Category: security

I’ve had a thought forming in the back of my head since a recent ISD Podcast we did the other day featuring a breach of a Star Wars fan site.  In the case of a data breach like this, it really doesn’t matter what your password is if the website stores in in clear text.  Obviously you would hope that they wouldn’t do this but if they do, you are screwed.

No matter how much care you put into having that 80 character pass phrase with punctuation, etc, the data thief is sitting there staring at your password plain as day.  Furthermore, you are standing out as the lone wolf who has this crazy password.  From the thief’s perspective, that makes you a more interesting target since you are A) Either just more careful than the average Joe or B) You have something spectacular to hide.

Most people choose a password of 7-8 characters.  This is because this is the minimum required length for most websites.  A password of that length is somewhat trivial to crack these days practically no matter how much capitalization or punctuation you have present.  When you move up to more like a 15 character password, I’ll dare say that you are beyond the practical reach of current capabilities. If you were dumb about it and made it easy to guess then all bets are off.  Putting in spaces can help but even just combining odd words will make a better password.  To illustrate:

“sneakyrubberdogbath” is safer than “P4$$#ui!”

But then if a website gets hacked and the all the user accounts are leaked, having something REALLY long and REALLY crazy is going to make you stand apart from the pack.  Probably far more than you really want to.  If I saw something like…

userbob: St4rz4rr666brown_wag1n4setz_blahblahblah_blahlitmus_vermin

…my interests would personally be peaked and I would wonder what was so damned important that userbob is trying to protect.  My point is that you should keep your password within a range and not get carried away too far in either direction.

Find my iPhone

I was listening to a comedy podcast and one of the guys told this awesome story about how he got his iPad back from someone who stole it at a super market.  One of the OTHER guys on the show had just lost his iPhone a couple of weeks before that and lamented about how he wished he had set up a program to track it’s location.  Luckily, after that event, everyone else on the show enabled Apple’s free app “Find my iPhone”.  Find my iPhone works on any newer iDevices such as ipads, 4th gen iPod Touches and 3g+ iPhones.

Enabling it is simple.  You go and download the free app from the app store.  Then you enable a mobile me account which seems partially deprecated but is still used for this service.  To enable it, you go into settings -> mail, contacts -> add account -> mobile me.  You then sign in with you Apple ID.  At that point, you may or may not be required to confirm your email address.  After all that, you slide a switch to enable find my iphone.

When all that is done, you can sign into the app and track the device you are on, which is pretty useless or you can track any other devices that you have access to track.  If you only have one device, you can sign into the Find my iPhone web app here:

So for all of the collective bitching about how iPhones track your location, this seems like a pretty fair trade to me overall.  This does bring up points though of subpoenas and forensics where it’s conceivable that you could be arrested for something, the police can confiscate and search your iPhone without a warrant and then potentially see that you have this app installed and contact Apple to retrieve records beyond what the phone itself stores.  If your story doesn’t match what the records say, you could be in deep shit really quick.  This reminds me of an EXCELLENT video I saw on YouTube the other day about how you should never talk to the police under any circumstances since you can nearly never help your case.  It was a presentation give by a lawyer and a police officer:

Every used router tells a story

I’ve been buying WRT54G variants at thrift stores for probably a year now.  It’s a little obsessive actually.  I would say I’ve purchased about 15-20 of them now.  My wife asks why I do it and I’m not sure I have a great answer.  Some of them I’ve used to set up my own network, others I’ve swapped out with friends and family to get them onto better, more stable hardware and still others I’ve bricked and experimented with.

Today I was at Goodwill up in Mount Vernon, WA.  Somewhat of a podunk, low-tech place.  I wasn’t particularly expecting to find a router but I did.  It was a shiny WRT54G v2.2 for $5.99.  I couldn’t pass it up at that price but honestly I will pay up to $12.99 for them so this was a score.

