Archives for : hardware

    No need to bypass security with a boot disk – 17 year old Windows exploit found

    The problem has been discovered in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to, and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

    The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    Ormandy has also published a suitable exploit which functions under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. When tested by the The H’s associates at heise Security, the exploit opened a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7. No patch has become available, although Ormandy reports that Microsoft was already informed of the hole in mid 2009. The developer decided to publish the information regardless because, in his opinion, there is a simple workaround: to disable the MS-DOS subsystem.

    The workaround requires users to start the group policy editor and enable the “Prevent access to 16-bit applications” option in the Computer ConfigurationAdministrative TemplatesWindows ComponentsApplication Compatibility section. When tested with these settings by the heise Security team, the exploit no longer functioned. The settings reportedly don’t cause any major compatibility problems for most users while no 16-bit applications are being used.

    Update – The above option is only available through the group policy editor on Windows 2003 systems. Some versions of Windows do not include a group policy editor. As an alternative, users can also create a registry key under HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsAppCompat with a D-Word value of VDMDissallowed = 1. Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:

    Windows Registry Editor Version 5.00



    into a file called vdmdisallow.reg and double click the file. Windows will then automatically import the key (admin rights are required to perform this action).

    Update 2 - Microsoft has now confirmed the privilege escalation hole in Windows. The company says that it wants to complete its investigation of the vulnerability and will then decide whether, how and when to close it.

    See Also:

    REDMOND — When it rains, it pours. Especially in the Seattle area. Tavis Ormandy has published full details on a privilege escalation hack of all versions of Windows including Windows 7.

    The exploit takes advantage of a bug in the Windows implementation of the ‘virtual DOS machine’ used to run legacy 16-bit programs. The exploit can be avoided by turning the VDM ‘feature’ off but the danger of course is that enough Windows lusers won’t know about the bug and/or bother turning the ‘feature’ off.

    16-bit applications need BIOS support; the Windows kernel supports virtual BIOS interrupts in its ‘Virtual-8086’ mode monitor code. The code is implemented in two stages. The #GP trap handler transitions to the second stage when CS:EIP faults with specific ‘magic’ values.

    The transition requires (subsequent to authentication) restoring the context and the call stack from the faulting trap frame. But the authentication process is flawed, relying as it does on three incorrect assumptions.

    • Setting up a VDM context requires SeTcbPrivilege.The barrier to getting a VDM context can be subverted by requesting the NT VDM subsystem and then using CreateRemoteThread() to run code in the context of the VDM subsystem. The VDM subsystem already has the necessary flag set.
    • Ring 3 (unprivileged) code cannot install arbitrary code segment selectors.Using the two least significant bits of CS/SS to calculate the privilege of a task doesn’t work when it comes to Virtual-8086 mode. The 20-bit addressing (by adding CS << 4 to the 16-bit IP) is also used to map onto the protected linear Virtual-8086 address space. If CS can be set to an arbitrary value, then the privilege calculation can be circumvented.
    • Ring 3 (unprivileged) code cannot forge a trap frame.Returns to user mode are through IRET. An invalid context can cause IRET to fail pre-commit, which in turn forges a trap frame. And even with address randomisation it’s trivial to use NtQuerySystemInformation() to obtain the address of the second stage BIOS handler.

    Affected Systems

    This bug dates back 17 years and affects all systems released since 27 July 1993 – Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. See the links below for further details.

    See Also
    MITRE: CVE-2010-0232
    Windows plagued by 17-year-old privilege escalation bug
    NEOPHASIS: Trap Handler Allows Users to Switch Kernel Stack

    Ham Radio Links

    Amateur Packet Radio Australian

    Aussiewide Packet Radio Network


    Queensland APRS Users Group

    VK2KFJ’s Packet Radio Links page


    VK5 AX25 Packet Network Map (VK5AH)




    Amateur Packet Radio Gateways

    Amateur Packet Radio, net 44, and AMPR.ORG `

    American Febo Enterprises







    G4JKQ TCP/IP Telnet listing

    G7JJF TNC Driver Support (WINTNC)

    High speed packet

    High Speed Packet radio

    High-speed Packet Radio


    K4ABT (home page)

    Linux® / Amateur Radio Information

    Linux AX25-HOWTO


    Packet Info and Downloads

    Packet Links

    Packet Net (VK5 packet map)

    Packet Net (FBB software)

    PAcket Digital Amateur Network (PADAN)

    Radio-TNC Wiring Diagrams


    Slovenian ATV/Packet

    Sound Card Packet




    TNOS Central


    WA4DSY 56k RF Modem

    Yet Another 9k6 Modem


    Sound Card Packet

    Sound Card Buddy

    Soundcard Interfacing

    Sound Card Packet AGWPE (KC2RLM)

    Sound Card Interface with Tone Keyer (WA8LMF)

    QDG sound card interface

    Return to Top


    Winlink! 2000

    Aussie Winlink

    Pactor Communications Australia


    Winpack home page

    Winpack info


    TNC information


    Setting Your TNC’s Audio Drive Level

    TNC and Radio mods


    MFJ-1278B Care and maintenance


    AEA radio and TNC mods

    Other suppliers


    Fox Delta



    The DXZone Digital and Packet Radio



    TNC-X – The Expandable TNC


    Amateur Packet Radio Gateways


    The Gateways Home Page


    High-Speed Digital Networks and Multimedia (Amateur)

    North Texas High Speed MultiMedia group

    Also take a look at the wireless LAN pages


    Aus APRS




    APRS in Adelaide


    APRS in the UK





    BYONICS (Electronics Projects for Amateur Radio)


    Dansk APRS Gruppe

    France APRS

    Kansas City APRS Working Group


    Live Australian APRS data maps


    Queensland APRS Users Group

    Tri-State APRS Working Group

    Other Digital Modes




    Morse Code

    CW Operators’ QRP Club Inc.

