Sunday, September 30, 2007

Cinnamon Buns Ice Cream

Those two guys, Ben & Jerry, know what they are doing....that stuff is pretty good.

Defaced Point-of-Sale System in Russia

Via -

Clearly this POS is basically just a PC in a different case. Note the CD-ROM and floppy drive on the front. I wonder what OS it was running? Did it have internet access? Was it running a web server?

Those are all interesting questions.

Google Fixes Gmail Cross-site Request Forgery Vulnerability

Via -

Google has fixed a vulnerability in their Gmail web based email service which would have allowed internet attackers to steal mail messages from users without being noticed.

The attack works by forcing a logged-in user to add a mail filter to their Gmail account, thereby allowing their mail to be forwarded to an external mail address controlled by the attacker. Because the Gmail service did not adequately verify the origin of such requests, it was possible for attackers to create their own web pages that used JavaScript to automatically make such requests on behalf of their victims. In essence, a Gmail user would visit one of these pages and have their account compromised without necessarily realising anything is awry. Only close inspection of the Filters tab in the Gmail Settings menu would reveal what had happened.

Proof of concept exploits used JavaScript to make a silent POST request to the Gmail service and add the attacker’s filter. With the results of the request hidden in an iframe, it is highly unlikely that a victim will have noticed that their Gmail account would have been compromised, particularly while they are browsing a completely different website. While this attack scenario would only be successful if the victim was logged in, many Gmail users remain constantly logged in throughout the day, thus increasing the likelihood of a successful attack.

The technique used by this exploit is known as CSRF (Cross-site Request Forgery) and is becoming an increasingly common method to attack web applications. If a web application is vulnerable to CSRF, it will allow unauthorised attackers to carry out arbitrary actions in the context of an authorised, logged in user of the application. Not only does this make a hacker’s life easier, but it also helps them to cover up their tracks, as malicious actions will appear to be carried out, unwittingly, by authorised users of the system.

Compromised webmail accounts are regarded as a valuable commodity by hackers, as they often contain information that would allow an attacker to gain unauthorised access to other systems, such as internet banking, and to harvest credit card details from online stores used by the victim. Because the attacker is now effectively in control of their victim’s email, they could also attack other accounts belonging to the victim by following “forgotten password” links and obtaining the relevant passwords via email.

Cross-site Request Forgery vulnerabilities are often difficult to identify using automated tools and typically require testing by security aware developers.

Imam Killed in Russia After Speaking Out Against Islamic Militants

Via -

MAKHACHKALA, Russia - Gunmen killed a Russian imam on his way to morning prayers in a restive southern region Saturday, a day after he spoke out against Islamic extremists, police said.

Nurmagomed Gadzhimagomedov was shot by attackers in a car while walking from his home to his mosque in the Dagestani settlement of Gudben, they said.

Dagestan, a mostly Muslim region east of Chechnya that is home to many ethnic groups, has been plagued by shootings, bombings and other violence, including regular attacks on top officials and police. Some of the violence has been linked to Islamic extremists and some was rooted in disputes between local criminal clans.

Gadzhimagomedov was a vocal critic of Islamic extremism who had spoken out against militants during a service at the mosque Friday, police said. They said the killing was "clearly a revenge attack" by Islamic militants.

In July, a deputy chief mufti at the central mosque in the provincial capital, Makhachkala, was killed, along with his driver, by a roadside bomb blast.

Chinese, US citizens Charged with Espionage in San Francisco

Via -

A Chinese national and a US citizen have been charged with conspiring to steal sensitive microchip designs capable of use in military technology, justice officials said Wednesday.

The US Attorney's office in northern California said Lee Lan and Ge Yuefei had been indicted on multiple charges of conspiracy to commit economic espionage and to steal trade secrets.

Lee, 42, a US citizen, and Ge, 34, a Chinese national, had sought to steal secrets from their employer, NetLogics Microsystems, and from the Taiwan Semiconductor Manufacturing Corporation, a statement said.

The two men had set up a company for the purpose of developing and marketing products related to the stolen trade secrets, and had attempted to secure funding from the Chinese government, it added.

"The vigorous enforcement of intellectual property statutes increases the economic vitality of this region, and adds to the security of our nation as a whole," US attorney Scott Schools said.

"This office is committed to the prosecution of individuals who seek to benefit foreign governments or instrumentalities with stolen trade secrets."

Lee and Ge have been released on 300,000 dollars bail and must reappear in court on October 29. They face up to 15 years in jail and a 500,000 dollar fine if convicted.

US officials have said China and Russia are spying in the United States at levels close to those of the Cold War.

Iraqi Man Arrested in Italy for Plan to Target US Bases in Iraq

Via Yahoo! News -

ROME - An Iraqi allegedly linked to al-Qaida in Iraq and suspected of plotting a terrorist attack on U.S. bases there using ultra-light aircraft was arrested Friday in northern Italy, authorities said.

Saber Fadhil Hussien, 45, was arrested on international terrorism charges in a morning raid in Padua, Carabinieri paramilitary police said.

Hussien, a former member of ex-Iraqi leader Saddam Hussein's Baath Party, had been in touch with aides of Abu Musab al-Zarqawi, the founder of al-Qaida in Iraq who was killed last year in a U.S. airstrike, said Col. Francesco D'Auria, head of the Carabinieri unit in Padua that conducted the investigation.

"It is documented that he was in contact with the al-Qaida in Iraq terrorist group," D'Auria told The Associated Press by telephone. "He was organizing an attack against American bases in Iraq."

The attack would have employed suicide bombers, anti-tank weapons and ultra-light helicopters that the group planned to buy from an Italian company, investigators said.

"These would have been used because they fly low and cannot be spotted by radar," D'Auria said.

Hurried Passenger Prompts Austin Airport Security Scare

Via -

A JetBlue passenger is in hot water after missing his flight and taking matters into his own hands.

A representative with Austin-Bergstrom International Airport said the plane was about to pull away when passenger Carlos Romero ran through an emergency exit and up to the plane.

Flight attendants decided to open up the doors and let him on. Security officers arrived shortly thereafter and arrested Romero.

Passengers were forced to get off the plane while bomb-sniffing dogs checked for anything suspicious.

The plane finally left about an hour after the incident without Romero.

Romero issued this statement Thursday: "I am sorry for the inconvenience and alarm I caused. I want to make clear that I arrived at the airport an hour before my flight and had already been cleared through security. But I went to the wrong gate. In my urgency to catch my flight at the right gate, I walked out of the door leading to the tarmac in order to see whether I could still get on my flight. Please accept my apology for the inconvenience and alarm I caused."


As a citizen of Austin and a frequent flyer (e.g. I was at the airport late Friday night), I accept Romero apology on the following condition only.

I hope this event has taught Romero that his flight is no more important than the hundreds of other people waiting for their flight....hence scaring the crap of out of hundreds, perhaps a thousand people is totally unjustified and is the opposite of how a compassion person would act.

No one likes dealing with the traffic on south 183, having to take off their shoes at the TSA checkpoint, only to sit around and wait.......but if we all make it as easy as we can for the person behind us, then we will all be a big happier.

We are all human and we are all guilt of not thinking about other people at some point...but this story is just silly....

Saturday, September 29, 2007

Project Dark Web - Tracking Terrorists By Writing Styles

Via Danger Room Blog -

You might think your anonymous online rants are oh-so-clever. But they'll give you away, too. A federally-funded artificial intelligence lab is figuring out how to track people over the Internet, based on how they write.

