Monday, October 3, 2011

'confused deputy' persistence mechanism: binary planting

so this is not a new idea really, but mb worth a little thought/exploration...

most of the recent-ish binary planting research seemed to focus on remote code execution attacks. but sometimes you don't need remote root.

some ppl say this attack is old news and lame, but then other people say 'whatever lands me shell'... binary planting came up in the adaptive pentest talk at DerbyCon, and maybe even Mitnick is using it (as also mentioned in a Derby talk). so whether or not you think it is lame, it appears ppl are using it.

a few weeks back i was digging around w/ binary planting in terms of priv escalation (which coincidentally got kicked around on FD recently)...

if you don't need CWD to win, then the set of potential DLL load attempts changes a bit. lots of apps running on boxen out in the world run w/ elevated privs, so maybe there's something to leverage there. specifically pretty much any DLL load attempt that doesn't find a target could be interesting. but even back on XP the default file perms and the landing place of most DLL loads limits the attack surface available to a non-admin user. so i kinda walked away from priv escalation w/o much success.

but maybe you've got root on a box. now you want your code to persist and exec through reboots. being tricky and hiding can be nifty, but hiding in plain sight can work too. home users don't pay a bunch of attention or have a ton of knowledge, and big environments are often resource constrained and nowhere near tracking detailed state on their endpoints (integrity checking, etc).

when you're digging for someone hiding under those conditions, sometimes you want to check machines for ways they automatically exec arbitrary code. so you dig through the registry and some folders, and look at core system files... and, well, it's kinda a lot of work...

so after i re-read some of Nick Harbour's thoughts on the issue, i think he already covered this pretty well, and really alluded to the potential magnitude and complexity of this situation...

but i guess i'll add a couple thoughts. first off, Nick seems to mostly consider the issue within the OS realm, but in IRL situations deployed apps give a much larger potential surface. and like the Acros peeps point out in some of their research, there are a number of DLL loads which are pure misses (ie: the DLL doesn't reside on the system, but the system is running fine). if you're search-order hijacking a core system DLL, an investigator can home in on duplicate DLLs, or maybe on where a stub is calling the other DLL to maintain required system functionality.

but a casual review on win7 and winXP found a number of 3rd party apps that miss on calls to non-existent DLLs during normal operation. if you're hiding on a box which is regularly used by a user, there are plenty of opportunities to maintain persistence (often) without going anywhere near System32, because the apps used by the user or loaded by system administrators will happily exec correctly named files in the right location (hence the confused deputy). since the system runs fine without the DLLs in the first place, it seems like lots of these apps produce no error messages or other obvious evidence when they call a DLL which doesn't do what it was hoping for... since it's DLL hell already, one wonders how much solid version and checksum information is really available...?

and to loop right back to the privilege escalation issue... in a more modern OS where privilege escalation isn't as easily accomplished, getting your code through a user-initiated MS Office load might get you a non-admin shell where a given priv escalation technique fails. but when exploiting a missed load from a modern commercial AV product and getting a non-admin shell, the same priv esc technique pulls root...? kinda want to research that more... the "Anti-Virus" product remained blissfully unaware that it had been co-opted and was now the persistence mechanism which maintained a compromised state on the victim machine... sloppy DLL loads and no tracking of its own integrity... go figure.

not every DLL miss is a gem, but the attack surface seems pretty broad after some quick digging... browsers, media viewers, security/privacy apps, productivity apps, backup apps, etc...

the advantage to the attacker here is that the attack surface is broad and murky. app DLLs are generally not as well documented as OS components. there are more versions and less info.

plus if you change the way you look at it, maybe you don't need the code to exec on boot. if the code execs when the user performs an action, or once a week when a scan is run, the end result for the attacker is the same but now the defender has a whole lot more to look for. this isn't really a 'universal' attack method, b/c it is dependent on the app deployment posture of the environment being attacked, but even that becomes an attacker advantage b/c they aren't hiding in the same place every time. and then on the flip-side, in a given org maybe the vulnerable app is widely deployed.
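one way for a defender to get a handle on the "broad and murky" surface described above is to triage a Process Monitor trace for DLL loads that miss everywhere. this is an added example, not tooling from the post or from Acros; the trace, process names and paths are all constructed, and it assumes the CSV column names Procmon uses when you save a capture as CSV:

```python
"""Triage a Process Monitor CSV export for DLL load attempts that miss.

Constructed example for the post above (not the author's tooling):
feed it Procmon's CSV export and it lists, per process, the DLL base
names that were searched for but never found anywhere in the trace
("pure misses" as used above), with the directories that were probed.
Every process name and path below is made up.
"""
import csv
import io
from collections import defaultdict

# Procmon CSV header columns used here (assumed from the GUI's CSV export).
PROCESS, OPERATION, PATH, RESULT = "Process Name", "Operation", "Path", "Result"
MISS_RESULTS = {"NAME NOT FOUND", "PATH NOT FOUND"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def dll_misses(csv_text):
    """Return {process: {dll: sorted(dirs probed)}} for DLLs never found.

    A DLL that misses in one directory but later succeeds elsewhere is just
    the normal search order at work and is dropped; only names that missed
    in every directory of the trace survive.
    """
    misses = defaultdict(lambda: defaultdict(set))
    found = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row[PATH]
        if row[OPERATION] != "CreateFile" or not path.lower().endswith(".dll"):
            continue
        directory, _, name = path.rpartition("\\")
        proc, dll = row[PROCESS], name.lower()
        if row[RESULT] in MISS_RESULTS:
            misses[proc][dll].add(directory.lower() + "\\")
        elif row[RESULT] == "SUCCESS":
            found[proc].add(dll)
    report = {}
    for proc, dlls in misses.items():
        pure = {d: sorted(dirs) for d, dirs in dlls.items() if d not in found[proc]}
        if pure:
            report[proc] = pure
    return report


def outside_system_dirs(report):
    """Flatten to (process, dll, dir) triples for probed directories that are
    not the Windows system directories: the landing spots the post is about."""
    return sorted(
        (proc, dll, d)
        for proc, dlls in report.items()
        for dll, dirs in dlls.items()
        for d in dirs
        if not d.startswith(SYSTEM_DIRS)
    )


# Constructed trace: one normal search-order hit (version.dll), one pure miss
# in an app directory, one pure miss in a per-user directory.
SAMPLE_TRACE = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.0000001 AM","exampleapp.exe","1234","CreateFile","C:\\Program Files\\ExampleApp\\version.dll","NAME NOT FOUND","Desired Access: Read"
"9:01:02.0000002 AM","exampleapp.exe","1234","CreateFile","C:\\Windows\\System32\\version.dll","SUCCESS","Desired Access: Read"
"9:01:02.0000003 AM","exampleapp.exe","1234","CreateFile","C:\\Program Files\\ExampleApp\\plugin_helper.dll","NAME NOT FOUND","Desired Access: Read"
"9:01:02.0000004 AM","exampleapp.exe","1234","CreateFile","C:\\Windows\\System32\\plugin_helper.dll","NAME NOT FOUND","Desired Access: Read"
"9:01:03.0000001 AM","scanner.exe","2345","CreateFile","C:\\Users\\alice\\AppData\\Local\\Scanner\\lang_en.dll","PATH NOT FOUND","Desired Access: Read"
"9:01:03.0000002 AM","scanner.exe","2345","CreateFile","C:\\Users\\alice\\AppData\\Local\\Scanner\\core.dll","SUCCESS","Desired Access: Read"
"""

if __name__ == "__main__":
    for proc, dll, d in outside_system_dirs(dll_misses(SAMPLE_TRACE)):
        print(f"{proc}: {dll} missed in {d}")
```

a miss listed by this script is only a candidate; whether it matters depends on who can write to that directory, which is the file-perms check the post mentions.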

anywho, check it out and see what you think :)

Wednesday, July 6, 2011

late spring-cleaning mash-up ramblings

.:[Contemporary Attack & Defense: Lulz Teez Peez]:.

If you can not be kind, at least have the decency to be vague
By 渍 (stains)


soooo, The-State-Run-Attack-Group-That-Shall-Not-Be-Named is pwning all over... and so are plenty of other attack groups... prolly even the most nimble and motivated orgs are working hard to keep up.

some industry statements are so WTF!?!... it can be tough to tell FUD vs ignorance...?

afaik, there isn't a wealth of sharing when it comes to effective defense tactics/techniques/procedures. it is arguably important to protect some effective defensive TTPs, but certain norms are common and fatal and not often dealt with:

  • admin rights
  • pervasive broad access which often isn't auditable, much less monitored in near real time
  • feeble patching policies
  • laughable vendor-"driven" "remediation" via "anti-virus" "quarantine"
  • virtually non-existent internal segmentation
  • weak controls and non-existent near-real-time visibility on egress flows
  • virtually no control or integrity concerning the processes and executables on systems across environments large and small

imho, lulzsec gets a +1 for doing the world the service of unignorably highlighting the fact that 'dedicated attackers' can kick a lot of our asses in no time flat. some might be uncomfortable w/ that fact, but how can you ignore it? that hackolution was just tweetivized... ;)


.:[Balance in the Waves of Attack & Defense: Frivolous Musings]:.

It may be that your sole purpose in life is simply to serve as a warning to others
By 士松 (Shisong)



improvement in attack has been exponential while defense has been linear...

attack:
  • tons of excellent education opportunities
  • glamorous pen-test consultant lifestyle
  • top-tier exploit r&d shops for ninja
  • howto? take your pick: app attacks, social eng, os attacks, rented attacks, etc
  • multiple state & independent movements w/ differing and/or overlapping agendas/motivations
  • wide variety of white/grey/black profit opportunities

defense:
  • vendor hell
  • academic & CEH/CISSP ivory towers
  • individual security controls have limited effectiveness and are generally "expensive"
  • some reversing crews understanding and/or combating modern malware
  • a few outspoken 'mainstream' (?) voices (Herzog, Kaminsky, Potter, etc) continue to press to improve on the status-quo clusterfuck known as "defense-in-depth"
  • listening to environments and effectively processing data quickly into simple relevant information is arguably a key weakness


defense needs improving if only because it is a significant commitment and a lot of work to try to effectively secure even a small simple environment...

my shameless but short-winded manifesto(*) on maybe improving defense:
  • K.I.S.S.
  • intimate knowledge of what/why you permit & deny the rest
  • work w/ what you have (free-ish) first
  • push security roles and accountability to existing accountable admins, not to security orgs that shadow the IT org
  • get good at effectively parsing vast datasets into actionable and relevant information

(*): please note that the author does not claim to implement any of this effectively

as for long term improvement, gotta say +1 to mudge for highlighting the need for simpler execution environments in his shmoo keynote.


.:[Future IRL Attack & Defense: Reflections & Predictions]:.

所有的資產,在不被諒解時,都成了負債
(All assets, when misunderstood, become liabilities)
By 欣侑欣侑欣侑欣侑 (Xinyou/Urges Joyful)



.:[+]:. years ago while reading "Secrets & Lies", i was struck by the insight that inet crime mimics many aspects of IRL crime but w/ certain restrictions removed (geographic proximity, repeatability, etc)... so if IRL crime influenced inet crime, could the inverse happen? perhaps the pervasive access to knowledge as well as the ability to acquire virtually any required component may someday empower independent sophisticated IRL attack groups in accomplishing awe-inspiring feats of IRL crime... and/or vigilantes?

.:[+]:. the deep integration of technology into the fabric of society will inevitably breed and empower a somewhat anarchist element which will not respect borders, governments, and various bothersome restrictions... a class in society which picks and chooses whether or not to follow certain norms and rules, and could perhaps literally open doors which are closed to the average person...


.:[EOF+n]:.

幸福不是一切,人還有責任。
(Happiness is not everything, people have a responsibility)
By 文佩齊華 (Wen Peiqi China)


.:[+]:. doing stuff beats talking about it... so hopefully you all will hear less from me ;)

.:[+]:. to sslvis users: legit or malicious, you keep killing my terrible inefficient kludge back-end "app"... by... using the app :) i'm honored to have so much participation!!! tons of features could improve the app, i will try to make some progress after the next major milestone on the current project... yes, i know it's been over a year since the craptastic alpha was released, sry i am full of the suck :-\

.:[+]:. greetz & respect to all the amazing attackers & defenders i've been honored to share proximity with in the aether... i'm trying to keep up w/ school, but there's ppl setting a wicked pace on all sides!

.:[+]:. and thanks for reading along, and also for the comments... was getting a lot for a while, but they almost all included sketchy links so i mostly managed to keep them un-posted despite a few that slipped through ;) but i enjoyed reading them, so super belated greetz (in no specific order) to the peeps published and/or quoted as well as: 欣侑欣侑欣侑欣侑, 王辛江淑萍康, 楊愛惟, 色情成人卡通漫畫圖, MinB2139, 惠邱邱邱邱雯, 靜錢錢錢怡錢錢錢錢, 阮艳, 文佩齊華, 敬周喜, 嘉王偉, 陳佑發, 佳皓佳皓, 盈廖生家秀蔡, 吳婷婷, 雅莊王edgd春2蕙婷余惠其, 筱婷筱婷, 峻龍, 怡潔怡潔, 慶天慶天, burtong, 林尹, & 秀葉 :D



天下沒有走不通的路,沒有克服不了的困難,沒有打不敗的敵人。
(There is no dead-end road, there are no insurmountable difficulties, there is no enemy to fight who is undefeated)
By 楊宜婷俊嘉 (Yang Yi Ting handsome fine)

Wednesday, November 3, 2010

fragile software systems & risks in homogeny

well there are some things which reportedly do not belong on blogs... grrr... so here's some more of the drivel you've come to expect ;)

this here is one of those 'not sure if i should laugh or cry' links:

the most advanced fighter in the world ... was able to rack up an impressive 241-to-2 kill ratio [during war-games] ... [but] was felled by the International Date Line (IDL) ...

When the group of Raptors crossed over the IDL, multiple computer systems crashed on the planes. Everything from fuel subsystems, to navigation and partial communications were completely taken offline. Numerous attempts were made to "reboot" the systems to no avail ... the Raptors had their refueling tankers as guide dogs to "carry" them back to safety ... They had no communications or navigation


summarized pseudo misquote: "aircraft which cost $125+ million USD apiece were [disabled by] a few lines of computer code"

the F22 IDL story made me wonder if the F/A-18G that 'killed' an F-22 was able to do so particularly because of electronic warfare capabilities...? no idea, but i'd love to ask that Grizzly driver ;)

there might be a couple of take-aways here...

#1 - increasing reliance on critical computerized systems which are not backed by redundant systems and are fragile will present significant new risks. think about the F-22 design philosophy versus my favorite airborne weapons platform: the hawg!

the A-10 has "triple redundancy in its flight systems, with mechanical systems to back up double-redundant hydraulic systems ... [and] is designed to fly with one engine, one tail, one elevator and half a wing torn off." you don't have to google far on the A-10 to find a variety of stories about how well it performs under the stress of combat operations. reportedly, "the 165 Warthogs that flew in Desert Storm [had a] 95.7% mission capable rate ... the highest sortie rate of any USAF aircraft ... [while] roughly half of the total A-10 force supporting Desert Storm suffered some type of battle damage ... [just] five A-10s were lost in action".

yes, physical survivability is very different from electronic system fragility, but there may be parallels. if the F-22 is tough to target with traditional weapon systems, maybe a better approach is a big ass radio antenna and a decent fuzzer ;)

#2 - highly homogeneous systems deployed into production can fail spectacularly. relatively survivable critical systems like DNS root servers are deployed on varying hardware and software to avoid this issue. once the JSF becomes the mainstay fighter of western nations, then a similar 'vulnerability' could theoretically disable entire air forces. don't worry, all JSF code is written in C++ (wikipedia) so there won't be *any* software induced failure points... lulz...


ps: speaking of crappy code and fragile software, i recently discovered that the back-end of sslvis is b0rked. i'll be getting it fixed up, getting features added to the back-end, and moving it out of beta as soon as i can... sorry!!

Thursday, October 7, 2010

recent NSA history via Nova

some crazy tidbits in there... notably lacking in any conspiracy-foo... pbs ftw! :D

haha, so i can't embed hulu here? whatev....

http://www.hulu.com/watch/182504/nova-the-spy-factory

Wednesday, August 4, 2010

strategic subversion?

<ramble>

my boy @zenfosec was schoolin me on kung-foo flix the other day, and we got to talking about how blue-ray rips and dvd capacity seem to line up and then started wondering about how long until we see previously unknown brands of cheap electronic media players at superstores which can play the format in question... (now?)

anywho, one might observe that 'traditional'/mainstream/'western' manufacturers don't produce these devices but capitalist markets fill consumer demand in this area.

one might also observe that a significant number of rip nfo files appear to come out of china.

that could lead into speculation of whether or not a socialist culture that reportedly 'thinks' in terms of centuries and longer might make a conscious effort to undermine capitalism by using capitalism against itself...?

this might be in line w/ the idea of mass producing offensive infosec 'armies'. btw, i am very disappointed that the talk about this field outta taiwan got pulled from bh/dc. if anyone wants to share the slides, hit me w/ a gpg key ;) (also, i got to chat w/ some super smart folk in vegas n learn some nifty stuff, props to everyone involved :)

anyway... insofar as unintended consequences and blowback, it might be fair to ask if this would be a risky strategy. when a traditional soldier is discharged and leaves his barracks he gives back his primary weapons. if you imagine forward a couple decades to legions of retired technically capable trained electronic 'subversives'(?), what will the world look like to political powers seeking to control information? lots of shades of grey in there prolly ;)

</ramble>

greetz n 敬 (respect) to peeps w/ comments n the operanos chillin in the back too ;)

Wednesday, June 23, 2010

privacy trends

[premise]
the ability to collect and process massive amounts of information allows for a world where anonymity is minimized


[tracking]
i thought i remembered reading that investigators used public surveillance camera data to back-trace the craigslist killer philip markoff, but a quick glance or three at google didn't confirm that at all...

either way, the same idea played out in the whole dubai / mossad deal. cameras are all over, and if you have access to a lot of them you can start traveling back in time in a sense, back-tracing an event in your observable realm...

schneier has pointed out at length that to-date facial recognition false-positive rates render such systems ineffective. but anecdotal evidence suggests a different story when human analysts can quickly review large sets of public video data.

dubai wants more cameras, and technology drivers are expressing interest in mass video collection for further automated and auto-augmented manual analysis.

uav technology is already migrating to law enforcement applications... military developed gunshot detectors have been deployed as well. military style surveillance technology appears to be integrating into daily life relatively quickly.

automated license plate detection technology is growing, and in some places police have real-time access to computerized records which include details beyond court convictions or even incidents where a court was involved.


[physical evasion]
this brings up the whole issue of evasion. in theory tech like this could be expanded to cover more than faces. i hear there are higher grade cameras that filter IR, so this isn't entirely reliable, but then most cameras will be cheap. then there's also the fact that a white shiny blob of a person walking around might attract attention to humans and robots watching the video feed. it might be effective if employed w/ some planning as to when it is activated, and might be augmented by employing physical disguise as part of the plan if you wanted to be concealed moving to and from a location.

a more nifty technique would be lens detection and targeted energy overload of cameras (possible?), but beware false positives from people's eyes ;) also, the wake of camera failures would be an alarm that something was going down and where it was happening


[secure comms]
there really are rooms where government agencies are sucking up massive amounts of data (presumably including voice data routing over digital transports) which are apparently important enough to invoke 'state secrets' to defend. it seems like major voip providers like skype are cooperating by giving states access to at least targeted conversations. and there seems to be industry enough to support manufacture of ssl mitm devices.

as an aside, big ups to moxie for releasing the redphone app to re-give average people the ability to have a semi-anonymous phone conversation. a friend and i were in the planning stages of building a similar app, but that damn moxie clearly had more motivation, time, and ability ;)

anywho, after september 11 2001 a US lt colonel and others stood up to talk about able danger, which was a mass data-mining and information processing effort. it takes approx 16-22 years of service to attain the rank of lt colonel, so after the government says "we don't know what he's talking about" and there are claims that evidence disappeared you've kinda gotta ask "are these people crazy to fuck up their lives for 15 minutes of fame, or does the government maybe have some interest in hushing the capabilities of massive data analysis...?"

the book 'the rootkit arsenal' calls full packet capture the worst-case scenario for a root-kit operator. you dig? collecting tons of information gives you significant potential detection capabilities.

anecdotal evidence indicates that anonymous voice and data connections may not be readily available as services you can purchase.


[wikileaks / nation-states]
so we get to a place where the founder of a site dedicated to exposing information inconvenient to massive entities is apparently laying low from a nation-state...? according to da twittaz one of the last people he was seen with was valerie plame... at first i was thinking she was sibel edmonds, but all these covert secret conspiracy women just had me all mixed up ;)


[identity]
so there's always a weak link somewhere... and it seems to me that in a world where automated detection and tracking is growing, the weak link might be identity. if you can build ghost identities you can travel and exist in anonymity so long as you don't make anyone notice you, much as humans have been doing far into our past... but if you only have your natural identity then many of your words, motions, and actions may be available for later analysis to an interested party.

information may want to be free, but it seems some people want to hoard it...

Thursday, May 27, 2010

novel(?) anti-xss technique caught my eye

saw this a few weeks ago, and it stuck out b/c i'd never seen or heard of anything like it... i ran it past a few peeps i respect and they'd never seen it, so i figured i'd share :D

it's very common to find XSS in search functions on web apps where the text a user enters into the form is reflected onto the page after the form is submitted. so you hit an app and search for "foo" and on the search results page you get back the search form is populated with "foo" which you just searched for. well if someone constructs a malicious link like:

http://someapp.somedomain.edu/search.htm?q=foo"><script>evil code here...

you end up w/ an xss attack assuming the app is poorly written...

typically during web app assessments you've gotta go smack the developer and tell them to validate their inputs and encode their outputs, but this time it took me a minute to figure out what was going on... sooooo here's the resulting html src of a little PoC i put together and tested w/ google app engine and ff3.x:


<html>
<head>
<title>xsstest</title></head>
<body>
<center>
<form name='testform' action='javascript:alert(testText.value);' id='testform'>
<input name="testText" id="testText" tabindex="1" onkeyup="javascript:alert(this.value)" />
<input type="submit" name="btnTest" id="btnTest" value="testfoo" onclick="" />
</form>
</center>
</body>
</html>


so wtf is that? ok, this was based on a search form on an ajax-ish web app. there was more to the real app, but this includes all the relevant bits. when i searched on the app, i saw my inputs were reflecting in my browser so i went to check if they were html encoding them server side... but the value i was inputting in the search field never showed up in the page src... ermm, wot?

well, here's what i think is happening:


<input name="testText" id="testText" tabindex="1" onkeyup="javascript:alert(this.value)" />


note that the "value=" attribute is missing above. that makes the value attribute null when the server first serves the page. when you use the form, the app acts on your inputs using stuff like onkeyup/onkeydown, but when the user data needs to be read, it's done using the object oriented "this." convention which allows an object (here the input element) to refer to itself.

when you submitted the form the app would process your inputs, but the actual value you enter is never written to the page by the server. it exists only in memory on your client machine and is never written into html src. when the page refreshes your client browser renders the input element and snags the 'value=' value from memory and thus seems to avoid those pesky output encoding issues...?

anywho, it looks legit to me, but it's not a game changer or anything. kinda limited in its application, and doesn't do anything for sql injection, csrf, etc.
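to make the comparison concrete, here's the search field rendered server-side three ways: the classic reflected bug, the usual output-encoding fix, and the "never write the value into the markup" approach from the PoC. added example, not the author's PoC or app; the field name testText and the payload shape come from the post, the alert(1) body is constructed:

```python
"""Three server-side renderings of the PoC's search field, plus a parser
check showing which of them lets a search term inject a new tag.
Added example for the post above; not the author's code."""
import html
from html.parser import HTMLParser

# Same shape as the malicious link in the post; body is constructed.
PAYLOAD = 'foo"><script>alert(1)</script>'


def render_reflected_raw(q):
    """Classic bug: the term is written back into value= unencoded, so a
    double quote closes the attribute and the tag."""
    return '<input name="testText" id="testText" value="%s" />' % q


def render_reflected_encoded(q):
    """The usual fix: attribute-encode on output, quotes included."""
    return '<input name="testText" id="testText" value="%s" />' % html.escape(q, quote=True)


def render_client_held(q):
    """The technique from the post: the server never writes the term into the
    markup at all; the field's value lives only in the browser DOM (this.value),
    so q cannot influence the page source."""
    del q  # deliberately unused: nothing user-controlled reaches the HTML
    return ('<input name="testText" id="testText" tabindex="1" '
            'onkeyup="javascript:alert(this.value)" />')


class _Tags(HTMLParser):
    """Collects (tag, attrs) for every start tag the browser-ish parser sees."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, dict(attrs)))


def start_tags(markup):
    """Return [(tag, attrs), ...]; more than one tag here means injection."""
    p = _Tags()
    p.feed(markup)
    p.close()
    return p.seen


if __name__ == "__main__":
    for name, fn in [("raw", render_reflected_raw),
                     ("encoded", render_reflected_encoded),
                     ("client-held", render_client_held)]:
        print(name, [t for t, _ in start_tags(fn(PAYLOAD))])
```

the client-held form only covers this one reflection point; a results list or page title that echoes the term server-side still needs encoding, which is the "kinda limited" bit above.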

but still kinda nifty mb ;)