Monday, April 27, 2015

Secure Or You Will Lose Your Reputation

Recently, a Hong Kong based company carried out a KickStarter campaign for a coffee machine (Arist). Their goal was USD 120,000 and it was funded over 580% (USD 845,139). The design of the coffee machine also won an ICT Awards 2015 in Hong Kong.

However, the backers' messages and questions have not been answered since it was funded. Many backers have asked for refunds and have lost faith in it. The creator of the campaign recently posted that their server had been hacked and sensitive data had been stolen. The creator believes it was done by some of the backers. Meanwhile, some backers created Arist Scam to gather evidence of the "scam". According to the KickStarter comments, the parent company of Arist is a Windows Phone app development company named nBition Development.

Arist claims to be changing the specifications of the coffee machine after the "hack", according to some of the backers who found "Subject to be Changed" on the web site. This is what the backers are most unsatisfied with.

I wonder whether the creator of the campaign is a scammer or whether their server has really been hacked. So I carried out a quick and dirty check on the server.

First of all, the CEO and founder of Arist, Mr. Benson CHIU, is a former Microsoft staff member (source is in Traditional Chinese). According to the article, Mr. Benson does programming work. His brother Nelson is running a new company after the campaign, namely Kick Start HK.

What have I found so far? The web site of Arist is hosted on a Cloud Server at RackSpace. The web application runs Wordpress 4.1.1 on Microsoft IIS 8.0 with PHP 5.4.38. The shopping cart application is WooCommerce, a plugin for Wordpress. The shopping cart part runs over SSL/TLS. The site is believed to be protected by Cloudflare, as I found Cloudflare javascript on the site.

So, what's wrong with the web site? We know that Wordpress 4.1.1 has Same-Origin Method Execution and Unauthenticated Stored Cross-Site Scripting vulnerabilities. There was also a SQL injection vulnerability in WooCommerce recently (dated March 2015). Meanwhile, the most interesting thing is that the site is running a private SSL certificate for the shopping cart part. In addition, the site runs quite slowly, and WooCommerce there does not accept PayPal; it accepts credit cards only.

After my quick and dirty test of the Arist web site, it is believed that the site may be vulnerable to (1) Same-Origin Method Execution and (2) Unauthenticated Stored Cross-Site Scripting in Wordpress, as well as (3) SQL injection in WooCommerce. Those vulnerabilities may lead to data abuse and loss.
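The stack fingerprint above (Wordpress 4.1.1, IIS 8.0, PHP 5.4.38, WooCommerce) is the kind of information a site leaks in its own response headers and HTML, and it is the first thing a site owner should audit on their own install. The following is an added example, not code from the original post or from Arist: it parses a constructed HTTP response (the headers and tags are typical of an unhardened WordPress/WooCommerce install, with the version numbers the post reports), extracts the exposed components, and flags anything behind a baseline. The baseline values are taken from the page's later updates (WooCommerce 2.3.8, Wordpress 4.2.1) and are assumed for the example only; the `?ver=` query string is the one WordPress appends to enqueued plugin assets.

```python
"""Self-audit of the version strings a WordPress/WooCommerce site exposes.

Added example (not from the original post). It works on a captured HTTP
response rather than a live site, so it runs offline.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample response: typical of an unhardened WordPress/WooCommerce
# install. The version numbers are the ones the post reports for the Arist site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.4.38
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.1.1" />
<link rel="stylesheet" href="/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=2.3.7" />
<script src="/cdn-cgi/cloudflare-static/rocket.js"></script>
</head><body></body></html>
"""

# Assumed baseline for this example only, taken from the post's later updates
# (WooCommerce 2.3.8 on April 29, Wordpress 4.2.1 on May 18). In practice refresh
# it from the vendors' release notes.
KNOWN_CURRENT = {"wordpress": "4.2.1", "woocommerce": "2.3.8"}


def split_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP response into a lowercase-keyed header dict and the body."""
    head, _, body = raw.partition("\n\n")
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def fingerprint(raw: str) -> Dict[str, object]:
    """Extract the components a response advertises: server, PHP, WordPress,
    WooCommerce (via the plugin asset's ?ver= string) and Cloudflare's JS."""
    headers, body = split_response(raw)
    found: Dict[str, object] = {
        "server": headers.get("server"),
        "php": None,
        "wordpress": None,
        "woocommerce": None,
        "cloudflare_js": "/cdn-cgi/" in body,
    }
    m = re.search(r"PHP/([\d.]+)", headers.get("x-powered-by", ""))
    if m:
        found["php"] = m.group(1)
    m = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', body)
    if m:
        found["wordpress"] = m.group(1)
    m = re.search(r"/plugins/woocommerce/\S*?\?ver=([\d.]+)", body)
    if m:
        found["woocommerce"] = m.group(1)
    return found


def version_tuple(v: str) -> Tuple[int, ...]:
    """'4.1.1' -> (4, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def outdated(found: Dict[str, object],
             current: Dict[str, str] = KNOWN_CURRENT) -> Dict[str, Tuple[str, str]]:
    """Return {component: (found, baseline)} for each component behind the baseline."""
    out: Dict[str, Tuple[str, str]] = {}
    for comp, cur in current.items():
        v = found.get(comp)
        if isinstance(v, str) and version_tuple(v) < version_tuple(cur):
            out[comp] = (v, cur)
    return out


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_RESPONSE)
    print("exposed:", fp)
    print("behind baseline:", outdated(fp))
```

Two remediation points follow directly from what the parser finds: the `generator` meta tag and `X-Powered-By` header can be suppressed without affecting the site, and a plugin version that shows up in asset URLs is only "safe" if it is actually current, which is why the check compares against a baseline rather than merely reporting the number.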

Finally, if Arist is not a scammer, their web site may well have been hacked and suffered sensitive data loss. However, it is still unknown why the design and patent were stolen too. Were they keeping that confidential data on a web server? Or can the Arist network be pivoted to other servers for the "data loss"? Or maybe Arist is a scammer?

Anyway, I am not going to comment on why Arist does not respond to their backers' questions and queries. I am not going to comment on whether Arist is a scammer or not. However, I wonder why an IT guy (Mr. Benson CHIU) would overlook this fault. In my opinion, businessmen should not overlook information security, or you will lose your reputation very easily.

That's all! See you.

Update on April 28

I found something weird about Arist.

Benson and Nelson run the web sites of their companies, nBition Development and Kick Start HK, on the Tengine web server. However, Arist runs on Microsoft IIS.

Meanwhile, nBition Development and Kick Start HK are protected by a WAF (Akamai Technologies Inc). The web applications of those sites cannot be detected easily. However, Arist is not protected by any WAF, although Cloudflare javascript is found on the site. The web application can be identified very easily, and it is hosted at RackSpace.

I believe that the Kick Start HK web site was built later than Arist's.

My question is: is Arist not as important as nBition Development and Kick Start HK? Or is it really a scam? We need to wait until October this year for the product delivery.

Update on April 28 (Part 2)

The Arist web site has been checked again and the vulnerabilities mentioned above are still there.

I have read almost all the comments by Benson and the Arist team on KickStarter, and they are summarized as follows:

- During the campaign, they often answered questions and urged others to become backers.
- They said they would release the video to all Arist backers personally. However, they failed to do so, because of the patent pending. However, they showed the video to the reporters of Why not to the backers?
- They said that they would update the backers often, several times, but that failed too.
- They said that Arist is in production, but who knows. It is April 2015 now.
- Later, they did not even answer any questions.
- They claimed that their web site had been hacked and confidential data had been stolen. They suspect it was done by backers.
- They stated that the delivery will be delayed until October 2015. Why not deliver the products batch by batch?

Source from Arist Scam: Is Arist planning to defraud the Hong Kong government?

They posted a "Statement of Clarification" on their web site:

It has come to our attention that there has been posting and circulation of articles with untrue and false information about Arist originated from Hong Kong media groups and individuals since 26 April 2015 (HKT). Given the situation has already led to unnecessary speculation on the capacity and integrity of the Arist Team, we are obliged to clarify as below:

1) Our website and cloud storage account were hacked in mid-April 2015. Being a responsible developer, we have reported the case to the U.S. Police. A notice of such had been posted on our Kickstarter campaign site to notify our backers.

2) We have no plans to delay the planned launch date, which is from October 2015 onwards. As promised, if we cannot ship Arist 3 months after your expected ship date, you will have the option to request a full refund. We stick to this promise with no exceptions.

Despite the recent hacking, and circulation of untrue and biased online messages, we have no intention to stop the work with Arist. As of today, we have more than 25,000+ retail orders to consider as well. We will not stop until we deliver Arist to everyone.

We continue our mission to change the world of coffee. We have come a long way and we are almost there. To those of you who have been with us since the beginning, we thank you most sincerely. We truly appreciate your support, concern and attention.

Update April 28 (Part 3)

Scanomat states that Arist stole their concept and design. He posted the first comment on KickStarter, which is dated October 24, 2014.

First comment

Here is Arist's answer, which is also from the same day:

Reply by Arist

It seems that all backers missed this comment due to the design of KickStarter.

I reported this to Arist Scam, and they stated that KickStarter had paused the campaign until Arist redesigned the smartphone apps, as they looked very similar to Scanomat's. Meanwhile, Benson states in a comment on KickStarter that they are applying for patents all over the world.

However, Scanomat's coffee maker is on the market at the moment and they may have patented it already. Is Benson telling a lie? In addition, Nelson states in the recent interview that they also handle the manufacturing. They are a smartphone application development company. Suspicious!

Update April 29 (Part 4)

Nelson said that Arist was on the market 3 months before the ICT Awards 2015 Competition. The Startup Beat has a report on this (source is in Traditional Chinese). If the coffee maker is already on the market, why do they need to change the specifications and delay the delivery for the backers? Another lie?

Meanwhile, it is confirmed that they juiced the number of KickStarter backers; please see the Arist Scam article.

Update April 29 (Part 5)

After further checking, the WooCommerce plugin version may be 2.3.7, which is not vulnerable to the aforesaid SQL injection. Therefore, the previously assumed data leak and data loss may not have occurred. The current version of WooCommerce is 2.3.8 at the time of writing. Meanwhile, the web application has not been updated since April 27, even though they claimed to have been hacked. Weird enough.

After reviewing other manual and automatic coffee makers, I suspect that Arist cannot fulfill all the features in such a small footprint machine. The size should be much larger than these designs (version 1 and 2).

Update April 29 (Part 6)

It is very interesting that Benson started to communicate with the backers on KickStarter about 4 hours ago (about 1700 hours HKT). He had failed to do so since the end of the campaign. He said he needs to "step in" for the matter. Why? Scared?

Update April 30 (Part 7)

Does Benson steal others' concepts and ideas? If yes, how can he get the patent? It should already be patented. The following video was posted on Jan 16, 2012, when nBition Development may not yet have been formed:

The protocol of the video above is here.

Update April 30 (Part 8)

I doubt that the Jura (the so-called Arist Version 1) has been shown by Benson to the judges of the ICT Awards 2015 and the video was shown to the reporter of

The protocol of the Jura is available. That is why Benson and Nelson told the reporter of that the cost of development and manufacturing is not as high as the public expected. It is because they stole others' ideas, concepts and work. They even wanted to apply for a patent on it as their own work. It is also why they are unwilling to show the working Arist (Version 1) to the backers or the public.

Meanwhile, they stole others' ideas, concepts and work to obtain Hong Kong Government funding.

In addition, it is an impossible project for Arist (Version 2). The awesome features in such a small footprint device are impossible in physics, I think. Where is the water tank? Where are the two bean containers? Where is the milk container? Where is the syrup capsule container? Where is the cocoa powder container? They are the features stated in the Arist project.

Update April 30 (Part 9)

Benson and Nelson also run a cafe at Causeway Bay, Hong Kong, namely Tosavour Cafe (Facebook). I wonder whether they use their Arist (Version 1) in their shop or not.

I also wonder why they need to employ a barista, as Arist can make wonderful and professional coffee.

Why do I say that? It is because Arist (Version 1) had sold over 1,000 units 3 months prior to the ICT Awards 2015 Competition (Source).

Please note that by Arist (Version 1) I mean the Arist on KickStarter, while Version 2 is the one at the ICT Awards 2015 Competition.

Update May 1 (Part 10)

All of a sudden, Benson "stepped in" to the backers' comments (on April 29, 2015, HKT), and Matthew Lam (later known as Matt Lam, who stated he is a buddy of Benson early in the KickStarter comments) started to fire at some backers in order to keep them silent on April 30, 2015 (HKT). Interesting .... Interesting .... Very interesting ....

Update May 1 (Part 11)

It really surprises me that the web site of Arist has still not been updated/upgraded even though they claimed to be hacked.

The initial quick test on April 27, 2015 may have had some errors. Hereby, I attach the version findings, which were conducted today:

Update May 5 (Part 12)

According to PC Market (PCM, Issue 1136 dated May 5, 2015) pages 26 and 27, Nelson told the PCM reporter that they had sold 1,000 units of Arist Version 1 to baristas all over the world in July 2014. Those units were assembled by hand. Those buyers were required to sign a Non-Disclosure Agreement (NDA). (Please also read Update April 29 (Part 4) and April 30 (Part 9), as well as Arist Scam, in conjunction.)

I wonder how many buyers would sign an NDA when they paid for the product. Meanwhile, Benson and Nelson should have had UL and CE certifications before selling the units, as mentioned by one of the backers, Dan_R, in the KickStarter comments.

In addition, why do Benson and Nelson not deliver Arist Version 1 to the backers, when there are only about 2,000 backers on KickStarter? Does Arist Version 1 not exist?

Update May 8 (Part 13)

According to an anonymous source (I have seen the evidence, but I will not post it here in order to protect the contributor), Benson was doing Netduino/Arduino things around July 2014, the time at which he claimed Arist Version 1 had sold 1,000 units to baristas all over the world.

Is he still inventing the machine? If yes, why did he say Version 1 had sold over 1,000 units? If no, why can he not show the demo video to the backers? Or is he telling a lie? Or was he thinking too big at the very beginning, and has realized today that it is a project impossible?

Update May 17 (Part 14)

The owner of Arist Scam, Jake, states that he was refunded this morning and can no longer post to KickStarter due to the refund. Meanwhile, another backer, Dax, states that he also got his refund this morning. It is confirmed that Benson dislikes Jake and Dax very much and has made them shut up.

It is interesting that Benson has started to post to KickStarter since then. He states that he could not reply to backers these days because he was busy responding to the media about the false reports. For real?

Benson posted to KickStarter a few minutes ago that he refuses to refund anyone, after someone else asked for a refund after reading Jake's site (link). Benson says that they (Jake and Dax) may be kicked out by KickStarter. Really? Did Jake and Dax do any harm to KickStarter? No! But to you, Benson!!!

Benson fears opening the refund flood gate!

Update May 18 (Part 15)

Benson is arguing with and insulting the backers who have lost faith in the project.

Benson and Nelson CHIU are starting to issue refunds to everyone who complains about their scam!

After you, backer, receive your refund, please contact, so that they can build a community and bring justice to the Benson and Nelson.

Meanwhile, the web site of AristCafe has been updated to Wordpress 4.2.1, but it still has a private SSL certificate. In addition, the web site is vulnerable to DoS.

Benson sent 2 emails to Jake (the owner of the Arist Scam web site) threatening Jake to shut down the web site (link). Meanwhile, the proof of refund from Benson is here.

An anonymous source says that the Hong Kong Identity Card numbers and addresses of Benson and Nelson have been obtained. I think they will be published very soon.

Benson, Benson, you have made a very wrong and dead move!

Facebook Group is online

Update May 19 (Part 16)

Nice article from SCMP on Arist today. The following sentence made me laugh:

"Chiu demonstrated Arist for the Post using the accompanying iPhone app to produce two espressos after engineers had made a few tweaks to the prototype using screwdrivers and a black and yellow pencil."

Didn't Benson say that they had already sold over 1,000 units of Arist to baristas all over the world in July 2014? Does every barista who purchased the said Arist need to use screwdrivers and a pencil to tweak the Arist before producing coffee?

Benson and Nelson are scammers for sure, in my opinion!

Meanwhile, I have Benson and Nelson's HKID card numbers.

Ah, I forgot to mention that Benson posted the link to the SCMP article on KickStarter to prove something. However, it is suicide, as he overlooked the last sentence of the article.

Update May 21 (Part 17)

More evidence of Benson cheating at the Kickstarter launch is here (read with "Update April 29 (Part 4)"). It is not ethical.

Update May 24 (Part 18)

The Arist web site is now well protected by Cloudflare and has a valid SSL certificate now. However, it used a private SSL certificate between August 6, 2014 (domain creation date) and May 21, 2015 (GoDaddy SSL certificate). Benson also claims that the site has taken 25,000 pre-orders. Read with "Update May 1 (Part 11)" and "Update May 18 (Part 15)".

Although the site is well protected by Cloudflare, I am sure that it is still vulnerable to DoS attack. It can be taken down within minutes. New feature - TimeLine.

Update May 27 (Part 19)

Benson released update #17 to his backers in the early morning (May 27, 2015 HKT) and asked them not to release it to the public.

In update #17, Benson stated that his team is still developing the prototype (currently at Phase 4A). He is using all the backers' money to develop a prototype, instead of having a working prototype before the KickStarter campaign.

His website has recently been protected by Cloudflare and he has a valid SSL certificate (beginning May 21, 2015). He showed a graph of his website traffic in update #17 to prove that his website has a lot of visitors. I wonder whether that traffic is from the Cloudflare or Google bots (I am also running a website behind Cloudflare). It only shows the traffic between 0555 and 0655 hours on one day (which day?). Why not between August 6, 2014 and today? Maybe the traffic is from those who want to see what is going on because they read the media recently?

He also said that the engineer used a "screwdriver" and pencil to turn off the sensor in order to brew coffee while the cover was removed. I wonder why he needs to take off the cover to brew coffee. To show the SCMP reporter that the machine is so complicated? Or does the cover need to be removed to brew coffee?

In conclusion, Benson is lying that he shipped 1,000 units of Arist to baristas all over the world. He uses the backers' money to develop the prototype, and he has spent all of the backers' money too. He cannot prove that he has 25,000 pre-orders. He is still lying in update #17.

Update on Dec 2, 2015 (Part 20)

Arist-ed development: Troubled Kickstarter project endorsed by Hong Kong gov’t raises fears backers aren’t being protected

Video - Arist Demonstration Fails

Source : NowTV (【新聞極客】網上眾籌平台保障成疑 - Cantonese)

Thursday, April 16, 2015

How Secure Are Your Networks And Systems?

Almost all Intrusion Detection and Prevention Systems (IDS/IPS) can be bypassed. No matter whether they are commercial or open source, they can be bypassed by any skilled attacker. I have been running my home-brewed Intrusion Prevention System for over 2 years. It has become mature, and I decided to carry out a bypass test against it.

My plan was to conduct Application Layer (Layer 7) exploitation from behind my IPS. Normally, almost all attacks come from outside. However, I tried to do it from the inside to the outside.

I picked one live web site which has a Wordpress vulnerability. I carried out the exploitation from the inside, and it is not surprising that I could dump the database from the said site. I successfully bypassed the IPS from my internal network. I know that there are different rules for external and internal traffic. At least I know that I can do it from the inside, and I think it is not very hard from the outside.

The following is the database dumped from the said site (some characters are masked in order to protect the victim):

Several years ago, I conducted an exploitation test to see whether the system could log the attack or not. The final result was that it could not. You can watch the video here. Similarly, I also conducted a test to bypass some famous anti-virus programs. The final result was that they could be bypassed very easily. You can watch the video here.

In conclusion, those security measures are just like the lock on our door and the metal gate in front of our houses. They should be there, but they cannot fully protect you from being burgled if an intruder finds a way in. Therefore, we should not fully rely on those security devices and/or programs, or on log checking alone. Make sure your networks and systems are in excellent security condition. Remember that security is only as strong as its weakest point. 99 percent secure is 100 percent insecure. The most dangerous thing is believing that you are secure.
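The post's point that an IPS or log check is one layer and not a guarantee is easiest to see with a signature rule in hand. Below is an added example, not code from the original post or from the author's IPS: it runs two versions of a SQL-injection signature over a few constructed access-log lines (combined log format; the addresses and paths are made up). The naive rule matches the literal phrase after one URL-decode; the second rule normalises the request (double decode, lowercase, whitespace collapse) before matching and so also catches a request that the naive rule lets through. The pattern and the sample requests are assumptions for the demonstration.

```python
"""Signature-based screening of web access logs, and why one signature is
never the whole defence. Added example, not from the original post.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample log (combined log format). Not captured from any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Apr/2015:10:01:02 +0800] "GET /?p=1 HTTP/1.1" 200 5120
203.0.113.5 - - [16/Apr/2015:10:01:09 +0800] "GET /?p=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5300
203.0.113.5 - - [16/Apr/2015:10:01:15 +0800] "GET /?p=1%20uNiOn%2fsElEcT%201,2 HTTP/1.1" 200 5300
198.51.100.7 - - [16/Apr/2015:10:02:00 +0800] "GET /wp-login.php HTTP/1.1" 200 2100
"""

# ip, timestamp, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Naive rule: the literal phrase, case-sensitive, one space, as a simplistic
# IDS signature might carry it.
NAIVE_PATTERN = re.compile(r"UNION SELECT")
# Normalised rule: applied after decoding and lowercasing, tolerating a short
# separator between the keywords. Still a signature, so still incomplete.
NORMALISED_PATTERN = re.compile(r"\bunion\b.{0,3}\bselect\b")


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-log line; return None for lines that do not match."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "target": target, "status": int(status)}


def normalise(target: str) -> str:
    """Percent-decode twice (to unwrap double encoding), collapse whitespace and
    lowercase, so the rule sees roughly what the application will see."""
    decoded = unquote(unquote(target))
    return re.sub(r"\s+", " ", decoded).lower()


def screen(log: str) -> Tuple[List[str], List[str]]:
    """Return (targets flagged by the naive rule, targets flagged by the
    normalised rule) for every parseable request in the log."""
    naive_hits: List[str] = []
    normalised_hits: List[str] = []
    for line in log.splitlines():
        req = parse(line)
        if req is None:
            continue
        target = str(req["target"])
        if NAIVE_PATTERN.search(unquote(target)):
            naive_hits.append(target)
        if NORMALISED_PATTERN.search(normalise(target)):
            normalised_hits.append(target)
    return naive_hits, normalised_hits


if __name__ == "__main__":
    naive, normalised = screen(SAMPLE_LOG)
    print("naive rule flagged:     ", naive)
    print("normalised rule flagged:", normalised)
```

The gap between the two result lists is the point: the third request differs from the second only in letter case and a `/` separator, and that is enough for the literal signature to miss it. Normalisation closes that particular gap, but any fixed pattern has others, which is why the post treats the IPS and its logs as one layer behind a patched, well-configured application rather than as the protection itself.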

That's all! See you.