Rss

    Archives for : Internet

    Interesting results from social search engines

    I went to a security presentation yesterday with one of the guys from work which summarised some of the cooler Blackhat and Defcon presentations from Las Vegas this year.

    One of these presentations demonstrated the use of the open API’s available for some of the social media sites. The below list represents some of the search engine I’ve found that allow search words to be queried against publicly available information. I’ve found that these searches far exceed what is indexed on the social media site search option.

    Search engines

    Google Buzz API Browser: explore what’s publicly visible through the Google Buzz API
    Facebook API Browser: explore what’s publicly visible through the Facebook Graph API
    Wink People Search
    Showdan HQ – Computer search engine (looks for MAC address)

    No need to bypass security with a boot disk – 17 year old Windows exploit found

    The problem has been discovered in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to, and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

    The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    Ormandy has also published a suitable exploit which functions under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. When tested by the The H’s associates at heise Security, the exploit opened a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7. No patch has become available, although Ormandy reports that Microsoft was already informed of the hole in mid 2009. The developer decided to publish the information regardless because, in his opinion, there is a simple workaround: to disable the MS-DOS subsystem.

    The workaround requires users to start the group policy editor and enable the “Prevent access to 16-bit applications” option in the Computer ConfigurationAdministrative TemplatesWindows ComponentsApplication Compatibility section. When tested with these settings by the heise Security team, the exploit no longer functioned. The settings reportedly don’t cause any major compatibility problems for most users while no 16-bit applications are being used.

    Update – The above option is only available through the group policy editor on Windows 2003 systems. Some versions of Windows do not include a group policy editor. As an alternative, users can also create a registry key under HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsAppCompat with a D-Word value of VDMDissallowed = 1. Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsAppCompat]

    “VDMDisallowed”=dword:00000001

    into a file called vdmdisallow.reg and double click the file. Windows will then automatically import the key (admin rights are required to perform this action).

    Update 2 - Microsoft has now confirmed the privilege escalation hole in Windows. The company says that it wants to complete its investigation of the vulnerability and will then decide whether, how and when to close it.

    See Also:

    REDMOND — When it rains, it pours. Especially in the Seattle area. Tavis Ormandy has published full details on a privilege escalation hack of all versions of Windows including Windows 7.

    The exploit takes advantage of a bug in the Windows implementation of the ‘virtual DOS machine’ used to run legacy 16-bit programs. The exploit can be avoided by turning the VDM ‘feature’ off but the danger of course is that enough Windows lusers won’t know about the bug and/or bother turning the ‘feature’ off.

    16-bit applications need BIOS support; the Windows kernel supports virtual BIOS interrupts in its ‘Virtual-8086’ mode monitor code. The code is implemented in two stages. The #GP trap handler transitions to the second stage when CS:EIP faults with specific ‘magic’ values.

    The transition requires (subsequent to authentication) restoring the context and the call stack from the faulting trap frame. But the authentication process is flawed, relying as it does on three incorrect assumptions.

    • Setting up a VDM context requires SeTcbPrivilege.The barrier to getting a VDM context can be subverted by requesting the NT VDM subsystem and then using CreateRemoteThread() to run code in the context of the VDM subsystem. The VDM subsystem already has the necessary flag set.
    • Ring 3 (unprivileged) code cannot install arbitrary code segment selectors.Using the two least significant bits of CS/SS to calculate the privilege of a task doesn’t work when it comes to Virtual-8086 mode. The 20-bit addressing (by adding CS << 4 to the 16-bit IP) is also used to map onto the protected linear Virtual-8086 address space. If CS can be set to an arbitrary value, then the privilege calculation can be circumvented.
    • Ring 3 (unprivileged) code cannot forge a trap frame.Returns to user mode are through IRET. An invalid context can cause IRET to fail pre-commit, which in turn forges a trap frame. And even with address randomisation it’s trivial to use NtQuerySystemInformation() to obtain the address of the second stage BIOS handler.

    Affected Systems

    This bug dates back 17 years and affects all systems released since 27 July 1993 – Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. See the links below for further details.

    See Also
    MITRE: CVE-2010-0232
    Windows plagued by 17-year-old privilege escalation bug
    NEOPHASIS: Trap Handler Allows Users to Switch Kernel Stack

    The Internet is the modern day electricity

    Recently I have been been sorting through some of my old electronic engineering books and found myself randomly flicking through circuit design principals and practical electronics/radio theory application of calculus.

    I remember the amount of hours I spent trying to get the different laws (Faraday, Coulomb, Kirchhoff, Lenz, Ohm, etc.) stuck in my head ready for the gruelling exams at the end of each term. I quickly realised that as I have moved from radio/electronics to the computer industry that most of my applied detailed knowledge has been lost.

    I think the old adage that you loose it if you don’t use it, definitely applies here.

    internet

    This got me thinking about the evolution of computing and the Internet and how there are many parallels to the introduction of electricity to the modern world and how we consider/use the Internet today.

    Examples that came to mind are:

    • Electricity was originally only available to business and the very wealthy
    • Electricity was originally only available in isolated segments of heavily populated areas
    • Electricity grids, once created, provided many more distribution opportunities, introduced redundancy and increased the customer reach which in-turn provided economies of scale to drive down costs
    • Modern society can not function without electricity
    • Electricity production methods and the resulting pollution has had a profound effect on our planet, where the production of consumer electronics and infrastructure supporting the never ending thirst of modern society for faster, more feature rich, communication methods. This is still spiralling out of control through the production of extraordinary high levels of non-recyclable waist, heavy metals and other planet destroying bi-products
    • Electricity has been essential to survive in modern day society for some time.

    The internet is quickly becoming (some would argue has become) essential to survival in our modern society and required to be available to all socio-economic groups and developing countries to allow them to participate in the global economy.

    But at what cost?

    Ham Radio Links

    Amateur Packet Radio Australian

    Aussiewide Packet Radio Network http://www.ampr.org.au/

    AAPRA  http://members.optusnet.com.au/aapra

    Queensland APRS Users Group http://www.tech-software.net/

    VK2KFJ’s Packet Radio Links page http://www.qsl.net/vk2kfj/pacradio.html

    VK4ZU http://www.users.on.net/~trevorb/

    VK5 AX25 Packet Network Map (VK5AH) http://homepages.picknowl.com.au/wavetel/vk5pack.htm

    Winlink

    Winpack

    International

    Amateur Packet Radio Gateways http://www.ampr-gates.net/frame_e.htm

    Amateur Packet Radio, net 44, and AMPR.ORG `http://www.ampr.org/

    American Febo Enterprises http://www.febo.com/index.html

    BayCom http://www.baycom.org/

    FUNET http://www.funet.fi/pub/ham/packet/

    FUNET ftp://ftp.funet.fi/pub/ham/packet/

    F4DAY http://perso.wanadoo.fr/jf.fourcadier/index_e.htm

    F6FBB http://www.f6fbb.org/

    GB7DIP TNOS/PBBS http://www.qsl.net/gb7dip/access.html

    G4JKQ TCP/IP Telnet listing http://www.qsl.net/g4jkq/tcp.htm

    G7JJF TNC Driver Support (WINTNC) http://www.g7jjf.demon.co.uk/

    High speed packet http://hydra.carleton.ca/articles/hispeed.html

    High Speed Packet radio http://www.lmrgroup.com/ke3ht/hspr.html

    High-speed Packet Radio http://cacofonix.nt.tuwien.ac.at/~oe1kib/Radio/

    KE5FX http://www.qsl.net/ke5fx/

    K4ABT (home page) http://www.packetradio.com/

    Linux® / Amateur Radio Information http://delbert.matlock.com/linux-radio.htm

    Linux AX25-HOWTO http://tldp.org/HOWTO/AX25-HOWTO/

    PA3CGO http://www.qsl.net/pa3gco/

    Packet Info and Downloads http://www.packetradio.com/

    Packet Links http://www.stack.serpukhov.su/~victor/hamradio/packet/packet.html

    Packet Net (VK5 packet map) http://www.packetnet.org/

    Packet Net (FBB software) http://www.packetnet.org/fbb.htm

    PAcket Digital Amateur Network (PADAN) http://www.weaksignals.com/

    Radio-TNC Wiring Diagrams http://users3.ev1.net/~medcalf/ztx/wire/

    RST http://www.qsl.net/on1blu/

    Slovenian ATV/Packet http://lea.hamradio.si/~s51kq/

    Sound Card Packet http://www.qsl.net/soundcardpacket/index.html

    TAPR http://www.tapr.org/

    TNC-X http://www.tnc-x.com/

    TPK http://www.f6fbb.org/f1ebn/index.htm

    TNOS Central http://www.lantz.com/tnos/

    TVIPUG http://www.tvipug.org

    WA4DSY 56k RF Modem http://www.wa4dsy.net/

    Yet Another 9k6 Modem http://www.microlet.com/yam/

     

    Sound Card Packet

    ILINKBOARDS.com http://www.ilinkboards.com/

    Sound Card Buddy http://www.sparetimegizmos.com/Hardware/SoundBuddy.htm

    Soundcard Interfacing http://www.qsl.net/wm2u/interface.html

    Sound Card Packet AGWPE (KC2RLM) http://www.patmedia.net/ralphmilnes/soundcardpacket/

    Sound Card Interface with Tone Keyer (WA8LMF) http://members.aol.com/wa8lmf/ham/tonekeyer.htm

    QDG sound card interface

    Return to Top


    Winlink

    Winlink! 2000 http://winlink.org/

    Aussie Winlink http://www.aussiewinlink.org

    Pactor Communications Australia http://www.pca.cc/


    Winpack

    Winpack home page http://www.peaksys.co.uk/

    Winpack info http://www2.tpg.com.au/users/peteglo/winpack.htm

     

    TNC information

    General

    Setting Your TNC’s Audio Drive Level http://www.febo.com/packet/layer-one/transmit.html

    TNC and Radio mods http://www.johnmather.free-online.co.uk/tnc.htm

    MFJ

    MFJ-1278B Care and maintenance http://www.qsl.net/ke4mob/

    AEA

    AEA radio and TNC mods http://www.k7on.com/mods/aea/mods/aeamod.txt

    Other suppliers

    BYONICS http://byonics.com/

    Fox Delta http://www.foxdelta.com/

    Kantronics http://www.kantronics.com/

    PacComm http://www.paccomm.com/

    The DXZone Digital and Packet Radio http://www.dxzone.com/catalog/Manufacturers/Digital_and_Packet_Radio/

