Madrock

The problem has been discovered in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to, and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

Ormandy has also published a suitable exploit which functions under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. When tested by the The H’s associates at heise Security, the exploit opened a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7. No patch has become available, although Ormandy reports that Microsoft was already informed of the hole in mid 2009. The developer decided to publish the information regardless because, in his opinion, there is a simple workaround: to disable the MS-DOS subsystem.

The workaround requires users to start the group policy editor and enable the “Prevent access to 16-bit applications” option in the Computer Configuration\Administrative Templates\Windows Components\Application Compatibility section. When tested with these settings by the heise Security team, the exploit no longer functioned. The settings reportedly don’t cause any major compatibility problems for most users while no 16-bit applications are being used.

Update – The above option is only available through the group policy editor on Windows 2003 systems. Some versions of Windows do not include a group policy editor. As an alternative, users can also create a registry key under \HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat with a D-Word value of VDMDissallowed = 1. Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]

“VDMDisallowed”=dword:00000001

into a file called vdmdisallow.reg and double click the file. Windows will then automatically import the key (admin rights are required to perform this action).

Update 2 - Microsoft has now confirmed the privilege escalation hole in Windows. The company says that it wants to complete its investigation of the vulnerability and will then decide whether, how and when to close it.

See Also:

• Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack, security advisory from Travis Ormandy.

REDMOND — When it rains, it pours. Especially in the Seattle area. Tavis Ormandy has published full details on a privilege escalation hack of all versions of Windows including Windows 7.

The exploit takes advantage of a bug in the Windows implementation of the ‘virtual DOS machine’ used to run legacy 16-bit programs. The exploit can be avoided by turning the VDM ‘feature’ off but the danger of course is that enough Windows lusers won’t know about the bug and/or bother turning the ‘feature’ off.

16-bit applications need BIOS support; the Windows kernel supports virtual BIOS interrupts in its ‘Virtual-8086′ mode monitor code. The code is implemented in two stages. The #GP trap handler transitions to the second stage when CS:EIP faults with specific ‘magic’ values.

The transition requires (subsequent to authentication) restoring the context and the call stack from the faulting trap frame. But the authentication process is flawed, relying as it does on three incorrect assumptions.

• Setting up a VDM context requires SeTcbPrivilege.The barrier to getting a VDM context can be subverted by requesting the NT VDM subsystem and then using CreateRemoteThread() to run code in the context of the VDM subsystem. The VDM subsystem already has the necessary flag set.
• Ring 3 (unprivileged) code cannot install arbitrary code segment selectors.Using the two least significant bits of CS/SS to calculate the privilege of a task doesn’t work when it comes to Virtual-8086 mode. The 20-bit addressing (by adding CS << 4 to the 16-bit IP) is also used to map onto the protected linear Virtual-8086 address space. If CS can be set to an arbitrary value, then the privilege calculation can be circumvented.
• Ring 3 (unprivileged) code cannot forge a trap frame.Returns to user mode are through IRET. An invalid context can cause IRET to fail pre-commit, which in turn forges a trap frame. And even with address randomisation it’s trivial to use NtQuerySystemInformation() to obtain the address of the second stage BIOS handler.

Affected Systems

This bug dates back 17 years and affects all systems released since 27 July 1993 – Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. See the links below for further details.

See Also
MITRE: CVE-2010-0232
Windows plagued by 17-year-old privilege escalation bug
NEOPHASIS: Trap Handler Allows Users to Switch Kernel Stack

Recently I have been looking into the vulnerabilities in the TLS negotiation process discovered late last year.

There are a range of experts debating the exploit methods, tools and how it may be fixed (server or client site or both). From what I have seen so far this may prompt a change to the TLS standard to introduce an extension to the protocol to validate sessions (session hand off and certificate validity).

www.ietf.org

isc.sans.org

• The original description (site is suffering from a slashdot effect as I write this)
• The summary by the IETF TLS workgroup, and promises for an amended protocol
• Marsh Ray’s paper
• March Ray’s protocol diagrams

www.win.tue.nl/hashclash/rogue-ca/

www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html

I’m also trying to find some tools which may assist in testing for this. It looks like the exploit relies on an ARP poison or similar and then inserting plain text into the negotiation process.

Could be something that can be fixed over time as servers and clients are patched.

Amateur Packet Radio Australian

Aussiewide Packet Radio Network http://www.ampr.org.au/

AAPRA http://members.optusnet.com.au/aapra

Australian Amateur Packet radio directory http://www.wia.org.au/links/Packet Radio Directory 050703.PDF

Data Group Sub Committee WICEN Vic http://datagrp.vic.wicen.org.au/

Queensland APRS Users Group http://www.tech-software.net/

VK2KFJ’s Packet Radio Links page http://www.qsl.net/vk2kfj/pacradio.html

VK3JED http://quest.apana.org.au/~tl/vk3jed/

VK4TTT XROUTER http://xrouter.ampr.org.au/

VK4ZU http://www.users.on.net/~trevorb/

VK5 AX25 Packet Network Map (VK5AH) http://homepages.picknowl.com.au/wavetel/vk5pack.htm

Winlink

Winpack

10GHz data Link http://www.cck.net.au/areg/inside/projects/10ghz/10ghz.htm

International

About Digital Ham Radio http://home.teleport.com/~nb6z/about.htm

Amateur Packet Radio Gateways http://www.ampr-gates.net/frame_e.htm

Amateur Packet Radio, net 44, and AMPR.ORG `http://www.ampr.org/

American Febo Enterprises http://www.febo.com/index.html

ARRL HSMM Links http://www.arrl.org/hsmm/links.html

Athenian TCP/IP http://www.athnet.ampr.org/freeserv.htm

BayCom http://www.baycom.org/

BBS Hierarchical Addressing Protocol http://www.tapr.org/tapr/html/Fbbssig.html

Colin’s packet info http://website.lineone.net/~colin_mccord/Radio/packet_radio.htm

CHIFLEY A R CLUB http://hamgate.rpi.net.au/netstat.html

CHIFLEY A R CLUB http://hamgate.rpi.net.au/chifley/packet.html

CX2SA http://cx2sa.net/

digitalhamradio http://www.digitalham.net/

DRSTM (Data Radio Standard Test Methods) http://www.rocler.qc.ca/burt/drstm.html

Flexnet http://dl0td.afthd.tu-darmstadt.de/~flexnet/

FUNET http://www.funet.fi/pub/ham/packet/

FUNET ftp://ftp.funet.fi/pub/ham/packet/

F4DAY http://perso.wanadoo.fr/jf.fourcadier/index_e.htm

F6FBB http://www.f6fbb.org/

GB7DIP TNOS/PBBS http://www.qsl.net/gb7dip/access.html

GB7IMK http://www.gb7imk.co.uk/

G4JKQ http://www.btinternet.com/~g4jkq/

G4JKQ TCP/IP Telnet listing http://www.qsl.net/g4jkq/tcp.htm

G7JJF TNC Driver Support (WINTNC) http://www.g7jjf.demon.co.uk/

High speed (2 Mbit/s) data signaling project http://perso.wanadoo.fr/jf.fourcadier/haut_debit/projet/projet_e.htm

High speed packet http://hydra.carleton.ca/articles/hispeed.html

High Speed Packet radio http://www.lmrgroup.com/ke3ht/hspr.html

High-speed Packet Radio http://cacofonix.nt.tuwien.ac.at/~oe1kib/Radio/

KE5FX http://www.qsl.net/ke5fx/

K4ABT (home page) http://www.packetradio.com/

K4ABT (packet radio primer) http://www.packetradio.com/primer.htm

Linux® / Amateur Radio Information http://delbert.matlock.com/linux-radio.htm

Linux projects http://cacofonix.nt.tuwien.ac.at/~oe1kib/Linux/

Linux AX25-HOWTO http://tldp.org/HOWTO/AX25-HOWTO/

MPRG http://www.mprg.ampr.org/index.html

NNA http://www.btinternet.com/~nna/

Netterm http://www.cs.unca.edu/~edmiston/handouts/netterm.html

PA3CGO http://www.qsl.net/pa3gco/

Packet Cluster information http://cpcug.org/user/wfeidt/Misc/pctut.html

Packet  Info and Downloads http://www.packetradio.com/

Packet Links http://www.stack.serpukhov.su/~victor/hamradio/packet/packet.html

Packet Net (VK5 packet map) http://www.packetnet.org/

Packet Net (FBB software) http://www.packetnet.org/fbb.htm

PAcket Digital Amateur Network (PADAN) http://www.weaksignals.com/

PZT Software by G8PZT (Xrouter, PZT BBS) http://www.g8pzt.pwp.blueyonder.co.uk/software/software.htm

Radio-TNC Wiring Diagrams http://users3.ev1.net/~medcalf/ztx/wire/

RST http://www.qsl.net/on1blu/

Russian Packet http://www.stack.serpukhov.su/~victor/hamradio/packet/packet.html

Slovenian ATV/Packet http://lea.hamradio.si/~s51kq/

Sound Card Packet http://www.qsl.net/soundcardpacket/index.html

TAPR http://www.tapr.org/

TCP/IP Telnet listing http://www.btinternet.com/~g4jkq/tcp.htm

TNC-X http://www.tnc-x.com/

TPK http://www.f6fbb.org/f1ebn/index.htm

TNOS Central http://www.lantz.com/tnos/

TVIPUG http://www.tvipug.org

United Kingdom Internet Protocol http://www.gb7imk.co.uk/ukip/

VHF/UHF/Microwave Radio Propagation: A Primer for Digital Experimenter http://www.tapr.org/tapr/html/ve3jf.dcc97/ve3jf.dcc97.html

WA4DSY 56k RF Modem http://www.wa4dsy.net/

Yet Another 9k6 Modem http://www.microlet.com/yam/

1.2 GHz TRX http://www.ccr.jussieu.fr/physio/f6bvp/txenglish.html

9600 BAUD – A SHOPPERS GUIDE: http://www.g1gyc.demon.co.uk/martin/9600.htm

---

Sound Card Packet

ILINKBOARDS.com http://www.ilinkboards.com/

Sound Card Buddy http://www.sparetimegizmos.com/Hardware/SoundBuddy.htm

Soundcard Interfacing http://www.qsl.net/wm2u/interface.html

Sound Card Packet AGWPE (KC2RLM) http://www.patmedia.net/ralphmilnes/soundcardpacket/SV2AGW http://www.elcom.gr/sv2agw/ Sound Card Interface with Tone Keyer (WA8LMF) http://members.aol.com/wa8lmf/ham/tonekeyer.htm

QDG sound card interface

Return to Top

---

Winlink

Winlink! 2000 http://winlink.org/

Aussie Winlink http://www.aussiewinlink.org

Pactor Communications Australia http://www.pca.cc/

---

Winpack

Winpack home page http://www.peaksys.co.uk/

Winpack info http://www.g4fip.cwc.net/winpack.htm

Winpack info http://www2.tpg.com.au/users/peteglo/winpack.htm

Winpack info http://www.btinternet.com/~gb7omn/winpack.htm

---

TNC  information

General

Data Group Sub Committee WICEN Vic http://datagrp.vic.wicen.org.au/

Setting Your TNC’s Audio Drive Level http://www.febo.com/packet/layer-one/transmit.html

TNC and Radio mods http://www.johnmather.free-online.co.uk/tnc.htm

TNC 2 – MFJ 1270 – Tone Calibration Procedure http://datagrp.vic.wicen.org.au/mfjtones.htm

TNC Mods by Warren Stirling VK3XSW http://203.36.211.21/xswmods/

MFJ

Alignment of MFJ-1270B http://www.packetradio.com/1270algn.htm

MFJ-1270 Tone Calibration http://gyld.online.se/mods/misc/MFJ1270

MFJ-1270B mods http://www.mods.dk/mods.php3?radio=tnc&model=mfj-1270&selectid=1073#1073

MFJ 1270B Modifications http://203.36.211.21/xswmods/mfj1270b.htm

MFJ-1270B Electromagnetic Interference http://datagrp.vic.wicen.org.au/mfj_emi.htm

MFJ-1278B Care and maintenance http://www.qsl.net/ke4mob/

AEA

PK-88 Mods http://www.mods.dk/mods.php3?model=pk-88&radio=tnc

PK-88 birdie fix http://732.com/ham/mods/aea/pk88fix.htm

AEA radio and TNC mods http://www.k7on.com/mods/aea/mods/aeamod.txt

Other suppliers

BYONICS http://byonics.com/

Fox Delta http://www.foxdelta.com/

Hal Communications http://www.halcomm.com/AmateurProducts.htm

Kantronics http://www.kantronics.com/

PacComm http://www.paccomm.com/

PKTerm for Windows http://www.cssincorp.com/pkterm/

Small Wonder Labs http://www.smallwonderlabs.com/

The DXZone Digital and Packet Radio http://www.dxzone.com/catalog/Manufacturers/Digital_and_Packet_Radio/

Tigertronics http://www.tigertronics.com/

Timewave http://www.timewave.com/amprods.html

TNC-X – The Expandable TNC http://www.tnc-x.com/

YAM Modem http://www.nordlink.org/yam/

---

Gateways

Amateur Packet Radio Gateways http://www.ampr-gates.net

G4JKQ http://www.g4jkq.co.uk/

Packet gateways http://www.packetnet.org/packet_gateways.htm

Radio Gateway Project http://www.cisi.unito.it/radiogw/index.html

The Gateways Home Page http://www.ampr-gateways.org/

Return to Top

---

High-Speed Digital Networks and Multimedia (Amateur)

N5OOM’s HSMM Projects http://www.n5oom.org/hsmm/

ARRL High-Speed Digital Networks and Multimedia http://www.arrl.org/hsmm/

North Texas High Speed MultiMedia group http://groups.yahoo.com/group/ntms-hsmm/

San Antonio 802.11 http://home.satx.rr.com/wdubose/

Also take a look at the wireless LAN pages

---

APRS

Aus APRS http://www.radio-active.net.au/vk2_aprs.html

APRS http://www.radio-active.net.au/web/gpsaprs/aprsrept.html

APRS http://aprs.rutgers.edu/

APRS http://web.usna.navy.mil/~bruninga/aprs.html

APRS http://www.cave.org/aprs/

APRS http://www.ew.usna.edu/~bruninga/aprs.html

APRS in Adelaide http://vk5.aprs.net.au/

APRS+SA Home Page http://www.tapr.org/~kh2z/aprsplus/

APRS maps & stuff http://www.users.cloud9.net/~alan/ham/aprs/

APRS Maps for G4IDEs UI-VIEW http://www.gb7iph.demon.co.uk/APRS_Maps___Links/aprs_maps___links.html

AVR-Microcontroller http://www.qsl.net/dk5jg/aprs_karten/index.html

APRS in the UK http://www.aprsuk.net/

aprsworld http://www.aprsworld.net

APRS.DE http://www.aprs.de/

APRS-Berlin http://www.aprs-berlin.de/

APRS-Frankfurt http://www.aprs-frankfurt.de/

BYONICS (Electronics Projects for Amateur Radio) http://www.byonics.com/

CanAPRS http://www.canaprs.net/

Dansk APRS Gruppe http://www.aprs.dk/

findU.com http://www.findu.com/

France APRS http://www.franceaprs.net/

Kansas City APRS Working Group http://www.kcaprs.org/

KD4RDB http://wes.johnston.net/aprs/

Le Club ARPS France http://aprs.free.fr/

Live Australian APRS data maps http://www.aprs.net.au/japrs_live.html

NIAN http://nian.aprs.org/

N2YGK http://www.users.cloud9.net/~alan/ham/aprs/Ohio APRS NET http://www.ohioaprs.net/

Queensland APRS Users Group http://www.tech-software.net/

Tri-State APRS Working Group http://www.tawg.org/

---

Other Digital Modes

General HF-FAX http://www.hffax.de/index.html The Digital Ham Radio Revolution! http://home.teleport.com/~nb6z/about.htm NB6Z http://home.teleport.com/~nb6z/ ZL1BPU http://www.qsl.net/zl1bpu/

Morse Code

CW FACTS AND OPERATING TIPS http://www.magiclink.com/web/shurst/Page2.html

CW Operators’ QRP Club Inc. http://www.users.on.net/~zietz/qrp/club.htm

Fists Down Under http://fistsdownunder.morsekeys.com

FISTS DOWNUNDER http://www.fistsdownunder.org

LEARN MORSE CODE in one minute ! http://www.learnmorsecode.com/

MRX morse code http://www.mrx.com.au/

NZART CW program http://www.nzart.org.nz/nzart/Exam/morse.html

Not Morse Code, Slow Scan , Packet or APRS

HamDream by HB9TLK (digital radio) http://www.qslnet.de/member/hb9tlk/

JE3HHT, Makoto (Mako) Mori http://www.qsl.net/mmhamsoft/

PSK31 and other PC Magic http://www.psk31.com/

SIMPLE32 http://www.simple32.com/

WSJT ACTIVITY IN AU (follow link) http://www.tased.edu.au/tasonline/vk7wia/

---

Amateur Digital Radio

AR Digital Voice Communications http://www.hamradio-dv.org/

ARRL digital voice http://www.arrl.org/tis/info/digivoice.html

ARRL Digital Voice the next new mode? http://www.arrl.org/tis/info/pdf/0201028.pdf

Australian National D-Star http://www.dstar.org.au/

G4GUO (HF digital modems) http://www.chbrain.dircon.co.uk/index.html

Ham Radio digital info http://www.hamradio.com/pdf/dstar.pdf

ICOM America digital http://www.icomamerica.com/amateur/dstar/

TAPR digital http://www.tapr.org/tapr/dv/

Temple University Digital Voice Project http://www.temple.edu/k3tu/digital_voice.htm

Temple University Vocoder Redux http://www.temple.edu/k3tu/VocoderRedux.pdf

WinDRM – HF Digital Radio Mondiale http://n1su.com/windrm/

W2BRI’s Digital Voice Site http://www.standpipe.com/w2bri/fastmodem/fastmodem.htm

---

D-Star

Australian D-Star information http://www.dstar.org.au/

D-Star users http://www.d-starusers.org/

D-Star wikipedia http://en.wikipedia.org/wiki/D-STAR

ICOM America D-Star Forums http://www.icomamerica.com/en/support/forums/tt.asp?forumid=2

K5TIT http://www.k5tit.org/

---

Software Defined Radio

FlexRadio Systems Software Defined Radios http://www.flex-radio.com/

Rocky software for SoftRock-40 hardware http://www.dxatlas.com/rocky/

SDRadio – a Software Defined Radio http://digilander.libero.it/i2phd/sdradio/

SoftRock-40 Software Defined Radio http://www.amqrp.org/kits/softrock40/index.html

