Tuesday, May 28, 2013

Curiosity and Old Computers: The CarolinaCON #9 Badge

Curiosity

This year's CarolinaCON badge was an old 5.25" floppy disk with custom labels made for the CON.  It was a great idea and a throwback to the days of old.  If you notice in the picture below, the label even peels up like they used to!  Of course, it was an opportunity for those senior members of our fraternity to bash (pun intended) on those less advanced (in years) also in attendance.
CarolinaCON 2013 Badge
The question of the CON soon became "does the badge really work?"  As you can imagine at a hacker CON, all sorts of assumptions are made about the contents of the disk.  The irony was that with all the tech present, nobody had a drive to read the thing and find out!  At least not a drive with them...

I was lucky enough to hear the story from Curbob himself, who procured the badges.  After coming up with the idea to use old 5.25" floppies, Curbob was tasked with finding a large quantity of them for the CON.  When he found a vendor that had a sufficient amount of them available, he laughed in telling us "they were curious what they were being used for."  He told them it was for a technology conference and was immediately hit with "but do you need them to work?"  The difference in price was quite hilarious, to which he responded along the lines of "they're for badges and don't need to work...send me the broke ones."


Old (Vintage) Computers

So even though we knew these things shouldn't work, my cohort in crime Noah wasn't satisfied.  Noah is a bit of a hoarder when it comes to electronics.  I thought it was a bit of shtick when he would talk about his "collection" of vintage computers.  As it turns out, he was telling the truth and has one of the most incredible museums of paperweights I've ever seen!  Surprisingly, a lot of it still works!








I can't remember which one it was, but one out of the several Noah tried actually booted its last in the process.  I thought I was actually going to see him cry when it happened.  Eh...

At some point, I'll do a blog post to inventory all the random computers, laptops, PDAs, cell phones, cameras, etc., etc., that he has.  It is truly a walk down memory lane!




Monday, May 13, 2013

ATM Fail

I've held off on posting anything about this for the better part of a year.  In some part, there is always the fear of someone either trying to repeat it or being blamed for some ATM hack.  Either way, with all the news in the past few weeks on ATM hacks, I figured it would be interesting to post my own experiments in the area.  It was thoroughly entertaining!

So…before we begin…DO NOT DO THIS!!  DO NOT ATTEMPT IT!  IF YOU DO THIS WITHOUT PERMISSION, YOU WILL GO TO JAIL!!  IF YOU DON'T KNOW HOW TO GET PERMISSION, DO NOT DO THIS!!

It isn't useful to discuss the who, what, when, where of this test; suffice it to say, this is likely repeatable on other vendors.

We start with said ATM…names obscured to protect the…well, me!

Step #1:  Generate Error

Sometimes this is easier than you might expect.  Press the wrong combination of buttons.  Tap the touchscreen and find a "magic combination" of places to trigger the admin mode.  In my experience, the methods I just mentioned are pretty useless.  You may get lucky, but there usually isn't an admin mode you can access without cracking into the box.  You may have better luck…just saying.

In this instance, it was using a magnetic stripe card that wasn't a debit/credit card.  Go figure, right!  I mean, who makes an ATM that doesn't validate that the information on the card isn't real?  Well, apparently this ATM validated it, but did a rather poor job of handling errors.  We'll get to that at the end, so let's continue.

Step #2:  Explore



Imagine my surprise that this thing is running Windows 7!  Ok, so this should be pretty easy.  Just wander your way through the menus and open the onscreen keyboard and…we're off!



Imagine my "WTF" when I open IE and it gets online!  Why does it need to get on the internet?  Oh, because many ATM vendors are putting them in locations where they share an internet connection.  I'm not going to get into this one (as I'm sure many will refute it or "correct" me), but this is my observation of common practice.   Sure, many still use dialup and some are using cellular and other connections, but there are many that are using ethernet connections to somewhere.

Also, why wasn't this thing "hardened" and non-required programs removed?  This joker was a full-blown Windows 7 Professional install!  What were you thinking, ATM guys!  Moving on...

Step #3: Profit



As I mentioned before...DO NOT DO THIS!!  IF YOU ARE NOT AUTHORIZED, IT IS A FEDERAL OFFENSE.

Sometimes breaking into things is easier than magic key combinations and secret backdoor knowledge.  Sometimes, a little perseverance and luck will get you farther.  In this instance, it was bad error handling!  Walking through the steps to withdraw or deposit and listening to the hardware engage and disengage even when failing to recognize my card gave me the hint.  I don't know why, but it did.

I for sure as heck wasn't using a legit card.  I used what I had available…my Flamingo hotel room card from a previous stay.  After a series of trial and error I was able to repeatably generate errors when hardware would engage and I would swipe the card.  The card would read as bad and cause the software to crash, but only in certain situations.  I'm not going to say what they were.

As mentioned before, a little perseverance pays off.  I found other instances where using combinations of the card and hitting cancel, enter, or touching buttons on the screen would allow the program to continue.  This of course eventually led to the mother lode!



Name and pertinent info obscured for obvious reasons.  You may notice, this is a deposit receipt.  Why was I putting money in instead of taking money out you ask?  Well, the long story short is not everything works right when you're breaking it and the machine would not generate withdrawal receipts.  Pretty funny I guess!

This machine was particularly cool because, not only could you make realtime deposits to the bank, the machine would spit out prepaid debit cards!  I was actually able to register my Flamingo debit card as a source the machine would repeatably recognize and was able to redeposit my ill-gotten gains back into the machine and onto my card!

If I don't get in trouble for making this, my first serious post, there will be more to follow on other projects and failings.

On a side note, if you see me at a CON and I'm wearing the Flamingo hotel card, you now know why.  It is a badge of honor that, until now, has been an inside joke.  This was my hotel room card from DEFCON 20.  And hilariously proved useful for more than just getting erased by my cell phone and locking me out of my room at an inconvenient moment of inebriation.

Monday, May 6, 2013

Security CONs...


Been a crazy year already for CONs.  I made it out to CarolinaCON, Outerz0ne, and a handful of meetups, CTFs, and competitions so far.  Already got tickets to Blackhat, DEFCON, and the crazy "vendor" events that are sure to be…educational.

Skydog beating me up…I deserved it.
Not everyone gets one of these! Thanks Skydog!

Strangely, my perspective on all these events is a little skewed as of late due to some interesting CFP feedback.  Vendors drive the conferences and subsequently suck up all the good slots!  So…

Bringing me to the point, I'm putting it out for one CON that you need to make it to this year…SkydogCON.  I've gotten sucked in and in a good way.  After making it out in 2012, I got plugged in with Skydog and now work on staff to support, plan, and stage the CON.

If you were lucky enough to make it to Outerz0ne at the beginning of April, in Atlanta, GA, then you probably got to see me…trust me, you would remember if you were there!  But don't let that experience or my recommendation keep you from showing out!




