Azeem Personal play ground

Apropos to Habib Bank Limited (HBL) Internet Banking Security

azimyasin — Fri, 16 Sep 2011 20:33:22 +0000

One good day i happen to get a link shared from one of my friend saying that you’re one of the developer various banks IB you should check this one out i responded back with my comments on that blog but soon i was moderated to respond on it and then a series of email exchange started between us .

Below is the email Chain

1st Email

——————————————————————————————-

So then you do concede that you or someone in your team has access to everyone’s plain-text passwords? Since HSM does have a key and someone knows that key. Is that correct?

Aleem

On Thu, Sep 15, 2011 at 10:47 PM, Azeem <wordpress@aleembawany.com> wrote:

New comment on your post “Habib Bank Limited (HBL) Internet Banking Security”
Author : Azeem (IP: 202.142.176.163 , 202-142-176-163.multi.net.pk)
E-mail : azimyasin@gmail.com
URL : http://azimyasin.wordpress.com
Whois : http://whois.arin.net/rest/ip/202.142.176.163
Comment:

Dear Aleem,

I would again say ”Neem Hakeem khatr-e-jaan” what you’re saying is that pins which are generated by HSM can be seen by anyone / every one , doesn’t that imply that ATM Pin codes that are generated via bank can be seen by bank employees and they can generate duplicate ATM cards and use your pin codes to withdraw your money . Spot on! (Y) You’re actually a geek and you have busted a secret out of banking industry please go on with suing all of those banks that uses partial password as their authentication methods which includes couple of ( swiss banks / world top notch banks )

Regards,
AAY!

You can see all comments on this post here:
http://aleembawany.com/2011/09/10/habib-bank-limited-hbl-internet-banking-security/#comments

Permalink: http://aleembawany.com/2011/09/10/habib-bank-limited-hbl-internet-banking-security/#comment-44090
Trash it: http://aleembawany.com/wordpress/wp-admin/comment.php?action=trash&c=44090
Spam it: http://aleembawany.com/wordpress/wp-admin/comment.php?action=spam&c=44090

My response 1

Dear Aleem,

You should go on with understanding how Pin Mailer / HSM works no pin data are ever stored on any system . Upon initialization of an Alternative delivery channel HSM automatically generates a key and shares a public key with the delivery channel and then the ADC encrypts the pin with that public key and sends it back to HSM now that HSM have a key it stores the password no human intervention is involved neither any human have any access to any key. You should take a look at the product manual of an HSM provided on thales website

Regards

AAY!

—————————————

Second Email comes in

—————————————

As you said it uses a public/private key (asymmetric encryption). And it’s possible you encrypted the entire hard disk volume but either way you, or someone in your team has access to the private key which you can use to get access to the unencrypted volume. Is that correct?

Aleem

—————————————–

My Response 2

—————————————–

The answer is NO! Their is no way you can retrieve private keys out of an HSM . Otherwise the hardware wouldn’t cost in millions

——————————————

Third Email

——————————————

Private key need not be a text based key. You can use a digital card or other hardware tokens. You can even have coupled tokens where two people need to insert their tokens to gain unencrypted access to the machines. So you are saying that no one can decrypt the data and you didn’t get any hardware tokens or similar with your HSM setup?

Aleem

——————————————

My Response 3

——————————————-

HSM are booted by Hardware tokens . That hardware tokens are not used as a private key of ADC’s don’t you feel one can achieve the same task with a normal PC if it was that easy to access all the data? why to buy a 5/6 million hardware you can do it in a 25k MS SQL Server

———————————————

Fourth Email

———————————————

> Their is no way you can retrieve private keys out of an HSM

As a matter of fact, HSMs even allow you to backup the private key through smartcards or tokens.

What I said was that authorized persons can get access to the data as and when they please. The same tokens are also used for making backups.

And on the other hand what you are suggesting is that once the data goes into the data store, there is no way to get it out? Only to verify that it using yes/no responses?

—————————————-

My Response 4

—————————————

Yes that remains a fact. In case an anomaly occurs or an organization needs to fetch that data out of an HSM they need to contact back the vendor of HSM i.e. Safenet or thales and then only they can provide the actual buyer with the hardware key that be the private key and on most of the cases it remains with the actual vendor and it’s the contractual obligation of the HSM providing vendor to keep those keys safe once they sends back the private key to the real consumer the contract goes null and void i.e. that Hardware which costs in millions is no longer the safest place to keep pins .

