"It is very likely that a large (15-20 cm in diameter), irregularly-shaped, cm-thick pancake with beveled edges, taped to the abdomen, would be invisible to this technology, ironically, because of its large volume, since it is easily confused with normal anatomy. Thus, a third of a kilo of PETN, easily picked up in a competent pat down, would be missed by backscatter "high technology". Forty grams of PETN, a purportedly dangerous amount, would fit in a 1.25 mm-thick pancake of the dimensions simulated here and be virtually invisible. Packed in a compact mode, say, a 1 cm×4 cm×5 cm brick, it would be detected."

   IED recognition guide.pdf by Elsa Cristina David

If you want to go serious on decrypt Subject Key Identifier (SKI) from a X509 certificate, meaning cloning ID EU cards and passaports...take a close and very careful reading:

How to validate the Subject Key Identifier (SKI) from a X509 certificate

Some days ago I received an odd complain that some of the Root CAs we use had the wrong Subject Key Identifier (SKI). I knew that the claim was false but I also knew that I'll have to prove it. The guy did dig on our own specifications and calculated the SKI as we required, the hash of the certificate public key but unfortunately the identifiers did not match.

In order to reproduce the problem I extracted the public key of the Root CA, converted to DER, hashed it with SHA1 and verified that indeed the hash did not match. Let’s do a demonstration of what I did with a public available Root CA:

openssl x509 -in GSRootCA-2014.cer -inform DER -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 02:00:00:00:00:00:d6:78:b7:94:05 Signature Algorithm: md5WithRSAEncryption Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA Validity Not Before: Sep 1 12:00:00 1998 GMT Not After : Jan 28 12:00:00 2014 GMT Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b: 83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0: 63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89: 8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c: 70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50: 15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0: 6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2: 89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7: 54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c: 92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2: 75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9: c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b: bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91: ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51: 63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa: 48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a: 07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93: 90:cf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: md5WithRSAEncryption ae:aa:9f:fc:b7:d2:cb:1f:5f:39:29:28:18:9e:34:c9:6c:4f: 6f:1a:f0:64:a2:70:4a:4f:13:86:9b:60:28:9e:e8:81:49:98: 7d:0a:bb:e5:b0:9d:3d:36:db:8f:05:51:ff:09:31:2a:1f:dd: 89:77:9e:0f:2e:6c:95:04:ed:86:cb:b4:00:3f:84:02:4d:80: 6a:2a:2d:78:0b:ae:6f:2b:a2:83:44:83:1f:cd:50:82:4c:24: af:bd:f7:a5:b4:c8:5a:0f:f4:e7:47:5e:49:8e:37:96:fe:9a: 88:05:3a:d9:c0:db:29:87:e6:19:96:47:a7:3a:a6:8c:8b:3c: 77:fe:46:63:a7:53:da:21:d1:ac:7e:49:a2:4b:e6:c3:67:59: 2f:b3:8a:0e:bb:2c:bd:a9:aa:42:7c:35:c1:d8:7f:d5:a7:31: 3a:4e:63:43:39:af:08:b0:61:34:8c:d3:98:a9:43:34:f6:0f: 87:29:3b:9d:c2:56:58:98:77:c3:f7:1b:ac:f6:9d:f8:3e:aa: a7:54:45:f0:f5:f9:d5:31:65:fe:6b:58:9c:71:b3:1e:d7:52: ea:32:17:fc:40:60:1d:c9:79:24:b2:f6:6c:fd:a8:66:0e:82: dd:98:cb:da:c2:44:4f:2e:a0:7b:f2:f7:6b:2c:76:11:84:46: 8a:78:a3:e3

Now let's calculate the SHA1 of the public key:

openssl x509 -in GSRootCA-2014.cer -inform DER -pubkey -noout| openssl rsa -pubin -outform DER| openssl dgst -c -sha1 87:db:d4:5f:b0:92:8d:4e:1d:f8:15:67:e7:f2:ab:af:d6:2b:67:75

As reported, both hashes did not match!
At this point I was a bit confused and decided to read some documentation before moving forward. After some reading I found the answer in the 4.2.1.2 section of the the RFC3280 “Internet X.509 Public Key Infrastructure - Certificate and Certificate Revocation List (CRL) Profile ” (http://www.ietf.org/rfc/rfc3280.txt)

4.2.1.2 Subject Key Identifier The subject key identifier extension provides a means of identifying certificates that contain a particular public key. To facilitate certification path construction, this extension MUST appear in all conforming CA certificates, that is, all certificates including the basic constraints extension (section 4.2.1.10) where the value of cA is TRUE. The value of the subject key identifier MUST be the value placed in the key identifier field of the Authority Key Identifier extension (section 4.2.1.1) of certificates issued by the subject of this certificate. For CA certificates, subject key identifiers SHOULD be derived from the public key or a method that generates unique values. Two common methods for generating key identifiers from the public key are: (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits). (2) The keyIdentifier is composed of a four bit type field with the value 0100 followed by the least significant 60 bits of the SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bit string bits).