    Fists Down Under

    LEARN MORSE CODE in one minute !

    MRX morse code

    Not Morse Code, Slow Scan , Packet or APRS

    HamDream by HB9TLK (digital radio)

    JE3HHT, Makoto (Mako) Mori

    PSK31 and other PC Magic

    WSJT ACTIVITY IN AU (follow link)

    Amateur Digital Radio

    AR Digital Voice Communications

    Australian National D-Star

    Ham Radio digital info

    ICOM America digital

    Temple University Digital Voice Project

    Temple University Vocoder Redux

    WinDRM – HF Digital Radio Mondiale



    Australian D-Star information

    D-Star wikipedia

    ICOM America D-Star Forums


    Software Defined Radio

    FlexRadio Systems Software Defined Radios

    Rocky software for SoftRock-40 hardware

    SDRadio – a Software Defined Radio

    SoftRock-40 Software Defined Radio

    The Weaksignals pages og Alberto I2PHD (software)

    Digital Radio

    BBC digital Radio

    Digital Audio Broadcasting

    Digital Radio Broadcasting

    Digital Radio


    DRM – Digitaler Rundfunk unter 30 MHz


    Amateur Radio Direction Finding

    Amateur Radio Direction Finding and Orienteering

    Amateur Radio Direction Finding Webring

    Homing In


    Victorian ARDF Group Inc.

    Repeater Linking

    There are currently There are 5 internet linking projects that I know of :-

    IRLP,  iPHONE, iLINK, eCHOLINK and WIN SYSTEM (May 2005)


    Hamlink (K1RFD)

    KWARC (live audio)

    Internet Linking


    IRLP status



    G4CDY-L Internet Gateway



    VK2JTP iLINK gateway

    WB2REM & G4CDY’S  iLINK boards



    laser diodes

    A R Laser Communications

    Australian Optical DX Group

    Driver Enhancements

    European Laser Communications


    Amateur Radio Licence


    Worldwide Information on Licensing for Radio Amateurs by OH2MCN

    Amateur Radio Clubs and Organisations

    Also see ATV link page

    and VHF link page


    Adelaide Hills Amateur Radio Society

    Amateur Radio Victoria

    Barossa Amateur Radio Club VK5BRC

    Brisbane Amateur Radio Club

    Brisbane VHF Group

    Central Coast Amateur Radio Club

    Central Goldfields A R Club


    Coffs Harbour & District Amateur Radio Club

    CW Operators’ QRP Club Inc.

    Eastern and Mountain District Radio Club

    Gold Coast AR Society

    Healesville Amateur Radio Group

    Historical Wireless Society of South East Queensland

    Ipswich Metro Radio Group

    Lockyer Valley Radio and Electronic Club Inc

    Manly-Warringah Radio Society


    QRP Amateur Radio Club International

    Queensland APRS Users Group

    RADAR Club Inc

    Radio Amateurs Old Timers Club Australia Inc

    Radio Sport

    Radio and Electronics Association of Southern Tasmania

    Riverland Amateur Radio Club

    South Australian Packet User Group Inc. (SAPUG)


    South Coast AMATEUR RADIO Club


    Sunshine Coast Amateur Radio Club

    VK Young Amateur Radio Operator’s Net


    VK3BEZ (WIA Eastern Zone Amateur Radio Club)


    West Australia Repeater Group


    WIA VK4 Qld



    WICEN Australia

    WICEN Brisbane Qld

    New Zealand


    Papakura Radio Club

    Wanganui Amateur Radio Society Inc.

    Wellington VHF Group


    American QRP Club


    Clear Lake Amateur Radio Club





    K2MFF Amateur Radio club

    North TeXas Repeater Association


    The Repeater Builders Technical Information Page

    Richardson Wireless Klub




    Submarine Veterans Amateur Radio

    Southgate AR club


    The 500 KC Experimental Group for Amateur Radio

    Tucson Amateur Packet Radio

    W6DEK 435 Los Angeles

    Amateur Radio


    Australian AR Repeater Map



    Ham Radio in Australia with VK1DA

    HF Radio Antenna Tuners

    Queensland AR Repeater listings

    Radioactive Networks: Ham

    Tony Hunt VK5AH (Home of Adelaides 10m Repeater)

    VK1DA’s Amateur Radio Web Directory



    VK2BA (AM radio)




    VK3YE’s Gateway to AR










    New Zealand

    Micro Controller Projects for Radio Amateurs and Hobbyists

    Precision Frequency Transmission and Reception



    AC6V’s AR & DX Reference

    Amateur radio with Knoppix

    Amateur Radio Soundblaster Software Collection


    AMRAD Low Frequency Web Page


    Direction finding

    DSP Links




    eQSL (electronic QSL)


