August 6th, 2002 - 4:00PM PST

The dcphonehome.com FAQ

This FAQ spawned from the comments posted by Slashdotters and the pile of email we have been getting.

Q: What is 180 degree hacking?
A: 180 degree hacking is the concept of tunneling an internal network out to an attacker's system through open data paths over trusted protocols.

Q: Why did you choose the Dreamcast?
A: We wanted to get the point across that any "computer" can pose a threat to an organization. We thought the Dreamcast would be a good platform to convey this. It runs Linux, and we had the broadband adapter.

Q: If you're going to sneak into a company, why not drop off a laptop?
A: Of course that would work. The point of 180 degree hacking is not to demonstrate weaknesses in physical security; it's to focus everyone's attention on *data* exit points and show how those exit points, when not protected, can be used to create covert back channels into an organization's internal network.

Q: Why not just drop off an access point? Then you could sit in your car.
A: Since nearly half of the presentations this year were about finding rogue access points and weaknesses in 802.11b, we figured that has been covered quite enough. Again, 180 degree hacking isn't about weaknesses in physical security.

Q: Why did you use the Dreamcast instead of X, Y, Z...
A: In order to prove that covert back channels can originate from any "computer," we used the Compaq iPAQ, Sega Dreamcast, and a modified Trinux ISO. What we wanted everyone to understand is that the delivery mechanism doesn't matter. It doesn't even have to be a stand-alone "thing." The same software we use to tunnel VPNs home runs dandy on many OSes and could easily be ported to a software package.

Q: Wouldn't it be easy to catch you, since your IP address will be hardcoded on the CD?
A: Yes, it would. However, we are not worried about being "caught," since our clients pay for our services and expect us to try to hack their networks.
Q: Isn't it unethical to make it easy for hackers to use their game systems to hack networks?
A: That is a silly question. First of all, this is by no means "easy." We have invented nothing new. The tunneling software we use (vTUN, cipe, proxytunnel, ssh/ppp, etc.) is already available to everyone on the internet. If a hacker wanted to use this software to create a back channel, they are not going to spend 100+ hours porting software to a Dreamcast. A hacker would run these applications on a system they compromised instead of wasting 150+ CD-Rs perfecting the distribution. Again, the point of this is not the Dreamcast. The message we are trying to convey is that data paths left unchecked can be used to compromise perimeter security.

Q: "from sneaking in and connecting a laptop to the network? I mean, wouldn't a Dreamcast plugged into the company network be a bit more suspicious than a computer?"
A: (sigh) Again, this is not the point. The thing we are focusing on is what "it" does once "it" is there. "It" could be any computer. The use of the Dreamcast illustrates that we have misconceptions of what a computer is. We need to be aware of all computers when it comes to security.

Q: What tunneling can your Dreamcast/iPAQ/x86 perform?
A: First it checks for common TCP ports that are let out through the firewall. If it finds one, it starts vtun. If no TCP ports are found, it checks for UDP ports (like 53). If it finds a UDP port, it starts cipe over UDP. It then checks for ICMP; if ICMP is available, it starts icmptunnel. If TCP, UDP, and ICMP all fail, it attempts to discover a proxy server. If a proxy server is found, it starts PPP over SSH through the proxy server, using proxytunnel. Once the device starts the tunnel, it sends its network information over the tunnel to the phonehome system so the attacker can set up routes to the internal network.

Q: Couldn't you stop this attack with MAC address filtering?
A: Exactly! There are many things we can do to stop this.
Unfortunately, people are not using the security features they have available to them on their internal networks.

Q: The broadband adapter is hard to find and very expensive now. How do you expect people to hack networks with their Dreamcasts without the broadband adapter?
A: (sigh)

Q: So you made a Dreamcast into an auto-hacking device?
A: No, we ported some network discovery/tunneling software to a Dreamcast (and other hardware) to prove a point. The Dreamcast doesn't hack anything. It simply figures out ways to build encrypted tunnels home. Any hacking that occurs post-delivery will come across the encrypted tunnel, where it's sure to be noticed by a company's IDS and log files, right? (Defense in depth, anyone?)

(Many Slashdotters enjoyed discussing how they would hide things in an organization.)

Q: Why don't you guys hide the Dreamcast in a drawer or a ceiling? That way it won't be discovered.
A: Knock yourself out.

Q: Wouldn't it be better to put a wireless card in the iPAQ?
A: Been there, done that, got the T-shirt. Isn't the real question: why would anybody put a $100 802.11b card in a $400 PDA when they could buy a $100 Linksys AP and do the same thing?

Q: I want to hack the world with a Dreamcast.
A: Think about this for a second: in order for the ppp/ssh tunnel to work, you have to hardcode your ssh key on the CD so that ppp over ssh can be started on your system. What else could someone do with your root ssh key besides start ppp? One more thing to think about: this builds a VPN tunnel, which goes both ways. You can get on somebody else's internal network, which means somebody else can get on yours.....

Q: Why can't I download any of your tools?
A: We are looking for a mirror. Downloads would kill our DSL line.
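The tunneling answer above lists the exit paths the device tries in order (TCP egress, UDP port 53, ICMP, then a proxy), and the MAC filtering and IDS answers point at where a defender would catch it. As an added example that is not part of the original FAQ or the dcphonehome tools, the following Python scores constructed flow records for exactly those signs: an unknown MAC on the internal segment, a DNS-port flow far larger or longer than real DNS, tunnel-sized ICMP, and a long-lived symmetric TCP session on an allowed port. The MAC inventory, the flows and the 10/8 internal range are all constructed for the example.

```python
"""Flag flows that look like the 'phone home' tunnels the FAQ describes.
Added example with constructed data, not code from dcphonehome.com; assumes
flow records of the kind a firewall or NetFlow collector keeps."""
from collections import namedtuple

Flow = namedtuple(
    "Flow", "src_mac src_ip dst_ip proto dport seconds bytes_out bytes_in")

# Constructed inventory of MACs allowed on the internal segment.
KNOWN_MACS = {"00:0c:29:aa:01:01", "00:0c:29:aa:01:02"}

# Constructed flows: normal web browsing, normal DNS, then one unknown host
# trying the FAQ's fallback paths in order (TCP egress, UDP/53, ICMP).
SAMPLE_FLOWS = [
    Flow("00:0c:29:aa:01:01", "10.1.1.10", "198.51.100.7", "tcp", 80, 12, 4000, 60000),
    Flow("00:0c:29:aa:01:02", "10.1.1.11", "10.1.1.2", "udp", 53, 0, 70, 120),
    Flow("00:d0:f1:99:99:99", "10.1.1.77", "203.0.113.5", "tcp", 443, 5400, 9000000, 8500000),
    Flow("00:d0:f1:99:99:99", "10.1.1.77", "203.0.113.5", "udp", 53, 3600, 2000000, 1900000),
    Flow("00:d0:f1:99:99:99", "10.1.1.77", "203.0.113.5", "icmp", 0, 1800, 500000, 480000),
]

def is_internal(ip):
    return ip.startswith("10.")  # constructed convention: internal net is 10/8

def tunnel_indicators(flow, known_macs=KNOWN_MACS):
    """Return the reasons a flow looks like a covert tunnel ([] if none)."""
    reasons = []
    if flow.src_mac not in known_macs:
        reasons.append("unknown MAC on internal segment")
    if is_internal(flow.dst_ip):
        return reasons  # only traffic leaving the network can phone home
    long_lived = flow.seconds >= 900
    big = max(flow.bytes_in, flow.bytes_out)
    symmetric = min(flow.bytes_in, flow.bytes_out) > 0.5 * big  # VPN-like
    if flow.proto == "udp" and flow.dport == 53 and (long_lived or flow.bytes_out > 10000):
        reasons.append("DNS-port flow far larger or longer than real DNS")
    elif flow.proto == "icmp" and (long_lived or flow.bytes_out > 10000):
        reasons.append("ICMP carrying tunnel-sized traffic")
    elif flow.proto == "tcp" and long_lived and symmetric and big > 1000000:
        reasons.append("long-lived symmetric TCP session on an allowed port")
    return reasons

def suspicious_hosts(flows):
    """Map each internal source IP with any indicator to its sorted reasons."""
    found = {}
    for f in flows:
        for r in tunnel_indicators(f):
            found.setdefault(f.src_ip, set()).add(r)
    return {ip: sorted(rs) for ip, rs in found.items()}
```

Running `suspicious_hosts(SAMPLE_FLOWS)` reports only the unknown host 10.1.1.77, with all four indicators; the thresholds are starting points to tune against a site's own baseline.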