168)(\.gz)?)?$',
    re.IGNORECASE)

for filename in open('files.txt'):
  match = FILENAME_RE.search(filename)
  if not match:
    print filename,

This is the regular expression I ended up with:
FILENAME_RE = re.compile(
    r'(?P<survey>(?P<survey_type>[A-Z])(?P<number>[0-9]{5,})(?P<extra>[A-Z]*))'
    r'(_(Office|EastBranch|Lynnhaven|NewportNews|Pipeline|SouthBranch|Terminal|UTM..))?'
    r'(_Combined)?'
    r'(_((?P<cell_size_oops>\d+)(?P<units_oops>m|cm)))?'
    r'(_(?P<sensor>(VB|VBES|MB|LI)+))?'
    r'(_((?P<cell_size>\d+)(?P<units>m|cm)))?'
    r'(_awois)?'
    r'(_Combined)?'
    r'(_+(?P<vdatum>(MLLW|MLWW)|MLW|MSL|MHW|MHHW|IGLD(88)?|other|NGVD29|HRD|CRD))?'
    r'(_Combined)?'
    r'(_SwashChannel)?'
    r'(_(?P<grouping>combined\d?|((?P<item_num>\d+)(of|o|oi|oif|pf)(?P<item_total>\d+))))?'
    r'(_A)?'
    r'(?P<complete_ext>\.(?P<ext>tif|bag|BAG|mb168)(\.gz)?)?$',
    re.IGNORECASE)

Looking at vdatum_regional08132013.zip from http://vdatum.noaa.gov/download/data/, I see these:
IGLD85/hydroc1.tif
IGLD85/hydroc2.tif
IGLD85/hydroc3.tif
IGLD85/hydroc4.tif
IGLD85/hydroc5.tif
I know that NAVD29 is National Geodetic Vertical Datum of 1929 (NGVD29). Is HRD the hurricane research division? I would guess that CRD is the Columbia River Datum. Dear, National Geodetic Survey (www.ngs.noaa.gov), what are these?

Posted by Kurt | Permalink

10.01.2013 13:08

comcast lying

This is a load of crap:

http://customer.comcast.com/help-and-support/cable-tv/limited-basic-encryption/

... encryption allows us to automate certain system functions
and will reduce the need for scheduled in-home appointments, providing
greater convenience for our customers.


Unless they want to tell us the technical details of how that is better, I'm going to have to call bull shit.

Posted by Kurt | Permalink