General Archives


March 7, 2006

Effects of mandatory disclosure laws?

I was just reading on Bruce Schneier's blog about Citibank cancelling ATM/debit cards when used overseas in the UK, Canada, and Russia. These cards were (apparently) compromised at a US retailer a year ago, leading me to believe that a) this is perhaps not something Citibank is at fault for... but b) it certainly could have been handled a hell of a lot better.

This reminds me of the relatively new mandatory disclosure laws in California, New York, and Ohio, and leads me to wonder whether the people involved were ever informed that their information had been stolen. Certainly the California law was in effect at the time (the New York law went into effect in December 2005, Ohio's last month), so I wonder whether the people in California were notified that their cards had been compromised.


April 20, 2006

Data loss disclosure laws in the US

Bruce Schneier, well-known security guru, has posted an interesting summary of the expected federal law covering disclosure of data loss in the US. What Bruce doesn't mention is that a lot of the state laws already in place include a notification exemption for cases where notifying customers that their data has been lost would be too costly for the company.

For example, if a company lost data relating to several hundred thousand customers, it is not too hard to imagine that the cost involved could be greater than $250,000 (which is the limit for the Ohio notification law). The company could then opt for a "conspicuous posting" on its website, or to provide "notification to major media outlets", in lieu of informing each customer.

Not hard to imagine never hearing about your data being lost is it?


May 9, 2006

My old travel pictures archive is now available

For some reason, search engines never seem to refresh their image archives to account for images that have been removed. As a result, I get a large number of 404 errors in my logs every day from people doing image searches, following a link, and ending up on my 404 page.

To that end, I have dug up the archive I had and restored the travel pictures. You can find them here. All images are free for non-commercial use, and high-resolution originals are available on request. Enjoy!


June 17, 2006

Blackhat et al

It's getting to that time of year when thousands of security professionals and hackers congregate in Las Vegas for the Blackhat and Defcon conferences. My company is generously sending me and a few colleagues to Sin City to attend :-)

The Blackhat line-up is pretty strong, and this year features a lot of web application security talks (as summarised here by Jeremiah Grossman). You might spot me on the speaking list for the Oedipus talk, but I'm not actually planning on speaking this year.

As with EuSecWest earlier this year, I am going to blog a bit of detail about the talks that I make it to - it's probably fair to say that these are going to lean heavily towards the web application security side. I am also going to be attending Defcon, and am looking forward to catching up with a lot of people who don't really ever go to something quite as commercial as Blackhat.

So, if you're in Vegas for Blackhat or Defcon, and interested in catching up, drop me an email. I will probably be at the Shadow Bar at Caesar's on Wednesday night meeting other members of the webappsec mailing list, and otherwise will be around from the 1st to the 7th of August.


July 31, 2006

Blackhat and Defcon kick off this week

This is the week when computer security departments worldwide will be short-staffed, because everyone who could beg, borrow, or steal tickets and time off will be heading to Las Vegas for the Blackhat and Defcon conferences....

Well, that's actually a bit of an exaggeration - after all, there are a lot of good conferences these days, often smaller and less intimidating, or less corporate and more focused (such as Shmoocon, for example). But in any case, the schedule for Blackhat has a lot of interesting stuff on it, as does the Defcon schedule, and I'll be looking forward to some interesting material being covered. I saw Major Malfunction's mag stripe talk at Uncon 9 - well worth a look in if you want to see some hacking it 0ld sk00l.

Now all I have to do is survive the 10-odd hour flight there from London...


January 3, 2007

Don't click those PDF links

I just got pointed to a couple of interesting posts on cross-site scripting using plugins and other things that are on the user's system. The most interesting was a posting yesterday on Disenchant's blog on how to use the Adobe Acrobat plugin to perform cross-site scripting using any PDF file found on a website. A URL of the following format:

http://some.random.site.com/foo.pdf#something=javascript:alert(123);

will execute the script. I also got pointed to another follow-up on the same issue on the Gnucitizen blog.

I'm going to have a look into this issue and find out which combinations it is exploitable on, and which (if any) it isn't. More to follow...

Edit: So far confirmed as working on the following combinations:

  • Firefox / Adobe Acrobat Reader plugin / Windows XP SP2
  • IE6 / Adobe Acrobat 6 (Pro) plugin / Windows XP SP2
  • Firefox / Adobe Acrobat Reader plugin / Linux


April 18, 2007

Fun reading passports with RFIDIOt

I recently had the opportunity to try Major Malfunction's RFIDIOt toolkit out on an RFID-enabled New Zealand passport (as we just got one for our daughter). The RFID reader I was using is an ACG Multi-ISO Compact Flash reader, which presented itself as a serial device when I plugged it into the Linux box (running Ubuntu 7.04 - Feisty Fawn) I was using.

First things first, you need to install a few libraries that aren't installed by default with Ubuntu:

sudo apt-get install python-imaging-tk python-serial python-crypto

This works nicely in Ubuntu 7.04 - for some reason the python-imaging-tk package (which is needed by the mrpkey.py tool that reads the passport) seemed to be broken in Ubuntu 6.10 when I tried it.

Next step - edit the RFIDIOtconfig.py file to reflect the details of your RFID reader. In my case, this merely involved editing the first line to reflect the serial port (ttyS2):

# Out-of-Box Multi-ISO Serial
card= RFIDIOt.rfidiot(RFIDIOt.rfidiot.READER_ACG,'/dev/ttyS2',9600, 1)

So, first of all let's try performing a select on the passport - in this case, using multiselect to perform several selects in a row. This should tell us whether a New Zealand passport behaves like a UK passport, which generates a new card ID on each select.

