EFT Syetms and Device Considerations

Aug 05, 2008 in Banking and EFTPoS, Security

devices and systems differ depending on vendor, country and / aggregator.
Below is a list of things you may like to consider. This list is off the top of my head so it is probably not complete.

Looking at the products and relationships us usually a good start.

Things to consider:

No Comments »

DNS Hack Needs Patching - Serious Problem

Jul 10, 2008 in Security

This has been kept under wraps by the Operating System and vendors for the last few weeks and now patches have finally been released for many , software applications and devices.
If you provide or rely on DNZ services (external and Internal) you should consider quickly your servers/devices.

Although Internal servers may not be exposed to an , we see many more internal attacks within larger organisations which involve or services being established within the firewalled trusted . As a result, this lifts the level of internal systems/services and therefore the need for effective timely .

Also consider asking the question of your hosting facility, upstream or provider to see if they have patched their servers and forwarders.

http://www.doxpara.com/?p=1162 This link also has a checker.
http://afp.google.com/article/ALeqM5hwFqcnWAuDWlcqfvfyHu5PGG9RMQ
http://www.kb.cert.org/vuls/id/800113

This is a full list of vendor links
http://www.betanews.com/article/Major_fix_to_DNS_vulnerability_impacts_Windows_Debian/1215551008

Good Luck

No Comments »

Financial Transaction Processing

Jul 02, 2008 in Banking and EFTPoS

I have been recently working inside one of the larger Banks in .
Through this work I have been looking at the controls and surrounding the of and cards around the Asia Pacific.

I get perform many and systems assessments.
Over the years I have always considered the of the as one of the key considerations.

Until yesterday I had never seen an or tools. I think some scripted use of these tools could be very interesting.
The site hziggurat29.com

Many of the other tools on this site are also very unique and worth a look.
Big thanks to ziggurat29 for providing such awesome tools.

As many of these sites are of this nature are difficult to find and often seem to vanish over the years, I have chosen to replicate the the from this page and provide local copies on the files.
It is worth periodically visiting the ziggurat29 site every now and again to see if any additional tools have been posted.

One of the more extraordinary files is the Atalla Module ()  and for (simulation) tools. So I wonder if and are shaking in their boots. Some how I don’t think so. ;-)

——– ziggurat29 ———

These are all Windows command-line utilities (except where noted); execute with the -help option
to determine usage.

DUKPT Decrypt (<- the actual file to download)

This is a that will Encrypted Blocks that have been produced via the triple- method.  I used this for testing the output of some Pad software I had created, but is also handy for other debugging purposes.

VISA PVV Calculator (<- the actual
file to download)

This is a that will compute and verify Values that have been produced using the .  It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn ), creating and encrypting blocks, decrypting and extracting PINs from encrypted blocks, etc.

VISA CVV Calculator (<- the actual file to download)

This is a that will compute Values that have been produced using the .  MasterCard CVC uses the , so it will work for that as well.  It will compute , CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the
format of the expiration date.  is simply comparing the computed value with what you have received, so there is no explicit function.

Atalla AKB Calculator (<- the actual file to download)

This is a that will both generate and Atalla AKB cryptograms.  You will need the plaintext MFK to perform these operations.  When decrypting, the MAC will also be checked and the results shown.

BogoAtalla (<- the actual file to
download)

This is an Atalla (or simulator).  This software (simulation) of the well-known Atalla Module () that is used by banks and processors for cryptographic operations, such as verifying/translating blocks, authorising transactions by verifying
/CSC numbers, and performing key exchange procedures, was produced for testing purposes.  This implementation is not of the complete HP Atalla command set, but rather the just
portions that I myself needed.  That being said, it is complete enough if you are performing acquiring and/or issuing functions, and are using more modern schemes such as and , and need to do generation, , and translation.

This runs as a listening socket and handles the native Atalla command set.  I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native ), but definitely should get identical positive
responses.  Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available.  Examples are generating values and encrypting/decrypting plaintext values.

BogoAtalla for Linksys (<- the actual file to download)

This is the Atalla ported to Linux and build for installation on an OpenWRT system.  Makes for a really cheap ($60 USD) /test device.

 

Local Files

bogoatalla002
atallaakbcalc
bogoatalla_10-1_mipsel
dukptdecrypt
visacvvcalc
visapvvcalc

2 Comments »

Bluetooth

Mar 24, 2008 in Bluetooth

Source

This article is about the wireless specification. For King Harold , see Harold I of Denmark

is an industrial specification for wireless personal area networks (PANs).

provides a way to connect and exchange information between devices like personal digital assistants (PDAs), mobile phones, laptops, PCs, printers and digital cameras via a secure, low-cost, globally available short range radio frequency.

lets these devices talk to each other when they come in range, even if they’re not in the same room, as long as they are within 10 metres (32 feet) of each other.