    Felix Meyer



    Gateway to Amateur Radio

    Grid Square Locator


    G4KLX (The [ON/]G4KLX Page)




    Hamview DSP software

    Homebrew RF Test Equipment And Software

    KB4VOL   link site



    KU4AY ham radio directory



    K1TTT Technical Reference


    K3TZ Ham Radio Experimentation

    K6XC (links)

    Lighthouses (International Lighthouse/ Lightship Weekend)



    Michael Todd Computers & Communications



    NW7US   (Amateur and Shortwave Radio)

    N3EYR’s Radio Links


    PI6ATV (ATV, Antenna, software, info)

    Radio Links

    Radio Corner (forum)

    Ray Vaughan


    streaming radio programs

    The Elmer HAMlet (information)

    VE1XYL and VE1ALQ

    WB6VUB (links)



    XE1BEF  (DX, mods, links and more)

    Communications Equipment


    Andrews Communication Systems





    Hamak (RM Products Italy)


    KENWOOD Australia

    Kyle Communications

    ICOM Australia



    Radio-Data (links)

    Radio Specialists (equipment connectors and antenna)



    Townsville CB& Communications

    TTS Systems

    VK4-ICE Communications

    WiNRADiO (PC based receivers)



    Vertex Standard


    Z Communications Company (repair of old radio equipment)

    See also Kits and components

    Radio mods, cables, connection info

    batlabs (Motorola radio connection, cable info)

    Hall Electronics

    Radio Mods (mods info and more)

    W4RP IC-2720H Page

    XE1BEF  (DX, mods, links and more)

    Please also look at manufacture’s sites

    Lightning Protection (video and links)

    K9WK Amateur Radio

    Lightning Protection Institute

    Marine Grounding Systems

    Moonraker boat lightning information



    RFI Lightning protection


    Amateur Spread Spectrum

    Spread Spectrum Scene

    Spread spectrum

    SS Info

    Call-sign finders

    The DX Notebook



    Equipment suppliers and manufacturers

    Easy-radio (your DNS server may have problems finding this site)

    Kits and Components

    Australian and selected international suppliers




    Antique Electronic Supply

    Antenna Systems and Supplies Inc. (sm)



    Clarke & Severn Electronics

    Cliff Electronics (Aus) Pty. Ltd


    David Hall Electronics

    Dick Smith Electronics


    Dominion Electronics


    Elliott Sound Products


    Fox Delta (ATV and more)

    Hammond Mfg

    Hy-Q International

    IRH Components


    Microwave Dynamics

    MicroZed Computers



    Mouser Electronics


    Oatley electronics

    Ocean State Electronics


    pacific DATACOM


    Prime Electronics

    Radio Parts

    R.C.S. Radio (circuit boards)

    RF Modules Australia (ZigBee) http:\

    RFShop (Brisbane)

    Rockby Electronics and Computers

    RS Components



    Silvertone Electronics

    South Island Component Centre (New Zealand)

    Surplus Sales of Nebraska

    Surplustronics (New Zealand)

    Tandy (Australia)


    TTS Systems

    WB9ANQ’s Surplus Store


    Worldwide Electronic Components http:/

    Also look at the ATV links

    PCB layout and schematic programs baas electronics LAYo1 PCB


    Electronics WORKBENCH Industries McCAD OrCAD TARGET 3001! Tech5 TinyCAD VEGO ABACOM

    Amateur Satellites and space



    AMSAT-ZL (kiwisat)

    CSXT Civilian Space eXploration Team



    ISS fan club

    SATSCAPE   (free satellite tracking program)

    Satellite tracking software





    IPS Radio and Space Services


    Near-Real-Time MUF Map

    Radio Mobile (path prediction)

    VK4ZU (Propagation)


    Satellite TV



    KRISTAL electronics


    Nationwide Antenna Systems


    SAT TV


    Radio and Scanning


    Brisbane Radio Scanner

    Extreme Worldwide Scanner Radio

    Newcastle Area Radio Frequency Guide


    New Zealand

    Kiwi Radio


    Wellington Scanner Frequencies


    ZL3TMB (Christchurch NZ)


    Frequency guide

    Incident Broadcast Network (including Australian feeds)

    Radio H.F.  (some ham stuff)

    Amateur Radio DX and Contest

    DX Cluster

    AA1V’s DX Info-Page

    AC6V’s AR & DX Reference

    Australian contesting

    Buckmaster callsign database

    DX Greyline

    DX Summit

    DX 425 News


    EI8IC Global Overlay Mapper

    eQSL (electronic QSL)

    German DX Foundation-GDXF

    GlobalTuners (provides access to remotely controlled radio receivers all over the world)

    Ham Atlas by SP6NVK

    Kiwi DX List

    Oceania Amateur Radio DX Group Incorporated

    Oceania DX Contest


    The AM Window

    The Daily DX

    IARU QSL Bureaus

    International DX Association

    Internet Ham Atlas


    IOTA groups and Reference


    IOTA 425

    Island Radio Expedition Fondation

    LA9HW HF Contest page

    NG3K Contest/DX Page

    Northern California DX Foundation

    Simple phrases in European Languages

    SUMMITS on the AIR

    Telnet Access to DX Packet Clusters

    The DX Notebook

    VE6OA’s DX Links Contest Club

    World of DK4KQ

    XE1BEF  DX and links

    Logging Software

    VK Contest Log (VKCL)

