Friday, June 29, 2007

Malicious payload based on user-agent string

Websense Security Labs has a blog post about a malicious site serving up payloads based on the HTTP user-agent string. This is something I've seen in the wild many times, and I kind of thought it was old news. The easiest way to get around this kind of simple protection is to set the user-agent string sent by wget. You'll want to use the "--user-agent" option, and there is an extensive list of user-agent strings at

Pro-tip: a generally malware-ok user-agent string is
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Update: You can also do this.
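As an added illustration of the behaviour the post describes (my own example, not code from the post or from Websense), the script below fetches one URL under several User-Agent strings and hashes each response; more than one distinct hash means the server is varying its content by client. The `fake_site` fetcher is a constructed stand-in so the example runs offline; pass `fetch_with_urllib` instead to survey a live URL.

```python
import hashlib
from urllib.request import Request, urlopen

# UA strings to compare: the "malware-ok" string quoted in the post, plus two
# constructed stand-ins (an analyst's wget and a search crawler).
USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "Wget/1.10.2",
    "Googlebot/2.1 (+http://www.google.com/bot.html)",
]


def fetch_with_urllib(url, user_agent):
    """Fetch url once, sending only the given User-Agent header (uses network)."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=15) as resp:
        return resp.read()


def survey(url, agents, fetcher=fetch_with_urllib):
    """Return {user_agent: sha256 hex digest of the response body} per UA."""
    return {ua: hashlib.sha256(fetcher(url, ua)).hexdigest() for ua in agents}


def cloaking_report(digests):
    """Group UA strings by the body they got; >1 group means UA-conditional content."""
    groups = {}
    for ua, digest in digests.items():
        groups.setdefault(digest, []).append(ua)
    return groups


def is_cloaked(digests):
    return len(cloaking_report(digests)) > 1


def fake_site(url, user_agent):
    """Constructed stand-in for the site in the post: only old-IE clients
    receive the different (payload-bearing) page. No network access."""
    if "MSIE 5.5" in user_agent:
        return b"<html>payload-bearing page (constructed)</html>"
    return b"<html>innocuous page (constructed)</html>"


if __name__ == "__main__":
    digests = survey("http://example.invalid/", USER_AGENTS, fake_site)
    for digest, uas in cloaking_report(digests).items():
        print(digest[:12], uas)
    print("UA-conditional content:", is_cloaked(digests))
```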

Wednesday, June 27, 2007

Virtualization Threats Ahead

This is exactly a point I've been trying (and failing) to express clearly of late. From How 9 Hot Technologies Can Blow Up In Your Face on InformationWeek.
If organizations keep expanding server virtualization without taking into account what makes virtual machines different from physical ones, they'll open new doors for intruders into the data center. We can't identify the precise nature of the threats, because they haven't yet materialized. But anyone who takes comfort in that fact hasn't been paying attention to information security the past couple of years.

Thursday, June 21, 2007

Still not a zealot...

But about half of Slashdot Is Not Getting It At An Olympic Level.

In summary,

Some guy:
open source = you can see the source

Bruce Perens:
Sigh. I imagine you use some of this Open Source software sometimes. Please try to get your head around the fact that it would not be possible for such software to exist and for folks like you to benefit from it, unless it was developed. And it would not be developed without a developer community, and that community would not be able to do their work unless they had the right to modify and redistribute the software. Thus, Open Source must be more than just visible source code - it has to include the right to distribute and modify, and it also needs the right for you to use it. So, that's 4 things - source, use privilege, distribution privilege, modification privilege and there's a bit more. Years ago, I wrote down what was necessary for software to be Open Source, and OSI uses that Open Source Definition to classify licenses. It is not an arbitrary thing.

Wednesday, June 20, 2007

Spamming with Google Docs

I frequently use Google Docs and Spreadsheets to manage and share various documents. I was surprised to log in today and see a document I didn't recognize in my list. When I logged into my email, it turned out that it was a legitimate document shared amongst a group of acquaintances, but it got me thinking. Couldn't a spammer just as easily have done the same thing, and bypassed my spam filters besides?

I downloaded a "pump and dump" spam image and created a document that looked like this. Then, I added as "viewers" another of my Gmail addresses, a non-Gmail address, and a friend's Gmail and non-Gmail addresses.

In every case, the notification email came right through as "I've shared a document with you called ..." with a link. The social engineering aspects here are:
  • the email comes from Google
  • the link goes to Google
  • the text of the email is familiar and non-threatening, especially to users of Google Docs
It is ultimately NOT difficult to convince a user to click on this link (I probably would), and it's not likely to be filtered as spam.

The additional benefit, of course, is that you can dump documents right into a Google Docs user's main document view without any filtering at all, just by "sharing" the document. Imagine logging in one day to find your list of documents shoved down to make room for a list of docs with titles like "Buy cheap Viagra online!!"

I'm not sure if Google is already watching for accounts that have a high level of document creation/sharing activity, but if not, they probably should be. Additionally, they may want to consider options to allow users to keep newly-shared/unconfirmed documents out of the default view, or to limit whose shared documents they accept at all.

Friday, June 15, 2007

Patching vs. protection

I recently received a secondhand account of a system administrator's argument against patching Office. Though not a direct quote, the sentiment was essentially this: "Shouldn't our antivirus protect us from having to patch?"

I have a little security angel on my shoulder who cringes when he hears things like this; but I've also got a devil, who asks "well...isn't it true?"

The answer, of course, is an emphatic NO. Antivirus software is able to protect against specific known threats and suspicious behavior, but the important thing it DOESN'T do is close your security holes. Antivirus addresses attacks -- patching addresses vulnerabilities. In a perfect world, we do both; certainly attempting to substitute one for the other is a terrible mistake.

Tuesday, June 12, 2007

A Quote from Dave Aitel

Two quotes in a day? This one was too good not to repeat. Dave Aitel had the courage to say it:
...people derisively say "script kiddie" and 100% of the time they mean "someone who's way better at security than I'll ever be".

Too true. There are very few people in the world who can look down on the so-called "script kiddie," and a LOT more than that who THINK they can.

Threat Analysis: Auditors, Obv

This actually came from a spam email. I assume it originated elsewhere, but I'd never heard it before:
"Hackers may find you; auditors WILL find you."

Thursday, June 7, 2007

Career Goals

This is an email I wrote in a conversation with a friend working in IT security who is considering whether to major in computer science or something more "business and IT" oriented. He asked my advice, so I asked what his career goals were. He replied that he didn't have any, and this was my response.

I didn't edit before posting, so forgive any errors in spelling, grammar, or punctuation.

Goals are critical…they don’t have to be extremely specific, but if you’re doing something like declaring a major, your goals should be at least specific enough to allow you to do so.

So, my long-term career goals are pretty simple, being basically along the lines of “work in IT in a hands-on technical role” which could include programming, systems administration, etc. Point being that it’s not incredibly specific (notice it doesn’t even specify IT security), but it’s enough to let me know that a comp sci degree is in line with my goals.

Keep in mind that career goals don’t need to necessarily be about a specific type of work. Mine are, but only because I’m passionate about IT. Some people may not care what type of work they do, but want to make as much money as possible, for example. Others might want to help people, and would be equally satisfied as a doctor or as a guidance counselor.

Ultimately what I’m getting at is that you should determine what you want your career to accomplish in the larger context of your life, not necessarily what field you want to be in.

That being said, if you’re into pursuing security further, and you’re finding that you prefer the technical aspects of it to the regulatory/administrative aspects (hate to meet the person who preferred the latter), I would definitely major in computer science. Security can be as technical as you can make it, being by necessity and by definition at the cutting edge of technology. The better equipped you are to deal with technology, the more opportunity you have in security. That being said, a computer science degree lays the groundwork, but it’s really important to put in additional work doing certs/training, and definitely to do your own projects/research. A potential employer for, say, a pen-testing job will most likely be more impressed by someone who says “I don’t have a degree, but I discovered 3 remote roots last year and developed and released Tool X and Tool Y.”