The Weaksignals pages og Alberto I2PHD (software) http://www.weaksignals.com/

Winrad software defined radio http://www.winrad.org/winrad/index.html

---

Digital Radio

BBC digital Radio http://www.bbc.co.uk/digitalradio/

DABdigital http://www.ukdigitalradio.com/home/default.asp

Digital Audio Broadcasting http://www.digitalradio.ca/

Digital Radio Broadcasting http://happy.emu.id.au/lab/info/digradio/index.html

Digital Radio is the sound of the future http://www.radio.cbc.ca/radio/digital-radio/drri.html

Digital Radio http://www.magi.com/~moted/dr/

Digital radio mondiale http://www.drm.org/indexdeuz.htm

DRDB http://www.drdb.org/

DRM – Digitaler Rundfunk unter 30 MHz http://www.b-kainka.de/drm.htm#dritte

SimplyRadios.com http://www.simplyradios.com/dab/dabhome.htm

---

Amateur Radio Direction Finding

Amateur Radio Direction Finding – ARDF http://www.nzart.org.nz/nzart/ar_info/ardf.html

Amateur Radio Direction Finding and Orienteering http://vkradio.com/ardf.html

Amateur Radio Direction Finding Webring http://www.qsl.net/vk3zpf/webring1.htm

Homing In http://members.aol.com/homingin/

RON GRAHAM ELECTRONICS (ARDF and more) http://users.mackay.net.au/~ron/

Victorian ARDF Group Inc. http://www.ardf.org.au/

---

Repeater Linking

There are currently There are 5 internet linking projects that I know of :-

IRLP,  iPHONE, iLINK, eCHOLINK and WIN SYSTEM (May 2005)

EchoLink http://www.echolink.org/

Hamlink (K1RFD) http://www.hamlink.net/

KWARC (live audio) http://www.kwarc.org/listen/

Internet Linking http://www.qsl.net/g3zhi/index2.html

IRLP http://www.irlp.net/

IRLP status http://status.irlp.net

IRLP VK2RBM http://www.bmarc.oz-hams.org/irlp.html

IRLP VK4MTV http://www.throbware.com.au/irlp/

WIN SYSTEM http://www.winsystem.org/

Wires http://www.vxstd.com/en/wiresinfo-en/

iLINK

G4CDY-L Internet Gateway http://www.g4cdy.co.uk/

G7WFM Repeater Linking http://www.g7wfm.co.uk/

iLink http://www.aacnet.net./

VA3TO iLINK INTERFACE http://www.ilinkca.com/

VK2JTP iLINK gateway http://www.qsl.net/vk2jtp/

WB2REM & G4CDY’S  iLINK boards http://www.ilinkboards.com/

WB4FAY http://www.wb4fay.com/ilink_FAQ.html

INTERFACES

ILINKBOARDS.com http://www.ilinkboards.com/

---

laser diodes

A Lightwave Communication http://www.n1bug.net/tech/laser/alc_wa6ejo.html

A R Laser Communications http://www.qsl.net/wb9ajz/laser/laser.htm

Australian Optical DX Group http://groups.yahoo.com/group/Optical_DX/

Driver Enhancements http://www.misty.com/people/don/laserdps.htm#dpsdepm

European Laser Communications http://www.emn.org.uk/laser.htm

Laser Communications http://www.arrl.org/tis/info/laser.html

Laser Communications http://www.gbonline.com/~multiplx/wireless/laser/

Mike’s Electric Stuff http://www.netcomuk.co.uk/~wwl/electric.html

Ronja http://atrey.karlin.mff.cuni.cz/~clock/twibright/ronja/

---

Amateur Radio Licence

Amateur Regulations Examination Guide http://www.wiavic.org.au/edu/regs.html

Australian  info http://www.wia.org.au/info/gettingstarted.html

radiofun http://www.alphalink.com.au/~parkerp/gateway.htm

Radio and electronics School http://www.radioelectronicschool.com/about_course.html

Worldwide Information on Licensing for Radio Amateurs by OH2MCN http://www.qsl.net/oh2mcn/license.htm

---

Amateur Radio Clubs and Organisations

Also see ATV link page

and VHF link page

Australian

Adelaide Hills Amateur Radio Society http://www.qsl.net/vk5bar/

Amateur Radio Victoria http://www.amateurradio.com.au/

APC news http://vk3apc.mdrc.org.au/apcnews/

Barossa Amateur Radio Club VK5BRC http://www.qsl.net/vk5brc/

Bayside and District A R Society http://www.freewebs.com/vk4bar/

Brisbane Amateur Radio Club http://www.qsl.net/vk4ba/index.html

Brisbane VHF Group

Central Coast Amateur Radio Club http://www.ccarc.org.au/

Central Goldfields A R Club http://www.cgfar.com/

CHIFLEY A R CLUB http://chifley.radiocorner.net/

Coffs Harbour & District Amateur Radio Club http://www.qsl.net/vk2ep/index.html

CW Operators’ QRP Club Inc. http://www.users.on.net/~zietz/qrp/club.htm

Darling Downs Radio Club http://www.qslnet.de/member/ddrc/

Eastern and Mountain District Radio Club http://www.emdrc.com.au

Gippsland Gate Radio and Electronics Club http://home.vicnet.net.au/~ggrec/

Gold Coast AR Society http://www.gcars.com.au/

Healesville Amateur Radio Group http://www.harg.org.au/

Historical Wireless Society of South East Queensland http://www.hws.org.au/

Ipswich Metro Radio Group http://imrg.ips-mesh.net/

Ipswich Radio Club http://www.vkradio.org.au/

Lockyer Valley Radio and Electronic Club Inc http://www.qsl.net/vk4wil/

Locan West http://www.loganwest.cableable.com

Manly-Warringah Radio Society http://www.qsl.net/vk2mb/

Mid North Coast Amateur Radio Group http://www.mncarg.org

NWTARIG http://vk7ax.tassie.net.au/nwtarig/

QRP Amateur Radio Club International http://www.qrparci.org/

Queensland APRS Users Group http://www.tech-software.net/

RADAR Club Inc http://radarclub.tripod.com

Radio Amateurs Old Timers Club Australia Inc http://www.raotc.org.au/

Radio Sport http://www.uq.net.au/radiosport/

Radio and Electronics Association of Southern Tasmania http://reast.asn.au/

Redcliffe & Districts Radio Club Inc. http://vk4rc.we.net.au/

Riverland Amateur Radio Club http://www.rrc.org.au/

South Australian Packet User Group Inc. (SAPUG) http://www.sapug.ampr.org/

SERG http://serg.mountgambier.org

South Coast AMATEUR RADIO Club http://www.scarc.org.au/

SOUTHSIDE AMATEUR RADIO SOCIETY http://www.qsl.net/vk4wss/

Summerland Amateur Radio Club Inc http://www.nor.com.au/community/sarc/

Sunshine Coast Amateur Radio Club http://vk4wis.org/Tablelands Radio and Electronics http://www.trec.aussiewide.com Townsville Amateur Radio Club http://vk4zz.no-ip.org/tarc/

Twin Cities Radio & Electronics Club http://members.iinet.net.au/~sargeant644/tcrec/index.html

VK Young Amateur Radio Operator’s Net http://www.geocities.com/vk_ya/

VK3APC http://www.mdrc.org.au/

VK3BEZ (WIA Eastern Zone Amateur Radio Club) http://www.qsl.net/vk3bez/

VK4WIL http://www.qsl.net/vk4wil/

West Australia Repeater Group http://www.warg.org.au

WESTLAKES AR Club http://www.westlakesarc.org.au/

WIA VK4 Qld http://www.wiaq.com/

WIA VK4 QNEWS NEWSROOM http://www.wiaq.com/qnews/upload/qnews.htm

WIA VK3 http://www.wiavic.org.au

WIA http://www.wia.org.au/ WICEN Australia http://www.wicen.org.au/ WIA WICEN Queensland page http://www.wiaq.com/wiaq/wicen.htm

WICEN Brisbane Qld

New Zealand

NZART http://www.nzart.org.nz/nzart/

NZART Branches http://www.nzart.org.nz/nzart/Branches/

Papakura Radio Club http://www.qsl.net/zl1vk/

Tauranga AR Club http://home.clear.net.nz/pages/chrisle/index.htm

Wanganui Amateur Radio Society Inc. http://www.zl2ja.org.nz/

Wellington VHF Group http://www.vhf.org.nz/

International

American QRP Club http://www.amqrp.org/index.html

ARAC Online http://homepage.ntlworld.com/mikeadams/index.htm

ARRL http://www.arrl.org/

Clear Lake Amateur Radio Club http://www.clarc.org/

FRARS http://www.frars.org.uk/

HKAR http://www.hkra.org/

HRDXA http://www.qsl.net/vr2dxa/

ISSARO http://www.issaro.net

KIDSHAMRADIO http://www.kidshamradio.com/

K2MFF Amateur Radio club http://www-ec.njit.edu/~k2mff/

K9IU Indiana University AR Club http://www.indiana.edu/~k9iu/

North TeXas Repeater Association http://www.ntxra.com/main_page.htm

N0WGE http://www.sckans.edu/~sireland/radio/

Peterlee Radio Club G0KVJ http://www.g0fbw.demon.co.uk/

The Repeater Builders Technical Information Page http://www.repeater-builder.com/rbtip/index.html#main-index

Richardson Wireless Klub http://www.k5rwk.org/

RADARS http://www.mbc.co.uk/RADARS/

RSGB http://www.rsgb.org/

SARL http://www.sarl.org.za/

Submarine Veterans Amateur Radio http://w0oog.50megs.com/

Southgate AR club http://www.southgatearc.org/index.htm

TEARA http://www.teara.org/

The 500 KC Experimental Group for Amateur Radio http://www.500kc.com/

Tucson Amateur Packet Radio http://www.tapr.org/

Winona Amateur Radio Club http://www.jarviscomputer.com/warc/

W6DEK 435 Los Angeles http://www.w6dek.com/

---

Amateur Radio

Australian

Amateur  Radio  Australia http://www.amateurradio.org.au/index4alt.htm

Amateur and other Links http://members.ozemail.com.au/~vk2wi/links.html

Australian AR Repeater Map http://vkham.com/australimaps.html

AMATEUR RADIO WIKI http://www.amateur-radio-wiki.net

HAM FAQ http://members.ozemail.com.au/~andrewd/hamradio/hamfaq.html

HAM SHACK COMPUTERS http://www4.tpgi.com.au/users/vk6pg/

Ham Radio in Australia with VK1DA http://members.ozemail.com.au/~andrewd/hamradio/

HF Radio Antenna Tuners http://www.users.bigpond.net.au/eagle33/elect/ant_tuner.htm

Queensland AR Repeater listings http://vkham.com/Repeater/vk4map.html

Radioactive Networks: Ham http://www.radio-active.net.au/web/ham/

Tony Hunt VK5AH (Home of Adelaides 10m Repeater) http://homepages.picknowl.com.au/wavetel/default.htm

VK Amateur Radio Page http://www.home.gil.com.au/~bpittman/

VK1DA’s Amateur Radio Web Directory http://members.ozemail.com.au/~andrewd/hamradio/radlink.html

VK1KEP http://www.pcug.org.au/~prellis/amateur/

VK1OD http://www.vk1od.net/

VK2AFL http://www.qsl.net/vk2afl/

VK2BA (AM radio) http://www.macnaughtonart.com/default.htm

VK3PA http://www.vk3pa.com/home.asp

VK3UKF http://members.fortunecity.co.uk/vk3ukf/index.html

VK3XPD http://www.users.bigpond.com/alandevlin/index.html

VK3YE’s Gateway to AR http://www.alphalink.com.au/~parkerp/gateway.htm

VK3ZQB http://members.datafast.net.au/vk3zqb/

VK4CEJ http://www.hfradio.org/vk4cej/hamlinks.html

VK4TEC http://www.tech-software.net/

VK4TUB http://www.vk4tub.org/

VK4ZGB http://members.optusnet.com.au/jamieb/index.html

VK4ZQ http://users.bigpond.net.au/vk4zq/

VK4ZU http://www.users.on.net/~trevorb/

VK5ARD http://www.vk5ard.com/

VK5BR http://users.tpg.com.au/users/ldbutler/

VK5KK http://www.ozemail.com.au/~tecknolt/index.html

VK7AX http://www.vk7ax.tassie.net.au/

VK8JJ http://www.qsl.net/vk8jj/

New Zealand

Micro Controller Projects for Radio Amateurs and Hobbyists http://www.qsl.net/zl1bpu/micro/index.htm

Precision Frequency Transmission and Reception http://www.qsl.net/zl1bpu/micro/Precision/index.htm

ZL2TZE http://zl2tze.ath.cx

ZL3TMB http://www.hamradio.co.nz/

International

AC6V’s AR & DX Reference http://www.ac6v.com/

A DTMF Beacon controller http://ns1.mesh.net/~g4fre/dtmf.htm

Amateur radio with Knoppix http://www.afu-knoppix.de/

Amateur Radio Resources http://hamster.ivey.uwo.ca/~amsoft/amsoft0.htm

Amateur Radio Soundblaster Software Collection http://www.muenster.de/~welp/sb.htm

AM fone.net http://www.amfone.net

AMRAD Low Frequency Web Page http://www.amrad.org/projects/lf/index.html

Colin’s site http://website.lineone.net/~colin_mccord/Radio/index.htm

CX2SA http://cx2sa.net/

DL4YHF http://www.qsl.net/dl4yhf/

Direction finding http://members.aol.com/homingin/

DSP Links http://users.iafrica.com/k/ku/kurient/dsp/links.html

Electric-web.org www.electric-web.org

EI4HQ http://www.4c.ucc.ie/~cjgebruers/index.htm

EI8IC http://www.qsl.net/ei8ic/

EHAM http://www.eham.net/

eQSL (electronic QSL) http://www.eqsl.cc/qslcard/

HamInfoBar http://www.haminfobar.co.uk/

Felix Meyer http://home.datacomm.ch/hb9abx/

ftp list http://ftp.pspt.fi/pub/ham/ftp.ucsd.edu/

FUNET http://www.funet.fi/pub/ham/

F4DAY http://perso.wanadoo.fr/jf.fourcadier/index_e.htm

Gateway to Amateur Radio http://www.alphalink.net.au/~parkerp/gabra.htm

Grid Square Locator http://www.arrl.org/locate/grid.html

G3PTO http://www.qsl.net/g3pto/

G4FGQ’s Software http://www.btinternet.com/~g4fgq.regp/

G4KLX (The [ON/]G4KLX Page) http://www.qslnet.de/member/g4klx/

HAM RADIO EQUIPMENT & ACCESSORIES http://www.area-ham.org/library/equip/equip.htm

Ham-Links http://www.k1dwu.net/ham-links/

HAMUNIVERSE.COM http://www.hamuniverse.com/

Hamview DSP software http://www.qsl.net/k3pgp/Hamview/hamview.htm

Harry’s PDF Library http://hem.passagen.se/sm0vpo/

HA8ET http://www.pollak.sulinet.hu/www/radio.html

Homebrew RF Test Equipment And Software http://www.qsl.net/n9zia/wireless/appendixF.html#10

KA7NOC http://www.magiclink.com/web/shurst/

KB4VOL   link site http://pages.prodigy.com/kb4vol/

KE5FX http://www.qsl.net/ke5fx/

KF6VTA & KG4TBJ http://www.geocities.com/silensiosham/index.html

KU4AY ham radio directory http://www.ku4ay.net/

KU5F Ham tools and links http://www.wtrt.net/~ku5s/

KU9Z AR links http://my.ais.net/~n9bkm/page1.htm

K1DWU http://www.k1dwu.net/

K1TTT http://www.k1ttt.net/

K1TTT Technical Reference http://www.k1ttt.net/technote/techref.html

K3PGP http://www.k3pgp.org/

K3TZ Ham Radio Experimentation http://www.qsl.net/k3tz/

K6XC (links) http://home.earthlink.net/~rluttringer/

Lighthouses (International Lighthouse/ Lightship Weekend) http://illw.net

Links2go http://www.links2go.net/more/www.ampr.org/

Links http://imc23.univ.trieste.it/links.html

Mels AMATEUR RADIO LINK’S http://www.users.zetnet.co.uk/melspage/amlinks.htm

Michael Todd Computers & Communications http://www.arcompanion.com/

MoDTS http://www.m0dts.co.uk/

n e o a m a t e u r . o r g http://neoamateur.org/

NT8N http://www.qsl.net/nt8n

NW7US   (Amateur and Shortwave Radio) http://hfradio.org/

N3EYR’s Radio Links http://www.isrv.com/~joel/radio.html

PD0RKC http://www.qsl.net/pd0rkc/

PI6ATV (ATV, Antenna, software, info) http://members.tripod.lycos.nl/PI6ATV/software.htm

QRP and SWL HomeBuilder http://www.qrp.pops.net/

Radio Links http://www.angelfire.com/ri/theboss1/

Radio Corner (forum) http://www.radiocorner.net

Ray Vaughan http://rayvaughan.com/

Reference http://www.panix.com/~clay/ham/

Simplex radio software http://perso.clubinternet.fr/f1orl/simplexg.htm

S-Meter http://www.smeter.net/

streaming radio programs http://live365.com/home/index.live

The DX Zone http://www.dxzone.com/catalog/Reference/Radio_Spectrum/

The Elmer HAMlet (information) http://www.qth.com/antenna/index.htm

VE1XYL and VE1ALQ http://www.qsl.net/ve1alq/downloads/tetrode-ps/pwrsup.htm

WB6VUB (links) http://www.mpicomputers.com/ham/

WL7LP http://www.geocities.com/TimesSquare/Castle/3782/wl7lp.html

WA6TWJ http://www.jps.net/nwr/wa6twj.htm

W2XO http://www.w2xo.pgh.pa.us/

XE1BEF  (DX, mods, links and more) http://www.geocities.com/xe1bef/

---

Communications Equipment

Australian

Andrews Communication Systems http://www.andrewscom.com.au/

AUSTRALIAN ENTERPRISE INDUSTRIAL http://www.spin.net.au/~aeitower/

BENELEC www.benelec.com.au

Bushcomm www.bushcomm.com.au

connektron www.connektron.com.au

G. & C. COMMUNICATIONS www.gccomm.com.au

Hamak (RM Products Italy) http://www.hamak.com.au/

Hamshack http://www.hamshack.com.au

Jenlex http://home.vicnet.net.au/~jenlex/

KENWOOD Australia http://www.kenwood.com.au/

Kyle Communications http://www.kyle.com.au/

ICOM Australia http://www.icom.net.au

Mini-kits http://www.minikits.com.au/

One Man Towers http://homepages.ihug.com.au/~aeitower/

OZGEAR http://www.ozgear.com.au/

Radio-Data (links) http://www.radio-data.net/

Radio Specialists (equipment connectors and antenna) http://www.radiospecialists.com.au

