Wednesday, December 31, 2008

hashes and collisions

ok, so there's been a few blurbs about hashes and collisions lately...

this is something that caught my eye back in the day in CS class...

i am not a math guy at all (stats breaks my brain), so i am not at all qualified to speak on this topic. a hash function like md5 or sha1 or whatever takes an arbitrary-sized input and reduces it to a fixed-size output that is unique for practical purposes. so take the following md5 values:

echo "r" | md5sum
echo "rw" | md5sum
echo "rwnin" | md5sum

so each input gets a "unique" output (note that echo appends a newline, so those are really the hashes of "r\n" and so on; use echo -n if you want the bare string). but the issue is that a one, two, five, or five thousand character input always gets a 32 hex character (128-bit) output. so if you input a single character, or the entire text of hamlet, or any (or every) subset of hamlet possible, you will always get a 32 character output with md5.

as i said before, i'm not so good with math, but there is a fundamental problem here. a 32 character hex value can represent 2^128, approx 3.4x10^38, values. that's a ton!!! BUT. that huge number of values is used to represent *all arbitrary (infinite) inputs*...

and that's the problem. even sha512 gives you a fixed-length output, so by the pigeonhole principle collisions exist in any such system. for an ideal n-bit hash you'd expect to need about 2^(n/2) attempts to find one (the birthday bound), so they may be mathematically unlikely to stumble on, but they are inevitable. and md5 in particular has had real collision attacks that come in far under that bound.
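to make the pigeonhole point concrete, here's an added example (mine, not part of the original post) that truncates md5 to a small number of bits and runs a birthday search until two different inputs collide. the inputs `msg-0`, `msg-1`, ... are just constructed counters. with 24 bits you need on the order of a few thousand attempts, which is the sqrt(2^n) scaling; scale that to 128 bits and you get the ~2^64 figure for an ideal hash (real md5 attacks do far better than that):

```python
from __future__ import annotations

import hashlib
import math
from itertools import count


def output_space(hex_chars: int) -> int:
    """Number of distinct values a hex string of this length can hold (32 -> 2**128)."""
    return 16 ** hex_chars


def expected_attempts(nbits: int) -> float:
    """Birthday bound: mean number of inputs hashed before the first collision in an ideal n-bit hash."""
    return math.sqrt(math.pi / 2 * 2 ** nbits)


def truncated_md5(data: bytes, nbits: int) -> int:
    """Keep only the top nbits bits of md5(data): a toy 'small' hash with md5's structure."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - nbits)


def find_collision(nbits: int, prefix: bytes = b"msg-") -> tuple[bytes, bytes, int]:
    """Hash constructed inputs prefix+counter until two distinct ones share a truncated value.

    Returns (first_input, second_input, attempts). Terminates by pigeonhole after at most
    2**nbits + 1 inputs; in practice it lands near expected_attempts(nbits).
    """
    seen: dict[int, bytes] = {}
    for i in count():
        msg = prefix + str(i).encode()
        h = truncated_md5(msg, nbits)
        if h in seen:  # counters never repeat, so seen[h] is a different input
            return seen[h], msg, i + 1
        seen[h] = msg
    raise AssertionError("unreachable: count() never ends")


if __name__ == "__main__":
    print(f"32 hex chars can hold {output_space(32):.2e} values")
    print(f"ideal 128-bit hash: ~{expected_attempts(128):.2e} hashes to a collision")
    a, b, n = find_collision(24)
    print(f"24-bit truncation: {a!r} and {b!r} collide after {n} attempts "
          f"(expected ~{expected_attempts(24):.0f})")
```

bump nbits up a few bits at a time and watch the attempt count double every two bits; that is the whole argument in one loop.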

so it's kinda frustrating to read the vuln advisories which say "oh, most people stopped using md5 so this isn't an issue", because a few years ago there were advisories which said "we stopped using 3DES so this isn't an issue".

if we decide to place our trust in hash based certificates (which is our trust in the tubes, at the end of the day), we need to accept that someone might get lucky and fake a CA cert. the haters may say "oh well that's super unlikely". well, i guess they are the same people who say "it's stupid to buy a lottery ticket! do you know the odds!?!"

well guess what, every week or three, some lucky bastard wins the lottery. and some unlucky bastard gets struck by lightning. so don't be surprised if someone finds a collision for your hash algorithm.

Friday, December 12, 2008

ironic: /me props av company

so i've dogged on the AV industry pretty hard in the past, but i want to give some props to the peeps at McAfee Avert Labs.

i've been following them on my feeds for a while and they turn out consistently interesting and nifty blurbs about attackers. sometimes tech, and sometimes just info.

i found this portion of a recent entry particularly interesting:

Many websites employ security images to convince the user that they can feel safe logging in so long as they see a teddy bear, a train, or some other image they choose from a library when creating their profile. As phishing scams become more complex, scammers’ websites can easily start acting as proxies to the legitimate website. This isn’t in widespread use yet, but a few isolated incidents have been seen, and the technique is easy to craft: when you enter your username into the phishing site, the site turns around and queries the legitimate website for your security image. It can then display the security image to the customer to gain their trust.

that's just an awesome bit of info. attackers using their phishing sites as proxies to get your security image?!? a simple and prolly quite effective hack against pseudo-2-factor auth. it doesn't break the tubes, and there are mitigations, but it's something i'd never thought of before.

btw, the theme of that blog post is about online fraud and also users who are new to the internet, which is a topic some friends and i kicked around a while ago. we just got to the point where grandma isn't going to fall for lovebug type emails, and now we've got this emerging class of users out of china, some african nations, and other emerging economies. do we have to re-educate all of these people from scratch???

i was happy to hear from a coworker who recently got back from a trip to china that the security team he worked w/ over there is developing short (30 second) snippets about security best-practices and distributing them to their users as an ongoing practice. hopefully we'll see more stuff like that all over as time goes on...

sooooo, if avert labs isn't on your feeds, i'm poking you cause it's pretty good stuff...

anywho... lookit that, a post which props some AV peeps and ends on a hopeful note... ;)

Wednesday, December 10, 2008

ie 0day and the heap spray....

so this little writeup on the ie7 0day by hdmoore got me thinking about heap sprays and such.

that reminded me of this awesome writeup by justin schuh about turning a firefox bug into a sploit, because i think the technique he was using here was also a heap spray. (note: turns out it's not a heap spray, but similar on some levels)

i'm really curious about leveraging heap sprays in javascript enabled applications beyond the browser (such as PDFs and Flash), but i doubt i'll get motivated enough to play. i am way behind on things already!

i keep putting off my pending semi-substantial blog post too... /me sighs...

Friday, December 5, 2008

vuln report digestion

(note: this is NOT an article about responsible disclosure ;)

so i found some vulns in a commercial app a while back, and i've been working w/ the vendor to get them reported and fixed and all of that.

when i first tried to contact this reasonably large company my google search foo was weak, and i couldn't find the proper email address to report the vuln. so i started digging through the "contact us" phone numbers and making calls. after 2 hours of phone trees and transfers and being on hold, i went back to google and found the proper email address.

this is a company which makes IT products for businesses, and their security reporting contact info is buried deep enough in a page that what i found on google was someone asking my same question and someone else answering it.

so what happens if you try to do responsible disclosure on something outside the norm? how about the modem CSRF vuln disclosed by nathan the other day? here we have a consumer grade product produced by a big ass corp, and an attack which exploits default settings via one of the less well known web application attack vectors.

if you hit their contact us page to try to report this issue, you're relegated to the "general info" team. are they going to take this issue seriously? are they going to route it to the right people to get a firmware update made (to fix the busted defaults) and a notice pushed out to consumers?

this may be an application level attack, and it may be against a non-traditional target, but the disclosure was pretty similar to dropping an 0day. anyone who read his blurb and has some tech skills could be out there owning gateways right now. and if you did it right you could potentially own a lot, which could lead to a lot of other attacks.

i'll go out on a limb and speculate that privately reporting this vuln to motorola would probably be more of a pain than i went through doing my recent disclosure.

it'd be nice to see companies that produce tech products or services putting security contact info on their main "contact us" pages to help researchers who want to privately report vulns but don't want it to be an arduous journey...

Monday, November 24, 2008

more tao props - data visualization

another interesting (imo) tao article.

what jumped out at me is the attempt to take data normally displayed as text and move it into a visual format.

i've spent far too much time kicking this type of idea around (and def not enough time coding solutions: suX0r@me).

back in the day (at a corp which saw no value in log review) i was reviewing boatloads of event logs each morning, paging down through the windows messages i hadn't yet parsed out on the syslog server, and i noticed that i was looking for a visual change in the text patterns scrolling by to get my attention. when the scrolling pattern changed, i'd page up and pay attention. i know this sucks, but the job didn't give me much time, and i figured it was better than nothing.

i ended up coding up a different solution (which i'll finish and release some day, really!) which processed all these impossible to read win log data messages and turned them into useful info (ie: bob had 12,631 failed logins in the last hour).

but the visual cue thing sticks with me to this day. i've really wanted to build a visual scoreboard very very similar to the tao post for use with either log events or with network flows (kinda like bruce potter talks about; pay attn to the outliers).
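as an added illustration of the "turn the log noise into a sentence" and "pay attention to the outliers" ideas (my code, not the tool mentioned above; the log format is a constructed stand-in for syslog-forwarded windows events, not any real agent's format): it counts failed logons per user per hour and flags any user whose count dwarfs everyone else's in that hour.

```python
import re
from collections import Counter
from statistics import median

# Constructed line shape: "<Mon> <dd> <HH:MM:SS> <host> Security <eventid> <msg> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"(?P<host>\S+) Security (?P<eid>\d+) (?P<msg>.*?) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
FAILED_LOGON_IDS = {"529", "4625"}  # pre-Vista and Vista+ failed-logon event ids


def make_sample_lines() -> list[str]:
    """Constructed sample feed (not real data): successes, a few stray failures, one burst."""
    lines = []
    for i in range(200):  # bob: 200 failures inside hour 08
        lines.append(f"Nov 20 08:{i % 60:02d}:{(i * 7) % 60:02d} dc01 Security 4625 "
                     f"Logon Failure user=bob src=10.1.2.3")
    for i, user in enumerate(["alice", "carol", "dave"]):  # normal fat-fingering
        for j in range(3):
            lines.append(f"Nov 20 08:{10 + j:02d}:00 dc01 Security 4625 "
                         f"Logon Failure user={user} src=10.1.2.{20 + i}")
    for j in range(50):  # successes are noise for this question
        lines.append(f"Nov 20 08:{j % 60:02d}:30 dc01 Security 4624 "
                     f"Logon Success user=alice src=10.1.2.20")
    return lines


def failed_logons_per_user_hour(lines) -> Counter:
    """Parse lines and count failed logons keyed by (hour bucket, user); unparseable lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["eid"] not in FAILED_LOGON_IDS:
            continue
        counts[(f"{m['mon']} {m['day']} {m['hour']}:00", m["user"])] += 1
    return counts


def outliers(counts: Counter, floor: int = 10, factor: int = 5) -> list[tuple[str, str, int]]:
    """Flag (hour, user, n) when n >= floor and n exceeds factor x the median of other users that hour."""
    by_hour: dict[str, dict[str, int]] = {}
    for (hour, user), n in counts.items():
        by_hour.setdefault(hour, {})[user] = n
    flagged = []
    for hour, users in by_hour.items():
        for user, n in users.items():
            others = [v for u, v in users.items() if u != user]
            baseline = median(others) if others else 0
            if n >= floor and n > factor * baseline:
                flagged.append((hour, user, n))
    return sorted(flagged)


def report(lines) -> list[str]:
    """The one-line-per-finding summary a human can actually read."""
    return [f"{user} had {n} failed logins in hour {hour}"
            for hour, user, n in outliers(failed_logons_per_user_hour(lines))]


if __name__ == "__main__":
    for line in report(make_sample_lines()):
        print(line)
```

the median-of-others baseline is what keeps alice's three typos from lighting up next to bob; the absolute floor keeps a quiet hour with one failure from being an "outlier" against a baseline of zero.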

anyway, i'm not at a gig where i have visibility on big pipes anymore, or big syslog feeds, so all my dev in this area has halted. hopefully i'll get back to it someday...

Thursday, November 20, 2008

a couple thoughts

first up, and kinda relating to my last post, there is a really interesting blurb over at tao sec.

Who buys stolen business data? Brett Kingstone, founder of Super Vision International ... knows the answer all too well. In 2000, an intruder breached Super Vision's public-facing website and probed deep enough to snatch secrets behind the company's patented fiber-optic technology ... [which] made its way into the hands of a Chinese entrepreneur ... [who] built a new Chinese factory from scratch and began mass marketing low-priced counterfeit lighting fixtures ... "They had an entire clone of our manufacturing facility"

ouch... it matches up w/ reports we've heard over the years, from titan rain to reports of mass EU data theft coming out of china. and it matches up w/ incidents i've seen personally.

anyway, the relation to the last post is just that identifying *what you have* that is valuable, and *where it all resides*, is a pre-req to getting down to securing those assets.


also, i've done some waf work lately, and came away feeling (like many others) that they don't do much to prevent application layer attacks.

i came across a sans diary entry (linkage lost) that gave me pause tho. in my experience fighting wafs, there was a lot of trial and error finding ways around them, and those bypasses varied depending on which waf i was fighting.

until attackers make smarter bots that attempt a variety of app level attack vectors, wafs might offer worthwhile protections against asprox-like 'dumb' bot attacks.

attackers sitting at a keyboard tho? not holding my breath there ;)

Sunday, November 2, 2008


to quote many good teachers: "keep it simple stupid"

while we're on that subject, i am often stupid... ;)


ever hear something like: "who is really going to attack it? there isn't anything valuable there"

it sounds reasonable and risk management-ish because they're allocating limited infosec resources by examining the likelihood of an event. but is the conversation limited to the perception of value held by the decision makers (who might be middle management for developers, dbas, sysadmins, etc)?

someone can covet something of yours, even if you don't know you have it.

say you have a reasonable security setup. you've got layer 3 segmentation into security zones, good firewall policies segregating traffic between those zones, and you've got a decent waf protecting your web app dmz. and let's ignore any argument that a compromise could be used to leverage an attack on another system in that security zone, since most non-infosec peeps glaze over at that point.

so you're trying to convince people to take you seriously about fixing those medium-rated host configuration vulns and web app flaws, and they're telling the cio "well, we already fixed the stuff rated high, and our people are stacked up and deadlines are tight. you know those security guys, they jump at their own shadows."

so our attacker alice pokes around. there's a portion of a mundane web app that appears to be vulnerable to reflected xss. but there's no login to steal, and no sensitive information on the site or host. the app doesn't do anything with money or sensitive info.

alice determines that using dangerous values in the suspected param results in a different 200 OK page, redir, reset, or whatever. alice probes the suspected vuln and determines that a small subset of xss attacks work past the waf. even when they work, the functionality is very limited because the waf is blocking many potentially abused html elements as well as some scripting syntax.

alice can use either scripting or html to influence user navigation, but is reliant on user interaction to do it. there is no significant limitation to normal characters or the length of her reflecting input.

so she designs a phishing mail or maybe puts together a fake flash advert for the target company. it's all legit looking w/ reasonable syntax and diction, and uses logos and says something like come check our site we make cool widgets. the link contains the xss that alters the contents of the page. the user still sees your legit site, but it has a little "limited time sale" bait or something like that. it's just a subtle 'click here to buy now', but they're already kinda interested in you and your widget because they followed the link. and the price is reasonable. not a steal, but definitely on sale.

alice registered a domain and built it with your look and feel, and it says "secure" and "safe" when you click through. it doesn't use ssl when you submit, so some potential customers might dig and notice, but some wouldn't. expect your package within 7 to 10 business days :P

so in the end, there are customers who went to your site and were offered a deal. their money is with alice, and your brand was leveraged to make it happen.

even if your waf picked up the probes, and even if your admins actually investigated, the probing could be done in such a way that the attack vector is not deducible. and alice could wait a while after the probe to perform the attack, and maybe get a couple days before anyone calls your helpdesk with a concern.
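here's an added example (mine, not from the post) that ties together the asprox-style bot point from the nov 20 blurb and alice's probing above. it's a toy blocklist "waf" (two regexes i made up, not any product's ruleset) in front of a search page that reflects its input. the sample requests are constructed: the fixed-shape hex CAST/EXEC payload is the general shape the 2008 mass-sqli bots used (the hex blob is just "select 1"), and the lookalike domain is a placeholder under .example. it shows the bot's canonical payload being blocked, a one-character human tweak slipping past, alice's script-free xss passing as a live link, and output encoding in the app killing the xss regardless of what the waf does:

```python
from __future__ import annotations

import html
import re
from urllib.parse import unquote_plus

# Toy blocklist WAF: two constructed rules, about the level of a signature set tuned for known bots.
WAF_RULES = [
    # shape of the 2008 mass-SQLi bot payload: DECLARE ... CAST(0x<hex> ...) ... EXEC(
    ("sqli-cast-exec", re.compile(r"declare\s+@\w+.*?cast\s*\(\s*0x[0-9a-f]+.*?exec\s*\(", re.I | re.S)),
    # a few obvious XSS tokens; plenty of other HTML still gets through
    ("xss-tokens", re.compile(r"<\s*script|javascript:|on(?:error|load)\s*=", re.I)),
]


def waf_decision(raw_value: str) -> tuple[str, str | None]:
    """Decode the parameter the way the app would, then run the blocklist. Returns (verdict, rule)."""
    value = unquote_plus(raw_value)
    for name, rule in WAF_RULES:
        if rule.search(value):
            return ("block", name)
    return ("allow", None)


def render_vulnerable(search: str) -> str:
    """Reflects the parameter into the page unencoded: the bug alice is probing for."""
    return f"<p>results for {search}</p>"


def render_fixed(search: str) -> str:
    """Same page with output encoding; markup in the parameter becomes inert text."""
    return f"<p>results for {html.escape(search, quote=True)}</p>"


def handle_request(raw_value: str, renderer=render_vulnerable) -> tuple[str, str | None]:
    """WAF in front of the app: returns (verdict, rendered page or None when blocked)."""
    verdict, _ = waf_decision(raw_value)
    page = renderer(unquote_plus(raw_value)) if verdict == "allow" else None
    return verdict, page


# Constructed sample requests.
BOT_PAYLOAD = ("1';DECLARE @S VARCHAR(4000);SET @S=CAST(0x73656c6563742031 AS VARCHAR(4000));"
               "EXEC(@S);--")
BOT_PAYLOAD_TWEAKED = BOT_PAYLOAD.replace("DECLARE @S", "DECLARE/**/@S")  # one edit by a human
XSS_NOISY = "<script>location='http://shop-lookalike.example/'</script>"
XSS_ALICE = ('<a href="http://shop-lookalike.example/sale">'
             'limited time sale: click here to buy now</a>')


if __name__ == "__main__":
    for label, payload in [("bot", BOT_PAYLOAD), ("bot tweaked", BOT_PAYLOAD_TWEAKED),
                           ("xss noisy", XSS_NOISY), ("xss alice", XSS_ALICE)]:
        print(f"{label:12s} -> {waf_decision(payload)}")
    print("vulnerable:", handle_request(XSS_ALICE)[1])
    print("fixed:     ", handle_request(XSS_ALICE, render_fixed)[1])
```

the bot never changes its payload, so the signature earns its keep; a person adds a comment or picks an element the ruleset forgot and is through in a couple of tries. the fix that holds either way is the one in render_fixed, which is the mundane, non-sexy control the rest of this post is about.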

there are a lot of highly-effective subtle and simple attacks like this. there are proactive counter-measures that can reduce a lot of risk, but the solutions are often manual and mundane rather than sexy-terminatrix (btw: river tam ftw!) ninja hacker shit.

targeted methodical process and procedure can reduce a lot of risk, and can be implemented and maintained with relatively little manpower cost. think about that the next time you're getting wined and dined by some vendor for some 6 figure plus nifty gadget that is going to keep you safe.

there may be more value in investing in some mundane things (which might also end up improving the org overall ;)

Saturday, October 11, 2008

my hate by numbers ripoff post

ok, let's scope out to national security matters w/ this article for a min... hate by numbers ftw btw...

(alt links since the orig is 404)

The man found dead in a suitcase in Tibbetts Brook Park last week was a drug mule from the Dominican Republic who died from an apparent overdose after two packets of heroin leaked into his body, police said yesterday.

1: i'm assuming it was a big ass suitcase or he was cut up, but i'm w/ you overall. we have a country of origin for this drug smuggler's body we found...

Authorities found 50 packets of heroin, with a street value of at least $100,000, inside the man's body. They believe he was likely dumped in the park by fellow drug mules after his accidental overdose.

2: ok, i guess they prolly used a big ass suitcase then since they clearly weren't interested in cutting someone up, even for a ton of cash...

The man, who has yet to be identified

3: wait, what? we know what country he's from, but we don't know who he is? ok... that's a little weird, but reportedly they get that idea from an item in his possession which has yet to be identified.

all that aside, we don't know who he is, so i guess he covertly crossed the border on foot?

Police said that the man had probably flown to the United States on a paid mission to deliver drugs

4: i'm sorry, wtf? we accept w/o blinking that we have a known foreign-national flying into the states and government security apparatus protecting our borders from another 9/11 (TSA, INS, ICE, DHS, etc) don't know who he is?

oh, well maybe that was just a local pd spokesman mistake, right?

His fingerprints did not match any in U.S. databases, so he probably was never arrested in this country

5: oh, that was a fox news report? well wtf? don't you need to get between 2 and 10 fingerprints taken when you get a visa to visit the united states?

well, no fingerprints required if you're from one of those 27 countries which make uber passports that you'd have a pretty hard time faking... the Dominican Republic isn't on that list... what do we know about them anyway? oh, wait, we've been working with their security apparatus for at least the last three years and know they are a huge drug smuggling transit point?

are you telling me that i go through all that bullshit at the airport (even though we've already secured the cockpit) to make sure i'm not a terrorist even though i'm a US citizen and fly all the damn time... but if i'm some dude from a known drug state, i can just forge some papers and get right in?

well, maybe he faked them out somehow... was real sneaky-like...

"There could be three, four, five of these mules working together," Calabrese said, explaining how the drug transport system works. "They may be on the same plane, they may be on different planes, but they've usually got to meet up at some place because they've got to pass the drugs. They usually meet in a hotel or motel, or in an apartment nearby. They may be there for a day, maybe two, until they get the drugs to come out.

6: wait, we know all that stuff about how they operate? really? we know all that because someone has watched them before i guess? soooo, could we be watching these people now? or could we mandate an ultrasound for people coming from known countries? or we could keep them in a resort place for 3 days to see if they crap out a lot of drugs or need emergency surgery? isn't the US fighting a war on drugs? hasn't that been going on for a long time now?

gee, i hope the war on terror goes a little better than the war on drugs...

it seems like no one who has a reasonable grasp of security and risk management is callin the shots up top...

Monday, October 6, 2008

big heist?

ok, so there's been a lot of this countermedia stuff lately. no idea on how legit any of it is (/me + econ == fail)...

it didn't seem like anything about protests about the bailout bubbled up to a worthwhile story in the mainstream media, but i mighta missed it...

so supposition is: is it possible that the US is getting knocked off like a big ass bank?

big oil and corp types are elected, soo:

policy of deregulation & big business breaks put into place for 8 years == $$$
huge ongoing war started (iraq) == $$$
mindset of perpetual conflict (terror) == $$$
huge oil prices (xfer of wealth from US to uber-rich and oil-rich actors) == $$$
huge bailout to corps who failed in the free market by being dumb == $$$

i really hate the 9/11 conspiracy stuff too btw, and i've been debating whether or not to post. i've just got nothing to add to the space except mb to say that didn't people always say that a big govt coverup won't work b/c too much shit would leak and be known... could one make an argument that there is an ever broadening set of legit questions which aren't addressed by the US govt surrounding 9/11? i donno...

what i do know is that post 9/11 the US as a nation has lost touch w/ some of the wisdom of the founding fathers about keeping the gov't from getting all up in your business. and the fact is, w/ warrantless wiretapping, echelon-type information gathering has been hugely expanded. now it is theoretically possible for govt to:

- listen in on your voip and/or skype calls
- track significant data relating to online behavior (activities, patterns, interests)
- discreetly activate cell phones for audio surveillance
- track physical location via cell phone tower triangulation
- have eyes-on of physical activity in all-weather (?) at a resolution approaching 1m (out of my ass) whenever you can see the sky?

personally, i think people who say "well if you don't have anything to hide" are out of touch w/ the constitution as well as relevant historical precedent... really, they do this stuff (linkage legality not disputed here, btw)

and if you think i'm just a nut, you might be right, but lemmie point out that this falls in line w/ talks being given by potter (in that a lot can be found in applying stats to loads of raw data) and arguably dead addict (iirc: suppressing information footprints in datasets which are subject to statistical analysis can be more of a flag than existing normally within the mainstream data-set).

speaking to that latter point, you can note that hans reiser took the battery out of his cell phone when he buried his wife. the cops with him to recover her body said they walked right past it in their search, and would've never found it (read in some article i'm too lazy to cite, sry).

dropping off the grid could be raising red flags on someone's radar. similarly, using strong encryption more than the avg joe could be a flag that you warrant further watching.

stretching too far, one could speculate that subtle attacks on CA and trusted crypto infrastructure would clearly be highly guarded information, given how valuable eavesdropping on "secure" communications proved during wwII and prolly ever since...

anyway, i hear that someone slipped subtle verbiage into the bailout bill that allows the taxpayer to have some option to have some ownership in the companies being bailed out. maybe there are good-guys out there slayin dragons in the shadows... who knows...

bottom line, there is a reason that the fight for punishing your friendly telecom (who aren't interested in helping you, btw) has all but been abandoned. there's a reason no candidate is talking about this. who would want to give up that much power?

give a few $$$ to EFF, they are good peeps fighting for all of us normal folk... (i in no way speak for them, btw, they prolly think i'm a nut ;)

someday i'll post real sec stuff again... really ;)

winter is coming...

and i'm way not cool enough to be doin stuff like this... prolly... ;)


ps: phife ftw

Friday, October 3, 2008

ok, not condoning...

but i am really impressed with this bank robbery from an attack perspective...

Friday, September 12, 2008

not sure if this is good or bad...

full disclosure foo... so litchfield is a ninja and all, but i'm torn on this one...

here is a no-auth remote compromise of oracle dbs from a few months back...

NGSSoftware Insight Security Research Advisory

Name: PLSQL Injection in Oracle Application Server
Systems Affected: Oracle Application Server,,
Severity: Critical
Vendor URL:
Author: David Litchfield [ davidl at ]
Reported: 9th October 2007
Date of Public Advisory: 15th July 2008
Advisory number: #NISR15072008
CVE: CVE-2008-2589

do you see what i saw?

it was publicly disclosed in july 08, but reported to the vendor in *oct 07*. no-auth remote compromise just hanging for the better part of a year...

i'm sorry, but if it really takes that long to dev a security patch, oracle is doing something really really wrong.

this is one of those times where (imho) dropping 0day to kick vendors in the arse is completely justified. not weaponized or anything, but get that info out there. how many other peeps found that vuln and didn't disclose? no one will ever know...

ie 8 add-ons

so ie8 supports add-ons... judging by the number of ratings, not too many people are playing around yet...

the security options are disappointing, and i'd really like more visibility into how these apps are vetted. are they ms built, or community-built? i'm too lazy to register atm ;)

here's an app from wayyyyyyyyyy back in the day... prolly my first app layer foo, for doing zebulun... lulz...

Thursday, September 4, 2008

that was quick

check this vuln out:

"denial of service vulnerability that is successfully crashing the Chrome browser with all tabs"

wait a min... they said all those tabs were separate processes to avoid futzin w/ other tabs like this. so how is this working?

An issue exists in how chrome behaves with undefined-handlers in chrome.dll version A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a ’special’ character, the chrome crashes with a Google Chrome message window “Whoa! Google Chrome has crashed. Restart now?”.

think it was a fuzz?

i haven't dug around the nix source yet, but i bet the protocol handler is part of the chrome process, and receives data passed up by all of the tab processes.

those critical vulns that affect the entire browser space are still there... prolly time will tell if there are fewer, or if they're harder to get to, or easier to fix. ;)

Wednesday, September 3, 2008

google chrome security thoughts

some peeps say nay and others say mb...

looks like pdp is running w/ it as a model for changing the way we use computers...?? he doesn't say so, but it sure sounds similar...

there have been a number of vulns (carpet bombing, etc) reported so far, but i'm not too worried about those. this is beta software, so we have to expect there will be some oversights which can be exploited. so, based on what we know today, how do we see the design changes which will be present in the final release impacting security?

[process isolation]

process isolation may defeat some client side attacks... are cookies isolated to their tabs? if so, browsing separate domains via tabs may offer some protection from cookie stealing and CSRF.

this is kinda out there, but since processes are isolated, watchdogs on memory and proc usage (mb io?) may be able to identify 0day-ish attacks which are consuming resources...? that's a long shot tho...


incognito mode seems nice on many levels. i've heard jokes about how it's just a pr0n-mode, but there are many times i browse around online where i don't want to allow any web site to write anything to disk (ie: reading headlines on digg). i don't expect anything hostile to happen, but there are attacks (ie: malicious ads/apps via 3rd party content) which could be bumped into. why not use incognito for daily-browsing? might it be a reasonable alternative to running no-script, ad-block, cookie-safe, and flash-block?

i do question whether or not this is read-only, or just a more restricted jail. it seems like temporary file writes will still be required, but i'm not quite sure...

[attack vectors]

so what attacks look possible under this design?

so if users drag pop-ups out, and they get promoted to their own windows, how does that impact sec? does all retained information (cookies, history, etc) propagate to the new process for the pop'd out tab?

sandboxing seems very very good... lots of badness (malicious jscript stealing creds, keylogging, etc) is mitigated in this model. but can it be attacked? if each process is isolated, can an escalation attack upward against the master chrome process succeed in breaking the security model? that brings the question of how much chrome security depends on the isolation model being maintained (ie: how bad are things if isolation is gone; are we just back to where we were w/ browsers pre-chrome? or is it worse b/c we assumed we'd be isolated and so didn't take other sec steps)

the idea of tracking what a user has actually requested is pretty nifty. reminds me of packet-filters (old browsers) vs stateful firewalls (chrome). the comic here points out that plugins don't conform to this model, so those may be a weak-point. another issue will be whether or not a process can create a false user request. can a malicious pwnt tab process mimic some type of user request, either in the local tab or in another tab process.

sandboxing plugins reduces risk, but they can now attack upward as well? will a flaw in a plug-in feature (ie: quick-time, flash) potentially open the chrome process to attack?

another interesting tidbit in the diagram is that the chrome process links pages to plugins. can this be abused somehow? can plugins associate themselves w/ alternate pages? what makes a process eligible to be linked to a plugin process? etc etc etc...

that's all i've got for now. chrome seems to offer some nifty and refreshing looks at browser design.

Wednesday, August 27, 2008

curr.state == enveloped

runnin through my feeds this morning, and came across this great cloud post by pdp... it kinda struck a chord, so i'm using it as a launching point for this blurb.

it doesn't really fit the usage of the term, but you're already in the cloud today. your credit card info resides on many different corporate networks. so does your ssn, and your mothers maiden name, and everything about you that allows you to validate and authenticate yourself w/ all of the entities you interact w/ on a day-to-day basis. all of this information is beyond your ability to protect.

so as "the cloud" gets buzzier and buzzier, it makes sense to examine it. don't freak on me and start doing the "nonono, it's a bad security thing, get it away!!!" don't try to stop it, b/c it will flow right around you (and your tower ;) and pass you by.

business and user communities generally don't consult security peeps until the enemies are at the gate, or a shot has already been fired (and probably found a target).

it is frustrating that we have to jump up and down screaming to get noticed sometimes, but in a way the business is practicing risk management by not implementing everything we sec-folk dream up. sometimes it is really tough to accept unmitigated risks that exist within the environments we are charged with protecting, but sometimes we need to act more like actuaries studying mortality tables. when you're looking at your org, you should spend some time looking at risk at 10k meters.

we place faith and trust in many places which can be exploited today, but we feel reasonably safe. can you say that your data is less secure in the cloud than it is on your local lan? really? cause i've seen a fair number of local lans, and nearly all that i've seen have higher exposure to internal threats and dedicated external attackers than i feel comfortable with.

(some) cloud companies are going to design (some) security into their models, and it might be better than what you have today. w/ all your un-audited server shares with default 'everyone' read permissions all over the place, and mobile machines traversing between your lan and hostile networks.

some cloud companies are going to make mistakes and get owned. some data will be disclosed. some cloud companies will learn, and some of those will improve.

i heard once that the us navy seals emphasize the phrase 'it pays to be first' during BUD/S hell-week. well, sometimes it doesn't pay to be first. i remember reading a story about a soldier in bosnia during the initial deployment in the 90s. he was manning a turret in a convoy, and a rock was thrown up from the vehicle in front of him, and he was killed. doing high-speed convoys on rock roads was a new thing for that unit, and there was an unforeseen risk. that really sucks. later convoys implemented counter-measures (drive slower, protect the turret from thrown rocks, etc) to adapt to the risk.

it hurts to be the first guy when you're faced with unidentified risks. but you can't be so afraid you don't operate. so when you're out there, try to be like spike:

It's not about strength or power - you gotta be fluid ... Water can take any form. It drifts without effort one moment then pounds down in a torrent the very next

if your org starts using the cloud, and you perceive that the risks you face are increasing, develop controls and procedures to mitigate the best you can, and roll with it ;)

Wednesday, August 20, 2008

beautiful attack

via zero day: suspected insider help or coercion to get backdoored components installed in atms. the people who installed the hardware were dressed like legit technicians.

this is a beautiful attack because it can be done in broad daylight against targets that people wouldn't normally suspect. if you don't get greedy and you don't slip up, you could run an op like this for a long time before anyone caught on.

the more we push automated systems out to physically autonomous end-points, the more we'll have to worry about similar attacks. i am surprised ATM physical security is relatively single-layered...

Tuesday, August 19, 2008

quick postage

ok, so bh/dc was an interesting experience. tons of good content at bh. didn't do many talks @ dc, but dc is always different than bh.

some more on the flash space... looks like more attacks cropping up.

seems like some interesting stuff may be going on w/ the fedora servers... suck ;)

anyway, i have a boatload of projects i need to be working on...

- http malware analysis
- flash research foo
- noscript foo spawned by hoffman 1
- noscript foo spawned by hoffman 2

and prolly more... also i have to write up my bh notes... anyway, more to come at a later date.

Tuesday, August 5, 2008

flash cookies

this isn't really new, and mb it isn't even worth sharin... anywho, i'd blocked flash-cookies out of my mind until recently.

so here's the deal. you can manage cookies, and clear your privacy setting when you close your browser, but chances are that flash cookies are still being set and maintaining persistence.

worse, i think javascript can access files a client has rights to read (not sure on that), and the ~/.adobe and ~/.macromedia directories default to the read bit for others on ubuntu and gentoo from what i see.

so, if i'm right about the js bit, there you have the ability to track web sites visited, and maybe even pull data like usernames and passwords/hashes (pandora) out of flash cookies.

not the end of the world, but mb worth keeping in mind... there seems to be a moz plugin project trying to deal w/ this issue...
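as an added example (my own, not the post's code), here is a shell audit of those directories: it lists what other local users can read, shows what an open store leaks without parsing a single .sol file (the set of sites that set one), and then closes it. the home directory, store path and site names it builds are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the post: audit the ~/.adobe and ~/.macromedia trees
# for anything other local users can read, show what an open store leaks (the
# list of sites that set a shared object), and close it. The directory tree
# and site names below are constructed stand-ins for a real home directory.

# every file or directory under the given roots with the "other" read bit
# (octal 004) set, one path per line
find_world_readable() {
    find "$@" -perm -004 2>/dev/null | sort
}

# the tracking point from the post: even without reading a .sol file, a
# readable store reveals which sites set one. prints one site per line
list_sol_sites() {
    find "$@" -name '*.sol' 2>/dev/null \
      | sed 's|.*/#SharedObjects/[^/]*/||' | awk -F/ '{ print $1 }' | sort -u
}

# strip other-read/write/execute so the store is private to its owner
lock_down() {
    find "$@" -perm -004 -exec chmod o-rwx {} +
}

# constructed stand-in for $HOME with the permissive defaults the post saw
DEMO_HOME=$(mktemp -d)
STORE="$DEMO_HOME/.macromedia/Flash_Player/#SharedObjects/ABCD1234"
mkdir -p "$STORE/www.example.test" "$STORE/radio.example.test"
touch "$STORE/www.example.test/session.sol" "$STORE/radio.example.test/user.sol"
chmod -R o+rX "$DEMO_HOME/.macromedia"

echo "sites visible to any local user before lock-down:"
list_sol_sites "$DEMO_HOME/.macromedia"
BEFORE=$(find_world_readable "$DEMO_HOME/.macromedia" | wc -l | tr -d ' ')
lock_down "$DEMO_HOME/.macromedia"
AFTER=$(find_world_readable "$DEMO_HOME/.macromedia" | wc -l | tr -d ' ')
echo "world-readable entries: $BEFORE before lock-down, $AFTER after"
```

run it against a real home by passing "$HOME/.adobe" "$HOME/.macromedia" to the functions instead of the demo tree.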

raw domino ownage

everyone remember your truth tables and logic gates? :D

domino mother ucker (uckin w/ my shi;)


i have unfortunate personal interest in this blurb about game vulns... luigi seems to be the only guy tearin this space up (or at least the only one disclosing ;)

the moral here? the attack surface is growing much faster than people generally realize...


i accidentally lost my link to a better version of this story about a guy who is teaching classes to students on how to create malware... once again, here is my opinion of the av industry:

all your uber-secret mumbo-jumbo hasn't worked so good, so how about we try information sharing and public disclosure?


sucks when your free security products get you owned... the sad bit here is that i had a decent conversation w/ a bluecoat se who explained the app to me, and imo it was a very nifty concept intended to benefit the tubes at large...


flyin out tomorrow... traded places w/ paul, who has contributed far more than i to the tubes... i have (endless;) plans tho!

anywho, i've got way too many things to do before i jump on the plane, and one of those is linkage dequeue foo... ready? :D

Wednesday, July 30, 2008

up too late

got a new gig! pretty exciting. getting to focus in on web app stuff, and am working w/ folk who have some talent and exp... just bein around, listening, and asking questions should help me learn plenty of good stuff.

i'm in corp world wearing a suit atm w/ the new gig, but it's just a disguise ;)

so, along that vein of blending in but being different, i stopped looking at webapps and went back to a project brought up at my local citysec a while back. basically a discussion over how to detect malware the way potter is talking about coming up in vegas (iiuc: looking at the extremities of the bell curve of network flows to identify malware).

so i got a vm to kick around and found some live malware which was described as running over http... i've got a lot of analysis to do, and who knows if i'll ever get to what i want w/ it, but it's been interesting (and of course, there were unintended consequences ;). here are some excerpts in a .txt so the blog doesn't completely dork the formatting...

Saturday, July 19, 2008


via wikipedia:

There is some argument about what is or is not ironic, but all the different senses of irony revolve around the perceived notion of an incongruity between what is said and what is meant; or between an understanding of reality, or an expectation of a reality, and what actually happens.

so... is it ironic (per se? lol) that breaking up patterns is used to defeat IDS and WAFs, but also used to make sure you get served ads?

// split things up to **** blockers
var url = 'http://a'+'d.doublecl'+'' + embedType + '/****.';

this last bit is tangential (surprised?). imo, the net neutral crowd had better be prepared to fight the powers that be long and hard, b/c there's a lot of movers and shakers who get pushed out of $$$ if they can't find a way to start taking money for all the time you spend online...

Thursday, July 17, 2008

google stuff

ran across this as well... i guess it is a google security service for web2 stuff... need to dig up some more info, but here's what caught my attn:


User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-length: 25124
Content-Type: text/plain


*edit: futzed with whitespace to give a better idea on the amt of numbers, and gave up... i need to get a blog/layout w/o craptastic whitespace issues...

crappy code

old crappy code lingers like that huge heap of trash out in the pacific...

nothin special, just ran across these today and they caught my eye...

0x0360: .0.60;...opacity
0x0370: :.0.60;..}....*.
0x0380: html.#TB_overlay
0x0390: .{./*.ie6.hack.*
0x03a0: /.......position
0x03b0: :.absolute;.....
0x03c0: ..height:.expres
0x03d0: sion(

document.write(' \n'); //FS hide this from IE4.5 Mac by splitting the tag

* edit: removed the hex b/c of stupid whitespace
** edit: the crappy code is IE, in case i wasn't specific enough on that

Saturday, July 12, 2008

tweet tweet tweet tweet?

000 ~ Over-confidence? (vmware-player 2.0.4)
"Building the vmblock module ... The module loads perfectly in the running kernel."
001 ~ Digg is not a geek site anymore. alternatives? fark is funny...

010 ~ Pandora is cool; I am slow... Groove Salad is cool too

011 ~ This talk is looking good; very nice paper; surprised @ .docx i/o .odt :P

Hack Bureaucracy

So Shawn Moyer gave a concise Blackhat talk a few years back (which had a surprise ending ;) about 'hacking the c-suite', w/ the general idea being that it was ethical and part of the job in some situations to advocate and evangelize good security to the corp leaders in order to facilitate infosec progress.

You social engineer them for the benefit of the company and the shareholders, and everyone comes out ahead... You aren't "attacking" the leadership at your org. You're playing the game by their rules to remove roadblocks to the strategic infosec benefit of the org you work for.

Another friend of mine recently happened into a situation where he put a different twist on the benevolent corp hacking thing.

The org in question has some managers who could use some help understanding how to be leaders. Everything is bureaucratic and TPS report-ish.

If you do something w/o the proper paperwork and w/o jumping through the right hoops, then you aren't a team player and should expect a reprimand, even though you're loaded up w/ work, and everyone knows the paperwork is just CYA, and the work needs to get done right now, etc etc.

So Junior is new on the team. He's really hungry and trying to make good impressions and do good work and all of that. My buddy comes across a configuration issue that he traces back to Junior. Just a simple mistake anyone coulda made, didn't impact production systems, and didn't seem to cause ownage or anything like that. He submitted the proper paperwork for the change, it's just that the paperwork included the error but was unwittingly approved.

The problem does need to get fixed, but my friend knows that if he submits a ticket saying "fix problem X on device Y" then there will be a change control inquiry as to how the problem was introduced in the first place, and Junior will face the wrath of the managers who don't understand leadership and won't gracefully admit that they didn't do their part of the job. That will mean reprimand, pointed fingers, and all around negativity.

What Junior really needs is some positive encouragement and some gentle coaching on doing things better in the future. My friend says f this, I'm not gonna let Junior burn for no good reason. So here's how he solves the problem.

He creates the proper change paperwork to fix the mistake, but words it in a specially crafted difficult-to-comprehend fashion. He does this knowing that the manager who needs to approve the ticket is also obviously not going to review it in detail. He knows the manager will say "wtf, i don't have time to figure out what my guy is sayin here... approved" and rubber stamp it.

IMO, this is a very wicked cool hack on bureaucracy. 1st, this is altruistic. in the long run, it is the right thing to do for the infosec team at the org. 2nd, we're doing something which gets around a stupid series of access controls. 3rd, if said access controls were functional and meaningful, *THE HACK WOULDN'T WORK*... i love that last bit.

So we have an infosec guy doing something technically/maybe subversive for all of the right reasons. Kinda like hacking the c-suite. I love it... total props :D

Wednesday, July 2, 2008

random foo

go snort!!!... now i have something new i need to install and fiddle w/....

someone in the sec blog world was bitching about cell phones on planes a while back, and now we have some experimental foo to tell us mb it isn't bs... i have heard stories about interference w/ flight systems from electronics before, but nothing this substantial and focused (tho this isn't a flight system issue). i completely love how they took the issue and turned it into an attack vector in no time flat... wicked cool hacker thinking right there... the thing that sticks in my mind is that all these devices have this FCC sticker which says "this device is certified not to interfere or be vulnerable to interference", or something like that... wtf...

something i noticed while doing some web app work... i'm sure this is probably old hat to everyone, but my initial googling didn't find much... did you know that people are executing core os apps (DirectX) on servers w/ input from the client side???

td colspan="2" style="filter:progid:DXImageTransform.Microsoft.Gradient(endColorstr=...

i had no idea... how many filters are there available? from what i see, this looks like the client is saying "execute this code and pass it this data"... isn't this something we all agree is probably looking to be attacked?

nonono, it's probably another feature...

are things getting better?

so i had a very nifty conversation w/ my buddy n mentor (beware: microblogging linkage) earlier tonight.

so basically we picked up on a thread that i referenced in a prev post where schneier and ranum are talking about whether or not vuln research is ethical... well, shawn and i both believe in responsible disclosure, but we went off on a tangent about something ranum said:

Not only do we still have buffer overflows, I think it's safe to say there has not been a single category of vulnerabilities definitively eradicated ... Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not! It can't even be said to have a "design."

ok, so while i completely disagree w/ the non-disclosure argument (sry marcus, you will still always be a badass in my mind ;), i completely agree w/ what he is saying here...

i don't think our software developers are making things better overall. yes shawn, we are making a ton of progress w/ improving development frameworks to have lazy coders conform to secure defaults instead of insecure ones.

but overall, i don't feel like things are getting better. and yea, it's just a feeling. but, pretend for a min that statistically we're reducing the number of vulns introduced in each piece of code via dev education and improvements in dev frameworks. it seems that despite this percentage reduction in vulns, we're seeing an explosion in growth in the number of applications as well as the types of applications (ie: web 2).

the new apps might have vulns, but they will be the same types of vulns we've seen before for the most part, and have a chance of being mitigated by framework improvements, etc.

but the new types of apps (ie: web 2 apps) are completely new threat canvases. they are doing new things in new ways which no one has seen before. this inevitably leads to new ways to do unintended things. who knows what they will be, but if there is a way to do *anything* to a few million people who are using a site, someone can find value to leverage that to some nefarious purpose...

imo the verizon security report (full disclosure: atm i have only skimmed it) is telling us that the future holds a lot of badness... 90% of the breaches used exploits more than 6 months old, and 70+% used sploits more than a year old.

it isn't like we're not still seeing OS and core app vulns. the code being written for modern apps by companies trying to improve security is still failing. and don't forget about non-core vulns, like flash and pdf, which aren't secured by any type of common patching/updating framework. and then there's the web app world w/ SQL injection and web app foo. oh, and let's not forget other categories of vulnerable applications, like games... there is a lot of software out there (AV, backup software, etc) which has rights on our boxes and contains vulns...

there are more eyes looking for vulns all over than ever before. and most people haven't even started looking closely at the really new stuff everyone is flocking to. besides the fact that there are a couple of vulnerable browsers on the tubes atm... shawn thinks things are getting better, but i think if you catch his talk in vegas you might see that he's making my point for me... ;)

Saturday, June 28, 2008

so did you watch this vid?

my first thought when i watched the vid? look at how it hiccups when she goes up the wall, it's fake, wowdidijustgetowned?!?

how long until we see (or have we seen and i don't know it) a viral video flash 0day sploit, or something similar? flashblock and noscript are all good, until you turn em off to watch the nifty crap floating around the tubes that day...

this vid came up the other night...

just want to say we love watching your talks bruce... :D

breach waf foo

work has been keeping me busy lately... first official web app pen work was a coldfusion site, paros falsed a lot, but i managed to get some manual sqli and a few other things... fighting a waf :-\ still gotta bang that out some more and get around to writing the report... ;)

anywho, breach came by the office the other day. talked to the engineer about the technical aspects of their offering, which involves 4 ways of protecting your apps (i don't remember them all). their waf box sits out of line on a span/mirror and does the job via sending resets.

they do some analysis on your production traffic to build what boils down to a pattern matching ruleset for how your app works on the network. "this is always an integer" and "this is always a string w/ no special chars", etc. i'm sure this is understating the tech, but yea...

so that got me thinking, what if someone just has a dork for whatever your vuln is and their only interaction w/ you is the one session where they actually perform the attack, which is prepackaged for your vuln and requires no interaction (ie: recent mass sqli attacks). the WAF doesn't see the full attack until it has analyzed the packet(s), by which time the original copy of the malicious payload is on the nic of your web app server. the reset will come too late.

which brings about one of those other types of protection, which is a client shim in the TCP/IP stack which will inspect the packet for malicious payloads prior to releasing it on up to the application layer. so i guess if a waf is kinda like an ids at the app layer, i guess the breach client is like host ids.... "host web application firewall", better known as a "hwaf" (said w/ lots of throat noises ;)

another feature is that they support some common firewall featureset used so the appliance can request dynamic ruleset changes. i can't recall what it is named, and haven't googled around to find out more about it yet. but that bit got me thinkin about how grossman started combining VA and WAF, so i asked the guy if he'd heard of it and if breach was planning anything in that space. he had no idea, but then he told me this other interesting bit...

he said that now that they had a device monitoring application traffic, people have been realizing that it can be used as an application monitoring / health-check device. watching for broken links, error messages, and basically becoming an analysis and maintenance tool... reminds me of a nms for your application layer... damn nifty, and it makes so much sense... but my response was: be careful, much more of that and you won't be a security company anymore ;)

Sunday, June 22, 2008

su - v. sudo su -

ok, all this ubuntu talk has got me wanting to rant a little bit...

sudo su is bad... there's no way around it. i know it's nice to keep users happy by not making them remember yet another password. and yes, it is nice that you have to know the current password to sudo su (in the same way that you have to know the current password to run passwd unless you're root).

this stuff, however, doesn't make sudo su a good thing.

don't believe me eh? all you have to do is check wikipedia (until one of you smartasses changes it):

sudo (super user do; officially pronounced /ˈsuːduː/,[2] though /ˈsuːdoʊ/ is also common) is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user (normally the superuser) ... Before running a command with sudo, users typically supply their password. Once authenticated, and if the /etc/sudoers configuration file permits the user access, then the command is run

ok, so right now you're probably thinking that the quote doesn't support my point at all. stfu. look, just because i can edit the sudoers file to allow sudo to run su doesn't mean it's ok. i mean, i can edit the sshd conf to allow root logins, but do we think it's ok to do? i can install mysql w/ a blank sa password. i can use cleartext instead of crypto. i can find web sites with goat pr0n... wait... erm...

anyway, i understand where this fits in w/ the ubuntu community of being all warm and fuzzy and easy. but i don't have to like it. one problem is that it hinders the ability of windoz converts to understand the significance of the nix security and permissions model. but mostly i hate that it removes a layer of security. we're supposed to be about defense in depth, right?

if you get my password, i'd like it if you have to find a privilege escalation vuln and dig around for a while to root me. just using the same password again to do it seems cheap...

i know macs are kinda similar, and i don't care. and i know it isn't a big deal to most people, and i don't care about that either. i don't like sudo su, and i don't have to... grrr...

rwnin@deadwood:~$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
rwnin@deadwood:~$ sudo su -
[sudo] password for rwnin:
root@deadwood:~# cat /etc/sudoers | grep -v '^#' | sed '/^$/d'
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
root@deadwood:~# logout
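to put a scoped policy beside the rule set above, here is an added example (my own, not the post's config): it writes both as sudoers fragments and greps for rules that hand out unrestricted root. the file paths and the command list in the scoped rule are constructed for the example; rootpw is a real sudoers default that makes sudo ask for root's password instead of the caller's, which is the second password the post is asking for.

```shell
#!/bin/sh
# Added example, not from the post: the blanket "%admin ALL=(ALL) ALL" rule
# quoted above beside a scoped alternative, plus a small audit function that
# flags rules handing out unrestricted root. File paths and the commands in
# the scoped rule are constructed for this example.

WEAK_SUDOERS=$(mktemp)
SCOPED_SUDOERS=$(mktemp)

# the rule set from the post: anyone in %admin may run anything, so
# "sudo su -" turns the caller's own password into a root shell
cat > "$WEAK_SUDOERS" <<'EOF'
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
EOF

# scoped alternative (constructed): only the commands the group actually needs,
# no shells or su, and rootpw so sudo prompts for root's password rather than
# the caller's (a stolen user password alone no longer reaches root)
cat > "$SCOPED_SUDOERS" <<'EOF'
Defaults env_reset
Defaults rootpw
root ALL=(ALL) ALL
%admin ALL=(root) /usr/sbin/service apache2 restart, /usr/bin/apt-get update
EOF

# print every non-root, non-Defaults rule whose command list is ALL or names
# an explicit shell escape (su, sh, bash); exit 0 if any found, 1 if none
find_blanket_root() {
    grep -v '^#' "$1" | sed '/^$/d' | grep -v '^Defaults' \
      | awk '$1 != "root"' \
      | grep -E '(=(\([^)]*\))?[[:space:]]*(NOPASSWD:)?[[:space:]]*ALL([[:space:]]|,|$)|/su([[:space:]]|,|$)|/bash([[:space:]]|,|$)|/sh([[:space:]]|,|$))'
}

for f in "$WEAK_SUDOERS" "$SCOPED_SUDOERS"; do
    if hits=$(find_blanket_root "$f"); then
        echo "$f grants unrestricted root:"
        echo "$hits"
    else
        echo "$f: no blanket root grants"
    fi
done
```

point find_blanket_root at /etc/sudoers (as root, or via sudo) to run the same check on a live box.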


Friday, June 20, 2008

ubuntu update

so my buddy is still waiting for gentoo 2008.0 (and what month is it?)(don't get kicked from any irc forums asking questions btw), and i'm still using ubuntu as my daily box (re: the last ubuntu post)

sooooo, here's my update on this little challenge...

i am really happy w/ the OS i'm using atm... the only issue i've run into that i couldn't solve within seconds is that VLC didn't play a dvd like i expected it to (like it did w/ a diff dvd in windows) so i went upstairs and watched it on the dvd player on my tv... also, vmplayer is dead in the water w/ hardy afaik... that sucks...

but to balance that out, tons of other stuff works correctly which gives me issues on my gentoo laptop (ie: sound, truecrypt, and other stuff i can't think of atm)...

so here's my real bitch about the ubuntu community. i've got a buddy who is getting into *nix, and he tried to drop it on his laptop. since then there's been video card issues w/ Xorg and wifi issues which render the box unusable. he is pretty decent w/ RTFM and all of that, but he keeps calling me up to come fix his stuff. i kinda wanna bitch, but the sad truth is that when i go out to google issues using the ubuntu keyword, there just isn't much out there. it is as though they've taken for granted that their stuff works all the time, and don't provide detailed documentation for the people who might want to reference it...

i mean, dig into the links and compare this to this... wtf...

so i am considering contributing to the ubuntu community w/ some low level documentation, b/c i see people out there using ubuntu having problems w/ questions that aren't answered by the docs...

the truth i am willing to face up to, is that i can make ubuntu work on a variety of hardware platforms only because i cut my teeth on gentoo... i'm still happier running ubuntu day to day tho ;)


i can't justify making these all separate posts... sooooo....

#!) pdp has a post talking about some conversations he's had w/ joanna about virtualization security issues... the thing i dig about this is how he hones in on how 'normal' users aren't going to use virt tech in the way that peeps like joanna see it helping security, b/c it's just too complicated for them. anyway, i dig this b/c it kinda fits w/ my view on security today. it's just too complicated for normal users (and arguably many sec professionals ;), and someday there's gonna have to be a solution to alleviate this pressure... things will not go on like they have in the infosec industry forever imo... anywho, i don't have a solution or anything, i'm just bracing myself for unknown inevitable life-altering change...

#@) the whole hack the coffee maker deal... i'm not sure i totally agree w/ thor on the whole responsible disclosure rant he had. i mean, i agree in general, but it's a coffee maker maker, i can imagine they might be completely unresponsive to infosec issues... anywho, i love this b/c it hits on a point i'm considering doing some research on, which is basically that inet enabled devices which don't have financial incentive for being secure are probably going to have higher vuln rates than appliance networks which add value to their parent companies through being inet enabled. in this case, it's just a feature, not an active profit center, so it isn't a surprise that security hasn't been taken into acct...

##) so some math geeks figured out you can "listen in" to encrypted voip calls (via schneier) just by doing timing and size analysis on the encrypted packets. they claim 50-90% accuracy. if they aren't doing it already, i wonder if you could take candidate words and run them through a grammar checker to improve the ultimate tally.... they've gotta be doing that already tho... i live in awe of math and crypto people sometimes, but i sure don't feel any burning desire to try to become one...

#$) too many mother uckers w/ a cissp... anyway, that's kinda not really the point of this post. but as a sec generalist w/o a cissp, i'll raise my glass and say it is worth reading... also, i like this owasp certification industry hack as well...

#%) ok, i may not entirely understand this AV cloud bs, but to me it sounds like... bs.... are we saying that we're going to do our checksum checks by communicating w/ hosts over TCP/IP instead of a local file? tell me what this solves that needs solving. my AV files aren't filling up my HDD. the problem is that my AV software can get sploited before it knows what happens. i am getting more and more jaded in this area. the solution isn't some new AV magic. the solution is to stop trying to paint lipstick on the pig which is the windows security model and move to a design which is manageable a la *nix...

#^) i really need to read this face-off stuff regularly... i am too lazy to find the rss for it... i love both of these guys... despite the fact that one of them seems much more down to earth and cool based on my personal interactions as well as that of a ninja friend doing a talk @ blackhat this year ("please don't do this to me", lol)... anywho, they both know their stuff and stimulate the mind...

#&) came across this paper in the mail... very interesting attack vector which reminds me of reflection xss.... haven't digested it yet, but tacking it on to this post for giggles...

Thursday, June 19, 2008

blackhole dns

a friend and i got the inspiration to implement blackhole dns over a year back... iirc the linkage was snort hosted, but i can't find it.... basically we set up a bhdns check for all outbound web traffic to reduce malware issues.

i am quite surprised this type of thing isn't more popular... yea yea, it is blacklisting and we know that isn't totally effective, but we also know that academic ivory tower BS won't get you very far w/ the common constraints of corp america, budgets, etc etc etc. so are you better off blacklisting some sites which are known very hostile or trying to whitelist known-good stuff and then moving to a default permit posture...

anywho, i see this as one component of defense in depth, and well worth having in a lot of environments...
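for anyone who wants to try the same thing, here is an added example (mine, not the setup from the post): it turns a blocklist into a dnsmasq blackhole config and mirrors dnsmasq's suffix matching so you can check which names get sunk before you deploy it. the blocklist entries and the sink address are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: build a dnsmasq "blackhole" config from a
# blocklist and check whether a name would be sunk by it. The blocklist
# entries and the sink address are constructed for the example.

BLOCKLIST=$(mktemp)
BHDNS_CONF=$(mktemp)

# constructed blocklist: one domain per line, comments and blanks allowed
cat > "$BLOCKLIST" <<'EOF'
# known-hostile domains (constructed sample)
malware-c2.example.test
drop-zone.example.test

badsite.invalid
EOF

# sink address: 0.0.0.0 fails fast; pointing at an internal web server
# instead lets you log which hosts tried to reach a blackholed name
SINK="0.0.0.0"

# turn the list into dnsmasq address= lines; dnsmasq applies each line to the
# domain and every name under it, which is what a blackhole needs
build_bhdns_conf() {
    grep -v '^#' "$1" | sed '/^$/d' | tr 'A-Z' 'a-z' \
      | awk -v sink="$2" '{ printf "address=/%s/%s\n", $1, sink }' > "$3"
}

# mirror dnsmasq's suffix matching: a name is blackholed if it or any parent
# domain is listed. exit 0 = blackholed, 1 = resolves normally
is_blackholed() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while [ -n "$name" ]; do
        if grep -q "^address=/$name/" "$2"; then
            return 0
        fi
        case "$name" in
            *.*) name=${name#*.} ;;
            *)   name="" ;;
        esac
    done
    return 1
}

build_bhdns_conf "$BLOCKLIST" "$SINK" "$BHDNS_CONF"
cat "$BHDNS_CONF"
for host in www.malware-c2.example.test updates.example.test; do
    if is_blackholed "$host" "$BHDNS_CONF"; then
        echo "$host -> sunk to $SINK"
    else
        echo "$host -> resolves normally"
    fi
done
```

drop the generated file into dnsmasq's config directory and turn on log-queries to see which internal hosts are asking for blackholed names; that log is the detection value the post is after.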

you know you wanna touch it...

anyway, old ass article i've been saving where b gates says that touch screen tech could be the end of the mouse...

it's ironic that this comes on the heels of the great success of apple w/ the iphone (although i'll admit that i have a winblows touch phone which i grudgingly like). if anyone wonders if this is off-base or not, i'd point back to apple (note: i'm sayin billy is just jumpin on the bandwagon) being completely on-point w/ halting shipments of 3.5 floppy drives. they mb timed perfectly or perhaps even invested in and spurred the growth of the USB jump drive industry...

anyway, the reason i'm posting the link is b/c losing the mouse and moving to touch as an interface brings about some interesting possibilities w/ security in the auth space... we're all so used to dealing with passwords, but bringing tactile into the space allows for a lot of new ideas... hand positioning, touch timings, geometric passkeys, timing based auth (via touch; but this could be done w/ keyboards too)... anywho, despite coming from MS, i see this possible evolution as being full of interesting possibilities....