Archive for February, 2006

Fedex Kinko’s Smart Cards Hacked

Tuesday, February 28th, 2006

Abstract:
———
The ExpressPay stored-value card system used by FedEx Kinko’s is vulnerable to attack. An attacker who gains the ability to alter the data stored on the card can use FedEx Kinko’s services fraudulently and anonymously, and can even obtain cash from the store.

Description:
————
The FedEx Kinko’s ExpressPay system, developed by enTrac Technologies of Toronto, Ontario, is based on a Siemens / Infineon SLE4442 memory chip card. The data stored on this card is freely rewritable once a three-byte security code has been presented to the card’s security logic. Neither this security code nor the data stored on the card is encrypted; anyone able to obtain the security code is free to rewrite the data stored on the card using an inexpensive commercially available smart card reader/writer.

The first thirty-two bytes of the memory chip card are writable and subsequently permanently write-protectable (in this application, these bytes are write-protected), and contain a header which identifies the card as an ExpressPay stored-value card. Bytes 0x20 through 0x27 contain the value stored on the card, represented in IEEE 754 double-precision floating point format. Bytes 0x60 through 0x6A contain the card’s eleven-digit serial number stored as unsigned zoned-decimal ASCII; digits 0x60 through 0x63 are the store number the card was initially issued at, and the remaining seven digits are assigned sequentially at the moment of first issue. A timestamp indicating the date and time of issue is located from 0x30 through 0x37, and is repeated from 0xC7 through 0xCE.

In order to write to the card, a three-byte security code must be presented in a specific sequence of commands as outlined by the SLE4442’s white paper. By soldering wires to the contact points of the card and then connecting those wires to an inexpensive logic analyzer, an attacker can sniff the three-byte code as the kiosk or a card terminal prepares to write data to the card. This security code appears to be the same across all FedEx Kinko’s ExpressPay cards currently in circulation.

Once the three-byte code is known to the attacker, the card’s stored value and serial number can be changed to any value. The ExpressPay system appears to implicitly trust the value stored on the card, regardless of what that value actually is. The system will also accept cards with obviously fake serial numbers (e.g. a non-existent store number followed by all nines). Using these altered cards, xeroxes can be made from any machine with a card reader, and computers can be rented anonymously and indefinitely. Most disturbing, however, is that since stored-value cards can be cashed out by an employee at the register at any time, an attacker could cash out altered cards obtained at little or no monetary cost. If a card is cashed out, its serial number does not appear to be invalidated in the system. If an attacker were to clone a known good card and cash it out, the clone would still be usable.

Tested Vendors:
—————
- FedEx Kinko’s

Suspected Vendors:
——————
- Any client of enTrac Technologies who uses the ExpressPay stored-value card system.
- Any company which uses a stored-value card system based on the SLE4442.

Vendor and Patch Information:
—————————–
Proof-of-concept of the initial security vulnerability was achieved on 8 February 2006, with research into the ramifications continuing through 12 February. Copies of this report were sent to both FedEx Kinko’s and enTrac Technologies on 15 February; a read receipt was returned from enTrac on 19 February, while no receipt has yet been received from FedEx Kinko’s.

Solution:
———
- Encrypt data before storing it on the SLE4442 card, or migrate to a system which uses cards which have built-in encryption functionality.
- Verify that the stored value on the card does not significantly differ from a reference value stored in a database.
- Do not allow the use of cards with invalid serial numbers.
- Invalidate serial numbers of cards that are cashed out.
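As an added example (not code from the advisory, from enTrac, or from FedEx Kinko’s): a decoder for the card layout described above, paired with the server-side checks the Solution list calls for, so that the stored value and serial number are verified against a reference rather than trusted. The little-endian byte order of the double, the 256-byte image size, and the sample serial numbers are assumptions made for the example.

```python
import struct

# Layout of the ExpressPay SLE4442 image as given in the advisory.
VALUE_OFFSET, VALUE_LEN = 0x20, 8      # IEEE 754 double-precision value
SERIAL_OFFSET, SERIAL_LEN = 0x60, 11   # ASCII digits; first four = store number
IMAGE_LEN = 256                        # assumed size of a full SLE4442 dump


def parse_card(image: bytes, byteorder: str = "<") -> dict:
    """Decode the stored value and serial number from a card image.

    The advisory does not state the byte order of the double; little-endian
    ("<") is an assumption here and can be overridden by the caller.
    """
    if len(image) != IMAGE_LEN:
        raise ValueError(f"SLE4442 image must be {IMAGE_LEN} bytes")
    (value,) = struct.unpack(byteorder + "d",
                             image[VALUE_OFFSET:VALUE_OFFSET + VALUE_LEN])
    serial = image[SERIAL_OFFSET:SERIAL_OFFSET + SERIAL_LEN].decode("ascii")
    if not serial.isdigit():
        raise ValueError("serial number is not zoned-decimal ASCII")
    return {"value": value, "serial": serial,
            "store": serial[:4], "seq": serial[4:]}


def validate_card(card, known_stores, ledger, cashed_out, tolerance=0.01):
    """Server-side checks from the Solution list; returns a list of problems.

    ledger maps serial -> reference balance held in the database;
    cashed_out is the set of serials already redeemed at a register.
    """
    problems = []
    if card["store"] not in known_stores:
        problems.append("unknown store number")
    if card["serial"] in cashed_out:
        problems.append("serial already cashed out")
    ref = ledger.get(card["serial"])
    if ref is None:
        problems.append("serial not on file")
    elif abs(card["value"] - ref) > tolerance:
        problems.append(f"value {card['value']:.2f} differs from ledger {ref:.2f}")
    return problems


def make_image(value: float, serial: str, byteorder: str = "<") -> bytes:
    """Build a constructed sample image (not a real card dump) for testing."""
    img = bytearray(IMAGE_LEN)
    img[VALUE_OFFSET:VALUE_OFFSET + VALUE_LEN] = struct.pack(byteorder + "d", value)
    img[SERIAL_OFFSET:SERIAL_OFFSET + SERIAL_LEN] = serial.encode("ascii")
    return bytes(img)
```

A card is honoured only when `validate_card` returns an empty list; a ledger mismatch or an unknown store number on an otherwise well-formed card is exactly the altered-card case the advisory describes.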

Credits:
——–
Strom Carlson, Secure Science Corporation: Hardware Security Division
stromc@securescience.net

Recent Haxdoor Distribution Breaks SSL via Pharming

Tuesday, February 14th, 2006

Secure Science Corporation released an advisory regarding the fact that the latest pharming techniques utilized within malware have broken SSL. Chapter 5 of Phishing Exposed, a book by Lance James, who happens to work for Secure Science, demonstrated this technique as an upcoming threat that phishers will take advantage of. The report on how this SSL pharming attack occurs can be found on the advisories page at Secure Science.

Mountain-America.net Phish Uses Valid SSL Certificate

Monday, February 13th, 2006

A recent phishing email targeted at the Mountain America Credit Union has been generating a lot of news today, even reaching the front page of Slashdot. The phishing email requests that the user enroll in the Verified by Visa program, a legitimate security program offered by Visa, and includes the first five digits of the card being enrolled. These five digits are found on all Mountain America cards, but it is unlikely that Credit Union members understand this. The link in the email redirects the user to www.mountain-america.com - which is of course a phishing site with a look-alike URL. The real URL of the bank is www.mtnamerica.org.

What the press finds most interesting about this story is that the phishing site was issued an SSL certificate this morning by Equifax, which is now part of a company named Geotrust. SSL certificate issuers are supposed to have a process in place to ensure that the entity requesting the certificate is authorized to do so on the company’s behalf, obviously to avoid situations like this where SSL certificates are issued to illegitimate sites. In this case, Geotrust claims that their largely automated process failed to flag the site as suspicious, because the domain name was not matched to any related financial institutions…

The Washington Post and the Internet Storm Center have more on the story.

Botnet Attack Shuts Down Hospital Network

Sunday, February 12th, 2006

A California man, along with two minors, is facing felony charges after unleashing a botnet in January 2005 that resulted in shutting down the network of the intensive care unit at Northwest Hospital and Medical Center in Seattle. The hospital’s computers, along with up to 50,000 others across the country, were used to make over $100,000 from adware affiliate programs.

The Seattle Times has the full story.

Phisher in Japan Gets Caught

Tuesday, February 7th, 2006

The Tokyo Metropolitan Police Department served an arrest warrant on a 25-year-old male for phishing Yahoo! Japan’s Internet auction service.

The story in detail can be found here.

WMF Exploit Purchased on Underground Criminal Market

Thursday, February 2nd, 2006

According to eWEEK the 0-Day WMF exploit was peddled on the underground market for about $4,000 via Russian hackers.

Microsoft IE7 Beta 2 urlmon.dll DoS

Wednesday, February 1st, 2006

It took less than 15 minutes for one researcher to find a Denial of Service vulnerability within the new Microsoft IE7 Beta 2 which allows an attacker to crash the browser and/or to execute arbitrary code.

Technical details from the advisory:
When running a specially crafted .html file, urlmon.dll improperly parses the ‘BGSOUND SRC=file://—’ (approx. 344 dashes) and causes the crash.

The advisory can be found here along with a proof of concept crash page here and a screenshot of the crash here.