יום חמישי, 5 בדצמבר 2013

How from security flaw in banks phone kiosk I found myself into breaking gates (not really) and parking service system

אם מעניין אותכם איך גיליתי את פרצת השערים, תיכנסו לפוסט תדלגו לתגובה  # 4 של Sro ותבינו איך מפירצה לבנקים התגלגלתי לפרצת שערים,ואז לפירצה לפנגו


יום שני, 2 בדצמבר 2013

Security flaw in Pango+ the major parking service in Israel - Solved great job Pango-Milgam!

Will be update soon


פרצת אבטחה במערכת הטלפוניה של שירות פנגו / פנגו+ (חברת מילגם חניה סלולארית בע"מ) + ציון לשבח לחברת מילגם בעלת השירות

כמו שהבטחתי אני מעדכן, כרגע בקצרה:
השירות פנגו של חברת מילגם שירותי חניה סלולארית (Pango) היה פרוץ עד לאחרונה
חשוב להדגיש שנציגיה הטכניים של החברה עשו מעל ומעבר לצורך תיקון הפרצות וביצעו זאת בזמן מהיר במיוחד (שעות ספורות) וזאת במהלך סוף השבוע מעבר לשעות העבודה המקובלות.
אני ממליץ לקרוא את דבריו של עו"ד יורם הכהן ראש הרשות לאבטחת מידע וטכנולוגיה במשרד המשפטים-רמו"ט לשעבר,פעולות רמו"ט בעבר וכן את המלצותיו והתיחסותיו השונות של עו"ד יונתן קלינגר בנושאי מאגרים ביומטריים.
בכדי להפוך את הנושא למעניין עוד יותר,אתם מוזמנים לעיין בפיצוח פרשיית מאגר אגרון שנבנה על בסיס גניבת מאגר נותנים ממשרד הפנים.
לסיום חשוב להבין שאת הטלפון שלכם עדיין ניתן להשיג בחברת התקשורת שלכם,וגם אם לא שם מספיק שיהיה לכם כלב עם צ'יפ ז"א שיש לקחת בחשבון שמאגרי מידע חוקיים כמו Dog Center של משרד החלקאות הינם כלי אולטימטיבי לאיסוף פרטים אישיים של אנשים,חלקם כאלו שמספר הטלפון הנייד שלהם לא מופיע בשום מקום אחר.

קיימות מגוון תוכנות ושירותים מסחריים לשינוי שיחה מזוהה,המספקים יחד תשתית לביצוע פעולות זו מכל תוואי אפשרי על עוד יש לו חיבור לקו טלפון. 
בנוסף ניתן לבנות תשתית זו באופן עצמאי על בסיס מרכזיות טלפוניות.
על ידי שינוי שיחה מזוהה (Spoof Caller ID) התאפשר לתוקף לבצע מגוון פעולות חודרניות.
1. כניסה לחשבון הטלפוני של המשתמש ללא כל צורך בסיסמה תוך שימוש במספר טלפון  כסיסמא (מלבד חריגים כמו נהג נוסף או הגדרת מערכת)
2. קבלת מספר לוחית הזיהוי של הרכבים שבהם משתמש בעל המספר הסלולרי
3. הכנסה לחניה
4. הוצאה מחניה
5. קבלת אינפורמציה עד מתי החניה אמורה להתקיים
6. קבלת אינפורמציה באיזה עיר החניה  מתקיימת 
 לכתבה בנושא

יום שבת, 30 בנובמבר 2013

קידום חקיקה בישראל נגד זיופי שיחות

החוק בארצות הברית


אני מחפש דוגמאות נוספות לחדירה    למערכות דרך שינוי שיחה מזוהה


יום שלישי, 19 בנובמבר 2013

על זיוף שיחה מזוהה,שינוי שיחה מזוהה, שערים חשמליים וטרויה

על זיוף שיחה מזוהה,שינוי שיחה מזוהה, שערים חשמליים,סוס טרויאני מודרני, ולמה בעצם האדם לא לומד מטעויות אלא רק מחמיר אותן

העברתי אתמול הרצאה במסגרת קבוצת דפקון בישראל (dc9723.org) על היכולת לזייף שיחות או בעברית יפה שינוי שיחה מזוהה,ולמה זה נוגע לכולנו.

