November 22nd, 2014

“MIFARE Classic” report released

Researchers from the Institute for Computing and Information Sciences at Radboud University in The Netherlands have, at long last, published their report (PDF) on the security posture of the MIFARE Classic system. The report, simply and appropriately entitled “Dismantling MIFARE Classic”, was presented as part of the 13th European Symposium on Research in Computer Security (ESORICS 2008).

At a mere 18 pages, the report still provides good detail about the team’s findings, including the hardware setup, the crypto used by MIFARE Classic (including the oft-ridiculed 48-bit CRYPTO1 cipher), and exploits that can be launched against the system. Additional information can be found at the homepage of Flavio D. Garcia, one of the researchers involved.

Hat tip to Security4all for the notification on this paper.

OWASP Testing Guide v2

The Open Web Application Security Project (OWASP) has released an updated version of its web application pentesting methodology, the OWASP Testing Project. It is the culmination of 3 years of research covering testing approaches for topics like SQL Injection, AJAX, Fuzzing, Information Gathering, and other areas relevant to web application testing. The methodology is available for download as PDF or DOC files, as well as for online browsing/editing on the project’s wiki, where anyone can contribute to further development.

News for slacking hackers

Here are some of the stories that have been in the news during the last week:

  • True, none of us really need any more reason not to like the Diebold voting machines, but the latest news really puts things over the top.

    Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways.

    Update (5/12/06): Here is a link to a report by Black Box Voting (.org) with some of the specific technical information removed, along with a “Full Disclosure” type discussion on the forums. Here is a link directly to the .pdf. Their conclusion is that all machines need to be recalled, re-engineered and re-flashed. They estimate that the machines can be contaminated (pwn3d) in less than 5 minutes.

    As seen on Schneier

  • Adrian Lamo, the “homeless hacker”, is in the news again, this time because the feds want his DNA. Adrian doesn’t want to give up his blood, and cites religious reasons (though he doesn’t say which). Apparently this is a requirement for all federal felons.

  • Eric McCarty is being prosecuted for helping to point out a security hole. While how he did it seems a bit gray, it’s still not a good trend for security researchers. Don’t shoot the messenger.

    From Wired, and written by Jennifer Granick.

  • After allegedly committing the biggest military hack of all time, UK hacker Gary McKinnon will most likely be extradited to the US. The best part is that he says he was just Looking for UFOs.

  • Last but not least, Annalee Newitz brings us 5 tales from the RFID-hacking underground.
