var debug = fail

Using textareas for evil

2010-11-03T17:33:00.007-04:00

Recently I've gotten a new job and have been doing significantly more interesting things with my time. Woo hoo!

Web exploit kits are always evolving and using new techniques to complicate automated analysis. I've been looking at one group in particular that is using blackhat SEO for google image search in order to redirect a user to a malicious site. Basically, someone performs an image search for something innocuous and clicks an image result that contains an iframe to the blackhat SEO domain. If the iframe code is executed, the person is 302'd to an intermediary domain. The intermediary has some basic server-side defenses that check the referrer string, IP address, and whether either has been seen before and how long since they have been seen. If so, the site redirects to google. If not, you reach the exploit domain.

The HTML on the exploit site has two textarea tags at the top of the page:

Notice the code after the textarea sections is a giant obfuscated <script>. Running it through the usual suspects (wepawet, jsunpack, spidermonkey, malzilla) doesn't yield good results. The reason? The textarea tags -- they aren't used until the end of the page:

Not only do they contain a couple syntax errors, but the typical tools don't seem to handle the textarea calls very well. Wepawet partially decrypted the page, but ultimately categorized it as benign. Not good.

So what's actually happening? The first textarea tag contains the function to deobfuscate everything in the script tag. When you run the function through spidermonkey, you see a document.write that writes out <p>[some integer]</p>. This integer is used in a for loop to deobfuscate the script. Substitute the integer value where it needs to go in the function, clean up the code a bit, and use the Didier Stevens spidermonkey package and the web-obj.js script from REMnux, and the eval'd <script> code gets piped out to file:

The deobfuscated page hits you with a variety of exploits, dating back to 2006.

Cryptome back up!

2010-03-02T09:18:00.003-05:00

As a follow-up to recent news of Cryptome being shut down, Microsoft apparently withdrew its claim stating that they only wanted to copyrighted material removed, not a site shutdown. Good news indeed. Anyway, the site is back up.

Cryptome shut down

2010-02-25T10:24:00.003-05:00

Related to wikileaks needing financial assistance to stay online, the site Cryptome appears to have been suspended by their host for DMCA violations. Wikipedia for Cryptome has some background information, and a couple sites have posted articles regarding the takedown.

It seems the breach of DMCA occurred when the site published a 'secret' Microsoft spy guide, which details its policies and procedures for dealing with law enforcement issues. The guide can still be found in a few places, as well as mirrors of the site.

While I recognize the need for varying degrees of data secrecy and am an advocate for privacy and encryption, business transparency is equally important; how companies, such as Google and Microsoft, handle our digital information is something I believe consumers and users of these companies' services have a right to know. I can only hope that legislation will one day help protect the rights of users and whistleblower outlets, such as Cryptome, instead of big businesses.

Wikileaks needs your help!

2010-02-23T16:19:00.003-05:00

Wikileaks needs help to stay online! Per their website, their yearly costs are around $600,000 and they're over halfway to that goal. This is such an important resource in this day and age, we cannot let it go to waste.

Please donate! $100, $10, $1, anything will help.

Cable inference and mapping

2009-06-12T13:36:00.002-04:00

Long time, no post. I just don't have the free time I used to .

Anyway... I sort-of caught up on my feeds and after reading this article about finding 'secret' government fiber lines, I started thinking. If the ground is very saturated with multiple crisscrossed cables, utilities, etc., is it reasonable to think that by looking at a map of those utilities and cables you can infer, with varying degrees of probability, the locations of these 'black' lines?

I would assume that in areas like the DC there are all sorts of classified communications lines going all over the place, so the logical place to start would be in the vicinity of a government building that has a high likelihood of having a classified or sensitive (non-commercial or public) line. Based on the locations of existing lines, one could extrapolate the rough areas where a line might leave the building and the path it takes (around the existing lines and utilities).

Maybe I'm thinking too two-dimensionally, but all this seems somewhat plausible. Let's say a 'black' line runs through an alley between buildings (unlikely but possible). Could someone dig through the basement to the line and tap it? I vaguely remember reading something about being able to tap a fiber line for around $100. The cost required to protect those lines from tampering would be too enormous, right?

There's my thought for the day.

Decision reached, let the migration begin

2009-02-22T20:15:00.002-05:00

I finally decided to go with Arch Linux as my Gentoo replacement. I tried Sabayon (very) briefly, and it seemed that it would not give the the modularity that I need. Anyway, I already installed Arch and am up and running, albeit somewhat crippled, with disk encryption via dm-crypt and LUKS. Since this is the first time I've done disk encryption, I didn't want to mess with loop-aes; I'll leave that for some later date. So far, I've noticed no noticeable slowdown with LUKS.

Overall, the setup for FDE has been the easiest part of the whole migration thus far. I had a really difficult time getting X working. Surprisingly, when you install X as a dependency it doesn't install the necessary drivers (read: keyboard and mouse) as well. That took a few minutes to figure out. But overall, I think I have 80% of the apps I need installed now, and I'm really happy with how quickly that went. I am a little shocked that firefox is out of date in the repos, but from what I have read, it's because of some branding issues and I'm trying to see if I have a repo workaround (already installed latest firefox, trying to see if there's an 'Arch' way to do it).

I'm pretty pleased so far. Really, everything has been very smooth aside from the usual distro transition issues. I miss openrc right now (never thought I'd say that), but I think ultimately this setup will be more stable. Didn't realize that vmware-player was not in the repos beforehand, and unfortunately vmware's download server is down right now (go figure). I think vmware-player is the last app I need, or at least would like, before work tomorrow morning.

I really can't stress enough, I am very happy so far with Arch. Moving to FDE was *REALLY* easy, the hardest part was waiting fro my /dev/urandom hdd overwrite (which took approx. 14 hours for 80GB). The pacman package manager is pretty easy to use, but I'm still getting to know the options. For those who want to know, no, I did not tweak my kernel manually (which I DO miss), but I plan to work on that as I go. Unfortunately I do have 74 modules loaded now, but really I haven't noticed any slowdown. My boot time is a bit higher than I'd like, but it's hard to accurately measure (b/c of the FDE password and the ethernet card timeout) which I hope to fix soon.

Here's hoping that tomorrow fixes a lot of issues. For now, hopefully, there is hfsplus support in my kernel (for my backup disk lol).

Oh, and I passed my CISSP exam. w00t!!!

Palm - I hate you

2009-02-02T23:20:00.004-05:00

I began writing this on my Treo, but it became too difficult after the second reboot.

Dear Palm,

I tried to send this directly to your company, but I couldn't find
your contact info while using blazer, so I'll just leave this here.

Fuck you Palm.

That's pretty harsh, but I want you to know that I mean it. I own a
treo 700p and I have to say it is the worst 'phone' I have ever had
the displeasure to own, use, carry, or otherwise be close to. Now I
hear you're releasing the pre, but for Sprint only. that just makes me
hate you more. Prior to using this 'phone' (I use the term very
loosely) I refused to use any phone with a windows os. Being a *nix
guy, I assumed that palm os would run circles around any win based
phone. I was gravely mistaken.

The browser 'blazer' is the most sorry excuse for a browser ever. Ever.
It crashed the whole phone while surfing your site. Read that again.
Yes, my treo rebooted while surfing palm.com. Oh, and that's after
your site told m there were multiple browser-related errors. I can't
use opera mini bec--

I had to switch to my laptop because it's impossible to write an email on my Treo 700p. Anyway... Opera Mini, which works well on just about all mobile devices, crashes almost instantly on the 700p. I don't know why I'm pidgeonholed into using blazer, but seriously, who at Palm was like "Wow, this is an awesome mobile browser. We should totally force this upon our customers." Whoever made that decision does not use blazer. And what the hell is up with the lag times?? It takes at least 10 seconds to CLOSE THE BROWSER?!?!?!?!?! WHAT THE FUCK!!!