    Tigertronics http://www.tigertronics.com/

    Timewave http://www.timewave.com/amprods.html

    TNC-X – The Expandable TNC  http://www.tnc-x.com/


    Gateways

    Amateur Packet Radio Gateways http://www.ampr-gates.net

    G4JKQ http://www.g4jkq.co.uk/

    The Gateways Home Page http://www.ampr-gateways.org/

     

    High-Speed Digital Networks and Multimedia (Amateur)

    North Texas High Speed MultiMedia group http://groups.yahoo.com/group/ntms-hsmm/

    Also take a look at the wireless LAN pages


    APRS

    Aus APRS http://www.radio-active.net.au/vk2_aprs.html

    APRS http://www.radio-active.net.au/web/gpsaprs/aprsrept.html

    APRS http://aprs.rutgers.edu/

    APRS http://www.cave.org/aprs/

    APRS in Adelaide http://vk5.aprs.net.au/

    AVR-Microcontroller http://www.qsl.net/dk5jg/aprs_karten/index.html

    APRS in the UK http://www.aprsuk.net/

    aprsworld http://www.aprsworld.net

    APRS.DE http://www.aprs.de/

    APRS-Berlin http://www.aprs-berlin.de/

    APRS-Frankfurt http://www.aprs-frankfurt.de/

    BYONICS (Electronics Projects for Amateur Radio) http://www.byonics.com/

    CanAPRS http://www.canaprs.net/

    Dansk APRS Gruppe http://www.aprs.dk/

    findU.com http://www.findu.com/

    France APRS http://www.franceaprs.net/

    Kansas City APRS Working Group http://www.kcaprs.org/

    KD4RDB http://wes.johnston.net/aprs/

    Live Australian APRS data maps http://www.aprs.net.au/japrs_live.html

    NIAN http://nian.aprs.org/

    Queensland APRS Users Group http://www.tech-software.net/

    Tri-State APRS Working Group http://www.tawg.org/


    Other Digital Modes

    General

    HF-FAX http://www.hffax.de/index.html

    ZL1BPU http://www.qsl.net/zl1bpu/

    Morse Code

    CW Operators’ QRP Club Inc. http://www.users.on.net/~zietz/qrp/club.htm

    Fists Down Under http://fistsdownunder.morsekeys.com

    LEARN MORSE CODE in one minute ! http://www.learnmorsecode.com/

    MRX morse code http://www.mrx.com.au/

    Not Morse Code, Slow Scan , Packet or APRS

    HamDream by HB9TLK (digital radio) http://www.qslnet.de/member/hb9tlk/

    JE3HHT, Makoto (Mako) Mori http://www.qsl.net/mmhamsoft/

    PSK31 and other PC Magic http://www.psk31.com/

    WSJT ACTIVITY IN AU (follow link) http://www.tased.edu.au/tasonline/vk7wia/


    Amateur Digital Radio

    AR Digital Voice Communications http://www.hamradio-dv.org/

    Australian National D-Star http://www.dstar.org.au/

    Ham Radio digital info http://www.hamradio.com/pdf/dstar.pdf

    ICOM America digital http://www.icomamerica.com/amateur/dstar/

    Temple University Digital Voice Project http://www.temple.edu/k3tu/digital_voice.htm

    Temple University Vocoder Redux http://www.temple.edu/k3tu/VocoderRedux.pdf

    WinDRM – HF Digital Radio Mondiale http://n1su.com/windrm/

     

    D-Star

    Australian D-Star information http://www.dstar.org.au/

    D-Star wikipedia http://en.wikipedia.org/wiki/D-STAR

    ICOM America D-Star Forums http://www.icomamerica.com/en/support/forums/tt.asp?forumid=2

     

    Software Defined Radio

    FlexRadio Systems Software Defined Radios http://www.flex-radio.com/

    Rocky software for SoftRock-40 hardware http://www.dxatlas.com/rocky/

    SDRadio – a Software Defined Radio http://digilander.libero.it/i2phd/sdradio/

    SoftRock-40 Software Defined Radio http://www.amqrp.org/kits/softrock40/index.html

    The Weaksignals pages og Alberto I2PHD (software)  http://www.weaksignals.com/


    Digital Radio

    BBC digital Radio http://www.bbc.co.uk/digitalradio/

    Digital Audio Broadcasting http://www.digitalradio.ca/

    Digital Radio Broadcasting http://happy.emu.id.au/lab/info/digradio/index.html

    Digital Radio http://www.magi.com/~moted/dr/

    DRDB http://www.drdb.org/

    DRM – Digitaler Rundfunk unter 30 MHz http://www.b-kainka.de/drm.htm#dritte

     

    Amateur Radio Direction Finding

    Amateur Radio Direction Finding and Orienteering http://vkradio.com/ardf.html

    Amateur Radio Direction Finding Webring http://www.qsl.net/vk3zpf/webring1.htm

    Homing In http://members.aol.com/homingin/

    RON GRAHAM ELECTRONICS (ARDF and more) http://users.mackay.net.au/~ron/

    Victorian ARDF Group Inc. http://www.ardf.org.au/


    Repeater Linking

    There are currently There are 5 internet linking projects that I know of :-

    IRLP,  iPHONE, iLINK, eCHOLINK and WIN SYSTEM (May 2005)

    EchoLink http://www.echolink.org/

    Hamlink (K1RFD) http://www.hamlink.net/

    KWARC (live audio) http://www.kwarc.org/listen/

    Internet Linking http://www.qsl.net/g3zhi/index2.html

    IRLP http://www.irlp.net/

    IRLP status http://status.irlp.net

    WIN SYSTEM http://www.winsystem.org/

    iLINK

    G4CDY-L Internet Gateway http://www.g4cdy.co.uk/

    iLink http://www.aacnet.net./

    VA3TO iLINK INTERFACE http://www.ilinkca.com/

    VK2JTP iLINK gateway http://www.qsl.net/vk2jtp/

    WB2REM & G4CDY’S  iLINK boards http://www.ilinkboards.com/

    WB4FAY http://www.wb4fay.com/ilink_FAQ.html

    INTERFACES

    ILINKBOARDS.com http://www.ilinkboards.com/


    laser diodes

    A R Laser Communications http://www.qsl.net/wb9ajz/laser/laser.htm

    Australian Optical DX Group http://groups.yahoo.com/group/Optical_DX/

    Driver Enhancements http://www.misty.com/people/don/laserdps.htm#dpsdepm

    European Laser Communications http://www.emn.org.uk/laser.htm

    Ronja http://atrey.karlin.mff.cuni.cz/~clock/twibright/ronja/


    Amateur Radio Licence

    radiofun http://www.alphalink.com.au/~parkerp/gateway.htm

    Worldwide Information on Licensing for Radio Amateurs by OH2MCN http://www.qsl.net/oh2mcn/license.htm


    Amateur Radio Clubs and Organisations

    Also see ATV link page

    and VHF link page

    Australian

    Adelaide Hills Amateur Radio Society http://www.qsl.net/vk5bar/

    Amateur Radio Victoria http://www.amateurradio.com.au/

    Barossa Amateur Radio Club VK5BRC http://www.qsl.net/vk5brc/

    Brisbane Amateur Radio Club http://www.qsl.net/vk4ba/index.html

    Brisbane VHF Group

    Central Coast Amateur Radio Club http://www.ccarc.org.au/

    Central Goldfields A R Club http://www.cgfar.com/

    CHIFLEY A R CLUB http://chifley.radiocorner.net/

    Coffs Harbour & District Amateur Radio Club http://www.qsl.net/vk2ep/index.html

    CW Operators’ QRP Club Inc. http://www.users.on.net/~zietz/qrp/club.htm

    Eastern and Mountain District Radio Club http://www.emdrc.com.au

    Gold Coast AR Society http://www.gcars.com.au/

    Healesville Amateur Radio Group http://www.harg.org.au/

    Historical Wireless Society of South East Queensland http://www.hws.org.au/

    Ipswich Metro Radio Group http://imrg.ips-mesh.net/

    Lockyer Valley Radio and Electronic Club Inc http://www.qsl.net/vk4wil/

    Manly-Warringah Radio Society http://www.qsl.net/vk2mb/

    NWTARIG http://vk7ax.tassie.net.au/nwtarig/

    QRP Amateur Radio Club International http://www.qrparci.org/

    Queensland APRS Users Group http://www.tech-software.net/

    RADAR Club Inc http://radarclub.tripod.com

    Radio Amateurs Old Timers Club Australia Inc http://www.raotc.org.au/

    Radio Sport http://www.uq.net.au/radiosport/

    Radio and Electronics Association of Southern Tasmania http://reast.asn.au/

    Riverland Amateur Radio Club http://www.rrc.org.au/

    South Australian Packet User Group Inc. (SAPUG) http://www.sapug.ampr.org/

    SERG http://serg.mountgambier.org

    South Coast AMATEUR RADIO Club http://www.scarc.org.au/

    SOUTHSIDE AMATEUR RADIO SOCIETY http://www.qsl.net/vk4wss/

    Sunshine Coast Amateur Radio Club http://vk4wis.org/

    VK Young Amateur Radio Operator’s Net http://www.geocities.com/vk_ya/

    VK3APC http://www.mdrc.org.au/

    VK3BEZ (WIA Eastern Zone Amateur Radio Club) http://www.qsl.net/vk3bez/

    VK4WIL http://www.qsl.net/vk4wil/

    West Australia Repeater Group http://www.warg.org.au

    WESTLAKES AR Club http://www.westlakesarc.org.au/

    WIA VK4 Qld http://www.wiaq.com/

    WIA VK4 QNEWS NEWSROOM http://www.wiaq.com/qnews/upload/qnews.htm

    WIA http://www.wia.org.au/

    WICEN Australia http://www.wicen.org.au/

    WICEN Brisbane Qld

    New Zealand

    NZART http://www.nzart.org.nz/nzart/

    Papakura Radio Club http://www.qsl.net/zl1vk/

    Wanganui Amateur Radio Society Inc. http://www.zl2ja.org.nz/

    Wellington VHF Group http://www.vhf.org.nz/

    International

    American QRP Club http://www.amqrp.org/index.html

    ARRL http://www.arrl.org/

    Clear Lake Amateur Radio Club http://www.clarc.org/

    FRARS http://www.frars.org.uk/

    HKAR http://www.hkra.org/

    HRDXA http://www.qsl.net/vr2dxa/

    KIDSHAMRADIO http://www.kidshamradio.com/

    K2MFF Amateur Radio club http://www-ec.njit.edu/~k2mff/

    North TeXas Repeater Association http://www.ntxra.com/main_page.htm

    N0WGE http://www.sckans.edu/~sireland/radio/

    The Repeater Builders Technical Information Page http://www.repeater-builder.com/rbtip/index.html#main-index

