ATM In-Security in 2013 | ATM Security Flaws & Vulnerabilities

Introduction With the recent SecTor security conference in Toronto Canada, once again ATM security flaws have risen to the top of the agenda.  ATM flaws have become wide-stream knowledge since Barnaby Jack showed off his ‘Jackpotting‘ attack.  ATM flaws have once again become a hot-topic since the late Barnaby’s demise two weeks prior to this years Blackhat conference (USA 2013) where he was going to present about Pacemaker flaws.  Barnaby…

Proxmark3 – Adding Ultralight Support

Introduction The Proxmark3 appeared to be missing Mifare Ultralight support.  The ability to identify Ultralight cards was present within the ‘hf 14a reader‘ command. However the facility to read and write cards was sadly missing. But no worries as the protocol and instruction set is essentially the same as Mifare Classic; the only difference is standard Ultralight cards do not need authentication, and encryption and the Block size is 4…

SDR – ADS-B Decoding: RTL1090 (Windows)

RTL1090 is  a program that will automatically decode ADS-B signals that are commonly found on the 1090MHz frequency.  Alternatively known as Mode S, ADS-B allows a variety of types of data to be sent from the transponder, including: ICAO aircraft code (the tail number of the plane can be obtained from this) Flight Number Altitude Location (Longitude and Latitude) Heading Using this software on Windows from the picture above we can…

USB Rubber Ducky – Part 3: Crypto Duck

Background The USB Rubber Ducky is an extremely powerful and versatile device.  Sadly, the potential is missed, and this is probably due to its high price tag (from an initial small development production run).  Since its release mid-late 2011, the Ducky has grown in popularity and the Hak5 Team have more than doubled their production run, meaning costs have been slashed in half.  Potentially with enough interest and investment the…

USB Rubber Ducky – Part 2: Attack of the HID

Background The USB Rubber Ducky was introduced in our previous post “The Return of USB Auto-Run Attacks“.  This is the first of many follow-ups, that introduce new attack scenarios and the increase in functionality, that really makes this tiny device a big part of the hearts of penetration testers. Brute-force attacks…

Magstripes Revisited | Access Control – Part 1 | InteliSecure

Background You would think in this day and age that everyone would be using RFID for access control on their buildings / environment. You’ll be surprised that magstripes are still quite commonly in use. But unlike hotels (at least the reputable chains I’ve stayed at, I’ve always held onto the keycard and then analysed the keycard back at the office) which appear to encrypt their data, the access control mechanism…

The Return of USB “Auto-Run” Attacks

Background USB Autorun attacks became the rage back in 2005.  Hak5 created a project to increase awareness of this security issue called USB-Hacksaw, originally a U3 device that would auto-run a series of programs.  This could be used from general system administration tasks, or potential malicious tasks; such as installing back-doors and running password collection programs.  Shortly, Vendors like Microsoft started to remove Auto-run capabilities to prevent more serious malware…