Archive for the ‘Daily Link List’ Category

Daily Link List

February 22nd, 2007

Just a few quickies today:

Sid @ SecuriTeam has an interesting post on how he found out that his router was open to the world to FTP into. It's worth a read... and it also introduced me to nmap online... Something I'd been previously unaware of.

Brian Krebs has a nice write-up on the flaw in Google Desktop which prompted a quick patch.

I'm a little behind on this one, but apparently Stefan Esser has been making mention of March being the Month of PHP Bugs. Haven't we seen enough of these already?

The beta of Nessus 3.2 has been made available for Linux, FreeBSD and Solaris.

That's all... short and sweet.

Categories: Daily Link List Tags:

Tabula Rasa

February 10th, 2007

I know... you're thinking the same thing I thought when I read it... What the hell does that mean... Well Ross at nCircle provides the definition, "A clean slate; a blank or erased tablet." He also provides a short, but interesting post on the subject of backwards compatibility. The ultimate question of his post is summed up by the introduction:

Backwards Compatibility. I'm hardly a Mac user, but from what I've heard, they don't bother with it. Every Mac OS release is a clean slate (or close to it) and the end user just has to adjust. On the other side, Microsoft spends millions (billions?) making sure that you can still open that document you put together using Word 95 in Office 2007.

Which approach is better? Define better.

Give it a read and see if you agree.


A Website I Rather Enjoy

January 31st, 2007

One of the websites in my RSS feed that I really enjoy is LinuxSecurity.com. The site compiles outside links from various news sources and presents some of the more interesting ones on a single page... however it's not without issues... From the RSS feed, you are constantly getting "Page Not Found" errors... and you have to return to the main page to click the link for the article.

Anyways I was over there looking today and I found some rather interesting articles available:

Stompy Session ID Analyzer -- This is a great concept... I haven't tested it yet so I can't quite say great tool.  People quite often create their own Session IDs... this will let you see if they're based off anything.. or if there's a pattern available...  Download Link (tgz)

AJAX Fingerprinting Web 2.0 -- Another great concept... As people move to this new world of Web 2.0, applications are being built on frameworks... GWT, PyJamas, ASP.NET AJAX, etc... More often than not, when these frameworks are flawed... the applications based off them will also be flawed. The concept of AJAX fingerprinting gives us:

Ajax fingerprinting can help in deriving the following benefits:

  • Vulnerability detection – Knowledge of the framework on which a web application is running, allows the mapping of publicly known vulnerabilities found for that particular framework. Example – DWR client side vulnerability.
  • Architecture enumeration – On the basis of derived information from fingerprinting it is possible to guess application architecture and inner working of a system. Example – Atlas (.NET application framework), DWR (Servlet/JavaScript combo).
  • Assessment methodology – Derived information from the fingerprinting phase can help in defining future assessment path and vulnerability detection methods. Example – Deciding on JavaScript-scanning.

Download Link (pdf)

These last two are just news articles...

2006: The Year Hacking Became a Business

Vulns Spiked 39% in 2006 according to an IBM ISS report.


A few quick links.

January 30th, 2007

I've got some things to do before bed... but I wanted to make sure I shared these.

Digital Bond has released a SCADA Honeynet... It emulates a fairly popular PLC and it sounds like a fairly interesting idea... First thing tomorrow I'm going to give it a look and let everyone know what I think.

Other than that I just wanted to point out Jeremiah Grossman's blog for those that don't read it... or rather two great posts that he published today.

The first post was Input Validating or Output Filtering, which is better. Not only does the article give a clear explanation of the two preventative measures, but it also gives examples.

The second post is The Difference Between Security Assessments and Penetration Tests.  It's focused towards Web Application Security, since that's his field of expertise, however it can be applied to any aspect of security.

That's all for today... short and sweet.


Today’s Tidbits.

January 28th, 2007

Just a few things that caught my attention today..

We'll start with a post over at ha.ckers.org by RSnake on the ability to have an emergency sequence linked to your account for emergencies... It comes out of a (potential) myth that entering your PIN in reverse at an ATM will summon the police. It's an interesting idea. There are benefits to this everywhere... Passwords, PINs, Alarm Codes... Perhaps a push should be made to make it the new standard...