    Richardson Wireless Klub http://www.k5rwk.org/

    RADARS http://www.mbc.co.uk/RADARS/

    RSGB http://www.rsgb.org/

    SARL http://www.sarl.org.za/

    Submarine Veterans Amateur Radio http://w0oog.50megs.com/

    Southgate AR club http://www.southgatearc.org/index.htm

    TEARA http://www.teara.org/

    The 500 KC Experimental Group for Amateur Radio http://www.500kc.com/

    Tucson Amateur Packet Radio http://www.tapr.org/

    W6DEK 435 Los Angeles http://www.w6dek.com/


    Amateur Radio

    Australian

    Australian AR Repeater Map http://vkham.com/australimaps.html

    AMATEUR RADIO WIKI http://www.amateur-radio-wiki.net

    HAM SHACK COMPUTERS http://www4.tpgi.com.au/users/vk6pg/

    Ham Radio in Australia with VK1DA http://members.ozemail.com.au/~andrewd/hamradio/

    HF Radio Antenna Tuners http://www.users.bigpond.net.au/eagle33/elect/ant_tuner.htm

    Queensland AR Repeater listings http://vkham.com/Repeater/vk4map.html

    Radioactive Networks: Ham http://www.radio-active.net.au/web/ham/

    Tony Hunt VK5AH (Home of Adelaides 10m Repeater) http://homepages.picknowl.com.au/wavetel/default.htm

    VK1DA’s Amateur Radio Web Directory vk1da.net/radlink.html

    VK1KEP http://www.pcug.org.au/~prellis/amateur/

    VK1OD owenduffy.net

    VK2BA (AM radio) http://www.macnaughtonart.com/default.htm

    VK3PA http://www.vk3pa.com/home.asp

    VK3UKF http://members.fortunecity.co.uk/vk3ukf/index.html

    VK3XPD http://www.users.bigpond.com/alandevlin/index.html

    VK3YE’s Gateway to AR http://www.alphalink.com.au/~parkerp/gateway.htm

    VK3ZQB http://members.datafast.net.au/vk3zqb/

    VK4CEJ http://www.hfradio.org/vk4cej/hamlinks.html

    VK4TEC http://www.tech-software.net/

    VK4TUB http://www.vk4tub.org/

    VK4ZGB http://members.optusnet.com.au/jamieb/index.html

    VK4ZU http://www.users.on.net/~trevorb/

    VK5BR http://users.tpg.com.au/users/ldbutler/

    VK5KK http://www.ozemail.com.au/~tecknolt/index.html

    VK8JJ http://www.qsl.net/vk8jj/

    New Zealand

    Micro Controller Projects for Radio Amateurs and Hobbyists http://www.qsl.net/zl1bpu/micro/index.htm

    Precision Frequency Transmission and Reception http://www.qsl.net/zl1bpu/micro/Precision/index.htm

    ZL3TMB http://www.hamradio.co.nz/

    International

    AC6V’s AR & DX Reference http://www.ac6v.com/

    Amateur radio with Knoppix http://www.afu-knoppix.de/

    Amateur Radio Soundblaster Software Collection http://www.muenster.de/~welp/sb.htm

    AM fone.net http://www.amfone.net

    AMRAD Low Frequency Web Page http://www.amrad.org/projects/lf/index.html

    DL4YHF http://www.qsl.net/dl4yhf/

    Direction finding http://members.aol.com/homingin/

    DSP Links http://users.iafrica.com/k/ku/kurient/dsp/links.html

    Electric-web.org www.electric-web.org

    EI4HQ http://www.4c.ucc.ie/~cjgebruers/index.htm

    EI8IC http://www.qsl.net/ei8ic/

    EHAM http://www.eham.net/

    eQSL (electronic QSL) http://www.eqsl.cc/qslcard/

    HamInfoBar http://www.haminfobar.co.uk/

    Felix Meyer http://home.datacomm.ch/hb9abx/

    FUNET http://www.funet.fi/pub/ham/

    F4DAY http://perso.wanadoo.fr/jf.fourcadier/index_e.htm

    Gateway to Amateur Radio http://www.alphalink.net.au/~parkerp/gabra.htm

    Grid Square Locator http://www.arrl.org/locate/grid.html

    G3PTO http://www.qsl.net/g3pto/

    G4KLX (The [ON/]G4KLX Page) http://www.qslnet.de/member/g4klx/

    HAM RADIO EQUIPMENT & ACCESSORIES http://www.area-ham.org/library/equip/equip.htm

    Ham-Links http://www.k1dwu.net/ham-links/

    HAMUNIVERSE.COM http://www.hamuniverse.com/

    Hamview DSP software http://www.qsl.net/k3pgp/Hamview/hamview.htm

    Homebrew RF Test Equipment And Software http://www.qsl.net/n9zia/wireless/appendixF.html#10

    KB4VOL   link site http://pages.prodigy.com/kb4vol/

    KE5FX http://www.qsl.net/ke5fx/

    KF6VTA & KG4TBJ http://www.geocities.com/silensiosham/index.html

    KU4AY ham radio directory http://www.ku4ay.net/

    K1DWU http://www.k1dwu.net/

    K1TTT http://www.k1ttt.net/

    K1TTT Technical Reference http://www.k1ttt.net/technote/techref.html

    K3PGP http://www.k3pgp.org/

    K3TZ Ham Radio Experimentation http://www.qsl.net/k3tz/

    K6XC (links) http://home.earthlink.net/~rluttringer/

    Lighthouses (International Lighthouse/ Lightship Weekend) http://illw.net

    Links2go http://www.links2go.net/more/www.ampr.org/

    Mels AMATEUR RADIO LINK’S http://www.users.zetnet.co.uk/melspage/amlinks.htm

    Michael Todd Computers & Communications http://www.arcompanion.com/

    MoDTS http://www.m0dts.co.uk/

    NT8N http://www.qsl.net/nt8n

    NW7US   (Amateur and Shortwave Radio) http://hfradio.org/

    N3EYR’s Radio Links http://www.isrv.com/~joel/radio.html

    PD0RKC http://www.qsl.net/pd0rkc/

    PI6ATV (ATV, Antenna, software, info) http://members.tripod.lycos.nl/PI6ATV/software.htm

    Radio Links http://www.angelfire.com/ri/theboss1/

    Radio Corner (forum) http://www.radiocorner.net

    Ray Vaughan http://rayvaughan.com/

    Reference http://www.panix.com/~clay/ham/

    streaming radio programs http://live365.com/home/index.live

    The Elmer HAMlet (information) http://www.qth.com/antenna/index.htm

    VE1XYL and VE1ALQ http://www.qsl.net/ve1alq/downloads/tetrode-ps/pwrsup.htm

    WB6VUB (links) http://www.mpicomputers.com/ham/

    WL7LP http://www.geocities.com/TimesSquare/Castle/3782/wl7lp.html

    W2XO http://www.w2xo.pgh.pa.us/

    XE1BEF  (DX, mods, links and more) http://www.geocities.com/xe1bef/


    Communications Equipment

    Australian

    Andrews Communication Systems http://www.andrewscom.com.au/

    AUSTRALIAN ENTERPRISE INDUSTRIAL http://www.spin.net.au/~aeitower/

    BENELEC www.benelec.com.au

    Bushcomm www.bushcomm.com.au

    G. & C. COMMUNICATIONS www.gccomm.com.au

    Hamak (RM Products Italy) http://www.hamak.com.au/

    Hamshack http://www.hamshack.com.au

    KENWOOD Australia http://www.kenwood.com.au/

    Kyle Communications http://www.kyle.com.au/

    ICOM Australia http://www.icom.net.au

    Mini-kits http://www.minikits.com.au/

    OZGEAR http://www.ozgear.com.au/

    Radio-Data (links) http://www.radio-data.net/

    Radio Specialists (equipment connectors and antenna) http://www.radiospecialists.com.au

    STRICTLY HAM http://www.strictlyham.com.au/

    TET-EMTRON www.tet-emtron.com

    Townsville CB& Communications http://www.vk4tub.org/tcb/tcb.html

    TTS Systems http://www.ttssystems.com.au/

    VK4-ICE Communications http://www.vk4ice.com

    WiNRADiO (PC based receivers) http://www.winradio.com.au

    International

    MFJ http://www.mfjenterprises.com/index.php

    Vertex Standard http://www.vxstd.com/en/index.html

    W7FG VINTAGE MANUALS CATALOGUE http://www.w7fg.com/index.html

    Z Communications Company (repair of old radio equipment) http://home.comcast.net/~zcomco/

    See also Kits and components


    Radio mods, cables, connection info

    batlabs (Motorola radio connection, cable info) http://www.batlabs.com/

    Hall Electronics http://www.hallelectronics.com/getech/proglink.htm

    Radio Mods http://www.mods.dk/

    WWW.ham.dmz.ro (mods info and more) http://www.ham.dmz.ro/

    W4RP IC-2720H Page http://www.w4rp.com/ic2720/

    XE1BEF  (DX, mods, links and more) http://www.geocities.com/xe1bef/

    Please also look at manufacture’s sites


    Lightning Protection

    www.DaStrike.com (video and links) http://www.dastrike.com/

    K9WK Amateur Radio http://www.k9wk.com/litenin.html

    Lightning Protection Institute http://www.lightning.org/

    Marine Grounding Systems http://www.sailmail.com/grounds.htm

    Moonraker boat lightning information http://www.moonraker.com.au/techni/lightning-marine.htm

    NLSI http://www.lightningsafety.com/nlsi_lhm/effect.html

    PolyPhaser http://www.polyphaser.com/

    RFI Lightning protection http://www.rfindustries.com.au/rfiproducts/lightning/lightning.htm

     

