
Archive for January, 2007

Today’s Tidbits.

Just a few things that caught my attention today..

We'll start with a post over at ha.ckers.org by RSnake on linking an emergency sequence to your account... It comes out of a (potential) myth that entering your PIN in reverse at an ATM will summon the police. It's an interesting idea. There are benefits to this everywhere... Passwords, PINs, Alarm Codes... Perhaps a push should be made to make it the new standard...

  • Your Bank Card is associated with two PINs... One that allows you to withdraw money and one that gives an insufficient funds message, locks the account and summons police to the ATM in question.
  • Your Alarm could have two codes.. One that disables/enables the system and one that sends a silent alarm to the alarm company signaling that you entered the code under duress.
  • Online banking could have two passwords for each account. The first password logs you in, the second locks the account and notifies the bank of possible fraudulent transactions.
  • Two passwords for your operating system, email, or anything else. One password logs you in, the other locks the account... recording the Terminal in use, the IP the connection came from or other information depending on the service in question. As RSnake mentions, you could write the "safe password" on a post-it... This could be your warning sign that someone has been casing your office looking for passwords.
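The two-password idea for an operating system or web login, worked through as an added example (this is not code from the original post or from RSnake's; the account store, the lock-and-audit behaviour and the sample credentials are all assumptions). The point it demonstrates is that the duress password must be handled exactly like a real one until the decision is made, so that neither timing nor the error shown to the user reveals which of the two was typed:

```python
"""Duress ("safe") password check: added example, not from the original post.
The Account store, lock/notify behaviour and sample credentials are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes          # hash of the real password
    duress_hash: bytes      # hash of the "safe" password written on the post-it
    locked: bool = False
    audit: list = field(default_factory=list)


def _h(salt: bytes, password: str) -> bytes:
    # PBKDF2 with the same cost for both passwords, so the duress one is no
    # weaker against offline guessing than the real one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(password: str, duress_password: str) -> Account:
    if password == duress_password:
        raise ValueError("duress password must differ from the real one")
    salt = os.urandom(16)
    return Account(salt, _h(salt, password), _h(salt, duress_password))


def login(acct: Account, password: str, terminal: str, src_ip: str) -> str:
    """Return 'ok', 'duress' or 'denied' to the caller.

    Both comparisons always run, so the time taken does not reveal which hash
    matched. The caller shows the user the same generic failure for 'duress'
    and 'denied'; only the audit trail records the difference.
    """
    cand = _h(acct.salt, password)
    is_real = hmac.compare_digest(cand, acct.pw_hash)
    is_duress = hmac.compare_digest(cand, acct.duress_hash)
    if acct.locked:
        acct.audit.append(("denied-locked", terminal, src_ip))
        return "denied"
    if is_duress:
        # Lock the account and record where the attempt came from, as the
        # post describes: terminal in use and source IP of the connection.
        acct.locked = True
        acct.audit.append(("duress", terminal, src_ip))
        return "duress"
    if is_real:
        acct.audit.append(("login", terminal, src_ip))
        return "ok"
    acct.audit.append(("bad-password", terminal, src_ip))
    return "denied"


if __name__ == "__main__":
    acct = create_account("correct horse", "post-it note")
    print(login(acct, "correct horse", "tty1", "10.0.0.5"))   # ok
    print(login(acct, "post-it note", "tty2", "192.0.2.9"))   # duress -> account locked
    print(login(acct, "correct horse", "tty1", "10.0.0.5"))   # denied (locked)
    print(acct.audit)
```

The design choice worth noting is that a duress login is indistinguishable from a failed login at the user interface; the value of the scheme comes entirely from the side effects (lock, audit record, notification), which is why those are recorded before anything is returned.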

Next up is an interesting little side note... Nokia's Website was defaced...

Up next we have Ubuntu install.exe. I was directed to this "feature" by an article on freesoftwaremagazine.com. The article has a lot of valid points... However I think the biggest point is made by the install.exe wiki entry... Reading through the write-up it feels like it's been written by kids... The members of the Linux community that give that very community a bad name. Comments, like the ones I'm going to list, keep me from ever using this in a production environment and stop me from even wanting to experiment with it on a test system.

Some of the Comments:

  • "The elimination of the need for partitioning, and thus the chance of data loss, will help ubuntu gain acceptance in the corporate world." -- It isn't the need for partitioning that keeps Ubuntu out of the corporate world... and anyone who would think such a thing has very little knowledge of the corporate world. Also, with today's tools... partitioning, or modifying existing partitions (which is what they are talking about), seldom leads to data loss.
  • "The elimination of the need for an installation CD will allow users without CD burners or spare CDs to try ubuntu, ease burdens on ShipIt, and allow installation on ultra-portable laptops with no CD drives." -- Didn't we already do this with Linux that boots off a USB thumbdrive?
  • From one of their use cases: "inexperienced Windows user who is tired of viruses and crashes" -- The viruses and crashes don't come from being a Windows user... they come from being inexperienced... This reads like the writing of a Linux Zealot.
  • From the same use case: "he downloads it, runs it, clicks "OK" through the installer" -- Should we really be recommending that people "Click OK through the installer"?
  • From another use case: "Peter is an amateur video editor who is interested in trying out ubuntu." -- Wouldn't a live CD be better than a prototype installer... After all a video editor is going to have a CD drive.

There are additional issues with the write-up that push me away from ever trying this software (at least until the Authors become more mature in their actions and write-ups)... but I think you get the idea.

Another short comment... Robert Scoble posted an interesting question on his blog... "Do A-list Bloggers have a responsibility to link to others?"... I'm definitely not an A-List blogger but I think all bloggers have a responsibility to link to others.... and I think linking to only the big blogs is a mistake... I'd like to think that the smaller, less popular blogs (like this one) have just as much to offer and sometimes interesting little tidbits of information are missed by avoiding these smaller blogs.

So today's write-up is short and sweet... I'm just going to take you back over to ha.ckers.org and another post that RSnake made today... For this one, I'll just say that I think it's a cool idea and I look forward to seeing the finished product. Now I'll quote part of RSnake's post:

Several months ago Syngress Publishing asked a few people to help contribute to a book on XSS. The contributing authors are Jeremiah Grossman, Anton Rager, Seth Fogie and yours truly. We are still several months away from completing the book, but we are well on our way. Sorry I didn’t tell you all earlier, but I was just finally allowed to start talking about it.

Categories: Daily Link List Tags:

Fake APs in Airports

The original articles on this referenced US Airports, however I'm guessing this problem plagues everyone.

I originally saw the report at heise Security, but they referenced a ComputerWorld article... yet they didn't link to it... A bit of quick searching on Google led me to the article in question.

Both articles make mention of the ease at which a malicious person can imitate a wireless access point. The process is actually quite simple.

  • Put a wireless card into ad-hoc mode.
  • Connect a second card to a legit AP.
  • Name the ad-hoc network "FreeWifi" or something similar (perhaps the name of a known Hotspot vendor).
  • Bridge the connection.

The malicious person can now sniff unencrypted traffic and use man-in-the-middle (MitM) attacks to sniff even your encrypted traffic. There are various warnings provided by these articles. Ensure that you aren't on an Ad-Hoc network. Don't accept SSL errors (Domain Name Mismatch, Unknown Certificate Authorities, etc)... IE7 has done a great job with this one... If you get a warning screen while using wireless in a public place... Don't proceed.. Firefox displays a pop-up box, making it much easier to simply click past without looking at what's happening. One problem I've noticed with Firefox 2.0 is that when you have a Domain Name Mismatch, the pop-up box actually says "This could be someone trying to fool you, however that is unlikely"... It's like they're saying "Ignore this error and click through".

This comes down to user education... We need to get this information to people in mass quantities... Unfortunately heise Security and ComputerWorld don't quite appeal to the masses that need this information. This is an article that needs to be picked up by a site like Security Fix.

Something we all need to keep in mind is that Ad-Hoc mode isn't always an identifier... Both articles I've quoted referenced it and I even used it in my description above, however there are Linux drivers that let a wireless card act as an access point in Infrastructure Mode, so a fake network won't necessarily show up as Ad-Hoc. Users need to pay attention and be careful and even then there may not be any great ways to tell if you're on a valid AP or not.
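As an added example of what "paying attention" can look like on a laptop before joining a network, here is a small review of `iwlist scan` output that flags the warning signs named above: cells in Ad-Hoc mode, open (unencrypted) networks, and one SSID being advertised by cells in different modes. It is not code from the original post or from either article, and the scan text is constructed for the example; as the paragraph above says, a fake AP running in Master mode passes the mode check, which is why the SSID conflict and the open-network flags are kept separate.

```python
"""Review a wireless scan for the warning signs described in the post.
Added example; the scan output below is constructed, not a real capture."""
import re
from collections import defaultdict

# Constructed `iwlist scan` output: two cells advertise "FreeWifi", one in
# Master mode (a real or Master-mode fake AP) and one in Ad-Hoc mode.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: AA:AA:AA:AA:AA:01
                    ESSID:"FreeWifi"
                    Mode:Master
                    Encryption key:off
          Cell 02 - Address: BB:BB:BB:BB:BB:02
                    ESSID:"FreeWifi"
                    Mode:Ad-Hoc
                    Encryption key:off
          Cell 03 - Address: CC:CC:CC:CC:CC:03
                    ESSID:"CorpNet"
                    Mode:Master
                    Encryption key:on
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
FIELD_RES = {
    "essid": re.compile(r'ESSID:"([^"]*)"'),
    "mode": re.compile(r"Mode:(\S+)"),
    "encrypted": re.compile(r"Encryption key:(on|off)"),
}


def parse_iwlist(text):
    """Split iwlist output into one dict per cell (address, essid, mode, encrypted)."""
    parts = CELL_RE.split(text)          # [prefix, addr1, body1, addr2, body2, ...]
    cells = []
    for addr, body in zip(parts[1::2], parts[2::2]):
        cell = {"address": addr.upper()}
        for name, rx in FIELD_RES.items():
            m = rx.search(body)
            cell[name] = m.group(1) if m else None
        cell["encrypted"] = cell["encrypted"] == "on"
        cells.append(cell)
    return cells


def assess(cells):
    """Map each BSSID to a list of reasons it deserves a second look.

    An empty list means none of the checks fired; it does not prove the AP
    is genuine, since a fake AP in Master mode looks like any other.
    """
    modes_by_essid = defaultdict(set)
    for c in cells:
        modes_by_essid[c["essid"]].add(c["mode"])

    findings = {}
    for c in cells:
        reasons = []
        if c["mode"] == "Ad-Hoc":
            reasons.append("ad-hoc")                 # the articles' main warning
        if not c["encrypted"]:
            reasons.append("open")                   # traffic can be sniffed
        if len(modes_by_essid[c["essid"]]) > 1:
            reasons.append("ssid-mode-conflict")     # same name, different modes
        findings[c["address"]] = reasons
    return findings


if __name__ == "__main__":
    for addr, reasons in assess(parse_iwlist(SAMPLE_SCAN)).items():
        print(addr, reasons or "nothing flagged")
```

On a real machine the input would come from `iwlist wlan0 scan` (or the equivalent for your driver); the parser only needs the Cell, ESSID, Mode and Encryption lines, which that tool prints in the layout shown.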

Categories: IT, Security Tags:

Microsoft Updates Intro to IPv6 Document

Back in 2003 Microsoft published a document entitled "Introduction to IPv6"... They have now updated the document again... and it popped up on my radar. I decided to check it out and I'm reasonably impressed.. If you have the time, it's definitely worth the read.

Categories: IT Tags:

Charter Communications Hijacks Microsoft Live Search

I was browsing AntiOnline earlier today, a forum that I frequent and there was a post from another member regarding Charter Communications. It seems that his ISP (Charter Communications) has been redirecting search queries to Microsoft Live Search to their own search engine... which is conveniently powered by Yahoo. The AO member who ran into this problem is Tony Bradley from About.com and he's posted a full article on this phenomenon on his About.com Page.

Tony questions the legality of Charter's actions... and while I definitely don't agree with them... I don't think they're necessarily illegal... Tony considers it browser hijacking, which is his basis for the legality/ethics issues... However when the term "browser hijacking" comes to mind, I think BHOs and changes to software on the system... and as he says in his article, nothing of Charter's has been installed on his PC... This makes me think that they are changing the DNS entry (although I don't know what his Charter DNS servers are... I attempted to contact him but he was unavailable at the time)... The issue with that is that their "Opt-Out" process places a cookie on your computer and should you delete that cookie you'll no longer be "Opted-Out".

So here's my assumption of the process (and if anyone has Charter DNS servers and is experiencing this, I'd love to have the IPs of those servers passed my way)...

  • User attempts to search with Microsoft Live Search
  • Charter's DNS responds to the live.com query with a Charter IP
  • The web server records the query and checks for the cookie.
  • If the cookie exists it issues a redirect to the actual MS Live Search; If it doesn't exist it sends you to Charter Search powered by Yahoo!.

Interestingly enough, I managed to visit the opt-out page that Tony provided... It sets a cookie named choice with no contents... The cookie expires in 2 months.

I think this is an interesting concept... especially if it is the DNS server issue... ISPs own the DNS server, who says they can't provide their own responses... Symantec pays them to point McAfee.com to their own web server... SuSE pays them to point RedHat.com at their web server... At that point whose DNS server do you trust... and if this starts to happen is there legal protection for the end user? Or will we all end up going to OpenDNS?

[UPDATE] After speaking with Tony I learned two things... a) Outsiders can't use Charter DNS servers (my queries for live.com and www.live.com were REFUSED) b) That live.com and www.live.com resolve properly for Charter customers... Which throws away my DNS theory... Time for a new one... Some sort of proxy perhaps? 
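The check that settles the DNS theory, the one I did by hand above (query the ISP's resolvers and an outside resolver for the same name and compare), as an added example. This is not code from the post or from Charter; the resolver answers are constructed, `None` stands in for a REFUSED response, and the ISP netblock is a documentation-range placeholder. Answers that agree across resolvers mean the redirection is not happening at DNS; an answer that diverges and lands inside the ISP's own address space is the signature the theory predicted.

```python
"""Compare a hostname's answers across resolvers. Added example, not from the
original post; the answers and the ISP netblock below are constructed."""
import ipaddress
from collections import Counter

# Constructed answers for one hostname. None models a REFUSED response,
# which is what outside queries to the ISP's servers returned in the update.
SAMPLE_ANSWERS = {
    "isp-resolver-1": {"203.0.113.40"},                      # hypothetical ISP address
    "isp-resolver-2": None,                                  # REFUSED
    "opendns":        {"198.51.100.10", "198.51.100.11"},
    "other-isp":      {"198.51.100.10", "198.51.100.11"},
}
# Hypothetical netblock belonging to the ISP (placeholder, not a real allocation).
ISP_NETBLOCKS = ["203.0.113.0/24"]


def consensus(answers):
    """The IP set returned by the largest number of resolvers that answered."""
    tally = Counter(frozenset(ips) for ips in answers.values() if ips is not None)
    if not tally:
        return frozenset()
    return max(tally, key=tally.get)


def in_isp_space(ip, netblocks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in netblocks)


def classify(answers, netblocks):
    """Label each resolver: refused, consensus, diverges, or diverges-into-isp-space."""
    base = consensus(answers)
    result = {}
    for name, ips in answers.items():
        if ips is None:
            result[name] = "refused"
        elif frozenset(ips) == base:
            result[name] = "consensus"
        elif any(in_isp_space(ip, netblocks) for ip in ips):
            # The answer points at the ISP's own servers: the DNS-redirect signature.
            result[name] = "diverges-into-isp-space"
        else:
            result[name] = "diverges"
    return result


if __name__ == "__main__":
    for resolver, verdict in classify(SAMPLE_ANSWERS, ISP_NETBLOCKS).items():
        print(f"{resolver:15s} {verdict}")
```

To run it against live resolvers you would fill `SAMPLE_ANSWERS` from `dig @resolver live.com` (or nslookup) and `ISP_NETBLOCKS` from the ISP's WHOIS allocations; the classification logic is the same. A tie in `consensus` is resolved in favour of the set seen first, so query at least two independent outside resolvers.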

Categories: IT Tags:

Virtual Firewalls (and other network devices)?

There's a very interesting article over at Replicate Technologies (which I found via the VMTN Blog) on using Virtual Machines to replace your network devices... (Firewalls, VPN Concentrators, Load Balancers, Email Filters, etc) and I think it makes a lot of sense... Why buy a new box to handle your email filtering when you can hop over to the Virtual Appliance Marketplace and download a system to do it for you... Why stick a firewall in front of a machine when you could drop a VM Firewall on it and use some fancy networking-fu to firewall the box... This eliminates the need for additional devices clogging up your data center... and for a small business lets you have maybe two servers instead of servers and additional devices...

Here's an example of its use... I know of a company (15-20 employees) with a Windows 2000 Small Business Server... SBS is the worst design ever... Exchange on your DC, which means your DC is on the internet. Everyone knows that there are security risks associated with these... and the company didn't want to put out the money for a second full server... They also had spam issues (which they paid a hefty Trend Micro licensing fee to deal with)... Being a small business, they could have dropped the Trend Micro licensing and purchased another 512MB-1GB of RAM and implemented the Email Security Virtual Appliance. The ESVA could have been live on the internet, the DC would be behind another machine, and they wouldn't have had to buy a new server...

The future of Virtualization is a hot subject right now (See here and here)... and I'm glad to see it's not being easily dismissed.

Categories: IT Tags:

Daily Link List

I know I throw these up every now and then.. They're my way of sharing short blurbs without long blog posts... I've got a few things I want to mention (actually quite a few) so... on with the show.

The first isn't really a list... It's some interesting spam that I received today in the comments of a post...

Author : Spam Bot (IP: 128.61.82.147 , r82h147.res.gatech.edu)
E-mail : spamtester@gmail.com
URI :
Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=128.61.82.147
Comment:
Please forgive this post, it is simply a test to see if your site is spamable. Code: XXXXXXXX

I've X'd out the code in case the bot is going to return to confirm its existence. Nothing to comment, except that if someone is actually testing for research's sake, they should provide a link to explain themselves... if it's a spammer.. why not just spam like all the other spammers.. why test first..

Now... On with the links.

The first link belongs to a blog post by a good friend of mine, J_K9. It's a decent write-up introducing Metisse, which is "not just another 3D Desktop"... The description of it proves interesting... and the videos are definitely worth watching.

Next we've got the link that everyone and their brother has blogged about already, which is why I'm not dedicating a full post to it... most people have already read about it... Basically... GoDaddy is run by sniveling cowards. They also don't respect their customers... it makes me glad that they aren't my registrar.

Bill, from Bits from Bill, questions what defines a vulnerability. I enjoyed reading the post but ultimately I have to disagree with him... He looks at things like the new Microsoft Word 2000 "0-Day" Vulnerability. By Bill's definition these are flaws... His reasoning: First he defines vulnerable (Vulnerable – “open to assault; difficult to defend; capable of being wounded or hurt”), then he blames user interaction... To me, user interaction still leaves you "open to assault"... Let's look at this from another angle. Let's say the foundation of your house has a crack in it... You might say you have a flaw in your foundation... I might say that your foundation is vulnerable to earthquakes... These are both true statements.. If a flaw can make you vulnerable... then a flaw is a vulnerability. In fact, "define: Vulnerability" in Google returns this definition: "A flaw or weakness in system security procedures, design or implementation that could be exercised (accidentally triggered or intentionally exploited) and result in a harm to an IT system or activity"

Up next is a post from Matt Blaze's Exhaustive Search. He's asking that security researchers and crypt-analysts stop using terms such as "breaking into" and "cracking" because of the negative connotations that they have. I like the idea... so now the question is... Can we find new terms that we can all agree on?

I guess my quick list of short posts is turning into something rather long... but I swear I'm almost half done.

One of the things I've done with my blog is join the Security Bloggers Network... which provides a nice RSS feed with several blogs all rolled into one. One of the blogs belongs to the "founder" of SBN, Alan Shimel, who has a... well... interesting blog. I'm quite often surprised, shocked and sometimes left shaking my head at posts that he writes (I've never met him, so I don't know if he's gutsy or stupid :) (although I'm going with gutsy))... but sometimes they inform me of something I didn't know. Today I thought I'd been informed of something I wasn't aware of... a secret meeting on security being held by Microsoft. Then Matasano cleared things up for me. The meeting has an agenda online (complete with information on who could register and how to register)... Then I remembered why it seemed so familiar... there'd been an email to one of the mailing lists inviting ISOI attendees to dinner and drinks (membership to the mailing list is required).

Item 1 Million on today's daily link list: A new version of honeytrap has been released.  That was so short that I'm going to stick a second link in the same paragraph: An article claiming that 25% of computers on the internet are involved in botnets.

Another interesting tidbit was an article on Emergent Chaos regarding the Three Types of Authentication. The linked article (and driver for the post) is definitely worth the read.

One more site that will only get a brief mention.... Security Bullshit... weekly cartoons based around the security industry... So far there are 4 and they are all worth a laugh.

Lastly (I think), we have a small write-up by Anton Chuvakin on the ROI on Getting your Ass Whooped. It was inspired by another blog post, one with non-humourous content, but even without reading it, you're sure to get a kick out of Anton's post.

Categories: Daily Link List Tags:

Komodo 4 Released

The latest version of ActiveState's Komodo IDE has been released. While this may not be interesting enough news on its own for some people, the exciting part is that they've released a free version called Komodo Edit (currently a beta). The software is available for Windows, Linux and OS X (both x86 and PPC).

The write-up on Komodo 4 from ActiveState's website:

Komodo IDE 4.0 is the first unified workspace for end-to-end development of dynamic web applications. A rich feature set for client-side Ajax languages such as CSS, HTML, JavaScript and XML, coupled with advanced support for dynamic languages such as Perl, PHP, Python, Ruby and Tcl, enables developers to quickly and easily create robust web apps.

Award-winning features include comprehensive editing and debugging, plus intelligent tools for regular expressions, team development, customization and unparalleled extensibility. The result is a powerful coding environment for framework stacks like Ruby on Rails and CakePHP and client libraries such as the Yahoo! UI Library and Dojo. A single license covers you across Linux, Mac OS X and Windows.

Categories: IT, Tools Tags:

Company B is better than Company A, Claims Company B

One thing that I've always had issues with is companies that charge for Anti-Spyware, Anti-Virus, Anti-Malware... whatever you'd like to call it... I spent two years performing support at a college student support desk... In those two years I had plenty of options to recommend to students... but it always came back to the same options... Ad Aware SE Personal Edition and Spybot S&D for Anti-Spyware/Anti-Adware protection... For Anti-Virus it was always Grisoft AVG and avast! Home Edition.. These are great products that are all provided free of charge. We had licenses for students for CA's eTrust AV but who wants to recommend that garbage to anyone. Then you had the students that would come in with Norton or McAfee, step 1 with them was to move them to an AV Vendor that wasn't a resource hog.

One thing I've found about the "Paid Personal Security Solutions" (or PPSS for short) market is that it's a very juvenile crowd. This crowd includes AV Vendors, Anti-Malware Vendors and Personal Firewall Vendors... It will never cease to amaze me, the games that they'll play just to get their name in the headlines.

These companies make their money because Microsoft's products have flaws and people are stupid... those are really the only two reasons... Yet these companies call for a) Microsoft to increase security and b) End user education.. I agree with both of those points, but I don't make a living selling end users PPSSs. These companies call for Microsoft to increase its security spending and improve the security of its operating systems... This seems like they'd be shooting themselves in the foot... but they are getting press... and that's the important thing.

So Microsoft responds... They provide Windows Firewall and Microsoft Anti-Spyware... What do the PPSSs do... they cry that these products are useless. More press coverage. So Microsoft responds by improving the Windows Firewall in Vista and improving Windows Defender (Previously Microsoft Anti-Spyware). Now these PPSSs nitpick and point out minor problems, while avoiding the flaws in their own software... They provide their own "market research" that's so heavy with bias you can feel it without reading their "research". I had blogged previously on Agnitum doing this with the Windows Firewall in an attempt to pump up the publicity for their Outpost firewall.

The newest offender in this group is Webroot... who attacks Windows Defender for failing Webroot's in-house testing... They mentioned that they used "Trojan horses, adware, key loggers, system monitors, and other unwanted programs, all of which were gathered from in-the-wild threats". They don't provide this list of malware... who's to say the Trojans wouldn't be considered viruses (thus not falling in the realm of Windows Defender) and who defines what they consider "in-the-wild" threats. Perhaps Webroot should publish a complete list of the malware used in their testing and indicate which software found which malware. The next issue I have is that Webroot boasts 100% detection of the threats... This is pure marketing... If they have the malware in their lab... of course they'll find all of it... A real test would be to provide the software, and the samples they used, to an independent third party... That person could then gather additional malware on their own and provide a true test of the software.

They also attacked the Windows Defender update cycle, stating "Microsoft currently issues spyware definition updates every seven to 10 days, he says. Webroot, meanwhile, identifies approximately 3,000 new traces of spyware every month. "Users can't wait for a week or so to have their anti-spyware signatures updated," says Eschelbeck."  I was curious about this so I pulled up Windows Updates and the update history page. This page lists checks for new definitions practically every day... and for the month of January, so far, updates have been provided on Jan. 2nd, 5th, 13th, 16th, 19th, 24th, and 25th... That's definitely more than the 3-4 times a month that Webroot has suggested... and there's still room for one or two more this month. Yet Eschelbeck never actually tells us how many times per month Webroot puts out updates.

I'd like to hope that these companies, Agnitum, Webroot and any others that were considering this "silly and childish" path will realize that they are only hurting the public. These marketing gimmicks are just that... flaky attempts to drive sales... As a potential customer to these companies, I find it insulting that they are willing to sink so low... and Webroot has joined Agnitum on my "Companies I'll Never Purchase From" list. We don't see C-level employees of companies like Ford and GM standing up and saying "Don't buy their cars... they only visually inspect 1 in every 10,000 cars, we inspect 1 in every 1000"... IT companies are slowly growing up and coming into the world in a lot of cases... So at a time when the public expects something "real" out of them... why resort to school yard tactics and lowball antics.

Right now there's only one word to describe Webroot's tactics... pathetic. If I really wanted to I could take useless shots at them.. "How long did it take their marketing department to come up with that slogan... I'm pretty sure we've all seen it before... all we have to do is swap experts with pediatricians and millions with moms"... but why would I want to do that, I'd be no better than they are.

Categories: IT Tags:

PuTTY 0.59 Released!

This is big news... It's been a little over 1 year and 10 months since PuTTY 0.58 was released...

PuTTY is available for download for Windows and *nix.
Here's the Change Log for PuTTY 0.59:

  • PuTTY can now connect to local serial ports as well as making network connections.
  • Windows PuTTY now supports "local proxying", where a network connection is replaced by a local command. (Unix PuTTY has supported this since it was first released in 0.54.) Also, Plink has gained a "-nc" mode where the primary channel is replaced by an SSH tunnel, which makes it particularly useful as the local command to run.
  • Improved speed of SSH on Windows (particularly SSH-2 key exchange and public-key authentication).
  • Improved SFTP throughput.
  • Various cryptographic improvements in SSH-2, including SDCTR cipher modes, a workaround for a weakness in CBC cipher modes, and Diffie-Hellman group exchange with SHA-256.
  • Support for the Arcfour cipher in SSH-2.
  • Support for sending terminal modes in SSH.
  • When Pageant is running and an SSH key is specified in the configuration, PuTTY will now only try Pageant authentication with that key. This gets round a problem where some servers would only allow a limited number of keys to be offered before disconnecting.
  • Support for SSH-2 password expiry mechanisms, and various other improvements and bugfixes in authentication.
  • A change to the SSH-2 password camouflage mechanism in 0.58 upset some Cisco servers, so we have reverted to the old method.
  • The Windows version now comes with documentation in HTML Help format. (Windows Vista does not support the older WinHelp format. However, we still provide documentation in that format, since Win95 does not support HTML Help.)
  • On Windows, when pasting as RTF, attributes of the selection such as colours and formatting are also pasted.
  • Ability to configure font quality on Windows (including antialiasing and ClearType).
  • The terminal is now restored to a sensible state when reusing a window to restart a session.
  • We now support an escape sequence invented by xterm which lets the server clear the scrollback (CSI 3 J). This is useful for applications such as terminal locking programs.
  • Improvements to the Unix port:
    • now compiles cleanly with GCC 4
    • now has a configure script, and should be portable to more platforms
  • Bug fix: 0.58 utterly failed to run on some installations of Windows XP.
  • Bug fix: PSCP and PSFTP now support large files (greater than 4 gigabytes), provided the underlying operating system does too.
  • Bug fix: PSFTP (and PSCP) sometimes ran slowly and consumed lots of CPU when started directly from Windows Explorer.
  • Bug fix: font linking (the automatic use of other fonts on the system to provide Unicode characters not present in the selected one) should now work again on Windows, after being broken in 0.58. (However, it unfortunately still won't work for Arabic and other right-to-left text.)
  • Bug fix: if the remote server saturated PuTTY with data, PuTTY could become unresponsive.
  • Bug fix: certain large clipboard operations could cause PuTTY to crash.
  • Bug fix: SSH-1 connections tended to crash, particularly when using port forwarding.
  • Bug fix: SSH Tectia Server would reject SSH-2 tunnels from PuTTY due to a malformed request.
  • Bug fix: SSH-2 login banner messages were being dropped silently under some circumstances.
  • Bug fix: the cursor could end up in the wrong place when a server-side application used the alternate screen.
  • Bug fix: on Windows, PuTTY now tries harder to find a suitable place to store its random seed file PUTTY.RND (previously it was tending to end up in C:\ or C:\WINDOWS).
  • Bug fix: IPv6 should now work on Windows Vista.
  • Numerous other bugfixes, as usual.

Categories: IT, Tools Tags:

SysInternals Suite Released

Microsoft has released a suite of the SysInternals tools, allowing for a single download instead of downloading each file individually. The following files are included:

Executables Provided:

  • AccessEnum.exe
  • Autologon.exe
  • Bginfo.exe
  • Cacheset.exe
  • Clockres.exe
  • Contig.exe
  • Dbgview.exe
  • DiskView.exe
  • Diskmnt.exe
  • Diskmon.exe
  • Filemon.exe
  • Listdlls.exe
  • LoadOrd.exe
  • PHYSMEM.EXE
  • ProcFeatures.exe
  • Procmon.exe
  • Psinfo.exe
  • RegDelNull.exe
  • Reghide.exe
  • Regmon.exe
  • RootkitRevealer.exe
  • ShareEnum.exe
  • Tcpview.exe
  • Volumeid.exe
  • Winobj.exe
  • ZoomIt.exe
  • accesschk.exe
  • adrestore.exe
  • autoruns.exe
  • autorunsc.exe
  • ctrl2cap.exe
  • diskext.exe
  • du.exe
  • efsdump.exe
  • handle.exe
  • hex2dec.exe
  • junction.exe
  • ldmdump.exe
  • livekd.exe
  • logonsessions.exe
  • movefile.exe
  • newsid.exe
  • ntfsinfo.exe
  • pagedfrg.exe
  • pendmoves.exe
  • pipelist.exe
  • portmon.exe
  • procexp.exe
  • psexec.exe
  • psfile.exe
  • psgetsid.exe
  • pskill.exe
  • pslist.exe
  • psloggedon.exe
  • psloglist.exe
  • pspasswd.exe
  • psservice.exe
  • psshutdown.exe
  • pssuspend.exe
  • regjump.exe
  • sdelete.exe
  • sigcheck.exe
  • streams.exe
  • strings.exe
  • sync.exe
  • tcpvcon.exe
  • whois.exe

Categories: IT, Tools Tags: