Category Archives: Cyber Security

Account Registration phone verification internals

Phone verification is becoming wide spread for free account sign ups on sites like Yahoo, Gmail, Craig’s list, Facebook etc.   I hate giving out my real info just to test something with a burner account.   In the past, the solution was as simple as Googling “receive free sms” and going to one of dozen’s sites that will receive the verification code.   I knew that it was too easy to last.  Sure enough, the numbers from those sites are now black listed.

I really didn’t want to give out my primary cell phone to Yahoo.  So I reached went for the next best thing.  My VoIP trunk provider has the capability to receive SMS on a VoIP number and forward it to my primary phone, or even as an email.   I entered that in, and to my surprise yahoo still rejected it.   That got me thinking.  How can they be blacklisting my own private number?  No one else registered with it before.

How it works:

With the numbers being ported all over the place, how can they know whether a particular number is a VoIP number?  The short answer is that they don’t know.   They take a guess based on the information that’s publicly available (or available for small fee) through sources such as these:

Local calling guide is actually quite accurate (and free).  Where it messes up, is as soon as a number is ported.   It will only show the name of the telco that originally registered the number, all subsequent ports are ignored.   When I looked up my numbers that failed to verify, sure enough they all came back as belonging to a VoIP company.  Same thing when I tried to look up many “receive free sms” service numbers.   They all showed up as VoIP.

So now what?  I still don’t want to give Yahoo my cell phone

… There isn’t a fool proof way, but some of these may work

  • Port a “real” number to VoIP.  It costs me about $12/first year to have a secondary VoIP number – which of course doesn’t work that great now days.  Porting a real number to VoIP will work, but it’s little bit more time and money.   I figure about $50/first year (get a sim, port it, cancel original service, keep it running as VoIP).   Not that bad, but a little too much trouble for what I’m using it for.
  • Sign up with a service that provides verification codes for burner phone numbers.   They do the above steps for you in mass scale as a service.   I haven’t tried it though.  If they listed their numbers in advance I could look them up to see if they show up as VoIP.  For this to work they must have a proper setup using “real” phone numbers.   Also it’s hard to believe that they wouldn’t get black listed in a hurry.   Maybe there is one that works, but chances are if it works, now it won’t work several months later.
  • Give up for now (until something better comes along)… this is kind of what I ended up doing.  I still didn’t give them a real number; I ended up reviving one of my old yahoo accounts.  I used it instead.


IT Security Secret Weapon: Physical Control

Strong IT security is a losing proposition.   If you want to develop a system that’s connected to the internet that is unhackable, you’ve lost the game already.   There is no such thing.  If someone wants to hack you they will succeed.   The only thing you can do is inch your way up the ladder and eliminate the lowest hanging fruit.   The strategy becomes being faster than your friend rather than trying to outrun the bear.   Other than that get ready to be hacked.   Your goal should be to get hacked less frequently than your competitors, and when you’re hacked you want to be sure it’s an inconvenience rather than a business ending catastrophy.

Preventing the severity of the attack is where the tables turn.   You as an owner of your data, have an upper hand in restoring control. Just as you had no foolproof protection against getting hacked, your adversary faces the same problem if their goal is to wipe  your data or your business operation off the face of the earth.   They will not succeed if you don’t want them to.  Your secret weapon is physical control.  As long are you retain physical control over your data, you may lose many battles, but you will ultimately win the war.

When hackers penetrate a single system, they call that “owning the system”.   However, that is overstating their accomplishment a bit.   They should really claim that they “temporary control” the system.   Of course, that doesn’t have the same ring to it.   They don’t “own” anything if they can be locked out by you the owner.    Yes, they can do all kinds of damage while on the system.   Yes, they can cause down time.   Yes, it can be a huge disaster.   Yes, it sucks to be hacked.  But as long as you retain physical control over your system you’ll always have the upper hand in the long run.

Why physical control?   What makes physical control so special?  It’s because no matter what kind of games and silly wars happen at the OS or application level, you have a secret secret weapon that hackers don’t.   It’s a weapon that’s unstoppable.   It’s a weapon that makes all the games stop.   You have physical control.   Only you can unplug a network cable – they can never plug it back in.   Only you can shutdown a machine – they can never start it.  Only you can do a offline bare-metal restore and they can’t do a thing about it.   Only you can put your your offsite backups in your briefcase, they can hack all night and they are not going to touch those.

