Showing posts with label games. Show all posts

Feb 18, 2008

Top 10 Podcast Episodes

Over the years I have compiled my favorite security podcast episodes. Here is my list of top ten shows. Most of these episodes are interviews. Here they are in no particular order:


  1. The Silver Bullet Security Podcast, Show 013 - An Interview with Ross Anderson
    Gary McGraw interviews Ross Anderson, author of the book Security Engineering. He is one of the researchers in the Security Group at the University of Cambridge Computer Laboratory, which runs a blog that I check regularly called Light Blue Touchpaper.

    Gary and Ross talk about the book, the economics of information security, Ben Edelman's paper, disclosure and RFID MITM attacks.

  2. The Silver Bullet Security Podcast, Show 016 - An Interview with Greg Hoglund
    Gary interviews Greg Hoglund, author of Exploiting Software, Rootkits and Exploiting Online Games. In fact Gary McGraw co-authored the first and third books mentioned.

    They talk about reverse engineering, disclosure, rootkits, EULAs, exploiting software and cheating online games.

  3. SploitCast Podcast #008
    Guest Victor Oppleman, author of Extreme Exploits, discusses the RADB, ISP attacks, darknets, uRPF, botnets, DDoS, DNS attacks and tools.

    I originally wanted to feature a ThreatCast interview of Barrett Lyon, founder of Prolexic, but I think this interview of Victor covers more ground, not just DDoS attacks.

  4. SploitCast Podcast #016
    The host interviews Dino Dai Zovi, discussing the fascinating topic of virtual machine rootkits, OS X security, wifi attacks, vulnerability development, disclosure and Microsoft security.

  5. StillSecure, After all these years, Podcast #47 - Web application security with RSnake and Jeremiah
    Alan and Mitchell interview Robert "RSnake" Hansen of ha.ckers.org, founder of SecTheory, and Jeremiah Grossman, founder and CTO of WhiteHat Security. Of course they discuss application security, and of course they focus mostly on web application security.

  6. ThreatCast - Great debate podcast : NAC v SNF
    Alan Shimel, Chris Hoff, Richard Stiennon and Mike Rothman debate NAC, Network Admission Control. Bullshit was thrown, heads were rolling and no conclusions were arrived at.

  7. Security Now 91: Marc Maiffret of eEye Digital Security
    Leo and Steve interview Marc Maiffret. Marc talks about how he got started with security, Windows and Mac OS X security, 0days, vulnerability development, client side attacks and eEye's products.

  8. McAfee AudioParasitics Episode 17
    Jim and Dave are joined by Dave Aitel of Immunity. Dave Aitel talks about his stint at @stake, Immunity products, mobile devices, penetration testing, virtualization, vulnerability development and malware.

  9. McAfee AudioParasitics Episode 19
    McAfee AudioParasitics Episode 20
    This two-part show features guests Rafal Wojtczuk and Rahul Kashyap. The hosts and the guests talk about malware on virtual machines and virtualization security in general.

  10. PaulDotCom Security Weekly - Interview with Mike Poor & Ed Skoudis - Part 1
    PaulDotCom Security Weekly - Interview with Mike Poor & Ed Skoudis - Part 2
    Larry and Paul interview Mike Poor and Ed Skoudis. They talk about their first computers, how they got started in security, SANS, ISC, botnets, malware, Brazilian hacker groups, physical NOP sleds, research and security in general.

Listen to these podcasts while they're still online and before most of the topics discussed go stale.

Feb 2, 2008

Tongits is in the AIR

Somebody made a card game that runs on Adobe AIR. Tongits is a popular card game played as a pastime and also for gambling here in the Philippines. It is played like Mahjong, with card rules similar to poker.

What the Adobe Integrated Runtime is, according to Adobe:

Adobe® AIR™ lets developers use their existing web development skills in HTML, AJAX, Flash and Flex to build and deploy rich Internet applications to the desktop.
More information is in the AIR developer FAQ. According to the FAQ, AIR APIs are only exposed to Flash content via ActionScript 3/AVM2. This means it requires Flash version 9, with those nifty features like network sockets.

Installed AIR. Downloaded the game installer; aptly, the file extension is .air. The package can be easily unzipped:

    $ unzip -l Tongits.air
    Archive:  Tongits.air
      Length     Date   Time    Name
     --------    ----   ----    ----
           59  01-24-08 11:43   mimetype
         5601  01-24-08 11:42   META-INF/AIR/application.xml
           32  01-24-08 11:43   META-INF/AIR/hash
        16931  01-02-08 01:09   icons/128x128.png
         3272  01-02-08 01:09   icons/16x16.png
         4227  01-02-08 01:09   icons/32x32.png
         5545  01-02-08 01:09   icons/48x48.png
      2558544  01-24-08 11:42   Tongits.swf
         3311  01-24-08 11:43   META-INF/signatures.xml
     --------                   -------
      2597522                   9 files

No executable in sight, only a SWF file. Looks like AIR is an uber Flash player. Double-clicked on the .air package: it asks for file system and network access. That's Adobe for you, bringing the Web into the desktop.
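A small triage script for this kind of package, added here as an example (it is not code from the original post or from Adobe). It builds a constructed .air-like ZIP in memory with the same layout as the listing above (the hypothetical application id, SWF bytes and signature file are placeholders) and then reports what a reviewer wants to know before double-clicking: whether the mimetype entry is intact, which file the descriptor launches, whether a signatures.xml is present at all (the script does not verify it), and whether any native Windows binaries ride along in what should be a pure SWF/HTML package. The mimetype string is the AIR package type; it is 59 bytes long, matching the mimetype entry size in the listing.

```python
"""Static triage of an Adobe AIR (.air) package, which is a ZIP archive.

Added example, not code from the original post or from Adobe. The sample
package built below is constructed data, not the real Tongits.air.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# AIR package mimetype: 59 bytes, the same size as 'mimetype' in the unzip listing.
AIR_MIMETYPE = "application/vnd.adobe.air-application-installer-package+zip"
# Extensions a SWF/HTML application has no business shipping (assumption, tune as needed).
NATIVE_EXTS = (".exe", ".dll", ".sys", ".bat", ".cmd", ".com", ".scr")


def build_sample_air(with_native=False):
    """Construct a minimal .air-like package (sample data, not the real game)."""
    descriptor = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<application xmlns="http://ns.adobe.com/air/application/1.0">\n'
        '  <id>com.example.tongits</id>\n'          # hypothetical application id
        '  <version>1.0</version>\n'
        '  <filename>Tongits</filename>\n'
        '  <initialWindow><content>Tongits.swf</content></initialWindow>\n'
        '</application>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # First entry, stored uncompressed, as in the real packages.
        zf.writestr(zipfile.ZipInfo("mimetype"), AIR_MIMETYPE,
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/AIR/application.xml", descriptor,
                    compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("Tongits.swf", b"FWS\x09" + b"\x00" * 16)       # fake SWF header
        zf.writestr("META-INF/signatures.xml", "<Signature/>")      # placeholder only
        if with_native:
            zf.writestr("helper.exe", b"MZ" + b"\x00" * 62)         # fake PE stub
    return buf.getvalue()


def _qualified(root, tag):
    """Prefix `tag` with the descriptor namespace, which varies per AIR version."""
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    return f"{{{ns}}}{tag}" if ns else tag


def inspect_air(data):
    """Return a triage summary for the package bytes in `data`."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    infos = zf.infolist()
    names = [i.filename for i in infos]
    first = infos[0]
    mimetype_ok = (
        first.filename == "mimetype"
        and first.compress_type == zipfile.ZIP_STORED
        and zf.read(first) == AIR_MIMETYPE.encode()
    )
    app_id = version = content = None
    if "META-INF/AIR/application.xml" in names:
        root = ET.fromstring(zf.read("META-INF/AIR/application.xml"))
        app_id = root.findtext(_qualified(root, "id"))
        version = root.findtext(_qualified(root, "version"))
        content = root.findtext(
            _qualified(root, "initialWindow") + "/" + _qualified(root, "content"))
    return {
        "entries": len(names),
        "mimetype_ok": mimetype_ok,
        "app_id": app_id,
        "version": version,
        "content": content,
        "content_present": content in names,
        "signed": "META-INF/signatures.xml" in names,
        "native_binaries": [n for n in names if n.lower().endswith(NATIVE_EXTS)],
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_air(build_sample_air(with_native=flag)))
```

Run it against a real package with `inspect_air(open("Tongits.air", "rb").read())`; a non-empty `native_binaries` list or a missing `signed` entry is the cue to look closer, since the AIR runtime itself grants the content file system and network access once installed.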

Installed the game and the files found their way into C:\Program Files\Tongits. Interestingly a new executable accompanies the rest of the files in the package, Tongits.exe with the game logo.

Loaded the binary into OllyDbg. It looks like it was compiled with Visual C++. I saw nothing specific to the game, just a bunch of checks for command line options (-runtime/-stdio), registry entries and whether AIR is installed. I thought it must be a generic executable that launches AIR; generating a custom executable for each AIR application would be tricky and useless. I confirmed this after I found template.exe, which contains the same assembly instructions as Tongits.exe. The binary template.exe is located in the AIR directory C:\Program Files\Common Files\Adobe AIR\Versions\1.0.6.

Stripped all the icon resources from Tongits.exe and I am down to the same size (6144 bytes) as template.exe. Copied template.exe over to C:\Program Files\Tongits and ran it. As expected, it loaded the game just fine. Apparently the AIR installer just embeds the icon into template.exe and drops it alongside the rest of the package files.

I did not see any registry entry specific to the game but it has files in C:\Documents and Settings\root\Application Data\Adobe\AIR\ELS\Tongits.[publisherid]:
PrivateEncryptedData
PrivateEncryptedDatai
PrivateEncryptedDatak
PrivateEncryptedDatav

The publisherid is the same as C:\Program Files\Tongits\META-INF\AIR\publisherid and in the installer package. For this game it is FEEDC458623E9216D3707124DB15BAAB6C08489C.1.

The game only has 10 trial runs before it becomes crippled. You have to buy a key if you want to play seriously.

removed... requested by game author

When registering the game, the files in C:\Documents and Settings\root\Application Data\Adobe\AIR\ELS\Tongits.FEEDC458623E9216D3707124DB15BAAB6C08489C.1 got updated. I figured this is where the registration and game info is saved.

Confirmed by backing up the directory, deleting it and running the game again: I was given another 10 trial uses. Copied the backup back over and I was registered again. Unfortunately for the game author, it is hard to come up with a pirate-proof registration scheme when the state lives entirely on the client.

AIR is bringing Web something.0 technologies into the desktop. I think Mozilla has something similar, the XULRunner. Desktop applications are not dead after all. By the way I prefer the cool guys at AdobeAir.

Jan 15, 2008

CPS3 and crypto

From 1997 to 2000 I was an avid player of button-mashing 2D fighting games; Street Fighter III 3rd Strike: Fight for the Future was a favorite. With the advent of arcade game emulation on the PC I played NEOGEO and CPS2 games on Windows and Linux emulators. But I was not able to play the SFIII series because there were no known workarounds for the encryption of CPS3 (Capcom Play System III) boards.

The CPS3 has nasty protection built in to prevent reverse engineering. There is an encrypted game CD and a cartridge for protection. When the system boots up, the CD is flashed into memory and then decrypted on the fly by the cartridge. The cartridge is very sensitive to manipulation, and if the watchdog detects tampering, the decryption key is erased and the board becomes unusable. The CPS2 has a similar feature dubbed 'Capcom Suicide'. CPS2's encryption was previously worked around using XOR decryption tables, but now it is fully cracked.

The same person that cracked CPS2 has cracked the CPS3 encryption, quoting Andreas Naive (Spanish to English):

As we had predicted from the beginning, the algorithm is cryptographically weak, so that, once discovered, it has not been too difficult to develop an attack with which to recover the keys.

Andreas' Spanish-language blog entries from April to June 2007 have the details of the CPS3 attack. Another blog of interest is Nicola Salmoria's, which has details of the CPS2 attack. Read the cryptanalysis posts on their blogs; these folks crack encryption schemes for fun.

It is also interesting to note that Capcom used some 'birth dates' in the keys of CPS2 and CPS3 games. Here are the keys for the CPS3 games:

    jojo:    0x02203ee3 0x01301972
    jojoba:  0x23323ee3 0x03021972
    sfiii:   0xb5fe053e 0xfc03925a
    sfiii2:  0x00000000 0x00000000
    sfiii3:  0xa55432b4 0x0c129981
    warzard: 0x9e300ab1 0xa175b82c
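To make the 'birth date' remark concrete, here is an added example (not code from the post or from the CPS3 work it cites) that checks each 32-bit key word above for the packed-BCD MMDDYYYY pattern and works out how much entropy a word shaped like that actually carries. The date heuristic and the 1900-2099 year range are my assumptions; nothing here decrypts anything.

```python
"""Heuristic check for date-shaped words in the CPS3 keys listed in the post.

Added example, not from the original post or the cited cryptanalysis work.
"""
import math

# Keys exactly as listed in the post (name -> two 32-bit words).
CPS3_KEYS = {
    "jojo":    (0x02203EE3, 0x01301972),
    "jojoba":  (0x23323EE3, 0x03021972),
    "sfiii":   (0xB5FE053E, 0xFC03925A),
    "sfiii2":  (0x00000000, 0x00000000),
    "sfiii3":  (0xA55432B4, 0x0C129981),
    "warzard": (0x9E300AB1, 0xA175B82C),
}


def bcd_date(word):
    """Decode `word` as packed-BCD MMDDYYYY; return (mm, dd, yyyy) or None."""
    digits = f"{word:08x}"                     # eight hex nibbles
    if not all(c in "0123456789" for c in digits):
        return None                            # a nibble a-f cannot be a BCD digit
    mm, dd, yyyy = int(digits[0:2]), int(digits[2:4]), int(digits[4:8])
    if not (1 <= mm <= 12 and 1 <= dd <= 31 and 1900 <= yyyy <= 2099):
        return None                            # assumed plausible range (heuristic)
    return (mm, dd, yyyy)


def scan(keys):
    """Map each key name to the decoded date (or None) for each of its words."""
    return {name: [bcd_date(w) for w in words] for name, words in keys.items()}


def names_with_dates(keys):
    """Key names in which at least one word decodes as a date."""
    return sorted(name for name, dates in scan(keys).items() if any(dates))


def date_word_entropy_bits():
    """Entropy of a 32-bit word known to be an MMDDYYYY date in 1900-2099."""
    return math.log2(12 * 31 * 200)           # about 16.2 bits instead of 32


if __name__ == "__main__":
    for name, dates in scan(CPS3_KEYS).items():
        print(f"{name:8} {dates}")
    print(f"a date-shaped word carries about {date_word_entropy_bits():.1f} bits")
```

The point for anyone choosing keys: a word that decodes as a calendar date is drawn from roughly 74,400 values, not 2^32, so half of a 64-bit key collapses to about 16 bits of guesswork before any weakness in the algorithm itself is considered.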

The lesson here is that closed encryption algorithms (especially weak ones) will be cracked given enough demand and challenge. Now I can play Street Fighter III 3rd Strike on my PC, thanks to the crypto geeks and of course to Capcom.

Dec 23, 2007

Cheating MMORPGs

I have a friend that is an avid MMORPGer. But I do not think he plays it for fun anymore because he uses a couple of bots for pseudo-playing. He profits by selling valuable items from the virtual world to other real world gamers.

He told me about a peculiar bug in a popular MMORPG here in the Philippines. The bug allows players to gain duplicate items. I think the term for this bug in game exploiting lingo is "duping". This particular bug is especially common in MMORPGs that rely on the game client connecting to several servers for state data. Some developers implement this kind of system for ease of maintenance and load balancing. But this design is susceptible to race conditions.

Apparently the duping happens when one of the servers goes down unexpectedly or connectivity to and from it becomes laggy. Looking at the debug logs from one of his bots, I see three servers being connected to: the account, character and map servers. I told my friend that there is a high chance of reproducing the bug if he was absolutely sure that the only condition for triggering it is a connectivity problem to and from a server.

If the laggy condition triggers the bug, there is a possibility that it depends on the game client's connectivity and not on server-to-server links. It would also help if the specific server/s could be narrowed down. To simulate a server link going down or lagging, a malicious player can firewall, throttle or rate-limit the selected server/s on his/her side.
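To show why a split-state design dupes items, and what the fix looks like, here is an added example (not code from the post or from any real game). It models the two stores the bot logs point at, a character server holding inventories and a map server holding the world, with a "drop item" operation that has to touch both. The link failure is injected by name on the next call to a given method, standing in for the lag or crash described above. `naive_drop` places the item in the world before removing it from the inventory, so a dropped link leaves it in both places; `safe_drop` reserves the item on its home server first (atomic there), then places it, and either compensates immediately or leaves a pending record that `reconcile` resolves after reconnect. Every name here is hypothetical.

```python
"""Item duplication from a non-atomic cross-server operation, and a safe version.

Added example, not code from the original post or from any real game.
"""
import uuid


class LinkDown(Exception):
    """The simulated link to a server dropped mid-operation."""


class Server:
    def __init__(self):
        self.fail_on = set()            # method names whose next call should fail

    def _link(self, name):
        if name in self.fail_on:
            self.fail_on.discard(name)
            raise LinkDown(f"{type(self).__name__}.{name} unreachable")


class CharacterServer(Server):
    def __init__(self):
        super().__init__()
        self.inventory = {}             # player -> [item, ...]
        self.pending = {}               # op_id -> (player, item): reserved, unusable

    def add(self, player, item):
        self._link("add")
        self.inventory.setdefault(player, []).append(item)

    def remove(self, player, item):
        self._link("remove")
        self.inventory[player].remove(item)

    def reserve(self, player, item, op_id):
        self._link("reserve")
        self.inventory[player].remove(item)   # atomic on this one server
        self.pending[op_id] = (player, item)

    def commit(self, op_id):
        self._link("commit")
        del self.pending[op_id]

    def release(self, op_id):
        self._link("release")
        player, item = self.pending.pop(op_id)
        self.inventory.setdefault(player, []).append(item)


class MapServer(Server):
    def __init__(self):
        super().__init__()
        self.ground = {}                # op_id -> item lying in the world

    def add(self, item, op_id):
        self._link("add")
        self.ground[op_id] = item

    def has(self, op_id):
        self._link("has")
        return op_id in self.ground


def usable_copies(char, world, item):
    """Audit: instances of `item` a player could use or pick up across both servers."""
    return (sum(inv.count(item) for inv in char.inventory.values())
            + sum(1 for it in world.ground.values() if it == item))


def naive_drop(char, world, player, item):
    """Vulnerable order: the item appears in the world before leaving the inventory."""
    world.add(item, str(uuid.uuid4()))
    char.remove(player, item)           # if this call never lands, the item is duped


def safe_drop(char, world, player, item):
    """Reserve, place, commit; compensate or leave a pending record on failure."""
    op_id = str(uuid.uuid4())
    char.reserve(player, item, op_id)   # item becomes unusable immediately
    try:
        world.add(item, op_id)
    except LinkDown:
        char.release(op_id)             # nothing was placed: give it back
        raise
    char.commit(op_id)                  # may fail; item stays pending, never doubled


def reconcile(char, world):
    """Run after reconnect: finish or roll back every operation left pending."""
    for op_id in list(char.pending):
        if world.has(op_id):
            char.commit(op_id)
        else:
            char.release(op_id)


def scenario_naive():
    char, world = CharacterServer(), MapServer()
    char.add("alice", "sword")
    char.fail_on.add("remove")          # character link drops mid-operation
    try:
        naive_drop(char, world, "alice", "sword")
    except LinkDown:
        pass
    return usable_copies(char, world, "sword")     # 2: the duplication bug


def scenario_safe(fail_step):
    """fail_step is 'add' (map server unreachable) or 'commit' (character server)."""
    char, world = CharacterServer(), MapServer()
    char.add("alice", "sword")
    (world if fail_step == "add" else char).fail_on.add(fail_step)
    try:
        safe_drop(char, world, "alice", "sword")
    except LinkDown:
        pass
    before = usable_copies(char, world, "sword")
    reconcile(char, world)
    return before, usable_copies(char, world, "sword"), len(char.pending)


if __name__ == "__main__":
    print("naive, character link drops:", scenario_naive())
    print("safe, map add fails:", scenario_safe("add"))
    print("safe, commit fails:", scenario_safe("commit"))
```

The `usable_copies` audit is also the detection side: a periodic count of item instances across the inventory and world stores, compared against the number that were ever created, flags duping regardless of which link was disturbed to trigger it.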