Everything posted by lolhaxorlol

  1. So the most interesting flash drive fell into my lap the other day (or out of someone's pocket maybe? not sure, it was on the floor) and like any good citizen I plugged it into a laptop that I didn't care about running off a BT4 liveCD with no hard drives mounted (I'm not dumb) with the intent of perhaps identifying the owner and returning it. I didn't find any identifying information on the drive, which was odd since it had transcripts of emails etc. with names redacted, like it was intentionally anonymized or something... Anyway, once I started reading this stuff I couldn't stop. Long story short, it appears to be the property of some Verifone employee who has gone to great lengths to let people know how broken their software is and keeps getting shot down. Maybe I'm interpreting a lot of this the wrong way but it's almost like this person wanted this stuff to make it out. Whether that was the intent or not, it's happening.

     Here's the thing though, I'm guessing about 80% of what's on this drive is Verifone's intellectual property and the other 20% they probably wouldn't be too happy about seeing on the internets. I don't want to violate any of BR's policies either and I'm not sure what the stance is on stuff like this. I'll post, in my own words, what appears to be the original research of this drive's owner and I'll gladly send anything on this drive to anyone who wants copies assuming you have a safe anonymous way to get them to you. I might just start an eepsite or something with all this stuff on it, let me know what you all think I should do and I'll respect your opinions and policies.

     Anyway, on with the stuff I think I'm safe to post here. The docs in here seem to be about 3 products: PC Charge, IP Charge, and PAYware PC. They're all credit card processing apps sold by Verifone (IP Charge seems to be more of a service, very PayPal-esque). There's some good stuff that looks like internal documents, training and such, for IP Charge and PAYware, but the majority of this stuff seems to be about PC Charge. There are docs labeled "capture spec" and "auth spec" for a couple dozen companies which Google tells me are credit card processing companies and various documents outlining how point of sale systems communicate with Verifone's stuff. It's all quite fascinating and I'm sure it could've been RE'd anyway so it's probably safe to post here, but this is me asking nicely before pissing people off.

     The cool stuff though was in its own separate folder; this is where our tech outlines all the security problems found in several versions of the software (there are installers on the drive too for like 4 versions and a zip file that's got what I hope are test accounts - haven't checked if they work, too scared). Here's what was documented:

     * The software apparently has open SQL injection bugs, and apparently that's enough to get the app's certification yanked on the spot - at least according to the tech... Management seems to disagree in some of the emails...
     * The software encrypts most of the data it stores, and everything it encrypts is using the same algorithm and key and the data is never hashed, and the key never changes, ever; it's always the same for every installation of the software. There's a spreadsheet in here that appears to be a rainbow table of expiration dates. It's referenced in one of the emails as a proof of concept that threatens the possibility of such a table being made for card numbers too.
     * The software, apparently, stores its password data encrypted rather than hashed, and uses the same algorithm as it does for everything else. One of the docs shows how you can copy and paste the password field into other database fields and use various menu options and reports to decrypt the password for the root user, who is apparently always named "System".
     * The software stores absolutely everything in an unlocked, unencrypted, unpassworded Access database. The only protection on this thing is that the version of Access they use is so damned old you can't actually do anything with the file in new versions without converting it and making it inaccessible to the app. Of course they circumvent this one and only layer of security by including an old copy of M$ VisData with the app so you can SQL your heart out.
     * Apparently compliance only requires CC data to be encrypted once it reaches a "public" network like the internet, so nothing between this app and a point of sale system is ever encrypted. Everything is sent either via everyday TCP to an arbitrary port or by a method called "file drop" which according to the docs is more common. "File drop" consists of putting all the CC and transaction info into an XML file, copying that file into a shared folder over the network, and then watching for a file that contains the response. Real secure guys, real secure. Technically speaking I think this is supposed to happen on a separate network segment than the free WiFi you give your customers but who wants to place bets on how many small business owners know a subnet from a fishnet?
     * The emails seem to indicate that a lot of large chains use this broken app and do list several scarily big names. Not sure if this forum is the appropriate place to drop such a bombshell so I'll await your response on yet another item.

     There's lots more here. Again, please advise on what would be the best method to send this stuff around, assuming you're all even interested. I'm still digging through a lot of this stuff, and some of it is honestly a bit over my head. Until I can get this stuff spreading, ask questions and I'll see if there's an answer in here for you. I've spent probably two weeks combing this stuff and playing with the software on VMs that are intentionally disconnected from the 'net; there's a ton of stuff here and I'm just beginning to comprehend it all...
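An added illustration of the storage weakness the post describes (this is example code, not anything from the drive, the poster, or Verifone's products): a toy HMAC-based stream cipher stands in for the product's unnamed algorithm and a made-up constant stands in for the key shared by every install. It shows the determinism check an assessor would run, the per-record random nonce that defeats precomputed tables, and salted hashing for passwords instead of reversible encryption.

```python
import hashlib
import hmac
import os

# Constructed demo key; stands in for the one key the post says every install shares.
FIXED_KEY = b"constructed-demo-key"


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (illustration only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_fixed(pt: bytes) -> bytes:
    """The weak pattern: one key, no per-record nonce, so output is fully deterministic.
    Every MM/YY expiry then maps to exactly one ciphertext and a lookup table inverts it."""
    return xor(pt, keystream(FIXED_KEY, b"", len(pt)))


def encrypt_random(pt: bytes, key: bytes = FIXED_KEY) -> bytes:
    """Same toy cipher with a fresh random nonce prepended to each record."""
    nonce = os.urandom(16)
    return nonce + xor(pt, keystream(key, nonce, len(pt)))


def decrypt_random(ct: bytes, key: bytes = FIXED_KEY) -> bytes:
    nonce, body = ct[:16], ct[16:]
    return xor(body, keystream(key, nonce, len(body)))


def is_deterministic(enc, sample: bytes = b"01/25") -> bool:
    """Assessor's check: does the same plaintext always give the same ciphertext?"""
    return enc(sample) == enc(sample)


def hash_password(pw: str, salt: bytes = b"") -> bytes:
    """Passwords belong in a salted one-way hash (PBKDF2 here), never reversible encryption."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def verify_password(pw: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(pw, stored[:16]), stored)
```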
  2. In case the list breaks:
     * All documents from the big package, zipped. This is probably the part you'll all find most interesting.
     * Custom 5.7 build used by Dominos Pizza
     * Client for 5.7.1 isp8c (client speaks to pro or server install over network)
     * Config disk with numerous test accounts, works in all versions posted. Just extract files into the install folder, overwriting files as necessary.
     * Client for 5.8.0
     * Pro 5.7.1 isp9a, minor bugfixes from isp8c
     * Internal use keygen for pre-5.8 versions. Apparently one of the devs has a hard-on for Finnish symphonic rock singers.
     * Pro 5.8.0 Installer
     * Payment Server 5.8.0 Installer
     * Payment Server 5.7.1 isp8c installer
  3. I2P + RapidShare = we all win. It also = I spend FOREVER uploading stuff.
  4. Well, good job calling BS on the story because that's what it is. Problem is I can't tell how I got this data because it would get quite a few people in trouble, myself among them - hence all the I2P, Freenet etc. As for "Heinrich", I rather like that name, maybe I'll keep it. Anyway, I understand the skepticism; the only reason I haven't attached files here yet is because 1) I2P makes it slow as hell and I was hoping it would be unnecessary and 2) I'm not sure what the forum's policies are for something like that. Since this is a throwaway account anyway, what the hell, here's some files. Attached are 2 PDFs outlining the capture and auth specs for TSYS, a rather large CC processing company. You should also find a sample database and log files from an installation of PC Charge 5.7.1 isp8c which I'm assured is the most popular distribution, used by companies like Meineke and Burger King. Dominos uses it too, but they use a custom build that is available in the full sized zip. Enjoy. Oh, btw, those having trouble with the eepsite should add a subscription to http://www.i2p2.i2p/hosts.txt and the file is now available on FreeNet with the key CHK@tLrgMuUaGXK0CjULoDiRdG73poaCjFxroXfyOZncH2o,w4xDL56TzI~rZBbX9MVqni0g9tRFJD59vn5JxSip0uo,AAIC--8/ TSYS db &
  5. I'm working on uploading the file to Freenet; it's over 300MB zipped with all the installers and such included. I'll post the key when it finishes. If you don't want to wait, I've set up an eepsite serving the file also: http://veriphony.i2p I'm hoping someone here uses one or both networks and will help distribute if enough people find it interesting; I just don't want to be the known point of origin. Verifone is a big company with lots of lawyers, and you'd have to be an idiot not to at least fear them a little...