The University of Arizona's ultra-ambitious "Dark Web" project "aims to systematically collect and analyze all terrorist-generated content on the Web," the National Science Foundation notes. And that analysis, according to the Arizona Star, includes a program which "identif[ies] and track[s] individual authors by their writing styles."

Almost all CCTV systems are illegal, says Expert

Via -

As many as 95% of CCTV systems in the UK are operating illegally, according to a CCTV expert. The revelation comes as new legislation is about to take effect in Scotland which could render even more systems illegal.

Companies whose premises have CCTV systems in operation must alert the Information Commissioner that they are gathering personal information about the people they are recording. They must also put up signs to warn the public that recording is taking place.

A new law will come into force in Scotland on 1st November requiring those operating systems on a contract to have a separate licence. The law, which is already in effect in England and Wales, does not apply to operators working directly for the company whose premises are being surveyed.

Bernie Brooks of CCTV compliance consultancy DatPro told OUT-LAW Radio that he comes across few systems that operate within the law.

"From my own my experience after personally surveying many, many hundreds of buildings, I would say probably less than 5% are compliant," said Brooks. "I would say that 95% are non-compliant in one way, shape, form or another with the [Data Protection] Act. Obviously that's quite a worrying thing. If the system is non-compliant it could invalidate the usefulness of the evidence in a court of law."

Brooks's assessment matches that of non-profit CCTV awareness raising body Camerawatch. It said in June that its research showed that over 90% of the UK's 4.2 million CCTV systems were not compliant with the Data Protection Act.

(IN)SECURE Magazine

Issue 13 (PDF) includes the following:
  • Interview with Janne Uusilehto, Head of Nokia Product Security
  • Social engineering social networking services: a LinkedIn example
  • The case for automated log management in meeting HIPAA compliance
  • Risk decision making: whose call is it?
  • Interview with Zulfikar Ramzan, Senior Principal Researcher with the Advanced Threat Research team at Symantec
  • Securing VoIP networks: fraud
  • PCI DSS compliance: a difficult but necessary journey
  • A security focus on China outsourcing
  • A multi layered approach to prevent data leakage
  • Safeguard your organization with proper password management
  • Interview with Ulf Mattsson, Protegrity CTO
  • DEFCON 15
  • File format fuzzing
  • IS2ME: Information Security to Medium Enterprise

Mayan Riviera Vacation - Photos

Here are a couple of photos from my recent vacation in the Mayan Riviera. All photos were taken with my Canon Powershot S80.

Beach @ the Mayan Ruins of Tulum

Mayan Ruins of Cobá - Top of Nohoch Mul (42 meters / 138 feet)

Panorama View from the Top (42 meters / 138 feet)
(composed with three shots via Adobe Photomerge)

Beach on the Mayan Riviera

(Onyx - The Beach Dog)

Tools of the Trade - Now with Chaya!

Chaya (Cnidoscolus chayamansa and Cnidoscolus aconitifolius), also known as Tree Spinach, is a large, fast growing leafy perennial shrub, native to the Yucatán Peninsula of Mexico. It is popular in Mexico and Central America as a leafy vegetable, cooked and eaten like spinach; raw leaves are toxic. A USDA study in Puerto Rico reported that higher yields of greens could be obtained with chaya than any other vegetable they had studied. In another study chaya leaves were found to contain substantially greater amounts of nutrients than spinach leaves.

Chaya is a good source of protein, vitamins, calcium, and iron. However, raw chaya leaves are toxic as they contain a glucoside that can release toxic cyanide. Cooking is essential prior to consumption to inactivate the toxic components. In this respect chaya is similar to cassava, which also contains toxic hydrocyanic glycosides and must be cook before being eaten.


I ate a ton of Chaya on my recent vacation to the Mayan Riviera...hopefully, it was all

On to the tools...


1) On Sept 30th, Pidgin 2.2.1 was released. Pidgin is a multi-protocol Instant Messaging client that allows you to use all of your IM accounts at once. It is licensed under the GNU General Public License (GPL) version 2. This version fixes a MSN DoS that was found recently.

2) On Sept 29th, Foxit Reader 2.2 was released. Foxit Reader is a free PDF document viewer and printer, with incredible small size (only 2.1 M download size), breezing-fast launch speed and amazingly rich feature set. Foxit Reader supports Windows 98/Me/2000/XP/2003/Vista. Its core function is compatible with PDF Standard 1.7. This version fixes several bugs, including some problem with selecting text.

3) On Sept 28th, CCleaner v2.01.507 was released. CCleaner (Crap Cleaner) is a freeware system optimization and privacy tool. This version improved index.dat cleaning on XP & fixed a bug where some IE Temporary files were not removed....among other things.

4) On Sept 28th, Wine 0.9.46 was released. Wine is an Open Source implementation of the Windows API on top of X, OpenGL, and Unix. Main Changes in this release include:
  • A variety of fixes to improve Photoshop CS2 support.
  • More complete support for device installation in setupapi.
  • New Bidi text implementation that doesn't depend on libicu.
  • The usual assortment of Direct3D improvements.
  • Beginning of I/O completion ports support.
  • Lots of bug fixes.
5) On Sept 25th, THC released thc-orakelcrackert11g. It is the first full blown cracker for Oracle 11g. This tool can crack passwords which are encrypted usingOracle's latest SHA1 based password protection algorithm.

6) On Sept 22nd, SOSDG released ClamAV for Windows v0.91.2-3. ClamAV/SOSDG is a port of the powerful ClamAV anti-virus software package from UNIX/Linux to Windows using the Cygwin compatibility layer.

7) On Sept 18th, VMware released VMware Server 1.0.4 Build 56528. VMware Server is a free virtualization product for Windows and Linux servers with enterprise-class support. See the release notes for all the update details.

8) In other news, H.D. Moore recently started to add iPhone exploitation support to MSF 3.0. I heard about this right before going on vacation and it looks like it was released to the public while I was gone. Apple might be patching bugs...but as HD pointed out, all the apps run as root by default. We haven't seen the last iPhone exploit but any means.

Ruling Junta in Burma Cuts Internet Access in Attempt to Stop Democracy

Via -

The ruling junta in Burma has cut internet access to citizens in an attempt to stop footage of pro-democracy protests escaping the country.

Internet cafés have been closed and the state ISP is claiming that a damaged cable has led to a total internet shutdown across the country.

The latest protests have been filmed extensively on mobile phones and video cameras and sent across the web.

"They are going to delay the message, but they are not going to stop it," British journalist Dominic Faulder told Reuters. "This time, there will be more pictures and they will come out."

Burma is subject to some of the strictest censorship in the world, but images of the protests, including the beatings of Buddhist monks and the killing of a Japanese photographer, have all been sent out via the internet.


According to Wikipedia,

In November of 2006, the International Labor Organization announced it will be seeking "to prosecute members of the ruling [Myanmar] junta for crimes against humanity" over the continuous forced labour of its citizens by the military at the International Court of Justice.

See Burma on Google Maps

Burma is ranked 164th (right below China) on the Press Freedom Index of 2006 complied by the International Press Watchdog group - Reporters without Borders. Only four nations were ranked below Burma....Cuba, Eritrea, Turkmenistan & North Korea.

As a comparison, the US is ranked in the 53rd. This is a very bad ranking for the US.....but the whole NSA spying and other recent terrorism laws reduced the overall ranking.