This is a total rant post, which I try to avoid, but seriously, fuck you palm. You have totally ruined my outlook on mobile technology. At this point, I would rather own a Windows-based phone than anything developed, even 3rd party developed, by palm. Never again. NEVER again. To anyone who reads this, I implore you, I beg you, DO NOT, ever, EVER, EVER buy/use palm devices (especially do not buy). You no longer can compete in the smart phone market (more like inept phone market, but I don't think that your marketing guys brought that one up). I hope the Pre saves you, and maybe that will show that Palm has evolved past the same shit over and over and over again, but I doubt anyone will switch to Sprint for the Pre (good fucking decision there guys, hope you made enough bank for that bad decision).

I'm pissed, I don't care, I'm getting a new phone. I hate you palm. That is all.

Unlinked files

2009-01-28T13:09:00.003-05:00

A colleague and I have been discussing forensics on Linux recently which has led to me exploring the contents of my /proc directory. Wow what a wealth of information there is in there. He just shot me a link to a post about unlinked files, something I'd heard of (and experienced) before, but had never looked into with any kind of depth. Very interesting stuff. I have a lot to learn about /proc

http://sansforensics.wordpress.com/2009/01/27/recovering-open-but-unlinked-file-data/

Google + Police = Case closed?

2009-01-08T12:51:00.002-05:00

An interesting story was on digg today about how cops located a child and her kidnapper using cell phone GPS coordinates and Google.

Finding a new distro... part 1?

2008-12-26T00:04:00.003-05:00

I've been looking pretty seriously at Arch to replace Gentoo, so this post will describe my experiences and impressions thus far. I set up a VM to try the install and get a feel for the distro, and so far it seems OK. The install was easy and pretty fast, although I would have liked the ability to configure my kernel at install -- a step that, at least after years of Gentoo, was conspicuously missing. As expected there are a bunch of modules loaded on boot (61 total iirc), and boot time was actually painfully slow -- about 50 seconds! I'm not sure if it's the VM or all the extra garbage at this point. On the flip side, getting a working X configuration up and running with Openbox took all of 10 minutes, a process that would've taken significantly longer on Gentoo. At the same time, I wasn't able to try out the nvidia prop. drivers since it's in a VM -- who knows how well that will work, but if my experience so far is any indication, it should be fairly flawless. Another plus is that the latest (beta) nvidia drivers are in the repository (180.16-1) which is nice. Now that I look at my sync dir, I only see 177.82-1 in my local sync, so I guess my repositories aren't configured correctly.

The package management program pacman will take some getting used to. It certainly is much faster than emerge/portage, and not having to compile everything from source is a big plus. I do like the ports tree structure of portage though, maybe just because I'm so used to it, but I do like being able to see everything that's in my current repositories without having to go online. I can see all the packages, but I already miss seeing general categories (e.g. net-irc, www-servers) to give me alternatives to apps I already use.

Something that would be nice for me is an option to configure disk encryption at install. There's a guide on the wiki on how to do it, but iirc Debian gives you an option at install which I think is awesome. Also suspiciously missing on install was the ability to add a regular user. Maybe I just went through it too fast and missed the option, but it was very surprising to have to log in as root immediately after install. I do like the idea of different projects within Gentoo (e.g. gentoo-hardened) and at this point I do not know whether Arch has anything comparable.

So here I am, now questioning whether Arch is the right distro for me. I wish I had a more concrete idea of what I'm looking for or where to look outside of distrowatch. Someone recommended Slackware to me recently, and maybe I should give it another shot. I'll keep working with Arch to see where I end up and we'll see what happens over the next few weeks. Happy Holidays and have a happy New Year!

Decision finally reached

2008-12-16T19:35:00.003-05:00

I've decided to abandon Gentoo due to continued frustrations caused by portage and the project/community in general. I hope this change is temporary because I have a lot of love for Gentoo. It breaks my spirit to say I'm calling it quits.

Now I have to decide what to migrate to. I've narrowed it down to three choices: Arch, Debian, and Sabayon. I'm leaning toward Arch since it seems to be similar to Gentoo in some ways: highly configurable, optimized, but it also gives you the option of installing from binary instead of source, a big plus for sweeping update days that include firefox, gtk+, and kdelibs.

Debian I have always wanted to try out for an extended period, although I'm not sure it's bleeding edge enough -- the repositories, to my (limited) knowledge, lag a little further behind than I'm used to. But Debian is stable and configurable.

Sabayon is only on the board because the idea intrigues me; to build a Gentoo-based distro that uses a new package management system and introduces binaries, the idea sounds like the best of all worlds. Almost too good to be true. I hesitate since I'm not sure how mature the project is.

If anyone has an opinion, please tell me. I'm waiting for a lull to format and reinstall. I have no experience with Arch, Debian, or Sabayon, so all input is welcome.

Technology IRC rap

2008-11-24T12:37:00.001-05:00

Awesome.

Secret German IP Ranges Leaked!

2008-11-20T09:51:00.003-05:00

Not good for T-Systems/Deutsche Telekom. Government should be safeguarding citizens, not spying on them.

Promising new VISA card

2008-11-17T13:32:00.002-05:00

VISA's new idea to combat identity theft. Sounds promising...

Am I too resistant to change?

2008-11-17T10:10:00.002-05:00

For a while now I've had a little beef with Gentoo, but nothing I couldn't just shrug off. Now, I think I'm at the point where the frustration of portage just doesn't make sense to me anymore. Not once, but twice in the last two days have I wrestled with portage only to experience a much more hassle free install after cutting OUT portage. I won't go into detail, but the nvidia-drivers and vmware-player were the two culprit packages that, in both instances, emerged and installed perfectly, but utterly failed to run.

So now I'm asking myself why the FUCK I deal with long compile times when portage is, in my mind, broken?!? I'm giving it till the end of this month to see how stable my system remains before making the decision to stay or switch. November 30th is the day. I have a lot of love for Gentoo, that's why I've stayed for this long. But now, I just don't get it. I hope things change and I decide to stay, but for now I'm thinking that's unlikely.

This is not a drill Windows admins...

2008-10-23T13:51:00.002-04:00

Microsoft is releasing an out-of-band critical patch today to fix an 0day that's being actively exploited in the wild. Yowza.

Sniffing your WIRED keystrokes (from the next room)

2008-10-21T10:12:00.001-04:00

Saw this story, pretty cool stuff. Some Swiss researchers have developed a few different ways to sniff your electromagnetic keystrokes from up to 20 meters away. Vid.

NVIDIA 177.80 driver breaks OpenGL

2008-10-17T18:55:00.002-04:00

At least it breaks OpenGL for me and a bunch of other people according to a google search. The issue seems to be in the actual libGL.so library. It seems like this is a persistent issue in the 2.6.27 kernel as well, so I'm not sure why this is in Gentoo's portage. Maybe my system is just broken? If anyone reads this and has had success w/ the 177.80 driver with gtk+ working and using nvidia's opengl implementation... please let me know. For now, I'm putting this driver on the backburner.

Ghetto Fabulous

2008-10-17T08:49:00.001-04:00

For the truely paranoid and the utterly cheap, how to make a faraday cage wallet.

Stopping SQL Injection and Building Secure WebApps

2008-10-16T15:33:00.002-04:00

Here's a paper (PDF) from Oracle on writing "injection-proof PL/SQL."

Also a guide shown to me by a friend on building secure webapps (from OWASP).

It's all about risk and consequences

2008-10-16T10:45:00.006-04:00

I just read Paperghost's post on trying to contact someone at eBay about 5000+ of their users' logins posted online. His post highlights a few things that are 'broken.' One that he calls out is the problem a 'normal guy' would have trying to get this through to someone. There's nobody helpful you can talk to, no point of contact that can provide any kind of clarity... just black holes. But why does eBay make it so hard to contact someone who can actually help? The truth is they don't care. Let me explain.

From the 'About eBay' page:

eBay is The World's Online Marketplace®, enabling trade on a local, national and international basis. With a diverse and passionate community of individuals and small businesses, eBay offers an online platform where millions of items are traded each day.

Their business is one of the most widely recognized and successful online marketplaces ever. Wow! eBay rocks! And yes, eBay does rock, but they also don't care. A lot of people use eBay for free -- they sign in and bid on items. eBay gets a small percentage of each sale as well as advertising revenue and additional features sellers can pay for (that's how I understand it, correct me if I'm wrong, pretty simplified). They work really hard to protect people's accounts since that ultimately hurts their bottom line (profit).

