Tuesday, February 28, 2006

Humor: Rules for Living in Austin, TX

From the Stanford Texas Club -
  1. First you must understand that Austin is not Texas, but Austin is in the heart of Texas. The rest of Texas is defined by two zones-the vaguely scary, inbred country regions, and the extremely scary, urban, conservative mega-cities. In Austin, we respect both zones (they are, after all, in the great state of Texas), but we really don't have much in common with them. You may hear us speak disparagingly of other parts of Texas, but you are not allowed to do the same. The only thing we hate more than people from Houston coming to Austin and trying to turn Austin into Houston is people from outside of Texas coming to Austin and insulting our state.

  2. You should also understand that it is hot and humid as hell for at least 3 months out of the year. People in Austin know this, and they don't understand people who complain about it. The day lasts 24 hours. There are 7 days in a week. It's hot outside. None of these things are worth mentioning or complaining about.

  3. Austin has some peculiar conventions when it comes to traffic. First, if there is anything that could potentially distract Austin drivers, they stop dead in the middle of the road. If they see the scene of an accident on the other side of the highway, they stop. If they see rain, they stop. If there is snow, they stop and start sacrificing goats. Get used to stopping on highways. At the same time, you should get over the idea that drivers in Austin will stop at other, more appropriate times. Austin drivers will not even slow down for a pedestrian, even if that pedestrian is clinging for life to the front grill of their Suburban Land Yacht. They also will not stop to talk on their cell phones, and they damn sure will not stop for a red light that is less than 10 seconds old. And, of course in Austin, as in the entire state of Texas, it is against the law to use a turn signal. A turn signal may distract other drivers, causing them to stop in the middle of the road, so it is best to not advertise your intentions to turn or change lanes.

  4. If you park your car in Austin, it will be towed.

  5. Getting around Austin requires a bit of training. First of all, it is relatively easy to go north and south in Austin, but not so easy to get east or west. And if you are going north or south, the directions will surely begin with, "Go down MoPac... 'cause you sure as hell don't want to mess with I-35." Of course, this rule is changing as more and more people crowd onto MoPac, so in the future all instructions will begin with, "Actually, it's probably faster to just take Lamar." Lamar is a road with no beginning and no end, and everything is "just off" of Lamar, so it is just a matter of time before it becomes a parking lot similar to I-35 and MoPac. Eventually, a major flood of Shoal Creek will drown all the people parked on Lamar. We call this, "thinning the herd. "There is no point going anywhere during "rush hour," which runs from 6:00 to 10:00 in the morning and from 3:00 to 7:00 in the afternoon every work day except Friday (when rush hour starts on Thursday night and lasts all day). On most days, at least one driver is distracted by something during rush hour, which means that everybody has to stop. You should also make a note that Mopac IS Loop 1 -- they are one and the same. Similarly, Capital of Texas Hwy is 360, and Research is 183. 2222 is Northland or Allendale or Koenig, depending on what part of 2222 you are talking about. 290 is Ben White, but there are two 290 exits on I-35 * one of which is 2222 (which, as mentioned earlier, is Northland, Allendale and Koenig). Don't try to figure it out. Just accept it. If you question the intelligence behind this naming convention, people will simply tilt their heads to the right and stare at you.

  6. Austin is effectively divided into two worlds. The new "tech" people who live "north" of town (north of 183), and the old "true" Austinites who live in the "middle" of town (although census data will no doubt reveal that the true "middle" of Austin is now well north of 183). South of town is hard to describe, so we'll pretend it doesn't exist, and East of town is embarrassing to describe, so we'll pretend it doesn't exist either. North Austin is a plastic, mass-produced world full of chain restaurants and movie theaters. The houses are huge, the yards are small, and the treeless streets have names like "Oak Forest View Circle." Central Austin, on the other hand,tends to attract the granola eating, deodorant-shunning, aging hippie-types. The houses are small and structurally frightening, but they are no less astonishingly expensive, and the businesses tend to be small, privately owned specialty shops that don't sell anything you'd want to buy.

  7. There is no dress code in Austin. How you look and what you're worth typically have little do to with each other here. In central Austin, it is quite common to see some scruffy, smelly hippie with dread-locks, tattoos and piercings driving a new Lexus or Mercedes. People in Austin like to look weird. The woman you see walking down the drag with the tattoo of a dragon across her back and the purple hair may be your child's kindergarten teacher. Your congressman might be a leather-clad biker. And the girl in the coffee shop serving you a latte may have a Ph.D. in astrophysics. Don't judge a book by it's cover here. In the extreme, there is Leslie, who is technically a bearded man, but who likes to hang out downtown in a teddy and a tiara. Leslie's nuts, but he personifies Austin, and we're not going to get rid of him.