Apple Released Another iPhone Update

Via PC World -

Users are reporting that a new update to Apple Inc.'s iPhone is making previously unlocked iPhones unusable.

The iPhone 1.1.1 update, released Thursday, breaks phones that have been hacked so that they work with providers other than AT&T Inc., the only U.S. provider Apple has allowed to carry its mobile phones.

In recent months, a number of software tools have been developed which allow iPhone users to break free of Apple's AT&T-only restriction, but Apple has said that it would fight any attempts to unlock the iPhone. Earlier this week the company released a warning that unlocked iPhones "will likely result in the modified iPhone becoming permanently inoperable when a future Apple-supplied iPhone software update is installed."

Shortly after the Thursday update was released, users of unlocked iPhones began reporting problems.

Security researcher Tom Ferris said the new software disabled a phone that had been unlocked using the open-source anySIM software in order to work on T-Mobile USA Inc.'s wireless network. After the update, the iPhone was stuck with an error message and apparently unusable. "It kept saying 'unsupported SIM card,' even with the AT&T SIM card in it," he said. "You can turn the phone off or on, but we just can't figure out how to get past this 'SIM card not supported'," he said.

SIM (Subscriber Identity Module) cards contain account information and are used to authenticate devices on certain types of mobile networks. Unlocked iPhones can use SIM cards from non-AT&T networks.

Others were reporting similar problems on Thursday.

The update also appears to disable the 'Jailbreak' hack which allows users to install unsupported software on the iPhone, Ferris said. After the 1.1.1 patch was installed it wiped out all of the third-party applications he had installed on a second iPhone, he said.

The new software is Apple's biggest iPhone update to date, and it fixes a number of security flaws in the mobile phone's browser, mail client and Bluetooth networking server.

The majority of the flaws do not appear to be critical, but the update fixes a larger number of bugs than the first iPhone update, released July 31.

Hackers have said that the iPhone's browser and mail clients are the most likely sources of software flaws and this release bears that out. Apple fixed seven flaws in the Safari browser, two in the iPhone's mail client and one Bluetooth bug with the release.

The Bluetooth flaw could be the most serious -- Apple said that it could allow an attacker to run unauthorized code on the iPhone -- but because Bluetooth works over a range of just a few feet, the attacker would have to be standing near the victim for any exploit to work, said Andrew Storms, director of security operations with nCircle Network Security Inc.

Noted hacker HD Moore agreed that the Bluetooth flaw was serious. "The only bad issue here is the Bluetooth [flaw]," he said via e-mail. "I will start working on this tonight."

Though there may be some technical limitations to what an attacker could do by exploiting this bug, it "could be a nasty remote exploit," he added.

Earlier this week, Moore added iPhone hacking capabilities to the Metasploit hacking tool that he develops.

The patch also fixes some cross-site scripting and JavaScript flaws in the browser that could also be serious, Storms said via instant message. These flaws could be exploited to make the browser run unauthorized JavaScript code, he said.

A Tale of Two Tunisis? Questions About the Latest Al-Qaida Casualty in Iraq

Via CT Blog -

This morning, the Pentagon conducted a press briefing with Brigadier General Joseph Anderson, the Chief of Staff of Multinational Corps-Iraq. In a video linkup from Camp Liberty in Baghdad, General Anderson addressed a number of issues--chief among them, the reported killing of a "high level" Al-Qaida commander--Tunisian national Abu Usama al-Tunisi--near Musayyib, Iraq on September 25 in a targeted strike by U.S. warplanes. According to General Anderson:

"Abu Usama al-Tunisi [was] a close associate and part of the inner circle of close advisers to Abu Ayyub al-Masri, or otherwise known as AAM, the overall leader of al Qaeda in Iraq, and his likely successor... Abu Usama al-Tunisi was one of the most senior leaders within al Qaeda in Iraq. He was the emir of foreign terrorists in Iraq, and as I stated, part of the inner leadership circle of al Qaeda in Iraq who had direct contact with Abu Ayyub al-Masri. He was originally from Tunisia, and was a primary facilitator for the movement of foreign terrorists into the country... He operated in Yusufiya, southwest of Baghdad, since the second battle of Fallujah in November '04 and became the overall emir of Yusufiya in the summer of '06. His group was responsible for kidnapping our American soldiers in June '06. He was known to have direct access to the al Qaeda in Iraq senior leader AAM. He facilitated foreign fighters in the Yusufiya area and helped equip them for improvised explosive device, vehicle-borne improvised explosive device and suicide attacks in Baghdad. He took command of the Aisha battalion after its former leader, AAM, was promoted to al Qaeda in Iraq emir status."
Oddly enough, this is not the first time that Abu Usama al-Tunisi has been reported killed. Over a year ago (in May 2006), Al-Qaida supporters posted online announcements declaring the "martyrdom" of Abu Usama al-Tunisi. The news of al-Tunisi's death was distributed on, among other places, the highly credible Al-Hesbah Islamic Network--which has been directly endorsed in past propaganda films produced by Al-Qaida in Iraq. According to that announcement (a translation of which was posted shortly thereafter on
"The martyrdom of Abu Usama al-Tunisi, the commander of [Al-Qaida’s] Aeisha Brigade... He caused much desperation and anxiety among the Americans and he spread frustration among their soldiers. The Americans knew Abu Usama al-Tunisi very well, because he was one of the commanders who led the Battle of Abu Anas al-Shami during which he served as the military commander responsible for one of the four frontlines of the mission... Abu Usama first entered Iraq two years ago. He used to always smile when talking to his brothers and had a profound faith in Allah. Abu Usama was killed in the area of Al-Yusifiya during an air strike that also killed four other brothers."

This naturally leads us to the problem of addressing this obvious discrepancy. Is it possible that there are two separate Abu Usama al-Tunisis serving as commanders for Al-Qaida in Iraq? Perhaps... but the likelihood of this incredible coincidence rapidly plummets when one considers that both of these men have been identically described as the commander of Al-Qaida's Aeisha Brigade and active in the area of al-Yusifiya. If we put aside this theory, we are left with quite limited possibilities. It would seem that either Al-Qaida supporters were engaged in a deliberate misinformation campaign on their own password-protected chat forums, or else the U.S. military has potentially been the victim of questionable intelligence. It should be further noted that Al-Qaida has prided itself in the past on providing accurate and timely information concerning the "martyrdom" of its military commanders. When former Al-Qaida commander Abu Musab al-Zarqawi was killed in a U.S. airstrike in mid-2006, the same Al-Hesbah Network was one of the first sources to correctly confirm the news of his death on behalf of Al-Qaida.

Click to view Biography of an Al-Qaida Operative “Martyred” in Iraq: Abu Usama al-Tunisi (


I went over to the CT blog to ask Evan about this exact question.....after seeing the Biography released in July 2006 (linked above). I guess he doesn't know either...weird.

Sunday, September 23, 2007

Leaving on a Jet Plane

Well, it is getting near the end of summer..and Technocrat needs a little R&R. So I will be back in a week...make sure the internet doesn't fall apart on me while I am gone.

Adios amigos!

Microsoft Learns from the Fuzzing Lesson

Via ComputerWorld -

September 21, 2007 (Computerworld) -- A wave of attacks targeting Microsoft Corp.'s Office 2003 last year taught the company some tough security lessons it's now aggressively applying, a Microsoft software engineer said today.