This is why public cloud computing is problematic.   Public cloud takes away the only truly effective weapon you had.   You have 0 physical control in public cloud.   You can’t unplug cables, you can’t carry away your backups in a briefcase,  and you can’t restore elsewhere.   You’re not the owner anymore.  With public cloud, you’ve outsourced the battle.  The battle is now between your cloud provider and the hacker.   Will the cloud fight as hard for you as you would fight for yourself?   Probably not.  In fact I guarantee it.   The cloud will point their finger at you and call it a day.

If you’re going to use the cloud, your physical infrastructure needs to be the root that controls it all.    Don’t think of a cloud as a way to “keep your stuff safe”, think of it as a pace where you temporarily place your stuff to get a specific job done.   It could be there one day, gone the next – just like a cloud.   You should always remain the physical owner of your data and of your key infrastructure.





Value of Personal Computing in the Cloud Era

I got my first computer when I was around 10 years old. It was a ZX80 clone with a whopping 64K of RAM. I had a game of pong on that came on a cassette tape and took 30 minutes to load. Sounds annoying now, but at the time, it was the most awesome thing ever. It was magic. As my programming skills improved and as I saw Moore’s law rip open previous computing limits, that sense of magic became internal and intimate. It changed from “wow, look at what that neat box can do”, to “wow, I’m wielding this magic at my fingertips”.   It’s not an accident that computer programmers and system admins are called wizards. When they place their fingers on a keyboard feels like wielding a magic wand. The possibilities feel endless. They are endless.

A personal computer is an intimate extension of our brains. It makes us think faster with powerful CPUs, have photographic memory with gigantic storage, analyze sort and distill information with smart algorithms, have telepathic powers through internet communication and it creates a playground for our imagination through virtual worlds and simulations. Personal computers are the vessel for electronic thoughts. Just as thoughts are personal and private, so is private computing. It’s a personal and private experience.

Cloud computing takes the closely held magic away from us and places it in the hands of a powerful corporation. If you are a magic user rather than magic wizard, this doesn’t seem like a big difference. After all you still reap the benefits, you still touch your precious keyboard and with a press of a button magic happens. The key difference is that with personal computers you own that magic – it’s personal. With cloud computing that magic happens at someone else’s bidding. The user is merely presented with the end result. It’s magic for rent.   It’s a satisfying illusion. When you use cloud computing, you’ve put away your wizard’s wand and substituted it for a fancy TV remote control. Often cloud computing magic appears more powerful than what you could ever hope to accomplish on your own. For that reason it’s tempting to put away your dusty old wand and to follow the rest of the herd away from that dried up patch of pasture you call “yours”, to a never-ending green field shared by all. Unlike personal computing, cloud computing is also easy, it doesn’t force you to learn and it doesn’t demand you to work. Most importantly doesn’t demand answers to any questions. The only thing is to open your mouth, chew and swallow that juicy green grass.

Does this mean cloud computing is always a bad idea? Certainly not. Personal computing is not about living in a cave as a hermit. It’s about defining limits. Personal computing is a question. What is yours and private? What is shared? What is off limits? What should always stay personal? What is the value of your privacy? What can you afford to let float into the cloud? What will you share? What will you keep secret? And when you are ready to head off to the never-ending green field shared by all, ask yourself: Who owns that field? Will it always be green and never-ending? Who makes the rules while I’m there? And most importantly, can I get best of both worlds? Can I visit the never ending green field for a few hours and return back to my own place at a moment’s notice? Or am I entering a one way corral? Can I keep my wand? Or do I have to trade-it-in for a remote control at the gate?

Draw a boundary; define your kingdom – no matter how big or small. Ask yourself, can I claim that territory my own the same way as I claim my mind my own?

Am I free? Will I remain free?

Undetectable Keylogger in 30 minutes

I noticed that all 60 out of 60 popular Windows anti-virus and anti-malware solutions do not catch the simplest keylogger.

For the test I created a windows application using the popular UserActivityHook.cs library.   It took me about 30 minutes of mostly copy and pasting.  I didn’t have to obfuscate the nature of my program nor did I have to pack it’s binary contents.    The program runs as plain user – it doesn’t need privilege escalation either.  In other words, it is very dangerous.   I scanned the executable through virustotal as well as few popular anti-virus and anti-malware programs on various workstations locally and they all passed the keylogger as 100% ok.

This doesn’t illustrate my hacking abilities (I used none).   What this does illustrate is the poor state of anti-malware and anti-virus tools at the moment.  No matter what the marketing materials tell you, the only protection these tools offer you is against specific white-listed instances of malware. For any other attack you’re on your own.