STRICTLY HAM http://www.strictlyham.com.au/

TET-EMTRON www.tet-emtron.com

Tower communications www.towercom.com.au

Townsville CB& Communications http://www.vk4tub.org/tcb/tcb.html

TTS Systems http://www.ttssystems.com.au/

VK4-ICE Communications http://www.vk4ice.com

WiNRADiO (PC based receivers) http://www.winradio.com.au

International

MFJ http://www.mfjenterprises.com/index.php

Vertex Standard http://www.vxstd.com/en/index.html

W7FG VINTAGE MANUALS CATALOGUE http://www.w7fg.com/index.html

Z Communications Company (repair of old radio equipment) http://home.comcast.net/~zcomco/

See also Kits and components

---

Radio mods, cables, connection info

batlabs (Motorola radio connection, cable info) http://www.batlabs.com/

Philips FM900 information http://members.fortunecity.com/romeo_fox_53/

Hall Electronics http://www.hallelectronics.com/getech/proglink.htm

Radio Mods http://www.mods.dk/

WWW.ham.dmz.ro (mods info and more) http://www.ham.dmz.ro/

W4RP IC-2720H Page http://www.w4rp.com/ic2720/

XE1BEF  (DX, mods, links and more) http://www.geocities.com/xe1bef/

Please also look at manufacture’s sites

---

Lightning Protection

ARRL Lightning Protection http://www.arrl.org/tis/info/lightning.html

www.DaStrike.com (video and links) http://www.dastrike.com/

Grounding and Lightning Protection http://www.packetradio.com/grounds.htm

K9WK Amateur Radio http://www.k9wk.com/litenin.html

Lightning Protection Institute http://www.lightning.org/

Marine Grounding Systems http://www.sailmail.com/grounds.htm

Moonraker boat lightning information http://www.moonraker.com.au/techni/lightning-marine.htm

NLSI http://www.lightningsafety.com/nlsi_lhm/effect.html

PolyPhaser http://www.polyphaser.com/

RFI Lightning protection http://www.rfindustries.com.au/rfiproducts/lightning/lightning.htm

WIND&SUN http://www.windsun.com/Lightning_Protection.htm

---

Amateur Spread Spectrum

Spread Spectrum Scene http://www.sss-mag.com/map.html

Spread spectrum http://www.amrad.org/projects/ss/

Spread Spectrum (TAPR) http://www.tapr.org/ss/

SS Info http://www.ictp.trieste.it/~radionet/1997_workshop/wireless/notes/index.htm

---

Call-sign finders

The DX Notebook http://www.dxer.org/callbook.html

QRZ http://www.qrz.com/

QSL.NET http://www.qsl.net/

---

LIPD Information

AREG http://www.cck.net.au/areg/radio/lipd/lipd.html

VK3YNG http://users.bigpond.net.au/vk3yng/lipd/

Barry’s LIPD information http://members.optusnet.com.au/~barryog/freqs/mlipd.html

ACA class licensing http://www.austel.gov.au/publications/info/lipd.htm

Equipment suppliers and manufacturers

Easy-radio (your DNS server may have problems finding this site) http://www.easy-radio.co.uk/

---

Kits and Components

Australian and selected international suppliers

ACRES ELECTRONICS http://www.acreselectronics.co.nz/product.htm

Allthings http://www.allthings.com.au/

Altronics http://www.altronics.com.au/

Antique Electronic Supply http://www.tubesandmore.com/

Antenna Systems and Supplies Inc. (sm) http://www.antennasystems.com/

Av-COMM http://www.avcomm.com.au/

BYONICS http://www.byonics.com/

Chassis Kits & Custom Enclosures http://home.flash.net/~k3iwk/

Clarke & Severn Electronics http://www.clarke.com.au

Cliff Electronics (Aus) Pty. Ltd http://www.cliff.com.au/

Computronics http://www.computronics.com.au/tools/

David Hall Electronics http://www.dhe.com.au

Dick Smith Electronics http://www.dse.com.au/cgi-bin/dse.storefront

Digi-Key http://www.digikey.com/

Dominion Electronics http://www.dominion.net.au/

DOWN EAST MICROWAVE www.downeastmicrowave.com

Electronics http://www.michelletroutman.com/index.htm

Elliott Sound Products http://sound.westhost.com/index2.html

Farnell http://www.farnell.com/

Fox Delta http://www.foxdelta.com/

G1MFG.com (ATV and more) http://www.g1mfg.com/index.html

Hammond Mfg http://www.hammondmfg.com/

Hy-Q International http://www.hy-q.com.au

IRH Components http://www.irh.com.au/index.htm

Jackson Brothers http://www.jacksonbrothers.com.au

Jaycar http://www.jaycar.com.au/

Kuhne electronic GmbH http://www.kuhne-electronic.de/english/frameset.htm

Microwave Dynamics http://www.microwave-dynamics.com/

MicroZed Computers http://www.microzed.com.au/

Mini-Circuits http://www.minicircuits.com/

Mini-kits http://www.minikits.com.au/

Mouser Electronics http://www.mouser.com/

NEWTEK ELECTRONICS http://www.newtek.com.au/

Oatley electronics http://www.oatleyelectronics.com/

Ocean State Electronics http://www.oselectronics.com/

Ozitronics http://www.ozitronics.com/

pacific DATACOM http://www.pacificdatacom.com.au

Phil Rice’s Home Page (frequency meter and other projects) http://ironbark.bendigo.latrobe.edu.au/~rice/

Picaxe http://www.Picaxe.com.au

Prime Electronics http://www.prime-electronics.com.au/

Radio Parts http://www.radioparts.com.au/

Raedale Pty Ltd http://www.raedale.com.au/products.htm

R.C.S. Radio (circuit boards) http://www.rcsradio.com.au/

RF Modules Australia (ZigBee) http:\\www.rfmodules.com.au

RFShop (Brisbane) http://www.rfshop.com.au/

Rockby Electronics and Computers http://www.rockby.com.au/

Rojone (antenna, cables and connectors) http://www.rojone.com.au/index.html

RS Components http://www.rsaustralia.com/

Semtronics http://www.semtronics.com.au/

Sicom http://www.sircom.co.nz

Silvertone Electronics http://www.silvertone.com.au/

South Island Component Centre (New Zealand) http://www.sicom.co.nz/

Surplus Sales of Nebraska http://www.surplussales.com/

Surplustronics (New Zealand) http://www.surplustronics.co.nz/

Tandy (Australia) http://www.tandy.com.au/

Teckics http://www.techniks.com/

TTS Systems http://www.ttssystems.com.au/

VK2XGL (Microwave and RF Modules) http://www.users.bigpond.com/graham.lewis/Module Man.htm

VK3TFH Designs http://www.users.bigpond.com/vk3tfh/

WB9ANQ’s Surplus Store http://www.qsl.net/wb9anq/

Wiltronics http://www.wiltronics.com.au/

Worldwide Electronic Components http:/www.iinet.net.au/~worcom

13cm.co.uk http://www.13cm.co.uk/

Also look at the ATV links

---

PCB layout and schematic programs baas electronics LAYo1 PCB http://www.baas.nl/layo1pcb/uk/index.html circuitsonline http://www.circuitsonline.net/ Easytrax http://www.cia.com.au/rcsradio/

Electronics WORKBENCH http://www.ewbeurope.com/Franklin Industries http://www.franklin-industries.com/Eagle/starteagle.html McCAD http://www.mccad.com/ OrCAD http://www.orcad.com/downloads.aspx TARGET 3001! http://www.ibfriedrich.com/english/engl_vordownload.htm Tech5 http://www.tech5.nl/eda/pcblayout TinyCAD http://tinycad.sourceforge.net/ VEGO ABACOM http://www.vego.nl/abacom/download/download.htm

---

Amateur Satellites and space

AMSAT http://www.amsat.org/

AMSAT Australia http://www.physics.usyd.edu.au/~ptitze/amsatvk/index2.html

AMSAT-DL http://www.amsat-dl.org/

AMSAT-ZL (kiwisat) http://www.amsat-zl.org.nz/

Australian Space Research Institute http://www.asri.org.au/ASRI/index.xml

bluesat project http://www.bluesat.unsw.edu.au/

CSXT Civilian Space eXploration Team http://www.civilianspace.com/

electric-web.org http://www.electric-web.org

esa http://www.esa.int/esaCP

Heavens-above http://www.heavens-above.com/

International Space Station (ARISS) http://ariss.gsfc.nasa.gov/

JAESAT http://www.asri.org.au/ASRI/research/satellite/JAESAT/index.xml

liftoff http://liftoff.msfc.nasa.gov:80/RealTime/JTrack/Spacecraft.html

ISS fan club http://www.issfanclub.com

PCsat http://web.usna.navy.mil/~bruninga/pcsat.html

PCSAT2 Operations http://www.ew.usna.edu/~bruninga/pec/pc2ops.html

Sarex http://sarex.gsfc.nasa.gov/

SATSCAPE   (free satellite tracking program) http://www.satscape.co.uk/

Satellite tracking software http://perso.club-internet.fr/f1orl/index.html

Satsignal http://www.satsignal.net/

Space.com http://www.space.com/

UHF-Satcom.com http://www.uhf-satcom.com

Viktor Kudielka http://cacofonix.nt.tuwien.ac.at/~oe1vkw/

---

Propagation

NOAA http://www.sec.noaa.gov/

IPS Radio and Space Services http://www.ips.gov.au/

IPS prediction services http://www.ips.gov.au/asfc/current/predsvs.html

ITS http://www.its.bldrdoc.gov/

Near-Real-Time MUF Map http://www.spacew.com/www/realtime.php

Radio Mobile (path prediction) http://www.cplus.org/rmw/english1.html

Tropospheric Ducting Forecast http://iprimus.ca/~hepburnw/tropo_aus.html

VK2KRR sporadic E study http://www.users.bigpond.com/vk2krr/sporadic_e_study.htm

VK4ZU (Propagation) http://www.users.on.net/~trevorb/

W1AW propagation bulletins http://www.arrl.org/w1aw/prop/

---

Satellite TV

AV-COMM http://www.avcomm.com.au/

Dalsat http://www.dalsat.com.au/

John’s Electronics http://www.johnselectronics.com.au/index.html

KANSAT http://www.kansat.com.au/

KRISTAL electronics http://www.kristal.com.au/index.html

Lyngsat http://lyngsat.com/

Nationwide Antenna Systems http://www.uq.net.au/~zznation/index.html

Satcomm20 http://www.satcomm20.co.uk/

Satcure http://www.satcure.com/

SatcoDX1 http://www.satcodx1.com/

SAT TV http://www.sattv.com.au/

---

Radio Education

Radio and Electronics School http://www.radioelectronicschool.com/

---

Radio and Scanning

Australian

Australian Airport Frequencies http://www.labyrinth.net.au/~wombatt/

Australian Scanning Encyclopaedia http://www.scanaustralia.bigpondhosting.com/

Brisbane Radio Scanner http://www.angelfire.com/id/samjohnson/

Extreme Worldwide Scanner Radio http://members.optushome.com.au/extremescan/scanning.html

FM broadcast maps http://welcome.to/pacificfm

Gold Coast Radio Scanner Frequencies http://users.ion.com.au/~young/index.html

Kev’s Scanner Page http://members.dodo.com.au/~kevcat/kevs_scan_page.htm

Newcastle Area Radio Frequency Guide http://scanhunter.tripod.com/index.html

RADIO FREQUENCIES AND INFORMATION http://www.qsl.net/vk1zmc/information.html

Scanner Fanatics http://www.scannerfanatics.au.tt/

Scanner Monitoring in South Australia http://users.chariot.net.au/~mattb/scan/scanner.htm

Scan Victoria http://www.scanvictoria.com/

New Zealand

Kiwi Radio http://kiwiradio.blakjak.net/

NZscanners http://www.nzscanners.org.nz/

Wellington Scanner Frequencies http://wsf2003.tripod.com/

ZLScanner http://homepages.paradise.net.nz/lovegrov/

ZL3TMB (Christchurch NZ) http://www.hamradio.co.nz/

International

Frequency guide http://www.panix.com/~clay/scanning/

Incident Broadcast Network (including Australian feeds) http://www.incidentbroadcast.com

Radio H.F.  (some ham stuff) http://www3.sympatico.ca/radiohf/

RadioReference.com http://www.radioreference.com/index.php

---

Amateur Radio DX and Contest

DX Cluster

AA1V’s DX Info-Page http://www.goldtel.net/aa1v/

AC6V’s AR & DX Reference http://www.ac6v.com/

Announced DX Operations http://cpcug.org/user/wfeidt/Misc/adxo.html

ARRL DXCC Countries List http://www.arrl.org/awards/dxcc/listmain.html

ARRL DXCC rules http://www.arrl.org/awards/dxcc/rules.html#si

Australian contesting http://www.vkham.com/index.html

Buckmaster callsign database http://www.buck.com/cgi-bin/do_hamcall

DX CENTRAL http://www.dx-central.com/

DX Greyline http://www.fourmilab.ch/cgi-bin/uncgi/Earth/action?opt=-p

DX Summit http://oh2aq.kolumbus.com/dxs/

DX 425 News http://www.425dxn.org/

EHAM http://www.eham.net/

EI8IC Global Overlay Mapper http://www.mapability.com/ei8ic/

eQSL (electronic QSL) http://www.eqsl.cc/qslcard/

German DX Foundation-GDXF http://www.gdxf.de/

GlobalTuners (provides access to remotely controlled radio receivers all over the world) http://www.globaltuners.com/

Ham Atlas by SP6NVK http://www.hamatlas.eu/

Ham FTP email database http://members.eunet.at/hagenbu/ftp.htm

Kiwi DX List http://groups.yahoo.com/group/kiwidxlist/

Oceania Amateur Radio DX Group Incorporated http://odxg.org/

Oceania DX Contest http://www.oceaniadxcontest.com/

QRZ.COM http://www.qrz.com/site.html

The AM Window http://www.amwindow.org/index.htm

The Daily DX http://www.dailydx.com

The DX Zone http://www.dxzone.com/catalog/Reference/Radio_Spectrum/

IARU QSL Bureaus http://www.iaru.org/iaruqsl.html

International DX Association http://www.indexa.org/

Internet Ham Atlas http://www.hamatlas.eu/

IOTA http://www.425dxn.org/iota/

IOTA groups and Reference http://www.logiciel.co.uk/iota/shtlist.html

IOTA RSGB http://rsgbiota.org

IOTA 425 http://www.425dxn.org/iota

Island Radio Expedition Fondation http://www.islandradio.org/

Islands on the air Japan http://www3.ocn.ne.jp/~iota/

LA9HW HF Contest page http://home.online.no/~janalme/hammain.html

NG3K Contest/DX Page http://www.cpcug.org/user/wfeidt/

Northern California DX Foundation http://www.ncdxf.org

Simple phrases in European Languages http://web.onetel.com/~stephenseabrook/

SUMMITS on the AIR http://www.sota.org.uk/

Telnet Access to DX Packet Clusters http://cpcug.org/user/wfeidt/Misc/cluster.html

The DX Notebook http://www.dxer.org/

VE6OA’s DX Links http://www.compusmart.ab.ca/agirard/dxlinks.htmVK Contest Club http://www.vkcc.com

World of DK4KQ http://www.dl4kq.de/

XE1BEF  DX and links http://www.geocities.com/xe1bef/

Logging Software

RD logging program http://vk5dj.mountgambier.org/Amateur_radio.html VK Contest Log (VKCL) http://web.aanet.com.au/mnds/ VK/ZL Logger http://www.vklogger.com

WinRD+ logging program http://www.rjmb.net/rd/index.htm

Cluster

AR-Technology AB5K.net http://www.ab5k.net/Home.aspx

Clusse http://he.fi/clusse/

Clusse download page http://www.euronet.nl/~icu13524/download/clusse.html

CLX Home page http://clx.muc.de/

DX CLUSTER programs http://pages.cthome.net/n1mm/html/English/DXClusters.htm

DXCluster http://www.dxcluster.org/

DXCluster.Info http://www.dxcluster.info/

DxNet http://www.dxnet.free.fr/

DX PacketCluster Sites on the Internet http://www.n4gn.com/cluster.html

DXSpider – DX cluster system is written in perl http://linux.maruhn.com/sec/dxspider.html

Packet Cluster user manual http://www.yccc.org/Resources/ysa/manual/

The DXSpider User Manual http://www.dxcluster.org/main/usermanual_en.html

VE7CC-1 Dx Spider Cluster http://www.ve7cc.net/

WinCluster http://kh2d.net/software/wc/index.cfm

---

Short Wave DX

Australian Broadcasting http://www.aba.gov.au/broadcasters/

AUSTRALIAN RADIO DX CLUB http://www.ardxc.info/

Australian MW Group http://members.optushome.com.au/onleydw/mwoz/

Electronic DX Press (HF, MW and VHF) http://members.tripod.com/~bpadula/edxp.html

Contesting.com http://www.contesting.com/

CQ World Wide DX Contest http://www.cqww.com/

Glenn Hauser’s DX Listening Digest http://www.dxing.com/dxr/dxld2196.htm

K3SA http://www.affcom.com/cqcontest/

K6XX http://www.k6xx.com/

Longwave Club of America (also Ham) http://www.lwca.org

NIST time stations http://www.boulder.nist.gov/timefreq/stations/wwvb.htm

OK1RR DX & Contesting Page http://www.qsl.net/ok1rr/

Prime Time Shortwave http://www.primetimeshortwave.com/

Radio Interval Signals http://www.intervalsignals.org/

shortWWWave http://swww.dwerryhouse.com.au/

SM3CER Contest Service http://www.sk3bg.se/contest/index.htm

The British DX Club http://www.bdxc.org.uk/

The DX Zone http://www.dxzone.com/catalog/Reference/Radio_Spectrum/

The OZ Radio DX Club www.ardxc.fl.net.au

Yankee Clipper Contest Club http://www.yccc.org/

---

Radio Scouting

Jota /JOTI   Queensland http://jota.scouting.net.au/

Scouts Australia JOTA/JOTI http://www.international.scouts.com.au/main.asp?iMenuID=9071085

The history of the Jamboree On The Air http://home.tiscali.nl/worldscout/Jota/jota history.htm

World Organization of the Scout Movement http://www.scout.org/jota/

---

Australian Regulator

ACMA http://www.acma.gov.au/

International Regulator

ITU http://www.itu.int/home/index.html

---

Electronic Information and technical reference

AC6V’s Technical Reference http://www.ac6v.com/techref.htm

Bowden’s Hobby Circuits http://ourworld.compuserve.com/homepages/Bill_Bowden/homepage.htm#menu

