Copy Link
Add to Bookmark
Report
Dig 01
...Magazine Information...
Disclaimer
All information is protected by the first amendment. Information is
provided purely for educational purposes. All information presented
here is thought to be accurate; however no guarantees are made or
implied. DIG, authors, editors, and affiliates cannot and will not be
held responsible for any actions arising from persons reading or
downloading this information. We do not condone, support or
participate in any illegal activities. Articles published do not
neccessarily reflect the beliefs of DIG or it's affiliates.
Release Dates
There is no set release schedule for DIG, quarterly installments are
expected, but the release schedule may vary. Check our website
(www.digzine.com) for updates.
Writers Wanted
We are always looking for more writers on topics of interest to
hackers, phreaks, virus writers, crackers, and interesting science, but
other topics are acceptable too. If you dont know whether DIG would be
a good place for your article, email us and well talk.
Distribution
DIG is available for free online and can also be ordered in limited hard
copy at www.digzine.com through Pay Pal (if you dont have Pay Pal,
drop us an email for other payment options). The hard copy contains all
the same information as the online copy, but includes graphics, and you
can hold it in your hand! Feel free to and please do copy, reprint, and
distribute DIG, as long as nothing is changed, and you dont try to
make a profit off of our work.
Letters
We will print your letters. If you would like to make a comment, ask
a question, make a correction or a contribution send them to
dig@digzine.com and we will publish them. If you don't want your
letter published, just let us know. All contact information will be
kept private.
How to help
You can help us by letting everyone know about us, spread flyers, link
to us, print more copies to distribute, or write articles! Monetary
donations are accepted to help pay for hosting and printing, but
providing information or services would be a better donation.
Privacy
We will honor all confidentiality requests. We keep no record of
addresses, privacy is important to us.
Contact
dig@digzine.com
Our Public Key is available on the website.
____ ___ ____ _ _ __
| _ \ |_ _| / ___| _| || |_ /_ |
| | | | | | | | _ |_ __ _| | |
| |_| | | | | |_| | _| || |_ | |
|____/ |___| \____| |_ __ _| |_|
|_||_|
==================================================
==================================================
July 2003
Into the Underground ........................... 4
Explorations in Connected Technologies ......... 5
An Analysis of Smartcards ...................... 7
Thoughts on EZ Pass / Speed Pass .............. 11
Explicit Anarchy .............................. 12
Stunning Snacks ............................... 14
NO CARRIER's Scan ............................. 17
Buffer Overflow Challenge ..................... 21
Conscience of a Hacker ........................ 22
===========================================
+++ Into the Underground ++++ lowtec ++++++
===========================================
Well here it is, the first issue of DIG! I founded this magazine
because I see lots of people working on interesting projects with
unfocused efforts and no central place to report their findings, or ask
for help. I want this magazine to be an interactive experience for
everyone who chooses to participate.
While DIG will focus mainly on hacking, phreaking and exploring
technology, I would love to see more diverse articles. In the end our
readers and contributors will have the biggest say in the direction we
take this production by influencing us with letters, and by submitting
articles to be published. To some of the people who have been on the
scene for a while, some of the information may seem to repeat ideas a
little, but keep in mind that we are trying to appeal to a larger
audience. I think that this will be a good place to learn for everyone.
Let me take a quick moment to dispel some common beliefs held by
the unaware or ignorant. Hackers are people too. The term hacker as
it is used here to describe someone who is aware and curious about how
things work originated at the MIT artificial intelligence labs and was
an honorable title. The media and others have distorted the term to
describe criminals. The truth is that knowledge is power, and with
power comes responsibility. With that out of the way, please enjoy
this issue, and use all information responsibly.
======================================================
++ Explorations in Connected Technologies ++ Astral ++
======================================================
In todays connected world, it is impossible to picture the depth
and complexity that our societys infrastructure has grown to. Its
amazing to know that at any one moment in time, there are thousands if
not millions of transactions, connections and bits of data flowing all
over the world at the same time. Here I will explain and delve as far
as I dare, into the beginning of the net and just how complex it truly
is.
ARPAnet -- WTF IS THAT?
ARPAnet (Advanced Research Projects Agency Network) was designed
in the early 60's to be a mode of communication that could survive a
nuclear war. DARPA (a branch of the DoD) provided the main funding and
research for the project. It started out small, with only a few nodes,
running on old DEC machines, commodores, and old CRAYS. The main method
of communication was over a land link phone line. It was like dialup for
machines to talk per se. After time, a lot of universities started to
get connected with ARPAnet and researchers immediately saw its potential
as a research network for collaborated efforts. Then as more people and
companies started to join the network, other countries started to get on
the bandwagon, and create their own networks. In the USA, there were
several companies that offered public connections to the ARPAnet; they
were Tymnet, Telenet (now Sprintnet) and some others. MILnet was also
on this, but at this time, was on its own nodes and PADs (packet
assemblers / dissemblers). The amount of connectivity at this point
was also amazing; machines over great distances were connected and
sharing data over their 300 baud modems. The net was growing.
Old Articles -- A window into the true times of hacking and exploration
One can get a glimpse into a time long forgotten, when exploits
were still just an idea in Aleph One's mind, and when password guessing
was trivial. Back then finding a VAX/VMS was everyday and security was
just as renowned on those systems as it is still today; hacking into
NASA and Pentagon databases was very easy. A lot of the old articles
are still distributed and a good collection can be located at
textfiles.com/hacking and these will just give you an idea of what the
possibilities were. Exploration was at its peak, the US Government
actually declared war on the Texas based hacker group LoD (legions of
doom) in Operation Sun Devil. One can truly begin to understand what
it took to be a hacker in those days -- intelligence. You can see the
depths of net connectivity even in these files. There is even a LoD
crash course in TCP/IP, something that had just come out during the
80's and 90's. We take for granted the 'ping' command, these guys had
to try and explain it to hackers who were used to dialup PADs and
IBM / VAX / UNIX System V OS's. By reading these articles, you will
become aware of a time before you may have even been curious about
computers and the world; its also a good history lesson of our roots.