Anyways, I was remembering the Samy location tool story we ran on ISD Podcast a couple weeks back.  I decided to check out the MAC address for this router and see where it came from.  First I tried the address on the bottom of the router not really expecting it to work.  Unsurprising enough, it didn’t work.  Then I remembered something that one of the other guys on ISD said… all the MAC addresses on the router are within a few digits so I incremented the last byte of the address a couple times and low and behold, I was presented with an EXACT location in Edmonds, WA.  It was so precise in fact that it even gave me a street address.  For reference Edmonds is 50 miles from Mount Vernon and there are at least 15 thrift stores closer to Edmonds than this one so I’m not sure why it ended up way out there.

This was a little bit startling.  I’m not even entirely sure what the implications are but this does seem like a security risk to me.  With the address, I am able to obtain the home owner’s name although but with no guarantee that the router lived in that house.  Furthermore, I’m able to see what the name of the WiFi was.  In this case, it was “Jayne1”.  Popping in the street address, I found this was a small condo building.  If I wanted to dig further, I’m sure I could find which unit “Jayne” lives in.  She did change the default password so I could see anything further without a bit more effort than I’m willing to put out at the moment.

If nothing else, the creepy factor here is pretty high.  Lesson here should be to reset your router config at minimum before sending your old router out to pasture.

Zeus botnet for Dummies

For those not tuned into the infosec world, Zeus is a do-it-yourself kit for bad guys to make computer viruses and other malware with a point and click interface.  Zeus has been defeating your anti virus and malware protection software for several years now and the reason for this is that bad guys can customize the payload with MANY different features and when you get hit with it on your computer, it ALWAYS has a different look and feel to it.  In other words, it can’t be detected based on a certain file name, file size, hash value or even necessarily a behavior because these features are all customizable and somewhat randomizable via a plethora of different options.  I have come across something online that will pull back the curtain and give you some insight as to how complex and well thought out this tool kit is.

Presumably the same person who posted the source code online has also graciously posted the instruction manual for Version, March 20, 2011 of the Zeus crimeware kit on pastehtml.  Reading over this instruction manual shows the level of sophistication of the authors of Zeus.  The manual gives many insights on how the piece of malware you create will be able to hide itself from the user and the operating system.  Here is a short (paraphrased) excerpt from the Bot-Protection section:

  1. All objects IE: files, MUTEXes and registry keys will be created with completely random and unique names.
  2. The code that first installs the bot is destroyed after the bot is installed.
  3. Files are not hidden from WinAPI, because anti-virus tools will find the file too easily.
  4. The bot can be updated on the fly without a reboot.
  5. The bot self-monitors it’s own integrity of it’s files, keys and other objects.

After the protection section, the manual spells out the server-side functions of the bot:

  1. Socks 4/4a/5 server with support for UDP and IPv6.
  2. Backconnect for any service (RDP, Socks, FTP, etc.) on the infected machine. I.e. may gain access to a computer that is behind a NAT, or, for example, which has prohibited connections by a firewall. For this feature to work there are used additional applications that run on any Windows-server on the Internet, which has a dedicated IP.
  3. Getting a screenshot of your desktop in real time.

Next, the manual spells out the different ways your custom piece of malware can hook into the wininet.dll or nspr4.dll’s to intercept http/https traffic going through IE or Firefox.  (pro-tip, keep Opera handy):

  1. Modification of the loaded pages content (HTTP-inject).
  2. Transparent pages redirect (HTTP-fake).
  3. Getting out of the page content the right pieces of data (for example the bank account balance).
  4. Temporary blocking HTTP-injects and HTTP-fakes.
  5. Temporary blocking access to a certain URL.
  6. Blocking logging requests for specific URL.
  7. Forcing logging of all GET requests for specific URL.
  8. Creating a snapshot of the screen around the mouse cursor during the click of buttons.
  9. Getting session cookies and blocking user access to specific URL.

The list goes on and on but shows that this is truly a swiss army knife of malware.  Skipping down to the C&C feature description section, there is a lot of focus on client tracking and geolocation along with some logging and notification features.  One particularly interesting section of features spells out the client details that are tracked:

  • Windows version, user language and time zone.
  • Location and computer IP-address (not for local).
  • Internet connection speed (measured by calculating the load time of a predetermined HTTP-resource).
  • The first and last time of communication with the server.
  • Time online.