"When Office 2003 shipped, we thought we'd done some good work and that it would be a secure product," said David LeBlanc, a senior software development engineer with the Office team. "For the first two years after release, it held up really well, only two bulletins. [But] then people shifted their tactics and started finding problems in fairly large numbers."

LeBlanc, one of the proponents of Microsoft's Security Development Lifecycle (SDL) initiative, and Michael Howard, the co-author of Writing Secure Code for Vista, referred to the spate of attacks in 2006 that exploited numerous vulnerabilities in Office 2003's file formats. The suite's core applications -- Word, Excel and PowerPoint -- were all patched multiple times last year.

"I can't gloss this over. You can look up the security bulletins that apply to Office 2003 yourself."

The attacks, and the flaws they exposed, not only prompted immediate patches -- and the release this week of Office 2003 Service Pack 3 (SP3) -- but pushed Microsoft to step up efforts to track down bugs before shipping code.

"We realized that fuzzing needed to be a much bigger part of what we did," said LeBlanc. "We were already on the road to doing that, but we had to do more of it, and get smarter at it."

"Fuzzing" is a process used by security researchers trolling for vulnerabilities and by developers looking for flaws in their code before it goes public. Armed with fuzzers -- automated tools that drop data into applications, file formats or operating system components to see if, and where, they fail -- programmers stress-test software. LeBlanc calls it "exercising the code."

Office 2007, especially its file formats, was extensively fuzzed during its development, often with custom-built fuzzers written by the teams responsible for specific file formats, said LeBlanc. In turn, that led Microsoft's developers to go back into Office 2003 to run the same level of fuzzing against its code as was done with Office 2007. Fixes for flaws uncovered during the repeat round of testing were incorporated in SP3. Office 2007, especially its file formats, was extensively fuzzed during its development, often with custom-built fuzzers written by the teams responsible for specific file formats, said LeBlanc. In turn, that led Microsoft's developers to go back into Office 2003 to run the same level of fuzzing against its code as was done with Office 2007. Fixes for flaws uncovered during the repeat round of testing were incorporated in SP3.


If you heard it once you have heard it a thousand times...fuzzing shouldn't work.

I agree that fuzzing shouldn't work and the truth is starting to work less and less as vendors (like Microsoft) start to seriously "exercise their code" before release.

But fuzzing is far from dead. Security professionals have moved from randomly fuzzing parts of programs into fuzzing in a very smart & focused manner which exercises the entire codebase. New fuzzing frameworks are being released which are making fuzzing process accessible to the masses....or are at least bringing it closer to the masses.

Sadly, random fuzzing will continue to work for many years against certain groups of software. It will work against vendors that haven't "learned the fuzzing lesson" or other programs which aren't built with security as a focus (shareware, small development shops, etc).

Just look at the recent vulnerabilities which were uncovered via fuzzing...
(this is just a small smaple)

Aug 2007 - Opera & Mozilla: JS Fuzzer Finds Flaws in Browsers
July 2007 - ISE: iPhone / Safari Moblie Browser (PDF)
June 2007 - Errata Secuirty: Safari Browser Flaws
Nov 2006 - MoKB: Month of Kernel Bugs
July 2006 - MoBB: Month of Browser Bugs
June 2006 - Lorcon: 802.11 Fuzzing Finds Driver Flaws

Friday, September 21, 2007

First-Ever GPL Lawsuit

Via CIO-Today -

On Thursday, the free software world saw a first. The Software Freedom Law Center announced that it filed the first-ever U.S. copyright infringement lawsuit based on a violation of the GNU General Public License (GPL) on behalf of its clients.

The plaintiffs are the two principal developers of BusyBox, a set of Unix utilities for embedded systems. BusyBox is open-source software licensed under GPL version 2. The defendant in the case is Monsoon Multimedia. The lawsuit was filed in Manhattan Federal District Court.

"We licensed BusyBox under the GPL to give users the freedom to access and modify its source code," Erik Andersen, a developer of BusyBox and a named plaintiff, said in a statement. "If companies will not abide by the fair terms of our license, then we have no choice but to ask our attorneys to go to court to force them to do so."

One of the conditions of the GPL is that redistributors of GPL software are required to ensure each downstream recipient is provided access to the source code of the program. On the company's own Web site, Monsoon Multimedia has publicly acknowledged that its products and firmware contain BusyBox. However, it has not provided any recipients with access to the underlying source code, as is required by the GPL, according to the complaint.

The complaint requests that an injunction be issued against Monsoon Multimedia. It also requests that damages and litigation costs be awarded to the plaintiffs. The lawsuit, "Erik Andersen and Rob Landley v. Monsoon Multimedia," will be heard by Senior District Judge John E. Sprizzo of the United States District Court for the Southern District of New York.

"Free software licenses such as the GPL exist to protect the freedom of computer users. If we don't ensure that these licenses are respected, then they will not be able to achieve their goal," Eben Moglen, Software Freedom Law Center's founding director, said in a statement. "Our goal is simply to ensure that Monsoon Multimedia complies with the terms of the GPL."

Matousec Security: Windows Personal Firewall Analysis

Via -

During our security analyses of personal firewalls and other security-related software that uses SSDT hooking, we found out that many vendors simply do not implement the hooks in a proper way. This allows local Denial of Service by unprivileged users or even privilege escalations exploits to be created. 100% of tested personal firewalls that implement SSDT hooks do or did suffer from this vulnerability! This article reviews the results of our testing and describes how a proper SSDT hook handler should be implemented. We also introduce BSODhook – a handy tool for every developer that deals with SSDT hooks and a possible cure for the plague in today's Windows drivers world.

Source Code for MediaDefender Anti-Piracy Tools Leaked

Via Threat Level -

Hackers who seized more than 6,000 internal company e-mails from anti-piracy company MediaDefender, have made good on their promise to release additional material from the company. Today's trove includes source code for dozens of tools MediaDefender uses (or, perhaps, used to use) to thwart the trading of copyrighted content on file-sharing networks. These include tools like BTSeedInflator and BTDecoyClient that target the BitTorrent network.

The code is a boon to admins on the targeted file-sharing networks since it exposes MediaDefender's methods for seeding the networks with decoy files and, therefore, will help the admins combat those strategies.

Ernesto at TorrentFreak was, once again, the first to hear about the new leak of MediaDefender data. Ernesto has been on top of the MediaDefender story for months, having first discovered in July that MediaDefender was secretly operating a download site to catch users trading in illegal content. After he exposed this information, a hacker or group of hackers who go by the name MediaDefender-Defenders e-mailed him last Saturday telling him that they had seized thousands of internal MediaDefender e-mails and had released them to the BitTorrent network.

A day later, the same group released the content of a database seized from a MediaDefender company server as well as a recording from a conference call that appears to be between a MediaDefender employee and investigators with the New York attorney general's office. The parties speaking on the call discussed a secret project that MediaDefender was working on with the law enforcement investigators to troll file-sharing networks for people trading in child porn.

According to notes the hackers have included with some of their data dumps, they've been inside MediaDefenders computer network -- and possibly its phone system -- for nine months. More data is likely to come.

IronKey Launches Secure USB Flash Drive for Enterprises and the Military

Via IronKey Press Release -

September 20, 2007 - Los Altos, CA. - IronKey Inc., a provider of secure portable computing products and Internet security services, announced today the launch and availability of the IronKey: Enterprise Special Edition, a secure flash drive designed for use on sensitive government, military and enterprise networks.

