Entries Tagged "passwords"


Online Hacker Forums

Really interesting article about online hacker forums, especially the politics that goes on in them.

Clearly enterprising and given to posting rambling messages explaining his strategic thinking, Iceman grew CardersMarket’s membership to 1,500. On Aug. 16, he hacked into four rival forums’ databases, electronically extracted their combined 4,500 members, and in one stroke quadrupled CardersMarket’s membership to 6,000, according to security experts who monitored the takeovers.

The four hijacked forums—DarkMarket, TalkCash, ScandinavianCarding and TheVouched—became inaccessible to their respective members. Shortly thereafter, all of the historical postings from each of those forums turned up integrated into the CardersMarket website.

To make that happen, Iceman had to gain access to each forum’s underlying database, tech-security experts say. Iceman boasted in online postings that he took advantage of security flaws lazily left unpatched. CardCops’ Clements says he probably cracked weak database passwords. “Somehow he got through to those servers to grab the historical postings and move them to CardersMarket,” he says.

Iceman lost no time touting his business rationale and hyping the benefits. In a posting on CardersMarket shortly after completing the takeovers he wrote: “basically, (sic) this was long overdue … why (sic) have five different forums each with the same content, splitting users and vendors, and a mish mash of poor security and sometimes poor administration?”

He dispatched an upbeat e-mail to new members heralding CardersMarket’s superior security safeguards. The linchpin: a recent move of the forum’s host computer server to Iran, putting it far beyond the reach of U.S. authorities. He described Iran as “possibly the most politically distant country to the united states (sic) in the world today.”

Posted on October 23, 2006 at 2:54 PM

Programming ATMs to Believe $20 Bills Are $5 Bills

Clever attack:

Last month, a man reprogrammed an automated teller machine at a gas station on Lynnhaven Parkway to spit out four times as much money as it should.

He then made off with an undisclosed amount of cash.

No one noticed until nine days later, when a customer told the clerk at a Crown gas station that the machine was disbursing more money than it should. Police are now investigating the incident as fraud.

Police spokeswoman Rene Ball said the first withdrawal occurred at 6:17 p.m. Aug. 19. Surveillance footage documented a man about 5-foot-8 with a thin build walking into the gas station on the 2400 block of Lynnhaven Parkway and swiping an ATM card.

The man then punched a series of numbers on the machine’s keypad, breaking the security code. The ATM was programmed to disburse $20 bills. The man reprogrammed the machine so it recorded each $20 bill as a $5 debit to his account.

The suspect returned to the gas station a short time later and took more money, but authorities did not say how much. Because the account was pre-paid and the card could be purchased at several places, police are not sure who is behind the theft.

What’s weird is that it seems that this is easy. The ATM is a Tranax Mini Bank 1500. And you can buy the manuals from the Tranax website. And they’re useful for this sort of thing:

I am holding in my hands a legitimately obtained copy of the manual. There are a lot of security sensitive things inside of this manual. As promised, I am not going to reveal them, but there are:

  • Instructions on how to enter the diagnostic mode
  • Default passwords
  • Default Combinations For the Safe

Do not ask me for them. If you maintain one of these devices, make sure that you are not using the default password. If you are, change it immediately.

This is from an eWeek article:

“If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched,” Goldsmith said.

Officials at Tranax did not respond to eWEEK requests for comment. According to a note on the company’s Web site, Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the country. The majority of those shipments are of the flagship Mini-Bank 1500 machine that was rigged in the Virginia Beach heist.

So, as long as you can use an account that’s not traceable back to you, and you disguise yourself for the ATM cameras, this is a pretty easy crime.

eWeek claims you can get a copy of the manual simply by Googling for it. (Here’s one on eBay.)

And Tranax is promising a fix that will force operators to change the default passwords. But honestly, what’s the likelihood that someone who can’t be bothered to change the default password will take the time to install a software patch?

EDITED TO ADD (9/22): Here’s the manual.

Posted on September 22, 2006 at 7:04 AM

Getting a Personal Unlock Code for Your O2 Cell Phone

O2 is a UK cell phone network. The company gives you the option of setting up a PIN on your phone. The idea is that if someone steals your phone, they can’t make calls. If they type the PIN incorrectly three times, the phone is blocked. To deal with the problems of phone owners mistyping their PIN—or forgetting it—they can contact O2 and get a Personal Unlock Code (PUK). Presumably, the operator goes through some authentication steps to ensure that the person calling is actually the legitimate owner of the phone.

So far, so good.

But O2 has decided to automate the PUK process. Now anyone on the Internet can visit this website, type in a valid mobile telephone number, and get a valid PUK to reset the PIN—without any authentication whatsoever.

Oops.

EDITED TO ADD (7/4): A representative from O2 sent me the following:

“Yes, it does seem there is a security risk by O2 supplying such a service, but in fact we believe this risk is very small. The risk is when a customer’s phone is lost or stolen. There are two scenarios in that event:

“Scenario 1 – The phone is powered off. A PIN number would be required at next power on. Although the PUK code will indeed allow you to reset the PIN, you need to know the telephone number of the SIM in order to get it – there is no way to determine the telephone number from the SIM or handset itself. Should the telephone number be known the risk is then same as scenario 2.

“Scenario 2 – The phone remains powered on: Here, the thief can use the phone in any case without having to acquire PUK.

“In both scenarios we have taken the view that the principal security measure is for the customer to report the loss/theft as quickly as possible, so that we can remotely disable both the SIM and also the handset (so that it cannot be used with any other SIM).”

Posted on July 3, 2006 at 2:26 PM

Password-Protected Bullets

New invention, just patented:

Meyerle is patenting a design for a modified cartridge that would be fired by a burst of high-frequency radio energy. But the energy would only ignite the charge if a solid-state switch within the cartridge had been activated. This would only happen if a password entered into the gun using a tiny keypad matched one stored in the cartridge.

When they are sold, cartridges could be programmed with a password that matches the purchaser’s gun. An owner could set the gun to request the password when it is reloaded, or to perform a biometric check before firing. The gun could also automatically lock itself after a pre-set period of time has passed since the password was entered.

Posted on June 30, 2006 at 6:41 AM

Major Vulnerability Found in Diebold Election Machines

This is a big deal:

Elections officials in several states are scrambling to understand and limit the risk from a “dangerous” security hole found in Diebold Election Systems Inc.’s ATM-like touch-screen voting machines.

The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide.

Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways.

“This one is worse than any of the others I’ve seen. It’s more fundamental,” said Douglas Jones, a University of Iowa computer scientist and veteran voting-system examiner for the state of Iowa.

“In the other ones, we’ve been arguing about the security of the locks on the front door,” Jones said. “Now we find that there’s no back door. This is the kind of thing where if the states don’t get out in front of the hackers, there’s a real threat.”

This newspaper is withholding some details of the vulnerability at the request of several elections officials and scientists, partly because exploiting it is so simple and the tools for doing so are widely available.

[…]

Scientists said Diebold appeared to have opened the hole by making it as easy as possible to upgrade the software inside its machines. The result, said Iowa’s Jones, is a violation of federal voting system rules.

“All of us who have heard the technical details of this are really shocked. It defies reason that anyone who works with security would tolerate this design,” he said.

The immediate solution to this problem isn’t a patch. What that article refers to is election officials ensuring that they are running the “trusted” build of the software done at the federal labs and stored at the NSRL, just in case someone installed something bad in the meantime.

This article compares the security of electronic voting machines with the security of electronic slot machines. (My essay on the security of elections and voting machines.)

EDITED TO ADD (5/11): The redacted report is available.

Posted on May 11, 2006 at 1:08 PM