  8. Austin has a love-hate relationship with tech companies in general and Dell in particular. We love being progressive, and the tech companies represent "the future." However, they're boring, sanitized, and they tend to treat their employees like cattle. Dell is a nasty machine that uses people like a lubricant, grinding them up and cleaning them out when they get messy or inconvenient. People in Austin are beginning to have a sneaking suspicion that George Orwell was right about everything except the date.

  9. Austinites are largely a bunch of tree-hugging environmentalists. For example, we're strangely and frighteningly proud of our bats. In the summer, the Congress Avenue Bridge is reminiscent of a Hitchcock film, but Austinites flock down there every night to see the show up close and personal. We have a statue devoted to the bats, and we named our hockey team after them (yes, we have a hockey team). The bats rule. As does our salamander. At one time, money-grubbing developers (Freeport-MacMoRan mostly) were building irresponsibly along Barton Creek, and because the bastards (may they rot in hell) couldn't be bothered with things like proper sewage drainage, our beloved swimming hole, Barton Springs Pool, was being polluted with the sewage from Barton Creek Development residents (a.k.a., "rich scum spoor"). Most of the city council and the Texas legislature were in the pockets of the festering scumbag developers, so it was necessary to bring out the big guns-the Barton Creek Salamander, an endangered species that was being threatened by the development sludge. For some reason, in Texas it is okay to make your citizens swim in crap, but it is illegal to make salamanders do so.

  10. And of course, there is music. Austin is supposed to be the "music capital of the world." We have a shrine for Stevie Ray Vaughn down on Town Lake (yes, it's a lake-it looks like a river to you, but it's a lake); pay your respects if you come to town. While you're at it, swing by Threadgills and pay your respects to the memory of Janis Joplin, and drop by Antone's and pay your respects to the memory of Clifford Antone. He's not dead, but he's in a Texas prison on drug trafficking charges, and that may be just as bad.

Monday, February 27, 2006

e-Passports - Are we ready?


The State Department started pilot production of electronic passports earlier this month and plans to roll out e-passports for the general public this summer, officials said.

The senior official in charge of the project also said that technical issues raised recently about e-passport security would not prevent the general distribution of the documents.

Visual Design of the e-Passport

RFID Security

Eariler this month a Dutch security firm broke the security of the Dutch e-Passport pilot. They intercepted the data exchange between the RFID reader and passport, stored the encrypted data, and then cracked the password in just 2 hours on a PC giving full access to the digitized fingerprint, photograph, and all other encrypted and plain text data on the RFID tag.

The United States is suppose to use password protection on the new e-passports as well. They are even suppose to include a radio shield in the front cover, therefore reducing radio leakage when the passport is closed.

What happens if the US government issuse thousands of these RFID passports and then the encryption process is broken by some group? Will they re-design and re-issue new cards to everyone?

Does anyone make RFID blocking backpacks? or computer cases? Someone should...

Man, am I glad I just got my passport...won't need a new one for quite some time.

Friday, February 24, 2006

Announcement - Botnet Reporting & Mitigating Mailing List

Gadi Evron announced the creation of a new open and public mailing list where anyone can join and report a botnet command and control (C&C) server.

The security community has lacked a centrally reporting location and this is finally changing. Read the announcment above and join in the fight if willing.

Also note the private email for reporting off-list.

Good stuff.

Thursday, February 23, 2006

Interview with Solar Designer - Creator of John the Ripper

Federico Biancuzzi has a great interview with Solar Designer on SecurityFocus.com

They discuss the new features in John the Ripper 1.7 and the overall idea of password security.

Google Reader "Preview" and "Lens" Script Improper Feed Validation

My good friend, Debasis Mohanty, posted this to FD this morning.


Google Reader "preview" and "lens" script improper feed validation ===================================================================

Google Reader (http://www.google.com/reader/) helps organise the contents of those rss or atom feeds for which the user is interested in or subscribed to. The user instead of continuously checking his/her favorite sites or discussion groups for updates, (s)he can let Google Reader do it for them.

From news sites to your friends' blogs, Google Reader helps stay up-to-date with all the online information that matters most to the user.

Google reader is supposed to display only those contents which the user has subscribed to however two vulnerabilities has been identified which may allow an attacker to entice it's victim (using google reader service) to view unwanted web contents carrying malicious payloads.

a. Google reader "preview" script improper feed validation (without user

Google feed reader "preview" script: The script
(http://www.google.com/reader/preview/*/feed/) is normally used for displaying the feed contents within the reader.

For example, the following request will display the rss content of the link

Note: '*' in the above link can be replace with any word of your choice otherwise it can be left as it is.

This 'preview' script is only available to authenticated user but if a direct link is provided it doens't ask for user authentication. It can be very usefull for an attacker to mount an attack on its victim by directing them to view the content of malicious sites (carrying evil payloads).

b. Google reader "lens" script improper feed validation (with user

Google feed reader "lens" script: The script
(http://www.google.com/reader/lens/feed/) is normally used for displaying contents of only those feeds to which an authenticated user has subscribed to.