I couldn’t believe my eyes, either, so I decided to dig deeper.

Why was this so easy?

To understand that let’s dig into the various detection methods antivirus programs have at their disposal (thanks Wikipedia) and why each method fails

  • Signature-based detection: is the most common method. To identify viruses and other malware, the antivirus engine compares the contents of a file to its database of known malware signatures. Since this malware is new, there is nothing to compare to.   This is also another reason why I’m not posting the keylogger for everyone to download.   Days after I release it, it will get picked up by one of the many anti-malware teams and a signature will be made out of it in a hurry.   I don’t want to be tagged as distributing malware down the road.   This approach is mediocre, but it’s not good enough – definitely not as good as the various vendors would have you believe.   It’s trivial to bypass the anti-malware scan if you spend 30 minutes making your own.   Even if you copy and paste bunch of stuff together.  On the other hand if you’re using someone else’s tool it will get picked up as malware sooner or later.
  • Heuristic based detection: is generally used together with signature-based detection. It detects malware based on characteristics typically used in known malware code.   I was kind of rooting for the anti-malware programs to catch it based on heuristics,  if they can’t catch my test, how are they catching the keyloggers that others are trying to use against me?    Sadly none did.   This is most likely due to the fact that the Windows security architecture allows keylogging as a very routine function that is used by many legitimate applications.   In particular the keylogger depends on GetKeyboardState API call that’s used for many other benign reasons by other applications.   I still think if the anti-virus companies tried harder, they could catch this based on heuristics.  Currently they obviously don’t.
  • Behavioural-based detection: is similar to heuristic-based detection and used also in Intrusion Detection System. The main difference is that, instead of characteristics hardcoded in the malware code itself, it is based on the behavioural fingerprint of the malware at run-time. Clearly, this technique is able to detect (known or unknown) malware only after they have starting doing their malicious actions.    Once again anti-malware products didn’t live up to this promise.  They could have noticed the writes to disk milliseconds after each key press – they didn’t.   Then again, it is tricky.  There are lot of legitimate programs out there that do write to disk after key strokes and they aren’t key loggers.  
  • Data mining techniques: are one of the latest approach applied in malware detection.   Data mining and machine learning algorithms are used to try to classify the behaviour of a file (as either malicious or benign) given a series of file features, that are extracted from the file itself.    Data mining should have been a no-brainer for an anti-malware tool.    I was doing all sorts of suspicious stuff in my code and not hiding it one bit.   I guess we have to wait until this matures a bit, but given how miserably the other methods failed, I’m not holding my breath for that.

So….  this sucks.   How do you protect myself then?    Right now, you probably can’t.   Anti-malware companies have to step up and detect these kind of things.    Be skeptical, just because you see 57 green check marks on virus total, doesn’t mean it’s safe.   And no, don’t stop using your anti-virus, virustotal or whatever else you have.   Even if anti-virus is 90% effective.  That’s better than 0% without it.

ASP.NET dll download vulnerability


  1. Guess what the dll of the core application is called.  By default it will be called the same name as the ASP.NET project created by the programmer.   Other than taking a guess based on the name of the web site, often it’s possible to determine the name by browsing HTML source or by triggering errors.
  2. Download the main dll by requesting the following URL:
  3. Once you’ve got the .dll downloaded you can decompile it using ILSpy or your own favorite reversing tool.   If you’re lucky, you may find hardcoded passwords.  If not, you can now look for SQL and Linq injection opportunities that the source code is likely to reveal.


  • Most IIS installations restrict access to /bin/ folder by default, but I’ve noticed that for some reason, some don’t.   One way to block this attack is by adding a hidden segment “bin”.


  • I found at least one Linux system running Apache with Mono that was vulnerable.  Linux is not immune, if anything I’d say it’s more likely to allow this attack.

Am I a white hat or a black hat hacker?

Every time I hack or crack something, I face a tough ethical dilemma. I wonder, am I hurting people’s security and privacy by doing this? When I improve the code that is designed to simplify the cloning of RFID access cards, am I helping the society? Am I helping criminals break into buildings? When I write a tutorial that explains “how to hack in”, am I helping the society? Or am I helping the criminals send phishing spam?
To untangle this, let’s start with definitions. White hat hacker is defined as someone who improves security, while a black hat hacker is defined as someone who harms security. This isn’t very helpful. Whose security are we talking about? Is a hacker working for a government security organization considered white hat or black hat? After all, they are improving *their* organization’s security. Are our guys the white guys, while “the other” guys are black hat? And how do we define harm or benefit? Is a hacker who releases info about 0-day exploit causing harm, or benefit? It seems these definitions shift the ethics off to another level avoiding the deeper philosophical implications.