Net Complexity -- The massive infrastructure we call the net.
The internet is built and supported by many massive companies.
With current statistics saying over 4 billion websites / pages, the
internet is only growing in size. The net is very complex and
incorporates many different technologies for sharing information. Once,
a couple of years ago, I stumbled upon a Linux machine with an
interesting login banner. It gave me a guest account and after reading
everything, it turns out this was a radio link machine to service backup
medical emergency radio frequencies for all of south Texas. It was part
of a huge radio relay network. To think that my packets on the BBS were
being transmitted across Texas at around 300 Baud on the Ham 2m bands
and such to other BBS's and transceivers and then over a few ham
satellites was just amazing to me. Another example of depth is the
ARPAnet; its still there! I play on it all the time, it is very slow,
and sometimes has a few network outages in certain areas. Still, for
its age and effective yet immature design, ARPAnet is still functioning.
A lot of companies are moving back onto it, due to the security, such as
ANI and phone logs as you remember a good bit is over the x.25 protocols
and modem out dials. You cannot form an exploit and send it to your
target on this network. The internet also links to it; I have found TCP
gateways onto the old ARPAnet for routing and database connectivity
purposes. I love the feeling of making old DEC machines turn their tape
drives and run their modem PAD switches somewhere in a basement, covered
in dust. In most places like South America and parts of Asia and
Russia, the ARPAnet is still a major thing to them. There are whole
sections still linking banks, governments, and companies back to the net
and to each other. Their networks are still active and for the most
part, largely unexplored. Even in the old files, very few did exploring
in world-wide networks. Most dealt with the UK, or Germany, but those
were also leading net countries along with the USA. The machines are
still working hard probably covered in cobwebs and dust, as the large
magnetic tape drives spin daily, keeping track on their 25 MHz
processors what our GHz servers do today. They run the governments, the
banks, and keep their country connected permanently. In Mexico I saw
some of the old server buildings and such belonging to TelMex when I was
in Cozumel. I yearned to go exploring into their depths to find old
gems, but my concern to keep my freedom and to avoid Mexican prison for
my unauthorized exploring kept me from doing so.
Conclusion -- Did you understand?
In the end, its the drive, that maddening sense to explore the
old networks, to see its true depth that urged me to write this. I hope
I have inspired some of you to start reading and learning the ways of
the old hackers; the true Columbuss and Vikings before our time. Read
them, explore, and picture the massive amounts of information on the
web, wireless, radio, ARPAnet, and SATnet that traverse the globe
constantly. You will be amazed and I promise, almost overwhelmed. The
true underground awaits you. Go forth, explore, and conquer.
astral@hackermail.com http://www.leetgeek.tk
=========================================
++ An Analysis of Smartcards ++ lowtec ++
=========================================
Smartcards are becoming ever-more popular in todays world. When
people are looking for security in their applications and they are not
willing (or able) to put lots of resources towards ensuring that the
security is effective, they turn to someone who is willing to do the job
for them. Smartcards offer a very cheap and (potentially) secure
solution. Some of the examples of smartcards in use today are: phone
cards (mainly in Europe), pay TV services (DSS, Direct TV), GSM phones,
an increasing number of credit card companies are combining smartcards
with regular magnetic stripe cards, they can be used as an access
control device, several banks in Europe are using them to authenticate
users, and they can be used as a stored value card or e-purse.
alt.technology.smartcards has an excellent FAQ on smartcards which
is available at http://www.scdk.com/atsfaq.htm. Although the FAQ will
go into much more depth than this file, I intend to only give an
overview of smartcards and focus mainly on the security issues.
Before going any further, it should be made clear that there are
two types of smartcards, only one of which is truly smart. Memory
cards that simply store information and have no onboard processor are
not truly smartcards but are occasionally grouped in the same category.
True smartcards are basically computers on a small chip without a power
supply; they have memory storage and a processor.
The idea behind smartcards has good intentions, but the truth is
that from a security standpoint, some implementations of smartcards are
unreasonable. In some applications the end user has in their possession
the card which contains the chip with the secret information, they can
assault the card indefinitely and have no fear of being caught by
authorities, or arousing suspicion from invalid attempts. The whole
idea with smartcards is that the single card is secure enough to
authenticate a user, so that a central server does not need to be
accessed, however this is not to say that it is never accessed. Also a
record of transactions can be kept, but there is no way to distinguish a
valid transaction with an illegitimate one. Times when a smartcard is
not a good idea to use as a security control device are when the actual
card is the only record or holder of the transaction or authentication
information. Cases that stand out as bad ideas for use with smartcards
include: phone cards, pay TV, and as an e-purse. In other cases,
smartcards may add a degree of security; however the network carrying
the smartcard data should also come into consideration.
Smartcards are described under the ISO 7816 standard which defines
everything from physical and electrical characteristics of integrated
circuit cards down to communication to and from the card. It should be
noted that there were cards made before 1990 that had a different
standard contact location and therefore can not be used with ISO 7816-2
compliant smart card readers. Although contact location and function is
now standardized, the design of the contacts is not. Most contact
designs are patented and make it easy to distinguish a manufacturers
cards.
