Archive | January, 2011

Happy New Year Geohot – Court Orders Seizure Of PS3 Hacker’s Computers

We published the story about the Playstation 3 (PS3) Finally Hacked & Exploit Released back in January 2010. The exploit was, of course, developed by the very prolific hacker and jailbreaker extraordinaire Geohot.

He became notorious back in 2007 by fully unlocking the iPhone, and then again in 2008 by jailbreaking iPhones running the 1.1.2 and 1.1.3 firmware.

At some point he also turned his attention to rooting the PlayStation 3 and broke through via OtherOS, leading Sony to disable it. The latest news is that Sony is going all out against him, alleging DMCA violations, copyright infringement and a string of other offences.

A federal judge ordered prolific hacker Geohot to turn over his computers and hard drives and to stop publishing the tools used to root Sony’s PlayStation 3 after finding his hack was likely a violation of US copyright law.

The temporary restraining order was issued on Thursday by US District Judge Susan Illston of San Francisco. It’s a major victory for Sony and a setback for hacker hobbyists who believe they should be permitted to modify hardware they legally own. It comes in a lawsuit Sony filed two weeks ago against New Jersey-based Geohot shortly after he deduced the security key Sony used to lock down the PS3.

The ruling also comes as a defeat to 21-year-old Hotz, who two weeks ago, argued he wasn’t subject to the suit because he doesn’t have sufficient ties to Northern California, where the action was brought. Shortly after release of the order, his attorney vowed to fight on.

“Needless to say, we’re disappointed about the issuance of the TRO, but this doesn’t end the question of personal jurisdiction of Mr. Hotz, and we still intend to go forward with that motion,” San Francisco-based lawyer Stewart Kellar told The Register. “Suffice it to say it is burdensome to my client for him to give up his computers and hard drives for the order.”

It’s a tricky area, as people assume that once they’ve bought the hardware (the PS3 in this case) they own it and it’s theirs to do with as they please. While that is true of the hardware, it does not hold for the software or bootloader on the machine: that is merely licensed to the user and still belongs to Sony.

So what Sony is claiming is that George does not have the authority to reverse engineer the software or to release to the public the cryptographic key used to sign games, and that by doing so he has damaged their business and therefore their revenue.

They are also bringing the DMCA (Digital Millennium Copyright Act) into the mix, which never ends well.


Sony’s complaint claimed that by publishing the means to bypass the protection measures built into the console, Hotz violated provisions of the Digital Millennium Copyright Act. Illston said Sony had “submitted substantial evidence” showing the hack constituted a DMCA violation and that Sony was likely to “suffer irreparable harm” if it wasn’t curtailed.

Sony’s suit names some 100 other people from a hacking collective known as fail0verflow, who in late December revealed the key used to sign PS3 games and demonstrated how to use it to run homebrew apps on the console. A few weeks later, Hotz independently deduced the “metldr” key, which allowed him to root the PS3. Sony’s complaint also alleges the hackers violated the Computer Fraud and Abuse Act.

The PS3’s use of IBM’s Cell processor makes the console ideal for tackling brute-force cryptography attacks and other parallel computing operations. Once upon a time, Sony included a modified version of Linux with the PS3. Sony eventually disabled the so-called OtherOS after Hotz devised a way to use it to gain full memory access to the console.

Hotz was among the first to jailbreak Apple’s iPhone so it would work on carrier networks other than AT&T’s. Last year, the US Copyright Office exempted iPhone jailbreaking from the DMCA so that users can run apps not officially sanctioned by Apple.

The PS3 is a very powerful piece of hardware locked down by a proprietary OS so that it can’t be ‘misused’ according to the definitions Sony imposes on its users. As is normal with consoles, the console itself is sold at a loss (especially early in its life) and the company makes its money selling games. If someone comes along and cracks the copy protection on the games and the console, allowing everyone to play pirated games, their business model is screwed, isn’t it?

And the US Copyright Office has already ruled that jailbreaking your iPhone is exempt from the DMCA, so why not the PS3 as well?

I hope Geohot gets his computers and hard drives back soon, as having your stuff hauled away is one of the worst things that can happen.

Source: The Register


Posted in: Cryptography, Exploits/Vulnerabilities, Hardware Hacking


Mausezahn – Fast Traffic Generator/Packet Crafting Tool

Mausezahn is a free, fast traffic generator written in C which allows you to send nearly every possible and impossible packet. It is mainly used to test VoIP or multicast networks, but also for security audits to check whether your systems are hardened enough against specific attacks.

Mausezahn can be used, for example:

  • As traffic generator (e. g. to stress multicast networks)
  • To precisely measure jitter (delay variations) between two hosts (e. g. for VoIP-SLA verification)
  • As a didactic tool during a datacom lecture or for lab exercises
  • For penetration testing of firewalls and IDS
  • For DoS attacks on networks (for audit purposes of course)
  • To find bugs in network software or appliances
  • For reconnaissance attacks using ping sweeps and port scans
  • To test network behaviour under strange circumstances (stress test, malformed packets)

Mausezahn is basically a versatile packet creation tool on the command line with a simple syntax and context help. It can also be used within (bash) scripts to perform combinations of tests. By the way, Mausezahn is quite fast: when started on my old PIII laptop (1.4 GHz, Gigabit Ethernet) I measured 755 Mbit/s using the interface packet counters of an HP ProCurve 5400 switch.
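Mausezahn does all of this from the command line; the following is an added Python example (not part of Mausezahn or of this post) showing what "crafting" and "malformed" mean at the byte level. It builds an IPv4/UDP packet with correct header and pseudo-header checksums, then deliberately breaks one field at a time and runs a small receiver-side check over the results. The addresses, ports and payload are constructed for the demo; send_raw() is the only part that touches the network and needs CAP_NET_RAW.

```python
import socket
import struct

IPPROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = IPPROTO_UDP,
                ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header (no options) with a valid header checksum."""
    fields = [(4 << 4) | 5, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(IPV4_FMT, *fields))   # checksum over header with csum=0
    return struct.pack(IPV4_FMT, *fields)


def udp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header plus payload; checksum covers the IPv4 pseudo-header as well."""
    length = 8 + len(payload)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IPPROTO_UDP, length)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = inet_checksum(pseudo + header + payload) or 0xFFFF    # 0 would mean "no checksum"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    udp = udp_segment(src, dst, sport, dport, payload)
    return ipv4_header(src, dst, len(udp)) + udp


def malformed_variant(packet: bytes, kind: str) -> bytes:
    """Take a valid packet and break exactly one thing, as a stress test would."""
    if kind == "bad_checksum":
        return packet[:10] + bytes([packet[10] ^ 0xFF]) + packet[11:]
    if kind == "short_ihl":       # IHL=3 claims a 12-byte header; the minimum is 5 (20 bytes)
        return bytes([0x43]) + packet[1:]
    if kind == "truncated":       # total length promises more bytes than are on the wire
        return packet[:-5]
    if kind == "version6":        # version nibble says 6 inside an IPv4 frame
        return bytes([0x65]) + packet[1:]
    raise ValueError(kind)


def check_ipv4(packet: bytes) -> str:
    """Minimal receiver-side sanity check: 'ok' or the name of the first defect found."""
    if len(packet) < 20:
        return "too short"
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        return "bad version"
    if ihl < 5 or ihl * 4 > len(packet):
        return "bad ihl"
    if struct.unpack("!H", packet[2:4])[0] > len(packet):
        return "truncated"
    if inet_checksum(packet[:ihl * 4]) != 0:     # a valid header sums to zero with csum included
        return "bad header checksum"
    return "ok"


def check_udp(packet: bytes) -> bool:
    """Verify the UDP checksum of an IPv4/UDP packet (pseudo-header included)."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, IPPROTO_UDP, len(udp))
    return inet_checksum(pseudo + udp) == 0


def send_raw(packet: bytes, dst: str) -> None:
    """Put the crafted bytes on the wire. Needs root / CAP_NET_RAW; not called by default."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (dst, 0))


if __name__ == "__main__":
    pkt = build_udp_packet("10.0.0.1", "10.0.0.2", 40000, 53, b"constructed payload")
    print("valid packet:", check_ipv4(pkt), "udp checksum ok:", check_udp(pkt))
    for kind in ("bad_checksum", "short_ihl", "truncated", "version6"):
        print(f"{kind:>13}: {check_ipv4(malformed_variant(pkt, kind))}")
```

Running it prints "ok" for the valid packet and the name of the defect for each broken variant. The check_ipv4() logic is the kind of validation a firewall or IDS under test should apply before it trusts the length or header fields of anything Mausezahn throws at it.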

Currently Mausezahn is only available for Linux platforms. Please do NOT PORT Mausezahn to Windows! (Here is a nice explanation why; I really share Felix von Leitner’s point of view.)

You can download Mausezahn here:

mz-0.40.tar.gz

Or read more here.


Posted in: Hacking Tools, Network Hacking


Digital Underground Offering Cheap Botnets For Hire

Perhaps even the cyber-criminals are affected by the recent recession: botnets for hire are hitting rock-bottom rates, starting at just $2. We reported back in April 2010 about the Texas Man Who Pleaded Guilty To Bot Network For Hire.

They are becoming more multi-talented as well: rather than just offering bot networks for DDoS attacks or spam, you can also hire them to get stolen credit card info, PayPal accounts, bank accounts for credit references, to set up a secure VPN and much more.

As always the bad guys are ahead of the game and adapting their ‘business model’ to suit consumer demand. It’s still not easy to get hold of these kinds of services, but they are out there and, as reported, they are cheap.

Botnets for hire to launch your own spam campaign and stolen credit card information sold at the rock bottom price of $2 are just two of the commodities easily found on the cyber-crime black market today, according to a report released this month by Panda Security. The report, which was conducted by PandaLabs researchers who posed as cyber criminals, details a vast criminal network selling stolen bank account information in forums and dedicated online stores.

“This is a rapidly growing industry and cyber-criminals are aiding and abetting each other’s efforts to steal personal information for financial profit,” Panda Security officials note in a release on the findings. “The cyber-crime black market, which has traditionally centered on distributing bank and credit card details stolen from users around the world, diversified its business model in 2010, and now sells a much broader range of hacked confidential information including bank credentials, log-ins, passwords, fake credit cards and more.”

The report also delves into a detailed pricing system and the digital black market prices for various types of stolen information. However, PandaLabs discovered that while the information may be available, it can only be accessed by personally contacting the hackers who are promoting their information for sale on forums and in chat rooms.

It seems like $2 will get you a legitimate but unverified bank account or credit card number. It won’t, however, get you the verification number or the available account balance.

The bad guys are almost operating on a freemium model, offering basic card/bank details at close to nothing ($2) and then raising the price for additional information or in some cases larger credit lines/bank balances.

I’d imagine that operating this way they are making quite a profit from their botnets: rather than just renting out the compromised machines, they also benefit from the information stolen from the home desktops they have infected with their malware.


Once the information is in a criminal’s hands they can easily defraud any bank or credit card account long before the hack is discovered, the report claims. The data can be purchased for as little as $2 per card. But $2 will not provide the buyer with additional information or verification of the account balance available.

“If the buyer wants a guarantee for the available credit line or bank balance, the price increases to $80 for smaller bank balances and upwards of $700 to access accounts with a guaranteed balance of $82,000,” said researchers.

The report also details an intricate price structure for accounts with a history of online shopping or use of payment platforms such as PayPal. If stolen credit card numbers aren’t your thing, prices are also available for botnet rental to launch a spam campaign. The price range varies depending on the number of computers used and the frequency of the spam, or the rental period, the report reveals. Prices start at $15 and rise to $20 for the rental of a SMTP server or VPN to guarantee anonymity. One can also hire cyber criminals to assist with the set up of a fake online store to use rogueware techniques for stealing user details and profiting off unsuspecting victims who pay for fake antivirus products.

“There are also teams available to deliver turnkey projects, design, develop and publish the complete store, even positioning it in search engines,” the report states. “In this case, the price depends on the project.”

It seems like the criminals have quite an extensive ‘menu’ of offerings and can provide SMTP servers for spamming or VPN services to provide anonymity. You can also hire them to help you as a kind of cyber-criminal consultant to set up a fake online store or phishing site.

They offer the whole work-flow just like a professional software development company – design, deployment and even SEO services.

Pretty interesting stuff.

Source: Network World


Posted in: Malware, Phishing, Spammers & Scammers


Mantra Security Toolkit – Free & Open Source Browser-Based Security Framework

Mantra is a dream that came true. It is a collection of free and open source tools integrated into a web browser, which can come in handy for students, penetration testers, web application developers, security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software. Mantra is a security framework which can be very helpful in performing all five phases of an attack: reconnaissance, scanning and enumeration, gaining access (including escalation of privileges), maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted at web developers and code debuggers, which makes it handy for both offensive and defensive security tasks.

Mantra is light, flexible, portable and user friendly with a nice graphical user interface. You can carry it on memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on your system within minutes. Mantra is absolutely free of cost and takes no time to set up.


Mantra is a powerful set of tools to make the attacker’s task easier. The beta version of the Mantra Security Toolkit contains the following tools built into it:

Mantra Tools List

You can also always suggest any tools/ scripts that you would like see in the next release.

Support forums are available here.

You can download Mantra here:

Windows – MantraPortable Alpha Release 200.12.exe
Linux – mantra-portable-pre-alpha.tar.bz2

Or read more here.


Posted in: Hacking Tools, Web Hacking


Java Based Cross Platform Malware Trojan (Mac/Linux/Windows)

It’s pretty rare to read about malware on the Linux or Mac OS X platforms, and even rarer to read about cross-platform malware which targets both of those AND Windows by using Java.

A neat piece of coding indeed: it runs on all three operating systems. The sad thing? The malware itself is vulnerable to a basic directory traversal exploit, which means rival gangs can commandeer the infected targets.

They went to lengths to keep it secure and unseen (encrypted communications etc.), but didn’t program the malware itself securely…

From the department of cosmic justice comes this gem, spotted by researchers from Symantec: a trojan that targets Windows, Mac, and Linux computers contains gaping security vulnerabilities that allow rival criminal gangs to commandeer the infected machines.

Known as Trojan.Jnanabot, or alternately as OSX/Koobface.A or trojan.osx.boonana.a, the bot made waves in October when researchers discovered its Java-based makeup allowed it to attack Mac and Linux machines, not just Windows PCs as is the case with most malware. Once installed, the trojan components are stored in an invisible folder and use strong encryption to keep communications private.

The bot can force its host to take instructions through internet relay chat, perform DDoS attacks, and post fraudulent messages to the victim’s Facebook account, among other things.

Now, Symantec researchers have uncovered weaknesses in the bot’s peer-to-peer functionality that allow rival criminals to remotely steal or plant files on the victim’s hard drive. That means the unknown gang that took the trouble to spread the infection in the first place risks having their botnet stolen from under their noses.

“Even though it’s encrypted and even though it was written in Java to make it cross-platform, it was still vulnerable to basically a directory transversal exploit,” Dean Turner, director of Symantec’s Global Intelligence Network, told The Reg. “From a technical perspective, it goes to show that even if you have all those things where you’re building in a secure platform, if you’re not building application security into your malware, other bad guys will probably take advantage of it.”

It’s somewhat of an odd decision though; in terms of numbers, Windows machines obviously far outnumber Linux and OS X desktop installations. On the web server front perhaps Linux is a valuable target, but on consumer desktops? Is it really worth the effort for malware creators to make cross-platform trojans? Personally I don’t think it is; maybe it was just an experiment.

The number of Apple machines is certainly growing, and the next big market we are going to see is tablets and smartphones, I believe. I’d be on the lookout for more iOS and Android worms/trojans in the coming months.

A self-replicating stealthy Android trojan with a previously unpatched zero-day remote root exploit could be devastating.


Jnanabot’s P2P feature is designed to make botnets harder to take down by providing multiple channels of communication. After sending an infected machine a single GET request, a website can discover all the information needed to upload any file to any location on the host’s file system. Attackers can then install a simple backdoor on a user’s machine by, for instance, writing a malicious program to a computer’s startup directory.

Attackers can use the same vulnerability to steal files on infected machines.

Turner said the number of Jnanabot infections so far is “measured in the thousands,” rather than the hundreds of thousands for some of the better-known trojans. Still, infection statistics gathered by Symantec in December are surprising. They show that about 16 per cent of infections hit Macs. They didn’t show any infections on Linux machines. Turner said that Jnanabot attacks on the open source platform weren’t able to survive a reboot.

The bot was discovered spreading over Facebook posts that planted the following message on infected users’ Facebook pages: “As you are on my friends list I thought I would let you know I have decided to end my life.” An included link leads recipients to a cross-platform JAR, or Java Archive file that can run on Windows, Mac, or Linux. Once the recipient is infected, his Facebook page carries the same dire warning.
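The flaw described above (one request, any file, any location on the host) is the classic directory traversal bug. The following is an added Python model, not Symantec’s analysis and not the bot’s own code, of a file-store handler written both ways: the unsafe version joins the requested name onto the store directory with no check, the safe one canonicalises the path and refuses anything that lands outside the store. The directory names, the "startup" folder standing in for the victim’s startup directory, and the request names are all constructed for the demo.

```python
import os
import shutil
import tempfile


def resolve_unsafe(base_dir: str, requested: str) -> str:
    """The bug pattern: base directory joined with an attacker-supplied name and no
    containment check. '..' segments walk out of base_dir, and an absolute name makes
    os.path.join discard base_dir altogether."""
    return os.path.join(base_dir, requested)


def resolve_safe(base_dir: str, requested: str) -> str:
    """Canonicalise both sides (symlinks included) and refuse any target whose real
    location is outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if target != base and os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes the store: {requested!r}")
    return target


def store_file(base_dir: str, requested: str, data: bytes, hardened: bool) -> str:
    """Model of the bot's 'write this file to this path' request handler."""
    path = resolve_safe(base_dir, requested) if hardened else resolve_unsafe(base_dir, requested)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run both handlers against traversal, absolute-path and legitimate names inside a
    throwaway directory tree and report what happened."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    try:
        store = os.path.join(root, "p2p_store")          # where uploads are meant to land
        startup = os.path.join(root, "startup")          # stands in for the victim's startup dir
        os.makedirs(store)
        os.makedirs(startup)
        traversal = os.path.join("..", "startup", "backdoor.sh")   # constructed attacker name
        absolute = os.path.join(root, "planted.txt")                # constructed attacker name
        legit = os.path.join("cache", "chunk-01.bin")               # what the P2P layer should accept
        result = {}

        store_file(store, traversal, b"#!/bin/sh\n", hardened=False)
        result["vuln_traversal_escaped"] = os.path.isfile(os.path.join(startup, "backdoor.sh"))
        store_file(store, absolute, b"x", hardened=False)
        result["vuln_absolute_escaped"] = os.path.isfile(absolute)

        blocked = 0
        for name in (traversal, absolute):
            try:
                store_file(store, name, b"x", hardened=True)
            except ValueError:
                blocked += 1
        result["hardened_blocked"] = blocked
        written = store_file(store, legit, b"ok", hardened=True)
        result["hardened_allowed_legit"] = written.startswith(os.path.realpath(store) + os.sep)
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>24}: {value}")
```

Two details matter in resolve_safe(): realpath() is applied to both sides so a symlink inside the store cannot be used to point outside it, and the comparison uses commonpath() rather than a string prefix test, which would wrongly accept a sibling directory whose name merely starts with the store’s name.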

It seems like the trojan can theoretically attack Linux, but so far hasn’t been seen in the wild there and can’t survive a reboot. Not that it really matters, as from my experience most Linux users never reboot anyway except for kernel upgrades (which isn’t that often).

Perhaps it just doesn’t work that well on Linux, or Linux users don’t believe in installing a JVM: it doesn’t usually come standard with OS installs as it’s considered non-free software.

The chosen vector for replication seems to be Facebook and a rather dramatic faux suicide note, which sadly I think will be very effective.

Source: The Register


Posted in: Apple, Linux Hacking, Malware, Windows Hacking


Inguma Is Back – The Penetration Testing & Vulnerability Research Toolkit

Inguma is back and being actively developed again. It’s been quite a long time, far too long in fact. We first reported on Inguma way back in 2007, and our latest mention of it was in March 2008.

A new version has just been released almost 3 years later with some major changes and a big GUI revamp. Inguma is a penetration testing toolkit written entirely in Python. The framework includes modules to discover hosts, gather information about them, fuzz targets, brute force user names and passwords and, of course, exploits. While the current exploitation capabilities in Inguma may be limited, the program provides numerous tools for information gathering and target auditing.

There are some good docs to get you up and running too:

The announcement from the developers blog is here:

We are back

You can download Inguma 0.2 here:

inguma-0.2.tar.gz

Or read more here.


Posted in: Database Hacking, Exploits/Vulnerabilities, Hacking Tools, Network Hacking


China Facing Problems With Android Handsets & Pre-installed Trojans

It seems like scammers in China are always coming up with inventive ways to fleece people, this time in their own country. Android is of course growing quickly globally and China is no exception; with the availability of cheap hardware there, the open-source Android OS is a natural choice.

The latest scam is a new generation of “money sucking mobiles”: Android handsets that steal the user’s credit by making covert calls or sending premium SMS. They do this very slowly so the user doesn’t notice; it also enables the vendors to sell the handsets very cheaply, as they are essentially subsidised by the fraud.

The Chinese government is to crack down on “money sucking” mobiles: Android-based handsets that subsidise themselves by stealing from the customer’s account.

The crackdown aims to involve network operators, target retailers and ensure that selling handsets featuring pre-installed Trojans is explicitly illegal, according to the Google translation.

The idea is to set up a central unit to manage complaints, though it seems the scam has been going on long enough to build up considerable momentum.

The handsets concerned are sold cheaply, and generally unbranded, though some bear forged logos. Once they go into use the Android-based handsets start quietly sending text messages, or making a silent call or two. The transactions only incur a fee of around 20 pence (0.3 USD) a time, in the hope the user will never notice, while the miscreant collects the termination fee or other premium charge.

It’s pretty shady, but not much different from the reports of US and UK consumers with branded network phones seeing all kinds of weird network charges which they can’t stop because the phones are loaded up with proprietary crapware (oh hello Vodafone, Orange, T-Mobile and so on).

It’s an interesting model for fraud and honestly I think it will continue for a long time, as it’s unlikely the users of low-end Android devices will bother reading such tech news, and even if they did, what can they do about it? If they are really techy of course they can just root the phone and remove the malware themselves.

But for the rest of the unwashed masses, what options do they have? Not a lot really, apart from ditching the phone and buying another in the hope that it doesn’t come with a pre-installed trojan.
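One thing even a non-technical user can do is read the itemised bill, and the pattern described above (destinations that are not in the address book, charges small enough to ignore, repeated on a schedule) is easy to flag once the bill is in machine-readable form. The following is an added Python example, not from the article or the reports it cites: the bill records, the premium short codes and the contact list are constructed for the demo, and the thresholds are assumptions a reader would tune to their own tariff.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of an itemised bill: timestamp, type, destination, cost per event.
# The two short codes and their nightly cadence are invented for the demo.
SAMPLE_BILL = """\
2011-01-03T09:14:00,CALL,+8613800001111,4.20
2011-01-03T23:01:12,SMS,10669,0.30
2011-01-04T23:02:40,SMS,10669,0.30
2011-01-05T12:30:00,SMS,+8613800002222,0.10
2011-01-05T23:00:55,SMS,10669,0.30
2011-01-06T03:15:10,CALL,12590,0.30
2011-01-06T23:01:30,SMS,10669,0.30
2011-01-07T03:14:48,CALL,12590,0.30
2011-01-07T18:45:00,CALL,+8613800001111,2.10
2011-01-08T03:15:05,CALL,12590,0.30
"""

CONTACTS = {"+8613800001111", "+8613800002222"}   # constructed address book


def parse_bill(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, dest, cost = line.split(",")
        rows.append((datetime.fromisoformat(ts), kind, dest, float(cost)))
    return rows


def find_covert_premium(rows: list, contacts: set, max_unit_cost: float = 0.5,
                        min_events: int = 3) -> dict:
    """Flag destinations the user never saved, hit repeatedly, each time for a small
    charge: the 'too small to notice' pattern. Returns per-destination evidence."""
    by_dest = defaultdict(list)
    for ts, kind, dest, cost in rows:
        if dest not in contacts:
            by_dest[dest].append((ts, kind, cost))
    findings = {}
    for dest, events in by_dest.items():
        if len(events) < min_events or max(c for _, _, c in events) > max_unit_cost:
            continue                                  # one-off or clearly visible charges
        events.sort()
        gaps_h = [(b[0] - a[0]).total_seconds() / 3600 for a, b in zip(events, events[1:])]
        findings[dest] = {
            "events": len(events),
            "total": round(sum(c for _, _, c in events), 2),
            "kinds": sorted({k for _, k, _ in events}),
            "median_gap_hours": round(median(gaps_h), 1),   # a steady cadence is the tell
        }
    return findings


if __name__ == "__main__":
    for dest, info in find_covert_premium(parse_bill(SAMPLE_BILL), CONTACTS).items():
        print(dest, info)
```

A median gap close to 24 hours with near-identical timestamps is a timer, not a person; that regularity is what separates a trojan from the occasional legitimate SMS to an unknown number, which the min_events threshold lets through.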


The amounts are small, but the idea is to collect it over a long period, enabling the handset to be sold very cheaply and thus feeding a virtuous circle that benefits everyone – except the poor sap who thought he was getting a cheap Android handset.

“I think the software industry lacks a better business model, they can only make these knock-off and money-sucking software in order to survive,” said Zhao Wei, CEO of Chinese security company Knownsec, according to PC World. “This is fast becoming an industry in itself.”

Manufacturers and network operators have a long history of preinstalling applications which they hope will rake in additional cash, much to the annoyance of users. Hiding them from the user is an obvious evolution of that idea, though hopefully a step too far for the bigger brands at least.

It does show that these handset and mobile software developers don’t really have a sustainable legitimate business model, partially because the competition in China is just so immense and partially because this kind of business can prosper.

Just look at Huawei now.

Source: The Register


Posted in: Legal Issues, Malware, Privacy


MagicTree – Penetration Tester Productivity Tool

MagicTree is a penetration tester productivity tool: it allows easy and straightforward data consolidation, querying, external command execution, and report generation. In case you wonder, “Tree” is because it stores all the data in a tree, and “Magic” because it is designed to magically do the most cumbersome and boring part of penetration testing: data management and reporting.

I think this could be combined with something like Dradis (the open source security reporting tool) for very good project management.

MagicTree is closed-source, proprietary software. This release is distributed free of charge, as will be future releases of the MagicTree Community Edition. They plan on offering a reasonably priced professional edition soon.


MagicTree Beta Two is mostly written in Java and has been tested on Linux, Windows, and MacOS. It has no complicated installation procedure.

Documentation is available here:

MagicTree Docs

You can download MagicTree here:

MagicTree-1300.jar

Or read more here.


Posted in: General Hacking, Security Software


Researchers Hack Mobile Calls On GSM Network

Gotta love a bit of hardware hacking in the new year. This Karsten Nohl guy has been busy lately: he recently exposed Car Immobilisers Using Weak Encryption Schemes and, more relevant to this article, we’ve written about him and GSM Hacking Coming To The Masses Script Kiddy Style before.

This kind of GSM snooping has been possible for a long time, but it’s always been prohibitively expensive. Now researchers using simple techniques and inexpensive equipment have found a way to do it by running custom firmware on cheap Motorola handsets.

Researchers have demonstrated an alarmingly simple technique for eavesdropping on individual GSM mobile calls without the need to use expensive, specialised equipment.

During a session at the Chaos Computer Club Congress (CCC) in Berlin, Karsten Nohl and Sylvain Munaut used cheap Motorola handsets running a replacement firmware based on open source code to intercept data coming from a network base station.

Armed with this, they were able to locate the unique ID for any phone using this base, breaking the encryption keys with a rainbow table lookup.

Although far from trivial as hacks go, the new break does lower the bar considerably compared to previous hacks shown by the same researchers. In 2009, Nohl published a method for cracking open GSM’s A5/1 encryption design using a lookup table in near real time.

What was missing, however, was a way of identifying the call stream for an individual phone in order to apply the lookup to a real call within the clutter of data moving back and forth between a particular base station and the many phones using it. That is what Nohl appears to have worked out in his latest demo.

It’s by no means a simple or straightforward attack, but it shows that with knowledge of the crypto algorithms used by GSM base stations it’s possible to intercept conversations from specific handsets.

There haven’t been a whole lot of stories about GSM hacking, so it’s good to see something in this area, as most of the world owns at least one GSM device and not a whole lot of people are looking at the security the networks are relying on.
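The “rainbow table lookup” mentioned above is a time-memory trade-off: spend compute once up front so that each later key recovery costs a bounded number of cipher evaluations plus a table lookup. The following is an added Python example, not Nohl’s code and not A5/1: the 64-bit GSM key is replaced by a 16-bit toy key and the cipher by a hash-based stand-in (both assumptions so that it runs in seconds), but the chain construction, the column-dependent reduction functions that make it a rainbow table, and the lookup procedure are the real algorithm.

```python
import hashlib
import random

KEY_BITS = 16                  # toy key space; A5/1 uses 64-bit keys (assumption for speed)
KEY_MASK = (1 << KEY_BITS) - 1
CHAIN_LEN = 64                 # t: longer chains mean a smaller table but a slower lookup
NUM_CHAINS = 4000              # m: more chains mean better coverage but a bigger table


def keystream(key: int) -> bytes:
    """Stand-in for the cipher: 4 bytes of 'keystream' for a key. The table only ever
    evaluates this forwards; it never needs to invert it."""
    return hashlib.sha256(b"toy-a5-" + key.to_bytes(2, "big")).digest()[:4]


def reduce(ks: bytes, column: int) -> int:
    """Map a keystream value back into key space. Mixing in the column index is what
    makes this a rainbow table (Oechslin) rather than a plain Hellman table: chains
    that collide in different columns do not merge."""
    return (int.from_bytes(ks, "big") ^ (column * 0x9E3779B1)) & KEY_MASK


def chain_point(start: int, column: int) -> int:
    """Key found at 'column' of the chain that begins at 'start'."""
    k = start
    for col in range(column):
        k = reduce(keystream(k), col)
    return k


def build_table(seed: int = 1) -> dict:
    """Precompute m chains of length t and keep only (end -> [starts])."""
    rng = random.Random(seed)
    table = {}
    for _ in range(NUM_CHAINS):
        start = rng.randrange(1 << KEY_BITS)
        table.setdefault(chain_point(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Return a key whose keystream equals 'target', or None if the table misses."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Guess the target sits at 'col'; finish the chain from there and look for its end.
        k = reduce(target, col)
        for c in range(col + 1, CHAIN_LEN):
            k = reduce(keystream(k), c)
        for start in table.get(k, ()):
            cand = start                         # end matched: replay the chain to find the key
            for c in range(CHAIN_LEN):
                if keystream(cand) == target:
                    return cand
                cand = reduce(keystream(cand), c)   # false alarm if we fall out of this loop
    return None


def coverage(table: dict, samples: int = 200, seed: int = 7) -> float:
    """Fraction of random keys the table recovers: the trade-off in numbers."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        key = rng.randrange(1 << KEY_BITS)
        found = lookup(table, keystream(key))
        hits += found is not None and keystream(found) == keystream(key)
    return hits / samples


if __name__ == "__main__":
    tbl = build_table()
    print(f"table: {sum(len(v) for v in tbl.values())} chains, {len(tbl)} distinct endpoints")
    print(f"coverage on random keys: {coverage(tbl):.0%}")
```

build_table() stores only chain endpoints, so memory is m entries rather than the whole key space, and lookup() pays roughly t²/2 cipher evaluations per target. coverage() shows the trade-off honestly: with m·t comfortably above the key space most keys are recovered, and the rest are lost to chain collisions, which is why real A5/1 tables took months of precomputation, as the article notes, rather than an afternoon.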


Another important detail is that Nohl was able to replace the firmware of the handsets with custom software. According to the BBC report on which most stories are being based, this was only possible because the Motorola handsets in question had been reverse engineered after an unspecified leak.

How easy would it be to exploit the new hack? In short, not particularly easy. Creating a custom lookup table similar to Nohl’s would take months of work and any eavesdropper would still need to break into the handset in question.

The crack does lower the bar from being a hardware problem to one of software expertise, which will cause some alarm in the GSM engineering community.

Governments and the military won’t worry unduly as they will be using encrypted satellite phone systems and GSM phones equipped with extra layers of call encryption to make sensitive calls. Large companies might want to take note, however.

As far as I know most military and government phones, even when relying on GSM, have another layer of encryption on top, as stated in the article, so they should be pretty safe. But what about the rest of the world? Some big companies and important people are relying on standard GSM handsets without any extra protection.

I hope to see more news in this area as it has pretty big implications for everyone.

Source: Network World


Posted in: Cryptography, Hardware Hacking, Privacy


cross_fuzz – A Cross-Document DOM Binding Fuzzer

cross_fuzz is an amazingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market – many of said bugs exploitable – and it is still finding more.

The fuzzer owes much of its efficiency to dynamically generating extremely long-winding sequences of DOM operations across multiple documents, inspecting returned objects, recursing into them, and creating circular node references that stress-test garbage collection mechanisms.

The cross_fuzz fuzzing algorithm

  1. Open two windows with documents of any (DOM-enabled) type. Simple HTML, XHTML, and SVG documents are randomly selected as targets by default – although any other, possibly plugin-supported formats could be targeted instead.
  2. Crawl DOM hierarchy of the first document, collecting encountered object references for later reuse. Visited objects and collected references are tagged using an injected property to avoid infinite recursion; a secondary blacklist is used to prevent navigating away or descending into the master window. Critically, random shuffling and recursion fanout control are used to ensure good coverage.
  3. Repeat DOM crawl, randomly tweaking encountered object properties by setting them to one of the previously recorded references (or, with some probability, to one of a handful of hardcoded “interesting” values).
  4. Repeat DOM crawl, randomly calling encountered object methods. Call parameters are synthesized using collected references and “interesting” values, as noted above. If a method returns an object, its output is subsequently crawled and tweaked in a similar manner.
  5. Randomly destroy first document using one of the several possible methods, toggle garbage collection.
  6. Perform the same set of crawl & tweak operations for the second document, but use references collected from the first document for overwriting properties and calling methods in the second one.
  7. Randomly destroy document windows, carry over a percentage of collected references to the next fuzzing cycle.
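The seven steps above as an added Python model, not lcamtuf’s JavaScript, which fuzzes real browser DOM objects: a toy Node class stands in for DOM nodes, and the crawl/tweak/call loop keeps the features the steps call out, namely the injected visited tag, random shuffling with a fanout cap, property overwrites with collected references (which create cycles), method calls with synthesised arguments, crawling of returned objects, and carrying a share of references into the next cycle. Node, its methods, the "interesting" values and the statistics are assumptions for the demo.

```python
import gc
import random

TAG = "_cf_seen"                              # injected property marking visited objects
INTERESTING = [None, 0, -1, 2**31, 2**32 - 1, "", "A" * 4096, 1e308]   # assumed values
MAX_FANOUT = 6                                # members explored per object (fanout control)
MAX_DEPTH = 5


class Node:
    """Minimal stand-in for a DOM node; parent/child links make the graph cyclic."""
    def __init__(self, name):
        self.name, self.parent, self.children, self.value = name, None, [], 0

    def append_child(self, child):
        child.parent = self
        self.children.append(child)
        return child

    def remove_child(self, child):
        self.children.remove(child)
        child.parent = None
        return child

    def set_value(self, v):
        self.value = int(v)
        return self.value

    def first_child(self):
        return self.children[0] if self.children else None


def build_document(name, width=3):
    root = Node(name)
    for i in range(width):
        root.append_child(Node(f"{name}.{i}")).append_child(Node(f"{name}.{i}.0"))
    return root


class Fuzzer:
    METHODS = ("append_child", "remove_child", "set_value", "first_child")

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.refs, self.ref_ids = [], set()       # references collected for later reuse
        self.stats = {"objects": 0, "tweaks": 0, "calls": 0, "exceptions": 0}
        self.pass_id, self.seen_ids = 0, set()

    def _tag(self, obj):
        """Mark obj as visited in this pass; False if it already was (stops cycles)."""
        if getattr(obj, TAG, None) == self.pass_id or id(obj) in self.seen_ids:
            return False
        try:
            setattr(obj, TAG, self.pass_id)
        except AttributeError:                    # lists cannot carry the tag: track by id
            self.seen_ids.add(id(obj))
        return True

    def _pick(self):
        return self.rng.choice(self.refs + INTERESTING)

    def crawl(self, obj, depth, mode):
        """Steps 2-4 share one walk: 'collect' refs, 'tweak' properties, 'call' methods."""
        if depth > MAX_DEPTH or not isinstance(obj, (Node, list)) or not self._tag(obj):
            return
        self.stats["objects"] += 1
        if id(obj) not in self.ref_ids:
            self.refs.append(obj)
            self.ref_ids.add(id(obj))
        members = list(enumerate(obj)) if isinstance(obj, list) else \
            [(k, v) for k, v in vars(obj).items() if k != TAG]
        self.rng.shuffle(members)                 # random order plus fanout cap = coverage
        for key, val in members[:MAX_FANOUT]:
            if mode == "tweak" and isinstance(obj, Node) and self.rng.random() < 0.5:
                val = self._pick()
                setattr(obj, key, val)            # often wires in a collected ref: a cycle
                self.stats["tweaks"] += 1
            self.crawl(val, depth + 1, mode)
        if mode == "call" and isinstance(obj, Node):
            for meth in self.METHODS:
                args = [] if meth == "first_child" else [self._pick()]
                self.stats["calls"] += 1
                try:
                    out = getattr(obj, meth)(*args)
                except Exception:                 # unexpected state is the whole point
                    self.stats["exceptions"] += 1
                    continue
                self.crawl(out, depth + 1, mode)  # returned objects get crawled too

    def run_pass(self, doc, mode):
        self.pass_id += 1                         # fresh tag value per crawl pass
        self.seen_ids = set()
        self.crawl(doc, 0, mode)

    def cycle(self):
        """One fuzzing cycle, steps 1-7, over two 'documents'."""
        doc_a, doc_b = build_document("a"), build_document("b")        # step 1
        for mode in ("collect", "tweak", "call"):                     # steps 2-4
            self.run_pass(doc_a, mode)
        del doc_a                                                     # step 5: refs in self.refs
        gc.collect()                                                  # keep its nodes reachable
        for mode in ("collect", "tweak", "call"):                     # step 6: doc_a refs reused
            self.run_pass(doc_b, mode)
        del doc_b                                                     # step 7
        gc.collect()
        self.rng.shuffle(self.refs)
        self.refs = self.refs[: max(1, len(self.refs) // 4)]
        self.ref_ids = {id(r) for r in self.refs}
        return dict(self.stats)


if __name__ == "__main__":
    fz = Fuzzer(seed=1)
    for _ in range(3):
        print(fz.cycle())
```

Run it and watch the exception count climb: each one is an operation the toy object model did not expect, which in a real browser is exactly the state the fuzzer is hunting for. The seeded RNG also illustrates the repro problem described below: with a different seed the same crash will not recur in the same place, and the carried-over references mean a failure in one cycle can depend on everything that happened in earlier ones.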

This design can make it unexpectedly difficult to get clean, deterministic repros; to that effect, in the current versions of all the affected browsers, we are still seeing a collection of elusive problems when running the tool – and some not-so-elusive ones. I believe that at this point, a broader community involvement may be instrumental to tracking down and resolving these bugs.

I also believe that at least one of the vulnerabilities discovered by cross_fuzz may be known to third parties – which makes getting this tool out a priority.

You can download cross_fuzz here:

http://lcamtuf.coredump.cx/cross_fuzz

Or read more here.


Posted in: Hacking Tools, Programming