    VK/ZL Logger

    WinRD+ logging program




    CLX Home page

    DX CLUSTER programs




    DX PacketCluster Sites on the Internet

    DXSpider – DX cluster system is written in perl

    Packet Cluster user manual

    The DXSpider User Manual

    VE7CC-1 Dx Spider Cluster


    Short Wave DX


    Electronic DX Press (HF, MW and VHF)

    CQ World Wide DX Contest


    Longwave Club of America (also Ham)

    NIST time stations

    OK1RR DX & Contesting Page

    Prime Time Shortwave

    Radio Interval Signals


    SM3CER Contest Service

    The British DX Club

    Yankee Clipper Contest Club


    Radio Scouting

    Scouts Australia JOTA/JOTI

    The history of the Jamboree On The Air history.htm

    World Organization of the Scout Movement

    Australian Regulator


    International Regulator


    Electronic Information and technical reference

    AC6V’s Technical Reference

    Chip directory

    Circuit Sage

    CommLinx Solutions Pty Ltd

    Computer Power Supply Mods

    Discover Circuits

    Electronic Information

    Electronics Links and Resources

    Epanorama (lots of links)

    Electronics Tutorials

    Electronic Theory

    Fox Delta


    Hobby Projects (electronic resource)


    Information site

    ISO Date / Time

    Latitude/Longitude Conversion utility – 3 formats

    New Wave Instruments (check out SS Resources)

    Paul Falstad (how electronic circuits work)

    PINOUTS.RU (Handbook of hardware pinouts)



    RF Cafe

    RF Globalnet

    RHR Laboratories


    RS232 Connections, and wiring up serial devices

    RF Power Table

    Science Lobby (electronic links)

    Tech FAQ (technical information for mobile electronics installers)

    Electronic service

    Repair of TV Sets

    Sci.Electrinic.Repair FAQ

    Service engineers Forum


    Cable Data




    Coaxial cable data

    Coaxial Cable Page




    NESS Engineering

    RF Industries cables


    Times Microwave


    W4ZT Antenna cable chart

    50 W Coaxial Cable Information

    75 W Coaxial Cable Information

    Antique Radio

    Antique Electronic Supply

    Alan Lord

    Antique Radio

    Apex Jr

    Archives of Boatanchors

    Australian Vintage Radio MK II

    Australian Wireless (OZ-Wireless) Email List

    AWA and Fisk Radiola

    Crystal Radio


    Hammond Museum of Radio

    Historical Radio Society of Australia Inc.

    JMH’s Virtual Valve Museum

    John Rose’s Vintage Radio Home

    Klausmobile Russian Tube Directory


    Kurrajong Radio Museum

    Links to Vintage Radios (Amateur)

    Mike’s Electric Stuff

    Nostalgiar Air

    Phil’s Old Radios

    Radio A’s Vintage Radio Page

    Radio Era

    Rap ‘n Tap

    Replacing Capacitors

    Savoy Hill Publications

    South East Qld Group of the HRSA

    SEQG of the HRSA Crystal comp

    SEQG One Tube Radio comp


    The Vintage Radio Emporium

    The Wireless Works

    Triode Tube Data Tubesworld  (Valve Audio and Valve data)

    Vintage Radio

    Vintage Radio Times

    Vintage Radios and programs

    Vintage Radios UK

    Vintage Radio and Test Equipment Site

    Vintage Radio World

    Vintage Radio and Audio Pages



    Ye Olde Hurdy Gurdy Museum of Vintage Radio

    Valve Audio and Valve data Ake’e Tube Data CVC

    Data Sheet Locator


    Frank’s Electron tube Pages

    Hammond  Manufacturing

    House of Tubes

    High Voltage Tube Archive


    Industrial Valve Data


    NJ7P Tube Data Search

    RCA-R10 Data

    SAS Audio Labs

    Sowter Audio Transformers

    Spice Valves



    Tube datasheets

    Vacuum Tube Links

    Valves and Tubes

    Valve Data Links

    Valve Data

    Valves Unlimited

    Valve and Tube Supplies


    Audio Calculators and Links Calculators & References Links.htm


    Car Audio Australia

    DIY Audio

    Duncan’s Amp Pages

    Elliott Sound Products


    Norman Koren


    The Self Site

    The Class-A Amplifier Site


    DUBUS (VHF magazine)

    Elektor Electronics

    Harlan Technologies (Amateur Television Quarterly)

    Radio & Communications Monitoring Monthly


    VHF Communications Mag



    SETI Australia

    DUKPT Overview and Transaction notes


    I was asked on another post relating to DUKPT to provide some backgound. Given I have lots of material on the subject, I thought I would create this thread. Link


    I will come back at some stage and expand on this when I get time.

    Transaction Process narrative:

    The diagram describes a mobile terminal/ATM is described using the a AS2805 (‘2805’) message type and 3DES DUKPT and dual direction auth SSL from the terminal to the aquirer (transaction switch).

    A good explanation of DUKPT can also be found at Wikipedia.


