Chip & PIN relay attacks – Man in the middle style

Saar Drimer and Steven Murdoch, members of the Security Research Team at the University of Cambridge Computer Laboratory, have published their detailed analysis entitled “Chip & PIN (EMV) relay attacks”.

A link to the very interesting blog posting is here; it includes pictures of the credit card, the ‘fake terminal’ and their device.

These researchers are also the people behind the Chip & PIN terminal playing Tetris; the YouTube video (49 sec) is here.


The day of the safer Internet – today

Today, 6th February is Safer Internet Day in more than 40 countries.

The organizations behind the day are European Schoolnet (EUN) and Insafe – a network of national nodes that coordinate Internet safety awareness in Europe.

The Blogathon in several schools of the participating countries is part of the “SID2007” day too.

But are these days of targeted 0-day attacks and continuous Month of Something Bugs safer or not?


Botnets, Security Ops and Boxing

What do they have in common?


Second Life: Virtual Worlds Botnet Attacks

hey, do i smell history repeating itself? bots on irc used to be useful too, and then used for local flooding. only later did they become the botnets that they are today. :)

so, from automated playing when you are not around to keep stuff active (rings a bell?) to botnets that throw… privates at people. :)

worth a read. i always love when the real world and the virtual meet, whether by marriages or by physical world police taking complaints because “someone stole my weapon on world of worldcraft!!”

we do live in interesting times. :)

gadi evron,


Botnets: a retrospective to 2006, and where we are headed in 2007

a few months back i released a post on where i think anti-botnets technology is heading. now it’s time for what happened in 2006, and what we can expect from here on.

i am not a believer in such retrospective looks, as often, they are completely biased and based on what we have seen and what we want to see. this is why i will try and limit myself to what we know happens and is likely to get attention, as well as what we have seen tried by bad guys, which is working for them enough to take to the next level.

what changed with botnets in 2006:

1. botnets reached a level where it is unclear today what parts of the internet are not compromised to an extent. count by clean rather than infected.
2. botnets have become the most significant platform from which virtually any type of online attack and crime are launched. botnets equal an online infrastructure for abusive or criminal activity online.
3. in the past year, botnets have become mainstream. from a non-existent field even in the professional realm up to a few years ago, where attacks were happening constantly regardless, it has turned into the main buzzword and occupation of the security industry today, directly and indirectly.
4. websites have returned to being one of the most significant forms of infection for building botnets, which hadn’t been the case since the late 90s.
5. botnets have become the moving force behind organized crime online, with a low-risk high-profit calculation.
6. new technologies are finally being introduced, moving the botnet controllers from using just (or mainly) irc to more advanced c&c (command and control) channels such as p2p, or multi-layered, such as dns and irc on the osi model.
7. botnets used to be a game of quantity. today, when quantity is assured, quality is becoming a high concern for botnet controllers, both in type of bot as well as in abilities.

what’s going to happen with botnets in 2007:

botnets won’t change. all will remain the same as it has been for years. awareness however, will increase making the problem appear larger and larger, perhaps approaching its real scale. the bad guys would utilize their infrastructure to get more out of the bots (quality once quantity is here) and be able to do more than just steal cash. maximizing their revenue.

further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, to facilitate anything from corporate espionage and intelligence gathering, to shameless and open shows of strength to those who oppose them (think blue security), in the real world as well as the cyber one (which to the mob is one and the same, it’s the income that speaks).

meaning, the existing botnet infrastructure will be utilized both in an open fashion, due to the fact that online miscreants (real-world mob) face virtually no risk, as well as in quiet and secretive uses for third-party intelligence operations.

gadi evron,


Evil twin WiFi hackers know their target – rich people

Bogus hotspots, aka ‘Evil Twins’, were found in the first-class lounge of an international airport and in garages specialising in expensive cars that offer Wi-Fi while you wait, reports Iain Thomson of Vnunet.

The article defines the evil twin like this:

So called ‘evil twin’ attacks involve putting a wireless access point near a commercial hotspot and giving it the same name.

The company interviewed by the reporter sees this threat as ‘Wireless phishing’.


Credit card data from cash machine line to…MP3 player!

This The Guardian article is quite confusing:

A [Manchester] man who used MP3 players to bug cash machines and steal the personal details of unsuspecting bank customers has been jailed for 32 months.

The report continues that a 41-year-old man and his team attached MP3 players to the backs of _free-standing_ cash machines in bars, bingo halls etc.

The data they recorded was the modem tone familiar from acoustically coupled modems, the same sound you hear when you call a fax machine’s phone line!

The team had special software for decoding the tones into readable information. It is easy to guess the rest – yes, they cloned several credit cards by this means.


Budapest Declaration on machine readable travel documents

The so-called Budapest Declaration on Machine Readable Travel Documents has recently been released by FIDIS – “Future of Identity in the Information Society”.

It is worth reading in these days of RFID threats.


In this declaration, researchers on Identity and Identity Management (supported by a unanimous move in the September 2006 Budapest meeting of the FIDIS “Future of Identity in the Information Society” Network of Excellence[1]) summarise findings from an analysis of MRTDs and recommend corrective measures which need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues.


Me All – For your wifi pentesting pleasure

Sitting at a security conference in Boston, I wrote a quick and dirty script that just listens for ARP requests and responds to any such request with … Hey, That is Me ™ :) … The things you can find using that… here is a summary:

1) SNMP community names
2) SMB keypairs (you need to use fakesmb)
3) DNS queries (if you answer them it is even more fun)
4) HTTP requests for odd stuff (once you have answered the DNS queries and set Apache to answer incoming connections, you are all set)

I am sure a lot more can be done… I will leave it to your imagination.

# Written by Noam Rathaus, Beyond Security (r)

use Net::Pcap;

my $Interface = "eth1";
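From the defender's side, a host that answers every ARP request leaves a very visible trace: one MAC address claiming many IPs in a short time, and colliding with the real owners of those IPs. The following detector is an added example (not part of Noam's script); it parses constructed tcpdump-style ARP reply lines and flags both symptoms.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP lines (not a real capture). A host that
# answers every "who-has" request, like the script described above, shows up
# as one MAC address claiming many different IPs within a few seconds.
SAMPLE_LINES = """\
15:04:01.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
15:04:01.200000 ARP, Request who-has 10.0.0.7 tell 10.0.0.5, length 28
15:04:01.500000 ARP, Reply 10.0.0.7 is-at aa:bb:cc:dd:ee:01, length 28
15:04:02.000000 ARP, Reply 10.0.0.20 is-at de:ad:be:ef:00:01, length 28
15:04:02.100000 ARP, Reply 10.0.0.21 is-at de:ad:be:ef:00:01, length 28
15:04:02.300000 ARP, Reply 10.0.0.22 is-at de:ad:be:ef:00:01, length 28
15:04:02.400000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
15:04:02.500000 ARP, Reply 10.0.0.99 is-at de:ad:be:ef:00:01, length 28
""".splitlines()

ARP_REPLY = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}\.\d+) ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})"
)

def parse_replies(lines):
    """Return [(seconds_since_midnight, mac, ip)] for every ARP reply line."""
    out = []
    for line in lines:
        m = ARP_REPLY.match(line)
        if not m:
            continue  # requests and non-ARP traffic are ignored
        h, mi, s, ip, mac = m.groups()
        out.append((int(h) * 3600 + int(mi) * 60 + float(s), mac.lower(), ip))
    return out

def find_promiscuous_responders(replies, max_ips=2, window_s=5.0):
    """Map MAC -> sorted IPs for every MAC that claimed more than max_ips
    distinct IPs inside any window_s-second window. A normal host claims one
    IP (a router a few); an 'it is me' responder claims whatever is asked for."""
    by_mac = defaultdict(list)
    for ts, mac, ip in replies:
        by_mac[mac].append((ts, ip))
    flagged = {}
    for mac, events in by_mac.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {ip for ts, ip in events[i:] if ts - start <= window_s}
            if len(in_window) > max_ips:
                flagged[mac] = sorted({ip for _, ip in events})
                break
    return flagged

def find_ip_conflicts(replies):
    """Map IP -> sorted MACs for IPs answered by more than one MAC (the
    responder colliding with the real owner, e.g. the gateway)."""
    macs = defaultdict(set)
    for _, mac, ip in replies:
        macs[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}

if __name__ == "__main__":
    r = parse_replies(SAMPLE_LINES)
    print(find_promiscuous_responders(r))
    print(find_ip_conflicts(r))
```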


RFIDIOt released RFID E-passport skimming PoC

Adam Laurie (UK) has recently posted demonstration code (Python) which

…will exchange crypto keys with the passport and read and
display the contents therein, including the facial image and the
personal data printed in the passport. Currently the data read is
limited to the following objects:


The project site (the name stands for “RFID IO tools”) has other RFID passport related material as well.

This week, with reported vulnerabilities in first-generation RFID-enabled credit cards, is not good news for RFID technology! The NBC Today video and the YouTube demonstration video show the skimming attack etc.

I’m not saying “Enjoy!”, I’m saying “Be careful!”
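The “exchange crypto keys with the passport” step above is Basic Access Control: the chip's access key is derived entirely from three fields printed in the machine-readable zone (document number, date of birth, expiry date), which is why reading the data page is enough to read the chip. This is an added example (not RFIDIOt's code) implementing the ICAO Doc 9303 key derivation, using the MRZ values from the ICAO worked example, not a real document.

```python
import hashlib

# ICAO Doc 9303 MRZ check digit: weights 7,3,1 repeating; '<' is 0, A-Z are 10-35.
def mrz_check_digit(field: str) -> int:
    total = 0
    for i, ch in enumerate(field):
        if ch == "<":
            value = 0
        elif ch.isdigit():
            value = int(ch)
        else:
            value = ord(ch.upper()) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def bac_kseed(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> bytes:
    """Kseed = SHA-1 over (document number, date of birth, expiry date), each
    followed by its check digit, truncated to 16 bytes. All three fields are
    printed in the MRZ, so anyone who can read the data page can derive it."""
    mrz_info = "".join(
        f + str(mrz_check_digit(f)) for f in (doc_number, birth_yymmdd, expiry_yymmdd)
    )
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

def _adjust_des_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so the byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        upper_bits_odd = bin(b >> 1).count("1") % 2 == 1
        out.append((b & 0xFE) | (0 if upper_bits_odd else 1))
    return bytes(out)

def bac_session_keys(kseed: bytes) -> tuple:
    """Two-key 3DES Kenc and Kmac: SHA-1(Kseed || 00000001) and
    SHA-1(Kseed || 00000002), first 16 bytes each, parity adjusted."""
    keys = []
    for counter in (1, 2):
        digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()[:16]
        keys.append(_adjust_des_parity(digest))
    return keys[0], keys[1]

if __name__ == "__main__":
    # Worked-example MRZ fields from ICAO Doc 9303 (not a real passport)
    kseed = bac_kseed("L898902C<", "690806", "940623")
    kenc, kmac = bac_session_keys(kseed)
    print("Kseed", kseed.hex())
    print("Kenc ", kenc.hex())
    print("Kmac ", kmac.hex())
```

The low entropy of those three fields (a largely sequential document number and two dates) is what bounds the effort needed to derive the key, which is the root of the skimming concern.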


Utimaco replies to SafeGuard Easy encryption key vulnerability

As reported on Bugtraq list last Friday:

However, it seems that the encryption keys are hardcoded directly in the EXE file. So, they are easily recoverable and all these CFG files can be easily compromised.

This case concerns the encryption level of the configuration files (.CFG) used when installing several workstations at the same time with centralised management tools. SafeGuard Easy itself is for encrypting hard drives.
The company’s response, entitled Statement on SafeGuard Easy Articles regarding Configuration File Vulnerability, is located here [2-page PDF]:


USB Attacks Going Commercial?

in the public hacking world, so far we have mostly seen usb technology from security vendors… not the attackers side.

a few years ago we had discussions on pen-test, and later bugtraq and fd, on these risks, following an article in 2600 and a post from me on the risks digest. on pen-test, harlan carvey and others also followed up.
since then there have been multiple threads everywhere. this was not new back then, either, imo.

back then i mainly addressed the risk of driver attacks (now more acknowledged since blackhat 2005 and blackhat 2006 presentations on the subject appeared), and didn’t get much attention. hackers did not know usb technology that well and most did not see what the heck drivers had to do with it.

what did come up were the risks of autorun technology (which is a simple solution to making usb devices execute code). these were not as easy as they first appeared, and did not work if windows xp’s screen saver was active. still, things were interesting and my fav quote of: the janitor is the richest person in the organization, got some interest.

today, with several usb buffer overflows discovered (mostly in the linux kernel) and driver attacks getting more attention, i came across the following blog entry by xavier ashe.

in his blog he discusses a usb autorun technology which is actually a hacking tool.


ATM hack

dd had a nice post today by halvar on an atm fraud:

according to a nathan landon who provided more details:

they showed it on the news here in virginia. they have security camera footage of the guy who they believe is the perpetrator trying to pull out $250 and getting $1000. he did this twice apparently. he doesn’t look like the “engineer” type. they reported that he was able to turn on the glitch through a series of entered numbers. doubtful he knew what he was doing, otherwise he could have turned it off between attempts.


RFID company: New e-Passport can trigger a bomb

Things are happening around the new biometric e-passports. This news, published recently, is worth checking:

…group of security experts says the American passports could be used as potential bomb triggers.

There is a summary, a technical analysis [PDF] and a video “RFID Passport Shield Failure Demo” (4 min 28 sec) available from the firm Flexilis.

We have switched to the new biometric passport [picture] here in Finland today. Although the Ministry of the Interior declares that the case mentioned (passport about half an inch open) does not apply to the Finnish version of the passport, I do not feel all that safe…


Security by obstruction

In IT security we often borrow ideas, theories and experience from the physical security world. In this case, I’d like to give the airport security people some advice from the IT security world. Guys, whoever told you security and usability were opposites was wrong. Dangerously wrong. Whenever security comes without usability, whenever you put in place a device or procedure that makes it harder for your users to do what they’re trying to do, you are more likely to be weakening your overall security rather than strengthening it.

In the 1980s password policies were all the rage. We were trying to prevent attackers from guessing legitimate users’ passwords, and since we couldn’t trust the users to choose strong passwords by themselves we put in place programs that checked password strength and prevented users from choosing ‘weak’ passwords.

But users couldn’t be bothered to remember those passwords, and so attackers learned that the password to the payroll system is either on a post-it note on the monitor or in the top desk drawer. Other users were smarter than us – no matter what password policy we set in place, there was a simple password strategy that conformed with this policy. Non-dictionary word? qwerty. Non-dictionary with numbers? qwerty1. At least 8 characters? qwerty123.

And the fight goes on: Forced to change every month? Fine, qwerty128 (8 for August). This went on for about a decade – and eventually the users won. So we introduced biometric identification, smart cards, USB tokens and other devices that made it easier for our users to log in, yet made our systems more secure. Wait – this made our systems more secure because it was easier for our users to log in.
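The qwerty1 / qwerty123 / qwerty128 arms race above is easy to put into code. This is an added example, not from the essay: the naive rule set the text describes, beside a checker that judges the password’s base (suffix stripped, common substitutions undone) and a rotation check that refuses the “bump the suffix” trick. DICTIONARY is a constructed stand-in for a real word list.

```python
import re

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Constructed stand-in for a real word list.
DICTIONARY = {"password", "welcome", "letmein", "summer", "august", "monkey"}
# Undo the substitutions users make to sneak a dictionary word past a checker.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e"})

def naive_policy_ok(pw: str) -> bool:
    """The rule set the text describes: at least 8 characters, not a dictionary
    word, contains a digit. qwerty123 sails through."""
    return (len(pw) >= 8 and pw.lower() not in DICTIONARY
            and any(c.isdigit() for c in pw))

def _base(pw: str) -> str:
    """Strip the trailing digits/symbols users append (qwerty128 -> qwerty) and
    undo common substitutions (pa$$word -> password)."""
    return re.sub(r"[\d\W_]+$", "", pw).lower().translate(LEET)

def _is_keyboard_walk(s: str, min_len: int = 4) -> bool:
    """True for a run taken straight off one keyboard row, in either direction."""
    return len(s) >= min_len and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)

def hardened_policy_ok(pw: str) -> bool:
    """Same length rule, but judged on the base: it must be substantial on its
    own, not a dictionary word and not a keyboard walk."""
    if len(pw) < 8:
        return False
    base = _base(pw)
    return len(base) >= 4 and base not in DICTIONARY and not _is_keyboard_walk(base)

def rotation_ok(old_pw: str, new_pw: str) -> bool:
    """Forced monthly change only helps if the new password is not the old one
    with a bumped suffix (qwerty127 -> qwerty128)."""
    return hardened_policy_ok(new_pw) and _base(new_pw) != _base(old_pw)
```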

In the 1970s, programmers would connect with desktop terminals to the mainframe computer. Having natural urges, they would sometimes leave their terminal and come back after a few minutes. To prevent someone from ‘stealing’ their terminal while it’s logged in, the server would detect inactivity and log off the terminal. But programmers hate it when they’re in the middle of writing their COBOL program and, as they come back from the bathroom (or lunch), they need to log in again, open the editor and find the line they were working on. Programmers are also smart – so they wrote programs to generate fake activity that prevented them from being logged out.
The solution came in the form of screen savers – rather than logging off the terminal, just lock it. When the programmers come back, all they have to do is type the password and they’re right where they left off.
A little more than a decade later, this screen saver shows magnificent flying toasters. Suddenly it’s a great feature – and both the users and the security people are happy.

As we pat ourselves on the back, users begin to realize that if John left work and Alice wants to use his (now vacant) station, she can’t – because it’s locked. Suddenly, the whole department is using pa$$word123 as their personal passwords, so that others can use their stations when they’re away. Sooner than we think this ‘policy’ becomes a part of new employee training. The users are happy, but the security people are going nuts – everyone in the department is using the same passwords, and those passwords are common knowledge (yet they beat our password policy enforcement rules).
All this work for personal home directories and ACLs is down the drain. Users can log into other accounts at will, and Authorization, Authentication and Accounting may be shortened by experts to AAA, but it is also shortened by our users to no more than an F.

Luckily, the desktop ‘switching’ feature is introduced and makes it possible for two people to share the same PC without knowing each other’s passwords. Some people will call this a ‘usability feature’, but I would call it a ‘security feature’. We’d both be right – there’s simply no contradiction.

Back to airport security. Bruce Schneier once wrote a great analysis of how El-Al airlines does passenger questioning. I fly El-Al a lot and I noticed something else, too – when the airline security person finds a cynical frequent flyer like me, someone who has heard the question “did you pack the luggage yourself” maybe hundreds of times, they stop the questions and say: “you know why I’m asking all these questions, right? It’s because…”. Their voice is not reprimanding. They are clearly trying to invoke my sympathy. They always succeed – I get the feeling that they’re here to assist me, not to obstruct. That we’re all on the same side. That they give me enough credit as a thinking person to clue me in on why they’re doing this. Actually, they are recruiting me to help them find terrorists by helping them eliminate me as a possible terrorist. Sure, I’ll help out!

Most TSA workers are courteous and polite. But they do not invoke my sympathy. By taking passengers’ water bottles and forcing us to take off our shoes they make the passengers hostile, and this in turn makes their job even harder. Now they have to deal with hostile passengers and long queues (which make the passengers even more hostile) rather than focus on finding suspicious people or potentially dangerous carry-ons.
These hostile passengers, unlike the programmers from the 70s, are unlikely to try to purposely circumvent the security measures. For example, I doubt that anyone will try to intentionally smuggle water bottles on board. But I’m also sure that for many people, seeing someone else sneaking a gel tube or a coke can on board won’t make them call the TSA. They will probably get that feeling you get when you see someone ‘beat the system’ – the same way the person who figures out a way to beat the password policy feels.

Antagonizing your users is not a good idea. Next time someone tells you that security and usability are at two opposite ends, tell them that the corollary is that ordinary users who want to use the system are the enemies of the security people who try to limit this usage – and that’s probably not a good conclusion.


Vishing: Santa Barbara Trust (Voice or Phone Phishing)

as predicted in our circles last year, here is a documented vishing case. the wave file does not have a heavy russian accent attached, but it is interesting.

considering this bank also handles some tax refund issues, one would expect the irs to also take an interest in this.

today from dan hubbard at websense and our friends at castlecops pirt:

websense security labs™ has received reports of a new phishing attack that targets customers of santa barbara bank & trust. users receive an email message that is spoofed and has the subject “message 156984 client’s details confirmation (santa barbara bank & trust).”

unlike the most popular form of phishing where users are lured to click on a url and are directed to a fraudulent site, this lure uses a telephone number. the phone number is in the southern california area code and was answering at the time of this alert.

when victims dial the phone number, the recording requests that they enter their account number.

the phone response does not mention the bank name, which could be a potential indicator that this number is being used for fraud against other entities.

the vishing recording can be found here:

the actual phishing email with the number:

dear customer,

we’ve noticed that you experienced trouble logging into santa barbara bank & trust online banking.

after three unsuccessful attempts to access your account, your santa barbara bank & trust online profile has been locked. this has been done to secure your accounts and to protect your private information. santa barbara bank & trust is committed to make sure that your online transactions are secure.

call this phone number (1-805-xxx-xxxx) to verify your account and your identity.

santa barbara bank & trust inc.
online customer service

gadi evron,
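The alert above spells out what distinguishes this lure from ordinary phishing: a lockout pretext, a telephone number to call instead of a link, and no URL at all. The detector below is an added example (not from Websense or this post) that scores a message on exactly those three features. The sample messages are constructed and the number is from the reserved 555-01xx range.

```python
import re

# Constructed sample messages (not the real alert text). The phone number uses
# the reserved 555-01xx range, so it is not a working number.
VISHING_MAIL = {
    "subject": "Message 156984 client's details confirmation (Santa Barbara Bank & Trust)",
    "body": (
        "Dear customer,\n"
        "We've noticed that you experienced trouble logging into Santa Barbara Bank "
        "& Trust Online Banking. After three unsuccessful attempts to access your "
        "account, your online profile has been locked.\n"
        "Call this phone number (1-805-555-0100) to verify your account and your identity.\n"
    ),
}
BENIGN_MAIL = {
    "subject": "Your March statement is ready",
    "body": "Sign in at https://www.example-bank.test/ to view your statement. "
            "Questions? Our number is on the back of your card.\n",
}

URL = re.compile(r"https?://|\bwww\.", re.I)
PHONE = r"\+?1?[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}"
# A phone number within a few words of an instruction to call it.
CALL_TO_ACTION = re.compile(r"\b(call|dial|phone|contact)\b[^.\n]{0,40}?(" + PHONE + ")", re.I)
LOCKOUT_CUES = ("locked", "unsuccessful attempts", "verify your account",
                "verify your identity", "suspended", "confirm your details")

def vishing_indicators(mail):
    """Return the reasons a message looks like a voice-phishing lure: an
    account-lockout pretext, a 'call this number' instruction, and the
    tell-tale absence of any URL (the lure moves the victim to the phone)."""
    text = (mail["subject"] + "\n" + mail["body"]).lower()
    reasons = []
    cues = [c for c in LOCKOUT_CUES if c in text]
    if cues:
        reasons.append("lockout/verification pretext: " + ", ".join(cues))
    m = CALL_TO_ACTION.search(text)
    if m:
        reasons.append("instruction to call " + m.group(2))
    if m and not URL.search(text):
        reasons.append("no URL anywhere: channel switch to telephone")
    return reasons

def is_vishing(mail) -> bool:
    """All three indicators together; a pretext alone is just a noisy bank mail."""
    return len(vishing_indicators(mail)) == 3

if __name__ == "__main__":
    for mail in (VISHING_MAIL, BENIGN_MAIL):
        print(is_vishing(mail), vishing_indicators(mail))
```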