TV-B-Gone experiments - Part 1

02/04/10 | by zveriu | Categories: Fun, Hardware, Software, Hack

Prologue

For those who don’t know, TV-B-Gone is a device that makes TVs… well, be gone… (as in Boris-The-Bullet-Dodger). It was invented by Mitch Altman and is sold as a ready-made (but limited in flexibility) unit, as well as a soldering/programming kit from Limor, aka LadyAda.

I bought my TV-B-Gone kit version 1.1 from LadyAda some time back, but only recently, with help from VadimBo, did we get it soldered and (re)programmed.

Just to give you an idea of what can be done (not that it is actually advised :) ) - check “Confessions: The Meanest Thing Gizmodo Did at CES”.

To the point

The downsides of the version 1.1 are:

  • firmware 1.1 and 1.1b support mainly North American (NA) codes
  • firmware 1.1 and 1.1b support only around 40+ codes in total

So I backported the following from tvbgone firmware 1.2 (Caitsith’s corrected WORLDcodes.c #ifdef version) into firmware 1.1b:

  • removed NAcodes, the uncompressed version of the limited codes table
  • added WORLDcodes, the compressed/optimized version of the extended codes table
  • modified main() to use the compressed codes table routines
  • modified the Makefile to select the EU table, the NA table, or both

Downloads


Theoretically 1 USD = 1 EUR and 1 EUR = 2 USD is possible!

01/13/10 | by zveriu | Categories: In real life, On the web, AskAmit, Hack

UPDATE 20101012

By a very nice coincidence I have bumped into this interesting paper (dated around 15 Jul 2008) - “BREAKING THE BANK - VULNERABILITIES IN NUMERIC PROCESSING WITHIN FINANCIAL APPLICATIONS” - ENJOY the reading!

Given that I currently work at a telecom billing software company, I just cannot find enough words and meanings to confirm with sorrow that pretty-fucking-many of my fellow programmers do not give a shi…ny glass about avoiding these kinds of problems. Worse, they don’t even realize it :-S…

PS: …and YES, Bank Of Cyprus (along with its new migrated Java/JSF-based banking application - a special post on this to follow) allows/uses:

  • input like “1E+3” which gets translated into “1000”
  • “round-to-nearest, ties away from zero” for the 3rd decimal, i.e. “0,004” gets translated to “0,00” and “0,007” gets translated to “0,01”
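The two bullets above are exactly the input-validation and rounding classes of bugs the “Breaking the Bank” paper catalogues. As an added illustration (my own example code, not the paper’s and not the bank’s), the block below shows why a parser that simply hands user input to a numeric constructor accepts “1E+3” as 1000, what a whitelist parser for amounts looks like instead, and how per-posting rounding with “ties away from zero” versus banker’s rounding drifts from the exact total once sub-cent inputs are let through. The amount grammar (no sign, no exponent, no thousands separator, at most two fraction digits, comma or dot as decimal separator) is a constructed assumption for the example, not any real bank’s rule.

```python
import re
from decimal import Decimal, InvalidOperation, ROUND_HALF_EVEN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed grammar (assumption for this example, not a real bank's rule):
# 1..13 integer digits without leading zeros, then optionally ',' or '.' and
# at most two fraction digits. No sign, exponent, whitespace or thousands separator.
AMOUNT_RE = re.compile(r"^(?:0|[1-9]\d{0,12})(?:[.,]\d{1,2})?$")


def lenient_parse(text: str) -> Decimal:
    """Naive parser: normalise the decimal comma and hand the string to Decimal().
    Decimal() (like float() and Java's BigDecimal) understands exponent notation,
    so '1E+3' is silently accepted as 1000 and '0,004' keeps a third decimal."""
    return Decimal(text.strip().replace(",", "."))


def strict_parse(text: str) -> Decimal:
    """Whitelist parser: anything outside AMOUNT_RE is rejected, and the result
    always carries exactly two decimals, so no later rounding step is needed."""
    if not AMOUNT_RE.fullmatch(text):
        raise ValueError(f"rejected amount {text!r}")
    return Decimal(text.replace(",", ".")).quantize(CENT)


def round_to_cents(value, rounding: str = ROUND_HALF_EVEN) -> Decimal:
    """Round a (string or Decimal) value to cents with the given decimal rounding mode.
    ROUND_HALF_UP is Python's name for 'round to nearest, ties away from zero'."""
    return Decimal(value).quantize(CENT, rounding=rounding)


def rounding_drift(amounts, rounding: str) -> Decimal:
    """Sum of individually rounded postings minus the rounded exact total.
    Non-zero drift means money is created or destroyed purely by rounding."""
    amounts = [Decimal(a) for a in amounts]
    per_line = sum((round_to_cents(a, rounding) for a in amounts), Decimal("0"))
    exact = round_to_cents(sum(amounts, Decimal("0")), rounding)
    return per_line - exact


if __name__ == "__main__":
    # Constructed sample inputs: the two cases from the post plus a few neighbours.
    for text in ["1E+3", "1e3", "12,5", "0,004", "0,007", " 100 ", "1.000,00"]:
        try:
            lenient = str(lenient_parse(text))
        except InvalidOperation:
            lenient = "error"
        try:
            strict = str(strict_parse(text))
        except ValueError:
            strict = "rejected"
        print(f"{text!r:12} lenient={lenient:10} strict={strict}")

    # 1000 postings of 0.005: rounding each line vs rounding the total.
    ties = ["0.005"] * 1000
    for mode in (ROUND_HALF_UP, ROUND_HALF_EVEN):
        print(f"{mode:16} 0.005 -> {round_to_cents('0.005', mode)}"
              f"  drift over 1000 postings: {rounding_drift(ties, mode)}")
```

The defensive point is that the rounding mode is a secondary concern: both modes drift once third-decimal inputs are accepted, so the fix is to reject such inputs at the boundary (as `strict_parse` does) rather than to pick a “better” rounding rule afterwards.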

Happy hacking…

Money

When it comes to speaking about money, a lot of people get interested. And nowadays most money discussions revolve around, or near, the EUR-USD exchange rates.

Some people (including me sometimes :) ) are unhappy to depend on, and always lose, their honestly earned savings because some avid and greedy circles of interest play with the exchange rates and make them uncontrollable.


RATB/Metrorex Card Activ Hacked

11/14/09 | by zveriu | Categories: Hardware, Software, Hack, RFID

RATB/Metrorex Card Activ Hacked
…and “Mifare Classic Dark-Side Key Recovery Tool” released under GPL!

Well… It was about time for the RATB/Metrorex Card Activ in Bucharest to fall… And it is not even news. The OV Chipkaart in the Netherlands and the Oyster Card in London were broken in the near and not so near past…

RATT Contactless Ticketing in Timisoara and EasyCard in Taipei are the next samples of cards to be “hacked”, i.e. the keys are recovered; only the data remains to be analyzed.

Mifare Classic is both theoretically and practically broken in both active (sniffing) and passive (card-only) attack scenarios.

Thanks to ignorance, lots of money/interest (14 Millions of Euros) and UTI/PMB (Primaria Municipiului Bucuresti/Bucharest City Hall) involvement, RATB/Metrorex still uses Mifare Classic.

Hell ya, where are they gonna go? It’s a logistical nightmare to upgrade the readers in the entire RATB fleet and at all Metrorex entrances, to manage the exchange of the 800.000 cards already sold, not to mention the additional several Millions of Euros for upgraded equipment and software…

Even though researchers have been blowing the whistle since last year, no system integrator or vendor seems to care :). Well, it seems that a few smart guys (and I am not pointing at me, I just implemented what others had known and researched for a long time) can fcuk up dozens of systems, each costing Millions of Euros.

Nice equation: (a dozen of smart guys * their brain IQs of Millions) >>>OUT-WEIGHTS>>> (the dozens of projects * XX Millions of Euros)

Long story short, here we go - food for the brain (yes - food for the brain, not spoon-feeding - note the difference):

RATB/Metrorex Mifare Card Security Assessment Document (PDF)

RATB/Metrorex Mifare Card Security Assessment Document (MS Word 2007)

http://code.google.com/p/tk-libnfc-crapto1/

Enjoy!

PS: (14 Nov 2009)
Ironically, on the night of publishing this paper/post and the open-source/binary for key recovery, UTI has posted these news “Cardurile de călătorie RATB se pot reîncărca online sau la bancomat (13 noiembrie 2009)” (i.e. “RATB cards can now be topped-up online or at some BCR ATMs”).

DISCLAIMER: The information and reference implementation source/binary contained herein is provided:

  • for informational use only as part of academic or research study, especially in the field of informational security, cryptography and secure systems
  • as-is without any warranty, support or liability - any damages or consequences obtained as a result of consulting this information are purely on the side of the reader
  • NOT to be used in illegal circumstances (for example to abuse, hack or trick a system which the reader does not have specific authorizations to - such as ticketing systems, building access systems or whatsoever systems using Mifare Classic as core technology)

iPhone Face Detection

02/17/09 | by zveriu | Categories: Software, iPhone, Hack

I think it is pretty amazing, since as far as I know and have searched, it seems to be the first face detection app running on the iPhone itself.

Regarding comparison with iFace and iPhoto - it looks like these apps snap the picture and send it to a central server for processing, etc. (I am not going to go into a detailed description and comparison of all these apps’ features, though.)

Also, it seems that hotels far away from home may act as energy and idea boosters. One year back, when setting up my site, I set myself the goal of making the code portable and running it on as many platforms as possible, including the iPhone I got at that time. After one year of delay and finally a few days of hotel lock-up, I have it working on the iPhone.

Feeling of satisfaction is unbeatable.

Few notes:

  • Code is almost 100% portable. Yes, few minor tweaks of settings for the compiling environments, but overall the same routines are used for all these platforms: Windows, Linux, Cygwin, iPhone (FW 1.1.2), Mac OSX.
  • It is good to see false-positives and missed true-positives if talking from research point of view, since this means there is room to improve and study. The percentages of detected true-positive, missed true-positives and false-positives seems to be around 80%/15%/5%.
  • Still have to check and properly evaluate processing times. No figures here yet
  • Compilers used are gcc flavors for the corresponding platform/architecture
  • For the iPhone I used iphone-dev team’s toolchain for iPhone FW 1.x
  • Unfortunately, I cannot share or release the code at this point. Please don’t ask for it, at least for the moment
  • However, if you have any serious research or commercial offers, don’t hesitate to contact me (contacts on the right panel)
  • Click here for related links of my previous work

TODOs:

  • Seems like last-minute hassle made my facial features (eyes-mouth triangle) not work properly. Hopefully this will be fixed next time I touch the code (never know when that happens)
  • Face recognition. I have some experimental code for PCA method, though I want more research on this.
  • Face and flow tracking in video feed from iPhone (crappy) camera

Stay tuned…


eJobs.ro - SQL in-FUCK-jected!

02/03/09 | by zveriu | Categories: On the web, DailySpammer, AskAmit, Hack, SQL Injection

eJobs.ro security hacked and screwed again - execution by cold-blooded SQL injection

Yes boyz and pretty girlz, eJobs.ro gets it in the face again and gives away 1.3 Mln resumes and personal information! More - passwords in clear, not even hashed…

My two cents on this:

1. Nice work from the guys here - HackersBlog.org

2. Some of my early whistle-blowing to ejobs.ro here (ejobs XSS1) and here (ejobs XSS2) - it seems they have either a deaf or a nonexistent security assessment team… Too bad for them…

3. It seems that the method used by the guys was one of my earliest attack methods, which I left aside for some dumb reasons. eJobs.ro Attack Vectors file

The below is what I was exercising back then, and a similar attack vector is what the guys really used to SQL-inject (the below no longer works, for obvious reasons… :) )

Code:

4. Also, if you go specifically to http://ejobs.ejobs.ro (yes, double times ejobs, it is not a typo!) you will see an internal eJobs position posting. The interesting details I have highlighted below:

eJobs job posting - hahaha

Till next time, enhance your Knowledge of Secure Programming Best Practices.


Cognitive and Scientific Brainology

A deep dive into brain's curiosities