קיבוצים ישובים מושבים מפעלים בתי חולים והרבה מקומות אחרים הטמיעו במשך שנים מערכות שתפקידם לנתר תנועה ולאבטח את הכניסה למקום.
על ידי חיוג לשער החשמלי מתקבלת פקודת הפעלה שגורמת לשער להיפתח.

מה שאנשים לא מבינים שככה אפשר לנצל את הסוסים הטרויאניים שנבנו במשך לפחות שבע שנים בשערים מודרניים של יישובים קיבוצים מפעלים ארגונים ומוסדות שונים.
לפעמים זה החניון שלכם.

תחשבו שהורדוס או בנאי אחר היה ממציא שיטה שבה בכל שער יהיה מנגנון לפריצה של החומה,עכשיו תדמיינו את הכניסה למפעל, הקיבוץ,המושב או השער החשמלי בבית שלכם.

המשך יבוא


יום ראשון, 17 בנובמבר 2013

Next chapter - spoof Caller ID as a tool to hack into Gates Attacking gates chapter two

License Plate Generator (Spoof LPR) Attacking gates chapter one

This is Geekcon project, which is the most creative place you should be in

We put together a page which generates a random (or predefined) license plate image. Check it out here - http://lph.intrpx.com
The page is compatible for tablets (thanks airbase CSS dude). The idea is to show the license plate image to parking lot cameras, in order to fool them that you have a different number.
This way you could perhaps avoid paying for parking and/or cause the parking lot to believe there are a bunch of cars inside, although there aren't. 
Who: Michael Hermon, Amitay Dan  

We of course don't encourage anybody to break the law

יום שישי, 1 בנובמבר 2013

Manipulations on databases

Manipulations on databases
By Amitay Dan

Disclaim:This article is only for study and public knowledge,
many people don't see email and ID reset as something to secure.
My motivation is to change this.

While looking at databases as a target, my main idea is to find irregular weaknesses which can give me abilities to attack the database.
In my study I was looking at the database as a fortress, and my main vision was to use manipulation as a tool to conquer it.
In my opinion using the rubbish tunnel as a way to attack the city, will be much more fun than attacking it with normal force.
Every citadel needs water supply or someone in the gates to check the people, but in the virtual world you can mix technique and be very creative while having attack.
In my article I will share my research of how can we gain information without using force, how can we gets databases by just asking it small questions, knowing that every machine needs to react after it getting orders or questions.
Sometimes you just need to ask the website to give you new passwords after typing email, while other times it’s about you calling the credit card issuer by the phone, inserting random ID’s and by the answer you can gain the users databases.
In my article I will share how this kind of technique can be a tool for new kind of blackmailing, political and inelegance data mining, as well as privacy concern.
As I can see it the main target in the closes future will be to create augmented reality with people databases.
As you know Google has a plane to sell glasses with augmented reality abilities, in my opinion the day when we look at person faces knowing his political opinion, email, sexual status and many more small data is not so far from now.
Let's start with giving faces to email lists
What can be done with spam list? There are many websites which are selling email list1 for later uses. Basically the idea is to sell something or to send something to this emails, sometimes you can buy two million emails for very cheap price. 

Figure 1

As for me I was thinking more and more about the hidden benefits behind this kind of email list, what can be done with the most common ID in the virtual life, the one that you carry everywhere, in every website that asking you to register?  
The answer was to find this people in the reality, but first to gain information on them using very common weaknesses in databases, the reset.
Before going there we need to go back to the beginning, how can we gets people faces by having their emails, and how that can be the basic for our attack?
The social network is the most known place to gain information about people, actually as part of Facebook system you would be able upload 2
a file contain a huge amount of emails, and since this is the way they work, you can use Facebook to attach to people their faces and then you have email plus faces plus Facebook account, and that’s just the first step in the association process.