Unlike magnetic stripe cards that can be easily read and written
to by anyone with the money to buy an encoder, or the know how to build
one (thats another file); smartcards restrict read and write
operations. There are varying levels of protections that can be
implemented in smartcards because essentially a smartcard is a computer
without a power supply. However, smartcards are limited to either being
read or written to simultaneously. This was done to slow down attacks
on the card. The nice thing about smartcards is that in order to read
or write to them, no special equipment is needed; only an interface to a
computer which could consist of contacts and a power supply, or the
power could be provided by the computer. If you are planning on
obtaining a smartcard programmer, I would suggest (for the technically
inclined) building your own. It is not a terribly complicated project,
but not recommended as a beginning project. There are several sites
that provide schematics for building smartcard programmers. Note that a
reader is the same as a programmer, i.e. it can read and write data to a
smartcard because there is no special hardware involved.
What happens during a typical smartcard transaction: 1) After the
smartcard is inserted into the reader, the reader generates a random
number which is sent to the card. 2) The card is asked to perform a
secret calculation with the random number, which the reader also
performs. 3) The card sends the result back to the reader, which
compares the numbers. If there is a match, the card is authenticated
and the transaction is allowed to proceed. This authentication
procedure is commonly known as a challenge response.
While one may think that simply by analyzing the data between the
card and the reader, all cards could be compromised. Such a 'replay'
attack could be beneficial to understanding what goes on during a
session. Although a capture of the data between the reader and card may
be encrypted, no doubt it will help in analyzing the card. Protection
against replay attacks includes using a digital signature and a counter
on the card to refuse replayed transactions.
Until this point, smartcards seem fairly secure and difficult to
attack. A flaw in smartcards was found by Paul Kocher of
http://www.cryptography.com that allows for the extraction of the secret
key. The flaw was that by analyzing the power consumption of the
smartcard you would be able to determine the secret key from the spikes
in power (high for 1, low for 0). This attack is known as Differential
Power Analysis (DPA), which at the time of its discovery all smartcards
were vulnerable to this attack. However a solution to prevent or thwart
DPA was put forward, that is by running a random number generator on the
card separate from the meaningful processing, an attacker trying to
extract the key would be foiled. It is not known how widely the
solution has been implemented.
In order to carry out DPA an attacker would need an oscilloscope
capable of sampling at a rate equal to or higher than the card's
transaction and highly technical knowledge.
DPA is not the only attack that can be used against smartcards.
By physically opening the card and modifying the fuses inside (after
dissolving the protective black epoxy on the EPROM) with microprobes it
is possible in some cases to gain access to secret parts of the card, or
bypass certain 'features'. Also there are many other timing attacks
possible by applying much higher or lower voltage than usual to the
card. By altering voltage levels, the cards processor clock may speed
up or slow down significantly, allowing an attacker to learn more about
each clock cycle.
A similar attack to DPA which was recently brought to my attention
could use thermal imaging to observe very small changes in temperature
on different areas of the chip, and if a random number generator was
implemented separately from the main processor, it could be isolated.
By correlating the changes in temperature to processing cycles, like DPA
the secret key could be extracted.
It should be noted that chip manufactures should not want to lock
down their chips from all analysis; they want to be able to examine
chips that fail to determine the cause of malfunction. Invasive attacks
can be made easier by the fact that silicon is transparent to infrared
light.
In the case of Pay TV, pirates have been able to write protect
their access card and only use the decrypting functions on the card by
the use of an emulator and a legitimate card. Pay TV companies
retaliate by adapting their signal to try to cut off pirates, and a cat
and mouse game ensues. Some more advanced pirates have figured ways to
bypass the need for updating scripts on their cards by modifying the
receiver unit, this only goes to show that more than just the smartcard
must be considered in application. Many satellite TV hacking web sites
have cropped up as a result of its popularity, and while some have
valuable information, most have little information of interest to the
smartcard hacker.
Smartcards are very interesting pieces of technology that you can
count on seeing more of in the future. In the near future smartcards
could replace identification cards and records could be stored right on
the card. There are definitely privacy issues at hand with smartcards
and related technologies. Unfortunately Microsoft and other
corporations see the use of cryptographic hardware as a means of
controlling what applications can be run on their hardware. The Xbox
only runs Microsoft signed code (without a modchip or a buffer
overflow exploit from a legitimate piece of code). Microsofts current
project (which deserves its own article), Trusted Computing Platform
Alliance (TCPA), Palladium, or Next Generation Secure Computing Base
(NGSCB) as they are calling it now (due to negative publicity) will use
the same type of technology to control what programs you can run on your
computer. As technology advances and chips become even smaller,
attacking hardware invasively becomes harder. Also, manufactures will
become devious and integrate the cryptographic chips right into their
processors of your computer making any attacks very difficult to carry
out.
Essential Smartcard links:
Markus Kuhns webpage Many excellent papers on smartcards, and other
very interesting topics
http://www.cl.cam.ac.uk/~mgk25/
Center for Information Technology Integration, at university of Michigan
http://www.citi.umich.edu/projects/smartcard/
Bo Lavares Smartcard Security Page
http://www.geocities.com/ResearchTriangle/Lab/1578/smart.htm
(unfortunately the original site is no longer active but has been
archived on http://web.archive.org)
Ross Andersons webpage Some papers on smartcards and a good FAQ on
TCPA
http://www.cl.cam.ac.uk/~rja14/
http://www.epanorama.net/links/smartcards.html
More information on smartcards with some links to related projects
to build
===================================================
+++ Thoughts on EZ Pass / Speed Pass +++ lowtec +++
===================================================
Radio Frequency Identification (RFID) is a relatively new and
largely unexplored technology. RFID technology is already in
widespread use, some examples are: Exxon speedpass, EZPass for tollways,
wireless smartcards and other wireless cards, secure car ignitions, and
less common 'smart shelves'.