    Diagram of the flow


    DUKPT transaction flow - terminal to bank

    DUKPT transaction flow - terminal to bank


    Background notes:

    • The terminal or ATM firstly encrypts the user entered pin (may be a unique DUKPT key or static, depending on the design and banks involved) prior to incorporating it into the AS 2805 transaction message.
    • the message is then encrypted again using the DUKPT key which has been established through the merchant logon process within the aquirer Host Security Module (HSM) i.e. the user entered pin is encrypted separately and encapsulated within the DUKPT encrypted 2805 message to provide full message encryption.
    • In the diagram a separate dual authenticating SSL session is also used between the terminal/ATM and the aquirers infrastructure. This allowing the transaction including the pin to traverse the external Wired/GPRS/LAN within 2 primary independent layers of encryption, with a 3rd protecting the PIN.
    • When the transaction enters the aquirer environment the message encapsulation layer provided by SSL is removed.  This leaving the DUKPT’ed 2805 message which also encapsulates the separately encrypted PIN.
    • This encrypted message is passed to the aquirer switch engine through to the aquirer’s HSM for decryption of the 2805 message excluding the user entered pin.
    • This is when transactional information necessary for aquirer’s merchant reporting (truncated card number, transaction amount, transaction type, etc.) and fraud management data is collected.
    • The aquirer switch then passes the encrypted PIN to the aquirer HSM requesting that the PIN be decrypted using the aquirer’s PIN encryption and translated to the next banks (Bank 1)  PIN Encryption Key (Pin translation only occurs within the aquirer HSM) This is then sent back to the aquirer Switch engine as the Bank 1 encrypted PIN.
    • The aquirer switch engine then send the decrypted 2805 message with the newly encrypted PIN back to aquirer HSM to be encrypted with the Bank 1 MAC key.
    • The resultant Bank 1 key encrypted message is then sent to Bank 1 for processing and/or passing to the card issuer (using a similar process as described above).
    • When the result is received back from the issuing bank it is encrypted with the Bank 1 MAC key (the pin will not be present in the result message).
    • This is then decrypted by the aquirer HSM, the transaction fate result stored into the aquirer merchant reporting system and the transaction fate re-encrypted with the original aquirer DUKPT key (should be different per terminal/merchant instance) and the result sent back to the terminal through the original established SSL encrypted terminal connection.

    The aquirer may terminate the the SSL connection on a hardware device such as a CISCO Content Service Switch (CSS), or equivalent instead of the design described in the diagram which terminates onto a SSL session server/gateway (Possibly including a Certificate Authority) or on the aquirer transaction switch.

    When PIN blocks are received by the aquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).

    When the message is sent on the upstream bank interchange link to the issuer or gateway , the aquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the aquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever outside of the Terminal or ATM.

    HSM-8000-User Guide V2.2

    EFT Syetms and Device Considerations

    EFT devices and systems differ depending on hardware vendor, country and bank / payment aggregator.
    Below is a list of things you may like to consider. This list is off the top of my head so it is probably not complete.

    Looking at the products and relationships us usually a good start.

    Things to consider:

    • Card skimming methods
    • Some EFT POS devices restrict the connection of a skimmer
    • Review levels of associated fraud
    • Review devices and EFT methods
    • Review terminal identification (merchant and customer)
    • Manual processing. (internal and external)
    • eCommerce products
    • PC based software
    • Dedicated server services (Nobil, etc.)
    • Web based engine (Custom objects, Web pop-ups, etc)
    • Authorisation / identification methods (Merchant and customer)
    • TCPIP session hijacking / session spoofing
    • Direct Debit as well as Credit Cards.
    • Swift (methods and controls)
    • Telegraphic transfer (methods and controls)
    • Payment aggregator relationships (eg. Payment Tech, manual processing, cheque scanning, etc.)
    • Internet banking facilities (attack / penetration,  Certificate registration / management, ISP SLA’s, etc.)
    • Implementation of Smart Card and / or alternative customer recognition devices.
    • Outsourcing and associated risks / service level agreements
    • Payment processing
    • Payment clearance
    • Payment switching
    • Reporting (segregation of merchant / customers / aggregators / partners / local / international)
    • Fraud detection and reporting
    • 3rd party acquiring risks
    • Single merchant ID many businesses
    • Allows moneys to be laundered if the payment aggregator does not place appropriate controls on the merchant.
    • Encryption used
    • Internet / trusted partner / inter-bank / extranet
    • Private and / or public certificates
    • Single use certificates
    • Client side certificates
    • Remittance advice processes and controls.
    • EFT disaster recovery and manual fall back procedures (associated security and reconciliation risks)
    • Trusted partner relationships, SLA’s, liabilities and risks.
    • EFT regulatory / legal requirements (inter-bank and government)
    • Refund processing / authorisation. (policies, procedures, controls, etc.)
    • CVV, CVV-2 / CVC-2 processing and management. (
    • Fraud detection mechanism (neural networks, inter-bank / department customer checks, etc)
    • Supported card schemes (AMEX/Visa/Mastercard/Discover/etc )
    • Review EFT floor limits (corporate and SME merchants)
    • Review the ability to withhold merchant settlement until the presence of fraud has been determined.
    • Review customer identification details. Such as (This varies around the world depending on local regulations / privacy laws)
    • Review real-time and batched processing methods and controls (sequence numbers, access to raw data, etc.)
    • Review processing with and without expiry dates. (exception controls and policies)
    • Review exception / fraud reports.
    • Review payment store and forward policies and procedures.
    • Review Pre-Auth and Completion controls.
    • Token based payment (eCash, etc)
    • Merchant reconciliation, reporting methods and controls (paper, Internet, email, PDF, Fax, etc.) and associated security.
    • Real time gross settlement policies, procedures and controls. (IT and amounts)
    • Card issuing policies and procedures. (customer ID checks, etc)
    • Banking infrastructure (ingress / egress) controls and security. (Web, partner, payment switches, outsourced infrastructure, monitoring / reporting.)
    • Use of Internet technologies for inter-bank transfers and remote equipment.
    • Physical security and controls of devices, ATM,s, line encryptors, etc.

