A database of 44 millions game accounts!

Posted on May 30, 2010 by wunderbarb

Symantec has located a database server holding 44 million accounts of online gamers. The information in itself is already interesting. But more interestingly is the companion of the server. The database holds credentials, most probably collected by some malwares. But are these credentials still active? For that purpose, the hackers have created a dedicated Trojan that once installed receives a set of accounts to test. If it succeeds to log on one account, it correspondingly updates the database. Using a Trojan on a botnet has the following advantages:

go faster by using many concurrent computers
Bypass eventual limitations of failed login using the same IP address

You may say: “Game accounts! Who cares? It is not as if it was something serious such as bank account”. In that case, you’re clearly not a gamer. More seriously, I would suggest that you take a look at the site player auctions. Wov! You’re not dreaming. This is about real money. And not a few cents!

Once more, we see that hackers are more and more money driven, less visible and not looking for fame.

Thanks MM for the pointer.

SSD accelerates password crack

Posted on May 11, 2010 by wunderbarb

The Swiss company “Objectif Sécurité” was already known for its Ophcrack software. Ophcrack is an open source software that cracks XP/Vista passwords. The originality is that Ophcrack uses rainbow tables. Rainbow tables are data structures, invented by Philippe Oechslin the founder of the company, that drastically accelerate the process of brute force exploration of passwords. Although Ophcrack is open source software, the rainbow tables are not. Objectif sécurité sells these tables.

Objectif Sécurité has designed a new version of rainbow tables optimized to use Solid State Disks (SSD). SSD are blitz fast hard drives using solid state memories rather than magnetic memories. They do not have mobile parts and thus have an extremely fast access. According to Objectif Sécurité, they can crack a 14 character XP password in less than 6 seconds with a rather conventional PC but with 80GB of tables in SSD.

I forgot. The initial requirement is that you have the XP/Vista hash of the user’s password. You can try on their site (don’t use YOUR password hash! :Happy: ). They have a Web demonstration.

UBISOFT re-torpedoed

Posted on March 15, 2010 by wunderbarb

The use of a new type of DRM for its new games “Silent Hunter 5” and “Assassin Creed II” raised a violent reaction against Ubisoft. The software was cracked in less than 24 hours.

But this time, the story did not stop there. Last week, Ubisoft was under a serious Denial Of Service (DOS) attack. Thus, the legitimate gamers were not able to play! These games require online connection for initial authentication but also to save the game! It seems that this weekend a new salvo of DOS was launched from Russia against Ubisoft’s servers. These DOS attacks make the hacked version more attractive (that’s the limit! :Sad: )

Furthermore, some players confirmed on forums that the hacked game was complete (which initially Ubisoft denied).

Lesson: When designing a DRM, we should check what occurs if some context environments fail (such as network connection. The impact should be minimal for the legit customer.

ReFormat: Automatic Reverse Engineering of Encrypted Messages

Posted on March 2, 2010 by wunderbarb

Five researchers, Z. WANG, X. JANG, W. CUI, W. WANG and M. GRACE presented, according to me, a nice piece of work at Esorics 2009.

The objective was to automatically reverse engineer encrypted messages without breaking the algorithms. The basic idea is simple. When a piece of software receives an encrypted message, it performs two steps (regardless of the used cryptographic algorithms and protocols). First, it decrypts the message and then it processes the clear message. This means that the message is during a while in the clear in the memory. if you identify the location of this buffer, and when it is used, then game over.

To succeeed, they used two tricks. The first was to distinguish between decryption routines and normal processing routines. Cryptographic functions use far more bit wise and arithmetic operations than normal software. They measured (on OpenSSL) that more than 80% of the operations were bit wise and arithmetic for cryptographic functions. The rate dropped beneath 25% for normal processing. This heuristic allows to detect the encryption/decryption phases.

The second step is to locate the buffer containing the clear text. They identify all the buffers that are written while in decryption phase. Then, they identify all the buffers that are read during the processing phase. The expected buffer should be in the intersection between the two sets.

Obviously, there are many ways to deter this attack. For instance code obfuscation may change the rate. Dynamic code encryption is of course a must. Nevertheless, I found the approach extremely clever.

Once more, it proves that writing secure implementations is extremely difficult. And it requires clearly a twisted mindset. :Happy:

If you are interested in tamper resistance, you have to read this paper. It is available here.

Attacking the BitLocker Boot Process

Posted on February 11, 2010 by wunderbarb

TPM and BitLocker are interesting targets for security experts. Tarnovsky has recently reverse engineered a Trusted Platform Module (TPM) chip from Infineon. Five researchers from German Fraunhofer Institute have explored attacks on BitLocker when using TPM to seal the data.

The paper is interesting even if you are not familiar with TPM. The team targets the boot loader and especially the recovery strategy. If you illegaly modify the environment of the machine, the TPM will detect it but the sealing data for BitLocker will not be accurate anymore. Thus, Bitlocker uses a recovery mechanism independent from the TPM. The idea is to trick the user in this mode. They suggest five attacks: create a false plausible recovery situation, spoof the recovery message, Spoof then hide, replace the computer by a “‘phishing” computer, and preemptive modification (i.e. modify the computer before activating BitLocker. The two last attacks are less plausible. All attacks require physical access to the target.

Lesson: The attacks target the operating mode and process and not the technology itself. Therefore, they are clever.
Recovery systems are always BACKDOORS in a system!!

The paper is available at here.

H1N1 and social engineering

Posted on December 2, 2009 by wunderbarb

The spammers become extremely good at social engineering. The latest one I received is very clever.

From: Centers for Disease Control and Prevention [674651373med@cdcdelivery.gov]
To: *Security Reporting
Subject: Create your personal Vaccination Profile

You have received this e-mail because of the launching of State Vaccination H1N1 Program.
You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.
Create your Personal H1N1 Vaccination Profile using the link:

create personal profile

This mail is damned clever.

First of all, it uses basic fear motivation: the swine flu and the current actuality: vaccination.
Then a pinch of truth “The Vaccination is not obligatory” and then the trick “every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site” That you vaccinate or not, you have to register!!
Of course, the CDCs exist and the site cdc.gov also. The address inside the link of course does not point to cdc.gov but to an .im This extension belongs to the Isle of Man but can be used by any individual.
Grammar and orthography are OK (at least for me 🙂 ) which is often not the case

When such a mail arrives in a non personal mailbox, there is no doubt that it is a malware. But, will Joe Average detect it as such? Will he not follow the initial reactions of his reptilian brain (flu = fear, CDC = authority…)?

Social engineering is definitively a dangerous weapon.

[update: 3-dec The news about this malware is every where on the blogosphere. Here are more technical details http://blog.appriver … tribute-malware.html ]

Will Quantum cryptography become mainstream?

Posted on October 26, 2009 by wunderbarb

Siemens SIS has teamed up with Swiss ID quantique company to propose quantum cryptography protected key exchange over dark fiber. (See id Quantique and Siemens collaborate to commercialize Quantum Key Distribution in the Netherlands)

Quantum cryptography has the intrinsic propriety to be robust against eavesdropping. According to Heisenberg, when observing an electron, you change its spin. This makes (in theory) its interception impossible, thus extremely secure.

It is one of the first large scale commercial initiative. The offer is currently limited to Netherlands and costs about 80,000$ for a pair of boxes. Thus, it is not yet to protect your personal mails.

But, the future is coming nearer.

The blog of content protection

A site managed by Eric Diehl

Category Archives: Hack