Monthly Archives: January 2014

Could we ask John Connor to bring his Atari and bypass this?

Automatic Teller Machines (ATM) are devices that provide the customers of a financial institution with the ability to perform financial transactions [1].  They are available everywhere and often use well known operating systems and off-the-shelf hardware. During last Christmas while on vacations and walking through the beautiful city of Lisbon I came across the ATM posted in the picture.Winnt-ATM

An ATM running Windows NT operating system! – By this time the ATMs should be running Windows XP embedded not to say Windows 7 embedded!

Without a doubt the most common ATM attacks involve using card skimmers. An excellent resource to read about card skimmers is the series that Brian Krebs putted together on “all about skimmers”. It’s definitely an opening eye and excellent to raise awareness. Other attacks techniques are card trapping, pin cracking, phishing and malicious software [2]. However when I saw this ATM I automatically remembered Barnaby Jack and his DefCon presentation Jackpotting Automated Teller Machines.  It’s like in Terminator 2, where John Connor uses its Atari to bypass security on an ATM with a ribbon cable connecting the parallel interface to a magnetic stripe card. Fiction apart these kinds of attacks are very real. For example, this one that was seen in Mexico or the Troj/Skimer-A with a in-depth analysis by XyliBox. Another interesting report is this one from Trustwave which shows  a piece of malware that targets ATMs with Windows XP operating system. Diebold ATM Security Communication and Support Center as good information about all kind of attacks like the one seen in Russia where an insider, would install the malicious code on several ATMs running Windows XP embedded. Then with a special activation card that would allowed complete control of the ATM.

Would you withdraw money from an ATM  running Windows NT?

[1-2] Mubarak Al-Mutairi; Lawan Mohammed ; IGI Global ; Cases on ICT Utilization, Practice and Solutions.


SMTP Gateway placement

smtpWhere and how should I place my SMTP gateway in the security infrastructure?

I saw this question going around in one of the mailing list I am subscribed and would like to share some thoughts about it. This is old school stuff since our IT security perimeters are being diluted from a well-defined structure to unclear points taken by the new mobility, apps and cloud ecosystem. Every day new threats are exploiting the border-less network and mobile platforms are a prime target. However, companies still need the old and traditional security perimeter and its always good to refresh the old network security infrastructure architecture and concepts.In addition SMTP is a popular vehicle of malware infection and distribution.

To answer this question, there is no right or wrong answer since it all depends on your organization size and risk appetite. Designing a specific network security solution for a business of any size its a engineering and creative task. However, there any plenty of industry guidelines and best practices that you should follow in order to have a layered security approach with defense in depth using redundant and overlapping security controls that mitigates or reduces the risk. Lets review 3 technical suggestions for deploying your perimeter SMTP gateway.

Single-arm deployment : You can have a single-arm configuration in your perimeter firewall. This is a simple solution and makes routing and switching easy. In this DMZ you will position your SMTP appliance.  This appliance normally will be from one of the many SMTP GW products outhere like TrendMicro IMSS, Ironport ESA, eSafe Gateway, etc. This SMTP appliance will normally do Anti-Virus and Anti-Spam (both ingress and egress). With this solution you will have a single physical network interface. You will run all the services on this interface. This means the SMTP traffic to the internet and to the internal MTA such as Microsoft Exchange. You will also run all the management protocols like HTTPS, SSH for accessing the management interface, SNMP for monitoring, Syslog for logging and others like LDAP. This solution is very simple with almost no complexity and low maintenance costs. It wont need any special routing and switching and will be easy to troubleshoot. However, your security posture wont be the best and you wont have segregation of data, which means management and production/data traffic will run on the same interface. Plus you need to consider that running all these protocols on one interface it might consume significant amount of bandwidth from the physical interface.

Two-arm deployment : With this configuration you will have one interface connected to the outside, typically the external firewall and one interface connected to the inside, typically the internal firewall – Its also possible to create a two-arm solution with a single firewall – The appliance needs to have 2 physical interfaces each one in different subnets. Normally you call the external interface the frontend and the internal interface the backend. Management traffic will only be accessible trough the backend interface.

Three-arm deployment : If you must have management traffic separated from data/production traffic this is the best solution. Of course your security infrastructure framework should already support this kind of model in order to have proper routing and switching. This setup will require 3 physical interfaces each one on different subnets. Normally the management interface will be in the same subnet as other security infrastructure appliances management interfaces. With this solution you will have great control and flexibility over the data and management traffic which means better security. At the expense of routing and switching complexity you will gain great flexibility and control over the traffic . This solution is normally harder to troubleshoot.

Those three models are the ones typically seen in the enterprises from small, medium to large corporations.

In addition to the positioning you should also have defense in depth for the SMTP protocol. This means you should consider different layers of AV/Anti-Spam inspection. Normally, you will have inspection at gateway level, then at the MTA level and finally at the client level. You can further complement these levels with a layer 2 inspection gateway before or after your SMTP gateway. Do not forget to have IDS doing SMTP inspection trough the traffic path as part of robust network defense solution. Furthermore, you also need to address DNS concerns for SMTP to work properly. Apart of MX and A records for SMTP deliver you might need PTRs, SPF and others properly registered.

PS: If the time permits I will add some diagrams to illustrate each one of the deployment models.

Tagged , , ,

Bitcoin – My story

Image retrieved from

I thought it was worth to share with you my experiences with Bitcoin, so here it goes!

