Thursday, June 16, 2011

Advanced Evasion Techniques - Stonesoft and ICSA

I attended SC Congress Canada 2011 on Tuesday and Wednesday this week, and perhaps the most interesting talk I attended was Stonesoft and ICSA's Advanced Evasion Techniques.

Stonesoft discovered that with certain evasion techniques (particularly when combined in particular combinations) they could sneak common exploits past many (including their own, at the time) IDS/IPS systems. They built a tool to repeat these tests on a variety of systems, and proved that with the right know how, and the right tool set (including a custom TCP/IP stack) attackers could sneak past our best defenses. Packet captures were sent to ICSA along with info so they could try to reproduce these results in their own labs. They did!

This is real and they foresee a not -too distant future where things like botnet kits will have this as a checkbox feature.

These evasion techniques are not attacks on their own, but rather a sneaky way to get whatever attack you want to use past the network monitoring and policing systems to the target host.
It's not about the bad-guy asking "How can I hack in?", but "How can I hack in without being seen?"

Check out the research paper, and packet captures if you are really techie, at

Monday, June 06, 2011

The Truth About Credit Card Expiry

I used to be dumb enough to give my credit card number to Sony PSN. (No more! From now on I will be using gift cards for online services like that)

I had a MasterCard registered with Sony. I bought some PSN credit in January.
My card changed in Feb. (same card number (PAN), new expiry and CVC numbers)
I had never given Sony my new expiry # so I thought I was OK despite the hacking. After all, when I got the new card the activation instructions said that once you activate the new card, the old one becomes useless and should be destroyed.

I logged into PSN on the weekend to double check what card they had and it was that card.
I started a transaction for $5 worth of credit to see if it would show me for sure the expiry date was the old one... I clicked next and got back a thank you. A minute later an e-mail receipt arrived showing I had just purchased $5 of wallet credit in PSN. WHAT!?!!?

How was Sony able to process a purchase without the new expiry?

I got on the phone with the credit card company and asked them. They told me that because the old card has not yet expired, even though the new one is activated, they still keep the old one active too, and that is why they ask you to cut up the card when you have activated the new one. (funny that's not how they explain the process in the letter that comes with the new card)

So I reported my card lost and had a new one with all new numbers issued.