Chip directory http://www.embeddedlinks.com/chipdir/abc/s.htm#simm

Circuit Sage http://www.circuitsage.com/

COAX calculator http://www.ocarc.ca/coax.htm

CommLinx Solutions Pty Ltd http://www.commlinx.com.au/default.htm

Computer Power Supply Mods http://www.qsl.net/vk4ba/projects/index.html

Data Sheets http://www.techstuff.co.uk/electronics/datasheets.htm

Dictionary of Electronic Components http://www.jfk.herts.sch.uk/class/technology/ks4/electronics/glossary/electro.htm

Discover Circuits http://www.discovercircuits.com/

Electronic Information http://www.beyondlogic.org/

Electronics Links and Resources http://yallara.cs.rmit.edu.au/~pleelave/electronics1.html

electronic calculators http://www.radioelectronicschool.com/elecal.html

Epanorama (lots of links) http://www.epanorama.net/

Electronics Tutorials http://www.electronics-tutorials.com/

Electronic Theory http://www.electronicstheory.com/

Fox Delta http://www.foxdelta.com/

GREG’S DOWNLOAD PAGE http://www.rfcascade.com/index.html

GridSquare Conversion http://www.amsat.org/cgi-bin/gridconv

Hobby Projects (electronic resource) http://www.hobbyprojects.com/tutorial.html

Hittite http://www.hittite.com

Information site http://www.epanorama.net/

ISO Date / Time http://wwp.greenwichmeantime.com/info/iso.htm

Latitude/Longitude Conversion utility – 3 formats http://www.directionsmag.com/latlong.php

latrobe Electronic Engineering Links http://www.ee.latrobe.edu.au/internal/links.html

Mark Gentiles http://www.ee.latrobe.edu.au/~mg/

Mike’s Electric Stuff http://www.netcomuk.co.uk/~wwl/electric.html

New Wave Instruments (check out SS Resources) http://www.newwaveinstruments.com/index.htm

Paul Falstad (how electronic circuits work) http://www.falstad.com/circuit/

PINOUTS.RU (Handbook of hardware pinouts) http://pinouts.ru/

PUFF http://www.cco.caltech.edu/~mmic/puffindex/puffE/puffE.htm

RadioReference http://www.radioreference.com/

RF Cafe http://www.rfcafe.com/

RF Circuits http://www.mitedu.freeserve.co.uk/Circuits/RF/rf.html

RF Globalnet http://www.rfglobalnet.com

RHR Laboratories http://www.rhrlaboratories.com/#Software

rfshop http://www.rfshop.com.au/page7.htm

RS232 Connections, and wiring up serial devices http://www.airborn.com.au/rs232.html

RF Power Table

SCHEMATICS http://www.mitedu.freeserve.co.uk/schematics.htm

Science Lobby (electronic links) http://www.sciencelobby.com/

Tech FAQ http://www.tech-faq.com/

The Electronics Calculator Website http://www.cvs1.uklinux.net/calculators/

the12volt.com (technical information for mobile electronics installers) http://www.the12volt.com/

101science.com http://www.101science.com/

Electronic service

Repair of TV Sets http://www.repairfaq.org/sam/tvfaq.htm

Sci.Electrinic.Repair FAQ http://www.repairfaq.org/sam/tvfaq.htm

Service engineers Forum http://www.e-repair.co.uk/index.htm

Television Repair Answered http://www.mgh.jeeran.com/televisionrepair1.htm

---

Cable Data

Andrews http://www.andrew.com/default.aspx

Belden http://www.belden.com/

CDi2 http://www.cdi2.com/build_it/coaxloss.htm

CO-AX CABLE DATA http://www.electric-web.org/coax.htm

Coaxial cable data http://www.qsl.net/kc6uut/coax.html

Coaxial Cable Page http://www.cdi2.com/build_it/coaxloss.htm

HB9ABX http://home.datacomm.ch/hb9abx/coaxdat.htm

HB9HD http://www.hb9hd.ch/PDF/coaxcable.pdf

KC6UUT http://www.qsl.net/kc6uut/coax.html

NESS Engineering http://www.nessengr.com/techdata/coaxdata.html

RF Industries cables http://www.rfindustries.com.au/rfiproducts/cablesConnectors/coaxialCables.htm

Selected Coaxial Cable Data http://www.vhfdx.oz-hams.org/CoaxCable.html

THERFC http://www.therfc.com/coax.htm

Times Microwave http://www.timesmicrowave.com/

VK3KHB http://www.gak.net.au/vk3khb/atv/coaxchrt.html

W4ZT http://w4zt.com/coax.html

X.net Antenna cable chart http://www.x.net.au/antenna_cable.html

50 W Coaxial Cable Information http://www.dma.org/~millersg/coax50.html

75 W Coaxial Cable Information http://www.dma.org/~millersg/coax75.html

---

Antique Radio

Antique Electronic Supply http://www.tubesandmore.com/

Alan Lord http://www.dundeecoll.ac.uk/sections/cs/staff/al_radio/

Antique Radio http://antiqueradios.com/

Apex Jr http://www.apexjr.com/

Archives of Boatanchors http://www.tempe.gov/archives/boatanchors.html

Australian Vintage Radio MK II http://www.southcom.com.au/~pauledgr/

Australian Wireless (OZ-Wireless) Email List http://www.clarion.org.au/wireless/

AWA and Fisk Radiola http://203.44.53.131/Radiola/AWA1b.htm

Crystal Radio http://www.crystalradio.net/

Glowbugs http://www.mines.uidaho.edu/~glowbugs/

Hammond Museum of Radio http://www.hammondmuseumofradio.org/

Historical Radio Society of Australia Inc. http://www.hrsa.asn.au/

JMH’s Virtual Valve Museum http://www.tubecollector.org/numbers.htm

John Rose’s Vintage Radio Home http://personal.nbnet.nb.ca/jrose/radios/radiomain.htm

Klausmobile Russian Tube Directory http://klausmobile.narod.ru/td/indexe.htm

KK7TV http://www.kk7tv.com/kk7tv.html

Kurrajong Radio Museum http://www.vk2bv.org/museum/

Links to Vintage Radios (Amateur) http://www.qsl.net/ka4pnv/vrlinks.htm

Mike’s Electric Stuff http://www.netcomuk.co.uk/~wwl/electric.html

Nostalgiar Air http://www.nostalgiaair.org/

Phil’s Old Radios http://antiqueradio.org/

Radio A’s Vintage Radio Page http://www.mnsi.net/~radioa/radioa.htm

Radio Era http://www.radioera.com/

Rap ‘n Tap http://www.midnightscience.com/rapntap/

Replacing Capacitors http://antiqueradio.org/recap.htm

Savoy Hill Publications http://www.valvesunlimited.demon.co.uk/Noframes/savoy_hill_publications.htm

South East Qld Group of the HRSA http://seqg.tripod.com

SEQG of the HRSA Crystal comp http://www.clarion.org.au/crystalset/

SEQG One Tube Radio comp http://seqg.tripod.com/onetube/onetube.html

TEARA’S VINTAGE RADIO LINK PAGE http://www.ipass.net/~teara/vin.html

The Vintage Radio Emporium http://www.vintageradio.info/

The Wireless Works http://www.wirelessworks.co.uk/

Triode Tube Data http://www.triodeel.com/tubedata.htm Tubesworld  (Valve Audio and Valve data) http://www.tubesworld.com/

Vintage Radio http://www.vintage-radio.com/index.shtml

Vintage Radio Times http://www.vintageradiotimes.com/Page_1x.html

Vintage Radios and programs http://www.compusmart.ab.ca/agirard/VINTAGE.HTM

Vintage Radios UK http://www.valve.demon.co.uk/

Vintage Radio and Test Equipment Site http://www.geocities.com/eb5agv/

Vintage Radio World http://www.burdaleclose.freeserve.co.uk/

Vintage Radio and Audio Pages http://www.mcallister.simplenet.com/

VMARS http://www.vmars.org.uk/

W7FG VINTAGE MANUALS CATALOGUE http://www.w7fg.com/index.html

Ye Olde Hurdy Gurdy Museum of Vintage Radio http://ei5em.110mb.com/museum.html

---

Valve Audio and Valve data Ake’e Tube Data http://w1.871.telia.com/~u87127076/index.htm CVC http://www.chelmervalve.com/index.html

Data Sheet Locator http://www.duncanamps.co.uk/cgi-bin/tdsl3.exe/

Eimac http://www.cpii.com/eimac/index.html

Frank’s Electron tube Pages http://home.wxs.nl/~frank.philipse/frank/frank.html

Hammond  Manufacturing http://www.hammondmfg.com/

House of Tubes http://www.house-of-tubes.com/home/Library.asp

High Voltage Tube Archive http://www.funet.fi/pub/sci/electrical/tesla/tubes/

Kiewavly http://home.mira.net/~kiewavly/audio1.html

Industrial Valve Data http://www.netcomuk.co.uk/~wwl/data.html

Machmat http://www.machmat.com/

NJ7P Tube Data Search http://hereford.ampr.org/cgi-bin/tube?index=1

RCA-R10 Data http://www.nmr.mgh.harvard.edu/~reese/RC10/

SAS Audio Labs http://www.sasaudiolabs.com/

Sowter Audio Transformers http://www.sowter.co.uk/

Spice Valves http://www.duncanamps.com/spicevalves.html

Tubetec http://www.tubetec.freeserve.co.uk/

TUBEWORLD INC. http://www.tubeworld.com/

Tube datasheets http://www.wps.com/archives/tube-datasheets/index.html

Vacuum Tube Links http://www.michelletroutman.com/tubes.htm

Valves and Tubes http://www.euramcom.freeserve.co.uk/tubes.html

Valve Data Links http://www.thevalvepage.com/links/valvdata.htm

Valve Data http://www.arrakis.es/~igapop/referenc.htm

Valves Unlimited http://www.valvesunlimited.demon.co.uk/Noframes/links.htm

Valve and Tube Supplies http://www.valves.uk.com/

Valveamps.com http://www.valveamps.com/

---

Audio

Audio Calculators and Links http://www.audioscientific.com/Audio Calculators & References Links.htm

BKC GROUP http://www.bkcgroup.fsnet.co.uk/

Car Audio Australia http://www.caraudioaustralia.com/

DIY Audio http://www.diyaudio.com/

Duncan’s Amp Pages http://www.duncanamps.com/

Elliott Sound Products http://sound.westhost.com/audiolink.htm

GM ARTS http://users.chariot.net.au/~gmarts/

Norman Koren http://www.normankoren.com/Audio/

Rane http://www.rane.com/

The Self Site http://www.dself.demon.co.uk/

The Class-A Amplifier Site http://www.gmweb.btinternet.co.uk/

---

Magazines

DUBUS (VHF magazine) http://www.dubus.org/

Elektor Electronics http://www.elektor-electronics.co.uk/

Harlan Technologies (Amateur Television Quarterly) http://www.hampubs.com/

Radio & Communications Monitoring Monthly http://www.monitoringmonthly.co.uk/

SILICON CHIP http://www.siliconchip.com.au/

VHF Communications Mag http://www.vhfcomm.co.uk/

---

SETI

SETI http://www.setileague.org/homepg.htm

SETI Australia http://www.seti.org.au/

I thought this was cool. It may come in handy for Ham Radio.

Some Nmap examples I thought I would post.

Scanning past Watchguard Firewalls: nmap -sS -iL targetlist.txt -P0 -sV -T4

Verbose Scan: nmap -v <target IP>

This option scans all reserved TCP ports on the target machine. The -v option enables verbose mode.

nmap -sS -O <target IP>/24

Launches a stealth SYN scan against each machine that is up out of the 256 IPs on “class C” sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

nmap -v -iR 100000 -PN -p 80

Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -PN since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20

This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.

Instead of limiting ourselves to scanning just one target., let’s broaden our horizon’s to bigger and better things. In example 2 we used our IP address to base a scan against. Using that address again we can get a look at numerous targets in our “community”. At the command line type the following (substituting a valid address of your choice of course):

nmap -sT -O 206.212.15.0-50

What this does is instruct nmap to scan every host between the IP addresses of 206.212.15.0 and 206.212.15.50. If you happen to find many interesting feedback results from this or a larger scale scan then you can always pipe the output into your choice of a human readable file or a machine parsable file for future reference by issuing the following option:

To create a human readable output file issue the -oN<textfile name> command into your nmap string so that it would look similar to this:

nmap -sT -O -oN sample.txt 206.212.15.0-50

Rather have a machine parsable file? Enter the -oM <textfile name> to pipe the output into a machine parsable file:

nmap -sT -O -oM sample.txt 206.212.15.0-50

*Back when I was becoming aquatinted with all the nmap options, I ran my first large scale scan against 250 consecutive machines using an arbitrary number (nmap -sX -O -oN sample.txt XXX.XXX.XXX.0-250).To my great surprise I was confronted with 250 up and running virgin Linux machines. Another reason why Linux enthusiasts should NEVER become bored.

-I This is a handy little call that activates nmap’s TCP reverse ident scanning option. This divulges information that gives the username that owns available processes. Let’s take a look (Note that the host has to be running ident). At the command line issue this command against your target, in this case our default Eve running Linux:

-iR Use this command to instruct nmap to scan random hosts for you.

-p Port range option allows you to pick what port or ports you wish nmap to scan against.

-v Use verbosity to display more output data. Use twice (-v -v) for maximum verbosity.

-h Displays a quick reference of nmap’s calls

Now that we have looked at nmap’s three basic usage types and some of it’s other options, let’s mix and match them.

nmap -v -v -sS -O 209.212.53.50-100

This instructs nmap to use a maximum amount of verbosity to run a stealth scan and OS detection against all machines between IP addresses 209.212.53.50 and 209.212.53.100. This command will also require root privileges due to both the -sS and -O calls. Of course this will display a very overwhelming amount of data so let’s log our results into a human readable file for future reference:

nmap -v -v -sS -O -oN sample.txt 209.212.53.50-100

Now let’s make nmap run a stealth scan and instruct it to look only for machines offering http and ftp services between the addresses of 209.212.53.50 and 209.212.53.100. Once again we will log the output (I’m a log junkie) for future reference into a human readable file called ftphttpscan.txt:

nmap -sS -p 23,80 -oN ftphttpscan.txt 209.212.53.50-100

Remember the -iR option mentioned previously? Let’s use it to take a random sampling of Internet web servers using the verbatim example from nmap’s man page:

nmap -sS -iR -p 80

Last but certainly not least, while gleaning information, don’t forget to nmap yourself. Just type at the command line: nmap 127.0.0.1 This is especially useful and recommended if you’re a newcomer to Linux and connected to the Internet via DSL or cable modem.

The below lines can be placed into Google to find hidden cams on the net.

http://www.google.com.au/search?q=inurl:”ViewerFrame?Mode=

http://www.google.com.au/search?q=intitle:Axis 2400 video server

http://www.google.com.au/search?q=inurl:/view.shtml

http://www.google.com.au/search?q=intitle:”Live View / – AXIS” | inurl:view/view.shtml^

http://www.google.com.au/search?q=inurl:ViewerFrame?Mode=

http://www.google.com.au/search?q=inurl:ViewerFrame?Mode=Refresh

http://www.google.com.au/search?q=inurl:axis-cgi/jpg

http://www.google.com.au/search?q=inurl:axis-cgi/mjpg (motion-JPEG)

http://www.google.com.au/search?q=inurl:view/indexFrame.shtml

http://www.google.com.au/search?q=inurl:view/index.shtml

http://www.google.com.au/search?q=inurl:view/view.shtml

http://www.google.com.au/search?q=liveapplet

http://www.google.com.au/search?q=intitle:”live view” intitle:axis

http://www.google.com.au/search?q=intitle:liveapplet

http://www.google.com.au/search?q=allintitle:”Network Camera NetworkCamera”
http://www.google.com.au/search?q=intitle:axis intitle:”video server”
http://www.google.com.au/search?q=intitle:liveapplet inurl:LvAppl
http://www.google.com.au/search?q=intitle:”EvoCam” inurl:”webcam.html”
http://www.google.com.au/search?q=intitle:”Live NetSnap Cam-Server feed”
http://www.google.com.au/search?q=intitle:”Live View / – AXIS”
http://www.google.com.au/search?q=intitle:”Live View / – AXIS 206M”
http://www.google.com.au/search?q=intitle:”Live View / – AXIS 206W”
http://www.google.com.au/search?q=intitle:”Live View / – AXIS 210″
http://www.google.com.au/search?q=inurl:indexFrame.shtml Axis

http://www.google.com.au/search?q=inurl:”MultiCameraFrame?Mode=Motion”

http://www.google.com.au/search?q=intitle:start inurl:cgistart
http://www.google.com.au/search?q=intitle:”WJ-NT104 Main Page”
http://www.google.com.au/search?q=intext:”MOBOTIX M1″ intext:”Open Menu”
http://www.google.com.au/search?q=intext:”MOBOTIX M10″ intext:”Open Menu”
http://www.google.com.au/search?q=intext:”MOBOTIX D10″ intext:”Open Menu”
http://www.google.com.au/search?q=intitle:snc-z20 inurl:home/
http://www.google.com.au/search?q=intitle:snc-cs3 inurl:home/
http://www.google.com.au/search?q=intitle:snc-rz30 inurl:home/
http://www.google.com.au/search?q=intitle:”sony network camera snc-p1″
http://www.google.com.au/search?q=intitle:”sony network camera snc-m1″
http://www.google.com.au/search?q=site:.viewnetcam.com -www.viewnetcam.com
http://www.google.com.au/search?q=intitle:”Toshiba Network Camera” user login
http://www.google.com.au/search?q=intitle:”netcam live image”
http://www.google.com.au/search?q=intitle:”i-Catcher Console – Web Monitor”
http://www.google.com.au/search?q=inurl:viewerframe?mode= changing room
http://www.google.com.au/search?q=inurl:view index/shtml/home
http://www.google.com.au/search?q=inurl-’your frame?mode=motion’

http://www.google.com.au/search?q=inurl.”viewframe?mode=refresh”

http://www.google.com.au/search?q=sex inurl:/view/shtml

http://www.google.com.au/search?q=inural:view

http://www.google.com.au/search?q=inurl:viewerframe?mode=home

http://www.google.com.au/search?q=axis hacks
http://www.google.com.au/search?q=“inurl:”view from?mode=refresh”

http://www.google.com.au/search?q=/view/index.shtml.msn

http://www.google.com.au/search?q=”nurl:viewerframe?mode=refresh”

http://www.google.com.au/search?q=inurl:”viewerframe?mode=” naked
http://www.google.com.au/search?q=inurl:/view.index.shtml adult
http://www.google.com.au/search?q=inurl:”viewerframe? mode= refresh”
http://www.google.com.au/search?q=site:www.scribd.com inurl”viewframe?mode=refresh”
http://www.google.com.au/search?q=inurl:”viewerframe?mode=” live webcams

http://www.google.com.au/search?q=inurl:”view/index.shtml

http://www.google.com.au/search?q=reset mobotix camera
http://www.google.com.au/search?q=inurl: view

http://www.google.com.au/search?q=url:viewerframe?=mode

http://www.google.com.au/search?q=inurl:/view/shtml school

http://www.google.com.au/search?q=inurl::viewerframe?mode”refresh

http://www.google.com.au/search?q=inurl:view:/shtml porn
http://www.google.com.au/search?q=“inurl: /shtml”
http://www.google.com.au/search?q=inurl:”viewerframe?mode motion” motion

A link to others http://peep.ontheweb.nl/

Hi,

Recently I a questing was asked on another post relating to DUKPT. Given I have lots of material on the subject I thought I would create this thread. Link

I will come back at some stage and expand on this when I get time.

