Motorola Timbuktu’s Internet Locator Service real-time data exposed to public
We just want to issue a public warning to users of the Motorola/Netopia Timbuktu Remote Control Software who are using the Internet Locator service. This service makes it possible to locate any Timbuktu user just by knowing their email address.
More than five months ago we notified Netopia's customer support (http://blog.wintercore.com/2008/04/26/things-that-shouldnt-be-there/), after discovering a hardcoded user/password pair within SALT.dll.
---------------
v 8.6.5.1373
Dll: SALT.dll
Address: 0x604b83D4
PE section: .rdata
user: xa7z8
pass: e74sa9
url: findme.netopia.com/_REMOVE_THIS_findme/
---------------
By using this information it was possible to access, in real time, hundreds of users' records containing their IP, email, software version and information related to the license.
We have received no reply since then. Five months later, we have found what we would call an "obvious" patch: "if the problem was the user/password, well, let's remove it! Fixed."
Really hilarious.
Now, everyone can access those records without having valid credentials.
Taking into account that there are remote exploits available for that software, that everyone can grab your IP and software version, and that there are emails from government, military and high-profile corporate staff, you had better disable that feature.
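As an added example (not from the original post or from the vendor), here is a release check a vendor could run over its own shipped binaries to catch a login/password pair compiled in next to a service URL, as happened with SALT.dll. The regexes, the 64-byte window and the sample bytes are assumptions, and it scans raw bytes rather than parsing the PE .rdata section.

```python
import re

# Printable-ASCII runs of 4+ bytes, i.e. what `strings` would show for C literals.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Heuristic (assumption): host name followed by a path, with or without a scheme.
ENDPOINT_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}/\S*$", re.I)
# Heuristic (assumption): short token mixing letters and digits, like a generated login.
TOKEN_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{5,16}$", re.I)


def extract_strings(blob):
    """Return (offset, text) for every printable string in the blob."""
    return [(m.start(), m.group().decode("ascii")) for m in STRING_RE.finditer(blob)]


def find_embedded_credentials(blob, window=64):
    """Flag endpoints that have credential-like tokens within `window` bytes."""
    strings = extract_strings(blob)
    findings = []
    for off, text in strings:
        if not ENDPOINT_RE.match(text):
            continue
        tokens = [t for o, t in strings
                  if abs(o - off) <= window and TOKEN_RE.match(t)]
        if tokens:
            findings.append({"endpoint": text, "offset": off, "tokens": tokens})
    return findings


# Constructed sample standing in for a DLL's read-only data; all values invented.
SAMPLE_RDATA = (
    b"kernel32.dll\x00GetProcAddress\x00"
    b"svcuser1\x00\x00\x00\x00p4ssw0rd9\x00\x00\x00"
    b"locator.example.test/lookup/\x00"
    + b"\x00" * 200
    + b"build7a\x00Locator request failed\x00"
)

if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_RDATA):
        print(f"{hit['endpoint']} @ {hit['offset']:#x}: review {hit['tokens']}")
```

A hit means the credential has to be revoked and access checks enforced by the service itself; as the post describes, removing the pair from the client alone left the records open.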
Things that shouldn’t be there
Some days ago we released a security advisory for Realtek (curious note: according to Secunia, it is the first advisory for that vendor), where a piece of code that was originally intended to be used by the engineers only ended up being compiled into the release driver. Obviously, there is no reason to regard this issue as any kind of backdoor, since that makes no sense; it is merely an error. In other cases, the issue is not so clear.
Anyway, the fact is that sometimes, either by error or with obscure intentions, there are "things" that should not be there. Nowadays, these issues pose a real threat.
Not long ago, I was reversing a well-known piece of software widely used within the enterprise environment when I came across one of those "things": a hardcoded user/password pair that grants real-time access to thousands of high-profile emails, their associated IPs and software version, among other things.

Definitely, it's not a good idea to share the kingdom's secrets with any guy with a disassembler.

This is valuable information that can be used in targeted attacks, phishing or even to exploit a flaw in the software. Anyway, we immediately contacted the vendor, so this information leak should be fixed soon.
Have a nice weekend!
Ruben Santamarta.
R&D/Reverse Engineer
Breaking Gmail’s Audio Captcha
A week ago I came across this interesting post at the Websense blog; anyway, I guess everybody is already aware that a bot was spotted breaking Gmail's image captcha. According to the post, the success rate is about 20%, which from a spammer's point of view is really profitable and surely more than enough for their purposes. However, what caught my attention while reviewing the Gmail signup page was the Audio Captcha.
First off, it is worth noting the “cat&dog” Asirra captcha from Microsoft Research. It is a really good captcha that has kept the success rate of those who tried to break it (computer vision gurus) below 60%. Why? I think the problem with most captchas is that they use a complex solution to present very simple challenges: obfuscated, deformed and distorted images representing short alphanumeric sequences. On the other hand, we have the “cat&dog” style captchas, which implement a simple solution to present a really complex challenge for automated agents: are you seeing cats or dogs in this perfectly clean picture? A question too hard to answer if you are not human.
Gmail's Audio Captcha suffers from a similar error. It is a wav file embedded within the webpage; once loaded, it plays a limited series of numbers. Twice. Btw, I don’t understand why that alphanumeric obsession... Anyway, let's begin. In this post I am going to show how that captcha can be broken just by using Fourier analysis.
You should play the captcha before continuing. Look for this image within the signup page.
The first obvious error is the use of fixed patterns that clearly identify where the sequence begins and where it ends.
We can listen to the numbers; in the background there are distorted voices. Taking into account that human beings are visual entities (this is why everybody can spot Wally in a crowded place but only trained individuals can distinguish a distorted tone while an orchestra is playing), my question was: “If you are still capable of easily distinguishing the numbers played in the captcha, why couldn’t an automated agent do so?”
So let’s try to find out the answer by taking a look at the waveform of a random Gmail audio captcha.
