But as the time evolved, those methods became obsolete and hardly few of those  hacks still persist and the ones that remain in sight are relative harder and un-popular.

With the latest Hack, as demoed at BlackHat conference, it can get pretty easy. Barnaby Jack, director of security testing at Seattle-based IOActive,  brought two ATMs onto the Black Hat conference stage and demonstrated that with a press of a button, ATM machine is spits out its cash till the last one in the Pile.

“I hope to change the way people look at devices that from the outside are seemingly impenetrable,” said Jack. He demonstrated a hack that allows the hacker to connect to the ATM through a telephone modem and, without knowing a password, instantly force it to bankrupt the ATM machine.

How the Hacking started

Initially, in order to kick start hacking, Jack said that he had bought a pair of standalone ATMs–one from  Tranax Technologies (yea, its not Taranfx) and the other by Triton. His study yielded success in within few years, during which he discoverred Vulnerabilities that had let him gain complete access to those machines.

Jack seems to be so confident about his technique that he said, “Every ATM I’ve looked at, I’ve found a game-over vulnerability that allows an attacker to get cash from the machine” .

On the good note, he had been an Ethical hacker and hence had brought up vulnerabilties to the notice of both ATM companies and was fixed an year ago. However, theres a twist to the tstory. These updates were pushed to ATMs which had been under support from the companies, not every ATM had been updated, hence,  a large number of the machines remain vulnerable.

Hacking ATMs: Now & then

Hacking ATMs had been popular under two techniques known as “card skimming” and “card trapping” which are now relatively uncommon coz these electronic cash-extraction techniques were limited because they didn’t rely on a deep analysis of an ATM’s code.

We got to knew what exactly happened when Cybercriminals hacked into Bank ATMs in Eastern Europe.

Most modern ATMs run on Windows CE with an ARM processor and use a dialup or leased-line connection to connect to the other branches over the interent/Intranet VPNs, ost of which is through a serial port connection. Jack used standard debugging techniques to interrupt the normal boot process and instead start Internet Explorer, and using some nasty IE hacks, he got access to the file system for copying off the files for analysis.

A remote access vulnerability was found to occur on Taranax ATMs, that allows full access to the machine, without password. The Hack uses two softwares: a utility called Dillinger, which attacks an ATM remotely, and one called Scrooge, a rootkit that inserts a backdoor and then conceals itself from discovery. Scrooge “hides itself from the process list, hides itself from the operating system, there’s a hidden pop-up menu that can be activated by a special key sequence or a custom card.”

For Triton’s ATMs, scenario was different. PC motherboard that dispenses cash from the vault was protected only by a standard (shared) key that could be purchased over the Internet for about $10. So Jack found out that he could force the machine to accept his backdoor-enabled software as a legitimate update, which then can do the damage thats irreversible.

Both companies have responded to the hacks, but necessary actions may still not have been taken place to fix all the machines. I just hope someone takes care of this sometime soon.

The difficult part in hacking the ATMs is evaluating the software for vulnerabilities, but once some one like Jack  creates it, its a childsplay to empty the machine.

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

Recently, at Black Hat DC conference, a security consultant (Jorge Luis Alvarez Medina) demoed how it’s possible to exploit a flaw in Internet Explorer browser that turns your personal computer into a public file server. In other words, attacker can remotely read files on the victim’s local drive.

There are a few ways to initiate the attack, which is somewhat complex because you have to “string alot of the features together to build an attack tool,” Medina said. One method involves enticing the victim to click a link to a malicious Web site.

The flaw is said to work across all versions of Internet Explorer, and just can’t be fixed in a single shot. Medina said it doesn’t appear that the IE flaw is subject to patching because it encompasses design features related to how IE and Windows Explorer handle zone elevation, HTML code and MIME types.

Related:

• All Windows PC Exploited by a Hack
• Windows 7 Kills Laptop Battery

As a response, Microsoft prompted a security advisory

Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location. These versions include Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service 4; Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4; and Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows Server 2003 Service Pack 2. Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008.

A workaround, according to Medina, would include setting “IE Network Protocol Lockdown,” adjusting the security level setting for the Internet and Intranet Zones to “high,” and disabling Active Scripting for the Internet and Intranet Zones with a custom setting.

Perhaps, the best that can be done is to use a different browser.

One weakness in IE is that it “doesn’t behave consistently. when accessing the same resources,” he pointed out. This exploit leverages it by “chaining the exploitation of a series of weak features.”