How does it work ?
RFID operates in a number of unlicensed frequency bands worldwide,
with 125 KHz and 13.56 MHz the most common. The 13.56-MHz tags hold as
much as 2,000 bits of data, or roughly 30 times the information of
125-KHz tags. Low-frequency (30 KHz to 500 KHz) systems have short
reading ranges and lower system costs. They are most commonly used in
security access, asset tracking, and animal identification applications.
High-frequency (850 MHz to 950 MHz and 2.4 GHz to 2.5 GHz) systems,
offering long read ranges (greater than 90 feet) and high reading
speeds, are used for such applications as railroad car tracking and
automated toll collection. However, the higher performance of
high-frequency RFID systems incurs higher system costs.
Short range, low-frequency tags are powered by a magnetic field
when held up to the reader (It's basic physics - The tag contains a coil
of wire which, when moved through a magnetic field generates an electric
current). The longer range, higher frequency tags usually contain
batteries which usually last 3-5 years. RFID tags are transponders;
they recieve and transmit.
Although the majority of RFID tags are write-once/read-only,
others offer read/write capability and could, for example, allow origin
and destination data embedded in a shipping container's tag to be
rewritten if the container is rerouted. The data store on a 13.56-MHz
tag is large enough to contain routing information for the shipping
container and a detailed inventory of the products inside.
As mentioned earlier, some stores have started using RFID tags on
their products to track inventory and prevent theft. These tags are
supposed to be deactivated after a sale is completed, but may not always
be. If a tag was left in your clothes, it could be read by other
readers and used to determine your identity. If we're not careful we
could have something very similar to the Minority Report going on. As
RFID tags get smaller and smaller they will be almost impossible to
locate in something you have purchased. Europe plans to embed RFID tags
in every piece of paper currency by the year 2005.
Many modern cars use RFID tags embedded in the key to determine if
the car is being stolen. If not present the car will not start. RFID
tags are susceptible to interference, and when in close proximity with a
Mitsubishi SUV an Exxon speedpass would not let the vehicle start. If a
car owner wants to get a new key for their car, they must go to their
dealer and buy the special key with the embedded RFID tag, and follow
the directions in their manual for programming the key. Usually the car
will require two other valid keys in order to program a new key,
otherwise your dealer will have to work his magic.
Security
In the Speedpass system a credit card is linked to your tag, but
your credit card number is only referenced by an identifier on the tag,
so no actual credit card numbers are processed on the system. This is a
good safeguard but it doesn't prevent lost or stolen tags from working
as no PIN numbers are required for operation. Typically if a tag is
lost or stolen it must be reported to be deactivated.
It is questionable whether or not an RFID transaction could be
'sniffed' and replayed or whether a tag could be copied without opening
it up to gain access to the memory. If this is possible then leaving
your EZPass glued to your windshield, where anyone could read your key
might not be a good idea. Depending on the implementation of the
system, it may or may not be secure.
This is a brief description of an Exxon speed pass transaction: A
gas-pump-based reader interrogates the key-fob SpeedPass (which contains
a chip and an antenna) waved inches from the pump, obtains its
identifier, passes that on via a Very Small Aperture Terminal (VSAT)
network to a back-end system for credit approval and then turns on the
pump, all in seconds.
Read range is another concern with security, because systems are
designed not to cause interference and ignore weak signals it is
possible to build a sensitive reader which would amplify weak signals.
RFID technology is another interesting technology, but it requires
careful implementation in order for it to be secure and protect
individuals privacy.
Links
Optimizing RFID Read Range
http://www.e-insite.net/ednmag/contents/images/84480.pdf
Exxon Mobil Speed Pass
http://www.speedpass.com or 1-87-SPEEDPASS (1-877-733-3727)
Request 4 free tags today! (requires valid credit card)
RFID Basics
http://www.aimglobal.org/technologies/rfid/resources/papers/rfid_b
asics_primer.htm
==========================================
+++ Explicit Anarchy +++ Dreg Nihilist +++
==========================================
First and foremost, I want to evince the truth about the
philosophy of anarchy that is often effaced by the corrupt
misinterpretation imposed on this theory by the punk movement of the
1980s. This movement has lead much of the public to believe anarchy is
a philosophy that is based on allowing chaos to reign over crazed and
frenzied antics of anti-government extremists.
In all actuality, the idea is quite the contrary to the violent
label with which anarchy has been so incorrectly deemed. Anarchy is
actually a very peaceful concept derived from two Greek words meaning
without government and was once known as Liberation Socialism. The
idea is anti-government, but in the manner of speaking of how government
restrains those living under it. Anarchy is being able to liberate
society from governmental restrictions through each individual
cooperating to achieve a peaceful and enjoyable political environment
that diminishes all necessity of an unwanted government. It is not an
attempt to violently overthrow power and order to be able to act on
whatever whim crosses through ones mind; it is a theory based on being
magnanimous and mature enough to live harmoniously through compromise
and toleration. An anarchic society does not need to be ruled over; it
advocates thought and action that denies the ruling of people and
eventually ownership of petty things like land and property that could
cause confrontation. It illustrates the belief that people are
civilized enough to collaborate through open agreements to create a
substitute for a mediator or intermediary; liaison would be the standard
of living. William Godwin, the first proclaimed anarchist, wrote
Political Justice in 1793 which proclaimed his idea and view of anarchy.
