Subscriptions:

Blogs - Darknet (feed)
Blogs - GNUCITIZEN (feed)
Blogs - Jeremiah Grossman (feed)
Blogs - Michael Sutton (feed)
Blogs - Schneier On Security (feed)
Blogs - The Dark Visitor (feed)
Podcasts - Blue Box (feed)
Research - DVLabs (feed)
Tools - OSVDB (feed)
WebApp - CGISecurity.com (feed)

Disclaimer:

This is an automatically generated site. The domain owners, staff and associated parties are in no way responsible for the content. All content is copyright of its respective owners.

Updated every 15 minutes.

Contact:

Direct all gripes, requests and suggestions to the site owner.

July 05, 2008

Chinese hacker soap opera - Blogs - The Dark Visitor

On the 21st of June, we told you about SKSgod selling a trojan downloader called “Chinese Hacker Vampire” and the online controversy that ensued when another hacker took credit for it.  The end? No, fresh drama has been introduced into this saga.

Author of Chinese Hacker Vampire Program JAILED!

On 4 July, News.cn reported that an 18-year-old hacker surnamed Zhou had been arrested in connection with selling the trojan downloader program.  Police from Chongqing City launched an investigation into the case after receiving a phone call from an anonymous source who reported that there was a website selling the Chinese Hacker Vampire downloader.  According to the report, Zhou’s website even threatened to shut down the anti-virus software industry.

On July 1st,  Chongqing police captured Zhou while still asleep in his apartment and he later made a full confession to the crime.  The end? No.

Silly police, you can’t arrest a vampire

I decided to visit SKSgod’s website to see when he last posted and, surprise, it was 5 July.  Wait, wasn’t he jailed on July 1st?  Nope.  SKSgod is just having a real run of bad luck with people stealing his program and identity.

On 5 July, he posts an apology to all the people who lost money purchasing the Chinese Vampire downloader and promised to use his energy to create a better program.  One person in the comments section suggested that his time and energy could be put to better use. So, that was funny.

On 4 July, when the story was breaking about the arrest, he posted three separate articles dealing with the rumor.  All three postings had the same theme, complaining about how all this news was hurting his reputation.

Is he at all concerned about the poor schmuck shown getting arrested? Nope, this is all about him and his online creds.  The end? Who knows.



July 04, 2008

Friday Squid Blogging: Giant Squid Found off Santa Cruz Coast - Blogs - Schneier On Security

It's twenty-five feet long, with tentacles the size of human legs....


Time Bomb Neckties - Blogs - Schneier On Security

Not recommended to wear at the airport....


Encrypting Disks - Blogs - Schneier On Security

The UK is learning: The Scottish Ambulance Service confirmed today that a package containing contact information from its Paisley Emergency Medical Dispatch Centre (EMDC) has been lost by the courier, TNT, while in transit to one of its IT suppliers. The portable data disk contained a copy of records of 894,629 calls to the ambulance service's Paisley EMDC since February...


Hundreds of Thousands of Laptops Lost at U.S. Airports Annually - Blogs - Schneier On Security

This is a weird statistic: Some of the largest and medium-sized U.S. airports report close to 637,000 laptops lost each year, according to the Ponemon Institute survey released Monday. Laptops are most commonly lost at security checkpoints, according to the survey. Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent...


Whathehuhnammm…heh, heh. - Blogs - The Dark Visitor

That was the actual sound that came out of my mouth when I first viewed this picture from Xinhuanet of People’s Armed Police officers demonstrating new Olympic counter-terrorism equipment:

Eastwood, if you can bring me back one of these Segways-of-Death…man, we are buds for life!



OWI: Yet Another Anonymous Point of Attack? - Blogs - GNUCITIZEN

About a month ago I traveled by train for a pre-sales meeting with a prospective customer. The trip was about two hours long, which would usually mean that it’d be boring. In this case it was different though: I was surprised with free OWI (Onboard Wireless Internet) on the train!

Anonymous #29

Simply connect to the available open (no encryption) wireless access point and you will be redirected to a login portal, aka captive portal. Just like any hotspot you find at coffee shops such as Starbucks. However, I was very pleased to find out that users could login as a “guest” which means that all passengers could go online without paying any additional fee!

Just to make things clear, going online as a guest was a legitimate form of access provided by the operator, as opposed to bypassing the security of the captive portal. NO illegal cracking (e.g. SQL injection without permission) was done whatsoever!

Kudos to the train company that provides the service! The connection wasn’t super fast, but fast enough to be able to check my email, read the news, update my RSS feeds, chat with my buddies, etc … It was quite reliable though, which is a big plus as I hate being disconnected while I’m on-line (it reminds me of the old days of dial-up Internet access).

A bit of enumeration 101 led me to learn that:

  • I was connected to Sweden via a VPN link (mentioned in the whois records of the NATed IP address, which you can obtain on many sites)
  • The service provider is a Swedish company called Icomera AB
  • The data is transferred wirelessly via 3G and satellite connections
  • All the train coaches are connected to each other in a Onboard Wireless Network (OWN) which is based on Wi-Fi
  • From a security point of view, this technology adds another “anonymous” point of attack to the already-large list. I say “anonymous” (within quotation marks) because there is no such thing as truly anonymous connectivity. However, one thing is true: if the bad guy knows what he is doing, it becomes infeasible to track the point of attack and the attacker’s identity. That is, it’s not worth starting an investigation if the committed crime didn’t lead to a serious profit loss.

    From the top of my head, these are some anonymous points of attack that come to mind:

    • unprotected (i.e.: no encryption) or crackable (i.e.: WEP) wireless access points: these could belong either to a home internet user, or a company
    • public hotspots where guest access is allowed on purpose, i.e.: hotspots at airports which do not require you to purchase time when going online. So there is no need to provide personal details and credit card details to register a user account
    • prepaid SIM cards: in many places like Europe it’s possible to buy pre-paid SIM cards without providing any personal identification. When combined with buying a mobile/cellphone from a second-hand items shop it becomes even harder to trace the identity of the attacker (but NOT the location as it can be triangulated in the cells architecture)
    • misconfigured proxies (HTTP and SOCKS): they allow anyone to connect through them without a username or password. Some proxies give away the attacker’s IP address within HTTP headers (i.e.: X-Forwarded-For), but there are plenty of sites that will tell you whether a given proxy adds headers revealing the original source IP address, so the attacker can simply pick one that doesn’t
    • compromised hosts: we all are familiar with crackers bouncing their connections via compromised hosts (commonly owned via drive-by downloads attacks and browser exploits)
    • backdoor/exposed dial-in modems: yes, this is very old school (i.e.: wardialing), but there is still some room for exploitation out there. By the way, Wargames 2 (the Dead Code) sucks really bad! (no joke)
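The proxy-header point above is easy to make concrete. What follows is an added example (not GNUCITIZEN's code) written from both sides: classify_proxy does what a proxy-checker site does with the headers it receives, grading the hop as transparent (client address leaked), anonymous (a proxy is visible but the client is not) or elite (nothing betrays a proxy); client_ip is the defender-side check, which honours X-Forwarded-For only for hops in a trusted-proxy list, because that header is client-controlled and trivially spoofed. The header names, the sample header sets and the addresses are constructed for the example.

```python
import re
from ipaddress import ip_address

# De-facto headers that carry the original client address when a proxy adds them.
# The list is an assumption for this example, not an exhaustive one.
CLIENT_IP_HEADERS = ("x-forwarded-for", "x-real-ip", "client-ip", "x-client-ip", "true-client-ip")
# Headers that show a proxy is in the path even when they do not name the client.
PROXY_ID_HEADERS = ("via", "x-proxy-id", "proxy-connection")
# RFC 7239 'for=' values: bare IPv4, bare IPv6, or quoted "[v6]:port".
FORWARDED_FOR_RE = re.compile(r'for="?\[?([0-9a-fA-F:.]+)\]?(?::\d+)?"?', re.I)

# Constructed sample header sets, as a server (or a proxy-checker site) would receive them.
SAMPLES = {
    "transparent": {"Host": "checker.test", "X-Forwarded-For": "203.0.113.7",
                    "Via": "1.1 cache.isp.test (squid)"},
    "anonymous":   {"Host": "checker.test", "Via": "1.1 cache.isp.test (squid)"},
    "elite":       {"Host": "checker.test", "User-Agent": "Mozilla/5.0"},
    "rfc7239":     {"Host": "checker.test",
                    "Forwarded": 'for="[2001:db8::1]:4711";proto=https;by=203.0.113.43'},
}

def _valid_ips(values):
    """Pull syntactically valid addresses out of comma-separated header values, dropping ports."""
    found = []
    for raw in values:
        for part in raw.split(","):
            cand = part.strip().strip('"')
            if cand.count(":") == 1:            # IPv4 with a port, e.g. 203.0.113.7:4711
                cand = cand.rsplit(":", 1)[0]
            try:
                found.append(str(ip_address(cand)))
            except ValueError:
                pass                            # 'unknown', '_hidden' and similar are ignored
    return found

def classify_proxy(headers):
    """Grade what the received headers reveal about the hop the request came through."""
    h = {k.lower(): v for k, v in headers.items()}
    origin_ips = []
    for name in CLIENT_IP_HEADERS:
        if name in h:
            origin_ips += _valid_ips([h[name]])
    if "forwarded" in h:
        origin_ips += _valid_ips(FORWARDED_FOR_RE.findall(h["forwarded"]))
    proxy_ids = [f"{name}: {h[name]}" for name in PROXY_ID_HEADERS if name in h]
    if "forwarded" in h and "by=" in h["forwarded"].lower():
        proxy_ids.append("forwarded: " + h["forwarded"])
    if origin_ips:
        level = "transparent"                   # the proxy leaks the client address
    elif proxy_ids:
        level = "anonymous"                     # the proxy is visible, the client is not
    else:
        level = "elite"                         # nothing in the headers betrays a proxy
    return {"level": level, "origin_ips": sorted(set(origin_ips)), "proxy_ids": proxy_ids}

def client_ip(remote_addr, headers, trusted_proxies):
    """Defender side: X-Forwarded-For is client-controlled, so only the part appended by
    proxies we operate is trusted. Walk the chain right to left, stop at the first untrusted hop."""
    h = {k.lower(): v for k, v in headers.items()}
    chain = _valid_ips([h.get("x-forwarded-for", "")]) + [remote_addr]
    for ip in reversed(chain):
        if ip not in trusted_proxies:
            return ip
    return remote_addr                          # every hop was ours; fall back to the socket peer

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", classify_proxy(hdrs))
    # A client forging X-Forwarded-For: only the address our own proxy (10.0.0.5) appended counts.
    print(client_ip("10.0.0.5", {"X-Forwarded-For": "1.2.3.4, 198.51.100.9"}, {"10.0.0.5"}))
```

Run stand-alone it grades the four sample header sets and shows a forged X-Forwarded-For entry being ignored. The IPv6 handling in _valid_ips is deliberately minimal: bracketed addresses with ports are only parsed out of the RFC 7239 Forwarded header, which is where the quoted "[addr]:port" form is defined.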

    Although there are tons of ways for attackers to hide their location and identity, somehow I find OWI scarier than most of them. It’s scary because the attacker is always on the move, which might make tracking his location more difficult due to time correlation issues when comparing logs.

    I know what you’re thinking: how is this different from the attacker using a stolen 3G Internet card? After all, using a 3G card would also allow the attacker to be constantly changing his geographical location (i.e.: by being inside a moving vehicle). Well, that’s a good point. However, in the case of using OWI the attacker doesn’t need to steal any equipment.

    If you think that being on a fast train won’t make tracking the location of the bad guy when a break-in occurs hard enough, how about doing it on a plane at 800 km/h? Yes, that’s right: free Onboard Wireless Internet, aka in-flight wireless Internet access, will most likely become very common in the future, which adds another anonymous point of attack to our list. Oh dear, remote Internet break-ins from planes, that’s gonna be fun!


    Let Freedom Ring - Blogs - The Dark Visitor

    US Declaration of Independence

    When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

    We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. –That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, –That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. —Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain [George III] is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.

    He has refused his Assent to Laws, the most wholesome and necessary for the public good.

    He has forbidden his Governors to pass Laws of immediate and pressing importance, unless suspended in their operation till his Assent should be obtained; and when so suspended, he has utterly neglected to attend to them.

    He has refused to pass other Laws for the accommodation of large districts of people, unless those people would relinquish the right of Representation in the Legislature, a right inestimable to them and formidable to tyrants only.

    He has called together legislative bodies at places unusual, uncomfortable, and distant from the depository of their public Records, for the sole purpose of fatiguing them into compliance with his measures.

    He has dissolved Representative Houses repeatedly, for opposing with manly firmness his invasions on the rights of the people.

    He has refused for a long time, after such dissolutions, to cause others to be elected; whereby the Legislative powers, incapable of Annihilation, have returned to the People at large for their exercise; the State remaining in the mean time exposed to all the dangers of invasion from without, and convulsions within.

    He has endeavoured to prevent the population of these States; for that purpose obstructing the Laws for Naturalization of Foreigners; refusing to pass others to encourage their migrations hither, and raising the conditions of new Appropriations of Lands.

    He has obstructed the Administration of Justice, by refusing his Assent to Laws for establishing Judiciary powers.

    He has made Judges dependent on his Will alone, for the tenure of their offices, and the amount and payment of their salaries.

    He has erected a multitude of New Offices, and sent hither swarms of Officers to harass our people, and eat out their substance.

    He has kept among us, in times of peace, Standing Armies without the consent of our legislatures.

    He has affected to render the Military independent of and superior to the Civil power.

    He has combined with others to subject us to a jurisdiction foreign to our constitution and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

    For Quartering large bodies of armed troops among us:

    For protecting them, by a mock Trial, from punishment for any Murders which they should commit on the Inhabitants of these States:

    For cutting off our Trade with all parts of the world:

    For imposing Taxes on us without our Consent:

    For depriving us, in many cases, of the benefits of Trial by Jury:

    For transporting us beyond Seas to be tried for pretended offences:

    For abolishing the free System of English Laws in a neighbouring Province, establishing therein an Arbitrary government, and enlarging its Boundaries so as to render it at once an example and fit instrument for introducing the same absolute rule into these Colonies:

    For taking away our Charters, abolishing our most valuable Laws, and altering fundamentally the Forms of our Governments:

    For suspending our own Legislatures, and declaring themselves invested with power to legislate for us in all cases whatsoever.

    He has abdicated Government here, by declaring us out of his Protection and waging War against us.

    He has plundered our seas, ravaged our Coasts, burnt our towns, and destroyed the lives of our people.

    He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation and tyranny, already begun with circumstances of Cruelty and perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

    He has constrained our fellow Citizens taken Captive on the high Seas to bear Arms against their Country, to become the executioners of their friends and Brethren, or to fall themselves by their Hands.

    He has excited domestic insurrections amongst us, and has endeavoured to bring on the inhabitants of our frontiers, the merciless Indian Savages, whose known rule of warfare, is an undistinguished destruction of all ages, sexes and conditions.

    In every stage of these Oppressions We have Petitioned for Redress in the most humble terms: Our repeated Petitions have been answered only by repeated injury. A Prince whose character is thus marked by every act which may define a Tyrant, is unfit to be the ruler of a free people.

    Nor have We been wanting in attentions to our British brethren. We have warned them from time to time of attempts by their legislature to extend an unwarrantable jurisdiction over us. We have reminded them of the circumstances of our emigration and settlement here. We have appealed to their native justice and magnanimity, and we have conjured them by the ties of our common kindred to disavow these usurpations, which, would inevitably interrupt our connections and correspondence. They too have been deaf to the voice of justice and of consanguinity. We must, therefore, acquiesce in the necessity, which denounces our Separation, and hold them, as we hold the rest of mankind, Enemies in War, in Peace Friends.

    We, therefore, the Representatives of the united States of America, in General Congress, Assembled, appealing to the Supreme Judge of the world for the rectitude of our intentions, do, in the Name, and by the Authority of the good People of these Colonies, solemnly publish and declare, That these United Colonies are, and of Right ought to be Free and Independent States; that they are Absolved from all Allegiance to the British Crown, and that all political connection between them and the State of Great Britain, is and ought to be totally dissolved; and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor.

    Posted under US attacks…for those men and women who sacrificed so much for our freedom.



    July 03, 2008

    Random Stupidity in the Name of Terrorism - Blogs - Schneier On Security

    An air traveller in Canada is first told by an airline employee that it is "illegal" to say certain words, and then that if she raised a fuss she would be falsely accused: When we boarded a little later, I asked for the ninny's name. He refused and hissed, "If you make a scene, I'll call the pilot and you...


    MindshaRE: Identifying Encryption Functions - Research - DVLabs

    Posted by Cody Pierce
    Welcome back to another installment of MindshaRE.  This week we will cover identifying a common pattern seen in encryption and compression functions.  The purpose is to quickly identify locations of interest in a binary that may handle this type of activity.

    MindshaRE is our weekly look at some simple reverse engineering tips and tricks.  The goal is to keep things small and discuss every day aspects of reversing.  You can view previous entries here by going through our blog history.

    When analyzing a binary, looking for patterns can help quickly identify what purpose a function serves.  By doing this we can gain an insight into how a binary works.  There are plenty of patterns you can identify.  In this case we will be discussing functions that handle encryption or compression.

    There are hundreds of instructions in the Intel instruction set.  Most are rarely used; in fact, running some heuristics shows that fewer than 100 are used in most binaries.  We can use this to our advantage when identifying encryption/compression routines.  These functions in almost every case do bit shifting and flipping, which requires a few key instructions such as xor, shl, shr and ror.

    Obviously these instructions can be used for many things.  However, in encryption/compression functions they occur in an easily identifiable pattern.  Let's look at a sample from the Kraken bot.

        001AF08F   shl     eax, 4
        001AF092   add     eax, [ebp+var_8]
        001AF095   mov     edi, edx
        001AF097   shr     edi, 5
        001AF09A   add     edi, [ebp+var_C]
        001AF09D   xor     eax, edi
        001AF09F   lea     edi, [esi+edx]
        001AF0A2   xor     eax, edi
    One of our hints is the xor.  The xor of two different registers is a tell-tale sign of encryption or compression (an xor of a register with itself is just the idiom for zeroing it, which is why only different registers count).  The listing above also has the shape of a TEA-family round: shift left by 4 plus a key word, shift right by 5 plus a second key word, both xored with the value plus a running sum.  If we can identify a few of these we might be able to automate the identification of such routines.

    I have come up with a few metrics to do this.  I give each rule a weight.  My script runs through each function in a binary and calculates a score.  If a function scores high enough it will print out its location.  This has proved fairly effective at quickly identifying interesting functions.  Here are my rules.
    1. xor of different registers is weighted the highest
    2. shl, shr, ror, rol, and cdq are counted as well, all having a lower score than xor since they occur more often in ordinary code
    3. If any of these instructions occur in a loop it increases the score
    4. If any of these instructions are in the same basic block it increases the score
    I use this weighting system for lots of different purposes, but it seems to work best in the case of encryption and compression routines.  This is due to the xor.  As I stated, it's rare to see xor'ing of different registers, and in the case of a false positive it can be manually verified.

    We are always looking for ways to better understand functions in a binary.  Using patterns is a good way to do this quickly.  Try putting this in a script and running it on various binaries.
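The post does not include the script itself, so here is an added Python version (example code, not Cody's) that applies the four rules above to a textual disassembly listing. It splits basic blocks at jump targets and after control transfers, treats any backward jump as a loop, and skips an xor of a register with itself (the zeroing idiom). The weights, the loop multiplier and the per-block bonus are assumptions chosen for the example; the post only fixes their relative order. The sample listings are constructed: the first wraps the eight Kraken instructions quoted above in a made-up 32-iteration loop, the second is an ordinary string-length loop for contrast.

```python
import re
from collections import defaultdict

# Weights are assumptions for this example; the post only gives their relative order.
XOR_WEIGHT, SHIFT_WEIGHT, LOOP_FACTOR, BLOCK_BONUS = 3, 1, 2, 1
X86_REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp", "ax", "bx", "cx", "dx",
            "si", "di", "bp", "sp", "al", "ah", "bl", "bh", "cl", "ch", "dl", "dh"}
SHIFT_LIKE = {"shl", "shr", "ror", "rol", "cdq"}
JUMPS = {"jmp", "jz", "jnz", "je", "jne", "ja", "jb", "jae", "jbe", "jg", "jl", "jge", "jle",
         "js", "jns", "loop"}
ENDS_BLOCK = JUMPS | {"ret", "retn"}
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\w+)\s*(.*?)\s*$")
TARGET_RE = re.compile(r"loc_([0-9a-f]+)")

# Constructed listings in IDA text form: the eight Kraken instructions from the post wrapped
# in a made-up 32-iteration loop, and an ordinary string-length loop for contrast.
SAMPLES = {
    "sub_1AF086": """\
001AF086  mov     ecx, 20h
001AF08B  mov     eax, edx
001AF08F  shl     eax, 4
001AF092  add     eax, [ebp+var_8]
001AF095  mov     edi, edx
001AF097  shr     edi, 5
001AF09A  add     edi, [ebp+var_C]
001AF09D  xor     eax, edi
001AF09F  lea     edi, [esi+edx]
001AF0A2  xor     eax, edi
001AF0A4  add     ebx, eax
001AF0A7  dec     ecx
001AF0A8  jnz     short loc_1AF08B
001AF0AA  retn
""",
    "sub_401000": """\
00401000  xor     eax, eax
00401002  mov     ecx, [esp+4]
00401006  cmp     byte ptr [ecx+eax], 0
0040100A  jz      short loc_40100F
0040100C  inc     eax
0040100D  jmp     short loc_401006
0040100F  retn
""",
}

def parse_listing(text):
    """'001AF08F   shl     eax, 4' -> (0x1AF08F, 'shl', ['eax', '4'])."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, mnem, ops = m.groups()
            operands = [o.strip().lower() for o in ops.split(",")] if ops else []
            insns.append((int(addr, 16), mnem.lower(), operands))
    return insns

def analyze_flow(insns):
    """Loop membership (any backward jump) and basic-block id for every instruction."""
    n = len(insns)
    index_of = {addr: i for i, (addr, _, _) in enumerate(insns)}
    leaders, in_loop = {0}, [False] * n
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem in ENDS_BLOCK and i + 1 < n:
            leaders.add(i + 1)                  # a new block starts after any transfer
        m = TARGET_RE.search(ops[0]) if mnem in JUMPS and ops else None
        t = index_of.get(int(m.group(1), 16)) if m else None
        if t is not None:
            leaders.add(t)                      # a jump target starts a block
            if t <= i:                          # backward edge: t..i is a loop body
                for j in range(t, i + 1):
                    in_loop[j] = True
    block_of, block = [], -1
    for i in range(n):
        block += i in leaders
        block_of.append(block)
    return in_loop, block_of

def score_listing(text):
    """Apply the four rules from the post to one function; higher means more cipher-like."""
    insns = parse_listing(text)
    in_loop, block_of = analyze_flow(insns)
    score, hits_in_block = 0, defaultdict(int)
    for i, (_, mnem, ops) in enumerate(insns):
        if (mnem == "xor" and len(ops) == 2 and ops[0] != ops[1]
                and ops[0] in X86_REGS and ops[1] in X86_REGS):
            w = XOR_WEIGHT                      # rule 1; 'xor eax, eax' (zeroing) is skipped
        elif mnem in SHIFT_LIKE:
            w = SHIFT_WEIGHT                    # rule 2
        else:
            continue
        if in_loop[i]:
            w *= LOOP_FACTOR                    # rule 3
        score += w
        hits_in_block[block_of[i]] += 1
    for hits in hits_in_block.values():
        score += BLOCK_BONUS * (hits - 1)       # rule 4: several hits in one basic block
    return score

def rank_functions(listings, threshold):
    """Names of the functions whose score reaches the threshold, best first."""
    scored = sorted(((score_listing(t), n) for n, t in listings.items()), reverse=True)
    return [n for s, n in scored if s >= threshold]

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: score {score_listing(text)}")
    print("candidates:", rank_functions(SAMPLES, threshold=10))
```

With these weights the TEA-shaped loop scores 19 (two shifts and two register xors, all doubled for the loop, plus three for sharing one basic block) while the string-length loop scores 0, since its only xor is the zeroing idiom. In a real plugin the listing text would come from the disassembler's API and the loop and block information from its flow graph rather than from this backward-jump approximation.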

    -Cody


    Sony PlayStation's site SQL injected, redirecting to rogue security software - WebApp - CGISecurity.com


    Firefox 2.0.0.15 Addresses Multiple Security Issues - WebApp - CGISecurity.com


    Browser Insecurity - Blogs - Schneier On Security

    This excellent paper measures insecurity in the global population of browsers, using Google's web server logs. Why is this important? Because browsers are an increasingly popular attack vector. The results aren't good. ...at least 45.2%, or 637 million users, were not using the most secure Web browser version on any working day from January 2007 to June 2008. These browsers...


    ratproxy - Passive Web Application Security Audit Tool - Blogs - Darknet

    Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the...

    Read the full post at darknet.org.uk


    Whitepaper: Vulnerability Assessment Plus Web Application Firewall (VA+WAF) - Blogs - Jeremiah Grossman

    For those interested, we’ve released a whitepaper on how Vulnerability Assessment (VA) and Web Application Firewalls (WAF) function independently and collectively (VA+WAF). We spend a few pages describing the technical fundamentals of both, which many should find educational, especially on the WAF side, where industry material is in painfully short supply. Very few people really understand the nitty-gritty details of how WAFs work and are deployed in the real world. I've learned a great deal in the last couple of months talking with those who have. There is a little F5 ASM marketing in the paper, so beware! :) Enjoy, snippets:

    “WAFs at their core are designed to separate safe Web traffic from malicious traffic before it’s received by the website. And, if an attack does find a way to sneak past a WAF, it still has the ability to prevent sensitive information from leaving the trusted network. To get a better understanding of how the technology works, it’s helpful to view a WAF’s functionality as three discrete components - policies, policy generation, and policy enforcement. Depending on the particular WAF in use, they may go about implementing each component in a number of different ways. No one particular way has proven to be the right way, as each has its pros and cons.”

    “Every effective vulnerability assessment program requires a cohesive combination of people, process, and technology. Qualified people are necessary to carry out day-to-day tasks, manage the technology, and interpret the results to make them meaningful to the business. Process is required for coordinated efforts between executive management, IT Security, and software development groups to share information, prioritize vulnerability fixes, and enable organizational improvements. The right technology is essential for consistency, efficiency, and comprehensiveness. Whether an organization chooses to perform vulnerability assessments with internal resources, a consultancy, or a Software-as-a-Services vendor, the overall vulnerability program must always account for people, process, and technology. If not, the effort will cost more in time and dollars than it should. Or worse, simply not work.”


    July 02, 2008

    Cloudsecurity.org Interviews Guido van Rossum: Google App Engine, Python and Security - WebApp - CGISecurity.com


    Microsoft outlines extensive IE8 security improvements - WebApp - CGISecurity.com


    Dan Wallach on Electronic Voting Machines - Blogs - Schneier On Security

    It's been a while since I've written about electronic voting machines, but Dan Wallach has an excellent blog post about the current line of argument from the voting machine companies and why it's wrong. Unsurprisingly, the vendors and their trade organization are spinning the results of these studies, as best they can, in an attempt to downplay their significance. Hopefully,...


    PCI-DSS references the outdated OWASP Top Ten - Blogs - Jeremiah Grossman

    I’m sure other people have noticed this, at least I hope so, but never mentioned it publicly. If you read PCI-DSS 1.1 section 6.5, the part that covers prevention of common coding vulnerabilities in software development processes, you’ll notice the list is identical to that of the OWASP Top Ten 2004, while the latest version is 2007:

    6.5.1 Unvalidated input
    6.5.2 Broken access control (for example, malicious use of user IDs)
    6.5.3 Broken authentication and session management (use of account credentials and session
    cookies)
    6.5.4 Cross-site scripting (XSS) attacks
    6.5.5 Buffer overflows
    6.5.6 Injection flaws (for example, structured query language (SQL) injection)
    6.5.7 Improper error handling
    6.5.8 Insecure storage
    6.5.9 Denial of service
    6.5.10 Insecure configuration management

    I guess technically speaking anything that’s in v2007 and not v2004 you don’t have to worry about. That means you still have to code against Buffer Overflows and Application DoS, but not Malicious File Execution, Insecure Direct Object Reference, and Cross Site Request Forgery (CSRF). Ahh, fun fun. Gotta love compliance. :)


    Web Application Security Today - Are We All Insane? - Blogs - Jeremiah Grossman

    CSO magazine was kind enough to publish an opinion piece where I present a top-down view of the current state of web application security. I nervously expect a “spirited” flow of blog comments because it questions the value of certain best-practices and deeply held personal philosophies. Fortunately though our general public discourse has advanced a great deal recently and the community at large is a lot more informed of the challenges at hand. I pulled out a snippet to give a feel.

    "It is unreasonable to expect publishers, enterprises and other site owners to restart and reprogram every website securely from scratch. Nor can we fix the hundreds of thousands (maybe millions) of custom Web application vulnerabilities one line at time. The very thought sounds insane to me. It would take too long (probably never finish), cost far too much (billions per year), and the bad guys are already ahead of us. Conservative estimates put the total annual IT security spend in the US at $50 billion and e-crime losses at $100 billion. We're losing two dollars for every dollar spent."

    Enjoy!


    Google Calendar a New Target for Phishing - Blogs - Darknet

    It seems like the phishing crews are trying to get some new ideas on how to con people into giving away their credentials and leaking info. The latest target appears to be Google Calendar. As always, be on your guard, as these scams are coming from all directions. A few months ago, spam came to Google Calendar. Now [...]

    Read the full post at darknet.org.uk


    July 01, 2008

    PRC Cyber Space Capabilities - Blogs - The Dark Visitor

    Very interesting testimony before the US-China Economic and Security Review Commission on PRC cyber space capabilities. The commission broke the talks down into three major sections, with some congressional perspective and admin thrown in for good measure. The primary topics were space capabilities, cyber capabilities and proliferation. Only panel three spoke on cyber issues, but a typo in the contents section says panel two also spoke on it. Panel two actually talked about space capabilities.

    The three people called to testify before the panel were Colonel McAlum, Mr. Thomas and Dr. Mulvenon. All three gave very good presentations. If you don’t want to search through the whole document, the cyber section begins on page 45.

    I would also point out on this slide that it’s really important to get the lexicon right. In the open source media and other forums, you hear the term “cyber attack” used rather liberally, and you won’t hear anyone in the Department of Defense use that term in the context of cyber reconnaissance or network intrusions. What we are seeing today are network intrusions.

    Really glad to finally hear someone clarify the difference between cyber attack and intrusion. Words really do make a difference.

    The rest of the report on PRC cyber space capabilities found here….



    Nugache Worm Writer Arrested - Blogs - Schneier On Security

    A 19-year old from Wyoming will plead guilty....


    Save your passwords with Mozilla’s Weave - Blogs - GNUCITIZEN

    Save all your passwords and session identifiers in the cloud with Mozilla’s Weave. What do you think about that?

    Mozilla’s Weave

    Now this is not a feature unique to Mozilla. We’ve seen the same trend with Microsoft’s Live Mesh, and I suspect that Adobe and Yahoo are currently working on their own clones. These types of technologies totally change the rules of the game. Now picture this: what if your corporate employee uses the same password for their Flickr account as for their VPN/email logon? Hack the cloud, get the goodies!


    Kill Switches and Remote Control - Blogs - Schneier On Security

    It used to be that just the entertainment industries wanted to control your computers -- and televisions and iPods and everything else -- to ensure that you didn't violate any copyright rules. But now everyone else wants to get their hooks into your gear. OnStar will soon include the ability for the police to shut off your engine remotely. Buses...


    PAW/PAWS - Python Advanced Wardialing System - Blogs - Darknet

    Now this is an oldskool topic, wardialling! Some people still ask me about wardialling tools though, so here’s one I found recently, written in Python. PAW/PAWS is wardialing software written in Python. It is designed to scan for ISDN (PAWS only) and “modern” analog modems (running at 9.6kbit/s or higher). Wardialing tools are -...

    Read the full post at darknet.org.uk


    June 30, 2008

    Today's the day! PCI DSS section 6.6 is required - WebApp - CGISecurity.com


    Pentagon Consulting Social Scientists on Security - Blogs - Schneier On Security

    This seems like a good idea: Eager to embrace eggheads and ideas, the Pentagon has started an ambitious and unusual program to recruit social scientists and direct the nation’s brainpower to combating security threats like the Chinese military, Iraq, terrorism and religious fundamentalism. The article talks a lot about potential conflicts of interest and such, and less on what sorts...


    Security and Human Behavior - Blogs - Schneier On Security

    I'm writing from the First Interdisciplinary Workshop on Security and Human Behavior (SHB 08). Security is both a feeling and a reality, and they're different. There are several different research communities: technologists who study security systems, and psychologists who study people, not to mention economists, anthropologists and others. Increasingly these worlds are colliding. Security design is by nature psychological, yet...


    Cellular Interference - Research - DVLabs

    Posted by Pedram Amini
    Like many others in the world, I've always been a skeptic of the need to disable cell phone antennas on takeoff and landing. What kind of interference could possibly be caused to an airplane? We've all dealt with the minor nuisance of clicks and beeps when someone on a land line keeps their cell phone too close to the base, but serious interference to a plane? I always figured it was a better safe than sorry measure... Until a couple of weeks ago when I was doing some work in Photoshop on my old Dell laptop and randomly made an interesting discovery.

    I had placed my iPhone on the laptop just below the keyboard and was using an external keyboard and mouse (from my new laptop over Synergy, which is fantastic software by the way). At some point my layer background color started changing, the rulers appeared and disappeared, various nav items opened or closed, etc... The laptop is old and buggy so I thought nothing of it at first, then I wondered if it was my iPhone. I theorized that perhaps the iPhone was causing interference that was resulting in key strokes that mapped to hotkeys for manipulating my canvas and UI. A few quick tests confirmed the accuracy of this assumption, my interest was piqued and I immediately called over the rest of the team to revel in this accidental discovery.

    Before I continue, check out this demo video we made showing my iPhone sitting on the Dell Inspiron 9300 with UltraEdit running in the foreground (with an increased font size).


    A few seconds into the video, Cody starts to make a call to my cell from his. At about the 10 second marker you'll see a flurry of characters spew across the screen. You may notice what appears to be a pencil tracing around the iPhone. We quickly realized that moving the phone too far off a specific spot failed to produce any key strokes. At this point we had three primary questions in mind:
    1. What is under that part of the keyboard that is being interfered with?
    2. Can we reliably generate arbitrary key strokes of our choosing?
    3. Solving [1] and [2], could we build a focused radio transmitter "gun" of sorts to transmit arbitrary keys to a target laptop from a distance? (huge grin on face)
    To answer the first question Cody took the laptop apart. I wish we would have taken a picture of the underbelly of the 15lb beast that was my old laptop, but we forgot, so visualize if you will: Both the keyboard controller chip and the keyboard ribbon were in close vicinity of the radio interference. Alternating our experiment between shielding the ribbon and the controller with aluminum foil led us to believe that the radio signals from the iPhone are triggering key strokes through the actual ribbon.

    To answer the second question I coded up a little test harness. I created a small PHP script to generate random data of a suitable length to create interference. I loaded the URL on the iPhone and refreshed the page until a single character was sent. I marked the random data that resulted in that character and continued to map a few more characters. Here is the DB schema and simple script used to accomplish these tasks:
        <?php
        /*
          MySQL table structure (identifiers are quoted with backticks; `char`
          is a reserved word in MySQL, so the backticks are required). The
          `char` column is filled in by hand once a payload produces a key stroke.

          CREATE TABLE `tempest` (
            `id`   int(11)  NOT NULL auto_increment,
            `char` char(1)  NOT NULL,
            `data` longtext NOT NULL,
            PRIMARY KEY (`id`)
          ) ENGINE=MyISAM;
        */

        // Fill in host, user, password and database name for your own setup.
        mysql_connect("", "", "");
        mysql_select_db("");

        // Set $id to a stored row id to replay that payload to the phone;
        // leave it at 0 to generate and store a fresh random payload.
        $id = 0;

        if ($id)
        {
          // Replay: fetch the stored payload and send it to the phone again.
          $sql = "SELECT * FROM tempest WHERE id = " . (int) $id;
          $row = mysql_fetch_object(mysql_query($sql));
          print base64_decode($row->data);
        }
        else
        {
          // Generate 500 bytes of random data for the phone to download.
          $x = "";
          for ($i = 0; $i < 500; $i++)
            $x .= chr(rand(0, 255));

          print $x;

          // Store the payload base64-encoded so it survives in a text column.
          $sql = "INSERT INTO tempest SET data = '" . base64_encode($x) . "'";
          mysql_query($sql);
          print mysql_error();
        }
        ?>
    The table name TEMPEST by the way is the US government acronym for Transient ElectroMagnetic Pulse Emanation STandard. Running through this experiment provided no usable results. We postulated that the reason behind this is that the actual radio signals transmitting between the phone and the tower are not the same even for the same data. Despite the fact that we had already wasted half a day on this utterly useless (in terms of business) project, we were excited about the possibility of having a keystroke sending radio gun so we pressed on.

    Two hours of research time later we collectively decided that the next step would be to purchase a Universal Software Radio Peripheral (USRP) radio transceiver which we could write custom code for via the GNU Radio project. We speced out the cost of our ideal platform to be somewhere in the $2,000 to $3,000 range. Time for a budget approval, time to talk to the boss:


    Dave Endler

    Though amused, Dave was less than eager to drop precious budget dollars on a silly research project that would result in little to no re-usable security research. Our hopes and dreams shattered, we scrapped the project for a few weeks and have now resurrected it for public consumption. I recall being a CS student at Tulane University with lots of time and motivation and few solid project ideas. Today I have zillions of ideas and not enough hours in the day to accomplish them. Perhaps someone out there looking for a project idea can push this along... Write us if you do, we'd love to hear about it.


    Top Ten Anti-Terrorism Patents - Blogs - Schneier On Security

    This is not a joke. The Airplane Trap Door is my favorite. Perhaps this would make a good Movie-Plot Threat Contest for next year....


    Tiger Team Operations vs. Penetration Tests - Blogs - GNUCITIZEN

    If you read Wikipedia’s definition of Tiger Team you get the following: “A tiger team is a specialized group tasked with testing the effectiveness of an organization’s ability to protect assets by attempting to circumvent, defeat or otherwise thwart that organization’s internal and external security.” And further down we have “In the computer security field, the term is now obsolete, and more common terms are penetration testers or security testers. Security assessment testing of a computer system or network infrastructure is called penetration testing,” which I find very untrue.


    There is a significant difference between a tiger team operation and a penetration test. They differentiate largely in terms of quality, pricing and also the time frame which is allocated for each project. Let’s have a look at these differences.

    Quality

    It is needless to say that tiger team operations will produce more quality if this is what you are after. Tiger Team operations involve more than one expert in the info security field. Not to mention that each expert specializes in, or is good at, a different area altogether when compared to the rest of the participants. This adds a lot of value and it works a lot better in the long term for companies/organizations who are interested in protecting their digital assets.

    When a tiger team operation is established, there is a lot of brainstorming involved. This usually leads to greater input and therefore a much better job. Simply put, the more heads are thinking on the same problem, the more solutions you will get and much more quality is provided as a result.

    Penetration tests, from what I can see from the market today, usually involve only one person. I must admit that I’ve seen penetration tests which consisted of more than one info sec expert, but all of them specializing in the same field. As you can probably guess, this is not very good from a creative input point of view since all experts will tackle the problem from the exact same angle. Therefore, the quality is much lower.

    Pricing

    Tiger team operations cost a lot more when compared to penetration tests, because they involve several experts for a longer period of time, as you will see in the next section. A single tiger team operation may take a lot of money but at the end of the day you get what you pay for. You can buy jeans from the local market for 5-a but if you want the quality stuff you might want to get the American denim which will cost you a lot more.

    In the UK for example, anything that is less than £1000 per day of onsite work should tell you that the people who will test you will run Nessus and this is how far their commitment to your situation goes. Still, many companies are doing exactly this. In some very rare situations you get good stuff for not much but this is very, very rare. Probably you’ve hired a good startup company which does not know how much to charge you just yet.

    Time frames

    Tiger Team operations usually take more time than standard penetration tests. Why? Because they are custom tailored for the specific situation. Strategic planning is the key. But on the good side of things, you don’t have to attend to the team’s progress at every single step. The quality and professionalism speak for themselves. So, in general you get a better job done without investing your own time, which usually costs you money.

    Penetration tests are very narrow and can take as little as a single day, which in some cases is enough and in others is just the start. But if it is a pentest then what is done is done and this is how much you get; otherwise you have to pay more, which may still not be enough and which, again, takes up your time. As you can see this is a mess.

    Conclusion

    I guess I am biased, being the leader of the only tiger team in the UK, but I wouldn’t have been part of such an initiative unless I believed in its values and qualities. There are many differences between both types of services and they all fit different types of clients. Therefore, both of them fit different needs. It is up to the client to decide what they really need.


    China Home to at Least HALF of Malicious Web Sites - Blogs - Darknet

    It looks like China is becoming a hotbed for malware and malicious websites (those sites that push malware infections via browser exploits). They often used to be found in Korea and Taiwan and parts of Eastern Europe. According to the latest data more than half of the sites are now located in China. More than half of [...]

    Read the full post at darknet.org.uk


    June 29, 2008

    Security Companies are Boring - Blogs - GNUCITIZEN

    I was flipping the pages of the latest SC Magazine and I am afraid to admit that it was very boring.

    as boring as watching grass grow

    And this is not because the idea behind the magazine is bad. Not at all. It is mainly the fault of the numerous info security companies SC Magazine is listing, which are striving to sell you the latest crap that you don’t really need. Promises. Promises. And more Promises. But no substance! And most of the companies I have never heard of or they haven’t done anything interesting to justify their positions. I am not saying that they have to go geek tech sec, but please… If you do have a clue about the situation why don’t you inform your customers appropriately.


    Chinese cell phone use goes through the roof: One out of every two people now own one - Blogs - The Dark Visitor

    (From Zaobao) Xinhua News, citing statistics from the Chinese Industry and Informationization Department, reported that cell phone use in China increased to the point that one out of every two people owns a set and that traditional landline use continues its steady decline.

    End of May (2008) statistics showed that out of China’s 1.3 billion population, 592 million households now had a cell phone.  This was a 9% increase from numbers at the close of  2007, which showed 547 million users.

    The report stated that the telecommunications industry had continued to slash prices in order to increase cell phone use.

    Furthermore, traditional landline household use had dropped by 6.5 million to 358 million users.



    June 28, 2008

    Sir, sir…please don’t poke the bear! - Blogs - The Dark Visitor

    From the Heilongjiang Daily, via News China, a 19-year-old Chinese hacker going by the online name of Autumn Breeze decided to deface the main page of the… Daqing Public Security Bureau website … and leave behind several taunting messages to include his contact information. Brilliant!

    According to the report, Autumn Breeze felt that his skills at hacking were so good there was no way he could get caught. Well, it did take the police a little over an hour to track him down…so he has that going for him.

    On 12 June, police who were working online discovered that a hacker had managed to gain access to the Daqing Public Security Bureau website and leave behind several taunting messages:

    “So, basically Daqing doesn’t have a cyber police force?”

    “Do the cyber police just get paid to do nothing?”

    “Is the software installed on the internet cafes used by the cyber police to collect fees?”

    He also left behind the name “Autumn Breeze” and his e-mail contact information.

    Under the direction of Captain Liu, of the Daqing Cyber Police, officers were able to track Autumn Breeze to a local internet cafe and arrest him while in the process of attacking another website. Autumn Breeze made a full confession saying, “Oh, you get paid to do this!”

    Yeah, I may have fudged that last quote a bit.



    Later this evening: - Blogs - The Dark Visitor

    Another Chinese hacker makes the Stupid/Evil category…mainly just stupid

    One cell phone for every two people in China…WOW! Use grows by 9%, old school landline users sinking like a stone

    Off to see Wall-E with the little one, back later tonight



    Dividing up the Chinese hacker world by region - Blogs - The Dark Visitor

    Chinese hackers are much more organized than I could ever hope to be and as a consequence, do a lot of the heavy lifting for you in finding them. So, you want to figure out what groups are operating in certain regions of China, where do you begin? Let me suggest cn-hack.cn as a great place to start your research. They have conveniently broken down the groups by province and city:

    Next, click on the area you are interested in (I chose Henan) and presto, hacker website from the region:

    Not a comprehensive listing to be sure but thought it was interesting. Do you think they have their own sports teams?  Go, Beijing Hackers! Boo, Hebei!



    Information gathering…not just a computer thing - Blogs - The Dark Visitor

    Hat-Tip: GaoYuLong

    At times, I get so busy going through Chinese hacker websites that I forget there are other methods of collecting information that should not be ignored. Fortunately, reader GaoYuLong reminds me that HUMINT has not gone the way of the dinosaur and we need to keep track of the methodology used by China. GaoYuLong points to two articles from the Epoch Times that clearly illustrate these techniques:

    Chinese Regime Looks to Student-Spies to Push Agenda in Canada

    It was a sobering moment. Countless Falun Gong adherents in mainland China had received similar threats, and hundreds—if not thousands—went on to face torture and brainwashing after being turned in by fellow students and teachers.

    But Lingdi Zhang does not live in China. The then-computer science student was studying at the University of Ottawa.

    FBI Chinese Advertisement Targets CCP’s State Security
    An advertisement by the Federal Bureau of Investigation (FBI) aimed at Chinese-speaking residents of San Francisco’s Bay Area, ran from July 2 through July 8 in three local Chinese-language newspapers, seeking information about Chinese espionage to the United States.



    June 27, 2008

    Friday Squid Blogging: Rising Fuel Costs Halt Japanese Squid Industry - Blogs - Schneier On Security

    A video....


    Schneier Interview in The Edge - Blogs - Schneier On Security

    Here....


    OFF Topic: A farewell to Bill Gates - WebApp - CGISecurity.com


    Carrier Pigeons Bringing Contraband into Prisons - Blogs - Schneier On Security

    In Brazil. I think this is the first security vulnerability found in RFC 1149: "Standard for the transmission of IP datagrams on avian carriers." Deep packet inspection seems to be the only way to prevent this attack, although adequate fencing will prevent the protocol from running in the first place....


    More UPnP Hacking Fun with Google Media Server - Blogs - GNUCITIZEN

    The fun with hacking UPnP enabled devices has just begun. We’ve started our exploration in the fields of UPnP earlier this year with some smoking posts which covered some basic attacks and the advanced Flash attacks. Today I stumbled across Google Media Server, a desktop gadget which allows you to share all your laptop/desktop media content with all other devices you may have locally such as your phone, xbox, TV, and I suspect, your fridge. And all that via UPnP. That, I like very much.

    Who had fun this past weekend?

    I guess I will repeat myself, but I will say it one more time: UPnP does not have any mechanisms for authenticating with your devices. Therefore, anyone can mess with your media. Good that Google has implemented some kind of IP/MAC based lockout features in the Media Server, but as you understand these checks are insufficient.

    Do not use Media Server on your home WiFi network or your corporate laptops unless you are completely aware of the risks involved.


    Bsqlbf V2 - Blind SQL Injection Brute Forcer Tool - Blogs - Darknet

    There are quite a lot of SQL Injection Tools available and now there is one more to add to the stable for testing - Bsqlbf V2, which is a Blind SQL Injection Brute Forcer. The original tool (bsqlbfv1.2-th.pl) was intended to exploit blind SQL injection against a MySQL backend database; this new version supports blind SQL [...]

    Read the full post at darknet.org.uk


    June 26, 2008

    CCTV Cameras - Blogs - Schneier On Security

    Pervasive security cameras don't substantially reduce crime. There are exceptions, of course, and that's what gets the press. Most famously, CCTV cameras helped catch James Bulger's murderers in 1993. And earlier this year, they helped convict Steve Wright of murdering five women in the Ipswich area. But these are the well-publicised exceptions. Overall, CCTV cameras aren't very effective. This fact...


    MindshaRE: Adding IDA to Explorer Context Handler - Research - DVLabs

    Posted by Cody Pierce

    In this week's MindshaRE we will show you how to add IDA into the right click context menu of Windows Explorer.  This is handy when quickly disassembling .dll's and .exe's.

    MindshaRE is our weekly look at some simple reverse engineering tips and tricks.  The goal is to keep things small and discuss every day aspects of reversing.  You can view previous entries here by going through our blog history.

    When disassembling binaries in IDA most people will go through a couple of steps to load a new binary.  In the past I would first open IDA, locate the binary I want to disassemble, and drag it from the explorer window into the IDA MFC.  This is fine, but we are always looking for a more efficient way to work.

    Adding IDA to the right click context menu in explorer is pretty simple.  This allows you to right click any binary you have set up for IDA to handle, and simply click "IDA" or whatever you want to label it.  By doing this we can disassemble target binaries with a few clicks.  There are several ways we can achieve this but I will present the one I use.  Here are the steps to accomplish this.

    1. Open "regedit.exe"
    2. Open the key "HKEY_CLASSES_ROOT"
    3. Locate the file extension class you want (e.g. "dllfile" and "exefile")
    4. Open the sub key "shell"; if the key does not exist, create it
    5. Create a new key
    6. Give it the text label you want displayed when you right click the file type
    7. Create another key under the label and name it "command"
    8. Open the "(Default)" key under the newly created label key
    9. Add the path to your installation of IDA Pro's idag.exe binary in double quotes followed by "%1"
    10. Repeat for any other file extensions you want
    11. Close "regedit.exe"
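    The same registry layout can be produced as a reviewable .reg file instead of clicking through regedit. The Python script below is an added example, not part of the MindshaRE post or of IDA; it builds the keys from the steps above (shell\<label>\command with the default value set to "idag.exe" "%1") for the dllfile and exefile classes. The IDA_PATH value is a placeholder, and apply_with_winreg only works on Windows with rights to write under HKEY_CLASSES_ROOT.

```python
import sys

# Placeholder path to your IDA installation; adjust to where idag.exe lives.
IDA_PATH = r"C:\Program Files\IDA\idag.exe"


def _reg_escape(s: str) -> str:
    """Escape a string for a REG_SZ value in .reg syntax (backslash and quote)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def command_line(ida_path: str) -> str:
    """The (Default) value of the command key: quoted idag.exe path followed by "%1"."""
    return '"%s" "%%1"' % ida_path


def context_menu_reg(ida_path: str, classes=("dllfile", "exefile"),
                     label="IDA Pro") -> str:
    """Return the text of a .reg file that adds <label> to the right-click menu
    of each file class. Mirrors the manual steps: HKCR\\<class>\\shell\\<label>
    plus a <label>\\command sub key whose default value launches IDA."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for cls in classes:
        key = "HKEY_CLASSES_ROOT\\%s\\shell\\%s" % (cls, label)
        lines += [
            "[%s]" % key,
            "",
            "[%s\\command]" % key,
            '@="%s"' % _reg_escape(command_line(ida_path)),
            "",
        ]
    return "\n".join(lines)


def apply_with_winreg(ida_path: str, classes=("dllfile", "exefile"),
                      label="IDA Pro") -> bool:
    """Write the same keys directly (Windows only; needs write access to HKCR).
    Returns False on other platforms so the module stays importable anywhere."""
    if sys.platform != "win32":
        return False
    import winreg  # only available on Windows
    for cls in classes:
        sub = "%s\\shell\\%s\\command" % (cls, label)
        with winreg.CreateKey(winreg.HKEY_CLASSES_ROOT, sub) as key:
            # An empty value name sets the key's (Default) value.
            winreg.SetValueEx(key, "", 0, winreg.REG_SZ, command_line(ida_path))
    return True


if __name__ == "__main__":
    # Print the .reg file so it can be reviewed and imported with regedit.
    print(context_menu_reg(IDA_PATH))
```

Only the label's sub key is added, so the class's default double-click verb is left alone; the .reg route also leaves an auditable file behind, which is preferable to hand edits on a shared analysis box.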
    After you have added IDA to the extensions you want find a file to disassemble.  Right click the file, and select the label you added for IDA from the list.

    Adding IDA to the context menu is a very simple action.  But if you are like me and use the application daily it can really help.  That's all for this week, see you next week.

    -Cody


    Fever Screening at Airports - Blogs - Schneier On Security

    I've seen the IR screening guns at several airports, primarily in Asia. The idea is to keep out people with Bird Flu, or whatever the current fever scare is. This essay explains why it won't work: The bottom line is that this kind of remote fever sensing had poor positive predictive value, meaning that the proportion of people correctly identified...


    Landing Blogsecurify - Blogs - GNUCITIZEN

    During the last couple of days we combined forces with Blogsecurity.NET in an effort to improve their online Wordpress vulnerability scanner. The result of these efforts is our new initiative called Blogsecurify.

    Blogsecurify was created to help individuals and organizations to secure their blog infrastructures by testing them against a set of security tests. The project is still in alpha stage although I am quite happy with the actual framework which I believe is the only one of its kind. The same framework will be used for several other initiatives but I will talk about them when their time comes.


    Can WAFs protect against business logic flaws? - Blogs - Jeremiah Grossman

    “Web Application Firewalls (WAF) are a total waste of time/money because they can’t protect against business logic flaws!,” a common theme among the few, but vocal, seriously anti-WAF zealots out there. While there is some truth to it, it’s also like saying car door locks are useless because criminals can break in by smashing the windows. Or car alarms are a waste because they don’t protect against carjacking. And steering wheel locks are lousy because the car is at risk to thieves with tow trucks. You see where I’m going with this. Every security measure has a particular purpose, limitation, and overall value to the owner considering what it is they’re protecting.

    Sure, WAFs don’t defend against every logic flaw, or even every crazy form of SQLi or XSS. Just as white/black box scanners can’t identify every vulnerability and neither can expert pen-testers or source code auditors. A/V products don’t red flag every piece of malware. Anti-spam misses some junk mail. Yet we still utilize these solutions anyway because their value outweighs their limitations. And of course WAFs don’t replace vulnerability assessment (VA) or secure coding practices just as Nessus doesn’t compete with network firewalls or good segmentation practices. Therefore I recommend we ignore rash criticisms and keep an open mind into what WAFs can/can’t do, the value they may provide today, and consider how they may be improved – including being aided by VA intelligence (VA+WAF).

    I’m going to keep my comments vendor agnostic. Perhaps some of the features described below are already included in some of the available WAF products. In fact I know they are and claim no novelty of any of these ideas (probably printed elsewhere), but I’ll leave it to the vendors to comment on their specific products’ capabilities. I think the readers here might be pleasantly surprised. My intent here is to explore a few of the more common business logic flaw examples we’ve all seen, assume we know their location (VA), and attempt to hypothesize defense measures.

    Business Logic Flaw examples

    1) Rotating numbers in URLs, the classic case of Insufficient Authentication, Insufficient Authorization and Insufficient Process Validation where an attacker can gain access to data or functionality their user-level should not have. We’ve seen these issues countless times in order tracking systems, bank account screens, and even in online vote registration. I see at least two possible ways to prevent these types of business logic flaws with a WAF.

    URL encryption
    The WAF inspects outbound Web page content, dynamically encrypts and replaces every URL directed to the website, and by extension decrypts them on the way back in – completely transparent to the web server or application. For example:

    <a href="http://website/app.cgi?foo=bar">action</a>

    becomes…

    <a href="http://website/06ad47d8e64bd28de537…">action</a>

    or

    <a href="http://website/app.cgi?foo=bar&t=1fad47d…">action</a>

    URL encryption is powerful as it prevents URL parameter tampering and by extension protects against a wide range of attacks (XSS, SQLi, CSRF, etc.). No parameter tampering, no number rotation, no business logic flaw. Implementation is really tricky though because the HTML parser has to be perfect, otherwise requests will be blocked when links are missed. Bookmarks and search engine indexing are also potentially disrupted. However, websites where most functionality is behind a login screen, such as banking sites, might not mind. It’s also possible these side effects could be reduced by only focusing on the URLs known to be vulnerable (VA) instead of pursuing global enforcement. There is no need to encrypt URLs that aren’t vulnerable.

    Session-State tracking
    Users can be tracked from one page to the next so it’s technically possible for a WAF to know where they are in a particular flow and where they should be able to get to, or not. If an attacker were to rotate a number in a URL the WAF could be capable of determining if they should have been able to get it (UI-wise) from where they are. If they shouldn’t be able to, deny! Or perhaps a more forgiving threshold is in order so they may try 1, 2, or even 10 illegal URLs, but not more because that would surely be abnormal behavior. Scalability is the biggest drawback here as increasingly large state tables are required for tracking. However, if you know a particular URL or parameter name has a problem with number rotation, WAFs can again be configured to focus and enforce controls only there.

    2) Session hijacking by way of cookie tampering is another old school hack that has implications for Credential/Session Prediction, Insufficient Session Expiration, and Session Fixation. This issue doesn’t show up as much as it once did because most developers are using the native session handling APIs in their development frameworks as opposed to rolling their own. A very good thing.

    Just like the previous example we can utilize some good ol’ on-the-fly cookie encryption/decryption that can be easily performed with a WAF. If an attacker is unable to modify their cookie to a valid value, and the WAF would know cryptographically, then session handling issues go away. You could even add some httpOnly, secure, and non-persistent flags if you want. You’d still probably have issues with Insufficient Session Expiration or Session Fixation, but we’re getting somewhere. The only drawback I can think of is if JavaScript or some other client-side language needed to read/write the original cookie values.

    3) WAFs could also potentially be used to stop login brute force attacks or Insufficient Anti-Automation by including CAPTCHAs on-the-fly at various choke points. Again, thresholds would be neat. We could explore other examples, but I think you get the idea and this post is long enough. Well at least I don't want to write anymore. :)
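    To make examples 1) and 2) concrete, here is an added Python sketch of the three WAF-side mechanisms the post describes: tamper-evident URLs (the second form above, where the original parameters stay in place and a token t= is appended), sealed cookie values, and session-state tracking with a threshold of tolerated illegal URLs. This is not code from the post or from any WAF product; it assumes a WAF-held secret (SECRET, a constructed value) and uses an HMAC tag for integrity rather than full URL encryption, which is enough to stop number rotation, and a deliberately simple href regex as the outbound rewriter.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed demo key; a real WAF loads this from its own configuration.
SECRET = b"constructed-demo-key-not-for-production"


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the canonical payload, base64url without padding."""
    mac = hmac.new(SECRET, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def _canonical(parts, query) -> str:
    """Path plus the query (minus any 't' token), parameters in page order."""
    return parts.path + "?" + urlencode([(k, v) for k, v in query if k != "t"])


def sign_url(url: str) -> str:
    """Outbound: append t=<tag> so any change to path or parameters is detectable."""
    parts = urlsplit(url)
    query = [kv for kv in parse_qsl(parts.query, keep_blank_values=True) if kv[0] != "t"]
    query.append(("t", _tag(_canonical(parts, query))))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def verify_url(url: str) -> bool:
    """Inbound: recompute the tag over path+parameters and compare in constant time.
    A rotated number (order=1001 -> order=1002) or a missing token fails here."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    tags = [v for k, v in query if k == "t"]
    if len(tags) != 1:
        return False
    return hmac.compare_digest(tags[0], _tag(_canonical(parts, query)))


_HREF = re.compile(r'href="([^"]+)"')


def rewrite_links(html: str, site: str) -> str:
    """Outbound page rewriting: sign every href pointing at our own site.
    A production WAF needs a real HTML parser; any link this regex misses is
    later rejected by verify_url, which is exactly the failure mode the post warns about."""
    def repl(m):
        href = m.group(1)
        return 'href="%s"' % (sign_url(href) if href.startswith(site) else href)
    return _HREF.sub(repl, html)


def seal_cookie(value: str) -> str:
    """Tamper-evident cookie: value.tag (integrity only, the value stays readable)."""
    return value + "." + _tag("cookie:" + value)


def unseal_cookie(sealed: str):
    """Return the original cookie value, or None if the tag does not match."""
    value, sep, tag = sealed.rpartition(".")
    if not sep or not hmac.compare_digest(tag, _tag("cookie:" + value)):
        return None
    return value


class FlowTracker:
    """Session-state tracking: count rejected URLs per session and deny the
    whole session once the configured threshold of illegal URLs is reached."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.bad = {}  # session id -> number of rejected URLs

    def check(self, session: str, url: str) -> bool:
        if self.bad.get(session, 0) >= self.threshold:
            return False  # session already over the limit
        if verify_url(url):
            return True
        self.bad[session] = self.bad.get(session, 0) + 1
        return False
```

The choice of an appended tag over an opaque encrypted URL keeps bookmarks readable and lets the check be switched on per URL (the VA-guided, targeted enforcement the post suggests), at the cost of revealing the parameter names; sealing cookies the same way makes forged session values detectable without hiding them from client-side script.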

    It’s important to understand that we’re at the very beginning of WAFs (or website VA for that matter) and their deployments, which is also why there is so little field experience posted anywhere. We need an open community dialog so we can see where this technology can go and how it can be improved, independent of the PCI 6.6 mandate. My point is I don’t think WAFs will be able to solve all of our web application security problems, or even all business logic flaws, and I don’t know of anyone who does. It certainly would be nice though to see what WAFs can do or be made to do. We won’t know unless we keep an open mind and try.


    "Any fool can criticize, condemn, and complain, and most fools do."
    Benjamin Franklin


    Hackers Crack London Tube Oyster Card - Blogs - Darknet

    It just goes to show, having an aluminium lined wallet could really be useful! Hackers in the Netherlands found they could clone an access card using the Mifare chip, after that they traveled to London to try their technique out on the Oyster card (used on the London Underground), which uses the same chip. It just [...]

    Read the full post at darknet.org.uk


    Summary: Chinese cyberwarfare threat by the Heritage Foundation - Blogs - The Dark Visitor

    This is a very interesting read by John J. Tkacik on Chinese cyber attacks that runs counter to many of my arguments.  The PDF document titled Trojan Dragon: China’s Cyber Threat is 12 pages but well worth checking out.

    Genesis of China’s Cyberwarfare

    In the 1990s, China’s Ministry of Public Security (MPS), which manages the country’s police services, pioneered the art of state control of cyberspace by partnering with foreign network systems firms to monitor information flows via the Internet. By 1998, according to an insider’s account of China’s Internet development, the MPS and its subordinate bureaus found that their resources for monitoring the Internet had been overwhelmed by the sheer volume of Internet traffic—which by 1998 had not yet reached 1 million users in China.

    Keep reading…