If getting private keys was that easy all ATM Pins would compromise with one person knowing pin codes of all consumer.

—————————————–

Fifth Email

—————————————–

If you never need to decrypt the data you don’t need asymmetric keys. You do understand how asymmetric keys work don’t you?

The key you are referring to may be the root key or some such key. The HSM does actually provide an API to generate keys to decrypt data. Anyone with sufficient privileges in your team can decrypt the data.

That’s why you are using asymmetric keys. To be able to get back out what you put in.

Otherwise you would use a one-way cryptographic hash. That’s why hackers use brute force dictionaries. I don’t think you really understand this concept.

You should consult your team lead or something and read up on the matter. If you are in IT operations (which it sounds like you might be), I would suggest you consult your software dev lead instead.

Aleem

——————————————–

My response 5

——————————————–

Dear Aleem ,

I do lead a team of 5 devs here . Asymmetric keys are used by HSM to do processing within it self.

Below is the overview of what actually happens

1. Upon initialization of a ATD i.e. ( POS,InternetBanking,ATM) an ATD sends in a Init message(Initialization) to HSM

2. HSM Generates Public/Private key pair and stores it on a keyindex and sends in Public key as a response to this message . Only Keyindex / Public key are accsesible in HSM and no private key data is ever shown.

3. The ATD stores that Public key in its database or in-memory

4. Now lets say a user comes in and register his self on Internet banking . The IB Generates a random password encrypts it with Public key sent by HSM and send it back to HSM . HSM Responds with success / fail . If success HSM stores that pin in its database . If the ATD receive backs Success it sends that pin to consumer via email/sms what ever the organization decides.

5. Now when the user comes in to authenticate a pin verification message is sent to HSM in case of partial password a sentinel value is set i.e. if the password is abcdef123 and abcd is taken as an input from user abcd$$$$$ is sent to HSM by encrypting it with public key of HSM .

6. HSM decrypts it and only check the password positions which are not sentinel values

7. If the pin validates HSM responds back with success and only then the user is able to login .

If you still don’t understand this discussion will never end. I still don’t think it’s wise to say the bank have stored the password in a MYSQL/MSSQL/ORACLE database in plain text format.

Regards,

AAY!

———————————————-

Sixth Email

———————————————-

Actually, it’s not that complex and I do understand what you are saying. Appears your HSM implementation is different and it doesn’t make all that much sense that you have entrusted your private key to another entity.

And you are mimicking one-way encryption by keeping the PK completely concealed. There is a reason why they invented one-way encryption functions. There’s also a reason why entire PHDs have been done on the same and why HSMs have encryption accelerators built into it.

Not to mention all other security considerations with essentially 4-letter passwords (brute forcing it would be trivial).

It might be useful for ATM and pins, but not for user passwords as such. One-way encryption algorithms achieve the same.

Also, I suspect that your SKU might be different, but a quick Google search shows that HSM APIs allow you to get the private key–maybe in your case they just stifled it. Either way, partial passwords are probably better done by generating one-way hashes of possible combinations and keeping the encrypted letter count high enough to avoid brute force (GPU based brute force attack would take a matter of hours if not days).

The analogy is that you have a really secure locker so you are storing everything in it (all your eggs in one basket). With each password individually encrypted using one-way functions, each password is it’s own unique locker. That’s common practise so a compromise doesn’t divulge every password or a brute force doesn’t screw things up. I still see this is as a big gap, though you have taken other measures against CSRF and two-factor auth.

If you just did a one-way encryption, you’d get the same functionality without an HSM (for this specific purpose) and would make it more secure. I am too lazy to find references, but this is also required for regulatory compliance. HSM might be entirely okay for storing other sensitive user data and key financial data or even ATM pins. But the very ethos of asymmetric keys is that you can encrypt and decrypt data. You are using it incorrectly.

Aleem

———————————-

My response 6

———————————-

Partial passwords are used to secure no-voice user from giving away their complete password in a keylogger/hacked machine

Regarding your other doubts that a 4 letter passwords is prone to brute force attack after 3 un-successful login attempt the account of the user is locked and the user have to visit the bank in order to reactivate their password.

