OWASP

I have been reading about the OWASP Top 10. Apparently they are a list of common web security breaches. There seems to be a new list each year. Figure I had better know what they are, to lock down my site and maybe open up others.

OWASP stands for the Open Web Application Security Project. They are a non-profit. They focus on software security. But back to the Top 10. Last year they focused on things like SQL injection (or general injection). Of course cross site scripting was up there. So was misconfigured security.

Good stuff. I wonder what will be on the list for 2014?
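To make the two Top 10 items named above concrete, here is an added example (my own code, not anything from OWASP or the original post). It uses an in-memory SQLite table with one constructed user row and shows a login query built by string concatenation beside a parameterized one, then a comment renderer that reflects input raw beside one that escapes it. All names (`login_vulnerable`, `login_safe`, `render_vulnerable`, `render_safe`) and the sample data are assumptions made for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory database with a single sample user (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Injection-prone: user input is pasted into the SQL text itself."""
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, name, password):
    """Hardened: placeholders keep input as data; it can never become SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def render_vulnerable(comment):
    """XSS-prone: untrusted text is dropped straight into the HTML."""
    return "<p>%s</p>" % comment


def render_safe(comment):
    """Hardened: html.escape turns <, >, &, quotes into entities before output."""
    return "<p>%s</p>" % html.escape(comment, quote=True)


def demo():
    """Run both login variants against good, bad and tautology-style inputs."""
    conn = make_db()
    # Constructed probe: a quote followed by an always-true clause.
    tautology = "x' OR '1'='1"
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_bad_creds": login_vulnerable(conn, "alice", "wrong"),
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "safe_good_creds": login_safe(conn, "alice", "s3cret"),
        "safe_bad_creds": login_safe(conn, "alice", "wrong"),
        "safe_tautology": login_safe(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    print(render_vulnerable("<b>hi</b>"))
    print(render_safe("<b>hi</b>"))
```

The `vuln_tautology` entry comes back true because the concatenated query reads `... AND password = 'x' OR '1'='1'`, and `AND` binds tighter than `OR`; the parameterized version compares the whole string against the stored password and correctly fails. The same separation of data from syntax is what `html.escape` buys you on the output side.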

Game King Video Poker Hacked

I read a great Wired article on two dudes who exploited a hack in the casinos to win a lot of cash. It was only one of the guys who actually discovered the bug in the video poker machines. He shared the info with his friend to extract the most cash from casinos. Unfortunately, things grew sour between the friends. Then a casino got wise and had the guys arrested.

Turns out these guys found a scenario where they could change their bets after the game was played. They used this to rack up big money when their hands won. It required a certain option switch for mega-money to be enabled on the machine. In the end, their cash was confiscated. And the IRS still wants to tax these dudes.

What was the moral of the story? There were a few. It is possible to hack even the seemingly locked down world of video slot machines. You should not enlist an accomplice. Don't get greedy when milking a cash cow. And so on.

Trouble on the LAN

I got a wireless network running at home. Got a lot of devices on it including a few printers. Recently I found that I could not print to any of our printers. Then I dug further and found I could not access any computers on the network. WTF?

The really weird thing was that I could access the Internet fine. What happened recently? Got a new wireless router that I plugged directly into to configure. Also took my computer to another location and tried to connect to the wireless network there. These things should not have messed me up.

I could not for the life of me figure out what the hell was going on. I contemplated restoring my system back to the factory settings and moving on from there. But I got all kinds of programs installed. So I took a chance to restore the system back to a recent restore point.

I recalled when I last knew the machine was working. Restored Windows back to that point. Bamn. The printing is working now. Got to check any other system changes I made. But I should be good to go. I still rely on printing out stuff. Did not know how much so until I could no longer print.

Hakar at the Gate

I was reading the paper while eating lunch. There was an ad for something titled "Hackers @ the Gate" near the back page of my paper. Not sure what that title even means. There were two featured speakers shown in the ad. One of them was Arati Prabhakar. Umm, is Hakar her real last name?

Turns out it is. She is the head of the Defense Advanced Research Projects Agency (DARPA). Previously she was head of the National Institute of Standards and Technology (NIST). If those credentials are not enough, she has a PhD in Applied Physics from Caltech. Bamn.

I went online to check out the link from the ad. Turns out this was for the Cybersecurity Summit being held tomorrow morning. The funny thing is that the other featured speaker was Mike Rogers, Chairman of the House Intelligence Committee. Yeah he might be a big deal. But Hakar is the one that caught my attention.

Making the Master

Sometimes you cannot get access to key blanks. That's okay. You can buy a bunch of locks and study similar keys that work. Or you can go the route of a smart key. This is a key that can potentially open multiple different locks. Just be warned that you might need to use a little force to budge the lock open.

If you do have access to some blanks, you can try a couple times to get through. The key (no pun) is to cut one key depth at a time. You might be able to create a key that works on multiple locks. You produce a master, then you become the master. Sounds like Star Wars, right?

The Reflecting Key

Some dude who goes by the handle Josh invented a key called the reflecting key. It was a simple but effective hack. This is also called the smart key. The key itself has wafers. You can look inside to see the heights that the key needs to be to unlock the lock.

The key itself is hollowed out. There is an angle that shines up into the lock mechanism. You can take pictures of what you see in the key. There are six possible depths you need to measure. This works on Schlage locks, even the secure ones.

Impressioning

Let's talk about rake keys. These are also called gypsy keys. You take a key blank and file it down. In essence you use the key like a pick. There is a large bump at the end of these types of keys. They are the same types used for automobiles.

This is a subset of what's known as impressioning. Like with rake keys, you start with a key blank. Then you use the lock itself to get information on how to modify the key to fit. You will need a file to carve the key. You will also need a magnifier to spy on the lock you are trying to bypass.

You should have a couple of key blanks if you are trying this technique. You should also have something to hold the key steady like vice grips. You put the blank in the lock and turn it. The marks on the key indicate how you should cut it.

You can color the key with a sharpie to see where the lock interacts with the key. Or you could use ultraviolet rays to do the trick. The goal is to produce a real key that works in the lock.

Key Hacking Scandals

High profile locks have been in the news. One that comes to mind is the Diebold voting machines. They showed the keys used to unlock the machines in public. Someone took a picture of the keys. Now they are owned. And if you can believe it, the same key opens up all the machines. WTF?

Next up we have the New York City metro transit authority. They use Yale locks throughout their travel systems. Those locks have been hacked. In fact, you can pick up a master key on the black market for about $50.

A prominent reporter bought an NYC MTA master key to use for a story he was writing. Ooops. The reporter showed a picture of himself and his key. Now your average Joe does not even have to shell out the fifty bucks to bypass the MTA security.

Copying Keys

Schlage is one of the most common lock manufacturers in the USA. However the experts say they are not the most secure. Some simple techniques can be used to get past such locks if you know a few things.

You can make an impression of an existing key very quickly. Talking about a few minutes here. This works for all but high security locks. Put the working key in some putty. That makes a three-dimensional impression. Let it harden and you are good to go for cutting a copy.

So if you lose access to your keys for even a short time, you are as good as owned. This is true even for secure locks. And you don't even have to lose physical possession of your key. Someone can take a picture of the key and clone it. Experts can just look at your key and figure out how to replicate it.

If you are trying to dup a key, you should try a couple different combinations. One of them is bound to work if you have a little skill. You can take advantage of the possible layouts of keys.

If you cannot take possession of a key, you can use long range photography to get the 411. Software now can even take into account the rotation of a key in a picture.

Lock Ownage

I watched a video from DefCon 18 on key attacks. Talking about physical keys that open locks. Learned a whole lot in about an hour. Wish I was there in person. Took a couple pages worth of notes. Will record the highlights in the next few posts so I can keep this info around.

It might sound simple. But the best way to attack a lock is to get ahold of a key that works in it. If you possess the key, even for a short time, you can duplicate it in general. The key tells you all kinds of good stuff about the lock.

You can inspect the cuts made in the key. You can pretty much figure out the type of lock that it fits. Sometimes the actual model number of the lock is stamped on the key. You can measure the depth of the key cuts using tools such as a micrometer, a gauge, or caliper.

Information on locks is not hidden or made obscure. It is out there in the general public. Not too safe. Even the standard sizes of key cuts for all kinds of locks are freely available. Not good if you are trying to deter lock picks.

Anatomy of a Scam

I like to look at my spam folder in Gmail every once in a while. You never know what type of gems pop up in there. Today I found a scam email that raised the bar for letters from Nigeria. This time around, the story was that the FBI found that I was communicating with scamsters. The FBI negotiated on my behalf with some foreign country and has a settlement to pay me in the form of an ATM card. I just need to send in $250.00 total...

Here are the pieces of the email that I thought were getting better. They reference some specific units in the FBI. They also put the J. Edgar Hoover postal address in the email. And get this. They even make reference to the fact that there are some scammers out there that I may have lost money to! Precious.

Where do they continue to foul up? Well the email came from somewhere in France. Umm the FBI sends email from fbi.gov, right? They also want me to send my $250 to someone using their Gmail address. Once again, wrong domain. Gmail put all kinds of warnings around this email stating that it is most likely a ploy to steal my money.

Nice try guys. You are indeed stepping up your scamming skills. But you have not hit the home run yet. When will they ever learn?
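The tells listed above (wrong sending domain for the claimed organisation, a Reply-To on a free mail provider, a first hop in another country, a request for money up front) are exactly the kind of thing a mail filter can score mechanically. The following is an added example of my own, not code from the original post or from Gmail: it parses a constructed message modelled on the post's description with Python's standard `email` module and returns a list of findings. The `IMPERSONATION_TARGETS` table, the sample messages and the `example.fr` / `example.org` hosts are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the post's description; not the real email.
SAMPLE_SCAM = """\
Received: from mail.example.fr (mail.example.fr [203.0.113.10]) by mx.example.net
From: "Federal Bureau of Investigation" <settlement.office@example.fr>
Reply-To: agent.payments@gmail.com
To: me@example.net
Subject: FBI settlement payment via ATM card

The FBI has negotiated a settlement on your behalf. Send $250.00 to release your ATM card.
"""

# Constructed control message that should produce no findings.
SAMPLE_OK = """\
Received: from mail.example.org (mail.example.org [203.0.113.20]) by mx.example.net
From: "Newsletter" <news@example.org>
To: me@example.net
Subject: Monthly update

Here is this month's update.
"""

# Organisations a message might claim to be from, mapped to the domain they really use.
# Assumed table for this example; extend it for your own environment.
IMPERSONATION_TARGETS = {
    "fbi": "fbi.gov",
    "federal bureau of investigation": "fbi.gov",
}


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def same_org(host, real_domain):
    """True if host is real_domain itself or a subdomain of it."""
    return host == real_domain or host.endswith("." + real_domain)


def analyze(raw):
    """Return a list of (code, detail) findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    claimed_text = (display + " " + msg.get("Subject", "")).lower()

    # 1. Display name or subject names an organisation the sender domain is not part of.
    claimed_domain = None
    for keyword, real_domain in IMPERSONATION_TARGETS.items():
        if keyword in claimed_text:
            claimed_domain = real_domain
            if not same_org(sender_domain, real_domain):
                findings.append(("sender-domain-mismatch",
                                 f"claims {real_domain} but sent from {sender_domain}"))
            break

    # 2. Reply-To diverts replies to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(("reply-to-mismatch",
                         f"replies go to {domain_of(reply_to)}, not {sender_domain}"))

    # 3. Earliest Received header (the last one listed) shows where the mail entered
    #    the relay chain; compare it with the domain the message claims to be from.
    received = msg.get_all("Received") or []
    reference = claimed_domain or sender_domain
    if received:
        match = re.search(r"from\s+([\w.-]+)", received[-1])
        if match and not same_org(match.group(1).lower(), reference):
            findings.append(("origin-mismatch",
                             f"first hop {match.group(1)} is outside {reference}"))

    # 4. Body asks the recipient to send money (advance-fee pattern).
    body = "" if msg.is_multipart() else msg.get_payload()
    if re.search(r"\bsend\b.*\$\s?\d", body, re.IGNORECASE):
        findings.append(("advance-fee-request", "body asks the recipient to send money"))

    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_SCAM):
        print(f"{code}: {detail}")
    print("control message findings:", analyze(SAMPLE_OK))
```

Each check on its own is weak (plenty of legitimate mail has a different Reply-To, for instance), which is why filters combine them into a score rather than treating any single one as proof; the scam in the post trips all four at once.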

Demoscene Drama

Someone released a 128 byte demo named Wolf128 the other day. They tagged it as being done by Red Sector Inc. The demo is very cool. I have no idea how it could be implemented in 128 bytes alone. The real story is that people took offense at the work being credited to Red Sector Inc (RSI).

To tell you the truth, I did not know who the heck RSI is/was. That's because they are very old. They were started in the 1980s writing demos for the Commodore 64. In the 1990s they moved to writing demos for the Amiga.

Sometime later the crew joined forces with a group called TRS. Collectively they were then known as Tristar Red Sector Inc, or TRSI. Yeah. I know. Who cares right? Well apparently TRSI alumni do. Nevertheless, the demo is cool. Check out the Wolf128 page.

Codebabes

The Internet is abuzz with the launch of the Codebabes web site. This site tries to teach you topics such as HTML, CSS, and PHP. To encourage you to pay attention, the presenters are women in various stages of undress.

At first I thought this might be a joke. Then I thought it was a scam to get my credit card number. It does not seem to be either. As long as you answer the quiz questions correctly, you can proceed to the next lesson (and see some clothes come off your presenter).

I actually went all the way through the PHP tutorial. Not much was learned. I already know my PHP. Some of the quiz question answers were wrong. Oh well. The presenter seemed to be a bikini and lingerie model. At least she seemed to know how to present the material.