Pierre Joseph Proudhon was Godwins successor in spreading the dogma of
anarchic culture with his book What is Property? (which is how the
denial of owning land or property was first introduced). One Russian
anarchist, Mikhail Bakunin, motivated Peter Kropotkin, another Russian
anarchist, to write a multitude of books that significantly affected
anarchy such as The Conquest of Bread, Mutual Aid, and Fields,
Factories, and Workshops. Kropotkin wrote the first adroit encyclopedia
definition of anarchy that lasted a total of about fifteen pages. Next,
Leo Tolstoy introduced Christian anarchy and also wrote "The anarchists
are right in the assertion that, without Authority, there could not be
worse violence than that of Authority under existing conditions."
Anarchy continued to grow and form and become more tangible, but this
also opened the belief to persecution such as in cases of The Chicago
Martyrs or the "Haymarket Eight". Alexander Berkman, companion of one
of the instrumental figures of the anarchist movement (Emma Goldman),
wrote ABC of Anarchism which declares anarchism as freedom from
enslavement. Anarchy has evolved through many movements and is still
practiced today in small communities and societies.
Anarchy is not at all a manifestation of terrorism or disorder
even though the government and media often give it a connotation
synonymous with turmoil because they feel threatened by the idea. Power
corrupts; anarchy is the solution. Anarchism encompasses many ideas and
theories or similar philosophies such as existential individualism,
anarcho-syndicalism, class struggle, anti-speciesism, self-sufficiency,
anti-racism, and eco-anarchism. Anarchy has become a widely accepted
belief around the world and is openly supported. Everything is subject
to perception and interpretation, but misunderstanding the belief
structure and concept base of anarchy is unfortunate. Anarchy speaks
for itself through its history and tenets. Anarchists can correctly
demonstrate and convey the doctrine of anarchy through their actions,
words, writings, and presentations of the practice of Anarchy.
===================================
+++ Stunning Snacks ++++ lowtec +++
===================================
Vending machines are very interesting and can range from purely
mechanical to modern computer controlled devices. These machines that
provide drinks, snacks, newspaper, cigarettes, copies and other services
(you could consider an arcade game or a payphone a vending machine for
providing services) have been the target of many attacks since their
introduction into society. While the main objective of most of these
attacks is to obtain free goods, services, or money from the machines,
there are many more interesting things to be discovered, such as debug
menus and status reporting functions. Here Ill make a very brief
summary of most of the security issues with vending machines that I have
read about or seen. Be warned that by trying any of these methods on a
machine that is not yours, without permission will get you into trouble.
I do not condone or approve of stealing from vending machines.
First there is the use of slugs, or coins on a string. Im sure
this worked at one time or another, but todays machines are more
advanced and coins must pass tests based on weight, shape and size;
coins with a string attached to them wont roll properly or pass through
trap doors. Creating a slug the same weight, shape, and size as a coin
seems like a lot of work and doesnt seem practical. There are some
foreign coins which are very similar to US currency which could be used,
and Im sure you could find a website that provides comparison charts
(this, as following methods is probably covered under counterfeiting
laws). This method is possible but seems a little far fetched unless
you have a collection of Indochina pennies or something.
Then there is the similar dollar bill tape method which although
it has been known to work, requires a strong dollar and the tape must be
very near the trailing edge of the bill for new machines. I have heard
that you need a very long (and strong) piece of tape on new machines and
they are quick to reject bills if the alignment is even slightly off.
Scanners on the machine need to be able to recognize the bill so tape
can not be covering any of the printing on the bill. This method seems
shoddy at best and you have to carry around your taped up dollar which
would be very suspicious.
Another method involves short circuiting the machine by squirting
conductive fluid, usually salt water into the machine through any
openings, usually the bill or change slot. In unprotected machines,
this would cause unpredictable results which might include spitting out
a coke or whatever the machine is dispensing. Also sensitive electronic
components of the machine would probably be destroyed. In new models
this problem has been fixed by shielding all sensitive exposed contacts.
Some people will try to tell you that this will make the machine spit
out bills, and while I have not tried this, it seems impossible because
the bills, like the change are stored in a box which only allows coins
and cash to enter (unless the machine makes change in which case there
is most likely a separate bank of coins for making change). The coin
box on most vending machines has an extra level of security so that the
coins are never exposed once inserted into the machine. If you have
ever seen a parking meter being emptied there is a metal case that is
pulled out and must be inserted into the large collection safe and
twisted in order for the coins to be collected. The main reason for
this extra level of security is to prevent theft by employees. Using
salt water is an easy method, but is becoming obsolete and is messy.
An interesting method that I havent confirmed is manipulating
bills by putting the Mylar strip from a five (or higher) dollar bill on
a one dollar bill, using the one dollar bill in a machine and spending
the five dollar bill at a register (most cashiers wont check for the
Mylar strips). This has been rumored to work on some change machines
seen in arcades. Manipulating US currency like this is most certainly
illegal and could get you in trouble with the Secret Service (yes, they
handle counterfeiting, credit card fraud, and protect the president).
Anyway, just using the strip for verifying the denomination of the bill
seems like a weak security system, not to mention it would be difficult
to get that little thing out and attach it to another bill (maybe use
superglue?).
Color photocopying, or possibly even a black and white copy of a
bill could work on old machines; again I havent tested this because
reproducing currency is illegal except when it is ridiculously out of
scale and one sided. However, as any counterfeiter will tell you,
matching the paper used is the hardest obstacle to overcome when
printing fake money. Also, machines that use scanners to check for the
Mylar strips will probably not be fooled by a copy.
