PSP Buffer Overflow Allows Downgrading of Firmware

SonyxTeam has released a downgrader for the PSP. The downgrade works by exploiting a buffer overflow in libtiff, which resides in the PSP’s toc2rta 2.0. The downgrader relies on this overflow because there is no other way to run non-Sony-approved software on the PSP 2.0. The downgrade thus opens Sony’s device up to independent software development that has not been Sony-approved.

In my opinion this is the first time a buffer overflow has been used for “good”, i.e. to execute a good piece of software, rather than for “evil”, executing a bad piece of software. It would be interesting to see how Sony would react to this, and whether this will speed up Sony’s responsiveness to software vulnerabilities found in their products.


Analysis of the Texas Instruments DST RFID

Although the article isn’t new, it is still good reading material to those that are looking into implementing some sort of RFID for security or identification.

The Texas Instruments DST tag is a cryptographically enabled RFID transponder used in several wide-scale systems including vehicle immobilizers and the ExxonMobil SpeedPass system. This page serves as an overview of our successful attacks on DST enabled systems. A preliminary version of the full academic paper describing our attacks in detail is also available below.

To summarize the article: with their DST simulator and reader you can do almost anything, including:

  • Sniff a DST tag in a victim’s pocket
  • Crack the key in a DST tag
  • Start a car
  • Buy gas

Virtual Sex with Commwarrior

Now that I have your attention :) Commwarrior is a worm that spreads to Bluetooth-based cellular phones. More precisely, it spreads to Symbian Series 60 devices using MMS and Bluetooth communication.

MMS, for those that don’t know, stands for “Multimedia Messaging System”, a younger brother of SMS that allows 3G cellular phones to send short sounds, movie clips and other multimedia as a message that looks like SMS, using the Internet Message Format (RFC 2822). MMS is starting to become highly popular, like many other gimmicks of the 3rd generation of cellular phones.

Anyway, as far as I could find, there are two versions of Commwarrior, both of them spread by “Virtual Sex”. It does so by looking for Bluetooth phones nearby and sending them an infected SIS file. The SIS files that Commwarrior sends have random file names, so you can’t just ignore a certain file name and be safe.

Independently of Bluetooth, the worm also tries to send an MMS containing itself to all of the phones listed in the contact/address book.

Here are some details from F-Secure about the worm:

Comwarrior contains the following texts:

CommWarrior v1.0 (c) 2005 by e10d0r
ATMOS03KAMA HEAT!

The text “OTMOP03KAM HET!” is Russian and means roughly “No to braindeads”.

Replication over bluetooth

Comwarrior replicates over Bluetooth in SIS files that have a random name; the SIS file contains the worm’s main executable commwarrior.exe and the boot component commrec.mdl.

The SIS file contains autostart settings that will automatically execute commwarrior.exe after the SIS file has been installed.

When the Comwarrior worm is activated it will start looking for other Bluetooth devices, and send a copy of itself to each of these phones one after another. If the target phone goes out of range or rejects the file transfer, Commwarrior will search for another phone.

The replication mechanism of Comwarrior is different from that of Cabir. The Cabir worm locks onto one phone as long as it is in range, and depending on the variant will either look for another variant after losing contact or stay locked.

The Comwarrior worm will look for new targets after sending itself to the first target, thus it is able to contact all phones in range, and possibly spreads faster than Cabir.

Commwarrior replicates over Bluetooth only from 08:00 to 23:59, based on the phone’s own clock.

Replication over MMS

Comwarrior replicates over MMS by sending MMS messages that contain an infected SIS file to other users. The MMS messages contain a variable text message and the Comwarrior SIS file with the filename commw.sis.

Unlike in Bluetooth spreading, the SIS file name is constant; otherwise the SIS file is identical to the one sent in Bluetooth spreading.

The numbers to which Commwarrior sends the MMS messages are read from the phone address book.

Comwarrior uses the following texts in MMS spreading:

MatrixRemover
Matrix has you. Remove matrix!

3DGame
3DGame from me. It is FREE !

MS-DOS
MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!

PocketPCemu
PocketPC *REAL* emulator for Symbvian OS! Nokia only.

Nokia ringtoner
Nokia RingtoneManager for all models.

Security update #12
Significant security update. See www.symbian.com

Display driver
Real True Color mobile display driver!

Audio driver
Live3D driver with polyphonic virtual speakers!

Symbian security update
See security news at www.symbian.com

SymbianOS update
OS service pack #1 from Symbian inc.

Happy Birthday!
Happy Birthday! It is present for you!

Free SEX!
Free *SEX* software for you!

Virtual SEX
Virtual SEX mobile engine from Russian hackers!

Porno images
Porno images collection with nice viewer!

Internet Accelerator
Internet accelerator, SSL security update #7.

WWW Cracker
Helps to *CRACK* WWW sites like hotmail.com

Internet Cracker
It is *EASY* to *CRACK* provider accounts!

PowerSave Inspector
Save you battery and *MONEY*!

3DNow!
3DNow!(tm) mobile emulator for *GAMES*.

Desktop manager
Official Symbian desctop manager.

CheckDisk
*FREE* CheckDisk for SymbianOS released!

MobiComm

Norton AntiVirus
Released now for mobile, install it!

Dr.Web
New Dr.Web antivirus for Symbian OS. Try it!

Infection

When the Comwarrior SIS file is installed the installer will copy the worm executables into the following locations:

\system\apps\CommWarrior\commwarrior.exe
\system\apps\CommWarrior\commrec.mdl

When the comwarrior.exe is executed it copies the following files:

\system\updates\commrec.mdl
\system\updates\commwarrior.exe

and rebuilds its SIS file at:

\system\updates\commw.sis

After recreating the SIS file the worm starts spreading over MMS.

Commwarrior replicates over MMS only from 00:00 to 06:59, based on the phone’s own clock.
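The drop locations, the constant MMS attachment name, the lure texts and the two spreading windows in the description above are enough to build a simple indicator check. The following is an added example, not code from the original post or from F-Secure: the file listing and the MMS outbox records are constructed sample data, and the record layout (dicts with `to`, `hour`, `subject`, `body`, `attachment`) is an assumption made for this example.

```python
"""Indicator check for the Commwarrior.A/B behaviour described above.

Added example, not code from the original post or from F-Secure. The file
paths, the MMS attachment name, the lure texts and the time windows come
from the description; the phone listing and the MMS outbox records are
constructed sample data, and the record layout is an assumption.
"""

# Drop locations listed in the "Infection" section (Symbian paths, lower-cased).
KNOWN_PATHS = {
    r"\system\apps\commwarrior\commwarrior.exe",
    r"\system\apps\commwarrior\commrec.mdl",
    r"\system\updates\commrec.mdl",
    r"\system\updates\commwarrior.exe",
    r"\system\updates\commw.sis",
}

# Constant attachment name used in MMS spreading.
MMS_ATTACHMENT = "commw.sis"

# A subset of the MMS subject/body lures quoted in the description.
KNOWN_LURES = {
    "Security update #12": "Significant security update. See www.symbian.com",
    "Symbian security update": "See security news at www.symbian.com",
    "Norton AntiVirus": "Released now for mobile, install it!",
    "Virtual SEX": "Virtual SEX mobile engine from Russian hackers!",
    "3DGame": "3DGame from me. It is FREE !",
}


def normalise(path: str) -> str:
    """Lower-case, unify separators and strip a drive letter (C:, E:)."""
    p = path.replace("/", "\\").lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p


def scan_paths(listing):
    """Return the entries of a file listing that match a known drop location."""
    return [p for p in listing if normalise(p) in KNOWN_PATHS]


def in_mms_window(hour: int) -> bool:
    """MMS spreading happens only 00:00-06:59 by the phone's clock."""
    return 0 <= hour <= 6


def in_bluetooth_window(hour: int) -> bool:
    """Bluetooth spreading happens only 08:00-23:59 by the phone's clock."""
    return 8 <= hour <= 23


def check_mms(record) -> list:
    """Return the reasons one outbox record looks like Commwarrior (empty if none)."""
    reasons = []
    if record.get("attachment", "").lower() == MMS_ATTACHMENT:
        reasons.append("attachment commw.sis")
    subj = record.get("subject", "")
    if subj in KNOWN_LURES and record.get("body", "") == KNOWN_LURES[subj]:
        reasons.append("known lure text")
    # The time window alone is not suspicious; it only strengthens a real hit.
    if reasons and in_mms_window(record["hour"]):
        reasons.append("sent inside 00:00-06:59 spreading window")
    return reasons


def scan_outbox(records):
    """Pair each suspicious record's recipient with the reasons it was flagged."""
    return [(r["to"], check_mms(r)) for r in records if check_mms(r)]


# Constructed sample data (not captured from a real phone).
SAMPLE_LISTING = [
    r"C:\system\apps\Messaging\Messaging.app",
    r"C:\system\apps\CommWarrior\commwarrior.exe",
    r"C:\system\updates\commw.sis",
    r"E:\Images\holiday.jpg",
]
SAMPLE_OUTBOX = [
    {"to": "+15550001", "hour": 3, "subject": "Security update #12",
     "body": "Significant security update. See www.symbian.com",
     "attachment": "commw.sis"},
    {"to": "+15550002", "hour": 14, "subject": "lunch?",
     "body": "see you at 1", "attachment": ""},
]

if __name__ == "__main__":
    print("suspicious files:", scan_paths(SAMPLE_LISTING))
    print("suspicious MMS:", scan_outbox(SAMPLE_OUTBOX))
```

The path check normalises drive letters and separators because the same files appear under `C:\system\...` on the phone and under a forward-slash path once the memory card is mounted on a PC; the MMS check treats the clock window only as corroboration, since an innocent message sent at 3 a.m. is not an indicator by itself.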

For reference please look at:
F-Secure Commwarrior.A
F-Secure Commwarrior.B
MMS
rfc2822
Some Bluetooth stuff
Bluetooth specs


Lexar’s LockTight CompactFlash Supports SHA-1

Good news from Lexar – one of the world’s bigger CompactFlash manufacturers – as they start shipping their security-oriented Lexar LockTight CompactFlash. Lexar’s LockTight CompactFlash supports encryption and the ability to establish security settings on the memory card and digital camera to prevent unauthorized use – read and write – of the CompactFlash.

The encryption algorithm is said to utilize 160-bit encryption technology, using SHA-1 (Secure Hash Algorithm), a standard approved by NIST (National Institute of Standards and Technology).


Move Aside iPODCast it is Tempest for Eliza’s Turn

The idea behind Tempest is not new, however, the website I found is – at least to me.

The website proposes the idea of playing an MP3 music file on your screen and listening to it through your radio, where the only “connection” between the two is the emissions transmitted by your CRT screen, picked up by the radio.


No more **** passwords?

A nice solution built by MERL to prevent shoulder surfing is to display a flickering picture and provide glasses that are able to filter out these flickers, resulting in a dual image.

This means that the display can only be viewed with the magic glasses.

Although the solution is simple, you can use this to “encrypt/hide” data quite well – i.e. show someone one picture while the person with the special glasses sees another one.

The only drawback is that the glasses need to be wired to the screen, making the solution not very portable.

This would also give a whole new meaning to “I can’t work today as I forgot my glasses at home” :-)


Nintendo DS Cracked

News flash!
“There’s a fully functional device known as Super PASS designed to play NDS Roms downloaded from the Internet with your Nintendo DS”.

Why is this important?

Well, simple: if the previously claimed secure environment of the Nintendo DS has been cracked, I see no reason why Microsoft’s claims that the Xbox 360 is uncrackable would hold any ground, as Microsoft expects.

You can learn more about this Super PASS device at the following location: China Has Successfully Cracked Nintendo DS, 10 Latest Games Tried Out and here NDS games can now be played on your NDS device.


Secure by default

It’s not often that I buy stuff off the cuff. My buying habits are relatively conservative, and I usually do a lot of research on equipment before I buy it. This Friday was an exception to the rule – when I saw the WRT54GC in Fry’s for $40, I just couldn’t miss out. The device is very slender, very nearly pocket-sized, and has a built-in antenna with a jack for an external one and 5 ethernet ports (1 external).
WRT54GC
Wireless technology has been in use for nearly a decade now, and securing a wireless network today is relatively easy. Yet as I plug this baby into the socket and hit refresh on the laptop, I see a new network: SSID linksys, channel 6, no encryption. Great. A few tweaks later and the device no longer publishes its SSID (no, it’s not linksys anymore), and will only let you connect if you speak WPA2 to it. And ‘admin’ was a lame administrator password anyway.

Here’s a question for you: How many people actually go through the extra few clicks to secure their wireless device? If this device sold only 1000 units, I bet there are now 800 new open wireless networks.

Let’s consider the following imaginary scenario, involving Joe, your average computer user:

  1. Joe buys his new device and connects it to his cable modem, like the manual says
  2. Joe then looks for a wireless network with his laptop. There it is, SSID linksys, no encryption
  3. Joe connects to the unencrypted network and tries to browse the web
  4. Joe’s web connection is hijacked to a local web server on the device, which asks him for a 6-digit code printed on a sticker on the device.

Several interesting things can happen now: maybe Joe can surf the net immediately, while the device sets up a MAC filter for his current MAC address. Not very secure, but it’s better than nothing. Or Joe might have to choose a WPA key, and a small signed Java applet would set up his computer with the new key.

Now I’m not Joe, so maybe my perspective is all skewed. Is it really too much to ask from a user to go through a linear, consistent process before his network is set up, ensuring he is running an encrypted network, or at least MAC-filtered? Is it that much of an annoyance?

Is it more expensive to manufacture? The device already has an individualized sticker on it with the MAC address; I don’t think adding another 6 digits to it is much of a hassle, and the device already has an embedded web server. Yes, some more code.

Disclaimer 1: I know, this is still insecure, because Joe still uses a wireless unencrypted medium to transmit the code. It can be solved with an SSL web server, but even if it’s unencrypted, the window of vulnerability is greatly reduced.

Disclaimer 2: The WRT54GC came with a CD, which I never bothered to take out of its sleeve. I could see no reason to run software on my PC when I could just as well configure the device over the web. Perhaps Joe’s magic one-click access point securifier exists on that CD, and I just didn’t bother to check.
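The first-boot flow sketched in the four steps above, together with the two outcomes (MAC filter for the first client, or a freshly generated WPA2 key) and the window-of-vulnerability point from Disclaimer 1, can be written down as a small state machine. What follows is an added example, not code from the original post and not Linksys firmware: the `AccessPoint` class, its method names, the result tuples and the sticker code `483921` are assumptions made for the illustration; a failed-attempt limit on the sticker code is added because a 6-digit code is small enough to be guessed by a nearby client during the open setup window.

```python
"""Modelled first-boot setup of a home access point.

Added example, not code from the original post or from any vendor. The
class, method names, result tuples and the sticker code are assumptions
made for the illustration.
"""
import hmac
import secrets
from typing import Optional

MAX_ATTEMPTS = 5   # lock the setup page after this many wrong sticker codes


class AccessPoint:
    def __init__(self, sticker_code: str, mode: str = "wpa2"):
        self.sticker_code = sticker_code   # printed on the device next to the MAC
        self.mode = mode                   # "wpa2" (preferred) or "macfilter"
        self.configured = False
        self.ssid = "linksys"              # the factory default the post complains about
        self.broadcast_ssid = True
        self.encryption = None             # None = open network
        self.passphrase = None
        self.mac_allowlist = set()
        self.failed = 0

    # HTTP side: until setup is done, every request lands on the setup page.
    def handle_http(self, client_mac: str, path: str, code: Optional[str] = None):
        if self.configured:
            return ("pass", path)          # normal browsing once configured
        if path != "/setup" or code is None:
            return ("redirect", "/setup")  # step 4: hijack to the local web server
        if self.failed >= MAX_ATTEMPTS:
            return ("locked", "/setup")    # too many guesses during the open window
        # Constant-time compare so response timing leaks nothing about the code.
        if not hmac.compare_digest(code.encode(), self.sticker_code.encode()):
            self.failed += 1
            return ("retry", "/setup")
        return ("done", self._finish_setup(client_mac))

    def _finish_setup(self, client_mac: str) -> dict:
        self.configured = True
        self.ssid = "home-" + secrets.token_hex(2)   # no longer "linksys"
        self.broadcast_ssid = False                  # stop publishing the SSID
        if self.mode == "macfilter":
            # Weaker outcome from the post: stay open, but only for this client.
            self.mac_allowlist.add(client_mac.lower())
            return {"ssid": self.ssid, "mac_filter": sorted(self.mac_allowlist)}
        # Preferred outcome: a random WPA2 key handed to the client once.
        self.encryption = "WPA2"
        self.passphrase = secrets.token_urlsafe(24)
        return {"ssid": self.ssid, "wpa2_key": self.passphrase}

    # Radio side: who is allowed to associate after setup.
    def associate(self, client_mac: str, passphrase: Optional[str] = None) -> bool:
        if not self.configured:
            return True                    # open only during the short setup window
        if self.encryption == "WPA2":
            return passphrase is not None and hmac.compare_digest(
                passphrase.encode(), self.passphrase.encode())
        return client_mac.lower() in self.mac_allowlist


def demo() -> dict:
    """Walk Joe through the flow: redirect, wrong code, right code, WPA2 key."""
    ap = AccessPoint("483921")                       # constructed sticker code
    joe = "aa:bb:cc:dd:ee:01"
    steps = [ap.handle_http(joe, "/"),               # ("redirect", "/setup")
             ap.handle_http(joe, "/setup", "000000"),  # ("retry", "/setup")
             ap.handle_http(joe, "/setup", "483921")]  # ("done", {...})
    return {"steps": [s[0] for s in steps], "encryption": ap.encryption,
            "broadcast": ap.broadcast_ssid, "key": steps[-1][1]["wpa2_key"]}


if __name__ == "__main__":
    print(demo())
```

The window in which the device is open is bounded by the setup itself: the code is compared in constant time, guessing is rate-limited, and once the code is accepted the network stops being open, which is the "greatly reduced window" the first disclaimer argues for.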

Originally posted in my blog


Never Say Never

Microsoft’s Andre Vrignaud – Xbox Platform Strategy Group – gave a lecture at the recent GDC Europe 2005 and was heard to state that:
Microsoft took 2 and a half years on security this time round, whereas the Xbox only had around a year. Vrignaud prompted: “Never say never”, but he thinks it’s going to be a long time before the Xbox 360 gets modded.

I think that, as in the case of the PSP – which until recently was considered quite hard to mod/hack – the momentum builds slowly, but once it gets rolling, nothing can stop it, not even new firmwares.


WiFi Cameras by Nikon the Next Thing to Get Hacked?

Nikon is planning to release new WiFi-enabled cameras to the market; as with all WiFi devices, this means that the camera will probably get an IP address and support some kind of connectivity protocol.

It’s not yet clear what protocol Nikon is going to use to transfer the pictures between the camera and the computer, but they do mention the ability to transfer them wirelessly, without going through a computer, to a PictBridge-enabled printer – BTW: the PictBridge standard talks about USB connectivity, but they could be planning on using Picture Transfer Protocol over Internet Protocol, dubbed PTP/IP.

It will be interesting to see how long it will take until someone hacks this setup during an important event such as a press conference or maybe a wedding ;) , to broadcast false images or maybe even steal the competition’s images… Time will tell :)


People Hacking Their Blu-ray will be “Punished”

According to Engadget, people who hack their Blu-ray device will be punished by the makers of the device. It is not yet clear how they will be punished; all that is known is this:

On top of that, consumers should expect punishment for tinkering with their Blu-ray players, as many have done with current DVD players, for instance to remove regional coding. The new, Internet-connected and secure players will report any “hack” and the device can be disabled remotely.

It would be interesting to see how consumers will react to such punishment, or whether such talk of punishment will ever turn into actual action on the part of the vendor.

In any case, if they do start to punish the consumer, the first thing that will be hacked in the Blu-ray device will be the “punishment-enabling” system :)


Got the Music? Now Get the Worm

As many of you might have noticed, Creative decided to give the users of their mobile music device a gift: a “cute little worm” called Wulilk.

According to Symantec:
The worm makes numerous copies of itself in random locations, and moves to a new location when Windows Explorer browses to the folder from which it runs. It can spread to floppy disks and shared network drives under some conditions.

So if you got your 5GB Creative Zen Neeon with the serial numbers between 1230528000001 and 1230533001680, be sure to run your antivirus software on it prior to using it :)


Turning Your Printer Into A Paper Shredder

Tom’s Hardware is running a story on how to turn your Xerox printer into a 25 pages/min shredding device… cute idea, but isn’t a printer’s objective to print on paper and not shred it?

Link: Turning Your Printer Into A Paper Shredder (On Purpose)


Airport Security Gets a Face Lift

Unlike most of the world’s airports, the car entrance to Israel’s airport is guarded by about a dozen (maybe more) uniformed guards who look at drivers’ faces and ask them questions, in an attempt to catch terrorists before they even enter the airport.

They now appear to have further improved the terrorist identification mechanism by equipping the guards with LPR – License Plate Recognition. This LPR technology allows the guards to get an alert whenever a suspicious vehicle tries to enter the airport premises.

I believe that these technologies are important, easy to implement, and provide a huge benefit over the “I’m looking into your eyes and I know you ain’t a terrorist” method of terrorist detection.

I wonder how long until additional checkpoints (border checkpoints, for example) get this technology as well.

You can learn more about LPR from the following link: http://www.licenseplaterecognition.com/


Is that an ATM?

I recently came across someone on eBay, actually more than one, selling used and brand-new ATM machines (not cheap): ATM Machine on eBay

In the same category of ATM machines you can see a lot of equipment used as Automated Teller Machines, not just what we call cash ATMs.

It appears that now someone went on and bought one such device and placed it (or hacked a similar device) during the recent DefCon event as can be seen in the following article:
http://www.hackaday.com/entry/1234000793052540/.

This ATM appears to have been “harmlessly” made to take $2.00 off your credit account.

What next? Putting your credit card into the ATM machine and getting money back? :)


Hotel Hacking

Imagine this:

You check into your hotel room, turn on the TV and hack your way into your next-door neighbor’s hotel account. You can now charge him for your movies (mostly p0rn^H^H^H^Hentertainment), charge him for the room service, and basically live off his hotel account.

Sounds fictitious? Complicated? Well, not as much as you’d expect. All you need, according to Adam Laurie, is

“… a laptop running Linux, an infrared transmitter and a USB TV tuner.”

One drawback is that:

“It could take hours to decipher the more than 16,000 possible codes a TV remote uses.”

But Laurie automated the process by using a program he wrote that analyzed and mapped all the possible codes in 35 minutes to see which ones were relevant for the system he was trying to crack.

Unfortunately :S Laurie doesn’t plan to release the program.
