Ibrium's Blog

War dialing time!

2009-08-16T12:57:00.004+03:00

Here is a small time-occupier for you readers. Take a look at the 1-800-6x0-x0x free toll range. Among other things, a juicy unpassworded Cisco 3640 router is hiding in there. Somewhere.
And if you do do something fun with the router or the "other things" drop a note here. It will be interesting to hear the story.

Y****n Information Station

2009-05-02T21:04:00.011+03:00

Some software is secure, some is free, some excels in usability, other provides an unique functionality. And then there is the y****n (Oh, in case you didn't know, y****n is an information station software used by numerous higher education institutions). Whoever was responsible for usability tests on this thing should be kicked in the head $#@%#&!
No seriously, this thing should be a practical example on how not to do software development. I dare the developer to try to use y****n forum system!
But I digress. Let's discuss the interesting stuff...

Here is a nice example on why securing communications with SSL over a crappy infrastructure == waste of effort (and money, those certificates are not cheap).

In y****n user logs-in over HTTPS, gets assigned a cookie and then can navigate through the site using URL parameters, something like this:

https://y****n.****.ac.il/y****n/fireflyweb.aspx?appname=BSHITA&prgname=Menu&arguments=-N123456789,-A,-N012983489321984,-N0018,

What's interesting is that the very first argument -N123456789 which is used to identify the user when querying the database is actually the student teudat zehut number. Upon receiving a query the server only verifies that the user 123456789 is currently logged-in, but not that the id matches actual user who made the query. In fact one does not even need to be authenticated on the server to send a query. This essentially means that we could perform queries for any logged-in user within his privilege level.

For example, we could extract someone else`s exam sheet:

https://y****n.****.ac.il/y****n/fireflyweb.aspx?APPNAME=BSHITA&PRGNAME=NoteBooks_Open_Do&ARGUMENTS=-N[ID]-AH,-N[YYYY],-N1,-N[COURSEID][YY][MM],-N00,-N00[COURSEID],-N0001,-N1,-A&LineNo=1&Stat=U&LastPark=&IndexNo=&TaskDefinition=

where:
[ID] - student id
[YYYY] - current year
[COURSEID] - course id
[YYMM] - semester's starting date (two digit year/month format)

UPDATE: since this has a potential for abuse and me dislikes lawsuits the software name has been removed. sorry folks.

ilhack.org - israeli hacking conference. 04.05.09 24.05.09

2009-04-03T01:47:00.007+03:00

TOP 4 reasons why you should come:

* It's the first hacking con in four years (not counting OWASPs and such)
* It's probably the last hacking con for the next four years
* Did I mention that it's a hacking con?
oh and there just might be free pizzas

...and why it's bound to suck:

* Will last only 8 hours
* Most lectures look boring
* Taking place on ~~MONDAY~~ SUNDAY. This alone will cost you minus fifty points ilhack organizers!
* There is no mention of booze. Will there be any booze? What kind of con is it without any booze???
That reminds me. No mention of Hacker Jeopardy in the schedule either :(

Scamming on Purim. That's just low!

2009-03-10T21:44:00.007+02:00

While writing the previous post I received an intriguing call.
A female voice, calling me by my full name, asked if I have ever purchased from their store, pronouncing store`s name so fast I could barely understand it.
She then continued telling me that I have been marked in their lists as a VIP customer and eligible for a prize of my choice: silver necklace, exclusive leather purse, or juice squeezer. Yes that's right - a juice squeezer.
Which could be mine only for a small delivery fee of 39.90₪.
Needless to say our conversation ended there.

I guess we will never know whether it was "buy a 5₪ necklace for 40₪" scam or just an attempt to steal someone`s credit card info. But doing this on Purim? Where is the ethics!!!!

Better Place

2009-03-10T19:21:00.005+02:00

There this big thing going in Israel and subsequently in Denmark, Australia, US, and some other places - an attempt to convert current transportation infrastructure based on internal combustion engines to EV with renewable-energy in mind.
Besides of the economical and ecological prospects, what interests me the most is the purely technological side of the process.
There is not much information regarding this currently available, however during one of the Q&A sessions Shy (founder of the Better Place) mentions that each car will be equipped with GPS navigation system allowing driver to locate battery swap stations and/or make recharging spot reservation. Which in turn implies that some sort of two-way radio communication will be present.
The obvious question arises: is how well will it come along with personal privacy and will it open new horizons for abuse.
I think it's safe to assume that at least for the earlier steps of the project (counted in years) a statistics will collected about car travelling habits. It's necessary in order to provide a better recharging station coverage. There simply no way to do it efficiently and reliable basing solely on theoretical calculations.
Less likely, but this could also mean that a remote updates will be performed on the vehicle software in order to support newly arising recharging spots - in other words the vehicle's computer will be probably remotely controllable. The same computer in control of the vehicle mechanics.
It's not the possibility of malicious attacks that concerns me, mobile telephony have proved that the means for data transfer over air could be rather reliable (at least against the average hacker, government agencies are a completely different story), but the fact that a vehicle could be remotely controlled. On one hand all this could greatly reduce car theft. On other the idea of someone able to remotely control your vehicle makes one ponder.
In any case there is not much left to wait, according to the schedule full deployment is circa 2012. Will see then how it goes...