  • Your Bank Card is associated with two PINs... One that allows you to withdraw money and one that gives an insufficient funds message, locks the account and summons police to the ATM in question.
  • Your Alarm could have two codes.. One that disables/enables the system and one that sends a silent alarm to the alarm company signaling that you entered the code under duress.
  • Online banking could have two passwords for each account. The first password logs you in, the second locks the account and notifies the bank of possible fraudulent transactions.
  • Two passwords for your operating system, email, or anything else. One password logs you in, the other locks the account... recording the Terminal in use, the IP the connection came from or other information depending on the service in question. As RSnake mentions, you could write the "safe password" on a post-it... This could be your warning sign that someone has been casing your office looking for passwords.

Next up is an interesting little side note... Nokia's Website was defaced...

Up next we have Ubuntu install.exe. I was directed to this "feature" by an article on freesoftwaremagazine.com. The article has a lot of valid points... However I think the biggest point is made by the install.exe wiki entry... Reading through the write-up it feels like it's been written by kids... The members of the Linux community that give that very community a bad name. Comments, like the ones I'm going to list, keep me from ever using this in a production environment and stop me from even wanting to experiment with it on a test system.

Some of the Comments:

  • "The elimination of the need for partitioning, and thus the chance of data loss, will help ubuntu gain acceptance in the corporate world." -- It isn't the need for partitioning that keeps Ubuntu out of the corporate world... and anyone who would think such a thing has very little knowledge of the corporate world. Also, with today's tools... partitioning, or modifying existing partitions (which is what they are talking about), seldom leads to data loss.
  • "The elimination of the need for an installation CD will allow users without CD burners or spare CDs to try ubuntu, ease burdens on ShipIt, and allow installation on ultra-portable laptops with no CD drives." -- Didn't we already do this with Linux that boots off a USB Thumbdrive?
  • From one of their use cases: "inexperienced Windows user who is tired of viruses and crashes" -- The viruses and crashes don't come from being a Windows user... they come from being inexperienced... This reads like the writing of a Linux Zealot.
  • From the same use case: "he downloads it, runs it, clicks "OK" through the installer" -- Should we really be recommending that people "Click OK through the installer"?
  • From another use case: "Peter is an amateur video editor who is interested in trying out ubuntu." -- Wouldn't a live CD be better than a prototype installer... After all a video editor is going to have a CD drive.

There are additional issues with the write-up that push me away from ever trying this software (at least until the Authors become more mature in their actions and write-ups)... but I think you get the idea.

Another short comment... Robert Scoble posted an interesting question on his blog... "Do A-list Bloggers have a responsibility to link to others?"... I'm definitely not an A-List blogger but I think all bloggers have a responsibility to link to others.... and I think linking to only the big blogs is a mistake... I'd like to think that the smaller, less popular blogs (like this one) have just as much to offer and sometimes interesting little tidbits of information are missed by avoiding these smaller blogs.

So today's write-up is short and sweet... I'm just going to take you back over to ha.ckers.org and another post that RSnake made today... For this one, I'll just say that I think it's a cool idea and I look forward to seeing the finished product. Now I'll quote part of RSnake's post:

Several months ago Syngress Publishing asked a few people to help contribute to a book on XSS. The contributing authors are Jeremiah Grossman, Anton Rager, Seth Fogie and yours truly. We are still several months away from completing the book, but we are well on our way. Sorry I didn’t tell you all earlier, but I was just finally allowed to start talking about it.


Daily Link List

January 27th, 2007

I know I throw these up every now and then.. They're my way of sharing short blurbs without long blog posts... I've got a few things I want to mention (actually quite a few) so... on with the show.

The first isn't really a list... It's some interesting spam that I received today in the comments of a post...

Author : Spam Bot (IP: 128.61.82.147 , r82h147.res.gatech.edu)
E-mail : spamtester@gmail.com
URI :
Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=128.61.82.147
Comment:
Please forgive this post, it is simply a test to see if your site is spamable. Code: XXXXXXXX

I've X'd out the code in case the bot is going to return to confirm its existence. Nothing to comment, except that if someone is actually testing for research's sake, they should provide a link to explain themselves... if it's a spammer.. why not just spam like all the other spammers.. why test first..

