http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2010-02-05 22:51:48 - Plan B Security Technology and the Law : Just published my first Metasploit Blog Post Whee, unauthenticated fingerprinting is my favorite and my best http://www.secuobs.com/revue/news/189108.shtmlhttp://www.secuobs.com/revue/news/189108.shtml Secuobs.com : 2009-12-28 22:31:50 - Plan B Security Technology and the Law - Backwards compatibility is for chumps, apparently GNU Grep version 254 fundamentally changes regular expression syntax from the 253 and prior behavior The below demonstrates the backwards breakage between 253 on box1 and 254 on box2 todb box1 grep --version GNU grep 253 Copyright C 1988, 1992-2002, 2004, 2005 Free Software Foundation, Inc This is free software see the source for copying conditions There is NO warranty not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE todb box1 for i in cat parrot dog monkey do echo i egrep -v ' catdog ' done parrot monkey todb box1 Meanwhile, on a system with grep 254 todb box2 grep --version GNU grep 254 Copyright C 2009 Free Software Foundation, Inc License GPLv3 GNU GPL version 3 or later This is free software you are free to change and redistribute it There is NO WARRANTY, to the extent permitted by law todb box2 for i in cat parrot dog monkey do echo i egrep -v ' catdog ' done cat parrot dog monkey root box2 The second fails because the special regex characters of parenthesis and pipe loose their special grouping and alteration meanings in 254 Thus, this works for 254 todb box2 for i in cat parrot dog monkey do echo i egrep -v ' cat dog ' done parrot monkey But the same does not work for 253 todb box1 for i in cat parrot dog monkey do echo i egrep -v ' cat dog ' done cat parrot dog monkey todb box1 What this all boils down to is that scripts that rely on egrep are going to break pretty horribly and somewhat mysteriously when the underlying grep package gets updated even better, there's no common method between the two versions to ensure that you get what you expect with a regular expression that involves grouping or alteration Naughty, naughty, grep maintainers Off to submit a bug report now, but since grep 254 was released way back in February, 2009, I suspect the damage is going to be somewhat unavoidable If you know of a way to create a regex that will work in both contexts, I'd love to hear it Single versus double quotes don't work, so for my purposes, I have to wrap my grep functions up in a version check of grep itself grep --version sed s 0-9 head -1 for the curious http://www.secuobs.com/revue/news/176232.shtmlhttp://www.secuobs.com/revue/news/176232.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - If you like to transmit secret messages to from Debian Linux-based hosts like Ubuntu and friends , you will probably want to pay attention to Ubuntu's bulletin and the corresponding Ubuntu Forum thread Dammit all This guy spent the morning ranting that vendors are bad for security I think it's more appropriate to get specific, though non-cryptographers are bad for cryptography IMAGE http://www.secuobs.com/revue/news/148994.shtmlhttp://www.secuobs.com/revue/news/148994.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Well, I feel vindicated Wired is reporting that Metasploit was defaced via ARP spoofing While the issue was fixed reasonably quickly, I have a personal affinity for this particular attack You see, at DallasCon 2003, I used the exact same attack to quote-deface-unquote the target web server set up for a capture the flag competition Within about an hour and a half of the contest's start, I had rerouted all the incoming traffic to my own laptop's Apache server, claiming victory with some joo r 0wned web page Unfortunately for me, my attack was discounted by the judges, because it wasn't realistic, and thus, I didn't win the prize -- some 50 peice of 80211 hardware, IIRC The following year, ARP spoofing was specifically outlawed as a valid attack I'm happy to see that ARP spoofing a target from within the same broadcast network is, in fact, being used in the wild as they say And it would have been effective for trojaning users, at least you could do a fair bit of damage by cloning and replacing Metaspliot's download link with a custom keylogger version of the venerable attack suite So take that, conference organizers from 5 years ago Now gimme me prize IMAGE http://www.secuobs.com/revue/news/148993.shtmlhttp://www.secuobs.com/revue/news/148993.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Well, you don't see that every day IMAGE The working theory is that there's a new root name server in town, which has taken over the old IP address of the L root story here And it's returning bad information for, among other sites, wwwmicrosoftcom On Microsoft Tuesday Isn't that sweet You may want to remove any reference to the old-and-busted address of L on your network If you're an end user, it looks like OpenDNS has done this for you IMAGE http://www.secuobs.com/revue/news/148992.shtmlhttp://www.secuobs.com/revue/news/148992.