However, it is possible to pass any rss / atom feed to the script as parameter to which the user has not subscribed but the un-subscribed feed contents can still be loaded within the user reader page.

For example, the following request will display the rss content of the link

This 'lens' script is only available to authenticated user and can be usefull for an attacker to mount an attack on its victim by directing them to view the content of malicious sites (carrying evil payloads) even though the user is not subscribed to.


30th Jan, 2006 - Bug originally discovered
2nd Feb, 2006 - Vendor Notified
No vendor response
22nd Feb, 2006 - Vendor Notified again
22nd Feb, 2006 - Public Disclosre

Debasis Mohanty


It isn't a killer RSS hole but just wait...this is just the beginning.

Wednesday, February 22, 2006

Uncomfirmed - Mozilla Thunderbird 1.0.7 : Remote Code Execution & DoS

Just posted to the FD list

Mozilla Thunderbird : Remote Code Execution & Denial of Service


Tuesday, February 21, 2006

Nmap 4.01 - Kinda old News

Just saw that Nmap was updated to 4.01 on the 10th. Just in case you didn't know...now you do. Kinda old news, but I am still catching up.

Nmap 4.01 fixed several bugs, including an important memory leak in the raw ethereat sending system. See other changes.

Possible False Positive Detection of OSX/Inqtana-B - UPDATED

Virus: 'OSX/Inqtana-B' detected in /Library/Printers/EPSON/

Virus: 'OSX/Inqtana-B' detected in /Library/Printers/EPSON/C43Series.plugin/Contents/PDEs/

Virus: 'OSX/Inqtana-B' detected
in /Library/Printers/EPSON/C44Series.plugin/Contents/PDEs/

Virus: 'OSX/Inqtana-B' detected
in /Library/Printers/EPSON/PM860PT.plugin/

Virus: 'OSX/Inqtana-B' detected
in /Applications/Microsoft Office 2004/Office/ShMem.bundle/

Virus: 'OSX/Inqtana-B' detected
in /System/Library/Extensions/

Virus: 'OSX/Inqtana-B' detected
in /Applications/4D Client.app/Contents/4D Extensions/4D Carbon Support.bundle/Contents/MacOS/4D Carbon Support


It would appear that Sophos may have a pretty big false positive issue on their hands....or at least I hope it is a false positive....more information to come.

The Sophos website seems to be running very slow (DoS'd), perhaps caused by this new detection issue.

Inqtana uses a Bluetooth vulnerability that was patched in Mid 2005, therefore most people saw the trojan as "low-risk". If my feelings are correct, the outcome of this false positive will be 100 times worse than the trojan itself.

UPDATE - 11:37AM Central

Sophos has pulled the IDE and confimed it was a false positive. Expect a new IDE within 45 mins.

Feb 2006 - Drone Armies C&C Public Report

Gadi Evron passed this nice report to the FunSec mailing list this morning.

While this information only appears to cover botnets that are reported, it does show which networks are willing to actively fight this growing problem and which aren't. Hopefully posting this information regularly will change some views and increase awareness of the issue.

Keep up the good work.

Monday, February 20, 2006

2006 - Year of the OS X Exploit?

In my personal view, Apple made the right move in using BSD code in OS X and in moving to the Intel chipset.

However, a smart man once said that every action has an equal and opposite reaction.

Why use OS X?

Apple’s use of the BSD microkernel code has turned OS X into the system of choice for both hackers and security professionals alike. As a result, many applications commonly used by on BSD/Linux have been ported to OS X. Some are even better on Apple, take KisMac for example. But all this positive attention hasn’t developed without some negative attention as well.

Opposite Reaction

Security Researchers and hackers now seem to have their sights on Apple’s OS gem.


Will 2006 bring an end to Apple’s current threat immunity? Perhaps - Only time will tell, but the force seems to be strong with those that want to dig in the OS X candy coating.

I have outlined several other security concerns for the Apple world with a good friend and hopefully we can put those all together in a more in-depth blog in the future.

Wednesday, February 15, 2006

Fun: Jamaica

Well, I spent most of the day in the rain forest of Jamaica. It was very muddy and wet...and pretty damn hot, but overall a very fun time. We are underway toward the Grand Caymans.

We will have a private tour on the next island, so driving around in a rented car/van should be pretty fun. As I have stated before, I am pretty much out of the internet security loop for the rest of the week. I hope the internet doesn't die on me....keep it going guys.

Tuesday, February 14, 2006

Fun: Haiti

As some of you may know, I am chilling in Haiti right now. I won't be around for around 4 or 5 days....so stay tuned. I have all types of stuff to catch up on. Not having the internet for a week is like not being alive for a full year. =)

Friday, February 10, 2006

Fun: WebShots Backgrounds

It would seem that someone from Peking decided to collect all the great backgrounds from WebShots and host them on a site in China.


Not sure Webshots would like it however.

Security Breach Exposes CC Details of 200,000

Some of you may have heard about the data-security breach that resulted in numerous people having their debit cards cancelled this week. What happen? How big is the problem?