Figure 2

So what do we have? We do know that email lists are very common product to buy, and they can be a way to find people faces and that lead us to realize that this is the first step of recognizing people in the reality, in the street at the bar or even form the video camera from our home.
A company called Face.com # which sold to Facebook had an apps who called “klik” this apps gave to social network users like Facebook abilities to recognized and tag their friend in the reality, so the technology is here and since that facial recognition it’s not only in Facebook and social website  and if you want you can play with open source as well.
Now we should think forward and see that emails are actually the basic link between the reality and the cyber life, so why don’t we mix all the data about the people and make their virtual life to be known in the street, why don’t we push their virtual identity into the physical one?
This is not philosophical question but actually a the basic behind my study.
Many questions are being asked here, so let’s start to figure out the solution, but first let’s see what Facebook has to say about the issue.

Facebook and me
Since I understood that Facebook can be the best way to link between faces of people and their email which are taken from email lists, I was trying to ask the Facebook what they have to say about it, and here is the story:

-----Original Message to Facebook-----
From: ***********
Subject: Report a Possible Security Vulnerability

Name: Amitay Dan
E-Mail: **********
Type: db_injection
Scope: www
Description: Hi,

This week I have found a huge problem in Facebook database.

As you know Facebook gives the users the ability to find their own friend.

By opening new email and insert in a list of mails (which can get from spam list) I can sneak out from Facebook the whole public data of the users.

If you do so by searching for new users by email in the search box you get get it as well.

By that every spam list, or database with email can have very easy (by script) a face, pictures of the email owner.

Please contact me as soon as possible.

Best regards,

Amitay Dan
Ethical Hacker
Hi Amitay,

This is not a security vuln, anyone you can find via the find a friend email looking feature has the privacy setting "allow people to find me via" set for email.

Thanks for contacting Facebook,

My answer for that was:

Hello Emrakul,

Thank you for answering me.

I do know and aware to the fact you mention.

If that not a problem I do want to ask for your agreement to use my point as part of my study.

The regulators in many countries won’t accept so many people to be heart.

I would like to speak as well with someone from Facebook Israel or the relevant office.

I do agree that people knows that email are a legitimate tools to find them, but there are many ways to use it for bad and that should be avoid.

As I have found in my study while someone email account (Gmail) account is being hacked, the hacker can sneak out the whole data of his contact persons in the email.

Next step would be adding into the database the faces and the names which can be found by Facebook.
For this I had no answer back until today, so maybe now people should ask them self if they really want that every spammer or someone who have or bought database with their emails would be able to link between their email and the faces thanks to Facebook.
I got not answer about the abilities to use Facebook service with bulk amount of emails, so it seems that no one’s care over there.  
Now let’s back to the bad side.
Definition of ID
In the past ID social security number (SSN) and fingerprints where the most common identity stamp of people, now days, the email the phone number and nicknames are being very common ways to recognized people in the cyber world, and that’s why there are the main target to gain information from databases in my study.