You have agreed to the fact that the implementation i have mentioned in my reply makes it nearly impossible for any one to see what the user password is and now you’re arguing on the fact that you should have done one way hashing because you say so.

You do realize that it would have been impossible to do partial password authentication in case of one way hashing and the users would have been more prone to keylogger based fraud/scams ? isn’t it ?

Either way your post saying HBL /MCB or any other bank have stored plain text password is plain wrong. I have worked for multiple banks within Pakistan/Middle east region and i can bet you on the fact that no bank would be fool enough to do what you have just said in your post its just that you don’t know how they have implemented their solution and you’re “assuming”. Moreover no compliance explicitly specify hashing as their recommended way of doing things they do however explicitly specify to not to store any sensitive data in any database/logs at least PA-DSS/ PCI-DSS doesn’t which is a industry standard.

I hope you would write a a corrigendum within your article of HBL using plain-text to store passwords.

Regards,

——————————————————-

Another response of mine prior to receiving his response

——————————————————-

Between your claim that SHA1 and md5 being the more secure way of storing password is again your opinion

put e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 at http://www.md5decrypter.co.uk/ and you will get your hashed password in this case secret

Imagine storing hashes in database and some one with access to the db or some one invading an application and having access to thousands of hashes

Regards,

AAY!

—————————————-

Seventh Email

—————————————-

Are you saying SHA1 is insecure? Really? Do you even know how that website works (I haven’t looked but I have a good guess).

Brute force is not meant for online attempts. It’s for when your password bank gets compromised. You have a long way to go before you understand encryption. You have been given a password vault that you bought off the market and you are simply using that blindly after reading the manual. Doesn’t mean you really know the choice of encryption. Ignorance really is bliss.

————————————–

His 8th Email before reciving my response

————————————

Also, you can do partial auth with one-way. Read up on it.

====================

My final response

====================

You simply fail to realize that the encryption scheme.I provided in the algorithm doesn’t leak any information and no one get to know about any sensitive data. Rather you’re crying on the fact that i know better then you and you should follow me rather following any industry standard.

“HBL Stores plain text password” is a joke and you yourself are now telling me their are ways to store partial passwords without knowing them

P.S. Calling your self a security geek doesn’t makes you one make sure you secure the /pics/ folder at your website adding .htpasswd would be a good idea

For those who think private keys are accessible in HSM can take a look at http://forums.adobe.com/thread/831450 or http://www.openmpe.com/cslproceed/HPW04CD/papers/3327.pdf or you can refer to the HSM product manuals.

Moral of the story ”Neem hakeem khatr-e-jaan”

Hacking into .NET Applications a newbie guide

azimyasin — Thu, 25 Aug 2011 19:56:11 +0000

As always .. its been a long time since i blogged about any thing .. I was bored today had nothing good to do so i thought of writing a blog entry to boost traffic of this freaky blog a little bit.

Ever since i got a job i have been forced to transform from a typical *nix geek to a .Netter.. Sad though but it’s a fact.

Invading an application code that’s written in *nix require a hell lot of debugging experience + playing with registers of system however with the ease of programming that is provided by .NET comes in pitfalls of it their are couple of companies developing a very professional reflector for all versions of .NET . Most of the production environment code that is out their doesn’t contain any form of obfuscation hence are very prone to cracking/hacking. I would be giving a demo as to how to invade into a simple .NET Application

So we will Write One Console application that will in-term calls a DLL ( Dynamic Link Library ) to perform certain task .
As i have been working for banking industry let us call our console application to be a service that triggers a Funds transfer from One banking account to some other banking account.

using System;
using System.Collections.Generic;
using System.Text;
using FTLibrary;

namespace PaymentExecutor
{
    class Program
    {
        static void Main(string[] args)
        {

            Console.WriteLine("Starting Our Executor");

            Console.WriteLine("Initiating FT Class");
            FTClass tempObj = new FTClass();
            tempObj.DoFundsTransfer("123", "234");

            Console.ReadLine();

        }
    }
}

Ok the above code is basically a Payment Executor which do funds transfer from Account “123″ to “234″
Our FT Class looks some thing like this

using System;
using System.Collections.Generic;
using System.Text;

namespace FTLibrary
{
    public class FTClass
    {

        public bool DoFundsTransfer(string sFromAccount, string sToAccount)
        {
            string tempFrom = sFromAccount;
            string tempTo = sToAccount;