Details are still coming to light, but right now it sounds something like this -

A pretty big office-supply retailer was hacked and exposed the credit information over perhaps 200,000 people.

Bank of America, Wells Fargo and other banks were alerted by Visa and MasterCard to take security actions for those card holders.

Let’s remember, this isn't some stolen backup tape or a street thief wanting quick money on a laptop...it sounds like a real hacker that targeted the data storage of this retailer. This is my take on the issue and may not be true, but check these quotes from SFGate.com

1) Banking industry sources said they were notified last month by Visa and MasterCard that the computer system of a prominent merchant had been penetrated by a computer hacker, and that account information for thousands of customers had been endangered.

2) Rosetta Jones, a spokeswoman for Visa USA, acknowledged Thursday that the incident involved a U.S. merchant that "may have experienced a data security breach resulting in the compromise of Visa card account information."

3) Sharon Gamsin, a spokeswoman for MasterCard International, said the credit card company had been informed of "a potential security breach at a U.S.-based retailer."

Sounds pretty serious. Visa, MasterCard, BofA and Well Fargo seem to be reacting as required and expected. Issuing new cards and watching accounts is standard for security breach of this nature and is the correct step for customer protection.

So whats the big deal? The "Unknown" retailer is the deal right now.

Under California SB 1386 - requires an agency, person or business that conducts business in California and owns or licenses computerized 'personal information' to disclose any breach of security (to any resident whose unencrypted date is believe to have been disclosed).

So if the above is true, then we can assume one of the following -

1) The "Unknown" retailer has no business in California and therefore is not bound by SB 1386

2) They are bound by the law but all credit information exposed was encrypted.

3) They are bound by the law and they will disclose this breach in due time.

4) They are bound by the law and not following it as it was intended.

Someone needs to find out...and I would guess that we will all have more information very shortly. Keep your eyes out for this one.

Again, take this whole article with a gain of salt because information is will change.

The Secret 64-bit Life of the Intel Core Duo

It would appear that the new Intel Core Duo is really a 64-bit processor in hiding. So why won't Intel let your new iMac run 64-bit Linux??

More details are sure to be exposed. Is OS X 64-bit? Seriously, I am asking you....

Google Desktop = Security Risk?

February 09, 2006

Google Copies Your Hard Drive - Government Smiles in Anticipation
Consumers Should Not Use New Google Desktop

San Francisco - Google today announced a new "feature" of its Google Desktop software that greatly increases the risk to consumer privacy. If a consumer chooses to use it, the new "Search Across Computers" feature will store copies of the user's Word documents, PDFs, spreadsheets and other text-based documents on Google's own servers, to enable searching from any one of the user's computers. EFF urges consumers not to use this feature, because it will make their personal data more vulnerable to subpoenas from the government and possibly private litigants, while providing a convenient one-stop-shop for hackers who've obtained a user's Google password.

"Coming on the heels of serious consumer concern about government snooping into Google's search logs, it's shocking that Google expects its users to now trust it with the contents of their personal computers," said EFF Staff Attorney Kevin Bankston. "Unless you configure Google Desktop very carefully, and few people will, Google will have copies of your tax returns, love letters, business records, financial and medical files, and whatever other text-based documents the Desktop software can index. The government could then demand these personal files with only a subpoena rather than the search warrant it would need to seize the same things from your home or business, and in many cases you wouldn't even be notified in time to challenge it. Other litigants—your spouse, your business partners or rivals, whoever—could also try to cut out the middleman (you) and subpoena Google for your files."

The privacy problem arises because the Electronic Communication Privacy Act of 1986, or ECPA, gives only limited privacy protection to emails and other files that are stored with online service providers—much less privacy than the legal protections for the same information when it's on your computer at home. And even that lower level of legal protection could disappear if Google uses your data for marketing purposes. Google says it is not yet scanning the files it copies from your hard drive in order to serve targeted advertising, but it hasn't ruled out the possibility, and Google's current privacy policy appears to allow it.

"This Google product highlights a key privacy problem in the digital age," said Cindy Cohn, EFF's Legal Director. "Many Internet innovations involve storing personal files on a service provider's computer, but under outdated laws, consumers who want to use these new technologies have to surrender their privacy rights. If Google wants consumers to trust it to store copies of personal computer files, emails, search histories and chat logs, and still 'not be evil,' it should stand with EFF and demand that Congress update the privacy laws to better reflect life in the wired world."

For more on Google's data collection:

Kevin BankstonStaff AttorneyElectronic Frontier Foundation
Posted at 11:04 AM

When the first Google Desktop was released, I pushed up the ranks for this to not be used in the corporate world. People can (and will) do what they want on their personally computers, but in the business world...the "unknown" risk of this software is just unnecessary.

As attackers move away from OS levels, applications security problems will hit center stage. We are seeing this start to happen right now.

