It took them a while but it has finally arrived. Sweet! π
Category: General
Why morons shouldn’t be writing about security, part 2
I read Kotaku's article called "FBI Says Alleged Hackers Used FIFA To Steal Millions From EA" this morning. And it reminded me of the crap articles Catalin Cimpanu writes at Softpedia.
What's wrong with Kotaku's article?
Well, pretty much everything.
First, this group did not steal from Electronic Arts. If fact, not a single penny of real currency was taken from EA.
According to an unsealed FBI indictment, Clark and his co-defendants allegedly built a tool that would send false signals to EAβs servers to spoof matches, generating these FIFA coins at a rapid rate. The FBI alleges that Clark and crew then sold the coins to third-party sellers, earning millions.
Exactly! Guys received FIFA coins from EA (it's an in-game currency) which they later sold on underground sites. Money came from persons entirely unrelated to Electronic Arts and it was given voluntarily. And that, by definition, is not a theft.
The article continues with a plenty of other funny statements like
.. worked with the defendants to get Xbox development kits and reverse-engineer a pirated copy of FIFA 14 using a program called Interactive Disassembler. This process took several months, Alcala said, but it allowed them to create a tool for mining FIFA coins.
I just love the IDA reference in here. π These guys used disassembler, they must be real evil hackers! All in all, this article is a fun read but it got all the basic facts wrong.
Mr. Jason Schreier, please stop writing about things you have no clue about. Stick to your video game reviews or something.
What is really happening?
Thankfully, UK journalists have much better idea of what's happening in US courts, and they wrote a much better article. According to the indictment, the charges are "conspiracy to commit wire fraud", a stupid catch-all term used in US courts for pretty much everything done over the Internet.
That document is equally funny read and shows how desperate the prosecutors must be to make any charges stick. Let's see:
- the defendant assisted in creating a program (...) which sent electronic messages to EA's servers fraudulently representing that thousands of FUT matches had been completed in the EA's FIFA video game. EA's servers materially relied on the completed match messages and credited various accounts maintained by the defendant and his co-conspirators with FIFA coins. - this is the only part of the indictment that actually makes sense. Kinda. There's one teeny tiny detail - RANE Developments got virtual goods from EA. And the legal status of virtual goods is very unclear in the United States. If virtual goods are not "money or property" in the eyes of law, then there was no fraud.
- the defendant and co-conspirators continued to create and execute new methods to circumvent the security measures by EA in EA's effort to prevent fraudulent activity associated with the company's FIFA video game. - that might be a breach of EULA but not a crime;
- executed their "application" through a video game console, which they modified to circumvent security and copyright protections, and on game development kits, which they obtained from unlicensed sources. - we're getting desperate, let's charge them with modding their consoles!
- executed their "application" through cloud computer servers, which allowed them to run more copies of the software and obtain significantly more FIFA coins. - if nothing else helps, let's charge them with renting cloud computer servers! Oh, wait, what? π
Naturally, the defendant has pled not guilty to the charge. And if his lawyer is any good, I'm guessing he'll walk out of the court as a free man.
Gone for summer vacation
Last few months were quite busy for me.
On the good side: I solved 2 tracks of Labyrenth CTF - Windows and Documents. Unfortunately they still haven't published the Honor Roll, so I have no clue if I placed 1st, 2nd or 44th..
On the bad side: there are lots of changes happening in my office. I don't mind changes per se but the uncertainty of the future of the company.. Well, that's not great.
So, I'm leaving for summer vacation. I'll spend almost 4 weeks on islands with very spotty mobile coverage and almost certainly without Internet access. Will be back in mid-September, relaxed and ready to do some serious reversing again.
Have fun and talk to you all later!
Six-factor authentication (it’s not)
Today I read an article in The Register called Tor torpedoed! Tesco Bank app won't run with privacy tool installed.
It's a fun read about Tesco's Android banking app and how it refuses to run when Tor application is installed on your mobile. But what really caught my attention, is this comment to the article:
I did a count of my account with a certain bank and when I use a PC which does not store their funky cookies, I get 6 (yes really, 6) steps for authentication.
- Initial Customer code
- Security password as there is no cookie so PC is not recognised
- pre-agreed image
- pre-agreed phrase
- Customer Number
- Security code
and if I use a Windows PC it whinges that I don't have cRapport which would 'improve my security'
So 6-Factor security isn't good enough and you want an extra package to help???????
Sir, if you ever read what a multi-factor authentication is, you wouldn't be stating such nonsense. All six of the steps you mentioned are of the same factor - "something you know". As such, they provide no additional security, as one keylogger/screengrabber will capture them all.
Why your bank insists on you jumping over so many redundant hoops, remains a mystery..
Quickpost: addicted to meaningless jargon
This is a great article about one journalist's experiences in the RISE conference.
βWe visually organize your email and cloud-based content for ultra fast access,β says Kalpesh, reading from his promotional materials. βItβs visual storytelling with any type of content.β
Say what? What does this thingy do? I have no clue.
Apparently I'm not alone. Luckily, article author translated it to plain English:
Translation: Cubes is actually an app that pinpoints anything thatβs not plain-Jane text in your email or Dropbox accounts (a photograph, an excel file, a YouTube video), takes snapshots of those things, and then bundles them together in a standalone app.
OK, now I get it. Thanks! π
However, the sad thing is, it's not just startups. If you're working in a large company, you've probably seen these kinds of emails sent by your pointy-haired bosses. They are stuck in their bubbles talking about "disruption", "alignment" and "engagement". How about this:
To ensure synergies and alignment between the finance strategy and business needs, Mr.X will co-operate closely with all finance functional leads, including aligning closely with Mr.Y and his team to ensure the consistent dissemination of financial information.
No, I really don't know why our company is going to pay $100k a year to this guy. Do you?
BTVStack.exe requesting access to Skype on every startup
Background
At home I'm using a desktop computer. It has ASUS motherboard with Atheros Bluetooth chip. I have all the drivers installed but I'm not using Bluetooth at all.
Problem
Some time ago I started getting these notifications every single time I started Windows:
btvstack.exe is requesting access to Skype. Only allow access to programs downloaded from a trusted source as they will be able to use information such as your Skype contacts and messages.
No matter what option I selected, it would ask me again on next reboot. Bloody hell!
If you google for the solution, you'll notice that:
- It's a quite common problem;
- Most common solution is to deny/allow access either using the dialog above, or Tools->Options->Advanced->Advanced Settings->Manage other programsβ access to Skype;
- Another solution for Windows 8+ is to deselect "Allow Bluetooth devices to send you PIM items such as business cards, calendar items, e-mail messages, and notes. " in Bluetooth Control Panel applet;
Unfortunately, first solution was not working for me. And second solution is not feasible because there is no such option in Windows 7 Control Panel.
Solution
Since I don't need Bluetooth but I don't like to have broken drivers, I decided to disable just the offending DLL. From the elevated command-prompt I ran
regsvr32 /u "C:\Program Files (x86)\Bluetooth Suite\SkypeAgent.dll"
and the problem has disappeared. Great success! π
Hope this helps someone else too.
Beautiful code
After making quite a few unpackers and other RE-related tools, publishing sources for them and having to maintain and bugfix them, all I can say is: "Read this. Remember this. Worship this."
All code is born ugly.
It starts disorganized and inconsistent, with overlaps and redundancies and gaps.
We begin working it into an imperfect solution for an often poorly defined problem.
As we start building up like clay, a solution starts taking form. The feedback guides us in moving, removing and adding material. It allows us to add and remove details. We learn from our mistakes.
Thank you, Dennis, you made my day so much better.
Quickpost: application reversing becoming legal in USA?
Last Friday authors of Dotfuscator made quite an interesting blogpost, claiming that reverse engineering applications in USA is becoming a legal means for acquiring intellectual property, thanks to the Defend Trade Secrets Act of 2016.
I am not a lawyer, and such statements coming from authors of obfuscator should be taken with a grain of salt - but it's an interesting read nevertheless. What's your take on that?
I bought a software today…
I never buy software. Not sure why is that, probably I just don't see a point in doing that. To me, most of the software seems ridiculously overpriced.
- Paying 30 euros for a copy of WinRar? Are you kidding me?
- Paying 70 euros for latest Need for Speed racing simulator I'm not even sure I'll like? I'm not a hardcore gamer, I'm just looking for a good fun for a rainy evening.
And subscription-based software is even worse:
- Antivirus solution that is constantly annoying you - $40/year.
- Office 365 Home - $80/year.
- Adobe Creative Cloud - $120/year.
Do I look like a f*ing Rockefeller to you?
Hello Adguard!
Imagine my surprise when yesterday I noticed that my beloved Adguard actually has very reasonable prices. And they are offering 40% discount for all licences until May 4th, 2016. Lifetime license for less than a cup of Chai Latte in Starbucks? I'll take that, thank you very much!
Well, it's actually half-true. If you just open their main page in the browser and go to "Purchase", you'll probably see that a lifetime license costs $14.97. Not exactly a cup of Chai Latte.
Hacking Adguard pricing
To get those extra nice prices, you'll need to perform a little trick. Open the mobile version of the same page in your browser: m.adguard.com. Now go to purchase. And now switch to prices in Russian roubles. 179RUB for a lifetime license! π
According to Paypal, I just got my lifetime license for:
Payment: 179.40 RUB
Payment sent to: pr@adguard.com
From amount: $2.94 USD
Cheers!
Summary
If you're interested in a decent adblocker for Android device, I recommend that you give Adguard a chance. No root required! They also have adblockers for Windows and Mac but I haven't tested those.
Full disclosure: the link above is my affiliate link with Adguard. If 4 people will follow this link, install and use Adguard for 30 minutes, I will get a free 1-year license. In that case, I will donate this license to LCF-AT to help with ad-filtering issues.
If you hate affiliate links of any kind, please feel free to visit using a direct link: adguard.com - it's well worth it.
Have fun blocking the ads! π
JS-boobytrapped ZIP files, or why morons shouldn’t be writing about security
This morning I noticed Softpedia article titled "How to Prevent ZIP Files from Executing Malicious JavaScript Behind Your Back".
Here's the beginning of the story in all it's glory:
Let me repeat that:
When unzipping the file, the JavaScript file would execute, automating various operations.
Naturally, I was curious about the cause of this issue and why I haven't heard about it before.
Little bit of reading, little bit of Googling and here's the original post from F-Secure: "How-To Disable Windows Script Host". They write:
And such .zip files typically contain a JScript (.js/.jse) file that, if clicked, will be run via Windows Script Host.
Somehow Softpedia authors managed to convert "user clicking on a JS file" into "JS file being launched automatically when unzipped".
Dear Mr. Catalin Cimpanu, please stop writing about security. Open a hotdog stand or something, that's much more suitable for your skill level.