    DNS Hack Needs Patching – Serious Problem

    This has been kept under wraps by the Operating System and Hardware vendors for the last few weeks and now patches have finally been released for many Operating Systems, DNS software applications and Hardware devices.
    If you provide or rely on DNZ services (external and Internal) you should consider quickly patching your servers/devices.

    Although Internal DNS servers may not be exposed to an Internet attack, we see many more internal attacks within larger organisations which involve rogue server or services being established within the firewalled trusted network. As a result, this lifts the threat level of internal systems/services and therefore the need for effective timely patching.

    Also consider asking the question of your hosting facility, upstream ISP or DNS provider to see if they have patched their DNS servers and forwarders. This link also has a DNS checker.

    This is a full list of vendor patch links

    Good Luck

    Financial Transaction Processing

    I have been recently working inside one of the larger Banks in Australia.
    Through this work, I have been looking at the controls and mechanisms surrounding the processing of credit and debit cards around the Asia Pacific.

    I get to perform many security architecture and payment systems assessments.
    Over the years I have always considered the protection of the card data as one of the key considerations.

    Until yesterday I had never seen an CVV or PVV decryption tools. I think some scripted use of these tools could be very interesting.
    The site

    Many of the other tools on this site are also very unique and worth a look.
    Big thanks to ziggurat29 for providing such awesome tools.

    As many of these sites are of this nature are difficult to find and often seem to vanish over the years, I have chosen to replicate the the text from this page and provide local copies on the files.
    It is worth periodically visiting the ziggurat29 site every now and again to see if any additional tools have been posted.

    One of the more extraordinary files is the Atalla Hardware Security Module (HSM)  and BogoAtalla for Linksys emulation (simulation) tools. So I wonder if Eracom and Thales are shaking in their boots. Some how I don’t think so. 😉

    ——– ziggurat29 Text ———

    These are all Windows command-line utilities (except where noted); execute with the -help option
    to determine usage.

    DUKPT Decrypt (<- the actual file to download)

    This is a utility that will decrypt Encrypted PIN Blocks that have been produced via the DUKPT triple-DES method.  I used this for testing the output of some PIN Pad software I had created, but is also handy for other debugging purposes.

    VISA PVV Calculator (<- the actual
    file to download)

    This is a utility that will compute and verify PIN Verification Values that have been produced using the VISA PVV technique.  It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn computations), creating and encrypting PIN blocks, decrypting and extracting PINs from encrypted PIN blocks, etc.

    VISA CVV Calculator (<- the actual file to download)

    This is a utility that will compute Card Verification Values that have been produced using the VISA CVV technique.  MasterCard CVC uses the CVV algorithm, so it will work for that as well.  It will compute CVV, CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the
    format of the expiration date.  Verification is simply comparing the computed value with what you have received, so there is no explicit verification function.

    Atalla AKB Calculator (<- the actual file to download)

    This is a utility that will both generate and decrypt Atalla AKB cryptograms.  You will need the plaintext MFK to perform these operations.  When decrypting, the MAC will also be checked and the results shown.

    BogoAtalla (<- the actual file to

    This is an Atalla emulator (or simulator).  This software emulation (simulation) of the well-known Atalla Hardware Security Module (HSM) that is used by banks and processors for cryptographic operations, such as verifying/translating PIN blocks, authorising transactions by verifying
    CVV/CSC numbers, and performing key exchange procedures, was produced for testing purposes.  This implementation is not of the complete HP Atalla command set, but rather the just
    portions that I myself needed.  That being said, it is complete enough if you are performing acquiring and/or issuing processing functions, and are using more modern schemes such as Visa PVV and DUKPT, and need to do generation, verification, and translation.

    This runs as a listening socket server and handles the native Atalla command set.  I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native hardware), but definitely should get identical positive
    responses.  Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available.  Examples are generating PVV values and encrypting/decrypting plaintext PIN values.

    BogoAtalla for Linksys (<- the actual file to download)

    This is the Atalla emulator ported to Linux and build for installation on an OpenWRT system.  Makes for a really cheap ($60 USD) development/test device.


    Local Files


    Bluetooth Wireless Specification


    This article is about the Bluetooth wireless specification. For King Harold Bluetooth, see Harold I of Denmark

    Bluetooth is an industrial specification for wireless personal area networks (PANs).

    Bluetooth provides a way to connect and exchange information between devices like personal digital assistants (PDAs), mobile phones, laptops, PCs, printers and digital cameras via a secure, low-cost, globally available short range radio frequency.