His dialogue with Microsoft’s security team about the exploit so far has indicated that Microsoft thinks this is not something it can fix because the flaw is so much a part of the fundamental design of the browser.

Complete Details available in this Paper [PDF]

Wake-up “User“, Are you still on IE?

We write latest in Microsoft, Windows 7, Android, Google, iPhone, Tech Guides, Open Source, Security get them all @taranfx on twitter or below:

Unfortunately, Microsoft has a different story. After 17 years of windows, someone found a hole that makes every windows PC on this earth prone to hacking.

This hole allows users with restricted access to escalate their privileges to system level – This is possible on all 32bit Windows Platforms: Windows 3.1 to Windows 7. (and upcoming win7 SP1 too)

The vulnerability is going to have severe impact on a business/office user, on the other hand, a home user might get malware/viruses/worms more easily and readily.

The root cause is Virtual DOS Machine (VDM) introduced to support 16-bit applications for 8086 Mode (VM86) in 80386 processors and other stuff like BIOS calls.

A Typical hack implementation will allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This can enable attackers to execute code at system privilege level.

Google security analyst, Ormandy, has published exploit which functions under Windows XP, Windows Server 2003, Windows Vista and Windows 7.

Its said that Microsoft was already informed of the hole in mid 2009.

The FIX

For windows 2003: Start group policy editor and enable the “Prevent access to 16-bit applications” option in the Computer Configuration\Administrative Templates\Windows Components\Application Compatibility section. The settings won’t interfere with 16-bit applications compatibility, but will make it secure for sure.

Windows 3.1, 95, 98, ME, 2000, XP, Vista, Windows 7:

Users will have to create a Registry Key under:
\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat
with a D-Word value of VDMDissallowed = 1.

Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]
"VDMDisallowed"=dword:00000001

into a file called vdmdisallow.reg and double click the file. Windows will then automatically import the key.

For more Windows, Open Source,  Security, and Tech News get in touch @taranfx on Twitter.

Apparently, we know that hackers exploited a Vulnerability in Internet Explorer, but little was known about it untill the code that hacked Google became public.

So what does this code do ?

In Easy Words: Basically, the script creates a blank element on the page. This element has an “address” like a house. Then the element “moves out” and something else takes up the space of the house (it might even move the house around, or be larger than the house and contain it). But the script still knows where the house was, and can put things in there and if another bit of the program happens to overlap, some code put in that place might get executed maliciously.

Technical Language: It is essentially a mixture of Buffer Overflow and brute forcing the following passwords: Love, Secret, Sex, and sometimes God. The possible mechanism goes here:

• Script creates objects within the rendered page, specifically the “comment” HTML element which isn’t rendered
• Script retains a pointer to the element. (Saves a way of accessing the element)
• Script deletes the element it created, but holds on the the pointer.
• Script then tries to update the memory of the element, which it has since deleted, via the pointer
• Seeing as the element no longer exists, its memory is used for other things
• By updating the memory with a command, whatever the memory is NOW being used by, executes what’s in the bit of memory that the pointer points to.

It actually builds that string 200 times, so as to fill 100 MBs of heap space with 200 copies of the exploit, before discarding it all. Presumably this gives a high probability that a random future allocation will land somewhere that, should the instruction pointer end up there, will likely lead to execution of shellcode.

More on this, Even Metasploit has detailed on how to reproduce this bug in IE.

All in all, the code is quiet complex and hard to understand at first look. Let me know if you feel it’s something more than what is explained above. Truly, a high profile attack.

Get more Security, Tech News @taranfx on Twitter or by subscribing below:

In simple words, it was nothing but a DNS hijacking attack in which Twitter’s DNS records were altered. That means surfers trying to reach the website directly via name resolution services were redirected to a fake domain, while the Twitter servers were running. As a result,  applications that depended upon Twitter’s API - such as TweetDeck or mobile phone apps - were unaffected by the attack. Hence, Twitter servers were never hacked!

Rik Ferguson, a security consultant at Trend Micro, explains that this type of DNS hijacking usually involves compromising the systems at the registrar responsible for the DNS records of the victim company before altering the relevant DNS records, in a blog posting here.

This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company, the attackers then make unauthorised changes to the DNS records. These changes mean that when someone types a address into browser, we are directed Not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.

When it comes to attacking high profile targets it can often be that the registrar is the most vulnerable point in the security armour. In fact Zone-H, the defacement archive, has previously noted that registrars have been “one of the main aims of the past months”. Once a Registrar is compromised, it becomes very easy to alter DNS records, updating NameServers alone does the trick.

As Hacking as a Service Prevails, DNS attacks had been common. DNS has had several vulnerabilities in the past, these sorts of attacks are usually limited to hacktivism activities. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.

Let’s go by an example. Try accessing Gmail on iPhone or Android phone,  you will have notice some differences from what it used to be a month ago. The new thing worth noticing is the introduction of the offline access.

Gmail went down, offline in September, but credits to Gears, Gmail was still up and running with select Browsers. On the other side, iPhone Safari doesn’t have a Gears plugin, so how was it still running?

The answer lies with the HTML 5 standard, more specifically: the local database storage. Though HTML 5 is still in-progress, WebKit powered browsers, such as Safari, Mobile Safari, (and Firefox) have already adopted local database storage. This opens a new door of opportunities for developers to create and innovate subsequently to read from/write to a fully capable: Locally stored, Relational SQL database via the web browser itself.

Current Gmail’s iPhone release is the first web app that I’ve seen using the technology.

I foresee offline-access as an important feature for NextGen web applications: for speed and availability. Like Google believes with Chrome OS , we have, practically, continued to decrease the gap between desktop apps and their web  counterparts using technologies such as AJAX, Flash, JavaFX, Silverlight, etc. which have continued to push the hard limits.

But, despite all of the added functionality, web apps suffer from inherited old limitation – They don’t exist when you go off the line. Well, that’s about to change with HTML 5.

HTML 5 App with Local Storage:  Gmail

The iPhone doesn’t allow raw file access(I’m talking of Virgin iPhone), I’ll demonstrate Gmail’s use of HTML 5 via Safari on a standard OS X platform. First thing first, in order to get Google to serve the HTML 5 version of Gmail, we’ll change the User-Agent of our PC to match that used by the iPhone.

To fake iPhone’s Safari using Safari in Windows or Mac,  In Safari, click on Preferences, then go to Advanced tab. Check the checkbox for Show Develop menu in menu bar option. Exit from the Preference dialog window, a new “Develop” menu will show in the menu bar. Click on Develop, and then select User Agent in the pull down menu. Click to select Mobile Safari 3.0 – iPhone. Here is the resultant User-Agent:

Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0_0 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11 Safari/525.20

Now next time we visit Gmail, the iPhone specific version of the app opens. And, the local database storage is automatically setup.

One thing that raises concern here is that the end-user is NOT informed of this. Data is being stored locally in plain text, and user is un-aware.  On the other side, Gears will at least mandate the end-user to acknowledge before it actually makes a copy of data, offline. The phone will carry a local copy of their email, which could be accessible to just anyone, if the phone was ever lost.

Now let’s see exactly what has been stored locally. The database is set up in the following location:

Windows: C:\Users\taranfx\AppData\Local\Apple Computer\Safari\Databases\https_mail.google.com_0\0000000000000001.db

Mac: /Users/taranfx/Library/Safari/Databases/http_mail.google.com_0/0000000000000001.db

New databases will be created for each separate Gmail account logged-in, each one gets an incremented number instead of “1″ that you see over there.  Now you might be thinking Which Database is that? It’s SQLite database. Surprisingly, there is no encryption, no protection, the database content can be viewed with any SQLLite compatible app: I used SQLite Browser. And the Results were alarming:

1. cached_contacts - Top 20 frequent contacts, including email address, names
2. cached_conversation_headers - Abbreviated content from email messages including the full subject, sender’s name and first sentence or two of the message.
3. cached_labels - User defined labels which can be assigned to emails.
4. cached_messages - Similar to cached_conversation_headers
5. cached_queries – Certain queries
6. unclearconfig_table - Application version number
7. hit_to_data – ??
8. log_store – Some logging info.

All are  shown in the screenshot below:

Now if someone gets access to your machine or mobile, you can guess the level of risk you are under.

Verdict:

Gears and HTML 5 represent great technologies, but  poorly implemented, and hence result in increased security risk.

Applications interface with local data storage via JavaScript API calls.  The calls, as per the specification,  are  restricted by the same origin policy to ensure that only the application which originally created the data, can then subsequently access it. When sites are vulnerable to XSS vulnerabilities, a remote attacker could gain access to local database storage and perform any type of  client-side SQL injection attacks.