    Amateur Spread Spectrum

    Spread Spectrum Scene http://www.sss-mag.com/map.html

    Spread spectrum http://www.amrad.org/projects/ss/

    SS Info http://www.ictp.trieste.it/~radionet/1997_workshop/wireless/notes/index.htm


    Call-sign finders

    The DX Notebook http://www.dxer.org/callbook.html

    QRZ http://www.qrz.com/

    QSL.NET http://www.qsl.net/


    Equipment suppliers and manufacturers

    Easy-radio (your DNS server may have problems finding this site) http://www.easy-radio.co.uk/


    Kits and Components

    Australian and selected international suppliers

    ACRES ELECTRONICS http://www.acreselectronics.co.nz/product.htm

    Allthings http://www.allthings.com.au/

    Altronics http://www.altronics.com.au/

    Antique Electronic Supply http://www.tubesandmore.com/

    Antenna Systems and Supplies Inc. (sm) http://www.antennasystems.com/

    Av-COMM http://www.avcomm.com.au/

    BYONICS http://www.byonics.com/

    Clarke & Severn Electronics http://www.clarke.com.au

    Cliff Electronics (Aus) Pty. Ltd http://www.cliff.com.au/

    Computronics http://www.computronics.com.au/tools/

    David Hall Electronics http://www.dhe.com.au

    Dick Smith Electronics http://www.dse.com.au/cgi-bin/dse.storefront

    Digi-Key http://www.digikey.com/

    Dominion Electronics http://www.dominion.net.au/

    Electronics http://www.michelletroutman.com/index.htm

    Elliott Sound Products http://sound.westhost.com/index2.html

    Farnell http://www.farnell.com/

    Fox Delta http://www.foxdelta.com/

    G1MFG.com (ATV and more) http://www.g1mfg.com/index.html

    Hammond Mfg http://www.hammondmfg.com/

    Hy-Q International http://www.hy-q.com.au

    IRH Components http://www.irh.com.au/index.htm

    Jaycar http://www.jaycar.com.au/

    Microwave Dynamics http://www.microwave-dynamics.com/

    MicroZed Computers http://www.microzed.com.au/

    Mini-Circuits http://www.minicircuits.com/

    Mini-kits http://www.minikits.com.au/

    Mouser Electronics http://www.mouser.com/

    NEWTEK ELECTRONICS http://www.newtek.com.au/

    Oatley electronics http://www.oatleyelectronics.com/

    Ocean State Electronics http://www.oselectronics.com/

    Ozitronics http://www.ozitronics.com/

    pacific DATACOM http://www.pacificdatacom.com.au

    Picaxe http://www.Picaxe.com.au

    Prime Electronics http://www.prime-electronics.com.au/

    Radio Parts http://www.radioparts.com.au/

    R.C.S. Radio (circuit boards) http://www.rcsradio.com.au/

    RF Modules Australia (ZigBee) http:\www.rfmodules.com.au

    RFShop (Brisbane) http://www.rfshop.com.au/

    Rockby Electronics and Computers http://www.rockby.com.au/

    RS Components http://www.rsaustralia.com/

    Semtronics http://www.semtronics.com.au/

    Sicom http://www.sircom.co.nz

    Silvertone Electronics http://www.silvertone.com.au/

    South Island Component Centre (New Zealand) http://www.sicom.co.nz/

    Surplus Sales of Nebraska http://www.surplussales.com/

    Surplustronics (New Zealand) http://www.surplustronics.co.nz/

    Tandy (Australia) http://www.tandy.com.au/

    Teckics http://www.techniks.com/

    TTS Systems http://www.ttssystems.com.au/

    WB9ANQ’s Surplus Store http://www.qsl.net/wb9anq/

    Wiltronics http://www.wiltronics.com.au/

    Worldwide Electronic Components http:/www.iinet.net.au/~worcom

    13cm.co.uk http://www.13cm.co.uk/

    Also look at the ATV links



    PCB layout and schematic programs baas electronics LAYo1 PCB http://www.baas.nl/layo1pcb/uk/index.html

    Easytrax http://www.cia.com.au/rcsradio/

    Electronics WORKBENCH http://www.ewbeurope.com/Franklin Industries http://www.franklin-industries.com/Eagle/starteagle.html McCAD http://www.mccad.com/ OrCAD http://www.orcad.com/downloads.aspx TARGET 3001! http://www.ibfriedrich.com/english/engl_vordownload.htm Tech5 http://www.tech5.nl/eda/pcblayout TinyCAD http://tinycad.sourceforge.net/ VEGO ABACOM http://www.vego.nl/abacom/download/download.htm


    Amateur Satellites and space

    AMSAT http://www.amsat.org/

    AMSAT-DL http://www.amsat-dl.org/

    AMSAT-ZL (kiwisat) http://www.amsat-zl.org.nz/

    CSXT Civilian Space eXploration Team http://www.civilianspace.com/

    electric-web.org http://www.electric-web.org

    esa http://www.esa.int/esaCP

    Heavens-above http://www.heavens-above.com/

    ISS fan club http://www.issfanclub.com

    SATSCAPE   (free satellite tracking program) http://www.satscape.co.uk/

    Satellite tracking software http://perso.club-internet.fr/f1orl/index.html

    Satsignal http://www.satsignal.net/

    Space.com http://www.space.com/

    UHF-Satcom.com http://www.uhf-satcom.com

     

    Propagation

    NOAA http://www.sec.noaa.gov/

    IPS Radio and Space Services http://www.ips.gov.au/

    ITS http://www.its.bldrdoc.gov/

    Near-Real-Time MUF Map http://www.spacew.com/www/realtime.php

    Radio Mobile (path prediction) http://www.cplus.org/rmw/english1.html

    VK4ZU (Propagation) http://www.users.on.net/~trevorb/

     

    Satellite TV

    AV-COMM http://www.avcomm.com.au/

    KANSAT http://www.kansat.com.au/

    KRISTAL electronics http://www.kristal.com.au/index.html

    Lyngsat http://lyngsat.com/

    Nationwide Antenna Systems http://www.uq.net.au/~zznation/index.html

    Satcure http://www.satcure.com/

    SAT TV http://www.sattv.com.au/


     

    Radio and Scanning

    Australian

    Brisbane Radio Scanner http://www.angelfire.com/id/samjohnson/

    Extreme Worldwide Scanner Radio http://members.optushome.com.au/extremescan/scanning.html

    Newcastle Area Radio Frequency Guide http://scanhunter.tripod.com/index.html

    RADIO FREQUENCIES AND INFORMATION http://www.qsl.net/vk1zmc/information.html

    New Zealand

    Kiwi Radio http://kiwiradio.blakjak.net/

    NZscanners http://www.nzscanners.org.nz/

    Wellington Scanner Frequencies http://wsf2003.tripod.com/

    ZLScanner http://homepages.paradise.net.nz/lovegrov/

    ZL3TMB (Christchurch NZ) http://www.hamradio.co.nz/

    International

    Frequency guide http://www.panix.com/~clay/scanning/

    Incident Broadcast Network (including Australian feeds) http://www.incidentbroadcast.com

    Radio H.F.  (some ham stuff) http://www3.sympatico.ca/radiohf/

    RadioReference.com http://www.radioreference.com/index.php


    Amateur Radio DX and Contest

    DX Cluster

    AA1V’s DX Info-Page http://www.goldtel.net/aa1v/

    AC6V’s AR & DX Reference http://www.ac6v.com/

    Australian contesting http://www.vkham.com/index.html

    Buckmaster callsign database http://www.buck.com/cgi-bin/do_hamcall

    DX Greyline http://www.fourmilab.ch/cgi-bin/uncgi/Earth/action?opt=-p

    DX Summit http://oh2aq.kolumbus.com/dxs/

    DX 425 News http://www.425dxn.org/

    EHAM http://www.eham.net/

    EI8IC Global Overlay Mapper http://www.mapability.com/ei8ic/

    eQSL (electronic QSL) http://www.eqsl.cc/qslcard/

    German DX Foundation-GDXF http://www.gdxf.de/

    GlobalTuners (provides access to remotely controlled radio receivers all over the world) http://www.globaltuners.com/

    Ham Atlas by SP6NVK http://www.hamatlas.eu/

    Kiwi DX List http://groups.yahoo.com/group/kiwidxlist/

    Oceania Amateur Radio DX Group Incorporated http://odxg.org/

    Oceania DX Contest http://www.oceaniadxcontest.com/

    QRZ.COM http://www.qrz.com/site.html

    The AM Window http://www.amwindow.org/index.htm

    The Daily DX http://www.dailydx.com

    IARU QSL Bureaus http://www.iaru.org/iaruqsl.html

    International DX Association http://www.indexa.org/

    Internet Ham Atlas http://www.hamatlas.eu/

    IOTA http://www.425dxn.org/iota/

    IOTA groups and Reference http://www.logiciel.co.uk/iota/shtlist.html

    IOTA RSGB http://rsgbiota.org

    IOTA 425 http://www.425dxn.org/iota

    Island Radio Expedition Fondation http://www.islandradio.org/

    LA9HW HF Contest page http://home.online.no/~janalme/hammain.html

    NG3K Contest/DX Page http://www.cpcug.org/user/wfeidt/

    Northern California DX Foundation http://www.ncdxf.org

    Simple phrases in European Languages http://web.onetel.com/~stephenseabrook/

    SUMMITS on the AIR http://www.sota.org.uk/

    Telnet Access to DX Packet Clusters http://cpcug.org/user/wfeidt/Misc/cluster.html

    The DX Notebook http://www.dxer.org/

    VE6OA’s DX Links http://www.compusmart.ab.ca/agirard/dxlinks.htmVK Contest Club http://www.vkcc.com

    World of DK4KQ http://www.dl4kq.de/

    XE1BEF  DX and links http://www.geocities.com/xe1bef/

    Logging Software

    VK Contest Log (VKCL) http://web.aanet.com.au/mnds/

    VK/ZL Logger http://www.vklogger.com

    WinRD+ logging program http://www.rjmb.net/rd/index.htm


    Cluster

    AR-Technology AB5K.net http://www.ab5k.net/Home.aspx

    Clusse http://he.fi/clusse/

    CLX Home page http://clx.muc.de/

    DX CLUSTER programs http://pages.cthome.net/n1mm/html/English/DXClusters.htm

    DXCluster http://www.dxcluster.org/

    DXCluster.Info http://www.dxcluster.info/

    DxNet http://www.dxnet.free.fr/

    DX PacketCluster Sites on the Internet http://www.n4gn.com/cluster.html

    DXSpider – DX cluster system is written in perl http://linux.maruhn.com/sec/dxspider.html