The reason they don't care is because they can't. If I have an online eBay business and my account credentials get stolen, whose fault is that? Probably not eBay's, nor is it their responsibility to really do anything at all in the event something does happen to my account. Their only real motivation is based on dings to their reputation as a business, and since eBay is _huge_ there's not a whole lot of difference the loss of my (or a few thousand) account will make. Of course eBay wants to keep accounts safe to uphold their reputation, but ultimately, if accounts get compromised, it's not their fault and there's very little they can do to stop it from happening right now.

I, of course, blame the user for this (stop clicking on pop-ups please!). I read an article recently on how you're pretty screwed if your GMail or Yahoo! Mail account credentials get jacked (can't find the article, ah well). Google can only do so much if your account gets compromised, just like eBay, and ultimately, you're just a drop in the bucket. While the information in your GMail account or your flawless seller's reputation on eBay may be important to you, it's not very important to those companies. So getting back to the original question 'Why do these companies make it so hard to contact someone useful if shit hits the fan?' the answer is 'Well, there's not a whole lot we can do, so you're pretty much on your own.' It's not really that they don't care, it's that they can't care. And of course there's the volume of these type of requests -- I'm guessing far too many to keep up with. There's also the issue of alternatives -- eBay and GMail are so big and so successful, and this problem is shared among ALL businesses in these industries, there's not a whole lot to lose.

The real problem is nothing new: authentication and identification. It's not even an online problem, just a problem in general. Ensuring authentication and identification is tough... REALLY tough. Much harder than I once thought. But the problem with authentication and identification (shortened to AuthI) is complicated with sites like eBay and GMail, where there is no real consequence to the companies if your account is compromised. That's why it's all about risk and consequences. The risk of compromise is high, the consequence of compromise is low, so that equals 'no sale.' For banks, this issue is taken a little less lightly. Account compromise is actually a liability since the bank is responsible to offer some kind of reimbursement or protection or credit monitoring, whatever, in the event your 'identity' (account) is stolen.

So what's the deal with AuthI? Two-factor auth is a good solution (here's a post that breaks it all down), but again, it all comes down to risk and consequence. For eBay, that's a big investment of capital to only (maybe) bring down your risk to medium. How do you fix something that's really hard, but a lot of people think is easy? Just because I have a Canadian passport doesn't mean I'm Canadian, but you can't expect a database of DNA samples for everyone to be feasible or very practical for most applications. How do you fix bad behavior? How do you stop illegal behavior?

Now I'm ranting and just got derailed so I'll end this post here.

Bypass Win 98 login prompt?

2008-10-01T12:15:00.002-04:00

Not new, but still awesome. Via Digg.

Why ePassports are bad

2008-10-01T09:06:00.003-04:00

From a convenience and 'coolness' perspective, ePassports are great. But when THC decides to break the security and create a fake one, that's a really bad thing. I'm sure there are ways of making a secure ePassport, and governments in support of using them need to review their methods and revise as needed.

Wireless FU from TSSCI

2008-09-29T16:13:00.000-04:00

Another great post.

Group post

2008-09-17T10:48:00.002-04:00

I've been ridiculously busy. So, to redeem myself for not posting.

Awesome hack: maze solution

You're doing it wrong: defense against terrorism

Trend continues toward visualization: (ze)nmap visuals

Airgaps FTW: SCADA fail

Cool?: psad

LHC webcam

2008-09-17T10:45:00.001-04:00

LOL

WebAppSec perspective

2008-09-17T08:43:00.001-04:00

I saw this post on TSSCI Security yesterday and really enjoyed it.

Friday Summary

2008-09-05T09:31:00.002-04:00

Very hectic couple weeks, so much to do in so little time.

Very cool:
Easy OSS Linux rootkits
Cardio crypto key

Very uncool:
Shredded checks as packing material (via Schneier)
IRS IT people suck

BGP sucks and why it matters

2008-08-29T09:12:00.002-04:00

First DNS broke, now BGP. I'm in ur internetz, breakin teh protoclz! This is actually a big deal. Maybe we need to examine our network protocols and rethink things. I mean, the environment has changed a lot since the 70's. Maybe we should redesign the internet .

New grippers!

2008-08-26T08:36:00.002-04:00

I've been trying to take my health seriously since about January and so far have lost a decent amount of weight (even though I've recently gained back some pounds). I'm still roughly 25-30lbs from my target weight and something that's always been a goal of mine is to excercise at work. People in IT sit at their desks all day; it promotes such a sedentary mindset. But, to combat that in a small way, I started training with grippers, specifically the Captains of Crush grippers from Ironmind. I started with the Trainer, then #1, and #2 came yesterday. Not only does it build hand and forearm strength, but it's great stress relief.

Legislating the future

2008-08-25T12:31:00.003-04:00

Biden is Obama's VP nominee; he has lots of experience in politics and, more importantly, foreign policy experience. BUT he doesn't like encryption, net neutrality, or filesharing. This is a big deal for anyone who DOES like freedom of the interwebs.

reDuh released

2008-08-25T09:38:00.000-04:00

The SensePost guys released their reDuh tool. Sweet.

hichina.com = FAIL

2008-08-21T11:13:00.004-04:00

And not just fail, cheese cat fail. Just going through my spam box, the majority of 'bad' domains are registered with hichina.com. My understanding is that ICANN requires all registrars to have valid information for each domain, no? I know that's tough to police, but come on! Unless I'm mistaken, "JIEFANGLU268.SHUANGXIAJIUDIAN1003" is not a city in China, or anywhere in the world. Is there something from preventing a registrar from validating City/Province, etc (a script perhaps like so many other sites use) at registration? That's no solution, but at least it's a barrier from straight jibberish.

Accessing your bank account via password resets

2008-08-20T15:53:00.002-04:00

This is an interesting story, and it raises some questions we've been struggling with a lot recently; namely how we fix identity verification online. Change is coming :)

Interesting stuff to try

2008-08-19T09:48:00.002-04:00

First, the guys from SensePost and their reDuh research. Really cool stuff there, those guys are really smart.

Ratproxy is in portage now, from their website:

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

Seems like something worth trying.

Lastly, there's OpenVAS, the "free alternative to Nessus." Evidently this project forked from Nessus a while ago and I've just never heard of it.

So many projects in the works... where to begin?

Sometimes you just need to laugh...

2008-08-18T11:49:00.001-04:00

It never ends.

DC16!

2008-08-13T00:41:00.001-04:00

Had a great time in Vegas, saw some great talks, met some cool people. Still recovering... already excited for next year!

Black Hat/DefCon!

2008-08-04T08:16:00.002-04:00

I leave tomorrow for Black Hat/DefCon and it looks like this will be a great one. There are so many awesome presentations, it will be hard to choose between them. If you're at the conference, I'd love to catch a drink!

US Customs laptop and electronics search & seizure policy

2008-08-01T16:35:00.002-04:00

US Customs and border patrol agents can search and seize your laptop or electronics for any reason, keep it indefinitely, give the data to anyone, take it off-site, etc. etc. Wow. The official policy went public today. Via Schneier.

Some encouraging news!

2008-08-01T13:04:00.001-04:00

We know things are bad, but they could be worse.

Vacation planning -- securing your home and property

2008-07-28T15:22:00.002-04:00

There's paranoid, then there's seriously paranoid. I like to think I'm just paranoid, and when I read a list of a crapload of steps to take to secure your home before leaving for vacation, some of which really take some prep, I am reassured.

Kaminsky's exploit -- code released

2008-07-28T15:18:00.003-04:00

The code hasn't just been released, it's in metasploit.

Deniable file system

2008-07-18T15:14:00.002-04:00

I'd never really thought about plausible deniability in regards to a partition or OS before. TrueCrypt's "Hidden Volume" and "Hidden Operating System" are both very interesting to say the least. I should study crypto :)

Invulnerability is impossible

2008-07-17T16:04:00.002-04:00

Schneier posted a link to a really superb paper out of OSU (pdf). The paper examines how to protect the US, the Department of Homeland Security, and the progress we've made since 9/11, and also considers how one could better approach the problem of terrorism and the threat of terrorist attacks.