The spec was first developed by Ericsson, later formalised by the Bluetooth Special Interest Group (SIG). The SIG was formally announced on May 20, 1999. It was established by Sony Ericsson, IBM, Intel, Toshiba and Nokia, and later joined by many other companies as Associate or Adopter members.

Table of contents

* 1 About the name
* 2 General information
o 2.1 Embedded
* 3 Features by version
o 3.1 1.0 and 1.0B
o 3.2 1.1
o 3.3 1.2
o 3.4 2.0
* 4 Future uses
* 5 concerns
* 6 profiles
* 7 See also
* 8 External links

About the name

The system is named after a Danish king Harald Blåtand (<arold Bluetooth in English), King of Denmark and Norway from 935 and 936 respectively, to 940 known for his unification of previously warring tribes from Denmark, Norway and Sweden. likewise was intended to unify different technologies like computers and mobile phones. The logo merges the Nordic runes for H and B.

General information

A typical mobile phone headset

The latest version currently available to consumers is 2.0, but few manufacturers have started shipping any products yet. Apple Computer, Inc. offered the first products supporting version 2.0 to end customers in January 2005. The core chips have been available to OEMs (from November 2004), so there will be an influx of 2.0 devices in mid-2005. The previous version, on which all earlier commercial devices are based, is called 1.2.

is a wireless radio standard primarily designed for low power consumption, with a short range (up to 10 meters [1], ) and with a low-cost transceiver microchip in each device.

It can be used to wirelessly connect peripherals like printers or keyboards to computers, or to have PDAs communicate with other nearby PDAs or computers.

Cell phones with integrated have also been sold in large numbers, and are able to connect to computers, PDAs and, specifically, to handsfree devices. BMW was the first motor vehicle manufacturer to install handsfree in its cars, adding it as an option on its 3 Series, 5 Series and X5 vehicles. Since then, other manufacturers have followed suit, with many vehicles, including the 2004 Toyota Prius and the 2004 Lexus LS 430. The car kits allow users with -equipped cell phones to make use of some of the ’s features, such as making calls, while the itself can be left in a suitcase or in the boot/trunk, for instance.

The standard also includes for more powerful, longer-range devices suitable for constructing wireless LANs.

A device playing the role of “master” can communicate with up to 7 devices playing the role of “slave”. At any given instant in time, can be transferred between the master and one slave; but the master switches rapidly from slave to slave in a round-robin fashion. (Simultaneous from the master to multiple slaves is possible, but not used much in practice). These groups of up to 8 devices (1 master and 7 slaves) are called piconets.

The specification also allows connecting two or more piconets together to form a scatternet, with some devices acting as a bridge by simultaneously playing the master role in one piconet and the slave role in another piconet. These devices have yet to come, though are supposed to appear within the next two years.

Any device may perform an “inquiry” to find other devices to which to connect, and any device can be configured to respond to such inquiries.

Pairs of devices may establish a trusted relationship by learning (by user input) a shared secret known as a “passkey”. A device that wants to communicate only with a trusted device can cryptographically authenticate the of the other device. Trusted devices may also encrypt the that they exchange over the air so that no one can listen in.

The protocol operates in the license-free ISM band at 2.45 GHz. In order to avoid interfering with other protocols which use the 2.45 band, the protocol divides the band into 79 channels (each 1 MHz wide) and changes channels up to 1600 times per second. Implementations with versions 1.1 and 1.2 reach speeds of 723.1 kbit/s. Version 2.0 implementations feature Enhanced Rate (), and thus reach 2.1 Mbit/s. Technically version 2.0 devices have a higher power consumption, but the three times faster rate reduces the times, effectively reducing consumption to half that of 1.x devices (assuming equal traffic load).

differs from Wi-Fi in that the latter provides higher throughput and covers greater distances but requires more expensive and higher power consumption. They use the same frequency range, but employ different multiplexing schemes. While is a cable replacement for a variety of applications, Wi-Fi is a cable replacement only for local area network . A glib summary is that is wireless USB whereas Wi-Fi is wireless Ethernet.

Many adapters are available, some of which also include an IrDA adapter.

Embedded

devices and modules are increasingly being made available which come with an embedded stack and a standard UART port. The UART protocol can be as simple as the industry standard AT protocol, which allows the device to be configured to cable replacement mode. This means it now only takes a matter of hours (instead of weeks) to enable legacy wireless products that communicate via UART port.