In our case we use method 1) for the SKI but in my calculations I was taking into consideration the whole public key, including tag, length, etc, while I should have used the key bits only.
With the following command I was able to locate the “BIT STRING” with the naked key:

openssl x509 -noout -in GSRootCA-2014.cer -inform DER -pubkey| openssl asn1parse 0:d=0 hl=4 l= 290 cons: SEQUENCE 4:d=1 hl=2 l= 13 cons: SEQUENCE 6:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption 17:d=2 hl=2 l= 0 prim: NULL 19:d=1 hl=4 l= 271 prim: BIT STRING

And I only need to extract it and put it on a file in DER format:

openssl x509 -noout -in GSRootCA-2014.cer -inform DER -pubkey| openssl asn1parse -strparse 19 -out pub.der 0:d=0 hl=4 l= 266 cons: SEQUENCE 4:d=1 hl=4 l= 257 prim: INTEGER :DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B995110... DDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD4... 73F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5... 6D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F... 2608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F... 265:d=1 hl=2 l= 3 prim: INTEGER :010001

The remaining part was to calculate the SHA1 hash which was the same as the SKI:

openssl dgst -c -sha1 pub.der SHA1(pub.der)= 60:7b:66:1a:45:0d:97:ca:89:50:2f:7d:04:cd:34:a8:ff:fc:fd:4b

The same method was used to verify the SKI of a Root CA using SHA256 as a hashing algorithm.

 http://certificateerror.blogspot.pt/2011/02/how-to-validate-subject-key-identifier.html

In the Cold War period of the 1950s, the CIA installed Radio Free Europe[21] in Glória do Ribatejo, Portugal, and on June 7, 1956, officially formalized the relation by inviting the new PIDE’s director, António Neves Graça, to visit CIA headquarters.[22] Here are two brief examples from a top-secret document with ten articles and several sections and clauses, entitled “Proposed Agreement Between the Policia International e de Defesa do Estado (PIDE) and the Central Intelligence Agency (CIA)”

...

In 1957 one of the prisoners, Humberto de Lima Morais, stated in his affidavit that after being subjected to the statue torture for several days, he had begun to hear a familiar voice at night. Listening more closely, he had been able to discern the words of a dialogue, in which one voice was clearly his mother’s. She was saying: “‘I am alone and I have no one else, please.’ And the deep male voice of an agent, he thought, had replied, ‘It is only for a day or two, madam.’”[19] However, he could be inclined to admit that it may have been a hallucination, due to his weak physical state. The power of memory on our deepest perceptions and desires is paramount, so that each memory of a voice or other sound is always mediated, deferred and transformed, to a point that “we no longer know what we heard and what we think we’d heard.”[20] Nevertheless, based on similar cases and statements, such apparent hallucinations were actually the result of the use of manipulated sound materials, assembled to produce a state of emotional and psychological confusion through indirect listening, characteristic of acousmatic violence, with the aim of breaking and invading the prisoner’s subjectivity and morale.  

 http://quod.lib.umich.edu/m/mp/9460447.0009.101/--acousmatic-and-acoustic-violence-and-torture-in-the-estado?rgn=main;view=fulltext

Psyops targeting Libya on 6877 kHz

What is Number26?

Number26 is a mobile first bank account interface for their own bank account (the actual bank license is provided by Wirecard Bank), which provides a full featured SEPA bank account and a couple of payment cards.
This bank account uses a rather new method to verify that the initiated SEPA transactions were made by the correct owner of the bank account. To do so, the user first has to link their smartphone with the bank account, using information only known to the account holder. Once this initial pairing is done and a payment via the desktop browser is made, a push notification is sent to the mobile phone and the app is asking for confirmation showing this dialog:
Once the user taps on “Release” (“Freigeben” in the German version), the transfer will be approved. The technical details of how that is done are not publicly disclosed by the time of this writing, but my best guess is that something is being cryptographically signed and sent back to the server.
For those not familiar with SEPA transfers I’ll quickly explain the information you have to provide to initiate a money transfer:

• The recipient’s name (just for reference. Validity is never verified)
• The recipient’s IBAN (International Bank Account Number) and BIC (Bank Identifier Code).
• The amount to be transfered
• A payment reference / subject
• The transfer release pin (which is set once by the user when the bank account was set up)

Where is the problem?

