Wednesday, September 16, 2009

Security Advisory Lingo Demystified F'Reals

Inspired by Cisco Security Advisory Lingo Demystified.

Remote code execution: Can be used to pop up porn ads and send spam.

Mitigating factors: Bold-faced lies.

Workarounds: Hold onto your butts, we're not patching this anytime soon.

Not exploitable in the default configuration: Remote code execution.

Limited targeted attacks: You've been owned 6 times in the time it took you to read this.

Responsible disclosure: Researcher allowed the vendor to drag their feet for 18 months in order to ensure credit in the advisory.

Crafted packet: Who knows, Metasploit does all that nerd stuff.

Denial of service condition: Remote code execution.

Friday, September 11, 2009

Krpata's Law

Godwin's Law: "As a Usenet discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches 1."

Krpata's Law: As any online discussion grows longer, the probability of someone linking to XKCD approaches 1.

Friday, September 4, 2009

Interesting Firefox Alert

Not sure I know what this means or whether it's useful yet, but if you try to make Firefox FTP to an SSH server (ftp://whatever:22) and hit Stop before it times out, it'll pop up an alert with the SSH version string.

Happens the same way whether you put it in the nav bar, img tag, script tag, or whatever. Wonder if there's any way to get at that programmatically.

Wednesday, September 2, 2009

DFU Mode

If you're uncoordinated and easily confused like I am, here's a video on how to put your iPhone into DFU mode that even I was able to follow. Thank you, random college kid and wandering roommate.

Thursday, August 27, 2009


Ok, I'm apparently not going to get around to a full recap of Blackhat/DEFCON, so here's some bullet points.

  • Shawn Moyer/Nathan Hamiel talk was first and probably best at BH. I don't think most people got it. I'm not sure I even 100% got it.
  • Thanks to the DEFCON goons who got me into the BH speakers party. Maybe next year I will be there for real.
  • WhiteHat dinner was excellent! Good people over there.
  • Mandiant training was good. A little more "find malware in Windows boxes" than I'd have liked, but overall a very valuable experience.
  • HackProv! (Did you know that Chicago plays "Big Buddha" differently than Boston? They use swears.)
  • Badges by December. Seriously badge fail.
  • My favorite moment of the whole trip was making an analog iPhone amplifier out of a plastic cup and Seventeen magazine at the Riv bar at like 3am.
  • Also, some dude was like "I don't think you guys like the same music as me" but it turns out his iPod was loaded up with 90's industrial and we were all like "sup man"
  • Honestly by the time DEFCON rolled around I was pretty much talked out, I only ended up going to a very small number of talks. "The Psychology of Security Unusability" was excellent but much too rushed
Hallway/bar track was the best. Met a ton of cool people, and probably (maybe?) justified the money my company spent to send me out there. Definitely looking forward to next year, though I may skip the training.

Friday, August 14, 2009

XSS-ing the user agent. Is there a point?

Still haven't gotten around to recapping the rest of BlackHat/DEFCON. It's still on the list. In the meantime...

I've been seeing a lot of this lately:
User-Agent: <script>window.location='http://somewhere'</script> (compatible; MSIE 7.0; ...etc etc)

I'm not sure if this is attacking a specific vulnerability, or just trolling for unknown XSS vulnerabilities. Doesn't seem like the most subtle way to do it in either case. Anyone know?

Tuesday, August 4, 2009

Post BlackHat/DEFCON

Unfortunately the blogging failed closed after Blackhat Part 1, as the network got a little too dangerous to start throwing my Blogger credentials across it.

I have a ton to write about, and it's going to take me several posts. In the meantime, DEFCON BEES

Sunday, July 26, 2009

Blackhat, Part 1

My first two days of Blackhat are complete. This weekend I took the "Web Application (In)Security" course by NGS Software. The class was taught by Dafydd Stuttard and Marcus Pinto. It covered pretty much every web application security topic you can imagine, and was heavily focused on attack, rather than defense. It seemed very oriented toward pen testers.

Before the class started, I had some doubts about whether it would be too basic. While most of the topics covered were topics I was already familiar with, the course material as a whole was intermediate to advanced. Dafydd and Marcus really know their stuff, and it shows. We started going really quickly in day 2, and I think a lot of us were struggling to keep up.