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - PC Magazine is running a story, Texas PC Repair Now Requires PI License, which cites GearLog as its source but no particular article Gearlog, in turn, cites The CW33 via this article CW33 is a television station newsroom which cites nobody Through some other means, a friend turned up This KVUE story another TV station , which mentions the newly formed Institute for Justice Googling with that phrase turns up the IJ press release, which might be the original source Holy hell And nobody has even mentioned which new law we're talking about here, including the IJ Attention real journalists Cite your damn sources Sheesh Attention press release writers Cite the law, please, so I don't have to paw around for that, too I am very, very lazy Attention Mike Rife, owner of PCTech If you're going to complain about getting a PI license, maybe you should button your shirt before you get mistaken for a real fake PI Update Found it My laziness was vanquished Here is a writeup of the legislative text, thanks to some blog called Post Process Presumably, these guys are involved in forensics NB Of all the people I know who practice network forensics in Texas myself included , approximately zero percent hold a PI license, and the pre-2007 text seems to imply that all we Intrusion Analysts need a special Texas license, too IOW, this sounds awfully unenforced, if not unenforceable IMAGE http://www.secuobs.com/revue/news/148991.shtmlhttp://www.secuobs.com/revue/news/148991.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Saw this headline and picture combination on the Chicago Tribune today Struck me funny IMAGE Yay for dynamic editorship IMAGE http://www.secuobs.com/revue/news/148990.shtmlhttp://www.secuobs.com/revue/news/148990.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - My middle kid is scheduled to enter kindergarten in the fall, and I'm just finishing up copying all her identity documents for the school Being that I have a bit of background in identity and credit, I look at her Social Security card, and wonder if she can get some credit history going by the time school starts I've heard the silly stories about credit card companies extending credit to little kids, so I went to CreditCardcom to get the latest student offerings My kid has now applications in for Capital One and Citi student level credit cards I tried for a Chase card, but that offer requires enrollment in a 4-year school or a 2-year technical community college Naturally, she couldn't complete that application on her behalf without necessarily lying on the application In fact, she was only able to complete applications for student cards -- my I mean her first attempts were stymied by the issuers' instance that applicants be 18 or older So I don't know how these kids and dogs are getting cards without committing some kind of fraud along the way So, we'll see Assuming the credit card applications fall through, the next step is to just get her jointly named on some card that I already have, or even better, a joint savings checking account , then wait around for the junk mail offers as her name and Social Security number starts churning through the credit system If everything works out, I'll repeat the process with my youngest kid next year This way, by the time they're 18, they'll already have over a decade of rather perfect credit history, and might not be saddled with the horrendous student rates that plague most college freshmen IMAGE http://www.secuobs.com/revue/news/148989.shtmlhttp://www.secuobs.com/revue/news/148989.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Looks like this is the headline from Vegas this year Short story College kids figure out that an RFID authentication system sucks, plan to tell others all about it at a high-publicity security conference Their home state asks rather insistently that they don't A gag order is a little more civilized than a surprise detention by a foreign government A little I guess Massachusetts would prefer this kind of information stay in the real computer crime underground, as opposed to DefCon's play-pretend underground Shrug IMAGE http://www.secuobs.com/revue/news/148988.shtmlhttp://www.secuobs.com/revue/news/148988.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Today, I presented PacketFu at Lone Star Ruby Conf I'm pretty pleased with it, although the guts are quite horrible still Now that it's in a demo-able state, time to refactor everything and make it maintainable I'm sure the rest of LSRC was great but I'm not a web app developer or a Rails nerd, so I couldn't really tell Most of the time I was talking to people who were getting kind of sick with the whole Rails paradigm Expect a more detailed blog post at my employer's blog about my adventures with PacketFu IMAGE http://www.secuobs.com/revue/news/148987.shtmlhttp://www.secuobs.com/revue/news/148987.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Barely a week after I presented PacketFu, I got an idle question about PacketFu's usefulness on Windows Last night, while I was waiting for my brother and his family to drive up from Houston ahead of the Hurricane, I got to messing around with compiling PcapRub on Microsoft Vista and Windows XP Much to my amazement, my goofy hacks worked The rest of PacketFu is pure Ruby without C extensions or anything, so cross-platform love is already baked in there So, the latest revision of PacketFu seems to work fine on XP I haven't tested the Vista machine yet It works so well, in fact, that I duplicated the climax of my Lone Star RubyConf talk in the form of a Flash movie link downloads the FLV, it's not embedded or anything How many other packet libraries have screencasts a week after they're built ZERO, that's how many IMAGE http://www.secuobs.com/revue/news/148986.shtmlhttp://www.secuobs.com/revue/news/148986.