    Packet Cluster user manual http://www.yccc.org/Resources/ysa/manual/

    The DXSpider User Manual http://www.dxcluster.org/main/usermanual_en.html

    VE7CC-1 Dx Spider Cluster http://www.ve7cc.net/

     

    Short Wave DX

    AUSTRALIAN RADIO DX CLUB http://www.ardxc.info/

    Electronic DX Press (HF, MW and VHF) http://members.tripod.com/~bpadula/edxp.html

    Contesting.com http://www.contesting.com/

    CQ World Wide DX Contest http://www.cqww.com/

    K6XX http://www.k6xx.com/

    Longwave Club of America (also Ham) http://www.lwca.org

    NIST time stations http://www.boulder.nist.gov/timefreq/stations/wwvb.htm

    OK1RR DX & Contesting Page http://www.qsl.net/ok1rr/

    Prime Time Shortwave http://www.primetimeshortwave.com/

    Radio Interval Signals http://www.intervalsignals.org/

    shortWWWave http://swww.dwerryhouse.com.au/

    SM3CER Contest Service http://www.sk3bg.se/contest/index.htm

    The British DX Club http://www.bdxc.org.uk/

    Yankee Clipper Contest Club http://www.yccc.org/

     

    Radio Scouting

    Scouts Australia JOTA/JOTI http://www.international.scouts.com.au/main.asp?iMenuID=9071085

    The history of the Jamboree On The Air http://home.tiscali.nl/worldscout/Jota/jota history.htm

    World Organization of the Scout Movement http://www.scout.org/jota/


    Australian Regulator

    ACMA http://www.acma.gov.au/

    International Regulator

    ITU http://www.itu.int/home/index.html



    Electronic Information and technical reference

    AC6V’s Technical Reference http://www.ac6v.com/techref.htm

    Chip directory http://www.embeddedlinks.com/chipdir/abc/s.htm#simm

    Circuit Sage http://www.circuitsage.com/

    CommLinx Solutions Pty Ltd http://www.commlinx.com.au/default.htm

    Computer Power Supply Mods http://www.qsl.net/vk4ba/projects/index.html

    Discover Circuits http://www.discovercircuits.com/

    Electronic Information http://www.beyondlogic.org/

    Electronics Links and Resources http://yallara.cs.rmit.edu.au/~pleelave/electronics1.html

    Epanorama (lots of links) http://www.epanorama.net/

    Electronics Tutorials http://www.electronics-tutorials.com/

    Electronic Theory http://www.electronicstheory.com/

    Fox Delta http://www.foxdelta.com/

    GREG’S DOWNLOAD PAGE http://www.rfcascade.com/index.html

    Hobby Projects (electronic resource) http://www.hobbyprojects.com/tutorial.html

    Hittite http://www.hittite.com

    Information site http://www.epanorama.net/

    ISO Date / Time http://wwp.greenwichmeantime.com/info/iso.htm

    Latitude/Longitude Conversion utility – 3 formats http://www.directionsmag.com/latlong.php

    New Wave Instruments (check out SS Resources) http://www.newwaveinstruments.com/index.htm

    Paul Falstad (how electronic circuits work) http://www.falstad.com/circuit/

    PINOUTS.RU (Handbook of hardware pinouts) http://pinouts.ru/

    PUFF http://www.cco.caltech.edu/~mmic/puffindex/puffE/puffE.htm

    RadioReference http://www.radioreference.com/

    RF Cafe http://www.rfcafe.com/

    RF Globalnet http://www.rfglobalnet.com

    RHR Laboratories http://www.rhrlaboratories.com/#Software

    rfshop http://www.rfshop.com.au/page7.htm

    RS232 Connections, and wiring up serial devices http://www.airborn.com.au/rs232.html

    RF Power Table

    Science Lobby (electronic links) http://www.sciencelobby.com/

    Tech FAQ http://www.tech-faq.com/

    The12volt.com (technical information for mobile electronics installers) http://www.the12volt.com/

    Electronic service

    Repair of TV Sets http://www.repairfaq.org/sam/tvfaq.htm

    Sci.Electrinic.Repair FAQ http://www.repairfaq.org/sam/tvfaq.htm

    Service engineers Forum http://www.e-repair.co.uk/index.htm

     

    Cable Data

    Andrews http://www.andrew.com/default.aspx

    Belden http://www.belden.com/

    CO-AX CABLE DATA http://www.electric-web.org/coax.htm

    Coaxial cable data http://www.qsl.net/kc6uut/coax.html

    Coaxial Cable Page http://www.cdi2.com/build_it/coaxloss.htm

    HB9ABX http://home.datacomm.ch/hb9abx/coaxdat.htm

    HB9HD http://www.hb9hd.ch/PDF/coaxcable.pdf

    KC6UUT http://www.qsl.net/kc6uut/coax.html

    NESS Engineering http://www.nessengr.com/techdata/coaxdata.html

    RF Industries cables http://www.rfindustries.com.au/rfiproducts/cablesConnectors/coaxialCables.htm

    THERFC http://www.therfc.com/coax.htm

    Times Microwave http://www.timesmicrowave.com/

    VK3KHB http://www.gak.net.au/vk3khb/atv/coaxchrt.html

    W4ZT http://w4zt.com/coax.html

    X.net Antenna cable chart http://www.x.net.au/antenna_cable.html

    50 W Coaxial Cable Information http://www.dma.org/~millersg/coax50.html

    75 W Coaxial Cable Information http://www.dma.org/~millersg/coax75.html



    Antique Radio

    Antique Electronic Supply http://www.tubesandmore.com/

    Alan Lord http://www.dundeecoll.ac.uk/sections/cs/staff/al_radio/

    Antique Radio http://antiqueradios.com/

    Apex Jr http://www.apexjr.com/

    Archives of Boatanchors http://www.tempe.gov/archives/boatanchors.html

    Australian Vintage Radio MK II http://www.southcom.com.au/~pauledgr/

    Australian Wireless (OZ-Wireless) Email List http://www.clarion.org.au/wireless/

    AWA and Fisk Radiola http://203.44.53.131/Radiola/AWA1b.htm

    Crystal Radio http://www.crystalradio.net/

    Glowbugs http://www.mines.uidaho.edu/~glowbugs/

    Hammond Museum of Radio http://www.hammondmuseumofradio.org/

    Historical Radio Society of Australia Inc. http://www.hrsa.asn.au/

    JMH’s Virtual Valve Museum http://www.tubecollector.org/numbers.htm

    John Rose’s Vintage Radio Home http://personal.nbnet.nb.ca/jrose/radios/radiomain.htm

    Klausmobile Russian Tube Directory http://klausmobile.narod.ru/td/indexe.htm

    KK7TV http://www.kk7tv.com/kk7tv.html

    Kurrajong Radio Museum http://www.vk2bv.org/museum/

    Links to Vintage Radios (Amateur) http://www.qsl.net/ka4pnv/vrlinks.htm

    Mike’s Electric Stuff http://www.netcomuk.co.uk/~wwl/electric.html

    Nostalgiar Air http://www.nostalgiaair.org/

    Phil’s Old Radios http://antiqueradio.org/

    Radio A’s Vintage Radio Page http://www.mnsi.net/~radioa/radioa.htm

    Radio Era http://www.radioera.com/

    Rap ‘n Tap http://www.midnightscience.com/rapntap/

    Replacing Capacitors http://antiqueradio.org/recap.htm

    Savoy Hill Publications http://www.valvesunlimited.demon.co.uk/Noframes/savoy_hill_publications.htm

    South East Qld Group of the HRSA http://seqg.tripod.com

    SEQG of the HRSA Crystal comp http://www.clarion.org.au/crystalset/

    SEQG One Tube Radio comp http://seqg.tripod.com/onetube/onetube.html

    TEARA’S VINTAGE RADIO LINK PAGE http://www.ipass.net/~teara/vin.html

    The Vintage Radio Emporium http://www.vintageradio.info/

    The Wireless Works http://www.wirelessworks.co.uk/

    Triode Tube Data http://www.triodeel.com/tubedata.htm Tubesworld  (Valve Audio and Valve data) http://www.tubesworld.com/

    Vintage Radio http://www.vintage-radio.com/index.shtml

    Vintage Radio Times http://www.vintageradiotimes.com/Page_1x.html

    Vintage Radios and programs http://www.compusmart.ab.ca/agirard/VINTAGE.HTM

    Vintage Radios UK http://www.valve.demon.co.uk/

    Vintage Radio and Test Equipment Site http://www.geocities.com/eb5agv/

    Vintage Radio World http://www.burdaleclose.freeserve.co.uk/

    Vintage Radio and Audio Pages http://www.mcallister.simplenet.com/

    VMARS http://www.vmars.org.uk/

    W7FG VINTAGE MANUALS CATALOGUE http://www.w7fg.com/index.html

    Ye Olde Hurdy Gurdy Museum of Vintage Radio http://ei5em.110mb.com/museum.html



    Valve Audio and Valve data Ake’e Tube Data http://w1.871.telia.com/~u87127076/index.htm CVC http://www.chelmervalve.com/index.html

    Data Sheet Locator http://www.duncanamps.co.uk/cgi-bin/tdsl3.exe/

    Eimac http://www.cpii.com/eimac/index.html

    Frank’s Electron tube Pages http://home.wxs.nl/~frank.philipse/frank/frank.html

    Hammond  Manufacturing http://www.hammondmfg.com/

    House of Tubes http://www.house-of-tubes.com/home/Library.asp

    High Voltage Tube Archive http://www.funet.fi/pub/sci/electrical/tesla/tubes/

    Kiewavly http://home.mira.net/~kiewavly/audio1.html

    Industrial Valve Data http://www.netcomuk.co.uk/~wwl/data.html

    Machmat http://www.machmat.com/

    NJ7P Tube Data Search http://hereford.ampr.org/cgi-bin/tube?index=1

    RCA-R10 Data http://www.nmr.mgh.harvard.edu/~reese/RC10/

    SAS Audio Labs http://www.sasaudiolabs.com/

    Sowter Audio Transformers http://www.sowter.co.uk/

    Spice Valves http://www.duncanamps.com/spicevalves.html

    Tubetec http://www.tubetec.freeserve.co.uk/

    TUBEWORLD INC. http://www.tubeworld.com/

    Tube datasheets http://www.wps.com/archives/tube-datasheets/index.html

    Vacuum Tube Links http://www.michelletroutman.com/tubes.htm

    Valves and Tubes http://www.euramcom.freeserve.co.uk/tubes.html

    Valve Data Links http://www.thevalvepage.com/links/valvdata.htm

    Valve Data http://www.arrakis.es/~igapop/referenc.htm

    Valves Unlimited http://www.valvesunlimited.demon.co.uk/Noframes/links.htm

    Valve and Tube Supplies http://www.valves.uk.com/

    Valveamps.com http://www.valveamps.com/



    Audio

    Audio Calculators and Links http://www.audioscientific.com/Audio Calculators & References Links.htm