            Console.WriteLine("Ok Going to do fundstransfer from " + sFromAccount + "  to  " + sToAccount);
            Console.WriteLine("This is where fundstransfer from " + sFromAccount + " to " + sToAccount);
            Console.WriteLine("Execution ends here");
            return true;

        }
    }
}

Now that we have our code compiled the above code would generate a bin folder that would look some thing like this

Imagine you have deployed the same code in some production environment taking out its code would be a piece of cake for anyone with a little experience of Redgate Reflector (Previously available for free) free trial is available though . I tried generating code from the Exe and here is what i have got out of it.

The code that is generated by reflector is a near identical copy of the main class. Moving forward the reflector generated code of FTClass looks something like this.

Fair enough. Now that i can see the code one thing i could to do is to create another project and generate an exe but that’s tricky on most of the system that involves fairly complex library are not that easy to compile we need a simple way to hack in to this dll and modify the transferring account with ours.

A typical output of the above written program would be some thing like this.

This is where Reflexil do the charms its a (Open source ) utility that can be used in conjunction with the Redgate Reflector to modify the instruction set directly in the library for that you will have to go through this link

Opening up Reflector + Reflexil for the above program and navigate to the Instruction set tab of it.

Looking on the above instruction set and going through the CIL Instruction set provided in the given link one can easily make-out before the call of DoFundsTransfer stack is empted first and then two strings are loaded into it.

Now moving to actual FT Class below is the snap of its instructions.

So This is where the funds transfer happens let us add our own instructions with-in it .

So a tricky bit here is that i did ldstr instead of ldarg save the dll from within reflexil menu and replace it with existing now the output looks some thing like this.

tadda…. sweet isn’t it. P.S. the step by step guide is made just to make people aware of the potential security risks i have been into one of the “Secure Coding Technique” guide sorta thing and ” i personally think they are of no use” and are typically bookish . The above guide is a some what practical example of hacking . If you have a little sense of security you can combined the above explained steps with some basic privilege escalation exploits i.e (local root) you can make a huge impact without leaving a single foot print .

Anyways guys Eid mubarak in advance to all of you ! until my next blog post which is not coming any time soon tc tata Byebye ALLAH HAFIZ

PHP/MYSQL Database Tuning/Optimizing

azimyasin — Sat, 26 Dec 2009 21:56:01 +0000

Hey there all ssup! my xams are over now .. though there had been quite couple of things going around with my lyfe i finally took out some spare time to write a blog entry.. Well quite recently i have encountered a problem which is quite weird i have setup a small site with a huge data set.. really huge… My DB Structure was fairly simple 3 tables were there for illustrative purpose i will name them

Table_A
Table_B
Table_A_B (Relation ship of A and B )

Table A contained Lots and lots of data where as table B have relatively small number of data in it.

In my interface application there was an option of Search in which i was fetching out data from Table_A with relationship of Table_A_B

the query i used to fetch out rows was like

SELECT col1,col2
FROM Table_A WHERE id_TableA IN (

SELECT TableA_id
FROM Table_A_B
WHERE Table_Bid =1
)
AND Col1 Like (‘%query%’);

With a data set of 300000 it took 2 minutes to retrieve the search result out of it. That was really pissing me off.

After executing the same query with Explain i found out only one index was being hit which was one of the reason of query taking so long Now i have to make indexes.

Then i Google around and found that i could make Full-text search index on the col1 But guess what Mysql Only supports Full Text search indexes on MyISAM Tables and i had InnoDB Tables which cannot be transformed into MyISAM due to constraints.. Shit Happens.. Nevertheless so Now in this case what i did was to replicate the tables and set my default table type to MyISAM this was easy

Create Table Table_A_Copy SELECT * From Table_A

After doing that you will have a copy of the Table_A however no indexes / Primary key/ FK Constraints would be there you have to make a primary key plus indexes and now this time you can make Full Text Indexes.