When you read over the instructions, you realize what an incredible tool this could be for plain old white hat system administration.  The level of detail provided in the instructions is truly impressive and rivals most legitimate pieces of software that we’ve seen as of late.

The other conclusion we can easily draw is that the Zeus crimeware kit is clearly the work of a well-backed team of developers rather than some Russian dude in his basement.

Most of the document is incredibly interesting and I would urge you to take a peak to see what’s behind the curtain.  We discussed this on ISD Podcast on episode 386.  Take a listen for more details.

The ISD Podcast has entered into a contest to help the Electronic Frontier Foundation (EFF) raise some funds this year before Defcon 19.

For those who don’t know, the EFF is a non-profit group of lawyers, policy analysts, activists, and technologists who fight for digital rights and have helped countless hackers and security researchers get out of hot water as well as exposing injustices caused by ignorant legislation and bad judgements.  Please click the following link to donate to a vitally important cause:


Derbycon memes

Scotch tape webcam security

The other day, a laptop crossed my desk that belongs to a family with three beautiful daughters.  Two of them have done extensive modeling even.  I’ve worked on this computer a few times before.  They carelessly tend to let anyone who walks into their home use this computer unsupervised.  The viruses tend to run rampant because of extensive Facebook use and using Limewire in the past.

Digging into the computer, I noticed that it had an infection of “ms removal tool”.  This is a simple scareware scam.  Running the latest update of Malwarebytes from safe mode blows out this one fairly swiftly.  I figured that was it but I decided to dig a little deeper just in case.  What I found wasn’t a virus but something far more sinister…

Someone somewhere along the line had installed “Webcam Spy Pro” on this laptop.  The intention of this “tool” is to allow someone to be able to remotely view your webcam from anywhere else in the world through a web browser.  This is one of the creepiest things I’ve personally encountered while fixing someone’s laptop.  I’m not sure if the perpetrator ever got the thing working but nevertheless, the intentions were there and the software does exist.

Although I believe the perp in this case was someone with physical access to the computer, it’s completely possibly to remotely exploit a computer to install a tool such as this.  One of the top security testing tools, Metasploit, has this built right into it in fact and doesn’t even need to be installed on the remote computer so you may never know anyone was even in there.

One thing I’m curious about is whether the webcam activity light is hardwired to the webcam’s power source or if it’s software-controlled via the driver.  If it’s the latter, I’m sure I don’t need to go into the implications of being able to turn on someone’s webcam without the indicator light going off.

In any event, you can prevent yourself from this sort of intrusion entirely by putting a piece of scotch tape over your camera.  Some laptops use the camera as an ambient light sensor; the scotch tape won’t impact this but it will obfuscate the picture to the point where an attacker would only see a blur.  Try out an app that will view the camera just to make sure it works the way you want.

As far as sound goes, one trick I’ve used is plugging in an unused 1/8″ to 1/4 ” adapter into the microphone plug.  Most laptops will switch off the internal mic when you do this.

InfoSecDropBox rest in peace

click to enlarge

Sometime around 10am PDT on March 29th, 2011 someone in the InfoSec world had a clever idea to create a twitter account that anyone could log into and vent frusterations they had about the InfoSec industry or whatever else they wanted to.  Whoever did it remains unknown but luckily I was able to snag this screenshot from another browser after I realized it had been shut down only 4 hours after it was created.  I estimate that there were roughly 60-80 people who ultimately logged in and vented on this soundboard.  Twitter caught on as it was pretty much starting to go viral.

The bio first read:

“I am Jack’s infosec-induced rage. Password is Infosec, come log in and vent your rage anonymously. (And get yourself +1 followers)”

Then was changed to:

“I am Jack’s infosec-induced rage. Come log in and vent your rage anonymously. The password is guessable. So figure it out.”

