Ringleader claimed to be an IT contractor, got access to bank computers.
Using social engineering to install a remote-controlled keyboard-video-mouse (KVM) switch on bank PCs, the gang managed to transfer millions to outside accounts in two separate jobs in April
and July of 2013. They were caught attempting to rob a third bank in September.
Level 8 of the Stripe CTF is a password server that returns success: true if and only if the password provided matches the stored password. The result comes back directly via
a RESTful API and, optionally, indirectly via a callback URI. The solution is a side channel attack like a timing attack, but with port numbers instead of time.
(I found this in my drafts folder and had intended to post a while ago.)
Code
    import json
    from twisted.internet import reactor   # the level's server is built on Twisted

    # Method on the password server's protocol class, invoked with a sub-server's reply.
    def nextServerCallback(self, data):
        parsed_data = json.loads(data)
        # Chunk was wrong!
        if not parsed_data['success']:
            # Defend against timing attacks
            remaining_time = self.expectedRemainingTime()
            self.log_info('Going to wait %s seconds before responding' % remaining_time)
            reactor.callLater(remaining_time, self.sendResult, False)
            return
        self.checkNext()
Issue
The password server breaks the target password into four pieces and stores each on a different sub-server. When a password request is sent to the main server, it makes a request to each
sub-server for its part of the password. It does this in series, and if any part fails it stops midway through. Password requests may also be made with corresponding callback URIs; after the
server decides on the password, it makes an HTTP request to the provided callback URIs saying whether the password was success: true or false.
A timing attack looks at how long it took for a password to be rejected: longer times could mean a longer prefix of the password was correct, allowing for a directed brute force attack. Timing
attacks are prevented in this case by code on the password server that attempts to wait the same amount of time even if the first sub-server responds with false. However, the server uses
sequential outgoing port numbers, shared between the requests to the sub-servers and the requests to the callback URIs. Accordingly, we can examine the source port numbers of the requests to
our callback URI to direct a brute force attack.
If the password provided is totally incorrect then the password server contacts one sub-server and then your callback URI. So if you see the remote server's port number go up by two between
requests to your callback URI, you know the password is totally incorrect. If by three, then the first fourth of the password is correct and the rest is incorrect. If by four, then two
fourths of the password are correct. If by five, then all four sub-servers were contacted, so you need to rely on the actual content of the callback request, success: true or false, since you
can't tell from the port change alone whether the password was totally correct.
The trick in the real world is false positives. The port numbers are sequential over the whole system, so if the password server is the only thing making outgoing connections then its port numbers
will also be sequential, but other things on the system can interrupt this. This means the password server could contact three sub-servers, where you'd normally see the port number increase by
four, but it could really increase by four or more because of other things running on the system. To counteract this I ran in cycles: brute forcing the first fourth of the password and removing
any entry that gets a two-port increase while keeping all others. Eventually I could remove all but the correct first fourth of the password, and so on for the next parts of the password.
I wrote my app to brute force this in Python. This was my first time writing Python code so it is not pretty.
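As an added example (not the author's solver and not the CTF's code), here is a self-contained simulation of the leak and of its fix: a constructed stand-in server hands out sequential source ports with some unrelated port noise, the elimination cycles described above recover the password from the short-circuiting server, and the same cycles get nowhere against a server that always contacts all four sub-servers. The class, function names and the 12-digit password are all constructed for this example.

```python
import random
CHUNKS, CHUNK_LEN, ALPHABET = 4, 3, '0123456789'

class PasswordServer:
    """Constructed stand-in for the level's server: every outgoing connection (each
    sub-server, then the callback) takes the next port; `noise` is other processes."""
    def __init__(self, password, short_circuit=True, noise=0.3, seed=1):
        self.pieces = [password[i:i + CHUNK_LEN] for i in range(0, len(password), CHUNK_LEN)]
        self.short_circuit, self.noise, self.rng, self.port = short_circuit, noise, random.Random(seed), 40000

    def check(self, guess):
        """Returns (success, source port of the callback): all a callback URI sees."""
        if self.rng.random() < self.noise:
            self.port += self.rng.randint(1, 3)      # unrelated outgoing traffic
        ok = True
        for i, piece in enumerate(self.pieces):
            self.port += 1                            # one connection per sub-server
            if guess[i * CHUNK_LEN:(i + 1) * CHUNK_LEN] != piece:
                ok = False
                if self.short_circuit:                # the leak: later servers never contacted
                    break
        self.port += 1                                # the callback request itself
        return ok, self.port

def recover_chunk(server, prefix, index, max_cycles=25):
    """Elimination cycles for chunk `index` given a known `prefix`: a wrong candidate shows a
    delta of exactly index + 2 whenever no noise lands; noise only adds, so that delta proves it wrong."""
    cands = {a + b + c for a in ALPHABET for b in ALPHABET for c in ALPHABET}
    pad = 'x' * CHUNK_LEN * (CHUNKS - index - 1)      # 'x' is never a correct digit
    last = server.check(prefix + 'x' * CHUNK_LEN + pad)[1]
    for _ in range(max_cycles):
        for cand in sorted(cands):
            ok, port = server.check(prefix + cand + pad)
            delta, last = port - last, port
            if index == CHUNKS - 1 and ok:            # last chunk: only the flag tells
                return cand
            if delta == index + 2:
                cands.discard(cand)
        if index < CHUNKS - 1 and len(cands) == 1:
            return cands.pop()
    return None                                       # no usable leak within the budget

def recover_password(server):
    prefix = ''
    for index in range(CHUNKS):
        chunk = recover_chunk(server, prefix, index)
        if chunk is None:
            return None                               # the server does not leak
        prefix += chunk
    return prefix
```

Against the hardened server (short_circuit=False) every request costs five connections regardless of how much of the guess is right, so the delta carries no information and recover_password gives up.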
Apparently they cast folks who have already closed on a house. Well… at least the folks on the show are non-actors who were actually recently looking for a new house…
Use of my old Hotmail account has really snuck up on me as I end up caring more and more about all of the services with which it is associated. The last straw is Windows 8 login, but previous straws include Xbox, Zune, SkyDrive, and my Windows 7 Phone.
I like the features and syncing associated with the Windows Live ID, but I don't like my old, spam-filled Hotmail email address on the Live ID account.
A coworker told me about creating a Live ID from a custom domain, which sounded like just the ticket for me. Following the instructions above I was able
to create a new deletethis.net Live ID but the next step of actually using this new Live ID was much more difficult. My first hope was there would be some way to link my new and old Live IDs so
as to make them interchangeable. As it turns out there is a way to link Live IDs but all that does
is make it easy to switch between accounts on Live Mail, SkyDrive and some other webpages.
Instead one must change over each service or start over depending on the service:
There's no way to do this for the Zune specifically, however changing over your Xbox account also transfers over all your Zune purchased
content. I don't have a Zune Pass so I can't confirm that, but all of my previously purchased television shows transferred over successfully.
Windows 7 Phone
To change the main Live ID associated with your phone, reset your phone to factory default and start over. All purchased applications are
lost. Had I purchased any applications I would have been pissed, but instead I was just irritated that I had to reset my phone.
Mail
I don't use my Hotmail account for anything and it only sits and collects spam. Accordingly I didn't attempt switching this over.
SkyDrive
I didn't have much in my SkyDrive account. I downloaded all files as a zip and then manually uploaded them to the new account.
2010 Dec 30, 6:42
"Posted here, verbatim, is an example of the sort of spam I get. 'hello I am China dinosaur factory .Hope that you know our product more .Also hope that we can establish long-term cooperative relation.'"
Tags: humor, spam, robot, dino
I just finished watching both seasons of this very funny and engaging TV series I'd previously never heard of, and I highly recommend it. Adam Scott stars as an actor who has given up on his dream of
acting and joins a catering company, working alongside actors trying to make it in LA. There are many ties to Veronica Mars: the show's creator is Rob Thomas (the creator of Veronica Mars), the show
features Ken Marino and Ryan Hansen, and it has guest stars including Kristen Bell, Jason Dohring, and Enrico Colantoni. It has many of the same talented people from Veronica Mars, but Party
Down is more like a smarter and funnier The Office, given the relationship between Adam Scott and Lizzy Caplan and their subtle mockery of their wackier workmates and inept boss.
2010 Feb 18, 4:59
"At TED2010, Bill Gates unveils his vision for the world's energy future, describing the need for "miracles" to avoid planetary catastrophe and explaining why he's backing a dramatically different type of nuclear reactor."
Tags: ted, bill-gates, video, environment, energy
2009 Aug 14, 9:58
Photos of "...the smelting of Sonic's rings, the chiseling of the 1-Up mushroom, and the rubber-pressed rebounding blocks of Arkanoid."
Tags: videogame, mario, tetris, factory, photo
2009 Jun 8, 3:40
I didn't hear about this at the time, but a sixth Hitchhiker's Guide novel will be written by Eoin Colfer. This article has some quotes from Eoin about it, and big-shoe filling is addressed. Also in the article is a clip, played on BBC Radio, of the voice actor of Arthur Dent from the radio series as Arthur Dent complaining about being brought back to life.
Tags: hhgttg, douglas-adams, eoin-colfer, and-another-thing, book, news, audio
I've made another extension for IE8,
Outline View, which gives you a sidebar in IE that displays an outline of the current page and lets you make intrapage bookmarks.
The outline is generated based on the heading tags in the document (e.g. h1, h2, etc.), kind of like what W3C's Semantic data extractor
tool displays for an outline. So if the page doesn't use heading tags the way the HTML spec intended, or just sticks img tags in them, then the outline doesn't look so hot. On a page that does
use headings as intended, though, it looks really good. For instance, a section from the HTML 4 spec shows up quite nicely, and I find it's
actually useful to be able to jump around to the different sections. Actually, I've been surprised going to various blogs by how well the outline view is actually working -- I thought a lot more
webdevs would be abusing their heading tags.
I've also added intrapage bookmarks. When you make a text selection and clear it, that selected text is added as a temporary intrapage bookmark, which shows up in the correct place in the outline.
You can navigate to the bookmark or right click to make it permanent. Right now I'm storing the permanent intrapage bookmarks in IE8's new per-domain DOM storage because I wanted to avoid writing
code to synchronize a cross-process store of bookmarks, it let me play with DOM storage a bit, and the bookmarks get cleared appropriately when the user clears their history via the
control panel.
2009 Mar 14, 10:23
TED talks from Aimee Mullins, mostly on the topic of her prosthetic legs. The two talks are eleven years apart and you can note the advances in tech. "A record-breaker at the Paralympic Games in 1996, Aimee Mullins has built a career as a model, actor and activist for women, sports and the next generation of prosthetics."
Tags: aimee-mullins, video, ted, prosthetic, body-mod, via:boingboing
2009 Jan 22, 9:48
"Revocation presents another challenge. If a system relies only on a biometric for both identity and authentication, how do you revoke that factor? Forgotten passwords can be changed; lost smartcards can be revoked and replaced. How do you revoke a finger?"
Tags: article, microsoft, security, identity, authentication, biometrics
2009 Jan 22, 9:43
'Behind the press reports, the academic community has been engaged in a hot debate over whether the evidence supports a connection between the violent content of games and any behavioral effects. One of the researchers who has argued forcefully that it's not is Christopher Ferguson, who has just published a paper that argues that the continued societal focus on games as a causal factor in violence is an example of what's termed a "moral panic."'
Tags: game, violence, society, videogames
2008 Sep 5, 2:15
"Do a commercial, there's a price on your head, everything you say is suspect..." Bill Hicks quotes about actors who do commercials, mixed with music laid on top of video of famous actors in cheesy commercials, make for a surprisingly catchy video. (Lyrics NSFW)
Tags: music, video, humor, commercial, advertising, bill-hicks
Sarah and I got an exercise bike on sale and when attempting to put it together found that it was missing a bag of about ten different screws. The manufacturer website said we could order
a replacement bag for thirty dollars (!!) but since the instructions listed the various kinds of screws we needed I figured we could just go to a hardware store and buy them.
We started at Home Depot because I didn't know better. The screws are all listed in metric sizes which is apparently uncommon and a helpful senior worker forwarded us to McLendons whose stock was better but we were again redirected this time to Tacoma Screw Products.
Tacoma Screw Products is great! See them for your hardware needs first! The store has a back area with every kind of screw ever. I felt a little out of place as all the customers looked like
contractors. The employee who helped me explained the various options I had in screws, as the bike instructions weren't as explicit as they could have been. In the end I bought all my screws for
only one dollar (much better than $30!) and they all fit correctly.
2007 Dec 26, 5:45
Miscellaneous thoughts I had that would have been relevant many months ago:
A History Channel program had a reenactment of a 1920s archaeologist discovering a stone tablet, sending the tablet to a warehouse, etc., all behind the voice over giving the dry facts. The
reenactor hammed it up a bit and I would have rather had clips from Indiana Jones in the background. If they're already not showing me the archaeologist who discovered the tablet, they may as well
show me one who will be entertaining.
There are many parodies of the Get a Mac ads, so when I saw a UK Get a Mac ad I paid attention to see what the joke was. I was
disappointed by the 'parody' because it was a conventional Get a Mac ad with different actors. Apple localized their Get a Mac ad campaign in this fashion in the UK and in Japan. I've got a
playlist of the US, UK, and Japanese versions of the Piechart ad. Ranking the lovable bumblingness of the PC, I give the order
UK, Japan, then US, and ranking the smugness of the Mac, I give the order UK, US, then Japan. But don't take my word for it; view
the ads for yourself.
Yahoo Pipes lets users generate an RSS feed altering service that runs on Yahoo's servers using a GUI. This is very different from Microsoft's Popfly, which allows users to component-ize and share JavaScript utilities that run client side in a web browser. Both have the awesome power of buzzword associations
like 'Web 2.0' and 'Mashup', but in my mind Yahoo Pipes is for server side RSS feed modification and Popfly is about client side JavaScript webpages. And neither will allow me to run an arbitrary
XSLT =).