[foo:~/Desktop/RFIDIOt-0.1k]$./multiselect.py 
multiselect v0.1f (using RFIDIOt v0.1j)
reader:  ACG MultiISO 1.0  (serial no: 34060218)
Card ID: 10B925A8
Card ID: 10B925A8
Card ID: 10B925A8
Card ID: 10B925A8

Apparently not - we get the same ID each time. Let's move on to trying to read the detail on the passport. This involves deriving some information from the Machine Readable Zone (MRZ) on the passport (if you've ever wondered what those two lines at the bottom of the passport photo page translate to). For example (some information obscured), the second line of the MRZ on my daughter's passport (EAnnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06) equates to:

  • Passport number: EAnnnnnn
  • Check Digit: 3
  • Nationality: NZL
  • Date Of Birth: 07nnnn
  • Check Digit: 3
  • Sex: F
  • Expiry: 12nnnn
  • Check Digit: 6
  • Optional: <<<<<<<<<<<<<<
  • Check Digit: 0
  • Composite Check Digit: 6

So now we can run the mrpkey tool to read the passport (note I had to edit TAG_TYPES, changing 6C to 6c and 6D to 6d, for this to work):

[foo:~/Desktop/RFIDIOt-0.1k]$./mrpkey.py "EAnnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06"
mrpkey v0.1g (using RFIDIOt v0.1j)
reader:  ACG MultiISO 1.0  (serial no: 34060218)

Passport number: EAnnnnnn<
Nationality: NZL
Date Of Birth: 07nnnn
Sex: F
Expiry: 12nnnn
Optional: <<<<<<<<<<<<<<

Generate local keys:

Key MRZ Info (kmrz): EAnnnnnn<307nnnn312nnnn6

Select Passport Application (AID):  OK
Select Master File:  Basic Access Control enforced!
Authenticating:  OK

Generate session keys: 

Kifd XOR Kicc (kseed):  1edfc8a6963509b658a131c582715ab4
Session Key ENC:  544929197fc7cdb96dae46e03876d6ce
Session Key MAC:  0b209e16f42c543743b97586016138d0

Calculate Send Sequence Counter: 

SSC:  e73e5c97ee24ba0e
60165f01
File Length:  24
Reading: 00000
EF.COM:  Length:  22
Tag: 5f01 (LDS Version)
  Length:  4
    Data:  30313037
Tag: 5f36 (Unicode Version)
  Length:  6
    Data:  303430303030
Tag: 5c (Tag List)
  Length:  4
    Data Group:  61 (EF.DG1 Data Recorded in MRZ)
    Data Group:  75 (EF.DG2 Encoded Identification Features - FACE)
    Data Group:  6c (EF.DG12 Additional Document Detail(s))
    Data Group:  6d (EF.DG13 Optional Detail(s))
EF.COM stored in /tmp/EF_COM.BIN

Select EF.SOD:  File Length:  2055
Reading: 00000
EF.SOD stored in /tmp/EF_SOD.BIN

Select DG1: 
615b5f1f
File Length:  93
Reading: 00000
EF.DG1 stored in /tmp/EF_DG1.BIN
EF.DG1:  Data Length:  88
  Decoded Data: P<NZLCLARKE<<xxxxx<xxxxxxx<<<<<<<<<<<<<<<<<<EAnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06
    Document code:  P<
    Issuing State or organisation:  NZL
    Name:  CLARKE<<xxxxx<xxxxxxx<<<<<<<<<<<<<<<<<<
    Passport Number:  EAnnnnnn<
    Check Digit:  3
    Nationality:  NZL
    Date of Birth:  07nnnn
    Check Digit:  3
    Sex:  F
    Date of Expiry:  12nnnn
    Check Digit:  6
    Personal Number or other optional elements:  <<<<<<<<<<<<<<
    Check Digit:  0
    Composite Check Digit:  6

Select DG2: 
File Length:  14517
Reading: 00000
EF.DG2:  JPEG image stored in /tmp/EF_DG2.JPG
EF.DG2 stored in /tmp/EF_DG2.BIN

And voila! Passport read...

Photo from RFID chip


August 21, 2007

German anti-hacker law bites hard

The recent change to German law to implement the EU Framework Decision on Attacks against Information Systems (enacted in Paragraph 202c of the German Penal Code) has caused many security researchers based in Germany to look to move elsewhere, or to remove previously available research findings.

The change in the law, which went into effect on August 10, criminalises the production, distribution, possession, and sale of tools that can be used to commit cybercrimes. Unfortunately, a strict interpretation of the changes would make possession of tools that could be used maliciously (such as nmap or Nessus, for instance) illegal. While in reality legal opinion is that the courts would differentiate between a cracker and a security researcher based on their intent, no one (unsurprisingly) seems to want to be the first test case.

The content of a number of projects has all but disappeared, such as the recent Month of PHP Bugs and the well-known THC (The Hacker's Choice) group, as well as smaller projects such as BtCrawler. Others are saying farewell to Germany and re-establishing themselves elsewhere, such as the KisMac wifi scanner for OSX and the Phenoelit group.

All in all, a hard strike against a country which has produced much valuable security research and expertise.


February 4, 2008

Beating phishers at their own game

A couple of old colleagues of mine, Billy Rios and Nitesh Dhanjani (with whom I wrote "Network Security Tools"), have been up to some interesting research into the widespread and pervasive phishing problem.

Check out Nitesh's site or Billy's site, read the interview they did with Help Net Security, and see them talk about it at Black Hat Federal 2008 in DC on the 20th of February.



About General

This page contains an archive of all entries posted to justinclarke.com in the General category. They are listed from oldest to newest.

This weblog is licensed under a Creative Commons License.