    BKC GROUP http://www.bkcgroup.fsnet.co.uk/

    Car Audio Australia http://www.caraudioaustralia.com/

    DIY Audio http://www.diyaudio.com/

    Duncan’s Amp Pages http://www.duncanamps.com/

    Elliott Sound Products http://sound.westhost.com/audiolink.htm

    GM ARTS http://users.chariot.net.au/~gmarts/

    Norman Koren http://www.normankoren.com/Audio/

    Rane http://www.rane.com/

    The Self Site http://www.dself.demon.co.uk/

    The Class-A Amplifier Site http://www.gmweb.btinternet.co.uk/



    Magazines

    DUBUS (VHF magazine) http://www.dubus.org/

    Elektor Electronics http://www.elektor-electronics.co.uk/

    Harlan Technologies (Amateur Television Quarterly) http://www.hampubs.com/

    Radio & Communications Monitoring Monthly http://www.monitoringmonthly.co.uk/

    SILICON CHIP http://www.siliconchip.com.au/

    VHF Communications Mag http://www.vhfcomm.co.uk/



    SETI

    SETI http://www.setileague.org/homepg.htm

    SETI Australia http://www.seti.org.au/

    SCADA considerations

    Procedures

    • Corporate Information Protection
    • Security Management
    • Information Classification
    • Physical (and Environmental) Security
    • Personnel Security
    • Security Awareness Training
    • Security Incident Response
    • Security Monitoring
    • Network Security
    • PC/Workstation Security
    • Support and Operational Security Related
    • Encryption and Information Confidentiality
    • Authorization Controls
    • Identification and Authentication Mechanisms
    • Systems Life Cycle Security
    • Business Continuity Planning
    • Media Security
    • Third Party Services

    Typical concerns and points discussion:

    • Inbound and out Bound FTP
    • Suggest use of DMZ
    • Suggest use of Secure FTP
    • Suggest use of restricted secure IP addresses / tunnelling
    • Suggest use of private feeds

    Modem issues used with dial in services

    • No dial back
    • No Authentication
    • No Secure ID
    • Possibly automated scripts used, so hard coded usernames and passwords used.
    • Internet sharing may be turned on, allowing routing via workstations.

    Increased data security and integrity considerations

    • Data backups
    • System redundancy
    • Site and content filtering
    • Virus protection
    • Standard system procurement (discounts and spares)
    • Network and services redundancy
    • Network monitoring
    • Service availability monitoring
    • Internal controls
    • Vendor / external service supplier
    • Capacity management
    • Change management system
    • Asset management system
    • Telecommunication and telephony bulk cost discounting
    • Etc.

    Use and support for corporate application considerations

    • Email
    • Intranet
    • Internet
    • Corporate virus protection
    • Asset management
    • Change management
    • Project management
    • Performance / capacity management
    • Reduction of Cost
    • Use of corporate applications
    • Reduction of manual processes

    Other things to keep in mind:

    • SCADA monitoring system must be isolated from network errors and systems events. This will prevent SCADA operational systems being effected by network or corporate system issues / outages.
    • Review Network topology to ensure internal and external vulnerabilities are not currently being and cannot be abused.
    • Review of router configurations
    • Use of change management system
    • Review remote dial in systems
    • Firewall SCADA systems off from corporate applications
    • Uncontrolled networks and systems within the SCADA environment will compromise the corporate environments integrity and security.
    • Determine if systems used within SCADA are built to a standard operating environment.

    Nmap Examples

    Some Nmap examples I thought I would post.

    Scanning past Watchguard Firewalls: nmap -sS -iL targetlist.txt -P0 -sV -T4

    Verbose Scan: nmap -v

    This option scans all reserved TCP ports on the target machine. The -v option enables verbose mode.

    nmap -sS -O /24

    Launches a stealth SYN scan against each machine that is up out of the 256 IPs on “class C” sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

    nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

    Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

    nmap -v -iR 100000 -PN -p 80

    Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -PN since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

    nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20

    This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.

    Instead of limiting ourselves to scanning just one target., let’s broaden our horizon’s to bigger and better things. In example 2 we used our IP address to base a scan against. Using that address again we can get a look at numerous targets in our “community”. At the command line type the following (substituting a valid address of your choice of course):

    nmap -sT -O 206.212.15.0-50

    What this does is instruct nmap to scan every host between the IP addresses of 206.212.15.0 and 206.212.15.50. If you happen to find many interesting feedback results from this or a larger scale scan then you can always pipe the output into your choice of a human readable file or a machine parsable file for future reference by issuing the following option:

    To create a human readable output file issue the -oN command into your nmap string so that it would look similar to this:

    nmap -sT -O -oN sample.txt 206.212.15.0-50

    Rather have a machine parsable file? Enter the -oM to pipe the output into a machine parsable file:

    nmap -sT -O -oM sample.txt 206.212.15.0-50

    *Back when I was becoming aquatinted with all the nmap options, I ran my first large scale scan against 250 consecutive machines using an arbitrary number (nmap -sX -O -oN sample.txt XXX.XXX.XXX.0-250).To my great surprise I was confronted with 250 up and running virgin Linux machines. Another reason why Linux enthusiasts should NEVER become bored.

    -I This is a handy little call that activates nmap’s TCP reverse ident scanning option. This divulges information that gives the username that owns available processes. Let’s take a look (Note that the host has to be running ident). At the command line issue this command against your target, in this case our default Eve running Linux:

    -iR Use this command to instruct nmap to scan random hosts for you.

    -p Port range option allows you to pick what port or ports you wish nmap to scan against.

    -v Use verbosity to display more output data. Use twice (-v -v) for maximum verbosity.

    -h Displays a quick reference of nmap’s calls

    Now that we have looked at nmap’s three basic usage types and some of it’s other options, let’s mix and match them.

    nmap -v -v -sS -O 209.212.53.50-100

    This instructs nmap to use a maximum amount of verbosity to run a stealth scan and OS detection against all machines between IP addresses 209.212.53.50 and 209.212.53.100. This command will also require root privileges due to both the -sS and -O calls. Of course this will display a very overwhelming amount of data so let’s log our results into a human readable file for future reference:

    nmap -v -v -sS -O -oN sample.txt 209.212.53.50-100

    Now let’s make nmap run a stealth scan and instruct it to look only for machines offering http and ftp services between the addresses of 209.212.53.50 and 209.212.53.100. Once again we will log the output (I’m a log junkie) for future reference into a human readable file called ftphttpscan.txt:

    nmap -sS -p 23,80 -oN ftphttpscan.txt 209.212.53.50-100

    Remember the -iR option mentioned previously? Let’s use it to take a random sampling of Internet web servers using the verbatim example from nmap’s man page:

    nmap -sS -iR -p 80

    Last but certainly not least, while gleaning information, don’t forget to nmap yourself. Just type at the command line: nmap 127.0.0.1 This is especially useful and recommended if you’re a newcomer to Linux and connected to the Internet via DSL or cable modem.

    Detect promiscuous network devices or sniffers on a network

    Old versions       nmap –script=promiscuous 10.0.1.0/24

    New Versions     nmap -sV –script=sniffer-detect 10.0.1.0/24

    EFT Syetms and Device Considerations

    EFT devices and systems differ depending on hardware vendor, country and bank / payment aggregator.
    Below is a list of things you may like to consider. This list is off the top of my head so it is probably not complete.

    Looking at the products and relationships us usually a good start.

    Things to consider:

    • Card skimming methods
    • Some EFT POS devices restrict the connection of a skimmer
    • Review levels of associated fraud
    • Review devices and EFT methods
    • Review terminal identification (merchant and customer)
    • Manual processing. (internal and external)
    • eCommerce products
    • PC based software
    • Dedicated server services (Nobil, etc.)
    • Web based engine (Custom objects, Web pop-ups, etc)
    • Authorisation / identification methods (Merchant and customer)
    • TCPIP session hijacking / session spoofing
    • Direct Debit as well as Credit Cards.
    • Swift (methods and controls)
    • Telegraphic transfer (methods and controls)
    • Payment aggregator relationships (eg. Payment Tech, manual processing, cheque scanning, etc.)
    • Internet banking facilities (attack / penetration,  Certificate registration / management, ISP SLA’s, etc.)
    • Implementation of Smart Card and / or alternative customer recognition devices.
    • Outsourcing and associated risks / service level agreements
    • Payment processing
    • Payment clearance
    • Payment switching
    • Reporting (segregation of merchant / customers / aggregators / partners / local / international)
    • Fraud detection and reporting
    • 3rd party acquiring risks
    • Single merchant ID many businesses
    • Allows moneys to be laundered if the payment aggregator does not place appropriate controls on the merchant.
    • Encryption used
    • Internet / trusted partner / inter-bank / extranet
    • Private and / or public certificates
    • Single use certificates
    • Client side certificates
    • Remittance advice processes and controls.
    • EFT disaster recovery and manual fall back procedures (associated security and reconciliation risks)
    • Trusted partner relationships, SLA’s, liabilities and risks.
    • EFT regulatory / legal requirements (inter-bank and government)
    • Refund processing / authorisation. (policies, procedures, controls, etc.)
    • CVV, CVV-2 / CVC-2 processing and management. (http://www.atlanticpayment.com/CVV.htm)
    • Fraud detection mechanism (neural networks, inter-bank / department customer checks, etc)
    • Supported card schemes (AMEX/Visa/Mastercard/Discover/etc )
    • Review EFT floor limits (corporate and SME merchants)
    • Review the ability to withhold merchant settlement until the presence of fraud has been determined.
    • Review customer identification details. Such as (This varies around the world depending on local regulations / privacy laws)
    • Review real-time and batched processing methods and controls (sequence numbers, access to raw data, etc.)
    • Review processing with and without expiry dates. (exception controls and policies)
    • Review exception / fraud reports.
    • Review payment store and forward policies and procedures.
    • Review Pre-Auth and Completion controls.
    • Token based payment (eCash, etc)
    • Merchant reconciliation, reporting methods and controls (paper, Internet, email, PDF, Fax, etc.) and associated security.
    • Real time gross settlement policies, procedures and controls. (IT and amounts)
    • Card issuing policies and procedures. (customer ID checks, etc)
    • Banking infrastructure (ingress / egress) controls and security. (Web, partner, payment switches, outsourced infrastructure, monitoring / reporting.)
    • Use of Internet technologies for inter-bank transfers and remote equipment.
    • Physical security and controls of devices, ATM,s, line encryptors, etc.