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - I'm sure I'm not the first to mention this, but according to the Wired story, Sarah Palin's recent e-mail compromise was a result of the Paris Hilton Hack How does it work a Pick a famous person's data store T-Mobile account, Yahoo mail account, whatever b Perform a password reset This will often trigger the data store's authentication mechanism to fail stupid c If the famous person played by the rules, you will be presented with a series of questions with nonsecret answers For Paris Hilton, it was her dog's name Tinkerbell For Governor Palin, it was where she met her spouse Wasilla High Note to famous people Your username is, in fact, your password as well So keep that secret Unless you lie on the password reset questions -- which effectively creates alternate passwords for you You should fill out Yahoo's general security form to get your nonsecret answer changed Note, this is a huge hassle at most places, unless it's another fail-stupid mechanism, in which case, other people may just do it for you Shrug, use it and find out Personally, I usually use nonsense answers for the secret questions on my various web-based data repositories I just live with the knowledge that if I forget my main password, I'm pretty much screwed for the follow up passwords IMAGE http://www.secuobs.com/revue/news/148985.shtmlhttp://www.secuobs.com/revue/news/148985.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Late last week, I wrote a couple blog posts speculating about RSnake and Jeremiah Grossman's canceled OWASP talk After a couple thousand page views, I figure I ought to mention it here The first post is about evading pop-up blockers through click trickery, the second is a postulation of what the Clickjacking problem really is To put it simply, human eyeballs don't adhere to the same-origin policy I've been spending the morning experimenting some more, and I'm pretty certain now that these techniques can be used to create some pretty convincing phishing sites At any rate, it would appear that sites can protect themselves with a frame busting snippet on every page with remotely useful forms Requiring code like this duplicated all other the place sucks, of course Practically, though, it's not a whole lot different from the ubiquitous browser detection snippets that litter the Internet IMAGE http://www.secuobs.com/revue/news/148984.shtmlhttp://www.secuobs.com/revue/news/148984.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Saw an eWeek story this week about how bad guys heart BlackBerry for, surprise, the same reasons that good guys do As far as I can tell, I'm the only one in my group, and possibly my whole office, with a Blackberry It's nice to see this validation of its on board encryption versus the RCMP Take that, iSnobs IMAGE http://www.secuobs.com/revue/news/148983.shtmlhttp://www.secuobs.com/revue/news/148983.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Have I mentioned lately how much I heart BinData It's the guts of my own PacketFu, and now I'm using it to build up an FLV file format parser It's a thousand kinds of rad, or more succinctly, k-rad Now I just need a cutesy name for the eventual Flash file format fuzzer Ooo, I think I have one At any rate, quick search indicates that Aaron and Pedram have already written a custom Flash fuzzer using PaiMei So I doubt I'll come up with anything decent but I do have that ancient version of Flash lying around on the Wii, so you never know Hopefully, I've have mine finished up tomorrow Go Ruby Go BinData IMAGE http://www.secuobs.com/revue/news/148982.shtmlhttp://www.secuobs.com/revue/news/148982.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - ZDNet is running a story about how promiscuous excellent adjective Twitter users can be original story here, and Twitterank creator Ryo Chijiiwa's followup here This would have been a slightly better story if Ryo was a security researcher who was trying to make a point about password sharing, but no, that was just a side effect of his viral web service according to him, over two thousand opt-ins in under five hours The fact is, Ryo is not the first to ask for your password Facebook and LinkedIn have been doing it for a while, mainly to rifle through your webmail contacts list, and I'm sure they're not the only ones I've never really understood why anyone would say yes to this, or even why it's acceptable to ask Kids these days with their loose passwords and their Internet promiscuity IMAGE http://www.secuobs.com/revue/news/148981.shtmlhttp://www.secuobs.com/revue/news/148981.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - I just put together a freshly installed VMWare appliance for Plan 9 and dumped it on the VMWare Marketplace I was looking for a better solution for a distributed file system at my house, and am in the process of getting hardware together for a Plan 9 installation In the meantime, I figured I'd get acclimated with the UI with this image, and a friend suggested I upload it so others may luxuriate in the alien beauty of Plan 9 from Bell Labs IMAGE http://www.secuobs.com/revue/news/148980.shtmlhttp://www.secuobs.com/revue/news/148980.