    Bluetooth lets these devices talk to each other when they come in range, even if they’re not in the same room, as long as they are within 10 metres (32 feet) of each other.

    The spec was first developed by Ericsson, later formalised by the Bluetooth Special Interest Group (SIG). The SIG was formally announced on May 20, 1999. It was established by Sony Ericsson, IBM, Intel, Toshiba and Nokia, and later joined by many other companies as Associate or Adopter members.

    Table of contents

    * 1 About the name
    * 2 General information
    o 2.1 Embedded Bluetooth
    * 3 Features by version
    o 3.1 Bluetooth 1.0 and 1.0B
    o 3.2 Bluetooth 1.1
    o 3.3 Bluetooth 1.2
    o 3.4 Bluetooth 2.0
    * 4 Future Bluetooth uses
    * 5 Security concerns
    * 6 Bluetooth profiles
    * 7 See also
    * 8 External links

    About the name

    The system is named after a Danish king Harald Blåtand (<arold Bluetooth in English), King of Denmark and Norway from 935 and 936 respectively, to 940 known for his unification of previously warring tribes from Denmark, Norway and Sweden. Bluetooth likewise was intended to unify different technologies like computers and mobile phones. The Bluetooth logo merges the Nordic runes for H and B.

    General information


    A typical Bluetooth mobile phone headset

    The latest version currently available to consumers is 2.0, but few manufacturers have started shipping any products yet. Apple Computer, Inc. offered the first products supporting version 2.0 to end customers in January 2005. The core chips have been available to OEMs (from November 2004), so there will be an influx of 2.0 devices in mid-2005. The previous version, on which all earlier commercial devices are based, is called 1.2.

    Bluetooth is a wireless radio standard primarily designed for low power consumption, with a short range (up to 10 meters [1], ) and with a low-cost transceiver microchip in each device.

    It can be used to wirelessly connect peripherals like printers or keyboards to computers, or to have PDAs communicate with other nearby PDAs or computers.

    Cell phones with integrated Bluetooth technology have also been sold in large numbers, and are able to connect to computers, PDAs and, specifically, to handsfree devices. BMW was the first motor vehicle manufacturer to install handsfree Bluetooth technology in its cars, adding it as an option on its 3 Series, 5 Series and X5 vehicles. Since then, other manufacturers have followed suit, with many vehicles, including the 2004 Toyota Prius and the 2004 Lexus LS 430. The Bluetooth car kits allow users with Bluetooth-equipped cell phones to make use of some of the phone’s features, such as making calls, while the phone itself can be left in a suitcase or in the boot/trunk, for instance.

    The standard also includes support for more powerful, longer-range devices suitable for constructing wireless LANs.

    A Bluetooth device playing the role of “master” can communicate with up to 7 devices playing the role of “slave”. At any given instant in time, data can be transferred between the master and one slave; but the master switches rapidly from slave to slave in a round-robin fashion. (Simultaneous transmission from the master to multiple slaves is possible, but not used much in practice). These groups of up to 8 devices (1 master and 7 slaves) are called piconets.

    The Bluetooth specification also allows connecting two or more piconets together to form a scatternet, with some devices acting as a bridge by simultaneously playing the master role in one piconet and the slave role in another piconet. These devices have yet to come, though are supposed to appear within the next two years.

    Any device may perform an “inquiry” to find other devices to which to connect, and any device can be configured to respond to such inquiries.

    Pairs of devices may establish a trusted relationship by learning (by user input) a shared secret known as a “passkey”. A device that wants to communicate only with a trusted device can cryptographically authenticate the identity of the other device. Trusted devices may also encrypt the data that they exchange over the air so that no one can listen in.

    The protocol operates in the license-free ISM band at 2.45 GHz. In order to avoid interfering with other protocols which use the 2.45 GHz band, the Bluetooth protocol divides the band into 79 channels (each 1 MHz wide) and changes channels up to 1600 times per second. Implementations with versions 1.1 and 1.2 reach speeds of 723.1 kbit/s. Version 2.0 implementations feature Bluetooth Enhanced Data Rate (EDR), and thus reach 2.1 Mbit/s. Technically version 2.0 devices have a higher power consumption, but the three times faster rate reduces the transmission times, effectively reducing consumption to half that of 1.x devices (assuming equal traffic load).

    Bluetooth differs from Wi-Fi in that the latter provides higher throughput and covers greater distances but requires more expensive hardware and higher power consumption. They use the same frequency range, but employ different multiplexing schemes. While Bluetooth is a cable replacement for a variety of applications, Wi-Fi is a cable replacement only for local area network access. A glib summary is that Bluetooth is wireless USB whereas Wi-Fi is wireless Ethernet.

    Many USB Bluetooth adapters are available, some of which also include an IrDA adapter.

    Embedded Bluetooth

    Bluetooth devices and modules are increasingly being made available which come with an embedded stack and a standard UART port. The UART protocol can be as simple as the industry standard AT protocol, which allows the device to be configured to cable replacement mode. This means it now only takes a matter of hours (instead of weeks) to enable legacy wireless products that communicate via UART port.