And off course you have to change your code/Query to use the new tables there would be a marginal increase in searching after doing this the query would look some thing like this
SELECT col1,col2
FROM Table_A WHERE id_TableA IN (

SELECT TableA_id
FROM Table_A_B
WHERE Table_Bid =1
)
AND Match(col1) AGAINST(‘”search query”‘ IN BOOLEAN MODE)

Mysql Reference manual for Full text search can be found out here

see ya folks and a very happy new year to all of ya

Google ad @ Gmail.

azimyasin — Tue, 02 Jun 2009 17:57:13 +0000

Inbox

Well this was all of the sudden i looked at my inbox and was laughing like hell! man it reminds me of good old days when i use to travel in wagons and coaches ! ROFL!

Random Rantings!

azimyasin — Sun, 22 Mar 2009 20:02:14 +0000

Write now am pissed !! And Where else to go with your frustrations !! Offcourse your blog !

– When some random friend of your’s talk shit ! What would u do ! Slap the shit out of him/her ?! Or say him/her to fuck off !

Well the things are pretty straight if you do what i just said above.! But you simply can’t on times you can’t!

Then what are the ways to topify ! or to say things indirectly!

1. Simply stop talking with him/her. ! ( The best way though they GAY one )!.

2. Be Quick Pick up a phone call some one who’s your friend and his/her friend as well go on with your pitty story and in the end when the guy asks you why are you telling him all the shit simply ask him to call back that shit hoe and say him/her to fuckk off from your side.

3. Be nice be gently give a smile and with all the emotions filled over your face ask him ! Is it that what you deserve.! and if he/she reply back with yes ! this is what you deserve see the line starting with “–” .

4. Put your self in his/her place ask yourself a question that “what if ” at his place and if still the things look wierd go to line starting with “–”

Well this is it from me but you guys can add up what ever you think in it .. to make the list more comprehensive.

Post the T-F-26-09

azimyasin — Thu, 26 Feb 2009 18:33:42 +0000

“It’s being a while i blogged about any thing” < — Repeated again!
Any ways i just visited my own blog after hell lot of tyme ! why ? usually my lyfe loops(work -> home -> movie -> sleep -> work ) around any ways i just found Nadia,Bina tagged me so this post would be about this taggnig stuff

Tag:

6 weird habits/things about yourself

Rules:

The initial player of this “game” starts with the topic “6 weird habits/things about yourself” and people who get tagged need to write a journal about their 6 weird habits/things as well as state this rule clearly.
I removed in the End part because it sounds more like Yeh Email 5 aur ko forward karain nahi to bohat bura hoga raat mein tumhain Babar-shair kha jayega lol!

1st. I talk loud ! even on the places where i am not supposed to

2nd. I can go to sleep while talking over phone at night.

3rd. I can get tensed very easily

4th. I Sleep less then 5 hours daily :p

5th. I google alot.! More then what you can imagine.

6th. I am a opportunist.

Random Stuff

azimyasin — Thu, 15 Jan 2009 17:37:05 +0000

I could have annihilated all the Jews in the world, but I left some of them so you will know why I was killing them. [Adlof Hitler]

EH and Comments.!

azimyasin — Thu, 20 Nov 2008 17:06:53 +0000

Exception Handling plays an important rule in Commercial enviroment where un certainity of input is common you cannot imagine of writing a code that lacks exception handling apparently comments play an important part as well. Logging exceptions of every kind and having logs of every event is very necessary when you’re working with systems which does Financial transactions . This post is not about how to do exception handling or how to write comments in your code. But its all about what msg to pass on exception handling ! Lets say you are working on a project which is deployed on a server which is being monitored by a Certified System administrator and the client you’re working for is very decent they sent you out logs as-it-is from the server by the Server Administrator. Then you should write a code like

void myFunction(string someparameter)

{

try {

// some code here.

}

catch(Exception ex) {

throw new Exception(“There was an exception Processing myFunction Source = ” + ex.Source + ” Error Message = ” + ex.Message);

}

Now Lets take a case where you are working on a project which is deployed on a Server with no authenticated Server Admin and all of the sudden you get an phone from a moron which happens to be a server admin showing you entire stack trace and yelling that your application lacks logics and all ! and after looking in to logs you find that Problem really doesn’t exists on your side but on some other system. The criteria of handling exception changes not in code though but the msg !

void myFunction(string someparameter)

{

try {

// some code here.