The theory

Look at the information you have to provide to initiate a bank transfer and then look at the screenshot above. Usually, common banks™ use SMS to send a TAN (Transaction Number) to the owner of the bank account, stating at least the amount and some sort of recipient info (usually the IBAN) and ask the user to enter the TAN into the desktop browser to finally release the transaction.
This process has been streamlined with Number26. Instead of entering a TAN into the website received by the phone, the user has to release the transaction directly from the app, which opens once you tap on the notification you’ll receive. The app then shows the name of the recipient and the amount as shown in screenshot above. Once released the money is on it’s way to the recipient.
Stop right here… Let it sink in for a second…
So we just learned that common banks™ have their user verify their transactions. This is done by the user comparing the recipient’s info from the SMS with the info they have in their record, such as an invoice. However, with Number26, this verification is completely impossible as the recipient’s IBAN is never shown to the user once he initiates the transfer.

The attack

The attack on the desktop computer is rather simple. An attacker would install a malicious browser plugin or execute a man-in-the-middle attack exploiting computers with pre-installed insecure Certificate Authorities (see SuperFish on IBM or DELL). The attacking proxy or addon then waits for the user to initiate a bank transfer. It then secretly alters the IBAN and BIC in the background when sending the transaction request via the desktop site https://my.number26.de. Since the app does not show the modified IBAN (because it shows no IBAN at all), the user is in best belief that this transaction is legit and taps on release. In a sophisticated attack, the transaction history on the desktop would also be tampered with so the attack might go unnoticed for days.

The temporary workaround

Luckily I was able to keep using my bank account without being vulnerable to this attack. As a workaround, the user would have to create a standing order which executes the payment in the future (Terminüberweisung). After releasing the transaction it is reviewable in the standing order section in their app.

The Fix

After the update distributed on January 5th 2016, transactions have to be released with this new dialog:
The user finally has the possibility to verify the transaction on a separate channel, thus preventing malicious software on their desktop to secretly alter transaction data. An attack to SEPA payment verification now has to be much more sophisticated, i.e. by adding a rootkit to the potential victim’s cellphone.

Conclusion and personal note

What a clusterfail. It gets worse once you read Number26’s security information page. My favourite gem is this:

Partial screenshot of https://number26.eu/security/ taken on 2016-02-05 This states that TAN via SMS should be avoided for mobile banking because the text messages are sent to the same device that is being used for online banking. Number26, do you know that your method of payment release of mobile initiated transactions is just as bad as mTAN? This is the reason why from a security perspective you have to initiate transfers from your dektop instead of from the linked phone exposing you to the vulnerability that I just explained in length.
Fancy new user experience and a high security datacenter will never be able to protect the user if the design is flawed. Flawed? Broken beyond repair!

Communication with Number26

The support chat (a.k.a the bottomless pit)

Communication was always quite one-sided. I reported the issue to multiple support agentsover the course of six months, but all I ever heard was, “I am giving that to the developers”. I never heard back. So I upped the ante and told them that I am going to disclose my findings, when suddenly one support agent asked me to send a mail with the details to them, they will forward this mail to the developers. Success!
For full transparency, this is the email I sent to the developers – as always with no reply coming back. It just went into a black hole. But this time, an update to the app came back. Hooray!