This is a really well written and interesting read, and one can draw a lot of parallels from this.

When will people stop trusting McAfee?

2008-07-17T15:26:00.002-04:00

Not that this is the straw that breaks the camel's back, but still. How much credibility do they really have left?

How worthwhile is logging?

2008-07-16T11:55:00.002-04:00

I've been wondering about this for some time, and I really started thinking about it today after reading this post. Actually, what really got me thinking about it was when I configured auditd on a red hat system last week. In roughly 3 hours, without network connectivity, just me on the box, 3 gig of logs. And that's just the audit logs. Sure, that much information is great after you're owned and you're looking over the logs (assuming you're logging to a remote server), but really, with that much information, aren't you just creating more of a hassle than anything else? No organization has enough staff to watch that much log traffic. Even after the fact, do all those logs get you anywhere? Sure, you can say "Ok here's where they came in and what they did" but that's about it. Is that worthwhile?

Now that I think about it, I guess if you're concerned about someone coming in and sitting on your systems indefinitely without being detected, then serious logging might be warranted, but again, who can watch that volume of logs? I saw something recently that I thought was really cool -- Juniper's IDP device has an option where you can allow it to profile your 'normal' traffic. It watches and watches and gets a baseline of what usually happens on your network, so if anything abnormal happens, you are alerted. This isn't new, but I hadn't really seen it before, so it's newish to me. Is there something similar for logging? That would be a worthwhile application in my opinion -- generate events OUTSIDE the usual mundane.

I'm torn on this issue. Logs are like a warm blanket; verbose logging means you can know what's happening on your systems if you keep up with the logs. At the same time, logs become a burden very very easily, and they are easy to ignore. I guess each admin determines the line between verbosity and noise, but for me and my systems, I need to think about this more. I'm not sure I'm comfortable running systems with no logging. That seems like a liability issue -- a problem waiting to happen.

Functionality vs. security

2008-07-15T18:17:00.003-04:00

After working for two weeks trying to set up a small, stand alone web application and associated database, I witnessed firsthand the difficulties of balancing security and functionality. Really, we approached the project from the wrong side. Our thought was to secure everything first, then open things up as needed. That's not the right way to do it, especially when the network diagram changes rapidly and new requirements are added mid install. Essentially, Murphy's Law proved itself with a vengence over the past two weeks.

For example, a log management appliance requires both RPC and remote registry enabled on each server in order to remotely access the C$ share of each Windows server in order to grab logs. Seriously. We were all a bit dismayed when we saw that.

On the one hand, the system has to work. On the other hand, you want it to be secure. There's no easy balance, especially when you buy devices without consideration for security. Sometimes the rules are too stringent. Tradeoffs need to be made, those tradeoffs are dictated by functionality. To compensate, you need staff to watch the logs and keep an eye on things, so it all comes full circle.

A week of Red Hat

2008-07-15T17:47:00.003-04:00

I've been working hard out of town in a situation where everything that could go wrong, did go wrong. Part of the job was getting a Red Hat box up and running, locked down, and interfaced with two IDS devices via Juniper's NSM program. Sound easy? I thought it did too. After a week of struggling, I finally realize why I love Gentoo as much as I do. Just wow.

My biggest complaint is package management. Maybe I just 'don't get' how rpms work, but I know that for every application I attempted to install, there were at least two dependencies that I had to find prior to successful installation. Additionally, when removing unnecessary packages, like CUPS and gnome's print manager, I couldn't since, for some reason, like 50 other packages depend on gnome printing and CUPS. WTF.

NSM was another story -- getting it to run on RHEL 5.1 was a challenge to begin with. I've never seen anyone embed binary packages in a shell script before, pretty sneaky Juniper. Ultimately, NSM <-> IDP communication didn't work since RHEL 5.1 is 'unsupported' as of yet. Things worked flawlessly on RHEL 4. One thing I don't get is why NSM requires a very old version of OpenSSL and PostgreSQL. Maybe you can upgrade, I didn't try.

Anyway, this post is mainly to say that Red Hat still leaves a bad taste in my mouth and I don't understand why people use it (ok fine, theres support. Great. Not good enough). There is a need for a Linux standard, but I don't think Red Hat is the right way to go. That's not to say Gentoo is, but hey, 2008.0 is out, go get it.

McAfee Hacker Safe in the news again

2008-06-27T15:56:00.002-04:00

This is just ridiculous. Displaying a banner that says this site is safe is NOT a good business model. Although, being Nate McFeters certified is pretty awesome.

Insider threat exaggerated??

2008-06-24T09:05:00.004-04:00

According to Verizon's 'Data Breach Investigations Report,' the insider threat is exaggerated. I'm not really sure I understand what they're trying to say, but I'm with Schneier on this; there are a lot more outsider attacks, so naturally the number of incidents directly attributed to outside attacks is higher, but really you can't quantify this type of thing. The insider threat is a serious one, and even though the article states, "When internal hacks occur, they tend to be nastier..." that hardly does the issue justice.

I get the sense that this report diminishes the severity of the insider threat, something I really don't understand. The biggest difference is that an insider already knows something about what he/she is attacking, and presumably already has access to the network. Those are two _huge_ advantages right there. I remember looking at the main SAN for a former employer and finding all sorts of very sensitive financial information out there for the taking. The only things I needed were access to the network and very general knowledge of where this info might be.

Companies still follow the 'crunchy on the outside...' idea right? For me, it boils down to defense in depth again and again. If an organization prepares awesome boundary defenses, great! But if/when someone does get in, the internal environment should be locked down as well. There's a problem with this though: having high confidentiality, integrity, and availability is tough. Tradeoffs must be made, so I guess Verizon's report is advocating trading the insider threat for a more secure boundary. The more I think about this, the more I think this is more complex than I initially thought. In any event, I question the usefulness of this report ~~since it doesn't really say anything useful or even interesting~~.

I've been streetviewed!

2008-06-20T09:12:00.007-04:00

Google streetview has been gradually moving outward from NYC and today I see that the google mobile drove through my area. From the looks of it, a few months ago too. I think streetview is a cool idea, but after seeing my residence, car, and neighborhood on streetview, I must admit it's a bit creepy. It's easy to understand the privacy implications when you can virtually drive down your own street to your driveway.

A window into SIGINT

2008-06-19T09:00:00.002-04:00

rwnin posted up a video I had not seen before. I've always been fascinated with the NSA and general SIGINT. Pretty intriguing.

Hacking electronic locks

2008-06-18T13:48:00.001-04:00

Via Schneier, hacking electronic locks with magnets.

Two interesting tools

2008-06-17T11:23:00.001-04:00

Here are two interesting tools that I'd like to try out in the near future:

SIPVicious -- For auditing SIP-based VoIP systems
OSWA Assistant -- For hands-off auditing of (smaller) wireless networks

Sometimes it's good to laugh at your mistakes...

2008-06-17T10:12:00.005-04:00

...but sometimes you should learn from them. The TSA is being pretty ridiculous. After recently traveling abroad and being able to closely compare Newark Intl vs. other major airports, Newark is the worst in my book. In fact, Newark is one of the worst airports I have ever flown into or out of. Take for example the full 45 minutes it took for our luggage to start descending to the international baggage claim. That's 45 minutes AFTER going through immigration and physically standing by the little carousel. That's not the fault of the TSA though, I just wanted to complain. I did get to see a cute little bomb-sniffing beagle trotting around though :) When will the madness end?

The human CAPTCHA market

2008-06-17T09:40:00.004-04:00

RSnake posts links to human CAPTCHA breaking services; one of which, imagetotext.com, I have heard of before. Both RSnake and I argue that one of the problems with improving CAPTCHA is that it only encourages using cheap human labor to solve them all day. We still don't have a solution for this, although there are some interesting alternatives popping up. Still, CAPTCHA is inherently flawed in this regard. CAPTCHA must be (relatively) easy for a human to solve, yet difficult to solve algorithmically. The more effective CAPTCHA becomes at keeping real bots out, the more organized crime syndicates and spammers are obliged to use human bots to get the job done.