"We have been working closely with numerous enterprises and government agencies to develop an IronKey that retained the military-grade hardware encryption and nearly indestructible design of the original IronKey, but that can be easily deployed in extremely sensitive and restrictive network environments," said David Jevans, CEO of IronKey and Chairman of the Anti-Phishing Working Group. "And that is what the IronKey: Enterprise Special Edition is, a device designed to protect the most critical data assets of our government, military and enterprise customers."

The IronKey: Enterprise Special Edition, like all of IronKey's product family, has been designed to be the world's most secure USB flash drive, using onboard hardware encryption to protect the gigabytes of files that can be stored on the device. No software or drivers need to be installed on your computer to use an IronKey. A password is used to unlock your IronKey, and this is verified in hardware. If an IronKey is lost or stolen, attempts to unlock or tamper with the IronKey will trigger a self-destruct sequence, ensuring data is kept confidential.

The IronKey: Enterprise Special Edition features include:
  • Hardware-Encrypted USB Flash Drive: With its strong hardware AES cryptography and authentication, there is no need to install additional hardware, software or drivers.
  • No Administrator Privileges Needed: Unlike many other encryption products, the IronKey does not require Administrator privileges on Windows XP or Vista.
  • Designed for Enterprise Networks: The IronKey performs dynamic drive letter mapping for use in enterprise environments with network-mapped drives.
  • Tamper-Resistant and Waterproof: The IronKey is designed so that it cannot be physically tampered with or disassembled by a determined hacker. The IronKey has also tested, passed, and exceeded military waterproof standards (MIL-STD-810F).
  • Easy to Inventory: Each IronKey has a unique, easy-to-read serial number, making it easy for IT managers to inventory the devices.
  • Assists in Regulatory Compliance: The IronKey helps organizations meet regulatory requirements such as HIPAA, Sarbanes-Oxley and GLBA.
  • Rugged and Durable: Unlike plastic USB drives, the IronKey's rugged metal casing is filled solid with epoxy, making it both tamperproof and waterproof.

As far as I can tell, the 4GB Special Edition IronKey is only $150 dollars. At that price...this is a total steal. wow!

MIT Student Arrested For Fake Bomb At Logan

Via -

BOSTON An MIT student with a fake bomb strapped to her chest was arrested at gunpoint Friday at Logan International Airport and later claimed it was artwork, officials said.

Star Simpson, 19, had a computer circuit board and wiring in plain view over a black hooded sweat shirt she was wearing, said State Police Maj. Scott Pare, the commanding officer at the airport.

"She said that it was a piece of art and she wanted to stand out on career day," Pare said at a news conference. "She claims that it was just art, and that she was proud of the art and she wanted to display it."

The battery-powered rectangular device had nine flashing lights, he said. Simpson also had Play-Doh in her hands, he said.

The phrases "Socket to me" and "Course VI" were written on the back of sweat shirt, which authorities displayed to the media. Course VI appears to be a reference to MIT's major of electrical engineering and computer science.

Simpson pleaded not guilty to a charge of possessing a hoax device at her arraignment in East Boston District Court Friday afternoon. She was released on $750 bail and ordered to stay away from Logan Airport.

Simpson could face up to five years in prison and a $5,000 fine.

"I'm shocked and appalled that somebody would wear this type of device to an airport," Pare said.

Simpson was "extremely lucky she followed the instructions or deadly force would have been used," Pare said. "She's lucky to be in a cell as opposed to the morgue."

Simpson is a Massachusetts Institute of Technology sophomore from Hawaii, officials said.

Simpson was a member of MIT's swimming and diving team in 2006, according to the team's Web site, which lists her hometown as Kihei, Hawaii, and her high school as Hawaii Preparatory. MIT spokeswoman Patti Richards confirmed that Simpson is an MIT student, but said the school could not immediately confirm any other details and did not have further comment.

She was arrested about 8 a.m. outside Terminal C, home to United Airlines, Jet Blue and other carriers.


After seeing photos of the device and of the sweatshirt, I can see how this could be a problem. Given the addition of play-doh, which could visually be mistaken for plastic wasn't a smart thing to do at the airport.

However, this device doesn't seem any more advanced than this year's Defcon I hope that the government determines her intent and reduces the "hoax device" charge.

Adobe PDF ZeroDay


I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in the core of today’s modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available.

Highlight from the Comments

1) it affects both… embedded and standalone [PDF Files].

2) Windows Vista users are not affected.
3) The PDF issue is officially confirmed by Adobe’s team. Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit.

Velociraptor Was Just a Scary Turkey

Via The Hindu -

Velociraptor, the fearsome dinosaur made famous in the Jurassic Park films, had feathers and probably more closely resembled a big turkey than the killer screen dinosaur, scientists have discovered.

Velociraptor, which was much smaller in real life than its screen version, was a one-metre tall, two-legged predator that lived more than 70m years ago. Equipped with large claws on each leg, it was a close relative to the earliest birds.

In a study of the fossilised forearms of velociraptors found in Mongolia in 1998, palaeontologist Mark Norell of the American Museum of Natural History found "quill knobs" - bumps where the feathers used for flight in modern birds are anchored to the bone with ligaments. His results are published in the journal Science.

"The more that we learn about these animals the more we find that there is basically no difference between birds and their closely related dinosaur ancestors like velociraptor," said Professor Norell.

"Both have wishbones, brooded their nests, possess hollow bones, and were covered in feathers. If animals like velociraptor were alive today our first impression would be that they were just very unusual looking birds." Because of velociraptor's relatively short forelimbs, the feathers would not have helped it to fly.

The researchers speculated that the feathers could have been passed down from smaller ancestors that did fly but would have served other functions such as display, shielding nests, temperature control or to help stability and manoeuvring while running.

Lead Concerns Prompt Warning About Lunch Boxes

Via Mercury News -

SACRAMENTO—State officials on Thursday urged consumers not to use some 56,000 potentially lead-tainted lunch boxes from China that were distributed through the Department of Public Health in an effort to get people to eat more fruits and vegetables.

Tests found elevated levels of lead in three of the boxes, officials said.

The boxes were given out at health fairs and other events and carried a logo saying "eat fruits and vegetables and be active."

"Certainly it's unfortunate that an item we're using to hopefully promote healthy behavior is then discovered to be a potential health hazard," the department's director, Mark Horton, said in a conference call with reporters.

He said a swab test conducted by the Sacramento County Health Department in July indicated that the boxes contained lead.

Several weeks of more sophisticated testing done through the state Department of Toxic Substance Control confirmed the presence of lead "in multiple parts of the box," including the logo, he added.

"I think we took the appropriate steps based on the information available to us at the time," Horton said when asked why it had taken so long to issue a warning to the public.

He said the department did tell community groups to stop requesting more of the boxes while the testing was taking place.

He also urged parents whose children may have used the boxes to consult with a physician to see if the kids should be tested for exposure to lead.

The green canvas boxes were imported from China by T-A Creations Inc. of Los Angeles.
Andrew Halim, company's vice president, said only the boxes' linings were tested and found to be free of lead before they were sold to the state through another company.

"That's the only request we had," Halim said in an interview.

But Horton said the lining of the tested boxes also contained some lead.

Thursday, September 20, 2007

New Cyber Security Initiative Looks to Increase NSA Domestic Monitoring

Via Wired Blog -

The plan calls for the NSA to work with the Department of Homeland Security and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the "Cyber Initiative." Details of the project are highly classified...

At the outset, up to 2,000 people -- from the Department of Homeland Security, the NSA and other agencies -- could be assigned to the initiative, said a senior intelligence official who spoke on condition of anonymity.