My Mail to the developers

Dear Developers, Dear Product Owner,
after studying your mobile app and transaction release mechanism for a while, I have found a severe design flaw which lead to me coming up with a proof of concept how to unknowingly redirect transactions to unwanted destinations with little to no effort.
I am a big advocate for using responsible disclosure, as putting your customers at risk is neither in my, nor in your interest. However, this design flaw is so apparent, that I am baffled that it is not being actively abused yet.
I will outline the problem for you, so you can take appropriate action to prevent abuse of this flaw after the full release of my findings on Feb-22 2016. I feel it is my responsibility to inform the public about the risks involved and how to minimize them. Should you feel that nothing has to be changed, I’ll be happy to get a mail from you stating so, so I can release my findings earlier.
Here are the details:
When creating a bank transfer via the desktop website on https://my.number26.de, you are asked to enter
* The recipient’s name
* The recipient’s IBAN and BIC
* The amount to be transfered
* A payment reference / subject
* The transfer release pin
In the next step, a push notification is sent to the owner’s smartphone. In my case, it is an android phone. The user is asked to either approve or delete the request. The information provided for this decision is:
* The recipient’s name
* The amount to be transfered
And here lies the severe design flaw. The user does not see the actual IBAN/BIC that has been sent to the server.
In my proof of concept, a browser plugin (which malicious software could install) can secretly alter the recipient’s IBAN and BIC in the HTTPS request so the money gets sent to the bank account of the “evil hacker”. When releasing the transaction on the Android phone, the user has no chance to see that the transaction has been tampered with. Other banks using mTAN verification methods include the recipient’s IBAN and BIC as this information is more crucial than the recipient’s name. They also state in their mTAN terms, that the IBAN in the SMS has to be checked against the IBAN from the invoice document.
Multiple test transfers have shown that with a completely wrong recipient’s name, transfers are still successful. Further, another point of intrusion could be a transparent proxy inbetween. Sure, there is SSL and certificates, but we are seeing manufacturers adding weird CAs to their computers (see superfish), so some computers might be vulnerable to this kind of attack.
I have reported this issue as a regular chat via the customer support half a year ago. Nothing happened since, so I am taking this to the next level. In my full disclosure on Feb-22 2016, I will advise your customers to only create one time standing orders for a date in the future (i.e. tomorrow), so the content of the transfer can be checked with the phone after it has been released, but before it has been executed.
If you have any further questions, don’t hesitate to contact me. Unfortunately according to ***** [your support agent], you do not offer a pgp key for encryption, if someone else should pick up this conversation, I can not be held responsible for any earlier reporting about this issue. Should you use gpg nevertheless, we can upgrade the conversation anytime. Please use https://sks-keyservers.net/pks/lookup?op=vindex&search=0xCADA0055 as encryption key. I will also sign [my mails] with this key. Alternatively, you can call me at +xxxxxxxxxxxxxxxxx
Best Regards,
Christian Hawkins

No Comment

Unfortunately, Number26 was not available to me for a comment, whether or not there is an indication that this vulnerability has already been used.

But worry not…

…your data was always protected. For your amusement, a statement on the security of Number26.

Partial screenshot of https://number26.eu/security/ taken on 2016-02-05    https://metabubble.net/payment-cards-bank-accounts/number26-pushtan-or-when-transaction-verification-is-impossible/

IED ENVELOPE

Triacetone triperoxide (TATP) "Mother of Satan"

Triacetone triperoxide (TATP) is a highly unstable explosive prone to unintended detonation. Yet terrorists, such as those responsible for the March 22 bombings in Brussels and the November 2015 attacks in Paris, are increasingly using the compound to inflict carnage....
Acetone Peroxide is known as "Mother of Satan" because of its instability. This is a primary explosive, normally used as initiators. Storage of this chemical should be done with great care and in a cool, dark, and dry location. It is sensitive to shock, flame, or abrasion.
Materials
Hydrogen Peroxide
Acetone
Sulfuric Acid
Eye Dropper
Graduated Cylinder
Thermometer
Ice
NaCl (Salt)
Method

Add 30 ml acetone and 50 ml hydrogen peroxide into glass container and mix.
Cool the mixture in an ice/salt bath
Cool mixture to 5°C
While stirring, add dropwise 2.5 ml sulfuric acid, making sure temperature stays around 5°C and never above 10°C
Stir for 5 minutes after all the sulfuric acid is added
Cool mixture in some kind of ice bath or box for 12-24 hours.
Filter out the precipitate (white crystals) using paper towels or filter paper
Wash the crystals using small amounts of ice cold water, handling the crystals gently
Allow crystals to dry, store for use in a cool, dry, dark location.
*Note: Acetone peroxide is viable for aproximately 7 days after creation.

Lithium Battery Causing Extreme Fumes When Cut

Fire: AA battery and gum wrapper

X RAY FILM AND SILVER BROMIDE

After researching a bit, I found out that aluminum oxide is used in crystals for instance, missile guidance systems; this kind of crystals are also detemrine by chromium 51, anyway that gave me another clue, which was , this solubles in silver; what silver? its silver radioactive? well, silver 107 might be, than what's silver 107, well its silver bromide; which is an old x ray film; when exposure to light, however, we could say silver 107 becomes activated; what's activated? its that silver bromide on a gelatine base its not only active in light but also have too fast particles; what are fast particles? fast particles are unstable electrons; therefore atomic neutrons; therefore, radioactive; what's the conclusion? the conclusion is, the old film that gives the x ray image is impregnated of radioactive, which is silver bromide (when activated by sunlight)