To get started, this talk is about theft of service attacks and subscription service vulnerabilities. This talk is going to be a little bit different than other talks, which normally focus on system exploits. The exploits I'm talking about today are going to be more of an annoyance kind of attack. And also, the attacks try not to cross the line into actual legal fraud. Some of them do, but most of them try not to. Most of them just use the holes that are in the applications hosted on websites. A lot of them are developed custom in-house, and they don't go through a lot of testing. And there are a lot of simple things that just seem to work with a lot of different websites out there.

A little bit about myself: my name is Rob Sheehy. I'm with Zentec Consulting. An update of all the slides is available at zentec.com/defcon11/TOS.

Now, what are theft of service attacks? They're an application-level attack. The attacker gains increased access to some limited resource. Usually, it's something that you would pay for. It's an opportunistic attack. It's really hard to scan for sites that are vulnerable to these types of things. It might be something you almost stumble across and just find out a site is vulnerable to. And the attacks typically do not result in administrator access. It just gets you a little bit of elevated privilege or bypasses some restriction, but you don't actually own the system.

Now, some example targets for theft of service attacks would be software registrations and downloads, adult web hosting sites, web hosting accounts, proxy and anonymity services, dial-up internet services, email and Usenet services, shell accounts, financial news services, and even domain name registrations. All different kinds of companies are vulnerable to the attacks I'm gonna be talking about. Some more examples are hacker conventions and hotels that host hacker conventions.
And so we made fake badges. And you can actually get the image for it at ftp://zentec.com/pub. Everyone who sees this should have a legitimate badge, so I don't think there's any harm in letting you guys know about it. We spent about 20 bucks at Kinko's and about an hour and got that done. We actually did this last year too, and it was actually harder last year, because if you try and scan in pressed aluminum, it's hard to print something out that's shiny. So it didn't work, but we were able to do it with the speaker badges because they were green, and we were able to walk around with those on top of our real badges and no one ever questioned us.

So we also hacked and got a free registration for DEF CON from someone who didn't have to pay. He avoided the common route. He did not go through user registration. He social engineered the speaker registration. He had no notice, nobody knew. They just thought it was me for the talk, and he just went in and said, hey, I'm here for the theft of service attack talk, and they just gave him a badge, and no one ever even asked me if he had anything to do with it. Actually, I walked into the speaker area with the fake badge on, and when I said I was going up to get a speaker badge, a goon said, you're going up to get a speaker badge? Yeah, let me see the badge you've got on. And I showed it to him and he said, it's a fake badge, because I'm in the theft of service talk. And he said, go ahead.

So besides hacking the convention, you can also hack the hotel that hosts the convention. If you have a hotel room here, you can actually get cheaper internet access if your room actually has internet. The way it works is you send out any internet request through port 80, it gets redirected to this IP address, and the user is presented with two options where you can get either a public or a private IP address, and you pay either 10 bucks or 11 bucks.
Well, if you go and view the source of that form, all it has is a couple of options, and value equals one for the first one and value equals four for the other. And so I started playing around with the values, just hey, let's see what happens if I submit other values. And I only got a little bit through it, because as it starts to charge you, I mean, you can't really go through and try and find the other ones and know if it really works. But this is what I found out; two and three can be homework for you guys. If you actually go through option six, you only pay 295. The access is slower, but it's an option that's available; they just don't present it to you. So all you have to do is actually view the source, change the option to whatever you're going to select, and then save the HTML file on your desktop, make sure all your browsers are closed, and then just open up that file that you saved with the edited option and just say I wanna connect, and if it's option six, it'll do 295. I have a sneaking suspicion three is gonna be a private IP address and might just be 195. And the speed is just fine if you wanna check your email and not have to pay 10 bucks every day.

Now, who are the attackers that perform these types of attacks? It could be a technically savvy customer of some service. A competitor might try and do something to mess up somebody else's system. Email spammers will try and get free accounts so that they can spread out their email. Anyone looking for a better deal: say you're searching around for services and someone just happens to be vulnerable to something where you pay the normal price but get something better than what everyone else does; you're probably gonna pay for that service. A legitimate customer's friend, this would be for account sharing types of attacks. Script kiddies worldwide, and of course my friend Bobcat; they're the attackers too.

What's stolen?
This is kind of similar to what kind of services: web hosting, DNS registration fees, and of course software downloads. Anything that's not physical, the security seems to be a lot more lax.

Now, subscription-based systems seem to be especially vulnerable, because they're left up unattended. Nobody's really watching them. They set them up so that it just runs, people sign up, they do what they're gonna do, and they just get their money at the end of the day. Usually they're set up kind of quick. They want to get it up and running, because the subscription service is the company's only form of income, so they want to get it up and running as quickly as possible, so they may not pay the attention to security detail that they really should. A lot of these attacks are really, really simple, I mean script-kiddie-ish, but it's amazing how many sites out there are vulnerable to them. Okay, and some of the problems may be that the service can't fix the problem because they're using a third-party shopping cart, or the application was developed by a consultant who's no longer there and all the code they wrote is uncommented and no one can make heads or tails out of it. So they just have to live with it.

Now here's a list of common security holes used for theft of service attacks. I'm gonna go through all of these. Instant account creation vulnerabilities; there are a lot of those. If you see something like instant access, instant activation, chances are likely you can instantly nail them and get whatever it is for free. Subscription data in HTML forms, another big mistake a lot of places make. Authentication data that's stored in cookies. PayPal payments. Then there are also application server or operating system specific vulnerabilities. Those could be used for theft of service attacks, but that's for some other talk. And there are also business process exploits, where you just take advantage of how they do business, how their customer service works.
Sometimes you may even know someone on the inside. There's also copy protection circumvention: getting software for free, or getting a serial number to register something using someone else's serial number. And abuses of a legitimate account. So you have an account you've really paid for, and you just do something that you know, or think and assume, that the owners of the system would not want you to do. But you paid your money, you have your access, it's legitimate, and you're able to do some fun stuff because of it. There are also ways of bypassing the billing systems, and you can also sometimes make user-defined changes to the subscription terms.

Now, sometimes the way some of these attacks will be obscured is by putting orders in, signing up for things, during a holiday weekend. If there is any human review, they might miss it, because they just came back from a long weekend, they're not happy to be at work. They just want to get all these things done. They're not gonna want to spend a lot of time on it, and you can use that to your advantage. Another thing that'll happen is people will use a valid price for something else. So say there's a basic subscription that's five bucks and a premium that's 20. Well, they signed up for the premium, but it's at the basic price. If someone's just looking in their accounting records, they'll see the basic price, and it just blends in with all the other valid transactions. They really have to look at it closely to see it, and thus the attack is obscured.

Now, for copy protection circumvention, that's really easy. You can go to those websites listed above; there are search engines for serial numbers and cracks. You can also go on to Usenet, and things are posted regularly, and there are a few of the more popular groups to get things. I'm not gonna linger on that. Gonna move on to abuses of a legitimate account.
Now, when you sign up for a new account, you'd be amazed how many places will let you choose your own login and password, and you can choose "login" and "password" as your login and password. That makes it real easy to share your account too, because you can say, oh hey, I've got this account on the system. It could be a valid account; you're really paying for it. The login is "login" and the password is "password"; go have fun. I don't care. And of course it also allows for anonymous sharing, because anyone who comes into a system can just type in "login" and "password" if they wanna try it, and it'll work. I've signed up for accounts myself where my login is "login" and my password is "password," and I've actually found other systems where, oh, "login" was already taken, and they chose "password."

Another way to abuse a legitimate account, again, is having multiple people share it, although if the provider chooses, it's really easy to detect. If they try, I mean, there are gonna be multiple connections from multiple IP addresses. The more people that are using an account, the easier it's gonna be to tell. Account sharing is less likely to occur, though, if the system exposes things like your credit card data, address, things like that. If I see a system exposes my address, who I am and whatever, I'm really not gonna want "login" and "password" as my login and password, because I really don't want that information that open. But if the account doesn't expose anything, if the account is simply a "you have access or you don't have access," fine. "Login" and "password" will work just fine. And also you can share it with anybody else; it doesn't matter.

Then there's also bypassing the billing system. You can use cookie poisoning to alter your cookie if they're using cookies to identify the user, and you can actually assume the identity of a subscriber. You can take a look at what cookies you have and edit them with a program called Cookie Editor that's pretty good.
And you can edit cookies in memory using a program called WinHack. So of course this is all under Windows. Lynx has some support for that, but I'm not going to go into that too much. I've got a little bit about Lynx later on.

Another way to bypass the billing system is taking advantage of free trial accounts that are available. They're open to usually repeated abuse, because you sign up with a credit card that gives you some type of limited access, and then you can just cancel before it expires. If you have another credit card, you can sign up again for another trial account. It's real easy to cancel your credit card and just get a new one. The banks are really happy to do it, and usually the two or three dollar fee for doing that is cheaper than the monthly subscription to an account. They also try to limit it with email addresses, so that they want a unique email address. Well, getting new email addresses is not hard. Using credit cards and email addresses to qualify a new user as unique and never been here before is not very good. It's just too easy to get new credit card numbers and new email addresses. Anything free can be abused. If they're giving you free access, that's another good indicator that you can do something with it.

Then there are also application-specific attacks. This is something you would find more on a system that you actually use, that you find useful, and you just start playing around with things. You might throw garbage in somewhere and see what you can do. Maybe do some kind of obscure things when you're in the sign-up process and bypass the billing or alter the billing so you get a better price.
The front end, when you sign up for an account initially, might be very well tested and may actually be secure, but then you can cancel your account or upgrade your account, and the scripts that do the upgrade and cancellation may not be as well tested, and there may be some vulnerabilities in there that they don't know about, with some of the methods I'm gonna talk about a little later on.

There are subscription-specific attacks. These types of things work where you are subscribing for some term. Again, I talked about signing up for a premium account at a basic price, a yearly account at a monthly price, and a combination of the two can be really bad. You get a premium account for one month at five bucks, but it's really a year-long premium account that they might be charging 200 bucks for. Spammers would love that. Porn sites would love that. They can throw something up. I mean, it's something people really could make money off of if they really decided to.

Again, there's attacking the resubscription process. Another thing I found is that sometimes the user data in their database will get corrupted on certain sites, and some of them actually have user verification pages, and the user verification pages actually recreate the account for you, sometimes just using something like a transaction ID or some kind of account ID that you used when you signed up. One example I can think of, although I'm not going to name names, is a site where they had a daily download limit and they had a verification page. The verification page linked a user ID and password to a valid subscription. While they had a daily download limit, you could get around that by going to the verification page and just choosing a brand new username and password when you verified your subscription ID, and that new ID had a brand new download limit.

Then there are also HTML form alteration attacks.
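The verification-page problem above comes down to the quota being tied to the username instead of to the thing that was paid for. The following is an added example, not code from the talk or from any site it describes; all names (SubscriptionStore, try_download, the transaction ID format) are hypothetical. It keys the daily download count to the subscription/transaction ID, so re-verifying the same subscription under a new login draws from the same bucket:

```python
"""Added example (not from the talk): a download-quota store that keys the
daily limit to the paid subscription/transaction ID rather than to the
username, so a "verification" page that creates a fresh login does not
hand out a fresh quota. All names and limits here are hypothetical."""
from dataclasses import dataclass, field
from datetime import date

DAILY_LIMIT = 5  # constructed sample limit


@dataclass
class SubscriptionStore:
    # subscription_id -> set of usernames bound to it
    logins: dict = field(default_factory=dict)
    # (subscription_id, day) -> downloads used so far
    usage: dict = field(default_factory=dict)

    def verify_and_bind(self, subscription_id, username):
        """Re-verification may add a login, but it never creates a new quota bucket."""
        self.logins.setdefault(subscription_id, set()).add(username)

    def subscription_for(self, username):
        for sub, names in self.logins.items():
            if username in names:
                return sub
        raise KeyError("unknown login")

    def try_download(self, username, today=None):
        """Consume one download from the subscription's daily bucket, not the user's."""
        today = today or date.today()
        key = (self.subscription_for(username), today)
        used = self.usage.get(key, 0)
        if used >= DAILY_LIMIT:
            return False
        self.usage[key] = used + 1
        return True


def demo():
    """Exhaust the quota as one login, then re-verify with a new login."""
    store = SubscriptionStore()
    day = date(2003, 8, 1)  # constructed date
    store.verify_and_bind("txn-0001", "alice")
    for _ in range(DAILY_LIMIT):
        assert store.try_download("alice", day)
    first_exhausted = not store.try_download("alice", day)
    # The pattern from the talk: re-verify the same transaction with a new login.
    store.verify_and_bind("txn-0001", "alice2")
    second_blocked = not store.try_download("alice2", day)
    return first_exhausted, second_blocked


if __name__ == "__main__":
    print(demo())
```

The check that matters is in try_download: the bucket key is (subscription, day), so the verification page can mint as many logins as it likes without changing how many downloads the paid subscription gets.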
This is similar to, actually this is exactly what you would do for the Alexis Park to get cheaper internet access. For GET forms, it's really easy, because all the parameters are in the URL. You can see it right there. I mean, they throw it right in your face. It's kind of hard not to see these things when they do it. With POST forms, though, you actually have to view the source and take a look at things. Now, they'll have parameters that are input HTML tags of type hidden (the quote character is optional), and down at the bottom is an example of what that would look like. An input tag of type hidden will have a name and then a value. Nothing stops you, since you have the source, from changing those values, saving them, opening the form in the browser, and then submitting the page. The one thing that you might run into is that forms have an action attribute, and that's where the form data is gonna be submitted to, some script on their site. Sometimes they don't have the full URL in the action. They only have a local path, and if you're loading it off your hard drive, it's gonna try and submit it to your hard drive, so you would also have to edit the action to include the URL if it's not there. But that's very trivial.

Sometimes the way that they'll validate that the form is legitimate is they will use the HTTP referer to verify that this form was retrieved from and submitted from whatever the domain was, acmeink.com, whatever. So the form is submitted, and the script that gets it just checks the referer to make sure that the referer is an accepted domain, one of the domains that they own. This is very easy to defeat. It's very trivial. Depending upon how the setup is, you don't even need to do very much editing to defeat the HTTP referer check. And also, they usually will not automatically disqualify an order because the HTTP referer is wrong.
Usually what happens is it flags whatever order it is for more human review, because just because the referer is wrong does not automatically mean the order is fraudulent, and companies are not gonna wanna throw away valid orders, legitimate things. They're gonna wanna take a look at it.

Now here are a couple of methods for faking the HTTP referer. You would place the edited HTML form onto a web server. This could be a server you have out on the internet, some host somewhere, some free website. Something you have full control of is actually the easiest. If you have your own local server, that's fine. Apache is free. You can use Microsoft's Personal Web Server. Just anything that'll let you type in a domain name and go to the website. You change your hosts file so that the domain name, www.acmeink.com, goes to that website, or if it's your local host, it goes to 127.0.0.1, so that when you actually type that web address into your browser, it goes and hits that other page. You load that URL, then you remove the hosts file entry, and you either wait for the DNS cache to expire or you can flush it manually, because that entry is no longer in there when you're submitting the form to the same site. Although the site now has a new IP address, that's not reflected in the HTTP referer. It only has the domain name, and it thinks the domain name is valid, so that's very easy to do. The hardest part is flushing the DNS cache, which is just a command line option.

The location of the hosts file is different depending upon what platform you're using. I'm not sure what it is for Macintosh or OS X. I would assume OS X is /etc/hosts, but in Unix it's /etc/hosts; in Windows 95, 98, whatever, it's in the Windows directory; and in the Windows NT series, 2000, XP, it's in Windows\system32\drivers\etc. And of course Windows would be replaced with whatever your system directory is. A fake entry in your hosts file would look exactly like the entry below.
This would be for localhost, and it would be fakerefer.com. So if you typed in fakerefer.com, your browser is going to send a web request to your local machine.

The second method of faking is similar to the first one, but it uses the proxy support. You edit the hosts file the same as you do in method one, and then you load the altered page, but then instead of flushing the DNS cache, you can just go enter in information for a proxy, maybe even a secure proxy, and then submit the form. When you submit the form with the proxy, the DNS resolution is actually done by the proxy. You say you want acmeink.com, the form is going to be submitted to them, that information is sent to the proxy, and it resolves it and actually sends it. You actually don't have to remove the entry from the hosts file, because that's no longer being used when you turn the proxy on.

Now, the other way of doing that: sometimes they'll use a third-party cart for their order processing, and that actually makes it easier, because you can edit the hosts file to reflect that your local machine is that site. You then can go submit the form, and it's going to a third-party site. The fact that the entry for the original merchant is still in the hosts file doesn't matter, because you're going somewhere else. If that third-party shopping cart is checking the HTTP referer to make sure that the customer ID and domain actually match and are a valid pair, it will look like a valid pair. They won't be able to tell the difference, and again, you don't have to remove the entry from the hosts file to complete the attack.

Now there's also another method of attacking third-party shopping carts. You can actually place an order for an inexpensive item. You then go and start checkout and go and pay for that item. It's a valid transaction.
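The form alteration and referer sections above both describe the same server-side mistake: a value the client can edit (a hidden price or option field) or forge (the Referer header) is treated as authoritative. The following is an added example, not code from the talk or from any merchant it describes; the catalogue, host names and function names are constructed. It shows a handler that looks the option up in a server-side catalogue, takes the price from there rather than from the form, and treats a bad referer only as a review flag, which is how the talk says most sites already handle it:

```python
"""Added example (not from the talk): a checkout handler that never trusts
price, plan or term fields from the submitted form. It looks them up
server-side by catalogue ID and treats an unexpected Referer only as a
review flag, never as the sole control. Catalogue and hosts are constructed."""
from urllib.parse import urlsplit

# Constructed catalogue: the only source of truth for price and term.
# Options not listed here are not for sale, whatever the form says.
CATALOG = {
    "1": {"desc": "public IP, full speed", "price_cents": 1000, "term_days": 1},
    "4": {"desc": "private IP, full speed", "price_cents": 1100, "term_days": 1},
}
TRUSTED_HOSTS = {"www.acmeink.com", "acmeink.com"}  # constructed example domain


class RejectedOrder(Exception):
    """Raised when the submitted option does not exist in the catalogue."""


def process_order(form, headers):
    """Return the order the server will actually bill.

    form:    dict of submitted form fields (client-controlled)
    headers: dict of request headers (also client-controlled)
    """
    option = form.get("option")
    if option not in CATALOG:
        # An option that was never offered means the form was edited.
        raise RejectedOrder(f"unknown option {option!r}")
    item = CATALOG[option]
    order = {
        "option": option,
        "price_cents": item["price_cents"],  # from the catalogue, not the form
        "term_days": item["term_days"],      # likewise
        "review_flags": [],
    }
    # A client-supplied price is at best informational; a mismatch is worth a look.
    if "price" in form and form["price"] != str(item["price_cents"]):
        order["review_flags"].append("client price mismatch")
    # The Referer is trivially forged (hosts file, proxy), so it only adds a flag.
    ref_host = urlsplit(headers.get("Referer", "")).hostname
    if ref_host not in TRUSTED_HOSTS:
        order["review_flags"].append("unexpected referer")
    return order


if __name__ == "__main__":
    print(process_order({"option": "1", "price": "295"},
                        {"Referer": "http://fakerefer.com/form.html"}))
```

With this shape, editing the hidden price changes nothing about what is billed, and an option value outside the catalogue is rejected rather than silently honoured; the flags go to the human review queue the talk describes.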
You give them all your information and so on, and then while you're in that window filling out all your information, that cart information is still on the merchant server while you're on the credit card processing vendor's server filling out the information. You can actually open up another window, go back to the vendor's site, and start adding items to your cart. The bill processing system is not going to know that the total price has changed. It's going to go through and give you the verification and just charge your credit card that small amount, and when the transfer was successful, because you used a valid credit card and everything's legit, it sends an ID, a message back to the merchant saying, oh, by the way, cart so-and-so was paid for, and that's all it says. The fact that there are new items in the cart, the system doesn't know. So it thinks you paid for a lot more than you actually did. A lot of times it'll even say cart ID is paid for, and the system will assume that the valid amount was paid. It doesn't do any checks to see how much was actually paid. It just trusts that, oh yeah, I know the system, it told me it was paid. It was paid. Even if they have checked the authenticity of the message, they sign it with a public key, that's going to be valid, because the message really is valid. There's nothing fraudulent about the actual transaction. You really are giving them money. They're just going to send you more stuff or give you more things because of it.

And doing a combination of these attacks can really result in some really neat access. Again, changing a subscription period from monthly to yearly or even beyond, and then changing the price of it. The price is for a premium account, but it looks like it's a basic price. Again, the transactions look normal just by casual inspection. Most people aren't going to be looking for these types of things.
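The cart-after-checkout attack above works because the merchant fulfils on "cart X was paid" without comparing the amount paid to what the cart now contains. The following is an added example, not code from the talk or from any cart product it mentions; the cart, notification format and function names are constructed. It snapshots the total when checkout begins and refuses to fulfil unless the processor's reported amount matches both that snapshot and the cart's current total:

```python
"""Added example (not from the talk): reconcile a payment processor's
"cart X was paid" notification against the cart before fulfilling, so
items added after checkout started are not delivered for free.
Cart and notification formats are constructed for this example."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cart:
    cart_id: str
    items: dict = field(default_factory=dict)   # sku -> price in cents
    locked_total: Optional[int] = None           # snapshot taken at checkout start

    def total(self):
        return sum(self.items.values())


def begin_checkout(cart):
    """Record what the customer is about to pay for; returns the amount to charge."""
    cart.locked_total = cart.total()
    return cart.locked_total


def handle_payment_notification(cart, note):
    """Decide whether to fulfil.

    note is the processor's callback, assumed here to carry at least
    cart_id and amount_cents (signature verification is out of scope and
    is assumed to have happened already; as the talk notes, a genuine
    signature says nothing about what the cart contains now).
    Returns (fulfil: bool, reason: str).
    """
    if note["cart_id"] != cart.cart_id:
        return False, "cart id mismatch"
    if cart.locked_total is None:
        return False, "checkout never started for this cart"
    if note["amount_cents"] != cart.locked_total:
        return False, f"paid {note['amount_cents']}, expected {cart.locked_total}"
    if cart.total() != cart.locked_total:
        # The cart changed between checkout start and payment: the customer
        # paid for the snapshot, not for what is in the cart now.
        return False, f"cart changed after checkout: now {cart.total()}"
    return True, "ok"


def demo():
    """Walk through the talk's scenario: pay for a cheap item, then add more."""
    cart = Cart("cart-42", {"cheap-item": 500})
    charged = begin_checkout(cart)
    cart.items["premium-hosting-year"] = 20000   # added in a second window
    note = {"cart_id": "cart-42", "amount_cents": charged}  # constructed callback
    return handle_payment_notification(cart, note)


if __name__ == "__main__":
    print(demo())
```

Either of the last two checks alone would catch this particular trick; keeping both also catches a processor reporting a short payment, and a cart that was emptied and refilled with pricier items at the same total is still covered if the fulfilment step works from the snapshot's item list rather than from the live cart.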
If they were looking for these types of things and knew these holes were out there, they'd probably fix them so that you couldn't do it. And with these types of things, again, it comes down to obscuring the attack. If you just put the order in for web hosting for a penny, that's going to stick out as unusual even on a casual glance. So using the same prices that they have for other services helps obscure the attack.

Now, sometimes you want to submit forms, and if you want to do that with GET, again, it's all in the URL, so you can change the variables there. But if you want to submit it using a command line, you can use Lynx and echo to do this. Lynx and echo are both ported to Windows and Unix, so you could run this anywhere. There's the format for all the form variables that you would pass. And again, we're going to be passing an email, a username, a password, a password confirm, and then a submit. You put that in there, pipe that to Lynx with the -post_data parameter and the URL that it's supposed to go to, and that site will process it. So the example I was talking about before, with the download limit problem, you could write a script that would take advantage of that vulnerability by changing your user account every so often, say via a cron job, and then just using this command line to submit the data every time you wanted it changed.

Now, there's a site that used to be around called IT Knowledge. They were a bookstore. They had an online library of books. They offered a 14-day trial, and all you needed was a credit card to sign up for the free 14-day trial, similar to Safari, O'Reilly's Safari service. They had a really unsuccessful attempt to stop offline archiving via cookies. Wget wouldn't work, because you had to log in and it gave you a cookie.
It was a little difficult to get Wget to do that, but that was actually easily defeated with another program I'm gonna talk about called Offline Explorer, which is included on the DEF CON CD for this presentation. The subscribers to the service received complete access to the library. So during the 14-day trial, you could just archive everything. You have your own copy of it.

Now, I signed up for one of those 14-day trials and thought that was pretty neat, but I didn't actually keep the account. Then, a while later, I got another email saying, hey, we want you to have another 14-day trial. We wanna try and get you back. And they sent an email offering another sign-up for another trial, and the way they set it up was really bad. There was no credit card required for the second sign-up. And the second 14-day trial never expired. I don't think that was their intent. And IT Knowledge went out of business, and I can probably see why. They were giving away everything for free. IT Knowledge was owned by EarthWeb, who I believe is still around. Users had access to the entire library for free, and normal access costs 295. They sent me the email message for the second free account. I said, sure, I'll take it. And it just never expired. It was good until they went out of business. They never asked me for money. I never gave them any money. And this is IT Knowledge now: their important notice to their customers that they discontinued service.

Now, what can we learn from this? That resubscription and customer retention programs are also vulnerable to theft of service attacks. They created their own vulnerability. They were opening up the doors to everybody. Accounts should be regularly audited to detect irregularities. If they had looked for accounts that no one was paying for, or even tried to track down the accounts that people had signed up for using this new 14-day trial, they would have found this, but they never bothered.
And that's probably part of the reason why they went out of business, especially since they sent all this information to customers who most likely had signed up before and might actually be willing to pay that expense or have their employers pay that expense. They eliminated the need for them to go to their employers and ask them to pay it, or even to pay it themselves, because they just gave out free access.

Now, O'Reilly kind of has the same problem, and I'm gonna tell you how to do a theft of service attack against O'Reilly's Safari Bookshelf. They try to enforce a no-offline-archiving policy, but they do a lot better job than IT Knowledge did. I actually had to try some things to figure out how to actually take an offline copy of their books. Now, the reason why I actually wanted to do this is because I give O'Reilly a lot of money. I have a bookshelf full of O'Reilly books, but it's sometimes useful to have a digital copy that you can just search through digitally, even if it's just to locate which of several books might be the best source for such-and-such information. And I've used that just to pick out which book I wanna bring with me when I go to visit a client's site, because it seems like I might need it.

Now, they do try and detect if you're trying to download the books that you're viewing. And after three strikes, they lock out your account. They limit you to one login session at a time. If you try and log in, even if you have two browsers on the system, say you have Netscape and Explorer, or you open up another Explorer window, when you log in a second time, you'll get a message on both sessions saying that they both expired, and you'll have to log in again. They restrict the access on the book library instead of giving you access to everything. They only give you access to however many books you pay for. In the free trial, it's 10 books, or 10 slots. If you do get your account locked out,
this is the message you get: "Your Safari account has been locked as a result of excessive activity." And they say if you wanna have your account unlocked, just send them an email and they'll do it. When I got this message, I actually asked them to do it. They did unlock the account. And this was a valid account that I was paying for. This was not on the 14-day trial or anything. But my account got locked and I asked them to unlock it. I had just been billed for it not too long before, and it took them about three weeks to respond. They unlocked the account, but just so that they could bill me the next day, it seemed. And I didn't think that was very nice.

Now, when you sign up for their service and you pick a book, because you only have a certain number that you can view, you have to keep the book on the bookshelf for 30 days. And that is actually a limitation, because the day you sign up, you may not know which books you wanna view. So it actually makes sense to just have the account for a month and then cancel it, and then at the end of the month sign up for a new account, and it has a brand new set of slots that are all open and available for use immediately. If you're reusing a credit card, you won't get the free trial, but again, all the bookshelf slots are open. And if you do use a new card with a new number, even if it's on the same credit card account, you just got a new card, you get a new 14-day trial. So using that, you can do free trial account abuse: get a new email address, because they use the email address as your login, sign up for a 14-day trial, pick the books you want. You've got 14 days, although for archiving, if you wanna archive 10 books, it's a slow process. And then just make an offline copy of the books you want and then cancel the credit card. You'll have a new number.
You'll be able to sign up for a new credit card account, and you have an offline copy of the books that you already have hard copies of, of course.

So Offline Explorer is created by MetaProducts. You can get it from metaproducts.com, and it is also included on the CD; I included version 2.8.1220. The demo version is usable. I tried doing this with Wget, didn't have that much success. So I kind of gave up, because I knew Offline Explorer is more suited for this kind of task. It is a Windows-only program, so you need to use Windows for this. When I set it up to archive the book, I set it up using just one connection. It can go up to, I think, 10 connections going out grabbing different files real fast. If you really wanna archive a website, it will do a good job really fast. But I set it up with just one connection, 45-second delay between retrieves, because O'Reilly doesn't like you getting a lot of stuff real fast. That's gonna set off the alarms real quick. And if you want to filter it so that you only get a single book, you can actually use the ISBN number as a filename filter, because all the parts of the book are going to have the ISBN number in them. So if you just wanna get a single book in the bookshelf, you just add that ISBN number, and you'll just get that book when you go through the download. And you also wanna add the images filter so that you get all the graphics and the book covers and so on.

Now, you have it scheduled to run every hour and a half, two hours, whatever, and it runs for nine minutes. There are options in Offline Explorer that let you do that. So it's scheduled to run. There's an option that says stop downloading if you've received so many files, or if you've run so many minutes, or if it's grown to so much size. You use the option for how many minutes, set it to nine, and then you schedule the job to run every two hours. So it'll run for nine minutes, really slow, grabbing stuff, stop, and then start up again.
So you can just set this up, go to sleep and come back. If you're doing a whole bookshelf this way, it's going to take a while, but it's not going to set off the alarms. And if it does set off the alarms and lock you out, there's a way to clear out only the bad pages and take advantage of that. You also want to make sure that you set your identifier so that you're using a valid browser. If you tell O'Reilly that you're spidering and trying to grab it, they instantly lock you out. It'll definitely lock you out. The URL there is actually the front page of the bookshelf. Now you can choose how many levels deep you want to grab. If you only want to grab a little bit, you can just grab level zero, which is just that bookshelf page with the list of all the books. If you go to level one, you're going to get the table of contents for all the books. At a level limit of one, you're probably going to get maybe 20 to 30 pages, depending upon what books you have selected on a 10-book bookshelf limit. At a level limit of two, you get all the pages. And at a level limit of three, you get all the index pages. When you get to a level limit of three, that's when you really start to have to download a lot, and you would really need to have this program run for a while to successfully get everything at a level three run. But you could start out and just do, say, a level one run to get everything initially, and from there on maybe add a filter to get just one book at a time, whatever you specifically want, and then do a level two run of that one to fill in the holes. Okay, I've got a little conflicting information here: stop downloading after seven minutes. Another thing: do not download existing files. That way, when it starts up again on reschedule, it will parse the HTML files it's already downloaded to grab the new links that it needs to add to its queue. You can also put in your login and password.
There's a configuration option in Offline Explorer where you can put that in. You have to log in manually first before you start it, though. There is a browser window in Offline Explorer, so you can hit the O'Reilly site and just log in. And again, if you log in from another machine while Offline Explorer is going, you're going to kill Offline Explorer, and from then on it's only going to be grabbing preview pages instead of the full pages of the book. Here are some excluded keywords and included keywords I used. These are just parts of the URL. It helps filter things out so you don't grab a lot of excess stuff that you don't need. If you want to delete the pages that have errors, you simply search for all the files that contain "this is only a preview" or "session disabled" and delete them. You then start up Offline Explorer again. It's going to parse the HTML files, and if you're logged in correctly, it's then going to get those pages in the full version, and it's not going to have to re-download the successfully downloaded pages. O'Reilly could actually get around this pretty easily just by putting those strings in a comment in every single page. I have a feeling they'll probably do that, but there are still other ways to get rid of the preview pages. You just use a bigger search string to get around that. When I did this, one time I downloaded 600 files in just under three hours, maybe two hours and 56 minutes, and I got a warning message. So you do have to go pretty slowly, and you don't want to get a lot of these error messages. It seems that after you start getting these messages, the threshold for the next one is lower. So you really don't even want to get that first one. Otherwise it just makes offline archiving that much more difficult.

Now, basically this is because the idea of digital rights management is really unenforceable. I mean, they can't let you see it and not let you keep a copy of it.
You can do it automated, and that's pretty much what we're doing. Digital rights management conflicts with ease of use too, because as you're using this system, if you try to log in through two browsers, or you're at your home machine and work machine, things start to get logged out and it can create a lot of problems for you. So when they're putting in all these limits on what you can do, it actually makes ease of use harder.

Now, another theft of service attack, and this is kind of lame, is eBay seller fee avoidance. Basically, after you sell an item, you have to pay eBay a percentage. You can fill out a non-paying bidder form, and it seems to be an automated process where it just sends the bidder a message saying, oh, was this really a non-paying thing? Did you guys agree not to go through with the deal? And if the user doesn't respond, then it's all good. The seller can get the buyer to agree to it and not turn them in, just by maybe splitting the cost of it. I don't know if anyone does this, but this is again another theft of service type attack.

Now, PayPal was a lot of fun. A lot of places have started taking PayPal payments, and a lot of them seem to do it wrong in how they implement their PayPal integration. Now for software, there's a return value after you fill in the form, and that return page sometimes has what you are actually going to be paying for. Here is an actual URL that adds an item to your shopping cart. This is actually for some VPN software, and in blue you can see that the return URL goes to chileweld.com/success.html. This is what that page looks like, and it just says, oh, thank you for your purchase. I mean, it's the URL that they showed you, and you can just download the software straight from there. They have absolutely no security guarding their software, and there are a lot of software companies that do things like this.
Software theft with PayPal: again, if you get something where you have software that gives you a serial number or key generator and they send that to you instantly, most likely you're going to be able to fuck with the subscription process and get something. You can place a legitimate order for the software but alter some terms of it. It's a legitimate order. You are sending them real money. There's nothing fraudulent, I don't think legally fraudulent, about it, but the system acknowledges payment and doesn't verify that you paid the correct amount for whatever you're ordering. And again, here are the amounts. Now here they have the amount actually encoded with URL encoding, where they're using the percent characters to represent the actual values. They're trying to obscure what you're doing. Now I changed this myself. The other one, oh, wrong way. Now here it has the actual price, which is 90 bucks, and shipping is 12 bucks, but some places will obscure the amount so that people don't know what to edit, and they can actually do that just by doing that encoding, which is really no security at all. It's very recognizable. And there's a URL for a URL-encoded character reference table. Again, the method's not effective. It just tries to hide the problem rather than fix it. Now another thing is that PayPal will give you an option to get insurance for whatever you purchase, and just signing up and paying for the insurance confuses the vendors, especially if it's a non-physical item. It just freaks them out; their system has usually not been tested for this type of thing, and they just don't quite understand it, and even if they're reviewing it by hand, it kind of seems legitimate.
I know someone who actually got hit by this, and they actually thought someone was signing up with the insurance or the PayPal guarantee, and when they got a small payment they thought that was some kind of insurance money that they were getting from PayPal, and they were just curious why they were never getting the full payment. They just had no idea until I explained it to them. Now here's what the HTML looks like in a form for a subscription payment. It actually shows how much it's going to cost, and then there's a setup fee and how long it's valid for. In this example it's a two-month free setup, valid for two months free, and then after two months it's going to bill you 295 and then you're good for a year, and every year after that you get billed 295 again. You can just mess with those values, and you don't even have to do any HTTP referer stuff. You just submit that to PayPal and it goes with it.

Now, for preventing form alteration, I kind of have to go quickly because I'm running out of time. You can do a CRC variable checksum so that you know that the data hasn't been altered, but that can be reverse engineered; that just kind of obscures it a little bit. Again, you can check the HTTP referer, but that can be faked, as demonstrated. The best way to do it is just not to use form variables. They're just not the way to do it. It takes extra programming to do it a different way, and unfortunately doing it a different way doesn't guarantee it's going to be any more secure. You really have to take security as a primary concern, especially since the business lives on this. They're subscription content. Okay, credit card payment attacks: credit card fraud, price alteration, avoiding payment and subscription terms extension. Again, in the previous example, you could change it so that instead of being free for two months it's free for 20 months. Then it's not going to bill you, and you can just cancel the subscription after 19 months and you'll never get billed.
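The fix the talk recommends, not trusting the form's price or subscription terms, comes down to re-deriving every money field on the server before fulfilling. Below is an added example of the trusting handler beside the verified one; it is not PayPal's or any vendor's code, and the field names (mc_gross, mc_currency, a1/p1/t1 trial and a3/p3/t3 regular terms, item_number, payment_status), products and prices are assumptions.

```python
"""Server-side verification of a hosted-checkout payment before fulfilment.

Added example for this transcript, not PayPal's or any vendor's code. Field names
follow PayPal's IPN/subscription variables as I recall them and are assumptions,
as are the products and prices in the catalog."""
from decimal import Decimal, InvalidOperation

# Assumed catalog: the server's own record of what each order must contain.
CATALOG = {
    # 90.00 price + 12.00 shipping, as in the talk's VPN example
    "vpn-pro": {"mc_gross": "102.00", "mc_currency": "USD"},
    # two-month free trial (a1/p1/t1), then 295.00 per year (a3/p3/t3)
    "news-sub": {"a1": "0.00", "p1": "2", "t1": "M",
                 "a3": "295.00", "p3": "1", "t3": "Y"},
}


def fulfil_trusting_form(notification):
    """Insecure pattern from the talk: grant access because *a* payment completed,
    never checking that the amount or terms match what was being sold."""
    return notification.get("payment_status") == "Completed"


def _same(expected, actual):
    """Compare numerically where both sides parse as money, else as strings."""
    try:
        return Decimal(expected) == Decimal(actual)
    except (InvalidOperation, TypeError):
        return expected == actual


def fulfil_verified(notification, catalog=CATALOG):
    """Hardened: every price/term field is re-derived from the catalog, so a
    buyer-edited form (1.00 instead of 102.00, 20 trial months instead of 2)
    is refused. Authenticity of the notification itself still needs the
    processor's own verification step, which is outside this example."""
    expected = catalog.get(notification.get("item_number"))
    if expected is None or notification.get("payment_status") != "Completed":
        return False
    return all(_same(v, notification.get(k)) for k, v in expected.items())
```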
Okay, how to spot theft of service attacks: audit your orders. Do not trust what your applications are telling you; they may be lying. Look for increases in system utilization. If all of a sudden there's a lot more usage but not that much more income, something's probably going on. Make sure that whoever processes your orders, there is human verification on everything. Regularly audit account activity. Do not overlook accounting inconsistencies. If your system is automated, definitely don't trust it. I mean, that's the easiest thing. When I see instant activation, they're full of holes automatically. There are not many places that do instant activation securely.

Attack response: you can't really do much, because the attack isn't always fraudulent, especially if you're using something like a login and password. They let you choose it, and there's not much they can do. If they find it, really all they're going to do is ask you to change your login and password, or maybe assign you something. And sometimes tracking down the user can be hard, because it's easy to fake email addresses, and law enforcement will not necessarily care. They may even think it's funny: it's your fault that you did this. Let me jump around. There's not much you can do for recovering losses; most likely, write it off.

The last thing I want to get to is the DirecTV theft of service. DirecTV sent out a lot of letters suing people who were supposedly pirating cable, just because of orders that they placed, and not all of them were necessarily doing it. The problem is really that the DirecTV service was not secure, not that the customers were doing anything. And I just personally think it's wrong that DirecTV has legal protection to sue to recover losses when they just either didn't want to or couldn't make their system secure, and now they're going to sue the customers. If it's insecure, again, it's the provider's fault, not the customer's. Suing your customers should not be a profit center.
They're making money off this. People are sending in money because they're afraid, and they don't want to get sued, so they're going to pay the 3,500 that they're initially asking for. And they were able to send out these letters without giving any proof to any government organization. They're just able to send them out and threaten people. The interesting thing about it is that to do these hacks, the people had to actually be legitimate customers and have basic service. So they weren't getting money, they just weren't getting as much as they wanted. There's some more information there. Kevin Poulsen wrote a pretty good article. It's available at The Register, and I believe it's on SecurityFocus. And again, Legal Rights has some more information about this.

For finding vulnerabilities, I included on the CD a program called SelfSeq. It's your own web spider; it'll go out and crawl, and then you can do your own searches against your own database of websites and search whether they're doing PayPal and have amount equals or price equals, and search for something that you know is a common vulnerability. SelfSeq is pretty good.

Again, just wrapping up: very simple attacks. These are more of an annoyance than anything else. Victims rarely get any sympathy. It's kind of like your own fault that you got hit with this. I mean, you're giving your stuff away if you're open to this and you're not auditing your orders. And just because there was a theft of service attack does not mean that there was even a loss of revenue for the company. They may have gotten more money, because more people signed up, because they were able to expand their access and their service was better than any competitor's. And I think that is about it. So, thank you very much. Since my time is up, I don't have time for questions and answers, but I will be outside if anyone wants to ask me any questions. So, thanks a lot.