The NSA's new domestic role would require a revision of the agency's charter, the senior intelligence official said. Up to now, the NSA's cyberdefense arsenal has been used to guard the government's classified networks -- not the unclassified networks that now are the responsibility of other federal agencies...

Current and former intelligence officials, including several NSA veterans, warned that the agency's venture into domestic computer and communications networks -- even if limited to protecting them -- could raise new privacy concerns. To protect a network, the government must constantly monitor it.

"This will create a major uproar," predicted Ira Winkler, a former NSA analyst who is now a cybersecurity consultant.

"If you're going to do cybersecurity, you have to spy on Americans to secure Americans," said a former government official familiar with NSA operations. "It would be a very major step."

Security Researcher Finds Flaw in Windows Media Player

Via ComputerWorld -

Hackers can wield malicious Windows Media Player files to exploit any unpatched Internet Explorer (IE) vulnerability on a PC -- even if the user relies on Firefox, Opera or some other Web browser, a UK security researcher said yesterday.

Microsoft is investigating, a spokesman said Wednesday.

Petko Petkov, a penetration tester who released proof-of-concept code last week for a flaw in Apple's QuickTime, said Tuesday that Microsoft's media software also harbors critical bugs that could be used to hijack PCs. On his blog, Petkov posted several exploits targeting a vulnerability in the "HTMLView value" XML tag that's used in several support Windows Media Player file formats, including .asx.

"HTMLView will display a page of our choice within the stand-alone Windows Media Player," Petkov said. "I repeat, the page will be opened within the Media Player surroundings, not a stand-alone browser. This is very interesting behavior."

Medco Sys Admin Pleads Guilty To Computer Sabotage

Via -

A former systems administrator at Medco Health Solutions pleaded guilty in federal court Wednesday to writing and planting malicious code that could have crippled a network that maintains customer health care information.

Yung-Hsun Lin, of Montville, N.J., pleaded guilty in U.S. District Court in Newark, N.J. to the charge of transmitting code that would cause damage to a protected computer. The charge carries a maximum sentence of 10 years, but the plea deal sets a guideline of 30 to 37 months. The judge, who will levy the sentence on Jan. 8, is not bound to the guidelines.

"Had this gone off, the damage to Medco's reputation could have been catastrophic," Assistant U.S. Attorney Erez Liebermann told InformationWeek. "I look at this as one of the most significant [computer sabotage] cases because it could have done more than financial damage."

Lin admitted to creating and planting the malicious code, or logic bomb, on Medco's computer network because he feared he would lose his job in an expected round of layoffs. Another systems administrator at the company, however, foiled his plan when he discovered the logic bomb before it went off.

If it had been detonated, prosecutors say the code would have eliminated pharmacists' ability to know if a new prescription would dangerously interact with a patient's current prescriptions. They also say it would have caused widespread financial damages to the company. Even though it didn't go off, Medco reported that it cost them between $70,000 and $120,000 to clean up the problem.

Wednesday, September 19, 2007

Learn To Talk like a Pirate

Part 5 of the LoadingReady Language Series

Thanks to Captain "I hate Hard Disks" Charisma for the link.

International Talk Like A Pirate Day 2007

International Talk Like A Pirate Day 2007 (Sept 19th 2007)

Brwaack! Polly want a cracker? … Oh, wait. That’s for Talk Like a PARROT Day.

Uninformed Journal - Volume 8

Uninformed is pleased to announce the release of its eighth volume. Thisvolume includes 6 articles on a variety of topics:

Covert Communications: Real-time Steganography with RTP
Author: I)ruid

Engineering in Reverse: PatchGuard Reloaded: A Brief Analysis ofPatchGuard Version 3
Author: Skywing

Exploitation Technology: Getting out of Jail: Escaping InternetExplorer Protected Mode
Author: Skywing

Exploitation Technology: OS X Kernel-mode Exploitation in a Weekend
Author: David Maynor

Rootkits: A Catalog of Local Windows Kernel-mode Backdoor Techniques
Authors: skape & Skywing

Static Analysis: Generalizing Data Flow Information
Author: skape

This volume of the journal can be found at:

Tuesday, September 18, 2007

The Threat of Reputation-Based Attacks

Via SecurityFix Blog - is accustomed to being attacked by online crooks: The volunteer-led cybercrime-fighting group has endured nearly a month long siege by thousands of criminally-controlled PCs aimed at crippling its Web site. So when the latest attack failed to prevent legitimate users from visiting the site, the bad guys unveiled an unlikely secret weapon: bogus donations.

The unauthorized contributions all came in via PayPal, the online payment service owned by eBay. Some were sent via PayPal accounts that attackers had hijacked in phishing scams; others were submitted through PayPal's e-check option using compromised checking account numbers. A few donations were for as little as $1, while other fake donations ranged as high as $2,800.

To the victims of the stolen PayPal accounts, it looks as if CastleCops is the one stealing their money, when in reality, it's the attackers. Also, the fraudulent activity seeks to ruin their relationship with PayPal.

This attempt to smear the good name of a legitimate organization by tainting them with the stain of illegal activity - known as a "reputation attack" - came after more than three weeks of sustained distributed denial-of-service (DDoS) attacks against So-called DDoS attacks direct the Web traffic of thousands of "bots - compromised PCs that when grouped together are called "botnets" -- at a targeted site, with the aim of rendering it unreachable.

CastleCops is working with PayPal and the FBI to try to stem the fraudulent donations. So far, the organization has refunded 37 unauthorized contributions, but many more are still pending. Meanwhile, even more unwanted gifts keep rolling in.

CastleCops has been under fairly consistent DDoS attacks since early this year. The group's volunteers work with Internet service providers and other industry partners to combat a variety of criminal enterprises, from phishing schemes to spam to malicious software hosted on hacked Web sites or home computers. Many of those same partners have also stepped forward to help the group fend off the DDoS attacks.

When it became clear to attackers that this most recent frontal assault was no longer working, they changed their tactics, said CastleCops co-founder Paul Laudanski.

"Clearly someone's got it in for us and has been paying someone to try and take us out, but we're bringing discredit on the botnet masters because they're not succeeding," Laudanski said.
You know you've succeeded in angering some deep-pocketed criminals when they start burning stolen PayPal accounts by the dozen after botnet-for-hire attacks fail to work. One criminal organization that CastleCops has been particularly effective against - known as the Rock Group - stole more than $150 million worth of consumer data last year in phishing attacks, according to security giant Verisign.


Wow, this is pretty crazy.

But since an unverified Paypal account with a couple hundred dollars in it can be purchased for between 15 - 50 dollars, the bad guys can throw almost 100% of their smaller stolen accounts at Castlecops and still make huge money off the larger accounts......scary.

Castlecops reports on tons of Paypal phishing attacks, so this reputation-based attack is doomed to fail from the corporate trust standpoint...and as the news get out to the general public, it is doomed to fail on the public level as well. But while the attack might not take Castlecops out of the game, it is forcing them to be defensive....which reduces the resources that can be used for the offensive fight against the bad guys.

Artists Against 419 claims to have been a victim of a very similar reputation-based attack as well.

If any group can weather this "storm", it is Castlecops. Good luck guys....keep those reports flowing.

Google Releases Open-Source Fuzzer PoC

Flayer is a Valgrind tool which provides bit-precise dynamic taint analysis of input to a target application. In addition, it allows this flow to be altered irrespective of content through the modification of conditional jump (if clauses) and function call behavior.