Catching up on feeds is a bitch...

2008-06-17T09:38:00.002-04:00

When you take a break from reading, you come back and have 180 new posts to catch up on...

Long hiatus from posting!

2008-06-17T04:21:00.002-04:00

You may have noticed I haven't posted in a while. I've been outside the country taking in the sights, but now I'm back (for a week). Google reader has 174 posts queued up for me, so I've got some reading to do. Okinawa is great!

PDF Evilness

2008-06-01T23:50:00.003-04:00

F-Secure posted on a seemingly innocuous PDF file that looks like the DHS immigration form that does some pretty serious evilness if you open it. The site the rootkit calls back to is nbsstt.3322.org, out of China, and seems to have some connection to the Chinese military or people involved with the Chinese military. Pretty crazy.

Serious legal ramifications

2008-05-29T11:24:00.002-04:00

Jeremiah Grossman posted on the currently pending court case and investigation of a woman who created a fake MySpace profile and ultimately caused a teenage girl to commit suicide. This story is utterly appalling and horrible, and I strongly think that this person needs serious help and should be severely punished for her actions. Unfortunately there is no law that really applies to this situation, so what do you do? Lump this into the US Federal Computer Fraud and Abuse Act. If this goes through, it could have very serious legal ramifications, as Jeremiah points out. Read his post.

More doubts surround 'Hacker Safe' and other scan services

2008-05-29T11:08:00.002-04:00

Russ McRee posted a video pointing out problems with ControlScan and McAfee's 'Hacker Safe' services. The future of these services does not look good. I wonder what these services actually scan? Good luck finding that info on the McAfee Secure website.

Abusing the micro-payment system

2008-05-29T10:38:00.002-04:00

The Register has an article (originally from Wired) about a man who set up multiple accounts with E-Trade and Schwab, then wrote scripts that abused the micro-payment account verification feature of each site to steal more than $50,000. If you're not familiar with the micro-payment system, when you open an external account (for transfers or anything else), the bank will typically transfer a small amount of money into the account to make sure the transfer succeeds. If you script this feature, you get lots of micro-payments, for free. The banks eventually noticed, and the Secret Service traced the transactions back to his home IP's. Moral of the story: next time use tor? This is a really clever hack, and I'm a little surprised no one has done this before. Really clever.

If it looks good on paper...

2008-05-28T10:03:00.002-04:00

There's a pretty sensationalist article on how a pen tester hacked his way through a civilian government network and got the keys to the FBI's NCIC database. While the article is a bit over the top, it does highlight some problems with standards compliance. From the article:

"This was a company that had maintained they were Sarbanes-Oxley compliant for several years. Yet I had control of the business within the first 20 minutes. I could actively change general ledgers and do other critical tasks," he says.

He also has found problems with companies that claim to be in compliance with the newer Payment Card Industry (PCI) standard. "I've had people who have spent millions of dollars on security to say they are compliant, and I walk in and pop open their main credit card processing system within 10 minutes."

The problem, he says, lies with compliance rules themselves. "The government has narrowed the scope of compliance so much to make it cost affordable that it overlooks a lot of things that are real-life security vs. paper security," he says.

There are some pretty big problems with how things look on paper and how they actually exist. This is evident from the Scanless PCI compliance news recently, and the ideology is tied into the McAfee 'Hacker Safe' banner. Even though there are differences between ideology and implementation, the basic security practices needed to secure a network are still there. I think some decision-makers get caught up in making sure the paperwork looks good instead of concentrating on being proactive and taking the initiative to, for example, properly review and test code, patch machines, and design networks.

Adobe Flash exploits in the wild

2008-05-28T09:50:00.003-04:00

There are a number of articles covering the recent (new) wave of mass SQL injection attacks and Adobe Flash exploits. NoScript is a great (read: awesome) addon for Firefox that blocks _a lot_ of potentially bad stuff and I highly recommend it.

Cisco responds to IOS rootkit threat

2008-05-28T09:38:00.003-04:00

Earlier this month, the alarm was raised in response to a presentation at EUSecWest where a security researcher demonstrated the first known rootkit for a Cisco router. Cisco responded with their recommendations on guarding against this type of attack. Frankly, their recommendations are pretty lame. Only patch/download/install from trusted sources, check the MD5 on each IOS image, restrict the number of users who have access, and harden your router config.

That's it? I think that's all common knowledge and practice, no? I know some organizations that just do not patch their routers (or ANY network gear for that matter), but I would like to think those organizations are outliers. Am I too optimistic to expect a better solution from Cisco?

Dave Aitel responds to APEG paper

2008-05-20T10:15:00.002-04:00

Jeremiah Grossman posted a link to a Security Focus article written by Dave Aitel, respected security guru and founder/CTO of Immunity. In the article, Dave responds to the recent paper on automatic patch-based exploit generation. The gist of his article is that their paper, while highlighting some known issues in the patch process, is full of crap, and the authors seriously misunderstand the difference between an exploit and proof of concept. He goes on to argue that there is a significant disparity between academia and (real world) security/vulnerability research. Quite an interesting read -- Dave brings up some very good points.

Holy crap!

2008-05-17T20:56:00.002-04:00

This is the coolest thing I have ever seen, ever. Wow.

Rootkits for routers

2008-05-16T15:14:00.005-04:00

From networkworld.com, a security researcher has developed the first (or first known) rootkit for a Cisco router. The attacker, however, would need to access the router before he/she could successfully install the rootkit. I am no fan of Cisco, mainly because they do a pretty awful job at security in general. Look at any Call Manager device and you'll find loads of problems; if not, the organization using it probably voided its warranty to make the machine a bit more secure.

Realistically, what could you really do if you managed to install a rootkit on a Cisco router? You already need to compromise the router to load your rootkit, what's the added benefit? Admin privileges? Could you snoop on traffic? The other issue is detection. Unless you modify the router's config, there's no way for an admin to know the router has been compromised. It's not like there's any AV or rootkit detection software for network devices (as far as I know anyway -- if there is, please tell me).

As far as I can tell, the only benefit to a router rootkit is being able to access the router without an admin noticing, but a good router admin would notice that someone logged into it at a weird time, so that should be a clue. This could be useful in bringing down an organization's network -- compromise all the accessible routers with the rootkit, then take them all down at once. You'd have to wipe the flash memory back to factory settings to regain control, and yeah, that would be pretty disastrous so there you go. I hope we get some more details soon.

RIAA talks about catching pirates

2008-05-16T15:11:00.002-04:00

Interesting article, although I think most people already know that this is how they operate. Many free IP blocklists block Media Sentry IP addresses (Peerguardian does at least).

Update to the massive SQL injection saga

2008-05-14T23:26:00.003-04:00

After yesterday's post, I wanted to follow up and see how quickly things are changing. Four of the .cn domains mentioned yesterday seem down now:

bluell.cn
kisswow.com.cn
wowgm2.cn
wowgm1.cn

Google still shows well over 100,000 sites that are affected or were recently. After looking around, I'm not seeing any _new_ sites hosting this exploit code, although my searches were fairly basic.

Be that as it may, I am seeing a number of similar injections with code hosted on the site s.see9.us. The actual javascript is different, but one of the sites referenced in the code, b.kaobt.cn (seems offline), uses hichina.com DNS servers. That's no conclusive link by any means, but it does raise some questions about the integrity of hichina.com (if it has any integrity). What I think is really strange about the see9.us attack is that it seems mostly Chinese sites are targeted -- there really are very few non-Chinese sites affected. Google shows less than 9,000 sites exploited.

Update: Looks like the only site that's still up is 9i5t.cn; it serves the exploit as a.js, which also references computershello.cn (now seems offline).

SQL injection on the rise

2008-05-13T22:58:00.007-04:00

I've been following a lot of reports of a massive number of SQL injections, and the number is growing. Reading an f-secure post got me wondering how widespread they actually are. Wow did I find out. There are lots of domains around that are affected. Here's a quick list of some of the .cn domains that I've found.