Remember the old OS security measure of reducing the number of running services? This reduces your online signature and therefore reduces the attack pathways. The same idea can be applied for system security at the application level.

More Applications = more lines of running code = higher change of security vulnerabilities

Need I say more....

Thursday, February 9, 2006

AOL/GoodMail - The Internet's First Email Tax

The "Fight for Internet Neutrality Principles" has moved into the e-mail system.

Ahh, back in the day. I remember when friends would tell me about how the Postal Service was going to impose a 5 cent surcharge on every e-mail message sent via the Internet. I used to laugh and just say "Ohh that is just an urban legend".

Well, sometimes the truth is scarier than legend. Change "Postal Service" to "AOL/Yahoo" and you are pretty close to truth.

AOL and Yahoo have decided that creating "mail classes" is the next best way to fight spam. They believe that by charging companies just factions of a penny, that they can cut spam. Factions of a penny? That isn't alot? Do you remember "Office Space"? It is alot....really alot.

I am not so sure that I agree with this method. Sounds like a way to make extra money, pretend they are doing something about the spam problem and a great way for other companies to spam directly into your inbox all the time by bypassing spam filters.

It also sounds like a GREAT reason to drop AOL for a better ISP, like you should have done years ago IMHO. If the systems doesn't catch on like expected, AOL may be running their own customers away. Kinda like Sony and the RIAA.

The New York Times had a great article on this very subject earlier this month. "AOL users will become dissatisfied when they don't receive the e-mail that they want, and when they complain to the senders, they'll be told, 'it's AOL's fault,' " said Richi Jennings, an analyst at Ferris Research, which specializes in e-mail.

AOL and Yahoo will be using Goodmail Systems’ processing system to collect the electronic postage and verify the identity of the sender. AOL will be implementing the system in the next two months, while Yahoo will be trying the system out, and has not yet decided how paid vs. unpaid mail will be treated.

Supporters of the system, say it is just like preferred mail classes at your post office. People against the system say it is only going to hurt customers and will be another nail in the "internet e-mail" coffin.

David Stanley, vice president and managing director of messaging security company CipherTrust, said the plan was "a ridiculous idea" and "nothing more than a money-making idea that will not stop spam but will give account holders free reign to send all sorts of 'authenticated' mail."

Umm, I guess the people of the world will have to get together, buy all the dark fiber and create an Open Source Internet. ;)

Wednesday, February 8, 2006

IE7 Beta Breaks Google AdSense

BetaNews - Developers testing out the latest version of Internet Explorer 7 are discovering a nasty flaw -- the browser seems to be incompatible with Google's AdSense advertising service. Although the problem seems limited to those running IE7 Beta under Windows XP, it still has some developers worried. For many, AdSense has become the de facto method for generating revenue for their sites. Google generates over $2 billion in revenue yearly from the program alone.

"Considering that by the end of the year, IE7 should be available for almost all versions of Windows, unless Microsoft wants to face the ire of developers everywhere, it had better fix this," Nathan Weinberg of the InsideGoogle Web log wrote Wednesday. Although it is unknown as to why this is occurring, it is suspected it may have to do with how IE7 now handles JavaScript. Microsoft could not be reached for comment.


Add this little piece of information with the rumors of Vista being released on Dec 1st and you have a adsense money problem in the making. =)

I guess Microsoft can fix this issue when they fix the Remote Code Execution buffer overflow flaw found on several weeks ago.

WMF Vulnerability Returns for IE5

Microsoft issued a new security advisory yesterday. Yet another WMF vulnerabilitiy.

(91333) Vulnerability in Internet Explorer Could Allow Remote Code Execution

This new advisory only relates to the following two cases :

1) Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4
2) Internet Explorer 5.5 SP2 on Microsoft Windows Millennium

Note - This is not the same issue as the one addressed by MS06-001

Secunia Advisories (SA18729) - Highly Critical - System Access

Candidate CVE-2006-0020

It would appear that this might be connected to the flaw pointed out by HD Moore on the FunSec mailing list in Jan.

More where that came from. The fun thing about these is that they DO apply to Windows 96, 98, 2000-2003, Vista. You can trigger it via RTF, directly inside IE, and anything else that loads metafiles. A fun bug you can find in a certain WMF parsing application...:

uint_size = wmf_header.size * 2;
ptr = malloc(uint_size);
read(fd, ptr, uint_size - sizeof(wmf_header));



Upgrading to IE 6 SP1 is the suggested action on Windows 2000 SP4 and Windows ME

No patch for the older IE5. My suggested action would to get off Windows ME as soon as possible. The Win9x kernel is dead as dead...

Science: NASA Appointee Resigns

NYTimes.com - George C. Deutsch, the young presidential appointee at NASA who told public affairs workers to limit reporters' access to a top climate scientist and told a Web designer to add the word "theory" at every mention of the Big Bang, resigned yesterday, agency officials said.

