Posted: 20 Aug 2008 06:08 AM CDT
Johnny Long, the well-known Google search hacker, linked to a very interesting blog post about the controversy over Chinese gymnast He Kexin. In it, he uses some Google hacks on Baidu (the most popular Chinese search portal) to come up with two cached spreadsheets that show He’s birth year as 1994, which would make her ineligible for the Olympics.
Posted: 19 Aug 2008 11:19 PM CDT
A bit of a different episode this week. Since Martin is traveling, rather than a guest host this week we’re posting the last of the interviews recorded at DefCon- but this one is a doozy. David Mortman, Dave Maynor, Chris Hoff, Robert “RSnake” Hansen, and Larry Pesce joined us immediately after we all finished our DefCon panel. Martin, as the sober one, interviews us as we record what is our first clearly explicit podcast. Yes folks, we hit all 7 dirty words plus a few bonuses. Not to worry, we do include some content as we discuss what we covered in the panel and whatever other topics flew into our adult-beverage-addled brains. We had a heck of a lot of fun putting the DefCon back into DefCon, and we hope you enjoy this little slice of the unfiltered.
Yes, this really is an explicit episode, so consider yourselves warned.
Length: 24:00 (or so)
Posted: 19 Aug 2008 10:00 PM CDT
During the second day at Black Hat, somewhat depressed by yet another futile attempt to locate coffee, and fighting human gridlock, I decided that it was no longer worth the effort and simply sat down in the nearest conference room. And I am glad I did, as that random selection of presentations turned out to be one of my favorites of the week. The presentation was called Visual Forensic Analysis and Reverse Engineering, presented by Gregory Conti and Erik Dean. I would offer a link for you, but I have been unable to find the slide deck online. It is on the CD that was included in the Black Hat goodie bag for those of you who attended, and some of the discussion points are located here.
The Conti & Dean presentation shows how to identify the contents of, and even reverse engineer, binary files using different graphing techniques. By performing ‘dot plot’ and ‘byte plot’ examples of binary files, you can very quickly detect certain patterns within the binary file that tell you what is contained within it. Much like a human fingerprint, uuencoded content, text, Word documents, bit mapped images, JPEGs, compressed files, and encrypted files each have unique visual signatures. For files that may contain several items, it was easy to pick out the beginning and ending points of blobs within the file, and then examine specific binary objects in more detail. They showed a couple examples of extracting image files from a huge binary file in less than 30 seconds.
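To make the "visual signature" idea concrete, here is an added example (not code from the Conti & Dean talk or their tools): it slices a file into windows, scores each window on the features a byte plot exposes (zero runs, printable ASCII, entropy), and collapses the result into blob boundaries. The composite sample file is constructed inline; the thresholds are my assumptions and are tuned for 1 KiB windows.

```python
import math
import random
from collections import Counter

# Coarse per-window features; these are the same things a byte plot makes visible:
# long runs of zero, the narrow band of printable ASCII, and "noise" that uses every value.
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for perfectly uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(chunk: bytes) -> str:
    """Map one non-empty window to the visual signature it would show in a byte plot."""
    n = len(chunk)
    zero = chunk.count(0) / n
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in chunk) / n
    if zero > 0.9:
        return "zeros"          # padding, slack space, empty table slots
    if printable > 0.9:
        return "text"           # plain text, scripts, XML, uuencoded data
    if shannon_entropy(chunk) > 7.5:
        return "high-entropy"   # compressed, encrypted or (P)RNG output
    return "binary"             # machine code, structured records, bitmaps

def segment(data: bytes, window: int = 1024) -> list:
    """Collapse runs of identically classified windows into (start, end, label) blobs:
    the beginning and end points you would otherwise pick out by eye from the plot."""
    blobs = []
    for off in range(0, len(data), window):
        end = min(off + window, len(data))
        label = classify(data[off:end])
        if blobs and blobs[-1][2] == label:
            blobs[-1] = (blobs[-1][0], end, label)
        else:
            blobs.append((off, end, label))
    return blobs

def strip(data: bytes, window: int = 1024) -> str:
    """One character per window: a one-line, text-mode stand-in for the byte plot."""
    glyph = {"zeros": "0", "text": "T", "high-entropy": "#", "binary": "b"}
    return "".join(glyph[classify(data[o:o + window])] for o in range(0, len(data), window))

def build_sample() -> bytes:
    """Constructed composite file: 8 KiB of text, 4 KiB of zero padding, then 8 KiB of
    seeded PRNG bytes standing in for an encrypted or compressed blob."""
    text = (b"The quick brown fox jumps over the lazy dog.\r\n" * 200)[:8192]
    rng = random.Random(2008)                        # fixed seed: deterministic output
    noise = bytes(rng.getrandbits(8) for _ in range(8192))
    return text + bytes(4096) + noise

if __name__ == "__main__":
    sample = build_sample()
    print(strip(sample))
    for start, end, label in segment(sample):
        print(f"{start:6d}-{end:6d}  {label}")
```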
You know you are a geek when …
I remember in the early 90’s that when I was debugging core dumps I was often just winging it. You really did not have a valid stack trace, so you were rummaging around memory looking for something unusual, or some pattern that gave you a clue to what went wrong. It was more art than science, and it was usually some visual clue or something that just did not look right when you found the root cause of the bug. Again in the mid-90s I can remember loading binary files into a text editor to attempt to, ahem, circumvent or ‘no-op’ out the licensing module which could often be located through a visual inspection (Of course, this was purely for academic purposes). This same technique was effective in hacking video game binaries and save files (slide 46 of the presentation shows a Neverwinter Nights database file as an example). And it was all based upon looking at the binary structure for patterns and experimenting with value substitutions to alter game functionality.
But the graphical tools take this to a whole new level. How do you know your PRNG is producing random numbers? During the presentation, the evolution from these early tools and methods was discussed, and then they showed off tools that provide different 3-dimensional graphical representations of what data looks like. One of the examples that I was most impressed with was the graphs showing a distribution for numbers. These are examples of PRNG output. Random? It is not particularly easy to verify that your pseudo-random number generator is really producing sufficiently random numbers, or to confirm that your random number generator’s entropy source is sufficiently random. But by graphing them in this way, you can very quickly see if you have reasonably good randomness, or rather, if you are not close at all.
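As an added illustration of what graphing PRNG output catches (this is my own example, not one of the tools from the talk), the block below buckets consecutive output pairs into a grid, the text-mode equivalent of a 2-D distribution plot. The weak generator is a linear congruential generator with parameters (a=5, c=1, m=2^16) chosen here only to make the lattice structure obvious; Python's `random.Random` is the comparison, and the 20000-sample size is an assumption.

```python
import random

def lcg(seed: int, a: int, c: int, m: int):
    """Linear congruential generator x_{n+1} = (a*x_n + c) mod m, scaled to [0, 1)."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x / m

def pair_grid(values, width: int = 32, height: int = 16):
    """Bucket consecutive pairs (v_i, v_{i+1}) into a width x height grid of hit counts.
    A good generator fills the square evenly; an LCG with a poor multiplier collapses
    onto a few parallel lines, which is exactly what the plots reveal at a glance."""
    grid = [[0] * width for _ in range(height)]
    for x, y in zip(values, values[1:]):
        grid[int(y * height)][int(x * width)] += 1
    return grid

def occupancy(grid) -> float:
    """Fraction of cells hit at least once: near 1.0 for a good PRNG, far lower
    when the output is trapped on a lattice."""
    cells = [c for row in grid for c in row]
    return sum(1 for c in cells if c) / len(cells)

def render(grid) -> str:
    """ASCII rendering of the plot: '#' for hit cells, '.' for empty ones."""
    return "\n".join("".join("#" if c else "." for c in row) for row in grid)

def take(gen, n: int) -> list:
    return [next(gen) for _ in range(n)]

def weak_samples(n: int = 20000) -> list:
    # Tiny multiplier: every pair lies on one of five lines y = 5x mod 1.
    return take(lcg(1, 5, 1, 2 ** 16), n)

def good_samples(n: int = 20000) -> list:
    rng = random.Random(2008)   # Mersenne Twister: fine statistically, not for crypto
    return [rng.random() for _ in range(n)]

if __name__ == "__main__":
    for name, vals in (("weak LCG", weak_samples()), ("random.Random", good_samples())):
        g = pair_grid(vals)
        print(f"{name}: occupancy {occupancy(g):.2f}\n{render(g)}\n")
```

The weak generator passes a simple "is the 1-D histogram flat" check (its period is the full 65536), yet the pair plot leaves most of the grid empty.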
Anyway, I thought this was a very cool forensic tool for binary files. Check out the graphs- they are quite impressive.
Posted: 19 Aug 2008 09:20 PM CDT
Via Dancho Danchev
Looking for higher education, read it here: China hacker gang busted
Posted: 19 Aug 2008 07:47 PM CDT
Posted: 19 Aug 2008 06:24 PM CDT
United States District Judge George A. O’Toole, Jr., has ordered the restraining order lifted against the information security researchers/students, which had been originally set for expiry today. The rationale for the order to vacate is predicated on the magistrate’s view that the Computer Fraud and Abuse Act (U.S. Code Title 18 § 1030) does not apply to speech with any specificity. You can download the referenced section of the United States Code from the Infosecurity.US Public Documents Repository.
Posted: 19 Aug 2008 06:01 PM CDT
Posted: 19 Aug 2008 03:09 PM CDT
Now that I’m back to pen testing I’m having the chance to see the mistakes that admins are making nowadays. There is something very interesting that Windows domain administrators sometimes forget and that needs to be addressed, as it has serious security implications: login script file permissions.
Login scripts are those little batch scripts that run when the user is logging in. They’re usually stored in a share at the domain controllers called NETLOGON. The risk here is quite obvious; if I can modify your login script, I can run commands under your user account when you are logging on. This is usually not possible as the NETLOGON permissions are usually set accordingly, being writable only by domain admins.
The problem is that login scripts are one of those complexity beasts that grow together with the organization and its network. Big organizations usually have lots of servers, file servers, domains and other stuff. The admins struggle to keep user lives a little easier by automatically mapping network drives, cleaning temporary file transfer areas and other stuff, and the login scripts are a good tool to do that. When doing that they sometimes need to include some different command line utilities, as the regular Windows shell doesn’t have all the features needed by those very creative admins. When doing that, they usually place those executables on network folders accessible by all users (of course, as they need those files during the login process :-)). What happens is that when doing that they often give too many rights to the users on those folders. Remember, when you create a folder and then share it on a Windows Server without changing any permissions, there is a big chance that it will be an “Everybody - Full Control”.
If you are a domain admin in an organization that extensively uses login scripts, check them for external executable references. Tampering with login scripts is an easy way for an insider to steal credentials and information from other users without being detected.
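An added example (not from the post) of the check the last paragraph recommends: it pulls every executable a login script runs from a UNC path and flags those sitting on shares writable by groups every user belongs to. The share ACLs and the batch script are constructed sample data; on a real domain you would feed in the share and NTFS permissions read from the servers.

```python
import re

# Constructed share permissions (share root -> principal -> rights), keyed lowercase;
# on a real domain these come from the share/NTFS ACLs of the servers involved.
SHARE_ACLS = {
    r"\\dc01\netlogon": {"Domain Admins": "Full", "Authenticated Users": "Read"},
    r"\\fs01\tools":    {"Everyone": "Full"},   # the default "Everybody - Full Control"
    r"\\fs01\apps":     {"Domain Admins": "Full", "Domain Users": "Read"},
}
WRITE_LIKE = {"Full", "Modify", "Write", "Change"}
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Users"}

# \\server\share followed by path segments ending in an executable extension.
# Paths containing spaces are not handled; they would need quote-aware parsing.
UNC_EXE = re.compile(
    r'(\\\\[^\\\s"]+\\[^\\\s"]+)((?:\\[^\\\s"]+)*?\\[^\\\s"]+\.(?:exe|com|bat|cmd|vbs|ps1|dll))\b',
    re.IGNORECASE)

def referenced_executables(script: str):
    """Yield (share_root, full_path) for every executable the script runs from a UNC path."""
    for line in script.splitlines():
        if line.strip().lower().startswith(("rem ", "::")):   # batch comments
            continue
        for root, rest in UNC_EXE.findall(line):
            yield root, root + rest

def writable_by_broad_group(acl: dict) -> list:
    """Principals that every ordinary user belongs to and that hold write-like rights."""
    return sorted(p for p, r in acl.items() if p in BROAD_PRINCIPALS and r in WRITE_LIKE)

def audit(script: str, acls: dict = SHARE_ACLS) -> list:
    """Executables that an ordinary user could replace before the next logon runs them."""
    findings = []
    for root, path in referenced_executables(script):
        acl = acls.get(root.lower())
        if acl is None:
            findings.append((path, "unknown share (check permissions manually)"))
        elif writable_by_broad_group(acl):
            findings.append((path, "writable by " + ", ".join(writable_by_broad_group(acl))))
    return findings

# Constructed sample login script, not taken from any real domain.
LOGIN_SCRIPT = r"""@echo off
rem map the home drive, then run the helpers the admins dropped on the file server
net use H: \\fs01\home\%USERNAME% /persistent:no
\\fs01\tools\cleanup.exe C:\Temp\transfer
"\\fs01\apps\mapdrives.exe" /quiet
call \\dc01\NETLOGON\setprinters.bat
"""

if __name__ == "__main__":
    for path, why in audit(LOGIN_SCRIPT):
        print(f"{path}: {why}")
```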
Posted: 19 Aug 2008 01:37 PM CDT
Federal Computer Weekly’s (FCN) Michael Hardy reports that the United States Department of Energy’s Inspector General, Gregory Friedman, has discovered significant security related flaws in the Department’s Information Technology division (report, in PDF format). The report is also available for download in the Infosecurity.US Public Documents Repository.
Posted: 19 Aug 2008 01:15 PM CDT
I thought this was interesting... I seldom have emails that are this long, but since every survey submission is seen as part of the same response, I've been seeing it. It appears as though every 61 messages, the thread is cut and a new one is started. Has anyone else seen this and possibly experienced a different number? If everyone else is indeed seeing 61, does anyone know why?
Does anyone from Google read this? If so, why cut the threads at 61?
Side note: anyone know when Google Apps will be getting the 'Always use SSL' checkbox?
Posted: 19 Aug 2008 12:55 PM CDT
Posted: 19 Aug 2008 12:45 PM CDT
One of the sessions I enjoyed at DefCon was Nathan Hamiel and Shawn Moyer’s “Satan is on My Friends List”. Aside from directly hacking the security of some of these sites, they experimented with creating fake profiles of known individuals and seeing who they could fool. Notably, they created a profile (with permission) for Marcus Ranum on LinkedIn, then tried to see how many people they could fool into connecting to it. Yes, folks, I fell for it.
In my case it wasn’t that big a deal- I only use LinkedIn as a rolodex, and always default to known email accounts before hopping into it. But that’s not how everyone sees it, and many people use it to ask questions, connect to people they want to be associated with but aren’t really connected to. Someone behind a fake profile could spoof all sorts of communications to either gather information or manipulate connections for nefarious reasons (pumping stock prices, getting fake references, disinformation campaigns, and so on). All social networks are vulnerable to manipulation, real world or virtual, but when you remove face to face interaction you eliminate the biggest barrier to spoofing.
I avoid some of this by only linking to people I know, have met, and have a reason to keep in contact with. If you’ve sent me a link request because you read the blog or listen to the podcast, and I haven’t responded, that’s why. Otherwise it loses any usefulness as a tool for me.
One of Shawn’s recommendations for protecting yourself is to build a profile, even if you don’t actively use it, on all the social networks. Thus I now have MySpace and Facebook pages under my real name, tied to a throwaway email account here at Securosis. Will it help? Maybe not- it’s easy for someone to create another account with my name and a different email address, but after I tie in a few friends that should reasonably draw people to the real me, whatever that’s worth.
One unexpected aspect of this was a brief blast of mortality as Facebook splattered my high school graduating class on a signup page. I haven’t really stayed in touch with many people from high school days; in my mind’s eye they were frozen in the youth and vibrance of those few years we felt we ruled the world. Seeing them suddenly years later, long past the days of teenage hopes and dreams, was a visceral shock to the system. No, we’re not all that old, but at 37 we’re far past any reasonable definition of youth.
Damn you Mr. Moyer. I can forgive you for mildly pwning me in your presentation, but smashing open my vaulted teenage memories with a lance of reality? That sir, I can never forgive.
Posted: 19 Aug 2008 10:13 AM CDT
Tim Greene's NAC column today goes back to the recent Gartner IT Security Conference. At Lawrence Oran's session on NAC, using the handheld voting machines he asked the audience if and when they planned on deploying an 802.1x capable network. Of course answers are always dependent on how the question is framed. But in this session about 50% of respondents said they were going to go .1x by 2011. You know what they say, once you go .1x you don't go back. That bodes well for NAC deployments. 802.1x remains the most secure and powerful way of implementing NAC. However, .1x is also useful for other security and network functionality. If you want to read more about .1x my friend JJ has a ton of good .1x stuff up on her blog.
A couple of interesting points though. Gartner themselves, as Tim points out, estimate that .1x adoption will be closer to 70% by 2011. The difference between the 50% in the survey and Gartner's estimates will be realized due to increasing ease of implementation of .1x networks. Perhaps, I know at StillSecure we are always looking for ways to make it easier to implement .1x and NAC. However, let's be clear. Installing new supplicants because Cisco and Juniper say the Microsoft supplicant is not good enough is a red herring. Yes the Odyssey client is cool, but it is a nice to have in the .1x equation, not a must have. The same goes for the Cisco/Meetinghouse supplicant. Also, not all .1x is created equal. There are still enough differences between switch vendors in how and what they support in .1x to make it maddening.
Finally, like I have said before, if you are going to do 802.1x just for NAC, don't bother. But if you are going to go to 802.1x you should give NAC a good look.
Posted: 19 Aug 2008 09:34 AM CDT
Thanks to everyone who's filled it out; for those of you that haven't... you still can (survey). A large number of people are preferring to stay anonymous, but I have gotten some rather interesting comments. To date 169 people have filled out the survey. If all goes well, I'm hoping to start analyzing the results after about a week or so.
To clarify, for anyone who reads this first... When I say Denial of Service, I'm not considering packet flooding (these days you essentially need DDoS for that)... I'm thinking single packets that cause servers to crash, or malformed pages that cause browsers to crash. That being said, I don't want to influence anyone's answers... that's why I provided plenty of places for notes. Feel free to tell me what you really think.
Lastly, in the goal of making an interesting whitepaper out of this, I've started contacting vendors. Currently I've contacted Adobe, Apple, Google, Microsoft, Red Hat and Sun. I've asked them to answer the survey (and provide me with unique information via email that they will put in the name, email and url portions (for proper identification)) and I've passed on a few vendor specific questions. I've taken the route of contacting their PR agencies, so we'll see what happens.
Posted: 19 Aug 2008 09:31 AM CDT
Posted: 19 Aug 2008 09:19 AM CDT
Aviv Raff’s recent post (focusing on information security best practice) details his views that following best practice may not necessarily keep you safe, and in fact may be a fundamental error in judgment. Good reading. Thoughtful. We also agree.
Posted: 19 Aug 2008 05:10 AM CDT
Posted: 18 Aug 2008 11:57 PM CDT
“Chinese online human hunting” has been a subject that has fascinated me ever since I first read the story of the “Bronze Mustache” in 2006. Somewhere in my gut, it left me with the impression that this was an important trend to watch. Why you ask? Why not I answer! Yep, got nothing.
Does this fascination stem from the demonstrated ability to cyber-mobilize, combined with cyber-vigilante justice? Okay, if that explanation works for you, it works for me. This really bugs me and I haven’t been able to put my finger on why this trend seems to be important to watch. It could very well be the catalyst that launched the category of “Chinese Hacker Hunting” on this blog…but that gets way too much into the realm of self-analysis and could leave me screaming into my pillow. Moving on.
So what is “online human hunting?” I could try and summarize the whole social mechanism but it would probably cross the line of “fair use.” China Supertrends gives an excellent explanation of “human flesh search engines.”
Finally, sciam.com provides a current report on how this trend is progressing:
Any…FREE…insightful explanation on why my views make sense would be greatly appreciated.
Posted: 18 Aug 2008 11:51 PM CDT
Several blogs are alight with speculation about the recruitment of bots ahead of the South Ossetia crisis. According to some of these stories there was a massive recruitment of bots on 4/5 August ahead of the Georgian action on the 7th and the Russian response on the 8th.
Posted: 18 Aug 2008 07:03 PM CDT
Most of our BlackHat/Defcon team has arrived back home in one piece. I landed with a fever and a lost voice (but to be honest I already caught something while in Vegas!)
We will post some post-Vegas thoughts as soon as the dust settles, but I also promised:
The final versions of the re-direction tools will be posted here by the weekend (after some last minute documentation / cleanup).
(A quick overview of Glenn's reDuh tool is also posted to [the same location].)
Posted: 18 Aug 2008 06:56 PM CDT
In March of this year, CNN ran a story about Xiao Chen and his organization of hackers, reporting that the group had broken into the Pentagon and received payments from the Chinese government.
Xiao Chen, in a subsequent interview with the Shanghai Post, refuted all of CNN’s allegations and tearfully explained how all of this controversy had caused him to close his website hack4.com…he had struggled to create it…he had poured his heart and soul into it…and now was left with only a handful of magic beans to show for his trouble.
I may be mixing my stories but he did elevate whining to an art form.
No need to worry, Xiao Chen pulled himself up, dusted himself off and managed to get back in the hacking game. Welcome to the new hack4.com, decorated in Olympic themed swirls guaranteed to never go out of style:
Posted: 18 Aug 2008 02:51 PM CDT
Perusing my blogs this morning I caught a post by Anton on DLP and compliance. That’s the blogging equivalent of chaining a nice fat bunny to a stake in the middle of coyote territory here in Phoenix (in other words, the park behind our house). I, as the rabid coyote of DLP-ness, am compelled to respond.
Anton starts by wondering why he doesn’t see compliance more in DLP vendor literature:
Then, he nails the answer:
I’ve spent a heck of a lot of time working with DLP vendors and users, and this is a problem that affects technologies beyond just DLP. Early on, the DLP vendors all talked about how they’d make you SOX, HIPAA, or XXX compliant. Problem was, there isn’t a regulation out there that requires DLP. The customer conversations went like this:
The truth is that DLP can help significantly with compliance with a variety of regulations, but none of them require it. As a result, vendors have softened their message and the good ones adjust it to show this value. I don’t know if I really influenced this, but it’s something I’ve spent a lot of time working on with my vendor clients over the years.
Other markets face this same challenge, and if you look back they almost always start by hitting compliance for the apparently easy cash, and are then forced to adjust messaging unless they are explicitly required. Users also face the same problem:
Be it a vendor or an end user, the compliance sell is either the easiest or hardest you’ll ever face. If the regulation (or your auditor) explicitly requires something, there’s an immediate business justification. While there’s a *lot* more to compliance, if it isn’t on that list you can’t sell it with merely the C word.
Instead, evaluate the tool or process in the context of compliance and show the business benefits. Does it reduce compliance costs? Does it reduce your risk of an exposure? For example, DLP content discovery, by identifying where credit card data is stored, can reduce both audit costs and the risk of non-compliance. Database Activity Monitoring can reduce SOX audit costs and the cost of maintaining appropriate logging on financial databases. There are a ton of internal process changes that improve audit efficiency and reduce the burden of generating compliance reports last minute every year or quarter.
When something is on the checklist, sell it as compliance. When it’s off that list, sell it as cost or risk reduction. If it doesn’t hit those categories, buy a monkey to do the dance- it’s cuter than you are and more likely to get the banana.
Posted: 18 Aug 2008 02:36 PM CDT
The Economist has a short but great overview on crisis management. The article is well worth reading completely, but there is one section that bears highlighting:
Be well prepared in advance. Potential members of a crisis management “team” should rehearse how they would manage the impact of an incident. It is a bit like learning the safety instructions on a plane before take-off: you hope you will never need them, but you know it would be unwise to miss the lesson. The team should include the chief executive and a representative of the press office. Thereafter, all external enquiries relating to a crisis should be answered by the team.
It's amazing how often this step gets left out of business continuity plans and it is probably the most important. I heartily encourage all executives to not just plan but practice practice practice. This is the sort of thing that can really bite you hard at just the wrong time.