9i5t.cn
bluell.cn
kisswow.com.cn (a lot going here)
winzipices.cn
wowgm2.cn
wowgm1.cn
killwow1.cn
computershello.cn
wowyeye.cn

Something interesting I found while looking around were a lot of (unrelated?) injections from s.see9.us, which now appears to be offline; the odd thing is that all (or at least most) of the sites are .cn -- interesting stuff. One of the ips for winzipices.cn and computershello.cn is 60.191.239.221, is this fast flux though?

Last night as I wrote this, wowyeye.cn seemed to go offline. It no longer resolves today, but the whois is still there.

Border Patrol stops, questions of legality

2008-05-12T13:42:00.002-04:00

Unless you live in a cave, you're familiar with the recent surge in US border stops and the increase in the number of security checkpoints. A video of someone being stopped and 'sticking it to the man' surfaced on digg. He was left alone, but I wonder about the legality of his approach, or what typically happens in these situations. Couldn't the border patrol agent simply say, "Yes you are being detained" and wait for him to cooperate? This needs some looking into.

DNS weirdness?

2008-05-09T00:09:00.011-04:00

I'm doing a web pen test for a friend and just for fun, I try to hit the site by its ip. I get this site: searchportal.information.com -- ok, that's strange. I lookup the IP, it resolves to gator184.hostgator.com. I hit that in a browser, it redirects to searchportal.information.com.

Weird, right? When I hit the ip, I get a page with very little HTML code, essentially just an iframe with a redirect to searchportal.information.com.


[html]
[head]
[/head]
[iframe width="100%" height="100%" frameborder="0" src="http://searchportal.information.com/?a_id=47368&
domainname=referer_detect"]
[/iframe]
[/html]

What the hell is that?? Is this hostgator box hacked? Are they just serving an iframe for information.com? I don't get it, that's for sure. Hostgator has been notified.

Update -- Hostgator responded saying this is their default server page and is completely normal. Am I crazy? I guess so. I always thought link farms were bad.

Going after the audio CAPTCHA

2008-05-01T15:43:00.002-04:00

Read a timely post by Ronald van den Heetkamp on breaking Google's audio CAPTCHA. All the research is done by Wintercore Labs and their writeup is a good read. Comes with a vid.

Statcounter - bite me

2008-04-30T11:05:00.003-04:00

I started using statcounter to track hits on this blog. Unfortunately, as a friend pointed out, they send login creds in clear text. Boo on you statcounter.

Update: Sitemeter has the same problem. I guess this is a common thing.

Quantum cryptography

2008-04-29T12:36:00.002-04:00

An article about Quantum Cryptography raises some interesting questions, the main one being "Is this the holy grail of cryptography?"

AlphaGalileo.org sums up the current state of Quantum crypto and why it's a good thing. The Swiss actually use this technology already to encrypt voting data, something I actually read a little bit about a few months ago. Quantum mechanics was something I never had the opportunity to study in college, but what an interesting field. I wonder if/when this will become mainstream.

Do y'all got boosch on tap?

2008-04-25T22:40:00.003-04:00

I'm back in Georgia and went to one of the nicest hotels in Augusta. Now, normally I wouldn't post things like this, but I really feel the need. The hotel has its own restaurant and separate bar, both are pretty nice. Anyone who knows me understands that I'm a bit of a beer snob, but I wanted to post a little excerpt between a couple of the bar patrons and the bartender:

Male Patron: Do y'all have pitchers?
Bartender: No pitchers, only bottles and pints.
Male Patron: How much are draft beers?
Bartender: $6, $6, $6, $6, and $12.
Female Patron: DAAAAAAAAAAAAAAAAAAAAMNNNNNN!!!
Male Patron: Aight, give me two Mich' Ultras and a Busch.
Bartender: Sorry, no Busch.
Female Patron: Do you know anything that's, like, comparable taste-wise to Busch?
Bartender: (laughing) No, I wouldn't know. I'm not trying to sip on Busch.
Female and Male Patrons: Damn!
Male Patron: How 'bout Bud Light?
Bartender: Ok, two Mich' Ultras and a Bud Light.
Female Patron: (calling someone) Hey, they ain't got Busch here, what you want? ... Naw, they got all this fancy beer ... What's another cheap beer?
Bartender: All domestics are the same price.
Female Patron: (on phone) They all the same price... Aight. Gimme two Bud Lights!

It was all I could do not to laugh. Georgia is an interesting place.

Defending against DDoS

2008-04-22T23:29:00.002-04:00

DDoS is a hot topic these days, especially after the attacks against Estonian government sites last year. There's a good writeup about defending against DDoS in the early days of DDoS. Interesting read.

Six dumbest ideas in Computer Security

2008-04-22T13:08:00.001-04:00

From Ranum, the six dumbest ideas in computer security.

Generating exploits from patches

2008-04-18T14:11:00.005-04:00

A friend sent me a link to a very interesting /. article (abstract, pdf) on generating exploits from patches. The title of the paper is "Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications" and is an interesting read. Their core ideas are that once a patch is released, anyone with access to that patch probably has enough information to generate an exploit for the weakness, and that patching machines takes some time after a patch is released. From the abstract:

The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P′, automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P′.

... our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch.

The authors note that recent widespread attacks, such as the Slammer worm, are carried out very quickly, "hosts are compromised in minutes."

This is some really interesting stuff, and I'm a bit surprised no one thought of this sooner (or if someone did, please let me know) since this is a great idea. I wonder if this will have any impact on how patches are released or how organizations effectively mitigate the risk of something like this happening. Really interesting work.

Wherefore art thou Gentoo!

2008-04-17T22:54:00.002-04:00

I did something stupid. I tried to rush through a kernel upgrade. Strike one. When it failed, I tried to fix it quickly. Strike two. Then I tried to roll back to my original install. Sort-of strike three.

After doing a world update, checking off all my options via menuconfig, compiling the kernel and installing, I rebooted. My framebuffer console is messed up -- that was the first sign. The second sign was the kernel panic when it couldn't find my root partition. Instead of being sda3, gentoo now wants to use hda3. I still don't know why.

So, I boot back into my working install, which incidentally since the world update will not shut down cleanly, and remove framebuffer console and IDE HDD support completely. Reboot back, now I have no console output at all, but I know the kernel panics since all my LEDs start flashing. Even after selecting hda3, the damn thing won't boot completely since my install expects sda3. wtf.

Now I'm back to my crippled but working install, hoping I can figure out what's wrong and fix it before Monday. The last time I had this much trouble with gentoo was very late one night at my last job after doing about a hundred scripted installs :)

Penny for your thoughts, chocolate for your password?

2008-04-17T10:42:00.004-04:00

A recent study in London concluded that a woman is more likely to give out her corporate password in exchange for chocolate than a man. This is classic social engineering testing. Pose as someone innocuous or authoritative and play the part. Social engineering is nothing new, but why does it work so often? Most people trust other people if the other person seems nice enough. Recently, an office not far from mine was breached by a man posing as a computer repairman. He made off with a few hundred bucks.

It really is amazing sometimes how often social engineering works. But some companies do take it seriously and have taken some great strides to defend against these types of attacks. Ernst & Young in New York is a good example. The lobby of their building off Times Square is well locked down with multiple security staff hanging out.

What's scary about the chocolate test is that people also offered up their dates of birth. Something that comes to mind that could make a decent social engineering scam are those cigarette reps that walk around bars giving out lighters or packs of smokes when someone signs up for mailings. To sign up, they scan your drivers license and take your signature. What a rap that is. All you need is the guy's social, and I bet some drunk at the bar would be all too happy to offer that up. $5 for an identity, right there.

But defending against social engineering is hard. It functions the same way email viruses and phishing do -- trust. If you trust your input, you're vulnerable, but it's unreasonable to untrust everything and everyone, right? This guy is knocking at the door, he says he forgot his ID card so he can't get in. Do you trust him? If you don't let him in and he does work there, you're that jerk who is a little too much of a tightwad. Thinking about a former employer, the back door was RFID access and kept everyone out for the most part, but the front door was wide open, and the receptionist rarely questioned anyone coming in.

So what do you do? Smokers are a problem since they go out all access points. How about setting alarms on all external doors except the front door? Implement ID cards that must be worn while at work. Implement access control mechanisms like RFID readers or card scanners at the entry points. Use cameras and man traps. Employ at least two guards. Establish a visitor control procedure complete with contractor/visitor VLANs.

Even with measures like those, you can easily steal an employee's ID card while he/she is at lunch, or just make a fake one, etc. etc. Tough stuff. What else can you do, from a physical perspective, to protect against social engineering?

Mark Dowd eats pieces of flash like you for breakfast

2008-04-16T15:54:00.004-04:00

Mark Dowd -- wow. If this is new to you, Mark Dowd released a 25 page pdf on a new flash exploit. All I can say is holy crap. As BK says, I'm not even going to try explaining what's going on, not because I haven't read the whitepaper and have never coded flash, but because Thomas Ptacek already has an awesome writeup. Thomas also breaks it down for us in a second post.

Wow. Very impressive.

Another problem for biometrics

2008-04-16T15:48:00.003-04:00

Termed 'biologging' is now a problem for biometric devices according to Matthew Lewis. He demoed a POC at Black Hat Amsterdam: a biometric fingerprint device that can capture fingerprints. I have not read the whitepaper yet, but I hope it's a good read.

I think that in general we place too much faith in biometric devices. These devices are still vulnerable to attack and are not the holy grail of security.

CIA Website + XSS = ???

2008-04-16T15:31:00.002-04:00

According to ma1, the CIA has a number of gaping XSS holes on its website. Why is it that this happens to sites that really should be as secure as possible and very well tested?

Oklahoma DOC is not OK

2008-04-16T15:27:00.002-04:00

TheDailyWTF.com posted on a serious information disclosure issue on Oklahoma's sex offenders website. Modifying some SQL statements (which were pseudo in the address bar) gave access to a LOT of info. Moral of the story: trusting user input is not good.

DNS in the news

2008-04-16T15:13:00.002-04:00

After a longish hiatus from posting, I'll attempt to catch up a bit, first with DNS.

kuza55 posted on an issue with Network Solutions hosting. Essentially, they use the unused subdomains of hosted sites as advertising. Not a good thing in terms of cookie handling as kuza55 points out.

The Register has a post on DNS cache poisoning and how it's still a pretty big issue. BIND is the big culprit here since they it is still (at least I assume) the biggest DNS implementation around.

And finally, Dan Kaminsky gave a presentation at RSA on DNS rebinding (from The Register) and how it "sort of breaks the entire security model of the web."

Long story short, DNS attacks seem to be on the rise.

Notacon and how busy I am

2008-04-09T21:42:00.002-04:00

Got back from Notacon and immediately went back to work, this time flying to Georgia. Wow I am busy. Notacon was great. Got to see some friends, good times.

Trapster service: good idea, bad website

2008-04-03T14:10:00.005-04:00

An article made the front page of digg about a new website called Trapster. The site allows users to mark locations on a map where cops usually hide or are currently hiding. You can get real-time updates on your phone too. Cool idea!

Naturally, I go to register. Unfortunately, no SSL is used during the logon/registration process. Say goodbye to that password, I hope it's not the same one you use for your bank account.

To be fair, they are having problems with the increased load to the site and are fixing some database things. Check out the logout error.

Ahh well, what can you do. Use SSL for logon and registration processes? Yes!

Phishing sites

2008-03-30T00:05:00.002-04:00

I've been pretty busy with a few things, so I decided to post on a few phishing sites in the interim. DO NOT visit the sites unless you know what you're doing.

Site 1, whois:
Domain ID:D19715619-LRMS
Domain Name:BUILDERS-PRO.INFO
Created On:29-Aug-2007 17:20:59 UTC
Last Updated On:28-Oct-2007 20:33:17 UTC
Expiration Date:29-Aug-2008 17:20:59 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:GODA-036803396
Registrant Name:Alex Johns
Registrant Organization:
Registrant Street1:4196 Merchant Plaza, Suite 522
Registrant Street2:
Registrant Street3:
Registrant City:Lake Ridge
Registrant State/Province:Virginia
Registrant Postal Code:22192
Registrant Country:US
Registrant Phone:+1.8037492967
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hitdoctors2005@yahoo.com
Admin ID:GODA-236803396
Admin Name:Alex Johns
Admin Organization:
Admin Street1:4196 Merchant Plaza, Suite 522
Admin Street2:
Admin Street3:
Admin City:Lake Ridge
Admin State/Province:Virginia
Admin Postal Code:22192
Admin Country:US
Admin Phone:+1.8037492967
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:hitdoctors2005@yahoo.com
Billing ID:GODA-336803396
Billing Name:Alex Johns
Billing Organization:
Billing Street1:4196 Merchant Plaza, Suite 522
Billing Street2:
Billing Street3:
Billing City:Lake Ridge
Billing State/Province:Virginia
Billing Postal Code:22192
Billing Country:US
Billing Phone:+1.8037492967
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:hitdoctors2005@yahoo.com
Tech ID:GODA-136803396
Tech Name:Alex Johns
Tech Organization:
Tech Street1:4196 Merchant Plaza, Suite 522
Tech Street2:
Tech Street3:
Tech City:Lake Ridge
Tech State/Province:Virginia
Tech Postal Code:22192
Tech Country:US
Tech Phone:+1.8037492967
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:hitdoctors2005@yahoo.com
Name Server:NS1.ACCESSONESOFTWARE.COM
Name Server:NS2.ACCESSONESOFTWARE.COM

Notice the NS1 and NS2 entries point to accessonesoftware.com, what an odd site. The site claims that some of their hosted sites were compromised and being used for phishing and other illegal things. Funny thing is that right below that notice they have links to two active phishing site 'examples!' WTF?? One of the other examples is a defacement by a hacker using the moniker "ThE sOuLs GhOsT." A google search comes up with some sites he's defaced.

Site 2, whois:
Domain Name.......... tuxhttpd.com
Creation Date........ 2008-02-25 15:16:31
Registration Date.... 2008-02-25 15:16:31
Expiry Date.......... 2009-02-25 15:16:31
Organisation Name.... xiaowen
Organisation Address. No.12 chang'an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name........... gr wen
Admin Address........ No.12 chang'an road
Admin Address........
Admin Address........ Beijing
Admin Address........ 100001
Admin Address........ BJ
Admin Address........ CN
Admin Email.......... 3498@34.com
Admin Phone.......... +86.103093034
Admin Fax............ +86.103493934

Tech Name............ gr wen
Tech Address......... No.12 chang'an road
Tech Address.........
Tech Address......... Beijing
Tech Address......... 100001
Tech Address......... BJ
Tech Address......... CN
Tech Email........... 3498@34.com
Tech Phone........... +86.103093034
Tech Fax............. +86.103493934

Bill Name............ gr wen
Bill Address......... No.12 chang'an road
Bill Address.........
Bill Address......... Beijing
Bill Address......... 100001
Bill Address......... BJ
Bill Address......... CN
Bill Email........... 3498@34.com
Bill Phone........... +86.103093034
Bill Fax............. Name Server.......... ns4.secways4.com
Name Server.......... ns3.secways4.com
Name Server.......... ns2.secways4.com
Name Server.......... ns1.secways4.com

This is a straightforward BoA phishing site, looks like it is designed for use in forged BoA e-mail messages. After entering in information, you are prompted for your password and account number details. The site then says your account will be reviewed within 24 hours and redirects you to the real BoA homepage. secways4.com doesn't resolve, but the whois info matches the above.

Site 3, phishtank already has this one. No whois info since I can't find a site for Indonesia whois data. Lame. Can glean some info from the webserver though, looks hastily configured.

Companies don't care about you

2008-03-25T09:10:00.004-04:00

New Jersey was questioning the accuracy of the results of the February primary election. The key word there is 'was.' The state used electronic voting machines made by Sequoia Voting Systems (http://www.sequoiavote.com/), and it seems that there are some discrepancies in the results. As you may know, New Jersey is home to Princeton University -- a place where some pretty smart people hang out. Long story short, there's a guy named Ed Felton who hacked the Diebold machines and is really good at this sort of thing.

