Attack Of The Dreamcasts 451
kevin_conaway writes "A pair of coders are now suggesting that it is possible, with a modified Dreamcast system running Linux, to sneak into an office building and stick it on a network drop and leave. The Dreamcast will then probe for ways to connect to the outside world. They say they have created similar software for iPAQs and special bootable CD-ROMs for print servers and similar boxes. Just a reminder that our networks need to be as secure on the inside as they should be on the outside. Get the story here."
Even scarier (Score:4, Interesting)
What about WAPs? (Score:2, Interesting)
Did it. (Score:5, Interesting)
We used it to run a dump of all the packets on the network and get pretty much all the passwords used by anyone. We printed out a copy and sent it to the bozo they had in charge of IT, and he called in a mess of expensive consultants to reload everything on the network.
Of course, they didn't fix the basic problem or find our little friend. For all I know it's still running up above the 'ol drop ceiling -- we were too chicken to try and retrieve it. Of course, this was a private school, so the real joke was on us (the clue -- consultants were being paid for by our own stupid selves).
Did something similar (Score:4, Interesting)
One day we decided that we wanted to get free video games. After scoping the place out we discovered that all the 10baseT ports that the video games plugged into were in fact patched into a 3com 3300 switch and were active. The network designers I guess figured it would be easier to activate all the ports instead of making some video game tech figure out how to patch stuff in.
We brought in a laptop with a long cat5 cable and looked for a place to plug it in where we wouldn't be noticed. Jurassic Park 3 has this little thing you sit in and close the blinds so the ambient light would stay out. It would do nicely.
We watched what we could with different packet sniffers (we were also very paranoid of getting busted) and were able to bring up the switch's web management system. We discovered that the video games use DHCP to get an address in the 10.10.x.x subnet and the video games also seem to contact a master server for configuration information, i.e. how much does this game cost. By this time we had been sitting in Jurassic Park 3 for 2 hours and were getting REALLY paranoid. So we decided to try something malicious. We arp-spoofed/flooded everything we could see. An interesting thing happened. When the game control units can no longer talk to their master server, they go into 'free' mode. I guess this is in case there is a network failure. They'd rather lose a bit of money than piss off 100s of people. While our little program ran, every game in the place became free. So I thought to myself, why not just unplug the Cat5 cable for a game to make it free. That doesn't seem to work. I think this is because it needs to detect a link before it will go to free mode. Anyhoo, I guess the moral of this story is to have some kind of port security on your network ports in your business. or something
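The ARP spoofing described in the comment above leaves a recognizable trace: one MAC address suddenly answers for many IPs, and the IP-to-MAC binding of the master server flips back and forth. The following arpwatch-style check is an added example, not part of the original comment; the ARP observations are constructed, and the function name and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender_ip, sender_mac) taken from ARP replies
# seen on one VLAN. All addresses are invented for illustration.
SAMPLE_ARP_REPLIES = [
    (0,  "10.10.0.1",  "00:11:22:33:44:01"),   # master server
    (5,  "10.10.0.21", "00:11:22:33:44:21"),   # game unit
    (9,  "10.10.0.22", "00:11:22:33:44:22"),   # game unit
    (30, "10.10.0.1",  "02:AA:BB:CC:DD:EE"),   # new MAC claims the server IP
    (31, "10.10.0.21", "02:aa:bb:cc:dd:ee"),
    (32, "10.10.0.22", "02:aa:bb:cc:dd:ee"),
    (33, "10.10.0.1",  "00:11:22:33:44:01"),   # real owner answers again
]

def analyze_arp(replies, max_ips_per_mac=2):
    """Return (events, multi_ip_macs) for a list of ARP observations.

    events:        (kind, ts, ip, old_mac, new_mac); kind is "changed" when an
                   IP moves to a new MAC, "flip_flop" when it moves back to the
                   MAC it had just before.
    multi_ip_macs: mac -> sorted IPs, for MACs claiming more than
                   max_ips_per_mac addresses (assumed threshold).
    """
    current = {}                    # ip -> MAC seen most recently
    previous = {}                   # ip -> MAC seen before the current one
    ips_by_mac = defaultdict(set)
    events = []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()           # normalise case before comparing
        ips_by_mac[mac].add(ip)
        old = current.get(ip)
        if old is None:             # first sighting becomes the baseline
            current[ip] = mac
            continue
        if mac == old:
            continue
        kind = "flip_flop" if previous.get(ip) == mac else "changed"
        events.append((kind, ts, ip, old, mac))
        previous[ip], current[ip] = old, mac
    multi = {m: sorted(ips) for m, ips in ips_by_mac.items()
             if len(ips) > max_ips_per_mac}
    return events, multi

if __name__ == "__main__":
    events, multi = analyze_arp(SAMPLE_ARP_REPLIES)
    for event in events:
        print(event)
    print(multi)
```

Routers and hosts with several addresses legitimately answer for more than one IP, so the threshold needs tuning per network; switch-level port security and dynamic ARP inspection stop the spoofed replies rather than just reporting them.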
Re:how is this any different (Score:3, Interesting)
Wouldn't it be cheaper and just as effective (Score:5, Interesting)
Hell, you might be able to modify a tomsrtbt to do this and wipe (or dd if=/dev/zero of=/dev/fd0; dd if=/dev/urandom of=/dev/fd0) the diskette once the ramdisk is loaded.
IOW, this whole thing strikes me as more of a "stunt" than a "hack."
-Peter
Re:how is this any different (Score:3, Interesting)
At a game company?
Actually though, at my company (not a game company) I could probably bring a Dreamcast in and get it on the network without anybody really noticing. If I disable the LED on it, I'm pretty sure most of the people here (even those that have a Dreamcast and play it) wouldn't consider looking to see if it was network connected or not.
There are advantages to keeping your desk cluttered like I do.
Re:how is this any different (Score:2, Interesting)
Security is only as good as your vigilance and your Doorman!
Do you _Know_ everyone in your office?
This is where your social skills or lack thereof can be either an asset or a detriment.
Introduce yourself around Sysadmins... find out who those mysterious personnel are... Heck you might just make some friends!
Java-based disposable ethernet board! (Score:4, Interesting)
Anyways, my point is this type of device is probably easier to program than a Linux Dreamcast. It may or may not be cheaper (sub-$100). And it's a lot easier to hide, if that's the goal. I've programmed a handful of hobby projects with this board, and it's really quite amazing for the price. (Compared to trying to implement a TCP/IP stack on a PIC microcontroller, say.)
TINI hardware [ibutton.com]
TINI [ibutton.com]
TINI board resource center [junun.org]
more resources [apms.com.au]
DalSemi discussions [dalsemi.com]
Social Engineering (Score:2, Interesting)
So, I propose that instead of using a relatively conspicuous DC, or even a laptop, you buy a TINI computer:
http://www.ibutton.com/TINI/hardware/i
And then modify it into an old Cisco plastic shell. Write something like, "Cisco Network Load Balancer" or something (in a believable fashion), slap it in as close to the server room as you can.
The issue here is not "can I crack people's networks from the inside?" but, rather, "can I _keep_ cracking the network for more than a couple weeks?" You think to look at a laptop or DC for a network spy, but who bothers to look at some random piece of Cisco hardware in a corner? I'd say the risk of discovery becomes far lower - and with TINI, you could theoretically put together a "button" that would wipe the contents of the device if it was moved.
Just an idea.
-Erwos
A simpler, cheaper alternative (Score:3, Interesting)
1) port and service scan
2) send out results via http/ftp/ping/email/etc
3) wipe the floppy clean
4) write an innocuous text or word document on the floppy
5) reboot the workstation again
This leaves nearly zero physical evidence that there was an intrusion. Just an abandoned floppy and a rebooted machine.
Sure, you _might_ get past building security with a video game console in your bag. But I guarantee you'll get in with a floppy. And would you rather be caught plugging a floppy into a workstation or a video game console into the network?
And you'll still have your Dreamcast at home, running DCMAME!
Thought of doing it (Score:2, Interesting)
More challenging would be setting up a way to get the machine to periodically reconfigure itself to get out of the office network and establish a tunnel to the outside that could be used to get back inside.
The way that occurs to me is to have it load a public web page periodically and parse out the destination IP and then have the "automaton" search for ways out of the network to a destination host set to listen for tunnel attempts from the automaton.
I'd imagine you'd have to come up with really clever ways to get out of heavily firewalled/proxied business networks, some really don't allow any random end nodes to get unfiltered/proxied packets out of the network. Best way would be to tap into a fax line and have the machine periodically dial out, leaving a more clever human to fix any dedicated network tunnel.
I'm not sure what I'd *do* with a host if I had one, though.
Re:Why is this specifically a problem for dreamcas (Score:2, Interesting)
1 - don't light up unused ports
2 - use switches instead of hubs and there'll be nothing to sniff...
Mark
Re:Here is a number for you to remember (Score:1, Interesting)
two: chances are he did it as a minor.
three: the laws on computer crimes in '95 weren't as draconian as they are now. He would be held to the laws of 95. (at least in the US that is)
OTOH: anyone doing that now