Mr. Deutsch's resignation came on the same day that officials at Texas A&M University confirmed that he did not graduate from there, as his résumé on file at the agency asserted.


Mr. Deutsch, 24, was offered a job as a writer and editor in NASA's public affairs office in Washington last year after working on President Bush's re-election campaign and inaugural committee, according to his résumé. No one has disputed those parts of the document.

According to his résumé, Mr. Deutsch received a "Bachelor of Arts in journalism, Class of 2003."

Yesterday, officials at Texas A&M said that was not the case.

"George Carlton Deutsch III did attend Texas A&M University but has not completed the requirements for a degree," said an e-mail message from Rita Presley, assistant to the registrar at the university, responding to a query from The Times.

Repeated calls and e-mail messages to Mr. Deutsch on Tuesday were not answered.

Mr. Deutsch's educational record was first challenged on Monday by Nick Anthis, who graduated from Texas A&M last year with a biochemistry degree and has been writing a Web log on science policy, scientificactivist.blogspot.com.


All political comments aside, how can a person work for the President and then for NASA and no one checks on their college degree??


Tuesday, February 7, 2006

Verizon: We're Ending Google's "Free Lunch"

NetworkingPipeline Blog – “One more member of the Telco mafia has threatened Google with a bandwidth cutoff. Verizon senior VP and general counsel John Thorne told a conference that Google "is enjoying a free lunch," by using Verizon's network, and issued a veiled threat to cut off Google's bandwidth. “

Needle in the Neutrality Haystack that Telecos intend to burn.

All Your Data Belong to Us

Man, have the reports of data leakage been crazy the last couple of weeks. Here are some of the highlights...

1) Guardian Unlimited (Feb 7th) - Russian thieves have stolen more than €1m (£680,000) from personal bank accounts in France using "sleeper bugs" to infect computers. French authorities claim the thieves can take control of and empty a bank account in seconds. In one hit, a bank customer lost €40,000.

Police say the virus is embedded in emails or websites and remains dormant until the user contacts their bank online. When that happens, the bug becomes active and records passwords and bank codes which are then forwarded to the thieves. They then use the information to check the victim has money in the bank before transferring funds to the accounts of third parties, known as mules, who may have agreed to allow money to pass through their accounts in return for a commission of between 5% and 10%.

2a) Boston Globe - It has come to our attention that consumers are receiving telephone calls from companies offering to assist them prevent credit card fraud. These companies, including one calling itself the “National Verification Office”, are asking consumers to provide the credit card or bank card information the consumer used to pay his or her Boston Globe or the Worcester Telegram & Gazette subscription. These companies are NOT AFFILIATED with the Boston Globe or the Worcester Telegram & Gazette.

2b) Boston.com (Feb 1st) - Credit and bank card numbers of as many as 240,000 subscribers of The Boston Globe and Worcester Telegram & Gazette were inadvertently distributed with bundles of T&G newspapers on Sunday, officials of the newspapers said yesterday.

3) Networkworld.com (Feb 6th) - A small Lockport, Manitoba-based distributor of herbal remedies has for the past 15 months been mistakenly receiving faxes containing confidential information belonging to hundreds of patients with Prudential Financial's insurance group. The data exposed in the breach -- and faxed to the company by doctors and clinics across the U.S. -- included the patients' Social Security numbers, bank details and health care information.

4) InfoWorld.com (Feb 6th) - Honeywell International Inc. says a former employee has disclosed sensitive information relating to 19,000 of the company's U.S. employees. Honeywell discovered the information being published on the Web on Jan. 20 and immediately had the Web site in question pulled down, said company spokesman Robert Ferris.

5) Networkworld.com (Jan 27th) - About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records.


As you can tell, data loss comes in many forms.

Thieves stealing backup tapes, normal people making mistakes, old employees taking some anger out for kicks, and organized groups of hackers (perhaps even foot soldiers of Russian organized crime group).

Now just think about all the cases that are not reported....yeah - exactly.

WDRaptor X - World's First Clear Cover Hard Drive

Ok, it isn't the "first" hard drive to have a window, but it is the first to be available right from the manufacturer.

The old way of doing the HD windows included a zip-lock bag, time, glass, cutting tools and other equipment to open the drive. Sometimes this process would kill the drive, sometimes it wouldn’t. It is important to also note that this reduces the drives shielding from magnetic damage - this may have kept the WDRaptor X window small.

In college, I was all into hardware modding. I created a custom windowed CD-ROM, created a dual-windowed aluminum case, glow-in-the-dark cables and created my own custom CPU fan. Ahh, those were the days. Once you could buy a windowed computer with lights at CompUSA, I knew it was time to move on.

Pre-Order your WDRaptor X 150GB 10k RPM for $350

Toms Hardware has a write-up on the new WDRaptor X as well.

US DoD - Quadrennial Defense Review Report

Recently, the United States Dept of Defense released it Quadrennial Defense Review Report (pdf).

