Is it Art or is it Craft?

July 7, 2014


Tiny card skimmers may not be “sophisticated” in their method of attack, but they sure are nifty.



A safe that dispenses cash on command.

May 30, 2014

It seems like the sophisticated ATM attacks that occur around the world (the ones not using skimmers and cameras) happen because the attackers manage to acquire or gain access to a representative ATM of the type they want to attack.

eBay has plenty of used Hyosung and Triton ATMs for sale.  Picking one up is a great investment for an attacker who wants to understand the software and hardware weaknesses of the devices.  Heck, starting up a turnkey ATM business is probably an even better investment, since you’ll get access to the latest and greatest to experiment on.

It reminds me of the gambling industry, and how their slot machine security depended partially on “crossroaders” not being able to get a look at the internals.  This turned out as well as you’d expect.  One former casino thief named John Soares wrote an entertaining book going into some depth on the subject.

Many like to call this security by obscurity and leave it at that, but a little analysis shows the underlying risk decisions.

If you go back 40-50 years to mechanical slot machines as described in Loaded Dice, you can reconstruct the “threat profile” casinos likely constructed around people who can successfully attack slot machines:

  • They need to be technically adept to understand the inner workings of slot machines, and how to ensure payouts
  • They need to be dexterous and accurate to effect the attack in a reasonable amount of time
  • They need to gain unrestricted access to a similar machine for practice

That limits the pool of attackers.  To defend against these threat actors, some countermeasures were put in place:

  • Supply chain regulation, which makes direct acquisition of the equipment riskier and more susceptible to future investigation
  • Common casino surveillance practices extended to the slots floor that limit what actions can be taken by an attacker in the scope of time, noise, and visual detectability
  • A mix of high-payout and low-payout machines with a corresponding traffic flow that makes the desirable target machines have a correspondingly smaller window of opportunity for the attacker.

With less time, and less freedom of action, an attacker must be *extremely* dexterous and accurate to have a reasonable chance of success.  When it is hard to buy or acquire target slot machines, tracking down the perpetrators after the crime occurs can be easier.  This in turn limits the pool of threat actors.  The attackers need to be *very* good, *very* fast, and *very* careful about how they acquire their knowledge to put the risk equation in their favor.

In Loaded Dice, John Soares’ crew is very good.  The fact that casinos they hit didn’t go bust because of them and other crews manipulating machines implies that the bar was raised high enough to limit just how many people could successfully attack desirable slot machines.




’nuff said.

May 21, 2014


To be fair, the Cyber-Beltway is not known for knowledge of the field or impressive research.


Regulating vulnerability markets

May 19, 2014


Didn’t read it?  It’s about how the US should regulate the “0-day vulnerability marketplace” so that “bad guys” can’t get the “0-days”.

There is an underlying flaw in the thinking, which may be pervasive in the beltway cyber-echo-chamber, that vulnerabilities are things — things that someone invents or manufactures.  Vulnerabilities (in the 0-day or Øday or whatever sense) are not inventions.  They are facts that are discovered.  It is an important distinction.  A working exploit is the result of occasional invention on the part of the researcher, but the flaw being exploited is not.

Understanding what a security flaw is helps deconstruct the idea of a “Øday vulnerability marketplace”.  The purchasers in this market are not “buying 0-dayz”.  They are outsourcing vulnerability research and testing.  More to the point, they are outsourcing it as piece-work.  The sellers in this market are engaging in a race/lottery to get paid.

Microsoft, Google, the NSA, etc. have the capability to discover software and hardware security flaws.  In addition to this work, they offer bounties (payment) to any and all comers (or those on a procurement schedule) for usable discoveries.  There are incredible advantages to doing this.

The purchaser pays once to acquire the discovery — the fact.  The seller gets paid a decent amount that made searching for and verifying the vulnerability worthwhile.  Say Google paid $25K for a Chrome vulnerability, which the seller took 95 hours to find and a few hours to weaponize.  The seller earns $250/hr for a labor of love.