    DNS Hack Needs Patching – Serious Problem

    This has been kept under wraps by the Operating System and Hardware vendors for the last few weeks and now patches have finally been released for many Operating Systems, DNS software applications and Hardware devices.
    If you provide or rely on DNZ services (external and Internal) you should consider quickly patching your servers/devices.

    Although Internal DNS servers may not be exposed to an Internet attack, we see many more internal attacks within larger organisations which involve rogue server or services being established within the firewalled trusted network. As a result, this lifts the threat level of internal systems/services and therefore the need for effective timely patching.

    Also consider asking the question of your hosting facility, upstream ISP or DNS provider to see if they have patched their DNS servers and forwarders.

    http://www.doxpara.com/?p=1162 This link also has a DNS checker.
    http://afp.google.com/article/ALeqM5hwFqcnWAuDWlcqfvfyHu5PGG9RMQ
    http://www.kb.cert.org/vuls/id/800113

    This is a full list of vendor patch links
    http://www.betanews.com/article/Major_fix_to_DNS_vulnerability_impacts_Windows_Debian/1215551008

    Good Luck

    Breaking VISA PIN

    Below is an article I found recently. This one of the most comprehensive descriptions of PIN Verification Value (PVV) hacking.

    I thought I would replicate it here for my local reference.

    As comments have been made regarding the grammar used in the original text, I have corrected some of the obvious errors whilst maintaining the context of the original material.

    http://69.46.26.132/~biggold1/fastget2you/tutorial.php

    ——– Original Text ———-

    Foreword
    Have you ever wonder what would happen if you lose your credit or debit card and someone finds it. Would this person be able to withdraw cash from an ATM guessing, somehow, your PIN? Moreover, if you were who finds someone’s card would you try to guess the PIN and take the chance to get some easy money? Of course the answer to both questions should be “no”. This work does not deal with the second question, it is a matter of personal ethics. Herewith I try to answer the first question.

    All the information used for this work is public and can be freely found in Internet. The rest is a matter of mathematics and programming, thus we can learn something and have some fun. I reveal no secrets. Furthermore, the aim (and final conclusion) of this work is to demonstrate that PIN algorithms are still strong enough to provide sufficient security. We all know technology is not the weak point.

    This work analyses one of the most common PIN algorithms, VISA PVV, used by many ATM cards (credit and debit cards) and tries to find out how resistant is to PIN guessing attacks. By “guessing” I do not mean choosing a random PIN and trying it in an ATM. It is well known that generally we are given three consecutive trials to enter the right PIN, if we fail ATM keeps the card. As VISA PIN is four digit long it’s easy to deduce that the chance for a random PIN guessing is 3/10000 = 0.0003, it seems low enough to be safe; it means you need to lose your card more than three thousand times (or losing more than three thousand cards at the same time 🙂 until there is a reasonable chance of losing money.

    What I really meant by “guessing” was breaking the PIN algorithm so that given any card you can immediately know the associated PIN. Therefore this document studies that possibility, analyzing the algorithm and proposing a method for the attack. Finally we give a tool which implements the attack and present results about the estimated chance to break the system. Note that as long as other banking security related algorithms (other PIN formats such as IBM PIN or card validation signatures such as CVV or CVC) are similar to VISA PIN, the same analysis can be done yielding nearly the same results and conclusions.


    VISA PVV algorithm


    One of the most common PIN algorithms is the VISA PIN Verification Value (PVV). The customer is given a PIN and a magnetic stripe card. Encoded in the magnetic stripe is a four digit number, called PVV. This number is a cryptographic signature of the PIN and other data related to the card. When a user enters his/her PIN the ATM reads the magnetic stripe, encrypts and sends all this information to a central computer. There a trial PVV is computed using the customer entered PIN and the card information with a cryptographic algorithm. The trial PVV is compared with the PVV stored in the card, if they match the central computer returns to the ATM authorization for the transaction. See in more detail.

    The description of the PVV algorithm can be found in two documents linked in the previous page. In summary it consists in the encryption of a 8 byte (64 bit) string of data, called Transformed Security Parameter (TSP), with DES algorithm (DEA) in Electronic Code Book mode (ECB) using a secret 64 bit key. The PVV is derived from the output of the encryption process, which is a 8 byte string. The four digits of the PVV (from left to right) correspond to the first four decimal digits (from left to right) of the output from DES when considered as a 16 hexadecimal character (16 x 4 bit = 64 bit) string. If there are no four decimal digits among the 16 hexadecimal characters then the PVV is completed taken (from left to right) non decimal characters and decimalizing them by using the conversion A->0, B->1, C->2, D->3, E->4, F->5. Here is an example:

    Output from DES: 0FAB9CDEFFE7DCBA

    PVV: 0975

    The strategy of avoiding decimalization by skipping characters until four decimal digits are found (which happens to be nearly all the times as we will see below) is very clever because it avoids an important bias in the distribution of digits which has been proven to be fatal for other systems, although the impact on this system would be much lower. See also a related problem not applying to VISA PVV.

    The TSP, seen as a 16 hexadecimal character (64 bit) string, is formed (from left to right) with the 11 rightmost digits of the PAN (card number) excluding the last digit (check digit), one digit from 1 to 6 which selects the secret encrypting key and finally the four digits of the PIN. Here is an example:

    PAN: 1234 5678 9012 3445
    Key selector: 1
    PIN: 2468

    TSP: 5678901234412468

    Obviously the problem of breaking VISA PIN consists in finding the secret encrypting key for DES. The method for that is to do a brute force search of the key space. Note that this is not the only method, one could try to find a weakness in DEA, many tried, but this old standard is still in wide use (now been replaced by AES and RSA, though). This demonstrates it is robust enough so that brute force is the only viable method (there are some better attacks but not practical in our case, for a summary see LASEC memo and for the dirty details see Biham & Shamir 1990, Biham & Shamir 1991, Matsui 1993, Biham & Biryukov 1994 and Heys 2001).

    The key selector digit was very likely introduced to cover the possibility of a key compromise. In that case they just have to issue new cards using another key selector. Older cards can be substituted with new ones or simply the ATM can transparently write a new PVV (corresponding to the new key and keeping the same PIN) next time the customer uses his/her card. For the shake of security all users should be asked to change their PINs, however it would be embarrassing for the bank to explain the reason, so very likely they would not make such request.

    Preparing the attack


    A brute force attack consists in encrypting a TSP with known PVV using all possible encrypting keys and compare each obtained PVV with the known PVV. When a match is found we have a candidate key. But how many keys we have to try? As we said above the key is 64 bit long, this would mean we have to try 2^64 keys. However this is not true. Actually only 56 bits are effective in DES keys because one bit (the least significant) out of each octet was historically reserved as a checksum for the others; in practice those 8 bits (one for each of the 8 octets) are ignored.

    Therefore the DES key space consists of 2^56 keys. If we try all these keys will we find one and only one match, corresponding to the bank secret key? Certainly not. We will obtain many matching keys. This is because the PVV is only a small part (one fourth) of the DES output. Furthermore the PVV is degenerated because some of the digits (those between 0 and 5 after the last, seen from left to right, digit between 6 and 9) may come from a decimal digit or from a decimalized hexadecimal digit of the DES output. Thus many keys will produce a DES output which yields to the same matching PVV.

    Then what can we do to find the real key among those other false positive keys? Simply we have to encrypt a second different TSP, also with known PVV, but using only the candidate keys which gave a positive matching with the first TSP-PVV pair. However there is no guarantee we won’t get again many false positives along with the true key. If so, we will need a third TSP-PVV pair, repeat the process and so on.

    Before we start our attack we have to know how many TSP-PVV pairs we will need. For that we have to calculate the probability for a random DES output to yield a matching PVV just by chance. There are several ways to calculate this number and here I will use a simple approach easy to understand but which requires some background in mathematics of probability.

    A probability can always be seen as the ratio of favorable cases to possible cases. In our problem the number of possible cases is given by the permutation of 16 elements (the 0 to F hexadecimal digits) in a group of 16 of them (the 16 hexadecimal digits of the DES output). This is given by 16^16 ~ 1.8 * 10^19 which of course coincides with 2^64 (different numbers of 64 bits). This set of numbers can be separated into five categories:

    Those with at least four decimal digits (0 to 9) among the 16 hexadecimal digits (0 to F) of the DES output.

    Those with exactly only three decimal digits.

    Those with exactly only two decimal digits.

    Those with exactly only one decimal digit.

    Those with no decimal digits (all between A and F).

    Let’s calculate how many numbers fall in each category. If we label the 16 hexadecimal digits of the DES output as X1 to X16 then we can label the first four decimal digits of any given number of the first category as Xi, Xj, Xk and Xl. The number of different combinations with this profile is given by the product 6 i-1 * 10 * 6j-i-1 * 10 * 6k-j-1 * 10 * 6 l-k-1 * 10 * 1616-l where the 6’s come from the number of possibilities for an A to F digit, the 10’s come from the possibilities for a 0 to 9 digit, and the 16 comes from the possibilities for a 0 to F digit. Now the total numbers in the first category is simply given by the summation of this product over i, j, k, l from 1 to 16 but with i < j < k < l. If you do some math work you will see this equals to the product of 104/6 with the summation over i from 4 to 16 of (i-1) * (i-2) * (i-3) * 6i-4 * 16 16-i ~ 1.8 * 1019.

