16 December 2009

New Adobe 0-Day Added To Metasploit

via HDM's Twitter feed:

Adobe PDF 0.9-day added to Metasploit: [msf> use exploit/windows/fileformat/adobe_media_newplayer.rb] (via jduck/pusscat/myself) SVN r7881

20 August 2009

Next Target Acquired - Twitter

So, I'm going on holiday in a little while and will be afk for about 3 weeks, and I can't wait. In the interim though, I have decided to focus my sights on a new target, with a hope of finding something new and fun, namely Twitter. I'll update if I do manage to find anything interesting, and I hope that their response is as good as Facebook's if of course I find anything.

Facebook and responsible disclosure

Okay, so a few nights ago, I decided to spend some time finding some vulnerabilities on Facebook, and lo and behold, I found one. Once I managed to find a contact for the security team at Facebook, I dropped them an e-mail on what I found, and I got a response the same evening. All I can say on the topic of Facebook's quick response is WOW! These guys really are serious about security. I was planning on publishing the details on what I found over at SecuriTeam, but I have decided against it, purely because of the response that I received from Facebook. Thank you Facebook, you have restored my faith in social networking. A huge thanks to Gerry.Eisenhaur and Technocrat for their help in testing, couldn't have done this without you guys.

12 August 2009

SQL Injection Cheat sheet

[From SQL Injection Cheat sheet: Esp: for filter evasion - by RSnake]
----------------
Been meaning to blog this one for a while, hope it helps someone out.


Pirate Party UK - The party is registered!

The party is registered!

Submitted by Andy_R on 11 August 2009

The long-awaited news has finally arrived, the Pirate Party UK is now officially registered as a political party! This means we can raise funds, have Pirate Party Candidates at the next general election, and do all the other things that political parties do.

Getting to this stage has been a long process, we've had to elect officers, raise funds, fill out forms, meet with some (very helpful) people at the Electoral Commission, and learn far more about electoral law and the special party funding rules that apply to Gibraltar than any sane person would ever want to.

[Photo caption: Andrew Robinson, Party Leader and Eric Priezkalns, Party Treasurer at the Electoral Commission offices in Westminster.]

Now the party can really start. It's time for us to tell the world that we exist, to recruit members, raise funds and gear up to fight the General Election. The officers and web team have built the framework that the party needs to get going, now it's time for YOU to make things happen.

Join the party, tell the media about the party, tell your friends about the party, take part in policy and news debates on the forum, join our Facebook group, donate or set up a regular payment to provide financial support, set up a branch in your constituency, school or workplace, join the specialist working groups for members with key skills like lawyers and journalists and volunteer to take part in canvassing and campaigning in your constituency at the general election... The success of Britain's newest party depends on you, the members!

[From Pirate Party UK - Blog - The party is registered!]

Half A Million Intercepts of Communications Data in 2008

Via eff.org

This week, the United Kingdom's Interception of Communications commissioner, Sir Paul Kennedy, announced his latest statistics for Britain's phone and email surveillance systems, to generally shocked responses by the British Public. In 2008, law enforcement, local authorities and the secret services in that country demanded "communication data" — the "who, how, when and where", but not the actual content of messages — 504,073 times. That's 1,381 times a day; or one inquiry every year for every 78 people in the UK.

Sir Kennedy's report is, in many ways, all the public oversight these half a million requests get. In the United Kingdom, there is no judicial review of these requests; law enforcement together with the Information Commission regulate their own regime, and are bound only to a government "code of conduct".

Communications data continues to be viewed by lawmakers as non-invasive and therefore not regarded as requiring strict regulation, despite the growing range of personal information that can now be revealed by a communications data intercept request. These orders can reveal lists of websites visited, email headers, name and address lookups, and, perhaps most controversially, the real-time location of a particular mobile telephone.

Such a breadth of information so readily available makes these intercepts increasingly tempting for law enforcement; modern technology makes them far easier to capture and process en masse; and with no probable cause or other conditions on obtaining such data, these numbers will keep rising. To guard against the misuse of these invasive powers, we need more than just aggregate statistics presented at the end of the year. Across the world, these frequent invasions of privacy need full judicial oversight, one case at a time.

-----------------

This has got to stop soon!

30 April 2009

Linux SCTP Vulnerability

Well, what's to say really?

Code here.

27 April 2009

Plan To Monitor All Internet Usage

From the BBC

Communications firms are being asked to record all internet contacts between people as part of a modernisation in UK police surveillance tactics.

The home secretary scrapped plans for a database but wants details to be held and organised for security services.

The new system would track all e-mails, phone calls and internet use, including visits to social network sites.

The Tories said the Home Office had "buckled under Conservative pressure" in deciding against a giant database.

Announcing a consultation on a new strategy for communications data and its use in law enforcement, Jacqui Smith said there would be no single government-run database.

But she also said that "doing nothing" in the face of a communications revolution was not an option.

The Home Office will instead ask communications companies - from internet service providers to mobile phone networks - to extend the range of information they currently hold on their subscribers and organise it so that it can be better used by the police, MI5 and other public bodies investigating crime and terrorism.

Ministers say they estimate the project will cost £2bn to set up, which includes some compensation to the communications industry for the work it may be asked to do.

"Communications data is an essential tool for law enforcement agencies to track murderers, paedophiles, save lives and tackle crime," Ms Smith said.

"Advances in communications mean that there are ever more sophisticated ways to communicate and we need to ensure that we keep up with the technology being used by those who seek to do us harm.

"It is essential that the police and other crime fighting agencies have the tools they need to do their job. However, to be clear, there are absolutely no plans for a single central store."

21 April 2009

Computer Spies Breach Fighter-Jet Project

This just scares the hell out of me, but at the same time, it makes me really glad that I'm working in this industry.

------------------------------

Via Washington Post

WASHINGTON -- Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever -- according to current and former government officials familiar with the attacks.

Similar incidents have also breached the Air Force's air-traffic-control system in recent months, these people say. In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft.

The latest intrusions provide new evidence that a battle is heating up between the U.S. and potential adversaries over the data networks that tie the world together. The revelations follow a recent Wall Street Journal report that computers used to control the U.S. electrical-distribution system, as well as other infrastructure, have also been infiltrated by spies abroad.

Attacks like these -- or U.S. awareness of them -- appear to have escalated in the past six months, said one former official briefed on the matter. "There's never been anything like it," this person said, adding that other military and civilian agencies as well as private companies are affected. "It's everything that keeps this country going."

Many details couldn't be learned, including the specific identity of the attackers, and the scope of the damage to the U.S. defense program, either in financial or security terms. In addition, while the spies were able to download sizable amounts of data related to the jet-fighter, they weren't able to access the most sensitive material, which is stored on computers not connected to the Internet.

Former U.S. officials say the attacks appear to have originated in China. However it can be extremely difficult to determine the true origin because it is easy to mask identities online.

A Pentagon report issued last month said that the Chinese military has made "steady progress" in developing online-warfare techniques. China hopes its computer skills can help it compensate for an underdeveloped military, the report said.

The Chinese Embassy said in a statement that China "opposes and forbids all forms of cyber crimes." It called the Pentagon's report "a product of the Cold War mentality" and said the allegations of cyber espionage are "intentionally fabricated to fan up China threat sensations."

The U.S. has no single government or military office responsible for cyber security. The Obama administration is likely to soon propose creating a senior White House computer-security post to coordinate policy and a new military command that would take the lead in protecting key computer networks from intrusions, according to senior officials.

The Bush administration planned to spend about $17 billion over several years on a new online-security initiative and the Obama administration has indicated it could expand on that. Spending on this scale would represent a potential windfall for government agencies and private contractors at a time of falling budgets. While specialists broadly agree that the threat is growing, there is debate about how much to spend in defending against attacks.

The Joint Strike Fighter, also known as the F-35 Lightning II, is the costliest and most technically challenging weapons program the Pentagon has ever attempted. The plane, led by Lockheed Martin Corp., relies on 7.5 million lines of computer code, which the Government Accountability Office said is more than triple the amount used in the current top Air Force fighter.

Six current and former officials familiar with the matter confirmed that the fighter program had been repeatedly broken into. The Air Force has launched an investigation.

Pentagon officials declined to comment directly on the Joint Strike Fighter compromises. Pentagon systems "are probed daily," said Air Force Lt. Col. Eric Butterbaugh, a Pentagon spokesman. "We aggressively monitor our networks for intrusions and have appropriate procedures to address these threats." U.S. counterintelligence chief Joel Brenner, speaking earlier this month to a business audience in Austin, Texas, warned that fighter-jet programs have been compromised.

Foreign allies are helping develop the aircraft, which opens up other avenues of attack for spies online. At least one breach appears to have occurred in Turkey and another country that is a U.S. ally, according to people familiar with the matter.

Joint Strike Fighter test aircraft are already flying, and money to build the jet is included in the Pentagon's budget for this year and next.

Computer systems involved with the program appear to have been infiltrated at least as far back as 2007, according to people familiar with the matter. Evidence of penetrations continued to be discovered at least into 2008. The intruders appear to have been interested in data about the design of the plane, its performance statistics and its electronic systems, former officials said.

The intruders compromised the system responsible for diagnosing a plane's maintenance problems during flight, according to officials familiar with the matter. However, the plane's most vital systems -- such as flight controls and sensors -- are physically isolated from the publicly accessible Internet, they said.

The intruders entered through vulnerabilities in the networks of two or three contractors helping to build the high-tech fighter jet, according to people who have been briefed on the matter. Lockheed Martin is the lead contractor on the program, and Northrop Grumman Corp. and BAE Systems PLC also play major roles in its development.

Lockheed Martin and BAE declined to comment. Northrop referred questions to Lockheed.

The spies inserted technology that encrypts the data as it's being stolen; as a result, investigators can't tell exactly what data has been taken. A former Pentagon official said the military carried out a thorough cleanup.

Fighting online attacks like these is particularly difficult because defense contractors may have uneven network security, but the Pentagon is reliant on them to perform sensitive work. In the past year, the Pentagon has stepped up efforts to work with contractors to improve computer security.

Investigators traced the penetrations back with a "high level of certainty" to known Chinese Internet protocol, or IP, addresses and digital fingerprints that had been used for attacks in the past, said a person briefed on the matter.

As for the intrusion into the Air Force's air-traffic control systems, three current and former officials familiar with the incident said it occurred in recent months. It alarmed U.S. national security officials, particularly at the National Security Agency, because the access the spies gained could have allowed them to interfere with the system, said one former official. The danger is that intruders might find weaknesses that could be exploited to confuse or damage U.S. military craft.

Military officials declined to comment on the incident.

In his speech in Austin, Mr. Brenner, the U.S. counterintelligence chief, issued a veiled warning about threats to air traffic in the context of Chinese infiltration of U.S. networks. He spoke of his concerns about the vulnerability of U.S. air traffic control systems to cyber infiltration, adding "our networks are being mapped." He went on to warn of a potential situation where "a fighter pilot can't trust his radar."

20 April 2009

Blackout Europe

Everyone really needs to help out on this one, the link to the website can be found here.

Please take action!

---------------------------

The European open internet is under imminent threat

URGENT - VOTING IN EU PARLIAMENT 5th of MAY 2009

Don't let the EU parliament lock up the Internet! There will be no way back!

Act now!

Internet access is not conditional

Everyone who owns a website has an interest in defending the free use of Internet... so has everyone who uses Google or Skype... everyone who expresses their opinions freely, does research of any kind, whether for personal health problems or academic study ... everyone who shops online...who dates online...socialises online... listens to music...watches video...

The internet as we know it is at risk because of proposed new EU rules going through end of April. Under the proposed new rules, broadband providers will be legally able to limit the number of websites you can look at, and to tell you whether or not you are allowed to use particular services. It will be dressed up as ‘new consumer options' which people can choose from. People will be offered TV-like packages - with a limited number of options for you to access.

It means that the Internet will be packaged up and your ability to access and to put up content could be severely restricted. It will create boxes of Internet accessibility, which don't fit with the way we use it today. This is because the internet now permits exchanges between persons which cannot be controlled or "facilitated" by any middlemen (the state or a corporation), and this possibility improves the citizen's life but forces the industry to lose power and control. That's why they are pushing governments to enact those changes.

The excuse is to control the flow of music, films and entertainment content against the alleged piracy by downloading for free, using P2P file-sharing. However, the real victims of this plan will be all Internet users and the democratic and independent access to information, culture goods.

Think about how you use the Internet! What would it mean to you if free access to the Internet was taken away?

These days, the Internet is about life and freedom. It's about shopping, booking theatre tickets ... holidays, learning, job-seeking, banking, and trade. It's also about the fun things - dating, chatting, invitations, music, entertainment, joking and even a Second Life. It is a tool to express ourselves, to collaborate, innovate, share, stimulate new business ideas, reach new markets - thrive without middlemen.

Just think - what's your web address? Unless people have that address in their "package" of regular websites - they won't be able to find you. That means they can't buy, or book, or register, or even view you online. Your business won't be able to find niche suppliers of goods - and compare prices. If you get any money at all from advertising on your site, it will diminish. Yes, Amazon and a select few will be OK, they will be included in the package. But your advertising on Google or any other website, will be increasingly worthless. Skype could be blocked (as it already is for iPhone users in Germany). Small businesses could literally disappear, especially specialist, niche or artisan businesses.

If we don't do something now - we could lose free and open use of the internet. Our freedom (of choice in information, market, culture, pleasure) will be curtailed. The EU proposals hold an enormous risk for our future. They are about to become Law - and will be virtually impossible to reverse. People (even the members of the European Parliament who are voting on it) don't really seem to understand the full implications and the legal changes are wrapped up in something called "Telecoms Package" which lulls people into thinking it is just about industry.

However, in reality, hiding from public view, the amendments are about the way the Internet will operate in future! Text that expresses your rights to access and distribute content, services and applications, is being crossed out. And the text that is being brought in, says that broadband providers must inform you of any limitations, or restrictions to your broadband service. Alternative versions use the word ‘conditions' - and it is seriously being proposed that you will be told the conditions of use of Internet services. This is made to sound good - it is dressed up as ‘transparency' - except that of course it means that the broadband provider will have the legal right to restrict your access or impose conditions, otherwise why would they need to tell you? If the Telecoms Package amendments are voted in, the changes will not be reversible.

We all have a stake in the Internet! You need to act now to save it!

What can you do about it?

Tell the European Parliament to vote against conditional access to the Internet! Remind them that they need your vote in June and that the internet still gives us the tools to watch and judge what they are doing! (link a la quadrature du net) You must know you are not alone: hundreds of organizations are working on that and thousands of people have already contacted their parliamentarians about this issue.

So, act now:

1 - Email, write to or phone your MEP - follow this link to get their details - a suggested template letter is attached. You can also use the following software that sends the letter directly to all the parliamentarians. Believe it, they will really receive it and they will really feel the pressure. You are welcome to personalize the letter and include information that will make MEPs wake up, take note and take appropriate action.

2 - Forward this email to everyone you know so that they can take action.

3 - Syndicate this page so that you keep being informed: disinformation is what they count on, we must be aware. Text for people to cut and paste to MEP: The coalition version needs to have instructions for people from each country. Coalition members need to get a translated version online in their own languages and link to the LQ site for their own MEPs.

19 April 2009

The Hacker Manifesto

The time to post this one just seems fitting all things considered recently, for those of you that remember this one, drop me a line, let's catch up somewhere.

-------------------------------------

The Hacker Manifesto

by

+++The Mentor+++

Written January 8, 1986

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...

Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...

Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."

Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here...

Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

17 April 2009

Pirate Bay Verdict Guilty!! -- WTF???

This is wrong on so many levels! Via Torrentfreak

Just minutes ago the verdict in the case of The Pirate Bay Four was announced. All four defendants were accused of ‘assisting in making copyright content available’. Peter Sunde: Guilty. Fredrik Neij: Guilty. Gottfrid Svartholm: Guilty. Carl Lundström: Guilty. The four receive 1 year in jail each and fines totaling $3,620,000.

While only a few weeks ago, it seems like an eternity since the trial of The Pirate Bay Four ended and the court retired to consider its verdict. The prosecution claimed that the four defendants were ‘assisting in making copyright content available’ and demanded millions of dollars in damages. The defense did not agree, and all pleaded not guilty - backed up by the inimitable King Kong defense.

Today, Friday April 17, the court issued its decision: “The court has found that by using Pirate Bay’s services there has been file-sharing of music, films and computer games to the extent the prosecutor has stated in his case,” said the district court. “This file-sharing constitutes an unlawful transfer to the public of copyrighted performances.”

Peter Sunde (born September 13, 1978) alias ‘brokep’: Verdict: Guilty - 1 year in prison, damages to pay: $905,000

Peter Althin, brokep’s lawyer said, “I spoke to Peter and he wasn’t very surprised. A journalist he’d spoken to knew an hour before it was public that all four would be convicted. The verdict was leaked from the court. I have to think about what effects that can have on the sentence. It is unacceptable that the court is leaking.”

Fredrik Neij (born April 27, 1978) alias ‘TiAMO’: Verdict: Guilty - 1 year in prison, damages to pay: $905,000

Gottfrid Svartholm (born October 17, 1984) alias ‘Anakata’: Verdict: Guilty - 1 year in prison, damages to pay: $905,000

Anakata’s lawyer Ola Salomonsson said, “We’re appealing. It’s very surprising that the court has chosen to treat the accused as a team.”

Carl Lundström (born April 13, 1960): Verdict: Guilty - 1 year in prison, damages to pay: $905,000

The court said that the four defendants worked as a team, were aware that copyrighted material was being shared using The Pirate Bay and that they made it easy and assisted the infringements. It categorized the infringements as ‘severe’. The judge said that the users of The Pirate Bay committed the first offense by sharing files and the four assisted this.

While the court did not agree with the plaintiff’s exaggerated estimates of losses, it still set the damages at 30 million SEK ($3,620,000). This a hugely significant amount and the court has ordered that the four should pay this amount between them. The judge also stated that the usage of BitTorrent at The Pirate Bay is illegal. Rest assured, other torrent sites hosted in Sweden will be keeping a close eye on developments.

The defense put it to the judge that he had folded under intense political pressure. The judge denied this stating that the court made its decision based on the case presented. At one point the judge was asked if he was concerned for his personal safety after handing down this decision. The judge said he hadn’t received any harassment and was quite surprised at the question.

While the judge won’t be getting any flowers for this verdict, Roger Wallis who spoke in favor of The Pirate Bay at their trial and received a mountain of floral tributes in return, noted, “This will cause a flood of court cases. Against all the ISPs. Because if these guys assisted in copyright infringements, then the ISPs also did. This will have huge consequences. The entire development of broadband may be stalled.”

Peter Sunde has already explained that this decision does not mean the end of the line in this case. There will be an appeal which means we are still far away from the ultimate decision - possibly years away. Any appeal from either side must be submitted to Sweden’s higher Court by 9th May 2009.

Rasmus Fleischer, one of the founders of Piratbyrån commented, “The sentence has no formal consequence and no juridical value. We chose to treat the trial as a theater play and as such it’s been far better than we ever could have believed.”

As for the fate of the site, Peter has already promised that The Pirate Bay will continue. The site itself was never on trial, only the four individuals listed above.

15 April 2009

PIN Crackers Nab Holy Grail of Bank Card Security

From Wired.com Hackers have crossed into new frontiers by devising sophisticated ways to steal large amounts of personal identification numbers, or PINs, protecting credit and debit cards, says an investigator. The attacks involve both unencrypted PINs and encrypted PINs that attackers have found a way to crack, according to the investigator behind a new report looking at the data breaches. The attacks, says Bryan Sartin, director of investigative response for Verizon Business, are behind some of the millions of dollars in fraudulent ATM withdrawals that have occurred around the United States. "We're seeing entirely new attacks that a year ago were thought to be only academically possible," says Sartin. Verizon Business released a report Wednesday that examines trends in security breaches. "What we see now is people going right to the source ... and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks." The revelation is an indictment of one of the backbone security measures of U.S. consumer banking: PIN codes. In years past, attackers were forced to obtain PINs piecemeal through phishing attacks, or the use of skimmers and cameras installed on ATM and gas station card readers. Barring these techniques, it was believed that once a PIN was typed on a keypad and encrypted, it would traverse bank processing networks with complete safety, until it was decrypted and authenticated by a financial institution on the other side. But the new PIN-hacking techniques belie this theory, and threaten to destabilize the banking-system transaction process. Information about the theft of encrypted PINs first surfaced in an indictment last year against 11 alleged hackers accused of stealing some 40 million debit and credit card details from TJ Maxx and other U.S. retail networks. 
The affidavit, which accused Albert "Cumbajohnny" Gonzalez of leading the carding ring, indicated that the thieves had stolen "PIN blocks associated with millions of debit cards" and obtained "technical assistance from criminal associates in decrypting encrypted PIN numbers." But until now, no one had confirmed that thieves were actively cracking PIN encryption. Sartin, whose division at Verizon conducts forensic investigations for companies that experience data breaches, wouldn't identify the institutions that were hit or indicate exactly how much stolen money was being attributed to the attacks, but according to the 2009 Data Breach Investigations report, the hacks have resulted in "more targeted, cutting-edge, complex, and clever cybercrime attacks than seen in previous years." "While statistically not a large percentage of our overall caseload in 2008, attacks against PIN information represent individual data-theft cases having the largest aggregate exposure in terms of unique records," says the report. "In other words, PIN-based attacks and many of the very large compromises from the past year go hand in hand." Although there are ways to mitigate the attacks, experts say the problem can only really be resolved if the financial industry overhauls the entire payment processing system. "You really have to start right from the beginning," says Graham Steel, a research fellow at the French National Institute for Research in Computer Science and Control who wrote about one solution to mitigate some of the attacks. "But then you make changes that aren't backwards-compatible." PIN hacks hit consumers particularly hard, because they allow thieves to withdraw cash directly from the consumer's checking, savings or brokerage account, Sartin says. 
Unlike fraudulent credit card charges, which generally carry zero liability for the consumer, fraudulent cash withdrawals that involve a customer's PIN can be more difficult to resolve since, in the absence of evidence of a breach, the burden is placed on the customer to prove that he or she didn't make the withdrawal.

Some of the attacks involve grabbing unencrypted PINs, while they sit in memory on bank systems during the authorization process. But the most sophisticated attacks involve encrypted PINs.

Sartin says the latter attacks involve a device called a hardware security module (HSM), a security appliance that sits on bank networks and on switches through which PIN numbers pass on their way from an ATM or retail cash register to the card issuer. The module is a tamper-resistant device that provides a secure environment for certain functions, such as encryption and decryption, to occur.

According to the payment-card industry, or PCI, standards for credit card transaction security, PIN numbers are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data.

The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank. These HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point, the PIN must be decrypted, then re-encrypted with the proper key for the next leg in its journey, which is itself encrypted under a master key that is generally stored in the module or in the module's application programming interface, or API.

"Essentially, the thief tricks the HSM into providing the encryption key," says Sartin. "This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device."

Sartin says HSMs need to be able to serve many types of customers in many countries where processing standards may be different from the U.S.
As a result, the devices come with enabled functions that aren't needed and can be exploited by an intruder into working to defeat the device's security measures. Once a thief captures and decrypts one PIN block, it becomes trivial to decrypt others on a network.

Other kinds of attacks occur against PINs after they arrive at the card-issuing bank. Once encrypted PINs arrive at the HSM at the issuing bank, the HSM communicates with the bank's mainframe system to decrypt the PIN and the customer's 16-digit account number for a brief period to authorize the transaction. During that period, the data is briefly held in the system's memory in unencrypted form. Sartin says some attackers have created malware that scrapes the memory to capture the data.

"Memory scrapers are in as much as a third of all cases we're seeing, or utilities that scrape data from unallocated space," Sartin says. "This is a huge vulnerability."

He says the stolen data is often stored in a file right on the hacked system.

"These victims don't see it," Sartin says. "They rely almost purely on anti-virus to detect things that show up on systems that aren't supposed to be there. But they're not looking for a 30-gig file growing on a system."

Information about how to conduct attacks on encrypted PINs isn't new and has been surfacing in academic research for several years. In the first paper, in 2003, a researcher at Cambridge University published information about attacks that, with the help of an insider, would yield PINs from an issuer bank's system. The paper, however, was little noticed outside academic circles and the HSM industry.

But in 2006, two Israeli computer security researchers outlined an additional attack scenario that got widespread publicity. The attack was much more sophisticated and also required the assistance of an insider who possessed credentials to access the HSM and the API and who also had knowledge of the HSM configuration and how it interacted with the network.
As a result, industry experts dismissed it as a minimal threat. But Steel and others say they began to see interest for the attack research from the Russian carding community.

"I got strange Russian e-mails saying, Can you tell me how to crack PINs?" Steel recalls.

But until now no one had seen the attacks actually being used in the wild.

Steel wrote a paper in 2006 that addressed attacks against HSMs as well as a solution to mitigate some of the risks. The paper was submitted to nCipher, a British company that manufactures HSMs and is now owned by Thales-eSecurity. He says the solution involved guidelines for configuring an HSM in a more secure manner and says nCipher passed the guidelines to customers.

Steel says his solution wouldn't address all of the types of attacks. To fix the problem would take a redesign. But he notes that "a complete rethink of the system would just cost more than the banks were willing to make at this time."

Thales-eSecurity is the largest maker of HSMs for the payment-card and other industries, with "multiple tens of thousands" of HSMs deployed in payment-processing networks around the world, according to the company. A spokesman said the company is not aware of any of the attacks on HSMs that Sartin described, and noted that Thales and most other HSM vendors have implemented controls in their devices to prevent such attacks. The problem, however, is how the systems are configured and managed.

"It's a very difficult challenge to protect against the lazy administrator," says Brian Phelps, director of program services for Thales-eSecurity. "Out of the box, the HSMs come configured in a very secure fashion if customers just deploy them as is. But for many operational reasons, customers choose to alter those default security configurations — supporting legacy applications may be one example — which creates vulnerabilities."
Redesigning the global payment system to eliminate legacy vulnerabilities "would require a mammoth overhaul of virtually every point-of-sale system in the world," he says.

Responding to questions about the vulnerabilities in HSMs, the PCI Security Standards Council said that beginning next week the council would begin testing HSMs as well as unattended payment terminals. Bob Russo, general manager of the global standards body, said in a statement that although there are general market standards that cover HSMs, the council's testing of the devices would "focus specifically on security properties that are critical to the payment system." The testing program conducted in council-approved laboratories would cover "both physical and logical security properties."
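The "PIN block" the article keeps referring to is a defined format, and the clear form of it is exactly what an HSM holds between the decrypt and re-encrypt step at each switching point. As an added example (not code from the Wired article or from this blog), here is ISO 9564-1 format 0 encoding and decoding in Python; it also shows why a stolen PIN block is tied to one card's PAN, which is why the indictment speaks of PIN blocks "associated with" debit cards. The PAN and PIN values are constructed test data.

```python
# Added example (not code from the Wired article or this blog): ISO 9564-1
# format 0 clear PIN block, the value an HSM holds in plaintext only long
# enough to re-encrypt it for the next leg. Sample PAN/PIN values below are
# constructed test data, not real card numbers.

def pan_field(pan: str) -> str:
    """Format 0 PAN field: 0000 + 12 rightmost PAN digits, check digit excluded."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return "0000" + pan[:-1][-12:]

def pin_field(pin: str) -> str:
    """Format 0 PIN field: control nibble 0, PIN length, PIN, then F padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")

def xor_hex(a: str, b: str) -> str:
    """XOR two 16-hex-digit (8-byte) strings."""
    return f"{int(a, 16) ^ int(b, 16):016X}"

def encode_pin_block(pin: str, pan: str) -> str:
    """Clear PIN block = PIN field XOR PAN field (16 hex digits)."""
    return xor_hex(pin_field(pin), pan_field(pan))

def decode_pin_block(block: str, pan: str) -> str:
    """Recover the PIN; rejects blocks whose structure does not fit this PAN."""
    field = xor_hex(block, pan_field(pan))
    n = int(field[1], 16)
    if field[0] != "0" or not 4 <= n <= 12:
        raise ValueError("not a format 0 PIN block for this PAN")
    pin, pad = field[2:2 + n], field[2 + n:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN block does not belong to this PAN")
    return pin

def block_matches_pan(block: str, pan: str) -> bool:
    """True when the block decodes cleanly under this PAN (structural check only:
    a wrong PAN can occasionally still yield a well-formed field by chance)."""
    try:
        decode_pin_block(block, pan)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    pan, pin = "4111111111111111", "1234"                # constructed test values
    block = encode_pin_block(pin, pan)
    print(block)                                         # 041225EEEEEEEEEE
    print(decode_pin_block(block, pan))                  # 1234
    print(block_matches_pan(block, "5500000000000004"))  # False
```

In a real network this clear block is encrypted under the zone key of each leg; the XOR with the PAN is what makes two cards with the same PIN produce different blocks, and what makes a block useless without the matching PAN.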

14 April 2009

Tracking via Cell/Mobile phones

Really interesting article on the Reg about how the various mobile phone cells, along with your phone, can be used to track your every movement. It makes perfect sense and is part of the technology, but it does make matters more interesting when you read my recent articles on the whole 1984 thing. This is pretty common knowledge, but it seems that a lot of people aren't really aware of this fact. Also, a lot of phones still transmit for a while when you take the battery out; removing the SIM card is the only way to stop this. Read more here

XSS Prevention Cheat Sheet

Following on from my previous post, OWASP have done an amazing job of writing an XSS Prevention cheat sheet. To me this is one of those things that all web app developers should be made to read and understand before they actually start coding any new applications. Here it is: XSS Prevention Cheat Sheet

XSS Cheat Sheet

I've been meaning to put a link up to this one for a while, as it really is a handy little cheat sheet when trying to perform XSS attacks on new web apps, and has really helped me to prove a point a number of times. So here it is: the ha.ckers.org XSS Cheat Sheet

12 April 2009

V for Vendetta!

Ok, we need to do something now, things are getting out of hand!

From the BBC

New CCTV cars to catch drivers using their mobile phones or being otherwise distracted at the wheel are being piloted by Greater Manchester Police.

The small Smart cars, which have a 12ft (3.6m) mast with a camera attached, are parked at junctions to monitor traffic.

Mike Downes of the Greater Manchester Casualty Reduction Partnership said the scheme was successfully "driving the number of accidents down".

But the AA's Paul Watters said drivers "might regard it as Big Brother".

Proportionate and fair

Two cars are currently being piloted in Greater Manchester, the first of their kind in the UK.

Anyone seen driving while distracted - eating at the wheel, playing with the radio or applying make-up for instance - is filmed by the cameras.

Later, a letter is sent to the owner of the car, in many cases along with a fine.

Anyone caught using their mobile will be asked to pay £60 and have three points added to their licence. Fines could also be handed out to anyone who is thought to be driving without due care and attention, or similar offences.

According to the Partnership - also known as Drivesafe - there have been 406 collisions in Greater Manchester in the past two years which can be attributed to distracted drivers.

Of those, 51 were said to involve the use of a mobile phone as a significant factor.

Mr Downes said the cars would only trace people who are committing an offence.

"The camera is only trained on the vehicle to secure the evidence," he said.

"I would say the actions we are taking are reasonable, proportionate and fair in light of the fact that we are trying to save lives."

'Lacks connection'

The scheme is only a few weeks into the pilot, so figures on the numbers of people who have been caught using this technology are unavailable.

But the CCTV cars have already attracted criticism from people who argue they are an infringement of people's privacy.

Paul Watters from the Automobile Association (AA), said he had reservations about the cars, and would watch the pilot scheme with interest.

"CCTV enforcement lacks connection with the driver until after the event and some drivers might regard it as Big Brother.

"We think that most drivers would prefer police in cars to dish out tickets on the spot and instil better driving behaviour," he said.

If the scheme is seen to be a success in reducing the number of accidents, those behind it hope it could be rolled out across the UK.

Some councils already use Smart cars with cameras to track parking and bus lane offences.


15 March 2009

More on the BBC botnet issue!

Securiteam has a very good post on this issue, well worth a read.

Read it here

14 March 2009

When the BBC does it, it's not illegal...

This really gets to me. If any security researcher were to do this in the UK, we'd lose our jobs and probably be locked up for a minimum of ten years, but when the BBC does it, it's fine?

Taken from http://news.bbc.co.uk/1/hi/programmes/click_online/7938201.stm

"For a short time in February, I had complete control over 21,696 personal computers around the world. These were machines whose owners had not taken the basic security precautions necessary to stay safe online.

While their owners were busy checking their e-mails, or playing Solitaire, or doing their accounts, I could have made their computers do anything I wanted without anyone knowing.

I could have ordered the machines to log keystrokes as they were typed, and then send me anything that looked like a banking user name and password.

I could have redirected the users to fake shopping websites - identical to the originals, apart from the fact that come point of sale, the credit card and security numbers would have been delivered to me.

Or I could have used them to spread spam and phishing e-mails to thousands of other computers.

I did not, of course. That would have been illegal."

So, let me get this straight: it's fine to have control of 21,696 PCs from around the world, and to gain access to them illegally, and some of these may even have been corporate PCs, so other laws could have been broken here as well.

It's fine, though, for Spencer Kelly to do this and for the British Broadcasting Centre to air it on a show on national television, yet he feels it's illegal to do the things mentioned above. Is he serious?

I'd like to see documented proof that nothing was changed on any of these PCs that were under control, and were all the owners of these PCs made aware of what was going on?

Yet Gary McKinnon hacks into some PCs in the US in search of UFOs, and they wanted to press charges of terrorism and put him in Guantanamo Bay.

What the hell is happening to this country?

07 March 2009

Blogging

Must blog again sometime, but Twitter's been way too much fun lately!

I also need to spend some time doing some major Facebook research, more to come soon, tee hee!