03.27.07

Metasploit 3.0 Officially Released Today

Posted in Exploits, IT, Security, Tools at 3:05 pm by Tyler Reguly

From the Metasploit Homepage:

March 27th, 2007 -- Metasploit is pleased to announce the immediate,
free availability of the Metasploit Framework version 3.0 from
http://framework.metasploit.com/.
The Metasploit Framework ("Metasploit") is a development platform for
creating security tools and exploits. Version 3.0 contains 177
exploits, 104 payloads, 17 encoders, and 3 nop modules. Additionally,
30 auxiliary modules are included that perform a wide range of tasks,
including host discovery, protocol fuzzing, and denial of service testing. 

The full Release Notes can be found via the download page, which also contains download links for both a tarball and a Windows executable.

03.26.07

SSL == Useless

Posted in IT, Security at 2:25 pm by Tyler Reguly

Pete Lindstrom posted over on the Spire Security Viewpoint asking, and answering, the question "Has SSL Outlived it's Usefulness". He made the following four statements:

1) Users read way too much into its functional value.

2) The threat model for sensitive Web data has never been one of sniffing traffic. There are still way too many accessible websites for this to be the case.

3) If you are going to compromise some device, you might as well compromise the host and not some intermediate device.

4) The bad guys are now leveraging SSL more and more to shield their activities from good guy sniffers.

This was responded to by Dave G. on the Matasano Blog.

I actually find it to be an interesting topic... Right off the bat one could point out that SSL has evolved, becoming Extended Validation SSL, which is quite useful as phishing protection.

I would also respond to Pete's initial four points:

  1. SSL is advertised as some end-all-security solution in a lot of cases... This isn't SSL's fault, plenty of security solutions are advertised this way and accepted as operating this way... The truth is that a multi-tiered approach is the only way security will work. SSL is one of those tiers.
  2. I think the problem is the assumption that we're talking about only the Internet here... As far as I'm concerned SSL is much more useful in intranet type settings. A college residence, a public hotspot, a large conference where they display usernames and passwords on an updating board. This is where SSL really shines in my opinion.
  3. So you trust the ISP and every hop between yourself and the website you're accessing? I find that to be a lot to ask... Also.. an attacker might not have access to the client or server... Accessing an Internet facing gateway might be a much more viable option.
  4. If you have a company with this problem, there are ways to defend against that. You essentially turn your IDS into an SSL MITM box. I'm sure there are plenty of corporate solutions that I'm not aware of but DeleGate is one example of software that will allow you to set up an HTTPS - HTTP - HTTPS proxy, allowing you to sniff during that HTTP step.

In the end I would argue that:

  1. SSL has always been useful
  2. SSL has definitely not outlived its usefulness.

Pete finished off his post by saying, "Sure, it is needed nowadays for basic authentication protection, but we really shouldn't be using userid/password pairs in clear text anyway." This is a topic that has always interested me... A lot of people say, "You shouldn't send your plain text username and password." They then turn around and create a hash which they pass to the web server. That hash, if sniffed, can be replayed to the server and used for authentication. This is a common flaw that exists in a lot of the development I see from web developers. Sure there are better ways to do it, and a lot of people implement them, but many people don't. So stating that you "shouldn't be using userid/password pairs in clear text anyway" isn't enough... this makes people assume that a simple hash of the password is safe... and it isn't.
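To make the replay point concrete, here is an added example (not code from the original post): a login that accepts a static hash of the password next to one that answers a per-attempt server nonce. The class names, the user and the password are constructed for illustration, and the challenge-response scheme is only one of the "better ways" the post alludes to.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    # Plain SHA-256 keeps the example short; a real system would use a slow,
    # salted KDF. The replay problem shown below is the same either way.
    return hashlib.sha256(password.encode()).digest()


class StaticHashLogin:
    """The flawed scheme: the client sends H(password) instead of the password."""

    def __init__(self, users):
        self._db = {u: password_hash(p) for u, p in users.items()}

    def login(self, user: str, sent: bytes) -> bool:
        stored = self._db.get(user)
        # The hash is the only thing checked, so the hash *is* the credential.
        return stored is not None and hmac.compare_digest(stored, sent)


class ChallengeLogin:
    """One alternative: the server issues a fresh nonce for every attempt."""

    def __init__(self, users):
        # Caveat: this stored value is still password-equivalent if the
        # database is read; the scheme only addresses replay from the wire.
        self._db = {u: password_hash(p) for u, p in users.items()}
        self._pending = {}

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def login(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)  # each nonce is valid once
        stored = self._db.get(user)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    # What the client computes from the password and the server's nonce.
    return hmac.new(password_hash(password), nonce, hashlib.sha256).digest()


def run_demo() -> dict:
    users = {"alice": "correct horse battery"}  # constructed sample account

    # Static hash: the value seen on the wire works again, unchanged.
    static = StaticHashLogin(users)
    on_the_wire = password_hash("correct horse battery")
    static_first = static.login("alice", on_the_wire)
    static_replay = static.login("alice", on_the_wire)

    # Challenge-response: the recorded answer is bound to a spent nonce.
    chal = ChallengeLogin(users)
    nonce = chal.challenge("alice")
    recorded = client_response("correct horse battery", nonce)
    chal_first = chal.login("alice", recorded)
    chal.challenge("alice")  # a later attempt gets a new nonce
    chal_replay = chal.login("alice", recorded)

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "challenge_first": chal_first,
        "challenge_replay": chal_replay,
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Neither variant protects the session that follows the login, which is sent in the clear unless the connection itself is encrypted.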

But I’m a hobbyist…

Posted in Personal at 2:52 am by Tyler Reguly

The most popular post I've made, has been my mention of Windows XP Black Edition. While nobody was really in favour of my idea, I'm pretty sure it was popular because people were hoping to find a download link... and found me via Google, where I'm currently the #1 result for the search Windows XP Black Edition.

Discussions following that post often lead to statements along the lines of, "I shouldn't have to pay that much, I don't need the software... I want to use it because I'm a hobbyist." Now I've thought long and hard about this and almost posted a comment in the WinXP Black Edition post... instead I felt it would make an interesting topic of conversation.

So let's start with my blanket statement.... My hypothesis if this were scientific in any way... instead it's just my opinions. "Computer Hobbyists believe that a hobby shouldn't cost them anything."

While looking for links to back that statement up, I found this interesting comment. It's a very similar argument to the statement above. It all comes down to, "Why should we have to spend a bunch of money?!?" I find this mentality rather amusing. There's an interesting blog post although quite old now, on the subject that I also found and one of the comments caught my attention. I've heard this argument made before as well. "Teenagers pirate software and learn it. As adults they now tell their employers to purchase that software because they are already familiar with it." I even had a prof that supported that, he once made the comment, "Obtain the software, feel free to download it... I believe that you should be allowed to pirate software until you graduate" (paraphrased of course).

These are arguments that people make all the time and I dislike them... I think they're sad arguments. They remind me of a cartoon that my fiance's mother sent her.

Tuition Prices

We're arguing that it's OK for students to pirate software but they can afford to spend money on all these other luxuries. Will I admit that having access to a large amount of software is beneficial... definitely. Yet I don't think piracy is an option. When planning your future, look into what the school offers. I was lucky... my school offered MSDN AA... I know of other schools that did as well. Now I heard the statement, "This makes sense for Microsoft to offer this for such a low price, the students will be familiar with Microsoft products when they graduate". This was very true. A teenager interested in experimenting with various types of software can just ensure that the place where they will pursue "higher education" offers these programs.

Now back to the argument that you shouldn't have to pay ridiculous prices for software because you're a hobbyist. Let's forget the aspect of youth doing this... and let's look at everyone else. Now I have hobbies... I have several hobbies and they all cost me money.

  • Computers -- Last week I spent $100 on network cables, a keyboard, usb keypad, etc... toys that I wanted to play with. In our 600sq ft. apartment we have 5 computers, 3 printers, 2 routers, 2 switches, 3 DVD Burners and a crapload of toys and junk... I buy it or barter for it... I don't walk into Best Buy and steal a joystick because computers are my hobby and I shouldn't have to pay for my hobby.
  • Music -- The fiance just made a mental note to purchase the new Linkin Park CD... I know I'm talking about software piracy here, but this fits. We've spent thousands of dollars on our music interests, including guitars, a piano, drums, a flute, a karaoke machine and at least $500 worth of music books. We didn't walk into the store and pick up the guitar and leave because it was our hobby and we shouldn't have to pay for it.
  • Reading -- The ultimate form of relaxation. This month we've spent just under $300 on books... Excessive? Maybe, but I'm almost out of books to read again, so I'll buy more... I could go online and find pirated ebooks but it's not the same as having the real thing. Maybe I should go to Chapters and just pick out the books I want and leave with them.
  • Movies -- Another big one for us... We rent $60-70 worth of movies each month and I've been to the theater 4 times this month. We also purchase regularly (I've lost count of the number of titles we have)... This is topped off with multiple DVD players, DVD Recorders, DVRs, VCRs... Guess what... I paid for all of it. Video Games could also go here... over 100 titles, bought and paid for... 5 Different consoles.
  • Swords -- My last sword cost me $150. My collection in total has cost me, so far, about $1500.

These are my hobbies... I spend money on any one of them at any given time, if I don't have the money I save up because it's something I want. I've got a shopping list of books and next time I've got extra money, I'll be at Chapters picking up the books on the top of the list. I pay to enjoy my hobbies... If experimenting with software is your hobby you should be willing to pay for it. My friend's hobby is cars... does that give him the right to go out and steal a car? Maybe he should steal your car... because maybe you've stolen his software.

A lot of people make the argument that software (or movies or music) are already paid for by the time they steal them... so they aren't really costing the company anything. These people are making the assumption that the software has already been paid off... The company invests the money up front to see the software through production... relying on making the money back when the software hits the shelves. If the software is pirated by everyone, the company doesn't make the money back. Everyone else has probably paid for the Author's commission on the books I want to read, so it's the same thing... but I bet the same people that pirate software would tell me that stealing a book from Chapters is wrong. Morals seem to disappear when we enter the electronic world...

I think it would be interesting to see how these pirates that feel stealing software because they are hobbyists or because they feel it's too expensive (and I'm not talking about mass piracy... I'm talking about individual piracy)... It'd be interesting to take these individuals and at the end of the week have their employer not pay them. After all, the employers already got the work out of the employee... Why should they bother paying them?
That would be stupid though... the employee wouldn't come back... Software is the same way... steal the software long enough and the company producing the software won't be back. Sure mass piracy is an issue... but Why? Because individuals buy this software... People always say, "But I'm not the problem, it's the guy that produces 5000 copies and sells them that's the problem." Guess what... That guy is selling them to people just like you... They are paying for what you download yourself for free... both are just as wrong. If nobody bought from the guy that's mass producing the pirated software... he'd have no reason to pirate it... He's doing it for individuals... just as you are doing it for yourself. Neither of you has any more right to it than the other and neither of you are any less guilty.

If you happen to own a business and take part in software piracy, please leave me a note in the comments with your business name... I'd love to stop by and help myself to some of your products. You don't seem to have a problem when you do it to software companies, so let's see what happens when someone does it to you.

My New Phone - UT Starcom 6700

Posted in Personal at 12:07 am by Tyler Reguly

Welcome to a story of delays, frustration and amazing customer service, as I tell you the story of my new phone :)

So last weekend I went to see 300... It was pretty good... We left and walked a bit and the person I saw the film with caught  a streetcar... I turned the corner to continue walking and there was a Telus Store... Now Telus is my cell phone provider.. has been for just over 2 years (Since December 2004). My old phone was a classic flip phone (Samsung A670) and I had no intention of getting rid of it.

So I stopped by the Telus store with one thing on my mind, changing my phone number to a Toronto number. I've been here 13 months and still had a London, ON (519 area code) number. I figured I'd change my fiance's number at the same time, we'd bought our phones together, so we had almost consecutive numbers and this time I figured I'd try for consecutive numbers. I was successful... and without my fiance's presence managed to perform the following:

  • Change my phone number (shouldn't have needed her)
  • Change her phone number (probably should have needed her)
  • Changed our billing addresses (probably should have needed her)
  • Changed both phone plans (probably should have needed her)
  • Moved her phone over to my account and canceled her account (definitely should have needed her)

Anyways, at the very least, they let me call her (although I could have called anyone, since they didn't call a number associated with the account) and they asked her (or the "her" on the phone) for permission. I waited in the store for about an hour while this was being processed. You see Telus stores are "agents" for Telus... none of them work directly for Telus. So these reps in the store have to call the same customer service number I'd have to call to do this. This number was overwhelmed for a couple of reasons. 1) WNP (Wireless Number Portability) had just launched and 2) Telus had just launched Amp'd Canada (bringing the known American AMP'd brand to Canada).

So I was killing time and decided to check out the Smartphones... I looked at what Telus had to offer... 3 Blackberries and 3 Smartphones (UTStarcom 6700, Palm Treo 700wx, and the Moto Q). I already knew I didn't want a blackberry and at this point I was just browsing. The clerk and I were making small talk and she asked if I was interested in a PDA phone. I said I was, once my current contract ran out, and indicated an interest in the Palm Treo 700wx based on appearance and what little I knew about them. She pointed me towards the UTStarcom 6700 which has integrated 802.11b/g. It also has a full keyboard that slides out... which I find much nicer, given my larger fingers, to type on. The price tag changed my mind... $549 without a contract. I'd stick with my phone that was two years old and cost me nothing. The clerk said the calls were taking forever to process and suggested I leave (the store had closed 30 minutes earlier) saying she'd call me when the number change was completed. She called roughly 45 minutes later and suggested that she was going to try and get me an early contract renewal with an offer on a PDA phone. I was excited and awaited the response.

On Monday I had a voicemail letting me know that they were making a renewal offer and I could call for details.. I logged into my phone account and saw the renewal offer online. The UT Starcom 6700 on a new 3 year contract for $229.. I wasn't interested in paying even that much, although it was a huge discount... but I returned the call. She said that must be an error because she was prepared to offer it for $79.99. This I could live with, so I went over right after work and got started on the paper work. Here's where the fun started.

The clerk went to process the phone change and something went wrong... it turned out they couldn't change the phone. After about an hour and a half of calling it turned out that during activation the "backend had crashed" and not only did the change not go through... my phone number was deleted. More bad news... they had to charge me 229.99. I'd already paid the 79.99 and said that was all I was going to pay... They called around for another 45 minutes... got my number restored and the phone for me for 79.99. For my troubles they said to come back when I'd decided on a bluetooth headset that I wanted and they'd give it to me for cost. The customer service, since the troubles weren't on their end, was amazing... I couldn't have asked for more... They went above and beyond on getting me every deal possible and saving me as much money as they could. For those of you in the GTA, I highly recommend NexGen Wireless (the store just says Telus) at King and Bathurst.

As for the phone... I've picked up a 2GB Mini-SD card... and I'd recommend this phone to anyone. The keyboard is great to type on. The camera is quite useful and has some cool features. The video camera records audio and video... I'm quite happy with what it does and what it's capable of. It's been great so far... :)

03.22.07

A few links.

Posted in Daily Link List at 4:09 pm by Tyler Reguly

I've got a few things I wanted to touch on today....

First, a friend of mine, Max ( J_K9 ) is in Seattle... From the UK. He gave details on why he's going, which includes visiting Microsoft and presenting to the board of directors, on his blog. While he's there, he's writing entries on what's going on and so forth. While the first one only covers the traveling, I'm sure the upcoming posts will be very interesting. You can read them all on his blog.

Up next is a blog post from F-Secure...  As most know, I don't always trust competitors when they discuss their competition... Given that F-Secure is now in competition with Microsoft on the AV front, I'd expect them to be attacking MS for AV related issues but apparently they've decided to take a different approach. They're discussing the fact that in Vista file extensions are still hidden by default. I think it's a very minor issue to take exception to and bring up. When you think that both home and business users run Vista... technical and computer illiterate alike... I think it makes sense. A technical user can easily enable this setting should they want to view extensions... The computer illiterate user will have a harder time disabling it. Does it allow certain malicious files to be executed... yes. However, I'd ask how they got the file. Internet Explorer, Firefox, Outlook, MSN... These programs show the complete file name and people generally launch their files right from the download dialogs. They don't go into Explorer and track them down and run them... that's a computer geek thing. So even if the default action were changed, I don't think it would affect the end user.

These next two are related to WebAppSec. The first is a post by Jeremiah Grossman on Jikto. He makes some interesting points and I'd have to say I agree... I don't know if the release of such a powerful utility, which has no "good" purpose, is such a good idea.. Read his post for more details.. I may discuss this in the future but not now.

Lastly, a brief write-up on Web Security Auditing from SANS. It's fairly basic... nothing of interest but still a handy reference link.

Enjoy!

03.21.07

VirtualPC 2007 Available

Posted in IT, Tools at 8:38 am by Tyler Reguly

I posted when VPC 2004 was made freely available.... So let's post again now that VPC 2007 is freely available. Feel free to download it and play.

03.16.07

Top 59 Influencers in IT Security (2007)

Posted in IT, Security at 8:06 pm by Tyler Reguly

I've already mentioned this list once and said I disagreed with a good chunk of it... I also said that I'd come back with my own list. This is exactly what I've done... Ryan (numerophobe.com), Jeremy (engineeringreversed.com) and I sat down and came up with this list. We basically decided that the original list should have been 64 (seems like a more "computerized" number)... So in keeping with the semi-fictional list that IT Security provided, we came up with the following five additions:

  1. Acid Burn - Angelina Jolie made all little boys fall in love with computers.
  2. Matthew Broderick - For making us want to skip school and hack things.
  3. RoboCop - Made us want to protect the world...
  4. Al Gore - For Inventing and Fathering the Internet
  5. Zero Cool - He kissed Angelina Jolie

I hope that made everyone smile... Now we've come up with an actual list. These are people who have blogs that we feel are worth reading (because we learn something when we do or, at the very least, they are informative), developers of software that drives security, and individuals who have earned a name for themselves with interesting research and are still around with something informative to say.

I'm numbering this list, not to signify importance but to make this distinction... Numbers 1 - 27 were decided upon by all of us... the remaining numbers I added after the fact, we either forgot to add them or they came to mind afterward.

  1. Joanna Rutkowska
  2. David Litchfield
  3. Jeremiah Grossman
  4. RSnake
  5. HD Moore
  6. Anton Chuvakin
  7. Matasano Team
  8. Bruce Schneier
  9. Richard Bejtlich
  10. SecuriTeam
  11. Emergent Chaos
  12. Alex Eckleberry
  13. Mark Russinovich
  14. TAOSSA
  15. Cesar Cerrudo
  16. Dave Aitel
  17. David Maynor
  18. Dave Korn
  19. Ilfak Guilfanov (DataRescue)
  20. Halvar Flake (Sabre Labs, Sabre Security)
  21. Pedram Amini
  22. NVD
  23. Mitre
  24. Michael Sutton
  25. Fyodor
  26. Mike Rothman
  27. Peter Ferrie
  28. skape
  29. spoonm
  30. Mutz / Max
  31. DVD Jon
  32. Ero Carrera Ventura

I've been following the comments over at Matasano and I realize that Thomas doesn't think they belong in any sort of list... but I beg to differ... The Matasano blog is usually one of my favourite reads of the day. Anyways, we just wanted to share the list.

Microsoft Responds to AV Attacks

Posted in IT, Security at 1:51 am by Tyler Reguly

Microsoft has taken a lot of heat lately for their results in various AV testing (Examples: -1-, -2-, -3-, -4-, -5-). My opinion has stayed pretty much the same... My assumption is that the product failed due to missing older viruses... so their competitors who have years of industry experience and a large signature database would have a better chance... I highly doubt that these AV tests use only new viruses. This is why the AV Tests fail in my opinion... The older viruses aren't usually the problem... How many people reading this blog even remember CIH for example (it could, in certain cases, cause you to go out and buy a new motherboard). Microsoft is new to the game... If they were to cover every old virus and front load them before product release, then the product may never get out the door... So they had to pick and choose... I'm sure this older coverage will come. They probably have a small team dedicated to filling in the coverage. In the mean time it was much more important that they cover viruses that are in the wild and current... So that was my take on it and I didn't think very much of them failing the virus tests. At the same time, I don't use OneCare... There are plenty of free AV Solutions that are great and I prefer them.

Regardless, Microsoft has now stepped forward and responded on their Anti-Malware Engineering Blog. The writeup confirmed some of what I had assumed and pointed out that they are new to the AV game. Sure they purchased Sybari so they had some AV insight... but I don't think that insight was comparable to that of Symantec, McAfee or Trend Micro. Anyways give the article a read... a follow up is coming in a few weeks from the Microsoft Security Research and Response GM.

03.15.07

Odds and Ends

Posted in Daily Link List at 1:12 am by Tyler Reguly

A few things that I came across that I could have turned into a number of small blog posts but instead I choose to throw them all into one.

Up first we've got a WordPress plugin I recently downloaded and added... Like many bloggers I use Google Analytics, and like many wordpress bloggers, I've simply added the Google Analytics tag to my footer... This has all changed now. Thanks to a plugin called Ultimate GA. I've just set it up but I'll know better in a few days how it's working.... Here's the info from the website:

I managed to get a Google Analytics account back in the days when there was a long waiting list. I added the tracker JavaScript to the footer of all my pages, as instructed by Google Analytics. This gave me some great statistics to start with, but I wanted more.

I also want to track outgoing links to other sites and links to downloads (e.g. PDF documents) on my own site. Google Analytics can do this, but you have to add an onClick JavaScript to all these links. I didn’t like the idea of editing all my blog entries to add an onClick event to the links. So I ended up writing a WordPress plugin that does it for me. You can download the plugin for your own use.

I've just set it up, so I'll let everyone know in a few days what I think of it.

Up next we've got a post on the Technology and Marketing Law blog, and this one is rather interesting. It discusses a case ( Internet Archive v Shell ) which asks the question "Can a Spider Enter Into a Binding Contract?" As I have an interest in web spidering this caught my attention. I think the case is ridiculous from the get go... The question being asked isn't the right question... The correct question should be, "Can a website provide a "contract" along the lines of Shell's and have it be valid?" I think the answer to that should be no. Although looking at Shell's website, I see this as an attempt at a money grab... She's targeting Internet Archive due to their size in my opinion... if she had a valid case, she'd have targeted Google, which I'm sure has cached her page.

Since she wants money from anyone who copies her website, I suggest you visit it.  Scroll to the bottom of the horridly designed website... It looks like those old Angelfire and Geocities websites. Shell licenses her website for viewing over the internet only... (I wonder if she's attempted to go after every visitor... after all their browser caches pages). In order to view the copyright, you have to click a box asking if you agree to the Terms (prior to seeing the terms)... The whole site made me laugh and the case is making me laugh even more... I'm definitely curious to see the outcome though... Maybe I'll add fine print to the bottom of this page that if you view the RSS feed you're agreeing to pay me $1000.00.

Next on the list is an article about Novell being linked to a press release stating that the TCO for Microsoft products is less than Linux. I'm sure this article has irritated plenty of Linux advocates... however the statement is true... This was debated before when Microsoft released their large Microsoft costs less than Linux campaign... and the Microsoft TCO is less. Think about it, you purchase the Microsoft product... you have an IT person... your cost is their salary + the software cost.  All of your software ties in quickly and easily and install / configuration is simple and a breeze. Now take a look at Linux... There are less Linux people out there so you will probably pay more for your Admin. Now you have to pay for the software (enterprises run SuSE or RH... not as many go grab VectorLinux or Debian). Now you have to painstakingly install and configure everything... You don't have the benefits of Active Directory... of your users being tied together... of software like Exchange... You may have a web based calendaring system... or thunderbird but the productivity just isn't at the same level... Something is lost. In the end, when everything is factored in... Microsoft is cheaper... I've actually blogged on this subject in the past... feel free to jump back and read it.

A quickie link here to a couple of online PDF viewers.... one offered by Adobe and a third party one... I tested both of these with the same PDFs this evening and the third party viewer worked much better... actually it worked, which is more than I can say for the Adobe offering.

Lastly, everyone has been jumping on the horn to mention The Top 59 Influencers in IT Security for 2007. Congrats to everyone on the list and hopefully none of you will find what I say next overly insulting or think of it as an attack. I take some issues with the list... The focus on C-Level Execs and Bloggers is interesting... but not how I would have done it... Certain bloggers and C-Level execs that were listed certainly belong to be there... but I think the emphasis was missed... The end of the list contains the real influencers and even that portion seems to have missed the boat. H.D. Moore, Fyodor (which is spelled incorrectly on the list) and others are the ones that it should be focused on... Those are the people that I think deserve to be considered as the influences for 2007. Others that should have been on that list that were not included... Jeremiah Grossman (sure his blog was mentioned briefly but he should have had his own number), RSnake and David Litchfield for example. Web App Sec and Database Security are still growing issues... WebAppSec is getting bigger daily and we recently saw the release of a Free Database Security Scanner. Others should not have been on the list at all... Kevin Mitnick for example... that turns the blog list into a 90s throw back... How about Kevin Poulsen and Tsutomu Shimomura...

So Congrats to the decently large number of you that deserve to be on the list... and to the authors of the list.. Consider leaving the 1990s hero worship out of it next time... especially if you're attaching a date to the list... If you want to play out the hero worship bit, you might as well include the entire TLC Hackers Hall of Fame list. I may release what I consider to be a more accurate list in the near future.

Now that I've sufficiently irked a large number of people... that's it for me...

A Joke… Baby Making

Posted in Personal at 12:31 am by Tyler Reguly

A Joke courtesy of Brian Madsen's .Net blog.

The Smiths were unable to conceive children and decided to use a surrogate father to start their family.
On the day the proxy father was to arrive, Mr. Smith kissed his wife good-bye and said, "Well, I'm off now. The man should be here soon."

Half an hour later, just by chance, a door-to-door baby photographer happened to ring the doorbell, hoping to make a sale.

"Good morning, Ma'am", he said, "I've come to..."

"Oh, no need to explain," Mrs. Smith cut in, embarrassed, "I've been expecting you."

"Have you really?" said the photographer. "Well, that's good. Did you know babies are my specialty?"

"Well that's what my husband and I had hoped. Please come in and have a seat" After a moment she asked, blushing, "Well, where do we start?"
"Leave everything to me. I usually try two in the bathtub, one on the couch, and perhaps a couple on the bed. And sometimes the living room floor is fun. You can really spread out there."
"Bathtub, living room floor? No wonder it didn't work out for Harry and me!"

"Well, Ma'am, none of us can guarantee a good one every time. But if we try several different positions and I shoot from six or seven angles, I'm sure you'll be pleased with the results."
"My, that's a lot!" gasped Mrs. Smith.
"Ma'am, in my line of work a man has to take his time. I'd love to be in and out in five minutes, but I'm sure you'd be disappointed with that."
"Don't I know it," said Mrs. Smith quietly.
The photographer opened his briefcase and pulled out a portfolio of his baby pictures. "This was done on the top of a bus," he said.

"Oh my God!" Mrs. Smith exclaimed, grasping at her throat.

"And these twins turned out exceptionally well - when you consider her mother was so difficult to work with."
"She was difficult?" asked Mrs. Smith.
"Yes, I'm afraid so. I finally had to take her to the park to get the job done right. People were crowding around four and five deep to get a good look."
"Four and five deep?" said Mrs. Smith, her eyes wide with amazement.
"Yes", the photographer replied. "And for more than three hours, too. The mother was constantly squealing and yelling - I could hardly concentrate, and when darkness approached I had to rush my shots.

Finally, when the squirrels began nibbling on my equipment, I just had to pack it all in."
Mrs. Smith leaned forward. "Do you mean they actually chewed on your, um... equipment?"
"It's true, Ma'am, yes. Well, if you're ready, I'll set-up my tripod and we can get to work right away."
"Tripod?"
"Oh yes, Ma'am. I need to use a tripod to rest my Canon on. It's much too big to be held in the hand very long."
Mrs. Smith fainted.