Gmail might be currently suffering from any XSS vulnerabilities, as they had numerous times in the past. What’s more critical is the fact that XSS remains a too-common vulnerability and as developers adopt local database storage via HTML 5, we are sure to see plenty of vulnerable sites, which will place everyone at risk.  It is not just a privacy concern, it’s also a data integrity concern: What if an attacker can manage to write to the database just as easily as they can read from it?

Nothing more or less, I feel that the HTML 5 specification has a great deal to offer and it’s good to see it’s early adoption. But the fate of the game lies in the hands of the developers , who will have to ensure that powerful features such as local database storage do not expose end-users to increased threat.

Every year, some hacker comes out and breaks something crucial to us, which makes us and authorities learn it the HARD WAY, “We are not safe”.

The best work is done by BlackHat and DEFCON, which are open forums for Hackers, especially DEFCON, which has open hacking challenges.

If you ever went to the DEFCONs, you know what I’m talking about. These guys can take down a military of servers down in couple of hours. They can hack anything from a conventional “lock” to GSM phones.

This year was no exception. Karsten Nohl, a PhD candidate from the University of Virginia gave quite a talk. He wants to generate a rainbow table that will decipher GSM (AT&T and Tmobile) phone calls. A rainbow table is basically a look-up table that could speed up password cracking for almost anything by factor of 10x or even more.

To generate the table, we choose a random set of initial passwords from P, compute chains of some fixed length k for each one, and store only the first and last password in each chain. The first password is called the starting point and the last one is called the endpoint. In the example chain above, “aaaaaa” would be the starting point and “kiebgt” would be the endpoint, and none of the other passwords (or the hash values) would be stored.

These hashes are then used in recovering the plaintext password from a password hash generated by a hash function, often a cryptographic hash function.

Whether To DO or NOT to?

Nohl might have declared this publicly, but it has raised a concern among the authorities. Should such attacks be publicized?

If this is allowed, the cellular systems will be fully hacked within 6 months. Analysts appear to be concerned. They are saying methodology required to crack GSM encryption has been available for 15 years. Cellcrypt CEO Simon Bransfield-Garth mentioned:

“Everybody has known for quite some time that a theoretical hack of GSM existed. This news means that the theoretical risk will become a very real one within the next six months.”

Stan Schatt, Vice President and Practice Director, Healthcare and Security at ABI Research pointed out:

“Potentially this news could have as profound an impact on the cell phone industry as the breaking of WEP encryption had on the wireless LAN industry.”

The Dark Secret of GSM

The cryptographic protection is but a small part of the 130 volumes and over 6,000 pages which make up the GSM standard. Unfortunately, the cryptography was designed in secret and is still kept secret, provided to individuals at smartcard and cellphone manufacturers on a “need-to-know”‘ basis.

“As shown so many times in the past, a design process conducted in secret and without public review will invariably lead to an insecure system,” says Marc Briceno, Director of the SDA. “Here we have yet another example of how security by obscurity is no security at all.”

The origin of the breach was when the SDA (smartcard developer association), while designing a smartcard, discovered the cryptographic algorithms used inside the SIM’s and cellphones. The SDA first verified that the algorithms were accurate. The exact details of the algorithms were not known to the public but the verified algorithms matched the facts that were publicly known. Next the SDA brought in David Wagner and Ian Goldberg, researchers in the Internet Security, Applications, Authentication and Cryptography (ISAAC) group at the University of California, Berkeley. Within a day, Wagner and Goldberg had found a fatal cryptographic flaw in COMP128, the algorithm used to protect the identity inside the SIM. They created a system to exploit the flaw by repeatedly asking the SIM to identify itself; by processing the responses they were able to extract the secret from inside the SIM.

“There’s no way that we would have been able to break the cryptography so quickly if the design had been subjected to public scrutiny”, says David Wagner. “Nobody is that much better than the rest of the cryptography research community.” David Wagner was previously known for his work on the breach of CMEA, a cipher used in digital cellphones. As in this case, the cryptographers who did the work on CMEA blamed the design process for the insecurity of the system.

The BIG Impact

Today, there are billions of people using GSM phone technology. So, cracking GSM encryption has BIG concerns underneath.

What’s at stake if GSM-encrypted traffic is no longer secure?