Ultimately, this was a brilliant mashup of twitter and 4chan.  My hat goes off to whoever thought of this.

click to enlarge

Update 3/29/2011 1:59pm pst:  Someone just posted a v2 InfoSecDropBox but consequences will never be the same 🙁

Update 3/30:

The Adrians (Irongeek and Sanabria) have dug up a bit more so I will post that here as well:

Missing a few of the funniest hours…

InfoSecDropBox Mar 29, 8:07pm via web
Alright alright.. enough.

InfoSecDropBox Mar 29, 4:23pm via web
hey everyone want to know aloria real name

InfoSecDropBox Mar 29, 4:21pm via web

InfoSecDropBox Mar 29, 4:20pm via TweetDeck
pen testers are typically arrogant assholes, guess who created this, a pen tester

InfoSecDropBox Mar 29, 4:20pm via web
I use IE6 #2

InfoSecDropBox Mar 29, 4:20pm via web
@InfoSecDropBox @0ph3lia @aloria Shes on @th3j35t3r dick too much.

InfoSecDropBox Mar 29, 4:19pm via web
why wont @0ph3lia sleep with me why wont @aloria sleep with me why wont anyone sleep with me

InfoSecDropBox Mar 29, 4:18pm via web
@th3j35t3r = slowloris with a fancy GUI….Long live @real_j35t3r

InfoSecDropBox Mar 29, 4:16pm via web
is @aloria a tranny

InfoSecDropBox Mar 29, 4:15pm via web
@real_j35t3r is with ANONYMOUS!!!!

InfoSecDropBox Mar 29, 4:14pm via TweetDeck
@infosecdropbox says STFU @infosecdropbox

InfoSecDropBox Mar 29, 4:14pm via web

InfoSecDropBox Mar 29, 4:13pm via web
@th3j35t3r is a pretend hacker….long live @real_j35t3r!!!

InfoSecDropBox Mar 29, 4:13pm via web
.@real_jester is a fake long live @th3j35t3r. PS fuck Anon.

InfoSecDropBox Mar 29, 4:10pm via web
The password to this account is Infosec. It’s not a secret. I removed it from the profile to prevent bots… cool w/ everyone?

InfoSecDropBox Mar 29, 4:05pm via web
Looking for female roommates for defcon. RT pls, send pic. -Thx-L

InfoSecDropBox Mar 29, 3:58pm via web
BRING BACK TEH LULZ. Hacking was fun once.

InfoSecDropBox Mar 29, 3:58pm via web
Hey @0ph3lia do you realize that technical skills alone do not make a security professional? Stop shitting on QSAs or I will suckerpunch

InfoSecDropBox Mar 29, 3:58pm via web
My name is Gregory D. Evans.

InfoSecDropBox Mar 29, 3:52pm via web
I hacked HBGary.

InfoSecDropBox Mar 29, 3:51pm via web

InfoSecDropBox Mar 29, 3:51pm via web
If anything on this gets taken seriously you need to get a life.

Mar 29, 3:01pm via web
How long before some douche resets the password?

InfoSecDropBox Mar 29, 1:09pm via web
PW = “Infosec” come log in and vent your rage anonymously!

Here are some archived html files as captured by Irongeek.

Lastly, here is a PDF file of the reactions to InfoSecDropBox that was captured a bit after it was shut down.

A mind map of browser tab abuse

This post is about nothing more than how I have come to surf the web.  Ever since I discovered tabbed browsing many years back, I became addicted to them.  A true tab junkie.  Often I’ll have an average of 30-50 tabs open at any one time.  Then I have the nerve to get pissed off at my computer when it gets slow.  I’ll be the first to admit that I’ve been spoiled.

My browser of choice?  Mozilla Firefox.  Why?  I don’t really know anymore.  I don’t use that many plugins.  HTTPS-Everywhere is the one I consider most important.  The best feature in Firefox is the session manager though.  Browsers don’t crash nearly as often as they used to but in the early days of tabbed browsing before the session manager really worked right, my browser would crash and I’d lose 20-25 tabs and wonder what the hell I was supposed to be doing at that specific moment.  It would often take me an hour to recover.