Transaction Process narrative:

The diagram describes a mobile terminal/ATM is described using the a AS2805 (’2805′) message type and 3DES DUKPT and dual direction auth SSL from the terminal to the aquirer (transaction switch).

A good explanation of DUKPT can also be found at Wikipedia.

Diagram of the flow

Background notes:

• The terminal or ATM firstly encrypts the user entered pin (may be a unique DUKPT key or static, depending on the design and banks involved) prior to incorporating it into the AS 2805 transaction message.
• the message is then encrypted again using the DUKPT key which has been established through the merchant logon process within the aquirer Host Security Module (HSM) i.e. the user entered pin is encrypted separately and encapsulated within the DUKPT encrypted 2805 message to provide full message encryption.
• In the diagram a separate dual authenticating SSL session is also used between the terminal/ATM and the aquirers infrastructure. This allowing the transaction including the pin to traverse the external Wired/GPRS/LAN within 2 primary independent layers of encryption, with a 3^rd protecting the PIN.
• When the transaction enters the aquirer environment the message encapsulation layer provided by SSL is removed.  This leaving the DUKPT’ed 2805 message which also encapsulates the separately encrypted PIN.
• This encrypted message is passed to the aquirer switch engine through to the aquirer’s HSM for decryption of the 2805 message excluding the user entered pin.
• This is when transactional information necessary for aquirer’s merchant reporting (truncated card number, transaction amount, transaction type, etc.) and fraud management data is collected.
• The aquirer switch then passes the encrypted PIN to the aquirer HSM requesting that the PIN be decrypted using the aquirer’s PIN encryption and translated to the next banks (Bank 1)  PIN Encryption Key (Pin translation only occurs within the aquirer HSM) This is then sent back to the aquirer Switch engine as the Bank 1 encrypted PIN.
• The aquirer switch engine then send the decrypted 2805 message with the newly encrypted PIN back to aquirer HSM to be encrypted with the Bank 1 MAC key.
• The resultant Bank 1 key encrypted message is then sent to Bank 1 for processing and/or passing to the card issuer (using a similar process as described above).
• When the result is received back from the issuing bank it is encrypted with the Bank 1 MAC key (the pin will not be present in the result message).
• This is then decrypted by the aquirer HSM, the transaction fate result stored into the aquirer merchant reporting system and the transaction fate re-encrypted with the original aquirer DUKPT key (should be different per terminal/merchant instance) and the result sent back to the terminal through the original established SSL encrypted terminal connection.

The aquirer may terminate the the SSL connection on a hardware device such as a CISCO Content Service Switch (CSS), or equivalent instead of the design described in the diagram which terminates onto a SSL session server/gateway (Possibly including a Certificate Authority) or on the aquirer transaction switch.

When PIN blocks are received by the aquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).

When the message is sent on the upstream bank interchange link to the issuer or gateway , the aquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the aquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever outside of the Terminal or ATM.

HSM-8000-User Guide V2.2

Hi,

I have been putting some secure application development documents together recently and have found some good general tutorials and guidelines which I thought I would post here.

Best Practices

• The Ten Most Critical Web Application Security Vulnerabilities, 2004 Update, The Open Web Application Security Project. URL: http://www.owasp.org/documentation/topten
• A Guide to Building Secure Web Applications, The Open Web Application Security Project. URL: http://www.owasp.org/documentation/guide
• Improving Web Application Security: Threats and Countermeasures, Microsoft MSDN. URL: http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnnetsec/html/ThreatCounter.asp
• Authentication in ASP.NET: .NET Security Guidance, Microsoft MSDN. URL: http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnbda/html/authaspdotnet.asp
• Session Fixation Vulnerability in Web-Based Applications, ACROS Security. http://www.acros.si/papers/session_fixation.pdf
• Writing Secure Code, Michael Howard and David LeBlanc, Microsoft Press.
• Threat Modelling, Window Snyder, Microsoft Press.
• 10 Things You Shouldn’t Do with SQL Server (Data Access Developer “Don’ts”) http://www.dotnetjunkies.ddj.com/Article/86F0988E-FED4-414F-BA2E-D01D953C11BE.dcik
• Ten dos and don’ts for secure coding http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1172049,00.html
• Cross Site Scripting http://www.cert.org/archive/pdf/cross_site_scripting.pdf http://www.acunetix.com/websitesecurity/cross-site-scripting.htm
• The Cross Site Scripting (XSS) FAQ http://www.cgisecurity.com/articles/xss-faq.shtml
• XSS (Cross Site Scripting) Cheat Sheet http://ha.ckers.org/xss.html
• SQL Injection Cheat Sheet http://ha.ckers.org/blog/20070315/sql-injection-cheat-sheet/

Other Resources

• AusCERT is the national Computer Emergency Response Team for Australia http://www.auscert.org.au/
• SANS Institute http://www.sans.org/free_resources.php

I was asked some time ago what sort of things may be considered when looking at Internet Banking.

Below is a list of things which could be considered. It was just a brain dump and as such may not be complete.

Don’t underestimate the value of standard for your infrastructure, website configuration,  database engine configuration/architecture,staging environment and development/QA environments.

Some thoughts:

• Many don’t lock accounts after X failed logins, this is normally done for good customer service, but leaves the system vulnerable.

- And all the other things expected for a remote login session (forced password changes, aging, etc))
- Tools such as Brutus may be use to brute force hack authenticated sessions.

• Many allow session sequence numbers to be incremented, allowing an authenticated user to view other customer session.

- These may be server side, client side, cookie based, etc.
- Get someone to check the development methodologies and the code being used.
- Database query strings can be placed into test entry fields, allowing table dumps to browser.
- Check all pages served are secure and contain user authentication flags.

• Customer data may not be segregated, this needs to be checked.
• Customer data should not reside on the Web Server.

• Authentication databases / system data should not reside on the webserver.
• The databases should reside on a private/semi-private network.

- A different segment to the main banking system.

• Webserver should be dual homed or equivalent (some VLAN techniques are good)

- Separate private and public network cards, monitoring/backup/administration
- Infrastructure set-up to explicitly deny inbound/outbound ports, private IP & monitoring escaping from the network.

• At all data segregation points ensure rules are in place which appreciates the traffic though that point.

• All customer data where possible should be sourced from a secure back-end database.

- This may be a staging environment. i.e. no the main banking system.
- This usually allows for transactions to appear real time to the customer.
- Many transactions may be batched in reality. (internal or external to the bank)

• Ensure suitable rules have been set-up on firewalls.

- There should be inbound and outbound rules on firewalls and filtering routers.

• Don’t allow any infrastructure on the front end to allow remote administrative connections. (telnet, etc.)

- Use the serial console port to connect to a server or back-end terminal server.

• Look for the segregation / staging of online customer content from main banking systems

• Ensure that a separate development / QA / production environment system and suitable process is in place.

• Services not used by the system are active

- These should be disabled.

• Port scan of the supporting infrastructure (routers /switches) and server(s).

- Investigate the reasons for all open ports.

• Don’t use the main gateway for trusted partner access (clearing / RAS / etc.)
• Do all that standard IIS checks and NT checks (Sample scripts, change management, patching methodologies, etc.)
• Ensure denial of service precaution have been taken into account for all infrastructure and server equipment.
• Check the adequacy of the escalation procedures used.

- Look for real-time monitoring and alerting.
- Look for responsibility matrix.
- Look for ownership of issues.

• Consider upstream carrier(s) vulnerability (denial of service, IP spoofing, DNS hacking, etc)
• Consider social engineering of customer, administrative, partner accounts / systems / infrastructure.

- Helpdesk procedures and policies and/or alternate technologies (Caller ID, Gateway IP, etc.).

• Use dynamic passwords where possible (SecureID, TACACS, etc.).
• Use encrypted tunnelling where needed (IPSec, Firewall 1, etc)
• Consider looking at other customer authentication methods to enhance existing methods.

- Digital cert, IP address locked to account, etc.
- Consider use of CVV or CVN for bank issued cards.

• Consider how passwords are distributed /changed for customers.

- Plain text email, telephone, etc.
- Can passwords be changed online?

• Is additional authentication used between sections of the services once authenticated?
• Consider what the customer has access to once authenticated.

- Look at SWIFT, RTGS, inter-bank transfers, access to credit cards, etc.
- If an attacker does get in, what can the do?

• Use techniques to ensure pages, customer details are not cached at ISP, or client system.

- These are flags that can be set within pages.
- Normally SSL is cached, but some proxy vendors have been playing with techniques to do so.
- Caching of SSL pages on the client system can be turned on on some browsers.
- May banks use a Java (or similar) applet for all customer interaction, restricting all caching issues.

• Ensure paper based and on-line liability clauses are available are address all effected areas.
• Ensure within the customer sign-up process banking liability is reduced.

- I’ve seen statements like “use this system at your own risk, responsibility for any liability or claim will NOT……”
- Not very customer focused, but that’s what their legal department recommended.

All of the above can effect the security and/or operation of an on-line banking system.

Other things to consider:

• External development and support of the application.
• Ownership and management of the hardware/applications
• Publishing points for new content (internal/private/trusted network or Internet)
• Topology of front end.  i.e. Security Architecture document should be in place and managed appropriately.
• Are limited AP tests performed whenever changes are made to the environment? i.e. integrated AP into Change management process.
• Database access. Is it buffered or is it live to the core banking systems.
• What facilities are provided? Direct debit + Credit Card + SWIFT + ……. Consider different scenarios for your attack depending on the feature.
• What other services are shared within the network segment that the Internet Banking service is running. Can this be used to compromise the Internet Banking site. eg. different support/business/development organisations with differing security strategies/profiles.
• Consider all external supporting services within you AP. Look at internal/external DNS poisoning opportunities, mail relay, etc. What IPS’s do they use has the ISP any opportunity to access systems or supporting services which may affect Internet Banking.
• Depending on the size of the Bank, many organisation do not use the same support groups for infrastructure and the application. As a result external connections to the infrastructure may be provided for an external support organisation to administer the infrastructure.
• Look at the business and user authentication methods and paths (client side certs, secure ID, SMART Card, etc). Consider two factor authentication and modern user identification methods. eg. what is your favourite food in addition to normal usernames and passwords. Do system administration staff use dynamic passwords (secureID, etc)?
• See if the Internet Banking application sends email to users which may contain interesting information.
• Better access to the application can generally be gained after access to the system. i.e. get an legitimate account on the system. I have found that some sample/administration screens have been restricted to authenticated users only.
• Consider social engineering the Help desk to have an account password reset.

I found a list of useful Cisco commands which I though I would post here. The list has been updated since the original post extending on the original list from fastget2you.com.

Thanks to the fastget2you.com Joined With #missomhack Community for the original list.

ROUTER COMMANDS :

• Config# terminal editing – allows for enhanced editing commands
• Config# terminal monitor – shows output on telnet session
• Config# terminal ip netmask-format hexadecimal|bit-count|decimal – changes the format of subnet masks

HOST NAME:

• Config# hostname ROUTER_NAME

BANNER:

• Config# banner motd # TYPE MESSAGE HERE # – # can be substituted for any character, must start and finish the message

DESCRIPTIONS:

• Config# description THIS IS THE SOUTH ROUTER – can be entered at the Config-if level

CLOCK:

• Config# clock timezone Central -6
  # clock set hh:mm:ss dd month yyyy – Example: clock set 14:13:00 25 August 2003

CHANGING THE REGISTER:

• Config# config-register 0×2100 – ROM Monitor Mode
• Config# config-register 0×2101 – ROM boot
• Config# config-register 0×2102 – Boot from NVRAM

BOOT SYSTEM:

• Config# boot system tftp FILENAME SERVER_IP – Example: boot system tftp 2600_ios.bin 192.168.14.2
• Config# boot system ROM
• Config# boot system flash – Then – Config# reload

CDP:

• Config# cdp run – Turns CDP on
• Config# cdp holdtime 180 – Sets the time that a device remains. Default is 180
• Config# cdp timer 30 – Sets the update timer.The default is 60
• Config# int Ethernet 0
• Config-if# cdp enable – Enables cdp on the interface
• Config-if# no cdp enable – Disables CDP on the interface
• Config# no cdp run – Turns CDP off

HOST TABLE:

• Config# ip host ROUTER_NAME INT_Address – Example: ip host lab-a 192.168.5.1
  -or-
• Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 – Example: ip host lab-a 192.168.5.1 203.23.4.2 199.2.3.2 – (for e0, s0, s1)

DOMAIN NAME SERVICES:

• Config# ip domain-lookup – Tell router to lookup domain names
• Config# ip name-server 122.22.2.2 – Location of DNS server
• Config# ip domain-name cisco.com – Domain to append to end of names

CLEARING COUNTERS:

• # clear interface Ethernet 0 – Clears counters on the specified interface
• # clear counters – Clears all interface counters
• # clear cdp counters – Clears CDP counters

STATIC ROUTES:

• Config# ip route Net_Add SN_Mask Next_Hop_Add – Example: ip route 192.168.15.0 255.255.255.0 205.5.5.2
• Config# ip route 0.0.0.0 0.0.0.0 Next_Hop_Add – Default route
  -or-
• Config# ip default-network Net_Add – Gateway LAN network

IP ROUTING:

• Config# ip routing – Enabled by default
• Config# router rip
  -or-
• Config# router igrp 100
• Config# interface Ethernet 0
• Config-if# ip address 122.2.3.2 255.255.255.0
• Config-if# no shutdown

IPX ROUTING:

• Config# ipx routing
• Config# interface Ethernet 0
• Config# ipx maximum-paths 2 – Maximum equal metric paths used
• Config-if# ipx network 222 encapsulation sap – Also Novell-Ether, SNAP, ARPA on Ethernet. Encapsulation HDLC on serial
• Config-if# no shutdown

ACCESS LISTS:

IP Standard	1-99
IP Extended	100-199
IPX Standard	800-899
IPX Extended	900-999
IPX SAP Filters	1000-1099

IP STANDARD:

• Config# access-list 10 permit 133.2.2.0 0.0.0.255 – allow all src ip’s on network 133.2.2.0
  -or-
• Config# access-list 10 permit host 133.2.2.2 – specifies a specific host
  -or-
• Config# access-list 10 permit any – allows any address
• Config# int Ethernet 0
• Config-if# ip access-group 10 in – also available: out

IP EXTENDED:

• Config# access-list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq telnet
  -protocols: tcp, udp, icmp, ip (no sockets then), among others
  -source then destination address
  -eq, gt, lt for comparison
  -sockets can be numeric or name (23 or telnet, 21 or ftp, etc)
  -or-
• Config# access-list 101 deny tcp any host 133.2.23.3 eq www

-or-

• Config# access-list 101 permit ip any any
• Config# interface Ethernet 0
• Config-if# ip access-group 101 outIPX STANDARD:
• Config# access-list 801 permit 233 AA3 – source network/host then destination network/host

-or-

• Config# access-list 801 permit -1 -1 – “-1″ is the same as “any” with network/host addresses
• Config# interface Ethernet 0
• Config-if# ipx access-group 801 outIPX EXTENDED:
• Config# access-list 901 permit sap 4AA all 4BB all
  - Permit protocol src_add socket dest_add socket
  -”all” includes all sockets, or can use socket numbers

-or-

• Config# access-list 901 permit any any all any all
  -Permits any protocol with any address on any socket to go anywhere
• Config# interface Ethernet 0
• Config-if# ipx access-group 901 inIPX SAP FILTER:
• Config# access-list 1000 permit 4aa 3 – “3″ is the service type

-or-

• Config# access-list 1000 permit 4aa 0 – service type of “0″ matches all services
• Config# interface Ethernet 0
• Config-if# ipx input-sap-filter 1000 – filter applied to incoming packets

-or-

• Config-if# ipx output-sap-filter 1000 – filter applied to outgoing packets

NAMED ACCESS LISTS:

• Config# ip access-list standard LISTNAME
  -can be ip or ipx, standard or extended
  -followed by the permit or deny list
• Config# permit any
• Config-if# ip access-group LISTNAME in
  -use the list name instead of a list number
  -allows for a larger amount of access-lists

PPP SETUP:

• Config-if# encapsulation ppp
• Config-if# ppp authentication chap pap
  -order in which they will be used
  -only attempted with the authentification listed
  -if one fails, then connection is terminated
• Config-if# exit
• Config# username Lab-b password 123456
  -username is the router that will be connecting to this one
  -only specified routers can connect

-or-

• Config-if# ppp chap hostname ROUTER
• Config-if# ppp chap password 123456
  -if this is set on all routers, then any of them can connect to any other
  -set same on all for easy configuration

ISDN SETUP:

• Config# isdn switch-type basic-5ess – determined by telecom
• Config# interface serial 0
• Config-if# isdn spid1 2705554564 – isdn “phonenumber” of line 1
• Config-if# isdn spid2 2705554565 – isdn “phonenumber” of line 2
• Config-if# encapsulation PPP – or HDLC, LAPD

DDR – 4 Steps to setting up ISDN with DDR Configure switch type

1. Config# isdn switch-type basic-5ess – can be done at interface config

2. Configure static routes
Config# ip route 123.4.35.0 255.255.255.0 192.3.5.5 – sends traffic destined for 123.4.35.0 to 192.3.5.5
Config# ip route 192.3.5.5 255.255.255.255 bri0 – specifies how to get to network 192.3.5.5 (through bri0)

3. Configure Interface
Config-if# ip address 192.3.5.5 255.255.255.0
Config-if# no shutdown
Config-if# encapsulation ppp
Config-if# dialer-group 1 – applies dialer-list to this interface
Config-if# dialer map ip 192.3.5.6 name Lab-b 5551212
connect to lab-b at 5551212 with ip 192.3.5.6 if there is interesting traffic
can also use “dialer string 5551212″ instead if there is only one router to connect to

4. Specify interesting traffic
Config# dialer-list 1 ip permit any
-or-
Config# dialer-list 1 ip list 101 – use the access-list 101 as the dialer list