    Analogously the number of cases in the second category is given by the summation over i, j, k from 1 to 16 with i < j < k of the product 6i-1 * 10 * 6j-i-1 * 10 * 6k-j-1 * 10 * 616-k which you can work it out to be 16!/(3! * (16-13)!) * 103 * 6 13 = 16 * 15 * 14/(3 * 2) * 103 * 613 = 56 * 104 * 613 ~ 7.3 * 1015. Similarly for the third category we have the summation over i, j from 1 to 16 with i < j of 6 i-1 * 10 * 6j-i-1 * 10 * 616-j which equals to 16!/(2! * (16-14)!) * 102 * 614 = 2 * 103 * 615 ~ 9.4 * 1014. Again, for the fourth category we have the summation over i from 1 to 16 of 6i-1 * 10 * 616-i = 160 * 615 ~ 7.5 * 1013. And finally the amount of cases in the fifth category is given by the permutation of six elements (A to F digits) in a group of 16, that is, 616 ~ 2.8 * 1012.

    I hope you followed the calculations up to this point, the hard part is done. Now as a proof that everything is right you can sum the number of cases in the 5 categories and see it equals the total number of possible cases we calculated before. Do the operations using 64 bit numbers or rounding (for floats) or overflow (for integers) errors won’t let you get the exact result.

    Up to now we have calculated the number of possible cases in each of the five categories, but we are interested in obtaining the number of favorable cases instead. It is very easy to derive the latter from the former as this is just fixing the combination of the four decimal digits (or the required hexadecimal digits if there are no four decimal digits) of the PVV instead of letting them free. In practice this means turning the 10’s in the formula above into 1’s and the required amount of 6’s into 1’s if there are no four decimal digits. That is, we have to divide the first result by 104, the second one by 103 * 6, the third one by 102 * 62 , the fourth one by 10 * 63 and the fifth one by 64 . Then the number of favorable cases in the five categories are approximately 1.8 * 1015, 1.2 * 1012, 2.6 * 1011 , 3.5 * 1010, 2.2 * 109 respectively.

    Now we are able to obtain what is the probability for a DES output to match a PVV by chance. We just have to add the five numbers of favorable cases and divide it by the total number of possible cases. Doing this we obtain that the probability is very approximately 0.0001 or one out of ten thousand. Is it strange this well rounded result? Not at all, just have a look at the numbers we calculated above. The first category dominates by several orders of magnitude the number of favorable and possible cases. This is rather intuitive as it seems clear that it is very unlikely not having four decimal digits (10 chances out of 16 per digit) among 16 hexadecimal digits. We saw previously that the relationship between the number of possible and favorable cases in the first category was a division by 10^4, that’s where our result p = 0.0001 comes from.

    Our aim for all these calculations was to find out how many TSP-PVV pairs we need to carry a successful brute force attack. Now we are able to calculate the expected number of false positives in a first search: it will be the number of trials times the probability for a single random false positive, i.e. t * p where t = 2^56, the size of the key space. This amounts to approximately 7.2 * 10^12, a rather big number. The expected number of false positives in the second search (restricted to the positive keys found in the first search) will be (t * p) * p, for a third search will be ((t * p) * p) * p and so on. Thus for n searches the expected number of false positives will be t * p^n.

    We can obtain the number of searches required to expect just one false positive by expressing the equation t * p^n = 1 and solving for n. So n equals to the logarithm in base p of 1/t, which by properties of logarithms it yields n = log(1/t)/log(p) ~ 4.2. Since we cannot do a fractional search it is convenient to round up this number. Therefore what is the expected number of false positives if we perform five searches? It is t * p^5 ~ 0.0007 or approximately 1 out of 1400. Thus using five TSP-PVV pairs is safe to obtain the true secret key with no false positives.

    The attack


    Once we know we need five TSP-PVV pairs, how do we get them? Of course we need at least one card with known PIN, and due to the nature of the PVV algorithm, that’s the only thing we need. With other PIN systems, such as IBM, we would need five cards, however this is not necessary with VISA PVV algorithm. We just have to read the magnetic stripe and then change the PIN four times but reading the card after each change.

    It is necessary to read the magnetic stripe of the card to get the PVV and the encrypting key selector. You can buy a commercial magnetic stripe reader or make one yourself following the instructions you can find in the previous page and links therein. Once you have a reader see this description of standard magnetic tracks to find out how to get the PVV from the data read. In that document the PVV field in tracks 1 and 2 is said to be five character long, but actually the true PVV consists of the last four digits. The first of the five digits is the key selector. I have only seen cards with a value of 1 in this digit, which is consistent with the standard and with the secret key never being compromised (and therefore they did not need to move to another key changing the selector).

    I did a simple C program, getpvvkey.c, to perform the attack. It consists of a loop to try all possible keys to encrypt the first TSP, if the derived PVV matches the true PVV a new TSP is tried, and so on until there is a mismatch, in which case the key is discarded and a new one is tried, or the five derived PVVs match the corresponding true PVVs, in which case we can assume we got the bank secret key, however the loop goes on until it exhausts the key space. This is done to assure we find the true key because there is a chance (although very low) the first key found is a false positive.

    It is expected the program would take a very long time to finish and to minimize the risks of a power cut, computer hang out, etc. it does checkpoints into the file getpvvkey.dat from time to time (the exact time depends on the speed of the computer, it’s around one hour for the fastest computers now in use). For the same reason if a positive key is found it is written on the file getpvvkey.key. The program only displays one message at the beginning, the starting position taken from the checkpoint file if any, after that nothing more is displayed.

    The DES algorithm is a key point in the program, it is therefore very important to optimize its speed. I tested several implementations: libdes, SSLeay, openssl, cryptlib, nss, libgcrypt, catacomb, libtomcrypt, cryptopp, ufc-crypt. The DES functions of the first four are based on the same code by Eric Young and is the one which performed best (includes optimized C and x86 assembler code). Thus I chose libdes which was the original implementation and condensed all relevant code in the files encrypt.c (C version) and x86encrypt.s (x86 assembler version). The code is slightly modified to achieve some enhancements in a brute force attack: the initial permutation is a fixed common steep in each TSP encryption and therefore can be made just one time at the beginning. Another improvement is that I wrote a completely new setkey function (I called it nextkey) which is optimum for a brute force loop.

    To get the program working you just have to type in the corresponding place five TSPs and their PVVs and then compile it. I have tested it only in UNIX platforms, using the makefile Makegetpvvkey to compile (use the command “make -f Makegetpvvkey”). It may compile on other systems but you may need to fix some things. Be sure that the definition of the type long64 corresponds to a 64 bit integer. In principle there is no dependence on the endianness of the processor. I have successfully compiled and run it on Pentium-Linux, Alpha-Tru64, Mips-Irix and Sparc-Solaris. If you do not have and do not want to install Linux (you don’t know what you are missing 😉 you still have the choice to run Linux on CD and use my program, see my page running Linux without installing it.

    Once you have found the secret bank key if you want to find the PIN of an arbitrary card you just have to write a similar program (sorry I have not written it, I’m too lazy 🙂 that would try all 10^4 PINs by generating the corresponding TSP, encrypting it with the (no longer) secret key, deriving the PVV and comparing it with the PVV in the magnetic stripe of the card. You will get one match for the true PIN. Only one match? Remember what we saw above, we have a chance of 0.0001 that a random encryption matches the PVV. We are trying 10000 PINs (and therefore TSPs) thus we expect 10000 * 0.0001 = 1 false positive on average.

    This is a very interesting result, it means that, on average, each card has two valid PINs: the customer PIN and the expected false positive. I call it “false” but note that as long as it generates the true PVV it is a PIN as valid as the customer’s one. Furthermore, there is no way to know which is which, even for the ATM; only customer knows. Even if the false positive were not valid as PIN, you still have three trials at the ATM anyway, enough on average. Therefore the probability we calculated at the beginning of this document about random guessing of the PIN has to be corrected. Actually it is twice that value, i.e., it is 0.0006 or one out of more than 1600, still safely low.

    Results


    It is important to optimize the compilation of the program and to run it in the fastest possible processor due to the long expected run time. I found that the compiler optimization flag -O gets the better performance, thought some improvement is achieved adding the -fomit-frame-pointer flag on Pentium-Linux, the -spike flag on Alpha-Tru64, the -IPA flag on Mips-Irix and the -fast flag on Sparc-Solaris. Special flags (-DDES_PTR -DDES_RISC1 -DDES_RISC2 -DDES_UNROLL -DASM) for the DES code have generally benefits as well. All these flags have already been tested and I chose the best combination for each processor (see makefile) but you can try to fine tune other flags.

    According to my tests the best performance is achieved with the AMD Athlon 1600 MHz processor, exceeding 3.4 million keys per second. Interestingly it gets better results than Intel Pentium IV 1800 MHz and 2000 MHz (see figures below, click on them to enlarge). I believe this is due to some I/O saturation, surely cache or memory access, that the AMD processor (which has half the cache of the Pentium) or the motherboard in which it is running, manages to avoid. In the first figure below you can see that the DES breaking speed of all processors has more or less a linear relationship with the processor speed, except for the two Intel Pentium I mentioned before. This is logical, it means that for a double processor speed you’ll get double breaking speed, but watch out for saturation effects, in this case it is better the AMD Athlon 1600 MHz, which will be even cheaper than the Intel Pentium 1800 MHz or 2000 MHz.

    In the second figure we can see in more detail what we would call intrinsic DES break power of the processor. I get this value simply dividing the break speed by the processor speed, that is, we get the number of DES keys tried per second and per MHz. This is a measure of the performance of the processor type independently of its speed. The results show that the best processor for this task is the AMD Athlon, then comes the Alpha and very close after it is the Intel Pentium (except for the higher speed ones which perform very poor due to the saturation effect). Next is the Mips processor and in the last place is the Sparc. Some Alpha and Mips processors are located at bottom of scale because they are early releases not including enhancements of late versions. Note that I included the performance of x86 processors for C and assembler code as there is a big difference. It seems that gcc is not a good generator of optimized machine code, but of course we don’t know whether a manual optimization of assembler code for the other processors (Alpha, Mips, Sparc) would boost their results compared to the native C compilers (I did not use gcc for these other platforms) as it happens with the x86 processor.

    Update

    Here is an article where these techniques may have been used.

    http://redtape.msnbc.com/2008/08/could-a-hacker.html