
Archive for the ‘Security’ Category

Security Implications of Microsoft Tags

So, as I said yesterday, I'm a big fan of Microsoft Tags. There have been many times when I've been out and about and seen an ad or poster that I wanted more details on; snapping a picture of a small barcode is much easier than jotting down the details. However, as I played with creating my own barcodes last night, I thought about the security implications of them.

Let's imagine it's a year from now and tags are wildly popular. They are on every concert poster on every light post on the street. They are on billboards, bus schedules and in stores (put a barcode on your box so shoppers can pull up additional product info). Everyone is snapping pics and storing information. It's fast, it's easy and it's convenient.

Now I come along, Mr. Malicious... I visit the Microsoft Tag website and create tags pointing to malicious sites. The site detects if you have a Blackberry, iPhone or Windows Mobile and serves up custom browser exploits. I print out hundreds of these tags and start going into stores and pasting them to products, or walking down the street and covering up the tags on the posters with the malicious tags.

There's no confirmation of the site you're visiting, no testing (that I'm aware of) to ensure the link in the tag isn't malicious. Where's the defense against this?

What if they contain a malicious vCard file that harvests your contacts, or turns your phone into an SMS spamming device?

I realize that Microsoft Tag is still a beta product, but I'm wondering what thoughts Microsoft has had around tag security, if any. Before I become too attached, it would be nice to know that when the subway gets Tag support, I won't be killing my phone by snapping the tag to get updated route schedules.

Categories: IT, Security

How Hard is it to Get Your SSL Cert Right?

Guess what, this isn't a post about the recent Rogue CA presentation... just something I came across that frustrated me.

I recently went to check out adsense to see if it's ever actually made me any money. Being Canadian and using google.ca hourly (since google.com forces me to google.ca I might as well type it myself), I typed in www.google.ca/adsense. I was kicked over to https://www.google.ca/adsense and had the following appear in Firefox

I know it's obvious what the problem is, but let's look at my other screenshots since I took the time to take them.

Now why can't a company like Google get their SSL certs right? How is the general public ever supposed to trust SSL if major web-based companies are too lazy to get proper SSL certs? I'm rather disappointed by this. I've trained some of my family not to venture into sites with improper SSL certs (or at least to investigate them first), and this would confuse them and set all the effort I've made back several steps.

We always talk about educating the user, and I believe that SSL is something we can properly educate the end user about; however, that requires an effort on the part of the website / vendor in question. This time Google has failed.

Categories: IT, Security

Playing with Python – nmap XML port frequency

Two Python libraries have caught my attention lately: the first is lxml and the second is matplotlib. Ideally I wanted to write something short, just to get a feel for the basics of them. The goal was figuring out what I could do quickly so that I could play around with arguments and output, yet still have an actual result. I also wanted a nicely formatted, useful XML file to parse. I ended up going with nmap's XML output. I also decided that I would plot the frequency of ports in the file.

Is this useful... perhaps? I could see a sys admin wanting a count of specific open ports on the network or a pen tester wanting to know the most common ports on a target network.

The Python script is extremely basic and is called via nmap_port_frequency.py <XML Input> <png Output>. The result is an image similar to this:

The above image is the output from scanning three hosts.
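As an added example (not the script from this post), here is the counting half of that idea written against the standard library's xml.etree rather than lxml, with the matplotlib plotting kept in its own function so the counting runs even where matplotlib is not installed. The nmap XML for three hosts is a constructed sample, not a real scan.

```python
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed nmap-style XML for three hosts (not output from a real scan).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/></port>
    <port protocol="tcp" portid="80"><state state="open"/></port>
    <port protocol="tcp" portid="443"><state state="closed"/></port>
  </ports></host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/></port>
    <port protocol="tcp" portid="445"><state state="open"/></port>
  </ports></host>
  <host><address addr="192.0.2.12" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="filtered"/></port>
    <port protocol="tcp" portid="80"><state state="open"/></port>
    <port protocol="udp" portid="161"><state state="open"/></port>
  </ports></host>
</nmaprun>"""

def port_frequency(xml_text, state="open"):
    """Count how many hosts have each (protocol, port) in the given state."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    for port in root.iter("port"):          # one <port> element per host/port pair
        st = port.find("state")
        if st is not None and st.get("state") == state:
            counts[(port.get("protocol"), int(port.get("portid")))] += 1
    return counts

def plot_frequency(counts, png_path):
    """Bar chart of the counts, most common first; matplotlib imported lazily."""
    import matplotlib
    matplotlib.use("Agg")                   # headless backend, write straight to PNG
    import matplotlib.pyplot as plt
    items = counts.most_common()
    plt.bar(range(len(items)), [n for _, n in items])
    plt.xticks(range(len(items)), ["%s/%d" % k for k, _ in items], rotation=45)
    plt.savefig(png_path)

if __name__ == "__main__":
    import sys                              # usage: script.py <nmap.xml> [out.png]
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    counts = port_frequency(xml_text)
    for (proto, port), n in counts.most_common():
        print("%s/%d: %d" % (proto, port, n))
    if len(sys.argv) > 2:
        plot_frequency(counts, sys.argv[2])
```

The same counter run with state="filtered" or "closed" gives the other half of the picture, which is often what you want when checking that a firewall policy actually applies across the whole range.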

Categories: IT, Python, Security, Tools

Scan-Me.org

I shared a while back that I had decided to pick up two dedicated servers... rather than worrying about buying hardware and paying colo fees, I went with just paying fees... high fees, but fees nonetheless. I picked up one Windows machine and one Linux machine and I've been playing with them quite a bit.

One of the things I got to do was remember everything I learned in school and configure various services in a working "production" state. It's one thing to set up a piece of software to test against... it's another to configure it and lock it down to a state you're comfortable having online.

One of the things I decided to do was to pick up an extra IP and set up nepenthes listening on it. I decided to register the domain scan-me.org to attach to it. The domain may seem too obvious, but I figure automated tools look at IP addresses or at links to domains (hence the required link for any bots to pick up).

I've had it listening for about a month with nepenthes 0.2.0. I attempted to upgrade to the latest svn version so that I could include the listener for MS08-067 but my first attempt went rather poorly and I ended up with nothing listening. I'm back to 0.2.0 for now, however I do plan to attempt another upgrade in the near future.

I'm hoping that mentioning the domain here will increase the number of scans and the quantity of traffic it sees (anyone who wants to, feel free to repost the address), as I've seen limited samples coming in so far; however, those samples do make for some fun nights (I suppose I have an odd definition of fun).

Anyways... I just wanted to share that I had nepenthes running and get a blog post out with the domain mentioned. In the upcoming weeks I hope to post some write-ups related to the samples I'm seeing.

Microsoft Out-of-Band Bulletin

So, for anyone who didn't get the email, or hasn't heard yet... it looks like Microsoft is releasing an Out-of-Band Bulletin tomorrow. I'm excited to find out why there was cause for an emergency patch release.

Side Note: Possibly the shortest blog post ever.

Categories: Security

NoScript Force SSL

I've always commented that I'm not a big fan of NoScript... I find browsing "modern" websites to be almost impossible with the plugin installed. For this reason, I don't know how popular it is with "the masses". That being said, I use it because a hindrance is better than a gaping security hole.

However, I've now found what I feel to be the best feature in NoScript: the ability to force HTTPS. Sites like LinkedIn have always had issues providing adequate HTTPS support. There are other sites that are HTTPS only, yet don't redirect HTTP to HTTPS. I've always found these issues to be frustrating. NoScript has solved these problems.

I've inserted a number of common websites I visit into the force HTTPS dialog and now, even if they have flaky HTTPS support that pushes you to HTTP on every request, I'm always using HTTPS. If I type in an address manually to a site that's configured only for HTTPS, NoScript forces the connection over to HTTPS and I no longer curse and go to the address bar to add the 's'.

This is an amazing feature and has greatly increased the value of NoScript in my eyes. Given that this isn't the core focus of the plugin, it's probably the single greatest addition that could have occurred.

Update

Marcin just pointed out that LinkedIn public profiles don't exist over HTTPS (treguly (http) works, treguly (https) doesn't).

To resolve this, simply add www.linkedin.com/in/ to the "never force https connections" portion of NoScript.

Categories: IT, Security, Tools

SecTor Goodies

So I spent today in training at SecTor. I attended HD Moore's metasploit training and rather enjoyed myself... I picked up a couple of things that I'd previously been unaware of. Since I was already onsite, I took advantage of the open registration booth and picked up my SecTor goodies.

Instead of the cooler bag (last year's very cool SecTor registration goodie), there's a rather nice tote with the SecTor logo on it. Inside the bag was the usual advertising literature, a nice Leed's notebook with a metal (I think) cover bearing the SecTor logo, a pen, and a BlackBerry screen cleaner.

The badges are quite nice... given that the program includes a picture of the DefCon badge, I imagine they were trying to go with something along those lines. Rather than the hard plastic, "corners will cut you when you attempt to touch it" badge of last year, the badge this year is rather cool. There's a USB cable enclosed on the back of the badge and when you connect it, you find that it's a 1GB storage device. Definitely a step up.

I took pictures to attach, but I'm getting an error, so I won't be uploading them tonight... I'll try again tomorrow.

Now given that it's 2AM and I'm meeting people for breakfast in 5.5 hours, I should probably grab some sleep... but on that note... The program this year doesn't mention a breakfast, so some of us are meeting at Cora's on Spadina (not far from the MTCC) at 7:30 if anyone happens to read this between now and then and wants to join us.

Categories: IT, Reviews, Security

Google Chrome DoS

Well, it certainly didn't take long... I noticed this on milw0rm this morning. It seems that someone has found a DoS in Google Chrome. What's interesting is that one of the things Chrome does is process separation between tabs (or so they claim), yet this DoS manages to take out all of Chrome, not just the tab you visit the page in.

Original Advisory with PoC (Note that you don't even have to click on the PoC link in the advisory. You can cause the crash simply by mousing over it.)

SecTorAttendees.com

Just a quick little note to share with people. In my efforts to add to the social activities associated with SecTor and to foster discussion, I've created a new website, SecTorAttendees.com. On the page you'll find a forum and a mailing list. I would invite everyone who is attending SecTor to join both and share in the discussion. For those of you who aren't quite sure yet, sign up and you'll most likely find a reason (hopefully in time to beat the end-of-August price increase)... and for those of you who can't make it to SecTor this year, you're all welcome as well; you'll see what's happening so that you can make it next year.

Categories: IT, Security

Five Part Non-Technical Series

Hey All,

I wanted to do a brief repost over here to direct everyone to the 5-part non-technical blog series that I did on cons (for the most part) and con experiences. This was my contribution to blogging following Blackhat / DEFCON.

  1. Being a Research Engineer at a Blackhat Booth
  2. Competitors Can Be Civil
  3. Why DEFCON Sucks
  4. Why the Social Aspect of Cons is Important
  5. What Can Be Done to Improve the Cons

Enjoy!