I’m always keen on learning new things, similar to an eternal student. I like to read and search about new stuff and how it works, especially in the IT security realm. While I do this and, because I have more interests than time, I normally keep notes about something I have seen or have read to further look into it. So, in December 2012 I was reading a new technical paper released by Sophos named Zero Access Botnet – Essentially the details about a botnet for massive financial gain. It was quite interesting how Evil was getting ways to monetize trough fraud and having a economical gain trough Bitcoin mining. It was the first time I have read about Bitcoin. It was novel and creative. I wrote it down on my notebook as something that I would like to further research. Time has passed. In January 2013, while I was doing a research about botnets and how they evolve and emerge, I wrote this article – Step-by-Step Bot Infection process exploiting bad password -. At the time I was writing I came across  a great amount of channels dedicated to mining and activity related to bitcoins in different IRC networks. Here it started to raise my interest. It was out of the ordinary and motivating.

But once again other priorities came across and only on the 10th of April 2013 when I was watching CNN that I saw this crazy commentary about bitcoins. They were talking and showing that the bitcoin price had went mad and 1 Bitcoin was valuing more than 250$. It followed by a crash in the next days to 77$ and I thought, OH MY GOD! I definitely had to educate myself more about this. It was going to be a game changer.

From this date onward I started to read more and started to take it serious. I made a deep dive and among others I read the FAQ maintained by as well as the original paper – Bitcoin: A Peer-to-Peer Electronic Cash System – by Satoshi Nakamoto, who remains anonymous in an intriguing mystery. Then I started to get more familiar with this disruptive and innovative technology that may have an positive impact on payment systems. End result, I figure out that I needed a electronic wallet.

I started registering and creating an online wallet from Blockchain. Then, in order to buy Bitcoins, I needed to use an exchange. So I opened an account on MtGox – the reliable exchange at that time –  I sent them a scan of my ID, proof of residence and after 1 long week I got verified – the queues for verification were enormous due to the April boom-. After having my account verified, I started to buy and sell Bitcoins. I could also deposit and withdraw fiat money. In the meanwhile I took a great degree of risk and wired some money from my bank account to MtGox account in Hong Kong. It took me 4 days until the money was available in the exchange for trading. After that I bought a couple of Bitcoins and started to trade them and in the same time was learning myself more about the concept of mining and the whole bitcoin ecosystem.  I powered up all my computers at home – including my wife’s laptop – and begun mining with them using CPU. Very soon I realized that was worthless due to the difficulty change and electricity costs. I got further and bought the most powerful GPU available on the market for mining which was a ATI Club 3D Dual 7990. It was hashing at 1.8Gh/hashes per second and making a lot of noise. For mining I had to point the client mining software (cgminer) to the Slush pool which was very reliable and trustworthy. I used the GPU for more or less 3 months and then it also became obsolete. In parallel with some price crashes, DDOS to the exchanges and pools plus all the exciting ride I never got to make the money I invested in the GPUs. However, I believe that the bitcoin protocol can have an impact in the future even if it’s not the “bitcoin” we are definitely going to have electronic cash protocol. Following this, I bought a specific machine to mine Bitcoins using ASICs from KncMiner which arrived last October and was worth it. During the summer/autumn 2013 It has been a hell of a drive, extremely interesting and rewarding.

At the moment I am more aware how the system works from a user perspective for the good and the bad. More recently I also read this good explanation on how the protocol works. Noteworthy, are these 3 great videos on C-Span library that were recorded back in November 2013 when different key people in the US testified on digital currencies with remarkable questions and answers.

Furthermore, to follow the price volatility and go into trading mode I use Bitcoinitity charts . At the moment to be part of the mining community and  to be worth of you need to buy specialized hardware e.g, from KncMiner, a client miner like cgminer and then mine in a pool like Slush.

For news and other related matters I follow some threads in Bitcointalk forum, and Coindesk.

Bottom line, to start create an online wallet, register yourself and get verified with a exchange such as Bitstamp. Wire some money – the one you afford to lose – and buy some Bitcoins. Store them on the online wallet or buy some stuff. Keep in mind that if you store money or Bitcoins in a exchange or on a online wallet you accept the risk of losing it due to a breach like many others that have occurred in the past or being seized by a government since Bitcoin is still an experiment without regulation backing it up. If it is a significant amount of Bitcoins you can store them in a offline wallet or even a paper wallet. After you are familiar with the basics you can move up to trading or mining 24/7.

Have fun and enjoy the experience!

gb_master's /dev/null

... and I said, "Hello, Satan. I believe it's time to go."

Source Code Auditing, Reversing, Web Security

Finding Hidden codes in the software

BruteForce Lab's Blog

security, programming, devops, visualization, the cloud

Count Upon Security

Increase security awareness. Promote, reinforce and learn security skills.

Naked Security

Computer Security News, Advice and Research

Didier Stevens

(blog \'DidierStevens)


Adventures in double-clicking malware / by Anuj Soni

Rational Survivability

Hoff's Ramblings about Information Survivability, Information Centricity, Risk Management and Disruptive Innovation.

SANS Internet Storm Center, InfoCON: green

Increase security awareness. Promote, reinforce and learn security skills.


Increase security awareness. Promote, reinforce and learn security skills.

Schneier on Security

Increase security awareness. Promote, reinforce and learn security skills. Blog

Increase security awareness. Promote, reinforce and learn security skills.

Lenny Zeltser

Increase security awareness. Promote, reinforce and learn security skills.

Krebs on Security

In-depth security news and investigation