Identity theft (the lazy way)

2008-11-01T22:05:00.005+02:00

Supposedly you need to register for something and a valid Identity Number (מספר זהות) is required. What would you do?
-->><<---
Or the actual photo of someone's id card:
-->><<---
Or full credit card information.
-->><<---

.. Nah, just kidding. I won't be surprised if some wisely crafted google query could get you even this though.

For a full personal information however there is nothing better than a good old resumes.
http://www.google.com/search?hl=en&q=%D7%AA.%D7%96.+%2B+%D7%A7%D7%95%D7%A8%D7%95%D7%AA+%D7%97%D7%99%D7%99%D7%9D
Most of the them contain more than enough information for a successful identity theft. This is obviously not some local phenomenon and happens all over the world. What sets Israelis apart however, is an overwhelming tendency to include ID numbers and helluva other personal information.
Fresh from college applicants tend to do this to fill their otherwise empty resumes, some search for jobs in government/military sector. Another source of the problem is recruiting agencies. Upon application you usually will be asked for ID number. Sole purpose of this is to ease applicants tracking in their internal database. The problem is that some agencies decide to spice up the resume and add an id number, among other things.
Anyway, next time some your friends decides to put his or hers CV for public viewing, remind them, for example up to what degree exactly the ID card is checked for validity at the bank on opening a new account.

Password Habits

2008-10-21T02:23:00.003+02:00

Data on users' password habits is hard to come by. Most available researches base their publications on data collected with help of control groups. While these results are fairly good and representative, it makes sense that there will be a number of inaccuracies dragged alongside due to how usually control groups assembled and people who generally participate in them (I was unable to find any research on the subject with good explanation of their selection criterion. Why is that never discussed in depth?). Fortunately for us, these inaccuracies or impurities are rather insignificant, and the collected information still can be successfully extrapolated over the general public. After all, most of us share similar preferences when it comes to remembering things.
Here I would like to present some real life statistics, albeit based only on ~48000 samples, it should give a good view of password selection habits. Only the actual results are shown, it's left up to the reader to draw any conclusions.

Background information:

Source data is a list of 48595 username-password pairs, coming partially from a public discussion board (28595) and partially from a corporate network resource (20000). Users awareness about information security is unknown, but we could assume with a great deal of certainty that the users' expertise represents a complete spectrum from 'casual user' to 'technically inclined'.
We can also assume that the average age for the 20000 list is 20+ (people working in the company are most likely after a college, army, etc.)
Alpha-numeric and general characters allowed. Minimum password length is 6.
Initial password generated by the administrator is 10 characters long, consist of interleaving cases and numbers. E.g. UaI7VyijSt
For passwords from public discussion board: users with last access date - registration date difference no greater than a week were removed. This is done in order to clean up the list from one-time users who presumably chose a common, simple to remember, combination. This should remove a great share of non representative passwords and give us better statistics.

Results:

Overall distribution by length (X axis - length, Y axis- distribution percentage):
Combination match in a publicly available wordlist (~3349730 words): 5.12%
Distribution by length:
Consists solely of numbers: 11.91%
Distribution by length:
Top 30 most frequently occurring passwords:
Has a numerical suffix (remaining characters are alphabetic): 19.83%
Has a numerical prefix (remaining characters are alphabetic): 2.81%

Top 30 suffixes/prefixes:
Original passwords assigned by server retained (under assumption that the passwords of the form UaI7VyijSt are indeed system assigned and not user chosen): 1.44%
Capitalized (remaining characters are lowercase/numbers/general): 2.41%
All letters are uppercase (remaining characters are either numbers or general): 0.19%
Consist solely of same repeating character (e.g. aaaaaaa, 33333333): 0.74%
A double pattern (e.g. funkyfunky): 2.84%
Password is an username derivative (e.g. username: vikk -> password: Zvikk007): 1.52%

Authorized Personnel Only

2008-10-18T15:49:00.000+02:00

A couple of weeks ago I decided, that a time has finally come to abuse my student status and purchase one of those, too good to be true, discounted Egged (Israeli Transport Cooperative) bus passes. Instructions at Egged's site on getting the card were surprisingly thorough. And so, I went wandering through Central Bus Station in search of platform number 19 opposite of which, according to the instructions, cards would be selling.
The only thing in front of the platform was a shady door marked with "Authorized Personnel Only". It didn't looked much like a box-office. At this point I am not sure whether it was my overwhelming confidence in Israeli bureaucracy or more likely just a brief moment of stupidity, but since there were no other doors in vicinity of the platform I went in.

Walking through the halls didn't yield much except of two workers, man sitting in front of bunch of computers at a commanding office of some sort and a teller, of whom neither showed even a slightest interest in an obvious stranger.
Eventually after some ten minutes of poking at offices another teller asked me if she can be of any assistance, and even that was not before a couple seconds of confusing blabbering from my side accompanied by 'Where the hell am I?' facial expression.

OK, lack of even the simplest physical security measures. Workspace with confidential data left unattended (raw materials for cards plus UNLOCKED terminal interface). Workers not instructed in basic security measures. Not that surprising really. But a box-office location being specified by its back entrance for personnel and not by the actual window for general public (located, apparently, near platform 17)?