}

catch(Exception ex) {

throw new Exception(“OMG OMG OMG WTF WTF WTF !! SOME THING IS REALLY BITCHIN myFunction UP! FUCK IT AM NOT PLAYING ANY MORE ! “+ ex.Message);

}

Some of you might ask me why this well a good answer to the question is that the Moron looking Server admin would never call you up and tell you the entire stack trace he would basically mail you up the entire logs voluntarily !

It works! Not necessarily all time Why ! ? the moral of people varies if the above thrown exception doesn’t work out for you i would recommend to slightly change the message or include some phrases like “I M GAYLORD” it might work out for you.

I usually comment my code a lot the reason behind it is not that i love to comment or its a good coding practice no way ! but the fact is that i don’t my self remember what i wrote an hour back comments like

// ALAAAAAAT! PAPU !! AGAYA !

// LOCHA HERE !! FIX IT AFTER LUNCH OR FUCK IT!

// YEAH BABY YEH !

the rest are censored. Comments are basically made for the convenience of a programmer and i feel like what i comment on my code can be easily understood by any typical karachite and believe me its fun to read my code :p .

Some Ground Realities.

azimyasin — Sun, 09 Nov 2008 12:30:58 +0000

It’s being long since i posted some worth reading stuff and i still don’t know if this post would be worth reading or not.. anyways quite loads of things happening and that too very fast. Politically i am a very moderate personality i don’t like Paki Politics it sucks ! We aren’t democratic in any sense. Couple of weeks back our house was robbed we weren’t in the house and some one intruded while i went out to get police if found an SHO of God knows what area on my way i told him the story of us being robbed and he was like “Why do you have to leave your house locked up don’t you know how dangerous it’s to leave the house locked up now a days” . I was amused by his reply ! Inside i felt like i should tell him “TO FUCK OFF!” though the circumstances didn’t allowed me to we got back home they investigated my home fortunately SHO Of my locality came in as well a young guy with a dashing personality he was an totally different form that Jackass a person who you can talk with very helpful guy and he helped me up with every thing he could. Though this post is not about Police being jerk or helpful its about the Peace of Karachi getting worst and worst i just came to know that one of my relative was gun shot for not giving the “bhatta” a new tradition of “parchi” is on the boom if you go to the area’s in Karachi south i.e. ( Tower,Kharadar,Nayabad,Moosalane,Lee-market,Lyari and other areas that comes in Karachi South. ) I happen to have a chat with my relative he told me the story of the “Parchi” A guy would come up at your shop a baloch mostly and would hand you out an envelope with an amount written on it and on the same day you will get a call on how to deliver that amount if you manage to say no get ready for the first episode .. that would be a firing at your workplace/shop and if you happen to face the first episode you will get a call on the same day weather u still want to resist or not and mostly u will not but if u manage to resist still your family would happen to get your dead body quite soon they happen to know each and every thing about you there are three man groups active in there Jango,Rehman Dakait , Arshad Pappu . Rehman and Arshad Control there every day works from with in the jail how ever Jango is being ruled by some unknown sources.

There is being a recent loot in Iqbal Market robbing 40 Shops at a single time by one of the group the people of these localities are no more secure in any way i would say musharaf period was way too good because there’s being rumors that Rehman is one of the great follower/Supporter of bhutoo. Government should take some bold step to wipe these terrorists out of the country rather then going for international terrorism Pakistan itself is being very unfair with these people ? You people might say why the fuck did you said that ? Well they people were the first to come here Karachi was the place of “Machaira’s” and before any one here they were here and they are still there being “Machairas” Every one except them got flourish in karachi government should gave them opportunities and make them stand out in a suitable place as to wipe off these issues. anyways.. that’s my opinion what do you guys think ?

Some vidz i came across.

This is place is not dead yet!

azimyasin — Thu, 30 Oct 2008 16:11:27 +0000

Its being long since i blogged about any thing there’s being quite alot happening around me ! My house got robbed :/ !! trying to tackle out hell loads of stuff at home! Got my degree in hands yay! finally no more clearance and all.. Coding at it max..i would be writing an article about how to invade an acadmic server lol!! when i get time got so much ppl requesting it :p buwahahah any ways ! guys pray for my mom she aint feelin well now a days !

peace.

Azeem.