In addition, a small, Python wrapper library, LibFlayer, is included. It provides an easy interface for automation.

This is a proof of concept implementation, but it is fully functional. Please check it out!


Also check out the blog entry by for more information about Flayer.

Symantec Internet Security Threat Report - Sept 2007

The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, Phishing, spam and security risks as well as future trends. The twelfth version of the report, released September 17, 2007, is now available.

Computer Science Grad Convicted Of Hacking Into Texas A&M

Via Yahoo! News -

An alumnus of Texas A&M University was convicted of hacking into the school's computer system and stealing 133,000 Net ID's and passwords from students and employees.

Luis Castillo, 23, admitted to breaking into the system and embedding malicious code that gathered and transferred the information to a file where he could easily retrieve it. He was found guilty of recklessly gaining unauthorized access and causing damage to the Texas A&M domain controller.

The man, who graduated with a bachelor's degree in computer science in December 2006, faces a maximum of five years imprisonment and a $250,000 fine. He is set to be sentenced on Dec. 10.

"We appreciate the FBI's commitment to investigating this type of crime," said Dr. Pierce Cantrell, VP and associate provost for information technology at Texas A&M University, in a written statement. "Such action and results should certainly serve as a deterrent to anyone else who might be contemplating such activities."

Microsoft Office 2003 SP3 Expected Tomorrow

Via -

September 17, 2007 (Computerworld) -- Microsoft Corp. may be successfully hawking Office 2007, but the software vendor isn't neglecting its many users who remain on Office 2003.

On Wednesday, the company is expected to release a third service pack update for Office 2003, making the update available for downloading from its Web site.

In a white paper released to the media, Microsoft said that Service Pack 3 offers security improvements, better compatibility with Windows Vista and other customer-requested features while minimizing the impact on existing systems -- a major concern for IT managers worried about how an update could affect the PCs of their users.

The security enhancements in SP3, which comes two years to the month after its SP2 predecessor, include improved protection from social engineering attacks designed to steal private user data, Microsoft said. It also enables IT administrators to more finely control what types of documents users can download and open, and adds other security features that are already in Office 2007.

In addition, the update includes more than 450 fixes, many of them for minor but nagging bugs caused by incompatibility between Office 2003 and newer Microsoft products such as Vista and Internet Explorer 7. For instance, Microsoft said that Word 2003 users will now be able to copy and paste text from a Web e-mail account, such as Windows Live Hotmail or Yahoo Mail, in IE 7 without causing the word processing application to crash.

Another fix is designed to prevent the screen from flickering when users move their mouse over the tab control in the Access 2003 database.

Office 2003 users who don't go to Microsoft's site to download SP3 will be notified of the update by the software vendor's AutoUpdate feature over the next few weeks.

Tell-All PCs and Phones Transforming Divorce

Via -

The age-old business of breaking up has taken a decidedly Orwellian turn, with digital evidence like e-mail messages, traces of Web site visits and mobile telephone records now permeating many contentious divorce cases.

Spurned lovers steal each other’s BlackBerrys. Suspicious spouses hack into each other’s e-mail accounts. They load surveillance software onto the family PC, sometimes discovering shocking infidelities.

Divorce lawyers routinely set out to find every bit of private data about their clients’ adversaries, often hiring investigators with sophisticated digital forensic tools to snoop into household computers.

“In just about every case now, to some extent, there is some electronic evidence,” said Gaetano Ferro, president of the American Academy of Matrimonial Lawyers, who also runs seminars on gathering electronic evidence. “It has completely changed our field.”

Privacy advocates have grown increasingly worried that digital tools are giving governments and powerful corporations the ability to peek into peoples’ lives as never before. But the real snoops are often much closer to home.

“Google and Yahoo may know everything, but they don’t really care about you,” said Jacalyn F. Barnett, a Manhattan-based divorce lawyer. “No one cares more about the things you do than the person that used to be married to you.”

Most of these stories do not end amicably. This year, a technology consultant from the Philadelphia area, who did not want his name used because he has a teenage son, strongly suspected his wife was having an affair. Instead of confronting her, the husband installed a $49 program called PC Pandora on her computer, a laptop he had purchased.

The program surreptitiously took snapshots of her screen every 15 seconds and e-mailed them to him. Soon he had a comprehensive overview of the sites she visited and the instant messages she was sending. Since the program captured her passwords, the husband was also able to get access to and print all the e-mail messages his wife had received and sent over the previous year.

What he discovered ended his marriage. For 11 months, he said, she had been seeing another man — the parent of one of their son’s classmates at a private school outside Philadelphia. The husband said they were not only arranging meetings but also posting explicit photos of themselves on the Web and soliciting sex with other couples.


I am really surprised that they didn't even hint at the rise of Traffic Cameras & RFID tracking in divorce cases...

June 2007

August 2007,CST-NWS-cheat12.article

The sad part is...we saw it coming...

Sept 2004
"Several people have lost divorce cases after lawyers subpeonaed data from RFID systems used in EasyPass express toll systems and used it as evidence against them, noted panel moderator David Kirkpatrick, senior editor of Fortune magazine."
"You can imagine nightmare legal scenarios that don't involve the cops. Future divorce cases could involve one party seeking a subpoena for RFID logs--to prove that a spouse was in a certain location at a certain time."

Tools of the Trade - Freeworld Edition

As a consequence of the new German law on 'hacking tools', THC (The Hacker's Choice) decided to re-structure its team and split into a German and Freeworld division. German members will not continue to develop and distribute THC releases and papers. Members outside Germany will continue in the spirit of THC on some servers outside Europe.


On to the tools...

On Sept 14th, QuickTime Alternative v1.90 was released. QuickTime Alternative allows your system to play QuickTime movie files (.mov) without having to install the full version of the Quicktime Player. It includes the browser plugins to allow seamless playback of movies within webpages. This release updates the included QuickTime components to version

On Sept 13th, Shreyas Zare released Technitium MAC Address Changer v4.7. The list of features in this freeware Mac changer is very impressive. This tool will be added to my normal pen-test install, for sure.

On Sept 13th, Pidgin 2.2.0 was released. Pidgin is a multi-protocol Instant Messaging client that allows you to use all of your IM accounts at once. Check the changelog for all the details.

On Sept 12th, Nth Dimension released SSHatter v.0.3. SSHatter is a remote brute force utility that attempts every password from a given list against a target.

On Sept 11th, Real Alternative 1.60 was released. Real Alternative allows your system to play Real Media files (.ra .ram) without having to install the full version of RealPlayer.

On Sept 10th, Microsoft released Process Explorer v11.01.

On Sept 10th, CCleaner v2.00.500 was released. CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. See the complete version history for all the details.

On Sept 9th, Jason Ostorm released VoIP Hopper 0.9.0. VoIP Hopper is a GPLv3 licensed security tool, written in C, which rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper does this by mimicking the behavior of an IP Phone.

On Sept 8th, FileZilla 3.0 was released. FileZilla is a fast and reliable FTP client and server with lots of useful features and an intuitive interface.

Google recently released Sketchup 6.0.1099. Google SketchUp (free) is an easy-to-learn 3D modeling program that enables you to explore the world in 3D. With just a few simple tools, you can create 3D models of houses, sheds, decks, home additions, woodworking projects - even space ships. And once you've built your models, you can place them in Google Earth, post them to the 3D Warehouse, or print hard copies.