    Features by version

    Bluetooth 1.0 and 1.0B

    Versions 1.0 and 1.0B had numerous problems and the various manufacturers had great difficulties in making their products interoperable. 1.0 and 1.0B also had mandatory Bluetooth Hardware Device Address (BD_ADDR) transmission in the handshaking process, rendering anonymity impossible at a protocol level, which was a major set-back for services planned to be used in Bluetooth environments, such as Consumerism.

    Bluetooth 1.1

    In version 1.1 many errata found in the 1.0B specifications were fixed. There was added support for non-encrypted channels.

    Bluetooth 1.2

    This version is backwards compatible with 1.1 and the major enhancements include

    • Adaptive Frequency Hopping (AFH), which improves resistance to radio interference by avoiding using crowded frequencies in the hopping sequence
    • Higher transmission speeds in practice
    • extended Synchronous Connections (eSCO), which improves voice quality of audio links by allowing retransmissions of corrupted packets.
    • Received Signal Strength Indicator (RSSI)
    • Host Controller Interface (HCI) support for 3-wire UART
    • HCI access to timing information for Bluetooth applications.

    Bluetooth 2.0

    This version is backwards compatible with 1.x and the major enhancements include

    • Non-hopping narrowband channel(s) introduced. These are faster but have been criticised as defeating a built-in security mechanism of earlier versions; however frequency hopping is hardly a reliable security mechanism by today’s standards. Rather, Bluetooth security is based mostly on cryptography.
    • Broadcast/multicast support. Non-hopping channels are used for advertising Bluetooth service profiles offered by various devices to high volumes of Bluetooth devices simultaneously, since there is no need to perform handshaking with every device. (In previous versions the handshaking process takes a bit over one second.)
    • Enhanced Data Rate (EDR) of 2.1 Mbit/s.
    • Built-in quality of service.
    • Distributed media-access control protocols.
    • Faster response times.
    • Halved power consumption due to shorter duty cycles.

    Future Bluetooth uses

    One of the ways Bluetooth technology may become useful is in Voice over IP. When VOIP becomes more widespread, companies may find it unnecessary to employ telephones physically similar to today’s analogue telephone hardware. Bluetooth may then end up being used for communication between a cordless phone and a computer listening for VOIP and with an infrared PCI card acting as a base for the cordless phone. The cordless phone would then just require a cradle for charging. Bluetooth would naturally be used here to allow the cordless phone to remain operational for a reasonably long period.

    Security concerns

    In November 2003, Ben and Adam Laurie from A.L. Digital Ltd. discovered that serious flaws in Bluetooth security lead to disclosure of personal data (see It should be noted however that the reported security problems concerned some poor implementations of Bluetooth, rather than the protocol itself.

    In a subsequent experiment, Martin Herfurt from the was able to do a field-trial at the CeBIT fairgrounds showing the importance of the problem to the world. A new attack called BlueBug was used for this experiment.

    In April 2004, security consultants @Stake revealed a security flaw that makes it possible to crack into conversations on Bluetooth based wireless headsets by reverse engineering the PIN.

    This is one of a number of concerns that have been raised over the security of Bluetooth communications. In 2004 the first purported virus using Bluetooth to spread itself among mobile phones appeared for the Symbian OS. The virus was first described by Kaspersky Labs and requires users to confirm the installation of unknown software before it can propagate. The virus was written as a proof-of-concept by a group of virus writers known as 29a and sent to anti-virus groups. Because of this, it should not be regarded as a security failure of either Bluetooth or the Symbian OS. It has not propagated ‘in the wild’.

    In August 2004, a world-record-setting experiment (see also Bluetooth sniping) showed that with directional antennas the range of class 2 Bluetooth radios could be extended to one mile. This enables attackers to access vulnerable Bluetooth-devices from a distance beyond expectation.

    Bluetooth uses the SAFER+ algorithm for authentication and key generation.

    Bluetooth profiles

    In order to use Bluetooth, a device must be able to interpret certain Bluetooth profiles. These define the possible applications. Following profiles are defined:

    • Generic Access Profile (GAP)
    • Service Discovery Application Profile (SDAP)
    • Cordless Telephony Profile (CTP)
    • Intercom Profile (IP)
    • Serial Port Profile (SPP)
    • Headset Profile (HSP)
    • Dial-up Networking Profile (DUNP)
    • Fax Profile
    • LAN Access Profile (LAP)
    • Generic Object Exchange Profile (GOEP)
    • Object Push Profile (OPP)
    • File Transfer Profile (FTP)
    • Synchronisation Profile (SP)

    This profile allows synchronisation of Personal Information Manager (PIM) items. As this profile originated as part of the infra-red specifications but has been adopted by the Bluetooth SIG to form part of the main Bluetooth specification, it is also commonly referred to as IrMC Synchronisation.

    • Hands-Free Profile (HFP)
    • Human Interface Device Profile (HID)
    • Hard Copy Replacement Profile (HCRP)
    • Basic Imaging Profile (BIP)
    • Personal Area Networking Profile (PAN)
    • Basic Printing Profile (BPP)
    • Advanced Audio Distribution Profile (A2DP)
    • Audio Video Remote Control Profile (AVRCP)
    • SIM Access Profile (SAP)

    Compatibility of products with profiles can be verified on the Bluetooth Qualification website.

    See also

    External links