Friday, August 1, 2008

Spliced feed for Security Bloggers Network

Top 10 Reasons I'm Not Attending BlackHat [The Falcon's View]

Posted: 01 Aug 2008 08:41 AM CDT

1010. The baby is due any day now.
1001. I don't look good in black.
1000. CRISS ANGEL Believe™ Hasn't Opened Yet.
0111. No piercings or tattoos.
0110. I don't enjoy over-hyped over-the-top presentations.
0101. In the game "spot the...

SIPcrack - SIP Login Dumper & Hash/Password Cracker [Darknet - The Darkside]

Posted: 01 Aug 2008 05:26 AM CDT

SIPcrack is a suite for sniffing and cracking the digest authentication used in the SIP protocol. The tools offer support for pcap files, wordlists and many more to extract all needed information and bruteforce the passwords for the sniffed accounts. If you don’t have OpenSSL installed or encounter any building problems try ‘make...

wsrtool [Didier Stevens] [Belgian Security Blognetwork]

Posted: 01 Aug 2008 04:31 AM CDT

Another WiFi program: This Python program allows you to process wsr files (capture files of the ISM spectrum, created by Chanalyzer with a Wi-Spy adapter).
The tool filters out selected frequencies or amplitudes (band-pass and band-stop filter).

You need to install the Python module Construct.

Here’s an unfiltered capture:

And here I used a band-pass filter with cutoff frequencies 2420 MHz and 2445 MHz:

How to 0wn a Cam? [/dev/random] [Belgian Security Blognetwork]

Posted: 01 Aug 2008 01:36 AM CDT

So simple and non-destructive!

0wN3d Security Cam

Admin Interface on the Web - It Boggles the Mind [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 01 Aug 2008 12:55 AM CDT

As system administration has matured and information technology has come along over the past decade or so we've learned many things which appear to go in one ear and then out the other. Most of these deal with secure systems design, and basically how to keep from making yourself an easy target for hackers.

With that glowing in the back of my mind like an energy-saving lightbulb, I went on a hunt for things that should not be available on the web.

First off, I think I've had this debate with people so many times it hurt my brain - but administrative interfaces to applications, appliances, or widgets simply shouldn't be available to the general web-based casual viewer. Worse yet, it should definitely *not* be indexable with a search engine.

With that in mind, I decided to give Google a chance to see how many people still allow open administrator pages on the 'net. Granted, sometimes you just can't help this, right... but if I can index your admin page, and your authentication mechanism isn't well-built... it's only a matter of time before I pwn you. Check it out for yourself: go to Google, use this search term "inurl:"admin" intext:administrator login" and see what you get. Scary, huh? How many of these systems that you find do you think you can grind away at until you guess a password via brute-force?

C'mon, boys and girls... you should *not* put an admin interface on the general net; that's what we have VPNs and management networks for. *sigh*.
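As an added example (not from the original post), the following Python script shows how a defender can spot, in an ordinary combined-format access log, the three things the post warns about: admin paths reached from outside the management network or VPN pool, search-engine crawlers fetching (and therefore indexing) those paths, and repeated failed logins against them. The admin paths, the management ranges and the log lines are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Paths on this (hypothetical) host that lead to an administrative interface.
ADMIN_PREFIXES = ("/admin", "/manager", "/wp-admin")

# Sources from which administration is legitimately done: the management
# VLAN and the VPN client pool. Both ranges are constructed for this example.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("10.99.0.0/16"),
]

# Search-engine crawlers identify themselves in the User-Agent header.
CRAWLER_RE = re.compile(r"bot|crawler|spider", re.IGNORECASE)

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_admin_path(path):
    """True if the request path (query string ignored) is an admin interface."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def is_management_source(ip_str):
    """True if the client address falls inside an allowed management range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_NETS)


def audit(lines):
    """Scan access-log lines for admin paths hit from outside management.

    external_admin_hits: (ip, path) for admin paths reached from the outside
    crawler_admin_hits:  (ip, user-agent) for crawlers on those paths, i.e.
                         the interface is being indexed
    failed_logins:       401/403 responses on admin paths per external ip
    unparsed:            lines that did not match the log format
    """
    result = {"external_admin_hits": [], "crawler_admin_hits": [],
              "failed_logins": Counter(), "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            result["unparsed"] += 1
            continue
        if not is_admin_path(rec["path"]) or is_management_source(rec["ip"]):
            continue
        result["external_admin_hits"].append((rec["ip"], rec["path"]))
        if CRAWLER_RE.search(rec["ua"]):
            result["crawler_admin_hits"].append((rec["ip"], rec["ua"]))
        if rec["status"] in ("401", "403"):
            result["failed_logins"][rec["ip"]] += 1
    return result


def brute_force_suspects(failed_logins, threshold=3):
    """Addresses whose failed admin logins reached the threshold."""
    return sorted(ip for ip, n in failed_logins.items() if n >= threshold)


# Constructed sample log. 10.10.0.5 is an admin on the management VLAN; the
# other addresses are documentation ranges standing in for the Internet.
SAMPLE_LOG = """\
10.10.0.5 - - [01/Aug/2008:09:12:01 -0500] "GET /admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Aug/2008:09:13:44 -0500] "GET /admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.50 - - [01/Aug/2008:09:15:02 -0500] "GET /admin/login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.9 - - [01/Aug/2008:09:20:10 -0500] "POST /admin/login.php HTTP/1.1" 401 312 "-" "curl/7.18.0"
198.51.100.9 - - [01/Aug/2008:09:20:11 -0500] "POST /admin/login.php HTTP/1.1" 401 312 "-" "curl/7.18.0"
198.51.100.9 - - [01/Aug/2008:09:20:12 -0500] "POST /admin/login.php HTTP/1.1" 401 312 "-" "curl/7.18.0"
203.0.113.7 - - [01/Aug/2008:09:25:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
garbage line that is not in combined format
"""


def demo():
    """Audit the constructed sample log."""
    return audit(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    r = demo()
    print("admin paths reached from outside:", r["external_admin_hits"])
    print("crawlers indexing admin paths:", r["crawler_admin_hits"])
    print("brute-force suspects:", brute_force_suspects(r["failed_logins"]))
    print("unparsed lines:", r["unparsed"])
```

Any non-empty result from the first two lists means the interface is reachable from the open net, which is the condition the post says should never exist; the real fix is the access restriction (VPN or management network), not the alert.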

Fixing the DNS Flaw Yourself at Home [The IT Security Guy]

Posted: 31 Jul 2008 08:20 PM CDT

Here's a brief howto from Preston Gralla on how to fix the DNS cache poisoning flaw for home users.

Actually, it's pretty simple. He just explains, with screen shots, how to configure your computer to use the DNS servers at OpenDNS, which, of course, have already been patched.

Download the videos from The Last HOPE hacker conference [Security4all] [Belgian Security Blognetwork]

Posted: 31 Jul 2008 06:34 PM CDT

You can download the videos made during The Last HOPE from

Bittorrent is being used to re-distribute the content, so help us seed.

You will find videos on subjects such as:
  • A Hacker's View of the Freedom of Information Act (FOIA)
  • Adam Savage
  • Bagcam
  • Biohacking - An Overview
  • Botnet Research, Mitigation and the Law
  • Building Hacker Spaces Everywhere - Your Excuses are Invalid
  • Cold Boot
  • Crippling Crypto - The Debian OpenSSL Debacle
  • From Black Hat To Black Suit
  • Ghetto IDS and Honeypots for the Home User
  • Hacking Cool Things with Microcontrollers
  • Hacking International Networks and Systems via VoIP
  • How Do I Pwn Thee - Let Me Count The Ways
  • Kevin Mitnick
  • Methods of Copying High Security Keys
  • Off the Grid Voice Data Communications
  • Pen Testing the Web with Firefox
  • PenTest Labs Using Live CDs
  • Phone Losers of America
  • Phreaks, Confs and Jail
  • Port Knocking and Single Packet Authorization - Practical Deployments
  • Project Telephreak
  • Rambam Part 1
  • Rambam Part 2
  • RIAA Litigations - How The Tech Community Can Help
  • The Art of Do-Foo
  • The Art of Social Engineering
  • The Emperor is Naked Virtualization Technologies Examined
  • The History of Phone Phreaking (1960-1980)
  • The Impossibility of Hardware Obfuscation
  • VoIP InSecurity Italians Do It Better
  • Wikipedia

Random stuff on my to do list [Security Coin]

Posted: 31 Jul 2008 05:05 PM CDT

SQL injection in web apps is sooooo old. It still exists everywhere and security companies are still making good moolah by capturing 'crown jewels' by exploiting this. However, I'm not sure that SQL injection testing for non web based applications/scenarios has caught on. Are they even worth trying? For example, I'd really like to test the logic for the following (for starters) at some point in life:

1. Cell phones - EMEA registration. Attempt to SQL inject the backend during registration and/or normal communication. Ditto with normal phone lines - would that work? Before I even say "Only one way to find out.." I should really read up on cell phones to test the theory..

2. Magstripes on cards - change data in the magstripe of ID cards, hotel access cards, credit cards, debit cards etc. to SQL inject the backend - Hmmm.. my name/cardnumber/PIN is now ' OR 1=1 -- ?
Something like little Bobby Tables.

3. Checks - Change the account number on checks to SQL inject the backend. I'm almost certain this would fail because of the MICR E13B restrictions on characters.. ah well..

Ah well.. I would need to get back into security consulting at some point if I want to test this out in a legal way..
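As an added example (not the post author's code), the following Python snippet plays out item 2 above against an in-memory SQLite table: a backend that splices the cardholder name from a Track 1 magstripe read straight into its SQL returns every card when the name field carries the post's ' OR 1=1 -- payload, while the parameterised version of the same lookup returns nothing. The table contents, the Track 1 strings and the lookup functions are all constructed for the example.

```python
import sqlite3

# Constructed sample data: the kind of card table a hotel-access or ID
# backend might hold. PANs, names and expiries are made up.
SAMPLE_CARDS = [
    ("4111111111111111", "SMITH/ALICE", "0912", 1),
    ("5500000000000004", "JONES/BOB", "1003", 0),
    ("340000000000009", "LEE/CAROL", "1101", 1),
]


def make_db():
    """Build an in-memory SQLite database holding the sample cards."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (pan TEXT, name TEXT, expiry TEXT, active INTEGER)"
    )
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?, ?)", SAMPLE_CARDS)
    conn.commit()
    return conn


def parse_track1(track):
    """Split a Track 1 magstripe string into (pan, name, rest).

    Layout: %B<PAN>^<NAME>^<expiry YYMM + service code + discretionary>?
    Track 1 is alphanumeric, so characters such as ' = and - are legal in
    the NAME field. (Track 2 is digits and a few separators only, which is
    why this vector needs Track 1.) Raises ValueError on malformed input.
    """
    if not (track.startswith("%B") and track.endswith("?")):
        raise ValueError("not a Track 1 record")
    fields = track[2:-1].split("^")
    if len(fields) != 3:
        raise ValueError("expected exactly three ^-separated fields")
    pan, name, rest = fields
    if not pan.isdigit() or not 1 <= len(pan) <= 19:
        raise ValueError("PAN must be 1 to 19 digits")
    return pan, name, rest


def lookup_vulnerable(conn, track):
    """Backend that trusts the card: the name is spliced into the SQL text."""
    pan, name, _ = parse_track1(track)
    sql = ("SELECT pan, name FROM cards WHERE pan = '%s' AND name = '%s'"
           % (pan, name))
    return conn.execute(sql).fetchall()


def lookup_safe(conn, track):
    """Same lookup with bound parameters: the name stays data, never SQL."""
    pan, name, _ = parse_track1(track)
    return conn.execute(
        "SELECT pan, name FROM cards WHERE pan = ? AND name = ?",
        (pan, name),
    ).fetchall()


# Constructed Track 1 reads. The second carries the post's payload where a
# real card would carry the cardholder name.
GOOD_TRACK = "%B4111111111111111^SMITH/ALICE^09121010000000000?"
INJECT_TRACK = "%B4111111111111111^' OR 1=1 --^09121010000000000?"


def demo():
    """Run both lookups against both reads; returns the four result sets."""
    conn = make_db()
    return {
        "good_vulnerable": lookup_vulnerable(conn, GOOD_TRACK),
        "inject_vulnerable": lookup_vulnerable(conn, INJECT_TRACK),
        "good_safe": lookup_safe(conn, GOOD_TRACK),
        "inject_safe": lookup_safe(conn, INJECT_TRACK),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-18s %d row(s): %s" % (label, len(rows), rows))
```

The same point covers item 3: a MICR E-13B line and a Track 2 stripe carry digits plus a handful of separator symbols, so they cannot carry this payload at all, but the correct defence is the same regardless of channel: bind the value, never concatenate it.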

Baseball, baseball, baseball [StillSecure, After All These Years]

Posted: 31 Jul 2008 04:13 PM CDT

It may be the dog days of summer, but it is the height of the baseball season and the trade deadline just passed. Not without some blockbuster deals going down though. The biggest one is a 3-team deal involving the Dodgers, Pirates and the Red Sox. The BoSox give up the heart and soul of their championship team, future hall of famer Manny Ramirez. In exchange they get Jason Bay from the Pirates. A few other players involved, but who cares. Does this mean the Sox are giving up on this season? As a Yankee fan I can't tell you how happy I am not to see Manny so many times a year. I also think Joe Torre will do a great job of managing Manny out in LA. Good luck to Manny. Though he killed us for years, I respected his talent.

Speaking of the Yankees, they have made a few moves for the pennant run. In addition to their own trade with the Pirates to get Xavier Nady and Damaso Marte, they pulled off a great deal yesterday getting Pudge Rodriguez to fill in as catcher for Jorge Posada. This could be a huge deal for the Yankees. They gave up Kyle Farnsworth, who, while he threw well this year, gave up home runs like candy. I am flying up to NY with my two sons tomorrow and will be at the Stadium tomorrow night to watch the Yanks play the Angels, who also made a big trade for the Braves' Mark Teixeira.

Another future hall of famer, Ken Griffey, Jr was also traded to the White Sox today.  Wow! What a day in baseball. I can't wait to sit in the temple that is Yankee Stadium with my two boys tomorrow. It is like a dream come true, similar to taking them to a Steeler game last year.  With all of the action going on around baseball it is also a great time to do it.

McAfee buys Reconnex for 46m [StillSecure, After All These Years]

Posted: 31 Jul 2008 03:55 PM CDT

Continuing the rapid consolidation, or maybe the swallowing, of the DLP market, McAfee, while announcing flat earnings today, also announced that they were acquiring Reconnex for 46 million in cash. That just about does it in the DLP market, with most of the pots having found a cover. Congrats to all of the folks at Reconnex!

F-Secure Reverse Engineering Challenge [Security4all] [Belgian Security Blognetwork]

Posted: 31 Jul 2008 03:33 PM CDT

For those interested, F-Secure is having another reverse engineering contest tomorrow.

The contest starts on Friday 1st of August 2008 at 12:00 and ends on August 3rd 2008 at 11:59 (local Assembly time, EEST).

Khallenge is a reverse engineering challenge made by F-Secure for the Summer ASSEMBLY 2008 event held in Helsinki, Finland. The contestants must reverse engineer binaries in order to discover keys that the executables will accept. After completing the first level, instructions will be given on how to proceed to the next level.

Further information about the challenge, including the official rules, is available from the Assembly '08 web site. You can find more information about the people behind this compo from the F-Secure Security Labs Weblog. (Source: F-Secure)

(Photo under Creative Commons from pt's Photostream)

Misc MA Stuff [The Security Shoggoth]

Posted: 31 Jul 2008 03:15 PM CDT

Been busy but I still wanted to post something quick.

If you didn't know, F-Secure's yearly reverse engineering challenge, Khallenge, is about to start. It works by using levels - you download a binary, figure out how to reverse it and get the password to the next level. I've done it in years past and have gotten to the last level but not beyond. Maybe I'll try this year. It starts August 1, 2008 at midnight (EEST) which should be about 5PM July 31, 2008 EST. It lasts only two days so get out there and start reversing!

There are many excellent blogs out there which have a lot of great information on reverse engineering and malware analysis. However, I want to call out one on which I consistently find excellent information on new threats and how to perform malware analysis: The Websense Security Labs Blog.

I'll be the first to admit that when I think of Websense I think of content filtering and not malware analysis. (Actually I think of some poor fool who has to visit every site that gets submitted to categorize it.) However, they have some really smart people working for them who do a lot of great malware analysis work. They constantly publish excellent blog entries about different aspects of malware. This is one of the blogs which I will ensure I read whenever they publish something new. Their RSS feed is here and I highly recommend it.

Anyone have any good resources they'd like to mention?

Sophos to Acquire Utimaco [Jon's Network]

Posted: 31 Jul 2008 02:30 PM CDT

Sophos intends to buy Utimaco. Until then, Sophos will resell SafeGuard Enterprise and they now have a mutual referral agreement for all products from both companies. Utimaco will become a new business unit focused on data security and the SafeGuard brand will be retained.

From the customer announcement email:

Our future direction integrates information control and security compliance with existing anti-malware infrastructure to make security more manageable, and merging with the market leader in mobile data security provides a strong foundation for growth and leadership.

ISOC: Grants Address Knowledge, Capacity, Cybercrime, And Digital Rights [Infosecurity.US]

Posted: 31 Jul 2008 01:19 PM CDT

ISOC: New grants have been assigned to individual local chapters, addressing knowledge, capacity, cybercrime, and digital rights. The cybercrime portion of the grants will focus on a project launched by the Estados Unidos Mexicanos ISOC chapter (Sociedad Internet de Mexico).

My Picks for BlackHat USA 2008 [Jeremiah Grossman]

Posted: 31 Jul 2008 01:01 PM CDT

Loads of awesome looking presentations this year! So hard to choose from. I really hope I'll have time to see most of them and not be stuck 24x7 in little rooms answering questions with people holding microphones. :) I hear the conference attendance is PACKED and suggest if you want to get in to see a popular speaker/talk, get there early. Oh, the same goes for the OWASP/WASC Party; get to the Breach booth early.

Day 1: 10:00 to 11:00

Bad Sushi: Beating Phishers at Their Own Game
Nitesh Dhanjani, Senior Manager
Billy Rios, Microsoft

I saw this talk at Blue Hat in Seattle a couple months back. Not only is the data they present extremely compelling, but their humor and speaking style really put it over the top. With so many dry talks in our industry, when speakers are actively engaging it really makes a difference.

Day 1: 11:15 to 12:30

DNS Goodness
Dan Kaminsky

The vulnerability itself and disclosure drama aside, I have it on good authority that Dan will provide some important lessons learned as a result of the fiasco with regards to software serviceability. I'm really interested in hearing what he has to say about how we can improve our situation so we can adapt better to a similar scenario down the road.

Day 1: 13:45 to 15:00

Iron Chef: Fuzzing Challenge

This event was a lot of fun last year when I participated as a "celebrity judge". Just don't be under the impression that this is a scientific experiment of any kind. Instead, simply enjoy the "show", where you can participate if you'd like. You get some code, find vulnerabilities however you want, and share your results. Simple! We should give them RSnake's blog software. :)

Day 1: 15:15 to 16:30

Xploiting Google Gadgets: Gmalware and Beyond
Tom Stracener
Robert Hansen

My man RSnake accompanied by Tom Stracener delivering Google zero-days and JavaScript malware PoC abound. Who could miss that! Keep your eyes peeled for Googlers in the front row feverishly taking notes and radioing live information back to the Googleplex. This talk might also renew our sense of paranoia about browser security, if there is such a thing.

Day 1: 16:45 to 18:00

FLEX, AMF 3 and BlazeDS: An Assessment
Jacob Carlson
Kevin Stadmeyer

Don't know much about the speakers or the talk itself, but the subject matter looks compelling and particularly timely. I've been doing a lot of my own research in Flash/Flex as well and there is a lot of unexplored territory within. XSS and CSRF malware payloads can and will get a lot worse with this stuff.

Day 2: 10:00 to 11:00

Encoded, Layered and Transcoded Syntax Attacks: Threading the Needle Past Web Application Security
Arian Evans

Going only because I have to speak alongside Arian. :) This presentation is the result of a large amount of experimentation on live websites using seriously obfuscated attack techniques. Some of the methods we're still not exactly sure why they work, only that they do in extreme edge cases. What we're also learning is that there are A LOT of web application vulnerability edge cases out there.

Day 2: 11:15 to 12:30

No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling
Ivan Ristic
Ofer Shezaf

A serious toss up between this one and Threats to the 2008 Presidential Election, which I'm sure is also going to be stellar. For me, I need to stay as up-to-date as I can in WAF technology evolution and Ivan is THE MAN in the open source space.

Day 2: 13:45 to 15:00

REST for the Wicked
Bryan Sullivan

Love the talk title and really interested in learning about any new attack techniques on SOAP and surrounding technologies. This area also continues to be a struggle for automated testing.

Day 2: 15:15 to 16:30

Get Rich or Die Trying – Making Money on the Web, the Black Hat Way
Jeremiah Grossman
Arian Evans

Again, only because I HAVE to be there. :) I've been wanting to do a presentation like this for quite some time and have finally been able to pull together enough data and public examples to make it possible. The idea is to demonstrate how to make serious money illicitly using the most simplistic of web attack techniques, all of which have already been used in the real world, and then speculate a little on other possibilities. All story driven, not meant to be ground breaking attack-wise, just really thought provoking and fun.

Day 2: 16:45 to 18:00

Pushing the Camel Through the Eye of a Needle

Only because the Sensepost guys are super l33t, always have exceptional material, and I've never been to a bad presentation yet. Didn't even bother to read the description, I know it'll be worthwhile. Hopefully I can make it over there after my presentation.

Recording and Stream Notice - Episode 116 [PaulDotCom]

Posted: 31 Jul 2008 12:50 PM CDT

The live stream should be active about 6:45 PM EDT, Thursday, July 31st. We should begin recording the live show at about 7:00 PM EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at #pauldotcom.

When active, the live stream(s) can be found at:

Please join us, and thanks for listening!

- Larry & Paul

No Honor Amongst Thieves: Phish Kits Compromised [Infosecurity.US]

Posted: 31 Jul 2008 11:50 AM CDT

Researchers from the UCSB Department of Computer Science (Marco Cova, Christopher Kruegel, and Giovanni Vigna) have released a paper at this Monday’s USENIX conference in San Jose, CA, entitled “There is No Free Phish: An Analysis of ‘Free’ and Live Phishing Kits”, detailing the illicit backdoors in already illicit software, whereby the data already stolen from the unsuspecting user, the victim of the phishing attack, is stolen once more by the criminals responsible for the kit publication! Once again, the old adage is relevant: “There is no honor amongst thieves”. You can download a PDF formatted copy of the paper from the Infosecurity.US Document Repository, or via USENIX.

The Daily Incite - July 31, 2008 [Security Incite Rants]

Posted: 31 Jul 2008 09:00 AM CDT

Today's Daily Incite

July 31, 2008 - Volume 3, #66

Good Morning:
I have to admit, the Internet has made me nicer. Now, I wouldn't go around saying I'm like nice or anything. But understanding how the blogosphere works and the fact that Google never forgets (it truly has a photographic memory) makes me a nicer person.
Have a nice day!
Since most of the folks that know me well wouldn't say that "nice" is one of the ways they'd describe me, I'll provide some context. A while back the Mogull was complaining about those sploggers that steal syndicated feeds and put up web sites that sell ads around someone else's content. He even ran a pretty funny experiment to see if they pay any attention to what shows up in the feeds. It's a deplorable practice, but it also must be working because I see another one of these sites (stealing my content) popping up weekly.

There are lots of different opinions about how to deal with this. I've chosen to not allow my feed to be syndicated without permission. It's my content and that's what I decided to do. Basically I ask (nicely I might add) for the content thief to stop syndicating my content. Most of the time these folks don't have an email address on the site (though I'm sure they have a place to deliver the AdSense commissions), so I'll leave a comment. Failing that, I lodge a complaint through FeedBurner and within a month or so that usually takes care of it.

Though I did get a pretty nasty response back from one of the webmasters, saying no one has ever asked to be removed from his site before and basically implying that I'm some kind of idiot. Didn't I know that it's very expensive to run a site that steals other people's content? How dare I question his ability to monetize my work (which I've chosen not to monetize).

Before the blogosphere, the "old" Mike would have ripped this guy apart. I would have sent one of my patented nasty-grams (anyone that has worked with me for any length of time has probably experienced it) and that would be that. But I didn't send a nasty-gram. In fact, I sent a very cordial response back saying it was a personal decision and thanked him for doing such great work to aggregate so much great content. Yes, I blew some smoke into his backside.

Huh? Have I become some kind of wimpy, sniveling lame butt? I guess if I'm being candid, sort of. I'm just very sensitive to the "TechCrunch" effect. Basically, if I sent a nasty-gram and told this guy what I really thought of him and how he's a drag on society and adds no redeeming value. That his parents should be ashamed of him and that if he had any kind of original thought or brain activity he would publish his own stuff, instead of stealing mine. But I didn't because I figured he would turn around and post it in a high profile place. And then I'd be the one that looked like a schmuck.

So there you have it, now I'm a nicer guy because I know when I'm not, it'll show up on some web site and make me look like an ass. I guess it's kind of a deterrent in that sense. To be clear, I'm not any nicer, I just understand that venom and vitriol should be delivered in ways that cannot be cut and pasted onto TechCrunch.

Have a great weekend. 

PS: If you didn't see, the P-CSO was reviewed on Slashdot. Woo Hoo.

Photo: "Smiley face cookie" originally uploaded by devillibrarian


Top Security News

Is there a "secure enough"?
So what? - I tend to say "good enough" at least a couple of times a day. I believe that given the opportunity, we'd hit the point of diminishing returns in security pretty frequently. Fact is, most of us don't get the resources or funding that we need to hit that point, but ultimately we need to get comfortable with the concept of "good enough." Until someone figures out how to turn security from overhead into revenue generation (and Ken, don't send me that friggin' white paper again :-), we'll still be in the same boat. Jai Vijayan does a little analysis of "secure enough" and it brings up some interesting points. Many of which are echoed in the P-CSO methodology. You know, figure out how secure you can/should be. Then understand "asset value," but personally I don't care about true value - but rather RELATIVE value. I'm trying to figure out what the most important assets are to protect. Then I need to implement a control framework (though that is much easier said than done). Check. Then measure and monitor. I think monitoring is critical, measurement is a nice to have. Not that it's not important to pull metrics, I just think there are a lot of things that can be measured that shouldn't. And the industry hasn't gotten any sense of agreement on what those things (to measure) should be. Overall this is a good article because it factors in the reality that we aren't going to get everything done and we need a structure to make sure that good enough is really good enough.

I want to get out of that little car
So what? - Looks like Linus Torvalds (yes, the Linux dude) is aiming some of his angst (maybe about creating a bunch of multi-billion dollar revenue streams and not getting dick out of it) towards the "security circus." If this is a circus, I want to be one of the clowns that gets out of the little car. That looks like fun. It's easy for someone who just sits in an ivory tower and worries about kernel issues to be very critical of how security researchers choose to promote themselves. In fact, I do that all the time. I don't worry about kernel issues, but certainly spend a good part of every day in my own little ivory tower. The point Linus is trying to make is that security is sensationalized and it's a problem. Unfortunately, he thinks that taking a middle of the road approach of not pandering to either the no or full disclosure ranks is the right path. Unfortunately that doesn't work either and can be more dangerous than anything else. Ask Dan Kaminsky about that. I'm still of the opinion that it's either all or nothing. Either don't disclose at all, and work with the vendors in the background - hoping that the bad guys don't have the attack. Or disclose IT ALL and get the good guys making tools to hopefully stay ahead of the bad guys. Both ways kind of suck, but at the end of the day this is the bed we made (crappy code with no thought to security) - so now we get to sleep in it.

And the benefits are great...
So what? - The grass is always greener on the other side. Fact is, if you work in the security business, odds are the grass looks like crap wherever it is you squat. It seems the vendor security researchers are a little steamed that independents get all the attention for finding the "cool" security bugs. Just because they don't have anything better to do, the X-Force ran some numbers to prove that it's really the vendor researchers that find 80% of the "critical" bugs. Talk about needing a hug. Would someone in Armonk please fly down to Atlanta and tell the X-Force guys that you still love them. That someone in a blue suit actually gives a crap about what they find. Or maybe this is a recruiting technique. Join the X-Force and find the important stuff. That's much better than going the independent route and becoming infamous and filling up your Black Hat talk. All kidding aside, it just seems ridiculous to me that anyone would be spending any time to figure out who was "more right." The bad guys are finding new stuff all day, I suggest the researchers (whether they are independents or vendors) get back to work.

The Laundry List

  1. HD was not pwned, just misquoted and had the unfortunate luck of actually using AT&T for Internet connectivity. Yes, the fact that his company was impacted by his exploit code is ironic, but the mischaracterization in the media is irresponsible. - Metasploit blog
  2. Deal: Aladdin uses one of their wishes (and $65 million) to buy SafeWord from SCUR. Good for SCUR to focus on their gateway business. Good luck to Aladdin, I hear it's easy to compete with RSA and $5 tokens from everyone else. - Aladdin release
  3. Georgia boy hacks into his school. Must be taking the Mitnick approach to fame and fortune. Hack a bit, add KY and then write a book. Publishers line up, the book should be ready in about 2015. - NetworkWorld coverage
  4. Is Big Yellow rebounding? They announce a good FQ1. Evidently executing less than "sucky" actually works. And someone should be measuring Enrique's head for the crown. - Symantec earnings release
  5. Lots of other earnings news as well. SonicWall does OK. Zix also announces (why are these guys still public?), and Entrust shows that they still can't hit the top line number. All three mention the "challenging business environment." I guess that's a code word for "give me a pass, it's brutal out there."

Top Blog Postings

I'll take one defeat and despair to go...
It's a fact that you have to have a certain type of personality to be a security professional. Paranoia is critical, since they really are trying to get us at all times. But there is a downside to being able to focus on negative use cases all day long, every day. Basically we become grumpy and prone to despair. Amrit tries to provide some context around the fact that "This too shall pass" is a good way to look at things. A mentor of mine would constantly remind me that it was a marathon, not a sprint. We need to play for the long term, even though many of the incentive plans (both positive and negative incentives) are all about short term actions and thinking. Amrit believes that the good guys have a lot going for us and that we actually have an "advantage." Part of this is trying to make lemonade out of a bunch of crap, but he does have some good points. Yet the net is that the world is a resilient place. Every time you get backed up against the ropes, the collective we finds a way out of it. Yes, it's hard to keep that context in the morass of daily firefighting and the like, but it's true. The sun will rise tomorrow, just like it has for a billion years. Until it doesn't and then we probably have bigger problems to worry about.

If that's the wrong problem, what's the right problem?
Sir Ivan makes a great point here about the real root cause of our security issues. "Underneath all our security issues lies our inability to write defect-free code. Solve that and we've solved the security issues. Focus on the security alone and we won't solve anything." I agree with the sentiment, but can't for the life of me figure out how we'd get there. Food for thought over the weekend.

"Perfect" measurement? Give up now.
Perfect is the enemy of the good. So when I see the title of this post on BlogInfoSec "Crossing the Metrics Rubicon: Quest for the Perfect Measurement" I turn my nose up and figure it's yet another highly theoretical idea about what should be counted and why. But to Patrick Foley's credit, this isn't that post. It's really about the fact that we have a lot more data now, but no one has figured out how to turn it into information. Most interestingly, he points to some securities trading and insurance models that could be instructive in what we have to do. But there will always be problems with models, since they can't predict what we don't know. And it seems every attack that has ever made a big wave was NOT predicted by the people that are supposed to be predicting. So I don't want data to help me predict what is at risk. I want data to help me understand whether I'm working efficiently. I'm starting to come to the conclusion that you can't necessarily come up with a number to represent "risk," but you can count and measure efficiency of the "right" stuff that we know needs to happen. I'm kind of throwing some crap against the wall here, but my utter frustration relative to almost all things metrics is forcing me to look at the problem from a very different perspective.

F-Secure Reverse Engineering Challenge 2008 [Didier Stevens] [Belgian Security Blognetwork]

Posted: 31 Jul 2008 08:41 AM CDT

I'M THE DJ! [Donkey On A Waffle]

Posted: 31 Jul 2008 08:35 AM CDT

Man, why didn't I think of this. I've seen video of people social engineering their way through many restricted areas in the past; some claiming to have forgotten something in the target locations, others claiming to be Jason Biggs of American Pie fame. None of them are quite as simple, and effective, as just claiming you're the DJ! Watch as this man gets into every club he tries just by claiming he's the DJ and is spinning shortly. Watch to the end of the video to see some reasonably funny attempts at DJ social engineering in completely random places.

Shamelessly ganked from Schneier's Blog because I found it funny

Site Guesses Your Gender via Browsing History [Darknet - The Darkside]

Posted: 31 Jul 2008 04:31 AM CDT

This is a pretty old issue, but this is an interesting new implementation of an old idea. Using your browser history and by matching your browsing habits the site attempts to guess your gender with a weighting system according to the gender demographics for a list of fairly popular sites. It’s not super accurate unless you [...]

MobileMe Wiped My Contacts [Jon's Network]

Posted: 31 Jul 2008 02:14 AM CDT

This afternoon on my MacBook Pro, Mail and Safari were acting screwy. Safari would give me a beach ball when I tried to fill out a form on Amazon and Mail would give me a beach ball when it did an address look up when I typed someone’s name in the To: field. I tried to open Address Book, but it wouldn’t open, instead giving me a “not responding” status immediately in the Force Quit Applications window.

Not having the skills or time to really find out what was going on, I popped open Cocktail and repaired the disk permissions and left to run some errands. I came back 3 hours later, glanced at the Cocktail log and opened a new email. When I typed a name into the address field, it did the look up (I could see the spinner working) and then stopped, not having found the name. This time I was able to open Address Book to see that everything was gone. All my contacts. Thousands of them. Gone. I visited the MobileMe page; naturally, the contacts were gone there too. I then opened my iPhone to turn off syncing before it got wiped - too late. Since I didn’t find the problem before SuperDuper made my daily backup, it looks like I have lost my most recent changes, but luckily nearly everything is saved in my Daylite database so this isn’t critical - just a huge pain in the ass.

I had been reading headlines about the MobileMe problems, but never suffered any until this afternoon. I was a .Mac customer before solely for the convenience of the iDisk to backup a small amount of critical data so Apple won’t lose any of my money, but I have turned off over-the-air sync and don’t plan to turn it on until 2010 or so. If my contacts got wiped from my phone while I was on the road I would be crippled. Nope, can’t take that chance.

Report on Banking Web Sites is Flawed [The IT Security Guy]

Posted: 30 Jul 2008 09:24 PM CDT

In a recent blog post, I cited a study by researchers at the University of Michigan, saying 75% of banking web sites had design flaws, making them vulnerable to hackers.

In a recent article by Larry Seltzer of eWeek, he said the findings from the study, which came out in 2006, are outdated. He said the results were either not relevant any more -- such as insecure login pages not using https -- or not real threats -- non-https Contact Us pages.

He goes through the rest of the report point-by-point and makes some interesting points.

Indian DoT: Blackberry Security Revisited [Infosecurity.US]

Posted: 30 Jul 2008 07:47 PM CDT

The Economic Times of India reports significant scrutiny is being applied (yet again) to RIM’s deployment of Blackberry devices to the general public, and the security measures to be taken. More headaches for RIM (NasdaqGS: RIMM), or can they comply with the recommendations of the Government of India Department of Telecommunications (DoT)?

Midsummer Night's Dream: 2008 papers released from Stopbadware, HotSec '08, IBM X-Force and Websense [Security4all] [Belgian Security Blognetwork]

Posted: 30 Jul 2008 07:15 PM CDT

It's summertime, meaning that the first half of 2008 has passed. So it's time for papers to be released and for us to read them.

1. Stopbadware released a paper using data from Google's Safe Browsing initiative and found that 200,000 websites were engaged in badware behavior. Now there is also a small update:

In June we released a report with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. Here are updated numbers from early July:

# of badware sites   AS block name
26792                CHINANET-BACKBONE No.31,Jin-rong Street
13250                BIZLAND-SD – Endurance International Group, Inc.
8582                 CHINA169-BACKBONE CNCGROUP China169 Backbone
5311                 CHINANET-SH-AP China Telecom (Group)
5203                 AOL-ATDN – AOL Transit Data Network
3845                 CNCNET-CN China Netcom Corp.
2544                 CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation
2525                 THEPLANET-AS – Internet Services, Inc.
1865                 SOFTLAYER – SoftLayer Technologies Inc.
1348                 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.

As some people mentioned, most of the infected servers appear to be located in China. The infection vector through websites has increased a lot compared to last year (see: Drive-by downloads). Read the entire paper for some interesting insights.

2. Papers from WOOT '08 and HotSec '08

Two interesting workshops took place this week: 2nd USENIX Workshop on Offensive Technologies (WOOT '08) and 3rd USENIX Workshop on Hot Topics in Security (HotSec '08). Both of them produced some interesting documents! Some examples:
  • Exploitable Redirects on the Web: Identification, Prevalence, and Defense
    Craig A. Shue, Andrew J. Kalafut, and Minaxi Gupta, Indiana University

  • There Is No Free Phish: An Analysis of "Free" and Live Phishing Kits
    Marco Cova, Christopher Kruegel, and Giovanni Vigna, University of California, Santa Barbara

  • Towards Quantification of Network-Based Information Leaks via HTTP
    Kevin Borders, Web Tap Security, Inc.; Atul Prakash, University of Michigan

  • Panic Passwords: Authenticating under Duress
    Jeremy Clark and Urs Hengartner, University of Waterloo

  • Towards Application Security on Untrusted Operating Systems
    Dan R.K. Ports, MIT CSAIL and VMware, Inc.; Tal Garfinkel, VMware, Inc.

Have a look at the rest of them (Woot08 and Hotsec08).

3. IBM X-Force released security statistics

The report, issued by IBM's Internet Security Systems division, summarizes security statistics over the first half of 2008. It highlights the ISS X-Force research and development team's observations over the first half of the year and points out any new trends that researchers are tracking. (Source:

4. Websense released mid year 2008 report

Those numbers come from stats (PDF) collected in the first six months of this year by Websense, an online security company that scans more than 40 million Web sites hourly for signs that they may have been compromised by hackers.

Websense found that 60 percent of the Top 100 most popular sites this year have either hosted malware or forwarded visitors to malicious sites. The company also says that nine out of 10 of those compromised sites were social networking or Web search sites. (Source: Securityfix)

(Photo under Creative Commons from Dhammza's Photostream)

Did the DNS attacks begin? (part 2) - Fact or myth? Some facts. (updated x2) [Security4all] [Belgian Security Blognetwork]

Posted: 30 Jul 2008 07:03 PM CDT

I have seen a lot of reports on attacks on unpatched DNS caching servers, but with little or no (technical) information. A lot seems to be based on the email posted on the Fedora mailing list by user James Kosin (see Did the DNS attacks part 1).

The logs he provided were not signs of exploitation, but they were an indication of a scan for open resolving DNS servers. An increase in DNS scanning has been reported by Arbor Networks in their "30 Days of DNS Attack Activity" post of the 28th of July.
Plotting UDP/53 attack activity (the thicker dark "pinkish red" line below) across Arbor's "anonymous statistics program" participants (~70 ISPs) illustrates an order of magnitude increase in UDP/53 and/or DNS events beginning around July 9, 2008. Note that while most of the data from the anonymous statistics program is based on Network and Transport layer attributes of traffic, there are specific DNS capabilities that exist in our Threat Management System (TMS) product that deal extensively with payloads as well. Given that this vulnerability was partially disclosed on July 8, I suspect a great deal of this traffic is name server vulnerability scanning, as opposed to malicious cache poisoning attempts, although there may well be a mix of the latter.
One other interesting observation is that most of the activity we've seen thus far kicked off in conjunction with the disclosure itself, although there is a perceptible activity level increase just subsequent to the 13-day "leak" as well. This could be more vulnerability scanning, although it could also be actual cache poisoning attempts, and given that several exploit tools are now openly available, I don't expect this to improve any time soon. (Source: Arbornetworks)
So still no conclusive proof there. But if you look at the graphic from Arbornetworks, the increase in DNS scanning since the 8th of July is concerning. Also the small difference after the 13-day leak is an indication of some kind.

Now, the Metasploit exploit needs a service to determine the source port used by the target name server. The 'check' command does just that. The exploit itself will also query the Metasploit service if you set SRCPORT to 0. So no information is sent to unless SRCPORT is manually set to '0' or the check command is run (non-standard for aux modules). (Source: HD Moore on the Full Disclosure mailing list). For more information, check the entire post.
So, it's useful to know that in some cases the Metasploit tool will report information back. Now let's look at this Twitter message from the 24th of July:
HD Moore: About 75% of the folks checking exploitability via metasploit module are vulnerable. (
05:47 PM July 24, 2008)
So this is telling us that people were testing this tool and most of the DNS servers it was tested on were vulnerable (24 June). This is not a good sign of course. But it doesn't prove malicious activity. Until I saw the following message on Twitter:

HD Moore: is happy that is no longer cache poisoned for (it was serving ads). Too bad it's still not patched. (July 29, 2008)

Oh. At least I hope there were no infected ad images or JavaScript-injected pages as well. So I think the above gives enough indication to be sure that there is a rising problem. There is still a lot of inconclusive information out there. If you have some log files or indications of live attacks yourself, please report them. Surfing to and seeing ads instead of a search engine is a clear sign.

UPDATE: As a result of the SBC/ATT DNS servers getting poisoned, HD Moore has added a module in Metasploit to compare the cache of two DNS servers. (/UPDATE)

Patching is in progress, but, as Dan Kaminsky said, patching is not the final solution. It only makes the exploit a lot harder: there is still a 1% chance each hour of succeeding in cache poisoning. There is a fierce discussion going on in the comments of the latest Bruce Schneier post: "The DNS Vulnerability". The article itself makes a good point that by having security designed into the system in the first place, we wouldn't need the patch. I recommend reading it, including the comments.

So again, advice for sysadmins: how can you detect this attack? Look for patterns like these in your log files:

Jul 27 18:42:37 local@ named[19501]: client attacker#53264: query (cache)' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#53264: query (cache)' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#53264: query (cache)' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#53264: query (cache)' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#42398: query (cache)' denied
Jul 27 18:42:37 local@ named[19501]: client attacker#42398: query (cache)' denied
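One way to turn the pattern above into a check, as an added example that is not part of the original post: parse BIND's "query (cache) ... denied" lines and flag external clients that send many denied recursive queries from several source ports, which is what a scan for open resolvers looks like from the server side. The log lines, host name and 192.0.2.x addresses below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND's "query (cache) '...' denied" format.
# The host, client IPs and names are documentation placeholders, not data from the post.
SAMPLE_LOG = """\
Jul 27 18:42:37 ns1 named[19501]: client 192.0.2.10#53264: query (cache) 'www.example.com/A/IN' denied
Jul 27 18:42:37 ns1 named[19501]: client 192.0.2.10#53264: query (cache) 'example.com/A/IN' denied
Jul 27 18:42:37 ns1 named[19501]: client 192.0.2.10#42398: query (cache) 'example.net/A/IN' denied
Jul 27 18:42:38 ns1 named[19501]: client 192.0.2.10#42398: query (cache) 'example.org/A/IN' denied
Jul 27 18:42:38 ns1 named[19501]: client 192.0.2.10#51111: query (cache) 'ns.example.org/A/IN' denied
Jul 27 18:42:40 ns1 named[19501]: client 198.51.100.7#1027: query (cache) 'mail.example.com/MX/IN' denied
Jul 27 18:42:41 ns1 named[19501]: client 203.0.113.5#2000: query: www.example.com IN A + (203.0.113.1)
"""

# Matches only denied cache (recursive) queries; ordinary query log lines are ignored.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query \(cache\) '(?P<qname>[^']*)' denied$"
)


def parse_denied(text):
    """Yield (timestamp, client_ip, source_port, qname) for each denied cache query."""
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            yield m["ts"], m["ip"], int(m["port"]), m["qname"]


def suspicious_clients(text, min_queries=3, min_ports=2):
    """Return {ip: (query_count, distinct_ports, distinct_names)} for clients whose
    denied cache queries look like recursion probing rather than a single misconfigured host."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    names = defaultdict(set)
    for _, ip, port, qname in parse_denied(text):
        counts[ip] += 1
        ports[ip].add(port)
        names[ip].add(qname)
    return {
        ip: (counts[ip], len(ports[ip]), len(names[ip]))
        for ip in counts
        if counts[ip] >= min_queries and len(ports[ip]) >= min_ports
    }


if __name__ == "__main__":
    for ip, (n, p, q) in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} denied cache queries from {p} source ports for {q} names")
```

Feed it `named` log output from syslog and tune the thresholds to your traffic; a burst of denied recursive queries from one outside address is worth a look even on a server that is already patched.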

Or you can have a look at the research described in Jose Avila's Recursive DNS Cache Auditing presentation, in addition to the ONZRA security research tool CacheAudit v.01 (see the Research folder at ONZRA for the CacheAudit download). Scan for UDP/TCP port 53 in your network and check and patch the servers ASAP, even if they are internal servers.

Advice for end users: use the DNS tool on the website or the web-based tool from DNS-OARC. If it appears you are using an unsafe DNS server, switch to OpenDNS. Here are the instructions.

I'm also considering how this can affect hotspot users and similar mobile users in combination with tools like Evilgrade or Karmetasploit. Even without this DNS exploit, both toolkits used on untrusted LANs or WLANs can be dangerous. But that is for another post.

UPDATE: Zero Day just posted a similar article that additionally includes some interesting DNS Security Surveys from the past. Check it out.

UPDATE (30/07/2008): Brian Krebs from the Washington Post just wrote an article on Evilgrade and hotspots. It seems that iTunes and Mac OS updates were fixed in December '07. Read here for more info.

FINAL UPDATE (30/07/2008): HD Moore has put some more details in a post on Metasploit on what happened. The enemy has entered the gate now and is inside.

(Photo under Creative Commons from soldiermediacenter's Photostream)

How Twitter got pwned in 2 hours [Security4all] [Belgian Security Blognetwork]

Posted: 30 Jul 2008 07:02 PM CDT

RSnake joined Twitter and did it with a bang. In about two hours, he found an XSS using a trusted domain of Twitter. Luckily, Twitter saw the tweet and it got fixed in about 90 minutes total. The crossdomain.xml has indeed been thoroughly revised. A chain is only as strong as its weakest link.
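To show what "weakest link" means for a crossdomain.xml, here is an added example (not Twitter's file and not code from the post): a small auditor that parses a Flash cross-domain policy and flags settings that let any origin, or every host under a wildcard, read authenticated responses. Both policies below are constructed, and static.example.com is a placeholder host.

```python
import xml.etree.ElementTree as ET

# Constructed policies for the example; neither is Twitter's actual crossdomain.xml.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>"""

HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.example.com" secure="true" />
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of (code, detail) findings for permissive settings in a Flash
    crossdomain.xml. An empty list means nothing obviously over-broad was found."""
    root = ET.fromstring(xml_text)
    findings = []
    # Without site-control, any other policy file on the host can widen access further.
    if root.find("site-control") is None:
        findings.append(("no-site-control", "other policy files on this host may widen access"))
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("wildcard-domain", "every origin may read authenticated responses"))
        elif domain.startswith("*."):
            # Every host under the suffix is trusted, so one XSS on any of them is enough.
            findings.append(("wildcard-subdomain", f"all hosts under {domain[2:]} are trusted"))
        if el.get("secure", "true").lower() == "false":
            findings.append(("insecure-origin", f"plain-http pages on {domain} are trusted"))
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" or el.get("headers") == "*":
            findings.append(("wildcard-headers", "arbitrary origins may send arbitrary headers"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_crossdomain(policy) or "no findings")
```

The hardened policy trusts one named host only, which is exactly the list you want to keep short: every domain on it can read responses sent with the user's Twitter cookies.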

Read this post from Ed Bellis for the details and the response from Twitter. A story with a happy end.

Robert "RSnake" Hansen is a web application specialist and one of the authors of the XSS book (XSS Attacks - Cross Site Scripting Attacks Exploits and Defense). You can download a zipped-up version of Chapter 5 and the table of contents (free sample).

(Photo under Creative Commons from Darwin Bell's Photostream)

Backtrack T-shirts for Europe and a hint about Backtrack Version 4 - The next Security Distro [Security4all] [Belgian Security Blognetwork]

Posted: 30 Jul 2008 07:01 PM CDT

I was browsing through the Backtrack forums and noticed that Backtrack-fr opened up a webshop for T-shirts (French) a while back. It's built on the Spreadshirt site, is based in Germany, and can deliver almost everywhere in Europe. The US version is in the making. I might buy one or two. So what about Backtrack 4?

While I was listening to the Pauldotcom podcast about Paul's experiments with the Asus Eee PC, they mentioned Backtrack 4 (Episode 114). He was replacing the Xandros Linux version with Ubuntu and used Backtrack only from a USB thumb drive. He wouldn't recommend installing it as the default OS, as Backtrack 3 is really made as a live distribution.

He then mentioned that Backtrack 4 would be built more as a complete distribution than the previous versions. This can only mean more flexibility and more pwnage. I will be looking forward to it!!

