Thursday, June 4, 2009

Awesome ATM hack

ATM fraud is not new, but what those guys have done is pretty cool (from the technical point of view, of course):

Cybercriminals are improving a malicious software program that can be installed on ATMs running Microsoft's Windows XP operating system that records sensitive card details.

The malware records the magnetic stripe information on the back of a card as well as the PIN (Personal Identification Number), which would potentially allow criminals to clone the card in order to withdraw cash.

The collected card data, which is encrypted using the DES (Data Encryption Standard) algorithm, can be printed out by the ATM's receipt printer.

The malware is controlled via a GUI that is displayed when a so-called "trigger card" is inserted into the machine by a criminal. The trigger card causes a small window to appear that gives its controller 10 seconds to pick one of 10 command options using the ATM's keypad.

The entire article is here and the analysis of the malware is here.

Thursday, April 9, 2009

Mind-blowing netifera upcoming features

Geographical visualization and Probe Add video

I have to say that I'm very proud of the work the guys have been doing on netifera.

Even though I'm not working with them anymore, I know the guys and what they are capable of, and this is the proof.
Upcoming features like probe deployment and geographical visualization are only the tip of the iceberg.

There is not much to add, just take a look at the video and you'll understand...

Sunday, March 29, 2009

Conficker C analysis

For all of you living under a rock, there is a very interesting worm infecting machines all over the internet and inside corporate networks as well (more than you think... ehehehe).
It has had a huge impact due to certain characteristics it possesses, and they are worth reading about.

The people at SRI International have published a great analysis of it, and I recommend everyone read it because it's very interesting.
Click HERE to see the analysis.

Enjoy!

Friday, December 12, 2008

netifera beta 2 is out!

If you are a lazy bastard who didn't contact us to receive notifications about netifera, then move your lazy ass and download it HERE.

This version doesn't include any new exciting eye-candy feature, but it does have something new. If you like developing security stuff then you'll probably love this release, because you will be able to develop sniffing modules by following the Sniffing Module Tutorial in the documentation section of the netifera home page.

This is just the first of a series of articles about how to create your own sniffing modules and integrate them into netifera, either using your favorite text editor and a script or using Eclipse (which is now the number one IDE on my list). You may think it's more comfortable not to use Eclipse, but I promise you that once you try it, you'll love it and want to keep using it every time.

If you are interested in the changes and bug fixes in this beta 2, take a look at the changelog.

Wednesday, November 26, 2008

netifera beta was released at XCON2008

A couple of the guys and I came to Beijing, China to talk about netifera.
For those who have been living under a rock, netifera is the next generation, ass-kicking platform for security tools, written in Java, supporting multiple OSes and remote tool execution with an awesome piece of code called 'peludo' and its partner called 'the probe'.

If you are interested in reading the presentation, you can take a look at it at the end of this post, and I'd also recommend downloading netifera and trying it.

At this moment netifera beta builds for Linux and Mac OS X are available for download HERE (yes, dumb-ass, click here!), and you will also find a startup guide explaining some interesting aspects of it along with its installation process, which is really simple. In the future we'll have the Windows version available too, but not yet :)

All feedback will be very much appreciated, and if you are interested in seeing something implemented in netifera for the next release, let us know. I can't make promises, but we'll surely appreciate everyone's opinions (if they match our opinions... ehehehe).

There are some interesting posts on the netifera blog here, so you should take a look at it.

Here are the slides of the presentation... have fun:

Sunday, October 12, 2008

New dreams, new challenges, old friends... Netifera


What am I talking about? It's about something I've been waiting on for a long time: the opportunity to create something from scratch, being able to do something awesome and share it with others, working with incredibly intelligent people, creating cutting-edge security stuff that will blow everyone's head off... all the things I've described and more are what I feel about working on Netifera, the next generation multi-platform security framework.
We all have a bunch of experience in the security field, but saying it is one thing and proving it is another, so we'll try to prove it by creating the ultimate security platform.
If you are interested in what I'm talking about, then stay tuned and also check out the Netifera website to see the news about this kick-ass tool :)

Wednesday, June 11, 2008

CitectSCADA vulnerability 90's Style

Does the SCADA community care about security? I don't think so, because they always say "don't touch those things, you could hurt people" to avoid moving their asses and securing their networks. With this bug, and the previous one about the Wonderware DoS, they will probably start to really secure their products and do better during the development process.

Some people asked me how I found the vulnerability, and the answer is simple:

1) Download and install the software, duh!!!!
2) Select a process with a port listening for incoming connections (I just picked the first one I saw).
3) Start your favorite debugger.
4) Set a breakpoint on recv(), the function that receives data from TCP connections (on Windows the service may call WSARecv() or recvfrom() instead, so cover those too).
5) Use your favorite programming language (mine is Python) and write a script that sends a bunch of A's.
6) When the breakpoint hits, start debugging. You'll usually see that a byte or two are read from the socket and treated as the length of the rest of the packet, so adjust your script to put those length bytes at the beginning of the packet.
7) If you step out of a function or two, you'll reach the function that processes the packet content according to the length you specified.
8) In those parser functions, you'll usually see that a byte or two are read from the packet and interpreted as the field type (that is usually a huge switch-case).
9) According to the operation selected by that byte, another byte or two are read as the size of the field to process (Tag-Length-Value style).
10) The field is copied into a fixed-size buffer on the stack using the length taken from the packet... OUCH!!! EIP = 0x41414141 ??? That's not good (for them... ahhaha)
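To make steps 6 to 10 concrete, here is an added example in C. It is not CitectSCADA code and not from the original post: a toy parser shaped like the one described above (two-byte length prefix, then Tag-Length-Value fields, with the value copied into a fixed-size stack buffer), the bounds-checked version next to it, and a builder for the kind of packet the Python script in step 5 would send. The wire layout, the 64-byte buffer, the field type 0x01 and the return codes are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_BUF 64   /* assumed size of the fixed stack buffer */
#define T_NAME   0x01  /* assumed field type handled by the switch-case */

/* Assumed wire format: [len:2 little-endian][body:len]
 * body = sequence of [type:1][flen:1][value:flen]                    */

/* Step 10 as found: flen comes straight from the packet and is used
 * as the memcpy length into a 64-byte stack buffer. A field of 200
 * 'A's overwrites the saved return address, hence EIP = 0x41414141.
 * Kept deliberately vulnerable; only call it with benign input.      */
int parse_body_vuln(const uint8_t *body, size_t len)
{
    char field[FIELD_BUF];
    size_t off = 0;
    int nfields = 0;

    while (off + 2 <= len) {
        uint8_t type = body[off];
        size_t flen = body[off + 1];
        off += 2;
        switch (type) {
        case T_NAME:
            memcpy(field, body + off, flen);   /* no bounds check: the bug */
            break;
        default:
            break;                             /* unknown tag: skip it */
        }
        off += flen;
        nfields++;
    }
    (void)field;
    return nfields;
}

/* Hardened: every length is checked against the bytes actually left in
 * the packet and against the destination buffer before any copy.       */
int parse_body_safe(const uint8_t *body, size_t len)
{
    char field[FIELD_BUF];
    size_t off = 0;
    int nfields = 0;

    while (off + 2 <= len) {
        uint8_t type = body[off];
        size_t flen = body[off + 1];
        off += 2;
        if (flen > len - off)
            return -1;                         /* field runs past the packet */
        switch (type) {
        case T_NAME:
            if (flen >= FIELD_BUF)
                return -2;                     /* would overflow the buffer */
            memcpy(field, body + off, flen);
            field[flen] = '\0';
            break;
        default:
            break;
        }
        off += flen;
        nfields++;
    }
    return nfields;
}

/* Step 6: a correct length prefix, then one T_NAME field of flen 'A's.
 * Returns the packet size, or 0 if the output buffer is too small.     */
size_t build_packet(uint8_t *out, size_t cap, uint8_t flen)
{
    size_t body = 2 + (size_t)flen;
    if (cap < 2 + body)
        return 0;
    out[0] = (uint8_t)(body & 0xff);
    out[1] = (uint8_t)(body >> 8);
    out[2] = T_NAME;
    out[3] = flen;
    memset(out + 4, 'A', flen);
    return 2 + body;
}

/* Step 7: read the prefix, reject one that claims more bytes than
 * were received (-3), then hand the body to the hardened parser.       */
int handle_packet_safe(const uint8_t *pkt, size_t n)
{
    if (n < 2)
        return -3;
    size_t body = pkt[0] | ((size_t)pkt[1] << 8);
    if (body > n - 2)
        return -3;
    return parse_body_safe(pkt + 2, body);
}

/* Build a packet with one field of flen 'A's, optionally drop `cut`
 * trailing bytes (a lying prefix), and run it through the safe path.   */
int probe_safe(uint8_t flen, size_t cut)
{
    uint8_t pkt[300];
    size_t n = build_packet(pkt, sizeof pkt, flen);
    return handle_packet_safe(pkt, n > cut ? n - cut : 0);
}

int main(void)
{
    uint8_t pkt[300];
    size_t n = build_packet(pkt, sizeof pkt, 10);
    printf("benign, vuln parser: %d\n", parse_body_vuln(pkt + 2, n - 2));
    printf("200 A's, safe parser: %d\n", probe_safe(200, 0));
    /* parse_body_vuln on the 200-byte field would smash the stack here. */
    return 0;
}
```

The two parsers differ only in the two length checks, which is exactly what you look for once you have reached step 8: a length read from the wire that is never compared with the size of the buffer it is copied into.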

peace!!!!!!!!!!!!!