Archives for: 2009

RATB/Metrorex Card Activ Hacked

11/14/09 | by zveriu | Categories: Hardware, Software, Hack, Hack, RFID

RATB/Metrorex Card Activ Hacked
…and “Mifare Classic Dark-Side Key Recovery Tool” released under GPL!

Well… It was about time for RATB/Metrorex Card Activ in Bucharest to fall… And it is not even news. OV Chipkaart in the Netherlands and Oyster Card in London were broken in the recent and not-so-recent past…

RATT Contactless Ticketing in Timisoara and EasyCard in Taipei are the next samples of cards to be “hacked", i.e. the keys are already recovered; only the data remains to be analyzed.

Mifare Classic is both theoretically and practically broken in both active (sniffing) and passive (card-only) attack scenarios.

Thanks to ignorance, lots of money/interest (14 million euros) and UTI/PMB (Primaria Municipiului Bucuresti/Bucharest City Hall) involvement, RATB/Metrorex still uses Mifare Classic.

Hell ya, where are they gonna go? It’s a logistic nightmare to upgrade the readers in the entire RATB fleet and all Metrorex entrances, manage the exchange of the 800,000 cards already sold, not to mention the additional several million euros for upgraded equipment and software…

Even though researchers have been blowing the whistle since last year, no system integrator or vendor seems to care :). Well, it seems that a few smart guys (and I am not pointing at myself, I just implemented what others had known and researched for a long time) can fcuk up dozens of systems, each costing millions of euros.

Nice equation: (a dozen smart guys * their brain IQs of millions) >>>OUTWEIGHS>>> (the dozens of projects * XX million euros)

Long story short, here we go - food for the brain (yes - food for the brain, not spoon-feeding - note the difference):

RATB/Metrorex Mifare Card Security Assessment Document (PDF)

RATB/Metrorex Mifare Card Security Assessment Document (MS Word 2007)

MFCUK (MiFare Classic Universal toolKit) http://code.google.com/p/mfcuk/

Enjoy!

PS: (14 Nov 2009)
Ironically, on the night of publishing this paper/post and the open-source/binary for key recovery, UTI posted this news item: “Cardurile de călătorie RATB se pot reîncărca online sau la bancomat (13 noiembrie 2009)” (i.e. “RATB cards can now be topped-up online or at some BCR ATMs”).

DISCLAIMER: The information and reference implementation source/binary contained herein is provided:

  • for informational use only as part of academic or research study, especially in the field of informational security, cryptography and secure systems
  • as-is without any warranty, support or liability - any damages or consequences resulting from consulting this information are purely on the side of the reader
  • NOT to be used in illegal circumstances (for example to abuse, hack or trick a system for which the reader does not have specific authorization - such as ticketing systems, building access systems or whatsoever systems using Mifare Classic as core technology)
Tags: mifare, classic, key recovery, mifare classic key recovery tool, mifare classic key hack tool, mifare key recovery source binary executable, key crack, ratb metrorex hack, ratb.ro metrorex.ro hack, ratb metrorex crack, ratb.ro metrorex.ro crack, crypto1, crapto1, lsfr_common_prefix, dark side attack, dark side paper, dark side implementation, darkside libnfc, darkside crapto1, darkside attack implementation, ratb metrorex card activ sat spart hackuit crackuit, uti ratb metrorex card activ hack hacked, ratt hack, ratt card hack, ratt.ro hack, ratt.ro card hack, ratt card crack, ratt crack, ratt card spart hackuit crackuit, easycard mifare classic taipei card hack crack, crypto1 crack, crypto1 hack, crapto1, libnfc key recovery, proxmark3 key recovery

About AskAmit

10/06/09 | by zveriu | Categories: In real life, Software, AskAmit

About AskAmit

At my previous work, and here also, my coworkers and I had an internal subject [AskAmit] for sharing shitty code (which we find around or even discover in inherited projects) among us.

This continued in the current company - like for example this one (not an exact reproduction, but still) in Java (truly existing code at my present company :D) – test if a boolean variable is true or false:

Code:

// "true" has 4 characters and "false" has 5, so the string length is used as the test...
if (boolean_var.toString().length() == 4)
{
      // True, do the True actions
}
else if (boolean_var.toString().length() == 5)
{
      // False, do the False actions
}
else
{
      // Ummm, raise processor fault?
}

The [AskAmit] name came from an incredibly naive line in Sun’s JMF (Java Media Foundation) from those times (2002) that made the framework buggy enough (though it was a good concept):

jmf-2_1_1e-scsl-src/src/share/com/sun/media/util/Registry.java
if (file.length() == 0) { // TODO: Ask AMITH if you need this

Seems like [AskAmit]-kind-of groups grow everywhere, so it reached a critical level called GovnoKod (ShittyCode) – highly recommended reading if you want to avoid stepping onto the shitty paths of programming.

Excerpts - Enjoy!

———————————————————————

C / GovnoKod #1829

Code:

#define TRUE FALSE //Happy debugging >:P

A classic of the genre.

———————————————————————

C / GovnoKod #1317

Code:

if(true)
{
  //Code
}
else
{
  //Commented, not compiling. ^_^
};

A way of commenting out code… O_o

———————————————————————

C / GovnoKod #405

Code:

++i--;

The “twitch” operation

———————————————————————

Assembler / GovnoKod #453

Code:

mov ebx, eax
mov eax, ebx

Borland’s code generator sometimes emits this

———————————————————————

Assembler / GovnoKod #414

Code:

...
jmp 0x0437
jmp 0x0437
...

Just in case, probably for when the first one doesn’t work :)

———————————————————————


iPhone OpenGL Demo - Water Waves Effect

09/21/09 | by zveriu | Categories: Fun, Software, iPhone, iPhone

UPDATE 20100102: As there seem to appear some unsatisfied fuckup-folks, read this first:

  • code is provided AS IS, no warranties
  • got no time to sort things out? don’t lose your time checking out the code then
  • lazy enough/loser programmer and looking for spoon-feeding solutions only? don’t lose your time checking out the code then
  • don’t like my code? write better one instead and let me see you give it for free before you comment
  • for whoever is “fuck you"-ing me for whatever frustration reason they got - you are free to leave the blog - this blog is not for you

UPDATE 20090921: ZIP with sources is NOT corrupted. Please use 7-Zip archiver (ver >= 1.59)

Some time back, I was asked by Emi Abramzon and Gustavo Rubacha from http://www.ideasforiphone.com if I could do some freelancing on a water-waves effect for iPhone. Though I didn’t get into that project, I wanted to do some demo.

Spent one weekend on this. Not very astonishing, but it was still an interesting task :). The algorithm is not mine. It is based on the “DSAqua project”.

I just integrated everything into the iPhone OpenGL ES skeleton of the cube.

Also, I previously provided the sources to Tony Konstant from mousehog.com (btw he has some nice ideas) - he was interested in this effect, but unfortunately I couldn’t find any application related to this on his site.

Download iPhone OpenGL Demo - Water Waves Effect Source

Enjoy!

iPhone OpenGL Demo - 3D Cube with Texture, Light, Rotate and Zoom options

09/21/09 | by zveriu | Categories: Fun, On the web, Software, iPhone

iPhone OpenGL Demo

UPDATE 20100102: As there seem to appear some unsatisfied fuckup-folks, read this first:

  • code is provided AS IS, no warranties
  • got no time to sort things out? don’t lose your time checking out the code then
  • lazy enough/loser programmer and looking for spoon-feeding solutions only? don’t lose your time checking out the code then
  • don’t like my code? write better one instead and let me see you give it for free before you comment
  • for whoever is “fuck you"-ing me for whatever frustration reason they got - you are free to leave the blog - this blog is not for you

UPDATE 20090921: ZIP with sources is NOT corrupted. Please use 7-Zip archiver (ver >= 1.59)

UPDATE: Sources iPhone OpenGL ES Cube 3D with texture (Some reported archive corruption. Seems to work well with 7-Zip 4.5x, 4.6x for Windows)

This is a demo video showing my humble achievements in the direction of OpenGL ES 1.1 for iPhone, using some texture and light experiments. It is of course not intended as a working program, it’s rather a demo concept snippet of code.

The binary:
- source written in objective-c
- compiled as native application with iPhone toolchain under cygwin
- ran on iPhone 1.1.2 OOB

The acknowledgements go to:
- AJW - for great iPhone OpenGL startups
- ZeusCMD - for great OpenGL ES tutorials
- nullriver - for posts and links

Here is the binary available for download:
iPhone OpenGL ES Demo binary

Instructions:
- GLTextureCube to be put into /Applications and given proper permissions (755 for dirs and files will suffice)
- zveriu.raw to be put into /private/var and given at least read permission (444 will suffice)
- you can replace zveriu.raw with your own image data, provided you follow the constraints:
  – 128 by 128 pixels - sorry, had to hard-code it to speed up the working demo ;D
  – raw data, i.e. no headers, compression, etc. - :crazy:
  – 1 (one) byte per color channel, color scheme RGB
  – basically it is a 24-bit BMP with no header, just the raw pixel data
- to obtain such a raw file, you can:
  – get a 128 by 128 24-bit BMP file with your texture
  – open it with IrfanView
  – make sure you have the IrfanView plugin named Formats
  – save as BMP with the RAW file type, instructing IrfanView to make it 24-bit RGB (not BGR!) and interleaved, meaning bytes follow as RGBRGB…RGBRGB and not RRRRRR…GGGGGG…BBBBBB
- basically, to check that the zveriu.raw (case sensitive!) you have created is right, the file size should be 128 (width) * 128 (height) * 3 (bytes for RGB) = 49152 bytes exactly
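As an added example (not part of the original post or of the demo sources), here is the same BMP-to-raw conversion done in Python instead of IrfanView, including the exact-size check; it goes a bit beyond the manual steps by also handling the 4-byte row padding and the bottom-up row order that a real BMP carries. The function names `make_test_bmp` and `bmp_to_raw_rgb` are mine, and the test image is constructed inline so the script runs offline.

```python
import struct

# Constraints from the post: 128x128 texture, 3 bytes per pixel, interleaved RGB, no header.
WIDTH, HEIGHT, BPP = 128, 128, 3
EXPECTED_RAW_SIZE = WIDTH * HEIGHT * BPP  # 49152 bytes exactly


def make_test_bmp(pixels_rgb, width=WIDTH, height=HEIGHT):
    """Build a minimal 24-bit BMP from (r, g, b) tuples: constructed test input, written the
    way BMP stores pixels (bottom row first, BGR byte order, rows padded to 4 bytes)."""
    stride = (width * 3 + 3) & ~3
    body = bytearray()
    for y in range(height - 1, -1, -1):
        for x in range(width):
            r, g, b = pixels_rgb[y * width + x]
            body += bytes((b, g, r))
        body += b"\x00" * (stride - width * 3)
    offset = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = b"BM" + struct.pack("<IHHI", offset + len(body), 0, 0, offset)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return bytes(file_header + dib_header + body)


def bmp_to_raw_rgb(bmp):
    """Convert an uncompressed 24-bit BMP into the header-less, top-down, interleaved
    RGBRGB... stream the demo loads (what the IrfanView RAW export step produces)."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", bmp, 18)
    if bpp != 24 or compression != 0:
        raise ValueError("need an uncompressed 24-bit BMP")
    if (width, abs(height)) != (WIDTH, HEIGHT):
        raise ValueError("texture is hard-coded to %dx%d" % (WIDTH, HEIGHT))
    stride = (width * 3 + 3) & ~3
    rows = []
    for r in range(abs(height)):
        row = bmp[pixel_offset + r * stride : pixel_offset + r * stride + width * 3]
        # BMP stores BGR; swap each pixel to RGB and drop the row padding
        rows.append(bytes(c for x in range(0, len(row), 3) for c in (row[x + 2], row[x + 1], row[x])))
    if height > 0:  # positive height means bottom-up storage: flip to top-down
        rows.reverse()
    raw = b"".join(rows)
    if len(raw) != EXPECTED_RAW_SIZE:
        raise ValueError("raw size %d, expected %d" % (len(raw), EXPECTED_RAW_SIZE))
    return raw
```

Write the returned bytes to a file named zveriu.raw (case sensitive) and it satisfies the 49152-byte check above.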

Hope you enjoyed this post.

I have some more ideas to test on iPhone - hope to overcome all the limitations (including time-constraint :) ). And by the way - the USRP is solved, need to get GNUradio working on one of the boxes (cygwin refuses to get me wxPython right for GNUradio - will stick to Ubuntu for the moment!)

Tags: iPhone OpenGL OpenGL ES OpenGLES Demo Cube Cube3D Texture USRP GNUradio

Yahoo Music steals from YouTube?!

05/18/09 | by zveriu | Categories: Fun, On the web, Music, DailySpammer

It is sometimes interesting and amusing to see how even big players steal from each other :)

I was very surprised to see that a flash ad for Yahoo! Music has a video screenshot resembling… YouTube video… When clicking the Video section of the mentioned ad, I was redirected to Yahoo! Music

Maybe I am mistaken, but from what I understand even the flash player design is a matter of design copyright. Maybe I am wrong - then please correct me in comments.

[Screenshot] Yahoo! Music Ad Initial - Check the player frame

[Screenshot] Yahoo! Music Ad After Click - Check the player frame

[Screenshot] Yahoo! Music Typical player frame

[Screenshot] YouTube Typical player frame

[Screenshot] Player frames compared to the one in the Yahoo! Ad

Few questions arise:

  • Is Yahoo! Music together with YouTube?
  • Is Yahoo! Music trying to subliminally drive users from YouTube to Yahoo! Music?
  • Is YouTube somehow licensing its player design to other market players?

Thoughts are welcome, as always.

PS: the link which displayed the mentioned ad was found here

Copyright disclaimer: all the trademarks mentioned here are owned by the respective owners. The same applies to the graphical designs depicted in the screenshots.
Tags: yahoo music, yahoo, youtube, copyright

iPhone Face Detection

02/17/09 | by zveriu | Categories: Software, iPhone, Hack

iPhone Face Detection

I think it is pretty amazing, since as far as I know and searched, it seems that it is the first face detection app to be running on iPhone itself.

Regarding comparison with iFace and iPhoto - it looks like these apps snap the picture and send it to a central server for processing, etc. (I am not going to go into a detailed description and comparison of all these apps’ features though)

Also, it seems like hotels far away from home may act as energy and ideas boosters. One year back once setting up my site, I proposed myself to make the code portable and run on as many platforms, including iPhone which I got at that time. One year of delaying and finally few days of hotel lock-up and I have it working for the iPhone.

Feeling of satisfaction is unbeatable.

Few notes:

  • Code is almost 100% portable. Yes, few minor tweaks of settings for the compiling environments, but overall the same routines are used for all these platforms: Windows, Linux, Cygwin, iPhone (FW 1.1.2), Mac OSX.
  • It is good to see false-positives and missed true-positives if talking from a research point of view, since this means there is room to improve and study. The percentages of detected true-positives, missed true-positives and false-positives seem to be around 80%/15%/5%.
  • Still have to check and properly evaluate processing times. No figures here yet
  • Compilers used are gcc flavors for the corresponding platform/architecture
  • For the iPhone I used iphone-dev team’s toolchain for iPhone FW 1.x
  • Unfortunately, I cannot share or release code at this point. Please don’t ask for it, at least for the moment
  • However, if you have any serious research or commercial offers, don’t hesitate to contact me (contacts on right panel)
  • Click here for related links of my previous work

TODOs:

  • Seems like last-minute hassle made my facial features (eyes-mouth triangle) stop working properly. Hopefully it will be fixed next time I touch the code (never know when that happens)
  • Face recognition. I have some experimental code for PCA method, though I want more research on this.
  • Face and flow tracking in video feed from iPhone (crappy) camera

Stay tuned…

Tags: iPhone face detection recognition tracking iFace iPhoto iFaceFriend image video processing computer vision digi-face digiface digi-face.net digi-face.org andrei costin andreicostin.com

eJobs.ro - SQL in-FUCK-jected!

02/03/09 | by zveriu | Categories: On the web, DailySpammer, AskAmit, Hack, SQL Injection

eJobs.ro security hacked screwed again - execution with cool-blooded SQL injection

Yes boyz and pretty girlz, eJobs.ro gets it in the face again and gives away 1.3 million résumés and personal information! What’s more - passwords in clear text, not even hashed…

My two cents on this:

1. Nice work from the guys here - HackersBlog.org

2. Some of my early whistle-blowing to ejobs.ro here (ejobs XSS1) and here (ejobs XSS2) - seems like they have either a deaf or a nonexistent security assessment team… Too pitiful for them…

3. It seems that the method used by the guys was one of my earliest attack methods, which I left aside for some dumb reasons. eJobs.ro Attack Vectors file

The below is what I was exercising back then, and a similar attack vector is what the guys really used to SQL-inject (the below no longer works, for obvious reasons… :) )

Code:

4. Also, if you go specifically to http://ejobs.ejobs.ro (yes, double times ejobs, it is not a typo!) you will see an internal eJobs position posting. The interesting details I have highlighted below:

[Screenshot] eJobs job posting - hahaha

Till next time, enhance your Knowledge of Secure Programming Best Practices
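As an added illustration (not code from the post, from HackersBlog.org or from eJobs), here are the two mistakes the post calls out side by side in Python with sqlite3: a login check that concatenates user input into SQL and compares clear-text passwords, next to a parameterised lookup verified against a salted hash. The table, the user row and the function names are constructed sample material.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256: a leaked table then exposes hashes, not the passwords themselves
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def setup_db():
    """In-memory stand-in for a job site's user table (constructed sample row, not real data).
    The clear-text 'password' column exists only to show the weak design next to the hashed one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("alice@example.com", "s3cret", salt, hash_password("s3cret", salt)))
    db.commit()
    return db


def login_vulnerable(db, email, password):
    """Query assembled by string concatenation against a clear-text password column:
    any quote in the input becomes part of the SQL, which is exactly what an SQL injection abuses."""
    sql = ("SELECT COUNT(*) FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_hardened(db, email, password):
    """Parameterised lookup (the driver keeps the input as data, never as SQL) and a
    constant-time comparison against the stored salted hash."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(stored_hash, hash_password(password, salt))
```

With the hardened version a dumped table yields only salts and PBKDF2 hashes, and quote characters in the login form are matched literally instead of rewriting the query.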

Tags: ejobs, ejobs.ro, ejobs ro, ejobs.ro sql injection, ejobs.ro sqli, ejobs.ro hacked, ejobs.ro hackuit, ejobs.ro security, ejobs.ro spart, ejobs.ro database, ejobs.ro baza de date, ejobs.ro CVuri

google.com - malware problem

02/03/09 | by zveriu | Categories: Fun, On the web, Software, DailySpammer, AskAmit, Hack

google.com - malware problem

As many might recall, Google had a glitch that tagged every single site as a malware site. More details are:
- @ Google Blogs (fcuk - I think someone will get pretty fudged up in the ase at Google for this human error, since it was necessary for a VP of one of the biggest corporations to officially give explanations and apologies - those who worked or are working for some kind of corporation know the price of this kind of thing…)
- @ StopBadware.org

One of the nicest things is Google tagging itself (i.e. Google) as malware.

Philosophically speaking, Google being a source of trust for a wide majority of people/systems AND at the same time tagging itself as malware (even though for a very small amount of time AND by “mistake” - I would love to believe that it was a mass social experiment :) ) - doesn’t it raise the old class of computer-field (and not only) problems: “chain of trust, and breaking the chain of trust?!”

Here is my screenshot :D :

[Screenshot] Google tags Google as malware

Tags: google malware, google is malware, google stopbadware
