I’ve recently analysed a range of honeypot data covering about three months of malicious attempts against a number of Internet-exposed ports and services. The data was sourced from a typical Australian Internet connection.
From the analysis, the traffic type and source countries were more or less as expected, although it was interesting to see the ratio of attacks received from each country.
I thought I would share some of the initial results (see the graphics below). Over the coming months I will share more of the analysis and detail.
General port scans and most of the spider/crawler traffic has been removed from the baseline data, so these results relate to actual malicious attempts – automated tools and manual techniques.
China and Hungary contributed the highest number of attack attempts.
The top 10 source countries for attacks against Australian hosts (country is geolocated from the source IP, so it shows where the attacking host sits, often a compromised machine or proxy, rather than where the operator is):
1/ China – CN
2/ Hungary – HU
3/ United States – US
4/ Canada – CA
5/ Australia – AU
6/ India – IN
7/ Republic of Korea – KR
8/ Brazil – BR
9/ Russian Federation – RU
10/ Puerto Rico – PR
I went to a security presentation yesterday with one of the guys from work which summarised some of the cooler Black Hat and DEF CON presentations from Las Vegas this year.
One of these presentations demonstrated the use of the open APIs available for some of the social media sites. The list below covers some of the search engines I’ve found that allow keywords to be queried against publicly available information. I’ve found that these searches return far more than what is indexed by the social media sites’ own search options.
In addition to the unpatched hole in Internet Explorer, a newly published hole in Windows allows users with restricted access to escalate their privileges to system level, and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to, and including, Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.
The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.
Ormandy has also published a working exploit which functions under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. When tested by The H’s associates at heise Security, the exploit opened a command prompt in the SYSTEM context, which has the highest privilege level, under Windows XP and Windows 7. No patch has become available, although Ormandy reports that Microsoft was already informed of the hole in mid 2009. He decided to publish the information regardless because, in his opinion, there is a simple workaround: disable the MS-DOS subsystem.
The workaround requires users to start the Group Policy editor and enable the “Prevent access to 16-bit applications” option in the Computer Configuration\Administrative Templates\Windows Components\Application Compatibility section. When tested with this setting by the heise Security team, the exploit no longer functioned. The setting reportedly causes no major compatibility problems for most users as long as no 16-bit applications are in use.
Update – The above option is reportedly only exposed in the Group Policy editor on Windows Server 2003 systems, and some editions of Windows do not include a Group Policy editor at all. As an alternative, users can create a registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat with a DWORD value of VDMDisallowed = 1. Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:
into a file called vdmdisallow.reg and double-click the file. Windows will then import the value automatically (administrator rights are required to perform this action).
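The same mitigation applied and verified from the command line, as an added example that is not from The H article or Ormandy’s advisory. It writes the VDMDisallowed value named in the update above and reads it back; the function names are mine, it assumes an elevated PowerShell prompt, and only 32-bit Windows ships NTVDM, so on x64 installs the value is harmless but changes nothing.

```powershell
# Added example (not from The H or Ormandy): set the "Prevent access to 16-bit
# applications" policy directly in the registry and verify it, for editions
# that lack a Group Policy editor. Run from an elevated PowerShell prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

function Disable-Ntvdm {
    # The Policies\...\AppCompat key only exists once some policy has been written there.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # DWORD 1 is what the GPO "Enabled" state writes; -Force overwrites an existing value.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-NtvdmDisabled {
    # $true only when the value exists and is exactly 1 (any other state leaves NTVDM usable).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

Disable-Ntvdm
if (Test-NtvdmDisabled) {
    Write-Output "$ValueName=1 set under $PolicyKey; 16-bit programs will be refused."
} else {
    throw "Failed to set $ValueName under $PolicyKey"
}

# Assumption: the policy is checked when a 16-bit program is launched, so an
# ntvdm.exe that is already running keeps its existing context. End it as well.
Get-Process -Name ntvdm -ErrorAction SilentlyContinue | Stop-Process -Force
```

Because this writes the same value the Group Policy setting writes, Test-NtvdmDisabled is also a quick way to audit a fleet: run it read-only and flag any 32-bit host where it returns false.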
Update 2 – Microsoft has now confirmed the privilege escalation hole in Windows. The company says that it wants to complete its investigation of the vulnerability and will then decide whether, how and when to close it.
REDMOND — When it rains, it pours. Especially in the Seattle area. Tavis Ormandy has published full details on a privilege escalation hack of all versions of Windows including Windows 7.
The exploit takes advantage of a bug in the Windows implementation of the ‘virtual DOS machine’ used to run legacy 16-bit programs. The exploit can be avoided by turning the VDM ‘feature’ off but the danger of course is that enough Windows lusers won’t know about the bug and/or bother turning the ‘feature’ off.
16-bit applications need BIOS support; the Windows kernel supports virtual BIOS interrupts in its ‘Virtual-8086’ mode monitor code. The code is implemented in two stages. The #GP trap handler transitions to the second stage when CS:EIP faults with specific ‘magic’ values.
The transition requires (after authenticating the request) restoring the context and the call stack from the faulting trap frame. But the authentication is flawed, resting as it does on three incorrect assumptions:
Assumption 1: setting up a VDM context requires SeTcbPrivilege. In practice this barrier can be sidestepped by requesting the NT VDM subsystem and then using CreateRemoteThread() to run code in the context of the VDM subsystem process, which already has the necessary flag set.
Assumption 2: ring 3 (unprivileged) code cannot install arbitrary code segment selectors. Using the two least significant bits of CS/SS to calculate the privilege of a task does not work in Virtual-8086 mode, where 20-bit addressing (CS << 4 added to the 16-bit IP) is also used to map onto the protected linear Virtual-8086 address space. If CS can be set to an arbitrary value, the privilege calculation can be circumvented.
Assumption 3: ring 3 (unprivileged) code cannot forge a trap frame. Returns to user mode go through IRET, and an invalid context can cause IRET to fail pre-commit, which in turn forges a trap frame. Even with address randomisation it is trivial to use NtQuerySystemInformation() to obtain the address of the second-stage BIOS handler.
This bug dates back 17 years and affects every 32-bit Windows released since 27 July 1993, including Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7. See the links below for further details.
I was reading some posts on the Full-Disclosure mailing list and came across some posts relating to WPA hacking (WPA attack improved to 1 min). After spending hundreds of hours using the AIR tools to crack WEP encryption and looking into networks as part of my previous job, I was very interested to see how things are progressing.
A few years back, some friends and I were messing around with a Taco Bell’s drive-thru frequencies. RijilV and isotek showed me how easy it was to hijack the frequencies of just about any fast food restaurant with a very simple mod to a ham radio. The radios they used were Yaesu VX-5 and VX-7 models. We had a few weeks of occasional fun, sitting a few parking lots away and saying all kinds of horrible things to potential fast food customers. For the most part, I didn’t record any of it. But you can find a few clips of our fast food hijinks if you scroll down on the PLA Sound Clips Archive page.
Finally we decided to capture a bit of our FCC violations on video. But instead of capturing actual customers being harassed by us as they placed an order, I drove through the Taco Bell drive-thru myself with a video camera sitting on the dashboard. As I attempted to place my order, RijilV informed me of some crazy new Taco Bell policies and a manager immediately rushed out to explain to me that I wasn’t actually talking to an employee. Here is that video:
After spending several years on Google Video and YouTube, it’s been watched approximately 20,000 times. And of those 20,000 people who have viewed it, approximately all of them have emailed me and asked me what kind of radio we used and how they can use a radio to do the same thing. So in the spirit of April 1st, and in order to quell the number of emails sent to me and posts on the PLA Forums asking the same thing, I’ve decided to write this tutorial to help those people out.
But I’m not going to explain how to modify a Yaesu VX5 or a Yaesu VX7. A simple Google search will show you how to modify these ham radios. The problem with these mods is that, even though they’re fairly simple, you have to buy the radios, which could cost you anywhere from $200 – $400. Then, after removing a couple of solder points, you have to learn how to use it, you have to look up fast food frequency lists, you have to understand the difference between the transmit frequencies and the receive frequencies and you have to scroll through PL tones using trial and error to find the correct one.
Or how about we do this a different way. A way that uses a couple of items that you might already have in your home. You can easily modify most old CB radios in a way that will allow them to transmit directly on drive-thru frequencies. You won’t have to scroll through hundreds of possible drive-thru frequencies, because a CB radio’s channels line up in exactly the same way as most drive-thrus’ channels, only at a higher frequency. How do you get your CB radio to run at a higher frequency? A simple replacement of the crystal inside with a 6.5536 MHz crystal. This triples the megahertz that are broadcast on and there is no learning required. You just take the modified CB radio to a fast food restaurant and start broadcasting to the customers.
“But RBCP, I don’t have a 6.5536 MHz crystal lying around my house,” you might be whining at this point. But this isn’t true. Just about any house has several 6.5536 MHz crystals in it if you know where to look. This just happens to be the exact same crystal that you can find in electric heaters, hair dryers, electric stoves, curling irons, electric hot water heaters, irons, and toasters. These crystals are in just about any item that has heated coils and are used to control the frequency of the heating elements so that they don’t burn your house down.
So for this modification you need…
1 CB radio. It has to be a 40 channel CB radio with a digital display, which includes just about any CB radio manufactured after the mid 1980s. The old 23 channel CBs from the 1970s will not work. It can even be a walkie talkie CB radio. If you don’t have one, you can find one at Goodwill or a yard sale for probably less than $10.
1 toaster. (Or other item with heating elements inside.) A toaster is the most ideal to use, because it’s almost guaranteed to have the crystal inside of it. It’s more common to find curling irons and hair dryers that don’t. Again, it should be a toaster manufactured within the past 20 years or so. Before that they didn’t have crystal requirements for toaster manufacturers. (And incidentally, there were a lot more electrical house fires back then.) Goodwill will probably have a toaster for less than $10.
1 soldering iron and solder. Don’t worry if you don’t have soldering experience. It’s actually pretty easy. Click here for a soldering tutorial. You can purchase a soldering iron at Radio Shack or Sears for about $10.
A few screwdrivers
Even if you have to buy all these materials, you’re only out $30. That’s a lot better than the $300 you might end up spending on a Yaesu radio. And some of you might already have all these items so you don’t have to pay anything. Ask a friend or a relative if they’ve got an old toaster or CB radio lying around that they don’t need.
First you’ll want to take apart your toaster. This isn’t too hard. Just flip it upside down and start removing the screws. You’ll probably need to pull off the plastic lever and knobs before you remove the top of the toaster. Once you have the top off, you’ll see a green or brown circuit board inside.
Flip the circuit board down and you’ll see all the components on the other side, including the 6.5536 MHz crystal. The crystal is silver and will have 6.5 stamped on the side of it. In the picture below, I’ve used an arrow to show you where it’s located.
The crystal is likely in a different spot in other toasters, but it’s hard to mistake for any other electronic component. The crystal will have some form of 6.5 stamped on the side of it. In my toaster, it showed 6.55-12. While the official frequency needed is 6.5536 MHz, anything within 1.6 megahertz will work. So don’t worry if your crystal just says 6.5 or 6.50 – it’s all the same for our purposes.
It’s kind of hard to see what I’m doing in the picture above, but I’m heating up the leads on the crystal from underneath with my soldering iron to melt the solder, and I’m pulling on the crystal from above with a pair of needle nose pliers. It only takes a few seconds to get the crystal out of the toaster.
Now that the crystal is out of your toaster, throw your toaster away! Do not attempt to use it once the crystal is removed. Remember, the crystal is in there for safety and using your toaster without the crystal could burn your toast and/or start a kitchen fire. It’s likely your toaster won’t even turn on with the missing crystal, but please don’t even try. Just throw it away.
As I mentioned before, just about any brand and model of CB radio will work, as long as it has the digital display on it. Which means just about any CB radio manufactured after the mid 1980s. These are the kinds of CB radios whose frequencies are controlled by a single crystal inside of them. For my mod, I used a Radio Shack TRC-207 walkie talkie CB radio, which is pictured above. I prefer using a walkie talkie CB radio because it doesn’t require sticking a huge CB antenna on the roof of my car, which might be noticed if a fast food employee starts looking around the parking lot for the culprits.
Taking apart your CB radio is just as easy as taking apart the toaster. Remove the screws and pop it open. You may or may not have to lift up the circuit board inside to find the crystal. In my particular model, the crystal actually plugged into a socket so I didn’t even need to desolder the old crystal. I just pulled it out with my fingers and then plugged in the new 6.55 MHz crystal. I don’t know how common this is, because in other CB radios that I’ve modified the crystal was soldered to the circuit board, just like in the toaster.
Put your CB back together and test it to make sure it’s working. You’re finished! Obviously, you won’t be able to talk on normal CB channels anymore since your CB is transmitting and receiving at a much higher frequency now. But who cares, CB channels are lame anyway. Let’s hop in the car and drive to our nearest fast food establishment to test it out.
Sit near the drive-thru and wait for a customer to pull up. While the customer is talking to the drive-thru speaker, start flipping through your channels until you hear them talking. I’ve found that most drive-thrus end up being somewhere in the 16 – 25 channel range. I’ve never found one above channel 30 and only a few on channels 1 through 15. It all depends on how their drive-thru is set up and what frequencies they’re using. Anyway, push down your talk button and start talking to the customer.
The cool thing about using a CB radio to transmit on drive-thru frequencies is that a CB is designed to work for several miles. The headsets that those fast food people wear are only designed to work for about 100 feet. So you can easily overpower the employees, even if you’re several parking lots away. In fact, you may be inadvertently screwing with several other drive-thrus in town without even knowing it. This is more likely when you’re using the kind of CB radio that’s supposed to be installed in a car. Those usually run on 5 watts and can cover an entire city. This is another reason I like to use my walkie talkie. It’s lucky if it will work for even a mile, so I’m only harassing one restaurant at a time.
If you found this tutorial useful, you might also enjoy the video I’ve made on the same subject. It includes much of the same information as this tutorial, but also includes actual footage of us messing with a drive-thru with this CB mod. Enjoy!
Steve: It’s like, oh, goodness, yeah. It’s quite something. So the big news, though, I just sort of had to kind of smile because I told all of our listeners this was going to happen. I said just wait, this is a bad idea, we’re going to see how bad it is. Trojans have – Trojan software has been found in ATMs located in Eastern Europe.
Leo: Oh. Oh.
Steve: From many different vendors.
Leo: Oh, dear.
Steve: But what one thing do all of the trojan-infected ATMs have in common, Leo?
Leo: Let me guess.
Steve: Windows XP.
Leo: Ai yi yi.
Steve: The LSASS service is the manager of protected content in the system. It’s not quite the right acronym. I can’t think of what it is right now. But it’s like the main security service. And fake ones have been found in the Windows directory. The LSASS EXE normally lives in the Windows System32 directory. They were written in Borland’s Delphi.
Leo: You’re kidding.
Leo: Well, that’s kind of sophisticated for a hacker. Wow.
Steve: And it’s considered, I mean, it’s commercial-grade code. It’s good code.
Leo: Oh, boy.
Steve: These are not remote installation Trojans. It’s believed that somebody had to have access to the machines.
Leo: Oh, even worse.
Steve: But they have special credit cards. When they swipe the special credit card in the infected machine, it accesses the trojan software, which among other things allows them to dump out all the cash from the machine. But in the meantime it’s logging all of the users’ information and PINs, which it’s able to dump out encrypted with DES encryption from the printer, from the ATM printer in the front of the machine.
Steve: So the – and anyway, so it’s interesting to me. Again, it’s, you know, people defended the idea of implementing these things that I contend should never have been written in Windows. They say, well, but it’s easier to write them. And it’s like, yes.
The terminal or ATM first encrypts the user-entered PIN (under either a unique DUKPT-derived key or a static key, depending on the design and the banks involved) before incorporating it into the AS 2805 transaction message.
The message is then encrypted again using the DUKPT key established through the merchant logon process with the acquirer’s Host Security Module (HSM). That is, the PIN is encrypted separately and then encapsulated within the DUKPT-encrypted 2805 message, providing full message encryption.
In the diagram, a separate mutually authenticated SSL session is also used between the terminal/ATM and the acquirer’s infrastructure. This allows the transaction, including the PIN, to traverse the external wired/GPRS/LAN path inside two primary, independent layers of encryption, with a third protecting the PIN itself.
When the transaction enters the acquirer environment, the encapsulation layer provided by SSL is removed. This leaves the DUKPT-encrypted 2805 message, which still encapsulates the separately encrypted PIN.
This encrypted message is passed from the acquirer switch engine to the acquirer’s HSM, which decrypts the 2805 message but not the user-entered PIN.
This is the point at which the transactional information needed for the acquirer’s merchant reporting (truncated card number, transaction amount, transaction type, etc.) and fraud management data is collected.
The acquirer switch then passes the encrypted PIN to the acquirer HSM, requesting that it be decrypted under the acquirer’s PIN encryption key and translated to the next bank’s (Bank 1) PIN encryption key. PIN translation only ever occurs inside the acquirer HSM, so the clear PIN is never exposed to the switch. The result is returned to the acquirer switch engine as the Bank 1-encrypted PIN.
The acquirer switch engine then sends the decrypted 2805 message, with the newly encrypted PIN, back to the acquirer HSM to be protected (MACed) under the Bank 1 MAC key.
The resulting Bank 1-keyed message is then sent to Bank 1 for processing and/or forwarding to the card issuer (using a process similar to the one described above).
When the result comes back from the issuing bank it is protected under the Bank 1 MAC key (the PIN is not present in the result message).
This is verified by the acquirer HSM, the transaction fate is stored in the acquirer merchant reporting system, and the transaction fate is then re-encrypted under the original acquirer DUKPT key (which should differ per terminal/merchant instance) and sent back to the terminal over the originally established SSL connection.
The acquirer may terminate the SSL connection on a hardware device such as a Cisco Content Services Switch (CSS) or equivalent, instead of the design described in the diagram, which terminates on an SSL session server/gateway (possibly including a Certificate Authority) or on the acquirer transaction switch.
When PIN blocks are received by the acquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).
When the message is sent on the upstream bank interchange link to the issuer or gateway, the acquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the acquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever it is outside the terminal or ATM.
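The PIN path described above, worked through as an added example that is not part of the original post: an ISO 9564 format-0 PIN block is built, encrypted under the terminal PIN key, and then translated terminal key → LMK → ZMK, with the clear block only ever reconstructed inside a function standing in for the HSM. All function names, keys, the PAN and the PIN are mine and constructed for the example; a real terminal would derive its key per transaction under DUKPT rather than use the static key shown. The post has the PIN block translated under the LMK itself; commercial HSMs use the LMK to wrap the working keys (terminal and zone PIN keys) rather than to encrypt PIN blocks, but the example follows the post’s chain so the stages line up.

```powershell
# Added example (not from the original post): format-0 PIN block plus a
# simulated HSM translate chain using single-block 3DES (DEA3).
# Keys, PAN and PIN below are constructed test values, not real material.

function ConvertFrom-HexString([string]$Hex) {
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function ConvertTo-HexString([byte[]]$Bytes) {
    return (($Bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

# ISO 9564-1 format 0: PIN field XOR PAN field, so the same PIN yields a
# different block for every card and a captured block cannot be replayed
# against another PAN.
#   PIN field = '0' + PIN length (one hex digit) + PIN digits, padded with 'F' to 16 digits
#   PAN field = '0000' + the 12 rightmost PAN digits excluding the check digit
function New-PinBlockIso0([string]$Pin, [string]$Pan) {
    if ($Pin.Length -lt 4 -or $Pin.Length -gt 12) { throw 'PIN must be 4 to 12 digits' }
    $pinField = ('0{0:X}{1}' -f $Pin.Length, $Pin).PadRight(16, 'F')
    $panField = '0000' + $Pan.Substring($Pan.Length - 13, 12)
    $p = ConvertFrom-HexString $pinField
    $a = ConvertFrom-HexString $panField
    $block = New-Object byte[] 8
    for ($i = 0; $i -lt 8; $i++) { $block[$i] = $p[$i] -bxor $a[$i] }
    return ,$block
}

# A PIN block is exactly one 8-byte cipher block, so 3DES runs in ECB mode
# with no padding; there is no chaining to get wrong.
function Invoke-Tdes([byte[]]$Key, [byte[]]$Block, [switch]$Decrypt) {
    $tdes = [System.Security.Cryptography.TripleDES]::Create()
    $tdes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $tdes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $tdes.Key     = $Key
    $xf = if ($Decrypt) { $tdes.CreateDecryptor() } else { $tdes.CreateEncryptor() }
    try     { return ,$xf.TransformFinalBlock($Block, 0, $Block.Length) }
    finally { $xf.Dispose(); $tdes.Dispose() }
}

# Stand-in for the HSM translate command: the clear PIN block exists only
# inside this function and is zeroised before returning, so the switch that
# calls it only ever handles ciphertext.
function Invoke-HsmPinTranslate([byte[]]$SourceKey, [byte[]]$DestKey, [byte[]]$EncryptedBlock) {
    $clear = Invoke-Tdes -Key $SourceKey -Block $EncryptedBlock -Decrypt
    try     { return ,(Invoke-Tdes -Key $DestKey -Block $clear) }
    finally { [Array]::Clear($clear, 0, $clear.Length) }
}

function Test-PinTranslationChain {
    $pin = '1234'                                                       # constructed
    $pan = '4000001234567899'                                           # constructed, not a real card
    $tpk = ConvertFrom-HexString '0123456789ABCDEFFEDCBA9876543210'   # terminal PIN key (static here)
    $lmk = ConvertFrom-HexString 'C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6'   # acquirer LMK
    $zmk = ConvertFrom-HexString 'F0E1D2C3B4A5968778695A4B3C2D1E0F'   # interchange ZMK

    $clearBlock = New-PinBlockIso0 -Pin $pin -Pan $pan
    $underTpk   = Invoke-Tdes -Key $tpk -Block $clearBlock   # what leaves the terminal
    $underLmk   = Invoke-HsmPinTranslate -SourceKey $tpk -DestKey $lmk -EncryptedBlock $underTpk
    $underZmk   = Invoke-HsmPinTranslate -SourceKey $lmk -DestKey $zmk -EncryptedBlock $underLmk

    # End-to-end check: the party holding the ZMK must recover the original block.
    $recovered = Invoke-Tdes -Key $zmk -Block $underZmk -Decrypt
    [pscustomobject]@{
        ClearBlock  = ConvertTo-HexString $clearBlock
        UnderTPK    = ConvertTo-HexString $underTpk
        UnderLMK    = ConvertTo-HexString $underLmk
        UnderZMK    = ConvertTo-HexString $underZmk
        RoundTripOk = ((ConvertTo-HexString $recovered) -eq (ConvertTo-HexString $clearBlock))
    }
}

Test-PinTranslationChain
```

The three ciphertexts in the output are the only forms of the PIN the switch, the merchant reporting system and the interchange link ever see; the clear block appears solely inside Invoke-HsmPinTranslate, which is the property the post relies on when it says PIN translation only occurs within the acquirer HSM.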