OpenOffice v2.3 was released recently. Check the release notes for all the changes. This version includes a security fix as well.

The Lives of Others

After attempting to fight a case of the Mondays all day at work, I decided to relax tonight and watch a movie. So I rented "The Lives of Others'.

I must say, if you haven't seen must. Wow...

Very moving.

Monday, September 17, 2007

Colin McRae Killed in Helicopter Crash

(photo via MotorTrend)

Colin Steele McRae, MBE (5 August 1968 – 15 September 2007) was a Scottish World Rally Championship (WRC) driver, the son of five-time British Rally Champion, Jimmy McRae and older brother of professional driver Alister McRae. He won the world driver's title in 1995, was championship runner-up in 1996, 1997 and 2001, and third in 1998.

He helped Subaru to the Manufacturers' title in 1995, 1996 and 1997, and Citroën in 2003. He was appointed a Member of the Order of the British Empire in 1996.

At approximately 4:10 pm on 15 September 2007, an AS350B2 Squirrel helicopter registered G-CBHL to McRae crashed 1 mile (1.6 km) north of Lanark, Scotland, close to the McRae family home. McRae's agent Jean-Éric Freudiger stated that McRae was piloting the helicopter at the time of the crash. Police confirmed the next day that McRae, his five year old son Johnny, and two family friends, Graeme Duncan and Johnny's six year old friend Ben Porcelli, died in the crash.McRae's previously active website,, was later replaced with a memorial screen stating a few details about the crash, and then with a short statement released on behalf of McRae's father, Jimmy.

Exploiting Concurrency Vulnerabilities in System Call Wrappers

System call interposition allows the kernel security model to be extended. However, when combined with current operating systems, it is open to concurrency vulnerabilities leading to privilege escalation and audit bypass. We discuss the theory and practice of system call wrapper concurrency vulnerabilities, and demonstrate exploit techniques against GSWTK, Systrace, and CerbNG.

Paper (PDF) by Robert N. M. Watson of the Computer Laboratory @ University of Cambridge

Also see his slides (PDF) from USENIX WOOT 07.

MediaDefender Defenders Strike Again

Via TorrentFreak -

The leak of MediaDefender’s emails caused quite some controversy, Ironically, in a recently leaked phone call, a New York attorney and MediaDefender discuss the security of their email-server. Whilst there is some initial confusion as to where the leak may have originated, they eventually write it off as some technical problem.

The leaked phone call shows that they are unsure about their network protection, their IDS etc. One of the parties is on a VOIP connection which may explain how the leak was obtained.

The subject of the call is rather serious. MediaDefender is apparently involved in an ongoing Child Porn investigation. Their job is to identify child-porn images and report the IPs of the offending computers back to the government. A tricky project since it would mean that they actually have to download and rate the illegal content.

This wont be the end of the leaks according to the “MediaDefender-Defenders”, they claim that more will follow when time is ready.

In addition the the phone call, a huge MySQL database dump from a MediaDefender server was leaked on BitTorrent as well. The database shows tracking and decoy file information for the Gnutella network which is used by P2P clients such as LimeWire.

All this leaked information is a huge blow for MediaDefender, and it will undoubtedly cost them a lot of time and money to clean this up. Interestingly, no evidence can be found that MediaDefender is actually involved in prosecuting or gathering evidence against filesharers (as we reported earlier). Their core business is releasing fake files and polluting the filesharing networks.

Sunday, September 16, 2007

Spammers Bypass Myspace Link Protection Scheme

Some time ago, Myspace put in place a link protection scheme. This system is used to counter phishing and other link based spam on Myspace. It allows Myspace to kill any link found to be "evil"....but it seems the spammers have found a way to bypass this protection scheme.

Here you can see a link going to being redirected by Myspace's protection scheme.

Here, we see a typical Macy gift card spam message. This bulletin was sent to me this evening by a friend that had her account hijacked (most likely phished).

Note the URL in the status bar of the above screenshot. The red text is linking to a third-party website...and it got around the Myspace redirection protection scheme. But how?

See anything odd in that link anchor?? Yep, they have broken the anchor tag all up and even injected random text before the href section...effectively bypassing Myspace's link protection.

Here is a second bulletin posted by the same friend...note the change of the random text.

Saturday, September 15, 2007

U.S. Official Says Syria May Have Nuclear Ties

Via -

WASHINGTON, Sept. 14 — A State Department official said Friday that the United States had concerns about Syria’s involvement in illicit nuclear activities and suggested that North Korea might be aiding the Syrians in their efforts.

Andrew Semmel, a top official on countering the spread of nuclear weapons, said that Syria may have a number of “secret suppliers” for a covert nuclear program, and that North Korean technicians were currently operating inside Syria.

His comments, in an interview with The Associated Press in Rome, came in response to questions about an Israeli airstrike inside Syria last week. Neither Israel nor the United States has confirmed what targets the Israeli jets hit, and the government in Jerusalem has imposed a blanket restriction on the Israeli news media from reporting details about the raid.

American officials have been similarly tight-lipped, and officials who ordinarily see intelligence reports on such issues say their access has been restricted.

Mr. Semmel did not specify whether the technicians in Syria were specialists in nuclear technology; North Korea has long supplied Syria with missile technology. Some weapons experts said they were skeptical that Syria was in league with North Korea to build a secret program.

Media Defender E-Mail Leaked to Internet


When we reported in July that an Anti-Piracy Gang Launches their own Video Download Site to Trap People and that the company was called Media Defender and, as anyone who aims to be a credible news resource would, we checked and double checked our sources. We said, with some confidence:

Media Defender, a notorious anti piracy gang working for the MPAA, RIAA and several independent media production companies, just launched their very own video upload service called “”. The sole purpose of the site is to trap people into uploading copyrighted material, and bust them for doing so.

However, in
comments made to Ars technica, Media Defender’s Randy Saaf chose to rubbish our claims, calling it an ‘accidentally un-secured internal project’.

From the emails we cannot be sure that it’s an entrapment site or that it is related to the MPAA (perhaps it’s a legit a P2P video client?), but it does look suspicious.

Unfortunately for Media Defender - a company dedicated to mitigating the effects of internet leaks - they can do nothing about being the subject of the biggest BitTorrent leak of all time. Over 700mb of their own internal emails, dating back over 6 months have been leaked to the internet in what will be a devastating blow to the company. Many are very recent, having September 2007 dates and the majority involve the most senior people in the company. Apparently this is not the first time that a
MediaDefender email leaked onto the Internet.

HP ActiveX Remote Heap Overflow PoC

GOODFELLAS security research team has found a bug in a dll included in at least the following HP products:

* HP All-in-One Series Web Release
* HP Photo & Imaging Gallery version 1.1

The affected dll is called hpqutil.dll at least in it's version in English, and specifically the problem is a heap overflow.

Remotable exploitation of this heap overflow could allow a user to execute arbitriary code or crash internet explorer. The heap overflow is related to a call to lstrcpyA() inside a function that is not checking the buffer's bounds. This call is made from the FindFile() function the dll overloaded from MFC42. The dll allocates 320 bytes for the buffer where some arbitrarily long user input is to be stored.

This bug is related with "FileFind class from MFC Library cause heap overflow"

You could view more details in

This exploitable bug crashes internet explorer and if used along other techniques could allow for remote code execution. Explotation requires a targetted user to load a web page containing the crafted activeX control with internet explorer, it is also required to have activeX enabled.