What Google isn’t paying for is the hundreds of people who each looked at the same thing and either didn’t see the vulnerability, or brought it to Google a little too late.  That is thousands and thousands of hours of effort that doesn’t hit Google’s bottom line.  If Google could only rely on their own search for vulnerabilities, they may well have to spend all that extra time and effort themselves to get the same result.

The second conceptual flaw is that this visible market mechanism (that happens to be currently in the news) is the main method by which bad actors are acquiring their discovered facts.  Some research in the matter would show the dedicated student that this is often the exact reverse of reality.

Attempting to regulate the transfer of this kind of knowledge hasn’t worked before.  The discovery of facts happens simultaneously, and is not tied to a particular geography or people.  Regulating the outsourcing of vulnerability research with the aim of preventing your enemies from acquiring the products of research is naive.  It assumes that your enemies are in fact tied to this outsourcing marketplace, and are unable to perform their own research.

For consideration:  When some seedy beltway contractor snags a vBulletin exploit off of a Romanian hacker forum, scrubs the author information, then turns around to sell it to the NSA, there is nothing in the transaction that stops the People’s Liberation Army (cue scary music) from finding that same exploit on that same forum, discovering the flaw themselves, or paying similar government cronies in Beijing for the same effort.


Now’s the time

April 15, 2014

If I were attacking a target I knew used something like Certificate Patrol, these last two weeks would be the time to start spoofing every SSL connection they try to make.  There’s been a lot of churn.


No Reader is Trustworthy

February 12, 2013

This guy.  This guy!

The protocol stands, but yet another implementation falls.  Take this as a lesson.

Holy crap, it worked! (Of course, it was only logical that it would, but it always gives you a thrill to see that “I’m in!” moment…) And in only 10 minutes too! Out of the 4.2 million bytes in the file, there were only 53,442 unique contiguous 16 byte chunks, and our key was the 13,675th.

This is the future of hacking.  Stay alert.  Trust no one.  Keep your JTAG interface handy.


Thanksgiving Advice to the Nation

November 22, 2012

Don’t brag about your elite hacking adventures on IRC.

Before making analogies about how Andrew Auernheimer (weev) did this or that, or the ethics of breaking into whatever, pay close attention to what he was actually found guilty of.

Auernheimer was not found guilty of accessing a computer without authorization.  He was found guilty of conspiracy to access a computer without authorization.  The prosecution didn’t make a case that he had actually broken into anything.

You can be found guilty of conspiracy without ever doing the deed.

So, in the case of this minor ICCID enumeration exercise, you can read for yourself the IRC log excerpts about how they were going to bring ATT to its knees, and how this was such a huge hack: “[T]his could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails”.

What Andrew didn’t know is that the FBI had a confidential informant.  So, all that pie-in-the-sky bragging on IRC about what they “totally could do” ends up going into evidence.  Whoops.

It is a hacker tradition to inflate minor finds into Big Deals.  It is tradition to sit on IRC, bragging about what you could do — feasible or not — to impress and one-up your buddies.

It is a matter of time and place.  Bragging in front of a Senate committee that you “could totally take down the internet” can bring you fame and fortune.  Bragging on IRC about sticking it to ATT can put you in court.


The hammer falls.

November 20, 2012

Never brag about your exploits on IRC

“Andrew Auernheimer, 26, of Fayetteville, Arkansas, was found guilty in federal court in New Jersey of one count of identity fraud and one count of conspiracy to access a computer without authorization.”

Given that the problem they found was that ATT wasn’t using any authentication, the conspiracy charge is quite the slap in the face.



I don’t share your greed…

October 16, 2012

…the only card I need is:

Here is an interesting concern for people with proximity card access control systems. Does your brand of reader have a default “backdoor” card ID that is considered valid?

You really should tear apart and check your card readers.


“SAP believes this case has gone on long enough”

August 7, 2012

SAP has settled (maybe) Oracle’s lawsuit over TomorrowNow.  The cost so far to SAP is US$306M.  A little advice:  Next time, make sure you use the --clairvoyant flag in your wget scripts!

So far, it appears that Oracle has successfully used the California legal system as an access control method.