A less well known method of getting free games at arcades is to
take any coin (usually a penny) and flicking it up through the change
return slot. I heard about this method from the temple of the screaming
electron (http://www.totse.com), and while I cant say that I understand
why this would work, I havent had the chance to look inside an arcade
game. The article also suggested banging your knee into the coin box
for free credits (ouch!). I have tried flicking pennies up the change
return slot with no luck, but I did notice that there are bumps on the
back of the change return area that probably were there to prevent me
from doing just that.
One more method I found while browsing through the temple of the
screaming electron is cutting a piece of aluminum foil to the same size
as a dollar bill and inserting it shiny side up. The author says that
this may cause the laser to be reflected onto the template the machine
uses to compare any bill to. I havent been able to test this, but I am
doubtful that it will work because I think the scanner the machine uses
counts on certain areas of the bill to be reflected (light and dark
areas) and then compares those areas to its stored copy. Also, what if
the machine accepts $1 and $5 bills? This is something to look into.
Youll notice all of these attacks are non invasive and require
almost no special equipment to carry out. It is trivial to break into
one of these machines with the proper set of tools; that is not what is
being addressed. Also youll notice Ive left out lock picking mainly
because it requires special skills and tools, although when considering
security it should not be overlooked. Without a strong lock, a thief
could easily saw through or chisel off a lock. Each situation demands
its own security analysis, for example snack machines could be tilted
forward to dump all their snacks if they are not bolted to the wall.
[I will say one quick thing about lock picking; some people have
suggested getting some kind of quick drying clay and forcing it into the
keyhole for a tubular key saying that this will give an impression of
the key. Whoever said this has no clue about how locks work. The clay
would get an impression of all 7 or 8 pins (depending on the lock); no
information about the key could be obtained. But, with the right tool
(a tubular lock pick) tubular locks are very simple to pick. But that
is another article....]
On to the very shocking exploit that gives this article its name.
While most vending machine manufactures have at least taken some aspect
of preventing fraud into their design, few have done much shielding of
electrical contacts on the keypad, most are concentrated around the
money collection areas, and even those have been fairly recent
improvements. I must give credit to Adrian Lamo for informing me of
this exploit. It is possible to use a normal self defense stun gun to
cause some machines to make sporadic electrical connections which can
yield unpredictable results, including the machine vending its product.
The machines which are most notably vulnerable are the snack machines
with the flush clear-button keypad. Holding a stun gun up to the keypad
firing it, and moving it around usually causes the machines to vend
several snacks. This exploit is probably not unique to only snack
machines, but by manipulating voltage levels and using sparks to close
gaps that control vending operations. Similar results could probably be
obtained by using other devices such as a HERF or EMP device. This is a
working exploit, at least on some machines, very easy to carry out,
although it does require some special equipment and determination.
However, stun guns are easily obtained through internet orders, or
schematics can be found online.
People have become extremely lazy with all of our great
technology these days and they want to be able to know how what their
vending machine is up to without having to go check the cash box.
Computers in vending machines can dial up to the internet (or connect
through a network) and email their owners all the information they
could ever want (amount and type of product sold, product remaining,
money in machine, usage statistics, etc). Sometimes menus like these
are available locally through a special combination of buttons, with a
key, or with special hardware. One widespread example is on most Coca
Cola ® machines by imagining the button on top to be #1 and numbering
down (or across on new machines) then press the buttons in order - 4, 2,
3, 1, a menu system will come up on the 4 character display that allows
you to view some information about the machine (credit to ch0pstikninja
from the phonelosers.com forums). Once you have accessed the menu
system you can navigate through it using the buttons as follows 1
previous menu, 2 up, 3 down, 4 - enter. Now some people will say,
Ok, so how do I use that to get free cokes? the answer is, you dont.
Its just a neat little menu that was hidden from you before. As one of
the posters to the phone losers forum said, this could be useful to
thieves deciding if a machine is worth breaking into. Note that this
should work on all machines made by Coca Cola ® (Fruitopia ©, Dasani ©,
etc). Similar menus can be found on many other machines with a quick
Google search, a call to the manufacturer, or some smart finger hacking
(try patterns, etc.).
One particularly interesting feature present on some machines
(usually at universities) is a card based accounting system. Machines
that use some sort of card access whether it is magnetic stripe cards,
smart cards, or some other proprietary identification / accounting
method can be very fun to play with. Some people may be familiar with
the Campus Wide system that Acidus and Virgil were prevented from giving
a talk about at interz0ne. These systems are almost always wide open,
although they do require some technical knowledge to exploit.
Playing with vending machines can be fun and occasionally
rewarding, but be considerate to others and dont damage the machines;
leave them as you found them. After youre finished playing with a
debug or admin menu, return the machine to normal mode. Some machines
will go back to normal mode after a minute or two but just be sure. Use
good judgment when exploring and have fun.
=============================================
+++ 1-800-326-XXXX Carriers+++ NO CARRIER +++
=============================================
March 26, 2003
* Notes: All of the numbers listed in this file remain active as of the
date on this file. The 800-326-XXXX exchange was scanned with Tone Loc
v1.10.
Keys
LBC - Lower modem's baud rate to connect.
If there is a '?' under the 'Baud' column, this means the remote modem
would not connect at a high speed, and you have to lower your modem's
baud rate to connect. 1200 - 2400 baud should allow you to connect.
The [ ] brackets used in the 'Notes + Information' column are my notes
about the system, display settings, etc.
