Gmail Attachment Filter

I ran across something interesting today. A friend asked me to send him a certain exe to his email. Not thinking much about it, I composed an email on my Gmail, attached the exe, hit send and then saw an error which basically told me Google doesn’t allow exes to be sent through Gmail.

Irritating enough, but seemingly familiar, I decided to ‘get smart’ and zip the exe in a folder and send it. Same thing.

!@#$%

I also tried gzipping the archive and sending it. That didn’t work either.

I finally compressed the folder+exe to make a bz2 archive and sent it away. Worked like a charm.

Where were Google’s attachment filters then!? *grin*
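An added example, not code from the original post, showing what a filter needs in order to catch the bz2 case: instead of trusting the extension or the outer wrapper, it unwraps every container it recognises and looks for the PE magic inside. The fake exe, the sample attachments and the function names are all constructed for this illustration.

```python
# Added example, not from the original post: a content-based attachment check.
# The post's filter rejected .exe/.zip/.gz by wrapper type but let a .bz2 through;
# this unwraps each container it knows and looks for the PE magic ("MZ") inside.
import bz2
import gzip
import io
import tarfile
import zipfile

FAKE_EXE = b"MZ" + b"\x90" * 62                 # constructed stand-in for an exe
BLOCKED_EXTENSIONS = {".exe", ".zip", ".gz"}   # what the post saw rejected


def extension_filter_blocks(name: str) -> bool:
    """The naive check: decide from the attachment name alone."""
    return any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)


def contains_executable(data: bytes, depth: int = 0) -> bool:
    """Recursively unwrap gzip / bzip2 / zip / tar layers looking for PE magic."""
    if depth > 4:                       # bound nesting so a nested archive cannot recurse forever
        return False
    if data[:2] == b"MZ":
        return True
    if data[:2] == b"\x1f\x8b":         # gzip magic
        return contains_executable(gzip.decompress(data), depth + 1)
    if data[:3] == b"BZh":              # bzip2 magic
        return contains_executable(bz2.decompress(data), depth + 1)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(contains_executable(zf.read(n), depth + 1) for n in zf.namelist())
    try:                                # a plain tar has no leading magic; just try it
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            return any(contains_executable(tf.extractfile(m).read(), depth + 1)
                       for m in tf.getmembers() if m.isfile())
    except tarfile.TarError:
        return False


def build_samples() -> dict:
    """Constructed attachments: the same fake exe in each wrapper the post tried."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("tool.exe", FAKE_EXE)
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        info = tarfile.TarInfo("folder/tool.exe")
        info.size = len(FAKE_EXE)
        tf.addfile(info, io.BytesIO(FAKE_EXE))
    return {"tool.exe": FAKE_EXE,
            "tool.zip": zbuf.getvalue(),
            "tool.zip.gz": gzip.compress(zbuf.getvalue()),
            "folder.tar.bz2": bz2.compress(tbuf.getvalue())}


def verdicts() -> dict:
    return {name: (extension_filter_blocks(name), contains_executable(data))
            for name, data in build_samples().items()}
```

The bz2 sample is the interesting row: the name-based check passes it while the content-based check still finds the executable inside.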

Exploits of the Week #4

Megacubo 5.0.7 Download & Execute Remote Exploit

JJunior

PHP GD Library Information Leak Exploit

Hamid Ebadi

Destiny Media Player 1.61 “lst file” Local Buffer Overflow Exploit

Encryt3d.M!nd

VMware Remote DoS Exploit

Laurent Gaffie

Konqueror 4.1 XSS & Crash Exploits

staker

Snow and security

I live in Vancouver.  Despite the fact that this is in Canada, we do not live in igloos, nor do we have to get around by dogsled.  Most of the time.  At the moment, we are having an unusual spell of snowy weather.  It’s here, for one thing.  It’s been here for more than two weeks, for another.  It’s also much deeper than usual: more than 30 cm (a foot, US) is on level areas in many places, and the piles where the snow has been shovelled are getting pretty high.

That’s not unusual in many places, but in Vancouver it is practically unheard of.

The weather in Vancouver is very similar to the weather in Seattle, so Seattle is snowed in, too.  And I was discussing this with a much younger friend in that area.  I was complaining that nobody around here was shovelling their sidewalks.  He was complaining that people in his area were.

Those of you who live in the deep snow areas will probably not understand his complaint.  You see, in this region, when we do get snow, the temperatures tend to hover around the freezing point.  So, some days the snow will start to melt.  And at night, or on other days, it freezes again.  So if you don’t shovel the sidewalk properly, you create a bit of a skating rink.

The key is to shovel properly.  There are a few factors involved in this, but the primary one is to shovel right to the edge of the sidewalk.  If you can see even one blade of grass at the edge, then, when the snow starts to melt, the meltwater goes into the ground.  Leave even a centimetre of snow on the edge of the walk, and the meltwater runs all over the sidewalk, and, when it freezes, you’ve got the slickest, most treacherous footing imaginable.

Which brings me to security.  For a number of years, many of us in the field have been faced with the extreme frustration of preparing security architectures, designs, and plans to fit the particular business and environment in which we find ourselves.  Finely tuned, appropriate to the assets and risks involved, and complete.  Only to have some bean-counter come along and say that this is great, but a bit too expensive: couldn’t we get half the security for half the cost.

The answer, as we know, is no.  Security is not something you buy by the kilogram.  Security is not like a blanket, where the more you have, the warmer you are: it’s like a roof or tent, where you’ve either got one up or not.  Security is not like a road, where, no matter how long it is, it is of some use: it’s like a bridge, where, if it’s even a little bit too short it is no use at all.

So, here’s another illustration for you.  Security is like clearing the snow in Vancouver.  Do it right, out to the very edge, and you’re golden.  Do it quick and dirty and cheap, with one shovel width down the middle, and you’re creating a problem for yourself.  And others.

Joe-jobing in the real world

This is a few weeks old, but I think it’s very cool. First, because it implements in real life an attack that is constantly done on the Internet - life imitating art, so to speak. Second, because it reminds me of the “Panther Moderns” terrorist attack in Neuromancer, and remembering Neuromancer is a great way to start the year.

The only problem, of course, is that it’s easy to catch who did it - for one, there’s a picture of their real car.

So you can fake your SSL Certificate. That don’t impress me much

Attacking MD5 to create a rogue CA that is trusted by most modern browsers is a very cool attack. I have to admit that whenever I read about a practical cryptanalysis attack I feel a bit inferior: probably what a desk officer at the Pentagon feels when they meet a Marines soldier coming back from Iraq. It’s like I’m not a “real” security researcher - I only play with SQL injections and Cross Site Scripting when the real soldiers are in the field breaking algorithms.

I can’t remember many times when our team was impressed as much as they were when Zvi Gutterman gave us a talk about breaking the Linux kernel PRNG. That week, everybody stopped looking for buffer overflows and started reading Donald Knuth instead.

But inferiority complex aside, this hole won’t have much impact. SSL certificates are a great idea, that just doesn’t work. When SSL Certificates started, you only got one after the CA verified your identity. This involved sending them a bunch of documents to prove the company’s identity, and them giving you a surprise phone call to see if the information on the web site really matches the submission you gave them, and perhaps other subtle tests. It took a while to get a certificate and so having one meant “you” could be trusted.

But today, it’s hard to say who “you” are. Companies have many web sites for many different purposes, and it’s very difficult to deny them a certificate based on some logic. But it gets worse: SSL certificates are so abused that users don’t really care about them. I had two different banks show me certificates that generated browser errors. Some valid Google URLs still produce SSL warnings. This is apparently so common that Firefox had to put a scary warning message on top of their regular, already scary, warning message.

So broken SSL certificates are ignored, and valid SSL certificates mean very little - until Firefox 3.0, you had to click on the little lock in the lower right corner to know which company is behind the certificate. Now that you know - does that mean anything? Is the Banc of America the same as the Bank of America? Pretty much, yes. So what about the Band of America? They can apply for a valid SSL certificate and it will match the organization’s name nicely.

SSL Certificates are long broken, and not because of a clever attack. However, the fact that there is an effective crypto attack against them may help bury this cadaver and perhaps help bring another solution to the surface.

Exploits of the Week #3

Amaya Web Browser

SkD

FreeBSD 6x/7 protosw kernel Local Privilege Escalation Exploit

Don “north” Bailey

Doop CMS CSRF/Upload Shell Remote Exploits

x0r

Ultimate PHP Board

athos

Google Chrome Browser Remote Parameter Injection

Nine:Situations:Group::bellick&strawdog

Disasters cost money?

A BBC story notes that a German re-insurance concern has raised the issue of increasing natural disasters, and a possible tie to climate change/global warming.

Now that the money/finance people are getting scared, will we finally do something about business continuity and disaster planning?

(Likely answer: nah.)

All your (base) stations belong to us

What started off nicely in 1992 and promised much-needed privacy for cordless communication at home was brought to a halt a few days ago by a practical approach to eavesdropping on DECT communication.

DECT, or Digital Enhanced Cordless Telecommunication, is a widely used standard for cordless devices, mainly phones but not limited to them; several POS (Point of Sale) devices also use the standard to communicate in a cheap and secure manner.

The DECT standard itself was not broken. Rather, using a cheap off-the-shelf device that is able to receive (not yet transmit) DECT data, the researchers were able to prove that eavesdropping on the communication channel is possible.

Most interesting to me as a reader of the paper is that what stopped people from ‘breaking’ it until now was the lack of hardware, or rather the lack of cheap hardware, to experiment with. Now, with the availability (it has been around for a while) of the COM-ON-AIR device and its character device (or raw software driver), things have been made a lot easier.

You can read more on this at deDECTed.org

Encoded message as an effective spam?

Following up on my previous post on spam, it seems that spam has now gone another step and become not just unreadable - foreign language - but also unreadable to the un-computerized eye:

Subject: Please confirm your message

Body:

IURPQ1RZUEUgSFRNTCBQVUJMSUMgIi0vL1czQy8vRFREIEhUTUwgNC4wIFRyYW5zaX
Rpb25hbC8vRU4iPg0KPEhUTUw+PEhFQUQ+DQo8TUVUQSBodHRwLWVxdWl2PUNvbnRlb
nQtVHlwZSBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9aXNvLTg4NTktMiI+DQo8L0hF
QUQ+DQo8Qk9EWT48YSBocmVmPSJodHRwOi8vY291cnNlbWlnaHQuY29tLyIgdGFyZ2V0P
SjfYmxhbmsiPg0KPGltZyBzcmM9Imh0dHA6Ly9jb3Vyc2VtaWdodC5jb20vOGR2czkuanBnIiBib
3JkZXI9MCBhbHQ9IkhhdmluZyB0cm91YmxlIHZpZXdpbmcgdGhpcyBlbWFpbD8NCkNsaWNr
IGhlcmUgdG8gdmlldyBhcyBhIHdlYnBhZ2UuIj48L2E+PC9CT0RZPjwvSFRNTD57L0JBU0
U2NF9FTkNPREVEfQ0KDQoAAAAAAAAAAAAAAAA=

Wow that is nice, I would sure want to buy an IURPQ1…

This is plain silly: it is a Base64-encoded message, but why would my reader open it?

There is an indication in the email headers that this is Base64 encoded, but I can’t understand what kind of reader will even try to open it, as it seems that Base64-encoded content inside a body is not common practice unless it is part of a multipart message.

For those wondering, the email’s intention is to show you an HTML page that sells you fake? real? pills.
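An added example, not from the original post: a small triage routine run over the encoded body quoted above, which is pasted into the code verbatim (its leading “<” was already lost). Decoding it also explains part of the puzzle: besides the HTML and its links, the blob ends with a literal {/BASE64_ENCODED} tag, a template marker from the spam kit, which suggests the mail went out before its template was rendered. The function names are my own.

```python
# Added example, not from the original post: triage of a bare Base64 mail body.
# SPAM_BODY is the encoded text quoted in the post, pasted verbatim (its leading
# "<" was already lost, so the decoded page starts at "!DOCTYPE").
import base64
import re

SPAM_BODY = """
IURPQ1RZUEUgSFRNTCBQVUJMSUMgIi0vL1czQy8vRFREIEhUTUwgNC4wIFRyYW5zaX
Rpb25hbC8vRU4iPg0KPEhUTUw+PEhFQUQ+DQo8TUVUQSBodHRwLWVxdWl2PUNvbnRlb
nQtVHlwZSBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9aXNvLTg4NTktMiI+DQo8L0hF
QUQ+DQo8Qk9EWT48YSBocmVmPSJodHRwOi8vY291cnNlbWlnaHQuY29tLyIgdGFyZ2V0P
SjfYmxhbmsiPg0KPGltZyBzcmM9Imh0dHA6Ly9jb3Vyc2VtaWdodC5jb20vOGR2czkuanBnIiBib
3JkZXI9MCBhbHQ9IkhhdmluZyB0cm91YmxlIHZpZXdpbmcgdGhpcyBlbWFpbD8NCkNsaWNr
IGhlcmUgdG8gdmlldyBhcyBhIHdlYnBhZ2UuIj48L2E+PC9CT0RZPjwvSFRNTD57L0JBU0
U2NF9FTkNPREVEfQ0KDQoAAAAAAAAAAAAAAAA=
"""

B64_ONLY = re.compile(r"^[A-Za-z0-9+/=\s]+$")


def looks_like_bare_base64(body: str) -> bool:
    """True when a body is nothing but Base64 characters and long enough to matter."""
    stripped = body.strip()
    return len(stripped) >= 64 and B64_ONLY.match(stripped) is not None


def tolerant_decode(body: str) -> bytes:
    """Decode even if line wrapping or copy/paste damaged the length or padding."""
    raw = re.sub(r"[^A-Za-z0-9+/]", "", body)   # drop whitespace and any '=' signs
    if len(raw) % 4 == 1:                         # a lone trailing sextet cannot form a byte
        raw = raw[:-1]
    return base64.b64decode(raw + "=" * (-len(raw) % 4))


def triage(body: str) -> dict:
    """Decode the body, list the URLs it carries and note leaked template tags."""
    # latin-1 never fails, so one mangled byte in the quoted blob cannot abort triage.
    text = tolerant_decode(body).decode("latin-1")
    return {
        "is_html": "<html" in text.lower(),
        "urls": sorted(set(re.findall(r"""https?://[^\s"'<>]+""", text))),
        # A {/...} marker surviving in the output is a spam-kit template tag: the
        # body was sent as raw Base64 instead of the rendered HTML it was meant to be.
        "template_tags": re.findall(r"\{/?[A-Z0-9_]+\}", text),
    }
```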

The “DesktopSmiley, Not A Spyware” ToolBar

The “Not A Phishing Worm” really got me interested, as it sent special Christmas messages, so I decided to dig in just a bit. As discovered, after the user supplies his MSN credentials, his friends get a link to the “Not A Phishing” website and a lot of tricky links leading to DesktopSmiley.com to download their toolbar. Which they say is “Not Spyware”.

So we have a non-phishing worm downloading a non-spyware program; let’s see its non-evil actions :)
The first thing I did was download the installer, which asks no questions and shows no EULA. It is also digitally signed by “DoubleD Advertising Limited”; well, that’s really funny, we have got to give them that :)

So I ran it in a VM:

That is quite original! “A non-virtualized hardware system is required”; of course, anybody technical gets how lame this lie is :)
Why would an IE toolbar “require” “non-virtualized hardware”? Why would it even bother to check if it’s running under a virtualized environment unless it has some illegal actions to hide?!

Well, I am definitely not going to execute it on my machine :)
Maybe I will test it some other day on a real machine with Restore-IT/Ghost.

In the meantime, let’s take a look at some of the things that it does:
It copies some IE settings from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (except for AutoDetect and UNCAsIntranet, which already exist there and get modified):
ProxyBypass:1 (default 1)
IntranetName:1 (default 1)
MigrateProxy:1 (default 1)
AutoDetect:1 (default 0)
UNCAsIntranet:1 (default 0)
ProxyEnable:0 (default 0)

It sure looks like someone is going to assign a proxy for us :)
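An added example, not from the original post: a check for the ZoneMap changes listed above, run over a `reg export` of the Internet Settings key. The .reg text is constructed to show the post-install state, the defaults are the ones the post lists, and the function names are my own.

```python
# Added example, not from the original post: a check over a "reg export" of the
# Internet Settings key for the ZoneMap changes the post describes.
import re

ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
# Values the post saw copied into ZoneMap (None: should not exist there at all)
# and the two that already exist there, with the defaults the post lists.
EXPECTED_ZONEMAP = {"ProxyBypass": None, "IntranetName": None, "MigrateProxy": None,
                    "ProxyEnable": None, "AutoDetect": 0, "UNCAsIntranet": 0}

# Constructed .reg export, not a real capture, showing the post-install state.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"MigrateProxy"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
"MigrateProxy"=dword:00000001
"AutoDetect"=dword:00000001
"UNCAsIntranet"=dword:00000001
"ProxyEnable"=dword:00000000
"""


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: int}}; DWORD values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def zonemap_findings(text: str) -> list:
    """Describe every ZoneMap value that matches the pattern from the post."""
    values = parse_reg(text).get(ZONEMAP, {})
    findings = []
    for name, default in EXPECTED_ZONEMAP.items():
        if name not in values:
            continue
        if default is None:
            findings.append(f"{name} copied into ZoneMap (value {values[name]})")
        elif values[name] != default:
            findings.append(f"{name} changed from {default} to {values[name]}")
    return findings
```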

The setup process command-line:
“C:\Documents and Settings\Insider\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\stbup.exe” /new /src=user

The “/src=user” really sounds like there are cases in which the user did not initiate the installation :) It could be used for self-update though.

Let’s examine some of the strings in the memory of this “DoubleD” software:
Software\SimonTatham\PuTTY\Sessions
Software\SimonTatham\PuTTY\SshHostKeys
Software\SimonTatham\PuTTY
\PUTTY.RND
Well, I don’t want to point a blaming finger, but it seems this “legitimate smiley IE toolbar” is very interested in getting some access to our saved PuTTY SSH hosts... quite innocent.

There is a lot of weird stuff this spyware does, like starting a local proxy, which explains how they steal data from IE and makes this self-updating software a cool way to make a non-botnet botnet :)
It also implements an SSH client and almost every famous encryption algorithm (Rijndael, AES, DES, 3DES, Blowfish); it looks like it does local MITM attacks on SSH login software.

So get root and Smile away with it :)

CSIS Commission on Cybersecurity for the 44th Presidency

The US Center for Strategic and International Studies (CSIS) is a bipartisan, nonprofit organization headquartered in Washington, D.C.  A commission on cybersecurity was formed in 2007 in order to prepare a set of recommendations for the incoming US President.  Unfortunately, the report is rather generic and banal, boiling down to a statement that US cybersecurity is weak, and that the US should be doing pretty much the usual, only better.  This report has been promoted on a number of security mailing lists as an important set of recommendations.  It probably is important to read, if only to get a view of the fairly limited position which may be driving US public policy in the near term.

Aggressive Anti-Spam Measures that Cause More Harm than Good

This post had personal info in it. I have removed it as I think it is irrelevant to the point I’m trying to make. Let’s just call him “Rick”. A user on a domain I maintain forwarded me an email from Rick explaining why his anti-spam swallowed the email. I replied with a set of challenges to his anti-spam filter’s effectiveness, as well as questioning the validity of the reasons behind it. Let’s be charitable and just say he did not seem to be open to discussing the matter.

Personal manners aside, this does bring up the greater question of arbitrary spam filters (arguably the worst ill effect spam has had on the Internet) and standards conformance.

Cute awareness video (plus other resources)

For those into security awareness:

This security awareness video (on YouTube), made by the infosec people in the state government of the Commonwealth of Virginia, covers some good, basic tips. It’s amusing, and only 13 minutes long. Some of the advice is specific to their security policy, and probably won’t match yours, but at least it’ll get you (or your staff) thinking about some of the issues.

If you want something more, the Virginia Information Technologies Agency (VITA) (state government agency) has an Information Security Awareness Toolkit site with copies of the video (both viewable and downloadable, and with subtitles and without), as well as other links and resources.

Exploits of the Week #2

Internet Explorer 7 XML Buffer Overflow ‘All-In-One’ Exploit

krafty

MS SQL Server Heap Overflow Exploit

Guido Landi

Barracuda Spam Firewall SQL Injection

Marian Ventuneac

CUPS pstopdf Filter Local Exploit

Jon Oberheide

Coolplayer Local Buffer Overflow Exploit

r0ut3r

Snoop on Google Talk (Wiretap)

Yes, snooping on someone else’s GoogleTalk is no big deal if you know their password, but what is interesting is that, unlike other chat clients such as Skype, MSN and others, GoogleTalk will allow you to do so simultaneously.

You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.

This neat feature, which probably stems from the fact that Google supports web-based chat in a constantly refreshing web page (unlike MSN, which launches a separate window), allows you to see incoming responses and messages being sent to your target without needing to do anything.

BTW Google, don’t fix this, I find it useful for my BlackBerry and PC chat sharing - basically I never need to log on/log off on my PC/BlackBerry; they are both constantly connected to the Google Talk servers.

UPDATE This post is not related to the recently released NSA patent on Snoop detection :D

SPAMing as a Full Time Job?

I’ve been noticing that most of the spam I get (and nearly all that gets through the filters) arrives during the week, not at the weekends. Actually, looking at my spam box, it looks like I receive around twice as much on weekdays as on weekend days.

My point being, and I’m sure there are some good answers: Is spamming a full-time job for a lot of spammers, or even a 40-hour-a-week job? I’d have to say for at least the dedicated ones, it probably is. Or, do they just figure more people check their mail on weekdays?

Either way, spam sucks.