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - One of the things I like most about writing in Ruby is that if I find myself reimplimenting the same thing more than two or three times, I have the option of extending Ruby's base classes to incorporate that functionality People argue against this usually by calling it monkeypatching , but when it comes down to it, I think it's a wonderfully fun way to interact with an interpreted language, even if it's not the safest or prudent habit After all, the more fun something is, the more dangerous it's got to be, right An example base extension I use a lot is binarize -- it takes a String or Array and turns it into binary really, a pack C string Here it is at pastie Once implemented, 414243 binarize magically turns into ABC Delight all around The argument against monkeypatching is that it's not that much more work to create a module with a function of binarize that takes an argument, so you end up with something like NoFunAtAll binarize 414243 But really, only squares with CS degrees would do that Devil-may-care types like myself prefer to extend String and Array directly, and damn the maintainability IMAGE http://www.secuobs.com/revue/news/148979.shtmlhttp://www.secuobs.com/revue/news/148979.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Read a story this morning about the supposed shrinking and presumably non-renewable resource of phishable dollars this morning, aka, the Tragedy of the Phishing Commons Just a thought I had while reading it Phishing is stupendously easy, so the field will attract lots of stupid entry-level phishers While this is a detriment to the professionals someone phished by a dumb phisher may be less likely to be phished later by a smart one , it seems this field of less-skilled phishers are more likely to get caught, which itself gives two benefits to the smart criminals First, law enforcement has finite resources and are almost always driven by bust statistics, so if they hit their quota of easy targets, the hard targets will remain in the field longer Second, while the professional phishers stay in the game longer, they will get better at it At the same time, the law enforcement types, through their success at busting dumb phishers, will get better at busting the same kind of dumb phisher over and over again, further insulating pro phishers So, phishing can be seen in the same light as, say, drug dealing -- cops will tend to spend most of their time taking the least skilled players off the street, while the kingpin types remain to operate relatively unimpeded All speculation, of course, but I watched The Wire, so I'm confident in my ability to comment intelligently on police procedure IMAGE http://www.secuobs.com/revue/news/148978.shtmlhttp://www.secuobs.com/revue/news/148978.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - I moved my domain's guts around over the summer, and forgot to point bloggercom at my new atom feed Welp, I just updated that now, so if you've been waiting for content, here's about six months' worth Honestly, I didn't even know anyone was looking at that IMAGE http://www.secuobs.com/revue/news/148977.shtmlhttp://www.secuobs.com/revue/news/148977.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Here's a baseline of how PacketFu version 011 handles a set of 5000 packets This benchmark test takes in a pcap file, then chucks all the processed packets into a Ruby array The performance is horrid compared to Wireshark, but ignore that for a moment these packets are all normal TCP packets 1000 17 26 48 20s 2000 17 27 13 25s 3000 17 27 43 30s 4000 17 28 19 36s 5000 17 29 01 42s 2m33s elapsed, parsed 5001 packets Eek So, the more packets I pull in, the slower PacketFu gets This is pretty disastrous, if you're using PacketFu in offline mode So, after poking at PacketFu Packetparse for a bit, I figured out this morning that if I make a good guess at the packet type before testing it for complete correctness, I get a fairly huge bonus in parsing speed Here's a run with all normal TCP packets 1000 11 21 48 15s 2000 11 22 03 15s 3000 11 22 17 14s 4000 11 22 32 15s 5000 11 22 47 15s 1m14s elapsed, parsed 5001 packets Testing the new and improved version with a mixed bag of packets, which contains ARP, TCP, ICMP, and UDP and a few IPv6 packets 1000 12 21 15 11s 2000 12 21 30 15s 3000 12 21 48 18s 4000 12 22 10 22s 5000 12 22 36 26s 1m32s elapsed, parsed 5001 packets Unfortunately, my creeping performance problem persists -- at least when I have a whole bunch of dissimilar packet types But at least it's less pronounced now, and eliminated entirely when dealing with sets of TCP packets which is going to be the most common use case, I figure --------------------------------------------------------------------- Update That was completely wrong The only reason for the performance boost was that PacketFu Packetparse was forgetting to read in the data The below is even more true -- this is where the problem lies Darnit please make sure to never use PacketFu r66, it's broken --------------------------------------------------------------------- tmanning has been looking at PacketFu lately as well, and believes that there are some more bugs in PacketFu Packetread , mostly revolving around my atrocious design of how read and parse interrelate I suspect this is the source of most of my performance problems as well, so keep an eye out for the next tagged version of PacketFu for some love in that part of the code Oh, and I'll be fixing up the PacketFu Fileappend function to be a lot more sane, too IMAGE http://www.secuobs.com/revue/news/148976.shtmlhttp://www.secuobs.com/revue/news/148976.