Carriers
~~~~~~~~
-------------------------------------------------------
Number Baud Notes + Information
-------------------------------------------------------
800-326-0037 2400
800-326-0038 1200 ID=
800-326-0054 49333 User Access Verification
800-326-0312 50666
800-326-0494 33600
800-326-0595 31200 User Access Verification
800-326-0699 14400 Garbage
800-326-0712 26400 @ Userid:
800-326-0751 1200 ID=
800-326-0783 26400 @ Userid:
800-326-0840 1200 Welcome to the Mt. Joy Editorial Center
800-326-0879 31200 ** Ascend TNT Terminal Server **
800-326-0880 28800
800-326-0949 26400 @ Userid:
Carriers cont.
-------------------------------------------------------
Number Baud Notes + Information
-------------------------------------------------------
800-326-1111 2400 [Random characters]
800-326-1272 33600 PLEASE SIGN-ON [7,E,1]
800-326-1308 28800 Garbage
800-326-1339 28800 @ Userid:
800-326-1349 49333 Garbage
800-326-1482 26400 @ Userid:
800-326-1502 9600 AIX Version 4
800-326-1585 26400 @ Userid:
800-326-1587 31200 User ID:
800-326-1589 50666 3Com Total Control HiPer ARC (TM)
800-326-1599 50666 STATION ID - stlmo03rs10rd003,stlmo41ev
800-326-1654 31200
800-326-1687 31200 SCO OpenServer(TM) Release 5 (From Compaq)
800-326-1757 1200
800-326-1950 26400 @ Userid:
800-326-1979 28800 @ Userid:
800-326-1983 2400 [Disconnects immediately]
800-326-2107 26400 Multi-Tech RASExpress Server Version 5.50
800-326-2196 28800 @ Userid:
800-326-2251 1200
800-326-2340 2400
800-326-2380 2400
800-326-2435 ? LBC
800-326-2452 ? LBC
800-326-2521 1200
800-326-2549 50666 Mizuho Capital Markets
800-326-2552 ? LBC
800-326-2562 ? LBC
800-326-2617 28800 @ Userid:
800-326-2781 50666 User ID:
800-326-2808 31200 User Access Verification
800-326-3052 31200
800-326-3334 9600 GO-
800-326-3551 28800 US00 ?
800-326-3676 28800 EquiLink BBS [Wildcat! - Closed]
800-326-3827 9600 Operator Code:
800-326-4158 9600
800-326-4216 31200 Garbage
800-326-4498 2400 ATS0=1&W
800-326-4514 26400 FirstClass system, from Centrinity Inc.
800-326-4724 14400 ID=
800-326-4792 2400
800-326-5084 31200 User Access Verification
800-326-5217 28800
800-326-5246 28800
800-326-5265 28800 BEGIN SECURITY
Carriers cont.
-------------------------------------------------------
Number Baud Notes + Information
-------------------------------------------------------
800-326-5561 28800
800-326-5745 33600 lbar1 login:
800-326-5761 31200
800-326-5815 28800 Please press <Enter>...
800-326-6173 48000 login:
800-326-6259 33600 ***SYSTEM TEMPORARILY UNAVAILABLE [7,E,1]
800-326-6326 14400 BeeperMart / Indiana Paging In-Touch II
800-326-6373 14400
800-326-6427 50666 User Access Verification
800-326-6466 14400 Welcome to ENVOY Corporation
800-326-6613 14400 Petaluma Valley Hospital [HP-9000]
800-326-6673 33600 User Access Verification
800-326-6965 33600
800-326-7071 31200
800-326-7075 31200 Please press <Enter>...
800-326-7179 31200 SCO OpenServer(TM) Release 5 (From Compaq)
800-326-7193 ? Garbage
800-326-7226 14400
800-326-7240 28800
800-326-7311 2400
800-326-7364 31200 login:
800-326-7582 50666 User Access Verification
800-326-7944 31200
800-326-8082 49333 Garbage
800-326-8192 26400 @ Userid:
800-326-8681 33600
800-326-8717 2400
800-326-8757 33600
800-326-8830 45333 Garbage
800-326-8948 49333 Garbage
800-326-8963 31200
800-326-9002 31200
800-326-9333 9600
800-326-9343 26400
800-326-9378 31200 OpenServer(TM) Release 5
---------------------------------------------------
95 Carriers Total
Misc #'s
~~~~~~~~
Below is some other stuff I noted during the carrier scan.
800-326-0042 - Tone
800-326-0131 - Tone
800-326-0132 - Tone
800-326-0180 - Sprint
800-326-0181 - PIN # Prompt
800-326-0593 - Person
800-326-0596 - Fax
800-326-0630 - AT&T Easy Reach 800 - Code: 05
800-326-0631 - PIN # Prompt
800-326-0694 - All circuits are busy
800-326-0729 - Silent
800-326-0881 - Please enter your PIN code
800-326-1646 - PIN # Prompt
800-326-1746 - AT&T Easy Reach 800 - Code: 00
800-326-1973 - PIN # Prompt
800-326-1991 - Sprint
800-326-2134 - Tone
800-326-2291 - AT&T Easy Reach 800 - Code: 09
800-326-2355 - Fax
800-326-2431 - Person
800-326-2485 - AT&T Easy Reach 800 - Code: 10
800-326-2747 - Tone
800-326-2892 - Rings + Disconnects
800-326-2981 - PIN # Prompt
800-326-3121 - Tone
800-326-3464 - Tone
800-326-4123 - Tone
800-326-4238 - Tone
800-326-4813 - Rings + Silence
800-326-5299 - Tone
800-326-5558 - Nortel call pilot
800-326-6425 - Conferencing center
800-326-6426 - Meridian Mail VMS
800-326-6512 - Silent
800-326-6685 - AT&T Easy Reach 800 - Code: 00
800-326-6731 - AT&T Easy Reach 800 - Code: 00
800-326-6968 - AT&T Easy Reach 800 - Code: 01
800-326-6969 - Disconnects
800-326-7258 - Fax
800-326-8307 - Fax
800-326-8320 - Silent
800-326-8737 - Sprint's Private Network & Switch Engineering Group
800-326-8759 - Diverts
800-326-8774 - Fax
800-326-9034 - AT&T Easy Reach 800 - Code: 00
800-326-9288 - Fax
800-326-9399 - AT&T Easy Reach 800 - Code: 00
800-326-9813 - Silent
------------------------------------------------------------------------
Hope you enjoyed this file. Look for more scans by me in the future at
http://www.geocities.com/phonescans. Questions, comments, or suggestions
can be emailed to dtmf@email.com.