The report singles out India, Russia and China as "major and emerging powers" in Asia. However China is singled out on page 29 has the "greatest potential to compete militarily with the United States and field disruptive military technologies that could over time offset traditional US military advantage abset US counter strategies.

I don't see this sentence as unreasonable. The DoD is making any assessment of powers in the region and China is one of the biggest and less understood by the US government.

But China doesn't seem to really like the words used in the report.

See the Feb 3rd, QDR Pentagon Briefing in video or plain audio.

Monday, February 6, 2006

Internet Neutrality - US Senate Commerce Committee

Today the US Senate Committee on Commerce, Science & Transportation held a full hearing on the subject of "Net Neutrality".

I was unable to watch this hearing because of work, but I will be watching for updates.

This issue was summarized in a Jan 18 blog titled "The Fight for Internet Neutrality Principles".

During the week in Jan, the blogosphere was filled with stories about it - Jeff Pulver blog and of course Vint Cerf's Official Google blog.

Bluetooth Stack Vuln on Sony/Ericsoon Cellphones

This is exactly why I have bluetooth disabled on my black Moto. Just posted to the FD Security list.


[Software affected] Bluetooth Stack on Sony/Ericsson cell phones

[Version] Sony/Ericsson K600i, V600i, W800i, T68i and certainly other models

[Impact] Bluetooth Stack Denial of Service (may be more - may be a rootkit :) - Phone DoS (reboot or shutdown) - White screen bug (freeze sleeping)

[Credits] Pierre Betouin - pierre.betouin@infratech.fr - Bug found with BSS v0.6 GPL fuzzer (Bluetooh Stack Smasher)

BSS could be downloaded on http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] notified now

[Original advisory]

[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth6.shtml

[PoC usage]
# ./reset_display_sonyericsson 00:12:EE:XX:XX:XX

A short raw L2CAP packet such as :
08 01 01 00
It represents the following L2CAP header fields :
ident 1
length 1
The "real" packet sent is, in fact, 4 bytes long.
The DoS can be triggered when the length sent in the L2CAP field is equal to the real length minus 3 (which is the size of the L2CAP header here).


Independent Security Testing for DRM Software

It appears that SunComm has agreed to submit all future versions of its MediaMax DRM software for independent security testing in an effort to weed out any further vulnerabilities.

For those just tuning in to the story, late last year SunComm's MediaMax software was discovered covertly installing itself and leaving PCs vulnerable to attack.

SunComm hopes to reduce any future legal problems by using the independent software review model.

From the BBC article, it sounds like that testing might be headed by the EFF, which is good news. The EFF will look for security issues but will keep customer rights in mind at the same time.

But shouldn't the big record labels also have customer rights in mind? I would have said "yes" before the whole XCP/MediaMax incident. However it became very clear that security of their customers was pretty low on the DRM list of "things to do".

Will First 4 Internet, makers of the XCP DRM, make the same "good faith" move??

Should SunComm do this work in-house instead of using a non-profit group to secure their software??

Either way, this good is a positive step in protecting customer rights in the face growing DRM use.

Super Bowl XL Commercials on Google Video

Just in case you missed a commerical or two yesterday, Google is hosting them all on a special Google Video page.

Sunday, February 5, 2006

Science: When Giant Octopus Attacks

Just saw this on Bruce Schneier's blog. Wow!

Here is the full video via Google.

Friday, February 3, 2006

Keep your Applications Updated or else....

1) If you aren't on Winamp 5.13 yet, get it now. Remember the extremely critical system access exploit that was released for it. Well the exploit posted for this vuln is not being used to push spyware. It didn't take very long.

2) Get your Firefox updates. Firefox was released recently. It fixes several highly ciritical security issues. Improvements include - better support for OS X, several memory leaks are fixed and several other security enhancements.

3) Recently, some vulnerabilities have been reported in Thunderbird, which could result in compromise of the user's system. Recommended workaround is to disable JavaScript.

4) Disabling JavaScript is also the only workaround for the vulnerabilities reported in the Mozilla suite as well.

Word Around the Campfire is...

Well, it is friday. As FatBoy Slim said - the weekend starts here....

1) eWeek.com is reporting that the WMF exploit was being sold in the middle of Dec 2005 on the Russia computer underground for $4,000 a pop.

2) Blue Boar posted information about a new project on the FunSec Mailing list this morning. The "mwcollect Alliance". Mwcollect is honeypot type program that can be ran in Linux or BSD to collect worms/bots and other bad stuff from right off the internet. Pretty cool sounding. After I move and get settled into my new place, I might have to play around with mwcollect.

3) Today is Feb 3rd. The day that CME-24 is set to attack full force. There have been initals reports from Indian about large volumes of e-mails and larger than normal to support centers, but initals reports always sound worse than truth.