How to cheat computer
Normally when you see a weapon pointing at you should know that you need to protect yourself, yet, sometime the uses of uncommon vector to gain access into places can be smarter.
As you might know there are a lot of uses in women as a way to get into data places and secure area, males are thinking different when they see a pretty woman and most of people won’t suspect you while you carry a baby or a child with you, it’s a good cover.
Looking at computer as the target can give us an headache, they have no emotion (yet) and they don’t care.
The best way to make computer to be confuse is to understand that a human made them, and then to realized step by step how to steal from them the database with no single shot.  
Starting from Linguistic Journey
Before the battle began, we needs to gain inelegance ,and words will be our best tools for that, after we fulfill the emails from the email list we got with pictures names and nick names of the people we want more data about them.
The mission will be to find places where after inserting inside emails, we will get an answer that telling us if this email is known in the database.
This answer is wrong website should never say what is in the database, and who the clients are.
Let’s start with searching in Google the words like:
Reset by email” “please enter your email reset” and see what’s happen, many website are coming with an option to send new password to the user email, and when we got bingo we know that this person from the email list is part of the database.
After time we can understand that looking only for the error answer like  ”Email Address Not Registered
No account with this email address was found“ , “You have not entered an email address that we recognize. Please try again or contact the administrator”, ”E-mail address not registered or being creative” Email address already registered “ “email address is already registered” can take us very fast to websites that don’t protect their databases from attack like that.
Mostly even if you can’t gets reaction from the website by resetting using email , you can just try to register as a new user with a known email, and then even the most secure system will tell you that your already part of it (unless it’s ok to have two user in one email).
I don’t want to go deeply into the linguistic trip but it’s very interesting to see how looking for simple words taking you into a place where you can get many website with problems in the databases.
It’s time to do some examples
Choosing targets
The first step is to find places where there is a benefit behind the database.
Case study #1
Sexual preference is something that not all of the people want to share if it’s not straight, many people are living behind the cupboard, and since that many of them have family there are very easy target to be blackmail.
I believe that website that giving services to this community needs to protect the privacy of the users more than others.    
So let’s began, all you need to do is to find popular website where the user can type his email to gets new password, after it you need to see what is the website answer.#

As mention before cases like can be a way to gain a lot of money from the victims, you actually dealing with knowledge.
People will pay you money so you don’t crash down their life.
Figure 3

Case study #2
Jihad and freedom fighters movement are places where people like to hide, it’s too risky for some of them to be known by the real name. In places like that we can try as well to use the reset or registration technique# and gain inelegance about the faces behind the website.
Figure 4

Let other help you
Since the main idea is to know everything you can get, there are websites# that can help you to find OSINT (open source inelegance) from the internet.

    Gaining data from phone systems   
Many security specialist and pen tester doing a lot of work in the internet, but protecting phone systems from hackers and phreakers# is something more difficult.
If you want to cancel a credit card of a person, or just know what credit card he his holding all you need to do is to start canceling process according to stealing.
Another option is to insert random ID into the bank or credit card issuer using wardiling attack using known bulk ID’s database.
Sometime all you need to do is to start phone recognition process and stop it after you’re being asked to type the password, the method is working like the internet databases.

Political agenda
Sometime people said what is there political agenda, but if you are in the army, in government office it’s you prefer to keep it secure.
My next step is to show out how can we get’s people political background.
Since it’s not easy to hack into the database we will do something else, we will try to signup# for email updates in the Liberation party website.
Figure 5

As you can see the privacy of the user is not being kept, the website is telling us that “You are already signed up” so we can connect now between the person data and the Libertarian Party website.

Now let’s go and see what’s going on in the Democrats#  website maybe they do better?

Figure 6

Well, even here it’s seems that we can’t trust our privacy, the users database is open to the public, since the system telling us that “No accounts match the email address you entered”

Health status
Let’s said we want to know something more useful, something that can make people life being hell, while other can be aware of the problems around them, why don’t we check who has AIDS or HIV.
Without going too far into the questions behind the motivation, we do need think about it a bit.
What should make people pay more money, removing fake antivirus# or blackmailing using their medical problem as a flag, pay me or I will publish that you have AIDS?
These kinds of security problem are not normal, they are not sexy and no one will pay money to solve them without being sew in the court. Yet, they should concern us much more than normal ones since they can change people life.
Thinking about the subject made me look into website who giving service to this kind of community#,and very easy I’ve the reset area where all you need to type is email#.

Figure 7

Since we needs two for tango let’s find another examples to this systematic privacy problem, even more than two#

 Figure 8

Figure 9

Figure 10
Figure 11
Figure 12

Now, all you need to do is to enter the email from email list or just  your new partner’s email and see what happened, maybe the answer will be negative - we don’t know this email, but it might be as well positive this email known by the system and he his one of us.
Now you can take this answer and using the email you can get this face, his full name and facebook account, and you should suspect that he or she has HIV or Aids.
That’s not small security problem, it’s not security issue at all, it’s something else.

