Category Archives: misc

[Security] Credit Card Authorization Compromised

Security experts from the Computer Laboratory of the University of Cambridge have compromised the electronic autorization and verification process of major credit and debit cards like EC-Card, Eurocard, Mastercard and VISA (EMV).

The computer scientists team around Steven Murdoch found a flaw in the in the EMV protocol which allows criminals to use a stolen genuine card to make a payment without knowing the card’s PIN.

Using a man-in-the-middle attack they trick the electronic terminal into believing the PIN was verified correctly while telling the terminal to step back into signature based authorization mode.

This being said, credit card companies and banks worldwide will not be able to hide behind the phrase that their systems are secure and that customers who have been stolen credit cards have not observed the rule to destroy their credit card’s PIN. Insurance companies take care: customers recurse receivables against issueing banks are coming.

Links:
» IEEE Symposium on Security and Privacy: Chip and PIN is Broken (PDF)
» BBC.co.uk: New flaws in chip and PIN system revealed
» University of Cambridge: Computer Laboratory

Documentary is courtesy of BBC.co.uk

[Labs] Unofficial InsanelyMac.com Search Plugin for Firefox

Merry Chrismas, guys. We felt it was kinda overdue to have an INSANELYMAC.COM search plugin added to our beloved Mozilla Firefox. Of course we can also do this manually, but why not having things automized? So here we are.

What does the plugin do?
Basically we’re using our beloved Google.com to search the InsanelyMac.com site.

Disclaimer
We are neither affiliated to InsanelyMac.com nor are we affiliated to Google.com, but we felt it might be rather comfy to have this thing automized eventually.

Warning
This is pure amateurish scripting, we won’t garantee anything. Use on your own risk. Although you may hang a cross above your computer, it may explode anyway ;-) For the paranoids among you download XML file for manual installation.

How it works
Click this button and you’re gonna be offered to install this plugin.

[misc] Web Empfang von MMS mit Alice / Hansenet

Wir alle kennen die Situation. Ein Freund sendet uns eine MMS und wir erhalten eine SMS stattdessen, obgleich unser Telefon MMS fähig ist. Warum eigentlich?

Nun das ist sehr einfach: sofern man selbst keine MMS bislang versendet hat, geht der Provider davon aus, dass man kein MMS fähiges Mobiltelefon besitzt. Das ist einerseits ein guter Ansatz, andererseits jedoch auch eine nette Art, 60 Millionen deutschen Mobilfunkkunden zu zwingen, zumindest eine einzige MMS zu versenden – nämlich damit sie imstande sind, MMS zu empfangen.

60 Millionen MMS x 0,29€ pro MMS, bei jedem Wechsel des Mobiltelefons… Hmmm, nette Summe für die Portokasse der lieben Telefonkonzerne, aber lassen wir das lieber. Heute ist ja dritter Advent.

Blöd wird es nur, wenn einzelne Provider, die die Netze anderer verwenden, die SMS Benachrichtigungsoption für eingegangene MMS’ nur unzureichende implementieren. So isses beispielsweise bei dem deutschen Anbieter Alice / Hansenet. Hier erhält man folgende Nachricht:

Sie haben eine MMS von +491231234567 erhalten. Sie können diese im Web unter lesen. Ihr PIN lautet aB3D5F.

Tja. Äh wo soll ich die abrufen? Genau, nirgendwo. Der Link ist irgendwie nicht in der SMS enthalten. Einige Tests zeigen, dass in allen SMS Benachrichtigungen über eine vorliegende MMS, die von Alice derzeit versendet werden, die Webadresse fehlt. Macht ja nichts, wenn wenigstens Google etwas Hilfreiches zu Tage fördern würde … Hmm… Google hilft leider nicht… Also Gehirn anstrengen.

Alice ist im Mobilfunkbereich Reseller von O2 Produkten. Also mal bei o2 schauen, wo man die MMS online abrufen kann… Hmm… Google vermeldet (nicht ganz auf Anhieb): http://o2online.de/goto/o2mms

Und tadadada… Alles wunderbar. Meine MMS kann ich nun hervorragend bei O2 im Web abrufen. Oder sollte ich vielleicht doch mal die MMS senden, damit mein Provider merkt, dass ich MMS direkt auf dem Mobiltelefon empfangen kann?

