Behind the Internet Wheels of Steel - Recording Live From Somewhere - Mixing the Fresh Beats of Technology, Intelligence, Science & Security together with the occasional bass-heavy break of Humor.
"There is no security on this earth, there is only opportunity"
- General Douglas MacArthur (1880-1964)
Sunday, April 30, 2006
Data Breaches - As Common As the HouseFly
In a security incident involving a Slovak National Security Office server, a large amount of data was downloaded by crackers, as the Slovak community website (www.blackhole.sk) reported on April 25th.
The crackers got access to and downloaded "20 gigabytes of emails, internal documents, directives etc.", as described, probably, by the authors of the attack. They got in thanks to weak security: the intruders tried the common account name "nbusr" with the password nbusr123 and guessed it on the first attempt.
See the full article above for more details. They even su'd with no password.
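The nbusr/nbusr123 guess above is the simplest kind of dictionary attack: derive the candidate from the account name itself. As an added example (not from the article or this blog), here is a small Python audit that generates those username-derived guesses, tries them against stored hashes, and doubles as a policy check at password-change time (where it also catches the empty password that let the intruders su). The hash function, the affix list and the sample accounts are constructed for this example; a real audit would plug in the system's actual hash scheme and a larger wordlist.

```python
import hashlib
import re

# Affixes commonly bolted onto an account name to make a "password" (nbusr -> nbusr123).
# Constructed list for this example; a real audit would draw on a larger wordlist.
COMMON_AFFIXES = ("", "1", "12", "123", "1234", "12345", "123456", "!", "1!", "123!",
                  "2006", "pass", "pwd", "admin", "root")


def candidates(username):
    """Yield the guesses an attacker would try first for this account, most obvious first."""
    base = username.lower()
    seen = set()
    for form in (base, base.capitalize(), base.upper(), base[::-1]):
        for affix in COMMON_AFFIXES:
            for guess in (form + affix, affix + form):
                if guess and guess not in seen:
                    seen.add(guess)
                    yield guess


def _normalize(s):
    # Drop case and separators so "NBU_sr-123" still reads as "nbusr123".
    return re.sub(r"[^a-z0-9]", "", s.lower())


def username_derived_reason(username, password):
    """Policy check for password-change time: why the password is username-derived, or None."""
    if password == "":
        return "empty password"
    if password.lower() == username.lower():
        return "password equals username"
    if password in set(candidates(username)):
        return "username, reversed or with a common affix"
    u, p = _normalize(username), _normalize(password)
    if u and re.fullmatch(re.escape(u) + r"[0-9]{1,6}", p):
        return "username followed by digits"
    if len(u) >= 4 and u in p:
        return "password contains the username"
    return None


def illustrative_hash(salt, password):
    # Stand-in for the system's real password hash (crypt, sha512-crypt, ...), constructed so
    # the example runs offline; the audit loop below is the same for any salted hash.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def audit_hashes(accounts):
    """accounts: {username: (salt, digest)}. Returns {username: recovered password}."""
    cracked = {}
    for user, (salt, digest) in accounts.items():
        for guess in candidates(user):
            if illustrative_hash(salt, guess) == digest:
                cracked[user] = guess
                break
    return cracked


# Constructed sample: two accounts with username-derived passwords and one sound one.
SAMPLE_ACCOUNTS = {
    "nbusr": ("s1", illustrative_hash("s1", "nbusr123")),
    "backup": ("s2", illustrative_hash("s2", "Backup2006")),
    "jdoe": ("s3", illustrative_hash("s3", "correct horse battery staple")),
}

if __name__ == "__main__":
    for user, pw in audit_hashes(SAMPLE_ACCOUNTS).items():
        print(f"{user}: falls to username-derived guess {pw!r}")
    print(username_derived_reason("nbusr", "nbusr99"))  # username followed by digits
```

Run stand-alone, it reports the two accounts whose passwords fall to the first handful of guesses; the policy check is the cheaper place to stop this, since at password-change time the plaintext is available and the reason string can be shown to the user.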
-------------------------------
Via FCW.com -
The Defense Department announced April 28 that someone broke into a Tricare Management Activity (TMA) public server and gained access to information. The compromised information included personal information about military employees, DOD officials said.
“As a result of this incident, we immediately implemented enhanced security controls throughout the network and installed additional monitoring tools to improve security of existing networks and data files,” said William Winkenwerder Jr., assistant secretary of defense for health affairs. “Such incidents are reprehensible, and we deeply regret the inconvenience this may cause the people we serve.”
Investigators do not know the motive for the crime or whether the information has been misused. The Defense Criminal Investigative Service is participating in an investigation. DOD sent letters to employees who were affected by the intrusion to inform them of potential identity theft.
Tricare is DOD's Military Health System, which provides health care for members of the uniformed services and their families and for retirees. TMA oversees Tricare activities.
Friday, April 28, 2006
Fun: Manifesto of the Technocrat - v2
"I am the Technocrat. I live in a world beyond your world; where names are unknown. The world of the packet and the switch. In this world, alliances are fluid like water. In this world, the attackers are invisible and so are the protectors. At the very instant this world emerged from its electronic birth, a war began. A war void of guns and bombs. A war in which the only weapons are light and electrical pulses. The battles are silent, but each has the potential to alter your very existence in unfathomable ways. This is the world in which I live, endure and excel."
- Technocrat (2006)
---------------------------
I was bored and decided to write my own manifesto. Lame, I know. It was inspired by The Hacker's Manifesto, of course.
Thanks for the input from one of the cDc Ninjas, you know who you are.
New Bill Threatens MP3 Streaming Radio
The Washington Post reports that Senators Feinstein (D-Cal.) and Graham (R-S.C.) have introduced S. 2644, dubbed the PERFORM Act, that is aimed at punishing satellite radio for offering its subscribers devices capable of recording off the air.
Buried in the bill, however, is a provision that would effectively require music webcasters to use DRM-laden streaming formats, rather than the MP3 streaming format used by Live365, Shoutcast, and many smaller webcasters (like Santa Monica's KCRW and Seattle's KEXP). The streaming radio stations included in iTunes also rely on MP3 streams (since Apple isn't about to license the Real or Microsoft streaming codecs).
...
If the PERFORM Act becomes law, webcasters who use the statutory SoundExchange licenses to play music would have to give up MP3 streaming in favor of DRM-restricted, proprietary formats that impose restrictions on any recordings made. So much for great time-shifting technologies like Streamripper and RadioLover.
Apple Argues Bloggers Can't Protect Source
"A trial court ruled last year that if a journalist publishes information that a business claims to be a trade secret, this act destroys constitutional protection for the journalist's confidential sources and unpublished materials."
What are the rules for claiming a "trade secret"? Is the model of my KVM switch a trade secret? What about the model number of the copier down the hall? My cube number? Come on...
Apple has a right to defend its "real trade secrets", but it had better wake up and see that they are no longer making computers just for teachers and artists. They have opened OS X (and their very company) to a world that they were not expecting. It is the largest paradox box they have ever seen and they had better learn how to deal with it quick.
Thursday, April 27, 2006
Paros Proxy Updated
---------------------
Paros is pretty cool. I don't know if I like it more than some of the others....Java is a hog, but it is free. So what are you waiting for? Go try it..
Wednesday, April 26, 2006
Fun: IT = Insomniac Tendencies
Reflecting back on what just happened. Just 3 hours ago, I received an IM from a friend that works right down the road from me. He was still at work, so I figured I would help him mentally unwind a bit.
Like most computer programmers, he tends to keep strange hours. But everyone in IT is used to that...it is almost the standard. For most of us, work is play...play is work.
Anyways, I show up and he starts to tell me about how he has been working since 9am. In my mind, I was thinking...well 12 hours, that isn't normal, yet it isn't too crazy either. But he didn't mean 9am Tuesday morning....he meant 9am Monday morning. He didn't go home last night.
He was pushing on 40 hours without sleep. lol
After dinner, he went back to the office and appeared to get back into "code mode", so I left.
Now it is almost 1am and he is still at work. His cat is most likely going insane without food.
Moral of the Story - Perhaps IT doesn't stand for Information Technology...maybe it means "Insomniac Tendencies".
Many of the people reading this right now will understand this fact all too well. =)
Goodnight...
Tuesday, April 25, 2006
Tools of the Trade - Get'em Updated
2) For all you people that need to test IPv6, try out the new THC IPv6 Attack Suite. I haven't tried it yet however.
3) Sensepost has updated Wikto to 1.63.1-2279. Wikto is basically the Windows port of Nikto, plus forced browsing, a Google hacker and more. HTTPrint and HTTrack both work in conjunction with this program as well.
4) On 4/19, Cain & Abel v2.8.9 was released. Added support for Winpcap v3.2
5) On 4/13, the stable branch of Kismet was updated to 2006-04-R1. Remember all new development is in the "Newcore" branch, so most of the changes in stable are just fixes and some new chipset support.
6) This isn't really new, but it is pretty cool. PHP.Hop created by the PHP Honeypot Project (PDF).
7) Winamp isn't a security tool, but I use it and I figure alot of people that stream radio do as well. So make sure you grab the new Winamp 5.21.
8) This is pretty cool as well. I have been hearing stuff about using an RTOS or a Linux OS that runs in parallel with your Windows OS to help fight rootkits, but it seems that this takes that idea and puts it on its own processor on a PCI card. It is Gamma from Komoku - a DARPA-funded startup.
Check out this eWeek article on the product.
Monday, April 24, 2006
OS X Safari 2.0.3 DoS Vulnerability
----------------------
Apple Mac OS X Safari 2.0.3 Vulnerability
=========================================
Release Date:
April 23rd, 2006
Vendor:
Apple Computer Inc.
Tested on:
- iBook G4 1.2 GHz with Mac OS X 10.4.5 (Build 8H14) + all Updates from Apple except "10.4.6 Update"
- iBook G4 1.33 GHz with Mac OS X 10.4.6 (Build 8I127) + all Updates from Apple
- PowerMac G4 Dual 867 MHz with Mac OS X 10.4.6 (Build 8I127) + all Updates from Apple
- iMac G4 800 MHz with Mac OS X 10.4.6 (Build 8I127) + all Updates from Apple
Versions affected:
- Safari 2.0.3 (417.9.2) latest version under 10.4.5 (Build 8H14) and perhaps prior versions
- Safari 2.0.3 (417.9.2) latest version under 10.4.6 (Build 8I127) and perhaps prior versions
Overview:
A vulnerability exists in Safari 2.0.3 (417.9.2), and perhaps in prior versions, which causes the operating system to slow down to the SRCOD (Spinning Rainbow Cursor Of Death); therefore, it is not possible to launch any application like Terminal to kill the process. After several minutes Safari crashes.
For an example, click on the link with Safari (WARNING: this crashes Safari after several minutes, and first the SRCOD (Spinning Rainbow Cursor Of Death) is there the whole time!) http://www.yanux.ch/exploits/safari/example.html
Report:
iMac G4 800 MHz with Mac OS X 10.4.6 (Build 8I127) + all Updates from Apple http://www.yanux.ch/exploits/safari/bugreport_imac_g4.txt
Vendor Status:
Apple was notified of this issue on 04/23/2006
Solution:
Currently no patches have been released for this vulnerability.
Discovered by:
Yannick von Arx
yannick[dot]vonarx[at]yanux[dot]ch
Possible Firefox 1.5.0.2 Remote Code Execution
---------------------------------------------------
Software:
Firefox Web Browser
Tested:
Linux, Windows clients' version 1.5.0.2
Result:
Firefox Remote Code Execution and Denial of Service - Vendor contacted, no patch yet.
Problem:
A handling issue exists in how Firefox handles certain Javascript in js320.dll and xpcom_core.dll regarding iframe.contentWindow.focus(). By manipulating this feature a buffer overflow will occur.
Proof of Concept:
http://www.securident.com/vuln/ff.txt
Credits:
splices(splices [dot] org)
spiffomatic64(spiffomatic64 [dot] com)
Securident Technologies (securident [dot] com)
------------------------------------------------
Sunday, April 23, 2006
Computer records on 197,000 people breached at UT
Microsoft Internet Explorer Nested OBJECT Tag Memory Corruption Vulnerability
Microsoft Internet Explorer is prone to a memory-corruption vulnerability. This issue is due to a flaw in the application in handling nested OBJECT tags in HTML content. An attacker could exploit this issue via a malicious web page to potentially execute arbitrary code in the context of the currently logged-in user, but this has not been confirmed. Exploit attempts likely result in crashing the affected application. The issue could also be exploited through HTML email/newsgroup postings, or other applications that employ the affected component.
Microsoft Internet Explorer 6 for Microsoft Windows XP SP2 is reportedly vulnerable to this issue; other versions may also be affected.
See the SF page above for PoCs.
Michal Zalewski
Saturday, April 22, 2006
OS X Flaws Put Mac Users At Risk
Good write-up over @ CNET.com dealing with the recent information disclosure of several serious Mac vulnerabilities.
Let's look at several key quotes.
1) Apple believes the public disclosure of security flaws doesn't help anyone, a position shared by most software makers. "We don't feel that our customers are better served by public disclosure of potential issues," Tribble said. "We think that in the general case, people who need to know about issues are the ones that can actually fix the bugs."
While Apple may not agree with Tom, I bet his action will get the problems fixed faster. Apple would have sat on them for as long as they could, all along claiming they weren't a danger. Which brings me to quote number 2.
2) Apple's vice president of software technology told CNET News.com. "I think it is important to note that although these are potential vulnerabilities, there are no known exploits to them and they are not affecting customers today."
There are no exploits in the public, maybe...but that doesn't mean that they aren't being exploited. This could be of no importance to Apple; these are very serious vulnerabilities and should be fixed. IMHO, only companies that are using Apple products should be focused on whether exploits are public or not, since that fact does alter the patch management cycle in most cases.
3) Apple silently fixed one of the flaws related to the handling of TIFF image files in update 10.4.6, Ferris said. The other bugs remain unpatched, he said, adding that he reported the issues to Apple earlier this year.
Umm...this issue sounds very familiar. As I stated before, we need to hit Apple on this exact issue as well. Microsoft isn't the only one not doing the right thing in my view.
4) Apple expects to address the issues in an upcoming security update but could not say when that fix might be released. "Our target is to do it promptly," Tribble said. "How quickly that can be done depends on a lot of variables, in terms of how much information we get and how complex the things are to address."
This quote only supports my comment on quote #2. They have known about the issues all year and they are going to fix them "promptly"....umm..and people say public disclosure doesn't work. =)
Friday, April 21, 2006
Mac OS X Multiple Potential Vulnerabilities
1) An error exists in the "BOMStackPop()" function in the BOMArchiveHelper when decompressing malformed ZIP archives.
2) Some errors exist in the "KWQListIteratorImpl()", "drawText()", and "objc_msgSend_rtp()" functions in Safari when processing malformed HTML tags.
3) An error exists in the "ReadBMP()" function when processing malformed BMP images and can be exploited via e.g. Safari or the Preview application.
4) An error exists in the "CFAllocatorAllocate()" function when processing malformed GIF images and can be exploited via e.g. Safari when a user visits a malicious web site.
5) Two errors exist in the "_cg_TIFFSetField()" and "PredictorVSetField()" functions when processing malformed TIFF images and can be exploited via e.g. the Preview, Finder, QuickTime, or Safari applications.
The vulnerabilities have been reported in version 10.4.6. Other versions may also be affected.
Solution:
Do not visit untrusted web sites, and do not open ZIP archives or images originating from untrusted sources.
Provided and/or discovered by:
Tom Ferris
Original Advisory:
Tom Ferris:
http://www.security-protocols.com/sp-x25-advisory.php
http://www.security-protocols.com/sp-x26-advisory.php
http://www.security-protocols.com/sp-x27-advisory.php
http://www.security-protocols.com/sp-x28-advisory.php
http://www.security-protocols.com/sp-x29-advisory.php
http://www.security-protocols.com/sp-x30-advisory.php
Thursday, April 20, 2006
The Dark Side of Patching
Microsoft has 'fessed up to hiding details on software vulnerabilities that are discovered internally, insisting that full disclosure of every security-related product change only serves to aid attackers.
I love it. Microsoft once said that all exploits come from reversed patches and now it seems they believe the exact opposite. Can't they just sit in the middle and understand that both happen?
Blackhats have zero-days that Microsoft "may" find and fix internally. Microsoft itself has detected unknown hackers using unknown vulnerabilities in the wild. The JView bug that was discovered by Microsoft's honeymonkey project, for example.
But then the world has the vulnerability once a patch is released. There are places on the internet that tell you step by step how to do a binary diff on patches. Therefore, there is no silent fix.
For Microsoft to keep silent on the issue after the patch only hurts their customers. Period.
Hopefully once we get Microsoft right on the issue, we can all move to Apple and start over.
Wednesday, April 19, 2006
TrueCrypt 4.2 Released
New Features:
- TrueCrypt volumes can now be created under Linux.
- Ability to create a ‘dynamic’ container whose physical size (actual disk space used) grows as new data is added to it. (Dynamic containers are pre-allocated NTFS sparse files).
- Volume passwords/keyfiles can be changed under Linux.
- Keyfiles can be created under Linux.
- Volume headers can be backed up and restored under Linux.
- Multiple keyfiles can be selected in the file selector by holding the Control (Ctrl) or Shift key (Windows).
- It is now possible to enable and directly set keyfiles by dragging the icon of keyfile(s) or of keyfile search path(s) to the password entry window (Windows only).
- New Linux command line option: -u, --user-mount, which can be used to set default user and group ID of the file system being mounted to the user and group ID of the parent process. Some file systems (such as FAT) do not support user permissions and, therefore, it is necessary to supply a default user and group ID to the system when mounting such file systems.
- The build.sh script can now perform automatic configuration of the Linux kernel source code, which is necessary in order to compile TrueCrypt on Linux. Note that this works only if the installed version of the kernel enables/supports it.
- TrueCrypt volume properties can be viewed under Linux.
- New Mount Option: 'system'. It is possible to place paging (swap) files on a TrueCrypt volume that is mounted with this option enabled. Thus, it is possible to use TrueCrypt to on-the-fly encrypt a paging file. (Windows, command line usage)
- New Mount Option: 'persistent'. A volume mounted with this option enabled is not displayed in the TrueCrypt GUI and is prevented from being auto-dismounted (‘Dismount All’ will not dismount the volume either). (Windows, command line usage)
Monday, April 17, 2006
News: Iran Researched P2 Centrifuges
P2 centrifuges have steel rotors as opposed to the P1's aluminum rotors and can enrich uranium twice as fast as normal P1 centrifuges.
I tend to agree with the unnamed US government official that said "The more the IAEA looks, the more they find and the more Iran says 'Oops, we need to amend our declaration'."
Perhaps the NPT needs to be fixed to remove this "ohhh, you mean those 4000 magnets" loophole. Keeping to the faith of the NPT does not include that type of "forgetfulness" in my mind.
Science: Megacryometeors
A megacryometeor is a very large chunk of ice which, despite sharing many textural, hydrochemical and isotopic features with large hailstones, is formed under unusual atmospheric conditions that clearly differ from the cumulonimbus cloud scenario (i.e. clear-sky conditions). They are sometimes called huge hailstones, but don't need to form in thunderstorms. Jesus Martinez-Frias, a planetary geologist at the Center for Astrobiology in Madrid, pioneered research on megacryometeors in January 2000, after ice chunks weighing up to 6.6 pounds rained on Spain out of cloudless skies for 10 days.
Recently these have been hitting Cali again - ABC News and Chron.com
Fun: US Marines Experiment with "Urban Combat Skateboard"
Wow. I heard stuff about the Future Combat Systems, but this has to be a joke. How much did that "Urban Combat Skateboard" cost to "develop" and "fine-tune"? 10k? 50k?
I mean it is the government; couldn't they get Tony Hawk to give them a sick board for free testing? Seriously...no really...
It would seem that I was some type of future urban warrior at the age of about 12 and I didn't even know it.
NEWS FLASH – The "Urban Two-wheel Cycle" has been developed to be used in conjunction with the "Urban Combat Skateboard" accompanied by the "Urban Combat Ski Rope".
Sunday, April 16, 2006
Another Credit Card Information Breach
Specialty retailer Ross-Simons said a security breach detected earlier this month compromised personal information on tens of thousands of customers. The breach affects about 32,000 customers who applied for store credit cards from October 2004, when the cards were first issued, to April 4, when the problem was verified, Ross-Simons spokesman Dante Bellini Jr. said Thursday.
------------------------------------
Paying cash for things is looking better everyday..
Saturday, April 15, 2006
Will Pay for Software Bugs - The Debate
On one hand, I like to see my friends get paid for finding software bugs in software. Why shouldn't they? They spend large amounts of time looking for and finding security issues, which they then report to the vendor.
They aren't making an exploit and creating a new huge botnet - they are helping the vendor. Hopefully helping the vendor become more secure and therefore sell more products. But what do my friends get? Money? Rarely. Sometimes they don't even get a pat on the back. Some vendors claim the bug isn't a problem and that the researcher doesn't know what they are doing....only later to fix the issue in a "feature update". ;)
But Jennifer paints a very real picture in her article. If the third-party broker market keeps growing, issue of information control will come to light. Vendors pay for the "information" and they use it to make their products better - new IDS/IPS Sigs, early forecasting, etc. That sounds like normal business to me....but it isn't without a negative side - as Jennifer points out.
It is a slippery slope and I hope the security community overall can find a balance. Perhaps the original product vendors should start to pay for vulnerability information, like Mozilla. I don't know.
Let me know what you think...I want input on this issue.
Are we heading down a bad road??
By not paying for vulnerabilities, are companies not stepping up to the plate to protect their customers?? They pay programmers to write the code and they have their own security people? They pay them all day right? Why not pay a non-employee that helps you better your product?
Tuesday, April 11, 2006
MySpace.com Hires MS Employee to Oversee Security
----------------
Because of concern by parents and school and law enforcement officials that the site sometimes unwittingly makes young people vulnerable to pornographers or predators, the company has hired Hemanshu Nigam, director of consumer security outreach and child-safe computing at the Microsoft Corporation, to oversee safety, education and privacy programs and law enforcement affairs.
----------------
About damn time. Too bad I never heard anything back from Myspace.com when I contacted them about using SSL for login. Self-signed certs should be able to fit in their budget. ;)
Saturday, April 8, 2006
The Technocrats of Urban Communication
The Graffiti Research Lab is dedicated to outfitting graffiti artists with open source technologies. Pretty cool. The graffiti scene has moved from pure paint to LED throwies and art via light projection. I really like this new movement because of its less-damaging outcome.
Check out this Wired.com write-up on this movement in NYC.
The Security Illusion vs Cross-Platform Malware
We live in a world where no computer or OS is safe. Botnets have been found that only contained Linux and OS X bots. If you think your OS is protecting you from the evil of the virtual world...you are dead wrong.
This is the security illusion - I sometimes call it "security complacency".
Any system is open to attack. Bad guys want your computer to be a node on their botnet....it doesn't matter if you are running Windows 98, Windows 95 or OS X. I saw a Windows 98 box yesterday with a bot on it. It was scanning for a load of vulnerable PHP applications, most likely an attempt to spread.
Moral of the Story - Don't have a big head. Every computer user needs to be smart and take steps to protect their data, money and their existence.
MacBook Pro / Boot Camp
Read about Jim Dalrymple's experience with Boot Camp over at Macworld.
Before OS X was released, I never wanted a Mac. I didn't see the reason to get one. They had fewer programs, fewer places to get them repaired (which I mostly did on my own anyways) and cost twice as much as my x86 PCs. Apple didn't support the geek overall. They didn't want you to open the case, didn't want you to modify things too much. So again - why would I?
Once OS X was released, my newfound love for Linux/BSD could be filled with a really damn cool GUI interface. The once BSD-only ports system works on it. Almost any Linux security tool works on it...and some tools even go beyond their Linux counterparts - KisMac for example.
They are still high priced in my mind. I am typing on my personal Dell Latitude D505 that I got off Ebay for 800-900 dollars (with warranty days left on the machine). Hard to beat that deal. But I found myself thinking about getting a Mac laptop with my tax money. I would have to get a laptop, of course.
But you really have to get a MacBook Pro to get all the functionality I need. PCMCIA slots, Intel chipset, etc. So there goes 2000 dollars, plus money on the extras. That isn't cheap. Therefore I decided against it. I like my Dell and don't really see what I would do with another laptop.
But I have to say, for the first time in my life, if I didn't have a laptop right now, I would be moving toward the MacBook Pro.
I still have some problems with Apple on a couple of issues, but Microsoft isn't much better these days.
I better go disable my Active Scripting in IE now before I catch a virus.
Friday, April 7, 2006
Defense Science: Fighting RPGs with "ForceFields"
Pretty cool. It isn't really a forcefield in the Sci-Fi terms...but it is protection. I do wonder how the system can fire a counter projectile at the correct angle in such a quick manner.
I am still a fan of the "creating warp bubbles around vehicles" idea. lol
Thursday, April 6, 2006
Black Tuesday : Microsoft to Patch Five Vulnerabilities
Security Updates
* Four Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. Some of these updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. One of the updates will be a cumulative Internet Explorer update that addresses the publicly known "CreateTextRange" vulnerability.
* One Microsoft Security Bulletin affecting Microsoft Office and Microsoft Windows. The highest Maximum Severity rating for this is Moderate. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scanning Tool.
http://www.microsoft.com/technet/security/bulletin/advance.mspx
----------------------------
I would like to thank Fergie for the heads up. I am a busy man..lol
What other non-public vulnerabilities will be fixed in the "Cumulative Internet Explorer Update"??
Sunday, April 2, 2006
Fried Phish & French Phries
The site was being hosted on a US company's website; it looked like a third-party hosted site. Third-party hosting is even worse, since that means other sites could be open to whatever attack vector was used.
It was using advanced JavaScript URL-bar spoofing tricks, stuff I have seen on a couple of sites in Korea before. It is a PayPal phishing kit that is dropped on an open site as a ZIP or a RAR, then unzipped - bang - up and going. This allows for very fast delivery and fast phishing.
Report phishing sites to the PIRT via their Fried Phish website.
Tools of the Trade
1) Fedora Core 5 (FC5) was released a couple of weeks ago. All new graphics as well. Looks much better than FC4.
2) On March 29th, Nessus 3.0.2 beta was released for Mac OS X. It runs native on both PPC and Intel CPUs. I just installed the new one on FC5, working pretty well. Remember the GUI client isn't packaged with the main server package anymore...so make sure you grab the GTK client or use the remote NessusWX.
3) On March 16th, Cain & Abel v2.8.8 was released over at oxid.it. They added VoIP sniffer support for the following codecs: G723.1, G726-16, G726-24, G726-32, G726-40, LPC-10.
4) On March 30th, Aircrack-ng 0.3 was released for both Linux and Windows. If you haven't used Aircrack before, you should try it on your wireless network, you might be shocked to see how well it works.
5) Recently, Ophcrack 2.2 was released. Check out the Ophcrack Live CD. It is a linux bootable CD-Rom with Ophcrack and a set of pre-computed tables. Nice ;)
6) John the Ripper 1.7.0.2 was released for *nix systems. The change was irrelevant for Windows users.
7) Watch out for a Kismet update soon. Development hasn't stopped, it has just shifted into the "NewCore" branch. I am running the development version on FC5, looking good so far. I still haven't seen any information about the Kismet hole leaked at DefCon...strange.
8) Gaim 2.0.0 Beta 3 was released on March 29th. I am currently running beta 2 - I like it. Time for an upgrade.