5. Other Options
Config-if# hold-queue 75 – queue 75 packets before dialing
Config-if# dialer load-threshold 125 either
-load needed before second line is brought up
-”125″ is any number 1-255, where % load is x/255 (ie 125/255 is about 50%)
-can check by in, out, or either

Config-if# dialer idle-timeout 180
-determines how long to stay idle before terminating the session
-default is 120

FRAME RELAY SETUP:

• Config# interface serial 0
• Config-if# encapsulation frame-relay – cisco by default, can change to ietf
• Config-if# frame-relay lmi-type cisco – cisco by default, also ansi, q933a
• Config-if# bandwidth 56
• Config-if# interface serial 0.100 point-to-point – subinterface
• Config-if# ip address 122.1.1.1 255.255.255.0
• Config-if# frame-relay interface-dlci 100
  -maps the dlci to the interface
  -can add BROADCAST and/or IETF at the end
• Config-if# interface serial 1.100 multipoint
• Config-if# no inverse-arp – turns IARP off; good to do
• Config-if# frame-relay map ip 122.1.1.2 48 ietf broadcast
  -maps an IP to a dlci (48 in this case)
  -required if IARP is turned off
  -ietf and broadcast are optional
• Config-if# frame-relay map ip 122.1.1.3 54 broadcast

SHOW COMMANDS

• Show access-lists – all access lists on the router
• Show cdp – cdp timer and holdtime frequency
• Show cdp entry * – same as next
• Show cdp neighbors detail – details of neighbor with ip add and ios version
• Show cdp neighbors – id, local interface, holdtime, capability, platform portid
• Show cdp interface – int’s running cdp and their encapsulation
• Show cdp traffic – cdp packets sent and received
• Show controllers serial 0 – DTE or DCE status
• Show dialer – number of times dialer string has been reached, other stats
• Show flash – files in flash
• Show frame-relay lmi – lmi stats
• Show frame-relay map – static and dynamic maps for PVC’s
• Show frame-relay pvc – pvc’s and dlci’s
• Show history – commands entered
• Show hosts – contents of host table
• Show int f0/26 – stats of f0/26
• Show interface Ethernet 0 – show stats of Ethernet 0
• Show ip – ip config of switch
• Show ip access-lists – ip access-lists on switch
• Show ip interface – ip config of interface
• Show ip protocols – routing protocols and timers
• Show ip route – Displays IP routing table
• Show ipx access-lists – same, only ipx
• Show ipx interfaces – RIP and SAP info being sent and received, IPX addresses
• Show ipx route – ipx routes in the table
• Show ipx servers – SAP table
• Show ipx traffic – RIP and SAP info
• Show isdn active – number with active status
• Show isdn status – shows if SPIDs are valid, if connected
• Show mac-address-table – contents of the dynamic table
• Show protocols – routed protocols and net_addresses of interfaces
• Show running-config – dram config file
• Show sessions – connections via telnet to remote device
• Show startup-config – nvram config file
• Show terminal – shows history size
• Show trunk a/b – trunk stat of port 26/27
• Show version – ios info, uptime, address of switch
• Show vlan – all configured vlan’s
• Show vlan-membership – vlan assignments
• Show vtp – vtp configs

CATALYST COMMANDS
For Native IOS – Not CatOS

SWITCH ADDRESS:

• Config# ip address 192.168.10.2 255.255.255.0
• Config# ip default-gateway 192.168.10.1DUPLEX MODE:
• Config# interface Ethernet 0/5 – “fastethernet” for 100 Mbps ports
• Config-if# duplex full – also, half | auto | full-flow-control

SWITCHING MODE:

• Config# switching-mode store-and-forward – also, fragment-free

MAC ADDRESS CONFIGS:

• Config# mac-address-table permanent aaab.000f.ffef e0/2 – only this mac will work on this port
• Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
  -port 3 can only send data out port 2 with that mac
  -very restrictive security
• Config-if# port secure max-mac-count 5 – allows only 5 mac addresses mapped to this port

VLANS:

• Config# vlan 10 name FINANCE
• Config# interface Ethernet 0/3
• Config-if# vlan-membership static 10TRUNK LINKS:
• Config-if# trunk on – also, off | auto | desirable | nonegotiate
• Config-if# no trunk-vlan 2
  -removes vlan 2 from the trunk port
  -by default, all vlans are set on a trunk port

  CONFIGURING VTP:

• Config# delete vtp – should be done prior to adding to a network
• Config# vtp server – the default is server, also client and transparent
• Config# vtp domain Camp – name doesn’t matter, just so all switches use the same
• Config# vtp password 1234 – limited security
• Config# vtp pruning enable – limits vtp broadcasts to only switches affected
• Config# vtp pruning disableFLASH UPGRADE:
• Config# copy tftp://192.168.5.5/configname.ios opcode – “opcode” for ios upgrade, “nvram” for startup config

DELETE STARTUP CONFIG:

• Config# delete nvram

BGP:

• show ip bgp – Displays entries in the BGP routing table.
• show ip bgp injected-paths – Displays paths in the BGP routing table that were conditionally injected.
• show ip bgp neighbors – Displays information about the TCP and BGP connections to neighbors.

BGP Conditional Route Injection:

Step 1 Router(config)# router bgp as-number
-  Places the router in router configuration mode, and configures the router to run a BGP process.

Step 2 Router(config-router)# bgp inject-map ORIGINATE exist-map LEARNED_PATH
-  Configures the inject-map named ORIGINATE and the exist-map named LEARNED_PATH for conditional route injection.

Step 3 Router(config-router)# exit
-Exits router configuration mode, and enters global configuration mode.

Step 4 Router(config)# route-map LEARNED_PATH permit sequence-number
- Configures the route map named LEARNED_PATH.

Step 5 Router(config-route-map)# match ip address prefix-list ROUTE
- Specifies the aggregate route to which a more specific route will be injected.

Step 6 Router(config-route-map# match ip route-source prefix-list ROUTE_SOURCE
- Configures the prefix list named ROUTE_SOURCE to redistribute the source of the route.
Note The route source is the neighbor address that is configured with the neighbor remote-as command. The tracked prefix must come from this neighbor in order for conditional route injection to occur.

Step 7 Router(config-route-map)# exit
- Exits route-map configuration mode, and enters global configuration mode.

Step 8 Router(config)# route-map ORIGINATE permit 10
- Configures the route map named ORIGINATE.

Step 9 Router(config-route-map)# set ip address prefix-list ORIGINATED_ROUTES
- Specifies the routes to be injected.

Step 10 Router(config-route-map)# set community community-attribute additive
- Configures the community attribute of the injected routes.

Step 11 Router(config-route-map)# exit
- Exits route-map configuration mode, and enters global configuration mode.

Step 12 Router(config)# ip prefix-list ROUTE permit 10.1.1.0/24
- Configures the prefix list named ROUTE to permit routes from network 10.1.1.0/24.

Step 13 Router(config)# ip prefix-list ORIGINATED_ROUTES permit 10.1.1.0/25
- Configures the prefix list named ORIGINATED_ROUTES to permit routes from network 10.1.1.0/25.

Step 14 Router(config)# ip prefix-list ORIGINATED_ROUTES permit 10.1.1.128/25
- Configures the prefix list named ORIGINATED_ROUTES to permit routes from network 10.1.1.0/25.

Step 15 Router(config)# ip prefix-list ROUTE_SOURCE permit 10.2.1.1/32
- Configures the prefix list named ROUTE_SOURCE to permit routes from network 10.2.1.1/32.
Note The route source prefix list must be configured with a /32 mask in order for conditional route injection to occur.

DHCP

Step 1 (config)# interface ethernet0/0
(config-if)#ip address 1.1.1.1 255.0.0.0
(config-if)# no shutdown
- Configure an IP address on the router’s Ethernet port, and bring up the interface. (On an existing router, you would have already done this.)

Step 2 (config)# ip dhcp pool mypool
- Create a DHCP IP address pool for the IP addresses you want to use.

Step 3 (dhcp-config)# network 1.1.1.0 /8
- Specify the network and subnet for the addresses you want to use from the pool.

Step 4 (dhcp-config)#domain-name mydomain.com
- Specify the DNS domain name for the clients.

Step 5 (dhcp-config)#dns-server 1.1.1.10 1.1.1.11
- Specify the primary and secondary DNS servers.

Step 6 (dhcp-config)#default-router 1.1.1.1
- Specify the default router (i.e., default gateway).

Step 7 (dhcp-config)#lease 7
- Specify the lease duration for the addresses you’re using from the pool.

Step 8 (dhcp-config)#exit
- Exit Pool Configuration Mode.

This takes you back to the global configuration prompt.

Next, exclude any addresses in the pool range that you don’t want to hand out.

For example, let’s say that you’ve decided that all IP addresses up to .100 will be for static IP devices such as servers and printers. All IP addresses above .100 will be available in the pool for DHCP clients.

Here’s an example of how to exclude IP addresses .100 and below:

Optional (config)#ip dhcp excluded-address 1.1.1.0 1.1.1.100

The full DHCP reference can be found on the CISCO site.

Common Commands and Troubleshooting

• Set a password on the console line:
  • configure terminal
  • line console 0
  • password ‘cisco’
  • login
• Passwords are case sensitive.
• You must configure a password on the VTY lines, without one no one will be able to telnet to the switch/router.
• The default mode when logging into a switch/router via telnet or SSH is user exec mode, which is indicated by the ‘>’ prompt.
• To configure the switch/router you need to use the privileged EXEC mode. To do this you enter the enable command in user EXEC mode. The prompt is indicated with ‘#’.
• If both enable secret and enable password are set, the enable secret will be used.
• The enable secret is encrypted (by default) where as the enable password is in clear text.
• In a config containing an enable secret 5 ‘hash’ the 5 refers to the level of encryption being used.
• If no enable password/secret has been set when someone telnets to the device, they will get a ‘%No password set’ message. Someone with physical access must set the password.
• To place all telnet users directly into enable mode:
  • configure terminal
  • line vty 0 4
  • privilege level 15
• To put a specific user directly into privileged EXEC mode (enable mode)
  • username superman privilege 15 password louise
• Telnet sends all data including passwords in clear text which can be intercepted.
• SSH encrypts all data preventing an attacker from intercepting it.
• Setting up a local user/password login database for use with telnet:
  • configure terminal
  • line vty 0 4
  • login local
  • exit
  • username telnetuser1 password secretpass
• To set up SSH you need to create the local user database, the domain name must be specified with the ip domain-name command and a crypto key must be created with the crypto key generate rsa command. To enable SSH on the VTY lines, use the command transport input ssh.
• If you connect two Cisco switches together and the lights don’t go amber then green, but instead stays off. A straight through cable has been used instead of a crossover cable.
• The term ‘a switches management interface’ normally refers to VLAN1.
• Assign a default gateway using the ip default-gateway ipaddress command.
• You can use the command interface range fasterthernet 0/1 – 12 to select a range of interfaces to configure at once.
• MOTD banner appears before login prompt.
• The login banner appears before the login prompt but after the MOTD banner.
• The banner exec appears after a successful logon.
• line con 0 – configuring the logging synchronous on the console port stops the router from displaying messages (like an interface state change) until it detects no input from the keyboard and not other output from the router, such as a show commands output.
• exec-timeout x y (x=minutes, y=seconds) – the default is 5 minutes. Can be disabled by setting x=0 y=0
• Shortcut commands
  • Up Arrow – will show you the last command you entered. Control+P does the same thing.
  • Down Arrow – will bring you one command up in the command history. Control+N does the same thing.
  • CTRL+A takes the cursor to the start of the current command.
  • CTRL+E takes the cursor to the end of the current command.
  • Left arrow or CTRL+B moves backwards (towards the start) of the command one character at a time.
  • Right arrow or CTRL+P moves forwards (towards the end) of the command one character at a time.
  • CTRL+D deletes one character (the same as backspace).
  • ESC+B moves back one word in the current command.
  • ESC+F moves forward one word in the current command.
• show history command will show the last 10 commands run by default.
• the history size can be increased individually on the console port and on the VTY lines with the history size x command.
• Config modes
  • config t R1<config> is the global configuration mode.
  • line vty 0 4 R1<config-line> is the line config mode.
  • interface fastethernet 0/1 R1<config-if> interface config mode.

• Cisco Discovery Protocol (CDP) runs by default on Cisco routers and switches. It runs globally and on a per-interface level.
• CDP discovers basic information about neighboring switches and routers.
• On media that supports multicasts at the data link layer, CDP uses multicast frames. on other media, CDP sends a copy of the CDP update to any known data-link addresses.
• The show cdp command shows CDP settings.
• CDP can be disabled globally using the command no cdp run and re-enable using cdp run.
• CDP can be disabled at an interface level using the no cdp enable command at the sub-interface level.
• The command show cdp neighbor - lists one summary line of information about each neighbor. Including:
  • Device ID – the remote devices hostname.
  • Local Interface – the local switch/router interface connected to the remote host.
  • Holdtime – is the number of seconds the local device will retain the contents of the last CDP advertisement received from the remote host.
  • Capability – shows you the type of device the remote host is.
  • Platform – is the remote devices hardware platform.
  • Port ID – is the remote interface on the direct connection.
• The command show cdp neighbor detail – lists one large set (approx 15 lines) of information, one set for every neighbor. Including:
  • The IOS version.
  • VTP management domain.
  • Management addresses.
• show cdp entry name - lists the same information as the show cdp neighbors detail command, but only for the named neighbor (case sensitive).
• show cdp – states whether CDP is enabled globally, and lists the default update and holdtime timers.
• show cdp traffic – lists global statistics for the number of CDP advertisements sent and received.
• show cdp interface type number - states whether CDP is enabled on each interface or a single interface if the interface is listed, and states the update and holdtime timers on those interfaces.
• CDP should be disabled on interfaces it is not needed to limit risk of an attacker learning details about each switch or router. Use the no cdp enable interface subcommand to disable CDP and the cdp enable interface subcommand to re-enable it.
• The command show cdp interface shows the CDP settings for every interface.
• Interface status messages:
  • Interface status is down/down – this indicates a physical problem, most likely a loose or unplugged cable.
  • Line protocol is down, up/down – this indicates a problem at the logical level, most likely an encapsulation mismatch or a missing clock rate.
  • Administratively down – this indicates the interface has been shutdown and needs to be manually opened with the sub interface command no shutdown.
• The command show mac-address-table shows the mac address table. show mac-address-table dynamic sows the dynamically learned entries only.
• Most problems on a switch are caused by human error – misconfiguration.
• The command show debugging shows all the currently running debugs.
• undebug all – will turn all debugging off.
• The command show vlan brief shows a switches VLAN configuration.
• If pinging 127.0.0.1 fails on a pc, there is a problem with the local PC, most likely a bad install of TCP/IP.
• On a pc the command netstat -rn shows the pc’s routing table.
• Additional Telnet commands:
  • show sessions shows information about each telnet session, the where command does the same thing.
  • resume x, x being the session number is used to resume a telnet session.
  • To suspend a session use the command CTRL+ALT+6.
  • To disconnect an open session use the command disconnect x, x being the session number.
• Ping result codes:
  • !!!!! – IP connectivity to the destination is ok.
  • ….. – IP connectivity to the destination does not exist.
  • U.U.U – the local router has a route to the destination, but a downstream router does not.
• debug ip packet – can help troubleshooting the above ping results.
• When using traceroute or extended ping the Escape Sequence is: CTRL+SHIFT+6.
• Extended ping can only be run from enable mode.
• If a routing table contains multiple routes to the same destination with multiple next hops and the prefixes are different, the most specific (longest) prefix route will be used. If all of the prefix lengths are the same the Administrative Distance will be used. [AD/Metric].
• Administrative Distance is a measure of a routes believability, with a lower AD being more believable than a route with a higher AD. AD only comes into play if the prefix lengths are the same.
• You can set the Administrative Distance on a static route with the command ip route 55.55.55.0 255.255.255.0 192.168.1.2 150, you would do this to set a backup route if a dynamic route fails/is not available in the routing table.

Cisco NX-OS/IOS BGP (Advanced) Comparison

These may also assist: Undocumented Cisco Commands

Below is an article I found recently. This one of the most comprehensive descriptions of PIN Verification Value (PVV) hacking.

I thought I would replicate it here for my local reference.

As comments have been made regarding the grammar used in the original text, I have corrected some of the obvious errors whilst maintaining the context of the original material.

http://69.46.26.132/~biggold1/fastget2you/tutorial.php

——– Original Text ———-

Foreword
Have you ever wonder what would happen if you lose your credit or debit card and someone finds it. Would this person be able to withdraw cash from an ATM guessing, somehow, your PIN? Moreover, if you were who finds someone’s card would you try to guess the PIN and take the chance to get some easy money? Of course the answer to both questions should be “no”. This work does not deal with the second question, it is a matter of personal ethics. Herewith I try to answer the first question.

All the information used for this work is public and can be freely found in Internet. The rest is a matter of mathematics and programming, thus we can learn something and have some fun. I reveal no secrets. Furthermore, the aim (and final conclusion) of this work is to demonstrate that PIN algorithms are still strong enough to provide sufficient security. We all know technology is not the weak point.

This work analyses one of the most common PIN algorithms, VISA PVV, used by many ATM cards (credit and debit cards) and tries to find out how resistant is to PIN guessing attacks. By “guessing” I do not mean choosing a random PIN and trying it in an ATM. It is well known that generally we are given three consecutive trials to enter the right PIN, if we fail ATM keeps the card. As VISA PIN is four digit long it’s easy to deduce that the chance for a random PIN guessing is 3/10000 = 0.0003, it seems low enough to be safe; it means you need to lose your card more than three thousand times (or losing more than three thousand cards at the same time :) until there is a reasonable chance of losing money.

What I really meant by “guessing” was breaking the PIN algorithm so that given any card you can immediately know the associated PIN. Therefore this document studies that possibility, analyzing the algorithm and proposing a method for the attack. Finally we give a tool which implements the attack and present results about the estimated chance to break the system. Note that as long as other banking security related algorithms (other PIN formats such as IBM PIN or card validation signatures such as CVV or CVC) are similar to VISA PIN, the same analysis can be done yielding nearly the same results and conclusions.

VISA PVV algorithm

One of the most common PIN algorithms is the VISA PIN Verification Value (PVV). The customer is given a PIN and a magnetic stripe card. Encoded in the magnetic stripe is a four digit number, called PVV. This number is a cryptographic signature of the PIN and other data related to the card. When a user enters his/her PIN the ATM reads the magnetic stripe, encrypts and sends all this information to a central computer. There a trial PVV is computed using the customer entered PIN and the card information with a cryptographic algorithm. The trial PVV is compared with the PVV stored in the card, if they match the central computer returns to the ATM authorization for the transaction. See in more detail.