Forums are easy targets
Many forums are being built based on free and popular services, so the same problems of giving feedback while doing reset password are very common. Time after time I have realized that forums have problems, and basically they had much more problems than normal websites.

Manipulation and hacking
Since I was starting this career by realizing how to break into bank account using the phone kiosk in the front of the bank’s branch, while using the redial bottom to get ID’s and password after decoding them# I believe that we can gets many other things we want, like information from databases by using creative ideas.
I don’t like to use my force while it’s not needed. If you want to get database, many times all you need to do is to think what the real user will do if he forgets his data, and what’s the reaction of the machine will be.


Well, as you can see we are going into a place that 1984# is not a fiction, the difference is the fact that in here everybody has the power of the government, we all can be in the closest future a human-sniffer, who knows many things about the people around us.
In my opinion having on the way the Google glasses# which are the “Project Glass” or even starting now projects with the Recon’s android SDK# and the new camera options with augment reality, can be a fast step into the time when people will have RoboCop# abilities.
Since Apple and Google have a battle it won’t surprise me to see the answer of Apple answer for this development.
Knowing that you can already can get a product, write some code and starts analyzing the space around you make more sense than ever while thinking about the uses of stolen databases.

Figure 13

Figure 14

Going wild
It’s not any more about how to steal database by doing manipulation, or hacking into Jihad forums, or another sensitive places like areas with people who suffer from HIV.
With this glasses (without the ski parts) you can go into gays festivals,# record them by video tag them or crate people faces data from video in YouTube# and then create an application which showing you warning every time you see a gay, lesbian in the street.
Leaving the gay community behind, let’s think about something more creative.
Face and emails
As you know from the beginning of my article, the uses of email list for sell can be different in the future, no more spam but abilities to know what is the email behinds the face, knowing that will give us abilities to create dating application that will tell us by looking at the person who is single and who is not. Other abilities will be to have live sexual offender to protect your child#.
Since not everything bad, we can use the face recognition to track missing persons as well#.
Going with this line of mind can take us into brand new places, you walk at the street and you need something, someone else have it and he can be recognize by the “giving application” ,so you don’t know him but he will help you.

The future of database hacking
At the time when we will have abilities to create databases by our digital eyes, (and this time is almost here) hacking and stealing databases will be much more active.
No more standing behind the computer but wearable glasses or contact lances which creating dynamic database from nothing.
Doing counter civilian jobs as a private investigator will be different as well, and gathering data will be in different level.
Social Engineering
Since we will be able to start with web based databases, and then mix it with reality based data the next level will be to use this data to hack into the people mind, to make them believe us.
If you can know so much about a person that you never met why don’t you use it to get his Password very easy?
Automatic geo-location fishing systems
In the past advertise based on geo-location were made by SMS, thank to the tower location and the operator.
Now days they are more and more application that send coupons since you are close by, while thinking about it I had an idea, why don’t we use this kind of behave to attack the surround area?
Knowing that people want deals from the closes store around them made think about a funny attack, an apps for the wearable glasses which are scanning faces around you and sending them automatic phishing or Trojan assuming to be a coupon from the closes store.
That will work for sure in countries where coupons are popular tools# , and thanks to the email list and Facebook we can do it.
This article spoke about the idea that email lists can be a the basic tool to hack into people life by stealing databases in creative kind of scraping, after that this people can be found using their emails, in website and forums, linked them to illegal activities like terror, or just tag their political or self sexual activities, new kind of blackmailing is just want idea.

Having list of emails with the names and the faces can be very interesting tools while you using them for questioning website if they knows someone or not, or just saying, I forget my password please send me new one.

By then the website won’t understand that while he his guarding the database, he his actually helping the attacker to get the knowledge from the database.

Sometimes linking people to cyber activities can be just by trying to add theirs emails to website newsletters system, and they are less protected than many other system.

Facebook and similar social services are doing a lot of thing in the world, but the idea of using those services to linked stolen databases to people in the street, using augmented reality is something that we will see in the next future.

I believe that people will pay to hacker for this augmented knowledge, and I think that hacking database in the 21c will be much more interesting than the past.