Criminals steal money from Vietnamese banks

April 1, 2008 by lamer

According to the Sài Gòn Giải Phóng newspaper of 31 March 2008, the police have arrested several groups of criminals from other countries who forged signatures and credit cards to buy goods and steal money from Vietnamese banks.

According to the report, one group from Nigeria was caught while using a counterfeit credit card to pay at a supermarket. Luckily, the cashier suspected that the name on the card was not the man's own and called the supermarket's security guards, who seized him.

The second item, and the main point of this post, is that several other groups were more sophisticated. They forged the signature on a transfer order moving money from an account abroad into a domestic bank on day x. Then they went to the bank and withdrew all of the money on day x + y. By the time the foreign bank discovered the forged signature and issued an order cancelling the transfer, it was already day x + y + z.

Two questions arise here:

  1. Why is there no holding period during which both sides confirm that the transfer order is genuine?
  2. Which side is liable for this error?

Software based disk encryption not secure enough!

February 22, 2008 by RD

Contrary to conventional wisdom, "volatile" semiconductor memory does not lose its contents the instant power is removed. Both static (SRAM) and dynamic (DRAM) memory retain information about the data that was stored while power was applied, and they can hold those values for long intervals without power or refresh. This has been a known problem for a long time [2]. However, nobody had published a practical attack based on it until the Princeton University researchers did [1].

This DRAM threat goes beyond disk encryption. Any sensitive data in RAM, such as passwords, encryption keys or credit card numbers, can be extracted in a few minutes. Because of the nature of the problem, it is hard for a software-based disk-encryption solution to protect against this attack. Software could try to clear or re-encrypt the disk key whenever the PC enters an inactive state (screen saver, standby, hibernate), but that is not practical or applicable in every case. The paper [1] also describes interesting algorithms for locating cryptographic keys in memory images.
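The key search the paper describes, as an added example (my code, not the Princeton team's tool): it expands every 16-byte window of an image as an AES-128 key and checks whether the result matches the 160 bytes that follow it, which is the redundancy a key schedule leaves in RAM. The tolerance of a few mismatching bytes is a crude stand-in for the paper's bit-level decay model, and the memory image is constructed inside the script.

```python
"""Locate AES-128 key schedules in a (constructed) memory image.

Added example, not the paper's tool. An AES-128 key schedule in RAM is 176
bytes of which 160 are derived from the first 16, so a 16-byte window that
expands to the bytes following it is almost certainly a real key. Partial
DRAM decay is modelled crudely as a tolerated number of mismatching bytes.
"""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176          # 11 round keys * 16 bytes for AES-128


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Rijndael S-box computed from GF(2^8) inverses plus the affine map,
    so no 256-entry table has to be typed in (and possibly mistyped)."""
    sbox = [0] * 256
    p = q = 1                               # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3 ...
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09                                           # ... (q *= 0xF6)
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                          # 0 has no inverse; fixed by definition
    return sbox


SBOX = _build_sbox()


def expand_key_128(key):
    """FIPS-197 key expansion for a 16-byte key; returns the 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = w[i - 1][:]
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]              # RotWord
            temp = [SBOX[b] for b in temp]          # SubWord
            temp[0] ^= RCON[i // 4 - 1]             # Rcon
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(image, max_bad_bytes=0):
    """Slide a 16-byte window over `image`; report offsets whose expansion
    matches the following 160 bytes with at most `max_bad_bytes` mismatches.
    Returns a list of (offset, key, mismatch_count)."""
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        sched = expand_key_128(cand)
        tail = image[off + 16:off + SCHEDULE_LEN]
        bad = sum(1 for a, b in zip(sched[16:], tail) if a != b)
        if bad <= max_bad_bytes:
            hits.append((off, bytes(cand), bad))
    return hits


def build_sample_image(key, offset=1000, size=4096, flips=(), seed=7):
    """Constructed test data: pseudo-random filler with one key schedule
    embedded at `offset`. `flips` is a list of (byte_index, bit) pairs
    within the schedule to invert, imitating decayed DRAM cells."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = bytearray(expand_key_128(key))
    for idx, bit in flips:
        sched[idx] ^= 1 << bit
    img[offset:offset + SCHEDULE_LEN] = sched
    return bytes(img)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
    decayed = build_sample_image(key, flips=[(40, 3), (100, 7), (175, 0)])
    print("exact search:", find_aes128_keys(decayed))
    for off, k, bad in find_aes128_keys(decayed, max_bad_bytes=3):
        print(f"key at offset {off:#x}: {k.hex()} ({bad} decayed bytes)")
```

Run it against a real dump by replacing the constructed image with the bytes of the file (it is only a few thousand expansions per megabyte, so pure Python is adequate for small images). The exact search misses the decayed schedule; the tolerant search recovers it because the three flipped bits land in the derived round keys, not in the key itself. The real tool goes further and reconstructs a key whose own bytes have decayed, using the same redundancy in the other direction.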

If you really care about your information and use software-based disk encryption, change your habits: unmount the encrypted volumes and/or power off the machine whenever you leave it, and leave it off long enough for the memory to decay. Alternatively, use a hardware-based disk-encryption solution. FYI, Seagate also has a hardware-based hard disk encryption product ready to use.

Links:

  1. J. A. Halderman et al., "Lest We Remember: Cold Boot Attacks on Encryption Keys"
  2. P. Gutmann, "Secure Deletion of Data from Magnetic and Solid-State Memory"

Buggy HP iPAQ ROM Update Utility

October 29, 2007 by RD

Last weekend I tried to re-flash an HP iPAQ rw6828 using the latest HP iPAQ ROM Update 1.01.03 from the HP website.

After about 20 minutes, the ROM flash process crashed at 90% and the phone was dead: it would no longer power on (I tried the various suggested methods to get it to boot into bootloader mode, but all of them failed).

A quick Google search for "ipaq 6828 ROM update fail 90%" showed that quite a lot of people had hit the same problem. Some were lucky enough to re-flash the phone again because it could still boot into bootloader mode, but many others had to send the phone to an HP Service Center to have the main board replaced.

So I decided to take a look at the HP iPAQ ROM Update Utility binary (hpRUU.exe, v3.3.2 build 831) to find the reason.

[screenshot: hpRUU]

It did not take long to find that the "90%" problem is caused by sloppy code in the HP iPAQ ROM Update Utility itself.

[screenshot: hpRUU-bug01]

The buggy code is inside sub_409DA0() (which I renamed Client_StartFlash()). Below is the reversed C code of the ROM update function, a cleaned-up reconstruction rather than a line-for-line match of the assembly:

void sub_409520(int c)
{
    DebugLog("odmLib/Client_StartFlash -- Flashing would start here");
    hEvent = CreateEventA(0, 0, 0, 0);
    dword_425B04 = CreateThread(0, 0, &sub_409DA0, 0, 0, 0);
    SetEvent(hEvent);

    DebugLog("odmLib/Client_StartFlash: pReturnCode->dwError = %d", 65520);
}       

#define FLASH_ERROR(fmt, ...)               \
{                                           \
  DebugLog(fmt, __VA_ARGS__);               \
  IsErrorFlag = 1;                          \
  pReturnCode_dwError = 401;                \
  return;                                   \
}

// sub_00409DA0(). SelectFile, _tFilename, HeaderBuffer, DataBuffer, the
// dword_*/byte_* names and the sub_* helpers are globals and routines inside
// hpRUU.exe; bDownLoadThrUSB() sends a buffer to the device over USB.
void Client_StartFlash()
{
    //WORD SelectFile[2];

    WaitForSingleObject(hEvent, INFINITE);
    DebugLog("DownloadFile: SelectFile = 0x%x TotalFileSize = 0x%x..\r\n",
        SelectFile, TotalFileSize);

    if (DeviceInBLMode == -1) {
        DebugLog("DownloadFile: DeviceInBLMode has a wrong value!");
        IsErrorFlag = 1;
        pReturnCode_dwError = 602;
        return;
    }       

    if (SelectFile[0] & 8) {
        DebugLog("DownloadFile: COM_OS ..\r\n");
        wsprintfA(StatusBuffer, "Updating the ROM Image ...");
        byte_425884 = (DeviceInBLMode != 0) + 17;
        memset(_tFilename, 0, 0x64);
        pReturnCode_dwExtraInfo = 3;
        dHeaderLen = 0;
        sub_40A580(3, _tFilename, (int) &dHeaderLen);
        DebugLog("DownloadFile: tFilename = %s dHeaderLen = %d\r\n",
            &_tFilename, dHeaderLen);

        _hFile = CreateFileA(_tFilename, GENERIC_READ | GENERIC_WRITE, 0, 0,
            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);

        if (_hFile == INVALID_HANDLE_VALUE) {
            FLASH_ERROR("Jcs-CreateFile %s fail .. ", _tFilename);
        }

        HeaderBuffer = malloc(dHeaderLen);
        ReadFile(_hFile, HeaderBuffer, dHeaderLen, &NumberOfBytesRead, 0);

        dFileLen = GetFileSize(_hFile, 0);
        dDataLen = dFileLen - dHeaderLen;
        DataBuffer = calloc(dFileLen - dHeaderLen, 1);
        ReadFile(_hFile, DataBuffer, dDataLen, &NumberOfBytesRead, 0);
        free(HeaderBuffer);

        ROMDecode(dDataLen, DataBuffer);

        if (memcmp(DataBuffer, "R000ff\n", 7)) {
            IsErrorFlag = 1;
            pReturnCode_dwError = 401;
            DebugLog("Jcs-Warning: The Image is invalid ... ");
            wsprintfA(StatusBuffer, "Warning: The Image is invalid ...");
            return;
        }

        if (!bDownLoadThrUSB(DataBuffer, dDataLen, dword_425B20,
            SelectFile)) {
            IsErrorFlag = 1;
            pReturnCode_dwError = 503;
            return;
        }
        free(DataBuffer);
        CloseHandle(_hFile);
    }

    if (SelectFile[0] & 4) {
        DebugLog("DownloadFile: COM_BL ..\r\n");
        wsprintfA(StatusBuffer, "Updating the Bootloader ...");
        dHeaderLen = 0;
        memset(_tFilename, 0, 0x64);
        pReturnCode_dwExtraInfo = 2;
        byte_425884 = 2;
        sub_40A580(2, _tFilename, (int) &dHeaderLen);
        DebugLog("DownloadFile: tFilename = %s dHeaderLen = %d\r\n", _tFilename, dHeaderLen);
        _hFile = CreateFileA(_tFilename, GENERIC_READ | GENERIC_WRITE, 0, 0,
            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);

        if (_hFile == INVALID_HANDLE_VALUE) {
            FLASH_ERROR("Jcs-CreateFile %s fail .. ", _tFilename);
        }
        HeaderBuffer = malloc(dHeaderLen);
        ReadFile(_hFile, HeaderBuffer, dHeaderLen, &NumberOfBytesRead, 0);
        dFileLen = GetFileSize(_hFile, 0);
        dDataLen = dFileLen - dHeaderLen;
        DataBuffer = calloc(dFileLen - dHeaderLen, 1);

        ReadFile(_hFile, DataBuffer, dDataLen, &NumberOfBytesRead, 0);
        free(HeaderBuffer);

        ROMDecode(dDataLen, DataBuffer);

        // BUG: the return value of fopen() is never checked. If c:\ipaq does
        // not exist (the utility was installed elsewhere), fp is NULL and
        // fwrite() crashes the updater here, after any selected OS image has
        // already been sent and before the new bootloader is written.
        fp = fopen("c:\\ipaq\\downloadEboot.txt", "wb");
        fwrite(DataBuffer, 1, dDataLen, fp);
        fclose(fp);

        if (!bDownLoadThrUSB(DataBuffer, dDataLen, dword_425B20,
            SelectFile)) {
            IsErrorFlag = 1;
            pReturnCode_dwError = 503;
            return;
        }
        free(DataBuffer);
        CloseHandle(_hFile);
    }
    if (!bDownLoadThrUSB(&unk_4253F0, 0x80, 0, SelectFile)) {
        IsErrorFlag = 1;
        pReturnCode_dwError = 401;
        DebugLog("Jcs-Download version infomation to device fail ..");
        return;
    }       

    dTmp = SelectFile[1];
    if (SelectFile[0] & 0x20) {
        DebugLog("DownloadFile: COM_FS ..\r\n");
        dTmp = SelectFile[1];
    }

    if (dTmp & 0x80 && dTmp & 0x20) {
        DebugLog("DownloadFile: COM_WANOS + COM_WANBL ..\r\n");
        wsprintfA(StatusBuffer, "Updating the Radio Stack ...");
        dHeaderLen = 0;
        memset(_tFilename, 0, 0x64);
        pReturnCode_dwExtraInfo = 15;
        byte_425884 = 4;
        sub_40A580(13, _tFilename, (int) &dHeaderLen);
        DebugLog("DownloadFile: tFilename = %s dHeaderLen = %d\r\n",
            _tFilename, dHeaderLen);

        _hFile = CreateFileA(_tFilename, GENERIC_READ | GENERIC_WRITE, 0, 0,
            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); 

        if (_hFile == INVALID_HANDLE_VALUE) {
            FLASH_ERROR("Jcs-CreateFile %s fail .. ", _tFilename);
        }

        HeaderBuffer = malloc(dHeaderLen);
        ReadFile(_hFile, HeaderBuffer, dHeaderLen, &NumberOfBytesRead, 0);
        dFileLen = GetFileSize(_hFile, 0);
        dDataLen = dFileLen - dHeaderLen;

        DataBuffer = calloc(dDataLen, 1);
        dword_425B1C = DataBuffer;
        ReadFile(_hFile, DataBuffer, dDataLen, &NumberOfBytesRead, 0);
        free(HeaderBuffer);
        CloseHandle(_hFile);

        memset(_tFilename, 0, 0x64);
        sub_40A580(15, _tFilename, (int) &dHeaderLen);
        DebugLog("DownloadFile: tFilename = %s dHeaderLen = %d\r\n",
            &_tFilename, dHeaderLen);

        _hFile = CreateFileA(_tFilename, GENERIC_READ | GENERIC_WRITE, 0, 0,
            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);

        if (_hFile == INVALID_HANDLE_VALUE) {
            FLASH_ERROR("Jcs-CreateFile %s fail .. ", _tFilename);
        }

        HeaderBuffer = malloc(dHeaderLen);
        ReadFile(_hFile, HeaderBuffer, dHeaderLen, &NumberOfBytesRead, 0);
        dDataLen = GetFileSize(_hFile, 0) - dHeaderLen;
        dword_425B84 = dDataLen;

        DataBuffer = calloc(dDataLen, 1);
        dword_425B10 = DataBuffer;
        ReadFile(_hFile, DataBuffer, dDataLen, &NumberOfBytesRead, 0);

        free(HeaderBuffer);
        CloseHandle(_hFile);

        DataBuffer = calloc(dDataLen + nNumberOfBytesToRead + 88, 1);
        szBuffer = _msize(DataBuffer);
        memset(DataBuffer, -1, szBuffer);

        if (sub_40A5E0()) {
            if (sub_40A770()) {
                if (sub_40A8F0()) {
                    ROMDecode(Count, DataBuffer);
                    if (DataBuffer) {
                        // BUG: same unchecked fopen() as for the EBOOT dump
                        fp = fopen("c:\\ipaq\\downloadMot.txt", "wb");
                        fwrite(DataBuffer, 1, Count, fp);
                        fclose(fp);
                        if (bDownLoadThrUSB(DataBuffer, Count, dword_425B20, SelectFile)) {
                            if (sub_40B270()) {
                                free(DataBuffer);
                                free(dword_425B10);
                                free(dword_425B1C);
                                dword_425F58 = 1;
                            } else {
                                IsErrorFlag = 1;
                                pReturnCode_dwError = 401;
                                DebugLog("Jcs-bGetMOTBurnStatus fail ..");
                            }
                        } else {
                            IsErrorFlag = 1;
                            pReturnCode_dwError = 401;
                            DebugLog ("Jcs-Download Mot fail ..");
                        }
                    } else {
                        IsErrorFlag = 1;
                        pReturnCode_dwError = 401;
                        DebugLog ("Jcs-(pMOTBuf==NULL) fail ..");
                    }
                } else {
                    IsErrorFlag = 1;
                    pReturnCode_dwError = 401;
                    DebugLog("Jcs-PrepareMOTData fail ..");
                }
            } else {
                IsErrorFlag = 1;
                pReturnCode_dwError = 401;
                DebugLog("Jcs-PrepareMOTAgent fail ..");
            }
        } else {
            IsErrorFlag = 1;
            pReturnCode_dwError = 401;
            DebugLog("Jcs-PrepareMOTPara fail ..");
        }
    } else {
        dword_425F58 = 1;
    }
}

The two fopen() calls inside Client_StartFlash(), fopen("c:\\ipaq\\downloadEboot.txt", "wb") and fopen("c:\\ipaq\\downloadMot.txt", "wb"), write the decoded EBOOT and MOT (radio) images to hard-coded file locations. Neither call checks whether fopen() returned a valid FILE pointer before fwrite() uses it, and the EBOOT dump sits between the OS image download and the bootloader download, so the crash happens in the middle of the flash.

So if you install the ROM upgrade program anywhere other than the default location c:\ipaq (in my case d:\tmp\ipaq), the directory c:\ipaq does not exist, fopen() returns NULL, fwrite() dereferences it and the update program crashes at 90%. This stupid error has killed many iPAQs, and many people have spent time and money on service and mainboard replacement in the almost one year since HP released the update. The HP developer who wrote this code should go back to college and learn how to code properly.
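The dump step from Client_StartFlash(), rewritten as an added example (my code, not HP's): the "before" function has the shape the post reconstructs, and the "after" function checks every call and treats a failed debugging dump as something to log, not something that may abort a half-finished flash. The path layout, the return codes and simulated_download(), which stands in for bDownLoadThrUSB(), are assumptions made for the example.

```c
/*
 * Added example (not HP's code): the "dump decoded image for debugging"
 * step from Client_StartFlash(), first as the post reconstructs it and then
 * in a form where a missing dump directory cannot kill the flash.
 * Path names, return codes and simulated_download() are assumptions.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { DUMP_OK = 0, DUMP_SKIPPED = 1 };

/* Last diagnostic message, so callers can inspect what happened. */
char g_last_log[256];

/* Constructed stand-in for a decoded EBOOT image; the real one is the
 * decrypted bootloader read from the ROM update package. */
static const unsigned char SAMPLE_IMAGE[] = "R000ff\nconstructed-eboot-image";
#define SAMPLE_IMAGE_LEN (sizeof SAMPLE_IMAGE - 1)

/* "Before": the shape of the original code. fopen() fails when the directory
 * does not exist (c:\ipaq when the updater was installed elsewhere), fp is
 * then NULL and fwrite() crashes the whole updater. Kept for comparison only;
 * never call it with a path that might not be creatable. */
void dump_image_unchecked(const char *path, const unsigned char *buf, size_t len)
{
    FILE *fp = fopen(path, "wb");
    fwrite(buf, 1, len, fp);        /* NULL dereference when fopen() failed */
    fclose(fp);
}

/* "After": every step is checked, and failure is reported, not fatal. */
int dump_image_checked(const char *path, const unsigned char *buf, size_t len)
{
    FILE *fp = fopen(path, "wb");
    if (fp == NULL) {
        snprintf(g_last_log, sizeof g_last_log, "dump skipped: fopen(%s): %s",
                 path, strerror(errno));
        return DUMP_SKIPPED;
    }
    size_t written = fwrite(buf, 1, len, fp);
    int close_rc = fclose(fp);
    if (written != len || close_rc != 0) {
        snprintf(g_last_log, sizeof g_last_log, "dump skipped: short write to %s", path);
        return DUMP_SKIPPED;
    }
    snprintf(g_last_log, sizeof g_last_log, "dump written to %s", path);
    return DUMP_OK;
}

/* Build "<dir>/<name>" without overflowing; returns 0 on success. A debug
 * dump belongs next to the updater (or in a temp directory), not at a
 * hard-coded drive-letter path. */
int join_path(char *out, size_t outlen, const char *dir, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Stand-in for bDownLoadThrUSB(): accepts any non-empty image. */
static int simulated_download(const unsigned char *buf, size_t len)
{
    return buf != NULL && len > 0;
}

/* The flash step with the dump as best-effort diagnostics. Returns 1 when
 * the (simulated) download succeeded, whatever happened to the dump. */
int flash_with_debug_dump(const char *dump_dir, const unsigned char *image, size_t len)
{
    char path[512];
    if (join_path(path, sizeof path, dump_dir, "downloadEboot.txt") != 0)
        snprintf(g_last_log, sizeof g_last_log, "dump skipped: path too long");
    else
        dump_image_checked(path, image, len);   /* outcome already logged */
    return simulated_download(image, len);
}

int main(void)
{
    int ok = flash_with_debug_dump("/nonexistent_dir_xyz", SAMPLE_IMAGE, SAMPLE_IMAGE_LEN);
    printf("%s (flash %s)\n", g_last_log, ok ? "continued" : "failed");
    return ok ? 0 : 1;
}
```

The point is the asymmetry: a missing debug file is a logging problem, a dead device is not, so the dump's failure is reported and the download proceeds. Deriving the dump path from a directory the caller controls instead of c:\ipaq removes the install-location dependency that triggered the crash in the first place.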

After I understood the problem, I sent the iPAQ to the HP Service Center the next day and had the mainboard replaced. After a few hours of waiting, complaining and giving a live demonstration of the bug to the HP technician, I did not have to pay for the mainboard replacement :). The technician was a nice guy; he even took me inside the HP technical service center to re-flash a few iPAQs and reproduce the problem. The experience with the girl at the HP Customer Service Center was rather bad, though.


Links:

  1. HP iPAQ ROM Update 1.01.03
  2. hpRUU.exe – v3.3.2 Build 831