[Anonymity] How To Protect Email Addresses against Spam

The Novel

Since the very beginning of the internet in its occurence as the world wide web (www) in the mid of the 1990s there were bad guys.Those bad guys rapidly realized how to make a quick buck out of the technological inexperience of the new inhabitants of the www. It was the days when people had their first contact with HTML. First projects were showing the people’s dogs and the family and looked kinda ugly – from nowadays view.

So people began to show parts of their privacy to the masses almost without fully realizing that their website from now on was visible all over the world. And they added a contact @ character, hoping that other cool people would send them emails and telling them how cool the website about their dog is. But the people didn’t anticipate the guys who knew how to make money from pulling a fast one on others.

One of the first things the bad guys noticed was the fact that the principle of bulk mails could be easily transferred to the internet. So the bad guys began to manually collect email addresses from the websites of the dogowners and all the others. But what to advertise via email? We nowadays know how this question was answered. Those bad guys began to setup porn websites. They often used illegally copied photos of naked women or sex scenes from magazines.

They sent the dogsowners and all the others invitations for porn- or erotics-sites and appealed to their sexual drives. Many of the early days’ porn site operators were email address collectors themselves. They knew porn would sell till the end of mankind.

It didn’t take long and someone improved the way of collecting email addresses. He coded a robot (spam spider) who was able to scan the websites and search for those two HTML tags:

  • <a href="http://www.linktonextsite.org">Link To Next Site</a>
  • <a href="mailto:mymailaddress@mywebsite.org">Send me a Mail</a>

I bet you can already smell how the story went on. The email addresses were written automatically into databases. And while the internet was growing and the amount of websites escalated virtually thru the roof the amount of people who understood to make a living from sending porn, erotic and viagra mails to the people also increased.

Although the novel above may not be 100% historical accurate, the problem of spam nowadays has become even worse.

Today it is estimated that 90% of the emails sent around the globe are spam.

What can we do about it?

Fight Spam Technically

As we’ve seen how the system works. Bad guys use automated robots to search the www for exploitable email addresses and write them back into their databases. So as a website operator the one and only question to take into consideration is: how to hide the email addresses?

Some time ago we’ve found a very nice way, that we are using for quite some years. We don’t know where we found it – otherwise we would credit the guy who wrote it.

Instead of using

  • <a href="mailto:mymailaddress@mywebsite.org">Send me a Mail</a>

we slightly obfuscate the email address by using Javascript. Every webbrowser nowadays perfectly understands Javascript, Ajax and even more. See here what we do:

  • <a href="#" onclick="mp='@';mp='mymailaddress'+mp;mp+='mywebsite.org';this.href=mp;">Send me a Mail</a>

So what’s happening here?

This integrated javascript reacts after you clicked on the “Send me a Mail” link. It then uses the temporary variable mp to reassemble your email address. By not putting the email address as a string into your HTML source of your website this scripts prevents (almost) any spam robot to recognize your email address. As a matter of course we recommend to use this technique from the first day a website is on the internet.

You can easily modify this javascript by changing the variable to another name or by changing the order.

We hope you had some fun in this lesson and appreciate your feedback.

[Anonymity] Anti Spam Strategy

As seen in the past, the spammers steal our valuable life time with sending us porn, drugs and software offers, that we would never have dreamed of. The question is: where do those spammers get the email addresses from? And there are two simple answers.

First being the problem that anyone having a website, mostly also has provided a valid email address for contact purposes. Here in germany in most cases we are even legally obliged to provide such an address as imprint (Impressum). So spammers send robots to the net and harvest all those email addresses and write them back into databases and let them grow and grow. And after a while honorable databases have been generated with lots of email addresses.

Second being the problem that many administrators of forums offer their user databases as well to spammers, although they are not allowed to. Anyway it happens much too often.

At least for the second problem a solution has evolved. It is called “one time email addresses” or “trash email addresses”. Those addresses are valid for a particular amount of time and will cease to work after that.

One of those websites offering such services is http://www.guerrillamail.com/. They provide us with an email address that is working at least for 15 minutes. If that is too short you can manually prolong that address for another 15 minutes by simply clicking a button. We did not try to prolong for the maximum possible amount of time – so we don’t know. But we suspect there may be a time limitation.

When will you actively stop distributing your real email address on the net?



