RATB/Metrorex Card Activ Hacked
…and “Mifare Classic Dark-Side Key Recovery Tool” released under GPL!

Well… It was about the time for RATB/Metrorex Card Activ in Bucharest to fall… And it is not even news. OV Chipkaart in Netherlands, Oyster Card in London were broken in the near and not so near past…

RATT Contactless Ticketing in Timisoara and EasyCard in Taipei are the next samples of cards to be “hacked", i.e. the keys are recovered, need only to analyze the data.

Mifare Classic is both theoretically and practically broken in both active (sniffing) and passive (card-only) attack scenarios.

Thanks to ignorance, lots of money/interest (14 Millions of Euros) and UTI/PMB (Primaria Municipiului Bucuresti/Bucharest City Hall) involvement, RATB/Metrorex still uses Mifare Classic.

Hell ya, where are they gonna go? It’s a logistic nightmare to upgrade the readers in the entire RATB fleet and all Metrorex entrances, manage the exchange of already 800.000 sold cards, not telling about additional several Millions of Euros for upgrade equipment and software upgrades…

Even though researches were blowing the whistle from last year, no system integrator or vendor seems to care . Well it seems that few smart guys (and not pointing to me, I just implemented what other had know and researched for a long time) can fcuk up dozen of systems, each costing Millions of Euros.

Nice equation: (a dozen of smart guys * their brain IQs of Millions) >>>OUT-WEIGHTS>>> (the dozens of projects * XX Millions of Euros)

Long story short, here we go - food for the brain (yes - food for the brain, not spoon-feeding - note the difference):

RATB/Metrorex Mifare Card Security Assessment Document (PDF)

RATB/Metrorex Mifare Card Security Assessment Document (MS Word 2007)

MFCUK (MiFare Classic Universal toolKit) http://code.google.com/p/mfcuk/

Enjoy!

PS: (14 Nov 2009)
Ironically, on the night of publishing this paper/post and the open-source/binary for key recovery, UTI has posted these news “Cardurile de călătorie RATB se pot reîncărca online sau la bancomat (13 noiembrie 2009)” (i.e. “RATB cards can now be topped-up online or at some BCR ATMs”).

DISCLAIMER: The information and reference implementation source/binary contained herein is provided:

• for informational use only as part of academic or research study, especially in the field of informational security, cryptography and secure systems
• as-is without any warranty, support or liability - any damages or consequences obtained as a result of consulting this information if purely on the side of the reader
• NOT to be used in illegal circumstances (for example to abuse, hack or trick a system which the reader does not have specific authorizations to - such as ticketing systems, building access systems or whatsoever systems using Mifare Classic as core technology)

Tags: mifare, classic, key recovery, mifare classic key recovery tool, mifare classic key hack tool, mifare key recovery source binary executable, key crack, ratb metrorex hack, ratb.ro metrorex.ro hack, ratb metrorex crack, ratb.ro metrorex.ro crack, crypto1, crapto1, lsfr_common_prefix, dark side attack, dark side paper, dark side implementation, darkside libnfc, darkside crapto1, darkside attack implementation, ratb metrorex card activ sat spart hackuit crackuit, uti ratb metrorex card activ hack hacked, ratt hack, ratt card hack, ratt.ro hack, ratt.ro card hack, ratt card crack, ratt crack, ratt card spart hackuit crackuit, easycard mifare classic taipei card hack crack, crypto1 crack, crypto1 hack, crapto1, libnfc key recovery, proxmark3 key recovery

iPhone Face Detection

I think it is pretty amazing, since as far as I know and searched, it seems that it is the first face detection app to be running on iPhone itself.

Regarding comparison with iFace and iPhoto - it looks like these apps snap the picture and send it to a central server for processing and etc. (I am not going to go in a detailed description and comparison of all these apps features though)

Also, it seems like hotels far away from home may act as energy and ideas boosters. One year back once setting up my site, I proposed myself to make the code portable and run on as many platforms, including iPhone which I got at that time. One year of delaying and finally few days of hotel lock-up and I have it working for the iPhone.

Feeling of satisfaction is unbeatable.

Few notes:

• Code is almost 100% portable. Yes, few minor tweaks of settings for the compiling environments, but overall the same routines are used for all these platforms: Windows, Linux, Cygwin, iPhone (FW 1.1.2), Mac OSX.
• It is good to see false-positives and missed true-positives if talking from research point of view, since this means there is room to improve and study. The percentages of detected true-positive, missed true-positives and false-positives seems to be around 80%/15%/5%.
• Still have to check and properly evaluate processing times. No figures here yet
• Compilers used are gcc flavors for the corresponding platform/architecture
• For the iPhone I used iphone-dev team’s toolchain for iPhone FW 1.x
• Unfortunatelly, I cannot share or release code at this point. Please don’t ask for it at least for the moment
• However, if you have any serious research or commercial offers, don’t hesitate to contact me (contacts on right panel)
• Click here for related links of my previous work

TODOs:

• Seems like last minute hassle made my facial features (eyes-mouth triangle) not to work properly. Hopefully will be fixed next time I touch the code (never know when it happens)
• Face recognition. I have some experimental code for PCA method, though I want more research on this.
• Face and flow tracking in video feed from iPhone (crappy) camera

Stay tuned…

Tags: iPhone face detection recognition tracking iFace iPhoto iFaceFriend image video processing computer vision digi-face digiface digi-face.net digi-face.org andrei costin andreicostin.com

eJobs.ro security hacked screwed again - execution with cool-blooded SQL injection

Yes boyz and pretty girlz, eJobs.ro gets it again into the face and gives away 1.3 Mln resumes and personal information! More - passwords in clear, not at least hashed…

My two cents on this:

1. Nice work from the guys here - HackersBlog.org

2. Some of my early whistle-blowers to the ejobs.ro here (ejobs XSS1) and here (ejobs XSS2) - seems like they have either deaf or inexistent security assesment team… Too pitty for them…

3. It seems that the method used by the guys was in one of my earliest attack methods which I left asside for some dumb reasons. eJobs.ro Attack Vectors file

The below is what I was exercising back then, and the similar attack vector is what the guys really used to SQL-inject (the below is not working already for obvious reasons… )

Code:

4. Also, if you go specifically to http://ejobs.ejobs.ro (yes, double times ejobs, it is not a typo!) you will see an internal eJobs position posting. The interesting details I have highlighted below:

eJobs job posting - hahaha

Till next time, enhance your

Knowledge of Secure Programming Best Practices

Tags: ejobs, ejobs.ro, ejobs ro, ejobs.ro sql injection, ejobs.ro sqli, ejobs.ro hacked, ejobs.ro hackuit, ejobs.ro security, ejobs.ro spart, ejobs.ro database, ejobs.ro baza de date, ejobs.ro CVuri

google.com - malware problem

As many might recall the Google’s glitch to tag every single site as malware site. More details are:
- @ Google Blogs (fcuk - I think someone will get pretty fudged up in the ase at Google for this human-error, since it was necessary for one of the biggest corporations VP to officially give explanations and appologies - those who worked or are working for some kind of corporations know this kind of price…)
- @ StopBadware.org

One of the most nicest things is

Google to tag itself (i.e. Google) as malware

.

Philosophically speaking, Google being a source of trust for a wide majority of people/systems AND in the same times tagging itself as malware (even though for a very small amount of time AND by “mistake” - I would love to believe that it was a mass-social-experiment ) - doesn’t it raises the question of old classes of computer-field (and not only) problems “Chain of trust and breaking the chain of trust?!”

Here is my screenshot :

Google tags Google as malware

Tags: google malware, google is malware, google stopbadware

In an older post I have been trying to figure out how to make the T-Mobile’s Sidekick prepaid plan to work with iPhone - without success, but with some useful info.

Now, basically it’s reportedly possible to have Sidekick plans (both prepaid and contract) on iPhone, given the following are satisfied:

1. You have a Sidekick plan activated for your SIM and you use hiptop.t-mobile.com as APN in the Settings->General->Network->EDGE of your iPhone
2. You have changed you iPhone’s IMEI (BEWARE: it’s illegal) to match a Sidekick device IMEI.

Now, how to know a Sidekick device’s IMEI or IMEI pattern (just for informational/education purposes on topic of IMEIs):

1. Buy a Sidekick device or borrow a device from a friend - I think this is the easiest, though the most expensive (price-convenience trade-off)
2. Search Google - you will be suprised how many people openly and desperately are posting their devices’ IMEIs
3. Generate an IMEI - just look for Advanced IMEI Generator keeping in mind Sidekick devices have Type Allocation Number (TAC - this is publicly available information) something like: 01016000, 01019000, etc. - just search entire TACs list for yourself if you are interested.

WARNING: Changing IMEI is illegial (at least the claims are like this - learn your country LEGALese language) in many countries. Check your country if you are “elligible” too. Do this on your own risk. I am not responsible on what you do with IMEI of your phones/iPhones.

DISCLAIMER: this post is intended purely for research and educative purposes. Any use of this information is sole responsibility of the reader/user and the author is not to be held liable for any miss-use of the above informative technical details.

TAGS: iPhone, IMEI, change iPhone IMEI, iPhone EDGE T-Mobile, TMobile, T-Mobile, EDGE, iPhone Sidekick, iPhone T-Mobile, Sidekick prepaid, Sidekick data iPhone