Hey dudes/dudez/d00dz! Welcome to the third installment of Enigma’s 2600 report.
It has been nearly a year since the last one. It has taken this long because I want to
fill this thing with quality information. Most of the publications I have seen similar
to this tend to go for the "monthly" aspect (or however often) and just fill themselves
with crap.
Unfortunately, I cannot be at this month’s 2600 meeting. It happens to be on the same
day as my beautiful significant other’s birthday. I hope to see you guys next month and
at DefCon (you are going to DefCon aren’t you?!?!?). If you will be attending, be sure
to check out the Caravan information.
Ever wonder what’s hidden away in that private database that Windows calls
"The Registry." I did, and I found out quite a lot of interesting undocumented "security"
(or lack thereof) information. My finding will be coming soon to the web page, the
2600 report, and/or 2600 magazine.
Have fun and keep the information flowing!
-Enigma
(enigma@netninja.com)
It is now more important than ever to keep your eye on Big Brother Bill Gates. It seems
that Microsoft has started the PC/SC workgroup (that’s Personal Computer/Smart Card) to
define a set of standards for how U.S. smart cards talk to hardware and how that hardware
talks to software. They want to incorporate it into NT5 and Memphis/Windows9x. They
have already gotten a few "big boys" to help them out:
| Bull CP8: | A company that specilizes in smart cards and secure transactions.
Their systems have already been deployed n Belgium, Switzerland, Russia, and Turkey.
| Hewlett-Packard: | We all know them by name
| Schlumberger: | A company that sells smart cards. Some adhere to the "Java Card
Specification" and some ise 1024 bit RSA cryptography.
| Siemens Nixdorf Information Systems: | A hardware company with 15 years of
experience (10 when it comes to CPU based smart cards). Designed the access control
system for Munich Airport and the ECash Bankcard for German banks. They manufacture
several card readers that interface with the PC.
| Gemplus: | "The world leader in smart and plastic cards." They sell the cards
and readers.
| IBM: | We all know them by name. They just want to help write the standards
for "multi-function cards."
| Sun Microsystems: | We all know Sun. They probably have something to do with
the "Java Card Specification."
| Toshiba: | Make of laptops--along with industrial hardware, components, imaging
systems, and medical systems.
| Veraphone: | The maker of the credit card authorization systems that everyone
uses. | | | | | | | | |
The system can be broken down into six layers:
| * | The smart cards will conform to the ISO 7816 specification--both
physically and electronically. (FAQ for
alt.technology.smartcards)
| * | The interface device can be a fairly "dumb" piece of hardware that
provides little more than electrical connectivity between the card and the computer
through some kind of vendor-defined interface. The most common interface seems to be
the keyboard port, according to the specifications--but any port, such as the serial
port, can be used. Using the keyboard port is convienent, since a card reader integraded
with the keyboard would be fairly cheap and easy to use.
| * | The Interface Device Handler is a device driver written by the vendor
for the specific operating system under which the driver runs. The difference
between "smart" and "dumb" interface devices can be hidden here (i.e. the smarts of
a "smart" card reader can be made up for with slick programming).
| * | The next layer of the systems is the Resource Manager. This is
a system-level component and, typically, part of the operating system. This layer
supports the actual transaction primitives. The card device is a "single threaded"
device (only one thing can use it at a time), and most operations require several
commands to be sent to and received from the card. Most operating systems are
"multithreaded," which means that many different applications can request to talk to the
card. This layer assures that a single application’s sequence of commands is executed
without interruption from another application, which could corrupt data or produce
uncertain results.
| * | The next layer is the Service Provider. This provides an API to
applications and takes care of many commonly used functions. Cryptography is handled
by this layer.
| * | The final layer is the actual application itself. This is the
overpriced, shrink-wrapped front-end software you pick up from Fry’s (when this
technology becomes common). | | | | | |
The home page of the PC/SC workgroup is: http://www.smartcardsys.com.
From there, you can download the current revision of the specifications in Post Script or
MS-Word format. You can also find out more about the companies involved.
If you have been on the net recently, you probably know all about WinNuke (if not,
search for it on Altavista). Sending Out of Band (OOB) data to a Windows machine will
crash it. WinNuke takes full advantage of this flaw. A patch is available from
Microsoft (http://www.microsoft.com/kb/articles/q168/7/47.htm). There are also rumors
that a version of WinNuke is out there that somehow gets around the patch...?
Forensic Science is a very intersting subject. They can match bullets to guns.
They have giant databases that associate tire weel-bases to car makes and models.
They have found that leather gloves leave unique "fingerprints" (after all, it’s cow
skin). No two shoes are alike--even if they are the same brand.
http://users.aol.com/murrk
This space intentionally left blank
|
