Friday, March 31, 2006

Fun: CmdrTaco - Lost his Mind?

CmdrTaco has been acting strange over at Slashdot. And now the whole site is PINK. Yep, Pink...an early April Fools' joke or just trying to find the lady geeks among the sea of males, who knows. But it looks damn funny. =)

Exploits, Exploits, Exploits

A new, faster createTextRange exploit was released on

/***
 * This one is faster than all released createTextRange exploits
 * because it uses the last version of SkyLined's heap spraying code,
 * special 10x goes to him.
 **/

Also, a new, untested Windows Help heap overflow was released by c0ntex on the FD security list.

There is a heap based buffer overflow in the rendering engine of .hlp files in winhlp32.exe which will allow an attacker the possibility of modifying the internal structure of the process with a means to execute arbitrary and malicious code. By modifying the value of an image embedded within a .hlp file, (tested with ? image and [] button images) it is possible to trigger this bug and overflow a static buffer that is defined for data sections of the .hlp file. This grants the attacker the ability to perform an overwrite of block(n) and the following blocks' control data.

It should be possible to perform this attack remotely by embedding the .hlp file into an HTML page and tricking a user into clicking the link, granting remote access to the system with the permissions of the user who executed the help file.

Hurting Phishers Through Dilution

RSA Security's Cyota division is helping fight phishing attacks by giving the online fraudsters what they want: a lot of usernames, passwords, online-banking credentials and credit card numbers.

Very cool idea. This has been used against e-mail harvesting groups for some time, but I would guess this will be much more effective. On the lower right of my blog, you will see a “Spam Poison” icon. This website has been using the “dilution” anti-spam technique for quite some time.

Polluting e-mail harvest lists is good, but this technique can easily be offset by other harvesting techniques (DHA, etc.).

I commonly fill in phishing sites with fake information just to learn about how it is using the data and to examine the complexity of the site. I have since seen phishing sites that would verify the Paypal username and password before giving you access. Crazy stuff.

Now if someone would just create an open source tool that generates fake identities and can be customized to force-feed information to phishing sites.

Here is the full story on this subject.

Wednesday, March 29, 2006


DRM won't protect the music and film industries from illegal file sharing, researcher says. I know that, you know that; now who is going to tell the corporations of the world with all the money THAT still think it works...

Here are a couple of quick links I found for all you iPod users.

1) Changing the Default Graphics
2) Hacking the iPod Nano
3) Turn Your iPod into a Universal Remote
4) Stripping DRM from Music on iTunes
5) Heaps of Geeky iPod Hacks

I am sure there are more...but I will assign the rest of the research for homework ;)

Iran Cracks Down on the Blogosphere

As bloggers living in the USA, we cannot forget our brothers and sisters in other parts of the world who do not have the freedom that we take for granted every day.

"Dozens of Iranian bloggers have faced harassment by the government, been arrested for voicing opposing views, and fled the country in fear of prosecution over the past two years."

Tuesday, March 28, 2006

Determina Releases Workaround Patch for IE Hole

Alexander Sotirov of Determina posted this message to the DailyDave security list.


It seems like the IE 0-day generated a lot of activity among the HIPS vendors this weekend. We at Determina spent the weekend working on a fix for the IE createTextRange() bug.

It's finally ready for download, including full source code - here.


MD5: 85b8bfc1c30c6b4451a3ab803f49708b
SHA1: 308ae9a79e48adecf769fd50ac29ddc37a07d33c

It supports all versions of IE 5.01 and IE6. The fix is a DLL that gets injected into all applications via the AppInit_DLLs registry key. The DLL fixes the bug by patching a _single_ byte in MSHTML.DLL when it is loaded in memory. This change makes the createTextRange() function return an error code instead of returning 0. This is exactly how the problem was fixed in the latest IE7 beta from March 20th.

If you are interested in the analysis of the bug, check out the comment before
the patch_module() function in CVE-2006-1359.cpp.

16 more days until the Microsoft patch.


So everyone but MS is going to release a patch? At least Microsoft will have some patch data to use....

Monday, March 27, 2006

eEye Releases Workaround Patch for New IE Hole

Marc Maiffret, co-founder and CHO of eEye Digital Security, released the following statement on the FD mailing list tonight.

eEye Digital Security has created a temporary work around for the current Internet Explorer zero day vulnerability within the IE createTextRange functionality.

This workaround has been created because currently there is no solution from Microsoft other than the workaround to disable Active Scripting. We have personally had requests from various customers and the community to help provide a free solution in the case that companies and users are not able to disable Active Scripting. The workaround we have created, like ones before it, is experimental in a sense and should only be installed if you are not able to use the safer mitigation of disabling Active Scripting.

The workaround is obviously free, and we do not require any registration information to download it from the eEye website.

Should you encounter any problems with the workaround or bugs please send email to with detailed information on the problem you experienced and we will work to fix any bugs in a timely fashion. We will post updates to the website with version numbers and bug fixes should they arise.

Obviously these things are experimental in nature but considering the options of being vulnerable or at least having a fighting chance... Well I think you get the point. Again this is just another mitigation option until Microsoft releases their patch, which last was scheduled for April 11th or 16 days from now.

For more information on the vulnerability and a link to download the workaround please visit:

Very cool stuff.

eEye has gone out of their way to release this test workaround. Since Microsoft doesn't see this as a big enough threat to release their patch...someone has to do something.

Microsoft doesn't want to release the patch "out of cycle" because that will throw corporations for a loop, but it isn't the corporations that are at the highest risk, so what is the deal? It is home users that are getting rootkit’d and botnet’d...where is their patch? Corporations have firewalls and 24-hour security employees keeping everything up to date...what does Microsoft expect my parents to do??

Why does Microsoft keep forcing people to suggest a move to Firefox?? Umm, and they wonder why Firefox keeps gaining ground on them…

For all you security professionals or general geeks, here is how the patch works.

Post to the PM list today by Derek Soeder of eEye Security
Once you start installing the patch, the first thing that happens is that the installer copies the JSCRIPT.DLL already existing on the system to "%SystemRoot%\system32\jscript-eeye-patch20.dll". Next, it locates and patches the vulnerable code inside jscript-eeye-patch20.dll, using a generic technique that finds the vulnerability on every system we've tested (a LOT). This allows the patch to be applied on all affected OSes, Service Packs, IE versions, and languages.

So, to emphasize, the original JSCRIPT.DLL is never modified. But how do we get Windows to use our patched version instead?

There are three places in the registry where JSCRIPT.DLL is registered as a COM server -- the following three class IDs under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID:

Once jscript-eeye-patch20.dll has been successfully created and patched, the installer modifies the default value of the "InprocServer32" subkey under each of these CLSIDs to refer to the patched DLL instead of JSCRIPT.DLL. This change won't affect any already-open Internet Explorer windows, or any other process with JSCRIPT.DLL already loaded, so they're still vulnerable while running, but will cause new processes to use jscript-eeye-patch20.dll and therefore be immune.

Of course, the installer preserves the old values, and will replace them when the patch is uninstalled. But as long as these registry values are set, jscript-eeye-patch20.dll will basically eclipse the Microsoft JSCRIPT.DLL on the system, so once that hotfix finally comes out, any changes it makes to JSCRIPT.DLL will be ineffective as long as the eEye patch remains installed. This is important because history strongly suggests that the MS hotfix will silently fix other unrelated vulnerabilities as well as the createTextRange bug.

To remedy this, the installer places an "eEye JScript Patch Checker" in All Users' Startup folder, that checks the file dates on MSHTML.DLL and JSCRIPT.DLL to see if they're replaced by more modern versions. Part of the problem with the official patch not being available yet (besides the obvious) is that we don't know for certain which files Microsoft will update, or what their dates or versions will be. Unfortunately, this part involves a bit of guesswork, so we use the date that the first IE zero-day appeared (March 16th) as the cutoff -- if either DLL we inspect has a date later than that, then the checker will begin asking the user if he'd/she'd like to uninstall the patch.

Here's the message box text:

"This system appears to have the official Microsoft hotfix for the Internet Explorer createTextRange() vulnerability installed. If the hotfix is not installed, or if you are uncertain, please select No and ask your system administrator or computer support staff for assistance.

Would you like to uninstall the eEye Digital Security JScript patch now?"

Rather than relying on the checker, though, to detect the presence of the Microsoft hotfix, please uninstall the eEye patch *before* installing the hotfix! That's the only way to ensure that you don't experience any conflicts like a new MSHTML.DLL trying to talk to the older-model jscript-eeye-patch20.dll. Hopefully there will be no such conflicts, but until the hotfix is released it's impossible to say for sure.

Check out the source as well.
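The two workarounds described above both work by changing what the registry points Windows at: Determina's fix rides the AppInit_DLLs key, and eEye's redirects the JScript COM registrations (InprocServer32) to a patched copy of the DLL, which is exactly why Soeder warns that a later Microsoft update to JSCRIPT.DLL would be silently eclipsed. Here is an added example, not eEye's or Determina's code, that audits an exported .reg file for both conditions and reproduces the eEye checker's date heuristic. The registry export, the CLSID values and the DLL names in it are constructed placeholders; the real JScript CLSIDs are not reproduced in the post above.

```python
"""Audit a .reg export for redirected COM servers and AppInit_DLLs injection.
Added example; the sample export below is constructed, not a real system."""
import re
from datetime import date

# Constructed sample export. The CLSIDs are placeholders, not the real JScript
# class IDs, and the AppInit DLL name is a placeholder as well.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{PLACEHOLDER-CLSID-1}\InprocServer32]
@="C:\\WINDOWS\\system32\\jscript-eeye-patch20.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{PLACEHOLDER-CLSID-2}\InprocServer32]
@="C:\\WINDOWS\\system32\\jscript-eeye-patch20.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{PLACEHOLDER-CLSID-3}\InprocServer32]
@="C:\\WINDOWS\\system32\\jscript.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\placeholder-hotpatch.dll"
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"[^"]+")="(.*)"$')


def parse_reg_export(reg_text):
    """Return {key_path: {value_name: data}}; the default value is stored as '@'.
    Only REG_SZ values are handled, which is all this audit needs."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1).strip('"')             # '@' stays '@'
            data = m.group(2).replace("\\\\", "\\")  # .reg files double backslashes
            keys[current][name] = data
    return keys


def inproc_servers(keys):
    """Map CLSID -> DLL path for every CLSID/{clsid}/InprocServer32 key."""
    servers = {}
    for path, values in keys.items():
        parts = path.split("\\")
        if (len(parts) >= 3 and parts[-1].lower() == "inprocserver32"
                and parts[-3].lower() == "clsid" and "@" in values):
            servers[parts[-2]] = values["@"]
    return servers


def redirected_servers(servers, expected_dll="jscript.dll"):
    """CLSIDs whose in-process server is not the expected system DLL. While any
    entry is in this state, an update to the real DLL is never loaded by new
    processes (the eclipsing effect described in the post)."""
    return sorted((clsid, path) for clsid, path in servers.items()
                  if path.rsplit("\\", 1)[-1].lower() != expected_dll.lower())


def appinit_dlls(keys):
    """DLLs that Windows injects into every process that loads user32.dll."""
    windows_key = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
                   "\\CurrentVersion\\Windows")
    data = keys.get(windows_key, {}).get("AppInit_DLLs", "")
    return [d for d in re.split(r"[ ,]+", data) if d]


def hotfix_likely_installed(mshtml_date, jscript_date, cutoff="2006-03-16"):
    """The eEye checker's heuristic, dates as YYYY-MM-DD strings: a DLL dated
    after the first 0-day is assumed to be the official hotfix. As the post
    admits, this is guesswork until the real hotfix file versions are known."""
    to_date = date.fromisoformat
    return (to_date(mshtml_date) > to_date(cutoff)
            or to_date(jscript_date) > to_date(cutoff))


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG_EXPORT)
    for clsid, path in redirected_servers(inproc_servers(keys)):
        print(f"redirected COM server {clsid} -> {path}")
    for dll in appinit_dlls(keys):
        print(f"AppInit_DLLs injects {dll}")
```

Run against an export of a real machine, the redirected-server check is what tells you whether uninstalling a workaround like this one is still outstanding before the vendor hotfix is applied; the AppInit_DLLs check surfaces anything that injects itself into every process, legitimate hot-patch or not.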

Sunday, March 26, 2006


In the eyes of the general public, DRM software stops them from doing what they want to do with a product they have purchased.

The record industry in America is feeling the backlash of the Sony DRM issues, but what about the rest of the world?

From -

Brazilian mega-star Marisa Monte's new CDs from EMI ("Infinito Particular" and "Universo ao Meu Redor") come with DRM that can't be uninstalled, and requires you to "agree" to a contract that isn't published in Portuguese. Even if you disagree, the malware is installed. The DRM blocks you from playing the CD on Linux and MacOS, and from loading it onto an iPod. This, just as the Brazilian government has launched a Computers for All initiative to distribute 1,000,000 Linux PCs, seems particularly contemptuous of the Brazilian people.

Also, check out this funny video by ZDNet Executive Editor David Berlind. He explains why DRM is CRAP and outlines why MS CRAP won't work with Apple CRAP and how Sony CRAP won't work with any other form of CRAP.

Moral of the Story - Don't buy any of that CRAP.

Instead of buying the CRAP filled iPod, buy the Pez MP3 Player.

Saturday, March 25, 2006

APWG Phishing Trends Report - Jan 2006

The Anti-Phishing Working Group has released their Jan 06 trend report - PDF.

No real surprises here. Bad guys are out in full force to rob you blind.

I think the APWG should list the top five domains that were reported. I know there are several domains that never take action when phishing is reported but this would help "call them out" and put them on notice for the world to see.

It is kinda sad that the US is still the highest on the list.

Fun : Trouble at the OK Council

Ok, I saw this article as I was leaving work yesterday and couldn't get over it. Crazy! Much props to Johnny Hughes of for keeping his cool.

Make sure you read the full e-mails and then you will know why Johnny deserves a round.

It is very clear that Mr. Taylor has no idea what Linux is or how it works. CentOS is one of the best Red Hat Enterprise Linux clones on the internet. I have used it myself for many years on non-critical production servers.

Normally I wouldn't post things of this nature....but Taylor wanted it in the public eye.

"I have no fear of the media, in fact I welcome this publicity." - Jerry Taylor

But I have to give a hand to Jerry as well, he may not have been very familiar with Linux but he was working hard to protect the people in his town. I would hate to be a hacker going head to head with Jerry - that is for sure =)

Friday, March 24, 2006

Attackers Use New IE Hole to Spread SpyBot -


Researchers have spotted a first exploit for an "extremely critical" vulnerability in Microsoft's Internet Explorer.

Visitors to the infected website will automatically be infected with a new variant of the Spybot worm. The malware opens a backdoor on the system and attempts to lower the security settings, effectively turning infected systems into zombie computers.


Now you know why I was talking about this very fact yesterday in my blog. So should I use the IE 7 Refresh or just use Firefox?? Umm..

Oh wait, Microsoft suggests I disable ActiveX altogether. Wait, isn't that the only reason I use IE? They might as well suggest that I just use Firefox.

This event has caused the SANS Internet Storm Center to move to Infocon - Yellow.

Microsoft wants to believe that the "bad guys" learn how to exploit IE from Microsoft patches...sorry guys, that just isn't always true.

Stop, drop, re-code.

New Data Loaded into Google Earth

From the Google Earth Blog - here is the official Google post about the new images.

It's now official! Google released new data for Google Earth on Thursday evening. Here's a summary of the updates found so far:
  • This new data is not in Google Local/Maps yet. But, Google says it will be later.
  • The basemap for the whole Earth has been changed to another source called TrueEarth. This new data looks better than the old one. Look at all the continents more closely. The colors are much more vibrant and green. (Read one of the comments below which explains more about the TrueEarth data)
  • Most of Germany is in high resolution
  • Some minor fixes to old data
  • It also appears many Tropical Islands are in higher resolution than before, this includes French Polynesia, some in the Caribbean and the Azores.
  • Even many of the Atolls in the Pacific Islands around French Polynesia are much sharper.
  • The beautiful shallow turquoise waters around the Bahamas have been put back
  • More of the islands in the Caribbean are in higher resolution (previously just fuzzy blotches) - e.g. some of the Grenadines.
  • New high resolution photos for parts of the Maldives Island group. I found this cool seaplane flying there. Here's a blog entry about the new Maldives photos.

Thursday, March 23, 2006

Thoughts on the New Remote Code Execution IE Hole

I was a little confused by how fast Microsoft reacted to the issue, but then it hit me. They knew about the issue already.


Timeline (as far as I can tell).

1) Stelian Ene calls attention to the known issue on the FD list at 09:13 and basically shows that it causes a DoS state.

2) Around 6 hours later, Computer Terrorism (UK) released a security advisory back to the FD list. The advisory stated that it was a "remote code execution" vulnerability and would result in "remote system access". But I still haven't seen any code.

Key part of the advisory is here however.

Vendor Status:
The Vendor has been informed of all aspects of this new vulnerability (including PoC), but as of the date of the document, this vulnerability is UNPATCHED.

Where is the code execution PoC??


So basically, Microsoft knew about the issue and had already started on fixing it. Microsoft even stated that it was fixed in the new refresh of IE7 Beta 2 announced at Mix '06 (March 20-22).

Ok, so when were they going to apply this fix to IE 6 SP2?? You know the browser that everyone and their grandparents use??

I have the sick feeling that if Stelian hadn't called attention to the issue, we would only have seen a patch once Microsoft "got around" to it - next patch Tuesday perhaps, maybe not.

But the DoS exploit has been around on the internet for some time. So Microsoft assumes that no blackhat group (aka crimeware gang) has made the "code execution connection" yet?

If they knew about the issue and had information that could protect people, why not release it when it was just a DoS exploit?? How many DoS exploits have to turn into code execution exploits before Microsoft shifts its view on this issue?

But now that the masses have their eyes focused on the issue, Microsoft wants to release a pre-patch advisory and help protect us with workarounds.

Geezz thanks. Why not release this workaround protection information when it was just a DoS??

I understand that non-public vulnerabilities are found and closed all the time and this really isn't much different - but the problem was fixed in IE 7 before it was fixed in IE 6.

I kinda have a problem with that.

Am I crazy or does this seem a little fishy??? Give me some feedback, I need more coffee.

Wednesday, March 22, 2006

Another Code Execution 0-Day for IE 6 & 7

Stelian Ene posted a message to the Full-Disclosure Mailing list this morning about a possible code execution issue on IE 6.

Several hours later, Computer Terrorism posted a Security Advisory for the same issue to the same mailing list. Full-Disclosure, of course.

The oldest known PoC for this exploit was discovered on by 'shog9' (or Joshua Heyer).

WARNING!! - Clicking this link will crash your IE - CrashIE.html

Anyways, Secunia has released an advisory on the issue as well. Giving it a "highly critical" rating. Microsoft is aware of the issue and working on a patch.

Will the patch be released out of cycle? I would hope so; this is an active exploit that has been confirmed to cause code execution in the latest version of IE.

Firefox 2 (Bon Echo) Alpha 1 Released

Here are some new features in Bon Echo Alpha 1 that require feedback:
  • Changes to tabbed browsing behavior
  • New data storage layer for bookmarks and history (using SQLite)
  • Extended search plugin format
  • Updates to the extension system to provide enhanced security and to allow for easier localization of extensions
  • Support for SVG text using svg:textPath
  • List of notable bug fixes

As always, this is an Alpha release and therefore several things will break (like themes, etc). Normal users of 1.x should not use Bon Echo Alpha 1.

Also, it would seem that a "serious" flaw was found in Firefox by a very sharp-minded lady. The flaw is so serious, she left her fiancé of 5 years. Good write-up and pretty funny. She found out about her fiancé's "extra" browsing habits and filed a Bugzilla report on the issue.


This privacy flaw has caused my fiancé and I to break-up after having dated for 5 years.

Basically, we share one computer but under separate Windows XP user accounts. We both use Mozilla Firefox -- well, he used to use it more than I do but now we don't really use it. The privacy flaw is this: when he went to log-in under his dating sites (,,, etc.), Mozilla promptly asks whether or not he'd like Firefox to save the passwords for him. He chose never, obviously. However, when he logged off his user account, and I logged onto my Windows XP account X amount of days later, I decided to use Firefox because hey -- it loaded everything much more efficiently, was better to work on with website designs and is a lot more stable than IE7beta2.

Firefox prompted whether or not I'd like it to save my password for logging into my website. I chose never and changed my mind. I went into the Password Manager to change the saved password option from Never to Always and that's when I saw all these other sites that had been selected as "Never Save Password." Of course, those were sites I had never visited or could ever dream of visiting.

Then I realized who, how and what... and sh*t hit the fan. Your browser does not efficiently respect the privacy of different users for one system.


So instead of other people getting to use this "flaw" to dump boyfriends, she wants it fixed. That is a true open-source security guru. Way to go Mary...or Jane or whatever ;)

Tuesday, March 21, 2006

FrSIRT - Victim of French Laws?

A couple of days after my first post on the issue of FrSIRT, I saw a hint on the internet that their actions may have been pushed by French law. FrSIRT closed their public exploit recently and now it seems that French law was the primary reason, or so they say.

Anyone in France want to shed some light on these laws? Are they just French copyright law, as suggested in the court case of Guillermito in 2002?

While they deny that it was for commercial reasons, I am sure it didn't hurt business any. Business is business, and exploits can ALWAYS be found outside of France.

Google Cache of FrSIRT Exploits

If you know of any other good sources (I can think of a few more Russian sites), shoot me a comment and let me know. I might make a little side bar list of them.

Monday, March 20, 2006

Fedora Core 5 - Coming out to Play

Well it would appear that Fedora Core 5 was given permission to "come outside and play".

According to the official release schedule, it was released today. I would try the BitTorrent links if you need it right now. Otherwise wait a few days for all the mirrors to update.

If FC5 is anything like FC4, it should be a pretty good hit.

Happy Birthday SANS Internet Storm Center (ISC)

Happy B-day guys, keep up the good work.

Posted by Marcus Sachs, Director of SANS ISC
In March of 2001, the Lion worm set in motion a series of events that resulted in the creation of the SANS Internet Storm Center. That was five years ago in an era when script kiddies were defacing web sites and launching endless DDoS attacks against each other. Worms were a pretty big deal, and bots were just getting started. Credit card theft was already happening, but "identity theft" had not become the big buzzword that it is today. That was also pre-September 11th and we had no idea what was in store for the planet later that year.

So on this anniversary of the Storm Center, I'd like to thank all of our volunteer incident handlers from over the years for their many hours of dedicated time, as well as extend a note of appreciation to the thousands of DShield sensor operators, the people who read our daily diaries, and those who participate in the various discussion forums. I'd like to also thank Johannes Ullrich for his tireless efforts to keep the electrons flowing behind the scenes, and the SANS Institute for paying the bills.

Since we all like to have contests, here's one that should be fun to do. Look back through your old email to the period around March or April of 2001 and see if you can find any notes that reference the SANS Internet Storm Center. If you can, forward them to us via the contact page above and we'll figure out who has the earliest one. We'll mention your name in a future diary if you want us to, or you can remain anonymous.

Happy hunting, and Happy Birthday Internet Storm Center!

Saturday, March 18, 2006

US Government Barely Improves on Cyber-Security

I am sure many of you have already heard about the yearly Federal Information Security Management Act (FISMA) reports on government cyber-security.

The government scored a D+ overall, with the Dept of Defense and Dept of Homeland Security in the lowest groups.

FISMA Report of 2005 (PDF)
FISMA Report of 2004 (PDF)
FISMA Report of 2003 (PDF)

Surprised? Not so much. I have been watching the Government Accountability Office (GAO) reports for quite some time now.

GAO Report on FAA IT Security

GAO-05-231 : Information Security - Emerging Cybersecurity Issues Threaten Federal Information Systems.
GAO-05-383 : Federal Agencies Need to Improve Controls over Wireless Networks
GAO-06-527T : Information Security - Federal Agencies Show Mixed Progress in Implementing Statutory Requirements
GAO-06-374T : Aviation Security - Significant Management Challenges May Adversely Affect Implementation of the TSA's Secure Flight Program

Basically, the government is like many of the large corporations of today. They are in a full sprint to CATCH UP. But the government has more red tape and management to deal with; is that a good excuse?? Hell no...

I don't expect them to fix everything in a year...but can we at least improve over last year??

DRM is Safe and Invisible to the User

DRM in MP3 files is safe and invisible to the user, right? Wrong.

When playing MP3s with DRM protection, most MP3 players will experience 25% less battery life. And we won't even get into the other performance issues found with DRM songs on MP3 players.

I think I am going to get the Pez MP3 Player. No special DRM software or special music uploading junk. Now if I can only get him to make a 1 or 2GB model.

Friday, March 17, 2006

Happy St. Patrick's Day

Well, it is that time again and it appears to be a lovely day for a Guinness.

Here is a collection of Irish Quotes.


"An Irishman is the only man in the world who will step over the bodies of a dozen naked women to get to a bottle of stout."
- Unknown

"God invented whiskey to keep the Irish from ruling the world."
- Ed McMahon

"May all who love the Lord, love you and those who don't love you, may the Lord give them a limp so you can see them coming. "
- Irish Blessing

" A light heart lives long."
- Irish Proverb

"A lie travels farther than the truth."
- Irish Proverb

"You've got to do your own growing, no matter how tall your grandfather was."
- Irish Proverb


Everyone be safe tonight and be smart.

Éireann go Brách (Ireland Forever)

Thursday, March 16, 2006

Windows XP on Intel Mac - Confirmed

Well, the contest is over. After submitting the files and steps needed to dual-boot OS X and Windows XP on an Intel-based Mac, he was awarded the $13,854 prize.

Engadget has more mirrors of the files as well.

Apple most likely isn't happy about this hack...but it will cause more people to buy Intel-based Macs overall. So perhaps they aren't too mad about hackers bypassing their security. ;)

If I had a Dime for Every Data Breach...

Register (UK) : Ernst & Young has lost another laptop containing the social security numbers and other personal information of its clients' employees. This time, the incident puts thousands of IBM workers at risk.

Ex-IBM employees are also affected.

The Register has learned that the laptop was stolen from an Ernst & Young employee's car in January. The employee handled some of the tax functions Ernst & Young does for IBM's workers who have been stationed overseas at one time or another during their careers. As a result of the theft, the names, dates of birth, genders, family sizes, SSNs and tax identifiers for IBM employees have been exposed.


I used to blog every data breach that I could find, but it is starting to get crazy. You could run a whole daily blog on just data breaches, so I stopped trying. However, I did find a very cool place that keeps up with them almost daily.

The Chronology of Data Breaches over at records every major public data breach since the ChoicePoint incident of 2005.

Now if I had a dime for every data breach on that list....

Wednesday, March 15, 2006

FrSIRT Closes Public Exploit Section

Larry Seltzer of sent this over FunSec today.

FrSIRT / Exploits and Codes
French Security Incident Response Team 24x7
- 15 March 2006 -

FrSIRT's public exploits section has been definitively closed.

Exploits and PoCs are now available to FrSIRT VNST subscribers only.

For additional information :


Well, it looks like they have pulled the ole Bait and Switch on the security community. Ohh well, forget them, at least PacketStorm is still around. =)

Tuesday, March 14, 2006

Fun: Chef Quits South Park!

Man this sucks. Who is going to teach the children??

Isaac Hayes has quit South Park, stating that he is unhappy with the jokes about religion in episodes of the hit cartoon.

So he is a Christian that has had enough? Not really.

Although Hayes has not pointed to one particular episode, it would seem that the jokes about Scientology – the legendary soul star’s religion – are what caused him to quit, as stated by South Park’s co-creator Matt Stone. "This is 100 percent having to do with his faith of Scientology," said Stone.

Massive Credit Card Fraud Ring Busted

Remember my blog about that mass credit card breach??

It would seem that the USSS and the FBI have been making progress.

Monday, March 13, 2006

Anti-Virus = Hidden Changes Hourly

In the Patch Management world, it is said that a patch could cause up to 10% failure on your network. Not bad when compared to a deadly worm or Russian hacker with a rootkit in your network.

Most PM Admins take the risk and do their job. They deal with the problems created by patching systems and go about their day. After all, you know what caused the problem and you don't have to worry about some hacker that dropped God knows what into your kernel.

But there is something else that is updated much more often and gets MUCH less attention. Anti-virus. Most AVs update hourly with new sigs and scan engines, therefore AV is changing almost every system on your network over 20 times a day. But how often do we think about this issue? Never, until it causes a problem.

Issues do happen and they can be quite blind-siding.

Norton update kicks AOL users offline - Mid-March 2006
McAfee issues bad DAT - Early March 2006.
Sophos issues bad update - Late February 2006.
Norton update causes Outlook problem - January 2006
TrendMicro update causes big problem in Japan - April 2005

I am sure there are many many more that go unreported in the media. I remember when Sophos detected a SAP client file as a virus and started to delete them. It wasn't big enough to hit the news, but it did cause my employer then some extra work.

90 to 99% of the time, the updates are just fine and never cause a problem. But it is an issue you should be prepared for. Setting your AV to automatically delete detected "viruses" isn't always the best idea.

Review your current AV policy and consider "Blocking Access" instead of "Deleting"...unless you are using Sophos but that is another blog. =)

OpenWRT Calls Sveasoft Out for GPL Violations

OpenWRT issued a statement recently that claims that Sveasoft has used OpenWRT code without giving back to the community, therefore in violation of section 4 of the GNU General Public License.

Section 4:

You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

So basically Sveasoft lost its license as soon as they decided not to play fair. Will this go to court? How will it stand in court? Are they still playing legal? Are they breaking the spirit of the license?

Sveasoft and OpenWRT both make firmware "upgrades" for the Linksys WRT54G wireless router. BUT NOT v5. Version 5 runs the real-time operating system VxWorks and all known hacks are useless.

I have one WRT54G running a once free Sveasoft firmware, works great.

Sunday, March 12, 2006

Jedi Training for Security Professionals

Security is a double-edged sword. During the 6th century BC, Sun Tzu said the following in "The Art of War":

So it is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.

I have always said that security professionals have to be right 100% of the time. They have to seal every hole and give attention to every possible threat. Attackers, however, need to be right only once. In the words of Sun Tzu, security professionals can't afford to "win one and lose one". Security isn't a checkbox on a compliance worksheet; it is an ongoing contest of good versus evil, black hat versus white hat.

Therefore a security professional must know their enemy as well as they know themselves. That is a tall order for most people, but it is possible. If you want to stop hackers, you must think like a hacker, you must problem-solve like a hacker, you must have the mindset of a hacker.

I joke with my friends and call security training - Jedi Training. But it really isn't a joke; you must learn to bring out that hacker mindset...the hacker force if you will.

So how do you do it? And where do you start?

Tough questions and there is no one answer. Some people have an inclination toward the hacker mindset from the very beginning. When I was little, I always wanted to take stuff apart and I had to know how things worked. I wanted to understand the world around me to the deepest level. Well that desire has now moved into the new age - the digital age.

The general public sees computers as tools, but they really do make the world around us. The money you keep in the bank is stored as a database value, nothing more. Your credit limit and rating is again a database value controlled by computers. All the information about you is stored and accessed via computers. You are who the computer says you are.

This stored information about you is the "truth" of your life. But that "truth" is controlled by computers....and those computers are controlled by people. Some good, some bad.

So how do you learn about security? Well, it requires a whole heap of reading and playing. If you don't like computers or you don't really like to read, then you have hit a wall right out of the gate.

Here is a collection of apps and websites that can help you in your quest for Jedi power.

Jedi Training Applications

Hacme Bank v2.20
Hacme Books

Jedi Training Websites
MindLock Security
Starfleet Academy (currently not working)

Jedi Training Books

The Art of Deception
The Art of Intrusion
Stealing the Network - The Series
Hacking Exposed - The Series
Rootkits - Subverting the Windows Kernel
Exploiting Software - How to Break Code
Google Hacking for Penetration Testers
Reversing - Secrets of Reverse Engineering
Security Warrior
Hacking - The Art of Exploitation
Silence on the Wire
The Shellcoder's Handbook
The Art of Computer Virus Research and Defense
OS X for Hackers at Heart
19 Deadly Sins of Software Security
Malware - Fighting Malicious Code
WarDriving: Drive, Detect, Defend - A Guide to Wireless Security
Know Your Enemy - Learning about Security Threats
Windows Forensics and Incident Recovery
plus many more.

Go. Read. Learn. Hack. Protect.

Thursday, March 9, 2006

Starbucks As the New Office

Well, it is lunch time and I am sitting at Starbucks...having my second latte of the day. I know...too much...but that is another blog. A little background on me before I get to the point.

Back in my college days, I worked in the coffee industry for several years, both in a family-owned Italian coffeeshop and at a wholesale coffee importer / roaster. It is nice to have fresh-roasted Jamaican Blue Mountain at your fingertips every day. Technocrat, focus...

Anyways, the coffeeshops of today remind me of the pubs of old Europe. People came together over drinks...had a good time and sometimes new products and services were created.

You can't go to Starbucks without seeing at least three laptops or someone on a hands-free device talking about work...or sometimes a wedding planning party (I saw one last night at this exact Starbucks).

Some people actually call Starbucks their "office".

A friend of mine used to work on a movie script at Starbucks every day....I saw him there for weeks on end...every day. He went to LA a couple of times...and I never saw him again.

Coffeehouses ARE the new office for many small businesses due to low-cost internet access and well-placed locations.

Well that is my crazy realization of the day. I am going to finish my coffee and get back to work.

Wednesday, March 8, 2006

Fun: Will Wright's "Spore" Game

I have to thank Fergie for this link. I am not a gamer...I have zero games installed on my computer. But I have a hacked XBOX and I play it like once a month....told you I wasn't a gamer.

However, I am a science / evolution guy and I have always loved science / RPG games.

Myst, SimCity, Civilization, Fable, Starcraft, Black & White, etc.

I even played SimFarm in the early 90s.

But "Spore" is in a new class. It is like taking all of the games above and rolling them together. The result appears to be a totally custom world, created by you. Your animal starts in the micro world and becomes macro. Hell, it becomes groups of macros. One very small multi-celled creature can become an entire city of animals. You grow, eat and change in this custom world of your own...a world that is filled with other animals and objects created by other gamers, yet not controlled by those players.

Basically they have built all of the world-editor tools into the game itself. No need to go to a fan website to get a custom character or a special add-on...it is all done inside the game.

You just have to watch the video. It is a little over an hour long...but it is WELL worth the watch. If you want to cheat and get right to the action, jump in at around 12 mins....then jump in again at around 30 mins.

Let me know what you think....

Massive Credit Card Breach - The Plot Thickens

Issue 1 - On Feb 10th, I blogged about a massive credit card security breach. At the time, little was known about the issue. VISA, MasterCard and several banks confirmed that a security breach at a US retailer was to blame. The name "OfficeMax" was thrown around. The FBI and the USSS were looking into the issue.

Issue 2 - In early March, people started to see issues with Citibank ATM cards in Canada, UK and Russia. At the time, they were told it was due to a possible security breach...nothing more. Citibank later issued a statement.

Two separate issues? Maybe not. - "Financial institutions around the country continue to issue warnings, the most recent this week by Citibank, which said it had spotted fraudulent withdrawals from U.S. accounts made in Canada, the United Kingdom and Russia. In each case, the banks have blamed a third-party company — in some cases, more specifically identified as a merchant or retailer. Speculation has been rampant that the source of the stolen data is office supply store OfficeMax, starting with an article last month in the San Francisco Chronicle indicating 200,000 account numbers had been stolen from the firm. OfficeMax denies it's to blame."

I guess we don't know anything for sure until the FBI and the USSS are finished with the issue. By the way, an undisclosed number of Verizon employees are now at risk of identity theft.

As a friend once said in a very good book.

You have money in the bank if a computer says so. Your blood type is what the computer says it is. You are who the computer says you are.

Symantec Kills L0phtcrack

After merging with @stake back in 2000 and then surviving the takeover by Symantec in 2004, the LC line of products has finally died. LC5 and LC4 have both been very good password crackers...and were held in high regard in the pen-testing world...but they are no more. Sad really.

Is this "thinning of the herd" going to kill other great products? Most likely. But business is business, right? Umm, I guess.

Monday, March 6, 2006

Mac OS X Hacking Contests

Last month, a blogger conducted an OS X hacking contest. Attackers were given local user access to a Mac running OS X and were asked to remove several directories or deface the running website. The contest ended 6 hours later.

The winner stated that he used a non-public vulnerability to gain root access to the Mac. But this isn't a true hacking test, is it?

I do agree that giving attackers local access does make the process MUCH easier, but it still sends a very powerful message. OS X has local privilege escalation vulnerabilities that are not public. They are not known by the vendor and not known by the public. However, Apple isn't alone in this class. Blackhats are constantly on the lookout for unknown holes in all operating systems. At least once a year, you will hear about some new critical zero-day vulnerability that affects Windows users.

But what about hacking into OS X from the internet with no beginning access? What will happen? I don't know, but the University of Wisconsin plans to find out. They have started their own Mac OS X Security Challenge. It is slated to end later in March, so get to hacking. Go ahead.

Was Apple ready for this new surge of hacker attention? Only time will tell...

Friday, March 3, 2006

93,000 Students Warned After Laptop Theft

Same old story - unencrypted data on a laptop. It is likely that the person that took the laptop is just going to dump it for money, doesn't sound much like a data thief to me. However, who will get the laptop after that? A pawn shop? Who gets it after that? And for what reason?

That is the part that scares me.

Colorado college warns 93,000 after laptop theft

Laptops are seen as walking attack vectors in the internet security world....but in the real world even judges see unencrypted credit card information on a laptop as no real threat.

Interview with KF - Creator of the OS X InqTana Worm

has a great interview with Kevin Finisterre, creator of the InqTana worm. He has been an Apple user for a while and created the OS X malware in an attempt to pull back the thin veil that seems to be keeping many OS X users blind to possible threats.

InqTana was designed to be a POC and had built-in methods to reduce its overall threat. Therefore, many AV companies saw it as a "low" threat from the very beginning.

However on Feb 21, Sophos issued a bad IDE for the InqTana.B worm. At around 8am, I found that Sophos was detecting Epson printer drivers, Adobe files and even Microsoft Office 2004 files as the InqTana.B worm. I was 97% sure it was a false positive and reported it to Sophos as quickly as possible...within 45 minutes a new IDE was released. Fun Day! =)

Since Sophos isn't big on the "Quarantine" idea, it was deleting files as fast as the clients were automatically updated. While I agree with the general idea, I believe that disabling access to a possible malware file is much better than just deleting it by default. Since Sophos was deleting the files, it made it very hard to get a good sample file to send them...hello, they were deleted.

What if Sophos detects a critical non-running SAP file as malware? This has happened to me and we had to reinstall the SAP client on around 10 workstations...also not a fun day.
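To make the "block access instead of delete" point concrete (it comes up both in the bad-update post above and here), this is an added example of what a quarantine step looks like, written for this page and not code from Sophos or any other AV product. It moves a detected file out of the way, strips its permissions so nothing can open or execute it, and keeps a small JSON record (original path, SHA-256, detection name) so the sample can still be sent to the vendor or restored once the false positive is confirmed. The sample file contents, the quarantine directory layout and the detection name are all constructed for the demo.

```python
"""Quarantine instead of delete: keep the AV hit unreadable but recoverable.

Added example for this page; not the code of any real AV product.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large samples do not land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path: Path, qdir: Path, detection: str) -> dict:
    """Move a detected file into qdir and make it inaccessible.

    Unlike a delete, the bytes survive: the returned record carries the
    hash, original location and detection name needed to submit the
    sample to the vendor or to put it back after a bad signature update.
    """
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(path)
    dest = qdir / f"{digest}.quar"
    shutil.move(str(path), str(dest))
    os.chmod(dest, 0)  # no read/write/execute for anyone until restored
    record = {"original": str(path), "sha256": digest, "detection": detection}
    (qdir / f"{digest}.json").write_text(json.dumps(record))
    return record


def restore(digest: str, qdir: Path) -> Path:
    """Put a quarantined file back, refusing if it was altered while stored."""
    rec_path = qdir / f"{digest}.json"
    record = json.loads(rec_path.read_text())
    src = qdir / f"{digest}.quar"
    os.chmod(src, stat.S_IRUSR | stat.S_IWUSR)
    if sha256_of(src) != record["sha256"]:
        raise RuntimeError("quarantined sample was modified; not restoring")
    dest = Path(record["original"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dest))
    rec_path.unlink()
    return dest


def demo() -> dict:
    """Walk one false positive through quarantine and back (constructed data)."""
    work = Path(tempfile.mkdtemp(prefix="avdemo_"))
    sample = work / "client" / "sapgui.dll"          # constructed file name
    sample.parent.mkdir()
    sample.write_bytes(b"MZ constructed sample bytes, not real malware")
    before = sha256_of(sample)

    rec = quarantine(sample, work / "quarantine", "W32/Example-FalsePos")  # constructed detection name
    gone_while_quarantined = not sample.exists()
    stored = (work / "quarantine" / f"{rec['sha256']}.quar").exists()

    restored = restore(rec["sha256"], work / "quarantine")
    shutil.rmtree(work, ignore_errors=True) if False else None  # keep for inspection
    return {
        "gone_while_quarantined": gone_while_quarantined,
        "stored": stored,
        "restored_to_original": restored == sample,
        "hash_unchanged": before == rec["sha256"],
        "record": rec,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the record file is the part the post complains about: when the client has already deleted the hit, there is nothing left to send to the vendor and nothing to compare a later IDE against. With the hash and the bytes preserved, the false-positive ticket can go out in minutes and the restore is a one-liner.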

Will 2006 be the "Year of the OS X Exploits"??

I hope so for the sake and security of all OS X users. Real threats against Apple have been few and far between...but that trend is starting to change.

Awareness is key.

The Mac Faithful should remember this old Kenyan proverb -

Blind belief is dangerous.