I tend to use tabs like live bookmarks…  Instead of bookmarks that I file away never to look at again, my tabs don’t get closed until I’m done dealing with things that I’m currently working on.  Just as an example, let me list out all my currently open tabs right now.  This may get a little lengthy 🙂

  1. notanon add new post: This is of course the tab I’m currently working in right now.  It stays open nearly all the time so I can jot down my thoughts for my next blog post at any moment of the day.  I never feel like I post on my blog enough but this is my constant reminder that I should be posting.
  2. I preview what I post here and just keep an eye on the look and feel of the site.  IDK, is that vain?
  3. IdleRPG: I play idle rpg on one of the IRC servers I’m on.  idk why, just for kicks I suppose.  I like to keep an eye on the stats.  I was even winning this one for a while.  Not as of today though.
  4. Google docs: Ah yes, the quintessential Google Docs.  It’s a love/hate thing with me but unfortunately also a necessary evil.
  5. Rory Lewis iPhone dev videos: Learning to program the iPhone/iPod touch right now.  These videos are great and they go with a book I’m slowly reading.  When I’m done with the book, I’ll write up a review here on my blog of course.
  6. Download Libretto 50CT drivers: Don’t even ask what I’m going to do with this one.  I haven’t decided yet in all honesty.  I don’t even plan to run Windows on my Libretto’s.  I think I just don’t want to lose this page in case I change my mind.
  7. Tiger Direct: This is a link to 12″x18″ oversized tabloid paper for my Xerox 7750 printer.  I intend to buy this paper and I need it but I don’t quite desperately need it enough to waste the space in the house storing it so instead I store the idea to buy it in a browser tab.
  8. MS-DOS Debug Program: A primer on how to use debug for MS-DOS obviously.  This is something I’ve played with a little over the years but never had nice clear instructions like this.  I went through a little of it and then put it aside.  I intend to check it out again before permafiling it in my bottomless pit of bookmarks.
  9. MS Window DOS Stub Program: Using debug to step through the dos stub program that lives in all windows executables.  This bit of legacy code is nearly obsolete today but it’s one of the simplest programs to step through so it makes for a good example.  It’s in conjunction with link #8 of course.
  10. Detailed explanation of the FAT boot sector: retro but relevant.  I had this odd idea to play with a hex editor on one of my dos drives and make a bootable drive that just prints a message on the screen.  To do that though, I need to know what the bios is looking for to boot.  I’m also interested in forensics and data recovery so this has some overlap.  This kind of low level knowledge NEVER hurts.
  11. Travelocity: hopefully planning my trip to defcon this year.  I won’t stay in the Rio where the event is because I want to save as much money as possible.  This leads right into the next tab…
  12. Google maps: where I’m mapping out all the hotels in the core of the strip.  Trying to figure out which ones are both cheap and close to the Rio.
  13. Installing Gentoo on the Libretto 50CT: This is something I tried to do right when I first got my Librettos.  I never saw this link before though.  It may be a bit outdated and incomplete but I’m hoping for some clues to eventually complete this task.  When I do, I’ll post a newer set of instructions about this on my own blog.
  14. Amazon Fresh: When my running grocery list hits $75 I’ll order because that’s when I get the free shipping.  I haven’t used the service in a while because I find a lot of stuff is way overpriced but there are other items that I can’t find anywhere else and things like emergency water that I’d rather have them carry to my front door to save my back a bit.
  15. Twitter: Yeah, I use the web interface… wanna make something of it?  I like the web interface the best of all the tools I’ve tried although I have to say that I HATE the new twitter interface so I really don’t know what I’m going to do when/if they ever turn the old one off.
  16. OTC: I picked up this random car diagnostic tool at Goodwill a while back.  I intend to sell it on eBay.  This placeholder is both my reminder and the source of information I will use when listing the device.
  17. 96mb of ram in the Libretto 110CT!: This link is pretty much irrelevant to me because I don’t have a Libretto 110CT but it’s inspirational.  I was looking for a way to bump my 50CT up to 48mb since 32mb is the typical max.  I’m thinking this link might hold some clues but I haven’t taken the required time to dissect it yet.
  18. O’Reilly School of Technology Python 2: The second online Python class is on sale right now for 20% off.  I got the first one at 25% off but I’m still considering doing this one because I don’t know when they’ll get that cheap again.  I liked the first course a lot and I’m sure this one would be great as well.  Problem is that I don’t have a direct use for Python at the moment other than practicing programming.  I REALLY wish O’Reilly had an Objective-C/iPhone programming course since that’s what I really need right now but, that being said, I still want to ultimately obtain the Python programming certification.  Seriously considering pushing the button here 🙂
  19. Installing Damn Small Linux on a Mitsubishi Amity: Nope, I don’t have a Mitsubishi Amity but they had Libretto in the text and this page came up for me in Google.  Trying to see if it has anything useful regarding putting DSL on the Libretto as an alternative to Gentoo.
  20. Programming in Objective-C part one: 6 hours of live web training for $99.  I’m seriously considering this one but I have a really hard time committing to the schedule they have projected so I’m thinking this probably won’t work out for me 🙁
  21. 72-squared iPhone tutorials: Saw this blog mentioned in the current most popular app on the iTunes store, Tiny Wings.  If this site helped that guy create a multimillion dollar grossing game, I’m thinking it’s worth a read.  Objective-C has not come easy to me and I need all the help I can get with it 🙂
  22. Paypal: A necessary evil to selling stuff on eBay.  I had this open because I was checking to see if an eBayer had paid me or not.  I’ve been having trouble with my spam filter being overzealous lately so I wanted to make sure I looked manually.
  23. Hacker gets Kinect working on PS3: Dumb article someone sent me this morning.  Finished reading it but I got distracted before I closed it.  Sony has made me wish I bought an Xbox 360 instead SOOOOO many times this year but this post is rather amusing in any event.  I wonder if Sony will try to have the guy arrested 😛
  24. Verizon doesn’t know dollars from cents:  Something I Googled a few minutes ago to prove a point to someone on twitter.  Verizon has a real math problem when it comes to their data plan pricing.  This is a pretty old blog post but I don’t doubt their still could be issues with it.

