Magnetic stripe card spoofer

After building a USB magnetic stripe reader, [David Cranor] has found a way to fool a magnetic stripe reader using a hand-wound electromagnet and an iPod. The data on a card is read and stored on a computer, then encoded as a WAV file using a C++ program. The iPod plays the WAV file with the data through a single-stage opamp amplifier connected to the headphone jack. The amplifier is used to drive the electromagnet. Video embedded after the jump.

By no means is this a new idea. There have been a lot of magnetic stripe projects and software. This project in particular references the 1992 Phrack article “A Day in the Life of a Flux reversal” by [Count Zero].

Don’t get your hopes up just yet on strolling through high security installations using this little device. It can only replay the data from a card that has been recorded. If you don’t have a known working card, it won’t get you very far.

[Read more...]

The GIFAR image vulnerability

Researchers at NGS Software have come up with a method to embed malicious code into a picture. When viewed, the picture could send the attacker the credentials of the viewer. Social sites like Facebook and Myspace are particularly at risk, but the researchers say that any site which includes log ins and user uploaded pictures could be vulnerable. This even includes some bank sites.

The attack is simply a mashup of a GIF picture and a JAR (Java applet). The malicious JAR is compiled and then combined with information from a GIF. The GIF part fools the browser into opening it as a picture and trusting the content. The reality is, the Java VM recognizes the JAR part and automatically runs it.

The researchers claim that there are multiple ways to deal with this vulnerability. Sun could restrict their Virtual Machine or web applications could continually check and filter these hybrid files, but they say it really needs to be addressed as an issue of browser security. They think that it is not only pictures at risk, but nearly all browser content.
More details on how to create these GIFARs will be presented at this week’s Black Hat conference in Las Vegas.

Make: television

Make Magazine, famous for the Maker Faire, among other things, has announced a new project called Make: television. The show will be coming to public television stations throughout the USA starting early 2009. The big news is that you can submit 2 minute long videos of your projects to be included in the show’s Maker Channel segment. The bigger news is that if your video is selected, they’ll send you a $50 gift certificate from the Maker Shed and a free year of Make Magazine.

Build a simple bat detector

[Tony Messina] had been fascinated with bat’s echolocation since he was a kid. After he retired, he decided to act on this fascination and built a simple bat detector.

The simple bat detector uses frequency division to lower the bat’s chirping to a frequency we can hear. For example, if a bat is calling at 91kHz the system will divide it by 16 and put out 5.7kHz. The system is digital, so all amplitude is lost. You’ll just hear clicks like a Geiger counter. Being digital has its advantages though. Unlike similar analog devices that have to be tuned to a small frequency range, the simple bat detector can detect a much wider window.

[Read more...]