Bitland.Net Security Notes
Comments? email jwilkins-at-bitland*net
More information on the author at Jonathan Wilkins's home page. RSS feed available at http://www.bitland.net/index.rss

Norman Sandbox (2005/12/16 10:00) [Tools]
Thorsten Holz recently pointed out the Norman Sandbox on Dave Aitel's Daily Dave mailing list. This tool analyzes random malware and tells you what it does. You upload it and it prints out stuff like:

[ Network services ]
 * Looks for an Internet connection.
 * Connects to "lazy.irwanmartin.com" on port 6667 (TCP).
 * Connects to IRC server.
 * IRC: Uses nickname |521508.
 * IRC: Uses username mlraczsp.
 * IRC: Joins channel #bin with password 64b5e2Nb.
 * IRC: Sets the usermode for user |521508 to -x-i.

Looks quite handy.

100,000 host BotNet (2005/10/10 09:00) [Misc]
Apparently 3 Dutch hackers managed to build a botnet containing 100,000 machines and had been using it for DDoS attacks as well as to harvest financial info and site credentials (PayPal and eBay, for example). The Register has the full story. The interesting thing is that when you get to botnets of this size, the usual large-company defense against DDoS attacks, excess capacity, may not be enough. A 10,000 node botnet can do about 1-2Gb of traffic, so a 100,000 node net should be able to deliver >10Gb.

Find encrypted or compressed files (2005/10/04 17:45) [Python]
I'm going to start stashing random Python scripts I write here since some of them will probably be useful for other people. Last weekend Jesse and I were going through the PSP firmware and wanted to find all of the files that weren't packed, so we each whipped up a quick Python script. I think it's probably more useful as the inverse script, so that's what's here. If you want uncompressed, change line 18 to <
# Find encrypted or compressed files
# This isn't perfect, but typically compressed or encrypted files
# can't be further compressed. Properly encrypted files look like
# random data and fully compressed files can't be made smaller.
import bz2, os
from os.path import join
for root, dirs, files in os.walk('.'):
    for name in files:
        inf = open(join(root, name), 'rb')
        s = inf.read()
        inf.close()
        insize = len(s)
        if insize > 0:
            c = bz2.compress(s, 9)
            csize = len(c)
            cratio = csize * 1.0 / insize  # near 1.0: bz2 could not shrink it
            if cratio > .98:
                print("%s: %d/%d (%.2f)" % (join(root, name), insize, csize, cratio))
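The same compressibility test as a reusable function, with a byte-entropy check beside it so that tiny files and short high-entropy headers do not trip the ratio test on their own. This is an added example, not the script from the post; the 7.5 bits/byte entropy threshold, the 64-byte minimum and the constructed samples are assumptions (the 0.98 ratio comes from the script above).

```python
import bz2
import math
import random
import zlib
from collections import Counter

def compression_ratio(data, level=9):
    """bz2 output size over input size; at or above ~1.0 means bz2 could
    not shrink the data, the test the script above relies on."""
    if not data:
        return 0.0
    return len(bz2.compress(data, level)) / len(data)

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify(data, ratio_threshold=0.98, entropy_threshold=7.5, min_size=64):
    """'packed' when the data looks compressed or encrypted, 'plain' otherwise.
    Both indicators must agree: bz2's fixed header overhead alone pushes the
    ratio of a tiny file over the threshold, and a short random-looking header
    on an otherwise plain file can spike entropy without defeating compression."""
    if len(data) < min_size:
        return 'too-small'
    if compression_ratio(data) > ratio_threshold and shannon_entropy(data) > entropy_threshold:
        return 'packed'
    return 'plain'

# Constructed samples (assumption, not from the page): English-like text,
# the same text deflated, and seeded pseudo-random bytes standing in for ciphertext.
_rng = random.Random(7)
_WORDS = [b"alert", b"packet", b"payload", b"firmware", b"header", b"entropy",
          b"sandbox", b"queue", b"socket", b"kernel"]
PLAIN_TEXT = b" ".join(_rng.choice(_WORDS) for _ in range(4000))
DEFLATED = zlib.compress(PLAIN_TEXT, 9)
RANDOM = bytes(_rng.getrandbits(8) for _ in range(4096))

def report():
    """Per-sample verdict together with the two measurements behind it."""
    return {name: (classify(d), round(compression_ratio(d), 3), round(shannon_entropy(d), 2))
            for name, d in [("text", PLAIN_TEXT), ("deflated", DEFLATED), ("random", RANDOM)]}

if __name__ == "__main__":
    for name, (verdict, ratio, ent) in report().items():
        print("%-9s %-9s ratio=%.3f entropy=%.2f" % (name, verdict, ratio, ent))
```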

Comments on the Cisco Debacle (2005/08/04 14:30) [Security]
Update: I just read that Cisco had paid ISS to do the research. If this is true, the following doesn't apply. I've only heard it from one source though.

Michael Lynn released some information on reliable exploitation of Cisco IOS vulnerabilities at this year's Blackhat. He did so over the objection of the company that paid him to do the research and also against Cisco's wishes. Firstly, some links, with full background: Boing Boing's coverage, Schneier's comments, Tom's comments.

My opinion is that Cisco has made some huge mistakes in handling this incident. Firstly, they sued a security researcher. That's definitely going to cause them a huge amount of pain over the next weeks and months as more and more researchers go after them. Outside of branding your products "Unbreakable", suing researchers is the fastest way to paint a giant bullseye on your back. Secondly, they tried to cover up the research. Everyone close to the industry knows that pretty much any type of vulnerability is exploitable given time. Most are aware that this isn't the first Cisco IOS overflow. FX of Phenoelit spoke a couple of years ago about exploiting them. The only difference is that Michael was able to prevent the box from rebooting by killing off the heap checker and spawn a shell. If Cisco had just kept their mouths shut, this would have gotten almost no press. I was planning on skipping the talk entirely (because I saw FX's talk) until I heard about Cisco's efforts to suppress it. Cisco has also managed to annoy various government agencies that are concerned with critical infrastructure protection. Cisco had an obligation to disclose information like that revealed in Lynn's talk and it's clear that they didn't notify a large number of interested agencies.

ISS has also managed to severely damage themselves. They basically asked one of their researchers to do some outstanding work and then, at the last minute, caved to a vendor over a presentation that didn't actually release new vulnerability information. That's the truly insane part. All of this uproar is over someone saying that you can exploit Cisco hardware. Something anyone involved in security has had to assume since Cisco started shipping gear and that most people knew was confirmed 2 years ago. Despite this, ISS demonstrated that they were willing to kowtow to a vendor over a well known fact. ISS's credibility as a vulnerability research organization is pretty much gone. I predict that a large number of their employees will leave over the next year. Tom argues that ISS had no choice in the matter. I disagree. I don't see why Cisco has a case against them at all. Security companies do security research all the time and release the results. They didn't have to agree to be quiet in the first place. It was only after they agreed to quash the research that they ran into trouble. They also make it easier for future companies to pull the same trick. Next time ISS is about to release an advisory, the vendor just says that they'll sue and watches as ISS drops it.

As for Lynn, I'm pretty sure that he did the right thing. As he saw it, Cisco had this huge vulnerability that they were about to make much worse (by deploying a feature that would make worms trivial to write) and they were obviously willing to hide the research from thousands of security professionals and government agencies that had a need to know. He did violate his NDA with ISS, but I would have thought that ISS's stance on the issue would be much different. Caving in to vendor pressure like this damages them enormously.

Running WindowsXP with no services (2005/08/04 13:10) [Microsoft]
Slashdot pointed out some new work by Mark Russinovich of SysInternals. Mark managed to successfully kill off all services except System and Csrss and leave the system in a stable state. Read Running Windows With No Services.

Cache Timing Attacks on AES (2005/06/03 16:45) [Crypto]
Dan Bernstein has recently released a paper on Cache-timing attacks on AES. His attack is able to perform complete AES key recovery based on known plaintext timings across a network. This is pretty huge and is fundamental to the AES algorithm, not any particular implementation. Tom Ptacek has an astoundingly funny edit of the resulting debate on sci.crypt.

Bernstein's paper on Brute Force Attacks in Cryptography (2005/06/03 15:00) [Crypto]
I love reading DJB's papers. They're always quite educational and he's not above handing out a well-deserved smackdown. Take this quote from his Understanding Brute Force paper: "Why did the author of this paper characterize this serial attack as successful cryptanalysis? It's simply not true that the attack is 'faster than exhaustive search' - unless you assume that the attacker is forcing himself to use a serial computer, ie, that the attacker is an idiot"

Bluetooth Crypto Broken (2005/06/03 13:45) [Security]
Slashdot reports on a new threat for Bluetooth devices. It's possible to eavesdrop on conversations and even initiate calls. It turns out it's embarrassingly easy. Bluetooth devices need to be paired in order to talk to each other. In order for this to happen, the user enters a sequence into both devices and they then negotiate a key. Ollie Whitehouse demonstrated a weakness in this process last year wherein you could deduce the key if you could sniff the initial communication. The Bluetooth spec apparently includes an "I forgot my key" message that a device can send to redo this key negotiation. If you are within range, it's trivial to spoof this message. Way to go. Read about the Bluetooth crypto break here.

Aluminum Foil Defeats Common Shoplifting Defence (2005/06/01 11:35) [Security]
From Hack In The Box: apparently those anti-shoplifting systems you find all over the place can be defeated by a few layers of aluminum foil. I'm not sure if this applies to all of the variants, but I don't see why it wouldn't. They all rely on being able to get a signal to a small receiver inside the device attached to any item of value.

Corporate Espionage and Driver Vulnerabilities (2005/05/30 09:00) [Security]
Since I'm travelling and since these went across Slashdot, I'll be brief. It seems that a bunch of Israeli companies have been trojaning each other to gain competitive information. So far 18 arrests have been made and some large companies have been implicated, including two cell phone providers and Israel's main satellite TV company. See Wired's coverage and Slashdot's coverage. Slashdot also points to this SecurityFocus.com article on vulnerabilities in driver software. It's a fairly high level article, but it's good to see kernel bugs getting greater attention.

Further analysis of the Witty worm (2005/05/26 14:45) [Worms]
For all who don't know: Vern Paxson > *. If a paper has his name on it, it's always worth your time to read it. Given that, here's a new one: Exploiting Underlying Structure for Detailed Reconstruction of an Internet-Scale Event by Kumar, Paxson and Weaver. In case you don't remember, Witty was probably the most interesting worm of the past decade. It was a flash worm, targeting installations of several of ISS's products (RealSecure Network, RealSecure Server Sensor, RealSecure Desktop and BlackICE). It infected most of the vulnerable population in just over an hour and likely used a hitlist to seed its propagation. It was also destructive, overwriting random blocks on the hard drive. It was clearly written by someone skilled, rather than relying on PoC code written by someone else. In this paper the researchers are able to figure out an incredible amount of information on the victim hosts and the spread of the worm by using a block of unused IP address space and the fact that the worm seeded its PRNG with the infected system's time. They are able to compute each victim's uptime, bandwidth and number of disks, figure out which machine infected which others, and find out which machine was the origin of the attack. It also demonstrates the problems with using PRNGs.
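A toy version of the reconstruction principle the paper builds on, added here as an example (it is not from the post or the paper): a constructed 32-bit LCG stands in for the worm's generator, the seed is assumed to be the victim's uptime in seconds at infection, and an observer on an unused address block who logs a victim's first few destination addresses recovers the seed, and with it the uptime, by searching only the small window of plausible time values. The generator constants, the seed-equals-uptime assumption and the scenario numbers are all assumptions.

```python
# Toy LCG standing in for the worm's address generator. The constants are
# constructed for this example; they are not Witty's (see the paper for those).
M, A, C = 2**32, 1664525, 1013904223

def lcg_step(state):
    """One generator step; the output doubles as the next destination address."""
    return (A * state + C) % M

def addresses_from_seed(seed, count):
    """The sequence of destination addresses a host seeded with `seed` emits,
    in order. A telescope on unused address space sees this sequence (minus
    the addresses that fall outside its block)."""
    out, state = [], seed % M
    for _ in range(count):
        state = lcg_step(state)
        out.append(state)
    return out

def recover_seed(observed, window):
    """Given the first addresses logged from one victim and the window of
    plausible seeds, return the unique seed that reproduces them, or None.
    The first output filters candidates; the full prefix confirms the match.
    The search is cheap because a time-derived seed has far fewer than 32
    bits of real entropy: only the window size matters, not the state size."""
    hits = []
    for seed in window:
        if lcg_step(seed % M) == observed[0] and \
           addresses_from_seed(seed, len(observed)) == observed:
            hits.append(seed)
    return hits[0] if len(hits) == 1 else None

def victim_uptime_s(observed, max_uptime_s):
    """Assumption of this toy model: seed == uptime in seconds at infection,
    so recovering the seed is recovering the victim's uptime."""
    return recover_seed(observed, range(0, max_uptime_s + 1))

if __name__ == "__main__":
    # Constructed scenario: a victim that had been up for 3 days and 7 minutes
    # when it was infected, and a telescope that logged its first four probes.
    true_uptime = 3 * 24 * 3600 + 7 * 60
    seen = addresses_from_seed(true_uptime, 4)
    print(victim_uptime_s(seen, 7 * 24 * 3600))  # prints 259620
```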

More alternative energy - Ocean Power (2005/05/26 11:00) [Misc]
Another from Wired. This time they're talking about some experimental ocean power possibilities. Basically, it appears that it's feasible to extract energy from the temperature differential between water near the ocean floor and water near the surface. It also has applications for cooling and water purification, and can be used to accelerate crop growth.

XSS Cheat Sheet (2005/05/25 14:15) [Security]
RSnake has a really handy XSS Cheat Sheet. It won't help you if you don't understand XSS attacks to begin with, but it's a pretty complete list of variants and obfuscation techniques.

CallerID spoofing (2005/05/25 11:45) [Phones]
This is old news, but I've run into a few people lately who still weren't aware, so I dug up some fresh links. The basic gist is that spoofing caller ID is easy, and so any authentication system that relies on valid CID info is broken. RootSecure.net covers CallerID spoofing with Linux and Asterisk. There are also a few services that make things trivial: SpoofTel and CamoPhone.

Microcyn == Super oxidized water (2005/05/24 22:00) [Bio]
This Wired article on Microcyn dumbs down the essentials, but does describe a really interesting breakthrough in wound treatment. Basically this pH-neutral oxidized water made by Oculus is able to treat wounds more effectively than antibiotics and seems to be the only functional treatment for certain types of diabetic ulcers.

Up to 72 Terawatts in wind power available (2005/05/24 16:40) [Misc]
Wired reports that a new study of 8000 sites worldwide finds that if one were to set up turbines at 13% of these locations, you would be able to generate 72 terawatts of power, which is more than 5 times the world's consumption in 2002.

New method for generating stem cells (2005/05/24 16:30) [Bio]
Wired reports on a South Korean team's method of generating custom stem cells. This technique uses embryonic stem cells to generate a custom line that is a genetic match to the patient, which reduces the chance of immune rejection. More and more, these inventions are going to be happening outside of North America and Europe due to stupid policies around research. I'm extremely glad to see that countries like China and South Korea are generating these results, but I feel sorry for researchers trapped in the US. I hear that China's offering some really stellar packages for top geneticists who are willing to relocate.

$20 for an SSL Cert (2005/05/24 12:15) [Crypto]
GoDaddy is selling $20 SSL certificates for a limited time. Verisign is still making an obscene amount of money flogging them for $349/year. All you're paying for is for them to sign a few bits so that browsers will be able to see that a third party has vouched for your site. Over the past few years, other companies have emerged to sell certs for less than Verisign: Thawte sells them for $149, GeoTrust sells them for $99, and a little while ago FreeSSL.com started offering them for $49. The only real difference between them is whether their root certificate is in all the browsers your site is likely to see. If you have a lot of users who are still running Netscape 1.0, then you'll need to pay Verisign to make sure that they don't get any error messages. Otherwise, almost everyone else is fine with the cheap certs you can get elsewhere.

Hamming's "You and Your Research" Talk (2005/05/22 14:00) [Misc]
Richard Hamming (a mathematician who worked at Bell Labs in the days of Feynman, Fermi, Teller and Shannon, and who is responsible for many innovations in computer science and related fields such as the Hamming code and Hamming distance) gave a talk in 1986 which centers on the question "Why do so few scientists make significant contributions and so many are forgotten in the long run?" I think anyone working in any scientific or engineering field should read this transcript.

Technical Video Rental (2005/05/22 10:45) [Misc]
Always wanted to learn to weld? The Make Magazine Blog points to Technical Video Rental, which you can think of as a NetFlix for all sorts of geeks. They have videos to teach everything from linguistics to HAM radio to gunsmithing.

DNA Hack Website (2005/05/19 08:50) [Bio]
DNAHack.com has a pile of articles and references for the amateur bio geek. From basic DNA extraction to protocols for preparation of slides, this is looking like a really cool site.

GoogleSweep (2005/05/17 11:00) [Tools]
Robert McGrew just announced an interesting discovery tool called GoogleSweep. It does Google queries on a given address space and hopes to find interesting things like web statistics, posts to mailing lists (to harvest usernames, etc.), entries in log files and the like. It's written in Python, so it's quite hackable too. You can get some really interesting results, especially if you use an IP range that a company uses for its proxy servers.

Expect more frequent posts (2005/05/17 10:15) [Misc]
I started relying on Bloglines to store interesting articles from the various blogs I read, but it's been losing my saved articles lately. Complaints to the admins have generated nothing, which means it's time to stop trusting other services with stuff I'd like to remember. This is a good thing, as I've been feeling guilty about neglecting the blog anyway.

Raw socket support VS various service packs & hotfixes (2005/05/17 09:50) [Microsoft]
Microsoft messed with raw sockets when they released Windows XP and complicated things further with the release of XP SP2 and MS05-019. Robin Keir posted a very verbose discussion of what's changed to NTBugtraq. Read Robin Keir's observations on raw sockets vs various Windows versions.

DNS Testing (2005/05/11 15:50) [Security]
If you came across this site because you were checking out IDS or firewall logs and have questions, feel free to email me (jwilkins at bitland dot net). I'm currently doing some research on some aspects of various DNS server implementations. I'm not doing anything intrusive, but I am doing a lot of queries against a wide variety of servers.

Simple low tech DNA extraction (2005/02/14 08:30) [Bio]
I was at CodeCon over the weekend and one of the presentations was on SciTools, which is a rad web-based platform for doing genetics work. (More on that in a few posts.) Meredith L. Patterson started the presentation off by demonstrating DNA extraction using household items. Here's the procedure:

- grind up the material if it's a solid
- add water and some salt
- add shampoo (for the sodium lauryl sulphate), which breaks down the cell walls
- stir and then drain out some of the liquid to a new container
- add meat tenderizer or contact solution
- centrifuge (with a salad mixer)
- add rubbing alcohol
- wait

After that's done, you'll wind up with a layer of DNA floating above the water. The really cool part of the talk demonstrated the discovery of RNA sequences to build a knockout sequence for a common breast cancer. More on that when I either reconstruct the sequence from notes or they post the presentations.