So there you have it.  Everything inside my browser at the current moment and what train of thought led to it being there.

There are several problems with having all this crap running at once.  First off, I’m vulnerable to cross site scripting types of attacks.  The scariest tab of all to have open is probably the Paypal one since it could do the most damage in that regard.  Second of all, this arrangement does nothing favorable for the speed and responsiveness of my computer.  I have a pretty fast system but when I get rolling with about 60 tabs, scrolling twitter gets REALLY slow.  And finally, it’s a disorganized mess and doesn’t really help me be more productive.  This is kind of akin to having a messy desk.  Stuff get’s forgotten and shoved to the bottom of the pile.

InfoSec career day

If you are currently looking for a career in InfoSec or looking to move up, there have a been a few great podcast episodes recently worth checking out.

InfoSec Daily Podcast episode 315 was a fantastic open discussion tossing around the topic of certifications vs. degrees and everything in between.  Special guests Dave Kennedy and Adrian Crenshaw hashed it out with your regular hosts and everyone in the IRC.

Also worth noting is Securabit episode 71.  Those guys have been knocking it out of the park lately with some great shows.  This one in particular is good because it features head hunter, Lee Kushner giving some excellent perspective about personal development vs. continuing education.  He also brings up career planning stating that the guys who actually bother to plan out their career paths(15%) have much more success in life than everyone else(85%) who simply fly by the seat of their pants.

Lastly, InfoSec Daily had another career day special for episode 300 where they discussed what to do when you make the WRONG career switch.  Many of us have been there.  Left something good for greener pastures and wished we could go back.  Listen here for some helpful advice about not burning bridges and what not to do.

If you are attending higher ed or digesting a pile of certs, I hope you have a plan.  I hate to see people out there WASTING money on making the schools rich and if you don’t really know where you are going, that is exactly what you are doing.

Powered by WordPress. Theme: Motion by 85ideas.