Wednesday, August 11, 2010

I saw this interesting article from Wired about ATM reprogramming hacks. It is apparent how tempting these cash machines are for underworld hackers. The story is:
A North Carolina grocery worker is being held without bail in Houston on attempted computer hacking charges after inadvertently partnering with an undercover FBI agent in an alleged citywide ATM-reprogramming caper. Thor Alexander Morris, 19, was arrested at a Houston flea market last month after trying a default administrative passcode on a Tranax Mini-Bank ATM there, according to the FBI. Morris, who was wearing a wig to disguise his appearance, allegedly hoped to reprogram the machine to think it was loaded with $1 bills instead of $20 bills. That would let him pull $8,000 in cash with $400 in withdrawals from a prepaid debit card.
Cash-machine–reprogramming scams were first noticed in the financial industry in 2005, and surfaced publicly in 2006 when a cyber thief was caught on video looting an ATM at a Virginia gas station. Threat Level later confirmed that default administrative passcodes for retail ATMs manufactured by Tranax and Triton were printed in owner’s manuals easily found online.
On the drive to his first cash machine, Morris bragged to the undercover agent that he’d already conducted ATM hacking trips to Tennessee, Florida, South Carolina and Virginia, and hit machines in his home town of Jacksonville. He also boasted about other supposed exploits as a “hacker”, claiming he’d stolen credit card information from the Food Lion where he worked, and had targeted the Navy Federal Credit Union and Walmart in a manner unspecified in the criminal complaint.
When he was through gabbing, Morris donned a long, black curly hair hairpiece he called his “Rick James” wig and walked with the agent to an ATM at the Mercado 6 flea market, where managers had previously agreed to cooperate in the investigation. The agent watched as Morris entered the key sequence that brings up the “Enter Password” screen, and then keyed in the default passcode for the Tranax Mini-Bank.
The code, though, had been changed on this machine, and Morris was thwarted. He allegedly tried two more times, then tried a completely different code before the FBI agents surveilling the scene got impatient and arrested him.
ATM hacking being an interesting topic, I did further research and was astonished to find out some facts on how easy it is to hack an ATM and make it dispense more money than it should. Please read this for information purposes only, and do not try to hack an ATM if this vulnerability still exists or has been left unpatched.
Unlike common ATM tricks, which use various high-tech devices to capture the identity of your ATM card and your PIN number, this attack starts with the hackers identifying the ATM maker and model, for example from video like the one in the news report about the ATM reprogramming scam at a gas station on Lynnhaven Parkway in Virginia Beach.
The Tranax Mini Bank 1500 series was found to have serious issues and to be open to hacking. Hackers managed to find the default passcode and back-door key sequence for that particular machine and reprogrammed it to dispense more money with the help of the Tranax Mini Bank 1500 Series (MB1500) operator manual or installation manual, which contains a lot of security-sensitive information, including:
  • Instructions on how to enter the diagnostic mode or operator function menu.
  • Default Master, Service or Operator passwords.
  • Default Combinations For the Safe.
The Tranax Mini-Bank 1500 user guide also explains how to set the denomination of the bills (the value of the cash notes, i.e. $1, $5, $10, $20, $50 or $100) that the ATM’s cassettes will dispense. That is all a fraudster needs to make the ATM believe the $20 bills it dispenses are actually $5 or $1 bills, at a hefty profit. The only remaining step is finding an ATM whose factory-default passcodes and passwords were never changed. Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the US, the majority of them the flagship Mini-Bank 1500 model that was rigged in the Virginia Beach heist, according to eWeek.
In the Virginia Beach case, the scammer successfully reprogrammed the Tranax MB1500 series ATM to act as if it had $5 bills in its dispensing tray instead of $20 bills, then withdrew cash using a prepaid debit card at a 300% profit. However, he forgot to reprogram the ATM back to the correct denomination, and it was left misprogrammed for the next nine days before somebody reported the misconfiguration, which revealed the fraud.
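The nine days the Virginia Beach machine sat misprogrammed is the detection failure in this story: the operator's transaction ledger was recording $5 notes while the cassette was physically losing $20 notes, and nobody compared the two. The following is an added example (not code from the blog post, from Wired or from Tranax) that models a cassette with a configured bill value that differs from the value actually loaded, runs a day's withdrawals through it, and performs the end-of-day reconciliation that exposes the mismatch on day one. The note counts and withdrawal amounts are constructed, and the class and function names are the example's own.

```python
from dataclasses import dataclass


@dataclass
class Cassette:
    """One note cassette. `configured` is the bill value the ATM software has
    been told it holds; `actual` is the bill value physically loaded."""
    configured: int
    actual: int
    notes: int


@dataclass
class Atm:
    cassette: Cassette
    ledger_total: int = 0      # value the host authorised and recorded
    notes_dispensed: int = 0   # physical note count that left the machine
    cash_out_actual: int = 0   # real value that left the machine

    def withdraw(self, amount: int) -> int:
        """Dispense `amount` by counting notes at the *configured* value,
        exactly as a misconfigured machine would. Returns real cash dispensed."""
        if amount <= 0 or amount % self.cassette.configured:
            raise ValueError("amount must be a positive multiple of the configured bill value")
        notes = amount // self.cassette.configured
        if notes > self.cassette.notes:
            raise ValueError("cassette does not hold enough notes")
        self.cassette.notes -= notes
        self.notes_dispensed += notes
        self.ledger_total += amount
        real = notes * self.cassette.actual
        self.cash_out_actual += real
        return real


def reconcile(atm: Atm) -> dict:
    """End-of-day balance: what the ledger says left the machine versus what
    physically left it (notes counted times the bill value actually loaded).
    Any variance raises an alert, and the implied bill value points straight
    at a wrong denomination setting rather than at a short cassette."""
    variance = atm.cash_out_actual - atm.ledger_total
    implied = atm.cash_out_actual // atm.notes_dispensed if atm.notes_dispensed else None
    return {
        "ledger_total": atm.ledger_total,
        "physical_cash_out": atm.cash_out_actual,
        "variance": variance,
        "implied_bill_value": implied,
        "configured_bill_value": atm.cassette.configured,
        "alert": variance != 0,
    }


def simulate(configured: int, actual: int, withdrawals, notes: int = 2000) -> dict:
    """Run a day's withdrawals against one cassette and return the reconciliation."""
    atm = Atm(Cassette(configured, actual, notes))
    for amount in withdrawals:
        atm.withdraw(amount)
    return reconcile(atm)


if __name__ == "__main__":
    # Constructed scenarios mirroring the two cases described in the post.
    print("Houston plan ($20 bills configured as $1):", simulate(1, 20, [400]))
    print("Virginia Beach ($20 bills configured as $5):", simulate(5, 20, [100, 200]))
    print("Correctly configured machine:", simulate(20, 20, [400, 200]))
```

The check only needs two numbers the operator already has, the host's authorised total and the physical note count from the cassette, so it costs nothing to run at every cash replenishment; a nonzero variance whose implied bill value matches a real denomination is the signature of a reprogrammed cassette rather than of theft from the vault.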
ATM hacking has become common in all kinds of places, including gas station pumps, Food World, supermarkets and hotels: any unattended card reader, not just feral ATMs. But skimmers are pocket-sized or smaller, so even attended readers are at risk. Another card trick, detected at a fast-food joint, had the cashier dip the card beneath the counter, just for an instant, where it was skimmed before coming back up to be run through the real card reader.
Further reading:
The Krebs on Security blog has more information on previous ATM attacks and is worth reading: click here

Exploit Kit: government website hack

Three of the US Department of the Treasury's websites have been compromised to spread malware. This is another good example of how easy it is to use automated toolkits to identify security vulnerabilities on a computer and exploit them. The sites belong to the US Bureau of Engraving and Printing, whose primary mission is to produce paper currency for the federal government.
Roger Thompson, chief research officer at AVG, said the attackers injected a malicious IFRAME into the sites, causing visitors to be unknowingly redirected to a hacker-owned site in Ukraine. The attack site has previously been flagged as suspicious, according to a StopBadware report.
Websites operated by the US Treasury Department are redirecting visitors to websites that attempt to install malware on their PCs, a security researcher warned on Monday. A spokesperson for the Treasury Department did not immediately respond to a request for comment. It is unclear whether any visitors were infected.
To cover their tracks, the miscreants behind the compromise tailored it to attack only IP addresses that haven't already visited the Treasury websites. That makes it harder for white-hat hackers and law enforcement agents to track the exploit. Indeed, Thompson initially reported that the problem had been fixed, until he discovered the sites were merely skipping over laboratory PCs that had already encountered the attack.
Today, we came across an embedded iframe inside the Department of the Treasury website. This iframe (pictured below) is used to silently load one of the Eleonore exploit kit's main URLs, which in turn determines the best available exploitation method for the browser accessing the site.
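The two details that matter for anyone checking their own site for this kind of compromise are that the injected iframe is invisible and off-site, and that it is served only to IP addresses that have not visited before, so one clean fetch proves nothing. The following is an added example (not code from the post, from AVG or from Panda Labs) that parses fetched HTML with the standard library, flags iframes that are both hidden and point at another host, and unions the results across several fetches. The HTML, the site hostname and the landing-page hostname are constructed placeholders, not the real Treasury pages or the real exploit-kit URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate embedded video plus an injected, invisible
# iframe pointing at an external host. Hostnames are placeholders.
SITE_HOST = "treasury.example"
COMPROMISED_HTML = """<html><body>
<h1>Bureau of Engraving and Printing</h1>
<iframe src="/media/tour.html" width="640" height="360"></iframe>
<iframe src="http://kit-landing.example/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""
# The same page as served to an IP that has already visited: injection absent.
CLEAN_HTML = """<html><body>
<h1>Bureau of Engraving and Printing</h1>
<iframe src="/media/tour.html" width="640" height="360"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_hidden(attrs: dict) -> bool:
    """Zero/one-pixel size or CSS hiding: nothing a visitor was meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(dim, "").strip().rstrip("px") in ("0", "1")
               for dim in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_injected_iframes(html: str, site_host: str) -> list:
    """Return the src URLs of iframes that are both hidden and off-site."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname        # None for relative (same-site) URLs
        off_site = host is not None and host != site_host
        if off_site and _is_hidden(frame):
            findings.append(src)
    return findings


def scan_fetches(fetches, site_host: str) -> list:
    """Union of findings over several fetches made from different source IPs.
    Because the injection is served only to first-time visitors, a single
    clean fetch is not evidence that the site is clean."""
    seen = []
    for html in fetches:
        for src in find_injected_iframes(html, site_host):
            if src not in seen:
                seen.append(src)
    return seen


if __name__ == "__main__":
    print(find_injected_iframes(COMPROMISED_HTML, SITE_HOST))
    print(find_injected_iframes(CLEAN_HTML, SITE_HOST))
    print(scan_fetches([CLEAN_HTML, COMPROMISED_HTML], SITE_HOST))
```

In practice the fetches would come from a set of addresses that have never touched the site (or from a fresh address each time), and the same hidden-and-off-site test applies to `<script src>` and `<object>` tags, which exploit kits use in the same way.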
For more information on the attack, read the Panda Labs blog.

Monday, August 2, 2010

GoogleSharing: Firefox Add-on

For everyone who cares about privacy and worries about companies like Google looking at private information such as the content of your email, your IP address, your search requests, your preferences, the news you read and the places you go: here is a tool called "GoogleSharing", designed to keep Google from tracking users' activities on the internet. The main idea is simple: a series of proxy servers designed to work with the Google services that do not require a login. Every access to such a Google service, like Google Search for instance, is automatically routed through a GoogleSharing proxy server that replaces the user's identifying data with its own.
It is a system that mixes the requests of many different users together, so that Google cannot tell what is coming from whom. GoogleSharing's main objectives are:
  • Provide a system that will prevent Google from collecting information about you from services which don't require a login.
  • Make this system completely transparent to the user. No special websites, no change to your work flow.
  • Leave your non-Google traffic completely untouched, unredirected, and unaffected.

The developers have made the GoogleSharing proxy code available, along with a Firefox add-on, so that it can be analysed by security people and anyone can install the proxy on their own web server.
The GoogleSharing system consists of a custom proxy and a Firefox add-on. The proxy works by generating a pool of GoogleSharing "identities", each of which contains a cookie issued by Google and an arbitrary User-Agent for one of several popular browsers. The Firefox add-on watches for requests to Google services from your browser and, when enabled, transparently redirects all of them (except for things like Gmail) to a GoogleSharing proxy. There your request is stripped of all identifying information, which is replaced with the information from a GoogleSharing identity.
This "GoogleShared" request is then forwarded on to Google, and the response is proxied back to you. Your next request will get a different identity, and the one you were using before will be assigned to someone else. By "sharing" these identities, all of our traffic gets mixed together and is very difficult to analyze.
The GoogleSharing proxy also constantly injects false but plausible search requests through all the identities.
The result is that you can transparently use Google search, images, maps, products, news, etc... without Google being able to track you by IP address, Cookie, or any other identifying HTTP headers. And only your Google traffic is redirected. Everything else from your browser goes directly to its destination.
GoogleSharing also uses HTTPS for the connection between your Firefox browser (with GoogleSharing) and the GoogleSharing server, which makes your searches much more secure against third parties spying on them, e.g. over Wi-Fi.
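The mechanism described above has three moving parts: decide which hosts are redirected (Google services that need no login), strip the headers that identify the user and substitute a pooled identity, and rotate identities so consecutive requests from one person look like different people. The following is an added example written in the style the post describes; it is not GoogleSharing's own code, and the header list, the login-host set, the identity pool and the request headers are all constructed for the illustration.

```python
import itertools
from dataclasses import dataclass

# Request headers that identify the user or their network; everything else
# passes through to Google unchanged.
STRIP_HEADERS = {"cookie", "user-agent", "referer", "x-forwarded-for",
                 "via", "authorization"}
# Services that need a login are left alone, as the add-on does with Gmail.
LOGIN_HOSTS = {"mail.google.com"}


@dataclass(frozen=True)
class Identity:
    """One pooled identity: a Google-issued cookie and a popular browser's User-Agent."""
    cookie: str
    user_agent: str


class SharingProxy:
    def __init__(self, identities):
        if not identities:
            raise ValueError("identity pool must not be empty")
        # Round-robin rotation: each request takes the next identity, so the
        # one a user just used goes to whoever asks next.
        self._pool = itertools.cycle(identities)

    @staticmethod
    def should_redirect(host: str) -> bool:
        """Only non-login Google traffic is redirected; all else goes direct."""
        is_google = host == "google.com" or host.endswith(".google.com")
        return is_google and host not in LOGIN_HOSTS

    def rewrite(self, host: str, headers: dict) -> dict:
        """Strip identifying headers and substitute the next pooled identity.
        Non-Google and login-service traffic is returned unchanged."""
        if not self.should_redirect(host):
            return dict(headers)
        clean = {k: v for k, v in headers.items() if k.lower() not in STRIP_HEADERS}
        ident = next(self._pool)
        clean["Cookie"] = ident.cookie
        clean["User-Agent"] = ident.user_agent
        return clean

    def decoy_requests(self, queries):
        """Pair plausible cover queries with identities, so every identity also
        carries search traffic that did not come from any real user."""
        return [(next(self._pool), q) for q in queries]


# Constructed identity pool and a constructed user request.
POOL = [
    Identity("sid=pool-1", "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"),
    Identity("sid=pool-2", "Mozilla/5.0 (Macintosh) Safari/533"),
    Identity("sid=pool-3", "Mozilla/5.0 (X11; Linux) Chrome/5.0"),
]
USER_HEADERS = {
    "Host": "www.google.com",
    "Cookie": "sid=real-user-cookie",
    "User-Agent": "Mozilla/5.0 (the user's real browser)",
    "Accept": "text/html",
}


if __name__ == "__main__":
    proxy = SharingProxy(POOL)
    for _ in range(2):
        print(proxy.rewrite("www.google.com", USER_HEADERS))   # different identity each time
    print(proxy.rewrite("mail.google.com", USER_HEADERS))      # untouched
    print(proxy.decoy_requests(["weather tomorrow", "local news"]))
```

The example keeps the `Host` and `Accept` headers because the proxy still has to reach the right Google service and honour the content negotiation; only the fields that tie a request to a person or a network path are replaced. The source IP is not a header at all and is hidden simply because Google sees the proxy's address rather than the user's.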
To download the add-on, click here