The description of the PVV algorithm can be found in two documents linked in the previous page. In summary it consists in the encryption of a 8 byte (64 bit) string of data, called Transformed Security Parameter (TSP), with DES algorithm (DEA) in Electronic Code Book mode (ECB) using a secret 64 bit key. The PVV is derived from the output of the encryption process, which is a 8 byte string. The four digits of the PVV (from left to right) correspond to the first four decimal digits (from left to right) of the output from DES when considered as a 16 hexadecimal character (16 x 4 bit = 64 bit) string. If there are no four decimal digits among the 16 hexadecimal characters then the PVV is completed taken (from left to right) non decimal characters and decimalizing them by using the conversion A->0, B->1, C->2, D->3, E->4, F->5. Here is an example:

Output from DES: 0FAB9CDEFFE7DCBA

PVV: 0975

The strategy of avoiding decimalization by skipping characters until four decimal digits are found (which happens to be nearly all the times as we will see below) is very clever because it avoids an important bias in the distribution of digits which has been proven to be fatal for other systems, although the impact on this system would be much lower. See also a related problem not applying to VISA PVV.

The TSP, seen as a 16 hexadecimal character (64 bit) string, is formed (from left to right) with the 11 rightmost digits of the PAN (card number) excluding the last digit (check digit), one digit from 1 to 6 which selects the secret encrypting key and finally the four digits of the PIN. Here is an example:

PAN: 1234 5678 9012 3445
Key selector: 1
PIN: 2468

TSP: 5678901234412468

Obviously the problem of breaking VISA PIN consists in finding the secret encrypting key for DES. The method for that is to do a brute force search of the key space. Note that this is not the only method, one could try to find a weakness in DEA, many tried, but this old standard is still in wide use (now been replaced by AES and RSA, though). This demonstrates it is robust enough so that brute force is the only viable method (there are some better attacks but not practical in our case, for a summary see LASEC memo and for the dirty details see Biham & Shamir 1990, Biham & Shamir 1991, Matsui 1993, Biham & Biryukov 1994 and Heys 2001).

The key selector digit was very likely introduced to cover the possibility of a key compromise. In that case they just have to issue new cards using another key selector. Older cards can be substituted with new ones or simply the ATM can transparently write a new PVV (corresponding to the new key and keeping the same PIN) next time the customer uses his/her card. For the shake of security all users should be asked to change their PINs, however it would be embarrassing for the bank to explain the reason, so very likely they would not make such request.

Preparing the attack

A brute force attack consists in encrypting a TSP with known PVV using all possible encrypting keys and compare each obtained PVV with the known PVV. When a match is found we have a candidate key. But how many keys we have to try? As we said above the key is 64 bit long, this would mean we have to try 2^64 keys. However this is not true. Actually only 56 bits are effective in DES keys because one bit (the least significant) out of each octet was historically reserved as a checksum for the others; in practice those 8 bits (one for each of the 8 octets) are ignored.

Therefore the DES key space consists of 2^56 keys. If we try all these keys will we find one and only one match, corresponding to the bank secret key? Certainly not. We will obtain many matching keys. This is because the PVV is only a small part (one fourth) of the DES output. Furthermore the PVV is degenerated because some of the digits (those between 0 and 5 after the last, seen from left to right, digit between 6 and 9) may come from a decimal digit or from a decimalized hexadecimal digit of the DES output. Thus many keys will produce a DES output which yields to the same matching PVV.

Then what can we do to find the real key among those other false positive keys? Simply we have to encrypt a second different TSP, also with known PVV, but using only the candidate keys which gave a positive matching with the first TSP-PVV pair. However there is no guarantee we won’t get again many false positives along with the true key. If so, we will need a third TSP-PVV pair, repeat the process and so on.

Before we start our attack we have to know how many TSP-PVV pairs we will need. For that we have to calculate the probability for a random DES output to yield a matching PVV just by chance. There are several ways to calculate this number and here I will use a simple approach easy to understand but which requires some background in mathematics of probability.

A probability can always be seen as the ratio of favorable cases to possible cases. In our problem the number of possible cases is given by the permutation of 16 elements (the 0 to F hexadecimal digits) in a group of 16 of them (the 16 hexadecimal digits of the DES output). This is given by 16^16 ~ 1.8 * 10^19 which of course coincides with 2^64 (different numbers of 64 bits). This set of numbers can be separated into five categories:

Those with at least four decimal digits (0 to 9) among the 16 hexadecimal digits (0 to F) of the DES output.

Those with exactly only three decimal digits.

Those with exactly only two decimal digits.

Those with exactly only one decimal digit.

Those with no decimal digits (all between A and F).

Let’s calculate how many numbers fall in each category. If we label the 16 hexadecimal digits of the DES output as X1 to X16 then we can label the first four decimal digits of any given number of the first category as Xi, Xj, Xk and Xl. The number of different combinations with this profile is given by the product 6 i-1 * 10 * 6j-i-1 * 10 * 6k-j-1 * 10 * 6 l-k-1 * 10 * 1616-l where the 6′s come from the number of possibilities for an A to F digit, the 10′s come from the possibilities for a 0 to 9 digit, and the 16 comes from the possibilities for a 0 to F digit. Now the total numbers in the first category is simply given by the summation of this product over i, j, k, l from 1 to 16 but with i < j < k < l. If you do some math work you will see this equals to the product of 104/6 with the summation over i from 4 to 16 of (i-1) * (i-2) * (i-3) * 6i-4 * 16 16-i ~ 1.8 * 1019.

Analogously the number of cases in the second category is given by the summation over i, j, k from 1 to 16 with i < j < k of the product 6i-1 * 10 * 6j-i-1 * 10 * 6k-j-1 * 10 * 616-k which you can work it out to be 16!/(3! * (16-13)!) * 103 * 6 13 = 16 * 15 * 14/(3 * 2) * 103 * 613 = 56 * 104 * 613 ~ 7.3 * 1015. Similarly for the third category we have the summation over i, j from 1 to 16 with i < j of 6 i-1 * 10 * 6j-i-1 * 10 * 616-j which equals to 16!/(2! * (16-14)!) * 102 * 614 = 2 * 103 * 615 ~ 9.4 * 1014. Again, for the fourth category we have the summation over i from 1 to 16 of 6i-1 * 10 * 616-i = 160 * 615 ~ 7.5 * 1013. And finally the amount of cases in the fifth category is given by the permutation of six elements (A to F digits) in a group of 16, that is, 616 ~ 2.8 * 1012.

I hope you followed the calculations up to this point, the hard part is done. Now as a proof that everything is right you can sum the number of cases in the 5 categories and see it equals the total number of possible cases we calculated before. Do the operations using 64 bit numbers or rounding (for floats) or overflow (for integers) errors won’t let you get the exact result.

Up to now we have calculated the number of possible cases in each of the five categories, but we are interested in obtaining the number of favorable cases instead. It is very easy to derive the latter from the former as this is just fixing the combination of the four decimal digits (or the required hexadecimal digits if there are no four decimal digits) of the PVV instead of letting them free. In practice this means turning the 10′s in the formula above into 1′s and the required amount of 6′s into 1′s if there are no four decimal digits. That is, we have to divide the first result by 104, the second one by 103 * 6, the third one by 102 * 62 , the fourth one by 10 * 63 and the fifth one by 64 . Then the number of favorable cases in the five categories are approximately 1.8 * 1015, 1.2 * 1012, 2.6 * 1011 , 3.5 * 1010, 2.2 * 109 respectively.

Now we are able to obtain what is the probability for a DES output to match a PVV by chance. We just have to add the five numbers of favorable cases and divide it by the total number of possible cases. Doing this we obtain that the probability is very approximately 0.0001 or one out of ten thousand. Is it strange this well rounded result? Not at all, just have a look at the numbers we calculated above. The first category dominates by several orders of magnitude the number of favorable and possible cases. This is rather intuitive as it seems clear that it is very unlikely not having four decimal digits (10 chances out of 16 per digit) among 16 hexadecimal digits. We saw previously that the relationship between the number of possible and favorable cases in the first category was a division by 10^4, that’s where our result p = 0.0001 comes from.

Our aim for all these calculations was to find out how many TSP-PVV pairs we need to carry a successful brute force attack. Now we are able to calculate the expected number of false positives in a first search: it will be the number of trials times the probability for a single random false positive, i.e. t * p where t = 2^56, the size of the key space. This amounts to approximately 7.2 * 10^12, a rather big number. The expected number of false positives in the second search (restricted to the positive keys found in the first search) will be (t * p) * p, for a third search will be ((t * p) * p) * p and so on. Thus for n searches the expected number of false positives will be t * p^n.

We can obtain the number of searches required to expect just one false positive by expressing the equation t * p^n = 1 and solving for n. So n equals to the logarithm in base p of 1/t, which by properties of logarithms it yields n = log(1/t)/log(p) ~ 4.2. Since we cannot do a fractional search it is convenient to round up this number. Therefore what is the expected number of false positives if we perform five searches? It is t * p^5 ~ 0.0007 or approximately 1 out of 1400. Thus using five TSP-PVV pairs is safe to obtain the true secret key with no false positives.

The attack

Once we know we need five TSP-PVV pairs, how do we get them? Of course we need at least one card with known PIN, and due to the nature of the PVV algorithm, that’s the only thing we need. With other PIN systems, such as IBM, we would need five cards, however this is not necessary with VISA PVV algorithm. We just have to read the magnetic stripe and then change the PIN four times but reading the card after each change.

It is necessary to read the magnetic stripe of the card to get the PVV and the encrypting key selector. You can buy a commercial magnetic stripe reader or make one yourself following the instructions you can find in the previous page and links therein. Once you have a reader see this description of standard magnetic tracks to find out how to get the PVV from the data read. In that document the PVV field in tracks 1 and 2 is said to be five character long, but actually the true PVV consists of the last four digits. The first of the five digits is the key selector. I have only seen cards with a value of 1 in this digit, which is consistent with the standard and with the secret key never being compromised (and therefore they did not need to move to another key changing the selector).

I did a simple C program, getpvvkey.c, to perform the attack. It consists of a loop to try all possible keys to encrypt the first TSP, if the derived PVV matches the true PVV a new TSP is tried, and so on until there is a mismatch, in which case the key is discarded and a new one is tried, or the five derived PVVs match the corresponding true PVVs, in which case we can assume we got the bank secret key, however the loop goes on until it exhausts the key space. This is done to assure we find the true key because there is a chance (although very low) the first key found is a false positive.

It is expected the program would take a very long time to finish and to minimize the risks of a power cut, computer hang out, etc. it does checkpoints into the file getpvvkey.dat from time to time (the exact time depends on the speed of the computer, it’s around one hour for the fastest computers now in use). For the same reason if a positive key is found it is written on the file getpvvkey.key. The program only displays one message at the beginning, the starting position taken from the checkpoint file if any, after that nothing more is displayed.

The DES algorithm is a key point in the program, it is therefore very important to optimize its speed. I tested several implementations: libdes, SSLeay, openssl, cryptlib, nss, libgcrypt, catacomb, libtomcrypt, cryptopp, ufc-crypt. The DES functions of the first four are based on the same code by Eric Young and is the one which performed best (includes optimized C and x86 assembler code). Thus I chose libdes which was the original implementation and condensed all relevant code in the files encrypt.c (C version) and x86encrypt.s (x86 assembler version). The code is slightly modified to achieve some enhancements in a brute force attack: the initial permutation is a fixed common steep in each TSP encryption and therefore can be made just one time at the beginning. Another improvement is that I wrote a completely new setkey function (I called it nextkey) which is optimum for a brute force loop.

To get the program working you just have to type in the corresponding place five TSPs and their PVVs and then compile it. I have tested it only in UNIX platforms, using the makefile Makegetpvvkey to compile (use the command “make -f Makegetpvvkey”). It may compile on other systems but you may need to fix some things. Be sure that the definition of the type long64 corresponds to a 64 bit integer. In principle there is no dependence on the endianness of the processor. I have successfully compiled and run it on Pentium-Linux, Alpha-Tru64, Mips-Irix and Sparc-Solaris. If you do not have and do not want to install Linux (you don’t know what you are missing ;-) you still have the choice to run Linux on CD and use my program, see my page running Linux without installing it.

Once you have found the secret bank key if you want to find the PIN of an arbitrary card you just have to write a similar program (sorry I have not written it, I’m too lazy :) that would try all 10^4 PINs by generating the corresponding TSP, encrypting it with the (no longer) secret key, deriving the PVV and comparing it with the PVV in the magnetic stripe of the card. You will get one match for the true PIN. Only one match? Remember what we saw above, we have a chance of 0.0001 that a random encryption matches the PVV. We are trying 10000 PINs (and therefore TSPs) thus we expect 10000 * 0.0001 = 1 false positive on average.

This is a very interesting result, it means that, on average, each card has two valid PINs: the customer PIN and the expected false positive. I call it “false” but note that as long as it generates the true PVV it is a PIN as valid as the customer’s one. Furthermore, there is no way to know which is which, even for the ATM; only customer knows. Even if the false positive were not valid as PIN, you still have three trials at the ATM anyway, enough on average. Therefore the probability we calculated at the beginning of this document about random guessing of the PIN has to be corrected. Actually it is twice that value, i.e., it is 0.0006 or one out of more than 1600, still safely low.

Results

It is important to optimize the compilation of the program and to run it in the fastest possible processor due to the long expected run time. I found that the compiler optimization flag -O gets the better performance, thought some improvement is achieved adding the -fomit-frame-pointer flag on Pentium-Linux, the -spike flag on Alpha-Tru64, the -IPA flag on Mips-Irix and the -fast flag on Sparc-Solaris. Special flags (-DDES_PTR -DDES_RISC1 -DDES_RISC2 -DDES_UNROLL -DASM) for the DES code have generally benefits as well. All these flags have already been tested and I chose the best combination for each processor (see makefile) but you can try to fine tune other flags.

According to my tests the best performance is achieved with the AMD Athlon 1600 MHz processor, exceeding 3.4 million keys per second. Interestingly it gets better results than Intel Pentium IV 1800 MHz and 2000 MHz (see figures below, click on them to enlarge). I believe this is due to some I/O saturation, surely cache or memory access, that the AMD processor (which has half the cache of the Pentium) or the motherboard in which it is running, manages to avoid. In the first figure below you can see that the DES breaking speed of all processors has more or less a linear relationship with the processor speed, except for the two Intel Pentium I mentioned before. This is logical, it means that for a double processor speed you’ll get double breaking speed, but watch out for saturation effects, in this case it is better the AMD Athlon 1600 MHz, which will be even cheaper than the Intel Pentium 1800 MHz or 2000 MHz.

In the second figure we can see in more detail what we would call intrinsic DES break power of the processor. I get this value simply dividing the break speed by the processor speed, that is, we get the number of DES keys tried per second and per MHz. This is a measure of the performance of the processor type independently of its speed. The results show that the best processor for this task is the AMD Athlon, then comes the Alpha and very close after it is the Intel Pentium (except for the higher speed ones which perform very poor due to the saturation effect). Next is the Mips processor and in the last place is the Sparc. Some Alpha and Mips processors are located at bottom of scale because they are early releases not including enhancements of late versions. Note that I included the performance of x86 processors for C and assembler code as there is a big difference. It seems that gcc is not a good generator of optimized machine code, but of course we don’t know whether a manual optimization of assembler code for the other processors (Alpha, Mips, Sparc) would boost their results compared to the native C compilers (I did not use gcc for these other platforms) as it happens with the x86 processor.

Update

Here is an article where these techniques may have been used.

http://redtape.msnbc.com/2008/08/could-a-hacker.html

I have been recently working inside one of the larger Banks in Australia.
Through this work I have been looking at the controls and mechanisms surrounding the processing of credit and debit cards around the Asia Pacific.

I get perform many security architecture and payment systems assessments.
Over the years I have always considered the protection of the card data as one of the key considerations.

Until yesterday I had never seen an CVV or PVV decryption tools. I think some scripted use of these tools could be very interesting.
The site hziggurat29.com

Many of the other tools on this site are also very unique and worth a look.
Big thanks to ziggurat29 for providing such awesome tools.

As many of these sites are of this nature are difficult to find and often seem to vanish over the years, I have chosen to replicate the the text from this page and provide local copies on the files.
It is worth periodically visiting the ziggurat29 site every now and again to see if any additional tools have been posted.

One of the more extraordinary files is the Atalla Hardware Security Module (HSM)  and BogoAtalla for Linksys emulation (simulation) tools. So I wonder if Eracom and Thales are shaking in their boots. Some how I don’t think so. ;-)

——– ziggurat29 Text ———

These are all Windows command-line utilities (except where noted); execute with the -help option
to determine usage.

DUKPT Decrypt (<- the actual file to download)

This is a utility that will decrypt Encrypted PIN Blocks that have been produced via the DUKPT triple-DES method.  I used this for testing the output of some PIN Pad software I had created, but is also handy for other debugging purposes.

VISA PVV Calculator (<- the actual
file to download)

This is a utility that will compute and verify PIN Verification Values that have been produced using the VISA PVV technique.  It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn computations), creating and encrypting PIN blocks, decrypting and extracting PINs from encrypted PIN blocks, etc.

VISA CVV Calculator (<- the actual file to download)

This is a utility that will compute Card Verification Values that have been produced using the VISA CVV technique.  MasterCard CVC uses the CVV algorithm, so it will work for that as well.  It will compute CVV, CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the
format of the expiration date.  Verification is simply comparing the computed value with what you have received, so there is no explicit verification function.

Atalla AKB Calculator (<- the actual file to download)

This is a utility that will both generate and decrypt Atalla AKB cryptograms.  You will need the plaintext MFK to perform these operations.  When decrypting, the MAC will also be checked and the results shown.

BogoAtalla (<- the actual file to
download)

This is an Atalla emulator (or simulator).  This software emulation (simulation) of the well-known Atalla Hardware Security Module (HSM) that is used by banks and processors for cryptographic operations, such as verifying/translating PIN blocks, authorising transactions by verifying
CVV/CSC numbers, and performing key exchange procedures, was produced for testing purposes.  This implementation is not of the complete HP Atalla command set, but rather the just
portions that I myself needed.  That being said, it is complete enough if you are performing acquiring and/or issuing processing functions, and are using more modern schemes such as Visa PVV and DUKPT, and need to do generation, verification, and translation.

This runs as a listening socket server and handles the native Atalla command set.  I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native hardware), but definitely should get identical positive
responses.  Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available.  Examples are generating PVV values and encrypting/decrypting plaintext PIN values.

BogoAtalla for Linksys (<- the actual file to download)

This is the Atalla emulator ported to Linux and build for installation on an OpenWRT system.  Makes for a really cheap ($60 USD) development/test device.