Well, when Union County called for Felton to independently review the machines, Sequoia pitched a fit and threatened legal action. Surprisingly, their threat STOPPED THE INVESTIGATION! Their reason? An independent investigation would potentially disclose trade secrets.

...

That's it? Trade secrets? That's all you've got?? Let me see if I've got this -- you're more concerned with trade secrets than the integrity of elections and thus the democratic process and the principles this nation was built on? Now they say they've contracted with a federally accredited consulting firm, Wyle Laboratories, and an independent one, Kwaidan Consulting. Kwaidan doesn't seem to have a website, and if they do it's not on the first page of google results. I can't imagine they are qualified to conduct any kind of meaningful review.

I get heated when I hear about these kinds of issues. Company A weasels out of its responsibilities for the sake of profit. Company B makes a crappy product, marketed as a secure one, and refuses to be taken to task when the vulnerabilities are exposed. When you deal with confidential customer data, or information of the highest integrity, you NEED to care about privacy, security, and integrity. Ever heard of the CIA triangle? What's the answer to this? How can you make a company give a crap?

Evaluating code

2008-03-24T19:54:00.000-04:00

This is a good way to evaluate code. HA!

Sending email to the wrong address

2008-03-24T19:41:00.003-04:00

There's a post on the Emergent Chaos site on replying to 'Do Not Reply' mail. The post highlights how some companies use the domain 'donotreply.com' in do not reply mails. Too bad for those companies the domain donotreply.com is valid, and the guy who owns it posts the more interesting mails he receives.

Why would a company use donotreply.com? It makes no sense. If you trust the average user to know that donotreply.com is something he/she will NOT reply to, you might not understand why phishing schemes still work.

Click here to go to jail!

2008-03-21T09:10:00.004-04:00

I just read a thread on a new FBI plan to entice users to click on links to purported child porn. Essentially, the FBI agent sets up some honeypot server and registers it with a cheap nameserver company. Then the agent posts links to the honeypot on sites known to link to child porn. Anyone clicking on the link gets his/her IP address recorded and a raid scheduled on his/her home. Wow.

Normally I think it's great when the authorities find new ways to drive scumbags off the internet, but this is absolutely ludicrous. Just like the EU recently said that an IP address is personally identifiable, this essentially says the same thing, BUT with the added catch that it doesn't matter how you got to the honeypot. All that matters is that you were there, so you must've wanted some kiddie porn, right? Wow. Sometimes I wonder whether anyone is safe. Just wow.

Everyone is on the same page

2008-03-17T11:15:00.002-04:00

Still thinking about the ongoing problems with CAPTCHA, it looks like everyone is on the same page about this: despite the actual image being vulnerable to OCR, the real threat is the cheap labor, because that's not going away. Paying people pennies (or dollars) to solve a bunch of CAPTCHAs is almost exactly like creating a bot. The only difference is that the botherder actually has to pay a small amount of money to stay up and running.

Again, there are some problems. If CAPTCHA is still viable to keep out bots, which it is with some modifications, there's the human bot aspect (I'll call it 'hu-bot', like who-bot). In the case of hu-bots, employing widespread (strong) CAPTCHA encourages the hu-bot market and will necessitate more and more hu-bots in the employ of cybercriminals. If CAPTCHA use is discontinued, the problems associated with it stop immediately, but now there's a need for a new technology, a technology that will probably be similar to CAPTCHA in that it will successfully fool bots most of the time, but not hu-bots.

This really is a catch-22, and there is no obvious, painless solution. You could use heavy moderation to screen out many of the bots after registration (a privacy violation?), or impose strict sending limits for some specified period of time after creating the account (ultimately totally ineffective). How about beefing up e-mail spam filters (both ingress and egress filtering) as well as developing web-based spam filters for blog comments and the like. It might not be the most effective way of combating spam, but that's the most promising idea I can come up with that has any chance of defeating the hu-bots.

Really, though, who still buys into the online pharmacy and penny stock spam schemes? I have such a hard time envisioning someone reading some spam for C!4l15 or \/iagr4 and thinking "Wow, what a great deal!" Obviously I am out of touch with some segment of the population.

Nancy Grace gets OWNED

2008-03-16T12:36:00.000-04:00

This is hilarious. Thanks to Charlie for this one!

Bad News for Pacemaker Recipients

2008-03-13T10:16:00.003-04:00

Some new research does not look so good for the recipients of pacemaker + defibrillator combination units. It seems some researchers were able to not only eavesdrop on the radio signal of an Implantable Cardioverter-defibrillator (ICD), gaining information such as the patient's name, date of birth, and medical history, but could also hack the device so they could turn it off, modify the treatment schedule, or even send potentially lethal shocks to the patient's heart.

I'm not going to go into detail here since Schneier wrote a really good post on it (first link above), but the moral of the story is that security was not a factor in the design of the device.

Continuing CAPTCHA problems

2008-03-13T09:54:00.003-04:00

There's a post on RSnake's blog that caught my attention. He addresses the (possibly) most successful way to defeat CAPTCHA: using cheap labor to solve them. CAPTCHA has been on my mind a lot lately, and his post really drives home the point that no matter how easy it is to change an algorithm to make it harder to solve, effectively buying some time, the bad guys can still just pay someone a couple bucks for a couple thousand CAPTCHAs.

The part of this that I have not thought about before is how the continued use of CAPTCHA encourages this kind of cheap labor. And assuming the difficulty of breaking CAPTCHA will improve, the use of this will more than likely become more widespread. As RSnake notes, the market for breaking CAPTCHAs has already become more competitive, driving the price per solved CAPTCHA down. Maybe CAPTCHA isn't the solution since cheap labor will continue to be a problem as long as tests are easily solvable by humans. So, the million dollar question, what's the solution? Do we abandon CAPTCHA in favor of more frequent or more vigilant monitoring for spam? That's not really practical. Do we continue to use/improve CAPTCHA to make it harder for bots? That encourages the continued use of cheap labor. What a conundrum.

Image above is from the OCR Research Team. They do some really cool stuff, check them out.

Pentagon's data woes

2008-03-07T10:00:00.002-05:00

Remember that Pentagon breach that was headline news for a while? Remember how they downplayed it and effectively said it was no big deal? That's no longer the case. Pentagon officials are admitting that an "amazing amount of data" was stolen that could be very very harmful in the hands of enemies.

Interestingly, the breach "took three weeks and $4m to clean up." I can't put my finger on it, but something about that statement really irks me.

My question is this: if you have IDS, firewalls, qualified staff, knowledgeable users, etc etc etc, how the hell did this happen? I mean, your guys should be watching the IDS logs, the firewall logs, looking for suspicious e-mail attachments, etc. If suddenly you see encrypted traffic going out to some IP in Nowheresville, what do you do? Let it continue?

I must not be seeing the whole picture here because I think strange unencrypted traffic popping up suddenly and going to somewhere (probably China) would set off alarms and start big freaking red lights flashing. Does this mean that the outbound firewall rulesets were/are very lax? Does this mean the IDS is tuned too low? Does this mean people aren't looking at logs?

It never ceases to amaze me how something like this can happen simply because we, as security professionals, get too comfortable in our jobs, or fail to do our jobs completely. Or maybe it's because the users have too many requirements so the firewalls must be left open outbound. Or maybe it's because the users are disgruntled and don't care. Whatever the reason, for something like this to happen at a place like the Pentagon, security must be in a very sad state.

Phish Your Co.

2008-03-07T09:50:00.002-05:00

A post from RSnake highlights a new website: phishme.com. Essentially, you get sign off from the execs, then via phishme.com you attempt to phish your own organization -- the results of which are quantifiable. Interesting idea, although as RSnake points out, the service only detects whether a password was entered in a field, it does not retain the password or verify its validity. I think it would be interesting to see how many employees provided false passwords vs. actual passwords.

This got me thinking whether you really need phishme.com to do this sort of thing. The answer is no, but they do provide a nice service, making pretty charts and statistics, etc. Cool idea.