Security Installer Community

cybergibbons

Member
  • Posts

    498
  • Days Won

    7

Everything posted by cybergibbons

  1. Yeah... you look like one of the ones that has very little info in there. But still there.
  2. I'm guessing none of you were contacted to tell you your data might have been leaked?
  3. Fareham and Worthing? Both there. Pentested means penetration testing, i.e. you get someone who knows how to hack to have a crack at your systems. I'd say that even ARCs should be having them done (I've done a few now, and found a lot of problems, most easily fixed), but signalling providers with centralised receiving, like CSL and WebWayOne, should definitely be pentested. The report is about the encryption and general security of the CSL CS2300 signalling units.
  4. Ah, yes, sorry. The User-Agent is one of the factors they use, which is pretty stupid. I meant how come it was showing in search results?
  5. Yes - IMO it still leaks data that it shouldn't. The problem was before it used to send the client all of the data in the background. You couldn't see it in the plain, but it was sent. There's only a few options here: 1. They haven't been pentested. You'd kind of think the biggest signalling provider in the UK would do it. 2. They have been pentested by someone incompetent. If they gave money to the people who developed apprentices4fs.com, this is plausible. 3. They have been pentested and ignored all of the findings. Who knows? FYI, on the 23rd November, the CSL Dualcom CS2300 report is being published.
  6. On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible. http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/ If you would like to know if your company was one of the listed ones, I can check for you.
  7. Can you screenshot it and blank out the IP? Interested to work out why that happened. Surely it's pretty libellous leaving a page up listing someone's IP and saying they are some elite hacker.
  8. They appear to have hidden that and the banned page, probably because they are being ridiculed in several places.
  9. To be honest, if you are using common forum software, and anything custom was developed with a framework, or by a developer with any skill, you won't have these issues. It's actually like they have gone out of their way to make it bad. Happy to have a quick look over your stuff in the future, will need to send over a rules of engagement to legally cover us both. Much better to go into a touch more depth with some active attacks.
  10. I mean, just visit this and read the **** they spout: http://www.apprentices4fs.com/jobboard/cands/jobresults.asp?c=1&bms=1&localstrKeywords=%3Cscript%3E&localdivtypeOfJob=&localdivregion=
  11. It's the worst site I have seen that handles anything more personal than email/password/forum posts. I've seen worse content management systems, but no one else's data has been put at risk. This has been purely observation of normal behaviour on the site. If it was taken to active attacks, god knows what would be found.
  12. They know about the blog post, that's it. I'm not into waiting when security is that bad - users need to be told.
  13. Yes, I won't pass comment on that. No, actually, I will. I think the exploitation of young people in the guise of providing training is terrible.
  14. If any of you use http://www.apprentices4fs.com/, I would advise not using it until they fix the plethora of security issues on their site. http://cybergibbons.com/security-2/terrible-website-security-on-www-apprentices4fs-com/ This is amongst the worst website security I have seen from a company handling others' details.
  15. Has someone stockpiled these? I can't remember the specific IC used, but it's not been made since 1996 or something.
  16. Some of the outputs are pre-set to mirror other signals in the alarm.
  17. 70 downloads

    A presentation about some of the technical aspects of the Visonic PowerG protocol.
  18. The biggest problem by far is the small key compared to the code size, so I've kind of stopped looking into this one.
  19. The same is true for encryption in some wireless systems. The receiver in the panel doesn't have the overhead to deal with a key per detector, so it just uses a single system wide key. That means all detectors, ever, use the same key...
  20. Thanks. With a) it seems that the main issue is that customers could reset the panel when the ARC doesn't want them to. b) I suspect exactly the same algorithm is used in the panel as in the program. I think the algorithm was written for whatever 8-bit processor was used in those days. Might as well show the algorithm used, the only bit of it that needs to be secret is the vector at the top which I have changed. I don't know if you know any programming or python, but it's really simple.

```python
# Taken from the data in the exe
vector = [3,3,5,5,8,1,3,9,8,0,5,9,3,9,4,1,1,0,9,4,3,0,2,2,8,4,3,2,8,4,9,4,1,3,3,3,3,8,5,3,0,2,4,3,2,1,8,9,0,5,4,3,9,5,8,3,9,9,1,0,0,9,9,3,3,8,2,
          1,4,9,1,4,9,2,9,0,9,5,3,9,5,3,3,5,9,1,0,2,9,3,2,1,2,9,8,0,4,9,4,2,3,9,4,0,1,8,5,3,3,9,9,1,0,5,9,3,8,9,4,8,4,2,3,1,0,3,9,4,8,2,0,4,3,3,
          1,0,5,2,8,3,3,5,2,8,3,2,9,5,2,1,2,4,4,3,0,4,2,3,4,1,8,2,9,1,0,5,1,8,2,4,3,5,1,0,3,8,5,3,2,1,1,3,9,3,2,3,5,8,3,9,0,3,2,3,5,3,8,4,0,3,9,
          1,9,3,0,2,9,3,8,1,4,2,8,4,0,1,9,1,0,1,2,1,3,5,3,3,9,0,2,1,4,1,2,3,4,3,4,9,5,3,5,9,3,1,3,9,4,0,3,2,3,3,4,4,2,1]


def generate_reset(quote, version):
    i = 0
    tens = 0
    reset = []

    # One pass of the outer loop per digit of the reset code
    while i <= 4:
        j = 0
        result = 0

        # Sum one table entry per digit of the quote
        while j <= 4:
            offset = (version + tens + quote[j]) % 256
            result = result + vector[offset]
            tens = tens + 10
            j = j + 1

        # Keep only the last decimal digit of the sum
        reset.append(result % 10)
        i = i + 1

    return reset


print(generate_reset(quote=[0, 0, 0, 0, 2], version=131))
```

    Notice that there is no multiplication, division, or anything fancy. The % symbol means "modulus" which most people know as "remainder". So "% 256" means "divide by 256 and give me the remainder". You normally get this for free in a microcontroller - an 8-bit number is limited to 256 values, so it just wraps round anyway. Panel firmware would contain it - in fact, now that I know certain panels have it, I can find the long string of characters called "vector" in some of them. The problem with panel firmware is that it is very hard for me to work out what is data and what is code. In x86 exes, there are normally a lot more hints available to me. I can also easily run an x86 exe and step through the running code to see how it works. With a microcontroller in an alarm, I can't easily do this.
  21. Tunstall are someone who Menvier took over who Cooper took over? If you can point me towards a program to generate them...
  22. Precisely Joe. This is just an easy target to show that.
  23. It's all part of learning. Nothing lost for a few hours work.
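
Posts 19 and 20 above describe the same weakness from two sides: one system-wide key, and one fixed vector that is the only secret. The sketch below is an added example, not code from the original posts or from any panel vendor, showing a reset code computed with a key derived per panel. The master key, panel identifiers and function names are hypothetical.

```python
import hashlib
import hmac


def derive_panel_key(master_key: bytes, panel_id: str) -> bytes:
    """Per-panel key = HMAC-SHA256(master_key, label || panel_id).

    Only the ARC side holds master_key; each panel stores just its own key,
    so reading one panel's firmware does not reveal any other panel's key.
    """
    msg = b"reset-v1|" + panel_id.encode()
    return hmac.new(master_key, msg, hashlib.sha256).digest()


def reset_code(panel_key: bytes, quote: str, digits: int = 5) -> str:
    """Keyed reset code for a quote, cut down to decimal digits (RFC 4226 style)."""
    mac = hmac.new(panel_key, quote.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset, 0..15
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_reset(panel_key: bytes, quote: str, candidate: str) -> bool:
    """Compare an entered code with the expected one in constant time."""
    expected = reset_code(panel_key, quote)
    return hmac.compare_digest(expected.encode(), candidate.encode())


def differing_codes(key_a: bytes, key_b: bytes, quotes) -> int:
    """Count quotes for which two panels expect different reset codes."""
    return sum(reset_code(key_a, q) != reset_code(key_b, q) for q in quotes)


# Constructed demo values, not real keys or panel identifiers.
MASTER_KEY = bytes(range(32))
KEY_A = derive_panel_key(MASTER_KEY, "panel-0001")
KEY_B = derive_panel_key(MASTER_KEY, "panel-0002")
QUOTES = [f"{n:05d}" for n in range(100)]

if __name__ == "__main__":
    code = reset_code(KEY_A, "00002")
    print("panel A accepts its own code:", verify_reset(KEY_A, "00002", code))
    print("quotes where A and B differ:", differing_codes(KEY_A, KEY_B, QUOTES))
```

A five-digit code can still be guessed by trial, so the verifying side also needs a limit on failed attempts.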