• Loss of Privacy over Voice Calls – Any damn GSM call can be intercepted. This means everything.
• Jamming calls – Today, Jammer’s do exist but new kind of jamming technology can be introduced that can take down communications in larger areas.
• Financial institutions that use text messages as authentication tokens would be in trouble.
• Business – Almost all Business end-customers will be impacted, the potential loss to the business could touch billions.
• PDA and Smart-phone IP Traffic – Users that surf web, use internet over their phones for Business EMail will no longer be secure.

Why Nohl wants this move?

As a cryptography expert, Nohl understands this. He explained-

“We’re not creating a vulnerability but publicizing a flaw that’s already being exploited widely. Clearly we are making the attack more practical and much cheaper, and of course there’s a moral question of whether we should do that.”

It’s not just that he’s the first one to do it. GSM had been hackable since decades. There are devices, today,  capable of cracking GSM encryption, though expensive. Nohl plans on offering the solution for free and that’s what could bring trouble.

Now the questions goto the GSM consortium, Telcos -

• If GSM encryption is vulnerable, why haven’t the telcos/GSM done anything about it?

• Why does people like  Nohl have to come and show trigger to GSM authorities to get it fixed? Why can’t they fix it, when they know about it!

According to security researchers, a bug in the Linux kernel has just been uncovered that makes just about every distribution utilizing kernel 2.4 and 2.6 on just about all architectures since May of 2001 vulnerable to a certain kind of attack.

You can imagine. Out of Today’s Linux systems, 95% use >2.4 <=2.6, so almst every Linux kernel is Vulnerable to this attack.

The bug allows an attacker to escalate local privileges and completely compromise the entire system. Julien Tinnes, a security researcher who does know his way around kernel code, wrote the following details about the bug.

At first sight, the code in af_ipx.c looks correct and seems to initialize .sendpage properly. However, due to a bug in the SOCKOPS_WRAP macro, sock_sendpage will not be initialized. This code is very fragile and there are many other protocols where proto_ops are not correctly initialized at all (vulnerable even without the bug in SOCKOPS_WRAP)… Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.

Rodney Taylor, from security research at Secorix, said that the bug “passes my it’s-not-crying-wolf test so far,” and that he’d definitely check his enterprise Linux systems (providing he had any), see if it was related, and see if he needed to get a patch.

The damage is done, fair enough but luckily, there already is a patch, and it should be implemented into all future kernels from here on out.

A Safer world again.

The newly found vulnerabilities affect only devices running Cisco IOS and Cisco IOS XE Software (here after both referred to as simply Cisco IOS) with support for RFC4893 and that have been configured for BGP routing.

This feature has a critical vulnerability on all recent IOS that support it. Cisco last week issued — and today updated — a security advisory for its IOS software.

Cisco IOS supporting RFC 4893 for four octet AS number spaces in BGP are susceptible to denial of service attacks when handling BGP updates. There are two DoS vulnerabilities in the software, according to the advisory:

1. Vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems.

2. Vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.

Workaround - Configuring “bgp maxas-limit [value]“ on the affected device does mitigate this vulnerability. Cisco recommends using a conservative value of 100 to mitigate this vulnerability.

Cisco says it released free software updates to address these vulnerabilities. There are no workarounds available for the first vulnerability, software upgrade is necessary.

Apple had been silent on the Critical Vulnerability found by BlackHat’s security expert presenter, till Google went ahead with the similar fix for the Android platform.

I haven’t heard the official news coming directly Apple, but Carriers are doing it. First one to do is O2 UK, which announced that Apple will be releasing fix by weekend.

There’s no news from AT&T yet, but they are not far from.

It’s an admirably quick fix to a comically terrible problem. Probably, it will come as 3.0.1 or something similar. But at least Apple’s got an update infrastructure to match their relatively quick remedy; what’s really worrying is that some other vulnerable phones—mostly Windows Mobile handsets—are still vulnerable, and whatever updates Microsoft have in store may have a slightly harder time blanketing users without the near-daily update checking built into the iPhone’s usage style.

Android, iPhone are safe. Did anyone hear anything from Microsoft? uhmm

Few years back, Sir Lenin identified a Cisco security flaw that could bring down EVERY SINGLE CISCO ROUTER in the world. Lenin was from ISS (Internet Security Systems), he was fired & tortured, and what not. Cisco, at no cost, wanted their secrets to be revealed. Well, that was years back. since that year, we have more darker sides of the IT world.