Security Weekly News 16 December 2010 – Full List


Hacking Incidents / Cybercrime

Gossip site Gawker has experienced a large data breach whose scale fully came to light Sunday. The group that calls itself Gnosis claimed and provided evidence of responsibility, motivated in their words by Gawker’s arrogance in its previous dealings with members of the Internet board 4chan.
While Gawker has posted a notice indicating that it is the user names and passwords of people who comment on their web site that have been compromised, analysis of the file released by the crackers themselves indicates that the breach extends to employees of Gawker, includes credentials for internal systems (Google applications, collaboration tools) used at the company, includes a leak of Gawker’s custom source code, includes credentials of Gawker employees for other web sites, includes FTP credentials for other web sites Gawker has worked with, includes access to Gawker’s statistics web site, and includes the e-mails of a number of the users who left comments at Gawker as well as users of,, and


Blog operator Gawker Media has asked the users of the Gizmodo, Gawker, Deadspin, Kotaku, Jezebel, IO9, Jalopnik and Lifehacker blogs to change their passwords. The reason for the request was that the company’s servers were hacked by a group called ‘Gnosis’, who copied and published sensitive company data, as well as users’ account details, to an online torrent web site.
While the 1.3 million compromised passwords are said to be DES encrypted, this type of encryption no longer presents a major obstacle to password crackers, especially if the passwords are weak. Gnosis said that they managed to obtain the password of Gawker founder Nick Denton, who apparently also uses the same password on Google and Twitter.


Stuxnet Saves Israel Trouble of Iran Strike
It appears the Stuxnet computer virus may have done more harm to Iran’s nuclear program than even the most savage of air strikes could have.
A report in the Jerusalem Post quotes a German computer expert saying the ‘Stuxnet’ virus set Iran’s nuclear program back two years.
Fox News recently reported how the Stuxnet virus attacked the nuclear centrifuges at Iran’s main uranium enrichment site in Natanz and how Tehran is scrambling to fix computers attacked by the virus.
But the reported delay in Iran’s suspect nuclear program is huge news in Israel where leaders here have been sounding the alarm about the program which most of the world believes is aimed at producing a nuclear bomb.


Security expert connects the dots to China, not Israel, U.S.
Israel and the U.S. so far have been pegged as the most likely masterminds behind the Stuxnet worm that targeted Iran’s nuclear facility, but new research indicates China could instead be the culprit.
Jeffrey Carr, founder and CEO of Taia Global, an executive cybersecurity firm, and author of Inside Cyber Warfare, says he has found several clues that link China to Stuxnet. “Right now I’m very comfortable with the idea that this is an attack that emanated from China,” Carr says. “I’m fairly certain this was China-driven.”
Carr, who blogged about his new theory today, says Vacon, the maker of one of the two frequency converter drives used in the Siemens programmable logic controller targeted by the Stuxnet worm, doesn’t make its drives in its home country Finland, but rather in Suzhou, China.


And the attackers made over 1 million in profits.
This just emerged from a raid (and hearing apparently) in Romania and other countries. The two main persons being fingered are Catalin Zlate and Cristian Ciuvat. It seems that they were scanning for PBX servers with phone extensions that have weak passwords. Then they abused these accounts to make phone calls for ‘free’, except that free has the price of 11 million EUR for the victims!


News: got pwned
I have just been informed by d3v1l’s twitter message, that which is the Swedish mirror of the popular Anti-Virus software was defaced. The site still returns the altered index page by the time of this writing but as a reference, here is its zone-h mirror record.


Genesco Inc, a specialty retailer of branded footwear and other products, today announced that the computer network that processes its payment card transactions in the United States has been hacked, in what the company is calling a “criminal intrusion.” Genesco operates more than 2,225 footwear and headwear retail stores in the United States, Puerto Rico and Canada, principally under the names Journeys, Journeys Kidz, Shi by Journeys, Underground Station, Johnston & Murphy, Hatworld, Lids, Lids Kids, Hat Shack, Hat Zone, Cap Connection and Head Quarters.
The company said it is not aware of the extent of the intrusion yet, but did say that the systems that process payment transactions for its United States Journeys, Journeys Kidz, Shi by Journeys and Johnston & Murphy stores, and for some of its Underground Station stores have been compromised.


Two major online ad networks–DoubleClick and MSN–were serving malware via drive-by download exploits over the last week, experts say, after a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider.
The scheme involved a group of attackers who registered a domain that was one letter away from that of, an online advertising technology firm. The attackers then used the fake domain––to dupe the advertising networks into serving their malicious banner ads. The ads used various exploits to install malware on victims’ PCs through drive-by downloads, according to information compiled by security vendor Armorize.


BACKGROUND: Data leak allegedly came from a man who held a grudge against the Belfast-based database firm
THE THEFT of the GAA’s membership database is unlikely to lead to identity theft, the Office of the Data Protection Commissioner has said.
The database contains the names, addresses, phone numbers, e-mail addresses and, in a small number of cases, the medical records of every single member of the GAA.
The theft is now the subject of a criminal investigation by the PSNI who have already arrested a man and released him on police bail without charge.
Sources close to the investigation say the security leak came from a man with a grudge against Servasport Ltd, the Belfast-based company that was maintaining the database on behalf of the association.


Major online ad network Google DoubleClick this month inadvertently posted a malicious advertisement on websites that infected users visiting sites running the ad.
This was no typical malvertising campaign attack, says Wayne Huang, CTO and researcher at Armorize, who discovered the threat. The ad automatically installs a rogue antivirus program on the victim’s computer and holds it for ransom until the user purchases software to ‘fix’ it.


Dutch authorities issued a statement Thursday saying that a 16 year old boy has been taken into custody for involvement in attacks against the Web sites of Mastercard and Visa.
The boy, who was not named, was due to be arraigned by a judge in Rotterdam on Friday. The arrest is the first known action taken against online activists who have taken up arms against individuals and organizations that are perceived as acting against the whistle blower Web site Wikileaks following that site’s publication of thousands of sensitive diplomatic cables leaked from the U.S. Government’s classified intelligence network.

Unpatched Vulnerabilities

Another serious remotely exploitable bug in Internet Explorer has cropped up, this one related to the way that IE handles a specific DLL library on pages that reference CSS files. There also is publicly available exploit code for the new bug.
The vulnerability was disclosed initially on the Full Disclosure mailing list on Wednesday when someone posted exploit code for the IE bug. The flaw affects IE 8, IE 7 and IE 6 running on most of the currently supported versions of Windows, including Windows 7, Windows Vista and Windows XP SP3.
‘A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by a use-after-free error within the ‘mshtml.dll’ library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various ‘@import’ rules, which could allow remote attackers to execute arbitrary code via a specially crafted web page,’ an analysis of the bug by Vupen says. ‘VUPEN has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3.’


A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3 modular storage array shipped to date.
MSA2000 Backdoor Vulnerability
Apparently a hidden user exists, that is built into the system and doesn’t show up in the user manager, and the password may not be able to be changed (unconfirmed), creating a perfect “backdoor” opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to. The hard coded user and password in the HP MSA2000 is set to an embarrassingly simple:
username: admin
password: !admin


I have received a mail regarding the early development of the OpenBSD
IPSEC stack. It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack. Around 2000-2001.
Since we had the first IPSEC stack available for free, large parts of
the code are now found in many other projects/products. Over 10
years, the IPSEC code has gone through many changes and fixes, so it
is unclear what the true impact of these allegations are.

Software Updates



Hi everyone. As part of our usual cycle of monthly security updates, today Microsoft is releasing 17 bulletins addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint Server and Exchange. Two of those bulletins carry a Critical rating, while 14 are rated Important and one is rated Moderate.
We’ve assigned our highest deployment priority to the two Critical bulletins, though we recommend that customers deploy all updates as soon as possible.


Over 500 patches for SAP
On Tuesday, SAP – one of the largest manufacturers of business applications and enterprise software – released a huge number of so-called Security Notes. An e-mail sent to SAP customers speaks euphemistically of ‘a significant number of security notes’, it’s rumoured there are 525 of these notes.


Four days after a security hole was discovered in the free Exim mail server, the developers of Debian and Red Hat have released corrected versions for their Linux distributions. While the Exim version provided by Red Hat blocks root access, Debian’s new Exim contains fixes for a memory flaw that allows code to be executed with Exim user rights. However Debian’s patched version does not provide any protection against the hole that allows attackers to get root rights. Before they fix that problem, the developers first want to clarify some ‘compatibility issues,’ which they plan to do as soon as possible.


Affected Software
The issue affects the BlackBerry® Attachment Service component of the following software versions:
BlackBerry Enterprise Server Express version 5.0.1 and 5.0.2 for Microsoft Exchange
BlackBerry Enterprise Server Express version 5.0.2 for IBM Lotus Domino
BlackBerry Enterprise Server versions 4.1.3 through 5.0.2 for Microsoft Exchange and IBM Lotus Domino
BlackBerry Enterprise Server versions 4.1.3 through 5.0.1 for Novell GroupWise
BlackBerry® Professional Software version 4.1.4 for Microsoft Exchange and IBM Lotus Domino
Issue Severity
This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 7.8.
RIM has issued the following releases and interim security software updates that resolve the vulnerability in affected versions of the BlackBerry Enterprise Server.


The Mozilla development team has released updates for the Firefox web browser and for the Thunderbird news and email client to close multiple critical security vulnerabilities affecting these products. According to the developers, the Firefox updates address a total of twelve issues, including 9 critical security bugs, one high-risk and a moderate XSS hazard. Many of the issues could potentially lead to the remote execution of arbitrary code on a victim’s system.


Google has released version 8.0.552.224 of Chrome for Windows, Mac OS X and Linux into its Stable and Beta channels. The security update addresses a total of five vulnerabilities in the WebKit-based browser, two of which are rated as ‘High’ priority.


Version 1.0.0c of the free OpenSSL SSL implementation fixes two vulnerabilities. A flaw in an older workaround for Netscape browsers and servers can be remotely exploited to make an OpenSSL server downgrade the ciphersuite to a weaker one for subsequent connections. This can potentially simplify the cracking of encrypted connections. The update simply disables the workaround.


The WordPress development team has released version 3.0.3 of the popular open source blogging and publishing platform, a security update for the 3.0.x branch of WordPress. According to the developers, the update addresses a privilege escalation issue in the remote publishing interface that, under certain circumstances, could have allowed Author and Contributor-level users to improperly edit, publish or delete posts.


Java 6, Update 23 is out


On Tuesday night, Apple released an update for its QuickTime multimedia application. Version 7.6.9 is available for users running Windows XP SP2 or later and Mac OS X 10.5.8 (Leopard) – users running the latest version (10.6) of Mac OS X (Snow Leopard) are reportedly not affected. According to Apple, the latest update fixes a total of 15 security vulnerabilities.


Microsoft has released an update for Office 2008 for Mac. The ‘Microsoft Office 2008 for Mac 12.2.8 Update’ is a 332.8 MB download and principally provides a fix for an error in Entourage, the email and calendar application. According to the update description, the flaw can lead to irregular crashes when sending mail, when receiving mail with attachments and when accepting meeting invitations.


RealNetworks has released a monster update that closes an impressive 27 security holes in Windows RealPlayer 11.1. Other versions, such as RealPlayer SP, RealPlayer Enterprise and the Mac / Linux versions are also partially affected. Apparently the current RealPlayer 14.0 does not exhibit any of the vulnerabilities.

Business Case for Security

5 Stages of Infosec
From the depths of the twitterverse, here is an example of the Kübler-Ross model of infosec, a Hamster Wheel of Pain where you get to play the Hamster


Everyone sounded the alarms at the Gawker Media attack, which included a security breach of websites such as Gizmodo, Lifehacker, Kotaku, io9, and others. The numbers were impressive: 1.3 million user accounts exposed, 405 megabytes of source code lost, and perhaps more important to some, the identity of those leaving anonymous comments potentially revealed. For Gawker, there is a loss of trust that will be difficult to regain. Users are already clamoring for the ability to delete their accounts. And, on the technical side, all Gawker’s systems will need to be painstakingly audited or rebuilt entirely from scratch to prevent the same thing from happening again. Happy Holidays indeed.
So, what is to be learned from this perfect storm of bluster and bravado? Many lessons, most of them demonstrating what not to do.
1. First and foremost, DO NOT poke the bear. By taunting the hacker community, especially the vigilante types, Gawker made itself a target unnecessarily. Never claim to be “unhackable.” The hackers outnumber you by several orders of magnitude, and they have more free time. Respect their capabilities. Not to mention the odds are always stacked against defenders. The attackers only have to find one little crack in the wall to bring the castle crumbling down.


Repelling a hacker attack can be costly as PayPal, Visa and MasterCard undoubtedly found out last week as they tried – with mixed success – to keep their Web sites from being knocked offline by supporters of Wikileaks.
How much money exactly? An unrelated attack several years earlier on Google may provide some insight.
In 2005 Google was battling the Santy worm, a bit of malicious software that caused infected computers across the globe to automatically enter search queries – so many, in fact, that Google was overwhelmed. Details of the episode are chronicled in internal F.B.I. memos obtained by The New York Times through a Freedom of Information Act request.


Security Awareness Topic #6 – Passwords
Secure use of passwords is critical; they are the keys to the kingdom. If an individual’s or organization’s password is compromised, then an attacker can access everything they are trying to protect. In addition, an attacker can then impersonate the victim and gain access to other resources. As such, password best practices are something many organizations focus on. Here are what I consider some of the key learning objectives for awareness, but in addition some learning objectives that I feel are overblown.
– Complexity: One of the first things every organization focuses on is password complexity. I see organizations moving to 12 character passwords with one CAPITAL, one number, one symbol, and changed every ninety days. In a previous blog post I argue this is overkill; we are doing more harm than good. While some complexity is important, I feel organizations will have far greater impact and reduce more risk following these practices.
– Sharing: Often employees feel comfortable sharing passwords with other employees or supervisors. This is a dangerous practice. First, you lose accountability; you cannot track who did what because people have shared accounts. In addition, once a password is shared it may become more shared than expected, including with unethical employees.
– Dual Use: Many users will use the same password for all their accounts.


The Open Source Security Testing Methodology Manual 3.0 covering security testing, security analysis, operational security metrics, trust analysis, operational trust metrics, and the tactics required to define and build the best possible security over Physical, Data Network, Wireless, Telecommunications, and Human channels


Security vendors realize that application security is the next great security frontier and have begun creating new products with their old scan and report approach. Unfortunately we’ve conditioned ourselves to accept that this antiquated approach works for all security issues. It worked for networks, right? But the reality is that this approach can only catch the most common issues in web applications. (Read: Most Web Application Scanners Missed Nearly Half Of Vulnerabilities) All of the deeper (and more critical) issues are going to require custom testing to detect. This is the problem. People buy web scanning tools believing the tool is easy to use and that it will result in secure web applications. The reality is that the tool is easy to start up, difficult and time consuming to interpret the results, and will likely only find some common security issues in the application.


Here’s what I want to leave the post with. Evaluating web application vulnerability scanners is a difficult task for anyone. A person has to be knowledgeable in web application security, capable of understanding the report results, not to mention be able to set up enough real-world websites to make the comparison reasonable. How many people does that eliminate? Then what to measure? Everyone has a different point of view of what is meaningful. Do we measure vuln to vulns, Ajax support, scanner depth, usability, reporting capabilities, etc? Each metric has value, but not to everyone all the time. To assist, Anurag Agarwal is helping WASC create a Web Application Security Scanner Evaluation Criteria (WASSEC) with assistance from the community. It should be highly useful when completed.


Before reading the following, ask yourself if you’d recommend to the average user that they store their passwords in a local password manager.
Today there are four primary ways users lose control over their web-based passwords. Phishing Scams (email or SEO), Malware (installing malware or drive-by-downloads), website break-ins (SQLi, RFI, misconfiguration, etc.), and website brute-force attacks. For a user to protect themselves I’ve outlined the client-side technologies they can deploy (reason MFA is left out) and possible changes in their online behavior.


‘Bet on it,’ says security expert, as hackers exploit password re-use
Passwords used by people employed by U.S. federal, state and local governments were among those disclosed by the Gawker hack over the weekend, according to a report by PBS NewsHour on Monday.
If the passwords published online by the Gnosis hacker group were also used by those people for their work e-mail accounts, the passwords could be used in future targeted attacks against government employees to plant malware or steal other information.
PBS NewsHour has identified a subset of the 1.3 million accounts accessed in the Gawker hack that included an unknown number of accounts with the .gov domain, including ones from the Department of Defense, NASA, National Institute of Health and the U.S. Postal Inspection Service.


With the growing diversity of operating systems among companies, as well as the growing use of mobile devices, cybercriminals should have a very profitable 2011.
Their tactic will be to put a new spin on social engineering by way of ‘malware campaigns,’ by bombarding recipients with email that drop downloaders containing malware. All this will largely be made possible because of the Internet. Already, Trend Micro threat researchers have found that more than 80 percent of the top malware use the web to arrive on users’ systems.


A recent forum made it clear that cyber crime does not discriminate – we are all vulnerable, writes GORDON SMITH
YOU MIGHT expect paranoia to be in plentiful supply at an IT security get-together but the need for co-operation in addressing online risks was one of the major themes at the annual cyber crime conference in Dublin – even if, appropriately, nobody wore name badges.
The conference, now in its second year, is organised by the Irish Reporting and Information Security Service (IRISS).
Det Insp Paul Gillen, head of the Computer Crime Investigation Unit at the Garda, called for a pooling of information to tackle the problem of cyber crime. “Ireland, being small, is a good thing – we have an opportunity to develop a community approach to cyber crime and the guards have an important role to play,” he said.
This could be in helping entire sectors such as financial services or retail or critical national infrastructure develop incident response plans after a cyber attack, he added.

Web Technologies

A complete guide to securing a website
To secure a website or a web application, one has to first understand the target application, how it works and the scope behind it. Ideally, the penetration tester should have some basic knowledge of programming and scripting languages, and also web security. A website security audit usually consists of two steps. Most of the time, the first step usually is to launch an automated scan. Afterwards, depending on the results and the website’s complexity, a manual penetration test follows. To properly complete both the automated and manual audits, a number of tools are available, to simplify the process and make it efficient from the business point of view.
In this white paper we explain in detail how to do a complete website security audit and focus on using the right approach and tools. We describe the whole process of securing a website in an easy to read step by step format; what needs to be done prior to launching an automated website vulnerability scan up till the manual penetration testing phase.


ModSecurity Demonstration Projects
We have a number of different ModSecurity Demonstration projects hosted on the ModSecurity site.
ModSecurity/PHPIDS Evasion Testing Demo
The ModSecurity Demo is a joint effort between the ModSecurity and PHPIDS project teams to allow users to test ModSecurity and PHPIDS. Any data is sent to a ModSecurity install for inspection by the CRS and then it will be proxied to the PHPIDS page for normal inspection and processing. The response body will then be inspected to confirm if there are any evasion issues between the CRS and PHPIDS.
XSS Mitigation with Content Injection Demo
This demo shows how to use ModSecurity’s Content Injection capabilities to prepend defensive JavaScript to the top of the returned page, which will protect against unauthorized JS execution.


Last night I received an urgent message from a client. My machine has been hacked, someone got into the admin area, I need all of the details from this IP.
So, I grepped the logs, grabbed the appropriate entries and saw something odd.
- - [09/Dec/2010:22:15:41 -0500] "GETS /admin/index.php HTTP/1.1" 200 3505 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20101026 Firefox/3.6.12"
- - [09/Dec/2010:22:17:09 -0500] "GETS /admin/usermanagement.php HTTP/1.1" 200 99320 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20101026 Firefox/3.6.12"
- - [09/Dec/2010:22:18:05 -0500] "GETS /admin/index.php HTTP/1.1" 200 3510 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20101026 Firefox/3.6.12"
A modified snippet of the .htaccess file:
AuthUserFile .htpasswd
AuthName "Protected Area"
AuthType Basic
require valid-user
Of course, we know GETS isn’t valid, but, why is Apache handing out status 200s and content lengths that appear to be valid? We know the area was password protected behind .htaccess and with some quick keyboard work we’ve got a system that properly prompts for Basic Authentication with a properly formed HTTP/1.0 request. Removing the restriction from the .htaccess protects the site, but, why are these other methods able to pass through? Replacing GETS with anything other than POST, PUT, DELETE, TRACK, TRACE, OPTIONS, HEAD results in Apache treating those requests as if GET had been typed.
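A defender's check for the pattern described above, as an added example that is not part of the original post: it parses Apache combined-format log lines and flags requests that use a method outside the standard set, or that got a 2xx on a protected path without an authenticated user. The sample log lines, the IP addresses and the protected prefix /admin/ are constructed assumptions.

```python
"""Flag non-standard HTTP methods that were answered with a success status on
paths that should have required Basic authentication (added example; the
Apache log lines, IPs and the protected prefix below are constructed)."""
import re
from typing import Dict, List, Optional, Tuple

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Methods a web server is expected to see; anything else (such as "GETS") is an
# extension method and deserves a look when it returns content.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                    "TRACE", "PATCH", "CONNECT"}

# Assumption: every path under these prefixes must prompt for credentials.
PROTECTED_PREFIXES = ("/admin/",)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it
    does not parse (e.g. a truncated or hand-edited entry)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_protected(path: str) -> bool:
    return any(path.startswith(p) for p in PROTECTED_PREFIXES)


def reasons_for(entry: Dict[str, str]) -> List[str]:
    """Why this entry is suspicious; empty list means it looks normal."""
    reasons = []
    if entry["method"] not in STANDARD_METHODS:
        reasons.append(f"non-standard method {entry['method']}")
    # %u is "-" when no user authenticated; a 2xx there on a protected path
    # means the auth requirement was not enforced for this request.
    if (is_protected(entry["path"]) and entry["status"].startswith("2")
            and entry["user"] == "-"):
        reasons.append("2xx on protected path without authenticated user")
    return reasons


def audit(lines: List[str]) -> List[Tuple[str, str, str, str, List[str]]]:
    """Walk the log and return (ip, method, path, status, reasons) for each
    suspicious request. Unparseable lines are skipped."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        why = reasons_for(entry)
        if why:
            findings.append((entry["ip"], entry["method"], entry["path"],
                             entry["status"], why))
    return findings


# Constructed sample: two "GETS" hits that were served, one unauthenticated GET
# correctly rejected, one authenticated GET, one public page.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Dec/2010:22:15:41 -0500] "GETS /admin/index.php HTTP/1.1" '
    '200 3505 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6.12"',
    '203.0.113.5 - - [09/Dec/2010:22:17:09 -0500] "GETS /admin/usermanagement.php HTTP/1.1" '
    '200 99320 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6.12"',
    '198.51.100.7 - - [09/Dec/2010:22:18:05 -0500] "GET /admin/index.php HTTP/1.1" '
    '401 381 "-" "curl/7.21.0"',
    '198.51.100.7 - alice [09/Dec/2010:22:18:30 -0500] "GET /admin/index.php HTTP/1.1" '
    '200 3505 "-" "curl/7.21.0"',
    '192.0.2.9 - - [09/Dec/2010:22:19:00 -0500] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, path, status, why in audit(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}: {'; '.join(why)}")
```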


Today’s release of Firefox 3.6.13 fixes bug 602780 (CVE-2010-3774) – an interesting problem I originally reported to Mozilla in October. It’s a fun one, so here’s a quick recap of what it is about.


Spoofing Google search history with CSRF
Let’s assume, dear Web surfer, that I can get you to visit a Web page I control. Just like the page on my blog you’re reading right now. Once you do, by nature of the way the Web works, near complete control of your Web browser is transferred to me as long as you are here. I can invisibly force your browser to initiate online bank wire transfers, post offensive message board comments, vote Julian Assange as Time’s Person of the Year, upload illegal material, hack other websites and essentially whatever else I can think up. Worse still, on the receiving end, all the logs will point back to you. Not me.


This week thousands of system administrators who make use of Google products will open their inbox to see an email from Google explaining that their Web Optimizer product contains a cross-site scripting flaw that allows hackers to inject scripts into their Google Optimized web pages.
I have documented my research in this article, and I hope that it will be of use to you. There is a lot to learn from other people’s mistakes, especially when those people are Google themselves.
The flaw exists in Googles Web Optimizer, which is a series of scripts that web administrators use to gain insight into how their web sites are navigated by online customers.
Below is a segment of the flawed code.


Gmail+Google Chrome XSS Vulnerability
The weekend before last, I found a flaw in Gmail that on the one hand was rather exciting for me (as I hadn’t expected to find anything at all, and it was pretty clearly reward-worthy), but on the other was a little unnerving, given how quickly and easily I was able to find it and how serious the vulnerability was.
Vulnerability Discovery
While doing some work on an exploit for an XSS flaw that I had already found on another platform (details will be released in the semi-near future), I decided to see if there were any XSS vulnerabilities that I had missed. The first thing I wanted to try was to see if the application was properly sanitizing filenames in attachments, so I modified a Python email testing application I hacked together and shot off an email with an attachment named ";!--'=&{()}.txt (a la RSnake).


Defense and Offense For HTML5
Just to go on the record: I’m just not all that concerned with new security threats from HTML5. Frankly, minus WebGL, HTML5 in 2010 gives us roughly the functionality that Flash gave us in 2004, but with oddly less polish. (I’m not kidding: They’re still trying to figure out how to correctly implement full screen video.)
From a security perspective, that means whatever is scary about HTML5 has already been in place, in 99% of browsers, for half a decade. Not that that means we’ve attacked, or fixed it all – we in the open security community aren’t exactly known for our speed in finding issues. But I can’t say I’ve seen much in HTML5 that’s made me nervous, at least relative to problems that already exist in HTML4 and Flash (to say nothing of Java).


This was one of the newer topics that I covered at BlackHat Abu Dhabi. HTML5 has two APIs for making cross domain calls – Cross Origin Requests and WebSockets. By using them JavaScript can make connections to any IP and to any port(apart from blocked ports), making them ideal candidates for port scanning.
Both the APIs have the ‘readyState’ property that indicates the status of the connection at a given time. The time duration for which a specific readyState value lasts has been found to vary based on the status of the target port to which the connection is being made. This means that by observing this difference in behavior we can determine if the port being connected to is open, closed or filtered. For Cross Origin Requests it is the duration of readyState 1 and for WebSockets it is readyState 0.


HTML5 Security Cheatsheet

Network Security

TLS/SSL Hardening & Compatibility Report 2010
This is the ‘Release candidate’ version of the paper, should no errors be found it will be the final version.
This paper aims at answering the following questions :
* What SSL/TLS configuration is state of the art and considered secure (enough) for the next years?
* What SSL/TLS ciphers do modern browsers support ?
* What SSL/TLS settings do server and common SSL providers support ?
* What are the cipher suites offering most compatibility and security ?
* Should we really disable SSLv2 ? What about legacy browsers ?
* How long does RSA still stand a chance ?
* What are the recommended hashes,ciphers for the next years to come


My Linux servers are all protected by a local iptables firewall. This is an excellent firewall which implements all the core features that we are expecting from a decent firewall system. Except… logging and reporting! By default, iptables sends its logs using the kernel logging facilities. Those can be intercepted by common Syslog daemons: Events are collected and stored in a flat file. Note that some Syslog implementations, like rsyslog, have a built-in mechanism to store logs into a MySQL database. But, messages are stored “as is” without processing or normalization; this makes them difficult to use. Of course, solutions exist to parse Syslog flat files and generate firewall stats (have a look at fwlogwatch) but I’m looking for something more “visual”. Visibility is a key point!


Completely Protected  []
Sensible additions to your virus scanner
Good behaviour recognition is an important component that is often missing from free anti-virus software. In good commercial products such as Norton or Kaspersky, behaviour analysis is a last and very efficient line of defence, as it monitors and evaluates program activities.
If there is an increase in suspicious activity, for instance because a program immortalises itself in the registry, records keyboard inputs and links itself into the browser’s encrypted communication, there is a likelihood that a trojan is at work. In such cases, the behaviour monitor will intervene and, ideally, even prevent system manipulations.
Using a free anti-virus program doesn’t mean you have to go without this added protection. PC-Tools offers ThreatFire, a free, dedicated behaviour recognition program designed to be installed alongside a conventional anti-virus program.


1) Like top, but for files
watch -d -n 2 'df; ls -FlAt;'
2) Download an entire website
wget --random-wait -r -p -e robots=off -U mozilla
-p tells wget to include all files, including images.
-e robots=off: don’t make wget obey the robots.txt file.
-U mozilla: the identity (User-Agent) wget presents, as if it were your browser.
--random-wait: let wget choose a random number of seconds to wait between requests, to avoid getting blacklisted.


All versions of Microsoft Windows allow real-time modifications to the Security Accounts Manager (SAM) that enable an attacker to create a hidden administrative backdoor account for continued access once a system has been compromised. Once an attacker has compromised a Microsoft Windows computer system using any method, they can either leave behind a regular user or hijack a known user account (such as ASPNET). This user account will now have all of the rights of the built-in local administrator account from local or remote connections.


Akamai often finds itself scrambling to stop a DDOS attack against one or more of its clients
Google. Twitter. Government websites. Fortune 500 companies. All have been victims of crippling distributed denial-of-service (DDoS) attacks. The attacks have grown in reach and intensity thanks to botnets and a bounty of application flaws. And Akamai Technologies has seen it all firsthand.
Many people use Akamai services without even realizing it. The company runs a global platform with thousands of servers that customers rely on to do business online. The company currently handles tens of billions of daily Web interactions for such companies as Audi, Fujitsu and NBC, and organizations like the Department of Defense and Nasdaq. There’s rarely a moment, if there are any, when an Akamai customer is not under the DDoS gun.


Einstein once said – “You have to learn the rules of the game. And then you have to play better than anyone else” and I agree. Rules are the foundation for many different forms of word mangling techniques, as well as some advanced techniques. I’ll briefly cover each rule and give an example of what each rule would do to an input word. I’ll refer to the below tables in other articles, so you may want to learn what each rule does, or at least review each one.


Exploitation  []
References to vulnerability exploitation stuff.


DNSSEC gives developers the ability to authenticate small bits of trusted data in a namespace that transcends organizational boundaries.
That’s great, because application developers have a real problem authenticating across organizational boundaries. PKI based on X.509 was supposed to fix this, but a couple billion dollars in failed deployments later, it’s become painfully clear: X.509 is really quite expensive and painful.


So, I think it’s fairly elegant and straightforward to put a key into DNS like so: IN TXT "v=key1 ha=sha1 h=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
On connecting to over TLS, a certificate will be delivered. Traditionally, this certificate would be interrogated to make sure it was signed by a trusted certificate authority. In the new model:
* If DNSSEC says the above TXT record chains to the (one) DNS root, and
* The subtype of the TXT record is key1, and
* The SHA-1 hash of the delivered certificate is precisely f1d2d2f924e986ac86fdf7b36c94bcdf32beec15, and
* TLS is happy with the public key in the certificate
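The acceptance check described by the four conditions above, as an added example that is not the post's own code: it parses the TXT record format the post proposes, hashes the delivered certificate and applies the conditions in order. The certificate bytes and the DNSSEC and TLS results are constructed stand-ins, and the function names are this example's own.

```python
"""Added example, not from the post it follows: a verifier for the
'key in DNS' model the post sketches. The TXT format "v=key1 ha=sha1 h=<hex>"
and the four acceptance conditions come from the post; the certificate bytes
and the DNSSEC/TLS results below are constructed stand-ins, and every
function name here is this example's own, not an API of any library."""
import hashlib
import hmac

# Hash algorithms this verifier accepts in the "ha" tag. The post uses sha1;
# sha256 is listed as well so the same code can carry a stronger record.
SUPPORTED_HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def parse_key_record(txt: str) -> dict:
    """Parse 'v=key1 ha=sha1 h=<hex>' into a dict and validate its shape.

    Raises ValueError for a missing tag, a subtype other than key1
    (condition 2), an unknown hash, or an 'h' value that is not a hex digest
    of the right length for that hash.
    """
    fields = {}
    for token in txt.split():
        if "=" not in token:
            raise ValueError(f"malformed token {token!r}")
        tag, value = token.split("=", 1)
        fields[tag.lower()] = value.lower()
    for required in ("v", "ha", "h"):
        if required not in fields:
            raise ValueError(f"missing tag {required!r}")
    if fields["v"] != "key1":
        raise ValueError(f"unsupported subtype {fields['v']!r}")
    algo = SUPPORTED_HASHES.get(fields["ha"])
    if algo is None:
        raise ValueError(f"unsupported hash {fields['ha']!r}")
    try:
        raw = bytes.fromhex(fields["h"])
    except ValueError:
        raise ValueError("h is not a hex string") from None
    if len(raw) != algo().digest_size:
        raise ValueError("h has the wrong length for the named hash")
    return fields


def certificate_matches_record(cert_der: bytes, record: dict) -> bool:
    """Condition 3: hash of the delivered certificate equals the 'h' tag.

    compare_digest keeps the comparison constant-time, so a mismatch does not
    reveal how many leading digits of the hash were right.
    """
    digest = SUPPORTED_HASHES[record["ha"]](cert_der).hexdigest()
    return hmac.compare_digest(digest, record["h"])


def accept_certificate(cert_der: bytes, txt: str,
                       dnssec_validated: bool, tls_ok: bool) -> bool:
    """Apply the post's four conditions in order; any failure rejects."""
    if not dnssec_validated:                  # 1: record chains to the DNS root
        return False
    try:
        record = parse_key_record(txt)        # 2: subtype key1, well-formed
    except ValueError:
        return False
    if not certificate_matches_record(cert_der, record):   # 3: hash matches
        return False
    return tls_ok                             # 4: TLS accepts the key itself


# Constructed sample: stand-in bytes where a real DER certificate would be.
SAMPLE_CERT = b"constructed stand-in for DER certificate bytes"
SAMPLE_TXT = "v=key1 ha=sha1 h=" + hashlib.sha1(SAMPLE_CERT).hexdigest()

if __name__ == "__main__":
    print(accept_certificate(SAMPLE_CERT, SAMPLE_TXT, True, True))          # True
    print(accept_certificate(SAMPLE_CERT, SAMPLE_TXT, False, True))         # False
    print(accept_certificate(SAMPLE_CERT + b"!", SAMPLE_TXT, True, True))   # False
```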


This was one of the newer topics that I covered at BlackHat Abu Dhabi. HTML5 has two APIs for making cross domain calls – Cross Origin Requests and WebSockets. By using them JavaScript can make connections to any IP and to any port(apart from blocked ports), making them ideal candidates for port scanning.


When A DoS Isn’t A DoS  []
It seems that denial-of-service (DoS) attacks are in the news nearly every day, including the recent buzz about a DoS vulnerability present in Internet Explorer 8 that surfaced on full-disclosure. Some claimed it was exploitable (such as VUPEN), but most claimed it either wasn’t exploitable or that it would be very hard to exploit. In this post I’m going to show that this particular vulnerability is not a DoS, nor is it impossible to exploit. (**Note: I’ll be using IE8 patched up to MS10-071 on XP SP3)

Mobile Security

Mobile App Top 10 List  []
The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent.
A. Malicious Functionality
1. Activity monitoring and data retrieval
2. Unauthorized dialing, SMS, and payments
3. Unauthorized network connectivity (exfiltration or command & control)
4. UI Impersonation
5. System modification (rootkit, APN proxy config)
6. Logic or Time bomb
B. Vulnerabilities
7. Sensitive data leakage (inadvertent or side channel)
8. Unsafe sensitive data storage
9. Unsafe sensitive data transmission
10. Hardcoded password/keys


If you are interested in the techniques used to add ASLR to your iPhone here are the slides of my talk at POC 2010. [PDF]
If you want to see the ASLR in action have a look at the GDB output for MobileSafari without ASLR and with ASLR.
When will it be released?
Media wrongly reported an antid0te release date of 14th December. However this date was never announced from my side. Antid0te will be released once it is ready which should be around 24th of December.
Is it a new jailbreak?
Media wrongly reported that antid0te is a new jailbreak. However this is wrong. Antid0te will be a tool that you can use together with the pwnagetool, redsn0w and maybe greenpois0n jailbreaks.
Will you burn another exploit?
No! Antid0te will be a tool used with already jailbroken iPhones. So there is no additional exploit used.


The objective of this report is to allow an informed assessment of the information security and privacy risks of using smartphones. Most importantly, we make practical recommendations on how to address these risks. We assess and rank the most important information security risks and opportunities for smartphone users and give prioritised recommendations on how to address them. The report analyses 10 information security risks for smartphone users and 7 information security opportunities. It makes 20 recommendations to address the risks.


Indian hacker Atul Alex has had a look at the firmware for Symbian S60 smartphones and come up with a back door for it. By modifying version 5 of the original software – which runs on such devices as the Nokia 5800, Nokia X6, Nokia 5530XM, Sony Ericsson Satio and Sony Ericsson Vivaz – he has integrated a back door as a reverse shell, including support for Perl scripts. All of the smartphone’s functions can be remotely controlled, including the camera. Alex wrote the back door itself in Python. He plans to make the firmware available for free soon for downloading.


If you’d like to jailbreak iPhone 4.2.1, iPod touch 4.2.1, or iPad 4.2.1, you can do so by following the guide below. Currently the only tool that supports the iOS jailbreak is redsn0w (by iPhone Dev Team).
The other jailbreak tools: greenpois0n (by Chronic Dev Team), and limera1n (by Geohot) haven’t been updated to support the jailbreak for iOS 4.2.1 yet.
IMPORTANT: We recommend that only iPhone 3G, and older iPod touch users jailbreak. This jailbreak is only untethered for the older iOS hardware. All of the newer devices are tethered, meaning you will need to re-jailbreak each time you reboot your iDevice. If that is fine with you, then go on and jailbreak.

Cryptography / Encryption

NIST hash function competition  []
The announcement of the final round candidates occurred on December 10, 2010 and the proclamation of a winner and publication of the new standard are scheduled to take place in 2012.
‘NIST has selected five SHA-3 candidate algorithms to advance to the third (and final) round’ [8]:
* BLAKE
* Grøstl (Knudsen et al.)
* JH
* Keccak (Keccak team, Daemen et al.)
* Skein (Schneier et al.)


For eight years, Skype enjoyed selling the world security by obscurity. We must admit, really good obscurity. I mean, really really good obscurity. So good that almost no one has been able to reverse engineer it out of the numerous Skype binaries. Those who could, didn’t dare to publish their code, as it most certainly looked scarier than Frankenstein.
The time has come to reveal this secret. contains the greatest secret of Skype communication protocol, the obfuscated Skype RC4 key expansion algorithm in plain portable C. Enjoy!


Today, the United States Court of Appeals for the Sixth Circuit ruled that the contents of the messages in an email inbox hosted on a provider’s servers are protected by the Fourth Amendment, even though the messages are accessible to an email provider. As the court puts it, ‘[t]he government may not compel a commercial ISP to turn over the contents of a subscriber’s emails without first obtaining a warrant based on probable cause.’
This is a very big deal; it marks the first time a federal court of appeals has extended the Fourth Amendment to email with such care and detail. Orin Kerr calls the opinion, at least on his initial read, ‘quite persuasive’ and ‘likely . . . influential,’ and I agree, but I’d go further: this is the opinion privacy activists and many legal scholars, myself included, have been waiting and calling for, for more than a decade. It may someday be seen as a watershed moment in the extension of our Constitutional rights to the Internet.


Today, December 10th, Anonymous, an Internet gathering, released a press release which you can read below. In it, a description is provided of what Anonymous is about, what Operation Payback is, and where the media is getting it wrong. Also in it, its author forgot to remove his name in the pdf’s Meta information.


Don’t expect the government or the software giants to stop the Web snoops from tracking you.
Last week, the Federal Trade Commission tried to goad the federal government into entering the Web browser design business. In an advisory report, the FTC advocated the addition of a persistent ‘Do Not Track’ setting to ‘consumers’ browsers-so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities.’
As it turns out, not much goading will be necessary. Rep. Ed Markey, D-Mass., has proclaimed his intention to craft a bill that would mandate a similar privacy setting, one that would prevent the tracking of children using the Internet.


WikiLeaks  []
I don’t have a lot to say about WikiLeaks, but I do want to make a few points.
1. Encryption isn’t the issue here. Of course the cables were encrypted, for transmission. Then they were received and decrypted, and — so it seems — put into an archive on SIPRNet, where lots of people had access to them.
2. Secrets are only as secure as the least trusted person who knows them. The more people who know a secret, the more likely it is to be made public.


A scam where cyber criminals call unsuspecting consumers claiming to be from Microsoft could lead directly to financial theft, Microsoft and the National Consumer Agency warned today.
In a scam that has been gaining momentum since mid-summer cyber criminals call consumers, claiming to be from Microsoft or other legitimate technology companies to tell them they have a virus on their computer.


Realistic Masks  []
They’re causing problems:
A white bank robber in Ohio recently used a ‘hyper-realistic’ mask manufactured by a small Van Nuys company to disguise himself as a black man, prompting police there to mistakenly arrest an African American man for the crimes.
In October, a 20-year-old Chinese man who wanted asylum in Canada used one of the same company’s masks to transform himself into an elderly white man and slip past airport security in Hong Kong.


[Image: DNA profile in lab. The FSS has provided important DNA evidence in a number of high-profile cases.]
The government-owned Forensic Science Service, which employs 1,600 people, is to be wound up – closing by 2012.
Crime Reduction Minister James Brokenshire said the Birmingham-based service was losing about £2m a month and could run out of money in January.
Its evidence was key to the arrest of serial killer Steve Wright and in the case of missing girl Shannon Matthews.


How to Hack Websites  []
There has been a considerable amount of ‘hacking’ lately going on. Sites going down, content being stolen, DDoS being leveraged. So while there are various methods of ‘hacking’ a site I think there is one thing that ties all of this insanity together.
Sure, you can DDoS a site right out of existence, but that’s not really hacking. If you think that hacking a site is the same thing as flooding it with bad traffic until the server or pipe chokes… you clearly don’t understand the way that hacking or attack/defense actually works.


Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web, but the most common password for logging into those sites is embarrassingly easy to guess: “123456.” So is the runner-up: “password.”
On Sunday night, hackers posted online a trove of data from Gawker Media’s servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were originally encrypted, but 188,279 of them were decoded and made public as part of the hack. Using that dataset, we found the 50 most popular Gawker Media passwords.


Independent testing company NSS Labs recently published a report on the ability of popular browsers to block socially engineered malware attack URLs. The test, funded by Microsoft, reported a 99 percent detection rate by Internet Explorer 9 beta, 90 percent by Internet Explorer 8, and 3 percent by Google Chrome. However, Google doesn’t entirely approve of this report’s focus and conclusions. According to Google, not only did the report use Chrome 6 for the tests (the current version is Chrome 8), it also focused just on socially engineered malware, while excluding vulnerabilities in plug-ins or browsers themselves. Google defended its browser by claiming that it was built with security in mind and emphasized protection of users from drive-by downloads and plug-in vulnerabilities.


Many people are not aware that we have paid a bounty in the past on web application security vulnerabilities which impact client security. We have only paid on critical or extraordinary web application vulnerabilities which have a direct impact against the client. We are now going to include critical and high severity web application vulnerabilities on selected sites. We are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities.
We want to encourage the discovery of security issues within our web applications with the goal of keeping our users safe. We also want to reward security researchers for their efforts with the hope of furthering constructive security research.


How rare is your fingerprint?  []
Crime scene forensic analysis has long functioned on the premise that a person’s unique identity is hidden in the tiny loops and swirls of their fingerprints, but teasing that information out of the incomplete prints left at crime scenes is still an inexact science, at best. (Credit: iStockphoto)
U. BUFFALO (US) – A computer scientist has figured out a way to determine how rare a fingerprint is-and how likely it is to belong to a particular crime suspect.


About javascript, programming and tech
Cough, cough…
Have you ever wished that the Firebug console or could execute the piece of Javascript you typed in on IE, or maybe some other browsers as well – at the same time?
Well, now you can!
Now there’s Tutti – a Javascript Shell that lets you execute Javascript on multiple browsers – all at the same time!
Here’s how it works: to get started,


In a previous post, I explained how you can manually optimize JavaScript for size and/or create self-extracting compressed script using JsSfx. Today I release an updated version of JsSfx, which compresses script to even smaller sizes than the previous version and, as far as I know, smaller sizes than any other JavaScript compressor.


LOIC  []
Low Orbit Ion Cannon goes to Open Source Community
This is the web server stress testing tool that people have been using for the Wikileaks support DoS attacks.


Run Nmap on Android  []
Droidmap is an Android application for root users that implements some functions of Nmap in a GUI.
This program comes with installer scripts for the installation of the required Nmap application that must be run to install the program to your phone.


Oftentimes during a penetration test engagement, a bit of finesse goes a long way. One of the most effective ways to capture the clear-text user password from a compromised Windows machine is through the ‘keylogrecorder’ Meterpreter script. This script can migrate into the winlogon.exe process, start capturing keystrokes, and then lock the user’s desktop (the -k option). When the user enters their password to unlock their desktop, you now have their password. This, while funny and effective, can raise undue suspicion, especially when conducted across multiple systems at the same time. A smarter approach is to wait for a predetermined amount of idle time before locking the screen.


Armitage  []
Cyber Attack Management for Metasploit


Cisco ACL Parser  []
As I work with many firewalls, routers and switches, I have often wished I could parse the ACLs into a spreadsheet. A few years back I found mangeek’s PIX ACL parser, it can be found at I found it to be a great start to what I was looking for, however the script fell short when using object-groups and names. Also it would not parse the IOS based ACLs. So a couple years back I made my own version of the tool. My tool was extremely rough, but it did get the job done enough for my uses. Well, I decided to clean up the tool and fix some of the issues with object groups and names.


oclHashcat 101  []
The world of GPU hash crackers is not a very large one. The list gets smaller when you consider the ones that support multihash, or dictionary attack. The list shrinks even further when you consider those that are free, work in both Linux and Windows and support both Nvidia and ATI. Well really that only leaves one, oclHashcat (oclhc for short). oclhc originally started as a CUDA only tool called ‘Combination CUDA’. The original concept at the time was not to create another bruteforce tool, but instead to pioneer as the first GPU based dictionary cracker. As the project grew it was moved to a platform that was supported by more than just Nvidia, thus oclhc was born. The ocl in oclHashcat stands for Open Computing Language, and was a method for utilizing the two major GPU platforms using a single programming language. In this article I’ll be covering some simple concepts as well as very basic command line syntax.


Rescue CD  []
Boot Up Securely with the Rescue CD
If your computer no longer starts due to malware corrupting the operating system, or you suspect the security software has been compromised, you can use the F-Secure Rescue CD to securely boot up the computer and check the programs installed. The Rescue CD can also be used for more advanced repair and data recovery operations.
The Rescue CD contains Knoppix (a derivative of Linux), an operating system that runs completely from the CD and allows access to your computer’s Windows operating system and hard disks.
Note: the Rescue CD cannot scan encrypted disks.


Explaining how Private Usage Memory Monitoring in HeapLocker works is easy, so let’s start with this technique.
When a malicious document performs a heap spray, allocation of private virtual memory will skyrocket. HeapLocker allows you to set a maximum to the amount of private virtual memory a process is using. If the maximum is exceeded, HeapLocker will suspend the process and inform the user.


Mantra Security Toolkit v0.01  []
Free and Open Source Browser based Security Framework
Mantra is a dream that came true. It is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers, security professionals etc.
Mantra is portable, ready-to-run, compact and follows the true spirit of free and open source software.
Mantra is a security framework which can be very helpful in performing all the five phases of attacks including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks.


The FxCop ASP.NET security rules have finally been released after being used for quite some time internally. You can read more about it in this month MSDN magazine
The rules are available on codeplex at


NetworkScanViewer v1.0.3  []
I think v1.0.2 never got released, so those changes are batched in with this release.
* Recoded to use an ESENT database for performance and stability reasons. The previous version held everything in memory which is fast but not scalable, particularly with very large result sets. An example result set with the previous version took over 17 seconds to parse, query and display 4800 results, whereas the new version takes under 3 seconds!
* Now displays the total number of results in the displayed result set in the status bar, once the load is complete
* Re-added the Host Summary tab which was missing functionality from NessusViewer. Thanks AllanS
* Added the ability to export the Host Summaries as CSV
* Added extra validation to cope with half output files
* Removed extra erroneous output in the logging window


IOCTL Fuzzer v1.2 Released  []
Free tool to locate IOCTL vulnerabilities in Windows drivers.
IOCTL Fuzzer is a tool designed to automate the task of searching vulnerabilities in Windows kernel drivers by performing fuzz tests on them. The fuzzer’s own driver hooks NtDeviceIoControlFile in order to take control of all IOCTL requests throughout the system.
While processing IOCTLs, the fuzzer will spoof those IOCTLs conforming to conditions specified in the configuration file. A spoofed IOCTL is identical to the original in all respects except the input data, which is changed to randomly generated fuzz.


cRARk purpose  []
The primary goal of cRARk is to
* recover (crack) your forgotten password on RAR archives.
Rar/WinRar versions 2.x-3.x-4.x up to 4.0 are supported.
Please bear in mind you have almost no chance to crack an unknown password (longer than 6 symbols) if you have no additional info about it.
This is a command-line utility for Win32, Linux, Mac OS.


OWASP CSRFGuard (ALPHA) Released!  []
It is with great pride that I announce the release of OWASP CSRFGuard (ALPHA)! This is a development release of the v3 series that is in need of peer review, testing, and general feedback in preparation for BETA. There are several significant new features that are in need of testing in the enterprise development environments. Please contact me for support if you are interested in testing the latest release. Of course, I am always open to questions, comments, or feature requests! Please check out the project home page ( and User Manual ( for more information about how to install, configure, and deploy the OWASP CSRFGuard library.


Agile Programming  []


Classified By: Consul General Robbie Honerkamp for reasons 1.4 (B) and (D )
1. (S/NF) Summary: We’re no strangers to love. You know the rules and so do I.
A full commitment’s what I’m thinking of. You wouldn’t get this from any other guy.
I just wanna tell you how I’m feeling. Gotta make you understand.
2. (C/NF) Chorus: Never gonna give you up, never gonna let you down, never gonna run around and desert you.
Never gonna make you cry, never gonna say goodbye, never gonna tell a lie and hurt you.


When I read the famous ‘Programmer Habits’ thread, I was wondering: Is there any way to tell if somebody is a programmer without actually asking them?
Clarification: I am asking for things that you can use to recognise a programmer from ‘afar’ or without knowing them well. To identify habits, you need to be around a person for a certain amount of time.


Mankini bros  []


Heducación  []




A Bluescreen By Any Other Color  []
Seeing a bluescreen that’s not blue is disconcerting, even for me, and based on the reaction of the TechEd audiences, I bet you’ll have fun generating ones of a color you pick and showing them off to your techy friends. I first saw Dan Pearson do this in a crash dump troubleshooting talk he delivered with Dave Solomon a couple of years ago and now close my Case of the Unexplained presentations with a bluescreen of the color the audience chooses (you can hear the audience’s response at the end of this recording, for example). Note that the steps I’m going to share for changing the color of the bluescreen are manual and only survive a boot session, so are suitable for demonstrations, not for general bluescreen customization. Be sure to check out the special holiday bluescreen I’ve prepared for you at the end of the post.


OpenBSD backdoor location  []


Wikileaks  []