Full disclosure?

Today I am doing anti-money laundering training. This comprises
several things:
1. What is money laundering.
2. Why you shouldn’t do it.
3. How to spot money laundering.

Now, prior to today I only vaguely knew what money laundering is. I
also just knew it was illegal, but not what others could lose from
doing it. Also I had no idea how to spot it.

But now, truth be told, all they have done is give me the information
to launder money successfully.

They have given me the motive – previously I didn’t know how it
disadvantaged people. I just look at the opposite side of it and see
how it would advantage me.

They’ve given me the means – I now know how it works.

They’ve also told me how to spot it, and by extension, how to avoid
being caught.

It really does seem that all the training has achieved is keeping the
honest people honest.

I guess however, when it comes down to it I fall into that group.

Hypocritical locksmith community still promoting security through obscurity

Locks and building security is a funny business. The fundamental goal of a lock is to only let someone with a certain key open that lock. But they are mechanical devices, so there will always be weaknesses and ways to open them without the key – that could be as simple as “carding” the bolt (bypassing the lock altogether) or as complex as single pin picking the cylinder.

The concept of a truly unpickable lock is a fallacy. After all, if a key can open it, something that assimilates the key can also open it. That’s all that lock picking is – assimilating the key. All we can do is make the lock stronger or more pick resistant. This has been going on for years – 100 years ago simple warded lever locks were common, whereas now most house front doors will have a deadlocking nightlatch as well as one or more 5-lever mortise locks incorporating anti-pick features. The silly thing is there is nearly always a window that can be broken right next to the door.

Quite frequently it turns out that locks have design flaws, which make the lock far more vulnerable than it should be. Examples of this are padlock shims, comb picks and the now legendary Kryptonite ball point pen problem. What’s the best policy in these situations? Keep it secret so that not even the bad guys know about it? Or tell everyone so that they can make an informed decision about upgrading their locks? The locksmith community has always promoted the security through obscurity route. Whether this is for the best or not, I don’t know.

One such recent vulnerability has been termed “lock snapping”. This has been known about for years. Most UPVC doors use euro profile lock cylinders – these are oval shaped cylinders which contain just the lock itself, and they are inserted into the door inside of a locking mechanism along with a handle and deadbolt. This allows the user to choose what lock to fit to the door, and makes it easy to replace.

And there is the problem – the cylinder is removable from the lock, and hence vulnerable to attack. There are two basic methods. One is to grab the lock with a pair of mole grips (locking pliers) and bend it backwards and forwards until it snaps in the middle. The other is to drive a hardened steel screw into the keyway, and then you can pull the entire cylinder out, sometimes using mole grips, and sometimes using a slide hammer. This can take less than 30s with practice.

Manufacturers have responded in several ways:

  • Hardened steel escutcheons prevent the lock from being grabbed onto. Generally you can still pull the cylinder with a screw.
  • Sacrificial outer sections snap off first, leaving the locking mechanism intact in the middle (Mul-T-Lock Break Secure). Again, vulnerable to the screw.
  • A laminated steel plate strengthens the cylinder (the CISA Astral range). These can still be snapped.

But as predicted, the locksmith community wants to keep this under wraps. I can’t work out why – there are already a large number of burglaries that are carried out using this as the method of entry – the bad guys already know how to do this. Why shouldn’t people be made aware of a problem with their locks that renders them practically ineffective?

Last week, a representative from Avocet locks turned up on one of the locksmith forums. He challenged anyone to come to their workshops and try to attack one of their new locks, which are supposedly not vulnerable to snapping. As part of this, he posted several videos on YouTube showing successful attacks against CISA and other locks.

These videos seemed to annoy the locksmiths, despite the fact that there are loads of other videos available, and it’s pretty obvious how to do it anyway.

The best bit is, this forum is associated with a company that sells bump keys to anyone who wants them. I detect a certain level of hypocrisy here.


Is someone at UKPA really this dumb? Post slating Chip + PIN flaw originates from APACS IPs

An interesting development on the Chip and PIN flaw made public this week. On the lightbluetouchpaper.org blog of the Security Research group at Cambridge, a poster called Scrutineer comments:

The attack was never successfully executed. To be successful it had to be done against a card that was reported lost and stolen. Nowhere in the report do they assert that they reported the cards they tested as lost or stolen! All they have done is prove a genuine card can be processed with odd and inconsistent CVR and TVR settings. Hardly compelling evidence.

The rest of the post goes on to use ad-hominem and straw man arguments against the research. Although frequently the discussions on full-disclosure or other mailing lists will drop to this level, it’s pretty rare to see this kind of childish argument on this particular blog.

Indeed, the paper does actually present some opinion and conjecture – but what’s the point in purely theoretical security research? It’s vital that someone takes the time to think about how theoretical attacks can be extended into the real world.

Where it gets really interesting is when Ross Anderson himself performs a whois on the IP address – and it appears to be coming from APACS (which is now the UKPA) themselves. They are the body that should really have ensured that Chip and PIN wasn’t a gigantic fuck-up. It’s clear they failed, and failed badly.

Is someone who works for UKPA actually this stupid?

The best bit is that his post admits that there is absolutely no value in the PIN. The only protection is simply:

  • Having a card in your possession
  • Not having a card in your possession but reporting it stolen.

It might be some kind of set up… but if not, EPIC FAIL.

UPDATE

Seems like it is a wind-up, inasmuch as there is an open proxy running at UKPA.

Chip and No PIN – simple failure of protocol when verifying PIN.

We demonstrate a middleperson attack on EMV which lets criminals use stolen chip and PIN cards without knowing the PIN.

This is an epic fail on the part of the designers of the specification. No doubt people will say “the spec is fine, it’s the implementation”. You shouldn’t have given free rein over how it was implemented in that case.

BBC News – New anti-flying monkey air defences installed

Bill Tupman, an expert on counter-terrorism from Exeter University, told BBC News: “The problem is trying to predict the mind of the al-Qaeda planner; there are so many things they might do.

“And it is also necessary to reassure the public that we are trying to outguess the al-Qaeda planner and we are in the process of protecting them from any threat.”

I know it’s quite common for people to be misquoted but I can’t see how it could have happened here. It’s good to see an expert that thinks we need protecting against every single threat. It’s almost the definition of terrorism.

USB Electronic Key Impressioner looks like it is made up…

USB Electronic Key Impressioner could help you be gone in 60 milliseconds

If you’re stealing a car these days, there’s a good chance you’re not bothering to actually pick the locks, but if you are, your job is about to get a little easier. A device called the Electronic Key Impressioner is inserted into a car door and scans the position of the tumblers inside. It feeds information back to a PC over USB which then, when told the car’s model, can provide the necessary information to cut the perfect key on the first attempt. Right now it only works on Fords with simple metal keys (like, say, a 1967 Shelby GT500), but the hope is to expand the device to support other manufacturers and, possibly, electronic keys in the future. It will be available to locksmiths and authorized security professionals in 2010. Sorry, Nick, you’ll have to find another way to get into Eleanor.

What’s this thing all about? I’m not sure how it could possibly work, or if there is much point to it. The lack of photo suggests it isn’t real.

$75 shipping GPL software… really not in the spirit

I’m doing a bit of research at the moment, and found that the product that I was looking into used GPL licensed software. I found an e-mail address on a page to request a copy of this software, so sent them a mail asking for the CDs to be delivered.

I get a reply an hour later:

Please note that our Network Access Solutions code itself is not open source covered by GPL licenses. Only the embedded LINUX and a few other applications that are also included in our VertX or EDGE products are covered by the GPL License.

If you are interested in becoming an HID Development Partner, we do offer API’s to our code for our non-Solo EDGE and VertX products enabling you to create your own custom Host interface. If this is the case, please contact Brenten Scott at bscott@hidglobal.com. Note that a mutual NDA will be required for these next steps.

However, if you are looking for the GPL LINUX source code used in our VertX and Edge products, then please send an email to gpl@hidglobal.com with the following information:

Your name
Company Name (if applicable)
Address
Phone Number
FAX number
company web address (if applicable)
email address
part number of desired GPL disk (6080-515 for Vertx/Edge)

We will then enter an order to fulfill your request. We cannot process any orders without all of the above information.

Please note that there is a $75 US shipping and handling charge for distributing free software and you will be contacted by telephone to get your payment preference and details. We accept MasterCard, Visa, or American Express. If you feel comfortable in providing your credit card information in your reply, feel free to do so.

Bah. $75 dollars? For shipping some CDs? Why not make it available for download?

I’m thinking of sending a reply:

Sorry, that’s a ridiculous amount of money for shipping a CD. I’m interested in finding vulnerabilities in your products – I’m sure I can find it for download on the internet anyway.

Make the Pope Pay (or go away entirely)

Petition the PM

Make The Pope Pay

We the undersigned petition the Prime Minister to ask the Catholic Church to pay for the proposed visit of the Pope to the UK and relieve the taxpayer of the estimated £20 million cost. We accept the right of the Pope to visit his followers in Britain, but public money would be better spent on hard-pressed schools, hospitals and social services which are facing cuts.

I don’t mind religious figures visiting the UK – as long as their agenda isn’t to preach their homophobic, xenophobic, anti-abortion and sexist views. Especially when it costs so much money.

I’d rather the campaign was “stop the Pope coming altogether”. But please add your name to the petition.

Cashless vending protocol standards

[Attached image: Page0154]

So I looked into the protocols that are used in vending machines a bit more. It turns out that they use MDB / ICP (Multi Drop Bus / Internal Communication Protocol), which is a simple serial protocol. The specification is freely available from the NAMA (National Automatic Merchandising Association) website: http://www.vending.org/technology/MDB_Version_4.pdf

I'll draw your attention to the attached page from the earlier version of the protocol. It shows what happens when a vend fails.

VEND REQUEST contains the amount that the item costs, and it is up to the reader to decide if it should allow the vend. If it does, it sends a VEND APPROVED with the amount it had deducted.

The VEND FAILURE doesn't have any information about how much to refund though – it's entirely in the hands of the card reader. This goes against what I thought in the earlier post, and points to there being a problem with the card reader itself. Unfortunately, there isn't much information about the reader – I'm fairly sure it is a rebadged version of an OEM reader but have yet to find it.
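To make that bookkeeping concrete, here is a small model of the reader side of the VEND exchange. It is an added example of mine, not code from this post or from NAMA, and the opcode values are my reading of the MDB v4 cashless section, so treat them as assumptions to check against the spec:

```python
"""Model of the MDB cashless VEND exchange (added here; not code from the post or
from NAMA): VEND FAILURE carries no amount, so the reader alone must remember
what it deducted when it sent VEND APPROVED."""
from typing import Optional, Tuple

# MDB v4 cashless VEND sub-commands (VMC -> reader) and reader responses, per my
# reading of the spec; treat as an assumption and check against the NAMA document.
VEND_REQUEST, VEND_SUCCESS, VEND_FAILURE, SESSION_COMPLETE = 0x00, 0x02, 0x03, 0x04
VEND_APPROVED, VEND_DENIED, END_SESSION = 0x05, 0x06, 0x07


class CashlessReader:
    """Card-reader side of one MDB session, with per-session bookkeeping."""

    def __init__(self, balance: int) -> None:
        self.balance = balance               # card balance in scaled currency units
        self.pending: Optional[int] = None   # amount deducted for the vend in progress

    def vend_request(self, price: int, item: int) -> Tuple[int, Optional[int]]:
        """VEND REQUEST carries the price and item; the reader decides and deducts."""
        if self.pending is not None:
            raise RuntimeError("VEND REQUEST while a vend is already pending")
        if price > self.balance:
            return VEND_DENIED, None         # nothing deducted, so nothing to refund
        self.balance -= price
        self.pending = price
        return VEND_APPROVED, price          # VEND APPROVED reports the amount deducted

    def vend_success(self) -> None:
        self.pending = None                  # the deduction stands

    def vend_failure(self) -> int:
        """VEND FAILURE carries no amount: refund exactly what this session deducted."""
        refund = self.pending or 0
        self.balance += refund
        self.pending = None
        return refund


def failed_vend_session(balance: int, price: int, item: int = 1) -> Tuple[int, int, int]:
    """Drive VEND REQUEST -> APPROVED/DENIED -> VEND FAILURE for one session.
    Returns (reader response, refund issued, final balance)."""
    reader = CashlessReader(balance)
    response, _deducted = reader.vend_request(price, item)
    refund = reader.vend_failure()           # the VMC reports the drop failed
    # A correct reader ends every failed vend with the balance it started with.
    assert reader.balance == balance, "refund did not match the deduction"
    return response, refund, reader.balance
```

The constructed balances and prices are in whatever scaled units the reader reports in SETUP; the point is that the refund is derived from the reader's own record of the deduction, never from the VEND FAILURE frame.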

Another interesting thing is that the reader doesn't appear to have any connection to a network – any data offloaded needs to come through an infrared data port on the front. This uses the EVA CVS spec http://www.vending-europe.eu/en/standards/eva-cvs.html – which isn't truly free. Let's see if they give me access!