Here is a more useful definition:

  • White hat hacker: Hacker who shares their tools and knowledge in a public and open manner for the purpose of enabling everyone to gain privacy and control.
  • Black hat hacker: Hacker who secretively guards their tools and knowledge for the purpose of relinquishing privacy and control from others.

This definition allows us to ask us another interesting question. What would happen if majority of hackers were white hat? What would happen if majority of hackers were black hat?

Black Hat Majority:


Information security is in a very bleak state. Black hats have all kinds of back doors, and everyday users can only throw up their arms and say “privacy is dead”, “liberty is dead”, “I do not have control over my devices – others do”. This is a state we are in now.


White Hat Majority:


Information security is in a good state. Published exploit is a defensible exploit. Black hats still have the fringes to operate in. However, overall, every day users are fairly certain that they have the control over their systems and that they are not just puppets within a system controlled by others.

This makes it easy for me to say: I’m proud to be a white hat hacker.  I’m also proud to be on the right side of the race between the two sides.

I hope this makes others who have been on the sidelines, wondering what’s the right thing to do, jump right in.

Improved proxmark3 scanning of ioProx / Kantech fobs

I’ve been playing with my new proxmark3. It works great for HID cards, but ioProx code is still in its infancy. I made some improvements to it based on analysis by marshmellow:

  • Better accuracy: You no longer have to worry about centering your fob on the antenna or scan it repeatedly to get a “good” reading. Now you can just hold it in your fingers to scan. Before this update I was averaging 10 – 70% accuracy depending on how I held the fob. This version is pretty much 100% – I haven’t had a bad scan yet.
  • Correct decoding of human readable XSF number: Previous version had a bug that displayed the wrong unique code and the wrong facility IDs.


Download the binary firmware (including source code patch if you want to build it yourself) .

There is still more work to be done. For example, there appears to be CRC or checksum near the end – it’s still a mystery.

CAPTCHA firewall bypass / port knocking portal

Couple of my clients’ sites were being probed by botnets.   It was the usual:

  • Common vulnerabilities probes
  • Password guessing attacks

It didn’t warrant putting them behind a firewall, but I also didn’t like the idea of having it open to relentless automated 24×7 scanning. The sites were extranet type of sites, not really public, but not private either.  I scratched my head a bit trying to figure out how I could improve security without inconveniencing users.  What I came up with is this method:

  1. Any access to the website is blocked by a “captive portal” like page
  2. When the user provides the portal what’s being asked for (in this case correct answer to CAPTCHA) the firewall opens an exception to their IP and the user is redirected onward to the site they were looking for.

Is this secure against a determined hacker?  Definitely not.  Solving the CAPTCHA takes only 3 seconds and they’re in through the first layer of defense.   That’s why it’s critical that this is treated as an extra (thin) layer of defense and not as the only layer.

Is this secure against 99% off all attacks out there? (worm / botnet attacks on autopilot): Definitely

How is it implemented?

  • PHP page shows the portal page
  • If CAPTCHA is correct, IP is collected from $_SERVER[“REMOTE_ADDR”], sanitized and saved in a file that keeps track of allowed IPs
  • PHP  page then triggers a shell script that updates iptables with the following entry:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -s $AllowedIP -d $YourIP -j DNAT --to-destination $TargetIP:80

How can this be improved?

Nothing says that access is given with a simple CAPTCHA, there could be full authentication that takes pace before firewall is opened.  Furthermore it could close shortly after access is given disallowing any fresh TCP connections.   Think of it as authenticated port knocking.

security proxy


You’ve probably seen a page like this if you’ve stumbled across CloudFlare protected site when using Tor.  I don’t know what internal mechanism they use, but I imagine it’s very similar.


API Monitors

When reversing applications it’s useful to see what’s happening under the hood.   Up until now I’ve either had to bring out OllyDbg and dive into assembly or rely on a high level tool like Systernals Process Monitor.   I’m fond of strace on Linux, but when I searched for “strace for Windows” resulted in tools that were not very reliable.   That was couple of years ago.

Today I stumbled on these two API monitors that do exactly what I need on Windows: