August 2nd, 2007 by rybolov
Yesterday I got a hasty call from Jon D about my server. He had checked out my blog from work and within an hour got a call from a Symantec SOC that he was looking at a web page that was part of a botnet.
So he called me.
Back 4 years ago I had set up an IRC network for a friend, including my server as one of the nodes. Over time the network died, as they do, and when I moved the server a couple of times over the course of several years, the ircd didn’t come back up. The ircd.conf didn’t match up with the network interfaces on the box, so ircd would croak every time it tried to start up.
Well, I guess the last server move did something that the ircd did like because it came back up and stayed up. Bah, that’s resiliency in action for you, kids.
When I got the call from Jon I knew exactly what it was. It took about 2 minutes to ssh in, verify that there were 8 dirtballs squatting on my server, kill the ircd, and kill the line in crontab that restarts the ircd if/when it dies. Problem solved, now back to playing zombie hack-n-slash games.
In an OS sense, there wasn’t a compromise or anything, just the greasies using the application like it was intended to be used, only with a different intent.
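The lesson of that incident is that a forgotten daemon plus a cron respawn line is a service nobody is watching. The following check is an added example, not code from the original post: it compares listening ports against an allowlist and flags crontab lines that respawn a daemon, using constructed sample data in the layout of `ss -H -ltnp` and a user crontab so it runs offline.

```shell
#!/bin/sh
# Added example: audit a box for listeners outside an allowlist and for
# crontab lines that respawn a daemon when it is not running.
# The sample inputs below are constructed; on a live host replace them with
# the output of `ss -H -ltnp` and `crontab -l`.

# Ports this server is meant to expose (constructed allowlist).
ALLOWED_PORTS="22 80 443"

# Constructed sample in the layout of `ss -H -ltnp`:
# State Recv-Q Send-Q Local Peer Process
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=1201,fd=4))
LISTEN 0 50 0.0.0.0:6667 0.0.0.0:* users:(("ircd",pid=2331,fd=6))'

# Constructed sample crontab containing the kind of respawn line the post describes.
SAMPLE_CRONTAB='0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
*/5 * * * * pgrep ircd >/dev/null || /usr/local/sbin/ircd
# comment line'

# unexpected_listeners: print "port process" for every listener whose port
# is not in ALLOWED_PORTS. Argument: ss-style text, one socket per line.
unexpected_listeners() {
    printf '%s\n' "$1" | while read -r state rq sq laddr peer proc; do
        port=${laddr##*:}                    # strip address, keep port
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;                  # expected, skip
            *) name=$(printf '%s' "$proc" | sed 's/.*(("\([^"]*\)".*/\1/')
               printf '%s %s\n' "$port" "$name" ;;
        esac
    done
}

# respawn_lines: print non-comment crontab lines that test for a process and
# then start something (pgrep/pidof/ps|grep followed by || or ;).
respawn_lines() {
    printf '%s\n' "$1" | grep -v '^#' | grep -E 'pgrep|pidof|ps .*grep' | grep -E '\|\||;'
}
```

Run both functions from a daily cron job and alert on any non-empty output; an ircd on 6667 that nobody remembers installing is exactly what this catches.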
Posted in Hack the Planet, Technical, The Guerilla CISO |
2 Comments »
August 1st, 2007 by rybolov
I’m not Lord Nikon, but I play him at lunchtime. A guy can always pretend, can’t he?
You see, here in “occupied” Northern Virginia, we all work for either the Government, contractors, IT companies, or any combination thereof. Everywhere you go, you have a badge. Most badges have at least two things: the company name and the employee’s name. Looking at my “25 pieces of flair”, I see that you can even get my middle initial and where I work.
If all this sounds exactly like seed material for your password seed files, well then it just might be. Not really what I would call earth-shattering ‘leet skillz, but it might be enough to get a foothold if you’re targeting one company in particular–find the nearest lunch spot and look for the right logo, check the web for @targetcompany.com email addresses, note the smtp headers to see what kind of a user naming convention they use, and mung your collected names list into the right format.
Then get hacking! That’s an exercise left to the reader, just follow the golden rule and “never hack from home.”
Anyway, my little lunchtime distraction is to notice how many organizations I can see standing in line, talking on the phone, or enjoying their lowfat Atkins-friendly salad. I guess you could say it’s the CISO’s version of buzzword bingo.
But then again, I’ve always been a little bit touched, so this shouldn’t be a big surprise. =)
Posted in Hack the Planet, The Guerilla CISO |
3 Comments »
July 26th, 2007 by rybolov
Nominations for the Pwnie Awards are open until the 28th. It’s still not too late to get in that last-minute nomination for your favorites.
Award categories:
Note that they don’t have a “Most Loveable but Still Harmless Curmudgeon who Obsesses about Flyfishing, Zombies, and a Whole Lot More” category because I could win it hands-down. =)
Deep inside the site is this link: PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability complete with this song:
<Preamble>
Twas the night before Christmas, and deep in IE
A creature was stirring, a vulnerability
MS02-066 was posted on the website with care
In hopes that Team eEye would not see it there
But the engineers weren’t nestled all snug in their beds,
No, PNG images danced in their heads
And Riley at his computer, with Drew’s and my backing
Had just settled down for a little PNG cracking
When rendering an image, we saw IE shatter
And with just a glance we knew what was the matter
Away into SoftICE we flew in a flash
Tore open the core dumps, and threw RFC 1951 in the trash
The bug in the thick of the poorly-written code
Caused an AV exception when the image tried to load
Then what in our wondering eyes should we see
But our data overwriting all of heap memory
With heap management structures all hijacked so quick
We knew in a moment we could exploit this $#!%
More rapid than eagles our malicious pic came –
The hardest part of this exploit was choosing its name
Derek Soeder
Software Engineer
eEye Digital Security
</Preamble>
Posted in Hack the Planet, Technical |
No Comments »
July 18th, 2007 by rybolov
As much effort as we put into badge readers, smart cards, and access control systems, it’s a dirty little secret that they are easy to overcome if you know what you are doing, and the only way to keep you from cheating is to put a “meatgrinder” in your way.
Techniques for getting past card reader systems:
- The Big Box: Hold a box that’s big enough and bulky enough that you need two hands to hold it. Ask a cleared employee to hold the door open for you.
- The Mad Dash: Hide just out of reach of the door. Wait for a cleared person to go inside, then make a “mad dash” to grab the door right before it closes. If you practice, you don’t even have to run to get the door, you use your sense of timing.
- The New Employee: “Hi, I’m new here and they told me it would be a week until I got my badge. Can you let me in?”
- The Clipboard: Hold a clipboard and act like an auditor who is dismayed that they couldn’t get into the area that they need to inspect.
- The Visitor: Ask somebody to sign in so you can legitimately get access to the area. After that, it’s a simple deal to shed your escort.
The commonality to all this is that you’re preying on people’s sense of either being a team player or giving other people some common hospitality. You can teach people to not let anybody else in, but our brains just won’t let us slam the door in somebody else’s face.
Come to think of it, it’s suspiciously like trying to teach your kids not to talk to strangers.
Posted in Hack the Planet, What Doesn't Work, What Works |
3 Comments »
July 18th, 2007 by rybolov
Very interesting article on keyloggers and the AV companies.
I’m sitting here trying to think about the problem, the scenario goes something like this:
- I’m the police/$favorite_member_of_NIC and need to keylog somebody
- I need to get the keylogger to the target and their computer
- I need the anti-malware detector on the target computer to not find my product so I can both get a foothold and continue to collect evidence.
So putting on my thinking cap, this is a fairly complicated attack. Yes, malware vendors do it all the time, but they aren’t selective usually in what their target is–they’re throwing what they have at a bajillion targets and taking what sticks.
In order to do this attack right, I would need to know which type of AV/endpoint security the target uses or I need a technique that none of the vendors know about or how to detect. In order to find out the AV that the target uses, I can either break in, hire a snitch, or use a wiretap to wait for the software to phone home for a signature update. Once I know what exactly the target uses for protection, I can plan the attack.
Of course, this assumes that AV is 100% effective, which we all know isn’t true. =)
Posted in Hack the Planet, Odds-n-Sods, Technical |
No Comments »
June 24th, 2007 by rybolov
I’m sitting here on a lazy Sunday afternoon contemplating this question. Hi, my name’s Mike and I’m a security geek. =)
Yes, MySpace is evil when my wife blows a whole week by designing some really cool pictures just so she can put them on MySpace, so I have a little bit of bias (I mean, my $deity, how many times does your profile name need to be changed per day). =)
But it’s interesting if you go poke around on $favorite_search_engine for something like “myspace spam spyware connection”, you start to find some interesting articles.
Looking around, it should be a little bit of an eye-opener if you’re naive and living in the backwoods of Idaho. I’m willing to bet that at the heart of most social networking sites there is a little PII-gathering daemon that threatens to share our innermost secrets for $5 per thousand. I’m pretty sure that my old boss in startup land had a history of playing with Herbalife, pr0n, and spam^wopt-out marketing, and we were building shopping cart software. Makes me cringe to think that the endgame was selling information, only they didn’t tell me about it. =)
But then again, I don’t think we’ve figured out yet what to do with the massive amounts of data aggregation that google does on the average web user.
But anyway, I’ve been thinking about a social networking attack over the past couple of years that works like this:
- Build social networking site (let’s call it MikeSpace for the purpose of simplicity, shall we?)
- Harvest email addresses and names from MikeSpace registrations
- Sell email addresses and names
- Make a seed file using MikeSpace account names and passwords
- Probe email accounts using the seed file
- Auto-forward email accounts to your Big Data Hoover (TM)
- Spider other social networking sites using the seed file
- Point the Big Data Hoover at the accounts you’ve compromised
- Aggressively pursue password recovery on other sites using captured email accounts
- Data warehousing and some Bayesian analysis to determine each user’s preferences
- Sell the aggregated information on people for mucho dinero
- ????
- Profit!
About now, all of you are checking the Interweb to see if I’m behind any social networking sites. Rest assured, I’m not, but the scary thing is that when I’m stepping through this process, I can visualize the database backend and the core code for each step of the ’sploit.
Nor is this a new idea. My friend Lempi always wanted to create her own cult along the same lines, but she was beaten to the punch by some people who will not be named because they actively sue. =)
Posted in Diary of a Startup, Hack the Planet, Odds-n-Sods |
2 Comments »
June 20th, 2007 by rybolov
While I was in the “giant kitty-litter box” some years ago, our base was 200 miles from anything. Our link to the outside world was a satellite Internet connection through a company in Dubai. We had a small 10-station computer lab with about as many VoIP phones behind a Linux firewall doing NAT.
Because everything was running on generators, and Joe the Infantryman couldn’t remember to fill the generators with fuel, our base had very unstable power. We would have an outage every day at around 2:00 in the afternoon. The power situation and the sand caused the power supplies of the computers to die fairly quickly.
Then one day, a bad thing happened. The linux firewall lost the boot drive during a power failure and didn’t come back up. It went to the maintenance shell which, of course, requires you to log in with the root password. This is when people came and asked me to fix it.
All the firewall needed was a fsck, but I was out of luck–no password. I ripped open the case and booted off a CD but the drive wouldn’t take a fsck. I eventually ended up turning the firewall into a Debian box. Using Ethereal, I sniffed out a gateway and unused IP address, then I called the company who owned the equipment. We had a nice conversation about how it would take them a month to send out a tech to fix or replace the firewall, so in the meantime, I owned it.
Now the funny thing is that everything is slow when you don’t have the tools available. I had to take one of the workstations and rip out a CD drive to put one in the firewall. I had to sniff out a network connection just so I could download a bootable .iso. These are all fairly small, but they take time.
I think the whole time to get us up and running was about 12 hours. Definitely not the quickest job I’ve done. But at least our guys could call home.
Now the reason that I’m bringing this up is because I’m looking at the movies from Hack In the Box 2006 and there is one about hacking satellites: Hacking a Bird in the Sky - Hijacking VSAT Connections by Jim Geovedi and Raditya Iryandi. These guys used some of the same techniques that I did.
Posted in Army, Hack the Planet, Technical |
2 Comments »