Features by version

1.0 and 1.0B

Versions 1.0 and 1.0B had numerous problems and the various manufacturers had great difficulties in making their products interoperable. 1.0 and 1.0B also had mandatory Device Address (BD_ADDR) in the handshaking process, rendering anonymity impossible at a protocol level, which was a major set-back for services planned to be used in environments, such as Consumerism.

1.1

In version 1.1 many errata found in the 1.0B specifications were fixed. There was added for non-encrypted channels.

1.2

This version is backwards compatible with 1.1 and the major enhancements include

  • Adaptive Hopping (AFH), which improves resistance to interference by avoiding using crowded frequencies in the hopping sequence
  • Higher speeds in practice
  • extended Synchronous Connections (eSCO), which improves voice quality of audio links by allowing retransmissions of corrupted packets.
  • Received Signal Strength Indicator (RSSI)
  • Host Controller () for 3-wire UART
  • to timing information for applications.

2.0

This version is backwards compatible with 1.x and the major enhancements include

  • Non-hopping narrowband channel(s) introduced. These are faster but have been criticised as defeating a built-in mechanism of earlier versions; however hopping is hardly a reliable mechanism by today’s . Rather, is based mostly on cryptography.
  • /multicast . Non-hopping channels are used for advertising service profiles offered by various devices to high volumes of devices simultaneously, since there is no need to perform handshaking with every device. (In previous versions the handshaking process takes a bit over one second.)
  • Enhanced Rate () of 2.1 Mbit/s.
  • Built-in quality of service.
  • Distributed media- control protocols.
  • Faster response times.
  • Halved power consumption due to shorter duty cycles.

Future uses

One of the ways may become useful is in Voice over IP. When becomes more widespread, companies may find it unnecessary to employ telephones physically similar to today’s analogue telephone . may then end up being used for communication between a cordless and a computer listening for and with an infrared PCI acting as a base for the cordless . The cordless would then just require a cradle for charging. would naturally be used here to allow the cordless to remain operational for a reasonably long period.

concerns

In November 2003, Ben and Adam Laurie from A.L. Ltd. discovered that flaws in lead to disclosure of personal (see http://bluestumbler.org). It should be noted however that the reported problems concerned some poor implementations of , rather than the protocol itself.

In a subsequent experiment, Martin Herfurt from the trifinite.group was able to do a field-trial at the CeBIT fairgrounds showing the importance of the problem to the world. A new called BlueBug was used for this experiment.

In April 2004, consultants @Stake revealed a flaw that makes it possible to crack into conversations on based wireless headsets by reverse engineering the PIN.

This is one of a number of concerns that have been raised over the of . In 2004 the first purported virus using to spread itself among mobile phones appeared for the Symbian OS. The virus was first described by Kaspersky Labs and requires users to confirm the installation of unknown software before it can propagate. The virus was written as a proof-of-concept by a group of virus writers known as 29a and sent to anti-virus groups. Because of this, it should not be regarded as a failure of either or the Symbian OS. It has not propagated ‘in the wild’.

In August 2004, a world-record-setting experiment (see also Bluetooth sniping) showed that with directional antennas the range of class 2 radios could be extended to one mile. This enables attackers to -devices from a distance beyond expectation.

uses the SAFER+ for authentication and key generation.

profiles

In order to use , a device must be able to interpret certain profiles. These define the possible applications. Following profiles are defined:

  • Generic Profile (GAP)
  • Service Discovery Application Profile (SDAP)
  • Cordless Telephony Profile (CTP)
  • Intercom Profile (IP)
  • Serial Port Profile (SPP)
  • Headset Profile (HSP)
  • Dial-up Networking Profile (DUNP)
  • Fax Profile
  • LAN Profile (LAP)
  • Generic Object Exchange Profile (GOEP)
  • Object Push Profile (OPP)
  • File Transfer Profile (FTP)
  • Synchronisation Profile (SP)

This profile allows synchronisation of Personal Information Manager (PIM) items. As this profile originated as part of the infra-red specifications but has been adopted by the SIG to form part of the main specification, it is also commonly referred to as IrMC Synchronisation.

  • Hands-Free Profile (HFP)
  • Human Device Profile (HID)
  • Hard Copy Replacement Profile (HCRP)
  • Basic Imaging Profile (BIP)
  • Personal Area Networking Profile (PAN)
  • Basic Printing Profile (BPP)
  • Advanced Audio Distribution Profile (A2DP)
  • Audio Video Remote Control Profile (AVRCP)
  • SIM Profile ()

Compatibility of products with profiles can be verified on the Bluetooth Qualification website.

See also

External links

No Comments »