 

Local Files

bogoatalla002
atallaakbcalc
bogoatalla_10-1_mipsel
dukptdecrypt
visacvvcalc
visapvvcalc

Acquiring Institution
The Financial Institution which holds the Merchant Account partaking in a financial transaction, typically the first bank involved in the processing of a payment.

Applet
A small computer program which facilitates the performance of particular tasks.

Bandwidth
The capacity of a server to carry or process information. The higher the bandwidth the faster graphics-laden web pages will download.

Browser
Short for Web browser, a software application used to locate and display Web pages. The two most popular browsers are Netscape Navigator and Microsoft Internet Explorer. Both of these are graphical browsers, which means that they can display graphics as well as text. In addition, most modern browsers can present multimedia information, including sound and video, though they require plug-ins for some formats.

Caching
The automatic copying and storage of frequently used information onto a computer system – Typically caching is seen whilst surfing the internet (graphics, etc.) and used by Internet Services Providers (ISP’s) to reduce the amount of data requested from the user onto the internet.

Issuer
The Financial Institution which issued the cardholder’s account and card.

Cardholder
The individual participating in the financial transaction whose card is being credited or debited.

Card Verification Data
The additional information printed on the card to be processed. This is used to verify if the card was present when the transaction was initiated.  This is the additional digits imprinted on the card usually on the reverse side for VISA & Mastercard and on the front for AMEX.

Certificate
An x.509 certificate used to authenticate entities such as Merchants and Payment Gateways. Certificates can be used to identify and/or encrypt sensitive data such as card numbers and personal cardholder information.

CGI
Common Gateway Interface: A protocol that allows a Web page to run a program on a Web server. Forms, counters, and guest books are common examples of CGI programs.

Any piece of software can be a CGI program if it handles input and output according to the CGI standard. Usually a CGI program is a small program that takes data from a web server and does something with it, like putting the content of a form into an e-mail message, or turning the data into a database query. CGI “scripts” are just scripts which use CGI. CGI is often confused with Perl, which is a programming language, while CGI is an interface to the server from a particular program.

Client
A computer or software that requests a service of another computer system or process (a “server”). For example, a workstation requesting the contents of a file from a file server is a client of the file server. A web browser is commonly referred to as a client.

Clients and Servers
In general, all of the machines on the Internet can be categorised as two types: servers and clients. Those machines that provide services (like Web servers or FTP servers) to other machines are servers. And the machines that are used to connect to those services are clients.

When you connect to Yahoo at www.google.com to read a page, Google is providing a machine (probably a cluster of very large machines), for use on the Internet, to service your request. Google is providing a server. Your machine, on the other hand, is probably providing no services to anyone else on the Internet. Therefore, it is a user machine, also known as a client. It is possible and common for a machine to be both a server and a client !

Cookie
A file sent by some web servers to your computer’s hard drive to enable you to quickly and easily return to particular sites. Cookies give rise to privacy concerns as they are often used to store information used for marketing purposes.

The main purpose of cookies is to identify users and possibly prepare customised Web pages for them. When you enter a Web site using cookies, you may be asked to fill out a form providing such information as your name and interests. This information is packaged into a cookie and sent to your Web browser which stores it for later use. The next time you go to the same Web site, your browser will send the cookie to the Web server. The server can use this information to present you with custom Web pages. So, for example, instead of seeing just a generic welcome page you might see a welcome page with your name on it.

CRN
The Customer Receipt Number (CRN) is used to assist the card holder, the payment gateway and the transaction acquirer to confirm the transaction has been processed and to track the transaction throughout the end-to-end transaction process. This is often used when making enquiries about a transaction or for transaction tracking.

Cybersquatting
Bad faith, abusive domain name registration. Cybersquatters register company and product names as domain names with a view to selling them at inflated prices to the “rightful” owners.

/CVC
The additional information printed on the card to be processed. This is used to verify if the card was present when the transaction was initiated.  This is the additional digits imprinted on the card usually on the reverse side for VISA & Mastercard and on the front for AMEX.

Database
A collection of data: part numbers, product codes, customer information, etc. It usually refers to data organised and stored on a computer that can be searched and retrieved by a computer program.

Deep link
A hypertext link directly to a web page, often bypassing home pages or other identifying pages.

Digital Certificate
A pop up window that allows you to identify the level of encryption used to secure a particular web site.

Digital Signature
A complex numeric “signature” designed to be used, in conjunction with special software, to authenticate the sender of a message and guarantee that the contents of the message have not been altered during transmission to the recipient. The EU has adopted legislation which makes electronic signatures legally valid. The Electronic Transaction Bill (Cth) 1999 has the same effect in Australia.

Domain Name
The plain English name given to a host destination on the Internet, for example, www.madrock.net. The suffix, dot.com is known as the generic top level domain, the prefix madrock. The domain name forms part of the Internet Address or URL.

A name that identifies one or more IP addresses. For example, the domain name microsoft.com represents about a dozen IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL http://www.madrock.net, the domain name is madrock.net.

Download
To transfer information from one computer to your computer.

Dynamic web page
A web document that is created from a database in real-time or “on the fly” at the same time it is being viewed, providing a continuous flow of new information and giving visitors a new experience each time they visit the web site.

Dynamic web sites offer the user the ability to interact with the web site. This interaction can take place in the form of a search for products, a questionnaire that automatically posts results or online polls. Basically, dynamic web pages and content are generated from the input of the user.

EC
Electronic Commerce.

Often referred to as simply e-commerce, business that is conducted over the Internet using any of the applications that rely on the Internet, such as e-mail, instant messaging, shopping carts, Web services, and FTP, among others. Electronic commerce can be between two businesses transmitting funds, goods, services and/or data or between a business and a customer.

ECI
The Electronic Commerce Indicator (ECI), is used to determine the source of the original transaction request. This is a program that the banks have developed and have mandated it’s use.

Electronic Data Interchange (EDI)
Systems set up by businesses, which facilitate the electronic exchange of information.

Encryption
The process of scrambling data to prevent it being viewed by unauthorized persons.

Expiry Date
The date printed on the card indicating when the card will expire. Not to be confused with the card issue date found on some cards.

Firewall
An electronic security barrier and/or traffic filter.

Forms
Forms are web pages comprised of text and “fields” for a user to fill in with information. They are an excellent way of collecting and processing information from people visiting a web site, as well as allowing them to interact with web pages. Forms are written in HTML and processed by CGI programs.

Frame
A means of dividing a web screen into a number of compartments. Frames may give rise to legal disputes if web sites created by third parties are framed as your own.

FTP servers
One of the oldest of the Internet services, File Transfer Protocol makes it possible to move one or more files securely between computers while providing file security and organisation as well as transfer control.

Fulfilment
1. Process of supplying goods after an order has been received.
2. Process of reacting to a customer’s request, covering everything that has to happen from the time the customer places an order until they are completely satisfied.

Host
Any computer on a network that provides services or information to other computers on the network. A host is also called a server.

Integration
The software and/or business processes which combine the Merchant’s (website, back office, etc.) order processing system with the EFT Network Electronic Payment System.

IP address
Every computer connected to the Internet is assigned a unique number known as an Internet Protocol (IP) address. Since these numbers are usually assigned in country-based blocks, an IP address can often be used to identify the country from which a computer is connecting to the Internet.

Gateway
A system allowing incompatible computer networks to send and receive information.

HTML (Hypertext Markup Language)
Language used to translate text documents into a form which can be sent over the web.

Hyperlink
A highlighted phrase in a document which permits linking to another document or part of a document.

Internet Content Host (ICH)
Those who host or propose to host content on the Internet. Anybody who is responsible for a web site, news group or bulletin board that contains articles, graphics or other internet content provided by others. The host may/may not also produce their own content and/or provide access to the Internet through a carriage service, ie they may also be an ISP.

Internet Service Provider (ISP)
A company that provides an Internet connection through some kind of Internet carriage service, for example Sprint, Chello Broadband, Telstra Bigpond, Adam Internet, Internode. ISP’s may/may not also be ICHs.

Mail servers
Almost as ubiquitous and crucial as Web servers, mail servers move and store mail over corporate networks (via LANs and WANs) and across the Internet.

Merchant account
This is an account set up with a bank to process credit card orders from customers.

Merchant
The entity receiving payments for goods and/or services.

Merchant Account
The merchant’s account into which transactions are credited or debited.

Merchant Server
The software installed on the Merchant’s web sites or back office system to enable real-time or batched processing of financial transactions.

Merchant Server Administrator
The individual(s) responsible for the maintenance of the Merchant Server, including issuing and importing merchant certificates.

MTL
Merchant Transaction Layer (MTL)

PAN
Primary Account Number (PAN) is the number printed on the customers card to reference the cardholder’s financial account. This is typically the card number.

Payment Gateway
The Payment Gateway provides a central point of contact/transaction switching with the banking network for the Merchant Server software or devices. The EFT Networks Payment gateway provides advanced integrated reporting, merchant integration services (Mainframe, Mini, Windows, UNIX, OS400, Desktop/Server, EFT PoS Terminals. Loyalty systems, etc.) and Merchant/Bank customised solutions not offered by regional or global banking institutions.

An online system for real-time charging of credit cards when a customer places an order. Normally requires a merchant account.

A common question from merchants is “Do we have to change banks to use payment gateways?”

The answer is NO!  – All you need to do is open a merchant facility with one of the supported banks, EFT Networks can ensure you open the correct one for your transaction needs. The merchant facility is then linked to a nominated bank account for example: Bank of New Zealand, ANZ, St George Bank, NAB, Commonwealth, Westpac, Bank of America, Bank of Scotland, Barclay’s, Bank of Queensland, etc. The money is then transferred at the end of each day from your merchant account to your nominated account.

“Pretty Good Privacy”
A type of encryption program used to scramble data.

Portal
A site that gathers together many sites under a common branding, for example, Yahoo and Excite.

Private key
The password which permits information to be decoded in a public key encryption system.

Public key
The password which is used to send a secure message in a public key encryption system.

Secure Certificate
A document that is used to certify that a user or organisation is who they say they are. They contain information about who it belongs to, who it was issued by, expiry date and information that can be used to check out the contents of the certificate. It is as an important part of the SSL system for establishing secure connections.

Server
A computer that provides a service to other computers (known as clients) on a network.

Shopping cart
A shopping cart is a piece of software that acts as an online store’s catalogue and ordering process. Typically, a shopping cart is the interface between a company’s Web site and its deeper infrastructure, allowing consumers to select merchandise; review what they have selected; make necessary modifications or additions; and purchase the merchandise.

Shopping carts can be sold as independent pieces of software so companies can integrate them into their own unique online solution, or they can be offered as a feature from a service that will create and host a company’s e-commerce site.

Spam
The use of email or newsgroups to send unsolicited information.

SSL
Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that’s transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:.

Letting your customers know that you have SSL protection gives your site credibility and may encourage customers to deal with you in confidence.

A security protocol used to protect information – typically used between the cardholder’s web browser and the merchant’s webserver and throughout the transaction processing process. 128bit SSL is typical used as a minimum level within the Payment & Financial industries.

A Secure Server uses an SSL certificate. It is generally a piece of web space that can only be dealt with by using SSL ensuring that data transferred between the web space and the browser is encrypted.

Static web page
In web site terms, static means web pages that are not interactive. Because the web site visitor does not have any control over the information provided, the pages and information do not change with each visit. There is not a two-way communication between the user (client) and the web site (server) in a static page.

Uniform Resource Locator (URL)
An Internet address.

Web page
A specific group of related files on the web, which is usually viewed as a single document.

Web servers
At its core, a Web server serves static content to a Web browser by loading a file from a hard disk and serving it across the network to a user’s Web browser. This entire exchange is mediated by the browser and server talking to each other using HTTP.

Web site
A collection of web pages stored on a file server.

I recently had a couple of complaints in regards to the new Website. It turns out the site looks OK in Firefox but does not seem to work very well with Internet Explorer.

I ran the W3C Validator located at http://validator.w3.org/

When executed against the site it found 11 errors. The files and fixes (highlighted in RED) are described below.

File: Header.php

Error: required attribute “type” not specified

<script type=”text/javascript” src=”<?php bloginfo(‘template_directory’); ?>/js/addEvent.js”></script>

<script type=”text/javascript” src=”<?php bloginfo(‘template_directory’); ?>/js/sweetTitles.js”></script>

I have also seen some other errors in Header.php, but they don´t seem to be a big problem.

Error: document type does not allow element “li” here; missing one of “ul”, “ol”, “menu”, “dir” start-tag.

Update

I finally worked out what was going on…

It was the mod_rewrite (RewriteEngine) in the .htaccess file.

I´m running WPSuperCache, so I thought this may have caused some issues.

As it turned out it was the WordPress section of the .htaccess which was causing the problems. I probably modified it at some stage…

Another Problem Found and Fixed

I have been having problems when placing graphics into a posting, where although the WYSIWYG editor shows the correct layout, the text below the image wraps around the graphic when the site is viewed.

After some looking around, I found a similar article written in relation to a different theme. As it turns out the fix for the DUST-317 Theme is the same.

Edit the DUST-317 Theme style.css located in the DUST-317 theme directory. Search for this line.

#content p img{float:left;border:none;margin-right:10px;margin-bottom:10px;}

Remove the float:left; for the above line, making it look like this.

#content p img{border:none;margin-right:10px;margin-bottom:10px;}

ThatÅ› it… now the text sits under the graphics OK.

I recently read an article in a magazine and was shocked to see some of the toxic dangers which modern living introduce. Australian Men’s Health April 2008, by Susan Casey, pg 87.

I thought I would expand on this article here as a method of analysing some of the things Kerry and I need to be careful of. I hope this also assists others in understanding some of these dangers.

“Except for the small amount that’s been incinerated every bit of plastic ever manufactured still exists”

Toxic Articles	Polycarbonate Bottles (marked with a #7 in a triangle)	Cling wrap and plastic takeaway containers (marked with a #7)	Polystyrene cups and takeaway containers (marked with a #6)	Fast-food containers (with waxy lining) and non-stick (Teflon) pans.	Polyvinyl chloride (PVC), used in vinyl flooring, shower curtains and car interiors.
Dangerous Ingredients	Bisphenol A (BPA), a synthetic oestrogen, which can leach into the bottle’s contents when heated.span>	Phthalates, a probable human carcinogen and endocrine disruptor, can seep into food (especially fatty foods, such as delis meats and cheeses).	Styrene, a possible human carcinogen, can leah into the contents of the cup.	Perfluoro-octanoic acid (PFOA), a grease-repelling flourotelomer chemical and likely human carcinogen, can transfer from the waxy-plastic coating onto the food inside, especially at high temperatures.	Vinyl chloride is a known human carcinogen that gives off gas into the surrounding air, so it’s inhaled instead of ingested.span>
Linked to	Prostate cancer, reduced sperm count and reproductive-organ abnormalities, according to US studies at the universities of Missouri, Chicago and Cincinnati.	Reproductive problems like undescended testes and low sperm count, reveal researchers at New York’s University of Rochester and the Centres for Disease Control and Prevention in the US.span>	Cancer, warn scientists at the US Environmental Protection Agency’s (EPA) Office of Research and Development and the World Health Organisation’s International Agency for Research on Cancer.	Cancer, lung and kidney damage, according to studies at the EPA and Environmental Working Group in the US.	Cancer and liver damage, predicts both the EA and the Centre for Health and Environmental Justice in the US.
How to reduce your exposure	Pots, pans and bottles made from stainless steel are a non-toxic alternative. If you’re using polycarbonate, keep it out of the dishwasher and replace it every 60 days or if it’s scratched. Plastic releases toxins over tie when damaged or exposed to high heat.	Keep it out of microwave and dishwasher. Don’t store fatty or acidic foods in these containers, rather use waxed paper and buy meat wrapped in paper from the butcher. If you use plastic-wrapped cuts, trim the edges off where the product touched the wrapping.an>	Never drink hot liquids out of polystyrene ups. Use paper ones (those without a wax lining) whenever possible or a ceramic coffee mug. If your takeaway comes in polystyrene, transfer it to ceramic dish or glass as soon as possible.	The best alternatives to drive-through and delivery are sit-down restaurants and home cooking. At home, never use Teflon-coated pans. If you own any, replace with non-toxic cookware made from copper, cast iron or stainless steel.	Use natural materials for home flooring. Buy a shower curtain made from hemp – which lasts longer and is naturally mildew-resistant. New vinyl gives off aerial toxins at highly concentrated levels, so open windows to air spaces where this material is present.span>

These are also great articles:

http://www.seattlepi.com/local/326907_plastic09.html

http://www.bravenewleaf.com/environment/2008/02/updated-repeat.html

source

Summary
In November 2003, Adam Laurie of A.L. Digital Ltd. discovered that there are serious flaws in the authentication and/or data transfer mechanisms on some bluetooth enabled devices. Specifically, three vulnerabilities have been found:

Firstly, confidential data can be obtained, anonymously, and without the owner’s knowledge or consent, from some bluetooth enabled mobile phones. This data includes, at least, the entire phone book and calendar, and the phone’s IMEI.

Secondly, it has been found that the complete memory contents of some mobile phones can be accessed by a previously trusted (“paired”) device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire device can be “backed up” to an attacker’s own system.

Thirdly, access can be gained to the AT command set of the device, giving full access to the higher level commands and channels, such as data, voice and messaging. This third vulnerability was identified by Martin Herfurt, and they have since started working together on finding additional possible exploits resulting from this vulnerability.

Finally, the current trend for “Bluejacking” is promoting an environment which puts consumer devices at greater risk from the above attacks.
Vulnerabilities

The SNARF attack:
It is possible, on some makes of device, to connect to the device without alerting the owner of the target device of the request, and gain access to restricted portions of the stored data therein, including the entire phonebook (and any images or other data associated with the entries), calendar, real-time clock, business card, properties, change log, IMEI (International Mobile Equipment Identity [6], which uniquely identifies the phone to the mobile network, and is used in illegal phone ‘cloning’). This is normally only possible if the device is in “discoverable” or “visible” mode, but there are tools available on the Internet that allow even this safety net to be bypassed[4]. Further details will not be released at this time (see below for more on this), but the attack can and will be demonstrated to manufacturers and press if required.

The BACKDOOR attack:
The backdoor attack involves establishing a trust relationship through the “pairing” mechanism, but ensuring that it no longer appears in the target’s register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to (but note that so far we have only tested file transfers). This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways may be accessed without the owner’s knowledge or consent. Indications are that once the backdoor is installed, the above SNARF attack will function on devices that previously denied access, and without the restrictions of a plain SNARF attack, so we strongly suspect that the other services will prove to be available also.

The BLUEBUG attack:
The bluebug attack creates a serial profile connection