sslstrip, hijacking SSL in network

Last week at Black Hat DC, [Moxie Marlinspike] presented a novel way to hijack SSL. You can read about it in this Forbes article, but we highly recommend you watch the video. sslstrip can rewrite all https links as http, but it goes far beyond that. Using unicode characters that look similar to / and ? it can construct URLs with a valid certificate and then redirect the user to the original site after stealing their credentials. The attack can be very difficult for even above average users to notice. This attack requires access to the client’s network, but [Moxie] successfully ran it on a Tor exit node.

D-Link adds captcha to routers

D-Link is adding captcha support to its line of home routers. While default password lists have been abundant for many years, it was only recently that we started seeing the them implemented in malware. Last year, zlob variants started logging into routers and changing their DNS settings. It’s an interesting situation since the people who need the captcha feature are the ones who will never see it, since they won’t log in to change the default password.

Time’s poll hacked

Though Time won’t admit it, their poll on the most influential person was hacked. Moot, the founder of 4chan is rated #1. Not only that, but if you read the first letters of the poll results, you get “Marblecake also the game”. This refers to the IRC Chanel where many 4channers congregate as well as “the game” an internet meme. This article is very interesting as it delves into the details of the attack. Focusing mainly on what happened when the autovoting software was shut down due to reCaptcha. you’ve probably seen reCaptcha before. It presents you with two words, made difficult to read by strange kearning, warping, and squiggles. If you can read it, you’re most likely a human. Anon, a common name for 4channers, first tried to hack reCaptcha.

Their attempt at hacking reCaptcha relies on the process reCaptcha uses to identify words. It presents you with two words, one of which it already knows. The other is compared to a database of common responses to that word. Anon decided that if they entered “penis” enough times, they could flood the database allowing their autovoter to function again. This, though clever, was unsuccessful. They eventually settled on manual voting. This was taking too much time, they feared they would never reach their goals. To help with this, they built a simple interface that would preload several reCaptchas and cue up votes. This streamlining allowed them to squeak in the votes they needed to accomplish this.

It’s also worth noting that Time didn’t close the vote entries when the poll closed. They removed the poll from their site, but the streamlined vote software was still working. Anon is a powerful force of nature. If only we could harness it to cure cancer or HIV.

WaitLess bus tracking system

Bus systems on campus can often be frustrating. You’re standing at the stop waiting and you don’t know if it would just be faster to walk. If you have a WaitLess tracking system at your stop, you can see exactly where the bus is and make that decision much easier. The unit is self contained, solar, and equipped with wireless internet. With an Arduino at it’s core, it displays the current location of the bus by lighting an LED on a map. You can see a video of it in action after the break.