Archive

Archive for October, 2006

Scrybe

Tonight... in about a 10 minute period... I read two separate sites mentioning Scrybe.... something I had not previously heard of... I had to check it out. Now apparently Scrybe will be launching this October and presently on the website you can submit your email address in order to receive a notice when the beta is first available... First Thought: Maybe this is just a site to harvest email addresses... I mean why not... create a site.. announce some new amazing and up-and-coming technology and have a beta sign-up form... However I'm trusting that this is real due to the sites where I saw mention of it....

So what is Scrybe? It seems to be an online office suite of sorts... Organizer, Calendar, Notepad.... all of the above.... Their site description reads:

Scrybe™ is a groundbreaking online organizer that caters to today's lifestyle in a cohesive and intuitive way.
Simple solutions for some age old problems.

  • Seamless offline access - without any installations
  • Rich and fast like a desktop
  • Intuitive zoomable calendar views
  • Organize your thoughts with bookmarks, web snippets, images and files
  • To-do lists integrated with your calendar
  • Share and collaborate with friends and co-workers
  • Elegant, compact and handy print formats
  • Easily work across multiple timezones
  • Import and export from other apps easily. Your data is yours!

I'm looking forward to giving it a try as soon as I get a beta account... I'll let you know how it goes.

Peace,
HT

Categories: IT, Tools Tags:

ASCII-O-Matic

While this is completely unrelated to any sort of security or even IT really... It's pretty cool.... You can upload any image and it will convert it to ASCII art for you... now there are size restrictions on the uploads (it has to be a JPEG image 60px by 50px) but it's still fairly cool... the image looks quite good when it's done.. There are samples on the page.

Check it out.

Peace,
HT

Categories: Personal Tags:

304 Bytes and Counting…

So I posted the other day about the code crunching competition on the SecuriTeam website... At the end they were down to 384 bytes to grab a file off the internet and execute it. Today they updated their blog and Gil has managed to get the file down to 304 bytes.. Now the challenge is 300 bytes.... Anyone want to take it?

Gil also mentioned something that Gadi had posted earlier... The new Code Crunching mailing list... You can subscribe here.

Peace,
HT

Categories: IT Tags:

IE 7 Final…. Vuln #1 — Microsoft says not an IE Vuln

So apparently this IE vuln isn't an IE vuln... It's an Outlook Express vuln... That's what they're saying at MSRC & The IE Blog. That's cool... It's an OE vuln...

So all Microsoft is saying is that they've known about this vuln since (at the latest) April '06 and it's still not patched... I don't think the actual vulnerable component is really what matters... The attack vectors are the important part... and IE is an attack vector for this...

It makes me think of MS03-007, a buffer overflow in ntdll.dll.  If you read the advisory, the mitigation techniques don't point to anything directly related to ntdll.dll... Instead they point to WebDAV... How to disable WebDAV in the registry, how to use URLScan and IISLockdown to filter WebDAV, methods that you could block to prevent this... Why? WebDAV was an example of something that made a call to the function/procedure containing the buffer overflow in ntdll.dll. WebDAV was an attack vector... Plenty of places called it a WebDAV vuln...

While those people were technically incorrect and Microsoft, here, is technically correct... we're arguing over semantics... The vulnerability exists.... it can be accessed through your browser... If the browser is the vulnerable component or not is irrelevant.

It's like Apple saying "It's not our fault you were infected, Microsoft allowed this to happen by not building a secure product"... The IE Team is saying "Don't blame us... you can only access it through us... blame the Outlook Express team... it's their vuln"...

To me we're not addressing the vuln.... (however minimal it may be)... we're playing the blame game... IE... OE... they're just components of Windows (let's not argue the semantics of that statement).... how about we just call it a Windows vuln... and how about instead of Microsoft teams trying to lay blame on other parts of the company... they work together to fix it...

I would have been really impressed if IE7 wasn't vulnerable when it was released (or wasn't an attack vector)... If the IE Team made a blog posting saying... "This vuln exists in OE... IE was previously an attack vector, however we've made changes to remove this vector of attack.... While we're sure that the OE team is working on fixing this problem... we wanted to do our best to mitigate the problem"... I would have had some respect if they'd done that.

Peace,
HT

Categories: IT, Security Tags:

IE 7 Final…. Vuln #1

So, not even 7 hours after I told you that IE 7 was available for download we have a vuln announced by Secunia..

This same vuln appears to still exist in IE 6 according to Secunia (I don't have access to the browser to test this right now)... so it's not as bad but you'd still expect Microsoft to have patched known vulns before releasing the product... The IE 6 vuln has been on record with Secunia since April.

I guess we'll just have to wait and see what happens.

Peace,
HT

Categories: IT, Security Tags:

IE 7 Released

IE 7 was released earlier today.... oddly enough it was available from Yahoo before Microsoft... but either way Microsoft now has it available from http://www.microsoft.com/ie. I used this during the pre-release versions and actually installed it earlier today... I'm a big fan and encourage the upgrade... The phishing filter will be a nice addition.... and it's nice to see IE with tabs finally... I really think that IE7 will give Firefox 2.0 a run for its money...

There are a few compatibility issues (primarily SSL related) that were discussed on the IE blog earlier. You can read more about these here.

While I'm sure there are plenty of bugs to be ironed out over time and that updates will be seen regularly just as they are now for IE6... I'd definitely recommend the upgrade.. the new features make it worthwhile... I'm going to be abandoning Firefox on my Windows machines for the next couple days in order to test drive IE7 Final... If I find any problems I'll post a short write-up on them...

One feature that Microsoft should be given kudos for.... the update during install.. It was so nice to install a product and have it check for security updates before I could use it... It gave me more confidence when I ran it for the first time.

Peace,
HT

Categories: IT, Tools Tags:

Windows vs Linux…. The ultimate waste of time…

I learned something today.... something I have perhaps taken for granted until now. Well two things really....

  1. You don't need to have any realistic IT knowledge to work in IT... Your logic need not be sound and reasonable... You simply have to be able to "do your job"
  2. That anyone can get a blog... and they don't always present the user with realistic information.

I got up early this morning (girlfriend misplaced her keys and I had to lock the door behind her)... so I figured I'd head to work early... I'd get ready, have a bite to eat and check out my RSS Feeds. One of them, the Infopackets.com Windows Newsletter, had a new article posted. It turned out that this article was a rehash from a blog called "The Handicapped Computerist". I must say I like the concept... a place on using computers with a disability by people with disabilities and an IT background... the information, sorry, misinformation that is being presented is what I have a problem with... Let's call it FUD.

Read more...

Categories: IT, Personal Tags:

Tiny PE Code Crunching Challenge; Blackbag 0.9 and Fuzzy

I read a lot of blogs / sites today... besides a few humourous stories like the McVirus... there were two items that really caught my attention... two items... four blog postings.... from the SecuriTeam Blog and Matasano Chargen.

Gil Dabah over at SecuriTeam started the day off with a Code Crunching - Tiny PE Challenge.
From the original post:

Ground rules

It might sound fairly easy at first, but it’s not, and there is merely one simple goal:
Grab a file from the Internet and execute it.

With the following rules:
1) Only Imports section is allowed for kernel32.dll to get LoadLibraryA and GetProcAddress.
2) All strings must not be viewable (except rule 1), so we xor…

Now, I can see that this is being written on a level that's both low and complex enough to exceed my current grasp... but I'll watch because it interests me greatly... From that same blog posting Gil mentions that he's gotten the file down to 411 bytes... The challenge was to drop the file below 400 bytes. This challenge was answered with a solution less than 24 hours later... by Gil, with a follow up post, offering a file a mere 384 bytes in size. This seems quite impressive... Something else I found of interest was a point made on DailyDave in a thread following this topic by Damien Miller... If the file is less than 536 bytes, it'll fit into a single UDP datagram without fragmentation.
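Rule 2 above (no visible strings, so XOR them) is the part of the challenge that can be shown without hand-assembling a PE. What follows is an added example, not the original post's code and not one of Gil's entries: the API names are stored XOR-encoded with a key whose high bit is set, so every encoded byte lands outside printable ASCII and a strings(1)-style scan of the binary finds nothing... the name is decoded into a stack buffer only at the moment it is needed (on Windows, that decoded string is what you would hand to GetProcAddress). The key 0x9D and the encoded tables are choices made for this example.

```c
/* Added example (not from the SecuriTeam challenge entries): hiding API name
 * strings from a `strings`-style scan, as in rule 2 of the Tiny PE challenge.
 * The key has its high bit set, so every encoded ASCII byte is >= 0x80 and
 * therefore non-printable. Key and names are illustrative choices. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XOR_KEY 0x9D  /* high bit set: encoded ASCII never lands in 0x20..0x7E */

/* "LoadLibraryA" XOR'd with XOR_KEY, including the encoded NUL terminator
 * (0x00 ^ 0x9D == 0x9D), so not even the terminator is visible. */
static const unsigned char ENC_LOADLIBRARYA[] = {
    0xD1, 0xF2, 0xFC, 0xF9, 0xD1, 0xF4, 0xFF, 0xEF, 0xFC, 0xEF, 0xE4, 0xDC, 0x9D
};

/* Build an encoded blob (what you would paste into the binary's data).
 * Encodes the terminating NUL as well. Returns bytes written, 0 if out is too small. */
size_t xor_encode(const char *plain, unsigned char key, unsigned char *out, size_t outlen)
{
    size_t n = strlen(plain) + 1;
    if (n > outlen) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)plain[i] ^ key;
    return n;
}

/* Decode an encoded name into a caller-supplied buffer just before use.
 * Returns 1 when a decoded NUL was reached inside both buffers, else 0. */
int xor_decode(const unsigned char *enc, size_t enclen, unsigned char key,
               char *out, size_t outlen)
{
    for (size_t i = 0; i < enclen; i++) {
        if (i >= outlen) return 0;
        out[i] = (char)(enc[i] ^ key);
        if (out[i] == '\0') return 1;
    }
    return 0;  /* ran out of input without a terminator */
}

/* What strings(1) does: is there a run of at least minlen printable ASCII bytes? */
int has_printable_run(const unsigned char *buf, size_t len, size_t minlen)
{
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] >= 0x20 && buf[i] <= 0x7E) ? run + 1 : 0;
        if (run >= minlen) return 1;
    }
    return 0;
}

int main(void)
{
    char name[32];
    if (!xor_decode(ENC_LOADLIBRARYA, sizeof ENC_LOADLIBRARYA, XOR_KEY, name, sizeof name))
        return 1;
    printf("encoded blob visible to strings(1)? %s\n",
           has_printable_run(ENC_LOADLIBRARYA, sizeof ENC_LOADLIBRARYA, 4) ? "yes" : "no");
    printf("decoded at runtime: %s\n", name);
    return 0;
}
```

Worth keeping in mind: a single-byte XOR hides the names from strings(1) and from a casual hex dump, nothing more... the encoded NUL at the end of every name hands the key to anyone who looks, which is exactly the trade-off the challenge accepts in the name of size.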

The second item of interest was a software release from Thomas Ptacek over at Matasano Security. The software, blackbag 0.9, is described as:

(a) collection of sharp, pointy metal bars that I use to explore protocols and prototype tools. It is an intensely Unix-y answer to classic fuzzing tools like “Spike”, centering on a binary interactive netcat program.

My favourite part however was the Caveats section of the post:

Caveats: You aren’t going to be able to build this. I can build it clean under FreeBSD-CURRENT, Mac OS X, and OpenBSD. It has been built under Linux and Solaris in the past. If you make it work somewhere, post how you did it in a comment, and I’ll incorporate your fix.

I compiled this on SuSE Linux 10.1. Here's the process I took to install the software (commands are on the lines starting with $, everything else is output or what I did in the editor).

$ make
tsec.c: In function ‘main’:
tsec.c:44: error: too many arguments to function ‘setpgrp’
make: *** [tsec.o] Error
$ vi tsec.c
  (line 44: comment out  if(setpgrp(0, getpid()) == -1) {  and replace it with  if (setpgrp() == -1 ) {  then :wq)
$ make
  (successful build)
$ sudo make install
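A caveat on that edit, as an added note that is not part of blackbag: the error comes from tsec.c using the BSD two-argument setpgrp(pid, pgrp), which glibc does not have (Linux follows POSIX, where setpgrp() takes no arguments). Swapping in setpgrp() gets the Linux build going but would break it again on the FreeBSD and Mac OS X systems Thomas builds on. The portable way to say "make me the leader of my own process group" is setpgid(0, 0), which is what both spellings of line 44 mean. The example below is not blackbag's code; it wraps that call and handles the one case where it legitimately fails (a session leader cannot change its group, but it already has its own).

```c
/* Added example, not from blackbag: the portable replacement for both the
 * BSD setpgrp(0, getpid()) in tsec.c and the Linux-only setpgrp() fix. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Make the calling process the leader of its own process group.
 * Returns 0 on success, -1 (errno set) on failure. A session leader gets
 * EPERM from setpgid, but it already heads its own group, so that case
 * is treated as success rather than an error. */
int own_process_group(void)
{
    if (setpgid(0, 0) == 0)
        return 0;
    if (errno == EPERM && getpgrp() == getpid())
        return 0;
    return -1;
}

int main(void)
{
    if (own_process_group() == -1) {
        perror("setpgid");
        return 1;
    }
    printf("pid %ld leads process group %ld\n", (long)getpid(), (long)getpgrp());
    return 0;
}
```

Dropping that into tsec.c in place of line 44 builds unchanged on Linux, FreeBSD and OS X, which is what the Caveats section was asking for.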

I haven't had much of a chance yet to play with the software, however the small functions that are included I could see as being very useful.

Thomas followed the release up with a second posting regarding one of the tools from blackbag called sub. The article starts off with this great intro:

You’re starting on a new project, attacking a product with its own custom protocol. There’s a couple of things you’re going to do to get started, and then a few ways to go from there.

First, you’re going to set the product up and see it working in its natural habitat. Then, when you know it’s working, you’re going to repeat that step, this time with some form of traffic capture in place. (A year ago “capture” would have meant “sniffing” for me, but now it’s almost always a logging plugboard proxy. A good, easy-to-use [as in, no config files] proxy is one of the most valuable tools you can have).

Next, you’ll eyeball the captures to get an idea of how the protocol works. Your goal: break the TX stream up into individual messages, which you’ll later replay. You’ll do this in any of a number of ways, most of which involve a decent hex editor:

  • Looking for common Type/Length/Value patterns, such as big-endian 32 bit integers less than 65k that match up in the hex dump.
  • Looking for “signpost values”, byte sequences that occur at regular intervals, like “NTLMSSP” and “SMB” in the simplest cases.
  • Looking for ASCII strings and delimiters, like NUL characters, or prefixing length words.
  • Looking at the order in which traffic is sent, breaking up the stream at each place where the server responded.
  • Feeding bytes to the real server one-at-a-time until a response is forthcoming.

If you’re me, your aim is a directory full of little files, like “msg.0”, “msg.1”, etc, any of which you can cat onto the network and observe the results. Which is what you’re going to do next, to see if messages are simply replayable as-is.

This made me think of a python tool that I wrote that essentially acts like tcpreplay... that I may make available in the near future.  Now I don't want to paste all of Thomas' article.. (as I've already CnP'd a good chunk there)... but the rest covers the usage of the command, and how it can apply to fuzzing. I definitely suggest jumping over to the page and giving it a read..
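As an added example (not part of blackbag's sub, and not the python tool mentioned above), here is the first of Thomas' heuristics, the big-endian 32-bit length word, turned into a check you can run against a capture: assume every message is [len32][payload], accept the hypothesis only if it tiles the whole stream exactly with no length above 65535, then cut the stream into msg.0, msg.1, ... files that can be cat'd back at the server. The capture bytes and the LOGN/DATA/QUIT tags are constructed for the example and belong to no real protocol.

```c
/* Added example (not from blackbag): test the "big-endian 32-bit length
 * prefix" hypothesis against a captured client->server stream and, if it
 * holds, cut the stream into msg.N files for replay. The capture and its
 * 'LOGN'/'DATA'/'QUIT' tags are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSGS 64

struct msg { size_t off; size_t len; };   /* payload offset and length in the capture */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Try to tile buf[0..n) with [len32][payload] records. Lengths above 65535
 * (Thomas' "less than 65k") are taken as proof we are reading data, not a
 * length word. Returns the message count, or -1 if the hypothesis fails
 * anywhere before the end of the stream (or more than max messages). */
int split_length_prefixed(const unsigned char *buf, size_t n, struct msg *out, int max)
{
    size_t pos = 0;
    int count = 0;
    while (pos < n) {
        if (n - pos < 4 || count == max) return -1;
        uint32_t len = be32(buf + pos);
        if (len > 65535 || len > n - pos - 4) return -1;
        out[count].off = pos + 4;
        out[count].len = len;
        count++;
        pos += 4 + len;
    }
    return count;
}

/* Write each message, length word included so it replays as-is, to msg.N. */
int dump_messages(const unsigned char *buf, const struct msg *m, int count)
{
    for (int i = 0; i < count; i++) {
        char name[32];
        snprintf(name, sizeof name, "msg.%d", i);
        FILE *f = fopen(name, "wb");
        if (!f) return -1;
        fwrite(buf + m[i].off - 4, 1, m[i].len + 4, f);
        fclose(f);
    }
    return 0;
}

/* Constructed capture: three length-prefixed messages, 29 bytes in all. */
static const unsigned char CAPTURE[] = {
    0x00,0x00,0x00,0x08, 'L','O','G','N', 'b','o','b',0x00,
    0x00,0x00,0x00,0x05, 'D','A','T','A', 0x2A,
    0x00,0x00,0x00,0x04, 'Q','U','I','T'
};

/* Constructed counter-example: a 32-bit field that is not a length. The
 * check must reject it rather than "find" one giant message. */
static const unsigned char NOT_TLV[] = { 0xDE,0xAD,0xBE,0xEF, 'L','O','G','N' };

int main(void)
{
    struct msg m[MAX_MSGS];
    int count = split_length_prefixed(CAPTURE, sizeof CAPTURE, m, MAX_MSGS);
    if (count < 0) { fputs("not length-prefixed\n", stderr); return 1; }
    for (int i = 0; i < count; i++)
        printf("msg.%d: %zu-byte payload at offset %zu\n", i, m[i].len, m[i].off);
    return dump_messages(CAPTURE, m, count) == 0 ? 0 : 1;
}
```

If the hypothesis does not tile the capture the function returns -1 rather than a partial split, which is what you want: one stray value that happens to look like a length early in the stream would otherwise swallow the rest of it as a single message. The same loop with a 16-bit little-endian length, or with a fixed header size, covers the next two guesses before you fall back to the slower heuristics in Thomas' list.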

Peace,
HT

Categories: IT, Security, Tools Tags:

IT RSS Feeds

Over the weekend I started playing with RSS... It's been a while since I had my own RSS reader and decided I'd try one again... I decided that instead of a separate browser I wanted a Firefox plugin (I played with a number of Firefox plugins this weekend and I plan to review a number of them in the upcoming weeks). After playing with a couple of plugins, and some stand alone readers... I decided on NewsFox.

It is a little sluggish... and the occasional feed it hasn't been able to read properly... There's no "mark all as read", you have to perform the task per feed.. but overall it's pretty good. I've got about 80 feeds in it, it checks them every 30 minutes and notifies me of any changes... I've also installed it at work and transferred over the OPML file (attached below)...

I built a fairly complete list of IT Security / IT News feeds... I started with blogs / sites that I frequent and then added ones that were linked off those... The result is what's below. I'm calling it the Computer Defense RSS Compilation :) ... I'll be updating it as I update my own feed... and I'll also welcome input from anyone who feels they have input to add. The file was exported from NewsFox, so if you import it into any other reader the feeds will be added in a folder called NewsFox.

Let me know if you come across any additions.

Peace,
HT

IT RSS Feeds OPML

Categories: IT, News Tags:

Nameless, Faceless Corpor… Oh wait… maybe they do care.

I love hearing the phrase "Nameless, Faceless Corporations"... We could probably throw the word evil in there.... However... we always attach a name to them... Microsoft is evil, Google is Evil... I love the people that you catch saying these things... They're the same people that you catch saying "Bill Gates is Evil"... When you point out that Mr. Gates donates millions if not billions of dollars annually, they call it a tax write-off... He's not doing it because he cares...

Well now we've got another one for the skeptics, the "everyone who makes money is evil, we should all support only open source" crowd. This may be a shocker... but Google cares about the environment.. This shouldn't be much of a shocker though... because Google's founders have already invested in an electric sports car and solar panels. This time, however, the Googleplex itself is getting a bit of a makeover as Google plans to install solar panels on the roofs of several of the Googleplex buildings... They will generate enough electricity to power 1000 homes.... or cover about 30% of their electricity usage. This will be the largest corporate solar installation in the US and one of the largest in the world... Let's hope that other businesses will see the value in this (a one time expenditure vs monthly electricity payments) and follow suit.

Peace,
HT

Categories: News Tags: