Wednesday, October 3, 2007

Virtualised desktops will end laptop management

With virtual desktop infrastructure (VDI) there are at least three modes of operation:

  1. IT controls VDI completely: the desktop is "thin" and only IT-approved virtual machines are allowed
  2. IT does not completely control the desktop; the options get complicated fast:
    a) user virtual machines are allowed
    b) user controls the host
Looking at option 2a, we could have rogue guests, infected guests, any kind of guest ... telling them apart and acting accordingly will be fun!

Looking at option 2b, I can buy a Macintosh or linux or windoze and as long as I can run the IT approved virtual machine, then IT is happy. But what if my Macintosh is owned by the Uzbek barbarian horde? Have I just given the Horde access to my corporate network?

Lots of interesting questions arise. We have our own use case right here at Catbird. The "approved" IT image is Windows XP with Microsoft Office.
We allow a VDI where an employee can use a Macintosh to run Windows in a vm. We're happy until there is a mac worm!

For example, an organization using Active Directory to lock down their desktops ... Active Directory does nothing to lock down a Macintosh.

How is a Windows-savvy IT team going to cope with users running Ubuntu, Fedora, Macintosh ...? VDI is going to lead to an explosion of host operating system diversity. This will be very exciting for those of us running Windows under duress.

There will be huge value in giving IT the tools to manage and secure a highly diverse and constantly changing environment.

Saturday, September 22, 2007

Another one from SANS newsbites

A vulnerability scan would have warned them that their Cerberus implementation was open to attack. Either they were not validating their security compliance, or they were not following an effective process for curing their vulnerabilities.
--Layered Technologies Customer Data Stolen (September 19 & 20, 2007) An attack on a helpdesk application in Layered Technologies' support database has compromised the security of personally identifiable data of as many as 6,000 of the server hosting company's customers. The data include names, addresses, phone numbers and server login details.
Layered Technologies is asking all its customers to change their login credentials. The attack occurred on the evening of September 17, 2007.

Wednesday, September 19, 2007

Highlights from a recent SANS News bites

From SANS ... note that bank account details are now worth $400 per account.


--Ameritrade May Have Been Aware of Breach for a Year (September 14, 15 & 17, 2007) Online brokerage TD Ameritrade Holding has acknowledged that a data security breach has compromised more than 6.3 million accounts. The database contains customer names, addresses, account numbers, Social Security numbers (SSNs) and birth dates. The attackers gained access to the database through a backdoor program they had installed on the TD Ameritrade network. TD Ameritrade says it has removed the rogue code from its systems. The intrusion was discovered in the course of an investigation into stock-related spam that had been reported by the company's customers. An attorney representing plaintiffs in a planned class action lawsuit against the online broker alleges that the company knew of the data security problem for a year before customers were notified. Furthermore, the suit alleges that the company kept entering customer data into the vulnerable database during an internal investigation.

--Symantec Report: Malware Moves Toward Commercialism (September 17 & 18, 2007) Cyber attackers aiming to damage computers or inconvenience users are giving way to more financially motivated criminals. According to Symantec's most recent Internet Security Threat Report, cyber criminals are turning to good business practices to ply their trade. Some malware purveyors are offering guarantees about the performance of their products as well as updates to keep the products current. The report also notes that phishers are scouring social networking sites to gather personal information, which they then use to create targeted emails that lure recipients to phony sites where they can harvest valuable data.
Stolen bank account details are being sold online for as much as US $400 apiece. In addition, levels of pump-and-dump schemes and image-based spam have decreased.

Thursday, August 9, 2007

The Game Is Not Over -- Security for your web site

  1. Man-in-the-middle (MITM) attack against SSL plus Sitekey/Passmark – The Stop-Phishing Research Group at Indiana University demonstrates that if you are not very careful about the URL and the SSL certificate, and most people are not, the attacker will be successful
  2. Sniffing a connection to steal session cookies to bypass user authentication – Robert Graham of ErrataSec, has demonstrated why you need a security barrier for your laptop at Starbucks (If his name for this attack sticks "side-jacking" then we might as well all give up and start referring to SSL as a condom for your browser)
  3. If you think you don’t have to worry about these exploit techniques, then you better have the Security Excuse bingo card (found on Schneier on Security).

It looks pretty bad. SSL can be bypassed, authentication cookies can be stolen. If you follow the blogosphere’s impression of the recent Blackhat/Defcon events, it's all useless and there is nothing we can do to stop the crooks. To top it all off, there isn’t just one Hackistan (great Yak snacks by the way), there are many Hackistans, and no web site is too small or broadband-connected PC too innocent for them to exploit.

Truth is, if a malicious hacker with the capabilities of a Grossman, Skoudis or Moore is after your site, then you will get hacked. Lucky for you these guys are busy™.

Solutions? Focus on your business needs and take some precautionary steps:

  • Run traditional vulnerability scans (because Skoudis and Moore teach us that the old problems are new again)

  • Run a web application scanner and use a secure coding inspection tool, Grossman and Zorkul are better, but it’s foolish not to automate everything you can

  • Use SSL from start to finish on your web site, you have an obligation to protect the integrity and security of all the data exchanged between your site and your customer’s browser – otherwise you're giving it away to any crook with a copycat access point or a promiscuous wireless card

  • Don’t ignore MITM because you think it is hard, it gets easier to do every day – Lucky for all of us, it’s also getting easier to protect against and detect MITM, Pharming, Hijack and Malware Injection, I know someone who can help

  • Last but not least, plan on getting hacked, have an incident response plan and be prepared, playing security excuse bingo is a losing strategy

Get started today!

Disregard any pop-up security windows you receive

I received this in my mail today:

Dear Electronic Crimes Task Force Member,

CSO magazine is conducting a survey in cooperation with the U.S. Secret Service and CERT Coordination Center, the 2007 eCrime Watch. The purpose of this project is to uncover electronic crime trends.

CSO magazine’s sister company, IDG Research Services, has been commissioned to help us collect your feedback. Please click on the following URL to begin the survey or copy and paste the URL into your browser:


Disregard any pop-up security windows you receive. (Emphasis mine)

Please be assured that any information you provide is confidential and your responses will be used only in combination with those of other survey respondents. This survey should take no more than 10 minutes of your time. If you have any questions about this survey please contact IDG Research Services at or ATSAIC ----------, USSS, San Francisco Field Office 415/-------.

Thank you in advance for your help.
Of course my first thought was that this was a phishing attack. I couldn't imagine CSO and the ECTF telling me to "Disregard any pop-up security windows you receive."

Imagine my surprise and relief, when I went to the site and there were no warnings. So, they got it right, the SSL certificate was correct and unexpired ... but everyone is so accustomed to that not being the case, that as a matter of course they included the disregard pop-ups message. Is our infrastructure broken or what?

Wednesday, August 8, 2007

Virtually Secure

Christofer Hoff has a good post here. In particular,
Combine that with NAC agents on the hosts and...whether or not it actually works is neither here nor there. They told the story and here it is. It's good to be king.
His point being that Cisco doesn't have to worry about when they are going to deliver a product or even how well it will work when they do ...

Meanwhile, back in your virtualized data center, you can be warm and happy knowing that Cisco's virtually shipping product has you virtually secure already. Nice, huh?

What about Real Security -- Real Security for Virtualized Infrastructures? You've deployed half a dozen quad-core systems and thrown out 150 obsolete boxes. Maybe you had IPS and NAC in your datacenter already, but do you have it now? If your virtual Windows 2000 server gets infected and starts attacking the other systems on the host, how will you know?

Maybe you will know when the infection begins to spread to other hosts and their virtual servers, but by then you will have a real mess on your hands.

The right answer involves doing something today, not waiting for a vendor to implement a solution next year. Here is the pragmatic prescription for today: virtual servers are servers, period.

If their reliability and security are important to your business then you have to secure them with the same mature IT processes that you use for everything else:
  1. Specify the appropriate security requirements at the start
  2. Determine and implement secure baselines that meet your business and security requirements
  3. Validate/test that the performance and security of your systems meets the stated requirements before you put them in production
  4. After deployment, test them again -- virtualization really helps you here
  5. Use change control and segregation of duties -- (ITIL and ISO 17799 driven) processes and controls to keep working systems, working
  6. Patch management and vulnerability management are a continuous process -- don't treat these problems with a calendar ... not unless you like emergencies
  7. Continuously monitor your network and systems, use the protection appropriate to the value of the data or business operations, such as:
    • Gateway: firewall, anti-spam, anti-malware, content filtering, vpn ...
    • Network: vulnerability monitoring, IDS/IPS, NAC, Policy management and compliance ...
    • Endpoint: Anti-malware, AAA, log analysis, patching, encryption ...

  8. Disaster/Business continuity planning, incident response and training have to include your virtual infrastructure -- DR/BP might be a big driver behind your virtualization effort, but nothing substitutes for a good test.
Do all of the above, appropriately to the level you need, don't wait to become the next security breach. It's more about the process than the tools.

Monday, August 6, 2007

I hate Passwords #10

From IP: link here
What I think needs to be done is that the public needs to be educated about these sites, and the security risk they pose.
The "public" is already being educated. We tell them over and over that they should not share their password with anyone. The problem is that the public gives up their password all too easily. We can keep blaming the public, and we will, but we should also try to understand why someone will give up their Yahoo (or other service) password easily, while the same person would never share their ATM PIN.

I think the public is pretty smart, but they learn best when they experience immediate consequences from their actions. Right now, I know that identity theft and losses from this behavior are at a tolerable level because most of the public are still willing to give their password away -- where the same public will never forget to lock their car door at the shopping mall parking lot.

If the consequences (or at least people's awareness of these consequences) get a lot worse, we will either see a change in behavior or the deployment of technologies to eliminate reliance on passwords (tokens, client-side certificates ...).

Friday, August 3, 2007

Voting Software Security

Matt Blaze's group reviewed the Sequoia system's code. From his blog:

We found significant, deeply-rooted security weaknesses in all three vendors' software.

The problems we found in the code were far more pervasive, and much more easily exploitable, than I had ever imagined they would be.

Deliberate backdoors in these systems, if any existed, would be largely superfluous
My humble opinion: this is a great opportunity for the open source community to get together with the private sector (hello Fortify) to solve this problem.

Computer Market will keep growing

I learned a long time ago that no market grows fast forever....

Toni Sacconaghi, an analyst with Sanford C. Bernstein & Co., has chipped in on the gloom and doom scenario as well in a new research report.

"As the use of server virtualization rises, a negative impact on x86 server demand appears all but inevitable," he wrote. "While we still forecast positive x86 server unit growth in 2007 and 2008, our forecast calls for shipments to contract in 2009 and for growth to be about zero between 2007 and 2012, compared with historical double-digit gains."

This analysis varies from wrong, to really really wrong.

I agree with Ashlee Vance in the Register, virtualization is going to drive the demand for huge well-integrated multi-core systems, but there will still be plenty of need for ever more horsepower on the desktop and for dedicated blade or 1U systems in the data center to feed specific CPU intensive applications.

I think we will eventually see desktop virtualization follow in the server virtualization footsteps, but when I look down the hall and see dedicated 4 core systems on people's desks, I find it hard to believe that we're going to see a sharp reduction in the growth of this market.

Tuesday, July 10, 2007

Bad Things

Bad thing #1: Don't take bribes in China.

Bad thing #2: Don't install today's MS Update without backing up!

My woes began early this AM when I installed the patch and rebooted. During start-up Data Execution Prevention (DEP) killed the Malicious Software Removal UI, then svchost, outlook and other applications began giving the choice between terminate and debug. I'd estimate that I have sent dear MS about 100 debug messages in the last four hours. Sweet.

I'm back up now, but I had to relax the settings on DEP before I could get a clean start-up. My intuition is that this is related to the core-duo microcode patch.

Three words: Network Attached Storage.

Without a good backup I'd have been toast. Even with the backup and uninstalling the patches I made a semi-permanent change to DEP's behavior that I have not been able to undo. Ouch.

Monday, July 9, 2007

SSL Security the Verisign Way

My analysis of Verisign's FAQ at

indicates that with the EV certificate "advanced" browsers will paint the URL bar green.

Since users have been trained to ignore the color of the URL bar and phishers can probably paint the URL bar any color they want -- this is useless.

Quoting from their FAQ:
With the EV certificate the CA will: Provide a reasonable assurance to the user of an Internet browser that the website the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation, and Registration Number

In the US this amounts to something like a credit check or D&B report to verify that the applicant for an EV certificate has provided the correct name and address for their entity. Given the 55 million user ids floating around since the TJ Maxx breach this is not very useful.

Outside the US, Europe and Japan this is pointless. I imagine that if I wanted to form a company named "Cisco LTD" in the Bahamas and register the domain "" I could have my copycat site with an EV cert sometime later this week. I could do this in the States too, I'd just take the precaution of paying cash for a PO box at Mailboxes Etc. first.

Here is the best part from Verisign's EV Cert procedure, here's what they promise that they will not do:
EV Certificates focus only on the identity of the Subject named in the Certificate, and not on the behavior of the Subject. As such, an EV Certificate is not intended to provide any assurances, or otherwise represent or warrant:
  • That the Subject named in the EV Certificate is actively engaged in doing business;
  • That the Subject named in the EV Certificate complies with applicable laws;
  • That the Subject named in the EV Certificate is trustworthy, honest, or reputable in its business dealings; or
  • That it is “safe” to do business with the Subject named in the EV Certificate.
Let's read that carefully. The EV Certificate is not intended to provide any assurances that it is "safe" to do business with the Subject named in the EV Certificate.

Tell me again why the EV certificate is good for consumers?

Friday, June 22, 2007

Making our mark

It was time to go. We’d succeeded in breaking into their primary systems and had installed our backdoor. We hung the company shirt and other marketing tchotchke around the room.

Now we had to get out quietly. We waited until we could mix with a shift change and left unnoticed in the crowd.

At the front entrance, we asked to see the security chief. The guards were confused. They didn’t believe us when we said that their boss was in his office. Our mission was complete. The news was not good.

We’ve turned south now. The Aleutians are falling behind us. I can see the first hint of dawn, and home is six hours away.

The end, (part 7 of 7) (go back to part 1)

TriCipher Responds

After I published TriCipher USB key, Tim Renshaw, VP Field Solutions at TriCipher responded with the following confirmations and clarifications:
Yes, we use two authentication "stores". In the TriCipher solution (our name alludes to our 3-key technology) set, we use public key crypto, but instead of having a single private key and public key, each user has 2 private keys and a public key. A private key the user controls and a second private key kept on the TriCipher ID Vault appliance. Of course, then there is a 3rd key, the public key.

For our "USB key" feature, the USB device serves as the 2nd "what you have" factor and of course works in conjunction with the user's password. These two components are used to recreate what is best to think of as the "user's key". Note that loss or theft of the USB key provides an attacker no attack vector to guess or work backward to the password. Same with theft of the password. Whether phished, pharmed, keylogged or social engineered in any way, possession of the password alone is useless without the USB key.

The "user's key" is used in conjunction with the other private key for that user kept on the ID Vault (ID Vault key). To properly authenticate both the user's key and the ID Vault key are used to co-sign, if you will, and consequently create a standard, x.509 certificate based, verifiable signature for any client-SSL enabled relying party site.

Important points:
  • Relying party needs no TriCipher code to accomplish this standards-based function.
  • The two private keys for each user are never recombined anywhere to be compromisable in a single location.
  • The user's private key is never stored anywhere, ever.

No, we do not get in the middle between authenticating sites and users. We utilize the true two-way, mutual authentication SSL mechanism built into both the server and client ends. All our "magic sauce" briefly described above is done between the client and the TriCipher ID Vault directly. It is pretty accurate to think of the connection between the client and the ID Vault as forming a secure, virtual smart card. Certainly as far as all the client code is concerned, the signature is performed by a local, smart card as we again use the existing standards for signing procedures, CAPI and PKCS11.
I still have to wonder about the compromised computer kiosk. If I insert my USB key into an 0wned system, can that system rip the token from the key and log my password?

Friday, June 15, 2007

TriCipher USB key

From the marketing glossy it would seem they use public key crypto, with two authentication stores. One is on the key and the second is on the Web.

The key is used to authenticate you to the TriCipher key vault on the web. TriCipher then authenticates you to the financial web site. My guess is that you establish an SSL tunnel to TriCipher using a certificate on the key. You then authenticate yourself to TriCipher using something you know. Then TriCipher somehow authenticates you to the bank and establishes an SSL session between you and the bank that is already authenticated.

My guess is that TriCipher starts as a man-in-the-middle and then somehow hands off the session, maybe a reverse tunnel is established from the bank back to you?

Since you're running software off of the key and your authentication to TriCipher involves a cert and something you know, it's possible to evade key loggers. One method would be for TriCipher to display a captcha image back to the user which the user combines with their pass-phrase to create a one-time key for the session.

But this is all guess work from a marketing glossy. Might be fun to try it out.

Thursday, June 14, 2007

Phishing and Pharming

I work at a startup. It should come as no surprise that I think we do some very cool things. About a year ago, our Marketing VP realized that we had the ability to offer protection against a certain type of attack.

She created this product.

We’re still often asked, “What are Phishing and Pharming?" Here is my response:

Phishing and Pharming are common attack methodologies designed to harvest authentication credentials and personally identifying information (PII). Criminals use these attack methods to gain unauthorized access to financial, e-commerce, health care or other institutions. The attackers then sell, trade, or use these stolen identities to commit further compromises. Over 90% of these attacks target financial institutions.[1] Ultimately, these identity thefts result in billions in damages to these institutions.[2]

Phishing attacks begin with an email or instant message, the “lure” which tricks the victim into giving up their identity. Common Phishing attacks succeed 3-5% of the time; more advanced techniques like Spear-Phishing achieve 15% success rates.[3] A study at Indiana University indicated that Phishing attacks that utilize social networks might achieve success rates as high as 70%.[4]

Pharming attacks do not require a lure or any voluntary action from a user. With Pharming, the attacker compromises the network infrastructure of the victim web site. Pharming attacks are typically not detectable by the victim and may go unnoticed for hours or even days. The bank customer almost never detects these attacks and once they are detected, the victim financial institutions are notorious for not disclosing their costs. With clever construction a Pharming attack can achieve more than an 80% success rate.

Pharming is a collection of several old and new attack techniques including: DNS or domain hijack, DNS cache poisoning, Man-in-the-Middle (MITM), script injection, malware seeding and related site attacks involving cross-site scripting (XSS), frames, pop-ups and numerous other exploits of the user’s browser. In March of 2005, one Pharming attack diverted 1,304 domains and harvested over 7,000 victims in only a few hours.[5] More recently a sophisticated Pharming attack targeted 50 financial institutions -- this attack affected at least 1,000 systems per day.[6]

Protecting against these attacks[7]
Phishing is a form of social engineering; preventing these attacks requires a combination of user education and implementation of technologies to make it easier for potential victims to recognize fraudulent sites.

Pharming attacks start with an exploit against the network and application infrastructure of a web site. Financial institutions should perform the following actions to protect against Pharming:
  • Protect your entire site with SSL; educate users to look for the padlock
  • Monitor your domain and DNS infrastructure for cache poisoning, hijack and spoofing
  • Monitor your web servers and DMZ systems for vulnerabilities; implement a continuous security process for vulnerability and patch management of these critical systems
  • Monitor web content for script injection and unauthorized modifications; extend this monitoring to partner sites which include content via frames or cross-site scripting
  • Implement a secure web “watermark” that validates the security of your web site; educate your users to look for and verify the watermark is correct
  • Develop a security response plan with your service providers to react quickly and cooperate to take down a malicious site targeting your institution
For both Phishing and Pharming, provide simple mechanisms for your customers to report abuse or suspect web sites. The prevalence of these attacks will continue to rise with the swell of e-commerce. Responsible institutions must increase the difficulty (and the resulting cost) of making a copycat web site and they must implement continuous monitoring and response processes to respond in the event of an attack.
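As an added example (not code from the post, nor from Catbird's product), here is how the DNS-monitoring and content-monitoring items in the list above can be checked: several resolvers' answers are compared against a baseline, and a fetched page is compared against a baseline copy for new script or iframe sources. The domain, addresses (RFC 5737 test ranges), resolver names and HTML are constructed samples.

```python
"""Pharming watch: compare the A records several resolvers return for a site
against a baseline, and compare fetched page content against a baseline for
script injection. Added example; the domain, addresses (RFC 5737 test ranges)
and HTML are constructed samples, not data from the original post."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str    # "dns" or "content"
    detail: str


def check_dns(domain, expected_ips, observations):
    """observations maps resolver name -> list of A records it returned.

    An address outside the baseline is the classic symptom of a poisoned
    cache or hijacked zone at that resolver; an empty answer may mean a
    hijacked domain or a blocked lookup. A subset of the baseline is fine
    (round-robin answers legitimately vary)."""
    expected = set(expected_ips)
    findings = []
    for resolver, answers in observations.items():
        got = set(answers)
        if not got:
            findings.append(Finding("dns", f"{resolver}: no A records for {domain}"))
            continue
        rogue = sorted(got - expected)
        if rogue:
            findings.append(Finding("dns", f"{resolver}: unexpected A record(s) for {domain}: {rogue}"))
    return findings


SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>.*?</script>', re.I | re.S)


def content_profile(html):
    """Reduce a page to the features a script-injection attack changes."""
    return {
        "sha256": hashlib.sha256(html.encode()).hexdigest(),
        "script_src": set(SCRIPT_SRC.findall(html)),
        "iframe_src": set(IFRAME_SRC.findall(html)),
        "inline_scripts": len(INLINE_SCRIPT.findall(html)),
    }


def check_content(baseline_html, current_html, allowed_hosts):
    """Flag script/iframe sources and inline scripts absent from the baseline;
    a source on a host outside allowed_hosts is marked OFF-SITE."""
    base, cur = content_profile(baseline_html), content_profile(current_html)
    findings = []
    if base["sha256"] == cur["sha256"]:
        return findings                      # byte-identical: nothing to report
    for kind in ("script_src", "iframe_src"):
        for src in sorted(cur[kind] - base[kind]):
            m = re.match(r'https?://([^/:]+)', src)
            offsite = bool(m) and m.group(1) not in allowed_hosts
            findings.append(Finding("content", f"new {'OFF-SITE ' if offsite else ''}{kind} {src}"))
    if cur["inline_scripts"] > base["inline_scripts"]:
        findings.append(Finding("content",
            f"inline scripts grew {base['inline_scripts']} -> {cur['inline_scripts']}"))
    return findings


# ---- constructed sample data ------------------------------------------------
DOMAIN = "www.bank.invalid"
BASELINE_IPS = ["198.51.100.10", "198.51.100.11"]
OBSERVED = {
    "resolver-hq":    ["198.51.100.10", "198.51.100.11"],   # matches baseline
    "resolver-isp-a": ["198.51.100.11"],                    # subset: fine
    "resolver-isp-b": ["203.0.113.9"],                      # poisoned/hijacked
    "resolver-open":  [],                                   # no answer at all
}
BASELINE_HTML = """<html><head><script src="/js/app.js"></script></head>
<body><form action="/login">...</form></body></html>"""
INJECTED_HTML = """<html><head><script src="/js/app.js"></script>
<script src="http://cdn.evil.invalid/k.js"></script></head>
<body><script>var injected = 1;</script>
<form action="/login">...</form></body></html>"""


def run_demo():
    findings = check_dns(DOMAIN, BASELINE_IPS, OBSERVED)
    findings += check_content(BASELINE_HTML, INJECTED_HTML, allowed_hosts={DOMAIN})
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.check}] {f.detail}")
```

In production the observations would come from querying your own and a few public resolvers on a schedule, and the baseline page from a known-good fetch over SSL.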

  1. APWG Activity Report (April 2007). Anti-Phishing Working Group. Retrieved June 14, 2007 from
  2. Phishing and Pharming (January 2006). McAfee. Retrieved June 14, 2007 from
  3. 'Spear Phishing' Tests Educate People About Online Scams (August 2006). David Bank, Wall Street Journal. Retrieved June 14, 2007 from
  4. Social Phishing (December 12, 2005). Tom Jagatic, Nathaniel Johnson, Markus Jakobsson and Filippo Menczer, School of Informatics, Indiana University, Bloomington. Retrieved June 14, 2007 from
  5. SANS ISC Diary (March 2005). SANS Internet Storm Center. Retrieved June 14, 2007 from
  6. Elaborate ‘pharming’ attack targeted 50 banks (February 22, 2007). Jeremy Kirk, IDG News Service. Retrieved June 14, 2007 from
  7. Protection recommendations from numerous sources including Microsoft, Symantec, SANS, RSA, CSO Online, Network World and others:

Monday, June 11, 2007

Nigerian Scam Emails Just Keep Coming

This scam is older than the Internet, I think it started when the first FAX machine was installed in Nigeria. I used to feel sorry for people who fell for this.

Got this message (how many millions have we all spent on SPAM filters and these still come through) on IP today:

Hello My Good friend, But you don't know my name do you?

How are you today? Hope all is well with you and your family?, Good, thanks for asking. You may not understand why this mail came to you. Oh, I understand, you send this to millions of people because it still works! But if you do not remember me, you might have receive an email from me in the past regarding a multi-million-dollar business proposal which we never concluded. US Law Enforcement gets HUNDREDS of complaints per day about the 419 scam ...

I am using this opportunity to inform you that the multi-million-dollar business has been concluded with the assistance of another partner from India who financed the transaction to a logical conclusion. Probably some poor fool who doesn't know he has been scammed.

Presently, I am in London for investment projects with my own share of the total sum. Nigerian fraudsters make so much money, it is the number 1 scam on the US Government's export page. Meanwhile, I didn't forget your past efforts and attempts to assist me in transferring those funds despite that it failed us some how.

Now contact my Personal Assistant in Abuja, Nigeria and ask him to send you the CERTIFIED CASHIER CHEQUE Look at that! British spelling, maybe he really is in London... of US$1.2M which I wrote in your name in appreciation of your past effort in helping me.

Below is his contact informations:

Name: Mr. Allusine Sakoh

Who would have thought that "Allusine Sakoh" would be such a popular hotmail address. I imagine they stopped using Yahoo after they reached allusinesakoh666.

Tel: +234-803-537-6903 234 is the Nigerian country code, I wonder if they accept collect calls?

Feel free and get in touched with him for the sending of the draft to any address where you would prefer the draft to be mailed. Please do let me know immediately
you receive the CASHIER DRAFT.

Yes, but will you need to pay a

  1. Clearance fee, paid before the check can be sent?
  2. Commission paid to your Nigerian friend for sending the check?
  3. Some new wrinkle?
  4. Over one million hits on Google for "Nigerian scam"
  5. A greedy fool and his money are soon parted ...

At the moment, I am very busy here in London because of the investment projects which I, and the new partner are having at hand but would appreciate your update once the cheque is deliverred Hey! Another typo, doesn't happen much with these guys. to you thru my email:

Finally, accept my goodwill my dear friend.

Thank you once again and may God bless you.

Mr.Aku Ubah.

This county treasurer got 14 years... More information from the Nigerian Consulate in Atlanta, Georgia.

When you see this email, press delete.

Monday, June 4, 2007

Fourth time is a charm

It was 23:30 local time. We’d just adjusted our tools for another try. Lights had switched off as the last few employees had left. We knew it was time to move.

The “finger” pressed the button, the lock released. Now, on to the prize: we entered the room into the camera’s blind spot. We were behind the server farm. The safety lighting gave us a clear view past the racks. Our targets (the file servers, databases and external firewall) were all in this room. We knew that we had to move fast, capture the data, and, if possible, backdoor the firewall so that we could re-enter from the Internet — this was our goal.

We had arranged our priorities. If we could capture next year’s product design, our client would be chagrined. If we could capture the design for two years hence, they would be appalled. If we could backdoor the firewall and demonstrate the ability to pillage at will… It’s an interesting job; we were earning our payday by emulating our client’s worst enemy or most ruthless competitor.

Part 6 of 7, (to be continued)

Tuesday, May 29, 2007

Phishing email

I recently received a phishing message that looked like this:
Dear National City business client:

The National City Corporate Customer Service requests you to complete the National City Business Online Client Form.

This procedure is obligatory for all business and corporate clients of National City.

Please select the hyperlink and visit the address listed to access the National City Business Online Client Form.

Again, thank you for choosing National City for your business needs. We look forward to working with you.

***** Please do not respond to this email *****

This mail is generated by an automated service.
Replies to this mail are not read by National City Corporate Customer Service or technical support.


Of course, the actual link points to

The site '' is being used for malicious purposes. The other hidden component of this message was below the dashed line, "hidden" by setting the font to white: (or near white -- FFFFF3, FFFFF6 and FFFFFF were used)
interface: 0x36, 0x1, 0x63, 0x6256, 0x988, 0x2572, 0x80, 0x7637, 0x57264282 end, SGK, include, B870, K8H, WV5O, UK5, create. 0x6, 0x8549, 0x119, 0x8820, 0x402, 0x81, 0x31 8XU: 0x873, 0x5224, 0x2, 0x2, 0x9, 0x8, 0x080, 0x515, 0x43, 0x96767749, 0x88, 0x340, 0x25 0x2, 0x49725777, 0x56099999, 0x29944557, 0x7245, 0x725 M06D: 0x02484306, 0x7392, 0x33, 0x538, 0x525, 0x67920133, 0x3282 XLM: 0x4 2PEU: 0x014, 0x48384334, 0x1, 0x1, 0x11505955, 0x9691, 0x63, 0x189, 0x85388483, 0x113, 0x81125589, 0x0528 0x081PZ: 0x10, 0x7513, 0x410, 0x0375, 0x134, 0x5 CRA: 0x16, 0x58937392, 0x181, 0x27551688, 0x026, 0x5300, 0x45, 0x427, 0x41491833, 0x43275927, 0x9, 0x2, 0x7, 0x462 0x33, 0x0589, 0x771, 0x69, 0x3, 0x96524563, 0x588, 0x8388, 0x3, 0x17, 0x8769, 0x137, 0x4, 0x2211, 0x30 engine KMY9 engine stack: 0x0016 tmp: 0x43286114, 0x88, 0x04, 0x2, 0x095, 0x65, 0x79461383, 0x18078378, 0x65882286, 0x1, 0x6, 0x06 CHA start: 0x3520, 0x1064, 0x69, 0x047, 0x214, 0x062, 0x678, 0x227 0x91708961, 0x0625, 0x2, 0x0, 0x278, 0x2, 0x0, 0x7, 0x09339745 2TWO: 0x14, 0x1, 0x90402223, 0x572, 0x1980, 0x4, 0x9, 0x6377, 0x6914, 0x43462100, 0x848, 0x26 Q8BE: 0x37865183, 0x11, 0x06, 0x2, 0x2132, 0x3, 0x70656885, 0x3758 HKU: 0x1114, 0x1914, 0x2, 0x45, 0x263 0x4, 0x3930, 0x3, 0x4, 0x3, 0x4, 0x0, 0x79365666, 0x4856, 0x57, 0x0, 0x77, 0x4, 0x10401843, 0x6317 0x11658786, 0x0, 0x5 YTIZ, Z5JV, WOJ, api, create0x14424486, 0x17907803, 0x590, 0x13855537 0x591, 0x6, 0x22, 0x2126, 0x81675440, 0x67351277, 0x6, 0x1 serv: 0x36026386, 0x6, 0x7, 0x772, 0x64, 0x8180, 0x9701, 0x50750989, 0x7, 0x9, 0x87, 0x3058, 0x5, 0x263, 0x23 7Z1 common KXLL hex 0x0071, 0x63
I'm curious about the code: do you think the hex was used to defeat Bayesian SPAM filters, a programming mistake by the Phisher or something else?
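Whatever the hex was for, the near-white trick itself is easy to catch at the gateway or in a mail client. Here is a small detector I put together for this post (it is an added example, not code from the phish or from any product): it walks the HTML, tracks the nearest colour-setting ancestor of each text run, and reports the runs whose colour is within a tolerance of white. The tolerance, the sample body and the handling of `font color=` and inline `style="color:..."` are my assumptions; the sample message is constructed to resemble the one above, not copied from it.

```python
"""Flag near-white text in an HTML e-mail body.

Added example for this post, not code from the original message or from any
mail product. The tolerance, the sample body and the tag handling are
assumptions for the demo.
"""
import re
from html.parser import HTMLParser

# Per-channel distance from 0xFF below which a colour counts as "near white"
# (assumed threshold; FFFFF3 is only 12 away on the blue channel).
NEAR_WHITE_TOLERANCE = 24

# Elements that never get a closing tag, so they must not be tracked on the stack.
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "area", "base", "col"}

HEX_RE = re.compile(r"#?([0-9a-fA-F]{6})")


def parse_color(value):
    """Return (r, g, b) for '#RRGGBB', 'RRGGBB' or 'white'; None if unrecognised."""
    if value is None:
        return None
    value = value.strip()
    if value.lower() == "white":
        return (255, 255, 255)
    m = HEX_RE.fullmatch(value)
    if not m:
        return None
    h = m.group(1)
    return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))


def is_near_white(rgb, tolerance=NEAR_WHITE_TOLERANCE):
    return all(255 - c <= tolerance for c in rgb)


def color_from_attrs(attrs):
    """Pull a colour from a color= attribute or from an inline style's color: property."""
    a = dict(attrs)
    if a.get("color"):
        return a["color"]
    # (?<![-\w]) keeps "background-color" from matching.
    m = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", a.get("style") or "", re.I)
    return m.group(1) if m else None


class HiddenTextFinder(HTMLParser):
    """Collect text whose nearest colour-setting ancestor is near white."""

    def __init__(self):
        super().__init__()
        self._color_stack = []   # one entry per open element: its RGB, or None if it sets no colour
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        self._color_stack.append(parse_color(color_from_attrs(attrs)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._color_stack:
            self._color_stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        # The innermost element that sets a colour decides how the text renders.
        for rgb in reversed(self._color_stack):
            if rgb is not None:
                if is_near_white(rgb):
                    self.hidden.append(text)
                return


def find_hidden_text(html):
    parser = HiddenTextFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden


# Constructed sample body modelled on the message above (not the real phish).
SAMPLE_BODY = (
    "<p>Dear customer, please verify your account.</p>"
    "<hr>"
    '<font color="#FFFFF3">interface: 0x36, 0x1, 0x63 end, SGK<br>create.</font>'
    '<span style="font-size:1px; color:#fffff6">M06D: 0x02484306, 0x7392</span>'
    '<font color="#000000">This is the visible footer.</font>'
)

if __name__ == "__main__":
    for chunk in find_hidden_text(SAMPLE_BODY):
        print("hidden:", chunk)
```

Run on the constructed body it reports the two near-white runs and ignores the black footer. A production filter would also want to look at `font-size:0`, `display:none` and text coloured to match a background image, which this demo deliberately leaves out.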

Thursday, May 24, 2007

Pain relief for SOX audits

Got this note from a colleague today:
THERE IS HOPE :).. Here is what we turned up.... reading through the details to see what it REALLY means!:

The PCAOB's proposed changes could do just that. The governing body is proposing to allow companies to conduct a risk assessment, which will help them identify the most likely avenues for financial fraud. Auditors might then require more stringent compliance in those areas -- such as sophisticated forensics that allow auditors to find out who made changes to the general ledger and when -- while allowing less likely fraud avenues, such as backup tampering, to come under less scrutiny.


And the PCAOB is considering adopting more detailed guidelines for how SOX audits are conducted, Davis observes. "There have been some concerns because there's no real accreditation for SOX auditors, as there are for [Payment Card Industry] standards," he says. "This would help set some common standards for what a SOX audit entails and what qualifications an auditor has to have."

Looks like the PCAOB has also done extensive work to allow the auditors more latitude to scale their work to match the size and complexity of an organization -- great news for smaller public companies.

Hello and a Question for Michael

My beautiful espousa forwarded this message to me from a friend:
Something came up today and I have a quick question for Michael: In a nutshell, someone online accessed my checking account (with Washington Mutual) and drew out 500.00 from USAA (the bank with which I have a savings account, a credit card and renters' insurance.)

I recently did an online electronic transaction from USAA, telling them to remove funds from my Washington Mutual account (like I do every month) to pay off an insurance premium.

Between last night and this morning, a transaction took place whereby 500.00 was transferred via a "USAA Internet Chk" from my WaMu account to an alleged USAA account somewhere, or probably, just through USAA and out a back door. I have both USAA and Washington Mutual investigating it, but boy, it's a rude way to start someone's morning!

Anyway Michael, if you have a view of what may have happened, I'd love to hear it. The only thing I've done differently recently is to reset my DNS server numbers in my wireless router to those of, a free service that supposedly prevents phishing, etc. I've since reset the router to just get DNS numbers automatically (I'm with Verizon).

Sorry to bother you with this, but you're probably much savvier than any of these folks and might have some insight. As it is, I'm grateful that ------y keeps her money with a separate bank, though we do have other WaMu Joint accounts... Makes us gunshy to use the internet for banking transactions (emphasis is mine) - or at least to maybe designate just one, and then to feed it funds for electronic fund transfers at the time bills come due...

All the best,

This sort of thing is very uncommon, but we always jump to the conclusion that we've been hacked by a criminal. This is the email I sent back to my friend last night:

Hello N------,
  1. Go to a friends house or a system at work and change all of your passwords! Don't use your computer, it may have been compromised.

  2. Never re-use a financial site password with any other site.

  3. Change the password on your router and other network equipment.

  4. Have an expert look at your computer; if it has been compromised, you'll need a professional to get it fixed. If it were me, I would back up my data and reinstall from secure media.
If you were not phished then your bank may have been pharmed.

It is very unlikely that an outsider directly compromised the bank. If you used a unique id and password, a random hacker would not have gained access by guessing your password.

There are many possible explanations for your problem.
Someone you know compromised your access:
  • They knew enough about you to access your account. If this is true the bank will be able to follow the money to them.

Some stranger compromised your access:
  • If you used your bank password at a secondary web site the secondary web site might have been compromised, leading to a compromise of your bank account.
  • Your system may have been compromised through an attack launched by a web site that you have visited. These days criminals compromise you via the web and install a program to record the web sites and passwords you use (keystroke logger). Once they captured your bank password they would have set up a transfer to withdraw money from your account.
  • You may have been phished or pharmed (see Catbird Pharming Shield). I doubt you were phished, but pharming is very hard to detect. In a pharming attack the criminals impersonate your bank web site by hijacking the infrastructure the site relies on. You think you're visiting WAMU or USAA but in reality you have been redirected to a fraud site.

An employee at one of your banks has exploited a flaw in the bank's security:
  • Banks have several layers of protection to prevent this, but criminals are very creative at exploiting loopholes or flaws in network or web application security.

Either USAA or WAMU has made a transaction error:
  • This doesn't happen often, but it does happen. Personally, I have had my bank process duplicate transactions on more than one occasion. The situation you describe is very suspicious but it may turn out to just be a simple mistake.

Take care and feel free to contact me directly.
So what do you think, did I give my friend good advice?

Tuesday, May 22, 2007

Top 10 Reasons Why You Might be a Domestic Terrorist

  1. You believe the Constitution is the highest law of the land.
  2. You believe that absolute power corrupts absolutely.
  3. You believe that all governments regardless of their construction are subject to corruption and abuse of power.
  4. You believe everyone has the right to bear arms.
  5. You believe that everyone has basic rights that may not be infringed.
  6. You believe all persons have equal protection under the law.
  7. You believe the State can not unfairly confiscate your property.
  8. You believe that the State shall not force people to testify against their will.
  9. You believe that you have the right to publicly complain about the government and its policies.

And the number one reason why you might be a home-grown domestic terrorist:

1. You might disapprove of what I have to say, but you will defend my right to say it.

My thanks and appreciation to the Founders, Locke, Hobbes and to the many others who contributed to this list.

Edited to add:
Another Enemy of the People?

Friday, May 4, 2007

Pen testing

Hi Michael,

I was wondering if I could get a little pen testing advice. What were the primary factors in determining the cost for a penetration test? In general, what is a ball park range that is reasonable to charge for say, 5 external IPs/servers?


(name withheld)

Well, like everything, that will depend on several factors.

  • Is this an external attack only, or internal, external and wireless?
  • Is social engineering involved, will a physical penetration be attempted?
  • Will you be dumpster diving?

My guess from your question is that you are performing a remote network penetration test without social engineering.

The scope of work then depends on the level of adversary you are imitating:

  1. Motivated attacker, a user with inside knowledge or an attack by a professional seeking monetary gain
  2. Robot master, someone looking for bots to add to their army
  3. Opportunist, a script-kiddie or other non-professional attempting to crack systems because it's a rush

Level 3 is a little above what you can do with a flat Nessus scan. I'd certainly add a little Metasploit work and some light web application inspection, looking for obvious input flaws.

Level 2 will run several well-known exploits and perhaps a 0day. You need to take a very careful look at the attack surface, validate all web applications for input checking (multiple encodings) and prevention of script or SQL injection.

Level 1 will do all of the above, plus deep research on the target and target employees; this level is beyond the capability of a small-business IT defense.

For a client with only five external IPs, simulating either a level 2 or level 3 attack is your best bet.

You should be able to perform a Level 3 with automated tools and a little manual work on the more interesting targets. Three hours per IP address is probably a reasonable guess, but you won't actually spread your time that evenly.

Level 2 is tougher; a true attacker of this type hits you and moves on. However, since we can't predict the exact exploits that this attacker would use, a pen-tester has to perform a far more thorough review of the attack surface. This attack simulation will start at a few minutes per IP address, but you should expect to spend 5-10 hours (each) inspecting specific web application services and web server code for flaws. You will need to run exploit and possible denial-of-service attacks. Economically, you can’t bid this at more than 5-10 hours per IP address, but you could easily double that amount of time if you run into an interesting web application.

My estimates include the time for testing, data gathering and report writing -- never under-estimate the time you will spend on the report. The report is the most lasting and visible product of your efforts.

Most small clients can bite off a blend of these two attack scenarios. Cover all of the systems with an automated scan and a little manual follow-up, but spend a day or two taking a hard look at their primary web server and/or back-end.

Sunday, April 8, 2007

Sample Stay out of Trouble Language

This posting is provided "AS IS" with no warranties.
The question of safe penetration testing or security research comes up time and again. Good guys get prosecuted too. [1] [2]

So, to follow-up my comment on RSnake's recent post, here is something that I have used to stay out of trouble.

DISCLAIMER: I am not a lawyer. If in doubt, ALWAYS, ALWAYS, ALWAYS get professional advice from an attorney. I hope this document puts the reader on the right track and helps keep them out of trouble.

CompanyName (“COMPANY”) hereby accepts the services and the related terms and conditions set forth in the attached Statement of Work (the “SOW”) of SecurityResearcher (“HACKER”).

COMPANY expressly acknowledges that the performance of these services will require HACKER to gain access to COMPANY confidential and proprietary network and information assets, and authorizes this access for the purposes described in the SOW, subject, however, to the Mutual Nondisclosure Agreement, dated ____________________, between COMPANY and HACKER (the “NDA”).

Due to the nature of the services contemplated by the SOW, COMPANY acknowledges that no representation or warranty can be made by HACKER with respect to such services or the efficacy thereof. In particular, COMPANY acknowledges that damage to COMPANY systems or information could result from the performance of such services, and that, following completion of such services, there can be no assurance that the COMPANY network will be secure or that unauthorized access thereof will not occur.


In order to induce HACKER to perform its services COMPANY is accepting the terms and conditions and making the representations set forth herein, and COMPANY irrevocably waives and releases, and shall be stopped from asserting, any claims for damages or otherwise arising out of or in connection with the services, except as expressly contemplated by the NDA.

COMPANY represents and warrants that the COMPANY information systems to be accessed by HACKER do not contain confidential or proprietary information or other property belonging to any person other than COMPANY, or any classified information. By accepting HACKER’s services, COMPANY assumes any and all liability for any disclosure of any third-party confidential or proprietary information assets, or any classified information, arising out of or resulting from such services, and agrees to indemnify, defend and hold harmless HACKER from and against any claim, loss or liability asserted by any person arising out of or relating to any such disclosure, subject, however, to the NDA.

COMPANY expressly authorizes HACKER to gain access, including without limitation external network access and without regard to the COMPANY Information Security Policy, to all COMPANY computer networks and information systems which is reasonable and necessary, in HACKER’s sole judgment, for the purposes described in the SOW, and COMPANY acknowledges that such access shall be obtained by HACKER with the express permission of COMPANY and that such access is not a violation of any federal, state or local laws, rules or regulations, including without limitation the Computer Crime Act of 1986, as amended, or the Economic Espionage Act of 1996, as amended. Execution of this SOW by the representative of COMPANY shall constitute a representation and warranty by COMPANY that such representative is duly authorized to do so and has received all requisite governmental consents and approvals which may be necessary or appropriate to execute this SOW and to carry out the terms hereof, including without limitation the preceding sentence.

Accepted and approved by:

Name Title

Signature Date

Saturday, March 31, 2007

Remote Microsoft Outlook and Vista Exploit

A new vulnerability is being exploited against Microsoft Outlook and all Microsoft Windows Operating Systems: Windows 2000 SP4 through Vista.

The exploit allows remote attackers to execute programs on your system or create a denial of service. There is no patch available for this exploit.

This is the first remote exploit against Vista and the security community is concerned that this vulnerability may be converted into a wide-spread attack worm.

The Community recommends:
  1. All users make sure their Anti-virus software and detection files are up to date.
  2. Spread of this exploit by email may be prevented by blocking all .ani, .cur, .ico and .jpg files at your email gateway.
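Blocking by extension at the gateway is the quick win, but a gateway rule keyed only on file names misses the same content arriving under another name. Below is an added example of what a screening hook could look like (my code, not anything the community or Microsoft published): it blocks the four extensions listed above and then sniffs the payload for the RIFF container with form type `ACON` (the animated-cursor layout) and for the icon/cursor directory header, so a cursor renamed to `.jpeg` or `.gif` is still stopped. File names and byte strings are constructed for the demo.

```python
"""Gateway attachment screen for the two recommendations above.

Added example, not code from the post or from any mail gateway. The file
names and byte strings below are constructed; the extension list is the one
in the post.
"""
import os

BLOCKED_EXTENSIONS = {".ani", ".cur", ".ico", ".jpg"}   # from the post


def looks_like_ani(data: bytes) -> bool:
    """True if the bytes carry a RIFF container of form type 'ACON', the
    Windows animated-cursor layout, regardless of the file name."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def looks_like_ico_or_cur(data: bytes) -> bool:
    """ICONDIR header: reserved word 0, then type 1 (icon) or 2 (cursor), little-endian."""
    return (len(data) >= 4 and data[:2] == b"\x00\x00"
            and data[2:4] in (b"\x01\x00", b"\x02\x00"))


def screen_attachment(filename: str, data: bytes):
    """Return (blocked, reason). Extension check first, then content sniffing,
    because a rule on extensions alone lets a renamed file through."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return True, f"extension {ext} is on the block list"
    if looks_like_ani(data):
        return True, "RIFF/ACON (animated cursor) content under extension " + (ext or "<none>")
    if looks_like_ico_or_cur(data):
        return True, "icon/cursor header under extension " + (ext or "<none>")
    return False, ""


# Constructed attachments: a plainly named cursor, the same bytes renamed, a harmless PDF.
SAMPLES = {
    "cute.ani":   b"RIFF\x2c\x00\x00\x00ACONanih" + b"\x00" * 40,
    "photo.jpeg": b"RIFF\x2c\x00\x00\x00ACONanih" + b"\x00" * 40,
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}


def screen_all(samples=SAMPLES):
    """Map each sample name to its blocked/allowed verdict."""
    return {name: screen_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, screen_attachment(name, data))
```

Note that `.jpeg` is not on the post's list, so `photo.jpeg` is caught only by the content check. The four-byte icon header is short enough to collide with other binary formats occasionally; treat that branch as a quarantine trigger rather than a hard drop.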

Additional information about this vulnerability may be found at these links:

UPDATE: 4/2/2007, Microsoft plans early patch update to address this flaw:
Microsoft Response Center Update
UPDATE: 4/3/2007, Microsoft has released a patch.

I will update this blog post as more information becomes available.

Tuesday, March 13, 2007

Request to exit

The industry calls it a Request-To-Exit (RTE). Some are motion sensitive, others require the push of a button, and a very few require another wave of the badge. We’d examined the client’s public areas. Some of their RTEs were motion sensitive, and some used a button. What about the data center? We knew that the RTE could be a weak spot. The security system might log the RTE, but even here at the data center, it would probably not trigger an alarm. The motion sensitive types unlock at any close approach, and pressing a button is a normal event. If we could trigger an RTE and avoid forcing the door, we would have more time to work.

Our view was limited. We had a four-by-eight-inch view above the door handle. We could see another camera, a blank stretch of wall and a small corner of a lit room. We watched for shadows and assembled our tools.

We knew the probable height and position of the button. Could we reach it? The door was not the automatic-opening type. The dead bolt was open, but the electromagnetic lock was closed. We’d taken our MacGyver shopping list to a local hardware store, our $40 worth of spare parts versus a multi-million dollar data center. We made the viewing scope from 1/2 inch narrow pipe, carpet tape, and a convex mirror. We bent the pipe and squeezed the mirror below and past the door. The data center was on a raised floor, and we had a three-fourth-inch clearance. We had our window. In the three-inch mirror, there was the button! We quickly assembled the “finger.” The mirror became a problem because we needed to have both of our devices in view, as we squeezed down next to the door. Two pairs of hands blindly working, while a third pair of eyes directed, and a fourth kept watch. You know what they say about convex mirrors: “Objects in mirror are closer than they appear.”

Part 5 of 7, (to be continued)

Friday, March 9, 2007

ICANN Factsheet: Root server attack on 6 February 2007

I'm reading through the ICANN factsheet (08mar07.pdf) and this paragraph jumps out at me.
A third category is the huge increase in individual Internet users installing routers in their homes, usually to provide wireless access or to link up several computers in the house. These consumer products usually come with the same password and a large percentage of home users never change this default password, making it easy for hackers to seize control of them for their own ends. If consumers were encouraged to change the default password or if router manufacturers were persuaded to provide each unit with a different password, then future attacks against the Net’s infrastructure could be tackled at (the) source.
(my emphasis)
I know there has already been quite a bit said about this topic here, here and here. However, this particular paragraph is written by the people who make sure that the wheels stay on the Internet's bus. This is really a very important issue and it's time the router vendors solve this problem.

The factsheet is well written and introduces a lot of information regarding the attack. Now that it has been published I can speak a little about it here. (Full disclosure: Catbird performs DNS monitoring for some of the root service providers.)

After the attack I reviewed our aggregate DNS and web performance data. Catbird gathers over one million data samples each day so I had more than enough to choose from. I chose a random sample of our monitors and developed the two charts included in this post.

The Feb 6 attack occurs around the midpoint of each chart. The attack hit two of the thirteen root servers very hard, but as you can see from these graphs the downstream DNS providers and the web sites they serve were not affected.

I make this point because I do not believe the attackers intended to bring down the Internet. I think that this was the performance test of an attack botnet. This attack combines good advertising with a live product demo. I will not be surprised to hear about a rise in DDOS attacks and extortion demands made against high-value commerce web sites.

I recommend that we all brush up on our understanding of anycast, GeoDNS and related defenses against DDOS.

Thursday, March 8, 2007

Airline Security Since 9/11

Over on Schneier's blog, there is a lively discussion about an article link Bruce posted. I posted a comment, but have more to say below.

What real security improvements have been made?
  1. Stronger cockpit doors
  2. Air Marshals
  3. Passengers (and crew) who know that resisting the hijacker may be the best course of action
Regarding number three, it is not always necessary to fight the hijacker. In 2004, Eritrean hijackers seeking political asylum, diverted a plane to the Sudan.

However, in the continuing to fight the last war department, we have multi-million dollar projects to build a hijack-proof plane.

SAFEE coordinator Daniel Gaultier said: "You never reach zero level of threat, no risk, but if you equip planes with on-board electronics, it will make them very difficult to hijack."
<sarcasm>Sure, electronics will make it better. Just like the on-board electronics in RFID equipped passports. Electronics always make you safer.</sarcasm>

It is important that we address known threats and act to make people feel safer on airplanes, but what are we doing about the next threat?

We could be loading baggage into blast-proof cargo containers, but as I pointed out in my comment, this is being fought by the airlines themselves. The airlines must believe it is much cheaper to just pay-off the relatives or sue Libya.

What else? Protecting our ports of entry? You could ship an entire tank division through one of our ports, let alone a chemical, biological or nuclear weapon. Meanwhile people think building a 2000-mile fence to keep out our gardeners, housekeepers and building contractors is a good idea. Hello, New Orleans, sorry all those folks actually helping you rebuild the city... Please send them back to Mexico. If I were Bin Laden, I would be driving a taxi in New York, availing myself of our excellent hemodialysis care, while personally selecting the next target.

Does anyone really think that a terrorist will risk dying of thirst crossing the Mexican border, when they can just as easily enter the country on a Princess Cruise? Am I the only person who saw Speed 2?

The latest craze with liquids on airplanes, is an example of the hype involved here. These activities do not make us safer and will most likely lead us to ignore the real warning signs. After all, smokers are (warning: may be inappropriate for some viewers) still finding ways around the system.

If individual safety is more important than lobbyist dollars or inconvenience, then we should be building safer planes, blast-proof cargo containers, banning most carry-ons and getting rid of those awful snacks. We also need a homeland security organization that consults with people like the Tofflers, Vinges and Harlan Ellison.

Sunday, March 4, 2007

Popular Blog Software Cracked

A successful attack was made on the WordPress 2.1.1 download. The attacker modified the files theme.php and feed.php. These modifications created a backdoor which would allow a user to gain privileged access to any server running WordPress 2.1.1.

All users have been requested to update immediately to WordPress 2.1.2. Users who access updates through the Subversion repository were not compromised.
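The lesson for anyone running a downloaded package is that you need a way to tell whether the files on your server still match the release. Below is an added example, not WordPress's own tooling, of the check I would run: hash every file in a pristine copy of the release and in the installed tree, then report what was modified, added or removed. The two trees, their contents and the paths `wp-includes/theme.php` and `wp-includes/feed.php` are constructed for the demo.

```python
"""Detect modified, added and missing files in an installed tree.

Added example for the incident above, not WordPress's own tooling. The two
directory trees, their contents and the file paths are constructed for the
demo.
"""
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = file_digest(full)
    return digests


def compare_trees(pristine_root, installed_root):
    """Diff an installed copy against a pristine copy of the same release."""
    pristine, installed = tree_digests(pristine_root), tree_digests(installed_root)
    return {
        "modified": sorted(p for p in pristine if p in installed and installed[p] != pristine[p]),
        "added": sorted(p for p in installed if p not in pristine),
        "missing": sorted(p for p in pristine if p not in installed),
    }


def _write(root, rel, text, mode="w"):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(text)


def demo():
    """Build a constructed pristine tree and a tampered copy, then diff them."""
    release = {
        "index.php": "<?php // front controller\n",
        "wp-includes/theme.php": "<?php // theme helpers\n",
        "wp-includes/feed.php": "<?php // feed helpers\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        pristine = os.path.join(tmp, "pristine")
        installed = os.path.join(tmp, "installed")
        for root in (pristine, installed):
            for rel, text in release.items():
                _write(root, rel, text)
        # Constructed tampering: a line appended to two files, one file dropped in.
        _write(installed, "wp-includes/theme.php", "// appended line (constructed)\n", mode="a")
        _write(installed, "wp-includes/feed.php", "// appended line (constructed)\n", mode="a")
        _write(installed, "wp-content/uploads/extra.php", "<?php // not in the release\n")
        return compare_trees(pristine, installed)


if __name__ == "__main__":
    print(demo())
```

The pristine copy has to come from somewhere you trust more than the download mirror that was compromised; a checkout from the project's own version control, as the Subversion users above had, is exactly that. Store the digest map of a known-good install and re-run the comparison on a schedule, and a modified `theme.php` shows up before anyone has to notice a backdoor.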

Wednesday, February 28, 2007

Important Update to Super Bowl web site hack

Super Bowl Infection - Analysis of One Break-in

One of the victims has provided their analysis of the attack and their lessons learned. Important reading for any web site developer.

My thanks to the Internet Storm Center for providing a channel for this information.

I blogged on this earlier.

Tuesday, February 27, 2007

Hidden in wait

As we waited, we had time to think and review the plan. To us, the world’s greatest hackers are an unknown. No one knew their names and no one would know their faces. The celebrities in the paper are not the best. For tonight, we had to be the best. Otherwise, our faces would be on tape, and we would just be more bad boys who’d been caught.

We arrived at the target floor. We knew there were cameras everywhere. If they saw us in this area, we’d only have a few minutes before guards arrived. Our next stop was the fire suppression closet.

Now the challenge: we had to build our device. We worked by light reflected through a four-by-eight-inch window. As people left for home, they passed our closet, but we remained undetected.

We’d examined the company’s card key system and checked it on the Web. Card key systems are everywhere and they almost all use the same operating methods.

Part 4 of 7, (to be continued)

Outsmarting the motion detectors

We waited until the building was mostly empty. We knew this business, this client. Their operations were 24/7. We arrived in the early evening and had already examined the ground and the building plans in detail. We knew our route. The weather had been perfect: rain with wind. This would mask the infrared, mess with the ultrasound. Still, we knew we had to be quick, and our timing had to be good.

We waited 40 yards from a garage exit. We could see the guard shack, but the patrol was out of sight. We waited until a distraction caused the guards to look the other way. We dashed for the ramp. We couldn’t avoid the sensors, but hoped that after a night of false alarms ours would be ignored. We had to get inside the Garage quickly. A car came down the ramp as we dashed up. This might fool the guards on the motion camera; they’d see the car, but not us. Did the driver see us? We were past him in a blink on the blind side, but one look in the mirror would be all it took.

Up the ramp and into the garage. There was another camera straight ahead. Two seconds to pass the camera, we would show for a few frames on a bank of sixteen monitors. Then into the fire escape. The team climbed past the public areas quickly and silently, before the guards could reach the stairwell. We listened for the sound of pursuit while our hearts pounded – tough work for computer jocks.

Part 3 of 7, (to be continued)

Friday, February 23, 2007

Get out of jail free cards

In the hotel, we met with our client. He gave us two “pass” cards. We joked that the cards said, “Let these guys go, but scare them first.” We knew the procedure. The guards would call the police before calling their boss. The police had guns.

The security chief would wait in his office hoping to hear the good news. He wrote on our passes that they were good for one night only. Trust is carefully measured.

Catching us would be good news. It would inform our client that his system beat us. However, our job was to deliver an honest assessment of his security risks. Idiots are caught every day.

Part 2 of 7, (to be continued)

Wednesday, February 21, 2007

Penetration Testing

It’s Friday, for the second time.

We left Asia yesterday and are a few hours past the International dateline, traveling parallel to the Aleutian Islands. Sunrise is ahead of us. Our moonlit challenge is behind us.

We had been a team off and on for the last ten years -- C programmers, UNIX kernel engineers, and now a tiger team paid to sneak into secure data centers.

As trained security consultants, our clients paid us to break in -- with the full knowledge of our employer, the company’s security chief -- but without the knowledge of site security.

We’re going to turn south soon. Home is ahead. We have been away for two weeks, carefully planning and arranging to perform the task that took less time from start to finish than the remainder of our flight.

During that time, we analyzed the building and planned the technical part of our attack. We determined the systems that needed our backdoor. We carefully arranged our timing with the security chief; he knew we were coming, but his staff did not. This was a test. Were they as good as they thought they were?

The motion sensors, cameras and guards were on one side. Our skill, technical experience and creativity were on the other. Our job was to determine if the physical security and technical safeguards would be enough to keep us from breaching the physical security of their data center and creating a backdoor to the Internet.

Part 1 of 7, (to be continued)

Sunday, February 18, 2007

I Hate Passwords #12

There are three basic types of authentication, often called “factors.”

  • Something you know
  • Something you have
  • Something you are
Passwords, ATM cards and fingerprints are examples of these factors. There are many good techniques for putting these authentication methods into practice. Probably the most familiar two-factor method is the ATM card with PIN.

'Drive-by Pharming' Attacks Potential Threat to Broadband Users

Many users, however, do not change their default password issued by the router manufacturer, Ramzan said. According to a separate informal study conducted by Indiana University, up to 50 percent of home broadband users are susceptible to this attack.

Examples like this are reason #12 for why I hate passwords. Vendors, including ATM machine vendors, continue to ship all of their devices with the exact same administrator password. The problem is not that the device has a default password. The problem is that every device (e.g. Linksys router) has the same default password. When you are building devices that dispense cash or connect to the Internet, this practice is unacceptable. Where I differ from Ramzan is that I believe the responsibility lies with the router manufacturers, not the users. The manufacturers must stop this practice of shipping the same default password on every device.

Security research has analyzed this area for ages. The manufacturers have no excuse for continuing to ship products that are insecure from the start. Here are a few of the available solutions:

  1. Use the device serial number, or the last four digits of the serial number as the initial password. This works for home or SOHO routers (only visible to the owner) and ATM machines (located behind a locked panel)
  2. Prompt the owner for a new administrator password. Make it easy, any four digits (PIN) will suffice as long as the device resists password cracking.
  3. Add another factor. Ship ATM machines with a “manager” ATM card (chain it to a holder behind that locked panel). Network devices could include a soft token with their installation software. This soft token would also simplify setting up wireless devices with WPA-2 security.
  4. Use challenge response questions instead of a password. Ask the user three questions out of a pool of thirty, then select one question each time the user needs administrative access. While this will not work for the ATM machine, it is fine for network access.
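To show that options 1 and 2 are a few dozen lines of firmware rather than a research project, here is an added example (my code, not any vendor's). It goes one step beyond option 1: instead of using the serial number directly, it keys the serial with a manufacturer secret, so the string printed on the case does not give the password away and the factory can still reprint it for a support call. The second half is option 2's condition that "the device resists password cracking": a four-digit PIN with an attempt limit and a lockout window. The serial, secret and PIN are constructed values.

```python
"""Per-unit initial credentials and brute-force resistance for a short PIN.

Added example for options 1 and 2 above, not any vendor's code. SERIAL,
MANUFACTURER_SECRET and the PIN are constructed.
"""
import hashlib
import hmac
import time

# No 0/O or 1/I so the password survives being read off a sticker.
# 32 symbols: 256 % 32 == 0, so indexing by a byte value has no modulo bias.
PASSWORD_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
MANUFACTURER_SECRET = b"constructed-factory-secret"   # would live in the provisioning system, never in firmware


def derive_initial_password(serial: str, secret: bytes = MANUFACTURER_SECRET, length: int = 8) -> str:
    """Unique initial admin password per unit: reproducible at the factory,
    not guessable from the serial alone (HMAC, not a bare hash of the serial)."""
    digest = hmac.new(secret, serial.encode(), hashlib.sha256).digest()
    return "".join(PASSWORD_ALPHABET[b % len(PASSWORD_ALPHABET)] for b in digest[:length])


class PinGuard:
    """A four-digit PIN is fine only if the device resists guessing. After
    max_attempts failures the interface locks for lockout_seconds; 10,000 PINs
    at 5 tries per 5 minutes is on the order of a week of uninterrupted work."""

    def __init__(self, pin: str, max_attempts: int = 5, lockout_seconds: int = 300):
        self._pin = pin.encode()
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, candidate: str, now=None) -> str:
        """Returns 'ok', 'bad' or 'locked'. 'now' is injectable for tests."""
        now = time.monotonic() if now is None else now
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(self._pin, candidate.encode()):   # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return "locked"
        return "bad"


if __name__ == "__main__":
    serial = "SN-00012345"                       # constructed
    print(serial, "->", derive_initial_password(serial))
    guard = PinGuard("4921", max_attempts=3, lockout_seconds=60)   # constructed PIN
    for guess in ("0000", "0001", "0002", "4921"):
        print(guess, guard.attempt(guess, now=0))
```

The lockout state has to survive a reboot, or the attacker's script simply power-cycles the unit between windows; for a router that means writing `locked_until` to flash, which is the one piece this demo leaves to the firmware.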

I hope that someone out there at Netgear or Linksys is watching, because they are responsible for this problem. If finding out that your broadband router is an open door to your home network is not bad enough, I’ll leave you all with this very educational video on door locks, which shows that your front door is wide open too.

Wednesday, February 14, 2007

MySpace (in)Security

I'm in Chicago, listening to United's hold music (95 minutes and counting), catching up on my DarkReading.

A prime example of this problem is MySpace, which has been hit by the same vulnerability six times because it has not properly stopped attackers from entering malicious text through stripping. In providing a consumer benefit, MySpace has made its site far more dangerous to those very same consumers.
Attackers at MySpace are using the MySpace tools to introduce exploit code into a MySpace web page. MySpace is responding by attempting to delete the offending code from the content.

As RSnake notes, this has led to an oscillating conflict between the MySpace web coders and the attackers. It looks something like this:


Submit(Post_html) where Post_html equals:

>html start ... [embedded exploit] ... html end<

Defender (server side of submit function)

Clean(Post_html) {
  If Found_Exploit(Post_html)
    Post_html = Strip_Exploit(Post_html)
}

This conflict oscillates because after each improvement the Defender makes to the “Strip_Exploit” logic, the Attacker adapts her efforts to defeat the system. To get out of this situation, the defender needs to change the rules.

There are many ways to solve this problem. I’ll delve into two examples: with “stripping” the Defender could iterate over the data until clean; another solution is to use Substitution instead of Strip.

Example 1: Defender using strip

Clean(Post_html) {
  If Found_Exploit(Post_html)
    Clean( Strip_Exploit(Post_html) )
}

Recursion prevents the attacker from passing a nested embed attack through the Strip function. As an alternative to recursion, the defender could iterate through a loop until the exploit code is gone:

While Found_Exploit(Post_html)
  Set Post_html to Strip_Exploit(Post_html)

Another solution is to replace the exploit code with a safe substitution. For example, if the offending code is “Crake” then replace each instance of Crake with “Oryx.” It is vital that the replacement text is the same length or less than the length of the exploit text – otherwise, the attacker may discover a method to overflow the buffer you are using to contain Post_html.

Example 2: Defender using substitution

While Found_Exploit(Post_html)
  Set Post_html to Replace_Exploit(Post_html)
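To make the oscillation concrete, here is an added example in Python (mine, not MySpace's or RSnake's code) that stands in for the pseudocode above. `Found_Exploit`/`Strip_Exploit` are assumed to be a single `<script>...</script>` element; the nested post is constructed so that stripping the inner element once leaves a whole outer one behind, which is exactly the nested embed the single-pass defender misses. The loop in `strip_until_clean` is Example 1, `replace_until_clean` is Example 2, and both carry a round cap so a post engineered to keep the loop busy is rejected instead of served.

```python
"""Single-pass strip vs. iterate-until-clean vs. substitution.

Added example for the pseudocode above, not MySpace's or RSnake's code. The
pattern Found_Exploit looks for is an assumption for the demo: one
<script>...</script> element. The nested sample post is constructed.
"""
import re

# Stand-in for Found_Exploit / Strip_Exploit: one script element, case-insensitive.
EXPLOIT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)


def found_exploit(post_html):
    return EXPLOIT_RE.search(post_html) is not None


def strip_once(post_html):
    """The original defender: a single pass of Strip_Exploit."""
    return EXPLOIT_RE.sub("", post_html)


def strip_until_clean(post_html, max_rounds=20):
    """Example 1: loop until Found_Exploit is false. The round cap guards
    against input built to keep the loop busy; hitting it means reject the post."""
    for _ in range(max_rounds):
        if not found_exploit(post_html):
            return post_html
        post_html = strip_once(post_html)
    raise ValueError("post still dirty after %d rounds; reject it" % max_rounds)


def replace_until_clean(post_html, marker="[removed]", max_rounds=20):
    """Example 2: substitute a fixed marker. The marker is no longer than the
    shortest possible match ('<script></script>', 17 characters), so the
    output never grows, which is the length condition the post insists on."""
    if len(marker) > len("<script></script>"):
        raise ValueError("marker must not be longer than the shortest exploit match")
    for _ in range(max_rounds):
        if not found_exploit(post_html):
            return post_html
        post_html = EXPLOIT_RE.sub(marker, post_html)
    raise ValueError("post still dirty after %d rounds; reject it" % max_rounds)


# Constructed nested post: stripping the inner element once re-assembles an outer one.
NESTED_POST = "<b>hi</b><scr<script></script>ipt>x()</script>"

if __name__ == "__main__":
    print("one pass   :", strip_once(NESTED_POST), "| still dirty:", found_exploit(strip_once(NESTED_POST)))
    print("until clean:", strip_until_clean(NESTED_POST))
    print("substitute :", replace_until_clean(NESTED_POST))
```

Running it shows the one-pass strip handing back `<b>hi</b><script>x()</script>`, while the loop version returns `<b>hi</b>` and the substitution version leaves `<scr[removed]ipt>x()</script>`, harmless because no opening tag survives. The caveat a reviewer would raise is that `EXPLOIT_RE` is still a blacklist, and an unclosed `<script>` or an `onerror=` attribute sails past it; the durable way out of the arms race is to escape everything and allow a short list of known-safe tags, which is a different design from the strip-or-substitute choice the post discusses.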

Meanwhile, I recommend you disable scripting when you browse a page at MySpace.