Irregular Expressions


April 14, 2010  9:58 AM

ATM Malware – Part 2

Dan O'Connor

There has been an update to the original story I posted the other day; it now appears that there is a dollar value for the theft. Released court documents put the loss between $200,000 and $400,000! That’s a whole lot of ATM withdrawals.

There was some interesting information about the malware and the ATMs that I did find. Newer ATMs (after 2004) encrypt the PIN as it’s leaving the pad; I would like to know the details of how that works. If a PIN is 4-8 digits that’s only 32 – 64 bits; that should be pretty easy to create a rainbow table for with such a small pool of numbers to work with, or even to figure out the encryption method if you already have physical access to the ATM.

April 14, 2010  9:20 AM

NSA USB Detector

Dan O'Connor

There have to be more than a few people out there who would really like to get hold of this application.

http://whatsbrewin.nextgov.com/2010/04/nsa_on_the_flash-media_hunt.php

Being able to detect mass storage devices connected to the network would make more than one security professional’s life easier. Disabling the USB ports is something you can do in most cases, but being alerted when someone who has the authority to use a mass storage device connects one is a great audit feature.


April 12, 2010  11:53 AM

ATM Malware – Part 1

Dan O'Connor

A former bank IT worker has been charged with installing malware on ATM machines at Bank of America. The amount of money that he stole is not posted anywhere that I can find, but it is above $5,000.

There is no specific information about the malware that he used to commit the fraud.

On a related note, I have found some technical information regarding malware discovered on European ATMs that is finding its way into North America. The primary function of the malware is to capture mag stripe and PIN information as customers use the ATM; it also has the ability to arbitrarily dispense cash from the ATM.

The malware appears to be controlled by inserting controller cards into the card reader ( Neat! ), which displays the control interface and allows the user to perform a variety of functions on the terminal. It intercepts the information as it’s processed on the system and stores it in the C:\Windows\ dir as a file called ‘kl’.

The story on the Bank of America guy is here http://www.wired.com/threatlevel/2010/04/bank-of-america-hack/

Information on the malware is here http://www.wired.com/threatlevel/2009/06/new-atm-malware-captures-pins-and-cash

And here is the link to the pdf write up about the malware http://www.wired.com/images_blogs/threatlevel/2009/06/trustwave-security-alert-atm-malware-analysis-briefing.pdf


April 12, 2010  8:51 AM

Problems with BGP

Dan O'Connor

From what I would think was a configuration error, a small Chinese ISP effectively hijacked part of the Internet.

IDC China Telecommunication announced routes for tens of thousands of networks -- about 10% of the Internet. Typically this small ISP announces about 30 routes.

The bad routes were configured around 10 AM EST on April 8th and were accepted by the downstream China Telecommunications ( state owned, according to ComputerWorld.com ).

Thanks to the way BGP functions, even though the routers at other major ISPs around the globe had accepted the routes, they would have selected a better route than sending the traffic to China and back.

You can see the full article at computerworld.com here http://www.computerworld.com/s/article/9175081/A_Chinese_ISP_momentarily_hijacks_the_Internet_again_?taxonomyId=17&pageNumber=1

There is also information at bgpmon.net, which is following the story as well: http://bgpmon.net/blog/?p=282

There was also a similar issue a couple of weeks ago; you can see that story here: http://www.renesys.com/blog/2010/03/fouling-the-global-nest.shtml


April 7, 2010  8:21 PM

Miracle on Thirty-Hack Street

Dan O'Connor

The Ethical Hacker Network has posted the results of the Miracle on Thirty-Hack Street contest.

The answers are posted here.

http://www.ethicalhacker.net/content/view/305/1/

Here are the answers.

1) “What is the name of the following mathematical property? If a=b and b=c, then a=c.”

This is the transitive property of equality. ( http://www.mathwords.com/t/transitive_property.htm ).

2) What FQL query or API call can be used to retrieve information about vacations from Kris Cringle’s (uid 100000565751882) Facebook account?

Information about the APIs to use is here.

http://wiki.developers.facebook.com/index.php/FQL
http://wiki.developers.facebook.com/index.php/API#Data_Retrieval_Methods

3) What Facebook privacy setting allowed this data leakage?  What is the default value of this setting?

The privacy option within Facebook that allows such access is the “Friends of Friends” setting on the note when it was posted.

4) What is the text from the decrypted message from the Judge?

By decrypting the PDF with the passphrase of “norway” we get the original PDF which appears to be a Christmas letter from the Judge to Santa.

I’ll leave you to read the bonus question.


April 7, 2010  6:59 PM

The Financial Management of Cyber Risk

Dan O'Connor

This was posted on isc.sans.org a couple of days ago; it’s worth reading, but you will have to register.

http://webstore.ansi.org/cybersecurity.aspx

Some of the statistics in the report are pretty interesting, and the sheer amount of financial loss quoted is staggering.


March 29, 2010  5:46 PM

OpenSSL v1.0.0 released

Dan O'Connor

OpenSSL v1.0.0 has been released; this is a major release of OpenSSL. When they say major they mean major: the list of changes is pages and pages long.

Head over and get a fresh copy http://www.openssl.org/ .


March 28, 2010  9:48 PM

Communication During A Business Continuity Event – Part 1

Dan O'Connor

During a major disaster recovery or business continuity event, maintaining team communication and co-operation can be a great asset. I have seen several different solutions used, from Skype, MSN / GTalk or other hosted IM, to an internal Jabber server and cell phones / BlackBerries. I think any solution that meets the needs of the company is good, but I think they should be concerned about where that data is going when using these systems. Once data has left the network I really don’t think it’s your data anymore; it can be copied, replicated and recorded without your knowledge.

Hosting your own solution at your DR site or on your primary network lets you control where it goes and who sees it. I have used a Jabber solution as the medium before, but there are things like screen sharing, video conferencing, and whiteboarding that would be a great asset to have.

I have found an excellent solution called OpenMeetings.

http://code.google.com/p/openmeetings/

Part 2 will be an installation guide.


March 28, 2010  9:14 PM

Parsing XML with regular expressions – Part 2

Dan O'Connor

You can also run into XML formatted like this.

<global>
	<pref name="trusted_ca" value="cacert.pem" />
	<pref name="hide_toolbar" value="no" />
	<pref name="hide_msglog" value="no" />
	<pref name="auto_enable_new_plugins" value="yes" />
	<pref name="use_client_cert" value="no" />
	<pref name="nessusd_port" value="yes" />
	<pref name="nessusd_user" value="openvas" />
	<pref name="paranoia_level" value="yes" />
	<pref name="targets" value="192.168.0.197" />
	<pref name="name" value="Report 20100304-235837" />
	<pref name="comment" value="" />
</global>

While this might look daunting, it’s easy to pull anything you want out of it with almost the same code as in the last example.

my ($name, $report);

foreach (@file) {
	# '...' is true from the line matching <global> through the line matching </global>
	if (/<global>/ ... /<\/global>/) {
		# only the pref whose value starts with "Report " matches here
		if (/<pref name="(.+)" value="Report (.+)" \/>/) {
			$name   = $1;   # the name attribute ("name")
			$report = $2;   # the rest of the value after "Report "
		}
	}
}

In a regex, “()” indicates a capture group; in Perl you refer to these groups as $1, $2 and so on, numbered from 1. A “.” is a wildcard that matches any single character, and a “+” states that the preceding item must match at least once but will continue to match as long as it can (it is greedy).


March 20, 2010  8:37 PM

Parsing XML with regular expressions – Part 1

Dan O'Connor

Many applications now have the ability to produce XML reports; while Perl does have modules available to parse this information, I find regular expressions are faster on extremely large data sets.

A small example.

<date>
	<start>Thu Mar  4 23:27:03 2010</start>
	<end>Thu Mar  4 23:58:37 2010</end>
</date>

Get the XML you need to parse into an array; you can use Perl’s open or a shell command to do so.

my $target = "/path/to/what/you/want.xml";
open(my $fh, '<', $target) or die "Could not open $target: $!";
my @file = <$fh>;   # one array element per line of the report
close($fh);

OR

my @file = `cat /path/to/what/you/want.xml`;

Now you just need to step through the array; you can use a foreach loop for this.

foreach (@file) {
	# each line of the file is in $_ here
}

Now, going through the file, you can use Perl’s ‘...’ range (flip-flop) operator between two regexes to match the lines between two markers, and then get down to what you are looking for.

my ($report_start, $report_end);

foreach (@file) {
	# '...' is true from the line matching <date> through the line matching </date>
	if (/<date>/ ... /<\/date>/) {
		if (/<start>(.+)<\/start>/) {
			$report_start = $1;   # text between <start> and </start>
		}
		if (/<end>(.+)<\/end>/) {
			$report_end = $1;     # text between <end> and </end>
		}
	}
}
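As an added example (not code from the original posts), one script applies the same ‘...’ flip-flop idiom to both fragments, the <date> block from Part 1 and the <pref> block from Part 2, and tightens the attribute regex so it also handles an empty value; the combined XML is constructed here from the two posts.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: the <date> fragment from Part 1 and a few of the
# <pref> lines from Part 2, as one report would contain them.
my @file = split /\n/, <<'XML';
<report>
	<date>
		<start>Thu Mar  4 23:27:03 2010</start>
		<end>Thu Mar  4 23:58:37 2010</end>
	</date>
	<global>
		<pref name="targets" value="192.168.0.197" />
		<pref name="name" value="Report 20100304-235837" />
		<pref name="comment" value="" />
	</global>
</report>
XML

my ($report_start, $report_end, %pref);

foreach (@file) {
	# '...' flip-flop: true from the line matching <date> up to and
	# including the line matching </date>, false everywhere else.
	if (/<date>/ ... /<\/date>/) {
		$report_start = $1 if /<start>(.+)<\/start>/;
		$report_end   = $1 if /<end>(.+)<\/end>/;
	}
	# Same idiom for the <global> block; a second '...' keeps its own state.
	if (/<global>/ ... /<\/global>/) {
		# [^"]* instead of .+ so the name group stops at its closing quote
		# and cannot swallow ' value="..."', and so value="" still matches.
		if (/<pref name="([^"]*)" value="([^"]*)"\s*\/>/) {
			$pref{$1} = $2;
		}
	}
}

print "report start: $report_start\n";
print "report end:   $report_end\n";
printf "pref %-8s = '%s'\n", $_, $pref{$_} for sort keys %pref;
```

These regexes assume one element per line with attributes in the order shown; for reports that break that (entities, reordered attributes, elements wrapped across lines) the XML modules mentioned in Part 1 are the safer choice.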