Now... On with the links.

The first link belongs to a blog post by a good friend of mine, J_K9. It's a decent write-up introducing Metisse, which is "not just another 3D Desktop"... The description of it proves interesting... and the videos are definitely worth watching.

Next we've got the link that everyone and their brother has blogged about already, which is why I'm not dedicating a full post to it... most people have already read about it... Basically... GoDaddy is run by sniveling cowards. They also don't respect their customers... it makes me glad that they aren't my registrar.

Bill, from Bits from Bill, questions what defines a vulnerability. I enjoyed reading the post but ultimately I have to disagree with him... He looks at things like the new Microsoft Word 2000 "0-Day" Vulnerability. By Bill's definition these are flaws... His reasoning: First he defines vulnerable (Vulnerable – “open to assault; difficult to defend; capable of being wounded or hurt”), then he blames user interaction... To me, user interaction still leaves you "open to assault"... Let's look at this from another angle. Let's say the foundation of your house has a crack in it... You might say you have a flaw in your foundation... I might say that your foundation is vulnerable to earthquakes... These are both true statements.. If a flaw can make you vulnerable... then a flaw is a vulnerability. In fact, "define: Vulnerability" in Google returns this definition: "A flaw or weakness in system security procedures, design or implementation that could be exercised (accidentally triggered or intentionally exploited) and result in a harm to an IT system or activity"

Up next is a post from Matt Blaze's Exhaustive Search. He's asking that security researchers and cryptanalysts stop using terms such as "breaking into" and "cracking" because of the negative connotations that they have. I like the idea... so now the question is... Can we find new terms that we can all agree on?

I guess my quick list of short posts is turning into something rather long... but I swear I'm almost half done.

One of the things I've done with my blog is join the Security Bloggers Network... which provides a nice RSS feed with several blogs all rolled into one. One of the blogs belongs to the "founder" of SBN, Alan Shimel, who has a... well... interesting blog. I'm quite often surprised, shocked and sometimes left shaking my head at posts that he writes (I've never met him, so I don't know if he's gutsy or stupid :) (although I'm going with gutsy))... but sometimes they inform me of something I didn't know. Today I thought I'd been informed of something I wasn't aware of... a secret meeting on security being held by Microsoft. Then Matasano cleared things up for me. The meeting has an agenda online (complete with information on who could register and how to register)... Then I remembered why it seemed so familiar... there'd been an email to one of the mailing lists inviting ISOI attendees to dinner and drinks (membership to the mailing list is required).

Item 1 Million on today's daily link list: A new version of honeytrap has been released.  That was so short that I'm going to stick a second link in the same paragraph: An article claiming that 25% of computers on the internet are involved in botnets.

Another interesting tidbit was an article on Emergent Chaos regarding the Three Types of Authentication. The linked article (and driver for the post) is definitely worth the read.

One more site that will only get a brief mention.... Security Bullshit... weekly cartoons based around the security industry... So far there are 4 and they are all worth a laugh.

Lastly (I think), we have a small write-up by Anton Chuvakin on the ROI on Getting your Ass Whooped. It was inspired by another blog post, one with non-humorous content, but even without reading it, you're sure to get a kick out of Anton's post.


Daily Link List

January 24th, 2007

I've been a little quiet lately... mostly because things have been hectic at both work and home.. but I figured I should at least make an appearance. I decided to provide a daily link list (something I haven't done in a bit) with some of the cool things that I found as I was reading blogs (which is a nice wind down to end a busy day)..

Freedom to Tinker, which is a really great blog, had an interesting article today on Diebold voting machines. It seems that Diebold members can order keys to the voting machines from their website... You have to be a member to do this... so no big deal right? ... Wrong... They also provide images which are more than sufficient to produce keys that can open the voting machines. The article provides details and a video on the reproduction and use of these keys.

Mozilla announced the release of Mozilla Thunderbird 2 Beta 2 today.

There's a small write-up on gotspeech.net on using Wireshark to debug SIP... Nothing new if you've used Wireshark before but a cool application of the software for those that haven't seen it before.

The SBS Diva Blog pointed me towards an interesting article on eWeek... although rant might be a better word than article. The Author of this opinion piece cries foul because Windows Update installed IE7 on his computer... without his knowledge and it was impossible for him to uninstall it. The SBS Diva blog makes an excellent point that he had to agree to the EULA in order to install it... so I guess the question then is, "Can you blame users for "automagically" clicking through screens?"... I may answer that in the future.

I decided I wanted to see just what happened, so I jumped on my fiancée's Windows XP Home PC... Sure enough the January Updates had been installed (via Automatic Updates) yet she was still running IE 6. Just to be sure, I logged onto Windows Update and took a look... I can see KB929969 (MS07-004) has been installed, as has the January Malicious Software Removal Tool... So, I look under updates... sure enough IE 7 is listed... and right next to it... a check box so I can decide if I want to remove it or not... I don't see Microsoft forcing IE 7 on her. In fact it looks like she has plenty of choice.

Now another issue mentioned was uninstalling it... Time to check my Windows XP Pro PC which is running IE 7... Control Panel --> Add Remove Programs --> Windows Internet Explorer 7... Highlight and click Remove. Now before the uninstall would proceed I was asked if I was sure I wanted to remove IE 7 as other software had been installed since its installation and it couldn't guarantee that software would continue to work if it was reliant on IE 7... and that's understandable.

The last issue is that the author of the eWeek article makes the argument that this doesn't belong in Windows Updates which is for Security Updates... Windows Updates is for updating Windows... I've seen Media Player, .Net and other Non-Security Updates there... I've even seen driver updates... IE 7 was listed as High Priority but not pushed onto users.. This makes sense to me... I would even go so far as to argue that IE 7 is indeed a security update when you look at the new features it contains.

Now I'm off to reinstall IE 7 on my PC.

Lastly, I wanted to pass on this email from the WebApp Sec Mailing list:

The Web Application Security Consortium (WASC) is seeking contributed 'Guest Articles' by industry
professionals on the latest in trends, techniques, defenses, best practices and lessons learned relevant
to the field of web application security. Articles will be reviewed by our peer review team which will provide
feedback and suggestions, as well as be promoted and marketed by WASC. Article submissions and comments may be sent to articles_@_webappsec.org. 

That's all for now.

Peace,
HT


Update on Blackberry PDF

December 3rd, 2006

So since my post mentioning the blackberry PDF a lot of people have emailed me to ask if I've found the document yet. The answer is yes... However I'm not going to post it here... simply because of bandwidth issues. Also milw0rm has recently had it added to its collection, so those of you interested in reading it can download it from here.

Peace,
HT


A few interesting things

November 21st, 2006

Just a couple of things I wanted to touch on (I know... I'm due for a decent post in the next little bit)..

First and foremost, if anyone missed this, Argeniss (Makers of the Ultimate 0Day Exploits Pack for Canvas) has announced that in December they will be running WoODB (Week of Oracle Database Bugs). For one week, they'll release a new Oracle 0Day each day. If other users are interested in contributing, they are going to expand the "project" beyond a week.

Previously, I had mentioned Lauren Weinstein's ridiculous blog post on Google's Click-to-Call and I even gave a simple solution that would solve the problem. Lauren has a new blog post out; he has essentially ripped off my idea.

Lastly, I wanted to direct attention to Websense and their Malcode of the Week. This week they've got a very cool breakdown of an MS06-067 exploit. It's definitely worth reading.

Peace,
HT


Just a quickie.

November 16th, 2006

This is just a quickie to share some of the more interesting points of the day... nothing too long but hopefully it'll still be informative.

It's the little things in Gmail - A run down on the Google blog of some of the smaller additions to Gmail that they really enjoy.

Public PoC released for MS06-070 - The MSRC is reporting a new MS Advisory addressing a recently posted public PoC for the vulnerability addressed in MS06-070. As I post this the advisory link doesn't seem to be working.

Interview with LMH - eWeek sat down and had a little chat with LMH (The mind behind MoKB). It's an interesting read.

Like I said... short and sweet today...

Peace,
HT