Kaspersky

[Soccer] Spielplan EM 2008

Spielplan

Es ist wieder soweit. Die WM ist schon wieder zwei Jahre her und da beginnt auch schon wieder die EM. Im Folgenden der Spielplan mit Uhrzeiten und TV Sendern. Aktualisierungen inbegriffen. Bei schönen Wetter kann man die EM natürlich auch draußen mit Freunden auf einer Public-Viewing Veranstaltung (Liste hier) genießen, ist eh schöner als zu Hause.

Übrigens kann man bei unserem Sponsor (auf dieser Seite oben Links) vermutlich noch Karten für die Spiele bekommen, um Live und Vorort unserer 11 die Daumen zu drücken…

Spiele der Gruppen

Samstag, 07. Juni 2008
Gruppe A 18.00h ZDF Schweiz – Tschechische Republik 0:1
Gruppe A 20.45h ZDF Portugal – Türkei 2:0
Sonntag, 08. Juni 2008
Gruppe B 18.00h ZDF Austria – Kroatien 0:1
Gruppe B 20.45h ZDF Deutschland – Polen 2:0
Montag, 09. Juni 2008
Gruppe C 18.00h ARD Rumänien – Frankreich 0:0
Gruppe C 20.45h ARD Niederlande – Italien 3:0
Dienstag, 10. Juni 2008
Gruppe D 18.00h ARD Spanien – Russland 4:1
Gruppe D 20.45h ARD Griechenland – Schweden 0:2
Mittwoch, 11. Juni 2008
Gruppe A 18.00h ZDF Tschechische Republik – Portugal 1:3
Gruppe A 20.45h ZDF Schweiz – Türkei 1:2
Donnerstag, 12. Juni 2008
Gruppe B 18.00h ZDF Kroatien – Deutschland 2:1
Gruppe B 20.45h ZDF Österreich – Polen 1:1
Freitag, 13. Juni 2008
Gruppe C 18.00h ARD Italien – Rumänien 1:1
Gruppe C 20.45h ARD Niederlande – Frankreich 4:1
Samstag, 14. Juni 2008
Gruppe D 18.00h ARD Schweden – Spanien 1:2
Gruppe D 20.45h ZDF Griechenland – Russland 0:1
Sonntag, 15. Juni 2008
Gruppe A 20.45h ZDF Schweiz – Portugal (nicht im dt. TV) 2:0
Gruppe A 20.45h ZDF Türkei – Tschechische Republik 3:2
Montag, 16. Juni 2008
Gruppe B 20.45h ARD Polen – Kroatien (nicht im dt. TV) 0:1
Gruppe B 20.45h ARD Österreich – Deutschland 0:1
Dienstag, 17. Juni 2008
Gruppe C 20.45h ZDF Niederlande – Rumänien (nicht im dt. TV) 2:0
Gruppe C 20.45h ZDF Frankreich – Italien 0:2
Mittwoch, 18. Juni 2008
Gruppe D 20.45h ARD Griechenland – Spanien 1:2
Gruppe D 20.45h ARD Russland – Schweden 2:0
|

Eine kurze Werbeunterbrechung…


|
Viertelfinale

Donnerstag, 19. Juni 2008
Viertelfinale 20.45 ARD 1. Gruppe A (Portugal) –
2. Gruppe B (Deutschland)
2:3
Freitag, 20. Juni 2008
Viertelfinale 20.45h ARD 1. Gruppe B (Kroatien) –
2. Gruppe A (Türkei)
1:3 (Elfmeterschießen)
Samstag, 21. Juni 2008
Viertelfinale 20.45h ARD 1. Gruppe C (Niederlande) –
2. Gruppe D (Russland)
1:3 (nach Verlängerung)
Sonntag, 22. Juni 2008
Viertelfinale 20.45h ARD 1. Gruppe D (Spanien) –
2. Gruppe C (Italien)
4:2 (Elfmeterschießen)
|

|
Halbfinale

Mittwoch, 25. Juni 2008
Halbfinale 20.45h ZDF Sieger 19. Juni (Deutschland) –
Sieger 20. Juni (Türkei)
Donnerstag, 26. Juni 2008
Halbfinale 20.45h ZDF Sieger 21. Juni (Russland) –
Sieger 22. Juni (Spanien)
|

|
Finale

Sonntag, 29. Juni 2008
Finale 20.45h ARD Sieger 25. Juni – Sieger 26. Juni

|
Alle Angaben ohne Gewähr!!!
|
Wenn Sie die Informationen hilfreich finden, könnte das folgende Angebot auch interessant für Sie sein: