Ticketmaster SafeTix Reverse-Engineered

Ticketmaster is having a rough time lately. Recently, a hacker named [Conduition] managed to reverse-engineer their new “safe” electronic ticket system. Of course, they also had the recent breach where more than half a billion accounts had personal and financial data leaked without any indication of whether or not the data was fully encrypted. But we’re going to focus on the former, as it’s more technically interesting.

Ticketmaster’s stated goals for the new SafeTix system — which requires the use of a smartphone app — was to reduce fraud and ticket scalping. Essentially, you purchase a ticket using their app, and some data is downloaded to your phone which generates a rotating barcode every 15 seconds. When [Conduition] arrived at the venue, cell and WiFi service was totally swamped by everyone trying to load their barcode tickets. After many worried minutes (and presumably a few choice words) [Conduition] managed to get a cell signal long enough to update the barcode, and was able to enter, albeit with a large contingent of similarly annoyed fans trying to enter with their legally purchased tickets.

Continue reading “Ticketmaster SafeTix Reverse-Engineered”

Hiding Links In Plain Sight With Bookmark Knocking

Have you ever been looking for a screwdriver, USB stick, or your keys, only to find them right where you left them in plain sight? We have. As many prolific geocachers know, hiding things out in the open is a great way to make sure that people overlook them. 

[Jacob Strieb] has been researching various ways to password protect and hide browser bookmarks in plain sight. He calls his latest technique “Bookmark Knocking” and he’s made a demonstration available on his Github account.

Why hide bookmarks to begin with? A browser’s bookmark collection can give away the habits, interests, and needs of the person who put them there. Bookmarks to gifts, domestic abuse support websites, and other private destinations might be best kept away from prying eyes.

Inspired by port knocking — opening connections to specific network ports in sequence to gain access through a firewall — bookmark knocking requires clicking bookmarks in a specific order to open a link. When the bookmarks are accessed in the proper order, the third bookmark reveals a hidden site. It’s not only a novel approach to hiding things in plain sight, it’s very cool to use! 

We especially appreciate [Jacob]’s motivation: Helping those who are vulnerable to protect themselves in any way possible. It’s a solid reminder that technology can be elevated to a higher stature when put to a noble use. Be sure to check out the demonstration so you can try it for yourself!

If camouflaging data flips your bits, you may want to look at a neat way to embed data right into bash scripts, or conceal a WiFi enabled microcontroller in a USB cable. Do you have your own favorite “hidden in plain sight” hack? Be sure to let us know through the Tip Line.

 

 

 

Security This Week: Racoons In My TLS, Bypassing Frontends, And Obscurity

Raccoon is the next flashy security flaw with a name, cute logo, and a website (and a PDF). Raccoon is a flaw in TLS version prior to 1.3, and seems to be a clever bit of work, albeit one with limited real-world application. The central problem is that these older versions of TLS, when using Diffie Hellman (DH), drop leading all-zero bytes in the resulting pre-master key. As that key is part of the input for calculating the master session key, a shortened pre-master key results in a slightly faster calculation of the master key. If an attacker can make fine-grained timing measurements, he can determine when the pre-master key is trimmed.

Let’s review Diffie Hellman, briefly. The client and server agree on two numeric values, a base g and modulus p, and each party generates a secret key, a and b. Each party calculates a public key by raising the shared base to their own private key, mod the shared modulus: A = g^a mod p. These public keys are exchanged, and each party raises the received key to their own secret key: A^b. Exponents have a non-obvious quirk, the power rule. A value raised to a power raised to a power is the same as the value raised to the power of the exponents multiplied together. g^a^b is equal to g^(a*b). By going through this mathematical dance, the server and client have arrived at a shared value that only they know, while preserving the secrecy of their private keys. Continue reading “Security This Week: Racoons In My TLS, Bypassing Frontends, And Obscurity”

Inventory Report

Security Problems With Gas Station Automated Tank Gauges

[HD Moore] recently posted an article on Rapid 7’s blog about an interesting security problem. They’ve been doing some research into the security of automated tank gauges (ATGs). These devices are used at gas stations and perform various functions including monitoring fuel levels, tracking deliveries, or raising alarms. [Moore] says that ATGs are used at nearly every fueling station in the United States, but they are also used internationally. It turns out these things are often not secured properly.

Many ATG’s have a built-in serial port for programming and monitoring. Some systems also have a TCP/IP card, or even a serial to TCP/IP adapter. These cards allow technicians to monitor the system remotely. The most common TCP port used in these systems is port 10001. Some of these systems have the ability to be password protected, but Rapid 7’s findings indicate that many of them are left wide open.

The vulnerability was initial reported to Rapid 7 by [Jack Chadowitz]. He discovered the problem due to his work within the industry and developed his own web portal to help people test their own systems. [Jack] approached Rapid 7 for assistance in investigating the issue on a much larger scale.

Rapid 7 then scanned every IPv4 address looking for systems with an open port 10001. Each live system discovered was then sent a “Get In-Tank Inventory Report” request. Any system vulnerable to attack would respond with the station name, address, number of tanks, and fuel types. The scan found approximately 5,800 systems online with no password set. Over 5,300 of these stations are in the United States.

Rapid 7 believes that attackers may be able to perform such functions as to reconfigure alarm thresholds, reset the system, or otherwise disrupt operation of the fuel tank. An attacker might be able to simulate false conditions that would shut down the fuel tank, making it unavailable for use. Rapid 7 does not believe this vulnerability is actively being exploited in the wild, but they caution that it would be difficult to tell the difference between an attack and a system failure. They recommend companies hide their systems behind a VPN for an additional layer of security.

[Thanks Ellery]

Avoiding OS Fingerprinting In Windows

[Irongeek] has been working on changing the OS fingerprint of his Windows box. Common network tools like Nmap, P0f, Ettercap, and NetworkMiner can determine what operating system is being run by the behavior of the TCP/IP stack. By changing this behavior, you can make your system appear to be another OS. [Irongeek] started writing his own tool by checking the source of Security Cloak to find out what registry keys needed to be changed. His OSfuscate tool lets you define your own .os fingerprint file. You can pretend to be any number of different systems from IRIX to Dreamcast. Unfortunately this only works for TCP/IP. Other methods, like Satori‘s DHCP based fingerprinting, still work and need to be bypassed by other means. Yes, this is just “security through obscurity”, but it is something fun to play with.