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - You may have noticed that I haven't updated the Plan B blog since February This is largely because I've been spending most of my blogging cycles on my employer's blog, BreakingPoint Labs I suppose I should blogspam myself and just repost here, but I'd hate to divert the traffic At any rate, that link goes to just my posts -- click around the rest of the blog for other people's My last post there was about AIM, specifically about AIM file transfers It's a ripping yarn, to be sure Here's a prettier version of the Ruby code to calculate file checksums So, whee IMAGE http://www.secuobs.com/revue/news/148975.shtmlhttp://www.secuobs.com/revue/news/148975.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - PacketFu v020 was released today There's really not a lot to this update, other than the direct inclusion of PcapRub and some more detailed installation instructions -- this week, a couple people wrote me to let me know that the installation instructions were, uh, less than forthcoming kballero wrote this Ubuntu forum post that goes into considerable detail on installing all the discrete components and some details on how to make wlan0 the default interface as opposed to eth0 Many thanks for that At any rate, with this new version, I was able to install and run packetfu-shellrb cleanly on a fresh LiveCD version of Back Track 3, so it should work for pretty much any Linux platform with a reasonbly recent libpcap version If you get it running on WinXP and OS X, please let me know if you had to do anything special Still haven't worked out my performance problems I suspect I'm going to have to ditch BinData entirely if I can't figure out how to fix it up to be a little more efficient with its recursion IMAGE http://www.secuobs.com/revue/news/148974.shtmlhttp://www.secuobs.com/revue/news/148974.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Yes, I really do have SFTP, and I would like to use that rather than plaintext FTP, if that's okay with you, Bloggercom It is Great I've fixed my RSS feed, again Looks like Blogger and I were having some disagreements about relative path roots between SFTP and FTP entry points, and Blogger's error logging is supremely unhelpful in this regard Ah well, lesson learned IMAGE http://www.secuobs.com/revue/news/148973.shtmlhttp://www.secuobs.com/revue/news/148973.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Since it appears that Why the Lucky Stiff has rm'ed himself from the Internet for the time being , I want to make sure that Why's Poignant Guide to Ruby is available for general use -- namely, for my kids, when they're literate enough to learn how to program I had the opportunity to meet and work a little with _why in the spring of 2009 Given my very limited exposure to him, both online and in person, I'm not surprised in the least that this happened So, here it is, in PDF form -- it's been lurking on my various desktops for a while now, and I give it to anyone who says something like, Gee, so what's this Ruby all about, anyway I'm sure there are mirrors elsewhere as well, but this one is the only one I can count on Why's Poignant Guide to Ruby IMAGE http://www.secuobs.com/revue/news/148972.shtmlhttp://www.secuobs.com/revue/news/148972.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - I saw an ad on TV about AT T practically giving away Acer netbooks Here's the link of note So, it's 199 for a netbook, as long as you sign a two-year contract for a DataConnect plan and that's where they get you, as they say 40 month, plus 199, makes this a 1159 computing device over two years Oh, and the 40 month plan is capped at 200 mb month Uhhhhh yeah This seems to suck significantly more than I expected Back to Plan A, being an Android phone on T-Mobile and a tethered POS laptop Now to figure out if their data plans are unlimited I've been having creeping problems with my BlackBerry 8310, which is why I'm looking at this now IMAGE http://www.secuobs.com/revue/news/148971.shtmlhttp://www.secuobs.com/revue/news/148971.shtml Secuobs.com : 2009-10-09 15:29:50 - Plan B Security Technology and the Law - Swinging by SecurityFocus' exploit list for the recent SMBv2 denial of service, I was immediately struck by the apparent silliness of listing five seperate but nearly identical implementations of the same bug So struck, I daresay, that I could not resist writing my own stand-alone Ruby version, joking that maybe SecurityFocus will pick it up and make me famous Well, they did, and I did lol They also picked up I ruid's much more interesting bash shell version I thought that opening a socket straight on the command line was strictly the purview of Plan 9, but he proved me wrong The most meta version, so far, is Brent's wget-to-netcat implementation I couldn't get it to function exactly as his tweet was written, but here's a version that Works For Me for i in wget http ur1ca bhe8 -q -O-egrep 'oit 'sed 's s dev null This has the added bonus of including some mild fragmentation, making IDS detection a little more squirrelly At any rate, I think this is all quite hilarious, and now I'm hopeful that the SMBv2 bug will be the widest-implemented DoS ever Update ruid has published a version in Expect Update I've published a version in Perl Update Someone published a version in Java IMAGE http://www.secuobs.com/revue/news/148970.shtmlhttp://www.secuobs.com/revue/news/148970.shtml