07.28.07

Another “Interesting Thing I Learned” Post: HTTP TRACE

Posted in IT at 11:42 pm by Tyler Reguly

I was messing around as usual and playing with the HTTP TRACE method (No I didn't learn about trace, I already knew about it... what I learned is coming up and is more interesting than just the method itself). For those of you that don't know, think of it as an internal ECHO function. The idea being that you can ensure no proxies / content filters are mangling your HTTP requests.

Example:

C:\Users\Tyler>nc shell 80
TRACE * HTTP/1.0
X-PAD: Read ComputerDefense.org!!

HTTP/1.1 200 OK
Date: Sun, 29 Jul 2007 02:33:18 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.2
Connection: close
Content-Type: message/http

TRACE * HTTP/1.0
X-PAD: Read ComputerDefense.org!!

As you can see... everything is simply echoed back.

That isn't what I learned though.... here's the interesting stuff...

Apache (Ubuntu) using HTTP 1.0:

C:\Users\Tyler>nc shell 80
TRACE * HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 29 Jul 2007 02:38:51 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.2
Connection: close
Content-Type: message/http

TRACE * HTTP/1.0

Apache (Ubuntu) using HTTP 1.1:

C:\Users\Tyler>nc shell 80
TRACE * HTTP/1.1
HOST: localhost

HTTP/1.1 200 OK
Date: Sun, 29 Jul 2007 02:40:24 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.2
Transfer-Encoding: chunked
Content-Type: message/http

25
TRACE * HTTP/1.1
HOST: localhost

0

Note that Apache responds to the HTTP 1.1 request using 'Transfer-Encoding: chunked'.

Now let's look at IIS.

IIS 5.0 (Windows 2000) using HTTP 1.0:

C:\Users\Tyler>nc win2000 80
TRACE * HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 29 Jul 2007 05:43:04 GMT
Content-Type: message/http
Content-Length: 18

TRACE * HTTP/1.0

IIS 5.0 (Windows 2000) using HTTP 1.1:

C:\Users\Tyler>nc win2000 80
TRACE * HTTP/1.1
HOST: localhost

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 29 Jul 2007 05:43:10 GMT
Content-Type: message/http
Content-Length: 34

TRACE * HTTP/1.1
HOST: localhost

Notice the differences? IIS, when using HTTP 1.1, doesn't respond with chunked encoding. This isn't anything major, but I did find it interesting. I should note that these are both default installs; you may see different results on other systems.

So there's a simple way to distinguish between IIS and Apache (default setups) without looking at the banner. There are actually two additional differences in the outputs displayed above... Try and find them... click Read More to see if you're right.
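Added example in Python (not the post's own code): a small parser that handles both response framings shown above, chunked and Content-Length, and reports whether a server echoed the TRACE request back, which is the check you want when auditing a host you administer. The three responses are constructed to mirror the captures above, not taken from a live server; feed the functions the bytes you capture yourself.

```python
# Constructed: Apache-style HTTP/1.1 reply, body sent as one 0x25-byte chunk.
APACHE_CHUNKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 29 Jul 2007 02:40:24 GMT\r\n"
    b"Server: Apache/2.0.55 (Ubuntu) PHP/5.1.2\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: message/http\r\n\r\n"
    b"25\r\nTRACE * HTTP/1.1\r\nHOST: localhost\r\n\r\n\r\n0\r\n\r\n"
)
# Constructed: IIS-style HTTP/1.0 reply, body delimited by Content-Length.
IIS_CONTENT_LENGTH = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Sun, 29 Jul 2007 05:43:04 GMT\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 18\r\n\r\n"
    b"TRACE * HTTP/1.0\r\n"
)
# Constructed: what a server with TRACE switched off typically answers.
TRACE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"


def decode_chunked(data: bytes) -> bytes:
    """Reassemble a chunked body: hex size line, data, CRLF, ..., then a '0' chunk."""
    out, pos = b"", 0
    while True:
        line_end = data.index(b"\r\n", pos)          # raises if the size line is cut off
        size = int(data[pos:line_end].split(b";")[0], 16)  # drop any chunk extension
        pos = line_end + 2
        if size == 0:
            return out
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos += size + 2


def parse_response(raw: bytes) -> dict:
    """Split status line, headers and body, honouring whichever framing the server used."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        framing, body = "chunked", decode_chunked(rest)
    elif "content-length" in headers:
        length = int(headers["content-length"])
        if len(rest) < length:
            raise ValueError("body shorter than Content-Length")
        framing, body = "content-length", rest[:length]
    else:
        framing, body = "connection-close", rest   # HTTP/1.0 style: body runs to EOF
    return {"status": status, "headers": headers, "framing": framing, "body": body}


def trace_enabled(request: bytes, raw: bytes) -> bool:
    """True when the server answered 200 with message/http and echoed our request."""
    r = parse_response(raw)
    return (r["status"] == 200
            and r["headers"].get("content-type", "").startswith("message/http")
            and r["body"].startswith(request))
```

On Apache 2.0.55 and later the method can be turned off with the TraceEnable directive (`TraceEnable off`), after which the check above should return False.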


07.26.07

Dealing with plagiarism

Posted in IT, Site Related at 11:35 pm by Tyler Reguly

So lately, when I log into the administration portion of my blog, I've been noticing more and more links from a single domain and the titles are generally the same as my latest blog post... I browsed over and sure enough, someone is grabbing my blog posts via WP-Autoblog and posting them on their site. The site in this case, which I've noticed is stealing feeds from a good number of the Security Bloggers Network sites, is newtechtransfer.com.

There weren't any posts on effectively blocking WP-Autoblog that I could find anywhere and after a little bit of searching I found the suggestion to send a DMCA Cease and Desist Request. There is a template available here. I updated the template to properly reflect me and my website, and sent it off to abuse and support for both the domain in question and their hosting provider estdomains.com.

The problem I realized is that I most likely won't get anywhere... based on the email addresses provided in the whois (which are .ru), I'm guessing that there's no legal way of getting the information removed. I've provided the whois information under the Read More link so that it wouldn't clutter the main page.

The second point of interest was the response I got from the abuse and support email addresses. The hosting provider's response was:

Dear Customer,

Due to the huge wave of spam we receive and in order to improve
the speed and quality of the work of our support team we decided
to stop receiving emails.

To get in touch with us please feel free to raise support ticket at

http://support.estdomains.com

Best regards,
Estdomains, Inc Support Team

The text was also repeated in Russian. So I also submitted my Cease and Desist request via their support form.

So my question to the blogging community is, how do you deal with these sorts of problems? Images of vigilante justice keep going through my head, all the affected parties lynching the culprits in a small dirty town reminiscent of every bad western ever made. The problem here is that this *IS* a problem. This can affect search engine ranking and placement, this can affect site traffic and it's just plain irritating. There has to be something that can be done, but the question is: What?

[UPDATE]

It appears as though the letter worked. All content has been removed from newtechtransfer.com.

Great Challenge at Ha.ckers.org

Posted in IT at 8:59 pm by Tyler Reguly

RSnake has posted a great challenge over on the Ha.ckers.org website. I can't give away any details of the challenge, but I can say that it's a fun diversion. It took me about 15 minutes to complete, but I could see it ranging from 5 minutes to an infinite amount of time depending on your knowledge of HTTP. It's definitely worth taking a shot at, so go... enjoy and most of all.... Have Fun! :)

Intel Marketing Music Video

Posted in IT at 8:02 pm by Tyler Reguly

I came across this video today (via Schneier on Security) and had to share it.

The video is directed by Christopher Guest [IMDB] (Nigel Tufnel of Spinal Tap). It stars Dan Finnerty and Rob Giles.

Enjoy!

07.24.07

Awesome Blog Post on Uncovering Vulnerabilities

Posted in IT, Security, Vulnerabilities at 11:01 pm by Tyler Reguly

I just wanted to share a great blog post I found over on the TippingPoint Blog. Cody Pierce does a walk-through on how he found a vulnerability in Borland Interbase 2007. He sums up the post by saying, "I hope this has shed some light on how we go from 0 to 0day in under 30 minutes."

Intro:

So one of our advisories, TPTI-07-013 went out today. The issue is a remote code execution in Borland Interbase 2007. This is an interesting target for us because we accidentally stumbled on it. The story goes like this...

I was up late on Wednesday night, as usual since we are all up late on Wednesday nights, and decided to take a look at BakBone NetVault. Upon installing NetVault, I noticed a process listening on TCP port 3050. This process turned out to be the "Firebird SQL Server". When I found a vulnerability in that process, TPTI-07-11, I did some research on what Firebird SQL is. It turns out that at one point Borland open sourced Interbase. This is when the guys at Firebird decided to branch that source tree and start a free, open source version under the Firebird SQL moniker. So hey, if one product has a vulnerability, and it was forked from another product's source, then maybe we should look at the other vendor. That's where Borland Interbase 2007 comes in. Since it has the same code base, I downloaded a trial and decided to play with it for a few minutes.

So what I'm trying to do in this blog post is go over how I found this bug. Hopefully some of this will serve as an "Auditing 101" how-to for network services. This bug was fairly easy to find, and should be good practice. Hey, maybe it will help you find other Interbase bugs.


Why the concept of banning handguns is bad for IT professionals in Ontario.

Posted in Personal at 3:40 am by Tyler Reguly

There were fatal shootings again in Toronto, a shame for those involved, and the aftermath could affect everyone. As a result of the weekend occurrences, there is once again talk of following the path of banning handguns. Now, I'm not a big gun fan... I'm not like our neighbours to the south in that I don't believe everyone should have a gun under their pillow, and I don't think that the Canadian gun laws are too strict... although I also don't think they're too lenient. Basically I think things are good how they are... banning handguns is like banning prescription drugs because too many people O.D. on heroin.

There are people that say "Guns Kill"... sure they do... but so does insulin. Should we ban insulin and keep it away from diabetics in case they use it to poison others? We can call these people close-minded.
Then you have the people that argue there's no reason to own a handgun. These are the same people that have a 42" Plasma screen, an XBox 360 and a backyard swimming pool. They don't grasp the concept of entertainment unless it's a form of entertainment they are interested in. We can call these people close-minded.
Lastly, you have the people, like Attorney General Michael Bryant, who say:

"There's 215,000 handguns legally owned in Ontario and they are all targets for theft and can end up on the streets of this province. It's not all of the guns that end up in the illegal gun trade, but it's about a third to a half of those guns, and we need to do everything we can to choke off the supply."

Again, we can call these people close-minded... It's the combination of the "close-mindedness" and Mr. Bryant's comments that should concern IT Professionals. Let's think about this for a second... most people don't "get" IT/IS... this leads to a sort of "close-mindedness" and then we have that comment above... That very scary comment. Let's ban the legal use because that will eliminate the 'illegal use'. I love how many people apply this logic and fail to see the problems in it. The people that are illegally acquiring guns will still illegally acquire guns... be it through theft, trunk sales or smuggling. It won't stop it... this will just stop the law abiding people from having access to handguns.

So now you're asking why this is of a concern to IT/IS professionals. Well let's look at France and their restrictions on encryption... or Germany and their "banning of hacking tools". In both of these cases the logic was, "Let's make it illegal and then people will stop using it illegally" WRONG! You are taking tools away from legitimate users, or making legitimate users criminals when they still use the tools and since those using the tools illegally are doing so to break a law... they won't stop. This flawed logic has to stop, it's just a downward spiral that's going to get worse and worse. Why does it seem that no one in positions of authority ever possesses common sense?

So here's how I see it happening:

  1. Ontario Bans Handguns
  2. Ontario Bans "hacking tools"
  3. Ontario Bans personal vehicles, allowing only public transit (after all, cars can be used to kill)
  4. Ontario requires all residents to be implanted with microchips for constant tracking (after all, if you're being monitored constantly it's harder to commit a crime)

I hope I'm not the only one that sees the problems with this and the problems with our Attorney General's logic... hopefully this can be stopped before we proceed down the slippery slope.

UPDATE:

I just visited the Ministry of the Attorney General's Contact Page and I was surprised to learn that we're already starting down the slippery slope. In order to provide a comment that will be read you *MUST* provide your name, email address and mailing address. Sure you could provide false information, but we "require" that information? Our government won't allow us to provide feedback and thoughts anonymously? Do they hunt down and kill those that they don't agree with? That's really the only possible reason for requiring that information.

07.21.07

Firefox vs Internet Explorer… Who’s Really At Fault

Posted in IT at 5:58 pm by Tyler Reguly

There's been a lot of back and forth discussion lately over the reason for Firefox 2.0.0.5. It seems that Thor Larholm released details on a vulnerability where data passed to Firefox from IE via the firefoxurl protocol handler can be used to execute arbitrary commands. Thor said this was a vulnerability in IE for not properly parsing the data it was passing, and the IE team responded that they weren't responsible for the data being passed and that it was instead up to Firefox to properly parse the data. The Firefox team released a patch (Firefox 2.0.0.5) which prevents Firefox from accepting bad data passed in from Internet Explorer, and Window Snyder commented on the Mozilla Security blog. A second post was written by Asa Dotzler which questioned the IE Team's comments that it was too difficult to provide proper protection against this on their side. All of this was responded to by Jesper Johansson. So now that we've laid out the background... let's discuss.

I think that Microsoft's, and specifically the IE Team's, claim that it would be too difficult for them to patch this issue is bogus. There's no reason why IE couldn't parse the URI before passing it, escaping certain characters, perhaps based on the URI RFC's definition of reserved and unreserved characters. That being said, as Jesper pointed out, Firefox doesn't do this either... so perhaps both browsers should. While it may not be a standard practice, if the two major browsers were to perform this operation, others would follow suit. Should Firefox not accept bad data? Yes, however the entire concept of multi-tiered security is that you have a moat, a wall and other levels of defense. Assuming that Firefox's change to parse and sanitize the data is the wall, why couldn't IE provide a moat, with the protocol handler acting as the drawbridge that allows access?

I actually went so far as to fire off an email to the authors of the URI RFC and at this point I've heard back from Larry Masinter. He provided additional clarification and insight into the RFC, providing an example of where responsibility lies if URIs were constructed on the fly by JavaScript.

For example, I could write a Javascript program that constructed URIs on the fly and inserted href’s to them; it would be the responsibility of the Javascript program to construct the ‘correct’ URI. However, HTML 4.0 and XHTML 1.0 don’t supply any justification for trying to ‘normalize’ URIs before they’re sent to the URI handler, except perhaps the suggestion in the appendix that non-ASCII characters be expressed in UTF8 and then percent encoded.

So this says to me that it's the responsibility of the creator of the URI to ensure that it is "correct" and "valid". The problem is that this relies on nothing ever being used maliciously. Software is continually updated to deal with people passing invalid data or using it incorrectly. This is another example of someone using a standard incorrectly for malicious means, so why not modify the other end and stop relying on the user to form something that is valid and correct? I'd say this is no different than the browser tests performed by software like Hamachi (IE was patched against problems that were found by Hamachi). Yes, in that case the browser was rendering the HTML, so why not make the cleaning or "normalizing" of the URIs a part of HTML rendering? Larry went so far as to say that in his email.

You could, of course, suggest that HTML 5.0 or XHMTL 2.0 or whatever define the HREF or SRC attributes as containing a ‘URI like thingie’ and define the interpretation of the IMG or A elements as requiring normalization (according to a supplied algorithm) first. But then that would be in the domain of those languages.

So should we point the blame at Firefox or IE? How about both and none all at the same time. Instead of bickering about what's right, both sides should, as Firefox has already done, remedy the portion of the problem that they are responsible for. Perhaps now it's time to sit down and redefine the HTML, XHTML or something else to provide protection for the user against malicious individuals instead of saying, "Sure it's a problem, but we're not doing anything that violates the RFC so it's not our problem to deal with." When it affects your users... it's your problem, so let's all deal with it.
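The "moat" argued for above, as an added Python example that is neither IE's nor Firefox's code: before a browser hands a URI to an external protocol handler, it percent-encodes every character that RFC 3986 does not allow to appear literally, keeps valid %XX escapes, and encodes non-ASCII as UTF-8 then percent-encodes it (the appendix suggestion Larry quotes). The character classes come from RFC 3986; that this is the right set of rules for a handler boundary is the post's argument, not something either browser documents.

```python
import re
import string

# RFC 3986 section 2.3: unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
# RFC 3986 section 2.2: gen-delims and sub-delims may appear literally.
RESERVED = set(":/?#[]@!$&'()*+,;=")
HEXDIGITS = set(string.hexdigits)
# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def scheme_of(uri: str) -> "str | None":
    """Return the lower-cased scheme, or None when the URI has no valid one.
    A dispatcher should only hand the URI to a handler registered for this value."""
    match = SCHEME_RE.match(uri)
    return match.group(1).lower() if match else None


def normalize_uri(uri: str) -> str:
    """Percent-encode everything outside the unreserved and reserved sets.

    Quotes, spaces, control characters and a bare '%' all get encoded, so the
    handler on the other side receives one argument with no characters that
    could be mistaken for shell or command-line syntax."""
    out = []
    i = 0
    while i < len(uri):
        ch = uri[i]
        # keep an already valid %XX escape, upper-casing its hex digits
        if ch == "%" and i + 2 < len(uri) and uri[i + 1] in HEXDIGITS and uri[i + 2] in HEXDIGITS:
            out.append("%" + uri[i + 1:i + 3].upper())
            i += 3
            continue
        if ch in UNRESERVED or ch in RESERVED:
            out.append(ch)
        else:
            # non-ASCII becomes its UTF-8 bytes, each percent-encoded
            out.extend("%%%02X" % byte for byte in ch.encode("utf-8"))
        i += 1
    return "".join(out)
```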

Firefox NoScript Extension

Posted in IT at 3:03 am by Tyler Reguly

It seems that more and more lately you see people mentioning NoScript... Every time I mention ads or "fluff" on people's blogs the answer seems to be "Install NoScript". I have a problem with this generic fallback answer... It's not necessarily that I have a problem with NoScript (although I do, and I'll describe it in just a moment), but it almost seems that some people are putting too much reliance on it... that it's being seen as the safety net of surfing in the same way that AV and firewalls were 10 years ago... The "Be All End All" of safety. Maybe I'm misinterpreting people and they just see it as one line in a multi-tiered defense.

Anyways... my problem with NoScript is that I see it as the UAC of browsing... Actually, I find it to be more annoying than UAC (which I actually tolerate and even enjoy). Yet people who support NoScript are some of the same people that attack UAC. I decided that I'd put aside my annoyance with having to OK every page I visit (even if I do permanently trust it... which is a bit of a security risk in my opinion... given the number of people that probably allow scripts on blogs and forums that they visit). So the other day, I grabbed NoScript and started surfing. Not surprisingly, given the move to Web 2.0, roughly 50% of the pages I visited no longer functioned correctly... Some even gave me messages along the lines of "Your browser doesn't support JavaScript, in order to continue you require a JavaScript Enabled browser".

Given my new found tolerance, I'm (painfully) allowing scripts in order to give NoScript a fair shot... but suddenly I go to click "Mark All Read" in my bloglines and I get the following error:

An error occured:
Traceback (innermost last):
File "cgi.c", line 857, in cgi_init()
File "cgi.c", line 641, in cgi_pre_parse()
File "cgi.c", line 469, in _parse_query()
File "neo_hdf.c", line 770, in hdf_set_value()
File "neo_hdf.c", line 760, in _set_value()
AssertError: Unable to set Empty component Query.

What's this?? It has worked before, so why has it stopped now? I take a look at the NoScript icon... I've allowed bloglines.com and the only other option is to 'Allow Scripts Globally', which even says 'dangerous' next to it. Well, let's test it out. I 'Allow Scripts Globally' and click 'Mark All Read' again. This time, as it has before, it works. So not only is NoScript a royal pain with its constant 'Allow Script' messages and a large number of sites rendering improperly due to Web 2.0, but even if you're willing to make the sacrifice and use it... it still can't function properly in a Web 2.0 world.

Looks like it's time to uninstall NoScript if I want my sites to work properly at all. Hey... at least when I click Allow/OK with UAC I know it's going to work.

07.20.07

Good for a laugh.

Posted in Personal at 7:20 pm by Tyler Reguly

I came across this today (via Liquidmatrix Security Digest) and thought it was good for a laugh.

Three Apple engineers and three Microsoft engineers are traveling by train to a conference. At the station, the three Microsoft engineers each buy tickets and watch as the three Apple engineers buy only a single ticket. “How are three people going to travel on only one ticket?” asks a Microsoft engineer. “Watch and you’ll see,” answers the Apple engineer.

They all board the train. The Microsoft engineers take their respective seats but all three Apple engineers cram into a rest room and close the door behind them. Shortly after the train has departed, the conductor comes around collecting tickets. He knocks on the rest room door and says, “Ticket, please.” The door opens just a crack and a single arm emerges with a ticket in hand. The conductor takes it and moves on. The Microsoft engineers saw this and agreed it was quite a clever idea. So after the conference, the Microsoft engineers decide to copy the Apple engineers (as they always do) on the return trip and save some money.

When they get to the station, they buy a single ticket for the return trip. To their astonishment, the Apple engineers don’t buy a ticket at all. “How are you going to travel without a ticket?” asks one perplexed Microsoft engineer. “Watch and you’ll see,” answers an Apple engineer. When they board the train the three Microsoft engineers cram into a rest room and the three Apple engineers cram into another one nearby. The train departs. Shortly afterward, one of the Apple engineers leaves his rest room and walks over to the rest room where the Microsoft employees are hiding. He knocks on the door and says, “Ticket, please…”

07.18.07

Let Down by Grisoft

Posted in IT at 8:40 pm by Tyler Reguly

I'm pretty vocal about being a huge Grisoft supporter. AVG is about the only AV software I trust... (I'm also a huge Trend Micro fan but I can't justify the cost). Anyways... I haven't launched Olly Debug in a week or two and I just went to load up some software in it. Imagine my surprise when I clicked on my Ollydbg Shortcut and I get a pop-up that says "The file this shortcut refers to is not present on your system, would you like to delete the shortcut". WHAT?!? I quickly browse to the folder and sure enough ollydbg.exe is gone. Confused, I open AVG and check the virus vault. Sure enough, there it was... I was able to restore it and all is good now but this is the first time that AVG has let me down and disappointed me. A false positive on ollydbg... next they'll be shipping false positives on Excel or Windows XP... I might even go out and invest in Trend Micro.

Screenshot from the Virus Vault:

Ollydbg.exe False Positive