The course was about evenly split between presentation time and lab time. I appreciated the hands-on approach. These guys had a TON of labs available. I actually was kind of annoyed at the absolute impossibility of completing all the labs in the time given, but I think the point was to make sure nobody ran out of work to do. I don't think anyone was expected to complete them all.

We were encouraged to use Burp Suite, and many of the examples were shown using Burp. I'd never used Burp before, thinking it was just another localhost proxy. Turns out I was very wrong. Burp is an extremely powerful, flexible, and complete web application security tool, and I will definitely be using it in the future. I'd say this aspect of the course was worth the price of admission.

We finished out the course with a CTF game, which always makes me happy. I wish we had a little more time to work on it. (And I'm happy to say that I spent most of the game near the top of the leaderboard.)

My only real complaint about the course is that there seemed to be way too much material for two days, and it felt very rushed. (Also, the room was absolutely FREEZING.)

In other Vegas news, I kind of feel like I should be putting some more effort into making some friends here. I haven't really been socializing outside of class. I've spent some time on the poker tables, but I've been taking a beating and am busted out. (Last night I went to the felt on a flush draw with two overs, caught my flush on the river, turns out I was drawing dead to a boat. Part bad luck, part bad play.)

Also, there is absolutely nowhere to eat here that costs less than a million dollars.

Friday, July 10, 2009

Tyler Krpata: Picks for BlackHat 2009

As prompted by Jeremiah Grossman: Picks for BlackHat 2009

Day 1
  • FX: Router Exploitation
  • Nathan Hamiel & Shawn Moyer: Weaponizing the Web
  • Eduardo Vela Nava & David Lindsay: Our Favorite XSS Filters and How to Attack Them
  • Dan Kaminsky: Something to do with Network Security? (LOLZ)
  • Thomas Ptacek, David Goldsmith & Jeremy Rauch: Hacking Capitalism '09

Day 2
Not that interested in any of the 10am talks, so either
  • Zane Lackey & Luis Miras: Attacking SMS
    • or
  • Tyler Krpata: Sleep Late :)
  • Jeremiah Grossman & Trey Ford: Mo' Money Mo' Problems (and I don't even have to be there!)
  • Kevin Mahaffey, Anthony Lineberry & John Hering: Is Your Phone Pwned?
  • Turbo track
    • Steve Ocepek: Long-Term Sessions - This Is Why We Can't Have Nice Things
    • Peter Guerra: How Economics and Information Security Affects Cyber Crime
    • Michael Brooks: BitTorrent hacks
  • Bruce Schneier: Reconceptualizing Security

Thursday, July 9, 2009

Email From Security

From: Security
To: User
Subject: Cut the shit


This email is in regards to your recent download of "Ja Rule - R.U.L.E."

First of all, who the fuck listens to Ja Rule. I mean really.

Let's be clear, I could give a fuck less if you want to pirate music. Hell, I'm in FAVOR of illegal downloads. Nothing like Robin-Hood'ing those motherfuckers. When I have to think really hard before buying a DVD or a six pack, while the latest MTV flash-in-the-pan has 18 diamonds glued to his teeth, I think we can agree the recording industry is corrupt as hell and deserves what they get.

But regardless, for better or for worse, I'm the one stuck wasting my time responding to DMCA complaints when your stupid ass decides to use your employer's internet connection to download this shit. I know you don't realize it, but every time you do something stupid, a little alert pops up on my desktop, and then I have to do something about it. Believe it or not, I have better things to do with my time. Those Facebook status updates don't write themselves, you know.

In short: smarten up, or I'm changing your desktop background to lemonparty and disabling all your accounts.


Monday, June 29, 2009

Random iPhone thought...

I just had a wild thought. If someone's got the audible clicks going on their iPhone, could you sniff their typing based on the relative time between keystrokes?

Thursday, June 11, 2009

Decode F5 BigIP cookie in one line of Perl

BigIPcookie = 673059850.20480.0000

echo 673059850.20480.0000 | perl -ne'print join ".", map {hex} reverse ((sprintf "%08x", split /\./, $_) =~ /../g);'

Wednesday, May 27, 2009

My Take on Enterprise Vulnerability Assessment

I wrote this in an email today, thought I would clean it up and re-post here. It's in response to the question "why not use an open source vulnerability scanner?" I realize it reads a bit like an ad for QualysGuard. I really like QualysGuard though. (Err, also no offense to Tenable. I like you guys just fine, you know, as people.)