Randy Abrams has a great blog about the work put into fighting the CME-24 threat. The TISF Blackworm task force worked very hard to reduce the damage worldwide. Good work guys. That "good work guys" also goes to Microsoft. =)

Watch for updates on the following sites.
ISC SANS & SecuriTeam Blog

While the global infection number of 300k isn't alot, it might hurt some of the top infected nations. We can only wait and see...no matter the outcome. We will still all be back at work on Monday - maybe even with a "case of the Mondays"

Thursday, February 2, 2006

CME-24 Worm - The Black Cloud

Well, tomorrow is the 3rd. The payload trigger for CME-24.

As it stands right now - India, Peru, Italy and Turkey will be hit harder than the US.

On Jan 27th, I blogged about how Microsoft's was not going to release an updated Windows Malicious Software Removal Tool before "D-Day". They stated this again on Jan 30th in this Anti-Malware Engineering Team blog, but they do remind us that the Windows Live Safety Center Beta will remove the threat.

They could had just said - "Yeah, we can save some of you, like we did for Zotob, but we really need you to test our new beta products - Safety Center and OneCare. Thanks".

I agree that Safety Center is a great free website. I will all my friends about it. It provides much more than just malware removal as well. Microsoft created it and they did a very good job.

But why not take the extra step while there was still time?

Remember they rushed out a new version of the Windows Malicious Software Removal Tool in August for the Zotob worm. Why not now? It is true that 300,000 people isn't anywhere near the numbers that could have been attacked by Zotob, but still.

Why not now? Microsoft, please tell me it isn't to get people on your beta programs...please...get me something. Anything.

Blue Light Reduces Melatonin Production

I was scanning over my Google Reader this morning and found this very cool Digg.com article. A small study, sponsored by National Space Biomedical Research Institute, suggest that subjects exposed to short-wavelenght light (aka blue light), are immediately perked up.

Very interesting. Back in a former part of my life, I was very into chromotherapy and Ayurvedic medicine in general. I am Pitta for the record. ;)

Anyways, lets get into the details of this blue idea.

1) In chromotherapy, Red is said to increase the pulse rate, to raise the blood pressure, and the rate of breathing. Perhaps this is why we always see red lights on planes in military movies, who knows.

2) Back in 2001, neuroscientists at Jefferson Medical College clarified how the human eyes uses light to regulate melatonion production. George Brainard, Ph.D. was a professor of neurology at Jefferson Medical College of Thomas Jefferson University in Philadelphia.

Remember that name ;)

Melatonin is a hormone produced in the pineal gland and also by the retina. It is commonly used against insomnia, jet lag and other types of sleep misalignments. In simple terms, melatonin makes you sleepy.

In the study, they looked at the effects of different wavelengths of light on 72 healthy volunteers, exposing them to nine different wavelengths, from indigo to orange. Subjects were brought into the laboratory at midnight, when melatonin is highest. The subjects’ pupils were dilated and then they were blindfolded for two hours. Blood samples were drawn.

Next, each person was exposed to a specific dose of photons of one light for 90 minutes, and then another blood sample was drawn. Wavelengths of blue light had the highest potency in causing changes in melatonin levels, he explains.

So bascially, certain light colors effects the production of melatonin in different ways. Very cool.

Now, if they can find the light color that inhibits serontonin reuptake in the synaptic terminls of neurons. That would be cool. Colored light should be much better on the body than ecstasy (MDMA), cocaine, and man-made TCAs.

Wednesday, February 1, 2006

Humor: Adages of the Internet

According to Wikipedia, adages are short, but memorable sayings, which hold some important fact of experience that is considered true by many people, or it has gained some credibility through its long use.

I was reading up on Moore's Law and started to think about all the weird Murphy's Law variants that my friends and I used in college. So, I started to dig. Wikipedia has a pretty good list going and I can only laugh when I read them.

Here are some of the better ones:

  • Murphy's Law - "If anything can go wrong, it will." - So true. I first heard about this law in college programming but by the end of college, it make so much sense (on many different levels)
  • Occam's Razor - "Given two equally predictive theories, choose the simpler." - Perfect example of not following this? Steve Gibson and the WMF exploit. Need I say more...
  • Hanlon's Razor - "Never attribute to malice that which can be adequately explained by stupidity. " - It is commonly said that people are the weakest security link, but why? Well this Jinx.com t-shirt says it all.
  • Parkinson's Law - "Work expands so as to fill the time available for its completion. " - Anyone that has ever worked in the corporate world, knows this is true. =)
  • Godwin's Law - "As an online discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches one." - Anyone that has watched a security mailing list has seen this happen right in front of their eyes.
  • Amara's Law - "We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run. " - Happens all the time.

I am sure there are more floating around the internet today. Anyone have any to add??

Fyodor on Nmap 4.00

Great Fyodor interview over at SecurityFocus. He goes over several of the new features in detail. Very good read for those that love Nmap.

Former SoC student Zhao Lei is working on the second generation of OS detection, which will use many new tricks. Nmap 4.00 uses application heuristics along with TCP/IP fingerprinting. Cool improvement.