30 November, 2007

Bluetooth eavesdropping vid

Check out this PoC of Bluetooth headset eavesdropping.

28 November, 2007

College courses for free

Not exactly free since you don't get the real experience of college (ie: drinking, drunking, dranking, etc.), but you can still (essentially) take a course online for free. There are no grades (since that's really what you're paying for), but the lectures, assignments, and other material are there. A lot of places do this, you just have to google a bit to find what you want. Here's a course on cryptography. Incidentally, MIT does this too. So do some of my old profs. The only real barrier here is the course book, but even that is starting to change.

Free alternative to ghost!

Ever since my first time using Symantec Ghost when I was an IT intern, I loved the app. What a great tool for anyone interested in PCs. Now there's a utility (free, open source) that supports uni- and multicasting. Awesome.

RBN paper

A study of the RBN. Interesting read for me.

27 November, 2007

Facebook iframe exploit. Is this old?

Have I just been in a cave? Is this for real?

26 November, 2007

Interesting hack-game site

Interesting.

School tackling security with a vengeance

There's this school district that got hacked a couple times by students wanting to look around the network or change grades and records. In response, the school has spent a boatload of money to beef up security (and as we all know, money solves all security problems). Their improvements, at least from reading the article, sound impressive. This is great! A school (and not even a university) is taking security seriously! But one part of the article piqued my interest:


The district is also moving to prevent what is called "sniffing," where hackers with wireless access sit outside school buildings, often in their cars, and scan traffic in order to capture passwords and view the content of messages sent over the Internet.


In response, the district is spending about $500,000 to purchase a package of sensors for every school and district building which will pinpoint the location of the sniffers and alert police. The technology will also encrypt the data so sniffers can't understand it.

So... hmmm. I've heard of appliances that can locate where a wireless signal is coming from, but this seems too good to be true. Not only do the sensors locate an attacker (both actively hacking and passively sniffing), but it also scrambles the data beyond recognition? Something doesn't seem right. I googled a little and found RFprotect -- this seems like a complete wireless solution in a box. Included is an app called RFlocate which does indeed locate wireless signals. I wonder how the data is scrambled. Is it SSL? WPA? AES? I would imagine that each client machine would need a client app in order to decrypt traffic and use the network in this case.


This seems a bit over the top for me. I know, defense in depth is great, but this setup seems to have so much redundancy built in, how the hell are admins supposed to get past the logs? Ok, they have increased staff, but increased it enough? Even in small enterprises, it is easy to get overwhelmed by logs by deploying too much too quickly. I want to see how this situation plays out. It seems more and more that in information security, either companies aren't spending enough on security (ie: appliances, firewalls, other infrastructure, etc.), or there aren't enough people to make it all work. Rarely does it seem that both these needs are ever satisfied. Are security-types just griping too much?

Airport Kiosks not so secure

It seems the world of kiosks has not caught up in terms of security (voting machines are perfect proof of that). GNUCITIZEN (pdp) posted what he could do at an airport kiosk by just clicking buttons. Dangerous and risky? Yes. Funny? Very.

Found some other funny pics of kiosks crashing.

RE: Windows 2k RNG not random

You guessed it. XP has the same problem, although you'd need to be an administrator to make any kind of predictions and at that point you'd have a whole lot of other problems to contend with.

21 November, 2007

Great intro to CSRF (XSRF)

From GNUCITIZEN, Mario Heiderich posted a really good intro/tutorial/explanation of Cross-Site Request Forgery (CSRF). I wish there was some way to keep a login to a site (like gmail) completely isolated to that single instance (isolated in that specific tab, if you will). Instead, if I log into gmail, then visit blogger, I can get logged in automatically! Great for convenience, bad for security. That's partly a problem with cookies, but mostly a problem with how browsers deal with open sessions.

I wonder if it's possible to write a firefox plugin that keeps session information separate by tab. So if I visit gmail and login, I can open a new tab and not get logged into blogger automatically. Not sure how possible that would be since you would need to figure out how to deal with a new cookie from blogger (read: google) when you already have one. Maybe do it like NoScript and have it alert you so you can allow or ignore/deny (default). Hmmm... sounds like I have yet another project to think about.
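Added here as an illustration, not code from the CSRF tutorial or from this blog: a constructed in-memory "transfer" endpoint in Python, once trusting only the session cookie and once also requiring a per-session synchronizer token that only a page served inside that session could have read. The session store, balances, user names and the attacker's form body are all made up for the example. The point it shows is the one above: the forged request arrives carrying the victim's cookie no matter which tab or site launched it, so the cookie alone cannot distinguish an intended request from a forged one, while the token can.

```python
import hmac
import secrets

# Constructed stand-in for a web app's server-side state (not any real site).
SESSIONS = {}                          # session cookie value -> {"user": ..., "csrf": ...}
BALANCES = {"alice": 100, "mallory": 0}


def login(user):
    """Issue a session cookie; the hardened handler also relies on a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def _move_money(sess, form):
    amount = int(form["amount"])
    if BALANCES[sess["user"]] < amount:
        return 400
    BALANCES[sess["user"]] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return 200


def transfer_vulnerable(cookies, form):
    """POST /transfer that trusts the session cookie alone. The browser attaches the
    cookie to any request aimed at this origin, whichever tab or site the request was
    launched from, so the cookie proves who the browser is logged in as, not that the
    user meant to send this particular request."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401
    return _move_money(sess, form)


def transfer_hardened(cookies, form):
    """Same endpoint with a synchronizer token: the form must carry a value that only a
    page served within this session could have read. A third-party page cannot read it
    (same-origin policy), so it cannot build a valid form."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return 403
    return _move_money(sess, form)


def csrf_token_for(cookies):
    """What the legitimate page embeds in its own form when rendered server-side."""
    return SESSIONS[cookies["session"]]["csrf"]


def attacker_page_submits(victim_cookies):
    """Simulates a hidden auto-submitting form on an attacker's page: the attacker
    chooses the body, the victim's browser supplies the cookie."""
    return victim_cookies, {"to": "mallory", "amount": "50"}


def run_scenario():
    """Returns (vulnerable status, hardened status, legit status, amount alice lost)."""
    cookies = {"session": login("alice")}
    before = BALANCES["alice"]
    v = transfer_vulnerable(*attacker_page_submits(cookies))   # 200: forged request succeeds
    h = transfer_hardened(*attacker_page_submits(cookies))     # 403: no token in the forged form
    legit = {"to": "mallory", "amount": "10", "csrf": csrf_token_for(cookies)}
    ok = transfer_hardened(cookies, legit)                     # 200: the site's own form still works
    return v, h, ok, before - BALANCES["alice"]
```

The token is compared with `hmac.compare_digest` rather than `==` so the check does not leak the token byte by byte through timing; it is a small habit, but it costs nothing.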

20 November, 2007

Operating manual for Guantanamo Bay leaked!

This is a serious leak. I really believe this document should have been classified. For the record, I didn't read the doc, just the front page of the posted page and Schneier's post on it. I have to believe that things have changed (read: passcodes) since 2003 though, but regardless this is a telling document.

19 November, 2007

Phone spyware demo

Mikko from F-Secure demos the capabilities of some phone spyware.

Truman - a 'sandnet' application

This sounds pretty nifty. Truman is a tool that makes malware analysis easy (sort-of). You can use it to build a 'sandnet' or virtual, isolated internet for the malware to interact with in real time. The tool automates the reimaging of VMs too so the amount of mundane work is minimized. Check it out.

Bigger and better than the storm?

An article on Darknet is claiming that the next botnets will function over p2p and they'll be extremely powerful. To me, this sounds like a bit of FUD. What does "peer-to-peer botnet" even mean? The way I take it is that instead of using something traditional (read: IRC) for command and control, there is no centralized command and control. If that is the case, how do you update your bots? If they just detect special changes in the malware code, security researchers could modify the code in the same way, no? Spreading via p2p seems like a good idea; however, without a command and control node that the authors have control over, how can the botnet sustain itself? Corps will block the outbound traffic at the firewall, home users will rely on personal AV and firewalls to protect them (sucks to be you Joe Schmo).

Maybe I am missing the point here. What exactly is this article claiming? That p2p is a better medium to push malware and vis-a-vis botnets? That's nothing new -- malware already spreads over p2p. What am I missing here?

17 November, 2007

The easiest way to hack a combo lock

rwnin, did you know how to do this? Pretty sweet. I never imagined it would be this easy to open a combo lock.

16 November, 2007

Safari sucks more than we thought

Safari/Apple allows telnet to connect automatically! What an awesome feature (for hackers)!

Oh.My.God. F.U.D.

You know, sometimes when I read things, I just want to scream. I think I should start a website called 'FUD of the Day dot com' just because there's so damn much floating around. Just read this stupid article. Moral of the story: China is going to destroy the US in every way imaginable (and then some more). And when I say I want to scream, I don't mean like Psycho shower scene scream. I mean Bruce Willis in the ejector seat screaming expletives as a jet explodes under him scream. FUD!

EDIT: Sorry, it was unclear that I am criticizing the government people, not The Register. The article is cool, the study/findings/report/FUD is bad.

WoW shares threads with viruses & malware?

For some reason, World of Warcraft is still popular. Blizzard has had some problems in the past with hackers -- crashing the WoW servers, stealing other users' data, creating bots to 'farm gold', and other nefarious acts are all hurdles Blizzard has needed to overcome. Enter 'The Warden,' Blizzard's WoW watchdog that ensures users are playing fair.

Well, The Warden now uses encryption to communicate with WoW users according to an article in The Register. While this may seem like a big 'duh,' the way The Warden actually works is much more interesting than anything else. Here are some key points:
* polymorphic code
* collection of client window names, memory modifications, process names, etc.
* pseudo-random (changing) cryptographic function for encryption
Looks to me like Blizzard is using traditional (but sophisticated) virus and malware techniques in their gaming environment. I think this is absolutely phenomenal! Finally we are learning from the bad guys.

15 November, 2007

More RNG Strife

Schneier posted an entry about NIST's new RNG standards on his blog. From what some researchers have been able to see, it seems the NSA might be up to some very shady stuff (read: decrypting everything that uses one of the RNG schemes). Schneier describes it as a 'backdoor.' Pretty confusing stuff, read it for yourself.

14 November, 2007

FINALLY! Lawsuit filed against Comcast

Yep, it finally happened. A Comcast customer in California filed a class action suit today against Comcast over their BitTorrent throttling. I'm not convinced this will go anywhere, but there is compelling evidence that Comcast is doing this, even if you ignore the statements of Comcast employees confirming that they actually do throttle/stop BitTorrent traffic. If this gets to court, the biggest flaw in my mind is proof -- if Comcast just goes up there and lies (and Sandvine does too), there's very little evidence that indicates Comcast is doing anything shady; the point of the Sandvine appliance is to be transparent, and it is.

New Firefox History DoS

This is a pretty neat little script that will DoS Firefox. I even tried it for myself here (WARNING: use NoScript or your Firefox will get DoS'd [duh]).

Windows 2k RNG not random

According to an article on The Register, the random number generator used in Windows 2000 is not so random after all. This poses a serious problem since many cryptographic algorithms rely on RNGs as a key component of the crypto (SSL anyone?). Since MS has shown that they tend to reuse old code (a lot), I wonder when the next group of researchers will break XP's RNG.

This is a pretty serious security problem, but we've known that this problem exists. It is impossible to engineer an algorithm to guarantee generation of completely random numbers with the limitations of today's computers (read up on quantum computing). So this begs the question "What do we do about it?" I was reading the comments and saw this one:


Random number generation
By Anonymous Coward
Posted Wednesday 14th November 2007 04:11 GMT

This is a genuine extract from a document for the Finnish Bankers' Association. Note the second line of the first paragraph particularly, regarding key-generation:

------

Appendix 3: Key management

A key common to all banks is used in the calculation of the authentication identifier. The key is generated in the Finnish Bankers’ Association by tossing a coin 64 times and entering the result so that heads is 0 and tails is 1. The 8-bit bytes of the 64-bit key are given an odd parity, the bits are converted into a hexadecimal format and the result is the key common to all banks.

The key is transferred to reliable people within the banks and they enter the keys into the same or equally protected system as the system where the PATU dongles are stored. The technical solution is bank-specific but the security level must be the same.

------

Predict that!

Now that's one way to tackle random number generation. Not even that creative, but pretty innovative. I've never coded my own RNG before, but I have done hash functions and the like to do non-colliding calculations -- and I thought that coming up with a good enough modulus was hard! There's an old white-haired Windows fanboy at my old job who continuously praises Microsoft. I'd like to hear what he says to this. Probably something lame like "Well Windows [blah blah blah blah not listening blah]."
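As an added example (mine, not from the Register comment or the Finnish document), here is the Appendix 3 procedure in Python: 64 tosses become 8 bytes, each byte is forced to odd parity by overwriting its lowest bit (the DES key convention, which is what a 64-bit key with per-byte odd parity is), and the result is hex-encoded. The H/T notation and the bit order (first toss is the most significant bit of the first byte) are my assumptions; the document does not specify them. One thing the procedure quietly gives away: parity overwrites 8 of the 64 tosses, so a fair coin yields 56 bits of key, exactly what DES uses.

```python
import secrets


def tosses_to_bytes(tosses):
    """Map 64 coin tosses to 8 raw bytes: heads -> 0, tails -> 1. The first toss is the
    most-significant bit of the first byte (an assumption of this example)."""
    if len(tosses) != 64 or set(tosses) - {"H", "T"}:
        raise ValueError("need exactly 64 tosses written as H/T")
    bits = "".join("1" if t == "T" else "0" for t in tosses)
    return int(bits, 2).to_bytes(8, "big")


def set_odd_parity(key):
    """Force each byte to odd parity by rewriting its least-significant bit (the DES
    convention): the top seven bits carry the key material, the eighth is overwritten."""
    out = bytearray()
    for b in key:
        ones_in_top7 = bin(b >> 1).count("1")
        lsb = 0 if ones_in_top7 % 2 else 1     # make the total number of set bits odd
        out.append((b & 0xFE) | lsb)
    return bytes(out)


def has_odd_parity(key):
    """True when every byte of key has an odd number of set bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def coin_key(tosses):
    """The Appendix 3 procedure end to end: tosses -> bytes -> odd parity -> hex."""
    return set_odd_parity(tosses_to_bytes(tosses)).hex()


def effective_entropy_bits(tosses):
    """One toss per byte is overwritten by parity, so 64 fair tosses yield 56 key bits."""
    return len(tosses) - len(tosses) // 8


def fresh_key():
    """The same construction with the OS CSPRNG standing in for the coin."""
    tosses = "".join("T" if secrets.randbits(1) else "H" for _ in range(64))
    return coin_key(tosses)
```

Worked by hand: the byte TTTTTTTT (0xFF) has seven ones in its top seven bits, so its last bit is cleared to 0xFE; HHHHHHHH (0x00) has none, so its last bit is set to 0x01. Every byte of the finished key therefore has an odd popcount, which is what a DES implementation's key-parity check looks for.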

13 November, 2007

DUDA!1!!!11 OMG LOL THIS IS SO AEWSOME111!!1

LOL. Translate your text to 12-year-old. Think of a firefox addon that does this to ALL YOUR WEB PAGES!!!111

Just for fun, an excerpt from Moby Dick.

a noble thing is that canticle in the fish's belly! How billow- like and boisterously grand! We feel the floods surging over us; we sound with him to the kelpy bottom of the waters; sea-weed and all the slime of the sea is about us! But what is this lesson that the book of Jonah teaches? Shipmates, it is a two- stranded lesson; a lesson to us all as sinful men, and a lesson to me as a pilot of the living God. As sinful men, it is a lesson to us all, because it is a story of the sin, hard-heartedness, suddenly awakened fears, the swift punishment, repentance, prayers, and finally the deliverance and joy of Jonah. As with all sinners among men, the sin of this son of Amittai was in his wilful disobedience of the command of God - never mind now what that command was, or how conveyed - which he found a hard command. But all the things that God would have us do are hard for us to do - remember that - and hence, he oftener commands us than endeavors to persuade. And if we obey God, we must disobey ourselves; and it is in this disobeying ourselves, wherein the hardness of obeying God consists.

After translation becomes:


A NOBLA THNG IS TAHT CANTICLA IN TEH FISHS BLY!!1!!!1 HOW BILOW- LIEK AND BOISTAROUSLY GRAND1!!!11! OMG WTF WE FEL DA FLODS SURGNG OVER US WE SOUND WIT HIM 2 TEH KALPY BOTOM OF TEH W8RS SEA-WED AND AL TEH SLIEM OF DA S3A IS ABOUT US!!1! OMG BUT WUT IS THIS L3SON TAHT DA BOK OF JONAH TEACH3S?!?!? WTF SHIPMAETS IT IS A TWO- STRANDED LESON A LESON 2 US AL AS SINFUL M3N AND A L3SON 2 M3 AS A PILOT OF DA LIVNG GOD1!11!! WTF LOL AS SINFUL MAN IT IS A LESON 2 US AL B/C IT IS A S2RY OF DA SIN HARD-HEART3DNES SUD3NLY AWAEKN3D F3ARS TEH SWIFT PUNISHM3NT R3PENTANCE PRAEYRS AND FINALY DA DALIEVRANCE AND JOY OF JONAH!!111 AS WIT AL SIN3RS MONG M3N DA SIN OF THIS SON OF MITAE WAS IN HIS WILFUL DISOBDEINC3 OF TEH COMAND OF GOD - NAVAR MIND NOW WUT TAHT COMAND WAS OR HOW CONVEY3D - WHICH HA FOUND A HARD COMAND11!1111 BUT AL DA THNGS TAHT GOD WUD HAEV US DO R HARD FOR US 2 DO - R3MEMBR TAHT - AND H3NCA H3 OFT3NAR COMANDS US THAN 3NDEAVORS 2 P3RSUAED1!1!1!! OMG AND IF W3 OBY GOD WE MUST DISOBY OURSELVAS AND IT IS IN THIS DISOBYNG OURS3LVES WHAREIN DA HARDN3S OF OBYNG GOD CONSISTS1!!!1!! WTF

So I put the output back in a couple times (OMG LEIK F0UR11!!!11 WTF):


A NOBLA THNG IS TAHT CANTICLA IN TAH FISHS BLY1111111111!1! OMG WTF OMG WTF LOL HOW BILOW- LEIK AND BOISTAROUSLY GRAND1111111!1!!1!1! OMG WTF WTF LOL OMG WTF LOL LOL OMG WTF W3 FAL DA FLODS SURGNG OV3R US WA SOUND WIT HIM 2 TEH KALPY BO2M OF TAH W8RS S3A-W3D AND AL TAH SLEIM OF DA S3A IS ABOUT US1111!1111!!!!!!!11 WTF LOL WTF LOL OMG BUT WUT IS THIS L3SON TAHT DA BOK OF JONAH TACH3S11?!1?111?!?!!11????!??!!!1111!!!!11!!11 OMG WTF WTF LOL WTF LOL OMG WTF LOL WTF SHIPMA3TS IT IS A TWO- STRANDAD LESON A L3SON 2 US AL AS SINFUL M3N AND A L3SON 2 M3 AS A PILOT OF DA LIVNG GOD1111!11!111!!1! OMG LOL LOL OMG WTF LOL WTF WTF LOL AS SINFUL MAN IT IS A LASON 2 US AL B/C IT IS A S2RY OF DA SIN HARD-H3ART3DN3S SUD3NLY AWA3KN3D F3ARS T3H SWIFT PUNISHM3NT R3PANTANC3 PRA3YRS AND FINALY DA DA3LIVRANCA AND JOY OF JONAH1111!111!!1!1!!! WTF LOL WTF LOL AS WIT AL SIN3RS MONG M3N DA SIN OF THIS SON OF MITA WAS IN HIS WILFUL DISOBD3INC3 OF TAH COMAND OF GOD - NAVAR MIND NOW WUT TAHT COMAND WAS OR HOW CONVAY3D - WHICH HA FOUND A HARD COMAND1111111!1!!! WTF LOL OMG WTF LOL OMG WTF LOL OMG WTF BUT AL DA THNGS TAHT GOD WUD HA3V US DO R HARD FOR US 2 DO - R3M3MBR TAHT - AND H3NCA H3 OFT3NAR COMANDS US THAN 3NDAVORS 2 P3RSUA3D1!11!!1!11!1!!!11! WTF LOL WTF OMG WTF LOL OMG AND IF W3 OBY GOD WA MUST DISOBY OURSALVAS AND IT IS IN THIS DISOBYNG OURS3LV3S WHA3RIN DA HARDN3S OF OBYNG GOD CONSISTS11111!111!1!1!!1! OMG LOL WTF LOL OMG LOL WTF WTF

08 November, 2007

More stuff to read

I am constantly updating my bookmarks of security/technology sites. Today I ran across Dancho Danchev's blog. He seems to be a bleeding edge researcher and I like his style. I hope I'll eventually get enough time to do real research.

RBN goes away?

The Register is reporting that sites/IPs hosted by the notorious RBN are offline. They may be relocating to China (which doesn't make too much sense to me. Romania seems a much better choice).

07 November, 2007

Internet enabled gas pumps?

According to an engadget article, Google maps will be available on some 3500 internet-enabled gas pumps in the near future. This raises two questions: 1) WTF? and 2) ORLY?

Gas pumps connecting to the internet to process credit cards, cool, we've gotten used to that. Gas pumps connecting to web sites with a pretty (probably Windows OS) interface, not so good. I wonder how you could hack a gas pump and what kinds of fun things you could do to it. I think goatse would be my signature.

06 November, 2007

Dude, awesome if it works.

Check this. For real. Check it out. I'm trying it ASAP.

Comcast 3-phase filtering plan?

I'm not convinced this is real, but if it is, I don't know what to think. Sometimes teh internets makes me a sad panda. You really should read this.

Of course, as long as we tunnel all our traffic, we should be fine, right? :(

05 November, 2007

Can a spam filter play chess?

From Sunbelt's blog: Can a spam filter play chess? This was, for me, a really interesting article.

When RSnake takes offense...

I'm a big fan of RSnake. I am a big fan of a lot of people in the security community. So I was a little surprised when I saw that two people very actively involved (Kuza55 and Sirdarckcat) attempted to deface RSnake's blog (ha.ckers.org). They failed, but RSnake got mad. The whole thing was pretty interesting to me, even though it was supposed to be a prank. Read the comments.

I think the most interesting bit is not that someone tried to pwn RSnake's site -- as he says, that happens a lot. The interesting part is who was doing it and the reaction of some of the players and bystanders. Can whitehats attack other whitehats for fun?

(Not that new) Flash exploit

RSnake posted some text on a flash exploit via the 'Expect' function. Not much on it, but I thought it was interesting.

Screw you Palm (TM)

For the past two days I've been struggling to update the firmware on my phone. Palm released this update that you can apply either by copying a bunch of files to a blank SD card (I don't have a reader so that's out), or by running an updater from Windows (which I don't use). Here's what I tried:

* Running the Windows update from a Parallels WinXP session on a mac (failed)
* Copying the files onto an SD card via FileZ and HandZipper (failed)
* Running the Windows update from an actual WinXP machine (failed)
* Mounting the phone as a filesystem and copying files (failed)
* Transferring the files directly to the SD card via pilot-xfer (failed)
* Running the Windows update from my WinXP vmware-player session (success)

It's worth noting that I could not, and still cannot, HotSync with Gentoo nor with my XP VM. What sense does that make? Here's another question for you -- if I can dial *228 and get my phone programmed over the air, why can't I get the update the same way?

03 November, 2007

So bizarre.

Weird.

02 November, 2007

Pass-the-hash toolkit

From Darknet, the pass-the-hash toolkit seems like a neat idea. I wish I had a terminal server to try it on :)

01 November, 2007

CAPTCHAs and social engineering

CAPTCHAs have really taken off as of late. While some methods for defeating them are already in place (OCR), this story off The Register shows a rather ingenious way of defeating them. Essentially, there's this virtual stripper and in order to see boobies, you have to solve a CAPTCHA. Naturally, whatever you enter in will be used to create some e-mail account on yahoo or gmail or hotmail to send spam. Cool idea, right? I mean, who can resist virtual pr0n?

As I read the article, I started thinking -- maybe we've been looking at CAPTCHAs all wrong. These days there's always a little link to have someone read what's there to you. Why not hack that instead of the image? I mean, audio is probably an easier medium for computers to analyze. Seems I'm not the first to have this idea. I didn't spend much time looking for a PoC, but I wonder if it's out there.

AT&T is not your friend

We all remember the whole wiretapping business, right? New details uncovered by Andrew Appel, and elaborated on by Wired, show how serious AT&T is about monitoring what you do on their network. And people are concerned about the CIA having a surveillance network. What are we to do when the companies we rely on for communication are logging and analyzing who we talk to every day? Schneier had this story first, link to original.

Malware now officially targeted at Mac

Sunbelt picked up a story on a trojan targeted at Mac. As the article says:


This is pretty groundbreaking, actually. Not from the standpoint of ‘malware can exist on Mac too’ (everybody who's not a moron knew that), but really from the fact that this actual malware created by real malware groups, not one of those useless proof-of-concept of ‘malware can exist on Mac too’.


Welcome to club Mac! SecurityFocus has picked this up too.