The only free product in this space that’s considered “enterprise class” is Nessus. (As of Nessus 3, the license is no longer “open source”. Free as in beer.) The problem is there’s no central management. In fact, Tenable sells a commercial management system for enterprise Nessus use for that very reason. I’ve looked into Nessus/SecurityCenter in the past, and found the interface to be barely usable and the false positive rate through the roof… basically it was nearly impossible to get actionable information out of it.

My opinion is that we want to go with a solution that allows us not only to check the compliance checkbox, but to actually improve our overall security posture. Any vulnerability management program really comes down to the processes in place to prioritize and remediate identified issues, but for that to work, the process needs to be fed good, actionable information. Qualys is the best solution to provide that.

From an operator’s standpoint, Qualys is the easiest solution to manage. This is important once you are scanning more than a small network, because unless you’re able to organize, it’s really difficult to accurately classify assets and report on vulnerabilities. Again, it’s a matter of getting the right information, and then getting it to the right people.

I’m a big fan of open source/free software when appropriate, but I’ve found that for most security applications, open source lags pretty far behind. The big name open source security products generally have a commercial enterprise component for management of larger installations (Tripwire, Snort), and for good reason. Once you’re beyond a very small target network, the volume of information is such that it’s really impossible to get any useful information out if there’s no central management, reporting, etc.

Monday, March 23, 2009

Conficker: Fact or Fiction

The web-o-sphere is abuzz with news that Conficker.C (a.k.a. Downadup.C) is preparing to implement its new update scheme on April 1, or as one article so sensationally put it, "No Joke - Conficker Worm set to explode on April Fool's Day!" All the trolls are out, and it's clear that there's a generally poor understanding of the issue out there. This post is an attempt on my part to correct some of the myths, to the best of my ability. Comments are appreciated.

Fiction: This is easy to fix! Take down the command and control machine and/or infiltrate the botnet and upload self-destruct code and/or create a white hat worm to repair infections!

1. There IS no C&C. Updates are propagated through a (newly) robust P2P mechanism. It does rely upon communicating with a predetermined domain name generated by date. Until revision C, this was a list of 250 domains per day, which were eventually prevented from being used by the good guys. Unfortunately, the newest update expands the space to 50,000 domain names per day, which is effectively logistically impossible to control.
2. Infected hosts will not execute arbitrary code. All updates are digitally signed with a key known only to the authors.
3. That's worked real well before. The idea is generally agreed to be ethically ambiguous, of dubious effectiveness, and most definitely illegal.

Fiction: April 1 we are all doomed!

Fact: Shades of Michelangelo! The fact is that the Conficker botnet does have the potential to cause some pretty severe damage on April 1. The more likely scenario, though, is that if it does anything at all on that date, it'll be another update that provides it with additional functionality. The end is (probably) not near. In the long run, this system is more likely to be used for blackhat money-making activites rather than some Internet-ending attack. I don't mean to minimize the damage potential, but I don't think it's time to panic and unplug everything from the network on April 1.

Fiction: Buy a Mac (Linux, BSD, Commodore 64, etc.)

Fact: It seems like the smug, self-satisfied Mac and Linux users can't hit the keys fast enough on this one. Ok, so the fact is that this particular malware does not target any non-Windows OS. This in no way proves the numerous comments that Mac and Linux systems are virus-immune. Market share is the key here. There's no real gain to be had by a malware author who infects some small percentage of what's already a small percentage of installed user base. If there's one thing NOT to take out of this, it's that "Macs are more secure."

Fiction: This seems bad. I am worried about my own computer.

Fact: If you're aware that Conficker exists, you're probably adequately protected. It would be a rare case where a regularly-updated system with working antivirus would be a victim of this malware. The systems being compromised are probably not yours. Sure, definitely check for it. But you should be worrying a lot more about the threat FROM other people's computers.

To close out, the fact is that whoever is behind this monster has proven to be very technically competent and pretty well on top of their game. Fact is, nobody really knows what they are up to. I don't think there's any cause for panic, but the Conficker botnet is essentially an incredibly powerful illegal supercomputer, and very well could be used to cause some serious damage. It's important to be diligent while keeping perspective.

Friday, March 20, 2009