Mobile, Vulnerability

Researcher wows Black Hat with NFC-based smartphone hacking demo

Charlie Miller shows how it’s possible—though not easy—to trick Nokia N9 and Google/Samsung Nexus S smartphones

At the Black Hat Conference in Las Vegas Wednesday, Accuvant Labs researcher Charlie Miller showed how he figured out a way to break into both the Google/Samsung Nexus S and Nokia N9 by means of the Near Field Communication (NFC) capability in the smartphones.

NFC is still new, but it is starting to be adopted, particularly for smartphone-based purchasing. The experimentation Miller did, which he demonstrated at the event, showed it is possible to set up NFC-based radio communication that pushes content to the smartphones in order to play tricks on them, such as delivering an exploit that crashes the phone and, in certain circumstances, reading files on the phone and more.

“I can read all the files,” said Miller about how he managed to break into the Nokia N9 when his home-made NFC-based device is in very close proximity to the targeted smartphone. “I can make phone calls, too.” Vulnerabilities he identified in the Android-powered Nexus S were located in the browser attack surface, he said. NFC works at near-contact range, and it could not be used to attack from any distance.

Miller said his efforts involved nine months of experimentation with NFC “fuzzing” techniques, and help from a cast of friends and fellow researchers. He said he plans to make his home-grown NFC fuzzing tool available to help with testing of NFC implementations, “since there really aren’t any today.”

News, Vulnerability

Researcher wins $200,000 prize from Microsoft for new exploit mitigation technology

Security researcher and Columbia University PhD student Vasilis Pappas was announced the winner of the Microsoft BlueHat Prize contest for an exploit mitigation technology called “kBouncer,” which is designed to detect and prevent return-oriented programming (ROP), a popular vulnerability exploitation technique.

Microsoft launched the BlueHat Prize contest one year ago at the Black Hat USA 2011 security conference in order to motivate security researchers to develop new anti-exploitation techniques. Pappas received a check for US$200,000 during the award ceremony event in Las Vegas on Thursday.

As part of the contest rules, Microsoft received a royalty-free license to use any of the submitted technologies, but their creators retain the intellectual property rights over them.

ROP is frequently used in exploits that target memory safety vulnerabilities like buffer overflows, which can result in the unauthorized execution of arbitrary code.

The technique makes exploits more reliable and allows attackers to get around security mechanisms present in modern operating systems, like Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR), said Carsten Eiram, chief security specialist at vulnerability research firm Secunia.

kBouncer was one of the three exploit mitigation technologies selected by Microsoft for the BlueHat Prize finals from a total of 20 entries that qualified.

Pappas worked on other exploit mitigation technologies in the past and already had the idea behind kBouncer in his head, he said. The BlueHat contest provided an opportunity to put it into practice.

The researcher doesn’t have any concrete plans yet for the technology or the $200,000 prize money that he received from Microsoft.

The other two technologies that made it into the final also focused on ROP prevention. They were developed by security researchers Jared DeMott and Ivan Fratric.

Fratric won second place and a $50,000 prize with his concept called “ROPGuard,” while DeMott won an MSDN subscription valued at $10,000 and an additional $10,000 for his approach called “/ROP”.

All three technologies proposed by the finalists should make it harder for attackers to exploit certain types of vulnerabilities, Eiram said. However, it will take time for them to be implemented properly, and vulnerability researchers will probably come up with different exploit approaches by then, he said.

Fratric’s “ROPGuard” idea has already been implemented in the 3.5 Technology Preview version of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) — a specialized security tool that can be used by system administrators to apply exploit mitigation technologies to other applications at runtime.

One of Microsoft’s core strategies is to implement exploit mitigations in its products, said Mike Reavey, senior director of the Microsoft Security Response Center. It’s already been done with Ivan Fratric’s technique and the other ideas are being evaluated, he said.


NSA chief asks hackers at Defcon for help securing cyberspace

National Security Agency Director General Keith B. Alexander addressed the attendees of the Defcon hacker conference in Las Vegas on Friday and asked for their help to secure cyberspace.

“This is the world’s best cybersecurity community,” said Gen. Alexander, who also heads the U.S. Cyber Command. “In this room right here is the talent our nation needs to secure cyberspace.”

Hackers can and must be part, together with the government and the private industry, of a collaborative approach to secure cyberspace, he said.

Hackers can help educate other people who don’t understand cybersecurity as well as they do, the NSA chief said. “You know that we can protect networks and have civil liberties and privacy; and you can help us get there.”

Gen. Alexander congratulated the organizers of Defcon Kids, an event dedicated to teaching kids how to be white-hat hackers, and described the initiative as superb. He called 11-year-old Defcon Kids co-founder CyFi to the stage and said that training young people like her in cybersecurity is what the U.S. needs.

The NSA director stressed the need for better information sharing between the private industry and the government and noted that the Congress is currently debating legislation to address this.

NSA’s and U.S. Cyber Command’s roles are to protect the nation from cyberattacks and foreign intelligence, Gen. Alexander said. The issue is that if you don’t see a cyberattack you can’t defend against it, and at the moment the NSA has no insight if Wall Street is going to be attacked, for example, he said.

Gen. Alexander pointed out that if the industry could share some limited pieces of information from their intrusion detection systems in real time, the NSA could take it from there.

The next step from information sharing is jointly developing standards that would help secure critical infrastructure and other sensitive networks, he said.

He encouraged hackers to get involved in the process. “We can sit on the sidelines and let others who don’t understand this space tell us what they’re going to do, or we can help by educating and informing them” of the best ways to go forward.

“That’s the real reason why I came here. To solicit your support,” he said. “You have the talent. You have the expertise.”

At the Aspen Security Forum conference on Thursday, Gen. Alexander revealed that there’s been a 17-fold increase in cyberattacks against U.S. infrastructure between 2009 and 2011, the New York Times reported.

The hacker community has built many of the tools that are needed to protect cyberspace and should continue to build even better ones, he said during his keynote at Defcon. He gave the example of Metasploit and other penetration testing tools.

“Sometimes you guys get a bad rap,” he said. “From my perspective, what you’re doing to figure out vulnerabilities in our systems is great. We have to discover and fix those. You guys hold the line,” he said.

Gen. Alexander’s presence at Defcon was a rare event. Before introducing him to the stage, Defcon founder Jeff Moss, who is the chief security officer of ICANN and a member of the U.S. Homeland Security Advisory Council, revealed that he has tried for the past 20 years to get a high-ranking NSA official to speak at the conference.


New Tools Bypass Wireless Router Security

Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use.

At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”

Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption.

Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router.

But according to new research, routers with WPS are vulnerable to a very basic hacking technique: The brute-force attack. Put simply, an attacker can try thousands of combinations in rapid succession until he happens on the correct 8-digit PIN that allows authentication to the device.

One way to protect against such automated attacks is to disallow authentication for a specified amount of time after a certain number of unsuccessful attempts. Stefan Viehböck, a freelance information security researcher, said some wireless access point makers implemented such an approach. The problem, he said, is that most of the vendors did so in ways that make brute-force attacks slower, but still feasible.
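The lockout policy the previous paragraph describes, modelled in code so its effect can be measured. This is an added example; it is not from the article, from Viehböck’s paper or tool, or from any vendor’s firmware, and `FailureLockout`, `simulate_exhaust` and every parameter value below are assumptions of the example. It shows how much a fixed lockout slows an exhaustive PIN search and contrasts that with an escalating lockout, which is the difference between “slower” and “infeasible” that the paragraph draws. The keyspace is a parameter: the article describes an 8-digit PIN, whose nominal space is 10**8, and reports that the real search finished in hours because of the protocol flaw documented in the linked paper, so the effective space should be set to whatever applies; the 10,000-value keyspace in the demonstration run is constructed so the simulation finishes in seconds.

```python
"""Failed-authentication lockout model for an online PIN-guessing scenario.
Added example, not code from the article, the linked paper, or any vendor.
Assumptions: one guess at a time against a single device, each guess taking a
fixed number of seconds, and a policy that refuses authentication for a while
after `threshold` consecutive failures."""

from dataclasses import dataclass


@dataclass
class FailureLockout:
    """Refuse authentication for a while after `threshold` consecutive failures.
    With backoff > 1 every further lockout lasts longer, up to max_lockout."""
    threshold: int                       # consecutive failures that trigger a lockout
    lockout_seconds: float               # length of the first lockout
    backoff: float = 1.0                 # multiplier applied per lockout already served
    max_lockout: float = float("inf")    # cap on an escalated lockout length
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0

    def allowed(self, now: float) -> bool:
        """True when an authentication attempt may be processed at time `now`."""
        return now >= self.locked_until

    def record(self, now: float, success: bool) -> None:
        """Update the failure counter after an attempt that finished at time `now`."""
        if success:
            self.failures = 0
            return
        self.failures += 1
        if self.failures >= self.threshold:
            length = min(self.lockout_seconds * self.backoff ** self.lockouts,
                         self.max_lockout)
            self.locked_until = now + length
            self.lockouts += 1
            self.failures = 0


def simulate_exhaust(keyspace: int, attempt_seconds: float, policy: FailureLockout) -> float:
    """Wall-clock seconds for a guesser to try every value while honouring the lockout.
    Worst case for the defender's model: the correct value is the last one tried."""
    now = 0.0
    for guess in range(keyspace):
        if not policy.allowed(now):
            now = policy.locked_until          # the guesser has to wait the lockout out
        now += attempt_seconds
        policy.record(now, success=(guess == keyspace - 1))
    return now


def worst_case_seconds(keyspace: int, attempt_seconds: float,
                       threshold: int, lockout_seconds: float) -> float:
    """Closed form of simulate_exhaust for a fixed (non-escalating) lockout."""
    lockouts = (keyspace - 1) // threshold     # lockout windows hit before the last guess
    return keyspace * attempt_seconds + lockouts * lockout_seconds


def slowdown_factor(attempt_seconds: float, threshold: int, lockout_seconds: float) -> float:
    """How many times longer a fixed lockout makes an exhaustive search. The factor does
    not depend on keyspace size, so it turns hours into days, not into centuries."""
    return (attempt_seconds + lockout_seconds / threshold) / attempt_seconds


if __name__ == "__main__":
    # Constructed parameters: 1 s per guess, 10,000 effective values (not the article's numbers).
    policies = [
        ("no lockout", FailureLockout(threshold=10**9, lockout_seconds=0)),
        ("fixed 60 s after 3 failures", FailureLockout(3, 60)),
        ("doubling lockout, capped at 1 day", FailureLockout(3, 60, backoff=2, max_lockout=86400)),
    ]
    for label, policy in policies:
        secs = simulate_exhaust(10_000, 1.0, policy)
        print(f"{label:35s} {secs / 3600:12.1f} hours to exhaust 10,000 guesses")
    print(f"fixed-lockout slowdown factor: {slowdown_factor(1.0, 3, 60):.0f}x")
```

The closed form makes the paragraph’s point explicit: a one-minute lockout after three failures multiplies any search by about 21 regardless of how large the space is, so if the effective space is small enough to finish in hours without a lockout, it still finishes within days with one. The escalating variant grows the cost with every further window, which is what moves the attack from slow to impractical.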

Earlier today, Viehböck released on his site a free tool that he said can be used to duplicate his research and findings, detailed in this paper (PDF). He said his tool took about four hours to test all possible combinations on TP-Link and D-Link routers he examined, and less than 24 hours against a Netgear router.

“The Wi-Fi alliance members were clearly opting for usability” over security, Viehböck said in an instant message conversation. “It is very unlikely that nobody noticed that the way they designed the protocol makes a brute force attack easier than it ever should.”


Separately, Craig Heffner, a researcher with Columbia, Md.-based security consultancy Tactical Network Solutions, has released an open-source tool called “Reaver” to attack the same vulnerability. Heffner notes that once an attacker has successfully guessed the WPS PIN, he can instantly recover the router’s encryption passphrase, even if the owner changes the passphrase. In addition, he warns, “access points with multiple radios (2.4/5GHz) can be configured with multiple WPA keys. Since the radios use the same WPS pin, knowledge of the pin allows an attacker to recover all WPA keys.”


The important thing to keep in mind with this flaw is that devices with WPS built-in are vulnerable whether or not users take advantage of the WPS capability in setting up their router. Also, routers that include WPS functionality are likely to have this feature turned on by default.

First the good news: Blocking this attack may be as simple as disabling the WPS feature on your router. The bad news is that it may not be possible in all cases to do this.

In an advisory released on Dec. 27, the U.S. Computer Emergency Readiness Team (US-CERT) warned that “an attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.” The advisory notes that products made by a number of vendors are impacted, including Belkin, Buffalo, D-Link, Linksys, Netgear, TP-Link and ZyXel.

Viehböck said none of the router makers appear to have issued firmware updates to address the vulnerability. The US-CERT advisory makes no mention of updates from hardware vendors. The advisory also says little about which models may be affected, but if your router has a “WPS PIN” notation on its backside, then it shipped with this WPS feature built-in.


Virtual Sweatshops Defeat Bot-or-Not Tests

Jobs in the hi-tech sector can be hard to find, but employers in one corner of the industry are creating hundreds of full-time positions, offering workers on-the-job training and the freedom to work from home. The catch? Employees will likely toil for cybercrooks, and their weekly paychecks may barely cover the cost of a McDonald’s Happy Meal.

The abundance of these low-skilled, low-paying jobs is coming from firms that specialize in the shadowy market of mass-solving CAPTCHAs, those blurry and squiggly words that some websites force you to retype. One big player in this industry is KolotiBablo, a service that appeals to spammers and exploits low-cost labor in China, India, Pakistan, and Vietnam.

KolotiBablo, which means “earn money” in transliterated Russian, helps clients automate the solving of puzzles designed to prevent automated activity by bots, such as leaving spammy comments or mass-registering accounts at Webmail providers and social networking sites. The service offers an application programming interface (API) that allows clients to feed CAPTCHAs served in real time by various sites, which are then solved by KolotiBablo workers and fed back to the client’s system.

Paying clients interface with the service through Antigate, a site hosted on the same server. Antigate charges clients 70 cents to $1 for each batch of 1,000 CAPTCHAs solved, with the price influenced heavily by volume. KolotiBablo says employees can expect to earn between $0.35 and $1 for every thousand CAPTCHAs they solve.

The twin operations say they do not condone the use of their services to promote spam, or “all those related things that generate butthurt for the ‘big guys,’” most likely a reference to big free Webmail providers like Google and Microsoft. Still, both services can be found heavily advertised and recommended in several underground forums that cater to spammers and scam artists.

Registered users can read more about why customers typically purchase the service, and how KolotiBablo is run. From the description:

“All CAPTCHAs in our service are completely solved by real humans; there are usually 500-1000 (and growing) workers online from all over the world. That’s why we can process any CAPTCHAs at any volume for a fixed price of $1 per 1000 CAPTCHAs.

You may think that using human resources this way is inappropriate or inhumane. However, keep in mind that we pay most of the collected money to our workers, who sit in the poorest corners of our planet, and this work gives them a stable ability to buy food and clothes for themselves and their families. Most of our staff is from China, India, Pakistan and Vietnam.”


To get started as a CAPTCHA-solving worker at KolotiBablo, you’ll need to provide a working account at WebMoney, a virtual currency. After that, the system will start feeding you live CAPTCHAs to solve, prefacing each with a notice about the rate that the client has agreed to pay per batch.

Depending on the demands that clients place on the service, there may be a brief delay between CAPTCHAs, but generally only a few seconds pass between the time a solved puzzle is submitted and when a new one is offered. Each new puzzle is preceded by an audible “beep,” and workers are expected to solve and type each of the CAPTCHAs in less than 10 seconds. During downtime, the system displays workers’ average puzzle solving times, as well as actual and projected weekly earnings.

If this sort of drudgery sounds like easy money, take a moment to work out the math. Assuming that you can solve six CAPTCHAs per minute and work eight hours straight, you’d be able to solve about 2,880 puzzles each day. Even at the highest CAPTCHA solving rate, you’d only make $2.88 daily; at the lowest rate, you’d make just over a dollar a day.

No, the real earnings only come when you assemble an army of workers to solve CAPTCHAs for your WebMoney account, as described in the service’s own FAQ.

As long as there is low-cost human labor willing to do this kind of work for pennies per day, CAPTCHAs will continue to be an ineffective way to prevent automated account creation and spammy Web site comments. But at least experts are working on making CAPTCHAs less annoying: Some firms are starting to pitch more user-friendly alternatives to the hard-to-read squiggly CAPTCHAs.

If you’d like to learn more about CAPTCHAs and the semi-automated systems being built to defeat them, I’d suggest reading this paper (PDF) on CAPTCHA-solving services, from researchers at University of California, San Diego. Also, in Nov. 2010, I wrote about CAPTCHABot, another puzzle-solving service with similar rates and practices.


Phishing Your Employees 101

A new open source toolkit makes it ridiculously simple to set up phishing Web sites and lures. The software was designed to help companies test the phishing awareness of their employees, but as with most security tools, this one could be abused by miscreants to launch malicious attacks.

Simple Phishing Toolkit admin page

The Simple Phishing Toolkit includes a site scraper that can clone any Web page — such as a corporate Intranet or Webmail login page — with a single click, and ships with an easy-to-use phishing lure creator.

An education package is bundled with the toolkit that allows administrators to record various metrics about how recipients respond, such as whether a link was clicked, the date and time the link was followed, and the user’s Internet address, browser and operating system. Lists of targets to receive the phishing lure can be loaded into the toolkit via a spreadsheet file.
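The metrics package described above, reduced to its reporting step: joining the recipient roster with the landing page’s web-server log to produce per-recipient click data (whether a link was clicked, when, from which address, and with which browser and operating system). This is an added example and is not part of the Simple Phishing Toolkit, which has its own education module and data formats; the per-recipient token parameter `t`, the Combined Log Format input, the two-column CSV roster, and every log line and address below are constructed for the example.

```python
"""Click-metrics report for an internal phishing-awareness exercise.
Added example, not code from the Simple Phishing Toolkit. Assumptions: every
recipient's link carries a per-recipient token in query parameter `t`, the
landing page is served by a web server writing Combined Log Format lines, and
the roster is a CSV with `token` and `email` columns. All input is constructed."""

import csv
import io
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed roster: the two columns of the target spreadsheet that matter here.
ROSTER_CSV = """token,email
a1b2c3,alice@example.test
d4e5f6,bob@example.test
g7h8i9,carol@example.test
"""

# Constructed Combined Log Format lines from the landing-page web server. Alice clicked
# twice (logged out of order), Bob once, Carol never; the last two lines are a scanner
# presenting an unknown token and an unrelated request.
ACCESS_LOG = """\
203.0.113.7 - - [10/Jan/2012:09:15:30 +0000] "GET /landing?t=a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"
198.51.100.23 - - [10/Jan/2012:09:20:45 +0000] "GET /landing?t=d4e5f6 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/534.52.7 (KHTML, like Gecko) Version/5.1.2 Safari/534.52.7"
203.0.113.7 - - [10/Jan/2012:09:14:02 +0000] "GET /landing?t=a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"
192.0.2.55 - - [10/Jan/2012:09:30:00 +0000] "GET /landing?t=zzzzzz HTTP/1.1" 200 512 "-" "curl/7.21.0"
192.0.2.55 - - [10/Jan/2012:09:31:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.21.0"
"""

# Combined Log Format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def classify_agent(ua):
    """Rough browser and OS labels from a User-Agent string; a heuristic, not a parser.
    Chrome is tested before Safari because Chrome's UA string also contains "Safari"."""
    browser = next((b for b in ("Chrome", "Firefox", "MSIE", "Safari") if b in ua), "other")
    if "Windows" in ua:
        os_name = "Windows"
    elif "Mac OS X" in ua:
        os_name = "macOS"
    elif "Linux" in ua:
        os_name = "Linux"
    else:
        os_name = "other"
    return browser, os_name


def parse_log(text):
    """Yield (token, timestamp, ip, user_agent) for every successful tokenised request."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue                                   # unparseable line or not a served page
        token = parse_qs(urlsplit(m.group("path")).query).get("t", [None])[0]
        if token is None:
            continue                                   # request without a recipient token
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((token, ts, m.group("ip"), m.group("ua")))
    return events


def build_report(roster_csv, access_log):
    """Map each roster e-mail to its first click (or None), ignoring unknown tokens."""
    roster = {row["token"]: row["email"] for row in csv.DictReader(io.StringIO(roster_csv))}
    report = {email: None for email in roster.values()}
    for token, ts, ip, ua in sorted(parse_log(access_log), key=lambda e: e[1]):
        email = roster.get(token)
        if email is None or report[email] is not None:
            continue                                   # scanner/typo token, or a repeat click
        browser, os_name = classify_agent(ua)
        report[email] = {"clicked_at": ts.isoformat(), "ip": ip,
                         "browser": browser, "os": os_name}
    return report


def click_rate(report):
    """Fraction of recipients who followed the link at least once."""
    if not report:
        return 0.0
    return sum(1 for v in report.values() if v is not None) / len(report)


if __name__ == "__main__":
    result = build_report(ROSTER_CSV, ACCESS_LOG)
    for email, click in result.items():
        print(email, click or "no click")
    print(f"click rate: {click_rate(result):.0%}")
```

Sorting the events by timestamp before the join means the report records each recipient’s first click even when the log is out of order, and the roster lookup drops requests with tokens that were never issued, so scanners probing the landing page do not inflate the numbers.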

The makers of the software, two longtime system administrators who asked to be identified only by their first names so as not to jeopardize their day jobs, say they created it to help companies educate employees about the dangers of phishing scams.

“The whole concept with this project started out with the discussion of, ‘Hey, wouldn’t it be great if we could phish ourselves in a safe manner,’” said Will, one of the toolkit’s co-developers. “It seems like in every organization there is always a short list of people we know are phishable, who keep falling for the same thing every six to eight weeks, and some of this stuff is pretty lame.”


First released in October 2011, the Simple Phishing Toolkit is already in its fourth revision. The latest version includes an education module with the options to ‘educate on link click’ (to warn users about the dangers of drive-by malware downloads), upon form submission (credential harvesting), or not at all.

Partly to deflect criticism about the tool’s potential for abuse by miscreants, the toolkit doesn’t include the capability to capture data that recipients enter into forms in the phishing pages, although its creators say this feature will be offered in a future version as an optional add-on.

While more comprehensive open source phishing toolkits (e.g., the Social-Engineer Toolkit for BackTrack/Metasploit) have been in existence for some time, Will and project co-developer Derek said they wanted a more lightweight approach.

“We wanted a stand alone project that doesn’t cost money and doesn’t take a lot of devotion to learning,” Derek said.

The toolkit lives up to its name: It’s extremely simple to install and to use. Using a copy of WampServer — a free software bundle that includes Apache, PHP and MySQL — I was able to install the toolkit and create a Gmail phishing campaign in less than five minutes.

It seems that not long ago, the idea of organizations phishing their own employees was controversial. These days, there are a number of organizations that offer this awareness training as a service. If you’d rather design and execute the training in-house, SPT looks like a great option.


‘MegaSearch’ Aims to Index Fraud Site Wares

A new service aims to be the Google search of underground Web sites, connecting buyers to a vast sea of shops that offer an array of dodgy goods and services, from stolen credit card numbers to identity information and anonymity tools.

MegaSearch results for BIN #423953

A glut of data breaches and stolen card numbers has spawned dozens of stores that sell the information. The trouble is that each shop requires users to create accounts and sign in before they can search for cards.

Enter MegaSearch, which lets potential buyers discover which fraud shops hold the cards they’re looking for without having to first create accounts at each store. This free search engine aggregates data about compromised payment cards, and points searchers to various fraud shops selling them.

According to its creator, the search engine does not store the compromised card numbers or any information about the card holders. Instead, it works with card shop owners to index the first six digits of all compromised account numbers that are for sale. These six digits, also known as the “Bank Identification Number” — or BIN — identify which bank issued the cards. Searching by BIN, MegaSearch users are given links to different fraud shops that are currently selling cards issued by the corresponding bank.

I first read about this offering in a blog post by RSA Fraud Action Research Labs. It didn’t take much time poking around a few hacker boards to find the brains behind MegaSearch pitching his idea to the owners of different fraud shops. He agreed to discuss his offering with me via instant message, using the search service as his screen name.

“I’m standing on a big startup that is going to be [referred to as] the ‘underground Google,’” MegaSearch told KrebsOnSecurity. “Many users spend a lot of time looking [through] shops, and I thought why not make that convenient?”


The service currently indexes compromised BINs from five different card shops, although he said several more shops are close to completing their integration with MegaSearch. He acknowledged garnering a small advertising fee for each relationship, although he repeatedly declined to discuss the particulars of those arrangements. But he said both sides benefit: stolen card data grows less reliable with age, and fraud shops that are indexed by MegaSearch stand a better chance of clearing their inventory faster, the hacker argues.

MegaSearch said that when his site first launched at the end of 2011 and began indexing the five card shops he’s now tracking, those shops had some 360,000 compromised accounts for sale, collectively. Since then, those shops have moved more than 200,000 cards. The search engine currently has indexed 352,000 stolen account numbers that are for sale right now in the underground.

According to BIN search stats published on the site, Citibank cards are the most sought-after, followed by cards issued by FIA Card Services, Capital One and Chase.

In the coming weeks, he said, the site will include new features that index other types of criminal wares, including Social Security numbers and proxies — addresses of hacked PCs that paying clients can use as a relay to anonymize their online communications.

“I’m about to add more services to that site that would help newbie underground, including proxies, stolen identity information, etc.,” MegaSearch told me. “I’m also going to add a survey [to rate] the best shop.”

2011 has been called the Year of the Data Breach. If services like MegaSearch are indicative of a trend, 2012 may well become known as the year the criminal underground started getting a clue about how to better index and use all of its stolen data.