<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7838844338560229570</id><updated>2011-10-03T03:57:19.207+01:00</updated><category term='flash'/><category term='tps report'/><category term='shawn moyer'/><category term='cyberwar'/><category term='html5'/><category term='hashes'/><category term='blackhat'/><category term='malware'/><category term='hash'/><category term='security device'/><category term='tsa'/><category term='reject'/><category term='privacy'/><category term='wtf'/><category term='surveillance'/><category term='corporate'/><category term='chrome'/><category term='breaucracy'/><category term='electronic warfare'/><category term='firefox'/><category term='blackhole dns'/><category term='leap year'/><category term='encryption'/><category term='lateral sql injection'/><category term='defensive programming'/><category term='multitiered architecture'/><category term='extension'/><category term='storm'/><category term='full disclosure'/><category term='xss'/><category term='bruce potter'/><category term='sniffing'/><category term='botnets'/><category term='nsa'/><category term='visualization'/><category term='attack'/><category term='certificates'/><category term='mitm'/><category term='vmware'/><category term='security'/><category term='brute force'/><category term='persistence mechanism'/><category term='forensics'/><category term='oracle'/><category term='binary planting'/><category term='hate by numbers'/><category term='ie8'/><category term='obama'/><category term='echelon'/><category term='bh'/><category term='vmdk'/><category term='theft'/><category term='sslvis'/><category term='litchfield'/><category 
term='leet08'/><category term='stocks'/><category term='noscript'/><category term='ssl'/><category term='data archiving'/><category term='waf'/><category term='who watches the watchers'/><category term='tao security'/><category term='network'/><category term='defense'/><category term='defcon'/><category term='hash visualization'/><category term='crypto'/><category term='vista'/><category term='google'/><category term='sha1'/><category term='sandbox'/><category term='csrf'/><category term='value'/><category term='secure development'/><category term='0day'/><category term='certs'/><category term='javascript'/><category term='decrypt'/><category term='statcounter'/><category term='collisions'/><category term='output encoding'/><category term='search engine'/><category term='sdl'/><category term='hacking'/><category term='youtube'/><category term='collision'/><category term='confused deputy'/><category term='flashblock'/><category term='full disk encryption'/><category term='gateway'/><category term='security guidelines'/><category term='wildcard ssl'/><category term='python'/><category term='fragile systems'/><category term='dnsbh'/><category term='flash cookies'/><category term='livecd'/><category term='web application firewall'/><category term='web application security'/><category term='defrag'/><category term='kludge'/><category term='bots'/><category term='linux'/><category term='hack'/><category term='sdlc'/><category term='avfail'/><category term='potter'/><category term='p2p'/><category term='breach'/><category term='datapyning'/><category term='search results'/><category term='cloud computing'/><category term='login'/><category term='tool'/><category term='storm worm'/><category term='comcast'/><category term='ballgirl'/><category term='giorgio'/><category term='ssh'/><category term='simple'/><category term='race to zero'/><category term='terrorism'/><category term='botnet'/><category term='web app sec'/><category term='cleartext'/><category 
term='notacon'/><category term='antivirus'/><category term='change control'/><category term='feature'/><category term='leap day'/><category term='add-ons'/><category term='anonymity'/><category term='twitter'/><category term='credentials'/><category term='bow to my firewall'/><category term='https'/><category term='dnsbl'/><category term='fail'/><category term='need sleep'/><category term='md5'/><category term='useniix'/><category term='password'/><category term='drugs'/><title type='text'>rwnin security</title><subtitle type='html'>infosec stuff on the bound</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default?start-index=101&amp;max-results=100'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>130</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6893404309574864555</id><published>2011-10-03T03:48:00.002+01:00</published><updated>2011-10-03T03:57:19.240+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='avfail'/><category scheme='http://www.blogger.com/atom/ns#' term='confused deputy'/><category 
scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='persistence mechanism'/><title type='text'>'confused deputy' persistence mechanism: binary planting</title><content type='html'>so this is not a new idea really, but mb worth a little thought/exploration...&lt;br /&gt;&lt;br /&gt;most of the recent-ish binary planting research seemed to focus on remote code execution attacks.  but sometimes you don't need remote root. &lt;br /&gt;&lt;br /&gt;some ppl say this attack is old news and lame, but then other people say 'whatever lands me shell'...  binary planting came up in the adaptive pentest talk at &lt;a href="http://www.derbycon.com/"&gt;DerbyCon&lt;/a&gt;, and maybe even Mitnick is using it (as also mentioned in a Derby talk).  so whether or not you think it is lame, it appears ppl are using it.&lt;br /&gt;&lt;br /&gt;a few weeks back i was digging around w/ binary planting in terms of priv escalation (which coincidentally got &lt;a href="http://seclists.org/fulldisclosure/2011/Sep/261"&gt;kicked around on FD&lt;/a&gt; recently)...&lt;br /&gt;&lt;br /&gt;if you don't need CWD to win, then the set of potential DLL load attempts changes a bit.  lots of apps run on boxen out in the world run w/ elevated privs, so maybe there's something to leverage there.  specifically pretty much any DLL load attempt that doesn't find a target could be interesting.  but even back on XP the default file perms and the landing place of most DLL loads limits the attack surface available to a non-admin user.  so i kinda walked away from priv escalation w/o much success.&lt;br /&gt;&lt;br /&gt;but maybe you've got root on a box.  now you want your code to persist and exec through reboots.  being tricky and hiding can be nifty, but hiding in plain sight can work too.  
home users don't pay a bunch of attention or have a ton of knowledge, and big environments are often resource constrained and nowhere near tracking detailed state on their endpoints (integrity checking, etc).&lt;br /&gt;&lt;br /&gt;when you're digging for someone hiding under those conditions, sometimes you want to check machines for ways they automatically exec arbitrary code.  so you dig through the registry and some folders, and look at core system files... and, well, it's kinda a lot of work...&lt;br /&gt;&lt;br /&gt;so after i re-read &lt;a href="https://blog.mandiant.com/archives/1786"&gt;some of &lt;/a&gt;Nick Harbour's &lt;a href="http://blog.mandiant.com/archives/1207"&gt;thoughts on the issue&lt;/a&gt;, i think he already covered this pretty well, and really alluded to the potential magnitude and complexity of this situation...&lt;br /&gt;&lt;br /&gt;but i guess i'll add a couple of thoughts.  first off, Nick seems to mostly consider the issue within the OS realm, but in IRL situations deployed apps give a much larger potential surface.  and like the &lt;a href="http://www.binaryplanting.com/"&gt;Acros peeps&lt;/a&gt; point out in some of their research, there are a number of DLL loads which are pure misses (ie: the DLL doesn't reside on the system, but the system is running fine).  if you're search-order hijacking a core system DLL, an investigator can home in on duplicate DLLs, or maybe on where a stub is calling the other DLL to maintain required system functionality.&lt;br /&gt;&lt;br /&gt;but a casual review on win7 and winXP found a number of 3rd party apps that miss on calls to non-existent DLLs during normal operation.  
if you're hiding on a box which is regularly used by a user, there are plenty of opportunities to maintain persistence (often) without going anywhere near System32, because the apps used by the user or loaded by system administrators will happily exec correctly named files in the right location (hence the &lt;a href="http://en.wikipedia.org/wiki/Confused_deputy_problem"&gt;confused deputy&lt;/a&gt;).  since the system runs fine without the DLLs in the first place, it seems like lots of these apps produce no error messages or other obvious evidence when they call a DLL which doesn't do what it was hoping for...  since it's DLL hell already, one wonders how much solid version and checksum information is really available...?&lt;br /&gt;&lt;br /&gt;and to loop right back to the privilege escalation issue...  in a more modern OS where privilege escalation isn't as easily accomplished, getting your code through a user-initiated MS Office load might get you a non-admin shell where a given priv escalation technique fails.  but when exploiting a missed load from a modern commercial AV product and getting a non-admin shell, the same priv esc technique pulls root...?  kinda want to research that more...  the "Anti-Virus" product remained blissfully unaware that it had been co-opted and was now the persistence mechanism which maintained a compromised state on the victim machine...  sloppy DLL loads and no tracking of its own integrity... go figure.&lt;br /&gt;&lt;br /&gt;not every DLL miss is a gem, but the attack surface seems pretty broad after some quick digging...  browsers, media viewers, security/privacy apps, productivity apps, backup apps, etc...&lt;br /&gt;&lt;br /&gt;the advantage to the attacker here is that the attack surface is broad and murky.  app DLLs are generally not as well documented as OS components.  there are more versions and less info.&lt;br /&gt;&lt;br /&gt;plus if you change the way you look at it, maybe you don't need the code to exec on boot.  
if the code execs when the user performs an action, or once a week when a scan is run, the end result for the attacker is the same but now the defender has a whole lot more to look for.  this isn't really a 'universal' attack method, b/c it is dependent on the app deployment posture of the environment being attacked, but even that becomes an attacker advantage b/c they aren't hiding in the same place every time.  and then on the flip-side, in a given org maybe the vulnerable app is widely deployed.&lt;br /&gt;&lt;br /&gt;anywho, check it out and see what you think :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6893404309574864555?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6893404309574864555/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6893404309574864555' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6893404309574864555'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6893404309574864555'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2011/10/confused-deputy-persistence-mechanism.html' title='&apos;confused deputy&apos; persistence mechanism: binary planting'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7997172103222209237</id><published>2011-07-06T04:20:00.002+01:00</published><updated>2011-07-06T04:41:10.350+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='attack'/><category scheme='http://www.blogger.com/atom/ns#' term='defense'/><title type='text'>late spring-cleaning mash-up ramblings</title><content type='html'>&lt;span style="font-weight: bold;"&gt;.:[Contemporary Attack &amp;amp; Defense:  Lulz Teez Peez]:.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;If you can not be kind, at least have the decency to be vague&lt;br /&gt;By 渍 (stains)&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;soooo, The-State-Run-Attack-Group-That-Shall-Not-Be-Named is pwning all over... and so are plenty of other attack groups...  prolly even the most nimble and motivated orgs are working hard to keep up.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blogs.mcafee.com/corporate/cto/advanced-persistent-threat-apt"&gt;some industry statements are so WTF!?!&lt;/a&gt;...  it can be tough to tell FUD vs ignorance...?&lt;br /&gt;&lt;br /&gt;afaik, there isn't a wealth of sharing when it comes to effective defense tactics/techniques/procedures.  
protecting some effective defensive TTPs is arguably important, but certain norms are common and fatal and not often dealt with:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;admin rights&lt;/li&gt;&lt;li&gt;pervasive broad access which often isn't auditable, much less monitored in near real time&lt;/li&gt;&lt;li&gt;feeble patching policies&lt;/li&gt;&lt;li&gt;laughable vendor-"driven" "remediation" via "anti-virus" "quarantine"&lt;/li&gt;&lt;li&gt;virtually non-existent internal segmentation&lt;/li&gt;&lt;li&gt;weak controls and non-existent near-real-time visibility on egress flows&lt;/li&gt;&lt;li&gt;virtually no control or integrity concerning the processes and executables on systems across environments large and small&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;imho, lulzsec gets a +1 for doing the world the service of unignorably highlighting the fact that 'dedicated attackers' can kick a lot of our asses in no time flat.  some might be uncomfortable w/ that fact, but how can you ignore it?  that hackolution was just tweetivized... ;)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;.:[Balance in the Waves of Attack &amp;amp; Defense: Frivolous Musings]:.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;It may be that your sole purpose in life is simply to serve as a warning to others&lt;br /&gt;By 士松 (Shisong)&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;improvement in attack has been exponential while defense has been linear...&lt;br /&gt;&lt;br /&gt;attack:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;tons of excellent education opportunities&lt;/li&gt;&lt;li&gt;glamorous pen-test consultant lifestyle&lt;/li&gt;&lt;li&gt;top-tier exploit r&amp;amp;d shops for ninja&lt;/li&gt;&lt;li&gt;howto? 
take your pick: app attacks, social eng, os attacks, rented attacks, etc&lt;/li&gt;&lt;li&gt;multiple state &amp;amp; independent movements w/ differing and/or overlapping agendas/motivations&lt;/li&gt;&lt;li&gt;wide variety of white/grey/black profit opportunities&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;defense:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;vendor hell&lt;/li&gt;&lt;li&gt;academic &amp;amp; CEH/CISSP ivory towers&lt;/li&gt;&lt;li&gt;individual security controls have limited effectiveness and are generally "expensive"&lt;/li&gt;&lt;li&gt;some reversing crews understanding and/or combating modern malware&lt;/li&gt;&lt;li&gt;a few outspoken 'mainstream' (?) voices (Herzog, Kaminsky, Potter, etc) continue to press to improve on the status-quo clusterfuck known as "defense-in-depth"&lt;/li&gt;&lt;li&gt;listening to environments and effectively processing data quickly into simple relevant information is arguably a key weakness&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;defense needs improving, if only because it is a significant commitment and a lot of work to try to effectively secure even a small simple environment...&lt;br /&gt;&lt;br /&gt;my shameless but short-winded manifesto(*) on maybe improving defense:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;K.I.S.S.&lt;/li&gt;&lt;li&gt;intimate knowledge of what/why you permit &amp;amp; deny the rest&lt;/li&gt;&lt;li&gt;work w/ what you have (free-ish) first&lt;/li&gt;&lt;li&gt;push security roles and accountability to existing accountable admins, not to security orgs that shadow the IT org&lt;/li&gt;&lt;li&gt;get good at effectively parsing vast datasets into actionable and relevant information&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;(*): please note that the author does not claim to implement any of this effectively&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;as for long term improvement, gotta say &lt;a href="http://www.youtube.com/watch?v=rDP6A5NMeA4"&gt;+1 to mudge for highlighting the need for simpler execution 
environments&lt;/a&gt; in his shmoo keynote.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;.:[Future IRL Attack &amp;amp; Defense:  Reflections &amp;amp; Predictions]:.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;所有的資產，在不被諒解時，都成了負債&lt;br /&gt;(All assets, when misunderstood, become liabilities)&lt;br /&gt;By 欣侑欣侑欣侑欣侑 (Xinyou/Urges Joyful)&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;.:[+]:. years ago while reading "Secrets &amp;amp; Lies", i was struck by the insight that inet crime mimics many aspects of IRL crime but w/ certain restrictions removed (geographic proximity, repeatability, etc)...  so if IRL crime influenced inet crime, could the inverse happen?  perhaps the pervasive access to knowledge as well as the ability to acquire virtually any required component may someday empower independent sophisticated IRL attack groups in accomplishing awe-inspiring feats of IRL crime...  and/or vigilantes?&lt;br /&gt;&lt;br /&gt;.:[+]:. the deep integration of technology into the fabric of society will inevitably breed and empower a somewhat anarchist element which will not respect borders, governments, and various bothersome restrictions...  a class in society which picks and chooses whether or not to follow certain norms and rules, and could perhaps literally open doors which are closed to the average person...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;.:[EOF+n]:.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;幸福不是一切，人還有責任。&lt;br /&gt;(Happiness is not everything, people have a responsibility)&lt;br /&gt;By 文佩齊華 (Wen Peiqi China)&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;.:[+]:. doing stuff beats talking about it...  so hopefully you all will hear less from me ;)&lt;br /&gt;&lt;br /&gt;.:[+]:. to sslvis users:  legit or malicious, you keep killing my terrible inefficient kludge back-end "app"...  by... using the app :)  i'm honored to have so much participation!!!  
tons of features could improve the app, i will try to make some progress after the next major milestone on the current project...  yes, i know it's been over a year since the craptastic alpha was released, sry i am full of the suck :-\&lt;br /&gt;&lt;br /&gt;.:[+]:. greetz &amp;amp; respect to all the amazing attackers &amp;amp; defenders i've been honored to share proximity with in the aether...  i'm trying to keep up w/ school, but there's ppl setting a wicked pace on all sides!&lt;br /&gt;&lt;br /&gt;.:[+]:. and thanks for reading along, and also for the comments...  was getting a lot for a while, but they almost all included sketchy links so i mostly managed to keep them un-posted despite a few that slipped through ;)  but i enjoyed reading them, so super belated greetz (in no specific order) to the peeps published and/or quoted as well as:  欣侑欣侑欣侑欣侑, 王辛江淑萍康, 楊愛惟, 色情成人卡通漫畫圖, MinB2139, 惠邱邱邱邱雯, 靜錢錢錢怡錢錢錢錢,  阮艳, 文佩齊華, 敬周喜, 嘉王偉, 陳佑發, 佳皓佳皓, 盈廖生家秀蔡, 吳婷婷, 雅莊王edgd春2蕙婷余惠其, 筱婷筱婷, 峻龍, 怡潔怡潔, 慶天慶天, burtong, 林尹, &amp;amp; 秀葉 :D&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;天下沒有走不通的路，沒有克服不了的困難，沒有打不敗的敵人。&lt;br /&gt;(There is no dead-end road, there are no insurmountable difficulties, there is no enemy to fight who is undefeated)&lt;br /&gt;By 楊宜婷俊嘉 (Yang Yi Ting handsome fine)&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7997172103222209237?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7997172103222209237/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7997172103222209237' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7997172103222209237'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7997172103222209237'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2011/07/late-spring-cleaning-mash-up-ramblings.html' title='late spring-cleaning mash-up ramblings'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3461455980431108988</id><published>2010-11-03T03:04:00.005Z</published><updated>2010-11-03T03:59:00.493Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='electronic warfare'/><category scheme='http://www.blogger.com/atom/ns#' term='fail'/><category scheme='http://www.blogger.com/atom/ns#' term='fragile systems'/><category scheme='http://www.blogger.com/atom/ns#' term='sslvis'/><title type='text'>fragile software systems &amp; risks in homogeny</title><content type='html'>well there are some things which reportedly do not belong on blogs...  grrr...  so here's some more of the drivel you've come to expect ;)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dailytech.com/Lockheeds+F22+Raptor+Gets+Zapped+by+International+Date+Line/article6225.htm"&gt;this here&lt;/a&gt; is one of those 'not sure if i should laugh or cry' links:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;the most advanced fighter in the world ... was able to rack up an impressive 241-to-2 kill ratio [during war-games] ... [but] was felled by the International Date Line (IDL) ... &lt;br /&gt;&lt;br /&gt;When the group of Raptors crossed over the IDL, multiple computer systems crashed on the planes. Everything from fuel subsystems, to navigation and partial communications were completely taken offline. 
Numerous attempts were made to "reboot" the systems to no avail ... the Raptors had their refueling tankers as guide dogs to "carry" them back to safety ... They had no communications or navigation&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;summarized pseudo misquote:  "aircraft which cost $125+ million USD apiece were [disabled by] a few lines of computer code"&lt;br /&gt;&lt;br /&gt;the F22 IDL story made me wonder if &lt;a href="http://www.flightglobal.com/blogs/the-dewline/2009/02/growler-power-ea-18g-boasts-f-.html"&gt;the F/A-18G that 'killed' an F-22&lt;/a&gt; was able to do so particularly because of electronic warfare capabilities...?  no idea, but i'd love to ask that Grizzly driver ;)&lt;br /&gt;&lt;br /&gt;there might be a couple of take-aways here...  &lt;br /&gt;&lt;br /&gt;#1 - increasing reliance on critical computerized systems which are not backed by redundant systems and are fragile will present significant new risks.  think about the F-22 design philosophy versus my favorite airborne weapons platform:  &lt;a href="http://en.wikipedia.org/wiki/Fairchild_Republic_A-10_Thunderbolt_II"&gt;the hawg!&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;the A-10 has "triple redundancy in its flight systems, with mechanical systems to back up double-redundant hydraulic systems ... [and] is designed to fly with one engine, one tail, one elevator and half a wing torn off."  you don't have to google far on the A-10 to find a variety of stories about how well it performs under the stress of combat operations.  &lt;a href="http://www.pats-world.com/gulfwar/"&gt;reportedly&lt;/a&gt;, "the 165 Warthogs that flew in Desert Storm [had a] 95.7% mission capable rate ... the highest sortie rate of any USAF aircraft ... [while] roughly half of the total A-10 force supporting Desert Storm suffered some type of battle damage ... [just] five A-10s were lost in action".  
&lt;br /&gt;&lt;br /&gt;yes, physical survivability is very different from electronic system fragility, but there may be parallels.  if the F-22 is tough to target with traditional weapon systems, maybe a better approach is a big ass radio antenna and a decent fuzzer ;)&lt;br /&gt;&lt;br /&gt;#2 - highly homogeneous systems deployed into production can fail spectacularly.  relatively survivable critical systems like DNS root servers are deployed on varying hardware and software to avoid this issue.  once the JSF becomes the mainstay fighter of western nations, then a similar 'vulnerability' could theoretically disable entire air forces.  don't worry, &lt;a href="http://en.wikipedia.org/wiki/Lockheed_Martin_F-35_Lightning_II"&gt;all JSF code is written in C++&lt;/a&gt; (wikipedia) so there won't be *any* software induced failure points... lulz...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;ps:  speaking of crappy code and fragile software, i recently discovered that the back-end of sslvis is b0rked.  i'll be getting it fixed up, getting features added to the back-end, and moving it out of beta as soon as i can...  
sorry!!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3461455980431108988?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3461455980431108988/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3461455980431108988' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3461455980431108988'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3461455980431108988'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2010/11/fragile-software-systems-risks-in.html' title='fragile software systems &amp; risks in homogeny'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6937450880329738971</id><published>2010-10-07T15:47:00.004+01:00</published><updated>2010-10-07T16:13:32.270+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nsa'/><title type='text'>recent NSA history via Nova</title><content type='html'>some crazy tidbits in there...  notably lacking in any conspiracy-foo...  pbs ftw! :D&lt;br /&gt;&lt;br /&gt;haha, so i can't embed hulu here?  
whatev....&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.hulu.com/watch/182504/nova-the-spy-factory"&gt;http://www.hulu.com/watch/182504/nova-the-spy-factory&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6937450880329738971?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6937450880329738971/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6937450880329738971' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6937450880329738971'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6937450880329738971'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2010/10/recent-nsa-history-via-nova.html' title='recent NSA history via Nova'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1755300128326143167</id><published>2010-08-04T06:34:00.003+01:00</published><updated>2010-08-04T07:08:12.900+01:00</updated><title type='text'>strategic subversion?</title><content type='html'>&amp;lt;ramble&amp;gt;&lt;br /&gt;&lt;br /&gt;my boy @zenfosec was schoolin me on kung-foo flix the other day, and we got to talking about how Blu-ray rips and dvd capacity seem to line up and then started wondering about how long until we see previously unknown brands of cheap electronic media 
players at superstores which can play the format in question... (now?)&lt;br /&gt;&lt;br /&gt;anywho, one might observe that 'traditional'/mainstream/'western' manufacturers don't produce these devices but capitalist markets fill consumer demand in this area.&lt;br /&gt;&lt;br /&gt;one might also observe that a significant number of rip nfo files appear to come out of china.&lt;br /&gt;&lt;br /&gt;that could lead to speculation about whether or not a socialist culture that reportedly 'thinks' in terms of centuries and longer might make a conscious effort to undermine capitalism by using capitalism against itself...?&lt;br /&gt;&lt;br /&gt;this might be in line w/ the idea of mass producing offensive infosec 'armies'.  btw, i am very disappointed that the talk about this field outta taiwan got pulled from bh/dc.  if anyone wants to share the slides, hit me w/ a gpg key ;)  (also, i got to chat w/ some super smart folk in vegas n learn some nifty stuff, props to everyone involved :)&lt;br /&gt;&lt;br /&gt;anyway...  insofar as unintended consequences and blowback, it might be fair to ask if this would be a risky strategy.  when a traditional soldier is discharged and leaves his barracks he gives back his primary weapons.  if you imagine forward a couple of decades to legions of retired technically capable trained electronic 'subversives'(?), what will the world look like to political powers seeking to control information?  
lots of shades of grey in there prolly ;)&lt;br /&gt;&lt;br /&gt;&amp;lt;/ramble&amp;gt;&lt;br /&gt;&lt;br /&gt;greetz n 敬 to peeps w/ comments n the operanos chillin in the back too ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1755300128326143167?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1755300128326143167/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1755300128326143167' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1755300128326143167'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1755300128326143167'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2010/08/strategic-subversion.html' title='strategic subversion?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3122728760332986808</id><published>2010-06-23T05:45:00.004+01:00</published><updated>2010-06-24T05:22:37.249+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='surveillance'/><category scheme='http://www.blogger.com/atom/ns#' term='anonymity'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>privacy trends</title><content type='html'>[premise]&lt;br /&gt;the ability to collect and process massive amounts of information allows 
for a world where anonymity is minimized&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[tracking]&lt;br /&gt;i thought i remembered reading that investigators used public surveillance camera data to back-trace the craigslist killer philip markoff, but a quick glance or three at google didn't confirm that at all...&lt;br /&gt;&lt;br /&gt;either way, the same idea played out in the whole dubai / mossad deal.  cameras are all over, and if you have access to a lot of them you can start traveling back in time in a sense, back-tracing an event in your observable realm...  &lt;br /&gt;&lt;br /&gt;schneier has pointed out at length that to date facial recognition false-positive rates render such systems ineffective.  but anecdotal evidence suggests a different story when human analysts can quickly review large sets of public video data.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.thepeninsulaqatar.com/middle-east/54530-dubai-plans-more-cameras-after-mossad-operation.html"&gt;dubai wants more cameras&lt;/a&gt;, and &lt;a href="http://www.wired.com/dangerroom/2010/05/darpas-beady-eyed-camera-spots-the-non-cooperative/"&gt;technology drivers&lt;/a&gt; are &lt;a href="http://www.wired.com/dangerroom/2010/03/darpa-wants-self-guiding-storytelling-cameras/"&gt;expressing interest&lt;/a&gt; in &lt;a href="http://www.wired.com/dangerroom/2009/02/gigapixel-flyin/"&gt;mass video collection&lt;/a&gt; for further automated and auto-augmented manual analysis.&lt;br /&gt;&lt;br /&gt;uav technology &lt;a href="http://www.jpdo.gov/newsArticle.asp?ID=25"&gt;is already migrating&lt;/a&gt; to &lt;a href="http://www.govtech.com/gt/99934"&gt;law enforcement applications&lt;/a&gt;...  military-developed gunshot detectors &lt;a href="http://venturebeat.com/2010/02/18/gunfire-detector-recorded-sounds-of-tesla-plane-crash-in-east-palo-alto/"&gt;have been deployed&lt;/a&gt; as well.  military-style surveillance technology appears to be integrating into daily life relatively quickly.  
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/Automatic_number_plate_recognition"&gt;automated license plate detection&lt;/a&gt; technology is growing, and in some places police have real-time access to computerized records which include details beyond court convictions or even incidents where a court was involved.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[physical evasion]&lt;br /&gt;this brings up the whole issue of evasion.  in theory &lt;a href="http://hackaday.com/2008/06/27/anti-paparazzi-sunglasses/"&gt;tech like this&lt;/a&gt; could be expanded to cover &lt;a href="http://www.wonderhowto.com/how-to-make-infrared-mask-hide-your-face-from-cameras-201280/"&gt;more than faces&lt;/a&gt;.  i hear there are higher-grade cameras that filter IR, so this isn't entirely reliable, but then most cameras will be cheap.  then there's also the fact that a white shiny blob of a person walking around might attract attention from humans and robots watching the video feed.  it might be effective if employed w/ some planning as to when it is activated, and might be augmented by employing physical disguise as part of the plan if you wanted to be concealed moving to and from a location.&lt;br /&gt;&lt;br /&gt;a more nifty technique would be &lt;a href="http://www.wired.com/dangerroom/2007/04/darpa_countersn/"&gt;lens detection&lt;/a&gt; and targeted energy overload of cameras (possible?), but beware false positives from people's eyes ;)  also, the wake of camera failures would be an alarm that something was going down and where it was happening.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[secure comms]&lt;br /&gt;there &lt;a href="http://www.wired.com/science/discoveries/news/2006/04/70619"&gt;really are rooms where government agencies are sucking up massive amounts of data&lt;/a&gt; (presumably including voice data routing over digital transports) which are apparently important enough to &lt;a href="http://www.eff.org/cases/jewel"&gt;invoke 'state secrets'&lt;/a&gt; to defend. 
 it seems like &lt;a href="http://www.h-online.com/newsticker/news/item/Speculation-over-back-door-in-Skype-736607.html"&gt;major voip providers like skype are cooperating&lt;/a&gt; by giving states access to at least targeted conversations.  and there seems to be industry enough &lt;a href="http://rwnin.blogspot.com/2010/05/rwninfirefox-extension-sslvis-h-vvv.html"&gt;to support manufacture of ssl mitm devices&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;as an aside, big ups to moxie for releasing the &lt;a href="http://whispersys.com/"&gt;redphone&lt;/a&gt; app to re-give average people the ability to have a semi-anonymous phone conversation.  &lt;a href="http://twitter.com/zjdm"&gt;a friend&lt;/a&gt; and i were in the planning stages of building a similar app, but that damn moxie clearly had more motivation, time, and ability ;)&lt;br /&gt;&lt;br /&gt;anywho, after september 11 2001 a US lt colonel and others stood up to talk about able danger, which was a mass data-mining and information processing effort.  it takes approx 16-22 years of service to attain the rank of lt colonel, so after the government says "we don't know what he's talking about" and there are claims that evidence disappeared you've kinda gotta ask "are these people crazy to fuck up their lives for 15 minutes of fame, or does the government maybe have some interest in hushing the capabilities of massive data analysis...?"&lt;br /&gt;&lt;br /&gt;the book '&lt;a href="http://www.amazon.com/Rootkit-Arsenal-Escape-Evasion-Corners/dp/1598220616"&gt;the rootkit arsenal&lt;/a&gt;' calls full packet capture the worst-case scenario for a root-kit operator.  you dig?  
collecting tons of information gives you significant potential detection capabilities.&lt;br /&gt;&lt;br /&gt;anecdotal evidence indicates that anonymous voice and data connections may not be readily available as services you can purchase.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[wikileaks / nation-states]&lt;br /&gt;so we get to a place where the founder of a site dedicated to exposing information inconvenient to massive entities is apparently lying low from a nation-state...?  according to da twittaz &lt;a href="http://twitter.com/wikileaks/status/15932595193"&gt;one of the last people he was seen with&lt;/a&gt; was valerie plame...  at first i was thinking she was sibel edmonds, but all these covert secret conspiracy women just had me all mixed up ;)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[identity]&lt;br /&gt;so there's always a weak link somewhere...  and it seems to me that in a world where automated detection and tracking is growing, the weak link might be identity.  if you can build ghost identities you can travel and exist in anonymity so long as you don't make anyone notice you, much as humans have been doing far into our past...  
but if you only have your natural identity then many of your words, motions, and actions may be available for later analysis to an interested party.&lt;br /&gt;&lt;br /&gt;information may want to be free, but it seems some people want to hoard it...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3122728760332986808?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3122728760332986808/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3122728760332986808' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3122728760332986808'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3122728760332986808'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2010/06/privacy-trends.html' title='privacy trends'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1742164571859265644</id><published>2010-05-27T03:00:00.003+01:00</published><updated>2010-05-27T03:38:02.988+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='xss'/><category scheme='http://www.blogger.com/atom/ns#' term='defensive programming'/><title type='text'>novel(?) 
anti-xss technique caught my eye</title><content type='html'>saw this a few weeks ago, and it stuck out b/c i'd never seen or heard of anything like it...  i ran it past a few peeps i respect and they'd never seen it, so i figured i'd share :D&lt;br /&gt;&lt;br /&gt;it's very common to find XSS in search functions on web apps where the text a user enters into the form is reflected onto the page after the form is submitted.  so you hit an app and search for "foo" and on the search results page you get back the search form is populated with "foo" which you just searched for.  well if someone constructs a malicious link like:&lt;br /&gt;&lt;br /&gt;http://someapp.somedomain.edu/search.htm?q=foo"&amp;gt;&amp;lt;script&amp;gt;evil code here...&lt;br /&gt;&lt;br /&gt;you end up w/ an xss attack assuming the app is poorly written...&lt;br /&gt;&lt;br /&gt;typically during web app assessments you've gotta go smack the developer and tell them to validate their inputs and encode their outputs, but this time it took me a minute to figure out what was going on...  
sooooo here's the resulting html src of a little PoC i put together and tested w/ google app engine and ff3.x:&lt;br /&gt;&lt;br /&gt;&lt;code&gt;&lt;br /&gt;&amp;lt;html&amp;gt;&lt;br /&gt;&amp;lt;head&amp;gt;&lt;br /&gt;&amp;lt;title&amp;gt;xsstest&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;&lt;br /&gt;&amp;lt;body&amp;gt;&lt;br /&gt;&amp;lt;center&amp;gt;&lt;br /&gt;&amp;lt;form name=&amp;#39;testform&amp;#39; action=&amp;#39;javascript:alert(testText.value);&amp;#39; id=&amp;#39;testform&amp;#39;&amp;gt;&lt;br /&gt;&amp;lt;input name=&amp;quot;testText&amp;quot; id=&amp;quot;testText&amp;quot; tabindex=&amp;quot;1&amp;quot; onkeyup=&amp;quot;javascript:alert(this.value)&amp;quot; /&amp;gt;&lt;br /&gt;&amp;lt;input type=&amp;quot;submit&amp;quot; name=&amp;quot;btnTest&amp;quot; id=&amp;quot;btnTest&amp;quot; value=&amp;quot;testfoo&amp;quot; onclick=&amp;quot;&amp;quot; /&amp;gt;&lt;br /&gt;&amp;lt;/form&amp;gt;&lt;br /&gt;&amp;lt;/center&amp;gt;&lt;br /&gt;&amp;lt;/body&amp;gt;&lt;br /&gt;&amp;lt;/html&amp;gt;&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;&lt;br /&gt;so wtf is that?  ok, this was based on a search form on an ajax-ish web app.  there was more to the real app, but this includes all the relevant bits.  when i searched on the app, i saw my inputs were reflecting in my browser so i went to check if they were html encoding them server side...  but the value i was inputting in the search field never showed up in the page src... ermm, wot?&lt;br /&gt;&lt;br /&gt;well, here's what i think is happening:&lt;br /&gt;&lt;br /&gt;&lt;code&gt;&lt;br /&gt;&amp;lt;input name=&amp;quot;testText&amp;quot; id=&amp;quot;testText&amp;quot; tabindex=&amp;quot;1&amp;quot; onkeyup=&amp;quot;javascript:alert(this.value)&amp;quot; /&amp;gt;&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;&lt;br /&gt;note that the "value=" tag is missing above.  that makes the value attribute null when the server first serves it.  
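Here is an added example (mine, not the post's PoC or the app it describes) of the three ways a server can hand the search term back to the page: the reflecting pattern behind the attack URL above, the usual output-encoding fix, and the no-value pattern described here, each rendering passed through a crude check for the injected script element. The someapp.example host, the search() handler and the sample URL are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# "\u003c" and "\u003e" are the HTML angle-bracket characters.
LT, GT = "\u003c", "\u003e"

# Constructed attack URL in the shape the post describes: the query closes the
# value attribute and the input tag, then opens a script element.
ATTACK_URL = f'http://someapp.example/search.htm?q=foo"{GT}{LT}script{GT}alert(1){LT}/script{GT}'


def query_param(url):
    """Return the q parameter exactly as a server-side search handler receives it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def page_reflecting(q):
    """Vulnerable pattern: the raw search term is written straight back into the
    results heading and the value attribute, so a crafted q breaks out of both."""
    return (f"{LT}h2{GT}results for {q}{LT}/h2{GT}"
            f'{LT}input name="q" id="q" value="{q}" /{GT}')


def page_encoded(q):
    """Textbook fix: HTML-encode on output; quote=True also encodes the double
    quote, so the attribute cannot be terminated early."""
    safe = html.escape(q, quote=True)
    return (f"{LT}h2{GT}results for {safe}{LT}/h2{GT}"
            f'{LT}input name="q" id="q" value="{safe}" /{GT}')


def page_no_value(q):
    """The pattern the post noticed: the server never emits a value attribute, so
    the field itself cannot be a reflection point and the browser restores the
    typed text on the client. Any other reflection (the heading here) still
    needs encoding, which is why the technique is limited in scope."""
    safe = html.escape(q, quote=True)
    return (f"{LT}h2{GT}results for {safe}{LT}/h2{GT}"
            f'{LT}input name="q" id="q" onkeyup="search(this.value)" /{GT}')


def script_injected(markup):
    """Crude assessment check: did a literal script element reach the markup?"""
    return f"{LT}script{GT}" in markup


def raw_input_in_markup(markup, q):
    """Does the unencoded user input appear anywhere in the page source?"""
    return q in markup
```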
when you used the form, the app acted on your inputs using stuff like onkeyup/onkeydown, but when the user data needed to be read, it was done using the object-oriented "this." convention which allows an object to refer to itself.&lt;br /&gt;&lt;br /&gt;when you submitted the form the app would process your inputs, but the actual value you entered is never written to the page by the server.  it exists only in memory on your client machine and is never written into html src.  when the page refreshes your client browser renders the input element and snags the 'value=' value from memory and thus seems to avoid those pesky output encoding issues...?&lt;br /&gt;&lt;br /&gt;anywho, it looks legit to me, but it's not a game changer or anything.  kinda limited in its application, and doesn't do anything for sql injection, csrf, etc.  &lt;br /&gt;&lt;br /&gt;but still kinda nifty mb ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1742164571859265644?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1742164571859265644/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1742164571859265644' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1742164571859265644'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1742164571859265644'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2010/05/novel-anti-xss-technique-caught-my-eye.html' title='novel(?) 
anti-xss technique caught my eye'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7716177035423924934</id><published>2010-05-07T16:45:00.010+01:00</published><updated>2010-05-07T17:37:03.163+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='firefox'/><category scheme='http://www.blogger.com/atom/ns#' term='extension'/><category scheme='http://www.blogger.com/atom/ns#' term='wildcard ssl'/><category scheme='http://www.blogger.com/atom/ns#' term='ssl'/><category scheme='http://www.blogger.com/atom/ns#' term='mitm'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>rwnin@firefox-extension: ./sslvis -h -vvv</title><content type='html'>[sslvis: firefox extension]&lt;br /&gt;&lt;a href="https://addons.mozilla.org/en-US/firefox/addon/158232/"&gt;https://addons.mozilla.org/en-US/firefox/addon/158232/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[background]&lt;br /&gt;iirc, the basis for a lot of security assumptions on the modern intert00bz comes down to everyone trusting that the CAs will keep their promise to not issue bullcerts (technical term: bullshit certificates).&lt;br /&gt;&lt;br /&gt;but it looks like they are issuing them to governments and intelligence agencies:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.wired.com/threatlevel/2010/03/packet-forensics/"&gt;http://www.wired.com/threatlevel/2010/03/packet-forensics/&lt;/a&gt;&lt;br /&gt;&lt;a 
href="http://arstechnica.com/security/news/2010/03/govts-certificate-authorities-conspire-to-spy-on-ssl-users.ars"&gt;http://arstechnica.com/security/news/2010/03/govts-certificate-authorities-conspire-to-spy-on-ssl-users.ars&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[not to be a bitch]&lt;br /&gt;i mean, in theory all important comms should go over crypto that you manage and trust... and this can be used for 'good'.  but that doesn't change the fact that most people use these communication channels for a variety of reasons with an expectation of near absolute privacy.  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[so the theory goes]&lt;br /&gt;they are hunting someone using 'secure' public inet services and wanna do a targeted interception or run some pattern matching on a network near afghanistan to find someone.  so they do a network level tap on a choke point in the networks serving the region.  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[and?]&lt;br /&gt;the CAs gave em a valid cert, so they plug in their device and they're doin cleartext intercepts on everything going through that region.  the cert is valid, it's made out to google or sekritbadguylayer.com or whoever.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[massive qualifier]&lt;br /&gt;so do you think that cert the CA gave some snooping party is an exact match of the legit cert of the one running in production?&lt;br /&gt;&lt;br /&gt;i'm gonna guess no for the following reasons:&lt;br /&gt;&lt;br /&gt;1) the CA would be completely destroying the trust model (bad for business) if they couldn't revoke the certs&lt;br /&gt;2) maybe they simply can't reproduce a cert they issued because data wasn't kept or conditions can't be reproduced (?)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[not my idea]&lt;br /&gt;hashes are just dang hard for people to pay attention to, cause they're huge random strings.  but a few years back at bh/dc someone (kaminsky? ranum? sober?  no...) 
was talking about how you can visually represent that same hash value as a series of colors, and all of the sudden it's really easy for humans to notice when a hash changes.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[soooo]&lt;br /&gt;boiling a hash into a word is what sslvis does, and it's a very similar concept.  if you hit gmail one day and your word is 'paradox' when it always used to be 'apple' you can easily notice that those words have changed.  normally you wouldn't be alerted to the change because there are no warnings or indicators for changes to another valid cert.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[verification?]&lt;br /&gt;there may be a completely legit reason the cert changed.  certs expire, disks fail, load balancers exist, devices change, etc etc etc.  that's why sslvis sends the host, domain, tld, and hashword value to an external app server:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ai6JN2kiD6A/S-Q6ixtMnFI/AAAAAAAAAJ4/VeK1p4OgTSk/s1600/sslvis_serverdata.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 200px;" src="http://2.bp.blogspot.com/_ai6JN2kiD6A/S-Q6ixtMnFI/AAAAAAAAAJ4/VeK1p4OgTSk/s400/sslvis_serverdata.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5468560216667495506" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;br /&gt;the default server is hosted on google app engine and feeds the info into a tagcloud:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ai6JN2kiD6A/S-Q9Z7ZP8MI/AAAAAAAAAKQ/jUsT_EwJJ8U/s1600/sslvis_tagcloud.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 238px;" src="http://1.bp.blogspot.com/_ai6JN2kiD6A/S-Q9Z7ZP8MI/AAAAAAAAAKQ/jUsT_EwJJ8U/s400/sslvis_tagcloud.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5468563363184242882" 
/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;it includes a (crappy) search feature which lets you visualize the proportions of the certs other people are seeing in real-time.  it is slated to include clouds which show the results over time (vapor tagclouds atm ;).&lt;br /&gt;&lt;br /&gt;so if your google word is paradox, and that's what everyone else is seeing for the last hour, you're prolly ok to feel kinda sorta mb privatish...  kinda...&lt;br /&gt;&lt;br /&gt;but if your google word is paradox and there are no other results or just a couple others there is a stark visual cue in the juxtaposed sizing in the tag cloud...  this lets you know you're experiencing an anomaly in your connection, and mb you shouldn't proceed...?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ai6JN2kiD6A/S-Q69NQGjpI/AAAAAAAAAKI/12XyBF5byPw/s1600/sslvis_server_q.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 143px;" src="http://1.bp.blogspot.com/_ai6JN2kiD6A/S-Q69NQGjpI/AAAAAAAAAKI/12XyBF5byPw/s400/sslvis_server_q.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5468560670738255506" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;in the img above, it looks like maybe a non-malicious anomaly, since canvas is the normal word for www.google.com from what i've seen...  (should prolly implement a word search function)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[communist socialist conspiracy?!?!]&lt;br /&gt;well it kinda democratizes and visualizes the whole CA trust issue.  a sort of sunshine for crypto maybe?  again, not a new idea...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[sidenote]&lt;br /&gt;what about wildcard ssl certs?  in theory this detects them too...?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[erm, privacy?]&lt;br /&gt;yea, there is a definite loss of privacy here.  
but before anyone rants about it, you kinda need to understand that &lt;a href="http://www.wired.com/science/discoveries/news/2006/04/70619"&gt;there are rooms in major network facilities where state actors are tapping massive networks on a massive scale&lt;/a&gt;.  the fact that you go to ilovefarmanimals.com or someshadysite.com is already potentially known to a potentially interested party, even if the details of what you are doing are hidden in the SSL channel.&lt;br /&gt;&lt;br /&gt;oh, well that and you can use regexp exclusions or just disable reporting.  by default rfc1918 networks are excluded.  a trailing asterisk lets you know that a value wasn't reported.&lt;br /&gt;&lt;br /&gt;also, you can choose your remote reporting server in the extension options and the &lt;a href="http://code.google.com/p/sslvis/downloads/list"&gt;source is available &lt;/a&gt;so you can just light up one for your own network (and/or just write your own interface to capture the data, it's just a couple HTTP GET parameters).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[what else can it do?]&lt;br /&gt;well, if you capture ip information you could track and geo-locate anomalies in near-real time...  that could be kinda cool i think...&lt;br /&gt;&lt;br /&gt;it would be pretty easy for the app to report back to your browser that your result is way off from the current norm and actively alert you somehow...?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[kludges?]&lt;br /&gt;well... erm...  a lot...  but right now the data is exported via xmlhttp requests that fire each time you change focus on the tab, and not for each actual request you make...  firing on each request also kinda sucks for sites with frequent requests.  keeping tabs on what requests are made and how often is probably the way to go.&lt;br /&gt;&lt;br /&gt;(btw, i use a secondary xmlhttprequest because you can't read the public hash for an active connection from javascript easily afaik)&lt;br /&gt;&lt;br /&gt;there are more kludges...  
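The mechanism described above, as an added example that is not sslvis's own code: a plausible fingerprint-to-word mapping (the post does not give the extension's actual mapping or wordlist size), the rfc1918 reporting exclusion with regexp exclusions, a tag-cloud-style consensus check over other clients' recent reports for the same host, and the bits of the fingerprint the mapping keeps. The wordlist, fingerprints, timestamps, report log and thresholds are all constructed.

```python
import ipaddress
import math
import re

# Constructed 16-word list; the size of the real sslvis list is not stated in the post.
WORDLIST = ["apple", "canvas", "paradox", "river", "stone", "cloud", "ember",
            "harbor", "ivory", "jungle", "kettle", "lantern", "meadow",
            "nectar", "orbit", "pepper"]

# Constructed SHA-1 style fingerprints, colon-separated the way Firefox shows them.
FP_REAL = "1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09:1A:2B:3C:42"
FP_OTHER = "1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09:1A:2B:3C:4D"


def hash_to_word(fingerprint, wordlist=WORDLIST):
    """Boil a cert fingerprint down to one word: hash value modulo wordlist size.
    (Assumed mapping; the post only says a hash is turned into a word.)"""
    digits = fingerprint.replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError("fingerprint must be hex")
    return wordlist[int(digits, 16) % len(wordlist)]


def entropy_bits(wordlist=WORDLIST):
    """Bits of the fingerprint that survive the mapping: log2 of the list size.
    A SHA-1 fingerprint carries 160; the rest is thrown away, so an unrelated
    cert lands on the same word with probability 1/len(wordlist)."""
    return math.log2(len(wordlist))


def should_report(host, exclude_patterns=()):
    """Client-side filter: rfc1918 (and other private-range) hosts are not
    reported by default, nor is anything matching a user regexp exclusion."""
    try:
        if ipaddress.ip_address(host).is_private:
            return False
    except ValueError:
        pass  # a hostname rather than an IP literal: fall through to the regexps
    return not any(re.search(p, host) for p in exclude_patterns)


# Constructed server-side report log: (unix_time, host, hashword).
NOW = 1275000000
REPORTS = ([(NOW - 600, "www.google.com", "canvas")] * 39
           + [(NOW - 100, "www.google.com", "paradox")]
           + [(NOW - 7200, "www.google.com", "paradox")] * 5   # outside the window
           + [(NOW - 300, "mail.example.com", "apple")] * 3)


def verdict(reports, host, word, now=NOW, window=3600,
            min_reports=10, majority=0.5, rare=0.05):
    """What the tag cloud shows a human, as a decision: 'consensus' when most
    other clients saw our word for this host inside the window, 'mixed' when a
    fair share did (cert rotation, load balancers), 'anomaly' when almost nobody
    did, 'no-data' when there are too few reports to say. Thresholds are assumptions."""
    recent = [w for ts, h, w in reports if h == host and ts >= now - window]
    if len(recent) >= min_reports:
        share = recent.count(word) / len(recent)
        if share >= majority:
            return ("consensus", share)
        if share >= rare:
            return ("mixed", share)
        return ("anomaly", share)
    return ("no-data", 0.0)
```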
check it out for yourself, i'm def open to suggestions ;)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[downsides]&lt;br /&gt;you're losing (a ton of) entropy, so there's an increased chance an attacker could find a collision and be really tricky.  right?  a bigger wordlist and highly efficient hashing algo helps there mb...?  it might make sense to just report the actual hash back to the server, or pass it as a sanity-check parameter.  not sure what (if any) privacy ramifications that might have.&lt;br /&gt;&lt;br /&gt;also the app currently has no anti-fraud capabilities.  rate-limiting prolly makes sense server-side, and client-side the user could be subjected to some captcha-esque process that issues a cert to check for humans vs cylons.&lt;br /&gt;&lt;br /&gt;the app is currently cleartext comms, so a mitm could mitm you when you use it ;)&lt;br /&gt;&lt;br /&gt;oh, and this all only works if the snoopers aren't getting exact copies of certs, either from the CAs or from a compromised certificate store.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[other?]&lt;br /&gt;there are some bugs and unimplemented features...  and the app is still in the sandbox since i'm not done testing and adding features.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[coda]&lt;br /&gt;that's all...  for now...  
:)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7716177035423924934?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7716177035423924934/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7716177035423924934' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7716177035423924934'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7716177035423924934'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2010/05/rwninfirefox-extension-sslvis-h-vvv.html' title='rwnin@firefox-extension: ./sslvis -h -vvv'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ai6JN2kiD6A/S-Q6ixtMnFI/AAAAAAAAAJ4/VeK1p4OgTSk/s72-c/sslvis_serverdata.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-593624539955926389</id><published>2010-04-19T22:55:00.003+01:00</published><updated>2010-04-19T23:32:41.948+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyberwar'/><category scheme='http://www.blogger.com/atom/ns#' term='network'/><category scheme='http://www.blogger.com/atom/ns#' term='fail'/><category scheme='http://www.blogger.com/atom/ns#' term='defense'/><category scheme='http://www.blogger.com/atom/ns#' 
term='security'/><title type='text'>why it sucks to be an infosec defense guy &amp; an example of real-world cyberwar</title><content type='html'>i got a chance to &lt;a href="http://www.npr.org/templates/story/story.php?storyId=126097038"&gt;listen to Richard Clarke talk w/ Terry Gross on Fresh Air&lt;/a&gt; today, and while it was full of a lot of the things that suck about listening to mass-media talk about infosec, there were definitely some gems...&lt;br /&gt;&lt;br /&gt;i'd say it's worth a listen...  anywho, onto the content:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[why it sucks to be an infosec defense guy]&lt;br /&gt;&lt;br /&gt;@ 02:20&lt;br /&gt;&lt;br /&gt;"somehow from a thumb-drive, a virus a worm got into the classified network, which is supposed to be a closed loop network, of CENTCOM and attacked compromised thousands of computers of our warfighters in Iraq and Afghanistan and probably exfiltrated large amounts of information to someplace in the internet [in December 2008]"&lt;br /&gt;&lt;br /&gt;ok, so this blurb says two things to me.&lt;br /&gt;&lt;br /&gt;1) "it attacked and infected thousands of computers on a closed-loop network" - there's a lot of assumption here, but when i hear about worms spreading in closed networks, it makes me say '&lt;span style="font-weight:bold;"&gt;oh you didn't apply security patches to those machines because you thought they were safe&lt;/span&gt;'.  unless this thumb-drive was full of 0day, this incident is classic failure to follow best-practices because you assumed some other layer of defense would keep you safe.&lt;br /&gt;&lt;br /&gt;2) and wait, was this "closed-loop" network airgapped?  well, clearly it wasn't if you were able to exfiltrate any data out of it to the internet.  and even if it wasn't an airgapped network, why the #@%(*@#%* are you letting this classified military network which supports men &amp; women with guns TALK TO THE INTERNET?!?!  
srsly guys, &lt;span style="font-weight:bold;"&gt;you know firewall policies can be set to block traffic leaving your network too, right?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;this kind of stuff just sucks.  here you have a network which should be one of the most secured in the world, and has tons of resources dedicated to protecting it, and it falls flat on its face w/ two well known best practices.  when .mils aren't doin this stuff, you know that corp networks are probably worse.  how can you tell me to help protect you if you're unwilling to patch and control your network?  and you're surprised when bad things happen to you?  srsly?&lt;br /&gt;&lt;br /&gt;we know how to do so much good defensive stuff, but it's a lot of mundane process and procedure.  it takes cycles and people, and it takes some documentation and training, some audit and enforcement, and it takes some effort and work.  and it seems like no one is doing it...  booo :(&lt;br /&gt;&lt;br /&gt;oh well...  c'est la vie&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[an example of real-world cyberwar]&lt;br /&gt;&lt;br /&gt;as a bonus...&lt;br /&gt;&lt;br /&gt;remember when &lt;a href="http://www.timesonline.co.uk/tol/news/world/middle_east/article2461421.ece"&gt;Israel bombed&lt;/a&gt; &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2007/09/20/AR2007092002701.html"&gt;some secret facility&lt;/a&gt; &lt;a href="http://www.rawstory.com/news/2007/Seymour_Hersh_reports_on_Israel_bombing_0203.html"&gt;in Syria&lt;/a&gt;?  well, according to Clarke, that attack was performed by Israeli F-15s and F-16s which are very not-stealthy fighters.  so a reasonable question is why weren't these planes shot at/down by Syrian air-defense networks?&lt;br /&gt;&lt;br /&gt;according to Clarke, the Syrians saw nothing on their radar at the time and after the fact because "the Israelis had used cyberwar as part of a traditional attack.  
They had taken control of the Syrian air-defense system, and made all of the radars look like there was nothing in the sky, even though the sky was filled with Israeli fighter-bombers."&lt;br /&gt;&lt;br /&gt;anyway, just wanted to include this because so many people in the infosec game seem to think that cyberwar can only be a digital-pearl-harbor type catastrophic attack.  as if the entire attack will be encompassed by bytes on a wire.  in my opinion cyberwar capabilities can be used effectively as a small part of larger tactical engagements.  dismissing cyberwar as a fantasy ignores real-world realities and capabilities which are apparently being put to use today by state actors, and possibly others...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-593624539955926389?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/593624539955926389/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=593624539955926389' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/593624539955926389'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/593624539955926389'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2010/04/why-it-sucks-to-be-infosec-defense-guy.html' title='why it sucks to be an infosec defense guy &amp; an example of real-world cyberwar'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1293074091599217371</id><published>2010-03-05T05:06:00.005Z</published><updated>2010-03-05T05:24:09.553Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='output encoding'/><category scheme='http://www.blogger.com/atom/ns#' term='security device'/><category scheme='http://www.blogger.com/atom/ns#' term='xss'/><title type='text'>more xss introduced by security devices</title><content type='html'>soooo, i found this a while back, and it may be patched or who knows...  but i (re?)'rediscovered' it n kinda had to be snarky n vocal about it...  such a surprise, i know ;)&lt;br /&gt;&lt;br /&gt;it's kinda similar to the &lt;a href="http://rwnin.blogspot.com/2009/11/xss-introduced-by-intermediate-security.html"&gt;xss introduced by an intermediate security device&lt;/a&gt; post from a bit back...&lt;br /&gt;&lt;br /&gt;i see a little light-weight web server i'm not familiar with, and kinda assume it had to be made in the last i donno... 10 years?  
so these guys who made it are sitting around a table and they're like:&lt;br /&gt;&lt;br /&gt;&amp;quot;hey, let's make (or buy) this simple http server that just does some simple stuff really well and *nothing else*, and use it as a workhorse for these expensive widgets we want to sell!&amp;quot;&lt;br /&gt;&lt;br /&gt;and later, someone says: &lt;br /&gt;&lt;br /&gt;&amp;quot;man, we need a simple http server to run this security service that authenticates unknown users&amp;quot; and they build it into a security-ish widget...&lt;br /&gt;&lt;br /&gt;an unauthenticated user requests a page:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;GET /somethin.aspx?foo=bar HTTP/1.1&lt;br /&gt;User-Agent: Mozilla/4.0 (compatible; ...)&lt;br /&gt;Accept: */*&lt;br /&gt;Pragma: no-cache&lt;br /&gt;Host: somehost.domain.tld&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;and the little server that could redirects them to authenticate:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;HTTP/1.1 200 OK&lt;br /&gt;Server: ********gw&lt;br /&gt;Content-Type: text/html&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;&amp;lt;HTML&amp;gt;&amp;lt;HEAD&amp;gt;&amp;lt;TITLE&amp;gt;***********************Authentication Redirect&amp;lt;/TITLE&amp;gt;&amp;lt;META http-equiv=&amp;quot;Cache-control&amp;quot; content=&amp;quot;no-cache&amp;quot;&amp;gt;&amp;lt;META http-equiv=&amp;quot;Pragma&amp;quot; content=&amp;quot;no-cache&amp;quot;&amp;gt;&amp;lt;META http-equiv=&amp;quot;Expires&amp;quot; content=&amp;quot;-1&amp;quot;&amp;gt;&amp;lt;META http-equiv=&amp;quot;refresh&amp;quot; content=&amp;quot;1; URL=https://an.auth.svr/login.html?redirect=http://somehost.domain.tld/somethin.aspx?foo=bar&amp;quot;&amp;gt;&amp;lt;/HEAD&amp;gt;&amp;lt;/HTML&amp;gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;of course the server encodes the output reflected in th-... 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;GET /somethin.aspx?foo=bar&amp;quot;&amp;gt;&amp;lt;/head&amp;gt;&amp;lt;body&amp;gt;&amp;lt;script&amp;gt;alert('wot?')&amp;lt;/script&amp;gt;&amp;lt;/body&amp;gt; HTTP/1.1&lt;br /&gt;User-Agent: Mozilla/4.0 (compatible; ...)&lt;br /&gt;Accept: */*&lt;br /&gt;Pragma: no-cache&lt;br /&gt;Host: somehost.domain.tld&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;HTTP/1.1 200 OK&lt;br /&gt;Server: ********gw&lt;br /&gt;Content-Type: text/html&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;&amp;lt;HTML&amp;gt;&amp;lt;HEAD&amp;gt;&amp;lt;TITLE&amp;gt;***********************Authentication Redirect&amp;lt;/TITLE&amp;gt;&amp;lt;META http-equiv=&amp;quot;Cache-control&amp;quot; content=&amp;quot;no-cache&amp;quot;&amp;gt;&amp;lt;META http-equiv=&amp;quot;Pragma&amp;quot; content=&amp;quot;no-cache&amp;quot;&amp;gt;&amp;lt;META http-equiv=&amp;quot;Expires&amp;quot; content=&amp;quot;-1&amp;quot;&amp;gt;&amp;lt;META http-equiv=&amp;quot;refresh&amp;quot; content=&amp;quot;1; URL=https://an.auth.svr/login.html?redirect=http://somehost.domain.tld/sometin.aspx?foo=bar&amp;quot;&amp;gt;&amp;lt;/head&amp;gt;&amp;lt;body&amp;gt;&amp;lt;script&amp;gt;alert('wot?')&amp;lt;/script&amp;gt;&amp;lt;/body&amp;gt;&amp;quot;&amp;gt;&amp;lt;/HEAD&amp;gt;&amp;lt;/HTML&amp;gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;you've gotta wonder...  how many code releases and updates has the server gone through, since...  ummmm....  2005?  You know, have you thought about output encoding in the last *5 years* since an xss worm made headlines w/ mainstream media?  how much revenue did this bring you in the last 5 years?  annnnnd how much is a simple static or dynamic analysis?&lt;br /&gt;&lt;br /&gt;that's not to say that this looks wormy, for a couple of reasons.  plus, modern anti-xss filters seem to protect against it.  
&lt;br /&gt;&lt;br /&gt;one interesting bit is that the redirect values are completely arbitrary and seamless in the browser, which mb makes a targeted attack easier because the victim URL can be anything...?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ai6JN2kiD6A/S5CS6uOEkpI/AAAAAAAAAJw/UsZhGdZ-x6Q/s1600-h/not_really_msnbc_dot_com_xss.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 225px;" src="http://1.bp.blogspot.com/_ai6JN2kiD6A/S5CS6uOEkpI/AAAAAAAAAJw/UsZhGdZ-x6Q/s320/not_really_msnbc_dot_com_xss.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5445013487028048530" /&gt;&lt;/a&gt;&lt;br /&gt;***note: the vuln here is _not_ in msnbc.com***&lt;br /&gt;***another note: ie8 anti-xss filter disabled for this screenshot***&lt;br /&gt;&lt;br /&gt;other than that, it doesn't look like anything terribly special really, and someone has prolly already posted somethin about it somewhere, cause you just kinda trip over it if you get within 30 feet of the server...&lt;br /&gt;&lt;br /&gt;anywho, that's all for now ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1293074091599217371?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1293074091599217371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1293074091599217371' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1293074091599217371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1293074091599217371'/><link rel='alternate' 
type='text/html' href='http://rwnin.blogspot.com/2010/03/more-xss-introduced-by-security-devices.html' title='more xss introduced by security devices'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_ai6JN2kiD6A/S5CS6uOEkpI/AAAAAAAAAJw/UsZhGdZ-x6Q/s72-c/not_really_msnbc_dot_com_xss.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-2923221501752179037</id><published>2010-03-03T06:21:00.005Z</published><updated>2010-03-03T07:02:43.545Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='html5'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='flash'/><category scheme='http://www.blogger.com/atom/ns#' term='youtube'/><title type='text'>flash is dead... long live... *yawn*</title><content type='html'>well &lt;a href="http://en.wikipedia.org/wiki/HTML5"&gt;html5&lt;/a&gt; has been rumbling around and 'maturing' for a while now... &lt;br /&gt;&lt;br /&gt;i was recently introduced to the &lt;a href="http://www.youtube.com/html5"&gt;youtube html5 beta&lt;/a&gt; via fark iirc (linkfail).  anywho, the article quoted some steve jobs flash/ipad/drama foo, and also included some nice quotes about epic flash failure from &lt;a href="http://blogs.zdnet.com/security/?p=2941"&gt;charlie 'i pwn n00b devs in my sleep' miller&lt;/a&gt; XD&lt;br /&gt;&lt;br /&gt;sooo, throw a supported user-agent to youtube annnndddd... fail.  
firefox supports html5, but only some open video format, yada yada yada...&lt;br /&gt;&lt;br /&gt;wellll, i wonder if there's anything interesting in the &lt;a href="view-source:http://www.youtube.com/watch?v=kuRnta1a0L8"&gt;youtube src&lt;/a&gt;?&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;&amp;lt;snip&amp;gt;&lt;br /&gt;&amp;lt;script type="text/javascript"&amp;gt;&lt;br /&gt;  var yt = yt || {};&lt;br /&gt;  yt.preload = yt['preload'] || {};&lt;br /&gt;  yt.preload.start = function() {&lt;br /&gt;   var img = new Image();&lt;br /&gt;   yt.preload.VideoConnectionReference = img;&lt;br /&gt;   img.onload = img.onerror = function () {&lt;br /&gt;    delete yt.preload.VideoConnectionReference;&lt;br /&gt;   };&lt;br /&gt;   img.src = 'http://v18.lscache2.c.youtube.com/generate_204?&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;ip=0.0.0.0&lt;/span&gt;&amp;amp;sparams=id%2Cexpire%2Cip%2Cipbits%2Citag%2Calgorithm%2Cburst%2Cfactor&amp;amp;fexp=904020%2C902306&amp;amp;algorithm=throttle-factor&amp;amp;itag=34&amp;amp;ipbits=0&amp;amp;burst=40&amp;amp;sver=3&amp;amp;&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;expire=1267621200&lt;/span&gt;&amp;amp;&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;key=yt1&lt;/span&gt;&amp;amp;&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;signature=7A4D3513CEE589B3E53529C08C6BDEA27DF80C1F.96F3E4606263CB33E9198662204B49FD2E4B98F7&lt;/span&gt;&amp;amp;factor=1.25&amp;amp;&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;id=92e467b5ad5ad0bf'&lt;/span&gt;;&lt;br /&gt;   img = null;&lt;br /&gt;  };&lt;br /&gt;  yt.preload.start();&lt;br /&gt; &amp;lt;/script&amp;gt;&lt;br /&gt;&amp;lt;/snip&amp;gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;soooo, i know *nothing* about html5 atm, but that's what jumped out at me...&lt;br /&gt;&lt;br /&gt;scripts with interactions on the network layer, some id-foo, expire-foo, and key-foo...  
sounds like an interesting attack surface at a minimum ;)&lt;br /&gt;&lt;br /&gt;i'll confess i downloaded chrome to try out the html5 vid...  i'm glad i did for the new spinny loading graphic and this epic quote:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;'all the bugs have been worked out of flash'&lt;br /&gt;- &lt;a href="http://twitter.com/pzembashis"&gt;@pzembashis&lt;/a&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;(btw, nice work misrepresenting html5 support in browsers pal :P [jkjk!])&lt;br /&gt;&lt;br /&gt;lulz...  anywho, security aside, sry steve jobs but my cpu wasn't very happy even w/o fullscreen...  and man, to think these people are trying to go against flash w/ chop like that, ick :-\&lt;br /&gt;&lt;br /&gt;prolly some interesting stuff to find in the &lt;a href="http://dev.w3.org/html5/spec/Overview.html"&gt;rfc-ish linkage&lt;/a&gt;...?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-2923221501752179037?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/2923221501752179037/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=2923221501752179037' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2923221501752179037'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2923221501752179037'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2010/03/flash-is-dead-long-live-yawn.html' title='flash is dead... long live... 
*yawn*'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3690595323680041800</id><published>2010-02-05T18:05:00.003Z</published><updated>2010-02-05T18:13:38.807Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='data archiving'/><category scheme='http://www.blogger.com/atom/ns#' term='tool'/><category scheme='http://www.blogger.com/atom/ns#' term='python'/><category scheme='http://www.blogger.com/atom/ns#' term='datapyning'/><category scheme='http://www.blogger.com/atom/ns#' term='search engine'/><title type='text'>datapyning (tool release)</title><content type='html'>okok, i'm always writing stuff and never getting it released, so this time i've kludged up a tool and dropped it on google code:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://code.google.com/p/datapyning/"&gt;http://code.google.com/p/datapyning&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;just a little python script that will query search info (to google atm, others in next rev) and pull down all the returned results.  the idea is to allow you to collect files/data en masse and store it away for further analysis later...&lt;br /&gt;&lt;br /&gt;[purpose]&lt;br /&gt;&lt;br /&gt;so is there any security relevance here?  well i built the tool to archive data for a security research project i've been kicking around.  i see it being useful for a variety of research and information discovery tasks, but i donno if anyone else will.&lt;br /&gt;&lt;br /&gt;ultimately, the idea came from me trying to find some info i'd seen before and coming to the conclusion that the data had poofed into the aether.  
if you aren't archiving information you care about, is anyone else???  &lt;br /&gt;&lt;br /&gt;this tool might help you archive some of that data for your purposes...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[examples]&lt;br /&gt;&lt;br /&gt;~ grab up to 20 PDFs posted in the last week w/ the search phrase 'free', verbosely &lt;br /&gt;&lt;br /&gt;[user@box datapyning]$ ./datapyning.py -S ./null.list -n 20 -f pdf -t w -s free -v&lt;br /&gt;&lt;br /&gt;~ grab up to 100 .xls files in the last year w/ .com, .org, and .net domains w/ search phrase 'profit' quietly into a dir called foo &lt;br /&gt;&lt;br /&gt;[user@box datapyning]$ ./datapyning.py -f xls -t y -S ./small.list -s profit -q -d foo&lt;br /&gt;&lt;br /&gt;~ grab up to 100 results from the last 24 hrs for each tld w/ the search phrase 'default.password' &lt;br /&gt;&lt;br /&gt;[user@box datapyning]$ ./datapyning.py -s "default.password" &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[limitations]&lt;br /&gt;&lt;br /&gt;    * searching for -s 'foo bar' makes google barf, but -s 'foo.bar' works... 
wtf, mah bad, def on the list to get fixed :(&lt;br /&gt;    * other 'advanced' search features (intext:, etc) aren't accessible via cli and mostly not through the search phrase&lt;br /&gt;    * currently the tool kinda expects search frequencies &gt;= 1 per day (result dir contains dirs named by search date)&lt;br /&gt;    * search domains/sites aren't handled on the cli (files w/ crlf delimiters only)&lt;br /&gt;    * max of 100 records per search&lt;br /&gt;    * no status bar for larger downloads (it will time out, make note, and move on if d/l fails)&lt;br /&gt;    * no rate limiting, sooo it will use the bandwidth it can&lt;br /&gt;    * not sure if the way download file names are genericized and logged makes sense&lt;br /&gt;    * tied to google (but potential for either modularized search providers or mb search agnostic)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3690595323680041800?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3690595323680041800/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3690595323680041800' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3690595323680041800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3690595323680041800'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2010/02/datapyning-tool-release.html' title='datapyning (tool release)'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-9003825407272820375</id><published>2010-02-02T20:52:00.006Z</published><updated>2010-02-02T21:41:51.769Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='fail'/><title type='text'>snail-mail-fail</title><content type='html'>hey lookit, important tax-return document in the mail...  wazzat w/ the top of the envelope?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ai6JN2kiD6A/S2ibFu9Gw5I/AAAAAAAAAJE/TI3HLKcogsg/s1600-h/00.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 178px;" src="http://3.bp.blogspot.com/_ai6JN2kiD6A/S2ibFu9Gw5I/AAAAAAAAAJE/TI3HLKcogsg/s400/00.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5433763473228481426" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;erm... umm... wot?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ai6JN2kiD6A/S2ibFGtdQ0I/AAAAAAAAAI8/6ctqkfeKtWk/s1600-h/01.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 209px;" src="http://4.bp.blogspot.com/_ai6JN2kiD6A/S2ibFGtdQ0I/AAAAAAAAAI8/6ctqkfeKtWk/s400/01.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5433763462425428802" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;sighhhhh....  yea, those current number fields aren't blank...  
fuggin wonderful...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ai6JN2kiD6A/S2ibEpXE3fI/AAAAAAAAAI0/tM0LLrgCm6Y/s1600-h/02.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 254px;" src="http://1.bp.blogspot.com/_ai6JN2kiD6A/S2ibEpXE3fI/AAAAAAAAAI0/tM0LLrgCm6Y/s400/02.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5433763454546927090" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;so there's an IRL infosec attack in motion...  i'll speculate local postal carriers couldn't harvest enough numbers to make it worthwhile...  maybe a USPS mail distribution worker, or someone in the mail or finance dept of Chase or whoever produces their mailers...?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-9003825407272820375?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/9003825407272820375/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=9003825407272820375' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/9003825407272820375'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/9003825407272820375'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2010/02/snail-mail-fail.html' title='snail-mail-fail'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_ai6JN2kiD6A/S2ibFu9Gw5I/AAAAAAAAAJE/TI3HLKcogsg/s72-c/00.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3152074114112434490</id><published>2009-12-30T07:59:00.003Z</published><updated>2009-12-30T09:49:57.123Z</updated><title type='text'>countermeasures for command  &amp; control</title><content type='html'>~irl blue skies sec post~&lt;br /&gt;&lt;br /&gt;been sittin on this for a bit, and the recent predator security issue is a great place to start.  &lt;br /&gt;&lt;br /&gt;[recap]&lt;br /&gt;&lt;a href="http://www.wired.com/dangerroom/2009/12/insurgents-intercept-drone-video-in-king-sized-security-breach/"&gt;a year ago militant gear was discovered with predator video feeds&lt;/a&gt;.  acquire satellite dish, point up, download software, and *poof* record yourself some killcam videos... kinda like snoopin on webcams... ;)&lt;br /&gt;&lt;br /&gt;turns out the vuln was known for about a decade.  (incidentally, &lt;a href="http://www.dailymotion.com/video/x2ajhs_navy-seals-untold-stories-bosnia-1_politics"&gt;in bosnia in 1998 seals reportedly used a remote controlled plane with recon gear to hunt their quarry&lt;/a&gt;.  this is the earliest squad level military uav activity afaik, and the dates line up pretty nice... can you imagine what toys those guys use today?)&lt;br /&gt;&lt;br /&gt;oh, and &lt;a href="http://www.wired.com/dangerroom/2009/12/not-just-drones-militants-can-snoop-on-most-us-warplanes/"&gt;the vuln exists in tons of military devices&lt;/a&gt;, including many items which have been mass produced and widely deployed... 
whoops...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[erm, wot?]&lt;br /&gt;&lt;br /&gt;well, lots of "similar" civilian devices have similar utter failure in the network security realm (voip phones or printers anyone?)...  some people feel that fixing vulns like this is paranoid, and they aren't likely to be exploited.  well i guess someone trying to blow you up is pretty damn motivating...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[lesson learned?]&lt;br /&gt;&lt;br /&gt;rapid prototyping software without a clean upgrade path for fixing these potential issues is a recipe for failure.  also, desperation drives innovation (evolution in action in this case).  and &lt;a href="http://www.wired.com/dangerroom/2009/12/fixing-drone-data-a-not-so-modest-proposal/"&gt;fixing it in the field can bite you in the ass&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[back to the point]&lt;br /&gt;&lt;br /&gt;there are &lt;a href="http://en.wikipedia.org/wiki/RQ-16_T-Hawk"&gt;lots&lt;/a&gt; &lt;a href="http://en.wikipedia.org/wiki/RQ-7_Shadow"&gt;more&lt;/a&gt; &lt;a href="http://en.wikipedia.org/wiki/Hydra_Technologies_Eh%C3%A9catl"&gt;remote&lt;/a&gt; &lt;a href="http://en.wikipedia.org/wiki/MQ-8_Fire_Scout"&gt;controlled&lt;/a&gt; &lt;a href="http://en.wikipedia.org/wiki/Luna_X_2000"&gt;and&lt;/a&gt; &lt;a href="http://www.globalsecurity.org/military/systems/ground/fcs-mule.htm"&gt;automated&lt;/a&gt; &lt;a href="http://en.wikipedia.org/wiki/Boeing_A160_Hummingbird"&gt;devices&lt;/a&gt; nowadays...  some are &lt;a href="http://www.wired.com/dangerroom/2009/04/army-tests-new/"&gt;pretty wicked in kinetic situations&lt;/a&gt;, and others are &lt;a href="http://tacticaldepo.com/eyr1suba.html"&gt;more passive&lt;/a&gt;...  
some are &lt;a href="http://en.wikipedia.org/wiki/Micro_air_vehicle"&gt;pretty small&lt;/a&gt;, &lt;a href="http://www.engadget.com/2006/07/22/darpa-tasks-lockheed-with-developing-maple-seed-shaped-uav/"&gt;or tiny&lt;/a&gt;, &lt;a href="http://en.wikipedia.org/wiki/Armed_Robotic_Vehicle"&gt;some are big&lt;/a&gt;, and &lt;a href="http://en.wikipedia.org/wiki/Foster-Miller_TALON"&gt;some have guns&lt;/a&gt;.  &lt;a href="http://singularityhub.com/2009/09/21/new-military-surveillance-bot-can-jump-over-25-foot-walls/"&gt;some can jump&lt;/a&gt;... some &lt;a href="http://en.wikipedia.org/wiki/History_of_unmanned_aerial_vehicles#U.S._domestic_use"&gt;are being used in civilian areas&lt;/a&gt; as well (&lt;a href="http://www.theobserver.ca/ArticleDisplay.aspx?e=1680060"&gt;some people protest in humorous ways&lt;/a&gt;).  some &lt;a href="http://www.optoiq.com/articles/display/371864/articles/military-aerospace-electronics/executive-watch-2/2009/12/persistent-surveillance-with-uav-mounted-infrared-sensors-is-goal-of-darpa-argus-ir-program.html"&gt;just keep on going&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;oh, and &lt;a href="http://en.wikipedia.org/wiki/Mirsad-1"&gt;militants use them too&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;yea, researchers are &lt;a href="http://ferrisjabr.wordpress.com/2009/11/01/insect-cyborg-sentinels-darpas-dream-for-remote-control-bugs-generates-buzz/"&gt;growing&lt;/a&gt; &lt;a href="http://www.wired.com/dangerroom/2009/09/video-cyborg-beetle-takes-flight/"&gt;remote&lt;/a&gt; &lt;a href="http://www.wired.com/science/discoveries/news/2007/01/72543"&gt;controlled bugs&lt;/a&gt;...  
and they &lt;a href="http://robotics.eecs.berkeley.edu/~ronf/MFI/index.html"&gt;mimic&lt;/a&gt; bugs and &lt;a href="http://www.wired.com/dangerroom/2009/07/video-pentagons-robo-hummingbird-flies-like-the-real-thing/"&gt;nature&lt;/a&gt; too...&lt;br /&gt;&lt;br /&gt;so clearly there's a &lt;a href="http://www.wired.com/dangerroom/2009/09/dsei-throwbots-folding-spyplanes-and-monster-guns/"&gt;lot of activity&lt;/a&gt; and &lt;a href="http://www.esquire.com/the-side/feature/new-air-force-drones-in-pakistan-061709"&gt;nifty/scary tech&lt;/a&gt; in the space...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[attack surface update]&lt;br /&gt;&lt;br /&gt;pulling the operator physically out of the loop means that &lt;a href="http://en.wikipedia.org/wiki/Electronic_countermeasures"&gt;network comms are somewhat more critical and vulnerable&lt;/a&gt; than before.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;.:location:.&lt;br /&gt;jamming a gps bomb doesn't make tons of sense because the military and spooks have plenty of options in that space.  but do smaller and widely deployed surveillance devices and attack platforms using gps utilize &lt;a href="http://www.aero.org/publications/crosslink/summer2002/06.html"&gt;anti-jam gps technology&lt;/a&gt;?  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;.:communication:.&lt;br /&gt;how many smaller drones are vulnerable to standard RF interference and jamming?  
small powerful jamming devices might be able to create a small null zone where remote operated devices are unable to maintain comms with their operators.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;.:sight:.&lt;br /&gt;drones generally rely on digital cameras, which begs the question if they can be &lt;a href="http://www.naimark.net/projects/zap/howto.html"&gt;dazzled and disabled by lasers &lt;/a&gt;or strong infrared light sources, a la &lt;a href="http://www.hulu.com/burn-notice"&gt;michael westen&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;also, thermal cameras seem very common, so i wonder if there are any effective thermal countermeasures?  that seems difficult, but who knows...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;.:detection:.&lt;br /&gt;can the c&amp;c comm traffic be detected in general?  is it possible to cheaply monitor likely radio bands for encrypted (or not) network traffic to alert on a suspected drone presence?  or is background RF too much here?  if you can detect the c&amp;c traffic, can you get directional information similar to &lt;a href="http://en.wikipedia.org/wiki/Passive_radar"&gt;passive radar&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;and can the cameras used by visual surveillance platforms &lt;a href="http://www.defensereview.com/torrey-pines-logic-mirage-1200-and-myth-350-handheld-sniper-detection-systems/"&gt;be detected (trivially?) like sniper rifle lenses&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;.:destruction:.&lt;br /&gt;at least one drone killed itself &lt;a href="http://www.usatoday.com/tech/news/surveillance/2006-08-06-drones_x.htm?csp=34"&gt;when a transmission triggered an auto-shutdown procedure&lt;/a&gt;, which sounds like there was no authentication on that particularly vital command option...  
(different than the reported &lt;a href="http://www.militaryphotos.net/forums/archive/index.php/t-146246.html"&gt;russian take on self-destruct mechanisms&lt;/a&gt;...)&lt;br /&gt;&lt;br /&gt;and can effective small (and safe) &lt;a href="http://www.amazing1.com/emp.htm"&gt;EMP generators&lt;/a&gt; be used to knock out nearby drone and surveillance devices?  no idea on ranging, or directional vs bubble...  no idea if a pulsing emp could be used to maintain a safety zone (and would it be practical considering you'd be frying any nearby electronics of your own, right?)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[anywho]&lt;br /&gt;&lt;br /&gt;ultimately, it seems likely that smaller drones will have cost and power-utilization pressures which increase their vulnerability to attacks on their comms...  &lt;br /&gt;&lt;br /&gt;kinda rambled a bit, but hope you enjoyed it...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3152074114112434490?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3152074114112434490/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3152074114112434490' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3152074114112434490'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3152074114112434490'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/12/countermeasures-for-command-control.html' title='countermeasures for command  &amp; control'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-374829796286876838</id><published>2009-11-22T18:02:00.006Z</published><updated>2010-03-05T05:25:35.407Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='output encoding'/><category scheme='http://www.blogger.com/atom/ns#' term='security device'/><category scheme='http://www.blogger.com/atom/ns#' term='xss'/><title type='text'>xss introduced by an intermediate security device</title><content type='html'>during a web app assessment there were some apache HTTP Host and Expect header XSS vulns reported, but the version of apache running on the server was newer than the affected versions and shouldn't be vulnerable.&lt;br /&gt;&lt;br /&gt;looking closer at the data i realized there were security devices inline during the assessment (*my bad*)...  
hrmmmmm....&lt;br /&gt;&lt;br /&gt;so i found an unfiltered connection, and sure enough the web server was properly output encoding the responses:&lt;br /&gt;&lt;br /&gt;&lt;code&gt;GET / HTTP/1.1&lt;br /&gt;Host: www.someserver.tld&lt;br /&gt;Expect: &amp;lt;script&amp;gt;alert('XSS');&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;=-=-=-=-=-=-=-=-=-=-&lt;br /&gt;&lt;br /&gt;HTTP/1.1 417 Expectation Failed&lt;br /&gt;Date: Sun, 01 Nov 2009 03:03:03 GMT&lt;br /&gt;Server: Apache/2.x.x&lt;br /&gt;Content-Length: 488&lt;br /&gt;Connection: close&lt;br /&gt;Content-Type: text/html; charset=iso-8859-1&lt;br /&gt;&lt;br /&gt;&amp;lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&amp;gt;&lt;br /&gt;&amp;lt;html&amp;gt;&amp;lt;head&amp;gt;&lt;br /&gt;&amp;lt;title&amp;gt;417 Expectation Failed&amp;lt;/title&amp;gt;&lt;br /&gt;&amp;lt;/head&amp;gt;&amp;lt;body&amp;gt;&lt;br /&gt;&amp;lt;h1&amp;gt;Expectation Failed&amp;lt;/h1&amp;gt;&lt;br /&gt;&amp;lt;p&amp;gt;The expectation given in the Expect request-header field could not be met by this server.&amp;lt;/p&amp;gt;&lt;br /&gt;&amp;lt;p&amp;gt;The client sent&amp;lt;pre&amp;gt;&lt;br /&gt;    Expect: &lt;b&gt;&lt;u&gt;&amp;amp;lt;script&amp;amp;gt;alert('XSS');&amp;amp;lt;/script&amp;amp;gt;&lt;/u&gt;&lt;/b&gt;&lt;br /&gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;but we only allow the 100-continue expectation.&amp;lt;/p&amp;gt;&lt;br /&gt;&amp;lt;hr&amp;gt;&lt;br /&gt;&amp;lt;address&amp;gt;Apache/2.x.x Server at www.someserver.tld Port 80&amp;lt;/address&amp;gt;&lt;br /&gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&lt;/code&gt;&lt;br /&gt;&lt;br /&gt;so back to the filtered connection.  here the intermediate security device examines the request, sees the unexpected / error condition, and informs the user.  but in the error page they are reflecting user controlled content without output encoding it... 
doh:&lt;br /&gt;&lt;br /&gt;&lt;code&gt;&lt;br /&gt;HTTP/1.1 500 Unknown Host&lt;br /&gt;Date: Sun, 01 Nov 2009 19:19:19 GMT&lt;br /&gt;Connection: close&lt;br /&gt;Via: HTTP/1.1 sec-device-hostname (********-Content_Gateway/7.x.x [x x x ])&lt;br /&gt;Cache-Control: no-store&lt;br /&gt;Content-Type: text/html&lt;br /&gt;Content-Language: en&lt;br /&gt;Content-Length: 463&lt;br /&gt;&lt;br /&gt;&amp;lt;HEAD&amp;gt;&amp;lt;TITLE&amp;gt;Unknown Host&amp;lt;/TITLE&amp;gt;&amp;lt;/HEAD&amp;gt;&lt;br /&gt;&amp;lt;BODY BGCOLOR="white" FGCOLOR="black"&amp;gt;&amp;lt;H1&amp;gt;Unknown Host&amp;lt;/H1&amp;gt;&amp;lt;HR&amp;gt;&lt;br /&gt;&amp;lt;FONT FACE="Helvetica,Arial"&amp;gt;&amp;lt;B&amp;gt;&lt;br /&gt;Description: Unable to locate the server named &lt;b&gt;&lt;u&gt;"&amp;lt;em&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;lt;/em&amp;gt;"&lt;/u&gt;&lt;/b&gt; --- the server does not have a DNS entry.  Perhaps there is a misspelling in the server name, or the server no longer exists.  
Double-check the name and try again.&amp;lt;/B&amp;gt;&amp;lt;/FONT&amp;gt;&lt;br /&gt;&amp;lt;HR&amp;gt;&lt;br /&gt;&amp;lt;!-- default "Unknown Host" response (500) --&amp;gt;&lt;br /&gt;&amp;lt;/BODY&amp;gt;&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;=-=-=-=-=-=-=-=-=-&lt;br /&gt;&lt;br /&gt;&lt;code&gt;&lt;br /&gt;HTTP/1.1 417 Expectation Failed&lt;br /&gt;Date: Sun, 01 Nov 2009 19:19:19 GMT&lt;br /&gt;Server: Apache&lt;br /&gt;Connection: close&lt;br /&gt;Transfer-Encoding: chunked&lt;br /&gt;Content-Type: text/html; charset=iso-8859-1&lt;br /&gt;&lt;br /&gt;&amp;lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&amp;gt;&lt;br /&gt;&amp;lt;HTML&amp;gt;&amp;lt;HEAD&amp;gt;&lt;br /&gt;&amp;lt;TITLE&amp;gt;417 Expectation Failed&amp;lt;/TITLE&amp;gt;&lt;br /&gt;&amp;lt;/HEAD&amp;gt;&amp;lt;BODY&amp;gt;&lt;br /&gt;&amp;lt;H1&amp;gt;Expectation Failed&amp;lt;/H1&amp;gt;&lt;br /&gt;The expectation given in the Expect request-header&lt;br /&gt;field could not be met by this server.&amp;lt;P&amp;gt;&lt;br /&gt;The client sent&amp;lt;PRE&amp;gt;&lt;br /&gt;    &lt;b&gt;&lt;u&gt;Expect: &amp;lt;script&amp;gt;alert('XSS');&amp;lt;/script&amp;gt;&lt;/u&gt;&lt;/b&gt;&lt;br /&gt;&amp;lt;/PRE&amp;gt;&lt;br /&gt;but we only allow the 100-continue expectation.&lt;br /&gt;&amp;lt;/BODY&amp;gt;&amp;lt;/HTML&amp;gt;&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;&lt;br /&gt;we all make mistakes i guess :(  &lt;br /&gt;&lt;br /&gt;so there's nothing earth-shattering here.  i don't think there's a risk of widespread issues, but maybe targeted attacks.  and all from installing a security device.  
bleh...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;***update:  more of the same - &lt;a href="http://rwnin.blogspot.com/2010/03/more-xss-introduced-by-security-devices.html"&gt;http://rwnin.blogspot.com/2010/03/more-xss-introduced-by-security-devices.html&lt;/a&gt;***&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-374829796286876838?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/374829796286876838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=374829796286876838' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/374829796286876838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/374829796286876838'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/11/xss-introduced-by-intermediate-security.html' title='xss introduced by an intermediate security device'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-4443087560619940326</id><published>2009-11-09T21:18:00.007Z</published><updated>2009-11-09T21:30:49.961Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='secure development'/><category scheme='http://www.blogger.com/atom/ns#' term='sdl'/><category scheme='http://www.blogger.com/atom/ns#' term='web application firewall'/><category 
scheme='http://www.blogger.com/atom/ns#' term='sdlc'/><category scheme='http://www.blogger.com/atom/ns#' term='security guidelines'/><category scheme='http://www.blogger.com/atom/ns#' term='web application security'/><title type='text'>web app sec dev guidelines</title><content type='html'>Here's a list of guidelines to help developers create more secure web applications.  This info was based around the OWASP WASS project and the app sec STIG.&lt;br /&gt;&lt;br /&gt;The general idea is to set the expectation on what gets audited during a web application security assessment and help developers code things up better the first time around...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://sites.google.com/site/rwninsecurity/webappsec_dev_guide"&gt;http://sites.google.com/site/rwninsecurity/webappsec_dev_guide&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Feedback/suggestions welcome!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-4443087560619940326?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/4443087560619940326/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=4443087560619940326' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4443087560619940326'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4443087560619940326'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/11/web-app-sec-dev-guidelines.html' title='web app sec dev guidelines'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-5935353604999650483</id><published>2009-09-21T06:25:00.003+01:00</published><updated>2009-09-21T06:38:00.163+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='multitiered architecture'/><title type='text'>tiered architecture revisited</title><content type='html'>[background]&lt;br /&gt;&lt;br /&gt;recently "bob" told me about a situation which seemed simple: a dmz web server with a back-end db on the trusted network was being upgraded.  the IT staff started loading the new db software on the web server, breaking the tiered architecture model.&lt;br /&gt;&lt;br /&gt;bob and i initially agreed this was bad, but let's play devil's advocate for a minute.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[the tiered model]&lt;br /&gt;&lt;br /&gt;the tiered model separates presentation, app logic, and db roles onto different hosts, and *is often implemented as*:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ai6JN2kiD6A/SrcOyscC3RI/AAAAAAAAAHs/LzDFRfzMQSc/s1600-h/tiered.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 246px;" src="http://2.bp.blogspot.com/_ai6JN2kiD6A/SrcOyscC3RI/AAAAAAAAAHs/LzDFRfzMQSc/s320/tiered.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5383788143629753618" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;if the exposed front-end web server suffers a host compromise, the business logic and data aren't immediately compromised, and the attacker will have trouble attacking these systems further because of tight fw policies between the dmz and trusted zones.  well, that's the theory...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[problems?]&lt;br /&gt;&lt;br /&gt;so why is this maybe silly?  
ask a pen-tester how they feel when they get an external network assessment where webapp and soc-eng are off limits...  they groan and cuss, because many/most organizations today have gotten pretty good at limiting inet facing services and keeping inet facing hosts patched and up to date.&lt;br /&gt;&lt;br /&gt;but those same inet facing web apps have logical ties back to systems which often reside on the internal network.  application layer attacks like sql injection tunnel through the firewall on the back of trusted application functionality.&lt;br /&gt;&lt;br /&gt;the tiered model defends against host vulns, but not app vulns.  and are host vulns really more prevalent than app vulns today?&lt;br /&gt;&lt;br /&gt;plus, how much protection do you actually get from the tiered model if a host level compromise occurs?  the web server can be defaced, credentials can be stolen, and all the back-end data presented to users flows back and forth through the presentation layer.  so is there a substantial security gain here?&lt;br /&gt;&lt;br /&gt;maybe one can look at apps and equate parameters to listening services on hosts?  they accept input and process it, and are vulnerable to attack.  if you equate parameters to listeners (i know it's not a perfect comparison) then the attack surface on a web application is larger and more vulnerable than host services on the average inet facing segment.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[well we have WAFs, right?]&lt;br /&gt;&lt;br /&gt;srsly?  rly?  i donno...  i haven't seen these devices work in real-world environments yet, so i don't have much faith.  they are either 'self-learning' models which prevent mainly simplistic automated attacks, or they are manually configured models which are nearly impossible to keep properly tuned.  
maybe some orgs have highly effective WAF deployments, but i haven't seen or heard about it...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[sooooo?]&lt;br /&gt;&lt;br /&gt;isolating a presentation server in a high-security zone but letting it connect back to other machines in the trusted zone just isn't a good idea.  there are at least a couple ways to improve this model.&lt;br /&gt;&lt;br /&gt;if the tiered model is used, then all of the tiers should reside in their own DMZs.  that way, when the database server gets owned via sqli and the attacker is pivoting to the next target, he'll be isolated in the db DMZ.  maybe this is what the tiered model was always intended to be, but it isn't something i've seen very often on real-world networks.  plus, an org willing to put in the time and effort to run 2 or 3 DMZs will probably also parameterize their queries, validate their inputs, encode their outputs, and make sure that the db app user isn't over-privileged.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ai6JN2kiD6A/SrcPJPuAfUI/AAAAAAAAAH0/Efuq4uUMmLU/s1600-h/tiered2.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 244px;" src="http://2.bp.blogspot.com/_ai6JN2kiD6A/SrcPJPuAfUI/AAAAAAAAAH0/Efuq4uUMmLU/s320/tiered2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5383788531057458498" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;a simpler alternative for some applications is to abandon the overhead of running multiple tiers and go back to a single-machine model.  the machine can be isolated on a DMZ, and the content served by the application can be managed through a one-way push from the trusted network (trust -&gt; DMZ only).  this model has the advantage that the exposed machine has no connection back to the internal network.  
plus you have an on-site backup on your trusted network.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ai6JN2kiD6A/SrcPJRSxzdI/AAAAAAAAAH8/rbNRbqEreI8/s1600-h/tiered3.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://4.bp.blogspot.com/_ai6JN2kiD6A/SrcPJRSxzdI/AAAAAAAAAH8/rbNRbqEreI8/s320/tiered3.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5383788531480120786" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;but if the app gets a lot of input from users which is stored to be used in near-real-time by other applications or processes, the isolated push model fails because that data needs to be read back into the trusted network and the same injection vulns apply.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[anywho]&lt;br /&gt;&lt;br /&gt;is there something obvious i'm missing?  there's nothing amazing here, but it seems like the common implementation of the tiered model buys you very little in terms of security...?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-5935353604999650483?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/5935353604999650483/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=5935353604999650483' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5935353604999650483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5935353604999650483'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/09/tiered-architecture-revisited.html' 
title='tiered architecture revisited'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ai6JN2kiD6A/SrcOyscC3RI/AAAAAAAAAHs/LzDFRfzMQSc/s72-c/tiered.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-2692410315739911000</id><published>2009-09-19T21:27:00.001+01:00</published><updated>2009-09-19T21:28:54.781+01:00</updated><title type='text'>looking in the mirror</title><content type='html'>just came across a tidbit of info that i'd forgotten, and it got me thinking about my op-sec&lt;br /&gt;&lt;br /&gt;i use my handle for fun, and there are a few places where i choose to tie it to my IRL info.  at cons i tell people my real name and my handle, and there are obvious places where my IRL geography is publicly revealed.  i'm not out there committing crimes or tryin to be an uber-reet hax0r, so i'm not too worried about that.  &lt;br /&gt;&lt;br /&gt;but i recently started re-doing my home network, and although i do a lot of good defensive foo, there's definitely some stuff i noticed that wasn't right.  some things pointing to my home network that didn't really need to be there.  there were gaps in visibility and logs.  some files and directories that i dropped on my box but never moved into the right cryptographic containers.  tracking down inet accounts that aren't often used, i realized there are a number of passwords which aren't strong enough and/or haven't been rotated recently enough.  
machines which were not hardened.&lt;br /&gt;&lt;br /&gt;it's easy to let things slip when you're doin sec from 9-5 and just wanna hang out w/ the fam and/or veg-out w/ hulu when you get home.  it's not always easy to step up and take the extra steps that need to be done to track down the details and stay on top of your environment.&lt;br /&gt;&lt;br /&gt;i've got friends who have awesome op-sec and go the extra mile.  i need to keep them in mind when i make decisions about my environment...&lt;br /&gt;&lt;br /&gt;yea, i've seen people get popped who made bigger mistakes than me.  but that doesn't matter if it's my mailspool and / or my filesystem.&lt;br /&gt;&lt;br /&gt;a buddy of mine commented that it sux there are ppl out there makin us scared of teh pwnage.  i agreed at the time, but really i donno.  attackers are a reminder...  a buzz in our ear, the angel and the devil on our shoulders reminding us that we do this stuff full time.  if we can't run our own houses, why should anyone trust us to help them?&lt;br /&gt;&lt;br /&gt;sometimes it's tough to look deeply in the mirror, but ultimately it only helps.  
it's painful to see the truth with warts and all, but you can't make something better until you understand what it really is.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-2692410315739911000?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/2692410315739911000/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=2692410315739911000' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2692410315739911000'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2692410315739911000'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/09/looking-in-mirror.html' title='looking in the mirror'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1779208205276317864</id><published>2009-08-13T16:52:00.005+01:00</published><updated>2009-08-13T19:08:03.155+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='defrag'/><category scheme='http://www.blogger.com/atom/ns#' term='vmware'/><category scheme='http://www.blogger.com/atom/ns#' term='vmdk'/><title type='text'>quick vmware perf foo (lameeee non sec post)</title><content type='html'>i was sick of my win VM running sooo slowwwww, so i defragged the 'drive' using the windows defrag utility.  
then every time i booted my win vm my lptp hdd thrashed and thrashed and performance was worse than before...&lt;br /&gt;&lt;br /&gt;so i found out there's a defrag util for VMs...  anyway, after a few pitfalls here's a concise description of the tasks:&lt;br /&gt;&lt;br /&gt;&lt;code&gt;vmware-mount /path/to/file.vmdk /mnt/&lt;br /&gt;vmware-vdiskmanager -p /mnt/&lt;br /&gt;[kill some time while the vmdk preps]&lt;br /&gt;vmware-mount -d /mnt/&lt;br /&gt;vmware-vdiskmanager -k /path/to/file.vmdk&lt;br /&gt;[kill some time while the vmdk shrinks]&lt;br /&gt;vmware-vdiskmanager -d /path/to/file.vmdk&lt;br /&gt;[kill some time while the vmdk is defragged]&lt;/code&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;so i ended up w/ a free 30 gig of space after shrinking the disk, and everything is running pretty snappy again.  you need at least as much free space on your disk as the size of your vmdk in order to perform the shrink and defrag operations...&lt;br /&gt;&lt;br /&gt;time to go write some reports...  
&gt;sigh&lt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1779208205276317864?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1779208205276317864/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1779208205276317864' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1779208205276317864'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1779208205276317864'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/08/quick-vmware-foo-lameeee-non-sec-post.html' title='quick vmware perf foo (lameeee non sec post)'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-4253169099218472315</id><published>2009-06-27T05:21:00.003+01:00</published><updated>2009-06-27T05:33:57.211+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud computing'/><title type='text'>cloud security redux</title><content type='html'>short and sweet post....  tons of talk about the cloud over the last 6-12 months...   &lt;br /&gt;&lt;br /&gt;so the cloud is a bunch of boxes offering a service out there on inet.  
all the security discussion i've seen has focused basically on confidentiality of your data once it enters the cloud, but mb there's another way to look at it.&lt;br /&gt;&lt;br /&gt;clouds are potentially massive environments of resources which are allocated and partitioned to paying customers.  instead of focusing on the risk posed to cloud customers, why not look a little at the risk to the cloud operators?&lt;br /&gt;&lt;br /&gt;clouds are big business networks, and big networks are often under-monitored.  attacking cloud allocation schemes could result in resources being allocated to an attacker off-the-record.  "ghost" resources in the cloud controlled by an attacker who isn't paying for service and isn't abiding by the ToS.  these ghost resources could be used for all kinds of illegitimate purposes with significant value for the attacker who controls them.  &lt;br /&gt;&lt;br /&gt;if you are subtle, you could probably operate under the radar within the cloud for quite some time...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-4253169099218472315?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/4253169099218472315/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=4253169099218472315' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4253169099218472315'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4253169099218472315'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/06/cloud-security-redux.html' title='cloud security 
redux'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6913521122460977921</id><published>2009-06-19T06:20:00.004+01:00</published><updated>2009-06-27T05:20:04.277+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='csrf'/><category scheme='http://www.blogger.com/atom/ns#' term='reject'/><category scheme='http://www.blogger.com/atom/ns#' term='blackhat'/><category scheme='http://www.blogger.com/atom/ns#' term='fail'/><category scheme='http://www.blogger.com/atom/ns#' term='brute force'/><category scheme='http://www.blogger.com/atom/ns#' term='xss'/><category scheme='http://www.blogger.com/atom/ns#' term='gateway'/><category scheme='http://www.blogger.com/atom/ns#' term='bh'/><title type='text'>from the blackhat reject bin</title><content type='html'>so maybe this is obvious, i donno...&lt;br /&gt;&lt;br /&gt;the talk started when i told my buddy (&lt;a href="http://twitter.com/zenfosec"&gt;@zenfosec&lt;/a&gt;) that i had this password for the firewall for this big .com site...  it was one of those "it's always been that" passwords... pure speculation, anyway...&lt;br /&gt;&lt;br /&gt;so at the end of the gig while presenting my report, i suggested they rotate the password, since they gave it to an external party.  the admin laughs, and he's like "you can only get to the box from inside once i pull the rule for you".&lt;br /&gt;&lt;br /&gt;i'm a big advocate of dropping the whole "inside" / "outside" terminology for substantial networks.  the fundamental protection measures are so cheap in true cost, and the risk/benefit is clear.  
anywho...&lt;br /&gt;&lt;br /&gt;so my buddy says "yea, until you client side him" ;)&lt;br /&gt;&lt;br /&gt;so that was the crux of the talk.  when you get client-sided by xss or flash vulns or whatever, your internal network can be attacked.&lt;br /&gt;&lt;br /&gt;this idea really built off &lt;a href="http://www.neohaxor.org/tag/motorola/"&gt;the nifty modem csrf&lt;/a&gt; pointed out by &lt;a href="https://twitter.com/nathanhamiel"&gt;nathan&lt;/a&gt;...  so let's just extend it.  what if there's auth required on the device?  can we attack it when we're XSSing and/or CSRFing?&lt;br /&gt;&lt;br /&gt;blah blah, slides about xss and csrf history, and traditional distinctions, etc...&lt;br /&gt;&lt;br /&gt;so anyway, the hostile code can blindly assume gateways are .1 or .254 on the local /24 (re: &lt;a href="http://www.sectheory.com/rfc1918-security-issues.htm"&gt;the timely rsnake comments on the pervasive homogeneous rfc 1918 networks&lt;/a&gt;) or you can do a little work and find them.&lt;br /&gt;&lt;br /&gt;once found, gateways can be attacked w/ a csrf via the client-side.  if the gateway requires auth, it can be brute-forced.  i didn't do much with forms-based auth because i was really curious about http basic auth.  this led me to realize you can pass http basic auth creds to the gateway:&lt;br /&gt;&lt;br /&gt;&amp;lt;img src="https://username:password@u.r.gate.way/known/path/img.gif"&amp;gt;&lt;br /&gt;&lt;br /&gt;***update*** - i thought this auth method was really nifty when i thought about it and tested it, and just two days ago realized that the gnucitizen crew used the same method in their AttackAPI..  mb others did before that too.  anywho, just wanted to give credit&lt;br /&gt;&lt;br /&gt;generate tons of code to brute the passwords with known usernames and image paths for common gateway models.  
once you are auth'd, you detect it and initiate a second stage which leaks out the creds and/or performs a csrf to enable wan management.&lt;br /&gt;&lt;br /&gt;bruting will work because people feel like inside is safe and they don't take reasonable precautions like password rotation, password complexity, and human monitoring of interesting log events like days of failed password attempts on the firewall.&lt;br /&gt;&lt;br /&gt;i haven't come across similar ramblings on the web yet, so i wanted to share :)&lt;br /&gt;&lt;br /&gt;thanks for stickin w/ me if you read this far ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6913521122460977921?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6913521122460977921/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6913521122460977921' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6913521122460977921'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6913521122460977921'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/06/from-blackhat-reject-bin.html' title='from the blackhat reject bin'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-4439863669409386794</id><published>2009-06-19T05:27:00.002+01:00</published><updated>2009-06-19T05:29:43.307+01:00</updated><title type='text'>dr horrible ftw</title><content type='html'>okok, so i just heard that there are ppl who haven't enjoyed this yet. soooo:&lt;br /&gt;&lt;br /&gt;&lt;object width="512" height="296"&gt;&lt;param name="movie" value="http://www.hulu.com/embed/RnaeNyO0yYF4mDe0Q5YJ8Q"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;embed src="http://www.hulu.com/embed/RnaeNyO0yYF4mDe0Q5YJ8Q" type="application/x-shockwave-flash" allowFullScreen="true"  width="512" height="296"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;enjoy :D&lt;br /&gt;&lt;br /&gt;(ps - this is 1/3)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-4439863669409386794?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/4439863669409386794/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=4439863669409386794' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4439863669409386794'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4439863669409386794'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/06/dr-horrible-ftw.html' title='dr horrible ftw'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-8317734776648923888</id><published>2009-06-08T06:09:00.002+01:00</published><updated>2009-06-08T06:12:54.350+01:00</updated><title type='text'>props</title><content type='html'>quick note to say...&lt;br /&gt;&lt;br /&gt;spent the weekend doing ctf quals w/ a bunch of peeps who are smart and cool...  appreciate the chance to play w/ peeps who know what's up, and lookin fwd to applying some new knowledge next year... &lt;br /&gt;&lt;br /&gt;oh, and btw, i didn't watch the new burn notice till just now, so you know i thought quals were cool as hell ;P&lt;br /&gt;&lt;br /&gt;peace!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-8317734776648923888?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/8317734776648923888/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=8317734776648923888' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8317734776648923888'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8317734776648923888'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/06/props.html' title='props'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-9191047293525032930</id><published>2009-06-05T02:39:00.002+01:00</published><updated>2009-06-05T02:48:15.206+01:00</updated><title type='text'>quick strongwebmail blurb</title><content type='html'>so strongwebmail got &lt;a href="http://blogs.zdnet.com/security/?p=3514"&gt;pwnt&lt;/a&gt;, and mb some hacker peeps are gettin paid... gratz all around!&lt;br /&gt;&lt;br /&gt;it's interesting that strongwebmail focused so strongly on authentication (at least in the media reports i read prior to the pwnage)...  they must've felt very secure that no one was going to find a way to read the PIN sent via SMS to a cell phone...&lt;br /&gt;&lt;br /&gt;it's a beautiful hack (imo) to ignore that aspect entirely, sign up for an account, and subvert the system from the inside on the application layer.  &lt;br /&gt;&lt;br /&gt;seems like mb strongwebmail got some tunnel-vision about their uber 2-factor auth and forgot some simple stuff like input validation and output encoding ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-9191047293525032930?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/9191047293525032930/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=9191047293525032930' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/9191047293525032930'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/9191047293525032930'/><link rel='alternate' 
type='text/html' href='http://rwnin.blogspot.com/2009/06/quick-strongwebmail-blurb.html' title='quick strongwebmail blurb'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6286918527827740486</id><published>2009-05-20T05:22:00.003+01:00</published><updated>2009-05-20T06:13:19.292+01:00</updated><title type='text'>data feed analysis</title><content type='html'>relatively simple data-mining is a powerful and prolly underutilized defensive asset for dynamic risk management...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.af.mil/news/story.asp?id=123149266"&gt;this recent rw story about a fuel leak in a plane&lt;/a&gt; is a great starting point for this little rant...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;A fuel leak on a civilian aircraft caught the attention of Staff Sgt. Bartek Bachleda, 909th Air Refueling Squadron boom operator, during a flight from Chicago to Narita airport, Japan. After alerting the pilots and aircrew, the ranking pilot made the decision to divert the flight to San Francisco.&lt;br /&gt;&lt;br /&gt;"I noticed the leak on the left side of the aircraft right behind the wing earlier during take-off," said Sergeant Bachleda.&lt;br /&gt;&lt;br /&gt;Sergeant Bachleda continued analyzing the outflow of fuel to be 100 percent sure it was a leak while the plane was reaching cruising altitude. 
&lt;span style="font-weight:bold;"&gt;Almost an hour into the flight, he told a stewardess of the possible leak&lt;/span&gt; [&lt;span style="font-style:italic;"&gt;emphasis added]&lt;/span&gt;, but was given an unconcerned response.&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;Sergeant Bachleda said the captain and the crew were trying to figure out how the aircraft was losing 6,000 pounds of fuel an hour and then they knew exactly what was going on. &lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;While conversing with the captain, the sergeant said he was hesitant at first to inform them about the leak, but he knew it was abnormal. The captain said they would have never made it to Japan if it wasn't for him. &lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;the first draft i read in my feeds said the plane diverted back to chi-town, and then they went to SF because it's the other hub to Narita (i miss you TKO!).  anyway, the impression i get from this .mil news report is that it is plausible that the plane could've flown out to the pacific before anyone noticed it was running low on fuel.  i'm sure (?) they'd notice in time to divert to some island airstrip, but that's not the point...&lt;br /&gt;&lt;br /&gt;for all the complexity and information being managed through the cockpit of the modern airliner, there is nothing that analyzes real-time information and says "you're in flying-gear and your fuel is dropping x% beyond the capacity of your engines to use fuel... LEAK!!!"&lt;br /&gt;&lt;br /&gt;if you have devices that feed data into log servers, there's a lot of good info available... don't try to make some uber system for parsing data, b/c that's just perfection being the enemy of good.  just parse for simple stuff that is clearly not right, b/c it's better than doing nothing....  who is hitting that explicit deny rule for outbound smtp on the firewall (b/c ppl other than your mail servers serving mail might be interesting... right?)?  
the number of messages received containing the word 'alert' or 'error' or 'critical' has changed by what percent over the last hour, day, and week?  user xyz has 314 denied access attempts on network shares over the last hour.  etc...  &lt;br /&gt;&lt;br /&gt;you're not looking to build some uber silver bullet, just a series of flashing lights to pull your attention to a particular area...  without knowing too much about data, you can still put things within reasonable boundaries and alert when something spikes...  a built-in regexp based tuner for false-positives, and you're all set to learn some new stuff about your environment...&lt;br /&gt;&lt;br /&gt;i've got some horrible mangled embarrassing code stuffed away in this space, and since i'm building things out for some analysis coming up (and hopefully interesting blog foo) maybe i can break this out and get things ready for release...  perhaps...  if nothing shiny gets in my way... ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6286918527827740486?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6286918527827740486/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6286918527827740486' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6286918527827740486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6286918527827740486'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/05/data-feed-analysis.html' title='data feed 
analysis'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6978404229189905676</id><published>2009-04-29T20:30:00.007+01:00</published><updated>2009-04-30T14:48:47.979+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='obama'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>effective selective near real time mass communication?</title><content type='html'>today i saw the highway being shutdown along a route that some important person would presumably soon be traveling.  i was able to observe some interesting operational details, and started pseudo-red-teaming the situation in my head looking for vulns.&lt;br /&gt;&lt;br /&gt;i tweeted about the route, and that got me thinking about how much operational real-world security benefits from obscurity.  &lt;br /&gt;&lt;br /&gt;if someone was paying attention and could act upon the information i tweeted, it could present a significant security exposure.  ZOMG!!!1!  twitter is a terrorist tool!!! nono, that's not what I'm saying...&lt;br /&gt;&lt;br /&gt;the &lt;a href="http://news.bbc.co.uk/2/hi/technology/8000401.stm"&gt;amazonfail&lt;/a&gt; hashtagging phenomenon shows us something about it.  If a grassroots group of people want to track a topic in near-real time, they can do it.  
soooo, loopin back to phy sec and operational security issues, hashtagging could be used to track a number of things which traditionally have been effective in-part due to obscurity, such as:&lt;br /&gt;&lt;br /&gt;#roadblock&lt;br /&gt;#sobrietycheck&lt;br /&gt;&lt;a href="http://hashtags.org/tag/speedtrap/messages"&gt;#speedtrap&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;these are all candidates for multi-tagging with a #city hash to make them more useful.  &lt;br /&gt;&lt;br /&gt;i guess you could track celebrity locations in near-real time too:&lt;br /&gt;&lt;br /&gt;#bradpitt #paparazzi&lt;br /&gt;#clairedanes #stalker&lt;br /&gt;&lt;br /&gt;orrrrr how about &lt;a href="http://hashtags.org/tag/flashmob/messages"&gt;#flashmob&lt;/a&gt; #city....  or #hotclub #city....  or &lt;a href="http://hashtags.org/tag/riot/messages"&gt;#riot&lt;/a&gt; #city... waitwaitwait...&lt;br /&gt;&lt;br /&gt;anyway, the point (if there is one) is that no single person can make twitter give them this type of information, but if certain hashtags become popular grassroots phenomena, they can significantly alter the effectiveness of traditional obscurity based physical security measures.  
even if #roadblock is never picked up, someone looking might be able to infer things using &lt;a href="http://hashtags.org/tag/traffic/messages"&gt;#traffic&lt;/a&gt; ;)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;*update* - looks like i tweeted the route &lt;a href="http://news.bbc.co.uk/2/hi/americas/8025790.stm"&gt;taken by the presidential motorcade&lt;/a&gt;...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6978404229189905676?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6978404229189905676/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6978404229189905676' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6978404229189905676'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6978404229189905676'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/04/effective-selective-near-real-time-mass.html' title='effective selective near real time mass communication?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1468379301741432500</id><published>2009-04-23T21:27:00.002+01:00</published><updated>2009-04-23T21:40:12.668+01:00</updated><title type='text'>quick misc blurbage</title><content type='html'>&lt;span style="font-weight:bold;"&gt;sqlmap:&lt;/span&gt; the &lt;a 
href="http://sqlmap.sourceforge.net/"&gt;new version&lt;/a&gt; sounds pretty niftified...  reading the &lt;a href="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf"&gt;whitepaper &lt;/a&gt;atm.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;GreenSQL:&lt;/span&gt; on the other side, &lt;a href="http://www.greensql.net/"&gt;this tool&lt;/a&gt; sounds potentially nifty...  a reverse proxy for SQL connections which uses positive and negative security models.  perhaps granular proxies like this can be combined with WAFs to provide reasonable app-layer protection, or perhaps you'll just end up with a huge blob of false-negatives and false-positives and an unmanageable nightmare ;)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Joint Strike Fighter theft:&lt;/span&gt; so &lt;a href="http://www.h-online.com/security/Data-stolen-from-US-Joint-Strike-Fighter-project--/news/113119"&gt;add another tally for china&lt;/a&gt; i guess (unverified).  the bit that stands out to me is that the volume of information stolen was "several terabytes".  gonna take a step back from the hype and just point out that very low-tech things like a human watching network flows and trends based on protocol and destination might've been helpful here.  maybe some low-cost common sense defensive controls will come out of the &lt;a href="http://www.google.com/hostednews/ap/article/ALeqM5gEjd5sfWB4ELyH5byMWE77yQ40_AD97L7MLO1"&gt;DoD hiring hackers&lt;/a&gt;...  
it'd be an interesting network to try to defend...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1468379301741432500?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1468379301741432500/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1468379301741432500' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1468379301741432500'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1468379301741432500'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/04/quick-misc-blurbage.html' title='quick misc blurbage'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-2647366830909372867</id><published>2009-04-09T21:19:00.004+01:00</published><updated>2009-04-09T21:46:04.900+01:00</updated><title type='text'>vapor client sec app, and futher ramblings...</title><content type='html'>now that it's CFP time, i'll revisit an idea from years past.&lt;br /&gt;&lt;br /&gt;everyone pretty much accepts that AV blacklisting fails.  modern behavioral AV appears to be hit and miss.  imo, whitelisting is the way to go.&lt;br /&gt;&lt;br /&gt;a while back i thought it'd be interesting to leverage the features of rootkits into a defensive security device.  
the crux of it was to have a rootkit that examined every program prior to execution or during execution, and if it isn't an approved and signed app, it can't run.  &lt;br /&gt;&lt;br /&gt;whitelisting is a challenge on a couple of levels:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt; &lt;li&gt; how do you stay up to date with releases, patches, etc&lt;br /&gt; &lt;li&gt; how can you decide programs aren't malicious?&lt;br /&gt; &lt;li&gt; surely more...?&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;staying up to date will require some dedicated cycles or service for evaluating new apps, accepting requests for missing apps, etc.  i've been thinking that there might be value in starting an OSS community project to identify and sign non-malicious apps.&lt;br /&gt;&lt;br /&gt;that leads into how do you decide an app isn't malicious?  the basic idea i had was for a service to run software on VMs for a period of time, and examine the traits of the software and how it has updated, impacted, and utilized the system.  using AIDE HIDS style examination of the filesystem changes, watch for network traffic, watch for changes to the OS in memory, etc.  you may even be able to write an algorithm to try to take a human analyst out of the picture, but it'd probably be tricky.&lt;br /&gt;&lt;br /&gt;if you do this, one other concern is malware which sleeps for a time-delay before becoming overtly malicious.  maybe you could do static analysis on the executable and enumerate all the functionality.  or you could run it in a vm over time, and instead of reporting something as secure/insecure, maybe you give it a security rating based on the length of time it's been analyzed (say in a VM out in the cloud in some SaaS AV whitelisting business model).  
the customer gets a portal which lets them see the trust rating of given apps, and can assume the risk of running any given app in their environment.&lt;br /&gt;&lt;br /&gt;i found out that a company called &lt;a href="http://www.fireeye.com/"&gt;fireeye&lt;/a&gt; does some really interesting heuristic AV work which does a similar HIDS type analysis of executables.  i was pretty impressed with their presentation, if only from the standpoint of doing AV out of the box, but i haven't had a chance to see the product in action yet.&lt;br /&gt;&lt;br /&gt;anyway, some people get down on whitelisting because it's too difficult to admin, and isn't perfect, etc etc.  personally, looking at enterprise endpoint management, the tradeoffs make sense to me.  an imperfect whitelisting solution which has administrative overhead should pay for itself in reduced malware cleanup, os reloads, incidents, etc.&lt;br /&gt;&lt;br /&gt;since windows is a reality in enterprise environments, i'm looking forward to spending some time with AppLocker in Windows 7 to see if there's a chance to roll out a whitelisted set of apps along with the OS in the coming future...  
seems like a huge chance for a security win, if the project can be designed and implemented properly....&lt;br /&gt;&lt;br /&gt;that's all, for now...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-2647366830909372867?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/2647366830909372867/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=2647366830909372867' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2647366830909372867'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2647366830909372867'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/04/vapor-client-sec-app-and-futher.html' title='vapor client sec app, and futher ramblings...'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-5759414424384375859</id><published>2009-04-07T03:34:00.002+01:00</published><updated>2009-04-07T03:53:58.300+01:00</updated><title type='text'>rw sec blurb</title><content type='html'>the overlaps in rw-sec and infosec tempt me into running astray w/ my blog posts from time to time...  
here is one of those times...&lt;br /&gt;&lt;br /&gt;ran across &lt;a href="http://rawstory.com/news/2008/Obama_follows_Bush_policy_on_wiretapping_0406.html"&gt;this article about how obama is using the 'state secrets' bit to block lawsuits fighting the warrantless wiretapping program&lt;/a&gt;.  rather than delving into any political bs, i want to try to examine motives here...&lt;br /&gt;&lt;br /&gt;why would obama, who is generally seen as far opposite of bush, support one of the single most controversial programs and legal positions of the bush administration?&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt; lack of moral character: he betrays key asserted ideals once he assumes the throne&lt;br /&gt;&lt;br /&gt;&lt;li&gt; pressure from hidden powers: intel agencies (et al) force his hand in some political thriller type scenario&lt;br /&gt;&lt;br /&gt;&lt;li&gt; executive power precedent: now that the executive branch has asserted such broad authority under the premise of national security, it would be moronic to give that power up (i blogged supporting this position earlier)&lt;br /&gt;&lt;br /&gt;&lt;li&gt; sources &amp; methods: there is significant intel value in this program, or in a related undisclosed program&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;at the moment i hate to lean towards the 4th option, but i am.  i think executive power is still a compelling argument ("oh, i won't use this great power for evil!"), but maybe once he got briefed in he found out that there is value here.  no matter if they ID'd Atta or not, it's clear that &lt;a href="http://en.wikipedia.org/wiki/Able_Danger"&gt;Able Danger&lt;/a&gt; demonstrated a continued commitment to generate info from data for signals intel...  perhaps the next generation programs are bearing fruit...  &lt;br /&gt;&lt;br /&gt;so pointless to speculate about really...  
anywho, maybe infosec posts again someday?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-5759414424384375859?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/5759414424384375859/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=5759414424384375859' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5759414424384375859'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5759414424384375859'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/04/rw-sec-blurb.html' title='rw sec blurb'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6687409874312947526</id><published>2009-04-03T19:50:00.000+01:00</published><updated>2009-04-03T19:53:00.371+01:00</updated><title type='text'>quick quotage</title><content type='html'>wow, it's been a long time since i posted...  been really busy w/ work, life, etc...  anywho, i was catching up on feeds, and felt like this quote from &lt;a href="http://theinvisiblethings.blogspot.com/"&gt;joanna&lt;/a&gt; is worth sharing:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;does the fact we can easily compromise the SMM today, and write SMM-based malware, does that mean the sky is falling for the average computer user?&lt;br /&gt;&lt;br /&gt;No! 
The sky has actually fallen many years ago… Default users with admin privileges, monolithic kernels everywhere, most software unsigned and downloadable over plaintext HTTP — these are the main reasons we cannot trust our systems today. And those pathetic attempts to fix it, e.g. via restricting admin users on Vista, but still requiring full admin rights to install any piece of stupid software. Or selling people illusion of security via A/V programs, that cannot even protect themselves properly…&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6687409874312947526?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6687409874312947526/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6687409874312947526' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6687409874312947526'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6687409874312947526'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/04/quick-quotage.html' title='quick quotage'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7453275507048262210</id><published>2009-02-05T08:35:00.005Z</published><updated>2009-02-05T08:48:25.140Z</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='sha1'/><category scheme='http://www.blogger.com/atom/ns#' term='collisions'/><category scheme='http://www.blogger.com/atom/ns#' term='md5'/><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='hashes'/><category scheme='http://www.blogger.com/atom/ns#' term='certificates'/><title type='text'>hittin the hash | yet again</title><content type='html'>hashes and collisions have been on the back-burner for a bit now w/ &lt;a href="http://www.kb.cert.org/vuls/id/836068"&gt;recent hullabaloo&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;so the thought that keeps coming back (reminder: /me != math guy) came from my experiences w/ gentoo... either the kernel or portage (but not both ;) used .sig files which contained multiple hashes for verification of the download integrity.&lt;br /&gt;&lt;br /&gt;so say you've got a 1/x chance of collision in md5 and a 1/y chance of collision in sha1 (assuming that x &amp; y are both reasonably large numbers), then isn't the likelihood of getting a collision of *both* hashes on the same file exponentially larger than getting a collision on x or y individually?  
&lt;br /&gt;&lt;br /&gt;so if we're really worried about the apparently real weaknesses in some md5 and the up and coming realistic weaknesses in sha1 (via that chinese-professor-ninja-woman &amp; her math students iirc), why not just start checking multiple hashes each time we verify integrity?&lt;br /&gt;&lt;br /&gt;no new technology needed, just parse more than 1 value before you evaluate that if/then to true, right?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7453275507048262210?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7453275507048262210/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7453275507048262210' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7453275507048262210'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7453275507048262210'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/02/hittin-hash-yet-again.html' title='hittin the hash | yet again'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7934777109236993937</id><published>2009-02-02T07:50:00.002Z</published><updated>2009-02-02T08:02:44.363Z</updated><title type='text'>the birds n the bees</title><content type='html'>i've heard that nature repeats itself at different scales.  
seems reasonable to me.  i know that nature has a lot to teach us (and if you don't, then sry but you're not paying attention)...  so let's play around w/ analysing some attack and defence in nature and see where we end up...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.thedailygreen.com/environmental-news/blogs/bees/colony-collapse-disorder-88012901"&gt;source article about bees which may or may not be getting completely pwnt&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;beekeepers that didn't suffer from Colony Collapse Disorder, or had only a touch of the plague, made changes too, and they are still around and in fact are doing well and growing. Those changes have been huge in terms of what they have managed to do with the number of colonies they have, and even more so in terms of the paradigm shift in colony management techniques. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;wait... orgs are supposed to adapt?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;the major shift has been in how beekeepers monitor for, and control varroa mites in their colonies.&lt;/blockquote&gt; &lt;br /&gt;&lt;br /&gt;monitor the health and activity of network participants?  what?!?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Better techniques are being used to find and count mite populations, and safer and kinder techniques are being used to control those mites.&lt;/blockquote&gt; &lt;br /&gt;&lt;br /&gt;are you one of those managers who told a motivated employee that dedicating time to review logs doesn't matter?  for shame!  
for shame!!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;This is good because mite populations don't build up to lethal numbers, lots of mites aren't able to pass along destructive viruses, and the control agents previously used are no longer building up inside the colony.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;in my experience, manual intrusions seem to involve a period of time where the intruder evaluates and probes prior to executing whatever plan they have to help themselves at your expense.  looking for signs of intrusion (logs!) is vital...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Beekeepers are feeding their bees more food when food is scarce, feeding them at a more appropriate time in the season, and feeding them better food. All have contributed to better wintering, better buildup, and healthier colonies.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;what?  support and nurture the business?!?  crazy-talk!!!  (lol)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7934777109236993937?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7934777109236993937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7934777109236993937' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7934777109236993937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7934777109236993937'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/02/birds-n-bees.html' title='the birds n the bees'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3219799091942901245</id><published>2009-02-02T07:39:00.002Z</published><updated>2009-02-02T07:48:43.935Z</updated><title type='text'>flags aren't always true</title><content type='html'>srsly, we know this....&lt;br /&gt;&lt;br /&gt;anyway, so the official story is that &lt;a href="http://news.google.com/news?hl=en&amp;ned=us&amp;nolr=1&amp;q=black+death+al+qaeda&amp;btnG=Search"&gt;(an) al-qaeda cell(s) in Algeria are dying because they caught the black death...&lt;/a&gt;  unfortunate side-effect which occurs when attempting to kill the american devil w/ biological hazards...&lt;br /&gt;&lt;br /&gt;forgive me, but while the whole 'omfg terrorists w/ bio-agents' story is quite striking, i kinda expected red threat levels and all of that.&lt;br /&gt;&lt;br /&gt;but you could consider an alternate view-point...  the black death is highly curable.  so if you infected hostile covert operatives with it they would spread it to their allies (your enemies!) who would be faced with either death or treatment at a hospital (oh, the black death you say?  
i'm sure the security services aren't interested in anyone with *that* old disease).&lt;br /&gt;&lt;br /&gt;just a random thought...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3219799091942901245?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3219799091942901245/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3219799091942901245' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3219799091942901245'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3219799091942901245'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/02/flags-arent-always-true.html' title='flags aren&apos;t always true'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7640114182113859963</id><published>2009-01-18T17:38:00.003Z</published><updated>2009-01-18T18:37:00.740Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='javascript'/><category scheme='http://www.blogger.com/atom/ns#' term='sandbox'/><category scheme='http://www.blogger.com/atom/ns#' term='noscript'/><category scheme='http://www.blogger.com/atom/ns#' term='feature'/><category scheme='http://www.blogger.com/atom/ns#' term='giorgio'/><title type='text'>noscript feature</title><content type='html'>ok, so peeps 
around me might've heard me blabbing on and on about my exciting noscript 'discovery'...  i stumbled upon functionality i thought was weird while searching for sharpening stones for my katana (ironic but true).&lt;br /&gt;&lt;br /&gt;anyway, i procrastinated research for a month or so, and when i realized i wasn't going to fuzz each html tag for js execution i emailed giorgio...  that deflating sound is my ego:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;many thanks for the PoC.&lt;br /&gt;&lt;br /&gt;Is it just about links going back and forth in history working?&lt;br /&gt;If so, fortunately that's a feature, not a bug: NoScript Options|Advanced|Untrusted|Attempt to fix JavaScript links.&lt;br /&gt;In order to make user's life easier, NoScript tries to detect JavaScript links used for navigation purposes (e.g. containing an URL or resembling a back/forth history navigation) and "emulate" them on the fly *by design*.&lt;br /&gt;If you want, you can disable this feature from the aforementioned configuration option.&lt;br /&gt;&lt;br /&gt;Please let me know if I'm missing something more malicious.&lt;br /&gt;&lt;br /&gt;Thank you again&lt;br /&gt;--&lt;br /&gt;Giorgio&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;i respond:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;oh wow!  rtfm &amp; bad on me!  ;)  ok, well the things that seem malicious are all subtle imo. &lt;br /&gt;&lt;br /&gt;the fact that .go() can be used for arbitrary navigation kinda seems dangerous.  
even though you'll be running noscript wherever you end up, it could be used to exploit a vuln that noscript doesn't protect against (possibly flash, pdf, etc).&lt;br /&gt;...&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;and giorgio disagrees:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;no "automatic navigation" can be triggered, because of the way this feature works: it reacts on *user click*, checks if the clicked item is a link (either an anchor or a map or a button) and tries to "guess" the destination by simple string parsing, then emulates the navigation.&lt;br /&gt;&lt;br /&gt;Cheers&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;well, i'm not going to get into an infosec pissing match w/ &lt;a href="http://maone.net/"&gt;a guy&lt;/a&gt; who's contributed more to protect end-users than i prolly ever will... sigh...&lt;br /&gt;&lt;br /&gt;i was really surprised to find script execution when i had ns set to not allow scripts globally.&lt;br /&gt;&lt;br /&gt;for the navigation feature, i've got no click generating foo atm.  iirc there are things that can be done to overlay pages and catch clicks.&lt;br /&gt;&lt;br /&gt;for the sandbox fun, nursing my bruised ego kept me away from coming up w/ a way to smuggle the information back to the attacker.  but my understanding of infosec suggests that giving someone a way to discover information about a system (file exists, exists but you don't have perms, exists and is executable, and doesn't exist) is not optimal.  
also, prompting a user w/ a download dialogue seems dangerous, even for local files.&lt;br /&gt;&lt;br /&gt;anyway, &lt;a href="http://rwnin.security.googlepages.com/noscript_feature.htm"&gt;i've put up a quick PoC&lt;/a&gt; for the stuff i was playing with...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7640114182113859963?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7640114182113859963/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7640114182113859963' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7640114182113859963'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7640114182113859963'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/01/noscript-feature.html' title='noscript feature'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1523007736890748917</id><published>2009-01-02T04:18:00.002Z</published><updated>2009-01-02T04:31:40.454Z</updated><title type='text'>winter cleaning time</title><content type='html'>was out in cali visiting my folks, and got into an infosec discussion w/ dad (who sat patiently while i ranted for a *while*).  
&lt;br /&gt;&lt;br /&gt;on the topic of best practices i was talking about password rotation and pushed an idea i've been kickin around (but which has roots w/ &lt;a href="https://twitter.com/shawnmoyer"&gt;@shawnmoyer&lt;/a&gt;)...  i've been thinking of doing a livecd experiment (really, someday soon), and for a less extreme suggestion i brought up treating your OS install as a replaceable session.  do quarterly rotations, or whatever.&lt;br /&gt;&lt;br /&gt;doing this limits the lifetime of a lot of compromises, ensures that recent (restorable) backups exist, and pushes you towards a core set of applications which are being kept up to date.&lt;br /&gt;&lt;br /&gt;he asked if i was doing this myself, and i owned up and said no.  so now i am.  bleh, me and my big mouth... ;)&lt;br /&gt;&lt;br /&gt;anywho, i'll be linking up interesting docs and stuff &lt;a href="http://rwnin.security.googlepages.com/"&gt;here&lt;/a&gt; when i find em...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1523007736890748917?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1523007736890748917/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1523007736890748917' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1523007736890748917'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1523007736890748917'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2009/01/winter-cleaning-time.html' title='winter cleaning 
time'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-4347162357353643370</id><published>2008-12-31T07:03:00.004Z</published><updated>2008-12-31T07:51:05.998Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='hash'/><category scheme='http://www.blogger.com/atom/ns#' term='collision'/><category scheme='http://www.blogger.com/atom/ns#' term='md5'/><title type='text'>hashes and collisions</title><content type='html'>ok, so there's been a &lt;a href="http://www.win.tue.nl/hashclash/rogue-ca/"&gt;few&lt;/a&gt; &lt;a href="http://www.microsoft.com/technet/security/advisory/961509.mspx"&gt;blurbs&lt;/a&gt; about &lt;a href="http://en.wikipedia.org/wiki/Hash_function"&gt;hashes&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Hash_collision"&gt;collisions&lt;/a&gt; lately...&lt;br /&gt;&lt;br /&gt;this is something that caught my eye back in the day in CS class...&lt;br /&gt;&lt;br /&gt;i am not a math guy at all (stats breaks my brain), so i am not at all qualified to speak on this topic.  a hash function like md5 or sha1 or whatever takes an arbitrary sized input and reduces it to a pseudo-unique string of a certain size.  so take the following md5 values:&lt;br /&gt;&lt;br /&gt;echo "r" | md5sum&lt;br /&gt;72cfd272ace172fa35026445fbef9b03&lt;br /&gt;echo "rw" | md5sum&lt;br /&gt;bc3f381953be1f16b956a9d394cf969f&lt;br /&gt;echo "rwnin" | md5sum&lt;br /&gt;023c306a26488624aaa2b3028779cfb0&lt;br /&gt;&lt;br /&gt;so each input gets a "unique" output, but the issue is that a one, two, five, or five thousand character input always gets a 32 character output.  
so if you input a single character, or the entire text of hamlet, or any (or every) subset of hamlet possible you will always get a 32 character output with md5.  &lt;br /&gt;&lt;br /&gt;as i said before, i'm not so good with math, but there is a fundamental problem here.  a 32 character hex value can represent approx 3.4x10^38 values.  that's a ton!!!  BUT. that huge number of values is used to represent *all arbitrary (infinite) values*...&lt;br /&gt;&lt;br /&gt;and that's the problem.  so even sha512 gives you a fixed length output.  ultimately you know that collisions in such a system are possible.  they may be mathematically unlikely, but they are inevitable.&lt;br /&gt;&lt;br /&gt;so it's kinda frustrating to read the vuln advisories which say "oh, most people stopped using md5 so this isn't an issue", because a few years ago there were advisories which said "we stopped using 3DES so this isn't an issue".  &lt;br /&gt;&lt;br /&gt;if we decide to place our trust in hash based certificates (which is our trust in the tubes, at the end of the day), we need to accept that someone might get lucky and fake a CA cert.  the haters may say "oh well that's super unlikely".  well, i guess they are the same people who say "it's stupid to buy a lottery ticket!  do you know the odds!?!"&lt;br /&gt;&lt;br /&gt;well guess what, every week or three, some lucky bastard wins the lottery.  and some unlucky bastard gets struck by lightning.  
so don't be surprised if someone finds a collision for your hash algorithm.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-4347162357353643370?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/4347162357353643370/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=4347162357353643370' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4347162357353643370'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4347162357353643370'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/12/hashes-and-collisions.html' title='hashes and collisions'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7430386517976091981</id><published>2008-12-12T18:19:00.002Z</published><updated>2008-12-12T18:34:56.271Z</updated><title type='text'>ironic: /me props av company</title><content type='html'>so i've dogged on the AV industry pretty hard in the past, but i want to give some props to the peeps at &lt;a href="http://www.avertlabs.com/research/blog/index.php"&gt;McAfee Avert Labs&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;i've been following them on my feeds for a while and they turn out consistently interesting and nifty blurbs about attackers.  
sometimes tech, and sometimes just info.&lt;br /&gt;&lt;br /&gt;i found this portion of &lt;a href="http://www.avertlabs.com/research/blog/index.php/2008/12/11/click-the-link-below-the-bad-habits-that-create-new-victims-of-online-fraud/"&gt;a recent entry&lt;/a&gt; particularly interesting:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Many websites employ security images to convince the user that they can feel safe logging in so long as they see a teddy bear, a train, or some other image they choose from a library when creating their profile.  As phishing scams become more complex, scammers’ websites can easily start acting as proxies to the legitimate website. This isn’t in widespread use yet, but a few isolated incidents have been seen, and the technique is easy to craft: when you enter your username into the phishing site, the site turns around and queries the legitimate website for your security image. It can then display the security image to the customer to gain their trust.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;that's just an awesome bit of info.  attackers using their phishing sites as proxies to get your security image?!?  a simple and prolly quite effective hack against pseudo-2-factor auth.  it doesn't break the tubes, and there are mitigations, but it's something i'd never thought of before.&lt;br /&gt;&lt;br /&gt;btw, the theme of that blog post is about online fraud and also users who are new to the internet, which is a topic some friends and i kicked around a while ago.  we just got to the point where grandma isn't going to fall for lovebug type emails, and now we've got this emerging class of users out of china, some african nations, and other emerging economies.  do we have to re-educate all of these people from scratch???  
&lt;br /&gt;&lt;br /&gt;i was happy to hear from a coworker who recently got back from a trip to china that the security team he worked w/ over there is developing short (30 second) snippets about security best-practices and distributing them to their users as an ongoing practice.  hopefully we'll see more stuff like that all over as time goes on...&lt;br /&gt;&lt;br /&gt;sooooo, if avert labs isn't on your feeds, i'm poking you cause it's pretty good stuff...&lt;br /&gt;&lt;br /&gt;anywho... lookit that, a post which props some AV peeps and ends on a hopeful note...  ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7430386517976091981?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7430386517976091981/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7430386517976091981' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7430386517976091981'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7430386517976091981'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/12/ironic-me-props-av-company.html' title='ironic: /me props av company'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-9200616190100046965</id><published>2008-12-10T22:29:00.003Z</published><updated>2008-12-12T14:59:00.264Z</updated><title type='text'>ie 0day and the heap spray....</title><content type='html'>so &lt;a href="http://www.breakingpointsystems.com/community/blog/patch-tuesdays-and-drive-by-sundays"&gt;this little writeup on the ie7 0day by hdmoore&lt;/a&gt; got me thinking about heap sprays and such.  &lt;br /&gt;&lt;br /&gt;that reminded me of &lt;a href="http://blogs.iss.net/archive/cve-2008-0017.html"&gt;this awesome writeup by justin schuh&lt;/a&gt; about turning a firefox bug into a sploit&lt;del&gt;, because i think the technique he was using here was also a heap spray&lt;/del&gt;.  (note: turns out it's not a heap spray, but similar on some levels)&lt;br /&gt;&lt;br /&gt;i'm really curious about leveraging heap sprays in javascript enabled applications beyond the browser (such as PDFs and Flash), but i doubt i'll get motivated enough to play.  i am way behind on things already!&lt;br /&gt;&lt;br /&gt;i keep putting off my pending semi-substantial blog post too...  
/me sighs...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-9200616190100046965?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/9200616190100046965/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=9200616190100046965' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/9200616190100046965'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/9200616190100046965'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/12/ie-0day-and-heap-spray.html' title='ie 0day and the heap spray....'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-8281496712725184906</id><published>2008-12-05T15:47:00.002Z</published><updated>2008-12-05T15:52:45.201Z</updated><title type='text'>vuln report digestion</title><content type='html'>(note: this is NOT an article about responsible disclosure ;)&lt;br /&gt;&lt;br /&gt;so i found some vulns in a commercial app a while back, and i've been working w/ the vendor to get them reported and fixed and all of that.  &lt;br /&gt;&lt;br /&gt;when i first tried to contact this reasonably large company my google search foo was weak, and i couldn't find the proper email address to report the vuln.  
so i started digging through the "contact us" phone numbers and making calls.  after 2 hours of phone trees and transfers and being on hold, i went back to google and found the proper email address.&lt;br /&gt;&lt;br /&gt;this is a company which makes IT products for businesses, and their security reporting contact info is buried deep enough in a page that what i found on google was someone asking my same question and someone else answering it.&lt;br /&gt;&lt;br /&gt;so what happens if you try to do responsible disclosure on something outside the norm?  how about the &lt;a href="http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212201777"&gt;modem CSRF vuln&lt;/a&gt; disclosed by &lt;a href="http://www.neohaxor.org/"&gt;nathan&lt;/a&gt; the other day?  here we have a consumer grade product produced by a big ass corp, and an attack which exploits default settings via one of the less well known web application attack vectors.&lt;br /&gt;&lt;br /&gt;if you hit the &lt;a href="https://www.motorola.com/feedback.jsp"&gt;contact us page at motorola.com&lt;/a&gt; to try to report this issue, you're relegated to the "general info" team.  are they going to take this issue seriously?  are they going to route it to the right people to get a firmware update made (to fix the retarded defaults) and a notice pushed out to consumers?&lt;br /&gt;&lt;br /&gt;this may be an application level attack, and it may be against a non-traditional target, but the disclosure was pretty similar to dropping an 0day.  anyone who read his blurb and has some tech skills could be out there owning gateways right now.  and if you did it right you could potentially own a lot, which could lead to a lot of other attacks.&lt;br /&gt;&lt;br /&gt;i'll go out on a limb and speculate that privately reporting this vuln to motorola would probably be more of a pain than i went through doing my recent disclosure.  
&lt;br /&gt;&lt;br /&gt;it'd be nice to see companies that produce tech products or services putting security contact info on their main "contact us" pages to help researchers who want to privately report vulns but don't want it to be an arduous journey...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-8281496712725184906?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/8281496712725184906/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=8281496712725184906' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8281496712725184906'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8281496712725184906'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/12/vuln-report-digestion.html' title='vuln report digestion'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-5270620751847812795</id><published>2008-11-24T17:17:00.004Z</published><updated>2008-11-24T17:29:08.746Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='visualization'/><category scheme='http://www.blogger.com/atom/ns#' term='tao security'/><title type='text'>more tao props - data visualization</title><content type='html'>another &lt;a 
href="http://taosecurity.blogspot.com/2008/11/digital-asset-scorecards.html"&gt;interesting (imo) tao article&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;what jumped out at me is the attempt to take data normally displayed as text and move it into a visual format.&lt;br /&gt;&lt;br /&gt;i've spent far too much time kicking this type of idea around (and def not enough time coding solutions: suX0r@me).  &lt;br /&gt;&lt;br /&gt;back in the day (at a corp which saw no value in log review) i was reviewing boatloads of event logs each morning, and while doing 'page-down, page-down, page-down' on the retarded windows messages i hadn't yet parsed out on the syslog server, i noticed that i was looking for a visual change in the text patterns scrolling by to get my attention.  when the scrolling pattern changed, i'd page up and pay attention.  i know this sucks, but the job didn't give me much time, and i figured it was better than nothing.&lt;br /&gt;&lt;br /&gt;i ended up coding up a different solution (which i'll finish and release some day, really!) which processed all these impossible to read win log data messages and turned them into useful info (ie: bob had 12,631 failed logins in the last hour).&lt;br /&gt;&lt;br /&gt;but the visual cue thing sticks with me to this day.  i've really wanted to build a visual scoreboard very very similar to the tao post for use with either log events or with network flows (kinda like bruce potter talks about; pay attn to the outliers).&lt;br /&gt;&lt;br /&gt;anyway, i'm not at a gig where i have visibility on big pipes anymore, or big syslog feeds, so all my dev in this area has halted.  
hopefully i'll get back to it someday...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-5270620751847812795?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/5270620751847812795/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=5270620751847812795' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5270620751847812795'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5270620751847812795'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/11/more-tao-props-data-visualization.html' title='more tao props - data visualization'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-211627095701556586</id><published>2008-11-20T15:56:00.002Z</published><updated>2008-11-20T16:32:44.482Z</updated><title type='text'>a couple thoughts</title><content type='html'>first up, and kinda relating to my last post, there is a &lt;a href="http://taosecurity.blogspot.com/2008/11/intellectual-property-develop-or-steal.html"&gt;really interesting blurb over at tao sec&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Who buys stolen business data? Brett Kingstone, founder of Super Vision International ... knows the answer all too well. 
In 2000, an intruder breached Super Vision's public-facing website and probed deep enough to snatch secrets behind the company's patented fiber-optic technology ... [which] made its way into the hands of a Chinese entrepreneur ... [who] built a new Chinese factory from scratch and began mass marketing low-priced counterfeit lighting fixtures ... "They had an entire clone of our manufacturing facility"&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;ouch...  it matches up w/ reports we've heard over the years, from titan rain to reports of mass EU data theft coming out of china.  and it matches up w/ incidents i've seen personally.&lt;br /&gt;&lt;br /&gt;anyway, the relation to the last post is just that identifying *what you have* that is valuable, and *where it all resides*, is a pre-req to getting down to securing those assets.&lt;br /&gt;&lt;br /&gt;=-=-=-=-=-=-=-=-=-&lt;br /&gt;&lt;br /&gt;also, i've done some waf work lately, and came away feeling (like many others) that they don't do much to prevent application layer attacks.&lt;br /&gt;&lt;br /&gt;i came across a sans diary entry (linkage lost) that gave me pause tho.  in my experience fighting wafs, there was a lot of trial and error finding ways around them, and those bypasses varied depending on which waf i was fighting.&lt;br /&gt;&lt;br /&gt;until attackers make smarter bots that attempt a variety of app level attack vectors, wafs might offer worthwhile protections against asprox-like 'dumb' bot attacks.  &lt;br /&gt;&lt;br /&gt;attackers sitting at a keyboard tho?  
not holding my breath there ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-211627095701556586?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/211627095701556586/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=211627095701556586' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/211627095701556586'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/211627095701556586'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/11/couple-thoughts.html' title='a couple thoughts'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-5184252575994318010</id><published>2008-11-02T02:52:00.005Z</published><updated>2008-11-02T04:40:56.825Z</updated><title type='text'>kissxss</title><content type='html'>to quote many good teachers: "keep it simple stupid"&lt;br /&gt;&lt;br /&gt;while we're on that subject, i am often stupid... ;) &lt;br /&gt;&lt;br /&gt;=-=-=-=-=-=-=-=-=-=-=-=-=-&lt;br /&gt;&lt;br /&gt;ever hear something like: who is really going to attack it? there isn't anything valuable there&lt;br /&gt;&lt;br /&gt;it sounds reasonable and risk management-ish because they're allocating limited infosec resources by examining the likelihood of an event. 
but is the conversation limited to the perception of value held by the decision makers (who might be middle management for developers, dbas, sysadmins, etc)?&lt;br /&gt;&lt;br /&gt;someone can covet something of yours, even if you don't know you have it.&lt;br /&gt;&lt;br /&gt;say you have a reasonable security setup. you've got layer 3 segmentation into security zones, good firewall policies segregating traffic between those zones, and you've got a decent waf protecting your web app dmz. and let's ignore any argument that a compromise could be used to leverage an attack on another system in that security zone, since most non-infosec peeps glaze over at that point.&lt;br /&gt;&lt;br /&gt;so you're trying to convince people to take you seriously about fixing those medium-rated host configuration vulns and web app flaws, and they're telling the cio "well, we already fixed the stuff rated high, and our people are stacked up and deadlines are tight. you know those security guys, they jump at their own shadows."&lt;br /&gt;&lt;br /&gt;so our attacker alice pokes around. there's a portion of a mundane web app that appears to be vulnerable to reflected xss. but there's no login to steal, and no sensitive information on the site or host. the app doesn't do anything with money or sensitive info.&lt;br /&gt;&lt;br /&gt;alice determines that using dangerous values in the suspected param results in a different 200 OK page, redir, reset, or whatever. alice probes the suspected vuln and determines that a small subset of xss attacks work past the waf. even when they work, the functionality is very limited because the waf is blocking many potentially abused html elements as well as some scripting syntax.&lt;br /&gt;&lt;br /&gt;alice can use either scripting or html to influence user navigation, but is reliant on user interaction to do it. 
there is no significant limitation to normal characters or the length of her reflecting input.&lt;br /&gt;&lt;br /&gt;so she designs a phishing mail or maybe puts together a fake flash advert for the target company. it's all legit looking w/ reasonable syntax and diction, and uses logos and says something like come check our site we make cool widgets. the link contains the xss that alters the contents of the page. the user still sees your legit site, but it has a little "limited time sale" bait or something like that. it's just subtle 'click here to buy now', but they're already kinda interested in you and your widget because they followed the link. and the price is reasonable. not a steal, but definitely on sale.&lt;br /&gt;&lt;br /&gt;alice registered ecommerce-yourdomain.com with your look and feel, and it says "secure" and "safe" when you click through. it doesn't use ssl when you submit, so some potential customers might dig and notice, but some wouldn't. expect your package within 7 to 10 business days :P&lt;br /&gt;&lt;br /&gt;so in the end, there are customers who went to your site and were offered a deal. their money is with alice, and your brand was leveraged to make it happen.&lt;br /&gt;&lt;br /&gt;even if your waf picked up the probes, and even if your admins actually investigated, the probing could be done in such a way that the attack vector is not deducible. and alice could wait a while after the probe to perform the attack, and maybe get a couple days before anyone calls your helpdesk with a concern.&lt;br /&gt;&lt;br /&gt;there are a lot of highly-effective subtle and simple attacks like this. there are proactive counter-measures that can reduce a lot of risk, but the solutions are often manual and mundane rather than sexy-terminatrix (btw: river tam ftw!) ninja hacker shit. &lt;br /&gt;&lt;br /&gt;targeted methodical process and procedure can reduce a lot of risk, and can be implemented and maintained with relatively little manpower cost. 
think about that the next time you're getting wined and dined by some vendor for some 6 figure plus nifty gadget that is going to keep you safe.&lt;br /&gt;&lt;br /&gt;there may be more value in investing in some mundane things (which might also end up improving the org overall ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-5184252575994318010?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/5184252575994318010/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=5184252575994318010' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5184252575994318010'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5184252575994318010'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/11/kissxss.html' title='kissxss'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-4280451307324331570</id><published>2008-10-11T19:06:00.006+01:00</published><updated>2009-04-07T04:07:10.882+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='terrorism'/><category scheme='http://www.blogger.com/atom/ns#' term='hate by numbers'/><category scheme='http://www.blogger.com/atom/ns#' term='drugs'/><category scheme='http://www.blogger.com/atom/ns#' term='tsa'/><title type='text'>my 
hate by numbers ripoff post</title><content type='html'>ok, let's scope out to national security matters w/ &lt;a href="http://www.lohud.com/apps/pbcs.dll/article?AID=2008810080369"&gt;this article&lt;/a&gt; for a min...  &lt;a href="http://www.cracked.com/video_16655_chuck-norris-roundhouse-kicks-politics-logic-on-cnn.html"&gt;hate by numbers&lt;/a&gt; ftw btw...&lt;br /&gt;&lt;br /&gt;(alt links since the orig is 404:&lt;br /&gt;&lt;br /&gt;http://poorbuthappy.com/colombia/post/drug-mules-coming-from-latin-america/&lt;br /&gt;http://www.foxnews.com/story/0,2933,434561,00.html&lt;br /&gt;)&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The man found dead in a suitcase in Tibbetts Brook Park last week was a drug mule from the Dominican Republic who died from an apparent overdose after two packets of heroin leaked into his body, police said yesterday.&lt;/blockquote&gt;&lt;br /&gt;1: i'm assuming it was a big ass suitcase or he was cut up, but i'm w/ you overall.  we have a country of origin for this drug smuggler's body we found...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Authorities found 50 packets of heroin, with a street value of at least $100,000, inside the man's body. They believe he was likely dumped in the park by fellow drug mules after his accidental overdose.&lt;/blockquote&gt;&lt;br /&gt;2: ok, i guess they prolly used a big ass suitcase then since they clearly weren't interested in cutting someone up, even for a ton of cash...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The man, who has yet to be identified&lt;/blockquote&gt;&lt;br /&gt;3: wait, what?  we know what country he's from, but we don't know who he is?  ok... that's a little weird, but reportedly they get that idea from an item in his possession which has yet to be identified.  
&lt;br /&gt;&lt;br /&gt;all that aside, we don't know who he is, so i guess he covertly crossed the border on foot?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Police said that the man had probably flown to the United States on a paid mission to deliver drugs&lt;/blockquote&gt;&lt;br /&gt;4: i'm sorry, wtf?  we accept w/o blinking that we have a known foreign-national flying into the states and government security apparatus protecting our borders from another 9/11 (TSA, INS, ICE, DHS, etc) don't know who he is?&lt;br /&gt;&lt;br /&gt;oh, well maybe that was just a local pd spokesman mistake, right?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;His fingerprints did not match any in U.S. databases, so he probably was never arrested in this country&lt;/blockquote&gt; &lt;br /&gt;5: oh, &lt;a href="http://www.foxnews.com/story/0,2933,434561,00.html"&gt;that was a fox news report&lt;/a&gt;?  well wtf?  don't you need to get &lt;a href="http://travel.state.gov/visa/immigrants/info/info_1336.html"&gt;between 2 and 10 finger-prints&lt;/a&gt; taken when you &lt;a href="http://www.unitedstatesvisas.gov/obtainingvisa/"&gt;get a visa&lt;/a&gt; to visit the united states?&lt;br /&gt;&lt;br /&gt;well, no fingerprints required if you're from one of those 27 countries which make uber passports that you'd have a pretty hard time faking...  the Dominican Republic isn't on that list...  what do we know about them anyway?  oh, wait, &lt;a href="http://www.state.gov/p/inl/rls/nrcrpt/2008/vol1/html/100778.htm"&gt;we've been working with their security apparatus for at least the last three years&lt;/a&gt; and know they are a huge drug smuggling transit point?  &lt;br /&gt;&lt;br /&gt;are you telling me that i go through all that bullshit at the airport (even though we've already secured the cockpit) to make sure i'm not a terrorist even though i'm a US citizen and fly all the damn time...  
but if i'm some dude from a known drug state, i can just forge some papers and get right in?&lt;br /&gt;&lt;br /&gt;well, maybe he faked them out somehow...  was real sneaky-like...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"There could be three, four, five of these mules working together," Calabrese said, explaining how the drug transport system works. "They may be on the same plane, they may be on different planes, but they've usually got to meet up at some place because they've got to pass the drugs. They usually meet in a hotel or motel, or in an apartment nearby. They may be there for a day, maybe two, until they get the drugs to come out.&lt;/blockquote&gt;&lt;br /&gt;6: wait, we know all that stuff about how they operate?  really?  we know all that because someone has watched them before i guess?  soooo, could we be watching these people now?  or could we mandate an ultrasound for people coming from known countries?  or we could keep them in a resort place for 3 days to see if they crap out a lot of drugs or need emergency surgery?  isn't the US fighting a war on drugs?  hasn't that been going on for a long time now?&lt;br /&gt;&lt;br /&gt;gee, i hope the war on terror goes a little better than the war on drugs...  
&lt;br /&gt;&lt;br /&gt;it seems like no one who has a reasonable grasp of security and risk management is callin the shots up top...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-4280451307324331570?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/4280451307324331570/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=4280451307324331570' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4280451307324331570'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4280451307324331570'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/10/my-hate-by-numbers-ripoff-post.html' title='my hate by numbers ripoff post'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3755081134940148655</id><published>2008-10-06T02:46:00.002+01:00</published><updated>2008-10-06T03:36:37.398+01:00</updated><title type='text'>big heist?</title><content type='html'>ok, so there's been a lot of this countermedia stuff lately.  
no idea on how legit any of it is (/me + econ == fail)...&lt;br /&gt;&lt;br /&gt;it didn't seem like anything about protests about the bailout bubbled up to a worthwhile story in the mainstream media, but i mighta missed it...&lt;br /&gt;&lt;br /&gt;so supposition is:  is it possible that the US is getting knocked off like a big ass bank?&lt;br /&gt;&lt;br /&gt;big oil and corp types are elected, soo:&lt;br /&gt;&lt;br /&gt;policy of deregulation &amp; big business breaks put into place for 8 years == $$$&lt;br /&gt;huge ongoing war started (iraq) == $$$&lt;br /&gt;mindset of perpetual conflict (terror) == $$$&lt;br /&gt;huge oil prices (xfer of wealth from US to uber-rich and oil-rich actors) == $$$&lt;br /&gt;huge bailout to corps who failed in the free market by being retarded == $$$&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/h9-tBGxVU6o&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/h9-tBGxVU6o&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;i really hate the 9/11 conspiracy stuff too btw, and i've been debating whether or not to post.  i've just got nothing to add to the space except mb to say that didn't people always say that a big govt coverup won't work b/c too much shit would leak and be known...  could one make an argument that there is an ever broadening set of legit questions which aren't addressed by the US govt surrounding 9/11?  i donno...&lt;br /&gt;&lt;br /&gt;what i do know, is that post 9/11 the US as a nation has lost touch w/ some of the wisdom of the founding fathers about keeping the gov't from getting all up in your business.  and the fact is, w/ warrantless wiretapping, echelon-type information gathering has been hugely expanded.  
now it is theoretically possible for govt to:&lt;br /&gt;&lt;br /&gt;- listen in on your voip and/or &lt;a href="http://www.heise-online.co.uk/security/Speculation-over-back-door-in-Skype--/news/111170"&gt;skype&lt;/a&gt; calls&lt;br /&gt;- track significant data relating to online behavior (activities, patterns, interests)&lt;br /&gt;- &lt;a href="http://news.zdnet.com/2100-1035_22-150467.html"&gt;discreetly activate cell phones for audio surveillance&lt;/a&gt;&lt;br /&gt;- &lt;a href="http://en.wikipedia.org/wiki/Mobile_phone_tracking"&gt;track physical location via cell phone tower triangulation&lt;/a&gt;&lt;br /&gt;- have &lt;a href="http://en.wikipedia.org/wiki/Spy_satellite"&gt;eyes-on&lt;/a&gt; of physical activity in all-weather (?) at a resolution approaching 1m (out of my ass) whenever you can see the sky?&lt;br /&gt;&lt;br /&gt;personally, i think people who say "well if you don't have anything to hide"  are out of touch w/ the constitution as well as &lt;a href="http://en.wikipedia.org/wiki/COINTELPRO#Illegal_surveillance"&gt;relevant historical precedent&lt;/a&gt;...  
really, &lt;a href="http://www.npr.org/templates/story/story.php?storyId=92207687"&gt;they do this stuff (linkage legality not disputed here, btw)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;and if you think i'm just a nut, you might be right, but lemmie point out that this falls in line w/ talks being given by &lt;a href="http://www.youtube.com/watch?v=2onV9FZ0xio"&gt;potter&lt;/a&gt; (in that a lot can be found in applying stats to loads of raw data) and arguably &lt;a href="http://www.forbes.com/2008/03/06/disappear-online-facebook-tech-personal-cx_ag_0307disappear.html"&gt;dead addict&lt;/a&gt; (iirc: suppressing information footprints in datasets which are subject to statistical analysis can be more of a flag than existing normally within the mainstream data-set).&lt;br /&gt;&lt;br /&gt;speaking to that latter point, you can note that hans reiser &lt;a href="http://www.informationweek.com/news/management/legal/showArticle.jhtml?articleID=208402817"&gt;took the battery out of his cell phone&lt;/a&gt; when he buried his wife.  the cops with him to recover her body said they walked right past it in their search, and would've never found it (read in some article i'm too lazy to cite, sry).&lt;br /&gt;&lt;br /&gt;dropping off the grid could be raising red flags on someone's radar.  similarly, using strong encryption more than the avg joe could be a flag that you warrant further watching.  &lt;br /&gt;&lt;br /&gt;stretching too far, one could speculate that subtle attacks on CA and trusted crypto infrastructure would clearly be highly guarded information, given how valuable eavesdropping on "secure" communications proved during wwII and prolly ever since...&lt;br /&gt;&lt;br /&gt;anyway, i hear that someone slipped subtle verbiage into the bailout bill that allows the taxpayer to have some option to have some ownership in the companies being bailed out.  maybe there are good-guys out there slayin dragons in the shadows...  
who knows...&lt;br /&gt;&lt;br /&gt;bottom line, there is a reason that the fight for punishing your friendly telecom (&lt;a href="http://gizmodo.com/5051840/verizon-waited-almost-four-days-to-help-authorities-find-body-of-missing-woman"&gt;who aren't interested in helping you, btw&lt;/a&gt;) has all but been abandoned.  there's a reason no candidate is talking about this.  who would want to give up that much power?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://secure.eff.org/donate"&gt;give a few $$$ to EFF&lt;/a&gt;, they are good peeps fighting for all of us normal folk...  (i in no way speak for them, btw, they prolly think i'm a nut ;)&lt;br /&gt;&lt;br /&gt;someday i'll post real sec stuff again... really ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3755081134940148655?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3755081134940148655/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3755081134940148655' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3755081134940148655'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3755081134940148655'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/10/big-heist.html' title='big heist?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7712584404901555376</id><published>2008-10-06T02:36:00.001+01:00</published><updated>2008-10-06T02:38:19.137+01:00</updated><title type='text'>winter is coming...</title><content type='html'>and i'm way not cool enough to be doin stuff like this...  prolly... ;)&lt;br /&gt;&lt;br /&gt;&lt;object width="464" height="388" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"&gt;&lt;param name="movie" value="http://www2.shredordie.com/public/flash/fodplayer.swf" /&gt;&lt;param name="flashvars" value="key=ba5d2806f2&amp;vert=shredordie" /&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;embed width="464" height="388" flashvars="key=ba5d2806f2&amp;vert=shredordie" allowfullscreen="true" quality="high" src="http://www2.shredordie.com/public/flash/fodplayer.swf" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div style="text-align:center;width: 464px;"&gt;See more &lt;a href="http://www.shredordie.com/tinadixon"&gt;tinadixon&lt;/a&gt; videos at Shred or Die&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;ps: phife ftw&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7712584404901555376?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7712584404901555376/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7712584404901555376' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7712584404901555376'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7712584404901555376'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/10/winter-is-coming.html' title='winter is coming...'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-4179061816681430105</id><published>2008-10-03T23:53:00.001+01:00</published><updated>2008-10-03T23:54:57.635+01:00</updated><title type='text'>ok, not condoning...</title><content type='html'>but i am really impressed &lt;a href="http://www.king5.com/topstories/stories/NW_100108WAB_monroe_robber_floating_escape_TP.ce3930c1.html"&gt;with this bank robbery&lt;/a&gt; from an attack perspective...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-4179061816681430105?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/4179061816681430105/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=4179061816681430105' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4179061816681430105'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4179061816681430105'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/10/ok-not-condoning.html' title='ok, not 
condoning...'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3041539997070508756</id><published>2008-09-12T18:50:00.003+01:00</published><updated>2008-09-12T18:57:59.607+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='full disclosure'/><category scheme='http://www.blogger.com/atom/ns#' term='litchfield'/><category scheme='http://www.blogger.com/atom/ns#' term='0day'/><category scheme='http://www.blogger.com/atom/ns#' term='oracle'/><title type='text'>not sure if this is good or bad...</title><content type='html'>full disclosure foo...  so litchfield is a ninja and all, but i'm torn on this one...  &lt;br /&gt;&lt;br /&gt;&lt;a href="http://lists.grok.org.uk/pipermail/full-disclosure/2008-July/063255.html"&gt;here is a no-auth remote compromise of oracle dbs&lt;/a&gt; from a few months back...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;NGSSoftware Insight Security Research Advisory&lt;br /&gt;&lt;br /&gt;Name: PLSQL Injection in Oracle Application Server&lt;br /&gt;Systems Affected: Oracle Application Server 9.0.4.3, 10.1.2.2, 10.1.4.1&lt;br /&gt;Severity: Critical&lt;br /&gt;Vendor URL: http://www.oracle.com/&lt;br /&gt;Author: David Litchfield [ davidl at ngssoftware.com ]&lt;br /&gt;Reported: 9th October 2007&lt;br /&gt;Date of Public Advisory: 15th July 2008&lt;br /&gt;Advisory number: #NISR15072008&lt;br /&gt;CVE: CVE-2008-2589&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;do you see what i saw?  &lt;br /&gt;&lt;br /&gt;it was publicly disclosed in july 08, but reported to the vendor in *oct 07*.  no-auth remote compromise just hanging for the better part of a year...  
&lt;br /&gt;&lt;br /&gt;i'm sorry, but if it really takes that long to dev a security patch, oracle is doing something really really wrong.  &lt;br /&gt;&lt;br /&gt;this is one of those times where (imho) dropping 0day to kick vendors in the arse is completely justified.  not weaponized or anything, but get that info out there.  how many other peeps found that vuln and didn't disclose?  no one will ever know...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3041539997070508756?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3041539997070508756/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3041539997070508756' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3041539997070508756'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3041539997070508756'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/09/not-sure-if-this-is-good-or-bad.html' title='not sure if this is good or bad...'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-4702700256764094679</id><published>2008-09-12T18:27:00.003+01:00</published><updated>2008-09-12T18:50:31.242+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ie8'/><category 
scheme='http://www.blogger.com/atom/ns#' term='add-ons'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>ie 8 add-ons</title><content type='html'>so &lt;a href="http://www.ieaddons.com/en/"&gt;ie8 supports add-ons&lt;/a&gt;...  judging by the number of ratings, not too many people are playing around yet...&lt;br /&gt;&lt;br /&gt;the &lt;a href="http://www.ieaddons.com/en/search/?browse=true&amp;search=security"&gt;security options&lt;/a&gt; are disappointing, and i'd really like more visibility into how these apps are vetted.  are they ms built, or community-built?  i'm too lazy to register atm ;)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ieaddons.com/en/details/Security/Proxomitron/"&gt;here's an app&lt;/a&gt; from wayyyyyyyyyy back in the day...  prolly my first app layer foo, for doing zebulun... lulz...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-4702700256764094679?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/4702700256764094679/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=4702700256764094679' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4702700256764094679'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4702700256764094679'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/09/ie-8-add-ons.html' title='ie 8 add-ons'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-842272825291424276</id><published>2008-09-04T03:29:00.002+01:00</published><updated>2008-09-04T03:44:20.173+01:00</updated><title type='text'>that was quick</title><content type='html'>check &lt;a href="http://blogs.zdnet.com/security/?p=1847"&gt;this vuln&lt;/a&gt; out:  &lt;br /&gt;&lt;br /&gt;"denial of service vulnerability that is successfully crashing the Chrome browser with all tabs"  &lt;br /&gt;&lt;br /&gt;wait a min...  they said all those tabs were separate processes to avoid futzin w/ other tabs like this.  so how is this working?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a ’special’ character, the chrome crashes with a Google Chrome message window “Whoa! Google Chrome has crashed. Restart now?”.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;think it was a fuzz?&lt;br /&gt;&lt;br /&gt;i haven't dug around the nix source yet, but i bet the protocol handler is part of the chrome process, and receives data passed up by all of the tab processes.  &lt;br /&gt;&lt;br /&gt;those critical vulns that affect the entire browser space are still there...  prolly time will tell if there are fewer, or if they're harder to get to, or easier to fix.  
;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-842272825291424276?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/842272825291424276/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=842272825291424276' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/842272825291424276'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/842272825291424276'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/09/that-was-quick.html' title='that was quick'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-8960456648853592026</id><published>2008-09-03T20:44:00.003+01:00</published><updated>2008-09-04T03:46:43.523+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='chrome'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='google'/><title type='text'>google chrome security thoughts</title><content type='html'>some peeps say &lt;a href="http://www.tssci-security.com/archives/2008/09/02/google-chrome-first-look/"&gt;nay&lt;/a&gt; and others say mb...&lt;br /&gt;&lt;br /&gt;looks like pdp is &lt;a href="http://www.gnucitizen.org/blog/rethinking-the-desktop-model/"&gt;running w/ it&lt;/a&gt; 
as a model changing the way we use computers...??  he doesn't say so, but it sure sounds similar...&lt;br /&gt;&lt;br /&gt;there have been a number of vulns (carpet bombing, etc) reported so far, but i'm not too worried about those.  this is beta software, so we have to expect there will be some oversights which can be exploited.  so, based on what we know today, how do we see the design changes which will be present in the final release impacting security?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[process isolation]&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.google.com/googlebooks/chrome/images/4.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px;" src="http://www.google.com/googlebooks/chrome/images/4.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;process isolation may defeat some client side attacks...  are cookies isolated to their tabs?  if so, browsing separate domains via tabs may offer some protection from cookie stealing and CSRF.&lt;br /&gt;&lt;br /&gt;this is kinda out there, but since processes are isolated, watchdogs on memory and proc usage (mb io?) may be able to identify 0day-ish attacks which are consuming resources...?  that's a long shot tho...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[incognito]&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.google.com/googlebooks/chrome/images/22.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px;" src="http://www.google.com/googlebooks/chrome/images/22.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;incognito mode seems nice on many levels.  
i've heard jokes about how it's just a pr0n-mode, but there are many times i browse around online where i don't want to allow any web site to write anything to disk (ie:  reading headlines on digg).  i don't expect anything hostile to happen, but there are attacks (ie: malicious ads/apps via 3rd party content) which could be bumped into.  why not use incognito for daily-browsing?  might it be a reasonable alternative to running no-script, ad-block, cookie-safe, and flash-block?&lt;br /&gt;&lt;br /&gt;i do question whether or not this is read-only, or just a more restricted jail.  it seems like temporary file writes will still be required, but i'm not quite sure...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[attack vectors]&lt;br /&gt;&lt;br /&gt;so what attacks look possible under this design?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.google.com/googlebooks/chrome/images/23.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px;" src="http://www.google.com/googlebooks/chrome/images/23.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;so if users drag pop-ups out, and they get promoted to their own windows, how does that impact sec?  does all retained information (cookies, history, etc) propagate to the new process for the pop'd out tab?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.google.com/googlebooks/chrome/images/26.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px;" src="http://www.google.com/googlebooks/chrome/images/26.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;sandboxing seems very very good...  lots of badness (malicious jscript stealing creds, keylogging, etc) is mitigated in this model.  but can it be attacked?  
if each process is isolated, can an escalation attack upward against the master chrome process succeed in breaking the security model?  that brings the question of how much chrome security depends on the isolation model being maintained (ie: how bad are things if isolation is gone; are we just back to where we were w/ browsers pre-chrome?  or is it worse b/c we assumed we'd be isolated and so didn't take other sec steps)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.google.com/googlebooks/chrome/images/29.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px;" src="http://www.google.com/googlebooks/chrome/images/29.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;the idea of tracking what a user has actually requested is pretty nifty.  reminds me of packet-filters (old browsers) vs stateful firewalls (chrome).  the comic here points out that plugins don't conform to this model, so those may be a weak-point.  another issue will be whether or not a process can create a false user request.  can a malicious pwnt tab process mimic some type of user request, either in the local tab or in another tab process.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.google.com/googlebooks/chrome/images/31.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px;" src="http://www.google.com/googlebooks/chrome/images/31.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;sandboxing plugins reduces risk, but they can now attack upward as well?  will a flaw in a plug-in feature (ie: quick-time, flash) potentially open the chrome process to attack?&lt;br /&gt;&lt;br /&gt;another interesting tidbit in the diagram is that the chrome process links pages to plugins.  can this be abused somehow?  
can plugins associate themselves w/ alternate pages?  what makes a process eligible to be linked to a plugin process?  etc etc etc...&lt;br /&gt;&lt;br /&gt;that's all i've got for now.  chrome seems to offer some nifty and refreshing looks at browser design.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-8960456648853592026?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/8960456648853592026/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=8960456648853592026' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8960456648853592026'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8960456648853592026'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/09/ghrome-security-thoughts.html' title='google chrome security thoughts'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1564718196816889551</id><published>2008-08-27T15:26:00.002+01:00</published><updated>2008-08-27T15:52:27.646+01:00</updated><title type='text'>curr.state == enveloped</title><content type='html'>runnin through my feeds this morning, and came across &lt;a href="http://www.gnucitizen.org/blog/clouds-and-the-distorted-notion-of-direct-control/"&gt;this great cloud post&lt;/a&gt; by pdp...  
it kinda struck a chord, so i'm using it as a launching point for this blurb.&lt;br /&gt;&lt;br /&gt;it doesn't really fit the usage of the term, but you're already in the cloud today.  your credit card info resides on many different corporate networks.  so does your ssn, and your mother's maiden name, and everything about you that allows you to validate and authenticate yourself w/ all of the entities you interact w/ on a day-to-day basis.  all of this information is beyond your ability to protect.  &lt;br /&gt;&lt;br /&gt;so as "the cloud" gets buzzier and buzzier, it makes sense to examine it.  don't freak on me and start doing the "nonono, it's a bad security thing, get it away!!!"  don't try to stop it, b/c it will flow right around you (and your tower ;) and pass you by.&lt;br /&gt;&lt;br /&gt;business and user communities generally don't consult security peeps until the enemies are at the gate, or a shot has already been fired (and probably found a target).  &lt;br /&gt;&lt;br /&gt;it is frustrating that we have to jump up and down screaming to get noticed sometimes, but in a way the business is practicing risk management by not implementing everything we sec-folk dream up.  sometimes it is really tough to accept unmitigated risks that exist within the environments we are charged with protecting, but sometimes we need to act more like actuaries studying mortality tables.  when you're looking at your org, you should spend some time looking at risk at 10k meters.&lt;br /&gt;&lt;br /&gt;we place faith and trust in many places which can be exploited today, but we feel reasonably safe. can you say that your data is less secure in the cloud than it is on your local lan?  really?  
cause i've seen a fair number of local lans, and nearly all that i've seen have higher exposure to internal threats and dedicated external attackers than i feel comfortable with.&lt;br /&gt;&lt;br /&gt;(some) cloud companies are going to design (some) security into their models, and it might be better than what you have today.  w/ all your un-audited server shares with default 'everyone' read permissions all over the place, and mobile machines traversing between your lan and hostile networks.&lt;br /&gt;&lt;br /&gt;some cloud companies are going to make mistakes and get owned.  some data will be disclosed.  some cloud companies will learn, and some of those will improve.&lt;br /&gt;&lt;br /&gt;i heard once that the us navy seals emphasize the phrase 'it pays to be first' during BUD/S hell-week.  well, sometimes it doesn't pay to be first.  i remember reading a story about a soldier in bosnia during the initial deployment in the 90s.  he was manning a turret in a convoy, and a rock was thrown up from the vehicle in front of him, and he was killed.  doing high-speed convoys on rock roads was a new thing for that unit, and there was an unforeseen risk.  that really sucks.  later convoys implemented counter-measures (drive slower, protect the turret from thrown rocks, etc) to adapt to the risk.&lt;br /&gt;&lt;br /&gt;it hurts to be the first guy when you're faced with unidentified risks.  but you can't be so afraid you don't operate.  so when you're out there, try to be like &lt;a href="http://en.wikipedia.org/wiki/List_of_Cowboy_Bebop_characters#Spike_Spiegel"&gt;spike&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;It's not about strength or power - you gotta be fluid ... Water can take any form. 
It drifts without effort one moment then pounds down in a torrent the very next&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;if your org starts using the cloud, and you perceive that the risks you face are increasing, develop controls and procedures to mitigate the best you can, and roll with it ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1564718196816889551?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1564718196816889551/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1564718196816889551' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1564718196816889551'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1564718196816889551'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/08/currstate-enveloped.html' title='curr.state == enveloped'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1339620092170095845</id><published>2008-08-20T19:49:00.002+01:00</published><updated>2008-08-20T19:59:37.589+01:00</updated><title type='text'>beautiful attack</title><content type='html'>via &lt;a href="http://blogs.zdnet.com/security/?p=1750"&gt;zero day&lt;/a&gt;: suspected insider help or coercion to get backdoored components installed in atms.  
the people who installed the hardware were dressed like legit technicians.&lt;br /&gt;&lt;br /&gt;this is a beautiful attack because it can be done in broad daylight against targets that people wouldn't normally suspect.  if you don't get greedy and you don't slip up, you could run an op like this for a long time before anyone caught on.&lt;br /&gt;&lt;br /&gt;the more we push automated systems out to physically autonomous end-points, the more we'll have to worry about similar attacks.  i am surprised ATM physical security is relatively single-layered...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1339620092170095845?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1339620092170095845/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1339620092170095845' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1339620092170095845'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1339620092170095845'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/08/beautiful-attack.html' title='beautiful attack'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-5581235446417510173</id><published>2008-08-19T15:51:00.002+01:00</published><updated>2008-08-19T15:58:30.475+01:00</updated><title type='text'>quick postage</title><content type='html'>ok, so bh/dc was an interesting experience.  tons of good content at bh.  didn't do many talks @ dc, but dc is always different than bh.&lt;br /&gt;&lt;br /&gt;some more on the flash space... looks like &lt;a href="http://blogs.zdnet.com/security/?p=1733"&gt;more attacks cropping up&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;seems like some interesting stuff may be going on w/ &lt;a href="http://securityandthe.net/2008/08/19/core-fedora-servers-hacked/"&gt;the fedora servers&lt;/a&gt;...  suck ;)&lt;br /&gt;&lt;br /&gt;anyway, i have a boatload of projects i need to be working on...&lt;br /&gt;&lt;br /&gt;- http malware analysis&lt;br /&gt;- flash research foo&lt;br /&gt;- noscript foo spawned by hoffman 1&lt;br /&gt;- noscript foo spawned by hoffman 2&lt;br /&gt;&lt;br /&gt;and prolly more...  also i have to write up my bh notes...  
anyway, more to come at a later date.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-5581235446417510173?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/5581235446417510173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=5581235446417510173' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5581235446417510173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5581235446417510173'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/08/quick-postage.html' title='quick postage'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6957041185528905728</id><published>2008-08-05T06:40:00.004+01:00</published><updated>2008-08-05T06:51:32.564+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='flash cookies'/><category scheme='http://www.blogger.com/atom/ns#' term='flash'/><title type='text'>flash cookies</title><content type='html'>this isn't really new, and mb it isn't even worth sharin...  anywho, i'd blocked flash-cookies out of my mind until recently.&lt;br /&gt;&lt;br /&gt;so here's the deal.  
you can manage cookies, and clear your privacy settings when you close your browser, but chances are that flash cookies are still being set and maintaining persistence.&lt;br /&gt;&lt;br /&gt;worse, i think javascript can access files a client has rights to read (not sure on that), and the ~/.adobe and ~/.macromedia directories default to the read bit for others on ubuntu and gentoo from what i see.&lt;br /&gt;&lt;br /&gt;so, if i'm right about the js bit, there you have the ability to track web sites visited, and maybe even pull data like usernames and passwords/hashes (pandora) out of flash cookies.&lt;br /&gt;&lt;br /&gt;not the end of the world, but mb worth keeping in mind...  there seems to be a &lt;a href="http://objection.mozdev.org/"&gt;moz plugin project trying to deal w/ this issue&lt;/a&gt;...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6957041185528905728?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6957041185528905728/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6957041185528905728' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6957041185528905728'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6957041185528905728'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/08/flash-cookies.html' title='flash cookies'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6525816282715776055</id><published>2008-08-05T01:42:00.001+01:00</published><updated>2008-08-05T01:44:25.877+01:00</updated><title type='text'>raw domino ownage</title><content type='html'>everyone remember your truth tables and logic gates?  :D&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/SudixyugiX4&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/SudixyugiX4&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;domino mother ucker (uckin w/ my shi;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6525816282715776055?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6525816282715776055/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6525816282715776055' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6525816282715776055'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6525816282715776055'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/08/raw-domino-ownage.html' title='raw domino ownage'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-821673104031348022</id><published>2008-08-05T01:20:00.002+01:00</published><updated>2008-08-05T01:42:20.643+01:00</updated><title type='text'>linkage</title><content type='html'>i have unfortunate personal interest in this blurb &lt;a href="http://www.securityfocus.com/brief/762"&gt;about game vulns&lt;/a&gt;...  &lt;a href="http://aluigi.org/"&gt;luigi&lt;/a&gt; seems to be the only guy tearin this space up (or at least the only one disclosing ;)&lt;br /&gt;&lt;br /&gt;the moral here?  the attack surface is &lt;a href="http://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Moyer"&gt;growing&lt;/a&gt; much faster than people generally realize...&lt;br /&gt;&lt;br /&gt;01010101010101010101010101010101010101010101&lt;br /&gt;&lt;br /&gt;i accidentally lost my link to a better version of &lt;a href="http://news.zdnet.co.uk/internet/0,1000000097,2135325,00.htm"&gt;this story&lt;/a&gt; about a guy who is teaching classes to students on how to create malware...  
&lt;a href="http://rwnin.blogspot.com/2008/04/race-to-stfu.html"&gt;once again&lt;/a&gt;, here is my opinion of the av industry:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://rwnin.security.googlepages.com/failcheesecat.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px;" src="http://rwnin.security.googlepages.com/failcheesecat.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;all your uber-secret mumbo-jumbo hasn't worked so good, so how about we try information sharing and public disclosure?&lt;br /&gt;&lt;br /&gt;01010101010101010101010101010101010101010101&lt;br /&gt;&lt;br /&gt;sucks when your &lt;a href="http://www.frsirt.com/english/advisories/2008/2263"&gt;free security products get you owned&lt;/a&gt;...  the sad bit here is that i had a decent conversation w/ a bluecoat se who explained the app to me, and imo it was a very nifty concept intended to benefit the tubes at large...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-821673104031348022?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/821673104031348022/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=821673104031348022' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/821673104031348022'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/821673104031348022'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/08/linkage.html' 
title='linkage'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-2438107104296885559</id><published>2008-08-05T01:14:00.002+01:00</published><updated>2008-08-05T01:20:18.943+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='blackhat'/><title type='text'>blackhat</title><content type='html'>flyin out tomorrow...  traded places w/ &lt;a href="http://pajhome.org.uk/index.html"&gt;paul&lt;/a&gt;, who has contributed far more than i to the tubes...  i have (endless;) plans tho! &lt;br /&gt;&lt;br /&gt;anywho, i've got way too many things to do before i jump on the plane, and one of those is linkage dequeue foo...  ready? :D&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-2438107104296885559?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/2438107104296885559/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=2438107104296885559' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2438107104296885559'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2438107104296885559'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/08/blackhat.html' 
title='blackhat'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7580618123495961009</id><published>2008-07-30T06:42:00.004+01:00</published><updated>2008-12-10T04:26:11.966Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='need sleep'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='https'/><category scheme='http://www.blogger.com/atom/ns#' term='web app sec'/><title type='text'>up too late</title><content type='html'>got a new gig!  pretty exciting.  getting to focus in on web app stuff, and am working w/ folk who have some talent and exp... just bein around, listening, and asking questions should help me learn plenty of good stuff.&lt;br /&gt;&lt;br /&gt;i'm in corp world wearing a suit atm w/ the new gig, but it's just a disguise ;)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ai6JN2kiD6A/SJAKI5CjG7I/AAAAAAAAAFA/H-kxieWlj3I/s1600-h/comfort.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/_ai6JN2kiD6A/SJAKI5CjG7I/AAAAAAAAAFA/H-kxieWlj3I/s400/comfort.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5228690315243887538" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;so, along that vein of blending in but being different, i stopped looking at webapps and went back to a project brought up at my local citysec a while back.  
basically a discussion over how to detect malware the way potter is talking about coming up in vegas (iiuc: looking at the extremities of the bell curve of network flows to identify malware).&lt;br /&gt;&lt;br /&gt;so i got a vm to kick around and found some live malware which was described as running over http...  i've got a lot of analysis to do, and who knows if i'll ever get to what i want w/ it, but it's been interesting (and of course, there were unintended consequences ;).  here's some &lt;a href="http://rwnin.security.googlepages.com/brief_01.txt"&gt;excerpts in a .txt&lt;/a&gt; so the blog doesn't completely dork the formatting...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7580618123495961009?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7580618123495961009/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7580618123495961009' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7580618123495961009'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7580618123495961009'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/07/up-too-late.html' title='up too late'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://1.bp.blogspot.com/_ai6JN2kiD6A/SJAKI5CjG7I/AAAAAAAAAFA/H-kxieWlj3I/s72-c/comfort.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-2076916291223676369</id><published>2008-07-19T03:47:00.002+01:00</published><updated>2008-07-19T03:54:40.630+01:00</updated><title type='text'>irony?</title><content type='html'>via wikipedia:  &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;There is some argument about what is or is not ironic, but all the different senses of irony revolve around the perceived notion of an incongruity between what is said and what is meant; or between an understanding of reality, or an expectation of a reality, and what actually happens.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;so... is it ironic (per se? lol) that breaking up patterns is used to defeat IDS and WAFs, but also used to make sure you get served ads?  &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;// split things up to **** blockers&lt;br /&gt;var url = 'http://a'+'d.doublecl'+'ick.net/' + embedType + '/****.';&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;this last bit is tangential (surprised?).  
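
What the comment in that snippet is counting on, shown as an added example that is not from the post: a blocker (or an IDS/WAF signature) that matches the raw page source never sees the string 'ad.doubleclick.net', because it only exists once the pieces are concatenated. Folding adjacent string literals before matching, the same normalisation step a WAF applies to encoded input, puts it back together. The Python below is mine; the pattern list and the tail of the URL are constructed stand-ins (the post masked that part).

```python
import re

# Constructed rule list: the host from the post, reassembled. It is an
# assumption for this example, not any real blocker's list.
BLOCK_PATTERNS = ("ad.doubleclick.net",)

# The split-up literal from the post, as a source scanner would see it.
# The '/x.' tail is a placeholder for the part the post masked out.
SPLIT_SOURCE = "var url = 'http://a'+'d.doublecl'+'ick.net/' + embedType + '/x.';"

# Two single-quoted literals joined by '+', with optional whitespace.
_ADJACENT_LITERALS = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def fold_literals(js_source):
    """Join adjacent single-quoted literals that are concatenated with '+'.

    'http://a'+'d.doublecl'+'ick.net/' becomes 'http://ad.doubleclick.net/'.
    Only this one construct is handled (no escapes, no double quotes), which
    is enough to show why a signature matched against raw source loses to
    string concatenation and why normalising first gets the match back.
    """
    folded = js_source
    while True:
        new = _ADJACENT_LITERALS.sub(
            lambda m: "'" + m.group(1) + m.group(2) + "'", folded)
        if new == folded:
            return folded  # fixed point: nothing left to fold
        folded = new


def naive_match(js_source, patterns=BLOCK_PATTERNS):
    """Raw-source signature check: the behaviour the post's comment assumes."""
    return any(p in js_source for p in patterns)


def normalised_match(js_source, patterns=BLOCK_PATTERNS):
    """The same signatures, applied after constant folding."""
    return naive_match(fold_literals(js_source), patterns)


if __name__ == "__main__":
    print("raw source matches:      ", naive_match(SPLIT_SOURCE))
    print("after folding matches:   ", normalised_match(SPLIT_SOURCE))
    print("folded:", fold_literals(SPLIT_SOURCE))
```

The same idea applies in the other direction the post mentions: an IDS or WAF that matches on one encoding of a payload and not on the decoded form is beaten by the same trick, so normalise before you match.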
imo, the net neutral crowd had better be prepared to fight the powers that be long and hard, b/c there's a lot of movers and shakers who get pushed out of $$$ if they can't find a way to start taking money for all the time you spend online...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-2076916291223676369?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/2076916291223676369/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=2076916291223676369' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2076916291223676369'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2076916291223676369'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/07/irony.html' title='irony?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7475398890980921215</id><published>2008-07-17T04:43:00.004+01:00</published><updated>2008-07-17T04:52:43.955+01:00</updated><title type='text'>google stuff</title><content type='html'>ran across this as well...  i guess it is a google security service for web2 stuff...  
need to dig up some more info, but here's what caught my attn:&lt;br /&gt;&lt;br /&gt;POST: http://safebrowsing.clients.google.com:80/safebrowsing/downloads?client=Firefox&amp;appver=3.0&amp;pver=2.1&amp;wrkey=&lt;br /&gt;&lt;br /&gt;Host safebrowsing.clients.google.com&lt;br /&gt;User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0&lt;br /&gt;Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8&lt;br /&gt;Accept-Language en-us,en;q=0.5&lt;br /&gt;Accept-Encoding gzip,deflate&lt;br /&gt;Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7&lt;br /&gt;Keep-Alive 300&lt;br /&gt;Proxy-Connection keep-alive&lt;br /&gt;Content-length 25124&lt;br /&gt;Content-Type text/plain&lt;br /&gt;&lt;br /&gt;goog-malware-shavar;a:29,63-65,68-70,72-74,76-86,&lt;br /&gt;88-100,102-104,106-111,114-115,118-126,128-134,&lt;br /&gt;136-140,142,144-147,150-159,161-168,170-177,&lt;br /&gt;179-180,184-186,188-190,192-195,198-211,213-214,&lt;br /&gt;216-244,246-249,262,269-276,278-279,281-288,&lt;br /&gt;290-299,301-308,311-313,&lt;br /&gt;329-331,333-335,338-339,341-342,344-346,348-366,&lt;br /&gt;369-370,372-392,394-396,399-408,410-413,415-416,&lt;br /&gt;418-419,421-424,426-474,476-498,500-506,508-532,&lt;br /&gt;534-535,537-539,541-569,571-574,576-578,580-583,&lt;br /&gt;586-589,591-608,610-613,615-617,620-621,625,627,&lt;br /&gt;629-631,635,639,645,647-648,650,652,663-664,666,&lt;br /&gt;674,685,692,708,713,716,724,730-731,741,749,751,&lt;br /&gt;754,760,767,771,778-780,783-784,793,796-797,802,&lt;br /&gt;806,808,820-821,825,831,833,843-844,847,849,852,&lt;br /&gt;854,856-857,861,863,869,873,888,891,893,895-897,&lt;br /&gt;900,902-903,909-910,912-914,919,921,924,926,&lt;br /&gt;928-932,934-937,940,944-946,949,953-954,958,962,&lt;br /&gt;964-967,970-971,974-977,980-981,985-986,989-990,&lt;br /&gt;993,1000,1003,1013,1019,1030,1035,1037,1040,1049,&lt;br /&gt;1051,1054-1055,1064,1067,1071-1072,1075,1077,&lt;br 
/&gt;1089,1093,1101,1106,1110,1118-1119,1122,1134,&lt;br /&gt;1146-1148,1150,1152,1154-1155,1163,1175-1176,1179,&lt;br /&gt;1185,1192,1200-1201,1204,1209,1213,1216,1222-1223,&lt;br /&gt;1226,1229,1235,1243,1246,1266,1270,1272-1273,1276,&lt;br /&gt;1279,1281,1289-1290,1292-1293,1296,1299,1303,&lt;br /&gt;1306-1308,1310,1316-1317,1319,1321-1322,1324,1336,&lt;br /&gt;1348-1349,1351,1355,1362,1378,1380-1381,1383-1384,&lt;br /&gt;1387,1390,1394,1399,1402,1407,1416,1426,1431,1435,&lt;br /&gt;1438,1440-1443,1449,1461,1463,1469,1473,1478,1482,&lt;br /&gt;1487,1497-1509,1511,1513-1532,1536-1537,1540,1542,&lt;br /&gt;1544-1545,1547-1553,1555-1571,1573,1577,1582-1583,&lt;br /&gt;1585,1588-1589,1591-1592,1597,1608,1620-1623,&lt;br /&gt;1625-1627,1631,1633,1739,1742,1746-1747,1758,1823,&lt;br /&gt;1851,1888,1911,1915,1919,1932,1953,1956,1961-1962,&lt;br /&gt;1964-1965,1969-1971,1976,1978,1981,2000,2004-2007,&lt;br /&gt;2011,2025,2027,2031,2033-2035,2038,2040,2044,&lt;br /&gt;2046-2047,2066-2067,2071-2072,2074,2091,2093,2096,&lt;br /&gt;2099-2102,2109,2113-2114,2117-2133,2135-2136,&lt;br /&gt;2138-2139,2141,2143-2149,2151-2169,2185,2187-2189,&lt;br /&gt;2191,2194-2196,2205,2210,2213-2216,2224,2227,2260,&lt;br /&gt;2330-2331,2372,2378,2385,2387,2392,2397,2429-2431,&lt;br /&gt;2434-2436,2438-2441,2445-2446,2448-2449,2451,2454,&lt;br /&gt;2457,2466-2469,2471-2473,2475,2479-2482,2485-2486,&lt;br /&gt;2488-2489,2491-2493,2495-2496,2498-2500,2502,2508,&lt;br /&gt;2512,2516,2520-2534,2544-2545,2548-2551,2561,&lt;br /&gt;2563-2565,2571-2578,2583,2586,2589,2593,2600,&lt;br /&gt;2602-2604,2607,2610,2620-2622,2625-2626,2631-2632,&lt;br /&gt;2640-2644,2647-2649,2651,2653-2655,2664-2665,&lt;br /&gt;2668-2672,2674-2675,2681,2683,2695-2696,2702-2708,&lt;br /&gt;2710,2712-2720,2724-2726,2728,2730-2731,2733-2736,&lt;br /&gt;2738,2742-2743,2745-2752,2754-2765,2767,2773-2774,&lt;br /&gt;2776,2778-2779,2781,2785-2786,2791,2797-2818,&lt;br 
/&gt;2820-2825,2827-2841,2843-2871,2873-2878,2880-2906,&lt;br /&gt;2910,2913-2978,2980-2992,2995-3020,3022,3024-3031,&lt;br /&gt;3033-3065,3068-3169,3171-3178,3180-3183,3185-3186,&lt;br /&gt;3188-3190,3193-3196,3199-3204,3207,3210-3211,&lt;br /&gt;3218-3219,3223,3227-3228,3231-3232,3235,3240,&lt;br /&gt;3249-3250,3252-3254,3256,3260,3263-3264,3266,&lt;br /&gt;3268-3271,3275-3277,3279,3284,3297,3299-3302,3307,&lt;br /&gt;3309-3311,3313-3316,3318-3326,3330,3336-3338,&lt;br /&gt;3346-3349,3351-3377,3379,3381-3383,3385-3391,&lt;br /&gt;3395-3398,3405-3420,3430,3432,3436,3439-3502,&lt;br /&gt;3505-3531,3537-3580,3582-3741,3747,3749,3751,3753,&lt;br /&gt;3755,3757-3784,3788-3789,3791-3792,3794-3795,3798,&lt;br /&gt;3805,3808,3813-3820,3822-3836,3838,3840-3895,&lt;br /&gt;3897-3913,3915,3918,3920,3922,3926,3929-3933,&lt;br /&gt;3935-3936,3938-3939,3943-3944,3947-3951,3954-3956,&lt;br /&gt;3960-3961,3963-3966,3968,3972,3976,3980,3983,&lt;br /&gt;3987-3989,3992,3994,3996,3998-3999,4001-4003,4005,&lt;br /&gt;4007-4008,4011-4012,4014,4017-4019,4023,4025,&lt;br /&gt;4027-4028,4031-4032,4035,4039,4041-4045,4047,4049,&lt;br /&gt;4058-4062,4065,4068,4070,4073,4075,4077,4079,4083,&lt;br /&gt;4087,4090,4092-4093,4095,4097-4100,4105-4106,4108,&lt;br /&gt;4110-4111,4113,4116-4118,4122,4125,4127,4130,&lt;br /&gt;4132-4134,4136-4138,4140-4141,4145-4146,4148-4149,&lt;br /&gt;4151,4156,4161-4162,4166,4168,4170,4172,4175,4177,&lt;br /&gt;4179,4181,4185-4186,4197,4208,4213-4215,4219,&lt;br /&gt;4222-4224,4226-4227,4230-4231,4235,4240-4242,&lt;br /&gt;4244-4246,4248,4250-4251,4254-4255,4257-4259,&lt;br /&gt;4261-4262,4265,4269,4272,4274,4276,4278,4281-4283,&lt;br /&gt;4286,4288,4291,4293,4295-4297,4299,4303,4305,&lt;br /&gt;4307-4311,4313,4316,4318,4320-4321,4323-4324,4327,&lt;br /&gt;4330,4332,4334,4337,4339-4341,4346-4347,4349,4351,&lt;br /&gt;4354,4356,4358,4360-4361,4363-4367,4369,4373,&lt;br /&gt;4376-4377,4380,4383,4385,4389-4390,4392-4393,4396,&lt;br 
/&gt;4399,4401-4402,4404,4406-4407,4409,4411,4413,&lt;br /&gt;4416-4423,4426,4428,4431-4432,4434-4435,4438,4440,&lt;br /&gt;4442,4444,4446,4448-4449,4451-4452,4455,4458-4460,4463-4464,4467-4468,4471,4474,4479,4481,4485,4487,4489-4490,4492,4495,4498,4501-4502,4505,4507-4508,4511-4512,4515-4516,4518,4520-4521,4523,4525-4526,4528-4534,4537-4539,4543-4544,4546,4548-4549,4551,4553,4558,4562-4563,4565,4568,4570,4572-4573,4576-4578,4580-4581,4587,4591,4594,4596-4598,4600-4601,4603-4606,4608,4610,4612,4614-4619,4622,4625,4628,4630-4632,4635,4637,4640,4643,4647-4650,4653-4655,4657-4658,4660,4663-4665,4667-4669,4671,4673-4676,4678-4679,4681,4685-4686,4689-4690,4692-4698,4700-4701,4703-4705,4707-4708,4710-4714,4718-4721,4723-4726,4730-4731,4734,4737,4739-4741,4744-4747,4751,4754,4756-4758,4760-4784,4786-4787,4789,4791,4794,4798,4800-4802,4804,4806,4808,4810,4813,4815,4818-4821,4823-4825,4827-4830,4832,4834,4837-4838,4840,4842-4843,4845,4847,4849,4851-4854,4856,4858-4862,4864-4866,4868-4869,4872-4873,4875,4877-4882,4884-4886,4888-4889,4891-4892,4894-4898,4900-4904,4906-4908,4910-4913,4917-4918,4920-4921,4923-4924,4926-4928,4930-4932,4935-4936,4938-4939,4942-4951,4953-4955,4959-4963,4966-4967,4969-4976,4979-4982,4984-4997,5000,5002-5016,5018-5024,5026-5031,5033-5042,5045-5046,5048-5054,5056-5058,5060-5061,5063-5065,5067-5070,5072-5080,5082-5089,5091-5092,5094-5107,5109-5138:s:1-958,960-967,969-1001,1004-1006,1008,1011,1014-1019,1021-1225,1229-1243,1245-1246,1250-1252,1263-1266,1268-1371,1373-1487,1489-1492,1496-1506,1508-1509,1511-1518,1520-1521,1523-1530,1538-1541,1545-1546,1549-1550,1552,1557-1558,1560,1566-1572,1574-1660,1663-1672,1675-1693,1695,1697,1700-1702,1704-1746,1748-1794,1797-1799,1802-1813,1815-1837,1848,1853-1859,1864-1877,1883-1887,1889-1892,1898-2000,2002-2009,2011-2032,2034-2037,2039-2081,2083-2092,2094-2114,2116-2120,2122-2124,2127,2129,2131,2133-2134,2136-2138,2140,2145-2160,2166-2191,2193-2204,2206-2230,2236-2357,2359-2374,2376-2377,2379,2381-2394,2398-2403,2
405-2409,2411-2412,2420-2431,2435-2444,2446-2466,2470-2472,2474-2490,2497-2503,2509-2514,2520-2529,2532-2541,2548-2549,2553-2554,2557,2560-2562,2566-2577,2579-2580,2587-2600,2602,2607-2612,2614-2625,2629-2631,2633-2644,2648-2654,2666-2709,2713-2977,2980-2996,2998-3008,3010-5203:mac&lt;br /&gt;goog-phish-shavar;a:8860,9140,9157,9783,9910,9947,9978,10037,10065,10097,10142,10144,10149,10166,10194,10243,10258,10282,10308,10352,10362,10365,10373-10374,10387,10403-10404,10415,10487,10489-10491,10507,10509,10513,10517,10520,10523,10541-10542,10555-10556,10581,10592,10608,10621,10623,10626-10628,10647,10672-10673,10677,10680-10681,10747,10753,10760,10792-10794,10797,10812,10814,10817,10853,10875-10876,10881,10883-10884,10886,10894,10898,10903,10905,10910,10916,10924,10926,10997,11024,11043,11100,11124,11142,11165,11249,11252,11254,11257,11265,11269,11274,11291,11309,11331,11346-11347,11370,11378,11384,11394-11395,11397-11399,11401-11402,11404-11406,11469,11472,11474,11481,11509,11523-11524,11527-11528,11531,11539-11540,11550,11552-11554,11558-11559,11569,11583,11590-11591,11608,11642,11665,11669,11686,11695,11707,11709,11732-11733,11772-11773,11779,11791,11817,11833-11834,11843,11845,11853,11855,11861,11870,11892,11907,11941,11947,11971,12044-12046,12049,12077,12102,12156,12160,12162,12164,12166,12169,12171,12173-12174,12188-12189,12194,12199,12211,12229,12240,12275,12277,12279-12281,12292,12296-12297,12303,12318,12320,12323,12331-12334,12339,12379,12385,12391,12400,12414,12431,12433,12435-12440,12444,12446,12452,12457,12466,12468,12476-12478,12498,12503,12525,12551,12557,12560-12562,12564,12566,12568,12571-12573,12575,12577,12584-12585,12587,12595,12598-12599,12602,12607,12610,12613,12619,12621-12622,12639-12640,12690,12698-12699,12705,12707,12709,12720,12723,12727-12728,12731,12736-12737,12739,12748,12754,12758,12761,12768,12771,12800,12839,12846-12847,12849,12851-12860,12864,12867,12877,12910,12916,12931,12960,12975,12977,12980-12983,12989,12994,12999-13000,13002,13031,1
3037,13042,13047,13068,13082,13085,13087,13089-13094,13103-13104,13109,13114,13116,13119,13140,13142,13145-13147,13150-13151,13162-13163,13165-13166,13174-13175,13181,13187,13205,13216,13221,13223-13224,13226-13229,13231,13234-13236,13240,13248,13255,13262,13270,13272-13273,13276-13278,13284,13299-13300,13304-13308,13310-13313,13315-13392,13394-13406,13408,13410-13448,13450-13453,13455-13460,13462-13465,13467-13470,13472-13486,13488-13493,13495-13509,13511,13513-13516,13518-13519,13521-13523,13526-13559,13561-13566,13568-13574,13576-13580,13582-13586,13588-13595,13597-13604,13606-13627,13629-13635,13637-13643,13645-13646,13649-13655,13657-13662,13665-13678,13680,13682-13685,13687-13710,13712-13723,13725-13731,13733-13746,13749-13750,13752-13765,13767-13772,13774-13775,13777-13780,13782,13784-13791,13793-13798,13802-13803,13805,13807-13817,13819-13829,13831-13835,13837,13839-13841,13843-13847,13850-13854,13857-13872,13874-13876,13878-13883,13885-13895,13897-13899,13901-13902,13904-13912,13914-13916,13918-13920,13922-13926,13928-13929,13931-13942,13945-13948,13950-13958,13960-13964,13966-13967,13969-13974,13977-13985,13987-13990,13992-13999,14001-14015,14017-14022,14024-14031,14033-14050,14053-14065,14067-14076,14078-14088,14090-14115,14117-14120,14123-14134,14136-14144,14147,14149-14203,14205-14208,14211-14226,14228,14230-14231,14235-14237,14240-14243,14246-14253,14255-14256,14258,14260-14270,14272,14274-14291,14293-14298,14301-14303,14305-14307,14309-14318,14320-14327,14330-14346,14348-14376,14378,14380-14394,14396-14397,14399-14402,14404-14425,14427-14435,14437,14439,14443-14471,14474-14487,14489-14500,14502-14506,14509,14511-14512,14515-14519,14522-14542,14544-14548,14550,14552-14562,14565-14566,14568-14583,14585-14589,14591-14592,14594-14626,14628-14631,14633,14635-14645,14647-14659,14661-14671,14673-14685,14688-14692,14694-14696,14698-14700,14702-14711,14713-14726,14728-14734,14736-14740,14742,14744-14756,14758-14759,14762-14771,14773,14775-14787,14789-14790,147
92,14795-14800,14802-14803,14805-14807,14810-14826,14828,14830,14832-14835,14837,14839-14845,14847-14855,14858-14868,14870-14878,14880-14885,14887-14896,14898-14903,14905-14914,14916-14917,14919-14922,14924-14928,14930-14935,14937-14945,14948-14963,14965-14980,14982-15029,15031-15043,15045-15057,15059-15070,15072-15076,15078-15080,15082-15084,15086,15088-15091,15093-15098,15101-15127,15129-15143,15145-15148,15150-15155,15157-15191,15193,15195-15199,15201-15209,15211-15225,15227-15273,15275-15290,15292-15316,15318-15323,15325-15331,15334,15336-15351,15353-15379,15381-15414,15416-15432,15435-15447,15449-15454,15456-15457,15460-15463,15465-15472,15474-15480,15482-15484,15487-15490,15493-15542,15544-15569,15572-15599,15601,15603-15604,15606-15614,15616-15620,15622-15626,15628-15630,15632,15635-15642,15644-15646,15648-15649,15651,15653-15663,15665-15669,15671-15678,15680,15682-15684,15686-15689,15691-15695,15697-15712,15714-15724,15727-15735,15737-15745,15747,15749-15750,15752-15753,15755-15759,15761-15769,15772-15777,15779-15783,15785-15786,15789-15802,15804-15812,15814-15835,15837,15839-15850,15852-15875,15877-15892,15894-15915,15917-15939,15941-15969,15971-15983,15985-16002,16004-16006,16008-16010,16012-16102,16104-16105,16107-16142,16144-16160,16162-16212,16214-16250,16252-16270,16272-16277,16279-16291,16293-16319,16321-16333,16335-16353,16355,16357-16364,16366,16368,16370-16373,16375-16385,16387-16391,16394-16402,16404,16406-16407,16410,16412-16425,16427,16429-16438,16440-16459,16461-16462,16464-16465,16467-16488,16490-16499,16501,16503,16505-16509,16511-16514,16516-16519,16523-16530,16533-16536,16538-16539,16541-16544,16546-16554,16556-16557,16559-16563,16566-16575,16577-16591,16593-16611,16613-16614,16616-16637,16639-16648,16650-16654,16657-16660,16662-16664,16666-16667,16669,16672,16674-16675,16677,16679-16694,16696-16698,16700-16713,16716-16725,16728-16733,16735-16739,16741-16746,16748,16750-16761,16763-16782,16785-16790,16792,16794,16796-16800,16802-16804,16806
-16811,16814-16896,16898-16903,16905,16907-16911,16914-16979,16981-16984,16986-17017,17019-17057,17059-17162,17164-17169,17171,17173-17183,17185-17193,17195-17245,17247-17264,17266-17289,17291-17299,17302-17313,17315-17320,17322-17330,17332-17339,17341-17356,17358-17361,17363-17371,17373-17386,17390-17413,17415-17423,17425-17428,17431-17435,17437,17439-17440,17442-17447,17449,17451-17463,17466-17470,17472,17474-17476,17478,17480-17495,17497-17528,17530,17532-17575,17577-17582,17584,17586-17595,17597-17599,17601-17602,17604-17609,17612-17616,17619-17621,17623-17625,17627,17630-17631,17633-17634,17636-17642,17644-17653,17655-17669,17671-17691,17694-17697,17699,17701-17710,17712-17715,17717-17725,17727-17761,17763-17817,17819-17822,17824-17833,17836-17845,17847-17961:s:4,15,20,27,73,121,147,186,245,250,283,324,460,469,506,516,672,691,771,775,810,814,823,877,881,1061,1126,1150,1160,1193,1233,1355,1447,1459,1649,1651,1796,1813,1845,1880,2056,2354,2426,2465,2509,2701,2722,2724,2736,2847,2890,2930,2970,2972,3141,3564,3647,5062,5096,5401,5437,5452,5540,5553,5562,5564,5596,5598,5627-5628,5647,5653,5656-5657,5659,5662,5671,5675-5676,5684,5687,5696,5706,5713,5719,5722,5728,5737,5746,5754,5765-5766,5771,5776-5777,5793,5811,5836,5849,5879,5895,5909,5930,5940,5966,5973,5989,6023,6026,6052,6056,6064,6073,6085,6182,6189,6191,6210,6220,6223,6267,6292,6301,6313,6395,6409,6431,6488,6499,6518,6549,6563,6597,6602,6623,6638,6955-6956,6971,6974,6980,7084,7114,7135,7142,7150,7165,7231,7238,7293,7297,7317,7375,7390,7392,7400,7414,7416,7423,7433,7452,7465,7479,7481,7487,7489-7490,7492,7495,7503,7509,7512,7514,7530,7536,7540,7555-7556,7567,7575,7581,7587,7599,7606-7608,7612,7619,7635,7653,7701,7726,7750,7753,7777,7797,7800,7815-7816,7826,7829,7847,7875,7879,7882,7885,7889-7890,7892,7897,7917-7918,7920,7927,7932-7933,7939-7941,7943-7945,7948-7950,7958,7960-7962,7965-7967,7970,7982,7984,7986-7988,7993-7994,7997,7999,8001-8002,8004-8005,8009-8010,8016-8018,8020,8027-8029,8032,8034,8036,8038-8039
,8042-8043,8045-8048,8050,8056,8058-8059,8063-8065,8067-8068,8072-8074,8076-8079,8081-8086,8088-8093,8095-8097,8100-8101,8103-8108,8110-8111,8114,8120-8122,8124,8128-8130,8132-8134,8136-8153,8155,8157,8160,8167-8168,8172,8177,8181,8186,8189,8191,8198-8199,8207-8208,8210,8219,8225,8229,8231,8233-8234,8236,8243,8246,8248,8251,8256,8259,8262,8265,8268,8271,8274,8277-8278,8282,8285,8289-8290,8295-8296,8298-8300,8302-8303,8305-8307,8310,8313-8314,8316-8317,8319,8328,8331,8334,8341,8343-8345,8348-8349,8355-8356,8358,8361-8362,8366-8367,8369,8371-8372,8375,8377-8378,8382-8383,8390,8392,8394,8399,8403,8405-8406,8409,8419-8421,8423,8438,8441-8442,8446,8453,8459,8462,8467,8469,8472-8475,8477,8479,8490,8492,8498,8500,8505,8508-8509,8514,8516-8517,8522-8523,8525-8526,8533,8536,8539,8541,8548,8551-8552,8556-8557,8559,8562-8563,8569,8579-8580,8583-8584,8587,8591-8595,8598-8600,8602-8604,8606-8607,8609-8610,8613,8616-8620,8624,8628,8634-8636,8638,8643-8645,8652,8654-8659,8666,8668,8672,8675,8678,8682-8683,8690,8694,8700,8705,8707,8710,8713-8714,8717,8719,8721,8723,8728,8730,8734,8736-8740,8750,8755-8756,8758-8763,8768,8771,8773-8774,8781,8784-8785,8787-8788,8790,8793,8795,8797,8800,8802-8807,8815,8821,8824-8825,8830,8834-8835,8840-8841,8845-8846,8851,8863,8867-8868,8870-8872,8875,8877,8882-8883,8888,8890-8892,8894,8899-8900,8902,8904,8923,8925,8928-8929,8931,8934,8941,8945,8949,8952,8958,8960-8961,8963-8964,8967-8968,8973,8975,8977,8979,8983,8988,8995,9013,9063,9066,9068,9077-9078,9092-9093,9095,9120,9130,9146,9162,9165-9166,9177,9188,9190,9210,9240,9243,9255,9264,9268,9290,9299,9336,9351,9353,9355,9357,9363,9367-9368,9374-9375,9377,9380,9385,9389,9391,9394,9403,9408,9410,9412,9416,9421,9428,9432,9434-9436,9439-9440,9443-9444,9456,9462,9467,9473,9478,9483,9486,9494-9495,9499,9511,9514,9516,9518,9521,9526,9536-9537,9546,9553,9555,9570-9571,9578,9594,9600,9609,9612,9619,9621,9623-9624,9626,9636,9643,9651,9654,9657,9659,9662-9666,9668,9670-9671,9674,9677-9678,9680,9685,9690,9694,9697
,9700,9703,9705-9706,9708,9710,9712,9716,9720,9723-9724,9727,9729,9731-9732,9736-9737,9739,9743,9751,9757,9764,9773-9774,9793,9795,9808,9810,9820-9821,9823,9842,9853,9871,9873,9878,9884,9889,9892,9898-9899,9901,9906-9907,9911,9931,9943,9946,9973,9998,10007,10018,10032,10034-10035,10041,10044-10045,10047,10050,10065,10074-10075,10079,10096,10098-10099,10109,10115,10125,10129,10131,10142,10158,10160,10163,10169,10173,10182,10184-10185,10191,10193,10204,10212,10214,10218,10221,10227,10229,10234-10235,10237-10238,10242-10243,10246-10247,10258,10263-10264,10266,10268,10270,10273,10276,10279,10284,10287,10289,10308,10313,10316,10318,10321,10326,10328,10330-10335,10337-10339,10341,10344,10346,10350,10353,10356,10358,10361,10363-10364,10366-10367,10369,10372-10373,10378,10380,10382,10384-10386,10388,10391-10394,10398-10399,10404,10406-10407,10409-10410,10412,10416,10420,10422-10424,10428,10434-10436,10438,10440-10445,10447,10449-10453,10455-10456,10459,10462,10468,10470,10477-10478,10483,10485,10487,10491,10493,10499,10506,10508-10510,10514-10515,10517-10520,10523,10527-10529,10531-10536,10538-10539,10544-10545,10548-10549,10554,10556,10562-10564,10566,10571-10572,10575,10577-10578,10580,10582-10584,10587,10593,10598-10599,10603,10605-10606,10608,10616-10617,10621,10623-10625,10628,10633,10636,10638,10641,10646,10649,10651,10654-10657,10663-10664,10667,10670-10671,10681,10685,10689,10692,10694,10696-10697,10699-10700,10702,10704,10709,10713-10714,10721,10725-10726,10729,10735,10743,10747-10752,10755-10756,10760-10761,10763-10765,10767,10776,10780-10781,10783-10784,10794-10796,10799-10801,10805,10808,10812,10815-10816,10818-10819,10822,10824,10826-10827,10830,10834,10838-10839,10841-10843,10851-10853,10855-10856,10864,10869,10872-10873,10875-10877,10879,10882,10889-10892,10894,10896,10899-10902,10904,10906,10908-10909,10911-10913,10915,10917-10918,10920-10921,10923,10926-10927,10931-10932,10935,10937-10942,10944-10945,10947,10949,10951-10952,10954-10957,10959-10963,10966-109
79,10981-10988,10990-10992,10994,10996-10997,11000,11002-11004,11006-11009,11011,11017-11032,11034-11035,11037-11039,11041,11043-11046,11048,11051-11054,11056-11063,11065-11068,11072-11073,11076-11085,11087-11091,11093-11096,11098-11101,11104,11106-11108,11112-11117,11119,11121-11123,11125-11128,11130-11146,11148,11150,11152,11155-11167,11169-11170,11172-11180,11182-11186,11188,11190-11194,11196,11198-11199,11202,11204-11205,11207-11222,11224-11225,11227-11229,11231-11242,11244,11246-11248,11250,11252,11254-11255,11257-11258,11260-11263,11265-11268,11270-11279,11281,11284-11290,11292-11293,11295-11298,11300,11302,11304,11308-11322,11325-11327,11330-11340,11342-11345,11347-11360,11362-11364,11368-11377,11379,11381-11387,11389-11397,11399,11403,11405,11408-11412,11414-11418,11420-11422,11424,11426,11428,11430-11434,11436,11438-11441,11445-11451,11453,11455-11457,11459-11470,11472-11474,11476-11479,11481-11483,11485-11491,11493-11495,11497-11498,11500-11514,11517-11518,11520,11523-11539,11541,11543,11545,11547-11553,11555-11562,11564,11566-11569,11571,11573-11574,11577-11584,11586-11589,11591,11594-11601,11604,11607-11609,11611-11620,11622-11628,11630-11631,11633-11637,11640,11642,11644-11645,11647-11648,11650,11652-11657,11659,11661-11664,11666-11667,11669,11673,11675,11677-11679,11681-11683,11685-11688,11691-11692,11694-11698,11702-11703,11705-11706,11708-11714,11716-11719,11721,11723,11728-11730,11732-11733,11735-11738,11744,11749-11752,11755,11757-11758,11760-11764,11766,11768,11770-11776,11778-11793,11795,11797-11798,11800-11806,11808-11809,11811-11815,11820-11823,11826-11827,11829-11833,11835-11839,11841-11842,11844-11846,11850-11857,11859,11862-11870,11873,11877,11881,11883-11884,11886,11889-11891,11893-11897,11899-11908,11910-11913,11916,11919-11923,11925-11927,11929-11930,11932,11935-11936,11938-11941,11943-11946,11948,11950-11956,11958-11961,11963-11964,11966-11974,11976-11977,11979,11981-11983,11985,11987,11989-11990,11992,11994,11996-11998,12001-12004,12007
,12009,12012,12014,12016,12018,12020-12022,12025,12027-12029,12031,12033,12035-12036,12038-12043,12046,12051,12053,12056,12059-12068,12070-12076,12079-12085,12087-12098,12101-12105,12110,12112,12115-12121,12124,12126,12131-12132,12134-12135,12137-12142,12144,12146-12147,12149-12150,12155,12157,12159-12169,12171-12172,12174-12182,12184,12186,12188-12189,12195-12196,12198-12199,12203-12209,12211-12212,12217-12225,12227-12229,12234-12236,12238-12239,12244,12246,12248-12250,12253,12256-12258,12260,12262,12264-12266,12272,12279,12283,12288,12290-12299,12301-12303,12305-12309,12312-12321,12323-12328,12330-12332,12334,12336-12340,12342-12343,12345-12348,12351-12355,12358-12359,12361-12362,12364-12367,12370-12379,12381-12384,12386-12390,12392-12395,12398-12400,12402-12407,12409-12415,12418,12420-12429,12432-12434,12436,12439-12449,12451,12453,12462-12467,12469-12473,12476-12478,12480-12484,12486-12488,12490-12491,12493-12499,12502-12503,12505,12507-12508,12513-12516,12518-12519,12521-12526,12528-12529,12532,12534-12535,12538-12544,12546-12547,12550-12551,12553-12556,12558-12563,12565,12568,12570,12572-12573,12575,12579,12582,12589-12593,12595-12597,12600-12608,12610-12625,12627-12629,12631-12633,12635-12636,12638-12644,12646,12648,12650-12651,12654-12657,12660-12661,12663-12664,12667,12669-12674,12678-12690,12692-12701,12703-12714,12717-12719,12721-12723,12725,12729-12734,12736-12740,12742-12750,12752-12754,12757-12758,12760-12764,12766-12768,12770-12773,12775-12777,12779-12780,12782-12794,12797-12798,12802,12804,12806,12808-12809,12811,12814-12815,12817,12819,12821-12822,12826-12827,12829-12832,12835,12837-12855,12857-12860,12863-12865,12867-12869,12871-12872,12874,12877,12879,12881,12884-12885,12887-12894,12896,12898-12901,12903-12905,12907-12908,12911,12914-12916,12918,12921,12923-12924,12926,12929-12930,12933-12937,12939-12942,12944,12951-12954,12957-12959,12961,12963-12964,12967-12970,12973,12975-12979,12982,12985-12986,12989,12991-12992,12994,12996-12999,13001-13003,1
3005-13006,13008-13013,13015-13023,13025,13027,13030-13034,13036-13042,13045-13049,13051-13052,13054-13058,13060-13081,13083-13089,13091-13099,13101-13102,13104-13111,13113-13117,13119,13121-13126,13128-13131,13133,13136-13141,13143-13150,13152-13153,13155-13156,13158,13160-13175,13177-13180,13182-13185,13187,13190,13192-13194,13196,13199-13213,13215-13216,13219-13227,13229-13233,13235-13236,13241-13248,13250-13252,13257,13259-13263,13267,13270,13272-13277,13279-13289,13291-13299,13301-13314,13316-13317,13319-13320,13322-13324,13326-13327,13331-13335,13337-13355,13357-13360,13362-13365,13367,13369,13371,13373-13376,13378,13380-13395,13397-13399,13402-13408,13410,13412-13413,13415-13430,13432,13434-13438,13440-13457,13459-13463,13465-13470,13472-13474,13476-13496,13498-13501,13504-13505,13507,13510-13517,13519-13520,13522-13525,13527-13530,13532,13534-13541,13543-13547,13549-13554,13556-13558,13562,13565,13568-13571,13573-13584,13586-13595,13598,13601-13602,13608,13611-13622,13625-13627,13629-13631,13633-13634,13636-13639,13641-13644,13647-13648,13650-13653,13655,13657-13661,13663,13668,13670-13671,13675-13676,13678,13681-13682,13685-13691,13694,13700-13703,13707-13708,13711-13712,13714-13716,13718,13720-13725,13727-13738,13740-13744,13746,13748-13751,13753,13755-13756,13758-13759,13761-13762,13764,13766,13768,13770-13771,13773-13774,13776-13777,13779,13781-13793,13796-13797,13799-13804,13810-13817,13819,13823,13825-13837,13839,13841-13849,13851-13861,13864-13868,13870-13876,13878-13885,13887-13890,13892-13897,13900-13920,13922-13923,13925-13945,13947-13949,13953-13955,13957-13959,13961-13963,13965-13972,13975,13977-13996,13998,14000-14009,14011-14015,14017,14019,14021-14031,14033-14045,14047,14049-14057,14059-14062,14064-14075,14077-14081,14083-14085,14087-14088,14090-14092,14094-14099,14101-14104,14106,14108-14109,14111-14114,14116,14118-14120,14122-14124,14126,14128-14129,14131,14133-14160,14162-14174,14176,14178-14184,14187-14192,14194,14197-14201,14203-14209,142
11-14213,14216-14218,14220-14225,14227-14235,14237-14251,14254-14276,14278-14288,14291-14303,14305-14317,14319-14322,14324-14339,14341-14345,14347-14349,14352-14354,14356-14358,14360-14363,14365,14367-14368,14370,14372-14374,14376-14378,14380-14390,14392-14393,14395,14397,14399-14406,14408-14425,14427-14434,14436-14439,14441-14447,14449-14451,14453-14456,14459-14472,14474-14476,14478-14481,14485-14487,14489-14495,14498,14500-14511,14513-14518,14520-14532,14534-14537,14539-14548,14550-14553,14555-14559,14562-14569,14571-14573,14575,14577-14583,14585-14587,14589-14591,14593-14596,14598-14603,14605-14611,14613-14620,14623-14628,14630,14633-14634,14636-14640,14643-14648,14652-14656,14660,14662-14669,14672-14673,14676-14678,14681-14685,14687-14694,14696-14697,14699-14717,14719,14722-14729,14731-14739,14741-14759,14761-14763,14765-14774,14776-14777,14779-14785,14788-14790,14792-14808,14811-14812,14814,14816-14822,14824,14826-14852,14854-14858,14860-14867,14869-14892,14895-14907,14909-14918,14920-14932,14934,14936-14937,14940-14942,14944-14948,14950-14955:mac&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;*edit: futzed with whitespace to give a better idea on the amt of numbers, and gave up...  
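
The request body above, read against the Safe Browsing v2 protocol as I understand it: each line names a list (goog-malware-shavar, goog-phish-shavar), then 'a:' carries the ranges of add chunks the client already holds, 's:' the ranges of sub chunks, and the trailing 'mac' asks the server to authenticate its reply (the empty wrkey= in the URL is where the key for that would go). The gaps in those ranges are chunk numbers the client does not have. The parser below is an added example, not the post's or Google's code, and it runs on a constructed, much shorter body in the same format.

```python
import re

# Constructed, shortened stand-in for the request body in the post. The
# real body runs to thousands of chunk numbers per list.
SAMPLE_BODY = (
    "goog-malware-shavar;a:29,63-65,68-70:s:1-5,8:mac\n"
    "goog-phish-shavar;a:8860,9140:s:4,15,20:mac\n"
)

# One element of a range list: a single number or "lo-hi".
_RANGE = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_ranges(spec):
    """'29,63-65,68-70' becomes {29, 63, 64, 65, 68, 69, 70}."""
    chunks = set()
    if not spec:
        return chunks
    for part in spec.split(","):
        m = _RANGE.match(part)
        if m is None:
            raise ValueError("bad chunk range: " + repr(part))
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        chunks.update(range(lo, hi + 1))
    return chunks


def parse_download_body(body):
    """Parse a v2 'downloads' body into {list name: add/sub chunk sets, mac flag}."""
    lists = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, rest = line.partition(";")
        state = {"add": set(), "sub": set(), "mac": False}
        fields = iter(rest.split(":"))
        for f in fields:
            if f == "a":
                state["add"] = expand_ranges(next(fields, ""))
            elif f == "s":
                state["sub"] = expand_ranges(next(fields, ""))
            elif f == "mac":
                state["mac"] = True
            else:
                raise ValueError("unknown field in " + name + ": " + repr(f))
        lists[name] = state
    return lists


def missing_chunks(have):
    """Chunk numbers absent between 1 and the highest chunk the client holds."""
    if not have:
        return set()
    return set(range(1, max(have) + 1)) - have


if __name__ == "__main__":
    for name, state in parse_download_body(SAMPLE_BODY).items():
        print(name, "add:", sorted(state["add"]), "sub:", sorted(state["sub"]),
              "mac:", state["mac"], "missing add:", sorted(missing_chunks(state["add"])))
```

Run it over the real body from the post (after stripping the HTML line breaks) and the add-chunk gaps are exactly the numbers that never appear in the ranges: that is the state the client is reporting so the server can answer with only the chunks it lacks.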
i need to get a blog/layout w/o craptastic whitespace issues...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7475398890980921215?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7475398890980921215/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7475398890980921215' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7475398890980921215'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7475398890980921215'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/07/google-stuff.html' title='google stuff'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6274398453158576680</id><published>2008-07-17T04:16:00.004+01:00</published><updated>2008-07-17T04:40:47.887+01:00</updated><title type='text'>crappy code</title><content type='html'>old crappy code lingers like that huge heap of trash out in the pacific...  &lt;br /&gt;&lt;br /&gt;nothin special, just ran across these today and they caught my eye...  
&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;0x0360:  .0.60;...opacity&lt;br /&gt;0x0370:  :.0.60;..}....*.&lt;br /&gt;0x0380:  html.#TB_overlay&lt;br /&gt;0x0390:  .{./*.ie6.hack.*&lt;br /&gt;0x03a0:  /.......position&lt;br /&gt;0x03b0:  :.absolute;.....&lt;br /&gt;0x03c0:  ..height:.expres&lt;br /&gt;0x03d0:  sion(document.bo&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;document.write('&lt;scr' language="VBScript\"&gt; \n'); //FS hide this from IE4.5 Mac by splitting the tag&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;* edit:  removed the hex b/c of stupid whitespace&lt;br /&gt;** edit:  the crappy code is IE, in case i wasn't specific enough on that&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6274398453158576680?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6274398453158576680/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6274398453158576680' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6274398453158576680'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6274398453158576680'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/07/crappy-code.html' title='crappy code'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-143193327793505551</id><published>2008-07-12T04:52:00.005+01:00</published><updated>2008-07-12T05:16:48.988+01:00</updated><title type='text'>tweet tweet tweet tweet?</title><content type='html'>000 ~ Over-confidence?  (vmware-player 2.0.4)  &lt;blockquote&gt;"Building the vmblock module ... The module loads perfectly in the running kernel."&lt;/blockquote&gt;001~ Digg is not a geek site anymore.  alternatives?  fark is funny...&lt;br /&gt;&lt;br /&gt;010 ~ &lt;a href="http://www.pandora.com/"&gt;Pandora&lt;/a&gt; is cool; I am slow...  &lt;a href="http://somafm.com/"&gt;Groove Salad&lt;/a&gt; is cool too&lt;br /&gt;&lt;br /&gt;011 ~ &lt;a href="http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Moyer"&gt;This talk&lt;/a&gt; is looking good; very nice paper; surprised @ .docx i/o .odt :P&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-143193327793505551?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/143193327793505551/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=143193327793505551' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/143193327793505551'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/143193327793505551'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/07/tweet-tweet-tweet-tweet.html' title='tweet tweet tweet 
tweet?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-8963952079505064356</id><published>2008-07-12T00:38:00.001+01:00</published><updated>2008-07-12T00:43:36.625+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='corporate'/><category scheme='http://www.blogger.com/atom/ns#' term='shawn moyer'/><category scheme='http://www.blogger.com/atom/ns#' term='breaucracy'/><category scheme='http://www.blogger.com/atom/ns#' term='change control'/><category scheme='http://www.blogger.com/atom/ns#' term='tps report'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>Hack Bureaucracy</title><content type='html'>So Shawn Moyer gave a concise Blackhat talk a few years back (which had a surprise ending ;) about 'hacking the c-suite', w/ the general idea being that it was ethical and part of the job in some situations to advocate and evangelize good security to the corp leaders in order to facilitate infosec progress. &lt;br /&gt;&lt;br /&gt;You social engineer them for the benefit of the company and the shareholders, and everyone comes out ahead...  You aren't "attacking" the leadership at your org.  You're playing the game by their rules to remove roadblocks to the strategic infosec benefit of the org you work for.&lt;br /&gt;&lt;br /&gt;Another friend of mine recently happened into a situation where he put a different twist on the benevolent corp hacking thing.&lt;br /&gt;&lt;br /&gt;The org in question has some managers who could use some help understanding how to be leaders.  
Everything is bureaucratic and &lt;a href="http://youtube.com/watch?v=eon207FjXzU"&gt;TPS report-ish&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;If you do something w/o the proper paperwork and w/o jumping through the right hoops, then you aren't a team player and should expect a reprimand, even though you're loaded up w/ work, and everyone knows the paperwork is just CYA, and the work needs to get done right now, etc etc.&lt;br /&gt;&lt;br /&gt;So Junior is new on the team.  He's really hungry and trying to make good impressions and do good work and all of that.  My buddy comes across a configuration issue that he traces back to Junior.  Just a simple mistake anyone coulda made, didn't impact production systems, and didn't seem to cause ownage or anything like that.  He submitted the proper paperwork for the change, it's just that the paperwork included the error but was unwittingly approved.&lt;br /&gt;&lt;br /&gt;The problem does need to get fixed, but my friend knows that if he submits a ticket saying "fix problem X on device Y" then there will be a change control inquiry as to how the problem was introduced in the first place, and Junior will face the wrath of the managers who don't understand leadership and won't gracefully admit that they didn't do their part of the job. That will mean reprimand, pointed fingers, and all around negativity. &lt;br /&gt;&lt;br /&gt;What Junior really needs is some positive encouragement and some gentle coaching on doing things better in the future.  My friend says f this, I'm not gonna let Junior burn for no good reason. So here's how he solves the problem.&lt;br /&gt;&lt;br /&gt;He creates the proper change paperwork to fix the mistake, but words it in a specially crafted difficult-to-comprehend fashion.  He does this knowing that the manager who needs to approve the ticket is also obviously not going to review it in detail.  He knows the manager will say "wtf, i don't have time to figure out what my guy is sayin here... 
approved" and rubber stamp it.&lt;br /&gt;&lt;br /&gt;IMO, this is a very wicked cool hack on bureaucracy.  1st, this is altruistic.  in the long run, it is the right thing to do for the infosec team at the org.  2nd, we're doing something which gets around a stupid series of access controls.  3rd, if said access controls were functional and meaningful, *THE HACK WOULDN'T WORK*...  i love that last bit.&lt;br /&gt;&lt;br /&gt;So we have &lt;a href="http://en.wikipedia.org/wiki/Adrian_Lamo"&gt;an infosec guy doing something technically/maybe subversive for all of the right reasons&lt;/a&gt;.  Kinda like hacking the c-suite.  I love it...  total props :D&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-8963952079505064356?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/8963952079505064356/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=8963952079505064356' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8963952079505064356'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8963952079505064356'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/07/hack-bureaucracy.html' title='Hack Bureaucracy'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1715786766305810318</id><published>2008-07-02T06:44:00.004+01:00</published><updated>2008-07-02T06:59:41.908+01:00</updated><title type='text'>random foo</title><content type='html'>&lt;a href="http://www.snort.org/dl/snortsp/"&gt;go snort!!!&lt;/a&gt;...  now i have something new i need to install and fiddle w/....&lt;br /&gt;&lt;br /&gt;someone in the sec blog world was bitching about cell phones on planes a while back, and now we have some experimental foo to tell us &lt;a href="http://blogs.zdnet.com/security/?p=1376"&gt;mb it isn't bs&lt;/a&gt;...  i have heard stories about interference w/ flight systems from electronics before, but nothing this substantial and focused (tho this isn't a flight system issue).  i completely love how they took the issue and turned it into an attack vector in no time flat...  wicked cool hacker thinking right there...  the thing that sticks in my mind is that all these devices have this FCC sticker which says "this device is certified not to interfere or be vulnerable to interference", or something like that...  wtf...&lt;br /&gt;&lt;br /&gt;something i noticed while doing some web app work...  i'm sure this is probably old hat to everyone, but my initial googling didn't find much...  did you know that people are executing core os apps (DirectX) on servers w/ input from the client side???&lt;br /&gt;&lt;br /&gt;&lt;code&gt;&lt;br /&gt;td colspan="2" style="filter:progid:DXImageTransform.Microsoft.Gradient(endColorstr=...&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;&lt;br /&gt;i had no idea...  how many filters are there available?  from what i see, this looks like the client is saying "execute this code and pass it this data"...  
isn't this something we all agree is probably looking to be attacked?&lt;br /&gt;&lt;br /&gt;nonono, it's probably another &lt;a href="http://blogs.zdnet.com/security/?p=1361"&gt;feature&lt;/a&gt;...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1715786766305810318?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1715786766305810318/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1715786766305810318' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1715786766305810318'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1715786766305810318'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/07/random-foo.html' title='random foo'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6527423865204839914</id><published>2008-07-02T05:50:00.004+01:00</published><updated>2008-07-02T06:58:58.411+01:00</updated><title type='text'>are things getting better?</title><content type='html'>so i had a very nifty conversation w/ my &lt;a href="http://twitter.com/shawnmoyer"&gt;buddy n mentor&lt;/a&gt; (beware:  microblogging linkage) earlier tonight.&lt;br /&gt;&lt;br /&gt;so basically we picked up on a thread that i referenced &lt;a 
href="http://rwnin.blogspot.com/2008/06/multipost.html"&gt;in a prev post&lt;/a&gt; where schneier and ranum are talking about whether or not vuln research is ethical...  well, shawn and i both believe in responsible disclosure, but we went off on a tangent about something ranum said:&lt;br /&gt;&lt;blockquote&gt;Not only do we still have buffer overflows, I think it's safe to say there has not been a single category of vulnerabilities definitively eradicated ... Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not! It can't even be said to have a "design."&lt;/blockquote&gt;&lt;br /&gt;ok, so while i completely disagree w/ the non-disclosure argument (sry marcus, you will still always be a badass in my mind ;), i completely agree w/ what he is saying here...&lt;br /&gt;&lt;br /&gt;i don't think our software developers are making things better overall.  yes shawn, we are making a ton of progress w/ improving development frameworks to have lazy coders conform to secure defaults instead of insecure ones.&lt;br /&gt;&lt;br /&gt;but overall, i don't feel like things are getting better.  and yea, it's just a feeling.  but, pretend for a min that statistically we're reducing the number of vulns introduced in each piece of code via dev education and improvements in dev frameworks.  
it seems that despite this percentage reduction in vulns, we're seeing an explosion in the number of applications as well as the types of applications (ie: web 2).&lt;br /&gt;&lt;br /&gt;the new apps might have vulns, but they will be the same types of vulns we've seen before for the most part, and have a chance of being mitigated by framework improvements, etc.&lt;br /&gt;&lt;br /&gt;but the new types of apps (ie: web 2 apps) are completely new threat canvases.  they are doing new things in new ways which no one has seen before.  this inevitably leads to new ways to do unintended things.  who knows what they will be, but if there is a way to do *anything* to a few million people who are using site foobar2dotohhhh.com, someone can find value in leveraging that for some nefarious purpose...&lt;br /&gt;&lt;br /&gt;imo the &lt;a href="http://www.verizonbusiness.com/resources/security/databreachreport.pdf"&gt;verizon security report&lt;/a&gt; (full disclosure: atm i have only skimmed it) is telling us that the future holds a lot of badness...  90% of the breaches used exploits more than 6 months old, and 70+% used sploits more than a year old.&lt;br /&gt;&lt;br /&gt;it isn't like we're not still seeing &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx"&gt;OS&lt;/a&gt; and &lt;a href="http://blogs.zdnet.com/security/?p=1370"&gt;core app&lt;/a&gt; vulns.  the code being written for modern apps by companies trying to improve security is still failing.  and don't forget about non-core vulns, like flash and pdf, which aren't secured by any type of common patching/updating framework.  and then there's &lt;a href="http://www.gnucitizen.org/blog/save-your-passwords-with-mozillas-weave/"&gt;the web app world&lt;/a&gt; w/ SQL injection and web app foo.  
oh, and let's not forget &lt;a href="http://www.google.com/search?hl=en&amp;amp;q=Luigi+Auriemma&amp;amp;btnG=Google+Search"&gt;other categories of vulnerable applications, like games&lt;/a&gt;...  there is a lot of software out there (AV, backup software, etc) which has rights on our boxes and contains vulns...&lt;br /&gt;&lt;br /&gt;there are more eyes looking for vulns all over than ever before.  and most people haven't even started looking closely at the really new stuff everyone is flocking to. besides the fact that there are &lt;a href="http://blogs.zdnet.com/security/?p=1384"&gt;a couple of vulnerable browsers on the tubes atm&lt;/a&gt;...  shawn thinks things are getting better, but i think if you &lt;a href="http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Moyer"&gt;catch his talk in vegas&lt;/a&gt; you might see that he's making my point for me... ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6527423865204839914?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6527423865204839914/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6527423865204839914' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6527423865204839914'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6527423865204839914'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/07/are-things-getting-better.html' title='are things getting better?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-2803313328937739115</id><published>2008-06-28T05:02:00.002+01:00</published><updated>2008-06-28T05:05:45.114+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='noscript'/><category scheme='http://www.blogger.com/atom/ns#' term='ballgirl'/><category scheme='http://www.blogger.com/atom/ns#' term='flashblock'/><title type='text'>so did you watch this vid?</title><content type='html'>&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/4SqJz0NgnnE&amp;amp;hl=en"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/4SqJz0NgnnE&amp;amp;hl=en" type="application/x-shockwave-flash" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;my first thought when i watched the vid?  look at how it hiccups when she goes up the wall, it's fake, wowdidijustgetowned?!?&lt;br /&gt;&lt;br /&gt;how long until we see (or have we seen and i don't know it) a viral video flash 0day sploit, or something similar?  
flashblock and noscript are all good, until you turn em off to watch the nifty crap floating around the tubes that day...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-2803313328937739115?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/2803313328937739115/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=2803313328937739115' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2803313328937739115'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2803313328937739115'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/06/so-did-you-watch-this-vid.html' title='so did you watch this vid?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7849936847198014045</id><published>2008-06-28T04:58:00.002+01:00</published><updated>2008-06-28T05:00:54.773+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bow to my firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='bruce potter'/><category scheme='http://www.blogger.com/atom/ns#' term='potter'/><title type='text'>this vid came up the other night...</title><content type='html'>just want to say we love watching your talks bruce... :D&lt;br /&gt;&lt;br /&gt;
&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/2onV9FZ0xio&amp;amp;hl=en"&gt;&lt;embed src="http://www.youtube.com/v/2onV9FZ0xio&amp;amp;hl=en" type="application/x-shockwave-flash" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7849936847198014045?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7849936847198014045/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7849936847198014045' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7849936847198014045'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7849936847198014045'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/06/this-vid-came-up-other-night.html' title='this vid came up the other night...'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3138851029897121919</id><published>2008-06-28T02:02:00.002+01:00</published><updated>2008-06-28T05:01:25.077+01:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='waf'/><category scheme='http://www.blogger.com/atom/ns#' term='web application firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='breach'/><title type='text'>breach waf foo</title><content type='html'>work has been keeping me busy lately... first official web app pen work was a coldfusion site, paros falsed a lot, but i managed to get some manual sqli and a few other things... fighting a waf :-\ still gotta bang that out some more and get around to writing the report... ;)&lt;br /&gt;&lt;br /&gt;anywho, &lt;a href="http://www.breach.com/"&gt;breach &lt;/a&gt;came by the office the other day. talked to the engineer about the technical aspects of their offering, which involves 4 ways of protecting your apps (i don't remember them all). their waf box sits out of line on a span/mirror and does the job via sending resets.&lt;br /&gt;&lt;br /&gt;they do some analysis on your production traffic to build what boils down to a pattern matching ruleset for how your app works on the network. "this is always an integer" and "this is always a string w/ no special chars", etc. i'm sure this is understating the tech, but yea...&lt;br /&gt;&lt;br /&gt;so that got me thinking, what if someone just has a dork for whatever your vuln is and their only interaction w/ you is the one session where they actually perform the attack, which is prepackaged for your vuln and requires no interaction (ie: recent mass sqli attacks). the WAF doesn't see the full attack until it has analyzed the packet(s), by which time the original copy of the malicious payload is on the nic of your web app server. the reset will come too late.&lt;br /&gt;&lt;br /&gt;which brings us to one of those other types of protection, which is a client shim in the TCP/IP stack which will inspect the packet for malicious payloads prior to releasing it on up to the application layer. 
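the learned ruleset described above, as an added example (my own code, not Breach's): it derives per-parameter rules like "always an integer" or "always a plain string" from constructed sample traffic and flags a request that falls outside them. it only detects; whether that turns into a block is the inline-vs-out-of-band race from the previous paragraph.

```python
import re

# Value classes, loosest last. A parameter's learned class is the loosest one
# seen during training, so "int" only survives if every sample was all digits.
INT_RE = re.compile(r"^[0-9]+$")
PLAIN_RE = re.compile(r"^[A-Za-z0-9 _.@-]+$")
RANK = {"int": 0, "plain": 1, "any": 2}


def classify(value):
    """Map one parameter value to the tightest class it fits."""
    if INT_RE.match(value):
        return "int"
    if PLAIN_RE.match(value):
        return "plain"
    return "any"


def learn_profile(requests):
    """Build {(path, param): {"class": ..., "max_len": ...}} from observed
    (path, {param: value}) pairs, the way a learning WAF would from a SPAN port."""
    profile = {}
    for path, params in requests:
        for name, value in params.items():
            cls = classify(value)
            rule = profile.setdefault((path, name), {"class": "int", "max_len": 0})
            if RANK[cls] > RANK[rule["class"]]:
                rule["class"] = cls
            rule["max_len"] = max(rule["max_len"], len(value))
    return profile


def check_request(profile, path, params, slack=2.0):
    """Return (param, reason) violations; an empty list means the request fits
    the learned model. Unknown parameters are violations in a positive model."""
    violations = []
    for name, value in params.items():
        rule = profile.get((path, name))
        if rule is None:
            violations.append((name, "parameter never seen in training"))
            continue
        cls = classify(value)
        if RANK[cls] > RANK[rule["class"]]:
            violations.append((name, "expected %s, got %s" % (rule["class"], cls)))
        bound = int(rule["max_len"] * slack)
        if len(value) > bound:
            violations.append((name, "length %d exceeds learned bound %d" % (len(value), bound)))
    return violations


# Constructed sample traffic for a shop-style app (not captured from any real site).
TRAINING = [
    ("/item", {"id": "101", "cat": "books"}),
    ("/item", {"id": "2048", "cat": "music"}),
    ("/item", {"id": "7", "cat": "home garden"}),
    ("/search", {"q": "blue widget", "page": "1"}),
    ("/search", {"q": "o'reilly nutshell", "page": "2"}),
]

PROFILE = learn_profile(TRAINING)

# A benign request, a prepackaged injection in the integer slot, and a
# parameter the app never exposed during training.
BENIGN = ("/item", {"id": "310", "cat": "games"})
INJECTED = ("/item", {"id": "101 OR 1=1", "cat": "books"})
UNKNOWN = ("/item", {"id": "1", "debug": "1"})

if __name__ == "__main__":
    for label, (path, params) in (("benign", BENIGN), ("injected", INJECTED), ("unknown", UNKNOWN)):
        print(label, check_request(PROFILE, path, params))
```

note that the free-text search field learns the loosest class because one training value had an apostrophe, which is exactly where a learned model gives the least protection.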
so if a waf is kinda like an ids at the app layer, i guess the breach client is like host ids.... "host web application firewall", better known as a "hwaf" (said w/ lots of throat noises ;)&lt;br /&gt;&lt;br /&gt;another feature is that they support some common firewall featureset so the appliance can request dynamic ruleset changes. i can't recall what it is named, and haven't googled around to find out more about it yet. but that bit got me thinkin about &lt;a href="http://jeremiahgrossman.blogspot.com/2008/03/va-waf-yes-it-really-works.html"&gt;how grossman started combining VA and WAF&lt;/a&gt;, so i asked the guy if he'd heard of it and if breach was planning anything in that space. he had no idea, but then he told me this other interesting bit...&lt;br /&gt;&lt;br /&gt;he said that now that they had a device monitoring application traffic, people have been realizing that it can be used as an application monitoring / health-check device. watching for broken links, error messages, and basically becoming an analysis and maintenance tool... reminds me of &lt;a href="http://hobbitmon.sourceforge.net/"&gt;a nms&lt;/a&gt; for your application layer... damn nifty, and it makes so much sense... 
but my response was: be careful, much more of that and you won't be a security company anymore ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3138851029897121919?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3138851029897121919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3138851029897121919' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3138851029897121919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3138851029897121919'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/06/breach-waf-foo.html' title='breach waf foo'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7122279871779435939</id><published>2008-06-22T05:45:00.002+01:00</published><updated>2008-06-22T05:48:27.344+01:00</updated><title type='text'>su - v. sudo su -</title><content type='html'>ok, all this ubuntu talk has got me wanting to rant a little bit...&lt;br /&gt;&lt;br /&gt;[rant]&lt;br /&gt;sudo su is bad...  there's no way around it.  i know it's nice to keep users happy by not making them remember yet another password.  
and yes, it is nice that you have to know the current password to sudo su (in the same way that you have to know the current password to run passwd unless you're root). &lt;br /&gt;&lt;br /&gt;this stuff, however, doesn't make sudo su a good thing.&lt;br /&gt;&lt;br /&gt;don't believe me eh?  all you have to do is check wikipedia (until one of you smartasses changes it):&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;sudo (super user do; officially pronounced /ˈsuːduː/, though /ˈsuːdoʊ/ is also common) is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user (normally the superuser) ... Before running a command with sudo, users typically supply their password. Once authenticated, and if the /etc/sudoers configuration file permits the user access, then the command is run&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;ok, so right now you're probably thinking that the quote doesn't support my point at all.  stfu.  look, just because i can edit the sudoers file to allow sudo to run su doesn't mean it's ok.  i mean, i can edit the sshd conf to allow root logins, but do we think it's ok to do?  i can install mysql w/ a blank sa password.  i can use cleartext instead of crypto.  i can find web sites with goat pr0n...  wait...  erm...&lt;br /&gt;&lt;br /&gt;anyway, i understand where this fits in w/ the ubuntu community of being all warm and fuzzy and easy.  but i don't have to like it.  one problem is that it hinders the ability of windoz converts to understand the significance of the nix security and permissions model.  but mostly i hate that it removes a layer of security.  we're supposed to be about defense in depth, right? &lt;br /&gt;&lt;br /&gt;if you get my password, i'd like it if you have to find a privilege escalation vuln and dig around for a while to root me.  just using the same password again to do it seems cheap...&lt;br /&gt;&lt;br /&gt;i know macs are kinda similar, and i don't care.  
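as an added example (my code, not from the post or from ubuntu), here's a small audit of the sudoers rules quoted in this post: it reports every non-root principal that can reach a root shell and what that costs them. the hardened variant is constructed and assumes sudo's rootpw option, which makes sudo ask for root's password instead of the caller's, so "sudo su -" needs a second secret.

```python
import re

# Exactly the live rules the post prints after "sudo su -" (comments stripped).
UBUNTU_SUDOERS = """
Defaults    env_reset
root    ALL=(ALL) ALL
%admin ALL=(ALL) ALL
"""

# Constructed hardened variant: rootpw (or targetpw) means the caller's own
# password is no longer enough to become root through sudo.
ROOTPW_SUDOERS = """
Defaults    env_reset
Defaults    rootpw
root    ALL=(ALL) ALL
%admin ALL=(ALL) ALL
"""

# Constructed: one scoped rule that hands out no shell, one that is worse than
# the ubuntu default because it asks for no password at all.
SCOPED_SUDOERS = """
Defaults    env_reset
%ops ALL=(root) /usr/sbin/service apache2 restart
deploy ALL=(ALL) NOPASSWD: ALL
"""

# user  host=(runas) commands   (aliases and line continuations not handled)
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def parse_sudoers(text):
    """Return (set of Defaults flags, list of (user, host, runas, cmnd) rules)."""
    flags, rules = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            flags.update(line[len("Defaults"):].replace(",", " ").split())
            continue
        m = RULE_RE.match(line)
        if m:
            user, host, runas, cmnd = m.groups()
            # No (runas) clause means "run as root" in sudoers.
            rules.append((user, host, runas or "root", cmnd.strip()))
    return flags, rules


def grants_root_shell(cmnd):
    """True when the command list permits ALL or an su binary."""
    body = cmnd.replace("NOPASSWD:", "").replace("PASSWD:", "")
    for entry in body.split(","):
        cmd = entry.strip().split()
        if cmd and (cmd[0] == "ALL" or cmd[0].endswith("/su")):
            return True
    return False


def audit(text):
    """List the ways a non-root principal can reach a root shell and what it costs."""
    flags, rules = parse_sudoers(text)
    second_secret = "rootpw" in flags or "targetpw" in flags
    findings = []
    for user, host, runas, cmnd in rules:
        if user == "root" or runas not in ("ALL", "root"):
            continue
        if not grants_root_shell(cmnd):
            continue
        if "NOPASSWD:" in cmnd:
            findings.append("%s: root shell with no password at all" % user)
        elif not second_secret:
            findings.append("%s: root shell for the price of the user's own password" % user)
    return findings


if __name__ == "__main__":
    for name, text in (("ubuntu default", UBUNTU_SUDOERS),
                       ("rootpw", ROOTPW_SUDOERS), ("scoped", SCOPED_SUDOERS)):
        print(name, audit(text) or ["no root shell path found"])
```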
and i know it isn't a big deal to most people, and i don't care about that either.  i don't like sudo su, and i don't have to...  grrr... &lt;br /&gt;&lt;br /&gt;&lt;code&gt;&lt;br /&gt;rwnin@deadwood:~$ cat /etc/sudoers&lt;br /&gt;cat: /etc/sudoers: Permission denied&lt;br /&gt;rwnin@deadwood:~$ sudo su -&lt;br /&gt;[sudo] password for rwnin:&lt;br /&gt;root@deadwood:~# cat /etc/sudoers | grep -v '^#' | sed '/^$/d'&lt;br /&gt;Defaults    env_reset&lt;br /&gt;root    ALL=(ALL) ALL&lt;br /&gt;%admin ALL=(ALL) ALL&lt;br /&gt;root@deadwood:~# logout&lt;br /&gt;rwnin@deadwood:~$&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;[/rant]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7122279871779435939?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7122279871779435939/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7122279871779435939' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7122279871779435939'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7122279871779435939'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/06/su-v-sudo-su.html' title='su - v. 
sudo su -'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-64642574694197103</id><published>2008-06-20T06:07:00.002+01:00</published><updated>2008-06-20T06:21:51.075+01:00</updated><title type='text'>ubuntu update</title><content type='html'>so &lt;a href="http://jdm-tech.blogspot.com/"&gt;my buddy&lt;/a&gt; is &lt;a href="http://www.gentoo.org/proj/en/releng/release/2008.0/index.xml"&gt;still waiting for gentoo 2008.0&lt;/a&gt; (and what month is it?)(don't get kicked from any irc forums asking questions btw), and i'm still using ubuntu as my daily box (re: &lt;a href="http://rwnin.blogspot.com/2008/05/not-sure-how-i-feel-about-this.html"&gt;the last ubuntu post&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;sooooo, here's my update on this little challenge...&lt;br /&gt;&lt;br /&gt;i am really happy w/ the OS i'm using atm... the only issue i've run into that i couldn't solve within seconds is that VLC didn't play &lt;a href="http://www.hbo.com/deadwood/"&gt;a dvd&lt;/a&gt; like i expected it to (like it did w/ a diff dvd in windows) so i went upstairs and watched it on the dvd player on my tv...  also, vmplayer is dead in the water w/ hardy afaik...  that sucks...&lt;br /&gt;&lt;br /&gt;but to balance that out, tons of other stuff works correctly which gives me issues on my gentoo laptop (ie: sound, truecrypt, and other stuff i can't think of atm)...&lt;br /&gt;&lt;br /&gt;so here's my real bitch about the ubuntu community.  i've got a buddy who is getting into *nix, and he tried to drop it on his laptop.  since then there's been video card issues w/ Xorg and wifi issues which render the box unusable.  
he is pretty decent w/ RTFM and all of that, but he keeps calling me up to come fix his stuff.  i kinda wanna bitch, but the sad truth is that when i go out to google issues using the ubuntu keyword, there just isn't much out there.  it is as though they've taken for granted that their stuff works all the time, and don't provide detailed documentation for the people who might want to reference it...&lt;br /&gt;&lt;br /&gt;i mean, dig into the links and compare &lt;a href="https://help.ubuntu.com/"&gt;this&lt;/a&gt; to &lt;a href="http://www.gentoo.org/doc/en/handbook/handbook-x86.xml"&gt;this&lt;/a&gt;...  wtf...&lt;br /&gt;&lt;br /&gt;so i am considering contributing to the ubuntu community w/ some low level documentation, b/c i see people out there using ubuntu having problems w/ questions that aren't answered by the docs...&lt;br /&gt;&lt;br /&gt;the truth i am willing to face up to, is that i can make ubuntu work on a variety of hardware platforms only because i cut my teeth on gentoo... 
i'm still happier running ubuntu day to day tho ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-64642574694197103?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/64642574694197103/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=64642574694197103' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/64642574694197103'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/64642574694197103'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/06/ubuntu-update.html' title='ubuntu update'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-8582847937134781255</id><published>2008-06-20T05:34:00.002+01:00</published><updated>2008-06-20T06:07:41.408+01:00</updated><title type='text'>multipost</title><content type='html'>i can't justify making these all separate posts...  sooooo....&lt;br /&gt;&lt;br /&gt;#!) &lt;a href="http://www.gnucitizen.org/blog/virtualizations/"&gt;pdp has a post&lt;/a&gt; talking about some conversations he's had w/ &lt;a href="http://theinvisiblethings.blogspot.com/"&gt;joanna&lt;/a&gt; about virtualization security issues...  
the thing i dig about this is how he hones in on how 'normal' users aren't going to use virt tech in the way that peeps like joanna see it helping security, b/c it's just too complicated for them.  anyway, i dig this b/c it kinda fits w/ my view on security today.  it's just too complicated for normal users (and arguably many sec professionals ;), and someday there's gonna have to be a solution to alleviate this pressure...  things will not go on like they have in the infosec industry forever imo...  anywho, i don't have a solution or anything, i'm just bracing myself for unknown inevitable life-altering change...&lt;br /&gt;&lt;br /&gt;#@) the whole &lt;a href="http://www.securityfocus.com/archive/1/493387"&gt;hack the coffee maker&lt;/a&gt; deal...  i'm not sure i totally agree w/ thor on the whole responsible disclosure rant he had.  i mean, i agree in general, but it's a coffee maker maker, i can imagine they might be completely unresponsive to infosec issues...   anywho, i love this b/c it hits on a point i'm considering doing some research on, which is basically that inet enabled devices which don't have financial incentive for being secure are probably going to have higher vuln rates than appliance networks which add value to their parent companies through being inet enabled.  in this case, it's just a feature, not an active profit center, so it isn't a surprise that security hasn't been taken into acct...&lt;br /&gt;&lt;br /&gt;##) so &lt;a href="http://technology.newscientist.com/channel/tech/dn14124-compressed-web-phone-calls-are-easy-to-bug.html"&gt;some math geeks figured out you can "listen in" to encrypted voip calls&lt;/a&gt; (via schneier) just by doing timing and size analysis on the encrypted packets.  they claim 50-90% accuracy.  if they aren't doing it already, i wonder if you could take candidate words and run them through a grammar checker to improve the ultimate tally.... they've gotta be doing that already tho...  
i live in awe of math and crypto people sometimes, but i sure don't feel any burning desire to try to become one...&lt;br /&gt;&lt;br /&gt;#$) too many &lt;a href="http://www.youtube.com/watch?v=Bqxnm6t3QMw"&gt;mother uckers&lt;/a&gt; w/ a cissp...  anyway, &lt;a href="http://www.tssci-security.com/archives/2008/06/19/rip-cissp/"&gt;that's kinda not really the point of this post&lt;/a&gt;.  but as a sec generalist w/o a cissp, i'll raise my glass and say it is worth reading...  also, i like this &lt;a href="http://www.owasp.org/index.php/Category:OWASP_Certification_Project"&gt;owasp certification industry hack&lt;/a&gt; as well...&lt;br /&gt;&lt;br /&gt;#%) ok, i may not entirely understand &lt;a href="http://www.cio.in/news/viewArticle/ARTICLEID=5013548"&gt;this AV cloud bs&lt;/a&gt;, but to me it sounds like... bs....  are we saying that we're going to do our checksum checks by communicating w/ hosts over TCP/IP instead of a local file?  tell me what this solves that needs solving.  my AV files aren't filling up my HDD.  the problem is that my AV software can get sploited before it knows what happens.  i am getting more and more jaded in this area.  the solution isn't some new AV magic.  the solution is to stop trying to paint lipstick on the pig which is the windows security model and move to a design which is manageable a la *nix...&lt;br /&gt;&lt;br /&gt;#^) i really need to read this &lt;a href="http://searchsecurity.techtarget.com/magazinePrintFriendly/0,296905,sid14_gci1313268,00.html"&gt;face-off&lt;/a&gt; stuff regularly...  i am too lazy to find the rss for it...  i love both of these guys... despite the fact that one of them seems much more down to earth and cool based on my personal interactions as well as that of a ninja friend doing a talk @ blackhat this year ("please don't do this to me", lol)...  anywho, they both know their stuff and stimulate the mind... 
&lt;br /&gt;&lt;br /&gt;#&amp;amp;) came across &lt;a href="http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf"&gt;this paper&lt;/a&gt; in the mail...  very interesting attack vector which reminds me of reflection xss....  haven't digested it yet, but tacking it on to this post for giggles...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-8582847937134781255?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/8582847937134781255/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=8582847937134781255' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8582847937134781255'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8582847937134781255'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/06/multipost.html' title='multipost'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-868228579926873814</id><published>2008-06-19T07:11:00.004+01:00</published><updated>2008-06-19T07:16:40.647+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='blackhole dns'/><category scheme='http://www.blogger.com/atom/ns#' term='dnsbl'/><category scheme='http://www.blogger.com/atom/ns#' term='dnsbh'/><title 
type='text'>blackhole dns</title><content type='html'>&lt;a href="http://jdm-tech.blogspot.com/"&gt;a friend&lt;/a&gt; and i got the inspiration to implement &lt;a href="http://en.wikipedia.org/wiki/DNSBL"&gt;blackhole dns&lt;/a&gt; over a year back...  iirc the linkage was snort hosted, but i can't find it....  basically we set up a bhdns check for all outbound web traffic to reduce malware issues.&lt;br /&gt;&lt;br /&gt;i am quite surprised &lt;a href="http://malwaredomains.com/"&gt;this type of thing&lt;/a&gt; isn't more popular...  yea yea, it is blacklisting and we know that isn't totally effective, but we also know that academic ivory tower BS won't get you very far w/ the common constraints of corp america, budgets, etc etc etc.  so are you better off blacklisting some sites which are known very hostile or trying to whitelist known-good stuff and then moving to a default permit posture...&lt;br /&gt;&lt;br /&gt;anywho, i see this as one component of defense in depth, and well worth having in a lot of environments...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-868228579926873814?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/868228579926873814/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=868228579926873814' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/868228579926873814'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/868228579926873814'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/06/blackhole-dns.html' title='blackhole 
dns'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1465141492678532885</id><published>2008-06-19T07:01:00.003+01:00</published><updated>2008-06-19T07:08:59.176+01:00</updated><title type='text'>you know you wanna touch it...</title><content type='html'>anyway, old ass article i've been saving where &lt;a href="http://www.telegraph.co.uk/news/worldnews/2047932/Microsoft-boss-Bill-Gates-signals-end-of-the-computer-mouse.html"&gt;b gates says that touch screen tech could be the end of the mouse&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;it's ironic that this comes on the heels of the great success of apple w/ the iphone (although i'll admit that i have a winblows touch phone which i grudgingly like).  if anyone wonders if this is off-base or not, i'd point back to apple (note: i'm sayin billy is just jumpin on the bandwagon) being completely on-point w/ halting shipments of 3.5 floppy drives.  they mb timed perfectly or perhaps even invested and spurred the growth of the USB jump drive industry...&lt;br /&gt;&lt;br /&gt;anyway, the reason i'm posting the link is b/c losing the mouse and moving to touch as an interface brings about some interesting possibilities w/ security in the auth space...  we're all so used to dealing with passwords, but bringing tactile into the space allows for a lot of new ideas...  hand positioning, touch timings, geometric passkeys, timing based auth (via touch; but this could be done w/ keyboards too)...  
anywho, despite coming from MS, i see this possible evolution as being full of interesting possibilities....&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1465141492678532885?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1465141492678532885/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1465141492678532885' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1465141492678532885'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1465141492678532885'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/06/you-know-you-wanna-touch-it.html' title='you know you wanna touch it...'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6018862583410007641</id><published>2008-06-19T06:57:00.001+01:00</published><updated>2008-06-19T06:59:10.435+01:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='echelon'/><category scheme='http://www.blogger.com/atom/ns#' term='who watches the watchers'/><title type='text'>echelon</title><content type='html'>digg ran this vid...  got some foolish friends who think i wear a tinfoil hat b/c of  some of their quite poor choices of words during phone conversations...  anywho...  been not posting for quite a while... sry!&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/iMbrmkPazcE&amp;amp;hl=en"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/iMbrmkPazcE&amp;amp;hl=en" type="application/x-shockwave-flash" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6018862583410007641?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6018862583410007641/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6018862583410007641' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6018862583410007641'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6018862583410007641'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/06/echelon.html' title='echelon'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3780176180491750684</id><published>2008-05-13T18:43:00.002+01:00</published><updated>2008-05-13T20:12:27.900+01:00</updated><title type='text'>.mil botnet?</title><content type='html'>along the lines of my &lt;a href="http://rwnin.blogspot.com/2008/04/inet-doom-n-gloom.html"&gt;inet doom n gloom blurb&lt;/a&gt;, now via &lt;a href="http://www.securityfocus.com/"&gt;security focus&lt;/a&gt; there is &lt;a href="http://www.armedforcesjournal.com/2008/05/3375884"&gt;an AF col who is suggesting we build our own .mil botnet&lt;/a&gt; to counter the emerging inet threats from china and others...&lt;br /&gt;&lt;br /&gt;my post focused mostly on defensive measures, such as filtering, but this guy turns it around and thinks about how we can be offensive so as to have a "deterrent we lack"...&lt;br /&gt;&lt;br /&gt;the theme of the piece is that we already know that defense is not an acceptable posture.  every example of warfare in the past has shown that holing up in a castle or fort won't keep you safe from an attacker...  so we should have offensive strike capability in our arsenal to augment our existing fortifications...&lt;br /&gt;&lt;br /&gt;in a nutshell, he says the US should have a botnet to counter-attack attackers.  he talks about how they could integrate the code into .mil IDS/IPS, and then goes on to say that they shouldn't throw away obsolete PCs, but rather put botnet code on them and stuff "them in any available space every Air Force base can find".  past that, he wants to begin installing the code on .mil machines, and then later on .gov machines.&lt;br /&gt;&lt;br /&gt;this weapon would be a DDOS machine.  
and since we need volume to DDOS, he points out that the entire network must be able to be activated by a single commander, and not sliced up into sections controlled by different military factions.  the paper degenerates into endless blathering here, making case after case that the weapon should be controlled by a specific segment of the AF...   .mil politics and internal power struggles make me barf in my own mouth...  then the last 1/3 of the paper is devoted to countering predicted counter-arguments to such a system.&lt;br /&gt;&lt;br /&gt;imo, the guy is missing some key points here.  for one, a DDOS botnet isn't an effective counter-attack tool to end an ongoing attack.  if successful, it is at best similar to a mute button.  once you stop counter-DDOSing your attacker, they will be free to continue their attack on you.  you haven't removed the machine from the hostile botnet, or achieved permanent disruption of the attacker's C&amp;amp;C, or anything.  so what did you achieve?&lt;br /&gt;&lt;br /&gt;he says that in some cases, the attacker won't be readily identifiable, but we could make reasonable conclusions on who the host entity is, and just attack them.  yea, that'd go over really well.  but there is a bigger problem wrapped up in this point.  see, an unethical attacker will be controlling a botnet which is global in scope.  we won't know where they are coming from, but an entity who found itself under "counter-attack" from our DDOS botnet would know where _we_ are coming from.  They can blackhole route .mil and .gov subnets at their border routers, and then we'll need the bandwidth to flood every pipe going into and out of china?  right...  
oh, well we could just spoof the source IP's, except that he points out that spoofing could make an attacker "guilty of the war crime of perfidy" or in violation of UN rules (which the US would *never* violate).&lt;br /&gt;&lt;br /&gt;another big issue is that he is talking about running code which can generate (raw?) packets on every non-secret network the US govt has, with remote control capability.  let's think about unintended consequences here for a second.  we define risk by combining the likelihood of an event with the damage such an event would have if it were to occur.  so yea, maybe it's unlikely that an attacker could compromise our official .mil botnet, but if an attacker did, it could be a pretty serious problem.  he says the system will have:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;protection with various mechanisms, including disabling the botnet code if an automated check indicated the code has been altered. The af.mil botnet could protect against fratricide by having filters to prevent attacks against .mil, .gov or registered allied addresses, unless specifically overridden.&lt;/blockquote&gt;&lt;br /&gt;but if you can override them, then maybe an attacker could too...   at one very interesting point which ties in w/ &lt;a href="http://rwnin.blogspot.com/2008/05/botnet-foo.html"&gt;the end of my last post&lt;/a&gt;, he says:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;if the U.S. is defending itself against an attack that originates from a computer which was co-opted by an attacker, then there are real questions about whether the owner of that computer is truly innocent. &lt;span style="font-weight: bold;"&gt;At the least, the owner may be culpably negligent&lt;/span&gt;, and that does not, in fairness or law, prevent America from defending itself if the harm is sufficiently grave&lt;/blockquote&gt;&lt;br /&gt;emphasis added there...   wow...  
so anyway, this guy has a few other choice quotes i wanted to include:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;We want potential adversaries to know this capability works and will be used when needed. In fact, we should do live-fire demonstrations on the Internet against range targets so foreign signals intelligence organizations can observe. Of course, we should fire inert rounds so as to not give away secrets.&lt;/blockquote&gt;&lt;br /&gt;wot?  are we talking DDOS here?  whatever...  and then there's this jewel:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Brute force has an elegance all its own.&lt;/blockquote&gt;&lt;br /&gt;anyway, this has become a monster post.  despite my belief that a .mil DDOS botnet isn't the right next step, i think the author has hit upon an important point.  today the internet is the wild west, and there are little bastions of civility and law, but if a big group of bandits comes riding along, you might have a problem.  we aren't going to secure the internet at large by installing firewalls and IDS's at client sites.  that does nothing about the badness right outside your fort which is hanging out trying to figure out how to get in. &lt;br /&gt;&lt;br /&gt;when this thing reaches a boiling point, and change is at our door, i expect we'll see proactive security methods introduced into the internet at large.  there's lots of possibilities, and lots of potential consequences...  
but, as i'll continue to state, i don't believe the status quo of infosec can be maintained...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3780176180491750684?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3780176180491750684/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3780176180491750684' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3780176180491750684'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3780176180491750684'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/05/mil-botnet.html' title='.mil botnet?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-8720967002264371218</id><published>2008-05-12T23:15:00.004+01:00</published><updated>2008-05-12T23:41:21.154+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='comcast'/><category scheme='http://www.blogger.com/atom/ns#' term='brute force'/><category scheme='http://www.blogger.com/atom/ns#' term='botnets'/><category scheme='http://www.blogger.com/atom/ns#' term='ssh'/><category scheme='http://www.blogger.com/atom/ns#' term='bots'/><title type='text'>botnet foo</title><content type='html'>so there's an interesting thread on the incidents mailing list talking about 
bruteforce ssh attacks...&lt;br /&gt;&lt;br /&gt;yea yea, old news...&lt;br /&gt;&lt;br /&gt;but what's interesting isn't the brute ssh stuff, but the level of sophistication and coordination in the botnet itself.  i'd only recently heard of &lt;a href="http://denyhosts.sourceforge.net/"&gt;denyhosts&lt;/a&gt;, which is a blacklist of known-hostile IP addresses that attack ssh servers.  if a new IP fails logins to an ssh server, it gets added to the list...&lt;br /&gt;&lt;br /&gt;it seems that this botnet is actively trying to get around this defense mechanism by coordinating attacks so that different login attempts come from different IP addresses.  so you'll see an attempt pattern like this:&lt;br /&gt;&lt;br /&gt;x.x.x.x: user=alice&lt;br /&gt;y.y.y.y: user=bob&lt;br /&gt;z.z.z.z: user=charlie&lt;br /&gt;&lt;br /&gt;the really nifty bit is that state is apparently maintained as the botnet iterates through the dictionary of users...  one admin reported that if you blacklist ssh from all but a few /8's, the attacks will cease for a while, but eventually one will come from the whitelisted IP address block and will be the next  alphabetical username...&lt;br /&gt;&lt;br /&gt;i really need to get a gig as an engineer at an ISP so i can spend some time writing code to identify and disrupt botnets...  more needs to be done in that area...  but yet again, there is this whole debate about the ethics of &lt;a href="http://www.eweek.com/c/a/Security/Kraken-Botnet-Infiltration-Triggers-Ethics-Debate/"&gt;dismantling botnets&lt;/a&gt;...  i haven't thought about it enough yet, but there are clearly important points on both sides of the issue.  
but let's cut through all of that high-brow legalese and ethical stuff (i'd rather go listen to &lt;a href="http://en.wikipedia.org/wiki/Jennifer_Granick"&gt;Jennifer Granick&lt;/a&gt; talk about this stuff at bh/dc this year instead of flaming over it anyway;) and cut right to something more grounded...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://gizmodo.com/387901/comcast-considering-monthly-data-caps-and-overage-fees"&gt;comcast is talking about bandwidth caps and charges for overusage&lt;/a&gt;...  so, tell me, what is going to happen when your grandma's bot infested box is spewing spam and she gets a big old bill from comcast...?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-8720967002264371218?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/8720967002264371218/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=8720967002264371218' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8720967002264371218'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/8720967002264371218'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/05/botnet-foo.html' title='botnet foo'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1231807121322865974</id><published>2008-05-12T23:04:00.004+01:00</published><updated>2008-05-12T23:15:28.760+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='statcounter'/><category scheme='http://www.blogger.com/atom/ns#' term='sniffing'/><category scheme='http://www.blogger.com/atom/ns#' term='password'/><category scheme='http://www.blogger.com/atom/ns#' term='credentials'/><category scheme='http://www.blogger.com/atom/ns#' term='ssl'/><category scheme='http://www.blogger.com/atom/ns#' term='https'/><category scheme='http://www.blogger.com/atom/ns#' term='cleartext'/><title type='text'>statcounter follow-up</title><content type='html'>so how do you feel about cleartext passwords over inet?  anyway, this is a followup from &lt;a href="http://rwnin.blogspot.com/2008/05/dur-wtf-statcounter.html"&gt;my other post&lt;/a&gt; about statcounter passing creds in the clear after you hit their page via SSL...  the rub of it is that SSL is up and functional for processing creds, they just don't use it.&lt;br /&gt;&lt;br /&gt;so i mailed em, and here's what they said:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;As far as the general member log in is concerned, a secure connection is not generally used - our view is that the information in your StatCounter account is not "critically sensitive" in the same way as your online bank account would be. In addition, we have never had a case of anyone's log-in details being stolen.&lt;br /&gt;&lt;br /&gt;Basically, since we provide a free service, we have to analyse everything on a risk return basis from the perspective of our members. 
The extra cost of providing secure log in facilities in terms of increased hosting costs etc would reduce the level of service we can provide to our members and the vast majority of our members are happy with the system as it stands. This is the thinking behind our position.&lt;br /&gt;&lt;br /&gt;The service we provide, however, is 100% driven by our members. So if a large portion of our members voiced their concerns to us in this regard, then this is something we would have to implement.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;i think that bit at the end is very cool.  kudos for being willing to listen to your user base.  so i wrote em back w/ this blurb, and haven't heard anything in a few days:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;I completely understand that there is a cost benefit analysis that must be done in regards to any security measure.  You do provide a nifty free service, and I'm grateful for it...&lt;br /&gt;&lt;br /&gt;My main disagreement w/ the crux of your response comes from the fact that you already have SSL infrastructure in place.  You clearly have the capacity to handle the current amt of people who hit https://statcounter, although I'm sure most users probably hit http:// instead.&lt;br /&gt;&lt;br /&gt;I have never hosted a site, so I can only speculate, but it seems that the increased cost of doing an HTTPS POST for users who explicitly travel to the HTTPS main page would only moderately increase the amount of bandwidth hitting your SSL devices (considering that most users probably hit HTTP by default).&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;[if you] do your login POSTs as cleartext HTTP, then you should just disable the HTTPS site entirely, because it is wasting money and bandwidth by encrypting the public site and not protecting user credentials...&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;what do you think?  do you use the same username and password for accounts like this?  
or do you have a different password for every site you visit?  do you bother to check if you're on SSL when you're logging into a site?  are we worried about sniffing anymore?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1231807121322865974?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1231807121322865974/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1231807121322865974' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1231807121322865974'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1231807121322865974'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/05/statcounter-follow-up.html' title='statcounter follow-up'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1068887029964971756</id><published>2008-05-12T02:45:00.001+01:00</published><updated>2008-05-12T02:45:51.233+01:00</updated><title type='text'>not sure how i feel about this...</title><content type='html'>but i must confess...&lt;br /&gt;&lt;br /&gt;so a long time ago, i built this machine as a gentoo/windows dual boot box. at the time i had gentoo and beryl running on my work d620, and i was very very happy... i'm not anti-windows, mainly because i game. 
so i made gentoo the primary boot, and off i went.... and i ended up using windows almost every time i booted.&lt;br /&gt;&lt;br /&gt;since then i've changed jobs, and installed gentoo on a POS toshiba (redundant redundant) laptop. during a recent emerge -uD world, the truecrypt module started bombing when i tried to open my tc files. also, i've been listening to the endless issues &lt;a href="http://jdm-tech.blogspot.com/"&gt;my buddy&lt;/a&gt; is having w/ his gentoo install/upgrade experiences.  the two of us have been using gentoo for a few years now...&lt;br /&gt;&lt;br /&gt;so today as i sat down to boot my windows box to browse the web and write some emails, i was like WTF... i've never been happy w/ where this gentoo box is, and i shouldn't be using windows for shit i know is good on linux. so fuckit.&lt;br /&gt;&lt;br /&gt;i already had the latest version b/c i'd installed it on a machine at a client site. jdm and i have been debating it for a few days, and i took the plunge and installed ubuntu as my primary desktop OS. i have a weird ass setup atm, so when i tried to do manual partitioning (w/o reading any directions) it (or i) dorked up. so i grabbed a spare big ass hdd and just used the wizard. and you know what? i'm up and running in less time (than gentoo or windows) and having a much easier go at it.&lt;br /&gt;&lt;br /&gt;my other buddy sk00t will give me no end of shit for it, but i'm now to the point where the easiness of ubuntu and the fact that it just works has outweighed my macho feelings that anyone who doesn't compile their entire computer from scratch has something to prove to the world at large. hell, even some of my non-tech friends will probably chuckle at me, as i'd been advocating gentoo to them as being better than ubuntu.&lt;br /&gt;&lt;br /&gt;but the fact is that while there is still a place in my heart for gentoo (much as there is for fbsd), apt-get isn't all that different than portage (or the ports tree). 
and i installed this thing in a very short amt of time (like an hour) and everything just works.&lt;br /&gt;&lt;br /&gt;ubuntu is not superior to gentoo, but seems to be more actively supported. and when it's sunday afternoon and i want to not be using windows, having things work right w/o much pain seems more important than hacking through some issue for a few hours just to make my box act the way i want.&lt;br /&gt;&lt;br /&gt;most importantly, i know i'll be using this as my default environment... now i just have to fix my windows partition so i can recover my documents and continue playing games that use punkbuster ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1068887029964971756?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1068887029964971756/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1068887029964971756' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1068887029964971756'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1068887029964971756'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/05/not-sure-how-i-feel-about-this.html' title='not sure how i feel about this...'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-2458424513243100845</id><published>2008-05-09T14:55:00.003+01:00</published><updated>2008-05-09T15:11:44.894+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hash visualization'/><category scheme='http://www.blogger.com/atom/ns#' term='certs'/><category scheme='http://www.blogger.com/atom/ns#' term='mitm'/><category scheme='http://www.blogger.com/atom/ns#' term='hashes'/><title type='text'>certs and paranoia</title><content type='html'>so did the gmail ssl cert change today for anyone else, or did someone just &lt;a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack"&gt;MitM&lt;/a&gt; me?&lt;br /&gt;&lt;br /&gt;i've been in the habit of checking the hash on the site for a while now.  i think kaminsky talked about doing things to help remember hashes a few years back at blackhat/dc (i think he proposed using phrases derived from the hash value, which are easier to remember, but i'm not sure).  i know others have talked about &lt;a href="http://sparrow.ece.cmu.edu/%7Eadrian/projects/validation/validation.pdf"&gt;hash visualization&lt;/a&gt;...  i dug around for a hash visualization plugin for firefox, and turned up nothing, and am kicking around building one (w/ all my free time ;)...&lt;br /&gt;&lt;br /&gt;anyway, it's tough to remember those long hash strings, so i was using the weaker method of just remembering a few values and their placement in the hash string.  much to my surprise this morning, the values i was expecting were no longer there...&lt;br /&gt;&lt;br /&gt;sooooo, now what?  i hit cancel...  then i went back and examined the cert, and the cert chain.  but wtf am i lookin for?  if they can gen a fake gmail cert, they can gen a fake cert chain too, right?  so anyway, i went ahead and logged in after a few min of indecision.  
i need to rotate my passwords anyway ;)&lt;br /&gt;&lt;br /&gt;but now i'm left wondering what is the right thing to do when a cert changes...  how do you verify that it is legit, and not a MitM?  guess i've got some reading to do...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-2458424513243100845?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/2458424513243100845/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=2458424513243100845' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2458424513243100845'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2458424513243100845'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/05/certs-and-paranoia.html' title='certs and paranoia'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3736647529288252840</id><published>2008-05-01T05:29:00.005+01:00</published><updated>2008-12-10T04:26:13.082Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='login'/><category scheme='http://www.blogger.com/atom/ns#' term='statcounter'/><category scheme='http://www.blogger.com/atom/ns#' term='crypto'/><category scheme='http://www.blogger.com/atom/ns#' term='password'/><category scheme='http://www.blogger.com/atom/ns#' 
term='wtf'/><category scheme='http://www.blogger.com/atom/ns#' term='cleartext'/><title type='text'>dur, wtf statcounter?</title><content type='html'>so &lt;a href="http://jdm-tech.blogspot.com/"&gt;my buddy&lt;/a&gt; and i recently noticed &lt;a href="http://jdm-tech.blogspot.com/2008/04/statcounter-bite-me.html"&gt;this lameness&lt;/a&gt; with statcounter and other sites...&lt;br /&gt;&lt;br /&gt;so i do dislike non-ssl stuff in some situations, like when google-ish stuff passes you to cleartext after the login...  but at least when you hit the initial google-ish page w/ https, it will generally retain your ssl session past login...&lt;br /&gt;&lt;br /&gt;what irks me is that statcounter does the opposite... i hit https://statcounter.com and go to login, and firefox warns that i'm passin creds in cleartext:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ai6JN2kiD6A/SBlO7kwUhmI/AAAAAAAAAEs/ed_iLzZNJt4/s1600-h/wtf.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_ai6JN2kiD6A/SBlO7kwUhmI/AAAAAAAAAEs/ed_iLzZNJt4/s320/wtf.jpg" alt="" id="BLOGGER_PHOTO_ID_5195270430534174306" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;so i embarked on testing the stuff in this post, just cause i was curious...  
i figured others had probably been all over bitching about this type of stupidity, &lt;a href="http://www.google.com/search?hl=en&amp;amp;q=statcounter+login+cleartext&amp;amp;btnG=Google+Search"&gt;but maybe not&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;anywho, so i check the source of the page to see what the form is doing:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_ai6JN2kiD6A/SBlO7EwUhkI/AAAAAAAAAEc/rlCk_w1BxsY/s1600-h/http.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_ai6JN2kiD6A/SBlO7EwUhkI/AAAAAAAAAEc/rlCk_w1BxsY/s320/http.jpg" alt="" id="BLOGGER_PHOTO_ID_5195270421944239682" border="0" /&gt;&lt;/a&gt;and then i tcpdump and sure enough:&lt;br /&gt;&lt;br /&gt;(syn)&lt;br /&gt;05:02:34.157286 IP (tos 0x0, ttl 128, id 37627, offset 0, flags [DF], proto TCP (6), length 48) 192.168.13.113.4820 &gt; 67.15.80.69.80: S, cksum 0xb352 (correct), 1179194610:1179194610(0) win 65535 &lt;mss 1460,sackOK&gt;&lt;br /&gt;      0x0000:  4500 0030 92fb 4000 8006 065f c0a8 0d71  E..0..@...._...q&lt;br /&gt;      0x0010:  430f 5045 12d4 0050 4649 14f2 0000 0000  C.PE...PFI......&lt;br /&gt;      0x0020:  7002 ffff b352 0000 0204 05b4 0101 0402  p....R..........&lt;br /&gt;&lt;br /&gt;(syn-ack)&lt;br /&gt;05:02:34.216816 IP (tos 0x0, ttl 45, id 0, offset 0, flags [DF], proto TCP (6), length 44) 67.15.80.69.80 &gt; 192.168.13.113.4820: S, cksum 0x8e44 (correct), 974121408:974121408(0) ack 1179194611 win 5840 &lt;mss 1304&gt;&lt;br /&gt;      0x0000:  4500 002c 0000 4000 2d06 ec5e 430f 5045  E..,..@.-..^C.PE&lt;br /&gt;      0x0010:  c0a8 0d71 0050 12d4 3a0f e9c0 4649 14f3  ...q.P..:...FI..&lt;br /&gt;      0x0020:  6012 16d0 8e44 0000 0204 0518 0000       `....D........&lt;br /&gt;&lt;br /&gt;(ack)&lt;br /&gt;05:02:34.216945 IP (tos 0x0, ttl 128, id 37630, offset 0, flags [DF], proto TCP (6), length 40) 
192.168.13.113.4820 &gt; 67.15.80.69.80: ., cksum 0xbc35 (correct), 1:1(0) ack 1 win 65535&lt;br /&gt;      0x0000:  4500 0028 92fe 4000 8006 0664 c0a8 0d71  E..(..@....d...q&lt;br /&gt;      0x0010:  430f 5045 12d4 0050 4649 14f3 3a0f e9c1  C.PE...PFI..:...&lt;br /&gt;      0x0020:  5010 ffff bc35 0000 0000 0000 0000       P....5........&lt;br /&gt;&lt;br /&gt;(cleartext-password)&lt;br /&gt;05:02:34.218309 IP (tos 0x0, ttl 128, id 37631, offset 0, flags [DF], proto TCP (6), length 906) 192.168.13.113.4820 &gt; 67.15.80.69.80: P, cksum 0x8c8d (correct), 1:867(866) ack 1 win 65535&lt;br /&gt;      0x0000:  4500 038a 92ff 4000 8006 0301 c0a8 0d71  E.....@........q&lt;br /&gt;      0x0010:  430f 5045 12d4 0050 4649 14f3 3a0f e9c1  C.PE...PFI..:...&lt;br /&gt;      0x0020:  5018 ffff 8c8d 0000 504f 5354 202f 7072  P.......POST./pr&lt;br /&gt;      0x0030:  6f6a 6563 742f 2048 5454 502f 312e 310d  oject/.HTTP/1.1.&lt;br /&gt;      0x0040:  0a48 6f73 743a 206d 7933 2e73 7461 7463  .Host:.my3.statc&lt;br /&gt;      0x0050:  6f75 6e74 6572 2e63 6f6d 0d0a 5573 6572  ounter.com..User&lt;br /&gt;      0x0060:  2d41 6765 6e74 3a20 4d6f 7a69 6c6c 612f  -Agent:.Mozilla/&lt;br /&gt;...&lt;br /&gt;      0x02e0:  2530 305a 2539 3925 3043 2543 343b 2073  Z%99%0C%C4;.s&lt;br /&gt;      0x02f0:  6573 7369 6f6e 5f32 3034 3630 393d 3132  ession_204609=12&lt;br /&gt;      0x0300:  3039 3631 3531 3330 2532 3630 0d0a 436f  09615130%260..Co&lt;br /&gt;      0x0310:  6e74 656e 742d 5479 7065 3a20 6170 706c  ntent-Type:.appl&lt;br /&gt;      0x0320:  6963 6174 696f 6e2f 782d 7777 772d 666f  ication/x-www-fo&lt;br /&gt;      0x0330:  726d 2d75 726c 656e 636f 6465 640d 0a43  rm-urlencoded..C&lt;br /&gt;      0x0340:  6f6e 7465 6e74 2d4c 656e 6774 683a 2035  ontent-Length:.5&lt;br /&gt;      0x0350:  330d 0a0d 0a66 6f72 6d5f 7573 6572 3d72  3....form_user=r&lt;br /&gt;      0x0360:  776e 696e 2666 6f72 6d5f 7061 7373 3d**  wnin&amp;amp;form_pass=*&lt;br /&gt;      0x0370:  **** **** **** **26 
4c4f 4749 4e5f 4255  *******&amp;amp;LOGIN_BU&lt;br /&gt;      0x0380:  5454 4f4e 3d4c 4f47 494e                 TTON=LOGIN&lt;br /&gt;&lt;br /&gt;so, do you think ssl is available?  well i can telnet to 443 on my3.statcounter.com... let's see:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ai6JN2kiD6A/SBlO7UwUhlI/AAAAAAAAAEk/f2EAvOyKP4I/s1600-h/scarab.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_ai6JN2kiD6A/SBlO7UwUhlI/AAAAAAAAAEk/f2EAvOyKP4I/s320/scarab.jpg" alt="" id="BLOGGER_PHOTO_ID_5195270426239206994" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;and what do you know... it logs me in...  let's see what tcpdump says...  hrmm, lots of ssl foo w/ certs and such, and then lookit:&lt;br /&gt;&lt;br /&gt;(the last ssl push)&lt;br /&gt;05:06:01.601591 IP (tos 0x0, ttl 45, id 9839, offset 0, flags [DF], proto TCP (6), length 63) 67.15.80.69.443 &gt; 192.168.13.113.4834: P, cksum 0x4e45 (correct), 5419:5442(23) ack 1125 win 8420&lt;br /&gt;      0x0000:  4500 003f 266f 4000 2d06 c5dc 430f 5045  E..?&amp;amp;o@.-...C.PE&lt;br /&gt;      0x0010:  c0a8 0d71 01bb 12e2 466f 21b9 5f9f 5c66  ...q....Fo!._.\f&lt;br /&gt;      0x0020:  5018 20e4 4e45 0000 1503 0100 1243 c1f8  P...NE.......C..&lt;br /&gt;      0x0030:  cb60 a052 d4d3 28f3 b8fc 1452 214b 64    .`.R..(....R!Kd&lt;br /&gt;&lt;br /&gt;(ssl fin)&lt;br /&gt;05:06:01.601659 IP (tos 0x0, ttl 45, id 9841, offset 0, flags [DF], proto TCP (6), length 40) 67.15.80.69.443 &gt; 192.168.13.113.4834: F, cksum 0xf49f (correct), 5442:5442(0) ack 1125 win 8420&lt;br /&gt;      0x0000:  4500 0028 2671 4000 2d06 c5f1 430f 5045  E..(&amp;amp;q@.-...C.PE&lt;br /&gt;      0x0010:  c0a8 0d71 01bb 12e2 466f 21d0 5f9f 5c66  ...q....Fo!._.\f&lt;br /&gt;      0x0020:  5011 20e4 f49f 0000 0000 0000 0000       
P.............&lt;br /&gt;&lt;br /&gt;(ssl ack)&lt;br /&gt;05:06:01.601735 IP (tos 0x0, ttl 128, id 38227, offset 0, flags [DF], proto TCP (6), length 40) 192.168.13.113.4834 &gt; 67.15.80.69.443: ., cksum 0x18ad (correct), 1125:1125(0) ack 5442 win 64727&lt;br /&gt;      0x0000:  4500 0028 9553 4000 8006 040f c0a8 0d71  E..(.S@........q&lt;br /&gt;      0x0010:  430f 5045 12e2 01bb 5f9f 5c66 466f 21d0  C.PE...._.\fFo!.&lt;br /&gt;      0x0020:  5010 fcd7 18ad 0000 0000 0000 0000       P.............&lt;br /&gt;&lt;br /&gt;(ssl ack-ack)&lt;br /&gt;05:06:01.601803 IP (tos 0x0, ttl 128, id 38228, offset 0, flags [DF], proto TCP (6), length 40) 192.168.13.113.4834 &gt; 67.15.80.69.443: ., cksum 0x18ac (correct), 1125:1125(0) ack 5443 win 64727&lt;br /&gt;      0x0000:  4500 0028 9554 4000 8006 040e c0a8 0d71  E..(.T@........q&lt;br /&gt;      0x0010:  430f 5045 12e2 01bb 5f9f 5c66 466f 21d1  C.PE...._.\fFo!.&lt;br /&gt;      0x0020:  5010 fcd7 18ac 0000 0000 0000 0000       P.............&lt;br /&gt;&lt;br /&gt;(cleartext syn)&lt;br /&gt;05:06:01.763055 IP (tos 0x0, ttl 128, id 38257, offset 0, flags [DF], proto TCP (6), length 48) 192.168.13.113.4836 &gt; 70.85.96.58.80: S, cksum 0xdac5 (correct), 1060888897:1060888897(0) win 65535 &lt;mss 1460,sackOK&gt;&lt;br /&gt;      0x0000:  4500 0030 9571 4000 8006 f0ad c0a8 0d71  E..0.q@........q&lt;br /&gt;      0x0010:  4655 603a 12e4 0050 3f3b e141 0000 0000  FU`:...P?;.A....&lt;br /&gt;      0x0020:  7002 ffff dac5 0000 0204 05b4 0101 0402  p...............&lt;br /&gt;&lt;br /&gt;(cleartext syn-ack)&lt;br /&gt;05:06:01.805390 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 44) 70.85.96.58.80 &gt; 192.168.13.113.4836: S, cksum 0x8285 (correct), 1186140239:1186140239(0) ack 1060888898 win 5840 &lt;mss 1304&gt;&lt;br /&gt;      0x0000:  4500 002c 0000 4000 2e06 d823 4655 603a  E..,..@....#FU`:&lt;br /&gt;      0x0010:  c0a8 0d71 0050 12e4 46b3 104f 3f3b e142  ...q.P..F..O?;.B&lt;br /&gt;      0x0020:  
6012 16d0 8285 0000 0204 0518 0000       `.............&lt;br /&gt;&lt;br /&gt;(cleartext ack)&lt;br /&gt;05:06:01.805390 IP (tos 0x0, ttl 128, id 38258, offset 0, flags [DF], proto TCP (6), length 40) 192.168.13.113.4836 &gt; 70.85.96.58.80: ., cksum 0xb076 (correct), 1:1(0) ack 1 win 65535&lt;br /&gt;      0x0000:  4500 0028 9572 4000 8006 f0b4 c0a8 0d71  E..(.r@........q&lt;br /&gt;      0x0010:  4655 603a 12e4 0050 3f3b e142 46b3 1050  FU`:...P?;.BF..P&lt;br /&gt;      0x0020:  5010 ffff b076 0000 0000 0000 0000       P....v........&lt;br /&gt;&lt;br /&gt;(cleartext post-login page)&lt;br /&gt;05:06:01.815469 IP (tos 0x0, ttl 128, id 38259, offset 0, flags [DF], proto TCP (6), length 763) 192.168.13.113.4836 &gt; 70.85.96.58.80: P, cksum 0xa53a (correct), 1:724(723) ack 1 win 65535&lt;br /&gt;      0x0000:  4500 02fb 9573 4000 8006 ede0 c0a8 0d71  E....s@........q&lt;br /&gt;      0x0010:  4655 603a 12e4 0050 3f3b e142 46b3 1050  FU`:...P?;.BF..P&lt;br /&gt;      0x0020:  5018 ffff a53a 0000 4745 5420 2f70 726f  P....:..GET./pro&lt;br /&gt;      0x0030:  6a65 6374 2f3f 6163 636f 756e 745f 6964  ject/?account_id&lt;br /&gt;      0x0040:  3d32 3034 3238 3330 266c 6f67 696e 5f69  =2042830&amp;amp;login_i&lt;br /&gt;      0x0050:  643d 3226 636f 6465 3d38 3033 6333 3939  d=2&amp;amp;code=803c399&lt;br /&gt;      0x0060:  3430 3261 3633 6363 3833 3966 3238 6336  402a63cc839f28c6&lt;br /&gt;      0x0070:  3564 6162 6262 6432 3026 2048 5454 502f  5dabbbd20&amp;amp;.HTTP/&lt;br /&gt;&lt;br /&gt;so yea, statcounter is completely set up and ready to process your logins securely, they'd just rather save that one extra 's' they'd have to gen from their php source to crypt it...  so maybe their admins think they are wicked cool b/c they're still running leet apache 1.3.37, but they should remember they're also running mod_ssl 2.8.28... and use it... by default...&lt;br /&gt;&lt;br /&gt;scuse me, mr ranum sir...  
can not using crypto for passwords when you have crypto available be &lt;a href="http://www.ranum.com/security/computer_security/editorials/dumb/"&gt;the 7th dumbest thing&lt;/a&gt; in security? ;)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3736647529288252840?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3736647529288252840/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3736647529288252840' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3736647529288252840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3736647529288252840'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/05/dur-wtf-statcounter.html' title='dur, wtf statcounter?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ai6JN2kiD6A/SBlO7kwUhmI/AAAAAAAAAEs/ed_iLzZNJt4/s72-c/wtf.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1407848880317410975</id><published>2008-04-29T20:19:00.003+01:00</published><updated>2008-04-30T01:43:47.287+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category 
scheme='http://www.blogger.com/atom/ns#' term='race to zero'/><category scheme='http://www.blogger.com/atom/ns#' term='antivirus'/><category scheme='http://www.blogger.com/atom/ns#' term='defcon'/><category scheme='http://www.blogger.com/atom/ns#' term='storm'/><title type='text'>Race to STFU</title><content type='html'>If you're familiar w/ &lt;a href="http://www.defcon.org/"&gt;DefCon&lt;/a&gt;, then you know that there are always &lt;a href="https://forum.defcon.org/forumdisplay.php?f=350"&gt;nifty&lt;/a&gt; &lt;a href="https://forum.defcon.org/forumdisplay.php?f=388"&gt;contests&lt;/a&gt; and &lt;a href="https://forum.defcon.org/forumdisplay.php?f=368"&gt;activities&lt;/a&gt;.  A new one was announced on bugtraq a few days back, called &lt;a href="http://www.racetozero.net/"&gt;The Race to Zero&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;Short version is, contestants get malware samples which are detectable by AV products, and the first cat to get all the samples passed through w/ a zero detection rate wins...  So, unsurprisingly the AV vendors came out and were like "bad hackers!  bad defcon!!" and have been written up saying how this is adding to the state of insecurity, and encouraging the wrong behavior, blah blah blah.&lt;br /&gt;&lt;br /&gt;But are they really thinking this through, or is it just a knee-jerk reaction?  The AVG 'chief research officer' says it's hard to see the good in "encouraging people to write more viruses".  Maybe I'm splitting hairs, but I'm callin you out here because there is nothing in this contest about creating new viruses.  Hell, I'd challenge someone to debate whether or not the outcome of this contest will result in new virus variants.  
If I understand it correctly, the goal is to have a functionally intact sample obfuscated to escape detection.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sophos.com/security/blog/2008/04/1359.html"&gt;This blog from Sophos&lt;/a&gt; is where I first heard grumbling about this issue, and it really rubbed me the wrong way...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;It seems odd that the focus be on building awareness (that is already present) that signature-based detection is not enough by itself, it has been dead since the early 1990s when utilisation of polymorphic engines became widespread. &lt;/blockquote&gt;&lt;br /&gt;Really?!?  Wait, can you say that again for me???  Signature based detection has been dead since the 1990s?  Geeze, I wanna go to your reality, cause I bet you have flying cars and stuff too.  I'm pretty sure that signature detection is still a major component of AV, IDS, WAF, etc in this reality.  Yea, people have been talking about anomaly detection for years upon years, but commercial security products (including yours) still rely widely on signature detection.  Hell, one reason we ended up picking Sophos for a global rollout a few years back was because their lab seemed to consistently turn around really good sigs really quickly.  In fact, iirc, there wasn't any anomaly detection in Sophos until the latest release of their client software.  It's been a long time, but I think SAV4 was only sig based, SAV5 was vapor, SAV6 was a clusterf*ck from an enterprise deployment standpoint and was sig based.  I think it was either SAV7 or 8 where I first saw a blurb about watching for unusual behavior in software...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Essentially Defcon appears to be promoting the development of malicious software ... 
pseudo-benevolent coders are being challenged to add to the quagmire of nasties under the guise of promoting more widespread and generic detection&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;That's why you think they're doing this?  Have you ever organized a contest at a security con?  Do you personally know anyone who has?  Cause, you see, it's kinda a lot of work and planning and stress, because you want it to work out and you don't want people to be disappointed.  The people who do this stuff are generally inquisitive and intelligent people who have some deeper research interest in the subject at hand.  So where you assume there is some juvenile malicious intent which doesn't make much sense, I assume there may be legitimate research intent or commentary on the AV industry...&lt;br /&gt;&lt;br /&gt;See, if I was researching how people obfuscate malware to avoid detection, getting a bunch of smart hacker types together to produce examples of obfuscated malware might be a really good way to collect data.&lt;br /&gt;&lt;br /&gt;Similarly, if I wanted to raise attention in an area which has been a problem for far too long, maybe I'd organize a contest to raise awareness and shame the culprits into action.  You act as though a few hundred variants (at maximum) will be some paradigm shifting end of the world event, but to me it would seem to be at the very worst a drop in the bucket.  Researchers &lt;a href="http://www.usenix.org/event/leet08/tech/full_papers/holz/holz_html/"&gt;say that Storm code is being repacked *by the minute*&lt;/a&gt;.  Bad guys are using encryption and packing all over the place.  
And iirc, I remember &lt;a href="http://www.zdnet.com.au/news/security/soa/Eighty-percent-of-new-malware-defeats-antivirus/0,130061744,139263949,00.htm"&gt;reading some articles on studies&lt;/a&gt; where a significant percentage of malicious code was able to &lt;a href="http://www.google.com/search?q=antivirus+bypass"&gt;bypass AV detection&lt;/a&gt; and own the box some disconcerting percentage of the time.&lt;br /&gt;&lt;br /&gt;This is the industry which ignored emerging internet based malware until they eventually realized that they could sell us a new product and make more money.  Then they did the same thing with rootkits.  Sorry, can you please tell me the fundamental difference between a virus and some malware and a rootkit?  Because as far as I'm concerned, it's all malicious code running on a box, and I don't want it there.&lt;br /&gt;&lt;br /&gt;I'm sorry, but I give the AV industry a big "F" for "FAIL"...  The status quo isn't working.  So if some people start a contest to learn something to help them think up a better defense, then I think that's great.  And alternately, if they start a contest to draw attention to how much this industry is failing overall, I think the AV companies have certainly earned it.&lt;br /&gt;&lt;br /&gt;And I'm sorry to be so negative here, because I get that AV work involves some huge technical challenges, and often times you are trying to protect OS's with flawed security models, and on and on...  And I generally like Sophos too...  But don't do this self-serving bitch session against people who aren't causing any real problems for real users.  Organized criminals who are building botnets and paying coders tons of cash to come up with new attacks are the people you should be worried about...  
People who are trying to do research, lobby for change, and facilitate out of the box solutions are your friends...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1407848880317410975?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1407848880317410975/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1407848880317410975' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1407848880317410975'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1407848880317410975'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/04/race-to-stfu.html' title='Race to STFU'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7770728288549564134</id><published>2008-04-27T21:50:00.002+01:00</published><updated>2008-04-27T22:22:12.244+01:00</updated><title type='text'>inet doom n gloom</title><content type='html'>ok, i'm a little worried about where the future of inet is heading...&lt;br /&gt;&lt;br /&gt;basically, i completely support the &lt;a href="http://www.eff.org/"&gt;EFF folks&lt;/a&gt; and net neutrality, but i am worried that the genie has been out of the bottle on that stuff for a while now, and we're just not accepting the new paradigm.&lt;br /&gt;&lt;br /&gt;china has been &lt;a 
href="http://en.wikipedia.org/wiki/Golden_Shield_Project"&gt;sending resets and filtering content&lt;/a&gt; for a long time.  it isn't impossible to subvert.  now there's rumbling that &lt;a href="http://arstechnica.com/news.ars/post/20080424-new-iron-curtain-may-be-draped-over-russian-internet.html"&gt;russia may be doing something similar&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;similarly, the &lt;a href="http://www.eff.org/issues/nsa-spying"&gt;usa govt is all about sniffing around&lt;/a&gt; and is also looking to &lt;a href="http://www.news.com/8301-10784_3-9926899-7.html?part=rss&amp;amp;subj=news&amp;amp;tag=2547-1_3-0-20"&gt;expand and normalize&lt;/a&gt; such monitoring, which is surely a step towards active interference with activities deemed to be inappropriate. &lt;br /&gt;&lt;br /&gt;the number of attacks coming out of china just pushes the issue further.  we know they are monitoring things traversing their network perimeters, and researchers keep reporting wide-spread recon and attacks against a multitude of government and private networks which are traced back to some router in china.  i'd imagine that intel ppl and infosec policy makers in the usa are probably saying to themselves:  there's no way they don't at a minimum know when attacks occur and where they are coming from.  at worst, is it a stretch to assume that there might be official chinese government involvement in the attacks?  i can't dig up the link, but right before notacon there was a story running about a woman boarding a plane to china with trade secrets and 30k in cash in her bag.&lt;br /&gt;&lt;br /&gt;so anyway, take into account pressures from private companies as well.  after helping the us gov't break the law by spying on us citizens, perhaps comcast felt emboldened to start poking around.  now we have &lt;a href="http://torrentfreak.com/virgin-media-ceo-says-net-neutrality-is-a-load-of-bollocks-080413/"&gt;other companies talking about it &lt;/a&gt;too...  
&lt;br /&gt;&lt;br /&gt;we're really going to lose something important and special if we go the route we seem to be heading.  but with so much value on the internet, and so much that people and organizations and commerce and governments depend on being ingrained in the internet, can you imagine that there won't be further pushes to regulate and control the internet by the powers that be?&lt;br /&gt;&lt;br /&gt;i want to be hopeful about this, but people already suck on so many other levels, that i'm not bettin the farm that we'll get this one right...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-7770728288549564134?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7770728288549564134/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7770728288549564134' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7770728288549564134'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7770728288549564134'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/04/inet-doom-n-gloom.html' title='inet doom n gloom'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1040479392210047284</id><published>2008-04-24T19:38:00.003+01:00</published><updated>2008-04-24T20:12:22.150+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='litchfield'/><category scheme='http://www.blogger.com/atom/ns#' term='lateral sql injection'/><category scheme='http://www.blogger.com/atom/ns#' term='oracle'/><title type='text'>lateral sql injection</title><content type='html'>so litchfield just posted a &lt;a href="http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf"&gt;pdf&lt;/a&gt; on what he calls lateral sql injection...&lt;br /&gt;&lt;br /&gt;basically, the attack focuses on situations where you can affect a function which doesn't take any parameters.  normally you'd assume such functions were immune to attack.  but he takes a side-channel approach and alters the output of internal commands called by the function which are used in sql queries (in the paper, that means changing the session's NLS date or numeric format so that SYSDATE, once it is concatenated into a query string, turns into text of the attacker's choosing).  &lt;br /&gt;&lt;br /&gt;as he says at the end of the paper, the attack vector probably isn't going to be seen all that often.  i'm def not a sql/db expert, but it seems like you'd need a decent amount of knowledge about the underlying code being used in a system to attack it via lateral sql injection...  
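
as an added example (my own code, not from the post and not from litchfield's paper), here is a small python model of the mechanism: the session's NLS_DATE_FORMAT decides what SYSDATE turns into when a parameterless procedure glues it into dynamic SQL, so a user who can do nothing but ALTER SESSION still ends up writing the query text.  oracle is stood in for by a tiny format-model renderer plus an in-memory sqlite table; the orders table, the procedure, the pinned date and the DD-MON-RR default are all constructed for the demo.

```python
import datetime
import re
import sqlite3

# Everything below is a constructed model of the Oracle behaviour the paper
# describes, not Oracle itself: a session dict stands in for NLS settings,
# SQLite stands in for the database, and SYSDATE is pinned to one day.
DEFAULT_SESSION = {"NLS_DATE_FORMAT": "DD-MON-RR"}   # a common Oracle default
TODAY = datetime.date(2008, 4, 24)                    # our "SYSDATE"
MONTHS = ("JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC")

# Subset of Oracle's date format model: a double-quoted run is copied out
# verbatim, a few elements are expanded, any other character passes through.
_TOKEN = re.compile(r'"[^"]*"|YYYY|RR|MON|MM|DD|.', re.DOTALL)


def oracle_to_char(d: datetime.date, fmt: str) -> str:
    """Model of TO_CHAR(d, fmt), which Oracle applies implicitly whenever a
    DATE is glued into a VARCHAR2 with ||."""
    out = []
    for tok in _TOKEN.findall(fmt):
        if tok.startswith('"'):
            out.append(tok[1:-1])        # quoted literal: no escaping of any kind
        elif tok == "YYYY":
            out.append(f"{d.year:04d}")
        elif tok == "RR":
            out.append(f"{d.year % 100:02d}")
        elif tok == "MON":
            out.append(MONTHS[d.month - 1])
        elif tok == "MM":
            out.append(f"{d.month:02d}")
        elif tok == "DD":
            out.append(f"{d.day:02d}")
        else:
            out.append(tok)
    return "".join(out)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two orders today, one yesterday."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, order_day TEXT)")
    conn.executemany("INSERT INTO orders (order_day) VALUES (?)",
                     [("24-APR-08",), ("24-APR-08",), ("23-APR-08",)])
    return conn


def build_vulnerable_stmt(session: dict, today: datetime.date = TODAY) -> str:
    """The statement a hypothetical parameterless procedure builds with
         stmt := 'SELECT COUNT(*) FROM orders WHERE order_day = ''' || SYSDATE || '''';
    Nothing is passed in, yet SYSDATE's text form is whatever the caller's
    session says it is."""
    day_text = oracle_to_char(today, session["NLS_DATE_FORMAT"])
    return "SELECT COUNT(*) FROM orders WHERE order_day = '" + day_text + "'"


def count_today_vulnerable(conn: sqlite3.Connection, session: dict,
                           today: datetime.date = TODAY) -> int:
    return conn.execute(build_vulnerable_stmt(session, today)).fetchone()[0]


def count_today_fixed(conn: sqlite3.Connection, session: dict,
                      today: datetime.date = TODAY) -> int:
    """Hardened version: render the date with an explicit format and pass it as
    a bind variable, so the session setting never reaches the SQL text
    (session is accepted only to keep the signature identical)."""
    day_text = oracle_to_char(today, "DD-MON-RR")
    return conn.execute("SELECT COUNT(*) FROM orders WHERE order_day = ?",
                        (day_text,)).fetchone()[0]


# All the attacker needs is the ALTER SESSION privilege:
#   ALTER SESSION SET NLS_DATE_FORMAT = '"'' OR 1=1--"';
# i.e. a format model whose quoted literal is SQL.
ATTACKER_FORMAT = '"\' OR 1=1--"'

if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_stmt(DEFAULT_SESSION))         # ... order_day = '24-APR-08'
    print(count_today_vulnerable(conn, DEFAULT_SESSION))  # 2
    hijacked = {"NLS_DATE_FORMAT": ATTACKER_FORMAT}
    print(build_vulnerable_stmt(hijacked))                # ... order_day = '' OR 1=1--'
    print(count_today_vulnerable(conn, hijacked))         # 3: every row
    print(count_today_fixed(conn, hijacked))              # 2: unaffected
```

the fix is the same as for ordinary injection: never let a value reach the sql text, whether it arrived as a parameter or as SYSDATE.  TO_CHAR with an explicit format, or a bind variable, both do that.  the model also makes the post's point about required knowledge concrete: the attacker has to know, or guess, that the procedure concatenates SYSDATE (or a NUMBER, via NLS_NUMERIC_CHARACTERS) into dynamic sql, and needs ALTER SESSION to change the format.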
of course, there are probably some really common stored procedures, and perhaps an attacker could make reasonable guesses as to what a developer called in his or her code...&lt;br /&gt;&lt;br /&gt;anywho, it's always fun to see people looking at things in new ways...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1040479392210047284?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1040479392210047284/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1040479392210047284' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1040479392210047284'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1040479392210047284'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/04/lateral-sql-injection.html' title='lateral sql injection'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3051679845648010437</id><published>2008-04-22T22:02:00.004+01:00</published><updated>2008-12-10T04:26:13.273Z</updated><title type='text'>&lt;3</title><content type='html'>totally ripping off the &lt;a href="http://xkcd.com/"&gt;xkcd&lt;/a&gt; style here, but i have no art skills...  
true story tho...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ai6JN2kiD6A/SA5S8kwUhjI/AAAAAAAAAEU/5XUEmSDAapE/s1600-h/heart.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_ai6JN2kiD6A/SA5S8kwUhjI/AAAAAAAAAEU/5XUEmSDAapE/s400/heart.jpg" alt="" id="BLOGGER_PHOTO_ID_5192178621016737330" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3051679845648010437?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3051679845648010437/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3051679845648010437' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3051679845648010437'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3051679845648010437'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/04/3.html' title='&lt;3'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_ai6JN2kiD6A/SA5S8kwUhjI/AAAAAAAAAEU/5XUEmSDAapE/s72-c/heart.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-572152151927404153</id><published>2008-04-21T21:56:00.003+01:00</published><updated>2008-04-21T22:23:18.593+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='storm worm'/><category scheme='http://www.blogger.com/atom/ns#' term='p2p'/><category scheme='http://www.blogger.com/atom/ns#' term='leet08'/><category scheme='http://www.blogger.com/atom/ns#' term='botnet'/><category scheme='http://www.blogger.com/atom/ns#' term='useniix'/><category scheme='http://www.blogger.com/atom/ns#' term='storm'/><title type='text'>storm info</title><content type='html'>been doing some reading on a &lt;a href="http://www.usenix.org/event/leet08/tech/full_papers/holz/holz_html/"&gt;fascinating investigation&lt;/a&gt; into the storm worm which came out of the usenix leet08 con... &lt;br /&gt;&lt;br /&gt;the authors start out explaining traditional botnets, and then differentiate the new p2p botnet anatomy.  they do analysis on how information is routed and propagated, and then look into how they can participate within the network to gauge its size and more...&lt;br /&gt;&lt;br /&gt;the &lt;a href="http://en.wikipedia.org/wiki/Sybil_attack"&gt;sybil attack&lt;/a&gt; (and eclipse attack) are new to me, and pretty nifty...&lt;br /&gt;&lt;br /&gt;overall, i think it is interesting how we're seeing p2p evolve to fill a new space.  coming out of the high ideals of freenet, p2p moves over to a lot of legit and illegit filesharing, and now we're seeing it used to protect the C&amp;amp;C capabilities of modern organized crime networks.&lt;br /&gt;&lt;br /&gt;the sophistication of some aspects of storm is quite impressive.  the authors describe adaptive attacks on browsers, where non-vulnerable browsers are ignored and vulnerable ones are sent a variety of payloads.  
also, the exe files used to infect hosts are repacked by the minute (which seems like a cpu-expensive operation) on certain web servers serving them...  the payload includes a rootkit to hide itself.  there are other things which point to ongoing and active development of the network.  they say they are going to try to identify the ppl behind the curtain as their next effort, and i wish them luck.  i am quite curious to know more about the inner workings and motivations of the people who are coding this up.&lt;br /&gt;&lt;br /&gt;another interesting note is that almost all of the social engineering attacks from storm were done in english.  given the level of sophistication we're seeing in being adaptive and polymorphic in some areas, i wonder how long it will be until we see adaptive language (maybe based on destination ip of the domain for the spam?) as a component in these networks.&lt;br /&gt;&lt;br /&gt;finally, the authors say they were able to successfully attack the network from the inside, by seeding benign files and then routing requests for malicious files to their sybils (the polluting attack).  this is very nifty, because it allows for disruption to the network overall, and might (?) allow for the possibility to write a type of &lt;a href="http://www.geek.com/code-green-kills-code-red/"&gt;code-green&lt;/a&gt; countermeasure if you could somehow get infected hosts to execute a file which would turn them into sybils or clean themselves somehow. &lt;br /&gt;&lt;br /&gt;unfortunately, given how sophisticated the bad guys seem to be, i can only imagine that this possibility will be closed in the future.  i may not have thought this all the way through, but it seems that the clients could be coded to check for a digital signature on any file which is being published, and to ignore any published files which are incorrect or missing a signature.  
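
the polluting attack described above, as an added example (my own code, not from the post and not from the leet08 paper): a toy kademlia/overnet-style overlay in which a researcher mints sybil ids adjacent to the rendezvous key, so bots asking for that key get the researcher's benign record instead of the botmaster's.  the node count, labels, file names and the 32-bit id space are all constructed for the demo.

```python
import hashlib

# Constructed toy model of a Kademlia/Overnet-style overlay: 32-bit IDs (the real
# network uses 128-bit ones), XOR distance, and the k closest nodes to a key
# hold and answer for it.
K = 4


def node_id(label: str) -> int:
    """Deterministic pseudo-random 32-bit ID for a labelled node (demo helper)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest()[:4], "big")


class Overlay:
    def __init__(self, k: int = K):
        self.k = k
        self.stores = {}      # node id -> {key: value} that node will answer with
        self.sybils = set()   # IDs the researcher controls (bookkeeping for the demo)

    def join(self, nid: int, store=None, sybil: bool = False) -> None:
        self.stores[nid] = dict(store or {})
        if sybil:
            self.sybils.add(nid)

    def closest(self, target: int):
        """The k nodes whose IDs are XOR-closest to target: where a publish is
        stored and where a lookup asks. Closeness is the only criterion."""
        return sorted(self.stores, key=lambda nid: nid ^ target)[:self.k]

    def publish(self, target: int, value: str) -> None:
        for nid in self.closest(target):
            self.stores[nid][target] = value

    def lookup(self, target: int):
        """A bot asks the closest nodes in order and trusts the first answer;
        nothing in the record ties it to whoever published it."""
        for nid in self.closest(target):
            if target in self.stores[nid]:
                return self.stores[nid][target]
        return None

    def eclipsed(self, target: int) -> bool:
        """True when every node a lookup for target would consult is a sybil."""
        return all(nid in self.sybils for nid in self.closest(target))


def sybil_ids(target: int, count: int):
    """Mint IDs at XOR distance 1..count from the target key. The protocol lets
    one host claim as many IDs as it likes, so these crowd out every honest
    node for that key."""
    return [target ^ i for i in range(1, count + 1)]


def run_pollution_attack(n_honest: int = 200, n_sybil: int = 8) -> dict:
    overlay = Overlay()
    for i in range(n_honest):                          # constructed honest bots
        overlay.join(node_id(f"bot-{i}"))
    key = node_id("rendezvous-2008-04-21")             # key bots derive for today's update
    overlay.publish(key, "update.exe")                 # botmaster's record
    before = overlay.lookup(key)
    for nid in sybil_ids(key, n_sybil):                # researcher seeds a benign file under the same key
        overlay.join(nid, {key: "benign.bin"}, sybil=True)
    return {"before": before,
            "after": overlay.lookup(key),
            "eclipsed": overlay.eclipsed(key)}


if __name__ == "__main__":
    print(run_pollution_attack())
    # {'before': 'update.exe', 'after': 'benign.bin', 'eclipsed': True}
```

what makes this work is that lookup trusts whichever node is closest.  the signature check the post proposes would sit in lookup: discard any record that does not verify under the botmaster's public key.  that kills pollution, but the sybils still sit at the key and still see (and can drop) every request, which is exactly the "wouldn't prevent infiltration" caveat.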
this wouldn't prevent infiltration into the network, but i think it would severely hamper any ability to hijack or suppress it.  on the flip side, however, i believe the botnet's authors would then subject themselves to non-repudiation if law enforcement found a copy of the private key on their box ;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-572152151927404153?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/572152151927404153/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=572152151927404153' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/572152151927404153'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/572152151927404153'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/04/storm-info.html' title='storm info'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-1725315363977824740</id><published>2008-04-09T04:44:00.006+01:00</published><updated>2008-12-10T04:26:14.101Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='notacon'/><title type='text'>notacon</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ai6JN2kiD6A/R_w98J7rNzI/AAAAAAAAAD0/uAcHT68s2rY/s1600-h/notacon00.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_ai6JN2kiD6A/R_w98J7rNzI/AAAAAAAAAD0/uAcHT68s2rY/s320/notacon00.jpg" alt="" id="BLOGGER_PHOTO_ID_5187088974491629362" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;notacon!  just got back... been forever since i posted...  anywho, just a few pics...&lt;br /&gt;&lt;br /&gt;the con was a bunch of fun...  very chilled environment.  i've only been doing the bh/dc stuff before now, so this was quite a change...  got to hang out w/ some friends who i don't often enough get to drink beers w/... &lt;br /&gt;&lt;br /&gt;some interesting talks, and talked to some cool ass ppl, hung out at the lp pagoda....  oh yea, and there was a party which whupped my arse the next day...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ai6JN2kiD6A/R_w98J7rN0I/AAAAAAAAAD8/N05a_7KOtOc/s1600-h/notacon01.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_ai6JN2kiD6A/R_w98J7rN0I/AAAAAAAAAD8/N05a_7KOtOc/s320/notacon01.jpg" alt="" id="BLOGGER_PHOTO_ID_5187088974491629378" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;go figure, DoD sent their best and brightest ;)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ai6JN2kiD6A/R_w98Z7rN1I/AAAAAAAAAEE/Lgs2m2ekZas/s1600-h/notacon02.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_ai6JN2kiD6A/R_w98Z7rN1I/AAAAAAAAAEE/Lgs2m2ekZas/s320/notacon02.jpg" alt="" id="BLOGGER_PHOTO_ID_5187088978786596690" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;anywho i loved it...  
super happy i went and hope to go again next year...&lt;br /&gt;&lt;br /&gt;oh yea, and one itty bitty security tidbit...  so i left my lp stuff at home, so i bought a new set of picks at the con (which was pointless, b/c my club-like hands were seemingly cursed and useless over the weekend... sigh...).  well, you know, i coulda dropped em in the thing to send em home in the mail.  they say no tools over 8 inches, but i figure mb they wouldn't like lockpicks on the plane given all of the stuff they've taken from ppl in the past...&lt;br /&gt;&lt;br /&gt;speaking of that:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_ai6JN2kiD6A/R_w98Z7rN2I/AAAAAAAAAEM/Sa9jZLGDKss/s1600-h/notacon03.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_ai6JN2kiD6A/R_w98Z7rN2I/AAAAAAAAAEM/Sa9jZLGDKss/s320/notacon03.jpg" alt="" id="BLOGGER_PHOTO_ID_5187088978786596706" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;so anyway, we ask the TSA lady if that's stuff they pulled out of luggage and off of people, and she's like "yep, isn't it scary what people try to get on planes?  that's all stuff we got in the first year since we've been doing this" (mb she meant post 9/11 sec measures?)...  so i say back, "well, i guess people were probably carrying that stuff all along, and we just didn't know"...  she gives me a weird look at that point...&lt;br /&gt;&lt;br /&gt;so i'm wondering if they're going to spot my picks as my bag goes through the xray...  and i hear "bag check!"...  crap...  the lady pulls it out, and opens it up, and pulls out a little bottle of hot sauce my friend gave me...  "it's just two ounces" she says, and gives me the bag...&lt;br /&gt;&lt;br /&gt;sigh... 
i am kinda disappointed...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-1725315363977824740?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/1725315363977824740/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=1725315363977824740' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1725315363977824740'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/1725315363977824740'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/04/notacon.html' title='notacon'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ai6JN2kiD6A/R_w98J7rNzI/AAAAAAAAAD0/uAcHT68s2rY/s72-c/notacon00.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-5734821520360502458</id><published>2008-03-12T03:29:00.006Z</published><updated>2008-12-10T04:26:14.590Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='linux'/><category scheme='http://www.blogger.com/atom/ns#' term='livecd'/><category scheme='http://www.blogger.com/atom/ns#' term='simple'/><title type='text'>homebrew forensics</title><content type='html'>came across &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62038612,00.htm"&gt;an interesting article&lt;/a&gt; about a university in australia where students (staff?) developed a linux-based livecd tool called SImPLE to assist police in forensics investigations...&lt;br /&gt;&lt;br /&gt;at first i was like, "erm, helix" but after i RTFA i realized that this is a different class of product.&lt;br /&gt;&lt;br /&gt;they reportedly have removed hdd write capability from the kernel, and come up with some scripts which dig through the file-system looking for image and movie files.  it mentions that there are skin tone algorithms as well, which sounds kinda nifty (speaking as one who hasn't done any img analysis programming)...&lt;br /&gt;&lt;br /&gt;so anyway, you can prolly see where this is going:  helping cops find child pr0n...&lt;br /&gt;&lt;br /&gt;the gist of it is that police forensics units were overwhelmed, and many cases involved cp.  i know from talking to people who used to be that type of LEO that there are definitely staffing and workload constraints.&lt;br /&gt;&lt;br /&gt;so on the surface this seems like a cool tool.  basically the beat cops get a cd and drop it on the suspect's laptop and take a gander at the imgs and vids the tool produces.&lt;br /&gt;&lt;br /&gt;i guess it is double-edged because if you aren't doing a drive image and then doing helix/ftk/encase analysis, you're prolly gonna miss a lot of stuff.  are there crypted containers?  are there deleted files?  slack space files?  is there other evidence in the file-system which might lead you to find evidence elsewhere?&lt;br /&gt;&lt;br /&gt;i dug around a bit for the tool, but couldn't find it, so mb it isn't open.  
i &lt;a href="http://scissec.scis.ecu.edu.au/conference_proceedings/2007/forensics/18_Hannay%20et.al%20-%20A%20forensically%20tested%20tool%20for%20identification%20of%20notebook%20computers%20to%20aid%20recovery%20LIARS%20phase%20I%20proof%20of%20concept.pdf"&gt;found another project&lt;/a&gt; the uni is doin called LIARS (Laptop Inspector and Recovery System), where it digs through registry keys to help determine information about the original owner of a lost/stolen laptop...  w00t @ that!&lt;br /&gt;&lt;br /&gt;so i guess overall it is a win, and we just get back to the old equation of balancing cost versus value.  use the tool to reduce the load, but if you feel strongly that the person is a sophisticated predatory type, hire a real forensics investigator to do the job right.&lt;br /&gt;&lt;br /&gt;we actually do a similar thing at work.  we can do general investigations to help you figure out what happened, and we can also do very detailed analysis which can be used in legal proceedings and the like.  we just leave it up to the client to tell us which level of detail they want....&lt;br /&gt;&lt;br /&gt;we also use a linux derived tool (amongst others) for part of our analysis, but it's just to grab the image.  this box has a ton of different ports, and is a write-blocker.  you hook up the two drives and hit go, and it rips off a bit for bit image.  then it is ready for loading into your fav tool...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ai6JN2kiD6A/R9dW-K5fmJI/AAAAAAAAADs/JLPaos18JGs/s1600-h/imager.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_ai6JN2kiD6A/R9dW-K5fmJI/AAAAAAAAADs/JLPaos18JGs/s320/imager.jpg" alt="" id="BLOGGER_PHOTO_ID_5176701922763053202" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;and on a completely unrelated kick...  i saw this at a client site the other day.  
it was just sitting in a hallway area...  i couldn't help but laugh...  i didn't want to know what was in the container... ;)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_ai6JN2kiD6A/R9dW9a5fmII/AAAAAAAAADk/i7ef_dgkXg8/s1600-h/donot.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_ai6JN2kiD6A/R9dW9a5fmII/AAAAAAAAADk/i7ef_dgkXg8/s320/donot.jpg" alt="" id="BLOGGER_PHOTO_ID_5176701909878151298" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;if you can't read it, it says "DO NOT TURN THIS VALVE"...  lol...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-5734821520360502458?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/5734821520360502458/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=5734821520360502458' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5734821520360502458'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5734821520360502458'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/03/homebrew-forensics.html' title='homebrew forensics'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://1.bp.blogspot.com/_ai6JN2kiD6A/R9dW-K5fmJI/AAAAAAAAADs/JLPaos18JGs/s72-c/imager.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-3043853737275555943</id><published>2008-02-29T14:53:00.003Z</published><updated>2008-02-29T14:58:37.705Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='kludge'/><category scheme='http://www.blogger.com/atom/ns#' term='leap year'/><category scheme='http://www.blogger.com/atom/ns#' term='leap day'/><title type='text'>happy über-kludge day!!!</title><content type='html'>Feb 29th is possibly the longest-lasting kludge in human history....   if you've got a better one, i'd love to know about it ;)&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Adding an extra day to the calendar every four years compensates for the fact that a solar year is almost 6 hours longer than 365 days ... However, some exceptions to this rule are required since the duration of a solar year is slightly &lt;i&gt;less&lt;/i&gt; than 365.25 days. Years which are evenly divisible by 100 are &lt;i&gt;not&lt;/i&gt; leap years, unless they are also evenly divisible by 400, in which case they &lt;i&gt;are&lt;/i&gt; leap years. For example, 1600 and 2000 were leap years, but 1700, 1800 and 1900 were not. Going forward, 2100, 2200, 2300, 2500, 2600, 2700, 2900, and 3000 will not be leap years, but 2400 and 2800 will be. By this rule, the average number of days per year will be 365 + 1/4 − 1/100 + 1/400 = 365.2425, which is 365 days, 5 hours, 49 minutes, and 12 seconds ... The marginal difference of 0.000125 days means that in around 8,000 years, the calendar will be about one day behind where it is now. 
But in 8,000 years, the length of the vernal equinox year will have changed by an amount which cannot be accurately predicted&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;info ganked from &lt;a href="http://wikipedia.org/"&gt;wikipedia&lt;/a&gt; :D&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-3043853737275555943?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/3043853737275555943/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=3043853737275555943' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3043853737275555943'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/3043853737275555943'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/02/happy-ber-kludge-day.html' title='happy über-kludge day!!!'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6943789933581978439</id><published>2008-02-29T02:49:00.003Z</published><updated>2008-12-10T04:26:14.768Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='noscript'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='google'/><category scheme='http://www.blogger.com/atom/ns#' term='search results'/><title type='text'>all your search 
results are belong to who?</title><content type='html'>ok...  i think &lt;a href="http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html"&gt;this is really important.&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;the ninjas over at google have been monitoring drive-by malware in their search results, and they've come to find that more than 1% of their search results last month contained suspected malware...  and they point out that the trend is increasing:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_LMSk7hTEaIE/R7DFFTZgEGI/AAAAAAAAGk0/eNxgOyjY3x4/s400/harmful_search_result_pages.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://4.bp.blogspot.com/_LMSk7hTEaIE/R7DFFTZgEGI/AAAAAAAAGk0/eNxgOyjY3x4/s400/harmful_search_result_pages.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;as expected, pr0n sites are more likely than other pages to contain malware.  i obviously haven't read enough, but i wonder if google is delivering these pages or blocking them.  even if they aren't delivering them, what about yahoo and others?  i'd really like to know the percentage of malware sites which (would) appear on the first page...&lt;br /&gt;&lt;br /&gt;one of the most important aspects of this shouldn't be overlooked.  in many cases here we're talking about &lt;a href="http://www.theregister.co.uk/2008/01/23/embassy_sites_serve_malware/"&gt;legitimate sites serving malware&lt;/a&gt;...  we're talking about malicious ads being served, and other general badness. &lt;br /&gt;&lt;br /&gt;this is why i run &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/722"&gt;noscript&lt;/a&gt; and &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/433"&gt;flashblock&lt;/a&gt; all the time.  there are only a couple of domains i permanently allow.  
i don't allow youtube (or the new ytimg.com bs) by default, just as an example.  sometimes it is a PITA, but this type of info reminds me that it is the smart thing to do.  anyway, i'm getting ready to install &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/1474"&gt;safecache &lt;/a&gt;and &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/1502"&gt;safehistory&lt;/a&gt; too...&lt;br /&gt;&lt;br /&gt;bleh...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6943789933581978439?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6943789933581978439/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6943789933581978439' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6943789933581978439'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6943789933581978439'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/02/all-your-search-results-are-belong-to.html' title='all your search results are belong to who?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_LMSk7hTEaIE/R7DFFTZgEGI/AAAAAAAAGk0/eNxgOyjY3x4/s72-c/harmful_search_result_pages.png' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-5519623257541711203</id><published>2008-02-29T02:39:00.005Z</published><updated>2008-02-29T02:49:42.300Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='value'/><category scheme='http://www.blogger.com/atom/ns#' term='theft'/><category scheme='http://www.blogger.com/atom/ns#' term='stocks'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>define value...?</title><content type='html'>a couple of different sites picked this up...  &lt;a href="http://jeremiahgrossman.blogspot.com/2008/02/it-pays-to-be-hacker.html"&gt;grossman has a blurb&lt;/a&gt;, but i think &lt;a href="http://taosecurity.blogspot.com/2008/02/first-they-came-for-bandwidth.html"&gt;tao really hits it on the head&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;i kinda want to share this w/ a previous employer, b/c it is what they need to hear.  they'd always say "we don't have cash, so there isn't a security risk"...  i tried to tell them, "you have over 1000 hosts w/ nearly 100 megs of bandwidth...  that is valuable to some people even if it isn't valuable to you."  there are a lot of other things they have which could be valuable.  as the saying goes, one man's trash is another man's treasure.&lt;br /&gt;&lt;br /&gt;so basically, this guy does some hacking, and finds out some private negative financial news about a corp.  i kinda assume he wasn't searching for info like that, but who knows.  he then goes out and sells the stock short, and picks up 250 grand after the company makes the info public and the stocks tank.  they've identified the hacker, who makes approx 40k per year.  not a bad haul.&lt;br /&gt;&lt;br /&gt;the funniest part is that apparently due to securities law retardedness, insider trading is only when you legally know things and use them to trade.  if you steal secrets and trade on them, insider trading doesn't apply.  
i wonder if they'll get the guy on hacking charges or not...&lt;br /&gt;&lt;br /&gt;an ironic hack...</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/5519623257541711203/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=5519623257541711203' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5519623257541711203'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5519623257541711203'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/02/define-value.html' title='define value...?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7426590369876947525</id><published>2008-02-24T18:42:00.003Z</published><updated>2008-12-10T04:26:15.248Z</updated><title type='text'>infosec dogma</title><content type='html'>so i was gonna just post some pictures and do a little ranting, but &lt;a href="http://jdm-tech.blogspot.com/"&gt;my good buddy&lt;/a&gt; is on the same page as me w/o either of us knowing it.  
he wrote up &lt;a href="http://jdm-tech.blogspot.com/2008/02/evolving-security-process.html"&gt;this blurb here&lt;/a&gt;, and i think it fits where my head is at right now...&lt;br /&gt;&lt;br /&gt;so first the pics and rants, and then i'll see if i can thread this into a cohesive post... ;)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_ai6JN2kiD6A/R8G7m8VCfYI/AAAAAAAAADc/lLQN2-va39g/s1600-h/vending_sec.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_ai6JN2kiD6A/R8G7m8VCfYI/AAAAAAAAADc/lLQN2-va39g/s320/vending_sec.jpg" alt="" id="BLOGGER_PHOTO_ID_5170620124901834114" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;alright, so i found this sticker in a hotel in FL.  i might be missing something here, but if i understand correctly, this is some type of "security control".  it says, "this sticker must be on all vending machines, and if it isn't then call this number to get a reward!"...  ok, so run that past me again.  the florida legislature expects consumers to be vigilant enough to notice the absence of a sticker, and then also expects that the consumer has pre-recorded a hotline number so they can call when they see that the sticker isn't there?  seems like it puts a large burden on a "user" to enforce compliance...  i'm really not sure what this is supposed to solve anyway.  perhaps these machines have a tax levied against them or something?  
i dunno, if i was a crook, i think i'd just make a fake sticker, since there are no anti-counterfeiting devices to make it tough to duplicate...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_ai6JN2kiD6A/R8G7msVCfXI/AAAAAAAAADU/FBKkAfk5TKg/s1600-h/bugs.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_ai6JN2kiD6A/R8G7msVCfXI/AAAAAAAAADU/FBKkAfk5TKg/s320/bugs.jpg" alt="" id="BLOGGER_PHOTO_ID_5170620120606866802" border="0" /&gt;&lt;/a&gt;i found this one out at a client site...  i guess this is some type of passive-aggressive outreach program?  i can't think of a better way to entice a potentially reluctant user to come forward with information than to imply that he/she is a pest, and that _really_ they shouldn't think they might be wasting your time or anything.&lt;br /&gt;&lt;br /&gt;anyway, those both cracked me up... &lt;br /&gt;&lt;br /&gt;so here's how i see this tying in w/ the jdm rant.  in the oft-repeated words of my mentor, "security is a process, not a product."  this means that we have to look at things (someone smack me for using this word) holistically.  yeah, it's great that you have a strong password policy and that you update your machines on patch tuesday, but you're shooting yourself in the foot by having all of your shares running everyone/full-control and leaving that script you used to set your new local admin passwords out where anyone can stumble over it.&lt;br /&gt;&lt;br /&gt;i don't really agree that user education is the first place we should look to make things better.  security is a frame of mind, and some people just don't think that way.  kinda like how some people are great at algebra but suck at geometry and trig, or vice versa.  it is a monumental task to try to get tens or hundreds of people to change their innate way of thinking.  
again, to paraphrase my mentor, why should i give them the choice to do the right or wrong thing?  i'd much rather take away their ability to make mistakes.  if, for technical or political reasons, you can't stop them from making mistakes, then try to make the mistakes as hard and/or painful to make as possible. &lt;br /&gt;&lt;br /&gt;it isn't our job to bring people around to our way of thinking, so they can navigate treacherous waters safely without us.  our job is to create systems and processes that keep our users from knowing that they are in danger.  our job is to teach them not to put their hand on the red-hot burner on the stove, but we can't expect them to have full comprehension of a subject matter which we devote our careers to. &lt;br /&gt;&lt;br /&gt;every day when you drive your car you engage in one of the most potentially lethal activities you'll ever undertake (unless you're a cop or a soldier, etc).  and yet millions of people do it w/ complete ease every day.  they do it without a care in the world.  they do it while talking to friends and loved ones.  they do it while putting on make-up, and eating, and sometimes reading a book.  (note that these people help make it more dangerous for the rest of us ;)  they engage in this activity because we have a series of processes that give them comfort.  they have a seatbelt snugly around their bodies.  they believe that if there were a crash, airbags will deploy and keep them from harm.  there are general rules for use of the road, and these rules are loosely enforced by trustworthy individuals who keep the most dangerous among us from causing too much damage. &lt;br /&gt;&lt;br /&gt;here we have an extremely high-risk activity which is well managed.  we have a general barrier for entry (age, license testing, and insurance requirements), and we have pain for non-compliance (tickets, revocation of privileges, raising insurance rates, and jail time).  there will be crashes, and there will be fatalities.  
but for the most part, these loose controls keep the herd in line, and manage the risk well enough that business can continue.&lt;br /&gt;&lt;br /&gt;a 2U box in a rack can't devise a system like that for your org.  instead of dropping thousands or hundreds of thousands on security hardware, hire someone who knows what they're doing and what to look for to come in and look over your environment, and then _implement their findings_.  if you can swing it, hire them on full time.  a real infosec ninja can be of more benefit to your org w/o spending a dime than any appliance will ever be able to provide.  that's the good news. &lt;br /&gt;&lt;br /&gt;the bad news is that it isn't nifty hollywood hacker shit.  there are no uber-replicating bunny viruses we can fight on the monitor in real time, and unfortunately we never get to see angelina jolie removing hawt leather clothing in the course of doing our jobs.  no, when it gets right down to it, and when you cut out the mystique, our jobs as infosec professionals can be kinda tedious.  we're managing risk.  we're weighing possibilities and guessing at attack vectors.  what is the biggest bang for the buck i can get improving your security?  what is the most likely compromise?  how much will it hurt you if incident X occurs, and how can i reduce the likelihood that it happens?&lt;br /&gt;&lt;br /&gt;in this business, we can only make you as strong as your weakest link.  
if you're only going through the motions w/ infosec, if you're just looking to check that checkbox and get back to "real" work, then we can't help you.</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7426590369876947525/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7426590369876947525' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7426590369876947525'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7426590369876947525'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/02/infosec-dogma.html' title='infosec dogma'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_ai6JN2kiD6A/R8G7m8VCfYI/AAAAAAAAADc/lLQN2-va39g/s72-c/vending_sec.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-2515064764860234405</id><published>2008-02-23T00:12:00.003Z</published><updated>2008-02-23T00:18:12.378Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='full disk encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='vista'/><category scheme='http://www.blogger.com/atom/ns#' term='decrypt'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>full disk decryption hack</title><content type='html'>i think this is a super-cool (haha) hack....  i hope these ppl are gonna present this at bh/dc or notacon... &lt;br /&gt;&lt;br /&gt;&lt;object height="355" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/JDaicPIgn9U&amp;amp;rel=1"&gt;&lt;param name="wmode" value="transparent"&gt;&lt;embed src="http://www.youtube.com/v/JDaicPIgn9U&amp;amp;rel=1" type="application/x-shockwave-flash" wmode="transparent" height="355" width="425"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;a very impressive way to get around something that i think most people took for granted as highly secure...</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/2515064764860234405/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=2515064764860234405' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2515064764860234405'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/2515064764860234405'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/02/full-disk-decryption-hack.html' title='full disk decryption hack'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-7792823831410744362</id><published>2008-02-13T03:27:00.002Z</published><updated>2008-02-13T03:34:19.568Z</updated><title type='text'>security theater</title><content type='html'>wow...  bruce is prolly gonna light this up in the next &lt;a href="http://www.schneier.com/crypto-gram.html"&gt;cryptogram&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;so there's a huge backlog of visas for people to get into the country.  to relieve the backlog, apparently they are going to &lt;a href="http://www.mercurynews.com/politics/ci_8238043"&gt;skip detailed background checks&lt;/a&gt; and &lt;a href="http://www.voanews.com/english/2008-02-12-voa11.cfm"&gt;approve visas which have been waiting for over 6 months&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;you know, &lt;a href="http://archives.cnn.com/2002/US/03/12/inv.flight.school.visas/"&gt;terrorists&lt;/a&gt; &lt;a href="http://en.wikipedia.org/wiki/Organizers_of_the_September_11,_2001_attacks#The_Hamburg_cell_and_other_conspirators"&gt;try to get&lt;/a&gt; &lt;a href="http://www.nationalreview.com/mowbray/mowbray100902.asp"&gt;visas too&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;what kind of sense does this make?  
wtf?&lt;br /&gt;&lt;br /&gt;well, here is &lt;a href="http://counterterrorismblog.org/2008/02/immigration_and_national_secur_1.php"&gt;one opinion&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;Make no mistake, this bureaucratic cave-in is nothing short of a sugar-coated admission of the agency [DHS] being incapable of doing its mission.&lt;/blockquote&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/7792823831410744362/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=7792823831410744362' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7792823831410744362'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/7792823831410744362'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/02/security-theater.html' title='security theater'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-5490069383248474777</id><published>2008-02-12T05:17:00.000Z</published><updated>2008-02-12T05:20:04.747Z</updated><title type='text'>trust but verify</title><content type='html'>ok, so i was having this conversation w/ a buddy a few days back.  
we were talkin about baseball, and all the cheating and such.  and then of course the superbowl came up, w/ the recent allegations that the pats cheated in previous superbowls. &lt;br /&gt;&lt;br /&gt;the conversation covered a lot of ground, but some parts stuck out in my mind.  for one, the whole history of drug testing and baseball.  over and over throughout the saga, you have people with vested interests making decisions that they are in no way impartial about.  the players' unions can't tell us if it is ok to test for steroids, because they represent the people who would be using steroids for personal gain. &lt;br /&gt;&lt;br /&gt;it's just like the NFL, where you have a team that was caught cheating already.  then allegations come up that they cheated in the same basic way in a different circumstance, and the NFL commissioner and peeps are like "oh, we don't think it's credible"...  i'm sorry, what?  it isn't credible because they've already done something exactly like that?  or it isn't credible because you don't want any bad press or feelings right before the biggest game of the year?&lt;br /&gt;&lt;br /&gt;so we got to talkin about how to fix cheating in baseball.  we ended up agreeing that the way to do it was to have a completely independent body who tested pro athletes (in multiple sports) for drug use.  independent funding, management, etc.  this would keep the organization from having conflicts of interest, and should ensure the impartiality of the testing to both the players as well as the team management.&lt;br /&gt;&lt;br /&gt;i think this situation ties in very nicely w/ an infosec situation i was just in...&lt;br /&gt;&lt;br /&gt;so, one reason to get an external company to do a review or assessment of your security posture is to verify that your people are doing what they tell you they are doing.  
you trust them, but it doesn't hurt to have another set of educated eyes looking over the situation.&lt;br /&gt;&lt;br /&gt;so what if your org uses outside contractors to do work?  well, in my estimation, you do the exact same thing.  you bring in a 3rd party contractor to verify what's going on.  it is really funny to me how in the RW you end up w/ people in these situations worried about how the original business partner feels.  this isn't personal.  you're handing them a check.  it isn't about their feelings, it is about the quality of the work.&lt;br /&gt;&lt;br /&gt;anyway, i was out of town doing an assessment at a bank a few days back.  the CISO of the company had been using a consulting shop for network and security services.  they had a vulnerability identified a year back, and the company stepped in to sell them a product and offer consulting hours to remediate the vuln.  i get in there, and i'm looking at the diagrams, and i'm like "why is this thing here again?"  it just isn't making sense to me.  the more i dig, the funnier things get.  it ends up w/ the consulting company refusing to grant me access to review the firewall policies, and a review of a text version of the supposed firewall config reveals that the issue which was supposed to be remediated was, in fact, still present.  and beyond that, the scope of the issue had grown over the past year (via direct action from the consulting company).&lt;br /&gt;&lt;br /&gt;so i delivered my preliminary report before i jetted out of town, and the CISO looked fairly unhappy. &lt;br /&gt;&lt;br /&gt;some people might blame the CISO.  shoulda been technically proficient enough to see the issue hadn't been fixed.  well, i'd take the position that managing infosec is wayyy different than implementing infosec.  i don't want my CISO to know how to implement sec...  
i want them to manage it, and trust me that i'm doing the job...&lt;br /&gt;&lt;br /&gt;and i definitely want them to verify the work that's being done...</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/5490069383248474777/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=5490069383248474777' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5490069383248474777'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5490069383248474777'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/02/trust-but-verify.html' title='trust but verify'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-4700085211970028514</id><published>2008-02-11T16:41:00.000Z</published><updated>2008-02-11T16:50:41.793Z</updated><title type='text'>end point network monitoring?</title><content type='html'>there is an &lt;a href="http://taosecurity.blogspot.com/2008/02/nsm-at-endpoint.html"&gt;interesting post over at tao sec&lt;/a&gt; that talks about running network security monitoring out at the endpoint, mostly to cover blackout periods where mobile devices are on unknown hostile networks...&lt;br /&gt;&lt;br /&gt;i think this is a nicely future-focused idea.  it is clear that the hard borders of our networks are eroding very quickly with the glut of mobile devices and alternate connection technologies.&lt;br /&gt;&lt;br /&gt;on the flip side, i struggle to imagine the org of any decent size which is willing to put together the resources to tackle monitoring the network sec logs from all their mobile devices on top of their fixed sites.  but i guess rather than being negative, i should see that as an opportunity to build better data analysis tools...</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/4700085211970028514/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=4700085211970028514' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4700085211970028514'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4700085211970028514'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/02/end-point-network-monitoring.html' title='end point network monitoring?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-5821100909446132759</id><published>2008-02-01T18:20:00.000Z</published><updated>2008-02-01T18:51:00.898Z</updated><title type='text'>are you alive?</title><content type='html'>ok...  so a &lt;a href="http://jdm-tech.blogspot.com/2008/01/yahoo-captcha-hacked.html"&gt;friend n colleague of mine pointed out&lt;/a&gt; that &lt;a href="http://www.0x000000.com/index.php?i=502"&gt;the yahoo captcha has reportedly been effectively compromised&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;as others have said, we've kinda seen this building for a while now.&lt;br /&gt;&lt;br /&gt;but, mostly the responses i'm hearing from the sec community have all been centered around building a better captcha to save us from the coming onslaught of spam (and some more xss prolly)...&lt;br /&gt;&lt;br /&gt;imho, it is a poor stop-gap to make this the focus of mitigating the issue.  we know this is attack and defense.  we know the goal-posts move.  so stop trying to build a better wall!  build a series of redundant walls that force your enemy into overlapping fields of fire.  it is accepted practice that we have layers of security in other areas, so why aren't we doing more of it here?&lt;br /&gt;&lt;br /&gt;a significant portion of code on web sites is dynamically generated already, so that makes our job easier.  the simplest thing we can do is use multiple strong captchas, where a single one is pseudo-randomly picked for a given page render.&lt;br /&gt;&lt;br /&gt;then, while you're at it (or mb instead) you can use other methodologies to add layers to determining humanity from script.  we can make small transparent things look interesting to scripts.  we can make fake forms that human users don't see.  we can make invisible iframes too, but use em as tar pits for bots.&lt;br /&gt;&lt;br /&gt;the point is that there are a range of simple tests that can be done to attempt to id bots without putting more burden on users or captcha developers.&lt;br /&gt;&lt;br /&gt;some pages do this stuff already, but you can still take it further.  say we have 10 tools in our toolbox.  
we don't have to walk onto the battlefield in rows and columns and never deviate.  we can dynamically utilize between 3 and 7 tools on a given page render and randomize which tools are picked from the pool.  we can use more attack-like tactics to raise the bar right back.  we can obfuscate our code too...  we can use polymorphic structures to try to confuse the bots...  why are we giving our attackers static defenses to target?&lt;br /&gt;&lt;br /&gt;anyway, bonus points if u recognize the reference in the title of this post, and a gold star if you get the irony...  peace!</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/5821100909446132759/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=5821100909446132759' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5821100909446132759'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5821100909446132759'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/02/are-you-alive.html' title='are you alive?'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6851380431704058215</id><published>2008-01-30T05:07:00.000Z</published><updated>2008-01-30T05:12:09.834Z</updated><title type='text'>info sec == sec info</title><content type='html'>so one aspect i love about this stuff is that it isn't all attackers and russian mobsters and chinese govt and such...&lt;br /&gt;&lt;br /&gt;it's all about the &lt;a href="http://en.wikipedia.org/wiki/CIA_triad"&gt;CIA triad...&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;so maybe that's a &lt;a href="http://www.foxnews.com/story/0,2933,325285,00.html"&gt;pissed off employee&lt;/a&gt;, or maybe it is &lt;a href="http://worksafetech.com/pages/Movies/ISO_Base_Videos.html"&gt;an earthquake&lt;/a&gt;...  either which way, there's always something to think about, even if there aren't red lights flashin on your IDS...</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6851380431704058215/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6851380431704058215' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6851380431704058215'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6851380431704058215'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/01/info-sec-sec-info.html' title='info sec == sec info'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-4668941693733542980</id><published>2008-01-27T21:18:00.000Z</published><updated>2008-01-27T21:27:42.094Z</updated><title type='text'>local admin password change script</title><content type='html'>ok, so from time to time an admin leaves and you need to change local admin on a bunch of computers...  annoying how ms doesn't let you just click to do it for the domain via AD...&lt;br /&gt;&lt;br /&gt;so i had to do this recently, and after searching the net for script examples, i put this together.  basically, it lets you update the local admin account (or any acct, note that "administrator" isn't a variable in the script like it should be ;).  you can do it for a domain, or for an ou, or for a group of boxes...&lt;br /&gt;&lt;br /&gt;the way i used it was to run it on a domain, and then use grep, sed, awk, and wc to pull out the failed boxes, and then plug them back into the script as a list of individual boxes.  you can do this a number of times and catch stragglers (boxes that are ooto or off), and also end up w/ a list of machines which still have the old password...&lt;br /&gt;&lt;br /&gt;so anywho, it was useful for me, hopefully it will be useful for other ppl...  enjoy...&lt;br /&gt;&lt;br /&gt;btw, blogger totally butchered my whitespacing and all of that... 
sry...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;''&lt;br /&gt;'' Local Admin Password Update script by rwnin&lt;br /&gt;''&lt;br /&gt;'' Update the local admin password on a domain&lt;br /&gt;'' or group of computers.&lt;br /&gt;''&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;option explicit&lt;br /&gt;on error resume next&lt;br /&gt;&lt;br /&gt;const forWriting = 2&lt;br /&gt;const forAppending = 8&lt;br /&gt;&lt;br /&gt;dim objUpdates&lt;br /&gt;dim objLocalUser&lt;br /&gt;dim objFSO&lt;br /&gt;dim objLog&lt;br /&gt;dim objItem&lt;br /&gt;&lt;br /&gt;dim i&lt;br /&gt;dim numUpdates&lt;br /&gt;&lt;br /&gt;dim errText&lt;br /&gt;dim errLog&lt;br /&gt;dim newPassword&lt;br /&gt;dim strBox&lt;br /&gt;&lt;br /&gt;dim arrHostnames()&lt;br /&gt;dim tempArr&lt;br /&gt;&lt;br /&gt;newPassword = "y3r#n3w#p4ss#h3r3"&lt;br /&gt;&lt;br /&gt;errLog = "pupdate_log.txt"&lt;br /&gt;&lt;br /&gt;'' prep our logging&lt;br /&gt;set objFSO = CreateObject("Scripting.FileSystemObject")&lt;br /&gt;&lt;br /&gt;if (objFSO.FileExists(errLog) = false) then&lt;br /&gt;set objLog = objFSO.CreateTextFile(errLog)&lt;br /&gt;end if&lt;br /&gt;&lt;br /&gt;set objLog = nothing&lt;br /&gt;set objLog = objFSO.OpenTextFile(errLog, forWriting, true)&lt;br /&gt;set objFSO = nothing&lt;br /&gt;&lt;br /&gt;objLog.WriteLine("Executing at: " &amp;amp; date &amp;amp; " " &amp;amp; time)&lt;br /&gt;&lt;br /&gt;'' Kludge Alert:&lt;br /&gt;''&lt;br /&gt;'' for pulling hostnames, the .Count method isn't implemented, n .PropertyCount&lt;br /&gt;'' method seems to return the count of all of the objects in the collection, not the&lt;br /&gt;'' filtered ones... so i decided to iterate once to count and then again to collect the&lt;br /&gt;'' names.  
it could be done in a single loop, but then you'd have to redim (right?) for&lt;br /&gt;'' each iteration, and that seems more expensive than just doing 2 loops...&lt;br /&gt;''&lt;br /&gt;'' also, for querying via OU, i know you can set the scope to subtree w/ a straight&lt;br /&gt;'' query, but i haven't figured out how to do it w/ the getobject call...  so, atm it&lt;br /&gt;'' will only query the OU you specify.  if you're doing sub OUs you have to say:&lt;br /&gt;'' OU=subou, OU=mainou, DC=etc etc etc... i should update it, but i'm bein lazy...&lt;br /&gt;''&lt;br /&gt;&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;'' uncomment for domain query&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;'set objUpdates = GetObject("WinNT://your.addomain.tld,domain")&lt;br /&gt;'objUpdates.Filter = Array("Computer")&lt;br /&gt;'numUpdates = 0&lt;br /&gt;'for each objItem in objUpdates&lt;br /&gt;' numUpdates = numUpdates + 1&lt;br /&gt;'next&lt;br /&gt;'redim arrHostnames(numUpdates)&lt;br /&gt;'i = 0&lt;br /&gt;'for each objItem in objUpdates&lt;br /&gt;' arrHostnames(i) = objItem.Name&lt;br /&gt;' i = i + 1&lt;br /&gt;'next&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;'' _OR_ uncomment for OU query&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;'set objUpdates = GetObject("LDAP://OU=subsubou, OU=subou, OU=ou, DC=your, DC=addomain, DC=tld")&lt;br /&gt;'objUpdates.Filter = Array("Computer")&lt;br /&gt;'numUpdates = 0&lt;br /&gt;'for each objItem in objUpdates&lt;br /&gt;' numUpdates = numUpdates + 1&lt;br /&gt;'next&lt;br /&gt;'redim arrHostnames(numUpdates)&lt;br /&gt;'i = 0&lt;br /&gt;'for each objItem in 
objUpdates&lt;br /&gt;' arrHostnames(i) = objItem.CN&lt;br /&gt;' i = i + 1&lt;br /&gt;'next&lt;br /&gt;&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;'' _OR_ uncomment to manually define a list&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;''''''''''''''''''''''''''''''''''''''''''''''''&lt;br /&gt;'' stupid vbs doesn't let you copy arrays to dim'd variables&lt;br /&gt;'numUpdates = 3&lt;br /&gt;'redim arrHostnames(numUpdates)&lt;br /&gt;'tempArr = Array("box1", "box2", "box3")&lt;br /&gt;'for i = 0 to (numUpdates - 1)&lt;br /&gt;' arrHostnames(i) = tempArr(i)&lt;br /&gt;'next&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;'' now we loop through and try our updates.  timeout on hosts that don't respond can&lt;br /&gt;'' be approx 20 sec in my experience, so give this some time...&lt;br /&gt;for i = 0 to (numUpdates - 1)&lt;br /&gt;&lt;br /&gt;'' build the string and get the object...&lt;br /&gt;set objLocalUser = GetObject("WinNT://" &amp;amp; arrHostnames(i) &amp;amp; "/Administrator")&lt;br /&gt;if (err.number &lt;&gt; 0) then&lt;br /&gt; select case Err.Number&lt;br /&gt;   case -2147024843&lt;br /&gt;     errText = arrHostnames(i) &amp;amp; ": Unable to connect to host"&lt;br /&gt;   case else&lt;br /&gt;     errText = arrHostnames(i) &amp;amp; ": Unknown error (num: " &amp;amp; err.number &amp;amp; ") occurred"&lt;br /&gt; end select&lt;br /&gt; err.clear&lt;br /&gt; objLog.WriteLine(errText)&lt;br /&gt;else&lt;br /&gt; '' attempt to set the password&lt;br /&gt; objLocalUser.SetPassword(newPassword)&lt;br /&gt; if (err.number &lt;&gt; 0) then&lt;br /&gt;   select case Err.Number&lt;br /&gt;     case 424&lt;br /&gt;       errText = arrHostnames(i) &amp;amp; ": Unable to connect to host"&lt;br /&gt;     case else&lt;br /&gt;       errText = arrHostnames(i) &amp;amp; ": Unknown error (num: " &amp;amp; err.number &amp;amp; ") occurred"&lt;br /&gt;   end select&lt;br 
/&gt;   err.clear&lt;br /&gt;   objLog.WriteLine(errText)&lt;br /&gt; else&lt;br /&gt;   objLog.WriteLine("Updated " &amp;amp; arrHostnames(i))&lt;br /&gt; end if&lt;br /&gt;end if&lt;br /&gt;next&lt;br /&gt;&lt;br /&gt;objLog.WriteLine("Completed...")&lt;br /&gt;objLog.Close&lt;br /&gt;set objLog = nothing&lt;br /&gt;set objLocalUser = nothing&lt;br /&gt;set objUpdates = nothing&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-4668941693733542980?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/4668941693733542980/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=4668941693733542980' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4668941693733542980'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/4668941693733542980'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/01/local-admin-password-change-script.html' title='local admin password change script'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-6694128673388855459</id><published>2008-01-15T06:19:00.000Z</published><updated>2008-01-15T12:36:51.996Z</updated><title type='text'>note to self</title><content type='html'>don't post while drinking... 
;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-6694128673388855459?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/6694128673388855459/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=6694128673388855459' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6694128673388855459'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/6694128673388855459'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/01/mmmmm.html' title='note to self'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7838844338560229570.post-5080366178728582987</id><published>2008-01-11T05:44:00.000Z</published><updated>2008-01-11T05:56:57.518Z</updated><title type='text'>one more time</title><content type='html'>and this one comes via my dad...  he thought i'd surely have known about this, but i'd never heard a thing about it...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sandboxie.com/"&gt;the app&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;pretty simple concept.  let your apps read from disk, but only let them write to a sandbox.  
obviously not an &lt;a href="http://en.wikipedia.org/wiki/Extrusion_prevention"&gt;extrusion prevention&lt;/a&gt; solution, but it is a really simple concept that seems like it could prevent a lot of badness...  kinda chroot jail-ish imo...&lt;br /&gt;&lt;br /&gt;anyway, just another cool idea to be a potential solution to some problems.  but as per my last post, it is kinda laughable how this essentially just attempts to impose proper perms on tmp dirs for windows browsers.  following that reasoning, just quit windows and run *nix where the browser can read the /tmp dir chmoded out at 777, and virtually nothing else.  &lt;br /&gt;&lt;br /&gt;and this also suffers from the same problems as many other security products.  yea, i can build a *nix server w/ buffer overflow protections, and a hardened kernel, and other general hardening.  and i can put it out on inet running services and feel pretty confident that i'll probably see any attempted attack on the machine if i watch my logs and am careful about configuration in general.  but the fact that i can do that doesn't really help 99% of machines out there.  this app might have potential, but 99% of ppl out there will never hear of it.  i mean, i still have to tell people what noscript is.  
all of these patch-like solutions and add-ons need a better distribution method so the risk mitigation can reach the masses...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7838844338560229570-5080366178728582987?l=rwnin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://rwnin.blogspot.com/feeds/5080366178728582987/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7838844338560229570&amp;postID=5080366178728582987' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5080366178728582987'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7838844338560229570/posts/default/5080366178728582987'/><link rel='alternate' type='text/html' href='http://rwnin.blogspot.com/2008/01/one-more-time.html' title='one more time'/><author><name>rwnin</name><uri>http://www.blogger.com/profile/18265639433606828447</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp3.blogger.com/_ai6JN2kiD6A/SF3OSfz_J5I/AAAAAAAAAE4/FOGr3-bYrmA/S220/rwnin.jpg'/></author><thr:total>0</thr:total></entry></feed>