===========================
+++ Challenge+++ matrix +++
===========================
Think you have skills?
/*
Try to exploit this without using any shell code.
Assume a nonexecutable stack.
Get a root shell.
Jose Ronnick <matrix@phiral.com>
*/
#define message "Are two bytes enough for you? =) <matrix@phiral.com>\n"
void clearmem(char **target)
{
int i;
for(i = 0; target[i] != 0; i++)
memset(target[i], 0, strlen(target[i]));
}
void func(char *src)
{
char buffer[56];
strcpy(buffer, src);
}
int main(int argc, char *argv[], char *envp[])
{
char buffer[100];
char *data, *loc;
long *location;
int buf_len;
if(argc == 1) exit(0);
data = (char *) malloc(20);
loc = data + 16;
*((long *)loc) = (long)message;
location = (long *) loc;
if(argc > 2)
loc = argv[2];
else
loc = 0;
if(strlen(argv[1]) > 38)
if(((unsigned char) argv[1][33] != 0xff) ||
((unsigned char) argv[1][34] != 0xbf)) exit(1);
bzero(buffer, 100);
buf_len = strlen((char *)*location) + strlen(argv[1]);
strncat(buffer, (char *)*location, strlen((char *)*location));
strncat(buffer, argv[1], strlen(argv[1]));
buffer[buf_len] = 0;
if(loc)
{
if(strlen(loc) > 15) exit(1);
if(strlen(loc) < 14)
{
if(loc[14] == 0)
memcpy(data, loc, 17);
else
strcpy(data, loc);
}
}
buf_len = strlen((char *)*location) + strlen(argv[1]);
printf("%s (%d)\n", buffer, buf_len);
clearmem(envp);
clearmem(argv);
bzero(0xbfffff00, 250);
if(buf_len < 56)
func(buffer);
}
Get the file as source: http://phiral.com/research/matrix_challenge.c
If you are able to solve it, e-mail me. matrix@phiral.com
=================================================
+++ The Conscience of a Hacker +++ The Mentor +++
=================================================
Written on January 8, 1986.
Another one got caught today, it's all over the papers. "Teenager
Arrested in Computer Crime Scandal", "Hacker Arrested after Bank
Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain, ever
take a look behind the eyes of the hacker? Did you ever wonder what
made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school. I'm smarter than most of the
other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in junior high or high school. I've listened to teachers explain
for the fifteenth time how to reduce a fraction. I understand it. "No,
Ms. Smith, I didn't show my work. I did it in my head."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer.
Wait a second, this is cool. It does what I want it to. If it makes a
mistake, it's because I screwed it up.
Not because it doesn't like me... Or feels threatened by me... Or thinks
I'm a smart ass... Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened. A door opened to a world rushing through my phone
line like heroin through an addict's veins, an electronic pulse is sent
out, a refuge from the day-to-day incompetencies is sought... a board is
found.
"This is it... this is where I belong." I know everyone here... even if
I've never met them, never talked to them, may never hear from them
again... I know you all.
Damn kid. Tying up the phone line again. They're all alike.
You bet your ass we're all alike... we've been spoon-fed baby food at
school when we hungered for steak... the bits of meat that you did let
slip through were pre-chewed and tasteless. We've been dominated by
sadists, or ignored by the apathetic. The few that had something to
teach found us willing pupils, but those few are like drops of water in
the desert.
This is our world now... the world of the electron and the switch, the
beauty of the baud. We make use of a service already existing without
paying for what could be dirt-cheap if it wasn't run by profiteering
gluttons, and you call us criminals. We explore... and you call us
criminals. We seek after knowledge... and you call us criminals.
We exist without skin color, without nationality, without religious
bias... and you call us criminals. You build atomic bombs, you wage
wars, you murder, cheat, and lie to us and try to make us believe it's
for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that
of judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never
forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual,
but you can't stop us all...
After all, we're all alike.
Copyright 1986 by Lloyd Blankenship (mentor@blankenship.com).
All rights reserved.
==========================
+++ Closing +++ lowtec +++
==========================
Whew! That was a lot of work, and I think this is a very solid first
issue. I'd like to thank all of those who submitted work (thanks to
Strom Carlson for the cover!). I would also like to thank those who
inspired me to start this zine, mainly the now defunct Phone Punx Network
(http://www.angelfire.com/nv/ocpp/main.html), and 2600 for leaving
something to be desired in the area of hacking zines today.
I know we don't do shout outs, but if we did, I'd give a big shout out
to:
the telco-inside crew (telco-inside.spunge.org)
teamphreak.net for putting out a cool zine (and linking to DIG!)
EOF
