Jul 31, 2009

Black Hat 2009: Parking meter hacking

>>>> Black Hat 2009: Parking meter hacking

via Hack a Day by Zach Banks on 7/30/09
For day two of Black Hat, we sat in on [Joe Grand], [Jacob Appelbaum], and [Chris Tarnovsky]'s study of the electronic parking meter industry. They decided to study parking meters because they are available everywhere, but rarely considered from a security perspective.

They focused on the San Francisco MTA's implementation of electronic smart card meters. To start they purchased several meters on eBay just to see the different styles. SF MTA lets you purchase disposable payment cards with values of $20 or $50. They decided to sniff the interaction between the meter and the smartcard using a shim. With that first capture they were able to easily replay the transaction. This didn't require a smartcard reader, just an oscilloscope. They then took the attack a little further.
[Joe] built a smartcard emulator using a PIC16F648A. They used it to capture multiple transactions and then decoded the interactions by hand. Luckily, the card was using the IEC 7816 standard so they had some insight into the protocol. They found that the card has a stored maximum value and only writes how many times the value has been decremented. As a proof of concept, they changed the maximum value, which you can see on the meter above. They could also have just changed the acknowledgement so that the card never writes any deductions.
The PIC16F648A was a good choice because it's available in a smart card format called a 'silver card'. You can find the emulator code and slides from the talk on [Joe]'s site about the project.

Breaking SSL with NULL Character


Another interesting item from the Black Hat event in Las Vegas this week: SSL.

Moxie Marlinspike and Dan Kaminsky independently found a problem in most implementations that enables an attacker to create certificates that appear valid for any web site. By embedding NULL characters into the certificate name field, an attacker can get a browser to match a malicious certificate to a web site it was never issued for.

Early this year we saw sslstrip hijacking SSL at Black Hat DC. This time both researchers make the attack even more effective. Here is how it works:
You (evil admin) apply for a certificate. The certificate authority (CA) looks at the common name (CN) on the form and contacts the domain owner. The CA ignores the subdomain.

The trick is to drop a [NULL] character into the subdomain, such as www.paypal.com[NULL].eviladm.org: the CA will contact the owner of eviladm.org and issue the cert.

When clients use a browser to verify the cert, the null character causes them to think the certificate is valid for www.paypal.com, because they stop at the null character. Even if the client examines the cert in their browser, it will show www.paypal.com. Wildcards work as well: you could get a certificate for *[NULL].eviladm.org and appear as any site you want.
Moxie will release his new code soon, as part of sslsniff 0.6.
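The following is an added example, not code from the original post or from sslsniff: it models the hostname check that fails (a C-string-style comparison that stops at the first NUL byte, with a permissive wildcard) beside a length-aware check that rejects any control byte in the CN and honours a wildcard only as the leftmost label. The certificate names are constructed from the scenario above.

```python
"""Added example (not from the original post or from sslsniff): a hostname
check that treats the certificate Common Name like a C string stops at the
first NUL byte, so a CN of "www.paypal.com\\x00.eviladm.org" matches
www.paypal.com. The names below are constructed for illustration."""
import fnmatch


def _cstring(s: str) -> str:
    """Truncate at the first NUL, as strlen()/strcmp()-based code does."""
    return s.split("\x00", 1)[0]


def vulnerable_cn_matches(cn: str, hostname: str) -> bool:
    """Vulnerable check: C-string truncation plus a permissive wildcard
    (a bare '*' matches anything, which is why '*\\x00.eviladm.org' works)."""
    pattern = _cstring(cn).lower()
    return fnmatch.fnmatchcase(hostname.lower(), pattern)


def safe_cn_matches(cn: str, hostname: str) -> bool:
    """Hardened check: the full, length-aware CN is used; any control byte
    (a DNS name can never contain one) is rejected outright, and a wildcard
    is only honoured as the leftmost label and covers exactly one label."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cn):
        return False
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        suffix = cn[1:]                      # ".eviladm.org"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]     # the part '*' stood for
        return bool(label) and "." not in label
    return cn == hostname


def ca_validation_domain(cn: str) -> str:
    """What the CA checks ownership of: the registered domain at the end of
    the full CN (the CA does not truncate, so it sees eviladm.org)."""
    return ".".join(cn.split(".")[-2:])


# Constructed certificate names from the post's scenario.
CN_NUL = "www.paypal.com\x00.eviladm.org"
CN_WILDCARD_NUL = "*\x00.eviladm.org"

if __name__ == "__main__":
    for cn in (CN_NUL, CN_WILDCARD_NUL):
        print(repr(cn), "validated by CA against", ca_validation_domain(cn))
        print("  vulnerable browser accepts for www.paypal.com:",
              vulnerable_cn_matches(cn, "www.paypal.com"))
        print("  hardened check accepts for www.paypal.com:  ",
              safe_cn_matches(cn, "www.paypal.com"))
```

The two halves of the bug are visible side by side: the CA validates the domain at the end of the full name, while the client validates the name up to the NUL. The hardened check refuses the name before any matching happens, which is the only robust fix; trying to "match the right part" keeps the ambiguity alive.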

Bootkit Bypasses Hard Disk Encryption

Bootkit = Bootable + Rootkit

This year, at the Black Hat security conference, Austrian IT security specialist Peter Kleissner presented an open development framework for creating rootkits that activate early in the boot process from the MBR, aka a bootkit.

This bootkit combines a rootkit with the ability to modify a PC's Master Boot Record (MBR), enabling the malware to be activated before the operating system starts. The bootkit is called Stoned, and it is capable of bypassing TrueCrypt partition and system encryption. Note that the encryption itself is not broken: the bootkit is loaded by the BIOS before TrueCrypt's own boot loader and so can interpose on it, which presupposes that the attacker can already write to the MBR (physical access, or code already running with sufficient privilege).

You can access the BH USA 2009 media archives to get a copy of the slides and paper.
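As an added example (not code from Stoned, from the talk or from TrueCrypt), here is the check a defender would want against this class of attack: compare the MBR read from the disk against a trusted baseline and report the tell-tale pattern of boot code changed while the partition table is intact. The two 512-byte sectors are constructed; on a real machine the current sector would be read from the raw disk device (e.g. the first 512 bytes of /dev/sda).

```python
"""Added example, not from Stoned or from the talk: a baseline comparison of
the Master Boot Record, the kind of check that catches a bootkit after the
fact. The two 512-byte sectors below are constructed for illustration."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: the BIOS jumps here
PART_TABLE_OFF = 446         # 4 entries x 16 bytes
SIGNATURE = b"\x55\xAA"      # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a hash of its boot code and its four partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(current: bytes, baseline: bytes) -> list:
    """Compare a freshly read MBR against a trusted baseline and report findings.
    Boot code changed while the partition table is intact is the bootkit
    pattern: the OS still boots normally, but something else runs first."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        if cur["partitions"] == base["partitions"]:
            findings.append("boot code modified, partition table intact: "
                            "consistent with a bootkit such as Stoned")
        else:
            findings.append("boot code and partition table both changed "
                            "(reinstall or repartition? verify out of band)")
    elif cur["partitions"] != base["partitions"]:
        findings.append("partition table changed, boot code intact")
    return findings


def _mbr(boot_code: bytes, entries: bytes) -> bytes:
    """Assemble a 512-byte MBR from boot code and a raw partition table."""
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entries.ljust(64, b"\x00") + SIGNATURE


# Constructed sample sectors: one bootable NTFS-type partition at LBA 2048.
_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 0x100000)
CLEAN_MBR = _mbr(b"\xEB\xFE", _ENTRY)                  # placeholder boot code: jmp $
INFECTED_MBR = _mbr(b"\xEA\x00\x7C\x00\x00", _ENTRY)   # different boot code, same table

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, CLEAN_MBR))        # []
    print(check_mbr(INFECTED_MBR, CLEAN_MBR))     # the bootkit pattern
```

The baseline has to be captured from a known-clean state and stored off the machine, since a bootkit that controls the disk reads can lie about sector 0 to anything running under the infected OS; reading the sector from a boot CD or another host is the trustworthy way to take the "current" sample.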

BIND 9 Dynamic Update DoS

This time, ISC BIND 9 contains a vulnerability that allows a remote, unauthenticated attacker to crash the server. Both a POC exploit and a patch are available now. Here's the summary:
BIND Dynamic Update DoS
CVE: CVE-2009-0696
CERT: VU#725188
Posting date: 2009-07-28
Program Impacted: BIND
Versions affected: BIND 9 (all versions)
Severity: High
Exploitable: remotely
Summary: BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message.
McAfee did a good job of summarizing how the attack works; follow the link if you are interested in the details.

References:
POC exploit is available at:
Update: I found a workaround that can be applied in case a patch isn't available from the vendor. Try it at your own risk:
iptables -A INPUT -p udp --dport 53 -m u32 --u32 '30>>27&0xF=5' -j DROP
The u32 expression reads the 32-bit word at byte offset 30 of the packet (a 20-byte IP header plus the 8-byte UDP header puts the DNS flags at bytes 30-31), shifts it right by 27 to leave the QR bit and the four opcode bits, and masks off the opcode; opcode 5 is UPDATE. Two caveats: the rule drops every dynamic update, legitimate ones included, so it is only usable on servers that do not accept DDNS; and the fixed offset assumes an IP header without options.
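The following added example (not from ISC, the advisory or the McAfee write-up) emulates that u32 expression over constructed IPv4/UDP/DNS headers, to confirm that it matches UPDATE and not ordinary queries, and to show the one case it misses: a packet whose IP header carries options, where the fixed offset lands on the wrong bytes. No real crash packet is built; only the 12-byte DNS header matters for the filter.

```python
"""Added example, not from ISC or the referenced advisory: emulate the u32
filter against constructed IPv4/UDP/DNS packets to confirm it matches UPDATE
(opcode 5) and not ordinary queries, and to show the case it misses (an IP
header carrying options). No real exploit packet is built."""
import struct

OPCODE_QUERY, OPCODE_UPDATE = 0, 5


def build_packet(opcode: int, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4 + UDP + 12-byte DNS header, dst port 53, no payload
    beyond the header. ip_options must be a multiple of 4 bytes."""
    assert len(ip_options) % 4 == 0
    # DNS header: ID, flags (opcode in bits 14..11), QDCOUNT=1, AN/NS/AR=0
    dns = struct.pack("!HHHHHH", 0x1234, (opcode & 0xF) << 11, 1, 0, 0, 0)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)      # checksum left 0
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(udp) + len(dns),
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return ip + ip_options + udp + dns


def u32_rule_matches(ip_packet: bytes) -> bool:
    """Literal emulation of --u32 '30>>27&0xF=5': take the 32-bit big-endian
    word at byte offset 30 from the start of the IP header."""
    (word,) = struct.unpack_from("!I", ip_packet, 30)
    return ((word >> 27) & 0xF) == 5


def packet_opcode(ip_packet: bytes) -> int:
    """Header-aware parse: honour IHL, skip the 8-byte UDP header, then read
    the DNS flags word and extract bits 14..11 (the opcode)."""
    ihl = (ip_packet[0] & 0x0F) * 4
    (flags,) = struct.unpack_from("!H", ip_packet, ihl + 8 + 2)
    return (flags >> 11) & 0xF


if __name__ == "__main__":
    cases = (("query", build_packet(OPCODE_QUERY)),
             ("update", build_packet(OPCODE_UPDATE)),
             ("update, 4 bytes of IP options", build_packet(OPCODE_UPDATE, b"\x01" * 4)))
    for label, pkt in cases:
        print(f"{label:32s} u32 rule drops: {str(u32_rule_matches(pkt)):5}  "
              f"real opcode: {packet_opcode(pkt)}")
```

With four NOP option bytes the UDP header moves to offset 24 and the word at offset 30 is the UDP checksum followed by the DNS ID, so the rule sees opcode 0 and lets the update through. IP options are rare on the open Internet and many edge filters strip them, but a workaround that depends on that is a stopgap, not a patch.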

“make it so that security is not the security team’s problem”

I have not been able to make it to the Black Hat event in Las Vegas this year. I wish I were there to listen to this excellent talk by keynote speaker Douglas Merrill.

MI5 Website Hacked

The website of the UK counter-intelligence and security agency MI5 has been hacked, with the result that the identity of visitors could be stolen and viruses downloaded to their computers.

According to the source, it was hacked by a group of hackers known as Team Elite, which had previously hacked into the WHO's website and attacked VISA's computer systems.

Read more on:

Jul 27, 2009

It is Time for Network Solutions

>>>> Half a million customers' credit card data stolen from Network Solutions

Unknown criminals have stolen more than 500,000 data sets containing credit card numbers from registrar and hosting provider Network Solutions. Apparently, the criminals managed to inject special code, designed to intercept transaction data, into 4,343 Network Solutions hosted merchant websites.

The injected code appears to have been activated on March 12 and was not discovered until June 8. During the period in which the code was active, details of 573,928 purchases, from web sites using the Network Solutions infrastructure, were intercepted. Details of how the attackers penetrated the system have yet to be disclosed.

Laws in many US states requiring customers affected by such cases to be informed have created an organizational nightmare for many small shop operators; not least, because the laws governing such cases vary from state to state. Network Solutions has extended these operators a helping hand, however, offering to handle informing shop owners' customers for free through a company called Trans Union that specialises in such matters.

For customers whose credit card data was stolen, Network Solutions has offered to monitor transactions for suspicious activity for 12 months, free of charge. According to the company's information page, the offer only applies to customers located within the United States. It is still not clear whether customers in other countries have been affected. While the customer FAQ states that Trans Union will also inform foreign customers, the dealers' information page specifically mentions only "US-based customers."

Jul 26, 2009

ISO 27001 by Praxiom Research Group

Just found this site recently and wish to share it with everyone who is interested in ISO/IEC 27001:2005 and 27002:2005.

Here's the link, which has lots of information and resources.


Jul 25, 2009

Getting into Trouble for Tracking Hackers

Remember the news about the DDoS attack against South Korea and the US earlier?

According to a news item in Infosecurity Magazine, VNCERT has received an "official complaint" from KrCERT about its efforts to track down the source of the computer virus attacks.

Jul 24, 2009

This is Called Auto Login

To Infosecurity Magazine: this is called "AUTO LOGIN", not "BACKDOOR".
Infosecurity isn't really sure either, but the breathtakingly simple technology tweak appears to have been coded as a backdoor to Windows XP for administrators who are having password difficulties.

I'm surprised by the Infosecurity Magazine post "TuCows review shows how to start WinXP without a password" after watching the video in the Butterscotch tutorial. This isn't a hidden command in XP. Anyone with administrator privileges can simply issue the command and do so:
control userpasswords2
My point is, how can Infosecurity Magazine not know this?

What the dialog actually does is store the account's password on the machine for Winlogon to use (the Winlogon DefaultPassword secret), so the box boots straight into that account for anyone with physical access, and anyone who already has administrative or SYSTEM access can read the stored password back. Convenient on a home PC; a bad idea anywhere else.

Jul 21, 2009

JSON Hijacking

I've been introduced to the topic of JSON hijacking recently. It is a very nice write-up.

Basically this vulnerability requires that you are exposing a JSON service which…
  • Returns sensitive data in a JSON array.
  • Responds to GET requests.
  • Is reached by a browser with JavaScript enabled (very likely the case).
  • Is reached by a browser that supports the __defineSetter__ method.
This attack is a variant of Cross-Site Request Forgery (CSRF): the attacker's page makes the victim's browser fetch the JSON URL through a script tag, the victim's cookies go along with the request, and because a bare array is a valid JavaScript program, the attacker's page can hook its evaluation and read the data.
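The following added example (not code from the write-up the post refers to) models the vulnerable endpoint that meets all of the conditions above beside a hardened one, and exercises both with the only kind of request a cross-site script tag can make: a GET with the victim's cookies and no custom headers. The record set and the ")]}'," prefix convention are constructed for illustration.

```python
"""Added example, not from the write-up the post refers to: a minimal model of
the vulnerable JSON endpoint next to a hardened one, exercised with the only
kind of request a cross-site <script src=...> tag can make. The data and the
prefix convention are constructed for illustration."""
import json

# Constructed sensitive record set, served to the logged-in user.
SENSITIVE = [{"user": "alice", "ssn": "123-45-6789"}]

# Assumption: the site's own XHR wrapper strips this prefix before parsing.
ANTI_HIJACK_PREFIX = ")]}',\n"


def vulnerable_endpoint(method, headers, authed=True):
    """Meets every condition in the list above: a bare JSON array of sensitive
    data, returned to any GET that carries the victim's session cookie."""
    if not authed:
        return 401, ""
    return 200, json.dumps(SENSITIVE)


def hardened_endpoint(method, headers, authed=True):
    """Three independent fixes; any one of them alone defeats the attack."""
    if not authed:
        return 401, ""
    # 1. A <script> tag always issues a GET and cannot add custom headers, so
    #    require POST or the header the site's own XMLHttpRequest code sets.
    if method != "POST" and headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, ""
    # 2. Wrap the array in an object: '{"data": [...]}' is a syntax error when
    #    evaluated as a script (the leading '{' opens a block, not an object
    #    literal), so the attacker's page cannot hook its evaluation.
    body = json.dumps({"data": SENSITIVE})
    # 3. Prefix with something that is not valid JavaScript at all.
    return 200, ANTI_HIJACK_PREFIX + body


def legitimate_client_parse(body):
    """The site's own XHR code: strip the prefix, then parse the JSON."""
    if body.startswith(ANTI_HIJACK_PREFIX):
        body = body[len(ANTI_HIJACK_PREFIX):]
    return json.loads(body)


def script_tag_fetch(endpoint):
    """What the attacker's page can do: <script src="https://victim/api">.
    The browser sends a GET with the victim's cookies and no custom headers."""
    return endpoint("GET", {}, authed=True)


if __name__ == "__main__":
    print("vulnerable, via <script>:", script_tag_fetch(vulnerable_endpoint))
    print("hardened, via <script>:  ", script_tag_fetch(hardened_endpoint))
    status, body = hardened_endpoint("GET", {"X-Requested-With": "XMLHttpRequest"})
    print("hardened, same-origin XHR:", status, legitimate_client_parse(body))
```

The header check is the cheapest fix but rests on the browser refusing to let a cross-site page add custom headers to a script or form request, so the object wrapper or the prefix should be there as well; they cost nothing once the client-side parser knows about them.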

Amazon Web Services and IaaS

With Steve Riley starting his new role as evangelist and strategist for Amazon Web Services, we have been introduced to Amazon's business model of Infrastructure-as-a-Service (IaaS).

Amazon's cloud computing approach follows the infrastructure as a service (IaaS) model. AWS includes these components:

  • Elastic Compute Cloud (EC2)—virtual server instances on which you run your choice of operating systems, web servers, and applications
  • Simple Storage Service (S3)—persistent data object stores accessible through several standard protocols
  • SimpleDB—web-based data indexing and querying services without complex schemas
  • Simple Queue Service (SQS)—a message queuing service integrated with EC2 and other AWS services
  • CloudFront—a content delivery service for data served up from S3 stores close to end users
  • Elastic MapReduce—a hosted Hadoop framework for processing large amounts of data

Jul 17, 2009

HTTPS, SANS, FireStats, MySQL and Table Name

Ever wonder what engines are powering the SANS Security Leadership Blog? I found an error message while browsing blogs.sans.org today. You can see that MySQL is used, and the table name.

And HTTPS does nothing to prevent this kind of information leakage: it protects the transport, not what the application chooses to put in an error page. :-)

Jul 16, 2009

Google Chrome Extension and New-New Tab

Since March 2009, Google Chrome has supported extensions. Google Chrome releases updates via three release channels:
  • Stable channel.
  • Beta channel (monthly updates).
  • Dev channel: developer preview.
First I upgraded my Google Chrome to the Dev channel via the early access release channels. Once that completed, it showed I was running version 3.0.193.0 (as of now).

Then I modified the startup argument of the shortcut (or run it from the command line) as below:
"C:\Documents and Settings\mylogin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --enable-extensions --load-extension="c:\myextension" --enable-user-scripts --new-new-tab-page
To list or uninstall extensions, type chrome://extensions in the address bar.

References:

DDoS Attack Master Server is Identified

Recently there was a DDoS attack against South Korean and US networks. Vietnamese security experts from Bkis claimed that the master server of the cyber attacks was located in Britain, a claim Korean authorities reportedly considered credible.

Based on their investigation, about 166,908 "zombie" computers from 74 countries around the world were used in the attacks, controlled by 8 Command & Control (C&C) servers. They identified the master server after hacking into 2 of the 8 C&C servers.

This allowed them to determine that the IP address of the master server, which runs Windows Server 2003, is 195.90.118.xxx and that it is located in the UK.


References:

Jul 14, 2009

Google Web Elements

Google Web Elements allow you to easily add your favorite Google products onto your own website.
  • Google Calendar
  • Google Search
  • Google Map
  • Google News
  • Google Conversation
  • Google Docs: Presentation & Spreadsheet
  • YouTube News

Jul 1, 2009

Get Free Airport WiFi

Blogger Felix Geisendorfer points out a clever URL hack that scored him free Wi-Fi at the Atlanta airport.
I found that I could easily visit sites like slashdot, Google, or even this weblog, when adding a ?.jpg at the end of the url. The next logical step was to automate that. I downloaded Greasemonkey and wrote a 4 line script that would add ?.jpg to every link in a document. That way I was able to browse most sites without a hassle.
This trick will only work on Wi-Fi networks that let images through without a redirect, and though it may seem like a bit of a stretch, it's better than shelling out $7 for 30 minutes of Wi-Fi.

One of the commenters suggests using "#" or "&" instead of "?", as "#" terminates the URL as far as most browsers are concerned.

Next time I'm stuck at an airport, I'll try this trick! :-D
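As an added example (not code from the post or from Felix Geisendorfer's Greasemonkey script), here is the kind of captive-portal allow rule the trick exploits, beside a version that does not fall for it: the weak rule tests the raw request URL for an image suffix, the hardened rule tests only the parsed path and, once a response is in hand, its Content-Type. The URLs are constructed for illustration.

```python
"""Added example, not from the post or from the Greasemonkey script it quotes:
a captive-portal allow rule that trusts the URL suffix, beside one that does
not. The URLs are constructed for illustration."""
from urllib.parse import urlsplit

IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")


def naive_portal_allows(url: str) -> bool:
    """Vulnerable rule: "let images through" implemented as a suffix test on
    the raw request URL. Anything the client appends after '?' or '&' is part
    of that string, so http://slashdot.org/?.jpg sails through."""
    return url.lower().endswith(IMAGE_SUFFIXES)


def portal_allows(url: str, content_type: str = None) -> bool:
    """Hardened rule: test only the path component (the query is not part of
    the resource name, and a fragment is never even sent to the server), and
    once the response is available decide on its Content-Type instead."""
    if content_type is not None:
        return content_type.split(";")[0].strip().lower().startswith("image/")
    return urlsplit(url).path.lower().endswith(IMAGE_SUFFIXES)


def greasemonkey_rewrite(url: str, suffix: str = "?.jpg") -> str:
    """What the four-line script does to every link on a page."""
    return url + suffix


if __name__ == "__main__":
    for original in ("http://slashdot.org/", "http://www.google.com/search?q=wifi"):
        forged = greasemonkey_rewrite(original)
        print(f"{forged:45s} naive: {naive_portal_allows(forged)!s:5} "
              f"hardened: {portal_allows(forged)}")
```

The lesson for anyone operating such a portal is the usual one about allow-lists: decide on what the resource is (path, and better still the response's Content-Type), never on a string the client controls end to end. A request inspector never sees a fragment at all, so "#.jpg" cannot help or hurt against a proxy that looks at what is on the wire.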