Allen’s Homepage

Airport Security hole

by on Oct.25, 2012, under Uncategorized

http://www.washingtonpost.com/national/experts-warn-about-security-flaws-in-airline-boarding-passes/2012/10/23/ed408c80-1d3c-11e2-b647-bb1668e64058_story.html

The last time we flew home, I got the “random selection” to be extra screened which was very annoying.

It started when I went through the security theatre: the agent pointed out that I had "DDD" printed on my boarding card, which meant I was subject to additional security checks. This required a full pat-down, as well as swabbing of my laptop, the inside of my bag, my hands and my clothes. I passed this test and proceeded to the gate. Overall it took around two to three times longer than it usually does.

At the gate, the agent said that because I had the DDD on the boarding pass, I needed to have the extra screening done by security, and as a result they needed to stamp my boarding card to show that it was done. They had of course done the screening but forgot to stamp my boarding card, so it was back to security to be re-screened. I was a bit smarter this round of screening and left all my bags with my wife so they wouldn't have to re-test everything. The airline agent was rather confused by the fact that my wife and I shared bags, and that I did not have my bag and she did not have hers: "but which bag is yours? Security needs to scan your bag", "I don't have a bag, they both belong to my wife".

My observation at the time was that if I had a bit of white-out, or some other way to remove the "DDD" from my boarding card, none of this would have happened. In future, if I get a DDD on the boarding card, I will have to go to the restaurant first and spill a bit of grease on the spot with the DDD to remove the thermal-print marks, and save myself a bit of time!

I thought it interesting that they told me "because of the DDD on the card". In other words, if you wanted to smuggle something onto a plane, check your boarding card: if it has a DDD on it, maybe today is not the day, so try again tomorrow, or book your tickets in a pair. My wife and I booked together, but only I was randomly selected; any suspicious items I could have handed to my wife to bring onto the plane.


Breaking into your local radio station

by on Sep.16, 2012, under Coding, Linux, White Hat

My local radio station has a web stream that you can play from their website (www.radiokoeln.de). Their site, in addition to having annoying ads that delay the start of the music, only works with Adobe Flash Player. I wanted to play it on my Raspberry Pi from XBMC; the Pi has an ARM processor rather than an Intel one, and there is no Flash Player for ARM. Using the website is not an option on the Pi, so I had to find another way to play it.

Given that the stream is a normal MP3 stream once it starts, and there are lots of MP3 players for the Pi, I thought I could dig out the stream URL and put that in a normal MP3 player... wow, was I wrong!

The first try was to look at the URL that the Flash player calls. This ends up being

http://edge.live.mp3.mdn.newmedia.nacamar.net/radiokoeln/livestream.mp3?token=668f3341238b48e9efb2032c2be54ca6

Pasting that into VLC did not work. I also tried it without the token, which basically says I need to authenticate. OK, the task gets a bit more challenging: instead of a simple URL, I will now need to write a script that obtains the token and passes the resulting URL to my media player. This should be simple enough, once I know where to get my precious token.

I did some tracing of exactly how the page starts the stream. The above URL (the token changes each time the stream starts) is delivered by the following URL: http://freestream.nmdn.net/authenticate

First it makes a request to /authenticate, which returns a token:
GET /authenticate HTTP/1.1
Host: freestream.nmdn.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Accept: */*
Referer: http://freestream.nmdn.net/swf/player.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=190596092.1734083112.1338502802.1340537404.1340564465.20; __utmz=190596092.1340216827.11.6.utmcsr=radiokoeln.de|utmccn=(referral)|utmcmd=referral|utmcct=/koeln/rk/111960/webradio; __utma=190596092.1734083112.1338502802.1340537404.1340564465.20;
sid=28187jvha9ovr4ts2alqia0et6;
__utmb=190596092.19.10.1347781728; __utmz=190596092.1340216827.11.6.utmcsr=radiokoeln.de|utmccn=(referral)|utmcmd=referral|utmcct=/koeln/rk/111960/webradio; __utmc=190596092

When this is done “quickly”, it returns the following JSON result:
{"authorized":true,"stream":"http:\/\/edge.live.mp3.mdn.newmedia.nacamar.net\/radiokoeln\/livestream.mp3?token=669e3446248b48e5fbb6442c2be54ca6"}

So then I tried replaying the request: no dice, all I could get was a "not authenticated" result. Repeated attempts show that the SID is the only value that changes, so this must be a one-time token. Next try is to do this with a fresh SID that hasn't yet been sent.

Using Firefox with Firebug and Tamper Data, I was able to interrupt the request for /authenticate and manually copy out the SID. Try as I might, with my fresh SID I could not get a successful authentication in my telnet session. Furthermore, if I took the entire request from Tamper Data and put it through my telnet connection, I would also get authentication denied. My only explanation is that the SID contains a timestamp, and the request needs to happen within a shorter time than it takes me to stop the request, copy the SID, edit the telnet GET request and send it via telnet.
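The /authenticate step above, scripted. This is an added example and not code from the original post: the host, path, Referer and User-Agent are copied from the captured request, SAMPLE_REPLY is the JSON body quoted above, and the sid in the usage block is the captured (already spent) one. Whether a fresh sid obtained some other way would be accepted, and whether the Google Analytics cookies can be dropped, are assumptions the post could not confirm.

```python
"""Replay the /authenticate step of the Flash player and pull the stream URL
and its one-time token out of the JSON reply.

Added example, not code from the original post. Host, path, Referer and
User-Agent are from the capture above; SAMPLE_REPLY is the body quoted there.
"""
import http.client
import json
from typing import Optional
from urllib.parse import parse_qs, urlparse

AUTH_HOST = "freestream.nmdn.net"
AUTH_PATH = "/authenticate"
REFERER = "http://freestream.nmdn.net/swf/player.swf"
USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 "
              "(KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1")

# Constructed from the reply quoted above (the server escapes '/' as '\/').
SAMPLE_REPLY = (
    '{"authorized":true,"stream":"http:\\/\\/edge.live.mp3.mdn.newmedia.'
    'nacamar.net\\/radiokoeln\\/livestream.mp3?token=669e3446248b48e5fbb6442c2be54ca6"}'
)


def parse_authenticate_reply(body: str) -> dict:
    """Return {'authorized', 'stream', 'token'} from the server's reply.

    json.loads() undoes the '\\/' escaping, so no string surgery is needed.
    A refusal (authorized=false, or a non-JSON 'not authenticated' body)
    yields authorized=False with stream and token set to None.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"authorized": False, "stream": None, "token": None}
    authorized = data.get("authorized") is True
    stream = data.get("stream") if authorized else None
    token = None
    if stream:
        token = parse_qs(urlparse(stream).query).get("token", [None])[0]
    return {"authorized": authorized, "stream": stream, "token": token}


def sid_from_cookie_header(header_value: str) -> Optional[str]:
    """Pick the sid out of a raw Cookie: header value; it was the only cookie
    that changed between attempts in the capture."""
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None


def authenticate(sid: str, timeout: float = 5.0) -> dict:
    """Send the same GET the player sends (this one talks to the network).
    Assumption: only the sid cookie matters; the analytics cookies from the
    capture are left out."""
    conn = http.client.HTTPConnection(AUTH_HOST, 80, timeout=timeout)
    headers = {
        "User-Agent": USER_AGENT,
        "Accept": "*/*",
        "Referer": REFERER,
        "Cookie": f"sid={sid}",
    }
    try:
        conn.request("GET", AUTH_PATH, headers=headers)
        body = conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()
    return parse_authenticate_reply(body)


if __name__ == "__main__":
    info = parse_authenticate_reply(SAMPLE_REPLY)
    print("stream:", info["stream"])  # hand this to the player while the token is fresh
    print("token: ", info["token"])
    # Live attempt with the captured, already-spent sid (expect authorized=False):
    # print(authenticate("28187jvha9ovr4ts2alqia0et6"))
```

The parser is the part that matters for a player script: feed the returned stream URL straight to the player without copying it by hand, since the post's experience is that the token is only good for a short window.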

Plan B: Radio Koeln also has an iPad app. Maybe that has a simpler URL; however, tools aren't as readily available to 'tamper' with the connection.

I set up my router to capture traffic between the iPad and the internet. Within 30 seconds, I had positive results:

Wireshark Screenshot

Success!

Furthermore, I could not find anywhere in the XML requests where this URL is passed to the app, which to me indicates that the URL is hardcoded into the app. Disclaimer: I have never developed an app and don't know what I am doing! However, I don't see how this could be changed without requiring an update to the app, so it should be relatively static.

If anyone is looking for Radio Koeln streams to add to your favourite music player:

http://mp3ad.dumont.c.nmdn.net/radiokoeln_mobile/livestream.aac

For the other “NRW Lokalradios” you can change the city name and it seems to work:

http://mp3ad.dumont.c.nmdn.net/radiobonn_mobile/livestream.aac


Why you should always know your email address

by on Jun.23, 2011, under Uncategorized

Mis-addressed email is a common occurrence, particularly with one of my first accounts. On any given day I receive two or three emails intended for someone else. Most commonly, I receive welcome emails from mailing lists. But once in a while I get something more interesting. This one, at first glance, seemed like all the other mailing lists and scams, typos included.

Important Reminder:

Dear amanda chemist,

Incase you haven’t received our previous emails, we wanted to reming you that we would like to publish your essay on our website. By having your essay published, you will have a personal page on CollegeInquirer.com with your name, your full essay, and a line at the top of the page that says “This essay was selected for publication by the Chief Editor of The College Inquirer.”
(Your page will look like this: www.collegeinquirer.com/YourNameHere).

We’ve already published several of our selected essays, and we can’t wait to publish yours! Here are a few links you can look at to see exactly what your essay will look like once published:

http://www.collegeinquirer.com/barryhale
http://www.collegeinquirer.com/chaylaervin

By accepting this invitation to have your essay published, you join an exclusive group of students whose written works have been published on the College Inquirer. You can use this to your advantage in college applications, scholarship applications, job resumes, etc. Any time you need to “get ahead” of your competition, you can simply include your link and show them that you have a published, writeen essay on a major editorial website. This will increase your chances of receiving scholarships or getting accepted to schools you may want to attend!

To have your essay published, there is a $15 administrative fee that is intended to cover the expenses of editing, publishing, and hosting your essay on our website. Whenever you are ready to publish your essay, just click the link below to start the process:

Click Here To Pay The $15 Administrative Fee ->

Thanks again, and if you have any questions, please feel free to email us at help@collegeinquirer-usadmin.com

Sincerely,
The College Inquirer Editorial Staff

I initially ignored this, as it is a well-known scam. However, later that day I received  a second email from the same site:

To all applicants for the College Inquirer $750 Scholarship Contest whose essays have been selected for publication:

Good evening. We have received several complaints and confused emails throughout the day from students who feel that they may be getting “scammed”. We wanted to make an important clarification about our offer to publish your essay.

1) FAQ #1: “Did you select a winner, and am I the winner?”

The short answer is: NO. We did not state in any way, shape or form that we had selected a winner for our scholarship, nor did we lead anyone to believe that it meant you were a winner if we were offering to publish your scholarship. We made it very clear on our website and in all of our email communications that the scholarship deadline is August 14th, 2011. At that time, a winner will be selected. No one has won the scholarship or has been told they won the scholarship yet. So for all of you who are complaining or posting in online-blogs that you were told you were a scholarship winner, you are lying, and we respectfully ask you to stop attempting to deceive others and slander our organization.

2) FAQ #2: “I thought I was special because they wanted to publish my essay but everyone is getting this email!”

The short answer is: You are special. And no, we did NOT send everyone this email offering to publish their essay. You and several hundred other students have been selected to have your essay published, but it is 100% your choice and you are not required to do so. We have received over 6,000 applications for this scholarship. Only a select number of you wrote essays that were good enough to be published. You were one of them.

3) FAQ #3: “They are making me pay $15 and ripping me off so this is a scam!!”

The short answer is: No we are not “making” you do anything. Because we know the value of having your work published on a major editorial website, we are offering to publish your essay. If you choose to publish your essay, it will be to your advantage in many different areas. We are just one of thousands of companies who publish students essays in our major journal for a small fee. It is very simple: If you would like us to publish your essay, we will do so for a $15 administrative fee to cover our operating expenses. If you do not want to have your essay published, you may ignore the offer, and go on with your business. When you see an advertisement on TV for Health Insurance, do you consider it a scam simply because they are advertising their service (insurance) and telling you the price? Then why would you consider this a scam simply because we are advertising our service (essay publication) and telling you the price? Simply put, that is pure nonsense.

No one is required to pay the admin fee to publish their essay. That is your choice, because you have the ability to make your own decision. We are not coersing or twisting your arm into anything. The fewer essays that are published, the better it is for the people who have theirs published. We would PREFER to only publish a few of the essays, and the administrative fee is just that: a fee to cover the expenses of publication. Nothing more, nothing less.

We trust now that as educated and intelligent students, you are able to understand the simple principles of business, and will cease the practice of foolishly calling this a “scam”.

Respectfully yours,

Olivia Martin
——————-
President & CEO
The College Inquirer

You are receiving this email because you applied for The College Inquirer “CollegeTalk” Scholarship. To unsubscribe at any time, simply follow the “Unsubscribe” link in this email.

The College Inquirer

6652 Overland Drive

Colorado Springs, CO 80919



This blatant and rude attempt at convincing marks that the website is indeed legitimate persuaded me to do some more digging.

Looking more closely at the second email, the scammer initially states that he has never led anyone to believe they were the winner (which, looking at the site, seems to be correct). He then attempts to clarify that not everyone is receiving this email and that *you* are special, one of only hundreds. At $15 per essay (admin costs, you know) and assuming a worst case of only 100 essays, he will receive $1500, double the value of the scholarship.

I am not sure what the admin fees pay for. The site is hosted for free on WordPress, and a lack of editing (and quality) is clear in the essays posted (see sample here; sorry, Shakia).

He then claims that this is NOT a scam but in fact "a major editorial website". I have no record of this site existing before the 24th of March, 2011. How he was able to establish a major editorial website in two months is a bit of a stretch. In today's world of blogs, Facebook and other social networks, my dog, who likes to climb out of moving vehicles, can be published online. So make sure that "major editorial websites" are reputable, have a long and good standing in the media, have actual content, are hosted on their own infrastructure, and do not use free email services like Gmail. (You can also check out this blog, which talks about the collegeinquirer scam as well.)

Another problem with the email: legitimate businesses never need to convince customers that they are legitimate. As soon as someone writes "this is not a scam", a little warning signal should flash in the back of your head. When do Amazon, eBay or your online banking service ever tell you "this offer/service is not a scam"? Never.

Also, the attitude towards his potential marks is particularly rude, not a strategy any legitimate business normally uses. Accusing your customer of being ignorant or in the wrong is never a good business model. When someone gets this offended by an accusation, it is usually because the accuser is telling the truth.

With some more research, we came across another one of his websites,  and then a couple more. You can see how they are related on the diagram below.

I do not want to give away details of the scammer, but it was clear to me that he made a lot of obvious mistakes protecting his own privacy. He also seemed confused, as the email indicates a Colorado headquarters whereas the site lists the headquarters in Texas.

Addresses, phone numbers and other personal data are easy enough to obtain on the internet. If you are a scammer, you should be a little more conscious of this fact. (That bike for sale did seem a little pricey.)

So if someone on the internet is ever asking you for personal information or money, check around and see if it is for real.

And to all those who don't know their own email address (especially if you think it is mine), please stop falling for these scams! Even in today's modern world, that old saying still applies: 'if it seems too good to be true, it probably is'.


Using google to track phishing attacks

by on Apr.12, 2009, under Uncategorized

I received a message from (not) my bank “Bank of America” about some recent account activity in (not) my account.

The link leads here:

http://nycompsonline.com/_vti_logs/_vti_logs/onlineest/onlineest/bankofamerica/onlinebankingsitekey/

(the /_vti_logs/ directory in that path belongs to Microsoft FrontPage Server Extensions, which is where the kit has been placed on this host), which led me to this search. The distinctive wording of the kit's page is its fingerprint, so an exact-phrase search turns up other sites hosting the same toolkit:

http://www.google.ca/search?q=%22Please+complete+all+of+the+information%22+%22(it+is+the+last+3+or+4+digits+AFTER+the+credit+card+number+in+the+signature+area+of+the+card+)%22&hl=en&client=firefox-a&rls=org.mozilla:en-GB:official&hs=i43&filter=0
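The same fingerprinting idea as a script, as an added example that is not part of the original post: it pulls the distinctive visible sentences out of a captured phishing page, lists the form fields the kit collects, and builds an exact-phrase search URL in the form of the Google URL above. SAMPLE_PAGE is constructed here to contain the sentence that was searched for; the real kit's markup is not on this page, and the field names in it are made up.

```python
"""Turn a captured phishing page into an exact-phrase search that finds other
hosts serving the same kit, and list the form fields the kit harvests.

Added example, not from the original post. SAMPLE_PAGE is constructed to
contain the sentence searched for above; the real kit's HTML is not on this
page. filter=0 in the search URL asks for near-duplicate hits to be shown
rather than folded together.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample page (not the kit's real markup).
SAMPLE_PAGE = """<html><head><title>Online Banking</title>
<script>var sitekey = 1;</script></head><body>
<h2>Confirm your account activity</h2>
<p>Please complete all of the information below.</p>
<form method="post" action="login.php">
<p>Card Verification Value (it is the last 3 or 4 digits AFTER the credit card
number in the signature area of the card )</p>
<input type="text" name="cardnumber"><input type="text" name="cvv">
<input type="password" name="atmpin"><input type="submit" value="Continue">
</form><p>Copyright 2009</p></body></html>"""


class KitPageParser(HTMLParser):
    """Collect visible text nodes (script/style skipped) and input names."""

    def __init__(self):
        super().__init__()
        self.texts = []
        self.fields = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "input":
            a = dict(attrs)
            if a.get("type", "text") != "submit" and a.get("name"):
                self.fields.append(a["name"])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if self._skip_depth:
            return
        text = re.sub(r"\s+", " ", data).strip()
        if text:
            self.texts.append(text)


def _parse(html: str) -> KitPageParser:
    p = KitPageParser()
    p.feed(html)
    p.close()
    return p


def fingerprint_phrases(html: str, min_words: int = 6) -> list:
    """Visible sentences long enough to be distinctive; a heading or a
    copyright line would match half the web."""
    return [t for t in _parse(html).texts if len(t.split()) >= min_words]


def harvested_fields(html: str) -> list:
    """Names of the inputs the kit posts back: what a victim would lose."""
    return _parse(html).fields


def search_url(phrases, base: str = "http://www.google.ca/search") -> str:
    """Exact-match query for every phrase: quoting keeps word order, and
    filter=0 shows hits that would otherwise be collapsed as similar."""
    q = " ".join(f'"{p}"' for p in phrases)
    return f"{base}?{urlencode({'q': q, 'filter': '0'})}"


if __name__ == "__main__":
    phrases = fingerprint_phrases(SAMPLE_PAGE)
    print(harvested_fields(SAMPLE_PAGE))
    print(search_url(phrases[:2]))
```

Pick two or three phrases at most: each extra quoted phrase narrows the search, and a kit's author only has to change one word to slip out of it.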


Whats wrong here

by on Dec.17, 2007, under Uncategorized

The answer to this is the apostrophe is missing, and so is the question mark. There are no tricks in the letters, which I will show below.

Whats wrong here

AAA
BBB
CCC
DDD
EEE
FFF
GGG
HHH
III
JJJ
KKK
LLL
MMM
NNN
OOO
PPP
QQQ
RRR
SSS
TTT
UUU
VVV
WWW
XXX
YYY
ZZZ

Did you know that 80% of UCSD students could not find the error above? Repost this with the title “what’s wrong here”, and when you click “post “, the answer will be really obvious.

Every character is stored in the computer as a number, and a hex dump shows those numbers in base 16. The capital letters start with A, which is 65 in decimal or 41 in hex, and continue in sequence. Knowing this, we know that any trickery, such as using the digit zero for the letter O or \ / instead of the letter V, will show up in the hex dump: any non-sequential value signifies a deviation from the pattern, and the trick. The following is the AAA->ZZZ part of the hex dump. Note the following:

  • 0a is the newline character
  • When reading, remember to read each four-digit chunk from right to left: the dump groups bytes into little-endian 16-bit words. If you wanted the combination ABCD, you would read it BA DC
  • Since this is hex, 49 is not followed by 50 but by 4a (then 4b, 4c, up to 4f, then 50). Use a hex/decimal converter if you need help

0000010 0a0a 4141 0a41 4242 0a42 4343 0a43 4444
0000020 0a44 4545 0a45 4646 0a46 4747 0a47 4848
0000030 0a48 4949 0a49 4a4a 0a4a 4b4b 0a4b 4c4c
0000040 0a4c 4d4d 0a4d 4e4e 0a4e 4f4f 0a4f 5050
0000050 0a50 5151 0a51 5252 0a52 5353 0a53 5454
0000060 0a54 5555 0a55 5656 0a56 5757 0a57 5858
0000070 0a58 5959 0a59 5a5a 0a5a

The above has been clipped from the entire message. Here we can see, without a doubt, that the letters run sequentially from 41 to 5a, or A to Z, with no surprises such as \/ (5c 2f) in place of V.

Also note that the lower-case letter l is 6c. 6c does not appear where one would expect to see the capital I, which is 49.
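The same check done by code rather than by eye, as an added example that is not part of the original post: it rebuilds the puzzle from the letters shown above, prints it in the same layout as the dump (7-digit hex offset, little-endian 16-bit words), and walks the lines comparing code points against the expected A to Z sequence. The tampered copy is constructed here to show what a zero for O, a slash pair for V, a lower-case l for I and a non-ASCII lookalike each look like when named by code point.

```python
"""Rebuild the AAA..ZZZ puzzle, dump it in the layout used above and check
the code points instead of trusting the glyphs.

Added example, not part of the original post. CLEAN is reconstructed from
the letters shown above; TAMPERED is constructed here for illustration.
"""
import string
import unicodedata

HEADER = "Whats wrong here\n\n"
CLEAN = "".join(c * 3 + "\n" for c in string.ascii_uppercase)
MESSAGE = HEADER + CLEAN

# Constructed tampered copy: Cyrillic A (U+0410) in AAA, l for I, 0 for O,
# and "\/" for the middle V.
TAMPERED = (CLEAN.replace("AAA", "A\u0410A")
                 .replace("III", "IlI")
                 .replace("OOO", "O0O")
                 .replace("VVV", "V\\/V"))


def hexdump_x(data: bytes) -> str:
    """Render bytes the way the dump above is laid out: a 7-digit hex offset,
    then up to eight 16-bit little-endian words per line (which is why each
    four-digit chunk reads right to left). Repeated lines are not collapsed
    with '*' as the command-line tool does."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        words = []
        for i in range(0, len(chunk), 2):
            pair = chunk[i:i + 2].ljust(2, b"\x00")  # zero-pad a trailing odd byte
            words.append(f"{int.from_bytes(pair, 'little'):04x}")
        lines.append(f"{off:07x} " + " ".join(words))
    lines.append(f"{len(data):07x}")
    return "\n".join(lines)


def find_anomalies(text: str, run: int = 3) -> list:
    """Walk the puzzle line by line, expecting AAA, BBB, ... ZZZ. Any line
    that is not exactly `run` copies of the expected ASCII letter is reported
    with its code points and Unicode names, so a digit zero, a reverse
    solidus or a Cyrillic letter is named rather than eyeballed."""
    problems = []
    expected = iter(string.ascii_uppercase)
    for lineno, line in enumerate(text.split("\n"), start=1):
        if not line:
            continue
        want = next(expected, "?")
        if line != want * run:
            problems.append({
                "line": lineno,
                "text": line,
                "expected": want * run,
                "codepoints": [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"
                               for ch in line],
            })
    return problems


if __name__ == "__main__":
    print(hexdump_x(MESSAGE.encode("ascii")))
    print("clean:", find_anomalies(CLEAN))
    for p in find_anomalies(TAMPERED):
        print(f"line {p['line']}: {p['text']!r} (expected {p['expected']!r}): {p['codepoints']}")
```

Running it on MESSAGE reproduces the 0000010 and 0000070 lines quoted above byte for byte; running find_anomalies on the tampered copy names each substitution, including the Cyrillic one, which in the hex dump would show up as a two-byte UTF-8 sequence rather than a single 41.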

Other possibilities include finding things such as KKK. While the KKK is wrong, I don’t think this is the point of this exercise.

Please can we put the constant questions to rest?

For further information, have a look at this hex / character table.


Telnet to https

by on Sep.06, 2007, under Linux, White Hat

This nifty little trick lets you type HTTP requests by hand over HTTPS:

openssl s_client -connect www.pcfinancial.ca:443 -state

This takes the place of `telnet www.google.ca 80`: openssl negotiates the TLS session for you, and you can then test HTTPS web servers by hand. Two flags worth adding on current versions: -servername <host>, so the server receives SNI and presents the right certificate, and -crlf, so the line endings you type are sent as CRLF as HTTP expects.
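The same thing from a script, as an added example that is not part of the original post: build a raw request with the CRLF framing that is easy to get wrong when typing, send it over a TLS socket with SNI set, and split the reply into status, headers and body. The host is the one from the post; the test exercises only the request builder and the response splitter on constructed data, not the network.

```python
"""Send a hand-written HTTP request over TLS, the scripted form of the
openssl s_client trick above.

Added example, not from the original post. Network access happens only in
raw_https(); build_request() and split_response() are pure.
"""
import socket
import ssl
from typing import Optional


def build_request(host: str, path: str = "/", method: str = "GET",
                  extra_headers: Optional[dict] = None) -> bytes:
    """Assemble a minimal HTTP/1.1 request with CRLF line endings and the
    blank line that ends the headers, the two things most often typed wrong
    by hand."""
    headers = {"Host": host, "Connection": "close"}
    headers.update(extra_headers or {})
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def split_response(raw: bytes) -> tuple:
    """Return (status_code, headers dict with lower-cased names, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def raw_https(host: str, request: bytes, port: int = 443,
              verify: bool = True, timeout: float = 10.0) -> bytes:
    """Open a TLS connection with SNI (what s_client needs -servername for),
    write the request bytes verbatim and return everything the server sends
    until it closes. verify=False mirrors s_client's habit of continuing
    despite an untrusted certificate; keep it True outside a lab."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    host = "www.pcfinancial.ca"  # host from the post
    status, headers, body = split_response(raw_https(host, build_request(host, "/")))
    print(status, headers.get("server"), len(body), "body bytes")
```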


MythTV & Satellite TV

by on Sep.02, 2007, under Coding, Linux

I recently purchased an ExtremeView xv3300 from EFTA.us. I highly recommend their service: shipping was fast and prices were great. To link it in with my current MythTV system, I needed to build or buy an IR blaster and hook it up to LIRC to blink the codes to the set-top box. Then I needed to configure my capture card to record channels 2-70 from local cable TV, and 80+ from the S-Video input and the satellite set-top box.

(continue reading…)


Bubbly Water

by on Aug.26, 2007, under Cooking

While I was in Germany, I began to enjoy water with bubbles in it (“Soda Water”). In my previous trips to Europe, I hated the stuff, but this time it really grew on me. Before my course started, I was invited out with a really nice German family from Munich. In their house, they had a machine to turn tap water into bubbly water.

I had to get myself one of these machines! In Germany, they are relatively cheap and the cartridges of CO2 are refillable. This is not the case in Canada. The cartridges are expensive, and each company has their own style of doing cartridges. Clearly this wouldn’t do.

(continue reading…)


GPS Logging

by on Aug.08, 2007, under Coding, Travels

GPS Logging of my Germany trip is complete (enough). Version 1 is available at:

http://www.muzik.ca/gpsdata/parse.php

The XML files were logged by the Sunset GPS Tracker (mentioned previously) running on my Windows Mobile phone (yuck!... well, actually it works quite well) and a Holux GPSlim Bluetooth receiver. While in Germany, I had the receiver on my person very often and logged many of the trips I did. The log took a waypoint every 5 seconds (so you can calculate how fast I was going from the difference between waypoints!). parse.php takes the XML file (actually a .gpx file), extracts the coordinates and puts them on a Google map.

Unfortunately it will crash your browser if you have too many points (~300) in your current viewport. Some of my files have lots of waypoints (5000+), so you still need to choose which leg of the journey you wish to see (0-300 is the default starting position). On my list of todos is to discard "duplicate" points (that is, a point within a short distance of its previous point). Also todo is to be able to name a journey (rather than 2007-05-14_…gpx, name it "Trip to Hann-Munden").

When time permits


