Behind the Internet Wheels of Steel - Recording Live From Somewhere - Mixing the Fresh Beats of Technology, Intelligence, Science & Security together with the occasional bass-heavy break of Humor.
"There is no security on this earth, there is only opportunity"
- General Douglas MacArthur (1880-1964)
Tuesday, October 31, 2006
Month of Kernel Bugs - The First is Just Hours Away
Let's just say that tomorrow will be a day to remember....seriously, mark it in the books. Shake the dust off your Cipro bottles and prepare for the digital ground to shake...
It is going to be a crazy month....I love it.
http://projects.info-pull.com/mokb/fs-bugs-23-10-2006.txt.asc
Check out the Matasano blog as well. He is shocked that a simple tool that sprays random bytes all over the place can break so much stuff...and I have to agree. That is totally insane.
Firefox 2.0 Anti-Phishing Filter Vulnerable To Evasion
Jungsonn has only been a member of the forums for one day and he hits big with IP encoding that evades Firefox’s anti-phishing filter. This isn’t the first time I’ve seen this sort of thing, but it’s the first time I’ve seen it in a commercial browser. What Firefox is doing is a direct compare against the URL. Using the IP obfuscation calculator you can create IP addresses that don’t match what is in the anti-phishing list. But it’s worse than Jungsonn reported even.
That’s right, go to any phishing site and add in a QUERY_STRING to the end of the URL and poof, no more popup. What a bummer. I was really hoping they would do something a little smarter with this. Unfortunately with this knowledge it is extremely easy to defeat the anti-phishing detection built into Firefox’s newest browser.
The QUERY_STRING issue is a tough one to solve, because where do you know to compare against? The IP address issue that Jungsonn came up with really bothers me. Why would you use the URI field to do comparisons instead of the IP address that it is normalized to? Is it an oversight? Oh well, I hope they fix this soon.
This is kinda scary. Phishing sites have been using IP obfuscation tricks for quite some time. Just roughly guessing, I would say that around 10-20% of the phish that I saw on PIRT were using some form of simple IP obfuscation.
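The fix both posts are asking for is to compare a canonical form of the URL rather than the literal string. The following is an added example, not Firefox's code: it folds every numeric spelling of an IPv4 host (hex, octal, decimal, fewer than four parts) to dotted decimal and drops the query string before the blocklist lookup, so neither the IP obfuscation calculator nor an appended QUERY_STRING changes the result. The blocklist entries are constructed for the example.

```python
import re
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# The three numeric forms a resolver accepts in each dotted component.
_HEX = re.compile(r'0x[0-9a-f]+', re.IGNORECASE)
_OCT = re.compile(r'0[0-7]*')
_DEC = re.compile(r'[1-9][0-9]*')


def _parse_part(part):
    """Parse one dotted component as hex (0x..), octal (leading 0) or decimal."""
    if _HEX.fullmatch(part):
        return int(part, 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    raise ValueError(part)


def canonical_host(host):
    """Return the dotted-decimal form of any numeric IPv4 spelling a browser
    would resolve, or the lowercased name for a DNS hostname.
    Returns None for a numeric host that is not a valid address."""
    parts = host.split('.')
    if not 1 <= len(parts) <= 4:
        return host.lower()
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return host.lower()          # not numeric: treat as a DNS name
    *head, last = nums
    # Leading components are single bytes; the last one fills the remaining
    # bytes, which is why "127.1" and "2130706433" both mean 127.0.0.1.
    if any(n > 255 for n in head):
        return None
    remaining = 4 - len(head)
    if last >= 256 ** remaining:
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * remaining)) | last
    return str(ipaddress.IPv4Address(value))


def canonical_url(url):
    """Normalise a URL for blocklist comparison: scheme, resolved host and
    path only. Query string and fragment are dropped because the phishing
    page is the same resource whatever is appended after '?'."""
    parts = urlsplit(url)
    host = canonical_host(parts.hostname or '')
    if not host:
        return None
    return urlunsplit((parts.scheme.lower(), host, parts.path or '/', '', ''))


# Constructed sample blocklist entries (documentation addresses, not real sites).
RAW_BLOCKLIST = [
    'http://192.0.2.10/bank/',
    'http://login.example.net/secure/index.php',
]
BLOCKLIST = {canonical_url(u) for u in RAW_BLOCKLIST}


def is_listed(url):
    """True when the URL denotes the same resource as a blocklisted entry."""
    return canonical_url(url) in BLOCKLIST
```

Comparing on path rather than host alone keeps a listing of one page on a shared host from blocking the whole host, which is the trade-off behind the "where do you compare against?" question.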
Monday, October 30, 2006
Paper: 802.11b Firmware-Level Attacks
By Mike Kershaw and Joshua Wright
http://802.11ninja.net/papers/firmware_attack.pdf
------------------------------------------
If you are one of the many Apple Borg that believe that Airport is immune to firmware/driver level wireless flaws...then you are in for a bumpy ride in the near future.
Saturday, October 28, 2006
RFID E-Passport Skimming PoC Code Released
The latest version of RFIDIOt, the open-source python library for RFID exploration/manipulation, contains code that implements the ICAO 9303 standard for Machine Readable Travel Documents in the form of a test program called 'mrpkey.py'.
This program will exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport. Currently the data read is limited to the following objects:
Data Group: 61 (EF.DG1 Data Recorded in MRZ)
Data Group: 75 (EF.DG2 Encoded Identification Features - FACE)
Other Data Groups will be implemented as and when examples come to the author's attention.
The ICAO standard relies on a 'secret' key to protect the RFID chip from casual reading, which is derived from data printed inside the passport. However, this data is also potentially available by other means, so the key for a specific passport could be derived without physical access to the passport. The information required is as follows:
The Passport number
The Date Of Birth of the holder
The Expiry Date of the Passport
(Each of the fields also has a check digit which can be calculated by the software if not otherwise available).
The author has previously shown that this data can be obtained through other channels, such as poorly secured websites, as it is a subset of the data that is required by the US Homeland Security for Advance Passenger Information, and is therefore commonly collected by airlines and other associated organisations.
This article, from the UK national newspaper The Guardian, gives more details of one of the techniques used:
http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
Others have also highlighted the possibility of bruteforcing the keys, given that the components are largely predictable, giving a much smaller keyspace than might otherwise be supposed:
http://www.riscure.com/2_news/passport.html
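To make the two points above concrete (the check digits the software can fill in, and the small effective keyspace), here is an added example that is not part of RFIDIOt or the announcement. It implements the ICAO 9303 check-digit rule (weights 7, 3, 1; letters A-Z valued 10-35; filler '<' as 0), builds the 24-character MRZ information string that feeds the key derivation, and compares the nominal keyspace with one where the three fields are bounded. The sample number and dates are the ICAO 9303 worked-example values; the "predictable" bounds are illustrative assumptions, not measured figures.

```python
import math

# ICAO 9303 check digit: weights 7,3,1 repeat across the field.
_WEIGHTS = (7, 3, 1)


def mrz_char_value(ch):
    """Digits keep their value, A-Z map to 10-35, the filler '<' counts as 0."""
    if ch.isdigit():
        return int(ch)
    if 'A' <= ch <= 'Z':
        return ord(ch) - ord('A') + 10
    if ch == '<':
        return 0
    raise ValueError('not an MRZ character: %r' % ch)


def mrz_check_digit(field):
    total = sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(passport_number, date_of_birth, expiry_date):
    """Concatenate number, birth date and expiry (each YYMMDD), every field
    followed by its check digit. This 24-character string is the only secret
    input to the BAC key derivation, so its guessability is the key strength."""
    number = passport_number.upper().ljust(9, '<')
    for date in (date_of_birth, expiry_date):
        if len(date) != 6 or not date.isdigit():
            raise ValueError('dates must be YYMMDD: %r' % date)
    pieces = []
    for field in (number, date_of_birth, expiry_date):
        pieces.append(field + str(mrz_check_digit(field)))
    return ''.join(pieces)


def effective_key_bits(number_choices, dob_days, expiry_days):
    """log2 of the number of candidate keys when the passport number lies in
    a known range and the two dates are bounded."""
    return math.log2(number_choices * dob_days * expiry_days)


def keyspace_comparison():
    # Upper bound: any 9-character alphanumeric number, any birth date within
    # a century, any expiry date within a ten-year validity window.
    nominal = effective_key_bits(36 ** 9, 36525, 3653)
    # Assumed bounds (illustrative): numbers issued sequentially within a block
    # of a million, birth year known to a decade, expiry known to within a year.
    predictable = effective_key_bits(10 ** 6, 3653, 365)
    return nominal, predictable
```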
The demonstration code (RFIDIOt.py version 0.1g) can be found here:
The ICAO 9303 standard documents can be found here:
http://www.icao.int/mrtd/publications/doc.cfm
Enjoy!
Adam
Wednesday, October 25, 2006
Fedora Core 6 Zod Final Released
Use torrents or mirrors to download. It appears the main Fedora website is down...
I was able to pull down the full DVD from the Kernel.org FTP mirror in around 2 hours.
While you wait for the download, check out the "Inside Fedora Core 6" article...
Metasploit to Include 802.11 Raw Injection
OCTOBER 23, 2006 | HD Moore, Jon Ellch (a.k.a. johnny cache), and another researcher known as "skape," are collaborating on adding 802.11 wireless exploits to the Metasploit 3.0 penetration testing tool. Moore, the creator of Metasploit, has written a wrapper for the tool that lets it execute raw 802.11 packet injection.
802.11 packet injection lets an attacker go after the lowest level of the operating system, such as wireless device drivers, which Ellch says are an attacker's goldmine. "This code is full of bugs because it is not written by software companies and until recently, bugs in it were not really exploitable," Ellch says. "Now that we can send packets at such a low level, we can hit the bugs in the code."
Wireless device-driver vulnerabilities are becoming a hot topic. Ellch, in a presentation at last week's Blue Hat summit, told Microsoft it needs to work with device-driver vendors to turn off some of the unnecessary wireless card features to minimize the risk of a hack. "The basic problem is end users have two choices on the driver, 'on' or 'off.'" And there's a lot of code in this software associated with features users may not need, such as "power-save," for instance, that leaves the door open for bugs.
"The more code you have, the more bugs there are," he says.
And with Metasploit 3.0 about to include 802.11 exploits as well, Microsoft and device-driver vendors may have to take action sooner, rather than later. "A working Metasploit module is definitely motivation for wireless vendors to review their code," says Moore, who is also director of security research with BreakingPoint Systems. Moore says the new features will likely be ready to go in the next few weeks for Metasploit 3.0.
Meanwhile, Ellch says for Microsoft to better secure the 802.11 device-driver layer of the kernel, it would have to determine which features users could disable in their device drivers. "Microsoft can't fix this themselves," though. The software giant would need to work with wireless card device-driver developers, he says.
Microsoft developers didn't actually commit to following Ellch's recommendations, but they did say it would be easy to implement in Vista. The company has already been searching for device-driver bugs, he says.
"Microsoft is really interested in trying to solve this problem," Ellch says. "That's what really impressed me the most. Microsoft is actively looking for bugs in device drivers, even though they didn't write them. That takes a lot of work, because Microsoft doesn't have the source code" for that.
So why not pitch this to the device-driver vendors themselves? "You won't find one that doesn't say 'we don't have bugs,' but they all do," Ellch says. "Anyone who has not had their device driver patched yet is going to."
Zero Day Vulnerability Found in Myspace
OCTOBER 24, 2006 | A researcher has published proof-of-concept code on a zero-day vulnerability he found on MySpace.com -- and another variation on the cross-site scripting (XSS) theme.
Called XSS fragmentation, the vulnerability consists of multiple chunks, or fragments, of JavaScript malware that can slip by a filter or firewall because individually they don't constitute a security risk. But when they are combined after hitting the site, they can then be dangerous.
XSS fragmentation is rare, but a potentially powerful vulnerability that could be used against community-based sites such as MySpace or Web-based mail systems, security experts say. MySpace in particular is vulnerable because it takes user-supplied content and stores it without adequate filtering, says Jeremiah Grossman, CTO of White Hat Security. An e-commerce site would not be at risk to this type of attack, he says.
Tools of the Trade - MSG-Free
2) The first public beta of the BackTrack 2.0 LiveCD is out.
3) Nessus 3.0.3 W334 was released for the Windows platform - no longer beta. The Windows version of Nessus is getting better, but the reporting still isn't up to par with the Linux version.
4) On Oct 18th, Cain & Abel v3.0 was released. New features include:
- Support for AirPcap USB 2.0 adapter in Wireless Scanner
- Passive Wireless Scanner with channel hopping support.
- AirpCap.DLL dynamically linked.
- WEP IVs sniffer (Capture files are compatible with Aircrack's .ivs files).
- 802.11 capture files analyzer compatible with PCAP and Aircrack's .ivs file formats.
- 802.11 capture files decoder (support WEP and WPA-PSK encryption).
- WPA-PSK pre-shared key calculator.
- WEP Cracker using Korek's Attack (64-bit and 128-bit key length supported).
- Off-line capture file processing now compatible with Wireless extensions.
- Added G722.1 codec support in the VoIP sniffer.
- Added support for Winpcap library version 4.0 and higher.
- OpenSSL library upgrade to version 0.9.8d.
- Winpcap library upgrade to version 4.0 beta1.
6) On Oct 1st, Aircrack-ng 0.6.2 was released. No more peek5.sys issues. See changelog for details.
7) Also on Oct 1st, HoneyTrap 0.6.3.1 was released. HoneyTrap is a low-interactive honeypot that collects information regarding known or unknown network-based attacks and thus can provide early-warning information.
8) On Sept 28th, OpenSSL released several new versions to correct four security issues.
9) On Sept 27th, OpenSSH 4.4/4.4p1 was released to correct several security issues. More details on the fixes in the changelog.
10) AOL just released WinAmp 5.31, which fixes several security issues outlined by iDefense.
Tuesday, October 24, 2006
FireFox 2.0 Released
In less than two years, tens of millions of people worldwide have discovered the easier, faster and safer online experience that Firefox provides. Translated into more than 35 languages at its release, Firefox 2 is available in a native language version for more people around the world than any other Web browser.
Firefox 2 is immediately available for Windows, Mac or Linux operating systems as a free download from www.getfirefox.com.
“Firefox 2 delivers the best possible online experience for people today,” said Mitchell Baker, CEO, Mozilla. “The improvements Mozilla has made to the ease of use, performance, and security in Firefox 2 reflect our ongoing, singular focus on meeting the needs of Web users all over the world.”
MoKB: Month of Kernel Bugs
Tarball available at: http://projects.info-pull.com/mokb/fsfuzzer-0.6-lmh.tgz
L.M.H said the following on several security mailing lists:
The Month of Kernel Bugs will start on 1st November, and will be announced this next Monday (Oct 30). I'm looking for other people interested in providing bugs for XNU (also for the "good old" Darwin), win32, *BSD, etc. If you want to contribute, drop me a line. Please note that only 'fresh', unknown bugs will be accepted, and submissions should be briefly documented. The goal is disclosing a kernel bug (DoS, privilege escalation, whatever interesting) on a daily basis for November.
Watch his blog for more details.
UK to Fingerprint Pub Goers
The government is funding the roll out of fingerprint security at the doors of pubs and clubs in major English cities.
Funding is being offered to councils that want to have their pubs keep a regional black list of known trouble makers. The fingerprint network installed in February by South Somerset District Council in Yeovil drinking holes is being used as the showcase.
"The Home Office have looked at our system and are looking at trials in other towns including Coventry, Hull & Sheffield," said Julia Bradburn, principal licensing manager at South Somerset District Council.
...
Bradburn could not say if fingerprint security in Yeovil had displaced crime to neighbouring towns, but she noted that domestic violence had risen in Yeovil. She could not give more details until the publication of national crime statistics to coincide with the anniversary of lax pub licensing laws on 24 November.
She was, however, able to say that alcohol-related crime had reduced by 48 per cent in Yeovil between February and September 2006.
...
New licences stipulate that a landlord who doesn't install fingerprint security and fails to show a "considerable" reduction in alcohol-related violence, will be put on report by the police and have their licences revoked.
Offenders can be banned from one pub or all of them for a specified time - usually a period of months - by a committee of landlords and police called Pub Watch. Their offences are recorded against their names in the fingerprint system. Bradburn noted the system had a "psychological effect" on offenders.
Reduced crime? I am not so sure...displaced crime to other areas? Most likely. Is that a good thing? I guess that is up for debate.
1984 here we come....
Saturday, October 21, 2006
Simple Yet Effective Malware Tricks
SecureWorks has a great write-up on a piece of malware called "SpamThru Trojan Analysis".
While it does not employ rootkit type hiding tricks that are so common these days, it is anything but simple. This is a botnet trojan that took time, skill and money to create. This was made for the black art of underground business...
Here are several of the tricks that it uses to keep the botnet alive, kicking and making money:
Peer-to-Peer Communication
It uses P2P technology to pass information from bot to bot and therefore update the network. It reminds me of Cisco CDP in some ways. Each bot knows about the bot around it and they update each other as new information is loaded. The botnet is still controlled via a central C&C (command and control) server, but the bots can be directed to a new C&C server via the P2P technology if the server is ever taken down.
Anti-Virus Scanning
Like most trojans, this one was tweaked and customized during creation time to minimize AV detection; however, SpamThru takes AV scanning a step beyond the normal trojan. It actually installs a hacked version of Kaspersky AntiVirus for WinGate to clean the machine before the main infection takes place. This helps increase the stability of the new bot and decrease the chance that it will be "stolen" by a rival botnet controller.
Encrypted Template-based Spam
Each bot in the net has its own spam engine. Each bot downloads a spam creation template from a central template server using an AES-based challenge-response authentication system. This challenge-response system reduces template leakage to third-party and AV researchers. The template contains e-mail addresses, spam hashes that are used to bypass filters and random "from" names. The templates are also encrypted using AES for extra protection.
GIF randomization
GIF files in the spam template are modified with each spam sent, to change the width and height, and a section of random pixels is appended to the bottom, in order to defeat anti-spam solutions which might try and reject mail based on a static image.
Very interesting indeed. As you can see, spam is very very serious business and these groups take every step possible to keep their business up and running.
Check out the SecureWorks link at the top for more details on this cool piece of malware.
Friday, October 20, 2006
N. Korea Detonates 40 Years Of GDP
PYONGYANG, NORTH KOREA—A press release issued by the state-run Korean Central News Agency Monday confirmed that the Oct. 9 underground nuclear test in North Korea's Yanggang province successfully exploded the communist nation's total gross domestic product for the past four decades.
"This is a grand day for the Democratic Peoples Republic Of Korea, whose citizens have sacrificed their wages, their food, and their lives so that our great nation could test a nuclear weapon thousands of feet beneath our own soil," read an excerpt from the statement. "Now the rest of the world must stand up and take notice that the DPRK, too, is capable of decimating years of its wealth at any given moment."
This is meant as a joke article created by The Onion, but the idea has a large amount of truth...sad.
Thursday, October 19, 2006
Apple Plays the Blame Card
This isn't the first time this has ever happened and it will not be the last, but the response from Apple about the case is a little strange.
The company said in its statement, adding "as you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it."
What? That is like saying... "As you might imagine, we are upset that your body is not more hardy against E. Coli, but we seriously should have found that in our spinach."
What the hell is that? That is no kind of statement. This is a corporate statement in response to your corporation shipping viruses to paying customers and all you have to say is "damn Microsoft." I don't think so...
How about you tell your paying customers how you plan on fixing the issues. How about you tell your paying customers the measures that you have put in place to stop this from happening again. How about you tell your paying customers that you made a mistake and that you will do whatever it takes to win those customers back.
All users should be running up-2-date anti-virus, which would have stopped this from infecting their computer. Those customers were infected because they did not have the correct security measures in place....they didn't do what they were supposed to be doing.
Which is basically the same excuse Apple has for shipping viruses to customers, right?
Apple might be good at marketing, but they really suck at PR.
Wednesday, October 18, 2006
VoMM: Taking Browser Exploits to the Next Level
Now prepare to be downright frightened of browser exploits.
Enter VoMM (eVade o’ Matic Module).
VoMM is a Metasploit module developed by LMH and Aviv Raff that cloaks browser exploits using multiple techniques and makes them almost undetectable to common static signature-based detection systems. This includes many AV scanners and most IDS/IPS systems.
The most relevant techniques being deployed:
- White-space randomization (using whitespace, tabs, etc).
- String obfuscation and encoding.
- Random comments: placement and manipulation of existing ones.
- Block randomization.
- Variables and functions names randomization.
- Integer and misc. variables obfuscation.
- Function pointer reassignment.
Check out LMH's blog entry for the rundown on each technique. Gregg Keizer released a TechWeb article yesterday on VoMM as well.
HD Moore used several of these tricks when he created the VML exploit for Metasploit. When it was released, Moore's exploit was undetected by all 26 virus scanning engines supported by VirusTotal, which include Grisoft's, McAfee's, Microsoft's, Symantec's, Kaspersky's, and others.
Moral of the Story - Patch'em if you got'em and do it as soon as possible. Most corporations slowly roll out patches to minimize possible damage and because they feel protected by other mitigation factors. Those "defense in depth" protection layers are shrinking and in some cases, being totally bypassed.
Tuesday, October 17, 2006
UK Drivers Bypass Ticket Cameras Simply By Changing Lanes
A massive flaw in a new generation of speed cameras means motorists can avoid fines and points on their licence simply by changing lanes.
The Home Office admitted last night that drivers can avoid being caught by the hi-tech 'SPECS' cameras which calculate a car's average speed over a long distance.
The astonishing loophole means that millions of speeding drivers around Britain could escape a £60 fine and three points on their licence. The hidden blind-spot - revealed today by the Daily Mail - raises questions about the supposedly foolproof hi-tech camera system which is increasingly used on Britain's roads.
Although designed to improve road safety, the loophole means that drivers may actually increase the risk of accidents by continually switching lanes.
Police chiefs were last night forced to urge drivers not to exploit the shortcoming by trying to evade the cameras.
I am sure drivers won't change lanes if asked not to....seriously, we can just ask real nicely - "Please don't change lanes mate...and don't speed, ohh yeah and don't stab people."
Monday, October 16, 2006
Spyware infection prompts McDonalds MP3 recall
McDonalds Japan has launched a recall after discovering that MP3 players it offered as a prize were loaded with a particularly nasty strain of malware. Up to 10,000 people might have been exposed to the problem after claiming a Flash MP3 player pre-loaded with ten tunes and a variant of the QQpass spyware Trojan.
Punters received the contaminated gift after purchasing a large drink from the fast-food chain in Japan and submitting a serial number contained on the beverage holder as part of a competition, sponsored by McDonalds and Coca-cola. Users who connected the McDonalds-branded MP3 player to their Windows PC were exposed to spyware code programmed to transmit their web passwords and other sensitive information to hackers. The cause of the accidental infection is unclear but past experience suggests a contaminated machine involved in loading content onto the players is the likely culprit.
McDonalds Japan has apologized for the cock-up and established a helpline designed to handle the recall of the infected MP3 players and send out uncontaminated music gizmos. A Japanese-language statement also explains how punters can cleanse potentially infected PCs.
Sunday, October 15, 2006
Moby Wants to Save the Internet, Don't you?
I was just watching the Discovery Channel and saw the latest Anti Net Neutrality ad sponsored by the Cable Association. Pretty sad and quite misleading.
They want to believe that we are attempting to give government control of the internet...which isn't the case at all. They are the ones who decided to change the "normal balance" of the internet and now we are being forced to use government laws to protect it.
So to get the word out, I have selected this video which shows you how to join the fight for Net Neutrality.
http://www.youtube.com/watch?v=xOJnKgsWPGw
What is at stake? Find out here.
Another PowerPoint 2003 Zero-Day
Microsoft confirmed the new zero-day on Oct. 12th in their MSRC blog.
Hopefully Microsoft is taking a pro-active step and looking at the Office code base as a whole for security vulnerabilities. The updates released at this point don't show much of that, however.
They seem to just be plugging what is found or released...
Targeted Trojan Attacks on the Rise
MONTRÉAL - On December 1, 2005, two e-mail messages were sent from a computer in Western Australia to members of two different human rights organizations. Each e-mail message carried a Microsoft Word document with a previously unknown exploit that would take control of the targeted person's computer and open up a beachhead into the group's network.
The attack failed, as did a second attempt to infiltrate the same human-rights groups a week later, due in no small part to an overabundance of caution on the part of e-mail security provider MessageLabs, which initially blocked the e-mails based on the strangeness of the Word attachments. The attacks only targeted a single person at each organization and, after the two attempts, never repeated.
Targeted Trojan horse attacks are quickly becoming a major issue for the antivirus and computer-security industries. Last year, computer emergency response groups in the U.K., Canada and Australia warned of such attacks. While the United States Computer Emergency Readiness Team (US-CERT) did not issue a warning, security firms confirmed at the time that U.S government agencies and companies had already been targeted by such malicious software.
...
The attacks are also very well researched, Shipp said. One targeted Trojan was sent to five employees at one company--every single person was a member of the firm's research and development team.
...
Most of the attacks come from the Pacific Rim, emanating from Internet addresses in mainland China, Hong Kong, Australia and Malaysia. However, one IP address that consistently attacks military installations comes from a computer in California. Shipp believes that the computer could have been compromised as part of a bot net.
...
However, the antivirus industry is still moving too slowly, ISS's Corman said. The Trojan horse sold to private investigators by an Israeli couple took 18 months to detect.
"People in the industry keep talking about the Israeli Trojan horse, because that is one of the few public examples," Corman said. "But that's just one of hundreds, if not thousands, of successful attacks."
In July 2004, I was the target of an unsuccessful targeted trojan attack. It was much less advanced than the attacks of today and most likely not controlled by the same people. It came in as EXE and I was the only person in the company of thousands to get the e-mail.
With the help of Peter Kruse from CSIS of Denmark, the attachment was found to be a trojan with remote access, SMTP relaying and keylogger abilities.
The trojan created a mutex with the name "CocoAzul v0.765".
This was later to be tagged by several AV vendors as the Cocoazul Worm. Several variants were created as outlined by Megasecurity.org. Yet none of those listed match my sample in size.
Even today, detection of my sample is iffy:
Saturday, October 14, 2006
Methamphetamine for Stroke Victims
Methamphetamine may protect the brain after a stroke, according to new research in rats and gerbils.
The illicit street drug – also known as speed – helped reduce brain damage when used up to 16 hours after stroke, potentially widening the window of opportunity for drug intervention.
Researchers induced strokes in gerbils, causing them to become twice as active and agitated as normal gerbils. But when the animals were given a low dose of methamphetamine up to 16 hours after the event, the animals became calmer. Dissection later showed that the neurons of the gerbils given methamphetamine were as intact as in animals that had not suffered stroke.
“Methamphetamine is a drug that has been shown to exacerbate stroke damage when administered before a stroke, but we have seen roughly 80% to 90% protection of neurons when administered after a stroke,” says Dave Poulsen, who led the research at the University of Montana in the US.
Carnivorous Plant Eats Mouse At French Garden
LYON, France -- Visitors to the Botanical Gardens in Lyon, France, should watch their fingers after a carnivorous plant there ate a mouse.
Botanists discovered a partially digested mouse inside the plant on Friday after several people complained of a horrible smell.
The carnivorous plant, native to the Philippines, is the first to actually prove that plants can indeed eat small mammals.
Previously, insects were the only things that were known to be in a carnivorous plant's diet.
Friday, October 13, 2006
Hackers Steal 500,000 Dollars from Two U.S. Virgin Island Gov Bank Accounts
Computer hackers have exploited weaknesses in the security technology of a Puerto Rican bank to siphon hundreds of thousands of US dollars (euros) out of two U.S. Virgin Islands government accounts, a finance official said Thursday.
Hackers accessed the U.S. Caribbean territory's accounts with banking giant Banco Popular, making numerous small withdrawals for up to two months until government officers discovered the thefts totaling US$500,000 (euro399,010) in August, Finance Commissioner Bernice Turnbull said.
The San Juan-based bank has credited the U.S. Virgin Islands accounts with US$300,000 (euro239,406) and is planning to replace the rest of the missing money in coming days, Turnbull said. It's not clear why the Virgin Islands government did not disclose the theft earlier.
One of the accounts contained money earmarked for the Human Services' Special Supplemental Nutrition Program for Women, Infants and Children, she said. The other account was a general fund.
Turnbull said federal officials had a suspect in the case but would not elaborate.
The FBI could neither confirm nor deny an investigation. Local police said they had not been notified about the theft.
Thursday, October 12, 2006
Could a 30-in. monitor help you do your job faster?
Providing employees with 30-in. computer monitors can boost worker productivity at companies where 17-in. or 19-in. monitors are typically used, according to a French consultant hired for a study sponsored by Apple.
The study, which evaluated Apple’s 30-inch Apple Cinema Display, concluded that large screens can offer gains of up to 50 percent to 65 percent in productivity on a variety of specific office tasks and can earn back their extra costs in time savings over several years. The 30-in. display costs $1,999.
I have been using multiple screens for years. You could have paid me 10 bucks to tell you this. lol
What a waste of money....Silly Apple. Of course having more screen space increases productivity. But two 19in regular monitors can do the same thing and be a hella lot cheaper.
This research isn't even new. I mean Microsoft said this in 2003, for gods sake.
They took information that any person that has ever used multiple screens could tell ya and threw their 30in screen in it - then called it research.
Smells less like science and more like advertising.
The next study will conclude that using OS X instead of Linux/Unix/anything else can make you more productive...sponsored by Apple.
Remind you of anyone else?
Tuesday, October 10, 2006
Protect DVD-Video - Created, Then Cracked
The movie industry seems determined to continue on a course where it happily erodes the rights of legitimate users, all in the name of securing profits. The latest example of this comes in the form of a DVD copy protection technology called Protect DVD-Video which actually prevents a DVD being played on a Windows PC using Windows Media Player, Windows Media Center Edition or any software players based on DirectShow.
Protect DVD-Video is the brainchild of a company called ProtectDisc. Part of the copy-protection mechanism is a non-standard UDF (Universal Disc Format) file system which results in the IFO file on the DVD (this is the file responsible for storing information on chapters, subtitles and audio tracks) appearing to the PC as being zero bytes long.
The upshot of this is that if you have a DVD disc protected by Protect DVD-Video and you try to play the disc in a PC-based system using, say, Windows Media Player, the process will fail. Now, let's be clear here, we are talking about a genuine, legitimate DVD disc not working in a PC, not a pirated disc or a download via a torrent. Protect DVD-Video protects a DVD by basically making it un-playable in a DVD drive that's in a Windows-based PC (I've no information on whether this also locks out Linux users - I would imagine that it does).
Remember how I told you that Protect DVD-Video was the brainchild of ProtectDisc? Well, the interesting thing about this company is that it is run by Volkmar Breitfeld, who is also managing director of ACE (who market the FluxDVD copy protection). However, dig a little deeper and you find that Breitfeld used to work for the "other side" and is known for his work developing tools to circumvent copy protection, such as InstantCopy and InstantCD/DVD.
As with most copy protection mechanisms, a way round it is never that far behind. SlySoft have a product called AnyDVD which works in the background to automatically remove the copy protection of a DVD movie as soon as it's inserted into the drive. The other day they released an updated version of AnyDVD which effortlessly bypasses Protect DVD-Video.
"With this copy protection the film industry clearly overshot the mark", says Giancarlo Bettini, CEO at SlySoft. "The premium customer who spent a lot of money on his multimedia home cinema and who, for quality reasons, would never even consider watching anything else but an original DVD, is being slapped in the face. These customers with their shelves stuffed with rightfully acquired DVDs, can't watch their videos."
As usual, I don't have a problem with anyone protecting their intellectual property and making sure that they are paid fairly for their work, but I am dismayed when, time after time, they seem to blur the line between fair use and piracy. The more that legitimate users are made to feel like they have been cheated out of being able to use what they've paid for, the more people are pushed into looking for tools that allow them to circumvent copy protection … simply to use what they paid for. That sets a worrying trend that will ultimately make things worse for the movie and recording industry. Imagine if keys were outlawed and people had to turn to lockpicks to get into their own homes. Would that make us all more secure? I doubt it! The same thing is happening here. The entertainment industry is forcing ordinary users to look for tools to bust copy protection in order to use a product they've paid for; ordinary users feel abused and ripped off by a big, faceless corporation, and the next time they want a song or movie, they're less likely to pay for it and more likely to acquire it through other channels.
And to be honest, who can blame them?
I just noticed that I totally missed Anti-DRM day (Oct 3rd).
Myspace URL Redirects
Monday, October 9, 2006
Discovery Channel - Atlas
I have watched the China episode twice today. Simply amazing.
China & Italy have been shown. Brazil, France and Australia are on the plate, I know.
In the opening credits, you will see a guy jumping off a wall. As far as I can tell that is Sebastien Foucan. One of the founders of the art/lifestyle known as "Free Running".
If you haven't seen Jump London, you must...Free Running is like a cross between a visual art form, a martial art and a lifestyle based on the idea of freedom.
The jumps will leave you speechless...
Sunday, October 8, 2006
Prepare for Ludicrous Speed
In 1957, German theoretical physicist Burkhard Heim publicly outlined a new idea for spacecraft propulsion. It was based on his new theory of physics which successfully described Einstein's theory of Relativity within the framework of Quantum Mechanics, and it married the two so effectively that he became an instant celebrity. Such a goal was long sought by Einstein himself, but never realized.
Heim's ideas described a "hyperdrive" which would locally modify the constants of nature in such a way that a vehicle would be allowed to travel at immense speeds, possibly faster than the speed of light. Such a propulsion system could theoretically reach Mars in under five hours, and neighboring stars within a few months.
But shortly after he announced his theory, Heim went into isolation, and took his theories and formulas with him. It would be years before his theories again resurfaced, but when they did, they attracted the attention of NASA, the U.S. military, and the Department of Energy.
About thirteen years before announcing his theory, Burkhard Heim was permanently disabled during an accident while working as an explosives developer in World War 2. He was working on an explosive device when it detonated in his hands, severing both of his forearms and severely damaging his eyesight and hearing. After undergoing a series of operations, Heim distracted himself from the pain by intensely studying Einstein's relativity theory. He registered at the University of Goettingen to study physics, and fulfilled his academic degree requirements with the help of companions.
Heim was able to continue his work in physics because he developed an extraordinarily accurate acoustic memory, able to recall formulas in exact detail once they had been recited to him. He became involved in physics research at the Max Planck Institute for Astrophysics, and it was during this time that he made his Heim theory public, along with the hyperdrive propulsion system based upon it.
Heim's attempt to heal this divide added four "sub-space" dimensions to Einstein's four, making a total of eight. Later he decided that two of the dimensions were unnecessary, and removed them from the theory. His two sub-space dimensions coupled the forces of electromagnetism and gravity, which meant that theoretically, electromagnetic energy could be converted into gravity. This is the principle that his hyperdrive idea was based upon. The theory was so compelling and the math worked out so well that after Heim announced it, Wernher von Braun, the man leading the Saturn 5 rocket program, contacted Heim and asked him whether the Saturn 5 was a waste of money.
...
Burkhard Heim died in 2001, but Walter Dröscher has continued the work, and teamed up with a physicist named Jochem Häuser to produce a paper proposing an experiment to test Heim's quantum theory. The experiment calls for a magnetic field of extremely high intensity, but space propulsion researchers at Sandia National Laboratories think it might just be possible to perform the experiment using their "Z Machine" X-ray generator. But they are waiting for the math behind the theories to be better understood before they volunteer the use of the expensive piece of equipment.
Because it is so complex and has had relatively little exposure, the Heim-Dröscher theory is still not well understood by most physicists. But its ability to calculate particle mass with uncanny accuracy has lent it a certain degree of credibility, because no theory before or since Heim's can accomplish the same thing. If the theory is accurate, the hyperdrive propulsion field it allows may make a weekend trip to Mars a reality, and put the stars within our grasp.
I guess we should prepare to go to plaid!
Friday, October 6, 2006
Server Core: Windows Without Windows
One of the most innovative features coming in Windows "Longhorn" Server isn't really a feature as much as a whole new version of Windows. It's called Server Core, and it will only take one-sixth of the disk space of a normal Longhorn installation. It's not expected to need anywhere near as many patches and hotfixes as Windows 2000. It's a version of Windows that does not, in fact, use windows. It's breaking Microsoft's long-standing reliance on graphical interfaces and shaking things up in several of Microsoft's product groups.
Server Core reflects a changing view of servers. "Administrators are accustomed to thinking of servers by their role. That's my file server, that's a domain controller, that's an Exchange server," says Andrew Mason, a Microsoft program manager for Server Core. Some of those roles really don't use much of what is built into Windows.
Server Core also recognizes -- based on painful experience -- that fewer "moving parts" in an operating system equates to fewer vulnerabilities, stability issues and maintenance points. Reducing the amount of code can help reduce the number of bugs. That's what Server Core is all about.
Server Core can only act as a file server, domain controller, DNS server or DHCP server. As such, it's far from being a full-fledged Windows operating system (although Microsoft is considering other roles for future versions). Besides these four core roles, Server Core also supports Cluster Server, Network Load Balancing, the Unix subsystem, the new Windows Backup in Longhorn, Multipath I/O, Removable Storage Management, BitLocker drive encryption and SNMP. Server Core also supports Remote Desktop administration, although you'll only get a command-line window when you connect.
That's about it. There's no Internet Explorer, no Outlook Express, Calculator or Windows Paint, no Wordpad, Windows Messenger or Media Player -- just the basics. Microsoft did add Windows Notepad to Server Core at the request of several sneak-preview customers, but even that's a stripped down version. You can't, for example, use the "Save As" function, because Server Core doesn't have dialog boxes for functions like Open and Save As.
There's also no Microsoft .NET Framework. This means you can't run any managed code on Server Core. Mason says his development team wants to add the .NET Framework to Server Core, but they first need the Framework team to modularize the code so they can add just the essentials. The Framework's absence in Server Core is significant. For example, you can't run Windows PowerShell, Microsoft's vaunted new management shell, on Server Core. That doesn't mean you're out of remote management options, however.
Server Core will come in Standard, Enterprise and Datacenter editions for i386 and x64 platforms. Most companies will probably opt for the Standard edition because most of the differences found in the Enterprise and Datacenter editions of Longhorn won't be present in Server Core. The Enterprise Server Core does, however, get you more processor and memory support, as well as clustering. Datacenter adds the whole Datacenter hardware program and 99.999 percent reliability -- although the current Datacenter isn't exactly flying off the shelves.
U.S. Air Force Researches Feasibility of "CyberCraft"
What if you could send a computer program to do the job of a spy, or a bomber, or drone? It sounds like science fiction -- and it'll probably stay that way, for a long, long time. But Air Force researchers think there's enough to the idea to start funding a trio of companies for initial work into these attacking, snooping "Cyber Craft."
"Using the Cyber Domain to conduct military operations... has significant potential," an Air Force paper announces. Examples include long-term intelligence activities, like "being able to monitor a military barracks, accumulate financial information on a potentially hostile nation, or provide status on the political climate of a South American country."
Researchers think the programs could answer shorter-term, tactical questions, too. "Like who is in this building across the street, where are the tanks located in a particular town or village that is going to be entered by friendly forces, or what’s the latest intelligence regarding adversarial forces in a particular town or village."
Obviously, it would take more than a bulked-up Web crawler to get the job done. Cyber Craft would have to be able to hop from standard computer networks to electrical grids to wireless nets and back, over and over again.
Cyber agents will need to embody the ability to covertly travel across these mediums, constantly assessing the network layout, morphing itself as networks change, and remaining covert while maintaining the integrity of its mission. Increased use of data hiding techniques and data hiding detection techniques add additional complexity to the Cyber craft weapon arsenal... Cyber weapons will need to perform real-time continuous self-assessment of the adversary’s detection capability and be able to make instant decisions to morph or self-destruct. Both these functions will be required in covertness and with the decision information sent back to its Cyber Craft home.
...
The goal is to develop a system that follows the 'fire-and-forget' methodology. However, with this philosophy comes the danger of a Cyber Craft morphing into something that performs unintended actions that would be harmful to friendly forces or provide an adversary with information about the sender's intentions, position, etc. One way of controlling a Cyber Craft is have it 'dissolve' after completing its mission. However, depending on the level of the Cyber Craft (strategic, operational, and tactical) the mission length can go from minutes to years... Thus, the damage that can be inflicted by a rogue Cyber Craft could be significant.
While it does sound far-fetched and the technology isn't here yet, it does sound very interesting indeed.
Wednesday, October 4, 2006
Beginner's Guide to Fuzzing Wireless Device Drivers
Since our talks at Black Hat Vegas and DEFCON, Jon Ellch and I have been peppered with questions regarding how to find vulnerabilities in wireless device drivers and the specific techniques that were employed. Rather than answer these questions one at a time, an article seemed a better course of action. In this first article, we will discuss how to build an auditing environment, how to construct fuzzing tools and, finally, how to interpret the results.
Although our previous talks have focused primarily on 802.11-based protocols, these same auditing methods can be applied to almost any type of device, including Bluetooth and infrared, with successful results. This article is designed as a beginner's guide to fuzzing wireless device drivers. To get the most out of it you should already be familiar with exploit development and debugging, as the article does not cover either of those topics in depth.
HD Moore Unplugged
HD Moore got his first real job in security research eight years ago, at the tender age of 17. He worked for the U.S. Department of Defense.
...
Today, most everything Moore, 25, does is watched closely by the commercial world, especially by software companies like Microsoft. His Metasploit penetration testing software has been hailed as a crucial tool for security white hats (the black hats love it, too), and his memorable Month of Browser Bugs (MOBB) project and other vulnerability discoveries and disclosures at times have put him at odds with Microsoft. (See Getting Buggy with the MOBB.) All of this activity has made him one of the most respected -- and sometimes criticized -- security researchers.
...
Meanwhile, Moore's rock star status is about to go Hollywood (yes, really). The upcoming Die Hard sequel with Bruce Willis will feature an evil hacker named "evil hax0r" who takes down the U.S. infrastructure using the Metasploit tool. Moore can't help rooting for the bad guy: "Who needs marketing with movies like this?"
Tuesday, October 3, 2006
Update: Possible Vulnerability Reported at Toorcon
We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker who reported the potential JavaScript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:
The main purpose of our talk was to be humorous.
As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.
I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.
I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.
I apologize to everyone involved, and I hope I have made everything as clear as possible.
Sincerely,
Mischa Spiegelmock
Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.
-Window Snyder
Monday, October 2, 2006
Word on the Street - Microsoft's VML Patch
Microsoft Releases Security Patch
Last week, Microsoft released a patch for a critical security flaw in its Internet Explorer web browser. What do you think?
Stefan Wells,
Campaign Consultant
"Well, this meets all the criteria for things I'm most terrified of: something I don't understand at all and refuse to learn more about."
Layna Torgerson,
Pest Control
"Thanks, but I'll pass. I kind of like how the Nigerians rearranged my desktop."
Greg Anderson,
Line Cook
"From what I gather, this patch works by plugging the remote code execution vulnerability in the VML, while a web page with VML when a rect tag is displayed in IE. Anyone who understands what this means has earned the right to attack my computer."
Apple Silently Hurts its Users
Johnny Cache did deliver a small speech however. It points out that Apple is saying one thing and doing another. Apple claims that SecureWorks provided no useful information, yet they release remote code execution wifi patches and are "working" with SecureWorks on something.
If Apple and SecureWorks were making a new cake recipe, they wouldn't get CERT/CC in the mix, now would they?
So what is Apple doing? They are doing exactly what they have always done.
Silencing those who might pull the veil from the Apple Faithful's eyes... so that they can see the truth. Am I implying that they have blinders on? I sure am...
Apple believes the public disclosure of security flaws doesn't help anyone. But I know tons of people in the Windows security management world that might strongly disagree if Microsoft held this position. So why the difference? Because Apple doesn't hold any ground in critical corporate infrastructure.
A serious Microsoft vulnerability can stop a company in its tracks. Do you think an OS X vulnerability would do that? No. Even if it were a remote code execution, reachable from the internet with an active Mac worm... it just isn't going to have the impact that a serious Microsoft vulnerability will have.
Take this April 2006 vulnerability story as an example.
Tom Ferris, a security researcher in Mission Viejo, Calif., published late on Thursday information on seven flaws in Apple's operating system that potentially put Mac users at risk of a cyberattack. The most serious of the flaws could let attackers surreptitiously run malicious code on users' PCs, Ferris said in an interview via instant messaging.
"We're in the process of investigating and addressing them," Bud Tribble, Apple's vice president of software technology, told CNET News.com. "I think it is important to note that although these are potential vulnerabilities, there are no known exploits to them and they are not affecting customers today."
Five of the flaws identified by Ferris relate to how Mac OS handles various image file formats--including BMP, TIFF and GIF, according to his security advisories. Another flaw involves the way OS X decompresses Zip archives. Additionally, Ferris claims to have found several bugs in Apple's Safari browser.
"The image flaws are the scariest ones, giving an attacker multiple methods of compromising a host," Ferris said. "They can be exploited to execute arbitrary code very easily and were not hard to find."
Do you think this type of talk would work if Microsoft was pushing it? Of course not....because Microsoft knows better. They were once silent on vulnerabilities too...
Apple assumes that no one can exploit a vulnerability without a public exploit...which is just silly thinking.
The Apple faithful need to stop blindly accepting the information that is force-fed to them from Apple HQ and just look at Apple's actions to see the truth.
But I guess ignorance is bliss...